On the Complexity of On the Complexity of Parallel Parallel Hardness Amplification Hardness Amplification for One-Way Functions for One-Way Functions Chi-Jen Lu Chi-Jen Lu Academia Sinica, Taiwan Academia Sinica, Taiwan
On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.
Mar 27, 2015
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
On the Complexity of On the Complexity of ParallelParallel
Hardness AmplificationHardness Amplification for One-Way Functionsfor One-Way Functions
Chi-Jen LuChi-Jen Lu
Academia Sinica, TaiwanAcademia Sinica, Taiwan
OutlineOutline
MotivationMotivation Our ResultsOur Results Proof IdeasProof Ideas
MotivationMotivation
Fundamental Fundamental PrimitivesPrimitives One-way function (OWF): One-way function (OWF):
– easy to compute, hard to inverteasy to compute, hard to invert
Pseudo-random generator (PRG):Pseudo-random generator (PRG):– stretch a random seed into a long “random stretch a random seed into a long “random
looking” stringlooking” string
RelationshipRelationship
weak OWFweak OWF strong OWF strong OWF [Yao][Yao] PRG PRG [HILL][HILL]
– in polynomial timein polynomial time– in lower complexity classes?in lower complexity classes?
Hardness AmplificationHardness Amplification
OWF f has OWF f has hardness hardness : : poly-time poly-time MM
PrPrxx[M fails to invert f([M fails to invert f(xx)] > )] > .. 1-n-(1)
strong OWF
n-O(1)
weak OWF
2-n
worst-case OWF
Question 1Question 1
Worst-case OWF Worst-case OWF Strong OWF? Strong OWF?
???
1-n-(1)
strong OWF
n-O(1)
weak OWF
2-n
worst-case OWF
Weak OWF Weak OWF Strong Strong OWFOWF [Yao][Yao] f f f f’’
ff’’ ( (xx11,,xx22,,……,,xxkk) = (f() = (f(xx11),f(),f(xx22),),……,f(,f(xxkk))))
good: simple, parallelgood: simple, parallel bad: bad: notnot “security-preserving”“security-preserving” (blo (blo
w up input size)w up input size)
Weak OWP Weak OWP Strong Strong OWPOWP [GILVZ] f [GILVZ] f f f’’
ff’’ ((xx, , ww11,,……,,wwkk) = f() = f(wwkk(…(f((…(f(ww11(f((f(xx))))))
[GILVZ] f [GILVZ] f f f’’
ff’’ ((xx, , ww11,,……,,wwkk) = f() = f(wwkk(…(f((…(f(ww11(f((f(xx))))))
good: security-preserving good: security-preserving bad: bad: complex, sequentialcomplex, sequential
walk on expander
Weak OWP Weak OWP Strong Strong OWPOWP
Question 2Question 2
Weak OWF Weak OWF Strong OWF: Strong OWF:
security preserving + security preserving +
parallel (low complexity)?parallel (low complexity)?
Weak OWFWeak OWFACAC0 0 strong strong OWFOWFACAC00: security preserving ?: security preserving ?
constant-depth poly-size circuits
Bigger QuestionBigger Question
Low-complexity Crypto?Low-complexity Crypto?
Crypto. constructions / reductions Crypto. constructions / reductions in low complexity classes?in low complexity classes?
Theory vs. practiceTheory vs. practice
Attempt on Question 2Attempt on Question 2
Derandomize [Yao]?Derandomize [Yao]?ff’’ ( (xx11,,xx22,,……,,xxkk) = (f() = (f(xx11),f(),f(xx22),),……,f(,f(xxkk))))
Generate Generate xx11,,xx22,,……,,xxkk in some in some pseudo-rpseudo-random wayandom way from a short seed from a short seed xx? ?
ff’’ ( (xx) = (f() = (f(xx11),f(),f(xx22),),……,f(,f(xxkk))))
– [IW] some success w.r.t. hardness of “co[IW] some success w.r.t. hardness of “computing” functions (BPP vs. P)mputing” functions (BPP vs. P)
k independent
inputs
No success for OWF…No success for OWF…
Impossible task?Impossible task? Aim: hardness amplification is a Aim: hardness amplification is a
high complexity taskhigh complexity task What if What if strong OWF f strong OWF f’’ AC AC00??
hard. amp.: ignore f, compute fhard. amp.: ignore f, compute f’’ directly…directly…
Black-Box Hardness Black-Box Hardness AmplificationAmplification
(Strongly) Black Box(Strongly) Black Box
Transformation: Transformation:
hard f hard f harder fharder f’ ’ = = AMP f AMP uses uses ff as a black box as a black box
Hardness proof:Hardness proof:
A breaks fA breaks f’ ’ DDEC EC AA breaks f breaks f
DDECEC uses uses AA as a black box as a black box
could be unbounde
d
Weakly Black BoxWeakly Black Box
Transformation: Transformation:
hard f hard f harder fharder f’ ’ = = AMP f AMP uses uses ff as a black box as a black box
Hardness proof:Hardness proof:
A breaks fA breaks f’ ’ DDEC EC AA breaks f breaks f
DDECEC uses A as a black box uses A as a black box
ComplexityComplexity
Transformation: Transformation:
hard f hard f harder fharder f’ ’ = = AMP f AMP uses f as a black box uses f as a black box
Hardness proof:Hardness proof:
A breaks fA breaks f’ ’ DDEC EC AA breaks f breaks f
DDECEC uses A as a black box uses A as a black box
hardness hardness ’
AMP
high complexity
Previous WorkPrevious Work
Lin-Trevisan-WeeLin-Trevisan-Wee
B.B. hardness B.B. hardness tt with Awith AMPMP making making ss queries queries
t t = O(= O(ss).).
