CSCI 1590 Intro to Computational Complexity Interactive Proofs and PSPACE

John . Savage

Brown University

April 27, 2009

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 1 / 19 Summary

1 Interactive Proofs

2 Zero-knowledge Proofs

3 IPand PSPACE

4 The Power of Interactive Proofs

5 Probabilistically Checkable Proofs

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 2 / 19 Interactive Proofs

An interactive proof is an interactive protocol in which a verifier, V , interacts with a prover, P. Given an input, x, V is allowed to ask P some number of questions. V is a Turing machine (TM) with bounded computational resources, but P can be an arbitrary function. A language, , is recognized by an interactive proof with completeness pc and soundness ps if: There exists a P such that for x ∈ L, V accepts with probability at least pc . For all P, when x 6∈ L, V rejects with probability at least ps . When specifying an interactive proof for L, we describe V . To prove correctness, we assume P is chosen to maximize the probability that V accepts. We consider classes of languages recognized by interactive proofs where V is a probabilistic TM that runs in polynomial time.

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 3 / 19 IP[k]

Definition Let IP[k] be the class of all languages, L, for which their exists a polynomial time PTM, V , that can decided whether or not x ∈ L with completeness and soundness 2/3, after k total queries and responses to/from a prover, P. S c Let IP = c≥1 IP(n ).

Had we defined IP[k] using soundness 1, we would have IP = NP. In this definition, P has unbounded computational resources. Today we will show that P can be restricted to polynomial space computable functions without changing our IP[k] or IP. This implies IP ⊆ PSPACE.

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 4 / 19 More Practical Provers

We can describe an interactive proof by describing a polynomial time PTM, V . To actually implement this protocol, however, we would need a valid prover P. Since this P may need to perform an arbitrary PSPACE computation, we do not appear to have an efficient implementation. To actually implement an interactive proof, we need P, as well as V , to be a PTM with polynomial runtime, but then what power does P provide? Suppose we provide P with access to a “secret” piece of information. If V knew this secret, it would be as powerful as P, but as long as V does not, P can answer questions P cannot (if P 6= NP). In a “zero-knowledge” interactive proof, P’s goal is to prove to V some fact about a secret without revealing any information about it. Examples: Do you have the right password? Is this graph 3 colorable?

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 5 / 19 One-way functions

A one-way function, f : {0, 1}n → {0, 1}n, is a polynomial-time that is hard to “invert” in the average case. In other words, f (x), is easy to compute, but finding an x such that y = f (x) takes super-polynomial time. Just as we conjecture that P 6= NP, we conjecture that one-way functions exist.

Factorization: find x1, x2 such that y = x1 · x2 Discrete log: find x such y = ax mod p (where p is a prime). Using one-way functions, data can be encrypted. To encrypt a short string, s, add random bits and treat the result as x written in binary. To encode x, compute y = ax mod p for some agreed upon a and p. y acts as a “locked-box”. If I give you y, I have committed to a specific value of x that I can later choose to reveal.

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 6 / 19 A Simple Zero-Knowledge Proof

If one-way functions exist, 3-coloring has a simple zero-knowledge proof (or more precisely, a computationally zero-knowledge proof). A prover, which knows the how to color a graph, G = (V , E), can produce o(|E|) copies of the graph in which all vertices are colored, but their colors are encrypted. In each copy, the colors themselves are also randomly permuted, meaning “red” in one graph can be “blue” in another. For each copy, the verifier is allowed to ask the prover to decrypt only two adjacent vertices. If the graph is not 3-colorable, all of the graphs have at least one edge with endpoints of the same color. All problems in NP can be reduced to an instance of 3-coloring, so if one-way functions exist, all languages in IP have polynomial-time computational zero-knowledge proofs. The same holds for all languages in IP.

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 7 / 19 PSPACE ⊆ IP

We have already shown that IP ⊆ PSPACE, now we will prove that they are equal. Recall that the language TQBF , totally quantified boolean formulas, is PSPACE-complete. Let φ(x1, ..., xn) be a boolean formula. Instances of TQBF are strings of the form Q1x1 ...Qnxn φ(x1, ..., xn), where each Qi is either an existential (∃) or universal (∀) quantifier. An instance is a “yes”-instance if and only if it evaluates to true. To give an interactive proof for TQBF, we first note that any boolean formula, φ(x1, ..., xn), can be mapped to a multilinear polynomial, p(x1, ..., xn), such that φ(x1, ..., xn) = p(x1, ..., xn) for all xi ∈ {0, 1} ¬xi ≡ 1 − xi xi ∧ xj ≡ xi xj xi ∨ xj ≡ 1 − (1 − xi ) · (1 − xj ) k xi ≡ xi for all k > 1. Now we can treat the quantified formula as an arithmetic expression. ∃x ≡ Σ1 i xi =0 ∀x ≡ Π1 i xi =0

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 8 / 19 The Arithmetization of TQBF

An instance of TQBF, ∀x1 ∃x2 ...∀xn−1 ∃xnφ(x1, ..., xn), to can be represented as an arithmetic expression, Π1 Σ1 ...Π1 Σ1 p(x , ..., x ), where p(x , ..., x ) is a x1=0 x2=0 xn−1=0 xn=0 1 n 1 n (potentially long) multilinear polynomial. Notice that Π1 Σ1 ...Π1 Σ1 p(x , ..., x ) > 0 if and only if x1=0 x2=0 xn−1=0 xn=0 1 n ∀x1 ∃x2 ... ∀xn−1∃xn φ(x1, ..., xn) ∈ TQBF . In our interactive proof for TQBF, the prover must convince the verifier that the arithmetic expression (which may be too long to actually write down) evaluates some value K 6= 0. K maybe exponentially long in n, so we use modular arithmetic. The prover selects a prime, p ∈ 2n, 22n such that K 6= 0 mod p. All arithmetic can be done modp (if K = 0, K = 0 mod p). Now we give an interactive proof (for an example) to verify that K = Π1 Σ1 ...Π1 Σ1 p(x , ..., x ) mod p. The verifier will x1=0 x2=0 xn−1=0 xn=0 1 n have perfect completeness.

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 9 / 19 The Sum-Check Interactive Protocol

V wishes to verify that K = Π1 Σ1 ...Π1 Σ1 p(x , ..., x ) mod p. x1=0 x2=0 xn−1=0 xn=0 1 n V asks the prover P for K. If P lies, this will be discvored. Notice that f (x ) = Σ1 ...Π1 Σ1 p(x , ..., x ) mod p is 1 1 x2=0 xn−1=0 xn=0 1 n simply a linear function of the form f1(x1) = a · x1 + b. To verify the sum, V requests f1(x1) from P. Let h1 be P’s response. If h1(0) ∗ h1(1) 6= K, V rejects. (If the quantifier is ∃ instead of ∀ and h1(0) + h1(1) 6= K, V rejects.) If P is truthful, h1(x1) = f1(x1) for all values of x1. If P is lying, f1(x1) = h1(x1) for at most 2 values of x1.

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 10 / 19 The Sum-Check Interactive Protocol (Cont.)

Now V selects a random value a1 and rejects unless h1(a) = f1(a). If h1(a) = f1(a), we recurse, requesting f (a , x ) = Π1 ...Π1 Σ1 p(a, x ..., x ) mod p from P and 2 1 2 x3=0 xn−1=0 xn=0 2 n verifying that for P’s response, h2(a1, 0) ∗ h2(a1, 1) = h1(a1) (or h2(a1, 0) ∗ h2(a1, 1) = h1(a1) when ∃ is the quantifier). The base-case, f (a , a , ..., a ) = Σ1 p(a , ..., a , x ) mod p n 1 2 n−1 xn=0 1 n−1 n can be verified directly.

If hi is wrong, the probability it fools V is at most (2/p) times the n−1 probability hi−1 fools V . Our soundness is at least (1 − (2/p)) .

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 11 / 19 Example of Sum-Check Interactive Protocol for ∃

Consider a simple instance of TQBF: (x1 ∨ x2) ∧ (x2 ∨ x3) ∧ (x1 ∨ x3) which can be represented as Σ1 Σ1 Σ1 p(x , x , x ), where x1=0 x2=0 x3=0 1 2 3 p(x1, x2, x3) = (1 − (1 − x1)(1 − x2))(1 − (1 − x2)x3)(1 − x1(1 − x3)). p(x1, x2, x3) evaluates to 1 when (x1, x2, x3) = (0, 1, 0), (0, 1, 1) and (1, 1, 1), so P says Σ1 Σ1 Σ1 p(x , x , x ) = 3. x1=0 x2=0 x3=0 1 2 3 When V asks for the quantified formula when x1 is no longer quantified, P should return f (x ) = Σ1 Σ1 p(x , x , x ) = 1 1 x2=0 x3=0 1 2 3 x1(1 − x1) + 0 + (1 − x1) + 1 = −x12 + 2. V verifies that f1(0) + f1(1) = 3, and then chooses a random x1, say 5. Since f (5) = −23, P now proves that f (5) = Σ1 Σ1 p(5, x , x ) = −23 1 x2=0 x3=0 2 3 The protocol repeats: V asks for Σ1 Σ1 p(5, x , x ) when x is no x2=0 x3=0 2 3 2 longer quantified. P should return that f2(5, x2) = (5 − 4x2)(−4) + (5 − 4x2)(x2) = −4x22 + 21x2 − 20. Now V can again verify that f2(5, 0) + f2(5, 1) = −23, choose a new random value, say 2, and then verifies that f2(5, 13) = −6 directly.

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 12 / 19 Linearization of Sum-Check Interactive Protocol

∃x1 ∃x 2 ∃x3 p(x1, x2, x3) can be arithmetized by changing the existential quantifiers, ∃, to sums, but when we remove, say, ∃x1, the resulting arithmatization of ∃x 2, ∃x3p(x1, x2, x3) may have degree ¿ 1, because x1 can appear in multiple clauses. This is the case in the above example. To remedy this problem, one could add the ”linearization quantifiers”, L, and instead run the protocol on the expression ∃x1, Lx1, ∃x 2, Lx2, ∃x3, Lx3p(x1, x2, x3). Here Lx3p(x1, x2, x3) is taken to mean (1 − x3) ∗ p(x1, x2, 0) + x3 ∗ p(x1, x2, 0). Even though each Lxi acts as a logical identity, it ensure that P can always return a linear function. I did not incorporate these into my example however.

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 13 / 19 The Power of Interactive Proofs

An interactive proof is an interactive protocol in which a probabilistic verifier, V , interacts with an “all-knowing” prover, P. In defining IP[k] (and IP = S IP[ ]), we considered the classes languages that can be recognized (with imperfect soundness) in polynomial-time using k rounds of interaction. We saw that IP = PSPACE, which suggests that interaction, when combined with randomness, is quite powerful. Using interaction, we can verify the solution to problems that appear to be far harder than those we can solve on our own.

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 14 / 19 Multi-Prover Interactive Proofs

One interesting generalization of the class IP is MIP, the class of languages that can be verified in polynomial time using multiple provers that cannot communicate. In this model of computation, the verifier can pit the provers against each other, making it even more difficult for them to lie. It turns out that MIP = NEXPTIME. In fact, only two provers, and a single round of interaction, are needed. The second result relies on the idea of parallel repetition. In this light, interactive protocols appear even more powerful!

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 15 / 19 Probabilistically Checkable Proofs

In a Probabilistically Checkable Proof we modify our interactive proof model slightly. Instead of asking questions to an adaptive prover, P, the verifier queries a static proof/certificate, y. As before, the verifier, V , is a polynomial-time Turing machine with access to a string of random bits, . Languages are recognized with imperfect soundness (and possibly also imperfect completeness). In this new model, we are concerned not only with the length of the proof required to recognize a language, but with the number of queries, and amount of random bits V requires.

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 16 / 19 More Restricted Interactive Proofs

Results such as IP = PSPACE and MIP = NEXPTIME highlight the power of interactive proofs, but also their impracticality when the prover is given unbounded resources. Zero-knowledge proofs suggest one approach for restricting the power of the prover, and in so doing, making the protocol more practical. In a zero-knowledge proof, the prover is simply a probabilistic polynomial-time Turing machine with access to a “secret”. Another restriction that can be placed on the prover is the length of their response, as well as the length of the questions they can answer. If only questions of length O(log(n)) are allowed, the prover can be replaced with a polynomial length string (i.e. a certificate) that the verifier, V , selectively queries. This suggests that interaction can be used as a way to understand NP. What languages can V recognize with a restricted number of queries?

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 17 / 19 PCPpc ,ps [q(n), r(n)]

Definition Consider a probabilistic polynomial-time Turing machine V with access to a certificate y. Let n be the length of V ’s input, x.

Let PCPpc ,ps [q(n), r(n)] be the class of languages V can recognize using r(n) random bits and q(n) bits of y such that: If x ∈ L, there exists a y such that V accepts with probability at least pc

If x 6∈ L, any y causes V reject with probability at least ps

Recall our interactive proof from GNI . In this proof, V randomly 0 permuted either G1 or G2 to produce G . V gave all three graphs to P and asked which graph was permuted. Notice that P could be replaced with an exponentially long certificate.

This implies that GNI ∈ PCP1,1/2[O(poly(n)), O(poly(n))]

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 18 / 19 The power of PCPs

When q(n) is O(log(n)), y is polynomial in length.

This implies that PCPpc ,ps [O(log(n)), log(n)] ⊆ NP A nondeterministic Turing machine, M can guess y, then iterate over all random strings of length O(log(n)). In doing so, M can keep a count of what fraction of random strings cause V to accept.

Also notice that NP = PCPpc ,1[poly(n), log(n)], and

P = PCPpc ,ps [O(1), O(1)]. Surprisingly, the PCP Theorem states that:

NP = PCP1,1/2[O(1), O(log(n))]

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 19 / 19 The PCP Theorem

The PCP Theorem states that

NP = PCP1,1/2[O(1), O(log(n))]

One direction is easy, but for the other direction, it is not even easy to show that PCP1,1/2[O(log(n)), O(log(n))] ⊆ NP. This surprising result was discovered in the 1990’s, however a simpler proof was given in 2005. The proof relies on the idea of a “gap-introducing” reduction (also, the theorem itself implies that this type of reduction exists)

John E. Savage (Brown University) CSCI 1590 Intro to Computational Complexity April 27, 2009 20 / 19