Eric Allender Rutgers University Zero Knowledge and Circuit Minimization Joint work with Bireswar Das (IIT Gandinagar, DIMACS) MFCS, Budapest, August 26, 2014

Eric Allender: Zero Knowledge and Circuit Minimization < 2 >< 2 > The Cook-Levin Theorem Arguably the most important theorem in theoretical computer science.  …but what were they thinking? SAT is NP-Complete

Eric Allender: Zero Knowledge and Circuit Minimization < 3 >< 3 > What they were thinking: The STOC deadline is nearly here…

Eric Allender: Zero Knowledge and Circuit Minimization < 4 >< 4 > What they were thinking: Looks like I wont be able to prove a Graph Isomorphism result in time… So I’ll just submit this.

Eric Allender: Zero Knowledge and Circuit Minimization < 5 >< 5 > What they were thinking: I refuse to publish a partial result! I need to be able to say something about the Minimum Circuit Size Problem…

Eric Allender: Zero Knowledge and Circuit Minimization < 6 >< 6 > What they were thinking: …and Graph Isomorphism too! [Pemmaraju, Skiena]

Eric Allender: Zero Knowledge and Circuit Minimization < 7 >< 7 > What they were thinking: …and Graph Isomorphism too! Leonid, Publish it!

Eric Allender: Zero Knowledge and Circuit Minimization < 8 >< 8 > What they were thinking: OK…But only the 2-page version!

Eric Allender: Zero Knowledge and Circuit Minimization < 9 >< 9 > NP-Intermediate Problems  Thus, as long as there has been a theory of NP-completeness, there have been two prominent candidates for “NP-Intermediate” status: in NP, but neither complete nor in P: – Graph Isomorphism (GI) – The Minimum Circuit Size Problem (MCSP)  After 4 decades, they still cling to this status.  …but is there any relationship between these problems?

Eric Allender: Zero Knowledge and Circuit Minimization Graph Isomorphism  GI = {(G,H) : the vertices of G can be permuted, to yield H}

Eric Allender: Zero Knowledge and Circuit Minimization MCSP  MCSP = {(x,i) : x is the truth table of a function with a circuit of size at most i}.  Why was Levin so interested in MCSP?  In the USSR in the 70’s (and before) there was great interest in problems requiring “perebor”, or “brute-force search”. For various reasons, MCSP was a focal point of this interest.

Eric Allender: Zero Knowledge and Circuit Minimization MCSP  MCSP = {(x,i) : x is the truth table of a function with a circuit of size at most i}.  Why was Levin so interested in MCSP?  Yablonski [1959] proved a result that – to him and his students – meant “MCSP requires perebor”. (This would imply P < NP.) By the late 1960’s Yablonski “attained influential positions [dealing with] coordination and control of math…a time of rapid degradation of the moral climate within the Soviet math community” [Trakhtenbrot].

Eric Allender: Zero Knowledge and Circuit Minimization GI and MCSP  This historical digression has established:  The questions of the complexity of GI and MCSP are as old as the theory of computational complexity (or perhaps even older).  No relationship between the complexity of these problems had been established.  Let’s take care of that right now.

Eric Allender: Zero Knowledge and Circuit Minimization Today’s Goal  Theorem 1: GI reduces to MCSP. More precisely: GI є RP MCSP.  Theorem 2: More generally: Every problem with a Statistical Zero Knowledge Proof reduces to MCSP. That is: SZK is contained in BPP MCSP.  We’ll follow a well-established path: All reductions to MCSP seem to make use of pseudorandom generators. [Kabanets, Cai] [A,Buhrman,Koucky,van Melkebeek, Ronneburger]

Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators For any efficient “test” T, Prob[T accepts a random string of length n] ≈ Prob[T accepts a pseudorandom string of length n] PseudoRandom bits b 1,b 2,… seed G

Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators [HILL]: Given a cryptographically- secure one-way function f, we can build a secure pseudorandom generator G f. PseudoRandom bits b 1,b 2,… seed GfGf

Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators [HILL]: If G f is not secure, then f is easy to invert. PseudoRandom bits b 1,b 2,… seed GfGf

Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators [HILL]: If T is a test that accepts half of the strings of length n, but accepts none of the strings output by G f, then there is a probabilistic poly-time N such that Prob x [f(N T (f(x))) = f(x)] > 1/poly. PseudoRandom bits b 1,b 2,… seed GfGf

Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators [HILL]: If T is a test that accepts half of the strings of length n, but accepts none of the strings output by G f i, then there is a probabilistic poly-time N such that Prob x [f i (N T (i,f i (x))) = x] > 1/poly. PseudoRandom bits b 1,b 2,… seed GfiGfi

Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators The output of G f i has small time-bounded K-complexity. PseudoRandom bits b 1,b 2,… seed GfiGfi

Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators The output of G f i has small time-bounded K-complexity. KT(x) ≈ Circuit.size(x). PseudoRandom bits b 1,b 2,… seed GfiGfi

Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators The output of G f i has small time-bounded K-complexity. KT(x) ≈ Circuit.size(x). Most x require very large circuits. PseudoRandom bits b 1,b 2,… seed GfiGfi

Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators The output of G f i has small time-bounded K-complexity. KT(x) ≈ Circuit.size(x). Most x require very large circuits. MCSP gives us a great test T to distinguish random and pseudorandom strings. PseudoRandom bits b 1,b 2,… seed GfiGfi

Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators Specifically, the set T = {x | Circuit.Size(x) >√|x|} is computable relative to MCSP and breaks all pseudorandom generators. PseudoRandom bits b 1,b 2,… seed GfiGfi

Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators Specifically, the set T = {x | Circuit.Size(x) >√|x|} is computable relative to MCSP and breaks all pseudorandom generators. Thus Prob x [f i (N MCSP (i,f i (x))) = f(x)] > 1/poly. PseudoRandom bits b 1,b 2,… seed GfiGfi

Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators This idea was used before, to show: Factoring is in ZPP MCSP Discrete Log is in BPP MCSP Closest Vector Problem is in BPP MCSP PseudoRandom bits b 1,b 2,… seed GfiGfi We suspect that these are crypto-secure.

