Lecture 17: Interactive Proof Systems

Similar documents
Lecture 12: Interactive Proofs

Notes on Complexity Theory Last updated: November, Lecture 10

CS151 Complexity Theory. Lecture 13 May 15, 2017

2 Evidence that Graph Isomorphism is not NP-complete

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

Complexity Theory. Jörg Kreiker. Summer term Chair for Theoretical Computer Science Prof. Esparza TU München

CSCI 1590 Intro to Computational Complexity

Lecture 22: Oct 29, Interactive proof for graph non-isomorphism

Lecture 26: Arthur-Merlin Games

Lecture 7: Polynomial time hierarchy

1 Recap: Interactive Proofs

Notes for Lecture 25

198:538 Complexity of Computation Lecture 16 Rutgers University, Spring March 2007

Lecture 3: Interactive Proofs and Zero-Knowledge

Complexity Theory. Jörg Kreiker. Summer term Chair for Theoretical Computer Science Prof. Esparza TU München

Lecture 15: Interactive Proofs

Lecture 18: Zero-Knowledge Proofs

MTAT Complexity Theory December 8th, Lecture 12

2 Natural Proofs: a barrier for proving circuit lower bounds

-bit integers are all in ThC. Th The following problems are complete for PSPACE NPSPACE ATIME QSAT, GEOGRAPHY, SUCCINCT REACH.

Lecture 24: Randomized Complexity, Course Summary

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 9

Lecture 19: Interactive Proofs and the PCP Theorem

Lecture 8 (Notes) 1. The book Computational Complexity: A Modern Approach by Sanjeev Arora and Boaz Barak;

6.841/18.405J: Advanced Complexity Wednesday, April 2, Lecture Lecture 14

Lecture 26. Daniel Apon

Interactive Proofs 1

CS151 Complexity Theory. Lecture 14 May 17, 2017

Lecture 23: More PSPACE-Complete, Randomized Complexity

Advanced Algorithms (XIII) Yijia Chen Fudan University

Lecture 22: Counting

Interactive Proofs. Merlin-Arthur games (MA) [Babai] Decision problem: D;

The Cook-Levin Theorem

Introduction to Interactive Proofs & The Sumcheck Protocol

Interactive Proof System

NP-completeness. Chapter 34. Sergey Bereg

Lecture : PSPACE IP

Lecture 18: PCP Theorem and Hardness of Approximation I

Time to learn about NP-completeness!

Umans Complexity Theory Lectures

x 2 +2 x 2 x 3 2x 2 +2x +1 (mod 5).

Advanced topic: Space complexity

A Threshold of ln(n) for approximating set cover

Zero-Knowledge Proofs and Protocols

SOLUTION: SOLUTION: SOLUTION:

Time and space classes

Notes for Lecture 3... x 4

CS 151 Complexity Theory Spring Solution Set 5

Introduction to Advanced Results

PROBABILISTIC COMPUTATION. By Remanth Dabbati

CS Lecture 29 P, NP, and NP-Completeness. k ) for all k. Fall The class P. The class NP

6.840 Language Membership

Lecture 6: Oracle TMs, Diagonalization Limits, Space Complexity

Complexity Theory Final Exam

Lecture 20: PSPACE. November 15, 2016 CS 1010 Theory of Computation

U.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan 1/29/2002. Notes for Lecture 3

Cryptographic Protocols Notes 2

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

The Proof of IP = P SP ACE

Lecture 16 November 6th, 2012 (Prasad Raghavendra)

Complexity Theory VU , SS The Polynomial Hierarchy. Reinhard Pichler

Outline. Complexity Theory EXACT TSP. The Class DP. Definition. Problem EXACT TSP. Complexity of EXACT TSP. Proposition VU 181.

Lecture 5. 1 Review (Pairwise Independence and Derandomization)

P = k T IME(n k ) Now, do all decidable languages belong to P? Let s consider a couple of languages:

Theory of Computer Science to Msc Students, Spring Lecture 2

COL 352 Introduction to Automata and Theory of Computation Major Exam, Sem II , Max 80, Time 2 hr. Name Entry No. Group

Technische Universität München Summer term 2010 Theoretische Informatik August 2, 2010 Dr. J. Kreiker / Dr. M. Luttenberger, J. Kretinsky SOLUTION

The Class NP. NP is the problems that can be solved in polynomial time by a nondeterministic machine.

CMPT307: Complexity Classes: P and N P Week 13-1

Lecture Examples of problems which have randomized algorithms

Notes for Lecture 2. Statement of the PCP Theorem and Constraint Satisfaction

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Lecture 14: IP = PSPACE

Interactive proof and zero knowledge protocols

Lecture Notes 20: Zero-Knowledge Proofs

Complexity, P and NP

Lecture 23: Introduction to Quantum Complexity Theory 1 REVIEW: CLASSICAL COMPLEXITY THEORY

6.045 Final Exam Solutions

(x 1 +x 2 )(x 1 x 2 )+(x 2 +x 3 )(x 2 x 3 )+(x 3 +x 1 )(x 3 x 1 ).

Lecture 3: Nondeterminism, NP, and NP-completeness

Space Complexity. The space complexity of a program is how much memory it uses.

Theoretical Cryptography, Lectures 18-20

Great Theoretical Ideas in Computer Science

POLYNOMIAL SPACE QSAT. Games. Polynomial space cont d

Shamir s Theorem. Johannes Mittmann. Technische Universität München (TUM)

Lecture 22: Quantum computational complexity

Randomized Computation

an efficient procedure for the decision problem. We illustrate this phenomenon for the Satisfiability problem.

Complexity Classes IV

CS154, Lecture 13: P vs NP

CS154, Lecture 18: 1

CS256 Applied Theory of Computation

Limits to Approximability: When Algorithms Won't Help You. Note: Contents of today s lecture won t be on the exam

Umans Complexity Theory Lectures

6.841/18.405J: Advanced Complexity Wednesday, February 12, Lecture Lecture 3

1 PSPACE-Completeness

Theory of Computation Chapter 12: Cryptography

Lecture 2: Relativization

Lecture 8: Complete Problems for Other Complexity Classes

CS151 Complexity Theory. Lecture 1 April 3, 2017

Transcription:

Computational Complexity Theory, Fall 2010 November 5 Lecture 17: Interactive Proof Systems Lecturer: Kristoffer Arnsfelt Hansen Scribe: Søren Valentin Haagerup 1 Interactive Proof Systems Definition 1. Let a prover P : Σ Σ be any function. Let a verifier V be a polynomial time Probablistic Turing Machine. P and V has access to input x. Let V be equipped with a special communication tape (in addition to the usual input and work tapes) and an additional communication state. If V enters the communication state, the control goes to the prover, which can modify the communication tape. Afterwards V is restarted. If m 1,..., m k has been contents of the communication tape in the k rounds including the current, m k+1 = P ( x, m 1,..., m k ) will be written on the communication tape (m j is written by V for odd j, and by P for even j). Define IP = the class of languages L which can be computed by interaction between any prover P and verifier V with the following properties There is polynomially many rounds of communication (Completeness) If x L, V will accept with probability 2 3 by interaction with P (Soundness) If x / L, V will accept with probability 1 3 by interaction with any prover ˆP Observation 2. N P IP. V is deterministic. P sends certificate for witness to V (full completeness and soundness). Thus any N P -language has an interactive proof system, i.e. one-way communication from prover to verifier. 1.1 Why does V need to be probablistic? Lemma 3. If V was deterministic, we would only characterize languages in NP. (Also see Lemma 8.4 in Arora et. al). Proof. Assume P is any function and V is a deterministic Turing Machine, and let L be a language with x L if and only if V accepts after k rounds of communication between P and V. Then P could make do without V : A certificate that x L is a transcript m 1,..., m k of the communication between P and V. We can thus replace V by V that simulates V, using the transcribe to handle communication states: When V is started with m j on the communication tape, it is verified that if it stops in the communication state, m j+1 is on the tape. The machine is restarted with m j+2 on the communication tape. 1

Then V accepts on input x, m 1,... m k if and only if V accepts after k rounds of communication between P and V. But then L NP, since the transcript m 1,..., m k is a certificate, and V is a polynomial time checker. Definition 4. Graph Isomorphism (GI NP ) Given graphs G 1, G 2 : Are G 1, G 2 isomorphic? That is, does there exist bijection Φ : V (G 1 ) V (G 2 ) s.t. (u, v) E(G 2 ) (φ(u), φ(v)) E(G 2 ) It is not known whether GI P or whether GI is NP-hard. Definition 5. Graph Non-isomorphism (GNI co NP ) Given graphs G 1, G 2, decide if they are not isomorphic. It is not known if GNI NP. Theorem 6. GNI IP Proof. Communication protocol V: If V (G 1 ) V (G 2 ) accept. Else V (G 1 ) = V (G 2 ) = {1,..., n} Choose i {1, 2} uniformly at random. Choose permutation σ of vertices {1,..., n} uniformly at random Send σ(g i ) to P. P: Send j {1, 2} to V (such that σ(g i ) is a permutation of G j ) V: Accept i = j Completeness: If (G 1, G 2 ) GNI, G 1 G 2, and P will be able to find the correct j, s.t. σ(g i ) = G j and i = j, and send it to V. Thus V accepts with probability 1. Soundness: If (G 1, G 2 ) / GNI. Then the distributions of graphs σ(g 1 ) and σ(g 2 ) are identical. Thus any prover ˆP will with probability 1 2 give the right answer s.t. j = i. Repeat the communication to get smaller success probability. Observation 7. If the protocol is iterated sequentially k times, 2 3 1 3 can be replaced with 1 2 Ω(k) can be replaced with 2 Ω(k) The analysis is analogous to the success amplification analysis for BPP with Chernoff bounds. 2

Proposition 8. IP P SP ACE Proof. Let L P be given by (P, V ). We will simulate the interaction between P and V where P is the prover which maximize the probability for V to accept. We compute the probability that V accepts by interaction with P recursively. average max average P* Random choices Possible answers for any function P accept (...) reject In the following, let p be a polynomial that bounds the running time of V. We define the following algorithm: AcceptProb(V, x, coins, ctape) : Deterministically simulate V with input x, communication tape ctape and random choices coins, and stop if V enters communication state. If V is in accept state return 1. If V is in reject state, return 0. If V is in communication state, return max z {0,1} p( x ) avg r {0,1} p( x )AcceptProb(V, x, r, z) We see that AcceptProb can be computed in PSPACE: Computing max and average requires only very little storage (for max, it is the current maximum. For the average, it is a sum and a counter) - i.e. they are bounded by a polynomial. Since V has to accept/reject within a polynomial number of rounds, there are only polynomially many recursions, so in total, we only need polynomial space. The actual probability we seek is P r = avg coins {0,1} p( x )AcceptProb(V, x, coins, ɛ) which is also in PSPACE. Checking P r 2 3, then x L. If P r 1 3, x / L. 3

Theorem 9. Let #SAT D = { Φ, k Φ is a 3-CNF formula with k assignments satisfying Φ} Then #SAT D IP. Note: A consequence of this is that co NP IP (By setting k = 0). Proof. We introduce the aritmetization of Φ. A(Φ) is a polynomial. A(x i ) = x i A( x i ) = 1 x i A(l 1 l 2 l 3 ) = 1 (1 A(l 1 ))(1 A(l 2 ))(1 A(l 3 )) A(c 1 c 2... c n ) = A(c 1 )A(c 2 )... A(c n ) If Φ has n variables and m clauses, then A(φ) is a polynomial in x 1,..., x n of degree 3m. If P (x) = A(Φ) then #Φ = 1 1 x 1 =0 x 2 =0 1 x P (x). n=0 SUMCHECK-protocol: Given prime p, number K, polynomial Q(x 1,... x n ) of degree d, decide if 1 1 1 Q(x) K Protocol: x 1 =0 x 2 =0 P: Send polynomial S(x 1 ). (The idea is we should have: S(x 1 ) = 1 x 2 =0 1 Q(x)) V: If S(0) + S(1) K, reject. If n > 1: We will ensure that P doesn t cheat us. Choose a {0,..., p 1} uniformly at random. Send a to P. Recursively require that P proves 1 1 Q(a, x 2,... x n ) S(a) x 2 =0 (this is also a SUMCHECK problem). If n = 1: Accept Q(0) + Q(1) = K. There is maximally n rounds, and the verifier can evaluate the polynomial in polynomial time. Completeness: If 1 1 1 Q(x) K x 1 =0 x 2 =0 V will accept with probability 1. Soundness: If V accepts even though 1 1 x 1 =0 x 2 =0 1 Q(x) K, then there exists a round where P has to prove a wrong statement, and V asks in next round to prove a correct statement. What is the probability that this happens? 4

It has to hold that 1 1 S(x 1 ) Q(x 1,... x n ) K x 2 =0 and S(a) 1 x 2 =0 1 Q(a, x 2,... x n ) K Then T (x 1 ) = S(x 1 ) 1 x 2 =0 1 x Q( 1,... x n ) K is a polynomial of degree maximally d, with T (a) 0. This happens with probability d p, since there is maximally d roots of a polynomial with degree d in Z p, since Z p is a field. {0,..., p 1} are all potential roots, therefore p in the denominator The total error for all rounds is n d p by union bound. Protocol for #SAT D Choose p {2 n +1... 2(2 n +1)} prime (there are maximally 2 n satisfying assigments). Run SUMCHECK. The probability of error is now nd p < n3m 2. n 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback