On the Compressibility of NP instances and Cryptographic Applications

Moni Naor, Weizmann Institute of Science
Danny Harnik, Technion

Posted on 21-Dec-2015

2

Key Idea of Cryptography

Use the intractability of some problems for the advantage of constructing secure systems

Almost any cryptographic task provably requires using this idea.

Large research effort devoted to studying the relationship between cryptography and complexity

“Cryptography and Complexity: a match made in heaven”

3

This talk

Connections between:
• Complexity
• Cryptography
• (A new kind of) Compressibility

4

Garey and Johnson, 1979

“I can’t find an algorithm for the problem”
“Maybe I can approximate it”
“Solve it for some fixed parameters”
“Find an algorithm that usually works?”
“Solve it in time 2^n”
“Could we just postpone it?”

Approaches for dealing with NP-complete problems:
• Approximation algorithms
• Sub-exponential time algorithms
• Parameterized complexity
• Average case complexity
• Save it for the future

5

Compressing Instances

• Rather than solving a problem, we are interested in compressing it to be solved sometime in the future.
• Compression should be answer preserving rather than input preserving.

To compress a language L we need an efficient algorithm Z and a language L’ such that:
1. Z(x) ∈ L’ iff x ∈ L
2. |Z(x)| << |x|

We do not require that x can be restored from Z(x)!

[Figure: Z maps an instance x of L to an instance Z(x) of L’]

6

Why deal with compression?

• Compression allows storing problems succinctly to be resolved in a future setting:
  • The future may introduce new and faster technologies (Quantum computers?)
  • New algorithms (maybe P=NP??)
  • Lots of time in the future…
• Our actual motivation: powerful implications of compression for cryptography.
  • Both positive and negative

“Bandwidth to the future”

7

Talk overview

• Introduce and define compression of NP instances.
  • Example of compression: Vertex Cover
• Motivation: Cryptographic applications
  • Collision Resistant Hashing from One-way Functions
• Complexity study of compression
• Witness Retrievability
  • OT from one-way functions
  • Impossibility
• Everlasting Security and Compression
• Open Problems

8

General Impossibility

If P≠NP then we cannot hope to have a general compression:
• Given a CNF formula of size m, it is hard to come up with an equivalent formula that is much shorter
  – Otherwise it would be possible to apply compression recursively until the formula can be solved exhaustively

⇒ Deal with NP languages with relatively short witnesses

9

Compressing NP Instances – Definition

NP languages with short witnesses – two parameters are considered:
• m – Instance length
• n – Witness length

For every x of length m, if x ∈ L then it has a witness of length n.

The interesting case: n << m and n not too small.
Example: satisfiability of a CNF formula of m clauses on n variables.

Compression for L: an efficient algorithm Z, a polynomial p(·, ·) and a language L’ such that for every x of length m:
1. Z(x) ∈ L’ iff x ∈ L
2. |Z(x)| < p(n, log m)

[Figure: Z maps an instance x of L to an instance Z(x) of L’]

10

Notes on the Definition

• Length of Z(x) is dominated by the witness length
  • Potentially, Z(x) can be significantly shorter than x.
• Why p(n, log m)? This may be relaxed:
  • For the complexity study, log m may be replaced by any sub-polynomial function of m
  • For some applications a compression to m^(1−ε) suffices.
• The definition is only interesting when n << m
  • E.g. 3-SAT is not an interesting problem for compression

11

Example: Vertex Cover

• Input: a graph G=(V,E)
• Question: Is there a subset of n vertices that covers every edge in E?
• Parameters (up to a log|V| factor):
  – m = |E| (instance size)
  – n = size of the cover (witness size)

12

Vertex Cover of size n in a graph of size m

Compression algorithm:
1. Remove all vertices that have more than n neighbors – suppose k vertices were removed. (Such a vertex must be in the cover.)
2. If there are more than n² edges left then answer no.
3. Else store the remaining graph G’ (of size at most n²) and the number k.

Language L’ for the compressed instance: vertex cover with size n’ = n − k.

Correctness: If a cover exists in the original graph, then in G’:
• Every edge is covered by one of the n vertices.
• Every vertex has degree ≤ n.
⇒ G’ has no more than n² vertices, and essentially the same witness.
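The three-step compression above, as an added Python example written for this transcript (it is not code from the talk or the paper): it implements the kernel exactly as stated (remove vertices of degree > n, reject if more than n² edges remain, otherwise keep G’ with budget n − k), uses an exhaustive vertex-cover decider only as an oracle to confirm that the answer is preserved, and shows that this compression is witness retrievable (a cover of G with the k removed vertices deleted is a cover of G’). The graph `SAMPLE_EDGES` is constructed for the demonstration, and all function names are my own.

```python
from itertools import combinations


def _normalize(edges):
    """Treat the input as a simple undirected graph: drop self-loops and
    duplicate edges and represent each edge as a 2-element frozenset."""
    return {frozenset((u, v)) for u, v in edges if u != v}


def is_cover(edges, cover):
    """True iff every edge has at least one endpoint in `cover`."""
    cover = set(cover)
    return all(e & cover for e in _normalize(edges))


def compress_vertex_cover(edges, n):
    """Steps 1-3 of the slide.  Returns None when the answer is already "no";
    otherwise the compressed instance: the kernel G' (at most n^2 edges), the
    reduced budget n' = n - k, and the k forced vertices (kept aside only so a
    witness for G can be turned into a witness for G')."""
    if n < 0:
        return None
    edges = _normalize(edges)
    adj = {}
    for e in edges:
        u, v = tuple(e)
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    # Step 1: a vertex with more than n neighbours belongs to every cover of
    # size <= n (otherwise all of its > n neighbours would have to be chosen).
    forced = {v for v, nb in adj.items() if len(nb) > n}
    k = len(forced)
    if k > n:
        return None  # more forced vertices than the budget allows
    remaining = [e for e in edges if not (e & forced)]
    # Step 2: the n-k remaining cover vertices each have degree <= n, so a
    # "yes" instance can keep at most n*(n-k) <= n^2 edges.
    if len(remaining) > n * n:
        return None
    # Step 3: store G' and the reduced budget.
    return {
        "edges": sorted(tuple(sorted(e)) for e in remaining),
        "budget": n - k,
        "forced": forced,
    }


def decide_vertex_cover(edges, n):
    """Exhaustive search (exponential): is there a cover of size <= n?
    Used only as the oracle that checks answer preservation."""
    if n < 0:
        return False
    edges = _normalize(edges)
    vertices = sorted({v for e in edges for v in e})
    for size in range(min(n, len(vertices)) + 1):
        if any(is_cover(edges, c) for c in combinations(vertices, size)):
            return True
    return False


def decide_compressed(compressed):
    """Membership in L': a vertex cover of size <= n' in G'."""
    if compressed is None:
        return False
    return decide_vertex_cover(compressed["edges"], compressed["budget"])


def retrieve_witness(compressed, cover):
    """Witness retrievability: a cover of G of size <= n, minus the forced
    vertices, is a cover of G' of size <= n - k."""
    return {v for v in cover if v not in compressed["forced"]}


# Constructed sample: a hub (vertex 0) of degree 10, a triangle 11-12-13 and
# a lone edge 14-15, so m = 14 edges.
SAMPLE_EDGES = [(0, i) for i in range(1, 11)] + [(11, 12), (12, 13), (11, 13), (14, 15)]

if __name__ == "__main__":
    for n in (3, 4):
        c = compress_vertex_cover(SAMPLE_EDGES, n)
        print(n, "original:", decide_vertex_cover(SAMPLE_EDGES, n),
              "compressed:", decide_compressed(c), "kernel:", c)
    print(retrieve_witness(compress_vertex_cover(SAMPLE_EDGES, 4), {0, 11, 12, 14}))
```

With n = 4 the hub is forced (k = 1) and the kernel is the 4 remaining edges with budget 3, a "yes" instance on both sides; with n = 3 the same kernel gets budget 2 and both sides answer "no"; a path of 19 edges with n = 2 is rejected in step 2 without any search. The kernel size depends on n only, which is exactly the |Z(x)| < p(n, log m) requirement.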

13

What have we learned?

Some interesting languages have non-trivial compression. But…
• An instance of Vertex Cover has a small core (kernel) that contains all the hardness of the problem.*
  – Not necessarily true for other NP problems.
• Compression of one NP-complete problem does not imply compression for all of NP.
  – Clique, Dominating Set?
• The Karp reductions used for deriving NP-completeness do not preserve the length of the witness.
  • The new witness may be polynomial in m (not n).

* Related to the parameterized complexity of vertex cover; related notions are investigated there.

14

Talk overview

• Introduce and define compression of NP instances.
  • Example of compression: Vertex Cover
• Motivation: Cryptographic applications
  • Collision Resistant Hashing from One-way Functions
• Complexity study of compression
• Everlasting Security and Compression
• Witness Retrievability
  • OT from one-way functions
  • Impossibility
• Open Problems

15

Collision Resistant Hash

• A collection of collision resistant hash functions (CRH) is a family H of length-reducing hash functions s.t. for a random h ∈R H it is hard (for all PPTMs) to find a collision: a pair x ≠ x’ s.t. h(x)=h(x’).

Wide range of cryptographic applications:
• Signatures [Merkle, Damgard]
• Strong Commitments [NY89] [DPP91]
• Low Communication Protocols and CS Proofs [K92, M94, B01]

Efficiency:
• Can sample h ∈R H (private/public coins)
• Can evaluate h(x) given h and x

Compression by 1 bit
Compression to any polynomial factor

16

One-way functions

• One-way function (OWF) f: easy to compute but hard to invert.
  – f(x) computable in poly-time
  – No PPTM can find an inverse of y=f(x) for a random x
• OWFs are the most fundamental building block in computationally based crypto.
  – Necessary for most crypto tasks.
  – Sufficient for many others (shared key encryption).

CRH and OWFs:
• (Existence of) CRHs implies (existence of) OWFs
• But: OWF not known to imply CRH
  – No “black box” construction of CRH from OWF [Simon98]

Current status of CRH in practice:
• For both SHA-1 and MD5: serious weaknesses discovered
• NIST Workshop following Crypto 2006
• Related to the theoretical difficulties of showing equivalence between OWFs and CRHs??

17

CRH from OWF

Theorem: There exists a language L (e.g. SAT, Clique…) s.t. if there is an errorless compression of L then there exists a construction of CRH from any OWF.

Overview of the construction:
– Choose a hash function g from a naive hash family
  • with no computational hardness guarantees
  • The selection function: g defined by a position i, g_i(x) = x[i]
• The new hash function h: a commitment to i
• Output of h: a compression of a formula stating “g_i(x) = 1”

Intuitively: finding a collision requires guessing i.

[Figure: an m-bit string x with position i selected]

18

Commitment Schemes

Commit phase: the Sender (holding i) sends s to the Receiver.
Reveal phase: the Sender sends v, i; the Receiver runs the reveal verification algorithm on (s, v, i) and outputs yes/no.

– Hiding: A computationally bounded receiver learns nothing about the value i.
– Binding: s can only be “opened” to the value i.
• Commitments can be based on any OWF [N89], [HILL90].

Assume one-way functions on n bits are hard.

19

CRH from OWF?

• Theorem: There exists a language L s.t. if there is an errorless compression of L then there exists a construction of CRH from any OWF.

String s is a commitment to an index i ∈ [m].
• For 1 ≤ j ≤ m: formula C_{j,s,x} is satisfiable iff s is a commitment to j and x[j]=1
• Formula C_{s,x}: OR of all C_{j,s,x}
  ⇒ C_{s,x} is satisfiable iff x[i]=1

[Figure: C_{s,x} is the OR of C_{1,s,x}, …, C_{m,s,x}, one per bit of the m-bit string x]

C_{s,x} is the OR of m formulas, each of size poly(n).
Instance size: m·poly(n). Witness size: opening of the commitment – poly(n).

Can generate C_{j,s,x} without knowing the value i: apply Cook’s Theorem to the reveal verification algorithm.

20

CRH from OWF...

• Z – a compression algorithm for the formulas C_{s,x}
  – Takes as input a formula C and outputs some string
• An h ∈ H is described by a commitment s:
  h_s(x) = Z(C_{s,x})
• h_s is indeed shrinking due to the compression.
• Let x ≠ x’ be s.t. h_s(x) = h_s(x’).
• If s is a commitment to i then x(i)=x’(i).
• If x and x’ differ in the jth bit, then conclude that s is not a commitment to the value j!!

[Figure: C_{s,x} is the OR of C_{1,s,x}, …, C_{m,s,x} over the m-bit string x]

An adversary that finds a collision x ≠ x’ can deduce information about i, contradicting the hiding of the commitment.

• The construction is inherently non-black-box.
  – Uses the code of the verification of the commitment.
• The compressed problem is never actually solved…

From m·poly(n) to m−1 bits

21

Which languages suffice for hashing?

• For a language L, OR(L) is {x1, x2 … xm | there is 1 ≤ i ≤ m s.t. xi ∈ L}
• If it is possible to compress OR(SAT) for CNF formulas on n variables and size poly(n), then we can get the CRH construction
  • Claim: this is no harder than compressing CNF formulas of m clauses on n variables
• Claim: compressing Clique(m,n) suffices for CRH

A complexity study of the relative hardness of compression: VC0 ⊆ VC1 ⊆ VC2 ⊆ … ⊆ VC = NP
• Hierarchy based on the complexity of verification after preprocessing
• VC0: the compressible languages

22

Talk overview

• Introduce and define compression of NP instances.
  • Example of compression: Vertex Cover
• Motivation: Cryptographic applications
  • Collision Resistant Hashing from One-way Functions
• Complexity study of compression
• Witness Retrievability
  • OT from one-way functions
  • Impossibility
• Everlasting Security and Compression
• Open Problems

23

Witness Retrievability

• Suppose instance x ∈ L with witness w_x.
• The compressed instance y=Z(x) has witness w_y to y ∈ L’.

A compression algorithm is witness retrievable if it is possible to obtain w_y in poly-time from y and w_x.

[Figure: x with witness w_x maps under Z to y with witness w_y]

Observation: almost all ‘natural’ compression schemes are witness retrievable, or can easily be converted.

24

Witness Retrievability

Theorem: There exists a language L such that if there is a witness retrievable compression of L then Minicrypt = Cryptomania: it is possible to construct Oblivious Transfer and PIR protocols from any one-way function.

• OT is complete for Secure Computation!
  – General framework that captures many cryptographic tasks
    • public key crypto, auctions, voting, e-commerce…

Impagliazzo and Rudich (89) proved: no black box construction of OT from OWF.

26

Limitations of Witness Retrievability

Theorem: if one-way functions exist, then there is no witness retrievable compression for SAT.

Idea: compression of SAT allows low bandwidth broadcast encryption
– A center and m users connected via a broadcast channel
  • Users are given individual keys
  • The center can transmit to any “privileged” subset of the m users
  • The non-privileged users cannot reconstruct the original message
    – Using their assigned keys
• Lower bound on the encrypted message length: since it is possible to reconstruct precisely the subset whp, the ciphertext is at least m bits.

27

Broadcast Encryption and SAT Compression

• m pairs of commitments to ‘1’ – one pair per user:
  – ⟨s_1^0, s_1^1⟩, ⟨s_2^0, s_2^1⟩, …, ⟨s_m^0, s_m^1⟩
• Key for user i – reveal strings for the ith pair of commitments to ‘1’:
  – ⟨v_1^0, v_1^1⟩, ⟨v_2^0, v_2^1⟩, …, ⟨v_m^0, v_m^1⟩
• To broadcast a single bit b to a subset T ⊆ [m]:
  – Choose the corresponding commitments {s_i^b | i ∈ T}
  – Construct the formula φ_{T,b}: at least one commitment s_i^b is to ‘1’
  – Broadcast the compression Z(φ_{T,b})
  – For i ∈ T to decrypt: see whether v_i^b yields a witness for Z(φ_{T,b})

Claim: if the compression is perfect, then v_i^b
– for i ∈ T yields a witness
– for i not in T does not yield a witness

28

Talk overview

• Introduce and define compression of NP instances.
  • Example of compression: Vertex Cover
• Motivation: Cryptographic applications
  • Collision Resistant Hashing from One-way Functions
• Complexity study of compression
• Witness Retrievability
  • OT from one-way functions
  • Impossibility
• Everlasting Security and Compression
• Open Problems

29

Everlasting Security

• Common to many cryptographic schemes: they leave a fingerprint that in the future can reveal private information
• Michael Rabin’s term: everlasting security
  – After a certain period of time, the adversary’s actions will not affect the protected entities
  • Things not done ‘online’ by the adversary will not influence the security
• Relevant:
  – bounded storage model
  – forward secure storage [Dziembowski]

Claim: incompressibility is essential for achieving efficiency in these settings.

Adi Shamir: Existing public-key schemes with current key lengths are likely to be broken in less than 30 years! [RSA conference ’06]

30

Compression and the Bounded Storage Model (Everlasting Security)

• The Bounded Storage Model (BSM) bounds the storage space of an adversary rather than its running time.
• Two settings:
  – Parties share a secret key – very efficient encryption.
  – No key is shared – honest parties need very high memory requirements (square root of the space the adversary has).
• Suggestion: A hybrid BSM model – add a (temporary) bound on the running time of the adversary. Use this to exchange an initial secret key.
• Dziembowski and Maurer [DM04]: there exists a hybrid scheme made with secure components that is insecure.

Theorem: If OR(SAT) is compressible then the hybrid model is no more powerful than the standard BSM.
– All such schemes are insecure.
• Alternatively: One cannot prove that a hybrid scheme is secure without proving (or assuming) the incompressibility of many interesting languages.

31

Discussion & Open problems

• Given CNF formulae φ1 and φ2 on the same variables (not necessarily with short witnesses), come up efficiently with a CNF formula φ that is
  1. Satisfiable if and only if φ1 ∨ φ2 is satisfiable
  2. Shorter than |φ1|+|φ2| – sufficiently short to apply recursively: (1−ε)(|φ1|+|φ2|)

Due to the impossibility results for SAT witness retrievable compression: a witness for either φ1 or φ2 cannot efficiently yield a witness for φ.

If impossible, hope for:
• Hybrid Bounded Storage
• Derandomization [Dubrov-Ishai]
• Forward-secure storage [Dziembowski]

If possible:
• CRH
• OT

32

Discussion & Open problems

• The topic must be studied – it has too many interesting implications/applications to be ignored
• Many open questions:
  – Where is the line between compressible and not?
    • somewhere in the low VC’s?
  – What about incompressibility?
    • Dubrov & Ishai: a certain notion of incompressibility yields results in derandomization
    • How to have an efficient falsifiable assumption?
  – Additional directions
    • Other natural classification? Connection to previous classifications?
    • Natural complete problem for VC1?
    • Does error-prone compression imply CRH?

33

Thank You.

Full Paper: www.wisdom.weizmann.ac.il/~naor/PAPERS/compressibility.html

Compressed version in FOCS 2006

34

GapSAT and Some Speculation

• GapSAT – a promise problem
  – Input: A CNF formula (m clauses, n variables) that is either:
    • Satisfiable, or
    • Any assignment satisfies at most a 1−1/(2n) fraction of the clauses.
• Compression for GapSAT: choose a random subset of O(n²) of the clauses.
  – With high probability this maintains the satisfiability of the original problem.
• Idea: Use the PCP theorem: Instance of SAT → (PCP) → Instance of GapSAT → (Compress) → Compressed Instance
• The problem: the PCP reduction creates many new variables (poly(m, n)). The witness is no longer short!
• Challenge: gap amplification without introducing many new variables.

35

On Compression of search problems

• Decision problem: does there exist a witness to x ∈ L?
• Search problem: find a witness to x ∈ L (if it exists).
• Compression for search: Z(x) contains the information regarding a witness to x ∈ L.

Theorem: If there exists compression for (decision) problems in a class C, then there exists compression for the corresponding search problems in C.

36

Complexity Study

• Want to know which problems can be compressed
• For crypto ‘positive’ applications (CRH, OT): want to know which problems are sufficient
  – Can we use the compressibility of vertex cover?
  – If clique is compressible, is it good enough?
• For crypto ‘negative’ applications (Hybrid Bounded Storage, Derandomization [Dubrov-Ishai], Forward-secure storage [Dziembowski]): for which problems is it reasonable to assume incompressibility?
• What about other types of problems: search, counting…
• What can a compression algorithm look like?

37

Compressible languages

A variety of techniques allow compression:
• L ∈ P – trivial
• Vertex Cover, Minimum Fill-in – find a small core
  – Related to parameterized complexity
• Sparse languages (PRG-output) – hashing
• Sparse Subset Sum – hashing
• GapSAT – sampling

Call this class VC0.

38

W-Reductions and Compression

• Classical NP classification does not suffice for compression
• Similar to other approaches for dealing with NP-hard problems (approximation, parameterized complexity etc…): new classifications are introduced.
• Key to the classification is the type of reduction used
• Definition: L W-reduces to L’ if there exists a polynomial time algorithm R and a polynomial p(·,·) such that for every instance x of L with parameters m,n:
  1. R(x) ∈ L’ iff x ∈ L
  2. If R(x) ∈ L’ then it has a witness of length at most p(n, log m).
• Matching notions of compression-complete and compression-hard languages for a class C

Claim: If L W-reduces to L’ and L’ has a compression algorithm then L has a compression algorithm.

39

The VC classification

• Aim: a classification of NP with respect to compression.
  • An indication of which languages are potentially easier/harder to compress.
• The VC classification: the verification algorithm of a language plays a central role in the classification.
  • “Verification” – the verification algorithm running on the instance after a preprocessing stage.

[Figure – Verification Complexity: input → preprocessing → verification algorithm (given the witness) → Yes/No]

40

The VC Classification

• VCk for k ≥ 2 – languages that have “verification” in depth k.
  – Can be represented as a depth k (unbounded fan-in) circuit.
• VC1 – languages that have local “verification”: read only poly(n, log m) locations of the instance. Moral equivalent of sublinear.
• VC0 – all compressible languages
• VC = VCm (= NP)

Claim: VC0 ⊆ VC1 ⊆ VC2 ⊆ … ⊆ VC
Only non-trivial fact: VC1 ⊆ VC2

Why depth? Tradeoff between depth and # of variables:
• Standard technique (Cook’s theorem) can reduce the depth of a verification circuit by adding new variables.
• Reducing depth without adding many variables would entail a collapse in the hierarchy.

Local verification yields natural families:
• Graph embedding problems: does a large graph have a small graph embedded in it? Includes Clique, long cycle, etc…
• Small Subset-Sum: is there a small subset that adds up to a target number?

41

One more class – VCOR

• OR(CircuitSAT) –
  • Input: m circuits, each of size n
  • Membership: if at least one has a satisfying assignment.
• VCOR – “verification” by an instance of OR(CircuitSAT)
• Complete problems: the OR of any NP-complete language is compression-complete for VCOR
  • e.g., OR(3-SAT), OR(Clique), etc…

Claim: Clique is compression-hard for VCOR
Claim: VC0 ⊆ VCOR ⊆ VC1

[Figure: OR of the circuits C1, C2, …, Cm]

Compression of a language that is compression-hard for VCOR suffices for the crypto applications!
• E.g. OR(3-SAT), SAT, Clique…

42

Classification

Class       | Languages / Compression-Complete Language                                          | Compression-Hard
VC0         | P, Sparse languages (PRG-output), Vertex Cover, Minimum Fill-in, GapSAT            |
VCOR        | OR(L) (for any L), OR(SAT), languages from crypto applications                     | Clique, Long Path…
VC1         | Graph Embedding (Clique, Long Path, Long Cycle), Sparse SubsetSum, LocalCircuitSAT |
VC2         | OR of large CNFs, SAT                                                              | DS, IP
VC3         | Dominating Set (DS), Depth3CircuitSAT                                              |
VC4         | Weighted SAT, Depth4CircuitSAT                                                     |
VC_O(log n) | Integer Programming (IP), XOR(SAT)                                                 |
VC          | CircuitSAT                                                                         |

43

The VC classification

Possibilities for the hierarchy:
• If there is no compression of the complete languages: a full hierarchy.
• Compression of a compression-complete language: collapses to VC0 everything from that point down.
• Collapse of VCk+1 to VCk does not necessarily entail further collapse.
• The main question: where is the border between compressible and not?

44

The Minicrypt = Cryptomania question

“Minicrypt = Cryptomania?” is the most important problem in complexity and cryptography where

• We do not know the answer

• There is a good chance to resolve it in the near future

Omer Reingold: NL = L is a contender for the title

45

A more refined view

[Figure: the minicrypt world (One-way functions, Computational Pseudorandomness, Shared-key Encryption and Authentication, Commitment scheme, Signature Scheme, UOWHFs, Coin flipping, ZK Proofs for all of NP, Efficient online memory checking) versus the cryptomania world (OT, Public Key Encryption, CCA-Secure PKE, PIR, Secure MPC, Trapdoor Permutations, 2-round Secret Key Exchange, IBE)]

46

Separating the worlds

[Figure: the same minicrypt world (One-way functions, Computational Pseudorandomness, Shared-key Encryption and Authentication, Commitment scheme, Signature Scheme, UOWHFs, Coin flipping, ZK Proofs for all of NP, Efficient online memory checking) versus the cryptomania world (OT, Public Key Encryption, SKE, CCA-Secure PKE, PIR, Secure MPC, Trapdoor Permutations), with the separation between them]

Impagliazzo and Rudich 1989: there is no black box construction of OT from OWF.

47

Recent RSA Cryptographers Panel, Feb 2006

• Adi Shamir’s prediction: no existing public-key cryptosystem will survive 30 years from now
• Martin Hellman: very little genetic diversity in public-key cryptosystems.
  – RSA and Diffie-Hellman – 1970’s
  – Elliptic curves – 1980’s
  – Should add: lattice based schemes

48

Oblivious Transfer

• Impagliazzo (95) describes 5 possible worlds based on different computational assumptions: Algorithmica, Heuristica, Pessiland, Minicrypt, Cryptomania.
• The top two worlds:
  – Minicrypt – OWFs exist, some of crypto possible (shared key encryption, commitments, signatures…)
  – Cryptomania – Oblivious Transfer (OT) exists, almost anything possible.

OT protocol (Alice holds s0, s1; Bob holds a choice bit c):
• Bob gets s_c.
• Bob doesn’t learn s_{1−c}.
• Alice does not learn c.

• OWFs not known to imply OT
• Impagliazzo and Rudich (89) prove that there is no black box construction of OT from OWF.

OT is complete for Secure Computation! General framework that captures many cryptographic tasks (e.g. public key crypto, auctions, voting, e-commerce…)

49

OT from OWF?

Theorem: There exists a language L (e.g., SAT, Clique…) such that if there is a witness retrievable compression of L then Minicrypt = Cryptomania.

• Suppose instance x ∈ L with witness w_x.
• The compressed instance y=Z(x) has witness w_y to y ∈ L’.
• Compression is witness retrievable if it is possible to obtain w_y in poly-time from y and w_x.

[Figure: x with witness w_x maps under Z to y with witness w_y]

50

OT from OWF?

• Theorem: There exists a language L such that if there is a witness retrievable compression of L then Minicrypt = Cryptomania

Proof:
• Construct a Private Information Retrieval (PIR) protocol. PIR implies OT [DMO00].
• Input: Database x of m bits.
• Given a commitment s to an index i ∈ [m], define the circuit C_{s,x} as in the CRH case:
  – C_{s,x} is satisfiable iff x(i)=1
  – C_{s,x} is the OR of m circuits, each of size n

[Figure: C_{s,x} is the OR of C_{1,s,x}, …, C_{m,s,x} over the m-bit string x]

PIR protocol (Alice holds the database x ∈ {0,1}^m, Bob holds the index i ∈ [m]):
• Bob learns x(i).
  – Alice does not learn i.
  – Total communication is less than m bits!

51

OT from OWF, cont.

• Theorem: There exists a language L such that if there is a witness retrievable compression of L then Minicrypt = Cryptomania

Proof:
• Bob creates a commitment s to his choice index i ∈ [m]. Sends s to Alice.
• Alice generates the circuit C_{s,x} based on x and s.
• Alice sends Z(C_{s,x}) to Bob.
• Z(C_{s,x}) contains the information about the bit x(i).
• Bob can retrieve it using the witness retrieval property.
• Security:
  – Bob’s i is hidden by the commitment
  – total communication is low.

[Figure: Bob (holding i) sends s to Alice (holding x); Alice returns Z(C_{s,x}); Bob outputs x(i)]

Generates a 2-message PIR: sufficient also for Public Key Encryption from any OWF!