An Introduction to Probabilistically Checkable Proofs and the PCP Theorem Jose Falcon, Mitesh Jain June 2, 2013 1 Introduction Define the languages of NP as the languages with efficient proof systems. Definition 1. A language L is in NP if there is a polynomial-time deter- ministic Turing machine V that, given an input x, verifies proofs, denoted π, of x 2 L. The following properties hold: x 2 L =) 9π : Vπ(x) = 1 (1) x2 = L =) 8π : Vπ(x) = 0: (2) Vπ(x) has access to an input string x and a certificate string π. Note that we use \proof" and \certificate" interchangeably. It is instructive to pose NP-problems as a game between a solver and a veri- fier. A solver must produce a certificate π of the existence of x 2 L, whereas a verifier correctly and efficiently determines the validity of π. Consider the problem SAT: a certificate is merely an assignment to the variables of the input formula. The verifier can substitute the assignment into the original formula and quickly discern satisfiability. Notice, however, the verifier scans every bit of π. An astute reader may ask if it is necessary to read every bit of a certifi- cate. Certainly we must if we rely on substitution as a means of verification. However, if we change the structure of our certificate, can we provide a new proof system which is verifiable by reading a constant number of bits of π, if only probabilistically? Surprisingly, we can. 1 1.1 PCP Verifiers Let us generalize our notion of a verifier. First, outfit the verifier with an address tape so that it may randomly access individual bits of π. An address is written to the tape by throwing r(n) random coins, where each coin corresponds to a bit on the tape. Next, limit the number of queries to the proof to q(n). Relative to the classical verifier, this restricts the power of the PCP verifier. We allow the verifier to err, and consider the following questions: • what is the tradeoff between the query complexity and the error in- curred by the verifier; and • how small can the probabilistically checkable proof be relative to the classical proof? 1.1.1 Formalization A probabilistic verifier admits the following properties: a correct proof of x 2 L is always accepted, i.e., Pr[accepting a correct proof] = 1; and, if x2 = L, then every claimed certificate of x 2 L is rejected with high probability. Definition 2. Let L be a language and q; r : N ! N. L has an (r(n); q(n))- PCP verifier if there is a polynomial-time probabilistic algorithm V such that it is: • Efficient: given an input x 2 f0; 1gn and random access to a cer- tificate π 2 f0; 1g∗, V uses at most r(n) random coins and makes at most q(n) queries to π. V accepts or rejects when it outputs \1" or \0" respectively. • Complete: if x 2 L then there exists a certificate π 2 f0; 1g∗ such that Pr[Vπ(x) = 1] = 1. • Sound: if x2 = L then for every certificate π 2 f0; 1g∗, Pr[Vπ(x) = 1 0] > 2 . A language L is in PCP(r(n); q(n)), if L has a (c·r(n); d·q(n))-PCP verifier, for constants c; d > 0. 2 Notice this formulation dictates the maximum size of a proof that can be verified. Given an address tape of length r(n) we may access 2r(n) bits. Querying the proof q(n) times is equivalent to accessing q(n) proofs of size 2r(n). Thus, proofs may be at most q(n) · 2r(n) bits. 1.2 The PCP Theorem The following theorem is known as the PCP theorem and was shown by Arora et al. in 1992 [1]. Theorem 3. NP = PCP(log n; 1). A proof of this result is outside the scope of this project. Theorem 3 shows, in short, that every NP-language has a PCP verifier that verifies certificates of at most poly(n) bits by reading a constant number of bits. The follow- ing section outlines a proof of a weaker PCP theorem that provides some intuition of the proof of 3. 