On the Compressibility of NP instances and Cryptographic Applications, - PowerPoint PPT Presentation

About This Presentation
Title:

On the Compressibility of NP instances and Cryptographic Applications,

Description:

Commitment Schemes Hiding: A ... v21i, , hvm0, vm1 i To broadcast a single bit b to a subset T [m] Choose corresponding ... (Quantum computers?) New ... – PowerPoint PPT presentation

Number of Views:69
Avg rating:3.0/5.0
Slides: 51
Provided by: 8027
Category:

less

Transcript and Presenter's Notes

Title: On the Compressibility of NP instances and Cryptographic Applications,


1
On the Compressibility of NP instancesand
Cryptographic Applications,
  • Moni Naor

Danny Harnik
Weizmann Institute of Science
Technion
2
Key Idea of Cryptography
  • Use the intractability of some problems for the
    advantage of constructing secure systems

Almost any cryptographic task provably requires
using this idea. Large research effort devoted
to studying the relationship between cryptography
and complexity Cryptography and Complexity a
match made in heaven
3
This talk
  • Connections between
  • Complexity
  • Cryptography
  • (A new kind of) Compressibility

4
Maybe I can approximate it
Could we just postpone it ?
I cant find an algorithm for the problem
Solve it for some fixed parameters
Find an algorithm that usually works?
  • Approaches for dealing with NP-complete problems
  • Approximation algorithms
  • Sub-exponential time algorithms
  • Parameterized complexity
  • Average case complexity
  • Save it for the future

Garey and Johnson, 1979
5
Compressing Instances
Do not require that x can be restored from Z(x) !
  • Rather than solving a problem, we are interested
    in compressing it to be solved sometime in the
    future.
  • Compression should be answer preserving rather
    than input preserving.
  • To compress a language L need efficient
    algorithm Z and a language L such that
  • Z(x) ? L iff x ? L
  • Z(x) ltlt x

L
L
z
6
Why deal with compression?
  • Compression allows storing problems succinctly to
    be resolved in a future setting
  • The future may introduce new and faster
    technologies (Quantum computers?)
  • New algorithms (maybe PNP??)
  • Lots of time in the future
  • Our actual motivation powerful implications of
    compression for cryptography.
  • Both positive and negative

Bandwidth to the future
7
Talk overview
  • Introduce and define compression of NP instances.
  • Example of compression Vertex Cover
  • Motivation
  • Cryptographic applications
  • Collision Resistant Hashing from One-way
    Functions
  • Complexity study of compression
  • Witness Retrievability
  • OT from one-way functions
  • Impossibility
  • Everlasting Security and Compression
  • Open Problems

8
General Impossibility
  • If P?NP then cannot hope to have a general
    compression
  • Given CNF formula ? of size m hard to come up
    with an equivalent formula ? that is much shorter
  • Otherwise would be possible to apply compression
    recursively on ? until can solve exhaustively
  • Deal with NP languages with relatively short
    witnesses

9
Compressing NP Instances Definition
  • NP languages with short witnesses - two
    parameters considered
  • m Instance length
  • n Witness length
  • For every x of length m, if x ? L then it has a
    witness of length n.
  • The interesting case n ltlt m and n not too small
  • Example satisfiability of CNF formula of m
    clauses on n variables
  • Compression for L an efficient algorithm Z, a
    polynomial p(, ) and a language L such that
    for every x of length m
  • Z(x) ? L iff x ? L
  • Z(x) lt p(n,logm)

L
L
10
Notes on the Definition
  • Compression for L an efficient algorithm Z a
    polynomial p(, ) and a language L such that
    for every x of length m
  • Z(x) ? L iff x ? L
  • Z(x) lt p(n,logm)
  • Length of Z(x) is dominated by witness length
  • potentially, Z(x) can be significantly shorter
    than x.
  • Why p(n, log m)? This may be relaxed
  • For complexity study log m may be replaced by any
    sub-polynomial function of m
  • For some applications a compression of m1-e
    suffices.
  • Definition is only interesting when n ltlt m
  • E.g. 3-SAT is not an interesting problem for
    compression

11
Example Vertex Cover
  • Input a graph G(V,E)
  • Question Is there a subset of n vertices that
    covers every edge in E.
  • Parameters (up to a logV factor)
  • m E
  • n size of cover

m - Instance size n - Witness size
12
Vertex Cover of size n in graph of size m
  • Compression algorithm
  • Remove all vertices that have more than n
    neighbors
  • suppose k vertices were removed.
  • If there are more than n2 edges left then answer
    no.
  • Else store the remaining graph G (of size at
    most n2) and the number k
  • Language L for compressed instance - vertex
    cover with size n n - k

