In Chapter 4, we saw some examples of problems that are known to be in NP but are not known to be in P or to be NP-complete. In Examples 10.1 and 10.2, we showed that the complements of two of these problems, GISO and QR, have two-round interactive proof systems. From the above result, we know that the complements of GISO and QR are actually in and, hence, by Theorem 10.20, GISO and QR cannot be NP-complete unless the polynomial-time hierarchy collapses to the second level. Thus, the study of interactive proof systems yields some surprising results regarding the NP-completeness of some natural problems.
Corollary 10.25
Proof
10.5 IP Versus PSPACE
In the past few sections, we have established that the computational power of the interactive proof systems of a constant number of rounds is quite limited and is just alevel beyond NP. A critical step of this collapsing result is Theorem 10.14, where two complementary -predicates are converted to two complementary -predicates. A careful analysis shows that this result cannot be extended to complementary -predicates if k(n) is not bounded by a constant (cf. Exercise 10.6). Therefore, the collapsing result stops at the constant-round AM hierarchy. Indeed, we show in the following that IP is actually equal to PSPACE, and so any result collapsing IP to the polynomial-time hierarchy would be a major breakthrough.
Theorem 10.26
Proof
We remark that the above proof also establishes Theorem 10.22. In particular, the above sum check proof system has only a one-sided error.
In Chapter 4, we mentioned that most results that separate complexity classes by the diagonalization techniques or collapsing complexity classes by the simulation techniques are relativizable, that is, these results hold relative to all oracles (if the relativized complexity classes can be defined in a natural way). It is, therefore, interesting to point out here that the above result of is not relativizable. (Exercise 10.13 constructs an oracle A such that .) Thus, this algebraic proof technique may potentially lead to more separating or collapsing results that are not provable by the standard diagonalization or the simulation techniques.
Exercises
10.1In this exercise, we present a balanced view of the interactive proof systems (in contrast to the verifier's view of the interactive proof systems defined in Definition 10.5). We define an interactive protocol as a pair of machines , where Mv is a polynomial-time PTM, Mp is a DTM, and they share a common read-only input tape and a common communication tape. The two machines take turns in being active. During its active stage, the machine (except for the first stage) first reads the string in the communication tape, performs some local computation on its local tapes, and then writes a string on the communication tape (or if the machine is Mv, it may choose to halt the computation and accept or reject). We say a set has an interactive proof system with error bound ε if there exists a polynomial-time PTM Mv such that the following hold:
There exists a DTM Mp such that is an interactive protocol and for each , the probability of Mv and Mp together accepting x is at least ; and
For any DTM M such that forms an interactive protocol and for any , the probability of Mv and M together accepting x is at most ε.
Show that the above definition of interactive proof systems is equivalent to Definition 10.5.
10.2Assume that A has a k(n)-round interactive proof system with the error probability . Further assume that in the system , each message exchanged between the prover and the verifier is of length at most q(n) and the machine Mv uses at most r(n) random bits, if the input is of length n. Prove that for any polynomial p, there is a k(n)-round interactive proof system for A with the error probability , in which the message length is bounded by and the number of random bits used is bounded by . In particular, for any m > 0, there is a k(n)-round interactive proof system for A with the error probability , where is the number of random bits used by .
10.3It is shown through Theorem 10.24 that the problem is in . Give a direct proof for this fact by demonstrating an Arthur–Merlin proof system for . [Hint: Let be a graph and be a permutation of the vertices of G. We write to denote the graph , where if and only if . Let be the set of all automorphisms of G, that is, the set of all permutations π over V such that is identical to G. We observe that in the interactive proof system of Example 10.1, if the inputs G1 and G2 are isomorphic, then there are only different messages that could be sent by the verifier to the prover in round 1 (called legal messages). Otherwise, if G1 and G2 are not isomorphic, then there are different legal messages. Design an Arthur–Merlin proof system for in which Merlin tries to convince Arthur that there are “many” legal messages for the given inputs G1 and G2.]
10.4Design an interactive proof system for .
10.5There is a natural extension of Merlin machines to oracle Merlin machines in which Merlin can make queries to an oracle X. Define the notion of relativized based on oracle Merlin machines.
Show that the class has an alternating quantifier characterization like that of Theorem 10.15.
Prove that .
10.6It is straightforward to extend the notion of complementary -predicates to complementary -predicates, where k(n) is a function of the input n.
Can you prove an alternating quantifier characterization for by the notion of complementary -predicates? If so, what is the best bound for the probability c you can prove?
Assume that R1 and R0 are twocomplementary -predicates, with for some polynomial p. Show that R1 and R0 are two complementary -predicates. Can you generalize this result to show that R1 and R0 are two complementary -predicates (if necessary, assuming a smaller c1 to begin with)?
10.7Show that .
10.8Recall that almost-P denotes the class of languages A such that (see Exercise 8.16). Extend this notion to almost-NP . Show that almost-.
10.9Prove that . Are these three classes equal?
10.10Prove that if , then .
