Presentation is loading. Please wait.

Presentation is loading. Please wait.

On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.

Similar presentations


Presentation on theme: "On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan."— Presentation transcript:

1 On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan

2 Outline Motivation Motivation Our Results Our Results Proof Ideas Proof Ideas

3 Motivation

4 Fundamental Primitives One-way function (OWF): One-way function (OWF): –easy to compute, hard to invert Pseudo-random generator (PRG): Pseudo-random generator (PRG): –stretch a random seed into a long random looking string

5 Relationship weak OWF weak OWF strong OWF [Yao] strong OWF [Yao] PRG [HILL] PRG [HILL] –in polynomial time –in lower complexity classes?

6 Hardness Amplification OWF f has hardness : poly-time M OWF f has hardness : poly-time M Pr x [M fails to invert f(x)] >. 1-n - (1) strong OWF n -O(1) weak OWF 2 -n worst-case OWF

7 Question 1 Worst-case OWF Strong OWF? Worst-case OWF Strong OWF? ??? 1-n - (1) strong OWF n -O(1) weak OWF 2 -n worst-case OWF

8 Weak OWF Strong OWF [Yao] f f [Yao] f f f (x 1,x 2,…,x k ) = (f(x 1 ),f(x 2 ),…,f(x k )) good: simple, parallel good: simple, parallel bad: not security-preserving (blow up input size) bad: not security-preserving (blow up input size)

9 Weak OWP Strong OWP [GILVZ] f f [GILVZ] f f f (x, w 1,…,w k ) = f(w k (…(f(w 1 (f(x)))

10 [GILVZ] f f [GILVZ] f f f (x, w 1,…,w k ) = f(w k (…(f(w 1 (f(x))) good: security-preserving good: security-preserving bad: complex, sequential bad: complex, sequential walk on expander Weak OWP Strong OWP

11 Question 2 Weak OWF Strong OWF: Weak OWF Strong OWF: security preserving + parallel (low complexity)? Weak OWF AC 0 strong OWF AC 0 : security preserving ? Weak OWF AC 0 strong OWF AC 0 : security preserving ? constant-depth poly-size circuits

12 Bigger Question Low-complexity Crypto? Low-complexity Crypto? Crypto. constructions / reductions in low complexity classes? Theory vs. practice Theory vs. practice

13 Attempt on Question 2 Derandomize [Yao]? Derandomize [Yao]? f (x 1,x 2,…,x k ) = (f(x 1 ),f(x 2 ),…,f(x k )) Generate x 1,x 2,…,x k in some pseudo- random way from a short seed x? Generate x 1,x 2,…,x k in some pseudo- random way from a short seed x? f (x) = (f(x 1 ),f(x 2 ),…,f(x k )) –[IW] some success w.r.t. hardness of computing functions (BPP vs. P) k independent inputs

14 No success for OWF … Impossible task? Impossible task? Aim: hardness amplification is a high complexity task Aim: hardness amplification is a high complexity task What if strong OWF f AC 0 ? What if strong OWF f AC 0 ? hard. amp.: ignore f, compute f directly …

15 Black-Box Hardness Amplification

16 (Strongly) Black Box Transformation: Transformation: hard f harder f = hard f harder f = A MP f uses f as a black box A MP uses f as a black box Hardness proof: Hardness proof: A breaks f D EC A breaks f D EC uses A as a black box could be unbounded

17 Weakly Black Box Transformation: Transformation: hard f harder f = hard f harder f = A MP f uses f as a black box A MP uses f as a black box Hardness proof: Hardness proof: A breaks f D EC A breaks f D EC uses A as a black box

18 Complexity Transformation: Transformation: hard f harder f = hard f harder f = A MP f uses f as a black box A MP uses f as a black box Hardness proof: Hardness proof: A breaks f D EC A breaks f D EC uses A as a black box hardness A MP high complexity

