PSPACE  IP
Proshanto Mukherji
CSC 486
April 23, 2001
Overview


Definitions
Proof





Arithmetization
The protocol
Soundness and Completeness
Related results
Summary
Definitions(1): IP
Interactive Proof Systems

Two components:


Verifier: polynomial time-bounded probabilistic oracle TM
Prover: deterministic TM with unlimited computational power
VERIFIER
question
QUERY TAPE
answer
PROVER
Definitions(1): IP
Soundness and Completeness
A language L has an interactive proof system, and is in IP, if there exists a
verifier V (recall that a verifier must be polynomial time-bounded) such
that, x  * ,
1. Completeness:
If x  L , there exists some prover, such that V accepts x with probability
greater than
3
4
, when interacting with that prover, AND
2. Soundness:
If x  L , there is no prover P such that the probability of V accepting
through interactions with P attains or exceeds 1
4
x
Definitions(2): PSPACE
PSPACE   SPACE[n ]
k
k
P  PH  PSPACE
But we still don’t know whether
P  PSPACE
Overview


Definitions
Proof





Arithmetization
The Protocol
Soundness and Completeness
Related results
Summary
Proof
Setting it up



Let L be an arbitrary language in PSPACE
Let D be the corresponding PSPACE machine
Assume that:
 D has M states, Q  {q1 , q2 ,..., qM }
 D’s alphabet has N symbols,   {a1 , a2 ,..., a N }
 D’s tape usage is bound by the polynomial p
 D has exactly one accepting configuration for any given
length of input
r (| x|)
 If D accepts x, it does so in exactly
steps
2
Arithmetization


Transform a computational problem to
one of evaluating a polynomial
Let b, c {0,1}
NOT (b)  1  b
AND(b, c)  b  c
b
c
0
0
1
1
b.c
0
1
0
1
b
0
0
0
1
(1-b)
0
1
1
0
Arithmetization


Transform a computational problem to
one of evaluating a polynomial
Let b, c {0,1}
OR (b, c)  b  c  b  c EQ(b, c)  2b  c  b  c  1
b
c
0
0
1
1
0
1
0
1
(b+c)-b.c
0-0=0
1-0=1
1-0=1
2-1=1
b
c
0
0
1
1
0
1
0
1
2b.c-b-c+1
1
0
0
1
Arithmetization
1, if exactly one yi  1
UNIQ[k ]( y1 , y2 ,..., yk )  
0, otherwise
UNIQ[k ]( y1 , y2 ,..., yk )  (at most one yi  1)  (at least one yi  1)
UNIQ[k ]( y1 , y2 ,..., yk )   ( NOT ( AND( yi , y j )))  NOT (  NOT ( yi ))
1i  j  k
UNIQ[k ]( y1 , y2 ,..., yk ) 
1i  k
 (1  y
1i  j  k
i
y j )  (1   (1  yi ))
1i  k
Arithmetization
Configurations of D on x

Define:
1, if the current state is qi
i  1,..., M , stt[i ]  
0, otherwise
1, the head is at the i th position
i  1,..., p(| x |), pos[i]  
0, otherwise
i  1,..., p (| x |), j  1,..., N ,
th

1, the symbol at the i tape location is a j
sym[i, j ]  

0, otherwise
s(| x |)  no. of variables necessary to characteri ze a state of D on x
s(| x |)  M  ( N  1) p(| x |)
Arithmetization
What is a “legal” configuration?
UNIQ[ p(| x |)]( pos[1], pos[2],..., pos[ p(| x |)])
A legal configuration of D on x is one in which:
1. The machine is in precisely one state q  Q
2.
The tape head is at precisely one position hp  {1,..., p (| x |)}
3.
For every 1  i  p (| x |) , there is exactly one 1  j  N such that:
Symbol a j is stored at tape position i
p (| x|)
UNIQ[ N ]( sym[i,1], sym[i,2],..., sym[i, N ])
i 1
UNIQ[ M ]( stt[1], stt[2],..., stt[ M ])
Arithmetization
What is a “legal” configuration?

Define:
LCONF (C ) 
AND(UNIQ[ M ]( sttC [1], sttC [2],..., sttC [ M ]),
AND(UNIQ[ p (| x |)]( posC [1], posC [2],..., posC [ p (| x |)]),
p (| x|)
UNIQ[ N ]( sym
C
i 1
[i,1], symC [i,2],..., symC [i, N ])))
Arithmetization
Transitions of D on x

Let:
  (Q  )  (Q   {1,0,1})
be the transitio n function of D
(( q, a ), (q ' , a ' , d ))   means that, if the current state of D is q, and
the symbol under the tape head is a, then D overwrites the a with the
symbol a', enters state q', and moves the head d spaces right
Arithmetization
What is a “legal” transition?
A legal transition
i , )
O (
 N , of D, where   (( j , k ), (l , m, d ))  
and i is the position of the head in O, is one in which:
1. O is a legal configuration
AND( LCONF (O), LCONF ( N ))
2. N is a legal configuration
3. The position of the head changes appropriately
4. The state changes appropriately
5. The newly-written symbol appears in the correct tape cell
6. The only tape position whose contents changes is the one just written to
}
AND( posO [i ], pos N [i  d ]) 
AND( sttO [ j ], stt N [l ]) 
AND( symO [i, k ], sym N [i, m] 

 EQ( sym
1t  p (| x|), t  i 1u  N
O
[t , u ], sym N [t , u ])
Arithmetization
What is a “legal” transition?

So, set
LTRANS (O, N , (i, )) 
AND( LCONF (O), LCONF ( N )) 
AND( posO [i ], pos N [i  d ]) 
AND( sttO [ j ], stt N [l ]) 
AND( symO [i, k ], sym N [i, m] 

 EQ( sym
1 t  p (| x|), t  i 1 u  N
O
[t , u ], sym N [t , u ])
Arithmetization
Reachability

Now we define a polynomial that captures whether, if
D is in configuration O, it is possible to reach
configuration N in one step
1, if O  N in D
Ro (O, N )  
0, otherwise
Ro (O, N ) 
 LTRANS (O, N , (i, ))
( i , )({1,... p (| x|)} )
Arithmetization
Multi-step Reachability

And recursively extend this to get a set of
polynomials that capture whether it is possible to get
from O to N in 2k steps, for any k  {1,..., r (| x |)}
2

N in D
1, if O 
k  {1,..., r (| x |)}, Rk (O, N )  

0, otherwise
k
Arithmetization
Multi-step Reachability
2

N in D
1, if O 
k  {1,..., r (| x |)}, Rk (O, N )  

0, otherwise
k
Recall:
If:
Configuration A
2 k steps
Configuration B
Arithmetization
Multi-step Reachability
2

N in D
1, if O 
k  {1,..., r (| x |)}, Rk (O, N )  

0, otherwise
k
Recall:
Then:
Configuration A
2 k 1 steps
2 k 1 steps
Configuration C
Configuration B
Arithmetization
Multi-step Reachability
2

N in D
1, if O 
k  {1,..., r (| x |)}, Rk (O, N )  

0, otherwise
k
Recall:
k  {1,..., r (| x |)},
Rk (O, N ) 

 1 {0 ,1}
...
R
k 1
 s (| x|) {0 ,1}
(O,  1 ,...,  s (| x|) )  Rk 1 ( 1 ,...,  s (| x|) , N )
O
2k 1 steps

2k 1 steps
N
Arithmetization

So, let Cini be the (unique) initial
configuration, and Cfin the (unique) final
configuration of D on input x. Then
x   , x  L  [ Rr (| x|) (Cini , C fin )  1]
*
Arithmetization (recap)
Rk
exactly one true
AND
reachability (2k steps)
R0
reachability (1 step)
LTRANS
legal transition
LCONF
legal configuration
UNIQ
EQ
NOT
OR
equal
Arithmetization
Key Point


All these polynomials have been discussed for cases
where each variable is binary, but may be
evaluated over any field
Their values at points outside {0,1} may not preserve
their “key properties”
e.g. EQ(5,5)  2(25)  5  5  1  41
Overview


Definitions
Proof





Arithmetization
The Protocol
Soundness and Completeness
Related results
Summary
The Protocol
Preliminaries

Define:
k  {1,..., r (| x |)}, l  {1,..., s (| x |)},
 ,   Z s (| x|) ,   ( 1 ,...,  l 1 )  Z l 1
 Rk 1 ( , ( 1 ,...,  l 1 , y , el 1 ,..., es (| x|) )) 
G[ k , l ,  ,  ,  ]( y )   ...  

el 1{0 ,1} es (| x|) {0 ,1} 
 Rk 1 (( 1 ,...,  l 1 , y , el 1 ,..., es (| x|) ),  ) 
 Rk 1 ( , ( 1 ,...,  l 1 , el ,..., es (| x|) )) 
G'[k , l  1, ,  ,  ]   ...  

el {0 ,1} es (| x|) {0 ,1} 
 Rk 1 (( 1 ,...,  l 1 , el ,..., es (| x|) ),  ) 
k {1,..., r (| x |)},  ,  ,   Z s (| x|) ,
H [k , ,  ,  ]( y)  Rk 1 ((   ) y   , (    ) y   )
The Protocol
Preliminaries
Therefore:
G '[k , l ,  ,  ,  ]  G[k , l  1,  ,  ,  ](0)  G[k , l  1,  ,  ,  ](1)

