- 46 Views
- Uploaded on
- Presentation posted in: General

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.

Danny Gutfreund, Hebrew U.

Ronen Shaltiel, Weizmann Inst.

Amnon Ta-Shma, Tel-Aviv U.

message

message

- Interactive games in which the all-powerful prover Merlin attempts to prove some statement to a probabilistic poly-time verifier.

“xL”

Merlin

Arthur

toss coins

I accept

message

message

- Completeness: If the statement is true then Arthur accepts.
- Soundness: If the statement is false then Pr[Arthur accepts]<½.

“xL”

Merlin

Arthur

toss coins

I accept

- Completeness: If the statement is true then Arthur accepts.
- Soundness: If the statement is false then Pr[Arthur accepts]<½.

- The class AM: All languages L which have an Arthur-Merlin protocol.
- Contains many interesting problems not known to be in NP.

random permutation of Gb

“The graph Gc was permuted”

- L={G1,G2: the labeled graphs G1,G2 are not isomorphic}.
- L in coNP and is not known to be in NP.

(G1,G2) L

Merlin

Arthur

Randonly chooses: b {1,2}

Decides which of the two graphs was permuted.

Verifies that c=b.

Does AM=NP?

In other words: Can every Arthur-Merlin protocol be replaced with one in which Arthur is deterministic?

Note that such a protocol is an NP proof.

- A paradigm that attempts to transform:
- Probabilistic algorithms => deterministic algorithms. (P BPP EXP NEXP).
- Probabilistic protocols => deterministic protocols. (NP AM EXP NEXP).

- We don’t know how to separate BPP and NEXP.
- Can derandomize BPP and AM under natural complexity theoretic assumptions.

Initiated by [BM,Yao,Shamir].

Assumption: hard functions exist.

Conclusion: Derandomization.

A lot of works: [BM82,Y82,HILL,NW88,BFNW93, I95,IW97,IW98,KvM99,STV99,ISW99,MV99, ISW00,SU01,U02,TV02]

Assumption: There exists a function in DTIME(2O(n)) which is hard for “small” circuits.

Assumption: hard functions exist.

Conclusion: Derandomization.

Assumption: hard functions exist.

Exists pseudo-random generator

Conclusion: Derandomization.

PRG

pseudo-random bits

seed

- A pseudo-random generator (PRG) is an algorithm that stretches a short string of truly random bits into a long string of pseudo-random bits.

- Pseudo-random bits are indistinguishable from truly random bits for feasible algorithms.
- For derandomizing AM: Feasible algorithms = nondeterministic circuits.
- ??????????????

- Nondeterministic circuits can identify pseudo-random strings.
- Given a long string, guess a short seed and check that PRG(seed)=long string.
- Can distinguish between random strings and pseudo-random strings.
- Assuming the circuit can run the PRG!!
- The Nisan-Wigderson setup: The circuit cannot run the PRG!!
- For example: The PRG runs in time n5 and fools (nondeterministic) circuits of size n3.
- Sufficient for derandomization!!

- We’re given a function f which is:
- Hard for small circuits.
- Computable by uniform machines with “slightly” larger time.

- Basic idea:
- G(x)=x,f(x)
- “f(x) looks random to a small circuit that sees x”.
- Warning: no composition theorems.
- Correctness proof of PRG can’t use it’s efficiency.

- The PRG runs in time “slightly” larger than the size of the circuit.

Assumption: hard functions exist.

Exists pseudo-random generator

Conclusion: Derandomization.

random message

message

- We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.

“xL”

Merlin

Arthur

Hardwire input

I accept

- We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.

“xL”

Merlin

Arthur

Hardwire input

input

Nondeterministic guess

random input

Nondeterministic guess

I accept

- We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.
- We can use pseudo-random bits instead of truly random bits.

“xL”

Merlin

Arthur

Hardwire input

input

Nondeterministic guess

pseudo-random input

Nondeterministic guess

I accept

- We have an AM protocol in which Arthur acts deterministically.
- (Arthur sends all pseudo-random strings and Merlin replies on each one.)
- Deterministic protocol => NP proof.

“xL”

Merlin

Arthur

pseudo-random input

Nondeterministic guess

I accept

Assumption: There exists a function in DTIME(2O(n)) which is hard for “small” circuits.

- The conclusion in the results above involve only uniform classes (BPP,AM,P,NP).
- The assumptions involve nonuniform classes.
- All the results above assume hardness for circuits (nonuniform machines).
- Can we get derandomization from uniform assumptions?
- Follow from uniform assumptions such as EXP≠PH [KL79].
- A stronger notion of uniformity was considered in [IW98,TV02].

Assumption: Hard function for: circuits.

EXP≠P/poly

Conclusion: Derandomization of: probabilistic algorithms.

BPP SUBEXP

*Pseudo-containment

Assumption: Hard function for: probabilistic algorithms.

EXP≠BPP

Conclusion: Derandomization of: probabilistic algorithms.

BPP* SUBEXP

Assumption: Hard function for probabilistic algorithms.

Conclusion: Derandomization* of probabilistic algorithms.

Either the assumption isn’t true: probabilistic algorithms are very strong.

Or the assumption is true: Derandomization* of probabilistic algorithms.

Assumption: Hard function for Arthur-Merlin protocols.

Conclusion: Derandomization* of Arthur-Merlin protocols.

Either the assumption isn’t true: Arthur-Merlin protocols are very strong.

Or the assumption is true: Derandomization* of Arthur-Merlin protocols.

[IW98]: low-end. (Weak assumption and conclusion). Our result: high-end. (Strong assumption and conclusion).

- We believe that AM=NP (= Σ1).
- We only know that AM is in Σ3.
- Goal: Unconditional proof that AMΣ2 (or even AMΣ2-SUBEXP).
- Conditional => Unconditional ??
- Basic idea: AM is either weak or very strong.
- If AM can be derandomized (AM=NP) then AMΣ2.
- If AM is very strong (AM=EXP) then AMΣ2.

- Main problem: replace ‘*’ with ‘’.

- Intuitively, Containment only on feasibly generated inputs.
- L =* L’ if it is infeasible to generate counterexamples to the statement L=L’.
- No feasible algorithm R can output inputs which are in one language but not in the other (for a specified input length).
- C * D if for every L in C there exists L’ in D such that L =* L’.
- Formally, =* and * are relative to some complexity class of feasible R’s.

- If E=DTIME(2O(n)) is not in AMTIME(2an), for some constant a>0
- AM * NP.
- AM coAM = NP coNP.

- The class AM coAM contains:
- co-isomorphism of graphs.
- SZK (Statistical Zero Knowledge).

The proof

Hard function for AM (EXP≠AM)

Derandomization of AM

No derandomization of AM

No Hard function for AM (EXP=AM)

No Hard function for nondeter. Circuits (EXP NP/poly)

No derandomization of AM

No Hard function for AM (EXP=AM)

Nonuniform tradeoff [MV99,SU01]

Goal

Want to prove

Can’t prove it in general. Can prove it for the circuits constructed in phase 1.

The circuit C

Let f be an EXP complete function.

f(x)=b

Merlin

Arthur

f has a small nondeterministic circuit C

Verifies that C(x)=b

- Problems:
- Arthur cannot “run”C. It is a nondeterministic circuit.
- How can Arthur be sure that C(x)=f(x)?

The circuit C

Let f be an EXP complete function.

f(x)=b

Merlin

Arthur

f has a small deterministic circuit C

Verifies that C(x)=b

- Instance Checker [BK95]: A probabilistic poly-time T which gets oracle access to a function g.
- g=f => Pr[Tg(x)=f(x)]=1.
- g≠f => Pr[Tg (x) =fail]>½.

The circuit C

Let f be an EXP complete function.

f(x)=b

Merlin

Arthur

f has a small deterministic circuit C

Verifies that C(x)=b

by runningTC(x)

- Instance Checker [BK95]: A probabilistic poly-time T which gets oracle access to a function g.
- g=f => Pr[Tg(x)=f(x)]=1.
- g≠f => Pr[Tg (x) {fail,f(x)}]>½.

By sending C,

Merlin commits

to some function g!

- A nondeterministic circuit for f is a deterministic circuit C(x,y) such that:
- f(x)=1 => exists y, C(x,y)=1.
- f(x)=0 => for all y, C(x,y)=0.

- Arthur cannot use C to evaluate f.
- Merlin can help Arthur to evaluate f:
- Arthur sends an input x.
- If f(x)=1, Merlin can send y s.t. C(x,y)=1.

- If f(x)=0 ??

- By our assumption EXPNP/poly.
- fEXP => f has a nondeterministic circuit.
- => neg(f) has a nondeterministic circuit!

