on basing one way permutations on np hard problems under
play

On basing one-way permutations on NP-hard problems under quantum - PowerPoint PPT Presentation

Nov 08, 2022 •316 likes •567 views

On basing one-way permutations on NP-hard problems under quantum reductions Nai-Hui Chia (PennState to UTAustin) Joint work with Sean Hallgren (PennState) and Fang Song (PortlandState to TAMU) 1 How do people say a crypto system is

  1. On basing one-way permutations on NP-hard problems under quantum reductions Nai-Hui Chia (PennState to UTAustin) Joint work with Sean Hallgren (PennState) and Fang Song (PortlandState to TAMU) 1

  2. How do people say a crypto system is computationally secure? Many experts put lots of efforts on Okay, Y is secure breaking system Y for a very long time. Still cannot find an After 50yrs... efficient algorithm for Y System Y 2

  3. How do people say a crypto system is computationally secure? Many experts put lots of efforts on Okay, Y is secure breaking system Y for a very long time. Still cannot find an After 50yrs... efficient algorithm for Y System Y Do we really need to wait 50yrs? 3

  4. How do people say a crypto system is computationally secure? Many experts put lots of efforts on Okay, Y is secure breaking system Y for a very long time. Still cannot find an After 50yrs... efficient algorithm for Y System Y Do we really need to wait 50yrs? ● SAT has already been studied for >50yrs. ● SAT is hard (NP-complete) ● P≠NP (people believe) SAT Use SAT to show Problem Y is hard. 4

  5. Show Y is hard by a reduction from SAT: SAT ≤ Y An oracle for Y Questions Answers Answer An instance of SAT Algorithm A (A reduction) SAT ≤ Y: ● An efficient algorithm A solving SAT by using an oracle for Y. ● Algorithm A and (Questions, Answers) can be either classical or quantum! SAT ≤ Y ⇒ No efficient algorithm can break system Y unless NP = P. 5

  6. Consider Y as inverting one-way functions ● Functions which are easy to compute but hard to invert. ● A fundamental cryptographic primitive. The existence of one-way functions implies ○ Pseudorandom generators ○ Digital signature scheme ○ Message Authentication Codes ……. ○

  7. Consider Y as inverting one-way functions ● Functions which are easy to compute but hard to invert. ● A fundamental cryptographic primitive. The existence of one-way functions implies ○ Pseudorandom generators ○ Digital signature scheme ○ Message Authentication Codes ……. ○ Can inverting one-way functions be as hard as SAT?

  8. One-way functions ● Functions which are easy to compute but hard to invert. ● A fundamental cryptographic primitive. It implies Pseudorandom generators ○ ○ Digital signature scheme ○ Message Authentication Codes ○ ……. Can inverting one-way functions be as hard as SAT? ● SAT ≤ c Inverting a one-way permutation ⇒ PH collapses [Brassard96]. ● SAT ≤ c Inverting a one-way function ⇒ PH collapses, ○ when the reductions are non-adaptive [AGGM05] or the functions are preimage verifiable[AGGM05,BB15].

  9. One-way functions ● Functions which are easy to compute but hard to invert. ● A fundamental cryptographic primitive. It implies Pseudorandom generators ○ ○ Digital signature scheme ○ Message Authentication Codes ○ ……. Can inverting one-way functions be as hard as SAT? ● SAT ≤ c Inverting a one-way permutation ⇒ PH collapses [Brassard96]. ● SAT ≤ c Inverting a one-way function ⇒ PH collapses, ○ when the reductions are non-adaptive[AGGM05] or the functions are preimage verifiable[AGGM05, BB15]. Only classical reductions are considered!

