# Impagliazzo's Worlds in Arithmetic Complexity: A Progress Report

Scott Aaronson and Andrew Drucker, MIT

100% QUANTUM-FREE TALK (FROM COWS NOT TREATED WITH rBQP)

## Why Arithmetize Russell's Worlds?

- R, C, F_p: funhouse mirrors of complexity theory
- Permanent vs. Determinant, P_C ≠ NP_C: warmups to P vs. NP?
- Some of our motivation came from Mulmuley's GCT program
- But who cares about crypto in the arithmetic model? As it happens, much of current crypto is based on arithmetic over finite fields
- Challenge: Arithmetic Natural Proofs. Explain why it's so hard to prove circuit lower bounds for the Permanent
- Lifting to larger fields gives new insights about worst-case / average-case equivalence

## On the Menu Today

1. Equivalence of complexity questions in the Boolean and small-finite-field worlds
2. Over large finite fields F: NP_F ⊄ P_F/poly ⇔ OWFs exist (Heuristica = Pessiland = Minicrypt)
3. Natural Proofs for arithmetic circuits: a challenge and a concrete proposal

## Arithmetic Computation Over a Finite Field F

- Not allowed: directly accessing bit representations of F-elements
- Deep reason for finiteness: in cryptography, it's nice to have a uniform distribution over F-elements
- Allowed operations:
  - Add, subtract, multiply, or divide any two F-elements
  - Create and recognize the 0 and 1 elements (⇒ equality testing, branching, Boolean side-computation)
  - Sample a random F-element (in randomized models)
  - Hardwire F-elements (in nonuniform models)
- In this talk, |F| will be finite, prime, and possibly dependent on n

## Three Regimes of Arithmetic Complexity

- |F| ≤ poly(n): trivially the same as Boolean computation
- |F| ≤ 2^poly(n): no stronger than Boolean computation. Maybe weaker, since one can't see bit representations of the input F-elements. Same as Boolean computation if the input is conveniently Boolean
- |F| >> 2^poly(n): incomparable with Boolean computation (a P machine can't even store F-elements). Algebraic geometry becomes relevant, since polynomials have degree << |F|

## Related Models

- Blum-Shub-Smale: uniform, defined for a fixed field F (such as R, C, GF(2)). Equality tests allowed; the version over R allows comparisons
- Algebraic computation trees: basically, the nonuniform version of [BSS]
- Arithmetic circuits, straight-line programs, Valiant's VP and VNP: no divisions or equality tests allowed
- Our results for |F| ≤ 2^poly(n) will extend to the straight-line model

## P_F/poly and NP_F/poly

- P_F/poly = class of languages L such that, given a list of primes {p(n)}_{n≥1}, for some polynomial size bound s and every n there exists an F_{p(n)}-circuit C_n of size s(n) such that for all x: x ∈ L ⇔ C_n(x) ≠ 0
- NP_F/poly = the same, except we substitute: x ∈ L ⇔ ∃ w ∈ {-1,1}^poly(n) such that C_n(x,w) ≠ 0
- Can define uniform versions with more sweat
- Why are the NP witnesses Boolean? For p(n) ≤ 2^poly(n), it doesn't matter. For p(n) > 2^poly(n), allowing F-witnesses would trivialize P_F ≠ NP_F! (Consider, e.g., quadratic residuosity)

## Arithmetic Cryptography When |F| ≤ 2^poly(n)

- A/A (Arithmetic/Arithmetic) OWF: family of functions computable in P_F/poly, such that for all P_F/poly adversaries C_n the inversion probability is negligible [formula omitted]
- A/B (Arithmetic/Boolean) OWF: same, except now the adversary is P/poly (i.e. has Boolean access to f_n(x))
- B/B (Boolean/Boolean) OWF: ordinary one-way function
- B/B, A/A, and A/B pseudorandom generators and pseudorandom functions can be defined similarly

## Equivalence Theorem

Assuming |F| ≤ 2^poly(n):

- A/B OWFs ⇔ B/B OWFs ⇔ A/A OWFs
- A/B PRGs ⇔ B/B PRGs ⇔ A/A PRGs
- A/B PRFs ⇔ B/B PRFs ⇔ A/A PRFs

The slide's diagram labels its arrows "Obvious", [HILL] (the standard Boolean OWF ⇒ PRG), [GGM] (the standard Boolean PRG ⇒ PRF), "Obvious", and "This work".

## The Boneh-Lipton Problem: A Bridge Between the Boolean and Arithmetic Worlds

- Problem: recover x, given (x+a_1)^q, …, (x+a_k)^q and a_1, …, a_k
- Suppose this problem is easy. Then for all p ≤ 2^poly(n), the Boolean and F_p worlds are polynomially equivalent
- Alas, the best known classical algorithm to recover x takes time [BL96]

## Intuition: We Win Either Way

Two possibilities:

1. BL is easy to invert ⇒ Boolean and F computation are equivalent ⇒ OWFs exist in one world iff they exist in the other
2. BL is hard to invert ⇒ BL itself is an OWF, in both the Boolean and F worlds

Difficulties: what if BL is only slightly hard? Or easy to invert on some input lengths but not others?

## Lemma

For all x ≠ y in F, [bound omitted].

Proof: (x+a_i)^q - (y+a_i)^q is a degree-q, nonzero polynomial in a_i, so it has at most q = (p-1)/2 roots.

Implication: (x+a_1)^q, …, (x+a_k)^q information-theoretically determine x with high probability over a_1, …, a_k, provided k >> log(p).
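As an added example (not from the slides), a small Python check of the lemma over F_p with the constructed toy prime p = 101: with q = (p-1)/2, (x+a)^q mod p is the Legendre symbol of x+a, which is why quadratic residuosity appears above. It verifies that no pair x ≠ y agrees on more than q shifts, and shows how many published samples are needed before brute force over F_p leaves x as the only consistent candidate.

```python
# Added example, not from the slides: the Boneh-Lipton lemma over a toy field F_p.
# For prime p and q = (p-1)/2, (x+a)^q mod p is the Legendre symbol of x+a, so each
# published sample reveals one quadratic-residuosity value about x (0, 1 or p-1).
import random

P = 101                 # constructed small prime; the slides allow any prime, even n-dependent
Q = (P - 1) // 2        # the exponent q from the slides
LEGENDRE = [pow(v, Q, P) for v in range(P)]   # table of v^q mod p for every v in F_p

def bl_sample(x, a):
    """One Boneh-Lipton sample (x+a)^q mod p."""
    return LEGENDRE[(x + a) % P]

def agreeing_shifts(x, y):
    """Number of shifts a in F_p with (x+a)^q == (y+a)^q.
    (x+a)^q - (y+a)^q is a nonzero polynomial of degree <= q in a, so this is <= q."""
    return sum(1 for a in range(P) if bl_sample(x, a) == bl_sample(y, a))

def max_agreement():
    """Worst case of agreeing_shifts over all pairs x != y; the lemma bounds it by Q."""
    return max(agreeing_shifts(x, y) for x in range(P) for y in range(P) if x != y)

def consistent_candidates(samples):
    """Brute force over F_p: every x consistent with the published (a_i, (x+a_i)^q) pairs.
    The true x is always included; by the lemma an impostor survives each sample
    with probability at most q/p, so k >> log(p) samples leave x alone."""
    return [x for x in range(P) if all(bl_sample(x, a) == v for a, v in samples)]

def unique_recovery_rate(k, trials=200, seed=1):
    """Fraction of trials in which k random shifts determine x uniquely."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        x = rng.randrange(P)
        shifts = [rng.randrange(P) for _ in range(k)]
        published = [(a, bl_sample(x, a)) for a in shifts]
        if consistent_candidates(published) == [x]:
            hits += 1
    return hits / trials

if __name__ == "__main__":
    print("max agreeing shifts over all x != y:", max_agreement(), "<= q =", Q)
    for k in (1, 5, 10, 30):
        print(f"k={k:2d} samples: x uniquely determined in {unique_recovery_rate(k):.0%} of trials")
```

With one sample an impostor survives with probability 49/101, so only k on the order of log(p) samples (here a few dozen) pin x down; the brute force is only feasible because p is tiny.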

## Easy Direction: B/B OWF ⇒ A/B OWF

Let f be a Boolean OWF. Then as our arithmetic OWF we can take F [formula omitted]. Clearly, any inverter for F yields an inverter for f.

## Other Direction: A/A OWF ⇒ A/B OWF

Let g be an OWF secure against arithmetic adversaries. Here's an OWF G secure against Boolean adversaries [formula omitted].

Let G' be a good Boolean inverter for G. Here's a good arithmetic inverter for g(x): first generate a_1, …, a_k randomly (remembering their Boolean descriptions), then compute G(x, a_1, …, a_k) and run G' on it.

Key fact: G(x, a_1, …, a_k) = G(y, a_1, …, a_k) ⇒ g(x) = g(y) with high probability over a_1, …, a_k, provided k >> log(p). In which case, G' can only invert G by finding a preimage of g(x).

## Argument for Pseudorandom Generators

- Let f be a B/B PRG. As our A/B PRG, we can take [formula omitted].
- Likewise, let g: F → F^2 be an A/A PRG. By a standard hybrid argument, we can stretch g to produce g_1, …, g_m: F → F, so that (g_1(x), …, g_m(x)) looks random. Here's our A/B PRG: [formula omitted], where Om(x) is the omelettization of a Boolean string x: its conversion to F-elements in a standard way.
- Similar arguments show that B/B or A/A pseudorandom functions imply A/B pseudorandom functions.

## Collapse Theorem

Assuming |F| > 2^poly(n): NP_F ⊄ P_F/poly ⇔ NP_F is hard on average ⇔ F-OWFs exist.

In other words, of the five worlds Algorithmica, Heuristica, Pessiland, Minicrypt, Cryptomania, the three middle ones merge into a single "Heuristiminipessicrypt".

- Hard-on-average NP_F problems with planted (Boolean) solutions
- More interesting notion of OWF when |F| > 2^poly(n)

## Major Challenge for Complexity Theory

Explain why current techniques fail to show PERMANENT ∉ AlgP/poly.

- First approach: extend algebrization [AW08] to low-degree oracles queried by arithmetic circuits. Construct A such that Alg#P^A = AlgP^A
- Second approach: Natural Proofs [RR97] for arithmetic complexity. Show that arithmetic circuit lower bounds based on rank, partial derivatives, etc. can't possibly work, since they would distinguish random functions f: F^n → F from pseudorandom ones
- What's needed: pseudorandom function families computable by arithmetic circuits over finite fields

## Arithmetic Pseudorandom Functions

Real challenge of Arithmetic Natural Proofs: find a family of degree-d polynomials p_s: F^n → F that are (1) computable by poly-size arithmetic circuits, (2) indistinguishable from random degree-d polynomials.

Our results show that, if ordinary OWFs exist, then one can construct a family of functions f_s: F^n → F that are (1) computable by poly-size arithmetic circuits, (2) indistinguishable from random functions (even by Boolean circuits). Problem solved!

Problem: PERMANENT is a low-degree polynomial! Any plausible lower bound proof would use that fact.

## Pseudorandom Low-Degree Polynomials: How to Construct Them?

| Approach | Verdict |
|---|---|
| Generic construction of PRF [Goldreich-Goldwasser-Micali] | Doesn't work (blows up degree) |
| Number-theoretic PRF [Naor-Reingold] | Doesn't work (uses bit operations to parallelize) |
| Hardness of learning small-depth arithmetic circuits [Klivans-Sherstov] | Doesn't work (requires specific input distribution) |
| Other constructions based on lattices/LWE | ??? |

## Candidate for Low-Degree Arithmetic PRF

Candidate g: F^n → F [formula omitted], where the L_ij's are independent, random linear functions.

Conjecture: using oracle access to p, no polynomial-size arithmetic circuit over the finite field F can distinguish g from a uniformly random homogeneous polynomial of degree d with non-negligible bias.

Note: it's easy to distinguish g from a random function!

## Conclusions

- One can give sensible definitions of Heuristica, Pessiland, and Minicrypt over a finite field F
- When |F| ≤ 2^poly(n), these worlds perfectly mirror their Boolean counterparts, even if F-computation is weaker than Boolean. Natural Proofs are no less fearsome in F-land
- But when |F| > 2^poly(n), Heuristica = Pessiland = Minicrypt
- Note: both of these results explain why the other doesn't generalize to all F!
- From this perspective, the distinction between P ≠ NP, NP hard on average, and the existence of OWFs (if indeed there is one) seems like an artifact of small field size

## Open Problems

- Construct pseudorandom low-degree polynomials p: F^n → F, ideally based on a known assumption
- Convincing Natural Proofs story for why PERMANENT ∉ AlgP/poly is hard
- OWF ⇒ PRG ⇒ PRF when |F| > 2^poly(n)?
- NP-completeness theory for large F
- Cryptomania: PKC, CRHFs, IBE, homomorphic encryption (?!), etc. in the arithmetic world
- Arithmetic circuits based on non-classical physics? Model proposed by [van Dam]

## Handwaving Idea

Theorem: CIRCUITSAT_F is NP_F-complete. What one would expect: Schwartz-Zippel!

Lemma: let C: F^n → F be a P_F/poly circuit of size s. Then {x ∈ F^n : C(x) = 0} belongs to the Boolean closure of 2^s algebraic varieties of degree 2^s each.

Canonical NP_F-complete problem: given x = (x_1, …, x_n) ∈ F^n, which we take to encode a (pure) arithmetic circuit C_x: F^m → F, does there exist a Boolean input w ∈ {-1,1}^m such that C_x(w) ≠ 0? (Get rid of equality tests using encoding tricks.)

Take a P_F/poly circuit A that solves this problem for most x, and correct it to one that works for all x.
