Proving Without Explaining, and Checking Without Understanding Scott Aaronson (MIT) Symposium on Proof, UPenn, Nov. 9, 2012 Looks good to me!
For most of history, a mathematical proof meant a demonstration, in words, formulas, and pictures, that induces an all-of-a-sudden understanding of why a theorem must be true in humans who have understood it.
With people like Frege, Hilbert, Russell, and Gödel, a new, formal notion of proof entered the world: proof as a mathematical object in its own right. A string of symbols that mechanically certifies that a theorem is true; generally, by starting from axioms and then applying logical manipulations until the theorem is reached.
Proof that all Robbins algebras are Boolean. Discovered by the computer program EQP in 1996, solving a 63-year-old problem:
-(n(x+y)=n(x)).
n(n(n(x)+y)+n(x+y))=y.
n(n(n(x+y)+n(x)+y)+y)=n(x+y).
n(n(n(n(x)+y)+x+y)+y)=n(n(x)+y).
n(n(n(n(x)+y)+x+y+y)+n(n(x)+y))=y.
n(n(n(n(n(x)+y)+x+y+y)+n(n(x)+y)+z)+n(y+z))=z.
n(n(n(n(x)+y)+n(n(x)+y)+x+y+y)+y)=n(n(x)+y).
n(n(n(n(x)+y)+n(n(x)+y)+x+y+y+y)+n(n(x)+y))=y.
n(n(n(n(n(x)+y)+x+y+y)+n(n(x)+y)+n(y+z)+z)+z)=n(y+z).
n(n(n(n(n(n(x)+y)+x+y+y)+n(n(x)+y)+n(y+z)+z)+z+u)+n(n(y+z)+u))=u.
n(n(n(n(x)+x)+x+x+x)+x)=n(n(x)+x).
n(n(n(n(n(x)+x)+x+x+x)+x+y)+n(n(n(x)+x)+y))=y.
n(n(n(n(x)+x)+x+x+x+x)+n(n(x)+x))=x.
n(n(n(n(x)+x)+n(n(x)+x)+x+x+x+x)+x)=n(n(x)+x).
n(n(n(n(n(x)+x)+n(n(x)+x)+x+x+x+x)+x+y)+n(n(n(x)+x)+y))=y.
n(n(n(n(n(x)+x)+n(n(x)+x)+x+x+x+x)+n(n(n(x)+x)+x+x+x)+x)+x)=n(n(n(x)+x)+n(n(x)+x)+x+x+x+x).
n(n(n(x)+x)+n(n(x)+x)+x+x+x+x)=n(n(n(x)+x)+x+x+x).
Formal proofs are often absurdly tedious! Wittgenstein liked to ridicule this sort of formalization. Famous example from Principia Mathematica, Volume II. But…
Sometimes the gap between proving and explaining has caused actual mathematical controversy. Four-Color Map Theorem: proved by Appel and Haken in 1976, with crucial help from computer enumeration of cases. Critics: But what if the computer made a mistake? Response: Then check again with another computer!
Over the last 30 years, theoretical computer scientists have taken the concept of proof even further from explanation or understanding than Frege, Russell, et al. ever did. A proof can now be: probabilistic, interactive, quantum-mechanical… in general, an ephemeral process that, once it's over, need not leave any trace by which to convince somebody else. (Sometimes, as in cryptography, the impossibility of understanding a proof is actually the goal!)
As a warmup, consider the power of random sampling… To probabilistically prove an algebraic identity: just plug in a bunch of random values and evaluate it! Not yet certain enough? Repeat! (But what if your random-number generator was bad?)
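The random-sampling idea above, as an added example that is not part of the talk: two polynomials are compared at random points of a large prime field, and a constructed "broken" random-number generator shows why the parenthetical caveat matters. The identity, the modulus and the generator names are my own choices.

```python
import random

# Added example (not from the talk): probabilistic proof of a polynomial
# identity by random sampling, evaluating modulo a large prime so the
# numbers stay bounded. If two polynomials of total degree d differ, a
# uniformly random point exposes the difference with probability >= 1 - d/P.
P = 2**61 - 1

def lhs(x, y):
    return pow(x + y, 3, P)

def rhs_true(x, y):  # the correct binomial expansion of (x+y)^3
    return (x**3 + 3*x*x*y + 3*x*y*y + y**3) % P

def rhs_false(x, y):  # one coefficient wrong: a false "identity"
    return (x**3 + 2*x*x*y + 3*x*y*y + y**3) % P

def random_check(f, g, rounds=20, rng=random):
    """Accept iff f and g agree at `rounds` random points of the field."""
    for _ in range(rounds):
        x, y = rng.randrange(P), rng.randrange(P)
        if f(x, y) != g(x, y):
            return False   # a single disagreement is a definite refutation
    return True            # 20 agreements: a wrong identity survives with probability <= (3/P)^20

class BrokenRng:
    """Constructed stand-in for a bad random-number generator: it always returns 0,
    a point where every polynomial without a constant term vanishes."""
    def randrange(self, n):
        return 0
```

With the good generator the false identity is refuted almost surely; with the broken one it "passes", which is exactly the failure the slide warns about.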
Upping the ante: proof by quantum sampling. In 1994, Peter Shor sparked a scientific revolution by showing that a quantum computer could quickly factor large numbers, a task whose presumed difficulty is the basis for most modern cryptography. But would you need to trust the quantum computer? In this case, no! Given alleged prime factors, you could multiply them yourself (and also use known classical methods to verify that they're prime). But not all quantum algorithms necessarily share that property! Sometimes, the only feasible way to verify a quantum computer's output might be using a different quantum computer! (Indeed, there might be no classical proof that would fit inside the observable universe.)
Today, when theoretical computer scientists talk about a proof system, they generally mean an interactive game… Merlin: omniscient but untrustworthy wizard. Arthur: skeptical, polynomial-time king. The two exchange challenges and responses, and Arthur finally outputs OK! or BS! Completeness: if the claim is true, then there must be some way Merlin can behave that causes Arthur to output OK most of the time. Soundness: if the claim is false, then regardless of how Merlin behaves, Arthur must output BS most of the time.
Example: Graph Non-Isomorphism. Merlin wants to convince Arthur that two graphs are different. Simply listing all permutations is astronomically inefficient. Given any two non-isomorphic graphs, there might always be a short proof that they're different, but no one has proved that. Clever interactive solution: Arthur picks one of the graphs randomly, randomly permutes its vertices, and sends Merlin the result. He then asks Merlin which graph he started with.
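The Graph Non-Isomorphism exchange above, played out on small graphs as an added example that is not part of the talk: Arthur's coin and relabeling on one side, Merlin's answer on the other. Merlin's omniscience is simulated by brute force over all relabelings, which is fine for four vertices; the graph encoding and function names are my own.

```python
import random
from itertools import permutations

# Added example (not from the talk): the Graph Non-Isomorphism protocol on
# small graphs. A graph is a frozenset of 2-element frozensets over 0..n-1.

def graph(*pairs):
    return frozenset(frozenset(p) for p in pairs)

def relabel(g, perm):
    return frozenset(frozenset(perm[v] for v in e) for e in g)

def isomorphic(g0, g1, n):
    # Merlin is "omniscient": here that means brute force over all n! relabelings.
    return any(relabel(g0, p) == g1 for p in permutations(range(n)))

def arthur_challenge(g0, g1, n, rng=random):
    """Arthur secretly picks a graph and sends Merlin a random relabeling of it."""
    bit = rng.randrange(2)
    perm = list(range(n))
    rng.shuffle(perm)
    return bit, relabel((g0, g1)[bit], perm)

def honest_merlin(g0, g1, n, h):
    """If the graphs really differ, exactly one of them matches h."""
    return 0 if isomorphic(g0, h, n) else 1

def run_protocol(g0, g1, n, rounds=40, merlin=honest_merlin, rng=random):
    """Arthur outputs True (OK!) only if Merlin answers every challenge correctly.
    When the graphs are isomorphic, h carries no information about Arthur's coin,
    so any Merlin is caught in each round with probability 1/2."""
    for _ in range(rounds):
        bit, h = arthur_challenge(g0, g1, n, rng)
        if merlin(g0, g1, n, h) != bit:
            return False
    return True
```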
The IP=PSPACE Theorem (Lund et al. / Shamir 1990) showed that these sorts of interactive proof systems are incredibly powerful. For example, Merlin could quickly convince Arthur that White has the win in chess (assuming that's indeed true)!
The Graph Non-Isomorphism protocol has another amazing property, besides its efficiency: Arthur learns nothing whatsoever about why the graphs are non-isomorphic! Goldreich, Micali, and Wigderson showed that, under plausible cryptographic assumptions, every formal proof can likewise be converted into a zero-knowledge proof. (Furthermore, here the prover need not be a wizard, but just an ordinary person who knows the original proof.) Suppose you've proved the Riemann Hypothesis, but are paranoid that if you show anyone the proof they'll steal it. Zero-knowledge proofs provide a solution! (Return to the 1500s.) Serious application: cryptography. ZKIPs let agents on the Internet prove to each other that they're following a protocol correctly, without revealing the secret information. The key is to start with an NP-complete problem, like Hamilton Cycle. A solution to this problem can encode a formal proof of the Riemann Hypothesis, or of any other theorem you want!
To make the proof zero-knowledge: Merlin randomly permutes the nodes. Then, for each pair of nodes, he sends Arthur a locked box, inside of which he's written whether those nodes are connected by an edge. With the boxes in his possession, Arthur can either ask Merlin to unlock all the boxes and show him the isomorphism between the new graph and the original graph, or he can ask Merlin to unlock only the boxes corresponding to a Hamilton cycle. To implement over the Internet: replace the locked boxes by encryption. Useful! Lets suspicious agents prove to each other that they're carrying out a protocol correctly, without revealing the secrets on which the proofs are based. One application: secure e-voting. Renaissance court mathematicians were terrified of rivals stealing their secrets. Galileo once ensured his priority by sending Kepler a coded message: smaismrmilmepoetaleumibunenugttauiras. Today, a paranoid prover of the Riemann Hypothesis could use the GMW protocol to establish priority without revealing the proof. Theoretical computer science: surging ahead into the 1500s!
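One round of the locked-box protocol just described, as an added example (not the talk's code and not GMW's original construction): the boxes are realised as SHA-256 commitments to a fresh nonce plus the edge bit, Merlin answers either challenge, and Arthur checks the opened boxes. Whichever challenge Arthur picks, he sees either a relabeled copy of the public graph or a cycle on freshly relabeled nodes, neither of which locates the cycle in the original graph. Names and the graph encoding are my own.

```python
import hashlib, os, random

# Added example (not from the talk): one round of the Hamilton Cycle
# zero-knowledge protocol, with the locked boxes realised as hash commitments
# H(nonce || bit). Graph: vertices 0..n-1, `edges` a set of frozenset pairs.

def commit(bit):
    nonce = os.urandom(16)
    return hashlib.sha256(nonce + bytes([bit])).digest(), nonce

def opens(box, nonce, bit):
    return hashlib.sha256(nonce + bytes([bit])).digest() == box

def merlin_commit(edges, n, cycle):
    """Merlin relabels the graph and locks one box per vertex pair."""
    perm = list(range(n))
    random.shuffle(perm)
    boxes, keys = {}, {}
    for i in range(n):
        for j in range(i + 1, n):
            pair = tuple(sorted((perm[i], perm[j])))
            bit = int(frozenset((i, j)) in edges)
            boxes[pair], nonce = commit(bit)
            keys[pair] = (nonce, bit)
    return boxes, {"perm": perm, "keys": keys, "cycle": [perm[v] for v in cycle]}

def merlin_open(secret, challenge):
    if challenge == 0:  # unlock everything and reveal the relabeling
        return secret["perm"], secret["keys"]
    c = secret["cycle"]  # unlock only the boxes along the relabeled cycle
    along = {tuple(sorted((c[k], c[(k + 1) % len(c)]))) for k in range(len(c))}
    return c, {p: secret["keys"][p] for p in along}

def arthur_verify(edges, n, boxes, challenge, answer):
    shown, keys = answer
    if sorted(shown) != list(range(n)):      # a permutation, or a cycle through all nodes
        return False
    if any(p not in boxes or not opens(boxes[p], *keys[p]) for p in keys):
        return False                          # a box does not open as claimed
    if challenge == 0:                        # relabeled graph must equal the public one
        expect = {tuple(sorted((shown[i], shown[j]))): int(frozenset((i, j)) in edges)
                  for i in range(n) for j in range(i + 1, n)}
        return len(keys) == len(expect) and all(keys[p][1] == expect[p] for p in keys)
    along = [tuple(sorted((shown[k], shown[(k + 1) % n]))) for k in range(n)]
    return all(p in keys and keys[p][1] == 1 for p in along)  # every cycle edge is real
```

A Merlin who commits to a graph with an extra edge passes the cycle challenge but fails the unlock-everything challenge, so each round catches a cheater with probability 1/2 and the rounds are repeated.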
Another famous NP-complete problem is 3-coloring a graph. Suppose two Merlins claim that they know how to 3-color a certain graph. Arthur will get a billion dollars if he can prove they're lying, but he's only allowed to ask them for the color of one node each. Solution: Arthur puts the Merlins in separate rooms, like police suspects. He either picks a random node and asks both Merlins its color (and checks that they give the same answer), or he picks two neighboring nodes and asks one Merlin about each (and checks that they give different answers).
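The two-Merlin game above with Arthur's catch probability worked out exactly, as an added example that is not from the talk. Each Merlin, isolated in his room, is modelled as a fixed answer for every node; enumerating all such strategy pairs shows that on a graph that is not 3-colourable (K4) no pair escapes detection, while a valid colouring is never caught. The function names and the coin-flip weighting are my own.

```python
from fractions import Fraction
from itertools import product

# Added example (not from the talk): the two-Merlin 3-colouring game, with
# Arthur's catch probability computed exactly. Each Merlin's strategy is a
# tuple giving the colour (0, 1 or 2) he would answer for every node.

def catch_probability(n, edges, merlin1, merlin2):
    """Arthur flips a coin. Heads: ask both Merlins about one random node and
    demand equal answers. Tails: pick a random edge, ask one Merlin about each
    endpoint (in random order) and demand different answers."""
    node_fail = sum(merlin1[v] != merlin2[v] for v in range(n))
    edge_fail = sum((merlin1[u] == merlin2[v]) + (merlin1[v] == merlin2[u])
                    for u, v in edges)
    return Fraction(node_fail, 2 * n) + Fraction(edge_fail, 4 * len(edges))

def best_cheat(n, edges):
    """Smallest catch probability any pair of deterministic Merlins can reach.
    It is 0 exactly when the graph is 3-colourable (both answer a valid colouring)."""
    strategies = list(product(range(3), repeat=n))
    return min(catch_probability(n, edges, m1, m2)
               for m1 in strategies for m2 in strategies)
```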
Pushing this further leads to the PCP Theorem, one of the crown jewels of theoretical computer science: any formal proof can be rewritten in an error-correcting format, in such a way that its validity can be checked, with high confidence, by looking at only 10 or 20 random bits. Application: implies that, for many NP-complete problems, finding an approximate solution is as hard as finding an exact one. Recent realization: even if they can't talk to each other, the two Merlins could still sometimes cheat by measuring quantum-mechanically entangled particles! (Related to the famous Bell Inequality.) But we now know that every multi-prover protocol can be immunized against entangled provers (Ito-Vidick 2012).
Summary. With Frege, Russell, Gödel, etc., proofs became mathematical objects in their own right: sequences of symbols that can be verified by a machine, and that no human needs to understand. Today, theoretical computer science has taken the separation between verifying and understanding even further, by making proofs probabilistic, interactive, zero-knowledge, quantum… What's the point of this? Russell et al.'s redefinition of proof helped bring us the computer age. The modern redefinitions of proof helped bring us secure electronic commerce, as well as profound insights into the nature of computation. Central irony: all these amazing discoveries about proof relied themselves on traditional, understanding-based proofs! Will we ever have a mechanistic account of explaining and understanding, in the same sense that we now have a mechanistic account of proving and verifying?