4.7 Random Oracles

Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

4.7 Random Oracles

Consider the class $c04-math-0835$ of all subsets of $c04-math-0836$ and define subclasses $c04-math-0837$ and $c04-math-0838$ . One of the approaches to study the relativized $c04-math-0839$ question is to compare the two subclasses $c04-math-0840$ and $c04-math-0841$ to see which one is larger. In this subsection, we give a brief introduction to this study based on the probability theory on the space $c04-math-0842$ .

To define the notion of probability on the space $c04-math-0843$ , it is most convenient to identify each element $c04-math-0844$ with its characteristic sequence $c04-math-0845$ (i.e., the kth bit of α_X is 1 if and only if the kth string of $c04-math-0849$ , under the lexicographic ordering, is in X) and treat $c04-math-0851$ as the set of all infinite binary sequences or, equivalently, the Cartesian product $c04-math-0852$ . We can define a topology on $c04-math-0853$ by letting the set {0,1} have the discrete topology and forming the product topology on $c04-math-0855$ . This is the well-known Cantor space. We now define the uniform probability measure μ on $c04-math-0857$ as the product measure of the simple equiprobable measure on {0,1}, that is, $c04-math-0859$ . In other words, for any integer n ≥ 1, the nth bit of a random sequence $c04-math-0862$ has the equal probability to be 0 or 1. If we identify each real number in $c04-math-0863$ with its binary expansion, then this measure μ is the Lebesgue measure on $c04-math-0865$ .⁵

For any $c04-math-0867$ , let Γ_u be the set of all infinite binary sequences that begin with u, that is, $c04-math-0870$ . Each set Γ_u is called a cylinder. All cylinders Γ_u, $c04-math-0873$ , together form a basis of open neighborhoods of the space $c04-math-0874$ (under the product topology). It is clear that $c04-math-0875$ for all $c04-math-0876$ . The smallest σ-field containing all Γ_u, for all $c04-math-0879$ , is called the Borel field.⁶ Each set in the Borel field, called a Borel set, is measurable.

The question of which of the two subclasses $c04-math-0881$ and $c04-math-0882$ is larger can be formulated, in this setting, as to whether $c04-math-0883$ is greater than $c04-math-0884$ . In the following, we show that $c04-math-0885$ .

An important idea behind the proof is Kolmogorov's zero–one law of tail events, which implies that if an oracle class is insensitive to a finite number of bit changes, then its probability is either zero or one. This property holds for the classes $c04-math-0886$ and $c04-math-0887$ as well as most other interesting oracle classes.

Theorem 4.18

Proof

Now we prove the main result of this section.

Theorem 4.19

Proof

Let $c04-math-0916$ . It is obvious that $c04-math-0917$ for all oracles B. We need to show that $c04-math-0919$ only for a small set of oracles B of probability zero. In the following, for any event E, we write $c04-math-0922$ to denote $c04-math-0923$ .

In order to show that $c04-math-0924$ , it suffices to show that for any fixed polynomial-time deterministic oracle TMM, the probability of M^B correctly computing L_B is zero, because there are only countably many such TMs. Assume that the time complexity of M is bounded by a polynomial function p, and assume that $c04-math-0930$ for all n ≥ 0. For any integer n ≥ 0, we let $c04-math-0933$ denote the set of oracles B such that M^B computes correctly the membership of 0ⁿ in L_B, that is, $c04-math-0938$ accepts $c04-math-0939$ . We are going to show that for any ε > 0, there exist integers $c04-math-0941$ such that $c04-math-0942$ . This implies $c04-math-0943$ and, hence, the theorem follows.

We identify each set $c04-math-0944$ with its characteristic sequence α_X. Let u be a string of length $c04-math-0947$ . Then, the cylinder Γ_u is the class of sets $c04-math-0949$ such that $c04-math-0950$ is fixed (by u). Note that the machine M, on input 0ⁿ, can only query the oracle about the membership of strings of length $c04-math-0954$ . Therefore, $c04-math-0955$ is the union of a finite number of cylinders Γ_u with $c04-math-0957$ .

