1 / 43

Zero Knowledge and Circuit Minimization

Zero Knowledge and Circuit Minimization. Joint work with Bireswar Das (IIT Gandinagar, DIMACS). MFCS, Budapest, August 26, 2014. The Cook-Levin Theorem. SAT is NP-Complete. Arguably the most important theorem in theoretical computer science. …but what were they thinking?.

tiger-nolan
Télécharger la présentation

Zero Knowledge and Circuit Minimization

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Zero Knowledge and Circuit Minimization Joint work with Bireswar Das (IIT Gandinagar, DIMACS) MFCS, Budapest, August 26, 2014

  2. The Cook-Levin Theorem SAT is NP-Complete Arguably the most important theorem in theoretical computer science. • …but what were they thinking?

  3. What they were thinking: The STOC deadline is nearly here…

  4. What they were thinking: Looks like I wont be able to prove a Graph Isomorphism result in time… So I’ll just submit this.

  5. What they were thinking: I refuse to publish a partial result! I need to be able to say something about the Minimum Circuit Size Problem…

  6. What they were thinking: …and Graph Isomorphism too! [Pemmaraju, Skiena]

  7. What they were thinking: …and Graph Isomorphism too! Leonid, Publish it!

  8. What they were thinking: OK…But only the 2-page version!

  9. NP-Intermediate Problems • Thus, as long as there has been a theory of NP-completeness, there have been two prominent candidates for “NP-Intermediate” status: in NP, but neither complete nor in P: • Graph Isomorphism (GI) • The Minimum Circuit Size Problem (MCSP) • After 4 decades, they still cling to this status. • …but is there any relationship between these problems?

  10. Graph Isomorphism • GI = {(G,H) : the vertices of G can be permuted, to yield H}

  11. MCSP • MCSP = {(x,i) : x is the truth table of a function with a circuit of size at most i}. • Why was Levin so interested in MCSP? • In the USSR in the 70’s (and before) there was great interest in problems requiring “perebor”, or “brute-force search”. For various reasons, MCSP was a focal point of this interest.

  12. MCSP • MCSP = {(x,i) : x is the truth table of a function with a circuit of size at most i}. • Why was Levin so interested in MCSP? • Yablonski [1959] proved a result that – to him and his students – meant “MCSP requires perebor”. (This would imply P < NP.) By the late 1960’s Yablonski “attained influential positions [dealing with] coordination and control of math…a time of rapid degradation of the moral climate within the Soviet math community” [Trakhtenbrot].

  13. GI and MCSP • This historical digression has established: • The questions of the complexity of GI and MCSP are as old as the theory of computational complexity (or perhaps even older). • No relationship between the complexity of these problems had been established. • Let’s take care of that right now.

  14. Today’s Goal • Theorem 1: GI reduces to MCSP. More precisely: GI є RPMCSP. • Theorem 2: More generally: Every problem with a Statistical Zero Knowledge Proof reduces to MCSP. That is: SZK is contained in BPPMCSP. • We’ll follow a well-established path: All reductions to MCSP seem to make use of pseudorandom generators. [Kabanets, Cai] [A,Buhrman,Koucky,van Melkebeek, Ronneburger]

  15. Pseudorandom Generators G seed PseudoRandom bits b1,b2,… For any efficient “test” T, Prob[T accepts a random string of length n] ≈ Prob[T accepts a pseudorandom string of length n]

  16. Pseudorandom Generators Gf seed PseudoRandom bits b1,b2,… [HILL]: Given a cryptographically- secure one-way function f, we can build a secure pseudorandom generator Gf.

  17. Pseudorandom Generators Gf seed PseudoRandom bits b1,b2,… [HILL]: If Gf is not secure, then f is easy to invert.

  18. Pseudorandom Generators Gf seed PseudoRandom bits b1,b2,… [HILL]: If T is a test that accepts half of the strings of length n, but accepts none of the strings output by Gf, then there is a probabilistic poly-time N such that Probx[f(NT(f(x))) = f(x)] > 1/poly.

  19. Pseudorandom Generators Gfi seed PseudoRandom bits b1,b2,… [HILL]: If T is a test that accepts half of the strings of length n, but accepts none of the strings output by Gfi, then there is a probabilistic poly-time N such that Probx[fi(NT(i,fi(x))) = x] > 1/poly.

  20. Pseudorandom Generators Gfi seed PseudoRandom bits b1,b2,… The output of Gfi has small time-bounded K-complexity.

  21. Pseudorandom Generators Gfi seed PseudoRandom bits b1,b2,… The output of Gfi has small time-bounded K-complexity. KT(x) ≈ Circuit.size(x).

  22. Pseudorandom Generators Gfi seed PseudoRandom bits b1,b2,… The output of Gfi has small time-bounded K-complexity. KT(x) ≈ Circuit.size(x). Most x require very large circuits.

  23. Pseudorandom Generators Gfi seed PseudoRandom bits b1,b2,… The output of Gfi has small time-bounded K-complexity. KT(x) ≈ Circuit.size(x). Most x require very large circuits. MCSP gives us a great test T to distinguish random and pseudorandom strings.

