Minimum Circuit Size, Graph Isomorphism, and Related Problems Joint work with Joshua A. Grochow, Dieter van Melkebeek (Wisconsin), Cristopher Moore (SFI), and Andrew Morgan (Wisconsin) NYCAC, November 17, 2017
There seems to be a pattern… • NYCAC 2015: Graph Automorphism and Circuit Size • NYCAC 2016: New Insights on the (Non)hardness of Circuit Minimization and Related Problems • NYCAC 2017: Minimum Circuit Size, Graph Isomorphism, and Related Problems • All about MCSP and GA or GI. • … and about the “related problem”: MKTP
The Context • The Minimum Circuit Size Problem (MCSP) = {(f,i) : f is the truth-table of a function that has a circuit of size ≤ i}. • In NP, but not known (or widely believed) to be NP-complete. [Kabanets, Cai], [Murray, Williams], [A, Holden, Kabanets], [Carmosino, Impagliazzo, Kabanets, Kolokolova], [Hirahara, Santhanam], [Hirahara, Watanabe], [Hitchcock, Pavan], [Impagliazzo, Kabanets, Volkovich]… • Lots of reasons to believe it’s not in P.
More Context • Factoring is in ZPP^MCSP. • Graph Isomorphism is in RP^MCSP. • Every promise problem in SZK is in (Promise) BPP^MCSP. • A motivating question: Is Graph Isomorphism in ZPP^MCSP?
More Context • Factoring is in ZPP^MCSP. • Graph Isomorphism is in RP^MCSP. • Every promise problem in SZK is in (Promise) BPP^MCSP. • An obstacle: EACH of these reductions follows the same route….
Yet More Context • The well-trodden path: • MCSP is a wonderful test to distinguish random from pseudorandom distributions. • Thus, via [HILL], MCSP is an oracle that allows a probabilistic algorithm to invert poly-time functions with high probability. • Note that this approach can’t show a result like “A is in ZPP^MCSP” unless we already know that A is in NP ∩ coNP.
Context, Context, Context • MCSP is more like a family of problems, than a single problem. • For instance “size” could mean “# of wires” or “# of gates”, or “# of bits to describe the circuit”, etc. • None of these is known to be reducible to any other – but all can stand in for “MCSP”. • One more such variant: MKTP = {(x,i) : KT(x) ≤ i}
What Can We Show? (2015) • Graph Automorphism is in ZPP^MKTP. • As observed on an earlier slide, this involves a different type of reduction than all earlier reductions to MKTP or MCSP (since Graph Automorphism is not known to be in NP ∩ coNP). • We are unable to extend this, to show Graph Automorphism is in ZPP^MCSP. • This is a new phenomenon; all other reductions to MKTP carried over to MCSP.
What Can We Show? (2017) • Graph ISOmorphism is in ZPP^MKTP! • As observed on an earlier slide, this involves a different type of reduction than all earlier reductions to MKTP or MCSP (since Graph Automorphism is not known to be in NP ∩ coNP). • We are unable to extend this, to show Graph Automorphism is in ZPP^MCSP. • This is a new phenomenon; all other reductions to MKTP carried over to MCSP.
What Can We Show? (2017) • A big chunk of SZK is in ZPP^MKTP! • As observed on an earlier slide, this involves a different type of reduction than all earlier reductions to MKTP or MCSP (since Graph Automorphism is not known to be in NP ∩ coNP). • We are unable to extend this, to show Graph Automorphism is in ZPP^MCSP. • This is a new phenomenon; all other reductions to MKTP carried over to MCSP.
MCSP • MCSP = {(x,i) : x is the truth table of a function with a circuit of size at most i}. • Levin delayed publishing his results on SAT and NP, because he wanted to prove a similar result about MCSP.
MCSP • MCSP = {(x,i) : x is the truth table of a function with a circuit of size at most i}. • Why was Levin so interested in MCSP? • In the USSR in the 70’s (and before) there was great interest in problems requiring “perebor”, or “brute-force search”. For various reasons, MCSP was a focal point of this interest.
MCSP • MCSP = {(x,i) : x is the truth table of a function with a circuit of size at most i}. • Why was Levin so interested in MCSP? • Yablonski [1959] proved a result that – to him and his students – meant “MCSP requires perebor”. (This would imply P < NP.) By the late 1960’s Yablonski “attained influential positions [dealing with] coordination and control of math…a time of rapid degradation of the moral climate within the Soviet math community” [Trakhtenbrot].
MCSP • MCSP = {(x,i) : x is the truth table of a function with a circuit of size at most i}. • MCSP is in NP. (Guess a circuit of size ≤ |x|, and verify that it gives the correct answer for each y of length log |x|.) • If MCSP is NP-complete, then EXP is not equal to ZPP [Murray & Williams, 2015]. • A prominent candidate for “NP-intermediate” status.
MCSP • If MCSP is NP-complete under poly-time reductions, then EXP is not equal to ZPP [MW15]. • If MCSP is NP-complete under uniform AC^0 reductions, then NP is not in P/poly [MW15].
MKTP • If MKTP is NP-complete under poly-time reductions, then EXP is not equal to ZPP [MW15]. • If MKTP is NP-complete under uniform AC^0 reductions, then NP is not in P/poly [MW15]. • If MKTP is NOT NP-complete under nonuniform AC^0 reductions, then NP is not equal to DET. [A, Hirahara] • Is there an obstacle that prevents a proof today, that MKTP is NP-complete under non-uniform reductions?
MKTP • If MKTP is NP-complete under poly-time reductions, then EXP is not equal to ZPP [MW15]. • If MKTP is NP-complete under uniform AC^0 reductions, then NP is not in P/poly [MW15]. • If MKTP is NOT NP-complete under nonuniform AC^0 reductions, then NP is not equal to DET. [A, Hirahara] • Is there an obstacle that prevents a proof today, or that MKTP is NOT NP-complete under uniform reductions?
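NP-Intermediate Problems • [Figure: diagram with regions labelled NPC and P]
NP-Intermediate Problems • [Figure: diagram with regions labelled NPC and P] • Ladner (1975) showed that intermediate problems exist unless P=NP. But these problems are “unnatural”.
NP-Intermediate Problems • [Figure: diagram with regions labelled NPC and P] • Some prominent candidates were studied early on…
NP-Intermediate Problems • [Figure: diagram with regions labelled NPC and P; figure labels: Graph Genus, Linear Programming] • Some prominent candidates were studied early on… • …but subsequently “moved”.
NP-Intermediate Problems • [Figure: diagram with regions labelled NPC and P] • MCSP is still here: Graph Isomorphism, too.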
Probabilistic Complexity Classes • RP: Like NP, but with many witnesses. • [Figure: diagram of the classes BPP, coNP, NP, coRP, RP, ZPP]
Pseudorandom Generators • [Figure: seed → G → pseudorandom bits b1, b2, …] • For any efficient “test” T, Prob[T accepts a random string of length n] ≈ Prob[T accepts a pseudorandom string of length n]
Pseudorandom Generators • [Figure: seed → G_f → pseudorandom bits b1, b2, …] • [HILL]: Given a cryptographically-secure one-way function f, we can build a secure pseudorandom generator G_f.
Pseudorandom Generators • [Figure: seed → G_f → pseudorandom bits b1, b2, …] • [HILL]: If G_f is not secure, then f is easy to invert.
Pseudorandom Generators • [Figure: seed → G_f → pseudorandom bits b1, b2, …] • [HILL]: If T is a test that accepts half of the strings of length n, but accepts none of the strings output by G_f, then there is a probabilistic poly-time N such that Prob_x[f(N^T(f(x))) = f(x)] > 1/poly.
Pseudorandom Generators • [Figure: seed → G_{f_i} → pseudorandom bits b1, b2, …] • The output of G_{f_i} has small time-bounded K-complexity. • KT(x) ≈ Circuit.size(x). • Most x require very large circuits. • MCSP gives us a great test T to distinguish random and pseudorandom strings.
Pseudorandom Generators • [Figure: seed → G_{f_i} → pseudorandom bits b1, b2, …] • Specifically, the set T = {x | Circuit.Size(x) > √|x|} is computable relative to MCSP and breaks all pseudorandom generators. • Thus Prob_x[f_i(N^MCSP(i, f_i(x))) = f(x)] > 1/poly.
Pseudorandom Generators • [Figure: seed → G_{f_i} → pseudorandom bits b1, b2, …] • This idea was used before, to show: • Factoring is in ZPP^MCSP. • Discrete Log is in ZPP^MCSP. • Closest Vector (promise) Problem is in BPP^MCSP. • Graph Isomorphism is in RP^MCSP. • Every promise problem in SZK is in (Promise) BPP^MCSP.
Graph Isomorphism • GI = {(G,H) : the vertices of G can be permuted, to yield H}
Zero Knowledge • The Graph Isomorphism problem was one of the first few problems known to have a Zero Knowledge Interactive Proof. • [Figure: diagram showing coNP, NP, MCSP, GI and SZK]
Some facts about SZK • SZK is contained in NP/poly ∩ coNP/poly. • There are complete problems for SZK. • …but in order to introduce these complete problems, we need to talk about “promise problems”.
Promise Problems • [Figure: instances split into Yes and No] Ordinary decision problems. • [Figure: instances split into Yes, Don’t Care and No] Promise problems.
Some Important Promise Problems • RIGID GI: • YES: {(G,H) : G and H are rigid, and G≡H} • NO: {(G,H) : G and H are rigid, and G≢H} • Entropy Approximation: • YES: {(C,θ) : the entropy of the distribution generated by C is > θ+1} • NO: {(C,θ) : the entropy of the distribution generated by C is < θ-1}
Entropy Approximation • Entropy Approximation is complete for SZK under poly-time Turing reductions [Goldreich, Sahai, Vadhan]
What’s New? • Outline for the rest of the talk. • 1. Give a reduction from RIGID Graph Isomorphism to MKTP. • 2. Discuss why we were stuck at this point for a while. • 3. Sketch how MKTP allows us to estimate the value (n!/|Aut(G)|), via “entropy estimation”. • 4. Discuss how MKTP allows us to estimate the entropy in (almost) flat distributions.
Reducing RIGID GI to MKTP • On input (G_0, G_1): • Randomly pick a bit string w = w_1 w_2 … w_t. • Pick random permutations π_1 … π_t. • Let z = π_1(G_{w_1}) π_2(G_{w_2}) … π_t(G_{w_t}). • If G_0 and G_1 are not isomorphic, then z allows us to reconstruct w and π_1 … π_t, so that z has (non-time-bounded) K-complexity around t+ts (where s = log n!), whp. Hence KT(z) > t+ts. • Otherwise, KT(z) is around n^2 + ts.
Entropy • The critical line in the previous slide is: “s = log n!”, because a random permutation π has KT complexity about s, with high probability. • But if the graphs are NOT rigid, then the entropy in π(G) is (n! / |Aut(G)|). • …and computing |Aut(G)| is as hard as Graph Automorphism! • Solution: Use the MKTP oracle!
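The per-block entropy count behind the two slides above can be checked by brute force on small graphs. This is an added example, not code from the talk; the function names and the sample graphs (a 6-vertex rigid graph, its complement, and a 4-vertex path) are constructed here as assumptions.

```python
from collections import Counter
from itertools import combinations, permutations
from math import factorial, log2

def relabel(edges, perm):
    """Apply a vertex permutation to an edge set; returns a canonical frozenset."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in edges)

def aut_count(edges, n):
    """|Aut(G)| by brute force: permutations that map the edge set to itself."""
    g = relabel(edges, range(n))
    return sum(1 for p in permutations(range(n)) if relabel(edges, p) == g)

def block_entropy(g0, g1, n):
    """Exact Shannon entropy (bits) of one block pi(G_w) of z,
    for a uniform bit w and a uniform permutation pi."""
    counts = Counter(relabel(g, p) for g in (g0, g1)
                     for p in permutations(range(n)))
    total = 2 * factorial(n)
    return sum(c / total * log2(total / c) for c in counts.values())

# Constructed sample graphs (assumptions, not taken from the talk).
RIGID = [(0, 1), (1, 2), (2, 3), (3, 4), (1, 5), (2, 5)]   # no nontrivial automorphism
RIGID_COPY = relabel(RIGID, (3, 5, 0, 1, 4, 2))            # isomorphic to RIGID
CO_RIGID = [e for e in combinations(range(6), 2)           # complement: rigid, 9 edges,
            if frozenset(e) not in relabel(RIGID, range(6))]  # so not isomorphic to RIGID
PATH4 = [(0, 1), (1, 2), (2, 3)]                           # not rigid: |Aut| = 2

if __name__ == "__main__":
    s = log2(factorial(6))
    print("s = log 6!            :", round(s, 4))
    print("rigid, isomorphic     :", round(block_entropy(RIGID, RIGID_COPY, 6), 4))
    print("rigid, non-isomorphic :", round(block_entropy(RIGID, CO_RIGID, 6), 4))
    print("path, |Aut| =", aut_count(PATH4, 4),
          "entropy:", round(block_entropy(PATH4, PATH4, 4), 4),
          "vs log 4! =", round(log2(24), 4))
```

For rigid inputs each block carries s bits when the graphs are isomorphic and s+1 bits when they are not, which is the t+ts versus ts gap the reduction tests; for the path the entropy drops to log(4!/2), which is why |Aut(G)| has to be known in the non-rigid case.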
MKTP and GI • We already knew that GI BPP-reduces to MKTP. • With an oracle for GI, we can produce a list of generators for Aut(G) w.h.p. (Pick a new permutation, and see if it’s in Aut(G) and is not already in the group generated by the previous permutations.) We can compute the size of the group generated by our list of permutations. • Thus this can be done with MKTP as an oracle. (Lots of details, to make this a ZPP reduction.)
Min and Max Entropy • Let D be a distribution. • Max-Entropy = min {k : for all x, D(x) > 1/2^k} • Entropy = E[log(1/D(x))] • Min-Entropy = max {k : for all x, D(x) < 1/2^k}
Entropy Estimation Corollary • Let D be a distribution represented by circuit C. (That is, D(x) = Prob_y[C(y)=x].) • Let Δ be the difference between the max-entropy and the min-entropy of D. • Let z be the concatenation of t random samples from D. • Then KT(z)/t is a probably-approximately-correct underestimator for the entropy of D, with deviation Δ. • Proof: Establish a connection between Hashing and KT complexity.
So What? • Are there any interesting problems reducible to “Entropy Estimation for Flat Distributions”? • Matrix Subspace Conjugacy • Permutation Group Conjugacy • Code Equivalence • GI
Open Questions • Is Graph Automorphism in ZPP^MCSP? • Is there some way to relate the complexities of MKTP and (the many versions of) MCSP? • …through Gap Amplification, or via some other means? • MKTP is not in AC^0[p] for any prime p. How about MCSP?