on basing one way permutations on np hard problems under
play

On basing one-way permutations on NP-hard problems under quantum - PowerPoint PPT Presentation

Nov 08, 2022 •316 likes •567 views

On basing one-way permutations on NP-hard problems under quantum reductions Nai-Hui Chia (PennState to UTAustin) Joint work with Sean Hallgren (PennState) and Fang Song (PortlandState to TAMU) 1 How do people say a crypto system is

  1. On basing one-way permutations on NP-hard problems under quantum reductions Nai-Hui Chia (PennState to UTAustin) Joint work with Sean Hallgren (PennState) and Fang Song (PortlandState to TAMU) 1

  2. How do people say a crypto system is computationally secure? Many experts put lots of efforts on Okay, Y is secure breaking system Y for a very long time. Still cannot find an After 50yrs... efficient algorithm for Y System Y 2

  3. How do people say a crypto system is computationally secure? Many experts put lots of efforts on Okay, Y is secure breaking system Y for a very long time. Still cannot find an After 50yrs... efficient algorithm for Y System Y Do we really need to wait 50yrs? 3

  4. How do people say a crypto system is computationally secure? Many experts put lots of efforts on Okay, Y is secure breaking system Y for a very long time. Still cannot find an After 50yrs... efficient algorithm for Y System Y Do we really need to wait 50yrs? ● SAT has already been studied for >50yrs. ● SAT is hard (NP-complete) ● P≠NP (people believe) SAT Use SAT to show Problem Y is hard. 4

  5. Show Y is hard by a reduction from SAT: SAT ≤ Y An oracle for Y Questions Answers Answer An instance of SAT Algorithm A (A reduction) SAT ≤ Y: ● An efficient algorithm A solving SAT by using an oracle for Y. ● Algorithm A and (Questions, Answers) can be either classical or quantum! SAT ≤ Y ⇒ No efficient algorithm can break system Y unless NP = P. 5

  6. Consider Y as inverting one-way functions ● Functions which are easy to compute but hard to invert. ● A fundamental cryptographic primitive. The existence of one-way functions implies ○ Pseudorandom generators ○ Digital signature scheme ○ Message Authentication Codes ……. ○

  7. Consider Y as inverting one-way functions ● Functions which are easy to compute but hard to invert. ● A fundamental cryptographic primitive. The existence of one-way functions implies ○ Pseudorandom generators ○ Digital signature scheme ○ Message Authentication Codes ……. ○ Can inverting one-way functions be as hard as SAT?

  8. One-way functions ● Functions which are easy to compute but hard to invert. ● A fundamental cryptographic primitive. It implies Pseudorandom generators ○ ○ Digital signature scheme ○ Message Authentication Codes ○ ……. Can inverting one-way functions be as hard as SAT? ● SAT ≤ c Inverting a one-way permutation ⇒ PH collapses [Brassard96]. ● SAT ≤ c Inverting a one-way function ⇒ PH collapses, ○ when the reductions are non-adaptive [AGGM05] or the functions are preimage verifiable[AGGM05,BB15].

  9. One-way functions ● Functions which are easy to compute but hard to invert. ● A fundamental cryptographic primitive. It implies Pseudorandom generators ○ ○ Digital signature scheme ○ Message Authentication Codes ○ ……. Can inverting one-way functions be as hard as SAT? ● SAT ≤ c Inverting a one-way permutation ⇒ PH collapses [Brassard96]. ● SAT ≤ c Inverting a one-way function ⇒ PH collapses, ○ when the reductions are non-adaptive[AGGM05] or the functions are preimage verifiable[AGGM05, BB15]. Only classical reductions are considered!