Such a vertex must be in the cover
  • Correctness
  • If a cover exists in original graph, then in G
  • Every edge is covered by one of n vertices.
  • Every vertex has degree n
  • G has no more than n2 vertices
  • Essentially the same witness

13
What have we learned?
  • Some interesting languages have non-trivial
    compression
  • But
  • Instance of Vertex Cover has a small core
    (kernel) that contains all the hardness of the
    problem.
  • Not necessarily true for other NP problems.
  • Compression of one NP-complete problem does not
    imply compression for all of NP.
  • Clique, Dominating Set?
  • The Karp reductions used for deriving
    NP-completeness do not preserve the length of the
    witness.
  • New witness may be polynomial in m (not n).
  • Related to the parameterized complexity of vertex
    cover.
  • Related notions investigated there

14
Talk overview
  • Introduce and define compression of NP instances.
  • Example of compression Vertex Cover
  • Motivation
  • Cryptographic applications
  • Collision Resistant Hashing from One-way
    Functions
  • Complexity study of compression
  • Everlasting Security and Compression
  • Witness Retrievability
  • OT from one-way functions
  • Impossibility
  • Open Problems

15
Collision Resistant Hash
For all PPTM
Length reducing functions
  • A collection of collision resistant hash
    functions (CRH) is
  • a family H of hash functions s.t. for a random
    h?RH it is hard to find a collision.

A pair x?x s.t. h(x)h(x)
  • Efficiency
  • Can sample h?RH
  • Private/Public coins
  • Can evaluate h(x)
  • given h and x

Compression by 1 bit ?Compression to any poly
factors .
Wide range of cryptographic applications Signatur
es Merkle, Damgard Strong Commitments NY89
DPP91 Low Communication Protocols and CS Proofs
K92,M94,B01)
16
One-way functions
  • One-way function (OWF) f easy to compute but
    hard to invert.
  • f(x) computable in poly-time
  • No PPTM can find an inverse to yf(x) for a
    random x
  • OWFs are the most fundamental building block in
    computationally based crypto.
  • Necessary for most crypto tasks.
  • Sufficient for many others (shared key
    encryption).
  • Current Status of CRH in Practice
  • For both SHA-1 and MD5 serious weaknesses
    discovered
  • NIST Workshop following Crypto 2006
  • Related to the theoretical difficulties of
    showing equivalence between OWFs and CRHs??
  • CRH and OWFs
  • (existence of) CRHs implies (existence of) OWFs
  • But OWF not known to imply CRH
  • No black box construction of CRH from OWF
    Simon98

17
CRH from OWF
E.g. SAT, Clique
  • Theorem There exists a language L s.t. if there
    is an errorless compression of L then there
    exists a construction of CRH from any OWF.
  • Overview of construction
  • Choose a hash function g from a naive hash family
  • with no computational hardness guarantees
  • The selection function
  • g defined by position i. gi(x) xi
  • The new hash function h a commitment to i
  • Output of h a compression of a formula ?
  • ? ? gi(x) 1

m
x
gi
0
0
0
0
1
0
1
1
1
Intuitively finding a collision requires
guessing i.
18
Commitment Schemes
  • Hiding A computationally bounded receiver learns
    nothing about the value i.
  • Binding s can only be opened to the value i.
  • Commitments can be based on any OWF N89,
    HILL90.

i
Commit Phase
Sender
Receiver
s
i
Reveal Phase
Sender
i
Receiver
s, v, i
v
Reveal Verification Algorithm
yes/no
Assume one-way functions on n bits are hard
19
CRH from OWF?
  • Theorem There exists a language L s.t. if there
    is an errorless compression of L then there
    exists a construction of CRH from any OWF.
  • String s is a commitment to an index i?m
  • For 1jm formula Cj,s,x is satisfiable iff s
    is a commitment to j and xj1
  • Formula Cs,x OR of all Cj,s,x
  • ? Cs,x is satisfiable iff xi1

