Zero Knowledge and Circuit
Minimization
Eric Allender
Rutgers University
Joint work with Bireswar Das
(IIT Gandinagar, DIMACS)
MFCS, Budapest, August 26, 2014
The Cook-Levin Theorem
SAT is NP-Complete
Arguably the most important
theorem in theoretical computer
science.

…but what were they thinking?
Eric Allender: Zero Knowledge and Circuit Minimization
<2>
What they were thinking:
The STOC deadline
is nearly here…
Eric Allender: Zero Knowledge and Circuit Minimization
<3>
What they were thinking:
Looks like I wont be
able to prove a Graph
Isomorphism result in time…
So I’ll just submit this.
Eric Allender: Zero Knowledge and Circuit Minimization
<4>
What they were thinking:
I refuse to publish a partial
result! I need to be
able to say something about
the Minimum Circuit Size
Problem…
Eric Allender: Zero Knowledge and Circuit Minimization
<5>
What they were thinking:
…and Graph Isomorphism
too!
[Pemmaraju, Skiena]
Eric Allender: Zero Knowledge and Circuit Minimization
<6>
What they were thinking:
…and Graph Isomorphism
Leonid,
too!
Publish it!
Eric Allender: Zero Knowledge and Circuit Minimization
<7>
What they were thinking:
OK…But only the 2-page version!
Eric Allender: Zero Knowledge and Circuit Minimization
<8>
NP-Intermediate Problems

Thus, as long as there has been a theory of
NP-completeness, there have been two
prominent candidates for “NP-Intermediate”
status: in NP, but neither complete nor in P:
– Graph Isomorphism (GI)
– The Minimum Circuit Size Problem (MCSP)

After 4 decades, they still cling to this status.

…but is there any relationship between these
problems?
Eric Allender: Zero Knowledge and Circuit Minimization
<9>
Graph Isomorphism

GI = {(G,H) : the vertices of G can be
permuted, to yield H}
Eric Allender: Zero Knowledge and Circuit Minimization
< 10 >
MCSP

MCSP = {(x,i) : x is the truth table of a function
with a circuit of size at most i}.

Why was Levin so interested in MCSP?

In the USSR in the 70’s (and before) there
was great interest in problems requiring
“perebor”, or “brute-force search”. For various
reasons, MCSP was a focal point of this
interest.
Eric Allender: Zero Knowledge and Circuit Minimization
< 11 >
MCSP

MCSP = {(x,i) : x is the truth table of a function
with a circuit of size at most i}.

Why was Levin so interested in MCSP?

Yablonski [1959] proved a result that – to him
and his students – meant “MCSP requires
perebor”. (This would imply P < NP.) By the
late 1960’s Yablonski “attained influential
positions [dealing with] coordination and
control of math…a time of rapid degradation of
the moral climate within the Soviet math
community” [Trakhtenbrot].
Eric Allender: Zero Knowledge and Circuit Minimization
< 12 >
GI and MCSP

This historical digression has established:

The questions of the complexity of GI and
MCSP are as old as the theory of
computational complexity (or perhaps even
older).

No relationship between the complexity of
these problems had been established.

Let’s take care of that right now.
Eric Allender: Zero Knowledge and Circuit Minimization
< 13 >
Today’s Goal

Theorem 1: GI reduces to MCSP. More
precisely: GI є RPMCSP.

Theorem 2: More generally: Every problem
with a Statistical Zero Knowledge Proof
reduces to MCSP. That is: SZK is contained
in BPPMCSP.