Now we claim the following:

Claim. For any integer n such that $c04-math-0959$ , the conditional probability $c04-math-0960$ is at most 3/4 for all w of length $c04-math-0962$ .

In other words, if we fix the membership in the oracle B for all strings of length less than n, the probability is at least 1/4 that M^B will make a mistake on input 0ⁿ.

We first show why the theorem follows from the above claim. Let n and m satisfy the conditions $c04-math-0969$ , $c04-math-0970$ , and $c04-math-0971$ , and consider the probability of the event $c04-math-0972$ with respect to the condition Γ_u, where u is a string of length $c04-math-0975$ . We have observed that event $c04-math-0976$ is the union of a finite number of cylindersΓ_w with $c04-math-0978$ . Thus, for each u of length $c04-math-0980$ , either $c04-math-0981$ or $c04-math-0982$ . Let $c04-math-0983$ . Then, the claim implies that $c04-math-0984$ , and hence $c04-math-0985$ . Now, we have

Let k be large enough so that $c04-math-0988$ . We can choose k integers $c04-math-0990$ with $c04-math-0991$ for each $c04-math-0992$ , and $c04-math-0993$ for each $c04-math-0994$ , and repeat the above argument inductively to get

Therefore, the theorem follows from the claim.

It is left to prove the claim. Let n be an integer satisfying $c04-math-0997$ and w be a string of length $c04-math-0999$ . Define two sets of oracles $c04-math-1000$ and $c04-math-1001$ as follows: $c04-math-1002$ and $c04-math-1003$ unique x, $c04-math-1005$ . Note that $c04-math-1006$ for all $c04-math-1007$ and $c04-math-1008$ for all $c04-math-1009$ . For $c04-math-1010$ , let $c04-math-1011$ accepts $c04-math-1012$ . Then, the error probability of M on input 0ⁿ, relative to the condition Γ_w is at least $c04-math-1016$ , that is,

It is easy to check that

and

Both values approach $c04-math-1020$ as n approaches infinity. In particular, because $c04-math-1022$ and, hence, n > 3, we have $c04-math-1024$ .

What are the conditional accepting probabilities r₀ and r₁ of M? They depend on the machine M, and we cannot find an absolute upper or lower bound for them. However, we can show that for large n, r₀ and r₁ are very close toeach other. Intuitively, the machine M does not have enough resources to distinguish between an oracle B in $c04-math-1034$ and an oracle B^′in $c04-math-1036$ if they differ only at strings $c04-math-1037$ for some string x of length n, because M can query at most p(n) times and p(n) is much smaller than 2ⁿ. Formally, we define a random mapping f from $c04-math-1045$ to $c04-math-1046$ as follows: For each $c04-math-1047$ , choose a random y of length n and let $c04-math-1050$ . Now, with probability $c04-math-1051$ , the computation of $c04-math-1052$ does not query any string of the form $c04-math-1053$ , $c04-math-1054$ , and so $c04-math-1055$ . This implies that $c04-math-1056$ . More precisely, we treat f as a deterministic mapping from $c04-math-1058$ to $c04-math-1059$ : $c04-math-1060$ , where $c04-math-1061$ and $c04-math-1062$ , and consider the uniform probability distributions $c04-math-1063$ and $c04-math-1064$ on the spaces S₀ and S₁, respectively. This is a one-to-one mapping between the two spaces and, hence, preserving the probability measure. Let $c04-math-1067$ denote the event that the computation of $c04-math-1068$ does not query any string of the form $c04-math-1069$ for any $c04-math-1070$ . Note that

In addition, the event $c04-math-1072$ is obviously independent of the event of M^B accepting (or, rejecting) the input 0ⁿ. Thus, we have

Similarly, we have $c04-math-1076$ .

