Lecture 20: Interactive proofs. IP=PSPACE

advertisement
Computational Complexity Theory, Fall 2008
November 28
Lecture 20: Interactive proofs. IP=PSPACE
Lecturer: Kristoffer Arnsfelt Hansen
Scribe: Kasper Borup
Interactive proof
Machine with state
Turing Machine
Communication Tape
P
V
Input tape (read-only)
(Not necessary a TM)
Operation
At any point the verifier V can go to a speciel communication state. Then the prover P cen modify
the communication tape and the control switches back to V. V produces the output.
Definition 1 DIP
The class of languages restricted by interaction, where V is a polynomial time deterministic turing
machine, and the communication exchange terminates in a polynomial number of rounds in size of
the input.
Precisely: There is a prover P such that,
If x ∈ L then V accepts when interacting with P.
If x ∈
/ L then V does not accept when interaction with any prover p∗
Theorem 2 DIP = NP.
Proof By definition the communication transcript is the certificate.
L = {x|∃a communication transcript that makes V accept x}
To get an interesting of NP we need to introduce randomness.
Definition 3 IP
The class of languages recognized by interaction where V is a polynomial time Turing machine with
access to random bits.
Precisely: There is a prover P such that,
2
(Completeness) if x ∈ L Then V accepts when interacting with P with probability ≥
3
1
(Soundness) if x ∈
/ L For any prover P ∗ accepts when interaction with P ∗ with probability ≤
3
Theorem 4 N P ⊆ IP
1
Definition 5 Graph isomorphism
Given a graph G1 and G2 , does there exists a 1 to 1 correspondence Φ : V (G1 ) → V (G2 )
Such that (u, v) ∈ E(G1 ) ⇐⇒ (Φ(u), Φ(v)) ∈ E(G2 )
If G1 is isomorphic to G2 we write G1 ≡ G2
GI ∈ NP, we can use the permutation Φ as certificate.
The Graph nonisomorphism problem is the problem to decide if two graphs are not isomorphic
and GN I ∈ co − NP
Example 1 Interactive protocol for GN I
1. V chooses i ∈ {1, 2} uniformly at random, and chooses a permutation Φ of the nodes
(Assures the two graphs has the same number of nodes)
V sends Φ(Gi ) to P
2. P sends j ∈ {1, 2} to V
P sends the j such that Gj ≡ Φ(Gi ) (are isomorphic)
3. V accepts if i = j
Completeness: If G1 and G2 are not isomorphic, P can find the correct j (same as i), hence
V accepts with probability 1.
Soundness: If G1 and G2 are isomorphic, then the distribution of the two permutations
Φ(G1 ) and Φ(G2 ) of G1 and G2 are the same. This means that the prover cannot distingues
between them. Thus for any j ∈ {1, 2} Gj ≡ Φ(Gi ), we now have P r[i = j] = 12 , hence V
accepts with probability 12
Proposition 6 IP ⊆ PSPACE
Proof It is not clear how to simulate the protocol for any given prover.
Instead simulate the protocol for the optimal prover P i.e. the prover that maximizes the probability of accept.
Do a depth first search at the tree of possible messages the verifier can send
At a given V node, where V has to send a message, we want to compute what to send and
continue.
At a P node, where P has to send a message, run over all possible replies and recursively
compute the acceptance probability, and send the message that yield the maximum acceptance
probability.
2
Theorem 7 co − NP ⊆ IP
Proof Let Φ be 3-CNF formula with m clauses and n variables x1 , x2 , . . . , xn
Let the clauses be Li1 ∨ Li2 ∨ Li3 , where Lij is xk or xk
Define the arithmetization A : Φ → PΦ
xk → xk
xk → 1 − xk
Li1 ∨ Li2 ∨ Li3 → 1 − (1 − A(Li1 )(1 − A(Li2 )(1 − A(Li3 ))
m
Y
PΦ =
A(Ci )
i=1
1 X
1
X
Φ is satisfied ⇐⇒
···
x1 =0 x2 =0
1
X
PΦ(x1 ,x2 ,...,xn ) > 0
xn =0
Degree of PΦ is 3m. We will be design a protocol that can verify that the number of satisfying
assignments to the input formula is 0.
