# Lecture 12: Interactive Proofs

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 princeton university cos 522: computational complexity Lecture 12: Interactive Proofs Lecturer: Sanjeev Arora Scribe:Carl Kingsford Recall the certificate definition of NP. We can think of this characterization of NP as an interaction between two entities P and V. For a language L NP, x is in L if and only if P can send V a certificate (that depends on x) that V can use to check in polynomial time that x is indeed in L. P is the prover and V is the verifier. For NP only one interaction is allowed. We can expand the power of the verifier TM: let it be a probabilistic TM that can make a polynomial number of queries of the prover. Now the verifier and the prover exchange a polynomial number of polynomial length messages. Both the prover and verifier see the input x. The prover is trying to convince the verifier that x L. Formally, we define the class IP of languages that have such interactive proofs: Definition 1 (IP) A language L is in IP if there is probabilistic, polynomial-time TM V with coin flips r that interacts with an all-powerful prover, where in round i its query q i (x, r, a 1,...,a i 1 ) depends on the input, the random string, and the prover s responses a 1,...,a i 1 in the previous rounds. The verifier has the property that: (i) x L P Pr r [V accepts x after interaction with P ] 2/3 (ii) x L P Pr r [V rejects x after interacting with P ] 2/3. Since P cannot see the coin flips of V, we say the protocol is private coin. We further define IP[k] (for k 2) be the set of all languages that have a k round interactive proof in this private coin model, where a round is either a query or a response. If V were not allowed to be probabilistic it is easy to see that IP is equivalent to NP: the prover can compute all the queries the verifier will make ahead of time and offer this entire transcript to the verifier straightaway. By allowing V random bits, we get a more powerful class. The probabilities of correctly classifying an input can be made arbitrarily large by using the same boosting technique we used for BPP: sequentially repeat the protocol k times. If x L then the same prover can be used on each repetition. If x L then on each repetition, the chance that the verifier will accept x is less than 1/3. We can define similar classes AM and AM[k] in which P does see the coin flips of V this is the public coin model. We state the following comments about IP[ ], AM[ ], without proof: (i) IP[k] AM[k + 2] for all constants k. (ii) For constants k 2wehaveAM[k] = AM[2]. This is surprising because AM[k] seems similar to PH with the quantifiers changed to probabilistic quantifiers, where most of the branches lead to acceptance. See figure 1. It is open whether there is any nice characterization of AM[σ(n)], where σ(n) isa suitably slow growing function of n, such as log log n. 1

2 2 { existential quantifer for prover response V P V } probabilistic for all quantifier over the coin flips } probabilistic for all quantifier over the coin flips Figure 1: AM[k] looks like p k Figure 2: Two isomorphic graphs. (iii) Changing 2/3 to 1 in the definition of IP does not change the class. That is, defining the IP in a manner similar to corp is equivalent to defining it like BPP. Whereas BPP is a probabilistic version of P, AM[2] is as probabilistic version of NP. AM[2] can be thought of as BP-NP languages for which there is a bounded probabilistic nondeterministic TM. (iv) It is relatively easy to see that AM[poly(n)] PSPACE; the proof is left as an exercise. It is possible, in PSPACE, to come up with a good strategy for choosing the edges in figure 1. Let us look at an example of a language in IP. Example 1 (Graph non-isomorphism) Given two graphs G 1 and G 2 we say they are isomorphic to each other if there is a permutation π of the labels of the nodes of G 1 such that πg 1 = G 2. The graphs in figure 2, for example, are isomorphic with π = (12)(3654). If G 1 and G 2 are isomorphic, we write G 1 G 2. The Graph Non-isomorphism problem is this: given two graphs, are they not isomorphic? It is clear that the complement of Graph Non-isomorphism is in NP a certificate is simply the permutation π that is an isomorphism. What is more surprising is that Graph Non-isomorphism is in IP. To show this, we give a private-coin protocol that satisfies definition 1:

