Interactive Proofs

Nabil Mustafa

Computational Complexity

Deterministic Interactive Proof System

Deterministic Proof Systems: A language L has a k-round deterministic interactive proof system if there exists a TM V such that on input x,

1. V runs in time polynomial in $|x|$
2. $x \in L \implies \exists P$ s.t. $V(x) = 1$ after k rounds with P
3. $x \notin L \implies \forall P$, $V(x) = 0$ after k rounds with P

Note: each message sent is one round. Messages have to be of length polynomial in $|x|$.

dIP: dIP is the set of languages with a k(n)-round interactive proof system, where k(n) is a polynomial in n.

The Class IP

Interactivity doesn't seem to give more power

- Mainly because the prover knows the verifier algorithm
- So prover just 'simulates' the messages all at once

Now we consider when the verifier is probabilistic

Defining IP: Let $k : \mathbb{N} \to \mathbb{N}$ be some function. A language L is in IP[k] if there is a $k(|x|)$-time probabilistic TM V such that:

$$x \in L \implies \exists P \;\; \Pr[\, V \text{ accepts } x,\ V(x) = 1 \,] \ge 2/3$$

$$x \notin L \implies \forall P \;\; \Pr[\, V \text{ accepts } x,\ V(x) = 1 \,] \le 1/3$$

Definition: $\mathrm{IP} = \bigcup_{c} \mathrm{IP}[n^c]$

$\overline{\text{3SAT}}$

Claim: $\overline{\text{3SAT}} \in \mathrm{IP}$

Given $\varphi = C_1 \wedge \dots \wedge C_m$ in n variables $x_1, \dots, x_n$
Have to accept $\varphi$ iff $\varphi$ is not satisfiable

We give an n-round interactive proof as follows. Proof steps:

- Reduce the problem to polynomial identity testing over {0, 1}
- Think of the polynomial over a larger domain
- Present a Verifier protocol for proving this identity

Basic Idea of the Protocol

Verifier: How many satisfying assignments for $\varphi(x_1, \dots, x_n)$?

Prover: $\varphi(x_1, \dots, x_n)$ has k satisfying assignments.

Let's say the Prover is lying. So how to catch that?

Verifier: How many satisfying assignments do $\varphi(0, x_2, \dots, x_n)$ and $\varphi(1, x_2, \dots, x_n)$ have?

Prover: $k_0$ and $k_1$ satisfying assignments respectively

Now, if $k_0 + k_1 \ne k$, obviously the Prover is lying. What if $k_0 + k_1 = k$?

Basic Idea of the Protocol

Claim: Then the Prover is lying for $k_0$ and/or $k_1$.

Now the Verifier recursively verifies the formulas $\varphi(0, x_2, \dots, x_n)$ and $\varphi(1, x_2, \dots, x_n)$. Eventually, we reach a point where a constant number of variables is left. Then the Verifier can check it himself and find out if the Prover lied at any stage.

Idea: After telling one lie, the Prover is forced to keep lying. If he tells the truth at any later stage, he gets caught!

Problem: Takes an exponential number of rounds.

Takes $2^n$ rounds: $T(n) = 2T(n-1)$, $T(O(1)) = 1$

Actually, we end up just enumerating all possible assignments!

Basic Idea of the Protocol

Solution: Guess which answer is wrong and recurse there.

At each step i, eliminate the variable $x_i$. Total steps: n

If Prover is honest, no matter what we guess, in the end always find the Prover's answers correct. If Prover is lying, to find out he's lying, we have to:

- At each step, guess the correct 'wrong' answer
- Follow the right path at each step with probability 1/2

Verifier correctly finds Prover's lie with probability $1/2^n$

Probability of rejection is exponentially low
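The guessing protocol above, simulated exactly over every sequence of Verifier guesses, as an added example that is not part of the original slides. The clause encoding, the sample formula `PHI` and the `LyingProver` strategy are constructed for illustration.

```python
from fractions import Fraction
from itertools import product

# Constructed sample 3-CNF over x1..x3: literal +i means x_i, -i means NOT x_i.
PHI = [(1, 2, -3), (-1, 2, 3), (1, -2, 3)]
N = 3

def satisfies(clauses, assignment):
    """True if the 0/1 tuple `assignment` satisfies every clause."""
    return all(any((assignment[abs(l) - 1] == 1) == (l > 0) for l in clause)
               for clause in clauses)

def count_sat(clauses, n, prefix):
    """Number of satisfying assignments that start with `prefix`."""
    rest = n - len(prefix)
    return sum(satisfies(clauses, prefix + tail)
               for tail in product((0, 1), repeat=rest))

class HonestProver:
    def __init__(self, clauses, n):
        self.clauses, self.n = clauses, n

    def initial_claim(self):
        return count_sat(self.clauses, self.n, ())

    def split(self, prefix, claim):
        """Answer (k0, k1) for phi(prefix, 0, ...) and phi(prefix, 1, ...)."""
        return (count_sat(self.clauses, self.n, prefix + (0,)),
                count_sat(self.clauses, self.n, prefix + (1,)))

class LyingProver(HonestProver):
    """Overstates the count by one, then hides the error in the 0-branch of
    every split so that k0 + k1 = k always holds (constructed strategy)."""

    def initial_claim(self):
        return super().initial_claim() + 1

    def split(self, prefix, claim):
        k1 = count_sat(self.clauses, self.n, prefix + (1,))  # truthful
        return claim - k1, k1                                 # k0 absorbs the lie

def verifier_accepts(clauses, n, prover, guesses):
    """Run the n-step protocol; `guesses` are the Verifier's branch choices."""
    prefix, claim = (), prover.initial_claim()
    for b in guesses:
        k0, k1 = prover.split(prefix, claim)
        if k0 + k1 != claim:          # the only check available mid-protocol
            return False
        prefix, claim = prefix + (b,), (k0, k1)[b]
    # All variables are fixed: the Verifier evaluates phi itself.
    return claim == int(satisfies(clauses, prefix))

def rejection_probability(clauses, n, prover):
    """Exact probability, over uniform guesses, that the Verifier rejects."""
    rejected = sum(not verifier_accepts(clauses, n, prover, g)
                   for g in product((0, 1), repeat=n))
    return Fraction(rejected, 2 ** n)

if __name__ == "__main__":
    print("honest:", rejection_probability(PHI, N, HonestProver(PHI, N)))
    print("lying: ", rejection_probability(PHI, N, LyingProver(PHI, N)))
```

Only the all-zero guess sequence follows the lie to the end; on every other path the prover is answering truthfully by the time the Verifier checks.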

Reduction

$\varphi = C_1 \wedge \dots \wedge C_m$, where $C_i = (x^i_1 \vee x^i_2 \vee x^i_3)$

Given $\varphi$, construct the following polynomial:

- Each boolean variable $x_i$ becomes an integer variable $x_i$
- Each clause $C_i$ maps to a linear polynomial $\Phi(C_i)$
- $\varphi \to \Phi(x_1, \dots, x_n)$: product of polynomials for all clauses

$x_i \to x_i$, $\bar{x}_i \to (1 - x_i)$, $\vee \to +$, $\wedge \to \cdot$

Claim: $\Phi(a_1, \dots, a_n) = 0$ iff the assignment $x_i = a_i$ does not satisfy $\varphi$.

Summing over all $2^n$ assignments, we get:

$$\varphi(x_1, \dots, x_n) \text{ unsatisfiable} \iff \sum_{x_1=0,1} \sum_{x_2=0,1} \cdots \sum_{x_n=0,1} \Phi(x_1, \dots, x_n) = 0$$

63 / 144 Since Prover lies more, higher probability of getting caught

Define the following: X X h(a1,..., ai−1, X ) = ··· Φ(a1,..., ai−1, X , xi+1,..., xn)

xi+1=0,1 xn=0,1

h(a1,..., ai−1, X ) is a univariate degree-m polynomial in X In previous protocol:

I At step i, ask for φ(a1,..., ai−1, 0/1,..., xn), where a1,... ai−1 are the previously fixed assignments by Verifier

I Prover returns two integers, no other information about φ We can re-state the same protocol over Φ instead of φ:

I At step i, ask for the polynomial Φ(a1,..., ai−1, X ,..., xn) I Given this polynomial, we can ourselves compute Φ(a1,..., ai−1, 0,..., xn) and Φ(a1,..., ai−1, 1,..., xn) I So, it is strictly a generalization of the previous protocol Idea: Instead of asking for only the number of satisfying assignments, ask more information about the formula

Define the following:

$$h(a_1,\dots,a_{i-1},X) = \sum_{x_{i+1}=0,1} \cdots \sum_{x_n=0,1} \Phi(a_1,\dots,a_{i-1},X,x_{i+1},\dots,x_n)$$

$h(a_1,\dots,a_{i-1},X)$ is a univariate degree-$m$ polynomial in $X$

In previous protocol:

- At step $i$, ask for $\phi(a_1,\dots,a_{i-1},0/1,\dots,x_n)$, where $a_1,\dots,a_{i-1}$ are the previously fixed assignments by Verifier
- Prover returns two integers, no other information about $\phi$

We can re-state the same protocol over $\Phi$ instead of $\phi$:

- At step $i$, ask for the polynomial $\Phi(a_1,\dots,a_{i-1},X,\dots,x_n)$
- Given this polynomial, we can ourselves compute $\Phi(a_1,\dots,a_{i-1},0,\dots,x_n)$ and $\Phi(a_1,\dots,a_{i-1},1,\dots,x_n)$
- So, it is strictly a generalization of the previous protocol

Idea: Instead of asking for only the number of satisfying assignments, ask more information about the formula

Since Prover lies more, higher probability of getting caught

Re-Stating Old Protocol

Verifier: What is $h(X) = \sum_{x_2=0,1} \cdots \sum_{x_n=0,1} \Phi(X,x_2,\dots,x_n)$?

Prover: Returns a univariate polynomial $g(X)$

Verifier: If $g(0) + g(1) > 0$, $\exists$ satisfying assignments, so ‘reject’

However, if $g(0) + g(1) = 0$, two cases:

- The formula is unsatisfiable, in which case should ‘accept’
- The Prover is lying, in which case should ‘reject’

Assume Prover lying: $g(0) + g(1) = 0$ while $h(0) + h(1) > 0$.

$$h(0) + h(1) \neq g(0) + g(1) \implies g(0) \neq h(0) \text{ or } g(1) \neq h(1)$$

Assume Verifier correctly guesses $g(0) \neq h(0)$

Re-Stating Old Protocol

Verifier: If $g(0) + g(1) = 0$, ask Prover for $h(0,X)$

Prover: Returns a univariate polynomial $g(0,X)$

Verifier: If $g(0) \neq g(0,0) + g(0,1)$, ‘reject’

By definition, $h(a_1,\dots,a_i) = h(a_1,\dots,a_i,0) + h(a_1,\dots,a_i,1)$

So Prover is lying about $g(0,X)$, or about $g(X)$

Claim: If $g(0,0) + g(0,1) = g(0)$ and Prover lied at Step 1, Prover is also lying now.

If Prover lied at step 1, and assuming we guessed correctly which part he was lying about, $g(0) \neq h(0)$

But $g(0,0) + g(0,1) = g(0) \neq h(0)$, so $g(0,X)$ is incorrect.

Same Idea: During the protocol, if the Prover lies even once, from then on, it has to keep lying, otherwise will get caught. If we guessed correctly which part he was lying about at each step, in the end he will get caught.

Re-Stating Old Protocol

Assume until $i-1$ steps, Prover has not lied

Assume that $i$-th answer from Prover is incorrect, i.e.

$$g(a_1,\dots,a_{i-1},X) \neq h(a_1,\dots,a_{i-1},X)$$

Assume $g(a_1,\dots,a_{i-1},0) \neq h(a_1,\dots,a_{i-1},0)$

Verifier guesses correctly and asks for $h(a_1,\dots,a_{i-1},0,X)$

Prover returns $g(a_1,\dots,a_{i-1},0,X)$

Verifier rejects if Prover is inconsistent with previous answer:

$$g(a_1,\dots,a_{i-1},0) \neq g(a_1,\dots,a_{i-1},0,0) + g(a_1,\dots,a_{i-1},0,1)$$

Assume $g(a_1,\dots,a_{i-1},0) = g(\dots,a_{i-1},0,0) + g(\dots,a_{i-1},0,1)$

Claim: $g(a_1,\dots,a_{i-1},0,X) \neq h(a_1,\dots,a_{i-1},0,X)$

- $g(a_1,\dots,a_{i-1},0) = g(a_1,\dots,a_{i-1},0,0) + g(a_1,\dots,a_{i-1},0,1)$
- $g(a_1,\dots,a_{i-1},0) \neq h(a_1,\dots,a_{i-1},0)$
- $h(a_1,\dots,a_{i-1},0) \neq g(a_1,\dots,a_{i-1},0,0) + g(a_1,\dots,a_{i-1},0,1)$
- But $h(\cdot)$ is correct, so $g(a_1,\dots,a_{i-1},0,X)$ must be incorrect.

106 / 144 I Advantage: If h(X ) 6= g(X ), h(y) 6= g(y) for many y’s Claim: If h(X ) 6= g(X ), h(y) = g(y) for at most m y’s

I h(y) = g(y) iff y is a root of h(X ) − g(X ), of degree m

To Recap

Prover gives Verifier the polynomial g(X ) Prover has given the wrong polynomial (i.e., g(X ) 6= h(X ))

I Problematic if g(0) 6= h(0) or g(1) 6= h(1) I Note: Other way around is not true. Why?

I Of course we can’t tell since we don’t know h(X ) I Again, have to make a random choice with probability 1/2 Showed that if h(0) 6= g(0), then h(0, X ) 6= g(0, X ) And so continue on by induction Idea: Instead of checking h(0), h(1), why not check if polynomials h(X ) = g(X )

I Clearly h(0) 6= g(0) or h(1) 6= g(1) imply the above

107 / 144 Claim: If h(X ) 6= g(X ), h(y) = g(y) for at most m y’s

I h(y) = g(y) iff y is a root of h(X ) − g(X ), of degree m

To Recap

Prover gives Verifier the polynomial g(X ) Prover has given the wrong polynomial (i.e., g(X ) 6= h(X ))

I Problematic if g(0) 6= h(0) or g(1) 6= h(1) I Note: Other way around is not true. Why?

I Of course we can’t tell since we don’t know h(X ) I Again, have to make a random choice with probability 1/2 Showed that if h(0) 6= g(0), then h(0, X ) 6= g(0, X ) And so continue on by induction Idea: Instead of checking h(0), h(1), why not check if polynomials h(X ) = g(X )

I Clearly h(0) 6= g(0) or h(1) 6= g(1) imply the above I Advantage: If h(X ) 6= g(X ), h(y) 6= g(y) for many y’s

108 / 144 I h(y) = g(y) iff y is a root of h(X ) − g(X ), of degree m

To Recap

Prover gives Verifier the polynomial g(X ) Prover has given the wrong polynomial (i.e., g(X ) 6= h(X ))

I Problematic if g(0) 6= h(0) or g(1) 6= h(1) I Note: Other way around is not true. Why?

I Of course we can’t tell since we don’t know h(X ) I Again, have to make a random choice with probability 1/2 Showed that if h(0) 6= g(0), then h(0, X ) 6= g(0, X ) And so continue on by induction Idea: Instead of checking h(0), h(1), why not check if polynomials h(X ) = g(X )

I Clearly h(0) 6= g(0) or h(1) 6= g(1) imply the above I Advantage: If h(X ) 6= g(X ), h(y) 6= g(y) for many y’s Claim: If h(X ) 6= g(X ), h(y) = g(y) for at most m y’s

To Recap

Prover gives Verifier the polynomial g(X)
Prover has given the wrong polynomial (i.e., g(X) ≠ h(X))
  - Problematic if g(0) ≠ h(0) or g(1) ≠ h(1)
  - Note: Other way around is not true. Why?
  - Of course we can't tell since we don't know h(X)
  - Again, have to make a random choice with probability 1/2
Showed that if h(0) ≠ g(0), then h(0, X) ≠ g(0, X)
And so continue on by induction
Idea: Instead of checking h(0), h(1), why not check if polynomials h(X) = g(X)
  - Clearly h(0) ≠ g(0) or h(1) ≠ g(1) imply the above
  - Advantage: If h(X) ≠ g(X), h(y) ≠ g(y) for many y's
Claim: If h(X) ≠ g(X), h(y) = g(y) for at most m y's
  - h(y) = g(y) iff y is a root of h(X) − g(X), of degree m

Final Protocol

Verifier: What is h(X)?
Prover: Returns a univariate polynomial g(X)
Verifier: If g(0) + g(1) > 0, ∃ satisfying assignments, so 'reject'
Verifier suspects Prover is lying and g(X) ≠ h(X)

Verifier: Pick random integer a_1 ∈ {0,..., q}. What is h(a_1, X)?

Claim: With prob. ≥ (1 − m/q), h(a_1) ≠ g(a_1)
  - With prob. ≥ (1 − m/q), a_1 is not a root of h(X) − g(X)

Prover: Returns a univariate polynomial g(a_1, X)

Verifier: Rejects if g(a_1, 0) + g(a_1, 1) ≠ g(a_1)

Claim: If h(a_1) ≠ g(a_1), then g(a_1, X) ≠ h(a_1, X)
  - Know that g(a_1, 0) + g(a_1, 1) = g(a_1) ≠ h(a_1)
  - g(a_1, 0) + g(a_1, 1) ≠ h(a_1), where h(·) is correct.

And continue on. When a constant number of variables is left, compute h(·), and compare with g(·) to find if Prover is lying.

Analysis

If φ is unsatisfiable
  - An honest Prover always replies h(·) = g(·)
  - Then, for any a_i, h(·) and g(·) are always equal
  - In the end, Verifier finds no lying and accepts.

If φ is satisfiable
  - An honest Prover always replies h(·) = g(·)
  - Verifier finds g(0) + g(1) ≠ 0 and rejects

If φ is satisfiable
  - A lying Prover lies about g(·)
  - Verifier takes 'correct' path with prob. (1 − m/q) at each step
  - Prob. Prover caught lying in the end: (1 − m/q)^n > 1 − mn/q > 2/3 if q > 3mn.

Analysis

Finally, note that:
  - For each fixed assignment, Φ has value at most 3^m
  - Summed over all assignments, Φ has value at most 2^n 3^m
Therefore, the following are equivalent, for q > 2^n 3^m:

  φ(x_1, ..., x_n) unsatisfiable
    ⇐⇒ Σ_{x_1=0,1} Σ_{x_2=0,1} ··· Σ_{x_n=0,1} Φ(x_1, ..., x_n) = 0
    ⇐⇒ Σ_{x_1=0,1} Σ_{x_2=0,1} ··· Σ_{x_n=0,1} Φ(x_1, ..., x_n) = 0 (mod q)

So, without any loss, one can do protocol over (mod q)
Need a field to guarantee at most m roots in (mod q), so pick q to be a prime.
There exists a prime q ∈ [2^n 2^m, 2 · 2^n 2^m]
Picking random a_i requires log(2 · 2^n 2^m) = O(n + m) bits
Similarly, the polynomials take space O(m(n + m))
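An added worked example (not from the original slides): a Python run of the protocol and its analysis above over the integers mod a prime q, with an honest Prover and a dishonest one that the final check catches. Assumptions: Φ is the arithmetization in which each clause becomes the sum of its literal values (x_i or 1 − x_i) and Φ is the product of the clauses; a_i is drawn from {0, ..., q − 1}; all n rounds are run before Φ is evaluated at the random point; the Prover sends g as its values at 0, ..., m. All function names, the sample formulas and the constant-shift dishonest Prover are constructed for illustration.

```python
import random

Q = 2**31 - 1  # a prime; must exceed 2^n * 3^m for the sample formulas below

def phi(clauses, point, q):
    """Assumed arithmetization: product over clauses of the sum of literal values, mod q."""
    val = 1
    for clause in clauses:
        s = sum(point[l - 1] if l > 0 else 1 - point[-l - 1] for l in clause)
        val = val * s % q
    return val

def partial_sum(clauses, prefix, n, q):
    """h(prefix): sum of phi over all 0/1 settings of the variables after prefix."""
    k = n - len(prefix)
    return sum(phi(clauses, prefix + [(b >> j) & 1 for j in range(k)], q)
               for b in range(1 << k)) % q

def interpolate_at(ys, a, q):
    """Value at a of the polynomial of degree <= len(ys)-1 with g(i) = ys[i] (Lagrange)."""
    total = 0
    for i, yi in enumerate(ys):
        num = den = 1
        for j in range(len(ys)):
            if j != i:
                num = num * (a - j) % q
                den = den * (i - j) % q
        total = (total + yi * num * pow(den, -1, q)) % q
    return total

def honest_prover(clauses, n, q):
    """Replies with the true polynomial h(prefix, X), given as its values at X = 0..m."""
    m = len(clauses)
    return lambda prefix: [partial_sum(clauses, prefix + [x], n, q) for x in range(m + 1)]

def shifting_prover(clauses, n, q):
    """Dishonest: adds a constant to the true polynomial so every sum check passes."""
    m, last = len(clauses), []
    def respond(prefix):
        claim = interpolate_at(last, prefix[-1], q) if prefix else 0
        h = [partial_sum(clauses, prefix + [x], n, q) for x in range(m + 1)]
        shift = (claim - h[0] - h[1]) * pow(2, -1, q) % q
        last[:] = [(y + shift) % q for y in h]
        return list(last)
    return respond

def verify_unsat(clauses, n, q, respond, rng):
    """Verifier for the claim 'sum of phi over {0,1}^n is 0'. Returns (ok, reason)."""
    m = len(clauses)
    if q <= 2**n * 3**m:
        raise ValueError("q too small: a nonzero integer sum could be 0 mod q")
    claim, prefix = 0, []
    for rnd in range(1, n + 1):
        g = respond(list(prefix))
        if len(g) != m + 1:
            return False, f"round {rnd}: degree bound violated"
        if (g[0] + g[1]) % q != claim:
            return False, f"round {rnd}: g(0) + g(1) != claim"
        a = rng.randrange(q)              # random field element a_i
        claim = interpolate_at(g, a, q)   # next claim is g(a_i)
        prefix.append(a)
    if phi(clauses, prefix, q) != claim:
        return False, "final check: g differs from phi at the random point"
    return True, "accept"

# Constructed sample formulas over x1..x3 (+i is x_i, -i is NOT x_i).
UNSAT = [[a, b, c] for a in (1, -1) for b in (2, -2) for c in (3, -3)]
SAT = [[1, 2, 3], [-1, 2, -3]]

if __name__ == "__main__":
    rng = random.Random(0)
    for name, f, prover in [("unsat/honest", UNSAT, honest_prover),
                            ("sat/honest", SAT, honest_prover),
                            ("sat/shifting", SAT, shifting_prover)]:
        print(name, verify_unsat(f, 3, Q, prover(f, 3, Q), rng))
```

The constant shift makes g − h a nonzero constant with no roots, so this particular dishonest Prover passes every round's sum check and is rejected at the final evaluation with probability 1; a Prover whose g − h has roots escapes only if some a_i hits one, which is the m/q term in the analysis.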