Now, substitute this to the error probability, we get

and the claim is proven.

The above type of random oracle separation results holds for many complexity classes. see Exercise 4.15 and Section 9.5.

4.8 Structure of Relativized NP

Although the meaning of relativized collapsing and relativized separation results is still not clear, many relativized results have been proven. These results show a variety of possible relations between the well-known complexity classes. In this section, we demonstrate some of these relativized results on complexity classes within NP to show what the possible relations are between P, NP, $c04-math-1078$ , and UP. The relativized results on the classes beyond the class NP, that is, those on NP, PH, and PSPACE, will be discussed in later chapters.

The proofs of the following results are all done by the stage-construction diagonalization. The proofs sometimes need to satisfy simultaneously two or more potentially conflicting requirements that make the proofs more involved.

Theorem 4.20

Proof

a: This can be done by a standard diagonalization proof. We leave it as an exercise (Exercise 4.16(a)).

b: Let $c04-math-1083$ be an effective enumeration of all polynomial-time oracle DTMs and $c04-math-1084$ an effective enumeration of all polynomial-time oracle NTMs. For any set B, let $c04-math-1086$ accepts x in j moves}. Then, by the relativized proofof Theorem 2.11, K_B is $c04-math-1091$ -complete for the class NP^B. Let $c04-math-1093$ . Then, it is clear that $c04-math-1094$ . We are going to construct a set B to satisfy the following requirements:

$c04-math-1096$ : for each x of length t, $c04-math-1099$ ,
$c04-math-1100$ : $c04-math-1101$ does not accept 0ⁿ.

Note that if requirements $c04-math-1103$ are satisfied for all t ≥ 1, then $c04-math-1105$ and, hence, $c04-math-1106$ , and if requirements $c04-math-1107$ are satisfied for all i ≥ 1, then $c04-math-1109$ and, hence, $c04-math-1110$ .

We construct set B by a stage construction. At each stage n, we will construct finite sets B_n and $c04-math-1114$ such that $c04-math-1115$ , $c04-math-1116$ , and $c04-math-1117$ for all n ≥ 1. Set B is define as the union of all B_n, n ≥ 0.

The requirement $c04-math-1122$ , t ≥ 1, is to be satisfied by direct diagonalization at stage 2t. The requirements $c04-math-1125$ , i ≥ 1, are to be satisfied by a delayed diagonalization in the odd stages. We always try to satisfy the requirement $c04-math-1127$ with the least i such that $c04-math-1129$ is not yet satisfied. We cancel an integer i when $c04-math-1131$ is satisfied. Before stage 1, we assume that $c04-math-1132$ and that none of integers i is cancelled.

At stage $c04-math-1134$ , we try to satisfy $c04-math-1135$ . For every x, $c04-math-1137$ , we determine whether $c04-math-1138$ . If yes, we let $c04-math-1139$ and $c04-math-1140$ ; if not, we search for a stringxy, $c04-math-1142$ , which is not in $c04-math-1143$ , and let $c04-math-1144$ and $c04-math-1145$ .

At stage $c04-math-1146$ , we try to satisfy $c04-math-1147$ for the least i that is not yet cancelled. If $c04-math-1149$ (where p_i is the runtime of M_i) or if there exists a string of length $c04-math-1152$ that is in $c04-math-1153$ , then we delay the diagonalization and go to the next stage (with $c04-math-1154$ and $c04-math-1155$ ). Otherwise, we simulate $c04-math-1156$ on input 0ⁿ. If $c04-math-1158$ accepts 0ⁿ, then we let $c04-math-1160$ ; if it rejects 0ⁿ, then we search for a sting z of length n that is not queried by the computation of $c04-math-1164$ and let $c04-math-1165$ . In either case, we add all strings of length $c04-math-1166$ that are queried in the computation of $c04-math-1167$ (and answered NO) to the set $c04-math-1168$ to form $c04-math-1169$ . (Note that we add at most $c04-math-1170$ strings to $c04-math-1171$ .)

