On Interactive Proofs with a Laconic Prover

Total Page:16

File Type:pdf, Size:1020Kb

On Interactive Proofs with a Laconic Prover ON INTERACTIVE PROOFS WITH A LACONIC PROVER Oded Goldreich Salil Vadhan and Avi Wigderson Abstract We continue the investigation of interactive pro ofs with b ounded communication as initiated by Goldreich and Hastad IPL Let L be a language that has an interactive pro of in which the prover sends few say b bits to the verier We prove that the com plement L has a constantround interactive pro of of complexity that dep ends only exp onentially on b This provides the rst evidence that for NPcomplete languages we cannot exp ect interactive provers to b e much more laconic than the standard NP pro of When the pro of system is further restricted eg when b or when we have p erfect completeness we get signicantly b etter upp er b ounds on the complex ityofL Keywords Interactive Pro of systems ArthurMerlin games NP sam pling proto cols statistical zeroknowledge game theory Sub ject classication Q Q Q A Intro duction Interactive pro of systems were intro duce by Goldwasser Micali and Rack o GMR in order to capture the most general way in which one party can eciently verify claims made by another more powerful party That is interactive pro of systems are twoparty randomized proto cols through which a computationally unbounded prover can convince a probabilistic p olynomial time verier of the memb ership of a common input in a predetermined lan guage Thus interactive pro of systems generalize and contain as a sp ecial case the traditional NPpro of systems in which verication is deterministic and noninteractive It is wellknown that this generalization buys us a lot The IP Characteriza tion Theorem of Lund Fortnow Karlo Nisan and Shamir LFKN Sha ArthurMerlin games intro duced by Babai Bab are a sp ecial typ e of interactive pro ofs in which the verier is restricted to send the outcome of eachcoinittosses Suchproof systems are also called public coin and are known to b e as expressive as general interactive pro ofs GS Wewarn that the latter assertion refers to the entire class but not to rened complexity measures such as the total number of bits sentby the prover considered b elow Goldreich Vadhan Wigderson states that every language in PSPACE has an interactive pro of system and it is easy to see that only languages in PSPACE haveinteractive pro of systems It is wellknown that the strong expressive power of interactive pro ofs is largely due to the presence of interaction In particular interactive pro ofs in which a single message is sent like in NPpro ofs yield a complexity class known as MA that seems very close to NP It is interesting to explore what happ ens between these extremes of unb ounded interaction and no interaction That is what is the expressive power of interactive proofs that utilize a bounded but nonzero amount of interaction Prior work regarding interactive pro ofs with b ounded interac tion Interactive Pro ofs with Few Messages The earliest investigations of the ab ove question examined the message complexity of interactive pro ofs ie the number of messages exchanged Sometimes we refer to rounds which are a pair of verierprover messages The Sp eedup Theorem of Babai and Moran BM together with GS shows that the number of messages in an interactive pro of can be always reduced by a constant factor provided the numb er of messages remains at least On the other hand there is a large gap between constantround interactive pro ofs and unrestricted interactive pro ofs As mentioned ab ove all of PSPACE has a general interactive pro of LFKN Sha In contrast the class AM of problems with constantround interactive pro ofs is b elieved to be relatively close to NP Sp ecically AM lies in the second level of the p olynomialtime hierarchy BM cannot contain coNP unless the p olynomialtime hierarchy collapses BHZ and actually equals NP under plausible circuit complexity assumptions AK KvM MV Laconic Provers A more rened investigation of the ab ove question was initiated by Goldreich and Hastad GH who gave b ounds on the complex ity of languages p ossessing interactive pro ofs with various restrictions on the number of bits of communication andor randomness used One of the re strictions they considered and the main fo cus of our investigation limits the number of bits sent from the