1 / 25

Adapted from Oded Goldreich’s course lecture notes.

Interactive Proofs. Adapted from Oded Goldreich’s course lecture notes. Outline. Proof systems: NP revisited. Interactive proofs The complexity class IP Example: An interactive proof for Graph Non-Isomorphism IP=PSPACE Public coins. Proof Systems Back to NP.

lynde
Télécharger la présentation

Adapted from Oded Goldreich’s course lecture notes.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.

  2. Outline • Proof systems: NP revisited. • Interactive proofs • The complexity class IP • Example: An interactive proof for Graph Non-Isomorphism • IP=PSPACE • Public coins

  3. Proof Systems Back to NP • In order to understand the notion of Proof Systems, let us observe NP again. • In a way, the complexity class we will define and discuss later is a probabilistic analog of NP. • The languages in NP are those whose members all have short certificates of membership, which can be easily verified.

  4. Proof Systems Back to NP • We can view this as follows: • There is a mighty powerful Prover. • The Prover needs to convince a Verifier that the input is indeed a member of the language. • So it sends the Verifier a short (polynomial) certificate. • The Verifier has limited resources: the verification of the certificate cannot take more than polynomial time.

  5. (x)=false (y)=true (z)=false Proof Systems Back to NP We will demonstrate this process for 3SAT: We would like to check the membership of a given formula: (xyz’)(x’y’)z’ The verifier simply needs to check the truth value of the formula under the assignment it received in order to find out whether the prover was right. This merely takes polynomial time. polynomial in the number of variables The prover must convince the verifier this formula is satisfiable, so it sends it an assignment, which supposedly satisfies the formula. It is not difficult for the mighty prover to find such, if such exists.

  6. Proof Systems Requirements • Let us specifically define the properties of a Proof System: • The verifier’s strategy is efficient • Correctness Requirements: • Completeness: For a true assertion, there is a convincing proof strategy. • Soundness: For a false assertion, no proof strategy exists. Make sure you understand why does the the proof system we presented for 3SAT satisfy these properties.

  7. Interactive Proofs • We will introduce the notion of Interactive Proofs, which is a generalization of the concept of a Proof System we have already observed. • This generalization is obtained by adding two more features to the model: • allowing a two-way dialog between the parties (interaction) • allowing the verifier to toss coins (randomness).

  8. Interactive Proofs • An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact on a common input in a way satisfying the following properties: • The verifier’s strategy is a probabilistic polynomial-time procedure. • Correctness requirements: • Completeness: There exists a prover strategy P, such that for every xL, when interacting on a common input x, the prover P convinces the verifier with probability at least 2/3. • Soundness: For every xL, when interacting on the common input x, any prover strategy P* convinces the verifier with probability at most 1/3.

  9. IP • The complexity classIP consists of all the languages having an interactive proof system. • The number of messages exchanged during the protocol between the two parties is called the number of rounds in the system. • For every integer function r(.), the complexity class IP(r(.)) consists of all the languages that have an interactive proof system, in which, on common input x, at most r(|x|) rounds are used. • For a set of integer functions R, we denote IP(R)=UrRIP(r(.)).

  10. IP Observations • NPIP • Since the verifier must run in polynomial-time, IP=IP(poly), where poly is the set of polynomial functions. • The definition of IP can be expanded to require Perfect Completeness (acceptance probability 1). • On the other hand, if we demand Perfect Soundness, the class will collapse to NP-proof systems. • Again, the constants 1/3 and 2/3 in the definition can be amplified to probabilities 1-2-p(.) and 2-p(.), for any polynomial p(.).

  11. Would IP Retain Its Strength Even Without Either Interaction or Randomness? • If we omit randomness, IP collapses to NP-proof systems (Make sure you understand why). • If we omit the interaction between the parties, we get IP(1) (also denoted AM), which seems to be a randomized (perhaps stronger) version of NP. • Together these two features yield a very powerful complexity class. How powerful? This will be clarified later. • First, let us observe an example.

