Uniform hardness vs randomness tradeoffs for arthur merlin games
This presentation is the property of its rightful owner.
Sponsored Links
1 / 49

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. PowerPoint PPT Presentation


  • 46 Views
  • Uploaded on
  • Presentation posted in: General

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U. message. message. Arthur-Merlin Games [BM].

Download Presentation

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Uniform hardness vs randomness tradeoffs for arthur merlin games

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.

Danny Gutfreund, Hebrew U.

Ronen Shaltiel, Weizmann Inst.

Amnon Ta-Shma, Tel-Aviv U.


Arthur merlin games bm

message

message

Arthur-Merlin Games [BM]

  • Interactive games in which the all-powerful prover Merlin attempts to prove some statement to a probabilistic poly-time verifier.

“xL”

Merlin

Arthur

toss coins

I accept


Arthur merlin games bm1

message

message

Arthur-Merlin Games [BM]

  • Completeness: If the statement is true then Arthur accepts.

  • Soundness: If the statement is false then Pr[Arthur accepts]<½.

“xL”

Merlin

Arthur

toss coins

I accept


Arthur merlin games bm2

Arthur-Merlin Games [BM]

  • Completeness: If the statement is true then Arthur accepts.

  • Soundness: If the statement is false then Pr[Arthur accepts]<½.

  • The class AM: All languages L which have an Arthur-Merlin protocol.

  • Contains many interesting problems not known to be in NP.


Example co isomorphism of graphs

random permutation of Gb

“The graph Gc was permuted”

Example: Co-isomorphism of Graphs.

  • L={G1,G2: the labeled graphs G1,G2 are not isomorphic}.

  • L in coNP and is not known to be in NP.

(G1,G2) L

Merlin

Arthur

Randonly chooses: b {1,2}

Decides which of the two graphs was permuted.

Verifies that c=b.


The big question

The big question:

Does AM=NP?

In other words: Can every Arthur-Merlin protocol be replaced with one in which Arthur is deterministic?

Note that such a protocol is an NP proof.


Derandomization a brief overview

Derandomization: a brief overview

  • A paradigm that attempts to transform:

    • Probabilistic algorithms => deterministic algorithms. (P  BPP EXP NEXP).

    • Probabilistic protocols => deterministic protocols. (NP  AM EXP  NEXP).

  • We don’t know how to separate BPP and NEXP.

  • Can derandomize BPP and AM under natural complexity theoretic assumptions.


Hardness versus randomness

Hardness versus Randomness

Initiated by [BM,Yao,Shamir].

Assumption: hard functions exist.

Conclusion: Derandomization.

A lot of works: [BM82,Y82,HILL,NW88,BFNW93, I95,IW97,IW98,KvM99,STV99,ISW99,MV99, ISW00,SU01,U02,TV02]


A quick survey

A quick survey

Assumption: There exists a function in DTIME(2O(n)) which is hard for “small” circuits.


Hardness versus randomness1

Hardness versus Randomness

Assumption: hard functions exist.

Conclusion: Derandomization.


Hardness versus randomness2

Hardness versus Randomness

Assumption: hard functions exist.

Exists pseudo-random generator

Conclusion: Derandomization.


Pseudo random generators

PRG

pseudo-random bits

seed

Pseudo-random generators

  • A pseudo-random generator (PRG) is an algorithm that stretches a short string of truly random bits into a long string of pseudo-random bits.

  • Pseudo-random bits are indistinguishable from truly random bits for feasible algorithms.

  • For derandomizing AM: Feasible algorithms = nondeterministic circuits.

  • ??????????????


Pseudo random generators for nondeterministic circuits

Pseudo-random generators for nondeterministic circuits

  • Nondeterministic circuits can identify pseudo-random strings.

  • Given a long string, guess a short seed and check that PRG(seed)=long string.

  • Can distinguish between random strings and pseudo-random strings.

  • Assuming the circuit can run the PRG!!

  • The Nisan-Wigderson setup: The circuit cannot run the PRG!!

  • For example: The PRG runs in time n5 and fools (nondeterministic) circuits of size n3.

  • Sufficient for derandomization!!


The nisan wigderson setting

The Nisan-Wigderson setting

  • We’re given a function f which is:

    • Hard for small circuits.

    • Computable by uniform machines with “slightly” larger time.

