pspace ip proshanto mukherji csc 486 april 23, 2001

PSPACE IP

Proshanto MukherjiCSC 486

April 23, 2001

Overview Definitions Proof

Arithmetization The protocol Soundness and Completeness

Related results Summary

Definitions(1): IP

Two components: Verifier: polynomial time-bounded probabilistic oracle TM Prover: deterministic TM with unlimited computational power

Interactive Proof Systems

VERIFIER

PROVER

QUERY TAPE

question

answer

Definitions(1): IPSoundness and Completeness

A language L has an interactive proof system, and is in IP, if there exists averifier V (recall that a verifier must be polynomial time-bounded) suchthat, *x,1. Completeness:If Lx, there exists some prover, such that V accepts x with probabilitygreater than

4

3, when interacting with that prover, AND

2. Soundness:If Lx, there is no prover P such that the probability of V accepting xthrough interactions with P attains or exceeds

4

1

Definitions(2): PSPACE

k

knSPACEPSPACE ][

PSPACEPHP

PSPACEP But we still don’t know whether


Arithmetization The Protocol Soundness and Completeness


Proof

Let L be an arbitrary language in PSPACE Let D be the corresponding PSPACE machine Assume that:

D has M states, D’s alphabet has N symbols, D’s tape usage is bound by the polynomial p D has exactly one accepting configuration for any

given length of input If D accepts x, it does so in exactly steps

Setting it up

},...,,{ 21 MqqqQ },...,,{ 21 Naaa

|)(|2 xr

Arithmetization Transform a computational problem

to one of evaluating a polynomial Let }1,0{, cb

cbcbAND ),(b c b.c

0 0 00 1 01 0 01 1 1

b (1-b)0 11 0

bbNOT 1)(

Arithmetization Transform a computational problem

to one of evaluating a polynomial Let }1,0{, cb

cbcbcbOR ),(b c (b+c)-b.c

0 0 0-0=00 1 1-0=11 0 1-0=11 1 2-1=1

12),( cbcbcbEQb c 2b.c-b-c+1

0 0 10 1 01 0 01 1 1

Arithmetization

otherwise ,0

1 oneexactly if,1),...,,]([ 21

ik

yyyykUNIQ

)1 oneleast (at )1 onemost (at ),...,,]([ 21 iik yyyyykUNIQ

))(())),((( ),...,,]([11

21 iki

jikji

k yNOTNOTyyANDNOTyyykUNIQ

))1(1()1( ),...,,]([11

21

ki

ikji

ik yyyyyykUNIQ j

Arithmetization

Define:

Configurations of D on x

otherwise,0

is statecurrent theif ,1][,,...,1 iq

isttMi

otherwise,0

position at the is head the,1][|),(|,...,1

thiiposxpi

otherwise,0

a islocation tape at the symbol the,1],[

,,...,1|),(|,...,1

jthi

jisym

Njxpi

|)(|)1(|)(|

on of state a zecharacteri tonecessary variablesof no.|)(|

xpNMxs

xDxs

ArithmetizationWhat is a “legal” configuration?

A legal configuration of D on x is one in which:1. The machine is in precisely one state Qq2. The tape head is at precisely one position |)}(|,...,1{ xphp3. For every |)(|1 xpi , there is exactly one Nj1 such that:

Symbol jais stored at tape position i

])[],...,2[],1[]([ MsttsttsttMUNIQ

|)])(|[],...,2[],1[|)]((|[ xpposposposxpUNIQ

|)(|

1

]),[],...,2,[],1,[]([xp

i

NisymisymisymNUNIQ

ArithmetizationWhat is a “legal” configuration?

))]),[],...,2,[],1,[]([

|)]),(|[],...,2[],1[|)]((|[(

]),[],...,2[],1[]([(

)(

|)(|

1

xp

iCCC

CCC

CCC

NisymisymisymNUNIQ

xpposposposxpUNIQAND

MsttsttsttMUNIQAND

CLCONF

Define:

Arithmetization

Let:

Transitions of D on x

D

QQ

offunction n transitio thebe

})1,0,1{()(

)),','(),,(( daqaq means that, if the current state of D is q, and

the symbol under the tape head is a, then D overwrites the a with thesymbol a', enters state q', and moves the head d spaces right

ArithmetizationWhat is a “legal” transition?

