Presentation is loading. Please wait.

Presentation is loading. Please wait.

Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech.

Published byEstevan Densford Modified over 10 years ago

Similar presentations

Presentation on theme: "Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech."— Presentation transcript:

1 Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech

2 Arthur-Merlin Games [B,GMR] Interactive games in which the all- powerful prover Merlin attempts to prove some statement to a probabilistic poly- time verifier. Merlin Arthur x L toss coins coin tosses message I accept

3 Arthur-Merlin Games [B,GMR] Completeness: If the statement is true then Arthur accepts. Soundness: If the statement is false then Pr[Arthur accepts]< ½. Merlin Arthur x L toss coins coin tosses message I accept

4 Arthur-Merlin Games [B,GMR] Completeness: If the statement is true then Arthur accepts. Soundness: If the statement is false then Pr[Arthur accepts]< ½. The class AM: All languages L which have an Arthur-Merlin protocol. Contains many interesting problems not known to be in NP.

5 Derandomization goals: Efficient deterministic simulation of prob. algs. BPP=P BPP SUBEXP=DTIME(2 n o(1) ) Efficient nondeterministic simulation of prob. protocols AM=NP AM NSUBEXP=NTIME(2 n o(1) ) We don t know how to separate BPP from NEXP. Such a separation implies certain circuit lower bounds [IKW01,KI02].

6 Hardness versus Randomness Initiated by [BM,Yao,Shamir,NW]. Assumption: hard functions exist. Conclusion: Derandomization. A lot of works: [BM82,Y82,HILL,NW88,BFNW93, I95,IW97,IW98,KvM99,STV99,ISW99,MV99, ISW00,SU01,U02,TV02,GST03,SU05,U05, … ]

7 A quick survey of (nonuniform) hardness/randomness tradeoffs Assumption: There exists a function in E=DTIME(2 O(l) ) which is hard for small (size s(l)) circuits. AMBPP Nondeterministic circuits Deterministic circuits A hard function for: AM=NP [KvM99,MV99,SU05] BPP=P [IW97,STV99] High-end: s(l)=2 Ω(l) AM NSUBEXP [SU01,SU05] BPP SUBEXP [BFNW93,SU01,U02] Low-end: s(l)=l ω(1)

8 A quick survey of (uniform) hardness/randomness tradeoffs Assumption: There exists a function in E=DTIME(2 O(l) ) which is hard for small (time s(l)) algorithms/protocols. AMBPP AM protocols.Prob. algsA hard function for: AM=NP (*) [GST03] BPP=P (*) [TV02*] High-end: s(l)=2 Ω(l) AM NSUBEXP (*) BPP SUBEXP (*) [IW98] Low-end: s(l)=l ω(1) This paper* (*) The simulation only succeeds on feasibly generated inputs.

9 A low-end gap theorem for AM. Informal statement: Either AM protocols are very strong. Or, AM protocols are somewhat weak. Formal statement: Either E=DTIME(2 O(l) ) has Arthur-Merlin protocols running in time 2 (log l) 3. Or, for every L AM there is a nondeterministic machine M that runs in subexponential time and agrees with L on feasibly generated inputs. No polynomial time machine can produce inputs on which M fails. Should have been poly(l) Jargon: Just like [IW98] paper but for AM instead of BPP

10 A uniform hardness vs. randomness tradeoff for AM Informal statement: Either AM protocols are very strong. Or, AM protocols are somewhat weak. Formal statement: For l<s(l)<2 l. Either E=DTIME(2 O(l) ) has Arthur-Merlin protocols running in time s(l). Or, for every L AM there is a nondeterministic machine M that runs in time 2 O(l) and agrees with L on feasibly generated inputs of length n=s(l) 1/(log(l)-loglog(s(l))) 2. No polynomial time machine can produce inputs on which M fails. Should have been Ω(1)

11 Motivation: weak unconditional derandomization We believe that AM=NP (= Σ 1 ). We only know that AM is in Σ 3. Goal: Unconditional proof that AM Σ 2 (or even AM Σ 2 -TIME(2 n o(1) ). Conditional => Unconditional ?? Approach [GST03]: Either AM is weak: AM=NP AM Σ 2. Or AM is very strong: AM=E ??? AM=coAM Σ 2. Missing step: remove feasibly generated inputs.