  10. We are interested in quantum reductions Problem Y solver (An oracle for Y) Quantum messages An instance of SAT Algorithm A Answers to SAT (A quantum algorithm) Quantum algorithm Computational tasks Hard problems ≤ quantum (e.g., inverting one-way (e.g., NP-hard problems) functions) Do these reductions exist? 10

  11. ● SAT ≤ c Inverting a one-way permutation ⇒ coNP ⊆ AM ⇒ PH collapses [Brassard96]. ● SAT ≤ c Inverting a one-way function ⇒ PH collapses, ○ when the reductions are non-adaptive[BT06] or the functions are preimage verifiable[]. Our results SAT ≤ q Inverting a one-way permutation (Inv-OWP) ⇒ coNP ⊆ QIP(2), where ● our result has the restrictions that the reductions are non-adaptive and the distribution of the questions to the oracle are not far from the uniform distribution. ● It is not known if coNP ⊆ QIP(2). 11

  12. NP-hard Problems ≤ c Inv-OWP ⇒ coNP ⊆ AM Theorem [Brassad96]: SAT ≤ c Inv-OWP ⇒ coNP ⊆ AM ⇒ The polynomial hierarchy collapses to the second level. O (An oracle for Inv-OWP) The goal is to construct a “constant-round protocol” for SAT by using the reduction. y f -1 (y) x R O R O (x,r,y,f -1 (y)) = L(x) (The reduction) r 12

  13. Arthur-Merlin Protocol x Two classical messages exchanged . r: a random string Prover Verifier c: a proof (Merlin) (Arthur) A(x,r,c)=L(x) PSPACE We say L ∈ AM if ● (completeness) if x ∈ L , there is a prover AM (Merlin) can convince Arthur (the verifier) that x ∈ L . NP ● (soundness) if x ∉ L , no prover (Merlin) can convince Arthur that x ∈ L . P 13

  14. SAT ≤ c Inv-OWP ⇒ SAT ∈ AM Given the verifier’s randomness, the prover knows the question Prover O Arthur wants to ask. (Simulate O ) (An oracle for Inv-OWP) f -1 (y) y,x y r x x 1-R O (x,r) R O (x,r) Verifier R O r (Verify f(x)=y and apply R o ) r (The reduction) 1. The verifier sends his random string to the prover. ○ The prover knows y after having the random string. 2. The prover sends y and x (where f(x)=y) to the verifier. A malicious prover may send (y’, x’) ≠ (y, x). ○ 3. The verifier verifies whether y is the question and f(x) = y. If not, reject. The verifier runs the reduction R o if he doesn’t reject in step 3. 4. 14

  15. Can we use this protocol for quantum reductions? Given the verifier’s randomness, the prover knows the question Prover O Arthur wants to ask. (Simulate O ) (An oracle for Inv-OWP) f -1 (y) y,x y r x x 1-R O (x,r) R O (x,r) r Verifier R O (Verify f(x)=y and apply R o ) r (The reduction) 1. The verifier sends his random string to the prover. ○ The prover knows y after having the random string. 2. The prover sends y and x (where f(x)=y) to the verifier. A malicious prover may send (y’, x’) ≠ (y, x). ○ 3. The verifier verifies whether y is the question and f(x) = y. If not, reject. The verifier runs the reduction R o if he doesn’t reject in step 3. 4. 15

  16. No, quantum reductions are more tricky Each question can be in superposition O ○ |Q> 123 =∑ q c q |q> 1 |0> 2 |w q > 3 (An oracle for Inv-OWP) |c q | 2 can be viewed as the ○ |Q> 12 |A> 12 weight of question q. The answer is also in superposition Reduction U R x (An efficient quantum U R |x>|A> |A> 123 =∑ q c q |q> 1 |f -1 (q)> 2 |w q > 3 ○ algorithm) 16

  17. Why does the classical protocol fail? Each question can be in superposition O ○ |Q> 123 =∑ q c q |q> 1 |0> 2 |w q > 3 (An oracle for Inv-OWP) |c q | 2 can be viewed as the ○ |Q> 12 |A> 12 weight of question q. The answer is also in superposition Reduction U R x (An efficient quantum U R |x>|A> |A> 123 =∑ q c q |q> 1 |f -1 (q)> 2 |w q > 3 ○ algorithm) ● SImulating the reduction SAT ≤ q Inv-OWP only gives “quantum interactive proof” protocol. ● The prover can cheat by giving correct (q,f -1 (q)), but changing the weight c q . 17

