Complexity
24-1
Interactive Proofs
Complexity
Andrei Bulatov
Complexity
24-2
Interactive Proofs
Prover
Verifier
Has unlimited computational
power
Can perform polynomial time
computations
Wants to convince Verifier
in something
Accepts or rejects after
performing some computation
They can exchange messages
Complexity
Formal Model
Prover and Verifier are represented by functions:
Verifier (V)
Input:
an input string, w
a random string, r
message history m1 # m2 ## mi
Output: A message, that is a string mi 1, or accept or reject
Prover (P)
Input:
an input string, w
message history m1 # m2 ## mi
Output: A message, that is a string mi 1
24-3
Complexity
A Prover’s move is the message
P( w, m1 ## mi )  mi1 for odd i
A Verifier’s move is the message
V ( w, r, m1 ## mi )  mi1 for even i
We write (V  P)( w, r )  accept if for some k mk  accept and
(V  P)( w, r )  reject if for some k mk  reject
We assume that the length of messages, the length of r, and k are
bounded with a polynomial p(|w|)
Finally, we denote
Pr[V  P accepts w]  Pr[(V  P)( w, r)  accept]
Pr[V  P rejects w]  Pr[(V  P)( w, r )  reject ]
where r is a random string of length p(|w|)
24-4
Complexity
The Class IP
Definition
A language L belongs to IP if some polynomial time function V
and arbitrary function P exist, such that for every function R and
string w
2
• w  L implies Pr[V  P accepts w] 
3
• w  L implies Pr[V  R accepts w]  1
3
24-5
Complexity
Examples
Graph Non-Isomorphism
Instance: Graphs G and H.
Question: Are G and H non-isomorphic?
#SAT
Instance: A formula  in CNF and a number k
Question: Is it true that  has exactly k satisfying assignments?
Theorem
#SAT  IP
24-6
Complexity
24-7
Proof
Given a formula  and a number k. Let X 1 , X 2 ,, X n be the variables
of 
The first stage is “arithmetization” of :
We construct a polynomial
1
f ( x1 , x2 ,, xn )  
0
f ( x1 , x2 ,, xn )
such that
if ( X 1 , X 2 ,, X n ) is true
otherwise
Complexity
Arithmetization
By induction
• for X define the corresponding polynomial to be x
• for X define the corresponding polynomial to be 1 – x
• for    with corresponding polynomials g and h, define
the corresponding polynomial to be gh (the product)
• for  with corresponding polynomial g, define
the corresponding polynomial to be 1 – g
• for    with corresponding polynomials g and h, define
the corresponding polynomial to be 1 – (1 – g)(1 – h)
24-8
Complexity
Protocol
Let f ( x1 , x2 ,, xn ) be the result of arithmetization of 
Then
 f ( x1 , x2 ,, xn )
# SAT 
x1 , x2 ,, xn{0 ,1}
The protocol will go in n rounds
On every round, we will construct from an equality
k
 g ( x1 , x2 ,, xn )
x1 , x2 ,, xn{0 ,1}
an equality of the form
k' 
 g ' ( x 2 ,, x n )
x2 ,, xn{0 ,1}
24-9
Complexity
24-10
The property we are trying to achieve is
k   g ( x1 , x2 ,, xn )
if and only if
k '   g ' ( x 2 , , x n )
If this is possible, starting off with
 f ( x1 , x2 ,, xn )
k
x1 , x2 ,, xn{0 ,1}
after n rounds we get an equality
k''  a
which is easy to verify
The last equality is true if and only if the first one is true
Complexity
Randomness
Unfortunately, the condition above is impossible to achieve
Instead, we use a probabilistic one
• If k   g ( x1 , x2 ,, xn ) was true before this round, then
k '   g ' ( x2 ,, xn ) is true after this round with probability 1
• If k   g ( x1 , x2 ,, xn ) was false before the this round, then
k '   g ' ( x2 ,, xn ) is false after this round with probability 1– 
24-11
Complexity
24-12
Thus, after n rounds
• We get an equality of the form k ' '  a that can be easily checked
• If we started off with a correct equality, then after n rounds
we have a correct equality with probability 1
• If we started off with an incorrect equality, then after n rounds
the probability that we end up with a correct equality is the probability
that the error was made in one of the n rounds, which is at most n.
Thus, with probability at least 1 – n, we will have an incorrect equality
We need to organize every round such that
1
n 
3
1

