View
18
Download
0
Category
Tags:
Preview:
DESCRIPTION
Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U. message. message. Arthur-Merlin Games [BM]. - PowerPoint PPT Presentation
Citation preview
Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.
Danny Gutfreund, Hebrew U.Ronen Shaltiel, Weizmann
Inst.Amnon Ta-Shma, Tel-Aviv U.
Arthur-Merlin Games [BM] Interactive games in which the all-
powerful prover Merlin attempts to prove some statement to a probabilistic poly-time verifier.
Merlin Arthur“xL”
toss coinsmessage
message
I accept
Arthur-Merlin Games [BM] Completeness: If the statement is
true then Arthur accepts. Soundness: If the statement is
false then Pr[Arthur accepts]<½.
Merlin Arthur“xL”
toss coinsmessage
message
I accept
Arthur-Merlin Games [BM] Completeness: If the statement is
true then Arthur accepts. Soundness: If the statement is
false then Pr[Arthur accepts]<½.
The class AM: All languages L which have an Arthur-Merlin protocol.
Contains many interesting problems not known to be in NP.
Example: Co-isomorphism of Graphs. L={G1,G2: the labeled graphs G1,G2 are
not isomorphic}. L in coNP and is not known to be in NP.
Merlin Arthur(G1,G2 ) L
Randonly chooses:
b {1,2} random permutation of
Gb
“The graph Gc was permuted”
Decides which of the two graphs
was permuted.
Verifies that c=b.
The big question:
Does AM=NP?
In other words: Can every Arthur-Merlin protocol be replaced with one in which Arthur is deterministic?
Note that such a protocol is an NP proof.
Derandomization: a brief overview A paradigm that attempts to transform:
Probabilistic algorithms => deterministic algorithms. (P BPP EXP NEXP).
Probabilistic protocols => deterministic protocols. (NP AM EXP NEXP).
We don’t know how to separate BPP and NEXP.
Can derandomize BPP and AM under natural complexity theoretic assumptions.
Hardness versus Randomness Initiated by [BM,Yao,Shamir].
Assumption: hard functions exist.
Conclusion: Derandomization.
A lot of works: [BM82,Y82,HILL,NW88,BFNW93, I95,IW97,IW98,KvM99,STV99,ISW99,MV99, ISW00,SU01,U02,TV02]
A quick surveyAssumption: There exists a function in
DTIME(2O(n)) which is hard for “small” circuits.
ClassBPPAM
A hard function for:
Deterministic circuits
Nondeterministic circuits
High-endBPP=PAM=NP
Low-endBPPSUBEXPAM NSUBEXP
Hardness versus Randomness
Assumption: hard functions exist.
Conclusion: Derandomization.
Hardness versus Randomness
Assumption: hard functions exist.
Exists pseudo-random generator
Conclusion: Derandomization.
Pseudo-random generators A pseudo-random generator (PRG) is an algorithm
that stretches a short string of truly random bits into a long string of pseudo-random bits.
pseudo-random bits
PRG seed
Pseudo-random bits are indistinguishable from truly random bits for feasible algorithms.
For derandomizing AM: Feasible algorithms = nondeterministic circuits.
??????????????
Pseudo-random generators for nondeterministic circuits Nondeterministic circuits can identify pseudo-
random strings. Given a long string, guess a short seed and check
that PRG(seed)=long string. Can distinguish between random strings and
pseudo-random strings. Assuming the circuit can run the PRG!! The Nisan-Wigderson setup: The circuit cannot run
the PRG!! For example: The PRG runs in time n5 and fools
(nondeterministic) circuits of size n3. Sufficient for derandomization!!
The Nisan-Wigderson setting We’re given a function f which is:
Hard for small circuits. Computable by uniform machines with “slightly”
larger time. Basic idea:
G(x)=x,f(x) “f(x) looks random to a small circuit that sees x”.
Warning: no composition theorems. Correctness proof of PRG can’t use it’s efficiency.
The PRG runs in time “slightly” larger than the size of the circuit.
Hardness versus Randomness
Assumption: hard functions exist.
Exists pseudo-random generator
Conclusion: Derandomization.
PRG’s for nondeterministic circuits derandomize AM We can model the AM protocol as a
nondeterministic circuit which gets the random coins as input.
Merlin Arthur“xL”
random message
message
I accept
Hardwire input
PRG’s for nondeterministic circuits derandomize AM We can model the AM protocol as a
nondeterministic circuit which gets the random coins as input.
Merlin Arthur“xL”
random input
Nondeterministic guess
I accept
inputNondeterministic guessHardwire input
PRG’s for nondeterministic circuits derandomize AM We can model the AM protocol as a
nondeterministic circuit which gets the random coins as input.
We can use pseudo-random bits instead of truly random bits.
Merlin Arthur“xL”
pseudo-random input
Nondeterministic guess
I accept
Nondeterministic guess inputHardwire input
PRG’s for nondeterministic circuits derandomize AM We have an AM protocol in which Arthur
acts deterministically. (Arthur sends all pseudo-random strings
and Merlin replies on each one.) Deterministic protocol => NP proof.
