Post on 11-Jan-2016
description
Derandomization & Cryptography
Boaz Barak, WeizmannShien Jin Ong, MIT
Salil Vadhan, Harvard
Question
Suppose the sequence 666 appears in the digits of both in the 100th place and in the 1000000th place.
Suppose an archeologist finds a mathematical proof by Archimedes that 666 appears in .
Is it possible to recover the place in Archimedes knew about?
Our Results
Under reasonable assumptions we obtain:
Non-interactive WI proof system for NP(in the plain model)
First non-interactive proof with secrecy property
Non-interactive Commitment SchemeUnder incomparable assumptions to [BM]
Our AssumptionsAssumption A: 9 L s.t. L 2 Dtime(2cn ) for some c L Ntime(2 n)/ 2 n for some >0
A natural strengthening of EXP * NP
NcN
N
Thm 1: Assumption A + TDP ) non-interactive WI
Thm 2: Assumption A + OWF ) non-interactive commit.
In paper: prove Thm 2 under
weaker, uniform, assumption.
(Uses [GST03])
Derandomization: a brief overview* A paradigm that attempts to transform:
Probabilistic algorithms => deterministic algorithms. (P BPP EXP NEXP).
Probabilistic protocols => deterministic protocols. (NP AM EXP NEXP).
We don’t know how to separate BPP and NEXP.
Can derandomize BPP and AM under natural complexity theoretic assumptions.
* Thanks to Ronen Shaltiel for these slides
Hardness versus Randomness Initiated by [BM,Yao,Shamir].
Assumption: hard functions exist.
Conclusion: Derandomization.
A lot of works: [BM82,Y82,HILL,NW88,BFNW93, I95,IW97,IW98,KvM99,STV99,ISW99,MV99, ISW00,SU01,U02,TV02,GST03]
Hardness versus Randomness
Assumption: hard functions exist.
Conclusion: Derandomization.
Hardness versus Randomness
Assumption: hard functions exist.
Exists pseudo-random generator
Conclusion: Derandomization.
Pseudo-random generators A pseudo-random generator (PRG) is an algorithm
that stretches a short string of truly random bits into a long string of pseudo-random bits.
pseudo-random bits
PRG seed
Pseudo-random bits are indistinguishable from truly random bits for feasible algorithms.
Consider also generators with O(log n) length seed.
??????????????
Pseudo-random generators with O(log n) length seed. Polynomial-sized algorithm can identify
pseudo-random strings as follows: Given a long string, enumerate all seeds and check that PRG(seed)=long string.
Can distinguish between random strings and pseudo-random strings.
Assuming distinguisher can enumerate all seeds.
The Nisan-Wigderson setup: distinguisher can not enumerate all seeds. Example: Seed length = 5logn and generator fools circuits of size n3. PRG can also run in time n5
Sufficient for derandomization!!
State of the art in this direction
Thm [NW88,…,IW97]: If 9 L s.t. L 2 Dtime(2cn) for some c L Size(2 n) for some >0Then BPP=P.
Arthur-Merlin Games [BM] Completeness: If the statement is
true then Arthur accepts. Soundness: If the statement is
false then Pr[Arthur accepts]<½.
Merlin Arthur“xL”
toss coinsmessage
message
I accept
Arthur-Merlin Games [BM] Completeness: If the statement is
true then Arthur accepts. Soundness: If the statement is
false then Pr[Arthur accepts]<½.
The class AM: All languages L which have an Arthur-Merlin protocol.
Contains many interesting problems not known to be in NP. (e.g. graph nonisomorphism)
The big question:
Does AM=NP?
In other words: Can every Arthur-Merlin protocol be replaced with one in which Arthur is deterministic?
Note that such a protocol is an NP proof.
Pseudo-random generators for nondeterministic circuits Nondeterministic algorithm can identify
pseudo-random strings as follows: Given a long string, guess a short seed and check that PRG(seed)=long string.
Assuming the circuit can run the PRG!! In NW setup circuit cannot run the
PRG!!. For example: The PRG runs in time n5 and fools (nondeterministic) circuits of size n3.
State of the art in this direction
Thm [AK,MV,KvM,SU]: If 9 L s.t. L 2 Dtime(2cn) for some c L Nsize(2 n) for some >0(i.e., if Assumption A holds)Then AM=NP.
PRG’s for nondeterministic circuits derandomize AM We can model the AM protocol as a
nondeterministic circuit which gets the random coins as input.
Merlin Arthur“xL”
random message
message
I accept
Hardwire input
PRG’s for nondeterministic circuits derandomize AM We can model the AM protocol as a
nondeterministic circuit which gets the random coins as input.
Merlin Arthur“xL”
random input
Nondeterministic guess
I accept
inputNondeterministic guessHardwire input
PRG’s for nondeterministic circuits derandomize AM We can model the AM protocol as a
nondeterministic circuit which gets the random coins as input.
We can use pseudo-random bits instead of truly random bits.
Merlin Arthur“xL”
pseudo-random input
Nondeterministic guess
I accept
Nondeterministic guess inputHardwire input
PRG’s for nondeterministic circuits derandomize AM We have AM protocol w/ deterministic (not
probabilistic) Arthur: He sends all pseudo-random strings and Merlin replies on each one.
Protocol is sound : otherwise we have a nondeterministic distinguisher.
Merlin Arthur“xL”
pseudo-random input
Nondeterministic guess
I accept
Our main observation: If original protocol was WI then new “protocol” is also WI!
Proof of Thm 1:
Thm [DN]: 9 TDP ) 9 AM protocol that is WI for NP
Combining this w/ [SU] and observation we get Thm 1:
TDP + Assumption A ) 9 Noninteractive WI for NP
Proving Thm 2
Use same technique to derandomize Naor’s commitment scheme (which is also of “AM” type).
That’s it…