From the above construction, it is clear that $c04-math-1172$ , $c04-math-1173$ , and $c04-math-1174$ for all n ≥ 1. We define $c04-math-1176$ .

We first claim that the above construction is well defined, that is, the searches for strings of the form xy in the even stages and searches for strings z in the odd stages always succeed. To see this, we observe that by stage $c04-math-1179$ , $c04-math-1180$ is of size $c04-math-1181$ , because in any earlier odd stage $c04-math-1182$ , we added less than $c04-math-1183$ strings to $c04-math-1184$ . Therefore, there must be at least a string of the form xy, with $c04-math-1186$ , that is not in $c04-math-1187$ . Similarly, at the beginning of stage $c04-math-1188$ , $c04-math-1189$ is empty, and the computation in stage n can query at most 2^t strings of length n, and so there must be at least a string z of length n not queried and not in $c04-math-1195$ .

Next we claim that each requirement $c04-math-1196$ is satisfied in stage $c04-math-1197$ . From our standard encoding of pairing functions, we know that if $c04-math-1198$ , then $c04-math-1199$ . Thus, whether $c04-math-1200$ depends only on the set $c04-math-1201$ . It follows that the simulation of $c04-math-1202$ in stage 2t is the same as the computation of $c04-math-1204$ because we never added new strings of length $c04-math-1205$ to B after stage 2t. We conclude that requirement $c04-math-1208$ is satisfied in stage 2t.

Finally, we check that each requirement $c04-math-1210$ is eventually satisfied. By induction, it is easy to see that each requirement $c04-math-1211$ eventually becomes vulnerable by some stage $c04-math-1212$ (i.e., $c04-math-1213$ , $c04-math-1214$ and i is the least uncancelled integer by stage n). At this stage n, we made sure that $c04-math-1218$ and also made sure that all strings of length $c04-math-1219$ that were queried by $c04-math-1220$ were reserved in $c04-math-1221$ . Therefore, $c04-math-1222$ . This shows that the requirement $c04-math-1223$ is satisfied by stage n.

c: We let $c04-math-1225$ and $c04-math-1226$ be the enumerations of deterministic and nondeterministic oracle machines as defined in part (b) above. We need to construct a set C to satisfy two requirements: (i) $c04-math-1228$ and (ii) $c04-math-1229$ . The first requirement can, similarly to part (b) above, be divided into an infinite number of subrequirements $c04-math-1230$ , i ≥ 1:

$c04-math-1232$ : $c04-math-1233$ rejects 0ⁿ,

where $c04-math-1235$ . ( $c04-math-1236$ is a standard pairing function encoding two integers into one.) The second requirement, however, cannot be divided into simple subrequirements involving oracle NTMs, because whether two oracle NTMs accept complementary sets is not a syntactic property that can be determined simply from their machine descriptions. Therefore, we only try to satisfy as many subrequirements as possible and then, at the end, use an indirect argument to show that the requirement (ii) is also satisfied. We definesubrequirements $c04-math-1237$ , $c04-math-1238$ , as follows:

$c04-math-1239$ : $c04-math-1240$ neither $c04-math-1241$ nor $c04-math-1242$ accepts x.

Note that if $c04-math-1244$ is satisfied for some pair $c04-math-1245$ , with $c04-math-1246$ , then $c04-math-1247$ , and so N_j and N_k do not accept complementary sets.

Let $c04-math-1250$ and $c04-math-1251$ . As in part (b), we are going to define set C_n in stage n to have the property that $c04-math-1254$ for all n ≥ 1. In addition, C_n is either equal to $c04-math-1257$ or is $c04-math-1258$ plus a single string of length e(n).

