Limits of Minimum Circuit Size Problem as Oracle Shuichi Hirahara ( The University of Tokyo ) Osamu Watanabe ( Tokyo Institute of Technology ) CCC 2016/05/30
Minimum Circuit Size Problem (MCSP) Input Output • Truth table 𝑈 ∈ 0,1 2 𝑜 Decide if ∃ circuit of size ≤ 𝑡 whose truth table is 𝑈 . • Size parameter 𝑡 ∈ ℕ ∨ 𝒚 𝟐 𝒚 𝟑 𝒚 𝟐 xor 𝒚 𝟑 0 0 0 ∧ ∧ 0 1 1 1 0 1 ¬ ¬ 1 1 0 𝑦 1 𝑦 2 Easy to see that MCSP ∈ NP. Question: Is MCSP NP-complete?
Importance of MCSP [Kabanets & Cai (2000)] EXP NP ⊄ P/poly MCSP ∈ P coNP NP P
Importance of MCSP [Kabanets & Cai (2000)] EXP NP ⊄ P/poly MCSP ∈ P [ABKvMR06] MA = NP MCSP ∈ coNP Few evidences coNP NP Q. NP ≤ MCSP ? P P or ≤ 𝑈 BPP ≤ 𝑈
Importance of MCSP [Kabanets & Cai (2000)] EXP NP ⊄ P/poly MCSP ∈ P Oracle-independent [ABKvMR06] MA = NP MCSP ∈ coNP reductions Our Main Contributions Provide strong evidences that “current reduction techniques” Few evidences 𝑞 nor ≤ 𝑛 BPP ). cannot establish NP-hardness of MCSP (under ≤ 𝑈 coNP NP Q. NP ≤ MCSP ? P P or ≤ 𝑈 BPP ≤ 𝑈
Today’s Agenda 1. Background 2. Oracle-independent Reductions • Why are current reductions oracle-independent? 3. Our Results • Limits of oracle-independent reductions • Hardness of MCSP implies separations 4. Conclusions
Today’s Agenda 1. Background 2. Oracle-independent Reductions • Why are current reductions oracle-independent? 3. Our Results • Limits of oracle-independent reductions • Hardness of MCSP implies separations 4. Conclusions
Two Sides on Hardness of MCSP General reductions [Allender & Das (2014)] • MCSP is SZK-hard under BPP-Turing reductions BPP ≤ 𝑈 Hardness under general reductions Difficulty of proving hardness under restricted reductions [Murry & Williams (2015)] 𝑞 . 𝑞 ≤ 𝑛 • Difficult to prove its NP-hardness under ≤ 𝑛 Restricted reductions
Background: Hardness of MCSP [Allender, Buhrman, Koucký, van Melkebeek and Ronneburger (2006)] • Integer factorization is in ZPP MCSP . • Discrete logarithm is in BPP MCSP . Discrete log coNP NP Integer Factorization Harder than P NP-intermediate problems
Background: Hardness of MCSP [Allender & Das (2014)] • Statistical Zero Knowledge (SZK) is included in BPP MCSP . Discrete log coNP NP Integer Factorization P MCSP is SZK -hard SZK
Difficulty of Proving Hardness of MCSP An extension of [Murray & Williams (CCC 2015)] [Kabanets & Cai (2000)] 𝑞 MCSP ⟹ ZPP ≠ EXP . • NP ≤ 𝑛 Proving NP-hardness is at least as difficult as proving ZPP ≠ EXP .
Two Sides on Hardness of MCSP General reductions [Allender & Das (2014)] • MCSP is SZK-hard under BPP-Turing reductions BPP ≤ 𝑈 Hardness Our Results BPP ≤ 𝑛 under 1. Showing inherent limits of “current reduction general reductions 𝑞 and ≤ 𝑛 Difficulty of proving BPP ) techniques” (for ≤ 𝑈 𝑞 ≤ 𝑈 hardness under 𝑞 and ≤ 𝑈 𝑞 2. Extending Murray & Williams results to ≤ 𝑢𝑢 restricted reductions 𝑞 ≤ 𝑢𝑢 [Murry & Williams (2015)] 𝑞 . 𝑞 ≤ 𝑛 • Difficult to prove its NP-hardness under ≤ 𝑛 Restricted reductions
Today’s Agenda 1. Background 2. Oracle-independent Reductions • Why are current reductions oracle-independent? 3. Our Results • Limits of oracle-independent reductions • Hardness of MCSP implies separations 4. Conclusions
Strategy : “Relativize” [Allender & Das (2014)] SZK ⊆ BPP MCSP The reduction can be generalized to a reduction to MCSP 𝐵 for all oracle 𝐵. BPP MCSP 𝐵 SZK ⊆ 𝐵 oracle- independent
Minimum Oracle Circuit Size Problem • Let 𝐵 ∶ 0, 1 ∗ → 0,1 be an arbitrary oracle. Def (Minimum 𝑩 -Oracle Circuit Size Problem; 𝐍𝐃𝐓𝐐 𝑩 ) Input: Truth table 𝑈 ∈ 0, 1 2 𝑜 and size parameter 𝑡 ∈ ℕ Output: Does there exists an 𝐵 -oracle circuit of size ≤ 𝑡 whose truth table is 𝑈 ? 𝐵 𝑦 1 , … , 𝑦 4 ∨ ∧ ¬ In addition to gates, 𝐵 𝐵 -oracle gates can be used. 𝐵 𝑦 1 𝑦 2 𝑦 3 𝑦 4 Remark: MCSP is not necessarily reducible to MCSP 𝐵
Oracle-independent Reductions Def (Oracle-independent Reductions) A reduction to MCSP is oracle-independent if the reduction can be generalized to a reduction to MCSP 𝐵 for any oracle 𝐵 . Idea: The reduction relies on common properties of MCSP 𝐵 for all 𝐵 (instead of a non-relativizing property of MCSP ) For example: 𝑀 reduces to MCSP via an oracle-independent P-Turing reduction def 𝑀 ∈ P MCSP 𝐵 for any oracle 𝐵 . ⟺ P MCSP 𝐵 . ⟺ 𝑀 ∈ 𝐵
Relativization vs. Oracle-independent [Ko (1991)] There exists an oracle 𝐵 such that NP 𝐵 ⊈ P MCSP 𝐵 , 𝐵 . (MCSP is not NP-hard relative to 𝐵 ) A specific oracle 𝐵 All oracles 𝐵 Instead, we will show Do not allow direct access to 𝐵 P MCSP 𝐵 , 𝐵 NP ⊈ unless P = NP . 𝐵
Known Reductions Are Oracle-independent • The reduction of [Allender & Das (2014)] is oracle-independent: BPP MCSP 𝐵 SZK ⊆ Let’s look 𝐵 at it. • Other reductions are also oracle-independent: [Kabanets & Cai (2000)] ZPP MCSP 𝐵 BPP ⊆ 𝐵 [Allender, Grochow & Moore (2015)] ZPP MCSP 𝐵 Rigid GI ∈ 𝐵
Review of SZK -hardness Claim: SZK ⊆ BPP MCSP [Allender & Das (2014)] Important Observation PRGs can be broken with oracle access to MCSP. ⟹ [Hastad, Impagliazzo, Levin & Luby (1999)] Any one-way function can be inverted. ⟹ [Allender & Das (2014)] SZK can be solved in polynomial time.