3n
Complexity
24-13
Round
Having the equality k 
 g ( x1 , x2 ,, xn )
x1 , x2 ,, xn{0 ,1}
• Verifier sends to Prover the polynomial g
• Prover returns the polynomial h( x1 ) 
 g ( x1 , x2 ,, xn )
x2 ,, xn{0 ,1}
or what he pretends this polynomial is
• Verifier checks if the degree of h is not higher than that of g
• Verifier checks if h(0)  h(1)  k
• Verifier randomly chooses a number r, such that 0  r  3mn2
where m is the number of clauses in , and replace the original
equality with
h( r ) 
 g ( r , x 2 , , x n )
x2 ,, xn{0 ,1}
Complexity
Analysis
• If the original equality is true then Prover should behave honestly,
that is return actual coefficients of h(x). Then
- The degree of h is not higher than that of g
- h(0) + h(1) = k
- For any r, h( r ) 
 g ( r , x 2 , , x n )
x2 ,, xn{0 ,1}
24-14
Complexity
24-15
• If the original equation is not true then consider two cases
- if Prover is honest that is he returns the actual coefficients of h, then
h(0) + h(1)  k
- if Prover is dishonest that is he returns some polynomial p(x) such
that the degree of p is not higher than that of g and
p(0) + p(1) = k
In this case g and h are different. Therefore their values can be
equal for at most d = max{deg(g), deg(h)} values of x.
The probability that
p( r )  h( r ) 
 g ( r , x 2 , , x n )
x2 ,, xn{0 ,1}
for a randomly chosen 0  r  3mn
2
d
is  
3mn2
Complexity
Note that the degree of f is at most mn. Therefore
d
mn
1



3mn 2 3mn 2 3n
24-16
Complexity
IP = PSPACE
Theorem
IP = PSPACE
Proof.
IP  PSPACE
If we consider Prover’s messages as nondeterministic guesses, then we get
IP  NPSPACE
Then, by Savitch’s theorem
IP  NPSPACE = PSPACE
24-17
Complexity
PSPACE  IP
It is sufficient to show that some PSPACE-complete problem belongs to IP
Quantified Boolean Formula
Instance: A quantified Boolean formula
  (Q1 X 1 )(Q2 X 2 )(Qn X n ) ( X 1 , X 2 ,, X n )
where each X l is a Boolean variable, ( X 1 , X 2 ,, X n )
is a Boolean expression involving X 1 , X 2 ,, X n and
each Ql is a quantifier ( or ).
Question: Is  logically valid ?
24-18
Complexity
24-19
Arithmetization
Given a formula   (Q1 X 1 )(Q2 X 2 )(Qn X n ) ( X 1 , X 2 ,, X n )
Let f n ( x1 , , x n ) be the arithmetization of 
Then define polynomials
1
f i ( x1 , x2 ,, xi )  
0
if (Qi 1 X i 1 )(Qn X n )(  |X1 x1 ,, X i  xi ) is true
otherwise
by setting
Qi   :
f i ( x1 ,, xi )  f i1 ( x1 ,, xi ,0)  f i1 ( x1 ,, xi ,1)
Qi   :
f i ( x1 ,, xi )  1  (1  f i1 ( x1 ,, xi ,0))  (1  f i1 ( x1 ,, xi ,1))
Clearly,  is true if and only if f 0 ( )  1
Complexity
24-20
Reducing degree
Since the degree of f 0 may be exponential, we need to reduce it. Replace  with
'  (Q1 X 1 )( R X 1 )(Q2 X 2 )( R X 1 )( R X 2 )(Qn X n )( R X 1 )( R X n )
( X 1 , X 2 ,, X n )
or
  ( S1Y1 )( S2Y2 )( SkYk ) ( X 1 , X 2 ,, X n )
where Si {, , R} and Yi {X 1 ,, X n }
We define gi as follows:
gk ( x1 ,, xn )  f n ( x1 ,, xn )
Si   :
gi ()  gi1 (,0)  gi1 (,1)
Si   :
gi ()  1  (1  gi1 (,0))  (1  gi 1 (,1))
Si  R :
gi (, x)  (1  x)  gi1 (,0)  x  gi1 (,1)
Complexity
24-21
Properties of the new polynomials
then gi (, x)  gi1 (, x)
when x {0,1}
•
If Si  R
•
(1  x)  gi 1 (,0)  x  gi1 (,1) is linear in x
•
Therefore if Si {, } then gi 1 is a linear polynomial
Complexity
24-22
Protocol
Step 0.
P  V:
Prover sends g0 () to Verifier
Verifier checks if g0 ()  1 and reject if not
Step i.
P  V:
Prover sends gi ( r1 ,, z ) as a polynomial in z. Here r1 ,
denotes the previously selected random values for variables
Verifier computes gi ( r1 ,,0) and gi ( r1 ,,1) . Then it checks the degree
of the polynomial and that
or
gi ( r1 ,,0)  gi ( r1 ,,1)
if S  
gi 1 ( r1 ,)  
1  (1  g ( r ,,0))  (1  g ( r ,,1)) if S  

i 1
i 1
gi 1 (r1 ,, r )  (1  r )  gi (r1 ,,0)  r  gi (r1 ,,1)
If either fails, Verifier rejects
V  P:
Verifier picks a random value and sends it to Prover
Complexity
Step k + 1.
Verifier checks if f n ( r1 ,, rn )  gk ( r1 ,, rn )
If yes then Verifier accept, if not rejects
24-23