View
227
Download
2
Embed Size (px)
Complexity and Cryptography
Haya ShulmanCGC Colloquium
Complexity Theory
• Determines complexity (power and limitations) of well defined tasks– Defines resources required to solve
computational problems• E.g. time, space, randomness, interaction
– Classifies problems according to their difficulty
– Defines relations between computational phenomena
Complexity Theory
• Provided a way of dividing computational world into complexity classes
• Evidence implying that these complexity classes are distinct
• Complexity Class is a fundamental notion of complexity theory – Practical: relationship between
computational classes and real computational problems
Complexity Class
• A model of computation– Turing machine
• A resource or a set thereof– E.g. time, memory
• A complexity bound for each resource• Complexity considers the worst case
performance• Lower bounds are stated asymptotically
– Constant factors are irrelevant, and only the order of the lower bound is considered (linear, poly, exponential,…)
Turing Machine
Deterministic vs. Non-Deterministic Turing
Machine
Turing Machine
• Was invented by Alan Turing in 1936• Turing machine is an abstract model
of computation– Embodies any computer program– Turing machine is composed of a
"tape“, head and the program, i.e. a list of transitions
Turing Machine vs. Computers
• If a computer can compute an algorithm then so can a Turing machine
• Can a computer compute an algorithm if a Turing machine can?– No computer is as powerful as a Turing
machine• A computer is restricted while a Turing
machine can do all that is theoretically possible given unlimited resources, e.g. time, memory
Deterministic Turing Machine
• Deterministic machines model real computations
• Transition function for a given state and symbol under the tape head, specifies: – The symbol to be written to the tape– The direction to move the head– The state of the finite control
• Given A on the tape in state 5, write B on the tape move the head right, and switch to state 7
Non-Deterministic Turing Machine
• The state and tape symbol do not uniquely specify the computation– The machine "branches" into many copies,
each follows one possible transition– If any branch of the tree halts with an accept
condition, then the machine accepts the input
• Given A on the tape in state 5, write B on the tape move the head right, and switch to state 7 or write A, move left and stay in state 5
Deterministic vs. Non-Deterministic Turing Machine
• NDTM has a computation tree, while a DTM has a single computation path
• Is NDTM more powerful than DTM?– Any language recognized by an NDTM can
also be recognized by a DTM• DTM simulates each branch of NDTM
– Makes multiple copies of states when multiple transitions are possible
• How long to simulate? P vs. NP
NPP
DeterministicPolynomial Time
Non-DeterministicPolynomial Time
P vs. NP
P vs. NP
• Is finding solutions to problems harder than verifying their correctness?
• P represents – Efficiently solvable tasks– Sets of assertions that can be efficiently verified
from scratch
• NP represents – Tasks for which solutions can be efficiently
checked– Sets of assertions that can be efficiently verified
with the help of adequate proofs
P vs. NP
• Complexity theory is concerned with manipulation of information– A solution to a computational problem is a
different representation of the information• A representation in which the answer is explicit
rather than implicit
– The problem contains all necessary information• Process the information in order to supply the
answer• E.g. the answer to “is a given Boolean formula
satisfiable” is implicit in the formula itself and the task is to make the answer explicit
Complexity Classes
P, NP, NPC
Definitions
• A language is a set of strings– E.g. Primes={2,3,5,7,11,13,17,19…}
• Decision problem:– Given some string determine if it is in
the set– Given i, is i Primes?
