DOCSLIB.ORG

Delegating Computation: Interactive Proofs for Muggles

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Delegating Computation: Interactive Proofs for Muggles Delegating Computation: Interactive Proofs for Muggles ¤ y z Shafi Goldwasser Yael Tauman Kalai Guy N. Rothblum MIT and Weizmann Institute Georgia Tech MIT shafi@theory.csail.mit.edu yael@cc.gatech.edu. rothblum@csail.mit.edu ABSTRACT Using this theorem we make progress on several questions: In this work we study interactive proofs for tractable lan- ² We show how to construct short (polylog size) com- guages. The (honest) prover should be e±cient and run in putationally sound non-interactive certi¯cates of cor- polynomial time, or in other words a \muggle".1 The veri- rectness for any log-space uniform NC computation, in ¯er should be super-e±cient and run in nearly-linear time. the public-key model. The certi¯cates can be veri¯ed These proof systems can be used for delegating computation: in quasi-linear time and are for a designated veri¯er: a server can run a computation for a client and interactively each certi¯cate is tailored to the veri¯er's public key. prove the correctness of the result. The client can verify the This result uses a recent transformation of Kalai and result's correctness in nearly-linear time (instead of running Raz from public-coin interactive proofs to one-round the entire computation itself). arguments. The soundness of the certi¯cates is based Previously, related questions were considered in the Holo- on the existence of a PIR scheme with polylog com- graphic Proof setting by Babai, Fortnow, Levin and Szegedy, munication. in the argument setting under computational assumptions by Kilian, and in the random oracle model by Micali. Our ² Interactive proofs with public-coin, log-space, poly-time focus, however, is on the original interactive proof model veri¯ers for all of P. This settles an open question where no assumptions are made on the computational power regarding the expressive power of proof systems with or adaptiveness of dishonest provers. such veri¯ers. Our main technical theorem gives a public coin interactive proof for any language computable by a log-space uniform ² Zero-knowledge interactive proofs with communication boolean circuit with depth d and input length n. The veri¯er complexity that is quasi-linear in the witness length runs in time (n+d)¢polylog(n) and space O(log(n)), the com- for any NP language veri¯able in NC, based on the munication complexity is d ¢ polylog(n), and the prover runs existence of one-way functions. in time poly(n). In particular, for languages computable by log-space uniform NC (circuits of polylog(n) depth), the ² Probabilistically checkable arguments (a model due to prover is e±cient, the veri¯er runs in time n ¢ polylog(n) Kalai and Raz) of size polynomial in the witness length and space O(log(n)), and the communication complexity is (rather than the instance length) for any NP language polylog(n). veri¯able in NC, under computational assumptions. Categories and Subject Descriptors ¤ Supported by NSF Grants CCF-0514167, CCF-0635297, F.2.0 [Theory of Computation]: Analysis of Algorithms NSF-0729011, the RSA chair, and by the Weizmann Chais and problem complexity|General Fellows Program for New Scientists. yThis work was mainly done while the author was visiting Microsoft Research, Redmond. Supported in part by NSF General Terms grant CCF-0635297 Theory zSupported by NSF Grants CCF-0635297, NSF-0729011, CNS-0430336 and by a Symantec Graduate Fellowship. 1In the ¯ction of J. K. Rowling: a person who possesses no Keywords magical powers; from the Oxford English Dictionary. Proof Veri¯cation, Interactive Proofs, Delegating Computa- tion Permission to make digital or hard copies of all or part of this work for 1. INTRODUCTION personal or classroom use is granted without fee provided that copies are E±cient proof veri¯cation lies at the heart of complex- not made or distributed for profit or commercial advantage and that copies ity theory. Classically, this was captured by the idea of a bear this notice and the full citation on the first page. To copy otherwise, to deterministic polynomial time veri¯cation procedure which republish, to post on servers or to redistribute to lists, requires prior specific receives the proof, a certi¯cate of polynomial length, and permission and/or a fee. STOC’08, May 17–20, 2008, Victoria, British Columbia, Canada. veri¯es its validity. Extending classical proof systems, in- Copyright 2008 ACM 978-1-60558-047-0/08/05 ...$5.00. teractive proof systems [37, 9] provide a model in which the polynomial time veri¯cation procedure (the veri¯er) is ran- ² Communication complexity that is polylogarithmic in domized and can interact with a prover that may employ an the size of the computation. adaptive strategy. Delegating Computation. Beyond its complexity theoretic in- Much of the complexity-theoretic research on interactive terest, the question of interactive proofs for e±cient players proofs has focused on studying their expressive power while is motivated by real-world applications. The main appli- improving the veri¯er's complexity in terms of various re- cation we consider is delegating polynomial time computa- source measures (e.g. time, space, depth, rounds or ran- tions to an untrusted party. The general setting is of several domness). The complexity of proving has received less at- computational devices of di®ering computational abilities in- tention. Indeed, since research focused on proofs for in- teracting with each other over a network. Some of these tractable languages, the honest prover is often2 assumed to devices are computationally weak due to various resource be able to perform intractable computations in the interest constraints. As a consequence there are tasks, which poten- of e±cient veri¯ability. In Arthur-Merlin games, the honest tially could enlarge a device's range of application, that are prover is accordingly named after Merlin, a computationally beyond its reach. A natural solution is to delegate computa- unbounded magician. tions that are too expensive for one device, to other devices Even in cryptographic contexts, where parties in interac- which are more powerful or numerous and connected to the tive proof systems must run in polynomial time, the main same network. This approach comes up naturally in today's focus of research remains on intractable languages such as and tomorrow's computing reality as illustrated in the fol- deciding quadratic-residuosity modulo a composite number. lowing two examples. To allow the honest prover to perform computations oth- 1. Large Scale Distributed Computing. The idea of Vol- erwise impossible in polynomial time, he can use auxiliary unteer Computing is for a server to split large computations secrets, e.g. the factorization of the input modulos in the into small units, send these units to volunteers for process- quadratic residuosity example. This model is reasonable in ing, and reassemble the result (via a much easier computa- protocol settings where the input is generated by the prover tion). The Berkeley Open Infrastructure for Network Com- himself. The prover can generate the input along with an puting (BOINC) [5, 6] is such a platform whose intent is auxiliary secret which enables him prove non-BPP proper- to make it possible for researchers in ¯elds as diverse as ties. However, in settings where the input is generated by physics, biology and mathematics to tap into the enormous an external source, an e±cient prover does not have access processing power of personal computers around the world. to auxiliary information about the input. A famous project using the BOINC platform is SETI@home Our Setting and Goal. In this paper, we embark on the study [3, 1], where large chunks of radio transmission data are of interactive proofs in the real world, where both the veri¯er scanned for signs of extraterrestrial intelligence. Anyone and the prover are e±cient. Thus, we replace the unbounded can participate by running a free program that downloads magical Merlin with a\Muggle"prover who is limited to run- and analyzes radio telescope data. Thus, getting many com- ning probabilistic polynomial-time computations. We think puters to pitch into the larger task of scanning space for the of the input to the interactive proof as dictated by an out- existence of extraterrestrial intelligence, and getting people side source, possibly even by the veri¯er. Thus, the prover interested in science at the same time. Another example of a has no auxiliary information to help him in the proving task. similar flavor is the Great Internet Mersenne Prime Search Clearly, if both the prover and the veri¯er are e±cient, [2], where volunteers search for Mersenne prime numbers then the language is tractable (in BPP). This may seem and communicate puzzling at ¯rst glance, since usually one allows the veri¯er 2. Weak Peripheral Devices. More and more, small or to run arbitrary polynomial-time computations, and thus it cheap computational devices with limited computational ca- could compute on its own whether or not the input is in the pabilities, such as cell-phones, printers, cameras, security language! This obviously is not very interesting. Indeed, we access-cards, music players, and sensors, are connected via want veri¯cation to be considerably faster than computing. networks to stronger remote computers whose help they can The question we ask in this work is which polynomial-time use. Consider, for example, a sensor that is presented with computable languages have interactive proofs with a super- an access-card, sends it a random challenge, and receives a e±cient veri¯er and an e±cient prover. We emphasize that digital signature of the random challenge. The computation although we aim for the honest prover to be e±cient, we still required to verify the signature involves public-key opera- require the soundness of the proof system to hold uncondi- tions which are too expensive both in time and space for tionally.
Load more

Recommended publications
  • Database Theory
    DATABASE THEORY Lecture 4: Complexity of FO Query Answering Markus Krotzsch¨ TU Dresden, 21 April 2016 Overview 1. Introduction | Relational data model 2. First-order queries 3. Complexity of query answering 4. Complexity of FO query answering 5. Conjunctive queries 6. Tree-like conjunctive queries 7. Query optimisation 8. Conjunctive Query Optimisation / First-Order Expressiveness 9. First-Order Expressiveness / Introduction to Datalog 10. Expressive Power and Complexity of Datalog 11. Optimisation and Evaluation of Datalog 12. Evaluation of Datalog (2) 13. Graph Databases and Path Queries 14. Outlook: database theory in practice See course homepage [) link] for more information and materials Markus Krötzsch, 21 April 2016 Database Theory slide 2 of 41 How to Measure Query Answering Complexity Query answering as decision problem { consider Boolean queries Various notions of complexity: • Combined complexity (complexity w.r.t. size of query and database instance) • Data complexity (worst case complexity for any fixed query) • Query complexity (worst case complexity for any fixed database instance) Various common complexity classes: L ⊆ NL ⊆ P ⊆ NP ⊆ PSpace ⊆ ExpTime Markus Krötzsch, 21 April 2016 Database Theory slide 3 of 41 An Algorithm for Evaluating FO Queries function Eval(', I) 01 switch (') f I 02 case p(c1, ::: , cn): return hc1, ::: , cni 2 p 03 case : : return :Eval( , I) 04 case 1 ^ 2 : return Eval( 1, I) ^ Eval( 2, I) 05 case 9x. : 06 for c 2 ∆I f 07 if Eval( [x 7! c], I) then return true 08 g 09 return false 10 g Markus Krötzsch, 21 April 2016 Database Theory slide 4 of 41 FO Algorithm Worst-Case Runtime Let m be the size of ', and let n = jIj (total table sizes) • How many recursive calls of Eval are there? { one per subexpression: at most m • Maximum depth of recursion? { bounded by total number of calls: at most m • Maximum number of iterations of for loop? { j∆Ij ≤ n per recursion level { at most nm iterations I • Checking hc1, ::: , cni 2 p can be done in linear time w.r.t.
    [Show full text]
  • CS601 DTIME and DSPACE Lecture 5 Time and Space Functions: T, S
    CS601 DTIME and DSPACE Lecture 5 Time and Space functions: t, s : N → N+ Definition 5.1 A set A ⊆ U is in DTIME[t(n)] iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. A = L(M) ≡ w ∈ U M(w)=1 , and 2. ∀w ∈ U, M(w) halts within c · t(|w|) steps. Definition 5.2 A set A ⊆ U is in DSPACE[s(n)] iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. A = L(M), and 2. ∀w ∈ U, M(w) uses at most c · s(|w|) work-tape cells. (Input tape is “read-only” and not counted as space used.) Example: PALINDROMES ∈ DTIME[n], DSPACE[n]. In fact, PALINDROMES ∈ DSPACE[log n]. [Exercise] 1 CS601 F(DTIME) and F(DSPACE) Lecture 5 Definition 5.3 f : U → U is in F (DTIME[t(n)]) iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. f = M(·); 2. ∀w ∈ U, M(w) halts within c · t(|w|) steps; 3. |f(w)|≤|w|O(1), i.e., f is polynomially bounded. Definition 5.4 f : U → U is in F (DSPACE[s(n)]) iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. f = M(·); 2. ∀w ∈ U, M(w) uses at most c · s(|w|) work-tape cells; 3. |f(w)|≤|w|O(1), i.e., f is polynomially bounded. (Input tape is “read-only”; Output tape is “write-only”.
    [Show full text]
  • Interactive Proof Systems and Alternating Time-Space Complexity
    Theoretical Computer Science 113 (1993) 55-73 55 Elsevier Interactive proof systems and alternating time-space complexity Lance Fortnow” and Carsten Lund** Department of Computer Science, Unicersity of Chicago. 1100 E. 58th Street, Chicago, IL 40637, USA Abstract Fortnow, L. and C. Lund, Interactive proof systems and alternating time-space complexity, Theoretical Computer Science 113 (1993) 55-73. We show a rough equivalence between alternating time-space complexity and a public-coin interactive proof system with the verifier having a polynomial-related time-space complexity. Special cases include the following: . All of NC has interactive proofs, with a log-space polynomial-time public-coin verifier vastly improving the best previous lower bound of LOGCFL for this model (Fortnow and Sipser, 1988). All languages in P have interactive proofs with a polynomial-time public-coin verifier using o(log’ n) space. l All exponential-time languages have interactive proof systems with public-coin polynomial-space exponential-time verifiers. To achieve better bounds, we show how to reduce a k-tape alternating Turing machine to a l-tape alternating Turing machine with only a constant factor increase in time and space. 1. Introduction In 1981, Chandra et al. [4] introduced alternating Turing machines, an extension of nondeterministic computation where the Turing machine can make both existential and universal moves. In 1985, Goldwasser et al. [lo] and Babai [l] introduced interactive proof systems, an extension of nondeterministic computation consisting of two players, an infinitely powerful prover and a probabilistic polynomial-time verifier. The prover will try to convince the verifier of the validity of some statement.
    [Show full text]
  • On Uniformity Within NC
    On Uniformity Within NC David A Mix Barrington Neil Immerman HowardStraubing University of Massachusetts University of Massachusetts Boston Col lege Journal of Computer and System Science Abstract In order to study circuit complexity classes within NC in a uniform setting we need a uniformity condition which is more restrictive than those in common use Twosuch conditions stricter than NC uniformity RuCo have app eared in recent research Immermans families of circuits dened by rstorder formulas ImaImb and a unifor mity corresp onding to Buss deterministic logtime reductions Bu We show that these two notions are equivalent leading to a natural notion of uniformity for lowlevel circuit complexity classes Weshow that recent results on the structure of NC Ba still hold true in this very uniform setting Finallyweinvestigate a parallel notion of uniformity still more restrictive based on the regular languages Here we givecharacterizations of sub classes of the regular languages based on their logical expressibility extending recentwork of Straubing Therien and Thomas STT A preliminary version of this work app eared as BIS Intro duction Circuit Complexity Computer scientists have long tried to classify problems dened as Bo olean predicates or functions by the size or depth of Bo olean circuits needed to solve them This eort has Former name David A Barrington Supp orted by NSF grant CCR Mailing address Dept of Computer and Information Science U of Mass Amherst MA USA Supp orted by NSF grants DCR and CCR Mailing address Dept of
    [Show full text]
  • On the NP-Completeness of the Minimum Circuit Size Problem
    On the NP-Completeness of the Minimum Circuit Size Problem John M. Hitchcock∗ A. Pavany Department of Computer Science Department of Computer Science University of Wyoming Iowa State University Abstract We study the Minimum Circuit Size Problem (MCSP): given the truth-table of a Boolean function f and a number k, does there exist a Boolean circuit of size at most k computing f? This is a fundamental NP problem that is not known to be NP-complete. Previous work has studied consequences of the NP-completeness of MCSP. We extend this work and consider whether MCSP may be complete for NP under more powerful reductions. We also show that NP-completeness of MCSP allows for amplification of circuit complexity. We show the following results. • If MCSP is NP-complete via many-one reductions, the following circuit complexity amplifi- Ω(1) cation result holds: If NP\co-NP requires 2n -size circuits, then ENP requires 2Ω(n)-size circuits. • If MCSP is NP-complete under truth-table reductions, then EXP 6= NP \ SIZE(2n ) for some > 0 and EXP 6= ZPP. This result extends to polylog Turing reductions. 1 Introduction Many natural NP problems are known to be NP-complete. Ladner's theorem [14] tells us that if P is different from NP, then there are NP-intermediate problems: problems that are in NP, not in P, but also not NP-complete. The examples arising out of Ladner's theorem come from diagonalization and are not natural. A canonical candidate example of a natural NP-intermediate problem is the Graph Isomorphism (GI) problem.
    [Show full text]
  • Week 1: an Overview of Circuit Complexity 1 Welcome 2
    Topics in Circuit Complexity (CS354, Fall’11) Week 1: An Overview of Circuit Complexity Lecture Notes for 9/27 and 9/29 Ryan Williams 1 Welcome The area of circuit complexity has a long history, starting in the 1940’s. It is full of open problems and frontiers that seem insurmountable, yet the literature on circuit complexity is fairly large. There is much that we do know, although it is scattered across several textbooks and academic papers. I think now is a good time to look again at circuit complexity with fresh eyes, and try to see what can be done. 2 Preliminaries An n-bit Boolean function has domain f0; 1gn and co-domain f0; 1g. At a high level, the basic question asked in circuit complexity is: given a collection of “simple functions” and a target Boolean function f, how efficiently can f be computed (on all inputs) using the simple functions? Of course, efficiency can be measured in many ways. The most natural measure is that of the “size” of computation: how many copies of these simple functions are necessary to compute f? Let B be a set of Boolean functions, which we call a basis set. The fan-in of a function g 2 B is the number of inputs that g takes. (Typical choices are fan-in 2, or unbounded fan-in, meaning that g can take any number of inputs.) We define a circuit C with n inputs and size s over a basis B, as follows. C consists of a directed acyclic graph (DAG) of s + n + 2 nodes, with n sources and one sink (the sth node in some fixed topological order on the nodes).
    [Show full text]
  • The Complexity Zoo
    The Complexity Zoo Scott Aaronson www.ScottAaronson.com LATEX Translation by Chris Bourke cbourke@cse.unl.edu 417 classes and counting 1 Contents 1 About This Document 3 2 Introductory Essay 4 2.1 Recommended Further Reading ......................... 4 2.2 Other Theory Compendia ............................ 5 2.3 Errors? ....................................... 5 3 Pronunciation Guide 6 4 Complexity Classes 10 5 Special Zoo Exhibit: Classes of Quantum States and Probability Distribu- tions 110 6 Acknowledgements 116 7 Bibliography 117 2 1 About This Document What is this? Well its a PDF version of the website www.ComplexityZoo.com typeset in LATEX using the complexity package. Well, what’s that? The original Complexity Zoo is a website created by Scott Aaronson which contains a (more or less) comprehensive list of Complexity Classes studied in the area of theoretical computer science known as Computa- tional Complexity. I took on the (mostly painless, thank god for regular expressions) task of translating the Zoo’s HTML code to LATEX for two reasons. First, as a regular Zoo patron, I thought, “what better way to honor such an endeavor than to spruce up the cages a bit and typeset them all in beautiful LATEX.” Second, I thought it would be a perfect project to develop complexity, a LATEX pack- age I’ve created that defines commands to typeset (almost) all of the complexity classes you’ll find here (along with some handy options that allow you to conveniently change the fonts with a single option parameters). To get the package, visit my own home page at http://www.cse.unl.edu/~cbourke/.
