ComplexityTheoretic Asp ects of Interactive Pro of Systems

by

Lance Jeremy Fortnow

BA Mathematics and Computer Science

Cornell University

Submitted to the Department of Mathematics

in partial fulllment of the requirements for the degree of

Do ctor of Philosophy

at the

MASSACHUSETTS INSTITUTE OF TECHNOLOGY

June

c

Massachusetts Institute of Technology

All rights reserved

Signature of Author ::::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::

Department of Mathematics

May

Certied by ::::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::::::::

Michael Sipser

Asso ciate Professor Mathematics

Thesis Sup ervisor

Accepted by ::::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::::::::

Daniel Kleitman

Chairman Applied Mathematics Committee

Accepted by ::::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::::::::

Sigurdur Helgason

Chairman Departmental Graduate Committee

Abstract

In Goldwasser Micali and Racko formulated interactive pro of systems as a to ol for de

veloping cryptographic proto cols Indeed many exciting cryptographic results followed from

studying interactive pro of systems and the related concept of zeroknowledge Interactive

pro of systems also have an imp ortant part in complexity theory merging the well established

concepts of probabilistic and nondeterministic computation This thesis will study the com

plexity of various mo dels of interactive pro of systems

A p erfect zeroknowledge interactive proto col convinces a verier that a string is in a

language without revealing any additional knowledge in an information theoretic sense This

thesis will show that for any language that has a p erfect zeroknowledge pro of system its

complement has a short interactive proto col This result implies that there are not any p erfect

zeroknowledge proto cols for NPcomplete languages unless the p olynomialtime hierarchy

collapses Thus knowledge complexity can show a language is easy to prove

Interesting mo dels of interactive pro of systems arise by restricting the p ower of the verier

This thesis examines the pro of systems with a verier required to run in logarithmic space as

well as p olynomial time Relationships with circuit complexity and logspace Turing machines

are develop ed

We can increase the p ower of interactive pro of systems by allowing many provers that can

not communicate among themselves during the proto col This thesis shows the equivalence

b etween this multiprover mo del and probabilistic Turing machines with an untrustworthy

oracle We additionally give an oracle under which coNP do es not have multiprover interac

tive proto cols This result implies an oracle where coNP do es not have standard interactive

proto cols

Another natural mo del o ccurs when the verier has only linear time Towards this direc

tion this thesis examines probabilistic machines and linear time We show an oracle under

which linear time probabilistic Turing machines can accept all BPP languages an unusual

collapse of a complexity time hierarchy We exhibit many other related relativized results Fi

nally we show probabilistic linear time do es not contain all languages accepted by interactive

pro of systems

Keywords Computational Complexity Interactive Pro of Systems ZeroKnowledge

Probabilistic Computation Oracles

Acknowledgments

Foremost I would like to thank my advisor Michael Sipser Mike has collab orated on much

of my research and virtually every problem I have ever lo oked I have discussed with Mike

Mike has greatly inuenced my graduate career and I will b e forever grateful for these four

years I have sp ent working with him

I sp ent the rst year of my graduate scho oling at the University of California at Berkeley

I started working with Mike Sipser at Berkeley and some of the research in this thesis o ccurred

during that p erio d

I greatly thank the Oce of Naval Research for their generous fellowship that supp orted

me for my rst three years in graduate scho ol as well as indirectly covering my travel exp enses

through out my graduate career Thanks also to the American So ciety for Engineering Edu

cation for eciently administering the fellowship

Thanks to all of the graduate students I have worked and so cialized with during these

four years In particular Eric Schwab e has b een a great friend ro ommate and pro ofreader

since I arrived at MIT

Thanks to Marcy App ell for her companionship over the last year and a half and the many

new exp eriences she has given to me like skiing and coee

Finally thanks to Juris Hartmanis whose courses at Cornell aroused my interests in

theoretical computer science and complexity theory If Juris had not b een at Cornell I would

probably b e writing a thesis on Hopf algebras and missing out of the excitement of complexity

theory

Contents

Intro duction

Victor and the Great Pulu

A Short History

Denitions

Deterministic Time and Space Complexity

Nondeterministic Turing Machines

Completeness

Probabilistic Turing Machines

Oracles and The Polynomial Time Hierarchy

Circuits and Nonuniform Computation

Interactive Pro of Systems

Relativization

Basic Results

An Example Graph Nonisomorphism

Perfect ZeroKnowledge

A Cryptographic Side of Interactive Pro of Systems

Notation and Denitions

Related Results

Showing Sets are Large and Small

Lower Bound Proto col

Upp er Bound Proto col

Comparison Proto col

Main Theorem

Structure of Pro of

An Example Graph Isomorphism

The Proto col

Pro of of the Proto cols Correctness

Extensions and Corollaries

Further Research

LogarithmicSpace Veriers

Reducing the Power of the Verier

Log Space Veriers and BPNL

A Circuit Mo del for BPNL

BPNL Contains LOGCFL

Further Directions of Research

Multiple Provers

Corrob orating Susp ects

Denitions

Probabilistic Oracle Machines

Are there MultiProver Proto cols for coNP Languages

Bounded Round Proto cols

Further Research

Probabilistic Computation and Linear Time

LinearTime Veriers

Our Results and Related Results

Deterministic Nondeterministic and Probabilistic Linear Time

Pro of of the Main Theorem

Structure of the Oracle

A Simple Case

Inuencing and Simulating Strings

Order of Enco ding

Creating the Dep endency Graph

Pro cessing the Dep endency Graph

Generalizing the Pro of for All BPP Machines

Other Results

Conclusions and Further Research

Chapter

Intro duction

Victor and the Great Pulu

Victor a venture capitalist had everything a man could desire money women and p ower

But he felt something missing He decided he lacked knowledge So Victor packed up his

bags and headed to the Himalayas in search of ultimate truths

The natives p ointed Victor to a tall mountain and mentioned rumors of a great man full of

wisdom Victor who smartly brought some climbing equipment tackled the mountain until

he reached a small cave near the summit Victor found the great Pulu grand guru of all that

is known Victor inquired to some ultimate truths and Pulu resp onded

I wil l teach you but you must not trust my words

Victor agreed and found he learned much even though he had to verify all the sayings

of the great Pulu Victor though lacked complete happiness and he asked if he could learn

knowledge b eyond what he could learn in this manner The grand guru replied

You may ask and I wil l answer

Victor p ondered this idea for a minute and said

Since you know all that is known why can you not predict my questions

A silence reigned over the mountain for a short while until the Guru nally sp oke

You must use other implementssymbols of your past life

Victor thought for a while and reached into his backpack and brought out some spare

change he had unwittingly carried with him Even the great Pulu can not predict the ip of

a coin He started ipping the coins to ask the guru and wondered what can I learn now

In this thesis we will study the very question of what Victor can learn On his own Victor

can only decide simple problems With the help of Pulu even when he can not trust the

answers Victor found he could learn much more than b efore With a coin Victor could learn

even more still

We will formalize these interactions by lo oking at Victor as a computer with a restricted

amount of p ower The things Victor can learn on his own form a class of problems P

containing all the problems a simple computer can solve with this restricted amount of time

When Victor rst meets and listens to Pulu Victor can now learn problems from the class

NP problems whose answers a simple computer can verify in short amount of time

Finally when Victor pulls out his coins we have an interactive pro of system with Pulu

interacting with Victor Victor asking random questions to Pulu and Pulu resp onding in a

way to prove certain knowledge to Victor

Computer scientists do not know if Victor will indeed learn new things by ipping coins

with Pulu than on his own though they generally b elieve he will We will lo ok at the typ es

of problems Victor can solve with the help of Pulu concentrating on some variations what

if Pulu wished to reveal no information to Victor b eyond the questions Victor asks what if

Victor can communicate with many gurus who can not talk among themselves and what if

we restrict the p ower of Victor in dierent ways

A Short History

We now go back to the b eginning of complexity theory and give a brief history of results

leading to the development of the interactive pro of system

Computational complexity theory got its start in with a pap er by Hartmanis and

Stearns HaS showing simply that if computers have more time they can accept more lan

guages Ab out the same time Edmonds E intro duced the notion that an algorithm runs

eciently if it runs in time p olynomial in the size of the input Co ok C dened the class P

as the set of all languages with p olynomial time algorithms To this day we use p olynomial

time as the standard for determining whether a problem has an ecient solution

Nondeterministic time has its ro ots in simpler mo dels of computation such as nite and

pushdown automata The signicance of nondeterminism in computational complexity the

ory grew in when Co ok C showed a natural problem satisability is as hard as any

other problem in NP nondeterministic p olynomial time So on later Karp Ka discovered a

large numb er of well known combinatorial problems also had this prop erty The question of

whether p olynomial time contains all the languages solvable in nondeterministic p olynomial

time P NP has b ecome the most famous of op en questions in theoretical computer science

Probabilistic computation came of age in when Solovay and Strassen SS found

a probabilistic p olynomialtime algorithm to test the primality of a numb er a problem still

without a provable deterministic p olynomialtime solution Gill G dened many of the prob

abilistic complexity classes including BPP the problems solvable in probabilistic p olynomial

time Probabilistic computation has since played an imp ortant role for algorithm designers

esp ecially for parallel computer mo dels

Interactive pro of systems however owe themselves as much to mo dern cryptography as to

complexity theory Die and Hellman DH founded mo dern cryptography by describing how

one might use the hard problems in complexity theory to develop cryptographic proto cols

Rivest Shamir and Adleman RSA exhibited a scheme to implement the proto cols suggested

by Die and Hellman Since then cryptographers have designed many ad ho c proto cols for

a variety of purp oses

Input Tap e

x x x x x x x x

Finite

Control

Work Tap e

Figure ATuring Machine The x represent the characters of the input string and the

represent characters on the work tap e

In Goldwasser Micali and Racko GMR develop ed the interactive pro of system

as a mo del for zeroknowledge proto cols proto cols that proved the truth of an assumption

without revealing any additional information Also in Babai B intro duced Arthur

Merlin games a variation of the interactive pro of system with public randomness Goldwasser

and Sipser GS showed the equivalence of these two mo dels

Zeroknowledge pro of systems gained their p opularity when Goldreich Micali and Wigder

son GMW showed under certain complexity assumptions that all of NP has zeroknowledge

proto cols Many complicated proto cols now had trivial reductions to zeroknowledge pro of

systems

Interactive pro of systems have gained a status as an imp ortant complexity class combining

b oth nondeterministic and probabilistic computation This thesis will concentrate on the

complexity asp ects of interactive pro of systems as opp osed to the cryptographic applications

Denitions

The basic mo del of a computer the Turing Machine consists of a nite state control connected

to an input tap e and work tap e see gure Both the input tap e and the work tap e consists

of cells which can each hold a single letter from a certain nite alphab et The work tap e

has an innite numb er of cells usable by the Turing machine

In this thesis we will always assume f g and all logarithms are base two

The nite state control consists of a set of states including a sp ecied initial state and

accepting state a transition function and head p ointers to the input tap e and the work

tap e The head p ointers p oint to a sp ecic cell on each tap e and can b e moved right or left

The transition function take the values of the cells p ointed to by the head p ointers and

the current state and describ es whether to move the head p ointers right or left and the new

state The transition function also may sp ecify a change in the contents of the work tap e cell

p ointed to by the work tap e head p ointer

The input of a Turing machine consists of strings nite concatenations of letters of the

n

alphab et The length of a string is the numb er of letters it contains there are strings

of length n We use jxj to represent the length of string x We let designate the set of all

p ossible strings including the zerolength string A language is a set of strings A class is a

set of languages

Before the Turing machine starts computing an input string x is placed on the input tap e

one letter in each cell The Turing machine initially has p ointers to the rst cell in the input

tap e and the rst cell on the work tap e The Turing machine computes via the transition

function in each step moving the head p ointers p ossibly changing the value of the cell in

the work tap e We say the Turing machine accepts if it ever enters the accepting state The

Turing machine accepts a language L if it accepts as input strings exactly those strings in L

We let LM designate the language accepted by a Turing machine M

Sometimes we would like a Turing machine to compute a function We add to the Turing

machine mo del a write only output tap e initially blank When the Turing machine wishes

to output a character the output tap e head writes the character and moves one space right

The Turing machine can not p erform any other functions on the output tap e or head A

Turing machine outputs a string y on input x if that machine outputs exactly the characters

of y in order b efore it halts

For a more thorough intro duction to Turing machines see HU

Deterministic Time and Space Complexity

ATuring machine M accepts an input x in time t if M enters an accepting state with at most

t applications of the transition function The machine M accepts a language L in tn steps

if for all x L M accepts x in tjxj steps We will usually use n for jxj the length of the

input x

Supp ose we have two functions f n and g n from p ositive integers to p ositive integers

The function f n is O g n if there is some constant c such that f n cg n for all n The

function f n is og n if for all constants c f n cg n for all but a nite n

We dene the complexity class DTIMEf n as the set of languages accepted by some

Turing machine in O f n time The complexity class P contains all the languages accepted

in p olynomial time ie

k

P DTIMEn

k

ATuring machine M accepts an input x in space s if M enters an accepting state using

only the rst s cells of the work tap e In an analogous manner to time we dene the

complexity class DSPACEf n The complexity class PSPACE contains all the languages

accepted in p olynomial space The class L contains the languages accepted in logarithmic

space DSPACElog n

Nondeterministic Turing Machines

Nondeterministic computation allows the Turing machine to make guesses If a series of

guesses lead to an accepting state then the Turing machine accepts Formally we let the

transition function have a set of p ossible moves for a given state We say the nondetermin

istic Turing machine M accepts an input string x if there is a choice of transitions that cause

M to enter an accepting state

We dene NTIMEf n and NSPACEg n exactly as DTIMEf n and DSPACEg n

except that the Turing machines involved may b e nondeterministic The classes NL NP and

