|
Recall the following definitions and lemma from SelfTestingCorrecting: DEFN: F is linear if, for every pair U,W ∈ A, :: F(U)+F(W) = F(U + W). DEFN: F is approximately linear if, for a random pair U,W ∈ A, :: Pr[F(U)+F(W) = F(U + W)] ≥ 91/100 . LEMMA: If F is linear, the SELF-CHECK algorithm for linear functions outputs "pass". If F is not approximately linear, the SELF-CHECK algorithm outputs "fail" with probability at least 50%. Note that the SELF-CHECK algorithm checks F at only 24 places. DEFN: F encodes a function G if, for all W∈ A, a random R∈ A satisfies :: Pr[G(W) = F(W+R)-F(R)] ≥ 9/10 . LEMMA:If F encodes a function G, then G is linear. PROOF: Fix any U,W ∈ A. We will show that G(U+W) = G(U)+G(W). It suffices if, for some R, :: G(U+W) = F(U+W+R)-F(R) :: = G(U)+F(W+R)-F(R) :: = G(U)+G(W)+F(R)-F(R) For a random R, each of these three equalities holds individually with probability at least 9/10. By the naive union bound, the probability that any of the three fails to hold is at most 3/10. Thus, the probability that all succeed is at least 7/10. Thus, there exists an R for which they all hold. QED LEMMA: If F is approximately linear, then F encodes exactly one function G. PROOF SKETCH: Fix any W∈ A. Let R and S be random elements in A. Then :: Pr[ F(W+R)+F(S) = F(R+W+S) AND F(R)+F(W+S) = F(R+W+S)] ≥ 1-2*(1-91/100) = 82/100. Thus, :: Pr[ F(W+R)-F(R) = F(W+S)-F(S)] ≥ 82/100. This implies that there exists a single value G(W) such that, for a random R, :: Pr[ F(W+R)-F(R) = G(W)] ≥ 9/10. (For example, suppose F(W+R)-F(R) takes on the value X with probability 9/10, and Y with probability 1/10. Then the probability that F(W+R)-F(R) = F(W+S)-F(S) is (9/10)2 + (1/10)2 = 82/100. |
|
Probabilistically checkable proofs (PCP's) are proofs that can be verified with high probability by looking at the proof in only a few randomly chosen places. Here we describe a relatively simple self-contained proof that any satisfiable Boolean formula has a PCP of its satisfiability that can be checked by querying a constant number of bits. Formally, we show THEOREM: SAT ∈ PCP(nO(1), 1) That is, SAT has a randomized polynomial-time verifier V with the following properties: # V takes input (A,P) where A is a Boolean formula of size n, and P is a PCP. # If A is satisfiable, then there exists a PCP P such that V(A,P) accepts with probability 1. # If A is not satisfiable, then for any string P, V(A,P) rejects with probability at least 1/2. # V(A,P) looks at O(1) bits of P and uses nO(1) random bits. The PCP system we describe uses exponentially large proofs. In fact, the stronger result holds, but we don't describe a proof: THEOREM: SAT ∈ PCP(log(n), 1) In his book "Approximation Algorithms", Vazirani mentions the following intuition for PCP's. Given a Boolean formula in 3-SAT form with $m$ clauses, suppose the verifier was given a satisfying assignment (as the proof of satisfiability) and then checked a single clause at random of the formula to see if the assignment satisfied that one clause. If the clause was satisfied, then the verifier would accept. With this simple PCP system, if the formula is satisfiable, there is a proof to give the verifier so that the verifier will accept with probability 1. Conversely, if the formula is not satisfiable, no matter what ``proof'' one gives the verifier, the verifier will reject with probability at least 1/m. The challenge is to amplify this rejection probability to at least 1/2, while still having the verifier check only a constant number of bits in the proof. Building block #1 --- Encoding F as a collection of quadratic functions over Z2n.The verifier wants to verify that the Boolean formula F is satisfiable. To begin, the verifier converts F into a set S of equivalent quadratic equations and variables over Z2n (the integers {0,1} with arithmetic mod 2). The equations will have a solution if and only if F is satisfiable. Example: Suppose F = (v1 or v2) and (v1 or v2) . Then the equations are: || Equation || Meaning || || B3 = B1 + B2 - B1 B2 || B3 = (v1 or v2) || || B4 = 1 - B1 B2 || B4 =(v1 or v2) || || B5 = B3 B4 || B5 = B3 and B4 || || B5 = 1 || B5 = true || Building block #2 --- Freivald's trickNext, the verifier selects a random subset of the set of equations above and adds them together to get a single equation, say, ∑ij xij Bi Bj = 1 for some particular (known) x. We will write this equation also as FB(x) = 1. Note that the verifier knows x but not B, even though we use notation suggesting that FB(x) is a function of x. LEMMA: The random function FB(x) has the following property: for any particular assignment B=b, if b satisfies all the equations, then Fb(x)=1. Otherwise, Pr[Fb(x) = 1] ≤ 1/2. This is because, if there are any incorrect equations (for a particular b), the final equation will be incorrect exactly when the number of incorrect equations chosen in the set is odd. This is FreivaldsTrick.? Building block #3 --- SelfTestingCorrectingFinally, the verifier examines the proof P, using the SELF-CHECK-DIAG and SELF-CORRECT algorithms from SelfTestingCorrecting.? The verifier expects the proof P to encode a satisfying assignment B=b for the equations as follows. For each of the 2n× n n× n matrices X ∈ Z2n× n, the proof should tell the value (0 or 1) of ::Fb(X) = ∑ij Xij bi bj. Thus, the proof P has 2n× n bits, one for each possible matrix X. Let P(X) denote the bit in the proof P giving the value of Fb(X). The key observation at this point is that if P has the correct format, then P(X) is a diagonal linear function of X. In particular, P(X) = Fb(X) = ∑ij Xij bi bj for some particular b. Now we can state the verifier completely. On input (A, P), where A is a SAT formula and P is an alleged proof that B is satisfiable, the verifier V does the following: # Use SELF-CHECK-DIAG(P) to check that P(X) is an approximate diagonal linear function of X. If the test fails, reject. # Assume that P is an approximate diagonal linear function encoding a diagonal linear function Q(X) = ∑ij Xij bi bj for some b. # As described above, construct a set of quadratic equations over Z2n that has a solution iff A is satisfiable. # Repeat the remaining steps twice: # As described above, let quadratic equation "F(B)=1" be obtained by summing a random subset of the equations. \ Compute x such that F(B) = ∑ij xij Bi Bj. # Use SELF-CORRECT(P,x) to evaluate Q(x). If SELF-CORRECT discovers a non-linearity, reject. If the equation "Q(x)=1" fails, reject. # Accept. LEMMA: If A is satisfiable, there exists a proof P such that V(A, P) accepts. PROOF: As described, let B=b be a satisfying assignment of the quadratic equations. For each X, let P(X) = ∑ij Xij bi bj . Then P(X) is a diagonal linear function of X, so the SELF-CHECK-DIAG(P) test passes, and SELF-CORRECT(P,x) returns P(x), which equals Q(x), which equals F(b). Since all equations in the set of quadratic equations are satisfied, so is the equation F(b)=1, so Q(x)=1 holds too. Thus, the verifier accepts. |
|
SELF-CORRECT ALGORITHM(F,U): :: input: an approximately linear function F:A→ B, and any U∈ A. :: output: G(U), with probability at least 9/10, where G is the linear function encoded by F. # Choose a random R∈ A and output F(U+R)-F(U). LEMMA: If F is approximately linear, then, for any W∈ A, with probability at least 9/10, SELF-CORRECT(F,W) outputs G(W), where G is the linear function encoded by F. |
|
LEMMA: If A is not satisfiable, then for any alleged proof P, Pr[V(A,P) rejects] ≥ 1/2. |
|
That there is a unique linear function encoded by F follows from the lemmas above. That F(U+R)-F(R) = G(W) with probability at least 9/10 follows also from the lemmas above. QED |
|
Suppose A is not satisfiable. If P does not encode an approximate diagonal linear function, then SELF-CHECK-DIAG(P) fails with probability at least 1/2. |
Self Testing and Correcting of "Diagonal" Linear Functions |
|
So assume that P does. Let Q(X) = ∑ij Xij bi bj be the approximate diagonal linear function that P encodes. One of the following things has to happen for the remaing steps to not reject: * Freivalds' trick fails (the random subset of equations sums to an equation that is satisfied). \ Since not all equations are satisfied by b, this happens with probability at most 1/2. * Freivalds trick succeeds but the SELF-CORRECT(P,x) call fails to return the correct value Q(x), and fails to discover a non-linearity. By a lemma in SelfTestingCorrecting, this happens with probability at most 1/10. Thus, the probability that the remaining steps don't lead to rejection is at most 1/2+1/10 = 6/10. Since the steps are repeated twice, and each time the probability of rejection is at least 4/10, the probability of passing both is at most (6/10)2 < 1/2. |
|
Let F:Z2n× n→ Z2. Here Z2 denotes the finite field {0,1} with arithmetic mod 2. |
|
QED |
|
We think of X∈ Z2n× n as a doubly subscripted vector (ie. a matrix), and we denote its elements as Xij for 1≤ i, j≤ n. |
|
If F is a linear function, then it can be written as :: F(X) = ∑ij Xij Bij for some B ∈ Z2n× n. DEFN: F is a diagonal linear function if F can be written as :: F(X) = ∑ij Xij bi bj for some b ∈ Z2n. Note that any diagonal linear function is a linear function. DEFN: F is an approximately diagonal linear function if F is approximately linear and the linear function that F encodes is a diagonal linear function. SELF-CHECK ALGORITHM(F): :: input: a subroutine for computing a function F:Z2n× n→ B. :: output: if F is a diagonal linear function, then "pass". If F is not approximately diagonal linear, then "fail" with probability at least 50%. # Check that F is approximately linear using the SELF-CHECK algorithm for approximately linear functions. # If that test fails, return "fail". # Repeat the following test 3 times: # Choose random vectors r,s ∈ Z2n and check G(rsT) = G(diag(r))G(diag(s)), \ using the SELF-CORRECT(F,W) algorithm for linear functions to evaluate G (with probability at least 9/10). \ Here G is the linear function encoded by F. diag(r) is the diagonal matrix where diag(r)ii = ri. # If all 3 tests pass, return "pass", else return "fail". |
|
LEMMA: If F is a diagonal linear function, then SELF-CHECK(F) (above) passes. If F is not an approximately diagonal linear function, then SELF-CHECK(F) fails with probability at least 50%. PROOF: If F is diagonal linear, then SELF-CHECK clearly passes. |
|
Suppose F is not approximately diagonal linear. If F is not approximately linear, then the SELF-CHECK for linear functions fails with probability at least 50%. So assume F is approximately linear, and let G be the linear function encoded by F. Since G is linear, G(X) = ∑ij Xij Cij for some C ∈ Z2n× n. By definition, G is diagonal iff C = bbT for some b∈ Z2n. The condition rT C s = rT b bT r for some b is equivalent to G(rsT) = G(diag(r))G(diag(s)). (check) Note: here rsT denotes the matrix whose ij entry is ri sj. This condition clearly holds if G is diagonal linear. On the other hand, If C ≠ bbT, then Pr[rT C s = rT b bT s] ≤ 1/4 for two random vectors r,s ∈ Z2n× n. (This is FreivaldsTrick, applied twice.) Thus, if G is not diagonal linear, then each of the last three checks made by the SELF-CHECK algorithm will fail with probability at least 7/40 = (1-3/10)(1/4). (The (1-3/10) part is because, in evaluating G using the SELF-CORRECT subroutine, there is 1/10 chance that each evaluation fails to return the actual value of G(W). |
|
Thus, if G is not diagonal linear, then the SELF-CHECK will fail with probability at least 1-(1-7/40)3 > 1/2. |
|
QED |
|
Finally, note that SELF-CORRECTing an approximately diagonal linear function reduces trivially to SELF-CORRECTing a linear function. References: * M. Blum, M. Luby, and R. Rubinfeld. Self-testing/correcting with applications to numerical problems. In Proc. 22nd ACM Symp. on Theory of Computing, pages 73-83, 1990. |
|
* S. Arora, C. Lund, R. Motwani, M. Sudan, and M. Szegedy. Proof verification and hardness of approximation problems. In Proc. 33rd IEEE Symp. on Foundations of Computer Science, pages 14-23, 1992. * M. Blum, M. Luby, and R. Rubinfeld. Self-testing/correcting with applications to numerical problems. In Proc. 22nd ACM Symp. on Theory of Computing, pages 73-83, 1990. Notes on the weak PCP theorem are available either in [html] or [pdf]. |
|
* S. Arora, C. Lund, R. Motwani, M. Sudan, and M. Szegedy. Proof verification and hardness of approximation problems. In Proc. 33rd IEEE Symp. on Foundations of Computer Science, pages 14-23, 1992. |
THEOREM: SAT ∈ PCP(nO(1), 1)
That is, SAT has a randomized polynomial-time verifier V with the following properties:
The PCP system we describe uses exponentially large proofs.