Can Generate Cj,s,x without knowing the value
i Cooks Theorem on the reveal verification
algorithm.
Cs,x is the OR of m formulas each of size
poly(n) Instance size mpoly(n) Witness size
opening of commitment - poly(n).
20
CRH from OWF...
From mpoly(n) to m-1 bits
  • Z - a compression algorithm for formula Cs,x
  • Takes as input a formula C and outputs some
    string
  • An h?H is described by a commitment s
  • hs(x) Z(Cs,x)
  • hs is indeed shrinking due to the compression.
  • Let x?x be s.t. hs(x) hs(x).
  • If s is a commitment to i then x(i)x(i).
  • If x and x differ in the jth bit, then conclude
    that s is not a commitment to the value j!!
  • The construction is inherently non-black-box.
  • Uses the code of the verification of commitment.
  • The compressed problem is never actually solved

OR
An adversary that finds a collision x?x can
deduce information about i contradicting the
hiding of the commitment
21
Which languages suffice for hashing?
  • For language L, OR(L) is
  • x1, x2 xm where there 1 i m s.t. xi 2 L
  • If possible to compress OR(SAT) for CNF formulas
    on n variables and size poly(n),
  • then can get the CRH construction
  • Claim this is no harder than compressing CNF
    formulas of m clauses on n variables
  • Claim compressing Clique(m,n) suffices for CRH
  • A complexity study of the relative hardness of
    compression
  • VC0 ? VC1 ? VC2 ? ? VCNP
  • Hierarchy based on the complexity of
    verification after preprocessing

Compressible
22
Talk overview
  • Introduce and define compression of NP instances.
  • Example of compression Vertex Cover
  • Motivation
  • Cryptographic applications
  • Collision Resistant Hashing from One-way
    Functions
  • Complexity study of compression
  • Witness Retrievability
  • OT from one-way functions
  • Impossibility
  • Everlasting Security and Compression
  • Open Problems

23
Witness Retrievability
  • Suppose instance x ? L with witness wx.
  • The compressed instance yZ(x) has witness wy to
    y ? L.
  • A compression algorithm is witness retrievable if
    it is possible to obtain wy in poly-time from y
    and wx.

Z
Observation almost all natural compression
schemes are witness retrievable Or can easily be
converted
24
Witness Retrievability
  • Theorem There exists a language L such that if
    there is a witness retrievable compression of L
    then
  • Minicrypt Cryptomania
  • It is possible to construct Oblivious Transfer
    and PIR Protocols from any one-way function
  • OT is complete for Secure Computation !
  • General framework that captures many
    cryptographic tasks
  • public key crypto, auctions, voting, e-commerce

Impagliazzo and Rudich (89) proved no black box
construction of OT from OWF.
25
Witness Retrievability
  • Theorem There exists a language L such that if
    there is a witness retrievable compression of L
    then
  • Minicrypt Cryptomania
  • It is possible to construct Oblivious Transfer
    and PIR Protocols from any one-way function
  • OT is complete for Secure Computation !
  • General framework that captures many
    cryptographic tasks
  • public key crypto, auctions, voting, e-commerce

Impagliazzo and Rudich (89) proved no black box
construction of OT from OWF.
26
Limitations of Witness Retrievability
  • Theorem if one-way functions exist, then there
    is no witness retrievable compression for SAT
  • Idea compression of SAT allows low bandwidth
    broadcast encryption
  • A center and m users connected via a broadcast
    channel
  • Users are given individual keys
  • The center can transmit to any privileged
    subset of the m users
  • The non-privileged users cannot reconstruct the
    original message
  • Using their assigned keys
  • Lower bound on encrypted message length
  • Since possible to reconstruct precisely the
    subset whp
  • ciphertext is at least m bits

27
Broadcast Encryption and SAT Compression
  • m pairs of commitments to 1 one pair per user
  • hs10, s11i, hs20, s21i, , hsm0, sm1 i
  • Key for user i reveal string for ith commitment
    to 1
  • hv10, v11i, hv20, v21i, , hvm0, vm1 i
  • To broadcast a single bit b to a subset T ½ m
  • Choose corresponding commitments sibi 2 T
  • Construct formula ?T,b ? at least one commitment
    sib is to 1
  • Broadcast the compression Z(?T,b)
  • For i 2 T to decrypt see whether vib yields
    witness Z(?T,b)
  • Claim if compression is perfect, then vib
  • for i 2 T yields a witness
  • For i not in T does not yields a witness

28
Talk overview
  • Introduce and define compression of NP instances.
  • Example of compression Vertex Cover
  • Motivation
  • Cryptographic applications
  • Collision Resistant Hashing from One-way
    Functions
  • Complexity study of compression
  • Witness Retrievability
  • OT from one-way functions
  • Impossibility
  • Everlasting Security and Compression
  • Open Problems

29
Everlasting Security
  • Common to many cryptographic schemes
  • leave a fingerprint that in the future can reveal
    private information
  • Michael Rabins term everlasting security
  • After a certain period of time, the adversarys
    action will not affect the protected entities
  • Things not done online by the adversary will
    not influence the security
  • Relevant
  • bounded storage model
  • forward secure storage Dziembowski
  • Claim incompressibility is essential for
    achieving efficiency in these setting

Adi Shamir Existing public-key schemes with
current key lengths are likely to be broken in
less than 30 years! RSA conference 06
30
Compression and the Bounded Storage
ModelEverlasting Security
  • The Bounded Storage Model (BSM) bounds the
    storage space of an adversary rather than its
    running time.
  • Two settings
  • Parties share a secret key very efficient
    encryption.
  • No key is shared - honest parties need very high
    memory requirements (square root of the space the
    adversary has).
  • Suggestion A Hybrid BSM model add a
    (temporary) bound on the running time of the
    adversary. Use this to exchange an initial secret
    key.
  • Dziembowski and Maurer DM04 there exists a
    hybrid scheme made with secure components that is
    insecure.
  • Theorem If OR(SAT) is compressible then the
    hybrid model is no more powerful than the
    standard BSM.
  • All such schemes are insecure.
  • Alternatively One cannot prove that a hybrid
    scheme is secure without proving (or assuming)
    the incompressibility of many interesting
    languages.

31
Discussion Open problems
  • Given CNF formulae ?1 and ?2 on same variables
  • (not necessarily with short witnesses)
  • come up efficiently with a CNF formula ? that is
  • Satisfiable if and only if ?1 v ?2 is satisfiable
  • Shorter than ?1?2
  • Due to the impossibility results for SAT witness
    retrievable compression
  • a witness for either ?1 or ?2 cannot efficiently
    yield a witness for ?.

Sufficiently short to apply recursively (1-?)
(?1?2)
  • If impossible, hope for
  • Hybrid Bounded Storage
  • Derandomization Dubrov-Ishai
  • Forward-secure storage Dziembowski
  • If possible
  • CRH
  • OT

32
Discussion Open problems
  • Topic must be studied has too many interesting
    implications/applications to be ignored
  • Many open questions
  • Where is the line between compressible and not?
  • somewhere in the low VCs?
  • What about incompressibility?
  • Dubrov Ishai a certain notion of
    incompressibility yields results in
    derandomization
  • How to have an efficient falsifiable assumption?
  • Additional directions
  • Other natural classification? Connection to
    previous classifications?
  • Natural complete problem for VC1 ?
  • Does error-prone compression imply CRH?

33
Thank You.
Full Paper www.wisdom.weizmann.ac.il/naor/PAPERS
/compressibility.html Compressed version in FOCS
2006
34
GapSAT and Some Speculation
  • GapSAT - a promise problem
  • Input A CNF formula (m clauses, n variables)
    that is either
  • Satisfiable
  • Any assignment satisfies at most a 1-1/(2n)
    fraction of the clauses.
  • Compression for GapSAT choose a random subset of
    O(n2) of the clauses.
  • With high probability maintains the
    satisfiability of the original problem.
  • Idea Use the PCP theorem

Instance of GapSAT
Instance of SAT
PCP
Compressed Instance
Compress
  • The problem the PCP reduction creates many new
    variables (poly(m, n)). The witness is no longer
    short!
  • Challenge gap amplification without introducing
    many new variables.

35
On Compression of search problems
  • Decision problem does there exist a witness to
    x?L?
  • Search problem find a witness to x?L (if it
    exists).
  • Compression for search Z(x) contains the
    information regarding a witness to x?L.
  • Theorem If there exists compression for
    (decision) problems in a class C, then there
    exists compression for the corresponding search
    problems in C.

