Algebrization: A New Barrier in Complexity Theory Scott Aaronson (MIT) Avi Wigderson (IAS) 4xyw-12yz+17xyzw-2x-2y-2z-2w IP=PSPACE MA EXP  P/poly MIP=NEXP PP  SIZE(n) PromiseMA  SIZE(n) PP  P/poly  PP=MA NEXP  P/poly  NEXP=MA RG=EXP NEXP  P/poly NP  SIZE(n) -15xyz+43xy-5x 13xw-44xz+x-7y+ P  NP P=BPP

Any proof of P  NP will have to defeat two terrifying monsters… P  NP A Relativization [Baker-Gill-Solovay 1975] Natural Proofs [Razborov-Rudich 1993] ARITHMETIZATION Furthermore, even our best weapons seem to work against one monster but not the other… DIAGONALIZATION

Yet within the last decade, we’ve seen circuit lower bounds that overcome both barriers [Buhrman-Fortnow-Thierauf 1998]: MA EXP  P/poly Furthermore, this separation doesn’t relativize [Vinodchandran 2004]: PP  SIZE(n k ) for every fixed k [Aaronson. 2006]: This separation is doesn’t relativize [Santhanam 2007]: PromiseMA  SIZE(n k ) for fixed k Vinodchandran’s Proof: PP  P/poly  We’re done PP  P/poly  P #P = MA [LFKN]  P #P = PP   2 P  PP [Toda]  PP  SIZE(n k ) [Kannan] Non-Relativizing Non-Naturalizing

Bottom Line: Relativization and natural proofs, even taken together, are no longer insuperable barriers to circuit lower bounds Obvious Question [Santhanam 2007]: Is there a third barrier? This Talk: Unfortunately, yes. “Algebrization”: A generalization of relativization where the simulating machine gets access not only to an oracle A, but also a low-degree extension à of A over a finite field or ring We show: Almost all known techniques in complexity theory algebrize Any proof of P  NP, P=RP or NEXP  P/poly --- will require non-algebrizing techniques

Algebrizing Relativizing Naturalizing [Toda], [Impagliazzo- Wigderson], [Valiant- Vazirani], [Kannan], hundreds more [LFKN], [Shamir], [BFL], [BFT], [Vinodchandran], [Santhanam], [IKW], … [Furst-Saxe-Sipser], [Razborov-Smolensky], [Raz], dozens more [Your result here]

Plan for the rest of the talk -Definition of algebraization & algebraizing results -Almost every non relativized results algebraizes -Almost all remaining open problems don’t algebraize

Definitions The inclusion C  D relativizes if C A  D A for all oracles A Given an oracle A={A n } with A n :{0,1} n  {0,1}, an extension à of A is a collection of polynomials à n :Z n  Z satisfying: (i) à n (x)=A n (x) for all Boolean x  {0,1} n, (ii) deg(à n )=O(n), (iii) size(à n (x))  p(size(x)) for some polynomial p, where Note: Can also consider extensions over finite fields instead of the integers. Will tell you when this distinction matters.

A complexity class inclusion C  D algebrizes if C A  D à for all oracles A and all extensions à of A Proving C  D requires non-algebrizing techniques if there exist A,à such that C A  D à A complexity class separation C  D algebrizes if C à  D A for all A,à Proving C  D requires non-algebrizing techniques if there exist A,à such that C à  D A Notice we’ve defined things so that every relativizing result is also algebrizing.

Algebraizing results

Why coNP  IP Algebrizes The only time Arthur ever has to evaluate the polynomial p directly is in the very last round—when he checks that p(r 1,…,r n ) equals what Merlin said it does, for some r 1,…,r n chosen randomly in the previous rounds. Recall the usual coNP  IP proof of [LFKN]: Bullshit!

