On Completeness and Soundness in Interactive Proof Systems

Martin Furer, Computer Science Dept., Pennsylvania State Univ., University Park, PA
Oded Goldreich, Computer Science Dept., Technion, Haifa, Israel
Yishay Mansour, Lab. for Computer Science, MIT, Cambridge, MA
Michael Sipser, Mathematics Dept., MIT, Cambridge, MA
Stathis Zachos, Comp. and Inform. Sci., Brookline College of CUNY, Brookline, NY

ABSTRACT

An interactive proof system with Perfect Completeness (resp. Perfect Soundness) for a language L is an interactive proof (for L) in which for every $x \in L$ (resp. $x \notin L$) the verifier always accepts (resp. always rejects). We show that any language having an interactive proof system has one (of the Arthur-Merlin type) with perfect completeness. On the other hand, only languages in NP have interactive proofs with perfect soundness.

Work done while third author was working at the IBM Scientific Center, Technion City, Haifa, Israel. Second author was partially supported by the Fund for Basic Research Administered by the Israeli Academy of Sciences and Humanities. Fifth author was partially supported by PSC-CUNY grant. Appeared in Advances in Computing Research: A Research Annual, Vol Randomness and Computation (S. Micali, ed.), pages

Warning: Reproduced almost automatically from an old troff file. The resulting text was not proofread.

Updated affiliation for Oded Goldreich: Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot, Israel. Email: odedwisdomweizmannacil

INTRODUCTION

The two basic notions regarding a proof system are completeness and soundness. Completeness means that the proof system is powerful enough to generate proofs for all the valid statements (in some class). Soundness means that any statement that can be proved is valid (i.e., no proofs exist for false statements). Two computational tasks related to a proof system are generating a proof and verifying the validity of a proof. This naturally suggests the notions of a prover (a party capable of generating proofs) and a verifier (a party capable of validating proofs). Typically, the verifier's task is easier than the prover's task. In order to focus on the complexity of the verification task, it is convenient to assume that the prover has unlimited power.

For many years NP was considered the formulation of "whatever can be efficiently verified". This stemmed from the association of deterministic polynomial-time computation with efficient computation. The growing acceptability of probabilistic polynomial-time computations as reflecting efficient computations is the basis of more recent formalizations of "whatever can be efficiently verified". In these formalizations, due to Goldwasser, Micali and Rackoff [GMR] and Babai [B], and shown to be equivalent by Goldwasser and Sipser [GS], the polynomial-time verifier is allowed to toss coins and arbitrarily interact with the prover; furthermore, he can accept or reject based on overwhelming statistical evidence. Ruling by overwhelming statistical evidence means relaxing the completeness and soundness conditions so that any valid statement can be proved with a very high probability, while any false statement has only negligible probability to be proved.

For a definition of interactive proof systems we refer the reader to Goldwasser and Sipser's article in this volume [GS]. We denote by IP the class of languages for which there exists an interactive proof system. Clearly, $NP \subseteq IP \subseteq PSPACE$. It is believed that the class NP is strictly contained in IP. Evidence for this may perhaps be derived from the fact that, relative to some oracle, interactive proofs are even not contained in the polynomial-time hierarchy (i.e., $\exists A$ s.t. $IP^A \not\subseteq PH^A$; see [AGH]). It is also interesting to note that natural languages such as Graph Non-Isomorphism and Matrix Group Non-Membership, which are not known to be in NP, were shown to be in IP (by [GMW] and [B], respectively).

Considering an interactive proof system, it seems that, in some sense, the prover is responsible for the completeness condition, while the verifier is responsible for the soundness condition. If this intuition is correct, and the prover has unrestricted power, why should the completeness condition be relaxed? Namely, can one modify the interactive proof such that the prover never fails in demonstrating the validity of true statements, while maintaining soundness?

By perfect completeness we mean that the prover never fails to prove the membership of inputs that are indeed in the language, while perfect soundness means that the verifier never accepts inputs that are not in the language. Perfect completeness and perfect soundness are not only theoretically interesting, but are also of practical importance. This is the case since probabilistic completeness and soundness are defined with respect to ideal unbiased coin tosses, and may not hold when using pseudorandom sequences (even in the sense of Blum and Micali [BM] and Yao [Y]). On the other hand, perfect completeness and soundness are independent of the quality of the verifier's coin tosses.

Our main result is that Interactive Proofs with Perfect Completeness are as powerful as Interactive Proofs. The proof of the main result is in fact a transformation that, given an interactive proof for a language L, yields an Arthur-Merlin interactive proof with perfect completeness for L. This transformation preserves the number of interactions of the original interactive proof. An alternative proof, which uses different ideas and in particular a protocol for "random selection", appears in [GMS].

An alternative characterization of complexity classes defined by bounded Arthur-Merlin games was presented in [ZF]. They use polynomially bounded quantifiers + + where means roughly "for most". For all quantifier strings + Q Q (1 2) of equal length over { } the notation Q Q (1 2) represents the classes of languages satisfying x L Q y P x y 1 x L Q y P x y 2 + + + for some polytime computable predicate P. In this notation resp + denotes the class of languages that are accepted by a general (resp. perfect completeness, perfect soundness) two-move Arthur-Merlin proof system.

MODEL AND DEFINITIONS

We state and prove our main result for the Arthur-Merlin games introduced by Babai [B]. Using the result of [GS], our main result applies also to the interactive proof systems of [GMR]. In this section we provide a precise definition of Arthur-Merlin games and auxiliary terminology, in order to facilitate the presentation of our result. Since we are interested only in the complexity-theoretic aspects of proof systems, we may assume that the prover (Merlin) uses an optimal strategy and therefore, with no loss of generality, is deterministic. In the following definition we assume that in all interactions of Arthur and Merlin on inputs of the same length, the same number of messages are exchanged, and that all these messages are of the same length. Clearly, this condition is immaterial and is only placed in order to facilitate the analysis.

Definition (Arthur-Merlin games): An Arthur-Merlin game is a pair of interactive programs A and M and a predicate such that:

On common input x, exactly $q(|x|)$ messages of length $m(|x|)$ each are exchanged, where q and m are fixed polynomials and $|x|$ denotes the length of x.

Arthur (A) goes first, and at iteration $i \le q(|x|)$ chooses at random a string $r_i$ of length $m(|x|)$, with uniform probability distribution.

Merlin's reply in the i-th iteration, denoted $y_i$, is a function of all the previous choices of Arthur and the common input x. More formally, $y_i = M(x, r_1 \cdots r_i)$. In other words, M is the strategy of Merlin.

For every program $M'$, a conversation between A and $M'$ on input x is a string $r_1 y_1 \cdots r_{q(|x|)} y_{q(|x|)}$ where for every $i \le q(|x|)$, $y_i = M'(x, r_1 \cdots r_i)$. We denote by $CONV_x^{M'}$ the set of all conversations between A and $M'$ on input x. Note that $|CONV_x^{M'}| = 2^{q(|x|) m(|x|)}$.

The predicate is a polynomial-time computable predicate. This predicate maps the input x and a conversation $r_1 y_1 \cdots r_{q(|x|)} y_{q(|x|)}$ to a Boolean value, called the value of the conversation. We associate true with accept and false with reject. The predicate is called the value-of-the-game predicate.

Notation: Let A and $M'$ be programs and let the predicate be as above. Then $ACC_x^{M'}$ denotes the set

$\{\, r_1 \cdots r_{q(|x|)} \mid \exists\, y_1 \cdots y_{q(|x|)}$ s.t. $r_1 y_1 \cdots r_{q(|x|)} y_{q(|x|)} \in CONV_x^{M'}$ and the value of the conversation $r_1 y_1 \cdots r_{q(|x|)} y_{q(|x|)}$ is accept $\}$.

Intuitively, $ACC_x^{M'}$ is the set of all the random choices leading A to accept x when interacting with $M'$. Note that $ACC_x^{M'}$ depends only on Merlin ($M'$) and the predicate, since we assume that Arthur follows the protocol. The ratio $|ACC_x^{M'}| / |CONV_x^{M'}|$ is the probability that Arthur accepts x when interacting with $M'$.

Definition (Arthur-Merlin proof systems): An Arthur-Merlin proof system for language L is an Arthur-Merlin game satisfying the following two conditions:

There exists a strategy for Merlin, M, such that for all $x \in L$, $|ACC_x^{M}| / |CONV_x^{M}| \ge 2/3$. This condition is hereafter referred to as probabilistic completeness.

For every strategy $M'$ and for any $x \notin L$, $|ACC_x^{M'}| / |CONV_x^{M'}| \le 1/3$. This condition is hereafter referred to as probabilistic soundness.

$p(|x|)$ $p(|x|)$ An equivalent definition is obtained by replacing by and by where p is an arbitrary polynomial satisfying pn n

Definition (perfect completeness): An Arthur-Merlin proof system with perfect completeness for a language L is an Arthur-Merlin proof system for L satisfying: for all $x \in L$, $|ACC_x^{M}| = |CONV_x^{M}|$. Perfect completeness of an Arthur-Merlin proof system means that Merlin always succeeds in convincing Arthur to accept inputs in the language.

Definition (perfect soundness): An Arthur-Merlin proof system
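
The acceptance ratio |ACC| / |CONV| and the dependence of probabilistic completeness on the quality of Arthur's coins can be checked by brute force on a small game. The Python below is an added example, not part of the paper: it assumes a toy game with a single iteration and 8-bit messages from Arthur, a constructed GF(2) hash predicate, constructed inputs BIG and SMALL, and a constructed degenerate coin source; every name in it is an assumption of the example.

```python
from fractions import Fraction
from itertools import product

# Toy Arthur-Merlin game with one iteration (q = 1, m = 8). Arthur's string r is
# 6 bits of a 2x3 matrix A over GF(2) followed by a 2-bit target t.
M_BITS = 8
UNIVERSE = list(product((0, 1), repeat=3))         # Merlin's possible replies y
ALL_COINS = list(product((0, 1), repeat=M_BITS))   # one conversation per string r


def value_hash(x, r, y):
    """Value-of-the-game predicate: accept iff y is in the set x and A*y = t."""
    def dot(row):
        return sum(a * b for a, b in zip(row, y)) % 2
    return y in x and (dot(r[0:3]), dot(r[3:6])) == r[6:8]


def value_np(x, r, y):
    """NP-style predicate: Arthur's coins are ignored, y only has to be in x."""
    return y in x


def best_merlin(value):
    """Optimal Merlin for one iteration: reply with any y that makes Arthur accept.
    Because it is optimal, its ratio bounds the ratio of every other strategy."""
    def strategy(x, r):
        return next((y for y in UNIVERSE if value(x, r, y)), UNIVERSE[0])
    return strategy


def acc(value, x, coins=ALL_COINS):
    """ACC restricted to `coins`: strings r whose conversation (r, M(x, r)) accepts."""
    merlin = best_merlin(value)
    return [r for r in coins if value(x, r, merlin(x, r))]


def accept_ratio(value, x, coins=ALL_COINS):
    """|ACC| / |CONV| when Arthur's string is uniform over `coins`."""
    return Fraction(len(acc(value, x, coins)), len(coins))


def perfectly_complete_on(value, x):
    """True iff every one of Arthur's strings leads to accept on input x."""
    return len(acc(value, x)) == len(ALL_COINS)


# Constructed inputs: a large set (a yes-instance of the toy language) and a
# one-element set (a no-instance).
BIG = frozenset(UNIVERSE)
SMALL = frozenset({(1, 0, 1)})
# Constructed degenerate coin source: the matrix bits are always zero.
WEAK_COINS = [r for r in ALL_COINS if r[:6] == (0,) * 6]

if __name__ == "__main__":
    print("hash game, BIG, ideal coins :", accept_ratio(value_hash, BIG))
    print("hash game, SMALL, ideal     :", accept_ratio(value_hash, SMALL))
    print("hash game, BIG, weak coins  :", accept_ratio(value_hash, BIG, WEAK_COINS))
    print("NP-style game, BIG, weak    :", accept_ratio(value_np, BIG, WEAK_COINS))
    print("hash game perfect on BIG?   :", perfectly_complete_on(value_hash, BIG))
```

With ideal coins the hash game meets the 2/3 and 1/3 thresholds on these inputs without being perfectly complete; with the degenerate source its ratio on BIG drops below 2/3, while the game whose ACC set contains every string is unaffected.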