Eric Allender: Zero Knowledge and Circuit Minimization Reducing GI to MCSP  The main idea of the reduction is to follow this same approach, using a function that has never seemed like a good candidate for a one- way function.

Eric Allender: Zero Knowledge and Circuit Minimization Our Indexed Family of Functions  Given graph H and permutation π, let f H (π) = π(H).  To find out if G and H are isomorphic: – Pick a random permutation π. – Run N MCSP (H, π(G)) and obtain output β. – Accept if π(G) = β(H).  If G and H are isomorphic, this accepts with probability 1/poly(n).  QED!

Eric Allender: Zero Knowledge and Circuit Minimization Zero Knowledge  The Graph Isomorphism problem was one of the first few problems known to have a Zero Knowledge Interactive Proof.

Eric Allender: Zero Knowledge and Circuit Minimization Zero Knowledge  The Graph Isomorphism problem was one of the first few problems known to have a Zero Knowledge Interactive Proof. NPcoNP SZK GI MCSP

Eric Allender: Zero Knowledge and Circuit Minimization Some facts about SZK  SZK is contained in NP/poly ∩ coNP/poly.  There are complete problems for SZK.  …but in order to introduce these complete problems, we need to talk about “promise problems”.

Eric Allender: Zero Knowledge and Circuit Minimization Promise Problems Ordinary decision problems. Yes No

Eric Allender: Zero Knowledge and Circuit Minimization Promise Problems Ordinary decision problems. Yes No Promise Problems. YesDon’t Care No

Eric Allender: Zero Knowledge and Circuit Minimization Statistical Difference  The “standard” complete promise problem for SZK is Statistical Difference (SD).  The inputs to SD are pairs of circuits (C,D); we view the circuits as representing probability distributions, where Prob C (y) is the probability, over x chosen uniformly at random, that C(x)=y.  The Yes Instances of SD are (C,D) such that these probability distributions are quite close.  The No Instances of SD are (C,D) where the distributions are far apart.

Eric Allender: Zero Knowledge and Circuit Minimization Image Intersection Density  We will actually use a restricted version of SD, called Image Intersection Density (IID). The Yes instances look the same as in SD.  The No instances are pairs (C,D) such that, with probability exponentially close to 1 (over randomly chosen x) C(x) is not in the image of D.  IID was shown by [Ben-Or, Gutfreund] to be complete for a subclass of SZK, which was subsequently shown to coincide with SZK [Chailloux, Ciodan, Kerenidis, Vadhan].

Eric Allender: Zero Knowledge and Circuit Minimization Reducing SZK to MCSP  For any circuit C, let F C (x) = C(x). These are the “one-way functions” that we’ll try to invert, with MCSP as an oracle.  Given a pair (C,D), repeat the following K times: – Pick x at random, and compute y=C(x). – Run N MCSP (D, y) and obtain output z. – Accept if D(z) = y.  On Yes instances, we expect K/poly acceptances,

Eric Allender: Zero Knowledge and Circuit Minimization Reducing SZK to MCSP  For any circuit C, let F C (x) = C(x). These are the “one-way functions” that we’ll try to invert, with MCSP as an oracle.  Given a pair (C,D), repeat the following K times: – Pick x at random, and compute y=C(x). – Run N MCSP (D, y) and obtain output z. – Accept if D(z) = y.  On Yes instances, we expect K/poly acceptances, on No instances we expect K/2 n.

Eric Allender: Zero Knowledge and Circuit Minimization Reducing SZK to MCSP  For any circuit C, let F C (x) = C(x). These are the “one-way functions” that we’ll try to invert, with MCSP as an oracle.  Given a pair (C,D), repeat the following K times: – Pick x at random, and compute y=C(x). – Run N MCSP (D, y) and obtain output z. – Accept if D(z) = y.  On Yes instances, we expect K/poly acceptances, on No instances we expect K/2 n. QED

Eric Allender: Zero Knowledge and Circuit Minimization How hard is MCSP?

Eric Allender: Zero Knowledge and Circuit Minimization How hard is MCSP?  [Kabanets, Cai] showed that if MCSP were NP-complete under “natural” ≤ m reductions, then BPP=P.  This is not evidence against being NP- complete, but it is evidence that it might be hard to prove.  Vinodchandran considered SNCMP (like MCSP but for “strong nondeterministic circuits”); it will be a breakthrough if GI reduces to SNCMP under “natural” reductions.  …but our argument provides an RP-reduction!

Eric Allender: Zero Knowledge and Circuit Minimization Open Questions  Is GI in ZPP MCSP ?  …or in P MCSP ?  …or is MCSP NP-hard, perhaps under P/poly reductions? – Note in this regard, that the “Minimum QBF Circuit Size Problem” is complete for PSPACE under P/poly reductions, and analogous results hold for other classes.

Eric Allender: Zero Knowledge and Circuit Minimization Open Questions  Or is there a promise problem related to MCSP that is complete for SZK?  Consider the promise problem that has: – Yes instances: {x | Circuit.Size(x) >√|x|} – No instances: {x | Circuit.Size(x) <|x| 1/4 }  Can this problem be in SZK? Or in some other “nearby” class?

Eric Allender: Zero Knowledge and Circuit Minimization Thank you!