DOCSLIB.ORG

On Helping and Interactive Proof Systems

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
On Helping and Interactive Proof Systems On Helping and Interactive Pro of Systems V Arvind J Kobler R Schuler Department of Computer Science Theoretische Informatik Institute of Mathematical Sciences Universitat Ulm Madras India D Ulm Germany Abstract Weinvestigate the complexity of honest provers in interactive pro of systems This corresp onds precisely to the complexity of oracles helping the computation of robust probabilistic oracle machines We obtain upp er b ounds for languages in FewEXP and for sparse sets in NPFurther interactive proto cols with provers that are reducible to sets of low information content are considered Sp ecicallyiftheverier communicates p only with provers in Pp oly then the accepted language is lowfor In the case that the provers are p olynomialtime reducible to log sparse sets or to sets in strongPlog then the proto col can b e simulated bytheverier even without the help of provers As a consequence we obtain new collapse results under the assumption that intractable sets reduce to sets with low information content Intro duction and overview of results Two extensions of the concept of NP as the class of languages with ecient pro ofs of memb ership Co o namely the class IP of languages that have single prover interactive pro of proto cols and the class MIP of languages with multiprover interactiv e pro of proto cols formal denitions are given in the next section havebeenshown to characterize the complexity classes PSPACE and NEXP resp ectively Sh BFL In the interactive pro of system mo del of computation GMR one or more provers try to convince a probabilistic p olynomial time verier that a given input is a memb er of the considered language The proto col has the following b ehavior if an input is in the language then there are provers that convince the verier to accept with high probability On the other hand if the input is not in the language then no set of provers can convince the verier with more than negligible probability Arthur Merlin games intro duced in Bab are sp ecial cases of singleprover interactive pro of systems in which the random choices of the verier called Arthur are public and therefore visible to Merlin the prover In Bab it is shown that for any constant k ak round interaction AMk can b e substituted bya p two round proto col AM AM and that AM is contained in the second level of the p olynomial time hierarchy Here AMk denotes a k round interaction of messages b etween Arthur and Merlin where the rst message is from Arthur The class MA of languages Part of the work was done while visiting Universitat Ulm Supp orted in part by an Alexander von Humb oldt research fellowship accepted byatwo round proto col starting with a message from Merlin is an apparently smaller class than AM It turned out that the apparently restricted Arthur Merlin games mo del is as p owerful as the general interactive pro of systems In fact anyinteractive pro of system can b e simulated byanArthur Merlin game GS BM with only a constant increase in the numb er of rounds In general the notation AM is used to denote singleprover interactive pro of systems with a constantnumber of interaction whereas IP is used if there is no restriction Following the advances made in LFKN it was nally shown in Sh that PSPACE IP Subsequentlyitwas shown that multiprover interactive pro of systems can accept all of NEXP BFL Intuitively the multiprover mo del is more p owerful since the verier can use one prover to check that the answers of another prover do not dep end on previous queries made to him This is made precise in the pro of of Babai et al of the ab ove mentioned result where it is shown that a p olynomial number of provers can b e substituted bytwoprovers One prover answers all the queries of the original proto col and the second is only used to verify that the answers do not dep end on the history of interaction teractive pro of systems which is also the main An interesting issue that arises in in concern of this pap er is b ounding the complexity of the honest provers that make the verier accept a given language For example it is known Fe Sh that each language in PSPACE has an IP proto col with prover of complexity PSPACE The result of Lund PP et al LFKN implies that P has IP proto cols with prover complexity PP Similarly EXP has MIP proto cols of prover complexity EXP BFL Let IPC and MIPC denote resp ectively the class of languages with prover complexity b ounded by FPC ie the class of functions computable by p olynomialtime b ounded transducers with access to an oracle from the class C In this notation we summarize some of the known results on upp er b ounds for prover complexity Theorem Fe Sh PSPACE IPPSPACE PP LFKNP IPPP BF P IP P NP BFL NEXP MIPEXP BFL EXP MIPEXP A surprising application of Theorem to classical structural complexity is the follo wing corollary Corollary LFKN BFL For KfPP PSPACE EXPgifKPp oly then K MA p The ab ove result improves previously known collapses to under the same assumption obtained by Meyer Karp and Lipton KL This is particularly interesting since it is p under the assumption NP Pp oly KL cannot b e known that the collapse of PH to p improved to with relativizable pro of metho ds Hel and the LFKN proto col is known to b e not relativizable FS FRS The crux of the pro of of Corollary is as follows if K is contained in Pp oly then by Theorem every language in K has an MIP proto col in which the provers are p olynomial size circuits This proto col can b e simulated by an MA proto col where Merlin simply sends the circuits for the provers to Arthur in the rst round LFKN BFL We observe that the MA proto col in the ab ove pro ofsketch can b e seen as a single prover proto col with prover complexityinPpoly Thus we can identify the classes MIPPp oly and IP Ppoly of interactive pro of systems in which the provers are p olynomial size circuits MIPPp oly IPPp oly MA NP On the other hand in the case of NEXP the NEXP MIPEXP characterization do es not app ear to directly imply any signicant collapse of NEXP under the assumption NEXP Pp oly It is due to the very high upp er b ound on the prover complexityA related result has b een proved by Buhrman and Homer BH who showed that under a p NP NP stronger assumption EXP Pp oly it holds that EXP An imp ortant motivation of the present pap er is to explore further applications of characterizations of complexity classes using interactive pro of systems in order to derive new collapse consequences assuming that the considered class has p olynomial size circuits We note that in Babai et al BFL it is an op en question as to whether the upp er NP b ound of EXP for the prover complexity for NEXP can b e improved The reason for the apparently weak upp er b ound is that all provers must have access to the same tableau of an accepting NEXP computation To wit the high prover complexity is the cost of disambiguating down to one consistent NEXP computation As a rst step weshow that FewEXP languages accepted by NEXP machines that FewEXP have at most exp onentially many accepting paths are contained in MIPNP FewEXP Theorem FewEXP MIPNP FewEXP NP It is to b e noted that NP is a substantially smaller class of provers than EXP FewEXP NEXP Indeed since NP is known to b e contained in P Hem it follows that FewEXP MIPNEXP As a consequence of Theorem we can extend Corollary to the class K FewEXP Corollary If FewEXP Pp oly then FewEXP MA MIPPp oly As observ ed bySchoning Sch there is a close relationship b etween the complexityof provers in interactive pro of systems and the complexity of oracles helping the computation of robust oracle machines A machine M is called robust if LM LM Bforall oracles B and an oracle A onesided helps the computation of M if M with oracle A runs in p olynomial time on all inputs x resp x LM The notion of helping by robust deterministic oracle machines was intro duced bySchoning Sch and was extended to onesided helping byKoKo In a sense the notion of helping by robust machines was a forerunner to the concept of interactive pro of systems Indeed it follows from the probabilistic oracle machine characterization of MIP in FRS that the class MIPC coincides with the class BPP C of languages accepted by probabilistic robust help machines with the onesided help of an oracle from C With this interpretation Theorem FewEXP shows that NP oracles are able to give onesided help to the computation of languages in FewEXP On the other hand the inclusion MIPPp oly MA can b e interpreted as stating that oracles in Pp oly cannot help the computation of languages outside MA An interesting op en question is whether Pp oly provers are useful at all ie whether MIPPp oly contains sets that are not in BPP As follows from the next theorem settling this question is likely to b e very hard since a negative answer would imply that all sparse NP sets are already in BPP which in turn implies that NE is contained in BPE known to b e false in relativized worlds Theorem All sparse NP sets are contained in P Ppoly help In Koitisshown that every set A accepted by a robust deterministic oracle machine p with the onesided help of an oracle from Pp oly ie A P Pp oly is lowfor help Since P Ppoly MIPPp oly the following theorem extends b oth the ab ove help p mentioned result of Ko and the lowness of BPP for Sip ZHSch p Theorem MIPPp oly is low for Considering MIP proto cols with provers reducible to sets of very low information content eg to sets in strongPlog or to log sparse sets we show that such provers cannot help the
Load more

Recommended publications
  • CS601 DTIME and DSPACE Lecture 5 Time and Space Functions: T, S
    CS601 DTIME and DSPACE Lecture 5 Time and Space functions: t, s : N → N+ Definition 5.1 A set A ⊆ U is in DTIME[t(n)] iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. A = L(M) ≡ w ∈ U M(w)=1 , and 2. ∀w ∈ U, M(w) halts within c · t(|w|) steps. Definition 5.2 A set A ⊆ U is in DSPACE[s(n)] iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. A = L(M), and 2. ∀w ∈ U, M(w) uses at most c · s(|w|) work-tape cells. (Input tape is “read-only” and not counted as space used.) Example: PALINDROMES ∈ DTIME[n], DSPACE[n]. In fact, PALINDROMES ∈ DSPACE[log n]. [Exercise] 1 CS601 F(DTIME) and F(DSPACE) Lecture 5 Definition 5.3 f : U → U is in F (DTIME[t(n)]) iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. f = M(·); 2. ∀w ∈ U, M(w) halts within c · t(|w|) steps; 3. |f(w)|≤|w|O(1), i.e., f is polynomially bounded. Definition 5.4 f : U → U is in F (DSPACE[s(n)]) iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. f = M(·); 2. ∀w ∈ U, M(w) uses at most c · s(|w|) work-tape cells; 3. |f(w)|≤|w|O(1), i.e., f is polynomially bounded. (Input tape is “read-only”; Output tape is “write-only”.
    [Show full text]
  • The Complexity of Space Bounded Interactive Proof Systems
    The Complexity of Space Bounded Interactive Proof Systems ANNE CONDON Computer Science Department, University of Wisconsin-Madison 1 INTRODUCTION Some of the most exciting developments in complexity theory in recent years concern the complexity of interactive proof systems, defined by Goldwasser, Micali and Rackoff (1985) and independently by Babai (1985). In this paper, we survey results on the complexity of space bounded interactive proof systems and their applications. An early motivation for the study of interactive proof systems was to extend the notion of NP as the class of problems with efficient \proofs of membership". Informally, a prover can convince a verifier in polynomial time that a string is in an NP language, by presenting a witness of that fact to the verifier. Suppose that the power of the verifier is extended so that it can flip coins and can interact with the prover during the course of a proof. In this way, a verifier can gather statistical evidence that an input is in a language. As we will see, the interactive proof system model precisely captures this in- teraction between a prover P and a verifier V . In the model, the computation of V is probabilistic, but is typically restricted in time or space. A language is accepted by the interactive proof system if, for all inputs in the language, V accepts with high probability, based on the communication with the \honest" prover P . However, on inputs not in the language, V rejects with high prob- ability, even when communicating with a \dishonest" prover. In the general model, V can keep its coin flips secret from the prover.
