How proofs are prepared at Camelot Andreas Bjrklund Petteri Kaski - PowerPoint PPT Presentation

How proofs are prepared 
 at Camelot Andreas Björklund Petteri Kaski Lund University Aalto University Fine-Grained Complexity and Algorithm Design Reunion Simons Institute, UC Berkeley 15 December 2016

Fine - grained design and analysis of proof systems ➤ Nondeterministic strong exponential-time hypothesis 
 (Carmosino, Gao, Impagliazzo, 
 Mihajlin, Paturi, Schneider 2016) 
 –– fine-grained design & analysis with a 
 deterministic verifier 
 ➤ Merlin–Arthur proofs of batch evaluation 
 (Williams 2016) 
 –– fine-grained design & analysis with a 
 randomized verifier 
 –– SETH breaks with Merlin and Arthur

(Noninteractive) proofs Claim [Clipart: Merlin] [Clipart: Arthur] Proof Prover Verifier

Completeness, (probabilistic) soundness, 
 ease of verification Claim [Clipart: Merlin] [Clipart: Arthur] Proof Prover Verifier

SETH fails with Merlin and Arthur 
 (Williams 2016) Claim (#CNFSAT): 
 “This n-variable 
 CNF-formula φ has exactly A satisfying assignments” [Clipart: Merlin] [Clipart: Arthur] Proof string P φ 
 of length O*(2 n/2 ) Runs in time O*(2 n/2 ), always accepts correct proof, rejects bad proof w.h.p.

But what if Merlin is taking [Clipart: Arthur panic] a vacation? (How powerful does the prover need to be?)

Interactive proofs for muggles 1 [Goldwasser, Kalai, Rothblum 2015] Claim [Clipart: 
 Polynomial-time [Clipart: lower- prover] polynomial-time verifier] … Prover Verifier 1 In the fiction of J. K. Rowling : a person who possesses no magical powers (Oxford English Dictionary)

[Clipart: Merlin] [Clipart: Arthur] [Clipart: Merlin] [Clipart: Arthur] [Clipart: Arthur] [Clipart: Arthur]

K Knights prepare the proof, in parallel (+ any single Knight can verify the proof, probabilistically, 
 using about the same effort that he put into the preparation) Claim [Clipart: Knights around the Round Table of Camelot] [Clipart: Arthur] Proof

Modern computers are parallel Titan (Oak Ridge) 
 #3 top500.org Courtesy of 
 Oak Ridge National Laboratory, 
 U.S. Department of Energy. Image in the public domain. (18,688 GPUs, 50,233,344 cores)

Modern computers make (some) errors [Figure 2 from Tiwari et al .] [Clipart: 
 faulty prover] Tiwari et al . Supercomputing’15

Proof preparation Courtesy of 
 Oak Ridge National Laboratory, 
 U.S. Department of Energy. Image in the public domain. Preparation takes place in parallel Errors may occur

Proof verification Can error-correct proof ? Always accept good proof Reject bad proof w.h.p.

What is the overhead for parallel proof preparation and error-tolerance ? (Compared with best sequential algorithm 
 that just solves the problem 
 on error-free hardware)

“Camelot” KE = Õ(T) [Clipart: Knights around the Round Table of Camelot] T = best known sequential runtime K = number of Knights E = effort (runtime) of each Knight

“Camelot” algorithms for e.g. Permanent, #Hamiltonian cycles, #Orthogonal vectors, … 
 are implicit in Williams (2016) [Björklund & K. 2016]: Replace Merlin with mere Knights 
 + 
 more “Camelot” algorithms e.g. #k-clique, #triangles, #Graph Coloring, …

Example: “Camelot” algorithm for #6-clique 
 (Björklund & K. 2016) KE = Õ(T) T = O(n 2 ω + ε ) for any constant ε >0 
 [Clipart: Knights around the Round Table of Camelot] = best known sequential runtime 
 (Ne š et ř il & Poljak 1985) 
 K = O(n ω + ε ’ ) = number of Knights E = Õ(n ω + ε ’ ) = effort of each Knight for any constant ε ’>0 
 ω = lim n → ∞ (log rk 0 <n,n,n>)/(log n)

G Proof [Clipart: Knights around the Round Table of Camelot] ( ξ 1 ,p G ( ξ 1 )), ( ξ 2 ,p G ( ξ 2 )), …, ( ξ K ,p G ( ξ K )) The proof is a list of K evaluations of 
 a degree d univariate polynomial p G (x) (modulo q, for 3 distinct primes q, with q ≥ d+1) K ≥ d+1 d = ϴ (n ω + ε ’ ) Effort to evaluate p G (x) at a given point x= ξ : E = Õ(n ω + ε ’ )


 To design a Camelot algorithm is 
 to design 
 (i) the low-degree proof polynomial p G (x), and 
 (ii) a fast algorithm for computing p G ( ξ ) 
 given x= ξ and G as input Error-correcting the proof : Reed-Solomon decoding 
 (using Gao’s (2003) fast decoder) 
 Proof verification : Polynomial identity testing 
 (using (ii) to randomly access the true polynomial)

Near-linear-time toolbox for univariate polynomials Addition • Multiplication • Division (quotient and remainder) • Batch evaluation (at d+1 given points) • Interpolation (from d+1 given evaluations) • Extended Euclid (gcd) • Õ(d) operations for inputs of degree at most d [These algorithms are practical]

Fast interpolation from (partly) erroneous data Interpolation of degree d polynomial 
 • from K given evaluations, 
 when at most (K – d – 1)/2 
 evaluations are in error Runs in Õ(K) operations, uses –– one (error-free) interpolation 
 –– one extended Euclid 
 –– one division [This is a practical algorithm] (Gao 2003)

To design a Camelot algorithm is 
 to design 
 (i) the low-degree proof polynomial p G (x), and 
 (ii) a fast algorithm for computing p G ( ξ ) 
 given x= ξ and G as input p G (x) for #6-cliques ?

