Introduction to Interactive Proofs & The Sumcheck Protocol

Similar documents
Interactive Proofs 1

CS151 Complexity Theory. Lecture 13 May 15, 2017

2 Evidence that Graph Isomorphism is not NP-complete

Lecture 19: Interactive Proofs and the PCP Theorem

Basic Probabilistic Checking 3

Lecture 26. Daniel Apon

Lecture 12: Interactive Proofs

Lecture 26: QIP and QMIP

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

MTAT Complexity Theory December 8th, Lecture 12

6.841/18.405J: Advanced Complexity Wednesday, April 2, Lecture Lecture 14

B(w, z, v 1, v 2, v 3, A(v 1 ), A(v 2 ), A(v 3 )).

6.896 Quantum Complexity Theory 30 October Lecture 17

Shamir s Theorem. Johannes Mittmann. Technische Universität München (TUM)

Lecture 24: Randomized Complexity, Course Summary

Great Theoretical Ideas in Computer Science

Lecture 3: Interactive Proofs and Zero-Knowledge

Theorem 11.1 (Lund-Fortnow-Karloff-Nisan). There is a polynomial length interactive proof for the

CS151 Complexity Theory. Lecture 14 May 17, 2017

CS154, Lecture 18: 1

IP = PSPACE using Error Correcting Codes

Lecture 14: IP = PSPACE

Lecture 16 November 6th, 2012 (Prasad Raghavendra)

Probabilistically Checkable Arguments

Lecture Notes 20: Zero-Knowledge Proofs

1 Randomized Computation

Identifying an Honest EXP NP Oracle Among Many

From Secure MPC to Efficient Zero-Knowledge

Notes on Complexity Theory Last updated: November, Lecture 10

Lecture : PSPACE IP

Strong ETH Breaks With Merlin and Arthur. Or: Short Non-Interactive Proofs of Batch Evaluation

Lecture 26: Arthur-Merlin Games

IP=PSPACE. Adi Shamir. Applied Mathematics Department The Weizmann Institute of Science Rehovot, Israel

Lecture 8 (Notes) 1. The book Computational Complexity: A Modern Approach by Sanjeev Arora and Boaz Barak;

CSC 2429 Approaches to the P versus NP Question. Lecture #12: April 2, 2014

Limits to Approximability: When Algorithms Won't Help You. Note: Contents of today s lecture won t be on the exam

CSC 2429 Approaches to the P vs. NP Question and Related Complexity Questions Lecture 2: Switching Lemma, AC 0 Circuit Lower Bounds

Notes for Lecture 2. Statement of the PCP Theorem and Constraint Satisfaction

Interactive Proof System

Space and Nondeterminism

Lecture 17: Interactive Proof Systems

Lecture 4 : Quest for Structure in Counting Problems

Cryptographic Protocols Notes 2

The Proof of IP = P SP ACE

198:538 Complexity of Computation Lecture 16 Rutgers University, Spring March 2007

Almost transparent short proofs for NP R

Chapter 2. Reductions and NP. 2.1 Reductions Continued The Satisfiability Problem (SAT) SAT 3SAT. CS 573: Algorithms, Fall 2013 August 29, 2013

Lecture 11: Proofs, Games, and Alternation

6.841/18.405J: Advanced Complexity Wednesday, February 12, Lecture Lecture 3

Lecture 23: More PSPACE-Complete, Randomized Complexity

Lecture Examples of problems which have randomized algorithms

arxiv: v1 [cs.cc] 30 Apr 2015

Definition 1. NP is a class of language L such that there exists a poly time verifier V with

CS21 Decidability and Tractability

CSCI 1590 Intro to Computational Complexity

CS286.2 Lecture 8: A variant of QPCP for multiplayer entangled games

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 9

-bit integers are all in ThC. Th The following problems are complete for PSPACE NPSPACE ATIME QSAT, GEOGRAPHY, SUCCINCT REACH.

Complexity Theory. Jörg Kreiker. Summer term Chair for Theoretical Computer Science Prof. Esparza TU München

20.1 2SAT. CS125 Lecture 20 Fall 2016

On Interactive Proofs with a Laconic Prover

CS6840: Advanced Complexity Theory Mar 29, Lecturer: Jayalal Sarma M.N. Scribe: Dinesh K.

Lecture 15 - Zero Knowledge Proofs

Lecture 20: PSPACE. November 15, 2016 CS 1010 Theory of Computation

Some Results on Circuit Lower Bounds and Derandomization of Arthur-Merlin Problems

Nondeterminism LECTURE Nondeterminism as a proof system. University of California, Los Angeles CS 289A Communication Complexity

Doubly Efficient Interactive Proofs. Ron Rothblum

Umans Complexity Theory Lectures

Lecture 8. MINDNF = {(φ, k) φ is a CNF expression and DNF expression ψ s.t. ψ k and ψ is equivalent to φ}

Permanent and Determinant

Arthur-Merlin Streaming Complexity

Notes on Zero Knowledge

Introduction to Advanced Results

Complexity Classes V. More PCPs. Eric Rachlin

Lecture 29: Computational Learning Theory

Efficient Probabilistically Checkable Debates

Rational Proofs with Multiple Provers. Jing Chen, Samuel McCauley, Shikha Singh Department of Computer Science

Real Interactive Proofs for VPSPACE

Spatial Isolation Implies Zero Knowledge Even in a Quantum World

POLYNOMIAL SPACE QSAT. Games. Polynomial space cont d

Approximate Verification

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

CS Communication Complexity: Applications and New Directions

U.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan August 30, Notes for Lecture 1

Lecture 18: PCP Theorem and Hardness of Approximation I

1 The Low-Degree Testing Assumption

Lecture 18: Zero-Knowledge Proofs

Interactive protocols & zero-knowledge

CS Introduction to Complexity Theory. Lecture #11: Dec 8th, 2015

EXPONENTIAL TIME HAS TWO-PROVER. Laszlo Babai, Lance Fortnow. and Carsten Lund. Abstract. We determine the exact power of two-prover interactive

Complete problems for classes in PH, The Polynomial-Time Hierarchy (PH) oracle is like a subroutine, or function in

2 Natural Proofs: a barrier for proving circuit lower bounds

Majority is incompressible by AC 0 [p] circuits

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Interactive protocols & zero-knowledge

Complexity Theory VU , SS The Polynomial Hierarchy. Reinhard Pichler

Outline. Complexity Theory EXACT TSP. The Class DP. Definition. Problem EXACT TSP. Complexity of EXACT TSP. Proposition VU 181.

Theory of Computation Chapter 12: Cryptography

Interactive Proofs & Arguments, Low-Degree & Multilinear Extensions. 1 Definitions: Interactive Proofs and Argument Systems

Author s address: Applied Mathematics Department, The Weizmann Institute of Science, Rehovot,

Transcription:

CS294: Probabilistically Checkable and Interactive Proofs January 19, 2017 Introduction to Interactive Proofs & The Sumcheck Protocol Instructor: Alessandro Chiesa & Igor Shinkar Scribe: Pratyush Mishra 1 Introduction Traditional mathematical proofs are static objects: a prover P writes down a seuence of mathematical statements, and then at some later time a verifier V checks that these statements are consistent and correct. Over the years, computer science has changed the notion of a mathematical proof. The first such change was the observation that for all practical purposes, the verification procedure should be efficient; V should not have to expend large amounts of effort to verify the proof of a claim (at least much less than P expended to find the proof). This notion of efficient verification corresponds to the complexity class NP: Definition 1 A language L belongs to the class NP if and only if there exists an efficient algorithm V such that the following conditions hold. COMPLETENESS: For all x L, there exists a proof π that makes V accept: V(x, π) = 1. SOUNDNESS: For all x L, for all claimed proofs π, V rejects: V(x, π ) = 0. Even though the verification procedure is now efficient, the proof is still a static object. Computer scientists in the 80 s and 90 s changed this view by introducing interaction and randomness into the mix: the prover and verifier were no longer reuired to be deterministic, and could now talk to each other. How did this change things? As we shall see, introducing interaction allows a computationally bounded (but randomized) verifier to check extraordinary claims efficiently. For instance, Lund, Fortnow, Karloff and Lund (LFKN) showed that an unbounded prover interacting with an efficient verifier can convince the verifier that a boolean formula is unsatisfiable [LFKN92]. Assuming that CoNP = NP, an efficient verifier cannot verify such a claim in the static proof model described above. Now we formalize the interactive proof model, and then describe (and prove correct) the LFKN protocol, thus showing that all of CoNP has an interactive proof. Definition 2 A language L has an interactive proof (and belongs to the class IP) if there exists an efficient, randomized, interactive algorithm V that satisfies the following conditions: COMPLETENESS: For all x L, there exists an unbounded interactive prover algorithm P such that V interacts with P and accepts with high probability: Pr [ P, V (x) = 1] 2 3 I-1

SOUNDNESS: For all x L, for all algorithms P, V interacts with P and rejects with high probability: Pr [ P, V (x) = 1] 1 3 Here, denotes interaction. 2 The Sumcheck protocol Which languages have interactive proofs? The discussion above indicates that CoNP IP, but do we have a tight characterization of the power of interactive proof systems? Yes. In fact, we ll see in the next lecture that interactive proof systems are extraordinarily powerful: Shamir, building on the LFKN protocol, proved that every language in PSPACE has an interactive proof system [Sha92]! For now, we will describe the core ingredient of the LFKN protocol, called the Sumcheck Protocol. Theorem 3 ([LFKN92]) CoNP IP. Proof: We proceed by demonstrating an interactive proof system for the CoNP-complete language UNSAT, which is the language of all unsatisfiable 3CNF boolean formulae. Assume the prover P and verifier V are given a 3CNF boolean formula ϕ having n variables and m clauses. P s task is to convince V that ϕ is unsatisfiable. The first step to doing this is to arithmetize the formula. Arithmetization. Arithmetization is the techniue of converting a boolean formula ϕ (over {0, 1}) to an euivalent polynomial p (over some field F) such that the polynomial has certain properties if and only if the formula is satisfiable. In particular, we want p to be 0 if and only if ϕ is unsatisfiable. One such transformation is as follows: x y x + y: Convert every disjunction to addition. x y x y: Convert every conjunction to multiplication. x (1 x): Convert every negation as indicated. Thus under this mapping, the clause (x y z) gets transformed to the polynomial (x + y + (1 z)). Notice now that if a formula is satisfied by an assignment, then the corresponding polynomial (evaluated at the same points) takes on only positive values. If it is not satisfied, the polynomial (on the same assignment) evaluates to zero. For example, plugging in x = 1, y = 1, z = 1 into the previous clause and its polynomial, we get values 1 and 2 respectively. However, if we plug in x = 0, y = 0, z = 1, the clause and polynomial both evaluate to 0. Let us fix a formula ϕ having n variables and m clauses. Let the arithmetization of this formula result in a polynomial p in n variables. The formula is unsatisfiable if and only if p takes on the value 0 at all possible evaluations over the Boolean hypercube {0, 1} n. This means that the summation of all such evaluations should also be 0, and this gives us a new way to attack the problem: we can reduce the problem of interactively I-2

proving that ϕ is unsatisfiable to the problem of interactively proving that evaluations of p over the Boolean hypercube sum up to zero, i.e. that p(x 1,..., x n ) = 0. x 1,...,x n {0,1} Notice that the maximum value of the arithmetization of each clause is 3, and thus the maximum value of the above summation is at most 2 n 3 m. Hence we do not need to work over Z, but can instead work over the field Z, where is a prime number greater than 2 n 3 m. The above condition is thus euivalent to: ϕ UNSAT p(x 1,..., x n ) = 0 (mod ). x 1,...,x n {0,1} The benefit of this is that we do not have to worry about intermediate computations resulting in large numbers (results will wrap around). Finally, notice that the degree of p is at most m. This property will come in handy later. We are now ready to present an interactive protocol for the following problem: Definition 4 The Sumcheck problem is the problem of proving that evaluations of the arithmetization of a boolean formula over the Boolean hypercube sum up to a value s. All arithmetic is performed in a finite field Z that is large enough to represent the result of the summation. The Sumcheck protocol (see Figure 1) solves the Sumcheck problem. Informally, the protocol proceeds as follows: 1. The prover P and verifier V are given as input a boolean formula ϕ and a field element s. Both arithmetize ϕ to obtain a polynomial p in n variables x 1,..., x n. 2. V generates a random prime that is greater than 2 n 3 m and sends it to P. 3. V initializes the 0 th check-value v 0 := s. 4. The following interaction is repeated for all i = 1 to n: (a) Leaving x i free, P evaluates p at x i+1 {0, 1},..., x n {0, 1} to obtain polynomial p i in x i : p i (x i ) := p(r 1, r 2,..., x i,..., x n ). x i+1,...,x n {0,1} P sends p i over to V. (b) V checks that p i (0) + p i (1) = v i 1. If so, it samples a random field element r i, computes the next check-value v i := p i (r i ), and sends r i to P. 5. In the final round, instead of sending r n over to P, V checks that p(r 1,..., r n ) = v n. Theorem 5 The sumcheck protocol solves the sumcheck problem with completeness 1 and soundness nm/. Proof: We analyze the completeness and soundness of the sumcheck protocol. COMPLETENESS: If polynomial p indeed does some up to s over the Boolean hypercube, then at each step P can evaluate the polynomial correctly, and thus every test of the verifier will pass. For each i = 1 to n, let p i (x i ) := x i+1,...,x n {0,1} p(r 1, r 2,..., x i,..., x n ). Then we show that if in the i th round, P sends p i, V will always accept. I-3

ARITHMETIZE ϕ. ϕ p PROVER(ϕ, s) VERIFIER(ϕ, s) ARITHMETIZE ϕ. ϕ p GENERATE PRIME AND INITIALIZE v 0. ROUND 1: GENERATE p 1. p 1 (x 1 ) := x 2,...,x n {0,1} p(x 1, x 2,..., x n). Sample a prime > 2 n 3 m. v 0 = s p 1 ( ) CHECK CORRECTNESS OF p 1. ROUND 2: GENERATE p 2. p 2 (x 2 ) := x 3,...,x n {0,1} p(r 1, x 2,..., x n). r 1 p 2 ( ). p 1 (0) + p 1 (1)? = v 0. SAMPLE NEXT MESSAGE r 1 AND INITIALIZE v 1. Sample a random field element r 1. Set v 1 := p 1 (r 1 ). ROUND n: GENERATE p n. p n(x n) := p(r 1, r 2,..., r n 1, x n). r n 1 p n( ) CHECK CORRECTNESS OF p n. Figure 1: The Sumcheck protocol. p n(0) + p n(1)? = v n 1. SAMPLE r n AND INITIALIZE vn. Sample a random field element r n. Set v n := p n(r n). CHECK THAT p n IS CONSISTENT WITH p. p(r 1,..., r n)? = v n. I-4

Base case. When i = 1, if the prover sends p 1, then p 1 (0) + p 1 (1) = ( p(x 1, x 2,..., x n )) = v 0 = s. x 1 {0,1} x 2,...,x n {0,1} Inductive step. we have that p k (0) + p k (1) = Assume that for all 1 i k, the prover s i th message was the polynomial p i. Then, ( x i {0,1} x i+1,...,x n {0,1} p(r 1, r 2,..., r i 1, x i,..., x n )) = p i 1 (r i 1 ) = v i 1. For k = n, we additionally have that p n (r n ) = p(r 1,..., r n ) = v n (by assumption), and so all checks pass, and the verifier accepts. SOUNDNESS. Let E i be the event that the malicious prover P sends a polynomial p i = p i in the i th round. Let W be the event that P wins. Notice that Pr [W E 1 E n ] = 0. This is because if P sends the correct polynomial in the last step, then p n (0) + p n (1) v n 1. Claim 6 Pr [W ] nm + Pr [W E 1 E n ] nm Proof: We proceed by induction, proving the following hypothesis: Pr [W ] + Pr [W E j... E n ] Base case: j = n. Pr [W ] Pr [ W E n ] + Pr [W En ] m + Pr [W E n] (Schwartz-Zippel Lemma) Inductive step: Pr [W ] + Pr [W E j... E n ] Pr [W ] + Pr [ ] W E j 1 E j... E n + Pr [W Ej 1 E j... E n ] + m + Pr [W E j 1 E j... E n ] (Schwartz-Zippel Lemma) (n j)m + Pr [W E j 1 E j... E n ] (n j)m + 0 (p j 1 (0) + p j 1 (1) v j 2 ) I-5

3 Stronger results via different arithmetizations The arithmetization we used to prove that CoNP IP was very coarse: if the formula was satisfiable, then its arithmetization was positive; otherwise, it was zero. However, with more precise arithmetizations, we can do better: x y (1 (1 x)(1 y)): Convert every disjunction as indicated. x y x y: Convert every conjunction to multiplication. x (1 x): Convert every negation as indicated. Thus a clause (x y z) gets arithmetized to (1 (1 x)(1 y)(z)). This arithmetization evaluates to 1 if a satisfying assignment to the clause is plugged in, and 0 otherwise. Thus, by summing over the values taken by the arithmetization of a formula when evaluated on the Boolean hypercube, we can get the number of satisfying assignments for the formula, thus putting #P inside IP. This is a powerful result, because PH P #P IP. 4 Upper bounds on the power of interactive proofs So far, we have described the classes that have interactive proofs, but what is the limit to the power of interactive proofs? As it turns out, IP is contained in PSPACE. To see this, consider any language L in IP. It has a particular proof system where the verifier accepts with probability greater than 2/3. Our approach is to show that a polynomial-space machine can check that over 2/3 of the prover-verifier interactions accept if an instance x L, and at most 1/3 interactions accept if x L. To do this, we model the prover-verifier interaction as a game. Because each message is of polynomial size, there are at most 2 poly(n) choices at each node of the game tree. Furthermore, the depth of the tree is also at most poly(n). Thus, to perform depth-first search on the tree, a machine needs at most poly(n) bits. Thus the language can be recognized by a poly-space machine. I-6

References [LFKN92] Carsten Lund, Lance Fortnow, Howard J. Karloff, and Noam Nisan, Algebraic methods for interactive proof systems, Journal of the ACM 39 (1992), no. 4, 859 868. [Sha92] Adi Shamir, IP = PSPACE, Journal of the ACM 39 (1992), no. 4, 869 877. I-7

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback