Interactive Proof Systems and an Introduction to PCP
Presented at Computer Science Department, Sharif University of Technology (Complexity Theory Seminar).
M. Reza Rahimi,
Sharif University of Technology, Tehran, Iran.
Outline
• Introduction
• Another Way to Look at NP
• Interactive Proof Systems (IP)
• Arthur-Merlin Proof Systems (AM)
• IP=PSPACE
• Probabilistically Checkable Proofs (PCPs)
• Conclusion
Introduction
• One of the most important developments in complexity theory is Interactive Proof Systems.
• It sheds light on the characteristics of some complexity classes.
• It has also influenced some practical areas such as Cryptography and Algorithm Design.
• Before presenting the technical points, let's start with the source of its main idea and its philosophy.
• Computation is basically a physical fact. This is the origin of the Church-Turing-Markov thesis, which implies that:
A partial function is computable (in any accepted informal sense) if and only if it is computable by some binary Turing machine.
[Figure: "Any Physical Process in Universe" and "Turing Machine Program".]
• So from this viewpoint, efficient solving of a special problem needs its efficient model of computation.
• Let's see what happens in human society.
• Men communicate through languages with each other.
• Consider the following set.
,....
,
,...},,,,{A,
know} that wesymbols all|{
English
Farsi
x
• Remember your childhood. When you were curious and wanted to understand something, what did you do?
Child::(Verifier) Dad::(Prover)
1. Daddy, Can I play with fire?
2. No.
3. Why?
4. Because you may be burnt.
5. What will happen, if I burn?
6. You will go to hospital and the doctor will give you an injection.
Ok!
• Let's model this process according to our knowledge.
$T = \{x \mid \text{all true statements in the universe}\}$.
Input:: $x$ = "Playing with fire is good."
Query:: $x \in T$ ?
• So interaction is one of the instinctive ways in which human beings solve their problems.
• It is called the Social Computational Model.
• We will show that, in another way, NP, IP, ... are abstract models of this model of computation.
[Figure: "Social Computational Models." and "IP, NP, AM, MA, MIP, PCP, ... Computational Models."]
• In society we have some general strategies to interact with people.
1. We start from general questions to detailed questions.
2. If we want to ask all the questions it will be very time consuming, so we select some questions.
We will use these techniques for our mathematical protocols.
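Another Way to Look at NP
• We know the following definition about NP:
$L \in NP \iff \exists V(\cdot,\cdot),\ \exists P(\cdot),\ \forall x$:
1. $x \in L \Rightarrow \exists y,\ |y| \le P(|x|)$ and $V(x, y)$ accepts.
2. $x \notin L \Rightarrow \forall y,\ |y| \le P(|x|)$ and $V(x, y)$ rejects.
• We can look at this process like this:
[Figure: Prover and Verifier, each with input x; message y.]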
• For the prover we don't consider any limit in time or space or computation power.
• But the verifier is a deterministic polynomial time machine.
• In this model of computation NP is defined like this:
$L \in NP \iff \exists$ Prover, (Polynomial Time Verifier) $V$, $\forall x$:
1. $x \in L \Rightarrow$ Prover has a strategy to convince Verifier.
2. $x \notin L \Rightarrow$ Prover has no strategy to convince Verifier.
• So NP is single message interaction. What will happen if we
– Allow multiple rounds of interactions,
– Verifier can be randomized polynomial time machine?
• NP + Multiple Round Interaction:
[Figure: Prover and Verifier, each with input x; messages Y1, Y2, Y3, ..., Yn; Y1Y2Y3…Yn.]
• According to the above it is obvious that NP = NP + Multiple Round of Interaction.
• NP + Randomized Polynomial Time Verifier:
[Figure: Prover and Randomized Polynomial Time Verifier, each with input x; message y.]
• The languages recognized by the previous model are in class MA.
Conjecture: MA=NP.
• So it seems that using only one feature will not make the NP machine stronger. What will happen when we add both features?
• This machine will lead us to the Interactive Proof Systems.
[Figure: Prover and Randomized Polynomial Time Verifier, each with input x; messages Y1, Y2, Y3, ..., Yn.]
Interactive Proof Systems (IP)
• IP Model:
[Figure: Prover and Polynomial Time Verifier, each with input x; Random String; messages q1, a1, q2, ..., ai; output OK or NO.]
• IP Class Definition:
$L \in IP \iff \exists V$ (Probabilistic Polynomial Time TM), $\forall x$:
1. $x \in L \Rightarrow \exists P:\ \Pr[(V \leftrightarrow P)\ \text{ok}] \ge \frac{2}{3}$.
2. $x \notin L \Rightarrow \forall P:\ \Pr[(V \leftrightarrow P)\ \text{ok}] \le \frac{1}{3}$.
• Note that the Prover cannot see the random string of the verifier, so the Verifier has a Private Coin.
• Round of Interaction r(n) = The total number of messages exchanged.
• IP[K]:: K rounds of interaction.
• Example: Graph Non-Isomorphism
$ISO = \{\langle G_1, G_2 \rangle \mid G_1 \text{ and } G_2 \text{ are isomorphic graphs}\}$.
$NONISO = \{\langle G_1, G_2 \rangle \mid G_1 \text{ and } G_2 \text{ are not isomorphic graphs}\}$.
• It is obvious that ISO ∈ NP so NONISO ∈ co-NP.
• But we don't know if it is NP-Complete or not.
These two are very important in complexity theory.
We know that it is in IP.
It is proved that if ISO ∈ NP-Complete then PH collapses.
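Protocol: Private-Coin Graph Non-Isomorphism
V: Pick $i \in \{1, 2\}$ uniformly randomly. Randomly permute the vertices of $G_i$ to get a new graph; call it H. Send H to P.
P: Show which of $G_1$ or $G_2$ was the source of the permutation; send its index $j$ to the verifier.
V: Yes if $i = j$, else No.
$x \in NONISO \Rightarrow \Pr[(V \leftrightarrow P)\ \text{Yes}] = 1$
$x \notin NONISO \Rightarrow \Pr[(V \leftrightarrow P)\ \text{Yes}] \le \frac{1}{2}$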
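A simulation of the private-coin protocol above, as an added example that is not from the slides: the prover is modelled by brute-force isomorphism search, and the graph encoding, function names and sample graphs are assumptions. It also repeats the round k times, the standard way to push the 1/2 error on isomorphic inputs below the 1/3 bound in the IP definition.

```python
import itertools
import random

def relabel(graph, perm):
    """Apply a vertex permutation (perm[v] is the new name of v) to an edge set."""
    return frozenset(frozenset(perm[v] for v in edge) for edge in graph)

def isomorphic(g, h, n):
    """Brute force over all n! relabelings: the unbounded prover's computation."""
    return any(relabel(g, p) == h for p in itertools.permutations(range(n)))

def prover(g1, g2, h, n):
    """P: name the source of H. If G1 and G2 are isomorphic, H carries no
    information about i, so any answer (here always 1) is a blind guess."""
    return 1 if isomorphic(g1, h, n) else 2

def one_round(g1, g2, n, rng):
    """V: pick i and a permutation privately, send only H, accept iff j == i."""
    i = rng.choice((1, 2))
    perm = list(range(n))
    rng.shuffle(perm)
    h = relabel(g1 if i == 1 else g2, perm)
    return prover(g1, g2, h, n) == i

def accept_rate(g1, g2, n, k, trials, seed=0):
    """Fraction of trials in which V says Yes in all k independent rounds."""
    rng = random.Random(seed)
    wins = sum(all(one_round(g1, g2, n, rng) for _ in range(k))
               for _ in range(trials))
    return wins / trials

def graph(*pairs):
    """Build an undirected graph as a set of two-element vertex sets."""
    return frozenset(frozenset(p) for p in pairs)

# Constructed sample graphs on vertices 0..3.
PATH = graph((0, 1), (1, 2), (2, 3))
STAR = graph((0, 1), (0, 2), (0, 3))             # not isomorphic to PATH
PATH_RELABELLED = graph((2, 0), (0, 3), (3, 1))  # isomorphic to PATH
```

On the non-isomorphic pair the verifier always accepts; on the isomorphic pair the acceptance rate is about 1/2 for k = 1 and about 1/8 for k = 3.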
Arthur-Merlin Proof Systems (AM)
• AM Model:
[Figure: Merlin and Arthur (Polynomial Time Verifier), each with input x; Random String; messages q1, a1, q2, ..., ai; output OK or NO.]
$|q_i|, |a_i| = O(Poly(|x|))$
$|\text{Random String}| = O(Poly(|x|))$
Number of Exchanged Messages $= O(Poly(|x|))$
$A(R, x, q_1, a_1, q_2, \dots, a_i) = q_{i+1}$, Yes, or No.
$M(R, x, q_1, a_1, q_2, \dots, q_i) = a_i$.
• AM Class Definition:
$L \in AM \iff \exists A$ (Probabilistic Polynomial Time TM), $\forall x$:
1. $x \in L \Rightarrow \exists M,\ \Pr[(A \leftrightarrow M)\ \text{ok}] \ge \frac{2}{3}$.
2. $x \notin L \Rightarrow \forall M,\ \Pr[(A \leftrightarrow M)\ \text{ok}] \le \frac{1}{3}$.
• Note that the Prover can see the random string of the verifier, so the Verifier has a Public Coin.
• Round of Interaction r(n) = The total number of messages exchanged.
• AM[K] = K rounds of interaction.
• It seems that the previous protocol doesn't work for this machine.
• If Merlin can see the random bits he always answers correctly.
• But it is proved that NONISO ∈ AM[2].
Theorem:: (Goldwasser, Sipser)
NONISO ∈ AM[2].
Some Results About IP and AM Relation
1. IP[K] $\subseteq$ AM[k+2] for all constants k.
2. For constant k $\ge$ 2 we have AM[K]=AM[2].
3. So we can move all of Arthur's messages to the beginning of the interaction:
AMAMAM…AM = AAMMAM…AM… = AAA…AMMM…M
IP=PSPACE (Shamir's Theorem)
• We describe it in two phases.
IP $\subseteq$ PSPACE
• Proof Idea:
– Given any Verifier V, we will compute $a_x = \max_{P} \Pr[(V \leftrightarrow P)\ \text{Ok}]$ using a Polynomial Space machine.
PSPACE $\subseteq$ IP
Arithmetization:
Boolean Domain → Polynomial Domain
$x \wedge y \;\to\; x \cdot y$
$\neg x \;\to\; 1 - x$
$x \vee y \;\to\; 1 - (1 - x)(1 - y)$
$\varphi(x_1, x_2, \dots, x_m) \;\to\; P_\varphi(x_1, x_2, \dots, x_m)$
The usefulness of this technique is that we can extract more properties from Boolean expressions.
• We need only to design an IP protocol for TQBF.
• Before presenting this protocol, let's review some basic concepts.
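Lemma:
$\varphi(x_1, x_2, \dots, x_m) = 0 \Rightarrow P_\varphi(x_1, x_2, \dots, x_m) = 0$.
$\varphi(x_1, x_2, \dots, x_m) = 1 \Rightarrow P_\varphi(x_1, x_2, \dots, x_m) = 1$.
$\sum_{x_1 \in \{0,1\}} \sum_{x_2 \in \{0,1\}} \cdots \sum_{x_m \in \{0,1\}} P_\varphi(x_1, x_2, \dots, x_m) = k$ = number of satisfying assignments of $\varphi$.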
321321
321321
321
321
321
321321
))1)(1(1(
.))1)(1(1(),,(
))1)(1(1(
))1(1)))(1)(1(1(1(1(
)1())1)(1(1(
),,(
xxxxxx
xxxxxxP
xxx
xxx
xxx
xxxxxx
Example:
• To catch the general idea of the TQBF protocol, let's review a protocol for the following language.
$\#SAT = \{\langle \varphi, k \rangle : \varphi \text{ is a cnf-formula with exactly } k \text{ satisfying assignments}\}$.
Theorem:: $\#SAT \in IP$.
Main Idea:
• Let's investigate the problem intuitively.
• Think that we are the Verifier and want to know whether $x \in \#SAT$ is true or not.
• We usually start from general questions to detailed questions.
• If the prover is trustful he/she will answer all the questions correctly.
• If not, we will catch him/her with detailed questions.
• Let's review some basic definitions.
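$\varphi(x_1, x_2, \dots, x_m) \to P_\varphi(x_1, x_2, \dots, x_m)$
$f_i(x_1, x_2, \dots, x_i) = \sum_{x_{i+1} \in \{0,1\}} \sum_{x_{i+2} \in \{0,1\}} \cdots \sum_{x_m \in \{0,1\}} P_\varphi(x_1, x_2, \dots, x_m)$
= number of satisfying assignments when the input is $x_1, x_2, \dots, x_i$.
Example:
$\varphi(x_1, x_2) \to P_\varphi(x_1, x_2)$
$f_0() = \sum_{x_1 \in \{0,1\}} \sum_{x_2 \in \{0,1\}} P_\varphi(x_1, x_2) = P_\varphi(0,0) + P_\varphi(0,1) + P_\varphi(1,0) + P_\varphi(1,1)$.
$f_1(x_1) = \sum_{x_2 \in \{0,1\}} P_\varphi(x_1, x_2) = P_\varphi(x_1, 0) + P_\varphi(x_1, 1)$.
$f_2(x_1, x_2) = P_\varphi(x_1, x_2)$.
$f_0()$ :: number of satisfying assignments.
In general we have:
$f_i(x_1, x_2, \dots, x_i) = f_{i+1}(x_1, x_2, \dots, x_i, 0) + f_{i+1}(x_1, x_2, \dots, x_i, 1)$.
[Figure: Prover / Verifier protocol diagram.]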
• It is obvious that the foregoing protocol is very large (exponential message size).
• So we must use randomness for shortening the messages and protocol.
• In each phase, the message will be doubled. So we must reduce this phase.
[Figure: Prover / Verifier protocol diagram.]
Proof Idea:
• If $x \in \#SAT$ then the trusted prover always answers correctly.
• Else a devious prover can cheat the verifier with low probability in each phase. It means that:
nii
n
q
dff
2}Pr{
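An added example (not from the slides): the #SAT protocol outlined above in its standard sum-check form, combining the arithmetization rules, the recurrence $f_i = f_{i+1}(\dots,0) + f_{i+1}(\dots,1)$ and the verifier's random field elements. The modulus Q, the signed-integer literal encoding, the function names and the sample formula are assumptions of the example.

```python
import itertools, random

Q = 2**61 - 1  # prime modulus q; this particular value is an assumption of the example

def P(cnf, xs):
    """Arithmetized CNF: x AND y -> x*y, NOT x -> 1-x, x OR y -> 1-(1-x)(1-y)."""
    val = 1
    for clause in cnf:                       # literal +i means x_i, -i means NOT x_i
        miss = 1                             # product of (1 - literal): 1 iff clause false
        for lit in clause:
            x = xs[abs(lit) - 1]
            miss = miss * ((1 - x) if lit > 0 else x) % Q
        val = val * (1 - miss) % Q
    return val

def f(cnf, m, prefix):
    """f_i(prefix): sum of P over all 0/1 settings of the remaining m - i variables."""
    tails = itertools.product((0, 1), repeat=m - len(prefix))
    return sum(P(cnf, prefix + list(t)) for t in tails) % Q

def evaluate(ys, r):
    """Lagrange-evaluate at r the polynomial with values ys[j] at points j = 0..d."""
    total = 0
    for j, yj in enumerate(ys):
        num = den = 1
        for k in range(len(ys)):
            if k != j:
                num, den = num * (r - k) % Q, den * (j - k) % Q
        total = (total + yj * num * pow(den, -1, Q)) % Q
    return total

def verify_count(cnf, m, k, rng, cheat=False):
    """Run the protocol on the claim 'cnf has exactly k satisfying assignments'."""
    d = sum(len(c) for c in cnf)             # safe per-variable degree bound for P
    claim, prefix = k % Q, []
    for _ in range(m):
        # Prover: the univariate z -> f_{i+1}(prefix, z), sent as d + 1 values.
        ys = [f(cnf, m, prefix + [z]) for z in range(d + 1)]
        if cheat:                            # forge the value at 0 to fit the claim
            ys[0] = (claim - ys[1]) % Q
        if (ys[0] + ys[1]) % Q != claim:     # f_i(..) = f_{i+1}(..,0) + f_{i+1}(..,1)
            return False
        r = rng.randrange(Q)                 # verifier's random field element
        claim, prefix = evaluate(ys, r), prefix + [r]
    return claim == P(cnf, prefix)           # verifier evaluates P itself at the end

# Constructed sample: (x1 OR x2) AND (NOT x1 OR x3) has 4 satisfying assignments.
CNF = [[1, 2], [-1, 3]]
```

With `cheat=True` the prover passes every sum check for a false k, and the lie is caught only by the final evaluation at the random point, which is where the d/q error bound per phase comes from.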
0),...,,(...),...,,(... 21}1,0{ }1,0{ }1,0{
2121
1 2
mx x x
mm xxxPTQBFxxxxxxm
• Now it is time to revise the last protocol for TQBF.
• We know that:
• At first glance it seems when we see instead of addition we use multiplication.
• But it may increase the size of the polynomial exponentially.
• So we use a clever idea to overcome this problem.
Linearization Operator R::
$R_{x_1} P(x_1, x_2, \dots, x_m) = (1 - x_1)\,P(0, x_2, \dots, x_m) + x_1\,P(1, x_2, \dots, x_m)$
• Now we use this operator for TQBF.
),...,,(...),...,,(... 21212112121 mmmm xxxxRxRxxRxxxxxxxx
Probabilistically Checkable Proofs (PCPs)
• Again, let's review the definition of the NP class.
$L \in NP \iff \exists V(\cdot,\cdot),\ \exists P(\cdot),\ \forall x$:
1. $x \in L \Rightarrow \exists y,\ |y| \le P(|x|)$ and $V(x, y)$ accepts.
2. $x \notin L \Rightarrow \forall y,\ |y| \le P(|x|)$ and $V(x, y)$ rejects.
• So, if the input string is a member of the language, the verifier can access all the bits of the polynomial size proof.
• What will happen if we restrict the verifier to access a subset of the proof but not all of it?
• It seems that in this case the verifier will lose its power. (Maybe)
• If we empower the verifier with randomization, what will happen?
• The answers to these questions will lead us to the PCP machine.
[Figure: Polynomial Time Randomized Verifier with input x; O(r(n)): length of random string; O(q(n)): the number of queries about the bits of the proof; Whole Proof.]
Definition:
PCP(r(n), q(n)) is the class of all languages accepted by an (r(n), q(n))-restricted verifier V in the following sense:
$x \in L \Rightarrow \exists y,\ \Pr[V^y(x) = 1] = 1$.
$x \notin L \Rightarrow \forall y,\ \Pr[V^y(x) = 1] \le \frac{1}{2}$.
Some Points:
1. We don't have any restriction on the size of the proof.
2. If the Verifier uses its history for the questioning, it is called adaptive, else nonadaptive.
Some Clear Facts:
$NP = PCP(0, Poly(n)) = \bigcup_{c > 0} PCP(0, n^c)$.
$CoRP = PCP(Poly(n), 0)$.
PCP Theorem::
$NP = PCP(\log n, 1)$
And this is one of the most important theorems that describes NP.
• Håstad proved a stronger result: NP equals PCP with O(log n) random bits and exactly 3 query bits.
• The PCP technique results in finding optimum bounds for NP-Hard optimization problems, such as MAX-3SAT and MAX-CLIQUE.
Conclusion
• In this talk I focused on the general ideas of IP and PCP.
• It seems that these results and techniques will have many things to say, especially in the area of complexity.
• In the future, we will see many wonderful results.
The END