CS294 - Foundations of Probabilistic Proofs
1
2020.08.27
Interactive Proofs 1 [intro video] [intro slides] [video] [slides]
- introduction to the course
- definition of interactive proofs
- GNI is contained in IP (with private coins)
- IP is contained in PSPACE
Formulation of interactive proofs:
- Babai 1985: Trading group theory for randomness
- Goldwasser Micali Rackoff 1989: The knowledge complexity of interactive proof systems
Video:
- Proofs, Secrets, and Computation (by Silvio Micali)
2
2020.09.01
Interactive Proofs 2 [video] [slides]
- sumcheck protocol
- coNP contained in IP
- arithmetization for UNSAT
- P#P contained in IP
- arithmetization for #SAT
The sumcheck protocol:
3
2020.09.03
Interactive Proofs 3 [video] [slides]
- definition of QBF
- PSPACE is contained in IP
- TQBF is the starting point
- arithmetization of formula and quantifiers
- Shamir's protocol (with Shen's degree reduction)
- TQBF is PSPACE-complete
Shamir's protocol:
Additional:
4
2020.09.08
Interactive Proofs 4 [video] [slides]
- private coins vs public coins
- definition of AM[k] and MA[k]
- GNI is contained in AM[2]
- reduction to approximate counting
- approximate counting via pairwise-independent hashing
- IP[k] is contained in AM[k+2]
- high-level intuition only
Goldwasser--Sipser transformation:
- Goldwasser Sipser 1986: Private coins versus public coins in interactive proof systems
- emulating any interactive proof, with public coins
Additional:
- Goldreich Leshkowitz 2016: On emulating interactive proofs with public coins
- an alternative emulation that is more efficient than GS86
- Furer Goldreich Mansour Sipser Zachos 1989: On completeness and soundness in interactive proof systems
- achieving perfect completeness for AM
- IP with perfect soundness is in NP
5
2020.09.10
Interactive Proofs 5 [video] [slides]
- IPs with bounded communication/randomness
- complexity classes IP[p,v,r] and AM[p,v,r] (prover bits ≤ p, verifier bits ≤ v, random bits ≤ r)
- IP[p,v,r] is contained in DTime(2^{O(p+v+r)}·poly)
- compute value of game tree
- IP[p,v] is contained in BPTime(2^{O(p+v)}·poly)
- approximate value of game tree (sub-sample by random tapes)
- proof via Chernoff bound and union bound
- AM[p] is contained in BPTime(2^{O(p log p)}·poly)
- approximate value of game tree (sub-sample by transcript-consistent next messages)
- refine previous analysis via hybrids
- IP[p] is contained in BPTime(2^{O(p log p)}·poly)^NP
- (sketch) as above but transcript consistency is harder
The results presented in class:
Additional results:
- Boppana Håstad Zachos 1987: Does co-NP have short interactive proofs?
- Goldreich Vadhan Wigderson 2002: On interactive proofs with a laconic prover
6
2020.09.15
Interactive Proofs 6 [video] [slides]
- inefficiency of Shamir's protocol
- honest prover in Shamir's protocol is 2^{O(n^2)}
- honest prover in Shen's protocol is 2^{O(n)}
- T-time S-space machines yield 2^{O(S log T)}-time provers
- doubly-efficient interactive proofs
- motivation of delegation of computation
- theorem statement for log-space uniform circuits
- low-degree extensions (univariate and multivariate)
- bare bones protocol for layered circuits
- one sumcheck per layer
The result presented in class:
A survey:
Additional on implementations of GKR's protocol:
- Cormode Mitzenmacher Thaler 2012: Practical verified computation with streaming interactive proofs
- Thaler Roberts Mitzenmacher Pfister 2012: Verifiable computation with massively parallel interactive proofs
- Thaler 2013: Time-optimal interactive proofs for circuit evaluation
- Wahby Howald Garg Shelat Walfish 2015: Verifiable ASICs
Additional on doubly-efficient interactive proofs:
- Reingold Rothblum Rothblum 2016: Constant-round interactive proofs for delegating computation
- Rothblum 2016: talk on the work above (basic)
- Rothblum 2016: talk on the work above (more technical)
7
2020.09.17
Interactive Proofs 7 [video] [slides]
- IP for GI
- definition of honest-verifier zero knowledge (HVZK)
- the IP for GI is HVZK
- definition of malicious-verifier zero knowledge (ZK)
- the IP for GI is ZK
- PZK ⊆ SZK ⊆ CZK
- towards SZK ⊆ coAM
- running simulator when x ∉ L
- IP for GI → IP for GNI (!)
