Computational Complexity Theory, Fall 2010 10 November Lecture 18: IP=PSPACE. Arthur-Merlin Games Lecturer: Kristoffer Arnsfelt Hansen Scribe: Andreas Hummelshøj J Update: Ω(n) Last time, we were looking at MOD3◦MOD2. We mentioned that AND required size 2 MOD3◦ MOD2 circuits. We also mentioned, as being open, whether NEXP ⊆ (nonuniform)MOD2 ◦ MOD3 ◦ MOD2. Since 9/11-2010, this is no longer open. Definition 1 ACC0 = class of languages: 0 0 ACC = [m>2ACC [m]; where AC0[m] = class of languages computed by depth O(1) size nO(1) circuits with AND-, OR- and MODm-gates. This is in fact in many ways a natural class of languages, like AC0 and NC1. 0 Theorem 2 NEXP * (nonuniform)ACC . New open problem: Is EXP ⊆ (nonuniform)MOD2 ◦ MOD3 ◦ MOD2? Recap: We defined arithmetization A(φ) of a 3-SAT formula φ: A(xi) = xi; A(xi) = 1 − xi; 3 Y A(l1 _ l2 _ l3) = 1 − (1 − A(li)); i=1 m Y A(c1 ^ · · · ^ cm) = A(cj): j=1 1 1 X X ]φ = ··· P (x1; : : : ; xn);P = A(φ): x1=0 xn=0 1 Sumcheck: Given g(x1; : : : ; xn), K and prime number p, decide if 1 1 X X ··· g(x1; : : : ; xn) ≡ K (mod p): x1=0 xn=0 True Quantified Boolean Formulae: 0 0 Given φ ≡ 9x18x2 ::: 8xnφ (x1; : : : ; xn), where φ is a 3SAT formula, decide if φ is true. Observation: φ true , P1 Q1 P ··· Q1 P (x ; : : : ; x ) > 0, P = A(φ0). x1=0 x2=0 x3 x1=0 1 n Protocol: Can't we just do it analogous to Sumcheck? Id est: remove outermost P, P sends polynomial S, V checks if S(0) + S(1) ≡ K, asks P to prove Q1 P1 ··· Q1 P (a) ≡ S(a), where x2=0 x3=0 xn=0 a 2 f0; 1; : : : ; p − 1g is chosen uniformly at random. Problem: n deg S may be as large as (3m) 2 . Solution: Linearise. Let P (x1; : : : ; xn) be a polynomial. Define LiP (x1; : : : ; xn) = xiP (x1; : : : ; xi−1; 1; xi+1; : : : ; xn) + (1 − xi)P (x1; : : : ; xi−1; 0; xi+1; : : : ; xn): Lemma 3 For all x 2 f0; 1gn we have: P (x1; : : : ; xn) = L1L2 :::LnP (x1; : : : ; xn): PQ P Don't show ··· P (x1; : : : ; xn) ≡ K. Instead, show X Y X X L1 L1L2 L1L2L3 ··· L1L2 :::LnP (x1; : : : ; xn) ≡ K x1 x2 x3 Protocol: (Modification of Sumcheck) Start: n 2n P P sends prime p 2 2 + 1; 2 such that p - L:::P (x), and also K (we intend that we should have P L:::P (x) ≡ K (mod p)). The protocol now proceed as the sumcheck protocol by in each round of communication stripping P Q of one of ; ; or Li. 2 P: P must prove P1 L :::P (a ; : : : ; a ; x ; : : : ; x ) ≡ k. P sends polynomium S(x ) (NB: degree xi=0 1 1 i−1 i n i at most 1) to V . V checks S(0) + S(1) ≡ K or rejects. V chooses a 2 f0; 1; : : : ; p − 1g uniformly at random and asks P to show that L1 :::LnP (a1; : : : ; ai−1; a; xi+1; : : : ; xn) ≡ S(a). Q: P must prove Q1 L :::P (a ; : : : ; a ; x ; : : : ; x ) ≡ K. P sends polynomium S(x ) (NB: degree xi=0 1 1 i−1 i n i at most 1) to V . V checks S(0)S(1) ≡ k or rejects. V chooses a 2 f0; 1; : : : ; p − 1g uniformly at random and asks P to show that L1 :::LnP (a1; : : : ; ai−1; a; xi+1; : : : ; xn) ≡ S(a). L: P must prove LiLi+1 :::P (a1; : : : ; ak; xk+1; : : : ; xn) ≡ K, where 1 ≤ i ≤ k, for some k. P sends polynomial S(xi) (NB: degree at most 2, except at the end with LnP (x1; : : : xn), where the degree is at most 3m) to V . V verifies that aiS(1)+(1−ai)S(0) ≡ K or rejects. V chooses a 2 f0; : : : ; p − 1g uniformly at random and asks P to prove Li+1 :::P (a1; : : : ; ai−1; a; ai+1; : : : ; ak; xk+1; : : : ; xn) ≡ S(a). The analysis of the protocol is analogous to the analysis of the sumcheck protocol. Completeness: We have completeness 1, since if x 2 L we will always accept if the prover follows the protocol specified. Soundness: If the verifier accepts, when x2 = L, then there is some round where the prover must prove a wrong statement, but in the next round we ask him to prove a correct statement. For a given round, this 3m happens with probability at most p (since a nonzero polynomial of degree at most 3m has at most 3m roots in GF(p).) Thus taking a union bound over the number of rounds (≤ n2), the total error 2 3m is at most n p by union bound. This is exponentially small, since p is exponentially large, Remarks: • We have completeness is 1. Thus all interactive protocols can in principle be converted to protocols with completeness 1. • All messages from V are just the random bits which have been flipped since last round of communication. Next we are going to explore interactive proofs that have this last property, but using only a constant number of rounds of communication. 3 Arthur-Merlin proof: AM[k] = class of languages computed by interactive protocols, where V 's messages are the random bits V has flipped since last communication, and total number of messages between P and V is at most k. Further, we denote AM[2] simply by AM. Theorem 4 Graph Non-Isomorphism 2 AM. Proof Let G1;G2 be graphs with vertices f1; : : : ; ng. ∼ ∼ Define S := f(H; π)j[H = G1 or H = G2] and π(H) = Hg. ∼ Lemma 5 If G1 = G2 then jSj = n!, if G1 G2 then jSj = 2(n!). Goldwasser-Sipser Set lower protocol: Given S ⊆ f0; 1gn, where we can verify that \x 2 S" efficiently given a certificate, and given a number K. P is supposed to prove that jSj ≥ K. The protocol will ensure, that if jSj ≥ K, V 2 1 accepts with probability at least 3 . Otherwise, V accepts with probablity < 3 . Protocol: 2k 2k Choose k such that 4 ≤ K ≤ 2 , and a family of pair-wise independent hash-functions Hm;k. k • V: Pick y 2 f0; 1g and h 2 Hm;k uniformly at random and send to P . • P: Try to find x such that h(x) = y, send x and proof that x 2 S. • V: Accept , h(x) = y. (Repeat these 3 steps in parallel to use succes amplification to get desired error.) For the analysis we need the following lemma. m 2k Lemma 6 Let S ⊆ f0; 1g , jSj ≤ 2 . 3 jSj jSj Then 4 2k ≤ P rh;y[9x 2 S : h(x) = y] ≤ 2k . jSj Proof For the inequality on the right we simply have jh(S) ≤ jSjj ) P r[9x 2 S : h(x) = y] ≤ 2k : For the inequality on the left, we can in fact fix y. Then: P rh[9x 2 S : h(x) = y] = P rh[[x2S fh(x) = yg] X 1 X ≥ P r [h(x) = y] − P r [h(x) = y ^ h(x0) = y] h 2 h x2S x6=x0;2S 1 1 jSj(jSj − 1) = jSj − 2k 2 22k jSj jSj − 1 1 = (1 − ) 2k 2 2k jSj 2k=2 1 ≥ (1 − ) 2k 2 2k 3 jSj = : 4 2k 4 where in the first inequality we used inclusion-exclusion to bound the probability of the union of events. We can now analyse the acceptance probability of the protocol. 3 jSj 3 K K If jSj ≥ K, V accepts with probability at least 4 2k ≥ 4 2k . If jSj ≤ 2 , V accepts with jSj 1 K 3 K 1 K probability at most 2k ≤ 2 2k . We can now utilize the gap between 4 2k and 2 2k to run a number of independent trials in parallel and obtain completeness 2=3 and soundness 1=3. 5.