• Primes P
P Complexity Class
• The class of all languages that can be recognised by a deterministic polynomial time machine
• A language L is in P if there exists a TM M and a polynomial p(), s.t.– M(x) halts in at most p(|x|) steps– M(x)=1 iff x in L
P Associated with Efficient Computation
• Showing that a problem not in P, implies that solution by a DTM is impossible
• Reductions: given efficient f() and p(), h=f•p efficient
• Poly time is a boundary between feasible and infeasible– Given a polynomial algorithm apply mathematical and
algorithmic techniques to improve• All models of sequential computation yield the
same class P– The notions of polynomial time for all models of
sequential computation yeild the same class– The class P captures the true notion of the problems
that are computable in polynomial time by sequential machines
NP Complexity Class
• LNP if L’ P and p(∙), s.t. for every x, x L iff w, s.t. |w|≤p(|x|) and (x,w) L’– Definition by means of DTM, which verifies
correctness of solutions– When x L, w is the positive solution to the
problem represented by x, or a proof that x L
• Class of problems, s.t. – DTM: Given solution, test for validity efficiently– NDTM: Guess a solution and test for validity
• NDTM has infinitely many parallel processors
NP Complexity Class
• L is set of composite numbers– DTM:
• Given the proof, verify its correctness
• Given proof that x is composite, i.e. x1≥2 and x2 ≥ 2, check if x1x2=x
– NDTM: • Try all possible solutions at once, and identify the
solution in polynomial time• On input x the machine branches to write down guesses
for x1 and x2
– Then deterministically multiplies to test if x1x2=x
• There exists an accepting computation path iff x is composite
Complexity
• Failed to establish lower bounds on resources• Showed that many problems computationally
equivalent– All of them have efficient algorithms or all of them
do not– E.g. failed to determine complexity of finding
satisfying assignment of boolean formula (SAT) or 3COL
– In contrast, established that these problems are computationally equivalent
NP Complete Complexity Class
• Identifies a set of problems that are as hard as NP
• If Any of those problems is easy to solve, then so are all problems in NP
• Demonstrating NP-Completeness of a task is a central tool in indicating hardness of problems
• Showing that a problem is NPC provides evidence to its intractability
NP Complete Complexity Class
• A problem is NP Complete if– It is in NP– Every NP problem is reduced to it in
polynomial time
• L NPC if – L NP
– For every L’ NP, L’ ≤P L
Reducibility
• Language L1 is polynomial-time reducible to language L2
– L1 ≤P L2
• If there exists a polynomial-time computable function f: {0, 1}* → {0, 1}* such that for all x {0, 1}*
x L1 iff f(x) L2•Significance:
– If L2 P and L1 ≤P L2, then L1 P also
Reduction
• Cook’s theorem:– Every decision problem in the class NP
reduces to the Boolean satisfiability problem SAT
SAT
• The first decision problem proved to be NP-complete• Boolean satisfiability problem (SAT) is a decision
problem– Its instance is a Boolean expression with only AND, OR, NOT,
variables, and parentheses– Is there some assignment of TRUE and FALSE values to the
variables that will make the entire expression true
• Any problem that can be reduced to SAT in polynomial time is in NPC
j
m
jii
n
ixCC
11 s.t. ,
SAT
• Non-Deterministic algorithm:– Guess an assignment of the variables– Check if this is a satisfying assignment
• Deterministic algorithm– Given an assignment, check if satisfying
• Time for n variables: – Guess an assignment of the variables O(n)– Check if this is a satisfying assignment O(n)– Total time: O(n)
The satisfiability problem is an NP Complete Problem
Theorem: NP-Completeness
• If any NP-complete problem is polynomial-time solvable, then P = NP!– If L NPC and we can find a DTM accepting L in
polynomial time (so that L P ), then P = NP– All the problems in NP would have polynomial
deterministic solutions!
• Equivalently, if any problem in NP is not polynomial-time solvable, then no NP-complete problem is polynomial-time solvable– If we prove that we cannot solve an NP-Complete
problem in Deterministic Polynomial Time, then we know: P ≠ NP
Proof: NP-Completeness
• Let L P and L NPC– For any L′ NP, L′≤P L
• By definition of NP-completeness
– Therefore, L′ P
P, NP, NPC Complexity Hierarchy
P
Primes
NP
NPC
• SAT
Cryptography and Complexity
Basing cryptography on complexity
theoretic assumptionsRandomnessInteraction
Complexity Theory• Study the resources
required to solve computational tasks – time, space(memory)
• Understanding relations between complexity phenomena
• Provides new perspective on various concepts
Cryptography• Specify security
requirements of systems
• Use the computational infeasibility of problems to obtain security
• Almost any cryptographic task requires using this idea
These disciplines are connected!
Cryptography and Complexity
Cryptography
• Study of systems that are easy to use, but hard to abuse
• Crypto systems involve– Secrets– Randomness– Interaction – Complexity gap
• Between proper usage by legitimate parties and infeasibility of causing systems deviate from prescribed functionality
Cryptography is Based on Complexity Theoretic
Assumptions• Transformations of simple primitives, e.g.
