PHYS771 Lecture 16: Interactive Proofs and More

Scribe: Chris Granade

Last lecture, I ended by giving you a puzzle problem: can I do ornithology without leaving my office?

I want to know if all ravens are black. The old-fashioned approach would involve *going outside*, looking for a bunch of ravens and seeing if they're black or not. The more modern approach: look around the room at all of the things which are not black and note that they also are not ravens. In this way, I become increasingly convinced that *all* not-black things are not ravens, or equivalently, that all ravens are black. Can I be a leader in the field of ornithology this way?

A:Well, when you're doing the not-black things, there's a lot more possible observations. You could get the same effect as measuring millions of not-black things by measuring just one raven.

Scott:Yeah, I think that's a large part of it. Anyone else?

A:You wouldn't be getting a good random sample of non-black things by just sitting in your office.

Scott:I wouldn't be getting a random sample of all ravens either. I'd be getting some of those ravens that live in Waterloo.

Something completely tangential that I'm reminded of: there's this game where you're given four cards, each of which you're promised has a letter on one side and a number on the other. If what you can see of the cards is shown in the figure below, which cards do you need to flip over to test the rule that *all cards with a K on one side have a 3 on the other*?

Anyway, the point is that there are many, many more not-black things then there are ravens, so if there were a pair (raven, not-black), then we would be *much* more likely to find it by randomly sampling a raven then sampling a not-black thing. Therefore, if we sample ravens and fail to find a not-black raven, then we're much more confident in saying that "all ravens are black," because our hypothesis had a much higher chance of being falsified by sampling ravens.

Interactive Proofs

Why should we in quantum computing care about interactive proofs? I'll answer this question in a rather unconventional way, by asking a different question: *can quantum computers be simulated efficiently by classical computers?*

I was talking to Ed Fredkin a while ago, and he said that he believes that the whole universe is a classical computer and thus everything can be simulated classically. But instead of saying that quantum computing is impossible, he takes things in a very interesting direction, and says that BQP must be equal to P. Even though we have factoring algorithms for quantum computers that are faster than known classical algorithms, that doesn't mean that there isn't a fast classical factoring algorithm that we don't know about. On the other side you have David Deutsch, who makes an argument that we've talked about several times before: if Shor's Algorithm doesn't involve these "parallel universes," then *how* is it factoring the number? Where was the number factored, if not using these exponentially many universes? I guess one way that you could criticize Deutsch's argument (certainly not the only way), is to say he's assuming that there *isn't* an efficient classical simulation. We believe that there's no way for Nature to perform the same computation using polynomial classical resources, but we don't know that. We can't prove that.

Q:How many people have tried to prove that you can't classically simulate a quantum computer?

Scott:I don't even know that anyone has looked specifically at this question or tried to prove this directly. The crucial point is that if you could prove that P≠BQP, then you would have also proved that P≠PSPACE. (Physicists might think it's obvious these classes are unequal and it doesn't even require proof, but that's another matter...) As for going in the other direction and proving P = BQP, I guess peoplehavetried that. I don't know if I should say this in public, but I've even spent a day or two on it. It would at least be nice to put BQP in AM, or the polynomial hierarchy---some preliminary fact like that. Unfortunately, I think we simply don't yet understand efficient computation well enough to answer such questions, completely leaving aside the quantum aspect.

