Derandomization


Computational Complexity, by Fu Yuxi

In the early 1980's, Yao demonstrated how one way functions can be used to construct pseudorandom generators, which suffice for partial derandomization of BPP, i.e. $\mathrm{BPP} \subseteq \bigcap_{\epsilon>0} \mathrm{TIME}(2^{n^{\epsilon}})$.

1. A. Shamir. On the Generation of Cryptographically Strong Pseudorandom Sequences. ICALP, 1981.
2. M. Blum and S. Micali. How to Generate Cryptographically Strong Sequences of Pseudorandom Bits. SIAM J. Computing, 1984.
3. Q. Yao. Theory and Applications of Trapdoor Functions. FOCS, 1982.

Since the late 1980's researchers have looked for non-cryptographic assumptions for derandomization.

• There is a hard function whose inverse is easy.
• There is a hard function in EXP or E.

Synopsis

1. Derandomization Using Pseudorandom Generator
2. Hardness-Randomness Tradeoff
3. Derandomization Implies Circuit Lower Bound
4. Randomness vs Time

Derandomization Using Pseudorandom Generator

The strings produced by a generator must look pseudorandom to a class of distinguishers. There are several issues.

1. Quality of generator
   • stretch function
   • distinguisher's computing power
   • error bound (constant or reciprocal of polynomial)
2. Price of generator
   • seed length
   • running time

Pseudorandom generators used in cryptography are required to be P-time computable. In the present setting we drop this requirement since it is not necessary for the purpose of derandomization.

Pseudorandomness

A distribution $Y$ over $\{0,1\}^m$ is $(S, \epsilon)$-pseudorandom, where $S \in \mathbb{N}$ and $\epsilon > 0$, if for every circuit $C$ with $|C| \le S$ it holds that

$$\left|\Pr[C(Y) = 1] - \Pr[C(U_m) = 1]\right| < \epsilon.$$

We require that distinguishers are nonuniform.

Pseudorandom Generator

Suppose $\ell : \mathbb{N} \to \mathbb{N}$ is P-time computable and $S : \mathbb{N} \to \mathbb{N}$ is time constructible and nondecreasing. We call a function family

$$G = \left\{ G_n : \{0,1\}^{\ell(n)} \to \{0,1\}^{S(\ell(n))} \right\}_{n \in \mathbb{N}}$$

an $S(\ell)$-pseudorandom generator if the distribution $G_n(U_{\ell(n)})$ is $(S(\ell(n))^3, \frac{1}{10})$-pseudorandom for all input size $n$.

• $\ell$ computes seed length from input size.
• $S$ is the stretch function.
• $S(\ell)$ is the computation bound, dominated by $2^{O(\ell)}$.
• $S(\ell)^3$ is the circuit size bound, dominated by $2^{O(\ell)}$.
• $G$ is supposed to be computable in $2^{O(\ell)}$ time.

Theorem. Suppose an $S(\ell)$-pseudorandom generator exists. Then

$$\mathrm{BPTIME}(S(\ell(n))) \subseteq \mathrm{TIME}(2^{O(\ell(n))}).$$

Let $L \in \mathrm{BPTIME}(S(\ell(n)))$ be accepted by PTM $A$. For each $n$,

$$\Pr_{r \in_R \{0,1\}^{S(\ell(n))}}[A(x, r) = L(x)] \ge 2/3.$$

$B(x)$ simulates $A(x)$ using pseudorandom strings in $G(\{0,1\}^{\ell(n)})$.

Suppose $\Pr[A(x, G(r)) = L(x)] \le \frac{2}{3} - \frac{1}{10}$ for infinitely many $x$'s. Use Cook-Levin reduction to construct a distinguisher circuit computing $r \mapsto A(x, r)$ with $x$ hard-wired. [nonuniformity here]

The size of the circuit is bounded by $O(S(\ell(n))^2)$. Contradiction.

An algorithm is superpolynomial if it runs in $O(n^{\omega(1)})$ time. An algorithm is subpolynomial if it runs in $O(n^{o(1)})$ time.

• $\mathrm{QuasiP} = \mathrm{TIME}(2^{\mathrm{polylog}(n)})$.
• $\mathrm{SUBEXP} = \bigcap_{c>0} \mathrm{TIME}(2^{n^{c}})$.

Corollary.

1. If there is a $2^{c\ell}$-pseudorandom generator for some $c > 0$, then $\mathrm{BPP} = \mathrm{P}$.
2. If there is a $2^{\ell^{c}}$-pseudorandom generator for some $c > 0$, then $\mathrm{BPP} \subseteq \mathrm{QuasiP}$.
3. If for every $c > 1$ there is an $\ell^{c}$-pseudorandom generator, then $\mathrm{BPP} \subseteq \mathrm{SUBEXP}$.

Suppose the PTM we want to derandomize runs in $n^d$ time.

• $S(\ell) = 2^{c\ell}$ and $\ell(n) = \frac{d}{c}\log(n)$.
• $S(\ell) = 2^{\ell^{c}}$ and $\ell(n) = (d \log(n))^{1/c}$. [$c$ can be very close to 0]
• $S(\ell) = \ell^{c}$ and $\ell(n) = n^{d/c}$ for every $c > 1$.

Hardness-Randomness Tradeoff

Hardness-Randomness Tradeoffs, that computational hardness can be used as a source of computational randomness, are evidence that BPP can be derandomized.

1. N. Nisan and A. Wigderson. Hardness vs Randomness. FOCS 1988. JCSS 1994.
2. N. Nisan. Pseudorandom Bits for Constant Depth Circuits. Combinatorica, 1991.
3. L. Babai, L. Fortnow, N. Nisan and A. Wigderson. BPP has Subexponential Time Simulations Unless EXPTIME has Publishable Proofs. Complexity Theory, 1993.
4. R. Impagliazzo and A. Wigderson. BPP=P Unless E has Subexponential Circuits, Derandomizing the XOR Lemma. STOC 1997.

"Informally speaking, a pseudorandom generator is an easy to compute function which converts a few random bits to many pseudorandom bits that look random to any small circuit."
Nisan and Wigderson, 1994

A pseudorandom generator $G : \{0,1\}^{\ell} \to \{0,1\}^{S(\ell)}$ produces an $S(\ell)$-bit string from an $\ell$-bit string such that no $S(\ell)$-size circuit $C$ can distinguish the distributions $G(U_{\ell})$, $U_{S(\ell)}$ with probability $\frac{1}{S(\ell)}$.

• The function $G$ is computable in $2^{O(\ell)}$.
• We want $\ell$ to be as small as possible. Ideally $\ell = O(\log S)$.

We will derive a pseudorandom generator $G : \{0,1\}^{\ell} \to \{0,1\}^{S(\ell)}$ from a Boolean function $f$ whose average case hardness is $S(\ell)$.

Nisan-Wigderson Theorem

Theorem. If some $f \in \mathrm{E}$ exists such that $\forall n.\ H_{avg}(f)(n) \ge S(n)$, then there is an $S'(\ell)$-pseudorandom generator, where $S'(\ell) = S(n)^{\delta}$ for some $\delta > 0$ and $n$ satisfies $n \ge \delta\sqrt{\ell \log S(n)}$.

N. Nisan and A. Wigderson.
• Hardness vs Randomness. FOCS 1988. JCSS 1994.

Yao's Theorem. Let $Y$ be a distribution over $\{0,1\}^m$. Suppose $S > 10n$ and $\epsilon > 0$ and the following holds: For every circuit $C$ of size at most $2S$ and every $i \in [m]$,

$$\Pr[C(r_1, \ldots, r_{i-1}) = r_i] - \frac{1}{2} < \frac{\epsilon}{m}.$$

Then $Y$ is $(S, \epsilon)$-pseudorandom.

• Theory and Applications of Trapdoor Functions. FOCS 1982.

Proof of Yao's Theorem

Suppose $Y$ is not $(S, \epsilon)$-pseudorandom. Wlog, we may assume that there is a circuit $C$ of size $S$ such that

$$\Pr[C(Y) = 1] - \Pr[C(U_m) = 1] \ge \epsilon. \qquad (1)$$

For $i \in [m]$, the hybrid distribution $Y_i$ is defined in terms of $Y$ and $U_m$ in the standard way. Notice that $Y_0 = U_m$ and $Y_m = Y$.

• $p_i \overset{\mathrm{def}}{=} \Pr[C(Y_i) = 1]$. By (1), $\sum_{i=1}^{m} (p_i - p_{i-1}) = p_m - p_0 \ge \epsilon$.
• $p_i - p_{i-1} \ge \epsilon/m$ for some $i \in [m]$ by averaging argument.

Now design a random circuit $D$ as follows:

1. Input $y_1, \ldots, y_{i-1}$;
2. Generate independent $r_i, \ldots, r_m \in_R \{0,1\}$;
3. If $C(y_1, \ldots, y_{i-1}, r_i, \ldots, r_m) = 1$ then $r_i$ else $1 - r_i$.

The probability that $D(y_1, \ldots, y_{i-1}) = y_i$ is

$$\frac{1}{2} \cdot \Pr[C = 1 \mid y_i = r_i] + \frac{1}{2} \cdot \Pr[C = 0 \mid y_i = 1 - r_i],$$

where $C$ abbreviates $C(y_1, \ldots, y_{i-1}, r_i, \ldots, r_m)$.

$\Pr[C = 1 \mid y_i = r_i] = p_i$. On the other hand,

$$p_{i-1} = \Pr[C = 1] = \Pr[C = 1 \mid y_i = r_i]/2 + \Pr[C = 1 \mid y_i = 1 - r_i]/2 = p_i/2 + (1 - \Pr[C = 0 \mid y_i = 1 - r_i])/2.$$

Conclude that $\Pr[D(y_1, \ldots, y_{i-1}) = y_i] \ge 1/2 + \epsilon/m$.

By averaging argument, we get a deterministic circuit $D'$ by fixing some $r_i, \ldots, r_m$ while preserving the bias. Clearly $|D'| \le 2S$.

Nisan-Wigderson Construction: Extending One Bit

Lemma. Suppose that there exists $f \in \mathrm{E}$ with $H_{avg}(f) \ge n^4$. Then there exists an $S(\ell)$-pseudorandom generator $G$ for $S(\ell) = \ell + 1$.

For $z \in \{0,1\}^{\ell}$ set the $(\ell + 1)$-generator $G$ by $G(z) = z \circ f(z)$. Clearly $S(|z|) = \ell + 1 = |G(z)|$.

By Yao's Theorem we only have to prove that there do not exist a circuit $C$ of size $\le 2(\ell + 1)^3 < \ell^4$ and an $i \in [\ell + 1]$ such that

$$\Pr_{r = G(U_{\ell})}[C(r_1, \ldots, r_{i-1}) = r_i] > \frac{1}{2} + \frac{1}{\ell + 1} \cdot \frac{1}{10}. \qquad (2)$$

The inequality (2) fails for $i \in [\ell]$. If $i = \ell + 1$, the inequality (2) contradicts the assumption $H_{avg}(f) \ge n^4$ since $10(\ell + 1) < \ell^4$.

Nisan-Wigderson Construction: Extending Two Bits

Lemma. Suppose that there exists $f \in \mathrm{E}$ with $H_{avg}(f) \ge n^4$. Then there exists an $S(\ell)$-pseudorandom generator $G$ for $S(\ell) = \ell + 2$.

$$G(z) = z_1 \cdots z_{\ell/2} \circ f(z_1, \ldots, z_{\ell/2}) \circ z_{\ell/2+1} \cdots z_{\ell} \circ f(z_{\ell/2+1}, \ldots, z_{\ell}).$$

1. The inequality (2) cannot hold for $i \in [\ell + 1]$.
2. In the case $i = \ell + 2$, the inequality (2) becomes

$$\Pr_{r, r' \in_R \{0,1\}^{\ell/2}}[C(r \circ f(r) \circ r') = f(r')] > \frac{1}{2} + \frac{1}{\ell + 2} \cdot \frac{1}{10}.$$

By averaging principle, there is some $r$ such that the above inequality holds for probability over $r' \in_R \{0,1\}^{\ell/2}$. Now hardwire the bits $r \circ f(r)$ to $C$. We obtain a circuit of size $\le 2(\ell + 2)^3 < (\ell/2)^4$ that would lead to contradiction.

Nisan-Wigderson Construction: NW Generator

Let $f : \{0,1\}^n \to \{0,1\}$. Let $I = \{I_1, \ldots, I_m\}$ be a family of subsets of $[\ell]$ with $\forall j.\ |I_j| = n$.
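
The predictor construction in the proof of Yao's Theorem above can be checked exactly on a small case. The following Python is an added example, not part of the original slides: it computes the hybrid probabilities p_i and the success probability of the randomized circuit D by exhaustive enumeration. The toy generator G(z) = z || maj(z) on 3-bit seeds and the distinguisher are constructed for illustration; majority is easy to compute, so this G is deliberately not pseudorandom.

```python
from fractions import Fraction
from itertools import product


def uniform_bits(k):
    """All k-bit tuples, each paired with its probability 2^-k."""
    w = Fraction(1, 2 ** k)
    return [(t, w) for t in product((0, 1), repeat=k)]


def hybrid_accept_prob(C, Y, i, m):
    """p_i = Pr[C(Y_i) = 1]; Y_i takes bits 1..i from Y and bits i+1..m
    uniformly at random, so Y_0 = U_m and Y_m = Y."""
    return sum(p * w
               for y, p in Y.items()
               for tail, w in uniform_bits(m - i)
               if C(y[:i] + tail) == 1)


def predictor_success(C, Y, i, m):
    """Exact Pr[D(y_1..y_{i-1}) = y_i] for the randomized circuit D of the
    proof: draw r_i..r_m, output r_i if C accepts and 1 - r_i otherwise."""
    total = Fraction(0)
    for y, p in Y.items():
        for r, w in uniform_bits(m - i + 1):      # r = (r_i, ..., r_m)
            guess = r[0] if C(y[:i - 1] + r) == 1 else 1 - r[0]
            if guess == y[i - 1]:
                total += p * w
    return total


def best_hybrid_step(C, Y, m):
    """Averaging step: the index i with the largest gap p_i - p_{i-1}."""
    p = [hybrid_accept_prob(C, Y, i, m) for i in range(m + 1)]
    i = max(range(1, m + 1), key=lambda j: p[j] - p[j - 1])
    return i, p[i] - p[i - 1]


# ---- constructed sample input (illustration only) ----
def maj3(z):
    """Majority of three bits."""
    return int(sum(z) >= 2)


def toy_generator_output():
    """Distribution of G(z) = z || maj(z) over uniform 3-bit seeds z."""
    return {z + (maj3(z),): Fraction(1, 8)
            for z in product((0, 1), repeat=3)}


def weak_distinguisher(y):
    """C(y) = 1 iff the appended bit equals the first seed bit."""
    return int(y[3] == y[0])


def demo():
    m, Y, C = 4, toy_generator_output(), weak_distinguisher
    # Distinguishing advantage p_m - p_0, i.e. the left side of (1).
    eps = hybrid_accept_prob(C, Y, m, m) - hybrid_accept_prob(C, Y, 0, m)
    i, gap = best_hybrid_step(C, Y, m)
    return eps, i, gap, predictor_success(C, Y, i, m)


if __name__ == "__main__":
    eps, i, gap, succ = demo()
    print(f"advantage={eps}, predictable bit i={i}, gap={gap}, Pr[D = y_i]={succ}")
```

On this input the only nonzero hybrid gap is at the appended bit, and the predictor's success probability equals 1/2 + (p_i - p_{i-1}) exactly, which is the identity the proof derives before bounding it by 1/2 + ε/m.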