vs Algebraic Computational Problems Boaz Barak MSR New England Based on joint works with Benny Applebaum Guy Kindler David Steurer and Avi Wigderson Erd ő s Centennial Budapest July 2013 ID: 246229
Download Presentation The PPT/PDF document "On Combinatorial" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
On Combinatorial
vs AlgebraicComputational Problems
Boaz Barak – MSR New England
Based on joint works with Benny Applebaum, Guy Kindler, David Steurer, and Avi Wigderson
Erd
ő
s Centennial, Budapest, July 2013Slide2
Heuristic Classification of Computational Problems
“Combinatorial”
/ “Unstructured
”“Algebraic” / “structured”Boolean Satisfiability, Graph Coloring, Clique, Stable Set, …Integer Factoring, Primality
Testing, Discrete Logarithm, Matrix Multiplication, …Simple algorithms
(greedy, convex optimization, ….)Surprising algorithms
(cancellations, manipulations,…)
Either very easy or very hard
(NP-hard, “
)
Useful for
Private-Key Cryptography
Useful for (private and)
Public-Key Crypto
Often intermediate difficulty
(
subexp
, quantum,
)
Slide3
Heuristic Classification of Computational Problems
“Combinatorial”
/ “Unstructured
”“Algebraic” / “structured”Boolean Satisfiability, Graph Coloring, Clique, Stable Set, …Integer Factoring, Primality
Testing, Discrete Logarithm, Matrix Multiplication, …Simple algorithms
(greedy, convex optimization, ….)Surprising algorithms
(cancellations, manipulations,…)
Either very easy or very hard
(NP-hard, “
)
Useful for
Private-Key Cryptography
Useful for (private and)
Public-Key Crypto
Often intermediate difficulty
(
subexp
, quantum,
)
Unproven Thesis:
Classification
captures a real phenomena
.
For
many
“combinatorial”
problems,
“
best” algorithm is one of few possibilities.Slide4
Research QuestionsCan we make this classification formal?
Can we predict whether combinatorial problems are easy or hard?
Is there a general way to figure out the
optimal algorithm
for a combinatorial problem?
Could be particularly useful for
average-case
problems.
Is algebraic structure necessary for exponential quantum speedup?
What could we do with an 100
qubit
quantum computer?
Is algebraic structure necessary for public key cryptography?
Can we build public key cryptosystems resilient to quantum attacks?
Principled reasons to assume non-existence of surprising classical attacks?Slide5
This TalkCan we make this classification formal?
Can we predict whether combinatorial problems are easy or hard?
Is there a general way to figure out the
optimal algorithm
for a combinatorial problem?
Could be particularly useful for
average-case
problems.
Is algebraic structure necessary for exponential quantum speedup?
What could we do with an 100
qubit
quantum computer?
Is algebraic structure necessary for public key cryptography?
Can we build public key cryptosystems resilient to quantum attacks?
Principled reasons to assume non-existence of surprising classical attacks?
Phase
transition
between “combinatorial” and “algebraic”
regimes
“
meta-conjecture” on
optimal
algorithm for
random
constraint
satisfaction problems
.
[B-Kindler-
Steurer
‘13]
Construction
of
public key encryption
from random CSPs,
expansion
problems on graphs.
[
Applebaum
-B-
Wigderson
‘10]Slide6
Part I: Average-Case Complexity of Combinatorial Problems
Canonical way of showing hardness:
web of reductions
Almost no reductions for average-case complexity.Main Issue: Reductions don’t maintain natural input distributions.As a result, in average-case complexity we have a collection of problems with very few relations known between them(Integer Factoring, Random k-SAT, Planted Clique, Learning Parity with Noise, …)Reduction: Show problem A no harder than B, by mapping A-instance
to B-instance
s.t. solution for can be mapped back to sol’n for
Typically map from
to
introduces gadgets, grows instances size
In particular even if
is uniform,
is not.
A
solver
B
solver
Slide7
Alternative Approach to Showing HardnessInstead of conjecturing one problem hard and reducing
many problems to it…
Conjecture a single algorithm
is optimal for all problems in a large class
Reduces checking if
is hard or easy to analyzing
’s performance on
Main Challenge:
Can we find such conjecture that is both
true
and
useful
?
What
evidence
can support such a conjecture?
Attempt
[
B-Kindler-Steurer’13]
:
The
basic semi-definite program
is optimal for
random constraint satisfaction problems
.
Next:
Precise formulation
Applications
Evidence
Natural convex optimization
Generalization of
Lovász
function.
See also
[Raghavendra ‘08]Slide8
Optimal Algorithm for Random CSP’sPrototypical combinatorial problem:
Predicate
(e.g., for 3SAT) Instance of
: -tuples
of literals over variables
e.g
.,
where each
is some variable
or its negation
.
Random
:
chosen at
random
,
(
overconstrained
regime)
Relaxation for
:
Algorithm
s.t.
for all
Hypothesis
[B-Kindler-Steurer’13]
:
the Basic SDP relaxation
is the
tightest efficient relaxation
for
r
andom
:
efficient relaxation
and
it holds that
The probabilistic (
Erd
ő
s) method
non-constructively
Slide9
Optimal Algorithm for Random CSP’sPrototypical combinatorial problem:
Predicate
(e.g., for 3SAT) Instance of
: -tuples
of literals over variables
e.g
.,
where each
is some variable
or its negation
.