  18. Goal: SAT ≤ q Inv-OWP ⇒ SAT ∈ QIP(2) |M 1 > Prover Verifier (Applying some operation: |M 2 > (quantum algorithm U A ) |Q> ⟶ |Q H >) We say L ∈ QIP(2) if ● (completeness) if x ∈ L , the prover can convince the verifier that x ∈ L . ● (soundness) if x ∉ L , no prover can convince the verifier that x ∈ L . PSPACE QIP(2) AM NP P 18

  19. Goal: SAT ≤ q Inv-OWP ⇒ SAT ∈ QIP(2) under uniform quantum reductions |M 1 > Prover Verifier (Applying some operation: |M 2 > (quantum algorithm U A ) |Q> ⟶ |Q H >) We say L ∈ QIP(2) if ● (completeness) if x ∈ L , the prover can convince the verifier that x ∈ L . ● (soundness) if x ∉ L , no prover can convince the verifier that x ∈ L . PSPACE QIP(2) Uniform quantum reductions: AM ● Each query is a uniform superposition NP |Q>=∑ q |q>|0>|w q > ○ ● The answer is also in uniform superposition |A>=∑|q>|f -1 (q)>|w q > ○ P 19

  20. A protocol with “trap” The trap Register M of |Q> or |T> Prover Verifier Register M of |A> or |S> The real query The main idea: If the prover cheats, he has ½ probability to cheat on the trap state. The verifier can catch him by verifying the trap state! ● The prover cannot distinguish the trap and the real query. ● |S> can be efficiently verified by the verifier. 20

  21. A protocol with “trap” The trap Register M of |Q> or |T> Prover Verifier Register M of |A> or |S> 1. Send the register M of |Q> or |T> uniformly at The real query random. ● |Q>=∑ q (|q>|0>) M (|w q >|q>) V ● |T>=∑ q (|q>|0>) M (|0>|q>) V 2. An honest prover will send |A> or |S>. |A>=∑ q |q>|f -1 (q)>|w q >|q> ● 3. The verifier does the following. |S>=∑ q |q>|f -1 (q)>|0>|q> ● In case |Q>: ● ○ Run the reduction and accept if the reduction accepts. ● |A> ⇒ |0> may not be ● In case |T>: efficient. Run the unitary U: |S> ⇒ |0> and ○ ● U: |S> ⇒ |0> is efficient. measure the output in the standard basis. If the outcome is |0>, accepts. 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems . They allow to

379 views • 5 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems .

345 views • 3 slides
Hard Problems Some problems are hard to solve. No polynomial time algorithm is known.

Hard Problems Some problems are hard to solve. No polynomial time algorithm is known.

Hard Problems Some problems are hard to solve. No polynomial time algorithm is known. E.g., NP-hard problems such as machine scheduling, bin packing, 0/1 knapsack. Is this necessarily bad? Data encryption relies on difficult

721 views • 15 slides
HydroCare HC-44 HydroCare HC-44 Hard Water Problems Hard Water Problems Hard Water Costs You

HydroCare HC-44 HydroCare HC-44 Hard Water Problems Hard Water Problems Hard Water Costs You

HydroCare HC-44 HydroCare HC-44 Hard Water Problems Hard Water Problems Hard Water Costs You Money! Hard Water Costs You Money! Limescale originates in the components of the waters carbonic rigidity-calcium carbonate (lime), magnesium

614 views • 8 slides
Cryptography Hard Problems encryption message encryption key algorithm Some problems are

Cryptography Hard Problems encryption message encryption key algorithm Some problems are

Cryptography Hard Problems encryption message encryption key algorithm Some problems are hard to solve. No polynomial time algorithm is known. Transmission E.g., NP-hard problems such as machine scheduling, Channel bin packing,

516 views • 8 slides
Cryptography Hard Problems encryption message encryption key algorithm Some problems are

Cryptography Hard Problems encryption message encryption key algorithm Some problems are

Cryptography Hard Problems encryption message encryption key algorithm Some problems are hard to solve. No polynomial time algorithm is known. Transmission E.g., NP-hard problems such as machine scheduling, Channel bin packing,

445 views • 5 slides
s II, Acta Math. Acad. Sci. Hungar. 18 (1967), s S 151164; III, ibid. 18 (1967),

s II, Acta Math. Acad. Sci. Hungar. 18 (1967), s S 151164; III, ibid. 18 (1967),

Extremal problems Permutations How many permutations in a set (or group) with prescribed distances? Peter J. Cameron

524 views • 3 slides
Pattern avoiding permutations in genome rearrangement problems: the transposition model G.