On zero knowledge:
- Goldwasser Micali Rackoff 1989: The knowledge complexity of interactive proof systems
- Goldreich 2010: Zero knowledge - a tutorial
- Fortnow 1987: The complexity of perfect zero-knowledge
Video:
- Zero knowledge probabilistic proof systems (by Shafi Goldwasser)
8
2020.09.22
Probabilistically Checkable Proofs 1 [video] [slides]
- definition of a PCP verifier
- the complexity class PCP_{c,s}[r,q]_Σ
- simple class inclusions
- delegation of computation via PCPs
- PSPACE ⊆ PCP
Video:
New York Times article about the PCP Theorem:
9
2020.09.24
Probabilistically Checkable Proofs 2 [video] [slides]
- exponential-size PCPs
- NP ⊆ PCP_{1,0.5}[poly(n),O(1)]_{{0,1}}
- good query complexity, bad proof length
- linear PCPs
- the complexity class LPCP_{c,s}[l,r,q]_Σ
- NP ⊆ LPCP_{1,0.75}[O(n^2),O(m+n),4]_{{0,1}}
The exponential-size constant-query PCP is the inner PCP in this paper:
- Arora Lund Motwani Sudan Szegedy 1998: Proof verification and the hardness of approximation problems
10
2020.09.29
Probabilistically Checkable Proofs 3 [video] [slides]
- compiling any LPCP into a PCP
- self-correction
- linearity testing
- BLR test
- analysis via majority decoding
Main:
Additional:
- Bellare Coppersmith Håstad Kiwi Sudan 1996: Linearity testing in characteristic two
- first connection of Fourier analysis and testing
Video:
11
2020.10.01
Probabilistically Checkable Proofs 4 [video] [slides]
- NP ⊆ PCP[log, polylog] (up to low-degree testing)
- start from satisfiability of quadratic equations
- amplify gap via an error-correcting code
- arithmetization via Reed--Muller instead of Hadamard
- reduce to sumcheck problem
Main:
12
2020.10.06
Probabilistically Checkable Proofs 5 [video] [slides]
- NP ⊆ PCP[log, polylog] with low-degree testing
- definition of low-degree testing
- univariate polynomials
- d+2 random points (any ε)
* [S92, Section 3.1.1]
- d+2 random evenly-spaced points (ε ~ 1/d^2)
* [S92, Section 3.1.2]
- multivariate polynomials
- total degree via random lines (ε ~ 1/d^2)
* [S92, Section 3.2.1]
Main:
Additional:
- Arora Safra 1998, Section 4
- Sudan 1992: Efficient checking of polynomials and proofs and the hardness of approximation problems
13
2020.10.08
PCPs with Sublinear Verification 1 [video] [slides]
- NEXP ⊆ PCP[poly, poly]
- why last lecture's approach fails
* verifier would run in exponential time
- definition of oracle satisfiability (OSAT)
* [BFL90, Definition 4.1]
- OSAT is NEXP-complete
* [BFL90, Proposition 4.2]
- OSAT to zero testing
- zero testing to sumcheck
* Method 1: via random evaluation [BFLS91, Section 5.2]
* Method 2: via additional polynomials [BS08, Lemma 4.11]
Main:
14
2020.10.13
PCPs with Sublinear Verification 2 [video] [slides]
- NTIME(T) ⊆ PCP[ptime=poly(T), vtime=poly(n,log(T))]
- low-degree extension with H of logarithmic size
* [BFLS91, Section 4.1]
- low-degree projection polynomials to obtain bits
* [BFLS91, Section 6]
- PCP-based delegation of computation
Main:
- Babai Fortnow Levin Szegedy 1991: Checking computations in polylogarithmic time
- Kilian 1992: A note on efficient zero-knowledge proofs and arguments
- Micali 1994: Computationally sound proofs
15
2020.10.15
Interactive Oracle Proofs 1 [video] [slides]
- definition of the IOP model
- PCP as a special case of IOP
- IP as a special case of IOP
- IOP=NEXP
- IOP-based delegation of computation
IOP model and its compilation into non-interactive arguments:
16
2020.10.20
Interactive Oracle Proofs 2 [video] [slides]
- linear-size IOPs for arithmetic computations
- R1CS(𝔽) ∈ IOP[k=O(log n),l=O(n),q=O(log n)]_𝔽
- the Reed--Solomon encoding
- univariate sumcheck
IOPs for R1CS(𝔽):
Additional on IOPs for CSAT(𝔽_2):
17
2020.10.22
Interactive Oracle Proofs 3 [video] [slides]
- testing proximity to the Reed--Solomon code
- the main challenges
- the FRI protocol
FRI protocol:
18
2020.10.27
Interactive Oracle Proofs 4 [video] [slides]
- soundness analysis of the FRI protocol
