1 / 31

Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.

Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech. coin tosses. message. Arthur-Merlin Games [B,GMR].

wilbur
Télécharger la présentation

Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech

  2. coin tosses message Arthur-Merlin Games [B,GMR] • Interactive games in which the all-powerful prover Merlin attempts to prove some statement to a probabilistic poly-time verifier. “xL” Merlin Arthur toss coins I accept

  3. coin tosses message Arthur-Merlin Games [B,GMR] • Completeness: If the statement is true then Arthur accepts. • Soundness: If the statement is false then Pr[Arthur accepts]<½. “xL” Merlin Arthur toss coins I accept

  4. Arthur-Merlin Games [B,GMR] • Completeness: If the statement is true then Arthur accepts. • Soundness: If the statement is false then Pr[Arthur accepts]<½. • The class AM: All languages L which have an Arthur-Merlin protocol. • Contains many interesting problems not known to be in NP.

  5. Efficient deterministic simulation of prob. algs. BPP=P BPPSUBEXP=DTIME(2no(1)) Efficient nondeterministic simulation of prob. protocols AM=NP AMNSUBEXP=NTIME(2no(1)) Derandomization goals: • We don’t know how to separate BPP from NEXP. • Such a separation implies certain circuit lower bounds [IKW01,KI02].

  6. Hardness versus Randomness Initiated by [BM,Yao,Shamir,NW]. Assumption: hard functions exist. Conclusion: Derandomization. A lot of works: [BM82,Y82,HILL,NW88,BFNW93, I95,IW97,IW98,KvM99,STV99,ISW99,MV99, ISW00,SU01,U02,TV02,GST03,SU05,U05,…]

  7. A quick survey of (nonuniform) hardness/randomness tradeoffs Assumption: There exists a function in E=DTIME(2O(l)) which is hard for “small” (size s(l)) circuits.

  8. A quick survey of (uniform) hardness/randomness tradeoffs Assumption: There exists a function in E=DTIME(2O(l)) which is hard for “small” (time s(l)) algorithms/protocols. This paper* (*) The simulation only succeeds on “feasibly generated inputs”.

  9. Jargon: Just like [IW98] paper but for AM instead of BPP A low-end gap theorem for AM. • Informal statement: • Either AM protocols are very strong. • Or, AM protocols are somewhat weak. • Formal statement: • Either E=DTIME(2O(l)) has Arthur-Merlin protocols running in time 2(log l)3. • Or, for every LAM there is a nondeterministic machineM that runs in subexponential time and agrees with L on “feasibly generated inputs”. • No polynomial time machine can produce inputs on which M fails. Should have been poly(l)

  10. A uniform hardness vs. randomness tradeoff for AM • Informal statement: • Either AM protocols are very strong. • Or, AM protocols are somewhat weak. • Formal statement: For l<s(l)<2l. • Either E=DTIME(2O(l)) has Arthur-Merlin protocols running in time s(l). • Or, for every LAM there is a nondeterministic machineM that runs in time2O(l) and agrees with L on “feasibly generated inputs” of length n=s(l)1/(log(l)-loglog(s(l)))2. • No polynomial time machine can produce inputs on which M fails. Should have been Ω(1)

  11. Motivation: weak unconditional derandomization • We believe that AM=NP (= Σ1). • We only know that AM is in Σ3. • Goal: Unconditional proof that AMΣ2 (or even AMΣ2-TIME(2no(1)). • Conditional => Unconditional ?? • Approach [GST03]: • Either AM is weak: AM=NP⇒ AM⊆Σ2. • Or AM is very strong: AM=E⇒ ??? • ⇒ AM=coAMΣ2. • Missing step: remove “feasibly generated inputs”.

  12. A low-end gap theorem for AM∩coAM. • Informal statement: • Either AM∩coAM is very strong. • Or, AM∩coAM is somewhat weak. • Formal statement: • Either E=DTIME(2O(l)) has Arthur-Merlin protocols running in time 2(log l)3. • Or, for every LAM∩coAMthere is a nondeterministic machine M that runs in subexponential time and agrees with L on all inputs (not necessarily feasibly generated). Should have been poly(l)

  13. Plan for rest of talk • Explain the overall approach of getting uniform hardness vs. randomness tradeoffs for AM (which is in [GST03]). • This approach uses a “hitting-set generator” construction by [MV99] which only works in the high end. • Main technical contribution of this paper is improving the [MV99] construction so that it works in the low-end. • Improvement uses “PCP tools” which were not used previously in this framework.

  14. The high level approach (following [GST03])

  15. Use nonuniform tradeoffs for AM. Derandomization fails => hard function f has small nondeterministic circuits. Want to show that: => f has small AM protocol. Observation [GST03]: The [MV99] tradeoff has an AM protocol in which Arthur verifies that the circuit obtained is single-valued (defines a function). C is supposed to define a function: For every y, C is supposed to have witnesses showing C(y)=0 or C(y)=1but not both! (single valued circuit) The uniform tradeoff of [GST03]: resilient AM protocols f(y)=? f(y)=b Merlin Arthur nonuniform advice Constructs nondet. Circuit C that is supposed to compute f AM protocol verifying that C=f. (exists as f is complete for E) Suppose Arthur could verify that this is indeed the case. witness showing C(y)=b

  16. Use nonuniform tradeoffs for AM. Derandomization fails => hard function f has small nondeterministic circuits. Want to show that: => f has small AM protocol. Observation [GST03]: The [MV99] tradeoff has an AM protocol in which Arthur verifies that the circuit obtained is single-valued (defines a function). => AM protocol for f. Problem: The [MV99] generator only works in the “high end”. Our contribution: Modify [MV99] into a “low-end” generator. C is guaranteed to define a function: For every y, C is has witnesses showing C(y)=0 or C(y)=1 but not both! The uniform tradeoff of [GST03]: f(y)=? f(y)=b Merlin Arthur AM protocol in which Arthur receives a certified valid circuit C C is supposed to compute f AM protocol verifying that C=f. (exists as f is complete for E) witness showing C(y)=b

  17. Commit-and-evaluate AM protocols for function f(y). Properties: Input y can be revealed to Merlin after commit phase. Conformity: Honest Merlin can make Arthur output f(y). Resiliency: Following commit phase Merlin is (w.h.p) committed to some function g(y) (may differ from f). Thm: If E has such AM protocols then E has standardAM protocols. Abstraction: commit-and-evaluate AM protocols and resiliency. Merlin Arthur Commit phase: AM protocol generating “advice string”. f(y)=? f(y)=b Evaluation phase: AM protocol that uses advice string and outputs a value v(y).

  18. Following [GST03]: In the case of AM∩coAM we can trust Merlin to send a “good”x. No problem if we only care about inputs that can be “feasibly generated” by some efficient TM. Nondet machine M(x) (supposed to accept LAM) Use function f to construct small “hitting set” of “pseudorandom strings”. Run AM protocol on input x (using pseudorandom strings as random coins) and accept if all runs accept. Proof of correctness by reduction Suppose M fails on an input x. Construct an efficient commit-and-evaluate AM protocol that uses x and conforms resiliently with f. => f has a standard efficient AM protocol. This is where uniformity comes in: Protocols rather than circuits. The big picture: How to derandomize an AM protocol How can Arthur obtain x? From his point of view x is a nonuniformadvice string. Where do “feasibly generated inputs” come in?

  19. Improving Miltersen-Vinodchandran hitting set generator (How to derandomize an AM language)

  20. The MV hitting set generator {0,1}m deg 2l/2 polys truth table f:{0,1}l→{0,1} • Nondet. Machine M(x): derandomizes AM protocol with m coins • For every output string guess a response for Merlin and accept if Arthur accepts all of them. • x∊L ⇒ Merlin can answer any string ⇒ M accepts (no error). • x∉L ⇒ Merlin can answer ½ strings ⇒ M may err. Z p(x,y) deg. 2l/2 rows and columns A Hitting set small set (≈2m) extractor field size q=102l/2

  21. {0,1}m truth table f:{0,1}l→{0,1} Z p(x,y) deg. 2l/2 rows and columns A very small set extractor field size q=102l/2 A commit-and-evaluate AM protocol for p.

  22. {0,1}m truth table f:{0,1}l→{0,1} Z p(x,y) deg. 2l/2 rows and columns A small set (≈2m) extractor field size q=102l/2 A commit-and-evaluate AM protocol for p. p(x,y)=b p(x,y)=? deg 2l/2 polys Merlin Arthur • Conformity: v • Resiliency: v (RS code). • w.h.p. over S∀univariate poly g∊Z, g(S) is unique. • Efficiency: (on high end m=2Ω(l)). • Protocol runs in time poly(m). • Protocol requires passing polynomials of degree 2l/2. commit phase: S∊RField of size m p(S2) evaluation phase: • Both compute path to (x,y) • ∀ line on path: p|line andwitness w • Arthur checks: • small set: p|line∊Z using w. • consistency of p|line.

  23. S2→Sd|Sd|=2Ω(l) no gain! {0,1}m truth table f:{0,1}l→{0,1} Z p(x,y) deg. 2l/2 rows and columns A very small set extractor field size q=102l/2 A commit-and-evaluate AM protocol for p. deg 2l/2 polys For low end (say m=lO(1)) we need to reduce degree Merlin Arthur • Conformity: v • Resiliency: v (RS code). • w.h.p. over S∀univariate poly g∊Z, g(S) is unique. • Efficiency: (on high end m=2Ω(l)). • Protocol runs in time poly(m). • Protocol requires passing polynomials of degree 2l/2. Can get deg=2l/dusing p(x1,..,xd) with d variables. commit phase: S∊RField of size m p(S2) p(x,y)=b p(x,y)=? evaluation phase: • Both compute path to (x,y) • ∀ line on path: p|line andwitness w • Arthur checks: • small set: p|line∊Z using w. • consistency of p|line.

  24. Arthur can verify that he gets a low-degree polynomial by performing low-degree testing! {0,1}m truth table f:{0,1}l→{0,1} Z p(x,y) deg. 2l/2 rows and columns A very small set extractor field size q=102l/2 p|”line” has many coefficients The best of both worlds deg 2l/2 polys Merlin Arthur • Best of both worlds: • Use p(x1,..,xd) deg 2l/d. • Run MV as ifp=p(x,y). • Resiliency: v (RM code). • Size of box=|S|2 ≈ m2. doesn’t depend on d! • Sending p|”line” costs 2l/2 bits. commit phase: S∊RField of size m p(S2) p(x1,..,xd/2;xd/2+1,..,xd). p(x,y)=b p(x,y)=? evaluation phase: • p|”line” has small (non-det) circuit • p|”line” has commit-and-evaluate protocol • Suppose p|”line” could be sent more efficiently: • Both compute path to (x,y) • ∀ line on path: p|line andwitness w • Arthur checks: • small set: p|line∊Z using w. • consistency of p|line.

  25. Need locally computable extractors! Requires running the extractor on p|line(t) for all qd inputs t to p|line. {0,1}m truth table f:{0,1}l→{0,1} Z p(x,y) deg. 2l/2 rows and columns A very small set extractor field size q=102l/2 Locally computable extractors deg 2l/2 polys Merlin Arthur Story so far: • Use polynomials p with many variables and pretend they are bivariate. • Assume that p|”line”can be sent efficiently. (Not yet justified). • Is the AM protocol efficient? commit phase: v S∊RField of size m v p(S2) Efficient AM protocol! p(x,y)=b p(x,y)=? evaluation phase: • Thm: [V] no locally computable extractors for low-entropy. • We know that inputs to extractors are low-degree polynomials! • Can use extractor construction [SU01] which is locally computable. • Both compute path to (x,y) v • ∀ line on path: v p|line andwitness w • Arthur checks: • small set: p|line∊Z using w. • consistency of p|line. X v v

  26. {0,1}m truth table f:{0,1}l→{0,1} Z p(x,y) deg. 2l/2 rows and columns A very small set extractor field size q=102l/2 Intuition: If p|”line” doesn’t have an efficient commit-and-evaluate protocol then it’s better to use it as the hard function. (It is over less variables!) Recursive win-win analysis a-la [ISW99]. Win-win analysis deg 2l/2 polys Merlin Arthur Main ideas: • Use polynomials p with many variables and pretend they are bivariate. • Assume that p|”line”can be sent efficiently. (Not yet justified). • Use locally computable extractors (exist when inputs are low degree polynomials. commit phase: v S∊RField of size m v p(S2) Efficient AM protocol! p(x,y)=b p(x,y)=? evaluation phase: • Both compute path to (x,y) ???? v • ∀ line on path: v p|line andwitness w • Arthur checks: • small set: p|line∊Z using w. • consistency of p|line. v v

  27. The recursive HSG truth table of f (2l bits) ALL rows and columns to extractor each row and column (2l/2 bits each ) …

  28. Recursive commit-and-evaluate AM protocol truth table of f • Arthur: random m x m box • Merlin: commits to top board • ! (input revealed) • Arthur/ Merlin: commit to each line’s board • Arthur: random points for checking lines • Merlin: commits to lines… …

  29. Parameters • Start with 2l bit truth table • <log l levels • # “lines”≈ 2O(l).v • Efficiency of AM protocol: • poly(m) blow-up at each level )poly(m)logl running time • convert O(log l) rounds to two rounds )poly(m)(log l)2 time for final AM protocol

  30. Conclusions • Key ideas: • commit-and-evaluate protocols as abstraction. • operate implicitly on lines. • PCP tools: low-degree testing, self-correction. • “local extractor” when know in advance it will applied to low-degree polynomials. • “Recursive win-win analysis” allows large objects to have short descriptions. • Open problems: • improve poly(m)(log l)2 to poly(m)(“optimal”). • remove “feasibly generated inputs” from main theorem. • ⇒ Uncondtional proof that AM⊆Σ2(TIME(2no(1))).

  31. That’s it…

More Related