\documentclass[10pt]{article} \usepackage{amsfonts} \usepackage{fullpage} %\usepackage{epsfig} \newcommand{\zo}{\{0,1\}} \begin{document} \input{preamble.tex} \lecture{15}{Apr 4, 2007}{Madhu Sudan}{David Glasser} The classes AM and IP. Proof by Goldwasser and Sipser that private coins with 2-sided error can be simulated with public coins and 1-sided error. Start to show that PSPACE is in IP. \section{AM and IP} \label{sec:am-ip} When defining notions of interactive proof protocols, there are three aspects of the definition that appear flexible. First, the verifier's coin tosses can either be public (visible to the prover) or private (hidden from the prover). Second, the error rate can be one-sided (always accepting if $x \in L$, say) or two-sided. Third, the bound on the number of rounds of interaction can be constant or polynomial. We showed last time (with the proof of Kilian) that for polynomially many rounds, the same languages have proofs with private coins as with public coins, and with one-sided error as with two-sided error. (Specifically, we converted a two-sided error private coin protocol into a one-sided error public coin protocol). Today we will show that the same is true for languages with a constant number of rounds. However, we do believe (but can't show) that the number of rounds \emph{is} important. For somewhat-historical reasons, we call the class of languages with constant-round protocols AM (after Arthur-Merlin protocols) and the class of languages with polynomial-round protocols IP (after interactive proofs); we believe that AM is strictly contained in IP. The standard two-rounds public-coin Arthur-Merlin model for AM is as follows. $L$ is in AM if there exists a PPT $V$ such that $x\in L$ implies that the probability over random strings $R$ that there exists an $a$ such that $V(x,R,a)$ accepts is at least $c(n)$, and if $x\not\in L$ then the probability is at most $s(n)$. For two-sided error, we can set $c(n)=\frac{2}{3}$ and $s(n) = \frac{1}{3}$, though the exact values don't matter (as with BPP). Recalling the quantifiers for complexity classes introduced in the proof of Toda's theorem, we can also define AM as $BP \cdot \exists \cdot P$. Now, $AM[k]$ (AM with $k$ rounds of interaction) is $BP \cdot \exists BP \cdot \exists \cdots BP \cdot \exists \cdot P$, but via a proof similar to Toda's theorem, we can show that $BP \cdot \exists\cdot \mathcal{C} = \exists \cdot BP \cdot \mathcal{C}$; thus any constant number of rounds of interaction (starting with Arthur) gives us the class AM. (The proof that this swap works is on problem set 3.) \section{Goldwasser-Sipser Approximate Counting Protocol} \label{sec:goldw-sips-appr} We haven't proved yet that coin privacy and 1-sided error is irrelevant for constant-round protocols. In order to do so, we examine the problem of approximating the size of a set. (We will eventually apply this to a set of coin tosses which make a protocol accept.) The input to this promise problem is a set $S \subseteq \zo^n$ and a number $N$. $S$ is specified not explicitly but by a protocol proving membership. Because we are using this in the context of interactive proofs, this protocol can be in AM. The problem is a YES example if $\abs{S} \geq N$ and NO if $\abs{S} < \frac{N}{10n^2}$ (the precise formula here doesn't matter, but the point is that there is a reasonable gap where we aren't expected to be able to determine the answer). We'll come up with an Arthur-Merlin protocol for this; we'll first consider some special cases. (Note first that this is only hard for $N$ which is superpolynomial in $n$; for small $N$, Merlin can just provide proofs that $N$ specific elements are in $S$.) What if $N = 2^n$? That is, it is a YES instance if every element of $\zo^n$ is in $S$, and a NO instance if an element is in $S$ with probability at most $\frac{1}{10n^2}$. We can accomplish this pretty easily with one-sided error: the verifier (Arthur) picks a random $x \in \zo^n$ and asks the prover to prove that $x \in S$. The protocol is accepted iff the prover manages to do so. If this is a YES instance, the prover can definitely prove $x \in S$; if this is a NO instance then the prover can only prove $x \in S$ (and make the protocol incorrectly accept) with probability $\frac{1}{10n^2}$. Thus this is an AM protocol for the special case $N = 2^n$. What if $N$ is still big, but not the whole universe? Say, $N = \frac{2^n}{100}$. The \emph{prover} starts the protocol by stating $O(n)$ strings $x_i \in \zo^n$; the verifier picks an $x \in \zo^n$ at random and sends it; the prover then proves that for some $i$, $x \oplus x_i \in S$. The idea is that if $S$ is pretty big, there exists some tuple $(x_1,\dots,x_{O(n)})$ such that any fixed ``shift'' of its elements will leave at least one element in $S$; but if $S$ is a factor of $n^2$ smaller, it is likely that a random shift will leave all of the elements out of $S$. The proof that this works (with one-sided error!) is very similar to the Lautemann-Sipser proof that BPP is in $\Sigma_2^P$. This sort of protocol works for any $N = \frac{2^n}{poly(n)}$ but stops working once $S$ is small enough that the prover can't find a tuple whose shifts all intersect with $S$. For example, this doesn't work for $N = 2^{\sqrt{n}}$. So in the most general case, the problem is that $S$ may be much smaller than $\zo^n$. Thus it's really hard for us to ``guess'' elements in $S$. The trick we use is the same as in Valiant-Vazirani: hashing! If we can come up with a ``good'' hash function $h$ mapping us into a smaller universe then we're mostly reduced to a previous case: showing that $h(S)$ fills up a large part of its universe. The verifier chooses an $m = O(\log N)$ and a hash function $h\colon \zo^n \to \zo^m$ and sends them to the prover; we recall from the Valiant-Vazirani proof that there exist universal hash function families where a randomly chosen function is ``good''. Then just like in the previous special case, the prover sends $l$ elements $y_i \in \zo^m$. The verifier picks a $y \in \zo^m$, and then the prover sends back an $i$ and an $x \in \zo^n$ such that $h(x) = y \oplus y_i$ and $x \in S$. Combining some calculations from the Lautemann-Sipser and Valiant-Vazirani proofs, we can show that this is in fact an AM protocol for the set size approximation problem. \section{Applying Goldwasser-Sipser to public vs private coins} \label{sec:apply-goldw-sips} Now let's use that problem to show that (for constant rounds) public and private coins are equivalent. What does a general one-round private-coin protocol look like? $V$ chooses a random $R \in \zo^n$, computes a question $q = q(x,R) \in \zo^l$, and sends it to $P$; $P$ responds with some $a$. If $V(x,R,a)$ accepts, then we accept $x$. If $x$ is in the language, then the set of $R$ making $V$ accept should be large; if it's not, then it should be small. Thus we should be able to somehow apply the Goldwasser-Sipser problem\dots{} Fix $q$ and $a$; let $S_{qa}$ be the set of $R$ with $q(R) = q$ and $V(x,R,a)$ accepts. (For example, consider graph non-isomorphism; here $q$ is a graph (a permutation of either $G_1$ or $G_2$ and $a$ is both a statement of which graph it's isomorphic to \emph{and} a proof of that isomorphism.) Let's consider a simple case first. For $x \in L$, then for all $q$ there exists $a$ such that $\abs{S_{qa}} \geq N$; for $x \not\in L$, then for all $q$ and $a$, $\abs{S_{qa}} \leq \frac{N}{10n^2}$. Additionally, we assume that somehow the verifier knows (and believes!) $N$. We can use a pretty simple protocol here: first $P$ says a $q$ and an $a$, and then it goes into a Goldwasser-Sipser protocol to prove that $\abs{S_{qa}} \geq \frac{2}{3} N$. That is, it says ``here's a possible question/answer pair which would have made you accept; I'm going to prove that it is likely you would have asked this question''. However, in general $N$ depends on $q$ (we'll call it $N_q$), and the verifier doesn't actually know its value. How do we get around this? The prover will tell us a ``typical'' value of $N_q$, which it will call $N$, and it will prove that lots of questions have $N_q \geq N$. Specifically, it will prove that $\abs{\{ q \mid N_q \geq N \}} \geq \frac{2^n}{N} \cdot \frac{1}{2n}$. How will it do that? By using Goldwasser-Sipser! So the complete protocol looks like this. The prover sends a value $N$ to the verifier. It then starts a Goldwasser-Sipser protocol to prove that $\abs{\{ q \mid N_q \geq N \}} \geq \frac{2^n}{N} \cdot \frac{1}{2n}$. Then it chooses a specific $q_0$ and proves that $N_{q_0} \geq N$ with another Goldwasser-Sipser protocol. \section{Next Time: IP is PSPACE} \label{sec:next-time:-ip} We already know that IP is contained in PSPACE. Over the next two lectures, we will show that the converse is true as well. Here's some intuition and history. Lipton (1989) showed that the permanent is ``random self-reducible''. (Recall that the permanent of a matrix is like the determinant, without the alternating signs. It's also the number of cycle covers of a graph. It's hard to compute!) That is, if there is an efficient algorithm that can compute the permanent of random matrices then there is an efficient algorithm to compute the permanent of any matrix. I.e., a good algorithm for the average case implies a good algorithm for the worst case. Next, Blum-Luby-Rubinfeld (1990) showed ``checkability'' (that you can check that a program is always correct --- it's a promise sort of thing, so you can check that either the instance you gave multiplied correctly, or that we can find some example where the algorithm is wrong) is implied by random self-reductions and shrinking self-reductions. Now permanent is self-reducible: the standard calculation based on minors is a shrinking self-reduction. So the permanent is checkable. Then Lund-Fortnow-Karloff-Nisan showed that this means that permanent is in IP. This was the first proof that coNP is in IP. In fact, the whole hierarchy is in IP, because PSPACE is. We will start to show this next time. \end{document} % LocalWords: Administrivia Yao Karchmer Wigderson th subcircuit recurse EQ IP % LocalWords: subcircuits Madhu Glasser Goldwasser Sipser PSPACE PPT BPP iff % LocalWords: Toda's tuple Lautemann superpolynomial Vazirani Rubinfeld Luby % LocalWords: Blum checkable