On the Compressibility of NP instances and Cryptographic Applications,

About This Presentation

Title:

On the Compressibility of NP instances and Cryptographic Applications,

Description:

Commitment Schemes Hiding: A ... v21i, , hvm0, vm1 i To broadcast a single bit b to a subset T [m] Choose corresponding ... (Quantum computers?) New ... – PowerPoint PPT presentation

Number of Views:66

Avg rating:3.0/5.0

Slides: 51

Provided by: 8027

Category:

more less

Transcript and Presenter's Notes

Title: On the Compressibility of NP instances and Cryptographic Applications,

1
On the Compressibility of NP instancesand
Cryptographic Applications,

Moni Naor

Danny Harnik
Weizmann Institute of Science
Technion
2
Key Idea of Cryptography

Use the intractability of some problems for the
advantage of constructing secure systems

Almost any cryptographic task provably requires
using this idea. Large research effort devoted
to studying the relationship between cryptography
and complexity Cryptography and Complexity a
match made in heaven
3
This talk

Connections between
Complexity
Cryptography
(A new kind of) Compressibility

4
Maybe I can approximate it
Could we just postpone it ?
I cant find an algorithm for the problem
Solve it for some fixed parameters
Find an algorithm that usually works?

Approaches for dealing with NP-complete problems
Approximation algorithms
Sub-exponential time algorithms
Parameterized complexity
Average case complexity
Save it for the future

Garey and Johnson, 1979
5
Compressing Instances
Do not require that x can be restored from Z(x) !

Rather than solving a problem, we are interested
in compressing it to be solved sometime in the
future.
Compression should be answer preserving rather
than input preserving.
To compress a language L need efficient
algorithm Z and a language L such that
Z(x) ? L iff x ? L
Z(x) ltlt x

L
L
z
6
Why deal with compression?

Compression allows storing problems succinctly to
be resolved in a future setting
The future may introduce new and faster
technologies (Quantum computers?)
New algorithms (maybe PNP??)
Lots of time in the future
Our actual motivation powerful implications of
compression for cryptography.
Both positive and negative

Bandwidth to the future
7
Talk overview

Introduce and define compression of NP instances.
Example of compression Vertex Cover
Motivation
Cryptographic applications
Collision Resistant Hashing from One-way
Functions
Complexity study of compression
Witness Retrievability
OT from one-way functions
Impossibility
Everlasting Security and Compression
Open Problems

8
General Impossibility

If P?NP then cannot hope to have a general
compression
Given CNF formula ? of size m hard to come up
with an equivalent formula ? that is much shorter
Otherwise would be possible to apply compression
recursively on ? until can solve exhaustively
Deal with NP languages with relatively short
witnesses

9
Compressing NP Instances Definition

NP languages with short witnesses - two
parameters considered
m Instance length
n Witness length
For every x of length m, if x ? L then it has a
witness of length n.
The interesting case n ltlt m and n not too small
Example satisfiability of CNF formula of m
clauses on n variables
Compression for L an efficient algorithm Z, a
polynomial p(, ) and a language L such that
for every x of length m
Z(x) ? L iff x ? L
Z(x) lt p(n,logm)

L
L
10
Notes on the Definition

Compression for L an efficient algorithm Z a
polynomial p(, ) and a language L such that
for every x of length m
Z(x) ? L iff x ? L
Z(x) lt p(n,logm)

Length of Z(x) is dominated by witness length
potentially, Z(x) can be significantly shorter
than x.
Why p(n, log m)? This may be relaxed
For complexity study log m may be replaced by any
sub-polynomial function of m
For some applications a compression of m1-e
suffices.
Definition is only interesting when n ltlt m
E.g. 3-SAT is not an interesting problem for
compression

11
Example Vertex Cover

Input a graph G(V,E)
Question Is there a subset of n vertices that
covers every edge in E.
Parameters (up to a logV factor)
m E
n size of cover

m - Instance size n - Witness size
12
Vertex Cover of size n in graph of size m

Compression algorithm
Remove all vertices that have more than n
neighbors
suppose k vertices were removed.
If there are more than n2 edges left then answer
no.
Else store the remaining graph G (of size at
most n2) and the number k
Language L for compressed instance - vertex
cover with size n n - k

Such a vertex must be in the cover

Correctness
If a cover exists in original graph, then in G
Every edge is covered by one of n vertices.
Every vertex has degree n
G has no more than n2 vertices
Essentially the same witness

13
What have we learned?

Some interesting languages have non-trivial
compression
But
Instance of Vertex Cover has a small core
(kernel) that contains all the hardness of the
problem.
Not necessarily true for other NP problems.
Compression of one NP-complete problem does not
imply compression for all of NP.
Clique, Dominating Set?

The Karp reductions used for deriving
NP-completeness do not preserve the length of the
witness.
New witness may be polynomial in m (not n).

Related to the parameterized complexity of vertex
cover.
Related notions investigated there

14
Talk overview

Introduce and define compression of NP instances.
Example of compression Vertex Cover
Motivation
Cryptographic applications
Collision Resistant Hashing from One-way
Functions
Complexity study of compression
Everlasting Security and Compression
Witness Retrievability
OT from one-way functions
Impossibility
Open Problems

15
Collision Resistant Hash
For all PPTM
Length reducing functions

A collection of collision resistant hash
functions (CRH) is
a family H of hash functions s.t. for a random
h?RH it is hard to find a collision.

A pair x?x s.t. h(x)h(x)

Efficiency
Can sample h?RH
Private/Public coins
Can evaluate h(x)
given h and x

Compression by 1 bit ?Compression to any poly
factors .
Wide range of cryptographic applications Signatur
es Merkle, Damgard Strong Commitments NY89
DPP91 Low Communication Protocols and CS Proofs
K92,M94,B01)
16
One-way functions

One-way function (OWF) f easy to compute but
hard to invert.
f(x) computable in poly-time
No PPTM can find an inverse to yf(x) for a
random x
OWFs are the most fundamental building block in
computationally based crypto.
Necessary for most crypto tasks.
Sufficient for many others (shared key
encryption).

Current Status of CRH in Practice
For both SHA-1 and MD5 serious weaknesses
discovered
NIST Workshop following Crypto 2006
Related to the theoretical difficulties of
showing equivalence between OWFs and CRHs??

CRH and OWFs
(existence of) CRHs implies (existence of) OWFs
But OWF not known to imply CRH
No black box construction of CRH from OWF
Simon98

17
CRH from OWF
E.g. SAT, Clique

Theorem There exists a language L s.t. if there
is an errorless compression of L then there
exists a construction of CRH from any OWF.

Overview of construction
Choose a hash function g from a naive hash family
with no computational hardness guarantees
The selection function
g defined by position i. gi(x) xi
The new hash function h a commitment to i
Output of h a compression of a formula ?
? ? gi(x) 1

m
x
gi
0
0
0
0
1
0
1
1
1
Intuitively finding a collision requires
guessing i.
18
Commitment Schemes

Hiding A computationally bounded receiver learns
nothing about the value i.
Binding s can only be opened to the value i.
Commitments can be based on any OWF N89,
HILL90.

i
Commit Phase
Sender
Receiver
s
i
Reveal Phase
Sender
i
Receiver
s, v, i
v
Reveal Verification Algorithm
yes/no
Assume one-way functions on n bits are hard
19
CRH from OWF?

Theorem There exists a language L s.t. if there
is an errorless compression of L then there
exists a construction of CRH from any OWF.

String s is a commitment to an index i?m
For 1jm formula Cj,s,x is satisfiable iff s
is a commitment to j and xj1
Formula Cs,x OR of all Cj,s,x
? Cs,x is satisfiable iff xi1

Can Generate Cj,s,x without knowing the value
i Cooks Theorem on the reveal verification
algorithm.
Cs,x is the OR of m formulas each of size
poly(n) Instance size mpoly(n) Witness size
opening of commitment - poly(n).
20
CRH from OWF...
From mpoly(n) to m-1 bits

Z - a compression algorithm for formula Cs,x
Takes as input a formula C and outputs some
string
An h?H is described by a commitment s

hs(x) Z(Cs,x)
hs is indeed shrinking due to the compression.
Let x?x be s.t. hs(x) hs(x).
If s is a commitment to i then x(i)x(i).
If x and x differ in the jth bit, then conclude
that s is not a commitment to the value j!!

The construction is inherently non-black-box.
Uses the code of the verification of commitment.
The compressed problem is never actually solved

OR
An adversary that finds a collision x?x can
deduce information about i contradicting the
hiding of the commitment
21
Which languages suffice for hashing?

