Presentation is loading. Please wait.

Presentation is loading. Please wait.

Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.

Published byMustafa Decoursey Modified over 9 years ago

Similar presentations

Presentation on theme: "Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard."— Presentation transcript:

1 Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard

2 Question Suppose the sequence 666 appears in the digits of  both in the 100 th place and in the 1000000 th place. Suppose an archeologist finds a mathematical proof by Archimedes that 666 appears in . Is it possible to recover the place in  Archimedes knew about?

3 Our Results Under reasonable assumptions we obtain: Non-interactive WI proof system for NP (in the plain model) First non-interactive proof with secrecy property Non-interactive Commitment Scheme Under incomparable assumptions to [BM]

4 Our Assumptions Assumption A: 9 L s.t. L 2 Dtime(2 cn ) for some c L  Ntime(2  n ) / 2  n for some  >0 A natural strengthening of EXP * NP NcNc NN NN Thm 1: Assumption A + TDP ) non-interactive WI Thm 2: Assumption A + OWF ) non-interactive commit. In paper: prove Thm 2 under weaker, uniform, assumption. (Uses [GST03])

5 Derandomization: a brief overview* A paradigm that attempts to transform: Probabilistic algorithms => deterministic algorithms. (P  BPP  EXP  NEXP). Probabilistic protocols => deterministic protocols. (NP  AM  EXP  NEXP). We don ’ t know how to separate BPP and NEXP. Can derandomize BPP and AM under natural complexity theoretic assumptions. * Thanks to Ronen Shaltiel for these slides

6 Hardness versus Randomness Initiated by [BM,Yao,Shamir]. Assumption: hard functions exist. Conclusion: Derandomization. A lot of works: [BM82,Y82,HILL,NW88,BFNW93, I95,IW97,IW98,KvM99,STV99,ISW99,MV99, ISW00,SU01,U02,TV02,GST03]

7 Hardness versus Randomness Assumption: hard functions exist. Conclusion: Derandomization.

8 Hardness versus Randomness Assumption: hard functions exist. Exists pseudo-random generator Conclusion: Derandomization.

9 Pseudo-random generators A pseudo-random generator (PRG) is an algorithm that stretches a short string of truly random bits into a long string of pseudo-random bits. pseudo-random bits PRG seed Pseudo-random bits are indistinguishable from truly random bits for feasible algorithms. Consider also generators with O(log n) length seed. ??????????????

10 Pseudo-random generators with O(log n) length seed. Polynomial-sized algorithm can identify pseudo- random strings as follows: Given a long string, enumerate all seeds and check that PRG(seed)=long string. Can distinguish between random strings and pseudo- random strings. Assuming distinguisher can enumerate all seeds. The Nisan-Wigderson setup: distinguisher can not enumerate all seeds. Example: Seed length = 5logn and generator fools circuits of size n 3. PRG can also run in time n 5 Sufficient for derandomization!!

11 State of the art in this direction Thm [NW88, …,IW97]: If 9 L s.t. L 2 Dtime(2 cn ) for some c L  Size(2  n ) for some  >0 Then BPP=P.

12 Arthur-Merlin Games [BM] Completeness: If the statement is true then Arthur accepts. Soundness: If the statement is false then Pr[Arthur accepts]< ½. Merlin Arthur “xL”“xL” toss coins message I accept

13 Arthur-Merlin Games [BM] Completeness: If the statement is true then Arthur accepts. Soundness: If the statement is false then Pr[Arthur accepts]< ½. The class AM: All languages L which have an Arthur-Merlin protocol. Contains many interesting problems not known to be in NP. (e.g. graph nonisomorphism)

14 The big question: Does AM=NP? In other words: Can every Arthur-Merlin protocol be replaced with one in which Arthur is deterministic? Note that such a protocol is an NP proof.

15 Pseudo-random generators for nondeterministic circuits Nondeterministic algorithm can identify pseudo-random strings as follows: Given a long string, guess a short seed and check that PRG(seed)=long string. Assuming the circuit can run the PRG!! In NW setup circuit cannot run the PRG!!. For example: The PRG runs in time n 5 and fools (nondeterministic) circuits of size n 3.

16 State of the art in this direction Thm [AK,MV,KvM,SU]: If 9 L s.t. L 2 Dtime(2 cn ) for some c L  Nsize(2  n ) for some  >0 (i.e., if Assumption A holds) Then AM=NP.

17 PRG ’ s for nondeterministic circuits derandomize AM We can model the AM protocol as a nondeterministic circuit which gets the random coins as input. Merlin Arthur “xL”“xL” random message message I accept Hardwire input

18 PRG ’ s for nondeterministic circuits derandomize AM We can model the AM protocol as a nondeterministic circuit which gets the random coins as input. Merlin Arthur “xL”“xL” random input Nondeterministic guess I accept input Nondeterministic guess Hardwire input

19 PRG ’ s for nondeterministic circuits derandomize AM We can model the AM protocol as a nondeterministic circuit which gets the random coins as input. We can use pseudo-random bits instead of truly random bits. Merlin Arthur “xL”“xL” pseudo-random input Nondeterministic guess I accept Nondeterministic guess input Hardwire input

20 PRG ’ s for nondeterministic circuits derandomize AM We have AM protocol w/ deterministic (not probabilistic) Arthur: He sends all pseudo-random strings and Merlin replies on each one. Protocol is sound : otherwise we have a nondeterministic distinguisher. Merlin Arthur “xL”“xL” pseudo-random input Nondeterministic guess I accept Our main observation: If original protocol was WI then new “ protocol ” is also WI!

21 Proof of Thm 1: Thm [DN]: 9 TDP ) 9 AM protocol that is WI for NP Combining this w/ [SU] and observation we get Thm 1: TDP + Assumption A ) 9 Noninteractive WI for NP

22 Proving Thm 2 Use same technique to derandomize Naor ’ s commitment scheme (which is also of “ AM ” type).

23 That ’ s it …

Download ppt "Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard."

Similar presentations

On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.

On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.
Unconditional Weak derandomization of weak algorithms Explicit versions of Yao s lemma Ronen Shaltiel, University of Haifa :

Unconditional Weak derandomization of weak algorithms Explicit versions of Yao s lemma Ronen Shaltiel, University of Haifa :
Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech.

Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.

Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.
Complexity Theory Lecture 10 Lecturer: Moni Naor.

Complexity Theory Lecture 10 Lecturer: Moni Naor.
Randomness Extractors: Motivation, Applications and Constructions Ronen Shaltiel University of Haifa.

Randomness Extractors: Motivation, Applications and Constructions Ronen Shaltiel University of Haifa.
Computational Analogues of Entropy Boaz Barak Ronen Shaltiel Avi Wigderson.

Computational Analogues of Entropy Boaz Barak Ronen Shaltiel Avi Wigderson.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.

1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.
Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.

Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.
Simple extractors for all min- entropies and a new pseudo- random generator Ronen Shaltiel Chris Umans.

Simple extractors for all min- entropies and a new pseudo- random generator Ronen Shaltiel Chris Umans.
Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.

Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.
Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.
Complexity Theory Lecture 9 Lecturer: Moni Naor. Recap Last week: –Toda’s Theorem: PH  P #P. –Program checking and hardness on the average of the permanent.

Complexity Theory Lecture 9 Lecturer: Moni Naor. Recap Last week: –Toda’s Theorem: PH  P #P. –Program checking and hardness on the average of the permanent.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Similar presentations

Ads by Google