
CSCI 1590 Intro to Computational Complexity
Interactive Proofs and PSPACE

John E. Savage, Brown University
April 27, 2009

Summary

1. Interactive Proofs
2. Zero-knowledge Proofs
3. IP and PSPACE
4. The Power of Interactive Proofs
5. Probabilistically Checkable Proofs

Interactive Proofs

An interactive proof is an interactive protocol in which a verifier, V, interacts with a prover, P. Given an input, x, V is allowed to ask P some number of questions. V is a Turing machine (TM) with bounded computational resources, but P can be an arbitrary function.

A language, L, is recognized by an interactive proof with completeness $p_c$ and soundness $p_s$ if:

- There exists a P such that for all $x \in L$, V accepts with probability at least $p_c$.
- For all P, when $x \notin L$, V rejects with probability at least $p_s$.

When specifying an interactive proof for L, we describe V. To prove correctness, we assume P is chosen to maximize the probability that V accepts.

We consider classes of languages recognized by interactive proofs where V is a probabilistic TM that runs in polynomial time.

IP[k]

Definition: Let IP[k] be the class of all languages, L, for which there exists a polynomial-time PTM, V, that can decide whether or not $x \in L$ with completeness and soundness 2/3, after k total queries and responses to/from a prover, P.

Let $IP = \bigcup_{c \ge 1} IP[n^c]$.

Had we defined IP[k] using soundness 1, we would have IP = NP.

In this definition, P has unbounded computational resources. Today we will show that P can be restricted to polynomial space computable functions without changing our IP[k] or IP. This implies $IP \subseteq PSPACE$.

More Practical Provers

We can describe an interactive proof by describing a polynomial time PTM, V. To actually implement this protocol, however, we would need a valid prover P. Since this P may need to perform an arbitrary PSPACE computation, we do not appear to have an efficient implementation.

To actually implement an interactive proof, we need P, as well as V, to be a PTM with polynomial runtime, but then what power does P provide?

Suppose we provide P with access to a "secret" piece of information. If V knew this secret, it would be as powerful as P, but as long as V does not, P can answer questions V cannot (if $\mathrm{P} \ne \mathrm{NP}$).

In a "zero-knowledge" interactive proof, P's goal is to prove to V some fact about a secret without revealing any information about it. Examples:

- Do you have the right password?
- Is this graph 3-colorable?

One-way functions

A one-way function, $f : \{0,1\}^n \to \{0,1\}^n$, is a polynomial-time computable function that is hard to "invert" in the average case. In other words, $f(x)$ is easy to compute, but finding an $x$ such that $y = f(x)$ takes super-polynomial time.

Just as we conjecture that $\mathrm{P} \ne \mathrm{NP}$, we conjecture that one-way functions exist.

- Factorization: find $x_1, x_2$ such that $y = x_1 \cdot x_2$.
- Discrete log: find $x$ such that $y = a^x \bmod p$ (where $p$ is a prime).

Using one-way functions, data can be encrypted. To encrypt a short string, s, add random bits and treat the result as x written in binary. To encode x, compute $y = a^x \bmod p$ for some agreed upon a and p.

y acts as a "locked box". If I give you y, I have committed to a specific value of x that I can later choose to reveal.

A Simple Zero-Knowledge Proof

If one-way functions exist, 3-coloring has a simple zero-knowledge proof (or more precisely, a computationally zero-knowledge proof).

A prover, which knows how to color a graph, $G = (V, E)$, can produce $o(|E|)$ copies of the graph in which all vertices are colored, but their colors are encrypted. In each copy, the colors themselves are also randomly permuted, meaning "red" in one graph can be "blue" in another.

For each copy, the verifier is allowed to ask the prover to decrypt only two adjacent vertices. If the graph is not 3-colorable, all of the graphs have at least one edge with endpoints of the same color.

All problems in NP can be reduced to an instance of 3-coloring, so if one-way functions exist, all languages in NP have polynomial-time computational zero-knowledge proofs. The same holds for all languages in IP.

PSPACE ⊆ IP

We have already shown that $IP \subseteq PSPACE$; now we will prove that they are equal.

Recall that the language TQBF, totally quantified boolean formulas, is PSPACE-complete. Let $\phi(x_1, \ldots, x_n)$ be a boolean formula. Instances of TQBF are strings of the form $Q_1 x_1 \cdots Q_n x_n\, \phi(x_1, \ldots, x_n)$, where each $Q_i$ is either an existential ($\exists$) or universal ($\forall$) quantifier. An instance is a "yes"-instance if and only if it evaluates to true.

To give an interactive proof for TQBF, we first note that any boolean formula, $\phi(x_1, \ldots, x_n)$, can be mapped to a multilinear polynomial, $p(x_1, \ldots, x_n)$, such that $\phi(x_1, \ldots, x_n) = p(x_1, \ldots, x_n)$ for all $x_i \in \{0, 1\}$:

- $\neg x_i \equiv 1 - x_i$
- $x_i \land x_j \equiv x_i x_j$
- $x_i \lor x_j \equiv 1 - (1 - x_i) \cdot (1 - x_j)$
- $x_i^k \equiv x_i$ for all $k > 1$.

Now we can treat the quantified formula as an arithmetic expression:

- $\exists x_i \equiv \sum_{x_i=0}^{1}$
- $\forall x_i \equiv \prod_{x_i=0}^{1}$
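The 3-coloring rounds from "A Simple Zero-Knowledge Proof", built on the discrete-log "locked box" from the one-way functions slide, as an added example that is not part of the original slides. The parameters P, Q and G, the helper names and the sample graph are assumptions made here, and the numbers are toy-sized.

```python
import random

# Toy parameters (assumed): safe prime P = 2Q + 1, G = 4 generates the order-Q subgroup.
# Discrete logs this small are trivially brute-forced; real use needs a large group.
P, Q, G = 2039, 1019, 4

def commit(color, rng):
    """Locked box: pad the color with random bits into x, publish y = G^x mod P."""
    x = color + 3 * rng.randrange(Q // 3)   # x < Q, and x % 3 recovers the color
    return pow(G, x, P), x

def opens_to(y, x):
    """Verifier's check of an opened box: the color, or None if x does not match y."""
    return x % 3 if 0 <= x < Q and pow(G, x, P) == y else None

def prover_commit(coloring, rng):
    """One copy of the graph: permute the three colors, then lock every vertex."""
    perm = rng.sample(range(3), 3)
    boxes, keys = {}, {}
    for v, c in coloring.items():
        boxes[v], keys[v] = commit(perm[c], rng)
    return boxes, keys

def run_round(edges, coloring, rng):
    """Prover commits, verifier picks one random edge, prover opens only its endpoints."""
    boxes, keys = prover_commit(coloring, rng)
    u, v = rng.choice(edges)
    cu, cv = opens_to(boxes[u], keys[u]), opens_to(boxes[v], keys[v])
    return cu is not None and cv is not None and cu != cv

def accepts(edges, coloring, rounds, rng):
    """Verifier accepts only if every copy passes; a bad edge is hit with prob. 1/|E| per copy."""
    return all(run_round(edges, coloring, rng) for _ in range(rounds))

# Constructed sample graph: a 4-cycle plus one chord.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 0), (0, 2)]
GOOD = {0: 0, 1: 1, 2: 2, 3: 1}   # proper 3-coloring
BAD = {0: 0, 1: 1, 2: 0, 3: 1}    # edge (0, 2) is monochromatic

if __name__ == "__main__":
    print("valid coloring accepted:", accepts(EDGES, GOOD, 200, random.Random(1)))
    print("invalid coloring accepted:", accepts(EDGES, BAD, 200, random.Random(1)))
```

Because the colors are re-permuted in every copy, the two opened values only ever show the verifier a random pair of distinct colors.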

The Arithmetization of TQBF

An instance of TQBF, $\forall x_1 \exists x_2 \cdots \forall x_{n-1} \exists x_n\, \phi(x_1, \ldots, x_n)$, can be represented as an arithmetic expression, $\prod_{x_1=0}^{1} \sum_{x_2=0}^{1} \cdots \prod_{x_{n-1}=0}^{1} \sum_{x_n=0}^{1} p(x_1, \ldots, x_n)$, where $p(x_1, \ldots, x_n)$ is a (potentially long) multilinear polynomial.

Notice that $\prod_{x_1=0}^{1} \sum_{x_2=0}^{1} \cdots \prod_{x_{n-1}=0}^{1} \sum_{x_n=0}^{1} p(x_1, \ldots, x_n) > 0$ if and only if $\forall x_1 \exists x_2 \cdots \forall x_{n-1} \exists x_n\, \phi(x_1, \ldots, x_n) \in TQBF$.

In our interactive proof for TQBF, the prover must convince the verifier that the arithmetic expression (which may be too long to actually write down) evaluates to some value $K \ne 0$.

K may be exponentially long in n, so we use modular arithmetic. The prover selects a prime, $p \in [2^n, 2^{2n}]$, such that $K \ne 0 \bmod p$. All arithmetic can be done mod p (if $K = 0$, $K = 0 \bmod p$).

Now we give an interactive proof (for an example) to verify that $K = \prod_{x_1=0}^{1} \sum_{x_2=0}^{1} \cdots \prod_{x_{n-1}=0}^{1} \sum_{x_n=0}^{1} p(x_1, \ldots, x_n) \bmod p$. The verifier will have perfect completeness.

The Sum-Check Interactive Protocol

V wishes to verify that $K = \prod_{x_1=0}^{1} \sum_{x_2=0}^{1} \cdots \prod_{x_{n-1}=0}^{1} \sum_{x_n=0}^{1} p(x_1, \ldots, x_n) \bmod p$.

V asks the prover P for K. If P lies, this will be discovered.

Notice that $f_1(x_1) = \sum_{x_2=0}^{1} \cdots \prod_{x_{n-1}=0}^{1} \sum_{x_n=0}^{1} p(x_1, \ldots, x_n) \bmod p$ is simply a linear function of the form $f_1(x_1) = a \cdot x_1 + b$.

To verify the sum, V requests $f_1(x_1)$ from P. Let $h_1$ be P's response. If $h_1(0) \cdot h_1(1) \ne K$, V rejects. (If the quantifier is $\exists$ instead of $\forall$ and $h_1(0) + h_1(1) \ne K$, V rejects.)

If P is truthful, $h_1(x_1) = f_1(x_1)$ for all values of $x_1$. If P is lying, $f_1(x_1) = h_1(x_1)$ for at most 2 values of $x_1$.

The Sum-Check Interactive Protocol (Cont.)

Now V selects a random value $a_1$ and rejects unless $h_1(a_1) = f_1(a_1)$.
If $h_1(a_1) = f_1(a_1)$, we recurse, requesting $f_2(a_1, x_2) = \prod_{x_3=0}^{1} \cdots \prod_{x_{n-1}=0}^{1} \sum_{x_n=0}^{1} p(a_1, x_2, \ldots, x_n) \bmod p$ from P and verifying that for P's response, $h_2(a_1, 0) \cdot h_2(a_1, 1) = h_1(a_1)$ (or $h_2(a_1, 0) + h_2(a_1, 1) = h_1(a_1)$ when $\exists$ is the quantifier).

The base case, $f_n(a_1, a_2, \ldots, a_{n-1}) = \sum_{x_n=0}^{1} p(a_1, \ldots, a_{n-1}, x_n) \bmod p$, can be verified directly.

If $h_i$ is wrong, the probability it fools V is at most $(2/p)$ times the probability $h_{i-1}$ fools V. Our soundness is at least $(1 - (2/p))^{n-1}$.

Example of Sum-Check Interactive Protocol for ∃

Consider a simple instance of TQBF: $(x_1 \lor x_2) \land (x_2 \lor \neg x_3) \land (\neg x_1 \lor x_3)$, which can be represented as $\sum_{x_1=0}^{1} \sum_{x_2=0}^{1} \sum_{x_3=0}^{1} p(x_1, x_2, x_3)$, where $p(x_1, x_2, x_3) = (1 - (1 - x_1)(1 - x_2))(1 - (1 - x_2)x_3)(1 - x_1(1 - x_3))$.
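
The sum-check rounds for the example polynomial above, with all three quantifiers ∃ (sums), as an added example that is not part of the original slides. It assumes the modulus P = 2^61 − 1 and uses p exactly as written, so each round polynomial has degree at most 2 and the prover sends it as three evaluations rather than as a linear form; the function names and the cheating prover are constructed for illustration.

```python
import random
from itertools import product

P = 2**61 - 1   # prime modulus (assumed; the slides let the prover pick p in [2^n, 2^2n])
N, DEG = 3, 2   # three variables; p as written has degree <= 2 in each of them

def p(x1, x2, x3):
    """The slide's arithmetized formula, evaluated mod P."""
    return (1 - (1 - x1) * (1 - x2)) * (1 - (1 - x2) * x3) * (1 - x1 * (1 - x3)) % P

def honest_round(prefix):
    """Prover: values at 0..DEG of f_i(X) = sum over the remaining bits of p(prefix, X, ...)."""
    rest = N - len(prefix) - 1
    return [sum(p(*prefix, t, *tail) for tail in product((0, 1), repeat=rest)) % P
            for t in range(DEG + 1)]

def interpolate(evals, a):
    """Lagrange-evaluate at a the polynomial that takes evals[t] at t = 0..len(evals)-1."""
    total = 0
    for t, y in enumerate(evals):
        num = den = 1
        for s in range(len(evals)):
            if s != t:
                num = num * (a - s) % P
                den = den * (t - s) % P
        total = (total + y * num * pow(den, -1, P)) % P
    return total

def verify(claimed_k, prover, rng):
    """Verifier: accept iff each round matches the previous claim and the last one matches p."""
    expected, prefix = claimed_k % P, []
    for _ in range(N):
        h = prover(tuple(prefix))
        if (h[0] + h[1]) % P != expected:   # h_i(0) + h_i(1) must equal the running claim
            return False
        a = rng.randrange(P)                # random challenge a_i
        expected = interpolate(h, a)        # new claim: h_i(a_i)
        prefix.append(a)
    return p(*prefix) == expected           # base case: V evaluates p itself

def cheating_prover(prefix):
    """Constructed adversary: inflates h_1(1) to support the false claim K = 4, then plays honestly."""
    h = honest_round(prefix)
    if not prefix:
        h[1] = (h[1] + 1) % P
    return h

if __name__ == "__main__":
    print("true K = 3 accepted:", verify(3, honest_round, random.Random(0)))
    print("false K = 4 accepted:", verify(4, cheating_prover, random.Random(0)))
```

The forged first-round polynomial passes the check against K = 4, but it agrees with the true f_1 at only two points, so the honest second-round sum fails to match h_1(a_1) for all but two choices of a_1.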