On the Complexity of On the Complexity of Parallel Parallel Hardness Amplification Hardness Amplification for One-Way Functions for One-Way Functions Chi-Jen Lu Chi-Jen Lu Academia Sinica, Taiwan Academia Sinica, Taiwan
Mar 27, 2015
On the Complexity of On the Complexity of ParallelParallel
Hardness AmplificationHardness Amplification for One-Way Functionsfor One-Way Functions
Chi-Jen LuChi-Jen Lu
Academia Sinica, TaiwanAcademia Sinica, Taiwan
OutlineOutline
MotivationMotivation Our ResultsOur Results Proof IdeasProof Ideas
MotivationMotivation
Fundamental Fundamental PrimitivesPrimitives One-way function (OWF): One-way function (OWF):
– easy to compute, hard to inverteasy to compute, hard to invert
Pseudo-random generator (PRG):Pseudo-random generator (PRG):– stretch a random seed into a long “random stretch a random seed into a long “random
looking” stringlooking” string
RelationshipRelationship
weak OWFweak OWF strong OWF strong OWF [Yao][Yao] PRG PRG [HILL][HILL]
– in polynomial timein polynomial time– in lower complexity classes?in lower complexity classes?
Hardness AmplificationHardness Amplification
OWF f has OWF f has hardness hardness : : poly-time poly-time MM
PrPrxx[M fails to invert f([M fails to invert f(xx)] > )] > .. 1-n-(1)
strong OWF
n-O(1)
weak OWF
2-n
worst-case OWF
Question 1Question 1
Worst-case OWF Worst-case OWF Strong OWF? Strong OWF?
???
1-n-(1)
strong OWF
n-O(1)
weak OWF
2-n
worst-case OWF
Weak OWF Weak OWF Strong Strong OWFOWF [Yao][Yao] f f f f’’
ff’’ ( (xx11,,xx22,,……,,xxkk) = (f() = (f(xx11),f(),f(xx22),),……,f(,f(xxkk))))
good: simple, parallelgood: simple, parallel bad: bad: notnot “security-preserving”“security-preserving” (blo (blo
w up input size)w up input size)
Weak OWP Weak OWP Strong Strong OWPOWP [GILVZ] f [GILVZ] f f f’’
ff’’ ((xx, , ww11,,……,,wwkk) = f() = f(wwkk(…(f((…(f(ww11(f((f(xx))))))
[GILVZ] f [GILVZ] f f f’’
ff’’ ((xx, , ww11,,……,,wwkk) = f() = f(wwkk(…(f((…(f(ww11(f((f(xx))))))
good: security-preserving good: security-preserving bad: bad: complex, sequentialcomplex, sequential
walk on expander
Weak OWP Weak OWP Strong Strong OWPOWP
Question 2Question 2
Weak OWF Weak OWF Strong OWF: Strong OWF:
security preserving + security preserving +
parallel (low complexity)?parallel (low complexity)?
Weak OWFWeak OWFACAC0 0 strong strong OWFOWFACAC00: security preserving ?: security preserving ?
constant-depth poly-size circuits
Bigger QuestionBigger Question
Low-complexity Crypto?Low-complexity Crypto?
Crypto. constructions / reductions Crypto. constructions / reductions in low complexity classes?in low complexity classes?
Theory vs. practiceTheory vs. practice
Attempt on Question 2Attempt on Question 2
Derandomize [Yao]?Derandomize [Yao]?ff’’ ( (xx11,,xx22,,……,,xxkk) = (f() = (f(xx11),f(),f(xx22),),……,f(,f(xxkk))))
Generate Generate xx11,,xx22,,……,,xxkk in some in some pseudo-rpseudo-random wayandom way from a short seed from a short seed xx? ?
ff’’ ( (xx) = (f() = (f(xx11),f(),f(xx22),),……,f(,f(xxkk))))
– [IW] some success w.r.t. hardness of “co[IW] some success w.r.t. hardness of “computing” functions (BPP vs. P)mputing” functions (BPP vs. P)
k independent
inputs
No success for OWF…No success for OWF…
Impossible task?Impossible task? Aim: hardness amplification is a Aim: hardness amplification is a
high complexity taskhigh complexity task What if What if strong OWF f strong OWF f’’ AC AC00??
hard. amp.: ignore f, compute fhard. amp.: ignore f, compute f’’ directly…directly…
Black-Box Hardness Black-Box Hardness AmplificationAmplification
(Strongly) Black Box(Strongly) Black Box
Transformation: Transformation:
hard f hard f harder fharder f’ ’ = = AMP f AMP uses uses ff as a black box as a black box
Hardness proof:Hardness proof:
A breaks fA breaks f’ ’ DDEC EC AA breaks f breaks f
DDECEC uses uses AA as a black box as a black box
could be unbounde
d
Weakly Black BoxWeakly Black Box
Transformation: Transformation:
hard f hard f harder fharder f’ ’ = = AMP f AMP uses uses ff as a black box as a black box
Hardness proof:Hardness proof:
A breaks fA breaks f’ ’ DDEC EC AA breaks f breaks f
DDECEC uses A as a black box uses A as a black box
ComplexityComplexity
Transformation: Transformation:
hard f hard f harder fharder f’ ’ = = AMP f AMP uses f as a black box uses f as a black box
Hardness proof:Hardness proof:
A breaks fA breaks f’ ’ DDEC EC AA breaks f breaks f
DDECEC uses A as a black box uses A as a black box
hardness hardness ’
AMP
high complexity
Previous WorkPrevious Work
Lin-Trevisan-WeeLin-Trevisan-Wee
B.B. hardness B.B. hardness tt with Awith AMPMP making making ss queries queries
t t = O(= O(ss).).
