Introduction

Last day, we had introduced the classes `AM`, `AM[k]` which were subclasses of `IP` and `IP[k]` where the verifier needs to send the prover its random coin tosses whenever its sends a message to the prover.
We said that Goldwasser and Sipser 1987 have shown that `IP[k] subseteq AM[k+2]`.
As a special case of this result we were working to show that `GNI in AM[2]`.
To do this we had formed a set `S = {langle H, pi rangle: H ~= G_1 text( or ) H~=G_2 text( and ) pi in aut(H)}`
This set has `2(n!)` elements if the graphs are nonisomorphic and `n!` many elements if they are isomorphic.
So we have reduced the nonisomorphism problem to a problem of estimating the size of a set using an interactive protocol.

The Set Lower Bound Protocol - Intuition

Imagine we have a subset of graphs `S` from the space of all graphs of n vertices.
Just like you can use Monte Carlo techniques to estimate volumes, we can use randomness to estimate its size.
Suppose we have a hash function `h` that maps from graphs on `n` vertices into some `[K]`. Given a value from `y` from`[K]`, it is more likely if `S` is bigger that there is some `x in S` such that `h(x) = y` than if `S` is a smaller set. We are going to exploit this property in our protocol.
To get our argument to work we need to make statements about our hash function, and for that, it actually helps if we choose the hash function at random from a collection of hash functions.

Quiz

Which of the following is known to be true?

We can require the verifier in the definition of IP to be deterministic and not affect the class.
The GNI and colored-socks interactive protocols we have given had nothing to do with each other.
We can allow the Prover to be probabilistic in the definition of IP and not affect the class.

Pairwise Independent Hash Functions

Definition. Let `H_(n,k)` be a collection of functions from `{0,1}^n` to `{0,1}^k`. We say that `H_(n,k)` is pairwise independent if for every `x, x' in {0,1}^n` with `x ne x'` and for every `y,y' in {0,1}^k`, `Pr_(h in_R H_(n,k))[h(x) = y ^^ h(x') = y'] = 2^(-2k)`.

We identify `{0,1}^n` with the finite field `GF(2^n)` containing `2^n` elements. The following theorem gives a construction of a family of efficiently computable pairwise independent hash functions.

Theorem. For every `n`, define the collection `H_(n,n)` to be `{h_(a,b)}_(a,b in GF(2^n))` where `a,b in GF(2^n)`, the function `h_(a,b):GF(2^n) -> GF(2^n)` maps `x` to `ax+b`. Then `H_(n,n)` is a collection of pairwise independent hash functions.

Proof. For every `x ne x' in GF(2^n)` and `y,y' in GF(2^n)`, `h_(a,b)(x) = y` and `h_(a,b)(x') = y'` iff `a` and `b` satisfy the equations:
`a cdot x +b =y`
`a cdot x' +b = y'`
These equations imply that `a = (y-y')(x-x')^(-1)`. This is well-defined because `x-x' ne 0`. Since `b = y - a cdot x`., the pair `langle a,b rangle` is completely determined by these equations, and so the probability that this happens over choices of `a` and `b` is exactly one over the number of possible pairs, `1/2^(2n)`.

The Set Lower Bound Protocol

Conditions: `S subseteq {0,1}^m` is a set such that membership in `S` can be certified. Both parties know a number `K`. The prover's goal is to convince the verifier that `|S| ge K` and the verifier should reject with good probability if `|S| < K/2`. Let `k` be an integer such that `2^(k-2) < K le 2^(k-1)`.

V: Randomly pick a function `h:{0,1}^m -> {0,1}^k` from a pairwise independent hash collection `H_(m,k)`. Pick `y in_R {0,1}^k`. Send `h,y` to prover.

P: Try to find an `x in S` such that `h(x) = y`. Send such an `x` to `V`, together with a certificate that `x in S`.

V output. If `h(x)=y` and the certificate validates that `x in S` accept. otherwise reject.

A Probability Gap

For `p^star = K/2^k`, we will see there is a gap of `3/4p^star` (`|S| ge K`) versus `p^star/2` (`|S| < K/2`) in the probability that there is an `x in S` such that the prover can be sure to make the verifier accept.

Claim. Let `S subseteq {0,1}^m` satisfy `|S| le 2^k/2`. Then for `p = |S|/2^k`
`p ge Pr_(h in_R H_(m,k), y in_(R) {0,1}^k)[(exists x in S) h(x) = y] ge (3p)/4 - p/2^k.`

Proof. The upper bound on the probability follows by noticing that the set `h(S)` of `y`'s with preimages in `S` has size at most `|S|`. To prove the lower bound we show
`Pr_(h in_R H_(m,k))[(exists x in S)h(x) = y] ge (3p)/4`
for every `y in {0,1}^k`. For every `x inS` define `E_x` as the event `h(x) = y`. Then, `Pr[(exists x in S) h(x) = y] = Pr[vv_(x in S) E_x]`. By the inclusion-exclusion principle, this is at least:
`sum_(x in S)Pr[E_x] - 1/2sum_(x ne x' in S)Pr[E_x cap E_(x')]`.
However, by pairwise independence of the hash functions, `if x ne x'`, then `Pr[E_x] = 2^(-k)` and `Pr[E_x cap E_(x')] = 2^(-2k)` and so this probability (up to low order term `|S|/2^(2k)`) is at least
`|S|/2^k - 1/2|S|^2/2^(2k) = |S|/2^k(1- |S|/2^(k+1)) ge (3p)/4`

Finish Interactive Proofs