# On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.

## Presentation on theme: "On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan."— Presentation transcript:

On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan

Outline Motivation Motivation Our Results Our Results Proof Ideas Proof Ideas

Motivation

Fundamental Primitives One-way function (OWF): One-way function (OWF): –easy to compute, hard to invert Pseudo-random generator (PRG): Pseudo-random generator (PRG): –stretch a random seed into a long random looking string

Relationship weak OWF weak OWF strong OWF [Yao] strong OWF [Yao] PRG [HILL] PRG [HILL] –in polynomial time –in lower complexity classes?

Hardness Amplification OWF f has hardness : poly-time M OWF f has hardness : poly-time M Pr x [M fails to invert f(x)] >. 1-n - (1) strong OWF n -O(1) weak OWF 2 -n worst-case OWF

Question 1 Worst-case OWF Strong OWF? Worst-case OWF Strong OWF? ??? 1-n - (1) strong OWF n -O(1) weak OWF 2 -n worst-case OWF

Weak OWF Strong OWF [Yao] f f [Yao] f f f (x 1,x 2,…,x k ) = (f(x 1 ),f(x 2 ),…,f(x k )) good: simple, parallel good: simple, parallel bad: not security-preserving (blow up input size) bad: not security-preserving (blow up input size)

Weak OWP Strong OWP [GILVZ] f f [GILVZ] f f f (x, w 1,…,w k ) = f(w k (…(f(w 1 (f(x)))

[GILVZ] f f [GILVZ] f f f (x, w 1,…,w k ) = f(w k (…(f(w 1 (f(x))) good: security-preserving good: security-preserving bad: complex, sequential bad: complex, sequential walk on expander Weak OWP Strong OWP

Question 2 Weak OWF Strong OWF: Weak OWF Strong OWF: security preserving + parallel (low complexity)? Weak OWF AC 0 strong OWF AC 0 : security preserving ? Weak OWF AC 0 strong OWF AC 0 : security preserving ? constant-depth poly-size circuits

Bigger Question Low-complexity Crypto? Low-complexity Crypto? Crypto. constructions / reductions in low complexity classes? Theory vs. practice Theory vs. practice

Attempt on Question 2 Derandomize [Yao]? Derandomize [Yao]? f (x 1,x 2,…,x k ) = (f(x 1 ),f(x 2 ),…,f(x k )) Generate x 1,x 2,…,x k in some pseudo- random way from a short seed x? Generate x 1,x 2,…,x k in some pseudo- random way from a short seed x? f (x) = (f(x 1 ),f(x 2 ),…,f(x k )) –[IW] some success w.r.t. hardness of computing functions (BPP vs. P) k independent inputs

No success for OWF … Impossible task? Impossible task? Aim: hardness amplification is a high complexity task Aim: hardness amplification is a high complexity task What if strong OWF f AC 0 ? What if strong OWF f AC 0 ? hard. amp.: ignore f, compute f directly …

Black-Box Hardness Amplification

(Strongly) Black Box Transformation: Transformation: hard f harder f = hard f harder f = A MP f uses f as a black box A MP uses f as a black box Hardness proof: Hardness proof: A breaks f D EC A breaks f D EC uses A as a black box could be unbounded

Weakly Black Box Transformation: Transformation: hard f harder f = hard f harder f = A MP f uses f as a black box A MP uses f as a black box Hardness proof: Hardness proof: A breaks f D EC A breaks f D EC uses A as a black box

Complexity Transformation: Transformation: hard f harder f = hard f harder f = A MP f uses f as a black box A MP uses f as a black box Hardness proof: Hardness proof: A breaks f D EC A breaks f D EC uses A as a black box hardness A MP high complexity

Previous Work

Lin-Trevisan-Wee B.B. hardness t B.B. hardness t with A MP making s queries t = O(s). t = O(s).

