32

Impagliazzo’s Worlds in Arithmetic Complexity:A Progress Report

Scott Aaronson and Andrew DruckerMIT

100% QUANTUM-FREE TALK

(FROM COWS NOT TREATED WITH rBQP)

Why Arithmetize Russell’s Worlds?

R, C, Fp: Funhouse mirrors of complexity theory

Permanent vs. Determinant, PCNPC: “Warmups” to P vs. NP?

Some of our motivation came from Mulmuley’s GCT program

But who cares about crypto in the arithmetic model?

As it happens, much of current crypto is based on arithmetic over finite fields

Challenge: Arithmetic Natural Proofs. Explain why it’s so hard to prove circuit lower bounds for the Permanent

“Lifting” to larger fields gives new insights about worst-case / average-case equivalence

On the Menu Today

1. Equivalence of Complexity Questions In The Boolean and Small Finite Field Worlds

2. Over Large Finite Fields F, “NPP/poly OWFs Exist” (Heuristica=Pessiland=Minicrypt)

3. Natural Proofs for Arithmetic Circuits: A Challenge and Concrete Proposal

Arithmetic Computation Over A Finite Field F

Not allowed: Directly access bit representations of F-elements

“Deep reason” for finiteness: In cryptography, it’s nice to have a uniform distribution over F-elements

Allowed operations:

- Add, subtract, multiply, or divide any two F-elements

- Create and recognize the 0 and 1 elements( equality testing, branching, Boolean side-computation)

- Sample a random F-element (in randomized models)

- Hardwire F-elements (in nonuniform models)

In this talk, |F| will be finite, prime, possibly dependent on n

Three Regimes of Arithmetic Complexity

|F|≤poly(n)

Trivially the same as Boolean

computation

|F|≤2poly(n)

No stronger than Boolean computation. Maybe weaker, since

can’t see bit representations of input F-elements. Same as Boolean

computation if input is conveniently Boolean

|F|>>2poly(n)

Incomparable with Boolean

computation (a P machine can’t even store F-elements). Algebraic geometry becomes relevant, since polynomials

have degree <<|F|

Related ModelsBlum-Shub-Smale: Uniform, defined for a fixed field F

(such as R, C, GF2)Equality tests allowed; version over R allows comparisons

Algebraic computation trees: Basically, nonuniform version of [BSS]

Arithmetic circuits, straight-line programs, Valiant’s VP and VNP: No divisions or equality tests allowed

Our results for |F|≤2poly(n) will extend to the straight-line model

PF/poly = Class of languages 1

n

nnpL F

,nnpx F

Given ,1

nnpFF {p(n)}n1 a list of primes…

such that for some polynomial size bound s and every n, there exists an Fp(n)-circuit Cn of size s(n) such that for allxL Cn(x)0

NPF/poly = The same, except we substitutexL w{-1,1}poly(n) such that Cn(x,w)0

Can define uniform versions with more sweat

Why are the NP witnesses Boolean? For p(n)≤2poly(n), it doesn’t matter For p(n)>2poly(n), allowing F-witnesses would trivialize PFNPF!

(Consider, e.g., quadratic residuosity)

Arithmetic Cryptography When |F|≤2poly(n)

A/A (Arithmetic/Arithmetic) OWF: Family of functions

computable in PF/poly, such that for all PF/poly adversaries Cn,

A/B (Arithmetic/Boolean) OWF: Same, except now the adversary is P/poly (i.e. has Boolean access to fn(x))

nnnnn

xxfxfCf

np

negPr F

B/B, A/A, and A/B pseudorandom generators and pseudorandom functions can be defined similarly

nmnp

nnpnf FF :

B/B (Boolean/Boolean) OWF: Ordinary one-way function

Equivalence Theorem: Assuming |F|≤2poly(n),

A/B OWFs

B/B OWFs

A/A OWFs

A/B PRGs

B/B PRGs

A/A PRGs

A/B PRFs

B/B PRFs

A/A PRFs

Obvious Obvious

[HILL] [GGM]

Obv

ious

Obv

ious

Obv

ious

Obvious

Obvious

Obvious

This work

This

wor

k

This work

This work

This

wor

k

This

wor

k

The Boneh-Lipton Problem:A Bridge Between the Boolean and Arithmetic Worlds

Problem: Recover x, given (x+a1)q,…,(x+ak)q and a1,…,ak

Suppose this problem is easy. Then for all p≤2poly(n), the Boolean and Fp worlds are polynomially equivalent

Alas, best known classical algorithm to recover x takes time

px F 1,0,1,,1 qk

q axax pkaa F,,1

2

1pq

ppc logloglog~ [BL96]

Intuition: We Win Either WayTwo possibilities:

(1) BL is easy to invert

Boolean and F computation are equivalent

OWFs exist in one world iff they exist in the other

(2) BL is hard to invert

BL itself is an OWF, in both the Boolean and F worlds

Difficulties: What if BL is only slightly hard? Or easy to invert on some input lengths but not others?

Lemma: For all xy in F,

k

qi

qi

aakiayax

k 2

1Pr,1

F

Proof: (x+ai)q-(y+ai)q is a degree-q, nonzero polynomial in ai, so it has at most q=(p-1)/2 roots.

Implication: (x+a1)q,…,(x+ak)q information-theoretically determine x with high probability over a1,…,ak, provided k>>log(p)

Easy Direction: B/B OWF A/B OWF

Let f be a Boolean OWF. Then as our arithmetic OWF, we can take

qnqn yyfyyF ,,:,, 11

Clearly, any inverter for F yields an inverter for f.

