Complexity and Cryptography
Haya Shulman
CGC Colloquium
Complexity Theory
• Determines complexity (power and limitations) of well-defined tasks
  – Defines resources required to solve computational problems
    • E.g. time, space, randomness, interaction
  – Classifies problems according to their difficulty
  – Defines relations between computational phenomena
Complexity Theory
• Provided a way of dividing computational world into complexity classes
• Evidence implying that these complexity classes are distinct
• Complexity Class is a fundamental notion of complexity theory
  – Practical: relationship between computational classes and real computational problems
Complexity Class
• A model of computation
  – Turing machine
• A resource or a set thereof
  – E.g. time, memory
• A complexity bound for each resource
• Complexity considers the worst case performance
• Lower bounds are stated asymptotically
  – Constant factors are irrelevant, and only the order of the lower bound is considered (linear, poly, exponential, …)
Turing Machine
Deterministic vs. Non-Deterministic Turing Machine
Turing Machine
• Was invented by Alan Turing in 1936
• Turing machine is an abstract model of computation
  – Embodies any computer program
  – Turing machine is composed of a "tape", head and the program, i.e. a list of transitions
Turing Machine vs. Computers
• If a computer can compute an algorithm then so can a Turing machine
• Can a computer compute an algorithm if a Turing machine can?
  – No computer is as powerful as a Turing machine
    • A computer is restricted while a Turing machine can do all that is theoretically possible given unlimited resources, e.g. time, memory
Deterministic Turing Machine
• Deterministic machines model real computations
• Transition function for a given state and symbol under the tape head, specifies:
  – The symbol to be written to the tape
  – The direction to move the head
  – The state of the finite control
• Given A on the tape in state 5, write B on the tape, move the head right, and switch to state 7
Non-Deterministic Turing Machine
• The state and tape symbol do not uniquely specify the computation
  – The machine "branches" into many copies, each follows one possible transition
  – If any branch of the tree halts with an accept condition, then the machine accepts the input
• Given A on the tape in state 5, write B on the tape, move the head right, and switch to state 7, or write A, move left and stay in state 5
Deterministic vs. Non-Deterministic Turing Machine
• NDTM has a computation tree, while a DTM has a single computation path
• Is NDTM more powerful than DTM?
  – Any language recognized by an NDTM can also be recognized by a DTM
• DTM simulates each branch of NDTM
  – Makes multiple copies of states when multiple transitions are possible
• How long to simulate? P vs. NP
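An added example, not part of the original slides: a deterministic simulation of an NDTM that walks the computation tree breadth-first and accepts as soon as any branch accepts. The sample machine, its state names and the `ndtm_accepts` helper are constructed for illustration.

```python
from collections import deque

BLANK = "_"

# Constructed sample NDTM: accepts binary strings that contain "11".
# In q0 on reading 1 there are two possible transitions (keep scanning, or
# guess that the pair starts here), so the computation is a tree.
DELTA = {
    ("q0", "0"): [("0", "R", "q0")],
    ("q0", "1"): [("1", "R", "q0"), ("1", "R", "q1")],
    ("q1", "1"): [("1", "R", "acc")],
}

def ndtm_accepts(delta, tape, start="q0", accept="acc", max_depth=1000):
    """Simulate an NDTM deterministically: breadth-first over configurations.
    Returns (accepted, number_of_configurations_explored)."""
    first = (start, 0, tuple(tape) or (BLANK,))
    frontier, seen, explored = deque([(first, 0)]), {first}, 0
    while frontier:
        (state, head, cells), depth = frontier.popleft()
        explored += 1
        if state == accept:              # any accepting branch accepts the input
            return True, explored
        if depth == max_depth:
            continue
        for write, move, nxt in delta.get((state, cells[head]), ()):
            new = list(cells)
            new[head] = write
            pos = head + (1 if move == "R" else -1)
            if pos < 0:                  # grow the tape to the left
                new.insert(0, BLANK)
                pos = 0
            elif pos == len(new):        # grow the tape to the right
                new.append(BLANK)
            cfg = (nxt, pos, tuple(new))
            if cfg not in seen:          # one copy per distinct configuration
                seen.add(cfg)
                frontier.append((cfg, depth + 1))
    return False, explored

if __name__ == "__main__":
    for word in ("0110", "0101", "1" * 8 + "0"):
        print(word, ndtm_accepts(DELTA, word))
```

The second return value is the number of configurations the deterministic simulator had to visit, which is the cost the "How long to simulate?" question is about.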
P vs. NP
P: Deterministic Polynomial Time
NP: Non-Deterministic Polynomial Time
P vs. NP
• Is finding solutions to problems harder than verifying their correctness?
• P represents
  – Efficiently solvable tasks
  – Sets of assertions that can be efficiently verified from scratch
• NP represents
  – Tasks for which solutions can be efficiently checked
  – Sets of assertions that can be efficiently verified with the help of adequate proofs
P vs. NP
• Complexity theory is concerned with manipulation of information
  – A solution to a computational problem is a different representation of the information
    • A representation in which the answer is explicit rather than implicit
  – The problem contains all necessary information
    • Process the information in order to supply the answer
    • E.g. the answer to “is a given Boolean formula satisfiable” is implicit in the formula itself and the task is to make the answer explicit
Complexity Classes
P, NP, NPC
Definitions
• A language is a set of strings
  – E.g. Primes = {2, 3, 5, 7, 11, 13, 17, 19, …}
• Decision problem:
  – Given some string determine if it is in the set
  – Given i, is i ∈ Primes?
• Primes ∈ P
P Complexity Class
• The class of all languages that can be recognised by a deterministic polynomial time machine
• A language L is in P if there exists a TM M and a polynomial p(), s.t.
  – M(x) halts in at most p(|x|) steps
  – M(x)=1 iff x in L
P Associated with Efficient Computation
• Showing that a problem is not in P implies that solution by a DTM is impossible
• Reductions: given efficient f() and p(), h = f•p is efficient
• Poly time is a boundary between feasible and infeasible
  – Given a polynomial algorithm apply mathematical and algorithmic techniques to improve
• All models of sequential computation yield the same class P
  – The notions of polynomial time for all models of sequential computation yield the same class
  – The class P captures the true notion of the problems that are computable in polynomial time by sequential machines
NP Complexity Class
• L ∈ NP if ∃ L’ ∈ P and p(∙), s.t. for every x, x ∈ L iff ∃ w, s.t. |w| ≤ p(|x|) and (x, w) ∈ L’
  – Definition by means of DTM, which verifies correctness of solutions
  – When x ∈ L, w is the positive solution to the problem represented by x, or a proof that x ∈ L
• Class of problems, s.t.
  – DTM: Given solution, test for validity efficiently
  – NDTM: Guess a solution and test for validity
    • NDTM has infinitely many parallel processors
NP Complexity Class
• L is set of composite numbers
  – DTM:
    • Given the proof, verify its correctness
    • Given proof that x is composite, i.e. x_1 ≥ 2 and x_2 ≥ 2, check if x_1 · x_2 = x
  – NDTM:
    • Try all possible solutions at once, and identify the solution in polynomial time
    • On input x the machine branches to write down guesses for x_1 and x_2
      – Then deterministically multiplies to test if x_1 · x_2 = x
    • There exists an accepting computation path iff x is composite
Complexity
• Failed to establish lower bounds on resources
• Showed that many problems are computationally equivalent
  – All of them have efficient algorithms or all of them do not
  – E.g. failed to determine complexity of finding satisfying assignment of boolean formula (SAT) or 3COL
  – In contrast, established that these problems are computationally equivalent
NP Complete Complexity Class
• Identifies a set of problems that are as hard as NP
• If any of those problems is easy to solve, then so are all problems in NP
• Demonstrating NP-Completeness of a task is a central tool in indicating hardness of problems
• Showing that a problem is NPC provides evidence to its intractability
NP Complete Complexity Class
• A problem is NP Complete if
  – It is in NP
  – Every NP problem is reduced to it in polynomial time
• L ∈ NPC if
  – L ∈ NP
  – For every L’ ∈ NP, L’ ≤_P L
Reducibility
• Language L_1 is polynomial-time reducible to language L_2
  – L_1 ≤_P L_2
• If there exists a polynomial-time computable function f: {0, 1}* → {0, 1}* such that for all x ∈ {0, 1}*, x ∈ L_1 iff f(x) ∈ L_2
• Significance:
  – If L_2 ∈ P and L_1 ≤_P L_2, then L_1 ∈ P also
Reduction
• Cook’s theorem:
  – Every decision problem in the class NP reduces to the Boolean satisfiability problem SAT
SAT
• The first decision problem proved to be NP-complete
• Boolean satisfiability problem (SAT) is a decision problem
  – Its instance is a Boolean expression with only AND, OR, NOT, variables, and parentheses
  – Is there some assignment of TRUE and FALSE values to the variables that will make the entire expression true
• Any problem that can be reduced to SAT in polynomial time is in NPC
∧_{i=1}^{n} C_i, s.t. C_i = ∨_{j=1}^{m} x_j
SAT
• Non-Deterministic algorithm:
  – Guess an assignment of the variables
  – Check if this is a satisfying assignment
• Deterministic algorithm
  – Given an assignment, check if satisfying
• Time for n variables:
  – Guess an assignment of the variables O(n)
  – Check if this is a satisfying assignment O(n)
  – Total time: O(n)
The satisfiability problem is an NP Complete Problem
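An added example, not from the original slides, covering both the composite-numbers certificate and the SAT guess-and-check algorithm: the deterministic check of a given certificate is cheap, while replacing the non-deterministic guess by enumeration costs up to 2^n checks. The CNF encoding (signed integers), the sample formulas and all function names are constructed for illustration.

```python
from itertools import product

def verify_sat(cnf, assignment):
    """Deterministic check of a guessed assignment, linear in formula size.
    Literal k means variable |k| (1-based); k < 0 means it is negated."""
    return all(any((lit > 0) == assignment[abs(lit) - 1] for lit in clause)
               for clause in cnf)

def search_sat(cnf, n):
    """Deterministic stand-in for the guess: enumerate all 2^n assignments.
    Returns (witness or None, assignments_tried)."""
    tried = 0
    for bits in product((False, True), repeat=n):
        tried += 1
        if verify_sat(cnf, bits):
            return bits, tried
    return None, tried

def verify_composite(x, x1, x2):
    """Certificate check from the composite-numbers slide: x1, x2 >= 2, x1*x2 = x."""
    return x1 >= 2 and x2 >= 2 and x1 * x2 == x

# Constructed instance: (x1 v x2 v ~x3) ^ (~x1 v ~x2) ^ (x2 v x3)
CNF = [[1, 2, -3], [-1, -2], [2, 3]]

def unsat_chain(n):
    """Constructed unsatisfiable family: x1, x1->x2, ..., x(n-1)->xn, ~xn."""
    return [[1]] + [[-i, i + 1] for i in range(1, n)] + [[-n]]

if __name__ == "__main__":
    print(verify_sat(CNF, (False, True, False)))   # one check of one certificate
    print(search_sat(CNF, 3))                      # witness found by enumeration
    for n in (8, 12, 16):                          # no witness: all 2^n tried
        print(n, search_sat(unsat_chain(n), n)[1])
    print(verify_composite(91, 7, 13))
```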
Theorem: NP-Completeness
• If any NP-complete problem is polynomial-time solvable, then P = NP!
  – If L ∈ NPC and we can find a DTM accepting L in polynomial time (so that L ∈ P), then P = NP
  – All the problems in NP would have polynomial deterministic solutions!
• Equivalently, if any problem in NP is not polynomial-time solvable, then no NP-complete problem is polynomial-time solvable
  – If we prove that we cannot solve an NP-Complete problem in Deterministic Polynomial Time, then we know: P ≠ NP
Proof: NP-Completeness
• Let L ∈ P and L ∈ NPC
  – For any L′ ∈ NP, L′ ≤_P L
    • By definition of NP-completeness
  – Therefore, L′ ∈ P
P, NP, NPC Complexity Hierarchy
[Diagram: classes P (with Primes), NP and NPC (with SAT)]
Cryptography and Complexity
Basing cryptography on complexity theoretic assumptions
Randomness
Interaction
Cryptography and Complexity
Complexity Theory
• Study the resources required to solve computational tasks
  – time, space (memory)
• Understanding relations between complexity phenomena
• Provides new perspective on various concepts
Cryptography
• Specify security requirements of systems
• Use the computational infeasibility of problems to obtain security
• Almost any cryptographic task requires using this idea
These disciplines are connected!
Cryptography
• Study of systems that are easy to use, but hard to abuse
• Crypto systems involve
  – Secrets
  – Randomness
  – Interaction
  – Complexity gap
    • Between proper usage by legitimate parties and infeasibility of causing systems to deviate from prescribed functionality
Cryptography is Based on Complexity Theoretic Assumptions
• Transformations of simple primitives, e.g. One Way Functions, into complex constructions, e.g. encryption schemes
• Intractability of NPC problems is based on hardest instances
  – But, some problems are easy on average
• Breaking crypto-system must be hard for almost all instances and not just some of them
  – For cryptography, use average case complexity analysis
Randomness
Pseudo-Random Generators (PRG)
Randomness and Intractability
• Complexity defines objects as equivalent if they cannot be told apart by efficient observer
• Coin toss is random if it is infeasible to predict the outcome
• A distribution is random if it is infeasible to distinguish from uniform distribution
• Randomness is expandable
  – Random strings can be expanded into longer pseudo-random strings
Randomness and Intractability
• Pseudo-randomness refers to intractability
  – i.e. infeasibility of distinguishing pseudo-random strings from uniformly distributed strings
• The assumption of One Way Functions implies the existence of pseudo-random generators
  – Stretch short random seeds into long pseudo-random strings
• Existence of PRGs is equivalent to the existence of OWFs
Derandomisation
• Goal
  – Real random bits are difficult to obtain, use less randomness
• Idea
  – Replace random strings with pseudo-random
• Security?
  – Depends on the power of the distinguisher
    • For restricted distinguisher, probability to distinguish is ½
    • For an unbounded distinguisher, probability to distinguish is 1
Generating Computational Randomness
[Diagram: random seed → Pseudo-Random Generator → pseudo-random string]
Insecure against computationally unbounded distinguisher
Secure against computationally bounded distinguisher
Pseudo-Random Generator
[Diagram: random seed → PRG → pseudo-random string; the pseudo-random string and a truly random string appear indistinguishable to any Efficient Observer]
• PRG is a polynomial time deterministic function whose output is indistinguishable from random by any efficient distinguisher
PRG and P vs. NP
• Theorem:
  – If P=NP there are no PRGs
• Proof sketch:
  – Let G be a PRG and let D be a distinguisher, s.t. on input y it accepts iff there is an x s.t. G(x)=y
  – D ∈ NP: can guess x’ and check if G(x’)=y
  – Since P=NP, D is efficient
  – Accepts all strings except those output by G
  – G is not PRG
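An added example, not from the original slides, of the distinguisher D as defined in the proof sketch (accept y iff some seed x has G(x) = y), run by exhaustive search over a toy seed space and compared with a cheap bounded test. The generator (truncated SHA-256 as a stand-in, not a proven PRG), the 12-bit seed size and all names are assumptions made for illustration.

```python
import hashlib
import random

N = 12  # seed length in bits (constructed toy size; output is 2N = 24 bits)

def G(seed: int) -> int:
    """Toy generator stretching N bits to 2N bits (stand-in, not a proven PRG)."""
    digest = hashlib.sha256(seed.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:3], "big")

def D_unbounded(y: int) -> bool:
    """Accept iff some seed x has G(x) = y: costs up to 2^N evaluations of G."""
    return any(G(x) == y for x in range(2 ** N))

def D_bounded(y: int) -> bool:
    """A cheap constant-time test (lowest output bit) for comparison."""
    return bool(y & 1)

def advantage(D, trials=100):
    """Pr[D accepts G(seed)] - Pr[D accepts a uniform 2N-bit string], estimated."""
    rng = random.Random(0)  # fixed so the estimate is reproducible
    pseudo = sum(D(G(rng.randrange(2 ** N))) for _ in range(trials))
    truly = sum(D(rng.randrange(2 ** (2 * N))) for _ in range(trials))
    return (pseudo - truly) / trials

if __name__ == "__main__":
    # At most 2^N of the 2^(2N) strings are outputs of G, so a uniform string
    # is accepted by D_unbounded with probability at most 2^-N.
    print("unbounded distinguisher advantage:", advantage(D_unbounded))
    print("bounded distinguisher advantage:  ", advantage(D_bounded))
```

Doubling N squares the work of `D_unbounded` while G stays cheap, which is the gap the theorem says would vanish if P = NP.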
Information vs. Knowledge
Interactive Proofs
Zero Knowledge Proofs
Knowledge and Secrecy
• A result of hard computation
  – Not a knowledge if can be efficiently computed by anyone
• Zero Knowledge Interaction
  – Interactions in which no knowledge is gained
  – Assert correctness of data provided beforehand
  – Motivation for interaction is gaining knowledge
  – Showing a possession of a secret to other party without revealing the secret
• Knowledge is something one party has and the other does not and cannot feasibly obtain
  – “Knowledge is a secret”
What is a gain of knowledge?
• Defined with respect to computational ability
• Bob gains knowledge after interacting with Alice if:
  – After the interaction Bob can easily compute something that was infeasible for him before
Recall: The complexity class NP
• The languages in NP are those whose members all have short certificates of membership, which can be easily verified
• NP can be characterized as the set of languages for which an efficient procedure exists to check if a string belongs to that language
• Given a string x from a language L and a certificate w it is easy to check if x belongs to L
Proof Systems and NP
• We can view this as follows:
  – There is an unbounded prover
  – The prover has to convince the verifier that the input is indeed a member of the language
  – It sends the verifier a short (polynomial) certificate
  – The verifier is bounded
    • The verification of the certificate cannot take more than polynomial time
Interactive Proof System
• Interactive proofs is a generalisation of the concept of a proof system
• It is obtained by adding two more properties
  – Interaction between the parties (interaction adds power)
  – Letting the verifier toss coins (randomisation)
    • Why?
• An Interactive Proof System is a two-party game between a verifier and a prover that interact on a common input for a polynomial amount of time
• Eventually the verifier accepts (x ∈ L) or rejects the input otherwise
Properties of an Interactive Proof System
• Prover and verifier interact with each other
  – Two Turing machines, sharing a common tape
  – The unbounded prover has to convince the bounded (polynomial) verifier
• Correctness:
  – Soundness: I’ll not believe a false statement
    • For a false assertion no proof strategy exists
  – Completeness: I’ll believe all true statements
    • For a true assertion there is a convincing proof strategy
• Proofs are defined by their verification procedure
• Verification is typically simple, proving is typically hard
• IP = class of languages that have interactive proofs
Example: IP for SAT
• Check the membership of a given boolean formula:
=(x
y
z’)
(
x’
·
]·
• The prover must convince the verifier this formula is satisfiable
  – It sends an assignment, which supposedly satisfies the formula
    • x=0, y=1, z=0
  – It is not difficult for the prover to find such, if such exists; why?
    • The prover is unbounded
Example: IP for SAT
• The verifier checks the truth value of the formula under the assignment it received
• Finds out whether the prover was right
• This takes polynomial time
Zero Knowledge Proof System
• (P,V) is ZKIP, if
  – It is complete and sound
  – It is zero knowledge
    • The verifier does not learn anything except the truth of the statement
• For every verifier interacting with a prover, there is a simulator
• This simulator does not have access to the interactive prover
  – Yet, it can simulate the interaction between P and V
  – Hence, V did not gain any knowledge from P
    • Since the same output could have been generated without any access to P
Questions?
Thank you.