    [Show full text]
  • University Microfilms International 300 North Zeeb Road Ann Arbor, Michigan 48106 USA St John's Road
    INFORMATION TO USERS This material was produced from a microfilm copy of the original document. While the most advanced technological means to photograph and reproduce this document have been used, the quality is heavily dependant upon the quality of the original submitted. The following explanation of techniques is provided to help you understand markings or patterns which may appear on this reproduction. 1. The sign or "target" for pages apparently lacking from the document photographed is "Missing Page(s)". If it was possible to obtain the missing page(s) or section, they are spliced into the film along with adjacent pages. This may have necessitated cutting thru an image and duplicating adjacent pages to insure you complete continuity. 2. When an image on the film is obliterated with a large round black mark, it is an indication that the photographer suspected that the copy may have moved during exposure and thus cause a blurred image. You w ill find a good image of the page in the adjacent frame. 3. When a map, drawing or chart, etc., was part of the material being photographed the photographer followed a definite method in "sectioning" the material. It is customary to begin photoing at the upper left hand corner of a large sheet and to continue photoing from left to right in equal sections with a small overlap. If necessary, sectioning is continued again — beginning below the first row and continuing on until complete. 4. The majority of users indicate that the textual content is of greatest value, however, a somewhat higher quality reproduction could be made from "photographs" if essential to the understanding of the dissertation.
    [Show full text]
  • Sharp Lower Bounds for the Dimension of Linearizations of Matrix Polynomials∗
    Electronic Journal of Linear Algebra ISSN 1081-3810 A publication of the International Linear Algebra Society Volume 17, pp. 518-531, November 2008 ELA SHARP LOWER BOUNDS FOR THE DIMENSION OF LINEARIZATIONS OF MATRIX POLYNOMIALS∗ FERNANDO DE TERAN´ † AND FROILAN´ M. DOPICO‡ Abstract. A standard way of dealing with matrixpolynomial eigenvalue problems is to use linearizations. Byers, Mehrmann and Xu have recently defined and studied linearizations of dimen- sions smaller than the classical ones. In this paper, lower bounds are provided for the dimensions of linearizations and strong linearizations of a given m × n matrixpolynomial, and particular lineariza- tions are constructed for which these bounds are attained. It is also proven that strong linearizations of an n × n regular matrixpolynomial of degree must have dimension n × n. Key words. Matrixpolynomials, Matrixpencils, Linearizations, Dimension. AMS subject classifications. 15A18, 15A21, 15A22, 65F15. 1. Introduction. We will say that a matrix polynomial of degree ≥ 1 −1 P (λ)=λ A + λ A−1 + ···+ λA1 + A0, (1.1) m×n where A0,A1,...,A ∈ C and A =0,is regular if m = n and det P (λ)isnot identically zero as a polynomial in λ. We will say that P (λ)issingular otherwise. A linearization of P (λ)isamatrix pencil L(λ)=λX + Y such that there exist unimod- ular matrix polynomials, i.e., matrix polynomials with constant nonzero determinant, of appropriate dimensions, E(λ)andF (λ), such that P (λ) 0 E(λ)L(λ)F (λ)= , (1.2) 0 Is where Is denotes the s × s identity matrix. Classically s =( − 1) min{m, n}, but recently linearizations of smaller dimension have been considered [3].
    [Show full text]
  • The Correlation Among Software Complexity Metrics with Case Study
    International Journal of Advanced Computer Research (ISSN (print): 2249-7277 ISSN (online): 2277-7970) Volume-4 Number-2 Issue-15 June-2014 The Correlation among Software Complexity Metrics with Case Study Yahya Tashtoush1, Mohammed Al-Maolegi2, Bassam Arkok3 Abstract software product attributes such as functionality, quality, complexity, efficiency, reliability or People demand for software quality is growing maintainability. For example, a higher number of increasingly, thus different scales for the software code lines will lead to greater software complexity are growing fast to handle the quality of software. and so on. The software complexity metric is one of the measurements that use some of the internal The complexity of software effects on maintenance attributes or characteristics of software to know how activities like software testability, reusability, they effect on the software quality. In this paper, we understandability and modifiability. Software cover some of more efficient software complexity complexity is defined as ―the degree to which a metrics such as Cyclomatic complexity, line of code system or component has a design or implementation and Hallstead complexity metric. This paper that is difficult to understand and verify‖ [1]. All the presents their impacts on the software quality. It factors that make program difficult to understand are also discusses and analyzes the correlation between responsible for complexity. So it is necessary to find them. It finally reveals their relation with the measurements for software to reduce the impacts of number of errors using a real dataset as a case the complexity and guarantee the quality at the same study. time as much as possible.