For language L, OR(L) is
x1, x2 xm where there 1 i m s.t. xi 2 L
If possible to compress OR(SAT) for CNF formulas
on n variables and size poly(n),
then can get the CRH construction
Claim this is no harder than compressing CNF
formulas of m clauses on n variables
Claim compressing Clique(m,n) suffices for CRH
A complexity study of the relative hardness of
compression
VC0 ? VC1 ? VC2 ? ? VCNP
Hierarchy based on the complexity of
verification after preprocessing

Compressible
22
Talk overview

Introduce and define compression of NP instances.
Example of compression Vertex Cover
Motivation
Cryptographic applications
Collision Resistant Hashing from One-way
Functions
Complexity study of compression
Witness Retrievability
OT from one-way functions
Impossibility
Everlasting Security and Compression
Open Problems

23
Witness Retrievability

Suppose instance x ? L with witness wx.
The compressed instance yZ(x) has witness wy to
y ? L.
A compression algorithm is witness retrievable if
it is possible to obtain wy in poly-time from y
and wx.

Z
Observation almost all natural compression
schemes are witness retrievable Or can easily be
converted
24
Witness Retrievability

Theorem There exists a language L such that if
there is a witness retrievable compression of L
then
Minicrypt Cryptomania
It is possible to construct Oblivious Transfer
and PIR Protocols from any one-way function
OT is complete for Secure Computation !
General framework that captures many
cryptographic tasks
public key crypto, auctions, voting, e-commerce

Impagliazzo and Rudich (89) proved no black box
construction of OT from OWF.
25
Witness Retrievability

Theorem There exists a language L such that if
there is a witness retrievable compression of L
then
Minicrypt Cryptomania
It is possible to construct Oblivious Transfer
and PIR Protocols from any one-way function
OT is complete for Secure Computation !
General framework that captures many
cryptographic tasks
public key crypto, auctions, voting, e-commerce

Impagliazzo and Rudich (89) proved no black box
construction of OT from OWF.
26
Limitations of Witness Retrievability

Theorem if one-way functions exist, then there
is no witness retrievable compression for SAT
Idea compression of SAT allows low bandwidth
broadcast encryption
A center and m users connected via a broadcast
channel
Users are given individual keys
The center can transmit to any privileged
subset of the m users
The non-privileged users cannot reconstruct the
original message
Using their assigned keys
Lower bound on encrypted message length
Since possible to reconstruct precisely the
subset whp
ciphertext is at least m bits

27
Broadcast Encryption and SAT Compression

m pairs of commitments to 1 one pair per user
hs10, s11i, hs20, s21i, , hsm0, sm1 i
Key for user i reveal string for ith commitment
to 1
hv10, v11i, hv20, v21i, , hvm0, vm1 i
To broadcast a single bit b to a subset T ½ m
Choose corresponding commitments sibi 2 T
Construct formula ?T,b ? at least one commitment
sib is to 1
Broadcast the compression Z(?T,b)
For i 2 T to decrypt see whether vib yields
witness Z(?T,b)
Claim if compression is perfect, then vib
for i 2 T yields a witness
For i not in T does not yields a witness

28
Talk overview

Introduce and define compression of NP instances.
Example of compression Vertex Cover
Motivation
Cryptographic applications
Collision Resistant Hashing from One-way
Functions
Complexity study of compression
Witness Retrievability
OT from one-way functions
Impossibility
Everlasting Security and Compression
Open Problems

29
Everlasting Security

Common to many cryptographic schemes
leave a fingerprint that in the future can reveal
private information
Michael Rabins term everlasting security
After a certain period of time, the adversarys
action will not affect the protected entities
Things not done online by the adversary will
not influence the security
Relevant
bounded storage model
forward secure storage Dziembowski
Claim incompressibility is essential for
achieving efficiency in these setting

Adi Shamir Existing public-key schemes with
current key lengths are likely to be broken in
less than 30 years! RSA conference 06
30
Compression and the Bounded Storage
ModelEverlasting Security

The Bounded Storage Model (BSM) bounds the
storage space of an adversary rather than its
running time.
Two settings
Parties share a secret key very efficient
encryption.
No key is shared - honest parties need very high
memory requirements (square root of the space the
adversary has).
Suggestion A Hybrid BSM model add a
(temporary) bound on the running time of the
adversary. Use this to exchange an initial secret
key.
Dziembowski and Maurer DM04 there exists a
hybrid scheme made with secure components that is
insecure.
Theorem If OR(SAT) is compressible then the
hybrid model is no more powerful than the
standard BSM.
All such schemes are insecure.

Alternatively One cannot prove that a hybrid
scheme is secure without proving (or assuming)
the incompressibility of many interesting
languages.

