Lecture 19: Interactive Proofs and the PCP Theorem

Similar documents
Lecture 12: Interactive Proofs

Lecture 26. Daniel Apon

2 Evidence that Graph Isomorphism is not NP-complete

6.841/18.405J: Advanced Complexity Wednesday, April 2, Lecture Lecture 14

Interactive Proofs 1

CS151 Complexity Theory. Lecture 13 May 15, 2017

Lecture 16 November 6th, 2012 (Prasad Raghavendra)

Introduction to Interactive Proofs & The Sumcheck Protocol

198:538 Complexity of Computation Lecture 16 Rutgers University, Spring March 2007

Complexity Theory. Jörg Kreiker. Summer term Chair for Theoretical Computer Science Prof. Esparza TU München

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

1 Randomized Computation

Lecture 14: IP = PSPACE

Shamir s Theorem. Johannes Mittmann. Technische Universität München (TUM)

Time and space classes

Great Theoretical Ideas in Computer Science

Notes on Complexity Theory Last updated: November, Lecture 10

-bit integers are all in ThC. Th The following problems are complete for PSPACE NPSPACE ATIME QSAT, GEOGRAPHY, SUCCINCT REACH.

1 PSPACE-Completeness

Lecture 23: More PSPACE-Complete, Randomized Complexity

Lecture 17 November 8, 2012

Lecture 8 (Notes) 1. The book Computational Complexity: A Modern Approach by Sanjeev Arora and Boaz Barak;

1 Agenda. 2 History. 3 Probabilistically Checkable Proofs (PCPs). Lecture Notes Definitions. PCPs. Approximation Algorithms.

Almost transparent short proofs for NP R

POLYNOMIAL SPACE QSAT. Games. Polynomial space cont d

Complexity Theory. Jörg Kreiker. Summer term Chair for Theoretical Computer Science Prof. Esparza TU München

Limits to Approximability: When Algorithms Won't Help You. Note: Contents of today s lecture won t be on the exam

Notes for Lecture 2. Statement of the PCP Theorem and Constraint Satisfaction

Rational Proofs with Multiple Provers. Jing Chen, Samuel McCauley, Shikha Singh Department of Computer Science

The Proof of IP = P SP ACE

CS151 Complexity Theory. Lecture 14 May 17, 2017

Complexity Classes V. More PCPs. Eric Rachlin

Essential facts about NP-completeness:

Lecture 15 - Zero Knowledge Proofs

Real Interactive Proofs for VPSPACE

Theorem 11.1 (Lund-Fortnow-Karloff-Nisan). There is a polynomial length interactive proof for the

INAPPROX APPROX PTAS. FPTAS Knapsack P

On the efficient approximability of constraint satisfaction problems

Exponential time vs probabilistic polynomial time

Complexity Classes IV

CSE200: Computability and complexity Space Complexity

2 Natural Proofs: a barrier for proving circuit lower bounds

Definition 1. NP is a class of language L such that there exists a poly time verifier V with

6.896 Quantum Complexity Theory 30 October Lecture 17

Lecture 24: Randomized Complexity, Course Summary

Lecture 18: PCP Theorem and Hardness of Approximation I

Basic Probabilistic Checking 3

Lecture 20: PSPACE. November 15, 2016 CS 1010 Theory of Computation

Lecture 3: Interactive Proofs and Zero-Knowledge

Interactive protocols & zero-knowledge

Dinur s Proof of the PCP Theorem

IP = PSPACE using Error Correcting Codes

Lecture : PSPACE IP

Interactive Proofs. Merlin-Arthur games (MA) [Babai] Decision problem: D;

6.841/18.405J: Advanced Complexity Wednesday, February 12, Lecture Lecture 3

MTAT Complexity Theory December 8th, Lecture 12

On the Power of Multi-Prover Interactive Protocols. Lance Fortnow. John Rompel y. Michael Sipser z. Massachusetts Institute of Technology

B(w, z, v 1, v 2, v 3, A(v 1 ), A(v 2 ), A(v 3 )).

Lecture 10 + additional notes

x 2 +2 x 2 x 3 2x 2 +2x +1 (mod 5).

Lecture 26: Arthur-Merlin Games

arxiv: v1 [cs.cc] 30 Apr 2015

Umans Complexity Theory Lectures

1 Probabilistically checkable proofs

CS151 Complexity Theory. Lecture 15 May 22, 2017

Lecture 8. MINDNF = {(φ, k) φ is a CNF expression and DNF expression ψ s.t. ψ k and ψ is equivalent to φ}

CSC 5170: Theory of Computational Complexity Lecture 9 The Chinese University of Hong Kong 15 March 2010

CS154, Lecture 18: 1

The power and weakness of randomness (when you are short on time) Avi Wigderson Institute for Advanced Study

THE BLACK-BOX QUERY COMPLEXITY OF POLYNOMIAL SUMMATION

Lecture 15: A Brief Look at PCP

6.896 Quantum Complexity Theory November 4th, Lecture 18

Beyond NP [HMU06,Chp.11a] Tautology Problem NP-Hardness and co-np Historical Comments Optimization Problems More Complexity Classes

Lecture 17: Interactive Proof Systems

1 Recap: Interactive Proofs

Identifying an Honest EXP NP Oracle Among Many

CSCI 1590 Intro to Computational Complexity

Umans Complexity Theory Lectures

Today. Few Comments. PCP Theorem, Simple proof due to Irit Dinur [ECCC, TR05-046]! Based on some ideas promoted in [Dinur- Reingold 04].

Interactive protocols & zero-knowledge

PCP Theorem and Hardness of Approximation

6-1 Computational Complexity

~

Interactive Proof System

Strong ETH Breaks With Merlin and Arthur. Or: Short Non-Interactive Proofs of Batch Evaluation

Classical Verification of Quantum Computations

Lecture 26: QIP and QMIP

Computational Complexity Theory

CSC 2429 Approaches to the P versus NP Question. Lecture #12: April 2, 2014

Introduction Long transparent proofs The real PCP theorem. Real Number PCPs. Klaus Meer. Brandenburg University of Technology, Cottbus, Germany

Lecture 22: Oct 29, Interactive proof for graph non-isomorphism

Approximation Algorithms and Hardness of Approximation. IPM, Jan Mohammad R. Salavatipour Department of Computing Science University of Alberta

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 9

Permanent and Determinant

A An Overview of Complexity Theory for the Algorithm Designer

20.1 2SAT. CS125 Lecture 20 Fall 2016

Space Complexity. The space complexity of a program is how much memory it uses.

Lecture 15: Interactive Proofs

Lecture 1: Introduction

Keywords. Approximation Complexity Theory: historical remarks. What s PCP?

Transcription:

Lecture 19: Interactive Proofs and the PCP Theorem Valentine Kabanets November 29, 2016 1 Interactive Proofs In this model, we have an all-powerful Prover (with unlimited computational prover) and a polytime Verifier. Given a common input x, the prover and verifier exchange some messages, and at the end of this interaction, Verifier accepts or rejects. Ideally, we want the verifier accept an input in the language, and reject the input not in the language. For example, if the language is SAT, then Prover can convince Verifier of satisfiability of the given formula by simply presenting a satisfying assignment. On the other hand, if the formula is unsatisfiable, then any proof of Prover will be rejected by Verifier. This is nothing but the reformulation of the definition of NP. We can consider more complex languages. For instance, UNSAT is the set of unsatisfiable formulas. Can we design a protocol so that if the given formula is unsatisfiable, Prover can convince Verifier to accept; otherwise, Verifier will reject? We suspect that no such protocol is possible if Verifier is restricted to be a deterministic polytime algorithm. However, if we allow Verifier to be a randomized polytime algorithm, then indeed such a protocol can be designed. In fact, we ll show that every language in PSPACE has an interactive protocol. But first, we consider a simpler problem #SAT of counting the number of satisfying assignments to a given formula. 1.1 Interactive Proof Protocol for #SAT The problem is #SAT: Given a cnf-formula φ(x 1,..., x n ), compute the number of satisfying assignments of φ. We want to construct an interactive proof protocol for this language. It will turn out very useful to arithmetize the formula φ. Given a cnf φ(x 1,..., x n ), we can construct a multivariate polynomial p(x 1,..., x n ) of total degree at most φ(x 1,..., x n ) such that, on any Boolean string a 1,..., a n, we have { 1 if φ(a 1,..., a n ) is True, p(a 1,..., a n ) = 0 otherwise. The construction of such a polynomial is by induction. For the formula x, we define the corresponding polynomial to be x. For x, we define the polynomial 1 x. For α β, where α, β are formulas with corresponding polynomials p a and p b, we define the polynomial p a p b (the product of 1