    [Show full text]
  • Lecture 14 (Feb 28): Probabilistically Checkable Proofs (PCP) 14.1 Motivation: Some Problems and Their Approximation Algorithms
    CMPUT 675: Computational Complexity Theory Winter 2019 Lecture 14 (Feb 28): Probabilistically Checkable Proofs (PCP) Lecturer: Zachary Friggstad Scribe: Haozhou Pang 14.1 Motivation: Some problems and their approximation algorithms Many optimization problems are NP-hard, and therefore it is unlikely to efficiently find optimal solutions. However, in some situations, finding a provably good-enough solution (approximation of the optimal) is also acceptable. We say an algorithm is an α-approximation algorithm for an optimization problem iff for every instance of the problem it can find a solution whose cost is a factor of α of the optimum solution cost. Here are some selected problems and their approximation algorithms: Example: Min Vertex Cover is the problem that given a graph G = (V; E), the goal is to find a vertex cover C ⊆ V of minimum size. The following algorithm gives a 2-approximation for Min Vertex Cover: Algorithm 1 Min Vertex Cover Algorithm Input: Graph G = (V; E) Output: a vertex cover C of G. C ; while some edge (u; v) has u; v2 = C do C C [ fu; vg end while return C Claim 1 Let C∗ be an optimal solution, the returned solution C satisfies jCj ≤ 2jC∗j. Proof. Let M be the edges considered by the algorithm in the loop, we have jCj = 2jMj. Also, jC∗j covers M and no two edges in M share an endpoint (M is a matching), so jC∗j ≥ jMj. Therefore, jCj = 2jMj ≤ 2jC∗j. Example: Max SAT is the problem that given a CNF formula, the goal is to find a assignment that satisfies as many clauses as possible.
    [Show full text]
  • The Complexity Zoo
    The Complexity Zoo Scott Aaronson www.ScottAaronson.com LATEX Translation by Chris Bourke [email protected] 417 classes and counting 1 Contents 1 About This Document 3 2 Introductory Essay 4 2.1 Recommended Further Reading ......................... 4 2.2 Other Theory Compendia ............................ 5 2.3 Errors? ....................................... 5 3 Pronunciation Guide 6 4 Complexity Classes 10 5 Special Zoo Exhibit: Classes of Quantum States and Probability Distribu- tions 110 6 Acknowledgements 116 7 Bibliography 117 2 1 About This Document What is this? Well its a PDF version of the website www.ComplexityZoo.com typeset in LATEX using the complexity package. Well, what’s that? The original Complexity Zoo is a website created by Scott Aaronson which contains a (more or less) comprehensive list of Complexity Classes studied in the area of theoretical computer science known as Computa- tional Complexity. I took on the (mostly painless, thank god for regular expressions) task of translating the Zoo’s HTML code to LATEX for two reasons. First, as a regular Zoo patron, I thought, “what better way to honor such an endeavor than to spruce up the cages a bit and typeset them all in beautiful LATEX.” Second, I thought it would be a perfect project to develop complexity, a LATEX pack- age I’ve created that defines commands to typeset (almost) all of the complexity classes you’ll find here (along with some handy options that allow you to conveniently change the fonts with a single option parameters). To get the package, visit my own home page at http://www.cse.unl.edu/~cbourke/.
    [Show full text]
  • The Polynomial Hierarchy
    ij 'I '""T', :J[_ ';(" THE POLYNOMIAL HIERARCHY Although the complexity classes we shall study now are in one sense byproducts of our definition of NP, they have a remarkable life of their own. 17.1 OPTIMIZATION PROBLEMS Optimization problems have not been classified in a satisfactory way within the theory of P and NP; it is these problems that motivate the immediate extensions of this theory beyond NP. Let us take the traveling salesman problem as our working example. In the problem TSP we are given the distance matrix of a set of cities; we want to find the shortest tour of the cities. We have studied the complexity of the TSP within the framework of P and NP only indirectly: We defined the decision version TSP (D), and proved it NP-complete (corollary to Theorem 9.7). For the purpose of understanding better the complexity of the traveling salesman problem, we now introduce two more variants. EXACT TSP: Given a distance matrix and an integer B, is the length of the shortest tour equal to B? Also, TSP COST: Given a distance matrix, compute the length of the shortest tour. The four variants can be ordered in "increasing complexity" as follows: TSP (D); EXACTTSP; TSP COST; TSP. Each problem in this progression can be reduced to the next. For the last three problems this is trivial; for the first two one has to notice that the reduction in 411 j ;1 17.1 Optimization Problems 413 I 412 Chapter 17: THE POLYNOMIALHIERARCHY the corollary to Theorem 9.7 proving that TSP (D) is NP-complete can be used with DP.
