
Applications of Promise Problems to Cryptocomplexity

Nathan Russell

May 3, 2011


Abstract

We show that, assuming a slightly stronger version of a long-open conjecture, no probabilistic public-key cryptosystem is NP-hard to crack. This strengthens the evidence for believing that public key cryptography cannot capture the full power of NP.

Introduction

A public-key cryptosystem, of the sort heavily involved in (e.g.) the security of the Internet, relies on a pair consisting of a public key $K_1$ and a private key $K_2$. The fundamental security assumption is that messages encrypted using the public key cannot be efficiently decrypted without knowledge of the private key. Certain problems in the security of public-key cryptosystems have been addressed by proposing probabilistic cryptosystems, in which either encryption, decryption, or both use randomized algorithms. Our work to date shows that, subject to a slight extension of a long-open conjecture, no probabilistic public-key cryptosystem can be NP-hard to break, unless it behaves improperly nearly half of the time (as measured over choices of random bits). This represents a substantial extension of several known results [ESY84] [GS88]. This is not a nail in the coffin of public-key cryptography since, even if our new conjecture is true, there might exist (indeed, it is widely believed that there do exist) public-key cryptosystems which, while not NP-hard to crack, are infeasible to crack, at least in the average case. NP-hardness is a worst-case statement, which is not only not sufficient for average-case hardness, but is also not necessary.

In fact, it is interesting to briefly note that the most commonly used public-key cryptosystems fundamentally depend on the hardness of the factorization problem. Between the fundamental theorem of arithmetic, which states that every integer has a unique prime factorization, and the result of [AKS04] stating that primality testing is in P, it is easy to see that the factoring decision problem (that is, whether, given a pair $\langle n, k\rangle$, $n$ has a prime factor at most $k$) can be positively and negatively witnessed by simply giving the prime factorization of $n$; as such, factorization is in $\mathrm{NP} \cap \mathrm{coNP}$, making it extremely unlikely that this problem is NP-hard.
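To make the witness argument concrete, here is an added Python example (it is not code from the paper): a deterministic checker that takes a proposed prime factorization of $n$ as the certificate and settles the decision question "does $n$ have a prime factor at most $k$?" in either direction, which is exactly why the problem sits in both NP and coNP. It also shows the usual trick of recovering the search answer (the smallest prime factor) from repeated calls to the decision version, the same pattern the paper later uses when it phrases the generic cracking problem as "decryption greater than a guessed message". The function names are this example's own, and `is_prime` uses trial division as a stand-in for the polynomial-time test of [AKS04].

```python
def is_prime(n):
    """Deterministic trial division; stands in for the polynomial-time AKS test of [AKS04]."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def verify_factoring_certificate(n, k, factors):
    """Verifier for the factoring decision problem <n, k> with the prime factorization
    of n as the certificate. Returns True (n has a prime factor <= k), False (it does
    not), or None when the certificate is invalid. Because the factorization is unique,
    one valid certificate witnesses both the yes and the no answer: NP and coNP."""
    if not factors:
        return None
    product = 1
    for p in factors:
        if not is_prime(p):           # every listed factor must really be prime
            return None
        product *= p
    if product != n:                  # and they must multiply back to n
        return None
    return min(factors) <= k


def smallest_prime_factor_via_oracle(n, decides):
    """Search-to-decision reduction: binary search on k using only the decision
    oracle decides(k) = 'does n have a prime factor at most k?'.
    Uses O(log n) oracle calls."""
    lo, hi = 2, n
    while lo < hi:
        mid = (lo + hi) // 2
        if decides(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    # Constructed instance: n = 77 = 7 * 11.
    cert = [7, 11]
    print(verify_factoring_certificate(77, 10, cert))   # True: 7 <= 10
    print(verify_factoring_certificate(77, 5, cert))    # False: no prime factor <= 5
    print(smallest_prime_factor_via_oracle(77, lambda k: verify_factoring_certificate(77, k, cert)))
```

The oracle passed to the binary search is the verifier closed over a fixed certificate, so the whole procedure stays polynomial in the length of $n$; an invalid certificate is reported as `None` rather than being silently accepted as a "no".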

Prior research

A promise problem is a pair of sets $(Q, R)$ in which a machine must determine membership in the problem set $R$ subject to the assumption that the input belongs to the promise set $Q$ (in other words, it must accept for inputs belonging to $R \cap Q$, must reject for inputs belonging to $Q \cap \bar{R}$, but may behave arbitrarily on inputs belonging to $\bar{Q}$). Perhaps one of the most famous applications of promise problems is the class USAT, in which the problem is to determine whether a formula is satisfiable, subject to the promise that it has at most one satisfying assignment. Applying promise problems to the study of public-key cryptography was introduced by [ESY84] (including a conjecture to be stated later, under which the authors showed that no deterministic public-key cryptosystem is NP-hard to crack), and their results were extended by [GS88]. The later paper introduced the application of similar reasoning to probabilistic public-key cryptosystems, and showed that under certain assumptions about the cryptosystem, no such cryptosystem could be hard to crack unless complexity classes collapse. Our work to date focuses on removing these assumptions about the cryptosystem, but does not directly attain complexity-class collapses. Instead, we formulate a conjecture about promise problems that is a strengthening of the conjecture of [ESY84]. [GG00] found certain direct complexity collapses, while making certain assumptions about the cryptosystem. Our work differs in that we avoid these assumptions, but attain only the falsity of a variant of a long-open conjecture.

Current Status

The long-open ESY Conjecture [ESY84] follows:

Conjecture 3.1. There does not exist a promise problem $(Q, R)$ with:

1. Promise $Q$ in NP.
2. $(Q, R) = Q \cap R$ in $\mathrm{NP} \cap \mathrm{coNP}$ (that is, an NP machine or coNP machine can distinguish members of $Q \cap R$ from members of $Q \cap \bar{R}$).
3. $(Q, R)$ is NP-hard (that is, every member of NP reduces to discriminating membership in $Q \cap R$ from membership in $Q \cap \bar{R}$).

This means that if the cracking problem for any cryptosystem obeys the first two points, either the Conjecture is false, or said cracking problem is not NP-hard.

Largely following [ESY84], define a probabilistic public-key cryptosystem to have public encryption key $k_1$, private decryption key $k_2$, cyphertext $c$, message $m$, and let $r$ be the random data used by the encryption function. Let the random bits used by the generator, or the trapdoor, be $X$. Additionally, there is a probabilistic polynomial-time-computable encryption function $E(m, r, k_1) = c$, decryption function $D(c, k_2) = m$, and generator $G(x) = \langle k_1, k_2\rangle$.

For the Goldwasser-Micali [GM84] cryptosystem, the message is a single bit (call it $b$). This is our simplest result: we have that the cryptosystem never errs (that is, for all messages $m$, random strings $r$ and trapdoors $X$, if $G(X) = \langle k_1, k_2\rangle$ then $D(E(m, r, k_1), k_2) = m$). Let the input be a cyphertext $c$ and public key $k_1$, that is, the input is a tuple $\langle c, k_1\rangle$. Let promise $Q = \{\langle c, k_1\rangle \mid \exists\, m, r, x, k_2 \text{ such that } E(m, r, k_1) = c \text{ and } G(x) = \langle k_1, k_2\rangle\}$. Additionally, let the problem $R = \{\langle c, k_1\rangle \mid D(c, k_2) = 0\}$ (where the choice of bit 0 is arbitrary). In other words, the cracking promise problem is to distinguish messages which encrypt 0 from those which encrypt 1. Clearly, this is sufficient to break the system's security.

Theorem 3.2. Unless ESY is false, the Goldwasser-Micali cryptosystem is not NP-hard to crack; that is, the cracking promise problem as defined above is not NP-hard.

Proof.

1. $Q \in \mathrm{NP}$, as witnessed by a machine that behaves as follows: on input $\langle k_1, c\rangle$, nondeterministically choose $x$ and $r$, and verify that either $E(0, k_1, r) = c$ or $E(1, k_1, r) = c$, and that $G(x) = \langle k_1, k_2\rangle$ for some $k_2$. That is, verify that $c$ is an encryption of some message bit $b$ and that the public key $k_1$ is valid.
2. $(Q, R) \in \mathrm{NP} \cap \mathrm{coNP}$. It is in NP as witnessed by a machine that behaves as follows: on input $\langle c, k_1\rangle$, nondeterministically choose $r$ and accept iff $E(0, k_1, r) = c$. Membership of the promise problem in coNP is witnessed by a machine that behaves similarly, except attempting to encrypt 1. Here is where we use the assumption that the system never errs, and so the machine can assume it has found the ONLY message that encrypts to $c$. (That is, if any random string $r$, when fed into the encryption function along with $k_1$ and $b$ for some $b$, returns a cyphertext $c$, then there is no random string which encrypts the other bit $b \oplus 1$ to $c$.)
3. Now, if $(Q, R)$ is NP-hard, we have a counterexample to ESY.

Now we are ready to define the generic version of the cracking problem, which allows multi-bit messages $m$. For this variant, we still assume that the cryptosystem never errs, that is, for all messages $m$, random strings $r$ and trapdoors $x$, if $G(x) = \langle k_1, k_2\rangle$ then $D(E(m, r, k_1), k_2) = m$ (that is, for any valid keypair, decrypting any encryption of any message gives us the original message). In defining this variant of the cracking problem, we find it convenient to make searching for the message reduce to calls to the (decision) promise problem in a natural way. As such, let the input be a cyphertext, guessed message $m'$ and public key: $\langle c, k_1, m'\rangle$. Let promise $Q = \{\langle c, k_1, m'\rangle \mid \exists\, m, r, x \text{ and } k_2 \text{ such that } E(m, r, k_1) = c \text{ and } G(x) = \langle k_1, k_2\rangle\}$. Additionally, let predicate $R = \{\langle c, k_1, m'\rangle \mid D(c, k_2) > m'\}$.

Theorem 3.3. Unless ESY is false, the generic-no-error cracking promise problem as defined above is not NP-hard.

Proof.

1. $Q \in \mathrm{NP}$, as witnessed by $M$ = (on input $\langle k_1, c\rangle$, nondeterministically choose $x$, $r$ and a message $m$, and verify that $E(m, k_1, r) = c$ and $G(x) = \langle k_1, k_2\rangle$ for some $k_2$. That is, verify that $c$ is an encryption of some $m$ and that the public key $k_1$ is valid.)
2. $(Q, R) \in \mathrm{NP} \cap \mathrm{coNP}$, as witnessed by $M_{\mathrm{NP}}$ = (on input $\langle c, k_1, m'\rangle$, where recall $m'$ is a guessed message, nondeterministically choose $r$ and $m$, and accept iff $E(m, k_1, r) = c$ and $m' < m$) and $M_{\mathrm{coNP}}$, which behaves similarly, except accepting iff $m \le m'$. Here is where we use the assumption that the system never errs, and so the machine can assume it has found the ONLY message which encrypts to $c$.
3. Now, if $(Q, R)$ is NP-hard, we have a counterexample to ESY.

Corollary 3.4. Assuming ESY, the Goldwasser-Micali cryptosystem, as well as Gentry's homomorphic cryptosystem [Gen09], cannot be NP-hard to crack.

Proof. This is immediate by the combination of the observation that these systems do not err and the above theorem.

The Ajtai-Dwork [AD97] cryptosystem has the property that 0 is encrypted by an algorithm that makes use of instructions in the public key, so that the cyphertext is a lattice point near one of the hidden hyperplanes that constitute the private key. 1 is encrypted as a random lattice point, so that, with low probability, 1 might be encrypted as a cyphertext that is also a valid encryption of 0 (and even for the recipient it is impossible to determine that the sender meant to encrypt a 1 in this case). We side-step this problem by defining the cracking problem in terms of detecting encryptions of 0 as follows: $Q = \{\langle k_1, m\rangle \mid \exists\, x, r \text{ such that } G(x) = \langle k_1, k_2\rangle \text{ for some } k_2, \text{ and } m \text{ is a valid encryption using } k_1\}$ and $R = \{\langle m, k_1\rangle \mid D(m, k_2) = 0\}$.

Theorem 3.5. In the Ajtai-Dwork cryptosystem, it is not NP-hard to determine whether a given cyphertext is a valid encryption of 0, unless ESY is false.

Proof. Assuming the ESY conjecture, this promise problem is not NP-hard to solve. Note that $Q \in \mathrm{NP}$ as outlined above, and $(Q, R) \in \mathrm{NP} \cap \mathrm{coNP}$ as witnessed by a machine that nondeterministically chooses $x$ and runs the key generator to get $\langle k_1, k_2\rangle$, rejecting when $k_1$ is not the given public key, then checking if $D(m, k_2) = 0$ and accepting if so. For the coNP case, the machine compares the decryption to 1 rather than 0. So, again, this promise problem is not NP-hard unless ESY is false.
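As an added illustration of Theorem 3.2 (this is example code, not from the paper), the following Python builds a toy Goldwasser-Micali system over constructed tiny primes and spells out the objects the proof manipulates: the generator $G$, encryption $E$, decryption $D$, the promise $Q$, and the two NP machines that together witness $(Q, R) \in \mathrm{NP} \cap \mathrm{coNP}$. Nondeterministic guesses are replaced by brute-force search over the small parameter space, and the trapdoor $x$ is modelled as an index into a list of prime pairs; both are assumptions of this example. The `crack` function solves the promise problem without the private key, which is what "distinguish encryptions of 0 from encryptions of 1" means, and returns `None` off the promise, where the two machines are allowed to disagree or both reject.

```python
from math import gcd

# Constructed toy parameters: tiny primes so that every "nondeterministic choice"
# below can be replaced by an exhaustive search.
SMALL_PRIMES = [7, 11, 13, 19, 23]
PRIME_PAIRS = [(p, q) for i, p in enumerate(SMALL_PRIMES) for q in SMALL_PRIMES[i + 1:]]


def legendre(a, p):
    """Euler's criterion: 1 if a is a quadratic residue mod the odd prime p, p-1 if not."""
    return pow(a % p, (p - 1) // 2, p)


def keygen(x):
    """G(x): the trapdoor x (here an index into PRIME_PAIRS, standing in for the
    generator's random bits) yields public key k1 = (n, y) and private key k2 = (p, q)."""
    p, q = PRIME_PAIRS[x % len(PRIME_PAIRS)]
    n = p * q
    # y is a quadratic non-residue mod both p and q, so its Jacobi symbol mod n is +1.
    y = next(a for a in range(2, n) if legendre(a, p) == p - 1 and legendre(a, q) == q - 1)
    return (n, y), (p, q)


def units(n):
    """Z_n^*: the space of random strings r the encryptor may draw."""
    return [r for r in range(1, n) if gcd(r, n) == 1]


def encrypt(b, r, k1):
    """E(b, r, k1) = y^b * r^2 mod n for a single message bit b."""
    n, y = k1
    return (pow(y, b, n) * r * r) % n


def decrypt(c, k2):
    """D(c, k2): c encrypts 0 iff it is a quadratic residue mod p."""
    p, _ = k2
    return 0 if legendre(c, p) == 1 else 1


def never_errs(x):
    """The no-error property Theorem 3.2 assumes: D(E(b, r, k1), k2) = b for all b and r."""
    k1, k2 = keygen(x)
    return all(decrypt(encrypt(b, r, k1), k2) == b for b in (0, 1) for r in units(k1[0]))


def verify_promise_witness(c, k1, x, r):
    """The deterministic check of the NP machine for Q on a guessed witness (x, r):
    k1 is what G outputs on trapdoor x, and c is E(0, r, k1) or E(1, r, k1)."""
    return keygen(x)[0] == k1 and c in (encrypt(0, r, k1), encrypt(1, r, k1))


def find_promise_witness(c, k1):
    """Brute-force stand-in for the nondeterministic choice of (x, r); None means <c, k1> is outside Q."""
    for x in range(len(PRIME_PAIRS)):
        if keygen(x)[0] != k1:
            continue
        for r in units(k1[0]):
            if verify_promise_witness(c, k1, x, r):
                return x, r
    return None


def np_machine_for_R(c, k1, bit):
    """NP machine for (Q, R) when bit = 0, and for the complement (Q, R-bar) when bit = 1:
    guess r and accept iff E(bit, r, k1) = c."""
    return any(encrypt(bit, r, k1) == c for r in units(k1[0]))


def crack(c, k1):
    """Solve the cracking promise problem using only public information: 0 if <c, k1> is in
    Q and R, 1 if it is in Q but not R, None outside the promise."""
    if find_promise_witness(c, k1) is None:
        return None
    says_zero = np_machine_for_R(c, k1, 0)
    says_one = np_machine_for_R(c, k1, 1)
    # Inside Q the system never errs, so exactly one of the two machines accepts.
    assert says_zero != says_one
    return 0 if says_zero else 1


if __name__ == "__main__":
    k1, k2 = keygen(0)                  # n = 77, y = 6; private key (7, 11)
    c = encrypt(1, 3, k1)               # constructed ciphertext of the bit 1
    print(k1, c, decrypt(c, k2), crack(c, k1), crack(2, k1))
```

Inside the promise the two machines are complementary because of the no-error property, and `crack` asserts exactly that; the ciphertext `2` is not of the form $y^b r^2 \bmod 77$, so it lies outside $Q$ and both machines simply reject, which is the "arbitrary behaviour off the promise" the definition allows.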
Note that in the case where the system has what I call two-sided error (that is, where an encryption of 0 can be decrypted as 1, an encryption of 1 can be decrypted as 0, or a multi-bit message can be decrypted as another arbitrary multi-bit message with some low probability), the strategy in the last theorem does not work since, if encryption and decryption can both err, it is impossible to be totally sure that we have the correct decryption $m$, even if the operations work correctly with high probability. For the Ajtai-Dwork cryptosystem, encryptions of 0 were guaranteed to decrypt to 0, so posing the promise problem in terms of 0 messages sufficed.

We propose a new conjecture, which substitutes MA for NP in several places. Define the error version of the cracking problem: for all messages $m$, random strings $r$ and trapdoors $X$, if $G(x) = \langle k_1, k_2\rangle$ then $D(E(m, r, k_1), k_2) = m$ with high probability over the randomness used by the encryption and decryption functions. Let the input be a cyphertext, guessed message $m'$ and public key: $\langle c, k_1, m'\rangle$. Let promise $Q = \{\langle c, k_1, m'\rangle \mid \exists\, m, x, k_2 \text{ such that } D(c, r, k_2) = m \text{ with high probability over } r \text{ and } G(x) = \langle k_1, k_2\rangle\}$, and let predicate $R = \{\langle c, k_1, m'\rangle \mid D(c, r, k_2) > m' \text{ with high probability}\}$.

First, stating the strengthened form of the conjecture:

Conjecture 3.6. There does not exist a promise problem $(Q, R)$ with:

1. Promise $Q$ in MA.
2. $(Q, R) \in \mathrm{MA} \cap \mathrm{coMA}$ (that is, there are MA-proof systems in which Merlin is able to convince Arthur with high probability that an input belongs to $Q \cap R$, but unable to do so when it actually belongs to $Q \cap \bar{R}$, as well as vice versa).
3. $(Q, R)$ is NP-hard.

Theorem 3.7. Assuming the above conjecture, no probabilistic polynomial-time cryptosystem is NP-hard to crack, as long as it does not err with probability (arbitrarily) $\frac{1}{2} + \epsilon$.

Proof. Intuitively, the use of MA allows us to sidestep the issues of the system erring, since the verifier, Arthur, can use randomness to conduct experiments that permit him to detect cases in which the system has erred. $Q \in \mathrm{MA}$ is necessary if decryption can err, making it impossible to speak of the correct decryption of a given cyphertext. Note that if only encryption can err, and decryption and key generation cannot, we have $Q \in \mathrm{NP}$ by stating the cracking problem in terms of cyphertexts that decrypt to some $m$ with $m' < m$, independent of whether the sender meant to encrypt that $m$ (and the latter determination is not guaranteed to be even information-theoretically possible). However, as long as decryption can err, there is no way to phrase the problem of something being the correct encryption in a natural way in NP. In other words, if we require only $Q \in \mathrm{NP}$, we might be faced with inputs including a cyphertext $c$ that decrypts to some plaintext with low probability, but for which there is no plaintext $m$ such that $D(k_2, r, c) = m$ with high probability. In this case, the proof fails in the next paragraph (since with no high-probability message, Merlin cannot prove that that was the correct message). As such, we need to use the promise to eliminate these instances, and this is the reason for weakening the requirement on the promise to $Q \in \mathrm{MA}$.

The (more) formal proof that $Q \in \mathrm{MA}$ follows: Merlin can send Arthur the pair $\langle k_2, m\rangle$, where $m$ is the high-probability message whose existence must be proven, and $k_2$ is the decryption key. Arthur, even if the decryption function is probabilistic and can err, can check that $D(k_2, c, r) = m$ with high probability over $r$, choosing his own $r$ to ensure uniform sampling of the space. He can also, if provided with $x$, verify the key validity by running the key generation algorithm forwards as before. Even if decryption and encryption can both err, we still have $Q \cap R \in \mathrm{coMA} \cap \mathrm{MA}$ since Merlin can send Arthur the pair $\langle k_2, m\rangle$, and Arthur can draw polynomially many random $r$ and perform exponential amplification to verify $D(k_2, E(k_1, m, r)) = m$, $D(k_2, c, r) = m$ (in the case where the decryption algorithm is randomized) and $m' < m$ (resp. $m \le m'$ for the coMA case). Stating that $Q \cap R$ is NP-hard still makes sense, since MA certainly includes NP-hard problems (and is strongly believed not to include coNP-hard problems, which prevents the new conjecture from being trivially false by choosing an empty promise and a predicate hard for both NP and coNP).

We now consider some analogs to various theorems from the Even-Selman-Yacobi and Grollmann-Selman papers for the new conjecture. By and large, these are either immediate because the new conjecture is a stronger form of the old, or are relatively straightforward strengthenings.

Theorem 3.8. The new conjecture implies that probabilistic cryptosystems with NP-hard cracking problems do not exist. Additionally, the original ESY conjecture implies that such systems can only exist if they do not err (that is, if for all messages and random strings, every decryption of an encryption of a message is the original message).

Proof. This is a restatement of the above theorems. It is a strengthening of Proposition 2, p. 168, of Even, Selman and Yacobi [ESY84].

Theorem 3.9. The new conjecture implies $\mathrm{NP} \neq \mathrm{UP}$.

Proof. Trivial from the observation that the new conjecture is a strengthening of the first, and the first conjecture implies this ([ESY84], Theorem 5).

The following is a theorem of Grollmann and Selman (Theorem 3, page 321) modified for the new conjecture. The same essential proof holds.

Theorem 3.10. There exists a promise problem $(Q, R)$ satisfying the conditions of the new conjecture if and only if there exist disjoint $\le^{p}_{T}$-hard for NP sets $A$ and $B$ in MA such that for every recursive set $L$, if $A \subseteq L$ and $B \cap L = \emptyset$, then $L$ is NP-hard.

Proof. Given a promise problem $(Q, R)$ that satisfies the conditions of the new conjecture, the sets $A = Q \cap R$ and $B = Q \cap \bar{R}$ are $\le^{p}_{T}$-complete for NP sets in MA (since both $R$ and its complement are in MA, as is $Q$). The sets that separate $A$ and $B$ are precisely the solutions of $(Q, R)$, and it follows that every set that separates $A$ and $B$ is NP-hard. Conversely, if such an $A$ and $B$ exist, $(A \cup B, \bar{B})$ satisfies the conditions of the conjecture.
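The amplification step in the proof of Theorem 3.7 (Arthur drawing polynomially many $r$ of his own and taking a majority) is easy to make concrete. The Python below is an added example, not code from the paper: it models a hypothetical decryption function with two-sided error on a constructed fraction of its random strings, implements Arthur's majority check on Merlin's claimed message, and computes the exact binomial probability that the majority is wrong next to the Chernoff-style bound $e^{-2t(1/2 - \epsilon)^2}$, which is where "exponential amplification" comes from. It also includes a decryptor with no high-probability output at all, the kind of input the promise $Q \in \mathrm{MA}$ exists to exclude, and shows that at error rate exactly $\frac{1}{2}$ the majority vote learns nothing, which is the $\frac{1}{2} + \epsilon$ condition in the theorem. All names, the XOR "cryptosystem", and the error model are this example's own assumptions.

```python
import random
from math import comb, exp

NOISE_SPACE = 1000   # constructed: decryption randomness r is drawn uniformly from range(NOISE_SPACE)
ERROR_RATE = 0.1     # constructed: fraction of r on which decryption returns the wrong message


def noisy_decrypt(c, k2, r):
    """Hypothetical erring decryption D(k2, c, r). The 'cryptosystem' is a toy XOR pad:
    the true plaintext is c ^ k2, but on an ERROR_RATE fraction of the random strings r
    the function returns a different message instead (two-sided error in the paper's sense)."""
    if r < ERROR_RATE * NOISE_SPACE:
        return (c ^ k2) ^ (r | 1)      # r | 1 is nonzero, so this is never the true plaintext
    return c ^ k2


def coin_flip_decrypt(c, k2, r):
    """Hypothetical decryption with no high-probability output: half the r give one message
    and half give another. Inputs like this are exactly what the promise Q in MA excludes."""
    return (c ^ k2) if r % 2 == 0 else (c ^ k2) ^ 1


def arthur_accepts(decrypt_fn, c, k2, claimed_m, samples, rng):
    """Arthur's amplified check of Merlin's pair <k2, m>: draw `samples` random strings r
    himself (so Merlin cannot choose them) and accept iff a strict majority of the
    decryptions equal the claimed m."""
    agreements = sum(1 for _ in range(samples)
                     if decrypt_fn(c, k2, rng.randrange(NOISE_SPACE)) == claimed_m)
    return 2 * agreements > samples


def majority_failure_probability(samples, per_sample_error):
    """Exact probability that Arthur's majority vote is wrong or tied when each of `samples`
    independent decryptions errs with probability per_sample_error (binomial upper tail)."""
    t, p = samples, per_sample_error
    return sum(comb(t, k) * p ** k * (1 - p) ** (t - k) for k in range((t + 1) // 2, t + 1))


def chernoff_bound(samples, per_sample_error):
    """Hoeffding/Chernoff-style bound exp(-2 t (1/2 - p)^2) on the same failure probability:
    exponential decay in t as long as the error rate p stays below 1/2 by a constant."""
    return exp(-2 * samples * (0.5 - per_sample_error) ** 2)


def demo_arthur(seed=2011, samples=101):
    """Run Arthur's check on a constructed ciphertext, once with Merlin's honest claim and
    once with a wrong message. Returns the pair of verdicts (honest, dishonest)."""
    rng = random.Random(seed)
    c, k2 = 0b101101, 0b011010
    honest = arthur_accepts(noisy_decrypt, c, k2, c ^ k2, samples, rng)
    dishonest = arthur_accepts(noisy_decrypt, c, k2, (c ^ k2) ^ 1, samples, rng)
    return honest, dishonest


if __name__ == "__main__":
    print(demo_arthur())
    for t in (1, 11, 51, 101):
        print(t, majority_failure_probability(t, ERROR_RATE), chernoff_bound(t, ERROR_RATE))
    # With coin_flip_decrypt neither claim is accepted reliably: the failure probability
    # at error rate 1/2 stays at 1/2 no matter how many samples Arthur draws.
    print(majority_failure_probability(101, 0.5))
```

The important design point is the one the proof makes: Arthur samples $r$ himself, so Merlin's only leverage is the claimed $\langle k_2, m\rangle$, and a false claim survives the vote only if the decryptor happens to output it on a majority of independent draws, which the tail computation shows is exponentially unlikely once the error rate is bounded away from $\frac{1}{2}$.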

Proposed Research

There exist several possible research directions expanding on the work we have completed to date. In particular, it should be possible to find interesting results about probabilistic one-way functions, perhaps based on the worst-case to average-case reduction results of [AGGM06]. Another possibility is to consider analogs of the theorems proved for the original conjecture by [ESY84] and [GS88], both of whom showed many interesting results about promise problems related to the original conjecture for NP. There is no reason to believe that interesting analogs for MA could not be found. Alternatively, perhaps under any of several derandomization results, the two conjectures could be shown to be equivalent. Note that if BPP = P, MA immediately collapses to NP (since Arthur can act as a P-verifier). This is true, by Impagliazzo and Wigderson [IW96], assuming that every problem in E lacks subexponential circuits. An interesting question is whether an oracle exists relative to which MA does not have a complete language. Intuition suggests that this is true, especially given the class's close connection with probabilistic classes such as BPP, which do not have known complete languages. Finally, we might consider how the new conjecture relates to propositional proof systems. Would P-inseparability using MA rather than NP make sense?

References

[AD97] Miklos Ajtai and Cynthia Dwork. A public-key cryptosystem with worst-case/average-case equivalence. pages 284–293, 1997.

[AGGM06] Adi Akavia, Oded Goldreich, Shafi Goldwasser, and Dana Moshkovitz. On basing one-way functions on NP-hardness. In Proceedings of the thirty-eighth annual ACM symposium on Theory of computing, STOC '06, pages 701–710, New York, NY, USA, 2006. ACM.

[AKS04] Manindra Agrawal, Neeraj Kayal, and Nitin Saxena. PRIMES is in P. 2004.

[ESY84] Shimon Even, Alan L. Selman, and Yacov Yacobi. The complexity of promise problems with applications to public-key cryptography. Information and Control, 61(2):159–173, 1984.

[Gen09] Craig Gentry. Fully homomorphic encryption using ideal lattices. In STOC, pages 169–178, 2009.

[GG00] Oded Goldreich and Shafi Goldwasser. On the possibility of basing cryptography on the assumption that P != NP. 2000.

[GM84] Shafi Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

[GS88] Joachim Grollmann and Alan L. Selman. Complexity measures for public-key cryptosystems. SIAM J. Comput., 17:309–335, April 1988.

[IW96] Russell Impagliazzo and Avi Wigderson. P = BPP unless E has sub-exponential circuits: Derandomizing the XOR lemma (preliminary version). In Proceedings of the 29th STOC, pages 220–229. ACM Press, 1996.
