Arthur-Merlin Games

Klaus Sutner Carnegie Mellon University 2020/04/23 1 Arthur and Merlin

2 More on Proofs Digression: Size Matters 2

Let S ⊆ 2m be a set of binary strings of length m. We call S large if |S| ≥ (1 − 1/m)2m, and small if |S| < 2m/m. So S is small iff 2m − S is large.

Challenge: Suppose membership in S is polynomial time. We would like an IP protocol to check largeness. How can the prover convince the verifier that S is large?

Obviously, checking a lot of elements is not an option.

Instead, we consider shifts of S: for z ∈ 2m write

z ⊕ S = { z ⊕ x | x ∈ S }. Small 3

m S m Claim 1: If S is small, then for all z1, . . . , zm ∈ 2 we have zi ⊕ S 6= 2 .

To see why, note

[ X m zi ⊕ S ≤ |zi ⊕ S| ≤ m|S| < 2 Large 4

m Claim 2: If S is large, then there exist z1, . . . , zm ∈ 2 such that S m zi ⊕ S = 2 .

In fact, we can pick the zi at random:

h[ mi m Pr z ⊕ S = 2 ≥ 1 − (2/m) z i The probability that some particular x is not hit is

h [ i Y m Pr x∈ / zi ⊕ S = Pr [x∈ / z ⊕ S] ≤ (1/m) z z i But then the probability some x is not hit is at most (2/m)m.

The z1, . . . , zm can be construed as a proof for S being large. p Application: BPP ⊆ Σ2 5

Suppose L is in BPP. So there is a polynomial p and an algorithm M that uses at most m = p(|x|) random bits and has error bound 1/m.

m Define Sx = { r ∈ 2 | M(x, r) = 1 }.

Then x ∈ L implies Sx is large, and x∈ / L implies Sx is small.

But then

m m [
x ∈ L ⇐⇒ ∃ z1, . . . , zm ∈ 2 ∀ y ∈ 2 y ∈ zi ⊕ Sx

Since y ∈ z ⊕ Sx iff y ⊕ z ∈ Sx, we’re done.

p Since BPP is closed under complements, this also shows BPP ⊆ Π2. Public Coins 6

Recall that in our definition of IP the verifier had accesse to private random bits (the private coin model).

What would happen if the prover had access to these bits? Obviously, our protocols would break, just take a look at Graph Non-Isomorphism. But is there some other way to get mileage out of shared random bits?

By shared we mean that the prover gets access in each round to the random bits generated by the verifier, but does not know ahead of time all the bits that will be generated through the whole interaction, something like

V : a2i+1 = f(x, r, a1, a2, . . . , a2i)

P : a2i+2 = g(x, r, a1, a2, . . . , a2i+1) Arthur and Merlin 7

Here is a concrete incarnation of this idea. It is customary to refer to the prover as Merlin, and the verifier as Arthur.

MA Merlin sends Arthur a proof. Arthur generates random bits r, and decides whether the proof is acceptable.

AM Arthur sends random bits r to Merlin, who returns a proof. Arthur decides whether the proof is acceptable.

We need to formally define how these protocols determine a language. We’ll write π for the “proof” offered by Merlin. Completeness and Soundness 8

MA Completeness x ∈ L implies ∃ π ∀ r V(x, π, r) = 1
.
Soundness x∈ / L implies ∀ π Prr[V(x, π, r) = 1] ≤ 1/2 .

AM Completeness x ∈ L implies ∀ r ∃ π V(x, π, r) = 1
.
Soundness x∈ / L implies ∃ π Prr[V(x, π, r) = 1] ≤ 1/2 .

By repeating a few such rounds we get MA[k] and AM[k]. Error Bounds 9

Note that we have one-sided errors: for yes-instances, Arthur always gets the right answer. We could define MAβ analogously, where some error β is allowed.

Lemma

MAβ = MA.

Proof. Let π be the proof Merlin sends, and Rx,π the set of coins for which Arthur accepts. Intuitively, if x is a yes-instance, then Rx,π is large for some π, and small for all π otherwise. But then Merlin can send π together with a proof that Rx,π is large.

OK, but how do we convince Arthur that Rx,π is large? We use the exact same trick as for BPP above. 2

A similar trick works for AMβ . Changing Order 10

Theorem MA ⊆ AM.

Proof. Assume L ∈ MA and use error reduction to get a soundness error of at most 1/2p(|x|)+1 where p is a polynomial bound on the proof length. Now flip the order of messages: Arthur picks r and sends to Merlin. Merlin responds with a proof π. Arthur verifies the proof. If x ∈ L then Merlin can send the honest proof. But if x∈ / L then a union bound shows that the probability that some bad proof π exists is at most 1/2. 2 Collapse 11

The theorem actually shows that an MA step in a protocol can be replaced by a AM step.

So AMA = AAM = AM and MAM = AMM = AM.

This works for any constant number of steps: AM[c] collapses to AM (only MA might be strictly smaller). Digression: Pairwise Independent Hashing 12

Suppose we have a family H of hash functions with codomain of size c. H is pairwise independent if

∀ x 6= x0, y, y0 Pr [h(x) = y ∧ h(x0) = y0] = 1/c2
h∈H

Another way of expressing this is to consider the random variables Yd = h(d) for each d in the domain, h ∈ H uniformly.

For pairwise independent H, the Yd are uniformly distributed, and they are independent.

How do we get our hands on a pairwise independent family that has reasonable computational properties? A Nice Field 13

We choose as domain and codomain a finite field F of characteristic 2.

This means the elements can be thought of as bitvectors a ∈ 2n.

Addition is easy: a ⊕ b.

Multiplication takes work: think of a and b as coefficients of a polynomial over Z2, multiply and then take the remainder wrto an irreducible polynomial of degree n in Z2[x].

Amazingly, the choice of the irreducible does not matter: there is only one field of size 2n up to isomorphism. An Affine Family 14

Over F, pick elements a and b and define an affine hash function

ha,b(x) = ax + b

and let H = { ha,b | a, b ∈ F }. Note that these functions are easy to compute.

Claim: H is a pairwise independent family.

To see why, let y = ax + b and y0 = ax0 + b. Then

a = (y − y0)/(x − x0) b = y − ax

2 The probability that this happens is clearly 1/|F| . AM and Graph Non-Isomorphism 15

Theorem Graph Non-Isomorphism is in AM.

To see why, write

aut(G) = automorphisms of G iso(G) = isomorphs of G

Here G is a vertex-labeled undirected graph.

Then |aut(G)| · |iso(G)| = n! Example: C4 16

Here are the automorphisms of the cycle on 4 points, C4:

2 1 4 3

1 3 4 2 3 1 2 4

4 3 2 1 4 1 2 3

1 3 2 4 3 1 4 2

2 3 4 1 Dihedral 17

Expressed as permutations, these automorphisms are as follows:

1 2 3 4 1 4 3 2 2 1 4 3 2 3 4 1 3 2 1 4 3 4 1 2 4 1 2 3 4 3 2 1

This is the dihedral group D4 of order 8, acting on C4.

There are 3 isomorph types, generated by

(1, 2, 3, 4), (1, 3, 2, 4), (1, 3, 4, 2) Isomorphs 18

Given the two graphs G1 and G2 on n points, define

I = { (H, σ) | H ∈ iso(G1) ∪ iso(G2), σ ∈ aut(H) }

Then |I| = n! when G1 and G2 are isomorphic, but |I| = 2n! otherwise.

Membership in I can be established by providing the appropriate isomorphism for H (checking the automorphism σ is easy).

The protocol will work with J = I × I, which has cardinality (n!)2 and 4(n!)2, respectively. Protocol 19

Arthur: Compute m = log 4(n!)2. Select a hash function h ∈ H with codomain 2m, send to Merlin.

Merlin: Find x ∈ J such that h(x) = 0m, send to Arthur with a membership proof. Crash if there is none.

Arthur: Check and accept/reject accordingly.

So m is the number of bits we need (at most) to specify an element of J.

m has length polynomial in n, so Arthur can actually compute this number.

Send h means: send the parameters that define h (as in ha,b above). Analysis 20

First suppose the graphs are isomorphic. Then

m X m Pr[∃ x ∈ J (h(x) = 0 )] ≤ Pr[h(x) = 0 ] h h x∈J

= (n!)22−m = 1/4

In the non-isomorphic case

m X m Pr[∃ x ∈ J (h(x) = 0 )] ≥ Pr[h(x) = 0 ] − h h x∈J

X m m 1/2 Pr[h(x) = 0 ∧ h(y) = 0 ] x6=y

> 1 − 1/2 (4(n!)2)22−2m = 1/2

This uses inclusion-exclusion and independence. Done by error reduction as usual. And Equality? 21

It is currently an open problem whether AM = MA.

It is known that

NP, BPP ⊆ MA ⊆ AM ⊆ PH 1 Arthur and Merlin

2 More on Proofs Keeping Secrets 23

Prof. Wurzelbrunft thinks he has a proof of the Riemann hypothesis. He would like a panel of experts to check before he goes public. Alas, academia is a blood sport, so he would like to make sure that the experts cannot steal his proof.

Question: Is there a way Wurzelbrunft can convince the experts that he has a proof, without revealing a single detail of the proof?

Your intuition might say NO, he has to hand over the proof so the other guys can check it. Not knowing the proof prevents any type of quality control.

OK, in reality Wurzelbrunft could start with a proof sketch, but lets not quibble. Zero Knowledge Proofs 24

A zero knowledge proof is a probabilistic protocol like the ones we have already seen, but with an additional condition:

Completeness: as before

Soundness: as before

Zero Knowledge: the verifier learns nothing about x during the interaction.

Think of the last condition as the verifier being able to compute all the information on its own. This is a bit difficult to formalize, we’ll refrain. ZKP for Graph Isomorphism 25

The input is two ugraphs G0 and G1. If we have a yes-instance, then the prover can easily compute a corresponding isomorphism π (which we want to hide from the verifier).

0 0 P: Pick a random permutation π , compute H = π (G0), send to V.

V: Pick b ∈ 2 at random, send to P.

P: If b = 0 send π00 = π0; else send π00 = π ◦ π0.

00 V: Verify that H = π (Gb).

Ignoring technical details, this protocol reveals no information about the permutation π to the verifier. Probabilistically Checkable Proofs (PCP) 26

Let’s focus on problems in NP. In the usual deterministic protocol for NP (P: send witness, V: verify), the verifier reads the whole witness (proof) π sent by the prover at least in some cases. For SAT, think about a branch in a BDD that involves all variables.

In a probabilistic protocol we allow errors, so it seems natural that the verifier could read only part of π.

Huge Surprise: It turns out that we can get away reading just a constant number of bits in π. This is about as counterintuitive as one an imagine. PCP Protocol 27

Given two functions r and q define the class PCP(r, q) as follows: There is a probabilistic polynomial time verifier V such that for |x| = n the version Vπ with oracle π satsifies:

Constraint Vπ(x) uses O(r(n)) random bits and reads O(q(n)) bits of π.

Completeness x ∈ L implies ∃ π Pr[Vπ(x) = 1] = 1.

Soundness x∈ / L implies ∀ π Pr[Vπ(x) = 1] < 1/2.

We think of π as an oracle rather than writing it on a tape so that is easier for V to ask just for bit π[i] without reading all of π.

It is straightforward to generalize to function classes: PCP(F1, F2). Poly Proof Bits 28

It is easy to see that PCP(0, poly) = NP. Here is a less obvious result: logarithmically many random bits don’t help to get out of NP.

Theorem PCP(log, poly) = NP.

Proof. Suppose x ∈ L. We cannot simply use a nice proof π as witness for x since π might be too long, we need “compression.” Think about running V on all length log n random sequences. Collect a set S of positions where V might read π. Note that S has polynomial size, so we can use these queries (i, π[i])i∈S as a witness for x. 2 PCP Theorem 29

Here is the big surprise, with a rather difficult proof, due to Arora-Safra 1992 and Arora-Lund-Motwani-Sudan-Szegedy 1992.

Theorem (PCP Theorem)

PCP(log, 1) = NP.

Actually, the same constant works for all languages in NP.