Transcript Probabilistic verification Mario Szegedy, Rutgers www/cs.rutgers.edu/~szegedy/07540 Lecture 1

Probabilistic verification
Mario Szegedy, Rutgers
www/cs.rutgers.edu/~szegedy/07540
Lecture 1
Course outline
•
•
•
•
•
•
Probabilistic verification
Codes, Polynomials, Fourier transforms
The PCP Theorem and its generalizations
Inapproximability
Parallel repetition
The unique game conjecture
Grading
• Homeworks 40%
• Select an inapproximability problem 20%
• Talk 40%
A: 90-100%
B+: 80-90%
B: 70-80%
C+: 60-70%
C: 50-60%
Fail: below 50%
Literature
•
•
•
•
Sanjeev Arora’s Thesis
Dinur
Hollenstein
Khot
What is verification?
Informally, a clever Merlin convinces Arthur that a statement is true.
There exists an argument by Merlin such that Arthur accepts.
any such argument is fine (P Є Σ*) …… but what makes Arthur accept??
Arthur runs a predicate on Merlin’s argument…
Predicates
f(P) : ∑* → {0,1}
f(P) : ∑n → {0,1}
If f(P)=1 we say that P satisfies the predicate.
Existential Predicates
E
( P) f(P)
(exists a proof s.t. predicate f holds)
• P comes from the prover (Merlin);
• If P satisfies the predicate, then P is called a proof (otherwise proof candidate)
•A proof is sometimes also called certificate.
• Verifier (Arthur) computes f(P)
Equivalence of existential
predicates
↔ ( Q) f(Q)
E
E
( P) f(P)
Sometimes we can show equivalence of two existential predicates
without being able to tell if they are true or false.
EXAMPLES:
1. Riemann hypothesis is equivalent to computing the spectrum of a certain
matrix
2. Equivalence between instances of different NP hard problems
3. Equivalence between two different halting problems
“Theorems”
What is the statement Merlin really proves? f()? Exists P such that f(P)? What?
In abstract proof systems we simply assume that f is associated to some
“theorem” x Є Σ*:
x is true
↔
exists P such that f(P)
What is the relation between x and f? It depends what proof system we want.
(Abstract) Proof Systems
E
( Px) fx(Px)
A proof system is an existential predicate parameterized by elements x
of Σ*.
The theorems are those x for which the above existential predicate
evaluates to true.
The proof system is said to recognize the language
L = { x | x is a theorem }.
Prover and verifier both have access to x. A more typical notation is
E
L = { x | ( P) f(P,x) }
.
Efficient (abstract) proof systems*
E
( P) f(P,x)
- f is polynomial time in |x|+|P| → RE (recursively enumerable)
• Resources
- f is polynomial
to compute
time in
f =|x|
Power
→ NPofproof
the verifier
system
• Power
- f is linear
of thetime
prover
in |x|
is (for
→ NP
us) proof
infinitesystem
- f is a first order predicate for x (and P is a variable relation) → NP
*In CS we do not examine if f(P,x) really amounts to a proof of theorem x.We only
care about the hardness of f in |x| and |P|.
Transformation of proof systems
Π=
( Q) f’(Q,x’)
E
E
( P) f(P,x)
Π’=
Instance transformation: φ: x → x’ ; πx: P → Q
Witness transformation: ψx: Q → P.
I.
II.
f(P,x) → f’(πx(P), φ(x))
f’(Q,φ(x)) → f(ψx(Q),x)
completeness
soundness
If φ, π, ψ exist then system Π’ is (at least) as powerful as system Π
Efficient transformation: φ, π, ψ are computed in poly time
Second thought: do we need φ?
Π=
Π’=
( Q) f’(Q,x’)
E
E
( P) f(P,x)
Instance transformation: πx: P → Q
Witness transformation: ψx: Q → P.
I.
f(P,x) → f’(πx(P), x)
completeness
II.
f’(Q,x) → f(ψx(Q),x)
soundness
x
φ(x)
x’
We can parameterize with x
Examples
• Predicate calculus together with the
axioms of set theory
• The 3SAT problem
• The Max Clique problem
Novel Proof systems
• (Hopefully) smaller proof is sufficient to
prove the same theorem
• The same verifier might be able to prove
harder theorems
• “locality” restrictions + power of
randomness, quantum
Revision of the notion “verification”
Does it make sense if Arthur and Merlin communicate in several rounds?
What could Arthur say to Merlin that Merlin would not know?
Something that Arthur does not know either: A random question.
Interactive Proof Systems (IP)
Classical:
One round proof
Interactive:
Many round proof
Prover: all powerful;
Verifier: bounded
P
Prover: all powerful;
Random verifier: bounded
P1
Q1
P2
Q2
…
And an infinite variety of proof
systems with many provers…
Multiple Provers (deterministic)
Arthur
Merlin1,
Merlin2
goal:
To verify theorem x
.
To prove that x is
not a theorem
To prove that x is
a theorem
predicate:
(V y1) ( y2) (V y3) …. V(x,y1,y2,y3,…)
E
V is deterministic polynomial time
Polynomial time hierarchy
AE
A
E
•
•
•
•
EA
•
unbounded
NP = ∑1
coNP = Π1
NPNP = ∑2
coNPNP = Π2
PSPACE
Arthur-Merlin Games (Babai)
•
•
•
•
(A y)
=
for an average y
( y)
=
exists y
φ(x) = (A y1) ( y1) (Ay2)…. V(x,y1,y2,…)
V is a determinstic polynomial time
predicate. It computes language L if
• x Є L → φ(x) ≥ 2/3
• x Є L → φ(x) ≤ 1/3
E
E
Equivalently
•
•
•
•
(A y)
=
for an average y
( y)
=
exists y
φ(x) = (A y1) ( y1) (Ay2)…. V(x,y1,y2,…)
V is a determinstic polynomial time
predicate. It computes language L if
• x Є L → φ(x) ≥ 1 – (1/2)m
• x Є L → φ(x) ≤ (1/2)m
E
E
(m is polynomial in |x|)
AM classes
• A
BPP
• M
NP
• MA
Verifier uses a randomized poly time . ….. ...
machine
• AM
Prover gets a random challenge before . .
.
sending the proof
• AMA
Prover gets a random challenge before . .
.
sending the proof and verifier uses a .
………… randomized poly time machine
• MAM
• MAMA,
etc.
Similar to polynomial time hierarchy
U
MA
AM
Let L in MA.
x Є L → (M w) (A r) V(x,w,r) ≥ 1 – (1/2)m
x Є L → (M w) (A r) V(x,w,r) ≤ (1/2)m
AM protocol for L:
1. Arthur sends r;
2. Merlin sends a w such that V(x,w, r) holds (if can).
If x Є L then with probability ≥ 1 – (1/2)m exists such w
If x Є L then with probability ≤ 2|w| (1/2)m exists such w
U
MA
AM (with perfect
completeness)
Let L in MA.
x Є L → (M w) (A r) V(x,w,r) ≥ 1 – (1/2)m
x Є L → (M w) (A r) V(x,w,r) ≤ (1/2)m
AM protocol for L:
1. Arthur sends r1 r2 r3 …rm;
2. Merlin sends a w, r’ such that V(x,w, r’+r1) …, V(x,w,
. r’ + rm) all hold (if can).
If x Є L then with probability ≥ 1 – m(1/2)m exists such w
If x Є L then with probability ≤ 2|w| (1/2)m exists such w
Graph Isomorhism
φ
G
G’
NP Proof system for graph iso
E
(
φ)
Iso(φ,(G,G’))
Iso(φ,(G,G’)) ↔
.
φ is an isomorphism
between G and G’
Theorems: { (G,G’) | G is isomorphic with G’}
Iso(φ,(G,G’)) is computable in poly time in
|(G,G’)|. → NP proof system
NP Proof system for graph noniso?
E
( ξ) Niso( ξ,(G,G’))
Niso(ξ,(G,G’)) ↔ ξ certifies a non-isomorphism
.
between G and G’
Theorems: { (G,G’) | G is non-isomorphic with G’}
Niso(ξ,(G,G’)) is computable in poly time in
|(G,G’)|. → NP proof system
IP system for graph nonisomormpism
1. Flip a coin: b Є {0,1}
2. Pick a random permutation π. If b=1 show the prover π(G), otherwise π(G’).
3. In response the prover says which graph is being shown to it.
4. If the prover is correct then accept, else reject.
If G is not isomorphic to G’ then the prover can be always correct.
If G is isomorphic to G’ then the prover can be only 50% correct.
Repeating the protocol k times one can reduce the this to 1/2k.