Probabilistic Pro of Systems { Lecture Notes Oded Goldreich Department of Computer Science and Applied Mathematics Weizmann Institute of Science, Rehovot, Israel. Septemb er 1996 Abstract Various typ es of probabilistic pro of systems have played a central role in the development of computer science in the last decade. In these notes, we concentrate on three such pro of systems | interactive proofs, zero-know ledge proofs, and probabilistic checkable proofs. Remark: These are lecture notes in the strict sense of the word. Surveys of mine on this sub ject can b e obtained from URL http://theory.lcs.mit.edu/ ~oded/pps.html. These notes were prepared for a series of lectures given in the Theory Student Seminar of the CS Department of UC-Berkeley. Visiting Miller Professor, Aug. { Sept. 1996, EECS Dept., UC{Berkeley. 0 1 Intro duction The glory given to the creativity required to nd pro ofs, makes us forget that it is the less glori- ed pro cedure of veri cation which gives pro ofs their value. Philosophically sp eaking, pro ofs are secondary to the veri cation pro cedure; whereas technically sp eaking, pro of systems are de ned in terms of their veri cation pro cedures. The notion of a veri cation pro cedure assumes the notion of computation and furthermore the notion of ecient computation. This implicit assumption is made explicit in the de nition of NP, in which ecient computation is asso ciated with deterministic p olynomial-time algorithms. Traditionally, NP is de ned as the class of NP-sets. Yet, each such NP-set can b e viewed as a pro of system. For example, consider the set of satis able Bo olean formulae. Clearly, a satisfying assignment for a formula constitutes an NP-pro of for the assertion \ is satis able" the veri cation pro cedure consists of substituting the variables of by the values assigned by and computing the value of the resulting Bo olean expression. The formulation of NP-pro ofs restricts the \e ective" length of pro ofs to b e p olynomial in length of the corresp onding assertions. However, longer pro ofs may b e allowed by padding the assertion with suciently many blank symb ols. So it seems that NP gives a satisfactory formulation of pro of systems with ecientveri cation pro cedures. This is indeed the case if one asso ciates ecient pro cedures with deterministic p olynomial-time algorithms. However, we can gain a lot if we are willing to take a somewhat non-traditional step and allow probabilistic veri cation pro cedures. In particular, Randomized and interactiveveri cation pro cedures, giving rise to interactive proof systems, seem much more p owerful i.e., \expressive" than their deterministic counterparts. Such randomized pro cedures allow the intro duction of zero-know ledge proofs which are of great theoretical and practical interest. NP-pro ofs can b e eciently transformed into a redundant form which o ers a trade-o between the numb er of lo cations examined in the NP-pro of and the con dence in its validity see probabilistical ly checkable proofs. In all ab ovementioned typ es of probabilistic pro of systems, explicit b ounds are imp osed on the computational complexity of the veri cation pro cedure, which in turn is p ersoni ed by the notion ofaveri er. Furthermore, in all these pro of systems, the veri er is allowed to toss coins and rule by statistical evidence. Thus, all these pro of systems carry a probability of error; yet, this probability is explicitly b ounded and, furthermore, can b e reduced by successive application of the pro of system. 2 Interactive Pro of Systems In light of the growing acceptability of randomized and distributed computations, it is only natural to asso ciate the notion of ecient computation with probabilistic and interactive p olynomial-time computations. This leads naturally to the notion of interactive pro of systems in which the veri ca- tion pro cedure is interactive and randomized, rather than b eing non-interactive and deterministic. Thus, a \pro of " in this context is not a xed and static ob ject but rather a randomized dynamic pro cess in which the veri er interacts with the prover. Intuitively, one may think of this interaction 1 as consisting of \tricky" questions asked by the veri er to which the prover has to reply \convinc- ingly". The ab ove discussion, as well as the actual de nition, makes explicit reference to a prover, whereas a prover is only implicit in the traditional de nitions of pro of systems e.g., NP-pro ofs. 2.1 The De nition Interaction: Going b eyond the uni-directional \interaction" of