
Interactive Protocols


selma

Presentation Transcript


  1. Interactive Protocols

  2. Back to NP L NP iff members have short, efficiently checkable certificates of membership. Is  satisfiable?

  3. Interactive Protocols Two new ingredients: • Several rounds • Randomness

  4. Interactive Proofs Formally An Interactive Proof System for L is a game: probabilistic polynomial-time verifier vs. unlimited prover. • Completeness: There is a prover strategy P, s.t. for xL, P convinces V with probability ≥ ⅔. • Soundness: For xL, any prover strategy P* convinces V with probability ⅓.

  5. The Players A verifier is a polynomial function: input, random-string, past-interaction → reply. A prover is a function: input, past-interaction → reply. (Past-interaction: all previous prover and verifier replies.)

  6. Example: Graph Non-Isomorphism • Input: Two graphs G=(V,E), G’=(V’,E’). • Question: For every 1-1 map f of V onto V’, do there exist v,uV s.t. (v,u)E but (f(v),f(u))E’ (or (v,u)E but (f(v),f(u))E’)?

  7. Are They Isomorphic?

  8. IP for Non-Isomorphism [Figure: verifier and prover, with the two graphs as common input.] • V chooses one of the graphs at random. • V sends P an isomorphic graph. • P answers which graph was chosen.

  9. Correctness • Completeness: non-isomorphic graphs ⇒ P can check which is isomorphic to the sent one. • Soundness: isomorphic graphs ⇒ both isomorphic to the sent one. P succeeds with probability ½.
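
The protocol of slides 8 and 9, simulated as an added example (not part of the original slides): the verifier sends a randomly relabelled copy of a randomly chosen graph, and the computationally unlimited prover brute-forces isomorphism to say which graph it came from. The 4-vertex graphs, function names and seed are constructed for the illustration.

```python
import itertools
import random

def graph(edge_list):
    """Undirected graph as a frozenset of sorted vertex pairs."""
    return frozenset(tuple(sorted(e)) for e in edge_list)

def relabel(g, perm):
    """Apply the vertex permutation perm to every edge of g."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in g)

def isomorphic(g, h, n):
    """Brute force over all n! maps: affordable only for an unlimited prover."""
    return any(relabel(g, p) == h for p in itertools.permutations(range(n)))

def prover(g0, g1, h, n):
    """Answer which input graph h is a copy of (0 whenever g0 matches)."""
    return 0 if isomorphic(g0, h, n) else 1

def verifier_round(g0, g1, n, rng):
    """One round: private coin i, private relabelling, accept iff P names i."""
    i = rng.randrange(2)
    perm = list(range(n))
    rng.shuffle(perm)
    h = relabel((g0, g1)[i], perm)
    return prover(g0, g1, h, n) == i

def acceptance_rate(g0, g1, n, rounds, seed=0):
    rng = random.Random(seed)
    return sum(verifier_round(g0, g1, n, rng) for _ in range(rounds)) / rounds

# Constructed sample inputs on 4 vertices.
N = 4
PATH = graph([(0, 1), (1, 2), (2, 3)])
STAR = graph([(0, 1), (0, 2), (0, 3)])    # not isomorphic to PATH
PATH2 = graph([(2, 0), (0, 3), (3, 1)])   # PATH with its vertices renamed

if __name__ == "__main__":
    print("non-isomorphic pair:", acceptance_rate(PATH, STAR, N, 200))
    print("isomorphic pair    :", acceptance_rate(PATH, PATH2, N, 400))
```

On the isomorphic pair the sent graph matches both inputs, so the prover's answer is independent of the verifier's coin and the acceptance rate settles near ½.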

  10. IP • Definition: IP is the class of all languages having interactive protocols with a polynomial number of rounds.

  11. Easy Claims • Claim: NP IP. • Proof’s Idea: Every NP proof is also an IP proof. • Claim: If L IP, and it has a verifier that does not flip coins, then L NP. • Proof’s Idea: P would provide the answers to all of V’s questions in advance.

  12. Amplification • Observation: The constants ⅓ and ⅔ in the definition can be amplified to probabilities 1-2^(-p(.)) and 2^(-p(.)), for any polynomial p(.). • Proof’s Sketch: Given a protocol which is correct with probability ⅔, repeat it p(.) times independently. Apply Chernoff’s inequality.

  13. Arthur-Merlin Games The prover (M for Merlin) is a function of the random string of the verifier (A for Arthur) as well. Define AM/MA – according to who gets to start. …

  14. Easy Claim • Claim: AM IP. • Proof’s Idea: If A is convinced when he assumes M is that powerful, he is surely convinced when M is only less powerful.

  15. The Graph Non-Isomorphism Example Revisited • Is the graph non-isomorphism protocol also an AM protocol? • No! M knows which graph was chosen! Is there an AM protocol for this language?

  16. IP and AM Theorem (without proof): IP=AM, i.e., knowing the random string essentially does not increase M’s power.

  17. IP=PSPACE [Shamir90] given a verifier, construct an optimal prover using poly-space  IP PSPACE  show the PSPACE-complete TQBF is in IP

  18. Optimal Prover [Figure: game tree over the rounds, alternating the possible verifier coin tosses (which define the verifier’s reply) with the best prover reply.] Find recursively the prover reply most probable to result in acceptance.

  19. Poly-Space Is Sufficient for the Prover • Claim: IP PSPACE • Proof: Given a verifier, the optimal strategy for the prover may be computed in poly-space. [as described above]

  20. TQBF x1x2x3 (x10  (x2>0  (|x3|<x2  |sinx3/x3-1|<x1)) • Instance: A quantified Boolean formula =x1x2…xm[(x1,…,xm)] • Goal: Is  true?

  21. TQBF and PSPACE Claim (without proof): TQBF is PSPACE-Complete.

  22. The Proof: Evaluation Tree [Figure: binary evaluation tree; the root is the full quantified formula, each level branches on x1=0 / x1=1, then on x2, and so on, down to the leaves (0,0,…,0), (0,0,…,1), (0,0,…,1,0), (0,0,…,1,1), …] I can’t scan the entire tree!

  23. IP for TQBF • We’ll show the verifier may be convinced (with reasonable confidence) even without scanning the entire (exponential) proof specified by the prover.

  24. First Idea • Represent the QBF by a polynomial.

  25. Arithmization P(x,y,z)=xyz+yz-xy+1 Q(x,y,z)=xy+xz-y x (x) (0)(1) (0)(1) x (x) 0 F 1 T xi xi  1-    1-(1-)(1-)

  26. Polynomials: Basic Facts • Claim: A polynomial of degree ≤ r on d variables over a field F may have ≤ r|F|^(d-1) roots, unless it is identically zero. • Corollary: Two polynomials of degree ≤ r on d variables over a field F may agree on ≤ r|F|^(d-1) places, unless they agree everywhere.

  27. Polynomials: Basic Facts • Corollary: Two different polynomials of degree ≤r over a field F agree on a random point with probability ≤r/|F|.

  28. Low Degree Extension We can evaluate on a larger field! [Figure: the levels P1(), P2(x1), P3(x1,x2), …, Pm(x1,…,xm).]

  29. How To Convince? Check a random path! [Figure: the levels P1(), P2(x1), P3(x1,x2), …, Pm(x1,…,xm).]

  30. How To Convince? [Figure: the path P1(), P2(x1), P3(x1,x2), …, Pm(x1,…,xm), with random points r1, r2, … chosen along it.] • Verify P1() is 1. • Verify P2(x1) could have resulted in P1(). • Verify P3(r1,x2) could have resulted in P2(r1). • … • Verify Pm(r1,…,rm-1,xm) could have resulted in Pm-1(r1,…,rm-1). • Check Pm(r1,…,rm).

  31. Example • What would an honest prover do, given the formula: x1x2 (x1x2)? [Figure: evaluation path with the honest prover’s polynomials. Top level (verify this is 1): 0∙1 = 0. Next level: 1-(1-x1∙0)(1-x1∙1) = x1. Bottom level: x1x2.]

  32. Example • What might a (dishonest) prover do, given the formula: x1x2 (x1x2)? [Figure: evaluation path with a dishonest prover’s claims and the random points 1 and 5. Top level (verify this is 1): 1∙1 = 1. Verify P2(x1)=1 could have resulted in P1(). Verify P3(1,x2)=x2 could have resulted in P2(1): 1-(1-0)(1-1) = 1. Check P3(1,5).]

  33. Correctness • Completeness: If the formula is true, the prover may compute the true polynomials, and the verifier will always accept. • Soundness: What if the formula is not true?

  34. If The Formula Is False… [Figure: the path P1(), P2(x1), P3(x1,x2), …, Pm(x1,…,xm).] • If P1() is not 1, we immediately reject. • If the last polynomial is not the real Pm(x1,…,xm), we also immediately reject. • If we nevertheless accept, we get fooled somewhere!

  35. Soundness • The probability we get fooled at some specific level (the two different polynomials agree on a random point) is ≤ r/|F|, where r bounds the polynomials’ degrees. • The probability we get fooled somewhere down the path is ≤ mr/|F| [union-bound] • |F| can be made polynomially large in m.
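
The random-path check of slides 30 to 35, run over every possible pair of verifier coins, as an added example that is not part of the original slides. It assumes the example formula is "for all x1 there exists x2 with x1 AND x2" (matching the arithmetic 0∙1 = 0 and 1-(1-x1∙0)(1-x1∙1) = x1 on slide 31), uses the constructed field size 101, and omits the auxiliary quantifier of slide 37 because the degrees here are already 1; all function names are illustrative.

```python
P = 101  # size of the prime field F (constructed for this example)

def ev(coeffs, x):
    """Evaluate a univariate polynomial (low-order coefficient first) mod P."""
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

def combine(q, a, b):
    """Arithmetized quantifier over x in {0,1}: 'A' -> a*b, 'E' -> 1-(1-a)(1-b)."""
    return (a * b) % P if q == "A" else (1 - (1 - a) * (1 - b)) % P

def phi(x1, x2):
    """Arithmetization of the quantifier-free part x1 AND x2."""
    return (x1 * x2) % P

def verify(quants, prover, coins, max_deg=1):
    """Walk one random path; coins are the verifier's random field elements."""
    claim, prefix = 1, ()            # top claim: the whole formula evaluates to 1
    for q, r in zip(quants, coins):
        g = prover(prefix)           # claimed polynomial in the next free variable
        if len(g) - 1 > max_deg:     # enforce the degree bound r
            return False
        if combine(q, ev(g, 0), ev(g, 1)) != claim:
            return False             # g could not have resulted in the level above
        claim, prefix = ev(g, r), prefix + (r,)
    return claim == phi(*prefix)     # bottom: evaluate the real polynomial directly

def honest(prefix):
    """True polynomials: P2(x1) = x1, then P3(r1, x2) = r1*x2."""
    return [0, 1] if not prefix else [0, prefix[0]]

def cheater(prefix):
    """The claims of slide 32: P2(x1) = 1, then P3(r1, x2) = x2."""
    return [1] if not prefix else [0, 1]

def accepted(quants, prover):
    """Number of coin pairs (r1, r2) in F x F on which the verifier accepts."""
    return sum(verify(quants, prover, (r1, r2))
               for r1 in range(P) for r2 in range(P))

if __name__ == "__main__":
    print("true formula (EE), honest prover :", accepted("EE", honest), "of", P * P)
    print("false formula (AE), honest prover:", accepted("AE", honest))
    print("false formula (AE), cheater      :", accepted("AE", cheater))
```

The cheater is accepted only on coins where its polynomial agrees with the true one (r1 = 1 or r2 = 0), which is 2|F|-1 of the |F|² coin pairs and within the mr/|F| bound for m = 2, r = 1.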

  36. Bound The Degrees • Alas, the degree of the polynomials might be exponential in m, as each stage up might double it! • To solve this problem, we’ll somewhat lengthen the tree, but make sure the degrees are kept small.

  37. Auxiliary Quantifier • Suppose now we have a QBF =Q1x1...Qmxm[]. • ’=Q1x1R1x1Q2x2R1x1R2x2...QmxmR1x1...Rmxm[]. • R is an auxiliary quantifier, designed to keep the degree of the polynomials small. • We’ll arithmetize it as follows: Rx(x)  (1-x)∙(0) + x∙(1) • The degree of x is made 1. • The value remains the same for 0-1 variables

  38. Summing Up • Now we can apply the former analysis, and get that PSPACE IP. • Hence IP=PSPACE.

  39. Multi-Prover Interactive Protocol poly many provers

  40. What is MIP? Theorem (without proof): MIP=NEXP

  41. Scaling-Down • Similarly, one can show NP is contained in MIP with O(1) provers and O(log n) random bits. • Interestingly, this has implications for hardness of approximation. TO BE CONTINUED…
