low-end uniform hardness vs. randomness tradeoffs for arthur-merlin games. ronen shaltiel,...
TRANSCRIPT
Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games.
Ronen Shaltiel, University of HaifaChris Umans, Caltech
Arthur-Merlin Games [B,GMR]
Interactive games in which the all-powerful prover Merlin attempts to prove some statement to a probabilistic poly-time verifier.
Merlin Arthur“xL”
toss coinscoin tosses
message
I accept
Arthur-Merlin Games [B,GMR]
Completeness: If the statement is true then Arthur accepts.
Soundness: If the statement is false then Pr[Arthur accepts]<½.
Merlin Arthur“xL”
toss coinscoin tosses
message
I accept
Arthur-Merlin Games [B,GMR]
Completeness: If the statement is true then Arthur accepts.
Soundness: If the statement is false then Pr[Arthur accepts]<½.
The class AM: All languages L which have an Arthur-Merlin protocol.
Contains many interesting problems not known to be in NP.
Derandomization goals: Efficient deterministic
simulation of prob. algs. BPP=P BPPSUBEXP=DTIME(2no(1))
Efficient nondeterministic simulation of prob. protocols
AM=NP AMNSUBEXP=NTIME(2no(1))
• We don’t know how to separate BPP from NEXP.
• Such a separation implies certain circuit lower bounds [IKW01,KI02].
Hardness versus Randomness
Initiated by [BM,Yao,Shamir,NW].
Assumption: hard functions exist.
Conclusion: Derandomization.
A lot of works: [BM82,Y82,HILL,NW88,BFNW93, I95,IW97,IW98,KvM99,STV99,ISW99,MV99, ISW00,SU01,U02,TV02,GST03,SU05,U05,…]
A quick survey of (nonuniform) hardness/randomness tradeoffs
Assumption: There exists a function in E=DTIME(2O(l)) which is hard for “small” (size s(l)) circuits.
BPPAM
A hard function for:
Deterministic circuits
Nondeterministic circuits
High-end: s(l)=2Ω(l)
BPP=P [IW97,STV99]
AM=NP [KvM99,MV99,SU05]
Low-end:s(l)=lω(1)
BPPSUBEXP [BFNW93,SU01,U02]
AMNSUBEXP [SU01,SU05]
A quick survey of (uniform) hardness/randomness tradeoffs
Assumption: There exists a function in E=DTIME(2O(l)) which is hard for “small” (time s(l)) algorithms/protocols.
BPPAM
A hard function for:
Prob. algsAM protocols.
High-end: s(l)=2Ω(l)
BPP=P (*) [TV02*]
AM=NP (*) [GST03]
Low-end:s(l)=lω(1)
BPPSUBEXP (*) [IW98]
AMNSUBEXP (*)
This paper*
)*(The simulation only succeeds on “feasibly generated inputs.”
A low-end gap theorem for AM.
Informal statement: Either AM protocols are very strong. Or, AM protocols are somewhat weak.
Formal statement: Either E=DTIME(2O(l)) has Arthur-Merlin protocols
running in time 2(log l)3. Or, for every LAM there is a nondeterministic
machine M that runs in subexponential time and agrees with L on “feasibly generated inputs”.
No polynomial time machine can produce inputs on which M fails.
Should have been
poly(l)
Jargon: Just like [IW98]
paper but for AM instead of
BPP
A uniform hardness vs. randomness tradeoff for AM
Informal statement: Either AM protocols are very strong. Or, AM protocols are somewhat weak.
Formal statement: For l<s(l)<2l. Either E=DTIME(2O(l)) has Arthur-Merlin protocols
running in time s(l). Or, for every LAM there is a nondeterministic
machine M that runs in time 2O(l) and agrees with L on “feasibly generated inputs” of length n=s(l)1/(log(l)-loglog(s(l)))2.
No polynomial time machine can produce inputs on which M fails.
Should have been
Ω(1)
Motivation: weak unconditional derandomization
We believe that AM=NP (= Σ1). We only know that AM is in Σ3. Goal: Unconditional proof that AMΣ2
(or even AMΣ2-TIME(2no(1)). Conditional => Unconditional ?? Approach [GST03]:
Either AM is weak: AM=NP ⇒ AM⊆Σ2. Or AM is very strong: AM=E ⇒ ??? ⇒ AM=coAMΣ2. Missing step: remove “feasibly generated inputs”.
A low-end gap theorem for AM∩coAM.
Informal statement: Either AM∩coAM is very strong. Or, AM∩coAM is somewhat weak.
Formal statement: Either E=DTIME(2O(l)) has Arthur-Merlin protocols
running in time 2(log l)3. Or, for every LAM∩coAM there is a
nondeterministic machine M that runs in subexponential time and agrees with L on all inputs (not necessarily feasibly generated).
Should have been
poly(l)
Plan for rest of talk Explain the overall approach of getting
uniform hardness vs. randomness tradeoffs for AM (which is in [GST03]).
This approach uses a “hitting-set generator” construction by [MV99] which only works in the high end.
Main technical contribution of this paper is improving the [MV99] construction so that it works in the low-end.
Improvement uses “PCP tools” which were not used previously in this framework.
The high level approach (following [GST03])
The uniform tradeoff of [GST03]: resilient AM protocols
Arthur Merlin
nonuniform advice
Constructs nondet. Circuit C that is supposed to compute f
f(y)?= f(y)=b
witness showing C(y)=b
AM protocol verifying that C=f. (exists as f is complete for E)
C is supposed to define a function: For every y, C is supposed to have witnesses showing C(y)=0 or C(y)=1 but not both! (single valued circuit)
Use nonuniform tradeoffs for AM. Derandomization fails
=> hard function f has small nondeterministic circuits.
Want to show that: => f has small AM protocol.
Observation [GST03]: The [MV99] tradeoff has an AM protocol in which Arthur verifies that the circuit obtained is single-valued (defines a function).
Suppose Arthur could verify that this is indeed the
case.
The uniform tradeoff of [GST03]: Use nonuniform tradeoffs for
AM. Derandomization fails
=> hard function f has small nondeterministic circuits.
Want to show that: => f has small AM protocol.
Observation [GST03]: The [MV99] tradeoff has an AM protocol in which Arthur verifies that the circuit obtained is single-valued (defines a function).
=> AM protocol for f. Problem: The [MV99] generator
only works in the “high end”. Our contribution: Modify [MV99]
into a “low-end” generator.
Arthur Merlin
C is supposed to compute f
f(y)?= f(y)=b
witness showing C(y)=b
AM protocol verifying that C=f. (exists as f is complete for E)
AM protocol in which Arthur receives a certified valid circuit C
C is guaranteed to define a function: For every y, C is has witnesses showing C(y)=0 or
C(y)=1 but not both !
Abstraction: commit-and-evaluate AM protocols and resiliency.
Commit-and-evaluate AM protocols for function f(y).
Properties: Input y can be revealed to
Merlin after commit phase. Conformity: Honest Merlin
can make Arthur output f(y). Resiliency: Following
commit phase Merlin is (w.h.p) committed to some function g(y) (may differ from f).
Thm: If E has such AM protocols then E has standard AM protocols.
Arthur Merlin
f(y)?= f(y)=b
Evaluation phase: AM protocol that uses advice string and outputs a value v(y).
Commit phase: AM protocol generating “advice string”.
The big picture: How to derandomize an AM protocol
Nondet machine M(x) (supposed to accept
LAM) Use function f to
construct small “hitting set” of “pseudorandom strings”.
Run AM protocol on input x (using pseudorandom strings as random coins) and accept if all runs accept.
Proof of correctness by reduction
Suppose M fails on an input x.
Construct an efficient commit-and-evaluate AM protocol that uses x and conforms resiliently with f.
=> f has a standard efficient AM protocol.
Where do “feasibly generated inputs” come in?
How can Arthur obtain x ?
From his point of view x is a nonuniform advice string.
No problem if we only care about
inputs that can be “feasibly
generated” by some efficient TM.
Following [GST03]: In the case of
AM∩coAM we can trust Merlin to send
a “good” x.
This is where uniformity comes
in: Protocols rather than
circuits.
Improving Miltersen-Vinodchandran hitting set generator
(How to derandomize an AM language)
The MV hitting set generator
Nondet. Machine M(x): derandomizes AM protocol with m coins For every output string guess a response for Merlin and accept if Arthur accepts all of
them. x∊L ⇒ Merlin can answer any string ⇒ M accepts (no error). x∉L ⇒ Merlin can answer ½ strings ⇒ M may err.
truth table f:{0,1}l→{0,1}
field size q=102l/2
p(x,y)
deg. 2l/2
A
{0,1}m
extractor
rows and
columns Z
small set
(≈2m)
deg 2l/2 polys
Hitting set
A commit-and-evaluate AM protocol for p.
truth table f:{0,1}l→{0,1}
field size q=102l/2
p(x,y)
deg. 2l/2
A
{0,1}m
extractor
rows and columns
Z
very small set
truth table f:{0,1}l→{0,1}
field size q=102l/2
p(x,y)
deg. 2l/2 A
{0,1}m
extractor
rows and
columns Z
small set
(≈2m)
A commit-and-evaluate AM protocol for p.
Conformity: v Resiliency: v (RS code).
w.h.p. over S ∀univariate poly g∊Z, g(S) is unique.
Efficiency: (on high end m=2Ω(l)).
Protocol runs in time poly(m). Protocol requires passing
polynomials of degree 2l/2.
Arthur Merlin
p(x,y)=?
p(x,y)=b
commit phase:S∊RField of size mp(S2)
evaluation phase:• Both compute path to
(x,y)• ∀ line on path:p|line and witness
w Arthur checks:
• small set: p|line∊Z using w.
• consistency of p|line.
deg 2l/2 polys
deg 2l/2 polys truth table f:{0,1}l→{0,1}
field size q=102l/2
p(x,y)
deg. 2l/2 A
{0,1}m
extractor
rows and
columns Z
very small set
A commit-and-evaluate AM protocol for p.
Conformity: v Resiliency: v (RS code).
w.h.p. over S ∀univariate poly g∊Z, g(S) is unique.
Efficiency: (on high end m=2Ω(l)).
Protocol runs in time poly(m). Protocol requires passing
polynomials of degree 2l/2.
Arthur Merlin
commit phase:S∊RField of size mp(S2)
evaluation phase:• Both compute path to
(x,y)• ∀ line on path:p|line and witness
w Arthur checks:
• small set: p|line∊Z using w.
• consistency of p|line.
For low end (say
m=lO(1) ) we need to reduce degree
Can get deg=2l/d
using p(x1,..,xd)
with d variables .
S2→Sd |Sd|=2Ω(l) no
gain!
p(x,y)=?
p(x,y)=b
truth table f:{0,1}l→{0,1}
field size q=102l/2
p(x,y)
deg. 2l/2 A
{0,1}m
extractor
rows and
columns Z
very small set
The best of both worlds
Best of both worlds: Use p(x1,..,xd) deg 2l/d. Run MV as if p=p(x,y). Resiliency: v (RM code). Size of box=|S|2 ≈ m2.
doesn’t depend on d! Sending p|”line” costs 2l/2 bits.
Arthur Merlin
commit phase:S∊RField of size mp(S2)
evaluation phase:• Both compute path to
(x,y)• ∀ line on path:p|line and witness
w Arthur checks:
• small set: p|line∊Z using w.
• consistency of p|line.
deg 2l/2 polys
p(x,y)=?
p(x,y)=b
p(x1,..,xd/2;xd/
2+1,..,xd).
p|”line” has many
coefficients
Suppose p|”line”
could be sent more
efficiently:
p|”line” has small
(non-det) circuit
p|”line” has commit-and-
evaluate protocol
Arthur can verify that he gets a low-degree polynomial by
performing low-degree testing!
truth table f:{0,1}l→{0,1}
field size q=102l/2
p(x,y)
deg. 2l/2 A
{0,1}m
extractor
rows and
columns Z
very small set
Locally computable extractors
Story so far: Use polynomials p with
many variables and pretend they are bivariate.
Assume that p|”line” can be sent efficiently. (Not yet justified).
Is the AM protocol efficient?
Arthur Merlin
commit phase:S∊RField of size mp(S2)
evaluation phase:• Both compute path to
(x,y)• ∀ line on path:p|line and witness
w Arthur checks:
• small set: p|line∊Z using w.
• consistency of p|line.
deg 2l/2 polys
p(x,y)=?
p(x,y)=b
v
v
vv
v
X
Requires running the extractor on p|line(t) for all qd inputs t to p|line.
Need locally
computable
extractors!
• Thm: [V] no locally computable extractors for low-entropy.• We know that inputs to extractors are low-degree polynomials!• Can use extractor construction [SU01] which is locally computable.
• Thm: [V] no locally computable extractors for low-entropy.• We know that inputs to extractors are low-degree polynomials!• Can use extractor construction [SU01] which is locally computable.
v
Efficient AM protocol!
v
truth table f:{0,1}l→{0,1}
field size q=102l/2
p(x,y)
deg. 2l/2 A
{0,1}m
extractor
rows and
columns Z
very small set
Win-win analysis
Main ideas: Use polynomials p with many
variables and pretend they are bivariate.
Assume that p|”line” can be sent efficiently. (Not yet justified).
Use locally computable extractors (exist when inputs are low degree polynomials.
Arthur Merlin
commit phase:S∊RField of size mp(S2)
evaluation phase:• Both compute path to
(x,y)• ∀ line on path:p|line and witness
w Arthur checks:
• small set: p|line∊Z using w.
• consistency of p|line.
deg 2l/2 polys
p(x,y)=?
p(x,y)=b
v
v
vv
v
Efficient AM protocol!
????
Intuition: If p|”line” doesn’t have an efficient
commit-and-evaluate protocol then it’s better to use it as the hard function. (It is over less variables!)Recursive win-win analysis a-la [ISW99].
The recursive HSGtruth table of f
…
each row and column
ALL rows and
columns
to extractor
(2l bits)
(2l/2 bits each )
Recursive commit-and-evaluate AM protocol
truth table of f
…
• Arthur: random m x m box• Merlin: commits to top board• ! (input revealed)• Arthur/ Merlin: commit to each
line’s board• Arthur: random points for
checking lines• Merlin: commits to lines…
Parameters
Start with 2l bit truth table < log l levels # “lines” ≈ 2O(l). v Efficiency of AM protocol:
poly(m) blow-up at each level ) poly(m)log l
running time convert O(log l) rounds to two rounds )
poly(m)(log l)2 time for final AM protocol
Conclusions Key ideas:
commit-and-evaluate protocols as abstraction. operate implicitly on lines.
PCP tools: low-degree testing, self-correction. “local extractor” when know in advance it will
applied to low-degree polynomials. “Recursive win-win analysis” allows large objects to
have short descriptions. Open problems:
improve poly(m)(log l)2 to poly(m) (“optimal”). remove “feasibly generated inputs” from main
theorem. ⇒ Uncondtional proof that AM⊆Σ2 (TIME(2no(1))).
That’s it…