Distributed Verifiers in PCP
aa r X i v : . [ c s . CC ] M a y Distributed Verifiers in PCP
Nagaganesh Jaladanki and Wilson WuMay 22, 2020
Abstract
Traditional proof systems involve a resource-bounded verifier communicating with a powerful(but untrusted) prover. Distributed verifier proof systems are a new family of proof models thatinvolve a network of verifier nodes communicating with a single independent prover that has accessto the complete network structure of the verifiers. The prover is tasked with convincing all verifiersof some global property of the network graph. In addition, each individual verifier may be givensome input string they will be required to verify during the course of computation. Verifier nodesare allowed to exchange messaged with nodes a constant distance away, and accept / reject the inputafter some computation.Because individual nodes are limited to a local view, communication with the prover is potentiallynecessary to prove global properties about the network graph of nodes, which only the prover hasaccess to. In this system of models, the entire model accepts the input if and only if every individualnode has accepted.There are three models in the distributed verifier proof system family:
LCP , dIP , and our pro-posed dPCP , with the fundamental difference between these coming from the type of communicationestablished between the verifiers and the prover. In this paper, we will first go over the past work inthe LCP and dIP space before showing properties and proofs in our dPCP system.
For a graph G , we denote by V ( G ) and E ( G ) the vertex and edge sets of the graph, respectively. Forsome vertex i ∈ V ( G ), we define the neighborhood N ( i ) of i as those vertices in G adjacent to i , including i itself. That is, N ( i ) = { j ∈ V ( G ) | j = i ∨ ( i, j ) ∈ E ( G ) } .In general, problem instances for each model will take the form of ( G, x ) for G in some family of graphs F and x : V ( G ) −→ { , } ∗ a function from vertices to binary strings. Intuitively, F is a “promise” that G has some structure, e.g. that it is connected, while x is an input string for each verifier node. For avertex subset S ∈ V ( G ), we denote by x | S the restriction of x to S .For each proof system we discuss, the distributed verifier consists of V i for each vertex i ∈ G .Each verifier is local , in that it makes a decision based only on the structure, inputs, and proofs ofits neighborhood. That is, each verifier is a function of the format V π N ( i ) i ( N ( i ) , x | N ( i ) ) where π N ( i ) is,abstractly, an oracle with access to the proofs sent to N ( i ). The format of these proofs will be specifiedin more detail for each model we discuss.We will consider several natural graph properties and languages, which we now define. Definition 1.1.
A graph G is in Nonbiparite if it is not bipartite. That is, there exists no 2-coloringof G . 1 efinition 1.2. A graph G is in Sym if some nontrivial automorphism exists on G , i.e. some nonidentitypermutation π : V ( G ) −→ V ( G ) exists such that π is compatible with the structure of G , in that ∀ i, j ∈ V ( G ) : ( i, j ) ∈ E ( G ) ←→ ( π ( i ) , π ( j )) ∈ E ( G ). Definition 1.3.
Leader is the language of graphs with a unique distinguished “leader”. More explicitly,a graph with input strings (
G, x ), with x a function x : V ( G ) −→ { , } , is in Leader if x ( i ) = 1 forexactly one vertex i ∈ V ( G ), and x ( j ) = 0 for all other vertices j = i . Definition 1.4.
A graph and input (
G, x ) is in
Span if x defines a valid spanning tree on G . That is,for each i ∈ V ( G ) the string x ( i ) identifies either a neighbor of i , supposedly its parent in the spanningtree, or with some unique string specifies that i is the root of T . If the directed graph T defined by x isindeed a spanning tree on G , then ( G, x ) ∈ Span . In the Locally Checkable Proofs (
LCP ) model, the prover can only send a single different proof stringto each verifier, after which there is no further communication with prover. Once this proof string isreceived, verifier nodes can communicate with their local neighborhood before accepting or rejecting theinput.Formally, the Prover is a function P : V ( G ) −→ { , } ∗ that associates every vertex to the proofstring that that the Prover sends. The verifier A is a computable function V π N ( i ) i ( N ( i ) , x | N ( i ) ) that hasan oracle to the proofs and input strings of its local neighborhood. Note that the LCP model does notallow verifiers to use randomness to accept or reject the Prover’s proof string. As a result, the followingdefinition encapsulates the
LCP model.
Definition 2.1.
We say a given graph property
P ⊆ F admits locally checkable proofs if the twoproperties hold. • If G ∈ P , then there exists a proof P : V ( G ) −→ { , } ∗ such that all verifiers accept. • If G / ∈ P then any proof P : V ( G ) −→ { , } ∗ will have at least one verifier reject.Of particular interest in this model is the communication complexity between the prover and eachverifier, which allows a complexity hierarchy to be defined within this model. Definition 2.2.
We define the class
LCP ( f ) to consist of graph properties that admit a locally checkableproof where the communication between each verifier and the prover is up to f ( n ) bits.This following levels in the complexity hierarchy are of interest: LCP (0) , LCP (1) , LCP ( O (log n )), and LCP ( O ( poly ( n )), which were first described in a by a 2011 paper by G¨o¨os and Suomela [1]. We define logLCP as an alias for LCP ( O (log n )).Intuitively, logLCP is an interesting complexity class as it allows the prover to send a concise yetnon-negligible amount of information to each verifier to prove some global property about the graph. logLCP lower bounds An interesting property about the logLCP class is the existence of nontrivial lower bounds proved onproof size. Uniquely identifying every node in a graph of n vertices takes a lower bound of log n bits, so2ne can potentially characterize the logLCP class as one that sends the identifiers of a constant numberof nodes to each vertex in the proof string.Several problems in the logLCP class, such as Span , Nonbiparite , or
Leader , have O (log n ) bitsof communication as a lower bound for proof strings.The proof sketch for this is as follows. We can take several small cycles that form yes -instancesof a particular graph property and “glue” them together to form a longer cycle that does not matchthe relevant graph property. The smaller yes -instances, which each require fewer bits to convey nodeidentifiers and proof labels, still hold true locally when glued together, causing all nodes to accept basedoff of their local neighborhood. This will lead to an acceptance, even though the glued longer cycle isnot part of the language. The dIP model extends upon the
LCP model by introducing the notion of interaction and randomnessbetween each verifier and the prover. Every verifier and the prover are allowed to communicate byexchanging communication in a series of rounds. These rounds of communication may be interspersedby communication with other nodes in the local neighborhood of the verifier. Because of the introductionof randomness, the prover-verifier system is not guaranteed to always produce the right answer such asin the
LCP model.
Definition 3.1.
We say a given graph property
P ⊆ F admits a distributed interactive proof if the twoproperties hold. • If G ∈ P , then there exists a prover P such that all nodes accept with probability greater than . • If G / ∈ P then for any prover, the probability that all nodes accept is less than .Ideas from traditional IP models can be extended to the dIP model as well. In particular, the paperproposing the dIP model worked extensively in the public-coin variant of the model, in which the verifiersshare all generated randomness with the prover.[3] A prominent system used was the dMAM model.Communication complexity is denoted in this model as dMAM [ f ], where the number of bits transferredbetween the prover and verifier is upper bounded by f ( n ).Intuitively, randomness and interaction seem to give this model more power, which may allow thenet communication complexity to go down. Indeed, this is true, with results showing that Sym ∈ dMAM [ O (log n )]. This is direct improvement from the LCP model, which showed that
Sym / ∈ LCP ( o ( n )). The RAM compiler, introduced by Naor, Parter, and Yogev, is a general way of transforming traditional IP graph protocols with a centralized verifier into those that can be accepted by the network graph ofverifiers [2].At a high level, this reduction involves using the network graph as a RAM machine, with eachindividual verifier responsible for a small portion of the computation. The computation is checked to beglobally correct with a specific reduction to Set Equality, for which a protocol is given in the paper.3 Distributed PCP
In the distributed
PCP model we propose, the prover provides one global proof string which can bequeried by each verifier in the graph. Intuitively, this model gains some power from the fact that theprover is forced to commit to a single, shared proof for all verifiers – each verifier can both check thatthe proof is locally consistent with its neighborhood, and that it honestly encodes some global structureof the graph and vertex inputs. This sort of verifier strategy does not appear in
LCP or dIP , as in theseclasses the prover is free to send inconsistent proofs to different verifiers.Formally, we define distributed PCP as follows:
Definition 4.1.