Random
:
chosen at
random
,
(
overconstrained
regime)
Relaxation for
:
Algorithm
s.t.
for all
Hypothesis
[B-Kindler-Steurer’13]
:
the Basic SDP relaxation
is the
tightest efficient relaxation
for
r
andom
:
efficient relaxation
and
it holds that
The probabilistic (
Erd
ő
s) method
non-constructively
Slide10
Instance of
: -tuples
of literals over
Relaxation:
s.t.
for all
Hypothesis
[B-Kindler-Steurer’13]
:
the Basic SDP relaxation
is the
tightest efficient relaxation
for
r
andom
:
efficient relaxation
and
it holds that
Hypothesis implies:
Random
is
hard to certify
iff
Theorem:
over
pairwise independent
dist
over
Predicate
3XOR
3SAT
MAX-CUT
Random instance:
Slide11
Instance of
: -tuples
of literals over
Relaxation:
s.t.
for all
Hypothesis
[B-Kindler-Steurer’13]
:
the Basic SDP relaxation
is the
tightest efficient relaxation
for
r
andom
:
efficient relaxation
and
it holds that
Hypothesis implies:
Random
is
hard to certify
iff
Theorem:
over
pairwise independent
dist
over
Predicate
3XOR
3SAT
MAX-CUT
Random instance:
Slide12
Hypothesis
[B-Kindler-Steurer’13]:
the Basic SDP relaxation is the tightest efficient relaxation for random Applications: Hardness of approx for Expanding Label Cover, Densest Subgraph, characterization of “approximation resistant” predicates.Evidence:
Coincides with Feige’s Hypothesis for 3-ary predicates.
Sometimes proven that potentially stronger algorithms
(SDP hierarchies) do not outperform Basic CSP.
Some
hardness of approximation “predictions”
verified.
[Chan ‘13]Slide13
Part II: Structure and Public Key CryptoPublic Key Cryptography (
Diffie-Hellman ‘76): Two parties can communicate confidentially without a shared secret keyAll widely deployed variants based on Integer Factoring
or related problems (RSA, discrete log, elliptic curve dlog, etc..).
Significant structure:Non-trivial algorithms (e.g., for factoring [Buhler-Lenstra-Pomerance ‘94]) Cannot be NP-hard (inside
or , etc..)
Quantum polynomial time algorithm
[
Shor
‘94]
.
Can
we be sure the current classical algorithms are optimal?
e.g.,
halving
the exponent for factoring will
square the key size
for RSA and will increase running time to
the 4
th to 6th
power.Slide14
Is Structure needed for Public Key Crypto?
Current best (only?) public-key alternative: Lattice-based crypto.
-hard
“unstructured” Useful for public key cryptoHardness of lattice problems for given approximation factor*
In
[
Goldreich
-Goldwasser 98,
Aharonov-Regev
‘04]
Polynomial time
Is there “combinatorial”/”unstructured” public-key crypto?
“structured”?
Perhaps give more confidence that known attacks are optimal?Slide15
Public-Key Crypto from Random 3SAT
Theorem 1
[Applebaum-B-Wigderson ’10]:
Can build public-key crypto from (problem related to) random 3SATHard?“unstructured”?Useful for PKC
In*
[Feige-Kim-
Ofek
‘06]
Polynomial time
“structured”?
Hardness of random 3SAT for given number of clauses*
Not a satisfactory answer….Slide16
Public-Key Crypto from Random 3SAT
Theorem 1
[Applebaum-B-Wigderson ’10]:
Can build public-key crypto from (problem related to) random 3SATHardness of random 3SAT for given number of clauses*Hard?“unstructured”?Useful for PKC
In*
[Feige-Kim-
Ofek
‘06]
Polynomial time
“structured”?
Not a satisfactory answer….Slide17
Hard?
“unstructured”?
Useful for PKC
In*
[Feige-Kim-Ofek ‘06]
Polynomial time
“structured”?
Theorem 2
[
Applebaum
-B-
Wigderson
’10]
:
Can build PKC from
(problem related to)
random 3SAT in
“unstructured regime”
and
random
“unbalanced expansion”
problem.
No known
attacks on the “unbalanced expansion” problem
…but structure and critical parameters are yet to be fully understood.
Not (yet?) a satisfactory answer….Slide18
(Some of the many) Open QuestionsJustify/refute intuition that some classes of problems have
single optimal algorithm.
Find
more “meta-conjectures” on optimal algorithms.
Vefirify
/refute
hardness-of-
approx
predictions
of [BKS] hypothesis.
More
candidate public key
cryptosystems..
.. and better ways to classify their “structure”.
Relations between structure and
quantum speedup
..
..candidate hard distributions for combinatorial problems with quantum speedup?
... in particular for
under-constrained
CSP’s (see
[
Achlioptas
Coja-Oghlan
‘12]
)