Lecture 19

In-class notes: CS 505 Spring 2025 Lecture 19

Interactive Proofs

Recall the definition of NP with respect to deterministic Turing machines (i.e., verifiers). $$\mathbf{NP}=\{L|\exists \text{poly-time DTM }{M}_L\text{ s.t. }x\in L⟺\exists w{M}_L(x,w)=1\}$$ In some sense, the string $w$ is a “proof” that $x\in L$.

Interactive Proofs (IPs) were an attempt to re-define NP languages using interaction. Every IP is described by two interactive algorithms/Turing machines $(P,V)$. For a given language $L\in \mathbf{NP}$ (or other classes, as we will see), an IP seeks to answer/certify whether $x\in L$.

In an IP, the prover algorithm is assumed to be computationally unbounded; that is, it can perform any computation, even decide undecidable problems. However, we restrict the verifier to be strictly polynomial-time in the length of the input to the protocol $x$. We restrict ourselves to the protocol format described in the above picture, where the protocol has $k$ rounds and has $2k+1$ messages, where $P$ always sends the first and last message. Note that this model can capture when the verifier sends the first and last messages (the prover’s first and last messages are simply empty).

Every message of the prover is a function of the input $x$ and all prior messages sent in the protocol; i.e., $m_i=P(x,(m_j,c_j{)}_{j=1}^{i-1})$. Similarly, the verifier messages are a function of the input $x$ and all prior messages received in the protocol; i.e., $c_i=V(x,(m_j,c_j{)}_{j=1}^{i-1},m_i)$. The output of the protocol is denoted by $⟨P(y),V(z)⟩(x)$, where $y$ is a private input that $P$ may receive, and $z$ is a private input that $V$ may receive, and $x$ is the common/public input that both parties receive. Note that in the case that $P$ and $V$ receive a private input, then the messages each party sends are also a function of these private inputs. The output is defined as $b=V(x,(m_j,c_j{)}_{j=1}^{k-1},m_k)$, and is a bit $b$ indicating whether the verifier accepts the interaction (i.e., if $V$ should believe that $x\in L$ is a true statement).

Note that because we are restricting the verifier to be strictly polynomial time, this naturally restricts the size of all $m_i,c_i$ to be at most $\mathrm{poly}(|x|)$ bits.

Some natural questions come to mind with the above model.

1. Should $P$ and $V$ be allowed to use randomness? We will address this question soon.
2. What is an accepting or rejecting proof? We will also address this question soon.
3. Who sends the first/last message? We discussed this briefly above; it doesn’t matter too much.
4. What is the size of the proof? This is simply the total number of bits exchanged between both parties; by the above discussion, all proofs are $\mathrm{poly}(|x|)$ bits.

Deterministic IPs

In this model, we restrict both the prover and the verifier to be deterministic.

Definition. We say that a language $L$ is in the class $\mathbf{dIP}[k]$ if there exists a $k$-round ($2k+1$ message) IP $(P,V)$ such that for any $x$, $⟨P,V⟩(x)$ has the following properties:

1. (Completeness) If $x\in L$, then $⟨P,V⟩(x)=1$.
2. (Soundness) If $x\notin L$, then for any algorithm $P^{\ast }$, $⟨P^{\ast },V⟩(x)=0$.
3. (Rounds) The IP has $k(|x|)$ rounds.

The class $\mathbf{dIP}$ is defined as $\mathbf{dIP}={\cup }_{c\ge 0}\mathbf{dIP}[n^c]$.

Unfortunately, deterministic IPs are no more powerful than NP.

Theorem. $\mathbf{dIP}=\mathbf{NP}$.

Proof.

1. $\mathbf{NP}\subseteq \mathbf{dIP}$. If $L\in \mathbf{NP}$, then there exists a DTM $M_L$ running in strict polynomial time such that $x\in L$ if and only if $\exists w$ such that $M_L(x,w)=1$, which implies that $x\notin L$ if and only if $\forall w$, $M_L(x,w)=0$. In both cases, $|w|=\mathrm{poly}(|x|)$. Then, a simple dIP for $L$ is the following: (a) the prover $P$, on input $x$, simply computes a witness $w$ such that $M_L(x,w)=1$ and sends $w$ to the verifier $V$; (b) $V$ outputs $M_L(x,w)=1$. It is not hard to see that this dIP $(P,V)$ satisfies the above definition.

2. $\mathbf{dIP}\subseteq \mathbf{NP}$. Let $L\in \mathbf{dIP}$. Then, there exists a $k$-round dIP $(P,V)$ such that

   • $x\in L⟹⟨P,V⟩(x)=1$;
   • $x\notin L⟹\forall P^{\ast },⟨P^{\ast },V⟩(x)=0$; and
   • $k(|x|)=\mathrm{poly}(|x|)$.

   We construct a NP verifier $M_L$ to decide $L$. $M_L$ will simply be the final computation performed by the verifier $V$. Recall that the output of the protocol is defined as $b=V(x,(m_i,c_i{)}_{i=1}^{k-1},m_k)$. We set the witness $w=((m_i,c_i{)}_{i=1}^{k-1},m_k)$. Since $k,m_i,c_i$ are all polynomial in $|x|$ for all $i$, we have that $|w|=\mathrm{poly}(|x|)$. If $x\in L$, then there is a valid witness such that $V$ accepts, so $M_L$ will accept. If $x\notin L$, then there is no prover strategy $P^{\ast }$ that causes the verifier to accept; in other words, all possible transcripts are rejected by the verifier, so $M_L$ always rejects. $\square$

The Class IP: Random Verifiers

The above discussion tells us that dIP is no more powerful than NP. It turns out the reason is a lack of randomness in the protocol. Whereas researchers do not believe that BPP is more powerful than P, the class IP, which we define next, will be much more powerful than NP.¹

Definition. The class $\mathbf{IP}[k]$ is the set of all languages that have a $k$-round IP $(P,V)$ such that: $P$ is deterministic and computationally unbounded; $V$ is a probabilistic polynomial time (PPT) algorithm/machine (that is, $V$ runs in strict polynomial time and is allowed to sample random coins); and the following hold:

1. (Completeness) If $x\in L$ then ${\mathrm{Pr}}_V[⟨P,V⟩(x)=1]\ge 2/3$; and
2. (Soundness) If $x\notin L$, then for all $P^{\ast }$, ${\mathrm{Pr}}_V[⟨P^{\ast },V⟩(x)=1]\le 1/3$.

The class $\mathbf{IP}$ is defined as $\mathbf{IP}={\cup }_{n\ge 0}\mathbf{IP}[n^c]$.

Some notes about the above definition.

1. The verifier $V$ in the above definition is not required to reveal the random coins, and can sample coins as a function if its input and the messages it has seen so far. An IP where the verifier does not reveal its randomness to the prover is called a private coin protocol. If all the verifier messages are uniformly random strings, then it is a public coin protocol. We will see later that private coins are not necessary!
2. Does $P$ being probabilistic change the class IP? No! $P$ being computationally unbounded, for any probabilistic strategy, it can optimally compute the messages of this prover strategy to maximize the success probability of the verifier. So they are equivalent. Moreover, this can be done only using $\mathrm{poly}(|x|)$ space. Intuitively, this implies that $\mathbf{IP}\subseteq \mathbf{PSPACE}$.
3. As we will see in the below lemma, we can amplify both the completeness and soundness to be arbitrarily close to $1$, which does not change the class $\mathbf{IP}$. Moreover, the lemma below can be performed in parallel, so the resulting amplified protocol still has $k$ rounds.
4. In fact, setting the completeness probability equal to $1$ (so-called *perfect completeness) does not change the class $\mathbf{IP}$. This is a non-trivial fact!
5. On the contrary, setting the soundness error equal to $0$ collapses $\mathbf{IP}$ to $\mathbf{dIP}$.

Lemma. The class $\mathbf{IP}$ remains the same if we require completeness to hold with at least $1-2^{-n^s}$ probability and soundness to hold with at most $2^{-n^s}$ probability for fixed constant $s>0$.

Proof Sketch. Given $(P,V)$ with completeness/soundness error $1/3$, we can construct a new IP $(P^{\prime },V^{\prime })$ which runs $(P,V)$ sequentially for some number $m$ times. The output of $V^{\prime }$ is the majority of the $m$ answers obtained from $V$. Setting $m=O(n^s)$ gives us the desired result via a Chernoff bound.

IP for Graph Non-Isomorphism

To demonstrate the power of the class IP, we will give an IP for the graph non-isomorphism problem, which is in coNP. Note that we do not know if languages in coNP have short certificates, and yet we can give an IP with a polynomial sized proof and polynomial-time verification.

First, let $G_0,G_1$ both be undirected simple graphs on $n$ vertices. We say that $G_0$ is isomorphic to $G_1$, which is denoted by $G_0\cong G_1$, if you can relabel the vertices of $G_0$ and obtain the graph $G_1$. In other words, there exists a permutation $\pi$ on the set $[n]$ such that $\pi (G_0)=G_1$ (i.e., you relabel the vertices of $G_0$ according to the permutation $\pi$ and obtain the graph $G_1$).

The language of graph isomorphism, denoted as $\mathrm{GI}=\{(G_0,G_1):G_0\cong G_1\}$, is known to be in NP; it is unknown if $\mathrm{GI}$ is NP-complete (and we have evidence that it is not; we’ll see this in a later lecture). Then, $\mathrm{GNI}=\overline{\mathrm{GI}}=\{(G_0,G_1):G_0\ncong G_1\}$ is the graph non-isomorphism problem, and is in coNP.

GNI Interactive Proof

Below, we sketch the interactive proof for $\mathrm{GNI}$. Let $(G_0,G_1)$ be two $n$ vertex graphs. Our proof system $(P,V)$ will operate as follows on input $(G_0,G_1)$.

1. The verifier $V$ samples $b\leftarrow \$\{0,1\}$ uniformly at random and samples a uniformly random permutation $\sigma :[n]\to [n]$. $V$ defines $H=\sigma (G_b)$ and sends $H$ to $P$.
2. The prover $P$ receives $H$ and computes a bit $b^{\prime }$. $P$ sends $b^{\prime }$ to $V$.
3. $V$ outputs $1$ if and only if $b=b^{\prime }$.

Analysis

1. If $G_0\ncong G_1$, then no $\sigma$ exists such that $\sigma (G_0)=\sigma (G_1)$. This means that $P$, being computationally unbounded, can trivially compute $b^{\prime }=b$ from $H$; i.e., identify which graph $H$ is isomorphic to.
2. If $G_0\cong G_1$, then $P$ can only guess the correct bit $b^{\prime }$ and succeed with probability at most $1/2$.

GNI with Public Coins?

The above IP for $\mathrm{GNI}$ crucially relies on $b,\sigma$ being hidden. It is not hard to see why: if $P$ knows $b$, $P$ can always respond correctly; the same thing happens if $P$ knows $\sigma$. Can we give a $\mathrm{GNI}$ IP that uses public coins? To do so, we’ll need to take a more quantitative (but equivalent) approach to $\mathrm{GNI}$.

Let $G_0,G_1$ be two $n$ vertex graphs. Define a new set $S$ as $$S=\{H|H\cong G_0\text{ or }H\cong G_1\}.$$

Notice that it is easy to certify if $H\in S$ for any $H$: simply provide a permutation $\pi$ such that $\pi (H)=G_0$ or $\pi (H)=G_1$. Now, any graph $G$ on $n$ vertices can have at most $n!$ equivalent graphs, where a graph $G^{\prime }$ is equivalent to $G$ if $G^{\prime }\ne G$ and $G^{\prime }\cong G$. If we pretend that $G_0,G_1$ both have exactly $n!$ equivalent graphs, we know that $S$ is the set of all graphs $H$ which are equivalent to either $G_0$ or $G_1$. This leads us to the following observations.

1. If $G_0\cong G_1$, then $|S|=n!$.
2. If $G_0\ncong G_1$, then $|S|=2n!$.

These observations will be a stepping stone to obtaining a public-coin protocol for $\mathrm{GNI}$.

1. Under standard and widely believe complexity theory conjectures. ↩