19 Previous Work

20 Lin-Trevisan-Wee B.B. hardness t B.B. hardness t with A MP making s queries t = O(s). t = O(s).

21 Our Results

22 Result (I) B.B. hardness t, with B.B. hardness t, with A MP realized in AC 0 (s) t (n/n) log O(1) s t (n/n) log O(1) s t n O(1) when n n O(1) & s 2 n O(1). t n O(1) when n n O(1) & s 2 n O(1). n: new input length n: init. input length PH NP P constant-depth circuits of size s

23 Result (I) B.B. hardness t, with B.B. hardness t, with A MP realized in AC 0 (s) t (n/n) log O(1) s t (n/n) log O(1) s t log O(1) n when n=O(n) & s n O(1). t log O(1) n when n=O(n) & s n O(1). security preserving AC 0 n: new input length n: init. input length

24 Result (II) Weakly B.B. hardness t, Weakly B.B. hardness t, with A MP realized in AC 0 & t > (n/n) log O(1) n A MP must embed a OWF with hardness t A MP must embed a OWF with hardness t

25 Parallel Query Model

26 Model [Vio] on input z: [Vio] A MP f on input z: –generates circuit C AC 0 (s) and non-adaptive queries x 1, …,x k –calls the oracle: (y 1, …,y k )=(f(x 1 ), …,f(x k )) –outputs (z) = C(y 1, …,y k ) –outputs A MP f (z) = C(y 1, …,y k )

27 Proof Ideas

28 Weakness of AC 0 circuits W.h.p. after a random restriction, W.h.p. after a random restriction, C AC ** * w.p. 1 w.p. (1- )/2 0 w.p. (1- )/2. each bit independentlyreceived {

29 Weakness of AC 0 circuits W.h.p. after a random restriction, any C AC 0 becomes biased W.h.p. after a random restriction, any C AC 0 becomes biased C AC 0 0, **1 C(Y ) is the same for most Y

30 B.B. Hard. Amp. z, (z) = C(f(x 1 ), …,f(x k )) AC 0 z, A MP f (z) = C(f(x 1 ), …,f(x k )) AC 0 Hardness t Hardness t Show: large t contradiction Show: large t contradiction Strategy: (follow closely [Vio]) find Strategy: (follow closely [Vio]) find –f: with hardness –f: with hardness –: with hardness < t –A MP f : with hardness < t

31 Hardness Hardness W.h.p. a random function f is hard, W.h.p. a random function f is hard, even after a random restriction, if rate of * is high [Vio]. *1*1*00 …… 100*01* *01*11* 10*0*01 f (0 n ). f (1 n ) against inverter with poly queries

32 kills A MP f kills A MP f [Vio] z, w.h.p. after a random, [Vio] z, w.h.p. after a random, (z) = C(f (x 1 ), …,f (x k )) AC 0 A MP f (z) = C(f (x 1 ), …,f (x k )) AC 0 is same for most f, if rate of * is low. W.h.p. over W.h.p. over, M A MP f for most f A =M breaks A MP f for most f D EC A inverts f well for most f.

33 New Random Restriction Rate of * is low, but for a significant # of x, f (x) has enough *. Rate of * is low, but for a significant # of x, f (x) has enough *. is a (weak) OWF f is a (weak) OWF *1*1*00 …… *01*11* f (0 n ). f (1 n )

34 Proof of Result (I) a restriction s.t. for most f, a restriction s.t. for most f, is hard to invert f is hard to invert kills kills A MP f some A inverts A MP f well D EC A inverts f well t in AC(s): large t, small s t in AC 0 (s): large t, small s

35 Proof of Result (II) Derandomize Proof of Result (I) Derandomize Proof of Result (I)

36 Other Result: PRG from OWF

37 Result (III) B.B. PRG from OWF B.B. PRG from OWF P RG f : {0,1} r {0,1} m AC 0 (s) m-r o (r) when s 2 m o(1). sublinear stretch improving [Vio]: s m O(1).

38 Conclusion & Questions

39 High-Complexity Tasks Hard OWF harder OWF Hard OWF harder OWF OWF PRG of long stretch OWF PRG of long stretch

40 Relation among Primitives –lower complexity? TDP TDFPKE PIROT KAOWF BC PRG … ZK


Download ppt "On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan."

Similar presentations


Ads by Google