Interactive Turing Machine

📖Definition 44 (interactive Turing machine). An interactive TM MM is a probabilistic TM equipped also with a write-only query tape and a read-only answer tape, and has two new special states, a query state and a continue state. The symbols allowed on the query and answer tape are given by a communication alphabet Λ\Lambda.

When MM enters the query state, the contents mm of the query tape as a message mm sent by MM. We say that we send a reply rr to mm by performing the following steps: The query tape is reinitialized to a blank tape, the string rr is placed on the answer tape, and computation of MM is resumed in the continue state.

Given two interactive TM, consider running both TM on the same input xx and relaying messages back and forth. In this way we define interactive proof systems having one TM be the verifier VV, assumed to be Polynomial-time bounded, and the other TM to be the prover PP, just assume that PP will always produce a reply to any message received.

P:ΛΛP:\Lambda^*\to\Lambda^*

Given also a polynomial time interactive TM VV, denote by (V,P)(x)(V,P)(x) the computation of VV on input xx where the replies to messages of VV are determined as follows.

Suppose that VV enters query states and m1,,mim_1,\cdots,m_i is the list of all messages sent by VV. The reply given to the message mim_i is P(x,m1,,mi)P(\langle x,m_1,\cdots,m_i\rangle).

📖Definition 45 (interactive proof system). Let vv be a polynomial time interactive Turing machine VV, P:ΛΛP:\Lambda^*\to\Lambda^*, and let 0s<c10\le s\lt c\le1. We say that the pair (V,P)(V,P) is an interactive proof system for LL with completeness cc and soundness error ss if:

x\in L\Rarr\Pr[(V,P)(x)=yes]\ge c\\ \and\\ x\not\in L\Rarr\Pr[(V,\hat P)(x)=yes]\le s\forall \hat P

Define IPIP as the class of all languages that has an interactive proof system with completeness 3/43/4 and soundness error 1/41/4. We say that VV is the verifier and PP the prover of the interactive proof system (V,P)(V,P).

We can view NPNP as a proof system without randomness or interaction other than a single message.

🤔Proposition 14. NPIPNP\subseteq IP.

An example of a non-trivial interactive proof system for checking that two graph are not isomorphic (GNIGNI).

GNI 问题:判断两图是否不是同构的。

Given a graph G=(V,E)G=(V,E) and a permutation π:VV\pi:V\to V. Denote by π(G)\pi(G) the graph with vertex set VV and edge set {(π(u),π(v))(u,v)E}\{(\pi(u),\pi(v))\vert(u,v)\in E\}.

We say that graphs G1(V,E1),G2(V,E2)G_1(V,E_1),G_2(V,E_2) with the same set of vertices are isomorphic, denoted G1G2G_1\cong G_2, if there exist a permutation π\pi of VV s.t. π(G1)=G2\pi(G_1)=G_2.

Problem of GNIGNI:

  • Instance: Graphs G1(V,E1),G2(V,E2)G_1(V,E_1),G_2(V,E_2) on the same set of vertices VV
  • Question: Is π(G1)G2\pi(G_1)\neq G_2 for all permutations π\pi of VV?

Clearly, GNIcoNPGNI\in coNP. It is not known whether GNINPGNI\in NP.

A very interesting property of this proof system is that it is a so-called zero-knowledge proof.

零知识证明,扯到密码学上去

🎯Theorem 48. GNIIPGNI\in IP.

GMW Protocol for GNIGNI:

  • Input: G1=(V,E1),G2=(V,E2)G_1=(V,E_1),G_2=(V,E_2).
  • Goal: Prove G1≇G2G_1\not\cong G_2.

VV: Pick i{1,2}i\in\{1,2\} and permutation π\pi of VV uniformly at random. Send H=π(Gi)H=\pi(G_i) to PP.

PP: Pick j{1,2}j\in\{1,2\} s.t. HGjH\cong G_j. Send jj to VV.

VV: Accept if i=ji=j. Otherwise reject.