The question is, if P≠BQP, P≠NP, etc., why can't anyone prove these things? There are several arguments that have been given for that. One of them is **relativaztion**. We can talk about giving a P computer and a BQP computer access to the same oracle. That is, give them the same function that they can compute in a single computation step. There will exist an oracle that makes them equal and there will exist another oracle that makes them unequal. The oracle that makes them equal, for example, could just be a PSPACE oracle which kind of sandwiches everything and just makes everything equal to PSPACE. The oracle that makes them unequal could be an oracle for Simon's Problem, or some period-finding problem that the quantum computer can solve but the classical one can't. Then, you see that any proof technique is going to have to be sensitive to the presence of these oracles. This doesn't sound like such a big deal until you realize that almost every proof technique we have is *not* sensitive to the presence of oracles. It's very hard to come up with a technique that *is* sensitive, and that---to me---is why interactive proofs are interesting. This is the one clear and unambiguous example I can show you of a technique we have that doesn't relativize. In other words, we can prove that something is true, which wouldn't be true if you just gave everything an oracle. You can see this as the foot in the door or the one distant point of light in this cave that we're stuck in. Through the interactive proof results, we can get a tiny glimmer of what the separation proofs would eventually have to look like if we ever came up with them. The interactive proof techniques seem much too weak to prove anything like P≠NP, or else you would have heard about it. (*Note:* A year after giving this lecture, Avi Wigderson and I proposed *algebrization*, which gives a formal explanation for *why* the interactive proof techniques are too weak to prove P≠NP and other basic conjectures in complexity theory.) Already, though, we can use these techniques to get some non-relativizing separation results. I'll show you some examples of that also.

Q:What about P versus BPP? What's the consensus there?

The consensus is that P and BPP actually *are* equal. We know from Impagliazzo and Wigderson that if we could prove that there exists a problem solvable in 2^{n} time that requires circuits of size 2^{Ω(n)}, then we could construct a very good pseudorandom generator; that is, one which cannot be distinguished from random by any circuit of fixed polynomial size. Once you have such a generator, you can use it to derandomize any probabilistic polynomial-time algorithm. You can feed your algorithm the output of the pseudorandom generator, and your algorithm won't be able to tell the difference between it and a truly random string. Therefore, the probabilistic algorithm could be simulated deterministically. So we really seem to be seeing a difference between classical randomness and *quantum* randomness. It seems like classical randomness really can be efficiently simulated by a deterministic algorithm, whereas quantum "randomness" can't. One intuition for this is that, with a classical randomized algorithm, you can always just "pull the randomness out" (i.e., treat the algorithm as deterministic and the random bits as part of its input). On the other hand, if we want to simulate a quantum algorithm, what does it mean to "pull the quantumness out?"

Q:I could see how, with two classes that are different, adding an oracle could kind of "boost" them up to the same level, but if two classes are the same, intuitively, how can giving them more power make them different?

Scott:That's a good question, and the key is to realize that when we feed an oracle to a class, we aren't acting on the class itself. We're acting on thedefinitionof the class. As an example, even though we believe P = BPP in the real world, it's very easy to construct an oracle O where P^{O}≠BPP^{O}. Clearly, if what we were doing was operating on the classes, then operating on two equal classes would give two results that were still equal. But that'snotwhat we're doing, and maybe the notation is confusing that way. (A rough analogy: "The third planet from the Sun is the third planet from the Sun" is a tautology, whereas "Earth is the third planet from the Sun" isnota tautology---even though, as it turns out, Earth = the third planet from the Sun.)

Q:Are there any classes that areprovablyequal, for which there's an oracle that makes them unequal?

Scott:Yes. We're going to see that today.

So let's see this one example of a non-relativizing technique. So we've got a Boolean formula (like the ones used in SAT) in *n* variables which is *not* satisfiable. What we'd like is a *proof* that it's not satisfiable. That is, we'd like to be convinced that there is no setting of the *n* variables that causes our formula to evaluate to TRUE. This is what we saw before as an example of a coNP-complete problem. The trouble is that we don't have enough time to loop through every possible assignment and check that none of them work. Now the question that was asked in the 80s was, "what if we have some super-intelligent alien that comes to Earth and can interact with us?" We don't trust the alien and its technology, but we'd like it to *prove* to us that the formula is unsatisfiable in such a way that we don't *have* to trust it. Is this possible?

Normally in computational complexity, when you can't answer a question, the first thing you do is find an oracle where the question is true or false. It's probably like what physicists do when they do perturbative calculations. You do it because it you *can*, not because it necessarily tells you what you ultimately want to know. So this is what Fortnow and Sipser did in the late 80s. They said, all right, suppose you have an exponentially long string, and the alien wants to convince you that this exponentially long string is the all-zero string. That is, that there are no 1's anywhere. So can this prover do it? Let's think of what could happen. The prover could say, "the string is all zeroes."

