Loading in 2 Seconds...

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.

Loading in 2 Seconds...

- By
**elie** - Follow User

- 65 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. ' - elie

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.

Danny Gutfreund, Hebrew U.

Ronen Shaltiel, Weizmann Inst.

Amnon Ta-Shma, Tel-Aviv U.

message

Arthur-Merlin Games [BM]- Interactive games in which the all-powerful prover Merlin attempts to prove some statement to a probabilistic poly-time verifier.

“xL”

Merlin

Arthur

toss coins

I accept

message

Arthur-Merlin Games [BM]- Completeness: If the statement is true then Arthur accepts.
- Soundness: If the statement is false then Pr[Arthur accepts]<½.

“xL”

Merlin

Arthur

toss coins

I accept

Arthur-Merlin Games [BM]

- Completeness: If the statement is true then Arthur accepts.
- Soundness: If the statement is false then Pr[Arthur accepts]<½.

- The class AM: All languages L which have an Arthur-Merlin protocol.
- Contains many interesting problems not known to be in NP.

“The graph Gc was permuted”

Example: Co-isomorphism of Graphs.- L={G1,G2: the labeled graphs G1,G2 are not isomorphic}.
- L in coNP and is not known to be in NP.

(G1,G2) L

Merlin

Arthur

Randonly chooses: b {1,2}

Decides which of the two graphs was permuted.

Verifies that c=b.

The big question:

Does AM=NP?

In other words: Can every Arthur-Merlin protocol be replaced with one in which Arthur is deterministic?

Note that such a protocol is an NP proof.

Derandomization: a brief overview

- A paradigm that attempts to transform:
- Probabilistic algorithms => deterministic algorithms. (P BPP EXP NEXP).
- Probabilistic protocols => deterministic protocols. (NP AM EXP NEXP).
- We don’t know how to separate BPP and NEXP.
- Can derandomize BPP and AM under natural complexity theoretic assumptions.

Hardness versus Randomness

Initiated by [BM,Yao,Shamir].

Assumption: hard functions exist.

Conclusion: Derandomization.

A lot of works: [BM82,Y82,HILL,NW88,BFNW93, I95,IW97,IW98,KvM99,STV99,ISW99,MV99, ISW00,SU01,U02,TV02]

A quick survey

Assumption: There exists a function in DTIME(2O(n)) which is hard for “small” circuits.

Hardness versus Randomness

Assumption: hard functions exist.

Exists pseudo-random generator

Conclusion: Derandomization.

pseudo-random bits

seed

Pseudo-random generators- A pseudo-random generator (PRG) is an algorithm that stretches a short string of truly random bits into a long string of pseudo-random bits.

- Pseudo-random bits are indistinguishable from truly random bits for feasible algorithms.
- For derandomizing AM: Feasible algorithms = nondeterministic circuits.
- ??????????????

Pseudo-random generators for nondeterministic circuits

- Nondeterministic circuits can identify pseudo-random strings.
- Given a long string, guess a short seed and check that PRG(seed)=long string.
- Can distinguish between random strings and pseudo-random strings.
- Assuming the circuit can run the PRG!!
- The Nisan-Wigderson setup: The circuit cannot run the PRG!!
- For example: The PRG runs in time n5 and fools (nondeterministic) circuits of size n3.
- Sufficient for derandomization!!

The Nisan-Wigderson setting

- We’re given a function f which is:
- Hard for small circuits.
- Computable by uniform machines with “slightly” larger time.
- Basic idea:
- G(x)=x,f(x)
- “f(x) looks random to a small circuit that sees x”.
- Warning: no composition theorems.
- Correctness proof of PRG can’t use it’s efficiency.
- The PRG runs in time “slightly” larger than the size of the circuit.

Hardness versus Randomness

Assumption: hard functions exist.

Exists pseudo-random generator

Conclusion: Derandomization.

message

PRG’s for nondeterministic circuits derandomize AM- We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.

“xL”

Merlin

Arthur

Hardwire input

I accept

PRG’s for nondeterministic circuits derandomize AM

- We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.

“xL”

Merlin

Arthur

Hardwire input

input

Nondeterministic guess

random input

Nondeterministic guess

I accept

PRG’s for nondeterministic circuits derandomize AM

- We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.
- We can use pseudo-random bits instead of truly random bits.

“xL”

Merlin

Arthur

Hardwire input

input

Nondeterministic guess

pseudo-random input

Nondeterministic guess

I accept

PRG’s for nondeterministic circuits derandomize AM

- We have an AM protocol in which Arthur acts deterministically.
- (Arthur sends all pseudo-random strings and Merlin replies on each one.)
- Deterministic protocol => NP proof.

“xL”

Merlin

Arthur

pseudo-random input

Nondeterministic guess

I accept

A quick survey

Assumption: There exists a function in DTIME(2O(n)) which is hard for “small” circuits.

