INTERACTIVE PROOF FOR THE PERMANENT

equivalent to#SAT_D. In particular, if the permanent can be computedin polynomial time thenP = NP. Here we show that the permanent is random-self-reducible. The main observation usedis that if we think of perm(A)as a function of n² variables (denoting the entries of the matrixA), then by (8.16) this function is a polynomial of degreen.

Theorem 8.33(Lipton[Lip91]) There is a randomized algorithm that, given an oracle that can compute the permanent on1− _3n¹ fraction of the inputs in F^n×n (where the finite fieldFhas size>3n), can compute the permanent on all inputs correctly with high

probability. #

Proof: LetAbe some input matrix. Pick a random matrixR∈R F^n×nandletB(x)= A+x·Rfor a variablex. Notice that

• perm(B(x))is a degreenunivariate polynomial.

• For any fixeda=0,B(a)is a random matrix, and hence the probability that the oracle computesperm(B(a))correctly is at least 1−_3n¹.

Now the algorithm for computing the permanent ofAis straightforward. Fix any n+1 distinct pointsa₁,a₂,. . .,a_n+1 in the fieldandquery the oracle on all matrices {B(ai)|1 ≤ i ≤ n +1}. According to the union bound, with probability of at least 1−ⁿ⁺¹_n ≈²₃, the oracle will compute the permanent correctly on all matrices.

Recall the fact (see Theorem A.35) that givenn+1 (point, value) pairs {(ai,b_i)|i ∈ [n +1]}, there exists a unique degree n polynomial p that satisfies∀i p(a_i) = b_i. Therefore, given that the valuesB(ai)are correct, the algorithm can interpolate the polynomialB(x)andcomputeB(0)=perm(A).

The hypothesis of Theorem8.33can be weakenedso that the oracle only needs to compute the permanent correctly on a fraction of ¹₂ +εfor any constantε >0 of the inputs. This uses a stronger interpolation theorem; see Section19.6.

8.7 INTERACTIVE PROOF FOR THE PERMANENT

Although the existence of an interactive proof for the Permanent follows from that for

#SATandTQBF, we describe a specialized protocol as well. This is both for historical context (this protocol was discoveredbefore the other two protocols) andalso because this protocol may be helpful for further research.

The protocol will use the random-self-reducibility of the permanent and downward self-reducibility, a property encountered in Chapter2in the context ofSAT(see also Exercise8.9). In the case of permanent, this is the observation that

perm(A)= n i=1

a_1iperm(A1,i)

whereA_1,iis a(n−1)×(n−1)submatrix ofAobtainedby removing the first row and ith column ofA(recall that the analogous formula for the determinant uses alternating signs). Thus computing then×npermanent reduces to computingn permanents of (n−1)×(n−1)matrices.

For ease of notation, we assume the fieldFis equal to GF(p)for some primep>n, andso 1, 2,. . .,n ∈ F, andreservea_ij for the(i,j)th element of the matrix. For every n×nmatrixA, andi∈ [n], we defineD_A(i)to be the(n−1)×(n−1)matrixA_1,i. If x∈F\ [n]; then we defineD_A(x)in the unique way such that for everyj,k∈ [n−1], the function(DA(x))j,kis a univariate polynomial of degree at mostn. Note that since the permanent of an(n−1)×(n−1)matrix is a degree-(n−1)polynomial in the entries of the matrix,perm(D_A(x))is a univariate polynomial of degree at most(n−1)n<n².

8.7.1 The protocol

We now show an interactive proof for the permanent. Specifically, defineL_perm to contain all tuplesA,p,ksuch thatp>n⁴is prime,Ais ann×nmatrix over GF(p), andperm(A)=k. We prove the following theorem.

Theorem 8.34 Lperm∈IP. #

Proof: The proof is by induction—we assume that we have an interactive proof for matrices up to size(n−1), andshow a proof forn×nmatrices. That is, we assume inductively that for each(n−1)×(n−1)matrixB, the prover can make the verifier accept the claimperm(B)=kwith probability 1 if it is true andwith probability at most if it is false. (Clearly, in the base case whenn−1=1, the permanent computation is trivial for the verifier andhence=0 in the base case.) Then we show that for every n×nmatrixAthe prover can make the verifier accept the claimperm(A)= kwith probability 1 if it is true andwith probability at most+(n−1)²/pif it is false. The following simple exchange shows this.

• Round 1: Prover sends to verifier a polynomial g(x) of degree (n−1)², which is supposedlyperm(D_A(x)).

• Round 2:Verifier checks whether:k=_m

i=1a1,ig(i). If not, it rejects at once. Otherwise, the verifier picks a random element of the fieldb∈RFpandasks the prover to prove thatg(b)=perm(D_A(b)). Notice,D_A(b)is an(n−2)×(n−2)matrix overFp, andso now use the inductive hypothesis to design a protocol for this verification.

Now we analyze this protocol. If perm(A)= k, then an all-powerful prover can provideperm(D_A(x)) andthus by the inductive hypothesis make the verifier accept with probability 1.

On the other hand, suppose thatperm(A)=k. If in the first round, the polynomial g(x)sent is the correct polynomialperm(D_A(x)), then

m i=1

a_1,ig(i)=perm(A)=k

andthe verifier wouldimmediately reject. Hence we only needto consider a prover that sendsg(x)=perm(D_A(x)). Since two polynomials of degree(n−1)²can only agree for less than(n−1)²values ofx, the chance that the randomly chosenb ∈ Fp is one of them is at most(n−1)²/p. ifbis not one of these values, then the prover is stuck with proving an incorrect claim, which by the inductive hypothesis he can prove with conditional probability at most. This finishes the proof of correctness.