"Well, I don't believe you. Convince me."

"Here, this location's a zero. This one's also a zero. So is this one..."

OK, now there's only 2^{10,000} bits left to check, and so the alien says "trust me, they're all zeroes." There's not a whole lot the prover can do. Fortnow and Sipser basically formally proved this obvious intuition. Take any protocol of messages between you and the prover that terminates with you saying "yes" if you're convinced and "no" if you aren't. What we could then do is to then pick one of the bits of the string at random, surreptitiously change it to a 1, and almost certainly, the entire protocol goes through as before. You'll still say that the string is all zeroes.

As always, we can define a complexity class: IP. This is the set of problems where you can be convinced of a "yes" answer by interacting with the prover. So we talked before about these classes like MA and AM---those are where you have a *constant* number of interactions. MA is where the prover sends a message to you and you perform a probabilistic computation to check it. In AM, you send a message to the prover, and then the prover sends a message back to you and you run a probabilistic computation. It turns out that with any *constant* number of interactions, you get the same class AM, so let's be generous and allow polynomially many interactions. The resulting class is IP. So what Fortnow and Sipser did is they gave a way of constructing an oracle relative to which coNP is not in IP. They showed that, relative to this oracle, you *cannot* verify the unsatisfiability of a formula via a polynomial number of interactions with a prover. Following the standard paradigm of the field, of course we can't prove unconditionally that coNP is not in IP, but this gives us some evidence; that is, it tells us what we might *expect* to be true.

Now for the bombshell (which was discovered by Lund, Fortnow, Karloff, and Nisan): in the "real," unrelativized world, how do we show that a formula is unsatisfiable? We're going to somehow have to use the *structure* of the formula. We'll have to use that it's a Boolean formula that was explicitly given to us, and not just some abstract Boolean function. What will we do? Let's assume this is a 3SAT problem (since 3SAT is NP-complete, that assumption is without loss of generality). There's a bunch of clauses (*n* of them) involving three variables each, and we want to verify that there's no way to satisfy all the clauses. Now what we'll do is map this formula to a polynomial over a finite field. This trick is called **arithmetization**. Basically, we're going to convert this logic problem into an algebra problem, and that'll give us more leverage to work with. This is how it works: we rewrite our 3SAT instance as a product of degree-3 polynomials. Each clause---that is, each OR of three literals---just becomes 1 minus the product of 1 minus each of the literals: e.g., (x OR y OR z) becomes 1-(1-x)(1-y)(1-z). Notice that, so long as x, y, and z can only take the values 0 and 1, this polynomial is exactly equivalent to the logic expression that started with. But now, what we can do is reinterpret the polynomial as being over some much *larger* field. Pick some reasonably large prime number *N*, and we'll interpret the polynomial as being over GF_{N} (the field of *N* elements). I'll call the polynomial *P*(*x*_{1},...,*x _{n}*). Now what we want to verify is this: there are no satisfying assignments, or equivalently, that if you take

Q:Why does it follow that if the formula is unsatisfiable, then the sum evaluates to zero?

Scott:If the formula is unsatisfiable, then no matter what settingx_{1},...,xyou pick for the variables, there's going to be some clause in the formula that isn't satisfied. Hence one of the degree-3 polynomials that we're multiplying together will be zero, and hence the product will itself be zero. And since this is true for all_{n}2Boolean settings of^{n}x_{1},...,x, you'll still get zero if you sum_{n}P(x_{1},...,x) over all of them._{n}

So now what can we do? What we ask the prover to do is to sum for us over all 2^{n−1} possible settings of the variables *x*_{2}, ..., *x _{n}*, leaving

Check that *Q*_{2}(0)+*Q*_{2}(1)=*Q*_{1}(*r*_{1}), then pick another element *r*_{2} at random and send it to the prover. In response, he'll send us a polynomial *Q*_{3}(*X*). This will be a sum of *P*(*x*_{1},...,*x _{n}*) over all possible Boolean settings of

