Checking Computations in Polylogarithmic Time
� � �
Leonid A� Levin Lance Fortnow L�aszl�o Babai
�
Dept� Comp� Sci� Dept� Comp� Sci� Univ� of Chicago and
� �
Boston University Univ� of Chicago E�otv�os Univ�� Budap est
�
Mario Szegedy
Dept� Comp� Sci�
Univ� of Chicago
Abstract� Motivated by Manuel Blum�s concept of instance checking� we consider new� very fast and generic
mechanisms of checking computations� Our results exploit recent advances in interactive pro of proto cols
�LFKN���� �Sha���� and esp ecially the MIP � NEXP proto col from �BFL����
We show that every nondeterministic computational task S �x� y �� de�ned as a p olynomial time relation
b etween the instance x� representing the input and output combined� and the witness y can b e mo di�ed to a
�
task S such that� �i� the same instances remain accepted� �ii� each instance�witness pair b ecomes checkable
�
in polylogarithmic Monte Carlo time� and �iii� a witness satisfying S can b e computed in p olynomial time
from a witness satisfying S �
Here the instance and the description of S have to b e provided in error�correcting co de �since the checker
will not notice slight changes�� A mo di�cation of the MIP pro of was required to achieve p olynomial time
O �log log N �
in �iii�� the earlier technique yields N time only�
This result b ecomes signi�cant if software and hardware reliability are regarded as a considerable cost
factor� The p olylogarithmic checker is the only part of the system that needs to b e trusted� it can b e hard
wired� �We use just one Checker for all problems�� The checker is tiny and so presumably can b e optimized
and checked o��line at a mo dest cost�
In this setup� a single reliable PC can monitor the op eration of a herd of sup ercomputers working with
p ossibly extremely p owerful but unreliable software and untested hardware�
In another interpretation� we show that in p olynomial time� every formal mathematical pro of can b e
transformed into a transparent proof� i�e� a pro of veri�able in p olylogarithmic Monte Carlo time� assuming
the �theorem�candidate� is given in error�correcting co de� In fact� for any � � �� we can transform any
��� O �����
pro of P in time kP k into a transparent pro of� veri�able in Monte Carlo time �log kP k� �
As a by�pro duct� we obtain a binary error correcting co de with very e�cient error�correction� The
���
co de transforms messages of length N into co dewords of length � N � and for strings within ��� of a
valid co deword� it allows to recover any bit of the unique co deword within that distance in p olylogarithmic
O �����
��log N � � time�
1
Research partially supp orted by NSF Grant CCR��������� E�mail� laci�cs�uchicago�edu
2
Research partially supp orted by NSF Grant CCR��������� E�mail� fortnow�cs�uchicago�edu
3
Supp orted by NSF grant CCR��������� E�mail� Lnd�cs�bu�edu
4
��� Cummington St�� Boston MA ������
5
Current address� AT�T Bell Lab oratories� ��� Mountain Avenue� P�O� Box ���� Murray Hill� NJ �����������
E�mail� ms�research�att�com
6
���� E ��th St� Chicago IL ������ �
� Intro duction
��� Very long mathematical pro ofs
An interesting foundational problem is p osed by some mathematical pro ofs which are to o large to b e checked
by a single human�
The pro of of the Four Color Theorem �AHK���� considered controversial at the time� started with a
Lemma that the Theorem follows if certain computation terminates� It was completed with the exp erimental
fact that the computation did indeed terminate within two weeks on contemp orary computers�
The �Enormous Theorem� �Gor��� provides the classi�cation of all �nite simple groups� Its pro of� spread
over ������ pages in Gorenstein�s estimate� consists of a large numb er of di�cult lemmas� Each lemma was
proven by a memb er of a large team� but it seems doubtful that any one p erson was able to check all parts�
An even more di�cult example is a statement that a given large tap e contains the correct output of a
huge computation �with program and input on the same tap e�� One might attempt to verify the claim by
rep eating the computation� but what if there is a systematic error in the implementation�
The �rst two examples are sp ecial cases of the last one� The requirements for mathematical pro ofs can
b e completely formalized� The statement of the theorem would have to incorp orate the de�nitions� basic
concepts� notation� and assumptions of the given mathematical area� They should also include the general
axiom schemes of mathematics used �say� Set Theory�� furthermore� the logical axioms and inference rules�
parsing pro cedures needed to implement the logic� etc� The theorem will then b ecome very large and ugly�
but still easily manageable by computers� The computation would then just check that the pro of adheres to
the sp eci�cations�
��� Transparent pro ofs
Randomness o�ers a surprisingly e�cient way out of the foundational problem� As we shall see� all formal
pro ofs can b e transformed into pro ofs that are checkable in polylogarithmic Monte Carlo time� Note that no
matter how huge a pro of we have� the logarithm of its size is very small� The logarithm of the numb er of
particles in the visible Universe is under ����
O ���
A probabilistic proof system is a kT � P k time algorithm A�T � P � � �� It has random access to the source
� of coin �ips and two input arrays� T ��theorem candidate�� and P ��pro of candidate��� T is given in an
error correcting co de� If T is not a valid co de word� but is within� say� ��� Hamming distance of one� this
�
valid co deword T is uniquely de�ned and recoverable in nearly linear time� Each pair �T � P � is either
�� correct� accepted for all � � or
�� wrong� rejected for most � � or
� � �
�� imperfect� can b e easily transformed into correct �T � P �� with unique T close to T �
In the last case the checker is free either to reject �there are errors� or to accept �errors are inessential��
Using a sp ecial error correcting co de� we can guarantee the acceptance with high probability if there are
� ��� of errors and make �easily transformed� to mean p olylogarithmic time p er digit�
P is a proof of T if �T � P � is correct� T is a theorem if it has a pro of� A deterministic pro of system is the
sp ecial case with no use of � � Extension is a system with more pro ofs but not more theorems�
O ���
A pro of P of T is transparent if it is accepted in a �sp eci�c� p oly�logarithmic time �log kT � P k� � The
O ���
system is friend ly if every pro of P can b e transformed in kT � P k time into a transparent pro of of the
same theorem�
Theorem ��� Each deterministic proof system has a friend ly probabilistic extension�
It will b e su�cient to consider just one pro of system which is NP �complete with resp ect to p olylog�
arithmic time reductions �see de�nition in Section ����� In fact� using a RAM mo del rather than Turing
machines� we construct a pro of system� complete for nearly�linear non�deterministic time with resp ect to
���
such reductions� This enables us� in time kT � P k � for any � � �� to put the pro ofs into transparent form�
O �����
veri�able in time �log kT � P k� � It is an interesting problem to eliminate ��� from this exp onent�
��� Comments
O ��� O ���
Polynomial and polylog ab ove refer to kT � P k and �log kT � P k� � resp�� where kxk denotes the length
of the string x� Nearly linear means linear times p olylog�
Theorem ��� asserts that given T �as a valid co de�word� and a correct pro of P � one can compute in
e
p olynomial time another pro of P of T which is accepted in p olylog time �by the extended system��
Note that acceptance of �T � P � do es not guarantee the correctness of �T � P �� But� if acceptance o ccurs
with a noticeable probability� then b oth T and P can easily b e corrected�
Correcting the Theorem� Error�correcting format �enco ding� of the input refers to any sp eci�c p olynomial�
time computable enco ding with the prop erty that every co deword can b e recovered in p olynomial time from
any distortion in a small constant fraction of the digits� Such co des can b e computed very e�ciently by
log�depth� nearly linear size networks �e�g� variants of FFT��
The error�correcting enco ding of the theorem�candidate is crucial� otherwise P could b e a correct pro of
of a slightly mo di�ed �and therefore irrelevant� theorem� and it would not b e p ossible to detect in p olylog
time the slight alteration� In case T fails to b e in valid error�correcting form� acceptance of the pro of means
�
correctness of the unique T to which T is close�
One would not need error�correcting enco ding if we were only concerned ab out short theorems with long
pro ofs� This is rare in computing� where inputs�outputs tend to b e long� But even in mathematics there are
go o d reasons to assume that truly self�contained theorem statements will b e very long� Indeed� as discussed
in Section ���� the statement of a theorem in top ology� for instance� would include lots of relevant textb o ok
material on logic� algebra� analysis� geometry� top ology�
Correcting the Pro of� If �T � P � has a noticeable chance of acceptance in the extended system then T �after
error�correction� if not a valid co de�word� is guaranteed to b e a theorem� i�e� to have a correct pro of� We do
not guarantee that P itself is a correct pro of� but a simple Monte�Carlo pro cedure with random access to P
will correct it� revising each digit indep endently in p olylog time� �This is a self�correction feature related to
a self�correction concept intro duced by Blum�Luby�Rubinfeld and Lipton� The pro of uses the interp olation
trick of Beaver�Feigenbaum�Lipton��
� Checking computations
We shall now interpret Theorem ��� in the context of checking of computations� There will b e two parties
involved� the Solver� comp eting in the op en market to serve the user� and the Checker� a tiny but highly
reliable device�
��� A universal Checker
A non�deterministic programming task is sp eci�ed by a deterministic p olynomial�time predicate S �x� y � W �
meaning W is a witness that �x� y � is an acceptable input�output pair in error�correcting form�
A Solver may present a program which is claimed to pro duce a �p ossibly long� witness W � and running
S on a reliable machine with reliable software might b e exp ensive and time�consuming� Instead� our result
allows to mo dify the sp eci�cation such that �a� the same input�output pairs will b e accepted� �b� the same
Solver can solve the mo di�ed task at only a small extra cost to him� �c� the result can b e checked in
p olylogarithmic time� � We now rephrase Theorem ��� in the checking context�
The following corollary assumes t to b e an upp er b ound on kx� y � W k and on the running time of
S �x� y � W �� � is a random sequence of coin �ips� We select a value � � ��
��� O �����
Corollary ��� There exist machines E �Editor� t running time� and C �Checker� �log t� running
time� such that for any S� x� y with error�correcting codes S � x� y and W �
� if S �x� y � W � accepts then C �S � x� y � E �W �� � � accepts for al l � �
� If C �S� x� y � W� � � accepts for � �� of al l � then S� x� y are within �� Hamming distance from error�
� � � � � �
correcting codes of unique and easily recoverable S � x � y � Moreover� S �x � y � W � accepts for some
W �
Only the Checker but neither the software nor the hardware used by the Solver�Editor need to b e
reliable� If reliability is regarded as a substantial cost factor� the stated result demonstrates that this cost
can be reduced dramatically by requiring the unreliable elements to work just a little harder�
The relation to Theorem ��� is that E �W � will b e the �transparent pro of � of the statement ��W �S �x� y � W ��
��� Space saving� parallelization
���
E �W � from Corollary ��� could b e long� While kE �W �k � kW k � this � should not b e taken to o small�
that raises the exp onent in the p olylogarithmic time b ound of the Checker� But we do not need the Solver
th
to write down the entire E �W �� Instead� he can provide a devilish program� which computes the i bit of
z � from i� This could save considerable space� and as a result� p ossibly even time�
However� such a program could then cheat by b eing adaptive� i�e� making its resp onses dep end on previous
questions of the Checker� We can eliminate this p ossibility by implementing the multi�prover mo del� run
a replica of the program separately� after the Checker had asked all its questions from the original� select
one of these questions at random and ask the replica� If the answer di�ers� reject� Rep eat this pro cess a
p olylogarithmic numb er of times� If no contradiction arises� accept �cf� �BGKW���� �FRS���� �BFL�����
We can give a helping hand to the Solver to enable his program to resp ond in something like real time
to the Checker�s questions� after some prepro cessing�
�
Prop osition ��� Using the notation of Corol lary ���� there exists an NC algorithm to compute any entry
of E �W � from x� y � W � after a nearly linear �in kx� y k� preprocessing time�
��� Comparison with Blum�s mo dels
���
Our result says that any computation is only �N time away� from a computation checkable in p olyloga�
rithmic time in a sense related to Blum�s�
P �
Blum and Kannan �BK��� de�ne a program checker C for a language L and an instance x � f�� �g as
L
a probabilistic p olynomial�time oracle Turing Machine� that� given a program P claiming to compute L and
an input x� outputs with high probability�
�� �correct�� if P correctly computes L for all inputs�
�� �P do es not compute L�� if P �x� � L�x��
In recent consecutive extensions of the p ower of interactive pro ofs� complete languages in the corresp ond�
�P
ing classes were shown to admit Blum�Kannan instance checkers� P �LFKN���� P S P AC E �Sha����
EXP �BFL���� �See �BF��� for more such classes��
The Checker of the present pap er runs in p olylogarithmic time and needs no interaction with the program
to b e checked� There is some conceptual price to pay for these advantages�
What we check is the computation as sp eci�ed by the User� rather than the language or function to b e
computed� We do allow the Solver to use a devilish program� though� conceivably such a program may b e
helpful not only in establishing the right output but also to compute the requested entries of E �W � without
writing all of it down� One ob jection might b e that this excludes some more e�cient algorithms �e�g� if
we sp ecify comp ositeness�testing by way of computing a divisor as witness� this may make the Solver�s task exceedingly hard��
For a comparison with the Blum�Kannan de�nition consider a program P which is claimed to compute
P
the entries of E �W �� Assuming now that x and S are given in error correcting enco ding� our Checker C
� outputs �correct�� if P correctly computes all entries of E �W ��
� with high probability outputs �P do es not compute a correct E �W ��� unless �except for a small
fraction of easily and uniquely recoverable errors� x� S are in error�correcting form and x is acceptable
�i�e� ��W �S �x� W ���
��� Applications to Probabilistically Checkable Programs
Arora and Safra �AS��� de�ne a hierarchy of complexity classes PCP �for probabilistically checkable pro ofs��
corresp onding to the numb er of random and query bits required to verify a pro of of memb ership in the
language� as follows�
A veri�er M is a probabilistic p olynomial�time Turing machine with random access to a string � repre�
senting a memb ership pro of� M can query any bit of �� Call M an �r �n�� q �n���restricted veri�er if� on an
input of size n� it is allowed to use at most r �n� random bits for its computation� and query at most q �n�
bits of the pro of�
A language L is in PCP �r �n�� q �n�� if there exists an �r �n�� q �n���restricted veri�er M such that for every
input x�
�� If x � L� there is a pro of � which causes M to accept for every random string� i�e��with probability ��
x
�� If x �� L� then for all pro ofs �� the probability over random strings of length r �n� that M using pro of
� accepts is b ounded by ����
k k
Fortnow� Romp el and Sipser �FRS��� show that the languages accepted by multiple provers and � PCP �n � n �
k ��
k k
are equivalent� Thus Babai� Fortnow and Lund �BFL��� show that NEXP � � PCP �n � n ��
k ��
c
The results in this pap er show that NP � � PCP �c log n� log n� since a careful analysis shows that
c��
���
we only need O �log n� coins in our proto col� In fact we get the stronger result that the pro of has size n �
�
Arora and Safra �AS��� and Arora� Lund� Motwani� Sudan and Szegedy �ALM ��� build on this result
to show that NP � � PCP �c log�n�� c��
c��
� A Transparent Pro of Based on MIP
In this section we will informally show how to convert results on multiple prover interactive pro of systems
to weak results on transparent pro ofs�
Instead of the standard de�ntion of multiple prover interactive pro of systesm� we will use the following
equivalent de�ntion due to Fortnow� Romp el and Sipser �FRS����
Let M b e a probabilistic p olynomial time Turing machine with access to an oracle O � We de�ne the
languages L that can b e describ ed by these machines as follows�
We say that L is accepted by a probabilistic oracle machine M i� there exists an oracle O such that
�
O
for all p olynomials p and x su�ciently �� For every x � L� M accepts x with probability � � �
p�jxj�
large�
0
�
� O
�� For every x �� L and for all oracles O � M accepts with probability � for all p olynomials p and
p�jxj�
x su�ciently large�
Babai� Fortnow and Lund �BFL��� show that every language in nondeterministic exp onential time is
accepted by a probabilistic oracle machine� They also show that every language in deterministic exp onential
time has such a machine where the oracle O can b e computed in deterministic exp onential time� Note that
k
for an input of length n� only oracle questions of size at most n can b e queried�
n
To create a transparent pro of we just scale down this proto col� Let N � � � Supp ose we want to verify
a computation running in timp e p olynomial in N � This is an exp onential�itme computation in n� The
k
n
Babai�Fortnow�Lund theorem we now have an oracle of size � with the following prop erties�
k k�1
n �log log N �
�� The oracle can b e computed in time � � N �
k k k
�� The computation can b e veri�ed probablistically in time n � �log N � and thus lo ok in only �log n�
places in the oracle�
Thus we have a pro of of only slightly more than p olynomial size that can b e veri�ed probabilistically in
p olylog time�
However we can not trust that the oracle is actually a computation of the input that we are interested
in� If we only check a p olylogartihmic nubmer of lo cations in the oracle� then a dishonest oracle could give
a pro of for a computation on an input that is one bit away from the real input and we would never catch it�
To handle this problem we require that the input is in an error�correcting co de format� An error�correcting
co de format increases an input by a small amount and has the imp ortant prop erty that the error�correcting
co de for every two inputs will di�er in some constant fraction of their bits� Thus we can then check with
only a constant numb er of queries that the input we have matches the one used by the computation in the
oracle�
� Low degree p olynomials
This section presents technical preliminaries� of which an algorithmic result on co des might b e of indep endent
interest �Prop osition �����
��� Low degree extension
The �pro of � in our pro of system consists of an admissible coloring A of the graph G � We may assume A
n
n
is a string of �colors� of length � � We will explain the structure of these graphs in Section �� The set C of
colors will b e viewed as a subset of a �eld F� The transparent version will involve an extension of this string
to a table of values of a multivariate p olynomial over F�
n
�BFL��� suggests to identify the domain V of A with f�� �g � and� regarding f�� �g as a subset of F� extend
n
A to a multilinear function over I where I is a �nite subset of F� However� in order for the �LFKN����typ e
�
proto col of �BFL��� to work� one requires I to have order ��n �� forcing the table of the multilinear function
��n� ��log log N � n
to have size n � N � where N � � is the length of A� This would render the �transparent
pro of � slightly sup erp olynomial�
�
Instead we select a small subset H � F of size jH j � � where � � ��log n��� where � � � is the quantity
app earing in the comments after the statement of Theorem ��� as well as in Corollary ��� We may assume
m
m �� n�� is an integer� and we identify V with the set H � The next Prop osition allows us to extend A to
a low degree p olynomial in only m variables� Now the size of the table of the extended function has size
m m � m ������
jIj � N �jIj�jH j� � N ���n �� � N � ���
�
using the stipulation� to b e justi�ed later� that the right size of I is ��n jH j��
Prop osition ��� �Low degree extension� Let H � � � � � H � F and let f � H � � � � � H � F be a
� m � m
e
function� Then there exists a unique polynomial f in m variables over F such that
th
e
� f has degree � jH j in its i variable�
i
e
� f � restricted to H � � � � � H � agrees with f �
� m
Pro of� Let u � �u � � � � � u � � K �� H � � � � � H � Consider the p olynomial
� m � m
m
Y Y
�x � h�� ��� g �x� �
i u
i��
h�H nfu g
i i
Now g �u� � � but g �x� � � for all x � K n fug� Clearly� every function K � F is a linear combination of
u u
the g � restricted to K � This proves the existence part of the statement� The uniqueness can b e proved by
u
an easy induction on m� 2
��� Low degree test
One of the key ingredients of the program that checks the �transparent pro of � is a test that a function
m
f � F � F is a low degree p olynomial�
We say that two functions de�ned over a common �nite domain are ��approximations of one another if
they agree on at least a �� � �� fraction of their domain�
An imp ortant feature of low degree p olynomials is that they form an error�correcting code with large
distance� two such p olynomials can agree on a small fraction of their domain only� assuming the domain is
not to o small� This follows from a well known lemma of J� T� Schwartz �Sch��b� which we quote�
m
Lemma ��� �J� T� Schwartz� Let I � F be a �nite subset of the �eld F� Let f � F � F be an m�variate
m
polynomial of �combined� degree d � �� Then f cannot vanish in more than a d�jIj fraction of I �
�The pro of is by a simple induction on m��
An imp ortant prop erty of low degree p olynomials over not to o small �nite �elds is that they are random
self�reducible� as observed by Beaver�Feigenbaum �BF��� and Lipton �Lip���� They show that an m�variate
m
p olynomial p � F � F of degree d can b e recovered from an ��approximation assuming � � ����d� and
jFj � d � �� A� Wigderson has p ointed out to us that the b ound on � can b e improved to a constant� say ����
using known error�correction techniques in the way used by Ben�Or� Goldwasser� and Wigderson �BGW���
in their �secret sharing with cheaters� proto col� We brie�y review the technique and state the result�
Prop osition ��� Let p be an unknown polynomial of degree d in m variables over the �nite �eld F� Let
m
f � F � F be an ��approximation of p� where � � ���� Let n be a divisor of jFj � �� and assume n � �d � ��
m
Then there is a Monte Carlo algorithm which for any x � F computes p�x� with large probability in time
polynomial in n� m� and log jFj if al lowed to query f �
th m
Pro of� Let � b e a primitive n ro ot of unity in F� We select a random r � F � query the values
i i
� � f �x � r � � for i � �� � � � � n � �� Let �e b e de�ned analogously� using p in place of f � Now �e is a ���
univariate p olynomial of degree � d � �n � ����� and with some luck� no more than �n � ���� of the queried
values of f di�er from the corresp onding values of p� If this is the case� the p olynomial �e can b e recovered
from the values of �� Indeed� as observed in �BGW��� p� ��� this is a case of correcting errors in a generalized
Reed�Muller co de� cf��PW��� p� �����
Rep eating this pro cess we are likely to succeed and obtain the correct value of p�x� for a ma jority of the
random choices of r � 2
Let us say that a multivariate p olynomial f is h�smooth if it has degree � h in each variable� A function
is ��approximately h�smooth if it is an ��approximation of an h�smo oth function� ��smo oth p olynomials are
called multilinear� One of the key ingredients of the MIP � NEXP proto col in �BFL��� is a multilinear�
ity�low degree test�
Theorem ��� ��BFL���� Let F be a �eld� h� m positive integers� and I a �nite subset of F� There exists
m
a Monte Carlo algorithm which tests approximate h�smoothness of a function f � I � F in the fol lowing
sense�
�i� if f is h�smooth� the algorithm accepts�
�
�ii� if f is not ��approximately h�smooth� the algorithm rejects with high probability� where � � �m h�jIj�
O ���
The algorithm queries hm values of f �
For the pro of� see �BFL��� Theorem ���� and Remark ������ �Sp eci�c citations refer to the journal
�
version�� A more e�cient version of the algorithm was recently found by Szegedy �see �FGL �����
We shall now combine this result with the ideas of Beaver� Feigenbaum� Lipton� Ben�Or� Goldwasser� and
Wigderson to upgrade the test� incorp orating a strong self�correction feature which makes the test tolerant
to errors of up to a substantial fraction of the domain� In order to do so� we have to take I � F�
�
Corollary ��� Let F be a �nite �eld� and h� m positive integers� Assume jFj � ��m h� There exists a
m
Monte Carlo algorithm which tests approximate h�smoothness of a function f � F � F in the fol lowing
stronger sense�
m
�i� if f is ����approximately h�smooth� the algorithm accepts with high probability� and for any x � F �
computes the value of the unique h�smooth approximation of f at x�
�ii� if f is not ����approximately h�smooth� the algorithm rejects with high probability�
O ���
The algorithm runs in time �jFjm� � including the queries to values of f �
Pro of� Let us �rst pretend that f is ����approximately h�smo oth� Apply the pro cedure of Prop osition ���
O ��� m
e
to �hm� p oints x � F to establish values �random variables� f �x�� If the pro cedure fails to pro duce a
value or the value pro duced is di�erent from f �x� more than ����� of the time� reject� Else� p erform the
e
h�smo othness test of Theorem ��� to the values of f rather than those of f �
If indeed f is ����approximately h�smo oth then let g b e its unique smo oth approximation� For every x
c
e
it has very large �� � exp��hm� �� probability that f �x� � g �x�� so the smo othness test will accept� On the
other hand� if the self�correction pro cedure do es not reject� then it is likely that there exists a function g �x�
e
such that for almost every x� f �x� � g �x� with large probability� Now if the smo othness test accepts� then
�
g must very closely approximate an h�smo oth function g � Now we are almost certain that f and g agree on
�
all but ����� of the places� so all put together f is very likely to ����approximate the h�smo oth g � 2
��� An e�ciently correctable co de
We describ e an error�correcting co de with a p olylogarithmic error correction algorithm� capable of restoring
each bit from a string which may have errors in a substantial fraction� This co de plays a multiple role in
this pap er� In addition to b eing the co de of choice for the �theorem�candidate�� it can b e added onto the
transparent pro of to make the pro of itself error�tolerant� Moreover� the ideas involved motivate parts of the
construction of the �transparent pro of ��
Theorem ��� Given � � � and a su�ciently large positive integer N � there exists an integer N � N � N �
� �
���
N �log N � and an error�correcting code with the fol lowing properties�
� �
N ���
�a� given a message string x � f�� �g � one can compute in time N the co deword E �x� of length
���
m�N � � N �
�b� the Hamming distance of any two valid codewords is at least ��� of their length�
O �����
�c� given random access to a string y of length m�N �� a �log N � �time Monte Carlo algorithm wil l�
with large probability� output �accept� if y is within ��� of a valid codeword� and �reject� if y is not
within ��� of a valid codeword�
� ���
�d� if y is within ��� of a �unique� valid codeword y then a �log N � �time Monte Carlo algorithm wil l
�
be able to compute any digit of y with large con�dence�
m�
Pro of� We cho ose N in the form N � � � k where k � � is slightly greater than � log m� and �k � ���� � ��
k �
So � � � log m��� Let F b e a �nite �eld of order q � � and H � F b e a subset of size � � We identify F
k m m�
with f�� �g and thereby the message string with a function x � H � F� A message of N breaks into �
tokens� each an element of F�
We shall p erform a two�stage �concatenated� enco ding� The �rst stage asso ciates with x its unique jH j�
m
smo oth extension to F which we denote by E �x� �Prop osition ����� E �x� is a token�string of length
� �
mk
� �
�k ����� ���
Clearly� the bit�length of these strings is N �N �k � � N � and they are computable �if done in
prop er order� at p olylogarithmic cost p er token�
The degree of E �x� as a p olynomial of m variables is � mjH j� Therefore� by the quoted result of J� T�
�
m
Schwartz �Lemma ���� this p olynomial cannot vanish on more than a mjH j�jFj fraction of its domain F �
We observe�
k ��
mjH j�jFj � m�� � ��m� ���
But m log m � � log N � so ��m will b e small for �xed � and su�ciently large N � This justi�es statement �b�
�for tokens�� �c� and �d� �for tokens� follow from Corollary ����
Now to switch to bits from tokens� we have to apply an enco ding of the tokens themselves� Here we have
a large degree of freedom� e�g� Justesen�s co des will work �cf� �MS��� Chap��������� The prop erties required
are now easily veri�ed� 2
� LFKN�typ e proto cols
��� Veri�cation of large sums
We shall have to consider the following situation� let F b e a �eld� �We shall use F � Q�� Assume we are
m
given a p olynomial of low degree in m variables over I where I is a �small� �nite subset of F� We have to
verify that
X
f �u� � a ���
m
u�H
for some small H � I and a � F� �jH j will b e p olylogarithmic�� We assume that we have random access to
a database of values of f as well as their partial sums
X X
f �x � � � � � x � �� � � � f �x � � � � � x �� ���
i � i � m
x �H x �H
i+1 m
over I� Clearly� f � f � and
m
X
f � f �x � h� ���
i�� i i
h�H
�using self�explanatory notation��
Assumption on the database� We assume that the database gives the correct values of f but we allow
that it give false values of the other f �
i
Proto col sp eci�cations� The proto col is required to accept if the entire database is correct and equation ���
holds� and reject with large probability if equation ��� do es not hold �regardless of the correctness of the
database��
We review the proto col which is a slight variation of the one used for an analogous purp ose in �BFL���
Prop osition ����� The proto col builds on the technique of Lund� Karlo�� Fortnow� and Nisan �LFKN����
The proto col will work assuming the degree of f is � d in each variable �f is d�smo oth�� and jIj � �dm�
The proto col pro ceeds in rounds� There are m rounds�
At the end of round i� we pick a random numb er r � I� and compute a �stated value� b � We set b � a�
i i �
It will b e maintained throughout that unless our database is faulty� for each i� including i � ��
b � f �r � � � � � r �� ���
i i � i
So by the b eginning of round i � �� the numb ers r � � � � � r have b een picked and the �stated values�
� i��
b � a� b � � � � � b have b een computed�
� � i��
Now we use the database to obtain the co e�cients of the univariate p olynomial
g �x� � f �r � � � � � r � x� ���
i i � i��
�by making d � � queries and interp olating�� Let ge denote the p olynomial thus obtained� We p erform a
i
Consistency Test� with equation ��� in mind� we check the condition
X
b � eg �h�� ���
i�� i
h�H
If this test fails� we reject� else we generate the next random numb er r � I and declare b �� eg �r � to b e the
i i i i
th
next �stated value�� After the m round we have the stated value b and the random numb ers r � � � � � r �
m � m
and we p erform the Final Test
b � f �r � � � � � r �� ����
m � m
We accept if all the m Consistency Tests as well as the Final Test have b een passed�
The pro of of correctness exploits the basic idea that if equation ��� do es not hold but the data pass
the Consistency Tests then we obtain false relations involving p olynomials with fewer and fewer variables�
eventually reaching a constant� the correctness of which we can check by a single substitution into the
p olynomial b ehind the summations�
Pro of of correctness of the proto col� Assume �rst that equation ��� holds and the database is correct�
Then we shall always have eg � g and eventually accept�
i i
Assume now that at some p oint� there is a mistake� ge � g � Here we allow i � �� we de�ne the
i�� i��
constant p olynomial eg �� b � a� Then with probability � � � d�jIj� b � eg �r � � g �r � since
� � i�� i�� i�� i�� i��
two di�erent univariate p olynomials of degree � d cannot agree at more than d places� Assuming now that
the next Consistency Test is passed �equation ���� it follows that the same error must o ccur in the next
round� eg � g �
i i
If now equation ��� do es not hold� then the constant a � b � ge di�ers from g � f � an error o ccurs in
� � � �
round �� It follows that unless one of the Consistency Tests fails� with probability � � � dm�jIj� the same
error will have to o ccur in each round� But the error in the last round is discovered by the Final Test� 2
��� Simultaneous vanishing
P
�
In �BFL���� simultaneous vanishing of all values f �x�� x � D was reduced to the statement f �x� � ��
x�D
This trick works over sub�elds of the reals and will b e used in the main pro cedure �Section ��� However� if we
wish to avoid large�precision arithmetic� a di�erent approach is required� We mo dify a pro cedure describ ed
in �BFL��� Section �����
The situation is similar to Section ���� except that rather than verifying equation ���� we have to verify
m
that f �u� � � for each u � H � In this section we show how to reduce this problem to the result of
Section ����
m m
Let us extend the �small� �eld F to a large �eld K where �jH j � jKj � �jH j jFj� Let jH j � d� Let
P
m��
m i
� � H � f�� �� � � � � d � �g b e a bijection� and for u � �u � � � � � u � � H � set � �u� � d ��u �� So�
� m�� i
i��
m m
� � H � f�� � � � � d � �g is a bijection�
P
� �u�
f �u�t � Unless all the f �u� are zero� a Let us now consider the univariate p olynomial p�t� �
m
u�H
random � � K has probability � ��� to b e a ro ot� We show that checking p�� � � � for a given � � K is an instance of equation ����
i
d
Indeed� let � � � � then
i
m�� m��
X Y Y
��h� ��u �
i � �u�
� � L �u �� ���� � � � �
h i
i i
i�� i��
h�H
where the L are Lagrange interp olation p olynomials� for h� h � H � L �h � � � if h � h and zero otherwise�
h � h � �
The right hand side is therefore a pro duct of p olynomials of degree � �d � �� of each u � and the proto col of
i
Section ��� can b e used to verify that p�� � � ��
Having veri�ed this for a numb er of indep endent random choices of � � K� we are assured that all the
f �u� are zero�
� Pointer machines and the Kolmogorov�Usp enski�� thesis
In order to apply the theory e�ciently to actual computations and mathematical pro ofs� we need a formal�
ization of the concept of pro ofs� more accurately re�ecting their p erceived length�
Within an accuracy of p olynomial�time transformations a formalization of pro ofs is quite established�
It is based on the nondeterministic Turing machine mo del� Pro ofs could b e represented as witnesses to
instances of any NP �complete problem �say ��coloring�� Their length and checking time will b e b ounded by
a p olynomial of kT � P k for any reasonable formal system�
We need a greater accuracy� First� our p olylogarithmic time checker has no direct way to verify the
p olynomial time transformations� We can a�ord only very trivial �p olylog�time� reductions on instances
�b elow� they will simply pre�x the input with short strings�� Second� we intend to transform very long
mathematical pro ofs into transparent form� Squaring the length of the pro of of the Enormous Theorem
would seem to o much�
Better accuracy is harder to achieve in machine�indep endent terms� One p ossibility is to accept the thesis
of Kolmogorov and Usp enski�� �KU��� that the Pointer Machine mo del of computation prop osed there �the
original and cleaner version of RAM� see b elow� simulates� with constant factor time overhead� any other
realistic mo del �including formal mathematical pro ofs��
This thesis suggests the following solution� We de�ne the class NF of problems solvable in nearly linear
time on nondeterministic p ointer machines �or� equivalently� RAM�s�� �NF � �Non�deterministic Fast�� we
use the term �fast� as a synonym to �in nearly linear time��� We �nd an NF �complete problem with resp ect
to our very restrictive reduction concept� We use the witnesses of this problem as �pro ofs�� This de�nes a
sp eci�c pro of system� for which we design our checker� Pro ofs in other systems can then b e padded to allow
nearly�linear time veri�cations and reduced to our complete problem�
��� Pointer Machines and RAMs
Kolmogorov�Usp enski�� Machines �often called Pointer Machines� are an elegant combinatorial mo del of
realistic computation� Pointer Machines are equivalent to RAM�s within the accuracy relevant for us �p olylog
factors�� We describ e a slightly generalized version �to directed graphs� due to A� Sch�onhage �Sch��a�� This
de�nition is not required for the technical details of the pro ofs but it may contribute to conceptual clarity�
The memory con�guration of a Pointer Machine �PM� is a directed graph with lab eled edges� The set
of lab els �colors� is �nite and prede�ned indep endently of the input� Edges coming out of a common no de
must di�er in colors �thus constant outdegree�� There is a sp ecial no de O � called the central node� All no des
must b e reachable from O via directed paths�
The input of a PM is the starting memory con�guration� Based on the con�guration of the constant
depth neighb orho o d of O �w�l�o�g� depth ��� the program of PM cho oses and p erforms a set of local op erations�
delete or create an edge� create a new no de connected to O � halt� The op erations transform the con�guration
step by step until the halt� The �nal con�guration represents the output� The no des �and their edges� which
b ecome unreachable from O are considered deleted�
Now we compare this PM mo del to RAM�s� Our variety of RAM has an array of registers R with content
i
m�R �� These include R � � � � � R � initially storing the input� and a Central Register R � �s� a� w � t�� R
i � n � �
has a time counter t and O �kt� nk� other bits� The RAM works as a Turing Machine on R and� at regular
�
�
intervals� swaps the contents of s and R � A copy t of t is maintained in a part of the �eld s� except that
m�a�
at each swap it is overwritten for a moment� At the start� the RAM reads consecutively the entire input�
Prop osition ��� PM�s and RAM�s can simulate each other in nearly linear time�
��� An NF �complete Problem�
Let f b e a function which transforms strings w called �witnesses� into �acceptable instances� x � f �w �� We
say that f is fast if it is computable in time nearly linear in kf �w �k� An NF problem is a task to invert
a fast function� �Note that this de�nition requires a su�ciently strong mo del� such as Pointer Machines or
RAM�s�� Representation of ob jects �say graphs� as strings is �exible� since nearly linear time is su�cient for
translation of various representations into each other�
A fast reduction of problem P to Q is a pair of mappings f � h� The instance transformation f � computable
in p olylogarithmic time� maps the range of P into the range of Q� The witness transformation h� computable
in nearly�linear time� maps the inverses� P �h�w �� � x whenever f �x� � Q�w ��
We need a combinatorial problem with witnesses re�ecting space�time histories of nearly�linear time
computations�
The history of the work of a RAM is the the sequence of records m�R �� for all moments of time� Each
�
�
record contains two time values t and t in s� copied from t or swapp ed from R � Each time value
m�a�
may app ear in two records� at its own time and at the next time the same register R will b e accessed
m�a�
again� Clearly� any error in the history creates an inconsistency of two records �including the inputs�� It
can b e either a Turing error or some �read� inconsistent with the �write� at the last access time or two
�reads� indicating the same last access time� We can easily �nd the errors by comparing two copies of the
�
history� sorted by t and sorted by t � The contradicting records will collide against each other� So we have
accomplished three goals�
� The length of our history is nearly linear in time� a contrast to quadratic lengths �linear space times
linear time� of customary �Turing machine or RAM� histories�
� Its veri�cation can b e done on a sorting network of �xed structure� �Simulation by a �xed structure
network was �rst done in �Ofman �����
� The veri�cation takes p olylogarithmic paral lel time� Thus the space�time record of the veri�cation
is also nearly linear� Note that only the veri�cation� not the construction of the history can b e so
parallelized� So� only non�deterministic problems allow such reductions�
To implement the veri�cation we need a sorting network of nearly linear width and p olylogarithmic
depth� Of course� the sorting gates will b e simple circuits of binary gates comparing numb ers in binary� This
network will also need to p erform a simple computation verifying other minor requirements�
The history of this veri�cation �assigning the �color� i�e� the bit stored at each gate at each time� is a
coloring of the Carrier Graph on which the network is implemented� The veri�cation is successful if the
coloring of the carrier graph satis�es certain lo cal requirements� So� we obtain the following NF �complete
problem� Extend a given partial coloring �the input part� of a sorting network to a total coloring� so that
only a �xed �nite set of permitted types of colored neighborhoods of given �xed depth occurs� We may extend
the numb er of colors to represent such a whole neighb orho o d as the color of a single no de� Then consistency
need only b e required from pairs of colors of adjacent no des�
��� The Domino Problem
We now describ e a simpli�ed NF �complete problem� We cho ose a family of standard directed graphs G of
n
n th th
size ��� �� We denote by g �i� the k digit of the binary name of the c neighb or of no de i� It do es not n�k �c
make much di�erence what G we cho ose �say� Shu�e Exchange Graph�� as long as g can b e represented by
n
O ���
a b o olean formula of the digits of i� computable from n� c� k in time n and a p olylog time sorting network
can b e implemented on G � A coloring of a graph is a mapping of its no des into integers �colors�� The base
n
is the subgraph of ��� ���colored no des� We require it to b e an initial segment of consecutive no des of G �
n
A domino is a two�no de induced colored subgraph� with no des unlab eled� The Domino Problem is to color
the standard graph to achieve given domino set and base �sp eci�ed as a string of colors��
Prop osition ��� The Domino Problem is NF �complete� i�e� al l NF problems have fast reductions to it�
The instance transformation will leave the base string intact and supplement it with a �xed domino set�
sp eci�c for the problem� Alternatively� we can use a �xed universal domino set and prep end the input with
a problem�sp eci�c pre�x to get the base string� The idea of the construction was outlined in section ����
Other �straightforward� details will b e given in the journal version�
� Arithmetization of admissibility of coloring
The purp ose of this section is to turn the essentially Bo olean conditions describing the admissibility of a
coloring A of the standard graph G of the Domino Problem �Section ���� into algebraic conditions of the
n
following typ e� some family of low degree polynomials of several variables must vanish on al l substitutions
of the variables from some smal l set�
Let C b e the set of colors and D the set of admissible domino es� Let G b e the standard graph referred
n
to in the domino problem� with edge set E � vertex set V � and functions B � B � E � V and B � E � f�� �g
� � �
describing the head� the tail� and the typ e of each edge� �The �typ e� is either directed or undirected��
Let now D b e the set of all conceivable domino es� For � � D � let � � C � C � f�� �g � f�� �g b e the
� � �
predicate describing the statement � �� � � � �� that an edge of typ e � has typ e � with its head colored �
� � � �
and its tail colored � �
�
Let F b e a �eld� We assume C � F� Let A � V � F b e a function� We wish to express by arithmetic
formulas that A is an admissible coloring of V � By an arithmetic formula we mean a correctly parenthesized
expression involving the op erations �� �� �� variable symb ols� and constants from F�
First we observe that the statement that A is an admissible coloring of G is equivalent to the following�
n
��� � D n D ���e � E �
�
�� �A�B �e��� A�B �e��� B �e�� � ��� ����
� � � �
��v � V ��A�v � � C �� ����
�
As in Section ���� let H � F b e a set of size � where � � log n��� �We cho ose � so as to make this an
integer�� We may assume also that m �� n�� is an integer� We emb ed b oth E and V into a Cartesian p ower
m �
of H � E � V � H � Furthermore� we identify H with f�� �g � So the elements of H are represented as binary
th
strings of length �� For h � H � let � �h� denote the j bit of h �� � j � ��� For v � �h � � � � � h � � V � let
j � m
us call the h the tokens of v � and the bits of the h the bits of v � So v has m tokens and m� � n bits� We
i i
m
use the same terminology for E � After a slight technical trick we may assume that V � E � H �
We assume B � B � B are given in the form of a family of Bo olean functions de�ning the bits of the
� � �
output in terms of the bits of the input� We assume that these functions are given by Bo olean formulas�
c
1
� where the entire collection of these formulas is computable from n in time n
Let us arithmetize these formulas� i�e� create equivalent arithmetic expressions in the same n variable
symb ols which give the same value on Bo olean substitutions� This is easily accomplished by �rst eliminating
��s from the Bo olean formulas �replacing them by � � ��� and subsequently replacing each � by multiplication
and each subformula of the form �f by �� � f �� The length of the arithmetic expression created is linear in
the length of the initial Bo olean formula�
So we now may assume that B � B � B are given by arithmetic expressions over F describing families of
� � �
c
1
in m� variables� We now wish to turn this representation in n variables over f�� �g p olynomials of degree n
into a representation in m variables over H �
���
Each pro jection function � � H � f�� �g � F can b e viewed as a p olynomial of degree � jH j � n
j
in a single variable over F� Combining these families of p olynomials� we obtain the families of comp osite
p olynomials
P �u � � � � � u � � B �� �u �� � �u �� � � � � � �u ��� ����
i � m i � � � � � m
c ����
1
The degree of this p olynomial is � n �
Similarly� for each � � D � � is a p olynomial of degree � jC j in each of � and � and linear in � so its
� � � �
total degree is � �jC j � � �by Prop osition �����
Let now A � V � F b e an arbitrary function�
First� let us consider the following p olynomial f of degree jC j in a single variable�
Y
f �t� � �t � � � � �� ����
� �C
Now the statement that A is a coloring of V is equivalent to
��v � V ��f �A�v �� � ��� ����
Next� we consider the p olynomials P de�ned ab ove� Setting
i
A
� �e� � � �A�P �e��� A�P �e��� P �e�� ����
� � � �
�
we observe that the coloring A is admissible precisely if
A
��� � D n D ���e � E ��� �e� � �� ����
�
�
m
where each edge e is viewed as a memb er of H � We summarize the result�
Prop osition ��� There exists a family of arithmetic formulas P � P � P � � � f computable from n in time
� � � �
O ���
jH jn such that a function A � V � F represents an admissible coloring of G if and only if conditions
n
���� and ���� hold�
This result almost accomplishes our goal� except that A is not a p olynomial� Let us now consider the
m
e
unique extension A � F � F of A as a p olynomial which has degree � jH j in each variable ������ Replacing
e
A by A in the formulas ���� and ����� we obtain arithmetic conditions in terms of the vanishing of certain
��c ���� m
1
p olynomials of degree � n over H �the set which was identi�ed with V and E ��
� The pro cedure
We use the co de of Theorem ��� to enco de the �theorem�candidate�� The pro of system includes this in�
formation and is enco ded into our instance of the domino problem� The �pro of�candidate� is therefore a
coloring of the standard graph in the Domino Problem�
We de�ne the parameters n� m� � and the set H as suggested in Section ���� with F � Q and jIj �
� m
��n jH j�� The Solver is asked to extend the coloring A to an jH j�smo oth p olynomial over I �
The veri�cation consists of the LFKN�typ e proto col �Section ����� employed to verify that the sum of
squares of the quantities in equations ���� and ���� vanishes�
The �transparent pro of � will consist of a collection of databases� one for the extended A� others for each
LFKN�typ e partial sum encountered in the veri�cation �according to Sections �� ��� We test jH j�smo othness
of the extended A�
Let P b e the collection of the databases obtained� It should b e clear that P quali�es as a transparent
� �
pro of� except that it do es not have the error�tolerance stated in Section ���� at this p oint the Checker is
allowed to reject on the grounds of a single bit of error�
In order to add error�tolerance� we enco de P according to Theorem ���� to obtain the transparent pro of
�
� �
P � The Checker op erates on P by lo cally reconstructing each bit of P as needed� If P was incorrect even
� �
�
in a single bit� then P will b e more than ��� away from any correct pro of�
Remarks� �� The enco ding of the Theorem�candidate do es not need to use the enco ding of Theorem ����
Any error�correcting co de will do� the co de of Theorem ��� can b e incorp orated in the transparent pro of
and serve the same purp ose �correction of any bit of T in p olylog time�� �� Rather than working over Q�
we could use the trick of Section ��� in the proto col� This would require a separate LFKN proto col for each
� � K� thus squaring the length of the transparent pro of� This blowup can b e avoided with the following
����round interactive proto col� �� Prover� low degree extension of coloring� �� Veri�er� random � � K � ��
Prover� p�� � � ��
Acknowledgements� We are grateful to Manuel Blum� Joan Feigenbaum� and Avi Wigderson for their
insightful comments�
References
�AHK��� K� App el� W� Haken� and J� Ko ch� Every planar map is four colorable� Part I I� Reducibility�
Il linois Journal of Mathematics� ����������� �����
�
�ALM ��� S� Arora� C� Lund� R� Motwani� M� Sudan� and M� Szegedy� Pro of veri�cation and hardness
of approximation problems� In Proceedings of the ��rd IEEE Symposium on Foundations of
Computer Science� pages ������ IEEE� New York� �����
�AS��� S� Arora and S� Safra� Approximating clique is NP�complete� In Proceedings of the ��rd IEEE
Symposium on Foundations of Computer Science� pages ����� IEEE� New York� �����
�BF��� D� Beaver and J� Feigenbaum� Hiding instances in multioracle queries� In Proceedings of the
�th Symposium on Theoretical Aspects of Computer Science� volume ��� of Lecture Notes in
Computer Science� pages ������ Springer� Berlin� �����
�BF��� L� Babai and L� Fortnow� Arithmetization� A new metho d in structural complexity theory�
Computational Complexity� ����������� �����
�BFL��� L� Babai� L� Fortnow� and C� Lund� Non�deterministic exp onential time has two�prover inter�
active proto cols� Computational Complexity� ���������� �����
�BGKW��� M� Ben�Or� S� Goldwasser� J� Kilian� and A� Wigderson� Multi�prover interactive pro ofs� How
to remove intractability assumptions� In Proceedings of the ��th ACM Symposium on the Theory
of Computing� pages �������� ACM� New York� �����
�BGW��� M� Ben�Or� S� Goldwasser� and A� Wigderson� Completeness theorems for non�cryptographic
fault�tolerant distributed computation� In Proceedings of the ��th ACM Symposium on the
Theory of Computing� pages ����� ACM� New York� �����
�BK��� M� Blum and S� Kannan� Designing programs that check their work� In Proceedings of the ��st
ACM Symposium on the Theory of Computing� pages ������ ACM� New York� �����
�
�FGL ��� U� Feige� S� Goldwasser� L� Lov�asz� S� Safra� and M� Szegedy� Approximating clique is almost
NP�complete� In Proceedings of the ��nd IEEE Symposium on Foundations of Computer Science�
pages ����� IEEE� New York� �����
�FRS��� L� Fortnow� J� Romp el� and M� Sipser� On the p ower of multi�prover interactive proto cols� In
Proceedings of the �rd IEEE Structure in Complexity Theory Conference� pages �������� IEEE�
New York� �����
�Gor��� D� Gorenstein� The enormous theorem� Scienti�c American� ��������������� Decemb er �����
�KU��� A� Kolmogorov and V� Usp enski��� On the de�nition of an algorithm� Uspehi Mat� Nauk� ��������
��� ����� Translation in �KU����
�KU��� A� Kolmogorov and V� Usp enski��� On the de�nition of an algorithm� American Mathematical
Society Translations� ����������� �����
�LFKN��� C� Lund� L� Fortnow� H� Karlo�� and N� Nisan� Algebraic metho ds for interactive pro of systems�
Journal of the ACM� �������������� �����
�Lip��� R� Lipton� New directions in testing� In J� Feigenbaum and M� Merritt� editors� Distributed Com�
puting and Cryptography� volume � of DIMACS Series in Discrete Mathematics and Theoretical
Computer Science� pages ��� � ���� American Mathematical So ciety� Providence� �����
�MS��� F� MacWilliams and N� Sloane� The Theory of Error�Correcting Codes� North�Holland� Ams�
terdam� �����
�PW��� W� Peterson and W� Weldon� Jr� Error�correcting Codes� MIT Press� �����
�Sch��a� A� Sch�onhage� Storage mo di�cation machines� SIAM Journal on Computing� �������������
�����
�Sch��b� J� Schwartz� Fast probabilistic algorithms for veri�cation of p olynomial identities� Journal of
the ACM� ����������� �����
�Sha��� A� Shamir� IP � PSPACE� Journal of the ACM� �������������� �����