Interactive Proof Systems Interactive Proof Systems and An Introduction to and An Introduction to

PCPPCP

Interactive Proof Systems Interactive Proof Systems and An Introduction to and An Introduction to

PCPPCPM. Reza Rahimi,M. Reza Rahimi,

Sharif University of Technology,Sharif University of Technology,Tehran, Iran.Tehran, Iran.

2

Outline

• Introduction• Another Way to Look at NP• Interactive Proof Systems (IP)• Arthur-Merlin Proof Systems (AM)• IP=PSPACE• Probabilistically Checkable Proofs (PCPs)• Conclusion

3

Introduction

• One of the most important events in the complexity theory is Interactive Proof Systems.

• It sheds light on the characteristic of some complexity classes.

• It has also influenced on some practical areas such as Cryptography and Algorithm Design.

• Before presentation of technical points, let’s start with the source of its main idea and its philosophy.

4

Any Physical Process Any Physical Process in Universein Universe

• Computation is basically a physical fact. This is the origin of Church-Turing-Markov thesis, which implies that:

A Partial function is computable (A Partial function is computable (in any accepted in any accepted

informal senseinformal sense) if and only if it is computable by some ) if and only if it is computable by some binary Turing machine.binary Turing machine.

Turing Machine Turing Machine ProgramProgram

5

• So in this view point, efficient solvingSo in this view point, efficient solving of a special problem needs its efficient model of computation.efficient model of computation.

• Let’s see what happens in human society.human society.• Men communicateMen communicate through languages with each

other. • Consider the following set.

,....

,

,...},,,,{A,

know} that wesymbols all|{

English

Farsi

x

6

• Remember your childhood. When you was curious and want to underestand something. What did you do?

Child::(Verifier) Dad::(Prover)

1. Daddy, Can I play with fire?

2. No.

3. Why?

4. Because You may be burnt.

5. What will happen, if I burn?

6. You will go to hospital and Dr injects you.

Ok!Ok!

7

• Let’s model this process according to our knowledge.

• So, Interaction is one of the instinctive ways that human being solves its problems.

• It is called Social Computational Model.Social Computational Model.• We will show that in another way NP, IP,…, are

abstract models of this model of computation.

? T xT, x::Query

good." is fire with Playing " x::Input

,T

universe}. in the statements trueAll |{xT

8

Social Computational Models.Social Computational Models.

IP, NP, AM, MA,MIP, IP, NP, AM, MA,MIP, PCP,…. Computational Models.PCP,…. Computational Models.

9

• In society we have some general strategies to interact with People.

1. We start from general questionsfrom general questions to detailed questionsdetailed questions.

2. If we want to ask all the questions it will be very time consuming so we select some select some questions.questions.

We will use these techniques for our mathematical protocols.

10

Another Way to Look at NP

• We know the following definition about NP:

• We can look at this process like this:

rejects. y)V(x, and )xP(y y, L x2.

accepts. y)V(x, and )xP(y y, L x1.

, x P(.), P, V(.,.) NPL

Prover Verifier

x x

y

11

• For prover we don’t consider any limit in time or space or computation power.

• But verifier is deterministic polynomial time machine.

• In this model of computation NP is defined like this:

• So NP is single message interaction. What will happen if we

– Allow multiple rounds of interactions,– Verifier can be randomized polynomial time

machine?

Verifier. convince ostrategy t no hasProver L x2.

Verifier. convince ostrategy t a hasProver L x1.

,x V, Verifier) Time l(Polynomia Prover, NP L

12

• NP+ Multiple Round Interaction:

• According to the above it is obvious that

NP=NP+Multiple Round of Interaction.NP=NP+Multiple Round of Interaction.• NP+ Randomized Polynomial Time Verifier:

Prover Verifier

x x

Y1Y2

Y3

Yn

Y1Y2Y3…YnY1Y2Y3…Yn

ProverRandomized

Polynomial TimeVerifier

x x

y

13

• The languages recognized by the previous model are in class MA.

Conjecture: MA=NP.Conjecture: MA=NP.• So, It seems that only using one feature will

not make NP machine stronger. What will What will happen whenhappen when we add both features?we add both features?

• This machine will lead us to the Interactive Proof Systems.

ProverRandomized

Polynomial TimeVerifier

x x

Y1Y1Y2Y2Y3Y3

YnYn

14

Interactive Proof Systems (IP)

• IP Model:

ProverPolynomial

Time Verifier

xx

xx

Random StringRandom String

q1q1a1a1q2q2

aiai

OK or NOOK or NO

15

• IP Class Definition:

• Note that Prover can not see the random string of verifier, so Verifier has Private Coin.Verifier has Private Coin.

