CS294: Probabilistically Checkable and Interactive Proof Systems (S2017)

Basics


Instructor(s): Alessandro Chiesa, Igor Shinkar
Teaching Assistant(s): none
Time: Tuesdays and Thursdays 14.00-15.30
Location: 320 Soda Hall
Office Hours: by appointment, arranged via email (to Alessandro or Igor)

Course Description


This course offers a graduate introduction to probabilistically checkable and interactive proof systems. Such proof systems play a central role in complexity theory and in cryptography. Their formulation and construction are arguably among the leading conceptual and technical achievements in theoretical computer science. Results typically draw on techniques from coding theory, property testing, and graph theory.

Topics covered include:

  • interactive proofs
    • IP=PSPACE
    • public to private coins
    • bounded communication/randomness
    • doubly-efficient interactive proofs (aka interactive proofs for muggles)
    • zero knowledge
  • basic probabilistic checking
    • exponential-size PCPs (Hadamard)
    • polynomial-size PCPs (Reed--Muller)
  • optimized probabilistic checking
    • reducing query complexity (proof composition, parallel repetition, 3-query PCPs, ...)
    • reducing proof length (routing, proximity testing to Reed--Solomon, ...)

Emphasis is on getting students up to speed for research in the area; lectures will often contain open problems or suggestions for future research.

The Piazza website is here.

Prerequisites


The official prerequisite is CS 170 (or equivalent). All students with "mathematical maturity" (ease with proofs, algorithms, elementary number theory, and discrete probability) and curiosity about proof systems are welcome.

Requirements


Completing the course requires regular attendance/participation, scribing (once or twice), and a research project. Grading will be based 30% on attendance/participation, 30% on the scribe notes, and 40% on the research project. Occasionally, simple assignments may be handed out.

Note: please use this TeX file for scribing.

Reading and Resources


This course has no required textbook, but much of the material covered in class can be found online; we give specific references for each lecture. In addition, the following online resources could be helpful:

Assignments


None.

Schedule


# Date Topic Reading
1 2017.01.19

Introduction (scribe notes by Pratyush Mishra)

  • introduction to the course
  • definition of interactive proofs
  • sumcheck protocol
    • coNP contained in IP
      • arithmetization
    • #P contained in IP (and thus all of PH)
      • better arithmetization
  • IP contained in PSPACE

Lecture notes:

Formulation of interactive proofs:

The sumcheck protocol:

Additional:

2 2017.01.24

Interactive Proofs 1 (scribe notes by Mariel Supina)

  • definition of QBF
  • PSPACE is contained in IP
    • TQBF is the starting point
    • arithmetizing formula and quantifiers
    • Shamir's protocol (with Shen's degree reduction)
  • TQBF is PSPACE-complete

Lecture notes:

Shamir's protocol:

Additional:

3 2017.01.26

Interactive Proofs 2 (scribe notes by Bryan O'Gorman)

  • public vs private coins
  • GNI is contained in IP (with private coins)
  • definition of AM (same as IP but public coins)
  • GNI is contained in AM[2]
    • reduction to approximate counting
    • approximate counting via universal hashing
  • IP[k] is contained in AM[k+2]
  • achieving perfect completeness in AM

Lecture notes:

Goldwasser--Sipser transformation:

Additional:

4 2017.01.31

Interactive Proofs 3 (scribe notes by Peter Manohar)

  • interactive proofs with bounded communication/randomness
    • prover bits ≤ p
    • verifier bits ≤ v
    • random bits ≤ r
    • IP[p,v,r] and AM[p,v,r]
  • IP[p,v,r] is contained in DTime(2^{O(p+v+r)} poly)
  • IP[p,v] is contained in BPTime(2^{O(p+v)} poly)
    • [GH98, Theorem 2]
    • approximate value of game tree
      • sub-sample by random tapes
    • proof via Chernoff bound and union bound
  • AM[p] is contained in BPTime(2^{O(p log p)} poly)
    • [GH98, Theorem 3]
    • approximate value of game tree
      • sub-sample by transcript-consistent next messages
    • refine previous analysis via hybrids
  • IP[p] is contained in BPTime(2^{O(p log p)} poly)^NP

Main:

Additional:

5 2017.02.02

Interactive Proofs 4 (scribe notes by Lynn Chua)

  • inefficiency of Shamir's protocol
    • honest prover in Shamir's protocol is 2^{O(n^2)}
    • honest prover in Shen's protocol is 2^{O(n)}
    • T-time S-space machines yield 2^{O(S log T)}-time provers
  • doubly-efficient interactive proofs
  • bare bones protocol [GKR, Section 3]
    • layered arithmetic circuits
    • wiring predicates
    • one sumcheck per layer

Main:

Additional on doubly-efficient interactive proofs:

6 2017.02.07

Interactive Proofs 5 (scribe notes by Patrick Lutz)

Main:

Additional on doubly-efficient interactive proofs:

Additional on interactive proofs of proximity:

Additional on implementations of GKR's protocol:

7 2017.02.09

Interactive Proofs 6

  • IP for GI
  • definition of honest-verifier zero knowledge (HVZK)
  • the IP for GI is HVZK
  • definition of malicious-verifier zero knowledge (ZK)
  • the IP for GI is ZK
  • PZK ⊆ SZK ⊆ CZK
  • towards SZK ⊆ coAM
    • running simulator when x ∉ L
    • IP for GI → IP for GNI (!)

