Page 1

Proving Without Explaining, and Checking Without Understanding

Scott Aaronson (MIT)
Symposium on Proof, UPenn, Nov. 9, 2012

Looks good to me!


Page 2

For most of history, a “mathematical proof” meant a demonstration, in words, formulas, and pictures, that induces an “all-of-a-sudden” understanding of why a theorem must be true in humans who have understood it.

[Figure: picture proof of $c^2 = (a+b)^2 - 2ab = a^2 + b^2$]

Page 3

With people like Frege, Hilbert, Russell, and Gödel, a new, formal notion of proof entered the world: proof as a mathematical object in its own right.

A string of symbols that “mechanically certifies” that a theorem is true—generally, by starting from axioms and then applying logical manipulations until the theorem is reached.

Proof that all Robbins algebras are Boolean. Discovered by the computer program EQP in 1996, solving a 63-year-old problem. As reproduced on the slide:

-(n(x+y)=n(x)).
n(n(n(x)+y)+n(x+y))=y.
n(n(n(x+y)+n(x)+y)+y)=n(x+y).
n(n(n(n(x)+y)+x+y)+y)=n(n(x)+y).
n(n(n(n(x)+y)+x+y+y)+n(n(x)+y))=y.
n(n(n(n(n(x)+y)+x+y+y)+n(n(x)+y)+z)+n(y+z))=z.
n(n(n(n(x)+y)+n(n(x)+y)+x+y+y)+y)=n(n(x)+y).
n(n(n(n(x)+y)+n(n(x)+y)+x+y+y+y)+n(n(x)+y))=y.
n(n(n(n(n(x)+y)+x+y+y)+n(n(x)+y)+n(y+z)+z)+z)=n(y+z).
n(n(n(n(n(n(x)+y)+x+y+y)+n(n(x)+y)+n(y+z)+z)+z+u)+n(n(y+z)+u))=u.
n(n(n(n(x)+x)+x+x+x)+x)=n(n(x)+x).
n(n(n(n(n(x)+x)+x+x+x)+x+y)+n(n(n(x)+x)+y))=y.
n(n(n(n(x)+x)+x+x+x+x)+n(n(x)+x))=x.
n(n(n(n(x)+x)+n(n(x)+x)+x+x+x+x)+x)=n(n(x)+x).
n(n(n(n(n(x)+x)+n(n(x)+x)+x+x+x+x)+x+y)+n(n(n(x)+x)+y))=y.
n(n(n(n(n(x)+x)+n(n(x)+x)+x+x+x+x)+n(n(n(x)+x)+x+x+x)+x)+x)=n(n(n(x)+x)+n(n(x)+x)+x+x+x+x).
n(n(n(x)+x)+n(n(x)+x)+x+x+x+x)=n(n(n(x)+x)+x+x+x).

Page 4

Formal proofs are often absurdly tedious!

Wittgenstein liked to ridicule this sort of formalization.

Famous example from Principia Mathematica, Volume II.

But

Page 5

Sometimes the gap between “proving” and “explaining” has caused actual mathematical controversy

Four-Color Map Theorem: Proved by Appel and Haken in 1976, with crucial help from computer enumeration of cases.

Critics: “But what if the computer made a mistake?”

Response: “Then check again with another computer!”

Page 6

Over the last 30 years, theoretical computer scientists have taken the concept of “proof” even further from “explanation” or “understanding” than Frege, Russell, et al. ever did.

A “proof” can now be: probabilistic, interactive, quantum-mechanical… in general, an ephemeral process that, once it’s over, need not leave any trace by which to convince somebody else

(Sometimes, like in cryptography, the impossibility of understanding a proof is actually the goal!)

Page 7

As a warmup, consider the power of random sampling…

To “probabilistically prove” an algebraic identity: just plug in a bunch of random values and evaluate it!

Not yet certain enough? Repeat!

(But what if your random-number generator was bad?)
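Here is what that random-sampling check looks like in code, as an added example that is not part of the slides: both sides of a claimed identity are evaluated at random points of a prime field and compared, and a deliberately broken sampler that always returns 0 shows why the RNG caveat matters. The two identities, the prime P, and all function names are assumptions of the example.

```python
# Added example (not from the slides): probabilistic "proof" of an algebraic
# identity by random evaluation, plus the failure mode of a bad RNG.
# The identities below are constructed for illustration.
import secrets

# Evaluate in the prime field GF(P) so values stay bounded. P = 2^61 - 1 is
# prime; any large prime would do (assumption of the example).
P = (1 << 61) - 1


def lhs(a, b):
    """(a + b)^2, reduced mod P."""
    return (a + b) * (a + b) % P


def rhs_correct(a, b):
    """a^2 + 2ab + b^2: genuinely equal to lhs as a polynomial."""
    return (a * a + 2 * a * b + b * b) % P


def rhs_wrong(a, b):
    """a^2 + b^2: the "freshman's dream"; differs from lhs by 2ab."""
    return (a * a + b * b) % P


def identity_holds(f, g, nvars, trials, rng=secrets.randbelow):
    """Probabilistic identity test.

    Samples `trials` points from GF(P)^nvars using rng(P), which must return
    an integer in [0, P), and rejects as soon as f and g disagree.  By the
    Schwartz-Zippel lemma two distinct polynomials of total degree d agree at
    a uniformly random point with probability at most d/P, so a false identity
    survives all trials with probability at most (d/P)**trials.  Repeating
    the test is exactly what makes "not yet certain enough" go away.
    """
    for _ in range(trials):
        point = [rng(P) for _ in range(nvars)]
        if f(*point) != g(*point):
            return False
    return True


def stuck_rng(_n):
    """A broken generator (constructed for the example): always returns 0.

    At a = b = 0 the wrong identity happens to hold, so a prover who knows
    the sampler is this predictable gets a false identity "proved".
    """
    return 0


if __name__ == "__main__":
    print("correct identity accepted:", identity_holds(lhs, rhs_correct, 2, 20))
    print("wrong identity rejected:", not identity_holds(lhs, rhs_wrong, 2, 20))
    print("wrong identity with stuck RNG:",
          identity_holds(lhs, rhs_wrong, 2, 20, rng=stuck_rng))
```

The soundness bound only holds if the points really are uniform and unpredictable to whoever chose the identity; that is why the sampler defaults to `secrets.randbelow` rather than a seeded generator.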

Page 8

Upping the ante: proof by quantum sampling

In 1994, Peter Shor sparked a scientific revolution, by showing that a quantum computer could quickly factor large numbers—a task whose presumed difficulty is the basis for most modern cryptography.

But would you need to trust the quantum computer? In this case, no! Given alleged prime factors, you could multiply them yourself (and also use known classical methods to verify that they’re prime).

But not all quantum algorithms necessarily share that property! Sometimes, the only feasible way to verify a quantum computer’s output might be using a different quantum computer!

(indeed, there might be no “classical” proof that would fit inside the observable universe)
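An added example (not from the slides) of exactly that check: given a number and alleged prime factors, the verifier multiplies the factors and runs a Miller-Rabin primality test on each. Nothing about how the factors were found, quantum or otherwise, is needed. The numbers and the function names are constructed for the example.

```python
# Added example (not from the slides): checking an untrusted factoring claim.
# The claimed factors are the certificate; the verifier never needs to know
# how they were found.  Numbers below are constructed for the example.
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=40):
    """Miller-Rabin test: always True for primes; a composite survives one
    round with probability at most 1/4, so at most 4**-rounds overall.
    Bases are drawn with `secrets` so an adversarially chosen "prime" cannot
    be tuned to a predictable sampler."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)        # witness base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                         # a witnesses compositeness
    return True


def verify_factorization(n, factors):
    """Accept iff every claimed factor is (probably) prime and their product
    is n.  This is the whole check: multiply them yourself, then test
    primality; the factorer is never trusted."""
    if not factors:
        return False
    product = 1
    for f in factors:
        if f < 2 or not is_probable_prime(f):
            return False
        product *= f
    return product == n


if __name__ == "__main__":
    n = 1000003 * 999983                          # both constructed factors are prime
    print(verify_factorization(n, [1000003, 999983]))   # accepted
    print(verify_factorization(n, [n]))                 # rejected: n is composite
    print(verify_factorization(561, [561]))             # rejected: Carmichael number, still caught
    print(verify_factorization(561, [3, 11, 17]))       # accepted
```

The primality step matters: without it, a prover could hand back `[n]` for any `n` and pass the multiplication test, and Miller-Rabin handles Carmichael numbers such as 561 that fool the simpler Fermat test.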

Page 9

Today, when theoretical computer scientists talk about a “proof system,” they generally mean an interactive game…

Merlin: Omniscient but untrustworthy wizard

Arthur: Skeptical, polynomial-time king

“Completeness”: If the claim is true, then there must be some way Merlin can behave that causes Arthur to output “OK” most of the time

“Soundness”: If the claim is false, then regardless of how Merlin behaves, Arthur must output “BS” most of the time

[Figure: Merlin and Arthur exchanging challenges and responses; Arthur ends by declaring “OK!” or “BS!”]

Page 10

Example: Graph Non-Isomorphism

Merlin wants to convince Arthur that two graphs are different

Simply listing all permutations is astronomically inefficient

Given any two non-isomorphic graphs, there might always be a short proof that they’re different, but no one has proved that

Clever interactive solution: Arthur picks one of the graphs randomly, randomly permutes its vertices, and sends Merlin the result. He then asks Merlin which graph he started with. If the graphs really are non-isomorphic, an omniscient Merlin can always tell; if they are isomorphic, the permuted graph could have come from either one, so Merlin guesses right with probability only 1/2 per round, and repeating the game drives his chance of fooling Arthur toward zero.
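The protocol simulated end to end, as an added example that is not part of the slides. Merlin's omniscience is stood in for by brute force over all relabelings of tiny constructed graphs; the graph instances, the number of rounds, and the function names are assumptions of the example.

```python
# Added example (not from the slides): the Graph Non-Isomorphism protocol,
# simulated end to end.  Merlin's omniscience is replaced by brute force over
# all n! relabelings, which is fine for the tiny constructed graphs used here.
import itertools
import random


def graph(edges):
    """Normalize an edge list into a frozenset of unordered pairs."""
    return frozenset(frozenset(e) for e in edges)


def relabel(g, perm):
    """Apply a vertex permutation (perm[old] = new) to a graph."""
    return frozenset(frozenset(perm[v] for v in e) for e in g)


def isomorphic(n, g, h):
    """Omniscient check: does some relabeling of g equal h?"""
    return any(relabel(g, p) == h for p in itertools.permutations(range(n)))


def honest_merlin(n, g0, g1, h):
    """Answers 0 if h is a relabeling of g0, else 1.  When g0 and g1 are
    isomorphic, h always matches g0, so this collapses to a fixed guess that
    is right only when Arthur happened to pick g0: the best Merlin can do."""
    return 0 if isomorphic(n, g0, h) else 1


def arthur_round(n, g0, g1, merlin, rng=random.SystemRandom()):
    """One challenge/response: Arthur hides his coin b behind a random
    relabeling and checks that Merlin recovers it."""
    b = rng.randrange(2)
    perm = list(range(n))
    rng.shuffle(perm)
    h = relabel((g0, g1)[b], perm)
    return merlin(n, g0, g1, h) == b


def arthur_accepts(n, g0, g1, rounds=40, merlin=honest_merlin):
    """"OK" only if Merlin survives every round.  Against isomorphic graphs
    each round is a coin flip, so a cheating Merlin survives all of them
    with probability 2**-rounds."""
    return all(arthur_round(n, g0, g1, merlin) for _ in range(rounds))


# Constructed instances on 4 vertices, all with three edges:
PATH = graph([(0, 1), (1, 2), (2, 3)])       # a path
STAR = graph([(0, 1), (0, 2), (0, 3)])       # a star: not isomorphic to PATH
PATH2 = graph([(0, 2), (2, 1), (1, 3)])      # another path: isomorphic to PATH

if __name__ == "__main__":
    print("PATH vs STAR, Arthur convinced:", arthur_accepts(4, PATH, STAR))
    print("PATH vs PATH2, Arthur convinced:", arthur_accepts(4, PATH, PATH2))
```

Note what Arthur learns: only a stream of relabeled graphs he produced himself and Merlin's one-bit answers, nothing about which structural property separates the two graphs.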

Page 11

The IP=PSPACE Theorem (Lund et al. / Shamir 1990) showed that these sorts of interactive proof systems are incredibly powerful. For example, Merlin could quickly convince Arthur that White has the win in chess (assuming that’s indeed true)!

[Formula on slide: $\sum_{x_1,\ldots,x_n \in \{0,1\}} p(x_1,\ldots,x_n) \bmod q$]

Page 12

The Graph Non-Isomorphism protocol has another amazing property, besides its efficiency. Arthur learns nothing whatsoever about why the graphs are non-isomorphic!

Goldreich, Micali, and Wigderson showed that, under plausible cryptographic assumptions, every formal proof can likewise be converted into a “zero-knowledge proof”

(Furthermore, here the prover need not be a wizard, but just an ordinary person who knows the original proof)

The key is to start with an NP-complete problem, like Hamilton Cycle

A solution to this problem can encode a formal proof of the Riemann Hypothesis, or of any other theorem you want!

Page 13

To make the proof zero-knowledge: Merlin randomly permutes the nodes. Then, for each pair of nodes, he sends Arthur a “locked box,” inside of which he’s written whether those nodes are connected by an edge.

With the boxes in his possession, Arthur can either ask Merlin to unlock all the boxes, and show him the isomorphism between the new graph and the original graph, or he can ask Merlin to unlock only the boxes corresponding to a Hamilton cycle.

To implement over the Internet: replace the locked boxes by encryption.
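The steps above as runnable code, added here and not part of the original slides. The locked boxes are modelled as SHA-256 commitments over a random nonce and the committed bit (one concrete reading of “replace the locked boxes by encryption”); the graph, the honest cycle, a fake cycle used to show a cheating prover, and all names are constructed for the example.

```python
# Added example (not from the slides): the zero-knowledge Hamilton-cycle
# protocol, with SHA-256 commitments standing in for the "locked boxes".
# The graph, the cycle and the fake cycle are constructed for the example.
import hashlib
import random

RNG = random.SystemRandom()


def commit(bit):
    """Lock `bit` in a box: hash of a fresh 16-byte nonce and the bit.
    The nonce hides the bit; collision resistance makes the box binding."""
    nonce = RNG.getrandbits(128).to_bytes(16, "big")
    return hashlib.sha256(nonce + bytes([bit])).hexdigest(), (nonce, bit)


def opens_to(com, nonce, bit):
    return hashlib.sha256(nonce + bytes([bit])).hexdigest() == com


def prover_commit(n, edges, cycle):
    """Merlin: relabel the graph, then commit to every cell above the diagonal
    of its adjacency matrix.  Returns the boxes and Merlin's private state."""
    perm = list(range(n))
    RNG.shuffle(perm)
    h_edges = {frozenset((perm[u], perm[v])) for u, v in edges}
    coms, openings = {}, {}
    for i in range(n):
        for j in range(i + 1, n):
            coms[(i, j)], openings[(i, j)] = commit(int(frozenset((i, j)) in h_edges))
    state = {"perm": perm, "openings": openings, "cycle": [perm[v] for v in cycle]}
    return coms, state


def prover_respond(state, challenge):
    """Challenge 0: open every box and reveal the relabeling.
    Challenge 1: open only the boxes on the (relabeled) cycle."""
    if challenge == 0:
        return {"perm": state["perm"], "openings": state["openings"]}
    cyc, n = state["cycle"], len(state["cycle"])
    keys = [tuple(sorted((cyc[k], cyc[(k + 1) % n]))) for k in range(n)]
    return {"openings": {k: state["openings"][k] for k in keys}}


def verifier_check(n, edges, coms, challenge, resp):
    """Arthur: every opened box must match its commitment; then either the
    opened graph is the relabeled public graph, or the opened cells are all
    edges and form one cycle through all n vertices."""
    openings = resp["openings"]
    if not set(openings) <= set(coms):
        return False
    if any(not opens_to(coms[k], *openings[k]) for k in openings):
        return False
    if challenge == 0:
        perm = resp["perm"]
        if sorted(perm) != list(range(n)) or set(openings) != set(coms):
            return False
        h_edges = {tuple(sorted((perm[u], perm[v]))) for u, v in edges}
        return all(bit == (k in h_edges) for k, (_, bit) in openings.items())
    if len(openings) != n or any(bit != 1 for _, bit in openings.values()):
        return False
    adj = {v: [] for v in range(n)}
    for i, j in openings:
        adj[i].append(j)
        adj[j].append(i)
    if any(len(adj[v]) != 2 for v in range(n)):
        return False
    prev, cur, visited = None, 0, 1        # walk the 2-regular graph from vertex 0
    while True:
        nxt = adj[cur][1] if adj[cur][0] == prev else adj[cur][0]
        if nxt == 0:
            return visited == n             # a single cycle iff everyone was seen
        prev, cur, visited = cur, nxt, visited + 1


def run_round(n, edges, cycle, challenge):
    """One round with Arthur's challenge bit fixed, so both branches can be shown."""
    coms, state = prover_commit(n, edges, cycle)
    return verifier_check(n, edges, coms, challenge, prover_respond(state, challenge))


# Constructed public graph: a 5-cycle plus two chords.  Merlin knows CYCLE.
N = 5
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2), (1, 3)]
CYCLE = [0, 1, 2, 3, 4]
FAKE_CYCLE = [0, 2, 4, 1, 3]     # uses (2,4), (4,1) and (3,0), which are not edges
```

In a live run Arthur draws the challenge bit only after the boxes arrive, so a prover who does not know a cycle must gamble: honest commitments pass challenge 0 but fail challenge 1 (as `FAKE_CYCLE` does here), and committing to a fake all-ones graph would do the reverse, giving a cheater at most a 1/2 chance per round. Each accepted transcript reveals either a random relabeling of the public graph or a bare n-cycle with no relabeling, and either of those Arthur could have produced by himself, which is what makes the exchange zero-knowledge.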

Useful! Lets suspicious agents prove to each other that they’re carrying out a protocol correctly, without revealing the secrets on which the proofs are based

One application: secure e-voting

Renaissance court mathematicians were terrified of rivals stealing their secrets. Galileo once ensured his priority by sending Kepler a coded message: smaismrmilmepoetaleumibunenugttauiras

Today, a paranoid prover of the Riemann Hypothesis could use the GMW protocol to establish priority without revealing the proof

Theoretical computer science: surging ahead into the 1500s!

Page 14

Another famous NP-complete problem is 3-coloring a graph

Suppose two Merlins claim that they know how to 3-color a certain graph. Arthur will get a billion dollars if he can prove they’re lying, but he’s only allowed to ask them for the color of one node each

Solution: Arthur puts the Merlins in separate rooms, like police suspects. He either picks a random node and asks both Merlins its color (and checks that they give the same answer), or he picks two neighboring nodes and asks one Merlin about each (and checks that they give different answers)
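An added example (not from the slides) that scores Arthur's two-question test exactly: given each Merlin's fixed answer table, it computes the probability that Arthur catches them, and by brute force finds the best two non-communicating Merlins can do on a small constructed graph that has no 3-coloring. The graph instances, the equal weighting of Arthur's two tests, and the names are assumptions of the example.

```python
# Added example (not from the slides): Arthur's two-prover test for 3-coloring
# and the exact probability that two separated Merlins get caught.
# Graphs and answer tables below are constructed for the example.
import itertools
import random
from fractions import Fraction


def catch_probability(n, edges, merlin1, merlin2):
    """Exact rejection probability for fixed answer tables (node -> color in
    {0,1,2}).  Assumed test: with probability 1/2 Arthur asks both Merlins
    about a uniformly random node (answers must agree); with probability 1/2
    he picks a uniformly random edge and a random orientation, asks Merlin 1
    about one endpoint and Merlin 2 about the other (answers must differ)."""
    node_fail = sum(merlin1[v] != merlin2[v] for v in range(n))
    edge_fail = Fraction(sum((merlin1[u] == merlin2[v]) + (merlin1[v] == merlin2[u])
                             for u, v in edges), 2)
    return Fraction(node_fail, 2 * n) + edge_fail / (2 * len(edges))


def best_cheating_strategy(n, edges):
    """Brute force over all pairs of answer tables: the smallest catch
    probability any two Merlins can arrange.  It is 0 exactly when the
    graph is 3-colorable (consistent tables, every edge bichromatic)."""
    tables = list(itertools.product(range(3), repeat=n))
    return min(catch_probability(n, edges, t1, t2) for t1 in tables for t2 in tables)


def arthur_round(n, edges, merlin1, merlin2, rng=random.SystemRandom()):
    """One live round of the game; True if the Merlins pass."""
    if rng.randrange(2) == 0:
        v = rng.randrange(n)
        return merlin1[v] == merlin2[v]
    u, v = edges[rng.randrange(len(edges))]
    if rng.randrange(2):                         # random orientation
        u, v = v, u
    return merlin1[u] != merlin2[v]


# Constructed instances.
TRIANGLE_PLUS = (4, [(0, 1), (1, 2), (2, 0), (2, 3)])         # 3-colorable
K4 = (4, [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3)])    # not 3-colorable
HONEST = {0: 0, 1: 1, 2: 2, 3: 0}                            # proper 3-coloring of TRIANGLE_PLUS

if __name__ == "__main__":
    print("honest Merlins caught with probability", catch_probability(*TRIANGLE_PLUS, HONEST, HONEST))
    print("best cheaters on K4 caught with probability", best_cheating_strategy(*K4))
```

On K4 the best the cheaters can do is agree on a single table with one monochromatic edge, which Arthur catches with probability 1/12 per round; since the catch probability is bounded away from zero, repeating the game makes their survival probability shrink geometrically, and the separation of the two rooms is what stops them from coordinating answers per question.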

Page 15

Pushing this further leads to the PCP Theorem, one of the crown jewels of theoretical computer science

Any formal proof can be rewritten in an “error-correcting” format, in such a way that its validity can be checked, with high confidence, by looking at only 10 or 20 random bits

Application: Implies that, for many NP-complete problems, finding an approximate solution is as hard as finding an exact one

Recent Realization: Even if they can’t talk to each other, the two Merlins could still sometimes cheat by measuring quantum-mechanically entangled particles! (Related to the famous Bell Inequality)

But we now know that every multi-prover protocol can be “immunized” against entangled provers (Ito-Vidick 2012)

Page 16

Summary

With Frege, Russell, Gödel, etc., “proofs” became mathematical objects in their own right: sequences of symbols that can be verified by a machine, and that no human needs to understand

Today, theoretical computer science has taken the separation between verifying and understanding even further, by making “proofs” probabilistic, interactive, zero-knowledge, quantum…

What’s the point of this? Russell et al.’s redefinition of proof helped bring us the computer age. The modern redefinitions of proof helped bring us secure electronic commerce, as well as profound insights into the nature of computation

Central irony: All these amazing discoveries about proof relied themselves on “traditional,” understanding-based proofs!

Will we ever have a mechanistic account of explaining and understanding, in the same sense that we now have a mechanistic account of proving and verifying?