Interactive Proofs
Lecture 17 IP = PSPACE
1 So far
2 So far
IP
2 So far
IP
AM, MA
2 So far
IP
AM, MA
GNI ∈ IP
2 So far
IP
AM, MA
GNI ∈ IP GNI ∈ AM
2 So far
IP
AM, MA
GNI ∈ IP GNI ∈ AM Using AM protocol for set lower-bound
2 So far
IP
AM, MA
GNI ∈ IP GNI ∈ AM Using AM protocol for set lower-bound
In fact, IP[k] in AM[k+2]
2 IP = PSPACE
3 IP = PSPACE
Recall, IP means IP[poly]
3 IP = PSPACE
Recall, IP means IP[poly]
IP ⊆ PSPACE
3 IP = PSPACE
Recall, IP means IP[poly]
IP ⊆ PSPACE
Even though prover unbounded, cannot convince poly time verifier of everything
3 IP = PSPACE
Recall, IP means IP[poly]
IP ⊆ PSPACE
Even though prover unbounded, cannot convince poly time verifier of everything
PSPACE ⊆ IP
3 IP = PSPACE
Recall, IP means IP[poly]
IP ⊆ PSPACE
Even though prover unbounded, cannot convince poly time verifier of everything
PSPACE ⊆ IP
Prover can convince verifier of high complexity statements
3 IP ⊆ PSPACE
4 IP ⊆ PSPACE
Easier direction!
4 IP ⊆ PSPACE
Easier direction!
Plan: For given input calculate Pr[yes] of honest verifier, maximum over all “prover strategies”
4 IP ⊆ PSPACE
Easier direction!
Plan: For given input calculate Pr[yes] of honest verifier, maximum over all “prover strategies”
Warm-up: public-coins (i.e., AM[poly])
4 IP ⊆ PSPACE
Easier direction!
Plan: For given input calculate Pr[yes] of honest verifier, maximum over all “prover strategies”
Warm-up: public-coins (i.e., AM[poly])
Could then use the “fact” that IP[poly]=AM[poly]
4 IP ⊆ PSPACE
Easier direction!
Plan: For given input calculate Pr[yes] of honest verifier, maximum over all “prover strategies”
Warm-up: public-coins (i.e., AM[poly])
Could then use the “fact” that IP[poly]=AM[poly]
Or modify the proof (as we’ll do)
4 AM[poly] ⊆ PSPACE
5 AM[poly] ⊆ PSPACE
Plan: For given input calculate max Pr[yes] over all “prover strategies”
5 AM[poly] ⊆ PSPACE
Plan: For given input calculate max Pr[yes] over all “prover strategies”
Assume for convenience (w.l.o.g) each message is a single bit and P, V a lte r n ate
5 AM[poly] ⊆ PSPACE
Plan: For given input calculate max Pr[yes] over all “prover strategies”
Assume for convenience (w.l.o.g) each message is a single bit and P, V a lte r n ate
Since public-coin, V messages are simply uniform random bits
5 AM[poly] ⊆ PSPACE
Plan: For given input calculate max Pr[yes] over all “prover strategies”
Assume for convenience (w.l.o.g) each message is a single bit and P, V a lte r n ate
Since public-coin, V messages are simply uniform random bits
Protocol’s configuration tree: path to a node corresponds to the transcript so far
5 AM[poly] ⊆ PSPACE
V Plan: For given input calculate max Pr[yes] over all “prover strategies”
Assume for convenience (w.l.o.g) P P each message is a single bit and P, V a lte r n ate V V V Since public-coin, V messages are simply uniform random bits
Protocol’s configuration tree: path to a node corresponds to the transcript so far
5 AM[poly] ⊆ PSPACE
V
P P
V V V
6 AM[poly] ⊆ PSPACE
Plan: For given input calculate maximum value, over all “prover strategies,” of Pr[yes] V
P P
V V V
6 AM[poly] ⊆ PSPACE
Plan: For given input calculate maximum value, over all “prover strategies,” of Pr[yes] V Note that finding the honest prover strategy may require super-PSPACE computation P P
V V V
6 AM[poly] ⊆ PSPACE
Plan: For given input calculate maximum value, over all “prover strategies,” of Pr[yes] V Note that finding the honest prover strategy may require super-PSPACE computation P P Recursively for each node, calculate maximum Pr[yes] V V V
6 AM[poly] ⊆ PSPACE
Plan: For given input calculate maximum value, over all “prover strategies,” of Pr[yes] V Note that finding the honest prover strategy may require super-PSPACE computation P P Recursively for each node, calculate maximum Pr[yes]
Leaves: Pr[yes] = 0 or 1, determined by V V V running verifier’s program
6 AM[poly] ⊆ PSPACE
Plan: For given input calculate maximum value, over all “prover strategies,” of Pr[yes] V Note that finding the honest prover strategy may require super-PSPACE computation P P Recursively for each node, calculate maximum Pr[yes]
Leaves: Pr[yes] = 0 or 1, determined by V V V running verifier’s program P nodes: max of children
6 AM[poly] ⊆ PSPACE
Plan: For given input calculate maximum value, over all “prover strategies,” of Pr[yes] V Note that finding the honest prover strategy may require super-PSPACE computation P P Recursively for each node, calculate maximum Pr[yes]
Leaves: Pr[yes] = 0 or 1, determined by V V V running verifier’s program P nodes: max of children V nodes: average of children
6 AM[poly] ⊆ PSPACE
Plan: For given input calculate maximum value, over all “prover strategies,” of Pr[yes] V Note that finding the honest prover strategy may require super-PSPACE computation P P Recursively for each node, calculate maximum Pr[yes]
Leaves: Pr[yes] = 0 or 1, determined by V V V running verifier’s program P nodes: max of children V nodes: average of children In PSPACE: depth polynomial
6 IP ⊆ PSPACE
V
P P
V V V
7 IP ⊆ PSPACE
Calculate max Pr[yes] when prover’s strategy can V depend only on messages and not private coins
P P
V V V
7 IP ⊆ PSPACE
Calculate max Pr[yes] when prover’s strategy can V depend only on messages and not private coins Maintain the set of consistent random-tapes at each V node P P
V V V
7 IP ⊆ PSPACE
Calculate max Pr[yes] when prover’s strategy can V depend only on messages and not private coins Maintain the set of consistent random-tapes at each V node P P Children of V node not always chosen with 1/2-1/2 probability. Instead weighted by fraction of consistent random-tapes V V V
7 IP ⊆ PSPACE
Calculate max Pr[yes] when prover’s strategy can V depend only on messages and not private coins Maintain the set of consistent random-tapes at each V node P P Children of V node not always chosen with 1/2-1/2 probability. Instead weighted by fraction of consistent random-tapes V V V Leaves: Pr[yes] determined by running verifier’s program on all consistent random-tapes of verifier
7 IP ⊆ PSPACE
Calculate max Pr[yes] when prover’s strategy can V depend only on messages and not private coins Maintain the set of consistent random-tapes at each V node P P Children of V node not always chosen with 1/2-1/2 probability. Instead weighted by fraction of consistent random-tapes V V V Leaves: Pr[yes] determined by running verifier’s program on all consistent random-tapes of verifier P nodes: max of children
7 IP ⊆ PSPACE
Calculate max Pr[yes] when prover’s strategy can V depend only on messages and not private coins Maintain the set of consistent random-tapes at each V node P P Children of V node not always chosen with 1/2-1/2 probability. Instead weighted by fraction of consistent random-tapes V V V Leaves: Pr[yes] determined by running verifier’s program on all consistent random-tapes of verifier P nodes: max of children V nodes: (weighted) average of children
7 PSPACE ⊆ IP
8 PSPACE ⊆ IP
Enough to show an IP protocol for TQBF
8 PSPACE ⊆ IP
Enough to show an IP protocol for TQBF
For any L in PSPACE, both prover and verifier can first reduce input to a TQBF instance, and then prover proves its membership
8 PSPACE ⊆ IP
Enough to show an IP protocol for TQBF
For any L in PSPACE, both prover and verifier can first reduce input to a TQBF instance, and then prover proves its membership
Recall TQBF
8 PSPACE ⊆ IP
Enough to show an IP protocol for TQBF
For any L in PSPACE, both prover and verifier can first reduce input to a TQBF instance, and then prover proves its membership
Recall TQBF
Decide whether a QBF is true or not
8 PSPACE ⊆ IP
Enough to show an IP protocol for TQBF
For any L in PSPACE, both prover and verifier can first reduce input to a TQBF instance, and then prover proves its membership
Recall TQBF
Decide whether a QBF is true or not
QBF: Q1x1 Q2x2 ... Qnxn F(x1,...,xn) for quantifiers Qi and a formula F on boolean variables
8 Arithmetization
9 Arithmetization
A Boolean formula as a polynomial
9 Arithmetization
A Boolean formula as a polynomial
Arithmetic over a field (finite, exponentially large characteristic)
9 Arithmetization
A Boolean formula as a polynomial
Arithmetic over a field (finite, exponentially large characteristic)
0 and 1 (identities of addition and multiplication) instead of False and True
9 Arithmetization
A Boolean formula as a polynomial
Arithmetic over a field (finite, exponentially large characteristic)
0 and 1 (identities of addition and multiplication) instead of False and True
For formula F, polynomial P such that for boolean vector b and corresponding 0-1 vector x we have F(b) = P(x)
9 Arithmetization
A Boolean formula as a polynomial
Arithmetic over a field (finite, exponentially large characteristic)
0 and 1 (identities of addition and multiplication) instead of False and True
For formula F, polynomial P such that for boolean vector b and corresponding 0-1 vector x we have F(b) = P(x)
NOT: (1-x); AND: x.y
9 Arithmetization
A Boolean formula as a polynomial
Arithmetic over a field (finite, exponentially large characteristic)
0 and 1 (identities of addition and multiplication) instead of False and True
For formula F, polynomial P such that for boolean vector b and corresponding 0-1 vector x we have F(b) = P(x)
NOT: (1-x); AND: x.y
OR (as NOT of AND of NOT): 1 - (1-x).(1-y)
9 Arithmetization
A Boolean formula as a polynomial
Arithmetic over a field (finite, exponentially large characteristic)
0 and 1 (identities of addition and multiplication) instead of False and True
For formula F, polynomial P such that for boolean vector b and corresponding 0-1 vector x we have F(b) = P(x)
NOT: (1-x); AND: x.y
OR (as NOT of AND of NOT): 1 - (1-x).(1-y)
Alternately, OR: x+y. True corresponds to ! 0
9 Arithmetization
A Boolean formula as a polynomial
Arithmetic over a field (finite, exponentially large characteristic)
0 and 1 (identities of addition and multiplication) instead of False and True
For formula F, polynomial P such that for boolean vector b and corresponding 0-1 vector x we have F(b) = P(x)
NOT: (1-x); AND: x.y
OR (as NOT of AND of NOT): 1 - (1-x).(1-y)
Alternately, OR: x+y. True corresponds to ! 0
Can always use a polynomial linear in each variable since xn=x for x=0 and x=1 9 Arithmetization
10 Arithmetization A QBF as a polynomial
10 Arithmetization A QBF as a polynomial
TRUE will correspond to ! 0, and FALSE = 0 (when variables are assigned 1/0 for TRUE/FALSE)
10 Arithmetization A QBF as a polynomial
TRUE will correspond to ! 0, and FALSE = 0 (when variables are assigned 1/0 for TRUE/FALSE)
Suppose for Boolean formula F, polynomial P
10 Arithmetization A QBF as a polynomial
TRUE will correspond to ! 0, and FALSE = 0 (when variables are assigned 1/0 for TRUE/FALSE)
Suppose for Boolean formula F, polynomial P
∃x F(x) → P(0) + P(1) > 0 (i.e., Σx=0,1 P(x) > 0)
10 Arithmetization A QBF as a polynomial
TRUE will correspond to ! 0, and FALSE = 0 (when variables are assigned 1/0 for TRUE/FALSE)
Suppose for Boolean formula F, polynomial P
∃x F(x) → P(0) + P(1) > 0 (i.e., Σx=0,1 P(x) > 0)
∀x F(x) → P(0).P(1) > 0 (i.e., Πx=0,1 P(x) > 0)
10 Arithmetization A QBF as a polynomial
TRUE will correspond to ! 0, and FALSE = 0 (when variables are assigned 1/0 for TRUE/FALSE)
Suppose for Boolean formula F, polynomial P
∃x F(x) → P(0) + P(1) > 0 (i.e., Σx=0,1 P(x) > 0)
∀x F(x) → P(0).P(1) > 0 (i.e., Πx=0,1 P(x) > 0)
Extends to more quantifiers: i.e., if F(x) is a QBF above
10 Arithmetization A QBF as a polynomial
TRUE will correspond to ! 0, and FALSE = 0 (when variables are assigned 1/0 for TRUE/FALSE)
Suppose for Boolean formula F, polynomial P
∃x F(x) → P(0) + P(1) > 0 (i.e., Σx=0,1 P(x) > 0)
∀x F(x) → P(0).P(1) > 0 (i.e., Πx=0,1 P(x) > 0)
Extends to more quantifiers: i.e., if F(x) is a QBF above
So, how do you arithmetize ∃x∀y G(x,y) and ∀y∃x G(x,y)?
10 Arithmetization A QBF as a polynomial
TRUE will correspond to ! 0, and FALSE = 0 (when variables are assigned 1/0 for TRUE/FALSE)
Suppose for Boolean formula F, polynomial P
∃x F(x) → P(0) + P(1) > 0 (i.e., Σx=0,1 P(x) > 0)
∀x F(x) → P(0).P(1) > 0 (i.e., Πx=0,1 P(x) > 0)
Extends to more quantifiers: i.e., if F(x) is a QBF above
So, how do you arithmetize ∃x∀y G(x,y) and ∀y∃x G(x,y)?
Σx=0,1 Πy=0,1 P(x,y) > 0 and Πy=0,1 Σx=0,1 P(x,y) > 0
10 Arithmetization
11 Arithmetization
For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π, and P is a (multi-linear) polynomial
11 Arithmetization
For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π, and P is a (multi-linear) polynomial
Instead suppose all Qi are Σ
11 Arithmetization
For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π, and P is a (multi-linear) polynomial
Instead suppose all Qi are Σ
Counts number of satisfying assignments to an (unquantified) boolean formula F
11 Arithmetization
For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π, and P is a (multi-linear) polynomial
Instead suppose all Qi are Σ
Counts number of satisfying assignments to an (unquantified) boolean formula F
Proving > 0 is trivial
11 Arithmetization
For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π, and P is a (multi-linear) polynomial
Instead suppose all Qi are Σ
Counts number of satisfying assignments to an (unquantified) boolean formula F
Proving > 0 is trivial
Consider proving = K (will be useful in the general case)
11 Sum-check protocol
12 Sum-check protocol
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
12 Verifier has only oracle Sum-check protocol access to P
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
12 Verifier has only oracle Sum-check protocol access to P
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
Note: to evaluate need to add up 2n values
12 Verifier has only oracle Sum-check protocol access to P
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
Note: to evaluate need to add up 2n values
Base case: n=0. Verifier will simply use oracle access to P.
12 Verifier has only oracle Sum-check protocol access to P
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
Note: to evaluate need to add up 2n values
Base case: n=0. Verifier will simply use oracle access to P.
For n>0: Let R(X) := Σx2...Σxn P(X,x2,...,xn)
12 Verifier has only oracle Sum-check protocol access to P
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
Note: to evaluate need to add up 2n values
Base case: n=0. Verifier will simply use oracle access to P.
For n>0: Let R(X) := Σx2...Σxn P(X,x2,...,xn)
Σx1...Σxn P(x1,...,xn) = R(0) + R(1)
12 Verifier has only oracle Sum-check protocol access to P
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
Note: to evaluate need to add up 2n values
Base case: n=0. Verifier will simply use oracle access to P.
For n>0: Let R(X) := Σx2...Σxn P(X,x2,...,xn)
Σx1...Σxn P(x1,...,xn) = R(0) + R(1)
R has only one variable and degree at most d
12 Verifier has only oracle Sum-check protocol access to P
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
Note: to evaluate need to add up 2n values
Base case: n=0. Verifier will simply use oracle access to P.
Σ Σ For n>0: Let R(X) := x2... xn P(X,x2,...,xn) Π Σ, no Only Σx1...Σxn P(x1,...,xn) = R(0) + R(1)
R has only one variable and degree at most d
12 Verifier has only oracle Sum-check protocol access to P
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
Note: to evaluate need to add up 2n values
Base case: n=0. Verifier will simply use oracle access to P.
Σ Σ For n>0: Let R(X) := x2... xn P(X,x2,...,xn) Π Σ, no Only Σx1...Σxn P(x1,...,xn) = R(0) + R(1)
R has only one variable and degree at most d
Prover sends T=R (as d+1 coefficients) to verifier
12 Verifier has only oracle Sum-check protocol access to P
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
Note: to evaluate need to add up 2n values
Base case: n=0. Verifier will simply use oracle access to P.
Σ Σ For n>0: Let R(X) := x2... xn P(X,x2,...,xn) Π Σ, no Only Σx1...Σxn P(x1,...,xn) = R(0) + R(1)
R has only one variable and degree at most d Needs degree to be small Prover sends T=R (as d+1 coefficients) to verifier
12 Verifier has only oracle Sum-check protocol access to P
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
Note: to evaluate need to add up 2n values
Base case: n=0. Verifier will simply use oracle access to P.
Σ Σ For n>0: Let R(X) := x2... xn P(X,x2,...,xn) Π Σ, no Only Σx1...Σxn P(x1,...,xn) = R(0) + R(1)
R has only one variable and degree at most d Needs degree to be small Prover sends T=R (as d+1 coefficients) to verifier
Verifier checks K = T(0) + T(1). Still needs to check T=R
12 Sum-check protocol
13 Sum-check protocol
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
13 Sum-check protocol
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
Verifier wants to check T(X) = R(X) := Σx2...Σxn P(X,x2,...,xn)
13 Sum-check protocol
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
Verifier wants to check T(X) = R(X) := Σx2...Σxn P(X,x2,...,xn)
Picks random field element a (large enough field)
13 Sum-check protocol
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
Verifier wants to check T(X) = R(X) := Σx2...Σxn P(X,x2,...,xn)
Picks random field element a (large enough field)
Asks prover to prove that T(a) = R(a) = Σx2...Σxn P(a,x2,...,xn)
13 Sum-check protocol
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
Verifier wants to check T(X) = R(X) := Σx2...Σxn P(X,x2,...,xn)
Picks random field element a (large enough field)
Asks prover to prove that T(a) = R(a) = Σx2...Σxn P(a,x2,...,xn)
Recurse on P1(x2,...,xn) = P(a,x2,...,xn) of one variable less
13 Sum-check protocol
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
Verifier wants to check T(X) = R(X) := Σx2...Σxn P(X,x2,...,xn)
Picks random field element a (large enough field)
Asks prover to prove that T(a) = R(a) = Σx2...Σxn P(a,x2,...,xn)
Recurse on P1(x2,...,xn) = P(a,x2,...,xn) of one variable less
i.e., Recurse to prove Σx2...Σxn P1(x2,...,xn) = T(a)
13 Sum-check protocol
To prove: Σx1...Σxn P(x1,...,xn) = K for some degree d polynomial P
Verifier wants to check T(X) = R(X) := Σx2...Σxn P(X,x2,...,xn)
Picks random field element a (large enough field)
Asks prover to prove that T(a) = R(a) = Σx2...Σxn P(a,x2,...,xn)
Recurse on P1(x2,...,xn) = P(a,x2,...,xn) of one variable less
i.e., Recurse to prove Σx2...Σxn P1(x2,...,xn) = T(a)
Note: P1 has degree at most d; verifier has oracle access to P1 (as it knows a, and has oracle access to P)
13 Sum-check protocol
14 Sum-check protocol Why does sum-check protocol work?
14 Sum-check protocol Why does sum-check protocol work?
Instead of checking T(X) = R(X), simply checks (recursively) if T(a)=R(a) for a single random a in the field
14 Can’t afford Sum-check protocol more than one check Why does sum-check protocol work?
Instead of checking T(X) = R(X), simply checks (recursively) if T(a)=R(a) for a single random a in the field
14 Can’t afford Sum-check protocol more than one check Why does sum-check protocol work?
Instead of checking T(X) = R(X), simply checks (recursively) if T(a)=R(a) for a single random a in the field
Completeness is obvious
14 Can’t afford Sum-check protocol more than one check Why does sum-check protocol work?
Instead of checking T(X) = R(X), simply checks (recursively) if T(a)=R(a) for a single random a in the field
Completeness is obvious
Soundness: Since T(X) and R(X) are of degree d, if T!R, at most d points where they agree
14 Can’t afford Sum-check protocol more than one check Why does sum-check protocol work?
Instead of checking T(X) = R(X), simply checks (recursively) if T(a)=R(a) for a single random a in the field
Completeness is obvious
Soundness: Since T(X) and R(X) are of degree d, if T!R, at most d points where they agree
Error (picking a bad a), with probability " d/p, where field is of size p
14 Can’t afford Sum-check protocol more than one check Why does sum-check protocol work?
Instead of checking T(X) = R(X), simply checks (recursively) if T(a)=R(a) for a single random a in the field
Completeness is obvious
Soundness: Since T(X) and R(X) are of degree d, if T!R, at most d points where they agree
Error (picking a bad a), with probability " d/p, where field is of size p
Also possible error in recursive step (despite good a)
14 Can’t afford Sum-check protocol more than one check Why does sum-check protocol work?
Instead of checking T(X) = R(X), simply checks (recursively) if T(a)=R(a) for a single random a in the field
Completeness is obvious
Soundness: Since T(X) and R(X) are of degree d, if T!R, at most d points where they agree
Error (picking a bad a), with probability " d/p, where field is of size p
Also possible error in recursive step (despite good a)
At most nd/p if n variables. Can take p exponential.
14 IP Protocol for TQBF
15 IP Protocol for TQBF
For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π and P is a multi-linear polynomial
15 IP Protocol for TQBF
For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π and P is a multi-linear polynomial
In fact a protocol to prove: Q1 x1... Qn xn P(x1,...,xn) = K
15 IP Protocol for TQBF
For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π and P is a multi-linear polynomial
In fact a protocol to prove: Q1 x1... Qn xn P(x1,...,xn) = K
Problem with generalizing sum-check protocol: the univariate poly R(X) := Q2 x2... Qn xn P(X,x2,...,xn) has exponential degree. Verifier can’t read T(X)=R(X)
15 IP Protocol for TQBF
For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π and P is a multi-linear polynomial
In fact a protocol to prove: Q1 x1... Qn xn P(x1,...,xn) = K
Problem with generalizing sum-check protocol: the univariate poly R(X) := Q2 x2... Qn xn P(X,x2,...,xn) has exponential degree. Verifier can’t read T(X)=R(X)
Instead of T, can work with “linearization” of T.
15 IP Protocol for TQBF
For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π and P is a multi-linear polynomial
In fact a protocol to prove: Q1 x1... Qn xn P(x1,...,xn) = K
Problem with generalizing sum-check protocol: the univariate poly R(X) := Q2 x2... Qn xn P(X,x2,...,xn) has exponential degree. Verifier can’t read T(X)=R(X)
Instead of T, can work with “linearization” of T.
Prover sends L(X) = ( T(1)-T(0) ) X + T(0)
15 IP Protocol for TQBF
For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π and P is a multi-linear polynomial
In fact a protocol to prove: Q1 x1... Qn xn P(x1,...,xn) = K
Problem with generalizing sum-check protocol: the univariate poly R(X) := Q2 x2... Qn xn P(X,x2,...,xn) has exponential degree. Verifier can’t read T(X)=R(X)
Instead of T, can work with “linearization” of T.
Prover sends L(X) = ( T(1)-T(0) ) X + T(0) Verifier checks (as appropriate) L(1).L(0) = K or L(1)+L(0) = K
15 IP Protocol for TQBF
For a protocol for TQBF: Give a protocol for proving that Q1(x1=0,1) Q2(x2=0,1) ... Qn(xn=0,1) P(x1,...,xn) > 0, where Qi are Σ or Π and P is a multi-linear polynomial
In fact a protocol to prove: Q1 x1... Qn xn P(x1,...,xn) = K
Problem with generalizing sum-check protocol: the univariate poly R(X) := Q2 x2... Qn xn P(X,x2,...,xn) has exponential degree. Verifier can’t read T(X)=R(X)
Instead of T, can work with “linearization” of T.
Prover sends L(X) = ( T(1)-T(0) ) X + T(0) Verifier checks (as appropriate) L(1).L(0) = K or L(1)+L(0) = K Verifier picks random a, and asks prover to show R’(a) = L(a)
linearization of R(X) 15 IP Protocol for TQBF
16 IP Protocol for TQBF
IP = PSPACE
16 IP Protocol for TQBF
IP = PSPACE
Protocol is public-coin
16 IP Protocol for TQBF
IP = PSPACE
Protocol is public-coin
IP = AM[poly] = PSPACE
16 IP Protocol for TQBF
IP = PSPACE
Protocol is public-coin
IP = AM[poly] = PSPACE
Protocol has perfect completeness
16