36
Complexity Study
  • CRH
  • OT
  • Want to know which problems can be compressed
  • For crypto positive applications want to know
    which problems are sufficient
  • Can we use the compressibility of vertex cover?
  • If clique is compressible, it is good enough?
  • For crypto negative applications for which
    problems is it reasonable to assume
    incompressibility?
  • What about other types of problems search,
    counting
  • How can a compression algorithm look like?
  • Hybrid Bounded Storage
  • Derandomization Dubrov-Ishai
  • Forward-secure storage Dziembowski

37
Compressible languages
  • Variety of techniques allow compression
  • L 2 P - trivial
  • Vertex Cover, Minimum Fill-in find a small core
  • Related to parameterized complexity
  • Sparse languages (PRG-output) - hashing
  • Sparse Subset Sum - hashing
  • GapSAT sampling
  • Call the class VC0

38
W-Reductions and Compression
  • Classical NP classification does not suffice for
    compression
  • Similar to other approaches for dealing with
    NP-hard problems
  • approximation, parameterized complexity etc
  • new classifications introduced.
  • Key to classification is the type of reduction is
    used
  • Definition L W-reduces to L if there exists a
    polynomial time algorithm R and a polynomial
    p(.,.) such that for instance x for L with
    parameters m,n
  • R(x) ? L iff x ? L
  • If R(x) ? L then it has a witness of length at
    most p(n,logm).
  • Matching notion of compression-complete and
    compression-hard languages for a class C

Witness
Claim If L W-reduces to L and L has a
compression algorithm then L has a compression
algorithm.
39
The VC classification
  • Aim a classification of NP with respect to
    compression.
  • An indication of which languages are potentially
    easier/harder to compress.
  • The VC classification
  • The verification algorithm of a language plays a
    central role in the classification.
  • Verification the verification algorithm
    running on the instance after a preprocessing
    stage.

Verification Complexity
witness
Verification algorithm
Preproc.
input
Yes/No
40
The VC Classification
  • VCk for k?2 - languages that have verification
    in depth k.
  • VC1 languages that have local verification
    read only poly(n, log m) locations of the
    instance. Moral equivalent of sublinear.
  • VC0 all compressible languages
  • VC VCm ( NP)
  • Why Depth? Tradeoff between depth and of
    variables
  • Standard technique (Cooks theorem) can reduce
    depth of a verification circuit by adding new
    variables.
  • Reducing depth without adding many variables
    would entail a collapse in the hierarchy

Can be represented as a depth k (unbounded
fan-in) Circuit.
  • Local verification yields natural families
  • Graph embedding problems does a large graph
    have a small graph embedded in it. Includes
    Clique, long cycle, etc
  • Small Subset-Sum is there a small subset that
    adds up to a target number.

Only non-trivial fact VC1 ? VC2
Claim VC0 ? VC1 ? VC2 ? ? VC
41
One more class- VCOR
  • OR(CircuitSAT)
  • Input m circuits, each of size n
  • Membership If at least one has a satisfying
    assignment.
  • VCOR verification by an instance of
    OR(CircuitSAT)
  • Complete problems The OR of any NP-complete
    language is compression-complete for VCOR
  • e.g., OR(3-SAT), OR(Clique), etc
  • Claim Clique is compression-hard for VCOR
  • Compression of a language that is
    compression-hard for VCOR suffices for crypto
    apps!
  • E.g. OR(3-SAT), SAT, Clique

Claim VC0 ? VCOR ? VC1
42
Classification
Class Languages / Compression Complete Language Compression-Hard
VC0 P, Sparse languages (PRG-output),Vertex Cover, Minimum Fill-in, GapSAT
VCOR OR(L) (for any L), OR(SAT), languages from crypto applications Clique, Long Path
VC1 Graph Embedding (Clique, Long Path, Long Cycle), Sparse SubsetSum, LocalCircuitSAT
VC2 OR of large CNFs, SAT DS, IP
VC3 Dominating Set (DS), Depth3CircuitSAT
VC4 Weighted SAT, Depth4CircuitSAT

VCO(logn) Integer Programming (IP), XOR(SAT)

VC CircuitSAT
43
The VC classification
  • Possibilities for the hierarchy
  • If no compression of complete languages then a
    full hierarchy.
  • Compression of a compression-complete language
    collapses to VC0 everything from that point
    down.
  • Collapse of VCk1 to VCk does not necessarily
    entail further collapse.
  • The main question where is the border between
    compressible and not?