    [Show full text]
  • Collapsing Exact Arithmetic Hierarchies
    Electronic Colloquium on Computational Complexity, Report No. 131 (2013) Collapsing Exact Arithmetic Hierarchies Nikhil Balaji and Samir Datta Chennai Mathematical Institute fnikhil,[email protected] Abstract. We provide a uniform framework for proving the collapse of the hierarchy, NC1(C) for an exact arith- metic class C of polynomial degree. These hierarchies collapses all the way down to the third level of the AC0- 0 hierarchy, AC3(C). Our main collapsing exhibits are the classes 1 1 C 2 fC=NC ; C=L; C=SAC ; C=Pg: 1 1 NC (C=L) and NC (C=P) are already known to collapse [1,18,19]. We reiterate that our contribution is a framework that works for all these hierarchies. Our proof generalizes a proof 0 1 from [8] where it is used to prove the collapse of the AC (C=NC ) hierarchy. It is essentially based on a polynomial degree characterization of each of the base classes. 1 Introduction Collapsing hierarchies has been an important activity for structural complexity theorists through the years [12,21,14,23,18,17,4,11]. We provide a uniform framework for proving the collapse of the NC1 hierarchy over an exact arithmetic class. Using 0 our method, such a hierarchy collapses all the way down to the AC3 closure of the class. 1 1 1 Our main collapsing exhibits are the NC hierarchies over the classes C=NC , C=L, C=SAC , C=P. Two of these 1 1 hierarchies, viz. NC (C=L); NC (C=P), are already known to collapse ([1,19,18]) while a weaker collapse is known 0 1 for a third one viz.
    [Show full text]
  • On the Power of Parity Polynomial Time Jin-Yi Cai1 Lane A
    On the Power of Parity Polynomial Time Jin-yi Cai1 Lane A. Hemachandra2 December. 1987 CUCS-274-87 I Department of Computer Science. Yale University, New Haven. CT 06520 1Department of Computer Science. Columbia University. New York. NY 10027 On the Power of Parity Polynomial Time Jin-yi Gaia Lane A. Hemachandrat Department of Computer Science Department of Computer Science Yale University Columbia University New Haven, CT 06520 New York, NY 10027 December, 1987 Abstract This paper proves that the complexity class Ef)P, parity polynomial time [PZ83], contains the class of languages accepted by NP machines with few ac­ cepting paths. Indeed, Ef)P contains a. broad class of languages accepted by path-restricted nondeterministic machines. In particular, Ef)P contains the polynomial accepting path versions of NP, of the counting hierarchy, and of ModmNP for m > 1. We further prove that the class of nondeterministic path-restricted languages is closed under bounded truth-table reductions. 1 Introduction and Overview One of the goals of computational complexity theory is to classify the inclusions and separations of complexity classes. Though nontrivial separation of complexity classes is often a challenging problem (e.g. P i: NP?), the inclusion structure of complexity classes is progressively becoming clearer [Sim77,Lau83,Zac86,Sch87]. This paper proves that Ef)P contains a broad range of complexity classes. 1.1 Parity Polynomial Time The class Ef)P, parity polynomial time, was defined and studied by Papadimitriou and . Zachos as a "moderate version" of Valiant's counting class #P . • Research supported by NSF grant CCR-8709818. t Research supported in part by a Hewlett-Packard Corporation equipment grant.
    [Show full text]
  • The Weakness of CTC Qubits and the Power of Approximate Counting
    The weakness of CTC qubits and the power of approximate counting Ryan O'Donnell∗ A. C. Cem Sayy April 7, 2015 Abstract We present results in structural complexity theory concerned with the following interre- lated topics: computation with postselection/restarting, closed timelike curves (CTCs), and approximate counting. The first result is a new characterization of the lesser known complexity class BPPpath in terms of more familiar concepts. Precisely, BPPpath is the class of problems that can be efficiently solved with a nonadaptive oracle for the Approximate Counting problem. Similarly, PP equals the class of problems that can be solved efficiently with nonadaptive queries for the related Approximate Difference problem. Another result is concerned with the compu- tational power conferred by CTCs; or equivalently, the computational complexity of finding stationary distributions for quantum channels. Using the above-mentioned characterization of PP, we show that any poly(n)-time quantum computation using a CTC of O(log n) qubits may as well just use a CTC of 1 classical bit. This result essentially amounts to showing that one can find a stationary distribution for a poly(n)-dimensional quantum channel in PP. ∗Department of Computer Science, Carnegie Mellon University. Work performed while the author was at the Bo˘gazi¸ciUniversity Computer Engineering Department, supported by Marie Curie International Incoming Fellowship project number 626373. yBo˘gazi¸ciUniversity Computer Engineering Department. 1 Introduction It is well known that studying \non-realistic" augmentations of computational models can shed a great deal of light on the power of more standard models. The study of nondeterminism and the study of relativization (i.e., oracle computation) are famous examples of this phenomenon.
    [Show full text]
  • Independence of P Vs. NP in Regards to Oracle Relativizations. · 3 Then
    Independence of P vs. NP in regards to oracle relativizations. JERRALD MEEK This is the third article in a series of four articles dealing with the P vs. NP question. The purpose of this work is to demonstrate that the methods used in the first two articles of this series are not affected by oracle relativizations. Furthermore, the solution to the P vs. NP problem is actually independent of oracle relativizations. Categories and Subject Descriptors: F.2.0 [Analysis of Algorithms and Problem Complex- ity]: General General Terms: Algorithms, Theory Additional Key Words and Phrases: P vs NP, Oracle Machine 1. INTRODUCTION. Previously in “P is a proper subset of NP” [Meek Article 1 2008] and “Analysis of the Deterministic Polynomial Time Solvability of the 0-1-Knapsack Problem” [Meek Article 2 2008] the present author has demonstrated that some NP-complete problems are likely to have no deterministic polynomial time solution. In this article the concepts of these previous works will be applied to the relativizations of the P vs. NP problem. It has previously been shown by Hartmanis and Hopcroft [1976], that the P vs. NP problem is independent of Zermelo-Fraenkel set theory. However, this same discovery had been shown by Baker [1979], who also demonstrates that if P = NP then the solution is incompatible with ZFC. The purpose of this article will be to demonstrate that the oracle relativizations of the P vs. NP problem do not preclude any solution to the original problem. This will be accomplished by constructing examples of five out of the six relativizing or- acles from Baker, Gill, and Solovay [1975], it will be demonstrated that inconsistent relativizations do not preclude a proof of P 6= NP or P = NP.
    [Show full text]
  • IBM Research Report Derandomizing Arthur-Merlin Games And
    H-0292 (H1010-004) October 5, 2010 Computer Science IBM Research Report Derandomizing Arthur-Merlin Games and Approximate Counting Implies Exponential-Size Lower Bounds Dan Gutfreund, Akinori Kawachi IBM Research Division Haifa Research Laboratory Mt. Carmel 31905 Haifa, Israel Research Division Almaden - Austin - Beijing - Cambridge - Haifa - India - T. J. Watson - Tokyo - Zurich LIMITED DISTRIBUTION NOTICE: This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g. , payment of royalties). Copies may be requested from IBM T. J. Watson Research Center , P. O. Box 218, Yorktown Heights, NY 10598 USA (email: [email protected]). Some reports are available on the internet at http://domino.watson.ibm.com/library/CyberDig.nsf/home . Derandomization Implies Exponential-Size Lower Bounds 1 DERANDOMIZING ARTHUR-MERLIN GAMES AND APPROXIMATE COUNTING IMPLIES EXPONENTIAL-SIZE LOWER BOUNDS Dan Gutfreund and Akinori Kawachi Abstract. We show that if Arthur-Merlin protocols can be deran- domized, then there is a Boolean function computable in deterministic exponential-time with access to an NP oracle, that cannot be computed by Boolean circuits of exponential size. More formally, if prAM ⊆ PNP then there is a Boolean function in ENP that requires circuits of size 2Ω(n).
