Impagliazzo's Worlds in Arithmetic Complexity


Impagliazzo’s Worlds in Arithmetic Complexity: A Progress Report



Scott Aaronson and Andrew Drucker
MIT

Why Arithmetize Russell’s Worlds?
- R, C, F_p: funhouse mirrors of complexity theory
- Permanent vs. Determinant, P_C ≠ NP_C: “warmups” to P vs. NP?
- Some of our motivation came from Mulmuley’s GCT program
But who cares about crypto in the arithmetic model?
- As it happens, much of current crypto is based on arithmetic over finite fields
- Challenge: Arithmetic Natural Proofs. Explain why it’s so hard to prove circuit lower bounds for the Permanent
- “Lifting” to larger fields gives new insights about worst-case / average-case equivalence
On the Menu Today
1. Equivalence of complexity questions in the Boolean and small finite field worlds
2. Over large finite fields F, “NP ⊄ P/poly ⟺ OWFs exist” (Heuristica = Pessiland = Minicrypt)
3. Natural Proofs for arithmetic circuits: a challenge and a concrete proposal
Arithmetic Computation Over A Finite Field F
Allowed operations:
- Add, subtract, multiply, or divide any two F-elements
- Create and recognize the 0 and 1 elements
(⟹ equality testing, branching, Boolean side-computation)
- Sample a random F-element (in randomized models)
- Hardwire F-elements (in nonuniform models)
Not allowed: Directly access bit representations of F-elements
In this talk, |F| will be finite, prime, possibly dependent on n
“Deep reason” for finiteness: In cryptography, it’s nice to
have a uniform distribution over F-elements
Three Regimes of Arithmetic Complexity
|F| ≤ poly(n): Trivially the same as Boolean computation.
|F| ≤ 2^poly(n): No stronger than Boolean computation. Maybe weaker, since it can’t see bit representations of input F-elements. Same as Boolean computation if the input is conveniently Boolean.
|F| >> 2^poly(n): Incomparable with Boolean computation (a P machine can’t even store F-elements). Algebraic geometry becomes relevant, since polynomials have degree << |F|.
Related Models
- Blum-Shub-Smale: Uniform, defined for a fixed field F (such as R, C, GF(2)). Equality tests allowed; the version over R allows comparisons
- Algebraic computation trees: Basically, the nonuniform version of [BSS]
- Arithmetic circuits, straight-line programs, Valiant’s VP and VNP: No divisions or equality tests allowed
Our results for |F| ≤ 2^poly(n) will extend to the straight-line model
Given $F = \{F_{p(n)}\}_{n \ge 1}$, with $\{p(n)\}_{n \ge 1}$ a list of primes…
$P_F/\mathrm{poly}$ = class of languages $L \subseteq \bigcup_{n \ge 1} F_{p(n)}^n$ such that for some polynomial size bound $s$ and every $n$, there exists an $F_{p(n)}$-circuit $C_n$ of size $s(n)$ such that for all $x \in F_{p(n)}^n$,
$x \in L \iff C_n(x) \ne 0$
$NP_F/\mathrm{poly}$ = the same, except we substitute
$x \in L \iff \exists\, w \in \{-1,1\}^{\mathrm{poly}(n)} \text{ such that } C_n(x, w) \ne 0$
Can define uniform versions with more sweat
Why are the NP witnesses Boolean?
- For p(n) ≤ 2^poly(n), it doesn’t matter
- For p(n) > 2^poly(n), allowing F-witnesses would trivialize P_F ≠ NP_F! (Consider, e.g., quadratic residuosity)
Arithmetic Cryptography When |F| ≤ 2^poly(n)
B/B (Boolean/Boolean) OWF: ordinary one-way function
A/A (Arithmetic/Arithmetic) OWF: family of functions
$f_n : F_{p(n)}^n \to F_{p(n)}^{m(n)}$
computable in $P_F/\mathrm{poly}$, such that for all $P_F/\mathrm{poly}$ adversaries $C_n$,
$\Pr_{x \in F_{p(n)}^n}\left[\, f_n\big(C_n(f_n(x))\big) = f_n(x) \,\right] \le \mathrm{negl}(n)$
A/B (Arithmetic/Boolean) OWF: same, except now the adversary is P/poly (i.e. has Boolean access to f_n(x))
B/B, A/A, and A/B pseudorandom generators and pseudorandom functions can be defined similarly
Equivalence Theorem: Assuming |F| ≤ 2^poly(n), the following are all equivalent:
B/B OWFs, A/A OWFs, A/B OWFs; B/B PRGs, A/A PRGs, A/B PRGs; B/B PRFs, A/A PRFs, A/B PRFs
[Diagram of implications among these nine notions; the arrows are labelled “Obvious”, “This work”, [HILL] (OWF ⟹ PRG) and [GGM] (PRG ⟹ PRF)]
The Boneh-Lipton Problem: A Bridge Between the Boolean and Arithmetic Worlds
$x \in F_p,\quad a_1, \ldots, a_k \in F_p,\quad (x+a_1)^q, \ldots, (x+a_k)^q \in \{-1, 0, 1\},\quad q = \frac{p-1}{2}$
Problem: Recover x, given (x+a_1)^q, …, (x+a_k)^q and a_1, …, a_k
Suppose this problem is easy. Then for all p ≤ 2^poly(n), the Boolean and F_p worlds are polynomially equivalent
Alas, the best known classical algorithm to recover x takes time $\sim c^{\sqrt{\log p \,\log\log p}}$ [BL96]
Intuition: We Win Either Way
Two possibilities:
(1) BL is easy to invert
⟹ Boolean and F computation are equivalent
⟹ OWFs exist in one world iff they exist in the other
(2) BL is hard to invert
⟹ BL itself is an OWF, in both the Boolean and F worlds
Difficulties: What if BL is only slightly hard? Or easy to invert on some input lengths but not others?
Lemma: For all $x \ne y$ in F,
$\Pr_{a_1, \ldots, a_k \in F}\left[\, (x+a_i)^q = (y+a_i)^q \ \ \forall\, i \le k \,\right] \le \frac{1}{2^k}$
Proof: $(x+a_i)^q - (y+a_i)^q$ is a degree-q, nonzero polynomial in $a_i$, so it has at most $q = (p-1)/2$ roots.
Implication: (x+a_1)^q, …, (x+a_k)^q information-theoretically determine x with high probability over a_1, …, a_k, provided k >> log(p)
Easy Direction: B/B OWF ⟹ A/B OWF
Let f be a Boolean OWF. Then as our arithmetic OWF, we can take
$F(y_1, \ldots, y_n) := f\big(y_1^q, \ldots, y_n^q\big)$
Clearly, any inverter for F yields an inverter for f.
Other Direction: A/A OWF ⟹ A/B OWF
Let g be an OWF secure against arithmetic adversaries. Here’s an OWF secure against Boolean adversaries:
$G(x, a_1, \ldots, a_k) := \big( (g(x)+a_1)^q, \ldots, (g(x)+a_k)^q,\ a_1, \ldots, a_k \big)$
Let G’ be a good Boolean inverter for G
Here’s a good arithmetic inverter for g(x): first generate a_1, …, a_k randomly (remembering their Boolean descriptions), then compute G(x, a_1, …, a_k) and run G’ on it
Key fact: G(x, a_1, …, a_k) = G(y, a_1, …, a_k) ⟹ g(x) = g(y) with high probability over a_1, …, a_k, provided k >> log(p). In which case, G’ can only invert G by finding a preimage of g(x)
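The lemma and the two OWF constructions above, as an added Python example that is not from the talk or the paper: it computes the Boneh-Lipton data (x+a_i)^q over a small constructed prime p = 101, measures the per-pair collision probability that the lemma bounds by 1/2^k, and shows that k >> log p random shifts pin down x information-theoretically (the inner step of the A/A ⟹ A/B map G). The prime, the shift count and all function names are my assumptions.

```python
import random

# Constructed parameters (not from the talk): a small odd prime so that
# exhaustive checks over all of F_p are cheap.
P = 101

def bl_symbol(x, a, p=P):
    """(x+a)^q mod p with q = (p-1)/2, reported as -1, 0 or 1 (the Legendre symbol of x+a)."""
    r = pow((x + a) % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def bl_encode(x, shifts, p=P):
    """The Boneh-Lipton data ((x+a_1)^q, ..., (x+a_k)^q) for shifts a_1, ..., a_k."""
    return tuple(bl_symbol(x, a, p) for a in shifts)

def g_to_boolean(gx, shifts, p=P):
    """Output of the A/A -> A/B construction G for a field element gx = g(x): the
    {-1,0,1}-valued encoding of gx, published together with the shifts themselves."""
    return bl_encode(gx, shifts, p) + tuple(shifts)

def collision_probability(x, y, k, trials, seed=0, p=P):
    """Empirical Pr over random a_1..a_k that x and y receive the same encoding.
    The lemma bounds this by (q/p)^k <= 1/2^k whenever x != y."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        shifts = [rng.randrange(p) for _ in range(k)]
        hits += bl_encode(x, shifts, p) == bl_encode(y, shifts, p)
    return hits / trials

def preimages(encoding, shifts, p=P):
    """All x in F_p with the given encoding: brute force, so information-theoretic only."""
    return [x for x in range(p) if bl_encode(x, shifts, p) == encoding]

def all_distinct(shifts, p=P):
    """True iff the shifts separate every pair x != y in F_p. By the lemma and a union
    bound this fails with probability at most p^2 / 2^(k+1), so k >> log p suffices."""
    return len({bl_encode(x, shifts, p) for x in range(p)}) == p

def demo(seed=0, k=28):
    """Draw k = 4*ceil(log2 101) shifts and check that they pin down every x, e.g. x = 5."""
    rng = random.Random(seed)
    shifts = [rng.randrange(P) for _ in range(k)]
    return all_distinct(shifts), preimages(bl_encode(5, shifts), shifts)
```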
Argument for Pseudorandom Generators
Let f be a B/B PRG. As our A/B PRG, we can take
$F(y_1, \ldots, y_n) := \mathrm{Om}\big( f(y_1^q, \ldots, y_n^q) \big)$
where Om(x) is the omelettization of a Boolean string x: its conversion to F-elements in a standard way
Likewise, let g: F → F^2 be an A/A PRG. By a standard hybrid argument, we can “stretch” g to produce g_1, …, g_m: F → F, so that (g_1(x), …, g_m(x)) looks random. Here’s our A/B PRG:
$G(x) := \mathrm{Om}\big( g_1(x)^q, \ldots, g_m(x)^q \big)$
Similar arguments show that B/B or A/A pseudorandom functions imply A/B pseudorandom functions
Collapse Theorem: Assuming |F| > 2^poly(n),
$NP_F \not\subset P_F/\mathrm{poly} \iff NP_F \text{ is hard on average} \iff F\text{-OWFs exist}$
In other words, Heuristica, Pessiland and Minicrypt merge into a single world:
Algorithmica | Heuristiminipessicrypt (= Heuristica = Pessiland = Minicrypt) | Cryptomania
[Figure annotations: “Hard-on-average NP_F problems with planted (Boolean) solutions”; “More interesting notion of OWF when |F| > 2^poly(n)”]
Major Challenge for Complexity Theory: Explain why current techniques fail to show PERMANENT ∉ AlgP/poly
First approach: Extend algebrization [AW08] to low-degree oracles queried by arithmetic circuits. Construct A such that Alg#P^A = AlgP^A
Second approach: Natural Proofs [RR97] for arithmetic complexity. Show that arithmetic circuit lower bounds based on rank, partial derivatives, etc. can’t possibly work, since they would distinguish random functions f: F^n → F from pseudorandom ones
What’s needed: Pseudorandom function families computable by arithmetic circuits over finite fields
Arithmetic Pseudorandom Functions
Our results show that, if ordinary OWFs exist, then one can construct a family of functions f_s: F^n → F that are
(1) computable by poly-size arithmetic circuits,
(2) indistinguishable from random functions (even by Boolean circuits)
Problem solved!
Problem: PERMANENT is a low-degree polynomial! Any plausible lower bound proof would use that fact
Real Challenge of Arithmetic Natural Proofs: Find a family of degree-d polynomials p_s: F^n → F that are
(1) computable by poly-size arithmetic circuits,
(2) indistinguishable from random degree-d polynomials
Pseudorandom Low-Degree Polynomials: How to Construct Them?
- Generic construction of PRF [Goldreich-Goldwasser-Micali]: doesn’t work (blows up degree)
- Number-theoretic PRF [Naor-Reingold]: doesn’t work (uses bit operations to parallelize)
- Hardness of learning small-depth arithmetic circuits [Klivans-Sherstov]: doesn’t work (requires specific input distribution)
- Other constructions based on lattices/LWE: ???
Candidate for Low-Degree Arithmetic PRF
$g(x_1, \ldots, x_n) := \det \begin{pmatrix} L_{11}(x_1, \ldots, x_n) & \cdots & L_{1d}(x_1, \ldots, x_n) \\ \vdots & \ddots & \vdots \\ L_{d1}(x_1, \ldots, x_n) & \cdots & L_{dd}(x_1, \ldots, x_n) \end{pmatrix}$
where the L_ij’s are independent, random linear functions
Conjecture: Using oracle access to p, no polynomial-size arithmetic circuit over the finite field F can distinguish g: F^n → F from a uniformly random, homogeneous polynomial of degree d, with non-negligible bias.
Note: it’s easy to distinguish g from a random function!
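The candidate g and the closing note, as an added Python example that is not from the talk: it evaluates g_key(x) = det[L_ij(x)] over a small constructed prime with a constructed key of random linear forms, checks that g is homogeneous of degree d, and shows one concrete reason g is easy to tell from a random function: restricted to any line x0 + t·v, g is a polynomial of degree ≤ d in t, so its (d+1)-th finite difference is always zero, while a random function passes that test only with probability 1/p. The prime, dimensions, key layout and names are my assumptions.

```python
import random

# Constructed parameters (not from the talk): a small prime and a 3x3 matrix
# so that every check below runs instantly.
P = 10007
N, D = 4, 3          # n input variables; d x d matrix => homogeneous degree d

def random_linear_forms(d, n, seed):
    """The key: d*d independent random linear functions L_ij(x) = sum_t c_ijt x_t over F_p."""
    rng = random.Random(seed)
    return [[[rng.randrange(P) for _ in range(n)] for _ in range(d)] for _ in range(d)]

def det_mod_p(m):
    """Determinant over F_p by Gaussian elimination on a list of rows."""
    m, d, det = [row[:] for row in m], len(m), 1
    for c in range(d):
        piv = next((r for r in range(c, d) if m[r][c] % P), None)
        if piv is None:
            return 0
        if piv != c:
            m[c], m[piv], det = m[piv], m[c], -det
        det = det * m[c][c] % P
        inv = pow(m[c][c], P - 2, P)
        for r in range(c + 1, d):
            f = m[r][c] * inv % P
            m[r] = [(a - f * b) % P for a, b in zip(m[r], m[c])]
    return det % P

def g(key, x):
    """The candidate PRF: g_key(x) = det[ L_ij(x) ]."""
    d = len(key)
    mat = [[sum(c * xi for c, xi in zip(key[i][j], x)) % P for j in range(d)] for i in range(d)]
    return det_mod_p(mat)

def line_test(f, x0, v, d):
    """Evaluate f on the line x0 + t*v for t = 0..d+1 and return the (d+1)-th forward
    difference. It is 0 for every polynomial of degree <= d in x; for a random function
    it is 0 only with probability 1/p, which is the 'easy to distinguish' observation."""
    vals = [f([(a + t * b) % P for a, b in zip(x0, v)]) for t in range(d + 2)]
    for _ in range(d + 1):
        vals = [(vals[i + 1] - vals[i]) % P for i in range(len(vals) - 1)]
    return vals[0]

def random_oracle(seed):
    """A random function F_p^n -> F_p, sampled lazily from a seeded RNG and memoised."""
    rng, table = random.Random(seed), {}
    return lambda x: table.setdefault(tuple(x), rng.randrange(P))

KEY = random_linear_forms(D, N, seed=0)   # constructed key for the checks below
```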
Conclusions
- One can give sensible definitions of Heuristica, Pessiland, and Minicrypt over a finite field F
- When |F| ≤ 2^poly(n), these worlds perfectly mirror their Boolean counterparts, even if F-computation is weaker than Boolean
- But when |F| > 2^poly(n), Heuristica = Pessiland = Minicrypt. From this perspective, the distinction between P ≠ NP, NP hard on average, and the existence of OWFs (if indeed there is one) seems like an “artifact of small field size.”
- Natural Proofs are no less fearsome in F-land
- Note: Both of these results explain why the other doesn’t generalize to all F!
Open Problems
- Construct pseudorandom low-degree polynomials p: F^n → F, ideally based on a known assumption
- Convincing Natural Proofs story for why PERMANENT ∉ AlgP/poly is hard
- OWF ⟹ PRG ⟹ PRF when |F| > 2^poly(n)?
- NP-completeness theory for large F
- Cryptomania: PKC, CRHFs, IBE, homomorphic encryption (?!), etc. in the arithmetic world
- Arithmetic circuits based on non-classical physics? Model proposed by [van Dam]
Handwaving Idea
What one would expect: Schwartz-Zippel!
Lemma: Let C: F^n → F be a P_F/poly circuit of size s. Then {x ∈ F^n : C(x) = 0} belongs to the Boolean closure of ≤ 2^s algebraic varieties of degree ≤ 2^s each
Canonical NP_F-Complete Problem: Given x = (x_1, …, x_n) ∈ F^n, which we take to encode a (pure) arithmetic circuit C_x: F^m → F, does there exist a Boolean input w ∈ {-1,1}^m such that C_x(w) ≠ 0? (Get rid of equality tests using encoding tricks)
Take a P_F/poly circuit A that solves this problem for most x, and correct it to one that works for all x