Combinatorial Constructions of Probabilistic Proof Systems

Thesis for the degree Doctor of Philosophy

Submitted to the Scientific Council of the Weizmann Institute of Science, Rehovot, Israel

By Or Shalom Meir

Combinatorial Constructions of Probabilistic Proof Systems

Advisor: Prof. Oded Goldreich

June 2010 (Sivan 5771)

Abstract

Probabilistic proof systems is a paradigm of complexity theory whose study revolves around questions such as "how can we use randomness to prove and verify assertions?", "what do we gain from using randomness in verification procedures?", and "what assertions can be verified by probabilistic verification procedures?". The study of those questions began in the 1980s, and led to several of the most important achievements of complexity theory since then.

Many of the key results regarding probabilistic proof systems rely on sophisticated algebraic techniques. While those algebraic techniques are very important and useful, they seem to give little intuition as to why those results hold. Given this state of affairs, it is an important goal to gain a better understanding of those results and the reasons for which they hold.

In her seminal paper, Dinur (J. ACM 54(3)) has made a big step toward achieving this goal by giving an alternative proof of one of the key results in this area, namely the PCP theorem, using a combinatorial approach. Her proof is not only considerably simpler than the original proof, but also seems to shed more light on the intuitions that underlie the theorem.

In this thesis, we pursue this direction further, by providing alternative proofs for several key results about probabilistic proof systems. Our alternative proofs do not use algebra (or use almost no algebra), and are more intuitive, in our opinion. In particular:

- We show that it is possible to prove that IP = PSPACE using general error correcting codes and their tensor products, instead of low degree polynomials.
- We provide a combinatorial construction of PCPs with verifiers that are as efficient as those obtained by the algebraic methods.
- We provide an (almost) combinatorial construction of PCPs of length $n \cdot (\log n)^{O(\log \log n)}$, coming very close to the state of the art obtained by algebraic constructions (whose proof length is $n \cdot (\log n)^{O(1)}$).
- We provide a combinatorial construction of PCPs with sub-constant soundness error that match the state of the art obtained by algebraic constructions, and along the way develop a technique of derandomized parallel repetition.

Acknowledgement

It is my pleasure to express my deepest gratitude to Oded Goldreich, my advisor. I feel that Oded has taught me how to do research, and has considerably influenced my perspective on theoretical computer science, and on what it means to be a scientist in general. I also deeply appreciate his kindness and his devotion to his students. No less important, working with Oded has been a very fun experience, and I enjoyed and learned very much from our conversations, both on professional and non-professional subjects.

I would like to thank Gillat Kol for being a great friend throughout my graduate studies, and making my time at the Weizmann Institute the enjoyable experience it was. I would also like to thank Tal Kramer, Shira Kritchman, Inbal Talgam, Irit Dinur, Dana Moshkovitz, Zvika Brakerski, Chandan Dubey, Anat Ganor, Elazar Goldenberg, and Shachar Lovett for being such fun and interesting company. As for Irit, I am also grateful to her for a very fun and educational collaboration, and of course, for her paper that led me to this thesis.

As always, I am grateful to my parents for their everlasting support, care and love.

This thesis is based on the following works:

- IP = PSPACE using Error Correcting Codes, by the author [Mei10b].
- Combinatorial PCPs with Efficient Verifiers, by the author [Mei09].
- Combinatorial PCPs with Short Proofs, by the author [Mei10a].
- Derandomized Parallel Repetition of Structured PCPs, by Irit Dinur and the author [DM10].

Contents

1 Introduction
Interactive Proof Systems; Probabilistic Proof Systems

2 IP = PSPACE using Error Correcting Codes
Introduction; Preliminaries; Tensor Product Codes and Multiplication Codes; Tensor Product of Codes; Multiplication codes; The Sum-Check Protocol Revisited; A Proof of $\mathsf{coNP} \subseteq \mathsf{IP}$; Proof overview; Full proof; Proof of Lemma; The Proof of IP = PSPACE; Proof overview; The full proof

3 Combinatorial PCPs with efficient verifiers
Introduction; Background and Our Results; Our Techniques; On Dinur's proof of the PCP theorem; On Dinur and Reingold's construction of PCPPs; Our construction vs. the DR construction; Preliminaries and Our Main Results; Notational Conventions; PCPs; PCPs of Proximity; The definition of PCPPs; Constructions of PCPPs and our results; Error Correcting Codes; Routing networks; Overview; The structure of the construction; Assignment testers; The iterative structure; The structure of a single iteration; Our circuit decomposition method; The DR decomposition; Our decomposition; The tensor product lemma; Warm-up: Ignoring issues of robustness; The actual proof; Efficiency issues; Modifying the formalism; Efficient implementation of the tensor product lemma; A finer analysis of Dinur's amplification theorem; Increasing the representation size; Bounding the fan-in and fan-out; Revisiting known PCP techniques; Organization of the rest of this chapter; Super-Fast Assignment Testers: Definitions and Main Theorem; DR-style assignment testers; Super-fast assignment testers; The size of the input circuit; The size and number of the output circuits; The queries sets; Syntactic modifications; The final definition; Main theorem; Tools for Constructing Assignment Testers; Reverse Listers; On the Proof Length of Assignment Testers; Dinur's Amplification Theorem; Composition of Assignment Testers; Efficiently verifiable error-correcting codes; Robustization of Assignment Testers with Block Access; Increasing the Representation Size, and Universal Circuits; Proof overview; Universal circuits; Bounding the fan-in and fan-out of input circuits; Proof of the Main Theorem; Circuit Decompositions with Matrix Access; The main lemmas and the proof of the main theorem; Circuit Decomposition Lemma; Overview; Warm-up: ignoring efficiency considerations; Obtaining a super-fast circuit decomposition; Proof of the circuit decomposition lemma; The block structure of D; The proof strings of D; The output circuits of D; Tensor Product Lemma; Proof overview; The rejection ratio of A; Implementing $A_I$ efficiently; Showing that the queries of $A_I$ are contained in columns; Robustization of decompositions with matrix access; The intermediate assignment tester $A_I$; The proof strings of $A_I$; The block access circuit $BA_I$; The implementation of $A_I$; The reverse lister of $A_I$; The parameters of $A_I$; Proof of the Tensor Product Lemma

4 Combinatorial PCPs with Short Proofs
Introduction; Background and Our Results; Our techniques; Preliminaries; PCPs; Error Correcting Codes; Routing networks; PCPs and Linear PCPPs; Linear PCPPs; Constructing PCPs from linear PCPPs; A Generalization of the Robustization Technique; Background on robustness and robustization; Our generalized robustization; Construction of Linear PCPPs with n Queries; Simultaneous linear verifiers; Linear PCPPs from simultaneous linear verifiers; Construction of simultaneous linear verifiers; A simple case; The case of colorable constraint systems; The general case; Proof of the main theorem

5 Combinatorial PCPs with Low Soundness Error
Introduction; Preliminaries; Direct product testing [IKW09]; Sampling tools; Constraint graphs and PCPs; Basic facts about random subspaces; Similarity of distributions; Expanders; Main theorem; PCPs with Linear Structure; de Bruijn graphs as routing networks; Proof overview; Detailed proof; Derandomized Parallel Repetition of Constraint Graphs with Linear Structure; The construction of G; The specialized direct product test; The soundness of the derandomized parallel repetition; Proof of Proposition; Proof of Proposition; Decodable PCPs; Recalling the definition of PCPPs; The definition of decodable PCPs; Recalling the definition of [DH09]; Uniquely-decodable PCPs; Decoding graphs; The definition of decoding graphs; Additional properties of decoding graphs; General udPCPs and decoding graphs; Our construction of dPCPs, Theorem; Proof of the result of [MR08], Theorem; Decoding PCPs with Linear Structure; Auxiliary propositions; Embedding decoding graphs on de Bruijn graphs; Derandomized Parallel Repetition of Decoding Graphs with Linear Structure; The construction of G and its parameters; The soundness of G; Proof of Proposition; Proof of Proposition; The Analysis of the Specialized Direct Product Test; The P 2 -test; The proof of Lemma; Proofs of Auxiliary Claim; The proof of Theorems and

Bibliography

Chapter 1 Introduction

Mathematicians have used mathematical proofs in order to establish their claims for thousands of years. However, it was only in the late 19th century that mathematicians began to study the notion of a mathematical proof itself. This study has led to questions such as "Can any valid mathematical claim be demonstrated by a mathematical proof?" and "Is there a systematic way for finding mathematical proofs?". The second question led to the birth of theoretical computer science, when Alan Turing showed that there does not exist an algorithm for finding mathematical proofs. Since then, the notion of a proof has been of utmost importance to theoretical computer science, and in fact the central question of this field, often phrased as whether P is equal to NP, is a question about the relation between algorithms and proofs.

During the 1980s, computer scientists began to study models for proving claims other than mathematical proofs. Let us consider the situation in which an expert wishes to convince a skeptic of the validity of some claim. In the model of mathematical proofs, the expert would simply write the proof on paper and hand it to the skeptic, and the skeptic would read the proof and verify that it indeed follows the rules of logic. Now, computer scientists raised the following questions: "What if we allowed the skeptic to ask the expert questions?", "What if we allowed the skeptic to toss coins during the verification of the proof?", "What if the skeptic were willing to risk accepting a false claim with an extremely small probability?".

It turns out that different models of proofs, which allow randomness and interaction between the expert and the skeptic, allow for establishing a rich family of claims that cannot be demonstrated in the classic model of a mathematical proof. For example, there can be no mathematical proof that would convince a color-blind skeptic that two cards are of a different color. But, if the color-blind skeptic could shuffle the cards randomly and ask the expert to distinguish them, then the expert would have no problem convincing the skeptic that the cards are indeed distinguishable.

The study of such alternative models of proofs, known as probabilistic proof systems, has resulted in a line of interesting and surprising discoveries regarding the power of such models [GMR89, Bab85, GMW91, LFKN92, Sha92, FGL+96, AS98, ALM+98] (see also [Gol08] for a primer on the subject). Those discoveries are not only interesting in their own right, but have also played a key role in many of the achievements of theoretical computer science in the last two decades, and have contributed to the understanding of many other subjects. For example, the study of Probabilistically Checkable Proofs (PCPs) has played a key role in understanding the inherent hardness of finding approximate solutions to computational problems, and the study of zero knowledge proofs has been essential to the theoretical study of cryptographic protocols.

A common theme that is shared by many of the key results about probabilistic proof systems is the use of algebraic techniques. Usually, such works construct a probabilistic proof system along the following lines: Given the claim to be verified, they begin with arithmetizing the claim, i.e., reducing the claim to a related algebraic claim about polynomials over finite fields. In the next step, they construct a probabilistic proof system for proving the algebraic claim. Constructing the proof system for the algebraic claim, in turn, relies on an arsenal of tools that employ the algebraic structure of polynomials.

While those algebraic techniques are very important and useful, it seems somewhat odd that one has to go through algebra in order to prove those theorems, which do not refer to algebra. Furthermore, those techniques seem to give little intuition as to why those results hold. Given this state of affairs, it is an important goal to gain a better understanding of those results and the reasons for which they hold [footnote 1]. In her seminal paper, Dinur [Din07] has made a big step toward achieving this goal by giving an alternative proof of one of the key results in this area, namely the PCP theorem, using a combinatorial approach [footnote 2]. Her proof is not only considerably simpler than the original proof, but also seems to shed more light on the intuitions that underlie the theorem.

In this thesis, we pursue this direction further, by providing alternative proofs for several key results about probabilistic proof systems. Our alternative proofs do not use algebra (or use almost no algebra), and are more intuitive, in our opinion. We focus on two types of proof systems, namely, interactive proof systems and probabilistically checkable proofs. In the following two sections, we describe those types of proof systems, and along the way describe our results and the structure of this thesis.

1.1 Interactive Proof Systems

In the setting of interactive proofs [GMR89], a computationally unbounded prover (i.e., an expert) wishes to convince a polynomial-time verifier (i.e., a skeptic) of the validity of some claim. The verifier and the prover may toss coins and may interact with each other, but may only exchange a polynomial number of messages. The proof system must satisfy the following property: if the claim is correct, then the prover can always convince the verifier.
On the other hand, if the claim is incorrect, then no matter what strategy the prover employs, the probability that it manages to fool the verifier into accepting the claim is small. Such systems are interesting in their own right, but also have several applications in theoretical computer science, and in particular they provide the framework for defining zero knowledge proofs, which are essential for theoretical cryptography [GMR89, GMW91].

A celebrated theorem of [LFKN92, Sha92] established that the class of claims that can be proved using such a proof system is exactly the class of claims that can be decided using polynomial space, or formally that IP = PSPACE. This theorem is fundamental to our understanding of both interactive proofs and polynomial space computations, and in addition has important applications in theoretical computer science.

While the original proof of the aforementioned theorem relies on low degree polynomials, it is commonly believed that the intuition for the proof should be explained in terms of error correcting codes. In Chapter 2, we provide evidence for this intuition by showing an alternative proof of the theorem that uses error correcting codes instead of low degree polynomials. This chapter was published separately as [Mei10b].

1.2 Probabilistic Proof Systems

In the setting of probabilistically checkable proofs (PCPs [BFLS91, FGL+96]), we consider again a prover that wishes to convince a polynomial-time verifier of the validity of a claim. However, this time the interaction between the prover and the verifier is extremely limited: the prover may only send to the verifier an alleged proof of the claim, and may not interact with the verifier any further. The verifier, in turn, may read only a few bits of the alleged proof, although it may choose which bits to read.
Again, we require that if the claim is correct, then there is always a proof that will convince the verifier. On the other hand, if the claim is incorrect, then no matter what proof is provided to the verifier, the probability that the verifier will accept the claim is small.

Footnote 1: This goal was stated and advocated for the first time by [GS00].

Footnote 2: We mention that the works of [GS00, DR06] have made advances toward this goal prior to Dinur's work [Din07], but fell short of obtaining Dinur's result.

At first glance, this proof system may seem very weak, and it may not be clear that it can prove any interesting claims. Surprisingly, the PCP theorem of [AS98, ALM+98] asserts that any claim that can be decided within the complexity class NP (roughly, any claim that has a short mathematical proof), can also be proved in a proof system of the PCP type. This theorem is one of the major achievements of complexity theory. Besides being interesting in its own right, the theorem has also found many applications, most notably in establishing limits on the accuracy of approximation algorithms.

As discussed above, the original proof of the PCP theorem of [AS98, ALM+98], as well as its extensions [BSGH+06, BSS06, BSGH+05, MR08, DH09], were based on algebraic machinery, while the later work of Dinur [Din07] has suggested a simpler and more intuitive proof of the PCP theorem, which was based on a combinatorial approach. However, Dinur's approach fell short of proving the later improvements of the theorem. The second part of this thesis is devoted to the goal of matching these improvements (originally obtained by algebraic techniques) using a combinatorial approach. Specifically, this thesis deals with the following aspects:

Efficiency: As mentioned above, the defining feature of PCPs is that they allow verifying the validity of the claim by reading only a few bits of the proof. This means that the verification procedure may potentially be extremely efficient, and in particular may run in time that is much shorter than the proof length. Indeed, in state of the art algebraic PCPs [BSGH+05], the verification procedure runs in time that is poly-logarithmic in the length of the proof.
On the other hand, the work of [Din07] yields a much slower verification procedure, which runs in time that is polynomial in the length of the proof. We note that the running time of the verification procedure is not only interesting for its own sake: The difference between the efficiency of the verification procedures of [BSGH+05] and [Din07] is crucial for some applications (in particular, instance checking [BFL91, BK95]). In Chapter 3, we show a combinatorial construction of PCPs whose verification procedure runs in poly-logarithmic time, thus matching the state of the art algebraic PCPs. This chapter was published separately as [Mei09].

Length: One important parameter of PCP systems is the length of the proofs they employ. More specifically, given a claim that can be proved both by a standard (mathematical) proof and by a probabilistically checkable proof (PCP), the question is how long should the PCP be compared to the standard proof? In the original PCP theorem [AS98, ALM+98], if the standard proof is of length $n$, then the length of the corresponding PCP is some fixed polynomial in $n$. However, in subsequent improvements of the PCP theorem [BSS08, Din07] [footnote 3], the PCP is of length only $n \cdot \log^{c} n$ (for some constant $c$). The combinatorial approach of [Din07] yields PCPs whose length matches the PCPs of [AS98, ALM+98], but falls short of matching the shorter PCPs. In Chapter 4, we show how to construct PCPs of length $n \cdot (\log n)^{\log \log n}$ based on a combinatorial approach, thus almost matching the state of the art PCPs. It should be mentioned that our construction does use algebra at one point, but this use is a very restricted one, and is confined to the construction of error correcting codes with a simple multiplication property. This chapter was published separately as [Mei10a].

Soundness error: An additional important parameter of PCP systems is their soundness error, which is the probability that the verifier accepts false claims.
In the original PCP theorem of [AS98, ALM+98] as well as in the work of [Din07], the soundness error is a constant independent of the claim length. However, subsequent improvements of the theorem [DFK+99, MR08, DH09] have shown that the soundness can be pushed to be a decreasing function of the input length, and can be traded with the other parameters of the PCP. In Chapter 5, we consider PCPs with low soundness error in a range of parameters that is especially important for applications of PCPs to lower bounds of approximation algorithms. The state of the art for such PCPs are the works of [MR08, DH09], which achieve their results by combining a folklore algebraic construction of PCPs with a novel combinatorial method. In Chapter 5, we show that the algebraic component in the constructions of [MR08, DH09] can be replaced with a combinatorial substitute. Our work thus yields a fully combinatorial construction of PCPs with low soundness error which matches the state of the art parameters. Along the way, we develop a technique of derandomized parallel repetition, which may be interesting in its own right. This chapter is based on a joint work with Irit Dinur [DM10].

Footnote 3: Here we refer to a different part in the work of [Din07] than the parts discussed in the rest of this document.

Chapter 2 IP = PSPACE using Error Correcting Codes

2.1 Introduction

The IP theorem [LFKN92, Sha92] asserts that IP = PSPACE, or in other words, that any set in PSPACE has an interactive proof. This theorem is fundamental to our understanding of both interactive proofs and polynomial space computations. In addition, it has important applications, such as the existence of program checkers for PSPACE-complete sets, and the existence of zero knowledge proofs for every set in PSPACE. Indeed, the theorem is one of the major achievements of complexity theory. We note that an additional proof of the IP theorem has been suggested by [She92], and also that the work of [GKR08] implicitly gives an alternative proof of the IP theorem.

The known proofs of the IP theorem go roughly along the following lines: Suppose that we are given a claim that can be verified in polynomial space, and we are required to design an interactive protocol for verifying the claim. We begin by expressing the claim as a quantified Boolean formula, using the PSPACE-completeness of the TQBF problem. Then, we arithmetize the formula, transforming it into a claim about the value of a particular arithmetic expression. Finally, we use the celebrated sum-check protocol in order to verify the value of the arithmetic expression. One key point is that the sum-check protocol employs the fact that certain restrictions of the arithmetic expression are low-degree polynomials.

While the arithmetization technique used in the proof turned out to be extremely useful, it seems somewhat odd that one has to go through algebra in order to prove the theorem, since the theorem itself says nothing about algebra. The intuition behind the use of algebra in the proof is usually explained by the fact that low-degree polynomials constitute good error correcting codes.

In order to demonstrate this intuition, let us consider the special case of proving that $\mathsf{coNP} \subseteq \mathsf{IP}$, which amounts to designing a protocol for verifying that a given Boolean formula has no satisfying assignments. In this case, the main difficulty that the verifier faces is that it has to distinguish between a formula that has no satisfying assignments and a formula that has only one satisfying assignment. If we consider the truth tables of those formulas, then the verifier has to distinguish two exponential-length strings that differ only at one coordinate, which seems difficult to do in polynomial time. However, if the verifier could access encodings of the truth tables via an error correcting code, then its task would have been easy: An error correcting code has the property that any two distinct strings are encoded by strings that differ on many coordinates, even if the original strings were very close to each other. Therefore, if the verifier could access an error-correcting encoding of the truth table of the formula, it could just pick a random coordinate of the encoding and check that it matches the encoding of the all-zeroes truth table.

The role of algebra in the proof of the IP theorem is now explained as follows: The arithmetization technique transforms the formula into a low-degree polynomial. Since low-degree polynomials are good error correcting codes, the arithmetization should have a similar effect to that of encoding the truth table of the formula via an error correcting code. Morally, this should help the verifier in distinguishing between satisfiable and unsatisfiable formulas.

While the above intuition is very appealing, it is not clear what the relation is between this intuition and the actual proof, and whether the actual proof indeed implements this intuition. In particular, the polynomial that is obtained from the arithmetization of a formula is not the encoding of the formula's truth table by the corresponding polynomial code [footnote 1], but rather an arbitrary polynomial that agrees with the formula on the Boolean hypercube. Furthermore, the known proofs of the IP theorem use algebraic manipulations that cannot be applied to general error correcting codes. Those considerations give rise to the natural question of whether the foregoing intuition is correct or not. In other words, we would like to know whether the error correcting properties of polynomials are indeed the crux of the proof of the IP theorem, or whether there are other properties of polynomials that are essential to the proof.

Footnote 1: In other words, the polynomial generated by the arithmetization is not the low-degree extension of the truth table. To see this, note that the arithmetization of an unsatisfiable formula may produce a non-zero polynomial. For example, the arithmetization of the unsatisfiable formula $x \wedge \neg x$ is $x \cdot (1 - x)$, which is not the zero polynomial.

In this chapter, we show that the IP theorem can actually be proved by using only error correcting codes, while making no reference to polynomials. We believe that this establishes a rigorous basis for the aforementioned intuition. While our proof is somewhat more complicated than the previous proofs of the IP theorem, we believe that it is valuable as it explains the role of error correcting codes in the IP theorem.

Our techniques. Our proof relies heavily on the notion of tensor product of codes, which is a classical operation on codes. The tensor product operation generalizes the process of moving from univariate polynomials to multivariate polynomials, in the sense that if we view univariate polynomials as error correcting codes, then multivariate polynomials are obtained by applying the tensor product operation to univariate polynomials. We refer to error correcting codes that are obtained via the tensor product operation as tensor codes.

Our first main observation is the following. Recall that in the proof of the IP theorem, the sum-check protocol is applied to multivariate polynomials. We show that the sum-check protocol can in fact be applied to any tensor code. Specifically, we note that tensor codes have the following property: A codeword $c$ of a tensor code can be viewed as a function from some hypercube $[l]^m$ to a finite field $\mathbb{F}$, such that if a function $f : [l] \to \mathbb{F}$ is defined by an expression of the form

$$f(x_i) = \sum_{x_{i+1}} \cdots \sum_{x_m} c(r_1, \ldots, r_{i-1}, x_i, x_{i+1}, \ldots, x_m)$$

then $f$ is a codeword of some other error correcting code. We observe that this is the only property that is required for the sum-check protocol to work, and therefore the protocol can be used with any tensor code. In other words, the essential property of multivariate polynomials that is used in the sum-check protocol is the fact that multivariate polynomials are tensor codes.

Our next step is to use the foregoing observation to prove that $\mathsf{coNP} \subseteq \mathsf{IP}$ without using polynomials. To this end, we replace the multivariate polynomials used in the proof with general tensor codes. In particular, we replace the polynomial that is obtained from the arithmetization with a tensor codeword that agrees with the formula on the Boolean hypercube. We perform this replacement by generalizing the arithmetization technique to work with general error correcting codes instead of polynomials. This generalization is done by constructing multiplication codes, which are error correcting codes that emulate polynomial multiplication, and may be of independent interest.

Finally, we consider the proof of the full IP theorem, i.e., IP = PSPACE. To this end, we devise a protocol for verifying the validity of a quantified Boolean formula. In the known proofs of the IP theorem, when considering quantified Boolean formulas we encounter the following obstacle: The arithmetization of a quantified formula results in an arithmetic expression that contains polynomials of very high degree, and not low degree as required by the sum-check protocol. This issue translates in our proof to certain limitations of the aforementioned multiplication codes.

Recall that the proofs of the IP theorem by [Sha92, She92] resolve the foregoing issue by performing algebraic manipulations on the arithmetic expression to ensure that the involved polynomials are of low degree. Obviously, such a solution cannot be applied in our setting. Instead, we build on an idea from [GKR08], which shows that one can use the sum-check protocol to reduce the degree of the polynomials. While their technique still uses the algebraic structure of polynomials, we show that this technique can be adapted to our setting, allowing us to show that IP = PSPACE. The adaptation of [GKR08] is done by generalizing the sum-check protocol, and observing that it can be used to reduce the task of evaluating a coordinate of a tensor codeword to the task of evaluating a coordinate of another tensor codeword. This generalization may be of independent interest.

The organization of this chapter. In Section 2.2, we review the basic notions of error correcting codes and define the notation that we use. In Section 2.3, we review the notion of tensor product codes, and introduce the notion of multiplication codes. In Section 2.4, we revisit the sum-check protocol and generalize it. In Section 2.5, we prove that $\mathsf{coNP} \subseteq \mathsf{IP}$, and along the way present our generalization of the arithmetization technique. Finally, in Section 2.6, we prove the full IP theorem.

Remark regarding algebrization. Recall that the IP theorem is a classical example of a non-relativizing result. Recently, [AW08] suggested a framework called algebrization as a generalization of the notion of relativization, and showed that the IP theorem relativizes in this framework, or in other words, the IP theorem algebrizes. We note that while our proof of the IP theorem does not seem to algebrize, one can generalize the algebrization framework to include our proof as well. Some details are given in a remark at the end of Section

2.2 Preliminaries

For any $n \in \mathbb{N}$ we denote $[n] \stackrel{\mathrm{def}}{=} \{0, 1, \ldots, n-1\}$ (note that this is a non-standard notation). Similarly, if $x$ is a string of length $n$ over any alphabet, we denote its set of coordinates by $[n]$, and in particular, the first coordinate will be denoted $0$.

Throughout the chapter, we will refer to algorithms that take as input a finite field $\mathbb{F}$. We assume that the finite field $\mathbb{F}$ is represented, say, by a list of its elements and the corresponding addition and multiplication tables.

For any two strings $x, y$ of equal length $n$ and over any alphabet, the relative Hamming distance between $x$ and $y$ is the fraction of coordinates on which $x$ and $y$ differ, and is denoted by $\delta(x, y) \stackrel{\mathrm{def}}{=} \left|\{x_i \neq y_i : i \in [n]\}\right| / n$.

All the error correcting codes that we consider in this chapter are linear codes, to be defined next. Let $\mathbb{F}$ be a finite field, and let $k, l \in \mathbb{N}$. A (linear) code $C$ is a linear one-to-one function from $\mathbb{F}^k$ to $\mathbb{F}^l$, where $k$ and $l$ are called the code's message length and block length, respectively. We will sometimes identify $C$ with its image $C(\mathbb{F}^k)$. Specifically, we will write $c \in C$ to indicate the fact that there exists $x \in \mathbb{F}^k$ such that $c = C(x)$. In such a case, we also say that $c$ is a codeword of $C$. The relative distance of a code $C$ is the minimal relative Hamming distance between two different codewords of $C$, and is denoted by $\delta_C \stackrel{\mathrm{def}}{=} \min_{c_1 \neq c_2 \in C} \{\delta(c_1, c_2)\}$.

Due to the linearity of $C$, there exists an $l \times k$ matrix $G$, called the generator matrix of $C$, such that for every $x \in \mathbb{F}^k$ it holds that $C(x) = G \cdot x$. Observe that given the generator matrix of $C$ one can encode messages by $C$ as well as verify that a string in $\mathbb{F}^l$ is a codeword of $C$ in time that is polynomial in $l$. Moreover, observe that the code $C$ always encodes the all-zeroes vector in $\mathbb{F}^k$ to the all-zeroes vector in $\mathbb{F}^l$.

We say that $C$ is systematic if the first $k$ symbols of a codeword contain the encoded message, that is, if for every $x \in \mathbb{F}^k$ it holds that $(C(x))|_{[k]} = x$. By applying Gaussian elimination to the generator matrix of $C$, we may assume, without loss of generality, that $C$ is systematic.

The following fact asserts the existence of (rather weak) linear codes. Such codes are all we need for this chapter.

Fact. There exists an algorithm that, when given as input $k \in \mathbb{N}$, $\delta \in (0, 1)$, and a finite field $\mathbb{F}$ such that $|\mathbb{F}| \ge \mathrm{poly}(1/(1-\delta))$, runs in time that is polynomial in $k$, $\log|\mathbb{F}|$, and $1/(1-\delta)$, and outputs the generator matrix of a linear code $C$ over $\mathbb{F}$ that has message length $k$, block length $l \stackrel{\mathrm{def}}{=} k/\mathrm{poly}(1-\delta)$, and relative distance at least $\delta$.

Fact can be proved via a variety of techniques from coding theory, where many of them do not use polynomials (see, e.g., [Var57, ABN+92, GI05]; see also footnote 2).

2.3 Tensor Product Codes and Multiplication Codes

In this section we review the notion of tensor product of codes (in Section 2.3.1) and introduce the notion of multiplication codes (in Section 2.3.2). We note that the tensor product is a standard operation in coding theory, and a reader who is familiar with it may skip Section 2.3.1, with the exception of Propositions and which are non-standard. On the other hand, the notion of multiplication codes is a non-standard notion that we define for this work (though it may be seen as a variant of the notion of error correcting pairs, see [Köt92, Pel92, Sud01, Lect. 11 (1.4)]).

2.3.1 Tensor Product of Codes

In this section we define the tensor product operation on codes and present some of its properties. See [MS88] and [Sud01, Lect. 6 (2.4)] for the basics of this subject.

Definition. Let $R : \mathbb{F}^{k_R} \to \mathbb{F}^{l_R}$, $C : \mathbb{F}^{k_C} \to \mathbb{F}^{l_C}$ be codes. The tensor product code $R \otimes C$ is a code of message length $k_R \cdot k_C$ and block length $l_R \cdot l_C$ that encodes a message $x \in \mathbb{F}^{k_R \cdot k_C}$ as follows: In order to encode $x$, we first view $x$ as a $k_C \times k_R$ matrix, and encode each of its rows via the code $R$, resulting in a $k_C \times l_R$ matrix $x'$. Then, we encode each of the columns of $x'$ via the code $C$. The resulting $l_C \times l_R$ matrix is defined to be the encoding of $x$ via $R \otimes C$.

The following fact lists some of the basic and standard properties of the tensor product operation.

Fact. Let $R : \mathbb{F}^{k_R} \to \mathbb{F}^{l_R}$, $C : \mathbb{F}^{k_C} \to \mathbb{F}^{l_C}$ be linear codes. We have the following:

1. An $l_C \times l_R$ matrix $x$ over $\mathbb{F}$ is a codeword of $R \otimes C$ if and only if all the rows of $x$ are codewords of $R$ and all the columns of $x$ are codewords of $C$.

2. Let $\delta_R$ and $\delta_C$ be the relative distances of $R$ and $C$ respectively. Then, the code $R \otimes C$ has relative distance $\delta_R \cdot \delta_C$.

Footnote 2. We note that the work of [GI05] does make use of polynomials, but this use of polynomials can be avoided at the expense of having somewhat worse parameters, which we can still afford. Also, we note that the work of [ABN+92] requires $|\mathbb{F}| \ge \exp(1/(1-\delta))$, but this limitation can be waived by means of concatenation.

3. The tensor product operation is associative. That is, if $D : \mathbb{F}^{k_D} \to \mathbb{F}^{l_D}$ is a code then $(R \otimes C) \otimes D = R \otimes (C \otimes D)$.

The following standard feature of tensor codes will be very useful.

Fact. Let $R$ and $C$ be as before and let $r \in R$ and $c \in C$. Define the tensor product $r \otimes c$ of $r$ and $c$ as the $l_C \times l_R$ matrix defined by $(r \otimes c)_{i,j} = c_i \cdot r_j$. Then, $r \otimes c$ is a codeword of $R \otimes C$.

Proof. Observe that each row of $r \otimes c$ is equal to $r$ multiplied by a scalar, and therefore it is a codeword of $R$. Similarly, each column of $r \otimes c$ is a codeword of $C$. By Item 1 of Fact 2.3.2, it follows that $r \otimes c \in R \otimes C$, as required.

The associativity of the tensor product operation allows us to use notation such as $C \otimes C \otimes C$, and more generally:

Notation. Let $C : \mathbb{F}^k \to \mathbb{F}^l$ be a code. For every $m \in \mathbb{N}$ we denote by $C^m : \mathbb{F}^{k^m} \to \mathbb{F}^{l^m}$ the code $\underbrace{C \otimes C \otimes \cdots \otimes C}_{m}$. Formally, $C^m = C^{m-1} \otimes C$.

Notation. When referring to the code $C^m$ and its codewords, we will often identify the sets of coordinates $[k^m]$ and $[l^m]$ with the hypercubes $[k]^m$ and $[l]^m$ respectively. Using the latter identification, one can view a string $x \in \mathbb{F}^{k^m}$ as a function $x : [k]^m \to \mathbb{F}$, and view strings in $\mathbb{F}^{l^m}$ similarly. With a slight abuse of notation, we say that $C^m$ is systematic if for every codeword $c \in C^m$, the restriction of $c$ to $[k]^m$ equals the message encoded by $c$. It is easy to see that if $C$ is systematic (in the usual sense), then $C^m$ is systematic as well.

Using Fact 2.3.2, one can prove by induction the following.

Fact. Let $C : \mathbb{F}^k \to \mathbb{F}^l$ be a code. Then, the codewords of $C^m$ are precisely all the functions $f : [l]^m \to \mathbb{F}$ such that the restriction of $f$ to any axis-parallel line of the hypercube is a codeword of $C$. That is, a function $f : [l]^m \to \mathbb{F}$ is a codeword of $C^m$ if and only if for every $1 \le t \le m$ and $i_1, \ldots, i_{t-1}, i_{t+1}, \ldots, i_m \in [l]$ it holds that the function $f(i_1, \ldots, i_{t-1}, \cdot, i_{t+1}, \ldots, i_m)$ is a codeword of $C$.

Less standard features. We turn to prove two less standard features of the tensor product operation that will be useful in Section 2.4. The following claim expresses a coordinate of a tensor codeword using an expression of a sum-check form. We will use this claim later to show that one can use the sum-check protocol to evaluate the coordinates of a tensor codeword.

Claim. Let $C : \mathbb{F}^k \to \mathbb{F}^l$ be a systematic code, and let $m \in \mathbb{N}$. Then, for every coordinate $(i_1, \ldots, i_m) \in [l]^m$ there exist scalars $\alpha_{t,j} \in \mathbb{F}$ (for every $1 \le t \le m$ and $j \in [k]$) such that for every codeword $c \in C^m$ it holds that

$$c(i_1, \ldots, i_m) = \sum_{j_1 \in [k]} \alpha_{1,j_1} \cdot \sum_{j_2 \in [k]} \alpha_{2,j_2} \cdots \sum_{j_m \in [k]} \alpha_{m,j_m} \cdot c(j_1, \ldots, j_m).$$

Furthermore, the coefficients $\alpha_{t,j}$ can be computed in polynomial time from the tuple $(i_1, \ldots, i_m)$ and the generator matrix of $C$.

Proof. By induction on $m$. Suppose that $m = 1$. In this case, $c$ is a codeword of $C$. Let $i_1 \in [l]$. Since $C$ is a linear function, it holds that $c(i_1)$ is a linear combination of the elements of the message encoded by $c$. Since $C$ is systematic, it holds that $c(0), \ldots, c(k-1)$ are equal to the message encoded by $c$. Thus, we get that $c(i_1)$ is a linear combination of $c(0), \ldots, c(k-1)$, as required. Furthermore, the corresponding coefficients $\alpha_{1,j}$ are simply the corresponding row in the generator matrix of $C$.

We now assume that the claim holds for some $m \in \mathbb{N}$, and prove it for $m + 1$. Let $C : \mathbb{F}^k \to \mathbb{F}^l$ be a systematic code, let $c \in C^{m+1}$, and let $(i_1, \ldots, i_{m+1}) \in [l]^{m+1}$ be a coordinate of $c$. We first observe that by Fact 2.3.6, it holds that $c(\cdot, i_2, \ldots, i_{m+1})$ is a codeword of $C$. Thus, by the same considerations as in the case of $m = 1$, it follows that there exist coefficients $\alpha_{1,j_1} \in \mathbb{F}$ for $j_1 \in [k]$ such that

$$c(i_1, \ldots, i_{m+1}) = \sum_{j_1 \in [k]} \alpha_{1,j_1} \cdot c(j_1, i_2, \ldots, i_{m+1}).$$

Next, observe that Fact implies that for every $j_1$, it holds that $c(j_1, \underbrace{\cdot, \ldots, \cdot}_{m})$ is a codeword of $C^m$. The induction hypothesis now implies that there exist coefficients $\alpha_{t,j} \in \mathbb{F}$ (for every $2 \le t \le m + 1$ and $j \in [k]$) such that for every $j_1 \in [k]$ it holds that

$$c(j_1, i_2, \ldots, i_{m+1}) = \sum_{j_2 \in [k]} \alpha_{2,j_2} \cdots \sum_{j_{m+1} \in [k]} \alpha_{m+1,j_{m+1}} \cdot c(j_1, \ldots, j_{m+1}).$$

Note that the latter coefficients $\alpha_{t,j}$ do not depend on $j_1$. It follows that

$$c(i_1, \ldots, i_{m+1}) = \sum_{j_1 \in [k]} \alpha_{1,j_1} \cdot \sum_{j_2 \in [k]} \alpha_{2,j_2} \cdots \sum_{j_{m+1} \in [k]} \alpha_{m+1,j_{m+1}} \cdot c(j_1, \ldots, j_{m+1}),$$

as required. Furthermore, it is easy to see that the coefficients $\alpha_{t,j}$ can indeed be computed in polynomial time.

The following claim says that the intermediate sum that occurs in a single step of the sum-check protocol is a codeword of $C$. This is the key property used in each single step of the sum-check protocol.

Claim. Let $C : \mathbb{F}^k \to \mathbb{F}^l$ be a code, let $m \in \mathbb{N}$, and let $c \in C^m$. Then, for every sequence of scalars $\alpha_{t,j}$ (for every $2 \le t \le m$ and $j \in [l]$) it holds that the function $f : [l] \to \mathbb{F}$ defined by

$$f(j_1) = \sum_{j_2 \in [l]} \alpha_{2,j_2} \cdot \sum_{j_3 \in [l]} \alpha_{3,j_3} \cdots \sum_{j_m \in [l]} \alpha_{m,j_m} \cdot c(j_1, \ldots, j_m)$$

is a codeword of $C$.

Proof. The proof is by induction on $m$. For $m = 1$ the claim is trivial. We assume that the claim holds for some $m \in \mathbb{N}$, and prove it for $m + 1$. Let $C : \mathbb{F}^k \to \mathbb{F}^l$ be a code, let $c \in C^{m+1}$, and let $\alpha_{t,j}$ be scalars for every $2 \le t \le m + 1$ and $j \in [l]$. We wish to show that the function $f : [l] \to \mathbb{F}$ defined by

$$f(j_1) \stackrel{\mathrm{def}}{=} \sum_{j_2 \in [l]} \alpha_{2,j_2} \cdots \sum_{j_{m+1} \in [l]} \alpha_{m+1,j_{m+1}} \cdot c(j_1, \ldots, j_{m+1})$$

is a codeword of $C$. To this end, let us observe that Fact implies that for every $j_{m+1} \in [l]$, the function $g_{j_{m+1}} : [l]^m \to \mathbb{F}$ defined by

$$g_{j_{m+1}}(j_1, \ldots, j_m) \stackrel{\mathrm{def}}{=} c(j_1, \ldots, j_m, j_{m+1})$$

is a codeword of $C^m$. Therefore, by the induction hypothesis, the function $h_{j_{m+1}} : [l] \to \mathbb{F}$ defined by

$$h_{j_{m+1}}(j_1) \stackrel{\mathrm{def}}{=} \sum_{j_2 \in [l]} \alpha_{2,j_2} \cdots \sum_{j_m \in [l]} \alpha_{m,j_m} \cdot g_{j_{m+1}}(j_1, \ldots, j_m)$$

is a codeword of $C$. Now, observe that we can express $f$ as

$$f(j_1) = \sum_{j_{m+1} \in [l]} \alpha_{m+1,j_{m+1}} \cdot h_{j_{m+1}}(j_1).$$

In other words, it holds that $f$ is a linear combination of codewords of $C$. By the linearity of $C$, it follows that $f$ is a codeword of $C$.

2.3.2 Multiplication codes

The arithmetization technique, which transforms a Boolean formula into a low-degree polynomial, uses two basic properties of polynomials: The first property is that low-degree polynomials form a linear subspace. The second property is that the product of two low-degree polynomials is a low-degree polynomial (provided that the field is sufficiently large compared to the degree). Therefore, in order to generalize the arithmetization technique to use general error correcting codes, we would like to have error correcting codes with similar properties. The first property is attained by every linear code. The challenge is to obtain codes emulating the second property, the multiplication property. To this end, we use the following notation.

Notation. Let $\mathbb{F}$ be a finite field, let $l \in \mathbb{N}$, and let $u, v \in \mathbb{F}^l$. Then, we denote by $u \ast v$ the string in $\mathbb{F}^l$ defined by $(u \ast v)_i = u_i \cdot v_i$.

We can now phrase the multiplication property of polynomials as follows. If $c_1$ and $c_2$ are codewords of polynomial codes (of sufficiently low degree), then $c_1 \ast c_2$ is a codeword of another polynomial code (of a higher degree). The following proposition shows that one can construct codes with such a property without using polynomials.

Proposition. For every $k \in \mathbb{N}$, $\delta \in (0, 1)$ and a finite field $\mathbb{F}$ such that $|\mathbb{F}| \ge \mathrm{poly}(1/(1-\delta))$, there exists a triplet $(C_A, C_B, C_M)$ of systematic linear codes over $\mathbb{F}$ that have the following properties:

1. Multiplication: For every $c_A \in C_A$ and $c_B \in C_B$ it holds that $c_A \ast c_B \in C_M$.

2. $C_A$ and $C_B$ have message length $k$, and $C_M$ has message length $k^2$.

3. $C_A$, $C_B$, and $C_M$ all have block length $l \stackrel{\mathrm{def}}{=} k^2/\mathrm{poly}(1-\delta)$, and relative distance $\delta$.

Furthermore, there exists an algorithm that, when given as input $k$, $\delta$, and $\mathbb{F}$, runs in time that is polynomial in $k$, $\log|\mathbb{F}|$, and $1/(1-\delta)$, and outputs the generating matrices of $C_A$, $C_B$ and $C_M$.

Remark. Again, it is trivial to construct codes as in Proposition using polynomials. Indeed, taking $C_A$, $C_B$, and $C_M$ to be Reed-Solomon codes of appropriate degree would yield codes with the same multiplication property and with better parameters. The novelty of our proof of Proposition is that the construction of the codes is based on generic codes, and not on polynomial codes. Specifically, we will only use the tensor product operation.

Proof. The algorithm begins by invoking the algorithm of Fact on input $k$, $\sqrt{\delta}$, and $\mathbb{F}$. This results in a code $C$ with message length $k$, relative distance $\sqrt{\delta}$, and block length (see footnote 3)

$$l_C = k/\mathrm{poly}\left(1-\sqrt{\delta}\right) \le k/\mathrm{poly}(1-\delta).$$

Next, the algorithm sets $l = l_C^2$ and constructs the generating matrices of the codes $C_A$, $C_B$, and $C_M$ that are defined as follows:

1. The codewords of $C_A$ are precisely all the $l_C \times l_C$ matrices $c_A$ such that all the rows of $c_A$ are identical and are equal to some codeword of $C$.

2. $C_B$ is defined similarly to $C_A$, but with columns instead of rows.

3. The code $C_M$ is the code $C^2$.

Footnote 3. The inequality can be seen by defining $\alpha \stackrel{\mathrm{def}}{=} 1-\delta$, noting that $\sqrt{\delta} = \sqrt{1-\alpha} \le \sqrt{(1-\alpha/2)^2} = 1-\alpha/2$, and then observing that the latter yields $1-\sqrt{\delta} \ge 1-(1-\alpha/2) = (1-\delta)/2$.
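The tensor-product facts of Section 2.3.1 and the construction of $(C_A, C_B, C_M)$ above can be checked numerically on a toy code. The following Python sketch is an added example, not code from the thesis; the prime field GF(7), the generator matrix G, the sample messages, and all function names are assumptions chosen for illustration.

```python
# Added illustration (not from the thesis): a toy code C and C (x) C over GF(7).
P = 7  # assumption: a prime field, so field arithmetic is arithmetic mod P

# Constructed systematic generator matrix (l x k) of a toy code with k=2, l=4.
# The first k rows are the identity, so a codeword starts with its message.
G = [[1, 0],
     [0, 1],
     [1, 1],
     [1, 2]]
K, L = 2, 4


def encode(msg):
    """C(x) = G * x over GF(P)."""
    return [sum(g * x for g, x in zip(row, msg)) % P for row in G]


def is_codeword(word):
    """C is systematic: re-encode the first K symbols and compare."""
    return len(word) == L and encode(word[:K]) == [w % P for w in word]


def transpose(m):
    return [list(col) for col in zip(*m)]


def tensor_encode(msg):
    """Encode a K x K message: each row via C, then each column via C."""
    rows_done = [encode(r) for r in msg]                     # K x L matrix
    cols_done = [encode(col) for col in transpose(rows_done)]
    return transpose(cols_done)                              # L x L matrix


def is_tensor_codeword(m):
    """Rows/columns characterization: every row and column is in C."""
    return (all(is_codeword(r) for r in m)
            and all(is_codeword(col) for col in transpose(m)))


def coordinate_via_sum(c, i1, i2):
    """Sum-check form of a coordinate (case m = 2):
    c(i1,i2) = sum_{j1 in [k]} a1[j1] * sum_{j2 in [k]} a2[j2] * c(j1,j2),
    where a_t is row i_t of the generator matrix."""
    a1, a2 = G[i1], G[i2]
    return sum(a1[j1] * a2[j2] * c[j1][j2]
               for j1 in range(K) for j2 in range(K)) % P


def intermediate_sum(c, alpha2):
    """f(j1) = sum_{j2 in [l]} alpha2[j2] * c(j1,j2) for arbitrary scalars;
    the second claim says f is a codeword of C."""
    return [sum(alpha2[j2] * c[j1][j2] for j2 in range(L)) % P
            for j1 in range(L)]


def mult_pair(a, b):
    """c_A: every row equals the codeword a. c_B: every column equals b."""
    c_a = [list(a) for _ in range(L)]
    c_b = [[b[i]] * L for i in range(L)]
    return c_a, c_b


def pointwise(u, v):
    """Coordinate-wise product u * v of two L x L matrices over GF(P)."""
    return [[(x * y) % P for x, y in zip(ru, rv)] for ru, rv in zip(u, v)]


if __name__ == "__main__":
    c = tensor_encode([[3, 5], [6, 1]])        # constructed sample message
    print("tensor codeword:", c)
    print("sum-check form agrees:",
          all(coordinate_via_sum(c, i, j) == c[i][j]
              for i in range(L) for j in range(L)))
    f = intermediate_sum(c, [2, 0, 5, 3])      # constructed scalars
    print("intermediate sum", f, "in C:", is_codeword(f))
    c_a, c_b = mult_pair(encode([2, 3]), encode([4, 1]))
    print("c_A * c_B in C_M:", is_tensor_codeword(pointwise(c_a, c_b)))
```

Note that a matrix of $C_A$ is in general not itself a codeword of $C_M$ (its columns are constant vectors); only the coordinate-wise product with a matrix of $C_B$ is guaranteed to land in $C_M$.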

IP = PSPACE using Error Correcting Codes

IP = PSPACE using Error Correcting Codes Electronic Colloquium on Computational Complexity, Report No. 137 (2010 IP = PSPACE using Error Correcting Codes Or Meir Abstract The IP theorem, which asserts that IP = PSPACE (Lund et. al., and Shamir,

More information

Combinatorial PCPs with Short Proofs

Combinatorial PCPs with Short Proofs Combinatorial PCPs with Short Proofs Or Meir March 26, 2012 Abstract The PCP theorem (Arora et. al., J. ACM 45(1,3)) asserts the existence of proofs that can be verified by reading a very small part of

More information

Lecture 19: Interactive Proofs and the PCP Theorem

Lecture 19: Interactive Proofs and the PCP Theorem Lecture 19: Interactive Proofs and the PCP Theorem Valentine Kabanets November 29, 2016 1 Interactive Proofs In this model, we have an all-powerful Prover (with unlimited computational prover) and a polytime

More information

High-rate Locally-testable Codes with Quasi-polylogarithmic Query Complexity

High-rate Locally-testable Codes with Quasi-polylogarithmic Query Complexity High-rate Locally-testable Codes with Quasi-polylogarithmic Query Complexity Swastik Kopparty, Or Meir, Noga Ron-Zewi, Shubhangi Saraf September 5, 205 Abstract An error correcting code is said to be locally

More information

Probabilistically Checkable Arguments

Probabilistically Checkable Arguments Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research yael@microsoft.com Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract We give a general reduction that converts

More information

From Secure MPC to Efficient Zero-Knowledge

From Secure MPC to Efficient Zero-Knowledge From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time

More information

Two Query PCP with Sub-Constant Error

Two Query PCP with Sub-Constant Error Electronic Colloquium on Computational Complexity, Report No 71 (2008) Two Query PCP with Sub-Constant Error Dana Moshkovitz Ran Raz July 28, 2008 Abstract We show that the N P-Complete language 3SAT has

More information

Assignment Testers: Towards a Combinatorial Proof of the PCP-Theorem

Assignment Testers: Towards a Combinatorial Proof of the PCP-Theorem Assignment Testers: Towards a Combinatorial Proof of the PCP-Theorem Irit Dinur Omer Reingold January 29, 2006 Abstract In this work we look back into the proof of the PCP Theorem, with the goal of finding

More information

Composition of low-error 2-query PCPs using decodable PCPs

Composition of low-error 2-query PCPs using decodable PCPs Composition of low-error 2-query PCPs using decodable PCPs Irit Dinur Prahladh Harsha August 5, 2009 Abstract The main result of this paper is a generic composition theorem for low error two-query probabilistically

More information

Interactive PCP. Yael Tauman Kalai Georgia Institute of Technology Ran Raz Weizmann Institute of Science

Interactive PCP. Yael Tauman Kalai Georgia Institute of Technology Ran Raz Weizmann Institute of Science Interactive PCP Yael Tauman Kalai Georgia Institute of Technology yael@csail.mit.edu Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract A central line of research in the area of PCPs

More information

Introduction to Interactive Proofs & The Sumcheck Protocol

Introduction to Interactive Proofs & The Sumcheck Protocol CS294: Probabilistically Checkable and Interactive Proofs January 19, 2017 Introduction to Interactive Proofs & The Sumcheck Protocol Instructor: Alessandro Chiesa & Igor Shinkar Scribe: Pratyush Mishra

More information

Towards the Sliding Scale Conjecture (Old & New PCP constructions)

Towards the Sliding Scale Conjecture (Old & New PCP constructions) Towards the Sliding Scale Conjecture (Old & New PCP constructions) Prahladh Harsha TIFR [Based on joint works with Irit Dinur & Guy Kindler] Outline Intro, Background & Context Goals and questions in this

More information

CS151 Complexity Theory. Lecture 14 May 17, 2017

CS151 Complexity Theory. Lecture 14 May 17, 2017 CS151 Complexity Theory Lecture 14 May 17, 2017 IP = PSPACE Theorem: (Shamir) IP = PSPACE Note: IP PSPACE enumerate all possible interactions, explicitly calculate acceptance probability interaction extremely

More information

The Tensor Product of Two Codes is Not Necessarily Robustly Testable

The Tensor Product of Two Codes is Not Necessarily Robustly Testable The Tensor Product of Two Codes is Not Necessarily Robustly Testable Paul Valiant Massachusetts Institute of Technology pvaliant@mit.edu Abstract. There has been significant interest lately in the task

More information

Assignment Testers: Towards a Combinatorial Proof of the PCP-Theorem

Assignment Testers: Towards a Combinatorial Proof of the PCP-Theorem Assignment Testers: Towards a Combinatorial Proof of the PCP-Theorem Irit Dinur Omer Reingold January 7, 2005 Abstract In this work we look back into the proof of the PCP Theorem, with the goal of finding

More information

1 The Low-Degree Testing Assumption

1 The Low-Degree Testing Assumption Advanced Complexity Theory Spring 2016 Lecture 17: PCP with Polylogarithmic Queries and Sum Check Prof. Dana Moshkovitz Scribes: Dana Moshkovitz & Michael Forbes Scribe Date: Fall 2010 In this lecture

More information

Lecture 17 November 8, 2012

Lecture 17 November 8, 2012 6.841: Advanced Complexity Theory Fall 2012 Prof. Dana Moshkovitz Lecture 17 November 8, 2012 Scribe: Mark Bun 1 Overview In the previous lecture, we saw an overview of probabilistically checkable proofs,

More information

2 Evidence that Graph Isomorphism is not NP-complete

2 Evidence that Graph Isomorphism is not NP-complete Topics in Theoretical Computer Science April 11, 2016 Lecturer: Ola Svensson Lecture 7 (Notes) Scribes: Ola Svensson Disclaimer: These notes were written for the lecturer only and may contain inconsistent

More information

Electronic Colloquium on Computational Complexity, Report No. 31 (2007) Interactive PCP

Electronic Colloquium on Computational Complexity, Report No. 31 (2007) Interactive PCP Electronic Colloquium on Computational Complexity, Report No. 31 (2007) Interactive PCP Yael Tauman Kalai Weizmann Institute of Science yael@csail.mit.edu Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il

More information

Lecture 26. Daniel Apon

Lecture 26. Daniel Apon Lecture 26 Daniel Apon 1 From IPPSPACE to NPPCP(log, 1): NEXP has multi-prover interactive protocols If you ve read the notes on the history of the PCP theorem referenced in Lecture 19 [3], you will already

More information

Lecture 8 (Notes) 1. The book Computational Complexity: A Modern Approach by Sanjeev Arora and Boaz Barak;

Lecture 8 (Notes) 1. The book Computational Complexity: A Modern Approach by Sanjeev Arora and Boaz Barak; Topics in Theoretical Computer Science April 18, 2016 Lecturer: Ola Svensson Lecture 8 (Notes) Scribes: Ola Svensson Disclaimer: These notes were written for the lecturer only and may contain inconsistent

More information

Two Comments on Targeted Canonical Derandomizers

Two Comments on Targeted Canonical Derandomizers Two Comments on Targeted Canonical Derandomizers Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. oded.goldreich@weizmann.ac.il April 8, 2011 Abstract We revisit

More information

Every set in P is strongly testable under a suitable encoding

Every set in P is strongly testable under a suitable encoding Every set in P is strongly testable under a suitable encoding Irit Dinur Oded Goldreich Tom Gur March 15, 2018 Abstract We show that every set in P is strongly testable under a suitable encoding. By strongly

More information

Lecture 22. m n c (k) i,j x i x j = c (k) k=1

Lecture 22. m n c (k) i,j x i x j = c (k) k=1 Notes on Complexity Theory Last updated: June, 2014 Jonathan Katz Lecture 22 1 N P PCP(poly, 1) We show here a probabilistically checkable proof for N P in which the verifier reads only a constant number

More information

Lecture Notes 20: Zero-Knowledge Proofs

Lecture Notes 20: Zero-Knowledge Proofs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties

More information

Lecture 12: Interactive Proofs

Lecture 12: Interactive Proofs princeton university cos 522: computational complexity Lecture 12: Interactive Proofs Lecturer: Sanjeev Arora Scribe:Carl Kingsford Recall the certificate definition of NP. We can think of this characterization

More information

Notes on Complexity Theory Last updated: November, Lecture 10

Notes on Complexity Theory Last updated: November, Lecture 10 Notes on Complexity Theory Last updated: November, 2015 Lecture 10 Notes by Jonathan Katz, lightly edited by Dov Gordon. 1 Randomized Time Complexity 1.1 How Large is BPP? We know that P ZPP = RP corp

More information

SHORT PCPS WITH POLYLOG QUERY COMPLEXITY

SHORT PCPS WITH POLYLOG QUERY COMPLEXITY SIAM J. COMPUT. Vol. 38, No. 2, pp. 551 607 c 2008 Society for Industrial and Applied Mathematics SHORT PCPS WITH POLYLOG QUERY COMPLEXITY ELI BEN-SASSON AND MADHU SUDAN Abstract. We give constructions

More information

Basic Probabilistic Checking 3

Basic Probabilistic Checking 3 CS294: Probabilistically Checkable and Interactive Proofs February 21, 2017 Basic Probabilistic Checking 3 Instructor: Alessandro Chiesa & Igor Shinkar Scribe: Izaak Meckler Today we prove the following

More information

Short PCPs with Polylog Query Complexity

Short PCPs with Polylog Query Complexity Short PCPs with Polylog Query Complexity Eli Ben-Sasson Computer Science Department Technion Israel Institute of Technology Haifa, 32000, Israel eli@cs.technion.ac.il Madhu Sudan Computer Science and Artificial

More information

Proofs of Proximity for Context-Free Languages and Read-Once Branching Programs

Proofs of Proximity for Context-Free Languages and Read-Once Branching Programs Proofs of Proximity for Context-Free Languages and Read-Once Branching Programs Oded Goldreich Weizmann Institute of Science oded.goldreich@weizmann.ac.il Ron D. Rothblum Weizmann Institute of Science

More information

Lecture 3: Interactive Proofs and Zero-Knowledge

Lecture 3: Interactive Proofs and Zero-Knowledge CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic

More information

Robust PCPs of Proximity, Shorter PCPs and Applications to Coding

Robust PCPs of Proximity, Shorter PCPs and Applications to Coding Robust PCPs of Proximity, Shorter PCPs and Applications to Coding Eli Ben-Sasson Oded Goldreich Prahladh Harsha Madhu Sudan Salil Vadhan January 14, 2005 Abstract We continue the study of the trade-off

More information

Short Interactive Oracle Proofs with Constant Query Complexity, via Composition and Sumcheck

Short Interactive Oracle Proofs with Constant Query Complexity, via Composition and Sumcheck Short Interactive Oracle Proofs with Constant Query Complexity, via Composition and Sumcheck Eli Ben-Sasson eli@cs.technion.ac.il Technion Alessandro Chiesa alexch@berkeley.edu UC Berkeley Ariel Gabizon

More information

1 On Proofs and Interactive Proofs

1 On Proofs and Interactive Proofs On IP = PSPACE and Theorems with Narrow Proofs Juris Hartmanis Richard Chang Desh Ranjan Pankaj Rohatgi Department of Computer Science, Cornell University Ithaca, New York 14853, USA Abstract It has been

More information

Umans Complexity Theory Lectures

Umans Complexity Theory Lectures Complexity Theory Umans Complexity Theory Lectures Lecture 1a: Problems and Languages Classify problems according to the computational resources required running time storage space parallelism randomness

More information

2 Natural Proofs: a barrier for proving circuit lower bounds

2 Natural Proofs: a barrier for proving circuit lower bounds Topics in Theoretical Computer Science April 4, 2016 Lecturer: Ola Svensson Lecture 6 (Notes) Scribes: Ola Svensson Disclaimer: These notes were written for the lecturer only and may contain inconsistent

More information

CS Communication Complexity: Applications and New Directions

CS Communication Complexity: Applications and New Directions CS 2429 - Communication Complexity: Applications and New Directions Lecturer: Toniann Pitassi 1 Introduction In this course we will define the basic two-party model of communication, as introduced in the

More information

Lecture 16 November 6th, 2012 (Prasad Raghavendra)

Lecture 16 November 6th, 2012 (Prasad Raghavendra) 6.841: Advanced Complexity Theory Fall 2012 Lecture 16 November 6th, 2012 (Prasad Raghavendra) Prof. Dana Moshkovitz Scribe: Geng Huang 1 Overview In this lecture, we will begin to talk about the PCP Theorem

More information

Locally Testable Codes and PCPs of Almost-Linear Length

Locally Testable Codes and PCPs of Almost-Linear Length Locally Testable Codes and PCPs of Almost-Linear Length Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. oded.goldreich@weizmann.ac.il Madhu Sudan Laboratory

More information

Lecture 26: Arthur-Merlin Games

Lecture 26: Arthur-Merlin Games CS 710: Complexity Theory 12/09/2011 Lecture 26: Arthur-Merlin Games Instructor: Dieter van Melkebeek Scribe: Chetan Rao and Aaron Gorenstein Last time we compared counting versus alternation and showed

More information

Competing Provers Protocols for Circuit Evaluation

Competing Provers Protocols for Circuit Evaluation THEORY OF COMPUTING www.theoryofcomputing.org Competing Provers Protocols for Circuit Evaluation Gillat Kol Ran Raz April 21, 2014 Abstract: Let C be a fan-in 2) Boolean circuit of size s and depth d,

More information

arxiv: v1 [cs.cc] 23 May 2015

arxiv: v1 [cs.cc] 23 May 2015 Polynomially Low Error PCPs with polyloglog n Queries via Modular Composition Irit Dinur Prahladh Harsha Guy Kindler arxiv:1505.06362v1 [cs.cc] 23 May 2015 August 18, 2018 Abstract We show that every language

More information

MTAT Complexity Theory December 8th, Lecture 12

MTAT Complexity Theory December 8th, Lecture 12 MTAT.07.004 Complexity Theory December 8th, 2011 Lecturer: Peeter Laud Lecture 12 Scribe(s): Ilya Kuzovkin Introduction On the previous lecture we had a look onto interactive proofs, where the system consists

More information

Interactive Proofs of Proximity: Delegating Computation in Sublinear Time

Interactive Proofs of Proximity: Delegating Computation in Sublinear Time Interactive Proofs of Proximity: Delegating Computation in Sublinear Time Guy N. Rothblum Microsoft Research rothblum@alum.mit.edu Salil Vadhan Harvard University salil@eecs.harvard.edu Avi Wigderson Institute

More information

Proclaiming Dictators and Juntas or Testing Boolean Formulae

Proclaiming Dictators and Juntas or Testing Boolean Formulae Proclaiming Dictators and Juntas or Testing Boolean Formulae Michal Parnas The Academic College of Tel-Aviv-Yaffo Tel-Aviv, ISRAEL michalp@mta.ac.il Dana Ron Department of EE Systems Tel-Aviv University

More information

Probabilistically Checkable Proofs

Probabilistically Checkable Proofs Probabilistically Checkable Proofs Madhu Sudan Microsoft Research June 11, 2015 TIFR: Probabilistically Checkable Proofs 1 Can Proofs be Checked Efficiently? The Riemann Hypothesis is true (12 th Revision)

More information

Arthur-Merlin Streaming Complexity

Arthur-Merlin Streaming Complexity Weizmann Institute of Science Joint work with Ran Raz Data Streams The data stream model is an abstraction commonly used for algorithms that process network traffic using sublinear space. A data stream

More information

Efficient Probabilistically Checkable Debates

Efficient Probabilistically Checkable Debates Efficient Probabilistically Checkable Debates Andrew Drucker MIT Andrew Drucker MIT, Efficient Probabilistically Checkable Debates 1/53 Polynomial-time Debates Given: language L, string x; Player 1 argues

More information

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses. CS 221: Computational Complexity Prof. Salil Vadhan Lecture Notes 17 March 31, 2010 Scribe: Jonathan Ullman 1 Interactive Proofs ecall the definition of NP: L NP there exists a polynomial-time V and polynomial

More information

Lecture 15 - Zero Knowledge Proofs

Lecture 15 - Zero Knowledge Proofs Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,

More information

Introduction Long transparent proofs The real PCP theorem. Real Number PCPs. Klaus Meer. Brandenburg University of Technology, Cottbus, Germany

Introduction Long transparent proofs The real PCP theorem. Real Number PCPs. Klaus Meer. Brandenburg University of Technology, Cottbus, Germany Santaló s Summer School, Part 3, July, 2012 joint work with Martijn Baartse (work supported by DFG, GZ:ME 1424/7-1) Outline 1 Introduction 2 Long transparent proofs for NP R 3 The real PCP theorem First

More information

Quantum Information and the PCP Theorem
