Download presentation
Presentation is loading. Please wait.
1
A Festive PhD Lecture Eylon Yogev
2
Search Problems: A Cryptographic Perspective
3
Moni
4
Computer Science: A Cryptographic Perspective
5
Computational Complexity
Obfuscation, NP Secret-Sharing: [Komargodski-Moran-Naor-Pass-Rosen-Y14], [Komargodski-Naor-Y15], [Komargodski-Naor-Y16] Adversarial Bloom Filters: [NaorY13], [NaorY15] Computational Complexity Cryptography Cryptography Search Problems Data Structures Distributed Algorithms Ramsey, Local Search, Hashing: [Hubacek-Naor-Y17], [Hubacek-Y17], [Komargodski-Naor-Y17], [Komargodski-Naor-Y18] Secure Distributed Algorithm & Derandomization: [Halevi-Ishai-Jain-Komargodski-Sahai-Y17], [Parter-Y17], [Parter-Y18a], [Parter-Y18b]
6
Reverse Randomization
π΅ππβ Ξ£ 2 [Lautemann 83] Commitment schemes [Naor 89] ZAPs [Dwork-Naor 00] Perfect Correctness [Dwork-Naor-Reingold 04], [Bitansky-Vaikuntanathan 15] Today: TFNP Hardness [HubΓ‘Δek-Naor-Y 17]
7
TFNP β Total Function NP [MP91]
NP: easy to verify decision problems FNP: easy to verify search problems Given an instance π₯, find a valid witness for π₯ TFNP: problems in FNP with guaranteed solution Megiddo- Papadimitriou Try to prune the text, be more succinct e.g., NP: easy to verify decision problems FNP: easy to verify search problems TFNP: search problems in FNP with guaranteed solution FNP coNP NP TFNP P FP
![TFNP β Total Function NP [MP91]](http://slideplayer.com/slide/17866486/106/images/7/TFNP+%E2%80%93+Total+Function+NP+%5BMP91%5D.jpg "NP: easy to verify decision problems. FNP: easy to verify search problems. Given an instance π₯, find a valid witness for π₯. TFNP: problems in FNP with guaranteed solution. Megiddo- Papadimitriou. Try to prune the text, be more succinct e.g., NP: easy to verify decision problems. FNP: easy to verify search problems. TFNP: search problems in FNP with guaranteed solution. FNP. coNP. NP. TFNP. P. FP.")
8
TFNP Landscape π»ππ΅π· π·π·π· π·π³πΊ π·π·π¨π« Polynomial Pigeonhole Principle
βEvery length preserving function either has a collision or a preimage for 0β TFNP Landscape π»ππ΅π· π·π·π· Local Optimum βEvery DAG has a sinkβ π·π³πΊ π·π·π¨π« Nash Equilibrium Brouwer Fixed Points βevery directed graph with an unbalanced node must have anotherβ πͺπ³πΊ Continuous Local Optimum [DP11] βEvery function has a local optimumβ
9
Collision resistant hash / one-way permutation
Hardness Collision resistant hash / one-way permutation [Pap94] π»ππ΅π· π·π·π· π·π³πΊ π·π·π¨π« P β NP ? ? Ramsey [KNY17] πͺπ³πΊ Obfuscation/FE [BPR15] Obfuscation/FE [HY17]
10
WHAT IS THE WEAKEST ASSUMPTION UNDER WHICH WE CAN SHOW HARDNESS OF TFNP?
11
Hardness based on P β NP formula π π»ππ΅π· πΊπ¨π» solution π₯ βNP=coNP
12
Barriers for Proving TFNP Hardness
TFNP hardness from worst-case NP hardness β NP = coNP [Johnson-Papadimitriou-Yannakakis 88] A randomized reduction from TFNP to NP β SAT is βcheckableβ [Mahmoody-Xiao 10] There exists an oracle relative to TFNP is easy and PH is infinite [Buhrman-Fortnow-Koucky-Rogers-Vereshchagin 10] TFNP hardness from one-way functions β exponentially many solutions [Rosen-Segev-Shahaf 16] Maybe decrease the font size a bit and try to make the each item fit a single line.
13
The Five Worlds of Impagliazzo
Algorithmica: P = NP Heuristica: P β NP but NP is easy-on-average Pessiland: NP is hard-on-average but β one-way functions Minicrypt: β one-way functions but β public-key crypto Cryptomania: β public-key cryptography The Five Worlds of Impagliazzo This is a nice slide Obfustopia: β indistinguishability obfuscation
14
The Five Worlds of Impagliazzo
Algorithmica: P = NP Heuristica: P β NP but NP is easy-on-average Pessiland: NP is hard-on-average but β one-way functions Minicrypt: β one-way functions but β public-key crypto Cryptomania: β public-key cryptography The Five Worlds of Impagliazzo Obfustopia: β indistinguishability obfuscation
15
The Five Worlds of Impagliazzo
Algorithmica: P = NP Heuristica: P β NP but NP is easy-on-average Pessiland: NP is hard-on-average but β one-way functions Minicrypt: β one-way functions but β public-key crypto Cryptomania: β public-key cryptography The Five Worlds of Impagliazzo Obfustopia: β indistinguishability obfuscation
16
TFNP* hardness can be based on any hard-on-average language in NP
Our Results TFNP* hardness can be based on any hard-on-average language in NP For example: planted clique, random SAT, etc. In particular, any one-way function. Our results show: hard-on-average TFNP problems exist in Pessiland (and beyond) * In the non-uniform setting (will elaborate later). No need for case: planted clique, random SAT
17
The Five Worlds of Impagliazzo
Algorithmica: P = NP Heuristica: P β NP but NP is easy-on-average Pessiland: NP is hard-on-average but β one-way functions Minicrypt: β one-way functions but β public-key crypto Cryptomania: β public-key cryptography The Five Worlds of Impagliazzo Obfustopia: β indistinguishability obfuscation
18
The Five Worlds of Impagliazzo
Algorithmica: P = NP Heuristica: P β NP but NP is easy-on-average Pessiland: NP is hard-on-average but β one-way functions Minicrypt: β one-way functions but β public-key crypto Cryptomania: β public-key cryptography The Five Worlds of Impagliazzo TFNP Hardness Obfustopia: β indistinguishability obfuscation
19
Proof Let πΏβππ be a hard-on-average language with distribution D {0,1}n D Not in TFNP πΏ Search Problem: given π₯β D find π€ s.t. π₯,π€ βπΏ π₯
20
Reverse Randomization
πΏ π : π₯β πΏ π β π₯βπ βπΏ {0,1}n D πΏ π Distributed according to D Random shift of D Not a hard distribution πΏ Search Problem: given π₯β D find w s.t. π₯,π€ βπΏ OR π₯βπ ,π€ βπΏ π₯
21
Proof πΏβ: rβπΏβ² β D π βπΏ {0,1}m D {0,1}n πΏβ πΏ π π₯
22
U Proof πΏβ: rβπΏβ² β D π βπΏ {0,1}m π πΏβ π
Search Problem: given πβU find π€ such that (D r ,w)βπΏ πΏβ π The same as for curly D and normal D goes also for curly U and normal U.
23
U Proof πΏ π β² : πβ πΏ π β² βπ· πβπ βπΏ {0,1}m π πΏβ π L π β²
Search Problem: given πβU find w such that (D r ,w)βπΏ OR (D rβπ ,w)βπΏ πΏβ π L π β² Typo: Lβ_i in the bullet point
24
U proof πΏ π π β² : πβ πΏ π π β² βπ· πβ π π βπΏ {0,1}m π πΏβ π L s 1 β²
πΏ π π β² : πβ πΏ π π β² βπ· πβ π π βπΏ {0,1}m U π Search Problem: given πβU find w such that (D rβ π π ,w)βπΏ for some i πΏβ π L s 1 β² Typos: Lβ_i in the bullet point and Lβ_{s_1} in the picture
25
U proof πΏ π π β² : πβ πΏ π π β² βπ· πβ π π βπΏ {0,1}m r Lβ r L s 1 β²
πΏ π π β² : πβ πΏ π π β² βπ· πβ π π βπΏ {0,1}m U r Search Problem: given πβU find w such that (D rβ π π ,w)βπΏ for some i Lβ r L s 1 β² Hard distribution?
