• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Interactive Proof Systems and An Introduction to PCP
 

Interactive Proof Systems and An Introduction to PCP

on

  • 787 views

Presented at Computer Science Department, Sharif University of Technology (Complexity Theory Seminar).

Presented at Computer Science Department, Sharif University of Technology (Complexity Theory Seminar).

Statistics

Views

Total Views
787
Views on SlideShare
722
Embed Views
65

Actions

Likes
0
Downloads
8
Comments
0

1 Embed 65

http://www.ics.uci.edu 65

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Interactive Proof Systems and An Introduction to PCP Interactive Proof Systems and An Introduction to PCP Presentation Transcript

    • Interactive Proof Systems and An Introduction to PCP M. Reza Rahimi, Sharif University of Technology, Tehran, Iran.
    • 2 Outline• Introduction• Another Way to Look at NP• Interactive Proof Systems (IP)• Arthur-Merlin Proof Systems (AM)• IP=PSPACE• Probabilistically Checkable Proofs (PCPs)• Conclusion
    • 3 Introduction• One of the most important events in the complexity theory is Interactive Proof Systems.• It sheds light on the characteristic of some complexity classes.• It has also influenced on some practical areas such as Cryptography and Algorithm Design.• Before presentation of technical points, let’s start with the source of its main idea and its philosophy.
    • 4• Computation is basically a physical fact. This is the origin of Church-Turing-Markov thesis, which implies that: A Partial function is computable (in any accepted informal sense) if and only if it is computable by some binary Turing machine. Any Physical Process in Universe Turing Machine Program
    • 5• So in this view point, efficient solving of a special problem needs its efficient model of computation.• Let’s see what happens in human society.• Men communicate through languages with each other.• Consider the following set. Σ={ x | all symbols that we know} ={A, ⊕∈ ∫∫∫ , ζ ,...}, , , ∗ Farsi ⊂Σ , ∗ English ⊂Σ ,....
    • 6• Remember your childhood. When you was curious and want to underestand something. What did you do? Child::(Verifier) Dad::(Prover) 1. Daddy, Can I play with fire? 2. No. 3. Why? 4. Because You may be burnt. 5. What will happen, if I burn? 6. You will go to hospital and Dr injects you. Ok!
    • 7• Let’s model this process according to our knowledge. T = {x | All true statements in the universe}. T ⊆ Σ∗ , Input :: x =" Playing with fire is good." Query :: x ∈T, x ∉T ?• So, Interaction is one of the instinctive ways that human being solves its problems.• It is called Social Computational Model.• We will show that in another way NP, IP,…, are abstract models of this model of computation.
    • 8 IP, NP, AM, MA,MIP, PCP,…. Computational Models.Social Computational Models.
    • 9• In society we have some general strategies to interact with People. • We start from general questions to detailed questions. • If we want to ask all the questions it will be very time consuming so we select some questions. We will use these techniques for our mathematical protocols.
    • 10 Another Way to Look at NP• We know the following definition about NP: L ∈ NP ⇔ ∃V(.,.) ∈ P, ∃P(.), ∀x ∈ Σ ∗ , 1. x ∈ L ⇒ ∃y, y ≤ P( x ) and V(x, y) accepts. 2. x ∉ L ⇒ ∀y, y ≤ P( x ) and V(x, y) rejects.• We can look at this process like this: y Prover Verifier x x
    • 11• For prover we don’t consider any limit in time or space or computation power.• But verifier is deterministic polynomial time machine.• In this model of computation NP is defined like this: L ∈ NP ⇔ ∃ Prover, ∃ (Polynomia l Time Verifier) V, ∀x ∈ Σ ∗ , 1. x ∈ L ⇒ Prover has a strategy t o convince Verifier. 2. x ∉ L ⇒ Prover has no strategy t o convince Verifier.• So NP is single message interaction. What will happen if we – Allow multiple rounds of interactions, – Verifier can be randomized polynomial time machine?