the two polynomials). For ᾱ, we define the polynomial 1 p a. Finally, for α β, we define the polynomial 1 (1 p a )(1 p b ) (to see why this works, use de Morgan s laws). Claim 1. For a given formula φ(x 1,..., x n ), the above transformation produces a polynomial p(x 1,..., x n ) such that 1. for every a {0, 1} n, p( a) = φ( a) (where we equate True with 1, and False with 0), and 2. the degree of p is at most the size of φ. Proof. The proof of each item is by induction on the formula structure. Say that p(x 1,..., x n ) is such a translation of cnf φ into a polynomial. Then the number of satisfying assignments for φ is exactly p(x 1,..., x n ), where x 1,..., x n range over all assignments in {0, 1} n. In our protocol, we ll ensure that an honest prover always convinces the verifier to accept (by behaving honestly in each round). On the other hand, a cheating prover will be forced to cheat in each round. But the instances will get easier with each round, so that in the last round a cheating prover will be found out even by our randomized polynomial-time verifier. We want to design a protocol for the following problem: Given a polynomial p(x 1,..., x n ) of degree at most d n O(1), compute x 1 =0 x 2 =0 p(x 1, x 2,..., x n ). x n=0 The prover will send the verifier some number k, claiming it to be the correct answer for the summation problem above. We ll describe a verifier that, after interacting with the prover, will accept with probability 1 if the prover is honest, will reject with high probability if the prover is dishonest. More precisely, in the first round, the Prover will send the verifier some information, and the verifier will respond with the new challenge for the prover: prove that k = p (x 2,..., x n ), for some new k and polynomial p. After the first round, the following will be true. If k = p(x 1,..., x n ) was true before this round, then k = p (x 2,..., x n ) is true with probability 1 after this round. If k = p(x 1,..., x n ) was false before this round, then k = p (x 2,..., x n ) is false with very high probability after this round. In other words, true equalities will be preserved with probability 1. But, false equalities, with high probability (1 ɛ), will be replaced with new false equalities (here, ɛ is the error probability). Let s fix a prime number q > 2 n. All our computation will be modulo q. Define the polynomial f 1 (x 1 ) = p(x 1, x 2,..., x n ). x 2 x n Clearly, the degree of f 1 is at most that of p. In the first round of the protocol, Prover is supposed to send over the coefficient of the polynomial f 1 (x 1 ). In reality, Prover may or may not send the actual polynomial f 1. We denote by g 1 (x 1 ) the polynomial actually sent by Prover. 2

