CS151 Complexity Theory. Lecture 13 May 15, 2017

Transcription:

CS151 Complexity Theory Lecture 13 May 15, 2017

Relationship to other classes
To compare to classes of decision problems, usually consider $P^{\#P}$, which is a decision class.
easy: $NP, coNP \subseteq P^{\#P}$
easy: $P^{\#P} \subseteq PSPACE$
Toda's Theorem (homework): $PH \subseteq P^{\#P}$.

Relationship to other classes
Question: is #P hard because it entails finding NP witnesses, or is counting difficult by itself?

Bipartite Matchings
Definition: $G = (U, V, E)$ is a bipartite graph with $|U| = |V|$.
A perfect matching in $G$ is a subset $M \subseteq E$ that touches every node, and no two edges in $M$ share an endpoint.


Bipartite Matchings
#MATCHING: given a bipartite graph $G = (U, V, E)$, how many perfect matchings does it have?
Theorem: #MATCHING is #P-complete.
But can find a perfect matching in polynomial time! Counting itself must be difficult.

Cycle Covers
Claim: 1-1 correspondence between cycle covers in $G'$ and perfect matchings in $G$.
#MATCHING and #CYCLE-COVER are parsimoniously reducible to each other.
[Figure: bipartite graph $G = (U, V, E)$ on nodes 1 to 5 and the corresponding directed graph $G' = (V, E')$.]

Cycle Covers
cycle cover: collection of node-disjoint directed cycles that touch every node
#CYCLE-COVER: given a directed graph $G = (V, E)$, how many cycle covers does it have?
Theorem: #CYCLE-COVER is #P-complete.
This implies #MATCHING is #P-complete.

Cycle Cover is #P-complete
variable gadget: every cycle cover includes left cycle or right cycle
clause gadget: cycle cover cannot use all three outer edges, and each of 7 ways to exclude at least one gives exactly 1 cover using those external edges
[Figure: variable gadget, labeled $x_i$ and $\neg x_i$, and clause gadget.]


Cycle Cover is #P-complete
clause gadget corresponding to $(A \vee B \vee C)$ has xor gadget between outer 3 edges and A, B, C
xor gadget ensures that exactly one of two edges can be in cover
[Figure: xor gadget joining two edges; clause gadget whose three outer edges are joined by xor gadgets to A, B, C.]

Cycle Cover is #P-complete
Proof outline (reduce from #SAT)
N.B. must avoid reducing SAT to MATCHING!
[Figure: a three-clause example formula on the variables $x_1, x_2, x_3$, with clauses on $(x_1, x_2, x_3)$, $(x_3, x_1)$ and $(x_3, x_2)$, drawn with its variable gadgets, clause gadgets and xor gadgets (exactly 1 of two edges is in cover).]

Cycle Cover is #P-complete
Introduce edge weights: cycle cover weight is product of weights of its edges.
Implement xor gadget by:
weight of cycle cover that obeys xor multiplied by 4 (mod N)
weight of cycle cover that violates xor multiplied by N
(N: large integer)

Cycle Cover is #P-complete
Weighted xor gadget:
weight of cycle cover that obeys xor multiplied by 4 (mod N)
weight of cycle cover that violates xor multiplied by N
[Figure: weighted xor gadget; labeled edge weights include N-1, 2 and 3; unlabeled weights are 1.]

Cycle Cover is #P-complete
Simulating positive edge weights: need to handle 2, 3, 4, 5, …, N-1
[Figure: gadgets simulating edge weights 2, $2^k$ (k times) and 3.]

Cycle Cover is #P-complete
[Figure: the three-clause example formula on $x_1, x_2, x_3$ with its variable gadgets, clause gadgets and xor gadgets (exactly 1 of two edges is in cover).]
m = # xor gadgets; n = # variables; $N > 4^m 2^n$
# covers (mod N) = $4^m \cdot$ (# sat. assignments)

New Topic
proof systems
interactive proofs and their power
Arthur-Merlin games

Proof systems
$L = \{(A, 1^k) : A \text{ is a true mathematical assertion with a proof of length } k\}$
What is a proof?
complexity insight: meaningless unless can be efficiently verified

Proof systems
Given language $L$, goal is to prove $x \in L$.
Proof system for $L$ is a verification algorithm $V$:
completeness: $x \in L \Rightarrow \exists$ proof, $V$ accepts (x, proof) ("true assertions have proofs")
soundness: $x \notin L \Rightarrow \forall$ proof*, $V$ rejects (x, proof*) ("false assertions have no proofs")
efficiency: $\forall$ x, proof: $V$(x, proof) runs in polynomial time in $|x|$

Classical Proofs
previous definition: classical proof system
recall: $L \in NP$ iff expressible as $L = \{x \mid \exists y,\ |y| < |x|^k,\ (x, y) \in R\}$ and $R \in P$.
NP is the set of languages with classical proof systems ($R$ is the verifier).

Interactive Proofs
Two new ingredients:
randomness: verifier tosses coins, errs with some small probability
interaction: rather than reading proof, verifier interacts with computationally unbounded prover
NP proof systems lie in this framework: prover sends proof, verifier does not use randomness.

Interactive Proofs
interactive proof system for $L$ is an interactive protocol $(P, V)$
[Diagram: Prover and Verifier exchange messages on common input $x$; # rounds = poly($|x|$); Verifier outputs accept/reject.]

Interactive Proofs
interactive proof system for $L$ is an interactive protocol $(P, V)$
completeness: $x \in L \Rightarrow \Pr[V \text{ accepts in } (P, V)(x)] \ge 2/3$
soundness: $x \notin L \Rightarrow \forall P^*\ \Pr[V \text{ accepts in } (P^*, V)(x)] \le 1/3$
efficiency: $V$ is p.p.t. machine
repetition: can reduce error to any $\varepsilon$

Interactive Proofs
$IP = \{L : L \text{ has an interactive proof system}\}$
Observations/questions:
philosophically interesting: captures more broadly what it means to be convinced a statement is true
clearly $NP \subseteq IP$. Potentially larger. How much larger?
if larger, randomness is essential (why?)

Graph Isomorphism
Graphs $G_0 = (V, E_0)$ and $G_1 = (V, E_1)$ are isomorphic ($G_0 \cong G_1$) if there exists a permutation $\pi: V \to V$ for which
$(x, y) \in E_0 \Leftrightarrow (\pi(x), \pi(y)) \in E_1$
[Figure: example graphs on nodes 1 to 4.]

Graph Isomorphism
$GI = \{(G_0, G_1) : G_0 \cong G_1\}$
in NP
not known to be in P, or NP-complete
GNI = complement of GI
not known to be in NP
Theorem (GMW): $GNI \in IP$
indication IP may be more powerful than NP

GNI in IP
interactive proof system for GNI:
input: $(G_0, G_1)$
Verifier: flip coin $c \in \{0,1\}$; pick random $\pi$; send $H = \pi(G_c)$
Prover: if $H \cong G_0$ then $r = 0$, else $r = 1$; send $r$
Verifier: accept iff $r = c$

GNI in IP
completeness: if $G_0$ is not isomorphic to $G_1$ then $H$ is isomorphic to exactly one of $(G_0, G_1)$; prover will choose correct $r$
soundness: if $G_0 \cong G_1$ then prover sees same distribution on $H$ for $c = 0$, $c = 1$; no information on $c$, so any prover $P^*$ can succeed with probability at most 1/2
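The GNI protocol above as a runnable simulation (an added example, not part of the original slides). The brute-force `isomorphic` stands in for the unbounded prover, and the sample graphs and all function names are constructed for this sketch.

```python
import itertools, random

def graph(edges):
    """Undirected graph as a set of 2-element vertex sets."""
    return frozenset(frozenset(e) for e in edges)

def permute(g, pi):
    """Relabel every vertex v of g as pi[v]."""
    return frozenset(frozenset(pi[v] for v in e) for e in g)

def isomorphic(g, h, n):
    """Stand-in for the computationally unbounded prover: try all n! permutations."""
    return any(permute(g, pi) == h for pi in itertools.permutations(range(n)))

def prover(h, g0, g1, n):
    """Prover's rule from the protocol: r = 0 if H is isomorphic to G0, else r = 1."""
    return 0 if isomorphic(g0, h, n) else 1

def verifier_round(g0, g1, n, rng):
    """One round: flip c, pick random pi, send H = pi(G_c), accept iff r = c."""
    c = rng.randrange(2)
    pi = list(range(n))
    rng.shuffle(pi)
    h = permute((g0, g1)[c], pi)
    return prover(h, g0, g1, n) == c

def acceptance_rate(g0, g1, n, rounds=400, seed=0):
    """Fraction of independent rounds in which the verifier accepts."""
    rng = random.Random(seed)
    return sum(verifier_round(g0, g1, n, rng) for _ in range(rounds)) / rounds

# Constructed sample graphs on vertices 0..3.
PATH = graph([(0, 1), (1, 2), (2, 3)])
STAR = graph([(0, 1), (0, 2), (0, 3)])            # not isomorphic to PATH
RELABELED_PATH = graph([(2, 0), (0, 3), (3, 1)])  # isomorphic to PATH
```

On (PATH, STAR) the verifier accepts every round; on (PATH, RELABELED_PATH) the prover's answer is the same whatever $c$ was, so acceptance hovers around 1/2.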

The power of IP
We showed $GNI \in IP$.
$GNI \in IP$ suggests IP more powerful than NP, since we don't know how to show GNI in NP.
GNI in coNP
Theorem (LFKN): $coNP \subseteq IP$

The power of IP
Proof idea:
input: $\varphi(x_1, x_2, \ldots, x_n)$
prover: "I claim $\varphi$ has $k$ satisfying assignments"
true iff
$\varphi(0, x_2, \ldots, x_n)$ has $k_0$ satisfying assignments,
$\varphi(1, x_2, \ldots, x_n)$ has $k_1$ satisfying assignments,
$k = k_0 + k_1$
prover sends $k_0, k_1$
verifier sends random $c \in \{0,1\}$
prover recursively proves "$\varphi' = \varphi(c, x_2, \ldots, x_n)$ has $k_c$ satisfying assignments"
at end, verifier can check for itself.

The power of IP
Analysis of proof idea:
Completeness: $\varphi(x_1, x_2, \ldots, x_n)$ has $k$ satisfying assignments $\Rightarrow$ accept with prob. 1
Soundness: $\varphi(x_1, x_2, \ldots, x_n)$ does not have $k$ satisfying assignments $\Rightarrow$ accept prob. $\le 1 - 2^{-n}$
Why? It is possible that $k$ is only off by one; verifier only catches prover if coin flips $c$ are successive bits of this assignment.

The power of IP
Solution to problem (ideas):
replace $\{0,1\}^n$ with $(\mathbb{F}_q)^n$
verifier substitutes random field element at each step
vast majority of field elements catch cheating prover (rather than just 1)
Theorem: $L = \{(\varphi, k) : \text{CNF } \varphi \text{ has exactly } k \text{ satisfying assignments}\}$ is in IP

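The power of IP
First step: arithmetization
transform $\varphi(x_1, \ldots, x_n)$ into polynomial $p_\varphi(x_1, x_2, \ldots, x_n)$ of degree $d$ over a field $\mathbb{F}_q$; $q$ prime $> 2^n$
recursively:
$x_i \to x_i$
$\neg\varphi \to (1 - p_\varphi)$
$\varphi \wedge \varphi' \to (p_\varphi)(p_{\varphi'})$
$\varphi \vee \varphi' \to 1 - (1 - p_\varphi)(1 - p_{\varphi'})$
for all $x \in \{0,1\}^n$ we have $p_\varphi(x) = \varphi(x)$
degree $d \le |\varphi|$
can compute $p_\varphi(x)$ in poly time from $\varphi$ and $x$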

The power of IP
Prover wishes to prove:
$k = \sum_{x_1 = 0,1} \sum_{x_2 = 0,1} \cdots \sum_{x_n = 0,1} p_\varphi(x_1, x_2, \ldots, x_n)$
Define:
$k_z = \sum_{x_2 = 0,1} \cdots \sum_{x_n = 0,1} p_\varphi(z, x_2, \ldots, x_n)$
prover sends: $k_z$ for all $z \in \mathbb{F}_q$
verifier:
checks that $k_0 + k_1 = k$
sends random $z \in \mathbb{F}_q$
continue with proof that $k_z = \sum_{x_2 = 0,1} \cdots \sum_{x_n = 0,1} p_\varphi(z, x_2, \ldots, x_n)$
at end: verifier checks for itself

The power of IP
Prover wishes to prove:
$k = \sum_{x_1 = 0,1} \sum_{x_2 = 0,1} \cdots \sum_{x_n = 0,1} p_\varphi(x_1, x_2, \ldots, x_n)$
Define:
$k_z = \sum_{x_2 = 0,1} \cdots \sum_{x_n = 0,1} p_\varphi(z, x_2, \ldots, x_n)$
a problem: can't send $k_z$ for all $z \in \mathbb{F}_q$
solution: send the polynomial!
recall degree $d \le |\varphi|$

The actual protocol
input: $(\varphi, k)$
Prover sends $p_1(x) = \sum_{x_2, \ldots, x_n \in \{0,1\}} p_\varphi(x, x_2, \ldots, x_n)$
Verifier: $p_1(0) + p_1(1) = k$? pick random $z_1$ in $\mathbb{F}_q$; send $z_1$
Prover sends $p_2(x) = \sum_{x_3, \ldots, x_n \in \{0,1\}} p_\varphi(z_1, x, x_3, \ldots, x_n)$
Verifier: $p_2(0) + p_2(1) = p_1(z_1)$? pick random $z_2$ in $\mathbb{F}_q$; send $z_2$
Prover sends $p_3(x) = \sum_{x_4, \ldots, x_n \in \{0,1\}} p_\varphi(z_1, z_2, x, x_4, \ldots, x_n)$
Verifier: $p_3(0) + p_3(1) = p_2(z_2)$? pick random $z_3$ in $\mathbb{F}_q$
...
Prover sends $p_n(x)$
Verifier: $p_n(0) + p_n(1) = p_{n-1}(z_{n-1})$? pick random $z_n$ in $\mathbb{F}_q$; $p_n(z_n) = p_\varphi(z_1, z_2, \ldots, z_n)$?

Analysis of protocol
Completeness: if $(\varphi, k) \in L$ then honest prover on previous slide will always cause verifier to accept

Analysis of protocol
Soundness:
let $p_i(x)$ be the correct polynomials
let $p_i^*(x)$ be the polynomials sent by (cheating) prover
$(\varphi, k) \notin L \Rightarrow p_1(0) + p_1(1) \ne k$
either $p_1^*(0) + p_1^*(1) \ne k$ (and V rejects)
or $p_1^* \ne p_1 \Rightarrow \Pr_{z_1}[p_1^*(z_1) = p_1(z_1)] \le d/q \le |\varphi|/2^n$
assume $(p_{i+1}(0) + p_{i+1}(1) =)\ p_i(z_i) \ne p_i^*(z_i)$
either $p_{i+1}^*(0) + p_{i+1}^*(1) \ne p_i^*(z_i)$ (and V rejects)
or $p_{i+1}^* \ne p_{i+1} \Rightarrow \Pr_{z_{i+1}}[p_{i+1}^*(z_{i+1}) = p_{i+1}(z_{i+1})] \le |\varphi|/2^n$

Analysis of protocol
Soundness (continued):
if verifier does not reject, there must be some $i$ for which:
$p_i^* \ne p_i$ and yet $p_i^*(z_i) = p_i(z_i)$
for each $i$, probability is $\le |\varphi|/2^n$
union bound: probability that there exists an $i$ for which the bad event occurs is $\le n|\varphi|/2^n \le \text{poly}(n)/2^n \ll 1/3$
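An added example, not part of the original slides: the protocol above and its soundness argument, run on a small constructed CNF. The field modulus, the formula, the encoding of each $p_i$ by its values at 0..DEG, and all function names are assumptions of this sketch; `shifting_cheater` is one illustrative cheating strategy, not the general adversary.

```python
import itertools, random

Q = 2**61 - 1  # prime field size; the slides only require q prime > 2^n
# Constructed sample CNF, +i = x_i, -i = NOT x_i; it has exactly 3 satisfying assignments.
PHI = [(1, -2, 3), (-1, 3), (2, -3)]
N_VARS, DEG = 3, sum(len(c) for c in PHI)  # DEG bounds the degree of p_phi (d <= |phi|)

def p_phi(point):
    """Arithmetization: NOT -> 1 - p, OR -> 1 - prod(1 - p), AND -> product."""
    val = 1
    for clause in PHI:
        miss = 1  # product of (1 - literal value) over the clause
        for lit in clause:
            x = point[abs(lit) - 1]
            miss = miss * (1 - x if lit > 0 else x) % Q
        val = val * (1 - miss) % Q
    return val

def honest_prover(prefix, claim=None):
    """Honest p_i as values at t = 0..DEG: sum of p_phi(prefix, t, b) over boolean b."""
    tails = list(itertools.product((0, 1), repeat=N_VARS - len(prefix) - 1))
    return [sum(p_phi(prefix + [t, *b]) for b in tails) % Q for t in range(DEG + 1)]

def evaluate(values, z):
    """Lagrange-interpolate at z the polynomial taking these values at 0, 1, 2, ..."""
    total = 0
    for i, y in enumerate(values):
        num = den = 1
        for j in (j for j in range(len(values)) if j != i):
            num, den = num * (z - j) % Q, den * (i - j) % Q
        total = (total + y * num * pow(den, -1, Q)) % Q
    return total

def verify(k, prover, rng=random):
    """Verifier: prover(prefix, claim) returns p_i as DEG+1 values; True means accept."""
    claim, zs = k % Q, []
    for _ in range(N_VARS):
        p = prover(list(zs), claim)
        if len(p) != DEG + 1 or (p[0] + p[1]) % Q != claim:
            return False                 # p_i(0) + p_i(1) must equal the running claim
        zs.append(rng.randrange(Q))      # random field element z_i
        claim = evaluate(p, zs[-1])      # next claim is p_i(z_i)
    return claim == p_phi(zs)            # final check, done by the verifier itself

def shifting_cheater(prefix, claim):
    """Cheating prover: adds a constant to the honest p_i so that p*(0) + p*(1) = claim."""
    honest = honest_prover(prefix)
    shift = (claim - honest[0] - honest[1]) * pow(2, -1, Q) % Q
    return [(v + shift) % Q for v in honest]
```

`verify(3, honest_prover)` accepts; `verify(4, shifting_cheater)` passes every sum check but fails the final evaluation, because the sent polynomial differs from the correct one by a nonzero constant at every $z_i$.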

Analysis of protocol
Conclude: $L = \{(\varphi, k) : \text{CNF } \varphi \text{ has exactly } k \text{ satisfying assignments}\}$ is in IP
$L$ is coNP-hard, so $coNP \subseteq IP$
Question remains: $NP, coNP \subseteq IP$. Potentially larger. How much larger?

IP = PSPACE
Theorem (Shamir): $IP = PSPACE$
Note: $IP \subseteq PSPACE$: enumerate all possible interactions, explicitly calculate acceptance probability
interaction extremely powerful!
An implication: you can interact with master player of Generalized Geography and determine if she can win from the current configuration even if you do not have the power to compute optimal moves!