  • Basic idea:

    • G(x)=x,f(x)

    • “f(x) looks random to a small circuit that sees x”.

      • Warning: no composition theorems.

      • Correctness proof of PRG can’t use it’s efficiency.

    • The PRG runs in time “slightly” larger than the size of the circuit.


Hardness versus randomness3

Hardness versus Randomness

Assumption: hard functions exist.

Exists pseudo-random generator

Conclusion: Derandomization.


Prg s for nondeterministic circuits derandomize am

random message

message

PRG’s for nondeterministic circuits derandomize AM

  • We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.

“xL”

Merlin

Arthur

Hardwire input

I accept


Prg s for nondeterministic circuits derandomize am1

PRG’s for nondeterministic circuits derandomize AM

  • We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.

“xL”

Merlin

Arthur

Hardwire input

input

Nondeterministic guess

random input

Nondeterministic guess

I accept


Prg s for nondeterministic circuits derandomize am2

PRG’s for nondeterministic circuits derandomize AM

  • We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.

  • We can use pseudo-random bits instead of truly random bits.

“xL”

Merlin

Arthur

Hardwire input

input

Nondeterministic guess

pseudo-random input

Nondeterministic guess

I accept


Prg s for nondeterministic circuits derandomize am3

PRG’s for nondeterministic circuits derandomize AM

  • We have an AM protocol in which Arthur acts deterministically.

  • (Arthur sends all pseudo-random strings and Merlin replies on each one.)

  • Deterministic protocol => NP proof.

“xL”

Merlin

Arthur

pseudo-random input

Nondeterministic guess

I accept


A quick survey1

A quick survey

Assumption: There exists a function in DTIME(2O(n)) which is hard for “small” circuits.


Uniform hardness versus randomness

Uniform Hardness versus Randomness

  • The conclusion in the results above involve only uniform classes (BPP,AM,P,NP).

  • The assumptions involve nonuniform classes.

  • All the results above assume hardness for circuits (nonuniform machines).

  • Can we get derandomization from uniform assumptions?

  • Follow from uniform assumptions such as EXP≠PH [KL79].

  • A stronger notion of uniformity was considered in [IW98,TV02].


A closer look at nonuniform tradeoffs for bpp bfnw93

A closer look at nonuniform tradeoffs for BPP [BFNW93]

Assumption: Hard function for: circuits.

EXP≠P/poly

Conclusion: Derandomization of: probabilistic algorithms.

BPP SUBEXP


Impagliazzo wigderson 98 a uniform tradeoff for bpp

*Pseudo-containment

Impagliazzo-Wigderson 98: A uniform tradeoff for BPP

Assumption: Hard function for: probabilistic algorithms.

EXP≠BPP

Conclusion: Derandomization of: probabilistic algorithms.

BPP* SUBEXP


Impagliazzo wigderson 98 a uniform tradeoff for bpp1

Assumption: Hard function for probabilistic algorithms.

Conclusion: Derandomization* of probabilistic algorithms.

Either the assumption isn’t true: probabilistic algorithms are very strong.

Or the assumption is true: Derandomization* of probabilistic algorithms.

Impagliazzo-Wigderson 98: A uniform tradeoff for BPP


Our result a uniform tradeoff for am

Assumption: Hard function for Arthur-Merlin protocols.

Conclusion: Derandomization* of Arthur-Merlin protocols.

Either the assumption isn’t true: Arthur-Merlin protocols are very strong.

Or the assumption is true: Derandomization* of Arthur-Merlin protocols.

Our result: A uniform tradeoff for AM

[IW98]: low-end. (Weak assumption and conclusion). Our result: high-end. (Strong assumption and conclusion).


Motivation weak unconditional derandomization

Motivation: weak unconditional derandomization

  • We believe that AM=NP (= Σ1).

  • We only know that AM is in Σ3.

  • Goal: Unconditional proof that AMΣ2 (or even AMΣ2-SUBEXP).

  • Conditional => Unconditional ??

  • Basic idea: AM is either weak or very strong.

    • If AM can be derandomized (AM=NP) then AMΣ2.

    • If AM is very strong (AM=EXP) then AMΣ2.

  • Main problem: replace ‘*’ with ‘’.


Pseudo containmnets kab99

Pseudo-containmnets [Kab99]: *

  • Intuitively, Containment only on feasibly generated inputs.

