
Proving Without Explaining, and

Checking Without Understanding


(Cartoon caption: “Looks good to me!”)

Scott Aaronson (MIT)


Symposium on Proof, UPenn, Nov. 9, 2012

For most of history, a “mathematical proof” meant a demonstration, in words, formulas, and pictures, that induces an “all-of-a-sudden” understanding of why a theorem must be true in humans who have understood it.

c  a  b   2ab  a 2  b 2
2 2
With people like Frege, Hilbert, Russell, and Gödel,
a new, formal notion of proof entered the world:
proof as a mathematical object in its own right
A string of symbols that “mechanically certifies” that a theorem
is true—generally, by starting from axioms and then applying
logical manipulations until the theorem is reached

Proof that all Robbins algebras are Boolean. Discovered by the computer program EQP in 1996, solving a 63-year-old problem:

-(n(x+y)=n(x)).
n(n(n(x)+y)+n(x+y))=y.
n(n(n(x+y)+n(x)+y)+y)=n(x+y).
n(n(n(n(x)+y)+x+y)+y)=n(n(x)+y).
n(n(n(n(x)+y)+x+y+y)+n(n(x)+y))=y.
n(n(n(n(n(x)+y)+x+y+y)+n(n(x)+y)+z)+n(y+z))=z.
n(n(n(n(x)+y)+n(n(x)+y)+x+y+y)+y)=n(n(x)+y).
n(n(n(n(x)+y)+n(n(x)+y)+x+y+y+y)+n(n(x)+y))=y.
n(n(n(n(n(x)+y)+x+y+y)+n(n(x)+y)+n(y+z)+z)+z)=n(y+z).
n(n(n(n(n(n(x)+y)+x+y+y)+n(n(x)+y)+n(y+z)+z)+z+u)+n(n(y+z)+u))=u.
n(n(n(n(x)+x)+x+x+x)+x)=n(n(x)+x).
n(n(n(n(n(x)+x)+x+x+x)+x+y)+n(n(n(x)+x)+y))=y.
n(n(n(n(x)+x)+x+x+x+x)+n(n(x)+x))=x.
n(n(n(n(x)+x)+n(n(x)+x)+x+x+x+x)+x)=n(n(x)+x).
n(n(n(n(n(x)+x)+n(n(x)+x)+x+x+x+x)+x+y)+n(n(n(x)+x)+y))=y.
n(n(n(n(n(x)+x)+n(n(x)+x)+x+x+x+x)+n(n(n(x)+x)+x+x+x)+x)+x)=n(n(n(x)+x)+n(n(x)+x)+x+x+x+x).
n(n(n(x)+x)+n(n(x)+x)+x+x+x+x)=n(n(n(x)+x)+x+x+x).

Formal proofs are often absurdly tedious!

Famous example from Principia Mathematica, Volume II

Wittgenstein liked to ridicule this sort of formalization

But sometimes the gap between “proving” and “explaining” has caused actual mathematical controversy

Four-Color Map Theorem: Proved by Appel and Haken in 1976, with crucial help from computer enumeration of cases

Critics: “But what if the computer made a mistake?”

Response: “Then check again with another computer!”
Over the last 30 years, theoretical computer
scientists have taken the concept of “proof” even
further from “explanation” or “understanding”
than Frege, Russell, et al. ever did
(Sometimes, like in cryptography, the impossibility of
understanding a proof is actually the goal!)

A “proof” can now be: probabilistic, interactive, quantum-mechanical… in general, an ephemeral process that, once it’s over, need not leave any trace by which to convince somebody else
As a warmup, consider the power of random sampling…

To “probabilistically prove” an algebraic identity: just plug in a bunch of random values and evaluate it!

Not yet certain enough? Repeat!

(But what if your random-number generator was bad?)
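The random-sampling idea above, as an added example that is not part of the original slides: both sides of a polynomial identity are evaluated at random points modulo a prime, and a bad random-number generator (here one that always returns 0) is shown to defeat the check.

```python
# Added example (not from the slides): "probabilistically proving" an
# algebraic identity by comparing both sides at random points modulo a prime.
# Assumption: both sides are polynomials given as Python callables.
import random

P = (1 << 61) - 1      # a Mersenne prime; all evaluation is done in the integers mod P


def identity_holds(lhs, rhs, nvars, rounds, rng=random):
    """True if lhs and rhs agree at every one of `rounds` random points.

    A true identity always passes.  If the two sides differ as polynomials of
    total degree d, a single random point makes them agree with probability
    at most d/P (Schwartz-Zippel), so the chance of a wrong "True" after
    `rounds` independent rounds is at most (d/P)**rounds.  "Not certain
    enough? Repeat!" is exactly this exponent.
    """
    for _ in range(rounds):
        point = tuple(rng.randrange(P) for _ in range(nvars))
        if lhs(*point) % P != rhs(*point) % P:
            return False                  # a witness point: the sides differ
    return True


# The slide's identity: c^2 = (a+b)^2 - 2ab = a^2 + b^2.
def pythagoras_lhs(a, b):
    return (a + b) ** 2 - 2 * a * b


def pythagoras_rhs(a, b):
    return a * a + b * b


# A false "identity" that happens to hold whenever a or b is 0.
def freshman_rhs(a, b):
    return (a + b) ** 2


class BadRng:
    """The slide's worry, made concrete: a broken generator that always returns 0."""
    def randrange(self, n):
        return 0


if __name__ == "__main__":
    print(identity_holds(pythagoras_lhs, pythagoras_rhs, 2, 10))           # True
    print(identity_holds(pythagoras_lhs, freshman_rhs, 2, 10))             # False
    # Every "random" point is now (0, 0), where the false identity holds,
    # so no number of repetitions ever exposes it.
    print(identity_holds(pythagoras_lhs, freshman_rhs, 2, 10, BadRng()))   # True
```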
Upping the ante: proof by quantum sampling
In 1994, Peter Shor sparked a scientific revolution, by showing that a
quantum computer could quickly factor large numbers—a task
whose presumed difficulty is the basis for most modern cryptography

But would you need to trust the quantum computer? In this case, no!
Given alleged prime factors, you could multiply them yourself
(and also use known classical methods to verify that they’re prime)
But not all quantum algorithms necessarily share that property!
Sometimes, the only feasible way to verify a quantum computer’s
output might be using a different quantum computer!
(indeed, there might be no “classical” proof that would fit inside
the observable universe)
Today, when theoretical computer scientists talk about a
“proof system,” they generally mean an interactive game…

Merlin: Omniscient but untrustworthy wizard
Arthur: Skeptical, polynomial-time king
(Figure: challenges and responses go back and forth; Arthur ends with “OK!” or “BS!”)

“Completeness”: If the claim is true, then there must be some way Merlin can behave that causes Arthur to output “OK” most of the time

“Soundness”: If the claim is false, then regardless of how Merlin behaves, Arthur must output “BS” most of the time
Example: Graph Non-Isomorphism
Merlin wants to convince Arthur that two graphs are different

Given any two non-isomorphic graphs, there might always be a
short proof that they’re different, but no one has proved that
Simply listing all permutations is astronomically inefficient
Clever interactive solution: Arthur picks one of the graphs
randomly, randomly permutes its vertices, and sends Merlin
the result. He then asks Merlin which graph he started with
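The interactive solution just described, as an added example (not the slides' own code); it assumes small edge-set graphs on nodes 0..n-1 and simulates the omniscient Merlin by brute force over all vertex permutations.

```python
# Added example, not from the slides: the Graph Non-Isomorphism protocol.
# Assumption: graphs are small edge sets on nodes 0..n-1, and "omniscient"
# Merlin is simulated by brute force over all n! vertex permutations.
import itertools
import random

def relabel(edges, perm):
    """The graph after renaming every node v to perm[v]."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in edges)

def isomorphic(g, h, n):
    """Merlin's unbounded power: try every relabelling of g."""
    return any(relabel(g, p) == h for p in itertools.permutations(range(n)))

def honest_merlin(g0, g1, n, challenge):
    """Says which input graph the scrambled challenge is a copy of."""
    return 0 if isomorphic(g0, challenge, n) else 1

def guessing_merlin(g0, g1, n, challenge):
    """When G0 and G1 are in fact isomorphic, the challenge carries no
    information about Arthur's coin, so any strategy is a coin flip."""
    return random.randrange(2)

def run_protocol(g0, g1, n, merlin, rounds, rng=random):
    """Arthur's side: returns True ("OK!") only if Merlin is right every round."""
    for _ in range(rounds):
        i = rng.randrange(2)                       # secret choice of graph
        perm = list(range(n)); rng.shuffle(perm)   # secret relabelling
        if merlin(g0, g1, n, relabel((g0, g1)[i], perm)) != i:
            return False                           # "BS!"
    return True

# Constructed 4-node graphs: a 4-cycle, a triangle with a pendant node (both
# have 4 edges, but the degree sequences differ), and a scrambled 4-cycle.
N = 4
CYCLE = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 0)])
PAW = frozenset(frozenset(e) for e in [(0, 1), (0, 2), (0, 3), (1, 2)])
CYCLE_COPY = relabel(CYCLE, (2, 0, 3, 1))

if __name__ == "__main__":
    print(run_protocol(CYCLE, PAW, N, honest_merlin, 20))          # True
    # With isomorphic inputs even an all-powerful Merlin can only guess:
    # 30 correct guesses in a row happen with probability 2**-30.
    print(run_protocol(CYCLE, CYCLE_COPY, N, guessing_merlin, 30))  # False (overwhelmingly likely)
```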
The IP=PSPACE Theorem (Lund et al. / Shamir 1990)
showed that these sorts of interactive proof systems are
incredibly powerful. For example, Merlin could quickly
convince Arthur that White has the win in chess
(assuming that’s indeed true)!

qx ,, x mod p


x1 ,, xn  0,1
1 n
The Graph Non-Isomorphism protocol has another amazing
property, besides its efficiency. Arthur learns nothing whatsoever
about why the graphs are non-isomorphic!

Goldreich, Micali, and Wigderson showed that, under plausible cryptographic assumptions, every formal proof can likewise be converted into a “zero-knowledge proof”
(Furthermore, here the prover need not be a wizard, but just an ordinary person who knows the original proof)

The key is to start with an NP-complete problem, like Hamilton Cycle

A solution to this problem can encode a formal proof of the Riemann Hypothesis, or of any other theorem you want!
To make the proof zero-knowledge:
Merlin randomly permutes the nodes. Then, for each pair of nodes,
he sends Arthur a “locked box,” inside of which he’s written
whether those nodes are connected by an edge.
With the boxes in his possession, Arthur can either ask Merlin to unlock all the boxes, and show him the isomorphism between the graph and the original graph, or he can ask Merlin to unlock only the boxes corresponding to a Hamilton cycle.
To implement over the Internet: replace the locked boxes by encryption.

Renaissance court mathematicians were terrified of rivals stealing their new secrets. Galileo once ensured his priority by sending Kepler a coded message: smaismrmilmepoetaleumibunenugttauiras
Today, a paranoid prover of the Riemann Hypothesis could use the GMW protocol to establish priority without revealing the proof.
Theoretical computer science: surging ahead into the 1500s!
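The locked-box protocol above, as an added example that is not from the slides: each box is modelled as a SHA-256 commitment over a random nonce and the bit (an assumed stand-in for “replace the locked boxes by encryption”), and one round is played out for both of Arthur's challenges.

```python
# Added example, not from the slides. Assumption: the "locked box" is a
# SHA-256(nonce || bit) commitment, standing in for "replace the boxes by encryption".
import hashlib, itertools, random, secrets
def lock(nonce, bit):                 # a box's sealed contents
    return hashlib.sha256(nonce + bytes([bit])).digest()
def relabel(edges, perm):             # the graph after renaming node v -> perm[v]
    return {frozenset((perm[u], perm[v])) for u, v in edges}

def merlin_commit(n, edges, rng=random):   # permute nodes, lock one box per pair
    perm = list(range(n)); rng.shuffle(perm)
    adj = relabel(edges, perm)
    keys = {frozenset(p): secrets.token_bytes(16) for p in itertools.combinations(range(n), 2)}
    boxes = {p: lock(k, int(p in adj)) for p, k in keys.items()}   # sent to Arthur
    return boxes, (perm, keys)                                      # keys stay with Merlin

def merlin_open(challenge, state, cycle):  # 0: open all + isomorphism; 1: open the cycle only
    perm, keys = state
    if challenge == 0:
        return perm, keys
    k = len(cycle)
    cyc = [frozenset((perm[cycle[i]], perm[cycle[(i + 1) % k]])) for i in range(k)]
    return None, {p: keys[p] for p in cyc}

def is_hamilton_cycle(pairs, n):      # n pairs forming one cycle through all n nodes?
    nbrs = {v: set() for v in range(n)}
    for u, v in pairs: nbrs[u].add(v); nbrs[v].add(u)
    if len(pairs) != n or any(len(s) != 2 for s in nbrs.values()):
        return False
    prev, cur, steps = 0, min(nbrs[0]), 1
    while cur != 0:                   # walk the cycle that passes through node 0
        prev, cur, steps = cur, (nbrs[cur] - {prev}).pop(), steps + 1
    return steps == n

def arthur_check(n, edges, boxes, challenge, perm, opened):
    if challenge == 0:                # every box must match the permuted graph
        adj = relabel(edges, perm)
        return sorted(perm) == list(range(n)) and all(
            lock(opened[p], int(p in adj)) == boxes[p] for p in boxes)
    return (all(lock(key, 1) == boxes[p] for p, key in opened.items())   # only "edge" boxes,
            and is_hamilton_cycle(list(opened), n))                      # forming a cycle

def run_round(n, edges, cycle, challenge, rng=random):
    boxes, state = merlin_commit(n, edges, rng)           # Merlin -> Arthur
    perm, opened = merlin_open(challenge, state, cycle)   # Arthur -> Merlin -> Arthur
    return arthur_check(n, edges, boxes, challenge, perm, opened)

# Constructed graph: the 5-cycle 0-1-2-3-4-0 plus the chord (0, 2); CYCLE is Merlin's secret.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)]
CYCLE = [0, 1, 2, 3, 4]
```

A cheating Merlin who commits to a graph without a Hamilton cycle must gamble on which challenge Arthur will pick, so each round halves his chance of surviving; a challenge-1 opening reveals only a random-looking cycle on randomly renamed nodes.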
Useful! Lets suspicious agents prove to
each other that they’re carrying out a
protocol correctly, without revealing the
secrets on which the proofs are based
One application: secure e-voting
Another famous NP-complete problem is 3-coloring a graph

Suppose two Merlins claim that they know how to 3-color a certain graph. Arthur will get a billion dollars if he can prove they’re lying, but he’s only allowed to ask them for the color of one node each
Solution: Arthur puts the Merlins in separate rooms, like police
suspects. He either picks a random node and asks both
Merlins its color (and checks that they give the same answer),
or he picks two neighboring nodes and asks one Merlin about
each (and checks that they give different answers)
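Arthur's two-question test, as an added example that is not from the slides; it assumes each Merlin is committed to a fixed answer table (the separate rooms mean neither can adapt to what the other was asked), and it computes the exact per-round catch probability as well as running repeated rounds.

```python
# Added example, not from the slides: Arthur's two-prover test for 3-coloring.
# Assumption: each Merlin answers a single node query from a fixed table.
import random
from fractions import Fraction


def arthur_round(edges, n, merlin1, merlin2, rng=random):
    """One random check; True means the Merlins survived this round."""
    if rng.randrange(2) == 0:
        v = rng.randrange(n)                       # same node to both: must agree
        return merlin1(v) == merlin2(v)
    u, v = rng.choice(edges)                       # one endpoint each: must differ
    if rng.randrange(2):
        u, v = v, u
    return merlin1(u) != merlin2(v)


def arthur_accepts(edges, n, merlin1, merlin2, rounds, rng=random):
    return all(arthur_round(edges, n, merlin1, merlin2, rng) for _ in range(rounds))


def catch_probability(edges, n, merlin1, merlin2):
    """Exact probability that one round ends in "BS!" for two fixed answer
    tables; repetition drives the overall acceptance chance toward 0."""
    bad_nodes = sum(merlin1(v) != merlin2(v) for v in range(n))
    bad_ends = (sum(merlin1(u) == merlin2(v) for u, v in edges)
                + sum(merlin1(v) == merlin2(u) for u, v in edges))
    return Fraction(bad_nodes, 2 * n) + Fraction(bad_ends, 4 * len(edges))


# Constructed graph: a triangle 0-1-2 with node 3 hanging off node 2.
EDGES = [(0, 1), (1, 2), (0, 2), (2, 3)]
N = 4
GOOD = {0: 0, 1: 1, 2: 2, 3: 0}          # a proper 3-coloring
BAD = {0: 0, 1: 1, 2: 2, 3: 2}           # edge (2, 3) is monochromatic
honest = (GOOD.get, GOOD.get)
liars = (BAD.get, BAD.get)               # consistent with each other, but wrong
split = (GOOD.get, {**GOOD, 3: 1}.get)   # disagree on node 3: the consistency check bites

if __name__ == "__main__":
    print(catch_probability(EDGES, N, *honest))    # 0
    print(catch_probability(EDGES, N, *liars))     # 1/8 per round
    print(catch_probability(EDGES, N, *split))     # 1/8 per round
    print(arthur_accepts(EDGES, N, *honest, 200))  # True
    print(arthur_accepts(EDGES, N, *liars, 300))   # False (passes with prob. (7/8)**300)
```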
Pushing this further leads to the PCP Theorem, one of the crown
jewels of theoretical computer science
Any formal proof can be rewritten in an “error-correcting”
format, in such a way that its validity can be checked, with
high confidence, by looking at only 10 or 20 random bits
Application: Implies that, for many NP-complete problems,
finding an approximate solution is as hard as finding an exact one

Recent Realization: Even if they can’t talk to each other, the two
Merlins could still sometimes cheat by measuring quantum-
mechanically entangled particles! (Related to the famous Bell Inequality)

But we now know that every multi-prover protocol can be “immunized” against entangled provers (Ito-Vidick 2012)
Summary
With Frege, Russell, Gödel, etc, “proofs” became mathematical
objects in their own right: sequences of symbols that can be
verified by a machine, and that no human needs to understand
Today, theoretical computer science has taken the separation between verifying and understanding even further, by making “proofs” interactive, probabilistic, zero-knowledge, quantum…

Will we ever have a mechanistic account of explaining and understanding, in the same sense that we now have a mechanistic account of proving and verifying?
What’s the point of this? Russell et al.’s redefinition of proof
helped bring us the computer age. The modern redefinitions
of proof helped bring us secure electronic commerce, as well
as profound insights into the nature of computation
Central irony: All these amazing discoveries about proof relied
themselves on “traditional,” understanding-based proofs!
