Download presentation
Presentation is loading. Please wait.
Published byRoderick Lawson Modified over 9 years ago
1
CS151 Complexity Theory Lecture 13 May 11, 2015
2
2 Outline proof systems interactive proofs and their power Arthur-Merlin games
3
May 11, 20153 Proof systems L = { (A, 1 k ) : A is a true mathematical assertion with a proof of length k} What is a “proof”? complexity insight: meaningless unless can be efficiently verified
4
May 11, 20154 Proof systems given language L, goal is to prove x L proof system for L is a verification algorithm V –completeness: x L 9 proof, V accepts (x, proof) “true assertions have proofs” –soundness: x L 8 proof*, V rejects (x, proof*) “false assertions have no proofs” –efficiency: 8 x, proof: V(x, proof) runs in polynomial time in |x|
5
May 11, 20155 Classical Proofs previous definition: “classical” proof system recall: L NP iff expressible as L = { x | 9 y, |y| < |x| k, (x, y) R } and R P. NP is the set of languages with classical proof systems (R is the verifier)
6
May 11, 20156 Interactive Proofs Two new ingredients: –randomness: verifier tosses coins, errs with some small probability –interaction: rather than “reading” proof, verifier interacts with computationally unbounded prover NP proof systems lie in this framework: prover sends proof, verifier does not use randomness
7
May 11, 20157 Interactive Proofs interactive proof system for L is an interactive protocol (P, V) ProverVerifier...... common input: x accept/ reject # rounds = poly(|x|)
8
May 11, 20158 Interactive Proofs interactive proof system for L is an interactive protocol (P, V) –completeness: x L Pr[V accepts in (P, V)(x)] 2/3 –soundness: x L 8 P* Pr[V accepts in (P*, V)(x)] 1/3 –efficiency: V is p.p.t. machine repetition: can reduce error to any ε
9
May 11, 20159 Interactive Proofs IP = {L : L has an interactive proof system} Observations/questions: –philosophically interesting: captures more broadly what it means to be convinced a statement is true –clearly NP IP. Potentially larger. How much larger? –if larger, randomness is essential (why?)
10
May 11, 201510 Graph Isomorphism graphs G 0 = (V, E 0 ) and G 1 = (V, E 1 ) are isomorphic (G 0 G 1 ) if exists a permutation π:V V for which (x, y) E 0 (π(x), π(y)) E 1 1 2 3 4 1 2 4 3 1 4 3 2
11
May 11, 201511 Graph Isomorphism GI = {(G 0, G 1 ) : G 0 G 1 } –in NP –not known to be in P, or NP-complete GNI = complement of GI –not known to be in NP Theorem (GMW): GNI IP –indication IP may be more powerful than NP
12
May 11, 201512 GNI in IP interactive proof system for GNI: ProverVerifier input: (G 0, G 1 ) flip coin c {0,1}; pick random π H = π(G c ) if H G 0 r = 0, else r = 1 r accept iff r = c
13
May 11, 201513 GNI in IP completeness: –if G 0 not isomorphic to G 1 then H is isomorphic to exactly one of (G 0, G 1 ) –prover will choose correct r soundness: –if G 0 G 1 then prover sees same distribution on H for c = 0, c = 1 –no information on c any prover P* can succeed with probability at most 1/2
14
May 11, 201514 The power of IP We showed GNI 2 IP GNI IP suggests IP more powerful than NP, since we don’t know how to show GNI in NP GNI in coNP Theorem (LFKN): coNP IP
15
May 11, 201515 The power of IP Proof idea: input: φ(x 1, x 2, …, x n ) –prover: “I claim φ has k satisfying assignments” –true iff φ(0, x 2, …, x n ) has k 0 satisfying assignments φ(1, x 2, …, x n ) has k 1 satisfying assignments k = k 0 + k 1 –prover sends k 0, k 1 –verifier sends random c {0,1} –prover recursively proves “φ’ = φ(c, x 2, …, x n ) has k c satisfying assignments” –at end, verifier can check for itself.
