- 80 Views
- Uploaded on
- Presentation posted in: General

Slides by Dana Moshkovitz. Adapted from Oded Goldreich’s course lecture notes.

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Interactive Proofs

Slides by Dana Moshkovitz.

Adapted from Oded Goldreich’s course lecture notes.

- Proof systems: NP revisited.
- Interactive proofs
- The complexity class IP
- Example: An interactive proof for Graph Non-Isomorphism
- IP=PSPACE
- Public coins

- In order to understand the notion of Proof Systems, let us observe NP again.
- In a way, the complexity class we will define and discuss later is a probabilistic analog of NP.
- The languages in NP are those whose members all have short certificates of membership, which can be easily verified.

- We can view this as follows:
- There is a mighty powerful Prover.
- The Prover needs to convince a Verifier that the input is indeed a member of the language.
- So it sends the Verifier a short (polynomial) certificate.
- The Verifier has limited resources: the verification of the certificate cannot take more than polynomial time.

(x)=false

(y)=true

(z)=false

We will demonstrate this process for 3SAT:

We would like to check the membership of a given formula:

(xyz’)(x’y’)z’

The verifier simply needs to check the truth value of the formula under the assignment it received in order to find out whether the prover was right. This merely takes polynomial time.

polynomial in the number of variables

The prover must convince the verifier this formula is satisfiable, so it sends it an assignment, which supposedly satisfies the formula. It is not difficult for the mighty prover to find such, if such exists.

- Let us specifically define the properties of a Proof System:
- The verifier’s strategy is efficient
- Correctness Requirements:
- Completeness: For a true assertion, there is a convincing proof strategy.
- Soundness: For a false assertion, no proof strategy exists.

Make sure you understand why does the the proof system we presented for 3SAT satisfy these properties.

- We will introduce the notion of Interactive Proofs, which is a generalization of the concept of a Proof System we have already observed.
- This generalization is obtained by adding two more features to the model:
- allowing a two-way dialog between the parties (interaction)
- allowing the verifier to toss coins (randomness).

- An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact on a common input in a way satisfying the following properties:
- The verifier’s strategy is a probabilistic polynomial-time procedure.
- Correctness requirements:
- Completeness: There exists a prover strategy P, such that for every xL, when interacting on a common input x, the prover P convinces the verifier with probability at least 2/3.
- Soundness: For every xL, when interacting on the common input x, any prover strategy P* convinces the verifier with probability at most 1/3.

- The complexity classIP consists of all the languages having an interactive proof system.
- The number of messages exchanged during the protocol between the two parties is called the number of rounds in the system.
- For every integer function r(.), the complexity class IP(r(.)) consists of all the languages that have an interactive proof system, in which, on common input x, at most r(|x|) rounds are used.
- For a set of integer functions R, we denote IP(R)=UrRIP(r(.)).

- NPIP
- Since the verifier must run in polynomial-time, IP=IP(poly), where poly is the set of polynomial functions.
- The definition of IP can be expanded to require Perfect Completeness (acceptance probability 1).
- On the other hand, if we demand Perfect Soundness, the class will collapse to NP-proof systems.
- Again, the constants 1/3 and 2/3 in the definition can be amplified to probabilities 1-2-p(.) and 2-p(.), for any polynomial p(.).

- If we omit randomness, IP collapses to NP-proof systems (Make sure you understand why).
- If we omit the interaction between the parties, we get IP(1) (also denoted AM), which seems to be a randomized (perhaps stronger) version of NP.
- Together these two features yield a very powerful complexity class. How powerful? This will be clarified later.
- First, let us observe an example.

- The graphs G1=(V1,E1) and G2=(V2,E2) are called isomorphic (denoted G1G2) if there exists a 1-1 and onto mapping :V1V2 such that (u,v) E1 iff ((u),(v)) E1.
- A mapping between two isomorphic graphs is called an isomorphism between the graphs.
- If no such mapping exists, the graphs are called non-isomorphic.
- We define the language GNI as follows: GNI={(G1,G2): G1 and G2 are non-isomorphic}
- We will use this language in order to demonstrate an interactive proof.

- Take these two graphs

- Although they seem very different, they are in fact isomorphic. Click to see the isomorphism between them.

GNI Motivation

- This illustration shows us that GI is in NP (Why?).
- Interestingly, it is not known whether it is NP-hard.
- GNI - on the other hand - seems much harder (We need to check no isomorphism exists).
- And indeed, it is not known whether GNI is in NP.
- Thus it will be interesting to show that if two graphs are non-isomorphic, a Prover can convince a Verifier of this fact.

