Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.
description
Transcript of Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.
![Page 1: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/1.jpg)
Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.
Ronen Shaltiel, University of HaifaChris Umans, Caltech
![Page 2: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/2.jpg)
Arthur-Merlin Games [B,GMR]
Interactive games in which the all-powerful prover Merlin attempts to prove some statement to a probabilistic poly-time verifier.
Merlin Arthur“xL”
toss coinscoin tosses
message
I accept
![Page 3: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/3.jpg)
Arthur-Merlin Games [B,GMR]
Completeness: If the statement is true then Arthur accepts.
Soundness: If the statement is false then Pr[Arthur accepts]<½.
Merlin Arthur“xL”
toss coinscoin tosses
message
I accept
![Page 4: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/4.jpg)
Arthur-Merlin Games [B,GMR]
Completeness: If the statement is true then Arthur accepts.
Soundness: If the statement is false then Pr[Arthur accepts]<½.
The class AM: All languages L which have an Arthur-Merlin protocol.
Contains many interesting problems not known to be in NP.
![Page 5: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/5.jpg)
Derandomization goals: Efficient deterministic
simulation of prob. algs. BPP=P BPPSUBEXP=DTIME(2no(1))
Efficient nondeterministic simulation of prob. protocols
AM=NP AMNSUBEXP=NTIME(2no(1))
• We don’t know how to separate BPP from NEXP.
• Such a separation implies certain circuit lower bounds [IKW01,KI02].
![Page 6: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/6.jpg)
Hardness versus Randomness
Initiated by [BM,Yao,Shamir,NW].
Assumption: hard functions exist.
Conclusion: Derandomization.
A lot of works: [BM82,Y82,HILL,NW88,BFNW93, I95,IW97,IW98,KvM99,STV99,ISW99,MV99, ISW00,SU01,U02,TV02,GST03,SU05,U05,…]
![Page 7: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/7.jpg)
A quick survey of (nonuniform) hardness/randomness tradeoffs
Assumption: There exists a function in E=DTIME(2O(l)) which is hard for “small” (size s(l)) circuits.
BPPAM
A hard function for:
Deterministic circuits
Nondeterministic circuits
High-end: s(l)=2Ω(l)
BPP=P [IW97,STV99]
AM=NP [KvM99,MV99,SU05]
Low-end:s(l)=lω(1)
BPPSUBEXP [BFNW93,SU01,U02]
AMNSUBEXP [SU01,SU05]
![Page 8: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/8.jpg)
A quick survey of (uniform) hardness/randomness tradeoffs
Assumption: There exists a function in E=DTIME(2O(l)) which is hard for “small” (time s(l)) algorithms/protocols.
BPPAM
A hard function for:
Prob. algsAM protocols.
High-end: s(l)=2Ω(l)
BPP=P (*) [TV02*]
AM=NP (*) [GST03]
Low-end:s(l)=lω(1)
BPPSUBEXP (*) [IW98]
AMNSUBEXP (*)
This paper*
)*(The simulation only succeeds on “feasibly generated inputs.”
![Page 9: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/9.jpg)
A low-end gap theorem for AM.
Informal statement: Either AM protocols are very strong. Or, AM protocols are somewhat weak.
Formal statement: Either E=DTIME(2O(l)) has Arthur-Merlin protocols
running in time 2(log l)3. Or, for every LAM there is a nondeterministic
machine M that runs in subexponential time and agrees with L on “feasibly generated inputs”.
No polynomial time machine can produce inputs on which M fails.
Should have been
poly(l)
Jargon: Just like [IW98]
paper but for AM instead of
BPP
![Page 10: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/10.jpg)
A uniform hardness vs. randomness tradeoff for AM
Informal statement: Either AM protocols are very strong. Or, AM protocols are somewhat weak.
Formal statement: For l<s(l)<2l. Either E=DTIME(2O(l)) has Arthur-Merlin protocols
running in time s(l). Or, for every LAM there is a nondeterministic
machine M that runs in time 2O(l) and agrees with L on “feasibly generated inputs” of length n=s(l)1/(log(l)-loglog(s(l)))2.
No polynomial time machine can produce inputs on which M fails.