3 3 Protocol: Private-coin Graph Non-isomorphism V : pick i {1, 2} uniformly randomly. Randomly permute the vertices of G i to get a new graph H. Send H to P. P : identify which of G 1,G 2 was used to produce H. Let G j be that graph. Send j to V. V : accept if i = j; reject otherwise. To see that definition 1 is satisfied by the above protocol, note that if G 1 G 2 then there exists a prover such that Pr[V accepts] = 1, because if the graphs are non-isomorphic, an all-powerful prover can certainly tell which one of the two is isomorphic to H. On the other hand, if G 1 G 2 the best any prover can do is to randomly guess, because a random permutation of G 1 looks exactly like a random permutation of G 2 ; that is Pr[V accepts] 1/2. The above example depends crucially on the fact that P cannot see the random bits of V. If P knew those bits, P would know i and so could trivially always guess correctly. By comment (i), any problem with a private-coin interactive proof with a constant number of rounds has a public-coin proof. We now present such a protocol for Graph Nonisomorphism. Example 2 (Public-coin protocol for Graph Non-isomorphism) To develop a publiccoin protocol, we need to look at the problem in a different way. Consider the set S = {H : H G 1 or H G 2 }. The size of this set depends on whether G 1 is isomorphic to G 2. For a graph of n vertices, there are n! possible ways to label the vertices, so we have if G 1 G 2 then S =2n! if G 1 G 2 then S = n! We can amplify the gap between the two cases. Choose an integer m such that n! 2 m. Let S be the Cartesian product of S with itself a sufficient number of times so that the following hold: if G 1 G 2 then S m (A) if G 1 G 2 then S m (B) We can now use the size of S to determine if G 1 G 2. The question that remains is: how do we design an interactive protocol that can distinguish between cases (A) and (B) above? Let H be a set of 2-universal hash functions from U to {0, 1} m, where U is a superset of S. Given h H,ifS is much bigger than {0, 1} m, as it is in case (A), then for every y {0, 1} m it is very likely that there is some x S such that h(x) =y. Conversely, if the size of S is much smaller than {0, 1} m, if (B) holds then for most y {0, 1} m there is no x S such that h(x) =y. This is the basis of our protocol: V gives P an h Hand y {0, 1} m, and if P can find an x S that h maps to y, the verifier guesses that the set is large, otherwise, we guess that the set is small. See figure 3. More formally, we have:

4 4 U 01 S h {0,1} m Figure 3: The bigger S is, the more likely h(s ) will hit a given point in {0, 1} m. Protocol: Goldwasser-Sipser Set Lowerbound V: Randomly pick h H, and y R {0, 1} m. Send h, y to P. P: Try to find an x S such that h(x) =y. Send such an x to V, or send a random element in U if no such x exists. V: If x S and h(x) =y, accept; otherwise reject. It remains to be shown that the above protocol fits Definition 1. Suppose (B) holds, then since the domain (S )is1/10th the size of the range ({0, 1} m ), we have Pr[V accepts if G 1 G 2 ] 1/10. To find the probability of acceptance if case (A) holds we need a lemma that tells us that if S is bigger than a certain size, any hash function we pick will likely map S to a large fraction its range. The following lemma s proof is left as an exercise: Lemma 1 ( ) ] Suppose S μ2 m. Then Pr h H [ h(s) 1 1 μ 2 m 1 1 μ. Here we have μ = 100. Even if the hash function that we choose in the protocol is good, there is still a chance 1/ μ that we will pick a y {0, 1} m that is not mapped to by S. Hence, Pr[V accepts if G 1 G 2 ] = That Graph Non-isomorphism AM follows from the definition. We now turn to our main theorem. Theorem 2 (LFKN, Shamir, 1990) IP = PSPACE. Proof: By comment (iv), we need only show that PSPACE IP[poly(n)]. To do so, we ll show that TQBF IP[poly(n)]. This is sufficient because every L PSPACE is polytime reducible to TQBF. Again, we change the representation of the problem. For any Boolean formula of n variables φ(b 1,b 2,...,b n ) there is a polynomial P φ (x 1,x 2,...,x n ) that is 1 if φ is true and 0 if φ is false. To see that this is true, consider the following correspondence between formulas

5 5 and polynomials: x y X Y x y 1 (1 X)(1 Y ) x 1 X For example, φ = x y z 1 (1 X)(1 Y )Z. If φ is a 3CNF formula with n variables and m clauses then we can write such a polynomial for each clause and multiply those polynomials to get a polynomial P φ in n variables, with degree at most m in each variable. This conversion of φ to P φ is called arithmetization and will be useful in our protocol. Rather than tackle the job of finding a protocol for TQBF right away, we first present a protocol for #SAT L, where #SAT L = { φ, K : K is the number of sat. assignments of φ}. and φ is a 3CNF formula of n variables and m clauses. Theorem 3 #SAT L IP Proof: Given φ, we construct, by arithmetization, P φ. The number of satisfying assignments #φ of φ is: #φ = P φ (b 1,...,b n ) (1) b 1 {0,1} b 2 {0,1} There is a general protocol, Sumcheck, for verifying equations such as (1). Sumcheck protocol. Given a degree d polynomial g(x 1,...,x n ) and an integer K, we present an interactive proof for the claim K = g(x 1,...,x n ). (2) b 1 {0,1} b 2 {0,1} V simply needs to be able to arbitrarily evaluate g. Define h(x 1 )= g(x 1,b 2...,b n ). b 2 {0,1} If (2) is true, it must be the case that h(0) + h(1) = K. To start, V randomly picks a prime p in the interval [n 3,n 4 ] and instructs the prover to reduce all numbers modulo p in the remaining protocol. (For instance, if the prover wants to send a polynomial, it only needs to send the coefficients modulo p.) All computations described below are also modulo p. Consider the following protocol:

