View
233
Download
0
Tags:
Embed Size (px)
Citation preview
PSPACE IP
Proshanto MukherjiCSC 486
April 23, 2001
Overview Definitions Proof
Arithmetization The protocol Soundness and Completeness
Related results Summary
Definitions(1): IP
Two components: Verifier: polynomial time-bounded probabilistic oracle TM Prover: deterministic TM with unlimited computational power
Interactive Proof Systems
VERIFIER
PROVER
QUERY TAPE
question
answer
Definitions(1): IPSoundness and Completeness
A language L has an interactive proof system, and is in IP, if there exists averifier V (recall that a verifier must be polynomial time-bounded) suchthat, *x,1. Completeness:If Lx, there exists some prover, such that V accepts x with probabilitygreater than
4
3, when interacting with that prover, AND
2. Soundness:If Lx, there is no prover P such that the probability of V accepting xthrough interactions with P attains or exceeds
4
1
Definitions(2): PSPACE
k
knSPACEPSPACE ][
PSPACEPHP
PSPACEP But we still don’t know whether
Overview Definitions Proof
Arithmetization The Protocol Soundness and Completeness
Related results Summary
Proof
Let L be an arbitrary language in PSPACE Let D be the corresponding PSPACE machine Assume that:
D has M states, D’s alphabet has N symbols, D’s tape usage is bound by the polynomial p D has exactly one accepting configuration for any
given length of input If D accepts x, it does so in exactly steps
Setting it up
},...,,{ 21 MqqqQ },...,,{ 21 Naaa
|)(|2 xr
Arithmetization Transform a computational problem
to one of evaluating a polynomial Let }1,0{, cb
cbcbAND ),(b c b.c
0 0 00 1 01 0 01 1 1
b (1-b)0 11 0
bbNOT 1)(
Arithmetization Transform a computational problem
to one of evaluating a polynomial Let }1,0{, cb
cbcbcbOR ),(b c (b+c)-b.c
0 0 0-0=00 1 1-0=11 0 1-0=11 1 2-1=1
12),( cbcbcbEQb c 2b.c-b-c+1
0 0 10 1 01 0 01 1 1
Arithmetization
otherwise ,0
1 oneexactly if,1),...,,]([ 21
ik
yyyykUNIQ
)1 oneleast (at )1 onemost (at ),...,,]([ 21 iik yyyyykUNIQ
))(())),((( ),...,,]([11
21 iki
jikji
k yNOTNOTyyANDNOTyyykUNIQ
))1(1()1( ),...,,]([11
21
ki
ikji
ik yyyyyykUNIQ j
Arithmetization
Define:
Configurations of D on x
otherwise,0
is statecurrent theif ,1][,,...,1 iq
isttMi
otherwise,0
position at the is head the,1][|),(|,...,1
thiiposxpi
otherwise,0
a islocation tape at the symbol the,1],[
,,...,1|),(|,...,1
jthi
jisym
Njxpi
|)(|)1(|)(|
on of state a zecharacteri tonecessary variablesof no.|)(|
xpNMxs
xDxs
ArithmetizationWhat is a “legal” configuration?
A legal configuration of D on x is one in which:1. The machine is in precisely one state Qq2. The tape head is at precisely one position |)}(|,...,1{ xphp3. For every |)(|1 xpi , there is exactly one Nj1 such that:
Symbol jais stored at tape position i
])[],...,2[],1[]([ MsttsttsttMUNIQ
|)])(|[],...,2[],1[|)]((|[ xpposposposxpUNIQ
|)(|
1
]),[],...,2,[],1,[]([xp
i
NisymisymisymNUNIQ
ArithmetizationWhat is a “legal” configuration?
))]),[],...,2,[],1,[]([
|)]),(|[],...,2[],1[|)]((|[(
]),[],...,2[],1[]([(
)(
|)(|
1
xp
iCCC
CCC
CCC
NisymisymisymNUNIQ
xpposposposxpUNIQAND
MsttsttsttMUNIQAND
CLCONF
Define:
Arithmetization
Let:
Transitions of D on x
D
offunction n transitio thebe
})1,0,1{()(
)),','(),,(( daqaq means that, if the current state of D is q, and
the symbol under the tape head is a, then D overwrites the a with thesymbol a', enters state q', and moves the head d spaces right
ArithmetizationWhat is a “legal” transition?
