# Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech.

## Presentation on theme: "Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech."— Presentation transcript:

Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech

Arthur-Merlin Games [B,GMR] Interactive games in which the all- powerful prover Merlin attempts to prove some statement to a probabilistic poly- time verifier. Merlin Arthur x L toss coins coin tosses message I accept

Arthur-Merlin Games [B,GMR] Completeness: If the statement is true then Arthur accepts. Soundness: If the statement is false then Pr[Arthur accepts]< ½. Merlin Arthur x L toss coins coin tosses message I accept

Arthur-Merlin Games [B,GMR] Completeness: If the statement is true then Arthur accepts. Soundness: If the statement is false then Pr[Arthur accepts]< ½. The class AM: All languages L which have an Arthur-Merlin protocol. Contains many interesting problems not known to be in NP.

Derandomization goals: Efficient deterministic simulation of prob. algs. BPP=P BPP SUBEXP=DTIME(2 n o(1) ) Efficient nondeterministic simulation of prob. protocols AM=NP AM NSUBEXP=NTIME(2 n o(1) ) We don t know how to separate BPP from NEXP. Such a separation implies certain circuit lower bounds [IKW01,KI02].

Hardness versus Randomness Initiated by [BM,Yao,Shamir,NW]. Assumption: hard functions exist. Conclusion: Derandomization. A lot of works: [BM82,Y82,HILL,NW88,BFNW93, I95,IW97,IW98,KvM99,STV99,ISW99,MV99, ISW00,SU01,U02,TV02,GST03,SU05,U05, … ]

A quick survey of (nonuniform) hardness/randomness tradeoffs Assumption: There exists a function in E=DTIME(2 O(l) ) which is hard for small (size s(l)) circuits. AMBPP Nondeterministic circuits Deterministic circuits A hard function for: AM=NP [KvM99,MV99,SU05] BPP=P [IW97,STV99] High-end: s(l)=2 Ω(l) AM NSUBEXP [SU01,SU05] BPP SUBEXP [BFNW93,SU01,U02] Low-end: s(l)=l ω(1)

A quick survey of (uniform) hardness/randomness tradeoffs Assumption: There exists a function in E=DTIME(2 O(l) ) which is hard for small (time s(l)) algorithms/protocols. AMBPP AM protocols.Prob. algsA hard function for: AM=NP (*) [GST03] BPP=P (*) [TV02*] High-end: s(l)=2 Ω(l) AM NSUBEXP (*) BPP SUBEXP (*) [IW98] Low-end: s(l)=l ω(1) This paper* (*) The simulation only succeeds on feasibly generated inputs.

A low-end gap theorem for AM. Informal statement: Either AM protocols are very strong. Or, AM protocols are somewhat weak. Formal statement: Either E=DTIME(2 O(l) ) has Arthur-Merlin protocols running in time 2 (log l) 3. Or, for every L AM there is a nondeterministic machine M that runs in subexponential time and agrees with L on feasibly generated inputs. No polynomial time machine can produce inputs on which M fails. Should have been poly(l) Jargon: Just like [IW98] paper but for AM instead of BPP

A uniform hardness vs. randomness tradeoff for AM Informal statement: Either AM protocols are very strong. Or, AM protocols are somewhat weak. Formal statement: For l { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://images.slideplayer.com/3/1350493/slides/slide_10.jpg", "name": "A uniform hardness vs.", "description": "randomness tradeoff for AM Informal statement: Either AM protocols are very strong. Or, AM protocols are somewhat weak. Formal statement: For l

Motivation: weak unconditional derandomization We believe that AM=NP (= Σ 1 ). We only know that AM is in Σ 3. Goal: Unconditional proof that AM Σ 2 (or even AM Σ 2 -TIME(2 n o(1) ). Conditional => Unconditional ?? Approach [GST03]: Either AM is weak: AM=NP AM Σ 2. Or AM is very strong: AM=E ??? AM=coAM Σ 2. Missing step: remove feasibly generated inputs.

A low-end gap theorem for AM coAM. Informal statement: Either AM coAM is very strong. Or, AM coAM is somewhat weak. Formal statement: Either E=DTIME(2 O(l) ) has Arthur-Merlin protocols running in time 2 (log l) 3. Or, for every L AM coAM there is a nondeterministic machine M that runs in subexponential time and agrees with L on all inputs (not necessarily feasibly generated). Should have been poly(l)

Plan for rest of talk Explain the overall approach of getting uniform hardness vs. randomness tradeoffs for AM (which is in [GST03]). This approach uses a hitting-set generator construction by [MV99] which only works in the high end. Main technical contribution of this paper is improving the [MV99] construction so that it works in the low-end. Improvement uses PCP tools which were not used previously in this framework.

