Zero Knowledge and Circuit Minimization

Eric AllenderRutgers University

Zero Knowledge and Circuit Minimization

Zero Knowledge and Circuit Minimization

Joint work with Bireswar Das

(IIT Gandinagar, DIMACS)

MFCS, Budapest, August 26, 2014

Eric Allender: Zero Knowledge and Circuit Minimization < 2 >

The Cook-Levin TheoremThe Cook-Levin Theorem

Arguably the most important theorem

in theoretical computer science.

…but what were they thinking?

SAT is NP-Complete


What they were thinking:What they were thinking:

The STOC deadline

is nearly here…



Looks like I wont be

able to prove a Graph

Isomorphism result in time…

So I’ll just submit this.



I refuse to publish a partial

result! I need to be

able to say something about

the Minimum Circuit Size

Problem…



…and Graph Isomorphism

too!

[Pemmaraju, Skiena]



…and Graph Isomorphism

too!Leonid,

Publish it!



OK…But only the 2-page version!


NP-Intermediate ProblemsNP-Intermediate Problems

Thus, as long as there has been a theory of NP-completeness, there have been two prominent candidates for “NP-Intermediate” status: in NP, but neither complete nor in P:

– Graph Isomorphism (GI)

– The Minimum Circuit Size Problem (MCSP) After 4 decades, they still cling to this status. …but is there any relationship between these

problems?


Graph IsomorphismGraph Isomorphism

GI = {(G,H) : the vertices of G can be permuted, to yield H}


MCSPMCSP

MCSP = {(x,i) : x is the truth table of a function with a circuit of size at most i}.

Why was Levin so interested in MCSP? In the USSR in the 70’s (and before) there

was great interest in problems requiring “perebor”, or “brute-force search”. For various reasons, MCSP was a focal point of this interest.


MCSPMCSP

MCSP = {(x,i) : x is the truth table of a function with a circuit of size at most i}.

Why was Levin so interested in MCSP? Yablonski [1959] proved a result that – to him

and his students – meant “MCSP requires perebor”. (This would imply P < NP.) By the late 1960’s Yablonski “attained influential positions [dealing with] coordination and control of math…a time of rapid degradation of the moral climate within the Soviet math community” [Trakhtenbrot].


GI and MCSPGI and MCSP

This historical digression has established: The questions of the complexity of GI and

MCSP are as old as the theory of computational complexity (or perhaps even older).

No relationship between the complexity of these problems had been established.

Let’s take care of that right now.


Today’s GoalToday’s Goal

Theorem 1: GI reduces to MCSP. More precisely: GI є RPMCSP.

Theorem 2: More generally: Every problem with a Statistical Zero Knowledge Proof reduces to MCSP. That is: SZK is contained in BPPMCSP.

We’ll follow a well-established path: All reductions to MCSP seem to make use of pseudorandom generators. [Kabanets, Cai] [A,Buhrman,Koucky,van Melkebeek, Ronneburger]


Pseudorandom GeneratorsPseudorandom Generators

For any efficient “test” T,

Prob[T accepts a random string of length n]

≈

Prob[T accepts a pseudorandom string of length n]

PseudoRandom bits b1,b2,…seed

G



[HILL]: Given a cryptographically-

secure one-way function f,

we can build a secure

pseudorandom generator Gf.

PseudoRandom bits b1,b2,…seedGf



[HILL]: If Gf is not secure,

then f is easy to invert.




[HILL]: If T is a test that accepts half of the

strings of length n, but accepts none of the

strings output by Gf,

then there is a probabilistic poly-time N such

that Probx[f(NT(f(x))) = f(x)] > 1/poly.




[HILL]: If T is a test that accepts half of the

strings of length n, but accepts none of the

strings output by Gfi,

then there is a probabilistic poly-time N such

that Probx[fi(NT(i,fi(x))) = x] > 1/poly.

PseudoRandom bits b1,b2,…seedGfi



The output of Gfi has small time-bounded K-complexity.





KT(x) ≈ Circuit.size(x).






Most x require very large circuits.






Most x require very large circuits.

MCSP gives us a great test T to distinguish random

and pseudorandom strings.




Specifically, the set

T = {x | Circuit.Size(x) >√|x|}

is computable relative to MCSP

and breaks all pseudorandom generators.




