COS 433: Cryptography. Princeton University, Fall 2005. Boaz Barak. Lecture 3: Computational Hardness


Page 1: COS 433:  Cryptography


COS 433: Cryptography

Princeton University

Fall 2005

Boaz Barak

Lecture 3: Computational Hardness

Page 2: COS 433:  Cryptography

“Impatient Cryptography”

Last Lecture: Simple algorithm (~10 lines of C code) to break every encryption with key-length < message-length.

Caveat: Takes roughly $2^{\text{key length}}$ steps to run.

For a 1KB key, this will take more than the galaxy's lifetime to finish.

This holds even if we run in parallel, with one processor for each atom of the universe, each running at light speed.

Encryption that takes this long to break seems to provide “pretty good privacy”.

Page 3: COS 433:  Cryptography

Measuring Computational Steps

Church-Turing thesis: every physically feasible computation can be described roughly as follows:

[Figure: memory (size $s$) in its initial state, then Step 1, Step 2, ..., Step i, Step i+1, ..., final state ($t$ steps).]

Captures every computer or other computing device ever built, including the human brain.

Bit in state i+1 depends on a constant number (e.g. 3) of bits of state i.

W.l.o.g., each bit depends on $\le 2$ bits, using either $\wedge$, $\vee$ or $\neg$ functions.

We call this a $t \cdot s$-sized Boolean circuit.

Page 4: COS 433:  Cryptography

Computational Hardness

Fact 1: $\forall f:\{0,1\}^n \to \{0,1\}^n$, $\exists$ an $n^2 2^n$-sized Boolean circuit $C$ s.t. $C$ computes $f$.

Def: Let $f:\{0,1\}^n \to \{0,1\}^m$ be a function. We say that $f$ is (T,)-hard if for every $T$-sized circuit $C$

$\Pr_{x \leftarrow \{0,1\}^n}[\, C(x) = f(x) \,]$ <

Thm: $\forall n$, there exists a function $f:\{0,1\}^n \to \{0,1\}^n$ that is $(2^{n/10}, 2^{-n/10})$-hard.

We know: If $f:\{0,1\}^n \to \{0,1\}^n$ then $f$ can't be $(n^2 2^n, 1)$-hard and can't be $(T,0)$-hard for any $T$ (where $T > n$).
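The hardness definition above can be checked exhaustively for very small n. The following is an added example, not part of the lecture: it enumerates every circuit with at most T AND/OR/NOT gates on 3 input bits and reports the best agreement any of them reaches with a target function. Counting gates (rather than the $t \cdot s$ measure), using a single output bit, choosing parity as the target, and all names in the code are assumptions of this example.

```python
N = 3                        # input bits; tiny so every circuit can be enumerated
ROWS = 1 << N                # number of inputs x in {0,1}^N
MASK = (1 << ROWS) - 1
# A 1-bit-output function is stored as its truth table: bit x of the integer is f(x).
INPUTS = [sum(((x >> i) & 1) << x for x in range(ROWS)) for i in range(N)]
PARITY = sum((bin(x).count("1") & 1) << x for x in range(ROWS))  # constructed target f

def computable(max_gates):
    """Truth tables of all functions computed by circuits with <= max_gates
    AND/OR/NOT gates (fan-in <= 2). A state is the set of wires built so far."""
    frontier = {frozenset(INPUTS)}
    tables = set(INPUTS)
    for _ in range(max_gates):
        nxt = set()
        for wires in frontier:
            for a in wires:
                for b in wires:
                    for out in (a & b, a | b, ~a & MASK):
                        if out not in wires:      # a gate repeating a wire is wasted
                            nxt.add(wires | {out})
                            tables.add(out)
        frontier = nxt
    return tables

def best_agreement(f_table, max_gates):
    """Max over circuits C with <= max_gates gates of Pr_x[C(x) = f(x)], x uniform."""
    agree = lambda g: ROWS - bin(g ^ f_table).count("1")
    return max(agree(g) for g in computable(max_gates)) / ROWS

if __name__ == "__main__":
    for T in range(5):
        p = best_agreement(PARITY, T)
        # In this gate-count model f is (T, eps)-hard exactly when eps > p,
        # where eps names the success-probability bound of the definition.
        print(f"T={T}: best Pr[C(x) = f(x)] = {p}")
```

Small circuits do no better than a coin flip against parity here; the bound on the success probability only has to loosen as T grows.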

Page 5: COS 433:  Cryptography

Asymptotic Hardness

Def: A function $h:\mathbb{N} \to \mathbb{N}$ is super-polynomial if $\forall$ polynomial $q(\cdot)$, $\exists n$ s.t. $h(n) > q(n)$.

In other words $h(n) = n^{\omega(1)}$.

Def: Let $\{f_n\}$ be a family of functions, where $f_n:\{0,1\}^n \to \{0,1\}^n$.

We say that $\{f_n\}$ is hard if $\exists$ super-poly $h(\cdot)$ s.t. for every $n$, $f_n$ is $(h(n), 1/h(n))$-hard.

Examples: $h(n) = 2^n$, $h(n) = n^{\log n}$, $h(n) = 2^{n^{1/3}}$, $h(n) = \begin{cases} 1 & n < 10^6 \\ 2^n & n \ge 10^6 \end{cases}$

Def: Let $f:\{0,1\}^n \to \{0,1\}^m$ be a function. We say that $f$ is (T,)-hard if for every $T$-sized circuit $C$, $\Pr_{x \leftarrow \{0,1\}^n}[\, C(x) = f(x) \,]$ <

We know: There exists a hard family of functions.

Page 6: COS 433:  Cryptography

Asymptotic Easiness

Def: Let $\{f_n\}$ be a family of functions, where $f_n:\{0,1\}^n \to \{0,1\}^m$.

We say that $\{f_n\}$ is in the class P/poly if $\exists$ polynomial $q(\cdot)$ and circuit family $\{C_n\}$ s.t. $\forall n$, $|C_n| \le q(n)$ and $\forall x \in \{0,1\}^n$, $C(x) = f(x)$.

We say that a circuit family $\{C_n\}$ is uniform if there's a (constant-size) Turing machine that on input $n, i$ outputs the $i$th gate of $C_n$ in $\le |C_n|^2$ steps.

If the family $\{C_n\}$ is uniform then $\{f_n\}$ is in the class P.

Def: Let $\{f_n\}$ be a family of functions, where $f_n:\{0,1\}^n \to \{0,1\}^n$.

We say that $\{f_n\}$ is hard if $\exists$ super-poly $h(\cdot)$ s.t. for every $n$, $f_n$ is $(h(n), 1/h(n))$-hard.

Page 7: COS 433:  Cryptography

World View

P - easy for poly-size uniform circuits

P/poly - easy for poly-size circuits

All function families

Mildly hard func. families

Hard function families

Page 8: COS 433:  Cryptography

Functions Known to be in P

Arithmetic functions: $f_1(a,b) = a + b$, $f_2(a,b) = a \cdot b$, etc.

(elementary school algorithms)

Arithmetic mod n: $f_1(a,b,n) = a + b \pmod n$, $f_2(a,b,n) = a \cdot b \pmod n$

GCD(a,b) = largest $c$ s.t. $c \mid a$, $c \mid b$

Inverse(a): If GCD(a,n) = 1, find $a^{-1} \pmod n$

EXP(a,b) = $a^b \pmod n$

Maximal Ind. Set: Given graph $G(V,E)$, we say that $S \subseteq V$ is independent if $\forall u,v \in S$, $(u,v) \notin E$. Find $S$ s.t. for all $v \notin S$, $S \cup \{v\}$ is not independent.

Page 9: COS 433:  Cryptography

Functions Believed Outside of P/poly

Factoring: $f_1(a)$ = prime factors of $a$

(can be computed in time $2^{|a|}$, even in $2^{|a|^{1/3}}$)

Maximum Ind. Set: Given graph $G(V,E)$, find $S$ of maximum size s.t. $S$ is independent (i.e., $\forall u,v \in S$, $(u,v) \notin E$)

Believed to be a hard function family

3SAT: Given a 3CNF Boolean formula on $n$ variables, find (if they exist) $x_1,\dots,x_n$ such that $(x_1,\dots,x_n)$ is true.

$= (x_1 \vee \neg x_7 \vee x_9) \wedge (\neg x_2 \vee x_9 \vee \neg x_{12}) \wedge \dots \wedge (x_1 \vee x_2 \vee x_{100})$

For all these functions, it is easy to verify a given solution.

Such functions are in the class NP

If either max-ind-set or 3SAT is in P/poly then every problem in NP is in P/poly

Such functions are called NP-complete

Page 10: COS 433:  Cryptography

Proving NP-Completeness

Maximum Ind. Set: Given graph $G(V,E)$, find $S$ of maximum size s.t. $S$ is independent (i.e., $\forall u,v \in S$, $(u,v) \notin E$)

3SAT: Given a 3CNF Boolean formula on $n$ variables, find (if they exist) $x_1,\dots,x_n$ such that $(x_1,\dots,x_n)$ is true.

$= (x_1 \vee \neg x_7 \vee x_9) \wedge (\neg x_2 \vee x_9 \vee \neg x_{12}) \wedge \dots \wedge (x_1 \vee x_2 \vee x_{100})$

If either max-ind-set or 3SAT is in P/poly then every problem in NP is in P/poly

This is proven using a reduction. For example:

Thm: Assume that $\exists$ poly(n) circuit family for IND-SET. Then $\exists$ poly(n) circuit family for 3SAT.

[Figure: a circuit to compute 3SAT built around a circuit to compute IND-SET; wire labels G, S, x.]
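The slide states the theorem without spelling out the reduction. As an added example (not from the lecture), the code below uses the standard textbook construction: one vertex per literal occurrence, with edges inside each clause and between contradictory literals. The exhaustive search stands in for the assumed IND-SET circuit, and the function names, the integer encoding of literals and the sample formula are this example's own.

```python
from itertools import combinations

def formula_to_graph(clauses):
    """Build G: one vertex (clause index, literal) per literal occurrence; edges
    join literals of the same clause and any contradictory pair (x and NOT x).
    Literals are nonzero ints: 3 means x3, -3 means NOT x3."""
    V = [(ci, lit) for ci, clause in enumerate(clauses) for lit in clause]
    E = {frozenset((u, v)) for u, v in combinations(V, 2)
         if u[0] == v[0] or u[1] == -v[1]}
    return V, E

def is_independent(S, E):
    """The easy-to-verify check: no two chosen vertices share an edge."""
    return all(frozenset((u, v)) not in E for u, v in combinations(S, 2))

def max_independent_set(V, E):
    """Exhaustive search, exponential in |V|; stand-in for the IND-SET circuit."""
    for k in range(len(V), 0, -1):
        for S in combinations(V, k):
            if is_independent(S, E):
                return list(S)
    return []

def solve_3sat(clauses, n_vars):
    """Formula -> G -> S -> x. Returns a satisfying assignment or None."""
    V, E = formula_to_graph(clauses)
    S = max_independent_set(V, E)
    if len(S) < len(clauses):      # no consistent choice of one literal per clause
        return None
    x = {i: False for i in range(1, n_vars + 1)}   # unconstrained variables: False
    for _, lit in S:
        x[abs(lit)] = lit > 0      # make every chosen literal true
    return x

def satisfies(clauses, x):
    """Verify a claimed solution in time linear in the formula size."""
    return all(any(x[abs(l)] == (l > 0) for l in clause) for clause in clauses)

# Constructed sample:
# (x1 v ~x2 v x3) ^ (~x1 v x2 v x3) ^ (~x1 v ~x2 v ~x3) ^ (x1 v x2 v ~x3)
PHI = [(1, -2, 3), (-1, 2, 3), (-1, -2, -3), (1, 2, -3)]

if __name__ == "__main__":
    x = solve_3sat(PHI, 3)
    print("assignment:", x, "satisfies formula:", satisfies(PHI, x))
```

Building G and reading x off S both take polynomial time, so all of the cost sits in the independent-set search, which is what the theorem's assumption replaces with a poly(n) circuit.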

Page 11: COS 433:  Cryptography

World View

P - easy for poly-size uniform circuits

P/poly - easy for poly-size circuits

All function families

Mildly hard func. families

Hard function families

add, mult, GCD, EXP, maximal IS

3SAT, Ind-SET, NP-Complete

Factoring

Page 12: COS 433:  Cryptography

Randomization

Possible objection to our model: Can circuits get more power by tossing coins?

[Figure: the input and random bits feed into a probabilistic circuit, which produces the output.]

In this context, the answer is NO.

Thm: If $f:\{0,1\}^n \to \{0,1\}^m$ is (T,)-hard for standard (deterministic) circuits, then it is (T/10,)-hard for probabilistic circuits.