NPSPACE are the nondeterministic analogues of L P and PSPACE

For a complexity class C we let coC contain all languages whose complements b elong to

C For example coNP contains all languages whose complements are contained in nondeter

ministic p olynomial time For any two complexity classes C and D if C D then coC

coD

Here are some basic facts relating these complexity classes see HU

f n

DTIMEf n NTIMEf n DTIMEc for some c

DSPACEf n NSPACEf n DSPACEf n

f n

DTIMEf n DSPACEf n DTIMEc for some c

DTIMEf n coDTIMEf n

DSPACEf n coDSPACEf n

NSPACEf n coNSPACEf n see I

Thus L NL P NP PSPACE NPSPACE and NL coNL None of the

inclusions are known to b e prop er except NL PSPACE

Completeness

The P NP question remains the most fundamental op en problem in complexity theory To

understand the complexity of NP we often lo ok at the hardest problems in NP called the

NPcomplete problems

Let f b e a function from strings to strings computable in p olynomial time

The function f reduces a language L to a language L if x L if and only if f x L

If L has a p olynomialtime solution then L also has a p olynomialtime solution for input x

by checking if f x is in L

A language L is NPcomplete if L NP and for all languages L NP there is a

p olynomialtime reduction f from L to L Thus if an NPcomplete problem has a p olynomial

time solution then P NP Likewise if P NP then L has a p olynomialtime solution since

L NP The P NP question is equivalent to showing whether any particular NPcomplete

problem has a p olynomialtime solution

In Co ok C shows the rst natural problem satisability is NPcomplete Sat

isability consists of all b o olean formulas such that there exists a setting of the variable to

make the setting true Karp Ka shows the NPcompleteness of many famous combinatorial

Input Tap e

Work Tap e

Finite

Control

Z



Z

Z

Z

c



Figure A Probabilistic Turing Machine

problems including traveling salesman and vertex cover Many more results showing various

problems NPcomplete have since app eared

For a more in depth discussion of NPcompleteness and a list of many of the ma jor NP

complete problems see GJ

We can dene other forms of completeness For example we say a language L is logspace

complete for P if P contains L and every language in P has a logspace reduction to L

Probabilistic Turing Machines

Supp ose we gave a deterministic Turing machine access to a coin see gure Such a

machine could ip the coin and examine dierent p ossibilities based on whether the coin

came up heads or tails This machine would accept or reject dep ending on the outcome of

the coin ips

Formally we dene a probabilistic Turing machine M by adding a sp ecial coinip state

When M enters this state it next go es to either a heads state or a tails state each with

probability one half Each coinip o ccurs indep endently of any other coin ip We can then

analyze the probability of M accepting on a certain input

A probabilistic Turing machine M accepts a language L if for all inputs x in L

If x L then PrM accepts x

If x L then PrM accepts x

There is nothing magical ab out and We can use any two constants strictly

b etween and and strictly b etween and resp ectively without aecting the resulting

complexity classes

A prop er probabilistic machine M has onesided error if for x L the probability that

M accepts x is zero ie M do es not accept x on any computation path

Note that some machines M might not accept any language for some input x the prob

ability that M accepts x lies b etween and We call these improper machines

The language L BPTIMEf n if there is a prop er probabilistic machine for L that

k

runs in O f n steps BPP BPTIMEn We use RTIME and R resp ectively for

k

Input Tap e

Work Tap e

Finite

Control

Z

Z

Z

Z

Oracle Tap e

Figure A Relativized Turing Machine

onesided error probabilistic machines RTIMEf n NTIMEf n b ecause one can just

guess the coin tosses We use ZPTIME and ZPP for zero sided error ie a language L has

ZPTIMEf n machine M if the probabilistic machine M always outputs the correct answer

and runs in O f n exp ected steps ZPTIMEf n RTIMEf ncoRTIMEf n

The class BPNP combines b oth nondeterministic and probabilistic computation The

nondeterministic branches cho ose the path with the b est probability of accepting and the

probabilistic branches cho ose each branch with equal probability BPNP contains all the

languages accepted by these machines using the same probabilities as probabilistic machines

Oracles and The Polynomial Time Hierarchy

Sometimes we would like a Turing machine to have additional information to have a trust

worthy advisor to whom it can ask certain kinds of questions We will often dene an oracle

that a Turing machine may use

An oracle A is a subset of A relativized Turing machine is a machine with a sp ecial

oracle tap e on which it writes a string x see gure The Turing machine then

enters an oracle query state that immediately go es to a sp ecial yes state if x A and to a

no state otherwise In shorthand we say the machine makes an oracle query of x We only

charge the Turing machine the time it requires to write down the oracle query We relativize

nondeterministic and probabilistic Turing machines in similar ways

Equivalently we can think of an oracle as its characteristic function A f g where

Ax i x A

A

We will use sup erscripts to represent access to an oracle For example M represents a

relativized Turing machine M with access to an oracle A We can also relativize complexity

A

classes ie the class NP consists of all languages recognizable by some p olynomialtime

nondeterministic Turing machine with access to oracle A Also we can relativize complexity

classes to other complexity classes

NP A

P P

ANP

We relativize complexity classes dened with more than one machine such as NPcoNP by

allowing every machine access to the same oracle

If we relativize NP with NP oracles and then relativize this class with NP oracles and

so on we get the p olynomialtime hierarchy Formally we recursively dene the hierarchy as

follows

P

i

NP

i

co

i i

i

P

i

The p olynomialtime hierarchy PH consists of the union of for all i

i

Some basic facts ab out the hierarchy see St

NP coNP P

P PH PSPACE

i i i

i i i

None of the inclusions are known to b e prop er We say the p olynomialtime hierarchy collapses

if PH for some i Complexity theorists generally b elieve the hierarchy do es not collapse

i

P

for to distinguish the p olynomialtime hierarchy Often computer scientists write

i

i

from the recursion theoretic arithmetic hierarchy Throughout this thesis will refer to the

i

ith level of the p olynomialtime hierarchy

AlmostP contains all the languages accepted by a p olynomialtime machine with most

oracles Formally the class almostP contains the language L if the set of all R such that

R

L P is measure one in the set of all p ossible R Often we say L is in P under a

random oracle We can easily show AlmostP BPP AlmostBPP Likewise we can dene

AlmostNP or for any other complexity class

Circuits and Nonuniform Computation

Instead of computing via a machine we can also compute via circuits A circuit consists of

and or and not gates as no des of a directed graph with the input as the leaves see gure

The inputs take on binary values that propagates through the circuit in the obvious manner

The circuit accepts if the value of the ro ot no de is one The size of the circuit equals the

numb er of gates it contains The depth of the circuit is the length of the longest path The

fanin of a gate g is the numb er of gates p ointing to g

By using De Morgans laws the negation of x and x is equivalent to the or of the

i j

negation of x and the negation of x we can assume the not gates app ear only directly

i j

ab ove inputs without increasing the size or depth of the circuit by more than a constant

factor

A family of circuits C fC C g consists of a set of circuits where C has n inputs

n

Supp ose x x x x has length n Then x is accepted by C if C on x x x accepts

n n n

A family of circuits C accepts a language L if for all x of length n C accepts exactly those

n

x in L

A family of circuits C has size f n if C has size at most f n for all n Similarly we can

n

dene depth functions

#

or

"!

HY

H

H

H

H

H

H

H

# #

H

H

H

H

not

and

"! "!

I

# # #

x x x

"! "! "!

Figure A Circuit

There need not b e any relationship b etween the circuits b elonging to the same family

b esides any size and depth restrictions Often we refer to such circuit families as nonuniform

circuits

We relativize a circuit by having a sp ecial oracle gate that takes as input a query to the

oracle and returns true if that string is in the oracle

Sometimes we let Turing machines have access to advice a small amount of additional

information dep ending only on the input size Formally p olynomial advice consists of a

list of strings a a such that ja j is b ounded by a p olynomial in n A language L

n

is accepted by a p olynomialtime Turing machine with p olynomial advice if there exists a

p olynomialtime Turing machine M and p olynomial advice such that i x L then M

accepts x a The class Pp oly or nonuniform p olynomial time consists of all languages

jxj

accepted in p olynomial time with p olynomial advice This class consists of exactly those

languages accepted by p olynomial size circuits Likewise we can dene NPp oly nonuniform

nondeterministic p olynomial time BPPlog and so on

Bennet and Gill BG have shown all languages in BPP have p olynomial size circuits

Sometimes we require uniformity conditions on our circuits A circuit family C is logspace

i

uniform if there exists a logspace Turing machine that outputs C on input The set of

i

languages accepted by p olynomial size logspace uniform circuits consists of exactly those

languages in P

Interactive Pro of Systems

An interactive proof system consists of two players an innitely p owerful prover and a prob

abilistic p olynomialtime verier The prover will try to convince the verier of the validity

of some statement However the verier do es not trust the prover and will only accept if the

prover manages to convince the verier of the validity of the statement

Formally an interactive pro of system consists of two controls P the prover and V the

Input Tap e

J

J

J

J

Work Tap e Work Tap e

Z

J

Z

Z

P V

Z

Z

 

Z

Z

Z

c c

 

R

Communication Tap e

Figure An Interactive Pro of System

verier see gure Both the prover and the verier have access to a common read

only input tap e and a readwrite communication tap e Individuall y the prover and verier

have access each to a private coin and a private work tap e The verier works just as a

probabilistic Turing machine Usually we will restrict the verier to a p olynomial numb er of

steps in the length of the input However the prover may compute arbitrary functions of the

coin and the contents of the input work and communication tap es We put no restrictions

on the complexity of this function Informally we say P has probabilistic innite p ower The

pro of system accepts if the verier enters an accepting state As in the case of probabilistic

Turing machines we are interested in the probability of the verier accepting

Communication pro ceeds by the verier sending a message to the prover on the commu

nication tap e The size of the messages is limited only in the p olynomial time the verier has

to compute The prover then sends a message to the verier likewise limited in p olynomial

size since the verier has only p olynomial time to read it The prover and verier may rep eat

this pro cess a p olynomial numb er of times until the verier decides whether or not to accept

An interactive pro of system consists of a prover verier pair P V P and V form an

interactive proto col for a language L if

If x L then PrP V x accepts

If x L then for all P PrP V x accepts

A round of an interactive proto col is a message from the verier to the prover followed by

a message from the prover to the verier We let IPf n represent the languages accepted

by interactive pro of systems b ounded by f n rounds AM is the class of languages accepted

by interactive proto cols with a xed constant b ound on the numb er of rounds Babai B BM

shows that one round suces for AM ie AM IP IPc for any constant c If we have

one round with Merlin the prover sending his message b efore the verier ips any coins we

have the class MA Babai also shows MA AM

A publiccoin interactive pro of system allows the prover access to the veriers coin Equiv

alently we require the veriers messages to consist of exactly the veriers coin tosses since

the previous round Goldwasser and Sipser GS show the class of languages accepted by the

standard interactive pro of system is the same as the class of languages accepted by a public

coin interactive pro of system This holds for any f n b ound on the numb er of rounds

Messages in a k round conversation will b e describ ed by

k k

where the are messages from the prover to the verier at round i and the are messages

i i

from the verier to the prover

r will b e used for the random coin tosses of the verier

An interactive pro of system runs an interactive protocol describing how to p erform the

computation and communication The notation for describing proto cols follows

P These are computations p erformed by the prover unseen by the verier The prover

has probabilistic innite time to make these computations

P V This is a message from the prover to the verier

V These are computations p erformed by the verier unseen by the prover These

computations must b e p erformed in probabilistic p olynomial time

V P This is a message from the verier to the prover

Once a proto col has completed we may wish to execute the proto col again to decrease

the amount of error Each execution should run completely indep endently Running an

interactive proto col m times in series means rep eating this pro cess for a total of m times

Running the proto col m times in paral lel means the verier sends the rst message for all m

proto cols followed by the provers resp onses for all m proto cols et cetera

Relativization

Since the b eginning of complexity theory computer scientists have used techniques from

recursion theory to solve computational complexity questions Often these techniques have

b een successful most of the early work in complexity theory has b een proven solely using

recursion theoretic techniques However we now know such techniques have limitations We

use oracles to show recursion theoretic techniques can not settle certain complexity questions

A complexity statement such as NP PSPACE is true under an oracle A if the

A

statement is true when all the complexity classes are relativized to the oracle A We say NP

A

PSPACE to mean NP PSPACE is true under the oracle A

When we use recursion theoretic techniques to prove a statement true the pro of will work

even if all the machines involved have access to the same oracle For example we can prove L

PSPACE using diagonalization ie we create a language in PSPACE dened to b e dierent

than each p ossible logspace machine This pro of works even if we allow PSPACE machine

and the logspace machines access to any oracle Thus L PSPACE is true under any oracle

A Al l results mentioned in this thesis are true under al l oracles unless mentioned otherwise

We say a technique relativizes if its application is indep endent of any oracle access

Supp ose we show a complexity statement is true under a certain oracle B If we could

prove the statement false using recursion theoretic metho ds then the statement would b e false

under all oracles This contradiction tells us recursion theoretic techniques will not work to

prove the statement false If we can nd two oracles A and B such that the statement is true

under oracle A and false under oracle B then recursion theoretic techniques will not work

to settle the statement true or false We will need other techniques techniques that do not

relativize to settle this statement Most complexity statements relativized b oth true and

false have remained unsettled by any techniques

In Baker Gill and Solovay BGS had the rst use of oracles to show the famous P

A

NP question likely has a hard solution They have found oracles A and B such that P

