In usual calculus, the exponential function plays a central role, and this is due (I believe) to the fact that it links sums and (usual) products in a really beautiful way.

I have tried reading the suggested book “Tools for PDE” by M.E. Taylor, but I found it really hard for me. So, what can we say about functions with properties similar to those of the exponential function, considering paraproducts instead of usual products?

Please, if someone has any idea I would really appreciate her (or his) help. Thanks!! I have some conjectures…

You can find my e-mail on this website

http://www.usc.es/es/centros/matematicas/profesor.html?Num_Puesto=16662&Num_Persona=198874&ano=66

I have tried reading the suggested book “Tools for PDE” but I found it really hard for me.

Hi Gil,

You are right that in crypto we have the freedom to choose the distribution over inputs that will make the problem hardest, and that distribution doesn’t have to be the uniform distribution. However, in many cases, crypto is concerned with clean distributions such as uniform strings, random matrices, the product of two random primes, etc. In fact, crypto may be the only “real world” application where one indeed needs to solve instances generated by such clean distributions (in contrast, instances coming from “nature” will be at best only approximately from a model distribution).

Levin gave a general definition of what it means to have a “polynomial on the average” algorithm for a given problem F and a distribution D (it turns out there are some subtleties in defining these). He then showed some completeness results, although unfortunately the reductions seem to always either make the problem or the distribution “unnatural”.

There is a subtle reason why Levin’s notion is not immediately useful to cryptography. This is explained beautifully in this survey of Russell Impagliazzo who calls it the difference between “Pessiland” and “Minicrypt”. Roughly speaking, to be useful for crypto, we need a way to sample “planted hard instances” of the distribution. For some natural distributions such as random clique and random 3SAT this is easy due to the symmetries of the distribution, but it can conceivably be the case that there is a problem F (in NP) and a distribution D such that we can efficiently sample an input from D, but we have no procedure to sample a pair (x,y) of an input from D and a solution (i.e. “witness”) y to this input. It is the latter procedure that is needed to use F as a basis for cryptography.

It is worth mentioning also that there are various notions of “average case analysis”. The most naive notion is about uniform distribution on the inputs. A more sophisticated notion is about an arbitrary “computable” distribution of the inputs which is (I believe) what “Levin’s average case complexity” is more or less about. Levin’s notion of average case complexity is probably the more intimately connected with cryptography but I am sure Boaz can explain it much better than me.
