Impagliazzo's Worlds in Arithmetic Complexity: A Progress Report
Scott Aaronson and Andrew Drucker (MIT)
100% QUANTUM-FREE TALK
(FROM COWS NOT TREATED WITH rBQP)
Why Arithmetize Russell’s Worlds?
R, C, Fp: Funhouse mirrors of complexity theory
Permanent vs. Determinant, P_C vs. NP_C: "Warmups" to P vs. NP?
Some of our motivation came from Mulmuley’s GCT program
But who cares about crypto in the arithmetic model?
As it happens, much of current crypto is based on arithmetic over finite fields
Challenge: Arithmetic Natural Proofs. Explain why it’s so hard to prove circuit lower bounds for the Permanent
“Lifting” to larger fields gives new insights about worst-case / average-case equivalence
On the Menu Today
1. Equivalence of Complexity Questions In The Boolean and Small Finite Field Worlds
2. Over Large Finite Fields F, "NP_F ⊄ P_F/poly ⟹ OWFs Exist" (Heuristica = Pessiland = Minicrypt)
3. Natural Proofs for Arithmetic Circuits: A Challenge and Concrete Proposal
Arithmetic Computation Over A Finite Field F
Not allowed: Directly access bit representations of F-elements
“Deep reason” for finiteness: In cryptography, it’s nice to have a uniform distribution over F-elements
Allowed operations:
- Add, subtract, multiply, or divide any two F-elements
- Create and recognize the 0 and 1 elements (equality testing, branching, Boolean side-computation)
- Sample a random F-element (in randomized models)
- Hardwire F-elements (in nonuniform models)
In this talk, |F| will be finite, prime, possibly dependent on n
Three Regimes of Arithmetic Complexity
|F| ≤ poly(n): Trivially the same as Boolean computation
|F| ≤ 2^poly(n): No stronger than Boolean computation. Maybe weaker, since can't see bit representations of input F-elements. Same as Boolean computation if input is conveniently Boolean
|F| >> 2^poly(n): Incomparable with Boolean computation (a P machine can't even store F-elements). Algebraic geometry becomes relevant, since polynomials have degree << |F|
Related Models
Blum-Shub-Smale: Uniform, defined for a fixed field F (such as R, C, GF(2)). Equality tests allowed; version over R allows comparisons
Algebraic computation trees: Basically, nonuniform version of [BSS]
Arithmetic circuits, straight-line programs, Valiant's VP and VNP: No divisions or equality tests allowed
Our results for |F| ≤ 2^poly(n) will extend to the straight-line model
P_F/poly = Class of languages $L \subseteq \bigcup_{n \ge 1} \mathbb{F}_{p(n)}^n$, where $\{p(n)\}_{n \ge 1}$ is a list of primes, such that for some polynomial size bound s and every n, there exists an $\mathbb{F}_{p(n)}$-circuit $C_n$ of size s(n) such that for all $x \in \mathbb{F}_{p(n)}^n$:
$$x \in L \iff C_n(x) \ne 0$$
NP_F/poly = The same, except we substitute
$$x \in L \iff \exists\, w \in \{-1,1\}^{\mathrm{poly}(n)} \text{ such that } C_n(x,w) \ne 0$$
Can define uniform versions with more sweat
Why are the NP witnesses Boolean? For p(n) ≤ 2^poly(n), it doesn't matter. For p(n) > 2^poly(n), allowing F-witnesses would trivialize P_F ≠ NP_F!
(Consider, e.g., quadratic residuosity)
Arithmetic Cryptography When |F| ≤ 2^poly(n)
B/B (Boolean/Boolean) OWF: Ordinary one-way function
A/A (Arithmetic/Arithmetic) OWF: Family of functions $f_n : \mathbb{F}_{p(n)}^n \to \mathbb{F}_{p(n)}^{m(n)}$ computable in P_F/poly, such that for all P_F/poly adversaries $C_n$,
$$\Pr_{x \in \mathbb{F}_{p(n)}^n}\Big[ f_n\big(C_n(f_n(x))\big) = f_n(x) \Big] \le \mathrm{negl}(n)$$
A/B (Arithmetic/Boolean) OWF: Same, except now the adversary is P/poly (i.e. has Boolean access to f_n(x))
B/B, A/A, and A/B pseudorandom generators and pseudorandom functions can be defined similarly
Equivalence Theorem: Assuming |F| ≤ 2^poly(n), the following nine notions are all equivalent:
  A/B OWFs, B/B OWFs, A/A OWFs
  A/B PRGs, B/B PRGs, A/A PRGs
  A/B PRFs, B/B PRFs, A/A PRFs
Arrows in the diagram:
- A/B ⟹ B/B and A/B ⟹ A/A, for each of OWFs, PRGs, and PRFs: Obvious (the A/B adversary is the stronger one)
- PRF ⟹ PRG ⟹ OWF: Obvious
- B/B OWFs ⟹ B/B PRGs: [HILL]; B/B PRGs ⟹ B/B PRFs: [GGM]
- B/B ⟹ A/B and A/A ⟹ A/B, for each of OWFs, PRGs, and PRFs: This work
The Boneh-Lipton Problem: A Bridge Between the Boolean and Arithmetic Worlds
Problem: Given $a_1, \dots, a_k \in \mathbb{F}_p$ and $(x+a_1)^q, \dots, (x+a_k)^q \in \{-1, 0, 1\}$, where $q = (p-1)/2$, recover $x \in \mathbb{F}_p$
(By Euler's criterion, $(x+a_i)^q$ is the Legendre symbol of $x+a_i$: a field element that carries one "Boolean" value)
Suppose this problem is easy. Then for all p ≤ 2^poly(n), the Boolean and F_p worlds are polynomially equivalent
Alas, the best known classical algorithm to recover x takes time $\sim 2^{c\sqrt{\log p\,\log\log p}}$ [BL96]
Intuition: We Win Either Way
Two possibilities:
(1) BL is easy to invert
⟹ Boolean and F computation are equivalent
⟹ OWFs exist in one world iff they exist in the other
(2) BL is hard to invert
⟹ BL itself is an OWF, in both the Boolean and F worlds
Difficulties: What if BL is only slightly hard? Or easy to invert on some input lengths but not others?
Lemma: For all x ≠ y in F,
$$\Pr_{a_1, \dots, a_k \in \mathbb{F}}\Big[ (x+a_i)^q = (y+a_i)^q \text{ for all } i \in [k] \Big] \le \frac{1}{2^k}$$
Proof: (x+a_i)^q − (y+a_i)^q is a nonzero polynomial in a_i of degree at most q (the a_i^q terms cancel; the coefficient of a_i^{q−1} is q(x−y) ≠ 0), so it has at most q = (p−1)/2 roots. Hence each coordinate agrees with probability at most q/p < 1/2, and since the a_i are independent, all k agree with probability at most 2^{−k}.
Implication: (x+a_1)^q, …, (x+a_k)^q information-theoretically determine x with high probability over a_1, …, a_k, provided k >> log(p)
Easy Direction: B/B OWF ⟹ A/B OWF
Let f be a Boolean OWF. Then as our arithmetic OWF, we can take
$$F(y_1, \dots, y_n) := f\big(y_1^q, \dots, y_n^q\big)$$
Clearly, any inverter for F yields an inverter for f.
Other Direction: A/A OWF ⟹ A/B OWF
Let g be an OWF secure against arithmetic adversaries. Here's an OWF secure against Boolean adversaries:
$$G(x, a_1, \dots, a_k) := \Big( (g(x)+a_1)^q, \dots, (g(x)+a_k)^q,\ a_1, \dots, a_k \Big)$$
(with the q-th power applied coordinate-wise when g(x) is a vector of F-elements)
Let G' be a good Boolean inverter for G
Here's a good arithmetic inverter for g(x): first generate a_1, …, a_k randomly (remembering their Boolean descriptions), then compute G(x, a_1, …, a_k) from g(x) alone (only g(x) is needed, not x) and run G' on it
Key fact: G(x, a_1, …, a_k) = G(y, a_1, …, a_k) ⟹ g(x) = g(y) with high probability over a_1, …, a_k, provided k >> log(p). In which case, G' can only invert G by finding a preimage of g(x)
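The lemma and the two constructions above are small enough to run. The following is an added example, not code from the slides or from the authors: it implements the Boneh-Lipton encoding x ↦ ((x+a_1)^q, …, (x+a_k)^q) over F_p with q = (p−1)/2 (by Euler's criterion this is the Legendre symbol, so the encoding is the same map G applies to g(x)), exhaustively checks the lemma's root-count bound for a small prime, and shows that k >> log p random shifts pin x down, here by brute force over all of F_p. The choice k = 3·log2 p and the fixed random seed are assumptions of this example, not from the talk.

```python
import math
import random


def legendre(x, p):
    """Euler's criterion: x^((p-1)/2) mod p, mapped from {0, 1, p-1} to {0, 1, -1}.
    This is the Boolean-like value an arithmetic circuit can extract from a field element."""
    v = pow(x % p, (p - 1) // 2, p)
    return -1 if v == p - 1 else v


def encode(x, shifts, p):
    """Boneh-Lipton encoding ((x+a_1)^q, ..., (x+a_k)^q) of x in F_p.
    G from the slides applies exactly this map to g(x)."""
    return tuple(legendre(x + a, p) for a in shifts)


def max_agreements(p):
    """Lemma check (exhaustive; small p only): over all x != y, the largest number of
    shifts a with (x+a)^q == (y+a)^q. The proof bounds this by q = (p-1)/2."""
    worst = 0
    for x in range(p):
        for y in range(x + 1, p):
            agree = sum(1 for a in range(p)
                        if legendre(x + a, p) == legendre(y + a, p))
            worst = max(worst, agree)
    return worst


def candidates(sigma, shifts, p):
    """Information-theoretic inversion by brute force: every x' in F_p whose encoding
    equals sigma. Costs p steps; [BL96] gives nothing much better than subexponential."""
    return [x for x in range(p) if encode(x, shifts, p) == sigma]


def recover(x, p, k=None, seed=0):
    """Sample k >> log p uniform shifts (k = 3*log2(p) is this example's assumption),
    encode x, and return every field element consistent with the encoding."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    if k is None:
        k = 3 * max(1, math.ceil(math.log2(p)))
    shifts = [rng.randrange(p) for _ in range(k)]
    return candidates(encode(x, shifts, p), shifts, p)


if __name__ == "__main__":
    print("worst-case agreements over F_23:", max_agreements(23), "(lemma bound q = 11)")
    print("elements of F_101 consistent with the encoding of 42:", recover(42, 101))
```

With the seeded shifts above, `recover(42, 101)` returns the single candidate `[42]`; with only a handful of shifts (say `k=3`) several field elements survive, which is the "provided k >> log(p)" caveat in the lemma's implication.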
Argument for Pseudorandom Generators
Let f be a B/B PRG. As our A/B PRG, we can take
$$F(y_1, \dots, y_n) := \mathrm{Om}\Big( f\big(y_1^q, \dots, y_n^q\big) \Big)$$
Likewise, let g : F → F^2 be an A/A PRG. By a standard hybrid argument, we can "stretch" g to produce g_1, …, g_m : F → F, so that (g_1(x), …, g_m(x)) looks random. Here's our A/B PRG:
$$G(x) := \mathrm{Om}\Big( g_1(x)^q, \dots, g_m(x)^q \Big)$$
where Om(x) is the omelettization of a Boolean string x: its conversion to F-elements in a standard way
Similar arguments show that B/B or A/A pseudorandom functions imply A/B pseudorandom functions
Collapse Theorem: Assuming |F| > 2^poly(n),
  NP_F ⊄ P_F/poly  ⟺  NP_F is hard on average  ⟺  F-OWFs exist
In other words, Impagliazzo's worlds
  Algorithmica | Heuristica | Pessiland | Minicrypt | Cryptomania
collapse in the middle to
  Algorithmica | Heuristiminipessicrypt | Cryptomania
Diagram annotations: hard-on-average NP_F problems with planted (Boolean) solutions; a more interesting notion of OWF when |F| > 2^poly(n)
Major Challenge for Complexity Theory: Explain why current techniques fail to show PERMANENT ∉ AlgP/poly
First approach: Extend algebrization [AW08] to low-degree oracles queried by arithmetic circuits. Construct A such that Alg#P^A = AlgP^A
Second approach: Natural Proofs [RR97] for arithmetic complexity. Show that arithmetic circuit lower bounds based on rank, partial derivatives, etc. can't possibly work, since they would distinguish random functions f : F^n → F from pseudorandom ones
What's needed: Pseudorandom function families computable by arithmetic circuits over finite fields
Arithmetic Pseudorandom Functions
Real Challenge of Arithmetic Natural Proofs: Find a family of degree-d polynomials p_s : F^n → F that are
(1) computable by poly-size arithmetic circuits,
(2) indistinguishable from random degree-d polynomials
Our results show that, if ordinary OWFs exist, then one can construct a family of functions f_s : F^n → F that are
(1) computable by poly-size arithmetic circuits,
(2) indistinguishable from random functions (even by Boolean circuits)
Problem solved!
Problem: PERMANENT is a low-degree polynomial! Any plausible lower bound proof would use that fact
Pseudorandom Low-Degree Polynomials: How to Construct Them?
Generic construction of PRF [Goldreich-Goldwasser-Micali]: Doesn't work (blows up degree)
Number-theoretic PRF [Naor-Reingold]: Doesn't work (uses bit operations to parallelize)
Hardness of learning small-depth arithmetic circuits [Klivans-Sherstov]: Doesn't work (requires specific input distribution)
Other constructions based on lattices/LWE: ???
Candidate for Low-Degree Arithmetic PRF
$$g(x_1, \dots, x_n) := \det \begin{pmatrix} L_{11}(x_1, \dots, x_n) & \cdots & L_{1d}(x_1, \dots, x_n) \\ \vdots & \ddots & \vdots \\ L_{d1}(x_1, \dots, x_n) & \cdots & L_{dd}(x_1, \dots, x_n) \end{pmatrix}$$
where the L_ij's are independent, random linear functions
Conjecture: Using oracle access to g, no polynomial-size arithmetic circuit over the finite field F can distinguish g : F^n → F from a uniformly random, homogeneous polynomial of degree d, with non-negligible bias.
Note: it's easy to distinguish g from a random function!
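To make the last note concrete, here is an added example (not code from the slides or from the authors) that builds the determinant candidate over F_p with random linear forms and runs the obvious low-degree distinguisher: restricted to any line u + t·v, a polynomial of degree ≤ d is fixed by d+1 samples, so interpolating them must predict the value at t = d+1, which a random function gets right with probability only 1/p. It also checks the homogeneity g(c·x) = c^d·g(x) that a random degree-d homogeneous polynomial shares but a random function lacks. The prime 2^31 − 1, the parameters n = 4, d = 3 and the seeds are assumptions of this example.

```python
import random


def modinv(a, p):
    """Inverse in F_p for prime p, via Fermat."""
    return pow(a % p, p - 2, p)


def det_mod_p(M, p):
    """Determinant over F_p by Gaussian elimination with row swaps."""
    n = len(M)
    A = [[v % p for v in row] for row in M]
    det = 1
    for col in range(n):
        pivot = next((r for r in range(col, n) if A[r][col]), None)
        if pivot is None:
            return 0
        if pivot != col:
            A[col], A[pivot] = A[pivot], A[col]
            det = -det
        det = det * A[col][col] % p
        inv = modinv(A[col][col], p)
        for r in range(col + 1, n):
            f = A[r][col] * inv % p
            if f:
                A[r] = [(A[r][c] - f * A[col][c]) % p for c in range(n)]
    return det % p


def make_candidate(n, d, p, seed):
    """The slide's candidate g(x) = det(L_ij(x)), with L_ij independent random
    linear forms F_p^n -> F_p (no constant term, so g is homogeneous of degree d)."""
    rng = random.Random(seed)
    coeffs = [[[rng.randrange(p) for _ in range(n)] for _ in range(d)] for _ in range(d)]

    def g(x):
        M = [[sum(c * xi for c, xi in zip(coeffs[i][j], x)) % p for j in range(d)]
             for i in range(d)]
        return det_mod_p(M, p)
    return g


def random_function(p, seed):
    """A uniformly random function F_p^n -> F_p, materialised lazily per query."""
    rng = random.Random(seed)
    table = {}

    def f(x):
        key = tuple(x)
        if key not in table:
            table[key] = rng.randrange(p)
        return table[key]
    return f


def interpolate_at(ts, ys, t_star, p):
    """Lagrange interpolation over F_p: value at t_star of the unique polynomial
    of degree < len(ts) through the points (ts[i], ys[i])."""
    total = 0
    for i, (ti, yi) in enumerate(zip(ts, ys)):
        num, den = 1, 1
        for j, tj in enumerate(ts):
            if j != i:
                num = num * (t_star - tj) % p
                den = den * (ti - tj) % p
        total = (total + yi * num * modinv(den, p)) % p
    return total


def passes_line_test(f, n, d, p, seed, trials=5):
    """Degree-d distinguisher: on a random line u + t*v, d+1 samples of a degree-<=d
    polynomial predict the sample at t = d+1; a random function agrees w.p. 1/p."""
    rng = random.Random(seed)
    for _ in range(trials):
        u = [rng.randrange(p) for _ in range(n)]
        v = [rng.randrange(p) for _ in range(n)]
        on_line = lambda t: [(ui + t * vi) % p for ui, vi in zip(u, v)]
        ts = list(range(d + 1))
        ys = [f(on_line(t)) for t in ts]
        if interpolate_at(ts, ys, d + 1, p) != f(on_line(d + 1)):
            return False
    return True


def is_homogeneous_degree_d(g, x, c, d, p):
    """Homogeneity check g(c*x) == c^d * g(x) mod p."""
    return g([c * xi % p for xi in x]) == pow(c, d, p) * g(x) % p


if __name__ == "__main__":
    p, n, d = 2**31 - 1, 4, 3
    g = make_candidate(n, d, p, seed=1)
    print("determinant candidate passes the degree-d line test:",
          passes_line_test(g, n, d, p, seed=2))
    print("random function passes the degree-d line test:",
          passes_line_test(random_function(p, seed=3), n, d, p, seed=4))
```

The line test is exactly why the conjecture is phrased against random *homogeneous degree-d polynomials* rather than random functions: every degree-d polynomial passes it, so it carries no information about whether g is the determinant candidate or a random polynomial of the same degree.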
Conclusions
One can give sensible definitions of Heuristica, Pessiland, and Minicrypt over a finite field F
When |F| ≤ 2^poly(n), these worlds perfectly mirror their Boolean counterparts, even if F-computation is weaker than Boolean
Natural Proofs are no less fearsome in F-land
But when |F| > 2^poly(n), Heuristica = Pessiland = Minicrypt
Note: Both of these results explain why the other doesn't generalize to all F!
From this perspective, the distinction between P ≠ NP, NP hard on average, and existence of OWFs (if indeed there is one) seems like an "artifact of small field size."
Open Problems
Construct pseudorandom low-degree polynomials p : F^n → F, ideally based on a known assumption
Convincing Natural Proofs story for why PERMANENT ∉ AlgP/poly is hard
OWF ⟹ PRG ⟹ PRF when |F| > 2^poly(n)?
NP-completeness theory for large F
Cryptomania: PKC, CRHFs, IBE, homomorphic encryption (?!), etc. in the arithmetic world
Arithmetic circuits based on non-classical physics? Model proposed by [van Dam]
Handwaving Idea
What one would expect: Schwartz-Zippel!
Lemma: Let C : F^n → F be a P_F/poly circuit of size s. Then {x ∈ F^n : C(x) = 0} belongs to the Boolean closure of ≤ 2^s algebraic varieties of degree ≤ 2^s each
Canonical NP_F-Complete Problem: Given x = (x_1, …, x_n) ∈ F^n, which we take to encode a (pure) arithmetic circuit C_x : F^m → F, does there exist a Boolean input w ∈ {-1,1}^m such that C_x(w) ≠ 0?
(Get rid of equality tests using encoding tricks)
Take a P_F/poly circuit A that solves this problem for most x, and correct it to one that works for all x