Computational Complexity Multiprover Interactive Proof, Lecture Notes - Computer Science, Study notes of Computational Methods

Prof. Salil Vadhan, Computer Science, Computational Complexity, Multiprover Interactive Proofs, Probabilistically Checkable Proofs, Babai–Fortnow–Lund, PCP Theorem, Harvard, Lecture Notes

Typology: Study notes

2010/2011

Uploaded on 10/28/2011

thecoral
thecoral 🇺🇸

4.5

(30)

395 documents

1 / 4

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
CS221: Computational Complexity Prof. Salil Vadhan
Lecture 31: Multiprover Interactive Proofs and
Probabilistically Checkable Proofs
12/09 Scribe: Qian Zhang
Contents
1 Recap
Note on hardness of approximate counting: Even though we used allowed randomized algo-
rithms in our definition of α-approximation algorithm, the reductions we give to show hardness of
approximate counting are not randomized. For example, if there is deterministic polynomial time
algorithm to approximate the number of cycles in a graph, we can conclude P=NP.
Figure 1: Complexity classes involving interactive proofs
AM andMA seem much closer to NP than IP does. There even exists some evidence that
AM =MA =NP. (Shown in CS225)
2 Multiprover IP
We want to generalize IP to have several cooperating provers. The provers are cooperating since
they all want to convince the verifier of the same thing, however, the provers are not allowed to
communicate with each other. This is similar to the interrogation of criminals where each suspect
is interrogated separately and without allowing them to hear what the others have told the police.
1
pf3
pf4

Partial preview of the text

Download Computational Complexity Multiprover Interactive Proof, Lecture Notes - Computer Science and more Study notes Computational Methods in PDF only on Docsity!

CS221: Computational Complexity Prof. Salil Vadhan

Lecture 31: Multiprover Interactive Proofs and

Probabilistically Checkable Proofs

12/09 Scribe: Qian Zhang

Contents

1 Recap

Note on hardness of approximate counting: Even though we used allowed randomized algo- rithms in our definition of α-approximation algorithm, the reductions we give to show hardness of approximate counting are not randomized. For example, if there is deterministic polynomial time algorithm to approximate the number of cycles in a graph, we can conclude P = NP.

Figure 1: Complexity classes involving interactive proofs

AM andMA seem much closer to NP than IP does. There even exists some evidence that AM = MA = NP. (Shown in CS225)

2 Multiprover IP

We want to generalize IP to have several cooperating provers. The provers are cooperating since they all want to convince the verifier of the same thing, however, the provers are not allowed to communicate with each other. This is similar to the interrogation of criminals where each suspect is interrogated separately and without allowing them to hear what the others have told the police.

Definition 1 A k-prover proof system for a language L is a protocol between k provers (P 1 ,... , Pk) and verifer V such that

  1. (Efficiency) V runs in probabilistic polynomial time, and the number and length of all mes- sages exchanged is at most polynomial in the common input x. (As with IP, the provers P 1 ,... , Pk are computationally unbounded)
  2. (Noncommunicating provers) ∀j 6 = i, Pi doesn’t see the messages between Pj and V.
  3. (Completeness) x ∈ L =⇒ Pr[V accepts in ((P 1 , P 2 ,... , Pk), V ) (x)] ≥ 2 / 3.
  4. (Soundness) x /∈ L =⇒ ∀P 1 ∗ , P 2 ∗ ,... , P (^) k∗ , Pr[V accepts in ((P 1 ∗ , P 2 ∗ ,... , P (^) k∗ ), V ) (x)] ≤ 1 / 3.

k-MIP is the class of languages with k-prover proof systems, and MIP =

k k-MIP.

More generally, one may also allow the number of provers to grow (polynomially) with the input, but we stick to a constant number of provers for simplicity.

The original motivation for studying MIP was cryptography (specifically, one can construct zero- knowledge MIP’s for NP without any intractability assumptions such as the existence of one-way functions). But our interest in them is complexity-theoretic: Does MIP contain more languages than IP? Is it true that (k + 1 )-MIP ) k-MIP? We answer that question below.

3 Probabilistically Checkable Proofs

Instead of a prover, we have a proof “oracle”. The proof oracle is like a memory-less prover. Thus, while normally provers can remember the history of its interaction with the verifier to avoid contradicting itself, the proof oracle cannot.

Definition 2 A language L has a probabilistically checkable proof (PCP) if there exists a proba- bilistic polynomial-time verifier V such that

  1. (Completeness) x ∈ L =⇒ ∃π : { 0 , 1 }∗^ → { 0 , 1 } : Pr [V π(x) = accept] ≥ 2 / 3.
  2. (Soundness) x /∈ L =⇒ ∀π∗, Pr

[

V π ∗ (x) = accept

]

PCP is the class of languages possessing probabilistically checkable proofs.

We will sometimes write πx to emphasize that the PCP may depend on the input x. (With IP and

MIP we gave the input x to the provers.)

Theorem 3 PCP = MIP = 2 - MIP

Note the gap between the completeness probability (1 − 2 −n) and the soundness probability (1 − 1 / 2 m). Repeating the PCP verifier Θ(m) times, we can amplify the gap to any desired constant.

While we have this nice equivalence between MIP and PCP, we still have not answered the question of whether MIP is more powerful than IP = 1 - MIP. Soon after IP = PSPACE, the power of MIP was completely characterized:

Theorem 4 (Babai–Fortnow–Lund) MIP = PCP = NEXP

We won’t prove this theorem, but rather look at a remarkable “scaling down” of it that characterizes NP.

Theorem 5 (PCP Theorem) NP equals PCP where the verifier tosses O(log n) coins and reads only a constant number of bits from the proof.