princeton university

cos 522: computational complexity

Lecture 13: PCP (Probabilistically Checkable Proofs)

Lecturer: Sanjeev Arora

Scribe:Nir Ailon

Definitions

In the traditional view of N P , we had the following players: an input x, a certificate (a proof)
and a poly-time verifier V , s.t.:
x L .V (x) = 1
x
/ L .V (x) = 0,
where V denotes a verifier with access to .
An (r(n), q(n))-restricted verifier is a randomized verifier with access to at most O(r(n)) random
bits and at most O(q(n)) bits of the proof. In other words, the verifier cannot access the entire proof,
like it can in the classic N P definition, but only a restricted window. It can query at most O(q(n))
positions in the proof, it can choose the positions, and it has O(r(n)) coin flips at its disposal. It
turns out, that querying even a small snippet of the proof suffices to give the verifier surprising
power. This will be formulated below as the P CP theorem. We start with a definition of a family
of complexity classes:
Definition 1 P CP (r(n), q(n)) is the class of all languages accepted by an (r(n), q(n))-restricted
verifier V in the following sense:
x L . Pr[V (x) = 1] = 1
1
x
/ L . Pr[V (x) = 0)
2
One can add the notion of adaptive vs. nonadaptive verifiers: an adaptive verifier can decide at
each moment which bit to query based on the history of computation before that moment, and a
nonadaptive selects its queries in advance. Basically, nonadaptive is general enough.

Observations
1. P CP (r(n), q(n)) N T IM E(2O(r(n)) q(n)). Proof: If V is a verifier for L P CP (r(n), q(n)),
then without loss of generality, we can assume that the proof has at most 2O(r(n)) q(n)
bits - q(n) bits accounted for any possible outcome of the coin flips. Instead of performing a
P CP verification, the verifier can treat as a usual witness and simply simulate all possible
outcomes of coin flips and calculate the probability of accepting. If the probability is 1 then
output accept else output reject.
2. N P = P CP (0, poly(n)) =

c>0

P CP (0, nc ).

3. coRP = P CP (poly(n), 0).

4. GRAPH-NONISOMORPHISM P CP (poly(n), 1). Proof: Say the input to a yes instance of GRAPH-NONISOMORPHISM is x = {G1 , G2 }, where G1 , G2 have both n nodes.
contains, for each labelled graph H with n nodes, a bit 0/1 corresponding to whether H is

isomorphic to G1 or to G2 (an arbitrary bit for neither case). In other words, is an array of
bits indexed by some encoding of the graph H.
The verifier picks G1 or G2 at random, together with a random permutation. She applies
the permutation to the vertices of the chosen graph to obtain an isomorphic graph, H, and
queries the corresponding bit of . If the query bit corresponds to the choice of G1 /G2 , then
she outputs success, otherwise failure.
If G1 and G2 are indeed non-isomorphic, then for the constructed above, every query for
which H G1 returns a 0 bit, and every query for which H G2 returns a 1 bit. If G1 and
G2 are isomorphic, then for any proof the query bit will correspond to the index of the
randomly chosen graph with probability 21 , as required.
5. P ERM P CP (poly(n), poly(n)). Proof: Exercise.

The P CP theorem and its implication to approximation

The P CP theorem [AS 92, ALMSS 92] is

Theorem 1
N P = P CP (log n, 1).
Note: Hastaad proved the following stronger result: N P equals P CP with O(log n) random bits
and exactly 3 query bits.
The P CP theorem gives a new surprising characterization for N P , but the main interest in it
lies in its implication to hardness results for approximating N P -hard problems. This motivation is
explained in the following example. MAX-3SAT is the problem of finding, given a 3-CNF boolean
formula as input, an assignment that maximizes the number of satisfied clauses. This problem is of
course N P -hard, because the corresponding decision problem, 3SAT, is N P -complete.
Definition 2 An algorithm computes an -approximation to MAX-3SAT if it computes (in polynomial time) for every instance an assignment that satisfies at least OP T () clauses.
The P CP theorem implies
Corollary 2
There exists a > 0 s.t. (1 + )-approximation to MAX-3SAT is N P -hard.
Proof: Let L be any N P -complete language, let V be a verifier for L, and let a proof queried by
V (in the P CP (log n, 1) sense). For every possible outcome r of the O(log n) random bits, V queries
3 bits from . If we consider the bits of as variables, then V queries the variables xr1 , xr2 , xr3 . Then
it does some computation on these variables, whose outcome is expressible by a 3-CNF formula with
a bounded number of clauses (any boolean function in 3 variables can be expressed using 23 = 8
clauses). Denote this 3-CNF formula by r . Consider the boolean formula
^
=
r
r

in the variables of . The P CP theorem tells us that if x L, then is satisfiable, i.e., all its
clauses can be satisfied. On the other hand, for x
/ L, any proof is such that at least 21 of
the possible queries result in rejection. In other words, for any assignment for , at least 12 of the
1
of
expressions {r } are not satisfied. Since each r has at most 8 clauses, we get that at least 16
the clauses of are unsatisfied.

To make the proof complete, we have to make sure that computing from x can be done in
polynomial time. This proves that it is N P -hard to distinguish between satisfiable 3-CNF formulas
and 3-CNF formulas with at most fraction 15
16 of the clauses satisfiable. In particular, it is N P -hard
-approximation
to
MAX-3-SAT.

to compute a 16
15
Remark: The P CP theorem gives us a new reduction for languages in N P which has the property
of robustness. In the classic Cook-Levin reduction, computations of a Turing machine are encoded
as CNF formulas. If a verifier does not actually check all the clauses of this formula, then a prover
can fool it to believe that for a x
/ L there is an accepting computation. This is true because
it is the same as saying that by slightly changing a Turing machine computation, a non accepting
computation can be diverted into an accepting one. So a verifier that checks only a few windows
of computation will be fooled with very high probability. This does not happen in the reduction
described in the above proof.

Towards proving the P CP theorem

The nontrivial part is, of course, N P P CP (log n, 1). It suffices to show that 3SAT P CP (log n, 1).
Instead of using the usual certificate for satisfiablity of a boolean 3CNF formula , i.e., the satisfying
assignment, we will apply any algebraic transformation to the instance of the problem such that a
certificate will be a multivariate polynomial.
We start with some definitions.
Definition 3 A monomial is an expression of the form axd11 xd22 ...xdmm , where a is from some ground
field
F , x1 ..xm are formal variables and d1 ..dm are positive integers. The degree of the monomial
Pm
is i=1 di . A polynomial is a sum of monomials. The degree of a polynomial is the degree of its
highest-degree monomial.
In what follows we consider only finite fields, i.e. F = GF (q) for q a power of some prime.
Lemma 3
(Schwartz-Zippel) If a degree d polynomial p over F = GF (q) is nonzero, then
d
Pr[p(a1 ..am ) 6= 0] 1 ,
q
where the probability is over all choices of a1 ..am F .
Proof: By induction on the number of variables in p. If p is of degree 0 (p is a constant 6= 0) then
the above probability is trivially 1. If there is one variable, then it is a well known fact that p has
at most d zeroes. Therefore,
d
Pr [p(a) 6= 0] 1 .
aF
q
Assume the statement is true for polynomials with up to m1 variables, and let p be a polynomial
in m variables x1 ..xm . For each possible assignment am F for the single variable xm , Let p|xm =am
be the polynomial that is obtained by the substitution. The polynomial p|xm =am is in m1 variables
x1 , .., xm1 and has degree at most d. By the induction hypothesis,
Pr

a1 ,..,am1 F

d
[p|xm =am (a1 , .., am1 ) 6= 0] 1 .
q

Therefore,
Pr

a1 ..am F

[p(a1 , ..., am ) 6= 0] = Eam F [

Pr

a1 ..am1 F

d
q

[p|xm =am (a1 , .., am1 ) 6= 0]]

as required.
The Schwartz-Zippel lemma is the source of robustness for the reduction that will be constructed.