Our ResultsOur Results
Result (I)Result (I)
B.B. hardness B.B. hardness tt , with , with AAMP MP realized in ACrealized in AC00(s) (s)
t t (n’/n) (n’/n) loglogO(1)O(1)ss
t t n nO(1)O(1) when n’when n’nnO(1)O(1) & s& s22nnO(1)O(1)..
n’: new input lengthn: init. input length
PH PH NP NP P P
constant-depth circuits
of size s
Result (I)Result (I)
B.B. hardness B.B. hardness tt , with , with AAMP MP realized in ACrealized in AC00(s) (s)
t t (n’/n) (n’/n) loglogO(1)O(1)ss
t t log logO(1)O(1)nn when n’=O(n) & swhen n’=O(n) & snnO(1)O(1)..
security preserving
ACAC00
n’: new input lengthn: init. input length
Result (II)Result (II)
Weakly B.B. hardness Weakly B.B. hardness tt , , with Awith AMP MP realized in ACrealized in AC0 0 &&t t > (n’/n)> (n’/n) loglogO(1)O(1)nn
AAMPMP must “embed” a OWF with har must “embed” a OWF with hardness dness tt
Parallel Query ModelParallel Query Model
ModelModel
[Vio] [Vio] AMPf on input z:on input z:– generates circuit Cgenerates circuit CACAC00(s) and (s) and
non-adaptive queries xnon-adaptive queries x11,…,x,…,xkk – calls the oracle: (ycalls the oracle: (y11,…,y,…,ykk)=(f(x)=(f(x11),…,f(x),…,f(xkk))))– outputs outputs AMPf(z)(z) = C(y= C(y11,…,y,…,ykk))
Proof IdeasProof Ideas
Weakness of ACWeakness of AC0 0
circuitscircuits W.h.p. after a random restriction W.h.p. after a random restriction ,,
CCACAC00
1 0 0 1* *
* w.p. 1 w.p. (1-)/20 w.p. (1-)/2.
each bit each bit independentlyindependently
receivedreceived
{
Weakness of ACWeakness of AC0 0
circuitscircuits W.h.p. after a random restriction W.h.p. after a random restriction , a, a
ny Cny CACAC00 becomes becomes biasedbiased
CCACAC00
0, 1
1 0 0 * *1
C(Y) is the same for most Y
B.B. Hard. Amp.B.B. Hard. Amp.
z, z, AMPf(z)(z) = C(f(x= C(f(x11),…,f(x),…,f(xkk)) )) AC AC00
HardnessHardness tt Show: large Show: large t t contradiction contradiction Strategy: (follow closely [Vio]) find Strategy: (follow closely [Vio]) find
– f: with hardness f: with hardness – AMPf: with hardness < : with hardness < tt
Hardness Hardness
W.h.p. a random function f is hard,W.h.p. a random function f is hard,even after a random restriction even after a random restriction , if r, if rate of ate of ** is is highhigh [Vio]. [Vio].
**11**11**0000…………
100100**0101****0101**1111**1010**00**0101f(0
n)
.
.
.f(1
n)
against inverter
with poly
queries
kills Akills AMPMPff
[Vio] [Vio] z, w.h.p. after a random z, w.h.p. after a random , , AMPf(z)(z) = C(f= C(f(x(x11),…,f),…,f(x(xkk)) )) AC AC00
is same for most f, if rate of is same for most f, if rate of ** is is lowlow.. W.h.p. over W.h.p. over ,
M AMPf for most f A=M
“breaks” AMPf for most f DECA inverts fwell for most f.
New Random New Random RestrictionRestriction Rate of * is Rate of * is lowlow, but for a significant # , but for a significant #
of x, fof x, f(x) has enough (x) has enough **.. f
is a (weak) OWFis a (weak) OWF
**11**11**0000…………
10010101001010**0101**1111**
10101011010101f(0n)
.
.
.f(1
n)
Proof of Result (I)Proof of Result (I)
a restriction a restriction s.t. for most f,s.t. for most f, f
is hard to invertis hard to invert kills kills AMPf
some A inverts AMPf well DECA inverts fwell
t t in in ACAC0(s): large (s): large tt,, small ssmall s
Proof of Result (II)Proof of Result (II)
Derandomize Proof of Result (I)Derandomize Proof of Result (I)
Other Result:Other Result:PRG from OWFPRG from OWF
Result (III)Result (III)
B.B. PRG from OWFB.B. PRG from OWFPPRGRGff: {0,1}: {0,1}rr {0,1}{0,1}mm AC AC00(s)(s)
m-r o(r) when s 2mo(1).
sublinear stretch improving [Vio]: s mO(1).
Conclusion & Conclusion & QuestionsQuestions
High-Complexity TasksHigh-Complexity Tasks
Hard OWF Hard OWF harder OWF harder OWF OWF OWF PRG of long stretch PRG of long stretch
Relation among Relation among PrimitivesPrimitives
– lower complexity?lower complexity?
TDP
TDF PKE
PIR OT
KA OWF
BC
PRG
…
ZK
Related Documents
