Computational Complexity Theory, Fall 2010
10 November
Lecture 18: IP=PSPACE. Arthur-Merlin Games
Lecturer: Kristoffer Arnsfelt Hansen
Scribe: Andreas Hummelshøj J
Update:
Last time, we were looking at M OD3 ◦M OD2 . We mentioned that AN D required size 2Ω(n) M OD3 ◦
M OD2 circuits. We also mentioned, as being open, whether N EXP ⊆ (nonuniform)M OD2 ◦
M OD3 ◦ M OD2 . Since 9/11-2010, this is no longer open.
Definition 1 ACC 0 = class of languages:
ACC 0 = ∪m>2 ACC 0 [m],
where AC 0 [m] = class of languages computed by depth O(1) size nO(1) circuits with AN D-, ORand M ODm -gates.
This is in fact in many ways a natural class of languages, like AC 0 and N C 1 .
Theorem 2 N EXP * (nonuniform)ACC 0 .
New open problem:
Is EXP ⊆ (nonuniform)M OD2 ◦ M OD3 ◦ M OD2 ?
Recap:
We defined arithmetization A(φ) of a 3-SAT formula φ:
A(xi ) = xi ,
A(xi ) = 1 − xi ,
3
Y
A(l1 ∨ l2 ∨ l3 ) = 1 −
(1 − A(li )),
i=1
A(c1 ∧ · · · ∧ cm ) =
m
Y
A(cj ).
j=1
]φ =
1
X
x1 =0
···
1
X
xn =0
1
P (x1 , . . . , xn ), P = A(φ).
Sumcheck:
Given g(x1 , . . . , xn ), K and prime number p, decide if
1
X
···
x1 =0
1
X
g(x1 , . . . , xn ) ≡ K
(mod p).
xn =0
True Quantified Boolean Formulae:
Given φ ≡ ∃x1 ∀x2 . . . ∀xn φ0 (x1 , . . . , xn ), where φ0 is a 3SAT formula, decide if φ is true.
Observation:
φ true ⇔
P1
x1 =0
Q1
x2 =0
P
x3
···
Q1
x1 =0 P (x1 , . . . , xn )
> 0, P = A(φ0 ).
Protocol:
P
Can’t we just do it analogous to Sumcheck? Id est:Qremove
outermost
Q1 , P sends polynomial
P1
1
S, V checks if S(0) + S(1) ≡ K, asks P to prove x2 =0 x3 =0 · · · xn =0 P (a) ≡ S(a), where
a ∈ {0, 1, . . . , p − 1} is chosen uniformly at random.
Problem:
n
deg S may be as large as (3m) 2 .
Solution:
Linearise. Let P (x1 , . . . , xn ) be a polynomial. Define
Li P (x1 , . . . , xn ) = xi P (x1 , . . . , xi−1 , 1, xi+1 , . . . , xn ) + (1 − xi )P (x1 , . . . , xi−1 , 0, xi+1 , . . . , xn ).
Lemma 3 For all x ∈ {0, 1}n we have:
P (x1 , . . . , xn ) = L1 L2 . . . Ln P (x1 , . . . , xn ).
Don’t show
PQ
P
P (x1 , . . . , xn ) ≡ K. Instead, show
X Y
X
X
L1
L1 L2
L1 L2 L3 · · ·
L1 L2 . . . Ln P (x1 , . . . , xn ) ≡ K
x1
···
x2
x3
Protocol:
(Modification of Sumcheck)
Start:
n
P
2n such that p P sends
L . . . P (x), and also K (we intend that we should
P prime p ∈ 2 + 1, 2
have
L . . . P (x) ≡ K (mod p)).
The protocol
P Q now proceed as the sumcheck protocol by in each round of communication stripping
of one of , , or Li .
2
P
:
P
P must prove 1xi =0 L1 . . . P (a1 , . . . , ai−1 , xi , . . . , xn ) ≡ k. P sends polynomium S(xi ) (NB: degree
at most 1) to V . V checks S(0) + S(1) ≡ K or rejects. V chooses a ∈ {0, 1, . . . , p − 1} uniformly
at random and asks P to show that L1 . . . Ln P (a1 , . . . , ai−1 , a, xi+1 , . . . , xn ) ≡ S(a).
Q
:
Q
P must prove 1xi =0 L1 . . . P (a1 , . . . , ai−1 , xi , . . . , xn ) ≡ K. P sends polynomium S(xi ) (NB: degree
at most 1) to V . V checks S(0)S(1) ≡ k or rejects. V chooses a ∈ {0, 1, . . . , p − 1} uniformly at
random and asks P to show that L1 . . . Ln P (a1 , . . . , ai−1 , a, xi+1 , . . . , xn ) ≡ S(a).