Merlin Arthur“xL”
pseudo-random input
Nondeterministic guess
I accept
A quick surveyAssumption: There exists a function in
DTIME(2O(n)) which is hard for “small” circuits.
ClassBPPAM
A hard function for:
Deterministic circuits
Nondeterministic circuits
High-endBPP=PAM=NP
Low-endBPPSUBEXPAMNSUBEXP
Uniform Hardness versus Randomness The conclusion in the results above involve
only uniform classes (BPP,AM,P,NP). The assumptions involve nonuniform classes. All the results above assume hardness for
circuits (nonuniform machines). Can we get derandomization from uniform
assumptions? Follow from uniform assumptions such as
EXP≠PH [KL79]. A stronger notion of uniformity was considered
in [IW98,TV02].
A closer look at nonuniform tradeoffs for BPP [BFNW93]Assumption: Hard function for:
circuits. EXP≠P/poly
Conclusion: Derandomization of: probabilistic
algorithms. BPP SUBEXP
Impagliazzo-Wigderson 98: A uniform tradeoff for BPP Assumption: Hard function for:
probabilistic algorithms. EXP≠BPP
Conclusion: Derandomization of: probabilistic
algorithms. BPP * SUBEXP*Pseudo-
containment
Impagliazzo-Wigderson 98: A uniform tradeoff for BPP
Assumption: Hard function for
probabilistic algorithms.
Conclusion: Derandomization* of
probabilistic algorithms.
Either the assumption isn’t true:
probabilistic algorithms are very
strong.
Or the assumption is true: Derandomization*
of probabilistic algorithms.
Our result: A uniform tradeoff for AM
Assumption: Hard function for Arthur-Merlin protocols.
Conclusion: Derandomization* of
Arthur-Merlin protocols.
Either the assumption isn’t true:
Arthur-Merlin protocols are very strong.
Or the assumption is true: Derandomization* of
Arthur-Merlin protocols.
[IW98 :]low-end. )Weak assumption and conclusion(. Our result: high-end. )Strong assumption and conclusion(.
Motivation: weak unconditional derandomization We believe that AM=NP (= Σ1). We only know that AM is in Σ3. Goal: Unconditional proof that AMΣ2 (or even
AMΣ2-SUBEXP). Conditional => Unconditional ?? Basic idea: AM is either weak or very strong.
If AM can be derandomized (AM=NP) then AMΣ2.
If AM is very strong (AM=EXP) then AMΣ2.
Main problem: replace ‘*’ with ‘’.
Pseudo-containmnets [Kab99]: * Intuitively, Containment only on feasibly
generated inputs. L =* L’ if it is infeasible to generate
counterexamples to the statement L=L’. No feasible algorithm R can output inputs
which are in one language but not in the other (for a specified input length).
C * D if for every L in C there exists L’ in D such that L =* L’.
Formally, =* and * are relative to some complexity class of feasible R’s.
Formal statement of our result If E=DTIME(2O(n)) is not in
AMTIME(2an), for some constant a>0 AM * NP. AM coAM = NP coNP.
The class AM coAM contains: co-isomorphism of graphs. SZK (Statistical Zero Knowledge).
The proof
We want to show that
Hard function for AM (EXP≠AM)
Derandomization of AM
No derandomization of AM
No Hard function for AM (EXP=AM)
Basic idea: Use nonuniform tradeoff
No Hard function for nondeter. Circuits (EXP NP/poly)
No derandomization of AM
No Hard function for AM (EXP=AM)
Nonuniform tradeoff
[MV99,SU01]
Goal
Want to prove
Can’t prove it in general. Can prove it for the circuits
constructed in phase 1.
Attempt: Prove that EXPNP/poly => EXPAMLet f be an EXP complete function.
Merlin Arthurf(x)=b
The circuit Cf has a small nondeterminist
ic circuit C
Verifies that C(x)=b
Problems:
1. Arthur cannot “run” C. It is a nondeterministic circuit.
2. How can Arthur be sure that C(x)=f(x)?
Thm: [BFL91] EXPP/poly => EXPAMLet f be an EXP complete function.
Merlin Arthurf(x)=b
The circuit Cf has a small deterministic
circuit C
Verifies that C(x)=b
Instance Checker [BK95]: A probabilistic poly-time T which gets oracle access to a function g.
• g=f => Pr[Tg(x)=f(x)]=1.
• g≠f => Pr[Tg (x) =fail]>½.
Thm: [BFL91] EXPP/poly => EXPAMLet f be an EXP complete function.
Merlin Arthurf(x)=b
The circuit Cf has a small deterministic
circuit C
Verifies that C(x)=b
by running TC(x)
Instance Checker [BK95]: A probabilistic poly-time T which gets oracle access to a function g.
• g=f => Pr[Tg(x)=f(x)]=1.
• g≠f => Pr[Tg (x) {fail,f(x)}]>½.
By sending C ,Merlin commits
to some function g!
Nondeterministic Circuits A nondeterministic circuit for f is a
deterministic circuit C(x,y) such that: f(x)=1 => exists y, C(x,y)=1. f(x)=0 => for all y, C(x,y)=0.
