sign in sign up
<<
Home , CC (complexity)

Interactive Proofs

Lecture 17 IP = PSPACE

1 So far

2 So far

IP

2 So far

IP

AM, MA

2 So far

IP

AM, MA

GNI ∈ IP

2 So far

IP

AM, MA

GNI ∈ IP GNI ∈ AM

2 So far

IP

AM, MA

GNI ∈ IP GNI ∈ AM Using AM protocol for set lower-bound

2 So far

IP

AM, MA

GNI ∈ IP GNI ∈ AM Using AM protocol for set lower-bound

In fact, IP[k] in AM[k+2]

2 IP = PSPACE

3 IP = PSPACE

Recall, IP means IP[poly]

3 IP = PSPACE

Recall, IP means IP[poly]

IP ⊆ PSPACE

3 IP = PSPACE

Recall, IP means IP[poly]

IP ⊆ PSPACE

Even though prover unbounded, cannot convince poly time verifier of everything

3 IP = PSPACE

Recall, IP means IP[poly]

IP ⊆ PSPACE

Even though prover unbounded, cannot convince poly time verifier of everything

PSPACE ⊆ IP

3 IP = PSPACE

Recall, IP means IP[poly]

IP ⊆ PSPACE

Even though prover unbounded, cannot convince poly time verifier of everything

PSPACE ⊆ IP

Prover can convince verifier of high complexity statements

3 IP ⊆ PSPACE

4 IP ⊆ PSPACE

Easier direction!

4 IP ⊆ PSPACE

Easier direction!

Plan: For given input calculate Pr[yes] of honest verifier, maximum over “prover strategies”

4 IP ⊆ PSPACE

Easier direction!

Plan: For given input calculate Pr[yes] of honest verifier, maximum over all “prover strategies”

Warm-: public-coins (i.e., AM[poly])

4 IP ⊆ PSPACE

Easier direction!

Plan: For given input calculate Pr[yes] of honest verifier, maximum over all “prover strategies”

Warm-up: public-coins (i.e., AM[poly])

Could then use the “fact” that IP[poly]=AM[poly]

4 IP ⊆ PSPACE

Easier direction!

Plan: For given input calculate Pr[yes] of honest verifier, maximum over all “prover strategies”

Warm-up: public-coins (i.e., AM[poly])

Could then use the “fact” that IP[poly]=AM[poly]

Or modify the proof (as we’ll do)

4 AM[poly] ⊆ PSPACE

5 AM[poly] ⊆ PSPACE

Plan: For given input calculate max Pr[yes] over all “prover strategies”

5 AM[poly] ⊆ PSPACE

Plan: For given input calculate max Pr[yes] over all “prover strategies”

Assume for convenience (w..o.g) each message is a single bit and P, V a lte n ate

5 AM[poly] ⊆ PSPACE

Plan: For given input calculate max Pr[yes] over all “prover strategies”

Assume for convenience (w.l.o.g) each message is a single bit and P, V a lte r n ate

Since public-coin, V messages are simply uniform random bits

5 AM[poly] ⊆ PSPACE

Plan: For given input calculate max Pr[yes] over all “prover strategies”

Assume for convenience (w.l.o.g) each message is a single bit and P, V a lte r n ate

Since public-coin, V messages are simply uniform random bits

Protocol’s configuration tree: path to a node corresponds to the transcript so far

5 AM[poly] ⊆ PSPACE

V Plan: For given input calculate max Pr[yes] over all “prover strategies”

Assume for convenience (w.l.o.g) P P each message is a single bit and P, V a lte r n ate V V V Since public-coin, V messages are simply uniform random bits

Protocol’s configuration tree: path to a node corresponds to the transcript so far

5 AM[poly] ⊆ PSPACE

V

P P

V V V

6 AM[poly] ⊆ PSPACE

Plan: For given input calculate maximum value, over all “prover strategies,” of Pr[yes] V

P P

V V V

6 AM[poly] ⊆ PSPACE

Plan: For given input calculate maximum value, over all “prover strategies,” of Pr[yes] V Note that finding the honest prover strategy may require super-PSPACE computation P P

V V V

6 AM[poly] ⊆ PSPACE

Plan: For given input calculate maximum value, over all “prover strategies,” of Pr[yes] V Note that finding the honest prover strategy may require super-PSPACE computation P P Recursively for each node, calculate maximum Pr[yes] V V V

6 AM[poly] ⊆ PSPACE

Plan: For given input calculate maximum value, over all “prover strategies,” of Pr[yes] V Note that finding the honest prover strategy may require super-PSPACE computation P P Recursively for each node, calculate maximum Pr[yes]

Leaves: Pr[yes] = 0 or 1, determined by V V V running verifier’s program

6 AM[poly] ⊆ PSPACE

Plan: For given input calculate maximum value, over all “prover strategies,” of Pr[yes] V Note that finding the honest prover strategy may require super-PSPACE computation P P Recursively for each node, calculate maximum Pr[yes]

Leaves: Pr[yes] = 0 or 1, determined by V V V running verifier’s program P nodes: max of children

6 AM[poly] ⊆ PSPACE

Plan: For given input calculate maximum value, over all “prover strategies,” of Pr[yes] V Note that finding the honest prover strategy may require super-PSPACE computation P P Recursively for each node, calculate maximum Pr[yes]

Leaves: Pr[yes] = 0 or 1, determined by V V V running verifier’s program P nodes: max of children V nodes: average of children

6 AM[poly] ⊆ PSPACE

Plan: For given input calculate maximum value, over all “prover strategies,” of Pr[yes] V Note that finding the honest prover strategy may require super-PSPACE computation P P Recursively for each node, calculate maximum Pr[yes]

Leaves: Pr[yes] = 0 or 1, determined by V V V running verifier’s program P nodes: max of children V nodes: average of children In PSPACE: depth polynomial

6 IP ⊆ PSPACE

V

P P

V V V

7 IP ⊆ PSPACE

Calculate max Pr[yes] when prover’s strategy can V depend only on messages and not private coins

P P

V V V

7 IP ⊆ PSPACE

Calculate max Pr[yes] when prover’s strategy can V depend only on messages and not private coins Maintain the set of consistent random-tapes at each V node P P

V V V

7 IP ⊆ PSPACE

Calculate max Pr[yes] when prover’s strategy can V depend only on messages and not private coins Maintain the set of consistent random-tapes at each V node P P Children of V node not always chosen with 1/2-1/2 probability. Instead weighted by fraction of consistent random-tapes V V V

7 IP ⊆ PSPACE

Calculate max Pr[yes] when prover’s strategy can V depend only on messages and not private coins Maintain the set of consistent random-tapes at each V node P P Children of V node not always chosen with 1/2-1/2 probability. Instead weighted by fraction of consistent random-tapes V V V Leaves: Pr[yes] determined by running verifier’s program on all consistent random-tapes of verifier

7 IP ⊆ PSPACE

Calculate max Pr[yes] when prover’s strategy can V depend only on messages and not private coins Maintain the set of consistent random-tapes at each V node P P Children of V node not always chosen with 1/2-1/2 probability. Instead weighted by fraction of consistent random-tapes V V V Leaves: Pr[yes] determined by running verifier’s program on all consistent random-tapes of verifier P nodes: max of children

7 IP ⊆ PSPACE

Calculate max Pr[yes] when prover’s strategy can V depend only on messages and not private coins Maintain the set of consistent random-tapes at each V node P P Children of V node not always chosen with 1/2-1/2 probability. Instead weighted by fraction of consistent random-tapes V V V Leaves: Pr[yes] determined by running verifier’s program on all consistent random-tapes of verifier P nodes: max of children V nodes: (weighted) average of children

7 PSPACE ⊆ IP

8 PSPACE ⊆ IP

Enough to show an IP protocol for TQBF

8 PSPACE ⊆ IP

Enough to show an IP protocol for TQBF

For any L in PSPACE, both prover and verifier can first reduce input to a TQBF instance, and then prover proves its membership

8 PSPACE ⊆ IP

Enough to show an IP protocol for TQBF

For any L in PSPACE, both prover and verifier can first reduce input to a TQBF instance, and then prover proves its membership

Recall TQBF

8 PSPACE ⊆ IP

Enough to show an IP protocol for TQBF

For any L in PSPACE, both prover and verifier can first reduce input to a TQBF instance, and then prover proves its membership

Recall TQBF

Decide whether a QBF is true or not

8 PSPACE ⊆ IP

Enough to show an IP protocol for TQBF

For any L in PSPACE, both prover and verifier can first reduce input to a TQBF instance, and then prover proves its membership

Recall TQBF

Decide whether a QBF is true or not

QBF: Q1x1 Q2x2 ... Qnxn F(x1,...,xn) for quantifiers Qi and a formula F on boolean variables

8 Arithmetization

9 Arithmetization

A Boolean formula as a polynomial

9 Arithmetization

A Boolean formula as a polynomial

Arithmetic over a field (finite, exponentially large characteristic)

9 Arithmetization

A Boolean formula as a polynomial

Arithmetic over a field (finite, exponentially large characteristic)

0 and 1 (identities of addition and multiplication) instead of False and True

9 Arithmetization

A Boolean formula as a polynomial

Arithmetic over a field (finite, exponentially large characteristic)

0 and 1 (identities of addition and multiplication) instead of False and True

For formula F, polynomial P such that for boolean vector b and corresponding 0-1 vector x we have F(b) = P(x)

9 Arithmetization

A Boolean formula as a polynomial

Arithmetic over a field (finite, exponentially large characteristic)

0 and 1 (identities of addition and multiplication) instead of False and True

For formula F, polynomial P such that for boolean vector b and corresponding 0-1 vector x we have F(b) = P(x)

NOT: (1-x); AND: x.y

9 Arithmetization

A Boolean formula as a polynomial

Arithmetic over a field (finite, exponentially large characteristic)

0 and 1 (identities of addition and multiplication) instead of False and True

For formula F, polynomial P such that for boolean vector b and corresponding 0-1 vector x we have F(b) = P(x)

NOT: (1-x); AND: x.y

OR (as NOT of AND of NOT): 1 - (1-x).(1-y)

9 Arithmetization

A Boolean formula as a polynomial

Arithmetic over a field (finite, exponentially large characteristic)

0 and 1 (identities of addition and multiplication) instead of False and True

For formula F, polynomial P such that for boolean vector b and corresponding 0-1 vector x we have F(b) = P(x)

NOT: (1-x); AND: x.y

OR (as NOT of AND of NOT): 1 - (1-x).(1-y)

Alternately, OR: x+y. True corresponds to ! 0

9 Arithmetization

A Boolean formula as a polynomial

Arithmetic over a field (finite, exponentially large characteristic)

0 and 1 (identities of addition and multiplication) instead of False and True

For formula F, polynomial P such that for boolean vector b and corresponding 0-1 vector x we have F(b) = P(x)

NOT: (1-x); AND: x.y

OR (as NOT of AND of NOT): 1 - (1-x).(1-y)

Alternately, OR: x+y. True corresponds to ! 0

Can always use a polynomial linear in each variable since xn=x for x=0 and x=1 9 Arithmetization

10 Arithmetization A QBF as a polynomial

10 Arithmetization A QBF as a polynomial

TRUE will correspond to ! 0, and FALSE = 0 (when variables are assigned 1/0 for TRUE/FALSE)

10 Arithmetization A QBF as a polynomial

TRUE will correspond to ! 0, and FALSE = 0 (when variables are assigned 1/0 for TRUE/FALSE)

Suppose for Boolean formula F, polynomial P

10 Arithmetization A QBF as a polynomial

TRUE will correspond to ! 0, and FALSE = 0 (when variables are assigned 1/0 for TRUE/FALSE)

Suppose for Boolean formula F, polynomial P

∃x F(x) → P(0) + P(1) > 0 (i.e., Σx=0,1 P(x) > 0)

10 Arithmetization A QBF as a polynomial

TRUE will correspond to ! 0, and FALSE = 0 (when variables are assigned 1/0 for TRUE/FALSE)

Suppose for Boolean formula F, polynomial P

∃x F(x) → P(0) + P(1) > 0 (i.e., Σx=0,1 P(x) > 0)

∀x F(x) → P(0).P(1) > 0 (i.e., Πx=0,1 P(x) > 0)

10 Arithmetization A QBF as a polynomial

TRUE will correspond to ! 0, and FALSE = 0 (when variables are assigned 1/0 for TRUE/FALSE)

Suppose for Boolean formula F, polynomial P

∃x F(x) → P(0) + P(1) > 0 (i.e., Σx=0,1 P(x) > 0)

∀x F(x) → P(0).P(1) > 0 (i.e., Πx=0,1 P(x) > 0)

Extends to more quantifiers: i.e., if F(x) is a QBF above

10 Arithmetization A QBF as a polynomial

TRUE will correspond to ! 0, and FALSE = 0 (when variables are assigned 1/0 for TRUE/FALSE)

Suppose for Boolean formula F, polynomial P

∃x F(x) → P(0) + P(1) > 0 (i.e., Σx=0,1 P(x) > 0)

∀x F(x) → P(0).P(1) > 0 (i.e., Πx=0,1 P(x) > 0)

Extends to more quantifiers: i.e., if F(x) is a QBF above

So, how do you arithmetize ∃x∀y G(x,y) and ∀y∃x G(x,y)?

10 Arithmetization A QBF as a polynomial

TRUE will correspond to ! 0, and FALSE = 0 (when variables are assigned 1/0 for TRUE/FALSE)

Suppose for Boolean formula F, polynomial P

∃x F(x) → P(0) + P(1) > 0 (i.e., Σx=0,1 P(x) > 0)

∀x F(x) → P(0).P(1) > 0 (i.e., Πx=0,1 P(x) > 0)

Extends to more quantifiers: i.e., if F(x) is a QBF above

So, how do you arithmetize ∃x∀y G(x,y) and ∀y∃x G(x,y)?

Σx=0,1 Πy=0,1 P(x,y) > 0 and Πy=0,1 Σx=0,1 P(x,y) > 0

10 Arithmetization

11 Arithmetization

For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π, and P is a (multi-linear) polynomial

11 Arithmetization

For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π, and P is a (multi-linear) polynomial

Instead suppose all Qi are Σ

11 Arithmetization

For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π, and P is a (multi-linear) polynomial

Instead suppose all Qi are Σ

Counts number of satisfying assignments to an (unquantified) boolean formula F

11 Arithmetization

For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π, and P is a (multi-linear) polynomial

Instead suppose all Qi are Σ

Counts number of satisfying assignments to an (unquantified) boolean formula F

Proving > 0 is trivial

11 Arithmetization

For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π, and P is a (multi-linear) polynomial

Instead suppose all Qi are Σ

Counts number of satisfying assignments to an (unquantified) boolean formula F

Proving > 0 is trivial

Consider proving = K (will be useful in the general case)

11 Sum-check protocol

12 Sum-check protocol

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

12 Verifier has only oracle Sum-check protocol access to P

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

12 Verifier has only oracle Sum-check protocol access to P

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

Note: to evaluate need to add up 2n values

12 Verifier has only oracle Sum-check protocol access to P

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

Note: to evaluate need to add up 2n values

Base case: n=0. Verifier will simply use oracle access to P.

12 Verifier has only oracle Sum-check protocol access to P

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

Note: to evaluate need to add up 2n values

Base case: n=0. Verifier will simply use oracle access to P.

For n>0: Let R(X) := Σx2...Σxn P(X,x2,...,xn)

12 Verifier has only oracle Sum-check protocol access to P

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

Note: to evaluate need to add up 2n values

Base case: n=0. Verifier will simply use oracle access to P.

For n>0: Let R(X) := Σx2...Σxn P(X,x2,...,xn)

Σx1...Σxn P(x1,...,xn) = R(0) + R(1)

12 Verifier has only oracle Sum-check protocol access to P

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

Note: to evaluate need to add up 2n values

Base case: n=0. Verifier will simply use oracle access to P.

For n>0: Let R(X) := Σx2...Σxn P(X,x2,...,xn)

Σx1...Σxn P(x1,...,xn) = R(0) + R(1)

R has only one variable and degree at most d

12 Verifier has only oracle Sum-check protocol access to P

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

Note: to evaluate need to add up 2n values

Base case: n=0. Verifier will simply use oracle access to P.

Σ Σ For n>0: Let R(X) := x2... xn P(X,x2,...,xn) Π Σ, no Only Σx1...Σxn P(x1,...,xn) = R(0) + R(1)

R has only one variable and degree at most d

12 Verifier has only oracle Sum-check protocol access to P

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

Note: to evaluate need to add up 2n values

Base case: n=0. Verifier will simply use oracle access to P.

Σ Σ For n>0: Let R(X) := x2... xn P(X,x2,...,xn) Π Σ, no Only Σx1...Σxn P(x1,...,xn) = R(0) + R(1)

R has only one variable and degree at most d

Prover sends T=R (as d+1 coefficients) to verifier

12 Verifier has only oracle Sum-check protocol access to P

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

Note: to evaluate need to add up 2n values

Base case: n=0. Verifier will simply use oracle access to P.

Σ Σ For n>0: Let R(X) := x2... xn P(X,x2,...,xn) Π Σ, no Only Σx1...Σxn P(x1,...,xn) = R(0) + R(1)

R has only one variable and degree at most d Needs degree to be small Prover sends T=R (as d+1 coefficients) to verifier

12 Verifier has only oracle Sum-check protocol access to P

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

Note: to evaluate need to add up 2n values

Base case: n=0. Verifier will simply use oracle access to P.

Σ Σ For n>0: Let R(X) := x2... xn P(X,x2,...,xn) Π Σ, no Only Σx1...Σxn P(x1,...,xn) = R(0) + R(1)

R has only one variable and degree at most d Needs degree to be small Prover sends T=R (as d+1 coefficients) to verifier

Verifier checks K = T(0) + T(1). Still needs to check T=R

12 Sum-check protocol

13 Sum-check protocol

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

13 Sum-check protocol

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

Verifier wants to check T(X) = R(X) := Σx2...Σxn P(X,x2,...,xn)

13 Sum-check protocol

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

Verifier wants to check T(X) = R(X) := Σx2...Σxn P(X,x2,...,xn)

Picks random field element a (large enough field)

13 Sum-check protocol

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

Verifier wants to check T(X) = R(X) := Σx2...Σxn P(X,x2,...,xn)

Picks random field element a (large enough field)

Asks prover to prove that T(a) = R(a) = Σx2...Σxn P(a,x2,...,xn)

13 Sum-check protocol

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

Verifier wants to check T(X) = R(X) := Σx2...Σxn P(X,x2,...,xn)

Picks random field element a (large enough field)

Asks prover to prove that T(a) = R(a) = Σx2...Σxn P(a,x2,...,xn)

Recurse on P1(x2,...,xn) = P(a,x2,...,xn) of one variable less

13 Sum-check protocol

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

Verifier wants to check T(X) = R(X) := Σx2...Σxn P(X,x2,...,xn)

Picks random field element a (large enough field)

Asks prover to prove that T(a) = R(a) = Σx2...Σxn P(a,x2,...,xn)

Recurse on P1(x2,...,xn) = P(a,x2,...,xn) of one variable less

i.e., Recurse to prove Σx2...Σxn P1(x2,...,xn) = T(a)

13 Sum-check protocol

To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P

Verifier wants to check T(X) = R(X) := Σx2...Σxn P(X,x2,...,xn)

Picks random field element a (large enough field)

Asks prover to prove that T(a) = R(a) = Σx2...Σxn P(a,x2,...,xn)

Recurse on P1(x2,...,xn) = P(a,x2,...,xn) of one variable less

i.e., Recurse to prove Σx2...Σxn P1(x2,...,xn) = T(a)

Note: P1 has degree at most d; verifier has oracle access to P1 (as it knows a, and has oracle access to P)

13 Sum-check protocol

14 Sum-check protocol Why does sum-check protocol work?

14 Sum-check protocol Why does sum-check protocol work?

Instead of checking T(X) = R(X), simply checks (recursively) if T(a)=R(a) for a single random a in the field

14 Can’t afford Sum-check protocol more than one check Why does sum-check protocol work?

Instead of checking T(X) = R(X), simply checks (recursively) if T(a)=R(a) for a single random a in the field

14 Can’t afford Sum-check protocol more than one check Why does sum-check protocol work?

Instead of checking T(X) = R(X), simply checks (recursively) if T(a)=R(a) for a single random a in the field

Completeness is obvious

14 Can’t afford Sum-check protocol more than one check Why does sum-check protocol work?

Instead of checking T(X) = R(X), simply checks (recursively) if T(a)=R(a) for a single random a in the field

Completeness is obvious

Soundness: Since T(X) and R(X) are of degree d, if T!R, at most d points where they agree

14 Can’t afford Sum-check protocol more than one check Why does sum-check protocol work?

Instead of checking T(X) = R(X), simply checks (recursively) if T(a)=R(a) for a single random a in the field

Completeness is obvious

Soundness: Since T(X) and R(X) are of degree d, if T!R, at most d points where they agree

Error (picking a bad a), with probability " d/p, where field is of size p

14 Can’t afford Sum-check protocol more than one check Why does sum-check protocol work?

Instead of checking T(X) = R(X), simply checks (recursively) if T(a)=R(a) for a single random a in the field

Completeness is obvious

Soundness: Since T(X) and R(X) are of degree d, if T!R, at most d points where they agree

Error (picking a bad a), with probability " d/p, where field is of size p

Also possible error in recursive step (despite good a)

14 Can’t afford Sum-check protocol more than one check Why does sum-check protocol work?

Instead of checking T(X) = R(X), simply checks (recursively) if T(a)=R(a) for a single random a in the field

Completeness is obvious

Soundness: Since T(X) and R(X) are of degree d, if T!R, at most d points where they agree

Error (picking a bad a), with probability " d/p, where field is of size p

Also possible error in recursive step (despite good a)

At most nd/p if n variables. Can take p exponential.

14 IP Protocol for TQBF

15 IP Protocol for TQBF

For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π and P is a multi-linear polynomial

15 IP Protocol for TQBF

For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π and P is a multi-linear polynomial

In fact a protocol to prove: Q1 x1... Qn xn P(x1,...,xn) = K

15 IP Protocol for TQBF

For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π and P is a multi-linear polynomial

In fact a protocol to prove: Q1 x1... Qn xn P(x1,...,xn) = K

Problem with generalizing sum-check protocol: the univariate poly R(X) := Q2 x2... Qn xn P(X,x2,...,xn) has exponential degree. Verifier can’t read T(X)=R(X)

15 IP Protocol for TQBF

For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π and P is a multi-linear polynomial

In fact a protocol to prove: Q1 x1... Qn xn P(x1,...,xn) = K

Problem with generalizing sum-check protocol: the univariate poly R(X) := Q2 x2... Qn xn P(X,x2,...,xn) has exponential degree. Verifier can’t read T(X)=R(X)

Instead of T, can work with “linearization” of T.

15 IP Protocol for TQBF

For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π and P is a multi-linear polynomial

In fact a protocol to prove: Q1 x1... Qn xn P(x1,...,xn) = K

Problem with generalizing sum-check protocol: the univariate poly R(X) := Q2 x2... Qn xn P(X,x2,...,xn) has exponential degree. Verifier can’t read T(X)=R(X)

Instead of T, can work with “linearization” of T.

Prover sends L(X) = ( T(1)-T(0) ) X + T(0)

15 IP Protocol for TQBF

For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π and P is a multi-linear polynomial

In fact a protocol to prove: Q1 x1... Qn xn P(x1,...,xn) = K

Problem with generalizing sum-check protocol: the univariate poly R(X) := Q2 x2... Qn xn P(X,x2,...,xn) has exponential degree. Verifier can’t read T(X)=R(X)

Instead of T, can work with “linearization” of T.

Prover sends L(X) = ( T(1)-T(0) ) X + T(0) Verifier checks (as appropriate) L(1).L(0) = K or L(1)+L(0) = K

15 IP Protocol for TQBF

For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π and P is a multi-linear polynomial

In fact a protocol to prove: Q1 x1... Qn xn P(x1,...,xn) = K

Problem with generalizing sum-check protocol: the univariate poly R(X) := Q2 x2... Qn xn P(X,x2,...,xn) has exponential degree. Verifier can’t read T(X)=R(X)

Instead of T, can work with “linearization” of T.

Prover sends L(X) = ( T(1)-T(0) ) X + T(0) Verifier checks (as appropriate) L(1).L(0) = K or L(1)+L(0) = K Verifier picks random a, and asks prover to show R’(a) = L(a)

linearization of R(X) 15 IP Protocol for TQBF

16 IP Protocol for TQBF

IP = PSPACE

16 IP Protocol for TQBF

IP = PSPACE

Protocol is public-coin

16 IP Protocol for TQBF

IP = PSPACE

Protocol is public-coin

IP = AM[poly] = PSPACE

16 IP Protocol for TQBF

IP = PSPACE

Protocol is public-coin

IP = AM[poly] = PSPACE

Protocol has perfect completeness

16