- Common Input:G1=({1,...,n},E1) and G2=({1,...,n},E2)

Make sure you understand why could we assume,

without loss of generality, that V1=V2.

- The Verifier chooses randomly i in{1,2} and a permutation of {1,...,n}.
- Then it applies on the i-th graph to get: H=({1,...,n},{((u),(v)):(u,v)E})
- And sends H to the Prover.
- The prover sends j{1,2} to the Verifier.
- The Verifier accepts iff i=j.

The common input

The Prover

- The verifier chooses one of the two graphs randomly.

- The verifier constructs randomly a graph isomorphic to the graph it chose.

- If the two input graphs are truly non-isomorphic, the prover can find which of the two graphs is isomorphic to the graph he received from the verifier, and send it the correct answer.

- The verifier sends the prover the graph

- The verifier can check the answer easily (The verifier knows which graph was chosen)

The 2nd Graph

The Verifier

- The described protocol is indeed an interactive proof system for GNI.
- Make sure you can prove it.
- Since the proof was implemented with only 2rounds we can state: GNIIP(2).

We shall prove next a rather surprising result, stating

IP=PSPACE

To do so, we will prove the following two claims:

1. IPPSPACE this will follow if we can simulate every interactive proof using polynomial space.

2. PSPACEIP this will follow if we can exhibit a PSPACE-complete language which is in IP.

- The proof of this direction is based on a very simple observation: If we know the verifier’s strategy, we can build a polynomial space optimal prover.
- At each point that prover would choose the strategy, which has the highest probability to result in acceptance.
- How would it know which one is the best? It will simply go over all possible interactions and check.
- That’s why a polynomial space is necessary.

- In order to formalize the former observation, we introduce the following notations:
- Let F(1,1,...,i-1,i) be the probability that an interaction beginning with 1,1,...,i-1,i will result in acceptance. Where: iand iare i-th messages sent by the verifier and by the prover respectively.
- Let r be the outcome of all the verifier’s coin tosses.
- Let R1,1,...,i-1,i be the set of all r’s consistent with the interaction 1,1,...,i-1,i.
- Let V(r,1,...,i-1) be the message i+1 sent by the verifier.
- We will show F can be computed using polynomial space, and that for every i, an iwhich maximizes the probability, can be found in the process.

- Using those notations we can write:

- And get the recursion formula for F:

- Although they might seem intimidating at first sight, the formulas presented here are quite trivial. Make sure you fully understand them.

- Why can we compute F according to the previous formula in polynomial space?
- Finding which r’s are consistent (rR1,1,...,i-1,i) can be done by simulating the verifier, which works in polynomial time for fixed random bits. Note that |r| is poly.
- Similarly, we can can find the verifier’s answer (V(r,1,...,i-1)).
- The recursion stops, once a full transcript of the interaction is reached. Then the probability can be computed directly, by enumerating all the r’s consistent with it.
- Thus the depth of the recursion is bounded by the number of rounds, which is polynomial.

Do you remember that verifier strategy?

- choose one of the two graphs at random
- construct a random graph isomorphic to the graph you chose
- send that graph to the prover
- accept iff the prover sent back the same index you chose.

- Let us demonstrate this for the GNI example. Suppose we take the same strategy for the verifier as we described earlier.
- What would the optimal prover do?

½

1

½

2

Input:

- Suppose these are the two input graphs.

accept

Prob. For acceptance:

reject

Received:

reject

accept

- And this is the graph the prover received from the verifier.

- The prover should check which possible answer (1 or 2) yields the highest possibility for acceptance.

- For each possible answer, the prover should go over all possible random bits and find out which are consistent with the message it received.

- Clearly, in this example there are two possible r’s (the verifier could have chosen both the first graph and the second one).

- Here we don’t have to go too far: in the next move the verifier decides whether to accept, so by simulating it, we can find the desired probabilities.

- Finally, let us prove this containment:
- Suppose we have a language L in IP.
- Hence, there exists an interactive proof for L.
- According to what we have just proven, there also exists a polynomial space optimal prover.
- Therefore, for all possible verifier’s coin tosses we can simulate an interaction between the verifier and the optimal prover.
- We accept iff more than 2/3 of the outcomes are accepting.
- Clearly, we accept iff the input is in the language.
- Consequently: IP PSPACE

- We will show the following PSPACE-complete language has an interactive proof:
- TQBF: Let be a quantified boolean formula of the form: =Q1x1...Qmxm[], where is a CNF formula and each Qiis either or . We ask if is true.
- Next we will present the ideas, which will eventually allow us to write an interactive proof for TQBF.