- Arthur can ask Merlin to send both circuits C,C’for f,neg(f).
- If f(x)=1, Merlin sends y s.t. C(x,y)=1.
- If f(x)=0, Merlin sends y s.t. C’(x,y)=1.

- There are appropriate witnesses for both cases.

I want to evaluate f at x1,..,xt

Appropriate witnesses for x1,..,xt

The circuits C,C’

Let f be an EXP complete function.

f(x)=b

Merlin

Arthur

f and neg(f) have small nondeterministic circuits C,C’

Computes queries x1,..,xt for the instance checker.

Verifies that f(x)=b using the instance checker.

Is it true that by sending C,C’

Merlin commits himself to some function g?

- If Merlin sends C,C’ which accept all inputs, he is not at all commited: For every x he can “open”x as both 0 and 1.
- A pair (C,C’) defines a functiong only if L(C’)=L(C)c. Such a pair is called “single valued”.
- Can Arthur verify that C,C’ is a single valued pair?

Nondeterministic circuits for EXP (EXPNP/poly)

No derandomization of AM

No Hard function for AM (EXP=AM)

Nonuniform tradeoff [MV99,SU01]

Goal

Want to prove

Can’t prove it in general. Can prove it for the circuits constructed in phase 1.

EXP is computable by pairs of nondeterministic circuits which can be certified (probabilistically) as single valued.

No derandomization of AM

No Hard function for AM (EXP=AM)

Nonuniform hardness vs. randomness tradeoff with a resilient reconstruction.

Goal

The protocol I just showed

I want to evaluate f at x1,..,xt

Appropriate witnesses for x1,..,xt

The certified circuits C,C’

Let f be an EXP complete function.

f(x)=b

Merlin

Arthur

f and neg(f) have small nondeterministic circuits C,C’

Computes queries x1,..,xt for the instance checker.

Verifies that f(x)=b using the instance checker.

As C,C’are certified!

Merlin commits himself to some function g!

EXP is computable by pairs of nondeterministic single-valued circuits

No derandomization of AM

Nonuniform tradeoff [MV99,SU01]

The proofs give efficient (prob) “reconstruction algorithms”R(x,a):

If the derandomization fails on x, then there exists an a such that R(x,a) outputs a single-valued pair C,C’ for f.

What does R do when x and a are incorrect?

We cannot expect R to output circuits for f.

We can hope that R outputs a single-valued pair for some function g! We call such an R resilient.

- When Merlin sends the circuits C,C’ he will also send x and a.
- Arthur verifies that R(x,a)=(C,C’).
- This guarantees that (C,C’) is a single-valued pair of nondeterministic circuits.
- Open problem: Does there exist a resilient reconstruction algorithm?
- We show that the reconstruction algorithm of [MV99] is “somewhat resilient”.
- It is resilient to errors in a, but vulnerable to errors in x. (This is why we get * ).

- We show: the (probabilistic) reconstruction algorithm of [MV99] is resilient to errors in a.
- If the derandomization fails on x then for every a w.h.p. R(x,a) outputs a single-valued pair C,C’ for some function g.
- We only get ‘*’ containments because of this weak resiliency.
- We cannot trust Merlin to send x, so when the derandomization fails we need a feasible way to come up with x’s on which it failed.

- Actually, we can handle some errors in x.
- Previous slide: If the derandomization of the AM language L fails on x then resiliency…
- Stronger resiliency: If x is not in L then resiliency…
- We can trust Merlin to send x if he can give an AM proof that xL.
- We can trust Merlin when L is in AM intersect coAM.
- No ‘*’ for AM intersect coAM.

Main result:

- Either Arthur-Merlin protocols are very strong.
- Or Arthur-Merlin protocols can be derandomized on feasibly generated inputs.
The technique:

- Uses nonuniform hardness vs. randomness.
- Resiliet reconstruction algorithms.
- Enables using a modified [BFL] protocol.

- We show that the [MV99] generator has a (partially) resilient reconstruction algorithm.
- The [MV99] result only works for the high-end.
- A low-end result by [SU01] which is not even partially resilient!
- Open problem: Prove a low-end version of our result.

- We show that the [MV99] generator has a partially resilient reconstruction algorithm.
- Construct a generator with a fully resilient reconstruction algorithm.
- This will remove the * (pseudo-containment).
- Solving both open problems will give an unconditional proof that AMΣ2-SUBEXP!

That’s it…