
On basing one-way permutations on NP-hard problems under quantum reductions



  1. On basing one-way permutations on NP-hard problems under quantum reductions
     Nai-Hui Chia (PennState to UTAustin)
     Joint work with Sean Hallgren (PennState) and Fang Song (PortlandState to TAMU)

  2. How do people say a crypto system is computationally secure?
     ● Many experts put lots of effort into breaking system Y for a very long time. Still cannot find an efficient algorithm for Y.
     ● After 50yrs... "Okay, Y is secure."

  3. How do people say a crypto system is computationally secure?
     ● Many experts put lots of effort into breaking system Y for a very long time. Still cannot find an efficient algorithm for Y.
     ● After 50yrs... "Okay, Y is secure."
     Do we really need to wait 50yrs?

  4. How do people say a crypto system is computationally secure?
     ● Many experts put lots of effort into breaking system Y for a very long time. Still cannot find an efficient algorithm for Y.
     ● After 50yrs... "Okay, Y is secure."
     Do we really need to wait 50yrs?
     ● SAT has already been studied for >50yrs.
     ● SAT is hard (NP-complete)
     ● P≠NP (people believe)
     Use SAT to show Problem Y is hard.

  5. Show Y is hard by a reduction from SAT: SAT ≤ Y
     [Diagram: an instance of SAT goes into Algorithm A (a reduction), which exchanges Questions and Answers with an oracle for Y and outputs the Answer.]
     SAT ≤ Y:
     ● An efficient algorithm A solving SAT by using an oracle for Y.
     ● Algorithm A and (Questions, Answers) can be either classical or quantum!
     SAT ≤ Y ⇒ No efficient algorithm can break system Y unless NP = P.

  6. Consider Y as inverting one-way functions
     ● Functions which are easy to compute but hard to invert.
     ● A fundamental cryptographic primitive. The existence of one-way functions implies
       ○ Pseudorandom generators
       ○ Digital signature scheme
       ○ Message Authentication Codes
       ○ ……

  7. Consider Y as inverting one-way functions
     ● Functions which are easy to compute but hard to invert.
     ● A fundamental cryptographic primitive. The existence of one-way functions implies
       ○ Pseudorandom generators
       ○ Digital signature scheme
       ○ Message Authentication Codes
       ○ ……
     Can inverting one-way functions be as hard as SAT?

  8. One-way functions
     ● Functions which are easy to compute but hard to invert.
     ● A fundamental cryptographic primitive. It implies
       ○ Pseudorandom generators
       ○ Digital signature scheme
       ○ Message Authentication Codes
       ○ ……
     Can inverting one-way functions be as hard as SAT?
     ● SAT ≤_c Inverting a one-way permutation ⇒ PH collapses [Brassard96].
     ● SAT ≤_c Inverting a one-way function ⇒ PH collapses,
       ○ when the reductions are non-adaptive [AGGM05] or the functions are preimage verifiable [AGGM05, BB15].

  9. One-way functions
     ● Functions which are easy to compute but hard to invert.
     ● A fundamental cryptographic primitive. It implies
       ○ Pseudorandom generators
       ○ Digital signature scheme
       ○ Message Authentication Codes
       ○ ……
     Can inverting one-way functions be as hard as SAT?
     ● SAT ≤_c Inverting a one-way permutation ⇒ PH collapses [Brassard96].
     ● SAT ≤_c Inverting a one-way function ⇒ PH collapses,
       ○ when the reductions are non-adaptive [AGGM05] or the functions are preimage verifiable [AGGM05, BB15].
     Only classical reductions are considered!

  10. We are interested in quantum reductions
      [Diagram: an instance of SAT goes into Algorithm A (a quantum algorithm), which exchanges quantum messages with a Problem Y solver (an oracle for Y) and outputs answers to SAT.]
      Quantum algorithm: Hard problems (e.g., NP-hard problems) ≤_quantum Computational tasks (e.g., inverting one-way functions)
      Do these reductions exist?

  11. ● SAT ≤_c Inverting a one-way permutation ⇒ coNP ⊆ AM ⇒ PH collapses [Brassard96].
      ● SAT ≤_c Inverting a one-way function ⇒ PH collapses,
        ○ when the reductions are non-adaptive [BT06] or the functions are preimage verifiable [].
      Our results
      SAT ≤_q Inverting a one-way permutation (Inv-OWP) ⇒ coNP ⊆ QIP(2), where
      ● our result has the restrictions that the reductions are non-adaptive and the distribution of the questions to the oracle is not far from the uniform distribution.
      ● It is not known if coNP ⊆ QIP(2).

  12. NP-hard Problems ≤_c Inv-OWP ⇒ coNP ⊆ AM
      Theorem [Brassard96]: SAT ≤_c Inv-OWP ⇒ coNP ⊆ AM ⇒ The polynomial hierarchy collapses to the second level.
      The goal is to construct a “constant-round protocol” for SAT by using the reduction.
      [Diagram: the reduction R^O takes x and r, sends y to O (an oracle for Inv-OWP) and receives f⁻¹(y); R^O(x,r,y,f⁻¹(y)) = L(x).]

  13. Arthur-Merlin Protocol
      [Diagram: on input x, two classical messages are exchanged between the prover (Merlin) and the verifier (Arthur): r, a random string, and c, a proof; A(x,r,c) = L(x).]
      We say L ∈ AM if
      ● (completeness) if x ∈ L, there is a prover (Merlin) who can convince Arthur (the verifier) that x ∈ L.
      ● (soundness) if x ∉ L, no prover (Merlin) can convince Arthur that x ∈ L.
      [Diagram of complexity classes: PSPACE, AM, NP, P.]

  14. SAT ≤_c Inv-OWP ⇒ SAT ∈ AM
      Given the verifier’s randomness, the prover knows the question Arthur wants to ask.
      [Diagram: on one side, the reduction R^O with input x and randomness r sends y to O (an oracle for Inv-OWP) and receives f⁻¹(y); on the other, the verifier (verify f(x)=y and apply R^O) sends r to the prover (simulate O) and receives y, x. Outputs are labelled R^O(x,r) and 1-R^O(x,r).]
      1. The verifier sends his random string to the prover.
         ○ The prover knows y after having the random string.
      2. The prover sends y and x (where f(x)=y) to the verifier.
         ○ A malicious prover may send (y’, x’) ≠ (y, x).
      3. The verifier verifies whether y is the question and f(x) = y. If not, reject.
      4. The verifier runs the reduction R^O if he doesn’t reject in step 3.

  15. Can we use this protocol for quantum reductions?
      Given the verifier’s randomness, the prover knows the question Arthur wants to ask.
      [Diagram: on one side, the reduction R^O with input x and randomness r sends y to O (an oracle for Inv-OWP) and receives f⁻¹(y); on the other, the verifier (verify f(x)=y and apply R^O) sends r to the prover (simulate O) and receives y, x. Outputs are labelled R^O(x,r) and 1-R^O(x,r).]
      1. The verifier sends his random string to the prover.
         ○ The prover knows y after having the random string.
      2. The prover sends y and x (where f(x)=y) to the verifier.
         ○ A malicious prover may send (y’, x’) ≠ (y, x).
      3. The verifier verifies whether y is the question and f(x) = y. If not, reject.
      4. The verifier runs the reduction R^O if he doesn’t reject in step 3.

  16. No, quantum reductions are more tricky
      Each question can be in superposition
      ○ |Q>_123 = ∑_q c_q |q>_1 |0>_2 |w_q>_3
      ○ |c_q|² can be viewed as the weight of question q.
      The answer is also in superposition
      ○ |A>_123 = ∑_q c_q |q>_1 |f⁻¹(q)>_2 |w_q>_3
      [Diagram: on input x, the reduction U_R (an efficient quantum algorithm) sends |Q>_12 to O (an oracle for Inv-OWP), receives |A>_12 and outputs U_R|x>|A>.]

  17. Why does the classical protocol fail?
      Each question can be in superposition
      ○ |Q>_123 = ∑_q c_q |q>_1 |0>_2 |w_q>_3
      ○ |c_q|² can be viewed as the weight of question q.
      The answer is also in superposition
      ○ |A>_123 = ∑_q c_q |q>_1 |f⁻¹(q)>_2 |w_q>_3
      [Diagram: on input x, the reduction U_R (an efficient quantum algorithm) sends |Q>_12 to O (an oracle for Inv-OWP), receives |A>_12 and outputs U_R|x>|A>.]
      ● Simulating the reduction SAT ≤_q Inv-OWP only gives a “quantum interactive proof” protocol.
      ● The prover can cheat by giving correct (q, f⁻¹(q)), but changing the weight c_q.

  18. Goal: SAT ≤_q Inv-OWP ⇒ SAT ∈ QIP(2)
      [Diagram: messages |M_1> and |M_2> are exchanged between the prover (applying some operation: |Q> ⟶ |Q_H>) and the verifier (quantum algorithm U_A).]
      We say L ∈ QIP(2) if
      ● (completeness) if x ∈ L, the prover can convince the verifier that x ∈ L.
      ● (soundness) if x ∉ L, no prover can convince the verifier that x ∈ L.
      [Diagram of complexity classes: PSPACE, QIP(2), AM, NP, P.]

  19. Goal: SAT ≤_q Inv-OWP ⇒ SAT ∈ QIP(2) under uniform quantum reductions
      [Diagram: messages |M_1> and |M_2> are exchanged between the prover (applying some operation: |Q> ⟶ |Q_H>) and the verifier (quantum algorithm U_A).]
      We say L ∈ QIP(2) if
      ● (completeness) if x ∈ L, the prover can convince the verifier that x ∈ L.
      ● (soundness) if x ∉ L, no prover can convince the verifier that x ∈ L.
      Uniform quantum reductions:
      ● Each query is a uniform superposition
        ○ |Q> = ∑_q |q>|0>|w_q>
      ● The answer is also in uniform superposition
        ○ |A> = ∑_q |q>|f⁻¹(q)>|w_q>
      [Diagram of complexity classes: PSPACE, QIP(2), AM, NP, P.]

  20. A protocol with “trap”
      [Diagram: the verifier sends register M of |Q> (the real query) or |T> (the trap) to the prover; the prover returns register M of |A> or |S>.]
      The main idea: If the prover cheats, he has ½ probability to cheat on the trap state. The verifier can catch him by verifying the trap state!
      ● The prover cannot distinguish the trap and the real query.
      ● |S> can be efficiently verified by the verifier.

  21. A protocol with “trap”
      [Diagram: the verifier sends register M of |Q> (the real query) or |T> (the trap) to the prover; the prover returns register M of |A> or |S>.]
      1. Send the register M of |Q> or |T> uniformly at random.
         ● |Q> = ∑_q (|q>|0>)_M (|w_q>|q>)_V
         ● |T> = ∑_q (|q>|0>)_M (|0>|q>)_V
      2. An honest prover will send |A> or |S>.
         ● |A> = ∑_q |q>|f⁻¹(q)>|w_q>|q>
         ● |S> = ∑_q |q>|f⁻¹(q)>|0>|q>
      3. The verifier does the following.
         ● In case |Q>:
           ○ Run the reduction and accept if the reduction accepts.
         ● In case |T>:
           ○ Run the unitary U: |S> ⇒ |0> and measure the output in the standard basis. If the outcome is |0>, accept.
      ● |A> ⇒ |0> may not be efficient.
      ● U: |S> ⇒ |0> is efficient.
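
A small state-vector calculation of the trap check from slides 20 and 21, added here as an illustration and not taken from the talk. The permutation table, the two cheating strategies and all function names are constructed, and the verifier's unitary U: |S> ⇒ |0> is modelled by the acceptance probability |<S|ψ>|² that it yields.

```python
import cmath
from math import pi, sqrt

N = 4
F_INV = [1, 3, 0, 2]   # f^-1 for a toy permutation f on {0,1,2,3} (constructed)

def trap_state():
    """|T> = sum_q (|q>|0>)_M (|0>|q>)_V as {(q, answer, w, q_copy): amplitude}."""
    return {(q, 0, 0, q): 1 / sqrt(N) for q in range(N)}

def expected_state():
    """|S> = sum_q |q>|f^-1(q)>|0>|q>, the honest reply to |T>."""
    return {(q, F_INV[q], 0, q): 1 / sqrt(N) for q in range(N)}

def prover(state, answer, phase=lambda q: 0.0):
    """Unitary on register M only: XOR answer(q) into the answer slot and
    multiply branch q by exp(i*phase(q)); a non-zero phase alters c_q."""
    out = {}
    for (q, a, w, v), amp in state.items():
        key = (q, a ^ answer(q), w, v)
        out[key] = out.get(key, 0) + amp * cmath.exp(1j * phase(q))
    return out

def trap_accept(returned):
    """Pr[outcome |0> after U: |S> -> |0>] = |<S|returned>|^2."""
    s = expected_state()
    return abs(sum(s.get(k, 0) * amp for k, amp in returned.items())) ** 2

def catch_probability(returned):
    """The trap is sent with probability 1/2; the cheat is caught when it fails."""
    return 0.5 * (1 - trap_accept(returned))

honest = prover(trap_state(), lambda q: F_INV[q])
wrong_answer = prover(trap_state(), lambda q: F_INV[q] ^ (q == 0))
phase_flipped = prover(trap_state(), lambda q: F_INV[q],
                       phase=lambda q: pi if q == 0 else 0.0)

if __name__ == "__main__":
    for name, st in [("honest", honest), ("wrong answer on q=0", wrong_answer),
                     ("phase flip on q=0", phase_flipped)]:
        print(f"{name}: trap accepts with p={trap_accept(st):.4f}, "
              f"caught with p={catch_probability(st):.4f}")
```

The phase-flipping prover returns a correct pair (q, f⁻¹(q)) in every branch, which the classical check of slide 14 would accept, yet the trap check still fails with constant probability.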

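The classical protocol of slide 14 (steps 1 to 4), run end to end as an added example that is not part of the talk. SAT and a real one-way permutation are replaced by constructed toy stand-ins: f(x) = 5^x mod 23, the language "the discrete log of the instance is below 11", and a reduction that asks one uniformly distributed question; all names are hypothetical.

```python
import secrets

P, G = 23, 5          # toy parameters (constructed): 5 generates Z_23^*
ORDER = P - 1

def f(x):
    """Toy permutation f: {0..21} -> {1..22}, x -> G^x mod P."""
    return pow(G, x, P)

def question(inst, r):
    """Query y that the reduction asks on input inst with randomness r."""
    return (inst * pow(G, r, P)) % P

def decide(r, preimage):
    """Rest of the reduction: unmask the answer and output L(inst)."""
    return (preimage - r) % ORDER < ORDER // 2

def invert(y):
    """Unbounded prover's inverter (brute force is fine at toy size)."""
    return next(x for x in range(ORDER) if f(x) == y)

def honest_prover(inst, r):
    y = question(inst, r)
    return y, invert(y)

def wrong_preimage_prover(inst, r):
    y, x = honest_prover(inst, r)
    return y, (x + ORDER // 2) % ORDER      # would flip the verdict if accepted

def other_question_prover(inst, r):
    x = (invert(question(inst, r)) + 1) % ORDER
    return f(x), x                          # valid pair, but not the asked y

def verifier(inst, prover, r=None):
    """Returns L(inst) as a bool, or None when the verifier rejects."""
    if r is None:
        r = secrets.randbelow(ORDER)        # step 1: send the random string
    y, x = prover(inst, r)                  # step 2: prover replies (y, x)
    if y != question(inst, r) or f(x) != y: # step 3: check question and preimage
        return None
    return decide(r, x)                     # step 4: run the reduction

if __name__ == "__main__":
    for inst in (f(3), f(15)):
        print(inst, verifier(inst, honest_prover),
              verifier(inst, wrong_preimage_prover),
              verifier(inst, other_question_prover))
```

Because f is a permutation, each question has exactly one preimage the verifier can check, so both malicious provers are rejected for every random string.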