Complexity Theory and Cryptography

Mihai Prunescu*

Recall the complexity classes P and NP. The class P consists of the sets A ⊆ {0, 1}∗ such that the
caracteristic function 1A is computable in polynomial time. This means that there is a polynomial
p(n) such that for every x ∈ {0, 1}∗ , the value 1A (x) is deterministically computed in at most
p(|x|) steps. The class NP consists of the sets B ⊆ {0, 1}∗ such that there is a set A ∈ P and a
polynomial q(n) with the property that:

∀x ∈ {0, 1}∗ x ∈ B ←→ ∃ y ∈ {0, 1}∗ |y| = q(|x|) ∧ (y, x) ∈ A.

Also, a set C belongs to coNP if and only its complement {0, 1}∗ \ C belongs to NP.
The question of P = NP is one of the most important and the most difficult questions of mathe-
matics, and is open.
There are various connections between this question and the cryptographic security. Most of the
public key algorithms rely on the supposition that the problem called FACTORING or the problem
called DISCRETE LOGARITHM are not solvable in polynomial time. Let us take a closer look
at FACTORING:
The function called multiplication (x, y) ; xy is polynomial time computable in the length of the
pair (x, y) written binary. It is not known if for prime numbers p, q ∈ N, the reverse operation
pq ; (p, q) is computable in polynomial time. In contrast, the set of COMPOSITE numbers
belongs to NP. To prove that a number x is composite, it is enough to guess a number y with
|y| < |x| and to perform the division x : y hoping that the remainder will be 0. (Observe that
division with remainder can be performed in polynomial time as well.) The complement of the set
COMPOSITE is the set PRIME which consequently belongs to coNP.
There was a serious earthquake in 2003 when Manindra Agrawal, Neeraj Kayal and Nitin Saxena
shown that the decision problems PRIME - and so also COMPOSITE - are in P. So for a product
of two primes pq we can decide in polynomial time that the number is composite, but we don’t
know yet if we can find in polynomial time one of its nontrivial divisors p and q. However, to
find such a divisor means to find a certificate proving that pq belongs to the set COMPOSITE, as
above. How sure can we be that the computational problem is not solvable in polynomial time,
while the decision problem is solvable in polynomial time?
The goal of this lecture is to explore some other connections between complexity theory and
cryptography.

Theorem 1 Suppose P = NP. Let (Enc, Dec) be a polynomial-time computable encryption scheme
with the keys shorter then the messages. Then there is a deterministic polynomial-time algorithm
A such that for every input-length m there is a pair of messages x0 , x1 ∈ {0, 1}m satisfying:
3
P r[A(Enck (xb )) = b] ≥ ,
4
where b ∈ {0, 1}, k ∈ {0, 1}n and n < m.
* This belongs to the content of the chapter ”Cryptography” from the book Computational Complexity by Arora
and Barak combined with some definitions and commentaries introduced by me.

1
Proof: Let S ⊂ {0, 1}∗ be the set of encryptions of 0m by all possible keys of length n. So
y ∈ S if and only if y = Enck (0m ) for some k. If P = NP then the membership to S can be
deterministically verified in polynomial time.
We define the algorithm A as follows: A(y) = 0 if y ∈ S and A(y) = 1 otherwise. We set x0 = 0m .
We claim that there is a x1 such that the hypothesis holds.
For some message x ∈ {0, 1}m let Dx be the set {Enck (x) | k ∈ {0, 1}n }. Of course Dx0 = D0m =
S. This means that:
P r[A(Dx0 ) = 0] = 1.
We observe that:
1 1 1 1
P r[A(Enck (xb )) = b] = P r[A(Dx0 ) = 0] + P r[A(Dx1 ) = 1] = + P r[A(Dx1 ) = 1],
2 2 2 2
so it would be sufficient to show that ∃ x1 ∈ {0, 1}m such that P r[A(Dx1 ) = 1] ≥ 12 .
By complementarity this would be sufficient to show that for some x1 ∈ {0, 1}m ,
1
P rk [Enck (x1 ) ∈ S] ≤ .
2

Suppose otherwise that for all x1 ∈ {0, 1}m :

1
P rk [Enck (x1 ) ∈ S] > .
2

Let Ω = {1, . . . , u} be a finite space of probability, let p : Ω → [0, 1] be the corresponding

probability and let X : Ω → R be some random variable. We recall that the expectation of X is
the sum:
E X := p(1)X(1) + · · · + p(u)X(u).

Consider the random variable S : {0, 1}m × {0, 1}k → R given by:
(
1, Enck (x) ∈ S,
S(x, k) =
0, Enck (x) ∈
/ S.

We define:
T = Ex,k S(x, k).

From our supposition, it follows T > 21 . But on the other hand:

1
T = Ek [Ex S(x, k)] ≤ ,
2
because for all k ∈ {0, 1}n , the function x ; Enck (x) is injective, hence at most 2n ≤ 2m /2 many
x can be mapped to the set S, which has itself size ≤ 2n . This is a contradiction. 2
Definition: A non-deterministic Turing machine (probabilistic Turing machine) is a Turing ma-
chine which has two different transition functions δ0 , δ1 : S × Γ → S × Γ × {1, −1, 0} and outputs
only 1 (accept) or 0 (reject). At every step, one of the two functions is chosen and the step is
performed. 2
Definition: For T : N → N and L ⊆ {0, 1}∗ we say that a probabilistic Turing machine M decides
L in time T (n) if for every x ∈ {0, 1}∗ , M stops in T (|x|) steps regardless of its random choices
and P r[M (x) = L(x)] ≥ 2/3. Here the constant 2/3 is not relevant and can be replaced by any
real number which is strictly bigger than 1/2.S We let BPTIME(T (n)) be the class of languages
decided in time O(T (n)) and define BPP = c BPTIME(nc ). 2

2
Definition: A function ε : N → [0, 1] is called negligible if and only if for all c ∈ N and all
sufficiently large n, ε(n) < n−c . 2
Definition: Let f : {0, 1}∗ → {0, 1}∗ a function which is computable in polynomial time. The
function f is called a one way function if for every polynomial time probabilistic algorithm A
there is a negligible function ε : N → [0, 1] such that for all n:

P r|x|=n,y=f (x) [f (A(y)) = y] < ε(n).

Conjecture: One-way functions exist.

Possible examples:
Multiplication: x = (x1 , x2 ) ; bin(num(x1 ) num(x2 )). The inverse would be the problem FAC-
TORING. Moreover, numbers have different decompositions as a product, only for product of
primes one has a unique decomposition if the factors are sorted by absolute value.
RSA function: Given N ∈ N, e ∈ N relatively prime with |Z× ×
N | and t ∈ ZN arbitrary, the function
t ; t is known to be one-to-one and hard to invert. In fact, this is easy to invert if the prime
e

decomposition of N is known.
Rabin’s function: N = pq where p, q = 1 mod 4 are prime numbers. Then the function t ∈ QRN →
QRN given by t ; t2 mod N is one to one and hard to invert. This is also easy to invert if the
factorisation of N is known.
Levin’s Universal One-Way Function: The name is justified by the fact that if one-way functions
exist, then it is known that the following function is a one-way function. We denote by Mi the
i-th Turing machine. For a Turing machine M, let M t be the output of M on input x if M needs
at most t steps to stop, and 0|x| if not.
An input x of length n is considered to be a list x1 . . . xlog n of strings of length n/ log n. Then we
define the universal one-way function fU to be:
2 2
fU (x) = M1n (x1 ) . . . Mlog
n
n (xlog n ).

Definition: Let (Enc, Dec) be some encryption system for |k| = n and |x| = m. This system
is called computationally secure if for every probabilistic polynomial time algorithm A there is a
negligible function ε : N → [0, 1] such that:
1
P r[A(Enck (x)) = (i, b) | xi = b] ≤ + ε(n).
2

It is known that if one-way functions exist, then for every c ∈ N, c 6= 0, there is a computationally
secure encryption method with |k| = n and |x| = nc . Our goal is to understand this fact to some
extent.
Definition: Let G : {0, 1}∗ → {0, 1}∗ and l : N → N functions computable in polynomial time
such that l(n) > n. G is a function of stretch l(n) if for all x ∈ {0, 1}∗ , |G(x)| = l(|x|). Such a
function is a secure pseudorandom generator if for every probabilistic polynomial time algorithm
A there is a negligible function ε : N → [0, 1] such that:

|P r|x|=n [A(G(x)) = 1] − P r|y|=l(n) [A(y) = 1]| < ε(n).