A B B

NP and P NP Thus techniques that relativize will not settle the P NP question

They also show the existence of oracles C D E and F such that

C C

NP coNP

D D D

P NP coNP

E E E E E

P NP and P NP coNP

F F F F F

P NP coNP and NP coNP

Baker Gill and Solovay left op en some questions ab out the p olynomialtime hierarchy

that remained unsolved for over a decade In Yao Y showed an oracle A such that the

A A

for all i In Ko p olynomialtime hierarchy did not collapse under A ie

i i

Ko found a series of oracles A A such that for each i the p olynomialtime hierarchy

A A A

A

i i i

i

collapsed to the ith level under oracle A ie PH

i

i i i

Racko R shows some relativized results ab out probabilistic complexity classes Racko

A A A B B B

found oracles A and B such that P R NP and P R NP For example we

could not easily prove P R even if we assume P NP

This section gives just a small sample of the many oracle results proven over the last fteen

years Via oracle results we can learn what we will have diculty proving particularly which

techniques will not work This thesis will have several examples of relativized results to show

which questions of interactive pro of systems may b e hard to resolve

Basic Results

We have come a long way in understand the complexity of interactive pro of systems since

Goldwasser Micali and Racko GMR develop ed them in This section will give a

review of imp ortant complexity results not covered in this thesis

In Goldwasser and Sipser GS showed privatecoin interactive pro of systems and

publiccoin interactive pro of systems accepted exactly the same class of languages In fact

the class of languages accepted f nround privatecoin interactive pro of systems contains

exactly the same languages accepted by f nround publiccoin interactive pro of systems

At the same time as interactive pro of systems Babai B invented his ArthurMerlin games

similar to interactive pro of systems but using public coins for the verier instead of private

coins Goldwasser and Sipser show the equivalence b etween these two mo dels

Babai B BM showed a oneround pro of system can accept all the languages of any

constantround pro of system More generally he shows IPcf n IPf n for any constant

c In other words we can reduce the numb er of rounds of an interactive proto col by any

constant factor We can not easily improve this result b ecause Aiello Goldwasser and Hastad

show for any functions f n and g n with f n og n the existence of an oracle A such

that IPf n IPg n In particular they exhibit an oracle that separates AM from IP

Babai also showed MA AM though Zachos Z also proved the same result using his

generalized quantier swapping techniques Santha Sa exhibits an oracle that separates MA

from AM

Babai and Moran BM show how to decrease the error probability without increasing

the numb er of rounds by running the proto col several times in parallel If x L then we

pn

can make the probability of acceptance at least and for x L we can make the

pn

probability of acceptance at most for any p olynomial pn

Goldreich Mansour and Sipser GMS show any language that has a f nround interactive

proto col has a f n round interactive proto col such that if x L then the verier always

accepts Note that this is opp osite to the notion of onesided error used to dene the class

R Goldreich Mansour and Sipser also show only NP languages have interactive pro ofs such

that the verier always rejects if x L

How do the interactive pro of classes compare to the p olynomialtime hierarchy Sipser and

Gacs Si showed that BPP An elegant pro of of this fact by Lautemann La easily

generalizes to show MA and AM BM Santhas oracle Sa actually shows

a language in AM but not in under that oracle Feldman Fe shows PSPACE contains

IP though the oracle created by Aiello Goldwasser and Hastad AGH puts IP outside of the

p olynomialtime hierarchy

Fortnow and Sipser FS exhibit an oracle such that IP do es not contain coNP A

generalized version of this pro of app ears in section Boppana Hastad and Zachos BHZ

show that if AM contains coNP then the p olynomial hierarchy collapses to

Nisan and Wigderson NW show the equivalence b etween AM and almostNP Goldwasser

and Sipser GS note the equivalence of IP and BPNP and that nonuniform NP contains all

of AM

An Example Graph Nonisomorphism

To help in the understanding of interactive pro of systems we will now examine in detail an

interactive proto col for graph nonisomorphism develop ed by Goldreich Micali and Wigderson

GMW

An undirected graph G V E consists of a set of vertices V fv v g and a set

of edges E of unordered pairs of vertices Let b e a p ermutation of the rst n integers We

dene G as the graph obtained by applying the p ermutation to the graph G ie the

edges of G consist of all edges u v such that u v are edges of G

The two graphs G and G are isomorphic if there exists a p ermutation such that

G G Let GI b e the language consisting of pairs of graphs G G such that G

and G are isomorphic A nondeterministic p olynomialtime machine can determine whether

there exists an isomorphism b etween G and G by guessing a p ermutation and verifying

that G G Let GNI consist of the pairs of nonisomorphic graphs

Since GI NP then GI has a trivial interactive proto col by the prover sending to the

verier the p ermutation GI is not known to b e in P or NPcomplete GNI is not known

to b e in NP however we will exhibit an interactive proto col for graph nonisomorphism

Let G and G b e two graphs each with n vertices We create a prover P and a verier

V to run the following proto col

V Pick a p ermutation at random and pick i f g also at random Compute

G G

i

V P G

P V j

V Accept if j i

Supp ose G and G were not isomorphic Then G could only b e isomorphic to G

and not G and vice versa An innitely p owerful prover could identify which graph was

isomorphic to G and correctly resp ond with a j such that j i

Now supp ose G was isomorphic to G Then G will b e isomorphic to b oth G and G

Despite its innite p ower any prover just will not have enough information to determine the

graph is isomorphic to G

If the language GNI contains G G then the proto col will cause the verier to accept

with probability one If however the graphs are isomorphic the proto col accepts with proba

bility at most one half Unfortunately we require in the denition of interactive pro of systems

that the pro of system accept with probability at most one third for strings G G not in

the language GNI

We solve this problem by running the proto col two times in series and having the verier

accept if b oth times the prover correctly determined the original graph For nonisomorphic

graphs the probability of acceptance remains at one but for isomorphic graphs the prover can

correctly guess the original graph b oth times with probability at most one fourth Thus we

now have a threeround interactive proto col for graph nonisomorphism

Goldwasser and Sipser GS show us how to convert this interactive proto col into a public

coin proto col a surprising result b ecause the proto col ab ove dep ends on the verier keeping

the choice of i a secret Since we have a b oundedround proto col Babai B BM shows us

how to convert this proto col into a two round AM proto col where the verier sends random

public coins followed by the provers resp onse Thus GNI almostNP and GNI NPp oly

though graph nonisomorphism is not known to b e in NP or BPP If GI was NPcomplete

then the p olynomialtime hierarchy would collapse to

We will return to graph isomorphism in section

Chapter

Perfect ZeroKnowledge

A Cryptographic Side of Interactive Pro of Systems

When Goldwasser Micali and Racko GMR develop ed interactive pro of systems they con

currently develop ed zeroknowledge a restriction of interactive pro of systems requiring the

verier not learn any additional knowledge useful to him as a p olynomialtime machine Gol

dreich Micali and Wigderson GMW show if one way functions exist then all languages

in NP have zeroknowledge pro ofs However their pro of relies on the fact that the verier

has limited p ower and is unable to invert these oneway functions Perfect zeroknowledge

PZK a stronger restriction requires the verier not learn any additional information no

matter how p owerful he may b e There are several languages not known to b e in BPP or

NPcoNP such as graph isomorphism GMW which have p erfect zeroknowledge pro of

systems

Our main theorem shows for any language that has a p erfect zeroknowledge pro of sys

tem its complement has a singleround interactive pro of system Thus PZK coAM the

complement of languages accepted by oneround interactive pro of systems Our result holds

in the weaker case where we only require the verier following the proto col will not learn any

additional information

Combining our main theorem with a result of Boppana Hastad and Zachos BHZ we

show NPcomplete languages do not have p erfect zeroknowledge pro of systems unless the

p olynomialtime hierarchy collapses to the second level Thus it is unlikely that the result of

Goldreich Micali and Wigderson will extend to p erfect zeroknowledge

Notation and Denitions

Let P V represent an interactive proto col b etween a prover P and a verier V The veriers

view of the conversation consists of all the messages b etween P and V and the random coin

tosses of V

Let M b e a simulator for a view of the conversation b etween P and V The simulator M

is a probabilistic p olynomialtime machine that will output a conversation b etween P and V

including the random coin tosses r of V Thus each run of M will pro duce

r

k k

where the are messages from the prover to the verier at round i and the are messages

i i

from the verier to the prover

Let P V x denote the probability distribution of views of conversations b etween P and

V Let M x denote the distribution of views of conversations created by running M on x

Let Ax and B x b e two distributions of strings The distributions Ax and B x are

statistical ly close if for any subset of strings S

X X

Pr y Pr y

Ax B x q jxj

y S y S

for all p olynomials q with jxj large enough Let J b e a probabilistic p olynomialtime machine

that outputs either or The distributions Ax and B x are polynomialtime indistinguish

able if for any J

jPrJ Ax PrJ B x j

r jxj

for all p olynomials r with jxj large enough Let J Ax b e the output of J when run on a

string chosen from the probability distribution Ax Note if Ax and B x are statistically

close then they are p olynomialtime indistinguishabl e



P V is computational ZeroKnow ledge ZK if for any verier V there is a M such

V



x are p olynomialtime indistinguishabl e We use that for all x in L P V x and M

V

zeroknowledge throughout this thesis to refer to computational zeroknowledge



such that for P V is Perfect ZeroKnow ledge PZK if for any verier V there is a M

V



all x in L P V x M x

V



such that P V is Statistical ZeroKnow ledge SZK if for any verier V there is a M

V



for all x in L P V x and M x are statistically close

V

Goldwasser Micali and Racko GMR intro duced zeroknowledge as well as interactive

pro of systems in

Note ZK SZK PZK The inclusions are not known to b e prop er but the main result

of this chapter gives go o d evidence that ZK SZK

The results in this chapter only require a weaker version of zeroknowledge a simulator

only need exist for the given P and V and not necessarily for any V For the rest of this

chapter we will assume this weaker mo del and use M for M the simulator for P and V

V

Related Results

Goldreich Micali and Wigderson GMW show every language in NP has a zeroknowledge

interactive pro of system if a oneway function exists This result do es not relativize there

exists an oracle such that one way functions exist but NP do es not have zeroknowledge

pro ofs The pro of of Goldreich Micali and Wigderson works by exhibiting a zeroknowledge

pro of for a certain NPcomplete problem instead of for general nondeterministic machines

and thus the pro of do es not relativize

Our result shows for any language L with an statistical zeroknowledge pro of system there

exists a b oundedround interactive pro of system for its complement L We can then apply

several earlier results ab out b oundedround interactive pro of systems describ ed in section

Subsequent to our result Aiello and Hastad AH have shown using similar techniques

a b oundedround interactive pro of system can simulate any statistical zeroknowledge pro of

system This nice complement to our result combines with our result to show nonuniform

NPcoNP contains any language with a p erfect zeroknowledge pro of system

Brassard and Crep eau BC have shown p erfect zeroknowledge for SAT using a dierent

mo del for interactive pro of systems where the prover is a p olynomialtime machine that knows

a satisfying assignment Our result ab out p erfect zeroknowledge relies on the ability of the

prover to have innite p ower and do es not apply to Brassard and Crep eaus mo del

Showing Sets are Large and Small

In this chapter we will need proto cols to show sets are large and small We create b oth

proto cols using CarterWegman Universal Hash Functions CW

N N N b

Supp ose S f g For F a random binary b N matrix let f b e

the function dened by f x F x using regular matrix multiplication mo dulo two We can

think of f in terms of linear algebra over the eld of two elements The distribution of f

forms the uniform distribution over all p ossible linear functions from ndimensional space to

bdimensional space Let f b e the function f restricted to the domain S

S

b b b

If jS j then f is likely to b e onto most of and most elements of will have many

S

preimages

b b

If jS j then the range of f is a small subset of and most elements of f S will

S S

have only one inverse in S

N

Lemma Vector Indep endence Suppose x x x are linearly indepen

k

dent vectors over the eld of two elements Then f x f x f x are independently

k

b

and uniformly distributed over

Pro of Since x x x are linearly indep endent we can extend to a basis Let T b e the

k

N

transformation matrix from this new basis to the canonical basis of Then the matrix

b

B FT describ es the function from the new basis to the canonical basis of Since T

is an invertible matrix there is a onetoone corresp ondence b etween B and F Thus B is

distributed uniformly over all p ossible binary b N matrices The vector f x is just the

j

b

j th column of B Thus each f x is indep endently distributed over 2

j

Lower Bound Proto col

Goldwasser and Sipser GS develop ed the following proto col to show S is large for S recog

nizable in p olynomial time

N b

V Pick indep endent random hash functions f f and p oints

b

z z

V P f f z z

P V x

V Accept if x S and f x z for some i j i and j

i j

b

If S is much smaller than then there will probably b e no x such that f x z

i j

However if S is large then there will probably b e many x fulllin g f x z and a innitely

i j

p owerful prover will have no trouble exhibiting such an x that V can verify in p olynomial

time

Lemma Lower Bound GS Using the above protocol with a given N b d and

maxfb g

b

If jS j then PrP V accepts

b

then PrP V accepts for any P If jS j

d d

Upp er Bound Proto col

If V has a random element s in S completely unknown to P then we can use the following

proto col to show S is small

V Pick a random N b matrix F

V P F f s F s

P V s

For small S it is unlikely more than one element of S will map to f s and P can determine

s For large S probably many s will map to f s and P can not determine which element of

S the verier had

Lemma Upp er Bound Using the above protocol with a given N b and d

b

If jS j then PrP V accepts

d d

b

for any P If jS j d then PrP V accepts

d

Pro of Let A b e the random variable equal to the numb er of x s in S such that f x f s