16
May 11, 201516 The power of IP Analysis of proof idea: –Completeness: φ(x 1, x 2, …, x n ) has k satisfying assignments accept with prob. 1 –Soundness: φ(x 1, x 2, …, x n ) does not have k satisfying assigns. accept prob. 1 – 2 -n –Why? It is possible that k is only off by one; verifier only catches prover if coin flips c are successive bits of this assignment
17
May 11, 201517 The power of IP Solution to problem (ideas): –replace {0,1} n with (F q ) n –verifier substitutes random field element at each step –vast majority of field elements catch cheating prover (rather than just 1) Theorem: L = { (φ, k): CNF φ has exactly k satisfying assignments} is in IP
18
May 11, 201518 The power of IP First step: arithmetization –transform φ(x 1, … x n ) into polynomial p φ (x 1, x 2, … x n ) of degree d over a field F q ; q prime > 2 n –recursively: x i x i φ (1 - p φ ) φ φ’ (p φ )(p φ’ ) φ φ’ 1 - (1 - p φ )(1 - p φ’ ) –for all x {0,1} n we have p φ (x) = φ(x) –degree d |φ| –can compute p φ (x) in poly time from φ and x
19
May 11, 201519 The power of IP Prover wishes to prove: k = Σ x 1 = 0, 1 Σ x 2 = 0,1 … Σ x n = 0, 1 p φ (x 1, x 2, …, x n ) Define: k z = Σ x 2 = 0,1 … Σ x n = 0, 1 p φ (z, x 2, …, x n ) prover sends: k z for all z F q verifier: –checks that k 0 + k 1 = k –sends random z F q continue with proof that k z = Σ x 2 = 0,1 … Σ x n = 0, 1 p φ (z, x 2, …, x n ) at end: verifier checks for itself
20
May 11, 201520 The power of IP Prover wishes to prove: k = Σ x 1 = 0, 1 Σ x 2 = 0,1 … Σ x n = 0, 1 p φ (x 1, x 2, …, x n ) Define: k z = Σ x 2 = 0,1 … Σ x n = 0, 1 p φ (z, x 2, …, x n ) a problem: can’t send k z for all z F q solution: send the polynomial ! –recall degree d |φ|
21
May 11, 201521 The actual protocol ProverVerifier input: ( φ, k ) p 1 (0)+p 1 (1)=k? pick random z 1 in F q p 1 (x) = Σ x 2, …, x n {0,1} p φ ( x, x 2, …, x n ) p 1 (x) z1z1 p 2 (x) = Σ x 3, …, x n {0,1} p φ (z 1, x, x 3, …, x n ) p 2 (x) z2z2 p 2 (0)+p 2 (1)=p 1 (z 1 )? pick random z 2 in F q p 3 (x) = Σ x 4, …, x n {0,1} p φ (z 1, z 2, x, x 4 …, x n ) p 3 (0)+p 3 (1)=p 2 (z 2 )? pick random z 3 in F q p 3 (x) p n (x) p n (0)+p n (1)=p n-1 (z n-1 )? pick random z n in F q. p n (z n ) = p φ (z 1, z 2, …, z n )?
22
May 11, 201522 Analysis of protocol Completeness: –if (φ, k) L then honest prover on previous slide will always cause verifier to accept
23
May 11, 201523 Analysis of protocol Soundness: –let p i (x) be the correct polynomials –let p i *(x) be the polynomials sent by (cheating) prover –(φ, k) L p 1 (0) + p 1 (1) ≠ k –either p 1 *(0) + p 1 *(1) ≠ k (and V rejects) –or p 1 * ≠ p 1 Pr z 1 [p 1 *(z 1 ) = p 1 (z 1 )] d/q |φ|/2 n –assume (p i+1 (0)+p i+1 (1)= ) p i (z i ) ≠ p i *(z i ) –either p i+1 *(0) + p i+1 *(1) ≠ p i *(z i ) (and V rejects) –or p i+1 * ≠ p i+1 Pr z i+1 [p i+1 *(z i+1 ) = p i+1 (z i+1 )] |φ|/2 n
24
May 11, 201524 Analysis of protocol Soundness (continued): –if verifier does not reject, there must be some i for which: p i * ≠ p i and yet p i *(z i ) = p i (z i ) –for each i, probability is |φ|/2 n –union bound: probability that there exists an i for which the bad event occurs is n|φ|/2 n poly(n)/2 n << 1/3
25
May 11, 201525 Analysis of protocol Conclude: L = { (φ, k): CNF φ has exactly k satisfying assignments} is in IP L is coNP-hard, so coNP IP Question remains: –NP, coNP IP. Potentially larger. How much larger?