It is a known fact that if one-way functions exist then for all c ∈ N there is a secure pseudorandom
generator with stretch l(n) = nc . We will prove this only in the special case in which the one-way
function is a permutation. This is not really a strong restriction because using the Feistel net
method, every one-way function can be transformed in a one-way permutation.

Lemma 2 Suppose there is an injective one-way function f : {0, 1}∗ → {0, 1}∗ such that |f (x)| =
|x|. Then for all c, there is a computationally secure pseudorandom generator of stretch nc .

3
Before we proceed in this direction, we introduce an alternative definition of the computationally
secure pseudorandom generator.
Definition: Let G : {0, 1}∗ → {0, 1}∗ be a polynomial time computable function of stretch
l(n). G is called unpredictable if for every polynomial time probabilistic algorithm B there is
ε : N → [0, 1] negligible function such that:
1
P ry=G(x),1≤i≤l(n) [B(1n , y1 . . . , yi−1 ) = yi ] ≤ + ε(n),
2
where x is a random word of length n. 2
With other words, to predict the next bit is difficult even if you have all the previous bits. Of
course, pseudorandom implies unpredictable. But the converse is also true.

Theorem 3 (Yao, 1982) Let G : {0, 1}∗ → {0, 1}∗ and l : N → N functions computable in
polynomial time such that l(n) > n. G is a function of stretch l(n) if for all x ∈ {0, 1}∗ , |G(x)| =
l(|x|). If G is unpredictable, then G is a secure pseudorandom generator. Moreover: If for every
probabilistic polynomial time algorithm A there is a probabilistic polynomial time algorithm B such
that from ∀ n ∈ N, ∀ ε > 0, if:

|P r|x|=n [A(G(x)) = 1] − P r|y|=l(n) [A(y) = 1]| ≥ ε

then:
1 ε
P ry=G(x),1≤i≤l(n) [B(1n , y1 . . . , yi−1 ) = yi ] ≥ + ,
2 l(n)

Proof: We observe that the ”moreover” part implies the whole theorem. So let us prove it.
Let A be some polynomial time probabilistic algorithm that is supposed to more likely output 1
on inputs from G({0, 1}n ) then on inputs from {0, 1}l(n) . We construct a predictor algorithm B
as follows:
B chooses zi , . . . , zl(n) random,
B computes a = A(y1 , . . . , yi−1 , zi , . . . , zl(n) ),
If a = 1, B outputs zi ,
If a = 0, B outputs 1 − zi .
Let us show that:
1 ε
P ry=G(x),1≤i≤l(n) [B(1n , y1 . . . , yi−1 ) = yi ] ≥ + .
2 l(n)

We fix n and let l = l(n). We define following distributions of probability D0 , . . . , Dl over {0, 1}l .
For some i, Di is constructed as follows: Take x ∈ {0, 1}n arbitrary, y = G(x), and output
y1 , . . . , yi , zi+1 , . . . , zl where all zk are chosen randomly in {0, 1}. Then D0 = {0, 1}l with the
uniform probability distribution and Dl = G({0, 1}n ) is the probability distribution on the image
of G, supposing that the inputs from {0, 1}n are equally probable.
Denote with pi := P r[A(Di ) = 1]. Observe that pl − p0 ≥ ε. Observe also that:

pl − p0 = (pl − pl−1 ) + (pl−1 − pl−2 ) + · · · + (p1 − p0 ) ≥ ε.

