Editing Arthur–Merlin protocol

{{short description|Interactive proof system in computational complexity theory}}
{{More citations needed|date=July 2016}}
In [[computational complexity theory]], an '''Arthur&ndash;Merlin protocol''', introduced by {{Harvtxt|Babai|1985}}, is an [[interactive proof system]] in which the verifier's coin tosses are constrained to be public (i.e. known to the prover too). {{Harvtxt|Goldwasser|Sipser|1986}} proved that all (formal) [[formal language|languages]] with interactive proofs of arbitrary length with private coins also have interactive proofs with public coins.

Given two participants in the protocol called Arthur and Merlin respectively, the basic assumption is that Arthur is a standard computer (or verifier) equipped with a [[Random number generation|random number generating device]], while Merlin is effectively an [[oracle (computer science)|oracle]] with infinite computational power (also known as a prover). However, Merlin is not necessarily honest, so Arthur must analyze the information provided by Merlin in response to Arthur's queries and decide the problem itself. A problem is considered to be solvable by this protocol if whenever the answer is "yes", Merlin has some series of responses which will cause Arthur to accept at least {{frac|2|3}} of the time, and if whenever the answer is "no", Arthur will never accept more than {{frac|1|3}} of the time. Thus, Arthur acts as a probabilistic polynomial-time verifier, assuming it is allotted polynomial time to make its decisions and queries.

==MA==
The simplest such protocol is the 1-message protocol where Merlin sends Arthur a message, and then Arthur decides whether to accept or not by running a probabilistic polynomial time computation. (This is similar to the verifier-based definition of NP, the only difference being that Arthur is allowed to use randomness here.) Merlin does not have access to Arthur's coin tosses in this protocol, since it is a single-message protocol and Arthur tosses his coins only after receiving Merlin's message. This protocol is called ''MA''. Informally, a [[formal language|language]] ''L'' is in '''MA''' if for all strings in the language, there is a polynomial sized proof that Merlin can send Arthur to convince him of this fact with high probability, and for all strings not in the language there is no proof that convinces Arthur with high probability.

Formally, the complexity class '''MA''' is the set of decision problems that can be decided in polynomial time by an Arthur–Merlin protocol where Merlin's only move precedes any computation by Arthur. In other words, a language ''L'' is in '''MA''' if there exists a polynomial-time deterministic Turing machine ''M'' and polynomials ''p'', ''q'' such that for every input string ''x'' of length ''n'' = |''x''|,
*if ''x'' is in ''L'', then <math>\exists z\in\{0,1\}^{q(n)}\,\Pr\nolimits_{y\in\{0,1\}^{p(n)}}(M(x,y,z)=1)\ge2/3,</math>
*if ''x'' is not in ''L'', then <math>\forall z\in\{0,1\}^{q(n)}\,\Pr\nolimits_{y\in\{0,1\}^{p(n)}}(M(x,y,z)=0)\ge2/3.</math>

The second condition can alternatively be written as
*if ''x'' is not in ''L'', then <math>\forall z\in\{0,1\}^{q(n)}\,\Pr\nolimits_{y\in\{0,1\}^{p(n)}}(M(x,y,z)=1)\le1/3.</math>

To compare this with the informal definition above, ''z'' is the purported proof from Merlin (whose size is bounded by a polynomial) and ''y'' is the random string that Arthur uses, which is also polynomially bounded.

==AM==
The [[complexity class]] '''AM''' (or '''AM[2]''') is the set of [[decision problem]]s that can be decided in polynomial time by an Arthur&ndash;Merlin protocol with two messages. There is only one query/response pair: Arthur tosses some random coins and sends the outcome of ''all'' his coin tosses to Merlin, Merlin responds with a purported proof, and Arthur deterministically verifies the proof. In this protocol, Arthur is only allowed to send outcomes of coin tosses to Merlin, and in the final stage Arthur must decide whether to accept or reject using only his previously generated random coin flips and Merlin's message.

In other words, a language ''L'' is in '''AM''' if there exists a polynomial-time deterministic Turing machine ''M'' and polynomials ''p'', ''q'' such that for every input string ''x'' of length ''n'' = |''x''|,
*if ''x'' is in ''L'', then <math>\Pr\nolimits_{y\in\{0,1\}^{p(n)}}(\exists z\in\{0,1\}^{q(n)}\,M(x,y,z)=1)\ge2/3,</math>
*if ''x'' is not in ''L'', then <math>\Pr\nolimits_{y\in\{0,1\}^{p(n)}}(\forall z\in\{0,1\}^{q(n)}\,M(x,y,z)=0)\ge2/3.</math>

The second condition here can be rewritten as 
*if ''x'' is not in ''L'', then <math>\Pr\nolimits_{y\in\{0,1\}^{p(n)}}(\exists z\in\{0,1\}^{q(n)}\,M(x,y,z)=1)\le1/3.</math>

As above, ''z'' is the alleged proof from Merlin (whose size is bounded by a polynomial) and ''y'' is the random string that Arthur uses, which is also polynomially bounded.

The complexity class '''AM[''k'']''' is the set of problems that can be decided in polynomial time, with ''k'' queries and responses. '''AM''' as defined above is '''AM[2]'''. '''AM[3]''' would start with one message from Merlin to Arthur, then a message from Arthur to Merlin and then finally a message from Merlin to Arthur. The last message should always be from Merlin to Arthur, since it never helps for Arthur to send a message to Merlin after deciding his answer.

==Properties==

[[File:Arthur-Merlin classes diagram.svg|alt=A diagram showcasing the relationships of MA and AM with other complexity classes described in the article.|thumb|Known relationships of '''MA''' and '''AM''' with other complexity classes. An arrow from class ''A'' to class ''B'' means ''A'' is a subset of ''B''.]]

* Both '''MA''' and '''AM''' remain unchanged if their definitions are changed to require perfect completeness, which means that Arthur accepts with probability 1 (instead of 2/3) when ''x'' is in the language.<ref>For a proof, see {{cite web|url=http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture17.pdf|title=Lecture 17: Arthur-Merlin games, Zero-knowledge proofs|author=Rafael Pass and Jean-Baptiste Jeannin|date=March 24, 2009|access-date=June 23, 2010}}</ref>
* For any constant ''k'' ≥ 2, the class '''AM[''k'']''' is equal to '''AM[2]'''. If ''k'' can be polynomially related to the input size, the class '''AM'''[poly(''n'')] is equal to the class, '''[[IP (complexity)|IP]]''', which is known to be equal to '''[[PSPACE]]''' and is widely believed to be stronger than the class '''AM[2]'''.
* '''MA''' is contained in '''AM''', since '''AM'''[3] contains '''MA''': Arthur can, after receiving Merlin's certificate, flip the required number of coins, send them to Merlin, and ignore the response.
* It is open whether '''AM''' and '''MA''' are different. Under plausible circuit lower bounds (similar to those implying '''P'''='''BPP'''), they are both equal to '''NP'''.<ref>{{Cite book |last1=Impagliazzo |first1=Russell |last2=Wigderson |first2=Avi |date=1997-05-04 |title=P = BPP if E requires exponential circuits: derandomizing the XOR lemma |publisher=ACM |pages=220–229 |doi=10.1145/258533.258590 |isbn=0897918886|s2cid=18921599 }}</ref>
* '''AM''' is the same as the class '''BP⋅NP''' where '''BP''' denotes the bounded-error probabilistic operator. Also, '''<math> \exists \cdot \mathsf{BPP}</math>''' ( also written as '''ExistsBPP''') is a subset of '''MA'''. Whether '''MA''' is equal to '''<math> \exists \cdot \mathsf{BPP}</math>''' is an open question.
* The conversion to a private coin protocol, in which Merlin cannot predict the outcome of Arthur's random decisions, will increase the number of rounds of interaction by at most 2 in the general case. So the private-coin version of '''AM''' is equal to the public-coin version.
* '''MA''' contains both '''[[NP (complexity)|NP]]''' and '''[[BPP (complexity)|BPP]]'''. For BPP this is immediate, since Arthur can simply ignore Merlin and solve the problem directly; for NP, Merlin need only send Arthur a certificate, which Arthur can validate deterministically in polynomial time.
* Both '''MA''' and '''AM''' are contained in the [[polynomial hierarchy]]. In particular, '''MA''' is contained in the intersection of Σ<sub>2</sub><sup>P</sup> and Π<sub>2</sub><sup>P</sup> and '''AM''' is contained in Π<sub>2</sub><sup>P</sup>. Even more, '''MA''' is contained in subclass '''[[S2P (complexity)|{{nowrap|S{{su|p=P|b=2}}}}]]''',<ref>{{cite web|url=http://www.ccs.neu.edu/home/koods/papers/russell98symmetric.pdf |title=Symmetric Alternation captures BPP|website=Ccs.neu.edu|access-date=2016-07-26}}</ref> a complexity class expressing "symmetric alternation". This is a generalization of [[Sipser–Lautemann theorem]].
* '''AM''' is contained in '''[[NP/poly]]''', the class of decision problems computable in non-deterministic polynomial time with a polynomial size [[advice (complexity)|advice]]. The proof is a variation of [[P/poly#Adleman's theorem|Adleman's theorem]].
* '''MA''' is contained in '''[[PP (complexity)|PP]]'''; this result is due to Vereshchagin.<ref>{{Cite book|last=Vereschchagin|first=N.K. |pages=138–143 |doi=10.1109/sct.1992.215389|isbn=081862955X|year=1992|chapter=On the power of PP |title=&#91;1992&#93; Proceedings of the Seventh Annual Structure in Complexity Theory Conference |s2cid=195705029 }}</ref>
* '''MA''' is contained in its quantum version, '''[[QMA]]'''.<ref>{{Cite journal |last1=Vidick |first1=Thomas |last2=Watrous |first2=John |date=2016 |title=Quantum Proofs |journal=Foundations and Trends in Theoretical Computer Science |volume=11 |issue=1–2 |pages=1–215 |doi=10.1561/0400000068 |issn=1551-305X|arxiv=1610.01664 |s2cid=54255188 }}</ref>
* '''AM''' contains the [[graph isomorphism problem|problem]] of deciding if two graphs are ''not'' isomorphic. The protocol using private coins is the following and can be transformed to a public coin protocol. Given two graphs ''G'' and ''H'', Arthur randomly chooses one of them, and chooses a random permutation of its vertices, presenting the permuted graph ''I'' to Merlin. Merlin has to answer if ''I'' was created from ''G'' or ''H''. If the graphs are nonisomorphic, Merlin will be able to answer with full certainty (by checking if ''I'' is isomorphic to ''G''). However, if the graphs are isomorphic, it is both possible that ''G'' or ''H'' was used to create ''I'', and equally likely. In this case, Merlin has no way to tell them apart and can convince Arthur with probability at most 1/2, and this can be amplified to 1/4 by repetition. This is in fact a [[zero knowledge proof]].
* If '''AM''' contains '''coNP''' then '''[[Polynomial hierarchy|PH]]''' = '''AM'''. This is evidence that graph isomorphism is unlikely to be NP-complete, since it implies collapse of polynomial hierarchy.
* It is known, assuming [[extended Riemann hypothesis|ERH]], that for any ''d'' the problem "Given a collection of multivariate polynomials <math>f_i</math> each with integer coefficients and of degree at most ''d'', do they have a common complex zero?" is in '''AM'''.<ref>{{cite web|url=http://people.csail.mit.edu/madhu/FT98/course.html |title=Course: Algebra and Computation |website=People.csail.mit.edu |access-date=2016-07-26}}</ref>