10.11Prove that for each of the following statements, there is an oracle X relative to which the statement is false.
.
.
.
10.12Extend the Arthur–Merlin proof system A2 of Theorem 10.24 to work for every k ≥ 1. In particular, for any , find a -round Arthur–Merlin proof system for L.
10.13Prove that there exists an oracle A such that .
10.14Prove that if f(n) and g(n) are two functions bounded by some polynomial functions such that , then there exists an oracle A such that , where is the class of sets in PSPACE that have the form (3.7) in Corollary 3.20, with g(n) levels of quantifiers, beginning with , and is this class relative to set A.
The following three problems are about zero-knowledge proof systems. Intuitively, a proof session of an interactive proof system provides zero knowledge if the prover is able to convince the verifier that an input x is in the set L and yet the verifier learns no extra knowledge other than the fact that . For instance, consider the graph isomorphism problem GISO. For two given graphs and , a simple proof system is to let the prover send a mapping to the verifier and let the verifier check that π is an isomorphism between the two graphs. This proof system, however, reveals exactly what the isomorphism is between G1 and G2. Alternatively, the following proof system for GISO does not reveal this information and yet can convince the verifier that : The prover first sends a graph that is isomorphic to G1 (and G2) to the verifier. Then, the verifier picks a random number and sends it to the prover. The prover sends a function that is an isomorphism between Gi and G3. Note that although the verifier learns the isomorphism function between Gi and G3, he/she is not able to find the isomorphism between G1 and G2 from this side knowledge.
We are going to define the notion of zero-knowledge proof systems based on the balanced view of interactive proof systems defined in Exercise 10.1. Recall that on an input x and for a sequence α of random bits, a k-round interactive proof system has a unique history (see the proof of Theorem 10.21). Here, we modify it and attach α itself to the history and define . We notice that for a fixed prover machine Mp, an interactive protocol defines, for each input x, a probability distribution on the histories hx,α. We say a PTM M on input x generates a probability distribution if for each string w, the probability of M(x) prints w is . Formally, we define that an interactive proof system for set L is a perfect zero-knowledge proof system forMv, if there exists a polynomial-time PTM M that on each input x generates a probabilistic distribution that is identical to . We say is a perfect zero-knowledge proof system, if for every verifier machine that forms an interactive protocol with Mp, there exists a polynomial-time PTM M that on each input x generates a probabilistic distribution that is identical to .
10.15Prove that the above second interactive protocol for GISO is a perfect zero-knowledge proof system.
10.16The interactive protocol for of Example 10.1 is not perfect zero-knowledge, because a verifier may send a graph G′ to the prover that is not randomly generated from G1 or G2 and gain information of whether G′ is isomorphic to G1 or G2. Modify this interactive protocol to a perfect zero-knowledge proof system for .
10.17Prove that if a set L has a perfect zero-knowledge proof system, then .
If you are going to do something wrong,at least enjoy it.
—Leo Rosten
Historical Notes
Interactive proof systems were first introduced by Goldwasser, Micali, and Rackoff (1989). Their formulation is close to the one presented in Exercise 10.1. Our equivalent formulation is based on the work of Fortnow et al. (1994). Arthur–Merlin proof systems were introduced by Babai (1985) and Babai and Moran (1988) from a different motivation. A number of survey papers have been written about the properties and applications of these proof systems, including Johnson (1988, 1992). Example 10.1 is from Goldreich et al. (1991), and Example 10.3 is from Lund et al. (1992). The robustness of the notion of complementary AMk-predicates and the collapsing of the AM hierarchy are contained in Babai and Moran (1988). Theorem 10.20 was first proved by Boppana et al. (1987). The equivalence between IPk and AMk was first proved by Goldwasser and Sipser (1989). The simpler proof of the weaker form of the equivalence presented in Theorem 10.21 is due to Killian (see Goldwasser (1988)). The notion of universal hashing functions as that used in Lemma 10.23 was first defined by Carter and Wegman (1979). The interactive proof system for the problem was first presented by Goldreich et al. (1991). Schöning (1987) contains a direct construction of an Arthur–Merlin proof system for the graph nonisomorphism problem (Exercise 10.3). The equivalence of IP and PSPACE was first proved byShamir (1990), based on the idea of Lund et al. (1992). Both proofs worked on the PSPACE-complete problem QBF. Our proof of Theorem 10.26 was based on the unpublished idea of Hartmanis (1991). The characterization of AM as almost-NP (Exercise 10.8) is from Nisan and Wigderson (1994). Exercise 10.14 is from Fortnow and Sipser (1988) and Aiello et al. (1990). Exercise 10.9 is from Goldreich and Zuckerman (1997) and Arvind and Köbler (1997). Zero-knowledge proof systems were first introduced inGoldwasser, Micali, and Rackoff (1989). Exercises 10.15 and 10.16 are from Goldreich et al. (1991). Exercise 10.17 is from Fortnow (1989) and Aiello and Hastad (1991). Goldreich (1997) contains a recent survey on zero-knowledge proof systems.