First, let Q be a PSPACE-complete set that has no string of length e(n) for any n ≥ 0. Note that from Theorem 4.14(a), we know that $c04-math-1263$ . In addition, if $c04-math-1264$ accepts some string x, then we can use oracle Q to find an accepting computation of $c04-math-1267$ in deterministic polynomial time (see Exercise 4.12). We let $c04-math-1268$ .

For each integer i > 0, let $c04-math-1270$ be a polynomial function bounding the runtimes of both M_i and N_i. A requirement $c04-math-1273$ is said to be vulnerable at stage n, if $c04-math-1275$ , and a requirement $c04-math-1276$ , with $c04-math-1277$ , is vulnerable at stage n if there exists a string x such that $c04-math-1280$ and neither $c04-math-1281$ nor $c04-math-1282$ accepts x. At stage n, we try to satisfy the requirement R_t with the least t such that R_t is uncancelled and vulnerable.

Case 1. No such t exists. We just let $c04-math-1289$ and go to the next stage.
Case 2. Such a t exists and $c04-math-1291$ for some i ≥ 1. Then, we simulate $c04-math-1293$ . If it accepts $c04-math-1294$ , then we let $c04-math-1295$ , else we search for a string z of length e(n) that was not queried in the computation of $c04-math-1298$ , and let $c04-math-1299$ . We cancel R_t.
Case 3. Such a t exists and $c04-math-1302$ with $c04-math-1303$ . We simply let $c04-math-1304$ and cancel R_t.

The above completes the construction of set $c04-math-1306$ . As in part (b), it is easy to verify that the search in Case 2 of each stage always succeeds since M_i only queries $c04-math-1308$ strings on input $c04-math-1309$ .

We first show that each requirement $c04-math-1310$ is eventually satisfied. Suppose otherwise and let i₀ be the least integer such that $c04-math-1312$ is not satisfied. Then, by some stage m, all requirements R_t with $c04-math-1315$ that are eventually satisfied are already cancelled and $c04-math-1316$ is vulnerable. So it will be attacked at stage m. By the construction in stage m, it is clear that $c04-math-1319$ behaves exactly the same as $c04-math-1320$ , and so $c04-math-1321$ would be satisfied. This is a contradiction.

Next, we show that if $c04-math-1322$ , then $c04-math-1323$ . We note that if $c04-math-1324$ had been cancelled, then there would be an x such that $c04-math-1326$ and $c04-math-1327$ (because all later stages do not affect the computations of $c04-math-1328$ and $c04-math-1329$ ). Therefore, $c04-math-1330$ . Thus, we know that $c04-math-1331$ has never been cancelled. We choose a large integer m satisfying the following properties:

For each $c04-math-1333$ , $c04-math-1334$ (therefore,there is at most one integer n satisfying $c04-math-1336$ ); and
All requirements $c04-math-1337$ , with $c04-math-1338$ less than $c04-math-1339$ , that are eventually cancelled are already cancelled by stage m.

We now describe a deterministic algorithm for S, using oracle C.

Algorithm for S. For any input x of length $c04-math-1345$ , we use a finite table to decide whether $c04-math-1346$ . For input x of length $c04-math-1348$ , we first find the least n such that $c04-math-1350$ . Note that $c04-math-1351$ . Then, we find set D of all strings w that were added to C in stages 1 to n − 1. This can be done by querying oracle C over all strings of length $c04-math-1357$ , $c04-math-1358$ , $c04-math-1359$ , $c04-math-1360$ . Note that we only make $c04-math-1361$ queries because $c04-math-1362$ .

