Interactive Proofs: Theory and Connections

2.1 What is hardness?

Some problems are easy to solve, some harder. Similarly, some are easy to verify and others hard. But what do we mean by "hardness"? Given an input of size $n$, we define hardness by:

• Time to solve. $O(n)$, $O(n^3)$, $O(2^n)$.
• Approximability. $O(1)$-approximation? $O(\log n)$-approximation?
• Space complexity. How much storage space do you need?
• Checking. What's the cost in resources to verify a solution? How much to verify that no solution exists?
• Randomness. How many random bits do you require? Can you accept an answer as correct with high probability? Can you accept two-sided error?

2.2 Language definitions

Definition 2.1 (The class NP [1, Ch. 2]). A language $L \subset \{0,1\}^*$ is in NP if $\exists\, p : \mathbb{N} \to \mathbb{N}$ and a polynomial-time TM $M$ s.t. $\forall x \in \{0,1\}^*$,

$x \in L \implies \exists u \in \{0,1\}^{p(|x|)}$ s.t. $M(x, u) = 1$

If $M(x, u) = 1$ and $u \in \{0,1\}^*$, $u$ is a certificate for $x$ w.r.t. $L$ and $M$.

Definition 2.2 (The class PSPACE [1, Ch. 4]). A language $L \subset \{0,1\}^*$ is in PSPACE if $\exists\, p : \mathbb{N} \to \mathbb{N}$ and a TM $M$ s.t. $M$ uses at most $p(|x|)$ space and $\forall x \in \{0,1\}^*$,

$x \in L \implies M(x) = 1$
$x \notin L \implies M(x) = 0$.

PSPACE is the space equivalent of P.

PSPACE vs. NP

• Note that NP $\subseteq$ PSPACE.
• It is believed that NP $\subset$ PSPACE.
• An example of a PSPACE-complete language: TQBF, the set of all quantified ($\forall$/$\exists$) Boolean formulae that are true.

An intuitive way to think about PSPACE is by thinking of a PSPACE language as a "game." The quantifiers in TQBF, for example, indicate when the attacking player ($\forall$) "moves" by picking any adversarial variable assignment and when the defending player ($\exists$) "moves" by finding a variable assignment that still makes the formula true. If the formula evaluates as true, the defender "wins," and the formula is in the language.

2.3 Interactivity [1, Ch. 8]

Models of interactivity

The power of verification depends on the model:

• Deterministic provers (DIP)
• Interactive protocols (IP)
• Arthur-Merlin (AM)
• Multiparty provers (MIP)
• Program checking

Formalizing Interaction

Let $f, g : \{0,1\}^* \to \{0,1\}^*$ be functions. A $k$-round interaction between $f$ and $g$ on $x \in \{0,1\}^*$ is $\langle f, g \rangle(x) = \{a_1, \ldots, a_n\}$.

$a_1 = f(x)$
$a_2 = g(x, a_1)$
$a_3 = f(x, a_1, a_2)$
$\vdots$
$a_{2i+1} = f(x, a_1, a_2, \ldots, a_{2i})$
$a_{2i+2} = g(x, a_1, a_2, \ldots, a_{2i+1})$
$\vdots$
$\mathrm{out}_f \langle f, g \rangle(x) = f(x, a_1, a_2, \ldots, a_k)$

Deterministic IP (DIP)

$L$ is $k$-round deterministic if $\exists$ a Turing machine $V$ that on input $x, a_1, a_2, \ldots, a_n$ and in polynomial time on $|x|$ satisfies:

$x \in L \implies \exists P : \{0,1\}^* \to \{0,1\}^*,\ \mathrm{out}_V \langle V, P \rangle(x) = 1$
$x \notin L \implies \forall P : \{0,1\}^* \to \{0,1\}^*,\ \mathrm{out}_V \langle V, P \rangle(x) = 0$

The important observation to make is that the verifier is weak (polynomial) and the prover is arbitrarily powerful. One way that we can interpret the above definition is that:

1. if it is a fact that Heathcliff is a cat, some prover out there should be able to convince the verifier of that fact, and
2. no prover, however convincing and glib, should be able to convince the verifier that Heathcliff is a dog.

We note that DIP = NP. This turns out to be fairly trivial; for NP $\subseteq$ DIP, $P$ has arbitrary power and simply presents the certificate to $V$. Conversely, a nondeterministic algorithm can guess $P$'s side of the conversation and can present the whole conversation as a polynomially-sized certificate that $V$ can verify, so DIP $\subseteq$ NP.

2.4 Randomized Interaction

What if we add randomness to DIP?

Let $f, g : \{0,1\}^* \to \{0,1\}^*$ be functions. A $k$-round interaction between $f$ and $g$ on $x \in \{0,1\}^*$ is $\langle f, g \rangle(x) = \{a_1, \ldots, a_k\}$, with $m$-bit random input $r$ to $f$.

$a_1 = f(x, r)$
$a_2 = g(x, a_1)$
$a_3 = f(x, r, a_1, a_2)$
$\vdots$
$a_{2i+1} = f(x, r, a_1, a_2, \ldots, a_{2i})$
$a_{2i+2} = g(x, a_1, a_2, \ldots, a_{2i+1})$
$\vdots$
$\mathrm{out}_f \langle f, g \rangle(x) = f(x, r, a_1, a_2, \ldots, a_k)$

Notice that $g$ (the prover) has no access to $r$.

Randomized IP (Or Just IP)

A language $L$ is in IP[$k$] if there is a TM $V$ that on inputs $x, a_1, a_2, \ldots, a_k$ runs in time polynomial in $|x|$ and such that

$x \in L \implies \exists P$ s.t. $\Pr[\mathrm{out}_V \langle V, P \rangle(x) = 1] \ge \frac{2}{3}$
$x \notin L \implies \forall P,\ \Pr[\mathrm{out}_V \langle V, P \rangle(x) = 1] \le \frac{1}{3}$

• Define IP = IP(poly).
• Note for later that the random string $r$ is not available to the prover.

Is BPP $\subseteq$ IP? Yes, in one round.

One of the most important results in this realm of complexity theory is the following result:

Theorem 2.1 ([3]). IP = PSPACE.

We won't expand on this result here.

Checking Graph non-isomorphism

Check that graphs $G_1$ and $G_2$ are non-isomorphic as follows.

V: Pick $i \in \{1, 2\}$ randomly. Permute the vertices of $G_i$ to get $H$ and send it to P.
P: Check which of $G_1$ or $G_2$ was used to produce $H$. Send the verifier back $j \in \{1, 2\}$ accordingly.
V: Accept if $i = j$, reject otherwise.

Note that enumerating all possible isomorphisms would take $n!$ or exponential time. Also, if P knew the random bit of V, would this scheme break? As mentioned below, the answer is "no."

2.5 Arthur-Merlin interaction

Let $f, g : \{0,1\}^* \to \{0,1\}^*$ be functions. A $k$-round interaction between $f$ and $g$ on $x \in \{0,1\}^*$ is $\langle f, g \rangle(x) = \{r_1, \ldots, r_k\}$, with $k$ $m$-bit random strings $r_{2i-1}$, $1 \le i \le k$.

$a_1 = f(x, r_1)$
$a_2 = g(x, r_1, a_1)$
$a_3 = f(x, r_3)$
$a_4 = g(x, r_1, r_3, a_1, a_2, a_3)$
$\vdots$
$a_{2i} = g(x, r_1, r_3, \ldots, r_{2i-1}, a_1, a_2, \ldots, a_{2i-1})$
$\vdots$
$\mathrm{out}_f \langle f, g \rangle(x) = f(r_1, r_3, \ldots, r_{2k-1}, a_1, a_2, \ldots, a_k) \in \{0, 1\}$

Notice that $g$ (the prover) has access to coins flipped in the past.

AM interaction

A language $L$ is in AM[$k$] if there is a TM $V$ that on inputs $x, a_1, a_2, \ldots, a_k$ runs in time polynomial in $|x|$ and such that

$x \in L \implies \exists P$ s.t. $\Pr[\mathrm{out}_V \langle V, P \rangle(x) = 1] \ge \frac{2}{3}$
$x \notin L \implies \forall P,\ \Pr[\mathrm{out}_V \langle V, P \rangle(x) = 1] \le \frac{1}{3}$

Here the random string $r$ is available to the prover.

Public vs private randomness

Note that AM($k$) $\subseteq$ IP($k$). Simulate an AM($k$) protocol by an IP($k$) verifier revealing the random string every round.

In general, is IP(poly) more powerful than AM(poly)? Amazingly - no! IP($k$) $\subseteq$ AM($k + 2$) [2]. The only difference between IP and AM is 2 rounds.

The power of AM($k$)

Consider the set $S = \{H : H \equiv G_1 \text{ or } H \equiv G_2\}$. It's easy to certify that $h \in S$:

• Each graph has $n!$ permutations.
• If $G_1 \equiv G_2$, then $|S| = n!$, else $|S| = 2(n!)$.

We use the following set lower bound protocol to check the size of $S$.

Set Lower Bound

The problem.

• $S \subseteq \{0,1\}^m$ is a set whose membership can be verified.
• Both P and V know a number $K$.
• P has to convince V that $|S| \ge K$.
• V should reject if $|S| \le \frac{K}{2}$.

The tool. We use a pairwise-independent hash function family:

• Let $H_{n,k}$ be a collection of functions from $\{0,1\}^n$ to $\{0,1\}^k$.
• $\forall x, x' \in \{0,1\}^n$ with $x \ne x'$ and $\forall y, y' \in \{0,1\}^k$, $\Pr_{h \in H}[h(x) = y \wedge h(x') = y'] = 2^{-2k}$.

Or simply, any two distinct elements map to the same bucket with probability $\left(\frac{1}{2^k}\right)^2$.

The AM protocol. Let $k$ be a number such that $2^{k-2} \le K \le 2^{k-1}$.

V: Randomly pick $h$ from $H_{m,k}$. Pick a random $k$-bit string $y$ (a hash "bucket"). Send both to the prover.
P: Try to find an $x \in S$ such that $h(x) = y$ and send it to V along with a certificate $u$ that $x \in S$.
V: If $h(x) = y$ and $u$ validates $x \in S$, accept; else reject.

Intuition: If $|S|$ is large enough, then with good probability a random bucket $y$ will contain at least 1 element of $S$.

2.6 Some other tricks.

We will mention two useful elementary tools.
• Arithmetization
• Sum-check

Arithmetization

In general, any problem can be expressed as one of Boolean formula satisfaction, and any Boolean formula can be converted to a polynomial:

$x \wedge y \leftrightarrow X \cdot Y$
$\neg x \leftrightarrow (1 - X)$
$x \vee y \leftrightarrow 1 - (1 - X)(1 - Y)$

A powerful idea is that we can evaluate these polynomials at arbitrary values and not just at 0 or 1.

Sumcheck

The problem.

• We are given a degree $d$ polynomial $g(X_1, X_2, \ldots, X_n)$, an integer $K$, and all computations are modulo a given prime $p$.
• Verify $K = \sum_{X_1 \in \{0,1\}} \sum_{X_2 \in \{0,1\}} \cdots \sum_{X_n \in \{0,1\}} g(X_1, X_2, \ldots, X_n)$.

Note that computing all these sums would take exponential time, as there are $2^n$ possible assignments.

Preliminaries. Define

$h(X_1) = \sum_{b_2 \in \{0,1\}} \sum_{b_3 \in \{0,1\}} \cdots \sum_{b_n \in \{0,1\}} g(X_1, X_2, \ldots, X_n)$.

$h(X_1)$ is the marginal polynomial, with all other variables summed out. If the claim is true, $K = h(0) + h(1)$.

Protocol.

V: If $n = 1$, check that $g(1) + g(0) = K$. If so accept, otherwise reject. If $n \ge 2$, ask P to send $h(X_1)$.
P: Sends some polynomial $s(X_1)$.
V: Reject if $s(0) + s(1) \ne K$. Else, pick a random $a$ from $0$ to $p - 1$. Recursively use sumcheck to verify

$s(a) = \sum_{b_2 \in \{0,1\}} \cdots \sum_{b_n \in \{0,1\}} g(a, X_2, \ldots, X_n)$

Key idea: $s(a) - h(a)$ is a degree $d$ polynomial, and hence either $s - h$ is 0 everywhere, or $s(a) = h(a)$ with at most $\frac{d}{p}$ probability over random $a$.

2.7 Other models

Program checking

$C$ is a program checker for a claimed program $P$ on task $T$ if for all inputs $x$:

• If $P$ is a correct program for $T$, then $\Pr[C \text{ accepts } P(x)] \ge \frac{2}{3}$.
• If $P(x) \ne T(x)$, then $\Pr[C \text{ accepts } P(x)] \le \frac{1}{3}$.

The graph-isomorphism and permanent problems have checkers.

Multiple provers

There can be multiple provers, and the provers do not communicate amongst themselves. This class is believed to be strictly stronger than IP (MIP = NEXP).

2.8 The take-away

Randomization, the use of polynomials, and arithmetization give us the power to check solutions without a concise certificate.
We shall see more applications of these principles next week.

2.9 Bibliography

[1] S. Arora and B. Barak. Computational Complexity: A Modern Approach, volume 1. Cambridge University Press, Cambridge, UK, 2009.
[2] S. Goldwasser and M. Sipser. Private coins versus public coins in interactive proof systems. In Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, STOC '86, pages 59–68, New York, NY, USA, 1986. ACM.
[3] A. Shamir. IP = PSPACE. J. ACM, 39(4):869–877, October 1992.
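The private-coin graph non-isomorphism protocol of Section 2.4, as an added example that is not part of the original notes: it runs the verifier against a brute-force prover and shows that the prover answers every round correctly when the graphs differ but is reduced to guessing when they are isomorphic. The graphs, function names and seed are constructed for the illustration.

```python
import random
from itertools import permutations

# Constructed sample graphs on 4 vertices, given as edge lists.
PATH = [(0, 1), (1, 2), (2, 3)]     # path 0-1-2-3
STAR = [(0, 1), (0, 2), (0, 3)]     # star centred at 0 (not isomorphic to PATH)
PATH2 = [(2, 0), (0, 3), (3, 1)]    # path 2-0-3-1 (isomorphic to PATH)

def permute(G, pi):
    """Relabel the vertices of edge list G by permutation pi."""
    return frozenset(frozenset((pi[u], pi[v])) for u, v in G)

def isomorphic_to(G, H, n):
    """The unbounded prover's work: try all n! relabelings of G."""
    return any(permute(G, pi) == H for pi in permutations(range(n)))

def prover(G1, G2, H, n):
    """Answer j = 1 if H looks like G1, else j = 2. P never sees V's coin i."""
    return 1 if isomorphic_to(G1, H, n) else 2

def verifier_round(G1, G2, n, rng):
    """One round: V picks i privately, sends a scrambled G_i, accepts iff j == i."""
    i = rng.choice((1, 2))
    pi = list(range(n))
    rng.shuffle(pi)
    H = permute((G1, G2)[i - 1], pi)
    return prover(G1, G2, H, n) == i

def accepted_rounds(G1, G2, n, rounds, seed=0):
    """Number of rounds (out of `rounds`) in which V accepts.
    A seeded RNG keeps the demo reproducible; a real verifier needs
    coins the prover cannot predict."""
    rng = random.Random(seed)
    return sum(verifier_round(G1, G2, n, rng) for _ in range(rounds))

if __name__ == "__main__":
    print("non-isomorphic:", accepted_rounds(PATH, STAR, 4, 40), "of 40")
    print("isomorphic:    ", accepted_rounds(PATH, PATH2, 4, 40), "of 40")
```

With isomorphic inputs the scrambled graph carries no information about i, so each round is accepted with probability 1/2 and a verifier that demands all rounds pass rejects except with probability 2^-rounds.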
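Arithmetization and sum-check from Section 2.6 combined, as an added example that is not part of the original notes: a small Boolean formula is turned into a polynomial g, and the verifier checks a claimed count of satisfying assignments against an honest prover and against one cheating strategy (a prover that shifts h by a constant). The formula, the prime, the polynomial encoding as D+1 evaluations and all function names are assumptions of this sketch.

```python
import random
from itertools import product

P = 2**61 - 1   # prime modulus p (value chosen for this example)
N, D = 3, 4     # number of variables; total degree of g, so deg s <= D

def g(xs):
    """Arithmetization of the constructed formula (x1 OR x2) AND (NOT x1 OR x3)."""
    x1, x2, x3 = xs
    OR = lambda a, b: 1 - (1 - a) * (1 - b)
    return OR(x1, x2) * OR(1 - x1, x3) % P

def interp(ys, a):
    """Evaluate at a the polynomial of degree <= D with s(t) = ys[t], t = 0..D."""
    total = 0
    for i, yi in enumerate(ys):
        num = den = 1
        for j in range(len(ys)):
            if j != i:
                num, den = num * (a - j) % P, den * (i - j) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def honest_prover(prefix, claim):
    """Send the marginal polynomial h for the next variable as its values at 0..D."""
    rest = N - len(prefix) - 1
    return [sum(g(prefix + [t] + list(b)) for b in product((0, 1), repeat=rest)) % P
            for t in range(D + 1)]

def cheating_prover(prefix, claim):
    """Shift h by a constant so that s(0) + s(1) matches a false claim."""
    ys = honest_prover(prefix, claim)
    shift = (claim - ys[0] - ys[1]) * pow(2, -1, P) % P
    return [(y + shift) % P for y in ys]

def sumcheck(K, prover, rng):
    """Verifier: True iff it accepts the claim K = sum of g over {0,1}^N."""
    claim, prefix = K % P, []
    for _ in range(N - 1):
        ys = prover(list(prefix), claim)
        if len(ys) != D + 1 or (ys[0] + ys[1]) % P != claim:
            return False
        a = rng.randrange(P)      # random a from 0 to p-1 (seeded here for the demo)
        claim = interp(ys, a)     # recurse on the new claim s(a)
        prefix.append(a)
    return (g(prefix + [0]) + g(prefix + [1])) % P == claim   # n = 1 base case

def demo(seed=1):
    """The formula has 4 satisfying assignments; 5 is a false claim."""
    rng = random.Random(seed)
    return sumcheck(4, honest_prover, rng), sumcheck(5, cheating_prover, rng)
```

The cheating prover passes every s(0) + s(1) check but is caught in the base case, where the verifier evaluates g itself at the random points it chose.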