Abstract
We present constant-round interactive proof systems for sufficiently uniform versions of \(\mathcal{AC}^0[2]\) and \(\mathcal{NC}^1\). Both proof systems are doubly-efficient, and offer a better trade-off between the round complexity and the total communication than the work of Reingold, Rothblum, and Rothblum (STOC, 2016). Our proof system for \(\mathcal{AC}^0[2]\) supports a more relaxed notion of uniformity and offers a better trade-off between the number of rounds and the round complexity that our proof system for \(\mathcal{NC}^1\). We observe that all three aforementioned systems yield constant-round doubly-efficient proof systems for the All-Pairs Shortest Paths problem.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
Actually, the result of [15] can be applied to \(\mathcal{NC}^1\) circuits that can be constructed in polynomial time and \(n^{o(1)}\)-space.
- 2.
The need to feed both constants arises from the following conventions by which the circuit is layered and all gates in the same layer compute the same functionality.
- 3.
We stress that the term ‘leaf’ is used here also in the case that the circuit is not a formula (i.e., does not have a tree structure). One may prefer using the terms ‘terminal’ or ‘source’ instead.
- 4.
This can be assumed, without loss of generality, by replacing such a potential leaf at layer i with an auxiliary path of dummy gates that goes from layer d to layer i so that this path indirectly feeds the value of the desired input bit to the corresponding gate at layer i.
- 5.
This can be assumed, without loss of generality, by replacing each layer by three consecutive layers so that one layer is devoted to and-gates, one to or-gates, and one to parity-gates.
- 6.
Actually, we could reduce the verification of these logarithmically many claims to the verification of a single claim, by using a curve that passes through all the points in these claims, as done in [8]. But since here the number of rounds is a constant, we can afford an overhead that is exponential in the number of rounds (i.e., the overhead is \(O(\log n)^{d'}\), where \(d'\) is the number of layers having multiplication gates).
- 7.
In contrast, when using the approximation method in the context of worst-case to average-case reduction for the class \(\mathcal{AC}^0[2]\) presented in [6, Apdx A.2], the approximation error is absorbed by the (larger) error rate of the average-case solver.
- 8.
In the third construction of [1], the seed is viewed as a pair \((\zeta ,r)\), where \(\zeta \in \mathrm{GF}(2^k)\) and \(r\in \{0,1\}^k\), and the \(i^\mathrm{th}\) bit in the output is the inner-product (mod 2) of the binary representation of \(\zeta ^i\) and r. Note that computing \(\zeta ^i\) reduces to computing \(\prod _{j\ge 0}(i_j\cdot \zeta ^{2^j}+(1-i_j))\), where \((i_{k'-1},...,i_0)\in \{0,1\}^{k'}\) is the binary expansion of \(i\in [2^{k'}]\), and that \(\zeta ^{2},...,\zeta ^{2^{k'-1}}\) can be precomputed when \(\zeta \) is fixed. Note that each element of \(\mathrm{GF}(2^k)\) is represented as a k-bit long sequence over \(\{0,1\}\equiv \mathrm{GF}(2)\), and so multiplication in \(\mathrm{GF}(2^k)\) corresponds to k bilinear forms in these representations (and the product \(i_j\cdot \zeta ^{2^j}\) corresponds to the products of \(i_j\) and the bits in the representation of \(\zeta ^{2^j}\)).
- 9.
This is the case since we bound the approximation error of \(A'_n\) by employing a union bound to the errors that may occur in the various gates, and this holds regardless of the dependency between these error events.
- 10.
Jumping ahead, we stress that the relation between these functions will be checked by the interactive proof system presented in Sect. 2.3. This will be done by having the verifier ask the prover to provide the values of these functions at few places, while relying on the fact that these functions can be evaluated in polynomial-time. Note that these functions are too large to be communicated to the verifier (see analogous discussion in Sect. 3.1).
- 11.