  • L =* L’ if it is infeasible to generate counterexamples to the statement L=L’.

  • No feasible algorithm R can output inputs which are in one language but not in the other (for a specified input length).

  • C * D if for every L in C there exists L’ in D such that L =* L’.

  • Formally, =* and * are relative to some complexity class of feasible R’s.


Formal statement of our result

Formal statement of our result

  • If E=DTIME(2O(n)) is not in AMTIME(2an), for some constant a>0

    • AM * NP.

    • AM  coAM = NP  coNP.

  • The class AM  coAM contains:

    • co-isomorphism of graphs.

    • SZK (Statistical Zero Knowledge).


The proof

The proof


We want to show that

Hard function for AM (EXP≠AM)

Derandomization of AM

No derandomization of AM

No Hard function for AM (EXP=AM)

We want to show that


Basic idea use nonuniform tradeoff

No Hard function for nondeter. Circuits (EXP  NP/poly)

No derandomization of AM

No Hard function for AM (EXP=AM)

Nonuniform tradeoff [MV99,SU01]

Goal

Want to prove

Basic idea: Use nonuniform tradeoff

Can’t prove it in general. Can prove it for the circuits constructed in phase 1.


Attempt prove that exp np poly exp am

The circuit C

Attempt: Prove that EXPNP/poly => EXPAM

Let f be an EXP complete function.

f(x)=b

Merlin

Arthur

f has a small nondeterministic circuit C

Verifies that C(x)=b

  • Problems:

  • Arthur cannot “run”C. It is a nondeterministic circuit.

  • How can Arthur be sure that C(x)=f(x)?


Thm bfl91 exp p poly exp am

The circuit C

Thm: [BFL91] EXPP/poly => EXPAM

Let f be an EXP complete function.

f(x)=b

Merlin

Arthur

f has a small deterministic circuit C

Verifies that C(x)=b

  • Instance Checker [BK95]: A probabilistic poly-time T which gets oracle access to a function g.

  • g=f => Pr[Tg(x)=f(x)]=1.

  • g≠f => Pr[Tg (x) =fail]>½.


Thm bfl91 exp p poly exp am1

The circuit C

Thm: [BFL91] EXPP/poly => EXPAM

Let f be an EXP complete function.

f(x)=b

Merlin

Arthur

f has a small deterministic circuit C

Verifies that C(x)=b

by runningTC(x)

  • Instance Checker [BK95]: A probabilistic poly-time T which gets oracle access to a function g.

  • g=f => Pr[Tg(x)=f(x)]=1.

  • g≠f => Pr[Tg (x)  {fail,f(x)}]>½.

By sending C,

Merlin commits

to some function g!


Nondeterministic circuits

Nondeterministic Circuits

  • A nondeterministic circuit for f is a deterministic circuit C(x,y) such that:

    • f(x)=1 => exists y, C(x,y)=1.

    • f(x)=0 => for all y, C(x,y)=0.

  • Arthur cannot use C to evaluate f.

  • Merlin can help Arthur to evaluate f:

    • Arthur sends an input x.

    • If f(x)=1, Merlin can send y s.t. C(x,y)=1.

  • If f(x)=0 ??


Pairs of nondeterministic circuits

Pairs of Nondeterministic Circuits

  • By our assumption EXPNP/poly.

    • fEXP => f has a nondeterministic circuit.

    • => neg(f) has a nondeterministic circuit!

  • Arthur can ask Merlin to send both circuits C,C’for f,neg(f).

    • If f(x)=1, Merlin sends y s.t. C(x,y)=1.

    • If f(x)=0, Merlin sends y s.t. C’(x,y)=1.

  • There are appropriate witnesses for both cases.


Attempt 2 prove that exp in np poly exp in am

I want to evaluate f at x1,..,xt

Appropriate witnesses for x1,..,xt

The circuits C,C’

Attempt 2: Prove that EXP in NP/poly => EXP in AM

Let f be an EXP complete function.

f(x)=b

Merlin

Arthur

f and neg(f) have small nondeterministic circuits C,C’

Computes queries x1,..,xt for the instance checker.

Verifies that f(x)=b using the instance checker.

Is it true that by sending C,C’

Merlin commits himself to some function g?


Single valued pairs of nondeterministic circuits

Single Valued pairs of Nondeterministic Circuits

  • If Merlin sends C,C’ which accept all inputs, he is not at all commited: For every x he can “open”x as both 0 and 1.

