\documentclass{article}
\usepackage{amsmath}
\input{preamble.tex}
\newcommand\beq{\begin{equation}}
\newcommand\eeq{\end{equation}}
\newcommand\ul{\underline}
\newcommand\bs{\bigskip}
\newcommand\ms{\medskip}
\newcommand\sP{{\bf$\sharp$P }}
\newcommand\IP{{\bf IP }}
\newcommand\PS{{\bf PSPACE }}
\newcommand\sS{{\bf$\sharp$3SAT }}
\newcommand\V{{\bf V }}
\newcommand\p{{\bf P }}
\newcommand\x{{\bf x }}
\newcommand\y{{\bf y }}
\newcommand\pr{\textup{Pr}}
\newcommand\nn{\nonumber}
\newcommand\eps{\varepsilon}
\begin{document}
\lecture{18}{April 19, 2001 }{Daniel A. Spielman}{Sergi Elizalde}
\section{\sP$\subseteq\IP$}
The main idea we will use to prove that \sP$\subseteq\IP$ will be
arithmetization. Using that \sS is complete for \sP, the proof
consists in reducing \sS to a language that is in \IP.
Define an {\bf arithmetic formula} as an expression containing
variables ($x_1,x_2,\ldots$), constants, and symbols
$\ast,+,-,(,)$, in the intuitive way. We can convert any Boolean
formula into an arithmetic formula using the following rules:
\begin{eqnarray}
\phi_1\wedge \phi_2&\longrightarrow&\phi_1\ast \phi_2\nn\\
\neg \phi_1&\longrightarrow&1-\phi_1\nn\\
\phi_1\vee \phi_2&\longrightarrow&1-(1-\phi_1)\ast(1-\phi_2)\nn
\end{eqnarray}
A Boolean formula and its arithmetization take the same values on
binary inputs. The advantage of the arithmetic formula is that it
can be evaluated on any input.
\begin{definition}
Define the language {\bf Arithmetic Formula Sum} to be
$$AFS=\{(f(x_1,\ldots,x_n),s):\sum _{x_1\in\{0,1\}}\sum
_{x_2\in\{0,1\}}\cdots\sum _{x_n\in\{0,1\}}f(x_1,\ldots,x_n)=s\}$$
\end{definition}
Note that if $f(x_1,\ldots,x_n)$ has been obtained by
arithmetization of a Boolean formula $\phi$, then
$(f(x_1,\ldots,x_n),s)\in AFS$ iff $\phi$ has $s$ satisfying
assignments. Now, to show that \sP$\subseteq\IP$ it will suffice
to prove the following theorem.
\begin{theorem}
$AFS\in$ \IP
\end{theorem}
The idea of the proof is to apply a sequence of reductions to
$AFS$. However, our notion of reduction has to be generalized
first so that it can be adapted to interactive proofs.
\begin{definition}
Let $A_1$,$A_2$ be two languages, and let $\varepsilon>0$. An
{\bf$\varepsilon$-reduction} from $A_1$ to $A_2$ is an \IP
subprotocol in which \V outputs \emph{reject} or $w_2$ in such a
way that\\ $w_1\in A_1\Longrightarrow\exists$ a prover \p s.t.
$\pr[(\V\longleftrightarrow\p)=w_2\in A_2]=1$\\ $w_1\not\in
A_1\Longrightarrow\forall$ prover \p,
$\pr[(\V\longleftrightarrow\p)=w_2\in A_2]\leq\varepsilon$
\end{definition}
Intuitively, this means that, up to a probability $\eps$ of error,
if we can convince that $w_2\in A_2$, then we can convince that
$w_1\in A_1$. Note that a 0-reduction is a standard reduction. The
following claim will help us understand this definition better.
\begin{claim}
If $A_2\in{\bf P}$ and there exists a $\frac{1}{3}$-reduction from
$A_1$ to $A_2$, then $A_1\in\IP$.
\end{claim}
\begin{proofof}{Claim}
The \IP protocol for $A_1$ is as follows. On input $w_1$, run the
subprotocol corresponding to the reduction. If \V rejects, reject.
Otherwise, assuming that $w_2$ is the output, accept if $w_2\in
A_2$ and reject otherwise.
Clearly this proves that $A_1\in\IP$, because if $w_1\in A_1$ then
there exists a prover for which \V accepts with probability 1, and
if $w_1\not\in A_1$ then, for all provers, \V rejects with
probability at least 2/3.
\end{proofof}
\begin{proof}
Let $L_n\subseteq AFS$ be the subset of those elements in which
the formula has $n$ variables. To prove the theorem, we will
construct a chain of $\eps$-reductions, for an appropriate
$\eps\leq\frac{1}{3m}$, each one from $L_n$ to $L_{n-1}$, so that
all together give a $\frac{1}{3}$-reduction from $L_m$ to $L_0$.
Then the result will be implied from the claim and the fact that
$L_0\in{\bf P}$. Now we give the reduction from $L_n$ to
$L_{n-1}$.
