Dana Moshkovitz

Interactive Protocols


Page 1: Interactive Protocols


Page 2: Interactive Protocols

Back to NP

L∈NP iff members have short, efficiently checkable, certificates of membership.

Is satisfiable?

x1 = true x11 = true

x2 = false x12 = false

x3 = false x13 = false

x4 = true x14 = true

x5 = false x15 = false

x6 = true x16 = true

x7 = false x17 = false

x8 = false x18 = true

x9 = true x19 = true

x10 = false ……

Page 3: Interactive Protocols

Interactive Protocols

Two new ingredients:

• Several rounds
• Randomness

Page 4: Interactive Protocols

Interactive Proofs Formally

Interactive Proof System for L is a game: a probabilistic polynomial-time verifier vs. an unlimited prover.

Completeness: There is a prover strategy P, s.t. for x∈L, P convinces V with probability ⅔.

Soundness: For x∉L, any prover strategy P* convinces V with probability ⅓.

Page 5: Interactive Protocols

The Players

A verifier is a polynomial function:

input random-string past-interaction reply

A prover is a function:

input past-interaction reply

(past-interaction: all previous prover and verifier replies)

Page 6: Interactive Protocols

Example: Graph Non-Isomorphism

Input: Two graphs G=(V,E), G’=(V’,E’).

Question: Is it true that for every 1-1 map f of V onto V’ there exist v,u∈V s.t. (v,u)∈E but (f(v),f(u))∉E’ (or (v,u)∉E, but (f(v),f(u))∈E’)?

Page 7: Interactive Protocols

Are They Isomorphic?

Page 8: Interactive Protocols

IP for Non-Isomorphism

Common input: the two graphs.

V:
• chooses one of the graphs at random.
• sends P an isomorphic graph.

P: answers which graph was chosen.

Page 9: Interactive Protocols

Correctness

Completeness: for non-isomorphic graphs, P can check which is isomorphic to the sent one.

Soundness: for isomorphic graphs, both are isomorphic to the sent one. P succeeds with probability ½.
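
The protocol and its correctness argument, as a runnable simulation (an added example, not part of the original slides). The prover brute-forces all relabelings, standing in for the unlimited prover; the function names and the three 4-vertex graphs are constructed for illustration.

```python
import itertools
import random

def relabel(edges, perm):
    """Apply the vertex map i -> perm[i] to an undirected edge set."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in edges)

def isomorphic(n, a, b):
    """The unlimited prover's test: try all n! relabelings of a."""
    return any(relabel(a, p) == relabel(b, range(n))
               for p in itertools.permutations(range(n)))

def prover(n, g1, g2, h):
    """Name the input graph (1 or 2) that h is isomorphic to."""
    return 1 if isomorphic(n, g1, h) else 2

def verifier_round(n, g1, g2, rng):
    """V picks a graph and a relabeling in secret, sends h, checks P's answer."""
    i = rng.choice((1, 2))
    perm = list(range(n))
    rng.shuffle(perm)
    h = relabel(g1 if i == 1 else g2, perm)
    return prover(n, g1, g2, h) == i

def acceptance_rate(n, g1, g2, rounds=400, seed=0):
    """Fraction of independent rounds in which V accepts P's answer."""
    rng = random.Random(seed)
    return sum(verifier_round(n, g1, g2, rng) for _ in range(rounds)) / rounds

# Constructed 4-vertex inputs: a path, a relabeled copy of it, and a star.
PATH = [(0, 1), (1, 2), (2, 3)]
PATH_COPY = [(2, 0), (0, 3), (3, 1)]
STAR = [(0, 1), (0, 2), (0, 3)]

if __name__ == "__main__":
    # Non-isomorphic inputs: P always identifies the chosen graph.
    print("path vs star:", acceptance_rate(4, PATH, STAR))
    # Isomorphic inputs: h has the same distribution for either choice,
    # so P is right only about half the time.
    print("path vs copy:", acceptance_rate(4, PATH, PATH_COPY))
```
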

Page 10: Interactive Protocols

IP

Definition: IP is the class of all languages having interactive protocols with polynomial number of rounds.

Page 11: Interactive Protocols

Easy Claims

Claim: NP⊆IP.

Proof’s Idea: Every NP proof is also an IP proof.

Claim: If L∈IP, and it has a verifier that does not flip coins, then L∈NP.

Proof’s Idea: P would provide the answers for all V’s questions in advance.

Page 12: Interactive Protocols

Amplification

Observation: The constants ⅓ and ⅔ in the definition can be amplified to probabilities 1-2^{-p(.)} and 2^{-p(.)}, for any polynomial p(.).

Proof’s Sketch: Given a protocol which is correct with probability ⅔, repeat it p(.) times independently. Apply Chernoff’s inequality.

Page 13: Interactive Protocols

Arthur-Merlin Games

The prover (M for Merlin) is a function of the random string of the verifier (A for Arthur) as well.

Define AM/MA – according to who gets to start.

Page 14: Interactive Protocols

Easy Claim

Claim: AM⊆IP.

Proof’s Idea: If A is convinced when he assumes M is that powerful, he is surely convinced when M is only less powerful.

Page 15: Interactive Protocols

The Graph Non-Isomorphism Example Revisited

Is the graph non-isomorphism protocol also an AM protocol?

No! M knows which graph was chosen!

Is there an AM protocol for this language?

Page 16: Interactive Protocols

IP and AM

Theorem (without proof): IP=AM

i.e., knowing the random string essentially does not increase M’s power.

Page 17: Interactive Protocols

IP=PSPACE [Shamir90]

given a verifier, construct an optimal prover using poly-space

show the PSPACE-complete TQBF is in IP

Page 18: Interactive Protocols

Optimal Prover

[Figure: tree over the rounds; labels: possible verifier coin tosses [defines verifier’s reply], best prover reply]

find recursively prover reply most probable to result in acceptance

Page 19: Interactive Protocols

Poly-Space Is Sufficient for the Prover

Claim: IP⊆PSPACE

Proof: Given a verifier, the optimal strategy for the prover may be computed in poly-space. [as described above]

Page 20: Interactive Protocols

TQBF

Instance: A quantified Boolean formula =x1x2…xm[(x1,…,xm)]

Goal: Is true?

x1x2x3

(x10 (x2>0 (|x3|<x2

|sinx3/x3-1|<x1))

Page 21: Interactive Protocols

TQBF and PSPACE

Claim (without proof): TQBF is PSPACE-Complete.

Page 22: Interactive Protocols

The Proof: Evaluation Tree

[Figure: evaluation tree of the formula. The root branches on x1=0 and x1=1, each child on the next variable, down to the leaves (0,0,..,0), (0,0,..,1), (0,0,...,1,0), (0,0,...,1,1), …]

I can’t scan the entire tree!

Page 23: Interactive Protocols

IP for TQBF

We’ll show the verifier may be convinced (with reasonable confidence) even without scanning the entire (exponential) proof specified by the prover.

Page 24: Interactive Protocols

First Idea

Represent the QBF by a polynomial.

Page 25: Interactive Protocols

Arithmetization

xi

1-

xi

1-(1-)(1-)

F 0

T 1

x (x)

x (x) (0)(1)

(0)(1)

Page 26: Interactive Protocols

Polynomials: Basic Facts

Claim: A polynomial of degree ≤ r on d variables over a field F may have ≤ r|F|^{d-1} roots, unless it is identically zero.

Corollary: Two polynomials of degree ≤ r on d variables over a field F may agree on ≤ r|F|^{d-1} places, unless they agree everywhere.

Page 27: Interactive Protocols

Polynomials: Basic Facts

Corollary: Two different polynomials of degree ≤ r over a field F agree on a random point with probability ≤ r/|F|.

Page 28: Interactive Protocols

Low Degree Extension

[Figure: the tree of polynomials, level by level: P1(), P2(x1), P3(x1,x2), …, Pm(x1,…,xm)]

We can evaluate on a larger field!

Page 29: Interactive Protocols

How To Convince?

Check a random path!

[Figure: the tree of polynomials P1(), P2(x1), P3(x1,x2), …, Pm(x1,…,xm)]

Page 30: Interactive Protocols

How To Convince?

[Figure: the tree of polynomials P1(), P2(x1), P3(x1,x2), …, Pm(x1,…,xm), with a path through r1, r2, … marked]

• verify this is 1
• verify P2(x1) could have resulted P1().
• verify P3(r1,x2) could have resulted P2(r1).
• verify Pm(r1,…,rm-1,xm) could have resulted Pm-1(r1,…,rm-1).
• check Pm(r1,…,rm).

Page 31: Interactive Protocols

Example

What would an honest prover do, given the formula: x1x2 (x1x2) ?

x1x2

1- (1-x1∙0)(1-x1∙1) = x1

0∙1 = 0

verify this is 1

Page 32: Interactive Protocols

Example

What might a (dishonest) prover do, given the formula: x1x2 (x1x2) ?

x1x2

verify this is 1

verify P2(x1)=1 could have resulted P1(). 1∙1 = 1

verify P3(1,x2)=x2 could have resulted P2(1). 1-(1-0)(1-1) = 1

check P3(1,5).

Page 33: Interactive Protocols

Correctness

Completeness: If the formula is true, the prover may compute the true polynomials, and the verifier will always accept.

Soundness: What if the formula is not true?

Page 34: Interactive Protocols

If The Formula Is False…

[Figure: the tree of polynomials P1(), P2(x1), P3(x1,x2), …, Pm(x1,…,xm)]

• if this is not 1, we immediately reject
• if this is not the real Pm(x1,…,xm), we also immediately reject

If we nevertheless accept, we get fooled somewhere!

Page 35: Interactive Protocols

Soundness

The probability we get fooled (the two different polynomials agree on a random point) at some specific level is ≤ r/|F|, where r bounds the polynomials’ degrees.

The probability we get fooled somewhere down the path is ≤ mr/|F| [union-bound]

|F| can be made polynomially large in m.
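
The example slides and the soundness bound above, as a runnable check (an added example, not part of the original slides). It assumes the example formula reads ∀x1∃x2 (x1∧x2), the reading consistent with the computations shown on those slides, uses the standard arithmetization of ∀, ∃ and ∧, and picks |F| = 101 and all names for illustration. It enumerates every pair of verifier coins to get the exact acceptance probability.

```python
from fractions import Fraction
from itertools import product

P = 101      # |F|, a prime (assumed for this example)
DEG = 2      # degree bound r the verifier enforces on each sent polynomial

def forall(a, b): return a * b % P                     # ∀x: φ(0)·φ(1)
def exists(a, b): return (1 - (1 - a) * (1 - b)) % P   # ∃x: 1-(1-φ(0))(1-φ(1))
def phi(x1, x2): return x1 * x2 % P                    # x1 ∧ x2 (assumed formula)
QUANTS = (forall, exists)                              # ∀x1 ∃x2

def ev(coeffs, x):
    """Evaluate a polynomial (coefficients low to high) at x over F_P."""
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

def verify(prover, coins):
    """Verifier with fixed coins (r1, r2). prover(level, prefix) returns the
    coefficients of the polynomial it claims for that level."""
    claim, prefix = 1, ()                        # "verify this is 1"
    for level, quant in enumerate(QUANTS):
        g = prover(level, prefix)
        if len(g) > DEG + 1 or quant(ev(g, 0), ev(g, 1)) != claim:
            return False                         # g could not have produced claim
        prefix += (coins[level],)
        claim = ev(g, coins[level])              # descend along the random path
    return claim == phi(*prefix)                 # check against the real φ

def honest(level, prefix):
    # True polynomials: P2(x1) = x1, and P3(r1, x2) = r1·x2.
    return [0, 1] if level == 0 else [0, prefix[0]]

def cheater(level, prefix):
    # The slide's dishonest prover: P2(x1) = 1, then P3(r1, x2) = x2.
    return [1] if level == 0 else [0, 1]

def acceptance(prover):
    """Exact acceptance probability over all |F|^2 coin choices."""
    wins = sum(verify(prover, c) for c in product(range(P), repeat=2))
    return Fraction(wins, P * P)

SOUNDNESS_BOUND = Fraction(len(QUANTS) * DEG, P)       # m·r/|F| from the slides

if __name__ == "__main__":
    print("honest prover accepted:", acceptance(honest))
    print("cheater accepted:", acceptance(cheater), "bound:", SOUNDNESS_BOUND)
    print("slide's coins (1,5) fool V:", verify(cheater, (1, 5)))
```

The cheater wins only when r1 = 1 or r2 = 0, the points where its polynomial agrees with the true one, which is why the slide's coin choice r1 = 1 passes the final check.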

Page 36: Interactive Protocols

Bound The Degrees

Alas, the degree of the polynomials might be exponential in m, as each stage up might double it!

To solve this problem, we’ll somewhat lengthen the tree, but make sure the degrees are kept small.

Page 37: Interactive Protocols

Auxiliary Quantifier

Suppose now we have a QBF =Q1x1...Qmxm[].

’=Q1x1R1x1Q2x2R1x1R2x2...QmxmR1x1...Rmxm[].

R is an auxiliary quantifier, designed to keep the degree of the polynomials small.

We’ll arithmetize it as follows: Rx (x) (1-x)∙(0) + x∙(1)

• The degree of x is made 1.
• The value remains the same for 0-1 variables

Page 38: Interactive Protocols

Summing Up

Now we can apply the former analysis, and get that PSPACE⊆IP,

Hence IP=PSPACE.

Page 39: Interactive Protocols

Multi-Prover Interactive Protocol

poly many provers

Page 40: Interactive Protocols

What is MIP?

Theorem (without proof): MIP=NEXP

Page 41: Interactive Protocols

Scaling-Down

Similarly, one can show NP is contained in MIP with O(1) provers and O(log n) random bits.

Interestingly, this has implications for hardness of approximation

TO BE CONTINUED…