We’ll follow a well-established path: All
reductions to MCSP seem to make use of
pseudorandom generators. [Kabanets, Cai]
[A,Buhrman,Koucky,van Melkebeek, Ronneburger]
Eric Allender: Zero Knowledge and Circuit Minimization
< 14 >
Pseudorandom Generators
G
seed
PseudoRandom bits b1,b2,…
For any efficient “test” T,
Prob[T accepts a random string of length n]
≈
Prob[T accepts a pseudorandom string of length n]
Eric Allender: Zero Knowledge and Circuit Minimization
< 15 >
Pseudorandom Generators
Gf
seed
PseudoRandom bits b1,b2,…
[HILL]: Given a cryptographicallysecure one-way function f,
we can build a secure
pseudorandom generator Gf.
Eric Allender: Zero Knowledge and Circuit Minimization
< 16 >
Pseudorandom Generators
Gf
seed
PseudoRandom bits b1,b2,…
[HILL]: If Gf is not secure,
then f is easy to invert.
Eric Allender: Zero Knowledge and Circuit Minimization
< 17 >
Pseudorandom Generators
Gf
seed
PseudoRandom bits b1,b2,…
[HILL]: If T is a test that accepts half of the
strings of length n, but accepts none of the
strings output by Gf,
then there is a probabilistic poly-time N such
that Probx[f(NT(f(x))) = f(x)] > 1/poly.
Eric Allender: Zero Knowledge and Circuit Minimization
< 18 >
Pseudorandom Generators
seed
Gfi
PseudoRandom bits b1,b2,…
[HILL]: If T is a test that accepts half of the
strings of length n, but accepts none of the
strings output by Gfi,
then there is a probabilistic poly-time N such
that Probx[fi(NT(i,fi(x))) = x] > 1/poly.
Eric Allender: Zero Knowledge and Circuit Minimization
< 19 >
Pseudorandom Generators
seed
Gfi
PseudoRandom bits b1,b2,…
The output of Gfi has small time-bounded K-complexity.
Eric Allender: Zero Knowledge and Circuit Minimization
< 20 >
Pseudorandom Generators
seed
Gfi
PseudoRandom bits b1,b2,…
The output of Gfi has small time-bounded K-complexity.
KT(x) ≈ Circuit.size(x).
Eric Allender: Zero Knowledge and Circuit Minimization
< 21 >
Pseudorandom Generators
seed
Gfi
PseudoRandom bits b1,b2,…
The output of Gfi has small time-bounded K-complexity.
KT(x) ≈ Circuit.size(x).
Most x require very large circuits.
Eric Allender: Zero Knowledge and Circuit Minimization
< 22 >
Pseudorandom Generators
seed
Gfi
PseudoRandom bits b1,b2,…
The output of Gfi has small time-bounded K-complexity.
KT(x) ≈ Circuit.size(x).
Most x require very large circuits.
MCSP gives us a great test T to distinguish random
and pseudorandom strings.
Eric Allender: Zero Knowledge and Circuit Minimization
< 23 >
Pseudorandom Generators
seed
Gfi
PseudoRandom bits b1,b2,…
Specifically, the set
T = {x | Circuit.Size(x) >√|x|}
is computable relative to MCSP
and breaks all pseudorandom generators.
Eric Allender: Zero Knowledge and Circuit Minimization
< 24 >
Pseudorandom Generators
seed
Gfi
PseudoRandom bits b1,b2,…
Specifically, the set
T = {x | Circuit.Size(x) >√|x|}
is computable relative to MCSP
and breaks all pseudorandom generators.
Thus Probx[fi(NMCSP(i,fi(x))) = f(x)] > 1/poly.
Eric Allender: Zero Knowledge and Circuit Minimization
< 25 >
Pseudorandom Generators
seed
Gfi
PseudoRandom bits b1,b2,…
This idea was used before, to show:
Factoring is in ZPPMCSP
Discrete Log is in BPPMCSP
Closest Vector Problem is in BPPMCSP
We suspect that these are crypto-secure.
Eric Allender: Zero Knowledge and Circuit Minimization
< 26 >
Reducing GI to MCSP

The main idea of the reduction is to follow this
same approach, using a function that has
never seemed like a good candidate for a oneway function.
Eric Allender: Zero Knowledge and Circuit Minimization
< 27 >
Our Indexed Family of Functions

Given graph H and permutation π, let
fH(π) = π(H).

To find out if G and H are isomorphic:
– Pick a random permutation π.
– Run NMCSP(H, π(G)) and obtain output β.
– Accept if π(G) = β(H).

If G and H are isomorphic, this accepts with
probability 1/poly(n).

QED!
Eric Allender: Zero Knowledge and Circuit Minimization
< 28 >
Zero Knowledge

The Graph Isomorphism problem was one of
the first few problems known to have a Zero
Knowledge Interactive Proof.
Eric Allender: Zero Knowledge and Circuit Minimization
< 29 >
Zero Knowledge

The Graph Isomorphism problem was one of
the first few problems known to have a Zero
Knowledge Interactive Proof.
coNP
NP
MCSP
GI
SZK
Eric Allender: Zero Knowledge and Circuit Minimization
< 30 >
Some facts about SZK

SZK is contained in NP/poly ∩ coNP/poly.

There are complete problems for SZK.