Arthur cannot use C to evaluate f. Merlin can help Arthur to evaluate f:
Arthur sends an input x. If f(x)=1, Merlin can send y s.t. C(x,y)=1.
If f(x)=0 ??
Pairs of Nondeterministic Circuits By our assumption EXPNP/poly.
fEXP => f has a nondeterministic circuit. => neg(f) has a nondeterministic circuit!
Arthur can ask Merlin to send both circuits C,C’ for f,neg(f). If f(x)=1, Merlin sends y s.t. C(x,y)=1. If f(x)=0, Merlin sends y s.t. C’(x,y)=1.
There are appropriate witnesses for both cases.
Attempt 2: Prove that EXP in NP/poly => EXP in AMLet f be an EXP complete function.
Merlin Arthurf(x)=b
The circuits C,C’f and neg(f) have small
nondeterministic circuits C,C’
Computes queries x1,..,xt
for the instance checker .I want to evaluate f at
x1,..,xt
Appropriate witnesses for x1,..,xt
Verifies that f(x)=b using the
instance checker .Is it true that by sending C,C’
Merlin commits himself to some function g?
Single Valued pairs of Nondeterministic Circuits If Merlin sends C,C’ which accept all
inputs, he is not at all commited: For every x he can “open” x as both 0 and 1.
A pair (C,C’) defines a function g only if L(C’)=L(C)c . Such a pair is called “single valued”.
Can Arthur verify that C,C’ is a single valued pair?
The big picture
Nondeterministic circuits for EXP (EXPNP/poly)
No derandomization of AM
No Hard function for AM (EXP=AM)
Nonuniform tradeoff
[MV99,SU01]
Goal
Want to prove
Can’t prove it in general. Can prove it for the circuits
constructed in phase 1.
The argument
EXP is computable by pairs of nondeterministic
circuits which can be certified (probabilistically)
as single valued.
No derandomization of AM
No Hard function for AM (EXP=AM)
Goal
The protocol I just showed
Nonuniform hardness vs. randomness tradeoff with a
resilient reconstruction .
The final protocol: Using cerified circuits Let f be an EXP complete function.
Merlin Arthurf(x)=b
The certified circuits C,C’f and neg(f) have small
nondeterministic circuits C,C’
Computes queries x1,..,xt
for the instance checker .I want to evaluate f at
x1,..,xt
Appropriate witnesses for x1,..,xt
Verifies that f(x)=b using the
instance checker .As C,C’ are certified!
Merlin commits himself to some function g!
Resilient reconstruction algorithms
EXP is computable by pairs of nondeterministic
single-valued circuits
No derandomization of AM
Nonuniform tradeoff
[MV99,SU01]
The proofs give efficient (prob) “reconstruction algorithms” R(x,a):
If the derandomization fails on x, then there exists an a such that R(x,a) outputs a single-valued pair C,C’ for f.
What does R do when x and a are incorrect?
We cannot expect R to output circuits for f.
We can hope that R outputs a single-valued pair for some function g! We call such an R resilient.
Resilient reconstruction gives certified pairs When Merlin sends the circuits C,C’ he will also
send x and a. Arthur verifies that R(x,a)=(C,C’). This guarantees that (C,C’) is a single-valued
pair of nondeterministic circuits. Open problem: Does there exist a resilient
reconstruction algorithm? We show that the reconstruction algorithm of
[MV99] is “somewhat resilient”. It is resilient to errors in a, but vulnerable to
errors in x. (This is why we get * ).
Partial resiliency We show: the (probabilistic) reconstruction
algorithm of [MV99] is resilient to errors in a. If the derandomization fails on x then for
every a w.h.p. R(x,a) outputs a single-valued pair C,C’ for some function g.
We only get ‘*’ containments because of this weak resiliency.
We cannot trust Merlin to send x, so when the derandomization fails we need a feasible way to come up with x’s on which it failed.
Stronger partial resiliency Actually, we can handle some errors in x. Previous slide: If the derandomization of the
AM language L fails on x then resiliency… Stronger resiliency: If x is not in L then
resiliency… We can trust Merlin to send x if he can give
an AM proof that xL. We can trust Merlin when L is in AM
intersect coAM. No ‘*’ for AM intersect coAM.
ConclusionsMain result: Either Arthur-Merlin protocols are very strong. Or Arthur-Merlin protocols can be
derandomized on feasibly generated inputs.
The technique: Uses nonuniform hardness vs. randomness. Resiliet reconstruction algorithms. Enables using a modified [BFL] protocol.
Open problems: 1. A low-end result. We show that the [MV99] generator has
a (partially) resilient reconstruction algorithm.
The [MV99] result only works for the high-end.
A low-end result by [SU01] which is not even partially resilient!
Open problem: Prove a low-end version of our result.
Open problems: Remove pseudo-containments We show that the [MV99] generator has a
partially resilient reconstruction algorithm. Construct a generator with a fully resilient
reconstruction algorithm. This will remove the * (pseudo-
containment). Solving both open problems will give an
unconditional proof that AMΣ2-SUBEXP!
That’s it…
Recommended