PCPs and Instance Compression from a Cryptographic Lens

Modern cryptography fundamentally relies on the assumption that the adversary trying to break the scheme is computationally bounded. This assumption lets us construct cryptographic protocols and primitives that are known to be impossible otherwise. In this work we explore the effect of bounding the adversary\u27s power in other information theoretic proof-systems and show how to use this assumption to bypass impossibility results. We first consider the question of constructing succinct PCPs. These are PCPs whose length is polynomial only in the length of the original NP witness (in contrast to standard PCPs whose length is proportional to the non-deterministic verification time). Unfortunately, succinct PCPs are known to be impossible to construct under standard complexity assumptions. Assuming the sub-exponential hardness of the learning with errors (LWE) problem, we construct succinct probabilistically checkable arguments or PCAs (Zimand 2001, Kalai and Raz 2009), which are PCPs in which soundness is guaranteed against efficiently generated false proofs. Our PCA construction is for every NP relation that can be verified by a small-depth circuit (e.g., SAT, clique, TSP, etc.) and in contrast to prior work is publicly verifiable and has constant query complexity. Curiously, we also show, as a proof-of-concept, that such publicly-verifiable PCAs can be used to derive hardness of approximation results. Second, we consider the notion of Instance Compression (Harnik and Naor, 2006). An instance compression scheme lets one compress, for example, a CNF formula $\varphi$ on $m$ variables and $n \gg m$ clauses to a new formula $\varphi\u27$ with only $poly(m)$ clauses, so that $\varphi$ is satisfiable if and only if $\varphi\u27$ is satisfiable. Instance compression has been shown to be closely related to succinct PCPs and is similarly highly unlikely to exist. We introduce a computational analog of instance compression in which we require that if $\varphi$ is unsatisfiable then $\varphi\u27$ is effectively unsatisfiable, in the sense that it is computationally infeasible to find a satisfying assignment for $\varphi\u27$ (although such an assignment may exist). Assuming the same sub-exponential LWE assumption, we construct such computational instance compression schemes for every bounded-depth NP relation. As an application, this lets one compress $k$ formulas $\phi_1,\dots,\phi_k$ into a single short formula $\phi$ that is effectively satisfiable if and only if at least one of the original formulas was satisfiable

Compression via Matroids: A Randomized Polynomial Kernel for Odd Cycle Transversal

The Odd Cycle Transversal problem (OCT) asks whether a given graph can be made bipartite by deleting at most $k$ of its vertices. In a breakthrough result Reed, Smith, and Vetta (Operations Research Letters, 2004) gave a \BigOh(4^kkmn) time algorithm for it, the first algorithm with polynomial runtime of uniform degree for every fixed $k$. It is known that this implies a polynomial-time compression algorithm that turns OCT instances into equivalent instances of size at most \BigOh(4^k), a so-called kernelization. Since then the existence of a polynomial kernel for OCT, i.e., a kernelization with size bounded polynomially in $k$, has turned into one of the main open questions in the study of kernelization. This work provides the first (randomized) polynomial kernelization for OCT. We introduce a novel kernelization approach based on matroid theory, where we encode all relevant information about a problem instance into a matroid with a representation of size polynomial in $k$. For OCT, the matroid is built to allow us to simulate the computation of the iterative compression step of the algorithm of Reed, Smith, and Vetta, applied (for only one round) to an approximate odd cycle transversal which it is aiming to shrink to size $k$. The process is randomized with one-sided error exponentially small in $k$, where the result can contain false positives but no false negatives, and the size guarantee is cubic in the size of the approximate solution. Combined with an \BigOh(\sqrt{\log n})-approximation (Agarwal et al., STOC 2005), we get a reduction of the instance to size \BigOh(k^{4.5}), implying a randomized polynomial kernelization.Comment: Minor changes to agree with SODA 2012 version of the pape

