Complexity and Cryptography

Nov 21, 2013

Complexity and Cryptography

Haya Shulman

CGC Colloquium


Complexity Theory


Determines the complexity (power and limitations) of well-defined tasks


Defines resources required to solve computational
problems


E.g. time, space, randomness, interaction


Classifies problems according to their difficulty


Defines relations between computational
phenomena

Complexity Theory


Provided a way of dividing the computational world into complexity classes


Evidence implying that these complexity classes
are distinct


Complexity Class is a fundamental notion of
complexity theory


Practical: relationship between computational classes
and real computational problems

Complexity Class


A model of computation


Turing machine


A resource or a set thereof


E.g. time, memory


A complexity bound for each resource


Complexity considers the worst-case performance


Lower bounds are stated asymptotically


Constant factors are irrelevant, and only the order of the lower bound is considered (linear, polynomial, exponential, …)

Turing Machine

Deterministic vs. Non-Deterministic Turing Machine

Turing Machine


Was invented by Alan Turing in 1936


Turing machine is an abstract model of
computation


Embodies any computer program


A Turing machine is composed of a "tape", a head and the program, i.e. a list of transitions

Turing Machine vs. Computers


If a computer can compute an algorithm then so
can a Turing machine


Can a computer compute an algorithm if a
Turing machine can?


No computer is as powerful as a Turing machine


A computer is restricted while a Turing machine can do
all that is theoretically possible given unlimited resources,
e.g. time, memory

Deterministic Turing Machine


Deterministic machines model real computations


Transition function for a given state and symbol
under the tape head, specifies:


The symbol to be written to the tape


The direction to move the head


The state of the finite control



Given A on the tape in state 5, write B on the
tape move the head right, and switch to state 7

Non-Deterministic Turing Machine


The state and tape symbol do not uniquely
specify the computation


The machine "branches" into many copies, each
follows one possible transition


If any branch of the tree halts with an accept
condition, then the machine accepts the input


Given A on the tape in state 5, write B on the
tape move the head right, and switch to state 7
or write A, move left and stay in state 5

Deterministic vs. Non-Deterministic Turing Machine


NDTM has a computation tree, while a DTM has
a single computation path


Is NDTM more powerful than DTM?


Any language recognized by an NDTM can also be
recognized by a DTM


DTM simulates each branch of NDTM


Makes multiple copies of states when multiple
transitions are possible


How long to simulate? P vs. NP
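As an added illustration (example code written for this page, not from the slides), here is a Python simulator that runs a transition table of the kind just described. A deterministic table has one transition per (state, symbol) pair; a nondeterministic table may have several, and the simulator queues a copy of the configuration for each of them, which is exactly the "DTM simulates each branch" argument above. The two machines CONTAINS_11_NDTM and CONTAINS_11_DTM are constructed for the example and accept binary strings containing the substring 11; their state names and the step bound are assumptions.

```python
from collections import deque

BLANK = "_"

# Transition tables: (state, symbol read) -> list of (symbol to write, head move, next state).
# A deterministic machine has exactly one entry per key; a nondeterministic one may have several.
#
# Constructed example machines (not from the slides): both accept binary strings
# that contain the substring "11".  The nondeterministic one, on reading a 1 in
# q0, either keeps scanning or "guesses" that this 1 starts the 11.
CONTAINS_11_NDTM = {
    ("q0", "0"): [("0", "R", "q0")],
    ("q0", "1"): [("1", "R", "q0"), ("1", "R", "q1")],   # two choices: the machine branches
    ("q1", "1"): [("1", "R", "acc")],
}
CONTAINS_11_DTM = {
    ("q0", "0"): [("0", "R", "q0")],
    ("q0", "1"): [("1", "R", "q1")],
    ("q1", "0"): [("0", "R", "q0")],
    ("q1", "1"): [("1", "R", "acc")],
}


def simulate(transitions, tape, start="q0", accept="acc", max_steps=100):
    """Simulate a one-tape machine on a DTM by exploring its computation tree.

    A configuration is (state, head position, tape contents).  Whenever several
    transitions apply, a copy of the configuration is queued for each of them,
    so every branch of an NDTM is followed (breadth-first); a DTM simply yields
    a single path.  Accept as soon as any branch reaches the accepting state.

    Returns (accepted, number of configurations explored).
    """
    start_conf = (start, 0, tuple(tape) if tape else (BLANK,))
    queue = deque([(start_conf, 0)])
    seen = {start_conf}
    explored = 0
    while queue:
        (state, head, cells), steps = queue.popleft()
        explored += 1
        if state == accept:
            return True, explored
        if steps >= max_steps:
            continue                       # abandon a branch that runs too long
        symbol = cells[head] if head < len(cells) else BLANK
        for write, move, nxt in transitions.get((state, symbol), []):
            new_cells = list(cells) + ([BLANK] if head >= len(cells) else [])
            new_cells[head] = write
            new_head = head + 1 if move == "R" else max(head - 1, 0)
            conf = (nxt, new_head, tuple(new_cells))
            if conf not in seen:           # a configuration seen before need not be re-explored
                seen.add(conf)
                queue.append((conf, steps + 1))
    return False, explored                 # no branch accepted (every branch halted or was cut off)
```

The explored count is the price of the simulation: on the same input the nondeterministic table visits more configurations than the deterministic one, and for a machine that keeps branching the count grows exponentially in the number of steps, which is the gap behind the P vs. NP question on the next slides.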

[Diagram: P (deterministic polynomial time) drawn inside NP (non-deterministic polynomial time)]

P vs. NP

P vs. NP


Is finding solutions to problems harder than verifying
their correctness?


P represents


Efficiently solvable tasks


Sets of assertions that can be efficiently verified from scratch


NP represents


Tasks for which solutions can be efficiently checked


Sets of assertions that can be efficiently verified with the help
of adequate proofs

P vs. NP


Complexity theory is concerned with manipulation
of information


A solution to a computational problem is a different
representation of the information


A representation in which the answer is explicit rather than
implicit


The problem contains all necessary information


Process the information in order to supply the answer


E.g. the answer to “is a given Boolean formula satisfiable” is
implicit in the formula itself and the task is to make the
answer explicit

Complexity Classes

P, NP, NPC

Definitions


A language is a set of strings


E.g. $\mathrm{Primes} = \{2, 3, 5, 7, 11, 13, 17, 19, \ldots\}$


Decision problem:


Given some string, determine if it is in the set


Given $i$, is $i \in \mathrm{Primes}$?


$\mathrm{Primes} \in P$

P

Complexity Class


The class of all languages that can be recognised by a deterministic polynomial-time machine


A language $L$ is in $P$ if there exists a TM $M$ and a polynomial $p(\cdot)$, s.t.


$M(x)$ halts in at most $p(|x|)$ steps


$M(x) = 1$ iff $x \in L$

P

Associated with Efficient Computation


Showing that a problem is not in P implies that no DTM solves it in polynomial time (not that it cannot be solved at all)


Reductions: given efficient $f(\cdot)$ and $p(\cdot)$, $h = f \circ p$ is efficient (polynomials are closed under composition)


Polynomial time is a boundary between feasible and infeasible


Given a polynomial algorithm, apply mathematical and algorithmic techniques to improve it


All models of sequential computation yield the same class P


The notions of polynomial time for all models of sequential computation yield the same class


The class P captures the true notion of the problems that are computable in polynomial time by sequential machines

NP Complexity Class


$L \in NP$ if there exist a language $L' \in P$ and a polynomial $p(\cdot)$, s.t. for every $x$:

$x \in L$ iff $\exists w$, s.t. $|w| \le p(|x|)$ and $(x, w) \in L'$


Definition by means of a DTM, which verifies correctness of solutions


When $x \in L$, $w$ is the positive solution to the problem represented by $x$, or a proof that $x \in L$


Class of problems, s.t.


DTM: given a solution, test it for validity efficiently


NDTM: guess a solution and test it for validity


An NDTM behaves as if it had unboundedly many parallel processors, one per branch

NP Complexity Class


$L$ is the set of composite numbers


DTM:


Given the proof, verify its correctness


Given a proof that $x$ is composite, i.e. $x_1 \ge 2$ and $x_2 \ge 2$, check if $x_1 \cdot x_2 = x$


NDTM:


Try all possible solutions at once, and identify the solution in polynomial time


On input $x$ the machine branches to write down guesses for $x_1$ and $x_2$


Then deterministically multiplies to test if $x_1 \cdot x_2 = x$


There exists an accepting computation path iff $x$ is composite
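The composite-numbers example in code (added here for illustration; not the slides' own material). verify_composite is the DTM's job: given the certificate $w = (x_1, x_2)$ it runs in time polynomial in $|x|$. find_witness stands in for the NDTM by trying the guesses one after another instead of all at once; the trial count it returns makes the gap between checking and searching visible. Function names and the sample inputs are this example's own.

```python
import math


def verify_composite(x: int, witness) -> bool:
    """DTM side: the certificate w = (x1, x2) is checked with one multiplication,
    i.e. in time polynomial in the bit-length of x."""
    x1, x2 = witness
    return x1 >= 2 and x2 >= 2 and x1 * x2 == x


def witness_is_short(x: int, witness) -> bool:
    """|w| <= p(|x|): the two factors together have at most one more bit than x,
    so the certificate is never longer than the instance plus a constant."""
    x1, x2 = witness
    return x1.bit_length() + x2.bit_length() <= x.bit_length() + 1


def find_witness(x: int):
    """Deterministic stand-in for the NDTM, which guesses x1 and x2 on parallel
    branches: here the candidates are tried one after another.  Returns the
    witness (or None) and the number of candidates tried, which in the worst
    case grows like 2^(|x|/2), exponential in the input length."""
    trials = 0
    for x1 in range(2, math.isqrt(x) + 1):
        trials += 1
        if x % x1 == 0:
            return (x1, x // x1), trials
    return None, trials


def is_composite(x: int) -> bool:
    """Search for a certificate, then verify it: accept iff some branch accepts."""
    witness, _ = find_witness(x)
    return witness is not None and verify_composite(x, witness)


if __name__ == "__main__":
    for x in (91, 97, 2 ** 31 - 1):
        print(x, find_witness(x), is_composite(x))
```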

Complexity


Failed to establish lower bounds on resources


Showed that many problems are computationally equivalent


Either all of them have efficient algorithms or none of them does


E.g. failed to determine the complexity of finding a satisfying assignment of a Boolean formula (SAT) or a 3-colouring of a graph (3COL)


In contrast, established that these problems are computationally equivalent
NP Complete Complexity Class


Identifies a set of problems that are as hard as any problem in NP


If any of those problems is easy to solve, then so are all problems in NP


Demonstrating NP-Completeness of a task is a central tool in indicating hardness of problems


Showing that a problem is NPC provides evidence of its intractability
NP Complete Complexity Class


A problem is NP Complete if


It is in NP


Every NP problem reduces to it in polynomial time


$L \in NPC$ if


$L \in NP$


For every $L' \in NP$, $L' \le_P L$

Reducibility


Language $L_1$ is polynomial-time reducible to language $L_2$, written $L_1 \le_P L_2$


If there exists a polynomial-time computable function $f: \{0,1\}^* \to \{0,1\}^*$ such that for all $x \in \{0,1\}^*$

$x \in L_1$ iff $f(x) \in L_2$


Significance:


If $L_2 \in P$ and $L_1 \le_P L_2$, then $L_1 \in P$ also

Reduction


Cook's theorem:


Every decision problem in the class NP reduces to the Boolean satisfiability problem SAT

SAT


The first decision problem proved to be NP-complete


The Boolean satisfiability problem (SAT) is a decision problem


Its instance is a Boolean expression with only AND, OR, NOT, variables, and parentheses


Is there some assignment of TRUE and FALSE values to the variables that will make the entire expression true?


Any problem in NP to which SAT reduces in polynomial time is in NPC (reducing a problem to SAT in the other direction only shows that the problem is in NP)

In conjunctive normal form an instance is $\varphi = \bigwedge_{i=1}^{n} C_i$ with clauses $C_i = \bigvee_{j=1}^{m_i} x_{i,j}$, where each $x_{i,j}$ is a variable or its negation, s.t. SAT asks whether some assignment makes every $C_i$ true

SAT


Non-deterministic algorithm:


Guess an assignment of the variables


Check if this is a satisfying assignment


Deterministic algorithm:


Given an assignment, check if it is satisfying


Time for $n$ variables (per branch of the non-deterministic algorithm):


Guess an assignment of the variables: $O(n)$


Check if this is a satisfying assignment: $O(n)$ (linear in the size of the formula)


Total time: $O(n)$ per branch; a deterministic simulation must try up to $2^n$ assignments

The satisfiability problem is an NP Complete problem
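To make both the SAT algorithms and the reduction $L_1 \le_P L_2$ concrete, the following added Python example (written for this page, not taken from the slides) encodes CNF formulas, checks an assignment in linear time, simulates the guess-and-check NDTM by exhaustive search, and implements the textbook polynomial-time reduction from 3COL to SAT. The encoding conventions, function names and the two constructed graphs (a triangle and $K_4$) are assumptions of the example.

```python
import itertools

# CNF encoding (DIMACS style): a formula is a list of clauses, a clause a list
# of literals; literal k > 0 means x_k and k < 0 means NOT x_k.


def evaluate_cnf(clauses, assignment):
    """DTM side: check one assignment.  Time linear in the size of the formula."""
    return all(any((lit > 0) == assignment[abs(lit)] for lit in clause)
               for clause in clauses)


def brute_force_sat(clauses, n_vars):
    """Deterministic simulation of 'guess an assignment, then check':
    walks every branch of the NDTM, i.e. up to 2^n assignments."""
    for bits in itertools.product([False, True], repeat=n_vars):
        assignment = dict(zip(range(1, n_vars + 1), bits))
        if evaluate_cnf(clauses, assignment):
            return assignment
    return None


def three_col_to_cnf(n_vertices, edges):
    """Polynomial-time reduction 3COL <=_P SAT.

    Variable var(v, c) stands for 'vertex v receives colour c' (c in 0..2).
    The output has 3V variables and V + 3V + 3E clauses, so the reduction f is
    computable in time linear in the size of the graph, and the graph is
    3-colourable iff the formula is satisfiable.
    """
    def var(v, c):
        return 3 * v + c + 1

    clauses = []
    for v in range(n_vertices):
        clauses.append([var(v, 0), var(v, 1), var(v, 2)])        # at least one colour
        for c1, c2 in itertools.combinations(range(3), 2):
            clauses.append([-var(v, c1), -var(v, c2)])            # at most one colour
    for u, v in edges:
        for c in range(3):
            clauses.append([-var(u, c), -var(v, c)])              # endpoints differ
    return clauses, 3 * n_vertices


def colouring_from_assignment(n_vertices, assignment):
    """Map a satisfying assignment back to a colouring (the 'at most one'
    clauses guarantee exactly one true colour variable per vertex)."""
    return [next(c for c in range(3) if assignment[3 * v + c + 1])
            for v in range(n_vertices)]


def is_proper_colouring(edges, colouring):
    return all(colouring[u] != colouring[v] for u, v in edges)


def solve_three_col(n_vertices, edges):
    """3COL solved through SAT: if SAT were in P this would be polynomial for
    every graph; with the brute-force SAT solver it is exponential."""
    clauses, n_vars = three_col_to_cnf(n_vertices, edges)
    assignment = brute_force_sat(clauses, n_vars)
    if assignment is None:
        return None
    return colouring_from_assignment(n_vertices, assignment)


# Constructed instances: a triangle is 3-colourable, K4 is not.
TRIANGLE = (3, [(0, 1), (1, 2), (0, 2)])
K4 = (4, [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3)])

if __name__ == "__main__":
    print("triangle:", solve_three_col(*TRIANGLE))
    print("K4:", solve_three_col(*K4))
```

The direction of the reduction is the point of the "Significance" bullet: three_col_to_cnf is polynomial, so a polynomial-time SAT algorithm would make solve_three_col polynomial too. It shows that SAT is at least as hard as 3COL, not that 3COL is hard.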

Theorem: NP-Completeness


If any NP-complete problem is polynomial-time solvable, then P = NP!


If $L \in NPC$ and we can find a DTM accepting $L$ in polynomial time (so that $L \in P$), then $P = NP$


All the problems in NP would have polynomial deterministic solutions!


Equivalently, if any problem in NP is not polynomial-time solvable, then no NP-complete problem is polynomial-time solvable


If we prove that we cannot solve an NP-Complete problem in deterministic polynomial time, then we know: $P \ne NP$
Proof: NP-Completeness


Let $L \in P$ and $L \in NPC$


For any $L' \in NP$, $L' \le_P L$


By definition of NP-completeness


Therefore, $L' \in P$

P, NP, NPC Complexity Hierarchy

[Diagram: $P$ (containing $\mathrm{Primes}$) inside $NP$, with $NPC$ (containing SAT) as the hardest part of $NP$]

Cryptography and Complexity

Basing cryptography on complexity-theoretic assumptions

Randomness

Interaction

Complexity Theory


Study the resources
required to solve
computational tasks


time, space (memory)


Understanding relations
between complexity
phenomena


Provides new perspective
on various concepts

Cryptography


Specify security
requirements of systems


Use the computational
infeasibility of problems to
obtain security


Almost any cryptographic
task requires using this idea

These disciplines are connected!


Cryptography and Complexity

Cryptography


Study of systems that are easy to use, but hard to
abuse


Crypto systems involve


Secrets


Randomness


Interaction


Complexity gap


Between proper usage by legitimate parties and the infeasibility of causing systems to deviate from their prescribed functionality

Cryptography is Based on Complexity Theoretic Assumptions


Transformations of simple primitives, e.g. One-Way Functions, into complex constructions, e.g. encryption schemes


Intractability of NPC problems is based on the hardest instances (worst case)


But some problems are easy on average


Breaking a crypto-system must be hard for almost all instances and not just some of them


For cryptography, use average-case complexity analysis
Randomness

Pseudo-Random Generators (PRG)

Randomness and Intractability


Complexity defines objects as equivalent if they
cannot be told apart by efficient observer


Coin toss is random if it is infeasible to predict the
outcome


A distribution is random if it is infeasible to
distinguish from uniform distribution


Randomness is expandable


Random strings can be expanded into longer pseudo
random strings

Randomness and Intractability


Pseudo-randomness refers to intractability


i.e. infeasibility of distinguishing pseudo-random strings from uniformly distributed strings


The assumption of One-Way Functions implies the existence of pseudo-random generators


Stretch short random seeds into long pseudo-random strings



Existence of PRGs is equivalent to the existence of OWFs

Derandomisation


Goal


Real random bits are difficult to obtain, so use less randomness


Idea


Replace random strings with pseudo-random ones


Security?


Depends on the power of the distinguisher


For a restricted (efficient) distinguisher, the probability of telling the two distributions apart is only negligibly better than ½, i.e. no better than guessing


For an unbounded distinguisher, the probability of distinguishing is essentially 1 (it can enumerate every seed)

Generating Computational Randomness

[Diagram: random seed → Pseudo-Random Generator → pseudo-random string]

Insecure against a computationally unbounded distinguisher


Secure against a computationally bounded distinguisher

Pseudo-Random Generator

[Diagram: random seed → PRG → pseudo-random string, placed next to a truly random string; the two appear indistinguishable to any efficient observer]


A PRG is a polynomial-time deterministic function that stretches a short random seed into a longer string whose output is indistinguishable from random by any efficient distinguisher

PRG and P vs. NP


Theorem:


If P = NP there are no PRGs


Proof sketch:


Let $G$ be a PRG and let $D$ be a distinguisher, s.t. on input $y$ it accepts iff there is an $x$ s.t. $G(x) = y$


$D \in NP$: it can guess $x'$ and check if $G(x') = y$


Since P = NP, $D$ is efficient


$D$ accepts every output of $G$, but a uniformly random string of the output length lies in the image of $G$ with probability at most $2^{|x|} / 2^{|y|} \le 1/2$, so $D$ tells the two apart


$G$ is not a PRG
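The proof sketch carried out on a toy generator (added example, not from the slides). The generator G, built here from SHA-256 truncated to 16 bits, is only a stand-in with an 8-bit seed space; the seed and output lengths and the name D for the distinguisher are this example's assumptions. D accepts exactly the image of G, which is what the guess-and-check NP predicate decides; because the seed space is tiny it is evaluated here by brute force, the role that P = NP would play for seeds of any length.

```python
import hashlib

SEED_BITS = 8    # n: seed length in bits (toy size, chosen for the example)
OUT_BITS = 16    # m > n: output length, the generator's stretch


def G(seed: int) -> int:
    """Constructed toy generator G: {0,1}^8 -> {0,1}^16.  It is a stand-in used
    only to make the proof sketch concrete, not a real PRG construction."""
    digest = hashlib.sha256(seed.to_bytes(1, "big")).digest()
    return int.from_bytes(digest[:2], "big")


# Image of G: at most 2^8 of the 2^16 possible output strings.
IMAGE = frozenset(G(s) for s in range(2 ** SEED_BITS))


def D(y: int) -> bool:
    """The distinguisher of the proof: accept y iff some x has G(x) = y.
    'Is y in the image of G?' is an NP question (guess x, check G(x) = y).
    Here the seed space is tiny, so the guess is a brute-force table lookup;
    if P = NP the same predicate would be efficient for any seed length."""
    return y in IMAGE


def acceptance_rates():
    """Pr[D(G(seed)) = 1] over all seeds versus Pr[D(y) = 1] over all y,
    computed exactly over both domains rather than sampled."""
    on_prg = sum(D(G(s)) for s in range(2 ** SEED_BITS)) / 2 ** SEED_BITS
    on_uniform = sum(D(y) for y in range(2 ** OUT_BITS)) / 2 ** OUT_BITS
    return on_prg, on_uniform


def distinguishing_advantage():
    """|Pr[D accepts G's output] - Pr[D accepts uniform]|.  For this D it is
    close to 1, so G is broken; a PRG requires it to be negligible for every
    efficient D."""
    on_prg, on_uniform = acceptance_rates()
    return abs(on_prg - on_uniform)


if __name__ == "__main__":
    print("acceptance on G / on uniform:", acceptance_rates())
    print("advantage:", distinguishing_advantage())
```

The bound in the proof shows up directly: D accepts G's outputs with probability 1 and uniform 16-bit strings with probability at most $2^8/2^{16}$, so the advantage is at least $1 - 1/256$ regardless of how good the underlying hash is. What protects a real PRG is not the function but the infeasibility of computing D for seeds of, say, 256 bits.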

Information vs. Knowledge

Interactive Proofs

Zero Knowledge Proofs

Knowledge and Secrecy


Knowledge is the result of a hard computation


It is not knowledge if it can be efficiently computed by anyone


Zero Knowledge Interaction


Interactions in which no knowledge is gained


Assert correctness of data provided beforehand


Motivation for interaction is gaining knowledge


Showing a possession of a secret to other party without
revealing the secret



Knowledge is something one party has and the other does
not and cannot feasibly obtain


“Knowledge is a secret”

What is a gain of knowledge?


Defined with respect to computational ability


Bob gains knowledge after interacting with Alice if:


After the interaction Bob can easily compute
something that was infeasible for him before

Recall: The complexity class NP


The languages in NP are those whose members
all have short certificates of membership, which
can be easily verified


NP can be characterized as the set of languages for which an efficient procedure exists to check, given a certificate, if a string belongs to that language


Given a string $x$ from a language $L$ and a certificate $w$, it is easy to check if $x$ belongs to $L$

Proof Systems and NP


We can view this as follows:


There is an unbounded prover


The prover has to convince the verifier that
the input is indeed a member of the language


It sends the verifier a short (polynomial)
certificate


The verifier is bounded


The verification of the certificate cannot take
more than polynomial time

Interactive Proof System


Interactive proofs are a generalisation of the concept of a proof system


It is obtained by adding two more properties


Interaction between the parties (interaction adds power)


Letting the verifier toss coins (randomisation)


Why?


An Interactive Proof System is a two-party game between a verifier and a prover that interact on a common input for a polynomial amount of time


Eventually the verifier accepts ($x \in L$) or rejects the input otherwise

Properties of an Interactive Proof
System


Prover and verifier interact with each other


Two Turing machines, sharing a common tape


The unbounded prover has to convince the bounded
(polynomial) verifier


Correctness:


Soundness - I'll not believe a false statement


For a false assertion no proof strategy convinces the verifier (except with small probability, since the verifier tosses coins)


Completeness - I'll believe all true statements


For a true assertion there is a convincing proof strategy


Proofs are defined by their verification procedure


Verification is typically simple - proving is typically hard


IP = class of languages that have interactive proofs

Example: IP for SAT


Check the membership of a given boolean formula:

$\varphi = (x \vee y \vee z') \wedge (x' \cdot \ldots)$

The prover must convince the verifier this formula
is satisfiable


It sends an assignment, which supposedly satisfies the
formula


x=0, y=1, z=0


It is not difficult for the prover to find such, if such
exists; why?


The prover is unbounded

Example: IP for SAT


The verifier checks the truth value of the
formula under the assignment it received


Finds out whether the prover was right


This takes polynomial time

Zero Knowledge Proof System


$(P, V)$ is a zero-knowledge interactive proof (ZKIP) if


It is complete and sound


It is zero knowledge


The verifier does not learn anything except the truth of the statement


For every verifier interacting with the prover, there is a simulator


This simulator does not have access to the interactive prover


Yet, it can simulate the interaction between $P$ and $V$


Hence, $V$ did not gain any knowledge from $P$


Since the same output could have been generated without any access to $P$
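A concrete zero-knowledge proof system together with its simulator (added example, not from the slides). It is a Schnorr-type sigma protocol in a small prime-order group: the prover knows $x$ with $y = g^x$, the verifier's coin toss is the challenge $c$, and the three properties of the slide appear as functions: verifier_check (completeness), extract (soundness, from two accepting transcripts) and simulate_transcript (zero knowledge, a transcript produced without $x$). The group parameters $p = 1019$, $q = 509$, $g = 4$ and all function names are this example's assumptions, and the sizes are toy values far too small for real use.

```python
# Group parameters (constructed for the example): p = 2q + 1 with p and q prime,
# and g = 4 a square mod p, hence a generator of the subgroup of prime order q.
P, Q, GEN = 1019, 509, 4


def keygen(x: int) -> int:
    """Prover's secret x in Z_q; public value y = g^x mod p.  The statement
    being proved is 'I know x with g^x = y'."""
    return pow(GEN, x, P)


def prover_commit(r: int) -> int:
    """Round 1: the prover picks a random r in Z_q and sends t = g^r."""
    return pow(GEN, r, P)


def prover_respond(x: int, r: int, c: int) -> int:
    """Round 3: on the verifier's random challenge c (round 2, its coin toss)
    the prover sends s = r + c*x mod q."""
    return (r + c * x) % Q


def verifier_check(y: int, t: int, c: int, s: int) -> bool:
    """Completeness: the bounded verifier accepts iff g^s = t * y^c, a
    polynomial-time check that an honest prover always passes."""
    return pow(GEN, s, P) == (t * pow(y, c, P)) % P


def simulate_transcript(y: int, c: int, s: int):
    """Simulator: knows no x.  Choose c and s first, then solve for
    t = g^s * y^(-c).  The transcript verifies and, for random c and s, has
    exactly the distribution of a real one: this is why V learns nothing."""
    t = (pow(GEN, s, P) * pow(y, -c, P)) % P   # pow(..., -c, P) is a modular inverse (Python >= 3.8)
    return (t, c, s)


def extract(t: int, c1: int, s1: int, c2: int, s2: int) -> int:
    """Soundness (special soundness): two accepting transcripts with the same
    t and different challenges give x = (s1 - s2) / (c1 - c2) mod q, so a
    prover able to answer two challenges must know x."""
    return ((s1 - s2) * pow(c1 - c2, -1, Q)) % Q


def same_view_for_challenge(x: int, c: int) -> bool:
    """Zero knowledge, checked exhaustively for one challenge: the set of
    honest transcripts over all r equals the set of simulated transcripts
    over all s, each set being uniform over its q elements."""
    y = keygen(x)
    honest = {(prover_commit(r), c, prover_respond(x, r, c)) for r in range(Q)}
    simulated = {simulate_transcript(y, c, s) for s in range(Q)}
    return honest == simulated


if __name__ == "__main__":
    import secrets
    x = secrets.randbelow(Q - 1) + 1
    y = keygen(x)
    r, c = secrets.randbelow(Q), secrets.randbelow(Q)
    t = prover_commit(r)
    s = prover_respond(x, r, c)
    print("honest transcript accepted:", verifier_check(y, t, c, s))
    print("simulated transcript accepted:", verifier_check(y, *simulate_transcript(y, c, s)))
    print("simulator matches real view for c:", same_view_for_challenge(x, c))
```

same_view_for_challenge is the simulator argument of the slide for a verifier that picks its challenge honestly at random: whatever V sees could have been produced by a party that never talked to P. A verifier that chooses $c$ adaptively from $t$ needs the stronger simulation in the slide's definition, which quantifies over every verifier; the extract function shows the flip side, that re-using $r$ for two challenges leaks $x$ completely.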

Questions?

Thank you.