\documentclass{article} \usepackage{amssymb,psbox} \newcommand{\by}{\times} \newcommand{\state}[1]{\left| #1 \right\rangle} \newcommand{\tensor}{\otimes} \newcommand{\field}{{\cal Z}/ (p-1)} \newcommand{\ceiling}[1]{\left\lceil #1 \right\rceil} \newcommand{\pcppolypoly}{\mathbf{PCP\left(\emph{poly,poly}\right)}} \newenvironment{proof-outline}{\noindent{\bf Outline of Proof}\hspace*{1em}}{\bigskip} %\newtheorem{claim}{Claim} %\newenvironment{proof}{\begin{trivlist}\item \textbf{Proof:}}{ $\Box$ \end{trivlist}} \input{preamble} \begin{document} \lecture{19}{24 April 2001}{Daniel Spielman}{Ken McCracken} In this lecture we begin the proof of the following theorem: \begin{theorem} $\mathbf{NEXP} \subseteq \pcppolypoly$ \end{theorem} %\Large{In this lecture we begin the proof of the following theorem: } %\theorem{$NEXP \subseteq PCP(poly,poly)$} The lecture is divided into three parts: \begin{itemize} \addtocounter{enumi}{0} \item %sec:lc Section 1 presents a review of $\epsilon$-reductions through arithmetization techniques from last lecture's proof that PSPACE is contained in IP. \item %sec:ics Section 2 provides an introduction to the EXP-complete language Implicit-Circuit-Sat as well as a proof outline for using Implicit-Circuit-Sat to show $\mathbf{NEXP} \subseteq \pcppolypoly$. \item %sec:mlp Section 3 contains an introduction to multilinear polynomials and applications to the Implicit-Circuit-Sat proof which contains the satisfying assignments of the circuit. \item %sec:mlt Section 4 introduces the multilinearity test to be used in arithmetization of said proof. \end{itemize} \addtocounter{section}{0} \section{Last Class} \label{sec:lc} Last class we proved that $\mathbf{PSPACE} \subseteq \mathbf{IP}$. Recall the proof strategy. Namely, for a $\mathbf{PSPACE} \ TM \ M$ with input $w$ consider the graph (e.g. tableau) of configurations of $M$ on $w$. We presented the $\{0,1\}$-function $FT_k \left(q_1, q_2 \right) = FromTo \left(q_1, q_2, k \right) \equiv 1 \Leftrightarrow \exists \ path \ p \ from \ state \ q_1 \ to \ q_2 \ of \ length \ at \ most \ k$. The proof merely asked if there's a path $FromTo \left(q_start, q_accept, 2^{\abs{w}} \right)$. Recall the main parts of an $\epsilon$-reduction: %\begin{displaymath} %\{ %\begin{array}{l} %\begin{flushleft} \begin{itemize} \item The two-for-one lemma. \item The $\Sigma$ protocol, where: $\Sigma_{\left(x_1, ..., x_n \right) \in \{0,1\}^n} \ f \left(x_1, \ldots, x_n \right) = s$ was solved by checking, for \ random $c_i \in \{ 1, \ldots, \ceiling{\frac{d}{\epsilon}} \}$, if $f \left( c_1, \dots, c_n \right) = r$. \end{itemize} %\end{flushleft} %\end{array} %\end{displaymath} Arithmetization was used with $\epsilon$-reductions from from $FT_k \left(x, y \right) = s \rightarrow FT_{\left( \frac{k}{2} \right)} \left(u, v \right) = r$. This divide-and-conquer technique brought us to statements of the form $FT_1 \left(u, v \right) = r$, which could evaluate in poly time. We will use a similar technique in approaching the proof of the statement $\mathbf{NEXP} \subseteq \pcppolypoly$. \section{Implicit Circuit Sat and The Proof Outline} \label{sec:ics} We use the definition $L \in \pcppolypoly \ if \ \exists \ a \ probabilistic \ poly \ time \ OTM \ V^? \ s.t.$ \\ \begin{tabular}{ll} \ \ \ \ \ \ & $w \in L \Rightarrow \exists \ \Pi \ s.t. \ Pr[ V^{\Pi} \left( w \right) accepts ] = 1$ \\ & $w \notin L \Rightarrow \forall \ \Pi \ Pr[ V^{\Pi} \left( w \right) accepts ] < \frac{1}{2}$ \end{tabular} \\ It is easy now to show \begin{lemma} $\mathbf{PSPACE} \subseteq \pcppolypoly$ \end{lemma} \begin{proof-sketch} Consider an $\mathbf{IP}$ problem in which a prover $P$ is a function from the dialog history thus far to the next statement. The act of parsing $\Pi$ turns it into a prover. The verifier $V$ replaces its interactions with the prover with queries to the oracle. The result is that $\mathbf{IP} \subseteq \pcppolypoly$. Since $\mathbf{PSPACE} \subseteq \mathbf{IP}$ the lemma holds. \end{proof-sketch} Now we return to the more interesting case of proving Theorem 1. Note first that for $\pcppolypoly$ the proof $\Pi$ may be at most exponential in length, since we need to be able to ask for a specific bit of the proof in poly time. \begin{theorem} Implicit-Circuit-Sat is $\mathbf{NEXP}$-complete \end{theorem} \begin{proof-idea} Follow the same reasoning as in proofs that SAT is $\mathbf{NP}$-complete, using $\mathbf{NEXP}$ machinery to solve the exponentially large problem. \end{proof-idea} If $w$ is the input to Implicit-Circuit-Sat, $C\left(w \right)$ describes an exponentially large circuit. Moreover, if $\Pi$ is a proof containing a satisfying assignment $A$ then $A$ has exponentially many variables. If the variables to $C$ are $\{x_1, \ldots, x_{2^n} \}$ then $A$ defines the mapping $x_i \rightarrow {0,1}$ for all $i$. The input to Implicit Circuit Sat is a circuit computing the function $C\left( x_1, \ldots, x_{2^n} \right) \Rightarrow \{0,1\}^{3n+3}$. Such a circuit describes an instance of SAT with $2^n$ clauses. We are asking if the 3cnf of expenential length that $C$ describes is satisfiable. But a poly time machine can't even read the satisfying assignment within its bounds. \begin{bf}Idea:\end{bf} Let $\phi \left( C \right)$ be the 3cnf instance described by $C$ \begin{lemma} $\exists$ a $\mathbf{PSPACE}$ OTM $M^?$ s.t. $M^A\left(C \right)$ accepts $\Leftrightarrow$ A is a satisfying assignment of the variables in $\phi\left( C \right)$. \end{lemma} \begin{proof-sketch} We consider the special case of Implicit-3Sat, which is also $\mathbf{NEXP}$-complete. This problem takes input $\left(x_1, \ldots, x_n \right) \in \{1, \ldots, 2^n \}$ and ouputs a description of a clause of the 3cnf formula it represents. That is, it outputs the three variables in the clause including any negations. A $\mathbf{PSPACE}$ Turing machine can, with access to the oracle $A$ containing the satisfying assignments, solve $C\left( w \right)$. It can iterate through every one of the clauses and verify that the corresponding assignments from $A$ satisfy the clause. If any clause isn't satisfied, reject. If no iteration has rejected we can accept. \end{proof-sketch} \begin{proof-outline} We return to Lemma 1. We now apply the prover-verifier ideas from the proof that $\mathbf{PSPACE} \subseteq \pcppolypoly$. In our case, the proof $\Pi$ should contain: \begin{itemize} \item $A$, the satisfying assignment of $\phi \left( C \right)$. \item The table for the prover in $\mathbf{IP}$ that shows $M^A \left( C \right)$ accepts. \end{itemize} At the very end of whatever analysis we do, the verifier evaluates some polynomial at some point. Womehow that involves checking A in just one place. Recall that in the PSPACE proof, we evaluate $FT_1\left(x,y\right)$ where x and y are states. We evaluated this polynomial for $x,y \in F^n$, instead of over all $\{0,1\}^n$. The field F was helpful because it placed less constraints on the computational complexity of the problem. Our problem in this case comes from dealing with the proof A:\\ \begin{tabular}{ll} \ \ \ \ \ \ & Problem 1. A enters into the transition function. The transition function is no longer a \\ & \ \ \ \ short description. Before we had 6 cells from the tableau from state x to state y to \\ & \ \ \ \ check if the move was valid. \\ & Problem 2. We need some way to arithmetize A as we arithmetized our function FT. \\ & Problem 3. Philosophy: If you change 1 bit of A, it can switch from a satisfying \\ & \ \ \ \ assignment to an unsatisfying one. You will never see this in your poly time machine. \\ & \ \ \ \ To overcome this predicament we will introduce error correcting code. \\ \end{tabular} \\ \end{proof-outline} \section{Multilinear Polynomials} \label{sec:mlp} We introduce multilinear polynomials as an approximation to use to arithmetize our exponential-length proof A. Once we can arithmetize it, it becomes tractable to reduce the problem of Implicit-Circuit-Sat using $\epsilon$-reductions that a $\pcppolypoly$ machine can handle within its time and oracle constraints. We can view A as a function $\{0,1\}^n \rightarrow \{0,1\}$. We represent this function by a multilinear polynomial $\hat{A}$, which we call the \emph{multilinear extension} of A. In a multilinear polynomial P, if we look at the degree in each variable, it is at most 1. We define P as follows \begin{displaymath} \begin{array}{c} P \equiv \Sigma_{\left(d_1, \ldots, d_n \right) \in \{0,1\}} \alpha_{d_1, \ldots, d_n} x_1^{d_1} x_2^{d_2} \ldots x_n^{d_n} \end{array} \end{displaymath} Note this is the sum of $2^n$ monomials. We have that $\exists$ a unique multilinear polynomial $P\left( \right) \mid P\left( \bar{x} \right) = A\left( \bar{x} \right) \forall \bar{x} \in \{0,1\}^n$. Hence our proof $\Pi$ should contain a table of values of P at all $\bar{x} \in F^n$. We denote this table by $\hat{A}$, the multilinear extension of A. We can now ask for $\hat{A}$ beyond $\{0,1\}$. \vspace{20pt} \hspace{20pt} \PSbox{configs.ps}{5in}{1.5in} %\vspace{5pt} In figure 1 we now have our normal configurations to check from time step 1 to step 2 but we also have a query tape to our function $\hat{A}$. Hence we are interested in the value of $1-\left( y - \hat{A} \left( x_1, \ldots, x_n \right) \right)^2$. In the 0,1-case, this equals 1 if $y=\hat{A}\left( x_1, \ldots, x_n \right)$ and 0 otherwise. We can be convinced that $\hat{A}$ is mostly a polynomial. This will handle Problems 1 and 2 mentioned earlier. The goal will therefore be to build $\hat{A}$ into the transition function. We will be able to evaluate $\hat{A}$ in poly time if it is multilinear. Once we have our table, we can evaluate $FT_1$ at any point by table lookup into $\hat{A}$. \section{The Multilinearity Test} \label{sec:mlt} We now present the idea of using a multilinearity test to determine whether or not $\hat{A}$ is, in fact, multilinear. Once we know this we can use it in our reductions to $FT_1$. We will come back to multilinearity tests next lecture and apply it to our proof of Lemma 1. It is important that we evaluate $\hat{A}$ at a random place to determine its multilinearity. The test procedure is as follows. Given an input table $\hat{A}$, query it in a poly number of places using a poly number of random bits. Then we have \\ \begin{displaymath} \begin{array}{ll} \ \ \ \ \ \ & if \ Pr[test accepts] > \frac{1}{2} \Rightarrow \exists ! \ multilinear \ polynomial \ P \ \mid Pr_{x \in F^n} [\hat{A} \left(x\right) \neq P\left(x\right) ] < \frac{1}{n^k} \\ & if \ \hat{A} \ is \ multilinear \ \Rightarrow \ Pr[accepts] = 1 \\ \end{array} \end{displaymath} \\ \begin{bf} Example \end{bf} of a multilinearity test in one variable. Given $A: F \rightarrow F$ on which to test for multilinearity. \newpage \hspace{10pt} For $i=1$ to $n^k$: \hspace{20pt} Query $A\left(0\right)$, $A\left(1\right)$, $A\left(r\right)$ where r is randomly chosen from F. \hspace{20pt} Verify that it looks linear here. That is, test if $A\left(r\right)=r\cdot\left(A\left(1\right) - A\left(0\right)\right)+A\left(0\right)$. \hspace{20pt} Reject if it ever fails. \hspace{10pt} If A always passes the test, then A is close to linear. Accept. \vspace{10pt} We will describe in more detail how this test is used in the next lecture. \end{document} \end{input} \section{Calculable Quantum Fourier Transforms} \label{sec:actual} So, which