Pattern avoiding permutations in genome rearrangement problems: the transposition model G.

Pattern avoiding permutations in genome rearrangement problems: the transposition model Pattern avoiding permutations in genome rearrangement problems: the transposition model G. Cerbai, L. Ferrari Dipartimento di Matematica e Informatica U.

688 views • 66 slides
Using Python to Solve Computationally Hard Problems Using Python to Solve Computationally Hard

Using Python to Solve Computationally Hard Problems Using Python to Solve Computationally Hard

Using Python to Solve Computationally Hard Problems Using Python to Solve Computationally Hard Problems Rachael Madsen Optimal Design Software LLC BS in Mathematics Software Engineer & Architect Python programmer

872 views • 46 slides
More NP-Complete Problems NP-Hard Problems Tautology Problem Node Cover Knapsack 1 Next Steps

More NP-Complete Problems NP-Hard Problems Tautology Problem Node Cover Knapsack 1 Next Steps

More NP-Complete Problems NP-Hard Problems Tautology Problem Node Cover Knapsack 1 Next Steps We can now reduce 3SAT to a large number of problems, either directly or indirectly. Each reduction must be polytime. Usually we focus

871 views • 49 slides
Local convergence for random permutations The case of uniform pattern-avoiding permutations

Local convergence for random permutations The case of uniform pattern-avoiding permutations

Local convergence for random permutations The case of uniform pattern-avoiding permutations Jacopo Borga, Institut fr Mathematik, Universitt Zrich July 9, 2018 Dartmouth College, Hanover, New Hampshire Our goal 1. Scaling limits: Our

2.18k views • 175 slides
JUST THE MATHS SLIDES NUMBER 19.2 PROBABILITY 2 (Permutations and combinations) by

JUST THE MATHS SLIDES NUMBER 19.2 PROBABILITY 2 (Permutations and combinations) by

JUST THE MATHS SLIDES NUMBER 19.2 PROBABILITY 2 (Permutations and combinations) by A.J.Hobson 19.2.1 Introduction 19.2.2 Rules of permutations and combinations 19.2.3 Permutations of sets with some objects alike UNIT 19.2 -

400 views • 11 slides
Representing permutations without permutations The expressive power of sequential intersection

Representing permutations without permutations The expressive power of sequential intersection

Representing permutations without permutations The expressive power of sequential intersection Pierre VIAL Equipe Gallinette Inria (LS2N CNRS) June 10, 2018 Non-idempotent typing P. Vial 0 1 /33 Outline Non-idempotent Rigid vs.

1.4k views • 123 slides
Supposedly Hard Problems In Multivariate Cryptography Charles Bouillaguet Universit de

Supposedly Hard Problems In Multivariate Cryptography Charles Bouillaguet Universit de

Introduction The MQ Problem Polynomial Equivalence Problems Supposedly Hard Problems In Multivariate Cryptography Charles Bouillaguet Universit de Versailles Saint-Quentin Versailles, France Sminaire CARAMEL 20 janvier 2012

721 views • 59 slides
Automatic Algorithm Configuration Thomas St utzle Optimization problems arise everywhere!

Automatic Algorithm Configuration Thomas St utzle Optimization problems arise everywhere!