12 A low-end gap theorem for AM coAM. Informal statement: Either AM coAM is very strong. Or, AM coAM is somewhat weak. Formal statement: Either E=DTIME(2 O(l) ) has Arthur-Merlin protocols running in time 2 (log l) 3. Or, for every L AM coAM there is a nondeterministic machine M that runs in subexponential time and agrees with L on all inputs (not necessarily feasibly generated). Should have been poly(l)

13 Plan for rest of talk Explain the overall approach of getting uniform hardness vs. randomness tradeoffs for AM (which is in [GST03]). This approach uses a hitting-set generator construction by [MV99] which only works in the high end. Main technical contribution of this paper is improving the [MV99] construction so that it works in the low-end. Improvement uses PCP tools which were not used previously in this framework.

14 The high level approach (following [GST03])

15 The uniform tradeoff of [GST03]: resilient AM protocols Arthur Merlin nonuniform advice Constructs nondet. Circuit C that is supposed to compute f f(y)=? f(y)=b witness showing C(y)=b AM protocol verifying that C=f. (exists as f is complete for E) C is supposed to define a function: For every y, C is supposed to have witnesses showing C(y)=0 or C(y)=1 but not both! (single valued circuit) Use nonuniform tradeoffs for AM. Derandomization fails => hard function f has small nondeterministic circuits. Want to show that: => f has small AM protocol. Observation [GST03]: The [MV99] tradeoff has an AM protocol in which Arthur verifies that the circuit obtained is single- valued (defines a function). Suppose Arthur could verify that this is indeed the case.

16 The uniform tradeoff of [GST03]: Use nonuniform tradeoffs for AM. Derandomization fails => hard function f has small nondeterministic circuits. Want to show that: => f has small AM protocol. Observation [GST03]: The [MV99] tradeoff has an AM protocol in which Arthur verifies that the circuit obtained is single- valued (defines a function). => AM protocol for f. Problem: The [MV99] generator only works in the high end. Our contribution: Modify [MV99] into a low-end generator. Arthur Merlin C is supposed to compute f f(y)=? f(y)=b witness showing C(y)=b AM protocol verifying that C=f. (exists as f is complete for E) AM protocol in which Arthur receives a certified valid circuit C C is guaranteed to define a function: For every y, C is has witnesses showing C(y)=0 or C(y)=1 but not both!

17 Abstraction: commit-and-evaluate AM protocols and resiliency. Commit-and-evaluate AM protocols for function f(y). Properties: Input y can be revealed to Merlin after commit phase. Conformity: Honest Merlin can make Arthur output f(y). Resiliency: Following commit phase Merlin is (w.h.p) committed to some function g(y) (may differ from f). Thm: If E has such AM protocols then E has standard AM protocols. Arthur Merlin f(y)=? f(y)=b Evaluation phase: AM protocol that uses advice string and outputs a value v(y). Commit phase: AM protocol generating advice string.

18 The big picture: How to derandomize an AM protocol Nondet machine M(x) (supposed to accept L AM) Use function f to construct small hitting set of pseudorandom strings. Run AM protocol on input x (using pseudorandom strings as random coins) and accept if all runs accept. Proof of correctness by reduction Suppose M fails on an input x. Construct an efficient commit- and-evaluate AM protocol that uses x and conforms resiliently with f. => f has a standard efficient AM protocol. Where do feasibly generated inputs come in? How can Arthur obtain x? From his point of view x is a nonuniform advice string. No problem if we only care about inputs that can be feasibly generated by some efficient TM. Following [GST03]: In the case of AM coAM we can trust Merlin to send a good x. This is where uniformity comes in: Protocols rather than circuits.