Main:

Additional:

Videos:

8 2017.02.14

Basic Probabilistic Checking 1

  • the PCP complexity class PCP_{c,s}[r,q]_Σ
  • PCP_{c,s}[r,q]_Σ ↔ gap of 2^r q-ary constraints over Σ
  • simple class inclusions
  • exponential-size PCP for circuit satisfiability
    • NP ⊆ PCP_{1,0.5}[poly(n),O(1)]_{\{0,1\}}
    • good query complexity, bad proof length

Lecture notes:

Additional:

New York Times article about the PCP Theorem:

9 2017.02.16

Basic Probabilistic Checking 2

  • linear PCPs
    • the complexity class LPCP_{c,s}[r,q,l]_Σ
    • last time: NP ⊆ LPCP_{1,0.75}[m,3,(n+1)^2]_{\{0,1\}}
    • today: compiling any LPCP into a PCP via linearity test
  • testing linearity
    • BLR test
    • analysis via majority decoding

Lecture notes:

Main:

Additional:

New York Times article about ZCash, which uses linear PCPs as part of so-called zkSNARKs:

10 2017.02.21

Basic Probabilistic Checking 3

  • NP ⊆ PCP[log, polylog] (up to low-degree testing)
    • start from satisfiability of degree-3 polynomials
    • amplify gap via an error-correcting code such as Reed--Solomon
    • arithmetization via Reed--Muller instead of Hadamard
    • reduce to sumcheck problem

Lecture notes:

Main:

Additional:

11 2017.02.23

Basic Probabilistic Checking 4

  • NP ⊆ PCP[log, polylog] with low-degree testing
  • definition of low-degree testing
  • univariate polynomials
  • multivariate polynomials

Lecture notes:

Additional:

12 2017.02.28

Basic Probabilistic Checking 5

  • NEXP is contained in PCP[poly, poly]
    • low-degree constraints

Lecture notes:

Main:

Additional:

13 2017.03.02

Basic Probabilistic Checking 6

  • consequences of the PCP Theorem
    • delegation of computation
    • hardness of approximation
      • example: CLIQUE

Lecture notes:

Main:

Additional:

14 2017.03.07

Reducing Query Complexity 1

  • towards polynomial proof length and constant query complexity
  • proof composition
    • outer robustness and inner proximity

Lecture notes:

Main:

Additional:

15 2017.03.09

Reducing Query Complexity 2

  • NP is contained in PCP[log, 1]
  • outer Reed--Muller, inner Hadamard

Same as last lecture.

16 2017.03.14

Reducing Query Complexity 3

  • parallel repetition
  • application to PCPs
  • statement of sliding scale conjecture

Main:

Additional:

17 2017.03.16

Reducing Query Complexity 4

  • towards 3-query PCPs
  • long code

Lecture notes:

Main:

Additional:

18 2017.03.21

Reducing Query Complexity 5

  • 3-query PCPs

Main:

Additional:

19 2017.03.23

Reducing Proof Length 1

  • parametrized BFLS
  • discussion of limits to short proof length

Main:

Additional:

X 2017.03.28

No class (spring break).

X 2017.03.30

No class (spring break).

20 2017.04.04

Reducing Proof Length 2

  • routing circuits

Main:

Additional:

21 2017.04.06

Reducing Proof Length 3

  • towards quasilinear-size PCPs
  • univariate arithmetization
    • reduction to PCPP for Reed--Solomon

Lecture notes:

Main:

Additional:

22 2017.04.11

Reducing Proof Length 4

  • PCPPs for Reed--Solomon
  • bivariate testing

Lecture notes:

Main:

Additional:

23 2017.04.13

Reducing Proof Length 5

  • TBA

Main:

Additional:

24 2017.04.18

Cryptographic Compilers 1

  • from PCPs to argument systems

Main:

Additional:

25 2017.04.20

Cryptographic Compilers 2

  • from MIPs to argument systems

Main:

Additional:

26 2017.04.25

Class project presentations.

TBA

27 2017.04.27

Class project presentations.

TBA

X 2017.05.02

No class.

X 2017.05.04

No class.