Probabilistically Checkable Proofs Madhu Sudan MIT CSAIL

Can Proofs Be Checked Efficiently? The Riemann Hypothesis is true (12 th Revision) By Ayror Sappen # Pages to follow: 15783

Proofs and Theorems Conventional belief: Proofs need to be read carefully to be verified. Conventional belief: Proofs need to be read carefully to be verified. Modern constraint: Don’t have the time (to do anything, leave alone) read proofs. Modern constraint: Don’t have the time (to do anything, leave alone) read proofs. This talk: This talk: New format for writing proofs. New format for writing proofs. Efficiently verifiable probabilistically, with small error probability. Efficiently verifiable probabilistically, with small error probability. Not much longer than conventional proofs. Not much longer than conventional proofs.

Outline of talk Quick primer on the Computational perspective on theorems and proofs (proofs can look very different than you’d think). Quick primer on the Computational perspective on theorems and proofs (proofs can look very different than you’d think). Definition of Probabilistically Checkable Proofs (PCPs). Definition of Probabilistically Checkable Proofs (PCPs). Overview of a new construction of PCPs due to Irit Dinur. Overview of a new construction of PCPs due to Irit Dinur.

Theorems: Deep and Shallow A Deep Theorem: A Deep Theorem: Proof: (too long to fit in this section). Proof: (too long to fit in this section). A Shallow Theorem: A Shallow Theorem: The number has a divisor between and The number has a divisor between and Proof: Proof: x ; y ; z 2 Z + ; n ¸ 3 ; x n + y n 6 = z n

Computational Perspective Theory of NP-completeness: Theory of NP-completeness: Every (deep) theorem reduces to shallow one. Every (deep) theorem reduces to shallow one. Shallow theorem easy to compute from deep one. Shallow theorem easy to compute from deep one. Shallow proofs are not much longer. Shallow proofs are not much longer. ( A ; B ; C compu t a bl e i npo l y ( n ) t i me f rom T. )

More Broadly: New formats for proofs New format for proof of T: Divisor D (A,B,C don’t have to be specified since they are known to (computable by) verifier.) New format for proof of T: Divisor D (A,B,C don’t have to be specified since they are known to (computable by) verifier.) Theory of Computation replete with examples of such “alternate” lifestyles for mathematicians (formats for proofs). Theory of Computation replete with examples of such “alternate” lifestyles for mathematicians (formats for proofs). Equivalence: (1) new theorem can be computed from old one efficiently, and (2) new proof is not much longer than old one. Equivalence: (1) new theorem can be computed from old one efficiently, and (2) new proof is not much longer than old one. Question: Why seek new formats? What Question: Why seek new formats? What benefits can they offer? benefits can they offer? Can they help ?

Probabilistically Checkable Proofs How do we formalize “formats”? How do we formalize “formats”? Answer: Formalize the Verifier instead. “Format” now corresponds to whatever the verifier accepts. Answer: Formalize the Verifier instead. “Format” now corresponds to whatever the verifier accepts. Will define PCP verifier (probabilistic, errs with small probability, reads few bits of proof) next. Will define PCP verifier (probabilistic, errs with small probability, reads few bits of proof) next.

V T P PCP Verifier 1.Reads Theorem 2. Tosses coins 3. Reads few bits of proof 4. Accepts/Rejects HTHTTH T i nva l i d ) 8 PV accep t sw. p. · 1 2. TV a l i d ) 9 P s. t. V accep t sw. p. 1.

Features of interest Number of bits of proof queried must be small (constant?). Number of bits of proof queried must be small (constant?). Length of PCP proof must be small (linear?, quadratic?) compared to conventional proofs. Length of PCP proof must be small (linear?, quadratic?) compared to conventional proofs. Optionally: Classical proof can be converted to PCP proof efficiently. (Rarely required in Logic.) Optionally: Classical proof can be converted to PCP proof efficiently. (Rarely required in Logic.) Do such verifiers exist? Do such verifiers exist? PCP Theorem [1992]: They do. PCP Theorem [1992]: They do. Today – New construction due to Dinur. Today – New construction due to Dinur.

Part II – PCP Construction of Dinur

Essential Ingredients of PCPs Locality of error: Locality of error: If theorem is wrong (and so “proof” has an error), then error in proof can be pinpointed locally (since it is found by verifier that reads only few bits of proof). If theorem is wrong (and so “proof” has an error), then error in proof can be pinpointed locally (since it is found by verifier that reads only few bits of proof). Abundance of error: Abundance of error: Errors in proof are abundant (i.e., easily seen in random probes of proof). Errors in proof are abundant (i.e., easily seen in random probes of proof). How do we construct a proof system with these features? How do we construct a proof system with these features?

Locality: From NP-completeness 3-Coloring 3-Coloring Color vertices s.t. endpoints of edge have different colors. is NP-complete: T P a c b e d f g a c db e f g

3-Coloring Verifier: To verify To verify Verifier constructs Verifier constructs Expects as proof. Expects as proof. To verify: Picks an edge and verifies endpoints distinctly colored. To verify: Picks an edge and verifies endpoints distinctly colored. Error: Monochromatic edge = 2 pieces of proof. Error: Monochromatic edge = 2 pieces of proof. Local! But errors not frequent. Local! But errors not frequent. T

Amplifying Error Dinur Transformation: There exists a linear-time algorithm A: Dinur Transformation: There exists a linear-time algorithm A: A ² A ( G ) 3 -co l ora bl e i f G i s 3 -co l ora bl e ² F rac t i ono f monoc h roma t i ce d ges i n A ( G ) i s t w i ce t h e f rac t i on i n G ( un l ess f rac t i on i n G i s ¸ ² 0 ).

Iterating the Dinur Transformation Logarithmically many iterations of the Dinur Transformation: Logarithmically many iterations of the Dinur Transformation: Leads to a polynomial time transformation. Leads to a polynomial time transformation. Preserve 3-colorability (valid theorems map to valid theorems). Preserve 3-colorability (valid theorems map to valid theorems). Convert invalid theorem into one where every proof has ε 0 fraction errors. Convert invalid theorem into one where every proof has ε 0 fraction errors.

Details of the Dinur Transformation Step 1: Step 1: “Gap Amplification”: Increase number of available colors, but make coloring more restrictive. “Gap Amplification”: Increase number of available colors, but make coloring more restrictive. Goal: Increase errors in this stage (at expense of longer questions). Goal: Increase errors in this stage (at expense of longer questions). Step 2: Step 2: “Color reduction”: Reduce number of colors back to 3. “Color reduction”: Reduce number of colors back to 3. Hope: Fraction of errors does not reduce by much (fraction will reduce though). Hope: Fraction of errors does not reduce by much (fraction will reduce though). Composition of Steps yields Transformation. Composition of Steps yields Transformation.

Step 2: Reducing #colors Form of classical “Reductions”: similar to task of reducing “k-coloring” to “3-coloring”. Form of classical “Reductions”: similar to task of reducing “k-coloring” to “3-coloring”. Unfortunately: Classical reductions lose by factor k. Can’t afford this. Unfortunately: Classical reductions lose by factor k. Can’t afford this. However: Prior work on PCPs gave a simple reduction: Lose only a universal constant, independent of k. This is good enough for Step 2. However: Prior work on PCPs gave a simple reduction: Lose only a universal constant, independent of k. This is good enough for Step 2. (So: Dinur does use prior work on PCPs, but the simpler, more elementary, parts.) (So: Dinur does use prior work on PCPs, but the simpler, more elementary, parts.)

Step 1: Increasing Error Task (for example): Create new graph H (and coloring restriction) from G s.t. H is 3 c -color if G is 3-colorable, but fraction of “invalidly colored” edges in H is twice the fraction in G. Task (for example): Create new graph H (and coloring restriction) from G s.t. H is 3 c -color if G is 3-colorable, but fraction of “invalidly colored” edges in H is twice the fraction in G. One idea: Graph Products. One idea: Graph Products. ² V ( H ) = V ( G ) £ V ( G ) ² ( u ; v ) $ H ( w ; x ), u $ G w & v $ G x ² C o l or i ngva l i d i ® i t i sva l i d coor d i na t ew i se. v x u w

Graph Products and Gap Amplification Problem 1: Not clear that error amplifies. Non- trivial question. Many counter-examples to naïve conjectures. (But might work …) Problem 1: Not clear that error amplifies. Non- trivial question. Many counter-examples to naïve conjectures. (But might work …) Problem 2: Quadratic-blow up in size. Does not work in linear time!!! Problem 2: Quadratic-blow up in size. Does not work in linear time!!! Dinur’s solution: Take a “derandomized graph product” Dinur’s solution: Take a “derandomized graph product”

Step 1: The final construction Definition of H (and legal coloring): Definition of H (and legal coloring): ² V er t i ceso f H = B a ll so f ra d i us t i n G ² E d geso f H = W a lk so fl eng t h t i n G

Analysis of the construction. Does this always work? Does this always work? No! E.g., if G is a collection of disconnected graphs, some 3-colorable and others not. No! E.g., if G is a collection of disconnected graphs, some 3-colorable and others not. Fortunately, connectivity is the only bottleneck. If G is well-connected, then H has the right properties. (Intuition developed over several decades of work in “expanders” and “derandomization”.) Fortunately, connectivity is the only bottleneck. If G is well-connected, then H has the right properties. (Intuition developed over several decades of work in “expanders” and “derandomization”.) Formal analysis: Takes only couple of pages Formal analysis: Takes only couple of pages

Conclusion A moderately simple proof of the PCP theorem. (Hopefully motivates you. Read original paper at ECCC. Search for “Dinur”, “Gap Amplification”). A moderately simple proof of the PCP theorem. (Hopefully motivates you. Read original paper at ECCC. Search for “Dinur”, “Gap Amplification”). Matches many known parameters (but doesn’t match others). Matches many known parameters (but doesn’t match others). E.g., [Håstad] shows can verify proof by reading 3 bits, rejecting invalid proofs w.p..4999… E.g., [Håstad] shows can verify proof by reading 3 bits, rejecting invalid proofs w.p..4999… Can’t (yet) reproduce such constructions using Dinur’s technique. Can’t (yet) reproduce such constructions using Dinur’s technique.

Conclusions (contd.) PCPs illustrate the power of specifying a format for proofs. PCPs illustrate the power of specifying a format for proofs. Can we use this for many computer generated proofs? Can we use this for many computer generated proofs? More broadly: Revisits the complexity of proving theorems vs. verifying proofs. More broadly: Revisits the complexity of proving theorems vs. verifying proofs. Is P=NP? Is P=NP?

Brief History Definition conceived in 1991 (based on extensive series of works in 1980s motivated principally by cryptography). Definition conceived in 1991 (based on extensive series of works in 1980s motivated principally by cryptography). Quick Series of Results ( ) culminating in the PCP theorem: Quick Series of Results ( ) culminating in the PCP theorem: There exists an efficient PCP verifier who checks proofs probabilistically by looking at constant number of bits of the proof; accepts valid proofs; rejects invalid theorems w.p. ½; There exists an efficient PCP verifier who checks proofs probabilistically by looking at constant number of bits of the proof; accepts valid proofs; rejects invalid theorems w.p. ½; PCP proofs not much longer than conventional proofs. PCP proofs not much longer than conventional proofs.

PCP constructions: 1992 construction quite complex (won’t discuss today) construction quite complex (won’t discuss today). Since : Constructions got more efficient, and more complex! Since : Constructions got more efficient, and more complex! 2005: A new construction 2005: A new construction [Irit Dinur, The PCP Theorem by Gap Amplification, ECCC, 2005.] Much simpler – exploits improved understanding of computational randomness (1970s-2000s).

The Burden of Checking Proofs Editor sees articles that are hundreds of pages long. Sometimes, almost surely wrong. But how can we check. Editor sees articles that are hundreds of pages long. Sometimes, almost surely wrong. But how can we check. Probabilistically Checkable Proofs: Can proofs be checkable efficiently, without reading the whole proof? Probabilistically Checkable Proofs: Can proofs be checkable efficiently, without reading the whole proof? First reaction: NO! Proof may only have one error. How are we going to find it. (Recall the many proofs of 1=2 you’ve seen.) First reaction: NO! Proof may only have one error. How are we going to find it. (Recall the many proofs of 1=2 you’ve seen.) Goal of this talk: A Better Answer: YES! Goal of this talk: A Better Answer: YES!

Logic, Computation, and Probability First clarification: Proofs as we know it are not even checkable, leave alone “probabilistically” and “efficiently”. (I.e., an typo in proof in journal is not considered fatal.) First clarification: Proofs as we know it are not even checkable, leave alone “probabilistically” and “efficiently”. (I.e., an typo in proof in journal is not considered fatal.) Distinction between Informal Proofs and Formal Proofs: Readability vs. Syntactic correctness. Distinction between Informal Proofs and Formal Proofs: Readability vs. Syntactic correctness. Reliance on Informal Proofs based on implicit belief that we can translate proofs to Formal, syntactically correct, ones. Reliance on Informal Proofs based on implicit belief that we can translate proofs to Formal, syntactically correct, ones. Study of such formal, syntactically correct, proofs and their verification: Logic Study of such formal, syntactically correct, proofs and their verification: Logic

Logic and Theory of Computing Principal thesis of Logic: There exists a format for writing theorems and proofs so that: Principal thesis of Logic: There exists a format for writing theorems and proofs so that: Proofs can be verified (easily). Proofs can be verified (easily). Completeness: Every true theorem has a (short) proof. Completeness: Every true theorem has a (short) proof. Soundness: No false theorem has a proof. Soundness: No false theorem has a proof. In fact, there are many formats. In fact, there are many formats. Theory of Computing: If we interpret “easily” and “short” properly, then we can produce many unlikely formats! Theory of Computing: If we interpret “easily” and “short” properly, then we can produce many unlikely formats!

Easy vs. Hard; Short vs. Long Underlying hypothesis: Theorem (T), Proof (P) are just sentences/sequence of letters from some finite alphabet. Indeed w.l.o.g., alphabet = {0,1}. Underlying hypothesis: Theorem (T), Proof (P) are just sentences/sequence of letters from some finite alphabet. Indeed w.l.o.g., alphabet = {0,1}. Easy Verification: Validity(T,P) computable in time polynomial in the length of T, P. Easy Verification: Validity(T,P) computable in time polynomial in the length of T, P. “Short”: Length of P is not much longer than length of P in any other reasonable format. “Short”: Length of P is not much longer than length of P in any other reasonable format.

Non-standard formats for Proofs. Standard Language: T = Riemann Hypothesis; and say P is expected to be of length n. Standard Language: T = Riemann Hypothesis; and say P is expected to be of length n. Non-standard language: T’ = (A,B,C) integers. Proof P’ = D another integer. Non-standard language: T’ = (A,B,C) integers. Proof P’ = D another integer. Valid?(T’,P’): D divides A, and B ≤ D ≤ C. Valid?(T’,P’): D divides A, and B ≤ D ≤ C. Equivalence: Given T and n, can efficiently compute T’ = (A,B,C) with 0 ≤ A,B,C ≤ exp(n c ); such that T’ valid in non-standard format iff T valid in standard format. Equivalence: Given T and n, can efficiently compute T’ = (A,B,C) with 0 ≤ A,B,C ≤ exp(n c ); such that T’ valid in non-standard format iff T valid in standard format.

Aside: Theory of NP-completeness Theory provides a wide variety of “formats” for proof systems (proving they are all equivalent). Theory provides a wide variety of “formats” for proof systems (proving they are all equivalent). Fundamental question: P = NP? Fundamental question: P = NP? Equivalent to: Is proving a theorem as easy as verifying its proof? Equivalent to: Is proving a theorem as easy as verifying its proof? More provocative version: Can we replace every mathematician by a computer? More provocative version: Can we replace every mathematician by a computer?

Logic, Computation, and Randomness What new formats emerge when we introduce randomness into the mix. What new formats emerge when we introduce randomness into the mix. Verifier allowed to Verifier allowed to Toss random coins. Toss random coins. Make error with small probability. Make error with small probability. What benefits can this provide? What benefits can this provide? Can we ensure verifier reads Can we ensure verifier reads