31
Discussion Open problems

Given CNF formulae ?1 and ?2 on same variables
(not necessarily with short witnesses)
come up efficiently with a CNF formula ? that is
Satisfiable if and only if ?1 v ?2 is satisfiable
Shorter than ?1?2
Due to the impossibility results for SAT witness
retrievable compression
a witness for either ?1 or ?2 cannot efficiently
yield a witness for ?.

Sufficiently short to apply recursively (1-?)
(?1?2)

If impossible, hope for
Hybrid Bounded Storage
Derandomization Dubrov-Ishai
Forward-secure storage Dziembowski

If possible
CRH
OT

32
Discussion Open problems

Topic must be studied has too many interesting
implications/applications to be ignored
Many open questions
Where is the line between compressible and not?
somewhere in the low VCs?
What about incompressibility?
Dubrov Ishai a certain notion of
incompressibility yields results in
derandomization
How to have an efficient falsifiable assumption?
Additional directions
Other natural classification? Connection to
previous classifications?
Natural complete problem for VC1 ?
Does error-prone compression imply CRH?

33
Thank You.
Full Paper www.wisdom.weizmann.ac.il/naor/PAPERS
/compressibility.html Compressed version in FOCS
2006
34
GapSAT and Some Speculation

GapSAT - a promise problem
Input A CNF formula (m clauses, n variables)
that is either
Satisfiable
Any assignment satisfies at most a 1-1/(2n)
fraction of the clauses.
Compression for GapSAT choose a random subset of
O(n2) of the clauses.
With high probability maintains the
satisfiability of the original problem.
Idea Use the PCP theorem

Instance of GapSAT
Instance of SAT
PCP
Compressed Instance
Compress

The problem the PCP reduction creates many new
variables (poly(m, n)). The witness is no longer
short!
Challenge gap amplification without introducing
many new variables.

35
On Compression of search problems

Decision problem does there exist a witness to
x?L?
Search problem find a witness to x?L (if it
exists).
Compression for search Z(x) contains the
information regarding a witness to x?L.
Theorem If there exists compression for
(decision) problems in a class C, then there
exists compression for the corresponding search
problems in C.

36
Complexity Study

Want to know which problems can be compressed
For crypto positive applications want to know
which problems are sufficient
Can we use the compressibility of vertex cover?
If clique is compressible, it is good enough?
For crypto negative applications for which
problems is it reasonable to assume
incompressibility?
What about other types of problems search,
counting
How can a compression algorithm look like?

Hybrid Bounded Storage
Derandomization Dubrov-Ishai
Forward-secure storage Dziembowski

37
Compressible languages

Variety of techniques allow compression
L 2 P - trivial
Vertex Cover, Minimum Fill-in find a small core
Related to parameterized complexity
Sparse languages (PRG-output) - hashing
Sparse Subset Sum - hashing
GapSAT sampling
Call the class VC0

38
W-Reductions and Compression

Classical NP classification does not suffice for
compression
Similar to other approaches for dealing with
NP-hard problems
approximation, parameterized complexity etc
new classifications introduced.
Key to classification is the type of reduction is
used
Definition L W-reduces to L if there exists a
polynomial time algorithm R and a polynomial
p(.,.) such that for instance x for L with
parameters m,n
R(x) ? L iff x ? L
If R(x) ? L then it has a witness of length at
most p(n,logm).
Matching notion of compression-complete and
compression-hard languages for a class C

Witness
Claim If L W-reduces to L and L has a
compression algorithm then L has a compression
algorithm.
39
The VC classification

Aim a classification of NP with respect to
compression.
An indication of which languages are potentially
easier/harder to compress.
The VC classification
The verification algorithm of a language plays a
central role in the classification.
Verification the verification algorithm
running on the instance after a preprocessing
stage.

Verification Complexity
witness
Verification algorithm
Preproc.
input
Yes/No
40
The VC Classification

VCk for k?2 - languages that have verification
in depth k.
VC1 languages that have local verification
read only poly(n, log m) locations of the
instance. Moral equivalent of sublinear.
VC0 all compressible languages
VC VCm ( NP)

Why Depth? Tradeoff between depth and of
variables
Standard technique (Cooks theorem) can reduce
depth of a verification circuit by adding new
variables.
Reducing depth without adding many variables
would entail a collapse in the hierarchy

Can be represented as a depth k (unbounded
fan-in) Circuit.