It follows that:
ε
E1≤i≤l [pi − pi−1 ] ≥ .
l
We show that that for every i between 1 and l(n):
1
P ry=G(x) [B(1n , y1 . . . , yi−1 ) = yi ] ≥ + (pi − pi−1 ).
2

4
B predicts yi correctly if and only if (a = 1 ∧ yi = zi ) ∨ (a 6= 1 ∧ yi = 1 − zi ), so this happens with
probability:
1 1
P r[a = 1 | zi = yi ] + (1 − P r[a = 1 | zi = 1 − yi ]).
2 2
If zi = yi , B invokes A with the distribution Di so P r[a = 1 | zi = yi ] = pi . If not, then B invokes
A with the distribution Di−1 . Hence:
1 1 1 1
pi−1 = P r[a = 1] = P r[a = 1 | zi = yi ] + P r[a = 1 | zi = 1 − yi ] = pi + P r[a = 1 | zi = 1 − yi ].
2 2 2 2
So B predicts yi with probability 1
2 + pi − pi−1 . 2
Here we recall some technical facts:

Lemma 4 If a1 , a2 , . . . , an ≥ 0 are numbers whose average is c, then the fraction of ai ’s that are
at least kc is at most 1/k.

Lemma 5 (Markov) Any nonnegative random variable X satisfies:

1
P r[ X ≥ kE(X) ] ≤ .
k

Definition: For a random variable X we consider the random variable (X −E X)2 . Its expectation
is denoted:
V ar(X) = E (X − E X)2
and is called the variance of X. 2
The following facts are easy to prove:
V ar(X) ≥ 0,
V ar(X) = E X 2 − (E X)2 .

If X1 , . . . , Xn are pairwise independent random variables, then:

X X
V ar( Xi ) = V ar(Xi ).

p
Definition: The quantity σ = V ar(X) is called the standard deviation of X.

Lemma 6 (Chebyshev) If X is a random variable with standard deviation σ, then for every k > 0:
1
P r[ |X − E X| > kσ ] ≤ .
k2

Proof: Apply Markov’s inequality to the random variable (X − E X)2 , and its expectation is σ 2 .
2
Now we can finally formulate our main result:

Theorem 7 (Goldreich - Levin) Let f : {0, 1}∗ → {0, 1}∗ an injective one-way function with
|f (x)| = |x|. Then for every probabilistic polynomial time algorithm A there is a negligible function
ε : N → [0, 1] such that:
1
P rx,r [A(f (x), r) = hx, ri] ≤ + ε(n)
2
Pn
where x, r ∈ {0, 1}n and hx, ri = ( i=1 xi ri ) mod 2.

5
This means that G(x, r) = f (x), r, hx, ri is a secure pseudorandom generator that extends its input
by one bit, so has stretch l(n) = n + 1.
Proof: For every probabilistic polynomial time algorithm A that violates the conclusion, we
construct a probabilistic polynomial time algorithm B that invert the permutation f , contradicting
the hypothesis that f is a one-way permutation. Specifically, if for some n,
1
P rx,r [A(f (x), r) = hx, ri] ≥ +ε
2
then B will run in time O(n2 /ε2 ) and inverts the one-way permutation f on inputs of length n
with probability at least Ω(ε).
According to the hypothesis, by average arguments, for at least a ε/2 fraction of the x’s (with r
fixed), the probability that A(f (x), r) = hx, ri is at least 1/2 + ε/2. We call such an x good. We
show that B with high probability inverts f (x) for x good.
For example, if P rr [A(f (x), r) = hx, ri] = 1 then it is easy to recover x from f (x). Just run
A(f (x), 10 . . . 0), A(f (x), 01 . . . 0), . . . , A(f (x), 00 . . . 1) to get the first bit of x, the second bit of
x, . . . , the last bit of x. We find them to be exactly the products hx, ei i.
A special case:
In order to ilustrate the general idea, we first show the particular case with:

P rr [A(f (x), r) = hx, ri] ≥ 0.9.