Uniform Hardness versus Randomness

- The conclusion in the results above involve only uniform classes (BPP,AM,P,NP).
- The assumptions involve nonuniform classes.
- All the results above assume hardness for circuits (nonuniform machines).
- Can we get derandomization from uniform assumptions?
- Follow from uniform assumptions such as EXP≠PH [KL79].
- A stronger notion of uniformity was considered in [IW98,TV02].

A closer look at nonuniform tradeoffs for BPP [BFNW93]

Assumption: Hard function for: circuits.

EXP≠P/poly

Conclusion: Derandomization of: probabilistic algorithms.

BPP SUBEXP

Impagliazzo-Wigderson 98: A uniform tradeoff for BPP

Assumption: Hard function for: probabilistic algorithms.

EXP≠BPP

Conclusion: Derandomization of: probabilistic algorithms.

BPP* SUBEXP

Assumption: Hard function for probabilistic algorithms.

Conclusion: Derandomization* of probabilistic algorithms.

Either the assumption isn’t true: probabilistic algorithms are very strong.

Or the assumption is true: Derandomization* of probabilistic algorithms.

Impagliazzo-Wigderson 98: A uniform tradeoff for BPPAssumption: Hard function for Arthur-Merlin protocols.

Conclusion: Derandomization* of Arthur-Merlin protocols.

Either the assumption isn’t true: Arthur-Merlin protocols are very strong.

Or the assumption is true: Derandomization* of Arthur-Merlin protocols.

Our result: A uniform tradeoff for AM[IW98]: low-end. (Weak assumption and conclusion). Our result: high-end. (Strong assumption and conclusion).

Motivation: weak unconditional derandomization

- We believe that AM=NP (= Σ1).
- We only know that AM is in Σ3.
- Goal: Unconditional proof that AMΣ2 (or even AMΣ2-SUBEXP).
- Conditional => Unconditional ??
- Basic idea: AM is either weak or very strong.
- If AM can be derandomized (AM=NP) then AMΣ2.
- If AM is very strong (AM=EXP) then AMΣ2.
- Main problem: replace ‘*’ with ‘’.

Pseudo-containmnets [Kab99]: *

- Intuitively, Containment only on feasibly generated inputs.
- L =* L’ if it is infeasible to generate counterexamples to the statement L=L’.
- No feasible algorithm R can output inputs which are in one language but not in the other (for a specified input length).
- C * D if for every L in C there exists L’ in D such that L =* L’.
- Formally, =* and * are relative to some complexity class of feasible R’s.

Formal statement of our result

- If E=DTIME(2O(n)) is not in AMTIME(2an), for some constant a>0
- AM * NP.
- AM coAM = NP coNP.
- The class AM coAM contains:
- co-isomorphism of graphs.
- SZK (Statistical Zero Knowledge).

Hard function for AM (EXP≠AM)

Derandomization of AM

No derandomization of AM

No Hard function for AM (EXP=AM)

We want to show thatNo Hard function for nondeter. Circuits (EXP NP/poly)

No derandomization of AM

No Hard function for AM (EXP=AM)

Nonuniform tradeoff [MV99,SU01]

Goal

Want to prove

Basic idea: Use nonuniform tradeoffCan’t prove it in general. Can prove it for the circuits constructed in phase 1.

Attempt: Prove that EXPNP/poly => EXPAM

Let f be an EXP complete function.

f(x)=b

Merlin

Arthur

f has a small nondeterministic circuit C

Verifies that C(x)=b

- Problems:
- Arthur cannot “run”C. It is a nondeterministic circuit.
- How can Arthur be sure that C(x)=f(x)?

Thm: [BFL91] EXPP/poly => EXPAM

Let f be an EXP complete function.

f(x)=b

Merlin

Arthur

f has a small deterministic circuit C

Verifies that C(x)=b

- Instance Checker [BK95]: A probabilistic poly-time T which gets oracle access to a function g.
- g=f => Pr[Tg(x)=f(x)]=1.
- g≠f => Pr[Tg (x) =fail]>½.

Thm: [BFL91] EXPP/poly => EXPAM

Let f be an EXP complete function.

f(x)=b

Merlin

Arthur

f has a small deterministic circuit C

Verifies that C(x)=b

by runningTC(x)

- Instance Checker [BK95]: A probabilistic poly-time T which gets oracle access to a function g.
- g=f => Pr[Tg(x)=f(x)]=1.
- g≠f => Pr[Tg (x) {fail,f(x)}]>½.

By sending C,

Merlin commits

to some function g!

Nondeterministic Circuits

- A nondeterministic circuit for f is a deterministic circuit C(x,y) such that:
- f(x)=1 => exists y, C(x,y)=1.
- f(x)=0 => for all y, C(x,y)=0.
- Arthur cannot use C to evaluate f.
- Merlin can help Arthur to evaluate f:
- Arthur sends an input x.
- If f(x)=1, Merlin can send y s.t. C(x,y)=1.
- If f(x)=0 ??