Let S S fsg Let A b e the indicator random variable equal to one if f x f s zero

x

otherwise Then

X X X

jS j

b

E A E A E A

x x

b

0 0 0

xS xS xS

b

If jS j then E A If f s has only s as an inverse in jS j then P with his innite

d d

p ower will b e able to determine s Thus PrP V rejects PrA E A since A

d

is an integral random variable

b b

Supp ose jS j d We can assume jS j d without increasing the probability of

acceptance Then E A d Since P has no idea what s the verier V has P can only

probability of predicting the s that V has We will show with a large probability have a

A

A is large using the variance of A

Given x y s all distinct and y x s then x y and z are linearly indep endent Then

by the Vector Indep endence Lemma f x f y and f s are indep endently distributed over

b

It then follows that A and A are indep endent random variables and their covariance is

x y

zero

The covariance of any two indicator random variables is never greater then the exp ected

value of one of them Then VARA

X X X

COV A A COV A A COV A A E A d

x y x x x xs x

0 0 0

xy S xS xS

Possibly x s S which could only decrease the variance Using Chebyshevs inequality we

get

V ARA d

PrA d PrjA dj d

d d d

the prover P can determine s easily b ecause A is small So with probability at most

d

chance of guessing s so in total P has at most a enough otherwise P has at most

d d

chance of determining s 2

Comparison Proto col

N

Supp ose we had two sets S S and wanted to show jS j jS j If S is p olynomial

time testable and V has a random element s of S then we can use the following proto col to

show jS j jS j

P V b N

P V Use lowerb ound proto col on S with b b nN

P V Use upp erb ound proto col on S with b b n s s

V Accept if b oth the upp er and lower b ound proto cols accept

Lemma Comparison Using the above protocol

n n

If jS j jS j then PrP V accepts

n n

If jS j jS j then PrP V accepts n N for any P

n

Pro of Let d

n

Pick b blog jS jc Then each proto col accepts with probability so b oth

n

will accept with probability by the upp er and lower b ound lemmas

There are two cases dep ending on what b the prover P cho oses

a If b dlog jS je n then by the lower b ound lemma the probability of V accepting

n

is n N

b If b dlog jS je n then by the hyp othesis b n blog jS jc n and by the

n

upp erb ound lemma the probability of V accepting is 2

Using CarterWegman Hashing to show a set is large was intro duced by Sipser Si and

used extensively in Si B GS To the authors knowledge this is the rst use of an interactive

proto col to show a set is small

Main Theorem

We will start with a simple version of the theorem

Theorem For any language L with a perfect zeroknow ledge interactive proof system

L there exists an interactive proof system accepting

Structure of Pro of

We are given a prover and verier P and V for the language L and a simulator M that

pro duces views of conversations b etween P and V and the random coin tosses of V A prob

abilistic p olynomialtime machine can simulate the computation of V checking for example

whether or not V accepts On x L M pro duces a view of a conversation from exactly

the same probability distribution as when P and V run on x However the denition of

p erfect zeroknowledge has no requirements on the simulator in the case when x L three

p ossibilities arise

M will pro duce garbage something clearly not a randomly selected memb er of P

V x

M will pro duce views of conversations that cause V to reject most of the time

M will pro duce a simulation that lo oks valid and causes V to accept It may not b e

p ossible in p olynomial time to dierentiate this view from one created by P and V

when x L However M must pro duce views of conversations from a distribution

quite dierent from the distribution of views b etween P and V since in the real views

V will probably reject

We will create a new prover and verier P and V to determine if one of these three cases

o ccur The verier V will simulate M and get a view of a conversation b etween P and V as

well as r the random coin tosses of V The verier V will check the validity of this view and

that V accepts If the view fails this test then it fails in cases or so V accepts knowing

x L Otherwise V will send to P some initial segment of the conversation The prover P

will then convince V that the conversation came from a bad distribution by predicting r

b etter than P could have done from a go o d distribution

An Example Graph Isomorphism

In section we discussed graph isomorphism and showed an interactive proto col for graph

nonisomorphism In this section we will present a p erfect zeroknowledge proto col for graph

isomorphism develop ed by Goldreich Micali and Wigderson GMW and show how our

theorem converts this zeroknowledge proto col to an interactive proto col for graph noniso

morphism The proto col we develop will b e virtually identical to the proto col for graph

nonisomorphism in GMW and discussed in section our pro of however shows the

similarity b etween the two proto cols is not coincidental

Recall two graphs G and G are isomorphic if there exists a p ermutation such that

G G A p erfect zeroknowledge proto col for graph isomorphism suggested by GMW

works as follows

P Generate random p ermutation and computes G G

P V G

V P i or chosen at random

P V chosen at random such that G G

i

If G G then G will b e a p ermutation of b oth G and G and P will always b e able to

nd a If G G then G cannot b e a p ermutation of b oth G and G so at least half of

the time V will cho ose an i such that no exists

Thus we have an interactive proto col for graph isomorphism This proto col also is p erfect

zeroknowledge The simulator M works as follows

M generates and i at random and computes G G then outputs the following

i

view of a conversation

r i

P V G

V P i

P V

It is easy to verify when G G M pro duces exactly the same distribution of views of

G The output of M always conversations as P and V Notice what happ ens when G

causes V to accept Thus when G G M must pro duce views of conversations from a

very dierent distribution from what P and V pro duce In fact whenever G G one can

always predict r i from the G pro duced by M

This leads to a new interactive proto col b etween a new prover and verier P and V for

graph nonisomorphism as follows

V Generate and i at random and compute G G

i

V P G

P V j

V Accept if j i

The Proto col

We have a prover and verier P and V for a language L and a simulator M such that M

exactly simulates views of conversations b etween P and V for x in L Let n jxj and let k

b e the numb er of rounds of the proto col b ounded by a p olynomial in n We can decrease

pn

the probability of error in the proto col b etween P and V to for any p olynomial pn

by the standard trick of running the proto col several times in parallel and having V accept

if the ma jority of individual proto cols accept BM This new proto col is still p erfect zero

knowledgewe just run the simulator in parallel Note we make use of the fact that we

only need a simulator for the real verier V In general it is not known whether p erfect

zeroknowledge proto cols remain p erfect zeroknowledge when run in parallel

Thus we can assume

k n

If x L then PrP V x accepts

k n

If x L then for all P PrP V x accepts

For the sake of the comparison proto col we require V immediately reject if all its coin tosses

are zero Since this will happ en with an exp onentially small probability it will not aect

the correctness of the proto col The proto col remains p erfect zeroknowledge by having the

simulator output no conversation if the veriers coins are all zero

A proto col b etween a new prover and verier P and V works as follows

V Run M and get r The verier V now checks

k k

the validity of the conversation ie r will cause V to say

k k

the conversation causes V to accept

If either of these tests fail then V can b e very sure that x L so V quits now and

accepts Otherwise V continues

Let j

V P

j j

n

P V Lo ok at the sets R and R as dened b elow If jR j jR j then use the

comparison proto col describ ed in section to show jR j jR j Otherwise let

j j If j k tell V to TRY NEXT ROUND otherwise GIVE UP

The set R can b e thought of as all the p ossible random strings of V after round j of the

proto col The set R consists of the p ossible random strings of V generated by M More

formally

Let R b e the set of all p ossible coin tosses of V

Let R fR R j R and cause V to say g

j j

Let R fR R j M can output R part of a valid accepting

j j

conversationg

Note R R and if x L then R R Also note R is indep endent of

j

We can test containment of an element in R in p olynomial time and if x L then M

pro duces the exact distribution b etween P and V and thus r is a random element of R which

P do es not know fullling the requirements of the comparison proto col If x L p ossibly

r is not a random element of R which can only increase the probability of the comparison

proto col accepting

Pro of of the Proto cols Correctness

L we must show To show the proto col of section forms an interactive proto col for

If x L then P V x accepts with probability

If x L then for all P P V x accepts with probability

n

Supp ose to the contrary x L and the proto col fails to accept If jR j jR j

then by the comparison lemma the comparison proto col will fail with an exp onentially small

n

probability So jR j jR j at all rounds j with probability at least one fourth We will

derive a contradiction by demonstrating P V is not an interactive pro of system for L by

presenting a prover P which will convince V the original verier x L with probability

k n

greater than

At round j supp ose the conversation so far has b een P works as follows

j

P Run M which outputs r Check this is a valid accepting conver

k k

sation If not try again See if If not try again

j

j

P V

j

If x L then the prover P will eventually succeed at each round b ecause M must

generate every p ossible conversation with some p ositive probability

At round j when P has a conversation from M matching the conversation so far R is

the set of p ossible random coin tosses of V When P says R is the set of coin tosses

j

n

of V that will still keep V heading towards an accepting path Since jR j jR j this

n

will happ en with probability So after k rounds V will end up accepting with a

k nk k n

which is higher than the maximum accepting probability probability at least

we assumed for V and any P when x L

Note P may require exp onential exp ected time to complete its part of the proto col but

in our mo del we allow an innitely p owerful P

Supp ose x L The simulator M will pro duce views of conversations from exactly the

same distribution as P and V Thus every conversation pro duced by M will b e valid Assume

a prover P can convince V to accept with probability The verier V will reject in this

n

conversation with an exp onentially small probability causing V to accept If jR j jR j

on any round then the comparison proto col will accept also with an exp onentially small

n

probability Thus we can assume with probability that jR j jR j for some round

j Since M outputs all p ossible conversations R is just the random coin tosses of V which

might cause V to accept in the future So at round j of the proto col V accepts with probability

jR j

n

less than Since this happ ens at least a fourth of the time in general V accepts

jR j

n

contradicting the fact V will accept with probability greater with probability at most

k n

than 2

Extensions and Corollaries

Theorem Suppose P V is an interactive proof system for a language L and there is

a probabilistic polynomialtime simulator M such that M x is statistical ly close to P V x

Then there is a singleround interactive proof system for the complement of L

Idea of Pro of This extends the main theorem in two ways First we do not require

M x P V x just they b e statistically close One can check the pro of in the previous

section and notice with some minor adjustments to the probabilities statistically close is

go o d enough

Second we would like to get a singleround pro of system for the complement of L Notice

in the proto col in section the numb er of rounds dep ends on when P decides to say

STOP To get b ounded rounds we must make the following change to the proto col

V Run M k times indep endently and get k views of conversations check each

conversation is valid and accepting

V P For each i i k send the rst i mo d k rounds of the ith conversation

P V Pick any conversation j and show jR j jR j for the view of this conversation

The pro of still works b ecause the new proto col essentially tries all rounds in parallel Once

we have b ounded rounds we apply the theorems of B GS that imply singleround proto cols

can simulate any b oundedround proto col

Some trivial corollaries that follow from results describ ed in sections and

Corollary If L has an statistical zeroknow ledge interactive proof system possibly with

an unbounded number of rounds then

the complement of L has a oneround interactive proof system

L is contained in the intersection of almostNP and almostcoNP

Corollary If any NPcomplete language has an statistical zeroknow ledge interactive

proof system then the polynomialtime hierarchy col lapses to the second level

Corollary If oneway functions exist and the polynomialtime hierarchy does not col lapse

then NP ZK but NP SZK so ZK SZK

Further Research

There are several interesting problems remaining concerning p erfect zeroknowledge includ

ing

What is the relationship b etween PZK and SZK

Are complement of p erfect or statistical zeroknowledge languages themselves p erfect

zeroknowledge in any sense

Do we need cryptographic assumptions to show NP has zeroknowledge pro of systems

Although this chapter shows NP probably do es not have p erfect zeroknowledge pro of

systems p ossibly we need only assume the intractability of SAT for a zeroknowledge

pro of system

Chapter

LogarithmicSpace Veriers

Reducing the Power of the Verier

Often in complexity theory as in real life we would like our computers to require small work

space as well as a short amount of time In this chapter we lo ok at the complexity of veriers

not only restricted in p olynomial time but logarithmic space

Condon and Ladner CL rst lo oked at these space b ounded pro of systems in In

Condon Co Co describ ed prop erties of these mo dels with dierent results for public

and private coins in contrast to the Goldwasser and Sipser result GS

We will concentrate on one mo del with the verier restricted to public coins p olynomial

time and logarithmic space We show the equivalence of this mo del to adding b oth nondeter

ministic and probabilistic computation to logarithmic space b ounded Turing machines

Log Space Veriers and BPNL

We dene an interactive proto col with a logspace verier as an interactive proto col with the

following complexity for the verier V

V uses at most O log n space

V runs in p olynomial time

V uses only public coins

The class IPL contains all the languages accepted by these mo dels using the same proba

bilities as for the standard mo del describ ed in section

The last two restrictions on V prevent the mo del from b ecoming to o p owerful If we allow

V unrestricted time with public coins this mo del accepts exactly the class P Co Anne

Condon and John Romp el indep endently have shown if we allow V to use private coins then

this mo del accepts the same languages as standard interactive pro of systems

Analogous to BPNP we can dene a probabilistic nondeterministic version of logarithmic

space We dene the class of languages accepted by b oundederror probabilistic nondetermin

istic p olynomialtime logspace machines as BPNL and we can show the following relationship

b etween this mo del and interactive pro of systems with logspace veriers

Theorem The classes IPL and BPNL contain the same set of languages

Pro of

Supp ose a language L has a BPNL machine M We create a verier that simulates M

and when M makes a nondeterministic choice we defer that choice to the prover On

any input x the probability of acceptance of this proto col is the same as the probability

of acceptance of M since playing optimally the prover cho oses to send the message that

leads to the highest probability of acceptance for V

Supp ose a language L has a IPL pro of system with verier V We create M that simu

lates V but uses nondeterminism to guess the provers resp onses Again the probabilities

of acceptance are identical 2

For the rest of this chapter we will use BPNL to refer to this class of languages

A Circuit Mo del for BPNL

In this section we describ e a circuit mo del that captures the p ower of BPNL We lo ok at

p olynomial size circuits consisting of max and average gates instead of and and or gates A

max or average gate can take inputs from any value b etween and and outputs some value

b etween and On inputs x and x a max gate will output maxx x On inputs x and

x an average gate will output x x Maxave circuits are a family of p olynomial size

circuits of max and average gates C C with the following prop erty of acceptance for a

language L

n

If x f g and the b ottom most inputs of C are just x x the bits of x then

n n

If x L then C x x

n n

If x L then C x x

n n

As with probabilistic computation we require that C never falls b etween and for any

n

input We call circuits with this prop erty proper maxave circuits

One can make an analogy from maxave circuits to BPNL by having the prover make the

choices on the max gates and the verier randomly making a choice in the average gate We

make this notion formal as follows

Theorem

For every L in BPNL there is a logspace computable function f such that f x C

where C is a proper maxave circuit for L with size polynomial in jxj and no nonconstant

inputs

There is a BPNL machine M such that PrM accepts C x C x for al l x f g

and maxave circuits C

Pro of

We will show given a BPNL machine M and an input x we can create in logspace a

circuit C such that the probability of M accepting is the value of C We add a clo ck

to M to keep track of how many steps have gone by Let S b e the set of all p ossible

congurations of M Clearly there are only a p olynomial numb er of p ossibiliti es for

S These congurations will form the gates of the circuit C Those congurations

where M nondeterministically guesses a bit form max gates over all the next p ossible

congurations The congurations where M ips a coin form average gates over the next

p ossible congurations one step after the coin ip We replace an accepting conguration

by the constant input one Likewise we replace the rejecting congurations by zero

The other congurations form a max gate over the single gate representing the next

conguration after a single step of deterministic computation Since we have added a

clo ck to M this pro cess can not create any cycles By the denition of BPNL and

maxave circuits the probability of M accepting is the value of C We clearly can do

the ab ove construction in logspace Note C do es not have any nonconstant inputs

We will show that we can create a proververier pair to accept x with probability C x

The prover and verier will start at the top gate For a max gate the prover picks one

of that gates children For an average gate the verier picks one of the gates children

by ipping a coin We continue this pro cess on the gates child Since C has only a

p olynomial numb er of gates V can always keep a p ointer to the gate currently b eing

pro cessed The verier will accept if we pro cess a one input Again the probability of

acceptance is exactly the value C x We then turn P V into an equivalent BPNL

machine M 2

Corollary BPNL P Proven independently by Condon Co

Pro of Given L in BPNL and x in by the previous theorem we have a reduction f x to

a circuit C with no nonconstant inputs We then compute C by calculating the value at each

gate and accept if the value of C is at least two thirds 2

Note this do es not say maxave circuits accept exactly the same languages as BPNL

machines For example a maxave circuit can only accept monotone languages thus no family

of maxave circuits can exist accepting nonmonotone languages such as parity However

BPNL can clearly compute parity By the ab ove pro of a BPNL machine can accept any

language accepted by logspace uniform prop er maxave circuits

Do es BPNL accept all the languages of P We conjecture there exist p olynomialtime

computable languages not in BPNL The following theorem indicates we will not easily settle

this question by computing the value of the maxave circuit

Theorem fC x v jC x v g is logspacecomplete for P

Pro of Ladner L showed fC xjC x g logspace complete for P where C is a

normal p olynomial size andor circuit We create C by replacing every or gate by a max gate

and every and gate by an average gate Then C x if and only if C x 2

BPNL Contains LOGCFL

Clearly BPNL contains b oth NL and BPL In this section we show that BPNL nontriv

ially contains the complexity class LOGCFL languages logspace reducible to contextfree

languages Su Su

Venkateswaran V showed the equivalence of LOGCFL and the class of languages accepted

by logspace uniform semiunb ounded log depth circuits ie a family of andor circuits of

O log n depth and b ounded fanin ands p ossibly unb ounded fanin ors We can assume

that the fanin of the ands is two

The class LOGCFL contains NL and equality is unknown It is also unknown whether

BPL contain LOGCFL

Theorem LOGCFL BPNL

Pro of Let L LOGCFL For x let C b e the appropriate logspace constructible semi

unb ounded circuit such that C x i x L The prover and verier will start at the top

gate If it is an or gate then the prover picks one of that gates children If it is an and gate

the verier picks one of the gates children by ipping a coin We then continue this pro cess

on the gates child Since C is of p olynomial size V can always keep a p ointer to the gate

currently b eing pro cessed We will end up at either

An input x In this case the verier accepts if x

i i

A negation of an input x In this case the verier accepts if x

i i

If x L then for any choices at and gates there exist choices at or gates that cause the

circuit to accept Thus the prover has a winning strategy for any choices of the verier so the

verier always accepts

If x L then there are choices the verier V could make so V would reject Since the

circuit is only log depth and V makes one choice out of two at each gate the probability

O log n

that V would reject for some p olynomial pn Thus PrP and V accept

pn

x

pn

We then run this proto col pn times indep endently and in succession and V accepts if

all runs of this proto col accept We then get

If x L then PrP and V accept x

pn

e If x L then PrP and V accept

pn

P and V form a p olynomialtime logspace publiccoin interactive pro of system for L 2

Further Directions of Research

Several op en questions remain including

We showed LOGCFL BPNL P Can this gap b e tightened

Are there other restrictions on the verier that give rise to other interesting complexity

classes

What is the relationship of maxave circuits to other circuit mo dels

It is clear that BPL is closed under complement and Immerman I recently showed the

same was true for NL Can similar techniques b e used to show BPNL is closed under

complement

Chapter

Multiple Provers

Corrob orating Susp ects

Consider the case of two criminal susp ects who are under interrogation to see if they are guilty

of together robbing a bank Of course they the provers are trying to convince Scotland Yard

the verier of their inno cence Assuming that they are in fact inno cent it is clear that their

ability to convince the p olice of this is enhanced if they are questioned in separate ro oms and

can corrob orate each others stories without communicating

Instead of the verier communicating with only one prover we will now lo ok at the mo del

where the verier can communicate with many provers that can not communicate with each

other BenOr Goldwasser Kilian and Wigderson BGKW originally develop ed multiprover

interactive pro of systems primarily for cryptographic purp oses They show every language

accepted by a two prover interactive pro of system has a p erfect zeroknowledge two prover

pro of system see section for denitions of p erfect zeroknowledge They also show two

prover systems can simulate any multiprover system Along the same lines of Goldreich

Mansour and Sipser GMS they show any two prover system has an equivalent system that

accepts with probability one for strings in the language Complete pro ofs of these results

app ear in Ki

We give a simple characterization of the p ower of the multiprover mo del in terms of

probabilistic oracle Turing machines Using this characterization we give an oracle relative

to which there exists a coNP language not accepted by any multiprover interactive pro of

system extending the result of Fortnow and Sipser FS for the standard interactive pro of

system mo del

Denitions

Let P P P b e innitely p owerful machines and V b e a probabilistic p olynomialtime

k

machine all of which share the same readonly input tap e The verier V shares communi

cation tap es with each P but dierent provers P and P have no tap es they can b oth access

i i j

b esides the input tap e We allow k to b e as large as a p olynomial in the size of the input

any larger and V could not access all the provers

Formally similar to the prover of a standard interactive pro of system each P is a function

i

from the input and the conversation it has seen so far to a message We put no restrictions

on the complexity of this function other than that the lengths of the messages pro duced by

this function must b e b ounded by a p olynomial in the size of the input

P P and V form a multiprover interactive proto col for a language L if

k

n

If x L then PrP P and V on x accept

k

n

If x L then for all provers P P PrP P and V on x accept

k k

MIP is the class of all languages which have multiprover interactive proto cols If k is one we

get the class IP of languages accepted by standard interactive pro of systems

Note the dierent probabilities used here compared to the probabilities used to dene

standard interactive pro of systems Unlike the result of Babai and Moran BM for the

standard mo del it is unknown whether we can increase the probability of error in multi

prover pro of systems by running the proto cols in parallel see section We can reduce

pn

the probability of error to less than for any p olynomial pn by running the proto cols

several times serially

A round of an multiprover interactive proto col is a message from the verier to some or all

of the provers followed by messages from these provers to the verier In general interactive

proto cols can have a p olynomial numb er of rounds We let designate a message from

ij

prover i to the verier in round j and designate a message from the verier to prover i in

ij

round j We may omit the prover numb er for oneprover interactive proto cols

IPj k is the class of languages accepted with no more than j provers in no more than

k rounds The values j and k may dep end on the input but clearly can not b e larger than a

p olynomial in the size of the input We let poly designate a p olynomial ie IP is IPpoly

and MIP is IPpolypoly A proto col is said to have b ounded rounds if k is a constant

Probabilistic Oracle Machines

Supp ose a prover in an interactive pro of system must set all his p ossible resp onses b efore the

proto col with the verier takes place We can think of the prover as an oracle attempting to

convince a probabilistic machine whether to accept a certain input string The oracle must

b e fully sp ecied b efore the proto col b egins

Let M b e a probabilistic p olynomialtime Turing machine with access to an oracle O A

language L is accepted by an oracle machine M i

O

n

For every x L there is an oracle O such that M accepts x with probability

0

O

n

For every x L and for all oracles O M accepts with probability

This mo del diers from the standard interactive proto col mo del in that the oracle must

b e set ahead of time while in an interactive proto col the prover may let his future answers

dep end on previous ones

Theorem L is accepted by an oracle machine if and only if L is accepted by a multi

prover interactive protocol

Pro of Writeup due to John Romp el

Supp ose L is accepted by a multiprover interactive pro of system V Then dene M as follows

M simulates V with M rememb ering all messages When V sends a message to a prover

M asks the oracle the question x i j suitably enco ded and uses the resp onse

i ij

th th

as the bit of the message from prover i on input x where are the rst j

i ij

messages sent from the verier to prover i M then accepts x if and only if V do es

Let P P b e provers which cause V to accept each x L with probability at least

k

n

If we let O b e the oracle which enco des in the ab ove manner the messages of

O

P P then M will accept each x L with the same probability as V

k

0

O

Supp ose there were an input x L and an oracle O such that M accepts x with

n

probability more than Then we could construct provers P P which cause V

k

to accept x with the same probability by just using O to create their messages Since

by denition no such P P exist neither do es O

k

k

Supp ose L is accepted by a probabilistic oracle machine M in n steps We will dene a

k

verier V to simulate M using n provers The verier rst randomly cho oses an ordering

k

of the n provers The verier then simulates M and whenever M asks an oracle question

V asks the question to each of the next n provers in the chosen ordering If the provers

are unanimous in their answer V uses that answer in its simulation of M if not V rejects

immediately If the provers successfully answer all oracle queries then the verier accepts if

k k

and only if M do es There can b e at most n questions so the n provers will suce

O n

Let O b e an oracle such that M accepts each x L with probability at least

all answer identically according to O then they will cause V If we let P P

k

n

O

to accept each x L with the same probability as M

Consider x L consider any provers P P Let oracle O answer queries as the

k

n

would ma jority of P P

k

n

There are two cases to consider for V accepting x either all oracle queries in the

simulation answered consistent with O or some oracle query answered dierent than

O would By the denition of acceptance for probabilistic oracle machines we know

n

that the probability of the rst case o ccurring is where this probability is over the

random coins of M

Now consider the second case Fix some set of random coins r Let q q b e the

k

n

oracle questions in the computation of M on x using random coins r and oracle O For

V to accept using an oracle answer inconsistent with O it must b e the case that for

th

some i the set of n provers all give an answer inconsistent with O on q Fix i

i

k

Since O gives the answer to q that the ma jority of provers do at most n of the

i

k th

n provers will answer dierently than O Thus the probability that the set of n

provers will all answer dierently from O is at most

k

n

n

n

k

n

n

k

The probability that this will happ en for some i is at most n times this Thus the total

n k n k n

probability that V will accept x is at most n or n

Finally we dene V to simulate V three times in series accepting or rejecting according

to the ma jority of the simulations Since the probabilities of the runs are indep endent the

probability that the correct provers will cause V to accept x L is at least

n n n n

and the probability that any provers will cause V to accept x L is at most

n n n n

If we further mo dify V hardwiring the correct answer for n then V forms a multi

prover interactive pro of system for L 2

This theorem gives a natural mo del equivalent to multiple provers and useful for proving

theorems ab out them

Are there MultiProver Proto cols for coNP Languages

With the extra p ower of multiple provers we can not immediately rule out the p ossibility of

proto cols for all coNP languages However we can extend the result of Fortnow and Sipser

A A

FS where an oracle is given such that coNP IP

A A

Theorem There exists an oracle A and a language L coNP such that L MIP

Pro of In this pro of we will use the oracle machine mo del It is easy to verify that the

pro of in section holds under relativizations to all oracles Note that our machines can ask

questions ab out two oracles the prover oracle O and the relativization oracle A

We can enumerate all p ossible p olynomialtime machines in the standard manner letting

i

M b e b ounded in time by n where n is the size of the input

i

For any oracle A let

n

LA f A contains all strings of length ng

A

It is clear that LA coNP for all oracles A

A

In step i we make LA dierent from every oracle machine M Then LA can not have

i

a multiprover interactive proto col and we have proved our theorem

STEP i

i N

i

N and no oracle questions of length N have b een Pick N large enough so

i i i

i

asked in any previous step Let p N

i i

A

Every time M asks a question to A which has not b een previously answered we answer

i

A N

i

with probability yes If there are not any oracles O such that O and M accept on input

i

at least then we put in the oracle A all strings of length N and every other previously unset

i

A A

string that M asks ab out for any oracle O This completes step i Note that M can only

i i

ask questions of length less than p so we will always b e able to nd N in step i

i i

A N

i

Otherwise we have some oracle O such that O and M will accept with probability

i

A A

On any computation path which is determined by M s coin tosses M can at least

i i

N

i

ask at most p oracle questions to A of length N There are questions of length N A

i i i

counting argument shows that there is some oracle question x of length N that app ears in

i

N A

i

no more than p of the computation paths of M By the way we chose N this means

i i

i

A

the oracle question x app ears in less than one third of the computation paths of M Put

i

all strings of length N except for x in the oracle A Also place in the oracle A every string

i

A

queried by M on every p ossible communication with every p ossible O The oracle O will

i

A

convince M to accept with probability greater than one third since more than a third of the

i

computation paths are the same as b efore

A N

i

If there exists an oracle O that makes M accept with probability greater than two

i

N A

i

thirds then LA do es not contain Conversely if no oracles exists that causes M

i

N

i

to accept with probability at least one third then LA will contain By the standard

