


Prof. Salil Vadhan, Computer Science, Computational Complexity, Average-Case Complexity, Low-Degree Extensions, Harvard, Lecture Notes



CS221: Computational Complexity Prof. Salil Vadhan
11/27 Scribe: Saurabh Sanghvi
1 Recap
2 Main Result
3 Multilinear Extension
Today we will finish up our coverage of average-case complexity with a proof of the theorem stated last time, which effectively gave an example of a problem that is hard in the average-case if it is hard in the worst-case.
Last time, we defined the problem Modular Permanent as follows:
We are in the process of relating the worst-case complexity of this problem to its average-case complexity under the distribution $\mu_{k,p}$, the uniform distribution over $M \in \mathbb{Z}_p^{k \times k}$.
Theorem 1 If there exists a probabilistic polynomial time (PPT) algorithm A such that $\Pr_{M \leftarrow \mu_{k,p}}[A(1^k, 1^p, M) \neq \mathrm{Perm}(M) \bmod p] \le \frac{1}{3(k+1)}$, then there exists a PPT algorithm B such that for every $M \in \mathbb{Z}_p^{k \times k}$, $\Pr_{\text{coins of } B}[B(1^k, 1^p, M) \neq \mathrm{Perm}(M) \bmod p] \le 1/3$.
In particular, we'd have that ModPerm ∈ BPP, and thus $P^{\#P} = BPP$. (We proved ModPerm was #P-hard last class.) Note that this theorem is usually read negatively: since we don't believe these consequences hold, it is unlikely such an A exists. The proof of this theorem follows (as shown in the last class) from this more general one, which we will now prove:
Theorem 2 For $\mathbb{F}$ a finite field with $|\mathbb{F}| \ge d + 2$, given oracle access to $f : \mathbb{F}^m \to \mathbb{F}$ disagreeing with some polynomial $p : \mathbb{F}^m \to \mathbb{F}$ of degree $\le d$ in fewer than a $\frac{1}{3(d+1)}$ fraction of the points in $\mathbb{F}^m$, one can compute p everywhere with high probability in time $\mathrm{poly}(d, m, \log |\mathbb{F}|)$.
Proof: The basic method we will use is called random self-reducibility—the process of taking an algorithm that works on random points and making it work at an arbitrary point.
More specifically, what is going to happen here is that we have a polynomial defined over an $\mathbb{F}^m$ hypercube, and we want to evaluate the polynomial at any given point, using an oracle that errs on a certain percentage of them. The strategy is to pick a random line coming out of the point. Since the points on this line are uniformly random, with high probability we'll be able to evaluate the polynomial at sufficiently many points along the line. But since they are still related in this close way to the original point, using the value of the polynomial at those points we can interpolate and get the polynomial at the desired point.
Use the following algorithm to compute p(x), given an oracle for f:
$\ell : \mathbb{F} \to \mathbb{F}^m$, $\ell(t) = x + ty$.
$f(\ell(1)), \ldots, f(\ell(d + 1))$.
Before we formally analyze this proof, one should note the use of two key observations early on that gave us this algorithm:
1. $p(\ell(t))$ is a univariate polynomial of t that has degree d. This is clear because p is a polynomial of n variables with degree at most d, and $\ell$ is linear, and so plugging in $\ell$ will not increase the degree. This is critical because basically we are trying to capture this polynomial with q to get p(x), without knowing p in general, and so we need it to have a particular low degree.
2. $\ell(i)$ is uniformly random in $\mathbb{F}^m$. Granted, since each point lies on the same line they are very correlated and not independent, but still y is a completely random direction, and so each point x + ty is random. This property is critical to ensuring the likelihood that we can get $p(\ell(t))$.
Another note: the choice of 1, ..., d + 1 as the points to be queried in step 3 was arbitrary; we just needed d + 1 distinct points in the field.
To analyze this, we want to bound the probability this algorithm fails, i.e., $\Pr[q(0) \neq p(x)]$. The following does just that:
$$\Pr[q(0) \neq p(x)] \le \Pr[\exists i \in \{1, \ldots, d+1\} \text{ such that } f(\ell(i)) \neq p(\ell(i))] \qquad (1)$$
$$\le (d + 1) \cdot \frac{1}{3(d + 1)}$$
(1) clearly holds because if in fact for all i, $f(\ell(i)) = p(\ell(i))$, then clearly we will succeed because we will be able to recover $p(\ell(t))$ (by Observation 1) and so will correctly calculate $p(x) = p(\ell(0))$. Thus, the probability of failure is at most the probability that one $f(\ell(i))$ is wrong.
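The random-line reduction analyzed above, as an added example that is not part of the original notes. The steps are taken from the surrounding description (random direction y, queries at t = 1, ..., d + 1, interpolation, output q(0)). The field GF(101), the polynomial p, the faulty oracle f and the majority-vote amplification in self_correct are assumptions constructed for the demonstration.

```python
import random
from collections import Counter

P, D = 101, 3  # constructed parameters: field GF(101), degree bound d = 3

def interpolate_at_zero(points, P):
    """Return q(0) for the unique polynomial q of degree <= len(points)-1
    through the given (t, value) pairs over GF(P) (Lagrange interpolation)."""
    total = 0
    for i, (ti, vi) in enumerate(points):
        num = den = 1
        for j, (tj, _) in enumerate(points):
            if i != j:
                num = num * (-tj) % P
                den = den * (ti - tj) % P
        total = (total + vi * num * pow(den, -1, P)) % P
    return total

def self_correct_once(f, x, d, P, rng):
    """One run: random direction y, query f on l(t) = x + t*y for t = 1..d+1,
    interpolate q, output q(0). Correct whenever all d+1 answers are correct."""
    y = [rng.randrange(P) for _ in x]
    queries = []
    for t in range(1, d + 2):
        point = tuple((xi + t * yi) % P for xi, yi in zip(x, y))
        queries.append((t, f(point)))
    return interpolate_at_zero(queries, P)

def self_correct(f, x, d, P, trials=31, seed=0):
    """Added amplification: majority vote over runs, each wrong w.p. <= 1/3."""
    rng = random.Random(seed)
    votes = Counter(self_correct_once(f, x, d, P, rng) for _ in range(trials))
    return votes.most_common(1)[0][0]

def p(z):
    """Constructed degree-3 polynomial in m = 3 variables."""
    a, b, c = z
    return (a * b * c + 2 * a * a + 5 * c + 7) % P

def f(z):
    """Constructed faulty oracle: wrong on a 4/101 fraction of points,
    below the 1/(3(d+1)) = 1/12 threshold of Theorem 2."""
    a, b, c = z
    bad = (a + 3 * b + 7 * c) % P < 4
    return (p(z) + 1) % P if bad else p(z)

if __name__ == "__main__":
    x = (1, 0, 0)  # a point where the oracle itself is wrong
    print("f(x) =", f(x), " p(x) =", p(x), " recovered =", self_correct(f, x, D, P))
```

Each run fails with probability at most (d + 1) · 4/101 = 16/101 by the union bound in (1), so the majority over independent runs recovers p(x) even at points where f itself is wrong.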
Corollary 4 If PSPACE ≠ BPP (or EXP ≠ BPP), then PSPACE (respectively, EXP) has a problem which is hard on average with respect to the uniform distribution. (That is, there will not be a PPT algorithm A solving the problem with error $\le \frac{1}{p(n)}$ for some polynomial p.)
Proof:
Let f ∈ PSPACE\BPP. Then $\hat{f}$ ∈ PSPACE\BPP: $\hat{f}$ ∈ PSPACE because $\hat{f} \in \mathrm{PSPACE}^f$, and $\hat{f} \notin$ BPP because f reduces to $\hat{f}$. This means that $\hat{f}$ is hard in the worst case.
But if there were to exist a PPT algorithm A such that $\Pr_x[A(x) \neq \hat{f}(x)] \le \frac{1}{3(n+1)}$, then by Theorem 2 we would have that $\hat{f}$ ∈ BPP. Contradiction, and so $\hat{f}$ is hard on average.
(Note that the application of Theorem 2 requires that the degree of $\hat{f}$ is at most n.)
So with this corollary we now know how to relate average case with uniform distribution to the worst case, for #P and above. (The corollary won't work with anything lower, of course, because then we won't be able to conclude that $\hat{f}$ is in that lower class, since at best we know $\hat{f} \in P^{\#P^f}$.)
A reasonable question to ask here is: what about NP? As mentioned before, cryptography is very interested in the average case, and so a similar result for NP would be most useful. Unfortunately, this is still an open problem. Ajtai in 1997 gave a worst-case/average-case equivalence for lattice problems (given an n-dimensional lattice L, find an approximately shortest vector in L), which are in NP but not known to be NP-complete (but the problems still appear to be hard; they are not known to be in BPP).
Looking back over these results, two points to take away are the important roles played by algebra and randomization:
Needless to say, these two tools show up together in many more parts of complexity theory, as we will see.