Average-Case Complexity
We survey the average-case complexity of problems in NP.
We discuss various notions of good-on-average algorithms, and present
completeness results due to Impagliazzo and Levin. Such completeness results
establish the fact that if a certain specific (but somewhat artificial) NP
problem is easy-on-average with respect to the uniform distribution, then all
problems in NP are easy-on-average with respect to all samplable distributions.
Applying the theory to natural distributional problems remains an outstanding
open question. We review some natural distributional problems whose
average-case complexity is of particular interest and that do not yet fit into
this theory.
A major open question is whether the existence of hard-on-average problems in NP
can be based on the P ≠ NP assumption or on related worst-case assumptions.
We review negative results showing that certain proof techniques cannot prove
such a result. While the relation between worst-case and average-case
complexity for general NP problems remains open, there has been progress in
understanding the relation between different "degrees" of average-case
complexity. We discuss some of these "hardness amplification" results.
Unconditional Relationships within Zero Knowledge
Zero-knowledge protocols enable one party, called a prover, to "convince" another party, called a verifier, of the validity of a mathematical statement such that the verifier "learns nothing" other than the fact that the proven statement is true. The different ways of formulating the terms "convince" and "learns nothing" give rise to four classes of languages having zero-knowledge protocols, which are: statistical zero-knowledge proof systems, computational zero-knowledge proof systems, statistical zero-knowledge argument systems, and computational zero-knowledge argument systems.
We establish complexity-theoretic characterizations of the classes of languages in NP having zero-knowledge argument systems. Using these characterizations, we show that for languages in NP:
-- Instance-dependent commitment schemes are necessary and sufficient for zero-knowledge protocols. Instance-dependent commitment schemes for a given language are commitment schemes that can depend on the instance of the language, and where the hiding and binding properties are required to hold only on the YES and NO instances of the language, respectively.
-- Computational zero knowledge and computational soundness (a property held by argument systems) are symmetric properties. Namely, we show that the class of languages in NP intersect co-NP having zero-knowledge arguments is closed under complement, and that a language in NP has a statistical zero-knowledge **argument** system if and only if its complement has a **computational** zero-knowledge proof system.
-- A method of transforming any zero-knowledge protocol that is secure only against an honest verifier that follows the prescribed protocol into one that is secure against malicious verifiers. In addition, our transformation gives us protocols with desirable properties like having public coins, being black-box simulatable, and having an efficient prover.
The novelty of our results above is that they are **unconditional**, meaning that they do not rely on any unproven complexity assumptions such as the existence of one-way functions. Moreover, in establishing our complexity-theoretic characterizations, we give the first construction of statistical zero-knowledge argument systems for NP based on any one-way function.
Cryptographic Algorithms for Quantum Computers (양자 컴퓨터에 대한 암호학적 알고리즘)
Thesis (Ph.D.) -- Seoul National University Graduate School : College of Natural Sciences, Department of Mathematical Sciences, August 2022. Advisor: 이훈희.
The advent of a quantum mechanical computer presents a clear threat to existing cryptography. On the other hand, the quantum computer also suggests the possibility of a new cryptographic protocol through the properties of quantum mechanics. These two perspectives, respectively, gave rise to a new field called post-quantum cryptography as a countermeasure against quantum attacks and quantum cryptography as a new cryptographic technology using quantum mechanics, which are the subject of this thesis.
In this thesis, we reconsider the security of the current post-quantum cryptography through a new quantum attack, model, and security proof. We present the fine-grained quantum security of hash functions as cryptographic primitives against preprocessing adversaries. We also bring recent quantum information theoretic research into cryptography, creating new quantum public key encryption and quantum commitment. Along the way, we resolve various open problems such as limitations of quantum algorithms with preprocessing computation, oracle separation problems in quantum complexity theory, and public key encryption using group action.
Korean abstract (translated): The advent of computers based on quantum mechanics presents a clear threat to existing cryptography through Shor's algorithm and the like, and at the same time suggests the possibility of new cryptographic protocols based on the properties of quantum mechanics. These two perspectives gave rise, respectively, to the new fields of post-quantum cryptography, as a countermeasure to quantum attacks, and quantum cryptography, cryptographic technology that uses quantum mechanics; both are the subject of this thesis. In this thesis, the security of current post-quantum cryptography is reconsidered through new quantum attack algorithms, models, and security proofs. In particular, it gives a concrete assessment of post-quantum security for cryptographic hash functions, one-way functions, and cryptographic pseudorandom generators. It also brings recent quantum-mechanical research into quantum cryptography, presenting new results such as quantum public-key encryption and quantum commitments. Along the way, it resolves several open problems, including the limitations of quantum algorithms with preprocessing computation, oracle separation problems for quantum complexity classes, and public-key encryption from group actions.
Table of contents:
1 Introduction
1.1 Contributions
1.2 Related Works
1.3 Research Papers
2 Preliminaries
2.1 Quantum Computations
2.2 Quantum Algorithms
2.3 Cryptographic Primitives
Part I Post-Quantum Cryptography: Attacks, New Models, and Proofs
3 Quantum Cryptanalysis
3.1 Introduction
3.2 QROM-AI Algorithm for Function Inversion
3.3 Quantum Multiple Discrete Logarithm Problem
3.4 Discussion and Open Problems
4 Quantum Random Oracle Model with Classical Advice
4.1 Quantum ROM with Auxiliary Input
4.2 Function Inversion
4.3 Pseudorandom Generators
4.4 Post-quantum Primitives
4.5 Discussion and Open Problems
5 Quantum Random Permutations with Quantum Advice
5.1 Bound for Inverting Random Permutations
5.2 Preparation
5.3 Proof of Theorem
5.4 Implication in Complexity Theory
5.5 Discussion and Open Problems
Part II Quantum Cryptography: Public-key Encryptions and Bit Commitments
6 Equivalence Theorem
6.1 Equivalence Theorem
6.2 Non-uniform Equivalence Theorem
6.3 Proof of Equivalence Theorem
7 Quantum Public Key Encryption
7.1 Swap-trapdoor Function Pairs
7.2 Quantum-Ciphertext Public Key Encryption
7.3 Group Action based Construction
7.4 Lattice based Construction
7.5 Discussion and Open Problems
7.6 Deferred Proof
8 Quantum Bit Commitment
8.1 Quantum Commitments
8.2 Efficient Conversion
8.3 Applications of Conversion
8.4 Discussion and Open Problems
Does Fiat-Shamir Require a Cryptographic Hash Function?
The Fiat-Shamir transform is a general method for reducing interaction in public-coin protocols by replacing the random verifier messages with deterministic hashes of the protocol transcript. The soundness of this transformation is usually heuristic and lacks a formal security proof. Instead, to argue security, one can rely on the random oracle methodology, which informally states that whenever a random oracle soundly instantiates Fiat-Shamir, a hash function that is "sufficiently unstructured" (such as fixed-length SHA-2) should suffice. Finally, for some special interactive protocols, it is known how to (1) isolate a concrete security property of a hash function that suffices to instantiate Fiat-Shamir and (2) build a hash function satisfying this property under a cryptographic assumption such as Learning with Errors.
In this work, we abandon this methodology and ask whether Fiat-Shamir truly requires a cryptographic hash function. Perhaps surprisingly, we show that in two of its most common applications --- building signature schemes as well as (general-purpose) non-interactive zero-knowledge arguments --- there are sound Fiat-Shamir instantiations using extremely simple and non-cryptographic hash functions such as sum-mod-p or bit decomposition. In some cases, we make idealized assumptions about the interactive protocol (i.e., we invoke the generic group model), while in others, we argue soundness in the plain model. At a high level, the security of each resulting non-interactive protocol derives from hard problems already implicit in the original interactive protocol.
On the other hand, we also identify important cases in which a cryptographic hash function is provably necessary to instantiate Fiat-Shamir. We hope that this work leads to an improved understanding of the precise role of the hash function in the Fiat-Shamir transformation.
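To make the transform concrete, here is Schnorr identification next to its Fiat-Shamir signature. This is an added example, not code from the paper: the group parameters are constructed toy values, the SHA-256 challenge is the textbook instantiation, and the second, sum-mod-q challenge function is included only to show that the transform itself is indifferent to what H is; it is not the paper's construction and no security is claimed for it with these parameters.

```python
"""Schnorr identification and its Fiat-Shamir signature, side by side.

Added example (not code from the paper). Toy parameters: the order-q subgroup
of Z_p^* with p = 2q + 1; these values are constructed for illustration and are
far too small for real use.
"""
import hashlib
import secrets

Q = 1019            # prime group order (constructed)
P = 2 * Q + 1       # 2039, also prime, so Z_p^* has a subgroup of order Q
G = 4               # a quadratic residue != 1, hence a generator of that subgroup


def keygen():
    """Secret x in [1, Q-1], public y = g^x mod p."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def prover_commit():
    """First prover message: t = g^r for fresh random r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def prover_respond(x, r, c):
    """Third message: s = r + c*x mod q."""
    return (r + c * x) % Q


def verify_transcript(y, t, c, s):
    """Public-coin check shared by both variants: g^s == t * y^c mod p."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def interactive_identification(x, y):
    """Three-move protocol: the verifier picks the challenge uniformly at random."""
    r, t = prover_commit()            # P -> V: t
    c = secrets.randbelow(Q)          # V -> P: random challenge
    s = prover_respond(x, r, c)       # P -> V: s
    return verify_transcript(y, t, c, s)


def sha256_challenge(y, t, msg):
    """Usual instantiation: c = H(statement, first message, message) mod q.
    Hashing y (the statement) as well as t is deliberate; leaving the statement
    out of the hash is the well-known weak-Fiat-Shamir mistake."""
    transcript = f"{P}|{G}|{y}|{t}|".encode() + msg
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big") % Q


def sum_mod_q_challenge(y, t, msg):
    """Deliberately non-cryptographic stand-in, constructed for this example
    only (not the paper's construction). It shows that the transform does not
    care what H is; no security is claimed for it with these toy parameters."""
    return (y + t + sum(msg)) % Q


def fs_sign(x, msg, challenge=sha256_challenge):
    """Fiat-Shamir: the verifier's random message is replaced by challenge()."""
    y = pow(G, x, P)
    r, t = prover_commit()
    c = challenge(y, t, msg)
    s = prover_respond(x, r, c)
    return t, s


def fs_verify(y, msg, sig, challenge=sha256_challenge):
    """Recompute the challenge deterministically and run the same check."""
    t, s = sig
    return verify_transcript(y, t, challenge(y, t, msg), s)
```

The verification equation is identical in both variants; the only thing Fiat-Shamir changes is who chooses c and how. That is why the question of which H is good enough reduces to properties of the interactive protocol plus the hash, which is what the paper studies.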
Dynamical systems via domains: Toward a unified foundation of symbolic and non-symbolic computation
Non-symbolic computation (as, e.g., in biological and artificial neural networks) is astonishingly good at learning and processing noisy real-world data. However, it lacks the kind of understanding we have of symbolic computation (as, e.g., specified by programming languages). Non-symbolic computation, just like symbolic computation, needs a semantics, or behavior description, to achieve structural understanding. Domain theory has provided this for symbolic computation, and this thesis is about extending it to non-symbolic computation. Symbolic and non-symbolic computation can be described in a unified framework as state-discrete and state-continuous dynamical systems, respectively. So we need a semantics for dynamical systems: assigning to a dynamical system a domain, i.e., a certain mathematical structure, describing the system's behavior. In part 1 of the thesis, we provide this domain-theoretic semantics for the "symbolic" state-discrete systems (i.e., labeled transition systems). And in part 2, we do this for the "non-symbolic" state-continuous systems (known from ergodic theory). This is a proper semantics in that the constructions form functors (in the sense of category theory) and, once appropriately formulated, even adjunctions and, stronger yet, equivalences. In part 3, we explore how this semantics relates the two types of computation. It suggests that non-symbolic computation is the limit of symbolic computation (in the "profinite" sense). Conversely, if the system's behavior is fairly stable, it may be described as realizing symbolic computation (here the concepts of ergodicity and algorithmic randomness are useful). However, the underlying concept of stability is limited by a no-go result due to a novel interpretation of Fitch's paradox. This also has implications for AI safety and, more generally, suggests fruitful applications of philosophical tools in the non-symbolic computation of modern AI.
Commitments to Quantum States
What does it mean to commit to a quantum state? In this work, we propose a
simple answer: a commitment to quantum messages is binding if, after the commit
phase, the committed state is hidden from the sender's view. We accompany this
new definition with several instantiations. We build the first non-interactive
succinct quantum state commitments, which can be seen as an analogue of
collision-resistant hashing for quantum messages. We also show that hiding
quantum state commitments (QSCs) are implied by any commitment scheme for
classical messages. All of our constructions can be based on
quantum-cryptographic assumptions that are implied by but are potentially
weaker than one-way functions.
Commitments to quantum states open the door to many new cryptographic
possibilities. Our flagship application of a succinct QSC is a
quantum-communication version of Kilian's succinct arguments for any language
that has quantum PCPs with constant error and polylogarithmic locality.
Plugging in the PCP theorem, this yields succinct arguments for NP under
significantly weaker assumptions than required classically; moreover, if the
quantum PCP conjecture holds, this extends to QMA. At the heart of our security
proof is a new rewinding technique for extracting quantum information.
Statistical Zero-Knowledge Arguments for NP Using Approximable-Preimage-Size One-Way Functions
A statistical zero knowledge argument for NP is a cryptographic primitive that allows a polynomial-time prover to convince another
polynomial-time verifier of the validity of an NP statement. It is guaranteed that even an infinitely powerful verifier learns nothing
other than the validity of the claim.
Naor et al., Journal of Cryptology 1998, showed how to implement such a protocol using any one-way permutation. We achieve such a
protocol using any approximable-preimage-size one-way function. These are one-way functions with the additional feature that there is a
feasible way to approximate the number of preimages of a given output. A special case is regular one-way functions where each output has the
same number of preimages.
Our result is achieved by showing that a variant of the computationally-binding bit-commitment protocol of Naor et al. can be implemented using
any one-way function with "sufficiently dense" output distribution. We construct such functions from approximable-preimage-size one-way
functions using "hashing techniques" inspired by Håstad et al., SIAM Journal on Computing 1998.
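For reference, the bit-commitment protocol of Naor that the abstract builds on, written out as the two-party exchange it is. This is an added example and not code from the paper: Naor's scheme only needs a pseudorandom generator G: {0,1}^n -> {0,1}^{3n}, and the SHA-256 counter-mode stretch used here is a stand-in assumed to behave like one. The last function checks the binding argument by exhaustive search at a toy parameter size.

```python
"""Naor's bit commitment from a pseudorandom generator, as a two-party exchange.

Added example (not code from the paper). The PRG below is SHA-256 in counter
mode, used as a stand-in; the scheme itself only needs some PRG
G: {0,1}^n -> {0,1}^{3n}.
"""
import hashlib
import secrets


def prg(seed: int, n: int) -> int:
    """Stretch an n-bit seed to 3n bits. SHA-256 in counter mode is an
    assumption of this example, not a proven PRG."""
    out, produced, ctr = 0, 0, 0
    seed_bytes = seed.to_bytes((n + 7) // 8, "big")
    while produced < 3 * n:
        block = hashlib.sha256(
            n.to_bytes(4, "big") + seed_bytes + ctr.to_bytes(4, "big")
        ).digest()
        out = (out << 256) | int.from_bytes(block, "big")
        produced += 256
        ctr += 1
    return out & ((1 << (3 * n)) - 1)


def receiver_first_message(n: int) -> int:
    """Receiver -> Sender: a uniformly random 3n-bit string R."""
    return secrets.randbits(3 * n)


def commit(bit: int, R: int, n: int, seed=None):
    """Sender -> Receiver: G(s) to commit to 0, G(s) XOR R to commit to 1.
    Returns the commitment and the opening (s, bit) that the sender keeps."""
    if bit not in (0, 1):
        raise ValueError("commit to a single bit")
    if seed is None:
        seed = secrets.randbits(n)
    c = prg(seed, n) ^ (R if bit else 0)
    return c, (seed, bit)


def verify_opening(c: int, R: int, n: int, seed: int, bit: int) -> bool:
    """Reveal phase: the receiver recomputes the commitment from (s, bit)."""
    return bit in (0, 1) and c == (prg(seed, n) ^ (R if bit else 0))


def equivocable_fraction(n: int) -> float:
    """Fraction of R values for which some sender could open both ways, found
    by exhaustive search for small n. Opening as 0 with s0 and as 1 with s1
    requires G(s0) XOR G(s1) == R. There are at most 2^(2n) seed pairs but
    2^(3n) possible R, so the fraction is at most 2^-n: Naor's binding argument."""
    outs = [prg(s, n) for s in range(1 << n)]
    bad = {a ^ b for a in outs for b in outs}
    return len(bad) / (1 << (3 * n))
```

Hiding comes from the other direction: for a fixed R, both G(s) and G(s) XOR R are indistinguishable from random to a polynomial-time receiver if G is a PRG, so the commitment reveals nothing about the bit. Binding is statistical in the receiver's random R, which is what `equivocable_fraction` measures at n = 4 (at most 1/16 of the R values admit a two-way opening), while the paper's contribution is to replace the PRG by a one-way function with a sufficiently dense output distribution.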