Outline

• Facts about IP
• Graph Nonisomorphism
• Public coins

Facts about IP

• Last day, we introduced the class IP which consisted of polynomial length interactive proof protocols with a probabilistic polynomial time verifier.
• We begin today with some facts about IP.
• First off, if `L in IP` then there is a prover `P` which makes the verifier accept `x in L` with probability `2/3` and if `x !in L` no prover can make the verifier accept with probability greater than `1/3`. We can use Chernoff bounds to make these probabilities respectively `1 - 2^(-n^s)` and `2^(-n^s)` for arbitrary fixed `s > 0`.
• Second, we can allow the prover to be probabilistic and not affect the class IP.
• A prover can use an arbitrary function, it can use unbounded computational powers. That said, one can show that the optimal prover can be computed using polynomial space. So `\I\P subseteq \P\S\P\A\C\E`.

Quiz

Which of the following is known to be true?

1. The `Sigma_2^p` algorithm for a BPP language decided using DTM `M(x,r)` consists in guessing a set of shift vectors, then checking for every random string `r` of `m` bits that the shift of `r` by at least one of them causes `M` to accept.
2. The definition of `IP` makes use of public and private coins.
3. If `S subseteq {0,1}^m` and `|S| <2^(m-n)` then the odds that the union of `k` uniformly chosen shifts `S +u_i` of `S` contains all of `{0,1}^m` is at least `2^(-m)`.

Graph Isomorphism and Nonisomorphism

• We present now an example of a language in IP that is not known to be in `NP`.
• We say two graphs `G_1`, `G_2` are isomorphic if they are the same up to a renumbering of vertices. That is, there is a permutation of the vertice `pi`, such that `pi(G_1) = G_2`.
• The problem GI is given two graphs determine if they are isomorphic.
• Obviously, this problem is in NP because we can guess the permutation and then verify whether the two graphs are the same.
• However, this problem is not known to be `NP`-complete and it is not known to be in `P`.
• The problem GNI is given two graphs determine if they are not isomorphic.

Interactive Protocol for GNI

Protocol:

V: Pick `i in {1,2}` uniformly at random. Randomly permutes the vertices of `G_i` to get a new graph `H`. Send `H` to `P`.

P: Identify which of `G_1`, `G_2` was used to produce `H`. Let `G_j` be that graph. Send `j` to `V`.

V: Accept if `i=j`; otherwise reject.

Public coins and AM

Definition. For every `k` the complexity class `AM[k]` is defined as the subset of `IP[k]` obtained when we restrict the verifier's messages to be random bits, and not allowing it to use any other randoms bits that are not contained in these messages.

An interactive proof of this form is called a public coin proof or Arthur Merlin proof.

Clearly, `AM[k] subseteq IP[k]`.

Simulating Private Coins

Theorem. (Goldwasser Sipser 1987). For every `k:NN -> NN` with `k(n)` computable in poly(n).
`IP[k] subseteq AM[k+2]`.

Before we show this proof we show the following subcase:

Theorem. `GNI in AM[2]`

Proof. Let `S = {H | H ~= G_1 mbox( or ) H~= G_2}`. An `n` vertex graph has at most `n!` equivalent graphs. Let's assume this is exactly `n!` for the graphs `G_1` and `G_2`. Then the size of `S` differs by a factor of 2 depending on whether `G_1` and `G_2` are isomorphic.

Now consider the general case where `G_1` or `G_2` may have less than `n!` equivalent graphs. An `n`-vertex graph has less than `n!` equivalent graphs iff it has a nontrivial automorphism, which is a permutation that is not the identity permutation. Let `aut(G)` denote the automorphisms of `G`. We change the definition of `S` to
`S = {(H, pi) | H ~=G_1 mbox( or ) H ~=G_2 mbox( and ) pi in aut(G)}`.
using the fact that `aut(G)` is a subgroup. One can verify that this `S` has size `2 cdot (n!)` or `n!` depending on whether `G_1` and `G_2` are isomorphic. So to convince the verifier these two graphs are nonisomorphic it suffices for the prover to convince the first case happens rather than the second. We will do this with the set lower bound protocol which we describe on Monday.