On basing one-way permutations on NP-hard problems under quantum reductions


  1. On basing one-way permutations on NP-hard problems under quantum reductions
     Nai-Hui Chia (PennState to UTAustin)
     Joint work with Sean Hallgren (PennState) and Fang Song (PortlandState to TAMU)

  2. How do people say a crypto system is computationally secure?
     Many experts put lots of effort into breaking system Y for a very long time. Still cannot find an efficient algorithm for Y.
     After 50yrs... “Okay, Y is secure.”
     [Diagram label: System Y]

  3. How do people say a crypto system is computationally secure?
     Many experts put lots of effort into breaking system Y for a very long time. Still cannot find an efficient algorithm for Y.
     After 50yrs... “Okay, Y is secure.”
     [Diagram label: System Y]
     Do we really need to wait 50yrs?

  4. How do people say a crypto system is computationally secure?
     Many experts put lots of effort into breaking system Y for a very long time. Still cannot find an efficient algorithm for Y.
     After 50yrs... “Okay, Y is secure.”
     [Diagram labels: System Y; SAT]
     Do we really need to wait 50yrs?
     ● SAT has already been studied for >50yrs.
     ● SAT is hard (NP-complete)
     ● P≠NP (people believe)
     Use SAT to show Problem Y is hard.

  5. Show Y is hard by a reduction from SAT: SAT ≤ Y
     [Diagram labels: An instance of SAT; Algorithm A (A reduction); An oracle for Y; Questions; Answers; Answer]
     SAT ≤ Y:
     ● An efficient algorithm A solving SAT by using an oracle for Y.
     ● Algorithm A and (Questions, Answers) can be either classical or quantum!
     SAT ≤ Y ⇒ No efficient algorithm can break system Y unless NP = P.

  6. Consider Y as inverting one-way functions
     ● Functions which are easy to compute but hard to invert.
     ● A fundamental cryptographic primitive. The existence of one-way functions implies
       ○ Pseudorandom generators
       ○ Digital signature scheme
       ○ Message Authentication Codes
       ○ …….

  7. Consider Y as inverting one-way functions
     ● Functions which are easy to compute but hard to invert.
     ● A fundamental cryptographic primitive. The existence of one-way functions implies
       ○ Pseudorandom generators
       ○ Digital signature scheme
       ○ Message Authentication Codes
       ○ …….
     Can inverting one-way functions be as hard as SAT?

  8. One-way functions
     ● Functions which are easy to compute but hard to invert.
     ● A fundamental cryptographic primitive. It implies
       ○ Pseudorandom generators
       ○ Digital signature scheme
       ○ Message Authentication Codes
       ○ …….
     Can inverting one-way functions be as hard as SAT?
     ● SAT $\le_c$ Inverting a one-way permutation ⇒ PH collapses [Brassard96].
     ● SAT $\le_c$ Inverting a one-way function ⇒ PH collapses,
       ○ when the reductions are non-adaptive [AGGM05] or the functions are preimage verifiable [AGGM05, BB15].

  9. One-way functions
     ● Functions which are easy to compute but hard to invert.
     ● A fundamental cryptographic primitive. It implies
       ○ Pseudorandom generators
       ○ Digital signature scheme
       ○ Message Authentication Codes
       ○ …….
     Can inverting one-way functions be as hard as SAT?
     ● SAT $\le_c$ Inverting a one-way permutation ⇒ PH collapses [Brassard96].
     ● SAT $\le_c$ Inverting a one-way function ⇒ PH collapses,
       ○ when the reductions are non-adaptive [AGGM05] or the functions are preimage verifiable [AGGM05, BB15].
     Only classical reductions are considered!

  10. We are interested in quantum reductions
      [Diagram labels: An instance of SAT; Algorithm A (A quantum algorithm); Problem Y solver (An oracle for Y); Quantum messages; Answers to SAT; Quantum algorithm]
      Hard problems (e.g., NP-hard problems) $\le_{\text{quantum}}$ Computational tasks (e.g., inverting one-way functions)
      Do these reductions exist?

  11. ● SAT $\le_c$ Inverting a one-way permutation ⇒ coNP ⊆ AM ⇒ PH collapses [Brassard96].
      ● SAT $\le_c$ Inverting a one-way function ⇒ PH collapses,
        ○ when the reductions are non-adaptive [BT06] or the functions are preimage verifiable[].
      Our results
      SAT $\le_q$ Inverting a one-way permutation (Inv-OWP) ⇒ coNP ⊆ QIP(2), where
      ● our result has the restrictions that the reductions are non-adaptive and the distribution of the questions to the oracle is not far from the uniform distribution.
      ● It is not known if coNP ⊆ QIP(2).

  12. NP-hard Problems $\le_c$ Inv-OWP ⇒ coNP ⊆ AM
      Theorem [Brassard96]: SAT $\le_c$ Inv-OWP ⇒ coNP ⊆ AM ⇒ The polynomial hierarchy collapses to the second level.
      The goal is to construct a “constant-round protocol” for SAT by using the reduction.
      [Diagram labels: O (An oracle for Inv-OWP); $R^O$ (The reduction); x; r; y; $f^{-1}(y)$; $R^O(x, r, y, f^{-1}(y)) = L(x)$]

  13. Arthur-Merlin Protocol
      Two classical messages exchanged.
      [Diagram labels: x; Prover (Merlin); Verifier (Arthur); r: a random string; c: a proof; A(x,r,c) = L(x)]
      We say L ∈ AM if
      ● (completeness) if x ∈ L, there is a prover (Merlin) who can convince Arthur (the verifier) that x ∈ L.
      ● (soundness) if x ∉ L, no prover (Merlin) can convince Arthur that x ∈ L.
      [Complexity-class diagram labels: PSPACE; AM; NP; P]

  14. SAT $\le_c$ Inv-OWP ⇒ SAT ∈ AM
      Given the verifier’s randomness, the prover knows the question Arthur wants to ask.
      [Diagram labels: O (An oracle for Inv-OWP); $R^O$ (The reduction); Prover (Simulate O); Verifier (Verify f(x)=y and apply $R^O$); x; r; y; $f^{-1}(y)$; y, x; $R^O(x,r)$; $1 - R^O(x,r)$]
      1. The verifier sends his random string to the prover.
         ○ The prover knows y after having the random string.
      2. The prover sends y and x (where f(x)=y) to the verifier.
         ○ A malicious prover may send (y’, x’) ≠ (y, x).
      3. The verifier verifies whether y is the question and f(x) = y. If not, reject.
      4. The verifier runs the reduction $R^O$ if he doesn’t reject in step 3.

  15. Can we use this protocol for quantum reductions?
      Given the verifier’s randomness, the prover knows the question Arthur wants to ask.
      [Diagram labels: O (An oracle for Inv-OWP); $R^O$ (The reduction); Prover (Simulate O); Verifier (Verify f(x)=y and apply $R^O$); x; r; y; $f^{-1}(y)$; y, x; $R^O(x,r)$; $1 - R^O(x,r)$]
      1. The verifier sends his random string to the prover.
         ○ The prover knows y after having the random string.
      2. The prover sends y and x (where f(x)=y) to the verifier.
         ○ A malicious prover may send (y’, x’) ≠ (y, x).
      3. The verifier verifies whether y is the question and f(x) = y. If not, reject.
      4. The verifier runs the reduction $R^O$ if he doesn’t reject in step 3.

  16. No, quantum reductions are more tricky
      Each question can be in superposition
      ○ $|Q\rangle_{123} = \sum_q c_q |q\rangle_1 |0\rangle_2 |w_q\rangle_3$
      ○ $|c_q|^2$ can be viewed as the weight of question q.
      The answer is also in superposition
      ○ $|A\rangle_{123} = \sum_q c_q |q\rangle_1 |f^{-1}(q)\rangle_2 |w_q\rangle_3$
      [Diagram labels: O (An oracle for Inv-OWP); $|Q\rangle_{12}$; $|A\rangle_{12}$; Reduction $U_R$ (An efficient quantum algorithm); x; $U_R|x\rangle|A\rangle$]

  17. Why does the classical protocol fail?
      Each question can be in superposition
      ○ $|Q\rangle_{123} = \sum_q c_q |q\rangle_1 |0\rangle_2 |w_q\rangle_3$
      ○ $|c_q|^2$ can be viewed as the weight of question q.
      The answer is also in superposition
      ○ $|A\rangle_{123} = \sum_q c_q |q\rangle_1 |f^{-1}(q)\rangle_2 |w_q\rangle_3$
      [Diagram labels: O (An oracle for Inv-OWP); $|Q\rangle_{12}$; $|A\rangle_{12}$; Reduction $U_R$ (An efficient quantum algorithm); x; $U_R|x\rangle|A\rangle$]
      ● Simulating the reduction SAT $\le_q$ Inv-OWP only gives a “quantum interactive proof” protocol.
      ● The prover can cheat by giving correct $(q, f^{-1}(q))$, but changing the weight $c_q$.

  18. Goal: SAT $\le_q$ Inv-OWP ⇒ SAT ∈ QIP(2)
      [Diagram labels: Prover (Applying some operation: $|Q\rangle \to |Q_H\rangle$); Verifier (quantum algorithm $U_A$); $|M_1\rangle$; $|M_2\rangle$]
      We say L ∈ QIP(2) if
      ● (completeness) if x ∈ L, the prover can convince the verifier that x ∈ L.
      ● (soundness) if x ∉ L, no prover can convince the verifier that x ∈ L.
      [Complexity-class diagram labels: PSPACE; QIP(2); AM; NP; P]

  19. Goal: SAT $\le_q$ Inv-OWP ⇒ SAT ∈ QIP(2) under uniform quantum reductions
      [Diagram labels: Prover (Applying some operation: $|Q\rangle \to |Q_H\rangle$); Verifier (quantum algorithm $U_A$); $|M_1\rangle$; $|M_2\rangle$]
      We say L ∈ QIP(2) if
      ● (completeness) if x ∈ L, the prover can convince the verifier that x ∈ L.
      ● (soundness) if x ∉ L, no prover can convince the verifier that x ∈ L.
      Uniform quantum reductions:
      ● Each query is a uniform superposition
        ○ $|Q\rangle = \sum_q |q\rangle |0\rangle |w_q\rangle$
      ● The answer is also in uniform superposition
        ○ $|A\rangle = \sum_q |q\rangle |f^{-1}(q)\rangle |w_q\rangle$
      [Complexity-class diagram labels: PSPACE; QIP(2); AM; NP; P]

  20. A protocol with “trap”
      [Diagram labels: Prover; Verifier; Register M of $|Q\rangle$ or $|T\rangle$ (“The real query”, “The trap”); Register M of $|A\rangle$ or $|S\rangle$]
      The main idea: If the prover cheats, he has ½ probability to cheat on the trap state. The verifier can catch him by verifying the trap state!
      ● The prover cannot distinguish the trap and the real query.
      ● $|S\rangle$ can be efficiently verified by the verifier.

  21. A protocol with “trap”
      [Diagram labels: Prover; Verifier; Register M of $|Q\rangle$ or $|T\rangle$ (“The real query”, “The trap”); Register M of $|A\rangle$ or $|S\rangle$]
      1. Send the register M of $|Q\rangle$ or $|T\rangle$ uniformly at random.
         ● $|Q\rangle = \sum_q (|q\rangle|0\rangle)_M (|w_q\rangle|q\rangle)_V$
         ● $|T\rangle = \sum_q (|q\rangle|0\rangle)_M (|0\rangle|q\rangle)_V$
      2. An honest prover will send $|A\rangle$ or $|S\rangle$.
         ● $|A\rangle = \sum_q |q\rangle|f^{-1}(q)\rangle|w_q\rangle|q\rangle$
         ● $|S\rangle = \sum_q |q\rangle|f^{-1}(q)\rangle|0\rangle|q\rangle$
      3. The verifier does the following.
         ● In case $|Q\rangle$:
           ○ Run the reduction and accept if the reduction accepts.
         ● In case $|T\rangle$:
           ○ Run the unitary U: $|S\rangle$ ⇒ $|0\rangle$ and measure the output in the standard basis. If the outcome is $|0\rangle$, accept.
      ● $|A\rangle$ ⇒ $|0\rangle$ may not be efficient.
      ● U: $|S\rangle$ ⇒ $|0\rangle$ is efficient.
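
The four-step classical simulation from slides 14 and 15, as an added Python sketch that is not part of the original presentation. The permutation f (cubing modulo a small constructed prime, which is not one-way), the toy language L standing in for SAT, and the one-query reduction are all assumptions chosen so that the verifier's checks can actually run; instances and random strings r are taken from 1..P-1.

```python
# Added illustration (not from the slides). Assumptions: a toy permutation f,
# a toy language L standing in for SAT, and a one-query reduction.
P = 1019                      # constructed prime with P % 3 == 2, so cubing permutes Z_P
D = pow(3, -1, P - 1)         # inverse exponent: (y**D)**3 == y (mod P)

def f(x):
    return pow(x, 3, P)

def f_inv(y):
    # Only the oracle O / the prover simulating O inverts f. (Toy: f is NOT one-way.)
    return pow(y, D, P)

def L(instance):
    # Toy language: instance is in L iff f^{-1}(instance) is even.
    return f_inv(instance) % 2 == 0

def query(instance, r):
    # The question y is fixed by (instance, r), so the prover can recompute it from r.
    return (f(r) * instance) % P

def decide(r, preimage):
    # f is multiplicative, so f^{-1}(y) = r * f^{-1}(instance) (mod P); strip r.
    return (preimage * pow(r, -1, P)) % P % 2 == 0

def verifier(instance, r, prover):
    y_claimed, preimage = prover(instance, r)   # steps 1-2: send r, receive (y, x)
    y = query(instance, r)
    if y_claimed != y or f(preimage) != y:      # step 3: is y the question, is f(x) = y?
        return "reject"
    return decide(r, preimage)                  # step 4: run the reduction

def honest_prover(instance, r):
    y = query(instance, r)
    return y, f_inv(y)

def wrong_preimage_prover(instance, r):
    y = query(instance, r)
    return y, (f_inv(y) + 1) % P                # right question, wrong preimage

def swapped_question_prover(instance, r):
    x2 = (f_inv(query(instance, r)) + 1) % P
    return f(x2), x2                            # valid pair (y', x'), but y' != y

if __name__ == "__main__":
    for prover in (honest_prover, wrong_preimage_prover, swapped_question_prover):
        print(prover.__name__, verifier(77, 5, prover), "L(77) =", L(77))
```

Both cheating provers are stopped at step 3, which works only because the verifier can recompute the single classical question y from its own randomness; slide 17 explains why this check does not carry over to a question held in superposition.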