6 6 Protocol: Sumcheck protocol to check claim (2) V: If n = 1 check that g(1) + g(0) = K. If so accept, otherwise reject. If n 2, ask P to send h(x 1 ) as defined above. P: Send h(x 1 ). V: Let s(x 1 ) be the polynomial received. Reject if s(0)+s(1) K; otherwise pick a random a. Recursively use this protocol to check that s(a) = g(a, b 2,...,b n ). b {0,1} If Claim (2) is true, the prover that always returns the correct polynomial will always convince V. We prove by induction on n that if (2) is false, V rejects with high probability; we prove ( Pr[V rejects K, g ] 1 d n. (3) p) With our choice of p, the right hand side is about 1 dn/p, which is very close to 1 since p n 3. We prove (3) by induction on n. The statement is true for n = 1 since V simply evaluates g(0),g(1) and rejects with probability 1 if their sum is not K. Assume the hypothesis is true for degree d polynomials in n 1 variables. In the first round, the prover P is supposed to return the polynomial h. Suppose that P returns s h. If s(0) + s(1) K, then V rejects with probability 1. So assume that s(0) + s(1) = K. In this case, V picks a random a. If s and h are two different degree d polynomials, then there are at most d values of x 1 such that s(x 1 )=h(x 1 ). Thus, Pr a [s(a) h(a)] 1 d p. (4) If s(a) h(a) then the prover is left with an incorrect claim to prove in the recursive step. ( n 1, By the induction hypothesis, with probability 1 p) d P cannot prove this false claim. Thus we have ( Pr[V rejects] 1 d ) ( 1 d n 1 ( = 1 p p) d n (5) p) This finishes the induction. We still have to justify why it is OK to perform all operations modulo p. The fear, of course, is that equation (2) might be false over the integers, but true over p, which happens if p divides the difference of the two sides of (2). The following lemma implies that the chance that this happens for a random choice of p is small, since an n-bit integer (which is what K is) has at most n prime divisors. Lemma 4 (Fingerprinting) Suppose x, y, x y are n-bit integers. Then there are at most n primes that divide x y.

7 7 An interactive proof for #SAT L is obtained by letting g = P φ. We use a very similar idea to obtain a protocol for TQBF. Given a true, fully qualified Boolean formula x 1 x 2 x 3 x n φ(x 1,...,x n ), we use arithmetization to construct the polynomial P φ. We have that φ TQBF if and only if 0 < P φ (b 1,...,b n ) b 1 {0,1} b 2 {0,1} b 3 {0,1} A first thought is that we could use the same protocol as in the #SAT L case, except check that s(0) s(1) = K when you have a. But, alas, multiplication, unlike addition, increases the degree of the polynomial after n steps when V must evaluate g directly, the degree could be 2 n. There could be exponentially many coefficients. The solution is to observe that we are only interested in {0, 1} values. You can always approximate a polynomial with a multi-linear function if you only evaluate it at {0, 1} n. Let Rx i be a linearization operator defined as Rx 1 [p(x 1,...,x n )]=(1 x 1 )p(0,x 2,...,x n )+(x 1 )p(1,x 2,...,x n ). (6) Now, instead of working with x 1 x 2 x 3 x n φ(x 1,...,x n ), work with x 1 Rx 1 x 2 Rx 1 Rx 2 x 3 Rx 1 Rx 2 R x 3 φ(x 1,...,x n ) (7) The size of the expression is n n 2. The protocol for #SAT L can be used suitably modified, where in rounds involving the linearization operator, the verifier uses (6). The use of the linearization operator ensures that the polynomial which the prover needs to send at every round is linear, and hence the blowup in degrees is avoided.

### 2 Natural Proofs: a barrier for proving circuit lower bounds

Topics in Theoretical Computer Science April 4, 2016 Lecturer: Ola Svensson Lecture 6 (Notes) Scribes: Ola Svensson Disclaimer: These notes were written for the lecturer only and may contain inconsistent

### Lecture 22: Oct 29, Interactive proof for graph non-isomorphism

E0 4 Computational Complexity Theory Indian Institute of Science, Bangalore Fall 04 Department of Computer Science and Automation Lecture : Oct 9, 04 Lecturer: Chandan Saha

### Lecture 23: More PSPACE-Complete, Randomized Complexity

6.045 Lecture 23: More PSPACE-Complete, Randomized Complexity 1 Final Exam Information Who: You On What: Everything through PSPACE (today) With What: One sheet (double-sided) of notes are allowed When:

### Theorem 11.1 (Lund-Fortnow-Karloff-Nisan). There is a polynomial length interactive proof for the

Lecture 11 IP, PH, and PSPACE May 4, 2004 Lecturer: Paul Beame Notes: Daniel Lowd 11.1 IP and PH Theorem 11.1 (Lund-Fortnow-Karloff-Nisan). There is a polynomial length interactive proof for the predicate

### Time and space classes

Time and space classes Little Oh (o,

### Lecture 20: PSPACE. November 15, 2016 CS 1010 Theory of Computation

Lecture 20: PSPACE November 15, 2016 CS 1010 Theory of Computation Recall that PSPACE = k=1 SPACE(nk ). We will see that a relationship between time and space complexity is given by: P NP PSPACE = NPSPACE

### Interactive Proofs 1

CS294: Probabilistically Checkable and Interactive Proofs January 24, 2017 Interactive Proofs 1 Instructor: Alessandro Chiesa & Igor Shinkar Scribe: Mariel Supina 1 Pspace IP The first proof that Pspace

### Lecture 18: Zero-Knowledge Proofs

COM S 6810 Theory of Computing March 26, 2009 Lecture 18: Zero-Knowledge Proofs Instructor: Rafael Pass Scribe: Igor Gorodezky 1 The formal definition We intuitively defined an interactive proof to be

### Lecture 14: IP = PSPACE

IAS/PCMI Summer Session 2000 Clay Mathematics Undergraduate Program Basic Course on Computational Complexity Lecture 14: IP = PSPACE David Mix Barrington and Alexis Maciel August 3, 2000 1. Overview We

### Notes on Complexity Theory Last updated: October, Lecture 6

Notes on Complexity Theory Last updated: October, 2015 Lecture 6 Notes by Jonathan Katz, lightly edited by Dov Gordon 1 PSPACE and PSPACE-Completeness As in our previous study of N P, it is useful to identify

### 1 Recap: Interactive Proofs

Theoretical Foundations of Cryptography Lecture 16 Georgia Tech, Spring 2010 Zero-Knowledge Proofs 1 Recap: Interactive Proofs Instructor: Chris Peikert Scribe: Alessio Guerrieri Definition 1.1. An interactive

### 6.840 Language Membership

6.840 Language Membership Michael Bernstein 1 Undecidable INP Practice final Use for A T M. Build a machine that asks EQ REX and then runs M on w. Query INP. If it s in P, accept. Note that the language

### DRAFT. Algebraic computation models. Chapter 14

Chapter 14 Algebraic computation models Somewhat rough We think of numerical algorithms root-finding, gaussian elimination etc. as operating over R or C, even though the underlying representation of the

### Computer Sciences Department

Computer Sciences Department 1 Reference Book: INTRODUCTION TO THE THEORY OF COMPUTATION, SECOND EDITION, by: MICHAEL SIPSER Computer Sciences Department 3 ADVANCED TOPICS IN C O M P U T A B I L I T Y

### 6.841/18.405J: Advanced Complexity Wednesday, February 12, Lecture Lecture 3

6.841/18.405J: Advanced Complexity Wednesday, February 12, 2003 Lecture Lecture 3 Instructor: Madhu Sudan Scribe: Bobby Kleinberg 1 The language MinDNF At the end of the last lecture, we introduced the

### 6.896 Quantum Complexity Theory 30 October Lecture 17

6.896 Quantum Complexity Theory 30 October 2008 Lecturer: Scott Aaronson Lecture 17 Last time, on America s Most Wanted Complexity Classes: 1. QMA vs. QCMA; QMA(2). 2. IP: Class of languages L {0, 1} for

CMPSCI611: NP Completeness Lecture 17 Essential facts about NP-completeness: Any NP-complete problem can be solved by a simple, but exponentially slow algorithm. We don t have polynomial-time solutions

### Lecture 8. MINDNF = {(φ, k) φ is a CNF expression and DNF expression ψ s.t. ψ k and ψ is equivalent to φ}

6.841 Advanced Complexity Theory February 28, 2005 Lecture 8 Lecturer: Madhu Sudan Scribe: Arnab Bhattacharyya 1 A New Theme In the past few lectures, we have concentrated on non-uniform types of computation

### Lecture 20: conp and Friends, Oracles in Complexity Theory

6.045 Lecture 20: conp and Friends, Oracles in Complexity Theory 1 Definition: conp = { L L NP } What does a conp computation look like? In NP algorithms, we can use a guess instruction in pseudocode:

### NP Complete Problems. COMP 215 Lecture 20

NP Complete Problems COMP 215 Lecture 20 Complexity Theory Complexity theory is a research area unto itself. The central project is classifying problems as either tractable or intractable. Tractable Worst

