Notes on Complexity Theory Last updated: October, 2011 Lecture 18 Jonathan Katz 1 The Power of IP We have seen a (surprising!) interactive proof for graph non-isomorphism. This begs the question: how powerful is IP? 1.1 coN P ⊆ IP As a \warm-up" we show that coN P ⊆ IP. We have seen last time that coNP is unlikely to have a constant-round interactive proof system (since this would imply1 that the polynomial hierarchy collapses). For this reason it was conjectured at one point that IP was not \too much more powerful" than NP. Here, however, we show this intuition wrong: any language in coNP has a proof system using a linear number of rounds. We begin by arithmetizing a 3CNF formula Á to obtain a polynomial expression that evaluates to 0 i® Á has no satisfying assignments. (This powerful technique, by which a \combinatorial" statement about satis¯ability of a formula is mapped to an algebraic statement about a polynomial, will come up again later in the course.) We then show how to give an interactive proof demonstrating that the expression indeed evaluates to 0. To arithmetize Á, the prover and veri¯er proceed as follows: identify 0 with \false" and positive integers with \true." The literal xi becomes the variable xi, and the literalx ¹i becomes (1¡xi). We replace \^" by multiplication, and \_" by addition. Let © denote the polynomial that results from this arithmetization; note that this is an n-variate polynomial in the variables x1; : : : ; xn, whose total degree is at most the number of clauses in Á. Now consider what happens when the fxig are assigned boolean values: all literals take the value 1 if they evaluate to \true," and 0 if they evaluate to \false." Any clause (which is a disjunction of literals) takes a positive value i® at least one of its literals is true; thus, a clause takes a positive value i® it evaluates to \true." Finally, note that © itself (which is a conjunction of clauses) takes on a positive value i® all of its constituent clauses are positive. We can summarize this as: ©(x1; : : : ; xn) > 0 if Á(x1; : : : ; xn) = true, and ©(x1; : : : ; xn) = 0 if Á(x1; : : : ; xn) = false. Summing over all possible (boolean) settings to the variables, we see that X X Á 2 SAT , ¢ ¢ ¢ ©(x1; : : : ; xn) = 0: x12f0;1g xn2f0;1g If Á has m clauses, then © has degree (at most) m (where the [total] degree of a polynomial is the maximum degree on any of its monomials, and the degree of a monomial is the sum of the degrees of its constituent variables). Furthermore, the sum above is at most 2n ¢ 3m. So, if we work 1In more detail: a constant-round proof system for coNP would imply a constant-round public-coin proof system for coNP, which would in turn imply coN P ⊆ AM. We showed last time that the latter implies the collapse of PH. 18-1 modulo a prime q > 2n ¢ 3m the above is equivalent to: X X Á 2 SAT , ¢ ¢ ¢ ©(x1; : : : ; xn) = 0 mod q: x12f0;1g xn2f0;1g Working modulo a prime (rather than over the integers) confers two advantages: it keeps the numbers from getting too large (since all numbers will be reduced modulo q; note that jqj = log q is polynomial) and it means that we are working over the ¯nite ¯eld Fq (which simpli¯es the analysis). We have now reduced the question of whether Á is unsatis¯able to the question of proving that a particular polynomial expression sums to 0! This already hints at the power of arithmeti- zation: it transforms questions of logic (e.g., satis¯ability) into questions of abstract mathematics (polynomials, group theory, algebraic geometry, . ) and we can then use all the powerful tools of mathematics to attack our problem. Luckily, for the present proof the only \deep" mathematical result we need is that a non-zero polynomial of degree m over a ¯eld has at most m roots. An easy corollary is that two di®erent polynomials of degree (at most) m can agree on at most m points. We now show the sum-check protocol, which is an interactive proof that Á is not satis¯able. ² Both prover and veri¯er have Á. They both generate the polynomial ©. Note that the (polynomial-time) veri¯er cannot write out © explicitly, but it su±ces for the veri¯er to be ableP to evaluateP © on any given values of x1; : : : ; xn. The prover wants to