The high level approach (following [GST03])

The uniform tradeoff of [GST03]: resilient AM protocols Arthur Merlin nonuniform advice Constructs nondet. Circuit C that is supposed to compute f f(y)=? f(y)=b witness showing C(y)=b AM protocol verifying that C=f. (exists as f is complete for E) C is supposed to define a function: For every y, C is supposed to have witnesses showing C(y)=0 or C(y)=1 but not both! (single valued circuit) Use nonuniform tradeoffs for AM. Derandomization fails => hard function f has small nondeterministic circuits. Want to show that: => f has small AM protocol. Observation [GST03]: The [MV99] tradeoff has an AM protocol in which Arthur verifies that the circuit obtained is single- valued (defines a function). Suppose Arthur could verify that this is indeed the case.

The uniform tradeoff of [GST03]: Use nonuniform tradeoffs for AM. Derandomization fails => hard function f has small nondeterministic circuits. Want to show that: => f has small AM protocol. Observation [GST03]: The [MV99] tradeoff has an AM protocol in which Arthur verifies that the circuit obtained is single- valued (defines a function). => AM protocol for f. Problem: The [MV99] generator only works in the high end. Our contribution: Modify [MV99] into a low-end generator. Arthur Merlin C is supposed to compute f f(y)=? f(y)=b witness showing C(y)=b AM protocol verifying that C=f. (exists as f is complete for E) AM protocol in which Arthur receives a certified valid circuit C C is guaranteed to define a function: For every y, C is has witnesses showing C(y)=0 or C(y)=1 but not both!

Abstraction: commit-and-evaluate AM protocols and resiliency. Commit-and-evaluate AM protocols for function f(y). Properties: Input y can be revealed to Merlin after commit phase. Conformity: Honest Merlin can make Arthur output f(y). Resiliency: Following commit phase Merlin is (w.h.p) committed to some function g(y) (may differ from f). Thm: If E has such AM protocols then E has standard AM protocols. Arthur Merlin f(y)=? f(y)=b Evaluation phase: AM protocol that uses advice string and outputs a value v(y). Commit phase: AM protocol generating advice string.

The big picture: How to derandomize an AM protocol Nondet machine M(x) (supposed to accept L AM) Use function f to construct small hitting set of pseudorandom strings. Run AM protocol on input x (using pseudorandom strings as random coins) and accept if all runs accept. Proof of correctness by reduction Suppose M fails on an input x. Construct an efficient commit- and-evaluate AM protocol that uses x and conforms resiliently with f. => f has a standard efficient AM protocol. Where do feasibly generated inputs come in? How can Arthur obtain x? From his point of view x is a nonuniform advice string. No problem if we only care about inputs that can be feasibly generated by some efficient TM. Following [GST03]: In the case of AM coAM we can trust Merlin to send a good x. This is where uniformity comes in: Protocols rather than circuits.

Improving Miltersen-Vinodchandran hitting set generator (How to derandomize an AM language)

The MV hitting set generator Nondet. Machine M(x): derandomizes AM protocol with m coins For every output string guess a response for Merlin and accept if Arthur accepts all of them. x L Merlin can answer any string M accepts (no error). xL Merlin can answer ½ strings M may err. truth table f:{0,1} l {0,1} field size q=102 l/2 p(x,y) deg. 2 l/2 A {0,1} m extractor rows and columns Z small set (2 m ) deg 2 l/2 polys Hitting set

A commit-and-evaluate AM protocol for p. truth table f:{0,1} l {0,1} field size q=102 l/2 p(x,y) deg. 2 l/2 A {0,1} m extractor rows and columns Z very small set

truth table f:{0,1} l {0,1} field size q=102 l/2 p(x,y) deg. 2 l/2 A {0,1} m extractor rows and columns Z small set (2 m ) A commit-and-evaluate AM protocol for p. Conformity: v Resiliency: v (RS code). w.h.p. over S univariate poly g Z, g(S) is unique. Efficiency: (on high end m=2 Ω(l) ). Protocol runs in time poly(m). Protocol requires passing polynomials of degree 2 l/2. Arthur Merlin p(x,y)=? p(x,y )= b commit phase: S R Field of size m p(S 2 ) evaluation phase: Both compute path to (x,y) line on path: p| line and witness w Arthur checks: small set: p| line Z using w. consistency of p| line. deg 2 l/2 polys

truth table f:{0,1} l {0,1} field size q=102 l/2 p(x,y) deg. 2 l/2 A {0,1} m extractor rows and columns Z very small set A commit-and-evaluate AM protocol for p. Conformity: v Resiliency: v (RS code). w.h.p. over S univariate poly gZ, g(S) is unique. Efficiency: (on high end m=2 Ω(l) ). Protocol runs in time poly(m). Protocol requires passing polynomials of degree 2 l/2. Arthur Merlin commit phase: S R Field of size m p(S 2 ) evaluation phase: Both compute path to (x,y) line on path: p| line and witness w Arthur checks: small set: p| line Z using w. consistency of p| line. For low end (say m=l O(1) ) we need to reduce degree Can get deg=2 l/d using p(x 1,..,x d ) with d variables. S 2 S d |S d |=2 Ω(l) no gain! p(x,y)=? p(x,y )= b

truth table f:{0,1} l {0,1} field size q=102 l/2 p(x,y) deg. 2 l/2 A {0,1} m extractor rows and columns Z very small set The best of both worlds Best of both worlds: Use p(x 1,..,x d ) deg 2 l/d. Run MV as if p=p(x,y). Resiliency: v (RM code). Size of box=|S| 2 m 2. doesnt depend on d! Sending p| line costs 2 l/2 bits. Arthur Merlin commit phase: S R Field of size m p(S 2 ) evaluation phase: Both compute path to (x,y) line on path: p| line and witness w Arthur checks: small set: p| line Z using w. consistency of p| line. deg 2 l/2 polys p(x,y)=? p(x,y )= b p(x 1,..,x d/2 ;x d/2+1,..,x d ). p| line has many coefficients Suppose p| line could be sent more efficiently: p| line has small (non- det) circuit p| line has commit-and- evaluate protocol Arthur can verify that he gets a low-degree polynomial by performing low-degree testing!

truth table f:{0,1} l {0,1} field size q=102 l/2 p(x,y) deg. 2 l/2 A {0,1} m extractor rows and columns Z very small set Locally computable extractors Story so far: Use polynomials p with many variables and pretend they are bivariate. Assume that p| line can be sent efficiently. (Not yet justified). Is the AM protocol efficient? Arthur Merlin commit phase: S R Field of size m p(S 2 ) evaluation phase: Both compute path to (x,y) line on path: p| line and witness w Arthur checks: small set: p| line Z using w. consistency of p| line. deg 2 l/2 polys p(x,y)=? p(x,y )= b v v v v v X Requires running the extractor on p| line (t) for all q d inputs t to p| line. Need locally computable extractors! Thm: [V] no locally computable extractors for low-entropy. We know that inputs to extractors are low-degree polynomials! Can use extractor construction [SU01] which is locally computable. Thm: [V] no locally computable extractors for low-entropy. We know that inputs to extractors are low-degree polynomials! Can use extractor construction [SU01] which is locally computable. v Efficient AM protocol!

v truth table f:{0,1} l {0,1} field size q=102 l/2 p(x,y) deg. 2 l/2 A {0,1} m extractor rows and columns Z very small set Win-win analysis Main ideas: Use polynomials p with many variables and pretend they are bivariate. Assume that p| line can be sent efficiently. (Not yet justified). Use locally computable extractors (exist when inputs are low degree polynomials. Arthur Merlin commit phase: S R Field of size m p(S 2 ) evaluation phase: Both compute path to (x,y) line on path: p| line and witness w Arthur checks: small set: p| line Z using w. consistency of p| line. deg 2 l/2 polys p(x,y)=? p(x,y )= b v v v v v Efficient AM protocol! ???? Intuition: If p| line doesnt have an efficient commit-and-evaluate protocol then its better to use it as the hard function. (It is over less variables!) Recursive win-win analysis a-la [ISW99].

The recursive HSG truth table of f … each row and column ALL rows and columns to extractor (2 l bits) (2 l/2 bits each )

Recursive commit-and-evaluate AM protocol truth table of f … Arthur: random m x m box Merlin: commits to top board ! (input revealed) Arthur/ Merlin: commit to each lines board Arthur: random points for checking lines Merlin: commits to lines…

Parameters Start with 2 l bit truth table < log l levels # lines 2 O(l). v Efficiency of AM protocol: poly(m) blow-up at each level ) poly(m) log l running time convert O(log l) rounds to two rounds ) poly(m) (log l) 2 time for final AM protocol

Conclusions Key ideas: commit-and-evaluate protocols as abstraction. operate implicitly on lines. PCP tools: low-degree testing, self-correction. local extractor when know in advance it will applied to low-degree polynomials. Recursive win-win analysis allows large objects to have short descriptions. Open problems: improve poly(m) (log l) 2 to poly(m) ( optimal ). remove feasibly generated inputs from main theorem. Uncondtional proof that AM Σ 2 (TIME(2 n o(1) )).

That s it …

Download ppt "Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech."

Similar presentations