• Round of Interaction r(n) =Round of Interaction r(n) =The total number of messages exchanged.

• IP[K]::K round of interaction.

.3

1ok PVPr P L x2.

.3

2ok PVPr P L x1.

x TM, Time Polynomial ticProbabilis V

IPL

16

• Example: Graph Non-Isomorphism

• It is obvious that ISO є NP so NONISO є CO-NP.• But we don’t know if it is NP-Complete or not.

These two are very important in complexity theory.

We know that it is in IP.We know that it is in IP.

It is proved that if ISO It is proved that if ISO єє NP-Complete then NP-Complete then PH collapsesPH collapses..

graphs. isomorphicnot are G and G , 2121 GGNONISO

graphs. isomorphic are G and G , 2121 GGISO

17

Protocol: Private-Coin Graph Non-Isomorphism

No. else ji if Yes

verifier.index to its send n.permutatio of source the wasGor G ofh that whicShow

P. toH Send H.it callgraph

newget toG of vertices thepermuteRandomly randomly.uniformly 1,2 iPick

21

i

V

P

V

2

1Yes PVPr

1Yes PVPr

NONISOx

NONISOx

18

Arthur-Merlin Proof Systems (AM)

• AM Model:

Merlin

ArthurPolynomial

Time Verifier

xx

xx

Random StringRandom String

q1q1a1a1q2q2

aiai

OK or NOOK or NO

.),...,,,,,(

No.or Yes,),...,,,,,(

),((Messages Exchanged ofNumber

),(( String Random

),((,

211

1211

ii

ii

ii

aqqaqxRM

qaqaqxRA

xPolyO

xPolyO

xPolyOaq

19

• AM Class Definition:

• Note that Prover can see the random string of verifier, so Verifier has Public Coin.Verifier has Public Coin.

• Round of Interaction r(n) =Round of Interaction r(n) =The total number of messages exchanged.

• AM[K]=K round of interaction.AM[K]=K round of interaction.

.3

1ok MAPr M, L2.x

.3

2ok MAPr M,L1.x

x TM, Time Polynomial ticProbabilisA AML

20

• It seems that the pervious protocol doesn’t work for this machine.

• If Merlin can see random bits he always answers correctly.

• But it is proved that NONISO є AM[2].

Theorem:: (Goldwasser, Sipser)Theorem:: (Goldwasser, Sipser)

NONISO NONISO єє AM[2]. AM[2].

21

Some Results About IP and AM Relation

1. IP[K] AM[k+2] for all Constants k.2. For constant k 2 we have AM[K]=AM[2].

3. So we can move all of Arthur’s messages to beginning of interaction:

AMAMAM…AM = AAMMAM…AM… = AAA…AMMM…M

22

IP PSPACE• Proof Idea:

– Given any Verifier V , We will compute Given any Verifier V , We will compute aa using using PolynomialPolynomial

Space machine.Space machine.

OkPVPrmax V ,* P

ax

IP=PSPACE ( Shamir’s Theorem)

• We describe it in two phase.

23

PSPACE IP

.111

1

),...,,( ),...,,(

Domain Polynomial Domain Boolean

2121

-y)-x)(-(yx

x x

x.y yx

xxxPxxx mm

ArithmetizationArithmetization:

The usefulness of this technique is that we can extractextract more more property property from boolean expressions.

• We need only to design an IP protocol for TQBF.

• Before presentation of this protocol Lets review some basic concepts.

24

. of Assignment ofNumber

),...,,(...

.1),...,,(1),...,,(

.0),...,,(0),...,,(

21}1,0{ }1,0{ }1,0{

2121

2121

1 2

k

kxxxP

xxxPxxx

xxxPxxx

mx x x

mm

mm

m

LemmaLemma:

321321

321321

321

321

321

321321

))1)(1(1(

.))1)(1(1(),,(

))1)(1(1(

))1(1)))(1)(1(1(1(1(

)1())1)(1(1(

),,(

xxxxxx

xxxxxxP

xxx

xxx

xxx

xxxxxx

ExampleExample:

25

• To catch general idea of the TQBF protocol lets review a protocol for following language.

. #

::

}.sassignment satisfyingk exactly with formula-cnf a is :,{#

IPSAT

Theorem

kSAT

Main Idea :• Lets investigate the problem intuitively.

