Notes on Complexity Theory Last updated: October, 2011

Lecture 17

Jonathan Katz

1 Graph Non-Isomorphism is in AM

The proof system we showed earlier for graph non-isomorphism relied on the fact that the verifier's coins are kept hidden from the prover. Is this inherent? Somewhat surprisingly, we now show a public-coin proof for graph non-isomorphism. Before doing so, we take a brief detour to discuss pairwise-independent hash functions (which are useful in many other contexts as well).

1.1 Pairwise-Independent Hash Functions

Fix some domain $D$ and range $R$. Let $H = \{h_k\}_{k \in K}$ be a family of functions, where each $k \in K$ defines a function $h_k : D \to R$. We say that $H$ is a pairwise-independent family¹ if for all distinct $x, x' \in D$ and all (not necessarily distinct) $y, y' \in R$ we have

$$\Pr_{k \leftarrow K}\left[h_k(x) = y \wedge h_k(x') = y'\right] = 1/|R|^2.$$

Put differently, let $D = \{x_1, \ldots, x_\ell\}$ and consider the random variables $Y_i = h_K(x_i)$ (where $K$ is uniform). If $H$ is pairwise independent then each $Y_i$ is uniformly distributed, and moreover the random variables $Y_1, \ldots, Y_\ell$ are pairwise independent; i.e., for any $i \neq j$ the random variables $Y_i$ and $Y_j$ are independent.

We show a simple construction of a pairwise-independent family for $D = R = \mathbb{F}$, where $\mathbb{F}$ is any finite field. Setting $\mathbb{F} = GF(2^n)$, and viewing strings of length $n$ as field elements, we obtain a construction with $D = R = \{0,1\}^n$. By truncating the output, we obtain a construction with $D = \{0,1\}^n$ and $R = \{0,1\}^\ell$ for any $n \geq \ell$. By padding the input with 0s, we obtain a construction for any $\ell \geq n$.

Fix $D = R = \mathbb{F}$ and let $H = \{h_{a,b}\}_{a,b \in \mathbb{F}}$ where $h_{a,b}(x) = ax + b$. We claim that $H$ is pairwise independent. Indeed, fix any distinct $x, x' \in \mathbb{F}$ and any $y, y' \in \mathbb{F}$, and consider the probability (over choice of $a, b$) that

$$\begin{aligned} y &= ax + b \\ y' &= ax' + b. \end{aligned}$$
Using some basic algebra, we see that the above equations are true iff

$$\begin{aligned} a &= (y - y') \cdot (x - x')^{-1} \\ b &= y - (y - y') \cdot (x - x')^{-1} \cdot x. \end{aligned}$$

(Note that the above rely on the fact that $x \neq x'$.) Since $x, x', y, y'$ are fixed, the right-hand sides of the above equations are some fixed elements in $\mathbb{F}$; hence, the probability that $a, b$ satisfy both equations is exactly $1/|\mathbb{F}|^2$ as required.

¹ Frequently, terminology is abused and $h_k \in H$ is called a pairwise-independent hash function. Formally, it only makes sense to speak about pairwise independent families of functions.
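The construction $h_{a,b}(x) = ax + b$ over $GF(2^n)$ can be implemented and its pairwise independence checked exhaustively on a small field. This is an added example, not part of the lecture notes; the reduction polynomials, the function names, and the choice of $n = 4$ for the exhaustive check are assumptions made for the illustration.

```python
# Added example, not from the lecture notes. The field sizes and reduction
# polynomials are assumptions chosen for this illustration.
import secrets
from collections import Counter
from itertools import permutations

# Irreducible polynomials over GF(2) as bit masks (x^n term included).
IRREDUCIBLE = {4: 0b10011, 8: 0b100011011}  # x^4+x+1 and x^8+x^4+x^3+x+1


def gf_mul(a, b, n):
    """Multiply a and b in GF(2^n): shift-and-add with modular reduction."""
    poly, result = IRREDUCIBLE[n], 0
    while b:
        if b & 1:
            result ^= a          # addition in GF(2^n) is XOR
        b >>= 1
        a <<= 1
        if a >> n:               # degree reached n, reduce by the modulus
            a ^= poly
    return result


def keygen(n):
    """Sample a uniform key k = (a, b) from F x F using the OS CSPRNG."""
    return secrets.randbelow(1 << n), secrets.randbelow(1 << n)


def h(key, x, n, out_bits=None):
    """h_{a,b}(x) = a*x + b over GF(2^n), optionally truncated to out_bits."""
    a, b = key
    y = gf_mul(a, x, n) ^ b
    return y if out_bits is None else y & ((1 << out_bits) - 1)


def is_pairwise_independent(n, out_bits=None):
    """Check Pr_k[h_k(x)=y and h_k(x')=y'] = 1/|R|^2 for every x != x'."""
    size = 1 << n
    r = size if out_bits is None else 1 << out_bits
    per_cell = size * size // (r * r)    # keys expected per (y, y') pair
    keys = [(a, b) for a in range(size) for b in range(size)]
    for x, x2 in permutations(range(size), 2):
        counts = Counter((h(k, x, n, out_bits), h(k, x2, n, out_bits))
                         for k in keys)
        if len(counts) != r * r or set(counts.values()) != {per_cell}:
            return False
    return True
```

The check enumerates all $|\mathbb{F}|^2$ keys for every ordered pair of distinct inputs, so it is only feasible for small $n$; it also confirms that truncating the output preserves pairwise independence.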

For applications, what we actually need are ways to construct pairwise-independent families on, say, $\{0,1\}^n$ for some given $n$. In that case we actually want an efficient probabilistic algorithm that, given $n$, outputs a key $k$ that, in turn, defines a function $h_k : \{0,1\}^n \to \{0,1\}^n$ that is efficiently computable. The construction given above satisfies this, though it is not entirely trivial to show this. (In particular, we need to use the fact that we can efficiently generate, and manipulate elements of, $GF(2^n)$.)

1.2 An AM Protocol for Graph Non-Isomorphism

We begin by introducing some more notation. For an $n$-vertex graph $G$ (represented as an adjacency matrix), consider the (multi-)set $\mathrm{all}(G) = \{\pi_1(G), \ldots, \pi_{n!}(G)\}$ of all permuted versions of $G$. This is indeed a multi-set (in general) since it is possible that $\pi_i(G) = \pi_j(G)$ even when $\pi_i \neq \pi_j$. For example, consider the 3-vertex graph $G$ in which there is a single edge $(1, 2)$. Considering the 6 possible permutations on the labels of the vertices, we see that $\pi = (12)(3)$ maps $G$ to itself, even though $\pi$ is not the identity permutation. On the other hand, $\pi' = (13)(2)$ maps $G$ to a graph isomorphic, but not identical, to $G$.

Let $\mathrm{aut}(G) = \{\pi \mid \pi(G) = G\}$; these are the automorphisms of $G$. (Note that $\mathrm{aut}(G)$ is never empty, since the identity permutation is always in $\mathrm{aut}(G)$.) Let $\mathrm{iso}(G)$ be the set (not multi-set) $\{\pi(G) \mid \pi \text{ is a permutation}\}$. We claim that for any $n$-vertex graph $G$ we have:

$$|\mathrm{aut}(G)| \cdot |\mathrm{iso}(G)| = n!.$$

The reason is that our original multi-set $\mathrm{all}(G)$ has exactly $n!$ elements in it, but each graph in $\mathrm{iso}(G)$ appears exactly $|\mathrm{aut}(G)|$ times in $\mathrm{all}(G)$ (because $|\mathrm{aut}(G)| = |\mathrm{aut}(\pi(G))|$ for any permutation $\pi$).

We now have the ideas we need to describe the proof system. Given graphs $(G_0, G_1)$, define the set $W$ as follows:

$$W = \left\{ (H, \sigma) \;\middle|\; H \text{ is isomorphic to either } G_0 \text{ or } G_1 \text{ and } \sigma \in \mathrm{aut}(H) \right\}.$$

Note that if $G_0 \cong G_1$, then $H$ is isomorphic to $G_0$ iff it is isomorphic to $G_1$; also, the number of automorphisms of any such $H$ is exactly $|\mathrm{aut}(G_0)|$. So the size of $W$ is exactly $|\mathrm{iso}(G_0)| \cdot |\mathrm{aut}(G_0)| = n!$. On the other hand, if $G_0 \not\cong G_1$ then the graphs isomorphic to $G_0$ are distinct from those graphs isomorphic to $G_1$. So the size of $W$ in this case is

$$|\mathrm{iso}(G_0)| \cdot |\mathrm{aut}(G_0)| + |\mathrm{iso}(G_1)| \cdot |\mathrm{aut}(G_1)| = 2n!.$$

So, $|W \times W| = (n!)^2$ if $G_0 \cong G_1$ and $|W \times W| = 4 \cdot (n!)^2$ if $G_0 \not\cong G_1$. Furthermore, it is possible to prove membership in $W$ by giving an isomorphism to either $G_0$ or $G_1$ (the automorphism can be verified in polynomial time).

The above suggests the following proof system:

1. On common input $(G_0, G_1)$, define $W \times W$ as above. (Arthur obviously cannot construct $W \times W$, but all it needs to do is compute the upper bound $4(n!)^2$ on its size.) Let $m = \log 4(n!)^2$, and note that $m$ is polynomial in the input size $n$.

2. Arthur selects a random $h$ from a pairwise-independent family, where $h$ maps strings of the appropriate length (which will become obvious in a minute) to $\{0,1\}^m$. It sends $h$ to Merlin.

3. Merlin finds an $x \in W \times W$ such that $h(x) = 0^m$ (if one exists). It sends this $x$ to Arthur, along with a proof that $x \in W \times W$.

4. Arthur outputs 1 if $x \in W \times W$ and $h(x) = 0^m$.

We now analyze the above. Say $(G_0, G_1)$ are isomorphic. Then $|W \times W| = (n!)^2$ and so

$$\Pr_h\left[\exists x \in W \times W : h(x) = 0^m\right] \leq \sum_{x \in W \times W} \Pr_h\left[h(x) = 0^m\right] = (n!)^2 \cdot 2^{-m} = 1/4,$$

and so Merlin convinces Arthur only with probability at most $1/4$. On the other hand, if $G_0 \not\cong G_1$ then $|W \times W| = 4(n!)^2$ and we can bound the desired probability as follows:

$$\begin{aligned} \Pr_h\left[\exists x \in W \times W : h(x) = 0^m\right] &\geq \sum_{x \in W \times W} \Pr_h\left[h(x) = 0^m\right] - \frac{1}{2} \cdot \sum_{\substack{x, y \in W \times W \\ x \neq y}} \Pr_h\left[h(x) = 0^m \wedge h(y) = 0^m\right] \\ &> 1 - \frac{1}{2} \cdot \left(4(n!)^2\right)^2 \cdot \left(2^{-m}\right)^2 = \frac{1}{2}, \end{aligned}$$

using the inclusion-exclusion principle for the first inequality, and relying on pairwise independence in the second step. (A better bound can be obtained using Chebyshev's inequality.)

The above does not have perfect completeness, but we have seen before that this can be fixed.

1.3 Evidence that Graph Isomorphism is not NP-Complete

Let $\mathsf{GI}$ be the language of graph isomorphism, and $\mathsf{GNI}$ be the language of graph non-isomorphism. In the previous section we showed $\mathsf{GNI} \in \mathsf{AM}$. This gives evidence that $\mathsf{GI}$ is not NP-complete.

Theorem 1 If $\mathsf{GI}$ is NP-complete, then the polynomial hierarchy collapses (specifically, $\mathsf{PH} = \Sigma_2$).

Proof We first observe that $\mathsf{AM} \subseteq \Pi_2$ (why?). Now, assume $\mathsf{GI}$ is NP-complete. Then $\mathsf{GNI}$ is coNP-complete and hence (since $\mathsf{GNI} \in \mathsf{AM}$) we have $\mathsf{coNP} \subseteq \mathsf{AM}$. We show that this implies $\Sigma_2 \subseteq \mathsf{AM} \subseteq \Pi_2$ and hence $\mathsf{PH} = \Sigma_2$.

Say $L \in \Sigma_2$. Then by definition of $\Sigma_2$, there is a language $L' \in \Pi_1 = \mathsf{coNP}$ such that: (1) if $x \in L$ then there exists a $y$ such that $(x, y) \in L'$, but (2) if $x \notin L$ then for all $y$ we have $(x, y) \notin L'$. This immediately suggests the following proof system for $L$:

1. Merlin sends $y$ to Arthur.

2. Arthur and Merlin then run an $\mathsf{AM}$ protocol that $(x, y) \in L'$ (this is possible precisely because $L' \in \mathsf{coNP} \subseteq \mathsf{AM}$).

The above is an $\mathsf{MAM}$ proof system for $L$. But, as we have seen, this means there is an $\mathsf{AM}$ proof system for $L$. Since $L \in \Sigma_2$ was arbitrary this means $\Sigma_2 \subseteq \mathsf{AM}$, completing the proof.
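The counting argument behind the protocol of Section 1.2 ($|\mathrm{aut}(G)| \cdot |\mathrm{iso}(G)| = n!$, and $|W| = n!$ versus $2n!$) can be checked by brute force on small graphs. This is an added example, not part of the lecture notes; the graph representation, the function names, and the 4-vertex sample graphs are assumptions made for the illustration.

```python
# Added example, not from the lecture notes. The sample graphs are constructed
# here; vertices are numbered from 0 rather than 1.
from itertools import permutations


def make_graph(edges):
    """Represent an undirected graph as a frozenset of 2-element frozensets."""
    return frozenset(frozenset(e) for e in edges)


def permute(graph, pi):
    """Return pi(G): relabel every vertex v as pi[v]."""
    return frozenset(frozenset(pi[v] for v in edge) for edge in graph)


def iso(graph, n):
    """iso(G): the set (not multi-set) of graphs pi(G)."""
    return {permute(graph, pi) for pi in permutations(range(n))}


def aut(graph, n):
    """aut(G): all permutations pi with pi(G) = G."""
    return [pi for pi in permutations(range(n)) if permute(graph, pi) == graph]


def build_w(g0, g1, n):
    """W = {(H, sigma) : H isomorphic to G0 or G1, sigma in aut(H)}."""
    return {(hg, sigma)
            for hg in iso(g0, n) | iso(g1, n)
            for sigma in aut(hg, n)}


# The 3-vertex graph with a single edge from the text (edge (1,2) -> (0,1)).
SINGLE_EDGE = make_graph([(0, 1)])
# Constructed 4-vertex samples: a path, a relabelled copy of it, and a star.
PATH = make_graph([(0, 1), (1, 2), (2, 3)])
PATH_RELABELLED = make_graph([(2, 0), (0, 3), (3, 1)])
STAR = make_graph([(0, 1), (0, 2), (0, 3)])

if __name__ == "__main__":
    print(len(aut(SINGLE_EDGE, 3)), len(iso(SINGLE_EDGE, 3)))
    for g1 in (PATH_RELABELLED, STAR):
        w = build_w(PATH, g1, 4)
        print(len(w), len(w) ** 2)   # |W| and |W x W|
```

The factor-of-4 gap in $|W \times W|$ between the isomorphic pair and the non-isomorphic pair is what the hash-based set-size test in steps 2 to 4 of the protocol detects.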