L:
P must prove Li Li+1 . . . P (a1 , . . . , ak , xk+1 , . . . , xn ) ≡ K, where 1 ≤ i ≤ k, for some k. P sends
polynomial S(xi ) (NB: degree at most 2, except at the end with Ln P (x1 , . . . xn ), where the degree is
at most 3m) to V . V verifies that ai S(1)+(1−ai )S(0) ≡ K or rejects. V chooses a ∈ {0, . . . , p − 1}
uniformly at random and asks P to prove Li+1 . . . P (a1 , . . . , ai−1 , a, ai+1 , . . . , ak , xk+1 , . . . , xn ) ≡
S(a).
The analysis of the protocol is analogous to the analysis of the sumcheck protocol.
Completeness:
We have completeness 1, since if x ∈ L we will always accept if the prover follows the protocol
specified.
Soundness:
If the verifier accepts, when x ∈
/ L, then there is some round where the prover must prove a wrong
statement, but in the next round we ask him to prove a correct statement. For a given round, this
happens with probability at most 3m
p (since a nonzero polynomial of degree at most 3m has at most
3m roots in GF(p).) Thus taking a union bound over the number of rounds (≤ n2 ), the total error
is at most n2 3m
p by union bound. This is exponentially small, since p is exponentially large,
Remarks:
• We have completeness is 1. Thus all interactive protocols can in principle be converted to
protocols with completeness 1.
• All messages from V are just the random bits which have been flipped since last round of
communication.
Next we are going to explore interactive proofs that have this last property, but using only a
constant number of rounds of communication.
3
Arthur-Merlin proof:
AM [k] = class of languages computed by interactive protocols, where V ’s messages are the random
bits V has flipped since last communication, and total number of messages between P and V is at
most k.
Further, we denote AM [2] simply by AM .
Theorem 4 Graph Non-Isomorphism ∈ AM .
Proof Let G1 , G2 be graphs with vertices {1, . . . , n}.
Define S := {(H, π)|[H ∼
= G1 or H ∼
= G2 ] and π(H) = H}.
Lemma 5 If G1 ∼
= G2 then |S| = n!, if G1 G2 then |S| = 2(n!).
Goldwasser-Sipser Set lower protocol:
Given S ⊆ {0, 1}n , where we can verify that “x ∈ S” efficiently given a certificate, and given a
number K. P is supposed to prove that |S| ≥ K. The protocol will ensure, that if |S| ≥ K, V
accepts with probability at least 23 . Otherwise, V accepts with probablity < 13 .
Protocol:
Choose k such that
2k
4
≤K≤
2k
2 ,
and a family of pair-wise independent hash-functions Hm,k .
• V: Pick y ∈ {0, 1}k and h ∈ Hm,k uniformly at random and send to P .
• P: Try to find x such that h(x) = y, send x and proof that x ∈ S.
• V: Accept ⇔ h(x) = y.
(Repeat these 3 steps in parallel to use succes amplification to get desired error.)
For the analysis we need the following lemma.
k
Lemma 6 Let S ⊆ {0, 1}m , |S| ≤ 22 .
Then 34 |S|
≤ P rh,y [∃x ∈ S : h(x) = y] ≤
2k
|S|
.
2k
Proof For the inequality on the right we simply have |h(S) ≤ |S|| ⇒ P r[∃x ∈ S : h(x) = y] ≤
For the inequality on the left, we can in fact fix y. Then:
P rh [∃x ∈ S : h(x) = y] = P rh [∪x∈S {h(x) = y}]
X
1
≥
P rh [h(x) = y] −
2
x∈S
1
1 |S|(|S| − 1)
−
2
2k
22k
|S|
|S| − 1 1
= k (1 −
)
2 2k
2
|S|
2k /2 1
)
≥ k (1 −
2 2k
2
3 |S|
=
.
4 2k
= |S|
4
X
x6=x0 ,∈S
P rh [h(x) = y ∧ h(x0 ) = y]
|S|
.
2k
where in the first inequality we used inclusion-exclusion to bound the probability of the union of
events.
We can now analyse the acceptance probability of the protocol.
If |S| ≥ K, V accepts with probability at least 34 |S|
≥ 34 2Kk . If |S| ≤
2k
|S|
2k
1K
2 2k .
3K
4 2k
K
2, V
1K
2 2k to
probability at most
≤
We can now utilize the gap between
and
of independent trials in parallel and obtain completeness 2/3 and soundness 1/3.
5
accepts with
run a number