Cryptography from NP-Hardness: can quantum computing help? Fang Song CSE @ TAMU Joint work with Nai-Hui Chia, UT Austin arXiv:1804.10309 Sean Hallgren, Penn State P = NP ?● P = {L: poly-time computable} ● NP = {L: poly-time verifiable} ● NP-Complete = {L: “hardest” in NP} NPC Satisfiability NP Shortest vector Problem Graph isomorphism P Sorting
(Unfortunate) reality: unlikely to solve NPC in P
2 Cryptography: where to find?
Cryptopia Program obfuscation ... Cryptomania Public-key encryption … Symmetric-key encryption, Minicrypt digital signature, ...
(Unfortunate) reality: don’t exist unconditionally
3 If P ≠ NP Then Crypto Cryptopia NP ? Cryptomania P ⇒ Minicrypt
4 Basing crypto on NP-hardness ? If P ≠ NP ⇒ Then Crypto
☹ seems unlikely [Bra79,FF93,BT06,AGGM06,BB15...] … in the classical computing regime so far
Our work: quantum computing might not help
5 This Talk
1 Negative evidence in the classical world
2 Our work: neg. evidence in the quantum world
6 Making the goal concrete BPP={L: computable in probabilistic poly-time}
? Minicrypt SAT ∉ BPP ⇒ OWF ⟺ One-Way Function f ● Easy to compute (poly-time) ● Hard to invert on average X Y ○ Given: y = f(x), x ←X random �� X=Y={0,1}n ○ Find: x’ s.t. f(x’)=y.
7 Making sense of the goal SAT ∉ BPP ?⇒ OWF 1. Construct a function f 2. Prove security of f Inverting f is as hard as solving SAT on average worst-case x ● Given A: inverter of f ● Concoct R: efficient SAT solver A R Reduction: SAT ⩽ OWF x∊SAT? 8 Collapse of the wish ● If SAT ⩽ OWPermutation, then coNP ⊆ AM. [Bra79] ● If SAT ⩽ OWF, then coNP ⊆ AM. ○ Non-adaptive reductions R [AGGM05] ○ f preimage verifiable [BB15] AM coAM ➔ PH collapses to 2nd level: NP coNP widely believed unlikely P PH: polynomial hierarchy
9 Arthur-Merlin interactive proofs ● L∊AM, if ∃
○ (Completeness) if x∊ L, V acc w.p. >⅔. ○ (Soundness) if x∉ L, ∀ (dishonest) P*, V acc w.p < ⅓. x satisfiable? r: random $ P a: proof V acc/rej Prover: unbounded Verifier: (randomized) poly-time ● NP⊆AM: prover ignores r and sends a witness
10 How come the negative evidence? Theorem[Bra79] If SAT ⩽ OWP, then coNP ⊆
AM.● Idea: prover can act as an inverter
AM protocol for co-SAT x x y A i r={y } V ←Y P i -1 x =f (y ) a={x } R R (x , y ) R i i A i 0 i i ¬R0(xi , yi)
Enforce honest P: V checks f(xi)=yi 11 This Talk
1 Negative evidence in the classical world
2 Our work: neg. evidence in the quantum world
12 What quantum brings us NPC ● BQP = {L: poly-time computable NP on a quantum computer} BQP ● Many cryptosystems at risk … P factoring Quantum cryptography can be helpful ○ Quantum Key Distribution (strong security)
13 A highly hopeful message Quantum reduction from worst-case lattice problems to crypto [Regev05] ★ Enables cryptopia: FHE, FuncEnc, ... Shortest NPC vector ★ Promising post-quantum candidate NP Problem
● Later de-quantized, but not as good P ○ Larger keys if via classical reduction ☹ This lattice problem is unlikely NP-Complete
14 Revisiting our goal via a quantum lens SAT ∉ BPP ?⇒ OWF SAT ∉ BQP ?⇒ OWF 1. Construct a function f by quantum algorithms
○ Applications exist [DMS00] H H ↗ ○ Expensive for honest users H ⊕ 2. Prove security of f by quantum algorithms OUR WORK
15 Quantum reductions ? Inverting f is as hard as quantumly solving SAT
● A: inverter of f (classical x or quantum) A x∊SAT? ? ● R: quantum SAT solver R ● Options for the quantum reduction algorithm ○ Quantum superposition queries vs. classical queries ○ Adaptive vs. Non-adaptive NB. Stronger Reductions ⇒ Stronger impossibility 16 We (kinda) rule out natural QRed’s Upon formally defining various Q Reductions ...
. Our Main Theorem If SAT ⩽UQ OWP by uniform quantum-query reductions, then coNP ⊆ QIP(2).
〉 〉 〉 Quantum queries allowed ∑q|q |0 |wq ☹ Queries follow special format R A What about QIP(2)? 〉 -1 〉 〉 ∑q|q |f (q) |wq Progress on approx uniform and OW functions too 17 Reduction to protocol: same old trick? ● A: inverter of f R A ● R: quantum SAT solver w/ 0 R1 acc/rej uniform Q queries to A ⇒
● QIP(2) for co-SAT: V V P ○ 2 quantum msgs P ↔ V R R 0 A 1 ● Dishonest P*? X ○ Twist the uniform query ○ Seems undetectable 18 “Trap” query to enforce honest prover
V V P
R0 A R1 X Computation path Trap path
V V ↗ P T T -1 0 A 0 ↗ ↗ Dishonest P ⇒ not all 0
19 A QIP(2) protocol for co-SAT ● V chooses to run Comp/Trap path at random x
|Q〉 or |T〉 at random P V acc/rej
● Completeness: clear ● Soundness: P cannot tell and has to behave
20 The curious case of QIP(2) ● QIP(1) = QMA ⊇ NP ○ Common belief: coNP ⊈ QMA QIP(3) = IP = PSPACE ● QAM = QIP(2) w/ 1st msg classical $ ○ Common belief: coNP ⊈ QAM QIP(2)
● QIP(3) = PSPACE ⊇ coNP QAM ? AM coAM QMA ★ Where does QIP(2) belong? NP coNP P 21 ? If P ≠ NP ⇒ Then Crypto
☹ seems unlikely even with quantum reductions
● Strengthening the negative evidence ○ General reductions, QIP(2) → QAM? ● Revist crypto landscape via quantum reductions ○ Making [OWF ⇒ Collision resistant hash] possible? Thank you!
22