Should have been
Ω(1)
![Page 11: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/11.jpg)
Motivation: weak unconditional derandomization
We believe that AM=NP (= Σ1). We only know that AM is in Σ3. Goal: Unconditional proof that AMΣ2
(or even AMΣ2-TIME(2no(1)). Conditional => Unconditional ?? Approach [GST03]:
Either AM is weak: AM=NP ⇒ AM⊆Σ2. Or AM is very strong: AM=E ⇒ ??? ⇒ AM=coAMΣ2. Missing step: remove “feasibly generated inputs”.
![Page 12: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/12.jpg)
A low-end gap theorem for AM∩coAM.
Informal statement: Either AM∩coAM is very strong. Or, AM∩coAM is somewhat weak.
Formal statement: Either E=DTIME(2O(l)) has Arthur-Merlin protocols
running in time 2(log l)3. Or, for every LAM∩coAM there is a
nondeterministic machine M that runs in subexponential time and agrees with L on all inputs (not necessarily feasibly generated).
Should have been
poly(l)
![Page 13: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/13.jpg)
Plan for rest of talk Explain the overall approach of getting
uniform hardness vs. randomness tradeoffs for AM (which is in [GST03]).
This approach uses a “hitting-set generator” construction by [MV99] which only works in the high end.
Main technical contribution of this paper is improving the [MV99] construction so that it works in the low-end.
Improvement uses “PCP tools” which were not used previously in this framework.
![Page 14: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/14.jpg)
The high level approach (following [GST03])
![Page 15: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/15.jpg)
The uniform tradeoff of [GST03]: resilient AM protocols
Arthur Merlin
nonuniform advice
Constructs nondet. Circuit C that is supposed to compute f
f(y)?= f(y)=b
witness showing C(y)=b
AM protocol verifying that C=f. (exists as f is complete for E)
C is supposed to define a function: For every y, C is supposed to have witnesses showing C(y)=0 or C(y)=1 but not both! (single valued circuit)
Use nonuniform tradeoffs for AM. Derandomization fails
=> hard function f has small nondeterministic circuits.
Want to show that: => f has small AM protocol.
Observation [GST03]: The [MV99] tradeoff has an AM protocol in which Arthur verifies that the circuit obtained is single-valued (defines a function).
Suppose Arthur could verify that this is indeed the
case.
![Page 16: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/16.jpg)
The uniform tradeoff of [GST03]: Use nonuniform tradeoffs for
AM. Derandomization fails
=> hard function f has small nondeterministic circuits.
Want to show that: => f has small AM protocol.
Observation [GST03]: The [MV99] tradeoff has an AM protocol in which Arthur verifies that the circuit obtained is single-valued (defines a function).
=> AM protocol for f. Problem: The [MV99] generator
only works in the “high end”. Our contribution: Modify [MV99]
into a “low-end” generator.
Arthur Merlin
C is supposed to compute f
f(y)?= f(y)=b
witness showing C(y)=b
AM protocol verifying that C=f. (exists as f is complete for E)
AM protocol in which Arthur receives a certified valid circuit C
C is guaranteed to define a function: For every y, C is has witnesses showing C(y)=0 or
C(y)=1 but not both !
![Page 17: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/17.jpg)
Abstraction: commit-and-evaluate AM protocols and resiliency.
Commit-and-evaluate AM protocols for function f(y).
Properties: Input y can be revealed to
Merlin after commit phase. Conformity: Honest Merlin
can make Arthur output f(y). Resiliency: Following
commit phase Merlin is (w.h.p) committed to some function g(y) (may differ from f).
Thm: If E has such AM protocols then E has standard AM protocols.
Arthur Merlin
f(y)?= f(y)=b
Evaluation phase: AM protocol that uses advice string and outputs a value v(y).
Commit phase: AM protocol generating “advice string”.
![Page 18: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/18.jpg)
The big picture: How to derandomize an AM protocol
Nondet machine M(x) (supposed to accept
LAM) Use function f to
construct small “hitting set” of “pseudorandom strings”.
Run AM protocol on input x (using pseudorandom strings as random coins) and accept if all runs accept.
Proof of correctness by reduction
Suppose M fails on an input x.
