probabilistic verification

Post on 09-Jan-2016

37 Views

Category:

Documents

0 Downloads

Preview:

Click to see full reader

DESCRIPTION

Probabilistic verification. Mario Szegedy, Rutgers www/cs.rutgers.edu/~szegedy/07540 Lecture 1. Course outline. Probabilistic verification Codes, Polynomials, Fourier transforms The PCP Theorem and its generalizations Inapproximability Parallel repetition The unique game conjecture. - PowerPoint PPT Presentation

TRANSCRIPT

Probabilistic verification

Mario Szegedy, Rutgerswww/cs.rutgers.edu/~szegedy/07540

Lecture 1

Course outline

• Probabilistic verification

• Codes, Polynomials, Fourier transforms

• The PCP Theorem and its generalizations

• Inapproximability

• Parallel repetition

• The unique game conjecture

Grading

• Homeworks 40%

• Select an inapproximability problem 20%

• Talk 40%

A: 90-100%

B+: 80-90%

B: 70-80%

C+: 60-70%

C: 50-60%

Fail: below 50%

Literature

• Sanjeev Arora’s Thesis

• Dinur

• Hollenstein

• Khot

What is verification?

Informally, a clever Merlin convinces Arthur that a statement is true.

There exists an argument by Merlin such that Arthur accepts.

any such argument is fine (P Є Σ*) …… but what makes Arthur accept??

Arthur runs a predicate on Merlin’s argument…

Predicates

f(P) : ∑* → {0,1}

f(P) : ∑n → {0,1}

If f(P)=1 we say that P satisfies the predicate.

Existential Predicates

E

( P) f(P) (exists a proof s.t. predicate f holds)

• P comes from the prover (Merlin);

• If P satisfies the predicate, then P is called a proof (otherwise proof candidate)

•A proof is sometimes also called certificate.

• Verifier (Arthur) computes f(P)

Equivalence of existential predicates

E E

( P) f(P) ↔ ( Q) f(Q)

Sometimes we can show equivalence of two existential predicates without being able to tell if they are true or false.

EXAMPLES:

1. Riemann hypothesis is equivalent to computing the spectrum of a certain matrix

2. Equivalence between instances of different NP hard problems

3. Equivalence between two different halting problems

“Theorems”

What is the statement Merlin really proves? f()? Exists P such that f(P)? What?

In abstract proof systems we simply assume that f is associated to some “theorem” x Є Σ*:

x is true ↔ exists P such that f(P)

What is the relation between x and f? It depends what proof system we want.

(Abstract) Proof Systems

E

( Px) fx(Px)

A proof system is an existential predicate parameterized by elements x of Σ*.

The theorems are those x for which the above existential predicate evaluates to true.

The proof system is said to recognize the language

L = { x | x is a theorem }.

Prover and verifier both have access to x. A more typical notation is

L = { x | ( P) f(P,x) }.

E

Efficient (abstract) proof systems*

E

( P) f(P,x)

- f is polynomial time in |x|+|P| → RE (recursively enumerable)

- f is polynomial time in |x| → NP proof system

- f is linear time in |x| → NP proof system

- f is a first order predicate for x (and P is a variable relation) → NP

• Resources to compute f = Power of the verifier

• Power of the prover is (for us) infinite

*In CS we do not examine if f(P,x) really amounts to a proof of theorem x.We only care about the hardness of f in |x| and |P|.

soundness

completeness

Transformation of proof systems

Instance transformation: φ: x → x’ ; πx: P → Q

Witness transformation: ψx: Q → P.

I. f(P,x) → f’(πx(P), φ(x))

• f’(Q,φ(x)) → f(ψx(Q),x)

If φ, π, ψ exist then system Π’ is (at least) as powerful as system Π

Efficient transformation: φ, π, ψ are computed in poly time

( P) f(P,x) ( Q) f’(Q,x’)

E E

Π= Π’=

soundness

completeness

Second thought: do we need φ?

Instance transformation: πx: P → Q

Witness transformation: ψx: Q → P.

I. f(P,x) → f’(πx(P), x)

II. f’(Q,x) → f(ψx(Q),x)

( P) f(P,x) ( Q) f’(Q,x’)

E E

Π= Π’=

x’φ(x)x We can parameterize with x

Examples

• Predicate calculus together with the axioms of set theory

• The 3SAT problem

• The Max Clique problem

Novel Proof systems

• (Hopefully) smaller proof is sufficient to prove the same theorem

• The same verifier might be able to prove harder theorems

• “locality” restrictions + power of randomness, quantum

Revision of the notion “verification”

Does it make sense if Arthur and Merlin communicate in several rounds?

What could Arthur say to Merlin that Merlin would not know?

Something that Arthur does not know either: A random question.

Interactive Proof Systems (IP)

Classical: Prover: all powerful; Verifier: bounded

One round proof P

Interactive: Prover: all powerful; Random verifier: bounded

Many round proof P1

Q1

P2

Q2

And an infinite variety of proof systems with many provers…

Multiple Provers (deterministic)

Arthur Merlin1, Merlin2

goal:To verify theorem x To prove that x is To prove that x is

. not a theorem a theorem

predicate:

(V y1) ( y2) (V y3) …. V(x,y1,y2,y3,…)

E

V is deterministic polynomial time

Polynomial time hierarchy

• NP = ∑1

• coNP = Π1

• NPNP = ∑2

• coNPNP = Π2

• unbounded PSPACE

EA

AE

E

A

Arthur-Merlin Games (Babai)

• (A y) = for an average y

• ( y) = exists y

• φ(x) = (A y1) ( y1) (Ay2)…. V(x,y1,y2,…)

• V is a determinstic polynomial time predicate. It computes language L if

• x Є L → φ(x) ≥ 2/3

• x Є L → φ(x) ≤ 1/3

E

E

Equivalently

• (A y) = for an average y• ( y) = exists y

• φ(x) = (A y1) ( y1) (Ay2)…. V(x,y1,y2,…)• V is a determinstic polynomial time

predicate. It computes language L if• x Є L → φ(x) ≥ 1 – (1/2)m

• x Є L → φ(x) ≤ (1/2)m

(m is polynomial in |x|)

EE

AM classes

• A BPP• M NP• MA Verifier uses a randomized poly time .

….. ... machine• AM Prover gets a random challenge before . .

. sending the proof• AMA Prover gets a random challenge before . .

. sending the proof and verifier uses a . ………… randomized poly time machine

• MAM• MAMA, etc.

Similar to polynomial time hierarchy

MA AM

Let L in MA. x Є L → (M w) (A r) V(x,w,r) ≥ 1 – (1/2)m

x Є L → (M w) (A r) V(x,w,r) ≤ (1/2)m

AM protocol for L: 1. Arthur sends r; 2. Merlin sends a w such that V(x,w, r) holds (if can).

If x Є L then with probability ≥ 1 – (1/2)m exists such wIf x Є L then with probability ≤ 2|w| (1/2)m exists such wU

MA AM (with perfect completeness)

Let L in MA. x Є L → (M w) (A r) V(x,w,r) ≥ 1 – (1/2)m

x Є L → (M w) (A r) V(x,w,r) ≤ (1/2)m

AM protocol for L:

1. Arthur sends r1 r2 r3 …rm;

2. Merlin sends a w, r’ such that V(x,w, r’+r1) …, V(x,w, . r’ + rm) all hold (if can).

If x Є L then with probability ≥ 1 – m(1/2)m exists such wIf x Є L then with probability ≤ 2|w| (1/2)m exists such w

U

Graph Isomorhism

φ

G G’

NP Proof system for graph iso

( φ) Iso(φ,(G,G’))

Iso(φ,(G,G’)) ↔ φ is an isomorphism . between G and G’

Theorems: { (G,G’) | G is isomorphic with G’}

Iso(φ,(G,G’)) is computable in poly time in |(G,G’)|. → NP proof system

E

NP Proof system for graph non-iso?

( ξ) Niso( ξ,(G,G’))

Niso(ξ,(G,G’)) ↔ ξ certifies a non-isomorphism . between G and G’

Theorems: { (G,G’) | G is non-isomorphic with G’}

Niso(ξ,(G,G’)) is computable in poly time in |(G,G’)|. → NP proof system

EUnknown

IP system for graph non-isomormpism

1. Flip a coin: b Є {0,1}

2. Pick a random permutation π. If b=1 show the prover π(G), otherwise π(G’).

3. In response the prover says which graph is being shown to it.

4. If the prover is correct then accept, else reject.

If G is not isomorphic to G’ then the prover can be always correct.

If G is isomorphic to G’ then the prover can be only 50% correct.

Repeating the protocol k times one can reduce the this to 1/2k.

top related