MTAT Complexity Theory December 8th, Lecture 12

Similar documents
2 Evidence that Graph Isomorphism is not NP-complete

Lecture 12: Interactive Proofs

Introduction to Interactive Proofs & The Sumcheck Protocol

Interactive Proofs 1

Notes on Complexity Theory Last updated: November, Lecture 10

2 Natural Proofs: a barrier for proving circuit lower bounds

CS151 Complexity Theory. Lecture 14 May 17, 2017

Lecture 19: Interactive Proofs and the PCP Theorem

CS151 Complexity Theory. Lecture 13 May 15, 2017

Lecture 17: Interactive Proof Systems

MTAT Complexity Theory October 20th-21st, Lecture 7

Complexity Theory. Jörg Kreiker. Summer term Chair for Theoretical Computer Science Prof. Esparza TU München

Lecture 26. Daniel Apon

Lecture 26: Arthur-Merlin Games

6.896 Quantum Complexity Theory 30 October Lecture 17

6.841/18.405J: Advanced Complexity Wednesday, February 12, Lecture Lecture 3

Complexity Theory. Jörg Kreiker. Summer term Chair for Theoretical Computer Science Prof. Esparza TU München

Theorem 11.1 (Lund-Fortnow-Karloff-Nisan). There is a polynomial length interactive proof for the

Time and space classes

Great Theoretical Ideas in Computer Science

Lecture 18: Zero-Knowledge Proofs

Rational Proofs with Multiple Provers. Jing Chen, Samuel McCauley, Shikha Singh Department of Computer Science

Lecture : PSPACE IP

Lecture 3: Interactive Proofs and Zero-Knowledge

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

Lecture 22: Oct 29, Interactive proof for graph non-isomorphism

CSC 2429 Approaches to the P versus NP Question. Lecture #12: April 2, 2014

The Proof of IP = P SP ACE

Lecture 8. MINDNF = {(φ, k) φ is a CNF expression and DNF expression ψ s.t. ψ k and ψ is equivalent to φ}

x 2 +2 x 2 x 3 2x 2 +2x +1 (mod 5).

Nondeterministic Circuit Lower Bounds from Mildly Derandomizing Arthur-Merlin Games

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 9

Real Interactive Proofs for VPSPACE

198:538 Complexity of Computation Lecture 16 Rutgers University, Spring March 2007

Lecture Notes 20: Zero-Knowledge Proofs

Limits to Approximability: When Algorithms Won't Help You. Note: Contents of today s lecture won t be on the exam

6.841/18.405J: Advanced Complexity Wednesday, April 2, Lecture Lecture 14

1 Randomized Computation

Cryptographic Protocols Notes 2

CSCI 1590 Intro to Computational Complexity

Exponential time vs probabilistic polynomial time

Lecture 11: Proofs, Games, and Alternation

Quantum Computing Lecture 8. Quantum Automata and Complexity

IP = PSPACE using Error Correcting Codes

Lecture Hardness of Set Cover

Lecture 8 (Notes) 1. The book Computational Complexity: A Modern Approach by Sanjeev Arora and Boaz Barak;

MTAT Complexity Theory September 15th, Lecture 3

B(w, z, v 1, v 2, v 3, A(v 1 ), A(v 2 ), A(v 3 )).

Interactive Proof System

Arthur-Merlin Streaming Complexity

MTAT Complexity Theory October 13th-14th, Lecture 6

Lecture 14: IP = PSPACE

Geometric Steiner Trees

Master of Science in Advanced Mathematics and Mathematical Engineering

Interactive Proofs. Merlin-Arthur games (MA) [Babai] Decision problem: D;

Umans Complexity Theory Lectures

1 Recap: Interactive Proofs

Lecture 7 Limits on inapproximability

Pseudo-Deterministic Proofs

CSC 5170: Theory of Computational Complexity Lecture 9 The Chinese University of Hong Kong 15 March 2010

Zero-Knowledge Proofs 1

Notes on Zero Knowledge

Lecture 16 November 6th, 2012 (Prasad Raghavendra)

Classical Verification of Quantum Computations

Lecture 7: Pseudo Random Generators

Trusting the Cloud with Practical Interactive Proofs

Lecture 15 - Zero Knowledge Proofs

Lecture 24: Randomized Complexity, Course Summary

Probabilistically Checkable Arguments

Show that the following problems are NP-complete

Lecture 23: Introduction to Quantum Complexity Theory 1 REVIEW: CLASSICAL COMPLEXITY THEORY

Notes for Lecture 25

Lecture 23: Alternation vs. Counting

1 From previous lectures

Circuits. Lecture 11 Uniform Circuit Complexity

Lecture 26: QIP and QMIP

Other Complexity Classes and Measures Chapter 29 of the forthcoming CRC Handbook on Algorithms and Theory of Computation

Theoretical Cryptography, Lectures 18-20

arxiv: v1 [cs.cc] 30 Apr 2015

: Computational Complexity Lecture 3 ITCS, Tsinghua Univesity, Fall October 2007

Complexity Theory. Knowledge Representation and Reasoning. November 2, 2005

From Secure MPC to Efficient Zero-Knowledge

Essential facts about NP-completeness:

CS Communication Complexity: Applications and New Directions

Notes on Complexity Theory Last updated: October, Lecture 6

CSE 555 HW 5 SAMPLE SOLUTION. Question 1.

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

P = k T IME(n k ) Now, do all decidable languages belong to P? Let s consider a couple of languages:

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

PROBABILISTIC COMPUTATION. By Remanth Dabbati

: On the P vs. BPP problem. 30/12/2016 Lecture 11

NP-Completeness Review

Lecture 22: Quantum computational complexity

Instance Compression for the Polynomial Hierarchy and Beyond

1 PSPACE-Completeness

1 The Low-Degree Testing Assumption

Umans Complexity Theory Lectures

1.1 P, NP, and NP-complete

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Transcription:

MTAT.07.004 Complexity Theory December 8th, 2011 Lecturer: Peeter Laud Lecture 12 Scribe(s): Ilya Kuzovkin Introduction On the previous lecture we had a look onto interactive proofs, where the system consists of two parts Prover (P) and Verifier (V). Prover is computationally unbounded while Verifier is polynomial-time bounded. Basic scheme of interaction is 1. We provide the system with yes/no question 2. Verifier maps this question to some form Prover will accept and adds randomization 3. Verifier sends challenge to Prover 4. Prover responds with certificate 5. Verifier checks certificate and may proceed or repeat steps 2-5 to be more sure in Prover s capability of finding the answer 6. Verifier gives us yes/no answer This basic scheme describes complexity class IP (Interactive Proof). For formal definition please refer to the previous lecture s notes. There is slight variation of the IP protocol called Arthur-Merlin (AM) protocol. Arthur plays the Verifier role and Merlin is the omniscient Prover. The only difference is that in AM protocol Prover knows the random coins used by Verifier in step 2. Intuitively it seems that Arthur in an AM-protocol is more constrained than the Verifier in an IP-protocol. Hence the class AM might be smaller than IP. But we will see that actually these complexity classes are equal. IP = AM We will say Prover and Verifier when talking about IP protocol and Merlin and Arthur when talking about AM protocol. Theorem 1 IP = AM Proof To show that classes are equal we must show both way inclusions. AM IP We have a problem in AM and we want to simulate it in IP. Each AM-verifier is also an IP-verifier, hence this inclusion is trivial. 12-1

IP AM The opposite direction is more complicated. Here we have problem in IP and we want to simulate it in AM. Since Merlin knows all the randomization data he can fool Arthur with less effort than Prover would need to fool Verifier. Let V be a verifier algorithm and let P be the corresponding prover that makes the verifier accept with maximum possible probability. On the figure below you can see initial protocol in IP. To show that on every step on the simulation we are very close to the original protocol we define time limit T and assume that our protocol runs until limit is reached. Prover x 1 Verifier r random, r = l(n) y 1 x 2 y 2... x T (n) y T (n) check, accept / reject Figure 1: Initial protocol in IP The sequence of the messages (x 1, y 1, x 2, y 2,..., x n, y n ) we call transcript. there is a distinct transcript. Each transcript ends with accept or reject. For each r Definition 1 At some point of time τ we will have partial transcript t; we define ACC(w, t) to be a set of all random bit-strings r which make the transcript start with t and lead to accept. Now we can construct AM simulation for the protocol described on Figure 1. The idea is that after each round of the protocol (one x i, y i pair) Merlin provides best y i and wants to convince Arthur that ACC(w, t i ) covers almost all set of outcomes (e.g. almost all outcomes are accept). 12-2

Round i Merlin b 1 Arthur Random linear functions: h 1,..., h l (n) : {0, 1} m(n) 0, 1 b i+1 and random strings z 1,..., z l(n) 2 {0, 1} b i+1 Finding x i, y i, b i+1 : t current transcript d presume bitstring length ACC d = {x : 2 d 1 < ACC(w, t, x) 2 d } We look for d which will maximize ACC for all x-es: d max = arg max d b i+1 = 2 + log d max x i ACC dmax y i = P (w, t, x i ) x ACC d ACC(w, t, x) h 1,..., h l(n), z 1,..., z l(n) 2 x i, y i, b i+1 check j, k : h j (x i ) = z k last b i is different: b T (n) + 1 is chosen so that z i -s cover remaining answer space send the random coins which led to current transcript... T (n) 1 rounds... h 1,..., h l(n), z 1,..., z l(n) 2 x T (n), y T (n), b T (n)+1 h 1,..., h l(n), z 1,..., z l(n) 2 r Figure 2: Protocol in AM check j, k : h j (r) = z k check transcript gives true: V (w, r, x 1, y 1,..., x T (n), y T (n) ) = true check Merlin s b i -s: T (n) b i l(n) T (n) log l(n) i=1 12-3

Intuitively this protocol acts in the same way as IP one, but here instead of Verifier picking next x i randomly, Merlin himself chooses the best x i. And after protocol is finished the r is the transcript which can act as certificate in original IP protocol. Why Arthur needs to check j, k : h j (x i ) = z k in the end of each round? The reason is that Merlin must convince Arthur that the answer space, where ACC set is defined is big enough. And the way he convinces is by showing that for randomly chosen h j and z k Merlin is able to find original in the set of answers. Figure 3: Merlin should be able to find original of random z j in S This whole construction must convince us that after running protocol in AM final transcript r will be suitable transcript for IP. IP = PSPACE In this section we will show that every problem, which can be solved in IP can be solved in PSPACE and vice versa. As usually, if we want to show equality of the classes we will need to show both way inclusions. Theorem 2 IP = PSPACE Proof IP PSPACE Every problem solvable in IP is solvable in PSPACE. As we know from the previous section IP = AM, therefore AM PSPACE also. Assume we have usual AM protocol: 12-4

Merlin x 1 Arthur r random, r = l(n) y 1 x 2 y 2... x n y n check A(x 1, y 1,..., x n, y n, w) = true Figure 4: Abstract AM protocol For each function f : {0, 1} l(n) R we will define max f = max{f(x) : x {0, 1} l(n) } x {0,1} avgf = l(n) 2 l(n). At each round of the protocol Arthur randomly chooses x i and Merlin chooses best y i, so the probability that Arthur accepts at the end of the protocol can be written as avg x1 max y1... avg xn max yn A(x 1, y 1,..., x n, y n, w) (1) By definition we know that A(x 1, y 1,..., x n, y n, w) is computable in polynomial time (otherwise Arthur would not be able to perform final check). This implies that sizes of x i and y i are polynomial (otherwise computation of A(...) would take more than polynomial time). These two facts together show us that the value (1) is computable in polynomial space. PSPACE IP Here we must show that every problem solvable in PSPACE is solvable in IP. We will first demonstrate the techniques we re going to use on the problem #SAT D which is both NPhard and conp-hard. We will then generalize those techniques to the PSPACE-hard problem TQBF, showing that it belongs to IP. 12-5

Arithmetization We will now deviate from the main direction of the proof and study the idea of arithmetization, since we will use it later. If we have Boolean formula ϕ(x 1,..., x n ) we can transform it into n-variable polynomial as follows: P xi = x i For example formula can be arithmetized as P ϕ = 1 P ϕ P ϕ1 ϕ 2 = P ϕ1 P ϕ2 P ϕ1 ϕ 2 = 1 (1 P ϕ1 )(1 P ϕ2 ) (x 1 x 2 ) x 1 (1 (1 x 1 )(1 x 2 )) (1 x 1 ) Note that length on the polynomial is linear to length of the Boolean formula: O(P ϕ ) is O( ϕ ). #SAT D IP A pair ϕ, K belongs to the language #SAT D if the formula ϕ has exactly K satisfying valuations. Number of satisfying valuations can be calculated using #ϕ =... P ϕ (b 1,..., b n ). b 1 {0,1} b n {0,1} We note that the number of satisfying valuations is at most 2 n. A more general case of such type of verification is to check for any polynomial g whether K =... g(b 1,..., b m ). Sumcheck protocol b 1 {0,1} b m {0,1} For a polynomial g(x 1,..., x m ) let proj g (x) denote the single-variable polynomial proj g(x1,...,x m)(x) = b 2 {0,1}... b m {0,1} g(x, b 2,..., b m ). In the definition of proj g we implicitly assume that the variables of g are ordered and x is the first variable. Fig. 5 depicts the IP protocol for verifying K =... g(b 1,..., b m ) b 1 {0,1} b m {0,1} The base case for the Sumcheck protocol is m = 1. In this case, Verifier will check only if g(0) + g(1) = K. 12-6

Prover Verifier s 0 = proj g(x1,...,x m) a 1 random s 0 (0) + s 0 (1)? = K s 1 = proj g(a1,x 2,...,x m) a 2 random s 1 (0) + s 1 (1)? = s 0 (a 1 )... s m 1 = proj g(a1,...,a m 1,x m) s m 1 (0) + s m 1 (1)? = s m 2 (a m 1 ) accept / reject Figure 5: Sumcheck protocol TQBF IP The proof works in the same way as for #SAT D, but since TQBF includes universal quantifiers the formula will contain products. We will introduce prodcheck protocol, which works in the same way as sumcheck, but polynomials are more complex. Because degree of the polynomials are too large (exponential) Verifier would not be able to work with them, so we must provide the optimization steps to make polynomial degrees low. Optimizing TQ formula To make Prodcheck computation more efficient we can bring in new variables, which will allow us to move quantifiers closer to the variables bounded to these quantifiers. For example in the following formula x 2 x 3 ( x 1 (x 1 x 2 )) x 3 which can be represented as syntax tree, shown in Fig. 6, we can introduce x 2 = x 2 which will allow us to bring x 2 closer to variable x 2 : x 2 x 3 x 2(x 2 = x 2 x 1 (x 1 x 2) x 3 ) The syntax tree for this formula is depicted in Fig. 7. 12-7

x 2 x 3 x 1 x 3 x 1 x 2 Figure 6: Syntax tree for x 2 x 3 ( x 1 (x 1 x 2 )) x 3 x 2 x 3 x 2 x 2 = x 2 x 1 x 1 x 2 x 3 Figure 7: Syntax tree for x 2 x 3 x 2 (x 2 = x 2 x 1 (x 1 x 2 ) x 3) Before we move quantifiers closer to the variables we can bring all negations to the front of variables. After that we can arithmetize quantifiers: P xϕ = P ϕ (x b) P xϕ = b {0,1} b {0,1} P ϕ (x b) After these transformation we will get P ϕ which can be used in the prodcheck protocol to check if P ϕ has K satisfiable evaluations. Now the degree of a polynomial P ϕ is at most 2 ϕ. 12-8

Prodcheck As we have mentioned before the scheme of the protocol is the same as for sumcheck protocol. But there are some differences. If ϕ ϕ 1 ϕ 2 then Prover sends both values K 1 = P ϕ1 and K 2 = P ϕ2. Verifier checks that K = K 1 + K 2 and then runs the protocol for K 1? = Pϕ1 and K 2? = Pϕ2 If ϕ ϕ 1 ϕ 2 then Prover sends both values K 1 = P ϕ1 and K 2 = P ϕ2. Verifier checks that K = K 1 K 2 and then runs the protocol for K 1? = Pϕ1 and K 2? = Pϕ2 If ϕ xϕ then Prover sends the polynomial s(x) = P ϕ (x) to Verifier. Verifier checks s(0) + s(1) =? K, then picks number a random and run the protocol P ϕ (a) =? s(a). If ϕ xϕ then Prover sends the polynomial s(x) = P ϕ (x) to Verifier. Verifier checks s(0) s(1) =? K, then picks number a random and run the protocol P ϕ (a) =? s(a). Relationship between PSPACE, P/poly and MA Theorem 3 If PSPACE P/poly then PSPACE = MA Proof We use the fact that Merlin can work in PSPACE. PSPACE P/poly implies that Merlin can be represented as Boolean circuit of polynomial size, thus Merlin s algorithm can be sent to Arthur. And Arthur can himself run Merlin s algorithm in polynomial time (and polynomial space), thus solving any PSPACE problem in MA. 12-9

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback