DOCSLIB.ORG

Probabilistic Proof Systems { Lecture Notes

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Probabilistic Proof Systems { Lecture Notes Probabilistic Pro of Systems Lecture Notes Oded Goldreich Department of Computer Science and Applied Mathematics Weizmann Institute of Science Rehovot Israel September Abstract Various typ es of probabilistic pro of systems haveplayed a central role in the development of computer science in the last decade In these notes we concentrate on three such pro of systems interactive proofs zeroknow ledge proofsand probabilistic checkable proofs Remark These are lecture notes in the strict sense of the word Surveys of mine on this sub ject can b e obtained from URL httptheorylcsmitedu odedppshtml These notes were prepared for a series of lectures given in the Theory Student Seminar of the CS Department of UCBerkeley Visiting Miller Professor Aug Sept EECS Dept UCBerkeley Intro duction The glory given to the creativity required to nd pro ofs makes us forget that it is the less glori ed pro cedure of verication whichgives pro ofs their value Philosophically sp eaking pro ofs are secondary to the verication pro cedure whereas technically sp eaking pro of systems are dened in terms of their verication pro cedures The notion of a verication pro cedure assumes the notion of computation and furthermore the notion of ecient computation This implicit assumption is made explicit in the denition of NP in which ecient computation is asso ciated with deterministic p olynomialtime algorithms Traditionally NP is dened as the class of NPsets Yet each such NPset can b e viewed as a pro of system For example consider the set of satisable Bo olean formulae Clearly a satisfying assignment for a formula constitutes an NPpro of for the assertion is satisable the verication pro cedure consists of substituting the variables of by the values assigned by and computing the value of the resulting Bo olean expression The formulation of NPpro ofs restricts the eective length of pro ofs to b e p olynomial in length of the corresp onding assertions However longer pro ofs may b e allowed by padding the assertion with suciently many blank symb ols So it seems that NP gives a satisfactory formulation of pro of systems with ecientverication pro cedures This is indeed the case if one asso ciates ecient pro cedures with deterministic p olynomialtime algorithms However wecangainalotifweare willing to take a somewhat nontraditional step and allow probabilistic verication pro cedures In particular interactive proof systems Randomized and interactiveverication pro cedures giving rise to seem much more p owerful ie expressive than their deterministic counterparts Such randomized pro cedures allow the intro duction of zeroknow ledge proofs which are of great theoretical and practical interest NPpro ofs can b e eciently transformed into a redundant form which oers a tradeo between the numb er of lo cations examined in the NPpro of and the condence in its validity see probabilistical ly checkable proofs In all ab ovementioned typ es of probabilistic pro of systems explicit b ounds are imp osed on the computational complexity of the verication pro cedure which in turn is p ersonied by the notion ofaverier Furthermore in all these pro of systems the verier is allowed to toss coins and rule by statistical evidence Thus all these pro of systems carry a probability of error yet this probability is explicitly b ounded and furthermore can b e reduced by successive application of the pro of system Interactive Pro of Systems In lightofthegrowing acceptability of randomized and distributed computations it is only natural to asso ciate the notion of ecient computation with probabilistic and interactive p olynomialtime computations This leads naturally to the notion of interactive pro of systems in which the verica tion pro cedure is interactive and randomized rather than b eing noninteractive and deterministic Thus a pro of in this context is not a xed and static ob ject but rather a randomized dynamic pro cess in which the verier interacts with the prover Intuitively one may think of this interaction as consisting of tricky questions asked by the verier to which the prover has to reply convinc ingly The ab ove discussion as well as the actual denition makes explicit reference to a prover whereas a prover is only implicit in the traditional denitions of pro of systems eg NPpro ofs The Denition Interaction Going b eyond the unidirectional interaction of the NPpro of system If the verier do es not toss coins then interaction can b e collapsed to a single message computationall y unb ounded Prover As in NPwe start by not considering the complexity of proving probabilistic p olynomialtime Verier We maintain the paradigm that verication ought to b e easyalaswe allow random choices in our notion of easiness Completeness and Soundness We relax the traditional soundness condition by allowing small probability of b eing fo oled by false pro ofs The probabilityistaken over the veriers random choices We still require p erfect completeness that is that correct statements are proven with probability Error probability b eing a parameter can b e further reduced by successive rep eti tions Variations Relaxing the p erfect completeness requirement yields a twosided error variantof IP ie error probability allowed also in the completeness condition Restricting the verier to send only random ie uniformly chosen messages yields the restricted ArthurMerlin interactive pro ofs aka publiccoins interactive pro ofs Alas b oth variants are essentially as p owerful as the one ab ove An Example interactive pro of of Graph NonIsomorphism The problem not known to b e in NP Proving that two graphs are isomorphic can b e done by presenting an isomorphism but howdoyou prove that no such isomorphism exists The construction the two dierent ob ject proto col if you claim that two ob jects are dierent then you should b e able to tell which is which when I presentthemtoyou in random order In the context of the Graph NonIsomorphism interactive pro of two supp osedly dierentobjects are dened by taking random isomorphic copies of each of the input graphs If these graphs are indeed nonisomorphic then the ob jects are dierent the distributions have distinct supp ort else the ob jects are identical Interactive pro of of NonSatisability Arithmetization of Bo olean CNF formulae Observe that the arithmetic expression is a low degree p olynomial Observe that in any case the value of the arithmetic expression is b ounded Moving to a Finite Field Whenever wecheck equalitybetween twointegers in M it suces to check equalitymodq where qM The b enet is that the arithmetic is now in a nite eld mo d q and so certain things are nicer eg uniformly selecting a value Thus proving that a CNF formula is not satisable reduces to proving equality of the following form X X x x modq n x x n where is a lowdegreemultivariant p olynomial The construction stripping summations in iterations In each iteration the prover is supp osed to supply the p olynomial describing the expression in one currently stripp ed variable By the ab ove observation this is a low degree p olynomial and so has a short description The verier checks that the p olynomial is of low degree and that it corresp onds to the currentvalue b eing claimed ie p p v Next the verier randomly instantiates the variable yielding a new r for uniformly chosen r GFq value to b e claimed for the resulting expression ie v p The verier sends the uniformly chosen instantiation to the prover At the end of the last iteration the verier has a fully sp ecied expression and can easily check it against the claimed value Completeness of the ab ove When the claim holds the prover has no problem supplying the correct p olynomials and this will lead the verier to always accept Soundness of the ab ove It suces to b ound the probability that for a particular iteration the initial claim is false whereas the ending claim is correct Both claims refer to the current summation expression b eing equal to the currentvalue where current means either at the b eginning of the iteration or at its end Let T b e the actual p olynomial representing the expression when stripping the currentvariable and let pbeany p otential answer by the prover Wemay assume that p p v and that p is of lowdegree as otherwise the verier will reject Using our hyp othesis that the initial claim is false we know that T T v Thus p and T are dierentlowdegree p olynomials and so they may agree on very few p oints In case the verier instantiation do es not happ en to b e one of these few p oints the ending claim is false to o Op en Problem alternative pro of of coNP IP Polynomials play a fundamental role in the above construction and this trend has even deepened in subsequent works on PCP It does not seem possible to abstract that role which seems to be very annoying I consider it important to obtain an alternative proof of coNP IPa proof in which al l the underlying ideas can bepresentedat an abstract level The Power of Interactive Pro ofs IP PSPACE Interactive Pro ofs for PSPACE Recall that PSPACE languages can b e expressed by Quan tied Bo olean Formulae The numb er of quantiers is p olynomial in the input but there are b oth existential and universal quantiers and furthermore these quantiers may alternate Con sidering the arithmetization of these formulae wefacetwo problems Firstly the value of the formulae is only b ounded by a double exp onential function in the length of the input and sec ondly when stripping out summations the expression may b e a p olynomial of high degree due to the universal
Load more

Recommended publications
  • CS601 DTIME and DSPACE Lecture 5 Time and Space Functions: T, S
    CS601 DTIME and DSPACE Lecture 5 Time and Space functions: t, s : N → N+ Definition 5.1 A set A ⊆ U is in DTIME[t(n)] iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. A = L(M) ≡ w ∈ U M(w)=1 , and 2. ∀w ∈ U, M(w) halts within c · t(|w|) steps. Definition 5.2 A set A ⊆ U is in DSPACE[s(n)] iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. A = L(M), and 2. ∀w ∈ U, M(w) uses at most c · s(|w|) work-tape cells. (Input tape is “read-only” and not counted as space used.) Example: PALINDROMES ∈ DTIME[n], DSPACE[n]. In fact, PALINDROMES ∈ DSPACE[log n]. [Exercise] 1 CS601 F(DTIME) and F(DSPACE) Lecture 5 Definition 5.3 f : U → U is in F (DTIME[t(n)]) iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. f = M(·); 2. ∀w ∈ U, M(w) halts within c · t(|w|) steps; 3. |f(w)|≤|w|O(1), i.e., f is polynomially bounded. Definition 5.4 f : U → U is in F (DSPACE[s(n)]) iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. f = M(·); 2. ∀w ∈ U, M(w) uses at most c · s(|w|) work-tape cells; 3. |f(w)|≤|w|O(1), i.e., f is polynomially bounded. (Input tape is “read-only”; Output tape is “write-only”.
    [Show full text]
  • Interactive Proof Systems and Alternating Time-Space Complexity
    Theoretical Computer Science 113 (1993) 55-73 55 Elsevier Interactive proof systems and alternating time-space complexity Lance Fortnow” and Carsten Lund** Department of Computer Science, Unicersity of Chicago. 1100 E. 58th Street, Chicago, IL 40637, USA Abstract Fortnow, L. and C. Lund, Interactive proof systems and alternating time-space complexity, Theoretical Computer Science 113 (1993) 55-73. We show a rough equivalence between alternating time-space complexity and a public-coin interactive proof system with the verifier having a polynomial-related time-space complexity. Special cases include the following: . All of NC has interactive proofs, with a log-space polynomial-time public-coin verifier vastly improving the best previous lower bound of LOGCFL for this model (Fortnow and Sipser, 1988). All languages in P have interactive proofs with a polynomial-time public-coin verifier using o(log’ n) space. l All exponential-time languages have interactive proof systems with public-coin polynomial-space exponential-time verifiers. To achieve better bounds, we show how to reduce a k-tape alternating Turing machine to a l-tape alternating Turing machine with only a constant factor increase in time and space. 1. Introduction In 1981, Chandra et al. [4] introduced alternating Turing machines, an extension of nondeterministic computation where the Turing machine can make both existential and universal moves. In 1985, Goldwasser et al. [lo] and Babai [l] introduced interactive proof systems, an extension of nondeterministic computation consisting of two players, an infinitely powerful prover and a probabilistic polynomial-time verifier. The prover will try to convince the verifier of the validity of some statement.
    [Show full text]
  • Complexity Theory Lecture 9 Co-NP Co-NP-Complete
    Complexity Theory 1 Complexity Theory 2 co-NP Complexity Theory Lecture 9 As co-NP is the collection of complements of languages in NP, and P is closed under complementation, co-NP can also be characterised as the collection of languages of the form: ′ L = x y y <p( x ) R (x, y) { |∀ | | | | → } Anuj Dawar University of Cambridge Computer Laboratory NP – the collection of languages with succinct certificates of Easter Term 2010 membership. co-NP – the collection of languages with succinct certificates of http://www.cl.cam.ac.uk/teaching/0910/Complexity/ disqualification. Anuj Dawar May 14, 2010 Anuj Dawar May 14, 2010 Complexity Theory 3 Complexity Theory 4 NP co-NP co-NP-complete P VAL – the collection of Boolean expressions that are valid is co-NP-complete. Any language L that is the complement of an NP-complete language is co-NP-complete. Any of the situations is consistent with our present state of ¯ knowledge: Any reduction of a language L1 to L2 is also a reduction of L1–the complement of L1–to L¯2–the complement of L2. P = NP = co-NP • There is an easy reduction from the complement of SAT to VAL, P = NP co-NP = NP = co-NP • ∩ namely the map that takes an expression to its negation. P = NP co-NP = NP = co-NP • ∩ VAL P P = NP = co-NP ∈ ⇒ P = NP co-NP = NP = co-NP • ∩ VAL NP NP = co-NP ∈ ⇒ Anuj Dawar May 14, 2010 Anuj Dawar May 14, 2010 Complexity Theory 5 Complexity Theory 6 Prime Numbers Primality Consider the decision problem PRIME: Another way of putting this is that Composite is in NP.
    [Show full text]
  • If Np Languages Are Hard on the Worst-Case, Then It Is Easy to Find Their Hard Instances
    IF NP LANGUAGES ARE HARD ON THE WORST-CASE, THEN IT IS EASY TO FIND THEIR HARD INSTANCES Dan Gutfreund, Ronen Shaltiel, and Amnon Ta-Shma Abstract. We prove that if NP 6⊆ BPP, i.e., if SAT is worst-case hard, then for every probabilistic polynomial-time algorithm trying to decide SAT, there exists some polynomially samplable distribution that is hard for it. That is, the algorithm often errs on inputs from this distribution. This is the ¯rst worst-case to average-case reduction for NP of any kind. We stress however, that this does not mean that there exists one ¯xed samplable distribution that is hard for all probabilistic polynomial-time algorithms, which is a pre-requisite assumption needed for one-way func- tions and cryptography (even if not a su±cient assumption). Neverthe- less, we do show that there is a ¯xed distribution on instances of NP- complete languages, that is samplable in quasi-polynomial time and is hard for all probabilistic polynomial-time algorithms (unless NP is easy in the worst case). Our results are based on the following lemma that may be of independent interest: Given the description of an e±cient (probabilistic) algorithm that fails to solve SAT in the worst case, we can e±ciently generate at most three Boolean formulae (of increasing lengths) such that the algorithm errs on at least one of them. Keywords. Average-case complexity, Worst-case to average-case re- ductions, Foundations of cryptography, Pseudo classes Subject classi¯cation. 68Q10 (Modes of computation (nondetermin- istic, parallel, interactive, probabilistic, etc.) 68Q15 Complexity classes (hierarchies, relations among complexity classes, etc.) 68Q17 Compu- tational di±culty of problems (lower bounds, completeness, di±culty of approximation, etc.) 94A60 Cryptography 2 Gutfreund, Shaltiel & Ta-Shma 1.
    [Show full text]
  • On the Randomness Complexity of Interactive Proofs and Statistical Zero-Knowledge Proofs*
    On the Randomness Complexity of Interactive Proofs and Statistical Zero-Knowledge Proofs* Benny Applebaum† Eyal Golombek* Abstract We study the randomness complexity of interactive proofs and zero-knowledge proofs. In particular, we ask whether it is possible to reduce the randomness complexity, R, of the verifier to be comparable with the number of bits, CV , that the verifier sends during the interaction. We show that such randomness sparsification is possible in several settings. Specifically, unconditional sparsification can be obtained in the non-uniform setting (where the verifier is modelled as a circuit), and in the uniform setting where the parties have access to a (reusable) common-random-string (CRS). We further show that constant-round uniform protocols can be sparsified without a CRS under a plausible worst-case complexity-theoretic assumption that was used previously in the context of derandomization. All the above sparsification results preserve statistical-zero knowledge provided that this property holds against a cheating verifier. We further show that randomness sparsification can be applied to honest-verifier statistical zero-knowledge (HVSZK) proofs at the expense of increasing the communica- tion from the prover by R−F bits, or, in the case of honest-verifier perfect zero-knowledge (HVPZK) by slowing down the simulation by a factor of 2R−F . Here F is a new measure of accessible bit complexity of an HVZK proof system that ranges from 0 to R, where a maximal grade of R is achieved when zero- knowledge holds against a “semi-malicious” verifier that maliciously selects its random tape and then plays honestly.
    [Show full text]
  • The Complexity of Space Bounded Interactive Proof Systems
    The Complexity of Space Bounded Interactive Proof Systems ANNE CONDON Computer Science Department, University of Wisconsin-Madison 1 INTRODUCTION Some of the most exciting developments in complexity theory in recent years concern the complexity of interactive proof systems, defined by Goldwasser, Micali and Rackoff (1985) and independently by Babai (1985). In this paper, we survey results on the complexity of space bounded interactive proof systems and their applications. An early motivation for the study of interactive proof systems was to extend the notion of NP as the class of problems with efficient \proofs of membership". Informally, a prover can convince a verifier in polynomial time that a string is in an NP language, by presenting a witness of that fact to the verifier. Suppose that the power of the verifier is extended so that it can flip coins and can interact with the prover during the course of a proof. In this way, a verifier can gather statistical evidence that an input is in a language. As we will see, the interactive proof system model precisely captures this in- teraction between a prover P and a verifier V . In the model, the computation of V is probabilistic, but is typically restricted in time or space. A language is accepted by the interactive proof system if, for all inputs in the language, V accepts with high probability, based on the communication with the \honest" prover P . However, on inputs not in the language, V rejects with high prob- ability, even when communicating with a \dishonest" prover. In the general model, V can keep its coin flips secret from the prover.
    [Show full text]
  • EXPSPACE-Hardness of Behavioural Equivalences of Succinct One
    EXPSPACE-hardness of behavioural equivalences of succinct one-counter nets Petr Janˇcar1 Petr Osiˇcka1 Zdenˇek Sawa2 1Dept of Comp. Sci., Faculty of Science, Palack´yUniv. Olomouc, Czech Rep. [email protected], [email protected] 2Dept of Comp. Sci., FEI, Techn. Univ. Ostrava, Czech Rep. [email protected] Abstract We note that the remarkable EXPSPACE-hardness result in [G¨oller, Haase, Ouaknine, Worrell, ICALP 2010] ([GHOW10] for short) allows us to answer an open complexity ques- tion for simulation preorder of succinct one counter nets (i.e., one counter automata with no zero tests where counter increments and decrements are integers written in binary). This problem, as well as bisimulation equivalence, turn out to be EXPSPACE-complete. The technique of [GHOW10] was referred to by Hunter [RP 2015] for deriving EXPSPACE-hardness of reachability games on succinct one-counter nets. We first give a direct self-contained EXPSPACE-hardness proof for such reachability games (by adjust- ing a known PSPACE-hardness proof for emptiness of alternating finite automata with one-letter alphabet); then we reduce reachability games to (bi)simulation games by using a standard “defender-choice” technique. 1 Introduction arXiv:1801.01073v1 [cs.LO] 3 Jan 2018 We concentrate on our contribution, without giving a broader overview of the area here. A remarkable result by G¨oller, Haase, Ouaknine, Worrell [2] shows that model checking a fixed CTL formula on succinct one-counter automata (where counter increments and decre- ments are integers written in binary) is EXPSPACE-hard. Their proof is interesting and nontrivial, and uses two involved results from complexity theory.
    [Show full text]
  • Dspace 6.X Documentation
    DSpace 6.x Documentation DSpace 6.x Documentation Author: The DSpace Developer Team Date: 27 June 2018 URL: https://wiki.duraspace.org/display/DSDOC6x Page 1 of 924 DSpace 6.x Documentation Table of Contents 1 Introduction ___________________________________________________________________________ 7 1.1 Release Notes ____________________________________________________________________ 8 1.1.1 6.3 Release Notes ___________________________________________________________ 8 1.1.2 6.2 Release Notes __________________________________________________________ 11 1.1.3 6.1 Release Notes _________________________________________________________ 12 1.1.4 6.0 Release Notes __________________________________________________________ 14 1.2 Functional Overview _______________________________________________________________ 22 1.2.1 Online access to your digital assets ____________________________________________ 23 1.2.2 Metadata Management ______________________________________________________ 25 1.2.3 Licensing _________________________________________________________________ 27 1.2.4 Persistent URLs and Identifiers _______________________________________________ 28 1.2.5 Getting content into DSpace __________________________________________________ 30 1.2.6 Getting content out of DSpace ________________________________________________ 33 1.2.7 User Management __________________________________________________________ 35 1.2.8 Access Control ____________________________________________________________ 36 1.2.9 Usage Metrics _____________________________________________________________
    [Show full text]
  • Lecture 9 1 Interactive Proof Systems/Protocols
    CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 9 Lecture date: March 7-9, 2005 Scribe: S. Bhattacharyya, R. Deak, P. Mirzadeh 1 Interactive Proof Systems/Protocols 1.1 Introduction The traditional mathematical notion of a proof is a simple passive protocol in which a prover P outputs a complete proof to a verifier V who decides on its validity. The interaction in this traditional sense is minimal and one-way, prover → verifier. The observation has been made that allowing the verifier to interact with the prover can have advantages, for example proving the assertion faster or proving more expressive languages. This extension allows for the idea of interactive proof systems (protocols). The general framework of the interactive proof system (protocol) involves a prover P with an exponential amount of time (computationally unbounded) and a verifier V with a polyno- mial amount of time. Both P and V exchange multiple messages (challenges and responses), usually dependent upon outcomes of fair coin tosses which they may or may not share. It is easy to see that since V is a poly-time machine (PPT), only a polynomial number of messages may be exchanged between the two. P ’s objective is to convince (prove to) the verifier the truth of an assertion, e.g., claimed knowledge of a proof that x ∈ L. V either accepts or rejects the interaction with the P . 1.2 Definition of Interactive Proof Systems An interactive proof system for a language L is a protocol PV for communication between a computationally unbounded (exponential time) machine P and a probabilistic poly-time (PPT) machine V such that the protocol satisfies the properties of completeness and sound- ness.
    [Show full text]
  • Interactive Proofs 1 1 Pspace ⊆ IP
    CS294: Probabilistically Checkable and Interactive Proofs January 24, 2017 Interactive Proofs 1 Instructor: Alessandro Chiesa & Igor Shinkar Scribe: Mariel Supina 1 Pspace ⊆ IP The first proof that Pspace ⊆ IP is due to Shamir, and a simplified proof was given by Shen. These notes discuss the simplified version in [She92], though most of the ideas are the same as those in [Sha92]. Notes by Katz also served as a reference [Kat11]. Theorem 1 ([Sha92]) Pspace ⊆ IP. To show the inclusion of Pspace in IP, we need to begin with a Pspace-complete language. 1.1 True Quantified Boolean Formulas (tqbf) Definition 2 A quantified boolean formula (QBF) is an expression of the form 8x19x28x3 ::: 9xnφ(x1; : : : ; xn); (1) where φ is a boolean formula on n variables. Note that since each variable in a QBF is quantified, a QBF is either true or false. Definition 3 tqbf is the language of all boolean formulas φ such that if φ is a formula on n variables, then the corresponding QBF (1) is true. Fact 4 tqbf is Pspace-complete (see section 2 for a proof). Hence to show that Pspace ⊆ IP, it suffices to show that tqbf 2 IP. Claim 5 tqbf 2 IP. In order prove claim 5, we will need to present a complete and sound interactive protocol that decides whether a given QBF is true. In the sum-check protocol we used an arithmetization of a 3-CNF boolean formula. Likewise, here we will need a way to arithmetize a QBF. 1.2 Arithmetization of a QBF We begin with a boolean formula φ, and we let n be the number of variables and m the number of clauses of φ.
    [Show full text]
  • Interactive Proofs for Quantum Computations
    Innovations in Computer Science 2010 Interactive Proofs For Quantum Computations Dorit Aharonov Michael Ben-Or Elad Eban School of Computer Science, The Hebrew University of Jerusalem, Israel [email protected] [email protected] [email protected] Abstract: The widely held belief that BQP strictly contains BPP raises fundamental questions: Upcoming generations of quantum computers might already be too large to be simulated classically. Is it possible to experimentally test that these systems perform as they should, if we cannot efficiently compute predictions for their behavior? Vazirani has asked [21]: If computing predictions for Quantum Mechanics requires exponential resources, is Quantum Mechanics a falsifiable theory? In cryptographic settings, an untrusted future company wants to sell a quantum computer or perform a delegated quantum computation. Can the customer be convinced of correctness without the ability to compare results to predictions? To provide answers to these questions, we define Quantum Prover Interactive Proofs (QPIP). Whereas in standard Interactive Proofs [13] the prover is computationally unbounded, here our prover is in BQP, representing a quantum computer. The verifier models our current computational capabilities: it is a BPP machine, with access to few qubits. Our main theorem can be roughly stated as: ”Any language in BQP has a QPIP, and moreover, a fault tolerant one” (providing a partial answer to a challenge posted in [1]). We provide two proofs. The simpler one uses a new (possibly of independent interest) quantum authentication scheme (QAS) based on random Clifford elements. This QPIP however, is not fault tolerant. Our second protocol uses polynomial codes QAS due to Ben-Or, Cr´epeau, Gottesman, Hassidim, and Smith [8], combined with quantum fault tolerance and secure multiparty quantum computation techniques.
    [Show full text]
  • Distribution of Units of Real Quadratic Number Fields
    Y.-M. J. Chen, Y. Kitaoka and J. Yu Nagoya Math. J. Vol. 158 (2000), 167{184 DISTRIBUTION OF UNITS OF REAL QUADRATIC NUMBER FIELDS YEN-MEI J. CHEN, YOSHIYUKI KITAOKA and JING YU1 Dedicated to the seventieth birthday of Professor Tomio Kubota Abstract. Let k be a real quadratic field and k, E the ring of integers and the group of units in k. Denoting by E( ¡ ) the subgroup represented by E of × ¡ ¡ ( k= ¡ ) for a prime ideal , we show that prime ideals for which the order of E( ¡ ) is theoretically maximal have a positive density under the Generalized Riemann Hypothesis. 1. Statement of the result x Let k be a real quadratic number field with discriminant D0 and fun- damental unit (> 1), and let ok and E be the ring of integers in k and the set of units in k, respectively. For a prime ideal p of k we denote by E(p) the subgroup of the unit group (ok=p)× of the residue class group modulo p con- sisting of classes represented by elements of E and set Ip := [(ok=p)× : E(p)], where p is the rational prime lying below p. It is obvious that Ip is inde- pendent of the choice of prime ideals lying above p. Set 1; if p is decomposable or ramified in k, ` := 8p 1; if p remains prime in k and N () = 1, p − k=Q <(p 1)=2; if p remains prime in k and N () = 1, − k=Q − : where Nk=Q stands for the norm from k to the rational number field Q.
    [Show full text]