2 A Proof of a Weak PCP Theorem The primary contribution of this project is a pedagogical proof of the fol- lowing PCP theorem: Theorem 4. NP ⊆ PCP(poly(n); 1). Theorem 4 is weaker than the PCP theorem stated in the previous sec- tion in the sense that the proofs it validates may be much larger. The former verifies proofs of exponential size, whereas the latter verifies proofs of poly- nomial size. It is interesting, still, that exponentially sized proofs can be verified by a constant number of queries. The remainder of this section outlines a proof of a (poly(n); 1)-PCP ver- ifier for CIRCUIT-SAT. Because CIRCUIT-SAT is known to be NP-complete, any NP-language has a PCP verifier by first reducing to CIRCUIT-SAT. For simplicity, we assume the problem is translated into a set of equivalent boolean quadratic constraints. The pith of the verifier is to encode solutions to these constraints as functions which can be quickly tested and decoded. Our main tools include, boolean linear functions, Walsh-Hadamard codes and boolean quadratic equations. Finally, we prove the verifier is efficient, complete and sound. 3 2.1 Linear Functions and Bit Vectors Throughout our study of the Walsh-Hadamard code (section 2.2) and theo- rem 4, we frequently depend on linear functions from f0; 1gn to f0; 1g. Definition 5. A function f : f0; 1gn ! f0; 1g is linear if, for every x; y 2 f0; 1gn, f(x + y) = f(x) + f(y), and f(αx) = αf(x). It is also convenient to reason about bit strings as vectors. Consider the dot product of u; x 2 f0; 1gn as vectors. Definition 6. The dot product of any u; x 2 f0; 1gn is defined as n X `u(x) = uixi (mod 2) i=1 Corollary 7. `u(x) is a linear function. The next lemma shows that if two bit strings u; v are different, then for half the choices of x, `u(x) 6= `v(x). It appears frequently throughout the 1 design of the PCP verifier (section 2.3) in the form, Pr[`u(x) 6= `v(x)] = . x 2 Lemma 8. Let u; v 2 f0; 1gn. If u 6= v, then for half the choices of x, `u(x) 6= `v(x). n n Proof. Let u = u1u2 : : : un 2 f0; 1g and v = v1v2 : : : vn 2 f0; 1g such that u 6= v. Then u and v differ in at least one bit. Without loss of generality, let k be the least index such that uk 6= vk. We show that `u(x) 6= `v(x) for half the choices of x 2 f0; 1gn by a simple counting argument. Let x = x1x2 : : : xn and consider the following. n X uixi (3) i=1;i6=k n X vixi (4) i=1;i6=k By definition, `u(x) = (3) + ukxk (mod 2) (5) `v(x) = (4) + vkxk (mod 2) (6) Suppose (3) = (4); we are forced to set xk = 1 to ensure `u(x) 6= `v(x). Otherwise (3) 6= (4) and setting xk = 0 ensures the inequality. Since there are 2n possible choices of x, but a single bit is fixed for every choice, there n−1 are 2 possible choices of x where `u(x) 6= `v(x). 4 A useful fact for conceptualizing Walsh-Hadamard codewords (section n 2.2) is that the set Ln = f`u j u 2 f0; 1g g is equal to the set of all linear functions from f0; 1gn to f0; 1g. Lemma 9. A function f : f0; 1gn ! f0; 1g is linear if and only if there n exists some u 2 f0; 1g such that f(x) = `u(x). Proof. Starting in the \if" direction, suppose f(x) = `u(x). It follows from corollary 7 that f is linear. In the \only if" direction, suppose f : f0; 1gn ! f0; 1g is linear. We must show there exists some u such that f(x) = `u(x). Consider the following bit vectors, e1 = 100 ::: 0; e2 = 010 ::: 0; : : : ; en = 000 ::: 1; n where ei 2 f0; 1g . Any bit vector x = x1x2 : : : xn can be decomposed as the summation of the following unit vectors, x = x1e1 + x2e2 + ::: + xnen Here, xi acts as a scalar. Since f(x) is linear, f(x) = f(x1e1) + f(x2e2) + ::: + f(xnen) = x1f(e1) + x2f(e2) + ::: + xnf(en) n X = xiui; where ui = f(ei) i=1 = `u(x): n Corollary 10. The set Ln = f`u j u 2 f0; 1g g is the set of all linear func- tions from f0; 1gn to f0; 1g. 2.2 The Walsh-Hadamard Code The Walsh-Hadamard code is an encoding of binary strings of length n as binary strings of length 2n. The Walsh-Hadamard encoding function WH : f0; 1gn ! f0; 1g2n is defined as: Definition 11. WH(u) = `u. 5 This definition may seem counterintuitive; WH maps binary strings to bi- nary strings, but clearly `u is a function. It is useful, then, to think of WH(u) as a binary string encoding the dot product of u with every i 2 f0; 1gn. Ob- th serve that the i bit of WH(u), written WH(u)i, is equal to the dot product of u with i.