Specifically, the set

T = {x | Circuit.Size(x) >√|x|}

is computable relative to MCSP

and breaks all pseudorandom generators.

Thus Probx[fi(NMCSP(i,fi(x))) = f(x)] > 1/poly.




This idea was used before, to show:

Factoring is in ZPPMCSP

Discrete Log is in BPPMCSP

Closest Vector Problem is in BPPMCSP


We suspect that these are crypto-secure.


Reducing GI to MCSPReducing GI to MCSP

The main idea of the reduction is to follow this same approach, using a function that has never seemed like a good candidate for a one-way function.


Our Indexed Family of FunctionsOur Indexed Family of Functions

Given graph H and permutation π, let fH(π) = π(H).

To find out if G and H are isomorphic:

– Pick a random permutation π.

– Run NMCSP(H, π(G)) and obtain output β.

– Accept if π(G) = β(H). If G and H are isomorphic, this accepts with

probability 1/poly(n). QED!


Zero KnowledgeZero Knowledge

The Graph Isomorphism problem was one of the first few problems known to have a Zero Knowledge Interactive Proof.


Zero KnowledgeZero Knowledge

The Graph Isomorphism problem was one of the first few problems known to have a Zero Knowledge Interactive Proof.

NPcoNP

SZKGI

MCSP


Some facts about SZKSome facts about SZK

SZK is contained in NP/poly ∩ coNP/poly. There are complete problems for SZK. …but in order to introduce these complete

problems, we need to talk about “promise problems”.


Promise ProblemsPromise Problems

Ordinary decision problems.

Yes No


Promise ProblemsPromise Problems

Ordinary decision problems.

Yes No

Promise Problems.

Yes Don’t Care No


Statistical DifferenceStatistical Difference

The “standard” complete promise problem for SZK is Statistical Difference (SD).

The inputs to SD are pairs of circuits (C,D); we view the circuits as representing probability distributions, where ProbC(y) is the probability, over x chosen uniformly at random, that C(x)=y.

The Yes Instances of SD are (C,D) such that these probability distributions are quite close.

The No Instances of SD are (C,D) where the distributions are far apart.


Image Intersection DensityImage Intersection Density

We will actually use a restricted version of SD, called Image Intersection Density (IID). The Yes instances look the same as in SD.

The No instances are pairs (C,D) such that, with probability exponentially close to 1 (over randomly chosen x) C(x) is not in the image of D.

IID was shown by [Ben-Or, Gutfreund] to be complete for a subclass of SZK, which was subsequently shown to coincide with SZK [Chailloux, Ciodan, Kerenidis, Vadhan].


Reducing SZK to MCSPReducing SZK to MCSP

For any circuit C, let FC(x) = C(x). These are the “one-way functions” that we’ll try to invert, with MCSP as an oracle.

Given a pair (C,D), repeat the following K times:

– Pick x at random, and compute y=C(x).

– Run NMCSP(D, y) and obtain output z.

– Accept if D(z) = y. On Yes instances, we expect K/poly

acceptances,








acceptances, on No instances we expect K/2n.








acceptances, on No instances we expect K/2n.

QED


How hard is MCSP?How hard is MCSP?


How hard is MCSP?How hard is MCSP?

[Kabanets, Cai] showed that if MCSP were NP-complete under “natural” ≤m reductions, then BPP=P.

This is not evidence against being NP-complete, but it is evidence that it might be hard to prove.

Vinodchandran considered SNCMP (like MCSP but for “strong nondeterministic circuits”); it will be a breakthrough if GI reduces to SNCMP under “natural” reductions.

…but our argument provides an RP-reduction!


Open QuestionsOpen Questions

Is GI in ZPPMCSP? …or in PMCSP? …or is MCSP NP-hard, perhaps under P/poly

reductions?

– Note in this regard, that the “Minimum QBF Circuit Size Problem” is complete for PSPACE under P/poly reductions, and analogous results hold for other classes.


Open QuestionsOpen Questions

Or is there a promise problem related to MCSP that is complete for SZK?

Consider the promise problem that has:

– Yes instances: {x | Circuit.Size(x) >√|x|}

– No instances: {x | Circuit.Size(x) <|x|1/4} Can this problem be in SZK? Or in some

other “nearby” class?


Thank you!Thank you!

Documents

Zero Knowledge and Circuit Minimization