- Suppose we have a TQBF formula =Q1x1...Qmxm[].
- For 1im and a1,...,am{0,1} let fi(a1,...,ai)=1 iff Qi+1xi+1...Qmxm[(a1,...,ai)] is true. (Otherwise fi(a1,...,ai)=0).
- f0() is the truth value of .

- The general idea behind the interactive proof is to convince the verifier f0()=1 and f0() is indeed the truth value of the formula.This will be done by supplying it all the fi’s so it can check each one really follows its successor.
- The problem is that there is an exponential number of assignments to the variables.
- This disqualifies the naive representation of the functions.
- This also makes ensuring the validity of the functions seem impossible for the verifier.
- The solution is based on a technique called arithmization, which will provide us with a better way for representing the functions and will allow the verifier to take advantage of its ability to use randomness.

With each CNF formula , we associate a polynomial p in the following manner:

0

F

1

T

xi

xi

1-

1-(1-)(1-)

The bottom Line: (x1,...,xn) is false iff p(x1,...,xn)=0

x1

x2

x1

(x1 x2)x1

(1-x2)

(1-x1)

1-

(1-(1-x2))

1-

(1-x1)

x2

x1x2-x2+1

(x1x2-x2+1)x1

x12x2-x1x2+x1

Note that in the resulting polynomial the degree of each variable is at most n (the number of variables in the formula).

- Suppose now we have a QBF=Q1x1...Qmxm[].
- we define: ’=Q1x1R1x1Q2x2R1x1R2x2...QmxmR1x1...Rmxm[].
- R is a reduction operator, which is designed to keep the degree of the polynomials small. Further explanations follow.
- We rewrite this as: ’=S1y1...Skyk[] where: Si{,,R},yi{x1,...,xm}.
- fk(x1,...,xm) is the polynomial obtained by arithmetizing .
- If i<k then
- if Si= : fi(...)=fi+1(...,0)fi+1(...,1)
- if Si= : fi (...)=1-(1-fi+1(...,0))(1-fi+1(...,1))
- if Si=R : fi(...,a)=(1-a)fi+1(...,0)+afi+1(...,1)

- The Rx operation on polynomials does not change their values on boolean input.
- But it does produce a polynomial that is linear in x.

Why is this definition of f

the same as the previous one

for boolean input?

Note, that we reorder

the inputs to the

functions, so the

variable yi+1 is the last

argument

=x1x2[(x1x2)x1]

Take this formula:

’=x1Rx1x2Rx1Rx2[(x1x2)x1]

We build ’

f5(x1,x2)=x12x2-x1x2+x1

f4(x1,x2)=(1-x2)f5(x1,0)+x2f5(x1,1)

=(1-x1)(x12·0-x1·0+x1)+x2(x12·1-x1·1+x1)

=x1-x12+x12x2

f3(x1,x2)=(1-x1)f4(0,x2)+x1f4(1,x2)

=(1-x1)·0+x1x2

=x1x2

f2(x1) =f3(x1,0)·f3(x1,1)

=x1

f1(x1) =(1-x1)f2(0)+x1f2(1)

=x1

f0() =1-(1-f1(0))(1-f1(1))

=1

Now we can use

our former

computation in order

to calculate:

f0()

fi(...,z)

A setting of the

variables to the

previously selected

random values

r

- V chooses a prime q>n4. All arithmetic operations will be carried over GF[q].

- Phase 1: V verifies f0()=1

. . .

- Phase i: V finds fi(...,0) and fi(...,1)

- V checks that the degree is at most n.

- Suppose S denotes the current quantifier. V checks the following:

- If S=, fi-1(...)=1-(1-fi(...,0))(1-fi(...,1))

- If S=, fi-1(...)=fi(...,0)fi(...,1)

- If S=R, fi-1(...,r)=(1-r)fi(...,0)+rfi(...,1)

- V picks r in GF[q] at random and sends it to the prover.

. . .

- Phase k+1: V evaluates p(r1,...,rm) to compare with the value V has for fm(r1,...,rm).

- Clearly, when the formula is true, a honest prover can compute the functions, and V will accept (completeness).
- What if the formula is false (soundness)?
- If V has incorrect value for fi-1(...), one of the values fi(...,0) and fi(...,1) must be incorrect and the polynomial for fi must be incorrect.
- Consequently, for a random r the probability that a prover gets lucky in this phase because fi(...,r) is correct is at most the polynomial degree divided by the field’s size.
- This statement will be clarified next.

- This statement is the heart of the proof. In order to understand it, we need to take a better look at some properties of polynomials.
- A polynomial in a single variable of degree at most d can have no more than d roots, unless it always evaluates to zero.
- Therefore any two polynomials in a single variable of degree at most d can agree in at most d places, unless they agree everywhere.