Breaking PRGs Using MCSP Important Observation PRGs can be broken with oracle access to MCSP. ← small circuit complexity Pseudorandom distribution 𝐻 𝑉 𝑛 • 𝐻 𝑉 𝑛 can be efficiently computed (by the definition of PRGs). ← high circuit complexity Uniform distribution 𝑉 2 𝑜 • Uniformly chosen strings require high circuit complexity (by a counting argument).
Breaking PRGs Using MCSP 𝐵 Important Observation PRGs can be broken with oracle access to MCSP 𝐵 . ← small circuit complexity Pseudorandom distribution 𝐻 𝑉 𝑛 Remains true even • 𝐻 𝑉 𝑛 can be efficiently computed (by the definition of PRGs). if 𝐵 -oracle gates can be used. ← high circuit complexity Uniform distribution 𝑉 2 𝑜 • Uniformly chosen strings require high circuit complexity (by a counting argument). A similar counting arguments can be applied.
Breaking PRGs Using MCSP 𝐵 Important Observation PRGs can be broken with oracle access to MCSP 𝐵 . ← small circuit complexity Pseudorandom distribution 𝐻 𝑉 𝑛 Corollary [Allender & Das (2014)] Remains true even • 𝐻 𝑉 𝑛 can be efficiently computed (by the definition of PRGs). if 𝐵 -oracle gates can BPP MCSP 𝐵 . be used. SZK ⊆ ← high circuit complexity Uniform distribution 𝑉 2 𝑜 𝐵 • Uniformly chosen strings require high circuit complexity (by a counting argument). A similar counting arguments can be applied.
Why Are Current Techniques Oracle-independent? • For upper bounds: Pseudorandom distribution 𝐻 𝑉 𝑛 Adding 𝐵 -oracle gates does not increase the circuit complexity. • For lower bounds: Uniform distribution 𝑉 2 𝑜 We know very few lower bounds for general circuits. ⟹ We are prone to rely on counting arguments. ⟹ Counting arguments can be generalized to 𝐵 -oracle circuits. This is “weakness” of current reduction techniques.
Today’s Agenda 1. Background 2. Oracle-independent Reductions • Why are current reductions oracle-independent? 3. Our Results • Limits of oracle-independent reductions • Hardness of MCSP implies separations 4. Conclusions
Our Results (1/2) Theorem 1. (Limit of Oracle-independent P-Reductions) If 𝑀 reduces to MCSP via an oracle-independent polynomial- time Turing reduction, then 𝑀 ∈ P. (In other words) If 𝑀 ∈ P MCSP 𝐵 for any oracle 𝐵 , then 𝑀 ∈ P . ⟺ P MCSP 𝐵 = P. ⟺ 𝐵 • In particular, MCSP is not NP -hard under such reductions (unless P = NP ) . • This captures the limits of current reduction techniques. No (nontrivial) deterministic reduction to MCSP is known.
Our Results (2/2) Theorem 2. (Limit of Oracle-independent BPP-Reductions) If 𝑀 reduces to MCSP via an oracle-independent one-query BPP-Turing reduction ( with negligible error probability ), then 𝑀 ∈ AM ∩ coAM. BPP MCSP 𝐵 [1] ⊆ AM ∩ coAM. In short, 𝐵 MCSP is not NP -hard under such randomized reductions (unless polynomial hierarchy collapses).
Theorem 1. (Limit of P-Reductions) Proof Sketch of P MCSP 𝐵 = P. 𝐵 Step 1. Swap the order of quantifiers. ∀𝐵, ∃𝑁, 𝑁 MCSP 𝐵 𝑦 = 𝑀 𝑦 The theorem says: ⟹ 𝑀 ∈ P . However, it is sufficient to prove: Lemma. ∃𝑁, ∀𝐵, 𝑁 MCSP 𝐵 𝑦 = 𝑀 𝑦 ⟹ 𝑀 ∈ P (Proof of Lemma ⟹ Theorem) A simple diagonalization argument. (omitted)
Recommend
More recommend