\subsubsection*{The reduction} Assume that the input is
$(f(x_1,\ldots,x_n),s)$.\\ Let $d$ be the length of $f$. Note that
since we gave the definition of arithmetic formulas without using
exponentiation, $d$ is an upper bound on the degree of $f$. Take
$\eps=\frac{1}{3m}$. Let $$f_1(x_1)=\sum
_{x_2\in\{0,1\}}\cdots\sum _{x_n\in\{0,1\}}f(x_1,\ldots,x_n)$$
Consider the following protocol.\ms
\begin{tabular}{ll}
\p: & Send $g_1(x_1)$, a polynomial of degree at most $d$.\\ \V: &
Check if $g_1(0)+g_1(1)=s$. If not, \emph{reject}.\\ & Choose a
constant $c_1\in\{1,\ldots,\lceil\frac{d}{\eps}\rceil\}$ at
random.\\ & Output ``$(f(c_1,x_2,\ldots,x_n),g_1(c_1))\in
L_{n-1}?$"
\end{tabular}
\ms
We have to show that this is indeed an $\eps$-reduction. If
$(f(x_1,\ldots,x_n),s)\in L_n$, consider the prover that sends
$g_1(x_1)=f_1(x_1)$. Then, \V will output
$(f(c_1,x_2,\ldots,x_n),f_1(c_1))$, which is clearly in $L_{n-1}$
by the definition of $f_1$.
Suppose now that $(f(x_1,\ldots,x_n),s)\not\in L_n$. This is
equivalent to $f_1(0)+f_1(1)\neq s$. If the polynomial $g_1(x_1)$
that \p sends verifies $g_1(0)+g_1(1)\neq s$, then \V rejects, so
the prover can't win this way. If, on the contrary,
$g_1(0)+g_1(1)=s$, then $g_1\not\equiv f_1$, because
$f_1(0)+f_1(1)\neq s$. So, since the non-zero polynomial $f_1-g_1$
has degree at most $d$, there are at most $d$ choices for $c_1$
such that $g_1(c_1)=f_1(c_1)$. Hence,
$$\underset{c_1}\pr[g_1(c_1)=f_1(c_1)]\leq\frac{d}{\lceil\frac{d}{\eps}\rceil}\leq\eps$$
When $g_1(c_1)\neq f_1(c_1)$, the output is not in $L_{n-1}$. So,
$$\underset{c_1}\pr[(f(c_1,x_2,\ldots,x_n),g_1(c_1))\in
L_{n-1}]\leq\eps$$ This proves that what we have given is an
$\eps$-reduction from $L_n$ to $L_{n-1}$. \ms
The proof of the main result \sP$\subseteq\IP$ follows easily now.
Assume that \V has to decide if a given input instance of the form
$(f(x_1,\ldots,x_m),s)$ (for some $m$) is in $AFS$ or not. To do
that, first it runs $\frac{1}{3m}$-reductions from $L_n$ to
$L_{n-1}$, for $n=m,m-1,\ldots,1$, as the one described above. The
output of these reductions is of the form $``w_{n-1}\in
L_{n-1}?"$. If \V has not rejected in any of them, then \V checks
if $w_0\in L_0$, which can be done in polynomial time. If that is
the case, \V accepts, otherwise rejects.
This gives an \IP protocol for $AFS$. Indeed, if $w_n\in L_n$,
then $\exists$\p such that $\pr[(\V\longleftrightarrow\p)\
accept]=1$. And if $w_n\not\in L_n$, then $\forall$\p
$\pr[(\V\longleftrightarrow\p)\ accept]\leq\frac{1}{3}$. Here we
use that in the chain of reductions the errors just add up,
because $\pr[w_m\not\in L_m\wedge w_0\in L_0]=\sum_n
\pr[w_n\not\in L_n\wedge w_{n-1}\in L_{n-1}]\leq m\
\frac{1}{3m}=\frac{1}{3}$.
\end{proof}
Observe that the chain of reductions is in fact an
$\frac{1}{3}$-reduction from $L_n$ to $L_0$.
\section{$\PS\subseteq\IP$}
The proof of this result will use again the same ideas, namely
arithmetization and $\eps$-reductions. When trying to find an
interactive protocol for \PS, we will have to deal with
polynomials in implicit form, like, as we had before,
$$f_1(x_1)=\sum _{x_2\in\{0,1\}}\cdots\sum
_{x_n\in\{0,1\}}f(x_1,\ldots,x_n)$$ This is certainly a
description of a polynomial, but it cannot be evaluated
efficiently. This problem will be overcome using arithmetization
and reductions as the previous ones.
Another difficulty that we will encounter is that, in some stage
of the protocol, the prover will try to convince the verifier
about the value that a polynomial takes in two certain points. The
following lemma will let us reduce this case to that of one single
point, which we are more familiar with.
\begin{lemma}[two-for-one]
Let $f(y_1,\ldots,y_k)$ be an implicitly represented polynomial.