26

• Think that we are Verifier and want to know that if is true or not.

• We usually start from General questionsfrom General questions to detailed questionsdetailed questions..

• If the prover is trustfulprover is trustful he/she will answer all the questions correctly.

• If not we will catchwill catch him/her with detailed questions.

• Lets review some basic definition.

SATx

27

).1,,...,,()0,,...,,(),...,,(

:

. ::()

).,(),(

).1,()0,(),()(

).1,1()0,1()1,0()0,0(),(()

),(),(

:

.,...,,

),...,,(...),...,,(

),...,,(),...,,(

21121121

0

21212

11}1,0{

2111

}1,0{ }1,0{210

2121

21

}1,0{ }1,0{ }1,0{2121

2121

2

1 2

1 2

iiiiii

x

x x

i

x x xmii

mm

xxxfxxxfxxxf

haveweGeneralIn

assignmentsatisfyingofNumberf

xxPxxf

xPxPxxPxf

PPPPxxPf

xxPxx

Example

xxxisinputwhenassignmentsatisfyingofNumber

xxxPxxxf

xxxPxxx

i i m

28

Prover Verifier

29

• It is obvious that the foregoing Protocol is very large ( exponential message size).

• So we must use randomnessrandomness for shorteningshortening the messages and protocol.

• In each phase, the message will be doubled. So In each phase, the message will be doubled. So we must reduce this phase.we must reduce this phase.

30

Prover Verifier

31

SATx #

Proof Idea:

• If then trusted prover always answer correctly.

• Else devoius prover can cheat verifier with low probability in each phase. It means that:

nii

n

q

dff

2}Pr{

32

0),...,,(...),...,,(... 21}1,0{ }1,0{ }1,0{

2121

1 2

mx x x

mm xxxPTQBFxxxxxxm

• Now it is the time to revise the last protocol for TQBF.

• We know that:

• At first glance it seems when we see instead of addition we use multiplication.

• But it may increase the size of the polynomial exponentially.

33

• So, we use clever idea for overcoming this problem.

)x,...,x)P(1,(x)x,...,xP(0,)1()x,...,x,P(xRx

::ROperator ion Linearizat

m21m21m211 x

• Now we use this operator for TQBF.

),...,,(...),...,,(... 21212112121 mmmm xxxxRxRxxRxxxxxxxx

34

Probabilistically Checkable Proofs (PCPs)

• Again, lets review the definition of NP class.

rejects. y)V(x, and )xP(y y, L x2.

accepts. y)V(x, and )xP(y y, L x1.

, x P(.), P, V(.,.) NPL

• So, if the input string is the member of language, verifier can access the whole whole bitsbits of the polynomial size proof.

35

• What will happen if we restrict the verifier to access the subset of the proof but not all of it?

• It seems that in this case the verifier will lose its power. (Maybe)

• If we empower the verifier with randomization what will happen?

• The answers of these questions will lead The answers of these questions will lead us to PCP machine.us to PCP machine.

36

Polynomial TimePolynomial TimeRandomized Randomized

VerifierVerifier

xx

O(r(n)) :Length O(r(n)) :Length Of random stringOf random string

O(q(n)): The number of query O(q(n)): The number of query about the bits of the proof.about the bits of the proof.

Whole ProofWhole Proof

37

.2

11](x)Pr[V y,L x

1.1](x)Pr[V y,L x

:sense

following in the V verifier restricted-q(n))(r(n),an by

accepted languages all of class theis q(n))PCP(r(n),

:Definition

y

y

Some Points:1. We don’t have any restrictionrestriction on the size of

the proof.2. If the Verifier uses its history for the

questioning, it is called adaptiveadaptive else nonadaptive.nonadaptive.

38

),0).PCP(Poly(nCoRP

).nPCP(0,Poly(n))PCP(0,NP0c

c

Some Clear Facts:

n,1) PCP(LogNP

::Theorem PCP

And this is one of the most important theorems that describes NP.

39

• Hastaad Hastaad proved Stronger result : NP Equals NP Equals PCP with O(logn) random bits and Exactly PCP with O(logn) random bits and Exactly 3 query bits.3 query bits.

• PCP technique resaults into finding optimum band for NP-Hard optimization problems, such as MAX-3SAT and MAX-CLIQUE.

40

• In this talk I focused on general ideas of IP and PCP.

• It seems that these results and techniques will have many things to say, especially in the area of complexity.

• In future, we would see many wonderful results.

The ENDThe END

Conclusion