  • A pair (C,C’) defines a functiong only if L(C’)=L(C)c. Such a pair is called “single valued”.

  • Can Arthur verify that C,C’ is a single valued pair?


The big picture

Nondeterministic circuits for EXP (EXPNP/poly)

No derandomization of AM

No Hard function for AM (EXP=AM)

Nonuniform tradeoff [MV99,SU01]

Goal

Want to prove

The big picture

Can’t prove it in general. Can prove it for the circuits constructed in phase 1.


The argument

EXP is computable by pairs of nondeterministic circuits which can be certified (probabilistically) as single valued.

No derandomization of AM

No Hard function for AM (EXP=AM)

Nonuniform hardness vs. randomness tradeoff with a resilient reconstruction.

Goal

The protocol I just showed

The argument


The final protocol using cerified circuits

I want to evaluate f at x1,..,xt

Appropriate witnesses for x1,..,xt

The certified circuits C,C’

The final protocol: Using cerified circuits

Let f be an EXP complete function.

f(x)=b

Merlin

Arthur

f and neg(f) have small nondeterministic circuits C,C’

Computes queries x1,..,xt for the instance checker.

Verifies that f(x)=b using the instance checker.

As C,C’are certified!

Merlin commits himself to some function g!


Resilient reconstruction algorithms

EXP is computable by pairs of nondeterministic single-valued circuits

No derandomization of AM

Resilient reconstruction algorithms

Nonuniform tradeoff [MV99,SU01]

The proofs give efficient (prob) “reconstruction algorithms”R(x,a):

If the derandomization fails on x, then there exists an a such that R(x,a) outputs a single-valued pair C,C’ for f.

What does R do when x and a are incorrect?

We cannot expect R to output circuits for f.

We can hope that R outputs a single-valued pair for some function g! We call such an R resilient.


Resilient reconstruction gives certified pairs

Resilient reconstruction gives certified pairs

  • When Merlin sends the circuits C,C’ he will also send x and a.

  • Arthur verifies that R(x,a)=(C,C’).

  • This guarantees that (C,C’) is a single-valued pair of nondeterministic circuits.

  • Open problem: Does there exist a resilient reconstruction algorithm?

  • We show that the reconstruction algorithm of [MV99] is “somewhat resilient”.

  • It is resilient to errors in a, but vulnerable to errors in x. (This is why we get * ).


Partial resiliency

Partial resiliency

  • We show: the (probabilistic) reconstruction algorithm of [MV99] is resilient to errors in a.

  • If the derandomization fails on x then for every a w.h.p. R(x,a) outputs a single-valued pair C,C’ for some function g.

  • We only get ‘*’ containments because of this weak resiliency.

  • We cannot trust Merlin to send x, so when the derandomization fails we need a feasible way to come up with x’s on which it failed.


Stronger partial resiliency

Stronger partial resiliency

  • Actually, we can handle some errors in x.

  • Previous slide: If the derandomization of the AM language L fails on x then resiliency…

  • Stronger resiliency: If x is not in L then resiliency…

  • We can trust Merlin to send x if he can give an AM proof that xL.

  • We can trust Merlin when L is in AM intersect coAM.

  • No ‘*’ for AM intersect coAM.


Conclusions

Conclusions

Main result:

  • Either Arthur-Merlin protocols are very strong.

  • Or Arthur-Merlin protocols can be derandomized on feasibly generated inputs.

    The technique:

  • Uses nonuniform hardness vs. randomness.

  • Resiliet reconstruction algorithms.

  • Enables using a modified [BFL] protocol.


Open problems 1 a low end result

Open problems: 1. A low-end result.

  • We show that the [MV99] generator has a (partially) resilient reconstruction algorithm.

  • The [MV99] result only works for the high-end.

  • A low-end result by [SU01] which is not even partially resilient!

  • Open problem: Prove a low-end version of our result.


Open problems remove pseudo containments

Open problems: Remove pseudo-containments

  • We show that the [MV99] generator has a partially resilient reconstruction algorithm.

  • Construct a generator with a fully resilient reconstruction algorithm.

  • This will remove the * (pseudo-containment).

  • Solving both open problems will give an unconditional proof that AMΣ2-SUBEXP!


That s it

That’s it…


  • Login