  10. We are interested in quantum reductions Problem Y solver (An oracle for Y) Quantum messages An instance of SAT Algorithm A Answers to SAT (A quantum algorithm) Quantum algorithm Computational tasks Hard problems ≤ quantum (e.g., inverting one-way (e.g., NP-hard problems) functions) Do these reductions exist? 10

  11. ● SAT ≤ c Inverting a one-way permutation ⇒ coNP ⊆ AM ⇒ PH collapses [Brassard96]. ● SAT ≤ c Inverting a one-way function ⇒ PH collapses, ○ when the reductions are non-adaptive[BT06] or the functions are preimage verifiable[]. Our results SAT ≤ q Inverting a one-way permutation (Inv-OWP) ⇒ coNP ⊆ QIP(2), where ● our result has the restrictions that the reductions are non-adaptive and the distribution of the questions to the oracle are not far from the uniform distribution. ● It is not known if coNP ⊆ QIP(2). 11

  12. NP-hard Problems ≤ c Inv-OWP ⇒ coNP ⊆ AM Theorem [Brassad96]: SAT ≤ c Inv-OWP ⇒ coNP ⊆ AM ⇒ The polynomial hierarchy collapses to the second level. O (An oracle for Inv-OWP) The goal is to construct a “constant-round protocol” for SAT by using the reduction. y f -1 (y) x R O R O (x,r,y,f -1 (y)) = L(x) (The reduction) r 12

  13. Arthur-Merlin Protocol x Two classical messages exchanged . r: a random string Prover Verifier c: a proof (Merlin) (Arthur) A(x,r,c)=L(x) PSPACE We say L ∈ AM if ● (completeness) if x ∈ L , there is a prover AM (Merlin) can convince Arthur (the verifier) that x ∈ L . NP ● (soundness) if x ∉ L , no prover (Merlin) can convince Arthur that x ∈ L . P 13

  14. SAT ≤ c Inv-OWP ⇒ SAT ∈ AM Given the verifier’s randomness, the prover knows the question Prover O Arthur wants to ask. (Simulate O ) (An oracle for Inv-OWP) f -1 (y) y,x y r x x 1-R O (x,r) R O (x,r) Verifier R O r (Verify f(x)=y and apply R o ) r (The reduction) 1. The verifier sends his random string to the prover. ○ The prover knows y after having the random string. 2. The prover sends y and x (where f(x)=y) to the verifier. A malicious prover may send (y’, x’) ≠ (y, x). ○ 3. The verifier verifies whether y is the question and f(x) = y. If not, reject. The verifier runs the reduction R o if he doesn’t reject in step 3. 4. 14

  15. Can we use this protocol for quantum reductions? Given the verifier’s randomness, the prover knows the question Prover O Arthur wants to ask. (Simulate O ) (An oracle for Inv-OWP) f -1 (y) y,x y r x x 1-R O (x,r) R O (x,r) r Verifier R O (Verify f(x)=y and apply R o ) r (The reduction) 1. The verifier sends his random string to the prover. ○ The prover knows y after having the random string. 2. The prover sends y and x (where f(x)=y) to the verifier. A malicious prover may send (y’, x’) ≠ (y, x). ○ 3. The verifier verifies whether y is the question and f(x) = y. If not, reject. The verifier runs the reduction R o if he doesn’t reject in step 3. 4. 15

  16. No, quantum reductions are more tricky Each question can be in superposition O ○ |Q> 123 =∑ q c q |q> 1 |0> 2 |w q > 3 (An oracle for Inv-OWP) |c q | 2 can be viewed as the ○ |Q> 12 |A> 12 weight of question q. The answer is also in superposition Reduction U R x (An efficient quantum U R |x>|A> |A> 123 =∑ q c q |q> 1 |f -1 (q)> 2 |w q > 3 ○ algorithm) 16

  17. Why does the classical protocol fail? Each question can be in superposition O ○ |Q> 123 =∑ q c q |q> 1 |0> 2 |w q > 3 (An oracle for Inv-OWP) |c q | 2 can be viewed as the ○ |Q> 12 |A> 12 weight of question q. The answer is also in superposition Reduction U R x (An efficient quantum U R |x>|A> |A> 123 =∑ q c q |q> 1 |f -1 (q)> 2 |w q > 3 ○ algorithm) ● SImulating the reduction SAT ≤ q Inv-OWP only gives “quantum interactive proof” protocol. ● The prover can cheat by giving correct (q,f -1 (q)), but changing the weight c q . 17