- Because of the reduction operator, the degrees of the polynomials obtained are bounded by n, the length of the CNF formula. This results from n also being the bound on the degree of fk.
- This means that there are at most n places in which both fi(...,r) and the polynomial we got instead agree.
- Hence, the probability that they agree in a random r is at most n divided by the field’s size, n4, and this is what we stated earlier.

- Since this protocol proceeds for O(n2) phases (why?), the probability a prover gets lucky at some phase is at most 1/n.
- If a prover is never lucky, V will reject at phase k+1.
- This completes our proof for the correctness of the protocol for TQBF, and allows us to state:
- PSPACE IP

- Let’s review what have we accomplished so far:
- We proved that if we have an interactive proof for testing membership in some language, we can build a polynomial space Turing machine, which simulates the interaction between the verifier and an optimal prover, and thus accepts the language.
- We also proved that there is an interactive proof for a PSPACE-complete language.
- It follows that IP=PSPACE.

- According to our definition of interactive proofs, the coins tossed by the verifier are private.
- That is, they are not visible to the prover.
- One might wonder, if this property is really necessary or we can even allow our coins to be public.

- Clearly, our previous protocol for GNI fails when the verifier has to reveal the outcome of its coin tosses.
- Still, an interactive proof with public coins can be constructed for GNI.
- Consider the following observation:
- Roughly speaking, in the last protocol, the verifier had 2n! different graphs it could send the prover, if the graphs were indeed non-isomorphic, and only n! different graphs, if they were not.

- This motivates us to use this approach:
- The prover should try to convince the verifier the set of all graphs it could have sent in the former protocol is BIG.
- This will be done by mapping the elements of the set (denoted W) into a table T of size 4m! and looking at the probability that a random entry in T is filled.

A family of hash functions H is 2-universal,

if whenever h is chosen uniformly from H,

(h(x),h(y)) is also uniformly distributed.

Can you prove that the functions we defined are

indeed 2-universal?

- The protocol is:
- LetS={0,1}n{0,1}n. V chooses s=(a,b)RS and R{1,...,|T|} and sends them to P.
- P computes Sn and c{1,2} and sends to V the graph (Gc).
- V accepts iff hs((Gc))=, where the 2-universal hash functions hs(x) are defined as ax+b (The arithmetic operations are with respect to the finite field GF[2n]).
- Note that V sends all the random bits it uses to P, so they are truly public.

- We want to show, that if the two input graphs are non-isomorphic, there is a fairly decent chance the prover P will be able to find a graph in W which is mapped to by hs.
- Given {1,...,2N} Define Ei to be the event that element i is mapped to the given .

Pr[at least one element in the size N set is mapped to ]

inclusion-exclusion

= Pr[E1... EN]

i Pr[Ei]- i<j Pr[Ei,Ej]

3/8

= N/2N-C(N,2)1/4N2

We used a 2-universal hash family

- If xL, the probability V accepts is thus at least 3/8.
- If xL, W is 1/4 the size of the table, so the probability V accepts is at most 1/4.
- The gap between these probabilities can be boosted in the usual way.
- This concludes our proof for the correctness of the interactive proof with public coins for GNI.
- Yet the question remains:
- Are public coins as powerful as private coins in interactive proofs?
- Next we introduce the related notations and quote some interesting theorems regarding public coins.

- Public Coin Proof Systems (also known as Arthur-Merlin Games) are interactive proof systems, in which at each round the verifier can only toss coins and send their outcome to the prover. In the last round the verifier decides whether to accept or reject.
- Intuitively: Arthur cannot ask Merlin tricky questions, only random ones, ‘cause Merlin knows all his tricks...
- For every integer function r(.) the complexity class AM(r(.)) consists of all the languages that have Arthur-Merlin proof system in which, on common input x, at most r(|x|) rounds are used.
- Denote AM=AM(2)

- We quote the following results without proof:
- Relating IP to AM:
- r(.) IP(r(.))AM(r(.)+2)

- Linear Speed-UP Theorem:
- r(.)2 AM(2r(.))=AM(r(.))

- We conclude:
- r(.)2 IP(2r(.))=IP(r(.))
- IP(O(1))=AM(2)

- In addition to the lecture notes taken from Oded Goldreich’s course (written by: Danny Harnik, Tzvika Hartman and Hillel Kugler), I also used:
- Sipser’s Advanced Topics in Complexity Theory for the IP=PSPACE proof.
- Michael Luby, Avi Wigderson, Pairwise Independence and Derandomization, July 1995 for the public coins interactive proof for GNI.