26
Is this a Hard Distribution?
The instance is the random coins of the distribution Can we learn anything from the random coins about the solution? Think of the planted clique vs. random SAT We need the distribution to be a βpublic-coinβ distribution Do such distributions necessarily exist? Theorem: There exists a reduction from private-coin to public-coin [Impagliazzo-Levin 90] Proof goes through universal one-way hash function
27
Finding a Good Shift A random set π 1,β¦,π π satisfies that πΏβ² π 1 ,β¦, π π is hard for U Can we find π 1,β¦,π π deterministically? Solution #1: hard-wire them non-uniformly β A hard problem in (non-uniform) TFNP Solution #2: use derandomization (Nisan-Wigderson PRG) β A hard problem in TFNP assuming NW-PRG
28
Nisan-Wigderson Pseudorandom Generator
Assume a hard function exists β f β E that has Ξ 2 -circuit complexity 2 π(π) Exists pseudorandom generator Against Ξ 2 -circuits We can derandomize Combine all shifts to one good shift
29
Collision resistant hash / one-way permutation
Hardness Collision resistant hash / one-way permutation [Pap94] π»ππ΅π· π·π·π· π·π³πΊ π·π·π¨π« P β NP ? ? Ramsey [KNY17] πͺπ³πΊ Obfuscation/FE [BPR15] Obfuscation/FE [HY17]
30
Collision resistant hash / one-way permutation
Hardness Collision resistant hash / one-way permutation [Pap94] π»ππ΅π· π·π·π· π·π³πΊ π·π·π¨π« NP is hard-on-average ? Ramsey [KNY17] πͺπ³πΊ Obfuscation/FE [BPR15] Obfuscation/FE [HY17]
31
The succinct Black-Box Model
32
? Models of Computation π The Black-Box Model π π(π)
Complexity: # of queries The White-Box Model π ? Complexity: Running time as a function of π
33
Models of Computation π The Black-Box Model π π(π) The White-Box Model
Complexity: # of queries The White-Box Model π The Succinct Black-Box Model π π π(π) Complexity: Running time as a function of π Complexity: # of queries as a function of |π|
34
The Succinct Black-Box Model
The algorithm is given oracle (black-box) query access to the function. Complexity as a function of the size of π. poly-size representation => poly-many queries. π Example: point functions π π : 0,1 π β{0,1} where π π π₯ =1 iff π₯=π and 0 otherwise. Representation size is π. π π(π) Fact: finding π takes ~2 π many queries for any algorithm. The promise that π exists does not help the algorithm!
35
The Succinct Black-Box Model
The algorithm is given oracle (black-box) query access to the function. Theorem: For any problem in TFNP if: 1. Representation size: π 2. Solution size: π Then: a solution can be found within π(π β
π) queries. π π π(π) Explains why all black-box lower bounds require huge oracles Incorrect outside TFNP Example: point function
36
Can shave log(π) factor by querying on very biased columns.
The Succinct Black-Box Model Theorem: representation is π bits, a solution is of size π then a solution can be found within π(π β
π) queries. π π π β¦ π π π π π π 1 π 1 π 2 π 3 π 2 π Proof: πΏ := all possible functions of size π . Repeat: π β π₯ = Maj πβπΏ π(π₯) Solve π β ==> π£ 1 ,β¦, π£ π . Query on π£ 1 ,β¦, π£ π . If consistent, output π£ 1 ,β¦, π£ π . Remove from πΏ all inconsistent πβs. Main point: At every iteration we either find a solution or remove half of the rows. Can shave log(π) factor by querying on very biased columns. π β¦ π π β
37
Collision resistant hash / one-way permutation
π»ππ΅π· π·π·π· π·π³πΊ π·π·π¨π« NP is hard-on-average ? Ramsey πͺπ³πΊ Obfuscation/FE Obfuscation/FE
Similar presentations