  18. Goal: SAT ≤ q Inv-OWP ⇒ SAT ∈ QIP(2) |M 1 > Prover Verifier (Applying some operation: |M 2 > (quantum algorithm U A ) |Q> ⟶ |Q H >) We say L ∈ QIP(2) if ● (completeness) if x ∈ L , the prover can convince the verifier that x ∈ L . ● (soundness) if x ∉ L , no prover can convince the verifier that x ∈ L . PSPACE QIP(2) AM NP P 18

  19. Goal: SAT ≤ q Inv-OWP ⇒ SAT ∈ QIP(2) under uniform quantum reductions |M 1 > Prover Verifier (Applying some operation: |M 2 > (quantum algorithm U A ) |Q> ⟶ |Q H >) We say L ∈ QIP(2) if ● (completeness) if x ∈ L , the prover can convince the verifier that x ∈ L . ● (soundness) if x ∉ L , no prover can convince the verifier that x ∈ L . PSPACE QIP(2) Uniform quantum reductions: AM ● Each query is a uniform superposition NP |Q>=∑ q |q>|0>|w q > ○ ● The answer is also in uniform superposition |A>=∑|q>|f -1 (q)>|w q > ○ P 19

  20. A protocol with “trap” The trap Register M of |Q> or |T> Prover Verifier Register M of |A> or |S> The real query The main idea: If the prover cheats, he has ½ probability to cheat on the trap state. The verifier can catch him by verifying the trap state! ● The prover cannot distinguish the trap and the real query. ● |S> can be efficiently verified by the verifier. 20

  21. A protocol with “trap” The trap Register M of |Q> or |T> Prover Verifier Register M of |A> or |S> 1. Send the register M of |Q> or |T> uniformly at The real query random. ● |Q>=∑ q (|q>|0>) M (|w q >|q>) V ● |T>=∑ q (|q>|0>) M (|0>|q>) V 2. An honest prover will send |A> or |S>. |A>=∑ q |q>|f -1 (q)>|w q >|q> ● 3. The verifier does the following. |S>=∑ q |q>|f -1 (q)>|0>|q> ● In case |Q>: ● ○ Run the reduction and accept if the reduction accepts. ● |A> ⇒ |0> may not be ● In case |T>: efficient. Run the unitary U: |S> ⇒ |0> and ○ ● U: |S> ⇒ |0> is efficient. measure the output in the standard basis. If the outcome is |0>, accepts. 21

Recommend

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems . They allow to

379 views • 5 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems .

345 views • 3 slides
Hard Problems Some problems are hard to solve. No polynomial time algorithm is known.

Hard Problems Some problems are hard to solve. No polynomial time algorithm is known.

Hard Problems Some problems are hard to solve. No polynomial time algorithm is known. E.g., NP-hard problems such as machine scheduling, bin packing, 0/1 knapsack. Is this necessarily bad? Data encryption relies on difficult

721 views • 15 slides
HydroCare HC-44 HydroCare HC-44 Hard Water Problems Hard Water Problems Hard Water Costs You

HydroCare HC-44 HydroCare HC-44 Hard Water Problems Hard Water Problems Hard Water Costs You

HydroCare HC-44 HydroCare HC-44 Hard Water Problems Hard Water Problems Hard Water Costs You Money! Hard Water Costs You Money! Limescale originates in the components of the waters carbonic rigidity-calcium carbonate (lime), magnesium

614 views • 8 slides
Cryptography Hard Problems encryption message encryption key algorithm Some problems are

Cryptography Hard Problems encryption message encryption key algorithm Some problems are

Cryptography Hard Problems encryption message encryption key algorithm Some problems are hard to solve. No polynomial time algorithm is known. Transmission E.g., NP-hard problems such as machine scheduling, Channel bin packing,

