Outline

• Interactive Proofs
• The Class IP
• Quiz
• Protocols for GI and GNI

Interactive Proofs

• The math notion of proof consists of getting a proof/certificate, and a verifier checking the certificate that it is valid.
• When people usually try to convince one another about something, one typically has a multiple rounds of back-and-forth exchanges where one round is of the form "explanation of sticking point/check explanation seems reasonable". This can be thought of as "certificate/check certificate is correct".
• Are there ways to capture notions of computation involving such multi-round interactions?
• The answer is "yes" and forms the basis of the complexity area known as interactive proofs.

Example Deterministic Verifiers

• Consider the following interactive proof for membership in 3SAT:
  • The verifier asks the prover to announce the values for the literals in each clause.
  • The verifier keeps a record of these answers, and accepts at the end of all clauses if all clauses were satisfied, and if the prover never gave conflicting values for variables.
• Here both the prover and verifier are deterministic.
• Notice we could have done this protocol in one round by just having the prover announce the values of all the clauses in the first exchange.
• This gives some hint as to why if everything is deterministic only one round is needed for proofs.

Probabilistic Verifiers

• Suppose we now let the verifier be probabilistic and we allow it to come to the wrong conclusion with some low probability.
• We require though that the verifier reject proofs for a wrong statement with good probability regardless of the strategy the prover uses.
• For example, suppose I am color-blind and you are trying to convince me that my two socks are different colors: red and yellow.
• I can present you my socks and ask: Which is the yellow one?
• You, as a prover, point at the purported yellow one.
• I then go to another room and flip a coin (that you don't see). If its heads, I switch which foot my socks are on, if its tails I leave them on the same feet. I then ask you which foot has the yellow one.
• If they really are different, you can always answer truthfully. If, however, there are the same then in any given round I catch you lying 50% of the time.
• By doing multiple rounds, I can reduce my error as much as I want.

Interactive Proof System

Definition. Let `f, g : {0,1}^star -> {0,1}^star` be functions, let `k ge 0` be an integer, and let `r` be a random `m` bit string. A `k`-round interaction of `f` and `g` on input `x in {0,1}^star`, denoted by `langle f, g rangle(x)`, is the sequence of `a_1, ..., a_k in {0,1}^star` defined as follows:
`\qquad\qquad a_1 = f(x, r)`
`\qquad\qquad a_2 = g(x, a_1)`
`\qquad\qquad`...
`\qquad\qquad a_(2i+1) = f(x, r, a_1, ... a_(2i))` for `2i < k`
`\qquad\qquad a_(2i+2) = g(x, a_1, ..., a_(2i+1))` for `2i +1 < k`.

• Notice only `f` (the verifier) has access to the random string (private coins).
• The output of `f` at the end of the computation is denoted by `out_f` `langle f, g rangle(x)` is defined to be `f(x, r, a_1, ... a_k)`.
• We assume this value is from `{0, 1}`.

The class IP

Definition For an integer `k ge 1`, we say that `L` is in `IP[k]` if there is a probabilistic TM `V` that can have a `k`-round interaction with a function `P:{0,1}^star -> {0,1}^star` such that on input `x`, `V` runs in time bounded by `q(|x|)` for some polynomial `q` and:
(Completeness) `x in L => exists P Pr[out_V langle V, P rangle(x) = 1] ge 2/3`
(Soundness) `x !in L => forall P Pr[out_V langle V, P rangle(x) = 1] le 1/3`
where all probabilities are over the choice of `r`.

We define `IP = cup_(c ge 1) IP[n^c]`.

Remarks about IP

• First off, if `L in IP` then there is a prover `P` which makes the verifier accept `x in L` with probability `2/3` and if `x !in L` no prover can make the verifier accept with probability greater than `1/3`. We can use Chernoff bounds to make these probabilities respectively `1 - 2^(-n^s)` and `2^(-n^s)` for arbitrary fixed `s > 0`.
• Second, we can allow the prover to be probabilistic and not affect the class IP.
• A prover can use an arbitrary function, it can use unbounded computational powers. That said, one can show that the optimal prover can be computed using polynomial space. This result is due to you on the HW, thanks for your efforts! So `\I\P subseteq \P\S\P\A\C\E`.

Remarks about Interactive Protocols and Approximability

• Imagine `L in NP`. Then it can be recognized with the aid of certificates.
• For the particular case of SAT, the certificate might be a truth assignment that satisfies all the clauses of the formula `phi` we are interested in.
• A malicious prover might try to fool a computationally limited (imagine BPLOGTIME with only three lookups in the proofs) verifier by outputting an assignment which was very close to satisfied.
• If we have a good interactive protocol for NP with these weak verifiers, then for the prover task of getting such a close approximation of a satisfying assignment must be at least as hard as finding an actual assignment.
• Hence, restricted protocols in IP are connected with hardness of approximation results.
• The PCP theorem (AS92, ALM+92) says that a language in NP has a one round protocol where the prover sends a proof, and the verifier operates in bounded probabilistic log time with only 3 lookups to determine if the proof is valid.
• An application of this result is that if one could approximate finding a solution of 3-SAT instances within a factor of `(7/8 + epsilon)` in p-time then `P=NP`.
• Hardness of approximation results for many NP-complete languages follow from the PCP theorem.

Quiz

Which of the following statements is true?