In fact, the stronger result holds, but we don't describe a proof:
THEOREM: SAT ∈ PCP(log(n), 1)
In his book "Approximation Algorithms", Vazirani mentions the following intuition for PCP's. Given a Boolean formula in 3-SAT form with $m$ clauses, suppose the verifier was given a satisfying assignment (as the proof of satisfiability) and then checked a single clause at random of the formula to see if the assignment satisfied that one clause. If the clause was satisfied, then the verifier would accept.
With this simple PCP system, if the formula is satisfiable, there is a proof to give the verifier so that the verifier will accept with probability 1. Conversely, if the formula is not satisfiable, no matter what ``proof'' one gives the verifier, the verifier will reject with probability at least 1/m.
The challenge is to amplify this rejection probability to at least 1/2, while still having the verifier check only a constant number of bits in the proof.
The verifier wants to verify that the Boolean formula F is satisfiable. To begin, the verifier converts F into a set S of equivalent quadratic equations and variables over Z2n (the integers {0,1} with arithmetic mod 2). The equations will have a solution if and only if F is satisfiable.
Example: Suppose F = (v1 or v2) and (v1 or v2) .
Then the equations are:
| Equation | Meaning |
| B3 = B1 + B2 - B1 B2 | B3 = (v1 or v2) |
| B4 = 1 - B1 B2 | B4 =(v1 or v2) |
| B5 = B3 B4 | B5 = B3 and B4 |
| B5 = 1 | B5 = true |
Next, the verifier selects a random subset of the set of equations above and adds them together to get a single equation, say, ∑ij xij Bi Bj = 1 for some particular (known) x. We will write this equation also as FB(x) = 1. Note that the verifier knows x but not B, even though we use notation suggesting that FB(x) is a function of x.
LEMMA: The random function FB(x) has the following property: for any particular assignment B=b, if b satisfies all the equations, then Fb(x)=1. Otherwise, Pr[Fb(x) = 1] ≤ 1/2.
This is because, if there are any incorrect equations (for a particular b), the final equation will be incorrect exactly when the number of incorrect equations chosen in the set is odd. This is FreivaldsTrick.?
Finally, the verifier examines the proof P, using the SELF-CHECK-DIAG and SELF-CORRECT algorithms from SelfTestingCorrecting.?
The verifier expects the proof P to encode a satisfying assignment B=b for the equations as follows. For each of the 2n× n n× n matrices X ∈ Z2n× n, the proof should tell the value (0 or 1) of
The key observation at this point is that if P has the correct format, then P(X) is a diagonal linear function of X. In particular, P(X) = Fb(X) = ∑ij Xij bi bj for some particular b.
Now we can state the verifier completely. On input (A, P), where A is a SAT formula and P is an alleged proof that B is satisfiable, the verifier V does the following:
LEMMA: If A is satisfiable, there exists a proof P such that V(A, P) accepts.
PROOF: As described, let B=b be a satisfying assignment of the quadratic equations.
For each X, let P(X) = ∑ij Xij bi bj .
Then P(X) is a diagonal linear function of X, so the SELF-CHECK-DIAG(P) test passes,
and SELF-CORRECT(P,x) returns P(x), which equals Q(x), which equals F(b).
Since all equations in the set of quadratic equations are satisfied,
so is the equation F(b)=1, so Q(x)=1 holds too.
Thus, the verifier accepts.
QED
LEMMA: If A is not satisfiable, then for any alleged proof P, Pr[V(A,P) rejects] ≥ 1/2.
PROOF:
Suppose A is not satisfiable.
If P does not encode an approximate diagonal linear function, then SELF-CHECK-DIAG(P) fails with probability at least 1/2.
So assume that P does. Let Q(X) = ∑ij Xij bi bj be the approximate diagonal linear function that P encodes. One of the following things has to happen for the remaing steps to not reject:
QED