Here we assume that the length of the seed is \(2\ell '\), which is justified by the fact that we can afford any \(\ell '=O(\log n)\). Recall that, for \((i_{\ell '},...,i_1)\in \{0,1\}^{\ell '}\), if \(\tau _j=\zeta ^{2^{j-1}}\), then \(\prod _{j\in [\ell ']}(i_j\cdot \tau _j+(1-i_j))=\zeta ^i\) such that \(i=\sum _{j\in [\ell ']}i_j\cdot 2^{j-1}\). (Recall the product is over \(\mathrm{GF}(2^{\ell '})\), but each multiplication over \(\mathrm{GF}(2^{\ell '})\) is emulated by bilinear forms in the bits of the representations of the \(\mathrm{GF}(2^{\ell '})\)-elements.) In this case, \({\widehat{G'}}(i_{\ell '},...,i_1)\) equals the inner product (mod 2) of r and the binary representation of \(\zeta ^i\), where \((\zeta ,r)=\sigma \) is the seed of the generator.
- 12.
Recall that we need to provide the circuit with the constants 1 and 0; hence, we set \(\{\alpha _d(n+1),\alpha _d(n+2)\}=\{0,1\}\). The setting of \(\alpha _d(j)=0\) for \(j\in [s]\setminus [n+2]\) is used in order to facilitate the evaluation of r.h.s. of Eq. (8), as discussed below and used in Step 3; that is, this setting ensures that, for every \(u\in \mathcal{F}^\ell \), it holds that \(\sum _{k\in \{0,1\}^\ell }\mathtt{EQ}(u,k)\cdot \alpha _d(k)\) equals \(\sum _{k\in I}\mathtt{EQ}(u,k)\cdot \alpha _d(k)\), where \(I\subset \{0,1\}^\ell \) corresponds to \([n+2]\). Alternatively, we could have used the setting \(\alpha _d(j)=1\) for \(j\in [s]\setminus [n+2]\), and rely on the fact that \(\sum _{k\in \{0,1\}^\ell }\mathtt{EQ}(u,k)\) equals 1.
- 13.
In contrast, we could have defined \(G',\alpha _i\) and \(\mathtt{EQ}\) over H-sequences from the start, rather than defining them over binary sequences. But doing so would not have allowed us to relate \(\psi _i\) to the other functions without using the transformation that we are going to introduce and use now.
- 14.
Actually, we could afford letting the verifier use the same random choices in all \(\ell '\) parallel executions, which would result in leaving it with a single claim regarding the value of \({\widehat{\alpha }}_i\) at one point (i.e., r).
- 15.
This dominates the length of the initial verifier-message \(\sigma \in \{0,1\}^{O(\log n)}\).
- 16.
- 17.
The fact that the value \(\ell '=\delta \cdot \log _2n\) is used both for \(\log _2|H|\) and for the distance between layers that we relate is a consequence of the fact that both parameters are subject to the same trade-off. Each of these parameters cuts the number of rounds by its value (i.e., \(\ell '\)), while incurring an exponential overhead (i.e., \(2^{\ell '}\)) in the total volume of communication.
- 18.
We mention that the fact that these \(2^{\ell '}\) points reside on a line makes the argument simpler, but not in a fundamental way. In general, the prover could have picked a curve of degree \(2^{\ell '}-1\) that goes through any \(2^{\ell '}\) points of interest, and provide a low degree polynomial describing the value of \({\widehat{\alpha }}_{i\cdot \ell '}\) on this curve. In this case, the claim to be proved in the next iteration would have been that the value of \({\widehat{\alpha }}_{i\cdot \ell '}\) at a random point on this curve equals the value provided by the polynomial sent by the prover.
- 19.
If \(P_i\) does not satisfy the current claim (i.e., \(\sum _{\sigma \in H}P_i(\sigma ) \ne v_{i-1}\)), then the prover can avoid upfront rejection only if it sends a degree d polynomial \({\widetilde{P}}\ne P_i\). But in such a case, \({\widetilde{P}}\) and \(P_i\) may agree on at most d points, since they are both degree d polynomials. Hence, if the chosen \(r_i\in \mathcal{F}\) is not one of these points, then it holds that \(v_i={\widetilde{P}}(r_i)\ne P_i(r_i)\), which means that the next iteration will also start with a false claim. Hence, starting with a false claim (i.e., \(\sum _{\sigma \in H}P_1(\sigma ) \ne v_{0}\) since Eq. (21) does not hold), with probability at least \(1-m\cdot d/|\mathcal{F}|\), after m iterations we reach a false claim regarding the value of P at a single point.
- 20.
Specifically, the value of \(P_i\) at p is obtained from the values of P at the points \((r_1,...,r_{i-1},p,\sigma )\), where \(\sigma \in H^{m-i}\).
References
Alon, N., Goldreich, O., Hastad, J., Peralta, R.: Simple construction of almost \(k\)-wise independent random variables. Random Struct. Algorithms 3(3), 289–304 (1992)
Barrington, D.A.M., Immerman, N., Straubing, H.: On uniformity within NC1. J. Comput. Syst. Sci. 41(3), 274–306 (1990)
Goldreich, O.: Computational Complexity: A Conceptual Perspective. Cambridge University Press, Cambridge (2008)
Goldreich, O.: On the doubly-efficient interactive proof systems of GKR. In: ECCC, TR17-101 (2017)
Goldreich, O., Rothblum, G.N.: Simple doubly-efficient interactive proof systems for locally-characterizable sets. In: ECCC, TR17-018 (2017). Extended abstract in 9th ITCS, pp. 18:1–18:19 (2018)
Goldreich, O., Rothblum, G.N.: Worst-case to average-case reductions for subclasses of P. In: ECCC TR17-130 (2017). See revised version in this volume
Goldreich, O., Rothblum, G.N.: Counting \(t\)-cliques: worst-case to average-case reductions and direct interactive proof systems. In: ECCC, TR18-046 (2018). Extended abstract in 59th FOCS, pp. 77–88 (2018)
Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Delegating computation: interactive proofs for muggles. J. ACM 62(4), 271–2764 (2015). Extended abstract in 40th STOC, pp. 113–122 (2008)
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18, 186–208 (1989). Preliminary version in 17th STOC (1985)
Kalai, Y.T., Raz, R.: Interactive PCP. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 536–547. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70583-3_44
Kalai, Y.T., Rothblum, G.N.: Constant-round interactive proofs for NC1. Unpublished observation (2009)
Lund, C., Fortnow, L., Karloff, H., Nisan, N.: Algebraic methods for interactive proof systems. J. ACM 39(4), 859–868 (1992). Extended abstract in 31st FOCS (1990)
Naor, J., Naor, M.: Small-bias probability spaces: efficient constructions and applications. SIAM J. Comput. 22(4), 838–856 (1993). Preliminary version in 22nd STOC (1990)
Razborov, A.A.: Lower bounds on the size of bounded-depth networks over a complete basis with logical addition. Matematicheskie Zametki 41(4), 598–607 (1987). (in Russian). English translation in Math. Not. Acad. Sci. USSR 41(4), 333–338 (1987). https://doi.org/10.1007/BF01137685
Reingold, O., Rothblum, G.N., Rothblum, R.D.: Constant-round interactive proofs for delegating computation. In: 48th ACM Symposium on the Theory of Computing, pp. 49–62 (2016)
Shamir, A.: IP = PSPACE. J. ACM 39(4), 869–877 (1992). Preliminary version in 31st FOCS (1990)
Smolensky, R.: Algebraic methods in the theory of lower bounds for Boolean circuit complexity. In: 19th ACM Symposium on the Theory of Computing, pp. 77–82 (1987)
Williams, R.: Faster all-pairs shortest paths via circuit complexity. In: 46th ACM Symposium on the Theory of Computing, pp. 664–673 (2014)
Acknowledgements
As noted in the body of the paper, an unpublished work by Kalai and Rothblum [11] proposed a constant-round doubly-efficient proof system for \(\mathcal{NC}^1\) under a very strict notion of uniformity. This unpublished work has inspired our own work, and we thank Yael for her contribution to it as well as for many other helpful conversations on these topics.
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Appendix: The Sum-Check Protocol
Appendix: The Sum-Check Protocol
The Sum-Check protocol, designed by Lund, Fortnow, Karloff, and Nisan [12], is a key ingredient in the constructions that we present.
