Computational Complexity Theory, Fall 2010 10 November Lecture 18: IP=PSPACE. Arthur-Merlin Games

Lecturer: Kristoffer Arnsfelt Hansen Scribe: Andreas Hummelshøj J

Update: Last time, we were looking at MOD3◦MOD2. We mentioned that AND required size $2^{\Omega(n)}$ MOD3◦MOD2 circuits. We also mentioned, as being open, whether NEXP ⊆ (nonuniform) MOD2◦MOD3◦MOD2. Since 9/11-2010, this is no longer open.

Definition 1 $\mathrm{ACC}^0$ = class of languages:

$\mathrm{ACC}^0 = \bigcup_{m>2} \mathrm{ACC}^0[m]$, where $\mathrm{AC}^0[m]$ = class of languages computed by depth $O(1)$, size $n^{O(1)}$ circuits with AND-, OR- and $\mathrm{MOD}_m$-gates.

This is in fact in many ways a natural class of languages, like $\mathrm{AC}^0$ and $\mathrm{NC}^1$.

Theorem 2 NEXP $\not\subseteq$ (nonuniform) $\mathrm{ACC}^0$.

New open problem:

Is EXP ⊆ (nonuniform)MOD2 ◦ MOD3 ◦ MOD2?

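Recap: We defined arithmetization $A(\varphi)$ of a 3-SAT formula $\varphi$:

$$A(x_i) = x_i, \qquad A(\overline{x_i}) = 1 - x_i,$$

$$A(l_1 \vee l_2 \vee l_3) = 1 - \prod_{i=1}^{3} (1 - A(l_i)),$$

$$A(c_1 \wedge \cdots \wedge c_m) = \prod_{j=1}^{m} A(c_j).$$

$$\#\varphi = \sum_{x_1=0}^{1} \cdots \sum_{x_n=0}^{1} P(x_1, \ldots, x_n), \qquad P = A(\varphi).$$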

Sumcheck:

Given $g(x_1, \ldots, x_n)$, $K$ and prime number $p$, decide if

$$\sum_{x_1=0}^{1} \cdots \sum_{x_n=0}^{1} g(x_1, \ldots, x_n) \equiv K \pmod{p}.$$

True Quantified Boolean Formulae: Given $\varphi \equiv \exists x_1 \forall x_2 \ldots \forall x_n \, \varphi'(x_1, \ldots, x_n)$, where $\varphi'$ is a 3SAT formula, decide if $\varphi$ is true.

Observation: $\varphi$ true $\Leftrightarrow$

$$\sum_{x_1=0}^{1} \prod_{x_2=0}^{1} \sum_{x_3} \cdots \prod_{x_n=0}^{1} P(x_1, \ldots, x_n) > 0, \qquad P = A(\varphi').$$

Protocol: Can't we just do it analogously to Sumcheck? That is: remove the outermost $\sum$, P sends polynomial $S$, V checks if $S(0) + S(1) \equiv K$, and asks P to prove $\prod_{x_2=0}^{1} \sum_{x_3=0}^{1} \cdots \prod_{x_n=0}^{1} P(a) \equiv S(a)$, where $a \in \{0, 1, \ldots, p-1\}$ is chosen uniformly at random.

Problem: $\deg S$ may be as large as $(3m)2^n$.

Solution:

Linearise. Let $P(x_1, \ldots, x_n)$ be a polynomial. Define

$$L_i P(x_1, \ldots, x_n) = x_i P(x_1, \ldots, x_{i-1}, 1, x_{i+1}, \ldots, x_n) + (1 - x_i) P(x_1, \ldots, x_{i-1}, 0, x_{i+1}, \ldots, x_n).$$

Lemma 3 For $x \in \{0, 1\}^n$ we have:

$$P(x_1, \ldots, x_n) = L_1 L_2 \cdots L_n P(x_1, \ldots, x_n).$$

Don't show $\sum \prod \cdots \sum P(x_1, \ldots, x_n) \equiv K$. Instead, show

$$\sum_{x_1} L_1 \prod_{x_2} L_1 L_2 \sum_{x_3} L_1 L_2 L_3 \cdots \sum L_1 L_2 \cdots L_n P(x_1, \ldots, x_n) \equiv K.$$
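The following is an added example, not part of the lecture notes: it evaluates the operator sequence above for a small formula, once with the $L_i$ operators interleaved and once without, and records the largest degree seen after each quantifier operator. The prime 101, the three-variable formula PHI and all function names are assumptions chosen for the illustration.

```python
from functools import reduce

P_MOD, N = 101, 3            # demo prime and variable count (assumed values)
ONE = {(0,) * N: 1}          # polynomials: {exponent tuple: coefficient mod P_MOD}

def poly(terms):             # collect (exponent, coefficient) pairs, reduce mod p
    out = {}
    for e, c in terms:
        out[e] = (out.get(e, 0) + c) % P_MOD
    return {e: c for e, c in out.items() if c}

def add(f, g, sign=1):
    return poly(list(f.items()) + [(e, sign * c) for e, c in g.items()])

def mul(f, g):
    return poly((tuple(a + b for a, b in zip(ea, eb)), ca * cb)
                for ea, ca in f.items() for eb, cb in g.items())

def fix(f, i, b):            # substitute x_i = b, b in {0, 1}
    return poly((e[:i] + (0,) + e[i + 1:], c)
                for e, c in f.items() if b or e[i] == 0)

def lit(i, neg=False):       # A(x_i) = x_i, A(not x_i) = 1 - x_i
    x = {tuple(int(j == i) for j in range(N)): 1}
    return add(ONE, x, -1) if neg else x

def arithmetize(cnf):        # cnf: clauses of (index, negated) literals
    P = ONE
    for clause in cnf:
        miss = reduce(mul, (lit(i, not neg) for i, neg in clause))  # prod (1 - A(l))
        P = mul(P, add(ONE, miss, -1))
    return P

def linearise(f, i):         # L_i f = x_i f|x_i=1 + (1 - x_i) f|x_i=0
    return add(mul(lit(i), fix(f, i, 1)), mul(lit(i, True), fix(f, i, 0)))

def run(P, quants, lin):     # returns (value mod p, max degree after a quantifier)
    f, worst = P, 0
    for i in reversed(range(N)):
        for j in (reversed(range(i + 1)) if lin else ()):
            f = linearise(f, j)                  # L_1 ... L_i before the quantifier on x_i
        lo, hi = fix(f, i, 0), fix(f, i, 1)
        f = mul(lo, hi) if quants[i] == "A" else add(lo, hi)
        worst = max([worst] + [max(e) for e in f])
    return f.get((0,) * N, 0), worst

# Constructed formula equivalent to x1: one clause per sign pattern of x2, x3.
PHI = [[(0, False), (1, a), (2, b)] for a in (False, True) for b in (False, True)]
```

For the quantifier string "EAA" (that is, $\exists x_1 \forall x_2 \forall x_3$), both runs return the value 1, but the degree after a product stays at 2 with linearisation and reaches 4 without it.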

Protocol: (Modification of Sumcheck)

Start: P sends prime $p \in [2^n + 1, 2^{2n}]$ such that $p \nmid \sum \cdots P(x)$, and also $K$ (we intend that we should have $\sum L \cdots P(x) \equiv K \pmod{p}$). The protocol now proceeds as the sumcheck protocol, in each round of communication stripping off one of $\sum$, $\prod$, or $L_i$.

$\sum$: P must prove $\sum_{x_i=0}^{1} L_1 \cdots P(a_1, \ldots, a_{i-1}, x_i, \ldots, x_n) \equiv K$. P sends polynomial $S(x_i)$ (NB: degree at most 1) to V. V checks $S(0) + S(1) \equiv K$ or rejects. V chooses $a \in \{0, 1, \ldots, p-1\}$ uniformly at random and asks P to show that $L_1 \cdots L_n P(a_1, \ldots, a_{i-1}, a, x_{i+1}, \ldots, x_n) \equiv S(a)$.

$\prod$: P must prove $\prod_{x_i=0}^{1} L_1 \cdots P(a_1, \ldots, a_{i-1}, x_i, \ldots, x_n) \equiv K$. P sends polynomial $S(x_i)$ (NB: degree at most 1) to V. V checks $S(0)S(1) \equiv K$ or rejects. V chooses $a \in \{0, 1, \ldots, p-1\}$ uniformly at random and asks P to show that $L_1 \cdots L_n P(a_1, \ldots, a_{i-1}, a, x_{i+1}, \ldots, x_n) \equiv S(a)$.

$L$: P must prove $L_i L_{i+1} \cdots P(a_1, \ldots, a_k, x_{k+1}, \ldots, x_n) \equiv K$, where $1 \le i \le k$, for some $k$. P sends polynomial $S(x_i)$ (NB: degree at most 2, except at the end with $L_n P(x_1, \ldots, x_n)$, where the degree is at most $3m$) to V. V verifies that $a_i S(1) + (1 - a_i) S(0) \equiv K$ or rejects. V chooses $a \in \{0, \ldots, p-1\}$ uniformly at random and asks P to prove $L_{i+1} \cdots P(a_1, \ldots, a_{i-1}, a, a_{i+1}, \ldots, a_k, x_{k+1}, \ldots, x_n) \equiv S(a)$.

The analysis of the protocol is analogous to the analysis of the sumcheck protocol.

Completeness: We have completeness 1, since if x ∈ L we will always accept if the prover follows the protocol specified.

Soundness: If the verifier accepts when $x \notin L$, then there is some round where the prover must prove a wrong statement, but in the next round we ask him to prove a correct statement. For a given round, this happens with probability at most $\frac{3m}{p}$ (since a nonzero polynomial of degree at most $3m$ has at most $3m$ roots in GF($p$)). Thus, taking a union bound over the number of rounds ($\le n^2$), the total error is at most $n^2 \frac{3m}{p}$. This is exponentially small, since $p$ is exponentially large.

Remarks:

• We have completeness 1. Thus all interactive protocols can in principle be converted to protocols with completeness 1.

• All messages from V are just the random bits which have been flipped since the last round of communication.

Next we are going to explore interactive proofs that have this last property, but using only a constant number of rounds of communication.

Arthur-Merlin proof: AM[k] = class of languages computed by interactive protocols, where V's messages are the random bits V has flipped since the last communication, and the total number of messages between P and V is at most k. Further, we denote AM[2] simply by AM.

Theorem 4 Graph Non-Isomorphism ∈ AM.

Proof Let $G_1, G_2$ be graphs with vertices $\{1, \ldots, n\}$. Define $S := \{(H, \pi) \mid [H \cong G_1 \text{ or } H \cong G_2] \text{ and } \pi(H) = H\}$.

Lemma 5 If $G_1 \cong G_2$ then $|S| = n!$, if $G_1 \not\cong G_2$ then $|S| = 2(n!)$.

Goldwasser-Sipser Set lower protocol: Given $S \subseteq \{0, 1\}^n$, where we can verify that "$x \in S$" efficiently given a certificate, and given a number $K$. P is supposed to prove that $|S| \ge K$. The protocol will ensure that if $|S| \ge K$, V accepts with probability at least $\frac{2}{3}$. Otherwise, V accepts with probability $< \frac{1}{3}$.

Protocol: Choose $k$ such that $\frac{2^k}{4} \le K \le \frac{2^k}{2}$, and a family of pair-wise independent hash-functions $H_{m,k}$.

• V: Pick $y \in \{0, 1\}^k$ and $h \in H_{m,k}$ uniformly at random and send to P.

• P: Try to find $x$ such that $h(x) = y$, send $x$ and proof that $x \in S$.

• V: Accept $\Leftrightarrow$ $h(x) = y$.

(Repeat these 3 steps in parallel to use success amplification to get desired error.)

For the analysis we need the following lemma.

Lemma 6 Let $S \subseteq \{0, 1\}^m$, $|S| \le \frac{2^k}{2}$. Then

$$\frac{3}{4} \frac{|S|}{2^k} \le \Pr_{h,y}[\exists x \in S : h(x) = y] \le \frac{|S|}{2^k}.$$

Proof For the inequality on the right we simply have $|h(S)| \le |S| \Rightarrow \Pr[\exists x \in S : h(x) = y] \le \frac{|S|}{2^k}$. For the inequality on the left, we can in fact fix $y$. Then:

$$\begin{aligned}
\Pr_h[\exists x \in S : h(x) = y] &= \Pr_h\Big[\bigcup_{x \in S} \{h(x) = y\}\Big] \\
&\ge \sum_{x \in S} \Pr_h[h(x) = y] - \frac{1}{2} \sum_{x \ne x' \in S} \Pr_h[h(x) = y \wedge h(x') = y] \\
&= |S| \frac{1}{2^k} - \frac{1}{2} \frac{|S|(|S| - 1)}{2^{2k}} \\
&= \frac{|S|}{2^k} \Big(1 - \frac{|S| - 1}{2^k} \cdot \frac{1}{2}\Big) \\
&\ge \frac{|S|}{2^k} \Big(1 - \frac{2^k/2}{2^k} \cdot \frac{1}{2}\Big) \\
&= \frac{3}{4} \frac{|S|}{2^k},
\end{aligned}$$

where in the first inequality we used inclusion-exclusion to bound the probability of the union of events. $\square$

We can now analyse the acceptance probability of the protocol. If $|S| \ge K$, V accepts with probability at least $\frac{3}{4} \frac{|S|}{2^k} \ge \frac{3}{4} \frac{K}{2^k}$. If $|S| \le \frac{K}{2}$, V accepts with probability at most $\frac{|S|}{2^k} \le \frac{1}{2} \frac{K}{2^k}$. We can now utilize the gap between $\frac{3}{4} \frac{K}{2^k}$ and $\frac{1}{2} \frac{K}{2^k}$ to run a number of independent trials in parallel and obtain completeness 2/3 and soundness 1/3. $\square$
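As an added illustration (not from the lecture notes), the code below computes the exact acceptance probability of one round of the set lower bound protocol by enumerating every hash function and compares it with the two bounds of Lemma 6. It assumes the affine family $h(x) = Ax + b$ over GF(2) as the pair-wise independent family, and the sizes m = 4, k = 3, K = 4 and the sets BIG and SMALL are constructed for the demo.

```python
from fractions import Fraction
from itertools import product

M, K_BITS = 4, 3    # h: {0,1}^4 -> {0,1}^3, so 2^k = 8 (sizes assumed for the demo)

def h(A, b, x):
    """Affine hash over GF(2): output bit r is <A[r], x> xor b[r]."""
    return tuple((bin(row & x).count("1") + br) & 1 for row, br in zip(A, b))

def prover(A, b, y, S):
    """Honest prover: some x in S with h(x) = y, or None if there is none."""
    return next((x for x in S if h(A, b, x) == y), None)

def accept_probability(S):
    """Exact Pr over uniform (h, y) that V accepts against the honest prover."""
    hits = total = 0
    for A in product(range(2 ** M), repeat=K_BITS):      # rows of A as bit masks
        for b in product((0, 1), repeat=K_BITS):
            image = {h(A, b, x) for x in S}              # the y that P can answer
            hits += len(image)                           # accepting y for this h
            total += 2 ** K_BITS                         # all y for this h
    return Fraction(hits, total)

def lemma6_bounds(size):
    """(3/4)|S|/2^k and |S|/2^k, valid for |S| <= 2^k / 2."""
    return Fraction(3 * size, 4 * 2 ** K_BITS), Fraction(size, 2 ** K_BITS)

# Constructed sets for K = 4: |S| = K and |S| = K/2 (elements are 4-bit strings).
BIG, SMALL = [1, 2, 4, 8], [1, 2]
```

With these sets the acceptance probability is 1695/4096 for |S| = K and 15/64 for |S| = K/2, on either side of the gap between (3/4)K/2^k = 3/8 and (1/2)K/2^k = 1/4 that the parallel repetition amplifies.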