26
May 11, 201526 IP = PSPACE Theorem: (Shamir) IP = PSPACE –Note: IP PSPACE enumerate all possible interactions, explicitly calculate acceptance probability interaction extremely powerful ! An implication : you can interact with master player of Generalized Geography and determine if she can win from the current configuration even if you do not have the power to compute optimal moves!
27
May 11, 201527 IP = PSPACE need to prove PSPACE IP –use same type of protocol as for coNP –some modifications needed
28
May 11, 201528 IP = PSPACE protocol for QSAT –arithmetization step produces arithmetic expression p φ : ( 9 x i ) φ Σ x i = 0, 1 p φ ( 8 x i ) φ ∏ x i = 0, 1 p φ –start with QSAT formula in special form (“simple”) no occurrence of x i separated by more than one “ 8 ” from point of quantification
29
May 11, 201529 IP = PSPACE –quantified Boolean expression φ is true if and only if p φ > 0 –Problem: ∏’s may cause p φ > 2 2 |φ| –Solution: evaluate mod 2 n q 2 3n –prover sends “good” q in first round “good” q is one for which p φ mod q > 0 –Claim: good q exists # primes in range is at least 2 n
30
May 11, 201530 The QSAT protocol ProverVerifier input: φ p 1 (0)+p 1 (1) = k? or p 1 (0)p 1 (1) = k? pick random z 1 in F q p 1 (x): remove outer Σ or ∏ from p φ k, q, p 1 (x) z1z1 p 2 (x): remove outer Σ or ∏ from p φ [x 1 z 1 ] p 2 (x) z2z2 p 2 (0)+p 2 (1)=p 1 (z 1 )? or p 2 (0)p 2 (1) = p 1 (z 1 )? pick random z 2 in F q p 3 (x): remove outer Σ or ∏ from p φ [x 1 z 1, x 2 z 2 ] p 3 (x) p n (x) p n (0)+p n (1)=p n-1 (z n-1 )? or p n (0)p n (1) = p n-1 (z n-1 )? pick random z n in F q p n (z n ) = p φ [x 1 z 1,…, x n z n ].
31
May 11, 201531 Analysis of the QSAT protocol Completeness: –if φ QSAT then honest prover on previous slide will always cause verifier to accept
32
May 11, 201532 Analysis of the QSAT protocol Soundness: –let p i (x) be the correct polynomials –let p i *(x) be the polynomials sent by (cheating) prover –φ QSAT 0 = p 1 (0) +/x p 1 (1) ≠ k –either p 1 *(0) +/x p 1 *(1) ≠ k (and V rejects) –or p 1 * ≠ p 1 Pr z 1 [p 1 *(z 1 ) = p 1 (z 1 )] 2|φ|/2 n –assume (p i+1 (0) +/x p i+1 (1)=) p i (z i ) ≠ p i *(z i ) –either p i+1 *(0) +/x p i+1 *(1) ≠ p i *(z i ) (and V rejects) –or p i+1 * ≠ p i+1 Pr z i+1 [p i+1 *(z i+1 ) = p i+1 (z i+1 )] 2|φ|/2 n φ is “simple”
33
May 11, 201533 Analysis of protocol Soundness (continued): –if verifier does not reject, there must be some i for which: p i * ≠ p i and yet p i *(z i ) = p i (z i ) –for each i, probability is 2|φ|/2 n –union bound: probability that there exists an i for which the bad event occurs is 2n|φ|/2 n poly(n)/2 n << 1/3 Conclude: QSAT is in IP
34
May 11, 201534 Example Papadimitriou – pp. 475-480 φ = 8 x 9 y(x y) 8 z((x z) (y z)) 9 w(z (y w)) p φ = ∏ x=0,1 Σ y=0,1 [(x + y) * ∏ z=0,1 [(xz + y(1-z)) + Σ w=0,1 (z + y(1-w))]] (p φ = 96 but V doesn’t know that yet !)
35
May 11, 201535 Example p φ = ∏ x=0,1 Σ y=0,1 [(x + y) * ∏ z=0,1 [(xz + y(1-z)) + Σ w=0,1 (z + y(1-w))]] Round 1: (prover claims p φ > 0) –prover sends q = 13; claims p φ = 96 mod 13 = 5; sends k = 5 –prover removes outermost “∏”; sends p 1 (x) = 2x 2 + 8x + 6 –verifier checks: p 1 (0)p 1 (1) = (6)(16) = 96 5 (mod 13) –verifier picks randomly: z 1 = 9
36
May 11, 201536 Example φ = 8 x 9 y(x y) 8 z((x z) (y z)) 9 w(z (y w)) p φ = ∏ x=0,1 Σ y=0,1 [(x + y) * ∏ z=0,1 [(xz + y(1-z)) + Σ w=0,1 (z + y(1-w))]] p φ [x 9] = Σ y=0,1 [(9 + y) * ∏ z=0,1 [(9z + y(1-z)) + Σ w=0,1 (z + y(1-w))]]
37
May 11, 201537 Example p 1 (9) = Σ y=0,1 [(9 + y) * ∏ z=0,1 [(9z + y(1-z)) + Σ w=0,1 (z + y(1-w))]] Round 2: (prover claims this = 6) –prover removes outermost “Σ”; sends p 2 (y) = 2y 3 + y 2 + 3y –verifier checks: p 2 (0) + p 2 (1) = 0 + 6 = 6 6 (mod 13) –verifier picks randomly: z 2 = 3
38
May 11, 201538 Example φ = 8 x 9 y(x y) 8 z((x z) (y z)) 9 w(z (y w)) p φ = ∏ x=0,1 Σ y=0,1 [(x + y) * ∏ z=0,1 [(xz + y(1-z)) + Σ w=0,1 (z + y(1-w))]] p φ [x 9, y 3] = [(9 + 3) * ∏ z=0,1 [(9z + 3(1-z)) + Σ w=0,1 (z + 3(1-w))]]
39
May 11, 201539 Example p 2 (3) = [(9 + 3) * ∏ z=0,1 [(9z + 3(1-z)) + Σ w=0,1 (z + 3(1-w))]] Round 3: (prover claims this = 7) –everyone agrees expression = 12*(…) –prover removes outermost “∏”; sends p 3 (z) = 8z + 6 –verifier checks: p 3 (0) * p 3 (1) = (6)(14) = 84; 12*84 7 (mod 13) –verifier picks randomly: z 3 = 7
40
May 11, 201540 Example φ = 8 x 9 y(x y) 8 z((x z) (y z)) 9 w(z (y w)) p φ = ∏ x=0,1 Σ y=0,1 [(x + y) * ∏ z=0,1 [(xz + y(1-z)) + Σ w=0,1 (z + y(1-w))]] p φ [x 9, y 3, z 7] = 12 * [(9*7 + 3(1-7)) + Σ w=0,1 (7 + 3(1-w))]
41
May 11, 201541 Example 12*p 3 (7) = 12 * [(9*7 + 3(1-7)) + Σ w=0,1 (7 + 3(1-w))] Round 4: (prover claims = 12*10) –everyone agrees expression = 12*[6+(…)] –prover removes outermost “Σ”; sends p 4 (w) = 10w + 10 –verifier checks: p 4 (0)+p 4 (1) = 10 + 20 = 30; 12*[6+30] 12*10 (mod 13) –verifier picks randomly: z 4 = 2 –Final check: 12*[(9*7+3(1-7))+(7+3(1-2))] = 12*[6+p 4 (2)] = 12*[6+30]
42
May 11, 201542 Arthur-Merlin Games IP permits verifier to keep coin-flips private –necessary feature? –GNI protocol breaks without it Arthur-Merlin game: interactive protocol in which coin-flips are public –Arthur (verifier) may as well just send results of coin-flips and ask Merlin (prover) to perform any computation Arthur would have done
43
May 11, 201543 Arthur-Merlin Games Clearly Arthur-Merlin IP –“private coins are at least as powerful as public coins” Proof that IP = PSPACE actually shows PSPACE Arthur-Merlin IP PSPACE –“public coins are at least as powerful as private coins” !
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.