One Way Functions into complex constructions, e.g. encryption schemes
• Intractability of NPC problems is based on hardest instances– But, some problems are easy on average
• Breaking crypto-system must be hard for almost all instances and not just some of them– For cryptography, use average case
complexity analysis
Randomness
Pseudo-Random Generators (PRG)
Randomness and Intractability
• Complexity defines objects as equivalent if they cannot be told apart by efficient observer
• Coin toss is random if it is infeasible to predict the outcome
• A distribution is random if it is infeasible to distinguish from uniform distribution
• Randomness is expandable– Random strings can be expanded into longer
pseudo random strings
Randomness and Intractability
• Pseudo-randomness refers to intractability– i.e. infeasibility of distinguishing pseudo-random
strings from uniformly distributed strings
• The assumption of One Way Functions implies the existence of pseudo-random generators– Stretch short random seeds into long pseudo-
random strings
• Existence of PRGs is equivalent to the existence of OWFs
Derandomisation
• Goal– Real random bits are difficult to obtain, use
less randomness• Idea
– Replace random strings with pseudo-random• Security?
– Depends on the power of the distinguisher• For restricted distinguisher, probability to
distinguish is ½• For an unbounded distinguisher, probability to
distinguish is 1
Generating Computational Randomness
Pseudo-Random Generator
random seed
Pseudo-random string
Insecure against computationally unbounded distinguisher
Secure against computationally bounded distinguisher
Pseudo-Random Generator
PRG
random seed
Pseudo-random string truly random string
Appear indistinguishableto any Efficient Observer
• PRG is a polynomial time deterministic function whose output is indistinguishable from random by any efficient distinguisher
PRG and P vs. NP
• Theorem:– If P=NP there are no PRGs
• Proof sketch:– Let G be a PRG and let D be a distinguisher,
s.t. on input y it accepts iff there is an x s.t. G(x)=y
– D NP - can guess x’ and check if G(x’)=y– Since P=NP, D is efficient– Accepts all strings except those output by G– G is not PRG
Information vs. Knowledge
Interactive Proofs Zero Knowledge Proofs
Knowledge and Secrecy• A result of hard computation
– Not a knowledge if can be efficiently computed by anyone
• Zero Knowledge Interaction– Interactions in which no knowledge is gained– Assert correctness of data provided beforehand– Motivation for interaction is gaining knowledge– Showing a possession of a secret to other party
without revealing the secret
• Knowledge is something one party has and the other does not and cannot feasibly obtain– “Knowledge is a secret”
What is a gain of knowledge?
• Defined with respect to computational ability
• Bob gains knowledge after interacting with Alice if:– After the interaction Bob can easily
compute something that was infeasible for him before
Recall: The complexity class NP
• The languages in NP are those whose members all have short certificates of membership, which can be easily verified
• NP can be characterized as the set of languages for which an efficient procedure exists to check if a string belongs to that language
• Given a string x from a language L and a certificate w it is easy to check if x belongs to L
Proof Systems and NP
• We can view this as follows:– There is an unbounded prover– The prover has to convince the
verifier that the input is indeed a member of the language
– It sends the verifier a short (polynomial) certificate
– The verifier is bounded•The verification of the certificate cannot
take more than polynomial time
Interactive Proof System• Interactive proofs is a generalisation of the
concept of a proof system• It is obtained by adding two more properties
– Interaction between the parties (interaction adds power)
– Letting the verifier toss coins (randomisation)• Why?
• An Interactive Proof System is a two-party game between a verifier and a prover that interact on a common input for a polynomial amount of time
• Eventually the verifier accepts (x L) or rejects the input otherwise
Properties of an Interactive Proof System
• Prover and verifier interact with each other– Two Turing machines, sharing a common tape– The unbounded prover has to convince the bounded
(polynomial) verifier• Correctness:
– Soundness - I’ll not believe a false statement• For a false assertion no proof strategy exists
– Completeness - I’ll believe all true statements• For a true assertion there is a convincing proof strategy
• Proofs are defined by their verification procedure
• Verification is typically simple - proving is typically hard
• IP = class of languages that have interactive proofs
Example: IP for SAT
• Check the membership of a given boolean formula: =(xyz’)(x’y’)z’
• The prover must convince the verifier this formula is satisfiable – It sends an assignment, which supposedly
satisfies the formula • x=0, y=1, z=0
– It is not difficult for the prover to find such, if such exists; why?• The prover is unbounded
Example: IP for SAT
• The verifier checks the truth value of the formula under the assignment it received
• Finds out whether the prover was right
• This takes polynomial time
Zero Knowledge Proof System
• (P,V) is ZKIP, if – It is complete and sound– It is zero knowledge
• The verifier does not learn anything except the truth of the statement
• For every verifier interacting with a prover, there is a simulator
• This simulator does not have access to the interactive prover– Yet, it can simulate the interaction between P and V– Hence, V did not gain any knowledge from P
• Since the same output could have been generated without any access to P
Questions?
Thank you.