Our ResultsOur Results
Result (I)Result (I)
B.B. hardness B.B. hardness tt , with , with AAMP MP realized in ACrealized in AC00(s) (s)
t t (n’/n) (n’/n) loglogO(1)O(1)ss
t t n nO(1)O(1) when n’when n’nnO(1)O(1) & s& s22nnO(1)O(1)..
n’: new input lengthn: init. input length
PH PH NP NP P P
constant-depth circuits
of size s
Result (I)Result (I)
B.B. hardness B.B. hardness tt , with , with AAMP MP realized in ACrealized in AC00(s) (s)
t t (n’/n) (n’/n) loglogO(1)O(1)ss
t t log logO(1)O(1)nn when n’=O(n) & swhen n’=O(n) & snnO(1)O(1)..
security preserving
ACAC00
n’: new input lengthn: init. input length
Result (II)Result (II)
Weakly B.B. hardness Weakly B.B. hardness tt , , with Awith AMP MP realized in ACrealized in AC0 0 &&t t > (n’/n)> (n’/n) loglogO(1)O(1)nn
AAMPMP must “embed” a OWF with har must “embed” a OWF with hardness dness tt
Parallel Query ModelParallel Query Model
ModelModel
[Vio] [Vio] AMPf on input z:on input z:– generates circuit Cgenerates circuit CACAC00(s) and (s) and
non-adaptive queries xnon-adaptive queries x11,…,x,…,xkk – calls the oracle: (ycalls the oracle: (y11,…,y,…,ykk)=(f(x)=(f(x11),…,f(x),…,f(xkk))))– outputs outputs AMPf(z)(z) = C(y= C(y11,…,y,…,ykk))
Proof IdeasProof Ideas
Weakness of ACWeakness of AC0 0
circuitscircuits W.h.p. after a random restriction W.h.p. after a random restriction ,,
CCACAC00
1 0 0 1* *
* w.p. 1 w.p. (1-)/20 w.p. (1-)/2.
each bit each bit independentlyindependently
receivedreceived
{
Weakness of ACWeakness of AC0 0
circuitscircuits W.h.p. after a random restriction W.h.p. after a random restriction , a, a
ny Cny CACAC00 becomes becomes biasedbiased
CCACAC00
0, 1
1 0 0 * *1
C(Y) is the same for most Y
B.B. Hard. Amp.B.B. Hard. Amp.
z, z, AMPf(z)(z) = C(f(x= C(f(x11),…,f(x),…,f(xkk)) )) AC AC00
HardnessHardness tt Show: large Show: large t t contradiction contradiction Strategy: (follow closely [Vio]) find Strategy: (follow closely [Vio]) find
– f: with hardness f: with hardness – AMPf: with hardness < : with hardness < tt
Hardness Hardness
W.h.p. a random function f is hard,W.h.p. a random function f is hard,even after a random restriction even after a random restriction , if r, if rate of ate of ** is is highhigh [Vio]. [Vio].
**11**11**0000…………
100100**0101****0101**1111**1010**00**0101f(0
n)
.
.
.f(1
n)
against inverter
with poly
queries
kills Akills AMPMPff
[Vio] [Vio] z, w.h.p. after a random z, w.h.p. after a random , , AMPf(z)(z) = C(f= C(f(x(x11),…,f),…,f(x(xkk)) )) AC AC00
is same for most f, if rate of is same for most f, if rate of ** is is lowlow.. W.h.p. over W.h.p. over ,
M AMPf for most f A=M
“breaks” AMPf for most f DECA inverts fwell for most f.
New Random New Random RestrictionRestriction Rate of * is Rate of * is lowlow, but for a significant # , but for a significant #
of x, fof x, f(x) has enough (x) has enough **.. f
is a (weak) OWFis a (weak) OWF
**11**11**0000…………
10010101001010**0101**1111**
10101011010101f(0n)
.
.
.f(1
n)
Proof of Result (I)Proof of Result (I)
a restriction a restriction s.t. for most f,s.t. for most f, f
is hard to invertis hard to invert kills kills AMPf
some A inverts AMPf well DECA inverts fwell
t t in in ACAC0(s): large (s): large tt,, small ssmall s
Proof of Result (II)Proof of Result (II)
Derandomize Proof of Result (I)Derandomize Proof of Result (I)
Other Result:Other Result:PRG from OWFPRG from OWF
Result (III)Result (III)
B.B. PRG from OWFB.B. PRG from OWFPPRGRGff: {0,1}: {0,1}rr {0,1}{0,1}mm AC AC00(s)(s)
m-r o(r) when s 2mo(1).
sublinear stretch improving [Vio]: s mO(1).
Conclusion & Conclusion & QuestionsQuestions
High-Complexity TasksHigh-Complexity Tasks
Hard OWF Hard OWF harder OWF harder OWF OWF OWF PRG of long stretch PRG of long stretch
Relation among Relation among PrimitivesPrimitives
– lower complexity?lower complexity?
TDP
TDF PKE
PIR OT
KA OWF
BC
PRG
…
ZK