Computational Complexity Theory, Fall 2008 November 28 Lecture 20: Interactive proofs. IP=PSPACE Lecturer: Kristoffer Arnsfelt Hansen Scribe: Kasper Borup Interactive proof Machine with state Turing Machine Communication Tape P V Input tape (read-only) (Not necessary a TM) Operation At any point the verifier V can go to a speciel communication state. Then the prover P cen modify the communication tape and the control switches back to V. V produces the output. Definition 1 DIP The class of languages restricted by interaction, where V is a polynomial time deterministic turing machine, and the communication exchange terminates in a polynomial number of rounds in size of the input. Precisely: There is a prover P such that, If x ∈ L then V accepts when interacting with P. If x ∈ / L then V does not accept when interaction with any prover p∗ Theorem 2 DIP = NP. Proof By definition the communication transcript is the certificate. L = {x|∃a communication transcript that makes V accept x} To get an interesting of NP we need to introduce randomness. Definition 3 IP The class of languages recognized by interaction where V is a polynomial time Turing machine with access to random bits. Precisely: There is a prover P such that, 2 (Completeness) if x ∈ L Then V accepts when interacting with P with probability ≥ 3 1 (Soundness) if x ∈ / L For any prover P ∗ accepts when interaction with P ∗ with probability ≤ 3 Theorem 4 N P ⊆ IP 1 Definition 5 Graph isomorphism Given a graph G1 and G2 , does there exists a 1 to 1 correspondence Φ : V (G1 ) → V (G2 ) Such that (u, v) ∈ E(G1 ) ⇐⇒ (Φ(u), Φ(v)) ∈ E(G2 ) If G1 is isomorphic to G2 we write G1 ≡ G2 GI ∈ NP, we can use the permutation Φ as certificate. The Graph nonisomorphism problem is the problem to decide if two graphs are not isomorphic and GN I ∈ co − NP Example 1 Interactive protocol for GN I 1. V chooses i ∈ {1, 2} uniformly at random, and chooses a permutation Φ of the nodes (Assures the two graphs has the same number of nodes) V sends Φ(Gi ) to P 2. P sends j ∈ {1, 2} to V P sends the j such that Gj ≡ Φ(Gi ) (are isomorphic) 3. V accepts if i = j Completeness: If G1 and G2 are not isomorphic, P can find the correct j (same as i), hence V accepts with probability 1. Soundness: If G1 and G2 are isomorphic, then the distribution of the two permutations Φ(G1 ) and Φ(G2 ) of G1 and G2 are the same. This means that the prover cannot distingues between them. Thus for any j ∈ {1, 2} Gj ≡ Φ(Gi ), we now have P r[i = j] = 12 , hence V accepts with probability 12 Proposition 6 IP ⊆ PSPACE Proof It is not clear how to simulate the protocol for any given prover. Instead simulate the protocol for the optimal prover P i.e. the prover that maximizes the probability of accept. Do a depth first search at the tree of possible messages the verifier can send At a given V node, where V has to send a message, we want to compute what to send and continue. At a P node, where P has to send a message, run over all possible replies and recursively compute the acceptance probability, and send the message that yield the maximum acceptance probability. 2 Theorem 7 co − NP ⊆ IP Proof Let Φ be 3-CNF formula with m clauses and n variables x1 , x2 , . . . , xn Let the clauses be Li1 ∨ Li2 ∨ Li3 , where Lij is xk or xk Define the arithmetization A : Φ → PΦ xk → xk xk → 1 − xk Li1 ∨ Li2 ∨ Li3 → 1 − (1 − A(Li1 )(1 − A(Li2 )(1 − A(Li3 )) m Y PΦ = A(Ci ) i=1 1 X 1 X Φ is satisfied ⇐⇒ ··· x1 =0 x2 =0 1 X PΦ(x1 ,x2 ,...,xn ) > 0 xn =0 Degree of PΦ is 3m. We will be design a protocol that can verify that the number of satisfying assignments to the input formula is 0. Definition 8 Sum-check protocol INPUT: A degree d polynomial g(x1 , x2 , . . . , xn ), a integer K and a prime p. Prover has to show P1 x1 =0 P1 x2 =0 · · · P1 xn =0 g(x1 , x2 , . . . , xn ) = K (mod p) 1. n = 1 V computes g(0) + g(1) = K (mod p) If n ≥ 2 ask P to send h(x1 ) 2. Correct prover sends h(x1 ) = P1 x2 =0 P1 x3 =0 · · · P1 xn =0 g(x1 , x2 , . . . , xn ) mod p 3. Verifier reject if h(0) + h(1) 6= K (mod p) and otherwise random a P ∈ Zp and run sum-check on h recusively to check P1pick P 1 that h(a) = x2 =0 x3 =0 · · · 1xn =0 g(a, x2 , . . . , xn ) To get sum-check protocol for PΦ P starts to send a prime p in the interval [2n ; 22n ] and then run sum-check with input Pφ ,0 and p. Completeness: Correct prover makes V accept with probability 1 Soundness: If Φ is not satisfiable, P has to prove an incorrect sum-check statement. If in the end V accepts then there is a round where P has an incorrect statement to prove and we ask P to prove a correct statement. d 3m In a given round. If P has to prove an incorrect statement this happens with probability ≤ ≤ n p 2 3 since a non-zero degreed polynomium has at most d roots. Notable properties of the protocol • Perfect completeness i.e. accepts with probability 1 • Randomness of V is public It is not obvious to obtain these properties in another way! Theorem 9 PSPACE ⊆ IP Proof Reduction from T QBF (true quantified boolean formulas) to the an extension of the sumcheck protocol T QBF is PSPACE − complete ρ = ∃x1 ∀x2 ∃x3 . . . Qxn Φ(x1 , x2 , . . . , xn ) if n = 1(mod 2)Q = ∃if n = 0(mod 2)Q = ∀ Φ = c1 ∧ c2 ∧ · · · ∧ cn ci is (Li1 ∨ Li2 ∨ Li3 ) as before. Approach 1 1 X 1 X Y . . . Q1xn =0 PΦ(x1 ,x2 ,...,xn ) > 0 x1 =0 x2 =0 x3 =0 Q Problem multiplication doubles the degree of hi (x) for every 1xi =0 , hence degrees can be as large as 2n/2 , and the prover would not be able to send the required polynomials. The idea to circumvent this is to first we have to transform ρ = ∃x1 ∀x2 ∃x3 . . . Qxn Φ(x1 , x2 , . . . , xn ) that ensures that the degree of the polynomials to be transmitted is at most 2. Assume wlog Q = ∀ : ρ̃ = ∃x1 ∀x2 ∃x21 [(x1 = x21 )∧ ∃x3 ∀x4 ∃x41 ∃x42 ∃x43 [(x21 = x41 ) ∧ (x2 = x42 ) ∧ (x3 = x43 ) ∧ . . . n−2 n−2 ∧ ∀xn ∃xn1 . . . ∃xnn−1 (x1n−2 = xn1 ) ∧ · · · ∧ (xn−1 = xn−1 )∧ φ(xn1 , . . . , xnn−1 , xn )]] We have constructed a transformed equivilent formula ρ̃ where the degree of every hi (x) in sumcheck is degree(hi (x)) ≤ 2. To see this, note that in a suffix of the formula beginning with a ∀ quantifier, all the free variables are only used in the equality checks, and only once. An equality constraint (x = y) is arithmetizied by the polynomial xy + (1 − x)(1 − y), where the degree of each variable is 2. We can in this way perform the arithmetization and call a sum-check protocol (modified in the natural way) and the reduction is complete. 4