HEURISTIC OPTIMIZATION Automatic Algorithm Configuration Thomas St utzle Optimization problems arise everywhere! Most such problems are computationally very hard (NP-hard!) Heuristic Optimization 2015 2 The algorithmic solution of hard

342 views • 19 slides
CS 4803 to find some building blocks - hard problems (assumptions about hardness of some

CS 4803 to find some building blocks - hard problems (assumptions about hardness of some

As no encryption scheme besides the OneTimePad is unconditionally secure, we need CS 4803 to find some building blocks - hard problems (assumptions about hardness of some Computer and Network Security problems) to base security of our new

553 views • 3 slides
Bayesian inference in Inverse problems Bani Mallick bmallick@stat.tamu.edu Department of

Bayesian inference in Inverse problems Bani Mallick bmallick@stat.tamu.edu Department of

Bayesian inference in Inverse problems Bani Mallick bmallick@stat.tamu.edu Department of Statistics, Texas A&M University, College Station 1/20 Inverse Problems Inverse problems arise from indirect observations of a quantity of interest

872 views • 45 slides
Stokes Profile Inversion and Comparison to Full-Resolution Data Max Genecov LASP REU

Stokes Profile Inversion and Comparison to Full-Resolution Data Max Genecov LASP REU

Stokes Profile Inversion and Comparison to Full-Resolution Data Max Genecov LASP REU July 31, 2014 Mentors: Alfred de Wijn, Rebeca Centeno Elliott Solar Magnetic Fields Magnetic field strength and orientation are great

675 views • 22 slides
Survey: Compressive Sensing in Signal Processing Justin Romberg Georgia Tech, School of ECE

Survey: Compressive Sensing in Signal Processing Justin Romberg Georgia Tech, School of ECE

Survey: Compressive Sensing in Signal Processing Justin Romberg Georgia Tech, School of ECE Sublinear Algorithms May 23, 2011 Bertinoro, Italy Acquisition as linear algebra # samples resolution/ = bandwidth data acquisition system

791 views • 41 slides
Seismic inverse scattering by reverse time migration Chris Stolk University of Amsterdam RICAM

Seismic inverse scattering by reverse time migration Chris Stolk University of Amsterdam RICAM

Seismic inverse scattering by reverse time migration Chris Stolk University of Amsterdam RICAM Workshop, November 21, 2011 Seismic imaging and linearized inversion Reflection seismic imaging Claerbouts imaging principle (1971), reverse

449 views • 30 slides
Inverting Proof Systems for Secrecy under OWA Giora Slutzki Department of Computer Science Iowa

Inverting Proof Systems for Secrecy under OWA Giora Slutzki Department of Computer Science Iowa

Inverting Proof Systems for Secrecy under OWA Giora Slutzki Department of Computer Science Iowa State University Ames, Iowa 50010 slutzki@cs.iastate.edu May 9th, 2010 Jointly with Jia Tao and Vasant Honavar G. Slutzki (ISU) Inverting Proof

375 views • 35 slides
Time space tradeoffs for attacks against one-way functions and PRGs Anindya De University of

Time space tradeoffs for attacks against one-way functions and PRGs Anindya De University of

Time space tradeoffs for attacks against one-way functions and PRGs Anindya De University of California, Berkeley Joint work with Luca Trevisan - UC Berkeley and Stanford University Madhur Tulsiani - Princeton University 0 / 26 What is this

943 views • 90 slides
Addition and Subtraction Philipp Koehn 4 September 2019 Philipp Koehn Computer Systems

Addition and Subtraction Philipp Koehn 4 September 2019 Philipp Koehn Computer Systems

Addition and Subtraction Philipp Koehn 4 September 2019 Philipp Koehn Computer Systems Fundamentals: Addition and Subtraction 4 September 2019 1 addition Philipp Koehn Computer Systems Fundamentals: Addition and Subtraction 4 September

512 views • 35 slides
DTTF/NB479: Dszquphsbqiz Day 7 Announcements: Matlab tutorial linked to in syllabus

DTTF/NB479: Dszquphsbqiz Day 7 Announcements: Matlab tutorial linked to in syllabus

DTTF/NB479: Dszquphsbqiz Day 7 Announcements: Matlab tutorial linked to in syllabus Questions? Today: Block ciphers, especially Hill Ciphers Modular matrix inverses 1 Block Ciphers So far, changing 1 character in the plaintext changes

108 views • 6 slides

More recommend