    • 12• NP+ Multiple Round Interaction: Y1 Y2 Prover Y3 Verifier Yn x Y1Y2Y3…Yn x• According to the above it is obvious that NP=NP+Multiple Round of Interaction.• NP+ Randomized Polynomial Time Verifier: y Randomized Prover Polynomial Time Verifier x x
    • 13• The languages recognized by the previous model are in class MA. Conjecture: MA=NP.• So, It seems that only using one feature will not make NP machine stronger. What will happen when we add both features? Y1 Y2 Randomized Y3 Prover Polynomial Time Yn Verifier x x• This machine will lead us to the Interactive Proof Systems.
    • 14 Interactive Proof Systems (IP)• IP Model: q1 x a1 q2 Polynomial x Prover Time ai Verifier Random String OK or NO
    • 15• IP Class Definition: L ∈ IP ⇔ ∃V ∈ Probabilistic Polynomial Time TM, ∀x ∈ Σ ∗ 2 1. x ∈ L ⇒ ∃P Pr{ V ↔ P ok} ≥ . 3 1 2. x ∉ L ⇒ ∀P Pr{ V ↔ P ok} ≤ . 3• Note that Prover can not see the random string of verifier, so Verifier has Private Coin.• Round of Interaction r(n) =The total number of messages exchanged.• IP[K]::K round of interaction.
    • 16• Example: Graph Non-Isomorphism NONISO = { G1 , G2 G 1 and G 2 are not isomorphic graphs.} ISO = { G1 , G2 G 1 and G 2 are isomorphic graphs.}• It is obvious that ISO є NP so NONISO є CO-NP.• But we don’t know if it is NP-Complete or not. These two are very important in complexity theory. We know that it is in IP. It is proved that if ISO є NP-Complete then PH collapses.
    • 17Protocol: Private-Coin Graph Non-IsomorphismV ∴Pick i ∈{1,2} uniformly randomly. Randomly permute the vertices of G i to get newgraph call it H. Send H to P.P ∴Show that which of G1 or G 2 was the source of permutation. send its index to verifier.V ∴Yes if i = j else No. x ∈ NONISO ⇒ Pr{V ↔P Yes} =1 1 x ∉ NONISO ⇒Pr{V ↔P Yes} ≤ 2
    • 18Arthur-Merlin Proof Systems (AM)• AM Model: q1 x a1 q2 Arthur x Polynomial Merlin Time ai Verifier Random String OK or NO qi , ai = O( Poly ( x ), Random String = O( Poly ( x ), Number of Exchanged Messages = O( Poly ( x ), A( R, x, q1 , a1 , q 2 ,..., ai ) = qi +1 , Yes or No. M ( R, x, q1 , a1 , q 2 ,..., qi ) = ai .
    • 19• AM Class Definition: L ∈ AM ⇔ ∃ A ∈ Probabilistic Polynomial Time TM, ∀x ∈ Σ ∗ 2 1.x ∈ L ⇒ ∃M, Pr{ A ↔ M ok} ≥ . 3 1 2.x ∉ L ⇒ ∀M, Pr{ A ↔ M ok} ≤ . 3• Note that Prover can see the random string of verifier, so Verifier has Public Coin.• Round of Interaction r(n) =The total number of messages exchanged.• AM[K]=K round of interaction.
    • 20• It seems that the pervious protocol doesn’t work for this machine.• If Merlin can see random bits he always answers correctly.• But it is proved that NONISO є AM[2]. Theorem:: (Goldwasser, Sipser) NONISO є AM[2].
    • 21 Some Results About IP and AM Relation• IP[K] ⊆ AM[k+2] for all Constants k.• For constant k ≥ 2 we have AM[K]=AM[2].• So we can move all of Arthur’s messages to beginning of interaction: AMAMAM…AM = AAMMAM…AM … = AAA…AMMM…M
    • 22IP=PSPACE ( Shamir’s Theorem)• We describe it in two phase.IP ⊆PSPACE• Proof Idea: – Given any Verifier V , We will compute a using Polynomial Space machine. ∀x ∈ Σ* , V ⇒ a = max Pr{ V ↔ P = Ok}  P
    • 23PSPACE ⊆ IP• We need only to design an IP protocol for TQBF.• Before presentation of this protocol Lets review some basic concepts.Arithmetization:Arithmetization The usefulness of this technique is that we can extract more property from boolean expressions. Boolean Domain Polynomial Domain Φ ( x1 , x2 ,..., xm ) ⇔ P ( x1 , x2 ,..., xm ) x∧ y ⇔ x.y ¬x ⇔ 1− x x∨ y ⇔ 1-( 1-x)( 1-y).
    • 24Example:Example Φ( x1 , x2 , x3 ) = x1 ∨ x2 ∨ ¬x3 ↔ (1 − (1 − x1 )(1 − x2 )) ∨ (1 − x3 ) → (1 − (1 − (1 − (1 − x1 )(1 − x2 )))(1 − (1 − x3 )) → (1 − (1 − x1 )(1 − x2 )) x3 → P ( x1 , x2 , x3 ) = (1 − (1 − x1 )(1 − x2 )) x3 . { x1 ∨ x2 ∨ ¬x3 ⇔ (1 − (1 − x1 )(1 − x2 )) x3 }Lemma:Lemma Φ( x1 , x2 ,..., xm ) = 0 ⇔ P( x1 , x2 ,..., xm ) = 0. Φ( x1 , x2 ,..., xm ) = 1 ⇔ P( x1 , x2 ,..., xm ) = 1. ∴ ∑ ∑ x1∈{0 ,1} x2 ∈{0 ,1} ... ∑ P( x , x ,..., x xm ∈{0 ,1} 1 2 m )=k k = Number of Assignment of Φ.
