SECURITY and CRYPTOGRAPHY 15-827
9 OCT 01
Lecture #7
M.B. 4615 Wean

Recall HW 2. Come up with an original PHONOID. More specifically, come up with 10 original PHONOIDS, but show me your best. Be prepared to exhibit your protocol in class on Tue October 9.

Did anyone come up with a protocol that does NOT require any arithmetic at all? (Is such a protocol even possible? Yes!)

Q: What is Gaussian Elimination?
A: It is an efficient (i.e. poly-time) linear equation solver.
   :... in size of input, always!

Q: What is Gaussian Elimination with Errors (GEWE)?
A: Informally, GAUSSIAN ELIMINATION WITH ERRORS (GEWE) is the problem of solving poly(n) equations in n unknowns when some fraction, say 10%, of the equations have an error.
A: Formally, there is the GEWE SEARCH/OPTIMIZATION problem and the GEWE DECISION problem:

The GEWE SEARCH/OPTIMIZATION problem:
INPUT: poly(n) linear equations in n unknowns over finite field F.
OUTPUT: an assignment of values from F to the n unknowns that maximizes the number of equations that are satisfied.

The GEWE DECISION problem:
INSTANCE: poly(n) linear equations in n unknowns over finite field F; and a positive integer k.
QUESTION: Is there an assignment of values of F to the n unknowns that satisfies at least k of the equations?

THEOREM: The GEWE search problem is poly-time equivalent to the GEWE decision problem. This means that there exists a poly-time algorithm to solve (either) one, given an oracle for the other. As a consequence, a poly-time algorithm for one implies a poly-time algorithm for the other.

PROOF:
1. The decision problem reduces to the search problem, i.e. there is a poly-time reduction from the decision problem to the search problem. This means that there is an algorithm for the decision problem that works by making calls to an oracle for the search problem. This decision algorithm runs in poly time, counting one step for each atomic operation and one step for each call to the oracle.
2. The search problem reduces to the decision problem. How? Use the decision oracle to determine the maximum k for which the answer is YES. Then use it to eliminate equations outside that set of k equations. Finally, use Gaussian Elimination (withOUT errors) to find a satisfying assignment, i.e. an assignment of values of F to the variables that satisfies the k (remaining) equations.
QED

THEOREM: GEWE is NP-complete.

PROOF:
1. GEWE is in NP. This means that there is a polynomial length proof (as usual, polynomial means polynomial in the input length) when the answer is YES. (The TIME to find the proof is permitted to be exponential, but the LENGTH of the proof must be polynomial.)
2. 3SAT is poly-time reducible to GEWE. Simpler to use the known fact that 3SAT is poly-time reducible to MAX 2-SAT, and then show that MAX 2-SAT is poly-time reducible to GEWE.

MAX 2-SAT (Decision problem)
INSTANCE: n variables; poly(n) clauses, each clause containing 2 literals, each literal being one of the n variables or its complement; and a positive integer k.
QUESTION: Is there a truth assignment (an assignment of True and False) to the variables that satisfies at least k of the clauses?

NOTE: MAX 3-SAT is clearly NP-complete. It is in NP (Why?) and 3SAT is poly-time reducible to MAX 3-SAT (Why?). On the other hand, it is less clear that MAX 2-SAT is NP-complete since 2SAT is in P.

PROOF that MAX 2-SAT is poly-time reducible to GEWE:
We prove this for the case that F = GF(2), the integers under addition and multiplication mod 2. The proof for more general fields is similar. Initially, we permit ourselves multiple copies of an equation. Later, we remove this flexibility.

IDEA: Map each clause {x,y} to the 3 equations: x=1, y=1, x+y=1. Note that any assignment of the variables to elements of GF(2) satisfies either 0 or 2 of these 3 equations (satisfying exactly 1 or exactly 3 is impossible). Similarly, map {x,y'} to x=1, y=0, x+y=0, and so on.
Now observe that k of these 2-SAT clauses can be satisfied iff 2k of the linear equations can be satisfied. Details?
QED

Since GEWE is NP-complete, it must be hard to decide at least SOME instances of GEWE. It is conceivable, however, that GEWE is easy to solve on random instances. What we REALLY want is a probability distribution on the instances, and a proof that random instances are hard. This means that if P != NP, then no algorithm can solve some small fraction, say 1/10 or 1 in poly, of GEWE problems in polynomial time. A proof of the above UNIFORM HARDNESS would be a great PhD thesis.

An alternative Black Box description of the above problem:
A Black Box (BB) contains unknown private constants a1,...,an of the finite field F. When a button on the BB is pressed, the box selects x1,...,xn uniformly at random from F and computes b = a1*x1 + ... + an*xn. BB then tosses a weighted coin. With probability .9 the coin comes up Heads and BB outputs b. Else (with probability .1) the coin comes up Tails, in which case BB outputs a random element of F.

Possibly related but surely not the same thing is Johan Hastad's inapproximability result:

Reading: Johan Hastad, "Some optimal inapproximability results," in Proc of the 29th ACM STOC (Symposium on Theory of Computing), pp. 1-10, El Paso, Texas, 4-6 May 1997.

ABSTRACT: We prove optimal, up to an arbitrary epsilon > 0, inapproximability results for Max-Ek-Sat for k >= 3 and optimizing the number of satisfied linear equations modulo a prime p. Max-Ek-Sat is the variant of CNF-Sat where each clause is of length exactly k. As a consequence of these results we get improved lower bounds for many problems studied previously. In particular, for Max-E2-Sat, Max-Cut, Max-Di-Cut and Vertex cover. For Max-E2-Sat the obtained lower bound is essentially 22/21 ~ 1.047 while the strongest upper bound is around 1.074.
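The "Details?" left open in the MAX 2-SAT to GEWE proof above can be checked mechanically. The following Python is an added example, not part of the lecture notes: it builds the three GF(2) equations per clause and confirms by brute force that every assignment satisfies exactly twice as many equations as clauses. The function names, the clause encoding and the sample instance are assumptions of this sketch.

```python
from itertools import product

# Equation over GF(2): (coeffs, rhs), meaning sum(coeffs[i] * x[i]) mod 2 == rhs.
# Literal: (variable index, True if uncomplemented). Clause: a pair of literals
# on two distinct variables (an assumption of this sketch).

def clause_to_equations(clause, n):
    """Map clause {l1, l2} to l1 = 1, l2 = 1, l1 + l2 = 1, written in the
    variables: a complemented literal y' equals y + 1, which flips the rhs."""
    (i, pos_i), (j, pos_j) = clause
    unit = lambda v: [int(t == v) for t in range(n)]
    pair = [a ^ b for a, b in zip(unit(i), unit(j))]
    return [(unit(i), int(pos_i)),                         # l1 = 1
            (unit(j), int(pos_j)),                         # l2 = 1
            (pair, 1 ^ int(not pos_i) ^ int(not pos_j))]   # l1 + l2 = 1

def reduce_max2sat_to_gewe(clauses, n, k):
    """MAX 2-SAT instance (clauses, k) -> GEWE instance (equations, 2k).
    Repeated equations are kept, as the proof initially permits."""
    return [eq for cl in clauses for eq in clause_to_equations(cl, n)], 2 * k

def satisfied_equations(eqs, x):
    return sum(sum(c * v for c, v in zip(co, x)) % 2 == rhs for co, rhs in eqs)

def satisfied_clauses(clauses, x):
    return sum(any(x[v] == int(pos) for v, pos in cl) for cl in clauses)

def check_reduction(clauses, n):
    """Brute-force check: every assignment satisfies exactly twice as many
    equations as clauses, so 'k clauses' and '2k equations' are equivalent."""
    eqs, _ = reduce_max2sat_to_gewe(clauses, n, 0)
    return all(satisfied_equations(eqs, x) == 2 * satisfied_clauses(clauses, x)
               for x in product((0, 1), repeat=n))

def best(count, items, n):
    """Maximum of count(items, x) over all 2^n assignments x."""
    return max(count(items, x) for x in product((0, 1), repeat=n))

# Constructed sample: 3 variables; the first four clauses cannot all hold.
CLAUSES = [((0, True), (1, True)), ((0, False), (1, True)),
           ((0, True), (1, False)), ((0, False), (1, False)),
           ((1, True), (2, False))]

if __name__ == "__main__":
    eqs, target = reduce_max2sat_to_gewe(CLAUSES, 3, 4)
    print(check_reduction(CLAUSES, 3), best(satisfied_clauses, CLAUSES, 3),
          best(satisfied_equations, eqs, 3), target)
```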
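Step 2 of the search/decision equivalence proof above (find the maximum k, eliminate equations outside the satisfied set, then run ordinary Gaussian elimination) can be traced on a small instance. This Python is an added example, not part of the lecture notes: it works over GF(2), and a brute-force routine stands in for the decision oracle, so only the number of oracle calls is polynomial. All names and the sample system are assumptions of this sketch.

```python
from itertools import product

def n_satisfied(eqs, x):
    return sum(sum(c * v for c, v in zip(co, x)) % 2 == b for co, b in eqs)

def decision_oracle(eqs, n, k):
    """Stand-in for the GEWE decision oracle (brute force, so exponential):
    is there an assignment satisfying at least k of the equations?"""
    return any(n_satisfied(eqs, x) >= k for x in product((0, 1), repeat=n))

def gauss_gf2(eqs, n):
    """Gaussian elimination (without errors) over GF(2) on a consistent
    system; free variables are set to 0."""
    rows = [list(co) + [b] for co, b in eqs]
    pivots = []
    for col in range(n):
        r = len(pivots)
        p = next((i for i in range(r, len(rows)) if rows[i][col]), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][col]:
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[r])]
        pivots.append(col)
    x = [0] * n
    for r, col in enumerate(pivots):
        x[col] = rows[r][n]
    return x

def search_via_decision(eqs, n):
    # Step 1: the maximum k for which the oracle answers YES.
    k = max(t for t in range(len(eqs) + 1) if decision_oracle(eqs, n, t))
    # Step 2: drop each equation whose removal still leaves a YES for k.
    kept = list(range(len(eqs)))
    for i in range(len(eqs)):
        if decision_oracle([eqs[j] for j in kept if j != i], n, k):
            kept.remove(i)
    # Step 3: exactly k mutually consistent equations remain; solve them.
    return k, gauss_gf2([eqs[j] for j in kept], n)

# Constructed sample over GF(2), n = 3: six equations agree with (1, 0, 1),
# the last two carry an error.
SAMPLE = [([1, 0, 0], 1), ([0, 1, 0], 0), ([0, 0, 1], 1), ([1, 1, 0], 1),
          ([0, 1, 1], 1), ([1, 0, 1], 0), ([1, 1, 1], 1), ([1, 1, 0], 0)]

if __name__ == "__main__":
    print(search_via_decision(SAMPLE, 3))
```

After step 2 every surviving equation is necessary for reaching k, which forces exactly k survivors that are simultaneously satisfiable; that is why error-free Gaussian elimination suffices in step 3.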