Back to Computational Complexity
Back to notes

# IP = PSPACE

95%

In this note, we are going to prove that $\IP=\PSPACE$.

## Historical importance

$\IP=\PSPACE$ is one of the first nonrelativized results in the 90s. Recall that we say a complexity relation $A\subseteq B$ where $A$ and $B$ are complexity classes is

• relativized if we prove that $A\subseteq B$ and for any oracle $O$ such that $A^O\subseteq B^O$.
• nonrelatized if we prove that $A\subseteq B$ but there exists an oracle $O$ such that $A^O\not\subseteq B^O$.
• unrelativized if we don’t know how to prove $A\subseteq B$ and there exists oracles $O_1$ and $O_2$ such that $A^{O_1}\subseteq B^{O_1}$ but $A^{O_2}\not\subseteq B^{O_2}$.

The traditional complexity results using diagonalization are all relativized. In 1975, Baker, Gill, and Solovay showed that $\P$ versus $\NP$ probalem is unrelativized.

### Before Shamir proved IP=PSPACE

When the concept of interactive proof was introduced, people first believed that interaction only provides slightly improvement in the computation power. Fortnow and Sipser even conjectured that $\coNP\not\subseteq\IP$.

However, soon there were many progresses in showing the power of interactive proof and finally in 1990, Shamir showed that $\IP=\PSPACE$.

The important message of $\IP=\PSPACE$ is that first, it’s a nonrelatived results. Clearly that when given an say doubly exponential time oracle $O$, $\IP^O$ remains $\IP$ by its definition while $\PSPACE^O=\text{2-}\EXP$. By the time hierarchy theorem, the two won’t be the same.

Second, after the $\P$ versus $\NP$ nonrelativized result by Baker, Gill, and Solovay, some people turned to conjectur that with random oracles, the relation of complexity classes will hold. This is also known as the random oracle hypothesis. However, $\IP=\PSPACE$ turned out to be a counter example that refutes the random oracle hypothesis, see previous work for details.

### Algebrization

Algebrization, shor for algebraic relativization, is the third barrier of to progress on central complexity problems such as $\P$ versus $\NP$ problem. Introduced by Aaronson and Wigderson, algebrization captures the techniques involve in the proof of $\IP=\PSPACE$ and was further shown to be a dead end to prove $\P\neq\NP$.

## $\IP\subseteq\PSPACE$

This is the simple direction. Consider an $\IP$ protocol for language $L$ on input $x$, as the communications between prover and verifier are at most polynomially many and are all in polynomial length, the transcript can be written down in polynomial space. As one can enumerate all the randomnes and compute if the verifier accepts or not in polynomial space, one can compute the probability of the verifier to accept in polynomial space and thus can decide whether $x\in L$ in polynomial space.

## $\PSPACE\subseteq\IP$

Recall that $\TQBF$ is a $\PSPACE$-complete problem directly follows general Cook-Levin theorem. As a result, it is definitely the first playground for us to try to show that $\PSPACE\subseteq\IP$.

We consider the following $\TQBF$ definition that is easier to work with.

The decision problem $\TQBF$ is defined as $$\TQBF := \{\exists x_1\forall x_2\cdots\forall x_n\phi(x_1,x_2,\dots,x_n): \text{the formula is true} \}.$$

$\TQBF$ looks a bit too monstrous at first glance to work with. The following technique called arithmetization reduce $\TQBF$ to summation of the evaluation of a polynomial.

### Arithmetization

Given a quantified boolean formula $\psi=\exists x_1\forall x_2\cdots\forall x_n\phi(x_1,x_2,\dots,x_n)$, we arithmetize $\phi$, the non-quantized part of $\psi$, into a polynomial $f_{\phi}$ in the following way. Note that when we do not specify, $x$ and $X$ denote a vector of variables.

• For each variable $x_i$ in $\phi$, represent it as a new variable $X_i$ in the polynomial. In our mind, when $x_i$ is true, $X_i=1$ and when $x_i$ is false, $X_i=0$.
• For an $\wedge$ gate, e.g., $\phi_1(x)\wedge\phi_2(x)$, represent it as $f_{\phi_1}(X)\times f_{\phi_2}(X)$.
• For an $\vee$ gate, e.g., $\phi_1(x)\vee\phi_2(x)$, represent it as $(1-f_{\phi_1}(X))\times (1-f_{\phi_2}(X))$.

