power of randomness
Download
Report
Transcript power of randomness
On the Complexity of Parallel
Hardness Amplification
for One-Way Functions
Chi-Jen Lu
Academia Sinica, Taiwan
Outline
Motivation
Our Results
Proof Ideas
Motivation
Fundamental Primitives
One-way function (OWF):
– easy to compute, hard to invert
Pseudo-random generator (PRG):
– stretch a random seed into a long “random
looking” string
Relationship
weak OWF
strong OWF
PRG
[Yao]
[HILL]
– in polynomial time
– in lower complexity classes?
Hardness Amplification
d:
OWF f has hardness d : poly-time M
Prx[M fails to invert f(x)] > d.
2-n
worst-case OWF
n-O(1)
1-n-W(1)
weak OWF
strong OWF
Question 1
d:
Worst-case OWF Strong OWF?
2-n
worst-case OWF
n-O(1)
1-n-W(1)
weak OWF
strong OWF
???
Weak OWF Strong OWF
[Yao] f f’
f’ (x1,x2,…,xk) = (f(x1),f(x2),…,f(xk))
good: simple, parallel
bad: not “security-preserving” (blow
up input size)
Weak OWP Strong OWP
[GILVZ] f f’
f’ (x, w1,…,wk) = f(wk(…(f(w1(f(x)))
Weak OWP Strong OWP
[GILVZ] f f’
f’ (x, w1,…,wk) = f(wk(…(f(w1(f(x)))
walk on expander
good: security-preserving
bad: complex, sequential
Question 2
Weak OWF Strong OWF:
security preserving +
parallel (low complexity)?
Weak OWFAC0 strong OWFAC0:
security preserving ?
constant-depth
poly-size circuits
Bigger Question
Low-complexity Crypto?
Crypto. constructions / reductions in
low complexity classes?
Theory vs. practice
Attempt on Question
2
k independent
inputs
Derandomize [Yao]?
f’ (x1,x2,…,xk) = (f(x1),f(x2),…,f(xk))
Generate x1,x2,…,xk in some pseudorandom way from a short seed x?
f’ (x) = (f(x1),f(x2),…,f(xk))
– [IW] some success w.r.t. hardness of
“computing” functions (BPP vs. P)
No success for OWF…
Impossible task?
Aim: hardness amplification is a high
complexity task
What if strong OWF f’ AC0?
hard. amp.: ignore f, compute f’
directly…
Black-Box Hardness
Amplification
(Strongly) Black Box
Transformation:
hard f harder f’ = AMP f
AMP uses f as a black box
Hardness proof:
A
could be
A
breaks
f
’
D
EC breaks f
unbounded
DEC uses A as a black box
Weakly Black Box
Transformation:
hard f harder f’ = AMP f
AMP uses f as a black box
Hardness proof:
A breaks f’ DEC A breaks f
DEC uses A as a black box
Complexity
hardness d
hardness d’ >> d
high complexity
Transformation:
f
hard f harder f’ = AMP
MP
AMP uses f as a black box
Hardness proof:
A breaks f’ DEC A breaks f
DEC uses A as a black box
Previous Work
Lin-Trevisan-Wee
B.B. hardness d t d
with AMP making s queries
t = O(s).
Our Results
Result (I)
constant-depth
circuits of size s
B.B. hardness d t d, with
AMP realized in AC0(s)
n’: new input length
t (n’/n) logO(1)s
n: init. input length
t
nO(1)
when
n’nO(1)
&
O(1)
n
s2 .
PH NP P
Result (I)
B.B. hardness d t d, with
AMP realized in AC0(s)
n’: new input length
t (n’/n) logO(1)s
n: init. input length
t logO(1)n when n’=O(n) & snO(1).
security preserving
AC0
Result (II)
Weakly B.B. hardness d t d,
with AMP realized in AC0 &
t > (n’/n) logO(1)n
AMP must “embed” a OWF with
hardness t d
Parallel Query Model
Model
[Vio] AMPf on input z:
– generates circuit CAC0(s) and
non-adaptive queries x1,…,xk
– calls the oracle: (y1,…,yk)=(f(x1),…,f(xk))
– outputs AMPf(z) = C(y1,…,yk)
Proof Ideas
Weakness of AC0 circuits
W.h.p. after a random restriction r,
each bit
independently
received
{
w.p. a
1 w.p. (1-a)/2
0 w.p. (1-a)/2.
CAC0
*
1
0
0
*
1
*
Weakness of AC0 circuits
W.h.p. after a random restriction r,
any CAC0 becomes biased
0, 1
C(Yr) is the same
for most Y
CAC0
1
0
0
*
1
*
B.B. Hard. Amp.
z, AMPf(z) = C(f(x1),…,f(xk)) AC0
Hardness d t d
Show: large t contradiction
Strategy: (follow closely [Vio]) find
– f: with hardness d
– AMPf: with hardness < t d
against
inverter
with
poly
queries
Hardness d
W.h.p. a random function f is hard,
even after a random restriction r, if
rate of * is high [Vio].
fr(0n)
.
.
.
fr(1n)
10*0*01
*01*11*
100*01*
……
*1*1*00
r kills
f
AMP r
[Vio] z, w.h.p. after a random r,
AMPfr(z) = C(fr(x1),…,fr(xk)) AC0
is same for most f, if rate of * is low.
W.h.p. over r,
Mr AMPfr for most f
Ar=Mr-1 “breaks” AMPfr for most f
DECAr inverts fr well for most f.
New Random Restriction
Rate of * is low, but for a significant #
of x, fr(x) has enough *.
fr is a (weak) OWF
fr(0n)
.
.
.
fr(1n)
1010101
*01*11*
1001010
……
*1*1*00
Proof of Result (I)
a restriction r s.t. for most f,
fr is hard to invert
d t d in AC0(s):
large t, small s
r kills AMPfr
some Ar inverts AMPfr well
DECAr inverts fr well
Proof of Result (II)
Derandomize Proof of Result (I)
Other Result:
PRG from OWF
Result (III)
B.B. PRG from OWF
PRGf: {0,1}r {0,1}m AC0(s)
o(1)
m
m-r o(r) when s 2 .
sublinear stretch
improving [Vio]:
s mO(1).
Conclusion & Questions
High-Complexity Tasks
Hard OWF harder OWF
OWF PRG of long stretch
Relation among Primitives
TDF
PKE
PRG
ZK
TDP
KA
OWF
…
PIR
OT
– lower complexity?
BC