Introduction

Last day, we had introduced the classes `AM`, `AM[k]` which were subclasses of `IP` and `IP[k]` where the verifier needs to send the prover its random coin tosses whenever its sends a message to the prover.
We said that Goldwasser and Sipser 1987 have shown that `IP[k] subseteq AM[k+2]`. Here `k(n)` is a polynomial in the input length.
As a special case of this result, we were working to show that `GNI in AM[2]`.
On Monday, we already gave a proof that GNI was in IP, but this proof used private coins.
On Monday, to show `GNI in AM[2]`, we had formed a set `S = {langle H, pi rangle: H ~= G_1 text( or ) H~=G_2 text( and ) pi in aut(H)}`
This set has `2(n!)` elements if the graphs are nonisomorphic and `n!` many elements if they are isomorphic.
So we have reduced the nonisomorphism problem to a problem of estimating the size of a set using an interactive protocol.

In-Class Exercise

Suppose we have two graphs each with four vertices and with edges to make a square along with one additional diagonal edge.
Draw a picture of your two graphs. Choose the vertices of these graphs so there is a non-trivial isomorphism and explicitly write it down.
Then for one of the two graphs explicitly write down an automorphism.
Post your solution to the May 3 In-Class Exercise Thread.

The Set Lower Bound Protocol - Intuition

Imagine we have a subset of graphs `S` from the space of all graphs of n vertices.
Just like you can use Monte Carlo techniques to estimate volumes, we can use randomness to estimate its size.
Suppose we have a hash function `h` that maps from graphs on `n` vertices into some `[K]`. Given a value from `y` from`[K]`, it is more likely if `S` is bigger that there is some `x in S` such that `h(x) = y` than if `S` is a smaller set. We are going to exploit this property in our protocol.
To get our argument to work we need to make statements about our hash function, and for that, it actually helps if we choose the hash function at random from a collection of hash functions.

Pairwise Independent Hash Functions

Definition. Let `H_(n,k)` be a collection of functions from `{0,1}^n` to `{0,1}^k`. We say that `H_(n,k)` is pairwise independent if for every `x, x' in {0,1}^n` with `x ne x'` and for every `y,y' in {0,1}^k`, `Pr_(h in_R H_(n,k))[h(x) = y ^^ h(x') = y'] = 2^(-2k)`.

We identify `{0,1}^n` with the finite field `GF(2^n)` containing `2^n` elements. The following theorem gives a construction of a family of efficiently computable pairwise independent hash functions.

Theorem. For every `n`, define the collection `H_(n,n)` to be `{h_(a,b)}_(a,b in GF(2^n))` where `a,b in GF(2^n)`, the function `h_(a,b):GF(2^n) -> GF(2^n)` maps `x` to `ax+b mod 2^n`. Then `H_(n,n)` is a collection of pairwise independent hash functions.

Proof. For every `x ne x' in GF(2^n)` and `y,y' in GF(2^n)`, `h_(a,b)(x) = y` and `h_(a,b)(x') = y'` iff `a` and `b` satisfy the equations:
`a cdot x +b =y`
`a cdot x' +b = y'`
These equations imply that `a = (y-y')(x-x')^(-1)`. This is well-defined because `x-x' ne 0`. Since `b = y - a cdot x`., the pair `langle a,b rangle` is completely determined by these equations, and so the probability that this happens over choices of `a` and `b` is exactly one over the number of possible pairs, `1/2^(2n)`.

The Set Lower Bound Protocol

Conditions: `S subseteq {0,1}^m` is a set such that membership in `S` can be certified. Both parties know a number `K`. The prover's goal is to convince the verifier that `|S| ge K` and the verifier should reject with good probability if `|S| < K/2`. Let `k` be an integer such that `2^(k-2) < K le 2^(k-1)`.

V: Randomly pick a function `h:{0,1}^m -> {0,1}^k` from a pairwise independent hash collection `H_(m,k)`. Pick `y in_R {0,1}^k`. Send `h,y` to prover.

P: Try to find an `x in S` such that `h(x) = y`. Send such an `x` to `V`, together with a certificate that `x in S`.

V output. If `h(x)=y` and the certificate validates that `x in S` accept. otherwise reject.

A Probability Gap

For `p^star = K/2^k`, we will see there is a gap of `3/4p^star` (`|S| ge K`) versus `p^star/2` (`|S| < K/2`) in the probability that there is an `x in S` such that the prover can be sure to make the verifier accept.

