here are my PowerPoint slides

Proving Without Explaining, and
Checking Without Understanding
Looks good
to me!
Scott Aaronson (MIT)
Symposium on Proof, UPenn, Nov. 9, 2012
For most of history, a “mathematical proof” meant
a demonstration, in words, formulas, and pictures,
that induces an “all-of-a-sudden” understanding of
why a theorem must be true in humans who have
understood it
c  a  b  2ab  a  b
2
2
2
2
With people like Frege, Hilbert, Russell, and Gödel,
a new, formal notion of proof entered the world:
proof as a mathematical object in its own right
A string of symbols that “mechanically certifies” that a theorem
is true—generally, by starting from axioms and then applying
logical manipulations until the theorem is reached
Proof that all Robbins algebras
are Boolean. Discovered by the
computer program EQP in 1996,
solving a 63-year-old problem
-(n(x+y)=n(x)).
n(n(n(x)+y)+n(x+y))=y.
n(n(n(x+y)+n(x)+y)+y)=n(x+y).
n(n(n(n(x)+y)+x+y)+y)=n(n(x)+y).
n(n(n(n(x)+y)+x+y+y)+n(n(x)+y))=y.
n(n(n(n(n(x)+y)+x+y+y)+n(n(x)+y)+z)+n(y+z))=z.
n(n(n(n(x)+y)+n(n(x)+y)+x+y+y)+y)=n(n(x)+y).
n(n(n(n(x)+y)+n(n(x)+y)+x+y+y+y)+n(n(x)+y))=y.
n(n(n(n(n(x)+y)+x+y+y)+n(n(x)+y)+n(y+z)+z)+z)=n(y+z).
n(n(n(n(n(n(x)+y)+x+y+y)+n(n(x)+y)+n(y+z)+z)+z+u)+n(n(y+z)+u))=u.
n(n(n(n(x)+x)+x+x+x)+x)=n(n(x)+x).
n(n(n(n(n(x)+x)+x+x+x)+x+y)+n(n(n(x)+x)+y))=y.
n(n(n(n(x)+x)+x+x+x+x)+n(n(x)+x))=x.
n(n(n(n(x)+x)+n(n(x)+x)+x+x+x+x)+x)=n(n(x)+x).
n(n(n(n(n(x)+x)+n(n(x)+x)+x+x+x+x)+x+y)+n(n(n(x)+x)+y))=y.
n(n(n(n(n(x)+x)+n(n(x)+x)+x+x+x+x)+n(n(n(x)+x)+x+x+x)+x)+x)=n(n(n(x)+x)+n(n(x)+x)+x+x+x+x).
n(n(n(x)+x)+n(n(x)+x)+x+x+x+x)=n(n(n(x)+x)+x+x+x).
Formal proofs are often absurdly tedious!
Famous example from
Principia Mathematica,
Volume II
Wittgenstein liked to
ridicule this sort of
formalization
But
Sometimes the gap between “proving” and “explaining”
has caused actual mathematical controversy
Four-Color Map Theorem: Proved by
Appel and Haken in 1976, with crucial help
from computer enumeration of cases
Critics: “But what if the computer made a mistake?”
Response: “Then check again with another computer!”
Over the last 30 years, theoretical computer
scientists have taken the concept of “proof” even
further from “explanation” or “understanding”
than Frege, Russell, et al. ever did
(Sometimes, like in cryptography, the impossibility of
understanding a proof is actually the goal!)
A “proof” can now be: probabilistic, interactive,
quantum-mechanical… in general, an ephemeral
process that, once it’s over, need not leave any trace
by which to convince somebody else
As a warmup, consider the power of random sampling…
To “probabilistically prove” an
algebraic identity: just plug in a bunch
of random values and evaluate it!
Not yet certain enough? Repeat!
(But what if your random-number
generator was bad?)
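The random-sampling "proof" of an algebraic identity, as an added example that is not part of the slides: a true identity and a false one are tested at random points of a prime field, and a deliberately stuck random-number generator shows how a bad RNG lets the false identity pass. The polynomials, the prime and the StuckRNG class are constructed for the illustration.

```python
import random

P = 2**61 - 1   # a Mersenne prime; the polynomials are evaluated in the field Z_P

# Constructed claims: the first identity is true, the second is false.
def lhs(x, y): return pow(x + y, 2, P)
def rhs(x, y): return (x * x + 2 * x * y + y * y) % P
def bogus_l(x, y): return (x * x) % P
def bogus_r(x, y): return (x * y) % P      # x^2 = x*y holds only when x = 0 or x = y

def random_identity_check(f, g, nvars=2, trials=20, rng=random):
    # Accept "f == g" if they agree at `trials` independent random points.
    # Schwartz-Zippel: two distinct polynomials of total degree d agree at a
    # uniformly random point of Z_P with probability at most d/P, so a false
    # identity survives all trials with probability at most (d/P)**trials.
    for _ in range(trials):
        point = [rng.randrange(P) for _ in range(nvars)]
        if f(*point) != g(*point):
            return False
    return True

class StuckRNG:
    # A broken generator that always emits the same value: the slide's
    # "what if your random-number generator was bad?" made concrete.
    def __init__(self, value): self.value = value
    def randrange(self, n): return self.value % n
```

With StuckRNG(7) every sample point is (7, 7), where x^2 and x*y coincide, so the false identity is accepted every time: the soundness guarantee rests entirely on the randomness being good.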
Upping the ante: proof by quantum sampling
In 1994, Peter Shor sparked a scientific revolution, by showing that a
quantum computer could quickly factor large numbers—a task
whose presumed difficulty is the basis for most modern cryptography
But would you need to trust the quantum computer? In this case, no!
Given alleged prime factors, you could multiply them yourself
(and also use known classical methods to verify that they’re prime)
But not all quantum algorithms necessarily share that property!
Sometimes, the only feasible way to verify a quantum computer’s
output might be using a different quantum computer!
(indeed, there might be no “classical” proof that would fit inside
the observable universe)
Today, when theoretical computer scientists talk about a
“proof system,” they generally mean an interactive game…
Challenges and responses
OK!
BS!
Merlin: Omniscient but
untrustworthy wizard
Arthur: Skeptical,
polynomial-time king
“Completeness”: If the claim is true, then there must be some
way Merlin can behave that causes Arthur to output “OK” most
of the time
“Soundness”: If the claim is false, then regardless of how Merlin
behaves, Arthur must output “BS” most of the time
Example: Graph Non-Isomorphism
Merlin wants to convince Arthur that two graphs are different
Given any two non-isomorphic graphs, there might always be a
short proof that they’re different, but no one has proved that
Simply listing all permutations is astronomically inefficient
Clever interactive solution: Arthur picks one of the graphs
randomly, randomly permutes its vertices, and sends Merlin
the result. He then asks Merlin which graph he started with
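The Graph Non-Isomorphism protocol above, as an added example that is not part of the slides: Arthur relabels a secretly chosen graph, and Merlin (an omniscient wizard, stood in for here by a brute-force isomorphism test over all relabelings, which only works for toy sizes) must say which graph it came from. The three 4-node graphs are constructed inputs.

```python
import random
from itertools import permutations

def permute(edges, pi):
    # Relabel every edge (u, v) as (pi[u], pi[v]), stored with the smaller node first.
    return frozenset((min(pi[u], pi[v]), max(pi[u], pi[v])) for u, v in edges)

def isomorphic(n, g, h):
    # Brute force over all n! relabelings: fine for a toy n, hopeless at scale,
    # which is why the slides model Merlin as omniscient.
    return any(permute(g, pi) == h for pi in permutations(range(n)))

def arthur_challenge(n, g0, g1, rng=random):
    # Arthur flips a secret coin b, relabels graph b at random and sends the result.
    b = rng.randrange(2)
    pi = list(range(n)); rng.shuffle(pi)
    return b, permute((g0, g1)[b], pi)

def merlin_answer(n, g0, h):
    # Honest Merlin names the graph h was made from. If g0 and g1 are isomorphic,
    # h matches both, so no Merlin can do better than a coin flip.
    return 0 if isomorphic(n, h, g0) else 1

def arthur_accepts(n, g0, g1, rounds=20, rng=random):
    # Arthur accepts "g0 and g1 are not isomorphic" only if Merlin recovers the
    # secret bit in every round; a false claim survives with probability 2**-rounds.
    for _ in range(rounds):
        b, h = arthur_challenge(n, g0, g1, rng)
        if merlin_answer(n, g0, h) != b:
            return False
    return True

# Constructed toy graphs on 4 nodes (edges written with the smaller node first).
CYCLE    = frozenset({(0, 1), (1, 2), (2, 3), (0, 3)})   # the 4-cycle C4
TRIANGLE = frozenset({(0, 1), (1, 2), (0, 2), (2, 3)})   # triangle plus a pendant edge
CYCLE2   = frozenset({(0, 2), (1, 2), (1, 3), (0, 3)})   # C4 again, relabelled
```

Arthur never sees anything but relabeled copies of graphs he already holds, which is why he learns nothing about why they differ.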
The IP=PSPACE Theorem (Lund et al. / Shamir 1990)
showed that these sorts of interactive proof systems are
incredibly powerful. For example, Merlin could quickly
convince Arthur that White has the win in chess
(assuming that’s indeed true)!
qx ,, x mod p
x1 ,, xn  0,1
1
n
The Graph Non-Isomorphism protocol has another amazing
property, besides its efficiency. Arthur learns nothing whatsoever
about why the graphs are non-isomorphic!
Goldreich, Micali, and Wigderson showed that, under plausible
cryptographic assumptions, every formal proof can likewise be
converted into a “zero-knowledge proof”
(Furthermore, here the prover need not be a wizard, but just an
ordinary person who knows the original proof)
The key is to start with an NP-complete
problem, like Hamilton Cycle
A solution to this problem can
encode a formal proof of the
Riemann Hypothesis, or of any
other theorem you want!
To make the proof zero-knowledge:
Merlin randomly permutes the nodes. Then, for each pair of nodes,
he sends Arthur a “locked box,” inside of which he’s written
whether those nodes are connected by an edge.
With the boxes in his possession, Arthur can either ask Merlin to unlock all the boxes, and show him the isomorphism between the new graph and the original graph, or he can ask Merlin to unlock only the boxes corresponding to a Hamilton cycle.
Renaissance court mathematicians were terrified of rivals stealing their secrets. Galileo once ensured his priority by sending Kepler a coded message:
smaismrmilmepoetaleumibunenugttauiras
Today, a paranoid prover of the Riemann Hypothesis could use the GMW protocol to establish priority without revealing the proof
To implement over the Internet: replace the locked boxes by encryption.
Theoretical computer science: surging ahead into the 1500s!
Useful!
Lets suspicious agents prove to each other that they’re carrying out a protocol correctly, without revealing the secrets on which the proofs are based
One application: secure e-voting
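The GMW Hamilton-cycle protocol above, as an added example that is not part of the slides: the "locked boxes" are replaced by hash commitments (a nonce plus the bit under SHA-256, my choice of stand-in for the slides' "encryption"), Merlin commits to a relabeled adjacency matrix, and Arthur's coin decides whether he sees the whole relabeled graph with its isomorphism or only the boxes along the cycle. The 5-node graph and its cycle are constructed inputs.

```python
import hashlib, os, random

def commit(bit):
    # A "locked box": SHA-256 of a fresh nonce and the bit; hides the bit, opens only to it.
    nonce = os.urandom(32)
    return hashlib.sha256(nonce + bytes([bit])).hexdigest(), (nonce, bit)

def open_ok(box, nonce, bit):
    return hashlib.sha256(nonce + bytes([bit])).hexdigest() == box

def merlin_commit(n, edges, rng=random):
    # Relabel by a random pi and lock each entry (pairs i<j) of the relabeled matrix.
    pi = list(range(n)); rng.shuffle(pi)
    adj = {(min(pi[u], pi[v]), max(pi[u], pi[v])) for u, v in edges}
    boxes, keys = {}, {}
    for k in ((i, j) for i in range(n) for j in range(i + 1, n)):
        boxes[k], keys[k] = commit(int(k in adj))
    return boxes, (pi, keys)

def merlin_respond(challenge, state, cycle):
    pi, keys = state
    if challenge == 0:                 # open everything and reveal the isomorphism pi
        return pi, keys
    order = [pi[v] for v in cycle]     # open only the boxes on the relabeled cycle
    pairs = [(min(a, b), max(a, b)) for a, b in zip(order, order[1:] + order[:1])]
    return order, {k: keys[k] for k in pairs}

def arthur_check(n, edges, boxes, challenge, reveal, opened):
    if any(not open_ok(boxes.get(k), *opened[k]) for k in opened):
        return False                   # a box was opened to a different bit
    if challenge == 0:                 # the whole matrix must be the relabeled input
        if sorted(reveal) != list(range(n)) or set(opened) != set(boxes):
            return False
        adj = {(min(reveal[u], reveal[v]), max(reveal[u], reveal[v])) for u, v in edges}
        return all(bit == int(k in adj) for k, (_, bit) in opened.items())
    if sorted(reveal) != list(range(n)) or len(opened) != n:
        return False                   # the opened boxes must tour all n nodes once
    return all(opened.get((min(a, b), max(a, b)), (None, 0))[1] == 1
               for a, b in zip(reveal, reveal[1:] + reveal[:1]))

def run_round(n, edges, cycle, rng=random, challenge=None):
    # Commit, coin flip, open, check; a Merlin with no Hamilton cycle fails one challenge.
    boxes, state = merlin_commit(n, edges, rng)
    challenge = rng.randrange(2) if challenge is None else challenge
    reveal, opened = merlin_respond(challenge, state, cycle)
    return arthur_check(n, edges, boxes, challenge, reveal, opened)

# Constructed input: 5-cycle 0-1-2-3-4-0 plus chord (0, 2); secret cycle [0, 1, 2, 3, 4].
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (0, 4), (0, 2)]
CYCLE = [0, 1, 2, 3, 4]
```

A Merlin who commits honestly but holds a non-cycle passes challenge 0 and fails challenge 1, so repeating the round drives his survival probability down by a factor of 2 each time.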
Another famous NP-complete problem is 3-coloring a graph
Suppose two Merlins claim that they know how to 3-color a
certain graph. Arthur will get a billion dollars if he can prove
they’re lying, but he’s only allowed to ask them for the color
of one node each
Solution: Arthur puts the Merlins in separate rooms, like police
suspects. He either picks a random node and asks both
Merlins its color (and checks that they give the same answer),
or he picks two neighboring nodes and asks one Merlin about
each (and checks that they give different answers)
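The two-prover 3-coloring test above, as an added example that is not part of the slides: each Merlin is a function that answers only from its own coloring (the separate rooms), Arthur runs the node-consistency or edge test on a coin flip, and an exact enumeration gives the per-round probability of catching a pair of provers. The graph and the two colorings are constructed inputs.

```python
import random
from fractions import Fraction

# Constructed graph: triangle 0-1-2 with pendant node 3, and two colorings.
EDGES = [(0, 1), (1, 2), (2, 0), (2, 3)]
GOOD = {0: 'R', 1: 'G', 2: 'B', 3: 'R'}     # a valid 3-coloring
BAD  = {0: 'R', 1: 'G', 2: 'R', 3: 'B'}     # edge (2, 0) is monochromatic

def make_prover(coloring):
    # A Merlin locked in his own room: his answer depends only on his own coloring
    # and the node asked; he cannot hear what the other Merlin was asked.
    return lambda node: coloring[node]

def arthur_round(edges, prover1, prover2, rng=random):
    # Coin 0: ask both about one random node and demand equal colors.
    # Coin 1: ask each about one end of a random edge and demand different colors.
    nodes = sorted({v for e in edges for v in e})
    if rng.randrange(2) == 0:
        v = rng.choice(nodes)
        return prover1(v) == prover2(v)
    u, v = rng.choice(edges)
    return prover1(u) != prover2(v)

def arthur_accepts(edges, prover1, prover2, rounds=200, rng=random):
    return all(arthur_round(edges, prover1, prover2, rng) for _ in range(rounds))

def catch_probability(edges, prover1, prover2):
    # Exact probability that one round rejects, enumerating Arthur's coin, node and
    # edge choices. Provers answering from the same invalid coloring fail some edge
    # test (at least 1/(2*len(edges))); provers answering from different colorings
    # are caught by the consistency test instead.
    nodes = sorted({v for e in edges for v in e})
    bad_nodes = sum(prover1(v) != prover2(v) for v in nodes)
    bad_edges = sum(prover1(u) == prover2(v) for u, v in edges)
    return Fraction(bad_nodes, 2 * len(nodes)) + Fraction(bad_edges, 2 * len(edges))
```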
Pushing this further leads to the PCP Theorem, one of the crown
jewels of theoretical computer science
Any formal proof can be rewritten in an “error-correcting”
format, in such a way that its validity can be checked, with
high confidence, by looking at only 10 or 20 random bits
Application: Implies that, for many NP-complete problems,
finding an approximate solution is as hard as finding an exact one
Recent Realization: Even if they can’t talk to each other, the two
Merlins could still sometimes cheat by measuring quantum-mechanically entangled particles! (Related to the famous Bell Inequality)
But we now know that every multi-prover protocol can be
“immunized” against entangled provers (Ito-Vidick 2012)
Summary
With Frege, Russell, Gödel, etc., “proofs” became mathematical
objects in their own right: sequences of symbols that can be
verified by a machine, and that no human needs to understand
Today, theoretical computer science has taken the separation between verifying and understanding even further, by making “proofs” probabilistic, interactive, zero-knowledge, quantum…
Will we ever have a mechanistic account of explaining and understanding, in the same sense that we now have a mechanistic account of proving and verifying?
What’s the point of this? Russell et al.’s redefinition of proof
helped bring us the computer age. The modern redefinitions
of proof helped bring us secure electronic commerce, as well
as profound insights into the nature of computation
Central irony: All these amazing discoveries about proof relied
themselves on “traditional,” understanding-based proofs!