Other Direction: A/A OWF A/B OWFLet g be an OWF secure against arithmetic adversaries. Here’s an OWF secure against Boolean adversaries:

kq

kq

k aaaxgaxgaaxG ,,,,,:,,, 111

Let G’ be a good Boolean inverter for G

Here’s a good arithmetic inverter for g(x): first generate a1,…,ak randomly (remembering their Boolean descriptions), then compute G(x,a1,…,ak) and run G’ on it

Key fact: G(x,a1,…,ak)=G(y,a1,…,ak) g(x)=g(y) with high probability over a1,…,ak, provided k>>log(p). In which case, G’ can only invert G by finding a preimage of g(x)

Argument for Pseudorandom GeneratorsLet f be a B/B PRG. As our A/B PRG, we can take

qnqn yyfyyF ,,Om:,, 11

Likewise, let g:FF2 be an A/A PRG. By a standard hybrid argument, we can “stretch” g to produce g1,…,gm:FF, so that (g1(x),…,gm(x)) looks random. Here’s our A/B PRG:

qmq xgxgxG ,,Om: 1

where Om(x) is the omelettization of a Boolean string x: its conversion to F-elements in a standard way

Similar arguments show that B/B or A/A pseudorandom functions imply A/B pseudorandom functions

Collapse Theorem: Assuming |F|>2poly(n),

NPF PF/poly NPF is hard on average F-OWFs

In other words:

AlgorithmicaHeuristicaPessilandMinicrypt

Cryptomania

Heuristiminipessicrypt

Hard-on-average NPF problems with planted (Boolean)

solutions

More interesting notion of OWF

when |F|>2poly(n)

Major Challenge for Complexity Theory: Explain why current techniques fail to show PERMANENT AlgP/poly

First approach: Extend algebrization [AW08] to low-degree oracles queried by arithmetic circuits. Construct A such that Alg#PA=AlgPA

Second approach: Natural Proofs [RR97] for arithmetic complexity. Show that arithmetic circuit lower bounds based on rank, partial derivatives, etc. can’t possibly work, since they would distinguish random functions f:FnF from pseudorandom ones

What’s needed: Pseudorandom function families computable by arithmetic circuits over finite fields

Arithmetic Pseudorandom Functions

Real Challenge of Arithmetic Natural Proofs: Find a family of degree-d polynomials ps:FnF that are

(1)computable by poly-size arithmetic circuits,

(2)indistinguishable from random degree-d polynomials

Our results show that, if ordinary OWFs exist, then one can construct a family of functions fs:FnF that are

(1)computable by poly-size arithmetic circuits,

(2)indistinguishable from random functions(even by Boolean circuits)

Problem: PERMANENT is a low-degree polynomial!Any plausible lower bound proof would use that fact

Problem solved!

Pseudorandom Low-Degree Polynomials: How to Construct Them?

Other constructions based on lattices/LWE

Generic construction of PRF[Goldreich-Goldwasser-Micali]

Number-theoretic PRF[Naor-Reingold]

Hardness of learning small-depth arithmetic circuits[Klivans-Sherstov]

Doesn’t work (blows up degree)

???

Doesn’t work (uses bit operations to parallelize)

Doesn’t work (requires specific input distribution)

Candidate for Low-Degree Arithmetic PRF

Conjecture: Using oracle access to p, no polynomial-size arithmetic circuit over the finite field F can distinguish g:FnF from a uniformly random, homogeneous polynomial of degree d, with non-negligible bias.

nddnd

ndn

n

xxLxxL

xxLxxL

xxg

,,,,

,,,,

det:,,

111

11111

1

where the Lij’s are independent, random linear functions

Note: it’s easy to distinguish g from a random function!

ConclusionsOne can give sensible definitions of Heuristica, Pessiland, and Minicrypt over a finite field F

When |F|≤2poly(n), these worlds perfectly mirror their Boolean counterparts—even if F-computation is weaker than Boolean

Natural Proofs are no less fearsome in F-land

But when |F|>2poly(n), Heuristica=Pessiland=Minicrypt

Note: Both of these results explain why the other doesn’t generalize to all F!

From this perspective, the distinction between PNP, NP hard on average, and existence of OWFs (if indeed there is one) seems like an “artifact of small field size.”

Open Problems

Construct pseudorandom low-degree polynomials p:FnF, ideally based on a known assumption Convincing Natural Proofs story for why PERMANENT AlgP/poly is hard

OWF PRG PRF when |F|>2poly(n)?

NP-completeness theory for large F

Cryptomania: PKC, CRHFs, IBE, homomorphic encryption (?!), etc. in the arithmetic world

Arithmetic circuits based on non-classical physics?Model proposed by [van Dam]

Handwaving IdeaWhat one would expect: Schwartz-Zippel!

Lemma: Let C:FnF be a PF/poly circuit of size s. Then {xFn : C(x)=0} belongs to the Boolean closure of ≤2s algebraic varieties of degree ≤2s each

Canonical NPF-Complete Problem: Given x=(x1,…,xn)Fn, which we take to encode a (pure) arithmetic circuit Cx:FmF , does there exist a Boolean input w{-1,1}m such that Cx(w)0?

(Get rid of equality tests using encoding tricks)

Take a PF/poly circuit A that solves this problem for most x, and correct it to one that works for all x