A legal transition NOi),( , of D, where )),,(),,(( dmlkjand i is the position of the head in O, is one in which:1. O is a legal configuration2. N is a legal configuration3. The position of the head changes appropriately4. The state changes appropriately5. The newly-written symbol appears in the correct tape cell6. The only tape position whose contents changes is the one just written to
itxpt NuNO
NO
NO
NO
utsymutsymEQ
misymkisymAND
lsttjsttAND
diposiposAND
|),(|1 1
)],[],,[(
],[],,[(
])[],[(
])[],[(
))(),(( NLCONFOLCONFAND}
ArithmetizationWhat is a “legal” transition?
itxpt NuNO
NO
NO
NO
utsymutsymEQ
misymkisymAND
lsttjsttAND
diposiposAND
NLCONFOLCONFAND
iNOLTRANS
|),(|1 1
)],[],,[(
],[],,[(
])[],[(
])[],[(
))(),((
)),(,,(
So, set
ArithmetizationReachability
)|)}(|,...1({),(
)),(,,(),(xpi
o iNOLTRANSNOR
Now we define a polynomial that captures whether, if D is in configuration O, it is possible to reach configuration N in one step
otherwise,0
in if,1),(
DNONORo
ArithmetizationMulti-step Reachability
And recursively extend this to get a set of polynomials that capture whether it is possible to get from O to N in 2k steps, for any
otherwise,0
in if,1),(|)},(|,...,1{
2 DNONORxrk
k
k
|)}(|,...,1{ xrk
ArithmetizationMulti-step Reachability
otherwise,0
in if,1),(|)},(|,...,1{
2 DNONORxrk
k
k
Configuration B
Configuration A
steps 2k
If:
Recall:
ArithmetizationMulti-step Reachability
otherwise,0
in if,1),(|)},(|,...,1{
2 DNONORxrk
k
k
Configuration B
Configuration A steps 2 1k
Configuration C
steps 2 1k
Then:
Recall:
ArithmetizationMulti-step Reachability
otherwise,0
in if,1),(|)},(|,...,1{
2 DNONORxrk
k
kRecall:
NO steps 2 1k
steps 2 1k
}1,0{ }1,0{|)(|11|)(|11
1 |)(|
),,...,(),...,,(...),(
|)},(|,...,1{
xs
NRORNOR
xrk
xskxskk
Arithmetization So, let Cini be the (unique) initial
configuration, and Cfin the (unique) final configuration of D on input x. Then
]1),([, |)(|* fininixr CCRLxx
Arithmetization (recap)
AND NOT OR
EQUNIQexactly one true equal
LCONF legal configuration
LTRANS legal transition
R0 reachability (1 step)
Rk reachability (2k steps)
ArithmetizationKey Point
All these polynomials have been discussed for cases where each variable is binary, but may be evaluated over any field
Their values at points outside {0,1} may not preserve their “key properties”
41155)25(2)5,5( e.g. EQ
Overview Definitions Proof
Arithmetization The Protocol Soundness and Completeness
Related results Summary
The ProtocolPreliminaries
Define:
}1,0{ |)(|1111
|)(|1111
}1,0{
111
|)(|
|)(|1)),,...,,,,...,((
)),...,,,,...,(,(...)](,,,,[
),...,(,,
|)},(|,...,1{|)},(|,...,1{
xsl e xsllk
xsllk
e
ll
xs
eeyR
eeyRylkG
ZZ
xslxrk
}1,0{ |)(|111
|)(|111
}1,0{ |)(|)),,...,,,...,((
)),...,,,...,(,(...],,,1,['
xsl e xsllk
xsllk
e eeR
eeRlkG
))(,)(()](,,,[
,,,|)},(|,...,1{
1
|)(|
yyRykH
Zxrk
k
xs
The ProtocolPreliminaries
Therefore: )1](,,,1,[)0](,,,1,[],,,,[' lkGlkGlkG
),(],,,0,[' kRkG (no constraint on )
),(),(],,|),(|,[' 11 kk RRxskG
),()0](,,,[ 1 kRkH
),()1](,,,[ 1 kRkH
)](,,,,[}]{,,,,[' ll lkGlkG
The Protocol1 . G e t a p r i m e n u m b e r ]2,2[ |)(|2|)(| xmxmQ f r o m t h e p r o v e r , w h e r e 3)1)()(4)(2)(()( nsnpnrnm .
S e t v r ( | x | ) , 0 = 1 , = C i n i , = C f i n .
2 . F o r k = r ( | x | ) d o w n t o 1( a ) F o r l = 1 , … , s ( | x | )
( i ) G e t p o l y n o m i a l ][ yZg Q , w h i c h t h e p r o v e r c l a i m s i s)(mod)](...,,,,[ 11 QylkG l
( i i ) T e s t w h e t h e r )(mod)1()0(1, Qggv lk . I f n o t , r e j e c t x .( i i i ) C h o o s e Ql Z a t r a n d o m . S e t )(mod)(, Qgv llk
( b ) L e t ),...,( |)(|1 xs . G e t p o l y n o m i a l ][ yZh Q , w h i c h t h e p r o v e r c l a m si s )(mod)](,,,[ QykH . I f )1()0(|)(|, hhv xsk , r e j e c t x .
( c ) C h o o s e QZr a t r a n d o m . S e t Qrhv k mod)(0,1 . S e t r)( , r)( .
3 . T e s t w h e t h e r )(mod),(00,0 QRv . I f s o , a c c e p t x , e l s e r e j e c t x .
Overview Definitions Proof
Arithmetization The Protocol Soundness and Completeness
Related results Summary
Soundness and Completeness
Proof Key
1.y probabilith accept wit toprotocol theforcethat
replies produce prover to for the possible isit then
],,...,,,,,[' becomes of valuethe
algorithm, theofexecution in the ,any for If,
1, llk lkGv
lk
Soundness and Completeness
CompletenessRecall: Completeness means that, if x is in L, there is at least one prover that causes the protocol to accept with probability > .75
I f Lx , t h e n 1],,,0|),(|[' finini CCxrG . T h a t m e a n s t h a t ],,,0|),(|['0|),(| xrGv xr .N o w c o n s i d e r t h e p r o v e r t h a t a l w a y s r e t u r n s t h e “ c o r r e c t ” p o l y n o m i a l , w h e n i t i s a s k e d f o ro n e . T h a t i s , f o r e v e r y i t e r a t i o n o f t h e i n n e r l o o p , i t r e t u r n s t h e t r u e p o l y n o m i a l
)](...,,,,[ 11 ylkG l , a n d a t e v e r y i t e r a t i o n o f t h e o u t e r l o o p , i t r e t u r n s t h e “ c o r r e c t ” p o l y n o m i a l)](,,,[ ykH .
N o w , e v e r y t i m e t h e v a l u e o f lkv , i s u p d a t e d i n t h e i n n e r l o o p , i t i s u p d a t e d t o )( lg f o r s o m er a n d o m l y s e l e c t e d l . T h u s ]...,,,,[' 1, llk lkGv .E v e r y t i m e t h e v a l u e o f 0,1kv i s u p d a t e d i n t h e o u t e r l o o p , i t i s s e t t o )(mod)(0,1 Qrhv k , f o rs o m e r a n d o m l y s e l e c t e d r . B u t n o w t h a t e q u a l s ],',',0,1[' kG , w h e r e r)(' ,
r)(' . T h u s , w e c a n r e p e a t t h e a r g u m e n t a g a i n .T h u s , w h e n t h e p r o g r a m r e a c h e s S t e p 3 , t h e t e s t w i l l p a s s , a n d V w i l l a c c e p t x w i t hp r o b a b i l i t y 1 .
Soundness and Completeness
Key Lemma
Let R be a ring without zero-divisors. Let d 1 be an integer such that, if themultiplicative group of R is finite, then its order is greater than d. Let f and g bepolynomials in R[x] of degree at most d, such that f g. Then f(r) = g(r) for atmost d points r of R.
Proof:Let )()()( xgxfxh .Then h is a non-zero polynomial of degree e d. Let a be a coefficient of xe in h(x).Now, there is no zero-divisor in R, so
a
xhxh
)()(' is defined.
The, for every Rr, 0)(' iff )()( rhrgrf .But now 'h cannot have more than d roots in R.Hence Proved.
Soundness and Completeness
Soundness
Recall: Soundness means that, if x is not in L, there is no prover that causes the protocol to accept with probability .25
If Lx , then 0],,,0|),(|[' finini CCxrG . That means that ],,,0|),(|['0|),(| xrGv xr .Now, the only way that this inconsistency can be eliminated before the program reaches Step 3(which will cause the verifier to reject x) is for, at some point, the value of lkv , to equal
]...,,,,[' 1 llkG . What is the probability that this occurs?At each iteration the program cannot possibly return the “correct” polynomial (either for g orh), or the tests in lines 2(a)-ii or 2(b) will fail. Thus it must return some other polynomial.But the probability that any of these “incorrect" polynomials evaluate to the same value as the“correct” polynomial is
Q
polynomial of degree . Thus, the probability of this happening at any
iteration is 8
1
Q
1)|)x|)(s(|x4)r(||)x(2p(|
, since |)(|2 xmQ , which is the probability that the verifier is
fooled.
Overview Definitions Proof
Arithmetization The Protocol Soundness and Completeness
Related results Summary
Related Results
IP PSPACE
MIP = NEXP
Overview Definitions Proof
Arithmetization The Protocol Soundness and Completeness
Related results Summary
SummaryHere’s how we proved it
Choose an arbitrary language in PSPACE, let D be a PSPACE machine that decides it
Get a polynomial that, on binary inputs, describes the “essential behavior” of D
Evaluate that at numerous points randomly picked from a large finite field, and use that to bound the probability of erroneous acceptance
Finis(that’s all, folks)