
Cryptography from NP-Hardness: can quantum computing help? Fang Song CSE @ TAMU Joint work with Nai-Hui Chia, UT Austin arXiv:1804.10309 Sean Hallgren, Penn State P = NP ?● P = {L: poly-time computable} ● NP = {L: poly-time verifiable} ● NP-Complete = {L: “hardest” in NP} NPC Satisfiability NP Shortest vector Problem Graph isomorphism P Sorting (Unfortunate) reality: unlikely to solve NPC in P 2 Cryptography: where to find? Cryptopia Program obfuscation ... Cryptomania Public-key encryption … Symmetric-key encryption, Minicrypt digital signature, ... (Unfortunate) reality: don’t exist unconditionally 3 If P ≠ NP Then Crypto Cryptopia NP ? Cryptomania P ⇒ Minicrypt 4 Basing crypto on NP-hardness ? If P ≠ NP ⇒ Then Crypto ☹ seems unlikely [Bra79,FF93,BT06,AGGM06,BB15...] … in the classical computing regime so far Our work: quantum computing might not help 5 This Talk 1 Negative evidence in the classical world 2 Our work: neg. evidence in the quantum world 6 Making the goal concrete BPP={L: computable in probabilistic poly-time} ? ∉ ⟺ Minicrypt SAT BPP ⇒ OWF One-Way Function f ● Easy to compute (poly-time) ● Hard to invert on average X Y ○ Given: y = f(x), x ←X random �� X=Y={0,1}n ○ Find: x’ s.t. f(x’)=y. 7 Making sense of the goal SAT ∉ BPP ?⇒ OWF 1. Construct a function f 2. Prove security of f Inverting f is as hard as solving SAT on average worst-case x ● Given A: inverter of f ● Concoct R: efficient SAT solver A R Reduction: SAT ⩽ OWF x∊SAT? 8 Collapse of the wish ● If SAT ⩽ OWPermutation, then coNP ⊆ AM. [Bra79] ● If SAT ⩽ OWF, then coNP ⊆ AM. ○ Non-adaptive reductions R [AGGM05] ○ f preimage verifiable [BB15] AM coAM ➔ PH collapses to 2nd level: NP coNP widely believed unlikely P PH: polynomial hierarchy 9 Arthur-Merlin interactive proofs ● L∊AM, if ∃ <P,V> ○ (Completeness) if x∊ L, V acc w.p. >⅔. ○ (Soundness) if x∉ L, ∀ (dishonest) P*, V acc w.p < ⅓. x satisfiable? r: random $ P a: proof V acc/rej Prover: unbounded Verifier: (randomized) poly-time ● NP⊆AM: prover ignores r and sends a witness 10 How come the negative evidence? Theorem[Bra79] If SAT ⩽ OWP, then coNP ⊆ AM.● Idea: prover can act as an inverter AM protocol for co-SAT x x y A i r={y } V ←Y P i -1 x =f (y ) a={x } R R (x , y ) R i i A i 0 i i ¬R0(xi , yi) Enforce honest P: V checks f(xi)=yi 11 This Talk 1 Negative evidence in the classical world 2 Our work: neg. evidence in the quantum world 12 What quantum brings us NPC ● BQP = {L: poly-time computable NP on a quantum computer} BQP ● Many cryptosystems at risk … P factoring Quantum cryptography can be helpful ○ Quantum Key Distribution (strong security) 13 A highly hopeful message Quantum reduction from worst-case lattice problems to crypto [Regev05] ★ Enables cryptopia: FHE, FuncEnc, ... Shortest NPC vector ★ Promising post-quantum candidate NP Problem ● Later de-quantized, but not as good P ○ Larger keys if via classical reduction ☹ This lattice problem is unlikely NP-Complete 14 Revisiting our goal via a quantum lens SAT ∉ BPP ?⇒ OWF SAT ∉ BQP ?⇒ OWF 1. Construct a function f by quantum algorithms ○ Applications exist [DMS00] H H ↗ ○ Expensive for honest users H ⊕ 2. Prove security of f by quantum algorithms OUR WORK 15 Quantum reductions ? Inverting f is as hard as quantumly solving SAT ● A: inverter of f (classical x or quantum) A x∊SAT? ? ● R: quantum SAT solver R ● Options for the quantum reduction algorithm ○ Quantum superposition queries vs. classical queries ○ Adaptive vs. Non-adaptive NB. Stronger Reductions ⇒ Stronger impossibility 16 We (kinda) rule out natural QRed’s Upon formally defining various Q Reductions ... Our Main Theorem If SAT ⩽UQ OWP by uniform quantum-query reductions, then coNP ⊆ QIP(2). 〉 〉 〉 Quantum queries allowed ∑q|q |0 |wq ☹ Queries follow special format R A What about QIP(2)? 〉 -1 〉 〉 ∑q|q |f (q) |wq Progress on approx uniform and OW functions too 17 Reduction to protocol: same old trick? ● A: inverter of f R A ● R: quantum SAT solver w/ 0 R1 acc/rej uniform Q queries to A ⇒ ● QIP(2) for co-SAT: V V P ○ 2 quantum msgs P ↔ V R R 0 A 1 ● Dishonest P*? X ○ Twist the uniform query ○ Seems undetectable 18 “Trap” query to enforce honest prover V V P R0 A R1 X Computation path Trap path V V ↗ P T T -1 0 A 0 ↗ ↗ Dishonest P ⇒ not all 0 19 A QIP(2) protocol for co-SAT ● V chooses to run Comp/Trap path at random x |Q〉 or |T〉 at random P V acc/rej ● Completeness: clear ● Soundness: P cannot tell and has to behave 20 The curious case of QIP(2) ● QIP(1) = QMA ⊇ NP ○ Common belief: coNP ⊈ QMA QIP(3) = IP = PSPACE ● QAM = QIP(2) w/ 1st msg classical $ ○ Common belief: coNP ⊈ QAM QIP(2) ● QIP(3) = PSPACE ⊇ coNP QAM ? AM coAM QMA ★ Where does QIP(2) belong? NP coNP P 21 ? If P ≠ NP ⇒ Then Crypto ☹ seems unlikely even with quantum reductions ● Strengthening the negative evidence ○ General reductions, QIP(2) → QAM? ● Revist crypto landscape via quantum reductions ○ Making [OWF ⇒ Collision resistant hash] possible? Thank you! 22.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages22 Page
-
File Size-