Case 1. $c04-math-1363$ . Then, the computation of $c04-math-1364$ is the same as $c04-math-1365$ , because the computation cannot query any string of length $c04-math-1366$ . Thus, we can use oracle $c04-math-1367$ to decide whether $c04-math-1368$ accepts x:
First, we construct a new oracle NTM $c04-math-1370$ such that $c04-math-1371$ . Next notice that $c04-math-1372$ accepts z in t moves} is complete for NP^Q and, hence, in P^Q. So, we can query oracle Q to determine whether $c04-math-1379$ is in K_Q (which is equivalent to $c04-math-1381$ accepting x, or $c04-math-1383$ accepting x).
Case 2. . Then, we observe that either or accepts x, because otherwise would be the least uncancelled integer for which is vulnerable at stage n and would be cancelled. Note that , and we can, as in Case 1, determine whether accepts x or accepts x in time polynomial in ℓ. Assume that accepts x. Then, as proved in Exercise 4.12, we can find an accepting computation of in polynomial time. This computation is of length and makes at most queries. We query the oracle C to find out whether it queries a string in or not.
1. Subcase 2.1. The accepting computation of $c04-math-1406$ does not query a string in $c04-math-1407$ . Then, $c04-math-1408$ also accepts x because the accepting computation path of $c04-math-1410$ remains unchanged in the computation of $c04-math-1411$ . We conclude that $c04-math-1412$ .
2. Subcase 2.2. Not Subcase 2.1. Then, the accepting computation of $c04-math-1413$ that we found is not necessarily correct relative to the oracle C_n. But we have found a string $c04-math-1415$ and, by the construction, we know that this is the only string in $c04-math-1416$ . Thus, we can add it to set D and then, as in Case 1, use oracle Q together with set D to determine whether $c04-math-1420$ accepts x.

The above completes the deterministic algorithm for S, using oracle C, as well as the proof of the theorem.

Similar relations between relativized UP and the relativized P and NP can be proved using the same proof techniques. We leave them as exercises.

Theorem 4.21

Exercises

4.1 Let k ≥ 1. An NTM M is k-ambiguous if for any input x, there are at most k distinct accepting computations in M(x). Let k-UP denote the class of sets acceptable by polynomial-time k-ambiguous NTMs. Prove that $c04-math-1435$ if and only if $c04-math-1436$ -UP.

4.2 Let DGISO be the problem of determining whether two directed graphs are isomorphic. Show that DGISO and GISO are equivalent under the $c04-math-1437$ -reducibility.

4.3 Prove Theorem 4.4.

4.4 Recall the notion of strong NP reducibility $c04-math-1438$ defined in Exercise 3.1. Prove that if $c04-math-1439$ , then there is a set $c04-math-1440$ that is not $c04-math-1441$ -complete for NP.

4.5 a. Prove Proposition 4.10(b).

For any complexity class $c04-math-1442$ , let $c04-math-1443$ denote the class $c04-math-1444$ . Prove that there exists a one-way function $c04-math-1445$ such that $c04-math-1446$ restricted to $c04-math-1447$ is not polynomial-time computable if and only if $c04-math-1448$ .
Prove that there exists a one-way function $c04-math-1449$ such that $c04-math-1450$ and that $c04-math-1451$ restricted to $c04-math-1452$ is not polynomial-time computable if and only if $c04-math-1453$ .

4.6 In electronic data communication, a digital signature sent by a party X to a party Y is a message M that has the following properties: (i) Y must be able to verify that M is indeed sent by X; (ii) It is not possible for anyone except X, including Y, to forge the message M; (iii) X cannot deny sending the message M. Describe how to implement digital signatures in a public-key cryptosystem (allowing a negligible error).

4.7 Intuitively, a pseudorandom generator is a function $c04-math-1458$ that takes a random seed s of length n and outputs a string x of length l(n), where $c04-math-1463$ such that no feasible algorithm can predict the last bit of x from the first $c04-math-1465$ bits of x. Formally, we say that a function $c04-math-1467$ is a pseudorandom generator if

for all inputs x of length n, $c04-math-1470$ ; and
for any polynomial-time computable function $c04-math-1471$ , and any polynomial function p,
for almost all n > 0, where $c04-math-1475$ and $c04-math-1476$ .