prover to the verier by some bound b That is what languages can b e proven by laconic provers Since the prover is trying to convey something to the verier this seems to b e the most interesting direction of communication Moreover for applications of interactive pro ofs eg in cryptographic proto cols it mo dels the common On Interactive Pro ofs with a Laconic Prover situation in which communication is more exp ensive in one direction eg if the prover is a handheld wireless device On one hand we know of interactive pro ofs for several hard problems eg Quadratic Nonresiduosity GMR Graph Nonisomorphism GMW and others GKGG SV in which the communication from the prover to the verier is severely b ounded in fact to one bit On the other hand NP laconic provers exist only for problems in BPP resp BPP in case the pro of system is of the publiccoin typ e GH Furthermore it was conjec tured that NPcomplete problems cannot have general interactive pro ofs with laconic provers but the results in GH fall short of supp orting this conjec ture In this work we provide strong supp ort for this conjecture New results regarding interactive pro ofs with b ounded interac tion Our main fo cus is on laconic provers that is on interactive pro ofs in which the total number of bits sent by the prover is b ounded Laconic Provers Consider interactive pro ofs in which the prover sends at most b bn bits to the verier on inputs of length n Goldreich and NP Hastad GH Thm placed such languages in BPTIMET where polyb T p olyn which clearly implies nothing for languages in NP In contrast weshow that the complements of such languages have constantround interactive pro ofs of complexity T ie the veriers computation time and the total communication is bounded by T In particular NPcomplete problems cannot have interactive pro ofs in which the prover sends p olylogarithmically many bits to the verier unless coNP is in the quasip olynomial analogue of AM In fact assuming NP has constantround interactive pro ofs with logarithmic provertoverier communication we conclude coNP AM As mentioned ab ove this is highly unlikely We obtain stronger results in two sp ecial cases We show that if a language has an interactive pro of of p erfect complete ness ie zero error probability on yes instances in which the prover sends at most bn bits then it is in coNTIMET where T n bn p olyn Thus unless NP coNP NPcomplete languages can not have interactive pro of systems of p erfect completeness in which the prover sends logarithmically many bits We show that if a language has an interactive pro of in which the prover sends a single bit with some restrictions on the error probabilities then it has a statistical zeroknowledge interactive pro of that is is in the Goldreich Vadhan Wigderson class SZK This is a stronger conclusion than our main result b ecause SZK AM coAM as shown by Fortnow For and Aiello and Hastad AH Recalling that Sahai and Vadhan SV showed that any language in SZK has an interactive pro of in which the prover sends a single bit we obtain a surprising equivalence b etween these two classes Interactive Pro ofs with Few Messages We obtain one apparently new result regarding message complexity A question that is left op en by the re sults mentioned earlier is what happ ens in between constant rounds and p olynomially many rounds Phrased dierently can the Sp eedup Theorem of Babai and Moran be improved to show that mnmessage interactive pro ofs can be emulated by and hence are no more p owerful than m nmessage in teractive pro ofs for some m om By combining careful parameterizations of LFKN Sha and BM we observethatsuchanimprovementspeedup is unlikely More precisely for every nice function m we show that there is a language which has an mnmessage interactive pro of but not an omn message one provided that SAT is not contained in the subexp onential ana logue of coAM Additional related work We note that GoldreichandHastad GH have presented signicantly stronger results regarding interactive pro ofs with laconic provers when further restrictions are imp osed on the interactive pro of NP In particular they obtain an upp er b ound of BPTIMET rather than BPTIMET polyb with T polyn for languages p ossessing either of the following kinds of interactive pro ofs publiccoin pro ofs in which the prover sends at most b bits pro ofs in which the communication in both