There exists an $\eps$-reduction that reduces the verification of
$f(a_1,\ldots,a_k)=\alpha$ and $f(b_1,\ldots,b_k)=\beta$ to a
single verification of the form $f(c_1,\ldots,c_k)=\gamma$.
\end{lemma}
\begin{proof-of-lemma}{}
Let $d$ be an upper bound on $deg(f)$. We will evaluate the
polynomial in a line. Let
$l(t)=(1-t)(a_1,\ldots,a_k)+t(b_1,\ldots,b_k)$, and let
$f_1(t)=f(l(t))$. Note that $deg(f_1)\leq d$. Consider the
following protocol.
\begin{tabular}{ll}
\p: & Send $g_1(t)$, a polynomial of degree at most $d$.\\ \V: &
Check if $g_1(0)=\alpha$ and $g_1(1)=\beta$. If not, {\it
reject}.\\ & Choose a constant
$c\in\{1,\ldots,\lceil\frac{d}{\eps}\rceil\}$ at random.\\ & Ask
for a proof that $f(l(c))=g_1(c)$\\
\end{tabular}
This is indeed an $\eps$-reduction, by the same reasoning used
above.
\end{proof-of-lemma}
Now we can proof that $\PS\subseteq\IP$.
\ms
\begin{proof}
Let $M$ be any given \PS Turing Machine. On input $w$, consider
the graph of configurations of $M$ on $w$. Recall that when we
proved that $\PS={\bf APTIME}$ the second day of class, we defined
the function $$FromTo({\bf x},{\bf y},k)=\left\{
\begin{array}{l} 1 \quad\mbox{if $\exists$ a path from ${\bf x}$
to ${\bf y}$ of length $k$}
\\ 0 \quad\mbox{otherwise} \end{array} \right. $$
for any two configurations ${\bf x}$ and ${\bf y}$. Then, for a
big enough $K\sim 2^{poly(|w|)}$, $FromTo(start,accept,K)$ tells
us whether $M$ accepts $w$ or not. This function has the property
that $$FromTo({\bf x},{\bf y},k)=\exists {\bf z}: FromTo({\bf
x},{\bf z},\lceil k/2\rceil)\wedge FromTo({\bf z},{\bf y},\lfloor
k/2 \rfloor)$$ Now we will define several polynomials that will be
the arithmetization of these functions. For the first one,
$FT_1({\bf x},{\bf y})$, we can make a small arithmetic formula
satisfying $$FT_1({\bf x},{\bf y})=\left\{
\begin{array}{l} 1 \quad\mbox{if $M$ can go from ${\bf x}$ to ${\bf y}$ in one
step}
\\ 0 \quad\mbox{otherwise} \end{array} \right. $$
The other polynomials are defined recursively, and are given
implicitly. \begin{equation} FT_k({\bf x},{\bf y})=\sum
_{z_1\in\{0,1\}}\cdots\sum _{z_k\in\{0,1\}} FT_{k/2}({\bf x},{\bf
z})\ FT_{k/2}({\bf z},{\bf y})\label{rec}\end{equation} Note that
the degree of $FT_k$ in each variable is at most the degree in the
same variable of $FT_{k/2}$. For binary {\bf x} and {\bf y},
$FT_k({\bf x},{\bf y})$ evaluates as $FromTo({\bf x},{\bf y},k)$,
with the advantage that it can be evaluated in general points. In
principle, the coefficients of the polynomials can grow as $k$
increases, but this can be solved working over a finite field.
Next we will describe an $\eps$-reduction from a verification of
the value of $FT_k$ in a certain point to a verification of the
value of $FT_{k/2}$ in some other point. Suppose that \p wants to
convince \V of the fact that $FT_k({\bf x},{\bf y})=s$ for some
fixed \x and \y. Using the implicit expression (\ref{rec}) for
$FT_k$, we can apply a chain of $\eps'$-reductions as we did in
the proof of $AFS\in$ \IP to reduce it, up to a small enough
error, to an assertion of the form $FT_{k/2}({\bf x},{\bf c})\
FT_{k/2}({\bf c},{\bf y})=s'$.
Now, \p sends $\alpha$ and $\beta$ such that $\alpha \beta=s'$
(otherwise \V would reject immediately), trying to convince \V
that $FT_{k/2}({\bf x},{\bf c})=\alpha$ and $FT_{k/2}({\bf c},{\bf
y})=\beta$. By the two-for-one lemma, this can be reduced to an
assertion of the form $FT_{k/2}(l(t))=\gamma$, which only depends
on one evaluation.
Applying these reduction repeatedly, we eventually get down to
some verification of the form $FT_1({\bf a},{\bf b})=r$. So, after
a polynomial number of repetitions, checking that
$FT_K(start,accept)=1$ has been reduced to an evaluation of $FT_1$
in some particular point, which can be done in polynomial time.
This proves that we can decide whether $M$ accepts $w$ or not
using an interactive protocol.
Although we did not specify how to choose the $\eps$ and $\eps'$,
we can make them exponentially small if we work in a big enough
field, so that the total error of the general reduction is small.
\end{proof}
\end{document}