这个 GMW 协议是什么意思:验证器随机选一个图并将边的编号打乱(记为 HH),发送给证明器。证明器从两个原图中随便选一个和 HH 同构的图,将其编号发回验证器。验证器验证同构图编号是否与 HH 对应原图的编号相等。如果不相等的话,那就认为给定的俩图不同构。

Suppose first G1≇G2G_1\not\cong G_2. In this case PP has a unique choice of jj s.t. H≇GjH\not\cong G_j, which means that i=ji=j making VV accept with probability 11. Suppose next that G1V2G_1\cong V_2. Then the distribution of π(H)\pi(H) is independent of ii since the composition of a fixed permutation with a uniformly random permutation is again a uniformly random permutation.

Now since P^\hat P chooses jj based only on HH we have Pr[i=j]=1/2\Pr[i=j]=1/2. It follows that the completeness of the protocol is 11 and the soundness error of the protocol is 1/21/2. The soundness error may be reduced to 2k2^{-k} by iterating protocol kk times.

It is not known whether GNINPGNI\in NP.

🤔Proposition 15. IPPSPACEIP\in PSPACE.

Hard proof.

The Sumcheck Protocol

How to utilize the power of interactive proofs? Converting Boolean formulas to arithmetic formulas and exploit that polynomials can be evaluated on inputs outside the Boolean cube.

Arithmetization: The process of converting a Boolean formula into an arithmetic formula.

By arithmetization, we can prove that P#PIPP^{\#P}\subseteq IP, where #P\#P is a class capturing the complexity of counting the number of satisfying assignments of a Boolean formula.

A weaker result: coNPIPcoNP\subseteq IP.

The method can be generalized to show PSPACEIPPSPACE\subseteq IP.

📖Definition 46 (Arithmetization). Let φ\varphi be a 3CNF3CNF formula with mm classes C1,,CmC_1,\cdots,C_m and nn variables x1,,xnx_1,\cdots,x_n. We define the arithmetic formula AφA_\varphi, aka arithmetization of φ\varphi, recursively. For a variable xix_i we let A(xi)=xiA(x_i)=x_i, for a negated variable ¬xi\neg x_i we let A(¬xi)=1xiA(\neg x_i)=1-x_i. For a clause C_j=(\ell_{j,1}\or\ell_{j,2}\or\ell_{j,3}) we let

A(Cj)=1A(¬Cj)=1A(¬j,1)A(¬j,2)A(¬j,3)=1(1A(j,1))(1A(j,2))(1A(j,3))A(C_j)=1-A(\neg C_j)=1-A(\neg \ell_{j,1})A(\neg \ell_{j,2})A(\neg \ell_{j,3})\\ =1-(1-A(\ell_{j,1}))(1-A(\ell_{j,2}))(1-A(\ell_{j,3}))

Finally, we define Aφ=j=1mA(Cj)A_\varphi=\prod_{j=1}^mA(C_j).

Expanding A(φ)A(\varphi) into a sum of monomials would take exponential time.

The number of satisfying assignments #φ\#\varphi of φ\varphi:

#φ=x1=01x2=01xn=01Aφ(x1,,xn)\#\varphi=\sum_{x_1=0}^1\sum_{x_2=0}^1\cdots\sum_{x_n=0}^1A_\varphi(x_1,\cdots,x_n)

Then we define an interactive proof for proving #φ=K\#\varphi=K, for given KK. For K=0K=0 allow us prove that coNPIPcoNP\subseteq IP. The protocol is called Sumcheck protocol:

  • Input: Arithmetic formula F(x1,,xn)F(x_1,\cdots,x_n) of total degree dd, prime pp, number KK.
  • Goal: Prove x1=01x2=01xn=01F(x1,,xn)Kmodp\sum_{x_1=0}^1\sum_{x_2=0}^1\cdots\sum_{x_n=0}^1F(x_1,\cdots,x_n)\equiv K\mod p.
  • Verifier: If n=0n=0, evaluate the arithmetic formula FF, which only have constants as inputs. Accept it FKmodpF\equiv K\mod p and reject otherwise. If N1N\ge1, await message from PP.
  • Prover: Send the uni-variate degree dd polynomial Q(x1)Q(x_1) to Verifier, where Q(x1)Q(x_1) is given by Q(x1)=x2=01xn=01F(x1,,xn)Q(x_1)=\sum_{x_2=0}^1\cdots\sum_{x_n=0}^1F(x_1,\cdots,x_n).
  • Verifier: If Q(0)+Q(1)≢KmodpQ(0)+Q(1)\not\equiv K\mod p, reject. Otherwise, pick a1Zpa_1\in\mathbb Z_p uniformly at random. Send a1a_1 to PP and recursively invoke the protocol for proving that x2=01xn=01F(a1,x2,,xn)Q(a1)modp\sum_{x_2=0}^1\cdots\sum_{x_n=0}^1F(a_1,x_2,\cdots,x_n)\equiv Q(a_1)\mod p.

🤔Proposition 16. Let F(x1,,xn)F(x_1,\cdots,x_n) be an arithmetic formula of total degree dd, which is polynomial in nn, let pp be a prime of bi-length polynomial in nn, and let KK be an integer. The Sumcheck protocol is an interactive proof for the statement

x1=01x2=01xn=01F(x1,,xn)Kmodp\sum_{x_1=0}^1\sum_{x_2=0}^1\cdots\sum_{x_n=0}^1F(x_1,\cdots,x_n)\equiv K\mod p

with completeness 11 and soundness error at most nd/pnd/p.

🤔Corollary 11. coNPIPcoNP\subseteq IP.

Show that 3SATIP\overline{3SAT}\in IP.

Interactive Proof for Polynomial Space

PSPACEIPPSPACE\subseteq IP

Consider PSPACEPSPACE-complete TQBFTQBF.

Consider whether ψ=x1{0,1}x2{0,1}xn{0,1}φ(x1,,xn)\psi=\exist x_1\in\{0,1\}\forall x_2\in\{0,1\}\cdots\exist x_n\in\{0,1\}\varphi(x_1,\cdots,x_n) is true.

WLOG, quantifiers are strictly alternating, φ\varphi is a 3CNF3CNF formula with nn variables and mm clauses.

Note that ψ\psi is true iff

x1x2x3xnAφ(x1,,xn)>0.\sum_{x_1}\prod_{x_2}\sum_{x_3}\cdots\sum_{x_n}A_\varphi(x_1,\cdots,x_n)\gt0.

Unbinding outermost summation over x1x_1 is polynomial of exponential degree.

One solution to around the obstacle: limiting the scope of each variable using variable renaming.

Making use of linearization for the same purpose:

📖Definition 47. Let Q(x1,,xn)Q(x_1,\cdots,x_n) be a polynomial. By Lxi\large\mathbf L_{x_i} binds the variable xix_i, at the same time introducing a new variable xix_i (reusing the variable name xix_i). Now replace the condition x1x2x3xnAφ(x1,,xn)>0\sum_{x_1}\prod_{x_2}\sum_{x_3}\cdots\sum_{x_n}A_\varphi(x_1,\cdots,x_n)\gt0 by

x1Lx1x2Lx1Lx2xnLx1LxnAφ(x1,,xn)>0.\sum_{x_1}\mathbf L_{x_1}\sum_{x_2}\mathbf L_{x_1}\mathbf L_{x_2}\cdots\sum_{x_n}\mathbf L_{x_1}\cdots\mathbf L_{x_n}A_\varphi(x_1,\cdots,x_n)\gt0.

The extension of the Sumcheck protocol:

  • The prover sends a prime pp and a number K≢0modpK\not\equiv0\mod p s.t. the LHS is K mod pK\text{ mod }p.

    The LHS is a non-negative integer of magnitude at most 22n2^{2^n}, hence is divisible by ay most 2n2^n distinct primes.

    By property of prime distribution function, the prime pp has bit-length n+O(logn)n+O(\log n).

  • Each of the operators of the form xi,xi,Lxi\sum_{x_i},\prod_{x_i},\mathbf L_{x_i} are unbound one by one, and PP sends the resulting uni-variate polynomial Q(xi)Q(x_i).

🎯Theorem 49. IP=PSPACEIP=PSPACE.

Two interesting observation:

  1. The completeness of the extended Sumcheck protocol is 11. Any interactive proof system may be converted into an equivalent interactive proof system with completeness 11.
  2. The message sent to the Prover by the Verifier may be viewed as just consisting of all random bits read since the last message sent.