G '[ k , l ,  ,  , {   l }]  G[k , l ,  ,  ,  ]( l )
G '[ k ,0,  ,  ,  ]  Rk ( ,  )
(no constraint on )
G '[k , s (| x |),  ,  ,  ]  Rk 1 ( ,  )  Rk 1 ( ,  )
H [ k ,  ,  ,  ]( 0)  Rk 1 ( ,  )
H [k ,  ,  ,  ](1)  Rk 1 ( ,  )
The Protocol
1. Get a prime number Q  [2 m (| x|) ,2 2 m (| x|) ] from the prover, where
Set v r(|x|),0 = 1,  =Cini, =Cfin .
2. For k=r(|x|) downto 1
(a) For l=1,…,s(|x|)
(i)
Get polynomial
g  Z Q [ y ] , which the
G[ k , l ,  ,  ,  1 ... l 1 ]( y ) (mod Q )
m ( n )  r ( n )( 2 p ( n )  4 )( s ( n )  1)  3 .
prover claims is
(ii)
Test whether vk ,l 1  g (0)  g (1) (mod Q ) . If not, reject x.
(iii)
Choose  l  Z Q at random. Set vk ,l  g ( l ) (mod Q )
(b) Let   ( 1 ,...,  s (| x|) ) . Get polynomial h  Z Q [ y ] , which the prover clams
H [ k ,  ,  ,  ]( y ) (mod Q )
is
. If vk ,s (| x|)  h(0)  h(1) , reject x.
  (   ) r     (    ) r  
r  ZQ
v
 h( r ) mod Q
(c) Choose
at random. Set k 1,0
. Set
,
.
3. Test whether
v0 , 0  R0 ( ,  ) (mod Q )
. If so, accept x, else reject x.
Overview


Definitions
Proof





Arithmetization
The Protocol
Soundness and Completeness
Related results
Summary
Soundness and Completeness
Proof Key
If, for any k , l in the execution of the algorithm,
the value of vk ,l becomes G '[k , l , ,  ,  1 ,...,  l ],
then it is possible for the prover to produce replies
that force the protocol to accept wit h probabilit y 1.
Soundness and Completeness
Completeness
Recall: Completeness means that, if x is in L, there is at least one prover
that causes the protocol to accept with probability > .75
If x  L , then G '[r (| x |),0, C , C ,  ]  1 . That means that v  G '[r (| x |),0, ,  ,  ] .
Now consider the prover that always returns the “correct” polynomial, when it is asked for
one. That is, for every iteration of the inner loop, it returns the true polynomial
G[ k , l ,  ,  ,  ... ]( y ) , and at every iteration of the outer loop, it returns the “correct” polynomial
H [ k ,  ,  ,  ]( y ) .
Now, every time the value of v is updated in the inner loop, it is updated to g ( ) for some
randomly selected  . Thus v  G '[k , l , ,  ,  ... ] .
Every time the value of v is updated in the outer loop, it is set to v  h(r ) (mod Q ) , for
some randomly selected r. But now that equals G ' [ k  1,0,  ' ,  ' ,  ] , where  '  (   ) r   ,
 '  (    )r  
. Thus, we can repeat the argument again.
Thus, when the program reaches Step 3, the test will pass, and V will accept x with
probability 1.
ini
1
fin
r (| x|), 0
l 1
k ,l
k ,l
l
k 1, 0
l
1
l
k 1, 0
Soundness and Completeness
Key Lemma
Let R be a ring without zero-divisors. Let d  1 be an integer such that, if the
multiplicative group of R is finite, then its order is greater than d. Let f and g be
polynomials in R[x] of degree at most d, such that f  g. Then f(r) = g(r) for at
most d points r of R.
Proof:
Let h( x)  f ( x)  g ( x) .
Then h is a non-zero polynomial of degree e  d. Let a be a coefficient of x e in h(x).
Now, there is no zero-divisor in R, so h' ( x)  h( x) is defined.
a
The, for every r  R , f (r )  g (r ) iff h' (r )  0 .
But now h' cannot have more than d roots in R.
Hence Proved.
Soundness and Completeness
Soundness
Recall: Soundness means that, if x is not in L, there is no prover that
causes the protocol to accept with probability  .25
If x  L , then G '[r (| x |),0, C , C ,  ]  0 . That means that v  G '[r (| x |),0, ,  ,  ] .
Now, the only way that this inconsistency can be eliminated before the program reaches Step 3
(which will cause the verifier to reject x) is for, at some point, the value of v to equal
G ' [ k , l ,  ,  ,  ... ] . What is the probability that this occurs?
At each iteration the program cannot possibly return the “correct” polynomial (either for g or
h), or the tests in lines 2(a)-ii or 2(b) will fail. Thus it must return some other polynomial.
But the probability that any of these “incorrect" polynomials evaluate to the same value as the
degree of polynomial
“correct” polynomial is
. Thus, the probability of this happening at any
Q
ini
fin
r (| x|), 0
k ,l
1
iteration is
fooled.
l
(2p(| x |)  4)r(| x |)(s(| x |)  1) 1
 ,
Q
8
since
Q  2 m (| x|)
, which is the probability that the verifier is
Overview


Definitions
Proof





Arithmetization
The Protocol
Soundness and Completeness
Related results
Summary
Related Results

IP  PSPACE

MIP = NEXP
Overview


Definitions
Proof





Arithmetization
The Protocol
Soundness and Completeness
Related results
Summary
Summary
Here’s how we proved it



Choose an arbitrary language in PSPACE, let
D be a PSPACE machine that decides it
Get a polynomial that, on binary inputs,
describes the “essential behavior” of D
Evaluate that at numerous points randomly
picked from a large finite field, and use that
to bound the probability of erroneous
acceptance
Finis
(that’s all, folks)