sign in sign up
<<
Home , Polynomial hierarchy

ATaxonomy of Pro of Systems

Oded Goldreich

Department of Computer Science and Applied Mathematics

Weizmann Institute of Science Rehovot Israel

September

Abstract

Several alternative formulations of the concept of an ecient pro of system are nowadays

co existing in our eld These systems include the classical formulation of NP interactive proof

systems giving rise to the class IP computational lysound proof systemsand probabilistical ly

checkable proofs PCP which are closely related to multiprover interactive proofs MI P

Although these notions are sometimes intro duced using the same generic phrases they are

actually very dierent in motivation applications and expressivepower The main ob jectiveof

this essay is to try to clarify these dierences

This is a revised version of a survey which has app eared in Complexity Theory Retrospective II A Hemaspaan

dra and A Selman eds

Intro duction

In recentyears alternativeformulations of the concept of an ecient pro of system have received

much attention Not only have talks and pap ers concerning these systems o o ded the eld of

theoretical computer science but also some of these developments havereached the nontheory

community and a few were even rep orted in nonscientic forums suchastheNew York Times

Thus I am quite sure that the reader has heard of phrases suchasinteractive pro ofs and results

suchasIP PSPACE

By no means am I suggesting that the interest in the various formulations of ecientproof

systems has gone out of prop ortion Certainly the notion of an ecient pro of system is central to the

eld of computer science and I nd it hard to conceive of circumstances in which one mightsay that

it was receiving to o muchattention Furthermore the research area established by these notions

has b een one of the most successful and rewarding enterprises in which the theoretical computer

science community has b een involved For example zeroknowledge pro ofs haverevolutionized the

design of cryptographic proto cols and the characterization of NP in terms of probabilistically

checkable pro ofs has contributed to and in fact revived the attempts to classify the complexity

of approximation problems

Except for NP pro of systems reviewed b elow are probabilistic and furthermore ha ve a non

zero error probabilityHowever the error probability is explicitly b ounded and can b e reduced by

successive applications of the pro of system In all cases nonzero error probability is essential to

the interesting prop erties and consequences that these probabilistic pro of systems have

Referencing convention

Ihave decided to pro ceed in a somewhat unconventional way and have decoupled the technical

exp osition from the story b ehind its evolution These parts app ear in separate sections whichcan

b e read indep endently of each other When reading the technical part the reader should b ear

in mind that the references in this part are minimal and denitely substandard with the sole

objective of referring the reader to the b est source for more details I wish to stress that the b est

source for more details is not necessarily the source that deserves the most credit The situation

is reversed in the story part whichcontains only credits or more accurately my evaluation of

the contribution of the various works to the development of the eld

Addendum

The currentversion is augmented by an op en problems section

ATechnical Exp osition

The notion of a pro of is one of the more fundamental notions of our culture In particular it

is central to science and sp ecically to mathematics and computer science Yet although p eople

always talk of proofs the fundamental issue is the verication pro cedure Pro of systems are dened

by their verication pro cedure and it is the verication pro cedure that gives them their value

The notion of a verication pro cedure assumes the notion of computation and furthermore

ecient computation This implicit assumption is made explicit in the denition of NP It is the

asso ciation of ecient computation with deterministic p olynomialtime algorithms that yields the

asso ciation of ecient pro of systems with the class NPNamely to prove the validity of some

statement one supplies a relatively short pro of and the verication pro cedure consists of

running a p olynomialtime algorithm on input

Technical Remarks All complexity measures mentioned in the subsequent exp osition are assumed

to b e constructible in p olynomial time We denote by poly the set of all p olynomials and by log

the set of all logarithmic functions ie integer functions b ounded by O log n We adopt the

def def

poly poly

standard notations EX P DTIME andNEXP NTIME

Interactive Pro of Systems

In light of the growing acceptability of randomized and interactive computations it is only natural

e p olynomialtime to asso ciate the notion of ecient computation with probabilistic and interactiv

computations This leads naturally to the notion of an interactive pro of system in which the veri

cation pro cedure is interactive and randomized rather than b eing noninteractive and deterministic

as in NP A sketch of the formal denition is given in Item b elow We stress that no com

putational restrictions are placed on the prover Items and intro duce additional complexity

measures that can b e ignored in a rst reading

Denition Interactive Pro ofs IP

An interactive pro of system ips for a language L is a pair P V of interactive machines

that V is a probabilistic polynomialtime machine satisfying

CompletenessFor every x L the verier V always accepts after interacting with the

prover P on common input x

SoundnessFor every x L and every potential prover P the verier V rejects with

probability at least after interacting with P on common input x

Let m and beinteger functions The IP mr consists of languages

having an in which on common input x the verier uses at most

r jxj coin tosses and the total number of messages exchangedbetween the parties is bounded

by mjxj

Let M and R be sets of integer functions Then

def

IP M R IP mr

mMrR

def def

IPm poly and IP IP poly Final ly IP m

Weavoid the denition of interacting machines This denition can b e found in

In Item wehave followed the common convention of sp ecifying b oth the verier and the prover

An alternative presentation only sp ecies the verier while rephrasing the completeness condition

as follows

There exists a machine P a prover so that for every x L the verier V always

accepts after interacting with P on common input x

The soundness condition allows for errors that is executions in which the verier accepts x L

In general one may consider the error probability in Yet the error is explicitly b ounded by

the soundness condition as another parameter It is not hard to see that the error probabilityin

interactive pro ofs can b e reduced by indep endent sequential andor parallel rep etitions Actually

this holds even for somewhat dep endent parallel rep etitions see which is instructive also for

the simpler case of indep endent parallel rep etitions On the other hand requiring zero soundness

error in interactive pro of systems restricts their existence to languages in NP

We stress that although wehave relaxed the requirements from the verication pro cedure by

allowing it to interact toss coins and err with b ounded probabilitywe did not restrict the validity

of the assertions by assumptions concerning the p otential prover This should b e contrasted with

later notions of pro of systems such as computationallysound ones and multiprover ones in which

the validity of the soundness condition dep ends on assumptions concerning the external proving

entity

Known results

Clearly IP poly equals coRP whereas IP equals NPFurthermore IP poly con

tains BP P see or Hence IP IP polycontains BP P N P whereas we currently

do not know whether NP contains BP P It is also easy to see that IP log collapses to

IP P whereas IPpoly log collapses to IP NP The main result concerning

interactive pro of systems is that they exist for any language recognizable in p olynomial space

Namely

Theorem IP PSPACE

Theorem was established using algebraic metho ds In particular the following approach

unprecedented in complexity theory was employed In order to demonstrate that a particular

language is in a particular class an arithmetic generalization of the Bo olean problem is presented

and algebraic metho ds are applied to show that the arithmetic problem is solvable

within the class Interestingly this technique do es not relativize and furthermore yields results

eg IP PSPACE that are false relative to most oracles providing a dramatic refutation of

the Random Oracle Hyp othesis see

Concerning the ner structure of the IPhierarchy the following is known

For every integer function f so that f n for all n the class IP O f collapses to

the class IP f and in particular IP O collapses to IP

The class IP contains languages not known to b e in NP eg Graph NonIsomorphism



See for the general technique and for its applicati on yielding the quoted result

The class IP is contained in NPp oly ie nonuniformNP analogously to BP P

P poly

If coNP IP then the p olynomialtime hierarchy collapses

It is conjectured that coNP is not contained in IP and consequently that interactive pro ofs

with an unb ounded numb er of message exchanges are more p owerful than interactive pro ofs in

which only a b ounded ie constant numb er of messages are exchanged

The IPhierarchy ie IP equals an analogous hierarchy in whichtheverier is restricted to

send the outcome of any coin it tosses The latter restricted pro of systems are called Arthur

Merlin games or publiccoin interactive proofs In addition aside from the zerolevel and level

the IPhierarchy equals an analogous twosided error hierarchy In the latter pro of systems

the completeness condition is relaxed so that the verier is required to accept each x L with

probabilityatleast

ZeroKnowledge and Knowledge Complexity

Zeroknowledge is a central notion in cryptography Here we only discuss its conceptual signif

icance to the theory of pro of systems Zeroknowledge pro ofs are interesting as they exhibit a

somewhat extreme contrast b etween b eing convinced of the validity of a statement and learning

something in addition while receiving suchaconvincing pro of Namely zeroknowledge pro ofs have

the remarkable prop erty of b eing convincing while yielding nothing to the verier b eyond the fact

that the statementisvalid

In the formulation of the statementP V isa zeroknow ledge pro of system for the language

L one considers two probability distributions for each input x in L

The output distribution of the verier after interacting with the sp ecied prover P on com

mon input x

The output distribution of some probabilistic p olynomialtime machine not interacting with

anyone on input x

The basic paradigm of zeroknowledge asserts that for every distribution of typ e there exist

a similar distribution of typ e The sp ecic variants dier by the interpretation given to

similarity The most strict interpretation leading to perfect zeroknow ledge is that similarity

means equality A somewhat relaxed interpretation leading to almostperfect zeroknow ledgeis

that similarity means statistical closeness ie negligible dierence b etween the distributions

The most lib eral interpretation leading to the standard usage of the term zeroknowledge and

sometimes referred to as computational zeroknow ledge is that similarity means computational

indistinguishabi li ty ie failure of any ecient pro cedure to tell the two distributions apart

The most imp ortant result concerning zeroknowledge is that assuming the existence of oneway

functions each language in NP and actually even in IP has a zeroknowledge interactiveproof

system see and resp ectively This result should b e contrasted with the results

regarding the complexityofalmostperfect zeroknowledge pro of systems namely that suchproof

systems exist only for languages in IP coIP Also a recent result indicates that

oneway functions are essential for the existence of zeroknowledge pro ofs for hard languages ie

languages that cannot b e decided in average p olynomial time Nonzero error probabilityis



The verier is not necessarily the one sp ecied ie V yet for sake of simplicity this issue is ignored here



See also an app endix in indicatin g an error in

essential also to zeroknowledge pro ofs which otherwise exist only for coRP Hence b esides

the apparent strengthening of expressivepower interactive pro of systems do oer some prop erties

sp ecically zeroknowledge that cannot b e oered by an NPpro of system

An extensive treatment of zeroknowledge can b e found in Zeroknowledge is the lowest

level of several knowledgecomplexity hierarchies that quantify the amount of knowledge revealed

by a pro of system Denitions and results concerning these hierarchies can b e found in

and

Howpowerful should the completeness prover b e

Assume that a language L is in IP This means that there is a verier V that can b e convinced

to accept any input in L but cannot b e convinced to accept an input not in L One can ask how

powerful should a prover b e so that it can convince the verier V to accept an input in LMore

interestingly considering all p ossible veriers that give rise to an interactive pro of system for L

what is the minimum p ower required from a prover that satises the completeness requirement

with resp ect to one of these veriers We stress that unlike in the case of computationallysound

er of the prover in the soundness con pro of systems discussed b elow we do not restrict the p ow

dition but rather consider the minimum complexityofprovers meeting the completeness condition

Sp ecicallywe are interested in relatively ecient provers meeting the completeness condition

The term relatively ecientprover has b een given three dierentinterpretations

st interpretationAprover is considered relatively ecient if when given an auxiliary input in

addition to the common input in L it works in probabilistic p olynomial time Sp ecicall y in the

case L NP the auxiliary input may b e an NPwitness that the common input is in the language

Even in this case the interactive pro of need not consist of the prover sending the auxiliary input

to the verier for example an alternative pro cedure may allow the prover to b e zeroknowledge

see This interpretation is adequate and in fact crucial for applications in whichsuchan

auxiliary input is available to the otherwise p olynomialtime parties Typically the auxiliary input

is available in cryptographic applications in which b oth the input and an NPwitness for it are

generated by some party who later wishes to prove in zeroknowledge that the input is in the

language See

nd interpretation A prover is considered relatively ecient if it can b e implemented byaproba

bilistic p olynomialtime with oracle access to the language L itself This interpre

tation generalizes the notion of selfreducibil ity of NP languages By selfreducibil ityofanNP

language we mean that the search problem of nding an NPwitness is Co okreducible to deciding

memb ership in the language Thus every NP language has a relatively ecientproof

system See

rd interpretationAprover is considered relatively ecient if it can b e implemented by a proba

bilistic machine that runs in time that is p olynomial in the deterministic complexity of the language

This interpretation relates the dicultyofconvincing a lazy verier to the complexity of nding

the truth alone Hence in contrast to the rst interpretation which is adequate in settings where

NPassertions are generated along with their NPpro ofs the currentinterpretation is adequate in

settings in which the prover is given only an assertion and has to convince itself of the validityof

the assertion b efore trying to convince a lazy verier of its validity See



For example supp ose a party generates a comp osite number bymultiplyin g together two primes and that it

later wishes to prove in in zeroknowledge that the number it has chosen indeed has this form Then this is an

NPstatement and the primes are the NPwitness for it

MIP and PCP

In contrast to the setting of interactive pro ofs where no restrictions have b een placed on the prover

the two settings discussed in this section do imp ose restrictions on the prover Interestingly the

expressive p ower of the pro of system is increased by these restrictions unless PSPACE

NEXP in which case the systems are equally p owerful We wish to stress that there is nothing

wrong in the fact that a pro of system b ecomes more p owerful once the prover is restricted Indeed

this restricts the provers abilities in case the input is in the language but it also restricts the

provers ability in case the input is not in the language Thus in general when restricting the

power of the prover the expressivepower of the pro of system can change in an arbitrary wayand

in particular stay the same Yet the eect of these restrictions in typically more drastic on the

soundness condition than on the completeness condition since the former employs an existential

quantier whereas the latter employs a universal quantier

But what is the justication for restricting the prover One answer is that in particular ap

plications this restriction can b e imp osed on the p otential provers A second answer is that this

restriction yields an alternativecharacterization for a fundamental complexity class ie NPand

that this alternativecharacterization enables one to get imp ortant results

MultiProver Interactive Pro of Systems MIP

wo or more entities and the In the multiprover interactive pro of setting the prover is split into t

restriction or assumption is that these entities cannot interact with each other Actually the

formulation allows them to co ordinate their strategies prior to interacting with the verier but it

is crucial that they do not exchange messages among themselves while interacting with the verier

It is customary to call each of these provingentities a prover and hence the term multiprover

pro of systems It turns out that twoprover systems are as p owerful as multiprover ones even

such in which the numb er of provers is a parameter that is p olynomially related to the input length

For sake of concreteness a denition of twoprover pro of systems is given b elow

Denition TwoProver Interactive Pro ofs A twoprover interactive pro of system fora lan

guage L is a triplet P P V of interactive machines so that V is a probabilistic polynomialtime

machine satisfying

CompletenessFor every x L the verier V always accepts after interacting sep arately and

concurrently with the provers P and P oncommon input x

SoundnessFor every x L and every potential pair of provers P and P the verier

V rejects with probability at least after interacting separately and concurrently with the

provers P and P oncommon input x

The set of languages having twoprover proof systems is denotedbyMI P

The twoprover mo del is reminiscent of the common p olice pro cedure of isolating collab orating

susp ects and interrogating each of them separatelyAtypical application in which the twoprover

mo del may b e assumed is an ATM that veries the validity of a pair of smartcards inserted

in two isolated slots of the ATM The advantage in using such a split system is that it enables

the presentation of p erfect zeroknowledge pro of systems for any language in NP using no

intractability assumptions



This is implicit in the universal quantier used in the soundness condition

Probabilistically Checkable Pro ofs PCP

When viewed in terms of an interactive pro of system the probabilistically checkable pro of PCP

setting consists of a prover that is memoryless Namely one can think of the prover as b eing an

oracle and of the messages sent to it as b eing queries A more app ealing interpretation is to view

the PCP setting as an alternativeway of generalizing NP Instead of receiving the entire pro of and

conducting a deterministic p olynomialtime computation as in the case of NP the verier may

toss coins and query the pro of only at lo cations of its choice Potentially this allows the verier to

utilize very long pro ofs ie of sup erp olynomial length or alternatively insp ect very few bits of a

p olynomially long pro of The basic denition of the PCP setting is given in Item b elow Yet

the complexity measures intro duced in Items and are of key imp ortance for the subsequent

discussions and should not b e ignored

Denition Probabilistic Checkable Pro ofs PCP

A probabilistic checkable pro of system p cp for a language L isaprobabilistic polynomialtime

oracle machine cal led verier denoted V satisfying

CompletenessFor every x L there exists an oracle set so that V on input x and

x

access to oracle always accepts x

x

SoundnessFor every x L and every oracle set machine V oninputx and access

to oracle rejects x with probability at least

Let r and q beinteger functions The complexity class PCPr q consists of languages

having a probabilistic checkable proof system in which the verier on any input of length n

uses at most r n random coins and makes at most q n queries

Let R and Q be sets of integer functions Then

def

PCPR Q PCPr q

r Rq Q

Note that the oracle in a p cp system constitutes a pro of in the standard mathematical sense

x

Jumping ahead the oracles in p cp systems characterizing NP have the prop erty of b eing NP

pro ofs themselves Yet this oracle has the extra prop erty of enabling a lazy verier to toss coins

take its chances and verify the pro of without reading all of it but rather by reading a tiny p ortion

of it

Typical applications for probabilistically chec kable pro ofs arise from settings in which the prover is

committed to a single pro of and cannot mo dify it dep ending on previous queries of the verier

See for example

The expressivepower of PCP

Clearly PCPpoly equals coRP whereas PCP polyequals NP It is easy to prove an upp er

b ound on the nondeterministic of languages in the PCP hierarchy Namely

O r log

Prop osition For every integer function r the class PCPr poly is containedin NTIME

Hence PCPlog poly NP

r n

Pro of Sketch Observe that guessing the b est oracle amounts to guessing only p oly n

many oracle values

t but proving this is much more dicult to say the least These upp er b ounds turn out to b e tigh

Theorem NP is containedin PCPlogO

Corollary The PCP characterization of NP NP PCPlogO

I consider the pro of of Theorem to b e one of the most complicated pro ofs in computer science

and b elievethatitisvery imp ortant to nd a simpler pro of that may b e taught in an advanced

complexity theory class By adapting the pro of of Theorem one gets also

p olyn

Theorem Theorem Generalized Let t be an integer function so that ntn

for al l ns Then the class NTIMEt is contained in the class PCPO log tO

Corollary NEXP PCPpolyO

Interestingly the two complexity measures in the PCPcharacterization of NP can b e traded o

so that at the extremes wegetNP PCPlogO and NP PCP poly resp ectively

Prop osition There exist constants such that for every integer function l so that

l n log n

NP PCPr q

ln

where r n log n l n and q n

Pro of Sketch Starting with Theorem one can scan all p ossibilities for the l nlong prex of

the random tap e of the verier

Sequential rep etitions can b e used to reduce the error probability of p cpmip systems Furthermore

error can b e obtained at very mo derate cost in the randomness complexity cf

P arallel rep etition is a much more complex matter than in the context of interactive pro of systems

see and do not get misled by an error in an early version of On the other hand non

zero error probabilityisessential to the ab ove results as otherwise one can eliminate randomness

q

altogether and use PCPq DTIME poly

Finallywe mention that one can convert a multiprover interactive pro of system into a probabilis

tically checkable pro of and vice versa The translation in the rst direction is easy ie just prex

eachveriermessage by the identity of the prover but the translation in the other direction is

more complex see

PCP and Approximation

Interestingly Theorem can b e rephrased without mentioning the class PCP at all Instead a

new typ e of p olynomialtime reduction whichwecall amplifying emerges



The result NP PCPp oly log p oly log can b e found in although this pap er uses a dierent mo del and

terminologyFurthermore NP PCPlog p oly log is easily obtained from by using standard derandomization

techniques For a pro of of NP PCPf f with f nO log n log log n see The pro of of the quoted

result is more complex and can b e found in see also



Belowweprove that Theorem implies the rephrased form The converse is proven by starting with an amplifying

reduction of SAT to itself and constructing a p cp system for SAT as follows The oracle in this system is viewed

as a function from variables of the reduced formula to Bo olean values The verier uniformly selects a clause in

the reduced formula and insp ects the value of the variables that app ear in it

Theorem Theorem Rephrased Thereexistaconstant andapolynomialtime

reduction of SAT to itself so that the reduction maps nonsatisable CNF formulae to CNF

formulae for which every truth assignment satises at most a fraction of the clauses

Pro of Sketch Start by considering the p cp system for SATguaranteed by Theorem Use

the fact that the p cp system used in the pro of of Theorem is nonadaptive ie the queries are

determined as a function of the input and the randomtap e and do not dep end on answers to

previous queries Next asso ciate the bits of the oracle with Bo olean variables and intro duce a

Bo olean formula for each p ossible value of the random tap e describing whether the verier would

have accepted given this value of the random tap e Finally using auxiliary variables convert

each formula into CNF and obtain as the output of the reduction the conjunction of all these

p olynomially many formulae

As an immediate corollary one gets results concerning the intractability of approximation For

example

Corollary Hardness of Approximating MaxSAT There exists a constant so that the

fol lowing approximation problem known as MaxSAT is NPhard

Given a satisable CNF formula nd a truth assignment that satises at least a

fraction of its clauses

Thus given a satisable CNF formula it is as hard to nd a truth assignment that satises a

fraction of its clauses as it is to nd a truth assignment that satises al l clauses

Consequently for any approximation problem in the class MAXSNPcomplete cf and

there exists a constant so that approximating the problem to this constant is NPhard It follows

that unless P NP there exist no p olynomialtime approximation schemes ie a sequence of

p olynomialtime approximation algorithms one for each constant approximation ratio for any

problem in the class MAXSNPcomplete Results for approximation problems not in the class

MAXSNP can b e derived as well see An alternative p ersp ective aimed at obtaining tight

nonapproximability results is presented in

I b elieve that amplifying reductions are interesting for their own sake and may nd other applica

tions in complexity theory

Computationally Sound Pro of Systems

In the two settings just discussed ie MIP and PCP the restrictions imp osed on the prover were of

a physical nature In the current section we discuss mo dels derived from the mo del of interactive

pro ofs by imp osing computational restrictions sp ecically time b ounds on the prover Although

these restrictions apply to p otential provers in b oth the completeness condition and the soundness

condition the eect of the restriction is more dramatic on the soundness condition Hence

pro of systems with computational restrictions on the p otential provers are commonly referred to

as computationally sound The computational restriction in the soundness condition seems to

Actually this is not essential as one can convert an adaptivesysteminto a nonadaptive one while incurring an

exp onential blowup in the query complexitywhich in our case is a constant

In fact the prover in the completeness condition typically has b ounded complexity although the denition of an

interactive pro of system do es not imp ose such a restriction In particular every language in IP has a pro of system

in which the prover works in p olynomial space For further discussion see subsection

upset the puristic intuition ab out pro ofs even more than the restrictions discussed in the previous

section Yet from the p oint of view of computer science the computational restriction is quite

natural and furthermore it is justied in many applications

There are twotyp es of computationally sound pro of systems In the rst typ e called arguments

the computational restriction is that the p otential provers given access to an auxiliary input run

in p olynomial time or more generally in time that is p olynomially related to the nondeterministic

complexity of the language In the second typ e called CSproofs the computational restric

tion is that the p otential provers run in time that is p olynomially related to the deterministic

complexity of the language These computational restrictions are analogous to two of the interpre

tations discussed in subsection Sp ecically in argument system the st interpretation is

imp osed on the provers of b oth soundness and completeness condition whereas in CSpro ofs the

rd interpretation is imp osed

Argument Systems

The denition of an argument system is derived from the denition of an interactive pro of system

by mo difying the completeness and soundness conditions as follows

Completeness The prover P runs in time p olynomial in the length of the common input For

every x L there exists an auxiliary input for the prover w so that the verier V always

x

accepts after interacting with P w on common input x

x

SoundnessFor every probabilistic p olynomialtime machine P for all suciently long

after x L and for all w f g the verier V rejects with probability at least

interacting with P w on common input x

Both conditions can b e rephrased by using nonuniform families of circuits of p olynomial size

As discussed ab ove argument systems are adequate for mo deling the b ehavior of parties in a real

life setting Under strong intractability assumptions argument systems exhibit advantages over

interactive pro of systems Let us start by stating these assumptions

Denition CollisionFree Hashing Consider a family of hash functions indexed by strings

def

jj jj

F ff f g f g g sothatthere exists a polynomialtime algorithm for evaluating F

ie on input and x returns f x The family F is cal led collisionfree wrt complexity c if

for every nonuniform family of circuits fC g with size boundedby c and al l suciently large

n

n

ns the probability that C given a uniformly chosen f g outputs a pair x y so that

n

f x f y isboundedabove by cn The family F is cal led collisionfree if it is col lision

free wrt al l polynomials and is cal led strongly collisionfree if for some itiscol lisionfree

def

n

wrt the function f n

In some early works and in particular in argument systems are negligently referred to as interactive pro ofs

This is quite confusing since arguments dier from interactive pro ofs not only by denition but also in expressive

power unless PSPACE IP and in zeroknowledge prop erties unless the p olynomial time hierarchy

collapses



Actually there are three variants of this mo del see In the current subsection we concentrate on the

interactive variant of A brief discussion of the noninteractive variants of is p ostp oned to subsection



Again this means a running time p olynomial in the length of the common input



Below we consider the expressing p ower of b oth mo dels An additional advantage of argument systems is that

under strong intractabili ty assumptions there exist perfect zeroknowledge arguments rather than computational

zeroknowledge interactive pro ofs for any language in NP

Collisionfree functions exist assuming the intractability of factoring integers ie in p olynomial

n

time Strong collisionfree functions exist if integers cannot b e factored in time for some

Theorem Let L NP and assume the existenceofcol lisionfree functions resp strong

collisionfree functions Then for every there exists an argument system for L in which the

randomness and communication complexities of the verier on inputs of length nareboth bounded

by n resp p oly log nFurthermore the computational complexity of the verier is quadratic

in the length of the input

We stress that Theorem is meaningful also in case L P in particular it oers quadratic veri

cation time indep endently of the p ossibly higher deterministic complexity of the language Inter

estingly the results of Theorem are unlikely for interactive pro of systems due to the following

Prop osition Suppose that L has an interactive proof system in which both the randomness

and communication complexities of the verier arebounded by an integer function c Then

O clog

DTIME L

Pro of Sketch Consider the tree of all p ossible executions

CSPro of Systems

The denition of a CSpro of system is derived from the denition of an interactive pro of system

analogously to the way the denition of an argument system is derived The only dierence is that

here the p otential provers are uniform probabilistic machines with no auxiliary inputs running in

time p olynomial in the deterministic complexity of the language A result analogous to Theorem

is obtainable also in the current setting Sp ecicall y

Theorem Let L EXP Then assuming the existenceofstrong col lisionfree functions

there exists a CSproof system for LFurthermore the computational complexity of the verier is

quadratic in the length of the input and polylogarithmic in the deterministic complexity of L

Other Typ es of Pro of Systems

Of the other typ es of pro of systems Im going to discuss only two which are slightly problematic

and also this will b e done quite abruptly

NonInteractive Pro of Systems

The phrase noninteractive is often misleading Indeed in all mo dels that are called non

interactive the interaction b etween the prover and the verier is minimal it consists of the

pro ver sending a single message to the verier as in the case of an NPpro of Yet in most

noninteractive mo dels b oth the prover and the verier interact with a trusted random string

cf or even query a random oracle cf the socalled Guaranteed CSpro ofs of

However in addition to NPpro ofs there is another mo del that is truly noninteractive namely

the socalled Cryptographic CSpro of Cryptographic CSpro ofs are short certicates that

can b e eciently veried like NPpro ofs are relatively easy to nd for inputs in the language

but are very hard to nd rather than do not exist for inputs not in the language Namely for



See for further investigations

IP arguments CSpro of PCP MIP

restrictions none p olytime p olynomial memoryless split

on prover aux input in Dtime ie oracle entity

motivation generalize restrict IP augment see

as I see it NP see Remark NP Remark

ln

expressive PSPACE IP PH EXP scalable NTIME

power for rndquery O l n

Figure Comparison of various pro of systems

valid assertions Cryptographic CSpro ofs can b e found in time p olynomial in the deterministic

complexity of deciding the language whereas for invalid assertions false certicates cannot b e

found within such time b ounds Unfortunately the existence of nontrivial Cryptographic CS

pro ofs is not known to b e reducible to standard complexity assumptions yet plausibili ty arguments

towards the existence of the former can b e found in

Pro ofs of Knowledge

The concept of a pro of of knowledge is very app ealing yet its precise formulation is muchmore

complex than one may exp ect see Akey notion in the denition is that of a know ledge

extractor Lo osely sp eaking a knowledgeverier for a relation R guarantees the existence of a

knowledge extractor that on input x and access to anyinteractivemachine P outputs a y so

that x y R within complexity that is inversely prop ortional to the probability that the verier

accepts x when interacting with P

Comparison

In Figure Ive tried to summarize the dierences b etween the various notions of ecientproof

systems The class NP has b een omitted for obvious reasons I view IP as the natural general

ization of NP obtained by relaxing the notion of ecient computation so that probabilism and

teraction are allowed Except for the negligible probability of error which can b e controlled by in

the verier the original avor of a pro of is maintained Also I view PCPlogO as an augmen

tation of NP with the extra prop ertyofallowing a hastyverier to takeitschances and verify the

pro of in a sup erfast manner In contrast the two notions of computationally sound pro of systems

ie arguments and CSpro ofs deviate signicantly from the conservative approach of absolute

pro ofs Yet computational soundness seems adequate in most practical settings The only word

of warning is that typical results in these latter settings dep end on intractability assumptions and

when evaluating these results one should not ignore the relativesevereness of these assumptions

Remark Arguments and CSpro of systems are derived by imp osing computational restrictions on

the p otential provers in b oth the completeness and soundness conditions In b oth cases the moti

vation for these restrictions is to obtain prop erties that interactive pro ofs do not seem to have In

the case of argument systems the advantageous prop erties are very lowcommunication complexity

and perfect zeroknowledge for NP Interestingly the expressivepower of the system do es not

increase in this case but rather decreases In the case of CSpro of systems the advantageous

prop erty is the linking of the complexity of proving to the complexity of deciding Interestingly

er of the system seems to increase as well unless PSPACE EX P the expressivepow



Dep ending on strong intractabili ty assumptions

Remark The MIP mo del indeed generalizes the IP mo del However in my opinion this general

ization is less natural than the generalization of NP to IP As far as I am concerned the MIP mo del

is justied by cryptographic applications see subsection on MIP The transformations b etween

MIP systems and PCP systems do es not mean that the motivation of one mo del can b e moved to

the other

The Story

In this section I will try to provide a historical account of the ideas that led to the exciting

developments concerning the various typ es of ecient pro of systems My account is certainly a

sub jective one and it concentrates on myevaluation of the conceptual contributions their declared

intentions and their eect on subsequentdevelopments

The story of these research developments as any real story has a complex structure that needs

to b e simplied so that the reader do es not get lost in its web Thus I havebroken the story into

several indep endent linearly structured stories which do cross each other I will b egin with the

story of the evolution of proof systems and then pass to the story of their applications to deriving

hardness results for approximation problems program checking and zeroknow ledge proofs

The Evolution of Pro of Systems

The story of NP is wellknown except mayb e for the fact that NPcompleteness was discovered by

Levin indep endently of Co ok and Karp see Trakhtenbrots survey of Russian research

on NP Our story thus starts with the denition of interactive pro of systems

Interactive Pro of Systems

Motivated by the desire to form ulate the most general typ e of pro ofs that may b e used within

cryptographic proto cols Goldwasser Micali and Racko intro duced the notion of an interactive

proof system Although the main thrust of their pap er is the intro duction of a sp ecial typ e of

interactive pro ofs ie ones that are zeroknow ledge the computational complexity p otential of

the class of languages p ossessing interactive pro of systems denoted IP has b een p ointed out

The rst evidence of the surprising p ower of interactive pro ofs was given by Goldreich Micali

and Wigderson who presented an interactive pro of system for Graph NonIsomorphism a

language not known to b e in NPInteractive pro of systems gained much attention also due to

the interest in the construction of zeroknowledge pro ofs for languages in NP presented in

assuming the existence of oneway functions

Babai indep endently of suggested a dierentformulation of interactive pro ofs termed

ArthurMerlin Games and giving rise to the class AM Syntactically ArthurMerlin Games are

a restricted form of interactive pro of systems yet Goldwasser and Sipser have subsequently shown

that these restricted systems are as p owerful as the general ones namely AM IP Babais

motiv ation was to place a grouptheoretic problem previously placed in NP under some group

theoretic assumptions as close to NP as p ossible without using any assumptions Interestingly

Babai underestimated the p ower of the new class conjecturing that the class AM even with an

unb ounded numb er of rounds is very close to NP

MultiProver Interactive Pro of Systems

A generalization of interactive pro ofs to multiprover interactive proofs has b een suggested by

BenOr Goldwasser Kilian and Wigderson Again the main motivation came from zero

knowledge asp ects sp ecicallyintro ducing multiprover zeroknowledge pro ofs for NP without



Here indep endence do es not mean concurrently Indeed b oth the works of Babai and of Goldwasser Micali and

Racko rst app eared in the same conference ie th STOC yet early versions of the pap er of Goldwasser

Micali and Racko existed as early as and were rejected three times from ma jor conferences ie FOCS

STOC and FOCS



Indeed Babai placed the Matrix Representation Problem in AM using only tworounds

relying on intractability assumptions Yet the complexity theoretic prosp ects of the new class

denoted MI P have not b een ignored A more app ealing to my taste formulation of the class

MI P has b een presented byFortnow Romp el and Sipser The latter formulation exactly

coincides with the formulation now known as probabilistical ly checkable proofs ie PCP

Algebraic Metho ds Demonstrate the Power of Interactive Pro ofs

The amazing p ower of interactive pro of systems has b een demonstrated by using algebraic metho ds

The basic technique has b een intro duced by Lund Fortnow Karlo and Nisan who applied it to

P

show that the p olynomialtime hierarchy and actually P isin IP Subsequently Shamir

used the technique to show that IP PSPACE and Babai Fortnow and Lund used it to

show that MI P NEXP

The technique of Lund Fortnow Karlo and Nisan has b een inspired by ideas coming from

works on program checking cf In particular their interactive pro of system for the p erma

t nent combines Liptons selftesting pro cedure for the p ermanent which represents the p ermanen

asamultilinear p olynomial and the downwards selfreducibili ty pro cedure of Blum Luby

and Rubinfeld Another idea that is implicit in and made explicit in the subsequentworks

of is the representation intro duced byBeaver and Feigenbaum of Bo olean formulae as

multilinear p olynomials

It maybeofinterest to note that the technique of Lund et al has b een rst applied in the

P

context of multiprover interactive pro ofs yielding P MIP and that the result quoted ab ove

concerning IP followed later Hence MI P has played a role in the historical development leading

to the characterization of IP

Scaling Down the BFL Pro of System Yields a New Class

The ab ovementioned multiprover pro of system of Babai Fortnow and Lund hereafter referred

to as the BFL pro of system has b een the starting p oint for fundamental developments regarding

NP The rst developmentwas the discovery that the BFL pro of system can b e scaleddown

from NEXP to NP This imp ortantdiscovery was made indep endently bytwo sets of authors

Babai Fortnow Levin and Szegedy and Feige Goldwasser Lovasz and Safra However

the manner in which the BFL pro of is scaleddown is dierent in the two pap ers and so are the

consequences of the scalingdown

Babai Fortnow Levin and Szegedy start by considering only inputs enco ded using a sp e

cial errorcorrecting co de The enco ding of strings relative to this errorcorrecting co de can b e

computed in p olynomial time They presented a p olynomialtime algorithm that transforms NP

witnesses to inputs in a language L NPinto transparent proofs that can b e veried as vouching

for the correctness of the enco ded assertion in probabilistic p olylogarithmic time by a Ran

dom Access Machine The fact that the verication pro cedure never reads the entire pro of

should not come as a surprise as the pro cedures of alsohave this prop erty Thus

once statements and pro ofs are in the right errorcorrecting form verication is sup erfast

Babai et al stress the practical asp ects of transparent pro ofs sp ecically for rapidly checking

transcripts of long computations

The term scaleddown is used here as a standard technical term Doing so I do not mean to underestimate

the technical diculty of obtaining these results



At a later stage Szegedy improved the randomness and query complexities of the system in and joined the

latter pap er which has app eared as

In the pro of system of Babai et al the total running time of the verier is reduced ie

scaleddown to p olylogarithmic In contrast in the pro of system of Feige Goldwasser Lovasz

and Safra the verier stays p olynomialtime and only two more ned complexity measures

sp ecically the randomness and query complexities are reduced to p olylogarithmic This eliminates

the need to assume that the input is in a sp ecial errorcorrecting form and yields a more app ealing

ie less cumb ersome complexity class This complexity class is a renement of the class intro

duced in The renement is obtained by sp ecifying the randomness and query complexities

Namely PCPr q denotes the class of languages having probabilistically checkable pro ofs in

which on input x the verier tosses at most r jxj coins and makes at most q jxj Bo olean queries

to the pro of Hence whereas the result of Babai Fortnow and Lund can b e restated as

NEXP PCPp oly p oly

the result of Feige Goldwasser Lovasz Safra and Szegedy is restated as

NP PCPf f where f n O log n log log n

It should b e stressed that the result of Babai Fortnow Levin and Szegedy also implies a

containment of the ab oveformwithf n p oly log n Interest in the new complexity class

b ecame immense since Feige et al demonstrated its relevance to proving the intractability

of approximating some combinatorial problems sp ecically MaxClique I will elab orate on this

asp ect of their work in subsection Here I only wish to p oint out that when using the metho d

of Feige et al the randomness and query complexities of the verier in a p cp system for an

NPcomplete language relate to the strength of the negative results obtained for approximation

problems This fact provided a very strong motivation for trying to reduce these complexities and

obtain a tightcharacterization of NP in terms of PCP

Tightening the Relation b etween NP and PCP

Once the work of Feige et al had b een presented the challenge was clear showing that

NP equals PCPlog log This challenge was met by Arora and Safra The pro of system

constructed by Arora and Safra is very complex involving recursive use of pro of systems and con

catenation tests that are muchmoreecient than the length of strings b eing tested Interestingly

the idea of enco ding inputs in an errorcorrecting form as suggested in is essential to make this

ed that recursion work Actually Arora and Safra show

NP PCPlogf where f n olog n

Hence a new challenge arose namely further reducing the query complexity in particular to a

constant while maintaining the logarithmic randomness complexity Again additional motivation

for this challenge came from the relevance of such a result to the study of approximation problems

see subsection The new challenge was met by Arora Lund Motwani Sudan and Szegedy

and is captured by the equation

NP PCPlogO

In addition to building on the ideas of Arora and Safra the ab ove result of utilizes ideas

and techniques from the works on selftestingselfcorrecting degreetests for multivariant

p olynomials and parallelization of multiprover pro of systems

Computationally Sound Pro of Systems

Argument systems were dened in by Brassard Chaum and Crep eau but their complexity

theoretic signicance b ecame apparent only in This happ ened when Kilian using early results

on PCP due to showed that under some intractability assumptions every language in NP

has a computationallysound pro of in which the randomness and communication complexities are

p olylogarithmic

Consequently Micali suggested three new typ es of computationallysound pro of systems that he

calls CSpro ofs Micali showed that Kilians construction can b e applied also for languages

beyond NP and more imp ortantly that using interaction with a trusted random oracle allows one

to get rid of the interaction b etween the parties as well as of the intractability assumptions

The latter idea can b e traced back to a pap er of Fiat and Shamir

Other Typ es of Pro of Systems

The setting of noninteractive pro ofs was rst intro duced by Blum Feldman and Micali The

concept of pro ofs of knowledge was intro duced in the pap er of Goldwasser Micali and Racko

but it is only recently that it has b een given a satisfactory formal treatment

PCP and Approximation

As stated ab ove probabilistic checkable pro ofs b ecame the fo cus of so muchattention due to their

relation to the diculty of approximation

The relation b etween PCP and approximation was rst p ointed out byFeige Goldw asser Lovasz

and Safra see Sp ecically they showed how to construct a graph representing the p ossible

computations of a p cp verier on a sp ecic input so that the size of the maximum clique in this

graph equals the accepting probability scaled down by an easy to determine factor The time

needed to construct the graph is linearly exp onential in the randomness and query complexity

of the p cp system It follows for example that any p olynomialtime algorithm approximating

MaxClique up to a constant factor yields an algorithm for deciding a language in PCPr q

r nq n

such that the algorithm runs in time polyn This has provided a strong motivation

towards showing that NP PCPlog log

Although Feige et al only related PCP to the approximation of MaxClique it was understo o d

that the relation b etween PCP and approximation is not sp ecic to the MaxClique Problem The

question was howwell do the results for MaxClique translate to other approximation problems or

alternatively whether b etter results can b e obtained by directly relating PCP to the approxima

tion of dierent problems

It turned out that stronger nonapproximability results are p ossible when treating the two

complexity measures of PCP ie randomness and query complexities separately In particular

r n

languages in the class PCPr O are naturally represen ted by CNF formulae of size O

so that if the input is in the language then the formula is satisable and otherwise no truth

assignment can satisfy more than a constant fraction of its clauses see this chapters Technical

Part Furthermore the time required to compute this formula is linearly exp onential in r

Hence any p olynomialtime approximation scheme for MaxSAT yields a p olynomialtime decision

pro cedure for any language in PCPlogO This implication has provided a strong motivation

towards showing that NP PCPlog O Additional motivation comes from the fact that the

latter inclusion also implies that MaxClique is NPhard to approximate even to within a factor of

N for some where N denotes the number of vertices in the graph These facts were observed

by Arora Lund Motwani Sudan and Szegedy They also observed that since MaxSATisin

the class MAXSNP it followed that each complete problem in that class eg MaxSAT

MaxCUT MinVC is hard to approximate to within some constant factor

The results of have renewed interest in the complexity of approximation problems after

manyyears of frustration Subsequentwork established the hardness of approximation problems

via the following two approaches

st approach generic reductions from PCPMIP That is reducing the evaluation of the acceptance

probability of a PCPMIP system directly to the approximation problem b eing considered cf

Bellare Lund and Yannakakis Furthermore sometimes such a reduction is coupled with

a new PCPMIP system that is more ecientinsomeparameters yielding stronger negative results

than those obtained by reducing previously known PCPMIP systems cf Bellare Goldwasser

Lund and Russell Bellare and Sudan and Bellare Goldreich and Sudan Lastlyit

is imp ortant to select the right complexity parameters to b e optimized cf For an

elab orate discussion of the latter p oint see

nd approach reductions among approximation problems The newly acquired collection of hard

approximation problems motivates and facilitates attempts to prove the hardness of new problems

by using approximationpreserving reductions Typical examples are given in the works of Lund

and Yannakakis Khanna Linial and Safra and Furer

Interactive Pro ofs and Program Checking

When intro ducing the concept of program checking Blum cf was indeed aware of its relation

to interactive pro of systems In particular his program checker for mimics the

interactive pro of of Subsequently the development paths of the two concepts ie program

checking and ecient pro of systems havecontinued to intersect The contribution of program

checking techniques to the results concerning IP and PCP has b een discussed ab ove Here I wish

to further discuss the opp osite direction in whichvarious pro of systems have yielded applications

to program checking

In Babai Fortnow Levin and Szegedy stress the application of their result to program

checking At the exp ense of having a p owerful computer do some extra work its computation can

be checked byamuchweaker computer Sp ecicallythepowerful computer outputs a certicate

for the correctness of the computation so that the certicate has length comparable to the length

of the computation and yet its correctness can b e veried in time that is much shorter than the

time of the original computation This holds in a Random Access Machine computation mo del

Recently Micali showed that using Cryptographic CSpro ofs see this c hapters Technical

Part one can transform programs to ones that in addition to the result of the computation supply

avery short certicate of the validity of the computation This certicate can then b e checked

in time that is negligible also in a mo del compared to the original computation

time

Both the results of and refer to program checking in a sense dierent from Blums

cf namely the computation of a program on a sp ecic input is checked against the

program itself rather than against a functional description of what is supp osed to do The

prover which is an extension of needs to run more time than but not drastically more yet

the advantage is that a verier can check this long computation very fast



On the other hand each problem in this class is easy to approximate to within a dierent constant

ZeroKnowledge Pro ofs

As mentioned a few times ab ove the search for zeroknowledge pro ofs has b een the driving force

b ehind many of the denitions of pro of systems In particular zeroknowledge has motivated the

rst leap b eyond NP taken when interactive pro ofs were conceived by Goldwasser Micali and

Racko The reason b eing that a more lib eral notion of a pro of seemed and in fact is

necessary in order to enable simulation of the transcript without ability to p erform the interaction

in real time

The notion of computational indistinguishabi l ityintro duced by Goldwasser and Micali in the

context of dening security of encryption schemes and Yao in full generalityiscentral to

the denition of zeroknowledge However most of the complexitytheoretic impact of the former

notion was on the theory of pseudorandomness cf for example and which has

evolved almost concurrently to the evolution of interactive pro of systems

The wide applicability of zeroknowledge pro ofs has b een demonstrated by Goldreich Micali

and Wigderson Most imp ortantly they showed how to construct zeroknowledge pro of systems

for any language in NP Their construction uses a cryptographic primitive called a commitment

scheme that may b e implemented using any oneway function Actually under the same

but the latter elegant assumption zeroknowledge pro ofs exists for any language in IP

result has almost no applications

Subsequently zeroknowledge pro ofs have b ecome the fo cus of much attention in cryptographic

circles and as one may exp ect manyinteresting results followed But this is a story for a separate

essay



Some sources credit Brassard and Crep eau for indep endently discovering the same result Tosay the very

least this is technically inaccurate since Brassard and Crep eau use a much stronger intractability assumption

sp ecically the intractabili ty of the Quadratic Residue Problem

Addendum Some Op en Problems

Op en Problem Polynomials play a fundamental role in the construction of interactiveproof

systems for coNP and this trend continues in the construction of PCP systems for NP Fur

thermore it do es not seem p ossible to abstract that role I consider it imp ortant to obtain an

alternative pro of of coNP IP a pro of in which all the underlying ideas can b e presented at an

abstract level

L Currentlywe only Op en Problem Supp ose that L IPr What can b e said ab out

L IPp oly This do es not utilize the extra information regarding the IP level know that

in which L resides On the other hand we dont exp ect L to b e in IPg r for any function g

since this will put coNP coIP in IP Thus another parameter may b e relevant here for

example the lengths of the messages exchanged in the interaction Indeed if L has an interactive

L hasaninteractive pro of in which the total pro of in which the total message length is m then

message length is O m I consider it imp ortant to obtain a b etter result In general it would b e

interesting to get a b etter understanding of the IP Hierarchy

Op en Problem Regarding subsection it will b e interesting to understand the limitations

of relatively ecient provers according to the nd and rd interpretations A b etter understanding

of the selfreducibili ty on NPlanguages is also long due A sp ecic challenge cf provide

an NPpro of system for Quadratic NonResiducity QNR using a probabilistic p olynomialtime

prover with access to QNR language

Op en Problem Try to provide rm grounds for the heuristics of making pro of systems non

interactiveby use of random public functions cf I advise not to try to dene the

latter notion in a general form but rather devise some adho c metho d using some sp ecic but

widely b elieved complexity assumptions eg hardness of deciding Quadratic Residucity mo dulo a

comp osite numb er for this sp ecic application

Op en Problem It would b e interesting to gure out and utilize the minimal p ossible assump

tion required for constructing zeroknowledge proto cols for NP in various mo dels like constant

round interactive pro ofs the noninteractive mo del and p erfect zeroknowledge arguments

Op en Problem As a rst step towards the simplication of the pro of of the PCP Character

ization one maywanttoprovide an alternative randomnessecient parallelization pro cedure

which do es not rely on p olynomials or any other algebraic creatures A rst step towards this par

tial goal was taken by Safra and myself cf TR of ECCC Wehave constructed an ecient

degree test whic h utilizes a simpleinecie ntlowdegree test which is parallelized using a new

combinatorial consistency lemma

Acknowledgments

I am grateful to Sha Goldwasser Leonid Levin Dana Ron Madhu Sudan and two anonymous

reviewers for helpful remarks

The Electronic Col loquium on Computational Complexity ECCC is a new forum for the rapid and

widespread interchange of ideas in computational complexity Online access to ECCC is p ossible

via url httpwwwecccunitrierdeeccc anonymous ftp to site ftpecccunitrierde

directory pubeccc and email to ftpmailftpecccunitrierde use sub ject help eccc

for initial instructions

References

W Aiello M Bellare and R Venkatesan Knowledge on the Average Perfect Statistical

and Logarithmic In th ACM Symposium on the Theory of Computing pages

W Aiello and J Hastad Statistical ZeroKnowledge Languages can b e Recognized in Two

Rounds Journal of Computer and System ScienceVol pages

S Arora Probabilistic CheckingofProofs and the Hardness of Approximation Problems

PhD thesis UC BerkeleyAvailable from ECCC

S Arora and C Lund Hardness of Approximations In Approximation Algorithms for

NPhardProblemsDHochbaum ed PWS

S Arora C Lund R Motwani M Sudan and M Szegedy Pro of Verication and In

tractability of Approximation Problems In rd IEEE Symposium on Foundations of Com

puter Science pages

S Arora and S Safra Probabilistic Checkable Pro ofs A New Characterization of NP In

d IEEE Symposium on Foundations of Computer Science pages r

L Babai Trading Group Theory for Randomness In th ACM Symposium on the Theory

of Computing pages

L Babai L Fortnow L Levin and M Szegedy Checking Computations in Polylogarithmic

Time In rdACM Symposium on the Theory of Computing pages

L Babai L Fortnow and C Lund NonDeterministic Exp onential Time has TwoProver

Interactive Proto cols Computational ComplexityVol No pages Prelimi

nary version in st FOCS

L Babai and S Moran ArthurMerlin Games A Randomized Pro of System and a Hierarchy

of Complexity Classes Journal of Computer and System ScienceVol pages

D Beaver and J Feigenbaum Hiding Instances in Multioracle Queries In th Symposium

on Theoretical Aspects of Computer Science Springer Verlag LNCS Vol pages

M Bellare Interactive Pro ofs and Approximation Reductions from TwoProvers in One

Round In Proc nd Israel Symp on Theory of Computing and Systems ISTCS IEEE

Computer So ciety Press pages

M Bellare and O Goldreich On Dening Pro ofs of Knowledge In Crypto Springer

Verlag LNCS Vol pages

M Bellare O Goldreich and S Goldwasser Randomness in interactive pro ofs Computa

tional ComplexityVol No pages

M Bellare O Goldreich and M Sudan Free Bits PCPs and NonApproximability

Towards Tight Results Extended abstract in th IEEE Symposium on Foundations of

Computer Science pages Full version app eared as TR of ECCC

M Bellare and S Goldwasser The Complexity of Decision versus Search SIAM J on

Computing Vol No pages

M Bellare S Goldwasser C Lund and A Russell Ecient Probabilistically Checkable

Pro ofs and Applications to Approximation In th ACM Symposium on the Theory of

Computing pages A revised version is available from the authors

M Bellare and M Sudan Improved NonApproximability Results In th ACM Symposium

on the Theory of Computing pages

M BenOr O Goldreich S Goldwasser J Hastad J Kilian S Micali and PRogaway

Everything Provable is Probable in ZeroKnowledge In Crypto Springer Verlag LNCS

Vol pages

M BenOr S Goldwasser J Kilian and A Wigderson MultiProver Interactive Pro ofs

How to RemoveIntractabilit yInth ACM Symposium on the Theory of Computingpages

M Blum A De Santis S Micali and G Persiano NonInteractive ZeroKnowledge Pro of

Systems SIAM J on Computing Vol No pages

M Blum PFeldman and S Micali NonInteractive ZeroKnowledge and its Applications

In th ACM Symposium on the Theory of Computing pages

M Blum and S Kannan Designing Programs that Check their Work In st ACM

Symposium on the Theory of Computing pages

M Blum and S Micali How to Generate Cryptographically Strong Sequences of Pseudo

Random Bits SIAM J ComputVol pages In rdFOCS pages

M Blum M Luby and R Rubinfeld SelfTestingCorrecting with Applications to Numer

ical Problems Journal of Computer and System ScienceVol No pages

Preliminary version in th STOC

R Boppana J Hastad and S Zachos Do es CoNP Have Short Interactive Pro ofs Infor

mation Processing LettersVol pages May

G Brassard D Chaum and C Crep eau Minimum Disclosure Pro ofs of Knowledge Journal

of Computer and System ScienceVol No pages Preliminary version

by Brassard and Crep eau in th FOCS

ep eau ZeroKnowledge Simulation of Bo olean Circuits In Crypto G Brassard and C Cr

Springer Verlag LNCS Vol pages

R Chang B Chor O Goldreich J Hartmanis J Hastad D Ranjan and P Rohatgi

The Random Oracle Hyp othesis is False Journal of Computer and System ScienceVol

No pages

S A Co ok The Complexity of TheoremProving Pro cedures In rdACM Symposium on

the Theory of Computing pages

U Feige S Goldwasser L Lovasz and S Safra On the Complexity of Approximating the

Maximum Size of a Clique Unpublished manuscript

U Feige S Goldwasser L Lovasz S Safra and M Szegedy Approximating Clique is

almost NPcomplete In nd IEEE Symposium on Foundations of Computer Sciencepages

U Feige and J Kilian Two Prover Proto cols Low Error at Aordable Rates In th

ACM Symposium on the Theory of Computing pages

A Fiat and A Shamir How to ProveYourself Practical Solution to Identication and

Signature Problems In Crypto Springer Verlag LNCS Vol pages

L Fortnow The ComplexityofPerfect ZeroKnowledge Advances in Computing Research

aresearch annualVol Randomness and Computation S Micali ed pages

L Fortnow J Romp el and M Sipser On the Power of MultiProver Interactive Proto cols

Theoretical Computer ScienceVol pages Preliminary version in Proc

rd IEEE Symp on Structure in Complexity Theory

M Furer Improved Hardness Results for Approximating the Chromatic Numb er In th

IEEE Symposium on Foundations of Computer Science pages

M Furer O Goldreich Y Mansour M Sipser and S Zachos On Completeness and Sound

ness in Interactive Pro of Systems Advances in Computing Research a research annualVol

Randomness and Computation S Micali ed pages

MR Garey and DS Johnson Computers and Intractability A Guide to the Theory of

NPCompletenessWHFreeman

P Gemmell R Lipton R Rubinfeld M Sudan and A Wigderson SelfTestingCorrecting

for Polynomials and for Approximate Functions In th ACM Symposium on the Theory

of Computing pages

O Goldreich Foundation of Cryptography FragmentsofaBookFebruary Available

from ECCC

O Goldreich and J Hastad On the Message ComplexityofInteractive Pro of Systems

TR of ECCCMarch

O Goldreich S Micali and A Wigderson Pro ofs that Yield Nothing but their Validityor

CMVol All Languages in NP Have ZeroKnowledge Pro of Systems Journal of the A

No pages Preliminary version in th FOCS

O Goldreich and Y Oren Denitions and Prop erties of ZeroKnowledge Pro of Systems

Journal of CryptologyVol No pages

O Goldreich R Ostrovsky and E Petrank Knowledge Complexity and Computational

ComplexityInth ACM Symposium on the Theory of Computing pages

O Goldreich and E Petrank Quantifying Knowledge ComplexityInnd IEEE Symposium

on Foundations of Computer Science pages

S Goldwasser and S Micali Probabilistic Encryption Journal of Computer and System

ScienceVol No pages Preliminary version in th STOC

S Goldwasser S Micali and C Racko The Knowledge ComplexityofInteractiveProof

Systems SIAM Journal on ComputingVol pages Preliminary version

in th STOC

S Goldwasser and M Sipser Private Coins versus Public Coins in Interactive Pro of Systems

Advances in Computing Research a research annualVol Randomness and Computation

S Micali ed pages

J Hastad R Impagliazzo LA Levin and M Luby Construction of Pseudorandom Gen

erator from any OneWayFunction To app ear in SIAM J on Computing Preliminary

versions by Impagliazzo et al in st STOC and Hastad in nd STOC

R Impagliazzo and M Yung Direct ZeroKnowledge Computations In Crypto Springer

Verlag LNCS Vol pages

RM Karp Reducibil ity Among Combinatorial Problems In Complexity of Computer

Computations Raymond E Miller and James W Thatcher eds Plenum Press pages

S Khanna N Linial and S Safra On the Hardness of Approximating the Chromatic

Number In Proc nd Israel Symp on Theory of Computing and Systems ISTCS

IEEE Computer So ciety Press pages

S Khanna R Motwani M Sudan and U Vazirani On Syntatic versus Computational

Views of ApproximabilityInth IEEE Symposium on Foundations of Computer Science

pages

J Kilian A Note on Ecient ZeroKnowledge Pro ofs and Arguments In th ACM Sym

posium on the Theory of Computing pages

D Lapidot and A Shamir Fully Parallelized Multi Prover Proto cols for NEXPtime In

nd IEEE Symposium on Foundations of Computer Science pages

C Lautemann BPP and the Polynomial Hierarchy Information Processing LettersVol

pages

L Levin Universalnye p ereb ornye zadachi Universal Search Problems in Russian

Problemy Peredachi Informatsii pages

RJ Lipton New Directions in Testing Unpublished manuscript

C Lund L Fortnow H Karlo and N Nisan Algebraic Metho ds for InteractiveProof

Systems Journal of the ACMVol No pages Preliminary version in

st FOCS

C Lund and M Yannakakis On the Hardness of Approximating Minimization Problems

Journal of the ACMVol pages Preliminary version in th STOC

S Micali CS Pro ofs Unpublished manuscript

S Micali CS Pro ofs In th IEEE SymposiumonFoundations of Computer Sciencepages

M Naor Bit Commitment using Pseudorandom Generators Journal of CryptologyVol

pages

N Nisan Pseudorandom Generators for SpaceBounded Computation Combinatorica

Vol No pages Preliminary version in nd STOC

N Nisan and A Wigderson Hardness vs Randomness Journal of Computer and System

ScienceVol No pages Preliminary version in th FOCS

R Ostrovsky and A Wigderson OneWayFunctions are essential for NonTrivial Zero

Knowledge In Proc nd Israel Symp on Theory of Computing and Systems ISTCS

IEEE Computer So ciety Press pages

C H Papadimitriou and M Yannakakis Optimization Approximation and Complexity

Classes Journal of Computer and System ScienceVol pages Preliminary

version in th STOC

R Raz A Parallel Rep etition Theorem In th ACM Symp osium on the Theory of Com

puting pages

R Rubinfeld and M Sudan Robust Characterizations of Polynomials with Applications to

Program Checking SIAM J of ComputingVol No pages Preliminary

version in rdSODA

A Shamir IPPSPACE Journal of the ACMVol No pages

Preliminary version in st FOCS

M Sudan Ecient Checking of Polynomials and Proofs and the Hardness of Approximation

ProblemsACM Distinguished Theses Springer Verlag LNCS Vol

A TaShma A Note on PCP vs MIP TR Institute of Computer Science Hebrew

University Israel To app ear in Information Processing Letters

BA Trakhtenbrot A Survey of Russian Approaches to Pereb or BruteForce Search Al

gorithms Annals of the History of ComputingVol No pages

AC Yao Theory and Application of Trapdoor Functions In rd IEEE Symposium on

Foundations of Computer Science pages