Adapted from Oded Goldreich’s course lecture notes.

Post on 19-Dec-2015


Outline

– Proof systems: NP revisited.
– Interactive proofs
– The complexity class IP
– Example: An interactive proof for Graph Non-Isomorphism
– IP=PSPACE
– Public coins

Proof Systems: Back to NP

In order to understand the notion of Proof Systems, let us observe NP again.

In a way, the complexity class we will define and discuss later is a probabilistic analog of NP.

The languages in NP are those whose members all have short certificates of membership, which can be easily verified.

We can view this as follows:
– There is a mighty powerful Prover.
– The Prover needs to convince a Verifier that the input is indeed a member of the language.
– So it sends the Verifier a short (polynomial) certificate.
– The Verifier has limited resources: the verification of the certificate cannot take more than polynomial time.

We will demonstrate this process for 3SAT. We would like to check the membership of a given formula:

(x ∨ y ∨ z’) ∧ (x’ ∨ y’) ∧ z’

The prover must convince the verifier this formula is satisfiable, so it sends it an assignment, which supposedly satisfies the formula. It is not difficult for the mighty prover to find such, if such exists.

(x)=false, (y)=true, (z)=false

The verifier simply needs to check the truth value of the formula under the assignment it received in order to find out whether the prover was right. This merely takes polynomial time (polynomial in the number of variables).

Proof Systems: Requirements

Let us specifically define the properties of a Proof System:
– The verifier’s strategy is efficient
– Correctness Requirements:
  – Completeness: For a true assertion, there is a convincing proof strategy.
  – Soundness: For a false assertion, no proof strategy exists.

Make sure you understand why the proof system we presented for 3SAT satisfies these properties.

Interactive Proofs

We will introduce the notion of Interactive Proofs, which is a generalization of the concept of a Proof System we have already observed.

This generalization is obtained by adding two more features to the model:
– allowing a two-way dialog between the parties (interaction)
– allowing the verifier to toss coins (randomness).

An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact on a common input in a way satisfying the following properties:
– The verifier’s strategy is a probabilistic polynomial-time procedure.
– Correctness requirements:
  – Completeness: There exists a prover strategy P, such that for every x ∈ L, when interacting on a common input x, the prover P convinces the verifier with probability at least 2/3.
  – Soundness: For every x ∉ L, when interacting on the common input x, any prover strategy P* convinces the verifier with probability at most 1/3.

IP

The complexity class IP consists of all the languages having an interactive proof system.

The number of messages exchanged during the protocol between the two parties is called the number of rounds in the system.

For every integer function r(.), the complexity class IP(r(.)) consists of all the languages that have an interactive proof system, in which, on common input x, at most r(|x|) rounds are used.

For a set of integer functions R, we denote IP(R) = ∪_{r∈R} IP(r(.)).

IP: Observations

NP ⊆ IP

Since the verifier must run in polynomial-time, IP=IP(poly), where poly is the set of polynomial functions.

The definition of IP can be expanded to require Perfect Completeness (acceptance probability 1).

On the other hand, if we demand Perfect Soundness, the class will collapse to NP-proof systems.

Again, the constants 1/3 and 2/3 in the definition can be amplified to probabilities 1−2^(−p(.)) and 2^(−p(.)), for any polynomial p(.).

Would IP Retain Its Strength Even Without Either Interaction or Randomness?

If we omit randomness, IP collapses to NP-proof systems (Make sure you understand why).

If we omit the interaction between the parties, we get IP(1) (also denoted AM), which seems to be a randomized (perhaps stronger) version of NP.

Together these two features yield a very powerful complexity class. How powerful? This will be clarified later.

First, let us observe an example.

Isomorphism between Graphs

The graphs G1=(V1,E1) and G2=(V2,E2) are called isomorphic (denoted G1G2) if there exists a 1-1 and onto mapping : V1 → V2 such that (u,v) ∈ E1 iff ((u),(v)) ∈ E2.

A mapping between two isomorphic graphs is called an isomorphism between the graphs.

If no such mapping exists, the graphs are called non-isomorphic.

We define the language GNI as follows: GNI={(G1,G2): G1 and G2 are non-isomorphic}

We will use this language in order to demonstrate an interactive proof.

Isomorphic Graphs: Example

Take these two graphs. Although they seem very different, they are in fact isomorphic.

GNI: Motivation

This illustration shows us that GI is in NP (Why?).

Interestingly, it is not known whether it is NP-hard.

GNI, on the other hand, seems much harder (we need to check no isomorphism exists).

And indeed, it is not known whether GNI is in NP.

Thus it will be interesting to show that if two graphs are non-isomorphic, a Prover can convince a Verifier of this fact.

An Interactive Proof for GNI

Common Input: G1=({1,...,n},E1) and G2=({1,...,n},E2)

Make sure you understand why we could assume, without loss of generality, that V1=V2.

The Verifier chooses randomly i in {1,2} and a permutation of {1,...,n}.

Then it applies on the i-th graph to get: H=({1,...,n},{((u),(v)):(u,v) ∈ E})

And sends H to the Prover.

The Prover sends j ∈ {1,2} to the Verifier.

The Verifier accepts iff i=j.

An Interactive Proof for GNI: Simulation

[Animation labels: The common input, The Prover, The Verifier]

The verifier chooses one of the two graphs randomly.

The verifier constructs randomly a graph isomorphic to the graph it chose.

The verifier sends the prover the graph.

If the two input graphs are truly non-isomorphic, the prover can find which of the two graphs is isomorphic to the graph he received from the verifier, and send it the correct answer.

The verifier can check the answer easily (the verifier knows which graph was chosen).

The protocol is IP

Completeness: If G1 and G2 are non-isomorphic, the graph the verifier sends is isomorphic to only one out of the two graphs, thus the prover can always send the correct answer.

Soundness: If G1 and G2 are isomorphic, then, since the verifier chooses i randomly, the probability that j=i is ½. This can be increased to 2/3 by repeating the protocol sufficiently many times.
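The GNI protocol and its completeness and soundness behaviour can be run directly on small graphs. The following is an added example, not part of the original slides; the function names, the brute-force prover and the sample graphs are assumptions made for illustration.

```python
import itertools
import random

def graph(edge_list):
    """Undirected simple graph as a set of 2-element vertex sets."""
    return frozenset(frozenset(e) for e in edge_list)

def relabel(g, perm):
    """Rename every vertex v to perm[v]."""
    return frozenset(frozenset(perm[v] for v in e) for e in g)

def isomorphic(n, g, h):
    """Brute force over all n! relabellings: affordable only for the unbounded prover."""
    verts = range(1, n + 1)
    return any(relabel(g, dict(zip(verts, image))) == h
               for image in itertools.permutations(verts))

def verifier_challenge(n, g1, g2, rng):
    """Verifier: pick i in {1,2} and a random permutation, keep i secret, send H."""
    i = rng.choice((1, 2))
    image = list(range(1, n + 1))
    rng.shuffle(image)
    return i, relabel((g1, g2)[i - 1], dict(zip(range(1, n + 1), image)))

def prover_answer(n, g1, g2, h):
    """Prover: name the input graph H is isomorphic to. If H matches both
    inputs, H carries no information about i and any answer is a guess."""
    return 1 if isomorphic(n, g1, h) else 2

def acceptance_rate(n, g1, g2, rounds, seed=0):
    """Fraction of independent rounds in which the verifier sees j == i."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(rounds):
        i, h = verifier_challenge(n, g1, g2, rng)
        wins += prover_answer(n, g1, g2, h) == i
    return wins / rounds

# Constructed sample inputs on vertices {1,2,3,4}.
PATH = graph([(1, 2), (2, 3), (3, 4)])
STAR = graph([(1, 2), (1, 3), (1, 4)])      # not isomorphic to PATH
PATH_B = graph([(3, 1), (1, 4), (4, 2)])    # PATH with vertices renamed

if __name__ == "__main__":
    print("non-isomorphic pair:", acceptance_rate(4, PATH, STAR, 400))
    print("isomorphic pair:    ", acceptance_rate(4, PATH, PATH_B, 400))
```

On the non-isomorphic pair the prover is right in every round; on the isomorphic pair the rate settles near ½, matching the soundness argument.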

G3C

Common Input: A graph

[Figure: a graph on vertices 1, 2, 3, 4, 5]

Prover can color the graph using 3 colors.

Prover must keep the coloring secret.

G3C is in Zero-Knowledge

Construction (ZK IP for G3C):

Prover chooses a random color permutation.

Prover puts all the vertices’ colors inside envelopes.

And sends them to the verifier.

G3C is in ZK (cont.)

Verifier receives envelopes supposedly containing a legal 3-coloring of the graph.

Verifier chooses an edge at random.

And asks Prover to open the 2 envelopes.

G3C is in ZK (cont.)

Prover opens the envelopes, revealing the colors.

Verifier accepts if the colors are different.

Formally,

G = (V,E) is 3-colorable if there exists a mapping : V → {1,2,3} so that (u) ≠ (v) for every (u,v) ∈ E.

Let be a 3-coloring of G, and let be a permutation over {1,2,3} chosen randomly.

Define (v) = ((v)), a random 3-coloring.

Put each (v) in a box with v marked on it.

Send all the boxes to the verifier.

Formally, (cont.)

Verifier selects an edge e = (u,v) ∈_R E at random asking to inspect the colors.

Prover sends the keys to boxes u and v.

Verifier uses the keys to open the boxes.

If the Verifier finds 2 different colors from {1,2,3} - Accept.

Otherwise - Reject.

G3C (diagram)

[Diagram: P sends V the boxes 1, 2, ..., n holding (1), (2), ..., (n); V sends P the edge e = (u,v) ∈_R E; P sends V the keys key_u, key_v.]

The construction is in ZK:

Completeness: If G is 3-colorable and both P and V follow the rules, V accepts.

Soundness: Suppose G is not 3-colorable and P* tries to cheat. Then at least one edge (u,v) will be monochromatic: (u) = (v). V hence picks a bad edge with probability 1/|E|, which can be increased to 2/3 by repeating the protocol sufficiently many times.
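The box-and-key rounds described above can be run as code. This is an added example, not part of the original slides: SHA-256 commitments under random keys stand in for the locked boxes, and the function names, the sample graphs and the cheating coloring are assumptions made for illustration.

```python
import hashlib
import random
import secrets

def seal(color, key):
    """The locked box: a SHA-256 commitment to one colour under a random key."""
    return hashlib.sha256(key + bytes([color])).digest()

def prover_commit(coloring, rng):
    """Permute the three colours at random, then box every vertex's colour."""
    perm = dict(zip((1, 2, 3), rng.sample((1, 2, 3), 3)))
    secret = {v: (perm[c], secrets.token_bytes(16)) for v, c in coloring.items()}
    boxes = {v: seal(color, key) for v, (color, key) in secret.items()}
    return boxes, secret            # boxes go to the verifier, secret stays home

def verifier_check(boxes, u, v, open_u, open_v):
    """Open boxes u and v with the keys received; accept iff both openings
    match the boxes and show two different colours from {1,2,3}."""
    for vertex, (color, key) in ((u, open_u), (v, open_v)):
        if color not in (1, 2, 3) or seal(color, key) != boxes[vertex]:
            return False
    return open_u[0] != open_v[0]

def run_round(edges, coloring, rng):
    """One execution: commit, random edge challenge, open, check."""
    boxes, secret = prover_commit(coloring, rng)
    u, v = rng.choice(edges)
    return verifier_check(boxes, u, v, secret[u], secret[v])

def accepts(edges, coloring, rounds, rng):
    """Verifier accepts only if every one of the independent rounds passes."""
    return all(run_round(edges, coloring, rng) for _ in range(rounds))

# Constructed samples: a 3-colourable graph with a legal colouring, and K4
# (not 3-colourable) with a cheating colouring whose edge (1,4) is monochromatic.
GOOD_EDGES = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 1), (1, 3)]
GOOD_COLORING = {1: 1, 2: 2, 3: 3, 4: 1, 5: 2}
K4_EDGES = [(1, 2), (1, 3), (1, 4), (2, 3), (2, 4), (3, 4)]
CHEAT_COLORING = {1: 1, 2: 2, 3: 3, 4: 1}

if __name__ == "__main__":
    rng = random.Random(1)
    print("honest prover, 100 rounds:  ", accepts(GOOD_EDGES, GOOD_COLORING, 100, rng))
    print("cheating prover, 1 round:   ", accepts(K4_EDGES, CHEAT_COLORING, 1, rng))
    print("cheating prover, 100 rounds:", accepts(K4_EDGES, CHEAT_COLORING, 100, rng))
```

A single round catches this cheating prover only when the verifier happens to pick edge (1,4), so the per-round escape rate is about 5/6; requiring all of many independent rounds to pass drives it toward zero.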