Interactive Proofs
Nabil Mustafa
Computational Complexity

A Counting Problem
#SAT
Given $\varphi = C_1 \wedge \dots \wedge C_m$ in $n$ variables $x_1, \dots, x_n$, define $\#\varphi$: the number of satisfying assignments for $\varphi$.
Given an integer $K$, is $\#\varphi(x_1, \dots, x_n) = K$?
Clearly harder than 3SAT and $\overline{\text{3SAT}}$
In fact, it seems one has to enumerate all assignments
Belongs to a class of counting problems (AB, Chapter 9)
  - For example, how many independent sets of size $k$ are there in $G$?
  - How many Hamiltonian paths exist in $G$?
We show that #SAT has an interactive proof
Derive optimization version in polynomial time: binary search

#SAT ∈ IP
Claim: #SAT ∈ IP
Given $\varphi = C_1 \wedge \dots \wedge C_m$, and integer $K$
Actually, the same proof as for 3SAT works
Instead of checking $g(0) + g(1) = 0$, check $g(0) + g(1) = K$
One problem: the arithmetization is incorrect now
Recall $\Phi$: $x_i \to x_i$, $\overline{x}_i \to (1 - x_i)$, $\vee \to +$, $\wedge \to \cdot$
Claim: For $x_i = a_i$, $\Phi(a_1, \dots, a_n) = 0$ iff the $a_i$ don't satisfy $\varphi$.
$$\#\varphi(x_1, \dots, x_n) = 0 \iff \sum_{x_1 = 0,1} \sum_{x_2 = 0,1} \cdots \sum_{x_n = 0,1} \Phi(x_1, \dots, x_n) = 0$$
$$\#\varphi(x_1, \dots, x_n) = K \iff \sum_{x_1 = 0,1} \sum_{x_2 = 0,1} \cdots \sum_{x_n = 0,1} \Phi(x_1, \dots, x_n) = K$$
Incorrect. Why?

Another Arithmetization
$$\#\varphi(x_1, \dots, x_n) = K \iff \sum_{x_1 = 0,1} \sum_{x_2 = 0,1} \cdots \sum_{x_n = 0,1} \Phi(x_1, \dots, x_n) = K$$
Need Claim: For $x_i = a_i$, $\Phi(a_1, \dots, a_n) = 1$ iff the $a_i$ satisfy $\varphi$.
For the current arithmetization, this is not true. For each assignment $a_i$ satisfying $\varphi$, $\Phi$ could be as high as $3^m$!
New arithmetization so $\Phi(a_1, \dots, a_n) = 1$ iff the $a_i$ satisfy $\varphi$
New mappings: $x_i \to (1 - x_i)$, $\overline{x}_i \to x_i$, $\wedge \to \cdot$
Clause $(\overline{x}_i \vee x_j \vee \overline{x}_k) \to 1 - (x_i)(1 - x_j)(x_k)$
Each clause $C$ maps to a degree-3 polynomial $\Phi(C)$
$\Phi(x_1, \dots, x_n)$: product of polynomials $\Phi(C)$ for all clauses $C$
Claim: For $x_i = a_i$, $\Phi(a_1, \dots, a_n) = 1$ iff the $a_i$ satisfy $\varphi$.
  - Each clause $\Phi(C_i)$ is 1 iff $C_i$ is satisfied

Now Same Proof Works As For 3SAT
Verifier: What is $h(X)$?
Prover: Returns a univariate polynomial $g(X)$
Verifier: If $g(0) + g(1) \neq K$, ‘reject’
Verifier suspects Prover is lying and $g(X) \neq h(X)$
Verifier: Pick random integer $a_1 \in \{0, \dots, q\}$. What is $h(a_1, X)$?
Claim: With prob. $\geq (1 - m/q)$, $h(a_1) \neq g(a_1)$
With prob. $\geq (1 - m/q)$, $a_1$ is not a root of $h(X) - g(X)$
Prover: Returns a univariate polynomial $g(a_1, X)$
Verifier: Rejects if $g(a_1, 0) + g(a_1, 1) \neq g(a_1)$
Claim: If $h(a_1) \neq g(a_1)$, then $g(a_1, X) \neq h(a_1, X)$
Know that $g(a_1, 0) + g(a_1, 1) = g(a_1) \neq h(a_1)$
$g(a_1, 0) + g(a_1, 1) \neq h(a_1)$, where $h(\cdot)$ is correct.
And continue on. When a constant number of variables is left, compute $h(\cdot)$ and compare with $g(\cdot)$ to find out whether the Prover is lying.

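The two arithmetizations and the #SAT protocol from the slides above, as an added Python example that is not part of the original deck. Assumptions: the modulus `Q`, the DIMACS-style clause encoding, sending g as its values at 0..m, running all n rounds before the final direct evaluation, and every function name; each variable occurs at most once per clause, so every g has degree at most m.

```python
import random
from itertools import product

Q = 2**61 - 1  # prime modulus, an assumption here; the slides only call it q

def phi(clauses, a, old=False):
    """Arithmetized formula at point a (a[i-1] is x_i), reduced mod Q.
    Clauses are lists of DIMACS-style literals: 3 is x_3, -3 is its negation."""
    out = 1
    for clause in clauses:
        if old:  # earlier mapping: x -> x, not-x -> 1 - x, OR -> +
            term = sum(a[abs(lit) - 1] if lit > 0 else 1 - a[abs(lit) - 1] for lit in clause)
        else:    # new mapping: x -> 1 - x, not-x -> x, clause -> 1 - product
            falsified = 1
            for lit in clause:
                falsified *= (1 - a[abs(lit) - 1]) if lit > 0 else a[abs(lit) - 1]
            term = 1 - falsified
        out = out * term % Q
    return out

def cube_sum(clauses, n, old=False):
    """Sum of the arithmetized formula over all 2^n Boolean assignments."""
    return sum(phi(clauses, list(t), old) for t in product((0, 1), repeat=n)) % Q

def partial_sum(clauses, n, prefix, x):
    """h(prefix, x): fix the leading variables, sum the rest over {0,1}."""
    rest = n - len(prefix) - 1
    return sum(phi(clauses, prefix + [x] + list(t))
               for t in product((0, 1), repeat=rest)) % Q

def interpolate(ys, a):
    """Evaluate at a the polynomial taking value ys[j] at j = 0..len(ys)-1."""
    total = 0
    for j, yj in enumerate(ys):
        num = den = 1
        for k in range(len(ys)):
            if k != j:
                num, den = num * (a - k) % Q, den * (j - k) % Q
        total = (total + yj * num * pow(den, -1, Q)) % Q
    return total

def honest_prover(clauses, n, prefix, claim):
    """Sends the true h as its values at 0..m (degree in each variable <= m)."""
    return [partial_sum(clauses, n, prefix, x) for x in range(len(clauses) + 1)]

def shifting_prover(clauses, n, prefix, claim):
    """Lying prover: adds a constant to h so g(0) + g(1) equals the running claim."""
    h = honest_prover(clauses, n, prefix, claim)
    delta = (claim - h[0] - h[1]) * pow(2, -1, Q) % Q
    return [(y + delta) % Q for y in h]

def verify(clauses, n, K, prover):
    """Verifier side; returns True iff it accepts the claim #phi = K."""
    claim, prefix = K % Q, []
    for _ in range(n):
        g = prover(clauses, n, prefix, claim)
        if (g[0] + g[1]) % Q != claim:
            return False
        a = random.randrange(Q)          # random challenge a_i
        claim = interpolate(g, a)        # next round must sum to g(a_i)
        prefix.append(a)
    return claim == phi(clauses, prefix)  # no variables left: evaluate directly

# Constructed sample: (x1 or x2 or not-x3) and (not-x1 or x2 or x3), 6 models.
SAMPLE = [[1, 2, -3], [-1, 2, 3]]
```

On `SAMPLE`, `cube_sum` gives the true count under the new mapping and an overcount under the old one, which answers the "Incorrect. Why?" slide. `shifting_prover` passes every per-round sum check and is caught only by the final evaluation of Φ at the random point.
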
QBF
GNI has a 2-round IP
3SAT has an n-round IP
#SAT has an n-round IP
Now show PSPACE-complete QBF has an $O(n^2)$-round IP
This implies that PSPACE ⊆ IP
Conversely, it can be shown that IP ⊆ PSPACE

IP for QBF
Given: $\forall x_1 \exists x_2 \cdots \forall x_{n-1} \exists x_n \; \varphi(x_1, \dots, x_n)$
Same protocol as before works, almost, except one problem
Arithmetize the formula $\varphi \to \Phi$ as before
Then deciding satisfiability of QBF is equivalent to:
$$\forall x_1 \cdots \exists x_n \, \varphi(x_1, \dots, x_n) \iff \prod_{x_1 = 0,1} \cdots \prod_{x_{n-1} = 0,1} \sum_{x_n = 0,1} \Phi(x_1, \dots, x_n) > 0$$
Carry the protocol just like before
In the i-th round, say eliminating variable $x_i$ in $\forall x_i$
Then Verifier has to check $g(0) \cdot g(1) = 0$, instead of addition

IP for QBF
Unfortunately, there is one problem: degree of polynomial
Claim: With each ∀ quantifier, degree of $x_i$ could double
After $n/2$ ∀’s, the polynomial $h(X)$ could have degree $2^{n/2}$
  - Then the Prover cannot transfer $2^{n/2}$ coefficients to Verifier
Solution: If $x_i \in \{0, 1\}$, then $x_i^k = x_i$
So, for example, $x_1^5 x_2^2 + 4 x_1^2 x_2^6 + 7 x_2^5 x_3^2 = 5 x_1 x_2 + 7 x_2 x_3$
Formulate degree-reduction as an arithmetic operator $R_{x_i}$:
$$R_{x_i} P(x_1, \dots, x_n) = x_i \, P(x_1, \dots, x_{i-1}, 1, x_{i+1}, \dots, x_n) + (1 - x_i) \, P(x_1, \dots, x_{i-1}, 0, x_{i+1}, \dots, x_n)$$
$R_{x_i}$ reduces the degree of $x_i$ to 1 anywhere in the formula
$$\prod_{x_1 = 0,1} R_{x_1} \sum_{x_2 = 0,1} R_{x_1} R_{x_2} \prod_{x_3 = 0,1} \cdots \sum_{x_n = 0,1} R_{x_1} \dots R_{x_n} \, \Phi(x_1, \dots, x_n)$$

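The degree-reduction operator and the degree doubling it prevents, as an added Python example that is not part of the original deck. Assumptions: polynomials are stored as exponent-tuple dictionaries over the integers (no modulus), variables are 0-based, and all function names and the input `x1 + x2 + x3` in `degree_growth` are constructed for illustration.

```python
from collections import defaultdict

# A polynomial is a dict {exponent tuple: integer coefficient}.

def _clean(terms):
    return {e: c for e, c in terms.items() if c}

def substitute(p, i, val):
    """Fix variable i (0-based) to val in {0, 1}; its exponent drops to 0."""
    out = defaultdict(int)
    for exps, c in p.items():
        if val == 1 or exps[i] == 0:      # at val = 0 every term with x_i vanishes
            out[exps[:i] + (0,) + exps[i + 1:]] += c
    return _clean(out)

def multiply(p, q):
    out = defaultdict(int)
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            out[tuple(x + y for x, y in zip(e1, e2))] += c1 * c2
    return _clean(out)

def add(p, q):
    out = defaultdict(int, p)
    for e, c in q.items():
        out[e] += c
    return _clean(out)

def reduce_degree(p, i, nvars):
    """R_{x_i} P = x_i * P[x_i = 1] + (1 - x_i) * P[x_i = 0]."""
    unit = tuple(int(j == i) for j in range(nvars))
    x_i, one_minus_x_i = {unit: 1}, {(0,) * nvars: 1, unit: -1}
    return add(multiply(x_i, substitute(p, i, 1)),
               multiply(one_minus_x_i, substitute(p, i, 0)))

def forall(p, i):
    """Product operator for a universal quantifier: P[x_i = 0] * P[x_i = 1]."""
    return multiply(substitute(p, i, 0), substitute(p, i, 1))

def degree(p, i):
    return max((e[i] for e in p), default=0)

def slide_example():
    """x1^5 x2^2 + 4 x1^2 x2^6 + 7 x2^5 x3^2 with R applied to every variable."""
    p = {(5, 2, 0): 1, (2, 6, 0): 4, (0, 5, 2): 7}
    for i in range(3):
        p = reduce_degree(p, i, 3)
    return p

def degree_growth(linearize):
    """Degree of x1 after 'forall x3' and then 'forall x2' on x1 + x2 + x3
    (a constructed input), with or without R_{x1} after each quantifier."""
    p, seen = {(1, 0, 0): 1, (0, 1, 0): 1, (0, 0, 1): 1}, []
    for i in (2, 1):
        p = forall(p, i)
        if linearize:
            p = reduce_degree(p, 0, 3)
        seen.append(degree(p, 0))
    return seen
```

`slide_example()` reproduces the slide's identity, returning the polynomial 5·x1·x2 + 7·x2·x3. `degree_growth(False)` shows the degree of x1 doubling with each ∀, while `degree_growth(True)` keeps it at 1.
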
IP for QBF
Given the new arithmetization, each variable has degree 1
There are $O(n^2)$ ‘operators’ $\sum$, $\prod$ and $R$
In each round, check consistency of operators with previous answers
Each round eliminates one operator
We evaluate polynomial in each round at a random $a_i$
With high probability, follow the correct path if Prover lying
  - Same analysis as for 3SAT