Given a family of graphs F and graph language L ⊆ F × { , } ∗ , we have L ∈ dPCP c,s [ l, r, q ] if • Completeness:
For any (
G, x ) ∈ L , there exists a proof π with | π | = l such thatPr (cid:0) ∀ i ∈ V ( G ) : V πi ( x N ( i ) = 1 (cid:1) > c . • Soundness:
For any (
G, x ) / ∈ L , for any proof ˜ π , we have Pr (cid:0) ∀ i ∈ V ( G ) : V πi ( x N ( i ) = 1 (cid:1) < s .for some ( V i ) i ∈ V ( G ) with each verifier V i using at most r random bits and making at most q queries to π . dPCP We will demonstrate constant-query dPCP protocols for the problems
Nonbiparite , Leader , and
Span .As seen above, there exist no locally checkable proofs of size o (log n ) for these problems, suggesting thatprobabilistic checking is more powerful than the fixed proofs of LCP . However, the protocols belowrequire that G ∈ F n , where F n is the family of connected graphs with n vertices. This is required onlyfor the verifier to know how to query a Hadamard encoding of an n -dimensional vector, and it is notclear that this is central to the protocol itself. Recall that a graph G is bipartite if and only if it has no cycles with an odd number of vertices. Thus, itsuffices to provide a proof that some odd cycle exists in G . Given some odd cycle C , consider the vector α C ∈ { , } n with n = | V ( G ) | , where α Ci = 1 if and only if i ∈ C . Since we want to verify that C isin fact an odd cycle in a constant number of queries, we let the proof be π = Had( α C ) the Hadamardencoding of α C . Let e i be the basis vector with value 1 at coordinate i and 0 everywhere else, and let be the all ones vector. Each verifier V i then runs the following protocol:1. Run linearity check on π .2. Query a i = α ⊤ C e i .3. If a i = 1, communicate with neighbors to ensure there exist exactly two distinct j ∈ N ( i ) suchthat a j = 1.4. Query and check α ⊤ C = 1.Note that each query is error-corrected — that is, instead of querying e.g. α ⊤ v , we instead query α ⊤ ( v + r ) + α ⊤ r for a randomly sampled r ∈ { , } n . For any graph G ∈ Nonbiparite , the prover4an find some loop with odd vertices, so completeness holds. Soundness follows from the converse ofthis, and the fact that the linearity check and each query introduce only a constant probability of error.Therefore,
Nonbiparite ∈ dPCP , / [ O (2 n ) , O ( n ) , O (1)]. In the constant-query protocol for
Leader , the honest proof is simply the Hadamard encoding of theinput: π = Had( α x ), where α xi = x ( i ) for i ∈ V ( G ). The protocol for each V i is as follows:1. Run linearity check on π .2. Query and check α ⊤ x e i = x ( i ).3. If x ( i ) = 1: • Sample r i which is zero on entry i and uniform in { , } elsewhere. • Query and check α ⊤ x r i = 0.Else: • Query and check α ⊤ x = 1.If the prover attempts to lie about x ( i ), it will be caught in the second step of the protocol. Otherwise,the third step verifies that there exists a unique i such that x ( i ) = 1 and ∀ j = i : x ( j ) = 0. Completenessand soundness follow. Here, an honest prover sends π = (Had( α r ) , (Had( α i )) i ∈ V ( G ) where α ri = x ( i ) = root0 otherwiseand α ij = j reachable from i in T ( x )0 otherwisewhere T ( x ) is the directed graph defined on V ( G ) by x , where ( i, j ) ∈ E ( T ( x )) if x ( i ) = j . The verifierruns the Leader protocol on Had( α r ), then, if x ( i ) is not root, checks ( α i + α x ( i ) ) = e i using queries1. Check ( α i + α x ( i ) ) ⊤ e i = α ⊤ i e i + α ⊤ x ( i ) e i = 1.2. Check ( α i + α x ( i ) ) ⊤ r i = 0 for r i = 0 on element i and uniform from { , } elsewhere.It follows that Span ∈ dPCP , / [2 O ( n ) , O ( n ) , O (1)] We have introduced the dPCP model, which we believe to be an interesting and meaningful notion ofdistributed proof. Future directions include the relationship between dPCP and the logLCP or dIP classes— although we presented some protocols for graph languages in logLCP and dIP , we have yet to deviseany general reductions. It could also be interesting to explore the creation of succinct arguments from dPCP using cryptographic methods, which may be useful in practical settings.5 eferences [1] G¨o¨os, Mika, and Jukka Suomela. “Locally checkable proofs in distributed computing.” Theory ofComputing arXiv preprint arXiv:1812.10917 (2018).[3] Kol, Gillat, Rotem Oshman, and Raghuvansh R. Saxena. “Interactive distributed proofs.”