Definition 8 Sum-check protocol
INPUT: A degree d polynomial g(x1 , x2 , . . . , xn ), a integer K and a prime p.
Prover has to show
P1
x1 =0
P1
x2 =0 · · ·
P1
xn =0 g(x1 , x2 , . . . , xn )
= K (mod p)
1. n = 1 V computes g(0) + g(1) = K (mod p)
If n ≥ 2 ask P to send h(x1 )
2. Correct prover sends h(x1 ) =
P1
x2 =0
P1
x3 =0 · · ·
P1
xn =0 g(x1 , x2 , . . . , xn )
mod p
3. Verifier reject if h(0) + h(1) 6= K (mod p)
and otherwise
random a P
∈ Zp and run sum-check on h recusively to check
P1pick P
1
that h(a) = x2 =0 x3 =0 · · · 1xn =0 g(a, x2 , . . . , xn )
To get sum-check protocol for PΦ
P starts to send a prime p in the interval [2n ; 22n ] and then run sum-check with input Pφ ,0 and p.
Completeness: Correct prover makes V accept with probability 1
Soundness: If Φ is not satisfiable, P has to prove an incorrect sum-check statement.
If in the end V accepts then there is a round where P has an incorrect statement to prove and we
ask P to prove a correct statement.
d
3m
In a given round. If P has to prove an incorrect statement this happens with probability ≤ ≤ n
p
2
3
since a non-zero degreed polynomium has at most d roots.
Notable properties of the protocol
• Perfect completeness i.e. accepts with probability 1
• Randomness of V is public
It is not obvious to obtain these properties in another way!
Theorem 9 PSPACE ⊆ IP
Proof Reduction from T QBF (true quantified boolean formulas) to the an extension of the sumcheck protocol
T QBF is PSPACE − complete
ρ = ∃x1 ∀x2 ∃x3 . . . Qxn Φ(x1 , x2 , . . . , xn )
if n = 1(mod 2)Q = ∃if n = 0(mod 2)Q = ∀
Φ = c1 ∧ c2 ∧ · · · ∧ cn
ci is (Li1 ∨ Li2 ∨ Li3 ) as before.
Approach
1
1 X
1
X
Y
. . . Q1xn =0 PΦ(x1 ,x2 ,...,xn ) > 0
x1 =0 x2 =0 x3 =0
Q
Problem multiplication doubles the degree of hi (x) for every 1xi =0 , hence degrees can be as large
as 2n/2 , and the prover would not be able to send the required polynomials.
The idea to circumvent this is to first we have to transform ρ = ∃x1 ∀x2 ∃x3 . . . Qxn Φ(x1 , x2 , . . . , xn )
that ensures that the degree of the polynomials to be transmitted is at most 2. Assume wlog Q = ∀ :
ρ̃ = ∃x1 ∀x2 ∃x21 [(x1 = x21 )∧
∃x3 ∀x4 ∃x41 ∃x42 ∃x43 [(x21 = x41 ) ∧ (x2 = x42 ) ∧ (x3 = x43 ) ∧ . . .
n−2
n−2
∧ ∀xn ∃xn1 . . . ∃xnn−1 (x1n−2 = xn1 ) ∧ · · · ∧ (xn−1
= xn−1
)∧
φ(xn1 , . . . , xnn−1 , xn )]]
We have constructed a transformed equivilent formula ρ̃ where the degree of every hi (x) in sumcheck is degree(hi (x)) ≤ 2. To see this, note that in a suffix of the formula beginning with a ∀
quantifier, all the free variables are only used in the equality checks, and only once. An equality
constraint (x = y) is arithmetizied by the polynomial xy + (1 − x)(1 − y), where the degree of
each variable is 2. We can in this way perform the arithmetization and call a sum-check protocol
(modified in the natural way) and the reduction is complete.
4
Download