\documentclass{article}
\usepackage{amsmath}
\input{preamble.tex}
\newcommand{\NP}{\textrm{NP}}

\begin{document}

\lecture{15}{April 5, 2001}{Shanghua Teng}{Gregory Dennis}

\section*{Motivation}

When we first learned of $\NP$, we defined it as the class of all languages with polynomial-time verifiers. Thus if we have a language $L \in \NP$, a word $w$ is in $L$ if and only if some prover can convince $L$'s verifier of $w$'s membership. This led us to believe that we could define certain languages as the set of words, each of which a prover could convince a verifier of the word's membership in that language.

\section*{Interactive Proofs}

So what are interactive proofs? Imagine two parties and the conversation between them. One party is an ``all-powerful'' \emph{Prover}, which we denote $P$. The Prover is a prodigy and has unlimited computational power. The second party is the \emph{Verifier}, which we denote $V$. The Verifier is a polynomial-time Turing machine which has access to randomness, in the sense that it can toss coins and ask different questions depending on the outcome. The coins are kept \emph{private} to the Verifier. The conversation is a sequence of ``questions'' from $V$ and ``answers'' from $P$ in which the Prover is trying to convince the Verifier of some statement by answering the Verifier's questions. The questions and answers are restricted to being polynomial in the length of the input.

\bigskip
\noindent {\bf Concrete Example: Colored Balls} \newline
Say you wanted to convince your colorblind friend that two balls, one red and one blue but otherwise indistinguishable, are different. He cannot tell them apart himself. Let him hold the balls so that you may see them and say ``The ball in your right hand is red.'' Now, if you are right in that you can distinguish between the balls, you should have no problem telling which ball is which after he puts them behind his back and mixes them up.
If, on the other hand, you were colorblind like your friend, you would have only a 50\% chance of guessing correctly. Hence, by repeating the experiment of exchanging (or not exchanging) the balls behind his back and showing them to you, your friend can be convinced to any degree of certainty that the balls are in fact distinguishable. If both balls were red, however, and therefore indistinguishable to you at a glance, you would again have only a 50\% chance of guessing right. In this case, your friend can easily tell that you cannot tell the balls apart.

\begin{definition}
An \textbf{Interactive Proof} consists of a Prover function {\rm P(word, history)} with unlimited computational power, a polynomial-time Verifier function {\rm V(word, history, random bit string)}, and a conversation:
\begin{quote}
$V(w, \epsilon, r) \rightarrow V_{1}$ \newline
$P(w, V_{1}) \rightarrow P_{1}$ \newline
$V(w, V_{1} \cdot P_{1}, r) \rightarrow V_{2}$ \newline
$P(w, V_{1} \cdot P_{1} \cdot V_{2}) \rightarrow P_{2}$ \newline
$\vdots$ \newline
$V(w, V_{1} \cdot P_{1} \cdot V_{2} \cdots P_{f(|w|)}, r) \rightarrow \{\mathit{accept}, \mathit{reject}\}$
\end{quote}
\newpage
We say $L \in \mathrm{IP}$ if there exists a polynomial-time Verifier $V$ such that for all words $w$:
\begin{center}
$w \in L\ \Longrightarrow \exists\ \textrm{Prover}\ P:\ \Pr_{r}[P \leftrightarrow V(w, r) = \mathit{accept}] > \frac{2}{3}$ \newline
$w \notin L\ \Longrightarrow \forall\ \textrm{Provers}\ P:\ \Pr_{r}[P \leftrightarrow V(w, r) = \mathit{accept}] < \frac{1}{3}$
\end{center}
For {\rm IP} the function $f$ is polynomial. We can also define {\rm IP}$(k)$ with $f(n) = k$ for the languages which accept or reject after a constant number $k$ of rounds.
\end{definition}

\begin{theorem}
$\mathrm{IP}(k) = \mathrm{IP}(1)$, for constant $k$.
\end{theorem}
This means that nothing is gained by having a constant number of rounds compared to a single round.
\bigskip
\noindent {\bf Graph Non-Isomorphism} \newline
A classic problem in IP is Graph Non-Isomorphism, which we define as follows:
\begin{quote}
$\mathrm{NONISO} = \{(G_{1}, G_{2}) : \forall\ \textrm{permutations}\ \pi,\ G_{1} \neq \pi(G_{2})\}$
\end{quote}

\begin{theorem}
$\mathrm{NONISO} \in \mathrm{IP}$
\end{theorem}

\begin{proof}
This is not exactly a formal proof, but it does address the major ideas. In this case, we think of the Prover as trying to convince the Verifier that two graphs are non-isomorphic. The interaction between the Prover and the Verifier proceeds as follows:\newline
{\bf Verifier:} Pick $G_{i}$ uniformly at random from $\{G_{1}, G_{2}\}$ and then randomize $G_{i}$'s vertex numbering. Formally, let $H = \pi(G_{i})$ where $\pi$ is a random permutation. Show $H$ to the Prover and ask it which graph $H$ is a permutation of, $G_{1}$ or $G_{2}$.\newline
{\bf Prover:} Compare $H$ to $G_{1}$ and $G_{2}$. If $H$ is isomorphic to just one of $\{G_{1}, G_{2}\}$, then respond with the $G_{i}$ for which $\pi(G_{i}) = H$. If $H$ is isomorphic to both $G_{1}$ and $G_{2}$, then respond randomly with either $G_{1}$ or $G_{2}$.\newline
{\bf Verifier:} If the Prover is correct, accept. Otherwise, reject.

This ``proof'' works for exactly the same reason as it did for the colored balls. For $G_{1} \not\cong G_{2}$, the Prover can always make the Verifier accept. For $G_{1} \cong G_{2}$, however, the distribution of $H$ is the same whether it was produced from $G_{1}$ or from $G_{2}$, so the Prover can guess correctly only 50\% of the time. Repeating the round independently drives a cheating Prover's chance of acceptance below the $\frac{1}{3}$ required by the definition.
\end{proof}

\section*{Zero-Knowledge Proofs}

Zero-knowledge proofs are interactive proofs that yield nothing beyond the validity of the assertion. That is, the only information the Verifier gains from the conversation is that the Prover is correct or that the Prover is incorrect. We will now show that Graph Isomorphism, which we denote ISO, has a zero-knowledge proof.
\begin{theorem}
ISO has a Zero-Knowledge Proof.
\end{theorem}

\begin{proof}
This is not exactly a formal proof, but it does address the major ideas. For two graphs $G_{0}$ and $G_{1}$, we think of the Prover as trying to convince the Verifier that they are isomorphic. If they are isomorphic, assume without loss of generality that $\pi(G_{0}) = G_{1}$. The interaction between the Prover and the Verifier proceeds as follows:\newline
{\bf Prover:} Picks a random permutation $\sigma$ and sends $H = \sigma(G_{0})$ to the Verifier.\newline
{\bf Verifier:} Flips its coin to obtain a random bit $r \in \{0,1\}$. The Verifier then asks the Prover for a permutation that proves $G_{r} \cong H$.\newline
{\bf Prover:} If $r = 0$, the Prover responds with $\sigma$. If $r = 1$, it responds with $\sigma\pi^{-1}$.\newline
{\bf Verifier:} If the permutation sent by the Prover shows $G_{r} \cong H$, then accept. Otherwise, reject.\newline
({\bf Note:} Since $\pi(G_{0}) = G_{1}$ and $H = \sigma(G_{0})$, $H = \sigma\pi^{-1}(G_{1})$.)

If $G_{0} \cong G_{1}$, then the Prover will always be able to convince the Verifier of the isomorphism. If $G_{0} \not\cong G_{1}$ and $r = 0$, the Verifier will think the Prover is correct, because $H = \sigma(G_{0})$ regardless. But if $G_{0} \not\cong G_{1}$ and $r = 1$, the Prover will not be able to produce a permutation $\sigma\pi^{-1}$, because there is no $\pi$ for which $\pi(G_{0}) = G_{1}$. Thus, if $G_{0} \not\cong G_{1}$, the Prover will be right at most 50\% of the time. More importantly, notice that $V$ never learns what the actual permutation $\pi$ is, and thus it learns nothing from the conversation other than whether $G_{0}$ and $G_{1}$ are isomorphic. We have, therefore, created a zero-knowledge proof for ISO.
\end{proof}

\section*{Arthur-Merlin Games}

If we look back at the definition of $\mathrm{IP}$, we can see that the Prover $P$ does not have access to the random bits $r$. The Prover gets only the word and the conversation history.
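As an added example that is not part of the lecture notes, the following Python sketch runs both protocols above on constructed 4-vertex graphs: the private-coin NONISO protocol from the previous section and the ISO zero-knowledge protocol just described. The simulator function makes the zero-knowledge claim concrete: without $\pi$ it produces exactly the same set of transcripts as the honest Prover. The edge-set graph representation, the brute-force isomorphism search standing in for the unbounded Prover, and all names are assumptions of this example.

```python
import random
from itertools import permutations

def apply_perm(graph, perm):
    """perm(graph) for a graph given as a frozenset of undirected edges {u, v}."""
    return frozenset(frozenset(perm[v] for v in e) for e in graph)

def is_iso(ga, gb, n):
    """Brute force over all n! relabellings: fine for the unbounded Prover, not for V."""
    return any(apply_perm(ga, p) == gb for p in permutations(range(n)))

def noniso_round(g1, g2, n, rng):
    """NONISO with private coins: V's choice i and permutation pi are never sent."""
    i, pi = rng.randrange(2), rng.sample(range(n), n)
    h = apply_perm((g1, g2)[i], pi)                        # V shows H = pi(G_i)
    fits = [is_iso(g, h, n) for g in (g1, g2)]             # P tests both candidates
    guess = fits.index(True) if fits.count(True) == 1 else rng.randrange(2)
    return guess == i                                      # V accepts iff P is right

def iso_answer(sigma, pi, r):
    """Honest P (holds pi, pi(G0) = G1) sends sigma or sigma pi^{-1}; pi=None is a P without it."""
    if r == 0 or pi is None:
        return list(sigma)
    pi_inv = {img: v for v, img in enumerate(pi)}          # pi^{-1} as a lookup table
    return [sigma[pi_inv[v]] for v in range(len(sigma))]   # v -> sigma(pi^{-1}(v))

def iso_round(g0, g1, pi, n, rng):
    """ISO zero-knowledge protocol: P commits H = sigma(G0), V challenges with r."""
    sigma, r = rng.sample(range(n), n), rng.randrange(2)
    h = apply_perm(g0, sigma)
    return apply_perm(g1 if r else g0, iso_answer(sigma, pi, r)) == h

def acceptance_rate(round_fn, rounds=2000, seed=1):
    rng = random.Random(seed)
    return sum(round_fn(rng) for _ in range(rounds)) / rounds

def real_transcripts(g0, pi, n):
    """Every (H, r, answer) an honest P can produce, over all sigma and both r."""
    return {(apply_perm(g0, s), r, tuple(iso_answer(s, pi, r)))
            for s in permutations(range(n)) for r in (0, 1)}

def simulated_transcripts(g0, g1, n):
    """Simulator with no pi: pick r first, then H = tau(G_r); equal sets = zero knowledge."""
    return {(apply_perm(g1 if r else g0, t), r, tuple(t))
            for t in permutations(range(n)) for r in (0, 1)}

PATH = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3)])   # constructed: 4-vertex path
PI = [2, 0, 3, 1]                                                   # the Prover's secret isomorphism
PATH2 = apply_perm(PATH, PI)                                        # = PI(PATH), so PATH ~ PATH2
STAR = frozenset(frozenset(e) for e in [(0, 1), (0, 2), (0, 3)])   # not isomorphic to PATH
```

Running the rounds shows the 50\% soundness error per round on both sides (a Prover guessing blindly when the NONISO graphs are isomorphic, and a Prover without $\pi$ when the ISO graphs are not), which is why the rounds are repeated.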
What would happen if $P$ did have access to $r$? That is, what would happen if we gave the Verifier $V$ a public coin instead of a private one? This type of model is referred to as an Arthur-Merlin game.

\begin{definition}
An \textbf{Arthur-Merlin Game} consists of a Prover function {\rm M(word, sequence of random bit strings)} with unlimited computational power, a polynomial-time Verifier function {\rm A(word)}, and a conversation:
\begin{quote}
$A(w) \rightarrow r_{1}$ \newline
$M(w, r_{1}) \rightarrow M_{1}$ \newline
$A(w) \rightarrow r_{2}$ \newline
$M(w, r_{1}, r_{2}) \rightarrow M_{2}$ \newline
$\vdots$ \newline
$A(w, r_{1}, \ldots, r_{f(|w|)}, M_{1}, \ldots, M_{f(|w|)}) \rightarrow \{\mathit{accept}, \mathit{reject}\}$
\end{quote}
We say $L \in \mathrm{AM}$ if there exists a polynomial-time Verifier $A$ such that for all words $w$:
\begin{center}
$w \in L\ \Longrightarrow \exists M:\ \Pr_{r_{1}, \ldots, r_{f(|w|)}}[M \leftrightarrow A(w, r_{i}) = \mathit{accept}] > \frac{2}{3}$ \newline
$w \notin L\ \Longrightarrow \forall M:\ \Pr_{r_{1}, \ldots, r_{f(|w|)}}[M \leftrightarrow A(w, r_{i}) = \mathit{accept}] < \frac{1}{3}$
\end{center}
For {\rm AM} the function $f$ is polynomial. We can also define {\rm AM}$(k)$ with $f(n) = k$ for the languages which accept or reject after a constant number $k$ of rounds.
\end{definition}

\begin{theorem}
$\mathrm{AM}(k) = \mathrm{AM}(1)$ for constant $k$.
\end{theorem}
This means that nothing is gained by having a constant number of rounds compared to a single round.

\begin{theorem}
$\mathrm{AM}(f(n)) = \mathrm{AM}(\frac{f(n)}{2} + 1)$
\end{theorem}
This means that it is always possible to speed up the protocol by a factor of 2. You can apply this theorem recursively, but only a constant number of times, because otherwise the size of each message between Arthur and Merlin blows up exponentially.

\begin{theorem}
$\mathrm{AM}(\Theta(f(n))) = \mathrm{IP}(f(n))$
\end{theorem}
This means that private coins are equivalent to public coins.

\begin{theorem}
If ISO is $\NP$-complete, then $\Sigma_{3}^{P} = \Pi_{3}^{P}$.
\end{theorem}

\end{document}