We have a bunch of tests that we're doing along the way. My first claim is that if there is no satisfying assignment, and if the prover was not lying to us, then each of the *n* tests accepts with certainty. The second claim is that if there was a satisfying assignment, then with high probability, at least one of these tests would fail. Why is that the case? The way I think of it is that the prover is basically like the girl in Rumpelstiltskin. The prover is just going to get trapped in bigger and bigger lies as time goes on until finally the lies that will be so preposterous that we'll be able to catch them. This is what's going on. Why? Let's say that, for the first iteration, the real polynomial that the prover should give us is *Q*_{1}, but that the prover gives us *Q*_{1}' instead. Here's the thing: these are polynomials of not too large a degree. The final polynomial, *P*, has degree at most three times the number of clauses. We can easily fix the field size to be larger. So let the degree *d* of the polynomial be much smaller than the field size *N*.

A quick question: suppose we have two polynomials *P*_{1} and *P*_{2} of degree *d*. How many points can they be equal at (assuming they aren't identical)? Consider the difference *P*_{1}−*P*_{2}. Since this is also a polynomial of degree at most *d*, by the Fundamental Theorem of Algebra, it can have at most *d* distinct roots (again, assuming it's not identically zero). Thus, two polynomials that are not equal can agree in at most *d* places, where *d* is the degree. This means that if these are polynomials over a field of size *N*, and we pick a random element in the field, we can bound the probability that the two will agree at that point: it's at most *d*/*N*.

Going back to the protocol, we assumed that *d* is much less than *N*, and so the probability that *Q*_{1} and *Q*_{1}' agree at some random element of the field is much less than 1. So when we pick *r*_{1} at random, the probability that *Q*_{1}(*r*_{1})=*Q*_{1}'(*r*_{1}) is at most *d*/*N*. Only if we've gotten very unlucky will we pick *r*_{1} such that these are equal, so we can go on and assume that *Q*_{1}(*r*_{1})≠*Q*_{1}'(*r*_{1}). Now, you can picture the prover sweating a little. He's trying to convince us of a lie, but maybe he can still recover. But next, we're going to pick an *r*_{2} at random. Again, the probability that he'll be able to talk himself out of the next lie is going to be at most *d*/*N*. This is the same in each of the iterations, so the probability that he can talk himself out of *any* of the lies is at most *nd*/*N*. We can just choose *N* to be big enough that this will be much smaller than 1.

Q:Why not just run this protocol over the positive integers?

Scott:Because we don't have a way of generating arandompositive integer, and we need to be able to do that. So we just pick a very large finite field.

So this protocol gives us that coNP ⊆ IP. Actually, it gives us something stronger. Does anyone see the stronger thing that it gives us?

A:Strictly contained?

Scott:No, we can't show that, though it would be nice.

A standard kind of argument shows us that the biggest IP could possibly be in our wildest dreams would be PSPACE. You can prove that anything you can do with an interactive protocol, you can *simulate* in PSPACE. Can we bring IP up? Make it bigger? What we were trying to verify was that all of these values of *P*(*x*_{1},...,*x _{n}*) summed to zero, but the same proof would go through as before if we were trying to verify that they summed to some other constant (whatever we want). So that actually lets us do counting, and shows that IP contains P

Q:Chess on ann×nboard, right?

Scott:Sure. The protocol works in particular forn= 8, but you can generalize chess to arbitrary board sizes. You just have to limit the number of moves to some polynomial inn, or else you get EXP. Then you'd needtwoprovers to convince you---which is another story!

This is already something that is---to me---pretty counterintuitive. Like I said, it gives us a very small glimpse of the kinds of techniques we'd need to use to prove non-relativizing results like P≠NP. A lot of people seem to think that the key is somehow to transform these problems from Boolean to algebraic ones. The question is how to do that. I can show you, though, how these techniques already let you get some new lower bounds. Heck, even some quantum circuit lower bounds.