Verifier will check if g 1 (x 1 ) is of low degree. If not, the Verifier rejects. Then Verifier checks if g 1 (0) + g 1 (1) = k. If not, Verifier rejects. Finally, Verifier picks a random number r 1 from the set Z q, and sends this r 1 to Prover. In the next stage, Verifier wants to be convinced that g 1 (r 1 ) = p(r 1, x 2,..., x n ). x 2 x n Let s analyze this protocol. First, consider the case of an Honest Prover, the prover that follows the correct protocol. The prover starts off by giving the verifier the correct value k. Then, this prover sends over to Verifier the correct function g 1 = f 1. Since k = f 1 (0)+f 1 (1), the honest prover will pass the checks of the verifier. Also, since f 1 = g 1, and f 1 (r 1 ) = x 2 x n p(r 1, x 2,..., x n ) by definition of f 1, the honest prover will be faced with a correct equality in the next round. So, the honest prover will always be able to convince the verifier to accept. Now consider the case of a Dishonest Prover. In the beginning, this prover gives a wrong value for k. That is, the prover gives some number m which is not equal to x 1 x n p(x 1,..., x n ). Then the prover sends over a polynomial g 1. The verifier checks if g 1 (0) + g 1 (1) = m. If not, the verifier rejects. Otherwise, we know that g 1 (0) + g 1 (1) f 1 (0) + f 1 (1), and so g 1 f 1. By picking a random r 1, the verifier creates a new instance g 1 (r 1 ) = p(r 1, x 2,..., x n ). x 2 x n The right-hand side is f 1 (r 1 ). Since g 1 and f 1 are distinct low degree polynomial, the probability that they agree on a random point from Z q is at most (the degree of f 1 )/q, which is o(1) for large enough n. Thus, with probability 1 o(1), g 1 (r 1 ) x 2 x n p(r 1, x 2,..., x n ), and so the dishonest prover is faced with an incorrect equality in the new round. Thus, after n rounds, with high probability, the dishonest prover will claim that two distinct numbers are equal, which will be caught by the verifier, and the verifier will reject. This concludes the description of the interactive proof protocol for #SAT. 1.2 Generalizing to PSPACE We formally define a new complexity class IP (Interactive Proof) as follows: a language L IP if there is a randomized polytime verifier V such that, for every input x {0, 1} n, if x L, then there is a Prover that convinces the verifier V to accept with probability 1, if x L, then every prover will be rejected by the verfieir V with probability at least 1/2. We have the following result. Theorem 1 (Lund,Fortnow,Karloff,Nisan 92; Shamir 92). IP = PSPACE 3

The direction IP PSPACE is fairly straightforward: we can evaluate in PSPACE a game tree of the interaction between the Prover and the Verifier, computing the maximum acceptance probability of the Verifier (over all possible prover strategies). (See the textbook for more details.) A more interesting is the direction PSPACE IP. We will just outline some ideas of the proof below. First recall a PSPACE-complete problem TQBF: Given a quantified Boolean formula x 1 x 2 x 3... φ(x 1, x 2, x 3,..., x n ), decide if it s true. We can arithmetize φ as before, getting a polynomial p(x 1,..., x n ) that agrees with φ on all Boolean n-tuples. Then we can define an arithmetic expression: 1 x 1 =0 x 2 =0 x 3 =0... p(x 1, x 2, x 3,..., x n ). It s not hard to argue that the original qbf is true iff the above arithmetic expression evaluates to a non-zero. We can try to run a protocol similar to #SAT, replacing the sum check (g 1 (0) + g 1 (1) = m) with the product check (g 1 (0) g 1 (1) = m) for the sign. One important technical difficulty is that if we do it naively, the degrees of univariate polynomials that our Prover will be asked to send us will be too big! There is a trick (to modify the arithmetic expression above, by introducing extra variables see, e.g., the text for the full proof) that will ensure that all these polynomials are of low degree. Thereafter, our sum check/product check protocol will work. Thus, it can be shown that every PSPACE-problem can be solved by an interactive proof protocol, using randomized polytime verifier and a polynomial number of rounds of interaction with the prover! 1.3 Multiple Provers We can generalize our Interactive Proofs by allowing 2 Provers. These provers may agree in advance on their joint strategy, but cannot communicate with each other during the actual protocol (interaction) with the Verifier. (As before, the verifier is polytime randomized algorithm, and the number of rounds is polynomially bounded.) Clearly, the new class of 2-prover interactive proofs (denoted 2IP or MIP) should contain PSPACE (as it is a generalization of the class IP). It turns out that Theorem 2 (Babai, Fortnow, Lund, 1991). MIP = NEXP. Here NEXP is nondeterministic exponential time (an exponential-time version of NP). 2 PCP Theorem Scaling the above result that MIP = NEXP down to NP, one gets the PCP Theorem; here PCP stands for Probabilistically Checkable Proofs. Rather than multiple provers, we have a single proof π that is written down before the Verifier starts the verification task. The Verifier has limited access to that proof, though: it is allowed to read only a constant number of symbols of the proof, 4

albeit the verifier is free to choose which positions it wants to see. The verifier uses random coin flips to decide on the positions in the proof to see. The PCP Theorem basically says the following: Theorem 3 (PCP Theorem). Every language L in NP has a verifier V such that V is randomized polytime algorithm, V reads only a constant number of symbols in a given proof, and such that, for every x {0, 1} n, if x L, then there is a proof π such that V π (x) accepts with probability at least 2/3 (where V π means that V has random access to the proof π: V can read any chosen symbol of the proof, but remember that V is allowed to read only a constant number, say 3, of symbols of π), if x L, then every candidate proof π is such that V π (x) rejects with probability at least 2/3. The PCP Theorem was proved by Arora, Safra, and Arora, Lund, Motwani, Sudan, Szegedy in two papers from 1998 that in turn built upon rich body of work on interactive proof systems done earlier by many researchers. Later, the authors of these two papers have been honored with the Gödel prize for their contribution to computer science. An important application of the PCP Theorem is to proving that certain optimization problems are not only NP-hard to solve in the worst case, but also remain NP-hard to approximate to within certain approximation ratios. 2.1 Hardness of Approximation Recall that a Vertex Cover Minimization problem is: Given a graph G = (V, E) find a smallest-size set S V that covers all the edges of G (i.e., every edge in G shares at least one of its endpoints with the set S). We know that the decision version of Vertex Cover is NP -complete. Hence, the Minimization version is NP -hard. Assuming that P NP, this means that there is no polytime algorithm that finds an optimum-size vertex cover in any given graph. If we can t hope to find a smallest vertex cover, perhaps we can efficiently find a set cover which is almost optimal. We say that the Vertex Cover Minimization problem can be efficiently c-approximated, for some c 1, if there is a polytime algorithm that, on any input graph G, returns a vertex cover S of G such that S opt S c S opt, where S opt is a smallest-size vertex cover for G. For some c, such an approximation algorithm exists. Theorem 4. VC is efficiently 2-approximable. Proof. Let G = (V, E) be any input graph. Here s the algorithm for finding a vertex cover S of G. Initially set S =. Until there are no edges left, repeat the following: Take any edge e = {u, v}. Add vertices u and v to S. Remove e from G, as well as remove all edges that touch e (at u or v). Clearly, the described algorithm runs in polytime, and produces a vertex cover S. Next we argue that S 2 S opt. To this end, observe that the set S corresponds to (the endpoints of) a set of mutually disjoint edges of G. Any vertex cover of G (including an optimal S opt ) must cover each of these S /2 edges; so every vertex cover must contain at least one vertex for each of these edges. This means that S opt S /2, as promised. 5

Now that we have a 2-approximating algorithm for VC, we may ask for a 3/2-approximating algorithm, or more generally, for a (1 + ɛ)-approximating algorithm for any ɛ > 0. If such an algorithm exists, then it s almost as good as being able to solve VC optimally. Does it exists??? It turns out that the answer is No, unless P = NP. In other words, it is NP-hard to approximate VC to within some constant 1 < α 2 (currently, the best known value of α is 10 5 21 1.3607, due to a result by Dinur and Safra from 2001). This result (as well as many similar results for other optimization problems) is proved using the machinery of PCPs (and is technically quite involved). Note that it is hopeless to try to show unconditionally that VC cannot be γ-approximated. This is because if P = NP, then certainly VC can be 1-approximated. Thus, proving that VC is NP-hard to approximate is the next best thing. Remark This can be viewed as a generalization of NP-hardness from exact optimization problems to approximation problems. 6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback