Lecture 20

In-class notes: CS 505 Spring 2025 Lecture 20

Set Lower Bound IP

Building off of our discussion from last lecture, what we want is a set lower bound protocol. Let $S$ be some set that is known to both the prover $P$ and verifier $V$, in the following sense.

• $P$ knows $S$ explicitly.
• $V$ can certify membership in $S$ with a certificate (e.g., like an NP language).

The set lower bound protocol, due to Goldwasser and Sipser, will be a public coin protocol that proves $|S|\ge k$ for some $k$. The protocol will have the following guarantees:

1. If $|S|\ge k$, then $V$ accepts with probability at least $2/3$;
2. If $|S|\le k/2$, then $V$ rejects with probability at least $2/3$ for any prover strategy $P^{\ast }$.

Tool: Pairwise-Independent Hash Functions

Before we can describe the protocol, we need a technical tool. The protocol will require something called a pairwise-independent hash function family (also known as $2$-wise independent or $2$-universal).

Definition. Let ${\mathcal{H}}_{n,k}$ be a family of functions $h:\{0,1{\}}^n\to \{0,1{\}}^k$. We say that ${\mathcal{H}}_{n,k}$ is pairwise-indepedent if for all $x\ne x^{\prime }\in \{0,1{\}}^n$ and for all $y,y^{\prime }\in \{0,1{\}}^k$, it holds that $$\underset{h\stackrel{\$}{\leftarrow }{\mathcal{H}}_{n,k}}{\mathrm{Pr}}[h(x)=y\wedge h(x^{\prime })=y^{\prime }]=\frac{1}{2^{2k}}.$$

Example. The following hash function family is pairwise independent. Let $\mathbb{F}=\mathbb{GF}(2^n)$ be a finite field of size $2^n$.¹ Define a hash function family $\mathcal{H}$ as follows. $${\mathcal{H}}_{n,n}=\{h(X)=a\cdot X+b|a,b\in \mathbb{F}\}.$$ In fact, we can define it as ${\mathcal{H}}_{n,k}$ for any $k\le n$, where it is identical to ${\mathcal{H}}_{n,n}$ except each function $h$ truncates the output to $k$ bits.

The Set LB Protocol

We now describe the protocol.

Setup.

• Let $S\subset \{0,1{\}}^m$ for some $m$ be a set with efficient membership certification (i.e., an NP language).
• Let $k\in {\mathbb{Z}}^{+}$ be a parameter and let $\ell \in {\mathbb{Z}}^{+}$ such that $2^{\ell -2}<k\le 2^{\ell -1}$.
• Let ${\mathcal{H}}_{m,\ell }$ be a pairwise-independent hash function family.

Goal. If $|S|\ge k$, then $V$ accepts with probability $\ge 2/3$, and if $|S|\le k/2$, then $V$ rejects with probability $\ge 2/3$.

Protocol.

1. $V$ samples $h\stackrel{\$}{\leftarrow }{\mathcal{H}}_{m,\ell }$ and $y\stackrel{\$}{\leftarrow }\{0,1{\}}^{\ell }$. $V$ sends $(h,y)$ to $P$.
2. $P$ computes a certificate $w$ for the statement “$x\in S$”, and finds $x\in S$ such that $h(x)=y$. $P$ sends $(x,w)$ to $V$.
3. $V$ outputs $1$ if and only if $h(x)=y$ and $w$ is a valid certificate for $x\in S$.

Completeness and Soundness. Showing completeness and soundness of this protocol will rely on the following claim.

Claim. If $|S|\le 2^{\ell }/2$, then for $p=|S|/2^{\ell }$, we have $$\frac{3}{4}p\le \underset{h,y}{\mathrm{Pr}}[\exists x\in S:h(x)=y]\le p,$$ where $h\in {\mathcal{H}}_{m,\ell }$ and $y\in \{0,1{\}}^{\ell }$, and the probability is taken to be uniform.

Proof. First, we show the upper bound. Notice that for any function $h$, we have that $|h(S)|\le |S|$; that is, $|\{y:y=h(s),s\in S\}|\le |S|$. In other words, it doesn’t matter which $h$ we sample from ${\mathcal{H}}_{m,\ell }$. This tells us $$\underset{h,y}{\mathrm{Pr}}[\exists x\in S:h(x)=y]\le \sum _{x\in S}\underset{h,y}{\mathrm{Pr}}[h(x)=y]\le \frac{|S|}{2^{\ell }}=p.$$

Now, we show the upper bound. For $x\in S$, let $E_x$ be the event “$h(x)=y$” Then, we can rewrite the probability as $$\underset{h,y}{\mathrm{Pr}}[\exists x\in S:E_x]=\underset{h,y}{\mathrm{Pr}}[{\cup }_{x\in S}{E}_x].$$ By the inclusion-exclusion principle, we can lower bound this as $$\underset{h,y}{\mathrm{Pr}}[{\cup }_{x\in S}{E}_x]\ge \sum _{x\in S}\underset{h,y}{\mathrm{Pr}}[E_x]-\frac{1}{2}\sum _{x\ne x^{\prime }\in S}\underset{h,y}{\mathrm{Pr}}[E_x\cap E_{x^{\prime }}].$$ Recall that $E_x$ is the event “$h(x)=y$.” Therefore, $E_x\cap E_{x^{\prime }}$ is the event “$h(x)=y\wedge h(x^{\prime })=y$” for $x\ne x^{\prime }$. By definition, $h$ is drawn from a family of pairwise independent hash functions, so we have $$\begin{array}{c}\underset{h,y}{\mathrm{Pr}}[E_x]=2^{-\ell };\\ \underset{h,y}{\mathrm{Pr}}[E_x\cap E_{x^{\prime }}|x\ne x^{\prime }]=2^{-2\ell }.\end{array}$$

Therefore, we have $$\begin{array}{rl}\underset{h,y}{\mathrm{Pr}}[{\cup }_{x\in S}{E}_x]& \ge \sum _{x\in S}\underset{h,y}{\mathrm{Pr}}[E_x]-\frac{1}{2}\sum _{x\ne x^{\prime }\in S}\underset{h,y}{\mathrm{Pr}}[E_x\cap E_{x^{\prime }}]\\ & \ge \frac{|S|}{2^{\ell }}-\frac{1}{2}\cdot \frac{|S{|}^2}{2^{-2\ell }}\\ & =\frac{|S|}{2^{\ell }}\left(1-\frac{|S|}{2^{\ell +1}}\right)\\ & \ge \frac{3}{4}\cdot \frac{|S|}{2^{\ell }}=\frac{3}{4}\cdot p.\end{array}$$ This establishes the lower bound. $\square$

So, what does this tell us? Well, as in the protocol, let $\ell$ be an integer such that $2^{\ell -2}<k\le 2^{\ell -1}$.

1. If $|S|=k\le 2^{\ell -1}=2^{\ell }/2$, then we know that $$\begin{array}{rl}\underset{h,y}{\mathrm{Pr}}[\exists x\in S:h(x)=y]& \ge \frac{3}{4}\cdot \frac{|S|}{2^{\ell }}=\frac{3}{4}\cdot \frac{k}{2^{\ell }}\\ & >\frac{3}{4}\cdot \frac{2^{\ell -2}}{2^{\ell }}=\frac{3}{16}\end{array}$$ Note that this case corresponds to the honest prover case, and we can boost $3/16$ to greater than $2/3$ probability using a constant number of parallel repetitions.

2. If $|S|\le k/2$, then $$\begin{array}{rl}\underset{h,y}{\mathrm{Pr}}[\exists x\in S:h(x)=y]& \le \frac{|S|}{2^{\ell }}\le \frac{k}{2^{\ell +1}}\\ & \le \frac{2^{\ell -1}}{2^{\ell +1}}=\frac{1}{4}<\frac{1}{3}.\end{array}$$ Note that this case corresponds to any dishonest prover.

Final Public-coin GNI Protocol

With the set lower bound protocol, we can now give a public-coin protocol for GNI. To do so, we first modify the definition of the set $S$ from before to the following set. $$S=\{(H,\pi ):(H\cong G_0\vee H\cong G_1)\wedge \pi \in \mathrm{aut}(H)\}$$ Here, $\pi \in \mathrm{aut}(H)$ is an automorphism of $H$; that is, $\pi$ is a permutation such that $\pi (H)=H$ and $\pi$ is not the identity permutation. We need this set of pairs $(H,\pi )$ explicitly to handle the case when $G_0$ or $G_1$ have less than $n!$ equivalent graphs. Notice also that membership in $S$ is again easy (i.e., polynomial-time) verifiable given some certificate $w$ (i.e., $\pi$ and some other permutation $\sigma$ for isomorphism between $H$ and one of the graphs).

Under our new definition of $H$, we have that $|S|=n!$ if $G_0\cong G_1$ and $|S|=2n!$ if $G_0\ncong G_1$. Notice there is a factor of two difference between these two cases, so we will be able to use the set lower bound protocol to prove that $G_0\ncong G_1$.

Setup.

• Set $k=2n!$ and choose $\ell$ such that $2^{\ell -2}<k\le 2^{\ell -1}$.
• Choose some pairwise independent hash function family ${\mathcal{H}}_{m,\ell }$, where $m$ is the maximum number of bits needed to encode any element $(H,\pi )\in S$.

The Protocol.

1. The verifier $V$ samples $h\leftarrow {\mathcal{H}}_{m,\ell }$ and $y\leftarrow \{0,1{\}}^m$ uniformly at random. $V$ sends $(h,m)$ to the prover $P$.
2. $P$ finds a pair $(H,\pi )\in S$ such that $h(H,\pi )=y$, and computes $\sigma$ such that $\sigma (H)=G_0$ or $\sigma (H)=G_1$. $P$ sends $(H,\pi ,\sigma )$ to $V$.
3. $V$ checks (a) $h(H,\pi )=y$; (b) $\pi (H)=H$, (c) $\pi \ne \text{identity}$; and (d) $\sigma (H)=G_0$ or $\sigma (H)=G_1$.

Note this is just the set lower bound protocol! In particular, we have shown:

Theorem. $\mathrm{GNI}\in \mathbf{AM}[2]$.

We’ll now define what the class $\mathbf{AM}$ is.

Arthur-Merlin Protocols

Arthur-Merlin protocols (named after the fabled King of England and his court Wizard) are simply public-coin interactive proofs, like we saw above.

Definition. For any $k\ge 2$, $\mathbf{AM}[k]\subseteq \mathbf{IP}[\lceil k/2\rceil ]$ with the following properties:

1. $V$ sends the first message and $P$ and $V$ exchange exactly $k$ messages;
2. All of $V$’s messages are uniformly and independently random bits; and
3. $V$’s output only depends on these random coins, $P$’s messages, and the common public input (i.e., $V$ has no hidden state to make its decision).

The following is commonly used notation for $\mathbf{AM}$ protocols.

• $\mathbf{AM}[2]=\mathbf{AM}$
• $\mathbf{AM}[3]=\mathbf{AMA}$
• $\mathbf{AM}[4]=\mathbf{AMAM}$
• $\cdots$
• $\mathbf{AM}[2\ell ]=\mathbf{AMAM}\dots \mathbf{AM}$
• $\mathbf{AM}[2\ell +1]=\mathbf{AMAM}\dots \mathbf{AMA}$

Note that there is also the class $\mathbf{MA}[k]$, which is identical to $\mathbf{AM}[k]$ except the prover $P$ speaks first.

Properties of AM Protocols

1. $P$ does not see all the randomness sampled by $V$ all at once; it gets it in a round-by-round fashion.
2. You are asked to show on your homework that $\mathbf{AM}[2]=\mathbf{BP}\cdot \mathbf{NP}$. Notably, it also holds that $\mathbf{AM}[2]\subseteq {\Sigma }_3^p$.
3. For all $k=\Theta (1)\ge 2$, it holds that $\mathbf{AM}[k]=\mathbf{AM}[2]$. This is surprising since $\mathbf{AM}[k]$ has a ${\Pi }_k^p$-like structure.
4. For any slowly growing function $\sigma (n)$ (e.g., $\sigma (n)=\log \log (n)$), it is unknown if $\mathbf{AM}[\sigma (n)]$ has any “nice” characterization.

Equivalence of Public- and Private-coin Protocols

By definition, $\mathbf{AM}[k]\subseteq \mathbf{IP}[\lceil k/2\rceil ]$. And on an intuitive level, it feels that private-coin protocols should have more power than public-coin ones. However, we have already seen an example where they are equivalent: the public-coin protocol for GNI. We’ll see in our next lecture that public- and private-coin protocols are equivalent. Namely, we’ll show the following.

Theorem. For all $k(n)$ computable in $\mathrm{poly}(n)$ time, it holds that $\mathbf{IP}[\lceil k/2\rceil ]\subseteq \mathbf{AM}[k+2]$.

1. For example, $\mathbb{F}={\mathbb{F}}_2[X]/(X^n+X+1)$. ↩