    [Show full text]
  • Complexity Theory
    Complexity Theory Course Notes Sebastiaan A. Terwijn Radboud University Nijmegen Department of Mathematics P.O. Box 9010 6500 GL Nijmegen the Netherlands terwijn@math.ru.nl Copyright c 2010 by Sebastiaan A. Terwijn Version: December 2017 ii Contents 1 Introduction 1 1.1 Complexity theory . .1 1.2 Preliminaries . .1 1.3 Turing machines . .2 1.4 Big O and small o .........................3 1.5 Logic . .3 1.6 Number theory . .4 1.7 Exercises . .5 2 Basics 6 2.1 Time and space bounds . .6 2.2 Inclusions between classes . .7 2.3 Hierarchy theorems . .8 2.4 Central complexity classes . 10 2.5 Problems from logic, algebra, and graph theory . 11 2.6 The Immerman-Szelepcs´enyi Theorem . 12 2.7 Exercises . 14 3 Reductions and completeness 16 3.1 Many-one reductions . 16 3.2 NP-complete problems . 18 3.3 More decision problems from logic . 19 3.4 Completeness of Hamilton path and TSP . 22 3.5 Exercises . 24 4 Relativized computation and the polynomial hierarchy 27 4.1 Relativized computation . 27 4.2 The Polynomial Hierarchy . 28 4.3 Relativization . 31 4.4 Exercises . 32 iii 5 Diagonalization 34 5.1 The Halting Problem . 34 5.2 Intermediate sets . 34 5.3 Oracle separations . 36 5.4 Many-one versus Turing reductions . 38 5.5 Sparse sets . 38 5.6 The Gap Theorem . 40 5.7 The Speed-Up Theorem . 41 5.8 Exercises . 43 6 Randomized computation 45 6.1 Probabilistic classes . 45 6.2 More about BPP . 48 6.3 The classes RP and ZPP .
    [Show full text]
  • Delegating Computation: Interactive Proofs for Muggles∗
    Electronic Colloquium on Computational Complexity, Revision 1 of Report No. 108 (2017) Delegating Computation: Interactive Proofs for Muggles∗ Shafi Goldwasser Yael Tauman Kalai Guy N. Rothblum MIT and Weizmann Institute Microsoft Research Weizmann Institute shafi@theory.csail.mit.edu yael@microsoft.com rothblum@alum.mit.edu Abstract In this work we study interactive proofs for tractable languages. The (honest) prover should be efficient and run in polynomial time, or in other words a \muggle".1 The verifier should be super-efficient and run in nearly-linear time. These proof systems can be used for delegating computation: a server can run a computation for a client and interactively prove the correctness of the result. The client can verify the result's correctness in nearly-linear time (instead of running the entire computation itself). Previously, related questions were considered in the Holographic Proof setting by Babai, Fortnow, Levin and Szegedy, in the argument setting under computational assumptions by Kilian, and in the random oracle model by Micali. Our focus, however, is on the original inter- active proof model where no assumptions are made on the computational power or adaptiveness of dishonest provers. Our main technical theorem gives a public coin interactive proof for any language computable by a log-space uniform boolean circuit with depth d and input length n. The verifier runs in time n · poly(d; log(n)) and space O(log(n)), the communication complexity is poly(d; log(n)), and the prover runs in time poly(n). In particular, for languages computable by log-space uniform NC (circuits of polylog(n) depth), the prover is efficient, the verifier runs in time n · polylog(n) and space O(log(n)), and the communication complexity is polylog(n).
    [Show full text]