Probabilistic Proof Systems { Lecture Notes

Home , BPP (complexity), DTIME, Interactive proof system, IP (complexity), Oracle machine, RP (complexity)

Probabilistic Pro of Systems Lecture Notes

Oded Goldreich

Department of Computer Science and Applied Mathematics

Weizmann Institute of Science Rehovot Israel

September

Abstract

Various typ es of probabilistic pro of systems haveplayed a central role in the development

of computer science in the last decade In these notes we concentrate on three such pro of

systems interactive proofs zeroknow ledge proofsand probabilistic checkable proofs

Remark These are lecture notes in the strict sense of the word Surveys of mine on this sub ject

can b e obtained from URL httptheorylcsmitedu odedppshtml

These notes were prepared for a series of lectures given in the Theory Student Seminar of the CS

Department of UCBerkeley

Visiting Miller Professor Aug Sept EECS Dept UCBerkeley

Intro duction

The glory given to the creativity required to nd pro ofs makes us forget that it is the less glori

ed pro cedure of verication whichgives pro ofs their value Philosophically sp eaking pro ofs are

secondary to the verication pro cedure whereas technically sp eaking pro of systems are dened in

terms of their verication pro cedures

The notion of a verication pro cedure assumes the notion of computation and furthermore the

notion of ecient computation This implicit assumption is made explicit in the denition of NP

in which ecient computation is asso ciated with deterministic p olynomialtime algorithms

Traditionally NP is dened as the class of NPsets Yet each such NPset can b e viewed as a

pro of system For example consider the set of satisable Bo olean formulae Clearly a satisfying

assignment for a formula constitutes an NPpro of for the assertion is satisable the

verication pro cedure consists of substituting the variables of by the values assigned by and

computing the value of the resulting Bo olean expression

The formulation of NPpro ofs restricts the eective length of pro ofs to b e p olynomial in length

of the corresp onding assertions However longer pro ofs may b e allowed by padding the assertion

with suciently many blank symb ols So it seems that NP gives a satisfactory formulation of pro of

systems with ecientverication pro cedures This is indeed the case if one asso ciates ecient

pro cedures with deterministic p olynomialtime algorithms However wecangainalotifweare

willing to take a somewhat nontraditional step and allow probabilistic verication pro cedures In

particular

interactive proof systems Randomized and interactiveverication pro cedures giving rise to

seem much more p owerful ie expressive than their deterministic counterparts

Such randomized pro cedures allow the intro duction of zeroknow ledge proofs which are of

great theoretical and practical interest

NPpro ofs can b e eciently transformed into a redundant form which oers a tradeo

between the numb er of lo cations examined in the NPpro of and the condence in its validity

see probabilistical ly checkable proofs

In all ab ovementioned typ es of probabilistic pro of systems explicit b ounds are imp osed on the

computational complexity of the verication pro cedure which in turn is p ersonied by the notion

ofaverier Furthermore in all these pro of systems the verier is allowed to toss coins and

rule by statistical evidence Thus all these pro of systems carry a probability of error yet this

probability is explicitly b ounded and furthermore can b e reduced by successive application of the

pro of system

Interactive Pro of Systems

In lightofthegrowing acceptability of randomized and distributed computations it is only natural

to asso ciate the notion of ecient computation with probabilistic and interactive p olynomialtime

computations This leads naturally to the notion of interactive pro of systems in which the verica

tion pro cedure is interactive and randomized rather than b eing noninteractive and deterministic

Thus a pro of in this context is not a xed and static ob ject but rather a randomized dynamic

pro cess in which the verier interacts with the prover Intuitively one may think of this interaction

as consisting of tricky questions asked by the verier to which the prover has to reply convinc

ingly The ab ove discussion as well as the actual denition makes explicit reference to a prover

whereas a prover is only implicit in the traditional denitions of pro of systems eg NPpro ofs

The Denition

Interaction Going b eyond the unidirectional interaction of the NPpro of system If the

verier do es not toss coins then interaction can b e collapsed to a single message

computationall y unb ounded Prover As in NPwe start by not considering the complexity

of proving

probabilistic p olynomialtime Verier We maintain the paradigm that verication ought

to b e easyalaswe allow random choices in our notion of easiness

Completeness and Soundness We relax the traditional soundness condition by allowing small

probability of b eing fo oled by false pro ofs The probabilityistaken over the veriers random

choices We still require p erfect completeness that is that correct statements are proven with

probability Error probability b eing a parameter can b e further reduced by successive rep eti

tions

Variations Relaxing the p erfect completeness requirement yields a twosided error variantof

IP ie error probability allowed also in the completeness condition Restricting the verier to

send only random ie uniformly chosen messages yields the restricted ArthurMerlin interactive

pro ofs aka publiccoins interactive pro ofs Alas b oth variants are essentially as p owerful as the

one ab ove

An Example interactive pro of of Graph NonIsomorphism

The problem not known to b e in NP Proving that two graphs are isomorphic can b e done

by presenting an isomorphism but howdoyou prove that no such isomorphism exists

The construction the two dierent ob ject proto col if you claim that two ob jects are dierent

then you should b e able to tell which is which when I presentthemtoyou in random order In

the context of the Graph NonIsomorphism interactive pro of two supp osedly dierentobjects

are dened by taking random isomorphic copies of each of the input graphs If these graphs are

indeed nonisomorphic then the ob jects are dierent the distributions have distinct supp ort else

the ob jects are identical

Interactive pro of of NonSatisability

Arithmetization of Bo olean CNF formulae Observe that the arithmetic expression is a

low degree p olynomial Observe that in any case the value of the arithmetic expression is b ounded

Moving to a Finite Field Whenever wecheck equalitybetween twointegers in M it suces

to check equalitymodq where qM The b enet is that the arithmetic is now in a nite eld

mo d q and so certain things are nicer eg uniformly selecting a value Thus proving that a

CNF formula is not satisable reduces to proving equality of the following form

X X

x x modq

x x

where is a lowdegreemultivariant p olynomial

The construction stripping summations in iterations In each iteration the prover is supp osed

to supply the p olynomial describing the expression in one currently stripp ed variable By the

ab ove observation this is a low degree p olynomial and so has a short description The verier

checks that the p olynomial is of low degree and that it corresp onds to the currentvalue b eing

claimed ie p p v Next the verier randomly instantiates the variable yielding a new

r for uniformly chosen r GFq value to b e claimed for the resulting expression ie v p

The verier sends the uniformly chosen instantiation to the prover At the end of the last iteration

the verier has a fully sp ecied expression and can easily check it against the claimed value

Completeness of the ab ove When the claim holds the prover has no problem supplying the

correct p olynomials and this will lead the verier to always accept

Soundness of the ab ove It suces to b ound the probability that for a particular iteration the

initial claim is false whereas the ending claim is correct Both claims refer to the current summation

expression b eing equal to the currentvalue where current means either at the b eginning of the

iteration or at its end Let T b e the actual p olynomial representing the expression when stripping

the currentvariable and let pbeany p otential answer by the prover Wemay assume that

p p v and that p is of lowdegree as otherwise the verier will reject Using our

hyp othesis that the initial claim is false we know that T T v Thus p and T are

dierentlowdegree p olynomials and so they may agree on very few p oints In case the verier

instantiation do es not happ en to b e one of these few p oints the ending claim is false to o

Op en Problem alternative pro of of coNP IP Polynomials play a fundamental role in the

above construction and this trend has even deepened in subsequent works on PCP It does not seem

possible to abstract that role which seems to be very annoying I consider it important to obtain

an alternative proof of coNP IPa proof in which al l the underlying ideas can bepresentedat

an abstract level

The Power of Interactive Pro ofs

IP PSPACE

Interactive Pro ofs for PSPACE Recall that PSPACE languages can b e expressed by Quan

tied Bo olean Formulae The numb er of quantiers is p olynomial in the input but there are

b oth existential and universal quantiers and furthermore these quantiers may alternate Con

sidering the arithmetization of these formulae wefacetwo problems Firstly the value of the

formulae is only b ounded by a double exp onential function in the length of the input and sec

ondly when stripping out summations the expression may b e a p olynomial of high degree due

to the universal quantiers which are replaced by pro ducts The rst problem is easy to deal

with by using the Chinese Reminder Theorem ie if twointegers in M are dierent then they

must b e dierent mo dulo most of the primes upto p oly log M The second problem is resolved

by refreshing variables after eachuniversal quantier eg xy zx y z is transformed into

xy x x x yx yz

IP in PSPACE Weshow that for every interactive pro of there exists an optimal prover strategy

and furthermore that this strategy can b e computed in p olynomialspace This follows by lo oking

at the tree of all p ossible executions

The IP Hierarchy Let IPr denote the class of languages having an interactive pro of in

which at most r messages are exchanges Then IP coRP B P P The class IP is a

randomized version of NP witnesses are veried via a probabilistic p olynomialtime ppro cedure

rather than a deterministic one The class IP seems fundamentally dierent the verication

pro cedure here is truly interactive Still this class seems close to NP sp ecically itiscontained in

the p olynomialtime hierarchy which seems low when contrasted with PSPACE IPp oly In

terestingly IP r IP r and so in particular IP O IP Note that IPr

IPr can b e applied successively a constantnumb er of times but not more

Op en Problem the structure of the IP hierarchy

Suppose that L IPr Whatcan besaidabout L

Currently we only know to argue as fol lows IPr IPp oly PSPACE and so L P S P AC E

and is in IP p oly This seems ridiculous we do not use the extra information on IPr On the

L to bein IP g r for any function g sincethiswillput coNP other hand we dont expect

coIP in IP So another parameter may berelevant here how about the lengths of the

messages exchanged in the interaction Indeed if L has an interactive proof in which the total

message length is m then L has an interactive proof in which the total message length is O m

This just fol lows by the known PSPACE IP construction I consider it important to obtain a

better result In general it would be interesting to get a better understanding of the IP Hierarchy

HowPowerful Should the Prover b e

The Cryptographic Angle Interactive pro ofs o ccur inside cryptographic proto cols and so

the prover is merely a probabilistic p olynomialtime machine yet it mayhave access to an auxiliary

input given to it or generated by it in the past Suchprovers are relatively weak ie they can only

prove languages in IP yet they maybeofinterest for other reasons eg see zeroknowledge

The Complexity Theoretic Angle It make sense to try to relate the complexity of proving

a statement to another party to the complexity of deciding whether the statement holds This

gives rise to two related approaches

The prover is a probabilistic p olynomialtime oracle machine with access to the language This

approach can b e thought of as extending the notion of selfreducibil i ty of NPlanguages

These languages have an NPpro of system in which the prover is a p olynomialtime machine

with oracle access to the language Indeed alike NPcomplete languages the IPcomplete

languages also have such a relatively ecient prover Recall that an optimal prover strategy

can b e implemented in p olynomialspace and thus by a p olynomialtime machine having

oracle access to a PSPACEcomplete language

The prover runs in time which is p olynomial in the complexity of the languages

Op en Problem Further investigate the power of the various notions and in particular the one

extending selfreducibility on NP languages Better understanding of the latter is also long due

Aspecic chal lenge provide an NPproof system for Quadratic NonResiducity QNR using a

probabilistic polynomialtime prover with access to QNR language

ComputationallySound Pro ofs

Such pro ofs systems are fundamentally dierent from the ab ove discussion which did not eect

the soundness of the pro of systems Here we consider relations of the soundness conditions false

pro ofs may exist even with high probability but are hard to nd Variants may corresp ond to the

ab ove approaches sp ecically the following has b een investigated

Argument Systems One only considers prover strategies implementable by p ossibly non

uniform p olynomialsize circuits eq probabilistic p olynomialtime machines with auxiliary in

puts Under some reasonable assumptions there exist argument systems for NP having p oly

logarithmic communication complexity Analogous interactive pro ofs cannot exists unless NP is

contained in QuasiPolynomial Time ie NP Dtimeexpp oly log n

CS Pro ofs One only considers prover strategies implementable in time p olynomial in the com

plexity of the language In an noninteractive version one asks for certicates a la NPtyp e which

are only computationally sound In a mo del allowing b oth prover and verier access to a random

oracle one can convert interactive pro ofs alike CS pro ofs into noninteractive ones As a heuris

tics it is also suggested to replace the random oracle by use of random public functions a fuzzy

notion not to b e confused with pseudorandom functions

Op en Problem Try to provide rm grounds for the heuristics of making proof systems non

interactive by use of random public functions I advise not to try to dene the latter notion in a

general form but rather devise some adhocmethod using some specic but widely believedcom

plexity assumptions eg hardness of deciding Quadratic Residucity modulo a composite number

for this specic application

ZeroKnowledge Pro ofs

Zeroknowledge pro ofs are central to cryptographyFurthermore zeroknowledge pro ofs are very

intriguing from a conceptual p oint of view since they exhibit an extreme contrast b etween b eing

convinced of the validity of a statement and learning anything in addition while receiving such

a convincing pro of Namely zeroknowledge pro ofs have the remarkable prop erty of b eing b oth

convincing while yielding nothing to the verier b eyond the fact that the statementisvalid

The zeroknowledge paradigm Whatever can b e eciently computed after interacting with

the prover on some common input can b e eciently computed from this input alone without

simulated in interacting with anyone That is the interaction with the prover can b e eciently

solitude

ATechnical Note Ihave deviated from other presentation in which the simulator works in

average probabilistic p olynomialtime and require that it works in strict probabilistic p olynomial

Clearly this time Yet I allow the simulator to halt without output with probabilityatmost

implies an average p olynomialtime simulator but the converse is not known In particular some

known p ositive results regarding p erfect zeroknowledge with average p olynomialtime simulators

are not known to hold under the ab ove more strict notion

Perfect ZeroKnowledge

The Denition Asimulator can pro duce exactly the same distribution as o ccurring in an inter

action with the prover Furthermore in the general denition this is required with resp ect to any

probabilistic p olynomialtime verier strategy not necessarily the one sp ecied for the verier

Thus the zeroknowledge prop erty protects the prover from any attempt to obtain anything from

it b eyond conviction in the validity of the assertion

ZeroKnowledge NPpro ofs Extending the NPframework to interactive pro of is essential for

the nontriviality of zeroknowledge It is easy to see that zeroknowledge NPpro ofs exist only for

languages in RP Actually thats a go o d exercise

A p erfect zeroknowledge pro of for Graph Isomorphism The prover sends the verier a

random isomorphic copy of the rst input graph The verier challenges the prover by asking the

prover to present an isomorphism of graph sent to either the rst input graph or to the second

input graph The veriers choice is made at random

The fact that this interactive pro of system is zeroknowledge is more subtle than it seems for

example many parallel rep etitions of the pro of system are unlikely to b e zeroknowledge

Computational ZeroKnowledge

This denition is obtained by substituting the requirement that the sim ulation is identical to the

real interaction by the requirement that the twoare computational indistinguishable

Computational Indistinguishabili ty is a fundamental concept of indep endentinterest Two

ensembles are considered indistinguishabl e by an algorithm A if As b ehavior is almost invariantof

whether its input is taken from the rst ensemble or from the second one Weinterpret b ehavior

as a binary verdict and require that the probability that A outputs in b oth cases is the same upto

a negligible dierence ie smaller than pn for any p ositive p olynomial p and all suciently

long input lengths denoted by n Two ensembles are computational indistinguishable if they are

indistinguishabl e by all probabilistic p olynomialtime algorithms

A zeroknowledge pro of for NP abstract b oxes setting It suces to construct sucha

pro of system for Colorability COL To obtain a pro of system for other NPlanguages use the

fact that the standard reduction of NP to COL is p olynomialtime invertible

The prover uses a xed coloring of the input graph and pro ceeds as follows First it uniformly

selects a relab eling of the colors ie one of the p ossible ones and puts the resulting color of

eachvertex in a lo cked b ox marked with the vertex name All b oxes are sent to the verier who

resp onse with a uniformly chosen edge asking to op en the b oxes corresp onding to the endp ointof

erier op ens the twoboxes and this edge The prover sends over the corresp onding keys and the v

accepts i he sees two dierent legal colors

A zeroknowledge pro of for NP real setting The lo cked b oxes need to b e implemented

digitally Thisisdonebyacommitment scheme a cryptographic primitive designed to implement

suchlocked b oxes Lo osely sp eaking a commitmentscheme is a twoparty proto col which pro ceeds

in two phases so that at the end of the rst phase called the commit phase the rst party

called sender is committed to a single value which is the only value he can later reveal in the

second phase whereas at this p oint the other party gains no knowledge on the committed value

Commitmentschemes exist if and actually i oneway functions exist Thus the mildest of all

cryptographic assumptions suces for constructing zeroknowledge pro ofs for NP and actually for

all of IP Furthermore zeroknowledge pro ofs for languages which are hard on the average imply

the existence of oneway functions thus the ab ove construction essentially utilizes the minimal

p ossible assumption

oneway functions imply

IP ZKIP

Concluding Remarks

The provers strategy in the ab ove zeroknowledge pro of for NP can b e implemented

by a probabilistic p olynomialtime machine whichisgiven as auxiliary input an NPwitness

for the input This is clear for COL and for other NPlanguages one needs to use the fact

that the relevant reductions are coupled with ecient witness transformations The ecient

implementation of the prover strategy is essential to the applications b elow

Applications to Cryptography Zeroknowledge pro ofs are a p owerful to ol for the design of

cryptographic proto cols in which one typically wants to guarantee prop er b ehavior of a party

without asking him to reveal all his secrets Note that prop er b ehavior is typically a p olynomial

time computation based on the partys secrets as well as on some known data Thus the claim

that the partybehaves consistently with its secrets and the known data can b e casted as an NP

statement and the ab ove result can b e utilized More generally using additional ideas one can

provide a secure proto col for any functional b ehavior These general results have to b e considered as

plausibili tyarguments you would not like to apply these general constructions to sp ecic practical

problems yet you should know that these sp ecic problems are solvable

Op en Problems do exists but seem more sp ecialized in nature For example it would b e

interesting to gure out and utilize the minimal p ossible assumption required for constructing

zeroknowledge proto cols for NP in various mo dels like constantround interactive pro ofs the

noninteractive mo del and p erfect zeroknowledge arguments

see chapter on ZeroKnowledge in my fragments of a b o ok on Foundations Further Reading

of Cryptography available from URL httptheorylcsmiteduodedfraghtml

Solution to Exercise regarding ZeroKnowledge NPpro ofs An NPpro of system for a

language L yields an NPrelation for L dened using the verier On input x L a p erfect

zeroknowledge simulator either halts without output or outputs an accepting conversation ie

an NPwitness for x

Probabilistically Checkable Pro of Systems

When viewed in terms of an interactive pro of system the probabilistically checkable pro of setting

consists of a prover which is memoryless Namely one can think of the prover as b eing an oracle

and of the messages sent to it as b eing queries A more app ealing interpretation is to view the prob

abilistically checkable pro of setting as an alternativeway of generalizing NP Instead of receiving

the entire pro of and conducting a deterministic p olynomialtime computation as in the case of

NP the verier may toss coins and prob e the pro of only at lo cation of its choice Potentially

this allows the verier to utilize very long pro ofs ie of sup erp olynomial length or alternatively

examine very few bits of an NPpro of

The Denition

The Basic Mo del A probabilisticall y checkable pro of system consists of a probabilistic p olynomial

time verier having access to an oracle which represents a pro of in redundant form Typically the

verier accesses only few of the oracle bits and these bit p ositions are determined by the outcome

of the veriers coin tosses Completeness and soundness are dened similarly to the way they

were dened for interactive pro ofs for valid assertions there exist pro ofs making the verier always

accepts whereas no oracle can make the verier accept false assertions with probabilityabove

Weve sp ecied the error probability since weintend to b e very precise regarding some complexity

measures

Additional complexity measures of fundamental imp ortance are the randomness and query

complexities Sp ecically PCPr q denotes the set of languages having a probabilistic check

able pro of system in which the verier on any input of length n makes at most r n coin tosses

and at most q n oracle queries As usual in complexity theory unless stated otherwise the oracle

answers are always binary ie either or

Observed that the eective oracle length is at most q ie lo cations whichmay b e accessed

on some random choices In particular the eective length of oracles in a PCPlog system is

p olynomial

the traditional notion of a pro of An oracle whichalways makes the p cp PCP augments

verier accept constitutes a pro of in the standard mathematical sense However a p cp system has

the extra prop erty of enabling a lazy verier to toss coins take its chances and assess the validity

of the pro of without reading all of it but rather by reading a tiny p ortion of it

The p ower of probabilistically checkable pro ofs

The PCP Characterization Theorem states that

PCPlogO NP

Thus probabilistically checkable pro ofs in which the verier tosses only logarithmically many coins

and makes only a constantnumb er of queries exist for every NPlanguage It follows that NPpro ofs

can b e transformed into NPpro ofs which oer a tradeo b etween the p ortion of the pro of b eing

read and the condence it oers Sp ecically if the verier is willing to tolerate an error probability

of then it suces to let it examine O log bits of the transformed NPpro of These bit

lo cations need to b e selected at random Furthermore an original NPpro of can b e transformed

into an NPpro of allowing such tradeo in p olynomialtime The latter is an artifact of the pro of

of the PCP Theorem

The Pro of of the PCP Characterization Theorem is one of the most complicated pro ofs

in the Theory of Computation Its main ingredients are

A pcp log p oly log pro of system for NPFurthermore this pro of system has additional

prop erties which enable pro of comp osition as in item b elow

A pcpp oly O pro of system for NP This pro of system also has additional prop erties

enabling pro of comp osition as in item

The pro of comp osition paradigm Supp ose you havea pcpr O system for NP in

which a constantnumb er of queries are made nonadaptively to an valued oracle and

the veriers decision regarding the answers may b e implemented by a p oly size circuit

Further supp ose that you havea pcpr qlike system for P in which the input is given in

enco ded form via an additional oracle so that the system accepts inputoracles which enco de

inputs in the language and reject any inputoracle which is far from the enco ding of any

input in the language In this latter system access to the inputoracle is accounted in the

urthermore supp ose that the latter system may handle inputs which query complexity F

result from concatenation of a constantnumb er of subinputs each enco ded in a separate

def

subinput oracle Then NP has a pcpr r s q s where sn polyn

The extra factor of is an artifact of the need to amplify each of the two p cp systems so

that the total error probability sums up to at most

In particular the pro of system of item is comp osed with itself using r r log q

p oly log and sn p oly logn yielding a pcp log p oly log log system for NP which is then

comp osed with the system of item using r log p oly log log r poly q O and

sn p oly log log n yielding the desired pcplog O system for NP

The pcp log p oly log system for NP We start with a dierent arithmetization of CNF for

mulae than the one used for constructing an interactive pro of for coNP Logarithmically many

variables are used to represent in binary the names of variables and clauses in the input formula

and an oracle from variables to Bo olean values is supp osed to represent a satisfying assignment

An arithmetic expression involving a logarithmic numb er of summations is used to represent the

value of the formula under the truth assignment represented by the oracle This expression is a

lowdegree p olynomial in the new variables and has a cubic dep endency on the assignmentoracle

Smallbiased probability spaces are used to generate a p olynomial numberofsuch expressions so

that if the formula is satisable then all these expressions evaluate to zero and otherwise at most

half of them evaluate to zero Using a summation test as in the interactive pro of for coNPand

def

alowdegree test this yields a pcptt system for NPwheretn O logn log log n

We use a nite eld of p oly logn elements and so weneedlogn O log log n random bits

O log n

for the summation test To obtain the desired p cp system one uses long sequences over

log log n

f log ng to representvariableclause names rather than logarithmicallylong binary sequences

O log n

O log log n We can still use a nite eld of p oly logn elements and so we need only

log log n

random bits for the summation test All this is relatively easy compared to what is needed in order

to transform the p cp system so that only a constantnumb er of queries are made to a multivalued

oracle This is obtained via randomnessecient parallelization of p cp systems which in turn

dep ends heavily on ecientlowdegree tests

Op en Problem As a rst step towards the simplication of the proof of the PCP Characteri

zation one may want to provide an alternative paral lelizationprocedure which does not rely on

polynomials or any other algebraic creatures A rst step towards this partial goal was taken by

Safra and myself see TR of httpwwwecccunitrierdeecccWehaveconstructed

an ecient lowdegree test which utilizes a simpleinecient lowdegree test which is paral lelized

using a new combinatorial consistency lemma

The pcpp oly O system for NP It suces to prove the satisability of a systems of

quadratic equations over GF as this problem in NPC The oracle is supp osed to hold the

values of all quadratic expressions under a satisfying assignment to the variables We distinguish

n n

two tables in the oracle One corresp onding to the linear expressions and the other to the

pure bilinear expressions Each table is tested for selfconsistency via a linearity test and the two

tables are tested to b e consistent via a matrixequality test which utilizes selfcorrection Each

of these tests utilizes a constantnumb er of Bo olean queries and randomness which is logarithmic

in the size of the corresp onding table

PCP and Approximation

tral role in recent developments concerning the diculty PCPCharacterizations of NP plays a cen

of approximation problems To demonstrate this relationship we rst note that the PCP Char

acterization Theorem can b e rephrased without mentioning the class PCP altogether Instead a

new typ e of p olynomialtime reductions whichwe call amplifying emerges

Amplifying reductions There exists a constant and a p olynomialtime reduction f of

SAT to itself so that f maps nonsatisable CNF formulae to CNF formulae for whichevery

truth assignment satises at most a fraction of the clauses I call the reduction f amplify

ing Its existence follows from the PCP Characterization Theorem by considering the guaranteed

p cp system for SAT asso ciating the bits of the oracle with Bo olean variables and intro ducing a

constant size Bo olean formula for each p ossible outcome of the sequence of O log n coin tosses

describing whether the verier would have accepted given this outcome

Amplifying reductions and NonApproximability The ab ove amplifying reduction of SAT

implies that it is NPHard to distinguish satisable CNF formulae from CNF formulae for which

every truth assignment satises less than a fraction of its clauses Thus MaxSAT is NPHard

to approximate to within a factor

Stronger NonApproximability Results were obtained via alternative PCP Characterizations

of NPFor example the NPHardness of approximating MaxClique to within N was

obtained via NP FPCPlog where the second parameter in FPCP measures the amortized

freebit complexity of the p cp system

Op en Problems regarding various parameters in PCP Characterizations of NP will probably

remain also after the turbulence currently created byworks in progress by Hastad and byRaz

Safra