FRI protocol:
Additional reading:
- Ben-Sasson Kopparty Saraf 2018: Worst-case to average case reductions for the distance to a code
- Ben-Sasson Goldberg Kopparty Saraf 2019: DEEP-FRI: sampling outside the box improves soundness
- Ben-Sasson Carmon Ishai Kopparty Saraf 2020: Proximity Gaps for Reed--Solomon Codes
19
2020.10.29
Interactive Oracle Proofs 5 [video] [slides]
- automata computations over fields
- linear-size IOP for automata computations (with succinct verification)
- machines as time trace + memory trace
- permutation check
Main:
- Ben-Sasson Bentov Horesh Riabzev 2018: Scalable, transparent, and post-quantum secure computational integrity
- Ben-Sasson Chiesa Goldberg Gur Riabzev Spooner 2019: Linear-Size Constant-Query IOPs for Delegating Computation
20
2020.11.03
Proof Composition 1 [video] [slides]
- definition of robust PCPs/IOPs
- definition of PCPs/IOPs of proximity
- proof composition theorem (non-interactive and interactive)
Main:
- Ben-Sasson Goldreich Harsha Sudan Vadhan 2006: Robust PCPs of proximity, shorter PCPs, and applications to coding
- Dinur Reingold 2006: Assignment testers: towards a combinatorial proof of the PCP Theorem
- Ben-Sasson Chiesa Gabizon Riabzev Spooner 2016: Interactive oracle proofs with constant rate and query complexity
21
2020.11.05
Proof Composition 2 [video] [slides]
- definition of robust PCP
- robustification
- query bundling
- construction of a robust PCP
Robustification:
Additional on O(1)-query tests:
- Section 7.2 of Arora Lund Motwani Sudan Szegedy 1998: Proof verification and the hardness of approximation problems
22
2020.11.10
Proof Composition 3 [video] [slides]
- definition of PCP of proximity (PCPP)
- PCPP from local decoder and special PCP
- exp-size constant-query PCPP for NP
- poly-size polylog-query PCPP for NP
- PCP Theorem via proof composition
Main:
- Ben-Sasson Goldreich Harsha Sudan Vadhan 2006: Robust PCPs of proximity, shorter PCPs, and applications to coding
- Dinur Reingold 2006: Assignment testers: towards a combinatorial proof of the PCP Theorem
23
2020.11.12
Parallel Repetition [video] [slides]
- reducing queries at expense of alphabet size
- 2-query PCPs vs 2-player 1-round games
- Verbitsky's Theorem
Main on parallel repetition:
Counterexamples:
- Feige 1991: On the success probability of the two provers in one-round proof systems
- Feige Verbitsky 1996: Error reduction by parallel repetition: a negative result
Additional on explicit bounds for Furstenberg–Katznelson:
24
2020.11.17
Limitation of PCPs and IOPs [video] [slides]
- statement of the Parallel Repetition Theorem (exponential decay)
- statement of the Sliding Scale Conjecture
- limitations of PCPs with respect to soundness error
- limitations of IOPs with respect to soundness error
Main:
- Raz 1998: A parallel repetition theorem
- Moshkovitz 2019: Sliding scale conjectures in PCP
- Chiesa Yogev 2020: Barriers for succinct arguments in the random oracle model
Towards the sliding scale conjecture:
- Bellare Goldwasser Lund Russell 1991: Efficient probabilistically checkable proofs and applications to approximations
- Dinur Fischer Kindler Raz Safra 1999: PCP characterizations of NP: Toward a polynomially-small error-probability
- Moshkovitz 2016: Low degree test with polynomially small error
25
2020.11.19
Holographic Proofs [video] [slides]
- sublinear verification for any computation
- offline/online model
- from holography to preprocessing
- holographic PCP for NP
- holographic IOP for NP
Main:
- Chiesa Hu Maller Mishra Vesely Ward 2020: Marlin: Preprocessing zkSNARKs with universal and updatable SRS
- Chiesa Ojha Spooner 2020: Fractal: Post-quantum and transparent recursive proofs from holography
X
2020.11.24
No class (Thanksgiving week).
X
2020.11.26
No class (Thanksgiving week).
26
2020.12.01
Class Project Presentations 1
27
2020.12.03
Class Project Presentations 2
X
2020.12.08
No class (RRR week).
X
2020.12.10
No class (RRR week).