THEOREMS = {(S, 1^n) | S is provable in a particular mathematical theory with an n step proof} is in NP, and for any sufficiently rich theory, e.g. number theory, is NP-hard.

Definition: IP[k] = class of languages for which there is a k round interactive proof.

Intuitively, think of it from the verifier's point of view, and assume that the skeptical verifier doesn't trust the prover at all. The prover is always trying to convince the verifier of membership, even if this is a lie.

Observation: IP with only one round of communication from prover to verifier is clearly exactly NP.

Theorem: If the verifier is deterministic then IP[poly] = NP.

Example: Sock (Uno card) distinction to a color blind person, or change denomination distinction to the blind, to show the power of a randomized verifier.

So technically the verifier in the definition of IP is a BPP machine.

Example: Graph non-isomorphism. 2 messages, one from verifier to prover, and then one from prover to verifier.

GNI Protocol on graphs G and H
  Verifier: Generates a random permutation pi on the vertices and a random bit i.
            If i = 0 then the verifier sends the prover K = pi(G),
            else the verifier sends the prover K = pi(H).
  Prover:   Sends the verifier a proof/advice bit A.
  Verifier: If A = i then accept else reject.

Definition: IP[1], IP[2], IP[3], IP[k], IP = IP[poly]

Definition: Completeness = error probability when the input is in the language
            Soundness = error probability when the input is not in the language

Question: So if the verifier is an RP machine then you have perfect ?
Answer: Soundness

Question: Perfect soundness or perfect completeness for the graph non-isomorphism protocol?
Answer: perfect completeness

Fact: Many interactive proofs boil down to counting.

Example: Graph non-isomorphism. Let S be all possible messages K that the verifier could send.
  If the two graphs are isomorphic then |S| = n!
  If the two graphs are not isomorphic then |S| = 2*n!

Warm-up Problem: Someone is claiming that there are 1000 people inside a building.
You know that either that is true, or that there are at most 100 people in the building. Imagine you ask some question of the form "Is there a person in the building where X is true about this person?" What would X be? Which question constitutes the best way to ascertain the truth of this claim:
  A) If somebody in the building is born in January, come out to show your driver's licence to prove this?
  B) If somebody in the building is born on January 24, come out to show your driver's licence to prove this?
  C) If somebody in the building is born at 11:56:59 AM on January 24, come out to show your birth certificate to prove this?

Example: Set size lower bound

Let S, subset 2^m, be a set such that membership can be certified in poly time (e.g. the satisfying assignments of a Boolean formula). The prover wants to argue the cardinality of S is at least a certain amount 2^k. If the cardinality of S is at least 2^k, then the prover should be successful with high probability. If the cardinality of S is < 1/2 the claimed amount, that is < 2^{k-1}, then with high probability the prover should fail.

Protocol:
  Verifier: Pick a random function f: 2^m -> 2^{k+1}, and a random y in 2^{k+1}. Send f and y to the prover.
  Prover:   Send an x in 2^m to the verifier.
  Verifier: Check if f(x) = y.

Calculation: First consider the case that |S| is at least 2^k. The expected number of distinct elements in the range of f is at least
  |S| - Sum_{x, z in S} Prob[f(x)=f(z)] >= |S| - (|S| choose 2) / 2^{k+1}
If 2^k = |S| then this is about
  2^k - [(2^k)^2 / 2] / 2^{k+1} = 3 * 2^k / 4
Thus the expected success probability for the prover is at least 3/8.

Now consider the case that |S| is at most 2^{k-1}. Then the number of distinct elements in the range is at most 2^{k-1}. Thus the expected success probability for the prover is at most 1/4.

One problem: A random f is not really practical.

Question: Why?
Answer: It has entropy > k * 2^m. Recall the source coding theorem.

Question: What do you need of f?
Answer: Prob[f(x)=f(z)] = 1/2^k
So you need an f with pairwise independence. It is sufficient to pick a, b uniformly at random and let f(x) = a x + b mod 2^k, where a and b are of size about 2^m.
Entropy = 2m

Question: What is the difference between the two protocols for GNI?
Answer (or one possible answer): The set size algorithm can be implemented using a real-time beacon of random bits that both the prover and the verifier can listen to. So in this model, there don't have to be any messages from the verifier to the prover.

Definition: AM = languages accepted by an interactive protocol where the verifier sends a random string to the prover and the prover replies with a proof. So all the randomness available to the verifier is known to the prover.

Definition: MAM

Theorem: One can simulate IP[k] with an O(k) round protocol with public coins.

Proof: Explain the idea of the proof within the context of graph isomorphism.
  Verifier sends to prover: random a, b, y (representing the hash function f(x) = a x + b mod 2^r and y an element of the range of f)
  Prover sends verifier: A, K, pi and i
  Verifier checks that:
    1. f(K) = y
    2. If A=0 then pi(G) = K and if A=1 then pi(H) = K
End proof

Theorem: PSPACE = IP

Proof:
Homework: Show IP in PSPACE.
Now we will show PSPACE in IP. Use the fact that TQBF is PSPACE-complete. Show how to give an interactive proof for deciding the truth of a quantified Boolean formula.

Consider a formula of the form
  F = Thereexists x Forall y Thereexists z (x or y or not z) and (not x or not y or z)
Replace (x or y or not z) and (not x or not y or z) by
  P(x, y, z) = [1-(1-x)(1-y)z][1-xy(1-z)]

Fact: (x or y or not z) and (not x or not y or z) is true iff P(x, y, z) = 1

We want to give an interactive proof that
  H = Sum_{x in {0,1}} Product_{y in {0,1}} Sum_{z in {0,1}} P(x, y, z) > 0

Fact: F is true iff H > 0

IP PROTOCOL:
  PROVER:   Send H' (what the prover is purporting to be H)
  VERIFIER: If H' > 0 then
              comment: check if H = H'
              Let h(x) = Product_{y in {0,1}} Sum_{z in {0,1}} P(x, y, z)
            else reject
  PROVER:   Send h'(x) (what the prover is purporting to be h(x))
  VERIFIER: If H' = h'(0) + h'(1) then
              comment: the prover is telling a consistent story
              comment: now want to check that h(x) = h'(x), which we do by checking this at a random point (KEY IDEA)
              Let r be a random rational in [0, 1]
              comment: want to check if h(r) = h'(r)
              comment: this is like checking whether H = H'
              Let g(y) = Sum_{z in {0,1}} P(r, y, z)
              send r to prover
            else reject
  PROVER:   Send g'(y) (what the prover is purporting to be g(y))
  VERIFIER: If h'(r) = g'(0) * g'(1) then
              comment: the prover is telling a consistent story
              comment: now want to check that g(y) = g'(y), which we do by checking this at a random point
              Let s be a random rational in [0, 1]
              comment: want to check if g(s) = g'(s)
              Let f(z) = P(r, s, z)
              send s to prover
            else reject
  PROVER:   Send f'(z) (what the prover is purporting to be f(z))
  VERIFIER: If f(z) = f'(z) then accept else reject

AN ISSUE: Because of universal quantifiers, or equivalently because of multiplication, the degree of h(x) can be exponential.
FIX: Because at the end of the day we only care about 0/1 variables, and for 0/1 values x^2 = x, we can linearize high degree polynomials.
  L(5x^4 + 6y^5x^3 + 7x^2 + 8x + 9) = (5 + 7 + 8) x + 6xy + 9 = 20x + 6xy + 9
So we can work with
  H = Sum_{x in {0,1}} L( Product_{y in {0,1}} Sum_{z in {0,1}} L( P(x, y, z) ) )
  h(x) = L( Product_{y in {0,1}} L( Sum_{z in {0,1}} L( P(x, y, z) ) ) )
instead of the original h(x).

Theorem: If GI = Graph Isomorphism = {(G_1, G_2) | G_1 is isomorphic to G_2} is NP-complete then Sigma_2^p is a subset of Pi_2^p (and hence the polynomial time hierarchy collapses to the second level).

Question: Why is this interesting?

Proof: Show how to reduce Sigma_2 SAT to Pi_2 SAT.
Let F = Thereexists x Forall y phi(x, y) be an element of Sigma_2^p.
Since GI is NP-complete, GNI is coNP-complete. Hence there is a poly time many to one mapping g such that F is equivalent to F', where
  F' = Thereexists x g(x) in GNI
We break into two cases.

CASE F' is false:
  Hence: Forall x g(x) is not in GNI
  By AM protocol V for GNI:
    Forall x Most random R Forall advice A V(g(x), R, A) = 0
  By using the BPP subset P/poly trick, we can conclude that:
    Thereexists an R Forall x Forall advice A V(g(x), R, A) = 0

CASE F' is true:
  Hence: Thereexists x g(x) in GNI
  By AM protocol V for GNI:
    Thereexists x Most random R Thereexists advice A V(g(x), R, A) = 1
  Homework: There is an AM protocol for GNI with perfect completeness.
  Hence by the homework, we can conclude something stronger:
    Thereexists x Forall R Thereexists advice A V(g(x), R, A) = 1
  By first order logic, it then also must be true that:
    Forall R Thereexists x Thereexists advice A V(g(x), R, A) = 1

Note that this last formula is the negation of the formula for the case that F' is false, and that this is a Pi_2^p formula. So we have now reduced deciding the truth of a Sigma_2^p formula to deciding the truth of a Pi_2^p formula.

QUESTION: Why do you need a public coins IP protocol for GNI to make this proof work?
ANSWER: One place you use it is when you express the fact that the AM protocol will accept g(I) if F is true by "For all random strings R Thereexists advice A that the prover can give such that V(g(x), R, A) = 1". In the statement above, the advice A can depend on the random string R, which couldn't be the case in a private coin protocol.
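
Added example (not part of the original notes): a simulation of the set size lower bound protocol, measuring the prover's success rate for |S| = 2^k and |S| = 2^{k-1}. It swaps in a random affine map f(x) = Ax + b over GF(2), which is exactly pairwise independent, for the notes' a x + b hash. The function names, the parameters m = 16, k = 6 and the sample set are constructed for illustration.

```python
import random

def random_affine_hash(m, out_bits, rng):
    # f(x) = Ax + b over GF(2): one random m-bit row of A per output bit.
    rows = [rng.getrandbits(m) for _ in range(out_bits)]
    b = rng.getrandbits(out_bits)
    def f(x):
        y = 0
        for i, row in enumerate(rows):
            y |= (bin(row & x).count("1") & 1) << i   # parity of <row, x>
        return y ^ b
    return f

def prover(S, f, y):
    # Unbounded prover: search S for a preimage of y, or give up.
    for x in S:
        if f(x) == y:
            return x
    return None

def run_round(S, m, k, rng):
    # One public-coin round; True means the verifier accepts.
    f = random_affine_hash(m, k + 1, rng)   # verifier's coins: f ...
    y = rng.getrandbits(k + 1)              # ... and the target y
    x = prover(S, f, y)
    # Verifier: membership certificate (here a set lookup) and f(x) = y.
    return x is not None and x in S and f(x) == y

def acceptance_rate(S, m, k, trials, seed):
    rng = random.Random(seed)
    return sum(run_round(S, m, k, rng) for _ in range(trials)) / trials

def demo(m=16, k=6, trials=3000):
    rng = random.Random(1)
    elems = rng.sample(range(2 ** m), 2 ** k)   # constructed sample set
    big = set(elems)                            # |S| = 2^k
    small = set(elems[: 2 ** (k - 1)])          # |S| = 2^(k-1)
    return (acceptance_rate(big, m, k, trials, 2),
            acceptance_rate(small, m, k, trials, 3))

if __name__ == "__main__":
    print(demo())   # (rate for the large set, rate for the small set)
```

The two rates land on either side of the 3/8 and 1/4 bounds from the calculation, which is the gap that repetition then amplifies.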
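
Added example (not part of the original notes): the IP exchange for the notes' formula F, run with exact rationals against an honest prover and against one that claims a wrong value H'. The consistency checks are derived from the definitions of h, g and f; linearization is not implemented because for this formula the degrees stay at most 4. The names DEG, table, ev, rand01, verify and lie are assumptions of this sketch.

```python
from fractions import Fraction
import random

DEG = 4  # assumed degree bound: h has degree 4 in x, g and f degree 2

def P(x, y, z):
    # The notes' arithmetization of (x or y or not z) and (not x or not y or z).
    return (1 - (1 - x) * (1 - y) * z) * (1 - x * y * (1 - z))

def h(x):
    # Product over y in {0,1} of Sum over z in {0,1} of P(x, y, z).
    return (P(x, 0, 0) + P(x, 0, 1)) * (P(x, 1, 0) + P(x, 1, 1))

def table(poly):
    # A prover message: the polynomial's values at the points 0..DEG.
    return [Fraction(poly(t)) for t in range(DEG + 1)]

def ev(vals, t):
    # Verifier side: Lagrange-evaluate a received message at the point t.
    total = Fraction(0)
    for i, v in enumerate(vals):
        for j in range(len(vals)):
            if j != i:
                v *= Fraction(t - j, i - j)
        total += v
    return total

def rand01(rng):
    return Fraction(rng.randint(0, 10**6), 10**6)  # random rational in [0, 1]

def verify(claimed_H, lie, rng):
    # lie(x) is what a cheating prover adds to h(x); honest prover: lie = 0.
    if claimed_H <= 0:
        return False
    h_msg = table(lambda x: h(x) + lie(x))
    if ev(h_msg, 0) + ev(h_msg, 1) != claimed_H:
        return False                                   # inconsistent story
    r = rand01(rng)
    g_msg = table(lambda y: P(r, y, 0) + P(r, y, 1))   # g(y), sent honestly
    if ev(h_msg, r) != ev(g_msg, 0) * ev(g_msg, 1):
        return False                                   # h' is wrong at r
    s = rand01(rng)
    f_msg = table(lambda z: P(r, s, z))                # f(z), sent honestly
    if ev(g_msg, s) != ev(f_msg, 0) + ev(f_msg, 1):
        return False
    return f_msg == table(lambda z: P(r, s, z))        # verifier computes f itself

if __name__ == "__main__":
    print(verify(4, lambda x: 0, random.Random(0)))      # honest prover, H = 4
    print(verify(5, lambda x: 1 - x, random.Random(0)))  # false claim H' = 5
```

The cheating prover's h' differs from h by 1 - x, so it passes H' = h'(0) + h'(1) and is caught at every random r except the single root r = 1.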