### A.Antonopoulos 18/1/2010

Class DP Basic orems 18/1/2010 Class DP Basic orems 1 Class DP 2 Basic orems Class DP Basic orems TSP Versions 1 TSP (D) 2 EXACT TSP 3 TSP COST 4 TSP (1) P (2) P (3) P (4) DP Class Class DP Basic orems

### Lecture 10: Zero-Knowledge Proofs

Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam

### 6.045 Final Exam Solutions

6.045J/18.400J: Automata, Computability and Complexity Prof. Nancy Lynch, Nati Srebro 6.045 Final Exam Solutions May 18, 2004 Susan Hohenberger Name: Please write your name on each page. This exam is open

### Notes for Lecture 25

U.C. Berkeley CS276: Cryptography Handout N25 Luca Trevisan April 23, 2009 Notes for Lecture 25 Scribed by Alexandra Constantin, posted May 4, 2009 Summary Today we show that the graph isomorphism protocol

### Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof

### 6.842 Randomness and Computation Lecture 5

6.842 Randomness and Computation 2012-02-22 Lecture 5 Lecturer: Ronitt Rubinfeld Scribe: Michael Forbes 1 Overview Today we will define the notion of a pairwise independent hash function, and discuss its

### DRAFT. Diagonalization. Chapter 4

Chapter 4 Diagonalization..the relativized P =?NP question has a positive answer for some oracles and a negative answer for other oracles. We feel that this is further evidence of the difficulty of the

### Rational Proofs with Multiple Provers. Jing Chen, Samuel McCauley, Shikha Singh Department of Computer Science

Rational Proofs with Multiple Provers Jing Chen, Samuel McCauley, Shikha Singh Department of Computer Science Outline of the Talk RATIONAL INTERACTIVE PROOFS with MULTI-PROVERs Interactive Proofs [GMR,

### Lecture Hardness of Set Cover

PCPs and Inapproxiability CIS 6930 October 5, 2009 Lecture Hardness of Set Cover Lecturer: Dr. My T. Thai Scribe: Ying Xuan 1 Preliminaries 1.1 Two-Prover-One-Round Proof System A new PCP model 2P1R Think

### Lecture 22: PSPACE

6.045 Lecture 22: PSPACE 1 VOTE VOTE VOTE For your favorite course on automata and complexity Please complete the online subject evaluation for 6.045 2 Final Exam Information Who: You On What: Everything

### DRAFT. PCP and Hardness of Approximation. Chapter 19

Chapter 19 PCP and Hardness of Approximation...most problem reductions do not create or preserve such gaps...to create such a gap in the generic reduction (cf. Cook)...also seems doubtful. The intuitive

### 15-855: Intensive Intro to Complexity Theory Spring Lecture 7: The Permanent, Toda s Theorem, XXX

15-855: Intensive Intro to Complexity Theory Spring 2009 Lecture 7: The Permanent, Toda s Theorem, XXX 1 #P and Permanent Recall the class of counting problems, #P, introduced last lecture. It was introduced

### Interactive proof and zero knowledge protocols

Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic complexity classes and Interactive proofs Graph isomorphism and PCP Some zero knowledge protocols: Feige-Fiat-Shamir

### Real Interactive Proofs for VPSPACE

Brandenburgische Technische Universität, Cottbus-Senftenberg, Germany Colloquium Logicum Hamburg, September 2016 joint work with M. Baartse 1. Introduction Blum-Shub-Smale model of computability and complexity

### Space Complexity. The space complexity of a program is how much memory it uses.

Space Complexity The space complexity of a program is how much memory it uses. Measuring Space When we compute the space used by a TM, we do not count the input (think of input as readonly). We say that

### The Polynomial Hierarchy

The Polynomial Hierarchy Slides based on S.Aurora, B.Barak. Complexity Theory: A Modern Approach. Ahto Buldas Ahto.Buldas@ut.ee Motivation..synthesizing circuits is exceedingly difficulty. It is even

### Ma/CS 117c Handout # 5 P vs. NP

Ma/CS 117c Handout # 5 P vs. NP We consider the possible relationships among the classes P, NP, and co-np. First we consider properties of the class of NP-complete problems, as opposed to those which are

### Bipartite Perfect Matching

Bipartite Perfect Matching We are given a bipartite graph G = (U, V, E). U = {u 1, u 2,..., u n }. V = {v 1, v 2,..., v n }. E U V. We are asked if there is a perfect matching. A permutation π of {1, 2,...,

### Randomized Complexity Classes; RP

Randomized Complexity Classes; RP Let N be a polynomial-time precise NTM that runs in time p(n) and has 2 nondeterministic choices at each step. N is a polynomial Monte Carlo Turing machine for a language

### 6.045J/18.400J: Automata, Computability and Complexity Final Exam. There are two sheets of scratch paper at the end of this exam.

