On the Complexity of Parallel Hardness Amplification for One-Way Functions
Chi-Jen Lu
Academia Sinica, Taiwan

Outline
– Motivation
– Our Results
– Proof Ideas

Motivation
Fundamental Primitives
One-way function (OWF):
– easy to compute, hard to invert
Pseudo-random generator (PRG):
– stretch a random seed into a long “random looking” string

Relationship
$\text{weak OWF} \xrightarrow{\text{[Yao]}} \text{strong OWF} \xrightarrow{\text{[HILL]}} \text{PRG}$
– in polynomial time
– in lower complexity classes?

Hardness Amplification
OWF f has hardness $\delta$: $\forall$ poly-time M, $\Pr_x[M \text{ fails to invert } f(x)] > \delta$.
$\delta$:
– $2^{-n}$: worst-case OWF
– $n^{-O(1)}$: weak OWF
– $1-n^{-\Omega(1)}$: strong OWF

Question 1
Worst-case OWF → Strong OWF?
$\delta$:
– $2^{-n}$: worst-case OWF
– $n^{-O(1)}$: weak OWF
– $1-n^{-\Omega(1)}$: strong OWF
– worst-case OWF → strong OWF: ???

Weak OWF → Strong OWF
[Yao] f → f'
$f'(x_1,x_2,\dots,x_k) = (f(x_1),f(x_2),\dots,f(x_k))$
– good: simple, parallel
– bad: not “security-preserving” (blow up input size)

Weak OWP → Strong OWP
[GILVZ] f → f'
$f'(x, w_1,\dots,w_k) = f(w_k(\cdots f(w_1(f(x)))\cdots))$
– walk on expander
– good: security-preserving
– bad: complex, sequential

Question 2
Weak OWF → Strong OWF:
security preserving + parallel (low complexity)?
Weak OWF ∈ $\mathrm{AC}^0$ → strong OWF ∈ $\mathrm{AC}^0$:
security preserving?
($\mathrm{AC}^0$: constant-depth poly-size circuits)

Bigger Question
Low-complexity Crypto?
Crypto. constructions / reductions in low complexity classes?
Theory vs. practice

Attempt on Question 2
Derandomize [Yao]?
$f'(x_1,x_2,\dots,x_k) = (f(x_1),f(x_2),\dots,f(x_k))$ (k independent inputs)
Generate $x_1,x_2,\dots,x_k$ in some pseudorandom way from a short seed x?
$f'(x) = (f(x_1),f(x_2),\dots,f(x_k))$
– [IW] some success w.r.t. hardness of “computing” functions (BPP vs. P)
No success for OWF…

Impossible task?
Aim: hardness amplification is a high complexity task
What if ∃ strong OWF $f' \in \mathrm{AC}^0$?
hard. amp.: ignore f, compute f' directly…

Black-Box Hardness Amplification

(Strongly) Black Box
Transformation:
hard f → harder $f' = \mathrm{AMP}^f$
AMP uses f as a black box
Hardness proof:
A breaks f' ⇒ $\mathrm{DEC}^A$ breaks f (A could be unbounded)
DEC uses A as a black box

Weakly Black Box
Transformation:
hard f → harder $f' = \mathrm{AMP}^f$
AMP uses f as a black box
Hardness proof:
A breaks f' ⇒ $\mathrm{DEC}^A$ breaks f
DEC uses A as a black box

Complexity
hardness $\delta$ → hardness $\delta' \gg \delta$: high complexity
Transformation:
hard f → harder $f' = \mathrm{AMP}^f$
AMP uses f as a black box
Hardness proof:
A breaks f' ⇒ $\mathrm{DEC}^A$ breaks f
DEC uses A as a black box

Previous Work
Lin-Trevisan-Wee
B.B. hardness $\delta \to t\delta$ with AMP making s queries
⇒ t = O(s).

Our Results
Result (I)
B.B. hardness $\delta \to t\delta$, with AMP realized in $\mathrm{AC}^0(s)$ (constant-depth circuits of size s)
⇒ $t \le (n'/n) \log^{O(1)} s$
(n: init. input length, n': new input length)
⇒ $t \le n^{O(1)}$ when $n' \le n^{O(1)}$ & $s \le 2^{n^{O(1)}}$.
PH  NP  P
Result (I)
B.B. hardness $\delta \to t\delta$, with AMP realized in $\mathrm{AC}^0(s)$
⇒ $t \le (n'/n) \log^{O(1)} s$
(n: init. input length, n': new input length)
⇒ $t \le \log^{O(1)} n$ when $n' = O(n)$ (security preserving) & $s \le n^{O(1)}$ ($\mathrm{AC}^0$).

Result (II)
Weakly B.B. hardness $\delta \to t\delta$, with AMP realized in $\mathrm{AC}^0$ & $t > (n'/n) \log^{O(1)} n$
⇒ AMP must “embed” a OWF with hardness  $t\delta$

Parallel Query Model
Model
[Vio] $\mathrm{AMP}^f$ on input z:
– generates circuit $C \in \mathrm{AC}^0(s)$ and non-adaptive queries $x_1,\dots,x_k$
– calls the oracle: $(y_1,\dots,y_k) = (f(x_1),\dots,f(x_k))$
– outputs $\mathrm{AMP}^f(z) = C(y_1,\dots,y_k)$

Proof Ideas
Weakness of $\mathrm{AC}^0$ circuits
W.h.p. after a random restriction $\rho$,
each bit independently receives
– * w.p. $\alpha$
– 1 w.p. $(1-\alpha)/2$
– 0 w.p. $(1-\alpha)/2$.
[Figure: $C \in \mathrm{AC}^0$ on restricted input * 1 0 0 * 1 *]

Weakness of $\mathrm{AC}^0$ circuits
W.h.p. after a random restriction $\rho$, any $C \in \mathrm{AC}^0$ becomes biased:
$C(Y_\rho)$ is the same for most Y
[Figure: $C \in \mathrm{AC}^0$, labels 0, 1, restricted input 1 0 0 * 1 *]

B.B. Hard. Amp.
$\forall z$, $\mathrm{AMP}^f(z) = C(f(x_1),\dots,f(x_k)) \in \mathrm{AC}^0$
Hardness $\delta \to t\delta$
Show: large t ⇒ contradiction
Strategy: (follow closely [Vio]) find
– f: with hardness $\delta$
– $\mathrm{AMP}^f$: with hardness $< t\delta$
(against inverter with poly queries)

Hardness $\delta$
W.h.p. a random function f is hard, even after a random restriction $\rho$, if rate of * is high [Vio].
[Figure: table of $f_\rho(0^n), \dots, f_\rho(1^n)$ with rows 10*0*01, *01*11*, 100*01*, ……, *1*1*00]

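$\rho$ kills $\mathrm{AMP}^{f_\rho}$
[Vio] $\forall z$, w.h.p. after a random $\rho$,
$\mathrm{AMP}^{f_\rho}(z) = C(f_\rho(x_1),\dots,f_\rho(x_k)) \in \mathrm{AC}^0$
is same for most f, if rate of * is low.
⇒ W.h.p. over $\rho$,
  $M_\rho$  $\mathrm{AMP}^{f_\rho}$ for most f
⇒ $A_\rho = M_\rho^{-1}$ “breaks” $\mathrm{AMP}^{f_\rho}$ for most f
⇒ $\mathrm{DEC}^{A_\rho}$ inverts $f_\rho$ well for most f.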
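
Added example (not part of the talk or of [Vio]): a toy instance of the parallel query model and of the statement above that the output is the same for most f when the rate of * is low. For one fixed input z (one set of distinct non-adaptive queries and one depth-2 circuit C) it draws random restrictions of f's truth table and computes exactly what fraction of the functions consistent with the restriction give C's majority output. All names, sizes, and the choice of a random DNF for C are assumptions made for illustration; this shows the statement on small parameters, not the proof.

```python
import itertools
import random

STAR = None  # an unfixed truth-table bit of f ('*' on the slides)

def random_restriction(num_bits, star_prob, rng):
    """Each bit independently: STAR w.p. star_prob, else 0 or 1 with equal probability."""
    return [STAR if rng.random() < star_prob else rng.randrange(2)
            for _ in range(num_bits)]

def eval_dnf(dnf, y):
    """Depth-2 circuit C: OR of ANDs; a literal (i, b) is satisfied when y[i] == b."""
    return int(any(all(y[i] == b for i, b in term) for term in dnf))

def answers(rho, queries, m):
    """Restricted oracle answers (f_rho(x_1), ..., f_rho(x_k)) as one flat bit list."""
    return [rho[x * m + j] for x in queries for j in range(m)]

def agreement(y_rho, dnf):
    """Fraction of the functions f consistent with rho on which C(f(x_1), ..., f(x_k))
    takes its majority value; exact, by enumerating every setting of the starred bits."""
    stars = [i for i, b in enumerate(y_rho) if b is STAR]
    ones = 0
    for fill in itertools.product((0, 1), repeat=len(stars)):
        y = list(y_rho)
        for i, b in zip(stars, fill):
            y[i] = b
        ones += eval_dnf(dnf, y)
    total = 2 ** len(stars)
    return max(ones, total - ones) / total

def experiment(star_prob, n=6, m=4, k=3, width=3, terms=8, trials=200, seed=1):
    """Average agreement over random restrictions for one fixed input z, i.e. one
    fixed choice of distinct non-adaptive queries and of the circuit C (hypothetical)."""
    rng = random.Random(seed)
    queries = rng.sample(range(2 ** n), k)
    dnf = [[(i, rng.randrange(2)) for i in rng.sample(range(k * m), width)]
           for _ in range(terms)]
    total = 0.0
    for _ in range(trials):
        rho = random_restriction(2 ** n * m, star_prob, rng)
        total += agreement(answers(rho, queries, m), dnf)
    return total / trials

if __name__ == "__main__":
    for a in (0.0, 0.1, 0.5, 1.0):
        print(f"star rate {a:.1f}: average agreement {experiment(a):.3f}")
```

An agreement of 1.0 means the output at z no longer depends on f at all; the same seed gives the same queries and circuit for every star rate, so the printed rows are comparable.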

New Random Restriction
Rate of * is low, but for a significant # of x, $f_\rho(x)$ has enough *.
⇒ $f_\rho$ is a (weak) OWF
[Figure: table of $f_\rho(0^n), \dots, f_\rho(1^n)$ with rows 1010101, *01*11*, 1001010, ……, *1*1*00]

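Proof of Result (I)
∃ a restriction $\rho$ s.t. for most f,
– $f_\rho$ is hard to invert
– $\rho$ kills $\mathrm{AMP}^{f_\rho}$ ($\delta \to t\delta$ in $\mathrm{AC}^0(s)$: large t, small s)
⇒ some $A_\rho$ inverts $\mathrm{AMP}^{f_\rho}$ well
⇒ $\mathrm{DEC}^{A_\rho}$ inverts $f_\rho$ well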

Proof of Result (II)

Derandomize Proof of Result (I)
Other Result: PRG from OWF

Result (III)
B.B. PRG from OWF
$\mathrm{PRG}^f: \{0,1\}^r \to \{0,1\}^m \in \mathrm{AC}^0(s)$
⇒ $m - r \le o(r)$ when $s \le 2^{m^{o(1)}}$ (sublinear stretch)
improving [Vio]: $s \le m^{O(1)}$.

Conclusion & Questions

High-Complexity Tasks
– Hard OWF → harder OWF
– OWF → PRG of long stretch

Relation among Primitives
[Figure: TDF, PKE, PRG, ZK, TDP, KA, OWF, PIR, OT, BC, …]
– lower complexity?