A

diagonalization argument LA do es not equal the language accepted by M for any j 2

j

This result implies the earlier result of Fortnow and Sipser FS since the language LA

do es not have standard interactive pro of systems under the oracle A

Corollary Techniques which relativize wil l not settle whether MIP contains coNP or

whether IP contains coNP

B B B

Pro of Let B b e the standard oracle which makes P NP BGS Then coNP

B B B B

P and coNP IP MIP Thus any pro of that proves or disproves coNP MIP or

coNP IP can not relativize 2

Bounded Round Proto cols

Fortnow Romp el and Sipser FRS claimed some results ab out collapsing rounds IPpoly

IP and IPpolypoly IP The pro ofs require that we can somehow decrease the

error probability by running the proto cols in parallel The approach makes the assumption

that if the provers can b e prevented from communicating among themselves through the

proto col then parallel runs of the proto col work indep endently like parallel runs of one prover

interactive proto cols BM

The claims of Fortnow Romp el and Sipser remain unproven b ecause of this faulty as

sumption We show the assumption faulty with the following counterexample

Supp ose we have the following two prover proto col

V Pick two bits a and b uniformly and indep endentl y at random

V P a

V P b

P V c

P V d

V Accept if a c b d

It is easy to show the b est strategy for two provers causes the verier to accept with probability

Notice neither prover has any notion of what bit the verier has sent to the other prover

Now let us examine the two round version of the same proto col

V Pick bits a a and b b uniformly and indep endently at random

V P a a

V P b b

P V c c

P V d d

V Accept if a c b d and a c b d

If the parallel runs of the proto col b ehave indep endently we would exp ect the optimum

strategy for the provers causes the verier to accept with probability However

the following strategy for the provers causes the verier to accept with probability

P If a a resp ond c c otherwise resp ond c c

P If b b resp ond d d otherwise resp ond d d

n

Note in n rounds the probability of acceptance of this proto col can not exceed

since the verier will not accept if a b for any i We can not nd any counterexample

i i

without this typ e of exp onential decrease However we can not prove any such decrease in a

general setting

We conjecture the b ounded round claims of Fortnow Romp el and Sipser are true but the

pro ofs will require new techniques

Further Research

There still remain many op en questions including

Can we in fact prove the results like those stated in FRS ie results that collapse

unb ounded rounds to b ounded rounds p erhaps with additional provers

Under what conditions can we reduce the error probability without drastically increasing

the numb er of rounds in multiprover interactive pro of systems

What is the relation b etween MIP and IP Is there for instance an oracle separating

the two classes

What is the relationship b etween MIP and PSPACE Feldman Fe shows that PSPACE

contains IP but the pro of do es not app ear to work for MIP Peterson and Reif PR

show if we replace the veriers randomness with universal choices we get exactly non

deterministic exp onential time

A publiccoin interactive pro of system can accept any language accepted by a interactive

pro of system GS What can we say ab out publiccoin multiprover interactive pro of

systems How do we even dene publiccoin pro of systems for multiple provers

Chapter

Probabilisti c Computation and

Linear Time

LinearTime Veriers

Supp ose we restrict our verier to run in linear time Clearly any language accepted by a

verier running in linear time will b e accepted by a standard interactive pro of system with

a p olynomialtime verier Can we nd a language accepted by a standard interactive pro of

system but not a pro of system with a lineartime verier

In this chapter we examine the same question for simpler mo dels of computation In

in the seminal pap er in complexity theory Hartmanis and Stearns HaS showed for

k

any k there exist problems with deterministic n algorithms but no deterministic

k

algorithms exist that run in n steps This hierarchy theorem answered the question for the

simple deterministic case

Interactive pro of systems combine nondeterministic and probabilistic computation In

Co ok C showed a hierarchy exists for nondeterministic computation In contrast with

deterministic and nondeterministic computation the existence of a probabilistic hierarchy

remains unknown The techniques that establish the deterministic and nondeterministic

hierarchy fail in the probabilistic case The main result of this chapter shows a fundamental

reason for this failure

We will show this result by exhibiting an oracle A relative to which probabilistic linear

time equals BPP probabilistic p olynomial time as well as an oracle for which they dier

Thus techniques that relativize will not answer this question Virtually all known techniques

for solving problems of this typ e relativize particularly the techniques that separate the

deterministic and nondeterministic time classes

This result suggests the p ossibility of a collapse of a complexity time hierarchy Results

of this nature show some fundamental dierences in probabilistic computation versus other

forms of computation such as deterministic and nondeterministic

Assuming computers have easy access to random bits a problem has an ecient solution

if a probabilistic p olynomialtime algorithm can solve this problem Under the oracle A

we have the surprising situation that we can solve all problems with ecient solutions in

probabilistic linear time

We also show some other relativized results in this pap er relating to probabilistic com

putation and linear time We also give a partial answer to the original question by showing

the existence of a language accepted by an interactive pro of system but not accepted in

probabilistic linear time

Our Results and Related Results

We show the existence of oracles under which the following hold

BPP BPTIMEn actually we will show BPP RTIMEn thus BPP NTIMEn

and BPP ZPTIMEn

BPP has linear size circuits

BPTIMEn

The negation of each of the ab ove

We also show there must exist a language in either BPP or NP but not in BPTIMEn

This result implies there are languages accepted by interactive pro of systems that are not

accepted in probabilistic linear time

Hartmanis and Stearns HaS with Hennie and Stearns HeS show for nice f and g such

f n

j k

that DTIMEf n DTIMEg n thus DTIMEn DTIMEn for that g n o

log n

k j Co ok C showed the latter result for nondeterministic time which was improved

by Seiferas Fischer and Meyer SFM All of these results relativize to all oracles

Wilson W showed has linear size circuits with an appropriate oracle We extend

Wilsons result to show BPTIMEn contains relative to an oracle However his techniques

fail to help prove our main theorem since they rely on the fact that languages in can dep end

only on a p olynomial numb er of oracle queries for each input BPP do es not aord us that

luxury

k

Kannan K showed do es not have n size circuits for any xed k Using standard

techniques one can show BPTIMEn has n size circuits These results relativize to all

oracles Combining these facts with the ab ove results we get that there are oracles that put

and BPP in BPTIMEn and linear size circuits where as such oracles do not exist for

The class contains BPP Si and though the relationship b etween

and BPP is unknown

n

One can get a trivial separation of BPTIMEn and BPTIME by simulating all p ossible

log n

coin tosses Karpinski and Verb eek KV improved this result to show BPTIMEn do es

n

not contain BPTIME for any

Deterministic Nondeterministic and

Probabilistic Linear Time

Why do es probabilistic computation b ehave dierently than deterministic and nondetermin

istic computation for separating the time classes In this section we will describ e the pro of

techniques for separating the deterministic and nondeterministic time classes and show why

these techniques fail for probabilistic computation

The pro of that DTIMEn DTIMEn works roughly as follows Let M M b e

an enumeration of all lineartime deterministic Turing machines Dene a machine M that

on input i do es the following Simulate M on input i and accept if and only if M rejects

i i

In quadratic time M has more than enough time to simulate M on input i However if a

i

lineartime machine M accepts LM then we have a contradiction by the denition of M

j

At rst glance this pro of seems to work for probabilistic machines However the pro of

fails b ecause of the enumeration of the machines If we cho ose a standard enumeration of

the BPP machines one of the M will accept with probability for example the machine

i

that just ips a coin and accepts if heads Since a prop er probabilistic machine must accept

with probability b elow or ab ove M will not b e in BPTIMEn even though it runs

in quadratic time We could try to have an enumeration of prop er probabilistic lineartime

machines but such an enumeration may b e computationally infeasible

The deterministic pro of do es not work for the nondeterministic case either Co ok C

proved NTIMEn NTIMEn using a translation lemma If NTIMEf n NTIMEg n

then for all reasonable sup erlinear h NTIMEhf n NTIMEhg n A similar lemma

holds for deterministic and probabilistic computation Co oks pro of pro ceeds as follows

Assume NTIMEn NTIMEn Then by using the translation lemma NTIMEn

NTIMEn and thus NTIMEn NTIMEn If we rep eat this pro cess k times we get

k

NTIMEn NTIMEn By using an universal nondeterministic machine we are able to

k

maintain the same constant at each step ie a nondeterministic machine that runs in n

k

can b e simulated by a machine that runs in c n time for some xed c If we let k log n we

n log c

get NTIMEn NTIMEn which can b e shown false by diagonalization

Even though the translation lemma holds this pro of still fails for probabilistic compu

tation The diculty comes when we try to make a universal prop er probabilistic machine

A universal prop er probabilistic machine would b e a prop er probabilistic machine that can

simulate other prop er probabilistic machines a very dicult task as we have already seen

Thus we can not keep the constants in check and therefore can only rep eat the translation

pro cess a constant numb er of times

We will exploit these diculties to create the oracle to collapse BPP to BPTIMEn

Pro of of the Main Theorem

A A

In order to construct an oracle A such that BPP BPTIME n we enco de within A the

A

answers to whether BPP machines M accepts inputs w for each M and almost all w in

A

a way that a BPTIME n machine can nd the enco ding and thus p erform the simulation

A

quickly The diculty that arises is that the BPP machine also has access to A and so can

use it to try to ensure that however we try to enco de the answers the simulating machine

will b e incorrect This is in fact why analogous oracles for P and NP can not exist since the

theorems of HaS C relativize for all oracles Our ability to construct the oracle in this case

rests on a balancing act b etween the p ower of probabilistic over deterministic computation on

one side its still limited ability on the second side and the forbidden region of acceptance

probability b etween and lastly

We present the pro of in several sections as follows

We describ e the structure of the oracle

We examine a simple case in which machines and inputs only lo ok at their own enco d

ings

We dene inuencing strings oracle strings that aect the acceptance by a reasonable

probability and show prop er machines can not dep end on noninuencin g strings

We describ e the enco ding pro cess for a restrictive BPP machine

We create a dep endency graph for a machine and an input

We pro cess the dep endency graph enco ding that machine and input

We generalize the pro of to all BPP machines

Structure of the Oracle

Let M M b e an enumeration of p olynomialtime Turing machines that can make random

A

designates the machine with index i using oracle choices and ask queries of an oracle M

i

A i

A Without loss of generality we can assume M x runs in at most n steps Clearly if L

i

A

A A

BPP then L LM for some i with M b eing a prop er probabilistic Turing machine

i i

A

x ips all its coins b efore it do es any Without loss of generality we can assume M

i

A

other computation Once M x has ipp ed these coins it b ecomes a deterministic machine

i

whose acceptance dep ends solely on the oracle questions it asks We call the computation

A A A

after M x ips its coins a computation path of M x We also assume M x ips the

i i i

same numb er of coins on each computation path so that each path has the same probability

A

of o ccurring Since M x runs in p olynomial time it can ask only a p olynomial numb er of

i

oracle queries on any computation path

A

one of the two following We will create the oracle A such that for each machine M

i

statements will b e true

A

is improp er M

i

A

that accepts exactly the same There will exist a probabilistic lineartime machine S

i

A

language as M

i

A

A

contains a language L Then some machine M must accept exactly the Supp ose BPP

j

A

language L The machine M must b e prop er otherwise it could not accept any language

j

at all certainly not L If we have set up the oracle A as describ ed ab ove then we have a

A A

lineartime machine S accepting the same language as M ie the language L Thus all of

j j

BPP collapses to probabilistic linear time under the oracle A

A

x accepts by putting the string i x in the oracle A if We could enco de whether M

i

A A

and only if M x accepts The lineartime machine S accepts on input x if i x is in A

i i

A

This idea fails to work b ecause M x can lo ok at its own enco ding of i x in A

i

A

Instead we will enco de in the oracle A whether or not M accepts using strings of the

i

jxj

form i x r where r may b e any of the strings of length jxj

A

We say A properly encodes M x if

i

A

If M accepts x then for at least of the p ossible r s i x r A

i

A

If M rejects x then for at most of the p ossible r s i x r A

i

A

We call the i x r s encoding strings of M x

i

A

We now have the simulating machine S do the following for input x

i

Pick a random r of length jxj

Accept if i x r is in the oracle A

A A

Notice that if we have prop erly enco ded A for M then S will accept exactly the same

i i

A

language as M We will prop erly enco de the oracle A for all prop er p olynomialtime prob

i

A

abilistic machines M

i

A Simple Case

A

Let us examine the case when M x only lo oks at strings of its own enco ding ie strings

i

of the form i x r

A

An inuencing string of M x is an oracle query that o ccurs on at least one sixth of

i

A

x can have at most a all the computation paths An easy counting argument shows M

i

p olynomial numb er of inuencing strings and thus they make up a very small fraction of all

the p ossible i x r

A

x in A as follows We will prop erly enco de M

i

Initially we will set all of the strings of the form i x r to zero ie not in A We will

A

then determine the probability of M x accepting There are three cases

i

A

M x accepts with probability less than one third

i

A

x accepts with probability b etween one third and two thirds M

i

A

x accepts with probability greater than two thirds M

i

A

In the rst case M x rejects by denition and we have set less than a third of the i x r

i

in A in fact none of the i x r are in A In this case we have already prop erly enco ded A

A

In the second case M x b eing improp er can not accept any languages so we no longer

i

A

even for other inputs need to enco de A for M

i

A

In the third case M x accepts but there are less than two thirds of the i x r in A

i

We will prop erly enco de A using the following algorithm

Let S b e a collection of two thirds of the i x r such that S has only noninuencing

strings The set S exists b ecause the inuencing i x r form only a tiny fraction of all of

the i x r

Pick a single string from S and put that string in the oracle A Now only one string of

A

the form i x r is in the oracle Once again determine the probability of M x accepting

i

A A

If M x accepts with probability b etween one third and two thirds then M is improp er

i i

A

and we no longer need to enco de M

i

A

M x can not accept with probability less than one third Since we chose an noninu

i

A

encing string o ccurring on at most one sixth of the computation paths of M x it can not

i

A

change its probability by more than one sixth However M x would have to change its

i

probability by more than one third to accept with probability less than one third

A

Thus if M x is still prop er then it must accept with probability at least two thirds

i

We then pick another string from S and put that string in the oracle A along with the rst

string

A

Once again either M x is improp er or it accepts with probability more than two thirds

i

A

We continue this pro cess until M b ecomes improp er or we have added to A all of S At this

i

A

p oint M x accepts and two thirds of the i x r are in A Thus we have prop erly enco ded

i

A

A for M x

i

A

Unfortunately this do es not nish the pro of b ecause M x may ask questions of other

i

machines and inputs To handle this case we must lo ok carefully at the dep endencies among

the machines and the enco ding strings they query The remainder of the pro of handles these

dep endencies

Inuencing and Simulating Strings

A

x we will lo ok at all the oracle queries it can p ossibly ask on every computation For each M

i

pathp otentially a very large set of oracle strings We call the oracle queries that aect the

A

probability of M x accepting by a certain nonnegligible probability inuencing strings

i

a slight change from the denition in section The remaining oracle queries we call

A

simulating strings We will show that M x can not have to o many inuencing strings

i

A

x dep ends on its simulating strings ie one setting of these strings causes Supp ose M

i

A A

M x to accept with probability less than and another setting causes M x to accept

i i

with probability more than We can start with the rst setting and change one oracle

A

query at a time to get to the second setting Eventually M x must accept with probability

i

greater than However since the simulating strings do not individually change the prob

A A

x accepts can not b e greater than so x very much the probability M ability of M

i i

A

M is no longer a prop er probabilistic machine

i

We now give an outline of the rest of the pro of using inuencing and simulating strings

For every machine M and input x we try all p ossible settings of the oracle queries of A in an

i

A A

x accept with an improp er probability If we succeeded in making M eort to make M

i i

improp er we set all other enco ding strings of M to zero Otherwise M dep ends only on its

i i

A

x We have not set inuencing strings we just set these arbitrarily in A to determine M

i

to o many strings in particular we have not set very many of the i x r s We then use the

A

unset i x r s to enco de M x consistent with whether it accepts

i

Order of Enco ding

A

For any given prop er M we need only prop erly enco de oracle A for all but a nite numb er of

i

A A

inputs for M The lineartime probabilistic machine S that merely cho oses a random r and

i i

accepts if the oracle A contains i x r will work for all the inputs prop erly enco ded by A

A A

We create a lineartime machine T that accepts the same language as M by hardwiring

i i

the answers of the nite numb er of inputs not prop erly enco ded by A

A

We will use a nite injury argument For a given M we might not prop erly enco de

i

A

M on some nite numb er of inputs We will determine which inputs we will not prop erly

i

enco de as the construction happ ens making sure only that a nite numb er of inputs are not

A

prop erly enco ded For example supp ose we can set the enco ding strings of M strings of

i

A

the form i x r in order to make M improp er for i j Then we do not have to consider

j

A

M again Since there is only i machines with a lower index than i we can only set the

j

enco ding strings in this way for a nite numb er of times

We will enco de machines and inputs in order of input size For inputs of length n we will

enco de machines M M M Thus for machine i we will not enco de any of the

log log log n

i

nite numb er of inputs of size smaller than

A

For each M x we will either

i

A

Set enough of the oracle A to determine whether M x accepts and appropriately set

i

A

the enco ding strings of M x in A

i

A

Make M improp er

i

A

Make some M improp er for some j i

j

At all times we carefully set the oracle questions in A as to not use to o many enco ding

questions for any machine andor input except for nite injury in cases and

For each machine and input we will lo ok at its inuencing and simulating strings If a

machine dep ends on simulating strings of a higher indexed machine by the earlier argument

we can set these strings to make the machine improp er since we only changed strings of a

higher index we use the nite injury argument If a machine has simulating strings of a lower

index we recursively enco de those machinesnote we limit ourselves to log log log n indices

Ideally we would like to just set all the inuencing strings in A immediately Unfortunately

inuencing strings of dierent inputs may take up a large part of the enco ding strings of some

M x This may happ en during the recursion of simulating strings We show we only have to

i

worry ab out inuencing strings of enco dings of smaller inputs the others we will immediately

set We recursively enco de those machines showing the recursive depth can not b e to o deep

to prevent the enco ding of the original machine Note we never set the simulating strings of

a machine unless either we can make that machine improp er or we enco de a machine whose

enco ding strings are the simulating strings of another machine

For now we will make the following restriction on how M works We assume M do es not

i i

make oracle queries dep endent on the answers of previous queries In other words for any

given computation path M has a xed set of oracle queries to decide whether to accept or

i

i

reject This set can have at most jxj oracle queries the running time of M on x We will

i

show later how to extend this pro of to the general case where M s oracle queries can dep end

i

on previous queries

A

We enco de M x in two phases First we will determine which enco ding strings M x

i

i

A

x We do dep ends on Then we prop erly enco de these machines until we have enco ded M

i

this through use of a dep endency graph

Before we enco de any machines we set all oracle strings not used for enco ding to zero

Since we enco de in order of input size we have previously determined all of the following

oracle strings

Nonenco ding strings of the oracle

Enco ding strings of the form j y r for all j y and r such that j log log log jy j since

we only enco de the rst log log log n machines for inputs of length n

Enco ding strings of all inputs of size less than n jxj since these string have b een

previously enco ded

Enco ding strings of all machines previously made improp er

As we will see in this pro of we may have determined strings in A in addition to those listed

ab ove

Creating the Dep endency Graph

A

We will create a nite dependency graph to help us prop erly enco de M x The no des of the

i

dep endency graph represent a machine and an input Directed edges go from one machine

and input to another if the rst machine on that input asks oracle queries of enco ding strings

of the other machine and input No des will b e of the form j y representing machine M

j

on input y We call j the index of no de j y and y the input We dene an ordering of the

no des by j y k z if j k or j k and y z for some ordering of input strings such

that jy j jz j implies y z

In the simple case we assumed the dep endency graph had only self lo ops ie machines

and inputs only lo ok at their own enco ding strings If the dep endency graph had no cycles

we could prop erly enco de all the no des by enco ding the leaves and then work our way back

to the ro ot However the dep endency graph may have cycles in which case we will require

more work to pro cess this graph

A

To create the dep endency graph G for M x we rst start with the single no de i x

i

Let us place the graph on a two dimensional grid with indices increasing from left to right and

inputs increasing from b ottom to top We place i x in the lower right corner We expand a

no de j y by adding an edge to k z creating the no de if necessary if for some selection of

random coins M y asks an as yet undetermined enco ding string of M z We recursively

j k

expand no de k z if one of the following holds

k j ie no de k z is to the left of no de j y

k i and jz j jy j and jz j jw j for some no de l w of G with l k ie no de k z is

to the left of the original no de i x is b elow j y and is b elow some no de at least as

far right as k z We need this condition to prevent the indices from increasing without

b ound

We get the dep endency graph G by expanding the single no de i x We will see this graph

contains the structure of the recursive enco dings necessary to enco de M x A no de j y

i

depends on no de h z if there is an edge from j y to h z Likewise M y depends on

j

M z if j y dep ends on h z

h

Note that all no des of G represent machines with as yet undetermined enco ding strings

If j y is a no de of G then j log log log n and jy j n If j y is an expanded no de of

G other than i x then j i

log n

Lemma If j y G then jy j n

Pro of ATuring machine can not ask an oracle question longer than the amount of time it

log log log jz j

has to write it down If k z is a no de of G then M has running time at most jz j

k

since k log log log n and M runs in time at most n for inputs of size n By the denition of

k

G we only expand a no de with a larger input if the index is smaller If f j is the maximum

log log log f j

size of the inputs of all the no des of index at least j then f j f j We

know f i n since i x is the only expanded no de of G of index i We can b ound the

log n

recurrence using lemma to show f j n for all j such that j i Thus for all

log n

expanded no des j y jy j n Since we create unexpanded no des only from expanded

log n

no des we can actually show for all no des j y of G jy j n 2

Lemma Suppose we have a function f j with the fol lowing conditions

f i n for some i i log log log n

log log log f j

f j f j for al l j j i

log n

Then f j n for al l j j i

log n

Pro of By induction on j True for j i by assumption Assume f k n for all k

j k i We will show the lemma true for j

For all k with j k i

log n

log log log f k log log logn g n

f k f k f k f k

log n

for g n log log logn log log log n Then we have

log log log n ij

g n g n

n f j f i

by rep eatedly exp onentiating f i n by g n for i j times To b ound the exp onent we

note

log log log n

log g n log log log n log g n log log log n log log log log n log log n

log log log n log n

Thus g n log n and thus f j n 2

log n

Since we restrict the length of y b etween n and n and j b etween and log log log n

there can b e only a nite numb er of no des j y of G

Pro cessing the Dep endency Graph

A

x as describ ed ab ove we will pro cess each After we create the dep endency graph G for M

i

expanded no de j y of G from smallest no de to i x in the order also describ ed ab ove

p ossibly changing G at each step

As we pro cess each no de j y of G we will either

Set enough of the oracle A to determine M y We then enco de M y in A appropri

j j

ately with its unset enco ding strings We remove no de j y from G along with all its

asso ciated edges

Make M improp er At this p oint we stop trying to enco de M x invoking the nite

j i

injury argument since j i

Put no de j y on hold We will restructure the dep endency graph so j y only has

edges to no des k z with k j and jz j jy j

As we pro cess each no de j y of G all previously pro cessed no des not removed will b e

on hold These held no des dep end solely on a larger index or input than j y We will

combine no de j y with all the held no des it dep ends on into one single no de We will show

the probabilistic machine corresp onding to this no de can not have to o much p ower This

machine also dep ends solely on enco dings of a larger index or input We show we can apply

one of the three actions ab ove and then we pro cess the next no de When we pro cess no de

i x it can not b e put on hold b ecause jxj n and no no des of G have input of length less

A

than n We have then succeeded in enco ding M x or making it improp er or making some

i

machine with a smaller index improp er

When do es a no de k z b ecome unheld The no de k z b ecomes unheld when we enco de

all of the no des k z dep ends on However some of these no des might themselves b e put on

hold Supp ose k z dep ends on j y and we decide to put j y on hold ie M z dep ends

k

on M y which in turn dep ends on larger indices Clearly then M z dep ends only on what

j k

M y dep ends on Possibly k z never b ecomes unheld to achieve the goal of enco ding i x

j

We will keep the following invariant When we pro cess no de j y all held no des only have

edges to unpro cessed no des

We now give a more precise description of how we pro cess no de j y

y a new machine that combines M y with all the machines Convert M y to M

j j

j

related to the held no des j y dep ends on We describ e the combining pro cess b elow

y dep ends only We remove all edges from j y to the held no des The machine M

j

on enco dings relating to larger no des

A

We try to set the oracle to make M y accept with an improp er probability

j

y We argue If unsuccessful we examine the inuencing and simulating strings of M

j

A

that the simulating strings can not aect the output of M y and we remove the

j

related edges from G We set all the inuencing strings of enco dings of inputs at least

as long as y to zero also removing those edges from G

A

If there are no more inuencing strings then we have determined M y Prop erly

j

enco de the oracle Recompute every machine related to a held no de with an edge

to j y If we have now determined those machines prop erly enco de the oracle and

remove those no des from G Finally remove no de j y from G and all its remaining

asso ciated edges

If inuencing edges remain we then place no de j y on hold We combine every

y replacing edges to j y with edges to the machine with a hold on j y with M

j

inuencing no des of j y

We combine a machine M with a set of machines M as follows We simulate M cho osing

the random coin tosses at random When M asks an oracle query ab out the enco ding of a

machine M M we would like to resp ond with whether M accepts We could simulate

M and resp ond to the oracle query with the output of M However with any given set of

coin tosses M may ask several oracle queries and each simulation could fail with probability

up to one third Thus we could have a large probability of getting wrong answers on some

of the oracle queries Instead we simulate M n times indep endently and take the ma jority

answer which gives us an exp onentially small error If we can show the numb er of oracle

queries M can ask on any given set of coin tosses is much less than exp onential then M will

have a negligible probability of making a mistake on any computation path

We call this combined machine M If M runs in time f n and the maximal running

time of a machine in M is g n then an upp er b ound on the time of M is nf ng f n A

maximum of f n oracle queries of length at most f n each simulated n times

Since we only do O log log log n steps of combining on any given machine we can show

log n

using similar calculations as lemma that every M machine takes no more than O n

steps for every no de in the graph generated by i x with jxj n

n

Dene an inuencing string of an oracle as an oracle query that app ears on at least

of the paths

Lemma If M runs in time tn then for any given x of length n M x has at most

n

tn inuencing strings

n

inuencing Pro of Supp ose M x has c computation paths If M x has more than tn

strings then these inuencing strings account for more than ctn oracle queries However we

can have at most ctn oracle queries b ecause at most tn queries can b e asked on each of

the c computation paths 2

n

y for j y generated by i x will have more than inuencing strings for No M

j

n jxj

Note no simulating string can aect the probability of a machines acceptance by more

n

than Thus if the output of a machine dep ends on settings of the simulating strings

then we can make the machine improp er b ecause changing a single simulating string can not

change a machine from accepting to rejecting or vice versa

A

We need to show the oracle has ro om to enco de M y Let m jy j Recall we enco de

j

A m

M y in oracle strings of the form j y r where r can b e any of the strings of length

j

m If we used any of these strings to make a machine improp er then we set the remaining

enco ding strings to zero invoking the nite injury argument Notice the only other enco ding

strings of M y that have b een previously set are inuencing strings from machines on inputs

j

m

of length at most m These are log log log m machines each asking at most inuencing

m

strings on inputs of size at most m Inuencing strings take up a grand total of at

m m m

most log log log m of the enco ding strings of j y r less than of the enco ding

m

strings available The noninuencing strings consist of more than of the enco ding

A

strings available and thus we can prop erly enco de whether M x accepts

i

Generalizing the Pro of for All BPP Machines

We will give a sketch of the mo dications of this pro of necessary if we allow the probabilistic

machines to base their oracle queries on answers to previous oracle queries The computation

paths on a machine M will now contain branches b oth for coin tosses and oracle queries We

create G using all p ossible branches of b oth typ es When we work our way pro cessing each

no de j y of G we do the following

We create M j y as b efore

A

We will try all p ossible oracle settings of A to try to make M j y improp er If we

succeed then we longer need to continue pro cessing G

Lo ok at the machine where it takes oracle query branches as though they were zero

We argue the simulating strings of this mo del can not aect the output of the original

machine As b efore we set to zero inuencing strings of an enco ding of an input of

length at least jy j If there are other inuencing strings we will put the machine on

hold and combine the appropriate machines

We enco de j y In this case we may have intro duced ones into A We then recompute

as well as combine all machines that had a hold on j y

The remainder of the pro of follows as b efore

Other Results

Corollary BPP ZPTIMEn RTIMEn NTIMEn for some oracle A

Pro of Note in the pro of of the main theorem we only intro duce ones into the oracle when

we make a machine improp er or when we enco de a machine Except for a nite numb er

A A

of injuries if M x rejects then we will enco de M x entirely with zeros A lineartime

i i

machine that picks an enco ding string at random will never accept in this case so the oracle we

created actually collapses BPP to RTIMEn If BPP RTIMEn then BPP coRTIMEn

and thus BPP ZPTIMEn 2

Corollary For some oracle A BPP has linear size circuits

n

Pro of Fix a probabilistic machine M Lo ok at all inputs of length n For any i x r

i

n A

all but of the r s correctly enco de M x Thus there exists some r such that i x r

i

A

correctly enco des M x for all x of length n We can easily build a linear size circuit that

i

determines if i x r A 2

Theorem For some oracle A BPTIMEn

Pro of Let M M b e a list of machines ie p olynomialtime nondeterministic

machines with access to a NP oracle We set up the oracle A as in the pro of of the main

theorem but we enco de our machines in a dierent way

Lo ok at the computation of M x on undetermined oracle queries Using techniques of

i

Wilson W we note there exists a setting of p olynomial many oracle questions that determines

A A

M x We set the oracle in this way to determine M x We then enco de i x r prop erly

i i

n

There are log log log n machines on inputs each requiring at most a p olynomial numb er of

n

oracle queries to b e set We have hardly used any of the oracle questions available Thus

A

we will have no problem enco ding M x 2

i

Note RTIMEn under any oracle b ecause RTIMEn would imply NP

NTIMEn which contradicts Co oks result C

Theorem For some oracle B the class BPTIMEn does not contain DTIMEn

Pro of Let M M b e an enumeration of linear time probabilistic Turing machines

We can assume M runs in time at most in for inputs of length n In step i we do the

i

following

Let n i Set all strings of the oracle B of length less than n to zero Simulate

B n B

M on input The machine M can ask questions of length at most in n and thus is

i i

B n n

completely determined If M accepts with probability less than than we put in

i

n

B otherwise we leave out of B

n n

Let the language L f j B g A deterministic quadratic time machine with ac

cess to B can clearly accept L but the standard diagonalization argument shows no linear

probabilistic time machine can accept L 2

Under this oracle B BPTIMEn do es not contain either BPP or We can use a similar

argument to create oracles where NTIMEn do es not contain BPP and BPP do es not have

linear size circuits

Finally we will show the imp ossibili ty of simultaneously collapsing b oth BPP and NP to

probabilistic linear time even though we can do either individual ly

Theorem The fol lowing two statements can not both be true

BPP BPTIMEn

NP BPTIMEn

Pro of Assume b oth statements are true Then NP would b e contained in BPP By a result

of Zachos Z NP BPP implies the entire p olynomialtime hierarchy collapses to BPP

and thus to BPTIMEn Then all languages in the p olynomialtime hierarchy have n size

k

circuits which contradicts Kannans result K that do es not have n size circuits for

any xed k 2

Note this pro of relativizes thus no oracle A exists that collapses b oth BPP and NP to

probabilistic linear time even though we can collapse each individuall y

Any complexity class that contains b oth NP and BPP can not b e collapsed to BPTIMEn

In particular the set of all languages accepted by interactive pro of systems must contain

languages not recognizable in probabilistic linear time since IP contains b oth NP and BPP

Conclusions and Further Research

This chapter shows the collapse of b oth BPP and to b oth BPTIMEn and linear size

circuits with appropriate oracles Also can not b e collapsed to either BPTIMEn

or linear size circuits Probabilistic linear time do es not contain all languages accepted by

interactive pro of systems However it is unknown whether interactive pro of systems can

have linear size circuits We b elieve an oracle exists under which all languages accepted by

interactive pro of systems have linear size circuits

Ideally the questions in this pap er should b e resolved in the unrelativized world This

chapter shows solving such problems will b e hard but not necessarily imp ossible However it

would likely require new techniques to solve them We conjecture none of the collapses o ccur

in the unrelativized world

This thesis do es not address the original question stated in section Do interactive pro of

systems with a lineartime verier accept a strictly smaller set of languages than interactive

pro of systems with a p olynomialtime verier This question was the original motivation of

the research of this chapter but has remained unsolved

This chapter intro duces several techniques for oracle construction These metho ds may

b e useful in the construction of oracles for other problems

This chapter gives an example of how probabilistic computation app ears dierent than

deterministic and nondeterministic computation Perhaps there exist other results that may

help to understand the dierences and similarities in the nature of probabilistic computation

and other typ es of computation such as interactive pro of systems

Biblio graphy

AGH Aiello W S Goldwasser and J Hastad On the p ower of Interaction Combi

natorica to app ear Extended abstract available in Proc th FOCS pp

AH Aiello W and J Hastad Statistical ZeroKnowledge Languages can b e Recog

nized in Two Rounds JCSS to app ear Extended abstract available in Proc th

FOCS pp

AKLLR Aleliunas R R Karp R Lipton L Lovasz and C Racko Random Walks

Universal Transversal Sequences and the Complexity of Maze Problems Proc

th FOCS pp

B Babai L Trading Group Theory for Randomness Proc th STOC pp

BM Babai L and S Moran ArthurMerlin games A Randomized Pro of System and

a Hierarchy of Complexity Classes JCSS pp

BGS Baker T J Gill and R Solovay Relativizations of the P NP question SIAM

J Comput

BGKW BenOr M S Goldwasser J Kilian and A Wigderson MultiProver Interactive

Pro ofs How to Remove Intractability Assumptions Proc th STOC pp

A A A

BG Bennet C and J Gill Relative to a Random Oracle P NP coNP with

Probability One SIAM J Comput pp

BHZ Boppana R J Hastad and S Zachos Do es coNP Have Short Interactive

Pro ofs Information Processing Letters pp

BC Brassard G and C Crep eau NonTransitive Transfer of Condence A Perfect

ZeroKnowledge Interactive Proto col for SAT and Beyond Proc th FOCS

pp

CW Carter JL and MN Wegman Universal Classes of Hash Functions JCSS

pp

Co Condon A Computational Models of Games PhD Dissertation Department of

Computer Science University of Washington at Seattle

Co Condon A Space Bounded Probabilistic Game Automata proc rd Structure

in Complexity Theory Conf pp

CL Condon A and R Ladner Probabilistic Game Automata Proc st Structure

in Complexity Theory Conf pp

C Co ok S The Complexity of Theorem Proving Pro cedures Proc rd STOC

pp

C Co ok S A hierarchy for Nondeterministic Time Complexity JCSS

pp

DH Die W and M Hellman New Directions in Cryptography IEEE Trans on

Inform Theory IT pp

E Edmonds J Paths Trees and Flowers Canad Jour Math pp

Fe Feldman P The Optimum Prover Lives in PSPACE manuscript

FM Feldman P and S Micali Optimal Algorithms for Byzantine Agreement Proc

th STOC pp

Fo Fortnow L The Complexity of Perfect ZeroKnowledge In S Micali editor

Randomness and Computation Volume of Advances in Computing Research JAI

th

Press Extended Abstract available in Proc Symposium on Theory of

Computing pp

FRS Fortnow L J Romp el and M Sipser On the Power of MultiProver Interactive

r d

Proto cols Proc Structure in Complexity Theory Conference pp

FS Fortnow L and M Sipser Are There Interactive Proto cols for coNP Lan

guages Information Processing Letters NorthHolland pp

FS Fortnow L and M Sipser Probabilistic Computation and Linear Time Proc

st Symposium on Theory of Computing to app ear

GJ Garey M and D Johnson Computers and Intractability A Guide to the Theory

of NPCompleteness WH Freeman and Co

G Gill J Computation Complexity of Probabilistic Turing Machines SIAM J

Comp pp

GMS Goldreich O Y Mansour and M Sipser Interactive Pro of Systems Provers

that never Fail and Random Selection Proc th FOCS pp

GMW Goldreich O S Micali and A Wigderson Pro ofs that Yield Nothing But their

Validity and a Metho dology of Cryptographic Proto col Design Proc th FOCS

pp

GMW Go dreich O S Micali and A Wigderson How to Play any Mental Game Proc

th STOC pp

GMR Goldwasser S S Micali and C Racko The Knowledge Complexity of Inter

active Pro ofSystems SIAM Journal on Computing pp Ex

tended abstract available in Proc th STOC pp

GS Goldwasser S and M Sipser Private Coins versus Public Coins in Interactive

Pro of Systems In S Micali editor Randomness and Computation Volume

of Advances in Computing Research JAI Press to app ear Extended Abstract

available in Proc th STOC pp

HaS Hartmanis J and R Stearns On the Computational Complexity of Algorithms

Trans AMS pp

HeS Hennie F and R Stearns Twotap e Simulation of Multitap e Turing Machines

JACM pp

HU Hop croft J and J Ullman Intro dcution to Automata Theory Languages and

Computation AddisonWesley

I Immerman I Nondeterministic Space is Closed Under Complement Proc rd

Structure in Complexity Theory Conf pp

K Kannan R CircuitSize Lower Bounds and Nonreducibili ty to Sparse Sets In

formation and Control pp

Ka Karp R Reducibili ty among Combinatorial Problems in R Miller and J

Thatcher eds Complexity of Computer Computations Plenum Press pp

KV Karpinski M and R Verb eek Randomness Provability and the Separation of

Monte Carlo Time and Space LNCS pp

Ki Kilian J Uses of Randomness in Algorithms and Protocols PhD Dissertation

Massachusetts Institute of Technology

Ko Ko K Relativized Polynomial Time Hierarchies Having Exactly K Levels Proc

th STOC pp

L Ladner R The Circuit Value Problem is Log Space Complete for P SIGACT

News Jan pp

La Lautemann C BPP and the p olynomial hierarchy Information Processing Let

ters

NW Nisan N and A Wigderson Hardness vs Randomness Proc th FOCS

pp

PR Peterson G and J Reif MultiplePerson Alternation Proc th FOCS

pp

R Racko C Relativized Questions Involving Probabilistic Algorithms Proc th

STOC pp

RSA Rivest R A Shamir and L Adleman A Metho d for Obtaining Digital Signatures

and Public Key Cryptosystems CACM Feb pp

Sa Santha M Relativized ArthurMerlin versus MerlinArthur Games Information

and Computation pp

SFM Seiferas J M Fischer and A Meyer Separating Nondeterministic Time Com

plexity Classes JACM pp

Si Sipser M A Complexity Theoretic Approach to Randomness Proc th STOC

pp

SS Solovay S and V Strassen A Fast MonteCarlo Test for Primality SIAM J

Comp pp

St Sto ckmeyer L The Polynomialtime Hierarchy Theoretical Computer Science

pp

Su Sudb orough I Time and Tap e Bounded Auxiliary Pushdown Automata Math

ematical Foundations of Computer Science pp

Su Sudb orough I On the Tap e Complexity of Deterministic Context Free Lan

guages JACM pp

V Venkateswaran H Prop erties that Characterize LOGCFL Proc th STOC

pp

th

W Wilson C Relativized Circuit Complexity FOCS pp

Y Yao A Separating the PolynomialTime Hierarchy by Oracles Proc th

FOCS pp

Z Zachos S Probabilistic Quantiers Adversaries and Complexity Classes An

Overview In A Selman editor Proc st Structure in Complexity Theory Volume

of Lecture Notes in Computer Science SpringerVerlag pp