Fixing a finite field \(\mathcal{F}\) and a set \(H\subset \mathcal{F}\) (e.g., H may be a two-element set), we consider an m-variate polynomial \(P:\mathcal{F}^m\rightarrow \mathcal{F}\) of individual degree d. Given a value v, the Sum-Check protocol is used to prove that
assuming that the verifier can evaluate P by itself. The Sum-Check protocol proceeds in m iterations, such that in the \(i^\mathrm{th}\) iteration the number of summations (over H) decreases from \(m-i+1\) to \(m-i\). Specifically, the \(i^\mathrm{th}\) iteration starts with a claim of the form \(\sum _{\sigma _i,...,\sigma _m\in H} P(r_1,...,r_{i-1},\sigma _i,...,\sigma _m)=v_{i-1}\), where \(r_1,...,r_{i-1}\) and \(v_{i-1}\) are as determined in prior iterations (with \(v_0=v\)), and ends with a claim of the form \(\sum _{\sigma _{i+1},...,\sigma _m\in H} P(r_1,...,r_{i},\sigma _{i+1},...,\sigma _m)=v_{i}\), where \(r_i\) and \(v_i\) are determined in the \(i^\mathrm{th}\) iteration. Initializing the process with \(v_0=v\), in the \(i^\mathrm{th}\) iteration the parties act as follows.
-
Prover’s move: The prover computes a univariate polynomial of degree d over \(\mathcal{F}\)
$$\begin{aligned} P_i(z){\mathop {=}\limits ^\mathrm{def}}\sum _{\sigma _{i+1},...,\sigma _m\in H} P(r_1,...,r_{i-1},z,\sigma _{i+1},...,\sigma _m) \end{aligned}$$(22)where \(r_1,...,r_{i-1}\) are as determined in prior iterations, and sends \(P_i\) to the verifier (claiming that \(\sum _{\sigma \in H}P_i(\sigma )=v_{i-1}\)).
-
Verifier’s move: Upon receiving a degree d polynomial, denoted \({\widetilde{P}}\), the verifier checks that \(\sum _{\sigma \in H}{\widetilde{P}}(\sigma )=v_{i-1}\) and rejects if inequality holds. Otherwise, it selects \(r_i\) uniformly in \(\mathcal{F}\), and sends it to the prover, while setting \(v_i\leftarrow {\widetilde{P}}(r_i)\).
If all m iterations are completed successfully (i.e., without the verifier rejecting in any of them), then the verifier conducts a final check. It computes the value of \(P(r_1,...,r_m)\) and accepts if and only if this value equals \(v_m\).
Clearly, if Eq. (21) holds (and the prover acts according to the protocol), then the verifier accepts with probability 1. Otherwise (i.e., Eq. (21) does not hold), no matter what the prover does, the verifier accepts with probability at most \(m\cdot d/|\mathcal{F}|\), because in each iteration if the prover provides the correct polynomial, then the verifier rejects (since \(\sum _{\sigma \in H}P_i(\sigma )=P_{i-1}(r_{i-1})\ne v_{i-1}\)), and otherwise the (degree d) polynomial sent agrees with \(P_i\) on at most d points.Footnote 19
The complexity of verification is dominated by the complexity of evaluating P (on a single point). As for the prescribed prover, it may compute the relevant \(P_i\)’s by interpolation, which is based on computing the value of P at \((d+1)\cdot |H|^{m-i}\) points, for each \(i\in [m]\). (That is, the polynomial \(P_i\) is computed by obtaining its values at \(d+1\) points, where the value of \(P_i\) at each point is obtained by summing the values of P at \(|H|^{m-i}\) points.)Footnote 20
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Goldreich, O., Rothblum, G.N. (2020). Constant-Round Interactive Proof Systems for AC0[2] and NC1. In: Goldreich, O. (eds) Computational Complexity and Property Testing. Lecture Notes in Computer Science(), vol 12050. Springer, Cham. https://doi.org/10.1007/978-3-030-43662-9_18
Download citation
DOI: https://doi.org/10.1007/978-3-030-43662-9_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-43661-2
Online ISBN: 978-3-030-43662-9
eBook Packages: Computer ScienceComputer Science (R0)