CS294: Foundations of Probabilistic Proofs (F2020)

Basics


Instructor(s): Alessandro Chiesa
Teaching Assistant(s): n/a
Time: Tuesdays and Thursdays 11:00-12:30 (California time)
Location: live via Zoom (see Piazza website for links)
Office Hours: time slots announced in the Piazza website

Course Description


The discovery and study of probabilistic proof systems, such as PCPs and IPs, have had a tremendous impact on theoretical computer science. These proof systems have numerous applications (e.g., to hardness of approximation), but one of their most compelling uses is a direct one: to construct cryptographic protocols that enable super fast verification of long computations. This course will introduce students to the foundations of probabilistic proof systems, covering both classical results and modern efficient constructions.

Each lecture's Zoom link and discussions will be on Piazza at this link.

Prerequisites


This course requires knowledge of basic algorithms (CS 170) and complexity (CS 172).

Requirements


Completing the course for credit requires regular attendance/participation (on Piazza or during online lecture), completing occasional homework, scribing (once or twice), and a research project.

Reading and Resources


This course has no required textbook. Each lecture will have specific references. This course is a new revision of a prior course on probabilistic proofs from [Spring 2019].

Assignments


TBA

Schedule


# Date Topic Reading
1 2020.08.27

Interactive Proofs 1

  • introduction to the course
  • definition of interactive proofs
  • GNI is contained in IP (with private coins)
  • IP is contained in PSPACE

Formulation of interactive proofs:

Video:

2 2020.09.01

Interactive Proofs 2

  • sumcheck protocol
  • coNP contained in IP
    • arithmetization for UNSAT
  • $\mathrm{P}^{\#\mathrm{P}}$ contained in IP
    • arithmetization for #SAT

The sumcheck protocol:

3 2020.09.03

Interactive Proofs 3

  • definition of QBF
  • PSPACE is contained in IP
    • TQBF is the starting point
    • arithmetization of formula and quantifiers
    • Shamir's protocol (with Shen's degree reduction)
  • TQBF is PSPACE-complete

Shamir's protocol:

Additional:

4 2020.09.08

Interactive Proofs 4

  • private coins vs public coins
  • definition of AM[k] and MA[k]
  • GNI is contained in AM[2]
    • reduction to approximate counting
    • approximate counting via pairwise-independent hashing
  • IP[k] is contained in AM[k+2]
    • high-level intuition only

Goldwasser–Sipser transformation:

Additional:

5 2020.09.10

Interactive Proofs 5

  • IPs with bounded communication/randomness
    • complexity classes IP[p,v,r] and AM[p,v,r] (prover bits ≤ p, verifier bits ≤ v, random bits ≤ r)
  • IP[p,v,r] is contained in $\mathrm{DTime}(2^{O(p+v+r)}\,\mathrm{poly})$
    • compute value of game tree
  • IP[p,v] is contained in $\mathrm{BPTime}(2^{O(p+v)}\,\mathrm{poly})$
    • approximate value of game tree (sub-sample by random tapes)
    • proof via Chernoff bound and union bound
  • AM[p] is contained in $\mathrm{BPTime}(2^{O(p \log p)}\,\mathrm{poly})$
    • approximate value of game tree (sub-sample by transcript-consistent next messages)
    • refine previous analysis via hybrids
  • IP[p] is contained in $\mathrm{BPTime}(2^{O(p \log p)}\,\mathrm{poly})^{\mathrm{NP}}$
    • (sketch) as above but transcript consistency is harder

The results presented in class:

Additional results:

6 2020.09.15

Interactive Proofs 6

  • inefficiency of Shamir's protocol
    • honest prover in Shamir's protocol is $2^{O(n^2)}$
    • honest prover in Shen's protocol is $2^{O(n)}$
    • T-time S-space machines yield $2^{O(S \log T)}$-time provers
  • doubly-efficient interactive proofs
    • motivation of delegation of computation
    • theorem statement for log-space uniform circuits
  • low-degree extensions (univariate and multivariate)
  • bare bones protocol for layered circuits
    • one sumcheck per layer

The result presented in class:

A survey:

Additional on implementations of GKR's protocol:

Additional on doubly-efficient interactive proofs:

7 2020.09.17

Interactive Proofs 7

  • IP for GI
  • definition of honest-verifier zero knowledge (HVZK)
  • the IP for GI is HVZK
  • definition of malicious-verifier zero knowledge (ZK)
  • the IP for GI is ZK
  • PZK ⊆ SZK ⊆ CZK
  • towards SZK ⊆ coAM
    • running simulator when x ∉ L
    • IP for GI → IP for GNI (!)

On zero knowledge:

Video:

8 2020.09.22

Probabilistically Checkable Proofs 1

  • definition of a PCP verifier
  • the complexity class $\mathrm{PCP}_{c,s}[r,q]_{\Sigma}$
  • simple class inclusions
  • delegation of computation via PCPs
  • PSPACE ⊆ PCP

Video:

New York Times article about the PCP Theorem:

9 2020.09.24

Probabilistically Checkable Proofs 2

  • exponential-size PCPs
    • NP ⊆ $\mathrm{PCP}_{1,0.5}[\mathrm{poly}(n),O(1)]_{\{0,1\}}$
    • good query complexity, bad proof length
  • linear PCPs
    • the complexity class $\mathrm{LPCP}_{c,s}[l,r,q]_{\Sigma}$
    • NP ⊆ $\mathrm{LPCP}_{1,0.75}[O(n^2),O(m+n),4]_{\{0,1\}}$

The exponential-size constant-query PCP is the inner PCP in this paper:

10 2020.09.29

Probabilistically Checkable Proofs 3

  • compiling any LPCP into a PCP
  • self-correction
  • linearity testing
    • BLR test
    • analysis via majority decoding

Main:

Additional:

Video:

11 2020.10.01

Probabilistically Checkable Proofs 4

  • NP ⊆ PCP[log, polylog] (up to low-degree testing)
    • start from satisfiability of quadratic equations
    • amplify gap via an error-correcting code
    • arithmetization via Reed–Muller instead of Hadamard
    • reduce to sumcheck problem

Main:

12 2020.10.06

Probabilistically Checkable Proofs 5

  • NP ⊆ PCP[log, polylog] with low-degree testing
  • definition of low-degree testing
  • univariate polynomials
  • multivariate polynomials

Main:

Additional:

13 2020.10.08

PCPs with Sublinear Verification 1

Main:

14 2020.10.13

PCPs with Sublinear Verification 2

  • NTIME(T) ⊆ PCP[ptime=poly(T), vtime=poly(n,log(T))]
  • PCP-based delegation of computation

Main:

15 2020.10.15

Hardness of Approximation 1

16 2020.10.20

Hardness of Approximation 2

17 2020.10.22

Reducing Query Complexity 1

18 2020.10.27

Reducing Query Complexity 2

19 2020.10.29

Reducing Query Complexity 3

20 2020.11.03

Parallel Repetition 1

21 2020.11.05

Parallel Repetition 2

22 2020.11.10

Interactive Oracle Proofs 1

23 2020.11.12

Interactive Oracle Proofs 2

24 2020.11.17

Interactive Oracle Proofs 3

25 2020.11.19

Interactive Oracle Proofs 4

X 2020.11.24

No class.

X 2020.11.26

No class.

26 2020.12.01

Class Project Presentations 1

27 2020.12.03

Class Project Presentations 2

X 2020.12.08

No class.

X 2020.12.10

No class.