A commonly used function to generate pseudorandom numbers is the linear congruence generator: Let m be a fixed integer and a,b be two integers less than m. Let $c04-math-1480$ , where $c04-math-1481$ and $c04-math-1482$ for $c04-math-1483$ . Prove that the function $c04-math-1484$ is not a pseudorandom generator in the above sense if $c04-math-1485$ . In other words, find a polynomial-time algorithm g that, on given $c04-math-1487$ , can find x_k if $c04-math-1489$ and if $c04-math-1490$ .

4.8 We continue the last exercise. Let n be a positive integer and $c04-math-1492$ . Define $c04-math-1493$ if i ≥ 0, and let x_n,i be the square root of $c04-math-1496$ if i < 0. Let $c04-math-1498$ be the parity of x_n,i, that is, it is 1 if x_n,i is odd and is 0 if x_n,i is even. The quadratic residue generator is the function $c04-math-1502$ . Prove that QRG is a pseudorandom generator if $c04-math-1504$ for some fixed polynomial p, assuming that the sets QR_n are strongly unpredictable in the sense of Section 4.2. That is, prove that if QR_n are strongly unpredictable, then there exists an infinite set N of integers such that for any polynomial-time computable function $c04-math-1509$ and any polynomial functions p and q,

for almost all $c04-math-1513$ .

4.9 In this exercise, we study the application of one-way functions to the problem of finding a random bit to be shared by two parties. Suppose two parties X and Y need to have an unbiased random bit to be shared by both parties. One way to do it is to let each of X and Y pick a random bit b_X and b_Y, respectively, write them down on a piece of paper, and then let them exchange the bits b_X and b_Y and use $c04-math-1518$ as the random bit, where $c04-math-1519$ is the exclusive-or operation. As X and Y must commit their own bit before seeing the other party's bit, neither of the parties can create a biased bit $c04-math-1520$ as long as the other bit is unpredictable. Assume, however, that the two parties are in two remote locations and cannot exchange their random bits b_X and b_Y both efficiently and reliably. Then, we need to use one-way functions to implement this idea. In each of the following communication environments, design a protocol to implement the above idea to find the shared random bit efficiently and reliably (assuming the existence of strong one-way functions).

X and Y communicate in a computer network with the software capable of efficiently generating large primes and performing multiplications of large integers.
X and Y communicate through a telephone line. They have two identical copies of a 1000-page telephone directory. (Note that this scheme should work even if $c04-math-1523$ . Can this scheme be implemented in a computer network?)

4.10 For each set A, let $c04-math-1525$ denote the class of sets B for which there exist a polynomial-space oracle DTM M and a polynomial function p such that for every x, $c04-math-1530$ if and only if M^A accepts x and the total number of queries made by M in the computation tree of $c04-math-1534$ is bounded by $c04-math-1535$ . For any two sets $c04-math-1536$ , let $c04-math-1537$ .

Prove that for each set A, $c04-math-1539$ .
Prove that $c04-math-1540$ if and only if $c04-math-1541$ .

4.11 Recall the definition of tally and sparse sets in Exercise 1.30. Also recall the relativized polynomial-time hierarchy defined in Exercise 3.1. In this exercise, we study the power of tally and sparse oracles in relativization.

Prove that $c04-math-1542$ if and only if for all tally sets T, $c04-math-1544$ .
Prove that for k ≥ 2, $c04-math-1546$ if and only if for all sparse sets S, $c04-math-1548$ .
Prove that $c04-math-1549$ if and only if for all sparse sets S, $c04-math-1551$ .

4.12 Assume that $c04-math-1552$ . Prove that for any polynomial-time oracle NTM M, there exists a polynomial-time oracle DTM M₁ such that for any input $c04-math-1555$ , $c04-math-1556$ outputs an accepting computation of $c04-math-1557$ , and for any input $c04-math-1558$ , $c04-math-1559$ rejects x.