The 15-linear form (~ #6-cliques) • Let χ be an N × N matrix � 6 � • We seek to compute the -linear form 2 X 2 ) = X ( χ ab χ ac χ ad χ ae χ a f χ bc χ bd χ be χ b f χ cd χ ce χ c f χ de χ d f χ e f 6 a,b,c,d,e,f c b • A direct evaluation takes O ( N 6 ) operations d a e f

Ne š et ř il & Poljak (1985) algorithm • Neˇ setˇ ril and Poljak (1985) observe that we can precompute the three N 2 × N 2 matrices U ab,cd = � ab � ac � ad � bc � bd f = � ae � a S ab,e f � be � b f � e f f = � cd � ce � c T cd,e f � de � d f and then use fast matrix multiplication to compute X X 2 ) = V ab,cd = X ( U ab,cd V ab,cd , S ab,e f T cd,e 6 f a,b,c,d e,f • This takes O ( N 2 ! + ✏ ) operations for any constant ✏ > 0

New evaluation formula (Björklund & K. 2016) Ne š et ř il & Poljak (1985) formula appears not to split naturally 
 • into O(N ω + ε ) parts with O(N ω + ε ) effort each 
 We want such a formula –– ideally it should be a simple sum 
 • of O(N ω + ε ) terms, with O(N ω + ε ) effort to prepare each term 
 Such a formula exists, and it extends to a univariate proof • polynomial P(x) …

Trilinear decomposition of <N,N,N> • For d, e, f = 1 , 2 , . . . , N and r = 1 , 2 , . . . , R let ↵ de ( r ) , � e f ( r ) , � d f ( r ) be integers that satisfy the polynomial identity R ✓X ◆✓X ◆✓X ◆ X X f = ↵ de 0 ( r ) u de 0 f 0 ( r ) v e � d 0 f ( r ) w d 0 f u de v e f w d � e f 0 r =1 d,e,f d,e 0 e,f 0 d 0 ,f • We can assume that R = O ( N ! + ✏ ) for an arbitrary constant ✏ > 0 • Furthermore, the N 2 × R matrices ↵ , � , � are Kronecker powers of matrices of size O (1) Example: 1 0 0 1 -1 0 1 1 1 0 -1 0 1 0 1 0 1 0 1 -1 0 Strassen’s 4 x 7 0 0 1 0 1 0 0 0 0 1 0 0 1 0 0 0 0 0 1 0 1 γ 0 = α 0 = β 0 = trilinear 
 0 1 0 1 0 0 0 0 1 0 0 0 1 0 0 0 0 1 0 0 1 decomposition 1 -1 1 0 0 1 0 1 1 0 1 0 0 -1 1 0 -1 0 1 0 1 of <2,2,2>

New evaluation formula (Björklund & K. 2016) • For each r = 1 , 2 , . . . , R , compute, using fast matrix multiplication, X X α de 0 ( r ) χ ae 0 χ de 0 , H ad ( r ) = A ab ( r ) = χ ad χ bd H ad ( r ) , e 0 d X X f 0 , K be ( r ) = f 0 ( r ) χ b B bc ( r ) = χ be χ ce K be ( r ) , β e f 0 χ e e f 0 X X f ( r ) = γ d 0 f ( r ) χ cd 0 χ d 0 f , C ac ( r ) = f ( r ) L c χ a f χ c f L c d 0 f • Finally, compute, again using fast matrix multiplication, X X Q ab ( r ) = χ ac χ bc B bc ( r ) C ac ( r ) , P ( r ) = χ ab A ab ( r ) Q ab ( r ) c a,b • Each term P ( r ) takes O ( N ! + ✏ ) operations to compute

New evaluation formula (Björklund & K. 2016) Extension to “Camelot”: 
 The integer values P(r) extend to a degree-at-most 3R polynomial P(x) 
 2 ) = P R r =1 P ( r ) • Theorem. X ( 6 that admits, using Yates’s (1937) algorithm, an evaluation algorithm 
 that for a given x 0 computes P(x 0 ) mod q in O(N ω + ε ) operations mod q • Proof. R R X X X P ( r ) = χ ab χ ac χ bc A ab ( r ) B bc ( r ) C ac ( r ) r =1 r =1 a,b,c R X X X X X = α de 0 ( r ) χ ad χ ae 0 χ bd χ de 0 f 0 ( r ) χ be χ b γ d 0 f ( r ) χ a χ ab χ ac χ bc β e f 0 χ ce χ e f χ cd 0 χ c f χ d 0 f f 0 r =1 a,b,c d,e 0 e,f 0 d 0 ,f, R ✓X ◆✓X ◆✓X ◆ X X = α de 0 ( r ) χ ad χ ae 0 χ bd χ de 0 f 0 ( r ) χ be χ b γ d 0 f ( r ) χ a χ ab χ ac χ bc β e f 0 χ ce χ e f χ cd 0 χ c f χ d 0 f f 0 r =1 a,b,c d,e 0 e,f 0 d 0 ,f X X = χ ab χ ac χ bc χ ad χ ae χ a f χ bd χ be χ b f χ cd χ ce χ c f χ de χ d f χ e f a,b,c d,e,f