AHPs——algebraic holographic proofs

1. Interactive proofs

interactive proofs correspond to languages decidable in polynomial space: IP[poly(n)] = PSPACE。

1.1 L.Babai1985年论文

在L. Babai的1985年论文《Trading group theory for randomness》中提出了一种新的复杂度体系AM(k)，用于介绍Arthur vs. Merlin games。在该论文中，构建一个基于有限域内的组合game：Merlin (the nondeterministic player)能使Arthur（the random player）基于统计学证据的基础上，信服 $|G|=N$。在该game中，不再需要中心化的要素存在。
有限域群常用矩阵来表示。
定理1.1： Membership in, and order of matrix groups over finite fields belong to $AM \cap coAM$.

主要定义为：a k-round Arthur–Merlin game is a k-round public-coin interactive proof (i.e., the verifier messages are uniformly and independently random); AM[k] is the class of languages with a k-round Arthur–Merlin game.

1.2 Goldwasser，Micali等人1989年论文

Goldwasser，Micali等人1989年论文《The knowledge complexity of interactive proof systems》中提出：
对于n-bit long的statement，出现错误convinced的概率低至 $\frac{1}{2^n}$，正确convinced的概率高至 $1-\frac{1}{2^n}$
在交互式证明中，proof的接收方必须主动地对prover提问并获取答案。

主要定义为：in a k-round interactive proof, a probabilistic polynomial-time verifier exchanges k messages with an all-powerful prover, and then accepts or rejects; IP[k] is the class of languages with a k-round interactive proof。

在该文中还提出：为了证明某个定理T，究竟有多少知识必须被交互？(How much knowledge should be communicated for proving a theorem T?) 当所需要的知识为0时，即为零知识证明。
A theorem is in provable in NP if its proof is easy to verify once it has been found.

A theorem-proving procedure直观上应有以下几个要求：

• it is possible to “prove” a true theorem.
• it is impossible to “prove” a false theorem.
• communicating a proof should be efficient，即不论prover在生成证明的过程多复杂，verifier验证的过程应足够简单。

在Arthur-Merlin证明系统中，Merlin作为A图灵机（Prover），Arthur作为B图灵机（Verifier），与上面的交互图灵机证明最大的不同在于，Merlin可以看到Arthur所有的抛硬币（随机数）结果。

（可参考我的博客Arthur-Merlin protocol交互式知识证明系统）

1.3 Multi-prover interactive proofs(MIPs)

2. Probabilistically checkable proofs

in a probabilistically-checkable proof, a probabilistic polynomial-time verifier has oracle access to a proof string; PCP[r, q] is the class of languages for which the verifier uses at most r bits of randomness, and queries at most q locations of the proof (note that the proof length is at most $2^r$ ).

2.1 L. Babai等人1991年论文

在L. Babai等人1991年论文《Checking computations in polylogarithmic time》，针对的场景是：一个数学proof实在是太大了，导致无法由单个人来完成check。（如，此时考虑的不再是图灵机，而是RAM有限的机器等情况。）
解决方法为引入随机数。 all formal proofs can be transformed into proofs that are checkable in polylogarithmic Monte Carlo time。


引入了两个角色：

• Solver：在开发市场上用于服务用户的具有竞争力的一方。
• Checker：小小的但是具有高可靠性的设备。

结论为：

2.2 Arora和Safra等人1998年论文

Arora和Safra等人1998年论文《Probabilistic checking of proofs: a new characterization of NP》中，介绍了NP的一种新特性：
the class NP contains exactly those languages L for which membership proofs (a proof that an input x is in L) can be verified probabilistically in polynomial time using logarithmic number of random bits and by reading sublogarithmic number of bits from the proof.

2.3 Arora和Lund等人1998年论文

Arora和Lund等人1998年论文《Proof verification and the hardness of approximation problems》中，
自17世纪起，NP完备性被用于寻找大量的组合问题的最优解。

3. Interactive oracle proofs (IOPs)

IOPs结合了interactive proofs和probabilistically checkable proofs的特征。
interactive oracle proofs (IOPs), a model of proof system that combines aspects of IPs and PCPs, and also generalizes interactive PCPs (which consist of a PCP followed by an IP).

3.1 Ben-Sasson等人2016年论文

Ben-Sasson等人2016年论文《Interactive Oracle Proofs》中，提出了结合interactive proofs（IPs）和probabilistically-checkable proofs（PCPs），创建了interactive oracle proof（IOP, consist of a PCP followed by an IP），此时verifier将不再需要读取prover的完整消息，verifier对prover的消息具有oracle access，可以probabilistically query them。IOPs保持了PCPs的课表大型，抓住了NEXP而不仅仅是PSPACE，同时保持了IPs的灵活性，允许与prover进行多轮交互沟通。
该论文主要有两大技术贡献：

• 提供了编译器，用于将public-coin IOP映射为non-interactive proff in the random oracle model。并证明映射后的proof仍然具有IOP的可靠性可抵抗state restoration攻击。该编译器可认为是Fiat-Shamir paradigm for public-coin IPs、Micali CS proof构建以及Valiant for PCPs的通用化。
• 提供了IOP的state-restoration可靠性分析。

An IOP为一个multi-round PCP, 将an interactive proof归纳概括为：
The verifier has oracle access to the prover’s messages, and may probabilistically query them (rather than having to read them in full).

