Impagliazzo's Worlds in Arithmetic Complexity: A Progress Report. Scott Aaronson and Andrew Drucker, MIT.

Presentation transcript:

Impagliazzo's Worlds in Arithmetic Complexity: A Progress Report. Scott Aaronson and Andrew Drucker (MIT). 100% QUANTUM-FREE TALK (FROM COWS NOT TREATED WITH rBQP)

Why Arithmetize Russell's Worlds?
R, C, F_p: funhouse mirrors of complexity theory.
Permanent vs. Determinant, P_C vs. NP_C: warmups to P vs. NP? Some of our motivation came from Mulmuley's GCT program.
But who cares about crypto in the arithmetic model? As it happens, much of current crypto is based on arithmetic over finite fields.
Challenge: Arithmetic Natural Proofs. Explain why it's so hard to prove circuit lower bounds for the Permanent.
Lifting to larger fields gives new insights about worst-case / average-case equivalence.

On the Menu Today
1. Equivalence of complexity questions in the Boolean and small-finite-field worlds.
2. Over large finite fields F, NP_F ⊄ P_F/poly ⟺ OWFs exist (Heuristica = Pessiland = Minicrypt).
3. Natural Proofs for arithmetic circuits: a challenge and a concrete proposal.

Arithmetic Computation Over a Finite Field F
Not allowed: directly accessing bit representations of F-elements.
Deep reason for finiteness: in cryptography, it's nice to have a uniform distribution over F-elements.
Allowed operations:
- Add, subtract, multiply, or divide any two F-elements
- Create and recognize the 0 and 1 elements (⇒ equality testing, branching, Boolean side-computation)
- Sample a random F-element (in randomized models)
- Hardwire F-elements (in nonuniform models)
In this talk, |F| will be finite, prime, and possibly dependent on n.

Three Regimes of Arithmetic Complexity
|F| ≤ poly(n): trivially the same as Boolean computation.
|F| ≤ 2^poly(n): no stronger than Boolean computation. Maybe weaker, since one can't see bit representations of input F-elements. Same as Boolean computation if the input is conveniently Boolean.
|F| >> 2^poly(n): incomparable with Boolean computation (a P machine can't even store F-elements). Algebraic geometry becomes relevant, since polynomials have degree << |F|.

Related Models
Blum-Shub-Smale: uniform, defined for a fixed field F (such as R, C, GF(2)). Equality tests allowed; the version over R allows comparisons.
Algebraic computation trees: basically the nonuniform version of [BSS].
Arithmetic circuits, straight-line programs, Valiant's VP and VNP: no divisions or equality tests allowed.
Our results for |F| ≤ 2^poly(n) will extend to the straight-line model.

P_F/poly = class of languages L such that, given a list of primes {p(n)}_{n≥1}, for some polynomial size bound s and every n there exists an F_{p(n)}-circuit C_n of size s(n) such that for all x: x ∈ L ⟺ C_n(x) ≠ 0.
NP_F/poly = the same, except we substitute: x ∈ L ⟺ ∃w ∈ {-1,1}^poly(n) such that C_n(x,w) ≠ 0.
Can define uniform versions with more sweat.
Why are the NP witnesses Boolean? For p(n) ≤ 2^poly(n), it doesn't matter. For p(n) > 2^poly(n), allowing F-witnesses would trivialize P_F ≠ NP_F! (Consider, e.g., quadratic residuosity.)

Arithmetic Cryptography When |F| ≤ 2^poly(n)
B/B (Boolean/Boolean) OWF: ordinary one-way function.
A/A (Arithmetic/Arithmetic) OWF: family of functions computable in P_F/poly, such that for all P_F/poly adversaries C_n, [inversion succeeds only with negligible probability; the slide's formula is not reproduced in the transcript].
A/B (Arithmetic/Boolean) OWF: same, except now the adversary is P/poly (i.e., has Boolean access to f_n(x)).
B/B, A/A, and A/B pseudorandom generators and pseudorandom functions can be defined similarly.

Equivalence Theorem: Assuming |F| ≤ 2^poly(n),
A/B OWFs ⟺ B/B OWFs ⟺ A/A OWFs
A/B PRGs ⟺ B/B PRGs ⟺ A/A PRGs
A/B PRFs ⟺ B/B PRFs ⟺ A/A PRFs
(Arrow labels in the original diagram: Obvious, [HILL], [GGM], Obvious, This work.)

The Boneh-Lipton Problem: A Bridge Between the Boolean and Arithmetic Worlds
Problem: Recover x, given (x+a_1)^q, …, (x+a_k)^q and a_1, …, a_k.
Suppose this problem is easy. Then for all p ≤ 2^poly(n), the Boolean and F_p worlds are polynomially equivalent.
Alas, the best known classical algorithm to recover x takes time [BL96].

Intuition: We Win Either Way
Two possibilities:
(1) BL is easy to invert ⇒ Boolean and F computation are equivalent ⇒ OWFs exist in one world iff they exist in the other.
(2) BL is hard to invert ⇒ BL itself is an OWF, in both the Boolean and F worlds.
Difficulties: What if BL is only slightly hard? Or easy to invert on some input lengths but not others?

Lemma: For all x ≠ y in F, [probability bound not reproduced in the transcript].
Proof: (x+a_i)^q − (y+a_i)^q is a degree-q, nonzero polynomial in a_i, so it has at most q = (p−1)/2 roots.
Implication: (x+a_1)^q, …, (x+a_k)^q information-theoretically determine x with high probability over a_1, …, a_k, provided k >> log(p).
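The arithmetic model from the earlier slide and the Boneh-Lipton lemma, as an added worked example that is not part of the talk: a square-and-multiply routine that uses only field multiplications (so it is an arithmetic circuit of size O(log p), never reading bits of a field element), the map x ↦ ((x+a_1)^q, …, (x+a_k)^q), and a numerical check of the collision bound. The prime p = 31, the points x = 3, y = 7 and the list AVEC are constructed sample values; the helper names are mine.

```python
# Added example (not from the talk).  Everything is over F_p for a tiny
# constructed prime so the checks below can be done exhaustively.

def field_pow(base, e, p):
    """Square-and-multiply over F_p.  Returns (base^e mod p, gate count).
    The exponent's bits are part of the circuit's *structure*, not data:
    the circuit only ever multiplies field elements, as the model allows."""
    result, gates = 1, 0
    for bit in bin(e)[2:]:
        result = result * result % p          # one squaring gate
        gates += 1
        if bit == "1":
            result = result * base % p        # one multiplication gate
            gates += 1
    return result, gates

def bl_encode(x, avec, p):
    """Boneh-Lipton map: x -> ((x+a_1)^q, ..., (x+a_k)^q) with q=(p-1)/2.
    Each coordinate is 0, 1 or p-1 (i.e. -1): the quadratic character of x+a_i."""
    q = (p - 1) // 2
    return tuple(field_pow((x + a) % p, q, p)[0] for a in avec)

def collision_count(x, y, p):
    """Number of a in F_p with (x+a)^q == (y+a)^q.  The lemma bounds this
    by q = (p-1)/2, i.e. a random a separates x from y with prob. >= 1/2."""
    q = (p - 1) // 2
    return sum(field_pow((x + a) % p, q, p)[0] == field_pow((y + a) % p, q, p)[0]
               for a in range(p))

def recover(values, avec, p):
    """All x in F_p consistent with the given values, by exhaustive search.
    Feasible only because p is tiny: this shows that k >> log p random a_i
    pin x down information-theoretically, not that BL is easy to invert."""
    return [x for x in range(p) if bl_encode(x, avec, p) == tuple(values)]

P = 31                                         # constructed prime, q = 15
AVEC = [0, 1, 4, 6, 9, 12, 15, 20, 23, 27]     # constructed a_i, k = 10 ~ 2 log2(p)

if __name__ == "__main__":
    print("gates for ^q:", field_pow(5, (P - 1) // 2, P)[1])
    print("collisions between 3 and 7:", collision_count(3, 7, P), "<= q =", (P - 1) // 2)
    print("consistent x:", recover(bl_encode(3, AVEC, P), AVEC, P))
```

Every pair x ≠ y collides on exactly (p−3)/2 of the p shifts for a prime p, so each added random a_i halves the set of candidates that remain consistent with x.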

Easy Direction: B/B OWF ⇒ A/B OWF
Let f be a Boolean OWF. Then as our arithmetic OWF, we can take [construction not reproduced in the transcript]. Clearly, any inverter for F yields an inverter for f.

Other Direction: A/A OWF ⇒ A/B OWF
Let g be an OWF secure against arithmetic adversaries. Here's an OWF secure against Boolean adversaries: [the function G(x, a_1, …, a_k); its formula is not reproduced in the transcript].
Let G′ be a good Boolean inverter for G. Here's a good arithmetic inverter for g(x): first generate a_1, …, a_k randomly (remembering their Boolean descriptions), then compute G(x, a_1, …, a_k) and run G′ on it.
Key fact: G(x, a_1, …, a_k) = G(y, a_1, …, a_k) ⇒ g(x) = g(y) with high probability over a_1, …, a_k, provided k >> log(p). In which case, G′ can only invert G by finding a preimage of g(x).

Argument for Pseudorandom Generators
Let f be a B/B PRG. As our A/B PRG, we can take [construction not reproduced in the transcript].
Likewise, let g: F → F^2 be an A/A PRG. By a standard hybrid argument, we can stretch g to produce g_1, …, g_m: F → F, so that (g_1(x), …, g_m(x)) looks random. Here's our A/B PRG: [construction not reproduced in the transcript], where Om(x) is the "omelettization" of a Boolean string x: its conversion to F-elements in a standard way.
Similar arguments show that B/B or A/A pseudorandom functions imply A/B pseudorandom functions.

Collapse Theorem: Assuming |F| > 2^poly(n),
NP_F ⊄ P_F/poly ⟺ NP_F is hard on average ⟺ F-OWFs exist.
In other words, among Algorithmica, Heuristica, Pessiland, Minicrypt and Cryptomania, the middle three merge into a single world: "Heuristiminipessicrypt".
Hard-on-average NP_F problems with planted (Boolean) solutions.
More interesting notion of OWF when |F| > 2^poly(n).

Major Challenge for Complexity Theory: Explain why current techniques fail to show PERMANENT ∉ AlgP/poly.
First approach: Extend algebrization [AW08] to low-degree oracles queried by arithmetic circuits. Construct A such that Alg#P^A = AlgP^A.
Second approach: Natural Proofs [RR97] for arithmetic complexity. Show that arithmetic circuit lower bounds based on rank, partial derivatives, etc. can't possibly work, since they would distinguish random functions f: F^n → F from pseudorandom ones.
What's needed: pseudorandom function families computable by arithmetic circuits over finite fields.

Arithmetic Pseudorandom Functions
Our results show that, if ordinary OWFs exist, then one can construct a family of functions f_s: F^n → F that are (1) computable by poly-size arithmetic circuits, (2) indistinguishable from random functions (even by Boolean circuits). Problem solved!
Problem: PERMANENT is a low-degree polynomial! Any plausible lower bound proof would use that fact.
Real Challenge of Arithmetic Natural Proofs: Find a family of degree-d polynomials p_s: F^n → F that are (1) computable by poly-size arithmetic circuits, (2) indistinguishable from random degree-d polynomials.

Pseudorandom Low-Degree Polynomials: How to Construct Them?
Generic construction of PRF [Goldreich-Goldwasser-Micali]: doesn't work (blows up degree).
Number-theoretic PRF [Naor-Reingold]: doesn't work (uses bit operations to parallelize).
Hardness of learning small-depth arithmetic circuits [Klivans-Sherstov]: doesn't work (requires specific input distribution).
Other constructions based on lattices/LWE: ???

Candidate for Low-Degree Arithmetic PRF: g: F^n → F [formula not reproduced in the transcript], where the L_ij's are independent, random linear functions.
Conjecture: Using oracle access to p, no polynomial-size arithmetic circuit over the finite field F can distinguish g: F^n → F from a uniformly random, homogeneous polynomial of degree d, with non-negligible bias.
Note: it's easy to distinguish g from a random function!

Conclusions
One can give sensible definitions of Heuristica, Pessiland, and Minicrypt over a finite field F.
When |F| ≤ 2^poly(n), these worlds perfectly mirror their Boolean counterparts, even if F-computation is weaker than Boolean. Natural Proofs are no less fearsome in F-land.
But when |F| > 2^poly(n), Heuristica = Pessiland = Minicrypt.
Note: Both of these results explain why the other doesn't generalize to all F!
From this perspective, the distinction between P ≠ NP, NP hard on average, and the existence of OWFs (if indeed there is one) seems like an artifact of small field size.

Open Problems
Construct pseudorandom low-degree polynomials p: F^n → F, ideally based on a known assumption.
Convincing Natural Proofs story for why PERMANENT ∉ AlgP/poly is hard.
OWF ⇒ PRG ⇒ PRF when |F| > 2^poly(n)?
NP-completeness theory for large F.
Cryptomania: PKC, CRHFs, IBE, homomorphic encryption (?!), etc. in the arithmetic world.
Arithmetic circuits based on non-classical physics? Model proposed by [van Dam].

Theorem: CIRCUITSAT_F is NP_F-complete.
Canonical NP_F-complete problem: Given x = (x_1, …, x_n) ∈ F^n, which we take to encode a (pure) arithmetic circuit C_x: F^m → F, does there exist a Boolean input w ∈ {-1,1}^m such that C_x(w) ≠ 0? (Get rid of equality tests using encoding tricks.)
Handwaving Idea: Take a P_F/poly circuit A that solves this problem for most x, and correct it to one that works for all x.
What one would expect: Schwartz-Zippel!
Lemma: Let C: F^n → F be a P_F/poly circuit of size s. Then {x ∈ F^n : C(x) = 0} belongs to the Boolean closure of 2^s algebraic varieties of degree 2^s each.