Zero Knowledge and Circuit Minimization

1
Zero Knowledge and Circuit Minimization

• Joint work with Bireswar Das
• (IIT Gandinagar, DIMACS)

MFCS, Budapest, August 26, 2014
2
The Cook-Levin Theorem
SAT is NP-Complete

• Arguably the most important theorem in
  theoretical computer science.
• but what were they thinking?

3
What they were thinking
The STOC deadline is nearly here
4
What they were thinking
Looks like I wont be able to prove a
Graph Isomorphism result in time So Ill just
submit this.
5
What they were thinking
I refuse to publish a partial result! I need to
be able to say something about the Minimum
Circuit Size Problem
6
What they were thinking
and Graph Isomorphism too!
Pemmaraju, Skiena
7
What they were thinking
and Graph Isomorphism too!
Leonid, Publish it!
8
What they were thinking
OKBut only the 2-page version!
9
NP-Intermediate Problems

• Thus, as long as there has been a theory of
  NP-completeness, there have been two prominent
  candidates for NP-Intermediate status in NP,
  but neither complete nor in P
• Graph Isomorphism (GI)
• The Minimum Circuit Size Problem (MCSP)
• After 4 decades, they still cling to this status.
• but is there any relationship between these
  problems?

10
Graph Isomorphism

• GI (G,H) the vertices of G can be permuted,
  to yield H

11
MCSP

• MCSP (x,i) x is the truth table of a
  function with a circuit of size at most i.
• Why was Levin so interested in MCSP?
• In the USSR in the 70s (and before) there was
  great interest in problems requiring perebor,
  or brute-force search. For various reasons,
  MCSP was a focal point of this interest.

12
MCSP

• MCSP (x,i) x is the truth table of a
  function with a circuit of size at most i.
• Why was Levin so interested in MCSP?
• Yablonski 1959 proved a result that to him
  and his students meant MCSP requires perebor.
  (This would imply P lt NP.) By the late 1960s
  Yablonski attained influential positions
  dealing with coordination and control of matha
  time of rapid degradation of the moral climate
  within the Soviet math community Trakhtenbrot.

13
GI and MCSP

• This historical digression has established
• The questions of the complexity of GI and MCSP
  are as old as the theory of computational
  complexity (or perhaps even older).
• No relationship between the complexity of these
  problems had been established.
• Lets take care of that right now.

14
Todays Goal

• Theorem 1 GI reduces to MCSP. More precisely
  GI ? RPMCSP.
• Theorem 2 More generally Every problem with a
  Statistical Zero Knowledge Proof reduces to MCSP.
  That is SZK is contained in BPPMCSP.
• Well follow a well-established path All
  reductions to MCSP seem to make use of
  pseudorandom generators. Kabanets, Cai
  A,Buhrman,Koucky,van Melkebeek, Ronneburger

15
Pseudorandom Generators
G
seed
PseudoRandom bits b1,b2,
For any efficient test T, ProbT accepts a
random string of length n ProbT accepts a
pseudorandom string of length n
16
Pseudorandom Generators
Gf
seed
PseudoRandom bits b1,b2,
HILL Given a cryptographically- secure one-way
function f, we can build a secure pseudorandom
generator Gf.
17
Pseudorandom Generators
Gf
seed
PseudoRandom bits b1,b2,
HILL If Gf is not secure, then f is easy to
invert.
18
Pseudorandom Generators
Gf
seed
PseudoRandom bits b1,b2,
HILL If T is a test that accepts half of
the strings of length n, but accepts none of
the strings output by Gf, then there is a
probabilistic poly-time N such that
Probxf(NT(f(x))) f(x) gt 1/poly.
19
Pseudorandom Generators
Gfi
seed
PseudoRandom bits b1,b2,
HILL If T is a test that accepts half of
the strings of length n, but accepts none of
the strings output by Gfi, then there is a
probabilistic poly-time N such that
Probxfi(NT(i,fi(x))) x gt 1/poly.
20
Pseudorandom Generators
Gfi
seed
PseudoRandom bits b1,b2,
The output of Gfi has small time-bounded
K-complexity.
21
Pseudorandom Generators
Gfi
seed
PseudoRandom bits b1,b2,
The output of Gfi has small time-bounded
K-complexity. KT(x) Circuit.size(x).
22
Pseudorandom Generators
Gfi
seed
PseudoRandom bits b1,b2,
The output of Gfi has small time-bounded
K-complexity. KT(x) Circuit.size(x). Most x
require very large circuits.
23
Pseudorandom Generators
Gfi
seed
PseudoRandom bits b1,b2,
The output of Gfi has small time-bounded
K-complexity. KT(x) Circuit.size(x). Most x
require very large circuits. MCSP gives us a
great test T to distinguish random and
pseudorandom strings.
24
Pseudorandom Generators
Gfi
seed
PseudoRandom bits b1,b2,
Specifically, the set T x Circuit.Size(x)
gtvx is computable relative to MCSP and breaks
all pseudorandom generators.
25
Pseudorandom Generators
Gfi
seed
PseudoRandom bits b1,b2,
Specifically, the set T x Circuit.Size(x)
gtvx is computable relative to MCSP and breaks
all pseudorandom generators. Thus
Probxfi(NMCSP(i,fi(x))) f(x) gt 1/poly.
26
Pseudorandom Generators
Gfi
seed
PseudoRandom bits b1,b2,
This idea was used before, to show Factoring is
in ZPPMCSP Discrete Log is in BPPMCSP Closest
Vector Problem is in BPPMCSP
We suspect that these are crypto-secure.
27
Reducing GI to MCSP

• The main idea of the reduction is to follow this
  same approach, using a function that has never
  seemed like a good candidate for a one-way
  function.

28
Our Indexed Family of Functions

• Given graph H and permutation p, let
  fH(p) p(H).
• To find out if G and H are isomorphic
• Pick a random permutation p.
• Run NMCSP(H, p(G)) and obtain output ß.
• Accept if p(G) ß(H).
• If G and H are isomorphic, this accepts with
  probability 1/poly(n).
• QED!

29
Zero Knowledge

• The Graph Isomorphism problem was one of the
  first few problems known to have a Zero Knowledge
  Interactive Proof.

30
Zero Knowledge

• The Graph Isomorphism problem was one of the
  first few problems known to have a Zero Knowledge
  Interactive Proof.

NP
coNP
MCSP
GI
SZK
31
Some facts about SZK

• SZK is contained in NP/poly n coNP/poly.
• There are complete problems for SZK.
• but in order to introduce these complete
  problems, we need to talk about promise
  problems.

32
Promise Problems
No
Yes
Ordinary decision problems.
33
Promise Problems
No
Yes
Ordinary decision problems.
Yes
Dont Care
No
Promise Problems.
34
Statistical Difference

• The standard complete promise problem for SZK
  is Statistical Difference (SD).
• The inputs to SD are pairs of circuits (C,D) we
  view the circuits as representing probability
  distributions, where ProbC(y) is the probability,
  over x chosen uniformly at random, that C(x)y.
• The Yes Instances of SD are (C,D) such that these
  probability distributions are quite close.
• The No Instances of SD are (C,D) where the
  distributions are far apart.

35
Image Intersection Density

• We will actually use a restricted version of SD,
  called Image Intersection Density (IID). The Yes
  instances look the same as in SD.
• The No instances are pairs (C,D) such that, with
  probability exponentially close to 1 (over
  randomly chosen x) C(x) is not in the image of D.
• IID was shown by Ben-Or, Gutfreund to be
  complete for a subclass of SZK, which was
  subsequently shown to coincide with SZK
  Chailloux, Ciodan, Kerenidis, Vadhan.

36
Reducing SZK to MCSP

• For any circuit C, let FC(x) C(x). These are
  the one-way functions that well try to invert,
  with MCSP as an oracle.
• Given a pair (C,D), repeat the following K times
• Pick x at random, and compute yC(x).
• Run NMCSP(D, y) and obtain output z.
• Accept if D(z) y.
• On Yes instances, we expect K/poly acceptances,

37
Reducing SZK to MCSP

• For any circuit C, let FC(x) C(x). These are
  the one-way functions that well try to invert,
  with MCSP as an oracle.
• Given a pair (C,D), repeat the following K times
• Pick x at random, and compute yC(x).
• Run NMCSP(D, y) and obtain output z.
• Accept if D(z) y.
• On Yes instances, we expect K/poly acceptances,
  on No instances we expect K/2n.

38
Reducing SZK to MCSP

• For any circuit C, let FC(x) C(x). These are
  the one-way functions that well try to invert,
  with MCSP as an oracle.
• Given a pair (C,D), repeat the following K times
• Pick x at random, and compute yC(x).
• Run NMCSP(D, y) and obtain output z.
• Accept if D(z) y.
• On Yes instances, we expect K/poly acceptances,
  on No instances we expect K/2n.

QED
39
How hard is MCSP?
40
How hard is MCSP?

• Kabanets, Cai showed that if MCSP were
  NP-complete under natural m reductions, then
  BPPP.
• This is not evidence against being NP-complete,
  but it is evidence that it might be hard to
  prove.
• Vinodchandran considered SNCMP (like MCSP but for
  strong nondeterministic circuits) it will be a
  breakthrough if GI reduces to SNCMP under
  natural reductions.
• but our argument provides an RP-reduction!

41
Open Questions

• Is GI in ZPPMCSP?
• or in PMCSP?
• or is MCSP NP-hard, perhaps under P/poly
  reductions?
• Note in this regard, that the Minimum QBF
  Circuit Size Problem is complete for PSPACE
  under P/poly reductions, and analogous results
  hold for other classes.

42
Open Questions

• Or is there a promise problem related to MCSP
  that is complete for SZK?
• Consider the promise problem that has
• Yes instances x Circuit.Size(x) gtvx
• No instances x Circuit.Size(x) ltx1/4
• Can this problem be in SZK? Or in some other
  nearby class?

43
Thank you!