directions is b ounded by b Multiprover interactive pro ofs and PCP The expressivepower of multi prover interactive proofs MIPs and probabilistical ly checkable proofs PCPs with low communication has b een the fo cus of extensive research Much of this research is motivated by the imp ortance of the communication parameter in the applications of MIPPCP to inapproximability In particular Bellare Goldreich and Sudan BGSgive negative results ab out the expressivepower of laconic PCPs and MIPs Since onequery PCPs are equivalent to inter active pro ofs in which the prover sends a single message our results provide bounds on the former On Interactive Pro ofs with a Laconic Prover Knowledge complexityofinteractive pro ofs Our work is also related to work on know ledge complexity Knowledge complexity prop osed by GMR aims to measure how much knowledge is leaked from the prover to the ver ier in an interactive pro of Several
Recommended publications
  • Arxiv:2104.04742V2 [Quant-Ph] 13 Apr 2021 Keywords: Quantum Cryptography, Remote State Preparation, Zero-Knowledge, Learning with Errors Table of Contents
    Non-Destructive Zero-Knowledge Proofs on Quantum States, and Multi-Party Generation of Authorized Hidden GHZ States Léo Colisson 1, Frédéric Grosshans 1, Elham Kashefi1,2 1 Laboratoire d’Informatique de Paris 6 (LIP6), Sorbonne Université, 4 Place Jussieu, 75252 Paris CEDEX 05, France {leo.colisson, frederic.grosshans}@lip6.fr 2 School of Informatics, University of Edinburgh, 10 Crichton Street, Edinburgh EH8 9AB, UK Abstract. Due to the special no-cloning principle, quantum states appear to be very useful in cryptography. But this very same property also has drawbacks: when receiving a quantum state, it is nearly impossible for the receiver to efficiently check non-trivial properties on that state without destroying it. This allows a malicious sender to send maliciously crafted states without being detected. The natural (destructive) method for testing a quantum state is the “cut-and-choose” method. However, this method has many drawbacks: the security is only linear, and the class of states and properties that can be tested is quite restricted. In this work, we propose a different approach, and we initiate the study of Non-Destructive Zero-Knowledge Proofs on Quantum States. Our method binds a quantum state to a classical encryption of that quantum state. That way, the receiver can obtain guarantees on the quantum state by asking to the sender to prove properties directly on the classical encryption. This method is therefore non-destructive, and it is possible to verify a very large class of properties. For instance, we can force the sender to send different categories of states depending on whether they know a classical password or not.
    [Show full text]
  • Complexity Theory Lecture 9 Co-NP Co-NP-Complete
    Complexity Theory 1 Complexity Theory 2 co-NP Complexity Theory Lecture 9 As co-NP is the collection of complements of languages in NP, and P is closed under complementation, co-NP can also be characterised as the collection of languages of the form: ′ L = x y y <p( x ) R (x, y) { |∀ | | | | → } Anuj Dawar University of Cambridge Computer Laboratory NP – the collection of languages with succinct certificates of Easter Term 2010 membership. co-NP – the collection of languages with succinct certificates of http://www.cl.cam.ac.uk/teaching/0910/Complexity/ disqualification. Anuj Dawar May 14, 2010 Anuj Dawar May 14, 2010 Complexity Theory 3 Complexity Theory 4 NP co-NP co-NP-complete P VAL – the collection of Boolean expressions that are valid is co-NP-complete. Any language L that is the complement of an NP-complete language is co-NP-complete. Any of the situations is consistent with our present state of ¯ knowledge: Any reduction of a language L1 to L2 is also a reduction of L1–the complement of L1–to L¯2–the complement of L2. P = NP = co-NP • There is an easy reduction from the complement of SAT to VAL, P = NP co-NP = NP = co-NP • ∩ namely the map that takes an expression to its negation. P = NP co-NP = NP = co-NP • ∩ VAL P P = NP = co-NP ∈ ⇒ P = NP co-NP = NP = co-NP • ∩ VAL NP NP = co-NP ∈ ⇒ Anuj Dawar May 14, 2010 Anuj Dawar May 14, 2010 Complexity Theory 5 Complexity Theory 6 Prime Numbers Primality Consider the decision problem PRIME: Another way of putting this is that Composite is in NP.
    [Show full text]
  • On the Randomness Complexity of Interactive Proofs and Statistical Zero-Knowledge Proofs*
    On the Randomness Complexity of Interactive Proofs and Statistical Zero-Knowledge Proofs* Benny Applebaum† Eyal Golombek* Abstract We study the randomness complexity of interactive proofs and zero-knowledge proofs. In particular, we ask whether it is possible to reduce the randomness complexity, R, of the verifier to be comparable with the number of bits, CV , that the verifier sends during the interaction. We show that such randomness sparsification is possible in several settings. Specifically, unconditional sparsification can be obtained in the non-uniform setting (where the verifier is modelled as a circuit), and in the uniform setting where the parties have access to a (reusable) common-random-string (CRS). We further show that constant-round uniform protocols can be sparsified without a CRS under a plausible worst-case complexity-theoretic assumption that was used previously in the context of derandomization. All the above sparsification results preserve statistical-zero knowledge provided that this property holds against a cheating verifier. We further show that randomness sparsification can be applied to honest-verifier statistical zero-knowledge (HVSZK) proofs at the expense of increasing the communica- tion from the prover by R−F bits, or, in the case of honest-verifier perfect zero-knowledge (HVPZK) by slowing down the simulation by a factor of 2R−F . Here F is a new measure of accessible bit complexity of an HVZK proof system that ranges from 0 to R, where a maximal grade of R is achieved when zero- knowledge holds against a “semi-malicious” verifier that maliciously selects its random tape and then plays honestly.
    [Show full text]
  • Chapter 24 Conp, Self-Reductions
    Chapter 24 coNP, Self-Reductions CS 473: Fundamental Algorithms, Spring 2013 April 24, 2013 24.1 Complementation and Self-Reduction 24.2 Complementation 24.2.1 Recap 24.2.1.1 The class P (A) A language L (equivalently decision problem) is in the class P if there is a polynomial time algorithm A for deciding L; that is given a string x, A correctly decides if x 2 L and running time of A on x is polynomial in jxj, the length of x. 24.2.1.2 The class NP Two equivalent definitions: (A) Language L is in NP if there is a non-deterministic polynomial time algorithm A (Turing Machine) that decides L. (A) For x 2 L, A has some non-deterministic choice of moves that will make A accept x (B) For x 62 L, no choice of moves will make A accept x (B) L has an efficient certifier C(·; ·). (A) C is a polynomial time deterministic algorithm (B) For x 2 L there is a string y (proof) of length polynomial in jxj such that C(x; y) accepts (C) For x 62 L, no string y will make C(x; y) accept 1 24.2.1.3 Complementation Definition 24.2.1. Given a decision problem X, its complement X is the collection of all instances s such that s 62 L(X) Equivalently, in terms of languages: Definition 24.2.2. Given a language L over alphabet Σ, its complement L is the language Σ∗ n L. 24.2.1.4 Examples (A) PRIME = nfn j n is an integer and n is primeg o PRIME = n n is an integer and n is not a prime n o PRIME = COMPOSITE .
    [Show full text]
  • Succinctness of the Complement and Intersection of Regular Expressions Wouter Gelade, Frank Neven
    Succinctness of the Complement and Intersection of Regular Expressions Wouter Gelade, Frank Neven To cite this version: Wouter Gelade, Frank Neven. Succinctness of the Complement and Intersection of Regular Expres- sions. STACS 2008, Feb 2008, Bordeaux, France. pp.325-336. hal-00226864 HAL Id: hal-00226864 https://hal.archives-ouvertes.fr/hal-00226864 Submitted on 30 Jan 2008 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Symposium on Theoretical Aspects of Computer Science 2008 (Bordeaux), pp. 325-336 www.stacs-conf.org SUCCINCTNESS OF THE COMPLEMENT AND INTERSECTION OF REGULAR EXPRESSIONS WOUTER GELADE AND FRANK NEVEN Hasselt University and Transnational University of Limburg, School for Information Technology E-mail address: [email protected] Abstract. We study the succinctness of the complement and intersection of regular ex- pressions. In particular, we show that when constructing a regular expression defining the complement of a given regular expression, a double exponential size increase cannot be avoided. Similarly, when constructing a regular expression defining the intersection of a fixed and an arbitrary number of regular expressions, an exponential and double expo- nential size increase, respectively, can in worst-case not be avoided.
    [Show full text]
  • Interactive Proofs
    Interactive proofs April 12, 2014 [72] L´aszl´oBabai. Trading group theory for randomness. In Proc. 17th STOC, pages 421{429. ACM Press, 1985. doi:10.1145/22145.22192. [89] L´aszl´oBabai and Shlomo Moran. Arthur-Merlin games: A randomized proof system and a hierarchy of complexity classes. J. Comput. System Sci., 36(2):254{276, 1988. doi:10.1016/0022-0000(88)90028-1. [99] L´aszl´oBabai, Lance Fortnow, and Carsten Lund. Nondeterministic ex- ponential time has two-prover interactive protocols. In Proc. 31st FOCS, pages 16{25. IEEE Comp. Soc. Press, 1990. doi:10.1109/FSCS.1990.89520. See item 1991.108. [108] L´aszl´oBabai, Lance Fortnow, and Carsten Lund. Nondeterministic expo- nential time has two-prover interactive protocols. Comput. Complexity, 1 (1):3{40, 1991. doi:10.1007/BF01200056. Full version of 1990.99. [136] Sanjeev Arora, L´aszl´oBabai, Jacques Stern, and Z. (Elizabeth) Sweedyk. The hardness of approximate optima in lattices, codes, and systems of linear equations. In Proc. 34th FOCS, pages 724{733, Palo Alto CA, 1993. IEEE Comp. Soc. Press. doi:10.1109/SFCS.1993.366815. Conference version of item 1997:160. [160] Sanjeev Arora, L´aszl´oBabai, Jacques Stern, and Z. (Elizabeth) Sweedyk. The hardness of approximate optima in lattices, codes, and systems of linear equations. J. Comput. System Sci., 54(2):317{331, 1997. doi:10.1006/jcss.1997.1472. Full version of 1993.136. [111] L´aszl´oBabai, Lance Fortnow, Noam Nisan, and Avi Wigderson. BPP has subexponential time simulations unless EXPTIME has publishable proofs. In Proc.
    [Show full text]
  • NP As Games, Co-NP, Proof Complexity
    CS 6743 Lecture 9 1 Fall 2007 1 Importance of the Cook-Levin Theorem There is a trivial NP-complete language: k Lu = {(M, x, 1 ) | NTM M accepts x in ≤ k steps} Exercise: Show that Lu is NP-complete. The language Lu is not particularly interesting, whereas SAT is extremely interesting since it’s a well-known and well-studied natural problem in logic. After Cook and Levin showed NP-completeness of SAT, literally hundreds of other important and natural problems were also shown to be NP-complete. It is this abundance of natural complete problems which makes the notion of NP-completeness so important, and the “P vs. NP” question so fundamental. 2 Viewing NP as a game Nondeterministic computation can be viewed as a two-person game. The players are Prover and Verifier. Both get the same input, e.g., a propositional formula φ. Prover is all-powerful (but not trust-worthy). He is trying to convince Verifier that the input is in the language (e.g., that φ is satisfiable). Prover sends his argument (as a binary string) to Verifier. Verifier is computationally bounded algorithm. In case of NP, Verifier is a deterministic polytime algorithm. It is not hard to argue that the class NP of languages L is exactly the class of languages for which there is a pair (Prover, Verifier) with the property: For inputs in the language, Prover convinces Verifier to accept; for inputs not in the language, any string sent by Prover will be rejected by Verifier. Moreover, the string that Prover needs to send is of length polynomial in the size of the input.
    [Show full text]
  • Simple Doubly-Efficient Interactive Proof Systems for Locally
    Electronic Colloquium on Computational Complexity, Revision 3 of Report No. 18 (2017) Simple doubly-efficient interactive proof systems for locally-characterizable sets Oded Goldreich∗ Guy N. Rothblumy September 8, 2017 Abstract A proof system is called doubly-efficient if the prescribed prover strategy can be implemented in polynomial-time and the verifier’s strategy can be implemented in almost-linear-time. We present direct constructions of doubly-efficient interactive proof systems for problems in P that are believed to have relatively high complexity. Specifically, such constructions are presented for t-CLIQUE and t-SUM. In addition, we present a generic construction of such proof systems for a natural class that contains both problems and is in NC (and also in SC). The proof systems presented by us are significantly simpler than the proof systems presented by Goldwasser, Kalai and Rothblum (JACM, 2015), let alone those presented by Reingold, Roth- blum, and Rothblum (STOC, 2016), and can be implemented using a smaller number of rounds. Contents 1 Introduction 1 1.1 The current work . 1 1.2 Relation to prior work . 3 1.3 Organization and conventions . 4 2 Preliminaries: The sum-check protocol 5 3 The case of t-CLIQUE 5 4 The general result 7 4.1 A natural class: locally-characterizable sets . 7 4.2 Proof of Theorem 1 . 8 4.3 Generalization: round versus computation trade-off . 9 4.4 Extension to a wider class . 10 5 The case of t-SUM 13 References 15 Appendix: An MA proof system for locally-chracterizable sets 18 ∗Department of Computer Science, Weizmann Institute of Science, Rehovot, Israel.
    [Show full text]
  • Lecture 10: Space Complexity III
    Space Complexity Classes: NL and L Reductions NL-completeness The Relation between NL and coNL A Relation Among the Complexity Classes Lecture 10: Space Complexity III Arijit Bishnu 27.03.2010 Space Complexity Classes: NL and L Reductions NL-completeness The Relation between NL and coNL A Relation Among the Complexity Classes Outline 1 Space Complexity Classes: NL and L 2 Reductions 3 NL-completeness 4 The Relation between NL and coNL 5 A Relation Among the Complexity Classes Space Complexity Classes: NL and L Reductions NL-completeness The Relation between NL and coNL A Relation Among the Complexity Classes Outline 1 Space Complexity Classes: NL and L 2 Reductions 3 NL-completeness 4 The Relation between NL and coNL 5 A Relation Among the Complexity Classes Definition for Recapitulation S c NPSPACE = c>0 NSPACE(n ). The class NPSPACE is an analog of the class NP. Definition L = SPACE(log n). Definition NL = NSPACE(log n). Space Complexity Classes: NL and L Reductions NL-completeness The Relation between NL and coNL A Relation Among the Complexity Classes Space Complexity Classes Definition for Recapitulation S c PSPACE = c>0 SPACE(n ). The class PSPACE is an analog of the class P. Definition L = SPACE(log n). Definition NL = NSPACE(log n). Space Complexity Classes: NL and L Reductions NL-completeness The Relation between NL and coNL A Relation Among the Complexity Classes Space Complexity Classes Definition for Recapitulation S c PSPACE = c>0 SPACE(n ). The class PSPACE is an analog of the class P. Definition for Recapitulation S c NPSPACE = c>0 NSPACE(n ).
    [Show full text]
  • Complements of Nondeterministic Classes • from P
    Complements of Nondeterministic Classes ² From p. 133, we know R, RE, and coRE are distinct. { coRE contains the complements of languages in RE, not the languages not in RE. ² Recall that the complement of L, denoted by L¹, is the language §¤ ¡ L. { sat complement is the set of unsatis¯able boolean expressions. { hamiltonian path complement is the set of graphs without a Hamiltonian path. °c 2011 Prof. Yuh-Dauh Lyuu, National Taiwan University Page 181 The Co-Classes ² For any complexity class C, coC denotes the class fL : L¹ 2 Cg: ² Clearly, if C is a deterministic time or space complexity class, then C = coC. { They are said to be closed under complement. { A deterministic TM deciding L can be converted to one that decides L¹ within the same time or space bound by reversing the \yes" and \no" states. ² Whether nondeterministic classes for time are closed under complement is not known (p. 79). °c 2011 Prof. Yuh-Dauh Lyuu, National Taiwan University Page 182 Comments ² As coC = fL : L¹ 2 Cg; L 2 C if and only if L¹ 2 coC. ² But it is not true that L 2 C if and only if L 62 coC. { coC is not de¯ned as C¹. ² For example, suppose C = ff2; 4; 6; 8; 10;:::gg. ² Then coC = ff1; 3; 5; 7; 9;:::gg. ¤ ² But C¹ = 2f1;2;3;:::g ¡ ff2; 4; 6; 8; 10;:::gg. °c 2011 Prof. Yuh-Dauh Lyuu, National Taiwan University Page 183 The Quanti¯ed Halting Problem ² Let f(n) ¸ n be proper. ² De¯ne Hf = fM; x : M accepts input x after at most f(j x j) stepsg; where M is deterministic.
    [Show full text]
  • Zero Knowledge and Circuit Minimization
    Electronic Colloquium on Computational Complexity, Revision 1 of Report No. 68 (2014) Zero Knowledge and Circuit Minimization Eric Allender1 and Bireswar Das2 1 Department of Computer Science, Rutgers University, USA [email protected] 2 IIT Gandhinagar, India [email protected] Abstract. We show that every problem in the complexity class SZK (Statistical Zero Knowledge) is efficiently reducible to the Minimum Circuit Size Problem (MCSP). In particular Graph Isomorphism lies in RPMCSP. This is the first theorem relating the computational power of Graph Isomorphism and MCSP, despite the long history these problems share, as candidate NP-intermediate problems. 1 Introduction For as long as there has been a theory of NP-completeness, there have been attempts to understand the computational complexity of the following two problems: – Graph Isomorphism (GI): Given two graphs G and H, determine if there is permutation τ of the vertices of G such that τ(G) = H. – The Minimum Circuit Size Problem (MCSP): Given a number i and a Boolean function f on n variables, represented by its truth table of size 2n, determine if f has a circuit of size i. (There are different versions of this problem depending on precisely what measure of “size” one uses (such as counting the number of gates or the number of wires) and on the types of gates that are allowed, etc. For the purposes of this paper, any reasonable choice can be used.) Cook [Coo71] explicitly considered the graph isomorphism problem and mentioned that he “had not been able” to show that GI is NP-complete.
    [Show full text]
  • Is It Easier to Prove Theorems That Are Guaranteed to Be True?
    Is it Easier to Prove Theorems that are Guaranteed to be True? Rafael Pass∗ Muthuramakrishnan Venkitasubramaniamy Cornell Tech University of Rochester [email protected] [email protected] April 15, 2020 Abstract Consider the following two fundamental open problems in complexity theory: • Does a hard-on-average language in NP imply the existence of one-way functions? • Does a hard-on-average language in NP imply a hard-on-average problem in TFNP (i.e., the class of total NP search problem)? Our main result is that the answer to (at least) one of these questions is yes. Both one-way functions and problems in TFNP can be interpreted as promise-true distri- butional NP search problems|namely, distributional search problems where the sampler only samples true statements. As a direct corollary of the above result, we thus get that the existence of a hard-on-average distributional NP search problem implies a hard-on-average promise-true distributional NP search problem. In other words, It is no easier to find witnesses (a.k.a. proofs) for efficiently-sampled statements (theorems) that are guaranteed to be true. This result follows from a more general study of interactive puzzles|a generalization of average-case hardness in NP|and in particular, a novel round-collapse theorem for computationally- sound protocols, analogous to Babai-Moran's celebrated round-collapse theorem for information- theoretically sound protocols. As another consequence of this treatment, we show that the existence of O(1)-round public-coin non-trivial arguments (i.e., argument systems that are not proofs) imply the existence of a hard-on-average problem in NP=poly.
    [Show full text]