How was the polynomial p produced? By starting from a Boolean circuit, assign a variable to every gate, then multiply together terms that enforce “correct propagation” at each gate: xyg + (1-xy)(1-g)  x y g Arthur and Merlin then reinterpret p not as a Boolean function, but as a polynomial over some larger field. But what if the circuit contained oracle gates? Then how could Arthur evaluate p over the larger field? A(x,y)g + (1-A(x,y))(1-g) A That’s why IP=PSPACE doesn’t relativize! But if Arthur has access to an extension à of A…. Ã(x,y)g + (1-Ã(x,y))(1-g)

Other Results That Algebrize Notation: C A[poly] : Polynomial-size queries to A only PSPACE A[poly]  IP Ã [Shamir] NEXP A[poly]  MIP Ã [BFL] PP Ã  P Ã /poly  PP A  MA Ã [LFKN] NEXP Ã[poly]  P Ã /poly  NEXP A[poly]  MA Ã [IKW] MA EXP Ã  P A /poly [BFT] PP Ã  SIZE A (n)[Vinodchandran] PromiseMA Ã  SIZE A (n)[Santhanam]  OWF f  P Ã, f -1  BPP Ã  NP A  ZKIP Ã [GMW]

Proving P  NP Will Require Non- Algebrizing Techniques Theorem: There exists an oracle A, and an extension Ã, such that NP à  P A. Proof: Let A be a PSPACE-complete [BGS]. Let à be the unique multilinear extension of A. Then à is also PSPACE-complete [BFL]. Hence NP à = P A = PSPACE.

Harder Example: Proving P=NP Will Require Non-Algebrizing Techniques Theorem: There exist A,Ã such that NP A  P Ã. What’s the difficulty here, compared to [BGS] NP A  P A ? L A (n): does A(z)=1 for any z  {0,1} n ? (find a needle in a haystack). We’ll answer P-machine queries to A by 0. But if the machine queries Ã, a low-degree polynomial extension of A, we can’t toggle each Ã(x) freely! I.e. the algorithm we’re fighting is no longer looking for a needle in a haystack—it can also look in the haystack’s low-degree extension! Can access to a haystack extension help? Yes & No

Polynomial extensions help Theorem: [JKRS] For A: {0,1} n  {0,1} let #A=  x A(x) Let Ã: F n  F be the multilinear extension of A with char(F)  2. Then #A  P Ã Proof: #A = 2 n Ã(½, ½ … ½ )

Theorem: Let F be a field, and let Y  F n be the set of points queried by the algorithm. Then there exists a polynomial p:F n  F, of degree at most 2n, such that (i) p(y)=0 for all y  Y. (ii) p(z)=1 for at least 2 n -|Y| Boolean points z. (iii) p(z)=0 for the remaining Boolean points Y Polynomial extensions don’t help

If |Y|=poly(n), the algorithm can’t even distinguish if A is all 0’s or A is mostly 1’s on {0,1} n. Proved RP A  P Ã ! Proof: Given a Boolean point z, let  z be the unique multilinear polynomial that’s 1 at z and 0 at all other Boolean points. Then we can express any multilinear polynomial r as Requiring r(y)=0 for all y  Y yields |Y| linear equations in 2 n unknowns. Hence there exists a solution r such that r(z)  0 for at least 2 n -|Y| Boolean points z. We now set In the integers case, we can no longer use Gaussian elimination to construct r. However, using Chinese remaindering and Hensel lifting, some proof works provided every query y satisfies size(y)=O(poly(n)). A standard diagonalization argument now yields the separation between P and RP we wanted—at least in the case of finite fields.

Other Oracle Results We Can Prove By Building “Designer Polynomials”  A,Ã : NP A  coNP Ã  A,Ã : NP A  BPP Ã (only for finite fields, not integers)  A,Ã : NEXP Ã  P A /poly  A,Ã : NP Ã  SIZE A (n) MA EXP  P/poly, and PromiseMA  SIZE(n) do algebrize! MA EXP  P/poly, and PromiseMA  SIZE(n) do algebrize! We seem to get a precise explanation for why progress on non-relativizing circuit lower bounds stopped where it did

