Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.


Arthur-Merlin Games [BM]
Interactive games in which the all-powerful prover Merlin attempts to prove some statement to a probabilistic poly-time verifier.
(Diagram labels: Merlin, Arthur, “x ∈ L”, toss coins, message, I accept.)

Arthur-Merlin Games [BM]
Completeness: If the statement is true then Arthur accepts.
Soundness: If the statement is false then Pr[Arthur accepts] < ½.

Arthur-Merlin Games [BM]
Completeness: If the statement is true then Arthur accepts.
Soundness: If the statement is false then Pr[Arthur accepts] < ½.
The class AM: All languages L which have an Arthur-Merlin protocol. Contains many interesting problems not known to be in NP.

Example: Co-isomorphism of Graphs
L = {(G_1,G_2) : the labeled graphs G_1, G_2 are not isomorphic}. L is in coNP and is not known to be in NP.
Protocol, on input (G_1,G_2) ∈ L:
Arthur: randomly chooses b ∈ {1,2} and sends a random permutation of G_b.
Merlin: decides which of the two graphs was permuted and replies “The graph G_c was permuted”.
Arthur: verifies that c=b.
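A simulation of the graph non-isomorphism protocol on this slide, as an added example that is not part of the original presentation. The function names, the brute-force Merlin and the three 4-vertex sample graphs are constructed for illustration.

```python
import itertools
import random


def relabel(edges, perm):
    """Apply a vertex permutation to an undirected edge list."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in edges)


def isomorphic(n, g, h):
    """Brute-force isomorphism test over all n! relabelings.
    Stands in for Merlin's unbounded computing power."""
    target = relabel(h, range(n))
    return any(relabel(g, p) == target
               for p in itertools.permutations(range(n)))


def merlin(n, g1, g2, h):
    """Merlin names the graph c that h is a permuted copy of.
    If G_1 and G_2 are isomorphic, h matches both and reveals nothing
    about b, so every strategy is right with probability exactly 1/2."""
    return 1 if isomorphic(n, g1, h) else 2


def arthur_round(n, g1, g2, rng):
    """One round: Arthur picks b, sends a random permutation of G_b,
    and accepts iff Merlin's answer c equals b."""
    b = rng.choice((1, 2))
    perm = list(range(n))
    rng.shuffle(perm)
    h = relabel(g1 if b == 1 else g2, perm)
    return merlin(n, g1, g2, h) == b


def protocol(n, g1, g2, rounds, rng):
    """Arthur accepts only if Merlin is right in every round."""
    return all(arthur_round(n, g1, g2, rng) for _ in range(rounds))


def acceptance_rate(n, g1, g2, rounds, trials=2000, seed=1):
    """Empirical Pr[Arthur accepts] over independent protocol runs."""
    rng = random.Random(seed)
    hits = sum(protocol(n, g1, g2, rounds, rng) for _ in range(trials))
    return hits / trials


# Constructed sample graphs on 4 vertices.
PATH = [(0, 1), (1, 2), (2, 3)]            # path 0-1-2-3
STAR = [(0, 1), (0, 2), (0, 3)]            # star centred at 0, not a path
PATH_RELABELED = [(2, 0), (0, 3), (3, 1)]  # path 2-0-3-1, isomorphic to PATH

if __name__ == "__main__":
    print("non-isomorphic, 1 round :", acceptance_rate(4, PATH, STAR, 1))
    print("isomorphic,     1 round :", acceptance_rate(4, PATH, PATH_RELABELED, 1))
    print("isomorphic,     3 rounds:", acceptance_rate(4, PATH, PATH_RELABELED, 3))
```

A single round leaves a cheating Merlin with success probability 1/2; independent repetition, as in the 3-round run, drives the acceptance probability on isomorphic pairs down to 2^-k.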

The big question: Does AM=NP? In other words: Can every Arthur-Merlin protocol be replaced with one in which Arthur is deterministic? Note that such a protocol is an NP proof.

Derandomization: a brief overview
A paradigm that attempts to transform:
Probabilistic algorithms => deterministic algorithms. (P ⊆ BPP ⊆ EXP ⊆ NEXP).
Probabilistic protocols => deterministic protocols. (NP ⊆ AM ⊆ EXP ⊆ NEXP).
We don’t know how to separate BPP and NEXP.
Can derandomize BPP and AM under natural complexity theoretic assumptions.

Hardness versus Randomness
Initiated by [BM,Yao,Shamir].
Assumption: hard functions exist.
Conclusion: Derandomization.
A lot of works: [BM82,Y82,HILL,NW88,BFNW93,I95,IW97,IW98,KvM99,STV99,ISW99,MV99,ISW00,SU01,U02,TV02]

A quick survey
Assumption: There exists a function in DTIME(2^O(n)) which is hard for “small” circuits.
Class | BPP | AM
A hard function for: | Deterministic circuits | Nondeterministic circuits
High-end | BPP=P | AM=NP
Low-end | BPP ⊆ SUBEXP | AM ⊆ NSUBEXP

Hardness versus Randomness
Assumption: hard functions exist.
Conclusion: Derandomization.

Hardness versus Randomness
Assumption: hard functions exist.
Exists pseudo-random generator.
Conclusion: Derandomization.

Pseudo-random generators
A pseudo-random generator (PRG) is an algorithm that stretches a short string of truly random bits into a long string of pseudo-random bits.
(Diagram: seed → PRG → pseudo-random bits.)
Pseudo-random bits are indistinguishable from truly random bits for feasible algorithms.
For derandomizing AM: Feasible algorithms = nondeterministic circuits.

Pseudo-random generators for nondeterministic circuits
Nondeterministic circuits can identify pseudo-random strings.
Given a long string, guess a short seed and check that PRG(seed)=long string.
Can distinguish between random strings and pseudo-random strings.
Assuming the circuit can run the PRG!!
The Nisan-Wigderson setup: The circuit cannot run the PRG!!
For example: The PRG runs in time n^5 and fools (nondeterministic) circuits of size n^3.
Sufficient for derandomization!!

The Nisan-Wigderson setting
We’re given a function f which is:
Hard for small circuits.
Computable by uniform machines with “slightly” larger time.
Basic idea: G(x)=x,f(x). “f(x) looks random to a small circuit that sees x”.
Warning: no composition theorems.
Correctness proof of the PRG can’t use its efficiency.
The PRG runs in time “slightly” larger than the size of the circuit.


PRG’s for nondeterministic circuits derandomize AM
We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.
(Diagram labels: Merlin, Arthur, “x ∈ L”, random message, message, I accept, hardwire input.)

PRG’s for nondeterministic circuits derandomize AM
We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.
(Diagram labels: Merlin, Arthur, “x ∈ L”, random input, nondeterministic guess, I accept, hardwire input.)

PRG’s for nondeterministic circuits derandomize AM
We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.
We can use pseudo-random bits instead of truly random bits.
(Diagram labels: Merlin, Arthur, “x ∈ L”, pseudo-random input, nondeterministic guess, I accept, hardwire input.)

PRG’s for nondeterministic circuits derandomize AM
We have an AM protocol in which Arthur acts deterministically. (Arthur sends all pseudo-random strings and Merlin replies on each one.)
Deterministic protocol => NP proof.
(Diagram labels: Merlin, Arthur, “x ∈ L”, pseudo-random input, nondeterministic guess, I accept.)


Uniform Hardness versus Randomness
The conclusions in the results above involve only uniform classes (BPP, AM, P, NP).
The assumptions involve nonuniform classes.
All the results above assume hardness for circuits (nonuniform machines).
Can we get derandomization from uniform assumptions?
Follow from uniform assumptions such as EXP≠PH [KL79].
A stronger notion of uniformity was considered in [IW98,TV02].

A closer look at nonuniform tradeoffs for BPP [BFNW93]
Assumption: Hard function for circuits. EXP≠P/poly.
Conclusion: Derandomization of probabilistic algorithms. BPP ⊆ SUBEXP.

Impagliazzo-Wigderson 98: A uniform tradeoff for BPP
Assumption: Hard function for probabilistic algorithms. EXP≠BPP.
Conclusion: Derandomization of probabilistic algorithms. BPP ⊆* SUBEXP.
(* Pseudo-containment.)

Impagliazzo-Wigderson 98: A uniform tradeoff for BPP
Assumption: Hard function for probabilistic algorithms.
Conclusion: Derandomization* of probabilistic algorithms.
Either the assumption isn’t true: probabilistic algorithms are very strong.
Or the assumption is true: Derandomization* of probabilistic algorithms.

Our result: A uniform tradeoff for AM
Assumption: Hard function for Arthur-Merlin protocols.
Conclusion: Derandomization* of Arthur-Merlin protocols.
Either the assumption isn’t true: Arthur-Merlin protocols are very strong.
Or the assumption is true: Derandomization* of Arthur-Merlin protocols.
[IW98]: low-end. (Weak assumption and conclusion).
Our result: high-end. (Strong assumption and conclusion).

Motivation: weak unconditional derandomization
We believe that AM=NP (= Σ_1). We only know that AM is in Σ_3.
Goal: Unconditional proof that AM ⊆ Σ_2 (or even AM ⊆ Σ_2-SUBEXP).
Conditional => Unconditional ??
Basic idea: AM is either weak or very strong.
If AM can be derandomized (AM=NP) then AM ⊆ Σ_2.
If AM is very strong (AM=EXP) then AM ⊆ Σ_2.
Main problem: replace ‘⊆*’ with ‘⊆’.

Pseudo-containments [Kab99]: ⊆*
Intuitively, containment only on feasibly generated inputs.
L =* L’ if it is infeasible to generate counterexamples to the statement L=L’.
No feasible algorithm R can output inputs which are in one language but not in the other (for a specified input length).
C ⊆* D if for every L in C there exists L’ in D such that L =* L’.
Formally, =* and ⊆* are relative to some complexity class of feasible R’s.

Formal statement of our result
If E=DTIME(2^O(n)) is not in AMTIME(2^(an)) for some constant a>0, then:
AM ⊆* NP.
AM ∩ coAM = NP ∩ coNP.
The class AM ∩ coAM contains: co-isomorphism of graphs. SZK (Statistical Zero Knowledge).

The proof

We want to show that
Hard function for AM (EXP≠AM) => Derandomization of AM.
No derandomization of AM => No hard function for AM (EXP=AM).

Basic idea: Use nonuniform tradeoff
(Diagram boxes: No derandomization of AM; No hard function for nondeterministic circuits (EXP ⊆ NP/poly); No hard function for AM (EXP=AM). Diagram labels: Nonuniform tradeoff [MV99,SU01]; Goal; Want to prove.)
Can’t prove it in general. Can prove it for the circuits constructed in phase 1.

Attempt: Prove that EXP ⊆ NP/poly => EXP ⊆ AM
Let f be an EXP complete function. f has a small nondeterministic circuit C.
Merlin sends: “f(x)=b” and the circuit C.
Arthur: verifies that C(x)=b.
Problems:
1. Arthur cannot “run” C. It is a nondeterministic circuit.
2. How can Arthur be sure that C(x)=f(x)?

Thm: [BFL91] EXP ⊆ P/poly => EXP ⊆ AM
Let f be an EXP complete function. f has a small deterministic circuit C.
Merlin sends: “f(x)=b” and the circuit C.
Arthur: verifies that C(x)=b.
Instance Checker [BK95]: A probabilistic poly-time T which gets oracle access to a function g.
g=f => Pr[T^g(x)=f(x)]=1.
g≠f => Pr[T^g(x)=fail] > ½.

Thm: [BFL91] EXP ⊆ P/poly => EXP ⊆ AM
Let f be an EXP complete function. f has a small deterministic circuit C.
Merlin sends: “f(x)=b” and the circuit C.
Arthur: verifies that C(x)=b by running T^C(x).
Instance Checker [BK95]: A probabilistic poly-time T which gets oracle access to a function g.
g=f => Pr[T^g(x)=f(x)]=1.
g≠f => Pr[T^g(x) ∈ {fail,f(x)}] > ½.
By sending C, Merlin commits to some function g!

Nondeterministic Circuits
A nondeterministic circuit for f is a deterministic circuit C(x,y) such that:
f(x)=1 => exists y, C(x,y)=1.
f(x)=0 => for all y, C(x,y)=0.
Arthur cannot use C to evaluate f.
Merlin can help Arthur to evaluate f:
Arthur sends an input x.
If f(x)=1, Merlin can send y s.t. C(x,y)=1.
If f(x)=0 ??

Pairs of Nondeterministic Circuits
By our assumption EXP ⊆ NP/poly.
f ∈ EXP => f has a nondeterministic circuit. => neg(f) has a nondeterministic circuit!
Arthur can ask Merlin to send both circuits C,C’ for f,neg(f).
If f(x)=1, Merlin sends y s.t. C(x,y)=1.
If f(x)=0, Merlin sends y s.t. C’(x,y)=1.
There are appropriate witnesses for both cases.

Attempt 2: Prove that EXP in NP/poly => EXP in AM
Let f be an EXP complete function. f and neg(f) have small nondeterministic circuits C,C’.
Merlin sends: “f(x)=b” and the circuits C,C’.
Arthur: computes queries x_1,..,x_t for the instance checker. “I want to evaluate f at x_1,..,x_t.”
Merlin sends: appropriate witnesses for x_1,..,x_t.
Arthur: verifies that f(x)=b using the instance checker.
Is it true that by sending C,C’ Merlin commits himself to some function g?

Single Valued pairs of Nondeterministic Circuits
If Merlin sends C,C’ which accept all inputs, he is not at all committed: For every x he can “open” x as both 0 and 1.
A pair (C,C’) defines a function g only if L(C’)=L(C)^c. Such a pair is called “single valued”.
Can Arthur verify that C,C’ is a single valued pair?
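The single-valuedness condition above, checked by brute force on toy circuits, as an added example that is not part of the original presentation. The circuits are modelled as Python predicates C(x,y); the sample function ("x contains two adjacent ones") and all names are constructed for illustration.

```python
from itertools import product


def bits(k):
    """All bit strings of length k, as tuples."""
    return list(product((0, 1), repeat=k))


def language(C, n, m):
    """L(C): inputs x in {0,1}^n accepted by C for some witness y in {0,1}^m."""
    return {x for x in bits(n) if any(C(x, y) for y in bits(m))}


def is_single_valued(C, Cneg, n, m):
    """True iff L(C') is exactly the complement of L(C).
    This enumeration is exponential in n and m; Arthur cannot run it,
    which is why the slides need circuits that come with a certificate."""
    return language(Cneg, n, m) == set(bits(n)) - language(C, n, m)


def openings(C, Cneg, x, m):
    """Values b for which Merlin has some witness on input x."""
    vals = set()
    for y in bits(m):
        if C(x, y):
            vals.add(1)
        if Cneg(x, y):
            vals.add(0)
    return vals


# Honest pair for f(x) = 1 iff the 4-bit input x has two adjacent ones.
def adjacent_ones(x, y):
    """C: the 2-bit witness y encodes an index i with x[i] = x[i+1] = 1."""
    i = 2 * y[0] + y[1]
    return i < 3 and x[i] == 1 and x[i + 1] == 1


def no_adjacent_ones(x, y):
    """C': accepts iff no adjacent pair of ones exists (witness unused)."""
    return all(not (x[i] and x[i + 1]) for i in range(3))


# Cheating pair from the slide: both circuits accept everything.
def accept_all(x, y):
    return True


if __name__ == "__main__":
    x = (1, 1, 0, 0)
    print(is_single_valued(adjacent_ones, no_adjacent_ones, 4, 2),
          openings(adjacent_ones, no_adjacent_ones, x, 2))
    print(is_single_valued(accept_all, accept_all, 4, 2),
          openings(accept_all, accept_all, x, 2))
```

With the honest pair every input has exactly one opening, so sending the pair fixes a function g; with the accept-all pair every input opens as both 0 and 1.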

The big picture
(Diagram boxes: No derandomization of AM; Nondeterministic circuits for EXP (EXP ⊆ NP/poly); No hard function for AM (EXP=AM). Diagram labels: Nonuniform tradeoff [MV99,SU01]; Goal; Want to prove.)
Can’t prove it in general. Can prove it for the circuits constructed in phase 1.

The argument
(Diagram boxes: No derandomization of AM; EXP is computable by pairs of nondeterministic circuits which can be certified (probabilistically) as single valued; No hard function for AM (EXP=AM). Diagram labels: Nonuniform hardness vs. randomness tradeoff with a resilient reconstruction; The protocol I just showed; Goal.)

The final protocol: Using certified circuits
Let f be an EXP complete function. f and neg(f) have small nondeterministic circuits C,C’.
Merlin sends: “f(x)=b” and the certified circuits C,C’.
Arthur: computes queries x_1,..,x_t for the instance checker. “I want to evaluate f at x_1,..,x_t.”
Merlin sends: appropriate witnesses for x_1,..,x_t.
Arthur: verifies that f(x)=b using the instance checker.
As C,C’ are certified, Merlin commits himself to some function g!

Resilient reconstruction algorithms
(Diagram boxes: No derandomization of AM; EXP is computable by pairs of nondeterministic single-valued circuits. Diagram label: Nonuniform tradeoff [MV99,SU01].)
The proofs give efficient (prob) “reconstruction algorithms” R(x,a): If the derandomization fails on x, then there exists an a such that R(x,a) outputs a single-valued pair C,C’ for f.
What does R do when x and a are incorrect?
We cannot expect R to output circuits for f.
We can hope that R outputs a single-valued pair for some function g!
We call such an R resilient.

Resilient reconstruction gives certified pairs
When Merlin sends the circuits C,C’ he will also send x and a.
Arthur verifies that R(x,a)=(C,C’).
This guarantees that (C,C’) is a single-valued pair of nondeterministic circuits.
Open problem: Does there exist a resilient reconstruction algorithm?
We show that the reconstruction algorithm of [MV99] is “somewhat resilient”.
It is resilient to errors in a, but vulnerable to errors in x. (This is why we get ⊆*).

Partial resiliency
We show: the (probabilistic) reconstruction algorithm of [MV99] is resilient to errors in a.
If the derandomization fails on x then for every a w.h.p. R(x,a) outputs a single-valued pair C,C’ for some function g.
We only get ‘⊆*’ containments because of this weak resiliency.
We cannot trust Merlin to send x, so when the derandomization fails we need a feasible way to come up with x’s on which it failed.

Stronger partial resiliency
Actually, we can handle some errors in x.
Previous slide: If the derandomization of the AM language L fails on x then resiliency …
Stronger resiliency: If x is not in L then resiliency …
We can trust Merlin to send x if he can give an AM proof that x  L.
We can trust Merlin when L is in AM intersect coAM.
No ‘⊆*’ for AM intersect coAM.

Conclusions
Main result: Either Arthur-Merlin protocols are very strong. Or Arthur-Merlin protocols can be derandomized on feasibly generated inputs.
The technique:
Uses nonuniform hardness vs. randomness.
Resilient reconstruction algorithms.
Enables using a modified [BFL] protocol.

Open problems: 1. A low-end result
We show that the [MV99] generator has a (partially) resilient reconstruction algorithm.
The [MV99] result only works for the high-end.
A low-end result by [SU01] which is not even partially resilient!
Open problem: Prove a low-end version of our result.

Open problems: Remove pseudo-containments
We show that the [MV99] generator has a partially resilient reconstruction algorithm.
Construct a generator with a fully resilient reconstruction algorithm.
This will remove the ⊆* (pseudo-containment).
Solving both open problems will give an unconditional proof that AM ⊆ Σ_2-SUBEXP!

That’s it …