A k-round IOP由k轮交互组成，第i轮交互的内容为：verifier给prover发送消息 $m_i$（verifier读取了完整的 $m_i$）；prover给verifier会应消息 $f_i$，verifier无需读取完整的 $f_i$，verifier可以在当轮及后续轮中对oracle proof string $f_i$进行query。经过k轮交互，verifier可决定是接受还是拒绝。
用于衡量IOP模型效率的三个主要维度为：

• proof length p：which is the total number of bits in all of the prover’s messages.
• query complexity q：the total number of locations queried by the verifier across all of the prover’s messages.
• round complexity k：PCP model可认为是k=1的特例，且the first verifier message为空。

相比于PCP， IOP的proof length可通过prover与verifier之间的交互大幅减少。

3.1.1 compiling proof systems into argument systems

The proof systems mentioned so far share a common feature: they make no assumptions on the computational resources of a (malicious) prover trying to convince the verifier. Instead, many proof systems make “structural” assumptions on the prover: MIPs assume that the prover is a collection of non-communicating strategies (each representing a “sub-prover”); PCPs assume that the prover is non-adaptive (the answer to a message does not depend on previous messages); linear IPs assume that the prover is a linear function; and so on. Prover端的这些structural assumptions在实际应用时很难强制执行。
Argument systems为proof systems的一种，argument systems的可靠性依赖于provers具有有限的计算资源computational resources，由统计学的可靠性转化为computational可靠性，可绕过IPs的各种限制，同时也可避免prover端的structural assumptions.
Random oracle model为理想的computationally-bounded prover模型，在random oracle model模型中，参与的每一方访问的均为同一个random function。
构建argument system主要分为两步：

• 1）give a proof system that achieves these properties in a model with structural restrictions on (all-powerful) provers;
• 2）use cryptographic tools to compile that proof system into an argument system, i.e., one where the only restriction on the prover is that it is an efficient algorithm.

NIROA：non-interactive random-oracle argument。

3.2 Reingold等人2016年论文

在Reingold等人2016年论文《Constant-Round Interactive Proofs for Delegating Computation》中，独立提出了与IOP概念类似的Probabilistically Checkable Interactive Proofs (PCIPs)。
PCIP as a two-step process: first, an interactive protocol is executed, where the verifier sends messages (which are merely random strings) to the prover, and receives in return messages from the prover. In the second step, the verifier queries just a few points in the transcript and input (without any further interaction with the prover), and decides whether to accept or reject.

4. Algebraic holographic proofs (AHPs)

Algebraic holographic proofs (AHPs)在IOPs的基础上做了以下两方面的调整：

• Holographic：verifier接收的不是input的明文，而是具有对a prescribed encoding of the input的oracle access。这对verifier有一个潜在的优势是：相比于读取完整的所有的input所花费的时间，verifier可以更快的速度完成验证。
• Algebraic：honest prover必须生成具有low-degree polynomials的oracles【这是完备性的要求】；所有的malicious provers有而必须生成具有low-degree polynomials的oracles【这是可靠性的放松要求】。给verifier的encoded input也必须为a low-degree polynomial。

非正式地，a (public-coin) AHP over a field F for an indexed relation R is specified by an indexer I, prover P, and verifier V的工作流程如下：

• Offline phase离线阶段：The indexer I receives as input the index $i$ to be preprocessed, and outputs one or more univariate polynomials over F encoding $i$.
• Online phase 在线阶段：For some instance $x$ and witness $w$, the prover P receives $(i, x,w)$ and the verifier V receives $x$; P and V interact over some (in this paper, constant) number of rounds, where in each round V sends a challenge and P sends one or more polynomials; after the interaction, $V(x)$ probabilistically queries the polynomials output by the indexer and the polynomials output by the prover, and then accepts or rejects.最关键的是，V不直接接收 $i$作为input，而是queries the polynomials output by I that encode $i$。这就能构建verifier V使其运行时间与 $|i|$次线性相关。
  

参考资料：
[1] 1985年论文《Trading group theory for randomness》
[2] 我的博客Arthur-Merlin protocol交互式知识证明系统
[3] 1989年论文《The knowledge complexity of interactive proof systems》
[4] 1991年论文《Checking computations in polylogarithmic time》
[5] 1998年论文《Probabilistic checking of proofs: a new characterization of NP》
[6] 1998年论文《Proof verification and the hardness of approximation problems》
[7] 2016年论文《Interactive Oracle Proofs》
[8] 2016年论文《Constant-Round Interactive Proofs for Delegating Computation》