516 views • 8 slides
Cryptography Hard Problems encryption message encryption key algorithm Some problems are

Cryptography Hard Problems encryption message encryption key algorithm Some problems are

Cryptography Hard Problems encryption message encryption key algorithm Some problems are hard to solve. No polynomial time algorithm is known. Transmission E.g., NP-hard problems such as machine scheduling, Channel bin packing,

445 views • 5 slides
s II, Acta Math. Acad. Sci. Hungar. 18 (1967), s S 151164; III, ibid. 18 (1967),

s II, Acta Math. Acad. Sci. Hungar. 18 (1967), s S 151164; III, ibid. 18 (1967),

Extremal problems Permutations How many permutations in a set (or group) with prescribed distances? Peter J. Cameron

524 views • 3 slides
Pattern avoiding permutations in genome rearrangement problems: the transposition model G.

Pattern avoiding permutations in genome rearrangement problems: the transposition model G.

Pattern avoiding permutations in genome rearrangement problems: the transposition model Pattern avoiding permutations in genome rearrangement problems: the transposition model G. Cerbai, L. Ferrari Dipartimento di Matematica e Informatica U.

688 views • 66 slides
Using Python to Solve Computationally Hard Problems Using Python to Solve Computationally Hard

Using Python to Solve Computationally Hard Problems Using Python to Solve Computationally Hard

Using Python to Solve Computationally Hard Problems Using Python to Solve Computationally Hard Problems Rachael Madsen Optimal Design Software LLC BS in Mathematics Software Engineer & Architect Python programmer

872 views • 46 slides
More NP-Complete Problems NP-Hard Problems Tautology Problem Node Cover Knapsack 1 Next Steps

More NP-Complete Problems NP-Hard Problems Tautology Problem Node Cover Knapsack 1 Next Steps

More NP-Complete Problems NP-Hard Problems Tautology Problem Node Cover Knapsack 1 Next Steps We can now reduce 3SAT to a large number of problems, either directly or indirectly. Each reduction must be polytime. Usually we focus

871 views • 49 slides
Local convergence for random permutations The case of uniform pattern-avoiding permutations

Local convergence for random permutations The case of uniform pattern-avoiding permutations

Local convergence for random permutations The case of uniform pattern-avoiding permutations Jacopo Borga, Institut fr Mathematik, Universitt Zrich July 9, 2018 Dartmouth College, Hanover, New Hampshire Our goal 1. Scaling limits: Our

2.18k views • 175 slides
JUST THE MATHS SLIDES NUMBER 19.2 PROBABILITY 2 (Permutations and combinations) by

JUST THE MATHS SLIDES NUMBER 19.2 PROBABILITY 2 (Permutations and combinations) by

JUST THE MATHS SLIDES NUMBER 19.2 PROBABILITY 2 (Permutations and combinations) by A.J.Hobson 19.2.1 Introduction 19.2.2 Rules of permutations and combinations 19.2.3 Permutations of sets with some objects alike UNIT 19.2 -

400 views • 11 slides
Representing permutations without permutations The expressive power of sequential intersection

Representing permutations without permutations The expressive power of sequential intersection

Representing permutations without permutations The expressive power of sequential intersection Pierre VIAL Equipe Gallinette Inria (LS2N CNRS) June 10, 2018 Non-idempotent typing P. Vial 0 1 /33 Outline Non-idempotent Rigid vs.

1.4k views • 123 slides
Supposedly Hard Problems In Multivariate Cryptography Charles Bouillaguet Universit de

Supposedly Hard Problems In Multivariate Cryptography Charles Bouillaguet Universit de

Introduction The MQ Problem Polynomial Equivalence Problems Supposedly Hard Problems In Multivariate Cryptography Charles Bouillaguet Universit de Versailles Saint-Quentin Versailles, France Sminaire CARAMEL 20 janvier 2012

721 views • 59 slides
Automatic Algorithm Configuration Thomas St utzle Optimization problems arise everywhere!