Parameterized Algorithms on Perfect Graphs for deletion to (r,ℓ)(r,\ell)-graphs

For fixed integers $r,\ell \geq 0$, a graph $G$ is called an {\em $(r,\ell)$-graph} if the vertex set $V(G)$ can be partitioned into $r$ independent sets and $\ell$ cliques. The class of $(r, \ell)$ graphs generalizes $r$-colourable graphs (when $\ell =0)$ and hence not surprisingly, determining whether a given graph is an $(r, \ell)$-graph is \NP-hard even when $r \geq 3$ or $\ell \geq 3$ in general graphs. When $r$ and $\ell$ are part of the input, then the recognition problem is NP-hard even if the input graph is a perfect graph (where the {\sc Chromatic Number} problem is solvable in polynomial time). It is also known to be fixed-parameter tractable (FPT) on perfect graphs when parameterized by $r$ and $\ell$. I.e. there is an f(r+\ell) \cdot n^{\Oh(1)} algorithm on perfect graphs on $n$ vertices where $f$ is some (exponential) function of $r$ and $\ell$. In this paper, we consider the parameterized complexity of the following problem, which we call {\sc Vertex Partization}. Given a perfect graph $G$ and positive integers $r,\ell,k$ decide whether there exists a set $S\subseteq V(G)$ of size at most $k$ such that the deletion of $S$ from $G$ results in an $(r,\ell)$-graph. We obtain the following results: \begin{enumerate} \item {\sc Vertex Partization} on perfect graphs is FPT when parameterized by $k+r+\ell$. \item The problem does not admit any polynomial sized kernel when parameterized by $k+r+\ell$. In other words, in polynomial time, the input graph can not be compressed to an equivalent instance of size polynomial in $k+r+\ell$. In fact, our result holds even when $k=0$. \item When $r,\ell$ are universal constants, then {\sc Vertex Partization} on perfect graphs, parameterized by $k$, has a polynomial sized kernel. \end{enumerate

Succinct Interactive Oracle Proofs: Applications and Limitations

\textit{Interactive Oracle Proofs} (IOPs) are a new type of proof-system that combines key properties of interactive proofs and PCPs: IOPs enable a verifier to be convinced of the correctness of a statement by interacting with an untrusted prover while reading just a few bits of the messages sent by the prover. IOPs have become very prominent in the design of efficient proof-systems in recent years. In this work we study \textit{succinct IOPs}, which are IOPs in which the communication complexity is polynomial (or even linear) in the original witness. While there are strong impossibility results for the existence of succinct PCPs (i.e., PCPs whose length is polynomial in the witness), it is known that the rich class of NP relations that are decidable in small space have succinct IOPs. In this work we show both new applications, and limitations, for succinct IOPs: \begin{itemize} \item First, using one-way functions, we show how to compile IOPs into zero-knowledge \textit{proofs}, while nearly preserving the proof length. This complements a recent line of work, initiated by Ben~Sasson~\etal{}~(TCC, 2016B), who compile IOPs into super-succinct zero-knowledge \textit{arguments}. Applying the compiler to the state-of-the-art succinct IOPs yields zero-knowledge proofs for bounded-space NP relations, with communication that is nearly equal to the original witness length. This yields the shortest known zero-knowledge proofs from the minimal assumption of one-way functions. \item Second, we give a barrier for obtaining succinct IOPs for more general NP relations. In particular, we show that if a language has a succinct IOP, then it can be decided in \textit{space} that is proportionate only to the witness length, after a bounded-time probabilistic preprocessing. We use this result to show that under a simple and plausible (but to the best of our knowledge, new) complexity-theoretic conjecture, there is no succinct IOP for CSAT. \end{itemize

Instance Compression for the Polynomial Hierarchy and beyond

Abstract. We define instance compressibility ([1], [7], [5], [6] ) for parametric problems in P H and P SP ACE. We observe that the problem ΣiCircuitSAT of deciding satisfiability of a quantified Boolean circuit with i−1 alternations of quantifiers starting with respect to W-reductions, and that analogously the problem QBCSAT (Quantified Boolean Circuit Satisfiability) is complete for parametric problems in P SP ACE with respect to W-reductions. We show the following results about these problems: 1. CircuitSAT is non-uniformly compressible within NP implies ΣiCircuitSAT is non-uniformly compressible within NP, for any i ≥ 1. 2. If QBCSAT is non-uniformly compressible (or even if satisfiability of quantified Boolean CNF formulae is non-uniformly compressible), then P SP ACE ⊆ NP/poly and PH collapses to the third level. Next, we define Succinct IP and show that QBF ormulaSAT (Quantified Boolean Formula Satisfiability) is in Succinct IP. with an existential quantifier is complete for parametric problems in Σ p i

On Polynomial Kernels for Integer Linear Programs: Covering, Packing and Feasibility

We study the existence of polynomial kernels for the problem of deciding feasibility of integer linear programs (ILPs), and for finding good solutions for covering and packing ILPs. Our main results are as follows: First, we show that the ILP Feasibility problem admits no polynomial kernelization when parameterized by both the number of variables and the number of constraints, unless NP \subseteq coNP/poly. This extends to the restricted cases of bounded variable degree and bounded number of variables per constraint, and to covering and packing ILPs. Second, we give a polynomial kernelization for the Cover ILP problem, asking for a solution to Ax >= b with c^Tx <= k, parameterized by k, when A is row-sparse; this generalizes a known polynomial kernelization for the special case with 0/1-variables and coefficients (d-Hitting Set)