6.045J/18.400J: Automata, Computability and Complexity May 20, 2005 6.045 Final Exam Prof. Nancy Lynch Name: Please write your name on each page. This exam is open book, open notes. There are two sheets

### Nondeterministic Circuit Lower Bounds from Mildly Derandomizing Arthur-Merlin Games

Nondeterministic Circuit Lower Bounds from Mildly Derandomizing Arthur-Merlin Games Barış Aydınlıo glu Department of Computer Sciences University of Wisconsin Madison, WI 53706, USA baris@cs.wisc.edu Dieter

### On Interactive Proofs with a Laconic Prover

On Interactive Proofs with a Laconic Prover Oded Goldreich Salil Vadhan Avi Wigderson February 11, 2003 Abstract We continue the investigation of interactive proofs with bounded communication, as initiated

### Interactive protocols & zero-knowledge

Interactive protocols & zero-knowledge - interactive protocols formalize what can be recognized by polynomial time restricted verifiers in arbitrary protocols - generalizes NP - zero-knowledge formalizes

### Complexity Theory. Jörg Kreiker. Summer term Chair for Theoretical Computer Science Prof. Esparza TU München

Complexity Theory Jörg Kreiker Chair for Theoretical Computer Science Prof. Esparza TU München Summer term 2010 Lecture 4 NP-completeness Recap: relations between classes EXP PSPACE = NPSPACE conp NP conp

### Computational Complexity: A Modern Approach. Draft of a book: Dated January 2007 Comments welcome!

i Computational Complexity: A Modern Approach Draft of a book: Dated January 2007 Comments welcome! Sanjeev Arora and Boaz Barak Princeton University complexitybook@gmail.com Not to be reproduced or distributed

### arxiv: v1 [cs.cc] 30 Apr 2015

Rational Proofs with Multiple Provers Jing Chen Stony Brook University jingchen@cs.stonybrook.edu Shikha Singh Stony Brook University shiksingh@cs.stonybrook.edu Samuel McCauley Stony Brook University

### Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Supérieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole

### CS6840: Advanced Complexity Theory Mar 29, Lecturer: Jayalal Sarma M.N. Scribe: Dinesh K.

CS684: Advanced Complexity Theory Mar 29, 22 Lecture 46 : Size lower bounds for AC circuits computing Parity Lecturer: Jayalal Sarma M.N. Scribe: Dinesh K. Theme: Circuit Complexity Lecture Plan: Proof

### 1 More finite deterministic automata

CS 125 Section #6 Finite automata October 18, 2016 1 More finite deterministic automata Exercise. Consider the following game with two players: Repeatedly flip a coin. On heads, player 1 gets a point.

### CSCI 1590 Intro to Computational Complexity

CSCI 1590 Intro to Computational Complexity Complement Classes and the Polynomial Time Hierarchy John E. Savage Brown University February 9, 2009 John E. Savage (Brown University) CSCI 1590 Intro to Computational

### 6.045: Automata, Computability, and Complexity (GITCS) Class 15 Nancy Lynch

6.045: Automata, Computability, and Complexity (GITCS) Class 15 Nancy Lynch Today: More Complexity Theory Polynomial-time reducibility, NP-completeness, and the Satisfiability (SAT) problem Topics: Introduction

### Other Complexity Classes and Measures Chapter 29 of the forthcoming CRC Handbook on Algorithms and Theory of Computation

Other Complexity Classes and Measures Chapter 29 of the forthcoming CRC Handbook on Algorithms and Theory of Computation 1 Introduction In the previous two chapters, we have Eric Allender 1 Rutgers University

### Lecture 26: QIP and QMIP

Quantum Computation (CMU 15-859BB, Fall 2015) Lecture 26: QIP and QMIP December 9, 2015 Lecturer: John Wright Scribe: Kumail Jaffer 1 Introduction Recall QMA and QMA(2), the quantum analogues of MA and

### P, NP, NP-Complete, and NPhard

P, NP, NP-Complete, and NPhard Problems Zhenjiang Li 21/09/2011 Outline Algorithm time complicity P and NP problems NP-Complete and NP-Hard problems Algorithm time complicity Outline What is this course

### 3 Probabilistic Turing Machines

CS 252 - Probabilistic Turing Machines (Algorithms) Additional Reading 3 and Homework problems 3 Probabilistic Turing Machines When we talked about computability, we found that nondeterminism was sometimes

### Definition: Alternating time and space Game Semantics: State of machine determines who

CMPSCI 601: Recall From Last Time Lecture 3 Definition: Alternating time and space Game Semantics: State of machine determines who controls, White wants it to accept, Black wants it to reject. White wins

