5

The book Arora and Barak defines class IP (interactive protocol) by making the verifier have private coins. Before proceeding to public coin proofs and showing they are the "same," the book mentions the following:

The probabilities of correctly classifying an input can be made arbitrarily close to 1 by using the same boosting technique we used for BPP: to replace $2/3$ by $1-e^{-m}$, sequentially repeat the protocol $m$ times and take the majority answer. In fact, using a more complicated proof, it can be shown that we can decrease the probability without increasing the number of rounds using parallel repetition (i.e., the prover and verifier will run $m$ executions of the protocol in parallel).

Why does the naive idea of simply having the verifier and prover exchange an array of polynomially many messages (different copies) in each round not work? This doesn't increase the rounds. Assuming that for each copy, the verifier uses independent random coins.

advocateofnone

2 Answers

2

Consider the following protocol, which assumes familiarity with cryptographic commitments. It is safe to imagine them as "locked boxes".

  1. Verifier chooses a random bit $b \gets \{0,1\}$ and sends a commitment $C = \textsf{Com}(b)$ to the prover.

  2. Verifier expects to receive commitment $C'$ from the prover.

  3. Verifier opens $C$ to the prover, thus revealing $b$.

  4. Verifier expects the prover to open $C'$, revealing its contents $b'$.

  5. Verifier accepts iff $C' \ne C$ and $b = b'$.

Intuitively, the verifier challenges the prover to guess $b$, and the condition $C \ne C'$ ensures that the prover cannot simply replay the verifier's commitment. Using a suitably non-malleable commitment scheme, no prover can succeed with probability significantly more than 1/2.

Now imagine the 2-way parallel repetition of this protocol:

  1. Verifier chooses random bits $b_1, b_2 \gets \{0,1\}$ and sends commitments $C_1 = \textsf{Com}(b_1)$ and $C_2 = \textsf{Com}(b_2)$ to the prover.

  2. Verifier expects to receive commitments $C'_1, C'_2$ from the prover.

  3. Verifier opens $C_1, C_2$ to the prover, thus revealing $b_1, b_2$.

  4. Verifier expects the prover to open $C'_1, C'_2$, revealing their contents $b'_1, b'_2$.

  5. Verifier accepts iff $(C'_1, C'_2) \ne (C_1, C_2)$ and $(b_1,b_2) = (b'_1,b'_2)$.

The prover's strategy now is just to swap the verifier's 2 commitments -- that is, choose $(C'_1, C'_2) = (C_2, C_1)$. This will have the effect that $(b'_1, b'_2) = (b_2, b_1)$. What is the probability that the verifier accepts?

  • With overwhelming probability $C_1 \ne C_2$ so the first condition checked by the verifier is true.
  • The last condition is $(b_1,b_2) = (b'_1,b'_2) = (b_2,b_1)$, which happens with probability 1/2.

Conclusion: The parallel repetition protocol has soundness error 1/2 instead of $(1/2)^2$ as you might expect.

Source: I adapted this example from Iftach Haitner's lecture notes (counterexample).

Mikero
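The counterexample in the answer above can be checked empirically. The following simulation is an added example, not part of the answer or of the cited lecture notes; it assumes a salted SHA-256 hash as a stand-in for $\textsf{Com}$, and the names `GuessingProver`, `SwapProver`, `run_parallel` and `acceptance_rate` are hypothetical.

```python
import hashlib
import secrets

def commit(bit):
    """Hash-based stand-in for Com(b) (an assumption): returns (commitment, opening)."""
    r = secrets.token_bytes(16)
    return hashlib.sha256(r + bytes([bit])).digest(), (bit, r)

def opens_to(c, opening):
    """Check that an opening (bit, randomness) matches commitment c."""
    bit, r = opening
    return hashlib.sha256(r + bytes([bit])).digest() == c

class GuessingProver:
    """Treats every copy independently: commits to its own random guess per copy."""
    def commitments(self, cs):
        pairs = [commit(secrets.randbelow(2)) for _ in cs]
        self.openings = [o for _, o in pairs]
        return [c for c, _ in pairs]
    def open(self, verifier_openings):
        return self.openings

class SwapProver:
    """Correlates the copies: returns the verifier's commitments, then its openings, reversed."""
    def commitments(self, cs):
        return cs[::-1]
    def open(self, verifier_openings):
        return verifier_openings[::-1]

def run_parallel(prover, k):
    """One run of the k-way parallel protocol; True iff the verifier accepts."""
    bits = [secrets.randbelow(2) for _ in range(k)]
    pairs = [commit(b) for b in bits]                # step 1
    cs = [c for c, _ in pairs]
    cs_p = prover.commitments(cs)                    # step 2
    opened = prover.open([o for _, o in pairs])      # steps 3 and 4
    return (cs_p != cs                               # step 5: tuple differs from verifier's
            and all(opens_to(c, o) for c, o in zip(cs_p, opened))
            and [b for b, _ in opened] == bits)      # step 5: every revealed bit matches

def acceptance_rate(prover_cls, k, trials=4000):
    """Fraction of independent runs in which the verifier accepts."""
    return sum(run_parallel(prover_cls(), k) for _ in range(trials)) / trials

if __name__ == "__main__":
    for cls, k in [(GuessingProver, 1), (GuessingProver, 2), (SwapProver, 1), (SwapProver, 2)]:
        print(cls.__name__, "k =", k, "acceptance rate:", acceptance_rate(cls, k))
```

With $k = 1$ the reversed list is a plain replay and is always rejected; with $k = 2$ the swap passes the inequality check and the bits match whenever $b_1 = b_2$.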
0

This is a supplement to the answer by @Mikero, for anyone else having the same doubts as me.

  1. We repeat in parallel and take the majority. In this case, we can reduce the error in the completeness condition by using the Chernoff bound, as for an honest prover who acts oblivious to interactions corresponding to different copies, the repetitions are "independent". However, the same idea cannot be used to reduce the error in the soundness condition against a cheating/dishonest prover who might base his answers on the view of interactions across all the copies. Thus, in parallel repetition, the argument is a bit tedious and is laid out in the paper On parallel repetition of interactive proof systems by Oded Goldreich.
  2. We repeat sequentially and take the majority. Taking the majority and using Chernoff works fine in sequential repetition, where the original protocol is repeated many times sequentially. The reason that the above problem (with parallel repetition) doesn't crop up here is because each repetition is an instance of the original protocol; and in the completeness condition of the original protocol we have that for any prover $P$ it cannot fool $V$ with probability $\ge \frac{1}{3}$. This helps us argue about error reduction for the soundness condition by Chernoff bound. I have a separate question for that, again answered by @Mikero.
advocateofnone