    • 25• To catch general idea of the TQBF protocol lets review a protocol for following language. # SAT = {< Φ , k >: Φ is a cnf - formula with exactly k satisfying assignments}. Theorem :: # SAT ∈ IP.Main Idea :• Lets investigate the problem intuitively.
    • 26• Think that we are Verifier and want to know that if x ∈ SAT is true or not.• We usually start from General questions to detailed questions.• If the prover is trustful he/she will answer all the questions correctly.• If not we will catch him/her with detailed questions.• Lets review some basic definition.
    • 27Φ( x1 , x2 ,..., xm ) → P( x1 , x2 ,..., xm )f i ( x1 , x2 ,..., xi ) = ∑ ∑ xi +1∈ 0 ,1} xi +2 ∈ 0 ,1} { { ... ∑ P( x , x ,..., x xm ∈ 0 ,1} { 1 2 m )= Number of satisfying assignment when input is x1 , x2 ,..., xi .Example :Φ( x1 , x2 ) → P ( x1 , x2 )f 0 () = ∑ ∑ P( x , x ) =P(0,0) + P(0,1) + P(1,0) + P(1,1). x1∈ 0 ,1} x2 ∈ 0 ,1} { { 1 2f1 ( x1 ) = ∑ P( x , x ) =P( x ,0) + P( x ,1). x2 ∈ 0 ,1} { 1 2 1 1f 2 ( x1 , x2 ) = P ( x1 , x2 ).f 0 () :: Number of satisfying assignment.In General we have :f i ( x1 , x2 ,..., xi ) = f i +1 ( x1 , x2 ,..., xi ,0) + f i +1 ( x1 , x2 ,..., xi ,1).
    • 28Prover Verifier
    • 29• It is obvious that the foregoing Protocol is very large ( exponential message size).• So we must use randomness for shortening the messages and protocol.• In each phase, the message will be doubled. So we must reduce this phase.
    • 30Prover Verifier
    • 31Proof Idea:• If x ∈ # SAT then trusted prover always answer correctly.• Else devoius prover can cheat verifier with low probability in each phase. It means that: d n Pr{ f i = f i } ≤ ≤ n q 2
    • 32• Now it is the time to revise the last protocol for TQBF.• We know that: ∃ x1∀ x2 ...∀ xm Φ ( x1 , x2 ,..., xm ) ∈ TQBF ⇔ ∑ ∏ x1∈{0,1} x2 ∈{0 ,1} ... ∏ P( x , x ,..., x xm ∈{0,1} 1 2 m )0 • At first glance it seems when we see ∏ instead of addition we use multiplication. • But it may increase the size of the polynomial exponentially.
    • 33• So, we use clever idea for overcoming this problem. Linearization Operator R :: Rx1 [ P(x1 , x 2 ,..., x m )] ≡ (1 − x1 )P(0, x 2 ,..., x m ) + (x1 )P(1, x 2 ,..., x m )• Now we use this operator for TQBF. ∃ x1∀ x2 ...∀ xm Φ ( x1 , x2 ,..., xm ) ⇒ ∃ x1 Rx1∀ x2 Rx1Rx2 ...∀ xm Φ ( x1 , x2 ,..., xm )
    • 34 Probabilistically Checkable Proofs (PCPs)• Again, lets review the definition of NP class. L ∈ NP ⇔ ∃V(.,.) ∈ P, ∃P(.), ∀x ∈ Σ∗ , 1. x ∈ L ⇒ ∃y, y ≤ P( x ) and V(x, y) accepts. 2. x ∉ L ⇒ ∀y, y ≤ P( x ) and V(x, y) rejects.• So, if the input string is the member of language, verifier can access the whole bits of the polynomial size proof.
    • 35• What will happen if we restrict the verifier to access the subset of the proof but not all of it?• It seems that in this case the verifier will lose its power. (Maybe)• If we empower the verifier with randomization what will happen? • The answers of these questions will lead us to PCP machine.
    • 36 O(q(n)): The number of query about the bits of the proof. x Polynomial Time Randomized O(r(n)) :Length Verifier Of random stringWhole Proof
    • 37 Definition : PCP(r(n), q(n)) is the class of all languages accepted by an (r(n), q(n)) - restricted verifier V in the following sense : x ∈ L ⇒ ∃y, Pr[V y (x) = 1] = 1. 1 x ∉ L ⇒ ∀y, Pr[V y (x) = 1] ≤ . 2Some Points:• We don’t have any restriction on the size of the proof.• If the Verifier uses its history for the questioning, it is called adaptive else nonadaptive.
    • 38Some Clear Facts: NP = PCP(0, Poly(n)) =  PCP(0, n c ). c 0 CoRP = PCP(Poly(n),0).And this is one of the most important theoremsthat describes NP. PCP Theorem :: NP = PCP(Log n,1)
    • 39• Hastaad proved Stronger result : NP Equals PCP with O(logn) random bits and Exactly 3 query bits.• PCP technique resaults into finding optimum band for NP-Hard optimization problems, such as MAX-3SAT and MAX-CLIQUE.
    • 40 Conclusion• In this talk I focused on general ideas of IP and PCP.• It seems that these results and techniques will have many things to say, especially in the area of complexity.• In future, we would see many wonderful results. The END