### Identifying an Honest EXP NP Oracle Among Many

Identifying an Honest EXP NP Oracle Among Many Shuichi Hirahara The University of Tokyo CCC 18/6/2015 Overview Dishonest oracle Honest oracle Queries Which is honest? Our Contributions Selector 1. We formulate

### PSPACE COMPLETENESS TBQF. THURSDAY April 17

PSPACE COMPLETENESS TBQF THURSDAY April 17 Definition: Language B is PSPACE-complete if: 1. B PSPACE 2. Every A in PSPACE is poly-time reducible to B (i.e. B is PSPACE-hard) QUANTIFIED BOOLEAN FORMULAS

### Foundations of Machine Learning and Data Science. Lecturer: Avrim Blum Lecture 9: October 7, 2015

10-806 Foundations of Machine Learning and Data Science Lecturer: Avrim Blum Lecture 9: October 7, 2015 1 Computational Hardness of Learning Today we will talk about some computational hardness results

### 1 The Low-Degree Testing Assumption

Advanced Complexity Theory Spring 2016 Lecture 17: PCP with Polylogarithmic Queries and Sum Check Prof. Dana Moshkovitz Scribes: Dana Moshkovitz & Michael Forbes Scribe Date: Fall 2010 In this lecture

### Notes for Lecture 2. Statement of the PCP Theorem and Constraint Satisfaction

U.C. Berkeley Handout N2 CS294: PCP and Hardness of Approximation January 23, 2006 Professor Luca Trevisan Scribe: Luca Trevisan Notes for Lecture 2 These notes are based on my survey paper [5]. L.T. Statement

### Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle

### The Complexity of Optimization Problems

The Complexity of Optimization Problems Summary Lecture 1 - Complexity of algorithms and problems - Complexity classes: P and NP - Reducibility - Karp reducibility - Turing reducibility Uniform and logarithmic

### CS5371 Theory of Computation. Lecture 19: Complexity IV (More on NP, NP-Complete)

CS5371 Theory of Computation Lecture 19: Complexity IV (More on NP, NP-Complete) Objectives More discussion on the class NP Cook-Levin Theorem The Class NP revisited Recall that NP is the class of language

### Boolean circuits. Lecture Definitions

Lecture 20 Boolean circuits In this lecture we will discuss the Boolean circuit model of computation and its connection to the Turing machine model. Although the Boolean circuit model is fundamentally

### Q = Set of states, IE661: Scheduling Theory (Fall 2003) Primer to Complexity Theory Satyaki Ghosh Dastidar

IE661: Scheduling Theory (Fall 2003) Primer to Complexity Theory Satyaki Ghosh Dastidar Turing Machine A Turing machine is an abstract representation of a computing device. It consists of a read/write

### Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions

### CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir

### Ταουσάκος Θανάσης Αλγόριθμοι και Πολυπλοκότητα II 7 Φεβρουαρίου 2013

Ταουσάκος Θανάσης Αλγόριθμοι και Πολυπλοκότητα II 7 Φεβρουαρίου 2013 Alternation: important generalization of non-determinism Redefining Non-Determinism in terms of configurations: a configuration lead

### Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to

### MTAT Complexity Theory October 13th-14th, Lecture 6

MTAT.07.004 Complexity Theory October 13th-14th, 2011 Lecturer: Peeter Laud Lecture 6 Scribe(s): Riivo Talviste 1 Logarithmic memory Turing machines working in logarithmic space become interesting when

### Definition: conp = { L L NP } What does a conp computation look like?

Space Complexity 28 Definition: conp = { L L NP } What does a conp computation look like? In NP algorithms, we can use a guess instruction in pseudocode: Guess string y of x k length and the machine accepts

### Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup October 12, 2001 Abstract We present several new and fairly practical public-key

### Complexity and NP-completeness

Lecture 17 Complexity and NP-completeness Supplemental reading in CLRS: Chapter 34 As an engineer or computer scientist, it is important not only to be able to solve problems, but also to know which problems

### PCPs and Inapproximability Gap-producing and Gap-Preserving Reductions. My T. Thai

PCPs and Inapproximability Gap-producing and Gap-Preserving Reductions My T. Thai 1 1 Hardness of Approximation Consider a maximization problem Π such as MAX-E3SAT. To show that it is NP-hard to approximation

### Logic: The Big Picture

Logic: The Big Picture A typical logic is described in terms of syntax: what are the legitimate formulas semantics: under what circumstances is a formula true proof theory/ axiomatization: rules for proving

### Computational Complexity IV: PSPACE

Seminar on Theoretical Computer Science and Discrete Mathematics Aristotle University of Thessaloniki Context 1 Section 1: PSPACE 2 3 4 Time Complexity Time complexity of DTM M: - Increasing function t:

### Definition: Alternating time and space Game Semantics: State of machine determines who

CMPSCI 601: Recall From Last Time Lecture Definition: Alternating time and space Game Semantics: State of machine determines who controls, White wants it to accept, Black wants it to reject. White wins

### The space complexity of a standard Turing machine. The space complexity of a nondeterministic Turing machine

298 8. Space Complexity The space complexity of a standard Turing machine M = (Q,,,, q 0, accept, reject) on input w is space M (w) = max{ uav : q 0 w M u q av, q Q, u, a, v * } The space complexity of

### The power and weakness of randomness (when you are short on time) Avi Wigderson Institute for Advanced Study

The power and weakness of randomness (when you are short on time) Avi Wigderson Institute for Advanced Study Plan of the talk Computational complexity -- efficient algorithms, hard and easy problems, P

### 14 Diffie-Hellman Key Agreement

14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n

### 1 Reductions and Expressiveness

15-451/651: Design & Analysis of Algorithms November 3, 2015 Lecture #17 last changed: October 30, 2015 In the past few lectures we have looked at increasingly more expressive problems solvable using efficient

### Descriptive Complexity and Some Unusual Quantifiers

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 18.405J / 6.841J, ADVANCED COMPLEXITY THEORY Descriptive Complexity and Some Unusual Quantifiers Chelsea Voss May 6, 2016 Abstract. It is possible to define and operators

### NONDETERMINISTIC CIRCUIT LOWER BOUNDS FROM MILDLY DERANDOMIZING ARTHUR-MERLIN GAMES

NONDETERMINISTIC CIRCUIT LOWER BOUNDS FROM MILDLY DERANDOMIZING ARTHUR-MERLIN GAMES Barış Aydınlıoğlu and Dieter van Melkebeek March 24, 2014 Abstract. In several settings derandomization is known to follow

### Finish K-Complexity, Start Time Complexity

6.045 Finish K-Complexity, Start Time Complexity 1 Kolmogorov Complexity Definition: The shortest description of x, denoted as d(x), is the lexicographically shortest string such that M(w) halts

### Kernel-Size Lower Bounds. The Evidence from Complexity Theory

: The Evidence from Complexity Theory IAS Worker 2013, Warsaw Part 2/3 Note These slides are a slightly revised version of a 3-part tutorial given at the 2013 Workshop on Kernelization ( Worker ) at the

### Linear Congruences. The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence:

Linear Congruences The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence: ax b (mod m), a, b Z, m N +. (1) If x 0 is a solution then so is x k :=

### CS Introduction to Complexity Theory. Lecture #11: Dec 8th, 2015

CS 2401 - Introduction to Complexity Theory Lecture #11: Dec 8th, 2015 Lecturer: Toniann Pitassi Scribe Notes by: Xu Zhao 1 Communication Complexity Applications Communication Complexity (CC) has many

### Lecture 16: Time Complexity and P vs NP

6.045 Lecture 16: Time Complexity and P vs NP 1 Time-Bounded Complexity Classes Definition: TIME(t(n)) = { L there is a Turing machine M with time complexity O(t(n)) so that L = L(M) } = { L L is a language

### Intro to Theory of Computation

Intro to Theory of Computation LECTURE 24 Last time Relationship between models: deterministic/nondeterministic Class P Today Class NP Sofya Raskhodnikova Homework 9 due Homework 0 out 4/5/206 L24. I-clicker

### Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il

### Lecture 13: Foundations of Math and Kolmogorov Complexity

6.045 Lecture 13: Foundations of Math and Kolmogorov Complexity 1 Self-Reference and the Recursion Theorem 2 Lemma: There is a computable function q : Σ* Σ* such that for every string w, q(w) is the description

### U.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan 9/6/2004. Notes for Lecture 3

U.C. Berkeley CS278: Computational Complexity Handout N3 Professor Luca Trevisan 9/6/2004 Notes for Lecture 3 Revised 10/6/04 1 Space-Bounded Complexity Classes A machine solves a problem using space s(

### A Probabilistic Algorithm for -SAT Based on Limited Local Search and Restart

A Probabilistic Algorithm for -SAT Based on Limited Local Search and Restart Uwe Schöning Universität Ulm, Abteilung Theoretische Informatik James-Franck-Ring, D-89069 Ulm, Germany e-mail: schoenin@informatik.uni-ulm.de

### 1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number

### 3 The language of proof

3 The language of proof After working through this section, you should be able to: (a) understand what is asserted by various types of mathematical statements, in particular implications and equivalences;

### Lecture 38: Secure Multi-party Computation MPC

Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party