With the above arithmetization, one can see that

$\psi=\exists x_1\forall x_2\cdots\forall x_n\phi(x_1,x_2,\dots,x_n)\in\TQBF\Leftrightarrow \sum_{X_1\in\{0,1\}}\prod_{X_2\in\{0,1\}}\cdots\prod_{X_n\in\{0,1\}}f_{\psi}(X_1,\dots,X_n)>0.$

Note that $\exists$ is replaced with $\sum$ and $\forall$ is replaced with $\prod$.

### An $\IP$ protocol for $\sharp\SAT$

Before showing an $\IP$ protocol for $\TQBF$, let’s try a natural toy example first: showing $\sharp\SAT\in\IP$. By the arithmetization method, we know that certifying that a boolean formula $\phi$ has exactly $K$ solutions is equivalent to show that $\sum_{(X_1,\dots,X_n)\in\{0,1\}^{n}}f_{\phi}(X_1,\dots,X_n)=K$.

To design an $\IP$ protocol for $\sum_{(X_1,\dots,X_n)\in\{0,1\}^{n}}f_{\phi}(X_1,\dots,X_n)=K$, we need to take care of two things:

• (completeness) If $\sum_{(X_1,\dots,X_n)\in\{0,1\}^{n}}f_{\phi}(X_1,\dots,X_n)=K$, then there exists a prover that can efficiently convince a verifier with probability 1.
• (soundness) If $\sum_{(X_1,\dots,X_n)\in\{0,1\}^{n}}f_{\phi}(X_1,\dots,X_n)\neq K$, then any prover trying to cheat has constant probability to fail.

We use the following sumcheck protocol:

Setting: Suppose there are $n$ variables in $f(X_1,\dots,X_n)$ and the prover wants to convince the verifier that $\sum_{(X_1,\dots,X_n)\in\{0,1\}^{n}}f_{\phi}(X_1,\dots,X_n)=K$.

Idea: The verifier sequentially fixes the variables and checks if the prover can still certify his knowledge.

Sumchek protocol:

1. The prover send a large enough prime $p$ to the verifier and the verifier checks that $p$ is indeed a prime in polynomial time. Let $K_1=K$
2. At the $i$th round The prover send an univariate polynomial $s(X_i)$ to the verifier and the verifier checks if $s_i(0)+s_i(1)=K_i$. If not, the verifier outputs reject.
3. The verifier randomly picks $a_i\in\mathbb{F}_p$. Now the goal of the prover is to certify that $\sum_{(X_{i+1},\dots,X_n)\in\{0,1\}^{n-i+1}}f(a_1,\dots,a_i,X_{i+1},\dots,X_n)=s_i(a_i)$. Let $K_{i+1}=s_i(a_i)$ and go back to 2 if $i+1\neq n$.
4. At the $n$th round, the verifier simply checks if $p(a_1,\dots,a_{n-1},0)+p(a_1,\dots,a_{n-1},1)=K_{n}$. If so, the verifier outputs accept. If not, the verifier outputs reject.

Analysis: Let’s analyze the correctness of the above protocol. We want to show the following theorem.

The above sumcheck protocol has perfect completeness and constant soundness.

• (completeness) If $\sum_{(X_1,\dots,X_n)\in\{0,1\}^{n}}f_{\phi}(X_1,\dots,X_n)=K$

It’s easy to see that as long as the statement is correct, an honest prover can prove to the verifier with the above protocol.

• (soundness) If $\sum_{(X_1,\dots,X_n)\in\{0,1\}^{n}}f_{\phi}(X_1,\dots,X_n)\neq K$

Let’s prove the soundness inductively.

In the first round, if the prover successfully cheats the verifier, i.e., sends $\bar{s}_1$ such that $\bar{s}_1(0)+\bar{s}_1(1)=K_1$. Note that as $s_1(0)+s_1(1)\neq K_1$, $s_1\neq\bar{s}_1$. As a result, when the verifier randomly pick $a_1\in\mathbb{F}_p$, the probability of $\bar{s}_1(a_1)= s_1(a_1)$ is at most $\frac{d}{p}$, where $d$ is the degree of $f$. Thus, the probability that $\bar{s}_1(a_1)\neq s_1(a_1)$ is at least $(1-\frac{d}{p})$. More precisely,

$\mathbb{P}_{a_1\in\mathbb{F}_p}[\bar{s}_1(a_1)\neq s_1(a_1)|\bar{s}_1(0)+\bar{s}_1(1)\neq s_1(0)+s_1(1)]\geq 1-\frac{d}{p}.$

With the same reasoning, at the $i$th round, we have

$\mathbb{P}_{a_i\in\mathbb{F}_p}[\bar{s}_i(a_i)\neq s_i(a_i)|\bar{s}_i(0)+\bar{s}_i(1)\neq s_i(0)+s_i(1)]\geq 1-\frac{d}{p}.$

As $s_{i+1}(0)+s_{i+1}(1)=s_i(a_i)$ and $\bar{s}_{i+1}(0)+\bar{s}_{i+1}(1)=\bar{s}_i(a_i)$, we have

$\mathbb{P}_{a_{i+1}\in\mathbb{F}_p}[\bar{s}_{i+1}(a_{i+1})\neq s_{i+1}(a_{i+1})|\bar{s}_i(a_i)\neq s_i(a_i)]\geq 1-\frac{d}{p}.$

The probability that the verifier does not be cheated in the last round is:

\begin{align*} \mathbb{P}[P\text{ does not cheat }V]&\geq\mathbb{P}_{a_1,\dots,a_n\in\mathbb{F}_p}[\forall i\in[n], \bar{s}_i(a_i)\neq s_i(a_i)]\\
&=\mathbb{P}_{a_1}[\bar{s}_1(a_1)\neq s_1(a_1)]\\
&\cdot\prod_{i\in[n-1]}\mathbb{P}_{a_{i+1}}[\bar{s}_{i+1}(a_{i+1})\neq s_{i+1}(a_{i+1})|\bar{s}(a_i)\neq s_i(a_i)]\\
&\geq(1-\frac{d}{p})^n. \end{align*}

We conclude that when taking $p>2^n$, as for a boolean formula without any quantifier, the degree of its arithmetization is at most $3m$ where $m$ is the length of the formula. The probability that the malicious prover being caught is at least $(1-\frac{\poly(n)}{2^n})^{2^n}\geq 1/2$.

### An $\IP$ protocol for $\TQBF$

The major difference between $\sharp\SAT$ and $\TQBF$ is that the degree of the polynomial after arithmetization: in the $\sharp\SAT$ case, we can guarantee that the degree is polynomial in $n$ while in the $\TQBF$ case, the degree might become exponential in $n$ dual to the multiplication of the universal quantifier.

If one try to enlarge the size of the finite field we are working on, then the prime $p$ should be doubly exponentially in $n$ which require exponentially many bits to record. Thus, we need to find some way to reduce the degree of the polynomial after the arithmetization.

A key observation is that as we encode boolean variable by 0/1, for variable $X_i$, $X_i^k=X_i$ for any $k\in\N$. That is, we can actually transform any polynomial into a multilinear polynomial, i.e., in every variable appears at most once in each monomials. As a result, the degree can be maintained to be at most $n$. As a result, the protocol for $\TQBF$ introduces a new quantifier $L_i$ working as follows:

$$L_i f = x_i f(x_1,\dots 1,\dots,x_n) + (1-x_i) f(x_1,\dots,0,\dots,x_n).$$

One can see that after applying $L-i$, the degree of $x_i$ in the polynomial will become at most 1. Thus, in our $\TQBF$ protocol, the prover is trying to prove the following boolean formula:

$$\psi=\exists x_n\cdots L_nL_{n-2}\cdots L_3\forall x_{n-1}\cdots L_nL_{n-1}\cdots L_2\forall x_1\phi(x_1,\dots,x_n).$$

Similar to the protocol for $\sharp\SAT$, the prover is going to fix variables with random instance in $\mathbb{P}$ one by one from $X_1$. The only difference is that when we encounter universal quantifier, the verifier need to multiply $s_i(0)$ and $s_i(1)$ instead of add them in the existential case. As to encountering the $L_i$ quantifier, the verifier need to evaluate $a_i f(\dots,1,\dots)+(1-a_i)f(\dots,0,\dots)$.