A legal transition NOi),( , of D, where )),,(),,(( dmlkjand i is the position of the head in O, is one in which:1. O is a legal configuration2. N is a legal configuration3. The position of the head changes appropriately4. The state changes appropriately5. The newly-written symbol appears in the correct tape cell6. The only tape position whose contents changes is the one just written to

itxpt NuNO

NO

NO

NO

utsymutsymEQ

misymkisymAND

lsttjsttAND

diposiposAND

|),(|1 1

)],[],,[(

],[],,[(

])[],[(

])[],[(

))(),(( NLCONFOLCONFAND}

ArithmetizationWhat is a “legal” transition?

itxpt NuNO

NO

NO

NO

utsymutsymEQ

misymkisymAND

lsttjsttAND

diposiposAND

NLCONFOLCONFAND

iNOLTRANS

|),(|1 1

)],[],,[(

],[],,[(

])[],[(

])[],[(

))(),((

)),(,,(

So, set

ArithmetizationReachability

)|)}(|,...1({),(

)),(,,(),(xpi

o iNOLTRANSNOR

Now we define a polynomial that captures whether, if D is in configuration O, it is possible to reach configuration N in one step

otherwise,0

in if,1),(

DNONORo

ArithmetizationMulti-step Reachability

And recursively extend this to get a set of polynomials that capture whether it is possible to get from O to N in 2k steps, for any

otherwise,0

in if,1),(|)},(|,...,1{

2 DNONORxrk

k

k

|)}(|,...,1{ xrk


otherwise,0

in if,1),(|)},(|,...,1{

2 DNONORxrk

k

k

Configuration B

Configuration A

steps 2k

If:

Recall:


otherwise,0

in if,1),(|)},(|,...,1{

2 DNONORxrk

k

k

Configuration B

Configuration A steps 2 1k

Configuration C

steps 2 1k

Then:

Recall:


otherwise,0

in if,1),(|)},(|,...,1{

2 DNONORxrk

k

kRecall:

NO steps 2 1k

steps 2 1k

}1,0{ }1,0{|)(|11|)(|11

1 |)(|

),,...,(),...,,(...),(

|)},(|,...,1{

xs

NRORNOR

xrk

xskxskk

Arithmetization So, let Cini be the (unique) initial

configuration, and Cfin the (unique) final configuration of D on input x. Then

]1),([, |)(|* fininixr CCRLxx

Arithmetization (recap)

AND NOT OR

EQUNIQexactly one true equal

LCONF legal configuration

LTRANS legal transition

R0 reachability (1 step)

Rk reachability (2k steps)

ArithmetizationKey Point

All these polynomials have been discussed for cases where each variable is binary, but may be evaluated over any field

Their values at points outside {0,1} may not preserve their “key properties”

41155)25(2)5,5( e.g. EQ

The ProtocolPreliminaries

Define:

}1,0{ |)(|1111

|)(|1111

}1,0{

111

|)(|

|)(|1)),,...,,,,...,((

)),...,,,,...,(,(...)](,,,,[

),...,(,,

|)},(|,...,1{|)},(|,...,1{

xsl e xsllk

xsllk

e

ll

xs

eeyR

eeyRylkG

ZZ

xslxrk

}1,0{ |)(|111

|)(|111

}1,0{ |)(|)),,...,,,...,((

)),...,,,...,(,(...],,,1,['

xsl e xsllk

xsllk

e eeR

eeRlkG

))(,)(()](,,,[

,,,|)},(|,...,1{

1

|)(|

yyRykH

Zxrk

k

xs

The ProtocolPreliminaries

Therefore: )1](,,,1,[)0](,,,1,[],,,,[' lkGlkGlkG

),(],,,0,[' kRkG (no constraint on )

),(),(],,|),(|,[' 11 kk RRxskG

),()0](,,,[ 1 kRkH

),()1](,,,[ 1 kRkH

)](,,,,[}]{,,,,[' ll lkGlkG

The Protocol1 . G e t a p r i m e n u m b e r ]2,2[ |)(|2|)(| xmxmQ f r o m t h e p r o v e r , w h e r e 3)1)()(4)(2)(()( nsnpnrnm .

S e t v r ( | x | ) , 0 = 1 , = C i n i , = C f i n .

2 . F o r k = r ( | x | ) d o w n t o 1( a ) F o r l = 1 , … , s ( | x | )

( i ) G e t p o l y n o m i a l ][ yZg Q , w h i c h t h e p r o v e r c l a i m s i s)(mod)](...,,,,[ 11 QylkG l

( i i ) T e s t w h e t h e r )(mod)1()0(1, Qggv lk . I f n o t , r e j e c t x .( i i i ) C h o o s e Ql Z a t r a n d o m . S e t )(mod)(, Qgv llk

( b ) L e t ),...,( |)(|1 xs . G e t p o l y n o m i a l ][ yZh Q , w h i c h t h e p r o v e r c l a m si s )(mod)](,,,[ QykH . I f )1()0(|)(|, hhv xsk , r e j e c t x .

( c ) C h o o s e QZr a t r a n d o m . S e t Qrhv k mod)(0,1 . S e t r)( , r)( .

3 . T e s t w h e t h e r )(mod),(00,0 QRv . I f s o , a c c e p t x , e l s e r e j e c t x .

Soundness and Completeness

Proof Key

1.y probabilith accept wit toprotocol theforcethat

replies produce prover to for the possible isit then

],,...,,,,,[' becomes of valuethe

algorithm, theofexecution in the ,any for If,

1, llk lkGv

lk


CompletenessRecall: Completeness means that, if x is in L, there is at least one prover that causes the protocol to accept with probability > .75

I f Lx , t h e n 1],,,0|),(|[' finini CCxrG . T h a t m e a n s t h a t ],,,0|),(|['0|),(| xrGv xr .N o w c o n s i d e r t h e p r o v e r t h a t a l w a y s r e t u r n s t h e “ c o r r e c t ” p o l y n o m i a l , w h e n i t i s a s k e d f o ro n e . T h a t i s , f o r e v e r y i t e r a t i o n o f t h e i n n e r l o o p , i t r e t u r n s t h e t r u e p o l y n o m i a l

)](...,,,,[ 11 ylkG l , a n d a t e v e r y i t e r a t i o n o f t h e o u t e r l o o p , i t r e t u r n s t h e “ c o r r e c t ” p o l y n o m i a l)](,,,[ ykH .

N o w , e v e r y t i m e t h e v a l u e o f lkv , i s u p d a t e d i n t h e i n n e r l o o p , i t i s u p d a t e d t o )( lg f o r s o m er a n d o m l y s e l e c t e d l . T h u s ]...,,,,[' 1, llk lkGv .E v e r y t i m e t h e v a l u e o f 0,1kv i s u p d a t e d i n t h e o u t e r l o o p , i t i s s e t t o )(mod)(0,1 Qrhv k , f o rs o m e r a n d o m l y s e l e c t e d r . B u t n o w t h a t e q u a l s ],',',0,1[' kG , w h e r e r)(' ,

r)(' . T h u s , w e c a n r e p e a t t h e a r g u m e n t a g a i n .T h u s , w h e n t h e p r o g r a m r e a c h e s S t e p 3 , t h e t e s t w i l l p a s s , a n d V w i l l a c c e p t x w i t hp r o b a b i l i t y 1 .


Key Lemma

Let R be a ring without zero-divisors. Let d 1 be an integer such that, if themultiplicative group of R is finite, then its order is greater than d. Let f and g bepolynomials in R[x] of degree at most d, such that f g. Then f(r) = g(r) for atmost d points r of R.

Proof:Let )()()( xgxfxh .Then h is a non-zero polynomial of degree e d. Let a be a coefficient of xe in h(x).Now, there is no zero-divisor in R, so

a

xhxh

)()(' is defined.

The, for every Rr, 0)(' iff )()( rhrgrf .But now 'h cannot have more than d roots in R.Hence Proved.


Soundness

Recall: Soundness means that, if x is not in L, there is no prover that causes the protocol to accept with probability .25

If Lx , then 0],,,0|),(|[' finini CCxrG . That means that ],,,0|),(|['0|),(| xrGv xr .Now, the only way that this inconsistency can be eliminated before the program reaches Step 3(which will cause the verifier to reject x) is for, at some point, the value of lkv , to equal

]...,,,,[' 1 llkG . What is the probability that this occurs?At each iteration the program cannot possibly return the “correct” polynomial (either for g orh), or the tests in lines 2(a)-ii or 2(b) will fail. Thus it must return some other polynomial.But the probability that any of these “incorrect" polynomials evaluate to the same value as the“correct” polynomial is

Q

polynomial of degree . Thus, the probability of this happening at any

iteration is 8

1

Q

1)|)x|)(s(|x4)r(||)x(2p(|

, since |)(|2 xmQ , which is the probability that the verifier is

fooled.

pspace ip proshanto mukherji csc 486 april 23, 2001

Documents

arithmetization slide

completeness slide

protocol slide

step slide

x slide

arithmetization reachability

n o slide

completeness proof key