1 00:00:00,000 --> 00:00:01,497 [SQUEAKING] 2 00:00:01,497 --> 00:00:02,994 [RUSTLING] 3 00:00:02,994 --> 00:00:04,491 [CLICKING] 4 00:00:24,960 --> 00:00:28,150 MICHAEL SIPSER: Greetings, everybody. 5 00:00:28,150 --> 00:00:31,740 Welcome to our last lecture of the term. 6 00:00:31,740 --> 00:00:38,620 We have survived a semester online in 18.404 7 00:00:38,620 --> 00:00:45,160 and we are going to conclude our last topic 8 00:00:45,160 --> 00:00:49,120 today, which is interactive proof systems that we started 9 00:00:49,120 --> 00:00:50,080 last time. 10 00:00:50,080 --> 00:00:59,140 And with the big-- well, the big theorem 11 00:00:59,140 --> 00:01:04,209 of interactive proof systems is that IP equals PSPACE. 12 00:01:04,209 --> 00:01:06,130 And we're going to give the main idea 13 00:01:06,130 --> 00:01:13,280 for that in a slightly weaker theorem, as we'll see. 14 00:01:13,280 --> 00:01:16,070 So why don't we jump in? 15 00:01:16,070 --> 00:01:19,510 So we have been doing interactive proofs. 16 00:01:19,510 --> 00:01:24,610 We gave an example of showing that the graph isomorphism 17 00:01:24,610 --> 00:01:27,400 problem, the complement of that is 18 00:01:27,400 --> 00:01:29,590 in IP, as I hope you remember. 19 00:01:29,590 --> 00:01:33,820 We had that interaction with the prover and a verifier. 20 00:01:33,820 --> 00:01:35,530 We're going to go through it quickly. 21 00:01:35,530 --> 00:01:38,110 Not that protocol, but just the setup. 22 00:01:38,110 --> 00:01:44,590 And then we're going to finish by showing that this number SAT 23 00:01:44,590 --> 00:01:47,080 problem is in IP and should conclude 24 00:01:47,080 --> 00:01:51,080 that coNP is a subset of IP. 25 00:01:51,080 --> 00:01:56,050 All right, so let's go for it. 26 00:01:56,050 --> 00:01:56,550 Yes. 27 00:01:59,400 --> 00:02:03,360 So just remember, interactive proof systems, 28 00:02:03,360 --> 00:02:06,090 there are these two parties, the prover and the verifier.
29 00:02:06,090 --> 00:02:09,960 The prover has unlimited computational ability. 30 00:02:09,960 --> 00:02:23,400 I kind of model that as an army of students perhaps who can-- 31 00:02:23,400 --> 00:02:27,570 where we don't-- they can work all night. 32 00:02:27,570 --> 00:02:30,480 They can use computational resources. 33 00:02:30,480 --> 00:02:34,290 And the prover, however, we're not 34 00:02:34,290 --> 00:02:36,090 going to measure the computational power 35 00:02:36,090 --> 00:02:36,870 of the prover. 36 00:02:36,870 --> 00:02:38,950 That's unlimited. 37 00:02:38,950 --> 00:02:43,110 And so the prover can do things like find certificates. 38 00:02:43,110 --> 00:02:45,720 It can test whether things are satisfiable. 39 00:02:45,720 --> 00:02:49,410 It can factor numbers. 40 00:02:49,410 --> 00:02:50,220 We don't care. 41 00:02:50,220 --> 00:02:52,560 It can do whatever we'd like and there 42 00:02:52,560 --> 00:02:57,070 is no charge for the prover's computational demands. 43 00:02:57,070 --> 00:02:57,570 OK. 44 00:02:57,570 --> 00:03:00,360 So the setup we had was the prover and the verifier. 45 00:03:00,360 --> 00:03:01,680 Both see the input. 46 00:03:01,680 --> 00:03:04,450 The exchange of polynomial number of messages. 47 00:03:04,450 --> 00:03:06,285 And then the verifier accepts or rejects. 48 00:03:09,510 --> 00:03:16,530 And we had this notion of the probability 49 00:03:16,530 --> 00:03:19,560 that the verifier ends up accepting when paired 50 00:03:19,560 --> 00:03:22,440 with a particular prover. 51 00:03:22,440 --> 00:03:26,580 And what we want is that for strings in a language, 52 00:03:26,580 --> 00:03:29,790 that probability should be high for some prover. 53 00:03:29,790 --> 00:03:32,520 And for strings not in the language, 54 00:03:32,520 --> 00:03:35,280 that probability should be low no matter what the prover does. 55 00:03:35,280 --> 00:03:38,130 So there's nothing the prover can do. 
56 00:03:38,130 --> 00:03:41,160 And the way it kind of suggests that at any prover. 57 00:03:41,160 --> 00:03:48,410 But whatever the prover's strategy cannot make 58 00:03:48,410 --> 00:03:50,563 the verifier accept with high probability. 59 00:03:50,563 --> 00:03:52,730 Just doesn't have enough information or it doesn't-- 60 00:03:52,730 --> 00:03:55,520 it's just not able to make the verifier accept 61 00:03:55,520 --> 00:03:56,570 with high probability. 62 00:04:00,080 --> 00:04:01,880 You might think of the prover as trying 63 00:04:01,880 --> 00:04:03,140 to make the verifier accept. 64 00:04:03,140 --> 00:04:06,710 So the P tilde is a crooked prover. 65 00:04:06,710 --> 00:04:09,980 I don't think that went down very well with everybody. 66 00:04:09,980 --> 00:04:11,160 So I have it here. 67 00:04:11,160 --> 00:04:13,220 Another way of looking at it, maybe it 68 00:04:13,220 --> 00:04:20,940 looks a little bit more like NP here where 69 00:04:20,940 --> 00:04:23,490 IP is the collection of languages where there's 70 00:04:23,490 --> 00:04:25,410 a verifier, just like we had. 71 00:04:25,410 --> 00:04:28,260 You can think of NP as having a verifier which 72 00:04:28,260 --> 00:04:29,940 can check certificates. 73 00:04:29,940 --> 00:04:32,400 Here the prover is going to be like the certificate 74 00:04:32,400 --> 00:04:34,860 so that for strings in the language, 75 00:04:34,860 --> 00:04:38,100 there's a prover which can interact with the verifier 76 00:04:38,100 --> 00:04:40,260 and make it accept a high probability. 77 00:04:40,260 --> 00:04:42,090 And you're not in the language, there 78 00:04:42,090 --> 00:04:45,270 is no prover, which can interact with the verifier 79 00:04:45,270 --> 00:04:48,540 and make the verifier accept with even 80 00:04:48,540 --> 00:04:50,400 more than low probability. 81 00:04:50,400 --> 00:04:53,940 What's important is this gap, just like with BPP, 82 00:04:53,940 --> 00:04:57,060 between acceptance or rejection. 
83 00:04:57,060 --> 00:05:01,560 And that gap is there because we want 84 00:05:01,560 --> 00:05:03,510 to be able to use the amplification lemma. 85 00:05:03,510 --> 00:05:05,340 And if there was no gap, then you 86 00:05:05,340 --> 00:05:08,340 wouldn't be able to amplify and make 87 00:05:08,340 --> 00:05:11,190 the probability of acceptance extremely high when you want 88 00:05:11,190 --> 00:05:13,830 it to be in the language, when you're in the language, 89 00:05:13,830 --> 00:05:15,945 and extremely low when you're not in the language. 90 00:05:18,280 --> 00:05:18,780 OK. 91 00:05:18,780 --> 00:05:23,560 So I hope that refreshes your memory as to how that works. 92 00:05:23,560 --> 00:05:27,465 We're going to walk ourselves through the-- 93 00:05:32,940 --> 00:05:37,620 well, through what we did last time. 94 00:05:37,620 --> 00:05:40,660 But let's set the stage for that. 95 00:05:40,660 --> 00:05:42,670 So the surprising theorem, as I mentioned, 96 00:05:42,670 --> 00:05:46,110 is that IP equals PSPACE. 97 00:05:46,110 --> 00:05:51,180 One direction of that is a fairly standard simulation. 98 00:05:51,180 --> 00:05:54,510 With PSPACE, you can basically work your way 99 00:05:54,510 --> 00:05:56,490 through the tree of possibilities 100 00:05:56,490 --> 00:05:59,790 for an interactive proof protocol. 101 00:05:59,790 --> 00:06:02,340 And you can calculate the probability 102 00:06:02,340 --> 00:06:05,700 that the verifier would end up accepting 103 00:06:05,700 --> 00:06:08,010 if you had the best possible prover that would try 104 00:06:08,010 --> 00:06:09,390 to make the verifier accept. 105 00:06:09,390 --> 00:06:11,160 And you can just do that calculation. 106 00:06:11,160 --> 00:06:12,623 It's in the book. 107 00:06:12,623 --> 00:06:14,790 You're not going to be responsible for knowing that, 108 00:06:14,790 --> 00:06:15,290 actually. 109 00:06:15,290 --> 00:06:16,710 We haven't covered it in lecture. 
110 00:06:16,710 --> 00:06:19,714 But it's not very hard. 111 00:06:19,714 --> 00:06:21,778 A little technical, I suppose. 112 00:06:21,778 --> 00:06:23,570 The other direction is the interesting one, 113 00:06:23,570 --> 00:06:25,070 and that's the direction we're going 114 00:06:25,070 --> 00:06:26,420 to be moving toward today. 115 00:06:26,420 --> 00:06:29,840 We won't quite get there, but the way it works 116 00:06:29,840 --> 00:06:33,860 is that to show that everything in PSPACE, which 117 00:06:33,860 --> 00:06:37,190 is kind of amazing, is contained within IP. 118 00:06:37,190 --> 00:06:40,520 So everything in PSPACE can be done with an interactive proof 119 00:06:40,520 --> 00:06:43,010 system. 120 00:06:43,010 --> 00:06:45,650 And the way that is done is by using 121 00:06:45,650 --> 00:06:49,220 a PSPACE complete problem, TQBF, and showing that that problem 122 00:06:49,220 --> 00:06:51,590 itself is in IP. 123 00:06:51,590 --> 00:06:54,140 But we're not going to prove that. 124 00:06:54,140 --> 00:06:55,640 That would be sort of the next thing 125 00:06:55,640 --> 00:06:57,710 we would prove if we had a little bit more time. 126 00:06:57,710 --> 00:07:02,120 But we're going to be satisfied with just the somewhat 127 00:07:02,120 --> 00:07:09,350 weaker but very similar statement that coNP 128 00:07:09,350 --> 00:07:12,410 is contained in IP here. 129 00:07:12,410 --> 00:07:15,562 Again, still very surprising, because you 130 00:07:15,562 --> 00:07:18,020 have to be able to show, for example, that a formula is not 131 00:07:18,020 --> 00:07:19,910 satisfiable with a prover. 132 00:07:19,910 --> 00:07:22,970 How can a prover convince a verifier that a formula is not 133 00:07:22,970 --> 00:07:26,060 satisfiable? 134 00:07:26,060 --> 00:07:27,740 Showing that it is satisfiable, you just 135 00:07:27,740 --> 00:07:30,115 give the certificate, which is the satisfying assignment.
136 00:07:30,115 --> 00:07:32,510 But how do you show something's not satisfiable? 137 00:07:32,510 --> 00:07:34,940 It's unexpected. 138 00:07:34,940 --> 00:07:38,160 And the proof of that is pretty much similar, slightly 139 00:07:38,160 --> 00:07:42,650 is one kind of technical point which 140 00:07:42,650 --> 00:07:43,910 we don't have to get into. 141 00:07:43,910 --> 00:07:49,640 So it's slightly easier but very much in the same spirit. 142 00:07:49,640 --> 00:07:51,580 So remember this number SAT problem 143 00:07:51,580 --> 00:07:56,170 is you're given a formula and a number, 144 00:07:56,170 --> 00:07:57,970 and that number is supposed to be 145 00:07:57,970 --> 00:08:02,510 exactly the number of satisfying assignments of the formula. 146 00:08:02,510 --> 00:08:05,980 So in particular, a formula's unsatisfiable, then it 147 00:08:05,980 --> 00:08:07,810 would be paired with the number 0. 148 00:08:07,810 --> 00:08:13,120 And that's why the number SAT problem is coNP-hard, 149 00:08:13,120 --> 00:08:18,070 because you can easily reduce the unsatisfiability to number 150 00:08:18,070 --> 00:08:18,760 SAT. 151 00:08:18,760 --> 00:08:23,140 And unsatisfiability is coNP complete. 152 00:08:23,140 --> 00:08:26,680 OK, so remember we introduced this notation last time. 153 00:08:26,680 --> 00:08:29,480 This is going to be critical for understanding this proof. 154 00:08:29,480 --> 00:08:31,000 So let's go through it once again. 155 00:08:34,030 --> 00:08:38,299 So if you have some formula, what I'd like to do 156 00:08:38,299 --> 00:08:41,760 is preset some of the variables of that formula. 157 00:08:41,760 --> 00:08:46,500 So that's going to be a formula on m variables x1 to xm. 158 00:08:46,500 --> 00:08:54,690 And I'd like to preset the first i variables to zeros or ones 159 00:08:54,690 --> 00:08:57,280 as I wish.
160 00:08:57,280 --> 00:09:02,730 So I'm going to indicate that by phi with 0 means 161 00:09:02,730 --> 00:09:05,880 I'm setting x1 to 0 and the rest of the variables 162 00:09:05,880 --> 00:09:08,770 remain variables. 163 00:09:08,770 --> 00:09:15,700 And more generally, phi of i values a1 to ai, 164 00:09:15,700 --> 00:09:17,830 which to start off with are going 165 00:09:17,830 --> 00:09:20,380 to be just zeros and ones, just Boolean values. 166 00:09:20,380 --> 00:09:24,880 That's going to be the formula with those first x1 167 00:09:24,880 --> 00:09:32,840 to set to a1 dot, dot, dot xi set to ai for those i 168 00:09:32,840 --> 00:09:37,610 constants, which were zeros and ones. 169 00:09:37,610 --> 00:09:39,880 I'm going to call those presets, because we're 170 00:09:39,880 --> 00:09:44,722 presetting some of the variables in the formula. 171 00:09:44,722 --> 00:09:46,180 And the rest of the variables we're 172 00:09:46,180 --> 00:09:47,660 going to leave as variables. 173 00:09:47,660 --> 00:09:50,140 So we get a new formula on fewer variables 174 00:09:50,140 --> 00:09:52,345 by doing this pre-setting process. 175 00:09:54,880 --> 00:09:57,790 And we're going to get to do the same thing in terms 176 00:09:57,790 --> 00:10:02,060 of counting the number of satisfying assignments. 177 00:10:02,060 --> 00:10:06,770 So remember the notation number phi is the number 178 00:10:06,770 --> 00:10:09,170 of satisfying assignments. 179 00:10:09,170 --> 00:10:11,870 Number phi with a preset of 0 is the number 180 00:10:11,870 --> 00:10:16,320 of satisfying assignments when you've set x1 to 0. 181 00:10:16,320 --> 00:10:22,140 And number phi of a1 to ai is where you set the first i variables 182 00:10:22,140 --> 00:10:24,060 to those i values. 183 00:10:24,060 --> 00:10:29,340 And then you're going to look at the number of satisfying 184 00:10:29,340 --> 00:10:32,760 assignments with those presets in mind. 185 00:10:32,760 --> 00:10:34,930 So there were two facts.
186 00:10:34,930 --> 00:10:36,930 I'm going to call them identities, because we're 187 00:10:36,930 --> 00:10:41,970 going to rely on those and we're going to actually extend those 188 00:10:41,970 --> 00:10:44,890 to the non Boolean case, as we'll see shortly. 189 00:10:44,890 --> 00:10:54,710 So these two identities say that, first of all, 190 00:10:54,710 --> 00:10:57,940 if I preset, I think understanding 191 00:10:57,940 --> 00:11:00,850 the first one is clear just by thinking about it 192 00:11:00,850 --> 00:11:03,490 in the case where i equals 0. 193 00:11:03,490 --> 00:11:07,630 So this is the case where the number of satisfying 194 00:11:07,630 --> 00:11:12,240 assignments altogether is the number of satisfying 195 00:11:12,240 --> 00:11:15,870 assignments when I've set x1 to 0 plus the number of satisfying 196 00:11:15,870 --> 00:11:19,180 assignments when I've set x1 to 1. 197 00:11:19,180 --> 00:11:21,490 And this just generalizes that when 198 00:11:21,490 --> 00:11:27,340 I look at having already preset the first i variables. 199 00:11:27,340 --> 00:11:32,430 So if I preset the first i variables to these i values, 200 00:11:32,430 --> 00:11:33,930 the number of satisfying assignments 201 00:11:33,930 --> 00:11:36,480 I get there is the number of satisfying assignments 202 00:11:36,480 --> 00:11:39,870 I get with those presets plus the next variable being 203 00:11:39,870 --> 00:11:41,550 set either to 0 or to 1. 204 00:11:41,550 --> 00:11:42,960 And then you add those up. 205 00:11:42,960 --> 00:11:45,620 The same idea. 
206 00:11:45,620 --> 00:11:49,990 And lastly, if I set all of the variables 207 00:11:49,990 --> 00:11:53,330 to values, so I have no variables left, and I look 208 00:11:53,330 --> 00:11:55,220 at the number of satisfying assignments 209 00:11:55,220 --> 00:12:01,320 consistent with that fully set variables, 210 00:12:01,320 --> 00:12:03,320 so there's no variables left, everything is set, 211 00:12:03,320 --> 00:12:06,650 everything is preset, that's just whether or not 212 00:12:06,650 --> 00:12:11,010 those values have satisfied the formula already or not. 213 00:12:11,010 --> 00:12:13,820 So this is going to be equal to 0 or 1, the number 214 00:12:13,820 --> 00:12:15,620 of consistent satisfying assignments 215 00:12:15,620 --> 00:12:18,920 with those m presets where m is a number of variables 216 00:12:18,920 --> 00:12:22,850 is just whether those m values satisfy the formula, in which 217 00:12:22,850 --> 00:12:26,270 case, I get 1, or they don't satisfy the formula, in which 218 00:12:26,270 --> 00:12:29,000 case, I get a 0. 219 00:12:29,000 --> 00:12:31,887 Critical to understand these in the Boolean case, 220 00:12:31,887 --> 00:12:33,470 because we're going to generalize this 221 00:12:33,470 --> 00:12:35,600 to the non Boolean case, and it's 222 00:12:35,600 --> 00:12:37,220 going to be just more abstract. 223 00:12:37,220 --> 00:12:39,410 The formulas are going to look the same. 224 00:12:39,410 --> 00:12:42,450 We're going to have to kind of-- 225 00:12:42,450 --> 00:12:44,160 we're going to lose the intuition 226 00:12:44,160 --> 00:12:47,990 that those things correspond to satisfying assignments. 227 00:12:47,990 --> 00:12:51,550 Or counting the number of satisfying assignments. 228 00:12:51,550 --> 00:12:52,400 All right. 229 00:12:52,400 --> 00:12:55,570 So let's have a quick check-in here. 230 00:12:55,570 --> 00:12:58,470 So we're just going to do an example to hope 231 00:12:58,470 --> 00:13:03,130 to nail this in, this idea. 
232 00:13:03,130 --> 00:13:04,740 So here's a particular formula phi. 233 00:13:08,970 --> 00:13:12,100 And now remember, number phi is the number 234 00:13:12,100 --> 00:13:13,210 of satisfying assignments. 235 00:13:13,210 --> 00:13:15,790 So phi, the number of satisfying assignments where 236 00:13:15,790 --> 00:13:20,270 I've set x1 to 0 and so on. 237 00:13:20,270 --> 00:13:21,860 And here I'm really kind of giving you 238 00:13:21,860 --> 00:13:26,720 two options in each row for the value. 239 00:13:26,720 --> 00:13:28,670 Now you have to check all that are true. 240 00:13:28,670 --> 00:13:32,140 So it's really going to be at most one per row, presumably. 241 00:13:36,700 --> 00:13:37,540 All right. 242 00:13:37,540 --> 00:13:41,140 Let's see if you're with me here. 243 00:13:41,140 --> 00:13:47,880 So the number of satisfying assignments for altogether, 244 00:13:47,880 --> 00:13:52,170 well, there are two ways of satisfying this formula. 245 00:13:52,170 --> 00:13:54,660 This is really like exclusive or. 246 00:13:54,660 --> 00:14:01,140 So either x1 is 1, x2 is 0, or x1 is 0 and x2 is 1. 247 00:14:01,140 --> 00:14:03,540 So one of the variables has to be true. 248 00:14:03,540 --> 00:14:04,870 The other one has to be false. 249 00:14:04,870 --> 00:14:07,350 And then you're going to end up satisfying both clauses, 250 00:14:07,350 --> 00:14:09,780 as you can easily see. 251 00:14:09,780 --> 00:14:14,770 So b is correct in the first line. 252 00:14:14,770 --> 00:14:16,890 Now, if I'm going to already commit 253 00:14:16,890 --> 00:14:21,640 to saying the first variable is set to 0, now 254 00:14:21,640 --> 00:14:23,960 how many satisfying assignments can there be? 255 00:14:23,960 --> 00:14:25,480 Well, the second variable just has 256 00:14:25,480 --> 00:14:27,970 to be set to 1 in order to satisfy. 
257 00:14:27,970 --> 00:14:31,270 So now there's going to be only one satisfying assignment 258 00:14:31,270 --> 00:14:34,720 consistent with setting the first variable to 0. 259 00:14:34,720 --> 00:14:38,470 Now if I set both variables to 0, 260 00:14:38,470 --> 00:14:41,080 now how many satisfying assignments can there 261 00:14:41,080 --> 00:14:43,060 be consistent with that assignment? 262 00:14:43,060 --> 00:14:50,230 There can be 0, because in order to satisfy this formula, 263 00:14:50,230 --> 00:14:51,730 one of the variables has to be 0. 264 00:14:51,730 --> 00:14:52,930 The other one has to be 1. 265 00:14:52,930 --> 00:14:54,585 If I'm presetting them both to 0, 266 00:14:54,585 --> 00:14:56,710 there's not going to be any satisfying assignments, 267 00:14:56,710 --> 00:15:01,700 because 0, 0 does not satisfy the formula. 268 00:15:01,700 --> 00:15:08,370 OK, apologies for messing up that check in on the last day. 269 00:15:08,370 --> 00:15:09,000 Oh well. 270 00:15:12,420 --> 00:15:13,290 All right. 271 00:15:13,290 --> 00:15:28,960 Let's first go over the protocol we attempted for number SAT 272 00:15:28,960 --> 00:15:32,770 last week on Thursday. 273 00:15:32,770 --> 00:15:39,620 So we're given the input, the formula, and a k. 274 00:15:39,620 --> 00:15:41,760 And remember what we want to happen. 275 00:15:41,760 --> 00:15:43,790 We want the verifier to end up accepting 276 00:15:43,790 --> 00:15:47,150 with high probability when k is the correct value 277 00:15:47,150 --> 00:15:52,040 and with low probability when k is not the correct value. 278 00:15:52,040 --> 00:15:57,770 Now, this is going to be, as you may remember from last time, 279 00:15:57,770 --> 00:16:00,230 this is going to end up being a flawed protocol, 280 00:16:00,230 --> 00:16:01,730 because it's exponential. 281 00:16:01,730 --> 00:16:05,060 We're only allowed to have a polynomial size protocol.
282 00:16:05,060 --> 00:16:09,260 But just looking ahead in this protocol, 283 00:16:09,260 --> 00:16:11,420 the verifier is going to end up accepting 284 00:16:11,420 --> 00:16:17,000 with probability 1 for an honest prover and with probability 0 285 00:16:17,000 --> 00:16:18,590 no matter what the prover tries to do. 286 00:16:18,590 --> 00:16:24,080 So for any prover, the verifier cannot be made to accept. 287 00:16:24,080 --> 00:16:27,470 So this is kind of an extreme case 288 00:16:27,470 --> 00:16:30,140 where there's not going to end up being any probabilities. 289 00:16:30,140 --> 00:16:31,880 But it's an exponential protocol. 290 00:16:31,880 --> 00:16:34,440 So in that sense, it doesn't do what we need. 291 00:16:34,440 --> 00:16:37,790 So let's go through it, because it really sets us up 292 00:16:37,790 --> 00:16:43,960 for the polynomial protocol with the non Boolean values. 293 00:16:43,960 --> 00:16:45,070 All right. 294 00:16:45,070 --> 00:16:48,130 So first the prover sends-- 295 00:16:48,130 --> 00:16:50,980 let's just look at it and not rush it. 296 00:16:50,980 --> 00:16:57,520 The prover sends the number of satisfying assignments 297 00:16:57,520 --> 00:17:00,150 according to the prover. 298 00:17:00,150 --> 00:17:05,240 The verifier checks that is equal to k. 299 00:17:05,240 --> 00:17:06,829 And I think it's best to understand 300 00:17:06,829 --> 00:17:12,170 this first with the case that the input is in the language. 301 00:17:12,170 --> 00:17:15,937 So k is correct and we have an honest prover. 302 00:17:15,937 --> 00:17:17,520 And then we'll understand what happens 303 00:17:17,520 --> 00:17:19,500 if k is not in the language. 304 00:17:19,500 --> 00:17:23,160 And we'll see that no matter what the prover tries to do, 305 00:17:23,160 --> 00:17:27,079 the verifier is going to end up not accepting. 306 00:17:27,079 --> 00:17:32,490 And again, this is just a setup for the real protocol. 
307 00:17:32,490 --> 00:17:34,010 So this is kind of a dopey protocol. 308 00:17:34,010 --> 00:17:36,920 You're going to think, what in the world, why am I doing this? 309 00:17:39,800 --> 00:17:42,320 It seems like I'm making something that's 310 00:17:42,320 --> 00:17:45,830 very simple complicated, but it's really just the framework 311 00:17:45,830 --> 00:17:47,330 that I'm putting together. 312 00:17:47,330 --> 00:17:51,090 Because, well, you'll see. 313 00:17:51,090 --> 00:17:51,590 All right. 314 00:17:51,590 --> 00:17:53,840 So the prover is going to send the claim 315 00:17:53,840 --> 00:17:56,660 for the number of satisfying assignments, 316 00:17:56,660 --> 00:17:59,960 which in the honest case is going to be the correct value. 317 00:17:59,960 --> 00:18:02,870 The verifier checks that it matches the input. 318 00:18:02,870 --> 00:18:05,540 Now the verifier says, well, I want to be convinced 319 00:18:05,540 --> 00:18:07,410 that your claim is correct. 320 00:18:07,410 --> 00:18:12,070 So the prover is going to justify that claim 321 00:18:12,070 --> 00:18:14,320 by saying, well, the total number of satisfying 322 00:18:14,320 --> 00:18:16,690 assignments is whatever it is, 100 323 00:18:16,690 --> 00:18:23,590 because the number when I have x1 set to 0 is 60. 324 00:18:23,590 --> 00:18:26,440 And the number when I have x1 set to 1 is 40. 325 00:18:26,440 --> 00:18:28,750 And that adds up to 100, which is what 326 00:18:28,750 --> 00:18:30,880 you would need to have happen. 327 00:18:30,880 --> 00:18:35,330 So the verifier checks that the sum is correct and then says, 328 00:18:35,330 --> 00:18:37,980 well, now how do I know those two values are right? 329 00:18:37,980 --> 00:18:41,850 So then the prover unpacks it one level further.
330 00:18:41,850 --> 00:18:46,850 So breaks those two down by justifying 331 00:18:46,850 --> 00:18:50,000 that phi 0 was correct, that value 60 was correct, 332 00:18:50,000 --> 00:18:53,180 by saying, well, now if I set the next variable, 333 00:18:53,180 --> 00:18:57,260 x2 to 0 and 1, that's going to have to add up to phi 0. 334 00:18:57,260 --> 00:19:01,370 So maybe to get 60, I had 50 and 10. 335 00:19:01,370 --> 00:19:09,180 And to get 40 for number phi of one, I had 20 and 20. 336 00:19:09,180 --> 00:19:14,350 So these I have to add up. 337 00:19:14,350 --> 00:19:18,760 So each level justifies the preceding level. 338 00:19:18,760 --> 00:19:20,410 We're going to have that happen again. 339 00:19:23,480 --> 00:19:28,250 Now, the prover says, well, I mean, I need to be convinced. 340 00:19:28,250 --> 00:19:29,000 I don't trust you. 341 00:19:29,000 --> 00:19:32,970 I need to be convinced that these values are correct. 342 00:19:32,970 --> 00:19:37,130 So level by level, the prover is going 343 00:19:37,130 --> 00:19:40,910 to be setting more and more of the variables in all 344 00:19:40,910 --> 00:19:42,680 the possible ways until it gets down 345 00:19:42,680 --> 00:19:46,430 to the very bottom where it's setting the variables 346 00:19:46,430 --> 00:19:47,970 in all possible ways. 347 00:19:47,970 --> 00:19:52,740 So exponentially many settings here. 348 00:19:52,740 --> 00:19:56,950 And the verifier now checks that the previous round was correct. 349 00:19:56,950 --> 00:20:00,450 So that's where we set only the first m minus 1, 350 00:20:00,450 --> 00:20:03,510 the very last variable hadn't yet been set. 351 00:20:03,510 --> 00:20:06,690 So checks all of those 2 to the n 352 00:20:06,690 --> 00:20:11,130 minus 1 possible settings in terms 353 00:20:11,130 --> 00:20:14,460 of the new settings that we got where 354 00:20:14,460 --> 00:20:18,060 we set those m minus 1 settings, but we extended it 355 00:20:18,060 --> 00:20:19,710 by 0 and by 1. 
356 00:20:19,710 --> 00:20:23,175 Again, this is the same identity that we used from before. 357 00:20:26,400 --> 00:20:31,890 And now that the prover has sent all of those possible values, 358 00:20:31,890 --> 00:20:36,510 the verifier needs to be sure that those are still correct. 359 00:20:36,510 --> 00:20:39,900 But the thing is that at this point, 360 00:20:39,900 --> 00:20:42,150 those are all zeros and ones because they all 361 00:20:42,150 --> 00:20:47,460 say whether that assignment satisfies the formula 362 00:20:47,460 --> 00:20:49,390 or doesn't satisfy the formula. 363 00:20:49,390 --> 00:20:52,810 So the verifier can check those directly. 364 00:20:52,810 --> 00:20:55,720 Checks each of those, whether just 365 00:20:55,720 --> 00:20:58,390 by plugging into the formula and seeing 366 00:20:58,390 --> 00:20:59,890 does it satisfy the formula or not. 367 00:20:59,890 --> 00:21:02,240 So each one of these is a 0, 1 value, 368 00:21:02,240 --> 00:21:05,320 which is supposed to correspond to whether the formula was 369 00:21:05,320 --> 00:21:06,910 satisfied or not. 370 00:21:06,910 --> 00:21:13,540 Those all are correct and everything else along the way 371 00:21:13,540 --> 00:21:14,380 has been correct. 372 00:21:14,380 --> 00:21:16,090 The verifier is going to accept. 373 00:21:16,090 --> 00:21:21,490 Otherwise if at any point one of those checks failed, 374 00:21:21,490 --> 00:21:23,590 the verifier has already rejected or at this point 375 00:21:23,590 --> 00:21:25,590 it just rejects. 376 00:21:25,590 --> 00:21:34,890 So that is the protocol, the exponential protocol. 377 00:21:34,890 --> 00:21:39,760 And I'm not sure if this is helpful to you or not, 378 00:21:39,760 --> 00:21:44,050 but I like to think of it sort of as a tree of possibilities. 379 00:21:44,050 --> 00:21:49,440 So these yellow values are what the prover is sending. 
380 00:21:49,440 --> 00:21:51,870 So the prover first sends the number 381 00:21:51,870 --> 00:21:53,910 of satisfying assignments all together. 382 00:21:53,910 --> 00:21:57,600 The verifier in white is checking-- 383 00:21:57,600 --> 00:21:58,920 are doing these checks. 384 00:21:58,920 --> 00:22:00,420 So it checks that it equals k. 385 00:22:06,430 --> 00:22:11,020 And then the prover sends the next level. 386 00:22:11,020 --> 00:22:14,440 The verifier checks that the addition works out. 387 00:22:14,440 --> 00:22:19,870 Then the prover unpacks it further, 388 00:22:19,870 --> 00:22:22,690 assigns values to the first two variables, 389 00:22:22,690 --> 00:22:27,640 and the verifier checks that just the assignments, just 390 00:22:27,640 --> 00:22:31,960 a single variable are consistent with that and so on. 391 00:22:31,960 --> 00:22:37,540 And to assign all m variables and then it checks directly 392 00:22:37,540 --> 00:22:40,310 with the formula. 393 00:22:40,310 --> 00:22:44,340 Now, what happens-- and here is the case. 394 00:22:44,340 --> 00:22:47,240 It's going to be important to understand in both here 395 00:22:47,240 --> 00:22:49,280 and in the non Boolean case. 396 00:22:49,280 --> 00:22:55,500 What happens if we had an incorrect value for the input? 397 00:22:55,500 --> 00:22:58,800 And what I want to show you is that the prover is going to-- 398 00:22:58,800 --> 00:23:01,620 I want to show you that the verifier is 399 00:23:01,620 --> 00:23:09,310 going to end up rejecting in this case with certainty. 400 00:23:09,310 --> 00:23:13,130 Later on it's just going to reject with high probability. 401 00:23:13,130 --> 00:23:16,970 But for this protocol, it's going to accept with certainty. 402 00:23:16,970 --> 00:23:18,020 And why is that? 403 00:23:18,020 --> 00:23:27,180 Because first of all, if the prover, if k was wrong, 404 00:23:27,180 --> 00:23:29,940 so I'm indicating the wrong values in red. 
405 00:23:29,940 --> 00:23:34,080 If k was wrong, so it did not equal the number of satisfying 406 00:23:34,080 --> 00:23:37,680 assignments, if the prover sends the correct value, 407 00:23:37,680 --> 00:23:40,860 the verifier is just going to say it doesn't match up. 408 00:23:40,860 --> 00:23:43,050 I reject right away. 409 00:23:43,050 --> 00:23:46,660 So what can the prover possibly do 410 00:23:46,660 --> 00:23:48,580 to prevent the verifier from accepting? 411 00:23:48,580 --> 00:23:51,320 You're going to see that there's nothing you can do. 412 00:23:51,320 --> 00:23:54,620 But later on, there's a chance that the prover can get lucky. 413 00:23:54,620 --> 00:23:56,690 But here there's nothing you can do. 414 00:23:56,690 --> 00:24:02,270 Let's try to humor me and see-- 415 00:24:02,270 --> 00:24:07,610 let the prover try to manage to keep the verifier going 416 00:24:07,610 --> 00:24:09,210 as long as possible. 417 00:24:09,210 --> 00:24:12,230 So the prover in order to prevent the verifier 418 00:24:12,230 --> 00:24:14,180 from rejecting at the beginning would 419 00:24:14,180 --> 00:24:19,340 have to lie about the number of satisfying assignments. 420 00:24:19,340 --> 00:24:24,890 But then the prover is going to say, well, OK, 421 00:24:24,890 --> 00:24:29,377 you're claiming there's only 99 satisfying assignments. 422 00:24:29,377 --> 00:24:31,460 Prover doesn't know what the right real answer is. 423 00:24:31,460 --> 00:24:34,910 But we know it was 100, let's say. 424 00:24:34,910 --> 00:24:38,710 But let's say k was equal to 99. 425 00:24:38,710 --> 00:24:42,460 The prover claimed it's 99 now. 426 00:24:42,460 --> 00:24:47,650 And so the verifier says, OK, well, it's 99. 427 00:24:47,650 --> 00:24:48,513 Convince me of that. 
428 00:24:48,513 --> 00:24:49,930 So now the prover is going to have 429 00:24:49,930 --> 00:24:52,360 to say the number of satisfying assignments for 0 430 00:24:52,360 --> 00:24:54,318 and the number of satisfying assignments for 1, 431 00:24:54,318 --> 00:24:55,480 they have to add up. 432 00:24:55,480 --> 00:24:58,070 At least one of those has to be wrong, 433 00:24:58,070 --> 00:25:00,530 because you can't have the two correct values adding up 434 00:25:00,530 --> 00:25:04,510 to the false value. 435 00:25:04,510 --> 00:25:08,280 So a lie here has to yield a lie in at least one 436 00:25:08,280 --> 00:25:10,400 of those two places. 437 00:25:10,400 --> 00:25:12,950 And then a lie there is going to have 438 00:25:12,950 --> 00:25:14,900 to yield a lie in one of those two places, 439 00:25:14,900 --> 00:25:18,800 just like each lie kind of forces more lies. 440 00:25:18,800 --> 00:25:21,080 As you know, you're trying to lie. 441 00:25:21,080 --> 00:25:25,100 The story gets more and more complicated in order 442 00:25:25,100 --> 00:25:27,960 to try to justify all this. 443 00:25:27,960 --> 00:25:31,260 And so in the end, you're going to get an inequality. 444 00:25:31,260 --> 00:25:35,015 And the verifier is going to end up rejecting. 445 00:25:35,015 --> 00:25:36,390 Somewhere along the line, there's 446 00:25:36,390 --> 00:25:38,310 going to have to be an inequality, 447 00:25:38,310 --> 00:25:40,680 if not along the way then at the very end 448 00:25:40,680 --> 00:25:43,790 when the verifier does the check itself. 449 00:25:43,790 --> 00:25:46,940 Because one of those, you could trace that down, there's 450 00:25:46,940 --> 00:25:49,040 going to be lies and lies and lies 451 00:25:49,040 --> 00:25:54,590 and then there's going to be at the very bottom one 452 00:25:54,590 --> 00:25:57,297 of these values is going to be wrong. 
453 00:25:57,297 --> 00:25:58,880 And when the verifier checks them all, 454 00:25:58,880 --> 00:26:02,207 it's going to find out that there is an inequality there. 455 00:26:02,207 --> 00:26:04,040 And so one of those checks is going to fail. 456 00:26:10,415 --> 00:26:11,790 So I'm getting one question here. 457 00:26:11,790 --> 00:26:13,498 Why is this any better than just checking 458 00:26:13,498 --> 00:26:16,830 all possible assignments without a prover? 459 00:26:16,830 --> 00:26:18,060 It isn't. 460 00:26:18,060 --> 00:26:20,340 The only reason I'm doing this is 461 00:26:20,340 --> 00:26:28,030 to get us ready for the arithmetized protocol 462 00:26:28,030 --> 00:26:31,830 where we have non Boolean values coming in. 463 00:26:31,830 --> 00:26:33,030 So questions on this? 464 00:26:33,030 --> 00:26:39,080 I think it's important to understand this one. 465 00:26:39,080 --> 00:26:40,940 Don't ask the question why. 466 00:26:40,940 --> 00:26:43,730 The why is just going to be we are getting 467 00:26:43,730 --> 00:26:45,290 ourselves ready for something later, 468 00:26:45,290 --> 00:26:47,450 which you don't know yet. 469 00:26:47,450 --> 00:26:51,260 But I want you to understand it for what it is, 470 00:26:51,260 --> 00:26:53,956 even if it seems unnecessarily complicated. 471 00:26:57,290 --> 00:27:00,530 OK, so let's keep going. 472 00:27:00,530 --> 00:27:02,560 So how are we going to fix that protocol 473 00:27:02,560 --> 00:27:03,940 so it's not exponential? 474 00:27:03,940 --> 00:27:07,510 So again, here is a picture of that exponential protocol. 475 00:27:07,510 --> 00:27:10,540 And we have that exponential blow 476 00:27:10,540 --> 00:27:12,910 up occurring because at every stage, 477 00:27:12,910 --> 00:27:15,400 each value is going to be justified in terms of two 478 00:27:15,400 --> 00:27:18,080 values at the next stage. 
479 00:27:18,080 --> 00:27:22,270 So it's going to be exponentially many values 480 00:27:22,270 --> 00:27:23,720 after a while. 481 00:27:23,720 --> 00:27:26,890 So instead, we're going to try to justify each value here 482 00:27:26,890 --> 00:27:29,800 in terms of just a single value at the next stage. 483 00:27:32,800 --> 00:27:34,690 But it's not going to be good enough just 484 00:27:34,690 --> 00:27:38,430 to pick either the 0 or the 1 at random. 485 00:27:38,430 --> 00:27:40,470 Because it might be each-- 486 00:27:40,470 --> 00:27:42,090 there might be just a single course 487 00:27:42,090 --> 00:27:45,740 of lies going through here. 488 00:27:45,740 --> 00:27:49,790 And the only way you would be to catch that 489 00:27:49,790 --> 00:27:55,040 would be to guess correctly at each stage which was the lie. 490 00:27:55,040 --> 00:27:57,778 And then you would catch it at the end. 491 00:27:57,778 --> 00:27:59,570 If you're just going to be randomly picking 492 00:27:59,570 --> 00:28:03,580 zeros and ones, you're not going to have 493 00:28:03,580 --> 00:28:07,910 a high probability of catching the prover when it's lying. 494 00:28:07,910 --> 00:28:12,250 And so that's not going to be good enough. 495 00:28:12,250 --> 00:28:16,220 The input might be the wrong value 496 00:28:16,220 --> 00:28:17,770 and you might have a prover which 497 00:28:17,770 --> 00:28:23,800 just has one path of lies, and then your probability, 498 00:28:23,800 --> 00:28:25,600 you would still have a high probability 499 00:28:25,600 --> 00:28:30,020 of accepting in that case, even though the input was wrong. 500 00:28:30,020 --> 00:28:31,120 It's not what you want. 501 00:28:31,120 --> 00:28:33,490 When the input is wrong, you have 502 00:28:33,490 --> 00:28:38,795 to have only a tiny chance, a very small chance of accepting. 
503 00:28:38,795 --> 00:28:40,170 So the way we're going to achieve 504 00:28:40,170 --> 00:28:42,930 that is by having these-- 505 00:28:42,930 --> 00:28:48,600 instead of picking a 0 or a 1 for these random values, 506 00:28:48,600 --> 00:28:52,980 we're going to have non Boolean assignments to the variables. 507 00:28:52,980 --> 00:28:54,910 And we have to make sense of that. 508 00:28:54,910 --> 00:28:56,660 And we've already seen an example of that. 509 00:28:56,660 --> 00:28:58,160 It's going to be very much the same. 510 00:29:01,670 --> 00:29:03,428 All right. 511 00:29:03,428 --> 00:29:09,070 Are we all together here? 512 00:29:09,070 --> 00:29:11,250 So this is a place where we could 513 00:29:11,250 --> 00:29:21,460 try, if you have a question, we can try to answer that. 514 00:29:21,460 --> 00:29:22,410 Are we good? 515 00:29:22,410 --> 00:29:24,240 Let's keep moving. 516 00:29:24,240 --> 00:29:27,660 OK, so how are we going to arithmetize Boolean formulas? 517 00:29:27,660 --> 00:29:29,940 It's, again, the same idea we had before. 518 00:29:29,940 --> 00:29:33,180 Simulating ands and ors with plus and times. 519 00:29:33,180 --> 00:29:35,900 So we had this from before, same exact picture. 520 00:29:35,900 --> 00:29:37,940 Actually it's even simpler, because now we're 521 00:29:37,940 --> 00:29:43,040 going to be using the true simulation of or instead 522 00:29:43,040 --> 00:29:46,040 of some kind of a special case simulation of 523 00:29:46,040 --> 00:29:49,670 or, which we had in the branching program case. 524 00:29:49,670 --> 00:29:54,762 So these faithfully do what and and 525 00:29:54,762 --> 00:30:01,380 or does when you plug in 0 for false and 1 for true. 526 00:30:01,380 --> 00:30:04,910 So that means that we can take an entire formula 527 00:30:04,910 --> 00:30:06,200 and arithmetize it. 528 00:30:06,200 --> 00:30:09,500 The formula built out of ands and ors and negations. 
529 00:30:09,500 --> 00:30:11,720 And you're going to get a polynomial that comes out. 530 00:30:15,250 --> 00:30:17,710 And that polynomial, what's going to be important for us 531 00:30:17,710 --> 00:30:20,800 is not going to be of extremely high degree. 532 00:30:20,800 --> 00:30:23,350 The actual degree is going to be at most the length 533 00:30:23,350 --> 00:30:25,870 of the formula in terms of the number of symbols it has. 534 00:30:25,870 --> 00:30:28,330 You can check that on your own. 535 00:30:28,330 --> 00:30:30,310 But for now you can just trust me. 536 00:30:30,310 --> 00:30:33,760 The degree of the polynomial, because it only goes up 537 00:30:33,760 --> 00:30:39,040 during the multiplications, but the degree doesn't 538 00:30:39,040 --> 00:30:39,700 become too big. 539 00:30:46,910 --> 00:30:48,260 And we're going to be doing-- 540 00:30:48,260 --> 00:30:50,450 and I don't want this to be a confusing issue here. 541 00:30:50,450 --> 00:30:57,215 We're going to be doing-- but we have to be correct. 542 00:30:57,215 --> 00:30:58,590 I don't want to be cheating here. 543 00:30:58,590 --> 00:31:02,700 So all of the arithmetic is going to be done in a field. 544 00:31:02,700 --> 00:31:12,840 So we have to do plus and times mod some number, which 545 00:31:12,840 --> 00:31:15,030 turns out needs to be a prime number for reasons 546 00:31:15,030 --> 00:31:17,070 I'm not going to get into. 547 00:31:17,070 --> 00:31:18,300 But it doesn't really matter. 548 00:31:18,300 --> 00:31:19,800 It's just modular arithmetic. 549 00:31:19,800 --> 00:31:21,240 And that's one thing that enables 550 00:31:21,240 --> 00:31:23,880 us to pick random values in a natural way, 551 00:31:23,880 --> 00:31:26,830 because there's only finitely many values in the field. 552 00:31:26,830 --> 00:31:29,210 And so you're just going to pick one at random. 