4.13 Use the relativized separation results of Section 4.5 to show that the relation $c04-math-1561$ is not transitive.

4.14 a. In the following, we let w be a fixed finite binary string in $c04-math-1563$ and β be a fixed infinite binary sequence in $c04-math-1565$ . For any infinite binary sequence $c04-math-1566$ , we write $c04-math-1567$ to denote the kth bit of α and write α^k to denote the string of the first k bits of α. We say an infinite binary sequence $c04-math-1573$ is recursive if the set X with $c04-math-1575$ is recursive. For each set Λ_i, $c04-math-1577$ , of infinite binary sequences defined below, verify that it satisfies the assumption of the zero–one law and, hence, $c04-math-1578$ is either 0 or 1:

$c04-math-1579$ $c04-math-1580$ occurs in α infinitely often}.
$c04-math-1583$ $c04-math-1584$ occurs in α for all $c04-math-1586$ .
$c04-math-1587$ $c04-math-1588$ is recursive}.
$c04-math-1590$ $c04-math-1591$ the series $c04-math-1592$ converges}.

For each $c04-math-1594$ , decide whether $c04-math-1595$ is equal to 0 or 1.

4.15 Prove that with probability one, (a) $c04-math-1596$ and (b) $c04-math-1597$ .

4.16 a. Prove Theorem 4.20(a).

Prove that there exists an oracle A relative to which $c04-math-1599$ .

4.17 Prove Theorem 4.21

Historical Notes

The existence of problems in $c04-math-1600$ that are not NP-complete was first suggested by Karp (1972), who listed the problems primality testing, GISO, and linear programming as candidates. (Linear programming was later shown to be in P; see Khachiyan (1979) and Karmarkar (1984). Primality testing was shown to be in P by Agrawal et al. (2004).) Theorem 4.3 is from Ladner (1975a). Schöning (1982) discussed the technique of delayed diagonalization. The complexity of problem QR has been widely studied; see, for instance, Kranakis (1986), Loxton (1990), and Bach and Shallit (1996) for more references. The complexity of the problem GISO will be further studied in Chapter 10. The class UP was defined by Valiant (1976). The relation between the class UP and one-way functions (Proposition 4.10) was first proved by Ko (1985a) and Grollman and Selman (1988). The notion of public-key cryptography was introduced by Diffie and Hellman (1976). The RSA cryptosystem was designed by Rivest et al. (1978). Rabin (1979) relates the security of the RSA cryptosystem and the complexity of integer factoring. The relativization results on P, NP, and coNP (Theorems 4.14 and 4.20) were first presented by Baker et al. (1975). The independence result of Theorem 4.15 is from Hartmanis and Hopcroft (1976), which includes some other independence results in computer science. The positive relativization result of Theorem 4.17 is from Book et al. (1984). Book et al. (1985) contains results on different types of positive relativization. Random oracles were first studied by Bennett and Gill (1981). Theorem 4.19 is from there. For more results on random oracles, see Chapters 8 and 9 and the survey paper by Vollmer and Wagner (1997). Relativization results on the relation between UP and NP (Theorem 4.21) were proved in Rackoff (1982).

Digital signatures and pseudorandom generators are important topics in cryptography; see any cryptography textbook for more references. For the linear congruence generator, see Plumstead (1982) and Frieze et al. (1984). For the quadratic residue generator, see Blum et al. (1986). In general, pseudorandom generators exist if strong one-way functions exist. See Håstad et al. (1999) for the detailed discussion. Exercise 4.11 is from Long and Selman (1986). The relativized separation of the second level of PH (Exercise 4.16(b)) was first proved by Heller (1984). The relativized separation of the higher levels of PH will be studied in Chapter 9.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for 4.7 Random Oracles

Create new playlist

Sign In

Sign Up

4.7 Random Oracles

Theorem 4.18

Proof

Theorem 4.19

Proof

4.8 Structure of Relativized NP

Theorem 4.20

Proof

Theorem 4.21

Exercises

Historical Notes

Table of Contents for
4.7 Random Oracles