Cryptography from NP-Hardness

Cryptography from NP-Hardness

Cryptography from NP-Hardness: can quantum computing help? Fang Song CSE @ TAMU Joint work with Nai-Hui Chia, UT Austin arXiv:1804.10309 Sean Hallgren, Penn State P = NP ?● P = {L: poly-time computable} ● NP = {L: poly-time verifiable} ● NP-Complete = {L: “hardest” in NP} NPC Satisfiability NP Shortest vector Problem Graph isomorphism P Sorting (Unfortunate) reality: unlikely to solve NPC in P 2 Cryptography: where to find? Cryptopia Program obfuscation ... Cryptomania Public-key encryption … Symmetric-key encryption, Minicrypt digital signature, ... (Unfortunate) reality: don’t exist unconditionally 3 If P ≠ NP Then Crypto Cryptopia NP ? Cryptomania P ⇒ Minicrypt 4 Basing crypto on NP-hardness ? If P ≠ NP ⇒ Then Crypto ☹ seems unlikely [Bra79,FF93,BT06,AGGM06,BB15...] … in the classical computing regime so far Our work: quantum computing might not help 5 This Talk 1 Negative evidence in the classical world 2 Our work: neg. evidence in the quantum world 6 Making the goal concrete BPP={L: computable in probabilistic poly-time} ? ∉ ⟺ Minicrypt SAT BPP ⇒ OWF One-Way Function f ● Easy to compute (poly-time) ● Hard to invert on average X Y ○ Given: y = f(x), x ←X random �� X=Y={0,1}n ○ Find: x’ s.t. f(x’)=y. 7 Making sense of the goal SAT ∉ BPP ?⇒ OWF 1. Construct a function f 2. Prove security of f Inverting f is as hard as solving SAT on average worst-case x ● Given A: inverter of f ● Concoct R: efficient SAT solver A R Reduction: SAT ⩽ OWF x∊SAT? 8 Collapse of the wish ● If SAT ⩽ OWPermutation, then coNP ⊆ AM. [Bra79] ● If SAT ⩽ OWF, then coNP ⊆ AM. ○ Non-adaptive reductions R [AGGM05] ○ f preimage verifiable [BB15] AM coAM ➔ PH collapses to 2nd level: NP coNP widely believed unlikely P PH: polynomial hierarchy 9 Arthur-Merlin interactive proofs ● L∊AM, if ∃ <P,V> ○ (Completeness) if x∊ L, V acc w.p. >⅔. ○ (Soundness) if x∉ L, ∀ (dishonest) P*, V acc w.p < ⅓. x satisfiable? r: random $ P a: proof V acc/rej Prover: unbounded Verifier: (randomized) poly-time ● NP⊆AM: prover ignores r and sends a witness 10 How come the negative evidence? Theorem[Bra79] If SAT ⩽ OWP, then coNP ⊆ AM.● Idea: prover can act as an inverter AM protocol for co-SAT x x y A i r={y } V ←Y P i -1 x =f (y ) a={x } R R (x , y ) R i i A i 0 i i ¬R0(xi , yi) Enforce honest P: V checks f(xi)=yi 11 This Talk 1 Negative evidence in the classical world 2 Our work: neg. evidence in the quantum world 12 What quantum brings us NPC ● BQP = {L: poly-time computable NP on a quantum computer} BQP ● Many cryptosystems at risk … P factoring Quantum cryptography can be helpful ○ Quantum Key Distribution (strong security) 13 A highly hopeful message Quantum reduction from worst-case lattice problems to crypto [Regev05] ★ Enables cryptopia: FHE, FuncEnc, ... Shortest NPC vector ★ Promising post-quantum candidate NP Problem ● Later de-quantized, but not as good P ○ Larger keys if via classical reduction ☹ This lattice problem is unlikely NP-Complete 14 Revisiting our goal via a quantum lens SAT ∉ BPP ?⇒ OWF SAT ∉ BQP ?⇒ OWF 1. Construct a function f by quantum algorithms ○ Applications exist [DMS00] H H ↗ ○ Expensive for honest users H ⊕ 2. Prove security of f by quantum algorithms OUR WORK 15 Quantum reductions ? Inverting f is as hard as quantumly solving SAT ● A: inverter of f (classical x or quantum) A x∊SAT? ? ● R: quantum SAT solver R ● Options for the quantum reduction algorithm ○ Quantum superposition queries vs. classical queries ○ Adaptive vs. Non-adaptive NB. Stronger Reductions ⇒ Stronger impossibility 16 We (kinda) rule out natural QRed’s Upon formally defining various Q Reductions ... Our Main Theorem If SAT ⩽UQ OWP by uniform quantum-query reductions, then coNP ⊆ QIP(2). 〉 〉 〉 Quantum queries allowed ∑q|q |0 |wq ☹ Queries follow special format R A What about QIP(2)? 〉 -1 〉 〉 ∑q|q |f (q) |wq Progress on approx uniform and OW functions too 17 Reduction to protocol: same old trick? ● A: inverter of f R A ● R: quantum SAT solver w/ 0 R1 acc/rej uniform Q queries to A ⇒ ● QIP(2) for co-SAT: V V P ○ 2 quantum msgs P ↔ V R R 0 A 1 ● Dishonest P*? X ○ Twist the uniform query ○ Seems undetectable 18 “Trap” query to enforce honest prover V V P R0 A R1 X Computation path Trap path V V ↗ P T T -1 0 A 0 ↗ ↗ Dishonest P ⇒ not all 0 19 A QIP(2) protocol for co-SAT ● V chooses to run Comp/Trap path at random x |Q〉 or |T〉 at random P V acc/rej ● Completeness: clear ● Soundness: P cannot tell and has to behave 20 The curious case of QIP(2) ● QIP(1) = QMA ⊇ NP ○ Common belief: coNP ⊈ QMA QIP(3) = IP = PSPACE ● QAM = QIP(2) w/ 1st msg classical $ ○ Common belief: coNP ⊈ QAM QIP(2) ● QIP(3) = PSPACE ⊇ coNP QAM ? AM coAM QMA ★ Where does QIP(2) belong? NP coNP P 21 ? If P ≠ NP ⇒ Then Crypto ☹ seems unlikely even with quantum reductions ● Strengthening the negative evidence ○ General reductions, QIP(2) → QAM? ● Revist crypto landscape via quantum reductions ○ Making [OWF ⇒ Collision resistant hash] possible? Thank you! 22.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    22 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us