quantum transforms can we actually compute? When $N=2^n$, i.e. the size of the matrix is a power of 2, it is easy to compute the function: $$x \longrightarrow \frac{1}{\sqrt{N}} \sum_{y=0}^{2^n -1} e^{\frac{2 \pi i x y}{N}} \state{y}$$ Here's how it's done. Write $x$ and $y$ in binary notation: \begin{eqnarray*} x& =& 2^{n-1} x_1 + 2^{n-2} x_2 + \ldots 2 x_{n-1} + x_n \\ y& =& 2^{n-1} y_1 + 2^{n-2} y_2 + \ldots 2 y_{n-1} + y_n \end{eqnarray*} Then \begin{eqnarray*} xy \bmod 2^n &=& y_1 \left(2^{n-1} x_n\right)\\ && + y_2 \left(2^{n-2} x_n + 2^{n-1} x_{n-1}\right)\\ && \vdots\\ && + y_n \left(x_n + 2 x_{n-1} + \ldots 2^{n-1} x_1 \right) \end{eqnarray*} So, letting $\omega = e^{\frac{2i\pi}{N}}$, we can write the transform as: \begin{eqnarray*} (x_1, \ldots x_n) \longrightarrow &\frac{1}{\sqrt{N}}& \left( \state{0} + \omega^{x_n 2^{n-1}} \state{1} \right)\\ &\tensor& \left(\state{0} + \omega^{x_{n-1} 2^{n-1} + x_n 2^{n-2}} \state{1} \right)\\ & \vdots & \\ & \tensor& \left( \state{0} + \omega^{x_n + 2 x_{n-1} + \ldots +x_1 2^{n-1}} \state{1} \right) \end{eqnarray*} So, for bit $y_n$ of the output, we can construct the sequence of gates: \begin{center} \begin{picture}(250,100) \put(0,10){$x_n$} \put(0,20){$x_{n-1}$} \put(0,30){$\vdots$} \put(0,45){$x_3$} \put(0,55){$x_2$} \put(0,65){$x_1$} \put(40,60){\framebox(10,10){H}} \put(70,60){\framebox(35,15){$R_{\omega^{2^{n-2}}}$}} \put(120,60){\framebox(35,15){$R_{\omega^{2^{n-3}}}$}} \put(200,60){\framebox(35,15){$R_{\omega^{2^{n}}}$}} \put(15,10){\line(1,0){240}} \put(25,20){\line(1,0){230}} \put(15,45){\line(1,0){240}} \put(15,55){\line(1,0){240}} \put(15,65){\line(1,0){25}} \put(50,65){\line(1,0){20}} \put(105,65){\line(1,0){15}} \put(155,65){\line(1,0){15}} \put(185,65){\line(1,0){15}} \put(235,65){\line(1,0){20}} \put(172,65){$\ldots$} \put(88,60){\line(0,-1){5}} \put(138,60){\line(0,-1){15}} \put(218,60){\line(0,-1){50}} \put(88,55){\circle*{2}} \put(138,45){\circle*{2}} \put(218,10){\circle*{2}} \put(260,65){$y_n$} \end{picture} \end{center} where $R_{\omega^i}$ is the gate represented by the unary transform $$\left( \begin{array}{cc} 1 & 0 \\ 0 & \omega^i \\ \end{array} \right) $$ We then obtain bit $y_{n-1}$ in a similar way from bits $x_{2}, \ldots, x_{n}$, and so on. \section{Sufficiency of these Transforms} \label{sec:last} [\textbf{Scribe note:} Due to time constraints, the lecturer gave only a proof sketch of this.] Since we can only use transforms where the size is a power of 2, that's exactly what we do when actually performing Shor's algorithm. Replace $QFT_{p-1}$ with $QFT_{2^n}$, where $30 (p-1) \log p < 2^n < 60 (p-1) \log p$. Then, if we get $(c,d)$ out of the first algorithm, there is a non-negligible chance that we get: % $$ \left( \ceiling{\frac{2^n}{p-1} c}, \ceiling{\frac{2^n}{p-1} d} \right)$$ How much of a chance? We will see the pair on the right with probability at least $\frac{1}{10 \log p}\Pr[(c,d)]$. So, by using these larger transformations, we map each possible output of the original algorithm to something in a larger domain. Another way to see this is to look at the results of $$QFT_{2^n} \left( QFT_{p-1}^{-1} \left( \state{c} \right) \right)$$ Before we measure, we get out some superposition $$ \sum_{c' = 0}^{2^n} \beta_{c'} \state{c'}$$ where $\beta_{c'}$ is distributed nicely. If you graph the distribution\footnote{ Which I can't do easily in LaTeX...} of $\beta_{c'}$, you'll see that it is close to zero almost everywhere, with all the non-zero amplitudes in a nice bell-like distribution centered at $\ceiling{\frac{2^n c}{p-1}}$, with a width of $\frac{2^n}{p-1}$. In other words, using the calculable transformations instead of the exact transformations will give you results ``close'' to those from the exact algorithm. \end{document}