  24. Pseudorandom Generators Gfi seed PseudoRandom bits b1,b2,… Specifically, the set T = {x | Circuit.Size(x) >√|x|} is computable relative to MCSP and breaks all pseudorandom generators.

  25. Pseudorandom Generators Gfi seed PseudoRandom bits b1,b2,… Specifically, the set T = {x | Circuit.Size(x) >√|x|} is computable relative to MCSP and breaks all pseudorandom generators. Thus Probx[fi(NMCSP(i,fi(x))) = f(x)] > 1/poly.

  26. Pseudorandom Generators Gfi seed PseudoRandom bits b1,b2,… This idea was used before, to show: Factoring is in ZPPMCSP Discrete Log is in BPPMCSP Closest Vector Problem is in BPPMCSP We suspect that these are crypto-secure.

  27. Reducing GI to MCSP • The main idea of the reduction is to follow this same approach, using a function that has never seemed like a good candidate for a one-way function.

  28. Our Indexed Family of Functions • Given graph H and permutation π, let fH(π) = π(H). • To find out if G and H are isomorphic: • Pick a random permutation π. • Run NMCSP(H, π(G)) and obtain output β. • Accept if π(G) = β(H). • If G and H are isomorphic, this accepts with probability 1/poly(n). • QED!

  29. Zero Knowledge • The Graph Isomorphism problem was one of the first few problems known to have a Zero Knowledge Interactive Proof.

  30. Zero Knowledge • The Graph Isomorphism problem was one of the first few problems known to have a Zero Knowledge Interactive Proof. coNP NP MCSP GI SZK

  31. Some facts about SZK • SZK is contained in NP/poly ∩ coNP/poly. • There are complete problems for SZK. • …but in order to introduce these complete problems, we need to talk about “promise problems”.

  32. Promise Problems No Yes Ordinary decision problems.

  33. Promise Problems No Yes Ordinary decision problems. Yes Don’t Care No Promise Problems.

  34. Statistical Difference • The “standard” complete promise problem for SZK is Statistical Difference (SD). • The inputs to SD are pairs of circuits (C,D); we view the circuits as representing probability distributions, where ProbC(y) is the probability, over x chosen uniformly at random, that C(x)=y. • The Yes Instances of SD are (C,D) such that these probability distributions are quite close. • The No Instances of SD are (C,D) where the distributions are far apart.

  35. Image Intersection Density • We will actually use a restricted version of SD, called Image Intersection Density (IID). The Yes instances look the same as in SD. • The No instances are pairs (C,D) such that, with probability exponentially close to 1 (over randomly chosen x) C(x) is not in the image of D. • IID was shown by [Ben-Or, Gutfreund] to be complete for a subclass of SZK, which was subsequently shown to coincide with SZK [Chailloux, Ciodan, Kerenidis, Vadhan].

  36. Reducing SZK to MCSP • For any circuit C, let FC(x) = C(x). These are the “one-way functions” that we’ll try to invert, with MCSP as an oracle. • Given a pair (C,D), repeat the following K times: • Pick x at random, and compute y=C(x). • Run NMCSP(D,y) and obtain output z. • Accept if D(z) = y. • On Yes instances, we expect K/poly acceptances,

  37. Reducing SZK to MCSP • For any circuit C, let FC(x) = C(x). These are the “one-way functions” that we’ll try to invert, with MCSP as an oracle. • Given a pair (C,D), repeat the following K times: • Pick x at random, and compute y=C(x). • Run NMCSP(D,y) and obtain output z. • Accept if D(z) = y. • On Yes instances, we expect K/poly acceptances, on No instances we expect K/2n.

  38. Reducing SZK to MCSP • For any circuit C, let FC(x) = C(x). These are the “one-way functions” that we’ll try to invert, with MCSP as an oracle. • Given a pair (C,D), repeat the following K times: • Pick x at random, and compute y=C(x). • Run NMCSP(D,y) and obtain output z. • Accept if D(z) = y. • On Yes instances, we expect K/poly acceptances, on No instances we expect K/2n. QED

  39. How hard is MCSP?

  40. How hard is MCSP? • [Kabanets, Cai] showed that if MCSP were NP-complete under “natural” ≤m reductions, then BPP=P. • This is not evidence against being NP-complete, but it is evidence that it might be hard to prove. • Vinodchandran considered SNCMP (like MCSP but for “strong nondeterministic circuits”); it will be a breakthrough if GI reduces to SNCMP under “natural” reductions. • …but our argument provides an RP-reduction!

  41. Open Questions • Is GI in ZPPMCSP? • …or in PMCSP? • …or is MCSP NP-hard, perhaps under P/poly reductions? • Note in this regard, that the “Minimum QBF Circuit Size Problem” is complete for PSPACE under P/poly reductions, and analogous results hold for other classes.

  42. Open Questions • Or is there a promise problem related to MCSP that is complete for SZK? • Consider the promise problem that has: • Yes instances: {x | Circuit.Size(x) >√|x|} • No instances: {x | Circuit.Size(x) <|x|1/4} • Can this problem be in SZK? Or in some other “nearby” class?

  43. Thank you!

More Related