In this case we cannot trust anymore the result of A(f (x), ei ) because ei could belong to the 2n /10
values of r for which the answer is false. But we observe that:

P rr [A(f (x), r) 6= hx, ri ∨ A(f (x), r ⊕ ei ) 6= hx, r ⊕ ei i] ≤ 0.2

But hx, r ⊕ ei i = (hx, ri + hx, ei i) mod 2, so if r is chosen at random, and we compute z = hx, ri
and z 0 = hx, r ⊕ ei i then z ⊕ z 0 is equal to xi with probability at least 0.8. We can amplify this
probability by taking majorities.
Algorithm B1 :
1. Choose r1 , . . . , rm independently and random in {0, 1}n . The number m is still to determine.
2. For every 1 ≤ i ≤ n:
- Compute the values z1 = A(f (x), r1 ), z10 = A(f (x), r1 ⊕ ei ), . . . , zm = A(f (x), rm ), zm
0
=
m
A(f (x), r ⊕ ei ).
- Guess that xi is the majority value among {zj ⊕ zj0 } with 1 ≤ j ≤ m.
We will see that if m = 200n then for every i this value will be correct with probability at least
1 − 1/(10n) so the word x is correct with probability at least 0.9. To prove this, let the random
variable Zj be 1 if A(f (x), rj ) = hx, rj i ∧ A(f (x), rj ⊕ ei ) = hx, rj ⊕ ei i, and 0 if not. Observe
that the random variables Z1 , . . . , Zm are independent and E(Zj ) ≥ 0.8 for every j. It is enough
to show that with probability of 1 − 1/(10n) strictly more than m/2 of the Zj are equal with 1.
This is equivalent for Z = Z1 + · · · + Zm that:

P r[ Z ≤ m/2 ] ≤ 1/(10n).

But we know that E(Z) ≥ 0.8m so we need only a bound for P r[ |Z − E(Z)| ≥ 0.3m ]. By the
Chebychev’s inequality: p
P r[ |Z − E(Z)| ≥ k V ar(Z) ] ≤ 1/k 2 .
P
As the random variables Zj are independent, V ar(Z) = V ar(Zj ). As they are 0 - 1 variables,
p √ √
V ar(Zj ) ≤ 1, so V ar(Z) ≤ m. So for k = 0.3 m one has:
√
P r[ |Z − E(Z)| ≥ 0.3m ] ≤ 1/(0.3 m)2 ,

6
which is smaller than 1/(10n) by our choice of m = 200n.
The general case:
If the success probability is only 1/2 + ε/2, which is much smaller than 0.75, the idea from above
seems not to work anymore.
But it does. The new idea is to show how to pick r1 , . . . , rm pairwise independent such that we
already ”know” each hx, ri i. Let k be such that m ≤ 2k − 1.
1. Choose k strings s1 , . . . , sk independently at random from {0, 1}m .
2. For every P1 ≤ j ≤ m we associate a unique nonempty set Tj ⊂ {1, . . . k} in some fashion and
define rj = ( t∈Tj st ) mod 2.
It can be shown that the strings rj are now pairwise independent. Moreover, hx, rj i = t∈Tj hx, st i.
P

So if we know the k values hx, st i, then we can deduce the m values hx, rj i. Since 2k = O(m) we
can enumerate over all possible guesses for hx, st i in polynomial time. This leads to the following
algorithm to invert f :
Algorithm B: Input y ∈ {0, 1}m , where y = f (x) for unknown x. We suppose that x is good
because it does not matters what happens if x is not good.
Operation: Let m = 200n/ε2 and k be the smallest natural number such that m ≤ 2k − 1. Choose
s1 , . . . , sk independently at random in {0, 1}k and define r1 , . . . , rm as previously. For every
w ∈ {0, 1}k do the following:
- Run the algorithm B1 under the assumption that hx, st i = P wt for all 1 ≤ t ≤ k. For every
1 ≤ i ≤ n we compute our guess zj for hx, rj i by setting zj = t∈Tj wt . We compute the guess
zj0 = A(y, rj ⊕ ei ).
- For every i, the guess for xi is the majority value among {zj ⊕ zj0 } with 1 ≤ j ≤ m.
- For x = x1 . . . xm we test if f (x) = y. When we find such an x, we stop.
2
After having constructed a pseudo-random generator of stretch l(n) = n + 1, we can now construct
pseudorandom generators of arbitrary polynomial stretch:

Theorem 8 If f is a one-way permutation and c ∈ N then the function G that maps x, r ∈ {0, 1}n
to:
r, hf l (x), ri, hf l−1 (x), ri, . . . hf (x), ri
where l = nc is a secure pseudorandom generator of stretch l(2n) = n + nc .