Chapter Notes 169 Unwrapping the inductive claim, we see that the probability that the prover can convince this verifier about an incorrect value of the permanent of ann×nmatrix is at most

(n−1)²

p +(n−2)²

p + · · · +1 p ≤ n³

p which is much smaller than¹/³for our choice ofp.

What have we learned?

• Aninteractive proof is a generalization of mathematical proofs in which the prover andpolynomial-time probabilistic verifier interact.

• Allowing randomization and interaction seems to add significantly more power to proof system: The classIPof languages provable by a polynomial-time interactive proofs is equal toPSPACE.

• All languages provable by aconstant roundproof system are in the classAM; that is, they have a proof system consisting of the the verifier sending a single random string to the prover, andthe prover responding with a single message.

• Interactive proofs have surprising connections to cryptography, approximation algorithms (rather, their nonexistence), andprogram checking.

CHAPTER NOTES AND HISTORY

Interactive proofs were defined in 1985 by Goldwasser, Micali, and Rackoff [GMR85]

for cryptographic applications and (independently, and using the public-coin def-inition) by Babai [Bab85]; see also Babai andMoran [BM88]. The private-coins interactive proof for graph non-isomorphism was given by Goldreich, Micali, and Wigderson [GMW87]. Simulations of private coins by public coins (Theorem 8.12) were given by Goldwasser and Sipser [GS87] (see [Gol08, Appendix A] for a good exposition of the full proof). It was influencedby earlier results such as BPP ⊆ PH (Section7.5.2) andthe fact that one can approximate#SAT_DinP^p2.Multiprover inter-active proofs were defined by Ben-Or et al. [BOGKW88] for the purposes of obtaining zero-knowledge proof systems forNP(see also Section9.4) without any cryptographic assumptions.

The general feeling at the time was that interactive proofs are only a “slight” exten-sion ofNPandthat not even3SAThas interactive proofs. For example, Fortnow and Sipser [FS88] conjecturedthat this is the case andeven showedan oracleOrelative to whichcoNP^O IP^O (thus in the terminology of Section3.4,IP = PSPACEis a nonrelativizingtheorem).

The result thatIP = PSPACE was a big surprise, andthe story of its discovery is very interesting. In the late 1980s, Blum andKannan [BK95] introduced the notion of program checking. Aroundthe same time, Beaver andFeigenbaum [BF90] and Lipton [Lip91] publishedpapers appearedthat fleshedout the notion of random-self-reducibility andthe connection to checking. Inspiredby some of these developments,

Nisan provedin December 1989 that the permanent problem (hence also#SAT_D) has multiproverinteractive proofs. He announcedhis proof in an email to several col-leagues andthen left on vacation to South America. This email motivateda flurry of activity in research groups aroundthe world. Lund, Fortnow, andKarloff showedthat

#SAT_Dis inIP(they added Nisan as a coauthor and the final paper is [LFKN90]). Then Shamir showedthatIP=PSPACE[Sha90] andBabai, Fortnow, andLund[BFL90]

showedMIP =NEXP. This story—as well as subsequent developments such as the PCPTheorem—is described in Babai’s entertaining surveys [Bab90,Bab94]. See also the chapter notes to Chapter11.

The proof ofIP=PSPACEusing the linearization operator is due to Shen [She92].

The question about the power of the prover is relatedto the complexity of deci-sion versus search, as exploredby Bellare andGoldwasser [BG94]; see also Vadhan [Vad00]. Theorem 8.30 has been generalizedto languages within NC by Goldwasser et al. [GGH⁺07].

The result that approximating the shortest vector to within a!

n/lognis inAM[2]

andhence probably notNP-hard (as mentioned in the introduction) is due to Goldreich andGoldwasser [GG98]. Aharonov andRegev [AR04] provedthat approximating this problem to within√

nis inNP∩coNP.

EXERCISES

8.1. Prove the assertions about IP made in Section8.1. That is, prove:

(a) LetIPdenote the class obtained by allowing the prover to be probabilistic in Definition8.6. That is, the prover’s strategy can be chosen at random from some distribution on functions. Prove thatIP=IP.

(b) Prove thatIP⊆PSPACE.

(c) Let IP denote the class obtained by changing the constant 2/3 in (8.2) to 1.

Prove thatIP=IP.

H534

(d) Let IP denote the class obtained by changing the constant 1/3 in (8.3) to 0.

Prove thatIP=NP.

8.2. LetIPdenote the class obtained by requiring in the completeness condition (8.2) that there exists a single proverPfor everyx∈L(rather than for everyx∈Lthere is a prover). Prove thatIP=IP.

8.3. Show thatAM[2] =BP·NP.

8.4. Letk≤n. Prove that the following familyHn,kis a collection of pairwise independent functions from{0, 1}ⁿto{0, 1}^k: Identify{0, 1}with the fieldGF(2). For everyk×n matrixAwith entries in GF(2), andb∈ GF(2)^k,Hn,kcontains the functionh_A,b : GF(2)ⁿ→GF(2)^kdefined ashA,b(x)=Ax+b.

8.5. Prove that there exists a perfectly completeAM[O(1)]protocol for proving a lower boundon set size.

H534

Exercises 171 8.6. Prove that for everyAM[2]protocol for a languageL, if the prover andthe verifier repeat the protocolktimes in parallel (verifier runskindependent random strings for each message) andthe verifier accepts only if allkcopies accept, then the probability that the verifier acceptsx∈Lis at most(1/3)^k. (Note that youcannotassume the prover is acting independently in each execution.) Can you generalize your proof for everyk?

8.7. (Babai-Moran [BM88]) Prove that for every constantk≥2,AM[k+1] ⊆AM[k].

H534

8.8. In this exercise we explore an alternative way to generalize the proof thatcoNP⊆IP