First claim: if we imagine that there are polynomial-size circuits for counting the number of satisfying assignments of a Boolean formula, then there's also a way to *prove* to someone what the number of solutions is. Does anyone see why this would follow from the interactive proof result? Well, notice that, to convince the verifier about the number of satisfying assignments of a Boolean formula, the prover *itself* does not need to have more computational power than is needed to count the number of assignments. After all, the prover just keeps having to compute these exponentially large sums! In other words, the prover for ♯P can be implemented in ♯P. If you had a ♯P oracle, then you too could be the prover.
Using this fact, Lund et al. pointed out that if ♯P⊂P/poly---that is, if there's some circuit of size polynomial in *n* for counting the number of solutions to a formula of size *n*---then P^{♯P}=MA. For in MA, Merlin can give Arthur the polynomial-size circuit for solving ♯P problems, and then Arthur just has to verify that it works. To do this, Arthur just runs the interactive protocol from before, but where he plays the part of both the prover and the verifier, and uses the circuit itself to simulate the prover. This is an example of what are called *self-checking programs*. You don't have to trust an alleged circuit for counting the number the solutions to a formula, since you can put it in the role of a prover in an interactive protocol.

Now, we can prove that the class PP, consisting of problems solvable in probabilistic polynomial-time with unbounded error, does not have linear-sized circuits. (This result is originally due to Vinodchandran.) Why? Well, there are two cases. If PP doesn't even have polynomial-sized circuits, then we're done. On the other hand, if PP *does* have polynomial-sized circuits, then so does P^{♯P}, by the basic fact (which you might enjoy proving) that P^{♯P}=P^{PP}. Therefore P^{♯P} = MA by the LFKN Theorem, so P^{♯P} = MA = PP, since PP is sandwiched in between MA and P^{♯P}. But one can prove (and we'll do this shortly) that P^{♯P} doesn't have linear-sized circuits, using a direct diagonalization argument. Therefore, PP doesn't have linear-sized circuits either.

All I'm trying to say is that once you have this interactive proof result, you can leverage it to get new circuit lower bounds. For example, you can show that there's a language in the class PP that doesn't have linear-sized circuits. In fact, for *any* fixed *k*, there's a language in PP that doesn't have circuits of size *n ^{k}*. Of course, that's much weaker than showing that PP doesn't have polynomial-sized circuits, but it's something. (Note: After I gave this lecture, Santhanam improved on Vinodchandran's result, to show that for every fixed

I'd like to go back now and fill in the missing step in the argument. Let's say you wanted to show for some fixed *k* that P^{♯P} doesn't have circuits of size *n ^{k}*. How many possible circuits are there of size

But does this actually give us a non-relativizing circuit lower bound? That is, does there exist an oracle relative to which PP *has* linear-sized circuits? A couple years ago, I was able to construct such an oracle. This shows that Vinodchandran's result was non-relativizing---indeed, it's one of the few examples in all of complexity theory of an indisputably non-relativizing separation result. In other words, the relativization barrier---which is one of the main barriers to showing P≠NP---can be overcome in some very limited cases. It would be nice to overcome it in other cases, but this is what we can do.

Q:So these arguments show that there are no quadratic-size circuits for PP?

Scott:Yes. Let me put this another way: for any fixedk, there exists a languageLin PP such thatLcannot be decided by a circuit of sizeO(n). That's very different from saying that there is a single language in PP that does not have any circuits of any polynomial size. The second statement is much harder to show! If you give me your (polynomial) bound, then I find a PP problem that defeats circuits constrained by your bound, but the problem might be solvable by circuits with some larger polynomial bound. I could also defeat that larger polynomial bound, but I'd have to construct a different problem, and so on indefinitely.^{k}

While we're waiting for better circuit lower bounds in the classical case, I can tell you about the quantum case. We always have to ask about the quantum case. Here, a simple extension of the previous argument shows that not only does PP not have circuits of size *n ^{k}*, it doesn't even have

We can define a complexity class QIP: Quantum Interactive Proofs. This is the same as IP, except that now you're a quantum polynomial-time verifier, and instead of exchanging classical messages with the prover, you can exchange quantum messages. For example, you could send the prover half of an EPR pair and keep the other half, and play whatever other such games you want.