Pairs of Nondeterministic Circuits

- By our assumption EXPNP/poly.
- fEXP => f has a nondeterministic circuit.
- => neg(f) has a nondeterministic circuit!
- Arthur can ask Merlin to send both circuits C,C’for f,neg(f).
- If f(x)=1, Merlin sends y s.t. C(x,y)=1.
- If f(x)=0, Merlin sends y s.t. C’(x,y)=1.
- There are appropriate witnesses for both cases.

I want to evaluate f at x1,..,xt

Appropriate witnesses for x1,..,xt

The circuits C,C’

Attempt 2: Prove that EXP in NP/poly => EXP in AMLet f be an EXP complete function.

f(x)=b

Merlin

Arthur

f and neg(f) have small nondeterministic circuits C,C’

Computes queries x1,..,xt for the instance checker.

Verifies that f(x)=b using the instance checker.

Is it true that by sending C,C’

Merlin commits himself to some function g?

Single Valued pairs of Nondeterministic Circuits

- If Merlin sends C,C’ which accept all inputs, he is not at all commited: For every x he can “open”x as both 0 and 1.
- A pair (C,C’) defines a functiong only if L(C’)=L(C)c. Such a pair is called “single valued”.
- Can Arthur verify that C,C’ is a single valued pair?

Nondeterministic circuits for EXP (EXPNP/poly)

No derandomization of AM

No Hard function for AM (EXP=AM)

Nonuniform tradeoff [MV99,SU01]

Goal

Want to prove

The big pictureCan’t prove it in general. Can prove it for the circuits constructed in phase 1.

EXP is computable by pairs of nondeterministic circuits which can be certified (probabilistically) as single valued.

No derandomization of AM

No Hard function for AM (EXP=AM)

Nonuniform hardness vs. randomness tradeoff with a resilient reconstruction.

Goal

The protocol I just showed

The argumentI want to evaluate f at x1,..,xt

Appropriate witnesses for x1,..,xt

The certified circuits C,C’

The final protocol: Using cerified circuitsLet f be an EXP complete function.

f(x)=b

Merlin

Arthur

f and neg(f) have small nondeterministic circuits C,C’

Computes queries x1,..,xt for the instance checker.

Verifies that f(x)=b using the instance checker.

As C,C’are certified!

Merlin commits himself to some function g!

EXP is computable by pairs of nondeterministic single-valued circuits

No derandomization of AM

Resilient reconstruction algorithmsNonuniform tradeoff [MV99,SU01]

The proofs give efficient (prob) “reconstruction algorithms”R(x,a):

If the derandomization fails on x, then there exists an a such that R(x,a) outputs a single-valued pair C,C’ for f.

What does R do when x and a are incorrect?

We cannot expect R to output circuits for f.

We can hope that R outputs a single-valued pair for some function g! We call such an R resilient.

Resilient reconstruction gives certified pairs

- When Merlin sends the circuits C,C’ he will also send x and a.
- Arthur verifies that R(x,a)=(C,C’).
- This guarantees that (C,C’) is a single-valued pair of nondeterministic circuits.
- Open problem: Does there exist a resilient reconstruction algorithm?
- We show that the reconstruction algorithm of [MV99] is “somewhat resilient”.
- It is resilient to errors in a, but vulnerable to errors in x. (This is why we get * ).

Partial resiliency

- We show: the (probabilistic) reconstruction algorithm of [MV99] is resilient to errors in a.
- If the derandomization fails on x then for every a w.h.p. R(x,a) outputs a single-valued pair C,C’ for some function g.
- We only get ‘*’ containments because of this weak resiliency.
- We cannot trust Merlin to send x, so when the derandomization fails we need a feasible way to come up with x’s on which it failed.

Stronger partial resiliency

- Actually, we can handle some errors in x.
- Previous slide: If the derandomization of the AM language L fails on x then resiliency…
- Stronger resiliency: If x is not in L then resiliency…
- We can trust Merlin to send x if he can give an AM proof that xL.
- We can trust Merlin when L is in AM intersect coAM.
- No ‘*’ for AM intersect coAM.

Conclusions

Main result:

- Either Arthur-Merlin protocols are very strong.
- Or Arthur-Merlin protocols can be derandomized on feasibly generated inputs.

The technique:

- Uses nonuniform hardness vs. randomness.
- Resiliet reconstruction algorithms.
- Enables using a modified [BFL] protocol.

Open problems: 1. A low-end result.

- We show that the [MV99] generator has a (partially) resilient reconstruction algorithm.
- The [MV99] result only works for the high-end.
- A low-end result by [SU01] which is not even partially resilient!
- Open problem: Prove a low-end version of our result.

Open problems: Remove pseudo-containments

- We show that the [MV99] generator has a partially resilient reconstruction algorithm.
- Construct a generator with a fully resilient reconstruction algorithm.
- This will remove the * (pseudo-containment).
- Solving both open problems will give an unconditional proof that AMΣ2-SUBEXP!

Download Presentation

Connecting to Server..