Local verification yields natural families
Graph embedding problems does a large graph
have a small graph embedded in it. Includes
Clique, long cycle, etc
Small Subset-Sum is there a small subset that
adds up to a target number.

Only non-trivial fact VC1 ? VC2
Claim VC0 ? VC1 ? VC2 ? ? VC
41
One more class- VCOR

OR(CircuitSAT)
Input m circuits, each of size n
Membership If at least one has a satisfying
assignment.
VCOR verification by an instance of
OR(CircuitSAT)
Complete problems The OR of any NP-complete
language is compression-complete for VCOR
e.g., OR(3-SAT), OR(Clique), etc
Claim Clique is compression-hard for VCOR

Compression of a language that is
compression-hard for VCOR suffices for crypto
apps!
E.g. OR(3-SAT), SAT, Clique

Claim VC0 ? VCOR ? VC1
42
Classification
Class Languages / Compression Complete Language Compression-Hard
VC0 P, Sparse languages (PRG-output),Vertex Cover, Minimum Fill-in, GapSAT
VCOR OR(L) (for any L), OR(SAT), languages from crypto applications Clique, Long Path
VC1 Graph Embedding (Clique, Long Path, Long Cycle), Sparse SubsetSum, LocalCircuitSAT
VC2 OR of large CNFs, SAT DS, IP
VC3 Dominating Set (DS), Depth3CircuitSAT
VC4 Weighted SAT, Depth4CircuitSAT

VCO(logn) Integer Programming (IP), XOR(SAT)

VC CircuitSAT
43
The VC classification

Possibilities for the hierarchy
If no compression of complete languages then a
full hierarchy.
Compression of a compression-complete language
collapses to VC0 everything from that point
down.
Collapse of VCk1 to VCk does not necessarily
entail further collapse.
The main question where is the border between
compressible and not?

44
The Minicrypt Cryptomania question

Minicrypt Cryptomania? is the most important
problem in complexity and cryptography where
We do not know the answer
There is a good chance to resolve it in the near
future

Omer Reingold NL L is a contender for the title
45
A more refined view
Trapdoor Permutations
IBE
cryptomania
PIR
CCA-Secure PKE
OT
Secure MPC
Secret Key Exchange
Public Key Encryption
2 rounds
minicrypt
Shared-key Encryption and Authentication
Signature Scheme
One-way functions
Computational Pseudorandomness
ZK Proofs for all of NP
Commitment scheme
Coin flipping
Efficient online memory checking
UOWHFs
46
Separating the worlds
Trapdoor Permutations
cryptomania
PIR
CCA-Secure PKE
OT
Secure MPC
Public Key Encryption
SKE
minicrypt
Shared-key Encryption and Authentication
Signature Scheme
One-way functions
Computational Psuedorandomness
Impagliazzo and Rudich 1989 there is no blackbox
construction of OT from OWF.
ZK Proofs for all of NP
Commitment scheme
Coin flipping
Efficient online memory checking
UOWHFs
47
Recent RSA Cryptographers Panel Feb 2006

Adi Shamirs prediction no existing Public-key
Cryptoysystem will survive 30 years from now
Martin Hellman very little genetic diversity in
public-key cryptosystems.
RSA and Diffie-Hellman 1970s
Elliptic curves 1980s
Should add lattice based schemes

48
Oblivious Transfer

Impagliazzo (95) describes 5 possible worlds
based on different computational assumptions.
The top two worlds
Minicrypt OWFs exist, some of crypto possible
(shared key encryption, commitments, signatures)
Cryptomania Oblivious Transfer (OT) exists,
almost anything possible.

Cryptomania
Minicrypt
Pessiland
Heuristica
Algoritmica
Cryptomania
Minicrypt
Pessiland
Heuristica
Algoritmica

OT protocol
Bob gets sc.
Bob doesnt learn s1-c.
Alice does not learn c.

OT is complete for Secure Computation ! General
framework that captures many cryptographic tasks
(e.g. public key crypto, auctions, voting,
e-commerce)

OWFs not known to imply OT
Impagliazzo and Rudich (89) prove that there is
no black box construction of OT from OWF.

c
s0,s1
sc
49
OT from OWF?
E.g., SAT, Clique

Theorem There exists a language L such that if
there is a witness retrievable compression of L
then
Minicrypt Cryptomania

Suppose instance x ? L with witness wx.
The compressed instance yZ(x) has witness wy to
y ? L.
Compression is witness retrievable if it is
possible to obtain wy in poly-time from y and wx.

Z
50
OT from OWF?