From Algebraic Query Algorithms to Communication Protocols A(000)=1 A(001)=0 A(010)=0 A(011)=1 A(100)=0 A(101)=0 A(110)=1 A(111)=1 Truth table of a Boolean function A Alice and Bob’s Goal: Compute some property of the function A:{0,1} n  {0,1}, using minimal communication Theorem: If a problem can be solved using T queries to Ã, then it can also be solved using O(Tnlog|F|) bits of communication between Alice and Bob Let Ã:F n  F be the unique multilinear extension of A over a finite field F A0A0 A1A1

Proof: Given any point y  F n, we can write Theorem: If a problem can be solved using T queries to Ã, then it can also be solved using O(Tnlog|F|) bits of communication between Alice and Bob The protocol is now as follows: y 1 (O(nlog|F|) bits) Ã 1 (y 1 ) (O(log|F|) bits) y 2 (O(nlog|F|) bits) This argument works just as well in the randomized world, the nondeterministic world, the quantum world… Also works with integer extensions (we didn’t have to use a finite field). Ã(y 1 )=Ã 0 (y 1 )+Ã 1 (y 1 )

The Harvest: Separations in Communication Complexity Imply Algebraic Oracle Separations  (2 n ) randomized lower bound for Disjointness [KS 1987] [Razborov 1990]  A,Ã : NP A  BPP Ã  (2 n/2 ) quantum lower bound for Disjointness [Razborov 2002]  A,Ã : NP A  BQP Ã  (2 n/2 ) lower bound on MA-protocols for Disjointness [Klauck 2003]  A,Ã : coNP A  MA Ã Exponential separation between classical and quantum communication complexities [Raz 1999]  A,Ã : BQP A  BPP Ã Exponential separation between MA and QMA communication complexities [Raz- Shpilka 2004]  A,Ã : QMA A  MA Ã Advantages of this approach: Ã is just the multilinear extension of A! Works automatically with integer extensions Advantages of this approach: Ã is just the multilinear extension of A! Works automatically with integer extensions Disadvantage: The functions achieving the separations are more contrived (e.g. Disjointness instead of OR).

Conclusions Arithmetization had a great run: led to IP=PSPACE, the PCP Theorem, non-relativizing circuit lower bounds… Yet we showed it’s fundamentally unable to resolve barrier problems like P vs. NP, or even P vs. BPP or NEXP vs. P/poly. Why? It “doesn’t pry open the black-box wide enough.” I.e. it uses a polynomial-size Boolean circuit to produce a low-degree polynomial, which it then evaluates as a black box. It doesn’t exploit the small size of the circuit in any “deeper” way. To reach this conclusion, we introduced a new model of algebraic query complexity, which has independent applications (e.g. to communication complexity) and lots of nooks and crannies to explore in its own right. OPEN: Prove a non-algebrizing result!

Open Problems Develop non-algebrizing techniques! Do there exist A,Ã such that coNP A  AM Ã ? Improve PSPACE A[poly]  IP Ã to PSPACE Ã[poly] = IP Ã The power of “double algebrization” Integer queries of unbounded size Generalize to arbitrary error-correcting codes (not just low-degree extensions)? Test if a low-degree extension came from a small circuit? Algebraize other crypto results (oblivious function eval)

Can also go the other way: algebrization- inspired communication protocols [Klauck 2003]: Disjointness requires  (  N) communication, even if there’s a Merlin to prove Alice and Bob’s sets are disjoint “Obvious” Conjecture: Klauck’s lower bound can be improved to  (N) This conjecture is false! We give an MA-protocol for Disjointness (and indeed Inner Product) with total communication cost O(  N log N) “Hardest” communication predicate?

O(  N log N) MA-protocol for Inner Product A:[  N]  [  N]  {0,1} B:[  N]  [  N]  {0,1} Alice and Bob’s Goal: Compute First step: Let F be a finite field with |F|  [N,2N]. Extend A and B to degree-(  N-1) polynomials If Merlin is honest, then But how to check S’=S? If S’  S, then Now let rRFrRF Claimed value S’ for S