Construct an efficient commit-and-evaluate AM protocol that uses x and conforms resiliently with f.
=> f has a standard efficient AM protocol.
Where do “feasibly generated inputs” come in?
How can Arthur obtain x ?
From his point of view x is a nonuniform advice string.
No problem if we only care about
inputs that can be “feasibly
generated” by some efficient TM.
Following [GST03]: In the case of
AM∩coAM we can trust Merlin to send
a “good” x.
This is where uniformity comes
in: Protocols rather than
circuits.
![Page 19: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/19.jpg)
Improving Miltersen-Vinodchandran hitting set generator
(How to derandomize an AM language)
![Page 20: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/20.jpg)
The MV hitting set generator
Nondet. Machine M(x): derandomizes AM protocol with m coins For every output string guess a response for Merlin and accept if Arthur accepts all of
them. x∊L ⇒ Merlin can answer any string ⇒ M accepts (no error). x∉L ⇒ Merlin can answer ½ strings ⇒ M may err.
truth table f:{0,1}l→{0,1}
field size q=102l/2
p(x,y)
deg. 2l/2
A
{0,1}m
extractor
rows and
columns Z
small set
(≈2m)
deg 2l/2 polys
Hitting set
![Page 21: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/21.jpg)
A commit-and-evaluate AM protocol for p.
truth table f:{0,1}l→{0,1}
field size q=102l/2
p(x,y)
deg. 2l/2
A
{0,1}m
extractor
rows and columns
Z
very small set
![Page 22: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/22.jpg)
truth table f:{0,1}l→{0,1}
field size q=102l/2
p(x,y)
deg. 2l/2 A
{0,1}m
extractor
rows and
columns Z
small set
(≈2m)
A commit-and-evaluate AM protocol for p.
Conformity: v Resiliency: v (RS code).
w.h.p. over S ∀univariate poly g∊Z, g(S) is unique.
Efficiency: (on high end m=2Ω(l)).
Protocol runs in time poly(m). Protocol requires passing
polynomials of degree 2l/2.
Arthur Merlin
p(x,y)=?
p(x,y)=b
commit phase:S∊RField of size mp(S2)
evaluation phase:• Both compute path to
(x,y)• ∀ line on path:p|line and witness
w Arthur checks:
• small set: p|line∊Z using w.
• consistency of p|line.
deg 2l/2 polys
![Page 23: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/23.jpg)
deg 2l/2 polys truth table f:{0,1}l→{0,1}
field size q=102l/2
p(x,y)
deg. 2l/2 A
{0,1}m
extractor
rows and
columns Z
very small set
A commit-and-evaluate AM protocol for p.
Conformity: v Resiliency: v (RS code).
w.h.p. over S ∀univariate poly g∊Z, g(S) is unique.
Efficiency: (on high end m=2Ω(l)).
Protocol runs in time poly(m). Protocol requires passing
polynomials of degree 2l/2.
Arthur Merlin
commit phase:S∊RField of size mp(S2)
evaluation phase:• Both compute path to
(x,y)• ∀ line on path:p|line and witness
w Arthur checks:
• small set: p|line∊Z using w.
• consistency of p|line.
For low end (say
m=lO(1) ) we need to reduce degree
Can get deg=2l/d
using p(x1,..,xd)
with d variables .
S2→Sd |Sd|=2Ω(l) no
gain!
p(x,y)=?
p(x,y)=b
![Page 24: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/24.jpg)
truth table f:{0,1}l→{0,1}
field size q=102l/2
p(x,y)
deg. 2l/2 A
{0,1}m
extractor
rows and
columns Z
very small set
The best of both worlds
Best of both worlds: Use p(x1,..,xd) deg 2l/d. Run MV as if p=p(x,y). Resiliency: v (RM code). Size of box=|S|2 ≈ m2.
doesn’t depend on d! Sending p|”line” costs 2l/2 bits.
Arthur Merlin
commit phase:S∊RField of size mp(S2)
evaluation phase:• Both compute path to
(x,y)• ∀ line on path:p|line and witness
w Arthur checks:
• small set: p|line∊Z using w.
