# Final Exam, Spring 2010

### Directions:

• Answer the problems on the exam pages.
• There are five short problems, for ten points each, and three long problems for 25 points each. Attempt all the short problems and only two of the long ones -- the maximum score is thus 100. If you attempt all three long problems I will take the scores of the best two. Actual scale was A = 84, B = 56.
• No books, notes, calculators, or collaboration.

```
Q1: 10 points
Q2: 10 points
Q3: 10 points
Q4: 10 points
Q5: 10 points
Q6: 25 points
Q7: 25 points
Q8: 25 points

Total: max 100 points
```

• Question 1 (10): An oblivious Turing machine has an input tape and k worktapes for some constant k. It has the property that the positions of the head on each tape depend on the input size, not on the input contents. That is, there are functions $p_I(n,t), p_1(n,t), \ldots, p_k(n,t)$ such that $p_j(n,t)$, for example, gives the position of tape j's head after t steps on any input of size n.

Define OBL-P to be the set of languages A such that A = L(M) for some oblivious Turing machine with a polynomial time bound. Prove carefully that OBL-P = P. (This result is in the book, of course, but you must present it rather than quote it!) (Notes added during exam: You may use without proof the result that a k-tape TM may be simulated by a one-tape TM with polynomial time overhead. "P" is defined in terms of multitape TM's.)

• Question 2 (10): The language CKT-SAT is defined to be all pairs (C, x) where C is a boolean circuit of fan-in at most 2, C has n + m inputs, x is a string of length n, and there exists a string y of length m such that C(x, y) = 1. Prove that CKT-SAT is NP-complete. You may assume the NP-completeness of languages proven to be NP-complete in Chapter 2 or its exercises, but of course not the NP-completeness of CKT-SAT itself which is proved in Chapter 6. (Note added during exam: C is part of the input (C, x).)

• Question 3 (10): Let A be any language in the class L = DSPACE(log n). Prove that $A \in AC^1$, meaning that there is a log-space uniform circuit family $\{C_n\}$ deciding A, where the circuit $C_n$ has size $n^{O(1)}$, depth O(log n), and unbounded fan-in. Argue the log-space uniformity of the circuit family carefully, making clear that you understand the definition.

• Question 4 (10): Let p be an odd prime number and let $\{h_a : a \in Z_p\}$ be a family of hash functions from $Z_p$ to itself, defined by the rule $h_a(b) = a + b$ where the addition is taken modulo p. Is this a family of pairwise independent hash functions? Prove your answer. (Note added during exam: $Z_p$ = GF(p) = "the integers modulo p", and p is fixed for the problem.)

• Question 5 (10): Consider a quantum register of three qubits, so that a state of the register is a quantum superposition of the eight pure states |000>, |001>, ..., |111>. A Toffoli gate is a quantum operation that takes each pure state |abc> to the pure state |abd>, where d = c ⊕ (a ∧ b).

Prove that the Toffoli gate is a valid quantum operation because its matrix is unitary (i.e., it satisfies the rule $AA^T = I$ where $A^T$ is the transpose of A). (Hint: Find the inverse of the operation and argue from there. You can solve this problem with or without working with any specific 8 by 8 matrices.)

What is the result of applying a Toffoli gate to a register with state that is the sum, over all a, b, and c in {0,1}, of (1/√8)|abc>? What is the probability of observing each pure state if this register is observed after the Toffoli gate is applied?

What is the result of applying a Toffoli gate to a register with state (1/2)(|000> + |011> + |101> + |110>)? What is the probability of observing each pure state if this register is observed after the Toffoli gate is applied?

• Question 6 (25): This problem involves a hierarchy theorem for alternating time. We assume throughout that f and g are time-constructible functions, with f(n) ≥ n and g(n) ≥ n, and that alternating machines have random access to their input.

• (a,5) Briefly justify the claims that ATIME(f) ⊆ DSPACE(f) and that DSPACE(f) ⊆ ATIME($f^2$). (These are two of the four parts of the Alternation Theorem.)

• (b,5) Use the facts from (a), and the Space Hierarchy Theorem, to prove that if f = o(g), then ATIME(f) is strictly contained in ATIME($g^2$).

• (c,10) Prove that with f and g as defined above, if ATIME(n) = ATIME(g), then ATIME(f) = ATIME(g ∘ f). (Recall that (g ∘ f)(n) is defined to be g(f(n)).)

• (d,5) Use parts (b) and (c) to argue that for any constant $\varepsilon > 0$, ATIME(n) is strictly contained in ATIME($n^{1+\varepsilon}$).

• Question 7 (25): These questions all involve the complexity class BPP. Recall that a language A is in BPP if there exists a poly-time probabilistic Turing machine M such that if x ∈ A, Pr[M(x) = 1] ≥ 2/3, and if x ∉ A, Pr[M(x) = 1] ≤ 1/3.

• (a,5) Explain why BPP is contained within alternating polynomial time. (Note added during exam: You may not use the Sipser-Gacs theorem (that BPP ⊆ $\Sigma_2^p$) without proof.)

• (b,10) Explain why if A is any language in BPP, there exists a circuit family $\{C_n\}$ deciding A, where the size of $C_n$ is $n^{O(1)}$. (Note that this family is not necessarily a uniform family.)

• (c,5) Argue that if NP = BPP, then the polynomial hierarchy collapses. (You may combine a known result with part (b).)

• (d,5) Secure pseudorandom generators are defined in Question 8 below. Prove that if a secure PRG exists with stretch 2n, then P = BPP.

• Question 8 (25): Recall that a pseudorandom generator or PRG is a function taking strings of length n to strings of length s(n), where s(n) is a function called the stretch and s(n) > n for all n. A PRG is said to be secure if for any probabilistic poly-time function A, the probability that A(x) = 1, for a string x of length s(n) generated from a uniformly chosen seed of length n, differs from the probability that A(y) = 1, for a uniformly chosen random y of length s(n), by a negligible function of n.

• (a,5) Prove that no secure PRG can exist if P = NP.

• (b,10) Let the encryption scheme E be defined so that for any key k, a binary string of length n, and any plaintext string x of length L(n), $E_k(x) = x \oplus G(k)$ where G is a secure PRG of stretch L(n). Prove that no probabilistic poly-time algorithm can use $E_k(x)$ to predict any bit of x with much greater than 1/2 probability. Specifically, prove that if A is any such function, the probability (over a uniform random choice of k and any choices made by A) that $A(E_k(x)) = (i,b)$ and $x_i = b$ is at most 1/2 + ε(n), where ε is a negligible function.

• (c,10) As in part (b), define E to be the encryption scheme defined from a secure PRG G of stretch L(n). Let $x_0$, the chosen plaintext, be some fixed string of length L(n). Also assume that L(n) ≥ 2n.

A chosen plaintext attacker for this scheme is a probabilistic poly-time algorithm A such that if a string y is equal to $E_k(x_0)$ for some key k, Pr[A(y) = 1] is at least $n^{-c}$ for some constant c, and Pr[A(y) = 1] < ε(n) if there is no such k.

Show that there cannot exist such a chosen plaintext attacker for E. (Hint: Given a hypothetical attacker A, construct a probabilistic poly-time machine B that operates on the pseudorandom or random one-time pads, and use the assumed security of G.) (Note added during exam: You may quote results from HW #8 without proof.)
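
The construction named in the hint for Question 8(c), as an added example that is not part of the original exam: B(z) = A(x0 ⊕ z) turns an attacker on ciphertexts into a distinguisher on pads. SHAKE-256 stands in for a secure G (an assumption, not a proven PRG); `g_weak`, `attacker`, `make_b`, `advantage` and the sample `X0` are hypothetical names and constructed values.

```python
import hashlib
import random

N = 16       # seed (key) length in bytes; constructed parameter
L = 2 * N    # stretch in bytes, matching the assumption L(n) >= 2n
X0 = bytes(range(L))  # constructed stand-in for the fixed plaintext x0

def g_shake(k):
    """Stand-in for a secure G (assumption: SHAKE-256 output is pseudorandom)."""
    return hashlib.shake_256(k).digest(L)

def g_weak(k):
    """Deliberately insecure generator: the seed written twice."""
    return k + k

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def encrypt(g, k, x):
    """E_k(x) = x XOR G(k); applying it twice with the same k decrypts."""
    return xor(x, g(k))

def attacker(y):
    """Hypothetical A: outputs 1 when y XOR x0 is a pad g_weak could produce."""
    pad = xor(y, X0)
    return int(pad[:N] == pad[N:])

def make_b(a, x0):
    """Reduction from the hint: B(z) = A(x0 XOR z), so B works on pads z."""
    return lambda z: a(xor(x0, z))

def rand_bytes(rng, n):
    return rng.getrandbits(8 * n).to_bytes(n, "big")

def advantage(b, g, trials=2000, seed=1):
    """Estimate |Pr[B(G(k)) = 1] - Pr[B(r) = 1]| over uniform k and r."""
    rng = random.Random(seed)
    on_prg = sum(b(g(rand_bytes(rng, N))) for _ in range(trials))
    on_rand = sum(b(rand_bytes(rng, L)) for _ in range(trials))
    return abs(on_prg - on_rand) / trials

if __name__ == "__main__":
    B = make_b(attacker, X0)
    print("advantage against g_weak :", advantage(B, g_weak))
    print("advantage against g_shake:", advantage(B, g_shake))
```

The estimate for B against a generator is the same quantity as A's acceptance gap between ciphertexts of x0 and strings of the form x0 ⊕ r for uniform r.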