How proofs are prepared at Camelot Andreas Bjrklund Petteri Kaski - - PowerPoint PPT Presentation

How proofs are prepared 
 at Camelot

Fine-Grained Complexity and Algorithm Design Reunion Simons Institute, UC Berkeley 15 December 2016

Petteri Kaski Aalto University Andreas Björklund Lund University

Fine-grained design and analysis of proof systems

➤ Nondeterministic strong exponential-time hypothesis 


(Carmosino, Gao, Impagliazzo, 
 Mihajlin, Paturi, Schneider 2016)
 –– fine-grained design & analysis with a
 deterministic verifier


➤ Merlin–Arthur proofs of batch evaluation


(Williams 2016)
 –– fine-grained design & analysis with a
 randomized verifier
 –– SETH breaks with Merlin and Arthur

(Noninteractive) proofs

Prover Verifier Claim Proof

[Clipart: Merlin] [Clipart: Arthur]

Completeness, (probabilistic) soundness, 
 ease of verification

Prover Verifier Claim Proof

[Clipart: Merlin] [Clipart: Arthur]

SETH fails with Merlin and Arthur 
 (Williams 2016)

Runs in time O*(2n/2), always accepts correct proof, rejects bad proof w.h.p.

Claim (#CNFSAT):
 “This n-variable 
 CNF-formula φ has exactly A satisfying assignments”

Proof string Pφ


• f length O*(2n/2)

[Clipart: Merlin] [Clipart: Arthur]

But what if Merlin is taking a vacation?

(How powerful does the prover need to be?)

[Clipart: Arthur panic]

Interactive proofs for muggles1

1In the fiction of J. K. Rowling: a person who possesses no magical powers (Oxford English Dictionary)

[Goldwasser, Kalai, Rothblum 2015]

Prover Claim

…

Verifier

[Clipart: lower- polynomial-time verifier] [Clipart: 
 Polynomial-time prover]

[Clipart: Merlin] [Clipart: Arthur] [Clipart: Merlin] [Clipart: Arthur] [Clipart: Arthur] [Clipart: Arthur]

K Knights prepare the proof, in parallel

Claim Proof

(+ any single Knight can verify the proof, probabilistically, 
 using about the same effort that he put into the preparation)

[Clipart: Arthur] [Clipart: Knights around the Round Table of Camelot]

(18,688 GPUs, 50,233,344 cores)

Titan (Oak Ridge)
 #3 top500.org

Courtesy of 
 Oak Ridge National Laboratory, 
 U.S. Department of Energy. Image in the public domain.

Modern computers are parallel

Tiwari et al. Supercomputing’15

Modern computers make (some) errors

[Clipart:
 faulty prover] [Figure 2 from Tiwari et al.]

Proof preparation

Preparation takes place in parallel Errors may occur

Proof verification

Can error-correct proof ? Always accept good proof Reject bad proof w.h.p.

What is the overhead for parallel proof preparation and error-tolerance ?

(Compared with best sequential algorithm 
 that just solves the problem 


• n error-free hardware)

“Camelot”

T = best known sequential runtime K = number of Knights E = effort (runtime) of each Knight

KE = Õ(T)

[Clipart: Knights around the Round Table of Camelot]

“Camelot” algorithms for e.g. Permanent, #Hamiltonian cycles, #Orthogonal vectors, …
 are implicit in Williams (2016)

[Björklund & K. 2016]: Replace Merlin with mere Knights 
 +
 more “Camelot” algorithms e.g. #k-clique, #triangles, #Graph Coloring, …

Example: “Camelot” algorithm for #6-clique
 (Björklund & K. 2016)

T = O(n2ω+ε) for any constant ε>0
 = best known sequential runtime
 (Nešetřil & Poljak 1985)
 K = O(nω+ε’) = number of Knights E = Õ(nω+ε’) = effort of each Knight

ω = limn→∞ (log rk0 <n,n,n>)/(log n)

for any constant ε’>0


KE = Õ(T)

[Clipart: Knights around the Round Table of Camelot]

[Clipart: Knights around the Round Table of Camelot]

Proof

The proof is a list of K evaluations of 
 a degree d univariate polynomial pG(x)

d = ϴ(nω+ε’) K ≥ d+1 Effort to evaluate pG(x) at a given point x=ξ: E = Õ(nω+ε’)

G

(ξ1,pG(ξ1)), (ξ2,pG(ξ2)), …, (ξK,pG(ξK))

(modulo q, for 3 distinct primes q, with q ≥ d+1)

To design a Camelot algorithm is 
 to design 
 (i) the low-degree proof polynomial pG(x), and 
 (ii) a fast algorithm for computing pG(ξ) 
 given x=ξ and G as input

Error-correcting the proof: Reed-Solomon decoding
 (using Gao’s (2003) fast decoder)
 
 Proof verification: Polynomial identity testing
 (using (ii) to randomly access the true polynomial)

Near-linear-time toolbox for univariate polynomials

• Addition
• Multiplication
• Division (quotient and remainder)
• Batch evaluation (at d+1 given points)
• Interpolation (from d+1 given evaluations)
• Extended Euclid (gcd)

Õ(d) operations for inputs of degree at most d

[These algorithms are practical]

Fast interpolation from (partly) erroneous data

• Interpolation of degree d polynomial


from K given evaluations, 
 when at most (K – d – 1)/2 
 evaluations are in error

Runs in Õ(K) operations, uses –– one (error-free) interpolation
 –– one extended Euclid
 –– one division

[This is a practical algorithm]

(Gao 2003)

pG(x) for #6-cliques ?

To design a Camelot algorithm is 
 to design 
 (i) the low-degree proof polynomial pG(x), and 
 (ii) a fast algorithm for computing pG(ξ) 
 given x=ξ and G as input

• Let χ be an N × N matrix
• We seek to compute the

6

2

• linear form

X(

6 2) =

X

a,b,c,d,e,f

χabχacχadχaeχa

fχbcχbdχbeχb fχcdχceχc fχdeχd fχe f

• A direct evaluation takes O(N 6) operations

The 15-linear form (~ #6-cliques)

d a c b e f

Nešetřil & Poljak (1985) algorithm

• Neˇ

setˇ ril and Poljak (1985) observe that we can precompute the three N 2 × N 2 matrices Uab,cd = abacadbcbd Sab,e

f = aea fbeb fe f

Tcd,e

f = cdcec fded f

and then use fast matrix multiplication to compute X(

6 2) =

X

a,b,c,d

Uab,cdVab,cd , Vab,cd = X

e,f

Sab,e

fTcd,e f

• This takes O(N 2!+✏) operations for any constant ✏ > 0

New evaluation formula (Björklund & K. 2016)

• Nešetřil & Poljak (1985) formula appears not to split naturally 


into O(Nω+ε) parts with O(Nω+ε) effort each


• We want such a formula –– ideally it should be a simple sum 

• f O(Nω+ε) terms, with O(Nω+ε) effort to prepare each term

• Such a formula exists, and it extends to a univariate proof

polynomial P(x) …

Trilinear decomposition of <N,N,N>

• For d, e, f = 1, 2, . . . , N and r = 1, 2, . . . , R let ↵de(r), e

f(r), d f(r) be integers that satisfy

the polynomial identity X

d,e,f

udeve

fwd f = R

X

r=1

✓X

d,e0

↵de0(r)ude0 ◆✓X

e,f 0

e

f 0(r)ve f 0

◆✓X

d0,f

d0f(r)wd0f ◆

• We can assume that R = O(N !+✏) for an arbitrary constant ✏ > 0
• Furthermore, the N 2 × R matrices ↵, , are Kronecker powers of matrices of size O(1)

1 0 1 0 1 -1 0 0 0 0 0 1 0 1 0 1 0 0 0 1 0 1 1 0 1 0 0 -1

1 1 0 -1 0 1 0 0 0 1 0 0 1 0 0 0 0 1 0 0 1 1 0 -1 0 1 0 1

1 0 0 1 -1 0 1 0 0 1 0 1 0 0 0 1 0 1 0 0 0 1 -1 1 0 0 1 0

Example: Strassen’s 4 x 7 trilinear
 decomposition

• f <2,2,2>

α0 = β0 =

γ0 =

New evaluation formula (Björklund & K. 2016)

• For each r = 1, 2, . . . , R, compute, using fast matrix multiplication,

Had(r) = X

e0

αde0(r)χae0χde0 , Aab(r) = X

d

χadχbdHad(r) , Kbe(r) = X

f 0

βe

f 0(r)χb f 0χe f 0 ,

Bbc(r) = X

e

χbeχceKbe(r) , Lc

f(r) =

X

d0

γd0f(r)χcd0χd0f , Cac(r) = X

f

χa

fχc fLc f(r)

• Finally, compute, again using fast matrix multiplication,

Qab(r) = X

c

χacχbcBbc(r)Cac(r) , P(r) = X

a,b

χabAab(r)Qab(r)

• Each term P(r) takes O(N !+✏) operations to compute

New evaluation formula (Björklund & K. 2016)

• Theorem. X(

6 2) = PR

r=1 P(r)

• Proof.

R

X

r=1

P (r) =

R

X

r=1

X

a,b,c

χabχacχbcAab(r)Bbc(r)Cac(r) =

R

X

r=1

X

a,b,c

χabχacχbc X

d,e0

αde0(r)χadχae0χbdχde0 X

e,f0

βe

f0(r)χbeχb f0χceχe f0

X

d0,f,

γd0f (r)χa

f χcd0χc f χd0f

= X

a,b,c

χabχacχbc

R

X

r=1

✓X

d,e0

αde0(r)χadχae0χbdχde0 ◆✓X

e,f0

βe

f0(r)χbeχb f0χceχe f0

◆✓X

d0,f

γd0f (r)χa

f χcd0χc f χd0f

◆ = X

a,b,c

χabχacχbc X

d,e,f

χadχaeχa

f χbdχbeχb f χcdχceχc f χdeχd f χe f

Extension to “Camelot”: 
 The integer values P(r) extend to a degree-at-most 3R polynomial P(x)
 that admits, using Yates’s (1937) algorithm, an evaluation algorithm 
 that for a given x0 computes P(x0) mod q in O(Nω+ε) operations mod q

CAMELOT ALGORITHMS
 (IMPLICIT, WILLIAMS 2016)

➤ #CNF-SAT ➤ Matrix permanent ➤ #Hamiltonian cycles ➤ #Orthogonal vectors ➤ Closest pairs in Hamming metric ➤ …

(** We “almost match” the best sequential running time)

CAMELOT ALGORITHMS
 (BJÖRKLUND & K. 2016)

➤ “Polynomial extension” of 


many fastest known sequential algorithms

➤ k-clique 


[Nešetřil & Poljak 1985]

➤ graph colouring


[Björklund et al. 2006, 2009]

➤ triangle counting in sparse

graphs**
 [Itai & Rodeh 1978]
 [Alon, Yuster & Zwick 1997]

➤ Tutte polynomial**


[Björklund et al. 2008]

THANK YOU

[Clipart: Merlin] [Clipart: Arthur]