Probabilistic verification Mario Szegedy, Rutgers www/cs.rutgers.edu/~szegedy/07540 Lecture 1

Course outline Probabilistic verification Codes, Polynomials, Fourier transforms The PCP Theorem and its generalizations Inapproximability Parallel repetition The unique game conjecture

Grading Homeworks 40% Select an inapproximability problem 20% Talk 40% A: % B+: 80-90% B: 70-80% C+: 60-70% C: 50-60% Fail: below 50%

Literature Sanjeev Arora’s Thesis Dinur Hollenstein Khot

What is verification? Informally, a clever Merlin convinces Arthur that a statement is true. There exists an argument by Merlin such that Arthur accepts. any such argument is fine (P Є Σ*) …… but what makes Arthur accept?? Arthur runs a predicate on Merlin’s argument…

Predicates f(P) : ∑* → {0,1} f(P) : ∑ n → {0,1} If f(P)=1 we say that P satisfies the predicate.

Existential Predicates E ( P) f(P) (exists a proof s.t. predicate f holds) P comes from the prover (Merlin); If P satisfies the predicate, then P is called a proof (otherwise proof candidate) A proof is sometimes also called certificate. Verifier (Arthur) computes f(P)

Equivalence of existential predicates E E ( P) f(P) ↔ ( Q) f(Q) Sometimes we can show equivalence of two existential predicates without being able to tell if they are true or false. EXAMPLES: 1.Riemann hypothesis is equivalent to computing the spectrum of a certain matrix 2.Equivalence between instances of different NP hard problems 3.Equivalence between two different halting problems

“Theorems” What is the statement Merlin really proves? f()? Exists P such that f(P)? What? In abstract proof systems we simply assume that f is associated to some “theorem” x Є Σ*: x is true ↔ exists P such that f(P) What is the relation between x and f? It depends what proof system we want.

(Abstract) Proof Systems E ( P x ) f x (P x ) A proof system is an existential predicate parameterized by elements x of Σ*. The theorems are those x for which the above existential predicate evaluates to true. The proof system is said to recognize the language L = { x | x is a theorem }. Prover and verifier both have access to x. A more typical notation is L = { x | ( P) f(P,x) }. E

Efficient (abstract) proof systems* E ( P) f(P,x) - f is polynomial time in |x|+|P| → RE (recursively enumerable) - f is polynomial time in |x| → NP proof system - f is linear time in |x| → NP proof system - f is a first order predicate for x (and P is a variable relation) → NP Resources to compute f = Power of the verifier Power of the prover is (for us) infinite *In CS we do not examine if f(P,x) really amounts to a proof of theorem x.We only care about the hardness of f in |x| and |P|.

soundness completeness Transformation of proof systems Instance transformation: φ: x → x’ ; π x : P → Q Witness transformation: ψ x : Q → P. I. f(P,x) → f’(π x (P), φ(x)) II. f’(Q,φ(x)) → f(ψ x (Q),x) If φ, π, ψ exist then system Π’ is (at least) as powerful as system Π Efficient transformation: φ, π, ψ are computed in poly time ( P) f(P,x) ( Q) f’(Q,x’) E E Π= Π’=

soundness completeness Second thought: do we need φ? Instance transformation: π x : P → Q Witness transformation: ψ x : Q → P. I. f(P,x) → f’(π x (P), x) II. f’(Q,x) → f(ψ x (Q),x) ( P) f(P,x) ( Q) f’(Q,x’) E E Π= Π’= x’ φ(x) x We can parameterize with x

Examples Predicate calculus together with the axioms of set theory The 3SAT problem The Max Clique problem

Novel Proof systems (Hopefully) smaller proof is sufficient to prove the same theorem The same verifier might be able to prove harder theorems “locality” restrictions + power of randomness, quantum

Revision of the notion “verification” Does it make sense if Arthur and Merlin communicate in several rounds? What could Arthur say to Merlin that Merlin would not know? Something that Arthur does not know either: A random question.

Interactive Proof Systems (IP) Classical: Prover: all powerful; Verifier: bounded One round proof P Interactive: Prover: all powerful; Random verifier: bounded Many round proof P 1 Q 1 P 2 Q 2 …

And an infinite variety of proof systems with many provers…

Multiple Provers (deterministic) Arthur Merlin1, Merlin2 goal: To verify theorem x To prove that x is To prove that x is. not a theorem a theorem predicate: (V y 1 ) ( y 2 ) (V y 3 ) …. V(x,y 1,y 2,y 3,…) E V is deterministic polynomial time

Polynomial time hierarchy NP = ∑ 1 coNP = Π 1 NP NP = ∑ 2 coNP NP = Π 2 unbounded PSPACE EA AE E A

Arthur-Merlin Games (Babai) (A y) = for an average y ( y) = exists y φ(x) = (A y 1 ) ( y 1 ) (Ay 2 )…. V(x,y 1,y 2,…) V is a determinstic polynomial time predicate. It computes language L if x Є L → φ(x) ≥ 2/3 x Є L → φ(x) ≤ 1/3 E E

Equivalently (A y) = for an average y ( y) = exists y φ(x) = (A y 1 ) ( y 1 ) (Ay 2 )…. V(x,y 1,y 2,…) V is a determinstic polynomial time predicate. It computes language L if x Є L → φ(x) ≥ 1 – (1/2) m x Є L → φ(x) ≤ (1/2) m (m is polynomial in |x|) E E

AM classes A BPP M NP MA Verifier uses a randomized poly time. …..... machine AM Prover gets a random challenge before... sending the proof AMA Prover gets a random challenge before... sending the proof and verifier uses a. ………… randomized poly time machine MAM MAMA, etc. Similar to polynomial time hierarchy

MA AM Let L in MA. x Є L → (M w) (A r) V(x,w,r) ≥ 1 – (1/2) m x Є L → (M w) (A r) V(x,w,r) ≤ (1/2) m AM protocol for L: 1. Arthur sends r; 2. Merlin sends a w such that V(x,w, r) holds (if can). If x Є L then with probability ≥ 1 – (1/2) m exists such w If x Є L then with probability ≤ 2 |w| (1/2) m exists such w U

MA AM (with perfect completeness) Let L in MA. x Є L → (M w) (A r) V(x,w,r) ≥ 1 – (1/2) m x Є L → (M w) (A r) V(x,w,r) ≤ (1/2) m AM protocol for L: 1. Arthur sends r 1 r 2 r 3 … r m ; 2. Merlin sends a w, r’ such that V(x,w, r’+r 1 ) …, V(x,w,. r’ + r m ) all hold (if can). If x Є L then with probability ≥ 1 – m(1/2) m exists such w If x Є L then with probability ≤ 2 |w| (1/2) m exists such w U

Graph Isomorhism φ G G’

NP Proof system for graph iso ( φ ) Iso( φ,(G,G’)) Iso( φ,(G,G’)) ↔ φ is an isomorphism. between G and G’ Theorems: { (G,G’) | G is isomorphic with G’} Iso( φ,(G,G’)) is computable in poly time in |(G,G’)|. → NP proof system E

NP Proof system for graph non- iso? ( ξ) Niso( ξ,(G,G’)) Niso(ξ,(G,G’)) ↔ ξ certifies a non-isomorphism. between G and G’ Theorems: { (G,G’) | G is non-isomorphic with G’} Niso(ξ,(G,G’)) is computable in poly time in |(G,G’)|. → NP proof system E Unknown

IP system for graph non- isomormpism 1. Flip a coin: b Є {0,1} 2.Pick a random permutation π. If b=1 show the prover π(G), otherwise π(G’). 3.In response the prover says which graph is being shown to it. 4.If the prover is correct then accept, else reject. If G is not isomorphic to G’ then the prover can be always correct. If G is isomorphic to G’ then the prover can be only 50% correct. Repeating the protocol k times one can reduce the this to 1/2 k.