44
The Minicrypt Cryptomania question
  • Minicrypt Cryptomania? is the most important
    problem in complexity and cryptography where
  • We do not know the answer
  • There is a good chance to resolve it in the near
    future

Omer Reingold NL L is a contender for the title
45
A more refined view
Trapdoor Permutations
IBE
cryptomania
PIR
CCA-Secure PKE
OT
Secure MPC
Secret Key Exchange
Public Key Encryption
2 rounds
minicrypt
Shared-key Encryption and Authentication
Signature Scheme
One-way functions
Computational Pseudorandomness
ZK Proofs for all of NP
Commitment scheme
Coin flipping
Efficient online memory checking
UOWHFs
46
Separating the worlds
Trapdoor Permutations
cryptomania
PIR
CCA-Secure PKE
OT
Secure MPC
Public Key Encryption
SKE
minicrypt
Shared-key Encryption and Authentication
Signature Scheme
One-way functions
Computational Psuedorandomness
Impagliazzo and Rudich 1989 there is no blackbox
construction of OT from OWF.
ZK Proofs for all of NP
Commitment scheme
Coin flipping
Efficient online memory checking
UOWHFs
47
Recent RSA Cryptographers Panel Feb 2006
  • Adi Shamirs prediction no existing Public-key
    Cryptoysystem will survive 30 years from now
  • Martin Hellman very little genetic diversity in
    public-key cryptosystems.
  • RSA and Diffie-Hellman 1970s
  • Elliptic curves 1980s
  • Should add lattice based schemes

48
Oblivious Transfer
  • Impagliazzo (95) describes 5 possible worlds
    based on different computational assumptions.
  • The top two worlds
  • Minicrypt OWFs exist, some of crypto possible
    (shared key encryption, commitments, signatures)
  • Cryptomania Oblivious Transfer (OT) exists,
    almost anything possible.

Cryptomania
Minicrypt
Pessiland
Heuristica
Algoritmica
Cryptomania
Minicrypt
Pessiland
Heuristica
Algoritmica
  • OT protocol
  • Bob gets sc.
  • Bob doesnt learn s1-c.
  • Alice does not learn c.

OT is complete for Secure Computation ! General
framework that captures many cryptographic tasks
(e.g. public key crypto, auctions, voting,
e-commerce)
  • OWFs not known to imply OT
  • Impagliazzo and Rudich (89) prove that there is
    no black box construction of OT from OWF.

c
s0,s1
sc
49
OT from OWF?
E.g., SAT, Clique
  • Theorem There exists a language L such that if
    there is a witness retrievable compression of L
    then
  • Minicrypt Cryptomania
  • Suppose instance x ? L with witness wx.
  • The compressed instance yZ(x) has witness wy to
    y ? L.
  • Compression is witness retrievable if it is
    possible to obtain wy in poly-time from y and wx.

Z
50
OT from OWF?
  • Theorem There exists a language L such that if
    there is a witness retrievable compression of L
    then Minicrypt Cryptomania
  • Proof
  • Construct a Private Information Retrieval (PIR)
    protocol. PIR implies OT DMO00.
  • Input Database x of m bits.
  • Given a commitment s to an index i?m, define
    the circuit Cs,x
  • as in the CRH case
  • Cs,x is satisfiable iff x(i)1
  • Cs,x is the OR of m circuits, each of size n
  • PIR protocol
  • Alice holds m bit database x.
  • Bob holds index i.
  • Bob learns x(i).
  • Alice does not learn i.
  • Total communication is less than m bits!

i?m
x?0,1m
x(i)
51
OT from OWF, cont.
  • Theorem There exists a language L such that if
    there is a witness retrievable compression of L
    then Minicrypt Cryptomania
  • Proof
  • Bob creates a commitment s to his choice index
    i?m. Sends s to Alice.
  • Alice generates the circuit Cs,x based on x and
    s.
  • Alice sends Z(Cs,x) to Bob.
  • Z(Cs,x) contains the information about the bit
    x(i).
  • Bob can retrieve it using the witness retrieval
    property.
  • Security
  • Bobs i is hidden by the commitment
  • total communication is low.

i
x
x(i)
Generates a 2-message PIR Sufficient also
for Public Key Encryption from any OWF!
52
Definitions
  • DepthkCircuitSAT
  • Input a circuit C of depth k
  • size m and n variables (unbounded fanin)
  • Membership If C has a satisfying assignment?
  • LocalCircuitSAT
  • Input
  • a string x of length m
  • a circuit C over nn log m variables.
  • Membership if there exists a list I of n
    location in x such that C(X(I), I) 1

x
k
1?
x
1?
53
Complete problems
  • By Definition
  • For VCk DepthkCircuitSAT, possible to restrict
    top gate to AND.
  • For VC1 LocalCircuitSAT
  • Notable
  • SAT is complete for VC2
  • CircuitSAT is complete for all of VC (NP)
Write a Comment
User Comments (0)
About PowerShow.com