553 00:31:29,210 --> 00:31:33,850 But here we want to be able to represent-- 554 00:31:33,850 --> 00:31:36,790 it's going to be more important for us to have a larger 555 00:31:36,790 --> 00:31:40,120 field, because we want to be able to represent 556 00:31:40,120 --> 00:31:42,520 the number of satisfying assignments which 557 00:31:42,520 --> 00:31:46,000 can be a number between 0 and 2 to the m. 558 00:31:46,000 --> 00:31:48,040 So we have to have a field which has at least 2 559 00:31:48,040 --> 00:31:52,030 to the m elements in it so that we can in a sensible way 560 00:31:52,030 --> 00:31:53,230 write down those numbers. 561 00:31:57,790 --> 00:31:59,950 Let's not get caught up with that. 562 00:31:59,950 --> 00:32:04,870 But we can try to answer those questions offline if you want. 563 00:32:04,870 --> 00:32:07,990 But just think about it for this first pass. 564 00:32:07,990 --> 00:32:10,750 We're doing the arithmetic mod some prime. 565 00:32:14,740 --> 00:32:21,090 So now we have the same notion of presets as we had before. 566 00:32:21,090 --> 00:32:26,210 So if we have a formula and we preset some of the values 567 00:32:26,210 --> 00:32:28,775 but now those values may be non Boolean values. 568 00:32:31,620 --> 00:32:35,820 We may be plugging in values for the formula. 569 00:32:35,820 --> 00:32:39,000 Not just zeros and ones, but we might be plugging in sevens 570 00:32:39,000 --> 00:32:41,340 or 23's or whatever. 571 00:32:41,340 --> 00:32:44,400 And the formula is going to in order 572 00:32:44,400 --> 00:32:47,430 to have a value, a meaning to that, 573 00:32:47,430 --> 00:32:49,890 we're going to treat that formula as the polynomial 574 00:32:49,890 --> 00:32:51,780 from the arithmetization. 575 00:32:51,780 --> 00:32:54,180 And just plug in those values into the polynomial 576 00:32:54,180 --> 00:32:57,920 and see what the polynomial does for you. 
577 00:32:57,920 --> 00:32:59,620 So here we're going to be presetting 578 00:32:59,620 --> 00:33:02,270 some of the values of the formula like we did before. 579 00:33:02,270 --> 00:33:04,750 And now it's going to be the same thing. 580 00:33:04,750 --> 00:33:06,640 But now in the polynomial, we're going 581 00:33:06,640 --> 00:33:10,510 to be pre-assigning some of the values of the variables 582 00:33:10,510 --> 00:33:14,050 to these a's from the field. 583 00:33:14,050 --> 00:33:16,870 And the remaining variables are going to stay as unset. 584 00:33:21,820 --> 00:33:24,170 Now we have to give an interpretation. 585 00:33:27,210 --> 00:33:29,325 So the new polynomial here. 586 00:33:32,417 --> 00:33:33,500 So I'm getting a question. 587 00:33:33,500 --> 00:33:35,180 Well, maybe I better take this. 588 00:33:35,180 --> 00:33:39,890 Let me hold off on that for now what the degree is. 589 00:33:47,880 --> 00:33:51,000 I'll answer the questions in a second. 590 00:33:51,000 --> 00:33:57,260 So now remember from before, number phi 591 00:33:57,260 --> 00:33:59,840 was the number of satisfying assignments when 592 00:33:59,840 --> 00:34:04,438 I preset the first i values. 593 00:34:04,438 --> 00:34:07,740 It no longer makes sense to talk about satisfying assignments, 594 00:34:07,740 --> 00:34:12,050 because these values may no longer be Booleans. 595 00:34:12,050 --> 00:34:19,510 So I'm going to have to write this formally 596 00:34:19,510 --> 00:34:27,380 as I'm going to plug in those values, those i values, 597 00:34:27,380 --> 00:34:28,969 for the first i variables. 598 00:34:28,969 --> 00:34:34,130 And the remaining are variables which I have not set. 599 00:34:34,130 --> 00:34:36,350 I'm going to assign them to zeros and ones 600 00:34:36,350 --> 00:34:37,580 in all possible ways. 601 00:34:37,580 --> 00:34:38,870 Only to zeros and ones. 
602 00:34:41,449 --> 00:34:45,112 Because what I want to have, you might think, well, 603 00:34:45,112 --> 00:34:47,570 why aren't we assigning these to other values in the field? 604 00:34:47,570 --> 00:34:51,455 Well, because what I'm aiming at is that if I were to plug 605 00:34:51,455 --> 00:34:57,870 in zeros and ones at this point into the polynomial, 606 00:34:57,870 --> 00:35:00,750 I'm supposed to get exactly the same values as I had before, 607 00:35:00,750 --> 00:35:03,390 because I'm simulating and's and or's. 608 00:35:03,390 --> 00:35:11,820 So I'm just extending the definition, the evaluation 609 00:35:11,820 --> 00:35:13,320 into a new realm. 610 00:35:13,320 --> 00:35:15,330 But I shouldn't change the values 611 00:35:15,330 --> 00:35:19,070 on the old Boolean realm. 612 00:35:19,070 --> 00:35:23,540 So I'm going to be adding up the unassigned, the unset variables 613 00:35:23,540 --> 00:35:25,700 in all possible Boolean ways. 614 00:35:25,700 --> 00:35:30,520 And the first i values could be non Boolean values. 615 00:35:30,520 --> 00:35:34,980 So you have to just accept this as an abstract notion. 616 00:35:34,980 --> 00:35:38,478 No longer has an interpretation as satisfying assignments. 617 00:35:41,890 --> 00:35:43,990 So as I said, what's important is 618 00:35:43,990 --> 00:35:49,090 that if I happen to put Boolean values in now, 619 00:35:49,090 --> 00:35:54,790 then phi and number phi give the same values 620 00:35:54,790 --> 00:35:57,380 as they would have before. 621 00:35:57,380 --> 00:36:02,270 Because the polynomial acts identically 622 00:36:02,270 --> 00:36:04,715 to the formula on Boolean values. 623 00:36:08,710 --> 00:36:09,210 OK. 624 00:36:09,210 --> 00:36:11,100 So this is what I'm repeating what I said. 
625 00:36:11,100 --> 00:36:15,820 And there's another point that also you have to check, 626 00:36:15,820 --> 00:36:20,800 which is that the identities that we had earlier 627 00:36:20,800 --> 00:36:24,730 that connected up what happens when I set the first i values 628 00:36:24,730 --> 00:36:30,870 and I set the first i plus 1 values, those still hold. 629 00:36:30,870 --> 00:36:37,200 So if I set the first i values now to possibly some non 630 00:36:37,200 --> 00:36:40,520 Boolean assignment, that's what I 631 00:36:40,520 --> 00:36:48,410 get when I extend those values to one more variable being 632 00:36:48,410 --> 00:36:49,010 assigned. 633 00:36:49,010 --> 00:36:52,160 But I just need to assign that variable to 0 and to 1 634 00:36:52,160 --> 00:36:53,960 and add those up because of the way 635 00:36:53,960 --> 00:36:56,250 I've defined things over here. 636 00:36:56,250 --> 00:37:02,030 So I've assigned those variables to zeros-- the unset variable 637 00:37:02,030 --> 00:37:07,280 to zeros and ones when I'm defining the number phi 638 00:37:07,280 --> 00:37:09,910 function. 639 00:37:09,910 --> 00:37:13,750 And then lastly, when I assign everything 640 00:37:13,750 --> 00:37:18,970 now to possibly non Boolean values, that's going to be-- 641 00:37:18,970 --> 00:37:20,890 there's no longer anything to add up. 642 00:37:20,890 --> 00:37:25,990 So I'm going to get exactly the same as I got from 643 00:37:25,990 --> 00:37:27,490 before when I-- 644 00:37:27,490 --> 00:37:31,330 so assigning number phi of totally preset input, 645 00:37:31,330 --> 00:37:35,540 it's the same as phi with a totally preset input. 646 00:37:35,540 --> 00:37:37,910 Because in that case, there are no variables 647 00:37:37,910 --> 00:37:39,980 left to add up over. 648 00:37:39,980 --> 00:37:41,660 So there's just one. 649 00:37:41,660 --> 00:37:44,480 I just get one single. 650 00:37:44,480 --> 00:37:46,010 I sum it as just one element in it. 
651 00:37:48,600 --> 00:37:53,000 So I got a question here for earlier. 652 00:37:53,000 --> 00:37:55,670 What happens to the degrees of the polynomials? 653 00:37:58,540 --> 00:38:01,480 Well, the degree of number phi is 654 00:38:01,480 --> 00:38:03,730 going to be at most the degree of phi, 655 00:38:03,730 --> 00:38:05,230 because I'm just adding things up. 656 00:38:05,230 --> 00:38:06,730 And addition doesn't change degrees. 657 00:38:10,860 --> 00:38:14,920 As I preset values, the number of variables goes down, 658 00:38:14,920 --> 00:38:19,320 but the degree may not necessarily go down. 659 00:38:19,320 --> 00:38:23,210 So the question was I got are the new polynomials having 660 00:38:23,210 --> 00:38:24,170 lower degrees? 661 00:38:24,170 --> 00:38:27,400 Not necessarily. 662 00:38:27,400 --> 00:38:30,445 They have fewer variables but not a smaller degree. 663 00:38:37,000 --> 00:38:38,488 So let's do this check. 664 00:38:38,488 --> 00:38:39,280 Let's see if that-- 665 00:38:42,820 --> 00:38:46,030 now again, this is I think I have messed up on this. 666 00:38:49,270 --> 00:38:51,880 Well, there's one of these that's-- 667 00:38:55,366 --> 00:38:57,280 I'll give it away in part. 668 00:38:57,280 --> 00:38:59,950 There's only one of them that was true anyway. 669 00:38:59,950 --> 00:39:04,090 So you can check the one that's true according 670 00:39:04,090 --> 00:39:07,000 to the way we've defined it. 671 00:39:07,000 --> 00:39:08,890 So this is a little bit of a trick question 672 00:39:08,890 --> 00:39:10,695 here, as I'll explain. 673 00:39:10,695 --> 00:39:12,070 But there's only one of them that 674 00:39:12,070 --> 00:39:15,070 faithfully does the arithmetization 675 00:39:15,070 --> 00:39:17,830 as I described on this page. 676 00:39:17,830 --> 00:39:20,910 And that's the one you should check. 677 00:39:20,910 --> 00:39:25,370 So remember, over here this is the formula. 
678 00:39:25,370 --> 00:39:29,770 This is the recipe for how I'm doing the arithmetization. 679 00:39:29,770 --> 00:39:33,020 This whole process here. 680 00:39:33,020 --> 00:39:37,360 So one of these lines, one of these, a, b, or c, 681 00:39:37,360 --> 00:39:38,470 corresponds to doing that. 682 00:39:42,622 --> 00:39:43,830 I'm going to close this down. 683 00:39:43,830 --> 00:39:45,450 So are we all in? 684 00:39:48,920 --> 00:39:50,090 Yeah. 685 00:39:50,090 --> 00:39:51,335 So a is the correct answer. 686 00:39:55,000 --> 00:39:58,930 A does the arithmetization according to the recipe 687 00:39:58,930 --> 00:40:00,430 that I just described. 688 00:40:00,430 --> 00:40:04,030 Because if you look at x1 or x2, we 689 00:40:04,030 --> 00:40:10,480 can just check it in the very first part of the polynomial. 690 00:40:10,480 --> 00:40:12,070 x1 or x2. 691 00:40:12,070 --> 00:40:15,142 Well, it's x1 plus x2 minus the product x1 x2. 692 00:40:15,142 --> 00:40:16,600 So you can just see it right there. 693 00:40:16,600 --> 00:40:19,110 The others don't have that. 694 00:40:19,110 --> 00:40:23,130 And similarly for x1 bar and x2 bar. 695 00:40:23,130 --> 00:40:25,510 It becomes 1 minus x1, 1 minus x2, 696 00:40:25,510 --> 00:40:26,760 and then the product of those. 697 00:40:29,540 --> 00:40:35,570 So a is pretty straightforward as the arithmetization of phi. 698 00:40:35,570 --> 00:40:39,020 Now, in fact, any of those would work. 699 00:40:39,020 --> 00:40:40,400 I don't want to confuse you here. 700 00:40:40,400 --> 00:40:43,010 But any of those would have worked, because they all agree 701 00:40:43,010 --> 00:40:44,612 on the Boolean assignment. 702 00:40:44,612 --> 00:40:46,070 And that's all that really matters. 703 00:40:48,810 --> 00:40:50,360 So if you have any-- 704 00:40:50,360 --> 00:40:52,430 all I care about is that they agree. 
705 00:40:52,430 --> 00:40:55,670 The formula agrees with the polynomial 706 00:40:55,670 --> 00:40:57,530 in the Boolean cases, and these all 707 00:40:57,530 --> 00:41:00,890 happen to agree on zeros and ones. 708 00:41:00,890 --> 00:41:02,330 Doesn't matter though. 709 00:41:02,330 --> 00:41:04,730 I put those there just in case you tried it 710 00:41:04,730 --> 00:41:07,250 by just substitution of zeros and ones in. 711 00:41:07,250 --> 00:41:08,990 You might have picked the wrong thing. 712 00:41:11,490 --> 00:41:11,990 OK. 713 00:41:11,990 --> 00:41:16,160 So let's take a break here, and then we 714 00:41:16,160 --> 00:41:22,250 will see about how to go about fixing the protocol 715 00:41:22,250 --> 00:41:25,130 after the break. 716 00:41:25,130 --> 00:41:26,590 All right. 717 00:41:26,590 --> 00:41:28,312 So also happy to take any questions. 718 00:41:28,312 --> 00:41:29,770 We haven't really done a whole lot. 719 00:41:29,770 --> 00:41:32,740 We basically, this has all been review 720 00:41:32,740 --> 00:41:36,070 of what we did last time. 721 00:41:36,070 --> 00:41:41,315 But let me start the timer. 722 00:41:45,260 --> 00:41:46,890 But feel free to ask questions. 723 00:41:49,460 --> 00:41:51,770 I'll tell you where we're going. 724 00:41:51,770 --> 00:41:54,830 This whole proof really comes down 725 00:41:54,830 --> 00:41:57,710 to understanding one line, which is 726 00:41:57,710 --> 00:41:59,930 going to be in the second half. 727 00:42:02,990 --> 00:42:04,490 So I'm really kind of-- 728 00:42:04,490 --> 00:42:07,070 this is all big setup here to get 729 00:42:07,070 --> 00:42:09,050 you ready to be able to understand that one. 730 00:42:09,050 --> 00:42:10,342 I'll tell you when it's coming. 731 00:42:10,342 --> 00:42:14,270 So you won't have to worry that you'll miss it. 732 00:42:14,270 --> 00:42:17,580 But that line is not easy to understand. 
733 00:42:17,580 --> 00:42:20,810 So I think it's important to get all of the framework 734 00:42:20,810 --> 00:42:27,110 and all of the context all set up for you so then you 735 00:42:27,110 --> 00:42:30,860 can understand that line and hopefully you see that line 736 00:42:30,860 --> 00:42:32,120 and understand it. 737 00:42:32,120 --> 00:42:37,535 OK, so the important fact. 738 00:42:42,230 --> 00:42:42,998 So let's go back. 739 00:42:42,998 --> 00:42:44,540 You wanted to see the important fact. 740 00:42:51,405 --> 00:42:51,905 OK. 741 00:43:01,130 --> 00:43:02,960 So this is what I was saying before. 742 00:43:08,040 --> 00:43:14,110 If I plug in Boolean values into the arithmetization, 743 00:43:14,110 --> 00:43:16,150 I get the same exact thing as I would 744 00:43:16,150 --> 00:43:19,420 have if I applied the Boolean operations before I 745 00:43:19,420 --> 00:43:22,320 did the arithmetization. 746 00:43:22,320 --> 00:43:25,400 So plus and times in the arithmetization 747 00:43:25,400 --> 00:43:30,890 give a faithful simulation of and and or according 748 00:43:30,890 --> 00:43:35,780 to these little formulas. 749 00:43:35,780 --> 00:43:38,090 That's all I'm saying with this. 750 00:43:38,090 --> 00:43:45,630 And so if I plug in Boolean values for the a's 751 00:43:45,630 --> 00:43:48,230 I get exactly the same as I would have gotten before I 752 00:43:48,230 --> 00:43:49,230 did the arithmetization. 753 00:43:49,230 --> 00:43:52,823 Because the arithmetization is a faithful simulation. 754 00:43:52,823 --> 00:43:53,990 Not sure how else to say it. 755 00:43:53,990 --> 00:43:55,940 Let's see. 756 00:43:55,940 --> 00:43:57,980 What does the or rule now-- 757 00:43:57,980 --> 00:44:01,490 why does the or rule now contain the minus ab term while 758 00:44:01,490 --> 00:44:06,170 the previous instance of arithmetization didn't? 
759 00:44:06,170 --> 00:44:08,000 Remember in the case of branching programs, 760 00:44:08,000 --> 00:44:14,080 we didn't need the minus ab term over here. 761 00:44:14,080 --> 00:44:16,740 And that was because we could argue that it was a disjoint 762 00:44:16,740 --> 00:44:20,200 or in the case of the branching programs. 763 00:44:20,200 --> 00:44:24,620 I don't want to get confusing by trying to explain why that was. 764 00:44:24,620 --> 00:44:31,290 But in that earlier case, we never took an or of two ones. 765 00:44:31,290 --> 00:44:38,160 It was an or of 0, 0 or possibly 0, 1 or possibly 1, 0. 766 00:44:38,160 --> 00:44:40,170 So therefore we never had to deal with a case 767 00:44:40,170 --> 00:44:42,600 when we had an or of a 1, 1. 768 00:44:42,600 --> 00:44:44,910 And here we can have that. 769 00:44:44,910 --> 00:44:47,730 So we have to subtract off that ab term, 770 00:44:47,730 --> 00:44:49,470 because otherwise we'd have-- 771 00:44:49,470 --> 00:44:53,110 if we just had a plus b, then the 1, 1 case, 772 00:44:53,110 --> 00:44:55,050 we would end up with a 2. 773 00:44:55,050 --> 00:44:57,150 And that would not be a faithful simulation 774 00:44:57,150 --> 00:45:02,700 of the or operation, because 1 or 1 should be just 1, not 2. 775 00:45:02,700 --> 00:45:04,785 So this is a good question here. 776 00:45:04,785 --> 00:45:06,660 Do all the numbers need to be zeros and ones? 777 00:45:06,660 --> 00:45:09,210 I'm not sure how negation would work with larger numbers. 778 00:45:12,880 --> 00:45:15,580 The negation, you just blindly follow it. 779 00:45:15,580 --> 00:45:22,810 Even though we're going to be plugging in non Boolean values, 780 00:45:22,810 --> 00:45:24,653 it's going to be 1 minus 7. 781 00:45:24,653 --> 00:45:25,945 So you're going to get minus 6. 782 00:45:25,945 --> 00:45:31,600 You have to do that mod P, mod Q, whatever that value you get. 
783 00:45:31,600 --> 00:45:35,200 But you can no longer think about it 784 00:45:35,200 --> 00:45:38,720 as negation in the former sense. 785 00:45:38,720 --> 00:45:41,410 Now it just becomes a formal thing. 786 00:45:41,410 --> 00:45:45,910 You're just plugging along doing what the polynomial says. 787 00:45:45,910 --> 00:45:47,750 Numbers are coming out. 788 00:45:47,750 --> 00:45:49,263 You think this is just nonsense. 789 00:45:49,263 --> 00:45:51,430 But the thing is it's going to have a meaning that's 790 00:45:51,430 --> 00:45:52,840 going to be useful to us. 791 00:45:52,840 --> 00:45:54,670 That's what this protocol is going to show. 792 00:45:57,410 --> 00:46:00,660 So you can't think about it as negation anymore. 793 00:46:00,660 --> 00:46:03,590 It's just negation becomes 1 minus x 794 00:46:03,590 --> 00:46:07,020 in the arithmetized world and you just 795 00:46:07,020 --> 00:46:08,810 have to live with that. 796 00:46:08,810 --> 00:46:09,380 Let's see. 797 00:46:16,210 --> 00:46:17,950 Another question here. 798 00:46:17,950 --> 00:46:21,910 If all the phi are equivalent for Boolean inputs in the check 799 00:46:21,910 --> 00:46:24,950 in, so this is back into this check in here, 800 00:46:24,950 --> 00:46:26,050 so if all of the-- 801 00:46:33,670 --> 00:46:34,570 yeah. 802 00:46:34,570 --> 00:46:38,260 So the question is if they're all equivalent in the Boolean 803 00:46:38,260 --> 00:46:42,580 case, why is only a correct? 804 00:46:42,580 --> 00:46:48,500 Because I defined P sub phi in a particular way. 805 00:46:48,500 --> 00:46:51,160 And so this was the value you got if you follow 806 00:46:51,160 --> 00:46:53,350 the way I define P sub phi. 807 00:46:53,350 --> 00:46:56,650 The others would work, they just weren't the way I defined it. 808 00:47:01,948 --> 00:47:02,990 Any other questions here? 809 00:47:02,990 --> 00:47:05,450 We should probably move on. 810 00:47:05,450 --> 00:47:07,490 Can arithmetization be used in other contexts? 
811 00:47:13,240 --> 00:47:15,380 Offhand, I don't know. 812 00:47:15,380 --> 00:47:17,660 There are these two cases where arithmetization works. 813 00:47:17,660 --> 00:47:21,350 Whether there are other cases too, I'm actually not sure. 814 00:47:21,350 --> 00:47:23,850 OK, so let's move on. 815 00:47:23,850 --> 00:47:31,180 So our timer is up. 816 00:47:31,180 --> 00:47:33,440 The candle has burned down. 817 00:47:33,440 --> 00:47:33,940 OK. 818 00:47:33,940 --> 00:47:35,680 So this was-- 819 00:47:35,680 --> 00:47:37,540 OK, here we go. 820 00:47:37,540 --> 00:47:38,820 This is the real protocol. 821 00:47:42,440 --> 00:47:45,730 So I'm going to present it to you the way I did before. 822 00:47:45,730 --> 00:47:47,740 Let's think about it with the case 823 00:47:47,740 --> 00:47:50,470 first where the input is in the language 824 00:47:50,470 --> 00:47:51,750 and we have an honest prover. 825 00:47:55,810 --> 00:48:00,140 So we start off the same way. 826 00:48:00,140 --> 00:48:06,200 The prover sends phi, sends number phi. 827 00:48:06,200 --> 00:48:07,747 Which in the old sense was the number 828 00:48:07,747 --> 00:48:08,830 of satisfying assignments. 829 00:48:08,830 --> 00:48:11,820 It actually still is, because since we're not 830 00:48:11,820 --> 00:48:15,890 presetting anything, there's no non Booleans in the picture 831 00:48:15,890 --> 00:48:16,390 yet. 832 00:48:16,390 --> 00:48:18,730 So this is going to be the same value as before. 833 00:48:18,730 --> 00:48:21,610 The verifier checks that k equals number phi. 834 00:48:21,610 --> 00:48:24,250 So that's why we have to have a big enough field there, 835 00:48:24,250 --> 00:48:27,370 so that we can represent numbers up 836 00:48:27,370 --> 00:48:30,380 to the number of potential number of satisfying 837 00:48:30,380 --> 00:48:30,880 assignments. 838 00:48:30,880 --> 00:48:33,010 But that's a side note. 839 00:48:33,010 --> 00:48:36,230 But anyway, this is exactly what we did before. 
840 00:48:36,230 --> 00:48:37,830 No change. 841 00:48:37,830 --> 00:48:40,140 The number of satisfying assignments if you like. 842 00:48:40,140 --> 00:48:41,100 Now, let's just see. 843 00:48:41,100 --> 00:48:42,090 Let's remember. 844 00:48:42,090 --> 00:48:44,760 And this is one of those cases where not having 845 00:48:44,760 --> 00:48:47,580 a big blackboard hampers us. 846 00:48:47,580 --> 00:48:50,280 So I'm just going to remind you what we did last time. 847 00:48:50,280 --> 00:48:51,880 But I'm going to change this. 848 00:48:51,880 --> 00:48:55,110 So remember before P sent-- 849 00:48:55,110 --> 00:48:57,030 and unpacked at one level. 850 00:48:57,030 --> 00:48:59,640 Sent the number of satisfying assignments 851 00:48:59,640 --> 00:49:03,360 said number phi of 0 and number phi of 1. 852 00:49:03,360 --> 00:49:05,970 And then we did that check to justify 853 00:49:05,970 --> 00:49:08,545 the previous value, which the verifier doesn't necessarily 854 00:49:08,545 --> 00:49:09,045 trust. 855 00:49:11,640 --> 00:49:12,810 OK. 856 00:49:12,810 --> 00:49:14,640 Fasten your seatbelts, everybody. 857 00:49:14,640 --> 00:49:18,150 This is the whole proof in the next line. 858 00:49:21,630 --> 00:49:22,545 But it's a doozy. 859 00:49:26,960 --> 00:49:29,930 All right. 860 00:49:29,930 --> 00:49:37,670 P is going to send phi of z as a polynomial in z. 861 00:49:37,670 --> 00:49:40,070 It's going to send just a single object. 862 00:49:40,070 --> 00:49:42,290 But that object is an entire polynomial. 863 00:49:44,910 --> 00:49:46,410 And the way it's going to send that 864 00:49:46,410 --> 00:49:51,180 is by sending the coefficients of that polynomial. 865 00:49:51,180 --> 00:50:02,050 So let's digest that statement. 866 00:50:02,050 --> 00:50:08,210 So first of all, let's understand 867 00:50:08,210 --> 00:50:09,510 the value of doing that. 
868 00:50:09,510 --> 00:50:13,070 So if I can send the entire polynomial phi 869 00:50:13,070 --> 00:50:17,320 sub z represented as a polynomial, 870 00:50:17,320 --> 00:50:21,715 I can plug in 0 and 1 into that polynomial 871 00:50:21,715 --> 00:50:24,340 and allow the verifier to do the check 872 00:50:24,340 --> 00:50:32,600 that it needs to do to demonstrate 873 00:50:32,600 --> 00:50:36,540 that number phi is correct. 874 00:50:36,540 --> 00:50:40,940 So it's going to check that number phi is number phi of 0 875 00:50:40,940 --> 00:50:43,220 plus number phi of 1. 876 00:50:43,220 --> 00:50:45,290 But instead of getting those values directly 877 00:50:45,290 --> 00:50:48,890 from the prover, it's going to take that polynomial it got 878 00:50:48,890 --> 00:50:51,980 and evaluate that polynomial at 0 and 1. 879 00:50:56,040 --> 00:50:59,840 And just to remember, let's go back 880 00:50:59,840 --> 00:51:03,200 and remember how we defined-- 881 00:51:03,200 --> 00:51:06,620 defined number phi to make sure that we 882 00:51:06,620 --> 00:51:11,580 understand what it means to have a polynomial here. 883 00:51:11,580 --> 00:51:16,710 So remember, here we're just taking the very first value. 884 00:51:16,710 --> 00:51:19,380 But you are OK with putting a constant 0 or 1 885 00:51:19,380 --> 00:51:24,240 and then adding up over all possible extensions, 886 00:51:24,240 --> 00:51:27,990 all possible Boolean extensions to that. 887 00:51:27,990 --> 00:51:32,880 And maybe it's OK to put in a non Boolean value here, like 7. 888 00:51:32,880 --> 00:51:34,800 And then you take the remaining variables 889 00:51:34,800 --> 00:51:37,350 and assign them zeros and ones in all possibilities 890 00:51:37,350 --> 00:51:38,820 and add it up. 891 00:51:38,820 --> 00:51:41,010 Now I'm going to do something even a little wilder. 892 00:51:41,010 --> 00:51:45,190 I'm going to put in a variable for a1. 893 00:51:45,190 --> 00:51:51,560 Some symbolic, if you want, symbolic value. 
894 00:51:51,560 --> 00:51:54,070 So I'm going to put in a value z for a1. 895 00:51:54,070 --> 00:51:56,920 So now I plug in z for a1 here. 896 00:51:56,920 --> 00:52:00,370 And a2 through am are going to be zeros and ones 897 00:52:00,370 --> 00:52:02,710 in all possible ways. 898 00:52:02,710 --> 00:52:05,280 So I just get a polynomial in z. 899 00:52:05,280 --> 00:52:08,580 The other variables get assigned and added up 900 00:52:08,580 --> 00:52:10,710 over the various Boolean assignments. 901 00:52:10,710 --> 00:52:12,510 And now I get some polynomial. 902 00:52:12,510 --> 00:52:14,880 So I get some expression in z. 903 00:52:14,880 --> 00:52:17,310 That's just going to be a single variable polynomial. 904 00:52:21,348 --> 00:52:22,640 Whose degree is it going to be? 905 00:52:22,640 --> 00:52:26,940 At most the degree of number phi. 906 00:52:26,940 --> 00:52:28,740 So degree is not going to be too big. 907 00:52:32,470 --> 00:52:34,440 So it sends the coefficients so the degree 908 00:52:34,440 --> 00:52:35,512 of that is not too big. 909 00:52:35,512 --> 00:52:37,470 So there are not too many coefficients to send. 910 00:52:43,140 --> 00:52:45,180 So the coefficients are in terms of the xi's. 911 00:52:45,180 --> 00:52:45,690 No. 912 00:52:45,690 --> 00:52:47,898 I'm not sure what the mean-- the coefficients are not 913 00:52:47,898 --> 00:52:50,760 in terms-- the xi's are gone at this point. 914 00:52:50,760 --> 00:52:54,000 The xi's, we've added up the xi's 915 00:52:54,000 --> 00:52:56,790 being assigned to zeros and ones in all possible ways. 916 00:52:59,608 --> 00:53:01,150 So there are no other variables left. 917 00:53:01,150 --> 00:53:04,290 There's only z. 918 00:53:04,290 --> 00:53:07,020 So I'm going to do the same protocol in a more 919 00:53:07,020 --> 00:53:09,730 pictorial way in a minute. 920 00:53:09,730 --> 00:53:12,150 So you're going to see this whole thing twice. 921 00:53:12,150 --> 00:53:13,650 But try to get it. 
922 00:53:13,650 --> 00:53:15,150 You'll have two chances to get this. 923 00:53:15,150 --> 00:53:17,160 Try to get it. 924 00:53:17,160 --> 00:53:18,150 Try hard each time. 925 00:53:20,880 --> 00:53:23,660 So I've got send phi of z as a polynomial in z. 926 00:53:23,660 --> 00:53:26,240 Now, that's going to be enough for me to figure out 927 00:53:26,240 --> 00:53:29,180 what number phi of 0 and number phi of 1 928 00:53:29,180 --> 00:53:33,710 is, because I plug it in for 0 and 1 for z. 929 00:53:33,710 --> 00:53:37,880 But now I can figure out what number phi of 2 930 00:53:37,880 --> 00:53:41,660 is also, because I can plug 2 in for z or number phi of 7. 931 00:53:41,660 --> 00:53:42,970 I plug 7 in for z. 932 00:53:45,810 --> 00:53:49,420 So let's stop here and see are there other questions. 933 00:53:49,420 --> 00:53:54,110 So is the size of number phi-- 934 00:53:54,110 --> 00:53:56,660 I don't understand. 935 00:53:56,660 --> 00:53:59,300 This question about the size of number phi. 936 00:53:59,300 --> 00:54:01,280 Is it 2 to the m? 937 00:54:01,280 --> 00:54:06,830 No, it's not 2 to the m, because the degree of that polynomial, 938 00:54:06,830 --> 00:54:12,480 number phi of z, I mean, it's a very large expression 939 00:54:12,480 --> 00:54:15,720 if you want to initially-- yes, it's going 940 00:54:15,720 --> 00:54:17,250 to be an exponentially big sum. 941 00:54:17,250 --> 00:54:20,940 But the prover adds it all up for you, 942 00:54:20,940 --> 00:54:24,810 and you're just going to have at most a small number 943 00:54:24,810 --> 00:54:27,600 of coefficients, because the polynomial is only 944 00:54:27,600 --> 00:54:29,130 of a certain degree. 945 00:54:29,130 --> 00:54:33,030 And a polynomial in one variable of degree d 946 00:54:33,030 --> 00:54:35,820 has at most d or d plus 1 coefficients to worry about. 947 00:54:35,820 --> 00:54:40,460 So it's not that many coefficients as an expression.
948 00:54:40,460 --> 00:54:44,920 So shouldn't the summation take 2 to the m time? 949 00:54:44,920 --> 00:54:46,630 I'm not caring about the prover's time. 950 00:54:46,630 --> 00:54:48,830 The prover has a lot of work to do. 951 00:54:48,830 --> 00:54:52,600 But the prover sends phi of z. 952 00:54:52,600 --> 00:54:58,070 So yes, the prover has an exponential job. 953 00:54:58,070 --> 00:54:59,230 I don't care. 954 00:54:59,230 --> 00:55:02,728 The verifier needs to be able to check it in polynomial time. 955 00:55:02,728 --> 00:55:05,020 And that checking is going to, well, we'll have to see. 956 00:55:05,020 --> 00:55:08,860 How does the verifier know that that polynomial is right? 957 00:55:08,860 --> 00:55:11,200 That's a question maybe you should be asking. 958 00:55:17,270 --> 00:55:17,900 Yeah. 959 00:55:17,900 --> 00:55:19,610 I'm getting lots of questions about how much time 960 00:55:19,610 --> 00:55:20,420 the prover needs to take. 961 00:55:20,420 --> 00:55:22,878 Yeah, the prover is going to have to spend exponential time 962 00:55:22,878 --> 00:55:24,480 to figure out that polynomial. 963 00:55:24,480 --> 00:55:25,767 That's all right. 964 00:55:25,767 --> 00:55:27,350 We don't care about the prover's time. 965 00:55:32,470 --> 00:55:33,400 Yeah. 966 00:55:33,400 --> 00:55:36,108 So the summation here is going to be adding up polynomials. 967 00:55:36,108 --> 00:55:36,775 That is correct. 968 00:55:40,540 --> 00:55:42,970 I'm happy to spend time, because really here this 969 00:55:42,970 --> 00:55:44,202 is the whole proof. 970 00:55:44,202 --> 00:55:45,160 You have to understand. 971 00:55:45,160 --> 00:55:47,260 Well, we have to understand why this works. 
972 00:55:47,260 --> 00:55:51,290 But we kind of understand half of it, 973 00:55:51,290 --> 00:55:57,530 because knowing that polynomial is enough to-- 974 00:55:57,530 --> 00:56:02,270 if you could certify that that was the correct polynomial 975 00:56:02,270 --> 00:56:07,760 for number phi of z, then we can use that polynomial 976 00:56:07,760 --> 00:56:12,130 to confirm the previous value, what number phi was, 977 00:56:12,130 --> 00:56:14,980 because you just plug in zeros and ones for z, 978 00:56:14,980 --> 00:56:15,970 and you add it up. 979 00:56:19,150 --> 00:56:20,978 But now how are we going to justify 980 00:56:20,978 --> 00:56:22,270 that the polynomial is correct? 981 00:56:22,270 --> 00:56:23,978 Because this looks like even a worse job. 982 00:56:23,978 --> 00:56:25,780 Now we have a whole bunch of coefficients 983 00:56:25,780 --> 00:56:27,770 and have to make sure all of those coefficients are right. 984 00:56:27,770 --> 00:56:29,230 And so instead of just two values, 985 00:56:29,230 --> 00:56:33,050 now we have d values where d is the degree of that polynomial, 986 00:56:33,050 --> 00:56:36,770 which could be at most the length of the formula. 987 00:56:42,280 --> 00:56:44,260 So here is the next idea. 988 00:56:47,930 --> 00:56:51,520 So the prover needs to show that phi of z is correct. 989 00:56:57,130 --> 00:57:01,150 The way it's going to do that, so even before we do that, 990 00:57:01,150 --> 00:57:06,940 so phi of z is going to be some polynomial. 991 00:57:06,940 --> 00:57:09,580 Now, the prover may be lying, may be 992 00:57:09,580 --> 00:57:11,290 sending the wrong polynomial. 993 00:57:15,490 --> 00:57:17,730 How does the prover convince the verifier 994 00:57:17,730 --> 00:57:22,830 that the polynomial is the right polynomial? 995 00:57:22,830 --> 00:57:24,960 Well, that seems like a tough job. 
996 00:57:24,960 --> 00:57:28,450 So what it's going to do is remember that the-- 997 00:57:32,930 --> 00:57:37,760 so there is a correct polynomial that you 998 00:57:37,760 --> 00:57:39,860 would get by plugging in to this expression 999 00:57:39,860 --> 00:57:41,400 for the correct value. 1000 00:57:41,400 --> 00:57:43,220 So there's some correct polynomial. 1001 00:57:43,220 --> 00:57:48,830 The prover may be sending some incorrect polynomial. 1002 00:57:48,830 --> 00:57:51,460 So now we have the correct polynomial and the possibly 1003 00:57:51,460 --> 00:57:54,010 incorrect polynomial. 1004 00:57:54,010 --> 00:57:57,130 And the point is those two can only 1005 00:57:57,130 --> 00:57:59,650 agree in a small number of places 1006 00:57:59,650 --> 00:58:05,110 by that fact we proved a couple of lectures back regarding 1007 00:58:05,110 --> 00:58:06,560 polynomials. 1008 00:58:06,560 --> 00:58:10,840 So two different polynomials can agree only rarely. 1009 00:58:10,840 --> 00:58:12,790 So what we're going to do, the way 1010 00:58:12,790 --> 00:58:15,670 the prover is going to justify that this polynomial was 1011 00:58:15,670 --> 00:58:21,210 the correct one, is by evaluating it at a random place 1012 00:58:21,210 --> 00:58:24,150 and then demonstrating that that value you get 1013 00:58:24,150 --> 00:58:27,800 is a correct value. 1014 00:58:27,800 --> 00:58:32,410 If the polynomial was the wrong polynomial, 1015 00:58:32,410 --> 00:58:34,990 then evaluating it at a random place 1016 00:58:34,990 --> 00:58:38,560 is probably going to disagree with the correct polynomial 1017 00:58:38,560 --> 00:58:40,810 at that place, because they can only agree rarely. 
1018 00:58:43,780 --> 00:58:46,780 So the prover is going to demonstrate that 1019 00:58:46,780 --> 00:58:52,720 by evaluating that polynomial at a random place, that value you 1020 00:58:52,720 --> 00:58:54,730 get is going to be the correct value, 1021 00:58:54,730 --> 00:58:57,740 and it's going to continue to do that in the way, 1022 00:58:57,740 --> 00:59:00,613 using the same protocol, as we'll see. 1023 00:59:00,613 --> 00:59:01,780 So that's where we're going. 1024 00:59:01,780 --> 00:59:04,950 So in order to show that phi of z is correct, 1025 00:59:04,950 --> 00:59:09,150 the verifier now gets to pick a random value in the field. 1026 00:59:09,150 --> 00:59:13,230 And the prover is going to show that evaluating that polynomial 1027 00:59:13,230 --> 00:59:16,590 at r1 is correct. 1028 00:59:16,590 --> 00:59:19,530 Remember this looks a lot like what we had from before 1029 00:59:19,530 --> 00:59:23,310 where we were showing that number phi of 0 is correct 1030 00:59:23,310 --> 00:59:25,210 and number phi of 1 is correct. 1031 00:59:25,210 --> 00:59:27,570 Now we're trying to show that number phi of r1, 1032 00:59:27,570 --> 00:59:31,870 this random value from the field is correct. 1033 00:59:31,870 --> 00:59:34,530 So the way we're going to do that is now 1034 00:59:34,530 --> 00:59:40,380 by unpacking it one level down. 1035 00:59:40,380 --> 00:59:46,590 And we're going to be using that identity, because this value 1036 00:59:46,590 --> 00:59:51,270 here is going to be equal to number phi of r1 comma 1037 00:59:51,270 --> 00:59:55,500 0 plus number phi of r1 comma 1. 1038 00:59:55,500 --> 00:59:57,340 But we don't want to send both of those. 1039 00:59:57,340 --> 00:59:59,130 So we're going to send them combined 1040 00:59:59,130 --> 01:00:04,080 into a polynomial of number phi of r1 of z 1041 01:00:04,080 --> 01:00:05,340 as a polynomial in z. 1042 01:00:05,340 --> 01:00:09,350 This is a new polynomial in z. 
1043 01:00:09,350 --> 01:00:13,370 So now if you understood the previous line, 1044 01:00:13,370 --> 01:00:16,380 then hopefully this one won't be too hard to swallow. 1045 01:00:16,380 --> 01:00:24,190 Because now we're going to check the identity, but here 1046 01:00:24,190 --> 01:00:29,200 by evaluating the polynomial again but one level 1047 01:00:29,200 --> 01:00:31,980 at the next level. 1048 01:00:31,980 --> 01:00:39,060 So this is perhaps a good place to take questions, 1049 01:00:39,060 --> 01:00:40,660 because this is the-- 1050 01:00:40,660 --> 01:00:44,490 this is really what I spent all the time setting things up 1051 01:00:44,490 --> 01:00:47,910 for so that you would be ready to get this thing hopefully 1052 01:00:47,910 --> 01:00:49,280 without-- 1053 01:00:49,280 --> 01:00:51,770 and hopefully be able to appreciate it 1054 01:00:51,770 --> 01:00:52,520 and understand it. 1055 01:01:01,970 --> 01:01:03,710 So I'm not getting questions. 1056 01:01:03,710 --> 01:01:05,310 Let's move on a little further. 1057 01:01:05,310 --> 01:01:11,140 So now again, the prover had sent 1058 01:01:11,140 --> 01:01:15,520 this polynomial in stage two. 1059 01:01:18,370 --> 01:01:20,230 Now the verifier needs to be sure 1060 01:01:20,230 --> 01:01:21,860 that that polynomial is correct. 1061 01:01:21,860 --> 01:01:27,370 So it's going to evaluate that new polynomial 1062 01:01:27,370 --> 01:01:28,660 at a random location. 1063 01:01:31,790 --> 01:01:37,050 So by picking a random value r2 in the field. 1064 01:01:37,050 --> 01:01:42,970 And now we need to show that this value is correct, 1065 01:01:42,970 --> 01:01:46,330 because if that polynomial had been the wrong polynomial, 1066 01:01:46,330 --> 01:01:48,970 it disagreed with the correct polynomial almost everywhere. 1067 01:01:48,970 --> 01:01:51,280 And by picking a random place, it's 1068 01:01:51,280 --> 01:01:56,060 probably not going to be the right value and so on. 
1069 01:01:56,060 --> 01:02:06,960 Until we get to the end where we have almost all of the values 1070 01:02:06,960 --> 01:02:11,220 have been picked, and so we have one last value 1071 01:02:11,220 --> 01:02:12,870 to select a 0 and 1. 1072 01:02:12,870 --> 01:02:15,660 This corresponds to the n-th. 1073 01:02:15,660 --> 01:02:20,310 It would be great if I could put both pictures on your screen, 1074 01:02:20,310 --> 01:02:22,140 but I can't. 1075 01:02:22,140 --> 01:02:23,730 So this very much corresponds to what 1076 01:02:23,730 --> 01:02:25,920 happened in the exponential protocol 1077 01:02:25,920 --> 01:02:32,100 but just along sort of this arithmetization single path. 1078 01:02:32,100 --> 01:02:38,120 So it checks that the previous value 1079 01:02:38,120 --> 01:02:42,260 is correct in terms of expanding it with 0 and 1. 1080 01:02:42,260 --> 01:02:45,710 But again, the 0 and 1 comes from evaluating the polynomial. 1081 01:02:49,040 --> 01:02:52,060 And now the verifier needs to be convinced 1082 01:02:52,060 --> 01:02:54,670 that that polynomial was right. 1083 01:02:54,670 --> 01:02:57,160 So it picks a random value, but now it 1084 01:02:57,160 --> 01:02:59,200 doesn't rely on the prover anymore. 1085 01:02:59,200 --> 01:03:10,950 It's going to see whether that assignment that it gets 1086 01:03:10,950 --> 01:03:14,950 by evaluating the polynomial with that random value rn 1087 01:03:14,950 --> 01:03:18,510 plugged in is the same as what I get by evaluating 1088 01:03:18,510 --> 01:03:22,820 the polynomial for the formula itself 1089 01:03:22,820 --> 01:03:25,850 that the verifier can do directly. 1090 01:03:25,850 --> 01:03:30,050 Because this is now a polynomial now just plugging 1091 01:03:30,050 --> 01:03:32,270 into the formula and using the arithmetization 1092 01:03:32,270 --> 01:03:33,110 to get a value out. 1093 01:03:36,350 --> 01:03:39,290 So this was the last line of the identity. 