Our Results

Result (I) B.B. hardness t, with B.B. hardness t, with A MP realized in AC 0 (s) t (n/n) log O(1) s t (n/n) log O(1) s t n O(1) when n n O(1) & s 2 n O(1). t n O(1) when n n O(1) & s 2 n O(1). n: new input length n: init. input length PH NP P constant-depth circuits of size s

Result (I) B.B. hardness t, with B.B. hardness t, with A MP realized in AC 0 (s) t (n/n) log O(1) s t (n/n) log O(1) s t log O(1) n when n=O(n) & s n O(1). t log O(1) n when n=O(n) & s n O(1). security preserving AC 0 n: new input length n: init. input length

Result (II) Weakly B.B. hardness t, Weakly B.B. hardness t, with A MP realized in AC 0 & t > (n/n) log O(1) n A MP must embed a OWF with hardness t A MP must embed a OWF with hardness t

Parallel Query Model

Model [Vio] on input z: [Vio] A MP f on input z: –generates circuit C AC 0 (s) and non-adaptive queries x 1, …,x k –calls the oracle: (y 1, …,y k )=(f(x 1 ), …,f(x k )) –outputs (z) = C(y 1, …,y k ) –outputs A MP f (z) = C(y 1, …,y k )

Proof Ideas

Weakness of AC 0 circuits W.h.p. after a random restriction, W.h.p. after a random restriction, C AC 0 100 1** * w.p. 1 w.p. (1- )/2 0 w.p. (1- )/2. each bit independentlyreceived {

Weakness of AC 0 circuits W.h.p. after a random restriction, any C AC 0 becomes biased W.h.p. after a random restriction, any C AC 0 becomes biased C AC 0 0, 1 100 **1 C(Y ) is the same for most Y

B.B. Hard. Amp. z, (z) = C(f(x 1 ), …,f(x k )) AC 0 z, A MP f (z) = C(f(x 1 ), …,f(x k )) AC 0 Hardness t Hardness t Show: large t contradiction Show: large t contradiction Strategy: (follow closely [Vio]) find Strategy: (follow closely [Vio]) find –f: with hardness –f: with hardness –: with hardness < t –A MP f : with hardness < t

Hardness Hardness W.h.p. a random function f is hard, W.h.p. a random function f is hard, even after a random restriction, if rate of * is high [Vio]. *1*1*00 …… 100*01* *01*11* 10*0*01 f (0 n ). f (1 n ) against inverter with poly queries

kills A MP f kills A MP f [Vio] z, w.h.p. after a random, [Vio] z, w.h.p. after a random, (z) = C(f (x 1 ), …,f (x k )) AC 0 A MP f (z) = C(f (x 1 ), …,f (x k )) AC 0 is same for most f, if rate of * is low. W.h.p. over W.h.p. over, M A MP f for most f A =M breaks A MP f for most f D EC A inverts f well for most f.

New Random Restriction Rate of * is low, but for a significant # of x, f (x) has enough *. Rate of * is low, but for a significant # of x, f (x) has enough *. is a (weak) OWF f is a (weak) OWF *1*1*00 …… 1001010 *01*11* 1010101 f (0 n ). f (1 n )

Proof of Result (I) a restriction s.t. for most f, a restriction s.t. for most f, is hard to invert f is hard to invert kills kills A MP f some A inverts A MP f well D EC A inverts f well t in AC(s): large t, small s t in AC 0 (s): large t, small s

Proof of Result (II) Derandomize Proof of Result (I) Derandomize Proof of Result (I)

Other Result: PRG from OWF

Result (III) B.B. PRG from OWF B.B. PRG from OWF P RG f : {0,1} r {0,1} m AC 0 (s) m-r o (r) when s 2 m o(1). sublinear stretch improving [Vio]: s m O(1).

Conclusion & Questions

High-Complexity Tasks Hard OWF harder OWF Hard OWF harder OWF OWF PRG of long stretch OWF PRG of long stretch

Relation among Primitives –lower complexity? TDP TDFPKE PIROT KAOWF BC PRG … ZK

Download ppt "On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan."

Similar presentations