Published by Stephanie McIntosh. Modified over 3 years ago.

1
On the Complexity of Parallel Hardness Amplification for One-Way Functions
Chi-Jen Lu
Academia Sinica, Taiwan

2
Outline
– Motivation
– Our Results
– Proof Ideas

3
Motivation

4
Fundamental Primitives
– One-way function (OWF): easy to compute, hard to invert
– Pseudo-random generator (PRG): stretch a random seed into a long random-looking string

5
Relationship
weak OWF
strong OWF [Yao]
PRG [HILL]
– in polynomial time
– in lower complexity classes?

6
Hardness Amplification
OWF f has hardness : poly-time M, Pr_x [M fails to invert f(x)] >.
1-n - (1) strong OWF
n^{-O(1)} weak OWF
2^{-n} worst-case OWF

7
Question 1
Worst-case OWF Strong OWF?
???
1-n - (1) strong OWF
n^{-O(1)} weak OWF
2^{-n} worst-case OWF

8
Weak OWF Strong OWF [Yao]
[Yao] f f
f (x_1,x_2,…,x_k) = (f(x_1),f(x_2),…,f(x_k))
– good: simple, parallel
– bad: not security-preserving (blow up input size)
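Added example (not from the original slides): a toy Python model of the direct product above, written f' here, that measures exactly how often one fixed coordinate-wise inverter fails as k grows, and how the input length grows with it. The toy f, its 6-bit inputs and its hard quarter (delta = 1/4) are constructed for illustration; a real hardness claim quantifies over all poly-time inverters, not this single one.

```python
import hashlib
from itertools import product

N = 6          # toy input length n in bits (constructed; far too small for real use)
HARD_MOD = 4   # inputs with x % 4 == 0 form the "hard" quarter, so delta = 1/4

def f(x):
    """Toy weak-OWF stand-in: easy to invert except on a delta fraction of inputs."""
    if x % HARD_MOD:                       # easy part: the output reveals x
        return ("easy", x)
    digest = hashlib.sha256(bytes([x])).hexdigest()
    return ("hard", digest)                # hard part: modelled by a hash

def direct_product(xs):
    """f'(x_1,...,x_k) = (f(x_1),...,f(x_k)); the k calls are independent."""
    return tuple(f(x) for x in xs)

def invert_f(y):
    """Fixed inverter for f: succeeds on the easy part, gives up on the hard part."""
    tag, val = y
    return val if tag == "easy" else None

def invert_product(ys):
    """Coordinate-wise inverter for f'; it fails if any single coordinate fails."""
    xs = tuple(invert_f(y) for y in ys)
    return None if None in xs else xs

def failure_rate(k):
    """Exact fraction of inputs (x_1..x_k) on which the coordinate-wise inverter fails."""
    fails = total = 0
    for xs in product(range(2 ** N), repeat=k):
        target = direct_product(xs)
        guess = invert_product(target)
        ok = guess is not None and direct_product(guess) == target
        fails += not ok
        total += 1
    return fails / total

def input_bits(k):
    """Input length of f' is k*n: the cost that makes it not security-preserving."""
    return k * N

if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"k={k} input_bits={input_bits(k)} failure_rate={failure_rate(k)}")
```

For k = 1, 2, 3 the failure rate is 0.25, 0.4375, 0.578125, that is 1 - (3/4)^k, while the input grows from 6 to 18 bits.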

9
Weak OWP Strong OWP [GILVZ]
[GILVZ] f f
f (x, w_1,…,w_k) = f(w_k(…(f(w_1(f(x)))

10
Weak OWP Strong OWP
[GILVZ] f f
f (x, w_1,…,w_k) = f(w_k(…(f(w_1(f(x)))
walk on expander
– good: security-preserving
– bad: complex, sequential

11
Question 2
– Weak OWF Strong OWF: security preserving + parallel (low complexity)?
– Weak OWF AC^0 strong OWF AC^0: security preserving?
(AC^0: constant-depth poly-size circuits)

12
Bigger Question
– Low-complexity Crypto? Crypto. constructions / reductions in low complexity classes?
– Theory vs. practice

13
Attempt on Question 2
– Derandomize [Yao]? f (x_1,x_2,…,x_k) = (f(x_1),f(x_2),…,f(x_k)) (k independent inputs)
– Generate x_1,x_2,…,x_k in some pseudo-random way from a short seed x? f (x) = (f(x_1),f(x_2),…,f(x_k))
– [IW] some success w.r.t. hardness of computing functions (BPP vs. P)

14
No success for OWF …
– Impossible task?
– Aim: hardness amplification is a high complexity task
– What if strong OWF f AC^0? hard. amp.: ignore f, compute f directly …

15
Black-Box Hardness Amplification

16
(Strongly) Black Box
– Transformation: hard f harder f = AMP^f; AMP uses f as a black box
– Hardness proof: A breaks f DEC^A breaks f; DEC uses A as a black box
could be unbounded

17
Weakly Black Box
– Transformation: hard f harder f = AMP^f; AMP uses f as a black box
– Hardness proof: A breaks f DEC^A breaks f; DEC uses A as a black box

18
Complexity
– Transformation: hard f harder f = AMP^f; AMP uses f as a black box
– Hardness proof: A breaks f DEC^A breaks f; DEC uses A as a black box
hardness AMP high complexity

19
Previous Work

20
Lin-Trevisan-Wee
B.B. hardness t with AMP making s queries
t = O(s).

21
Our Results

22
Result (I)
B.B. hardness t, with AMP realized in AC^0(s)
(AC^0(s): constant-depth circuits of size s)
t (n/n) log^{O(1)} s
t n^{O(1)} when n n^{O(1)} & s 2^{n^{O(1)}}.
n: new input length
n: init. input length
PH NP P

23
Result (I)
B.B. hardness t, with AMP realized in AC^0(s)
t (n/n) log^{O(1)} s
t log^{O(1)} n when n=O(n) & s n^{O(1)}.
security preserving
AC^0
n: new input length
n: init. input length

24
Result (II)
Weakly B.B. hardness t, with AMP realized in AC^0 & t > (n/n) log^{O(1)} n
AMP must embed a OWF with hardness t

25
Parallel Query Model

26
Model
[Vio] AMP^f on input z:
– generates circuit C AC^0(s) and non-adaptive queries x_1,…,x_k
– calls the oracle: (y_1,…,y_k) = (f(x_1),…,f(x_k))
– outputs AMP^f(z) = C(y_1,…,y_k)

27
Proof Ideas

28
Weakness of AC^0 circuits
W.h.p. after a random restriction,
[figure: C AC^0; 100 1**]
each bit independently received:
* w.p.
1 w.p. (1- )/2
0 w.p. (1- )/2.

29
Weakness of AC^0 circuits
W.h.p. after a random restriction, any C AC^0 becomes biased
[figure: C AC^0; 100 **1; 0, 1]
C(Y ) is the same for most Y

30
B.B. Hard. Amp.
– z, AMP^f(z) = C(f(x_1),…,f(x_k)) AC^0
– Hardness t
– Show: large t contradiction
– Strategy (follow closely [Vio]): find
  – f: with hardness
  – AMP^f: with hardness < t

31
Hardness
W.h.p. a random function f is hard, even after a random restriction, if rate of * is high [Vio].
against inverter with poly queries
[figure: rows f (0^n), …, f (1^n): *1*1*00 …… 100*01* *01*11* 10*0*01]

32
kills AMP^f
– [Vio] z, w.h.p. after a random, AMP^f(z) = C(f (x_1),…,f (x_k)) AC^0 is same for most f, if rate of * is low.
– W.h.p. over, M AMP^f for most f
– A =M breaks AMP^f for most f
– DEC^A inverts f well for most f.

33
New Random Restriction
– Rate of * is low, but for a significant # of x, f (x) has enough *.
– f is a (weak) OWF
[figure: rows f (0^n), …, f (1^n): *1*1*00 …… 1001010 *01*11* 1010101]

34
Proof of Result (I)
a restriction s.t. for most f,
– f is hard to invert
– kills AMP^f
– some A inverts AMP^f well
– DEC^A inverts f well
t in AC^0(s): large t, small s

35
Proof of Result (II)
Derandomize Proof of Result (I)

36
Other Result: PRG from OWF

37
Result (III)
B.B. PRG from OWF
PRG^f : {0,1}^r {0,1}^m AC^0(s)
m-r o(r) when s 2^{m^{o(1)}}.
sublinear stretch
improving [Vio]: s m^{O(1)}.

38
Conclusion & Questions

39
High-Complexity Tasks
– Hard OWF harder OWF
– OWF PRG of long stretch

40
Relation among Primitives
– lower complexity?
[figure: TDP, TDF, PKE, PIR, OT, KA, OWF, BC, PRG, …, ZK]