19 Improving Miltersen-Vinodchandran hitting set generator (How to derandomize an AM language)

20 The MV hitting set generator Nondet. Machine M(x): derandomizes AM protocol with m coins For every output string guess a response for Merlin and accept if Arthur accepts all of them. x L Merlin can answer any string M accepts (no error). xL Merlin can answer ½ strings M may err. truth table f:{0,1} l {0,1} field size q=102 l/2 p(x,y) deg. 2 l/2 A {0,1} m extractor rows and columns Z small set (2 m ) deg 2 l/2 polys Hitting set

21 A commit-and-evaluate AM protocol for p. truth table f:{0,1} l {0,1} field size q=102 l/2 p(x,y) deg. 2 l/2 A {0,1} m extractor rows and columns Z very small set

22 truth table f:{0,1} l {0,1} field size q=102 l/2 p(x,y) deg. 2 l/2 A {0,1} m extractor rows and columns Z small set (2 m ) A commit-and-evaluate AM protocol for p. Conformity: v Resiliency: v (RS code). w.h.p. over S univariate poly g Z, g(S) is unique. Efficiency: (on high end m=2 Ω(l) ). Protocol runs in time poly(m). Protocol requires passing polynomials of degree 2 l/2. Arthur Merlin p(x,y)=? p(x,y )= b commit phase: S R Field of size m p(S 2 ) evaluation phase: Both compute path to (x,y) line on path: p| line and witness w Arthur checks: small set: p| line Z using w. consistency of p| line. deg 2 l/2 polys

23 truth table f:{0,1} l {0,1} field size q=102 l/2 p(x,y) deg. 2 l/2 A {0,1} m extractor rows and columns Z very small set A commit-and-evaluate AM protocol for p. Conformity: v Resiliency: v (RS code). w.h.p. over S univariate poly gZ, g(S) is unique. Efficiency: (on high end m=2 Ω(l) ). Protocol runs in time poly(m). Protocol requires passing polynomials of degree 2 l/2. Arthur Merlin commit phase: S R Field of size m p(S 2 ) evaluation phase: Both compute path to (x,y) line on path: p| line and witness w Arthur checks: small set: p| line Z using w. consistency of p| line. For low end (say m=l O(1) ) we need to reduce degree Can get deg=2 l/d using p(x 1,..,x d ) with d variables. S 2 S d |S d |=2 Ω(l) no gain! p(x,y)=? p(x,y )= b

24 truth table f:{0,1} l {0,1} field size q=102 l/2 p(x,y) deg. 2 l/2 A {0,1} m extractor rows and columns Z very small set The best of both worlds Best of both worlds: Use p(x 1,..,x d ) deg 2 l/d. Run MV as if p=p(x,y). Resiliency: v (RM code). Size of box=|S| 2 m 2. doesnt depend on d! Sending p| line costs 2 l/2 bits. Arthur Merlin commit phase: S R Field of size m p(S 2 ) evaluation phase: Both compute path to (x,y) line on path: p| line and witness w Arthur checks: small set: p| line Z using w. consistency of p| line. deg 2 l/2 polys p(x,y)=? p(x,y )= b p(x 1,..,x d/2 ;x d/2+1,..,x d ). p| line has many coefficients Suppose p| line could be sent more efficiently: p| line has small (non- det) circuit p| line has commit-and- evaluate protocol Arthur can verify that he gets a low-degree polynomial by performing low-degree testing!

25 truth table f:{0,1} l {0,1} field size q=102 l/2 p(x,y) deg. 2 l/2 A {0,1} m extractor rows and columns Z very small set Locally computable extractors Story so far: Use polynomials p with many variables and pretend they are bivariate. Assume that p| line can be sent efficiently. (Not yet justified). Is the AM protocol efficient? Arthur Merlin commit phase: S R Field of size m p(S 2 ) evaluation phase: Both compute path to (x,y) line on path: p| line and witness w Arthur checks: small set: p| line Z using w. consistency of p| line. deg 2 l/2 polys p(x,y)=? p(x,y )= b v v v v v X Requires running the extractor on p| line (t) for all q d inputs t to p| line. Need locally computable extractors! Thm: [V] no locally computable extractors for low-entropy. We know that inputs to extractors are low-degree polynomials! Can use extractor construction [SU01] which is locally computable. Thm: [V] no locally computable extractors for low-entropy. We know that inputs to extractors are low-degree polynomials! Can use extractor construction [SU01] which is locally computable. v Efficient AM protocol!

26 v truth table f:{0,1} l {0,1} field size q=102 l/2 p(x,y) deg. 2 l/2 A {0,1} m extractor rows and columns Z very small set Win-win analysis Main ideas: Use polynomials p with many variables and pretend they are bivariate. Assume that p| line can be sent efficiently. (Not yet justified). Use locally computable extractors (exist when inputs are low degree polynomials. Arthur Merlin commit phase: S R Field of size m p(S 2 ) evaluation phase: Both compute path to (x,y) line on path: p| line and witness w Arthur checks: small set: p| line Z using w. consistency of p| line. deg 2 l/2 polys p(x,y)=? p(x,y )= b v v v v v Efficient AM protocol! ???? Intuition: If p| line doesnt have an efficient commit-and-evaluate protocol then its better to use it as the hard function. (It is over less variables!) Recursive win-win analysis a-la [ISW99].

27 The recursive HSG truth table of f … each row and column ALL rows and columns to extractor (2 l bits) (2 l/2 bits each )

28 Recursive commit-and-evaluate AM protocol truth table of f … Arthur: random m x m box Merlin: commits to top board ! (input revealed) Arthur/ Merlin: commit to each lines board Arthur: random points for checking lines Merlin: commits to lines…

29 Parameters Start with 2 l bit truth table < log l levels # lines 2 O(l). v Efficiency of AM protocol: poly(m) blow-up at each level ) poly(m) log l running time convert O(log l) rounds to two rounds ) poly(m) (log l) 2 time for final AM protocol

30 Conclusions Key ideas: commit-and-evaluate protocols as abstraction. operate implicitly on lines. PCP tools: low-degree testing, self-correction. local extractor when know in advance it will applied to low-degree polynomials. Recursive win-win analysis allows large objects to have short descriptions. Open problems: improve poly(m) (log l) 2 to poly(m) ( optimal ). remove feasibly generated inputs from main theorem. Uncondtional proof that AM Σ 2 (TIME(2 n o(1) )).

31 That s it …

Download ppt "Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech."

Similar presentations

1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.

1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.
QMA/qpoly PSPACE/poly: De-Merlinizing Quantum Protocols Scott Aaronson University of Waterloo.

QMA/qpoly PSPACE/poly: De-Merlinizing Quantum Protocols Scott Aaronson University of Waterloo.
Unconditional Weak derandomization of weak algorithms Explicit versions of Yao s lemma Ronen Shaltiel, University of Haifa :

Unconditional Weak derandomization of weak algorithms Explicit versions of Yao s lemma Ronen Shaltiel, University of Haifa :
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
An Introduction to Randomness Extractors Ronen Shaltiel University of Haifa Daddy, how do computers get random bits?

An Introduction to Randomness Extractors Ronen Shaltiel University of Haifa Daddy, how do computers get random bits?
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Complexity Theory Lecture 6

Complexity Theory Lecture 6
Randomness Extractors: Motivation, Applications and Constructions Ronen Shaltiel University of Haifa.

Randomness Extractors: Motivation, Applications and Constructions Ronen Shaltiel University of Haifa.
Direct Product : Decoding & Testing, with Applications Russell Impagliazzo (IAS & UCSD) Ragesh Jaiswal (Columbia) Valentine Kabanets (SFU) Avi Wigderson.

Direct Product : Decoding & Testing, with Applications Russell Impagliazzo (IAS & UCSD) Ragesh Jaiswal (Columbia) Valentine Kabanets (SFU) Avi Wigderson.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.

Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.

Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.
Simple extractors for all min- entropies and a new pseudo- random generator Ronen Shaltiel Chris Umans.

Simple extractors for all min- entropies and a new pseudo- random generator Ronen Shaltiel Chris Umans.
Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.

Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.
Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.
Complexity Theory Lecture 9 Lecturer: Moni Naor. Recap Last week: –Toda’s Theorem: PH  P #P. –Program checking and hardness on the average of the permanent.

Complexity Theory Lecture 9 Lecturer: Moni Naor. Recap Last week: –Toda’s Theorem: PH  P #P. –Program checking and hardness on the average of the permanent.

Similar presentations

Ads by Google