  12. Isomorphism between Graphs • The graphs G1=(V1,E1) and G2=(V2,E2) are called isomorphic (denoted G1G2) if there exists a 1-1 and onto mapping :V1V2 such that (u,v) E1 iff ((u),(v)) E1. • A mapping  between two isomorphic graphs is called an isomorphism between the graphs. • If no such mapping exists, the graphs are called non-isomorphic. • We define the language GNI as follows: GNI={(G1,G2): G1 and G2 are non-isomorphic} • We will use this language in order to demonstrate an interactive proof.

  13. Isomorphic Graphs Example: • Take these two graphs • Although they seem very different, they are in fact isomorphic. Click to see the isomorphism between them.

  14. GNI Motivation • This illustration shows us that GI is in NP (Why?). • Interestingly, it is not known whether it is NP-hard. • GNI - on the other hand - seems much harder (We need to check no isomorphism exists). • And indeed, it is not known whether GNI is in NP. • Thus it will be interesting to show that if two graphs are non-isomorphic, a Prover can convince a Verifier of this fact.

  15. An Interactive Proof for GNI • Common Input:G1=({1,...,n},E1) and G2=({1,...,n},E2) Make sure you understand why could we assume, without loss of generality, that V1=V2. • The Verifier chooses randomly i in{1,2} and a permutation of {1,...,n}. • Then it applies  on the i-th graph to get: H=({1,...,n},{((u),(v)):(u,v)E}) • And sends H to the Prover. • The prover sends j{1,2} to the Verifier. • The Verifier accepts iff i=j.

  16. The common input An Interactive Proof for GNI Simulation The Prover • The verifier chooses one of the two graphs randomly. • The verifier constructs randomly a graph isomorphic to the graph it chose. • If the two input graphs are truly non-isomorphic, the prover can find which of the two graphs is isomorphic to the graph he received from the verifier, and send it the correct answer. • The verifier sends the prover the graph • The verifier can check the answer easily (The verifier knows which graph was chosen) The 2nd Graph The Verifier

  17. The protocol is IP • Completeness:If G1and G2 are non-isomorphic, the graph the verifier sends is isomorphic to only one out of the two graphs, thus the prover can always send the correct answer. • Soundness:If G1and G2 are isomorphic, then, since the verifier chooses i randomly, the probability that j=i is ½. This can be increased to 2/3 by repeating the protocol sufficiently many times.

  18. 1 2 3 4 1 5 2 3 4 5 G3C • Common Input: A graph • Prover can color the graph using 3 colors. • Prover must keep the coloring secret.

  19. 1 2 3 4 1 5 2 3 4 4 3 5 1 2 5 G3C is in Zero-Knowledge Construction (ZK IP for G3C): • Prover chooses a random color permutation. • Prover puts all the vertices` colors inside envelopes. • And sends them to the verifier.

  20. 1 2 3 4 5 1 2 3 4 5 G3C is in ZK (cont.) • Verifier receives envelopes supposedly containing a legal 3-coloring of the graph • Verifier chooses an edge at random. • And asks Prover to open the 2 envelopes.

  21. 1 2 3 4 5 1 2 3 G3C is in ZK (cont.) • Prover opens the envelopes, revealing the colors. • Verifier accepts if the colors are different.

  22. Formally, • G = (V,E) is 3-colorable if there exists a mapping so that for every . • Let  be a 3-coloring of G, and let  be a permutation over {1,2,3} chosen randomly. • Define a random 3-coloring. • Put each (v) in a box with v marked on it. • Send all the boxes to the verifier.

  23. Formally, (cont.) • Verifier selects an edge at random asking to inspect the colors. • Prover sends the keys to boxes u and v. • Verifier uses the keys to open the boxes. • If the Verifier finds 2 different colors from {1,2,3} - Accept. • Otherwise - Reject.

  24. 1 2 n (1) (2) (n) P V P V Keyu , keyv P V G3C (diagram)

  25. The construction is in ZK: • Completeness:If G is 3-colorable and both P and V follow the rules, V accepts. • Soundness:Suppose G is not 3-colorable and P* tries to cheat. Then at least one edge (u,v) will be monochromatic:  (u) =  (v).V hence picks a bad edge with probability 1/|E|, which can be increased to 2/3 by repeating the protocol sufficiently many times.

More Related