Claim. Let `S subseteq {0,1}^m` satisfy `|S| le 2^k/2`. Then for `p = |S|/2^k`
`p ge Pr_(h in_R H_(m,k), y in_(R) {0,1}^k)[(exists x in S) h(x) = y] ge (3p)/4 - p/2^k.`

Proof. The upper bound on the probability follows by noticing that the set `h(S)` of `y`'s with preimages in `S` has size at most `|S|`. To prove the lower bound we show
`Pr_(h in_R H_(m,k))[(exists x in S)h(x) = y] ge (3p)/4`
for every `y in {0,1}^k`. For every `x inS` define `E_x` as the event `h(x) = y`. Then, `Pr[(exists x in S) h(x) = y] = Pr[vv_(x in S) E_x]`. By the inclusion-exclusion principle, this is at least:
`sum_(x in S)Pr[E_x] - 1/2sum_(x ne x' in S)Pr[E_x cap E_(x')]`.
However, by pairwise independence of the hash functions, `if x ne x'`, then `Pr[E_x] = 2^(-k)` and `Pr[E_x cap E_(x')] = 2^(-2k)` and so this probability (up to low order term `|S|/2^(2k)`) is at least
`|S|/2^k - 1/2|S|^2/2^(2k) = |S|/2^k(1- |S|/2^(k+1)) ge (3p)/4`

Conclusion of Proof that `GNI in AM[2]`

The public coin interactive proof system for GNI consists of the verifier and prover running several iterations of the set lower bound protocol in parallel (so will be AM[2]) for the set `S` as defined at the start of the lecture.
If at least `(5p^\star)/8` of the iterations of the protocol accepts, we know are hashing from the set involving two non-isomorphic graphs.
We can use Chernoff bounds to reduce the errors as needed to ensure completeness.

`IP[k] \subseteq AM[k+2]` -- Proof Definitions

By padding messages, we can assume the messages the verifier sends are all the same length `m` and that at most `f(n)` many coin tosses are used in the `IP[k]` protocol.
We'll use `r` to denote a possible sequence of coin flips of length `f(n)`.
Let `V(w,r, hs_i) = v_{i+1}` mean that the verifier on input `w` with random sequence `r` and history `hs_i` outputs next message `v_{i+1}`.
Let `P(hs_i, v_{i+1}) = p_{i+1}` mean that the prover given history `hs_i` and message `v_{i+1}` outputs `p_{i+1}`.
For a given `r`, let `prefix(w,r)` be the set of prefixes `s` of the sequence `hs = {v_1, p_1, ..., v_{k(n)}, p_{k(n)}}` for an optimal prover.
Let `#a\c\c\ept(s,w)` be the number of random sequences `r` such that `s in prefix(w,r)` and the verifier accepts at the end of `h`.
Let `\epsilon` be the empty word. Then the probability that `V` accepts input `w` is by definition `(#a\c\c\ept(\epsilon,w))/(2^{f(n)})`.
To prove `x in L` our `AM[k+2]` tries to show `#a\c\c\ept(\epsilon,w) > 2^{f(n)}(2/3)`.

`IP[k] \subseteq AM[k+2]` -- Proof Protocol

Unlike the GNI case, Arthur doesn't have two fixed choices in size for `#a\c\c\ept(\epsilon,w)`.
So as a first step in the protocol, Merlin sends the purported size of `#a\c\c\ept(\epsilon,w)` as a string `b_1`. The protocol is then:
For round `t in [1, k(n)]`:

V: Randomly pick `f(n)` functions `h_j:{0,1}^m -> {0,1}^{b_t+1}` from a pairwise independent hash collection `H_(m,b_t+1)` and randomly picks `(f(n))^2` strings `y_p` in `{0,1}^{b_t+1}`. Send `h_1, ... h_{f(n)}, y_1, ..., y_{(f(n))^2}` to prover.

P: Find a next `IP[k]` verifier message `v_{t+1}`, and prover message `p_{t+1}` for some `r` on which `IP[k]` verifier accepts such that `V(w,r, hs_t) = v_{t+1}` and so there is a `j`, `p`, `h_j(v_{t+1})= y_p`. Send `v_{t+1}`, `p_{t+1}`, and `b_{t+1} := #a\c\c\ept(hs_t, w)` to `V`.

V: Checks there is a `j` and `p` such that `h_j(v_{t+1})= y_p`, if so goes to next round, otherwise rejects.
For round `k(n)+1`, (since we started with 0, the total rounds will be `k+2`):

V: Randomly pick `f(n)` functions `h_j:{0,1}^{f(n)} -> {0,1}^{b_{k+1}+1}` from a pairwise independent hash collection `H_({f(n)},b_{k+1}+1)` and randomly picks `(f(n))^2` strings `y_p` in `{0,1}^{b_{k+1}+1}`.

P: Send the random bits `r`, that it used in its computation of the last round.

V: Checks there is a `j` and `p` such that `h_j(r)= y_p`. The verifier then then uses r, to check for each round `t` of the IP protocol `V(w,r, hs_t) = v_{t+1}` and that for the final the IP verifier accepted.
We skip the proof that the above protocol works, but the proof is similar to the GNI case.

Public Versus Private Coins, Set Lower Bound Protocol

Outline