    [Show full text]
  • Probabilistic Proof Systems: a Primer
    Probabilistic Proof Systems: A Primer Oded Goldreich Department of Computer Science and Applied Mathematics Weizmann Institute of Science, Rehovot, Israel. June 30, 2008 Contents Preface 1 Conventions and Organization 3 1 Interactive Proof Systems 4 1.1 Motivation and Perspective ::::::::::::::::::::::: 4 1.1.1 A static object versus an interactive process :::::::::: 5 1.1.2 Prover and Veri¯er :::::::::::::::::::::::: 6 1.1.3 Completeness and Soundness :::::::::::::::::: 6 1.2 De¯nition ::::::::::::::::::::::::::::::::: 7 1.3 The Power of Interactive Proofs ::::::::::::::::::::: 9 1.3.1 A simple example :::::::::::::::::::::::: 9 1.3.2 The full power of interactive proofs ::::::::::::::: 11 1.4 Variants and ¯ner structure: an overview ::::::::::::::: 16 1.4.1 Arthur-Merlin games a.k.a public-coin proof systems ::::: 16 1.4.2 Interactive proof systems with two-sided error ::::::::: 16 1.4.3 A hierarchy of interactive proof systems :::::::::::: 17 1.4.4 Something completely di®erent ::::::::::::::::: 18 1.5 On computationally bounded provers: an overview :::::::::: 18 1.5.1 How powerful should the prover be? :::::::::::::: 19 1.5.2 Computational Soundness :::::::::::::::::::: 20 2 Zero-Knowledge Proof Systems 22 2.1 De¯nitional Issues :::::::::::::::::::::::::::: 23 2.1.1 A wider perspective: the simulation paradigm ::::::::: 23 2.1.2 The basic de¯nitions ::::::::::::::::::::::: 24 2.2 The Power of Zero-Knowledge :::::::::::::::::::::: 26 2.2.1 A simple example :::::::::::::::::::::::: 26 2.2.2 The full power of zero-knowledge proofs ::::::::::::
    [Show full text]
  • On Beating the Hybrid Argument∗
    THEORY OF COMPUTING, Volume 9 (26), 2013, pp. 809–843 www.theoryofcomputing.org On Beating the Hybrid Argument∗ Bill Fefferman† Ronen Shaltiel‡ Christopher Umans§ Emanuele Viola¶ Received February 23, 2012; Revised July 31, 2013; Published November 14, 2013 Abstract: The hybrid argument allows one to relate the distinguishability of a distribution (from uniform) to the predictability of individual bits given a prefix. The argument incurs a loss of a factor k equal to the bit-length of the distributions: e-distinguishability implies e=k-predictability. This paper studies the consequences of avoiding this loss—what we call “beating the hybrid argument”—and develops new proof techniques that circumvent the loss in certain natural settings. Our main results are: 1. We give an instantiation of the Nisan-Wigderson generator (JCSS 1994) that can be broken by quantum computers, and that is o(1)-unpredictable against AC0. We conjecture that this generator indeed fools AC0. Our conjecture implies the existence of an oracle relative to which BQP is not in the PH, a longstanding open problem. 2. We show that the “INW generator” by Impagliazzo, Nisan, and Wigderson (STOC’94) with seed length O(lognloglogn) produces a distribution that is 1=logn-unpredictable ∗An extended abstract of this paper appeared in the Proceedings of the 3rd Innovations in Theoretical Computer Science (ITCS) 2012. †Supported by IQI. ‡Supported by BSF grant 2010120, ISF grants 686/07,864/11 and ERC starting grant 279559. §Supported by NSF CCF-0846991, CCF-1116111 and BSF grant
    [Show full text]