Friday, March 28, 2008

* IP is subset of PSPACE 
* co-NP is subset of IP

IP IS SUBSET OF PSPACE

Theorem: IP is subset of PSPACE

Proof: Given a language L in IP, we will produce a PSPACE TM M for
deciding L.  This proof is similar to other simulations we have done.
The only tricky thing is to be able to do this regardless of the power
of the prover (which, recall, could have unbounded time complexity).

The computation of the verifier V is a deterministic function of three
components: (1) input string w, (2) random input, and (3) partial
message history m_1#m_2#...#m_k.

The prover is a function with two inputs: (1) input string w, and (2)
partial message history.

Note first that if the IP prover was a PSPACE machine, then the above
claim is easy.  Why?  Well, M can simply simulate the entire IP
protocol, one after another for each choice of the random bits of the
IP verifier V.  Keep count of the number of random strings for which V
accepts.  If it is at least 1/2 fraction, then accept; else reject.

How do we simulate a potentially time-unbounded prover?  One
observation is to simulate a prover that aims to maximize the
probability that V accepts the string w (regardless of whether w is in
L).  Suppose w is in L.  The particular prover P that certifies that w
is in L with a >= 2/3 acceptance probability will guarantee that the
acceptance probability with the "maximizing" prover is >= 2/3.  If w
is not in L, then by the definition of IP, no prover including the
maximizing prover will achieve an acceptance probability of >= 1/3.
This separation of acceptance probabilities is easy to check and will
be used to decide L.

We calculate this acceptance probability as a function of the partial
message history.  Suppose we have a p-round IP protocol for language
L.  The prover sends messages in even rounds and the verifier in odd
rounds.  (So p is odd, since the last message is an accept or reject
by the verifier.)

N(<m_1, m_2, ..., m_p>) = 1 if m_p = accept

N(<m_1, m_2, ..., m_p>) = 0 if m_p = accept

N(<m_1, m_2, ..., m_j>) = max_{m_{j+1}} N(<m_1, m_2, ..., m_{j+1}>) if
j is odd

N(<m_1, m_2, ..., m_j>) = sum_{m_{j+1}} wt(m_{j+1})N(<m_1, m_2, ..., m_{j+1}>) if
j is even,

where wt(m_{j+1}) is the probability that m_{j+1} is output by the
verifier.  

The above recursive calculation can be done in polynomial space using
a depth-first search procedure since the depth of the recursion is
polynomial.  To calculate N(<m_1, m_2, ..., m_j>) for odd j, we
calculate N(<m_1, m_2, ..., m_{j+1}>) for all possible m_{j+1} one by
one for the polynomially number of m_{j+1}, keeping track of the
maximum value achieved so far.  To calculate N(<m_1, m_2, ..., m_j>)
for even j, we calculate it as

sum_{random bit stream r_{j+1} for round j+1} Pr[r_{j+1}]*N(<m_1, m_2,
..., V(m_1,m_2,...,m_j,r_{j+1})m_{j+1}>)

So we try each choice of random bits, each leading to a particular
m_{j+1}, and keep track of the above sum.  Since the number of random
bits is polynomial and the size of the messages is polynomial, the
maximum count that needs to be kept track of is polynomial-bits long.

End Proof

CO-NP IS SUBSET OF IP

UNSAT = {f : f is unsatisfiable} is a complete problem for co-NP.

Given a 3CNF formula f, we would like to decide if it is not
satisfiable.  We arithmetize it.  Replace 

L_1 OR L_2 OR L_3 by (L_1 + L_2 + L_3)

C_1 AND C_2 by (C_1 * C_2)

x_i by x_i and ~x_i by (1 - x_i)

For formula f, we get a polynomial F(x_1, ..., x_n).  Degree of the
polynomial, at most m in each variable.

f is not in SAT iff Sum_{x_1 in 0,1} Sum_{x_2 in 0,1} ... Sum_{x_n in
0,1} F(x_1, ..., x_n) = 0

Note that the above expression is a number.  Maximum value it can take
is 2^n 3^m.  Suppose we want to calculate it mod prime q, where q is a
prime bigger than 2^n 3^m.  Can do so since |q| is poly in n and m.

Unfortunately, cannot evaluate the sum since there are exponential
number of terms.  Arithmetization transforms questions of logic to
questions of abstract mathematics for which we have a number of
powerful tools.  Here is the protocol for UNSAT.

1. Both the prover and verifier have f.  They both compute the
polynomial F.  The prover wants to show that Sum_{x_1}... S_{x_n}
F(...) = 0.

2. The prover sends a prime q such that q > 2^n3^m.  The verifier
verifies that q is indeed a prime.

3. The verifier initializes v_0 to 0.

4. For i = 1 to n:

[P wants to convince V that

Sum_{x_i}Sum_{x_{i+1}}...Sum_{x_n} F(r_1,...,r_{i-1},x_i,...,x_n) = v_{i-1}.]

-- P sends a 1-variable polynomial P'_i of degree at most m.

-- The verifier checks that P'_i has degree at most m and that P'_i(0) +
P'_i(1) = v_{i-1} (mod q).  If not, the verifier rejects.  Otherwise,
the prover chooses a random r_i in F_q, computes v_i = P'_i(r_i) and
sends r_i to the prover.

5. The verifier accepts if F(r_1,...,r_n) = v_n and rejects otherwise.

Completeness proof: The honest prover computes

P_i = Sum_{x_{i+1} in {0,1}} ... Sum_{x_n in {0,1}} F(r_1, r_2, ...,
r_{i-1}, x_i, x_{i_1}, ..., x_n)

If f is unsatisfiable, we prove that the verifier will always accept.
Clearly P_i always has degree at most m.

It is easy to check what with probability 1, the prover passes all the
tests of the verifier.

Soundness proof: What is the probability that we have a sequence of
polynomials P'_1(x_1), P'_2(x_2),..., P'_n(x_n) satisfying the
following properties?

P'_1(0) + P'_1(1) = 0

P'_i(0) + P'_i(1) = P'_{i-1}(r_{i-1}) mod q

P'_n(r_n) = F(r_1,...,r_n) mod q

Lemma: Define Q_i = P_i(r_i).  If Q_i != v_i, then the probability
that the verifier does not reject but v_{i+1} = Q_{i+1} is at most
m/q.

Proof: Assume v_i != Q_i and the prover sends a degree-m polynomial
P'_{i+1}.  There are two cases.  If P_{i+1} = P'_{i+1}, then

P'_{i+1}(0) + P'_{i+1}(1) = P_{i+1}(0) + P_{i+1}(1) = P_i(r_i) = Q_i
!= v_i.

So the verifier will reject.

If P_{i+1} != P'_{i+1}, then the probability that they would evaluate
to the same value on a given point is at most m/q.  Q_{i+1} is
P_{i+1}(r_{i+1}) while v_{i+1} = P'_{i+1}(r_{i+1}).

End Proof

Note that the verifier has no way of finding the second case scenario
out in round i+1.  But the verifier does check in the last round
whether v_n = Q_n.  The probability that v_n = Q_n but v_{n-1} !=
Q_{n-1} is at most m/q.  We assume this does not happen.  The
probability that v_{n-1} = Q_{n-1} but v_{n-2} != Q_{n-2} is at most
m/q.  And so on.  And we know that v_0 = Q_0 because otherwise the
verifier would have rejected in the first round itself.  So the
probability of error is at most mn/q, which is very small.