1 / 12

COS 433: Cryptography

COS 433: Cryptography. Princeton University Fall 2005 Boaz Barak. Lecture 3: Computational Hardness. “Impatient Cryptography”. Last Lecture: Simple algorithm (~10 lines of C code) to break every encryption with key-length < message-length.

maille
Download Presentation

COS 433: Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 3: Computational Hardness

  2. “Impatient Cryptography” • Last Lecture: Simple algorithm (~10 lines of C code) to break every encryption with key-length < message-length. • Caveat: Takes roughly 2key length steps to run. • For 1KB key will take more than galaxy’s lifetime to finish. • This holds even if we run in parallel one processor for each atom of the universe each running in light speed. • Encryption that takes this long to break seems to provide “pretty good privacy”.

  3. Measuring Computational Steps • Church-Turing thesis: every physically feasible computation can be described roughly as follows • memory in initial state • Step 1 • Step 2 • Step i • Step i+1 • Final state • s Bit in state i+1 depends on constant (e.g. 3) bits of state i. • t • Captures every computer or other computing device ever built, including human brain. • W.l.o.g, each bit depends on · 2 bits, using either Æ, Ç or : functions. • We call this a t¢s –sized Boolean circuit.

  4. Computational Hardness • Fact 1:8f:{0,1}n{0,1}n, 9 n22n-sized Boolean circuit C s.t. C computes f. • Def: Let f:{0,1}n{0,1}m be a function. We say that f is (T,)-hard if for every T-sized circuit C • Prx{0,1}n [ C(x) = f(x) ] <  • We know: If f:{0,1}n{0,1}n then f can’t be (n22n,1)- hard and can’t be (T,0)-hard for any T (where T>n). • Thm:8n, there exists a function f:{0,1}n {0,1}n that is (2n/10,2-n/10)-hard

  5. Asymptotic Hardness • 1 n<106 • 1/3 • Examples:h(n) = 2n , h(n)=nlog n , h(n) = 2n , h(n) = • 2n n¸106 • Def: Let f:{0,1}n{0,1}m be a function. We say that f is (T,)-hard if for every T-sized circuit C • Def: A function h:NN is super-polynomial if 8 polynomial q(¢), 9n s.t. h(n)>q(n). • Prx{0,1}n [ C(x) = f(x) ] <  • In other words h(n)=n(1). • Def: Let { fn } be family of functions, where fn:{0,1}n{0,1}n . We say that { fn } is hard if 9 super-poly h(¢) s.t. for every n, fn is (h(n) , 1/h(n) ) –hard. • We know: There exists a hard family of functions.

  6. Asymptotic Easyness • Def: Let { fn } be family of functions, where fn:{0,1}n{0,1}n . We say that { fn } is hard if 9 super-poly h(¢) s.t. for every n, fn is (h(n) , 1/h(n) ) –hard. • Def: Let { fn } be family of functions, where fn:{0,1}n{0,1}m . We say that { fn } is in the class P/poly if 9 polynomial q(¢) and circuit family { Cn } s.t.8n |Cn| · q(n) and • 8 x 2 {0,1}n , C(x) = f(x) • If the family {Cn} is uniform then { fn } is in the class P. • We say that a circuit family {Cn} is uniform if there’s a (constant-size) Turing machine that on input n,i outputs the ith gate of Cnin · |Cn|2 steps.

  7. World View Hard function families • All function families Mildly hard func. families • P/poly-easy for poly-size circuits • P-easy for poly-size uniform circuits

  8. Functions Known to be in P • Arithmetic functions: f1(a,b) = a+b , f2(a,b) = a¢ b , etc.. • (elementary school algorithms) • GCD(a,b) = largest c s.t. c|a , c|b • Arithmetic mod n: f1(a,b,n) = a+b (mod n) , f2(a,b,n) = a¢ b (mod n) • Inverse(a): If GCD(a,n)=1 find a-1 (mod n) • EXP(a,b) = ab (mod n) • Maximal Ind. Set: Given graph G(V,E), we say that Sµ V is independent if 8 u,v 2 S , (u,v) E. Find S s.t. forall v S , S[{ v } is not independent.

  9. Functions Believed Outside of P/poly • Factoring: f1(a) = prime factors of a • 1/3 • (can be computed in time 2|a|, even in 2|a| ) • Believed to be a hard function family • Maximum Ind. Set: Given graph G(V,E), find S of maximum size s.t. S independent (i.e., 8u,v2 S, (u,v) E) • 3SAT: Given 3CNF Boolean formula  on n variables, find (if exist) x1,…,xn such that (x1,…,xn) is true. • = (x1Ç: x7Ç x9) Æ (: x2Ç x9Ç: x12) Æ … Æ (x1Ç x2Ç x100) • For all these functions, it is easy to verify a given solution. • Such functions are in the class NP • If either max-ind-set or 3SAT is in P/poly then every problem in NP is in P/poly • Such functions are called NP-complete

  10. Proving NP - Completeness • Maximum Ind. Set: Given graph G(V,E), find S of maximum size s.t. S independent (i.e., 8u,v2 S, (u,v) E) • 3SAT: Given 3CNF Boolean formula  on n variables, find (if exist) x1,…,xn such that (x1,…,xn) is true. • = (x1Ç: x7Ç x9) Æ (: x2Ç x9Ç: x12) Æ … Æ (x1Ç x2Ç x100) • If either max-ind-set or 3SAT is in P/poly then every problem in NP is in P/poly • This is proven using a reduction. For example. • Thm: Assume that 9 poly(n) circuit family for IND-SET. Then 9 poly(n) circuit family for 3SAT. Circuit to compute 3SAT Circuit to compute IND-SET  G S x

  11. World View Hard function families • All function families Mildly hard func. families Factoring • P/poly-easy for poly-size circuits • P-easy for poly-size uniform circuits 3SAT, Ind-SET, NP-Complete add, mult, GCD, EXP, maximal IS

  12. Randomization • Possible objection to our model: Can circuits get more power by tossing coins? • Input • Probabilistic circuit • Output • Random bits • In this context, answer is NO. • Thm: If f:{0,1}n{0,1}m is (T,)-hard for standard (deterministic) circuits, then it is (T/10,)-hard for probabilistic circuits.

More Related