…but in order to introduce these complete
problems, we need to talk about “promise
problems”.
Eric Allender: Zero Knowledge and Circuit Minimization
< 31 >
Promise Problems
Yes
No
Ordinary decision problems.
Eric Allender: Zero Knowledge and Circuit Minimization
< 32 >
Promise Problems
Yes
No
Ordinary decision problems.
Yes
Don’t Care
No
Promise Problems.
Eric Allender: Zero Knowledge and Circuit Minimization
< 33 >
Statistical Difference

The “standard” complete promise problem for
SZK is Statistical Difference (SD).

The inputs to SD are pairs of circuits (C,D); we
view the circuits as representing probability
distributions, where ProbC(y) is the probability,
over x chosen uniformly at random, that
C(x)=y.

The Yes Instances of SD are (C,D) such that
these probability distributions are quite close.

The No Instances of SD are (C,D) where the
distributions are far apart.
Eric Allender: Zero Knowledge and Circuit Minimization
< 34 >
Image Intersection Density

We will actually use a restricted version of SD,
called Image Intersection Density (IID). The
Yes instances look the same as in SD.

The No instances are pairs (C,D) such that,
with probability exponentially close to 1 (over
randomly chosen x) C(x) is not in the image of
D.

IID was shown by [Ben-Or, Gutfreund] to be
complete for a subclass of SZK, which was
subsequently shown to coincide with SZK
[Chailloux, Ciodan, Kerenidis, Vadhan].
Eric Allender: Zero Knowledge and Circuit Minimization
< 35 >
Reducing SZK to MCSP

For any circuit C, let FC(x) = C(x). These are
the “one-way functions” that we’ll try to invert,
with MCSP as an oracle.

Given a pair (C,D), repeat the following K
times:
– Pick x at random, and compute y=C(x).
– Run NMCSP(D, y) and obtain output z.
– Accept if D(z) = y.

On Yes instances, we expect K/poly
acceptances,
Eric Allender: Zero Knowledge and Circuit Minimization
< 36 >
Reducing SZK to MCSP

For any circuit C, let FC(x) = C(x). These are
the “one-way functions” that we’ll try to invert,
with MCSP as an oracle.

Given a pair (C,D), repeat the following K
times:
– Pick x at random, and compute y=C(x).
– Run NMCSP(D, y) and obtain output z.
– Accept if D(z) = y.

On Yes instances, we expect K/poly
acceptances, on No instances we expect K/2n.
Eric Allender: Zero Knowledge and Circuit Minimization
< 37 >
Reducing SZK to MCSP

For any circuit C, let FC(x) = C(x). These are
the “one-way functions” that we’ll try to invert,
with MCSP as an oracle.

Given a pair (C,D), repeat the following K
times:
– Pick x at random, and compute y=C(x).
– Run NMCSP(D, y) and obtain output z.
– Accept if D(z) = y.

On Yes instances, we expect K/poly
acceptances, on No instances we expect K/2n.
Eric Allender: Zero Knowledge and Circuit Minimization
< 38 >
How hard is MCSP?
Eric Allender: Zero Knowledge and Circuit Minimization
< 39 >
How hard is MCSP?

[Kabanets, Cai] showed that if MCSP were
NP-complete under “natural” ≤m reductions,
then BPP=P.

This is not evidence against being NPcomplete, but it is evidence that it might be
hard to prove.

Vinodchandran considered SNCMP (like
MCSP but for “strong nondeterministic
circuits”); it will be a breakthrough if GI
reduces to SNCMP under “natural” reductions.

…but our argument provides an RP-reduction!
Eric Allender: Zero Knowledge and Circuit Minimization
< 40 >
Open Questions

Is GI in ZPPMCSP?

…or in PMCSP?

…or is MCSP NP-hard, perhaps under P/poly
reductions?
– Note in this regard, that the “Minimum QBF
Circuit Size Problem” is complete for
PSPACE under P/poly reductions, and
analogous results hold for other classes.
Eric Allender: Zero Knowledge and Circuit Minimization
< 41 >
Open Questions

Or is there a promise problem related to
MCSP that is complete for SZK?

Consider the promise problem that has:
– Yes instances: {x | Circuit.Size(x) >√|x|}
– No instances: {x | Circuit.Size(x) <|x|1/4}
 Can
this problem be in SZK? Or in some
other “nearby” class?
Eric Allender: Zero Knowledge and Circuit Minimization
< 42 >
Thank you!
Eric Allender: Zero Knowledge and Circuit Minimization
< 43 >