Presentation is loading. Please wait.

Presentation is loading. Please wait.

Complexity Theory Lecture 9 Lecturer: Moni Naor. Recap Last week: –Toda’s Theorem: PH  P #P. –Program checking and hardness on the average of the permanent.

Published byKarley Ducksworth Modified over 10 years ago

Similar presentations

Presentation on theme: "Complexity Theory Lecture 9 Lecturer: Moni Naor. Recap Last week: –Toda’s Theorem: PH  P #P. –Program checking and hardness on the average of the permanent."— Presentation transcript:

1 Complexity Theory Lecture 9 Lecturer: Moni Naor

2 Recap Last week: –Toda’s Theorem: PH  P #P. –Program checking and hardness on the average of the permanent –Interactive Proofs Proof for graph non-isomorphism This Week: IP=PSPACE Start with #P in PSPACE Public vs. Private Coins IP[k]=AM Mechanism for showing non NP-Completeness

3 Interactive Proofs Definition: an interactive proof system for L is an interactive protocol (P, V) – completeness: x  L: Pr[V accepts in an execution of (P, V)(x)]  2/3 – soundness: x  L   P* Pr[V accepts in an execution of (P*, V)(x)]  1/3 – efficiency : V is PPT machine We can reduce the error to any  Perfect Completeness : V accepts with Prob 1

4 Lack of certificate Bug or feature? Disadvantages clear, but: Advantage: proof remains `property’ of prover and not automatically shared with verifier Very important in cryptographic applications –Zero-knowledge Many variants Can be used to transform any protocol designed to work with benign players into one working with malicious ones –The computational variant is useful for this purpose Can be used to obtain (plausible) deniability Honest verifier perfect zero-knowledge

5 The power of IP Last week GNI 2 IP IP µ PSPACE Today : coNP µ P #P µ IP and Theorem : IP=PSPACE

6 Idea of the Protocol for #SAT Idea: think of the rush hour protocol Input:  (x 1, x 2, …, x n ) –prover: “  has k satisfying assignments” –true iff  ( x 1 =0, x 2, …, x n ) has k 0 satisfying assignments  ( x 1 =1, x 2, …, x n ) has k 1 satisfying assignments k = k 0 + k 1 –prover sends k 0, k 1 –verifier sends random c  R {0,1} –prover recursively proves “  ( x 1 =c, x 2, …, x n ) has k c satisfying assignments” –at the end of the protocol, verifier can check for itself.

7 Protocol analysis Completeness: if  (x 1, x 2, …, x n ) has k satisfying assignments – accept with Prob. 1 Soundness: if  (x 1, x 2, …, x n ) does not have k satisfying assigns. – accept with Prob at most 1 – 2 -n –At the recursive call prover must cheat regarding at least one of k 0 or k 0 Prob ½ of choosing the `correct’ one –Have to be correct on any recursive call: 2 -n

8 Decreasing the Probability of Cheating Solution to problem: –replace {0,1} n with (F q ) n –verifier substitutes random field element at each step – vast majority of field elements catch cheating prover* (rather than just 1 out of 2) Theorem : L = {( , k): CNF  has exactly k satisfying assignments} is in IP In particular can prover non-sat ( k=0 )

9 Arithmetization of  Transform  (x 1, x 2, …, x n ) into polynomial P  (x 1, x 2, … x n ) of degree d over a field F q where q is a prime > 2 n –recursively: x i  x i    (1 - P  )    ’  ( P  )( P  ’ )    ’  1 - (1 - P  )(1 - P  ’ ) Claim : for all x  {0,1} n we have P  (x) =  (x) –degree d  |  | Can compute P  (x 1, x 2, … x n ) in poly time from  and x 1, x 2, … x n

10 The Interactive protocol for counting Prover wishes to prove: k = Σ x 1 = 0, 1 Σ x 2 =0,1 … Σ x n = 0, 1 P  (x 1, x 2, … x n ) Define: k z = Σ x 2 =0,1 … Σ x n = 0, 1 P  (x 1 =z, x 2, … x n ) Suppose prover sends: k z for all z  F q verifier: –Check the consistency: that k 0 + k 1 = k Answers are consistent with a polynomial in z –Send random z  F q continue with proof that k z = Σ x 2 = 0,1 … Σ x n = 0, 1 P  (x 1 =z, x 2, … x n ) At the end: verifier checks for itself To perform the computation mod q we need q>2^n

11 The Interactive protocol for counting Prover wishes to prove: k = Σ x 1 = 0, 1 Σ x 2 = 0,1 … Σ x n = 0, 1 P  (x 1, x 2, … x n ) Define: k z = Σ x 2 = 0,1 … Σ x n = 0, 1 P  (x 1 =z, x 2, … x n ) How to send k z for all z  F q ? Solution: send the univariate polynomial in z ! –recall degree d  |  |

12 The actual protocol Prover Verifier Input: ( , k ) P 1 (0)+P 1 (1)=k? pick random z 1 in F q P 1 (x) = Σ x 2, …, x n  {0,1} P  ( x, x 2, …, x n ) P 1 (x) z1z1 P 2 (x) = Σ x 3, …, x n  {0,1} P  (z 1, x, x 3, …, x n ) P 2 (x) z2z2 P 2 (0)+P 2 (1)=P 1 (z 1 )? pick random z 2 in F q P 3 (x) = Σ x 4, …, x n  {0,1} P  (z 1, z 2, x, x 4 …, x n ) P 3 (0)+P 3 (1)=P 2 (z 2 )? pick random z 3 in F q P 3 (x) P n (x) P n (0)+P n (1)=p n-1 (z n-1 )? pick random z n in F q. P n (z n ) = P  (z 1, z 2, …, z n )? The only connection to 

13 Analysis of protocol Completeness: –if ( , k)  L then the (honest) prover always makes the verifier accept By inspection

14 Soundness Analysis –let P i (x) be the correct polynomials –let P i *(x) be the polynomials actually sent by a (cheating) prover At first step: ( , k)  L  P 1 (0) + P 1 (1) ≠ k Either P 1 *(0) + P 1 *(1) ≠ k (and V rejects) or P 1 * ≠ P 1  Pr z 1 [P 1 *(z 1 ) = P 1 (z 1 )]  d/q  |  |/2 n At each step i, assume P i (z i ) ≠ P i *(z i ) either P i+1 *(0) + P i+1 *(1) ≠ P i *(z i ) (and V rejects) or P i+1 * ≠ P i+1  Pr z i+1 [P i+1 *(z i+1 ) = P i+1 (z i+1 )]  |  |/2 n

15 Analysis of protocol Soundness (continued): –if verifier does not reject, there must be some i for which: P i * ≠ P i and yet P i *(z i ) = P i (z i ) –for each i, probability is  |  |/2 n Union bound: probability that there exists an i for which the bad event occurs is at most n|  |/2 n  poly(n)/2 n << 1/3

16 Extending the protocol to TQBF Given a TQBF 9 x 1 8 x 2 9 x 3 … 8 x n  (x 1, x 2, …, x n ) can transform  (x 1, x 2, …, x n ) into a polynomial P  (x 1, x 2, … x n ). Now the problem is to prove: k = Σ x 1 = 0, 1  x 2 =0,1 Σ x 3 = 0 … Σ x n = 0, 1 P  (x 1, x 2, … x n ) > 0 First attempt: repeat the same protocol with checking multiplication at the right places Problem: multiplication increases the degree After n step the degree might be 2 n Solution : since we are only interested in the {0,1} values, can approximate the polynomial with a multi-linear function. New operator Rx i for linearization Rx i [p(x 1, x 2, …, x n )]=(1-x 1 ) p(0, x 2, …, x n )+ x 1 p(1, x 2, …, x n )

17 The TQBF Protocol Given a TQBF 9 x 1 8 x 2 9 x 3 … 8 x n  (x 1, x 2, …, x n ) transform  (x 1, x 2, …, x n ) into a polynomial P  (x 1, x 2, … x n ). and transform 9 x 1 8 x 2 9 x 3 … 8 x n into 9 x 1 Rx 1 8 x 2 Rx 1 Rx 2 9 x 3 Rx 1 Rx 2 Rx 3 … 8 x n Rx 1 Rx 2 Rx 3 … Run the protocol as before, but in rounds corresponding to Rx i use Rx i [p(x 1, x 2, …, x n )]=(1-x 1 ) p(0, x 2, …, x n )+ x 1 p(1, x 2, …, x n ) to reduce the degree. The polynomials remain linear. Theorem : IP = PSPACE

18 Public Coins Arthur-Merlin Games Definition of IP permits the verifier to keep its coin-flips private –necessary feature? –The Graph Non-Isomorphism protocol we saw breaks without it New characters: Arthur as the verifier and Merlin as the prover Arthur-Merlin ( ArtMer ) game : interactive protocol in which coin- flips are public –Arthur (verifier) may as well just send the results of coin-flips. No point in doing any computation until the final step If more complicated computation are need, Merlin (prover) can perform by himslef any computation Arthur would have done –Merlin does not know in advance the coin flips

19 Arthur and Merlin

20 Arthur-Merlin Games Clearly ArtMer µ IP –private (secret) coins are at least as powerful as public coins. Can release them when the right time comes The TQBF protocol (proof that IP = PSPACE) actually shows PSPACE µ ArtMer µ IP µ PSPACE –public coins are as powerful as private coins! When the number of rounds is not bounded!

21 Arthur-Merlin Games Limiting the # of rounds: –AM[k] = Arthur-Merlin game with k rounds, Arthur (verifier) goes first –MA[k] = Arthur-Merlin game with k rounds, Merlin (prover) goes first We will see: Theorem : AM[k] ( MA[k] ) equals AM[2] ( MA[2] ) with perfect completeness.

22 Perfect Completeness of Arthur Merlin Games Theorem : If L 2 AM[k], then L 2 MA[k+1]. I.e. has a k+1 round protocol with perfect completeness Proof : think of the BPP ½ PH proof Run m games simultaneously Make sure probability of error in each game is smaller than 1/3m Preliminary round Merlin: gives shifts ρ 1, ρ 1,… ρ m Each ρ j is sufficiently long to cover the coins for all k rounds ρ j = ρ j 1 ρ j 2 … ρ j k In each round Arthur : chooses in each round 1 · i · k a set of coins r i the m games are played in the i th round with coins (r i © ρ 1 i, r i © ρ 2 i,…, r i © ρ m j ( Arthur : accepts if any of the m games accepts m has to large enough to contain a hitting set for all r 1, r 2,…r k

23 Collapse of Arthur-Merlin Games Theorem : for all constant k  2 AM[k] = AM[2]. Proof: –Will show MA[2]  AM[2] –The same argument can be used to move all of Arthur’s messages to the beginning of interaction: AMAMAM…AM=AAMMAM…AM… = AAA…AMMM…M

24 Equivalent definition of MA and AM with perfect completeness Definitions without reference to interaction: –L  MA iff  poly-time relation R x  L   m Pr r [(x, m, r)  R] = 1 x  L   m Pr r [(x, m, r)  R]  ½ –L  AM iff  poly-time language R x  L  Pr r [  m (x, m, r)  R] = 1 x  L  Pr r [  m (x, m, r)  R]  ½ Even easier to reduce the error to any 

25 MA[2]  AM[2] Given L  MA[2] x  L   m Pr r [(x, m, r)  R] = 1 Pr r [  m (x, m, r)  R] = 1 x  L   m Pr r [(x, m, r)  R]  ε Pr r [  m (x, m, r)  R]  2 |m| ε –Need to reduce the error ε < 2 - ℓ. –By repeating ℓ =|m|+1 times with independent random strings r get 2 |m| ε < ½. Homework : what happens to the time analysis when repeated k times? order reversed

26 MA and AM Two important classes: –MA = MA[2] –AM = AM[2] We saw MA µ AM Confusion alert : when talking about AM is it the unbounded version or AM[2]? Not all the literature is consistent

27 MA and AM Relation to other complexity classes: both MA and AM contain NP can choose to not use randomness at all both MA and AM contained in  2 P L   2 P iff  R  P for which : x  L  Pr r [  m (x, m, r)  R] = 1 x  L  Pr r [  m (x, m, r)  R] < 1 –so AM µ  2 P We know that MA  AM

28 MA and AM Theorem : if coNP µ AM then PH = AM and the hiereachy collapses. Proof: coNP µ AM means that there is an AM protocol for any poly relation R for proving (if true) for a given x the statement  z (x, z)  R Suffices to show Σ 2 P µ AM (and use the fact AM µ Π 2 P ) –L  Σ 2 P iff  poly-time relation R x  L   y  z (x, y, z)  R x  L   y  z (x, y, z)  R The AM protocol for x  L : –Merlin sends y –Run an AM protocol for proving for (x,y) that  z (x,y,z)  R Altogether an MAM protocol. MAM = AM µ Π 2 P

29 MA and AM P NP coNP PP 2P2P AMcoAM MAcoMA

30 Relationship between The Complexity classes P NP coNP PSPACE=IP EXP PH Δ2PΔ2P #P BPP Co-AMAM Co-MAMA PP 2P2P

31 Public vs Private Coins in constant number of rounds We know ArtMer = IP. –public coins = private coins Definition: IP[k]={L|L has a k round IP protocol } Theorem : IP[k] µ AM[O(k)] –implies for all constant k  2, IP[k] = AM[O(k)] = AM[2] So in particular: GNI  IP[2] = AM

32 Public coins protocol for GNI Want to prove that (G 0, G 1 ) 2 GNI Idea: use the size of set protocol we have already seen The set in question is the number of transcripts that make the verifier accept For a graph G let aut(G)={  |  (G)=G} Assume for simplicity but with loss of generality that |aut(G 0 )|=|aut(G 1 )|=1 Let S={H| H  G 0 or H  G 1 }. Then –If G 0  G 1 we have that |S|=n! –Else |S|=2n! Can amplify the gap to 2 m by m repetition In general S={(H,  )| H  G 0 or H  G 1 and  2 aut(H)}.

33 Size of set protocol Want to prove that S is large. –Suppose S µ U –Let H be a pairwise independent hash function h 2 H maps elements in U in {0,1} ℓ Arthur : choose h 2 R H Merlin : find x 2 S such that h(x)= 0 ℓ If |S| ¸ 2 ℓ If then Pr h [ 9 x 2 S such that h(x)=0 ℓ ] ¸ 1/2 Use inclusion-exclusion and the pairwise independence of events h(x)=0 ℓ and h(x’)=0 ℓ If |S| < 1/100 ¢ 2 ℓ then Pr h [ 9 x 2 S such that h(x)= 0 ℓ ] < 1/100 In general: if |S| ¸ 2 k ¢ 2 ℓ then Pr h [ 9 x 2 S s. t. h(x)=0 ℓ ] ¸ 1- 2 -k And if |S| · 2 -k ¢ 2 ℓ then Pr h [ 9 x 2 S s. t. h(x)=0 ℓ ] · 2 -k

34 Implications to Graph Isomorphism It is not known whether GI is NP -complete. –Conclusion from previous Theorems: if GI is NP -complete then PH = AM –does not seem likely! Proof : GI being NP -complete means that GNI is coNP - complete  coNP  AM  PH = AM

35 A mechanism for showing non-hardness of problems By placing a problem in AM Å Co-AM one demonstrates that the problem is not NP-Complete according to the current world view Alternatively, one can view it as a method for showing impossibility of certain types of protocols

36 Random Self Reductions Definition: A non-adaptive random self reduction for a function f is a probabilistic algorithm C such that on input x – C produces y 1, y 2,  y k 2 {0,1} m and –Given f(y 1 ), f(y 2 ),  f(y k ), C computes f(x) We require the following –Each of the y i ‘s is uniformly distributed in {0,1} m There may be dependence between the y i ‘s –All sizes ( k,m ) are polynomial –The probability of successfully computing f(x) given correct answers to f(y 1 ), f(y 2 ),  f(y k ) is large for any input x Example: the permanent

37 Random Self Reduction and NP- Completeness Theorem : if any NP-Complete language has a non- adaptive random self reduction, then PH collapses to the third level. The function we are interested in is f(x)=1 if x 2 L and f(x)=0 otherwise Proof: Need some non-uniformity: the fraction  m of {y 2 {0,1} m |f(y) 2 L} This value cannot be negligible, or NP µ BPP

38 The AM Protocol If f(x)=1 then x 2 L and since L 2 NP there is a proof If f(x)=0 then run ℓ times in parallel: Verifier: use C to produce y 1, y 2,  y k 2 {0,1} m Prover: send f(y 1 ), f(y 2 ),  f(y k ) for each y i, such that f(y 1 )=1 add NP proof Verifier: Verify the NP proofs for f(y 1 )=1. Run C on result to obtain f(x) Global test: make sure that the fraction of y i such that f(y i )=0 in all ℓ executions is roughly  m Accept if all test are verified and all the executions conclude that f(x)=0 Conclusion: cannot expect such a reduction for an NP-Complete problem

39 Difference in distribution generated by circuits For a circuit C with n inputs and m outputs call the distribution on {0,1} m of C(x) when x 2 R {0,1} n the distribution generated by C. Given two circuits C 1 and C 2 we would like to check whether these two distributions are close or far from each other. The variation distance (or statistical difference) between distribution D 1 and D 2 on universe U is V(D 1, D 2 )= max S µ U |Pr D 1 [x 2 S] – Pr D 2 [x 2 S]|. The VD( ,  ) Problem: Separate the cases V(D 1, D 2 ) ·  V(D 1, D 2 ) ¸  when D 1 and D 2 are the distributions generated by C 1 and C 2.

40 Homework Show that if the Graph Isomorphism problem is not in BPP, then there is no probabilistic polynomial time algorithm that solves VD(0,1) Show an AM protocol for VD(0,1). For distributions D 1 and D 2 let S 1 ={x | Pr D 1 [x] > Pr D 2 [x ]} and S 2 ={x | Pr D 2 [x] > Pr D 1 [x ]} Show: V(D 1, D 2 )=  x 2 U Pr D 1 [x 2 S 1 ] - Pr D 2 [x 2 S 1 ]=  x 2 U Pr D 2 [x 2 S 2 ] - Pr D 2 [x 2 S 2 ] Show an AM protocol for distinguishing the general case, i.e. VD( ,  ). What is the complexity of the protocol as a function of  -  ?

41 References Average Hardness of permanent: Lipton 1990 Interactive Proof system: –Public coins version: Babai 1985 ( Babai, Moran ) –Private Coins: Goldwasser Micali and Rackoff Proof system for GNI: Goldreich, Micali and Wigderson, 1986 Private coins equals public coins: Goldwasser and Sipser, 1986 Proof system for #P: Lund, Fortnow, Karloff and Nisan Proof system for PSPACE: Shamir Impossibility of non-adaptive random self reductions: Feigenbaum and Fortnow

Download ppt "Complexity Theory Lecture 9 Lecturer: Moni Naor. Recap Last week: –Toda’s Theorem: PH  P #P. –Program checking and hardness on the average of the permanent."

Similar presentations

Quantum Versus Classical Proofs and Advice Scott Aaronson Waterloo MIT Greg Kuperberg UC Davis | x {0,1} n ?

Quantum Versus Classical Proofs and Advice Scott Aaronson Waterloo MIT Greg Kuperberg UC Davis | x {0,1} n ?
Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech.

Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Sublinear Algorithms 1 3 2 … Lecture 23: April 20.

Sublinear Algorithms … Lecture 23: April 20.
Complexity Theory Lecture 6

Complexity Theory Lecture 6
Complexity Theory Lecture 8

Complexity Theory Lecture 8
A threshold of ln(n) for approximating set cover By Uriel Feige Lecturer: Ariel Procaccia.

A threshold of ln(n) for approximating set cover By Uriel Feige Lecturer: Ariel Procaccia.
Shortest Vector In A Lattice is NP-Hard to approximate

Shortest Vector In A Lattice is NP-Hard to approximate
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Zero Knowledge Proofs(2) Suzanne van Wijk & Maaike Zwart

Zero Knowledge Proofs(2) Suzanne van Wijk & Maaike Zwart
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
Circuit and Communication Complexity. Karchmer – Wigderson Games Given The communication game G f : Alice getss.t. f(x)=1 Bob getss.t. f(y)=0 Goal: Find.

Circuit and Communication Complexity. Karchmer – Wigderson Games Given The communication game G f : Alice getss.t. f(x)=1 Bob getss.t. f(y)=0 Goal: Find.
Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.

Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.
Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.
Complexity Theory Lecture 7

Complexity Theory Lecture 7
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Complexity Theory Lecture 3 Lecturer: Moni Naor. Recap Last week: Non deterministic communication complexity Probabilistic communication complexity Their.

Complexity Theory Lecture 3 Lecturer: Moni Naor. Recap Last week: Non deterministic communication complexity Probabilistic communication complexity Their.
IP=PSPACE Nikhil Srivastava CPSC 468/568. Outline IP Warmup: coNP  IP by arithmetization PSPACE (wrong) attempt at PSPACE  IP (revised) PSPACE  IP.

IP=PSPACE Nikhil Srivastava CPSC 468/568. Outline IP Warmup: coNP  IP by arithmetization PSPACE (wrong) attempt at PSPACE  IP (revised) PSPACE  IP.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Similar presentations

Ads by Google