1. The proof that our random walk algorithm for 2-SAT discovers a truth assignment with probability 1/2 used Chernoff Bounds.
2. The proof that the choice of 2/3 in the definition of BPP didn't matter directly used Markov's Inequality.
3. BPP is contained in the polynomial time hierarchy.

Graph Isomorphism and Nonisomorphism

• We present now an example of a language in IP that is not known to be in `NP`.
• We say two graphs `G_1`, `G_2` are isomorphic if they are the same up to a renumbering of vertices. That is, there is a permutation of the vertice `pi`, such that `pi(G_1) = G_2`.
• The problem GI is given two graphs determine if they are isomorphic.
• Obviously, this problem is in NP because we can guess the permutation and then verify whether the two graphs are the same.
• However, this problem is not known to be `NP`-complete and it is not known to be in `P`.
• The best published algorithm for GI runs in time `2^{O(\sqrt{n}log n)}` (ZKT '85). In 2015, Babai claimed a `2^{O(log^c n)}` algorithm, but there have been issues with its proof.
• BHZ '87 show that if GI is NP-complete then `Sigma_2^p = Pi_2^p` (Proof uses material we cover this week and is in our book).
• The problem GNI is given two graphs determine if they are not isomorphic.
• That is, it is the complement of GI, so in `coNP` and not known to be in `P`.

Interactive Protocol for GNI

Protocol:
  V: Pick i in {1,2} uniformly at random. 
     Randomly permutes the vertices of Gi to get a new graph H.
     Send  H to P.
  P: Identify which of G1, G2 was used to produce H.
     Let Gj be that graph. 
     Send j to V.
  V: Accept if i=j; otherwise reject.

• If `G_1` and `G_2` are nonisomorphic, then the prover with enough resources identify which of `G_1` and `G_2` that `H` came from.
• If they are the same, `P` is reduced to randomly guessing, and will be caught 50% of the time.
• So the above is an IP protocol for GNI.
• Note the above protocol can also be used as an introduction to an area known as program checking. The prover can be thought of a program which is supposed to be computing GNI, and the verifier as some kind of checker/unit tester for this program.
• Surprisingly, we can often test a program to high probability with a weaker tester, than the algorithm needed to solve the problem. It can be shown any P-complete under NC reductions language has an NC computable program checker (proof is in the book).

Public coins and AM

Definition. For every `k` the complexity class `AM[k]` is defined as the subset of `IP[k]` obtained when we restrict the verifier's messages to be random bits, and not allowing it to use any other randoms bits that are not contained in these messages.

• An interactive proof of this form is called a public coin proof or Arthur Merlin proof. Merlin is a powerful wizard who knows King Arthur's previous coin tosses, but cannot predict his future ones.
• Clearly, `AM[k] subseteq IP[k]`.
• Often `AM[2]` is written as just `AM`, `AM[3]` as AMA, etc.
• For `AM[2]`, we can assume the first message is from Arthur.
• We say `L in MA` if there is a proof system for `L` that consists of the prover sending the first message (this seem to be weaker than AM).
• In general, `k` can be some polynomial in the input length `n`. It is known, but we won't show in this class, that `AM = MAM` and so `AM =AM[k]` for positive integer `k`. (Babai 85).

Another Characterization of AM

• The bounded error aspect of `BPP` can be viewed as an operator `BP \cdot` that we can apply to other complexity classes `C`:
  Definition. `BP \cdot C` consists of those languages `L` such that for some language `B in C`, some polynomial `p` and all inputs `x` of length `n`, we have
  `\qquad Pr_{y in \{0,1\}^{p(n)}}[(x,y) in B \harr x in L] > 2/3.`
• For example, on the homework I ask you to look at bounded-error probabilistic logspace `BP cdot L`.
• Similarly, we can view polynomial length existential and universal guesses as operators `exists \cdot` and `forall \cdot`.
• Roughly, if `k` is a positive integer, then A turns corresponds to a `BP\cdot` operator and `M` turns correspond to `exists \cdot` operators.
• It is known that `AM = BPNP` and `MA = exists BPP`.

Public Coin Simulation of Private Coins

Theorem. (Goldwasser Sipser 1987). For all polynomials k(n),
`IP[k] subseteq AM[k+2]`.

Before we show this proof we show the following subcase:

Theorem. `GNI in AM[2]`

Proof. Let `S = {H | H ~= G_1 mbox( or ) H~= G_2}`. An `n` vertex graph has at most `n!` equivalent graphs. Let's assume this is exactly `n!` for the graphs `G_1` and `G_2`. Then the size of `S` differs by a factor of 2 depending on whether `G_1` and `G_2` are isomorphic.

Now consider the general case where `G_1` or `G_2` may have less than `n!` equivalent graphs. An `n`-vertex graph has less than `n!` equivalent graphs iff it has a nontrivial automorphism, which is a permutation that is not the identity permutation. Let `aut(G)` denote the automorphisms of `G`. We change the definition of `S` to
`S = {(H, pi) | H ~=G_1 mbox( or ) H ~=G_2 mbox( and ) pi in aut(H)}`.
using the fact that `aut(G)` is a subgroup. One can verify that this `S` has size `2 cdot (n!)` or `n!` depending on whether `G_1` and `G_2` are isomorphic. So to convince the verifier these two graphs are nonisomorphic it suffices for the prover to convince the first case happens rather than the second. We will do this with the set lower bound protocol which we describe on Monday.