# Complexity and Cryptography

Artificial Intelligence and Robotics

21 Nov 2013


Haya Shulman

CGC Colloquium

Complexity Theory

Determines the power and limitations of computation

Defines resources required to solve computational
problems

E.g. time, space, randomness, interaction

Classifies problems according to their difficulty

Defines relations between computational
phenomena

Complexity Theory

Provided a way of dividing the computational world
into complexity classes

Evidence implying that these complexity classes
are distinct

Complexity Class is a fundamental notion of
complexity theory

Practical: relationship between computational classes
and real computational problems

Complexity Class

A model of computation

Turing machine

A resource or a set thereof

E.g. time, memory

A complexity bound for each resource

Complexity considers the worst case performance

Lower bounds are stated asymptotically

Constant factors are irrelevant, and only the order of the
lower bound is considered (linear, poly, exponential,…)

Turing Machine

Deterministic vs. Non-Deterministic Turing Machine

Turing Machine

Was invented by Alan Turing in 1936

Turing machine is an abstract model of
computation

Embodies any computer program

A Turing machine is composed of a "tape", a head and
the program, i.e. a list of transitions

Turing Machine vs. Computers

If a computer can compute an algorithm then so
can a Turing machine

Can a computer compute an algorithm if a
Turing machine can?

No computer is as powerful as a Turing machine

A computer is restricted while a Turing machine can do
all that is theoretically possible given unlimited resources,
e.g. time, memory

Deterministic Turing Machine

Deterministic machines model real computations

Transition function for a given state and symbol

The symbol to be written to the tape

The direction to move the head

The state of the finite control

Given A on the tape in state 5: write B on the
tape, move the head right, and switch to state 7

Non-Deterministic Turing Machine

The state and tape symbol do not uniquely
specify the computation

The machine "branches" into many copies, each
follows one possible transition

If any branch of the tree halts with an accept
condition, then the machine accepts the input

Given A on the tape in state 5: either write B on the
tape, move the head right, and switch to state 7,
or write A, move left and stay in state 5

Deterministic vs. Non-Deterministic Turing Machine

NDTM has a computation tree, while a DTM has
a single computation path

Is NDTM more powerful than DTM?

Any language recognized by an NDTM can also be
recognized by a DTM

DTM simulates each branch of NDTM

Makes multiple copies of states when multiple
transitions are possible

How long does the simulation take? This is the P vs. NP question

P: Deterministic Polynomial Time

NP: Non-Deterministic Polynomial Time

P vs. NP

Is finding solutions to problems harder than verifying
their correctness?

P represents

Sets of assertions that can be efficiently verified from scratch

NP represents

Tasks for which solutions can be efficiently checked

Sets of assertions that can be efficiently verified with the help

P vs. NP

Complexity theory is concerned with manipulation
of information

A solution to a computational problem is a different
representation of the information

A representation in which the answer is explicit rather than
implicit

The problem contains all necessary information

Process the information in order to supply the answer

E.g. the answer to “is a given Boolean formula satisfiable” is
implicit in the formula itself and the task is to make the

Complexity Classes

P, NP, NPC

Definitions

A language is a set of strings

E.g. Primes = {2, 3, 5, 7, 11, 13, 17, 19, …}

Decision problem:

Given some string, determine if it is in the set

Given i, is i ∈ Primes?

Primes ∈ P

P Complexity Class

The class of all languages that can be recognised
by a deterministic polynomial time machine

A language L is in P if there exists a TM M and a
polynomial p(), s.t.

M(x) halts in at most p(|x|) steps

M(x) = 1 iff x ∈ L

P

Associated with Efficient Computation

Showing that a problem is not in P implies that no DTM
solves it in polynomial time

Reductions: given efficient f() and p(), h = f∘p is
efficient (a polynomial composed with a polynomial is
again a polynomial)

Poly time is a boundary between feasible and infeasible

Given a polynomial algorithm, apply mathematical and
algorithmic techniques to improve it

All models of sequential computation yield the same
class P

The notions of polynomial time for all models of sequential
computation yield the same class

The class P captures the true notion of the problems that are
computable in polynomial time by sequential machines

NP Complexity Class

L ∈ NP if ∃ L′ ∈ P and a polynomial p(), s.t. for every x,

x ∈ L iff ∃ w, s.t. |w| ≤ p(|x|) and (x, w) ∈ L′

Definition by means of a DTM, which verifies correctness of
solutions

When x ∈ L, w is the positive solution to the problem
represented by x, or a proof that x ∈ L

Class of problems, s.t.

DTM: Given a solution, test for validity efficiently

NDTM: Guess a solution and test for validity

Intuitively, an NDTM behaves as if it had unboundedly many
parallel processors, one per branch of the computation tree

NP Complexity Class

L is the set of composite numbers

DTM:

Given the proof, verify its correctness

Given a proof that x is composite, i.e. x₁ ≥ 2 and x₂ ≥ 2,
check if x₁·x₂ = x

NDTM:

Try all possible solutions at once, and identify the solution in
polynomial time

On input x the machine branches to write down guesses for
x₁ and x₂

Then deterministically multiplies to test if x₁·x₂ = x

There exists an accepting computation path iff x is composite
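
The composite-number example above, written out as code. This is an added illustration, not code from the slides: `verify_composite` is the polynomial-time DTM verifier for the certificate (x₁, x₂), and `simulate_ndtm` is the deterministic simulation that walks every branch of the NDTM's computation tree (one branch per guess of x₁). The function names are mine.

```python
import math


def verify_composite(x: int, witness: tuple) -> bool:
    """The DTM verifier for L = COMPOSITE.

    The certificate w = (x1, x2) claims x = x1 * x2 with both factors >= 2.
    One multiplication and two comparisons: polynomial in the bit length of x.
    """
    x1, x2 = witness
    return x1 >= 2 and x2 >= 2 and x1 * x2 == x


def simulate_ndtm(x: int):
    """A DTM simulating the NDTM branch by branch.

    Each branch corresponds to one guess of x1 (x2 is then forced to x // x1).
    The machine accepts iff some branch makes the verifier accept; the number of
    branches is about sqrt(x) = 2^(|x|/2), exponential in the input length |x|.
    """
    for x1 in range(2, math.isqrt(x) + 1):   # one branch per guess of x1
        x2 = x // x1
        if verify_composite(x, (x1, x2)):    # the branch's deterministic check
            return (x1, x2)                  # an accepting computation path
    return None                              # no branch accepts: x is prime (or < 4)


def branch_count(x: int) -> int:
    """Number of branches the simulation above explores in the worst case."""
    return max(0, math.isqrt(x) - 1)


if __name__ == "__main__":
    print(verify_composite(91, (7, 13)), simulate_ndtm(91), simulate_ndtm(97))
    # Verification stays cheap even when search is hopeless: with the two
    # Mersenne primes 2^61-1 and 2^89-1 as the witness, the check is instant,
    # while the simulation would have to explore roughly 2^75 branches.
    big = (2**61 - 1) * (2**89 - 1)
    print(verify_composite(big, (2**61 - 1, 2**89 - 1)), branch_count(big).bit_length())
```

The asymmetry the last lines show, cheap verification given the witness versus an exponential search without it, is the gap the second half of the talk builds cryptography on.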

Complexity

Failed to establish lower bounds on resources

Showed that many problems are computationally
equivalent

Either all of them have efficient algorithms or none of
them does

E.g. failed to determine the complexity of finding a satisfying
assignment of a boolean formula (SAT) or a 3-colouring of a graph (3COL)

In contrast, established that these problems are
computationally equivalent

NP Complete Complexity Class

Identifies a set of problems that are as hard as any problem in NP

If any of those problems is easy to solve, then so
are all problems in NP

Demonstrating NP-Completeness of a task is a
central tool in indicating hardness of problems

Showing that a problem is NPC provides
evidence of its intractability

NP Complete Complexity Class

A problem is NP Complete if

It is in NP

Every NP problem is reduced to it in polynomial
time

L ∈ NPC if

L ∈ NP

For every L′ ∈ NP, L′ ≤_P L

Reducibility

Language L₁ is polynomial-time reducible to language L₂ (L₁ ≤_P L₂)

If there exists a polynomial-time computable
function f: {0, 1}* → {0, 1}* such that for all x ∈ {0, 1}*,

x ∈ L₁ iff f(x) ∈ L₂

Significance:

If L₂ ∈ P and L₁ ≤_P L₂, then L₁ ∈ P also

Reduction

Cook's theorem:

Every decision problem in the class NP reduces to
the Boolean satisfiability problem SAT

SAT

The first decision problem proved to be NP-complete

Boolean satisfiability problem (SAT) is a decision problem

Its instance is a Boolean expression with only AND, OR, NOT, variables,
and parentheses

Is there some assignment of TRUE and FALSE values to the variables that
will make the entire expression true?

Any problem in NP to which SAT can be reduced in polynomial time is in
NPC (reducing a problem to SAT in the other direction only shows that it is
no harder than SAT, i.e. that it is in NP)

Formally, for a formula in conjunctive normal form over the variables x:

$$\varphi \in \mathrm{SAT} \iff \exists x \ \text{s.t.}\ \bigwedge_{i=1}^{n} C_i(x) = 1, \qquad C_i = \bigvee_{j=1}^{m} \ell_{i,j}$$

where each literal $\ell_{i,j}$ is a variable of x or its negation

Non-Deterministic algorithm:

Guess an assignment of the variables

Check if this is a satisfying assignment

Deterministic algorithm

Given an assignment, check if it is satisfying

Time for n variables and a formula of length |φ|:

Guess an assignment of the variables: O(n)

Check if this is a satisfying assignment: O(|φ|), one pass over the formula

Total time: O(n + |φ|), i.e. linear in the input
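
An added worked example (mine, not from the slides) that ties the reducibility definition to the SAT guess-and-check algorithm: a polynomial-time reduction from 3COL to SAT, the linear-time SAT verifier, and the exhaustive "guess" simulated deterministically on both sides, so that the defining property x ∈ L₁ iff f(x) ∈ L₂ can be checked on small graphs. The variable encoding (one Boolean x_{v,c} per vertex and colour) and the two sample graphs are my own constructions.

```python
import itertools

# Constructed instances (assumption): a 4-cycle with the chord (0, 2), which is
# 3-colourable, and the complete graph K4, which is not.
GRAPH_3COL = (4, [(0, 1), (1, 2), (2, 3), (3, 0), (0, 2)])
GRAPH_K4 = (4, [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3)])


def var(v: int, c: int) -> int:
    """DIMACS-style variable number (1-based) for 'vertex v has colour c'."""
    return 3 * v + c + 1


def three_col_to_sat(n: int, edges):
    """The reduction f: a graph on n vertices becomes a CNF with 3n variables.

    Clauses are lists of literals; a negative literal is the negated variable.
    The formula has O(n + |E|) clauses, so f is computable in polynomial time.
    """
    cnf = []
    for v in range(n):
        cnf.append([var(v, 0), var(v, 1), var(v, 2)])            # at least one colour
        for c1, c2 in itertools.combinations(range(3), 2):
            cnf.append([-var(v, c1), -var(v, c2)])               # at most one colour
    for u, w in edges:
        for c in range(3):
            cnf.append([-var(u, c), -var(w, c)])                 # endpoints differ
    return 3 * n, cnf


def check_assignment(cnf, assignment: dict) -> bool:
    """The deterministic verifier: one pass over the formula, O(|phi|)."""
    return all(any(assignment[abs(lit)] == (lit > 0) for lit in clause)
               for clause in cnf)


def brute_force_sat(n_vars: int, cnf):
    """The NDTM's 'guess' simulated deterministically: try all 2^n assignments."""
    for bits in itertools.product((False, True), repeat=n_vars):
        assignment = dict(enumerate(bits, start=1))
        if check_assignment(cnf, assignment):
            return assignment
    return None


def brute_force_3col(n: int, edges):
    """Direct exhaustive search for a proper 3-colouring (3^n branches)."""
    for colours in itertools.product(range(3), repeat=n):
        if all(colours[u] != colours[w] for u, w in edges):
            return list(colours)
    return None


def colouring_from_assignment(n: int, assignment: dict):
    """Map a satisfying assignment of f(G) back to a colouring of G."""
    return [next(c for c in range(3) if assignment[var(v, c)]) for v in range(n)]


def reduction_agrees(n: int, edges) -> bool:
    """Check the defining property of a reduction on one instance:
    G in 3COL  iff  f(G) in SAT, with both sides decided by exhaustive search.
    """
    n_vars, cnf = three_col_to_sat(n, edges)
    sat = brute_force_sat(n_vars, cnf)
    if sat is not None:                     # the witness must transfer back too
        colouring = colouring_from_assignment(n, sat)
        if not all(colouring[u] != colouring[w] for u, w in edges):
            return False
    return (sat is not None) == (brute_force_3col(n, edges) is not None)


if __name__ == "__main__":
    for graph in (GRAPH_3COL, GRAPH_K4):
        n_vars, cnf = three_col_to_sat(*graph)
        print(len(cnf), "clauses,", reduction_agrees(*graph), brute_force_3col(*graph))
```

Note which direction the reduction goes: 3COL ≤_P SAT places 3COL in NP (SAT decides it after a cheap translation) and says nothing about SAT's hardness; it is Cook's theorem, every NP language ≤_P SAT, that makes SAT complete.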

The satisfiability problem is an NP Complete Problem

Theorem: NP-Completeness

If any NP-complete problem is polynomial-time solvable,
then P = NP!

If L ∈ NPC and we can find a DTM accepting L in polynomial
time (so that L ∈ P), then P = NP

All the problems in NP would have polynomial deterministic
solutions!

Equivalently, if any problem in NP is not polynomial-time
solvable, then no NP-complete problem is polynomial-time
solvable

If we prove that we cannot solve an NP-Complete problem in
Deterministic Polynomial Time, then we know: P ≠ NP

Proof: NP-Completeness

Let L ∈ P and L ∈ NPC

For any L′ ∈ NP, L′ ≤_P L

By definition of NP-completeness

Therefore, L′ ∈ P

P, NP, NPC Complexity Hierarchy

[Diagram: P ⊆ NP, with NPC ⊆ NP; Primes ∈ P, SAT ∈ NPC]

Cryptography and Complexity

Basing cryptography on complexity theoretic assumptions

Randomness

Interaction

Complexity Theory

Study the resources required to solve problems: time, space (memory)

Understanding relations between complexity phenomena

Provides a new perspective on various concepts

Cryptography

Specify security requirements of systems

Use the computational infeasibility of problems to obtain security

Almost any cryptographic

These disciplines are connected!

Cryptography and Complexity

Cryptography

Study of systems that are easy to use, but hard to
abuse

Crypto systems involve

Secrets

Randomness

Interaction

Complexity gap

Between proper usage by legitimate parties and the
infeasibility of causing systems to deviate from their prescribed
functionality

Cryptography is Based on Complexity
Theoretic Assumptions

Transformations of simple primitives, e.g. One
Way Functions, into complex constructions, e.g.
encryption schemes

Intractability of NPC problems is a statement about the
hardest instances (worst case)

But some problems that are hard in the worst case are easy on average

Breaking a crypto-system must be hard for almost
all instances and not just some of them

For cryptography, use average case complexity analysis

Randomness

Pseudo-Random Generators (PRG)

Randomness and Intractability

Complexity defines objects as equivalent if they
cannot be told apart by efficient observer

Coin toss is random if it is infeasible to predict the
outcome

A distribution is random if it is infeasible to
distinguish from uniform distribution

Randomness is expandable

Random strings can be expanded into longer pseudo
random strings

Randomness and Intractability

Pseudo-randomness refers to intractability

i.e. infeasibility of distinguishing pseudo-random strings from
uniformly distributed strings

The assumption of One Way Functions implies the
existence of pseudo-random generators

Stretch short random seeds into long pseudo-random strings

Existence of PRGs is equivalent to the existence of OWFs

Derandomisation

Goal

Real random bits are difficult to obtain, so use less
randomness

Idea

Replace random strings with pseudo-random ones

Security?

Depends on the power of the distinguisher

For a restricted (polynomial-time) distinguisher, the probability of
telling the two apart is only negligibly better than ½, i.e. no better
than guessing

For an unbounded distinguisher, the probability to distinguish is
essentially 1: it can enumerate all 2ⁿ seeds, and only that many of
the longer output strings are ever produced

Generating Computational
Randomness

[Diagram: random seed → Pseudo-Random Generator → pseudo-random string]

Insecure against a computationally unbounded distinguisher

Secure against a computationally bounded distinguisher

Pseudo-Random Generator

[Diagram: random seed → PRG → pseudo-random string; the pseudo-random string
and a truly random string appear indistinguishable to any Efficient Observer]

PRG is a polynomial time deterministic function whose
output is indistinguishable from random by any efficient
distinguisher

PRG and P vs. NP

Theorem:

If P = NP there are no PRGs

Proof sketch:

Let G be a PRG and let D be a distinguisher, s.t. on
input y it accepts iff there is an x s.t. G(x) = y

D is an NP machine: it can guess x′ and check if G(x′) = y

Since P = NP, D is efficient

D accepts every string output by G, and only those; since G
stretches n-bit seeds into longer strings, at most 2ⁿ of the
2^{|y|} possible strings are ever produced, so D accepts a
uniformly random string with probability at most ½

G is not a PRG
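
The generator and the two kinds of distinguisher from the last three slides, as an added toy example (mine, not from the slides). The "PRG" is a SHA-256 truncation with an 8-bit seed and 16-bit output; the assumption that SHA-256 acts as a one-way function is stated only so that there is a concrete function to attack, and the seed is kept tiny so that the exhaustive distinguisher D of the proof sketch can actually be run and its advantage computed exactly, next to a restricted (constant-time) distinguisher whose advantage is negligible.

```python
import hashlib
from functools import lru_cache

SEED_BITS = 8    # n: toy seed length, deliberately small enough to brute-force (assumption)
OUT_BITS = 16    # 2n: the generator stretches n bits to 2n bits


def prg(seed: int) -> int:
    """Toy G(x): the first OUT_BITS bits of SHA-256(x).

    Assumption: SHA-256 behaves like a one-way function here. This is an
    illustration of the definitions, not a security proof for this G.
    """
    if not 0 <= seed < 2 ** SEED_BITS:
        raise ValueError("seed out of range")
    digest = hashlib.sha256(seed.to_bytes((SEED_BITS + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - OUT_BITS)


@lru_cache(maxsize=None)
def prg_image() -> frozenset:
    """All strings G can output: at most 2^n of the 2^(2n) possible strings.
    Computing this is exponential work, which an unbounded distinguisher (or an
    efficient one if P = NP, via guess-and-check) can afford."""
    return frozenset(prg(x) for x in range(2 ** SEED_BITS))


def exhaustive_distinguisher(y: int) -> bool:
    """D from the proof sketch: accept y iff there exists x with G(x) = y."""
    return y in prg_image()


def parity_distinguisher(y: int) -> bool:
    """A restricted distinguisher: one linear pass, accept iff y has even parity."""
    return bin(y).count("1") % 2 == 0


def advantage(distinguisher) -> float:
    """|Pr[D(G(x)) = 1] - Pr[D(U) = 1]|, computed exactly over all seeds x and
    all 2n-bit strings U rather than estimated by sampling."""
    p_prg = sum(distinguisher(prg(x)) for x in range(2 ** SEED_BITS)) / 2 ** SEED_BITS
    p_uniform = sum(distinguisher(y) for y in range(2 ** OUT_BITS)) / 2 ** OUT_BITS
    return abs(p_prg - p_uniform)


if __name__ == "__main__":
    print("image size:", len(prg_image()), "of", 2 ** OUT_BITS)
    print("exhaustive D advantage:", advantage(exhaustive_distinguisher))
    print("parity D advantage:   ", advantage(parity_distinguisher))
```

The exhaustive distinguisher accepts every G output and at most 2⁸ of the 2¹⁶ uniform strings, so its advantage is at least 1 − 2⁻⁸; the parity test sits near 0. Security of a PRG is exactly the claim that every polynomial-time distinguisher looks like the second one.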

Information vs. Knowledge

Interactive Proofs

Zero Knowledge Proofs

Knowledge and Secrecy

A result of hard computation

Not knowledge if it can be efficiently computed by anyone

Zero Knowledge Interaction

Interactions in which no knowledge is gained

Assert correctness of data provided beforehand

Motivation for interaction is gaining knowledge

Showing a possession of a secret to other party without
revealing the secret

Knowledge is something one party has and the other does
not and cannot feasibly obtain

“Knowledge is a secret”

What is a gain of knowledge?

Defined with respect to computational ability

Bob gains knowledge after interacting with Alice if:

After the interaction Bob can easily compute
something that was infeasible for him before

Recall: The complexity class NP

The languages in NP are those whose members
all have short certificates of membership, which
can be easily verified

NP can be characterized as the set of languages
for which an efficient procedure exists to check
if a string belongs to that language

Given a string x from a language L and a certificate w,
it is easy to check if x belongs to L

Proof Systems and NP

We can view this as follows:

There is an unbounded prover

The prover has to convince the verifier that
the input is indeed a member of the language

It sends the verifier a short (polynomial)
certificate

The verifier is bounded

The verification of the certificate cannot take
more than polynomial time

Interactive Proof System

Interactive proofs are a generalisation of the concept of a
proof system

It is obtained by adding two more properties

Interaction between the parties (interaction adds power)

Letting the verifier toss coins (randomisation)

Why?

An Interactive Proof System is a two-party game
between a verifier and a prover that interact on a
common input for a polynomial amount of time

Eventually the verifier accepts (x ∈ L) or rejects the
input otherwise

Properties of an Interactive Proof
System

Prover and verifier interact with each other

Two Turing machines, sharing a common tape

The unbounded prover has to convince the bounded
(polynomial) verifier

Correctness:

Soundness: I'll not believe a false statement

For a false assertion no prover strategy convinces the verifier,
except with small probability

Completeness: I'll believe all true statements

For a true assertion there is a convincing proof strategy

Proofs are defined by their verification procedure

Verification is typically simple, proving is typically hard

IP = class of languages that have interactive proofs

Example: IP for SAT

Check the membership of a given boolean formula
(′ denotes negation; the rest of the formula is not preserved on the slide):

φ = (x ∨ y ∨ z′) ∧ (x′ ∨ …

The prover must convince the verifier this formula
is satisfiable

It sends an assignment, which supposedly satisfies the
formula

x = 0, y = 1, z = 0

It is not difficult for the prover to find such an assignment, if one
exists; why?

The prover is unbounded

Example: IP for SAT

The verifier checks the truth value of the
formula under the assignment it received

Finds out whether the prover was right

This takes polynomial time

Zero Knowledge Proof System

(P, V) is a ZKIP if

It is complete and sound

It is zero knowledge

The verifier does not learn anything except the truth of the statement

For every verifier interacting with the prover, there is a
simulator that has no access to the prover

Yet, it can simulate the interaction between P and V

Hence, V did not gain any knowledge from P

Since the same output could have been generated without any access to P
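
A complete interactive proof with all three properties, as an added example (mine, not from the talk): the classic zero-knowledge protocol for graph 3-colouring, using hash commitments. The prover holds a secret colouring, relabels the colours with a fresh random permutation each round and commits to every vertex; the verifier's coins pick one edge; the prover opens its two endpoints; the verifier checks the openings and that the colours differ. The simulator at the end produces an accepting transcript for the honest verifier without knowing any colouring, by guessing the edge and rewinding, which is what "V gains no knowledge" means operationally. The graph, colourings and the assumption that SHA-256 gives a hiding and binding commitment are my own.

```python
import hashlib
import random

# Constructed instance (assumption): a 4-cycle with the chord (0, 2); 3-colourable.
VERTICES = [0, 1, 2, 3]
EDGES = [(0, 1), (1, 2), (2, 3), (3, 0), (0, 2)]
GOOD_COLOURING = {0: 0, 1: 1, 2: 2, 3: 1}     # the prover's secret witness
BAD_COLOURING = {v: 0 for v in VERTICES}       # a cheating prover's "witness"


def commit(colour: int, nonce: bytes) -> bytes:
    """Hash commitment (assumption: SHA-256 is hiding and binding for this toy)."""
    return hashlib.sha256(nonce + bytes([colour])).digest()


def prover_commit(colouring: dict, rng: random.Random):
    """Round 1: relabel colours by a fresh random permutation, commit to each vertex."""
    perm = [0, 1, 2]
    rng.shuffle(perm)
    commitments, openings = {}, {}
    for v, c in colouring.items():
        nonce = rng.getrandbits(128).to_bytes(16, "big")
        openings[v] = (perm[c], nonce)
        commitments[v] = commit(perm[c], nonce)
    return commitments, openings


def verifier_challenge(edges, rng: random.Random):
    """Round 2: the verifier's coins choose one edge to inspect."""
    return rng.choice(edges)


def verifier_check(commitments, edge, opened) -> bool:
    """Round 3: openings must match the commitments and the two colours must differ."""
    u, w = edge
    (cu, nu), (cw, nw) = opened
    return (commit(cu, nu) == commitments[u] and commit(cw, nw) == commitments[w]
            and {cu, cw} <= {0, 1, 2} and cu != cw)


def run_protocol(edges, colouring, rounds=40, seed=1) -> bool:
    """The full interactive proof. Completeness: a valid colouring always passes.
    Soundness: a colouring with a monochromatic edge survives one round with
    probability at most 1 - 1/|E|, so `rounds` repetitions drive it down."""
    rng = random.Random(seed)
    for _ in range(rounds):
        commitments, openings = prover_commit(colouring, rng)
        u, w = edge = verifier_challenge(edges, rng)
        if not verifier_check(commitments, edge, (openings[u], openings[w])):
            return False
    return True


def simulate_round(edges, vertices, seed=7):
    """Simulator for the honest verifier: it knows no colouring. It guesses the
    edge, commits to a fake colouring that is proper only on that edge, and
    rewinds (retries with fresh coins) whenever the verifier asks for another edge.
    The honest verifier ignores the commitments when choosing its edge, so its
    coins can be drawn from the same generator here."""
    rng = random.Random(seed)
    while True:
        guess = rng.choice(edges)
        fake = {v: 0 for v in vertices}
        fake[guess[0]], fake[guess[1]] = rng.sample([0, 1, 2], 2)
        commitments, openings = prover_commit(fake, rng)
        u, w = edge = verifier_challenge(edges, rng)
        if edge == guess:
            return commitments, edge, (openings[u], openings[w])


if __name__ == "__main__":
    print("honest prover accepted:", run_protocol(EDGES, GOOD_COLOURING))
    print("cheating prover accepted:", run_protocol(EDGES, BAD_COLOURING))
    c, e, o = simulate_round(EDGES, VERTICES)
    print("simulated transcript accepted:", verifier_check(c, e, o))
```

The transcript the simulator returns is distributed like a real one (two distinct random colours and two commitments the verifier cannot open), so anything V could compute from the real interaction it could have computed alone; the all-zero "witness" is caught in the first round because every edge it opens is monochromatic.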

Questions?

Thank you.