Cryptography from NP-Hardness

Home , QIP (complexity)

Cryptography from NP-Hardness: can quantum computing help? Fang Song CSE @ TAMU Joint work with Nai-Hui Chia, UT Austin arXiv:1804.10309 Sean Hallgren, Penn State P = NP ?● P = {L: poly-time computable} ● NP = {L: poly-time veriﬁable} ● NP-Complete = {L: “hardest” in NP} NPC Satisﬁability NP Shortest vector Problem Graph isomorphism P Sorting

(Unfortunate) reality: unlikely to solve NPC in P

2 Cryptography: where to ﬁnd?

Cryptopia Program obfuscation ... Cryptomania Public-key encryption … Symmetric-key encryption, Minicrypt digital signature, ...

(Unfortunate) reality: don’t exist unconditionally

3 If P ≠ NP Then Crypto Cryptopia NP ? Cryptomania P ⇒ Minicrypt

4 Basing crypto on NP-hardness ? If P ≠ NP ⇒ Then Crypto

☹ seems unlikely [Bra79,FF93,BT06,AGGM06,BB15...] … in the classical computing regime so far

Our work: quantum computing might not help

5 This Talk

1 Negative evidence in the classical world

2 Our work: neg. evidence in the quantum world

6 Making the goal concrete BPP={L: computable in probabilistic poly-time}

? Minicrypt SAT ∉ BPP ⇒ OWF ⟺ One-Way Function f ● Easy to compute (poly-time) ● Hard to invert on average X Y ○ Given: y = f(x), x ←X random �� X=Y={0,1}n ○ Find: x’ s.t. f(x’)=y.

7 Making sense of the goal SAT ∉ BPP ?⇒ OWF 1. Construct a function f 2. Prove security of f Inverting f is as hard as solving SAT on average worst-case x ● Given A: inverter of f ● Concoct R: eﬃcient SAT solver A R Reduction: SAT ⩽ OWF x∊SAT? 8 Collapse of the wish ● If SAT ⩽ OWPermutation, then coNP ⊆ AM. [Bra79] ● If SAT ⩽ OWF, then coNP ⊆ AM. ○ Non-adaptive reductions R [AGGM05] ○ f preimage veriﬁable [BB15] AM coAM ➔ PH collapses to 2nd level: NP coNP widely believed unlikely P PH: polynomial hierarchy

9 Arthur-Merlin interactive proofs ● L∊AM, if ∃ ○ (Completeness) if x∊ L, V acc w.p. >⅔. ○ (Soundness) if x∉ L, ∀ (dishonest) P*, V acc w.p < ⅓. x satisfiable? r: random $ P a: proof V acc/rej Prover: unbounded Veriﬁer: (randomized) poly-time ● NP⊆AM: prover ignores r and sends a witness

10 How come the negative evidence? Theorem[Bra79] If SAT ⩽ OWP, then coNP ⊆

AM.● Idea: prover can act as an inverter

AM protocol for co-SAT x x y A i r={y } V ←Y P i -1 x =f (y ) a={x } R R (x , y ) R i i A i 0 i i ¬R0(xi , yi)

Enforce honest P: V checks f(xi)=yi 11 This Talk

1 Negative evidence in the classical world

2 Our work: neg. evidence in the quantum world

12 What quantum brings us NPC ● BQP = {L: poly-time computable NP on a quantum computer} BQP ● Many cryptosystems at risk … P factoring  Quantum cryptography can be helpful ○ Quantum Key Distribution (strong security)

13 A highly hopeful message  Quantum reduction from worst-case lattice problems to crypto [Regev05] ★ Enables cryptopia: FHE, FuncEnc, ... Shortest NPC vector ★ Promising post-quantum candidate NP Problem

● Later de-quantized, but not as good P ○ Larger keys if via classical reduction ☹ This lattice problem is unlikely NP-Complete

14 Revisiting our goal via a quantum lens SAT ∉ BPP ?⇒ OWF SAT ∉ BQP ?⇒ OWF 1. Construct a function f by quantum algorithms

○ Applications exist [DMS00] H H ↗ ○ Expensive for honest users H ⊕ 2. Prove security of f by quantum algorithms OUR WORK

15 Quantum reductions ? Inverting f is as hard as quantumly solving SAT

● A: inverter of f (classical x or quantum) A x∊SAT? ? ● R: quantum SAT solver R ● Options for the quantum reduction algorithm ○ Quantum superposition queries vs. classical queries ○ Adaptive vs. Non-adaptive NB. Stronger Reductions ⇒ Stronger impossibility 16 We (kinda) rule out natural QRed’s Upon formally deﬁning various Q Reductions ...

. Our Main Theorem If SAT ⩽UQ OWP by uniform quantum-query reductions, then coNP ⊆ QIP(2).

〉〉〉  Quantum queries allowed ∑q|q |0 |wq ☹ Queries follow special format R A What about QIP(2)?  〉 -1 〉〉 ∑q|q |f (q) |wq Progress on approx uniform and OW functions too 17 Reduction to protocol: same old trick? ● A: inverter of f R A ● R: quantum SAT solver w/ 0 R1 acc/rej uniform Q queries to A ⇒

● QIP(2) for co-SAT: V V P ○ 2 quantum msgs P ↔ V R R 0 A 1 ● Dishonest P*? X ○ Twist the uniform query ○ Seems undetectable 18 “Trap” query to enforce honest prover

V V P

R0 A R1 X Computation path Trap path

V V ↗ P T T -1 0 A 0 ↗ ↗ Dishonest P ⇒ not all 0

19 A QIP(2) protocol for co-SAT ● V chooses to run Comp/Trap path at random x

|Q〉 or |T〉 at random P V acc/rej

● Completeness: clear ● Soundness: P cannot tell and has to behave

20 The curious case of QIP(2) ● QIP(1) = QMA ⊇ NP ○ Common belief: coNP ⊈ QMA QIP(3) = IP = PSPACE ● QAM = QIP(2) w/ 1st msg classical $ ○ Common belief: coNP ⊈ QAM QIP(2)

● QIP(3) = PSPACE ⊇ coNP QAM ? AM coAM QMA ★ Where does QIP(2) belong? NP coNP P 21 ? If P ≠ NP ⇒ Then Crypto

☹ seems unlikely even with quantum reductions

● Strengthening the negative evidence ○ General reductions, QIP(2) → QAM? ● Revist crypto landscape via quantum reductions ○ Making [OWF ⇒ Collision resistant hash] possible? Thank you!