• consistency of p|line.
deg 2l/2 polys
p(x,y)=?
p(x,y)=b
p(x1,..,xd/2;xd/
2+1,..,xd).
p|”line” has many
coefficients
Suppose p|”line”
could be sent more
efficiently:
p|”line” has small
(non-det) circuit
p|”line” has commit-and-
evaluate protocol
Arthur can verify that he gets a low-degree polynomial by
performing low-degree testing!
![Page 25: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/25.jpg)
truth table f:{0,1}l→{0,1}
field size q=102l/2
p(x,y)
deg. 2l/2 A
{0,1}m
extractor
rows and
columns Z
very small set
Locally computable extractors
Story so far: Use polynomials p with
many variables and pretend they are bivariate.
Assume that p|”line” can be sent efficiently. (Not yet justified).
Is the AM protocol efficient?
Arthur Merlin
commit phase:S∊RField of size mp(S2)
evaluation phase:• Both compute path to
(x,y)• ∀ line on path:p|line and witness
w Arthur checks:
• small set: p|line∊Z using w.
• consistency of p|line.
deg 2l/2 polys
p(x,y)=?
p(x,y)=b
v
v
vv
v
X
Requires running the extractor on p|line(t) for all qd inputs t to p|line.
Need locally
computable
extractors!
• Thm: [V] no locally computable extractors for low-entropy.• We know that inputs to extractors are low-degree polynomials!• Can use extractor construction [SU01] which is locally computable.
• Thm: [V] no locally computable extractors for low-entropy.• We know that inputs to extractors are low-degree polynomials!• Can use extractor construction [SU01] which is locally computable.
v
Efficient AM protocol!
![Page 26: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/26.jpg)
v
truth table f:{0,1}l→{0,1}
field size q=102l/2
p(x,y)
deg. 2l/2 A
{0,1}m
extractor
rows and
columns Z
very small set
Win-win analysis
Main ideas: Use polynomials p with many
variables and pretend they are bivariate.
Assume that p|”line” can be sent efficiently. (Not yet justified).
Use locally computable extractors (exist when inputs are low degree polynomials.
Arthur Merlin
commit phase:S∊RField of size mp(S2)
evaluation phase:• Both compute path to
(x,y)• ∀ line on path:p|line and witness
w Arthur checks:
• small set: p|line∊Z using w.
• consistency of p|line.
deg 2l/2 polys
p(x,y)=?
p(x,y)=b
v
v
vv
v
Efficient AM protocol!
????
Intuition: If p|”line” doesn’t have an efficient
commit-and-evaluate protocol then it’s better to use it as the hard function. (It is over less variables!)Recursive win-win analysis a-la [ISW99].
![Page 27: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/27.jpg)
The recursive HSGtruth table of f
…
each row and column
ALL rows and
columns
to extractor
(2l bits)
(2l/2 bits each )
![Page 28: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/28.jpg)
Recursive commit-and-evaluate AM protocol
truth table of f
…
• Arthur: random m x m box• Merlin: commits to top board• ! (input revealed)• Arthur/ Merlin: commit to each
line’s board• Arthur: random points for
checking lines• Merlin: commits to lines…
![Page 29: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/29.jpg)
Parameters
Start with 2l bit truth table < log l levels # “lines” ≈ 2O(l). v Efficiency of AM protocol:
poly(m) blow-up at each level ) poly(m)log l
running time convert O(log l) rounds to two rounds )
poly(m)(log l)2 time for final AM protocol
![Page 30: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/30.jpg)
Conclusions Key ideas:
commit-and-evaluate protocols as abstraction. operate implicitly on lines.
PCP tools: low-degree testing, self-correction. “local extractor” when know in advance it will
applied to low-degree polynomials. “Recursive win-win analysis” allows large objects to
have short descriptions. Open problems:
improve poly(m)(log l)2 to poly(m) (“optimal”). remove “feasibly generated inputs” from main
theorem. ⇒ Uncondtional proof that AM⊆Σ2 (TIME(2no(1))).
![Page 31: Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.](https://reader036.fdocuments.net/reader036/viewer/2022070406/5681415c550346895dad37f6/html5/thumbnails/31.jpg)
That’s it…