==References==
{{Reflist}}

==Bibliography==
* {{Citation | last1=Babai | first1=László | author1-link=László Babai | title=STOC '85: Proceedings of the seventeenth annual ACM symposium on Theory of computing | publisher=ACM | isbn=978-0-89791-151-1 | year=1985 | chapter=Trading group theory for randomness | pages=421–429}}.
* {{Citation | last1=Goldwasser | first1=Shafi | author1-link=Shafi Goldwasser | last2=Sipser | first2=Michael | author2-link=Michael Sipser | title=STOC '86: Proceedings of the eighteenth annual ACM symposium on Theory of computing | publisher=ACM | isbn=978-0-89791-193-1 | year=1986 | chapter=Private coins versus public coins in interactive proof systems | pages=59–68}}.
*{{Citation
| last1=Arora | first1=Sanjeev | author-link1=Sanjeev Arora
| last2=Barak | first2=Boaz
| title=Computational Complexity: A Modern Approach
| url = http://www.cs.princeton.edu/theory/complexity/
| publisher=[[Cambridge University Press|Cambridge]]
| year=2009
| isbn=978-0-521-42426-4
}}.
* [http://theory.lcs.mit.edu/~madhu/ST05/ Madhu Sudan's MIT course on advanced complexity]

==External links==
*{{CZoo|MA|M#ma}}
*{{CZoo|AM|A#am}}

{{ComplexityClasses}}

{{DEFAULTSORT:Arthur-Merlin protocol}}
[[Category:Randomized algorithms]]