On the Compressibility of NP Instances and Cryptographic Applications
Danny Harnik, Moni Naor
Weizmann Institute of Science, Technion
Key Idea of Cryptography
Use the intractability of some problems for the advantage of constructing secure systems.
• Almost any cryptographic task provably requires using this idea.
• A large research effort is devoted to studying the relationship between cryptography and complexity.
“Cryptography and Complexity: a match made in heaven”
This talk
Connections between
• Complexity
• Cryptography
• (A new kind of) Compressibility
Approaches for dealing with NP-complete problems
(Cartoon after Garey and Johnson, 1979: “I can’t find an algorithm for the problem” / “Solve it in time 2ⁿ” / “Maybe I can approximate it” / “Solve it for some fixed parameters” / “Find an algorithm that usually works?” / “Could we just postpone it?”)
• Approximation algorithms
• Sub-exponential time algorithms
• Parameterized complexity
• Average case complexity
• Save it for the future
Compressing Instances
• Rather than solving a problem, we are interested in compressing it, to be solved sometime in the future.
• Compression should be answer preserving rather than input preserving: we do not require that x can be restored from Z(x)!
To compress a language L we need an efficient algorithm Z and a language L’ such that:
• Z(x) ∈ L’ iff x ∈ L
• |Z(x)| << |x|
Why deal with compression?
• Compression allows storing problems succinctly, to be resolved in a future setting (“bandwidth to the future”):
• The future may introduce new and faster technologies (quantum computers?)
• New algorithms (maybe P=NP??)
• Lots of time in the future…
• Our actual motivation: powerful implications of compression for cryptography, both positive and negative.
Talk overview
• Introduce and define compression of NP instances
• Example of compression: Vertex Cover
• Motivation: cryptographic applications
• Collision Resistant Hashing from One-way Functions
• Complexity study of compression
• Witness Retrievability
• OT from one-way functions
• Impossibility
• Everlasting Security and Compression
• Open Problems
General Impossibility
If P≠NP then we cannot hope to have general compression:
• Given a CNF formula of size m, it is hard to come up with an equivalent formula that is much shorter.
• Otherwise it would be possible to apply the compression recursively to the formula until it is short enough to solve exhaustively.
Therefore we deal with NP languages with relatively short witnesses.
Compressing NP Instances – Definition
NP languages with short witnesses; two parameters are considered:
• m – instance length
• n – witness length
For every x of length m, if x ∈ L then it has a witness of length n.
The interesting case: n << m and n not too small.
Example: satisfiability of a CNF formula of m clauses on n variables.
Compression for L: an efficient algorithm Z, a polynomial p(·, ·) and a language L’ such that for every x of length m:
• Z(x) ∈ L’ iff x ∈ L
• |Z(x)| < p(n, log m)
Notes on the Definition
• The length of Z(x) is dominated by the witness length; potentially, Z(x) can be significantly shorter than x.
• Why p(n, log m)? This may be relaxed:
• For the complexity study, log m may be replaced by any sub-polynomial function of m.
• For some applications a compression to m^(1-ε) suffices.
• The definition is only interesting when n << m.
• E.g. 3-SAT is not an interesting problem for compression (a 3-CNF on n variables has at most O(n³) distinct clauses, so m is polynomial in n).
Example: Vertex Cover
• Input: a graph G=(V,E)
• Question: is there a subset of n vertices that covers every edge in E?
• Parameters (up to a log|V| factor):
• m = |E| (instance size)
• n = size of cover (witness size)
Vertex Cover of size n in a graph of size m
Compression algorithm:
• Remove all vertices that have more than n neighbors (such a vertex must be in the cover); suppose k vertices were removed.
• If there are more than n² edges left then answer no.
• Else store the remaining graph G’ (of size at most n²) and the number k.
Language L’ for the compressed instance: vertex cover with size n’ = n - k.
Correctness: if a cover exists in the original graph, then in G’:
• Every edge is covered by one of n vertices.
• Every vertex has degree ≤ n.
• G’ has no more than n² vertices.
Essentially the same witness.
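The kernelization above, written out as an added example (this is not code from the paper or the talk). It assumes a graph given as an edge list and uses a constructed instance: a hub vertex joined to 20 leaves plus a disjoint triangle. The hub has degree above the budget n, so it is forced into the cover; the compressed instance is the triangle with budget n - 1, and only that kernel is ever solved. The brute-force solver exists only to check the kernel's answer against the original graph on this small input.

```python
from itertools import combinations

# Constructed example graph (not from the paper): hub vertex 0 joined to
# leaves 1..20, plus a disjoint triangle on vertices 21, 22, 23.
SAMPLE_EDGES = [(0, leaf) for leaf in range(1, 21)] + [(21, 22), (22, 23), (21, 23)]


def kernelize_vertex_cover(edges, n):
    """Compress an instance (G, n) of Vertex Cover as on the slide.

    Returns None when the answer is already 'no'; otherwise (kernel_edges, k)
    where kernel_edges is G' and k is the number of removed vertices.  The
    compressed instance asks whether G' has a vertex cover of size n - k.
    """
    degree = {}
    for u, v in edges:
        degree[u] = degree.get(u, 0) + 1
        degree[v] = degree.get(v, 0) + 1
    # A vertex with more than n neighbours must be in every cover of size n:
    # leaving it out would force all of its > n neighbours into the cover.
    forced = {v for v, d in degree.items() if d > n}
    k = len(forced)
    if k > n:
        return None  # more forced vertices than the budget allows
    kernel = [(u, v) for u, v in edges if u not in forced and v not in forced]
    # In a yes-instance the n - k remaining cover vertices each have degree
    # at most n, so G' can have at most n^2 edges; otherwise answer 'no'.
    if len(kernel) > n * n:
        return None
    return kernel, k


def has_vertex_cover(edges, size):
    """Brute-force decision procedure; only meant for small graphs."""
    if size < 0:
        return False
    vertices = sorted({v for e in edges for v in e})
    if size >= len(vertices):
        return True
    for cover in combinations(vertices, size):
        chosen = set(cover)
        if all(u in chosen or v in chosen for u, v in edges):
            return True
    return False


def solve_via_kernel(edges, n):
    """Decide (G, n) by compressing first and solving only the kernel G'."""
    compressed = kernelize_vertex_cover(edges, n)
    if compressed is None:
        return False
    kernel, k = compressed
    return has_vertex_cover(kernel, n - k)


if __name__ == "__main__":
    for budget in (1, 2, 3):
        print(budget, kernelize_vertex_cover(SAMPLE_EDGES, budget),
              solve_via_kernel(SAMPLE_EDGES, budget),
              has_vertex_cover(SAMPLE_EDGES, budget))
```

With budget 3 the kernel is the triangle with budget 2 (a yes-instance, matching the cover {0, 21, 22} of the original graph); with budget 2 the kernel is the same triangle with budget 1, which is a no-instance; with budget 1 the kernel has more than n² edges and the algorithm answers no without solving anything.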
What have we learned?
Some interesting languages have non-trivial compression. But…
• An instance of Vertex Cover has a small core (kernel) that contains all the hardness of the problem.
• This is not necessarily true for other NP problems.
• Compression of one NP-complete problem does not imply compression for all of NP.
• Clique, Dominating Set?
• The Karp reductions used for deriving NP-completeness do not preserve the length of the witness.
• The new witness may be polynomial in m (not n).
• Related to the parameterized complexity of Vertex Cover; related notions are investigated there.
Collision Resistant Hash
• A collection of collision resistant hash functions (CRH) is a family H of length-reducing hash functions s.t. for a random h ∈ₚ H it is hard (for all PPTM) to find a collision: a pair x ≠ x’ s.t. h(x)=h(x’).
• Efficiency:
• Can sample h ∈ₚ H (private/public coins)
• Can evaluate h(x) given h and x
• Compression by 1 bit is equivalent to compression by any polynomial factor.
• Wide range of cryptographic applications:
• Signatures [Merkle, Damgård]
• Strong Commitments [NY89] [DPP91]
• Low Communication Protocols and CS Proofs [K92, M94, B01]
One-way functions
• Current status of CRH in practice:
• For both SHA-1 and MD5: serious weaknesses discovered
• NIST workshop following Crypto 2006
• Related to the theoretical difficulties of showing equivalence between OWFs and CRHs??
• One-way function (OWF) f: easy to compute but hard to invert.
• f(x) computable in poly-time
• No PPTM can find an inverse to y=f(x) for a random x
• OWFs are the most fundamental building block in computationally based crypto.
• Necessary for most crypto tasks.
• Sufficient for many others (shared key encryption).
CRH and OWFs:
• (Existence of) CRHs implies (existence of) OWFs
• But: OWF not known to imply CRH
• No “black box” construction of CRH from OWF [Simon98]
CRH from OWF
Theorem: There exists a language L (e.g. SAT, Clique…) s.t. if there is an errorless compression of L then there exists a construction of CRH from any OWF.
Overview of the construction:
• Choose a hash function g from a naive hash family, with no computational hardness guarantees.
• The selection function: g defined by a position i, gᵢ(x) = x[i] (x is an m-bit string).
• The new hash function h: a commitment to i.
• Output of h: a compression of the formula “gᵢ(x) = 1”.
Intuitively: finding a collision requires guessing i.
Commitment Schemes
• Commit phase: the sender, holding a value i, sends a commitment string s to the receiver.
• Reveal phase: the sender sends i and a reveal string v; the receiver runs the reveal verification algorithm on (s, v, i) and outputs yes/no.
• Hiding: a computationally bounded receiver learns nothing about the value i.
• Binding: s can only be “opened” to the value i.
• Commitments can be based on any OWF [N89], [HILL90].
Assume one-way functions on n bits are hard.
CRH from OWF?
• Theorem: There exists a language L s.t. if there is an errorless compression of L then there exists a construction of CRH from any OWF.
String s is a commitment to an index i ∈ [m].
• For 1 ≤ j ≤ m: the formula C_{j,s,x} is satisfiable iff s is a commitment to j and x[j]=1.
• Formula C_{s,x}: the OR of all C_{j,s,x}. C_{s,x} is satisfiable iff x[i]=1.
• Can generate C_{j,s,x} without knowing the value i: apply Cook’s theorem to the reveal verification algorithm.
• C_{s,x} is the OR of m formulas, each of size poly(n).
• Instance size: m·poly(n)
• Witness size: an opening of the commitment, poly(n).
CRH from OWF... from m·poly(n) to m-1 bits
• Z: a compression algorithm for the formula C_{s,x}; takes as input a formula C and outputs some string.
• An h ∈ H is described by a commitment s: h_s(x) = Z(C_{s,x}).
• h_s is indeed shrinking, due to the compression.
• Let x ≠ x’ be s.t. h_s(x) = h_s(x’).
• If s is a commitment to i then x(i)=x’(i).
• If x and x’ differ in the jth bit, then conclude that s is not a commitment to the value j!!
• An adversary that finds a collision x ≠ x’ can therefore deduce information about i, contradicting the hiding of the commitment.
• The construction is inherently non-black-box: it uses the code of the verification of the commitment.
• The compressed problem is never actually solved…
Which languages suffice for hashing?
• For a language L, OR(L) is {x₁, x₂, …, xₘ | there exists 1 ≤ i ≤ m s.t. xᵢ ∈ L}.
• If it is possible to compress OR(SAT) for CNF formulas on n variables and size poly(n), then we get the CRH construction.
• Claim: this is no harder than compressing CNF formulas of m clauses on n variables.
• Claim: compressing Clique(m,n) suffices for CRH.
A complexity study of the relative hardness of compression: VC₀ ⊆ VC₁ ⊆ VC₂ ⊆ … ⊆ VC = NP, a hierarchy based on the complexity of verification after preprocessing (VC₀ = the compressible languages).
Witness Retrievability
• Suppose instance x ∈ L with witness w_x.
• The compressed instance y=Z(x) has witness w_y to y ∈ L’.
A compression algorithm is witness retrievable if it is possible to obtain w_y in poly-time from y and w_x.
• Observation: almost all `natural’ compression schemes are witness retrievable, or can easily be converted.
Witness Retrievability
Theorem: There exists a language L such that if there is a witness retrievable compression of L then Minicrypt = Cryptomania.
It is possible to construct Oblivious Transfer and PIR protocols from any one-way function.
• OT is complete for Secure Computation!
• General framework that captures many cryptographic tasks: public key crypto, auctions, voting, e-commerce…
Impagliazzo and Rudich (89) proved: no black box construction of OT from OWF.
Limitations of Witness Retrievability
Theorem: if one-way functions exist, then there is no witness retrievable compression for SAT.
Idea: compression of SAT allows low bandwidth broadcast encryption.
• A center and m users connected via a broadcast channel.
• Users are given individual keys.
• The center can transmit to any “privileged” subset of the m users.
• The non-privileged users cannot reconstruct the original message using their assigned keys.
• Lower bound on encrypted message length: since it is possible to reconstruct precisely the subset whp, the ciphertext is at least m bits.
Broadcast Encryption and SAT Compression
• m pairs of commitments to ‘1’, one pair per user: ⟨s₁⁰, s₁¹⟩, ⟨s₂⁰, s₂¹⟩, …, ⟨sₘ⁰, sₘ¹⟩
• Key for user i: the reveal strings for the ith pair of commitments to ‘1’: ⟨v₁⁰, v₁¹⟩, ⟨v₂⁰, v₂¹⟩, …, ⟨vₘ⁰, vₘ¹⟩
• To broadcast a single bit b to a subset T ⊆ [m]:
• Choose the corresponding commitments {sᵢᵇ | i ∈ T}
• Construct the formula for (T, b): at least one commitment sᵢᵇ is to ‘1’
• Broadcast the compression under Z of this formula
• For i ∈ T to decrypt: see whether vᵢᵇ yields a witness for the compressed formula
Claim: if the compression is perfect, then vᵢᵇ
• for i ∈ T yields a witness
• for i not in T does not yield a witness
Everlasting Security
• Common to many cryptographic schemes: they leave a fingerprint that in the future can reveal private information.
• Adi Shamir: existing public-key schemes with current key lengths are likely to be broken in less than 30 years! [RSA conference ’06]
• Michael Rabin’s term: everlasting security.
• After a certain period of time, the adversary’s actions will not affect the protected entities.
• Things not done `online’ by the adversary will not influence the security.
• Relevant:
• bounded storage model
• forward secure storage [Dziembowski]
Claim: incompressibility is essential for achieving efficiency in these settings.
Compression and the Bounded Storage Model (Everlasting Security)
• The Bounded Storage Model (BSM) bounds the storage space of an adversary rather than its running time.
• Two settings:
• Parties share a secret key: very efficient encryption.
• No key is shared: honest parties need very high memory requirements (square root of the space the adversary has).
• Suggestion: a hybrid BSM model, adding a (temporary) bound on the running time of the adversary, and using this to exchange an initial secret key.
• Dziembowski and Maurer [DM04]: there exists a hybrid scheme made of secure components that is insecure.
Theorem: If OR(SAT) is compressible then the hybrid model is no more powerful than the standard BSM.
• All such schemes are insecure.
• Alternatively: one cannot prove that a hybrid scheme is secure without proving (or assuming) the incompressibility of many interesting languages.
Discussion & Open problems
• Given CNF formulae φ₁ and φ₂ on the same variables (not necessarily with short witnesses), come up efficiently with a CNF formula φ that is:
• Satisfiable if and only if φ₁ ∨ φ₂ is satisfiable
• Shorter than |φ₁|+|φ₂|, and sufficiently short to apply recursively: (1-ε)(|φ₁|+|φ₂|)
Due to the impossibility results for SAT witness retrievable compression: a witness for either φ₁ or φ₂ cannot efficiently yield a witness for φ.
• If impossible, hope for:
• Hybrid Bounded Storage
• Derandomization [Dubrov-Ishai]
• Forward-secure storage [Dziembowski]
• If possible:
• CRH
• OT
Discussion & Open problems
• The topic must be studied; it has too many interesting implications/applications to be ignored.
• Many open questions:
• Where is the line between compressible and not? Somewhere in the low VC’s?
• What about incompressibility?
• Dubrov & Ishai: a certain notion of incompressibility yields results in derandomization.
• How to have an efficient falsifiable assumption?
• Additional directions:
• Other natural classifications? Connection to previous classifications?
• A natural complete problem for VC₁?
• Does error-prone compression imply CRH?
Thank You.
Full paper: www.wisdom.weizmann.ac.il/~naor/PAPERS/compressibility.html
Compressed version in FOCS 2006
GapSAT and Some Speculation
• GapSAT, a promise problem. Input: a CNF formula (m clauses, n variables) that is either:
• Satisfiable, or
• Any assignment satisfies at most a 1-1/(2n) fraction of the clauses.
• Compression for GapSAT: choose a random subset of O(n²) of the clauses.
• With high probability this maintains the satisfiability of the original problem.
• Idea: use the PCP theorem: instance of SAT → (PCP) → instance of GapSAT → (compress) → compressed instance.
• The problem: the PCP reduction creates many new variables (poly(m, n)). The witness is no longer short!
• Challenge: gap amplification without introducing many new variables.
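The sampling compression for GapSAT, as an added example that is not part of the original talk. It assumes clauses written as tuples of signed integers (DIMACS style), a constructed gap instance built from every 2-literal clause over n variables (each assignment falsifies exactly one clause per variable pair, so it satisfies exactly a 3/4 fraction, inside the gap for n ≥ 2) padded by repetition to many clauses, and a sample size of c·n² with a constant c chosen here; `failure_bound` is the union bound over all 2ⁿ assignments of the chance that a sample misses every falsified clause. A subset of a satisfiable formula is always satisfiable, so the only failure mode is an unsatisfiable instance whose sample happens to be satisfiable, which the bound controls.

```python
import random
from itertools import combinations, product


def all_two_clauses(n):
    """Constructed gap instance: every 2-literal clause over variables 1..n.
    Literal +v means 'v is true', -v means 'v is false'."""
    clauses = []
    for a, b in combinations(range(1, n + 1), 2):
        for sa, sb in product((1, -1), repeat=2):
            clauses.append((sa * a, sb * b))
    return clauses


def clause_satisfied(clause, bits):
    """bits[v-1] is the truth value of variable v."""
    return any((lit > 0) == bits[abs(lit) - 1] for lit in clause)


def is_satisfiable(clauses, n):
    """Brute force over all 2^n assignments; fine for the tiny n used here."""
    return any(all(clause_satisfied(cl, bits) for cl in clauses)
               for bits in product((False, True), repeat=n))


def max_satisfied_fraction(clauses, n):
    """Largest fraction of clauses any single assignment satisfies."""
    best = 0.0
    for bits in product((False, True), repeat=n):
        sat = sum(1 for cl in clauses if clause_satisfied(cl, bits))
        best = max(best, sat / len(clauses))
    return best


def compress_gapsat(clauses, n, c, seed):
    """The slide's compression: keep a uniformly random subset of c*n^2
    clauses (without replacement).  The seed makes the run reproducible."""
    k = min(len(clauses), c * n * n)
    return random.Random(seed).sample(clauses, k)


def failure_bound(n, k):
    """Union bound: for an unsatisfiable gap instance every assignment
    falsifies at least a 1/(2n) fraction, so a sample of k clauses is
    satisfiable with probability at most 2^n * (1 - 1/(2n))^k."""
    return (2 ** n) * (1 - 1 / (2 * n)) ** k


N = 4
# 24 distinct clauses repeated 50 times: m = 1200 clauses on 4 variables.
UNSAT_INSTANCE = all_two_clauses(N) * 50
# Dropping every clause the all-true assignment falsifies gives a
# satisfiable instance on the same variables.
SAT_INSTANCE = [cl for cl in UNSAT_INSTANCE if cl[0] > 0 or cl[1] > 0]
C = 8  # sample size c * n^2 = 128 of the 1200 clauses

if __name__ == "__main__":
    print("max fraction of UNSAT instance:", max_satisfied_fraction(all_two_clauses(N), N))
    print("union-bound failure probability:", failure_bound(N, C * N * N))
    small = compress_gapsat(UNSAT_INSTANCE, N, C, seed=2006)
    print(len(small), "clauses kept; satisfiable?", is_satisfiable(small, N))
    print("compressed SAT instance satisfiable?",
          is_satisfiable(compress_gapsat(SAT_INSTANCE, N, C, seed=2006), N))
```

The constructed instance sits well inside the gap (3/4 versus the required 1 - 1/8), so the actual miss probability is far below the generic bound; the bound is what the slide's "with high probability" refers to, and it is the quantity to check before trusting a sample size for a given n.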
On Compression of search problems
• Decision problem: does there exist a witness to x ∈ L?
• Search problem: find a witness to x ∈ L (if it exists).
• Compression for search: Z(x) contains the information regarding a witness to x ∈ L.
Theorem: If there exists compression for (decision) problems in a class C, then there exists compression for the corresponding search problems in C.
Complexity Study
• Want to know which problems can be compressed.
• For crypto `positive’ applications (CRH, OT): want to know which problems are sufficient.
• Can we use the compressibility of Vertex Cover?
• If Clique is compressible, is it good enough?
• For crypto `negative’ applications (Hybrid Bounded Storage, Derandomization [Dubrov-Ishai], Forward-secure storage [Dziembowski]): for which problems is it reasonable to assume incompressibility?
• What about other types of problems: search, counting…
• What can a compression algorithm look like?
Compressible languages
A variety of techniques allow compression:
• L ∈ P: trivial
• Vertex Cover, Minimum Fill-in: find a small core (related to parameterized complexity)
• Sparse languages (PRG output): hashing
• Sparse Subset Sum: hashing
• GapSAT: sampling
Call this class VC₀.
W-Reductions and Compression
• The classical NP classification does not suffice for compression.
• Similar to other approaches for dealing with NP-hard problems (approximation, parameterized complexity etc.), new classifications are introduced.
• Key to the classification is the type of reduction used.
• Definition: L W-reduces to L’ if there exists a polynomial time algorithm R and a polynomial p(·,·) such that for an instance x of L with parameters m, n:
• R(x) ∈ L’ iff x ∈ L
• If R(x) ∈ L’ then it has a witness of length at most p(n, log m).
• Matching notions of compression-complete and compression-hard languages for a class C.
Claim: If L W-reduces to L’ and L’ has a compression algorithm then L has a compression algorithm.
The VC classification
• Aim: a classification of NP with respect to compression; an indication of which languages are potentially easier/harder to compress.
• The VC (Verification Complexity) classification:
• The verification algorithm of a language plays a central role in the classification.
• “Verification”: the verification algorithm running on the instance after a preprocessing stage (input → preprocessing → verification algorithm, given the witness → yes/no).
The VC Classification
• VCₖ for k ≥ 2: languages that have “verification” in depth k, i.e. representable as a depth-k (unbounded fan-in) circuit.
• VC₁: languages that have local “verification”: read only poly(n, log m) locations of the instance. The moral equivalent of sublinear.
• VC₀: all compressible languages.
• VC = VCₘ (= NP).
• Why depth? There is a tradeoff between depth and the number of variables:
• The standard technique (Cook’s theorem) can reduce the depth of a verification circuit by adding new variables.
• Reducing depth without adding many variables would entail a collapse in the hierarchy.
• Local verification yields natural families:
• Graph embedding problems: does a large graph have a small graph embedded in it? Includes Clique, long cycle, etc.
• Small Subset-Sum: is there a small subset that adds up to a target number?
Claim: VC₀ ⊆ VC₁ ⊆ VC₂ ⊆ … ⊆ VC. The only non-trivial fact is VC₁ ⊆ VC₂.
One more class: VC_OR
• OR(CircuitSAT):
• Input: m circuits C₁, …, Cₘ, each of size n
• Membership: at least one has a satisfying assignment
• VC_OR: “verification” by an instance of OR(CircuitSAT)
• Complete problems: the OR of any NP-complete language is compression-complete for VC_OR, e.g. OR(3-SAT), OR(Clique), etc.
• Claim: Clique is compression-hard for VC_OR.
• Compression of a language that is compression-hard for VC_OR suffices for the crypto applications! E.g. OR(3-SAT), SAT, Clique…
Claim: VC₀ ⊆ VC_OR ⊆ VC₁
The VC classification
Possibilities for the hierarchy:
• If there is no compression of complete languages: a full hierarchy.
• Compression of a compression-complete language collapses everything from that point down to VC₀.
• A collapse of VCₖ₊₁ to VCₖ does not necessarily entail further collapse.
• The main question: where is the border between compressible and not?
The Minicrypt = Cryptomania question
“Minicrypt = Cryptomania?” is the most important problem in complexity and cryptography where
• We do not know the answer
• There is a good chance to resolve it in the near future
Omer Reingold: NL = L is a contender for the title.
A more refined view
• Cryptomania: Trapdoor Permutations, IBE, PIR, CCA-Secure PKE, OT, Secure MPC, Secret Key Exchange, Public Key Encryption (2 rounds)
• Minicrypt: Shared-key Encryption and Authentication, Signature Scheme, One-way functions, Computational Pseudorandomness, ZK Proofs for all of NP, Commitment scheme, Coin flipping, Efficient online memory checking, UOWHFs
Separating the worlds
(The same two worlds: Cryptomania with Trapdoor Permutations, PIR, CCA-Secure PKE, OT, Secure MPC, Public Key Encryption, SKE; Minicrypt with Shared-key Encryption and Authentication, Signature Scheme, One-way functions, Computational Pseudorandomness, ZK Proofs for all of NP, Commitment scheme, Coin flipping, Efficient online memory checking, UOWHFs.)
Impagliazzo and Rudich 1989: there is no black-box construction of OT from OWF.
Recent RSA Cryptographers Panel, Feb 2006
• Adi Shamir’s prediction: no existing public-key cryptosystem will survive 30 years from now.
• Martin Hellman: very little genetic diversity in public-key cryptosystems.
• RSA and Diffie-Hellman: 1970’s
• Elliptic curves: 1980’s
Should add: lattice based schemes.
Oblivious Transfer
• Impagliazzo (95) describes 5 possible worlds based on different computational assumptions.
• The top two worlds:
• Minicrypt: OWFs exist, some of crypto is possible (shared key encryption, commitments, signatures…)
• Cryptomania: Oblivious Transfer (OT) exists, almost anything is possible.
• OT protocol (Alice holds s₀, s₁; Bob holds a choice bit c):
• Bob gets s_c.
• Bob doesn’t learn s₁₋c.
• Alice does not learn c.
• OT is complete for Secure Computation!
• General framework that captures many cryptographic tasks (e.g. public key crypto, auctions, voting, e-commerce…)
• OWFs are not known to imply OT.
• Impagliazzo and Rudich (89) prove that there is no black box construction of OT from OWF.
OT from OWF?
Theorem: There exists a language L (e.g., SAT, Clique…) such that if there is a witness retrievable compression of L then Minicrypt = Cryptomania.
• Suppose instance x ∈ L with witness w_x.
• The compressed instance y=Z(x) has witness w_y to y ∈ L’.
• Compression is witness retrievable if it is possible to obtain w_y in poly-time from y and w_x.
OT from OWF?
• Theorem: There exists a language L such that if there is a witness retrievable compression of L then Minicrypt = Cryptomania.
Proof:
• Construct a Private Information Retrieval (PIR) protocol. PIR implies OT [DMO00].
• Input: database x of m bits.
• Given a commitment s to an index i ∈ [m], define the circuit C_{s,x} as in the CRH case:
• C_{s,x} is satisfiable iff x(i)=1
• C_{s,x} is the OR of m circuits, each of size n
PIR protocol:
• Alice holds an m-bit database x ∈ {0,1}ᵐ.
• Bob holds an index i ∈ [m].
• Bob learns x(i).
• Alice does not learn i.
• Total communication is less than m bits!
OT from OWF, cont.
• Theorem: There exists a language L such that if there is a witness retrievable compression of L then Minicrypt = Cryptomania.
Proof:
• Bob creates a commitment s to his choice index i ∈ [m] and sends s to Alice.
• Alice generates the circuit C_{s,x} based on x and s.
• Alice sends Z(C_{s,x}) to Bob.
• Z(C_{s,x}) contains the information about the bit x(i).
• Bob can retrieve it using the witness retrieval property.
• Security:
• Bob’s i is hidden by the commitment.
• Total communication is low.
Generates a 2-message PIR: sufficient also for Public Key Encryption from any OWF!