Automatic Algorithm Configuration Thomas St utzle Optimization problems arise everywhere!

HEURISTIC OPTIMIZATION Automatic Algorithm Configuration Thomas St utzle Optimization problems arise everywhere! Most such problems are computationally very hard (NP-hard!) Heuristic Optimization 2015 2 The algorithmic solution of hard

342 views • 19 slides
CS 4803 to find some building blocks - hard problems (assumptions about hardness of some

CS 4803 to find some building blocks - hard problems (assumptions about hardness of some

As no encryption scheme besides the OneTimePad is unconditionally secure, we need CS 4803 to find some building blocks - hard problems (assumptions about hardness of some Computer and Network Security problems) to base security of our new

553 views • 3 slides
Posets and Permutations in the Duplication-Loss Model: Minimal Permutations with d Descents.

Posets and Permutations in the Duplication-Loss Model: Minimal Permutations with d Descents.

Posets and Permutations in the Duplication-Loss Model: Minimal Permutations with d Descents. Mathilde Bouvel Elisa Pergola GASCom 2008 liafa Definitions Duplication-Loss Characterization Posets Enumeration Conclusion Outline of the talk 1

620 views • 31 slides
A Note on 5-bit Quadratic Permutations Classification Duan Boilov Begl Bilgin Hac

A Note on 5-bit Quadratic Permutations Classification Duan Boilov Begl Bilgin Hac

A Note on 5-bit Quadratic Permutations Classification Duan Boilov Begl Bilgin Hac Ali ahin March 6, 2017 Motivation 2/14 Permutations are main nonlinear part of symmetric primitives Quadratic permutations can be used to

381 views • 22 slides
Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. 1

Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. 1

Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. 1 Definitions A sequence a 1 , a 2 , . . . , a k of distinct integers is alternating if a 1 > a 2 < a 3 > a 4 < , and reverse alternating if

1.14k views • 98 slides
Family History Technology: A Survey of 10 Hard Problems Dr.

Family History Technology: A Survey of 10 Hard Problems Dr.

Family History Technology: A Survey of 10 Hard Problems Dr. Doran Wilde Brigham Young University Dept. Electrical and Computer Engineering Family

613 views • 22 slides
Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. 1 Basic

Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. 1 Basic

Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. 1 Basic definitions A sequence a 1 , a 2 , . . . , a k of distinct integers is alternating if a 1 > a 2 < a 3 > a 4 < , and reverse

1.59k views • 119 slides
Subsection 2 NP -hardness 36 / 109 NP -Hardness Do hard problems exist? Depends on P = NP

Subsection 2 NP -hardness 36 / 109 NP -Hardness Do hard problems exist? Depends on P = NP

Subsection 2 NP -hardness 36 / 109 NP -Hardness Do hard problems exist? Depends on P = NP Next best thing: define hardest problem in NP A problem P is NP -hard if Every problem Q in NP can be solved in this way: 1. given an instance

609 views • 14 slides
On Basing Search SIVP on NP-Hardness Tianren Liu MIT liutr@mit.edu Sixteenth IACR Theory of

On Basing Search SIVP on NP-Hardness Tianren Liu MIT liutr@mit.edu Sixteenth IACR Theory of

On Basing Search SIVP on NP-Hardness Tianren Liu MIT liutr@mit.edu Sixteenth IACR Theory of Cryptography Conference Tianren LIU (MIT) Basing Search SIVP on NP-Hardness TCC 2018 1 / 18 Assumptions and Primitives in Cryptography

1.46k views • 99 slides
Random permutations with logarithmic cycle Random permutations weights Classical measures The

Random permutations with logarithmic cycle Random permutations weights Classical measures The

Random permutations with logarithmic cycle weights Setting the scene Random permutations with logarithmic cycle Random permutations weights Classical measures The weighted measure The cycle counts C m Dirk Zeindler The cycle containing

1.6k views • 149 slides

More recommend