Certainly, this class is at least as powerful as IP. You could just restrict yourself to classical messages if that's what you wanted to do. Since IP = PSPACE, QIP has to be *at least* as big as PSPACE. The other thing that was proved by Kitaev and Watrous, using a semidefinite programming argument, was that QIP is contained in EXP. This is actually all we know about where QIP lies. It would be a great Ph.D. thesis for any of you to show (for example) that QIP can be simulated in PSPACE, and hence QIP=PSPACE. The exciting thing that we *do* know (also due to Kitaev and Watrous) is that any quantum interactive protocol can be simulated by one that takes place in *three rounds*. In the classical case, we had to play this whole Rumpelstiltskin game, where we kept asking the prover one question after another until we finally caught him in a lie. We had to ask the prover polynomially many questions. But in the quantum case it's no longer necessary to do that. The prover sends you a message, you send a message back, then the prover sends you one more message and that's it. That's all you ever need.

We don't have time today to prove why that's true, but I can give you some intuition. Basically, the prover prepares a state that looks like ∑_{r}|*r*⟩|*q*(*r*)⟩. This *r* is the sequence of all the random bits that you would use in the classical interactive protocol. Let's say that we're taking the classical protocol for solving coNP or PSPACE, and we just want to simulate it by a three-round quantum protocol. We sort of glom together all the random bits that the verifier would use in the entire protocol and take a superposition over all possible settings of those random bits. Now what's *q*(*r*)? It's the sequence of messages that the prover would send back to you if you were to feed it the random bits in *r*. Now, the prover will just take the *q* register and second *r* register and will send it to you. Certainly, the verifier can check that then *q*(*r*) is a valid sequence of messages given *r*. What's the problem? Why isn't this a good protocol?

A:It could be a superposition over a subset of the possible random bits.

Right! How do we know that the prover didn't just cherry-pick *r* to be only drawn from those that he could successfully lie about? The *verifier* needs to pick the challenges. You can't have the prover picking them for you. But now, we're in the quantum world, so maybe things are better. If you imagine in the classical world that there was some way to verify that a bit is random, then maybe this would work. In the quantum world, there *is* such a way. For example, if you were given a state like

Still, the trouble is that our |*r*⟩ is entangled with the |*q*(*r*)⟩ qubits. So we can't just apply Hadamard operations to |*r*⟩---if we did, we'd just get garbage out. However, it turns out that what the verifier can do is to pick a random round *i* of the protocol being simulated---say there are *n* such rounds---and then ask the prover to *uncompute* everything after round *i*. Once the prover has done that, he's eliminated the entanglement, and the verifier can then check by measuring in the Hadamard basis that the bits for round *i* really were random. If the prover cheated in some round and didn't send random bits, this lets the verifier detect that with probability that scales inversely with the number of rounds. Finally, you can repeat the whole protocol in parallel a polynomial number of times to increase your confidence. (I'm skipping a whole bunch of details---my goal here was just to give some intuition.)

Q:So this is kind of like quantum MAM (Merlin-Arthur-Merlin)?

Scott:Yes. In the classical world, you've just got MA and AM: every proof protocol between Arthur and Merlin with a larger constant number of rounds collapses to AM. If you allow a polynomial number of rounds, then you go up to IP (which equals PSPACE). In the quantum world, you've QMA, QAM and then QMAM which is the same as QIP. There's also another class, QIP[2], which is different from QAM in that Arthur can send any arbitrary string to Merlin (or even a quantum state) instead of just a random string. In the classical case, AM and IP[2] are the same, but in the quantum case, we have no idea.

That's our tour of interactive proofs, so I'll end with a puzzle for next week. God flips a fair coin. Assuming that the coin lands tails, She creates a room with a red-haired person. If the coin lands heads, She creates two rooms: one has a person with red hair and the other has a person with green hair. Suppose that you know that this is the whole situation, then wake up to find a mirror in the room. Your goal is to find out which way the coin landed. If you see that you've got green hair, then you know right away how the coin landed. Here's the puzzle: if you see that you have red hair, what is the probability that the coin landed heads?

[Discussion of this lecture on blog]