1094 01:03:42,740 --> 01:03:45,000 We had those two identities. 1095 01:03:45,000 --> 01:03:47,107 So this is the second identity. 1096 01:03:47,107 --> 01:03:48,815 And we had to check that this is correct. 1097 01:03:52,530 --> 01:03:54,735 So I'm going to show this to you in a picture. 1098 01:03:58,760 --> 01:04:02,880 Not sure it'll help if you're confused. 1099 01:04:02,880 --> 01:04:05,430 But why don't we take some questions on this? 1100 01:04:05,430 --> 01:04:07,410 So as I said, I'm going to give you 1101 01:04:07,410 --> 01:04:09,780 two chances to understand this. 1102 01:04:09,780 --> 01:04:11,790 Because I know it's tough. 1103 01:04:11,790 --> 01:04:13,980 Especially with the constraints of Zoom, 1104 01:04:13,980 --> 01:04:16,680 this is a particularly challenging idea to explain. 1105 01:04:21,510 --> 01:04:22,680 OK, so let's see. 1106 01:04:22,680 --> 01:04:26,790 So the benefit of this approach is that the prover only 1107 01:04:26,790 --> 01:04:29,490 sends one item for each depth level instead 1108 01:04:29,490 --> 01:04:30,390 of multiple items. 1109 01:04:30,390 --> 01:04:31,290 That's right. 1110 01:04:31,290 --> 01:04:35,280 But that one item is the polynomial. 1111 01:04:35,280 --> 01:04:40,700 So that captures all of the values for the entire field. 1112 01:04:40,700 --> 01:04:43,880 But taking advantage of the arithmetization, 1113 01:04:43,880 --> 01:04:48,860 that one polynomial has a lot of information in it. 1114 01:04:48,860 --> 01:04:50,780 And what's nice is that you can check 1115 01:04:50,780 --> 01:04:53,510 that polynomial by just evaluating it at one 1116 01:04:53,510 --> 01:04:54,293 random place. 1117 01:04:54,293 --> 01:04:56,210 You can check that that polynomial is correct. 1118 01:05:09,310 --> 01:05:11,860 So I'm getting another question here. 1119 01:05:11,860 --> 01:05:14,150 Where does this come from here? 1120 01:05:14,150 --> 01:05:16,010 V checks that this here. 
1121 01:05:16,010 --> 01:05:18,580 So this where does this-- 1122 01:05:18,580 --> 01:05:20,860 so you have to look-- to understand where 1123 01:05:20,860 --> 01:05:23,720 this is coming from, you have to-- we're at the n-th round 1124 01:05:23,720 --> 01:05:24,220 now. 1125 01:05:24,220 --> 01:05:26,320 So you have to look back like at round two. 1126 01:05:26,320 --> 01:05:30,700 V has to check that phi of r1, which 1127 01:05:30,700 --> 01:05:34,510 comes from the end of the first round. 1128 01:05:34,510 --> 01:05:36,820 So this checks that this phi of r1 1129 01:05:36,820 --> 01:05:42,610 is correct because that was how we justified the polynomial 1130 01:05:42,610 --> 01:05:44,580 with just a single variable. 1131 01:05:44,580 --> 01:05:48,860 The very first polynomial was correct. 1132 01:05:48,860 --> 01:05:50,710 A little hard to say. 1133 01:05:50,710 --> 01:05:54,520 But this comes from the previous round, this guy here. 1134 01:06:00,230 --> 01:06:02,600 So this is the polynomial for the current round. 1135 01:06:02,600 --> 01:06:06,410 This is the value from the previous round. 1136 01:06:06,410 --> 01:06:07,850 All right. 1137 01:06:07,850 --> 01:06:08,840 More questions. 1138 01:06:17,060 --> 01:06:18,972 So why doesn't this run in exponential time? 1139 01:06:18,972 --> 01:06:20,180 Another question I'm getting. 1140 01:06:20,180 --> 01:06:22,280 Doesn't V need to check twice at each layer? 1141 01:06:22,280 --> 01:06:24,650 Yes. 1142 01:06:24,650 --> 01:06:26,420 The verifier needs to check-- 1143 01:06:29,580 --> 01:06:31,920 gets two values, but those two values 1144 01:06:31,920 --> 01:06:36,040 come from the one polynomial. 1145 01:06:36,040 --> 01:06:38,820 So there's no blow up anymore. 1146 01:06:38,820 --> 01:06:39,528 Those two values. 1147 01:06:39,528 --> 01:06:41,945 Maybe you'll see it in the picture that I'm going to show. 1148 01:06:41,945 --> 01:06:43,680 So maybe just hold that question. 
1149 01:06:43,680 --> 01:06:45,915 Maybe this will become clearer in the diagram. 1150 01:06:52,717 --> 01:06:53,550 So another question. 1151 01:06:53,550 --> 01:06:56,850 Does this work because the polynomial kind of encodes 1152 01:06:56,850 --> 01:06:59,080 all the possible values together? 1153 01:06:59,080 --> 01:07:01,080 I think that's sort of true. 1154 01:07:01,080 --> 01:07:03,810 It sort of mixes them all together into one object. 1155 01:07:03,810 --> 01:07:05,620 Then you have to check that one object, 1156 01:07:05,620 --> 01:07:08,040 which can be done with this sort of random probing of it. 1157 01:07:17,770 --> 01:07:20,020 So this is another good question that we'll see 1158 01:07:20,020 --> 01:07:21,430 explained in the next slide. 1159 01:07:24,040 --> 01:07:25,960 So similarly in attempt one, the prover 1160 01:07:25,960 --> 01:07:31,480 can keep lying by picking polynomials 1161 01:07:31,480 --> 01:07:33,460 by continuing to pick polynomials, 1162 01:07:33,460 --> 01:07:35,320 by lying about the polynomials. 1163 01:07:35,320 --> 01:07:38,788 But eventually it's going to get caught, because this value is 1164 01:07:38,788 --> 01:07:39,955 going to be the wrong value. 1165 01:07:42,490 --> 01:07:45,160 If the polynomial in the previous stage and the m 1166 01:07:45,160 --> 01:07:46,750 minus-- 1167 01:07:46,750 --> 01:07:49,900 if a polynomial that the prover sent in the m stage 1168 01:07:49,900 --> 01:07:53,200 is the wrong polynomial, then you evaluate it, 1169 01:07:53,200 --> 01:07:57,670 you're going to get the wrong value probably. 1170 01:07:57,670 --> 01:07:59,860 And so then that wrong value is not 1171 01:07:59,860 --> 01:08:02,620 going to match the correct value, which 1172 01:08:02,620 --> 01:08:06,670 is you can read off yourself by reading the formula. 1173 01:08:06,670 --> 01:08:08,560 I think we need to move on to the next slide. 1174 01:08:12,090 --> 01:08:13,960 All right. 
1175 01:08:13,960 --> 01:08:19,330 So same proof, version two, but looks different. 1176 01:08:19,330 --> 01:08:20,680 Again, the input is that. 1177 01:08:20,680 --> 01:08:22,720 Here is what the prover sends. 1178 01:08:22,720 --> 01:08:24,790 Here is what the verifier sends. 1179 01:08:24,790 --> 01:08:31,149 I'm going to sort of whimsically design this as a telephone chat 1180 01:08:31,149 --> 01:08:35,229 where they're sending each other messages through messaging. 1181 01:08:35,229 --> 01:08:40,450 So the prover sends the number phi to start off with. 1182 01:08:40,450 --> 01:08:42,380 And then off on the side, these are the checks 1183 01:08:42,380 --> 01:08:45,160 that the verifier is going to be doing. 1184 01:08:45,160 --> 01:08:48,540 So here in our first round of the chat, 1185 01:08:48,540 --> 01:08:51,750 the prover is going to send phi of z. 1186 01:08:51,750 --> 01:08:55,979 Remember this is just a polynomial 1187 01:08:55,979 --> 01:08:58,120 in not too many coefficients. 1188 01:08:58,120 --> 01:09:01,380 So it's a polynomial in one variable. 1189 01:09:01,380 --> 01:09:02,319 The degree is small. 1190 01:09:02,319 --> 01:09:04,960 So there are not too many coefficients here. 1191 01:09:04,960 --> 01:09:09,090 So this is just pretending this is what it might look like. 1192 01:09:09,090 --> 01:09:15,430 So from that polynomial, the verifier can plug in 0 and 1 1193 01:09:15,430 --> 01:09:16,870 and see that that adds up. 1194 01:09:19,899 --> 01:09:23,140 Now the verifier, to check that this polynomial is correct, 1195 01:09:23,140 --> 01:09:26,290 it picks a random value to evaluate this polynomial on. 1196 01:09:29,220 --> 01:09:31,740 And so now it's going to have to check that this is correct. 1197 01:09:31,740 --> 01:09:32,907 So this is nothing to check. 1198 01:09:32,907 --> 01:09:37,520 You're just writing this down in anticipation of the next check. 
1199 01:09:37,520 --> 01:09:44,470 Now, the prover to justify that this value is right, 1200 01:09:44,470 --> 01:09:50,700 that this polynomial is right, so we evaluate-- 1201 01:09:50,700 --> 01:09:55,800 the prover in order to check that this value is right 1202 01:09:55,800 --> 01:10:01,260 is going to send the polynomial for the next level. 1203 01:10:01,260 --> 01:10:05,550 Now, we can from that, we can plug in 0 and 1 for z. 1204 01:10:05,550 --> 01:10:08,250 See if that adds up. 1205 01:10:08,250 --> 01:10:12,090 And now to be sure that this polynomial is right, 1206 01:10:12,090 --> 01:10:17,800 we evaluate it at a random place, calculate that value, 1207 01:10:17,800 --> 01:10:28,330 and then have to see that this value is correct. 1208 01:10:28,330 --> 01:10:31,330 So now we expand to one level further. 1209 01:10:31,330 --> 01:10:35,330 We take a polynomial for the next variable. 1210 01:10:35,330 --> 01:10:37,720 And we see that adds up. 1211 01:10:37,720 --> 01:10:44,060 OK, I'm not sure whether this is helping or not. 1212 01:10:44,060 --> 01:10:45,970 But we keep doing that until we get 1213 01:10:45,970 --> 01:10:50,970 to the very last round with a prover sending a polynomial. 1214 01:10:50,970 --> 01:10:54,210 Make sure that this adds up correctly. 1215 01:10:54,210 --> 01:10:58,840 And the verifier to see that this polynomial is right 1216 01:10:58,840 --> 01:11:05,260 picks a random value and evaluates it and now checks 1217 01:11:05,260 --> 01:11:07,690 that this agrees with the formula. 1218 01:11:07,690 --> 01:11:10,190 Because we've now assigned all of the variables. 1219 01:11:10,190 --> 01:11:13,870 And then we can check this number phi directly 1220 01:11:13,870 --> 01:11:19,120 in terms of the phi, because they have to agree. 1221 01:11:19,120 --> 01:11:22,310 And so the verifier would accept if everything checks out. 1222 01:11:22,310 --> 01:11:23,600 Let's see what happens. 
1223 01:11:23,600 --> 01:11:25,810 So this answer will answer some questions. 1224 01:11:29,400 --> 01:11:36,120 Why don't I walk through what happens if the input was wrong. 1225 01:11:36,120 --> 01:11:41,160 And we'll see how the verifier is 1226 01:11:41,160 --> 01:11:44,280 likely to catch the prover but not guaranteed to catch 1227 01:11:44,280 --> 01:11:45,285 the prover in this case. 1228 01:11:48,540 --> 01:11:50,990 So if k was correct, the verifier 1229 01:11:50,990 --> 01:11:53,000 will accept with the honest prover. 1230 01:11:53,000 --> 01:11:55,740 But if k was wrong, so I'm going to, 1231 01:11:55,740 --> 01:11:57,900 again, indicate the wrong values in red. 1232 01:12:00,510 --> 01:12:03,210 I want to show you that the verifier is almost certainly 1233 01:12:03,210 --> 01:12:07,370 going to accept but not guaranteed. 1234 01:12:07,370 --> 01:12:11,170 So did I say that wrong? 1235 01:12:11,170 --> 01:12:14,558 So if k is wrong, the verifier is going to probably reject, 1236 01:12:14,558 --> 01:12:15,975 but it's not guaranteed to reject. 1237 01:12:18,800 --> 01:12:22,810 So first of all, if the prover does not lie, 1238 01:12:22,810 --> 01:12:25,080 does not send the wrong value for number phi, 1239 01:12:25,080 --> 01:12:26,830 the verifier is certainly going to reject, 1240 01:12:26,830 --> 01:12:28,960 because it's not going to get any equality there. 1241 01:12:31,540 --> 01:12:34,010 So the prover has to lie. 1242 01:12:34,010 --> 01:12:39,530 Say if k was 99 but the real value was 1243 01:12:39,530 --> 01:12:42,830 100, the prover if it says 100, the verifier's 1244 01:12:42,830 --> 01:12:44,040 going to reject immediately. 1245 01:12:44,040 --> 01:12:47,390 So the prover's going to say, well, 1246 01:12:47,390 --> 01:12:53,990 let's see what the prover can do to make the verifier hopefully 1247 01:12:53,990 --> 01:12:56,310 accept from the prover's standpoint. 1248 01:12:56,310 --> 01:12:58,250 So the prover is going to send 99.
1249 01:12:58,250 --> 01:13:01,100 Well, the verifier says, OK, 99, fine. 1250 01:13:01,100 --> 01:13:01,910 Convince me. 1251 01:13:01,910 --> 01:13:06,290 So the prover-- now one of these two is going to be wrong. 1252 01:13:08,860 --> 01:13:11,110 Because the two correct values can't add up 1253 01:13:11,110 --> 01:13:12,170 to the wrong value. 1254 01:13:12,170 --> 01:13:13,240 So one of these is wrong. 1255 01:13:13,240 --> 01:13:17,820 So that means the prover had to send the wrong polynomial. 1256 01:13:17,820 --> 01:13:20,940 Because the correct polynomial would evaluate the correct 1257 01:13:20,940 --> 01:13:21,580 answers here. 1258 01:13:21,580 --> 01:13:24,130 So the prover had to send the wrong polynomial. 1259 01:13:24,130 --> 01:13:26,820 So now when we evaluate it at a random place, 1260 01:13:26,820 --> 01:13:30,860 chances are this is going to be the wrong-- this is not 1261 01:13:30,860 --> 01:13:33,360 going to be the same value that the correct polynomial would 1262 01:13:33,360 --> 01:13:35,330 have given you. 1263 01:13:35,330 --> 01:13:37,850 The prover could get lucky. 1264 01:13:37,850 --> 01:13:39,620 The verifier might have just happened 1265 01:13:39,620 --> 01:13:42,200 to pick a place where the correct polynomial 1266 01:13:42,200 --> 01:13:44,420 and the incorrect polynomial agree. 1267 01:13:44,420 --> 01:13:48,080 In that place, the prover will think, huh, I'm saved. 1268 01:13:48,080 --> 01:13:52,850 Now I can act like the honest prover from this point on 1269 01:13:52,850 --> 01:13:57,340 and the verifier will never catch me. 1270 01:13:57,340 --> 01:14:00,230 It's sort of a little bit analogous to the situation 1271 01:14:00,230 --> 01:14:00,730 maybe-- 1272 01:14:03,610 --> 01:14:06,770 I'm trying to see if you really studied the whole course. 1273 01:14:06,770 --> 01:14:10,360 So I'm giving you an exam by picking sort of random places 1274 01:14:10,360 --> 01:14:11,020 there. 
1275 01:14:11,020 --> 01:14:16,690 But maybe you just studied a few facts from the course. 1276 01:14:16,690 --> 01:14:17,560 You might get lucky. 1277 01:14:17,560 --> 01:14:20,290 I might happen to ask just about those facts. 1278 01:14:20,290 --> 01:14:23,590 And then you give the appearance of having studied everything, 1279 01:14:23,590 --> 01:14:25,120 but you really didn't. 1280 01:14:25,120 --> 01:14:28,180 So here the prover might send the wrong polynomial, 1281 01:14:28,180 --> 01:14:30,030 but the verifier just queries that 1282 01:14:30,030 --> 01:14:32,050 at the place where it happens to agree 1283 01:14:32,050 --> 01:14:34,870 with the correct polynomial, and the prover just gets lucky. 1284 01:14:34,870 --> 01:14:37,180 And the verifier is going to accept, in that case. 1285 01:14:37,180 --> 01:14:39,140 But there are very few of those. 1286 01:14:39,140 --> 01:14:41,890 So that's why the prover is almost certainly 1287 01:14:41,890 --> 01:14:44,110 to be caught if it tries to lie. 1288 01:14:44,110 --> 01:14:47,570 But not guaranteed. 1289 01:14:47,570 --> 01:14:50,920 So just tracing this down. 1290 01:14:50,920 --> 01:14:54,940 If this was a lie, then one of those two has to be a lie. 1291 01:14:54,940 --> 01:14:57,970 So therefore, the next polynomial has to be a lie. 1292 01:14:57,970 --> 01:14:58,878 And so we continue. 1293 01:14:58,878 --> 01:15:01,420 So then the next value is almost certainly going to be a lie. 1294 01:15:01,420 --> 01:15:02,590 Not guaranteed. 1295 01:15:02,590 --> 01:15:06,210 And so then one of those two values has to be a lie. 1296 01:15:06,210 --> 01:15:08,700 At least one has to be a lie. 1297 01:15:08,700 --> 01:15:14,903 Therefore, the polynomial has to be a lie and so on until-- 1298 01:15:14,903 --> 01:15:17,070 unless the prover got lucky along the way somewhere, 1299 01:15:17,070 --> 01:15:18,720 which is very unlikely, even though it 1300 01:15:18,720 --> 01:15:21,120 has several opportunities.
1301 01:15:21,120 --> 01:15:24,510 We've arranged it so that the chance of getting lucky 1302 01:15:24,510 --> 01:15:26,290 is tiny at each stage. 1303 01:15:26,290 --> 01:15:27,840 So even though he has a few chances, 1304 01:15:27,840 --> 01:15:29,965 there's still going to be a tiny chance that you're 1305 01:15:29,965 --> 01:15:31,320 going to get lucky somewhere. 1306 01:15:31,320 --> 01:15:35,980 And so this is wrong, then chances are that's wrong. 1307 01:15:35,980 --> 01:15:38,850 And so therefore, this is going to be a disagreement. 1308 01:15:38,850 --> 01:15:42,480 And the verifier at that point when it doesn't agree 1309 01:15:42,480 --> 01:15:44,323 is going to reject. 1310 01:15:44,323 --> 01:15:46,490 Unless the prover got lucky somewhere along the way, 1311 01:15:46,490 --> 01:15:48,460 which is unlikely. 1312 01:15:48,460 --> 01:15:53,040 So I don't know if you had-- 1313 01:15:53,040 --> 01:15:56,337 so that's all I was going to say about this proof. 1314 01:15:56,337 --> 01:15:58,170 I don't know if you had any questions on it, 1315 01:15:58,170 --> 01:16:00,990 but let's just see. 1316 01:16:00,990 --> 01:16:01,490 OK. 1317 01:16:01,490 --> 01:16:07,840 So do we have any questions I can answer? 1318 01:16:07,840 --> 01:16:10,170 How the prover gets-- 1319 01:16:10,170 --> 01:16:13,800 how does a prover get number-- 1320 01:16:13,800 --> 01:16:16,740 how does the prover get number phi of z? 1321 01:16:22,430 --> 01:16:23,510 So you have to-- 1322 01:16:23,510 --> 01:16:27,680 why is number phi of z have no other variables? 1323 01:16:27,680 --> 01:16:29,900 You have to go back and look at the definition 1324 01:16:29,900 --> 01:16:32,480 of number phi of a. 1325 01:16:32,480 --> 01:16:35,760 Because you add up over all the other variables. 1326 01:16:35,760 --> 01:16:38,940 So now instead of a, we're plugging a variable for that. 1327 01:16:38,940 --> 01:16:41,310 But you're still adding up over the other variables. 
1328 01:16:41,310 --> 01:16:48,230 So this is a function in just one variable, because it-- 1329 01:16:48,230 --> 01:16:50,210 the original thing was a polynomial. 1330 01:16:50,210 --> 01:16:53,060 This is also going to be polynomial. 1331 01:16:53,060 --> 01:16:55,140 I think we're starting to run low on time. 1332 01:16:55,140 --> 01:16:59,910 So this is our very last check in for the semester here. 1333 01:16:59,910 --> 01:17:05,580 So of course there's one natural question to ask you all. 1334 01:17:05,580 --> 01:17:08,580 And for our very last check in, as we're 1335 01:17:08,580 --> 01:17:11,790 in our last couple of minutes of the course or at least 1336 01:17:11,790 --> 01:17:17,500 the lectures, does P equal NP? 1337 01:17:17,500 --> 01:17:18,325 What do you think? 1338 01:17:24,660 --> 01:17:29,520 Will maybe P equal NP be solved by a deep learning algorithm? 1339 01:17:29,520 --> 01:17:33,050 Or maybe we'll never prove it. 1340 01:17:33,050 --> 01:17:35,060 Give me your best guess. 1341 01:17:35,060 --> 01:17:37,020 We're kind of running out of time. 1342 01:17:37,020 --> 01:17:41,470 So let's not think too hard here. 1343 01:17:41,470 --> 01:17:42,760 Another five seconds. 1344 01:17:46,850 --> 01:17:47,350 All right. 1345 01:17:47,350 --> 01:17:49,900 Ending polling. 1346 01:17:49,900 --> 01:17:52,070 I'll share that with you. 1347 01:17:52,070 --> 01:17:53,540 Oh, I did share. 1348 01:17:53,540 --> 01:17:54,440 So what did we get? 1349 01:17:54,440 --> 01:17:55,850 D here. 1350 01:17:55,850 --> 01:17:59,310 We will prove it in somewhere between 20 and 100 years 1351 01:17:59,310 --> 01:17:59,810 from now. 1352 01:17:59,810 --> 01:18:01,655 That seems to be the majority opinion. 1353 01:18:04,460 --> 01:18:06,460 I don't know. 1354 01:18:06,460 --> 01:18:09,430 I hope it'll be sooner than that, because I'd 1355 01:18:09,430 --> 01:18:10,520 like to see the answer. 1356 01:18:10,520 --> 01:18:11,770 But we don't know.
1357 01:18:15,670 --> 01:18:18,940 Yeah, if you can prove P different from NP, 1358 01:18:18,940 --> 01:18:20,020 I'll give you an A+. 1359 01:18:20,020 --> 01:18:21,395 You won't have to take the final. 1360 01:18:21,395 --> 01:18:24,160 But you better be sure you're right. 1361 01:18:24,160 --> 01:18:24,790 All right. 1362 01:18:24,790 --> 01:18:27,850 So that is our quick review. 1363 01:18:27,850 --> 01:18:32,140 We finished number SAT in IP and therefore that coNP 1364 01:18:32,140 --> 01:18:35,410 is a subset of IP. 1365 01:18:35,410 --> 01:18:39,010 If you're interested in further pursuit of this material, 1366 01:18:39,010 --> 01:18:40,690 I got a couple of questions on that. 1367 01:18:40,690 --> 01:18:44,890 These are some courses you may want to look at. 1368 01:18:44,890 --> 01:18:47,980 I know I checked with Ryan Williams. 1369 01:18:47,980 --> 01:18:53,680 He's planning to teach Advanced Complexity fall 2021. 1370 01:18:53,680 --> 01:18:59,140 So that's going to be the most natural follow-on subject 1371 01:18:59,140 --> 01:19:00,440 to this one. 1372 01:19:00,440 --> 01:19:02,650 There's the crypto classes also are 1373 01:19:02,650 --> 01:19:05,025 kind of make use of some of the same ideas. 1374 01:19:05,025 --> 01:19:07,150 And there's, of course, also randomness computation 1375 01:19:07,150 --> 01:19:09,205 that Ronitt Rubinfeld teaches. 1376 01:19:09,205 --> 01:19:10,330 If I didn't check with her. 1377 01:19:10,330 --> 01:19:12,788 I'm not sure the next time she's going to be teaching that. 1378 01:19:15,710 --> 01:19:22,912 And good luck on the final and best wishes. 1379 01:19:22,912 --> 01:19:24,370 And I'm going to have office hours. 1380 01:19:24,370 --> 01:19:29,320 So if you have any questions, happy to answer those. 1381 01:19:29,320 --> 01:19:32,480 But otherwise, see you all. 1382 01:19:32,480 --> 01:19:33,005 Good luck. 1383 01:19:35,705 --> 01:19:36,830 Thank you for the comments.
1384 01:19:36,830 --> 01:19:39,280 Yeah, I enjoyed having you all as students. 1385 01:19:39,280 --> 01:19:41,000 It was a fun time. 1386 01:19:41,000 --> 01:19:43,780 A lot of work, but it was a fun time. 1387 01:19:43,780 --> 01:19:46,720 I've always been intrigued by the P versus NP problem, 1388 01:19:46,720 --> 01:19:48,580 and I proved a kind of a-- 1389 01:19:53,490 --> 01:19:56,490 I proved the exponential complexity 1390 01:19:56,490 --> 01:20:00,210 of computing the parity function in a certain weak model 1391 01:20:00,210 --> 01:20:01,350 of computation. 1392 01:20:01,350 --> 01:20:06,690 So parity function is obviously very trivial function. 1393 01:20:06,690 --> 01:20:12,610 But for the parity function, if you can't count, 1394 01:20:12,610 --> 01:20:15,040 whatever that means, but there is a model 1395 01:20:15,040 --> 01:20:17,980 you can kind of set up where you can't count. 1396 01:20:17,980 --> 01:20:23,020 Then parity requires exponential complexity. 1397 01:20:23,020 --> 01:20:25,480 And surprisingly, not easy to prove. 1398 01:20:25,480 --> 01:20:30,010 But that's probably the theorem that I'm most known for. 1399 01:20:30,010 --> 01:20:30,640 Anyway. 1400 01:20:30,640 --> 01:20:34,912 But that would be a topic for another day. 1401 01:20:34,912 --> 01:20:35,620 Another question. 1402 01:20:35,620 --> 01:20:40,918 Why not include Myhill-Nerode theorem. 1403 01:20:40,918 --> 01:20:41,460 I don't know. 1404 01:20:41,460 --> 01:20:43,200 That's a theorem about finite automata 1405 01:20:43,200 --> 01:20:45,420 and all of those ways of characterizing 1406 01:20:45,420 --> 01:20:46,620 the regular languages. 1407 01:20:46,620 --> 01:20:48,930 That seems kind of a technical theorem. 1408 01:20:48,930 --> 01:20:51,990 I don't see much point in covering it. 
1409 01:20:51,990 --> 01:20:54,510 And another question that some of my colleagues 1410 01:20:54,510 --> 01:20:57,000 ask me is why don't I have Rice's theorem, which 1411 01:20:57,000 --> 01:20:58,620 sort of provides a kind of a machine 1412 01:20:58,620 --> 01:21:00,600 for proving undecidability. 1413 01:21:00,600 --> 01:21:02,730 And I don't know. 1414 01:21:02,730 --> 01:21:06,940 I think that you can use Rice's theorem without understanding 1415 01:21:06,940 --> 01:21:08,680 how to prove undecidability. 1416 01:21:12,000 --> 01:21:15,650 It's like checking off a box. 1417 01:21:15,650 --> 01:21:18,770 Checking some boxes and then you conclude something's undecided. 1418 01:21:18,770 --> 01:21:21,830 I'd rather have somebody understand it 1419 01:21:21,830 --> 01:21:23,900 rather than be able to use some powerful tool. 1420 01:21:27,720 --> 01:21:30,630 Can we understand that proof about the parity 1421 01:21:30,630 --> 01:21:33,530 function that I just alluded to? 1422 01:21:33,530 --> 01:21:36,518 It's super hard. 1423 01:21:36,518 --> 01:21:38,685 With the knowledge from this class, I think you can. 1424 01:21:41,780 --> 01:21:45,440 That theorem relies on a certain technique 1425 01:21:45,440 --> 01:21:49,310 which we didn't cover called the probabilistic method, which 1426 01:21:49,310 --> 01:21:51,260 is a kind of an amazing method. 1427 01:21:51,260 --> 01:21:54,500 Not hard to explain, but basically you 1428 01:21:54,500 --> 01:21:56,900 show that something exists by showing 1429 01:21:56,900 --> 01:22:01,750 that the probability that a random object has 1430 01:22:01,750 --> 01:22:05,585 the property you're looking for is more than 0. 1431 01:22:05,585 --> 01:22:07,210 And so therefore, the thing that you're 1432 01:22:07,210 --> 01:22:09,210 looking for that has that property has to exist. 1433 01:22:11,863 --> 01:22:13,780 There are lots of examples of that these days. 1434 01:22:13,780 --> 01:22:15,920 But it's kind of an amazing method. 
1435 01:22:15,920 --> 01:22:17,500 So we use that method. 1436 01:22:17,500 --> 01:22:19,990 Do I think quantum computing can solve useful problems 1437 01:22:19,990 --> 01:22:22,758 beyond the capability of computers? 1438 01:22:22,758 --> 01:22:24,300 I have no idea whether one can really 1439 01:22:24,300 --> 01:22:25,470 build a quantum computer. 1440 01:22:25,470 --> 01:22:27,510 It seems to be always 20 years off at least 1441 01:22:27,510 --> 01:22:28,960 to doing one that factors. 1442 01:22:28,960 --> 01:22:32,640 And I've been literally I remember people 1443 01:22:32,640 --> 01:22:34,470 20 years ago saying it's 20 years off. 1444 01:22:34,470 --> 01:22:38,530 So I don't think it's converging. 1445 01:22:38,530 --> 01:22:41,350 I'm skeptical that they'll ever build a quantum computer that 1446 01:22:41,350 --> 01:22:42,010 can factor. 1447 01:22:42,010 --> 01:22:44,230 I'll go out on a limb and say that. 1448 01:22:44,230 --> 01:22:45,954 But that's controversial. 1449 01:22:49,372 --> 01:22:51,330 And whether it can solve other useful problems, 1450 01:22:51,330 --> 01:22:53,413 I'm not sure what other useful problems are there. 1451 01:22:53,413 --> 01:22:55,620 Well, I guess they're simulating quantum systems. 1452 01:22:55,620 --> 01:22:57,500 So maybe that might be possible. 1453 01:23:00,600 --> 01:23:01,100 All right. 1454 01:23:01,100 --> 01:23:06,370 I think I'm going to end this now. 1455 01:23:06,370 --> 01:23:09,440 But thank you, everybody. 1456 01:23:09,440 --> 01:23:09,940 Take care. 1457 01:23:09,940 --> 01:23:11,610 Bye bye.