the NP-pro of system. If the veri er do es not toss coins then interaction can b e collapsed to a single message. computationall y unb ounded Prover: As in NP,we start by not considering the complexity of proving. probabilistic p olynomial-time Veri er: We maintain the paradigm that veri cation ought to b e easy, alas we allow random choices in our notion of easiness. Completeness and Soundness: We relax the traditional soundness condition by allowing small probability of b eing fo oled by false pro ofs. The probability is taken over the veri er's random choices. We still require \p erfect completeness"; that is, that correct statements are proven with probability 1. Error probability, b eing a parameter, can b e further reduced by successive rep eti- tions. Variations: Relaxing the \p erfect completeness" requirement yields a two-sided error variantof IP i.e., error probability allowed also in the completeness condition. Restricting the veri er to send only \random" i.e., uniformly chosen messages yields the restricted Arthur-Merlin interactive pro ofs aka public-coins interactive pro ofs. Alas, b oth variants are essentially as p owerful as the one ab ove. 2.2 An Example: interactive pro of of Graph Non-Isomorphism The problem: not known to b e in NP. Proving that two graphs are isomorphic can b e done by presenting an isomorphism, but howdoyou prove that no such isomorphism exists? The construction: the \two di erent ob ject proto col" { if you claim that two ob jects are di erent then you should b e able to tell which is which when I present them to you in random order. In the context of the Graph Non-Isomorphism interactive pro of, two supp osedly di erent ob jects are de ned by taking random isomorphic copies of each of the input graphs. If these graphs are indeed non-isomorphic then the ob jects are di erent the distributions have distinct supp ort else the ob jects are identical. 2.3 Interactive pro of of Non-Satis ability Arithmetization of Bo olean CNF formulae: Observe that the arithmetic expression is a low degree p olynomial. Observe that, in any case, the value of the arithmetic expression is b ounded. 2 Moving to a Finite Field: Whenever wecheck equalitybetween twointegers in [0;M], it suces to check equalitymodq, where q>M. The b ene t is that the arithmetic is now in a nite eld mo d q and so certain things are \nicer" e.g., uniformly selecting a value. Thus, proving that a CNF formula is not satis able reduces to proving equality of the following form X X x ; :::; x 0modq 1 n x =0;1 x =0;1 n 1 where isalow degree multi-variant p olynomial. The construction: stripping summations in iterations. In each iteration the prover is supp osed to supply the p olynomial describing the expression in one currently stripp ed variable. By the ab ove observation, this is a low degree p olynomial and so has a short description. The veri er checks that the p olynomial is of low degree, and that it corresp onds to the currentvalue b eing claimed i.e., p0 + p1 v . Next, the veri er randomly instantiates the variable, yielding a new value to b e claimed for the resulting expression i.e., v pr , for uniformly chosen r 2 GFq . The veri er sends the uniformly chosen instantiation to the prover. At the end of the last iteration, the veri er has a fully sp eci ed expression and can easily check it against the claimed value. Completeness of the ab ove: When the claim holds, the prover has no problem supplying the correct p olynomials, and this will lead the veri er to always accept. Soundness of the ab ove: It suces to b ound the probability that for a particular iteration the initial claim is false whereas the ending claim is correct. Both claims refer to the current summation expression b eing equal to the currentvalue, where `current' means either at the b eginning of the iteration or at its end. Let T b e the actual p olynomial representing the expression when stripping the currentvariable, and let pbeany p otential answer by the prover. Wemay assume that p0 + p1 v and that p is of low-degree as otherwise the veri er will reject. Using our hyp othesis that the initial claim is false, we know that T 0 + T 1 6 v . Thus, p and T are di erentlow-degree p olynomials and so they may agree on very few p oints. In case the veri er instantiation do es not happ en to b e one of these few p oints, the ending claim is false to o. Op en Problem 1 alternative pro of of coNP IP: Polynomials play a fundamental role in the above construction and this trend has even deepened in subsequent works on PCP.