show that 0 = ¢ ¢ ¢ ©(x ; : : : ; x ). x12f0;1g xn2f0;1g 1 n ² The prover sends a prime q such that q > 2n ¢ 3m. The veri¯er checks the primality of q. (The veri¯er could also generate q itself, and send it to the prover.) All subsequent operations are performed modulo q. ² The veri¯er initializes v0 = 0. ² The following is repeated for i = 1 to n: { The prover sends a polynomial P^i (in one variable) of degree at most m. { The veri¯er checks that P^i has degree at most m and that P^i(0) + P^i(1) = vi¡1 (addition is done in Fq). If not, the veri¯er rejects. Otherwise, the veri¯er chooses a random ri 2 Fq, computes vi = P^i(ri), and sends ri to the prover. ² The veri¯er accepts if ©(r1; : : : ; rn) = vn mod q and rejects otherwise. (Note that even though we originally only \cared" about the values © takes when its inputs are boolean, nothing stops us from evaluating © at any points in the ¯eld.) Claim 1 If Á is unsatis¯able then a prover can make the veri¯er accept with probability 1. For every 1 · i · n (and given the veri¯er's choices of r1; : : : ; ri¡1) de¯ne the degree-m polynomial: def X X Pi(xi) = ¢ ¢ ¢ ©(r1; : : : ; ri¡1; xi; xi+1; : : : ; xn): xi+12f0;1g xn2f0;1g We claim that if Á is unsatis¯able and the prover always sends P^i = Pi, then the veri¯er always accepts. In the ¯rst iteration (i = 1), we have 0 1 X X X P1(0) + P1(1) = @ ¢ ¢ ¢ ©(x1; : : : ; xn)A = 0 = v0; x12f0;1g x22f0;1g xn2f0;1g 18-2 since Á is unsatis¯able. For i > 1 we have: X X X Pi(0) + Pi(1) = ¢ ¢ ¢ ©(r1; : : : ; ri¡1; xi; : : : ; xn) xi2f0;1g xi+12f0;1g xn2f0;1g = Pi¡1(ri¡1) = vi¡1: def Finally, vn = Pn(rn) = ©(r1; : : : ; rn) so the veri¯er accepts. Claim 2 If Á is satis¯able, then no matter what the prover does the veri¯er will accept with prob- ability at most nm=q. The protocol can be viewed recursively, where in iteration i the prover is trying to convince the veri¯er that X X vi¡1 = ¢ ¢ ¢ ©i(xi; : : : ; xn) (1) xi2f0;1g xn2f0;1g for some degree-m polynomial ©i that the veri¯er can evaluate. (In an execution of the protocol, we have ©1 = ©; for i > 1 we have ©i(xi; : : : ; xn) = ©(r1; : : : ; ri¡1; xi; : : : ; xn).) Each iteration i 0 proceeds as follows:P the proverP sends some degree-m polynomial Pi (xi) (this polynomial is supposed to be equal to ¢ ¢ ¢ ©i(xi; : : : ; xn) but may not be if the prover is cheating). xi+12f0;1Pg xn2f0;1g The veri¯er checks that P 0(x ) = v and, if so, then chooses a random point r ; the xi2f0;1g i i i¡1 i prover then needs to convince the veri¯er that X X def 0 vi = Pi (ri) = ¢ ¢ ¢ ©i+1(xi+1; : : : ; xn); xi+12f0;1g xn2f0;1g where ©i+1(xi+1; : : : ; xn) = ©i(ri; xi+1; : : : ; xn). Looking now abstractly at Eq. (1), we claim that if Eq. (1) does not hold then the prover can make the veri¯er accept with probability at most km=q, where k = n ¡ i + 1 is the number of variables we are summing over. The proof is by induction on k: Base case. When k = 1 we have X vn 6= ©n(xn) (2) xn2f0;1g 0 but the prover is trying to convince the veri¯er otherwise. The prover sends some polynomial Pn(xn). 0 0 0 0 If Pn = ©n the veri¯er always rejects since, by Eq. (2), Pn(0) + Pn(1) 6= vn. If Pn 6= ©n, then 0 the polynomials Pn and ©n agree on at most m points; since the veri¯er chooses random rn and 0 accepts only if Pn(rn) = ©n(rn), the veri¯er accepts with probability at most m=q. Inductive step. Say the claim is true for some value of k, and look at Eq. (1) for k + 1. Renum- bering the variables, we have X X v 6= ¢ ¢ ¢ ©(x1; : : : ; xk+1); x12f0;1g xk+12f0;1g 0 but the proverP is trying to convinceP the veri¯er otherwise. The prover sends some polynomial P (x1). Let P^(x ) = ¢ ¢ ¢ ©(x ; : : : ; x ) (this is what the prover is \supposed" to 1 x22f0;1g xk+12f0;1g 1 k+1 18-3 send). There are again two possibilities: if P 0 = P^, then P 0(0) + P 0(1) 6= v and the veri¯er always rejects. If P 0 6= P^ then these polynomials agree on at most m points. So with probability at most 0 m=q the veri¯er chooses a point r1 for which P (r1) = P^(r1); if this happens, we will just say the prover succeeds. If this does not occur, then X X 0 def 0 v = P (r1) 6= ¢ ¢ ¢ ©(r1; x2; : : : ; xk+1); x22f0;1g xk+12f0;1g and we have reduced to a case where we are summing over k variables.