sign in sign up
<<
Home , AC (complexity), CC (complexity), Complete (complexity), Complexity class, Computational resource, E (complexity)

App endix A

Glossary of

Classes

Summary This glossary includes selfcontained denitions of most

complexity classes mentioned in the b o ok Needless to say the glossary

oers a very minimal discussion of these classes and the reader is

ferred to the main text for further discussion The items are organized

by topics rather than by alphab etic order Sp ecically the glossary is

partitioned into two parts dealing separately with complexity classes

that are dened in terms of and their resources i time

and of Turing machines and complexity classes de

ned in terms of nonuniform circuits and referring to their size and

depth The algorithmic classes include timecomplexity based classes

such as P NP coNP BPP RP coRP PH E EXP and NEXP

and the space complexity classes NL RL and P S P AC E The non

k

uniform classes include the circuit classes P p oly as well as NC and

k

AC

Denitions and basic results regarding many other complexity classes are available

at the constantly evolving Complexity Zoo

A Preliminaries

Complexity classes are sets of computational problems where each class contains

problems that can b e solved with sp ecic computational resources To de a

one sp ecies a mo del of computation a complexity measure like

time or space which is always measured as a of the input length and a

b ound on the complexity of problems in the class

We follow the tradition of cusing on decision problems but refer to these

problems using the terminology of promise problems see Section That is

we will refer to the problem of distinguishing inputs in from inputs in

yes no

APPENDIX A GLOSSARY OF COMPLEXITY CLASSES

and denote the corresp onding by Standard

yes no

decision problems are viewed as a sp ecial case in which f g and

yes no

the standard formulation of complexity classes is obtained by p ostulating that this

is the case We refer to this case as the case of a trivial promise

The prevailing mo del of computation is that of Turing machines This mo del

captures the notion of uniform algorithms see Section Another imp ortant

mo del is the one of nonuniform circuits see Section The term uniformity

refers to whether the is the same one for every input length or whether

a dierent algorithm or rather a circuit is considered for each input length

We fo cus on natural complexity classes obtained by considering natural com

plexity measures and b ounds Typically these classes contain natural computa

tional problems which are dened in App endix G Furthermore almost of

these classes can b e characterized by natural problems which capture every

problem in the class Such problems are called for the class which means

that they are in the class and every problem in the class can b e easily reduced to

them where easily means that the takes less resources than whatever

seems to b e requires for solving each individual problem in the class Thus any

ecient algorithm for a complete problem implies an algorithm of similar eciency

for al l problems in the class

Organization The glossary is organized by topics rather than by alphab etic or

der of the various items Sp ecically we partition the glossary to classes dened in

terms of algorithmic resources ie time and space complexity of Turing machines

and classes dened in terms of circuit size and depth The former algorithm

based classes are reviewed in Section A while the latter circuitbased classes

are reviewed in Section A

A Algorithmbased classes

The two main complexity measures considered in the context of uniform algo

rithms are the number of steps taken by the algorithm ie its

and the amount of memory or workspace consumed by the computation ie

its space complexity We review the time complexity based classes P NP coNP

BPP RP coRP ZPP PH E EXP and NEXP as well as the space complexity

classes L NL RL and P S P AC E

By prep ending the name of a complexity class of decision problems with

the prex co we mean the class of problems that is the problem

is in coC if and only if is in C Sp ecically deciding

yes no no yes

membership in the S is in the class coC if and only if deciding membership in

the set f g n S is in the class C Thus the denition of coNP and coRP can

b e easily derived from the denitions of NP and RP resp ectively Complexity

classes dened in terms of symmetric acceptance criteria eg deterministic and

twosided error randomized classes are trivially closed under complementation

eg coP P and coBPP BPP and we do not present their coclasses

A ALGORITHMBASED CLASSES

In other cases most notably NL the closure prop erty is highly nontrivial and

we comment ab out it

A Time complexity classes

We start with classes that are closely related to p olynomialtime computations ie

P NP BPP RP and ZPP and latter consider the classes PH E EXP and

NEXP

A Classes closely related to p olynomial time

The most prominent complexity classes are P and NP which are extensively

discussed in Section We also consider classes related to randomized p olynomial

time which are discussed in Section

P and NP The class P consists of all decision problem that can b e solved in

deterministic p olynomialtime A decision problem is in NP

yes no

if there exists a p olynomial p and a deterministic p olynomialtime algorithm V

such that the following two conditions hold

pjxj

For every x there exists y f g such that V x y

yes

For every x and every y f g it holds that V x y

no

A string y satisfying Condition is called an NPwitness for x Clearly P NP

Reductions and NPcompleteness NPC A problem is NP complete if

it is in NP and every problem in NP is p olynomialtime reducible to it where

p olynomialtime reducibility is dened and discussed in Section Lo osely sp eak

ing a p olynomialtime reduction of problem to problem is a p olynomialtime

algorithm that solves by making queries to a subroutine that solves problem

where the runningtime of the subroutine is not counted in the algorithms time

complexity Typically NPcompleteness is dened while restricting the reduction

to make a single query and output its answer Such a reduction called a Karp

reduction is represented by a p olynomialtime computable mapping that maps

yesinstances of to yesinstances of and noinstances of to noinstances of

Hundreds of NPcomplete problems are listed in

Probabilistic p olynomialtime BPP RP and ZPP A decision problem

is in BPP if there exists a probabilistic p olynomialtime algorithm

yes no

A such that the following two conditions hold

For every x it holds that Pr Ax

yes

For every x it holds that Pr Ax no

APPENDIX A GLOSSARY OF COMPLEXITY CLASSES

That is the algorithm has twosided error probability of which can b e further

reduced by rep etitions We stress that due to the twosided error probability of

BPP it is not known whether or not BPP is contained in NP In addition to

the twosided error class BPP we consider onesided error and zeroerror classes

denoted RP and ZPP resp ectively A problem is in RP if there

yes no

exists a probabilistic p olynomialtime algorithm A such that the following two

conditions hold

For every x it holds that Pr Ax

yes

For every x it holds that Pr Ax

no

Again the error probability can b e reduced by rep etitions and thus RP BPP

NP A problem is in ZPP if there exists a probabilistic p olynomial

yes no

time algorithm A which may output a sp ecial dont know symbol such that

the following two conditions hold

For every x it holds that Pr Ax f g and Pr Ax

yes

For every x it holds that Pr Ax f g and Pr Ax

no

Note that P ZPP RP coRP When dened in terms of promise problems

all the aforementioned randomized classes have complete problems wt Karp

reductions but the same is not known when considering only standard decision

problems with trivial promise

The counting class P Functions in P count the number of solutions to

an NPtype search problem or equivalently the number of NPwitnesses for a

yesinstance of a decision problem in NP Formally a function f is in P if there

exists a p olynomial p and a deterministic p olynomialtime algorithm V such that

pjxj

f x jfy f g V x y gj Indeed p and V are as in the denition

of NP and it follows that deciding membership in the set fx f x g is in

NP Clearly P problems are solvable in p olynomial space Surprisingly the

p ermanent of p ositive integer matrices is P complete ie it is in P and any

function in P is p olynomialtime reducible to it

Interactive pro ofs A decision problem has an interactive proof

yes no

system if there exists a p olynomialtime strategy V such that the following two

conditions hold

For every x there exists a prover strategy P such that the verier V

yes

always accepts after interacting with the prover P on common input x

For every x and every strategy P the verier V rejects with proba

no

after interacting with P on common input x bility at least

The corresp onding class is denoted IP and turns out to equal P S P AC E For

further details see Section

A ALGORITHMBASED CLASSES

A Other time complexity classes

The classes E and EXP corresp onding to problems that can b e solved by a deter

O n p olyn

ministic algorithm in time and resp ectively for nbit long inputs

Clearly NP EXP We also mention NEXP the class of problems that can b e

p olyn

solved by a nondeterministic machine in steps

In general one may dene a complexity class for every time b ound and ev

ery type of machine ie deterministic probabilistic and nondeterministic but

p olynomial and exp onential b ounds seem most natural and very robust Another

e

robust type of time b ounds that is sometimes used is quasip olynomial time ie P

denotes the class of problems solvable by deterministic machines of time complexity

expp oly log n

th

The time hierarchy PH For any k the k level

of the p olynomialtime hierarchy consists of problems such that

yes no

there a p olynomial p and a p olynomialtime algorithm V that satises the following

two requirements

pjxj

For every x there exists y f g such that for every y

yes

pjxj pjxj pjxj

f g there exists y f g such that for every y f g

it holds that V x y y y y y That is the condition regarding x

k

consists of k alternating quantiers

For every x the foregoing k alternating condition do es not hold

no

pjxj pjxj

That is for every y f g there exists y f g such that

pjxj pjxj

for every y f g there exists y f g it holds that

V x y y y y y

k

def

co Indeed NP Such a problem is said to b e in and

k k k

corresp onds to the sp ecial case where k Interestingly PH is p olynomialtime

reducible to P

A Space complexity

When dening spacecomplexity classes one counts only the space consumed by

the actual computation and not the space o ccupied by the input and output This

is formalized by p ostulating that the input is read from a readonly device resp

the output is written on a writeonly device Four imp ortant classes of decision

problems are dened next

Alternatively analogously to the denition of NP a problem is in NEXP

yes no

if there exists a p olynomial p and a p olynomialtime algorithm V such that the two conditions

hold

pjxj

For every x there exists y f g such that V x y

yes

For every x and every y f g it holds that V x y no

APPENDIX A GLOSSARY OF COMPLEXITY CLASSES

The class L consists of problems solvable in logarithmic space That is a

problem is in L if there exists a standard ie deterministic algorithm of

logarithmic spacecomplexity for solving This class contains some simple

computational problems eg matrix multiplication and arguably captures

the most spaceecient computations Interestingly L contains the problem

of deciding connectivity of undirected graphs

Classes of problems solvable by randomized algorithms of logarithmic space

complexity include RL and BPL which are dened analogously to RP and

BPP That is RL corresp onds to algorithms with onesided error probabil

ity whereas BPL allows twosided error

The class NL is the nondeterministic analogue of L and is traditionally de

ned in terms of nondeterministic machines of logarithmic spacecomplexity

The class NL contains the problem of deciding whether there exists a directed

path b etween two given vertexes in a given directed graph In fact the lat

ter problem is complete for the class under logarithmicspace reductions

Interestingly coNL equals NL

The class P S P AC E consists of problems solvable in p olynomial space This

class contains very dicult problems including the computation of winning

strategies for any ecient party games see Section

Clearly L RL NL P and NP P S P AC E EXP

A Circuitbased classes

We refer the reader to Section for a denition of Bo olean circuits as computing

devices The two main complexity measures considered in the context of non

uniform circuits are the number of gates or wires in the circuit ie the circuits

size and the length of the longest directed path from an input to an output ie

the circuits depth

Throughout this section when we talk of circuits we actually refer to families of

circuits containing a circuit for each instance length where the nbit long instances

th

of the are handled by the n circuit in the family Similarly

when we talk of the size and depth of a circuit we actually mean the dep endence

th

on n of the size and depth of the n circuit in the family

General p olynomialsize circuits Pp oly The main motivation for the in

tro duction of complexity classes based on nonuniform circuits is the development

of lowerbounds For example the class of problems solvable by p olynomialsize

circuits denoted P p oly is a strict sup erset of P Thus showing that NP

is not contained in P p oly would imply P NP For further discussion see

See further discussion of this denition in Section

In particular P p oly contains some decision problems that are not solvable by any uniform algorithm

A CIRCUITBASED CLASSES

App endix B An alternative denition of P p oly in terms of machines that

take is provided in Section We mention that if NP P p oly then

PH

The sub classes AC and TC The class AC discussed in App endix B

consists of problems solvable by constantdepth p olynomialsize circuits of un

bounded fanin The analogue class that allows also unbounded fanin ma jority

gates or equivalently thresholdgates is denoted T C

The sub classes AC and NC Turning back to the standard basis of

k k

and gates for any nonnegative integer k we denote by NC resp AC

the class of problems solvable by p olynomialsize circuits of bounded fanin resp

k

unbounded fanin having depth O log n where n is the input length Clearly

def

k k k k

NC AC NC A commonly referred class is NC NC

k N

We mention that the class NC NL is the habitat of most natural compu

tational problems of Linear Algebra solving a linear system of equations as well

as computing the rank inverse and determinant of a matrix The class NC con

tains all symmetric functions regular languages as well as word problems for nite

groups and monoids The class AC contains all prop erties of nite ob jects that

are expressible by rstorder

Uniformity The foregoing classes make no reference to the complexity of con

structing the adequate circuits and it is plausible that there is no eective way of

constructing these circuits eg as in case of circuits that trivially solve undecid

able problem regarding unary instances A minimal notion of constructibility of

such p olynomialsize circuits is the existence of a p olynomial time algorithm that

n th

given pro duces the n relevant circuit ie the circuit that solves the problem

on instances of length n Such a notion of constructibility means that the family

of circuits is uniform in some sense rather than consisting of circuits that have

no relation b etween one another Stronger notions of uniformity eg logspace

constructibility are more adequate for sub classes such as AC and NC We men

tion that logspace uniform NC circuits corresp ond to parallel algorithms that use

p olynomially many pro cessors and run in p olylogarithmic time

APPENDIX A GLOSSARY OF COMPLEXITY CLASSES

App endix B

On the Quest for Lower

Bounds

Alas Philosophy Medicine Law and unfortunately also Theol

ogy have I studied in detail and still remained a fo ol not a bit

wiser than b efore Magister and even Do ctor am I called and

for a decade am I sick and tired of pulling my pupils by the nose

and understanding that we can know nothing

JW Go ethe Faust Lines

Summary This app endix briey surveys some attempts at proving

lower b ounds on the complexity of natural computational problems In

the rst part devoted to we describ e lower b ounds

on the size of restricted circuits that solve natural computational

problems This can b e viewed as a program whose longterm goal is

proving that P NP In the second part devoted to Pro of Complex

ity we describ e lower b ounds on the length of restricted prop ositional

pro ofs of natural tautologies This can b e viewed as a program whose

longterm goal is proving that NP coNP

We comment that while the activity in these areas is aimed towards

developing pro of techniques that may b e applied to the resolution of

the big problems such as P versus NP the current achievements

though very impressive seem very far from reaching this goal Cur

rent crownjewel achievements in these areas take the form of tight or

strong lower b ounds on the complexity of computing resp proving

relatively simple functions resp claims in restricted mo dels of com

putation resp pro of systems

This quote reects a common sentiment not shared by the author of the current b o ok

APPENDIX B ON THE QUEST FOR LOWER BOUNDS

B Preliminaries

Circuit complexity refers to a nonuniform mo del of computation see Section

fo cusing on the size of such circuits while ignoring the complexity of constructing

adequate circuits Similarly pro of complexity refers to pro ofs of tautologies fo cus

ing on the length of such pro ofs while ignoring the complexity of generating such

pro ofs

Both circuits and pro ofs are nite ob jects that are dened on top of the notion

of a dag reviewed in App endix G In such a dag vertices

with no incoming edges are called inputs vertices with no outgoing edges are called

outputs and the remaining vertices are called internal vertices The size of a dag

is dened as the number of its edges We will b e mostly interested in dags of

b ounded fanin ie for each vertex the number of incoming edges is at most

two

In order to convert a dag into a computational device resp a pro of each

internal vertex is lab eled by a rule which transforms values assigned to its prede

cessors to values at that vertex Combined with any p ossible assignment of values

to the inputs these xed rules induce an assignment of values to all the vertices of

the dag by a pro cess that starts at the inputs and assigns a value to each vertex

based on the values of its predecessors and according to the corresp onding rule

In the case of computation devices the internal vertices are lab eled by binary

or unary functions over some xed domain eg a nite or innite eld

These functions are called gates and the lab eled dag is called a circuit Such

a circuit with n inputs and m outputs computes a nite function over the

corresp onding domain mapping sequences of length n to sequences of length

m

In the case of pro ofs the internal vertices are lab eled by sound deduction

or inference rules of some xed pro of system Any assignment of axioms

of the said system to the inputs of this lab eled dag yields a sequence of

tautologies at all vertices Typically the dag is assumed to have a single

output vertex and the corresp onding sequence of tautologies is viewed as a

proof of the tautology assigned to the output

We note that b oth mo dels partially adhere to the paradigm of simplicity that

underlies the denitions of uniform computational mo dels as discussed in Sec

tion the aforementioned rules are simple by denition they are applied to

at most two values However unlike in the case of uniform computational mo d

els the current mo dels do not mandate a uniform consideration of all p ossible

inputs but rather allow a sep erate consideration of each nite input length

For example each circuit can compute only a nite function that is a function

dened over a xed number of values ie xed input length Likewise a dag

that corresp onds to a pro of system yields only pro ofs of tautologies that refer to

a xed number of axioms

NB we refer to a xed number of axioms and not merely to a xed number of axiom forms

B COMPLEXITY

Focusing on circuits we note that in order to allow the computation of func

tions that are dened for all input lengths one must consider innite sequences

of dags one for each length This yields a mo del of computation in which each

machine has an innite description when referring to all input lengths Indeed

this signicantly extends the p ower of the computation mo del b eyond that of the

notion of algorithm discussed in Section However since we are interested

in lower b ounds here this extension is certainly legitimate and hop efully fruitful

For example one may hop e that the niteness of the individual circuits will facili

tate the application of combinatorial techniques towards the analysis of the mo dels

p ower and limitations Furthermore as we shall see these mo dels op en the do or

to the introduction and study of meaningful restricted classes of computations

Organization The rest of this app endix is partitioned to three parts In Sec

tion B we consider Bo olean circuits which are the archetypical mo del of non

uniform computing devices In Section B we generalize the treatment by con

sidering arithmetic circuits which may b e dened for every algebraic structure

where Bo olean circuits are viewed as a sp ecial case referring to the twoelement

eld GF Lastly in Section B we consider pro of complexity

B Bo olean Circuit Complexity

In Bo olean circuits the values assigned to all inputs as well as the values induced

by the computation at all intermediate vertices and outputs are bits The set of

allowed gates is taken to b e any complete basis ie one that allows to compute al l

Bo olean functions The most p opular choice of a complete basis is the set f g

corresp onding to twobit conjunction twobit disjunction and of a

single bit resp ectively The sp ecic choice of a complete basis hardly eects the

study of circuit complexity

For a nite Bo olean function f we denote by S f the size of the smallest

Bo olean circuit computing f We will b e interested in sequences of functions ff g

n

where f is a function on n input bits and will study their size complexity ie

n

S f asymptotically as a function of n With some abuse of notation for

n

def

f x f x we let S f denote the integer function that assigns to n the value

jxj

S f Thus we refer to the following denition

n

Denition B circuit complexity Let f f g f g and ff g be such

n

that f x f x for every x The complexity of f resp ff g denoted S f

n

jxj

resp denoted n S f is a function of n that represents the size of the

n

smal lest Boolean circuit computing f

n

We stress that dierent circuits eg having a dierent number of inputs are used

for dierent f s Still there may b e a simple description of this sequence of circuits

n

say an algorithm that on input n pro duces a circuit computing f In case such

n

Recall that an axiom form like yields an innite number of axioms each obtained by

substituting the generic formula or symbol with a xed prop ositional formula

APPENDIX B ON THE QUEST FOR LOWER BOUNDS

an algorithm exists and works in time p olynomial in the size of its output we say

that the corresp onding sequence of circuits is uniform Note that if f has a uniform

sequence of p olynomialsize circuits then f P On the other hand any f P has

a uniform sequence of p olynomialsize circuits Consequently a sup erp olynomial

size lowerbound on any function in NP would imply that P NP

Denition B makes no reference to the uniformity condition and indeed the

sequence of smallest circuits computing ff g may b e highly nonuniform Ac

n

tually nonuniformity makes the circuit mo del stronger than Turing machines or

equivalently stronger than the mo del of uniform circuits there exist functions f

that cannot be computed by Turing machines regardless of their running time

but do have linearsize circuits This raises the p ossibility that proving circuit

lowerbounds is even harder than resolving the P vs NP Question

The common b elief is that the extra p ower provided by nonuniformity is irrel

evant to the P vs NP Question in particular it is conjectured that NPcomplete

sets do not have p olynomialsize circuits This conjecture is supp orted by the fact

that its failure will yield an unexp ected collapse in the world of uniform compu

tational complexity see Section Furthermore the hop e is that abstracting

away the supp osedly irrelevant uniformity condition will allow for combinatorial

techniques to analyze the p ower and limitations of p olynomialsize circuits wrt

NPsets This hop e has materialized in the study of restricted classes of circuits

see Sections B and B Indeed another advantage of the circuit mo del is

that it oers a framework for describing naturally restricted mo dels of computation

We also mention that Bo olean circuits are a natural computational mo del cor

resp onding to hardware complexity which was indeed the original motivation

for their introduction by Shannon and so their study is of indep endent in

terest Moreover some of the techniques for analyzing Bo olean functions found

applications elsewhere eg in computational learning theory combinatorics and

game theory

B Basic Results and Questions

We have already mentioned several basic facts ab out Bo olean circuits Another

basic fact is that most Boolean functions require exponential size circuits which is

due to the gap b etween the number of functions and the number of small circuits

Thus hard functions ie functions that require large circuits and thus have no

ecient algorithms do exist to say the least However the aforementioned hard

ness result is proved via a counting argument which provides no way of p ointing

to any sp ecic hard function The situation is even worse superlinear circuitsize

lowerbounds are not known for any explicit function f even when explicitness

is dened in a very mild sense that only requires f EXP One ma jor op en

problem of circuit complexity is establishing such lowerbounds

See either Theorem or Theorem

Indeed a more natural and still mild notion of explicitness requires that f E This notion

implies that the functions description restricted to nbit long inputs can b e constructed in time

that is p olynomial in the length of the description

B BOOLEAN CIRCUIT COMPLEXITY

Op en Problem B Find an explicit function f f g f g or even f

f g f g such that jf xj O jxj for which S f is not O n

A particularly basic sp ecial case of this op en problem is the question of whether

n n

addition is easier to perform than multiplication Let ADD f g f g

n

n n n n

f g and MULT f g f g f g denote the addition and multipli

n

cation functions resp ectively applied to a pair of integers presented in binary

For addition we have an optimal upp er b ound that is S ADD O n For

n

multiplication the standard school quadratictime algorithm can b e

greatly improved via Discrete Fourier Transforms to almostlinear time yield

e

ing S MULT O n Now the question is whether or not there exist linearsize

n

circuits for multiplication ie is S MULT O n

n

Unable to rep ort on any sup erlinear lowerbound for an explicit function

we turn to restricted types of Bo olean circuits There has b een some remarkable

successes in developing techniques for proving strong lowerbounds for natural re

stricted classes of circuits We describ e the most imp ortant ones and refer the

reader to for further detail

Recall that general Bo olean circuits can compute every function In contrast

restricted types of circuits eg monotone circuits may only b e able to compute

a sub class of all functions eg monotone functions and in such a case we shall

seek lowerbounds on the size of such restricted circuits that compute a function in

the corresp onding sub class Such a restriction is app ealing provided that the cor

resp onding class of functions and the computations represented by the restricted

circuits are natural from a conceptual or practical viewp oint The mo dels dis

cussed b elow satisfy this condition

B Monotone Circuits

One very natural restriction on circuits arises by forbidding negation in the set

of gates namely allowing only and gates The resulting circuits are called

n

monotone and they can compute a function f f g f g if and only if f is

monotone with resp ect to the standard partial order on nbit strings ie x y

i for every bit p osition i we have x y An extremely natural question in

i i

this context is whether or not nonmonotone operations in the circuit help in

computing monotone functions

Before turning to this question we note that most monotone functions re

quire exp onential size circuits let alone monotone ones Still proving a sup er

p olynomial lowerbound on the monotone circuit complexity of an explicit mono

tone function was op en for several decades till the invention of the socalled ap

proximation method by Razb orov

Let CLIQUE b e the function that given a graph on n vertices by its adjacency

n

matrix outputs if and only if the graph contains a complete subgraph of size

A key observation is that it suces to consider the set of nbit monotone functions that

P

n

x bnc resp evaluate to resp to on each string x x x satisfying

n

i

i

P

n

n

bits x bn c Note that each such function is sp ecied by

i

bnc

i

APPENDIX B ON THE QUEST FOR LOWER BOUNDS

p

n This function is clearly monotone and CLIQUE fCLIQUE g is known say

n

to b e NPcomplete

Theorem B improved in There are no polynomialsize monotone

circuits for CLIQUE

We note that the lowerbounds are subexp onential in the number of vertices ie

S CLIQUE expn and that similar lowerbounds are known for func

n

tions in P Thus there exists an exponential separation between monotone circuit

complexity and nonmonotone circuit complexity where this separation refers of

course to the computation of monotone functions

B BoundedDepth Circuits

The next restriction refers to the structure of the circuit or rather to its underling

graph we al al l gates but limit the depth of the circuit The depth of a dag

is simply the length of the longest directed path in it So in a sense depth cap

tures the parallel time to compute the function if a circuit has depth d then the

function can b e evaluated by enough pro cessors in d phases where in each phase

many gates are evaluated in parallel Indeed parallel time is a natural and im

p ortant referring to the following basic question can one

speed computation by using several in parallel Determining which

computational tasks can b e parallelized when many pro cessors are available and

which are inherently sequential is clearly a fundamental question

We will restrict d to b e a constant which still is interesting not only as a measure

of parallel time but also due to the relation of this mo del to expressibility in rst

order logic as well as to the Polynomialtime Hierarchy dened in Section In

the current setting of constantdepth circuits we allow unbounded fanin ie

gates and gates taking any number of incoming edges as otherwise each output

bit can dep end only on a constant number of input bits

Let PAR for parity denote the sum mo dulo two of the input bits and MAJ for

ma jority b e if and only if there are more s than s among the input bits The

invention of the random restriction method by Furst Saxe and Sipser led to

the following basic result

Theorem B improved in For al l constant d the functions PAR

and MAJ have no polynomial size circuit of depth d

The aforementioned improvement of Hastad following Yao gives a

d

relatively tight lowerbound of expn on the size of ninput PAR circuits

of depth d

Interestingly MAJ remains hard for constantdepth p olynomialsize circuits

even if the circuits are also allowed unbounded fanin PARgates this result is

based on yet another pro of technique approximation by

However the converse do es not hold ie constantdepth p olynomialsize cir

cuits with MAJgates can compute PAR and in general the class of constantdepth

p olynomialsize circuits with MAJgates denoted T C seems quite p owerful In

B BOOLEAN CIRCUIT COMPLEXITY

particular nob o dy has managed to prove that there are functions in NP that can

not be computed by such circuits even if their depth is restricted to

B Formula Size

The nal restriction is again structural we require the underlying dag to b e a

tree ie a dag in which each vertex has at most one outgoing edge Intuitively

this forbids the computation from reusing a previously computed intermediate value

and if this value is needed again then it has to b e recomputed Thus the resulting

Bo olean circuits are simply Bo olean formulae Indeed we are back to the basic

mo del allowing negation and gates of fanin

Formulae are natural not only for their prevalent mathematical use but also

b ecause their size can b e related to the depth of general circuits and to the memory

requirements of Turing machines ie their space complexity One of the oldest

results on Circuit Complexity is that PAR and MAJ have nontrivial lowerbounds

in this mo del The pro of follows a simple combinatorial or information theoretic

argument

Theorem B Boolean formulae for nbit PAR and MAJ require n size

This should b e contrasted with the linearsize circuits that exist for b oth functions

Encouraged by Theorem B one may hop e to see sup erp olynomial lowerbounds

on the formulasize of explicit functions This is indeed a famous op en problem

Op en Problem B Find an explicit f that requires superpolynomial

size formulae

An equivalent formulation of this op en problem calls for proving a sup erlogarithmic

lowerbound on the depth of formulae or circuits computing f

One app ealing metho d for addressing such challenges is the communication

complexity method of Karchmer and Wigderson This metho d asserts that

the depth of a formula for a Bo olean function f equals the communication com

plexity in the following two party game G In the game the rst party is given

f

n n

x f f g the second party is given y f f g and their

goal is to nd a bit lo cation on which x and y disagree ie i such that x y

i i

which clearly exists To that end the party exchange messages according to a

predetermined proto col and the question is what is the communication complexity

in terms of total number of bits exchanged on the worstcase input pair of the

b est such proto col We stress that no computational restrictions are placed on the

parties in the gameproto col

Note that proving a sup erlogarithmic lowerbound on the communication com

plexity of the game G will establish a sup erlogarithmic lowerbound on the depth

f

of formulae or circuits computing f and thus a sup erp olynomial lowerbound

on the size of formulae computing f We stress the fact that a lowerbound of a

purely information theoretic nature implies a computational lowerbound

We comment that S PAR O n is trivial but S MAJ O n is not

APPENDIX B ON THE QUEST FOR LOWER BOUNDS

We mention that the communication complexity metho d has a monotone ver

sion such that the depth of monotone circuits is related to the communication

complexity of proto cols that are required to nd an i such that x y rather

i i

than any i such that x y In fact the monotone version is b etter known

i i

than the general one due to its success in leading to linear lowerbounds on the

monotone depth of natural problems such as p erfect matching established by Raz

and Wigderson

B Arithmetic Circuits

We now leave the Bo olean rind and discuss circuits over general elds Fixing any

eld F the gates of the dag will now b e the standard and op erations of the

eld yielding a socalled arithmetic circuit The inputs of the dag will b e assigned

elements of the eld F and these values induce an assignment of values in F to all

other vertices Thus an arithmetic circuit with n inputs and m outputs computes

n m

a p olynomial map p F F and every such p olynomial map is computed

by some circuit mo dulo the convention of allowing some inputs to b e set to some

constants most imp ortantly the constant

Arithmetic circuits provide a natural description of metho ds for computing

p olynomial maps and consequently their size is a natural measure of the complexity

of such maps We denote by S p the size of a smallest circuit computing the

F

p olynomial map p and when no subscript is sp ecied we mean that F Q

the eld of rational numbers As usual we shall b e interested in sequences of

functions one p er each input size and will study the corresp onding circuitsize

asymptotically

We note that for any xed nite eld arithmetic circuits can simulate Bo olean

circuits on Bo olean inputs with only constant factor loss in size Thus the study

of arithmetic circuits fo cuses more on innite elds where lower b ounds may b e

easier to obtain

As in the Bo olean case the existence of hard functions is easy to establish via

dimension considerations rather than counting argument and we will b e inter

ested in explicit families of p olynomials Roughly sp eaking a p olynomial is called

explicit if there exists an ecient algorithm that when given a degree sequence

which sp ecies a monomial outputs the nite description of the corresp onding

co ecient

An imp ortant parameter which is absent in the Bo olean mo del is the degree of

the p olynomials computed It is obvious for example that a degree d p olynomial

even in one variable ie n requires size at least log d We briey consider

the univariate case where d is the only measure of problem size which already

contains striking and imp ortant op en problems Then we move to the general

Note that since f is monotone f x and f y implies the existence of an i such that

x and y

i i

This allows the emulation of adding a constant multiplication by a constant and subtraction

We mention that for the purp ose of computing p olynomials over innite elds division can b e

eciently emulated by the other op erations

B ARITHMETIC CIRCUITS

multivariate case in which as usual the number of variables ie n will b e the

main parameter and we shall assume that d n We refer the reader to

for further detail

B Univariate Polynomials

How tight is the log d lowerbounds for the size of an arithmetic circuit computing

a degree d p olynomial A simple dimension argument shows that for most degree

d p olynomials p it holds that S p d However we know of no explicit one

Op en Problem B Find an explicit polynomial p of degree d such that S p is

not O log d

To illustrate this op en problem we consider the following two concrete p olynomials

d

p x x and q x x x x d Clearly S p log d via

d d d

rep eated squaring so the trivial lowerbound is essentially tight On the other

hand it is a ma jor op en problem to determine S q and the common conjecture

d

is that S q is not p olynomial in log d To realize the imp ortance of this conjecture

d

we state the following prop osition

Prop osition B If S q p oly log d then the problem

d

can be solved by polynomialsize circuits

Recall that it is widely b elieved that the integer factorization problem is intractable

and in particular do es not have p olynomialsize circuits

Pro of Sketch Prop osition B follows by observing that q t t dt

d

and that a small circuit for computing q yields an ecient way of obtaining the

d

value t dt mo d N by emulating the computation of the former circuit

P P Q

K it follows that mo dulo N Observing that K q

j i K

i

j i i i

the value of K mo d N can b e obtained by using circuits for the p olynomials

i

hq i blog K ci Next observe that K mo d N and N are relatively

prime if and only if all prime factors of N are bigger than K Thus given a

i

comp osite N and circuits for hq i blog N ci we can nd a factor of N

by p erforming a binary search for a suitable K

B Multivariate Polynomials

We are now back to p olynomials with n variables To make n our only problem

size parameter it is convenient to restrict ourselves to p olynomials whose total

degree is at most n

Once again almost every p olynomial p in n variables requires size S p

expn and we seek explicit p olynomial families that are hard Unlike in

the Bo olean world here there are slightly nontrivial lowerbounds via elementary

to ols from algebraic geometry

n n n

Theorem B S x x x n log n

n

APPENDIX B ON THE QUEST FOR LOWER BOUNDS

The same techniques extend to prove a similar lowerbound for other natural p oly

nomials such as the symmetric p olynomials and the determinant Establishing a

stronger lowerbound for any explicit p olynomial is a ma jor op en problem Another

op en problem is obtaining a sup erlinear lowerbound for a p olynomial map of con

stant even total degree Outstanding candidates for the latter op en problem

are the linear maps computing the Discrete Fourier Transform over the Complex

numbers or the Walsh transform over the Rationals for b oth O n log ntime al

gorithms are known but no sup erlinear lowerbounds are known

We now fo cus on sp ecic p olynomials of central imp ortance The most natural

and well studied candidate for the last op en problem is the matrix multiplication

function MM let A B b e two m m matrices over F and dene MM A B to b e

n

the sequence of n m values of the entries of the matrix A B Thus MM is a

n

sequence of n explicit bilinear forms over the n input variables which represent

the entries of b oth matrices It is known that S MM n cf On

n

GF

the other hand the obvious algorithm that takes O m O n steps can b e

improved

Theorem B For every eld F it holds that S MM on

F n

So what is the complexity of MM even if one counts only multiplication gates Is

it linear or almostlinear or is it the case that S MM n for some This is

indeed a famous op en problem

We next consider the determinant and p ermanent p olynomials DET and PER

resp over the n m variables representing an m m matrix While DET plays

a ma jor role in classical mathematics PER is somewhat esoteric in that context

though it app ears in Statistical Mechanics and Quantum Mechanics In the con

text of complexity theory b oth p olynomials are of great imp ortance b ecause they

capture natural complexity classes The function DET has relatively low complex

ity and is related to the class of p olynomials having p olynomialsized arithmetic

formulae whereas PER seems to have high complexity and is complete for the

counting class P see x Thus it is conjectured that PER is not p olynomial

time reducible to DET One restricted type of reduction that makes sense in this

algebraic context is a reduction by pro jection

n N

Denition B pro jections Let p F F and q F F be poly

n N

nomial maps and x x be variables over F We say that there is a projection

n

from p to q over F if there exists a function N fx x g F such that

n N n

p x x q N

n n N

Clearly if there is a pro jection from p to q then S p S q Let DET

n N F n F N m

and PER denote the functions DET and PER restricted to mbym matrices It is

m

m

but to yield a p olynomial known that there is a pro jection from PER to DET

m

time reduction one would need a pro jection of PER to DET Needless to say

m

p oly m

it is conjectured that no such pro jection exists

B PROOF COMPLEXITY

B Pro of Complexity

It is common practice to classify pro ofs according to the level of their diculty

but can this app ealing classication b e put on sound grounds This is essentially

the task undertaken by Pro of Complexity It seeks to classify theorems according

to the diculty of proving them much like Circuit Complexity seeks to classify

functions according to the diculty of computing them Furthermore just like

in circuit complexity we shall also refer to a few restricted mo dels called proof

systems which represent various metho ds of reasoning Thus the diculty of

proving various theorems will b e measured with resp ect to various pro of systems

We will consider only prop ositional pro of systems and so the theorems in these

systems will b e prop ositional tautologies Each of these systems will b e complete

and sound that is each tautology and only a tautology will have a pro of relative

to these systems The formal denition of a pro of system sp ells out what we take

for granted the eciency of the verication pro cedure In the following denition

the eciency of the verication pro cedure refers to its runningtime measured in

terms of the total length of the al leged theorem and proof

Denition B A propositional proof system is a polynomialtime Turing

machine M such that a formula T is a tautology if and only if there exists a string

called a proof such that M T

In agreement with standard formalisms the pro of is viewed as coming b efore the

theorem Denition B guarantees the completeness and soundness of the pro of

system as well as verication eciency relative to the total length of the alleged

pro oftheorem pair Note that Denition B allows pro ofs of arbitrary length

suggesting that the length of the pro of is a measure of the complexity of the

tautology T with respect to the proof system M

For each tautology T let L T denote the length of the shortest pro of of T in

M

M ie the length of the shortest string such that M accepts T That is

L captures the proof complexity of various tautologies with resp ect to the pro of

M

system M Abusing notation we let L n denotes the maximum L T over

M M

all tautologies T of length n By denition for every pro of system M the value

L n is welldened and so L is a total function over the natural numbers The

M M

following simple theorem provides a basic connection b etween pro of complexity

with resp ect to any prop ositional pro of system and

ie the NPvscoNP Question

Theorem B There exists a propositional proof system M such that the

function L is upperbounded by a polynomial if and only if NP coNP

M

In particular a prop ositional pro of system M such that L is upp erb ounded by

M

a p olynomial coincides with a NPpro of system as in Denition for the set of

prop ositional tautologies which is a coNP complete set

Indeed this convention diers from the convention emplyed in Chapter where the com

plexity of verication ie veriers runningtime was measured as a function of the length of

the al leged theorem Both approaches were mentioned in Section where the two approaches

coincide b ecause in Section we mandated pro ofs of length p olynomial in the alleged theorem

APPENDIX B ON THE QUEST FOR LOWER BOUNDS

The longterm goal of Pro of Complexity is establishing sup erp olynomial lower

b ounds on the length of pro ofs in any prop ositional pro of system and thus es

tablishing NP coNP It is natural to start this formidable pro ject by rst

considering simple and thus weaker pro of systems and then moving on to more

and more complex ones Moreover various natural pro of systems capturing ba

sic restricted types and primitives of reasoning as well as natural tautologies

suggest themselves as ob jects for this study In the rest of this section we fo cus on

such restricted pro of systems

Dierent branches of Mathematics such as logic algebra and geometry give rise

to dierent pro of systems often implicitly A typical system would have a set of

axioms and a set of deduction rules A pro of in this system would pro ceed to

derive the desired tautology in a sequence of steps each pro ducing a formula often

called a line of the pro of which is either an axiom or follows from previous for

mulae via one of the deduction rules Regarding these pro of systems we make two

observations First pro ofs in these systems can b e easily veried by an algorithm

and thus they t the general framework of Denition B Second these pro of

systems p erfectly t the mo del of a dag with internal vertices lb eled by deduction

rules as in Section B When assigning axioms to the inputs the application of

the deduction rules at the internal vertices yields a pro of of the tautology assigned

to each output

For various pro of systems we turn to study the pro of length L T of tau

tologies T in pro of system The rst observation revealing a ma jor dierence

b etween pro of complexity and circuit complexity is that the trivial counting ar

n

gument fails The reason is that while the number of functions on n bits is

n

there are at most tautologies of this length Thus in pro of complexity even the

existence of a hard tautology not necessarily an explicit one would b e of interest

and in particular if established for all prop ositional pro of systems then it would

yield NP coNP Note that here we refer to hard instances of of a problem

and not to hard problems Anyhow as we shall see most known pro oflength

lowerbounds with resp ect to restricted pro of systems apply to very natural let

alone explicit tautologies

An imp ortant convention There is an equivalent and somewhat more conve

nient view of simple pro of systems namely as simple refutation systems First

recalling that SAT is NPcomplete note that the negation of any prop ositional

tautology can b e written as a conjunction of clauses where each clause is a disjunc

tion of only literals variables or their negation Now if we take these clauses

as axioms and derive using the rules of the system a obvious contradiction eg

the negation of an axiom or b etter yet the empty clause then we have proved the

tautology since we have proved that its negation yields a contradiction Pro of

complexity often takes the refutation viewp oint and often exchanges tautology

with its negation contradiction

General pro of systems as in Denition B can also b e adapted to this formalism by con

sidering a deduction rule that corresp onds to a single step of the machine M However the

deduction rules considered b elow are even simpler and more imp ortantly they are more natural

B PROOF COMPLEXITY

Organization The rest of this section is divided to three parts referring to

logical algebraic and geometric pro of systems We will briey describ e imp ortant

representative and basic results in each of these domains and refer the reader

to for further detail and in particular to adequate references

B Logical Pro of Systems

The pro of systems in this section will all have lines that are Bo olean formulae

and the dierences will b e in the structural limits imp osed on these formulae The

most basic pro of system called Frege system puts no restriction on the formulae

manipulated by the pro of It has one derivation rule called the cut rule A C B

C A B for any prop ositional formulae A B and C Adding any other sound

rule like modus ponens has little eect on the length of pro ofs in this system

Frege systems are basic in the sense that in several variants they are the

most common systems in Logic Indeed p olynomial length pro ofs in Frege systems

naturally corresp onds to p olynomialtime reasoning ab out feasible ob jects The

ma jor op en problem in pro of complexity is nding any tautology ie a family of

tautologies that has no p olynomiallong pro of in the Frege system

Since lowerbounds for Frege systems seem intractable at the moment we turn

to subsystems of Frege which are interesting and natural The most widely studied

system of refutation is Resolution whose imp ortance stems from its use by most

prop ositional as well as rst order automated theorem provers The formulae al

lowed as lines in Resolution are clauses disjunctions and so the cut rule simplies

to the resolution rule A x B x A B for any clauses A B and variable x

The gap b etween the p ower of general Frege systems and Resolution is reected

by the existence of tautologies that are easy for Frege and hard for Resolution A

m

sp ecic example is provided by the pigeonhole principle denoted PHP which is a

n

prop ositional tautology that expresses the fact that there is no onetoone mapping

of m pigeons to n m holes

n O n n

Theorem B L PHP n but L PHP

Frege Resolution

n n

B Algebraic Pro of Systems

Just as a natural contradiction in the Bo olean setting is an unsatisable collection

of clauses a natural contradiction in the algebraic setting is a system of p olyno

mials without a common ro ot Moreover CNF formulae can b e easily converted

to a system of p olynomials one p er clause over any eld One often adds the

p olynomials x x which ensure Bo olean values

i

i

A natural pro of system related to Hilb erts Nullstellensatz and to computa

tions of Grobner bases in symbolic algebra programs is Polynomial Calculus abbre

viated PC The lines in this system are p olynomials represented explicitly by all

co ecients and it has two deduction rules For any two p olynomials g h the rule

g h g h and for any p olynomial g and variable x the rule g x x g Strong

i i i

length lowerbounds obtained from degree lowerbounds are known for this sys

APPENDIX B ON THE QUEST FOR LOWER BOUNDS

m

tem For example enco ding the pigeonhole principle PHP as a contradicting set

n

of constant degree p olynomials we have the following lowerbound

m n

Theorem B For every n and every m n it holds that L PHP

PC

n

over every eld

B Geometric Pro of Systems

Yet another natural way to represent contradictions is by a set of regions in space

that have empty intersection Again we care mainly ab out discrete say Bo olean

domains and a wide source of interesting contradictions are integer programs aris

ing from Combinatorial Optimization Here the constraints are ane linear

inequalities with integer co ecients so the regions are of the Bo olean cub e

carved out by halfspaces The most basic system is called Cutting Planes CP

and its lines are linear inequalities with integer co ecients The deduction rules

of PC are the obvious addition of inequalities and the less obvious division of

the co ecients by a constant and rounding taking advantage of the integrality of

the solution space

m

While PHP is easy in this system exponential lowerbounds are known for

n

other tautologies We mention that they are obtained from the monotone circuit

lower b ounds of Section B

App endix C

On the Foundations of

Mo dern

It is p ossible to build a cabin with no foundations

but not a lasting building

Eng Isidor Goldreich

Summary Cryptography is concerned with the construction of com

puting systems that withstand any abuse Such a system is constructed

so to maintain a desired functionality even under malicious attempts

aimed at making it deviate from this functionality

This app endix is aimed at presenting the foundations of cryptography

which are the paradigms approaches and techniques used to concep

tualize dene and provide solutions to natural security concerns It

presents some of these conceptual to ols as well as some of the funda

mental results obtained using them The emphasis is on the clarication

of fundamental concepts and on demonstrating the feasibility of solving

several central cryptographic problems The presentation assumes ba

sic knowledge of algorithms probability theory and complexity theory

but nothing b eyond this

The app endix augments the treatment of oneway functions pseudoran

dom generators and zeroknowledge pro ofs given in Sections

and resp ectively Using these basic primitives the app endix pro

vides a treatment of basic cryptographic applications such as Encryp

tion Signatures and General Cryptographic Proto cols

These augmentations are imp ortant for cryptography but are not central to complexity theory

and thus were omitted from the main text

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

C Introduction and Preliminaries

The rigorous treatment and vast expansion of cryptography is one of the ma jor

achievements of theoretical science In particular classical notions such

as secure encryption and unforgeable signatures were placed on sound grounds

and new unexp ected directions and connections were uncovered Furthermore

this development was coupled with the introduction of novel concepts such as com

putational indistinguishability pseudorandomness and zeroknowledge interactive

pro ofs which are of indep endent interest see Sections and resp ec

tively Indeed mo dern cryptography is strongly coupled with complexity theory

in contrast to classical cryptography which is strongly related to information

theory

C The Underlying Principles

Mo dern cryptography is concerned with the construction of information systems

that are robust against malicious attempts aimed at causing these systems to violate

their prescrib ed functionality The prescrib ed functionality may b e the secret and

authenticated communication of information over an insecure channel the holding

of inco ercible and secret electronic voting or conducting any faultresilient multi

party computation Indeed the scop e of mo dern cryptography is very broad and

it stands in contrast to classical cryptography which has fo cused on the single

problem of enabling secret communication over insecure channel

C Coping with adversaries

Needless to say the design of cryptographic systems is a very dicult task One

cannot rely on intuitions regarding the typical state of the environment in which

the system op erates For sure the adversary attacking the system will try to ma

nipulate the environment into untypical states Nor can one b e content with

countermeasures designed to withstand sp ecic attacks since the adversary which

acts after the design of the system is completed will try to attack the schemes in

ways that are dierent from the ones the designer had envisioned Although the

validity of the foregoing assertions seems selfevident still some p eople hop e that

in practice ignoring these tautologies will not result in actual damage Exp eri

ence shows that these hop es rarely come true cryptographic schemes based on

makebelieve are broken typically so oner than later

In view of the foregoing it makes little sense to make assumptions regarding

the sp ecic strategy that the adversary may use The only assumptions that can

b e justied refer to the computational abilities of the adversary Furthermore

the design of cryptographic systems has to b e based on rm foundations whereas

adho c approaches and heuristics are a very dangerous way to go

The foundations of cryptography are the paradigms approaches and techniques

used to conceptualize dene and provide solutions to natural security concerns

Solving a cryptographic problem or addressing a security concern is a twostage

pro cess consisting of a denitional stage and a constructive stage First in the

C INTRODUCTION AND PRELIMINARIES

denitional stage the functionality underlying the natural concern is to b e iden

tied and an adequate cryptographic problem has to b e dened Trying to list

all undesired situations is infeasible and prone to error Instead one should dene

the functionality in terms of op eration in an imaginary ideal mo del and require

a candidate solution to emulate this op eration in the real clearly dened mo del

which sp ecies the adversarys abilities Once the denitional stage is completed

one pro ceeds to construct a system that satises the denition Such a construction

may use some simpler to ols and in such a case its security is proved relying on the

features of these to ols

Example Starting with the wish to ensure secret resp reliable communication

over insecure channels the denitional stage leads to the formulation of the notion

of secure encryption schemes resp signature schemes Next such schemes are

constructed by using simpler primitives such as oneway functions and the security

of the construction is proved via a reducibility argument which demonstrates

how inverting the oneway function reduces to violating the claimed security of

the construction cf Section

C The use of computational assumptions

Like in the case of the foregoing example most of the to ols and applications of

cryptography exist only if some sort of computational hardness exists Sp ecically

these to ols and applications require either explicitly or implicitly the ability to

generate instances of hard problems Such ability is captured in the denition

of oneway functions Thus oneway functions are the very minimum needed for

doing most natural tasks of cryptography It turns out as we shall see that

this necessary condition is essentially sucient that is the existence of oneway

functions or augmentations and extensions of this assumption suces for doing

most of cryptography

Our current state of understanding of ecient computation do es not allow us

to prove that oneway functions exist In particular as discussed in Sections

and C proving that oneway functions exist seems even harder than proving that

P NP Hence we have no choice at this stage of history but to assume that

oneway functions exist As justication to this assumption we can only oer the

combined b eliefs of hundreds or thousands of researchers Furthermore these

b eliefs concern a simply stated assumption and their validity follows from several

widely b elieved conjectures which are central to various elds eg the conjectured

intractability of integer factorization is central to computational number theory

Since we need assumptions anyhow why not just assume whatever we want

ie the existence of a solution to some natural cryptographic problem Well

rstly we need to know what we want that is we must rst clarify what exactly

we want which means going through the typically complex denitional stage But

once this stage is completed and a denition is obtained can we just assume the

existence of a system satisfying this denition Not really the mere existence of a

denition do es not imply that it can b e satised by any system

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

The way to demonstrate that a cryptographic denition is viable and that

the corresp onding intuitive security concern can b e satised is to prove that it

can b e satised based on a better understood assumption ie one that is more

common and widely b elieved For example lo oking at the denition of zero

knowledge pro ofs it is not apriori clear that such pro ofs exist at all in a nontrivial

sense The nontriviality of the notion was rst demonstrated by presenting a zero

knowledge pro of system for statements regarding Quadratic Residuosity which are

b elieved to b e hard to verify without extra information Furthermore contrary

to prior b eliefs it was later shown that the existence of oneway functions implies

that any NPstatement can b e proved in zeroknowledge Thus facts that were

not known at all to hold and were even b elieved to b e false have b een shown

to hold by reduction to widely b elieved assumptions without which most of

cryptography collapses anyhow

In summary not al l assumptions are equal Thus reducing a complex new

and doubtful assumption to a widelyb elieved and simple or even merely simpler

assumption is of great value Furthermore reducing the solution of a new task

to the assumed security of a wellknown primitive typically means providing a

construction that using the known primitive solves the new task This means

that we do not only gain condence ab out the solvability of the new task but we

also obtain a solution based on a primitive that b eing wellknown typically has

several candidate implementations

C The Computational Mo del

Cryptography as surveyed here is concerned with the construction of ecient

schemes for which it is infeasible to violate the security feature Thus we need a

notion of ecient computations as well as a notion of infeasible ones The compu

tations of the legitimate users of the scheme ought b e ecient whereas violating

the security features by an adversary ought to b e infeasible We stress that we do

not identify feasible computations with ecient ones but rather view the former

notion as p otentially more lib eral Let us elab orate

C Ecient Computations and Infeasible ones

Ecient computations are commonly mo deled by computations that are p olynomial

time in the security parameter The p olynomial b ounding the runningtime of the

legitimate users strategy is xed and typically explicit and smal l Indeed our

aim is to have a notion of eciency that is as strict as p ossible or equivalently

develop strategies that are as ecient as p ossible Here ie when referring to

the complexity of the legitimate users we are in the same situation as in any algo

rithmic setting Things are dierent when referring to our assumptions regarding

the computational resources of the adversary where we refer to the notion of fea

sible which we wish to b e as wide as p ossible A common approach is to p ostulate

that feasible computations are p olynomialtime to o but here the p olynomial is not

apriori specied and is to b e thought of as arbitrarily large In other words the

C INTRODUCTION AND PRELIMINARIES

adversary is restricted to the class of p olynomialtime computations and anything

b eyond this is considered to b e infeasible

Although many denitions explicitly refer to the convention of asso ciating fea

sible computations with p olynomialtime ones this convention is inessential to

any of the results known in the area In all cases a more general statement can

b e made by referring to a general notion of feasibility which should b e preserved

under standard algorithmic comp osition yielding theories that refer to adversaries

of runningtime b ounded by any sp ecic sup erp olynomial function or class of

functions Still for sake of concreteness and clarity we shall use the former con

vention in our formal denitions but our motivational discussions will refer to an

unsp ecied notion of feasibility that covers at least ecient computations

C Randomized or probabilistic Computations

Randomized computations play a central role in cryptography One fundamental

reason for this fact is that randomness is essential for the existence or rather the

generation of secrets Thus we must allow the legitimate users to employ random

ized computations and certainly since we consider randomization as feasible we

must consider also adversaries that employ randomized computations This brings

up the issue of success probability typically we require that legitimate users suc

ceed in fullling their legitimate goals with probability or negligibly close to

this whereas adversaries succeed in violating the security features with negli

gible probability Thus the notion of a negligible probability plays an imp ortant

role in our exp osition

One requirement of the denition of negligible probability is to provide a robust

notion of rareness A rare event should o ccur rarely even if we rep eat the exp eriment

for a feasible number of times That is in case we consider any p olynomialtime

computation to b e feasible a function N N is called negligible if

pn

n for every p olynomial p and suciently big n ie is negligible

if for every p ositive p olynomial p the function is upp erb ounded by p

We will also refer to the notion of noticeable probability Here the requirement

is that events that o ccur with noticeable probability will o ccur almost surely ie

except with negligible probability if we rep eat the exp eriment for a p olynomial

number of times Thus a function N N is called noticeable if for some p ositive

p olynomial p the function is lowerbounded by p

C Organization and Beyond

This app endix fo cuses on several archetypical cryptographic problems eg en

cryption and signature schemes and on several central to ols eg computational

diculty pseudorandomness and zeroknowledge pro ofs For each of these prob

lems we start by presenting the natural concern underlying it then dene the

problem and nally demonstrate that the problem may b e solved In the latter

step our fo cus is on demonstrating the feasibility of solving the problem not on

providing a practical solution

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

Our aim is to present the basic concepts techniques and results in cryptography

and our emphasis is on the clarication of fundamental concepts and the relation

ship among them This is done in a way indep endent of the particularities of some

p opular number theoretic examples These particular examples played a central

role in the development of the eld and still oer the most practical implementa

tions of all cryptographic primitives but this do es not mean that the presentation

has to b e linked to them On the contrary we b elieve that concepts are b est clari

ed when presented at an abstract level decoupled from sp ecic implementations

Actual organization The app endix is organized in two main parts corresp ond

ing to the Basic Tools of Cryptography and the Basic Applications of Cryptography

The basic to ols The most basic to ol is computational diculty which in turn is

captured by the notion of oneway functions Another notion of key imp or

tance is that of computational indistinguishability underlying the theory of

pseudorandomness as well as much of the rest of cryptography Pseudoran

dom generators and functions are imp ortant to ols that are frequently used

So are zeroknowledge pro ofs which play a key role in the design of secure

cryptographic proto cols and in their study

The basic applications Encryption and signature schemes are the most basic

applications of Cryptography Their main utility is in providing secret and

reliable communication over insecure communication media Lo osely sp eak

ing encryption schemes are used for ensuring the secrecy or privacy of the

actual information b eing communicated whereas signature schemes are used

to ensure its reliability or authenticity Another basic topic is the construc

tion of secure cryptographic proto cols for the implementation of arbitrary

functionalities

The presentation of the basic to ols in Sections CC augments and sometimes

rep eats parts of Sections and which provide a basic treatment of one

way functions pseudorandom generators and zeroknowledge pro ofs resp ectively

Sections CC provide a overview of the basic applications that is Encryption

Schemes Signature Schemes and General Cryptographic Proto cols

Suggestions for further reading This app endix is a brief summary of the

authors twovolume work on the sub ject Furthermore the rst part ie

Basic Tools corresp onds to whereas the second part ie Basic Applications

corresp onds to Needless to say the interested reader is referred to these

textb o oks for further detail and in particular for missing references

Practice The aim of this app endix is to introduce the reader to the theoretical

foundations of cryptography As argued such foundations are necessary for sound

practice of cryptography Indeed practice requires much more than theoretical

foundations whereas the current text makes no attempt to provide anything b e

yond the latter However given a sound foundation one can learn and evaluate

C COMPUTATIONAL DIFFICULTY

various practical suggestions that app ear elsewhere On the other hand lack of

sound foundations results in inability to critically evaluate practical suggestions

which in turn leads to unsound decisions Nothing could be more harmful to the

design of schemes that need to withstand adversarial attacks than misconceptions

about such attacks

C Computational Diculty

Mo dern Cryptography is concerned with the construction of systems that are easy

to op erate prop erly but hard to foil Thus a complexity gap b etween the ease of

prop er usage and the diculty of deviating from the prescrib ed functionality lies

at the heart of Mo dern Cryptography However gaps as required for Mo dern Cryp

tography are not known to exist they are only widely b elieved to exist Indeed

almost all of Mo dern Cryptography rises or falls with the question of whether one

way functions exist We mention that the existence of oneway functions implies

that NP contains search problems that are hard to solve on the average which

in turn implies that NP is not contained in BPP ie a worstcase complexity

conjecture

Lo osely sp eaking oneway functions are functions that are easy to evaluate but

hard on the average to invert Such functions can b e thought of as an ecient

way of generating puzzles that are infeasible to solve ie the puzzle is a random

image of the function and a solution is a corresp onding preimage Furthermore

the p erson generating the puzzle knows a solution to it and can eciently verify

the validity of p ossibly other solutions to the puzzle Thus oneway functions

have by denition a clear cryptographic avor ie they manifest a gap b etween

the ease of one task and the diculty of a related one

C OneWay Functions

We start by repro ducing the basic denition of oneway functions as app earing in

Section where this denition is further discussed

Denition C oneway functions Denition restated A function f f g

f g is called oneway if the fol lowing two conditions hold

Easy to evaluate There exist a polynomialtime algorithm A such that Ax

f x for every x f g

Hard to invert For every probabilistic polynomialtime algorithm A every

polynomial p and al l suciently large n

n

Pr A f x f f x

pn

n

where the probability is taken uniformly over x f g and al l the internal

coin tosses of algorithm A

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

Some of the most p opular candidates for oneway functions are based on the con

jectured intractability of computational problems in number theory One such

conjecture is that it is infeasible to factor large integers Consequently the func

tion that takes as input two equal length primes and outputs their pro duct is

widely b elieved to b e a oneway function Furthermore factoring such a com

p osite is infeasible if and only if squaring mo dulo such a comp osite is a oneway

function see For certain comp osites ie pro ducts of two primes that are

b oth congruent to mo d the latter function induces a p ermutation over the

set of quadratic residues mo dulo this comp osite A related p ermutation which is

e

widely b elieved to b e oneway is the RSA function x x mo d N where

N P Q is a comp osite as ab ove e is relatively prime to P Q and

x f N g The latter examples as well as other p opular suggestions are

b etter captured by the following formulation of a collection of oneway functions

which is indeed related to Denition C

Denition C collections of oneway functions A collection of functions ff

i

D f g g is called oneway if there exists three probabilistic polynomial

i

i I

time algorithms I D and F such that the fol lowing two conditions hold

n

Easy to sample and compute On input the output of the index selection

n

I f g ie is an nbit long index algorithm I is distributed over the set

I the output of of some function On input an index of a function i

the domain sampling algorithm D is distributed over the set D ie over

i

the domain of the function f On input i I and x D the evaluation

i i

algorithm F always outputs f x

i

Hard to invert For every probabilistic polynomialtime algorithm A every

positive polynomial p and al l suciently large ns

Pr A i f x f f x

i i

i

pn

n

where i I and x D i

The collection is said to be a collection of p ermutations if each of the f s is a

i

permutation over the corresponding D and D i is almost uniformly distributed

i

in D

i

For example in case of the RSA one considers f D D that satises

N e N e N e

e

f x x mo d N where D f N g Denition C is also a go o d

N e N e

starting p oint for the denition of a trap do or p ermutation Lo osely sp eaking

the latter is a collection of oneway p ermutations augmented with an ecient al

gorithm that allows for inverting the p ermutation when given adequate auxiliary

information called a trap do or

n

Note that this condition refers to the distributions I and D i which are merely required

n n

to range over I f g and D resp ectively Typically the distributions I and D i are

i

n

I f g and D resp ectively almost uniform over

i

Indeed a more adequate term would b e a collection of trap do or p ermutations but the shorter

and less precise term is the commonly used one

C COMPUTATIONAL DIFFICULTY

Denition C trap do or p ermutations A collection of permutations as in Def

inition C is called a trap do or p ermutation if there are two auxiliary probabilistic

n

polynomialtime algorithms I and F such that the distribution I ranges

n

over pairs of strings so that the rst string is distributed as in I and for

n

every i t in the range of I and every x D it holds that F t f x x

i i

That is t is a trap do or that allows to invert f

i

For example in case of the RSA the function f can b e inverted by raising the

N e

image to the p ower d mo dulo N P Q where d is the multiplicative inverse of

e mo dulo P Q Indeed in this case the trap do or information is N d

Strong versus weak oneway functions summary of Section Re

call that the foregoing denitions require that any feasible algorithm succeeds in

inverting the function with negligible probability A weaker notion only requires

that any feasible algorithm fails to invert the function with noticeable probability

It turns out that the existence of such weak oneway functions implies the exis

tence of strong oneway functions as in Denition C The construction itself

is straightforward but analyzing it transcends the analogous information theoretic

setting Instead the security ie hardness of inverting the resulting construction

is proved via a so called reducibility argument that transforms the violation of

the conclusion ie the hypothetical insecurity of the resulting construction into

a violation of the hypothesis ie insecurity of the given primitive This strategy

ie a reducibility argument is used to prove all conditional results in the area

C HardCore Predicates

Recall that saying that a function f is oneway implies that given a typical f

image y it is infeasible to nd a preimage of y under f This do es not mean

that it is infeasible to nd partial information ab out the preimages of y under f

Sp ecically it may b e easy to retrieve half of the bits of the preimage eg given

def

a oneway function f consider the function g dened by g x r f x r for

every jxj jr j As will b ecome clear in subsequent sections hiding partial infor

mation ab out the functions preimage plays an imp ortant role in many advanced

cryptographic constructs eg secure encryption This partial information can b e

considered as a hard core of the diculty of inverting f Lo osely sp eaking a

polynomialtime computable Bo olean predicate b is called a hardcore of a func

tion f if no feasible algorithm given f x can guess bx with success probability

that is nonnegligibly b etter than one half The actual denition is presented in

Section ie Denition

Note that if b is a hardcore of a function f that is p olynomialtime com

putable then f is a oneway function On the other hand recall that Theorem

asserts that for any oneway function f the innerproduct mod of x and r is a

hardcore of the function f where f x r f x r

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

C Pseudorandomness

In practice pseudorandom sequences are often used instead of truly random se

quences The underlying b elief is that if an ecient application p erforms well

when using a truly random sequence then it will p erform essentially as well when

using a pseudorandom sequence However this b elief is not supp orted by ad

ho c notions of pseudorandomness such as passing the statistical tests in or

having large linearcomplexity as dened in Needless to say using such

pseudorandom sequences instead of truly random sequences in a cryptographic

application is very dangerous

In contrast truly random sequences can b e safely replaced by pseudorandom

sequences provided that pseudorandom distributions are dened as b eing compu

tationally indistinguishable from the uniform distribution Such a denition makes

the soundness of this replacement an easy corollary Lo osely sp eaking pseudoran

dom generators are then dened as ecient pro cedures for creating long pseudo

random sequences based on few truly random bits ie a short random seed The

relevance of such constructs to cryptography is in providing legitimate users that

share short random seeds a metho d for creating long sequences that lo ok random

to any feasible adversary which do es not know the said seed

C Computational Indistinguishability

A central notion in Mo dern Cryptography is that of eective similarity aka

computational indistinguishability cf The underlying thesis is that

we do not care whether or not ob jects are equal all we care ab out is whether or

not a dierence b etween the ob jects can b e observed by a feasible computation In

case the answer is negative the two ob jects are equivalent as far as any practical

application is concerned Indeed in the sequel we will often interchange such

computationally indistinguishable ob jects In this section we recall the denition

of computational indistinguishability presented in Section and consider two

variants

We Denition C computational indistinguishability Denition revised

say that X fX g and Y fY g are computationally indistinguishable

n n

nN nN

if for every probabilistic polynomialtime algorithm D every polynomial p and al l

suciently large n

n n

jPr D X Pr D Y j

n n

pn

where the probabilities are taken over the relevant distribution ie either X or

n

Y and over the internal coin tosses of algorithm D

n

For sake of streamlining Denition C with Denition C and unlike in Denition here

the distinguisher is explicitly given the index n of the distribution that it insp ects In typical

applications the dierence b etween Denitions and C is immaterial b ecause the index n is

easily determined from any sample of the corresp onding distributions

C PSEUDORANDOMNESS

See further discussion in Section In particular recall that for eciently

constructible distributions indistinguishability by a single sample as in Deni

tion C implies indistinguishability by multiple samples as in Denition

Extension to ensembles indexed by strings We consider a natural extension

of Denition C in which rather than referring to ensembles indexed by N we refer

to ensembles indexed by an arbitrary set S f g Typically for an ensemble

fZ g it holds that Z ranges over strings of length that is p olynomiallyrelated

S

to the length of

Denition C We say that fX g and fY g are computationally indistin

S S

guishable if for every probabilistic polynomialtime algorithm D every polynomial

p and al l suciently long S

jPr D X Pr D Y j

pjj

where the probabilities are taken over the relevant distribution ie either X or

Y and over the internal coin tosses of algorithm D

n

Note that Denition C is obtained as a sp ecial case by setting S f n N g

A nonuniform version A nonuniform denition of computational indistin

guishability can b e derived from Denition C by articially augmenting the in

dices of the distributions That is fX g and fY g are computationally

S S

indistinguishable in a nonuniform sense if for every p olynomial p the ensembles

fX and fY g are computationally indistinguishable as in Deni g

S S

pjj

tion C where S f S f g g and X X resp

pjj

Y Y for every f g An equivalent alternative denition can b e

obtained by following the formulation that underlies Denition

C Pseudorandom Generators

Lo osely sp eaking a pseudorandom generator is an ecient deterministic algorithm

that on input a short random seed outputs a typically much longer sequence that

is computationally indistinguishable from a uniformly chosen sequence

Denition C pseudorandom generator Denition restated Let N N

satisfy n n for al l n N A pseudorandom generator with stretch function

is a deterministic polynomialtime algorithm G satisfying the fol lowing

For every s f g it holds that jGsj jsj

fGU g and fU g are computationally indistinguishable where

n

n

nN nN

m

U denotes the uniform distribution over f g

m

Indeed the probability ensemble fGU g is called pseudorandom

n

nN

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

We stress that pseudorandom sequences can replace truly random sequences not

only in standard algorithmic applications but also in cryptographic ones That

is any cryptographic application that is secure when the legitimate parties use

truly random sequences is also secure when the legitimate parties use pseudo

random sequences The b enet in such a substitution of random sequences by

pseudorandom ones is that the latter sequences can b e eciently generated using

much less true randomness Furthermore in an interactive setting it is p ossible to

eliminate all random steps from the online execution of a program by replacing

them with the generation of pseudorandom bits based on a random seed selected

and xed oline or at setup time This allows interactive parties to generate

a long sequence of common secret bits based on a shared random seed which may

have b een selected at a much earlier time

Various cryptographic applications of pseudorandom generators will b e pre

sented in the sequel but let us rst recall that pseudorandom generators exist if

and only if oneway functions exist see Theorem For further treatment of

pseudorandom generators the reader is referred to Section

C Pseudorandom Functions

Recall that pseudorandom generators provide a way to eciently generate long

pseudorandom sequences from short random seeds Pseudorandom functions in

tro duced and constructed by Goldreich Goldwasser and Micali are even more

p owerful they provide ecient direct access to the bits of a huge pseudorandom

sequence which is not feasible to scan bitbybit More precisely a pseudorandom

function is an ecient deterministic algorithm that given an nbit seed s and an

nbit argument x returns an nbit string denoted f x such that it is infeasible

s

n

to distinguish the values of f for a uniformly chosen s f g from the values

s

n n

of a truly random function F f g f g That is the feasible testing

pro cedure is given oracle access to the function but not its explicit description

and cannot distinguish the case it is given oracle access to a pseudorandom function

from the case it is given oracle access to a truly random function

Denition C pseudorandom functions A pseudorandom function ensemble

jsj jsj

is a collection of functions ff f g f g g that satises the fol low

s

sfg

ing two conditions

ecient evaluation There exists an ecient deterministic algorithm that

jsj

given a seed s and an argument x f g returns f x

s

pseudorandomness For every probabilistic polynomialtime

M every positive polynomial p and al l suciently large ns

n f n F

U n

n

Pr M Pr M

pn

n n

where F denotes a uniformly selected function mapping f g to f g n

C PSEUDORANDOMNESS

One key feature of the foregoing denition is that pseudorandom functions can

b e generated and shared by merely generating and sharing their seed that is a

n n

random lo oking function f f g f g is determined by its nbit seed

s

s Thus parties wishing to share a random lo oking function f determining

s

n

many values merely need to generate and share among themselves the nbit

seed s For example one party may randomly select the seed s and communicate

it via a secure channel to all other parties Sharing a pseudorandom function

allows parties to determine by themselves and without any further communication

randomlo oking values dep ending on their current views of the environment which

need not b e known a priori To appreciate the p otential of this to ol one should

realize that sharing a pseudorandom function is essentially as go o d as b eing able

to agree on the y on the asso ciation of random values to online given values

where the latter are taken from a huge set of p ossible values We stress that

this agreement is achieved without communication and synchronization Whenever

n

some party needs to asso ciate a random value to a given value v f g it will

n

asso ciate to v the same random value r f g by setting r f v where

v v s

f is a pseudorandom function agreed up on b eforehand Concrete applications of

s

this p ower of pseudorandom functions app ear in Sections C and C

Theorem C How to construct pseudorandom functions Pseudorandom func

tions can be constructed using any pseudorandom generator

Pro of Sketch Let G b e a pseudorandom generator that stretches its seed by a

factor of two ie n n and let G s resp G s denote the rst resp

last jsj bits in Gs Let

def

s G G s G G

jsj jsj

def

s and consider the function ensemble ff dene f x x x G

s s n x x x

n

jsj jsj

f g f g g Pictorially the function f is dened by nstep walks

s

sfg

down a full binary tree of depth n having lab els at the vertices The ro ot of the

tree hereafter referred to as the level vertex of the tree is lab eled by the string

s If an internal vertex is lab eled r then its left child is lab eled G r whereas its

right child is lab eled G r The value of f x is the string residing in the leaf

s

reachable from the ro ot by a path corresp onding to the string x

We claim that the function ensemble ff g is pseudorandom The pro of

s

sfg

th i

uses the hybrid technique cf Section The i hybrid denoted H is a

n

i

n n n

function ensemble consisting of functions f g f g each determined

i

i

s hs i The value of such function by random nbit strings denoted

fg

at x where j j i is dened to equal G s Pictorially the function h

s

h is dened by placing the strings in s in the corresp onding vertices of level i and

s

lab eling vertices of lower levels using the very rule used in the denition of f The

s

and extreme hybrids corresp ond to our indistinguishability claim ie H f

U

n

n

n

H is a truly random function and the indistinguishability of neighboring hybrids

n

See details in Sec

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

follows from our indistinguishability hypothesis by using a reducibility argument

i i

Sp ecically we show that the ability to distinguish H from H yields an ability

n n

to distinguish multiple samples of GU from multiple samples of U by placing

n n

st

on the y halves of the given samples at adequate vertices of the i level

Variants Useful variants and generalizations of the notion of pseudorandom

functions include Bo olean pseudorandom functions that are dened over all strings

ie f f g f g and pseudorandom functions that are dened for other

s

djsj r jsj

domains and ranges ie f f g f g for arbitrary p olynomially

s

b ounded functions d r N N Various transformations b etween these variants

are known cf Sec and Ap dx C

C ZeroKnowledge

Zeroknowledge pro ofs provide a p owerful to ol for the design of cryptographic pro

to cols as well as a go o d b enchmark for the study of various issues regarding such

proto cols Lo osely sp eaking zeroknowledge pro ofs are pro ofs that yield nothing

b eyond the validity of the assertion That is a verier obtaining such a pro of

only gains conviction in the validity of the assertion as if it was told by a trusted

party that the assertion holds This is formulated by saying that anything that is

feasibly computable from a zeroknowledge pro of is also feasibly computable from

the valid assertion itself The latter formulation follows the simulation paradigm

which is discussed next while repro ducing part of the discussion in x and

making additional comments regarding the use of this paradigm in cryptography

C The Simulation Paradigm

A key question regarding the mo deling of security concerns is how to express the

intuitive requirement that an adversary gains nothing substantial by deviating

from the prescrib ed b ehavior of an honest user The answer provided by the sim

ulation paradigm is that the adversary gains nothing if whatever it can obtain by

unrestricted adversarial b ehavior can also b e obtained within essentially the same

computational eort by a b enign b ehavior The denition of the b enign b ehavior

captures what we want to achieve in terms of security and is sp ecic to the security

concern to b e addressed For example in the context of zeroknowledge the unre

stricted adversarial b ehavior is captured by an arbitrary probabilistic p olynomial

time verier strategy whereas the b enign b ehavior is any computation that is

based only on the assertion itself while assuming that the latter is valid Other

examples are discussed in Sections C and C

The denitional approach to security represented by the simulation paradigm

and more generally the entire denitional approach surveyed in this app endix may

b e considered overly cautious b ecause it seems to prohibit also nonharmful gains

of some far fetched adversaries We warn against this impression Firstly there

Indeed according to the simulation paradigm a system is called secure only if all p ossible

C ZEROKNOWLEDGE

is nothing more dangerous in cryptography than to consider reasonable adver

saries a notion which is almost a contradiction in terms typically the adversaries

will try exactly what the system designer has discarded as far fetched Secondly

it seems imp ossible to come up with denitions of security that distinguish break

ing the system in a harmful way from breaking it in a nonharmful way what

is harmful is applicationdep endent whereas a go o d denition of security ought to

b e applicationindep endent as otherwise using the cryptographic system in any

new application will require a full reevaluation of its security Furthermore even

with resp ect to a sp ecic application it is typically very hard to classify the set of

harmful breakings

C The Actual Denition

In x zeroknowledge was dened as a prop erty of some prover strategies

within the context of interactive pro of systems as dened in Section More

generally the term may apply to any interactive machine regardless of its goal A

strategy A is zeroknowledge on inputs from the set S if for every feasible strategy

B there exists a feasible computation C such that the following two probability

ensembles are computationally indistinguishable according to Denition C

def

the output of B after interacting with A on common fA B xg

xS

input x S and

def

the output of C on input x S fC xg

xS

Recall that the rst ensemble represents an actual execution of an interactive pro

to col whereas the second ensemble represents the computation of a standalone

pro cedure called the simulator which do es not interact with anybo dy

The foregoing denition do es not account for auxiliary information that an

adversary B may have prior to entering the interaction Accounting for such

auxiliary information is essential for using zeroknowledge pro ofs as subproto cols

inside larger proto cols This is taken care of by a stricter notion called auxiliary

input zeroknowledge which was not presented in Section

Denition C zeroknowledge revisited A strategy A is auxiliaryinput zero

knowledge on inputs from S if for every probabilistic polynomialtime strategy B

and every polynomial p there exists a probabilistic polynomialtime algorithm C

such that the fol lowing two probability ensembles are computationally indistinguish

able

def

fA B z xg the output of B when having auxiliary

pjxj

xS z fg

input z and interacting with A on common input x S and

def

fC x z g the output of C on inputs x S and z

pjxj

xS z fg

pjxj

f g

adversaries can b e adequately simulated by adequate b enign b ehavior Thus this approach

considers also far fetched adversaries and do es not disregard nonharmful gains that cannot

b e simulated

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

Almost all known zeroknowledge pro ofs are in fact auxiliaryinput zeroknowledge

As hinted auxiliaryinput zeroknowledge is preserved under sequential composi

tion A simulator for the multiplesession proto col can b e constructed by itera

tively invoking the singlesession simulator that refers to the residual strategy of

the adversarial verier in the given session while feeding this simulator with the

transcript of previous sessions Indeed the residual singlesession verier gets the

transcript of the previous sessions as part of its auxiliary input ie z in Deni

tion C For details see Sec

C A General Result and a Generic Application

A question avoided so far is whether zeroknowledge pro ofs exist at all Clearly

every set in P or rather in BPP has a trivial zeroknowledge pro of in which the

verier determines membership by itself however what we seek is zeroknowledge

pro ofs for statements that the verier cannot decide by itself

Assuming the existence of commitment schemes cf xC which in

turn exist if oneway functions exist there exist auxiliaryinput zero

know ledge proofs of membership in any NPset These zeroknowledge pro ofs ab

stractly depicted in Construction have the following imp ortant prop erty the

prescrib ed prover strategy is ecient provided it is given as auxiliaryinput an NP

witness to the assertion to b e proved Implementing the abstract b oxes referred

to in Construction by commitment schemes we get

Theorem C On the applicability of zeroknowledge pro ofs Theorem re

visited If nonuniformly hard oneway functions exist then every set S NP

has an auxiliaryinput zeroknowledge interactive proof Furthermore the pre

scribed prover strategy can be implemented in probabilistic polynomialtime pro

vided that it is given as auxiliaryinput an NPwitness for membership of the com

mon input in S

Theorem C makes zeroknowledge a very p owerful to ol in the design of crypto

graphic schemes and proto cols see xC We comment that the intractability

assumption used in Theorem C seems essential

C Commitment schemes

Lo osely sp eaking commitment schemes are twostage twoparty proto cols allow

ing for one party to commit itself at the rst stage to a value while keeping the

value secret At a later ie second stage the commitment is op ened and it is

guaranteed that the op ening can yield only a single value which is determined

The auxiliaryinput given to the prescrib ed prover in order to allow for an ecient imple

mentation of its strategy is not to b e confused with the auxiliaryinput that is given to malicious

veriers in the denition of auxiliaryinput zeroknowledge The former is typically an NP

witness for the common input which is available to the user that invokes the prover strategy cf

the generic application discussed in x C In contrast the auxiliaryinput that is given to

malicious veriers mo dels arbitrary partial information that may b e available to the adversary

C ZEROKNOWLEDGE

during the committing phase Thus the rst stage of the commitment scheme is

b oth binding and hiding

A simple unidirectional communication commitment scheme can b e con

structed based on any oneway function f with a corresp onding hardcore

n

b To commit to a bit the sender uniformly selects s f g and sends the

pair f s bs Note that this is b oth binding and hiding An alternative

construction which can b e based on any oneway function uses a pseudorandom

generator G that stretches its seed by a factor of three cf Theorem A

commitment is established via twoway communication as follows cf The

n

receiver selects uniformly r f g and sends it to the sender which selects

n

uniformly s f g and sends r Gs if it wishes to commit to the value one

and Gs if it wishes to commit to zero To see that this is binding observe that

n

there are at most bad values r that satisfy Gs r Gs for some pair

s s and with overwhelmingly high probability the receiver will not pick one of

these bad values The hiding prop erty follows by the pseudorandomness of G

C A generic application

As mentioned Theorem C makes zeroknowledge a very p owerful to ol in the

design of cryptographic schemes and proto cols This wide applicability is due to

two imp ortant asp ects regarding Theorem C Firstly Theorem C provides a

zeroknowledge pro of for every NPset and secondly the prescrib ed prover can b e

implemented in probabilistic p olynomialtime when given an adequate NPwitness

We now turn to a typical application of zeroknowledge pro ofs

In a typical cryptographic setting a user U has a secret and is supp osed to take

some action based on its secret For example U may b e instructed to send several

dierent commitments cf xC to a single secret value of its choice The

question is how can other users verify that U indeed to ok the correct action as

determined by U s secret and publicly known information Indeed if U discloses

its secret then anybo dy can verify that U to ok the correct action However U do es

not want to reveal its secret Using zeroknowledge pro ofs we can satisfy b oth con

icting requirements ie having other users verify that U to ok the correct action

without violating U s interest in not revealing its secret That is U can prove

in zeroknowledge that it to ok the correct action Note that U s claim to having

taken the correct action is an NPassertion since U s legal action is determined as

a p olynomialtime function of its secret and the public information and that U

has an NPwitness to its validity ie the secret is an NPwitness to the claim that

the action ts the public information Thus by Theorem C it is p ossible for

U to eciently prove the correctness of its action without yielding anything ab out

its secret Consequently it is fair to ask U to prove in zeroknowledge that it

b ehaves prop erly and so to force U to b ehave prop erly Indeed forcing prop er

b ehavior is the canonical application of zeroknowledge pro ofs see xC

This paradigm ie forcing prop er b ehavior via zeroknowledge pro ofs which

in turn is based on Theorem C has b een utilized in numerous dierent settings

Indeed this paradigm is the basis for the wide applicability of zeroknowledge

proto cols in Cryptography

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

C Denitional Variations and Related Notions

In this section we consider numerous variants on the notion of zeroknowledge and

the underlying mo del of interactive pro ofs These include blackbox simulation and

other variants of zeroknowledge cf Section C as well as notions such as

pro ofs of knowledge noninteractive zeroknowledge and witness indistinguishable

pro ofs cf Section C

Before starting we call the readers attention to the notion of computational

soundness and to the related notion of argument systems discussed in x

We mention that argument systems may b e more ecient than interactive pro ofs

as well as provide stronger zeroknowledge guarantees Sp ecically almostp erfect

zeroknowledge arguments for NP can b e constructed based on any oneway func

tion where almostp erfect zeroknowledge means that the simulators output

is statistically close to the veriers view in the real interaction see a discussion

in xC Note that stronger security guarantee for the prover as provided by

almostp erfect zeroknowledge comes at the cost of weaker security guarantee for

the verier as provided by computational soundness The answer to the question

of whether or not this tradeo is worthwhile seems to b e application dep endent

and one should also take into account the availability and complexity of the corre

sp onding proto cols

C Denitional variations

We consider several denitional issues regarding the notion of zeroknowledge as

dened in Denition C

Universal and blackbox simulation One strengthening of Denition C is

obtained by requiring the existence of a universal simulator denoted C that can

simulate the interactive gain of any verier strategy B when given the veriers

program an auxiliaryinput that is in terms of Denition C one should replace

C x z by C x z hB i where hB i denotes the description of the program of B

which may dep end on x and on z That is we eectively restrict the simulation

by requiring that it b e a uniform feasible function of the veriers program rather

than arbitrarily dep end on it This restriction is very natural b ecause it seems

hard to envision an alternative way of establishing the zeroknowledge prop erty of

a given proto col Taking another step one may argue that since it seems infea

sible to reverseengineer programs the simulator may as well just use the verier

strategy as an oracle or as a blackbox This reasoning gave rise to the notion

of blackb ox simulation which was introduced and advocated in and further

studied in numerous works The b elief was that inherent limitations regarding

blackbox simulation represent inherent limitations of zeroknowledge itself For

example it was b elieved that the fact that the parallel version of the interactive

pro of of Construction cannot b e simulated in a blackbox manner unless NP

is contained in BPP implies that this version is not zeroknowledge as p er Deni

tion C itself However the underlying b elief that any zeroknowledge proto col

can b e simulated in a blackbox manner was later refuted by Barak

C ZEROKNOWLEDGE

Honest verier versus general cheating verier Denition C refers to

all feasible verier strategies which is most natural in the cryptographic setting

b ecause zeroknowledge is supp osed to capture the robustness of the prover un

der any feasible ie adversarial attempt to gain something by interacting with

it A weaker and still interesting notion of zeroknowledge refers to what can b e

gained by an honest verier or rather a semihonest verier that interacts

with the prover as directed with the exception that it may maintain and out

put a record of the entire interaction ie even if directed to erase all records

of the interaction Although such a weaker notion is not satisfactory for stan

dard cryptographic applications it yields a fascinating notion from a conceptual

as well as a complexitytheoretic p oint of view Furthermore every pro of system

that is zeroknowledge with respect to the honestverier can b e transformed into

a standard zeroknowledge pro of without using intractability assumptions and in

the case of publiccoin pro ofs this is done without signicantly increasing the

provers computational eort see

Statistical versus Computational ZeroKnowledge Recall that Denition C

p ostulates that for every probability ensemble of one type ie representing the

veriers output after interaction with the prover there exists a similar ensemble

of a second type ie representing the simulators output One key parameter is

the interpretation of similarity Three interpretations yielding dierent notions

of zeroknowledge have b een extensively considered in the literature

Perfect ZeroKnowledge requires that the two probability ensembles b e iden

tically distributed

Statistical or AlmostPerfect ZeroKnowledge requires that these probability

ensembles b e statistically close ie the variation distance b etween them

should b e negligible

Computational or rather general ZeroKnowledge requires that these proba

bility ensembles b e computationally indistinguishable

Indeed Computational ZeroKnowledge is the most lib eral notion and is the notion

considered in Denition C We note that the class of problems having statistical

zeroknowledge pro ofs contains several problems that are considered intractable

The interested reader is referred to

The term honest verier is more app ealing when considering an alternative equivalent

formulation of Denition C In the alternative denition see Sec the simulator

is only required to generate the veriers view of the real interaction where the veriers view

includes its common and auxiliary inputs the outcome of its coin tosses and all messages it

has received

The actual denition of Perfect ZeroKnowledge allows the simulator to fail while outputting

a sp ecial symbol with negligible probability and the output distribution of the simulator is

conditioned on its not failing

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

C Related notions POK NIZK and WI

We briey discuss the notions of pro ofs of knowledge POK noninteractive zero

knowledge NIZK and witness indistinguishable pro ofs WI

Pro ofs of Knowledge Lo osely sp eaking pro ofs of knowledge are interactive

pro ofs in which the prover asserts knowledge of some ob ject eg a coloring

of a graph and not merely its existence eg the existence of a coloring of the

graph which in turn is equivalent to the assertion that the graph is colorable

See further discussion in Section We mention that proofs of know ledge and in

particular zeroknowledge proofs of know ledge have many applications to the design

of cryptographic schemes and cryptographic proto cols One famous application of

zeroknowledge pro ofs of knowledge is to the construction of identication schemes

eg the FiatShamir scheme

NonInteractive ZeroKnowledge The mo del of noninteractive zeroknowledge

NIZK pro of systems consists of three entities a prover a verier and a uniformly

selected reference string which can b e thought of as b eing selected by a trusted

third party Both the verier and prover can read the reference string as well as

the common input and each can toss additional coins The interaction consists of

a single message sent from the prover to the verier who is then left with the nal

decision whether or not to accept the common input The basic zeroknowledge

requirement refers to a simulator that outputs pairs that should b e computationally

indistinguishable from the distribution of pairs consisting of a uniformly selected

reference string and a random prover message seen in the real mo del We men

tion that NIZK pro of systems have numerous applications eg to the construction

of publickey encryption and signature schemes where the reference string may b e

incorp orated in the publickey which in turn motivate various augmentations of

the basic denition of NIZK see Sec and Sec Such NIZK

pro ofs for any NPset can b e constructed based on standard intractability assump

tions eg intractability of factoring but even constructing basic NIZK pro of

systems seems more dicult than constructing interactive zeroknowledge pro of

systems

Witness Indistinguishability The notion of witness indistinguishability was

suggested in as a meaningful relaxation of zeroknowledge Lo osely sp eaking

for any NPrelation R a pro of or argument system for the corresp onding NPset

is called witness indistinguishable if no feasible verier may distinguish the case in

which the prover uses one NPwitness to x ie w such that x w R from

the case in which the prover is using a dierent NPwitness to the same input x

ie w such that x w R Clearly any zeroknowledge proto col is witness

indistinguishable but the converse do es not necessarily hold Furthermore it seems

Note that the verier do es not eect the distribution seen in the real mo del and so the basic

denition of zeroknowledge do es not refer to it The verier or rather a pro cess of adaptively

selecting assertions to b e proved is referred to in the adaptive variants of the denition

C ENCRYPTION SCHEMES

that witness indistinguishable proto cols are easier to construct than zeroknowledge

ones Another advantage of witness indistinguishable proto cols is that they are

closed under arbitrary concurrent comp osition whereas in general zeroknowledge

proto cols are not closed even under parallel comp osition Witness indistinguishable

proto cols turned out to b e an important tool in the construction of more complex

protocols We refer in particular to the technique of for constructing zero

knowledge pro ofs and arguments based on witness indistinguishable pro ofs resp

arguments

C Encryption Schemes

The problem of providing secret communication over insecure media is the tra

ditional and most basic problem of cryptography The setting of this problem

consists of two parties communicating through a channel that is p ossibly tapp ed

by an adversary The parties wish to exchange information with each other but

keep the wiretapp er as ignorant as p ossible regarding the contents of this infor

mation The canonical solution to this problem is obtained by the use of encryption

schemes Lo osely sp eaking an encryption scheme is a proto col allowing these par

ties to communicate secretly with each other Typically the encryption scheme

consists of a pair of algorithms One algorithm called encryption is applied by the

sender ie the party sending a message while the other algorithm called decryp

tion is applied by the receiver Hence in order to send a message the sender rst

applies the encryption algorithm to the message and sends the result called the

ciphertext over the channel Up on receiving a ciphertext the other party ie the

receiver applies the decryption algorithm to it and retrieves the original message

called the plaintext

In order for the foregoing scheme to provide secret communication the receiver

must know something that is not known to the wiretapp er Otherwise the wire

tapp er can decrypt the ciphertext exactly as done by the receiver This extra

knowledge may take the form of the decryption algorithm itself or some parame

ters andor auxiliary inputs used by the decryption algorithm We call this extra

knowledge the decryptionkey Note that without loss of generality we may assume

that the decryption algorithm is known to the wiretapp er and that the decryp

tion algorithm op erates on two inputs a ciphertext and a decryptionkey This

description implicitly presupp oses the existence of an ecient algorithm for gener

ating random keys We stress that the existence of a decryptionkey not known

to the wiretapp er is merely a necessary condition for secret communication

Evaluating the security of an encryption scheme is a very tricky business

A preliminary task is to understand what is security ie to prop erly dene

what is meant by this intuitive term Two approaches to dening security are

known The rst classical approach introduced by Shannon is informa

tion theoretic It is concerned with the information ab out the plaintext that is

present in the ciphertext Lo osely sp eaking if the ciphertext contains informa

tion ab out the plaintext then the encryption scheme is considered insecure It has

b een shown that such high ie p erfect level of security can b e achieved only

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

if the key in use is at least as long as the total amount of information sent via the

encryption scheme This fact ie that the key has to b e longer than the

information exchanged using it is indeed a drastic limitation on the applicability

of such p erfectlysecure encryption schemes

The second mo dern approach followed in the current text is based on

computational complexity This approach is based on the thesis that it does not

matter whether the ciphertext contains information ab out the plaintext but rather

whether this information can b e eciently extracted In other words instead of

asking whether it is possible for the wiretapp er to extract sp ecic information we

ask whether it is feasible for the wiretapp er to extract this information It turns

out that the new ie computational complexity approach can oer security

even when the key is much shorter than the total length of the messages sent via

the encryption scheme

The computational complexity approach enables the introduction of concepts

and primitives that cannot exist under the information theoretic approach A typ

ical example is the concept of publickey encryption schemes introduced by Die

and Hellman with the most p opular candidate suggested by Rivest Shamir

and Adleman Recall that in the foregoing discussion we concentrated on

the decryption algorithm and its key It can b e shown that the encryption algo

rithm must also get in addition to the message an auxiliary input that dep ends on

the decryptionkey This auxiliary input is called the encryptionkey Traditional

encryption schemes and in particular all the encryption schemes used in the millen

nia until the s op erate with an encryptionkey that equals the decryptionkey

Hence the wiretapp er in these schemes must b e ignorant of the encryptionkey

and consequently the key distribution problem arises that is how can two par

ties wishing to communicate over an insecure channel agree on a secret encryp

tiondecryption key The traditional solution is to exchange the key through an

alternative channel that is secure though much more exp ensive to use The com

putational complexity approach allows the introduction of encryption schemes in

which the encryptionkey may b e given to the wiretapp er without compromising

the security of the scheme Clearly the decryptionkey in such schemes is dierent

from the encryptionkey and furthermore it is infeasible to obtain the decryption

key from the encryptionkey Such encryption schemes called publickey schemes

have the advantage of trivially resolving the key distribution problem b ecause the

encryptionkey can b e publicized That is once some Party X generates a pair of

keys and publicizes the encryptionkey any party can send encrypted messages to

Party X such that Party X can retrieve the actual information ie the plaintext

whereas nob o dy else can learn anything ab out the plaintext

In contrast to publickey schemes traditional encryption schemes in which the

encryptionkey equals the descriptionkey are called privatekey schemes b ecause

in these schemes the encryptionkey must b e kept secret rather than b e public

as in publickey encryption schemes We note that a full sp ecication of either

schemes requires the sp ecication of the way in which keys are generated that is a

randomized keygeneration algorithm that given a security parameter pro duces

a random pair of corresp onding encryptiondecryption keys which are identical

C ENCRYPTION SCHEMES

in case of privatekey schemes

Thus b oth privatekey and publickey encryption schemes consist of three ef

cient algorithms a key generation algorithm denoted G an encryption algorithm

denoted E and a decryption algorithm denoted D For every pair of encryption

and decryption keys e d generated by G and for every plaintext x it holds that

def def

D E x x where E x E e x and D y D d y The dierence b e

d e e d

tween the two types of encryption schemes is reected in the denition of security

the security of a publickey encryption scheme should hold also when the adversary

is given the encryptionkey whereas this is not required for a privatekey encryp

tion scheme In the following denitional treatment we fo cus on the publickey case

and the privatekey case can b e obtained by omitting the encryptionkey from the

sequence of inputs given to the adversary

C Denitions

A go o d disguise should not reveal the p ersons height

Sha Goldwasser and Silvio Micali

For simplicity we rst consider the encryption of a single message which for fur

ther simplicity is assumed to b e of length that equals the security parameter n

As implied by the foregoing discussion a publickey encryption scheme is said to

b e secure if it is infeasible to gain any information ab out the plaintext by lo oking

at the ciphertext and the encryptionkey That is whatever information ab out

the plaintext one may compute from the ciphertext and some apriori informa

tion can b e essentially computed as eciently from the apriori information alone

This fundamental denition of security called semantic security was introduced

by Goldwasser and Micali

Denition C semantic security A publickey encryption scheme G E D

is semantically secure if for every probabilistic polynomialtime algorithm A there

exists a probabilistic polynomialtime algorithm B such that for every two functions

f h f g f g and al l probability ensembles fX g that satisfy jhxj

n

nN

n

p oly jxj and X f g it holds that

n

n

Pr Ae E x hx f x Pr B hx f x n

e

where the plaintext x is distributed according to X the encryptionkey e is dis

n

n

tributed according to G and is a negligible function

That is it is feasible to predict f x from hx as successfully as it is to predict

f x from hx and e E x which means that nothing is gained by obtaining

e

e E x Note that no computational restrictions are made regarding the func

e

tions h and f We stress that the foregoing denition as well as the next one

In the case of publickey schemes no generality is lost by these simplifying assumptions but in

the case of privatekey schemes one should consider the encryption of p olynomiallymany messages

as we do at the end of this section

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

refers to publickey encryption schemes and in the case of privatekey schemes

algorithm A is not given the encryptionkey e

The following technical interpretation of security states that it is infeasible to

distinguish the encryptions of any two plaintexts of the same length As we

shall see this denition also originating in is equivalent to Denition C

Denition C indistinguishability of encryptions A publickey encryption

scheme G E D has indistinguishable encryptions if for every probabilistic polynomial

time algorithm A and al l sequences of triples x y z where jx j jy j

n n n n n

nN

n and jz j p oly n it holds that

n

jPr Ae E x z Pr Ae E y z j n

e n n e n n

n

Again e is distributed according to G and is a negligible function

In particular z may equal x y Thus it is infeasible to distinguish the en

n n n

cryptions of any two xed messages such as the allzero message and the allones

message Thus the following motto is adequate to o

A go o d disguise should not allow a mother to distinguish her own children

Sha Goldwasser and Silvio Micali

Denition C is more app ealing in most settings where encryption is considered

the end goal Denition C is used to establish the security of candidate en

cryption schemes as well as to analyze their application as mo dules inside larger

cryptographic proto cols Thus the equivalence of these denitions is of ma jor

imp ortance

Equivalence of Denitions C and C pro of ideas Intuitively in

distinguishability of encryptions ie of the encryptions of x and y is a sp ecial

n n

case of semantic security sp ecically it corresp onds to the case that X is uni

n

form over fx y g the function f indicates one of the plaintexts and h do es not

n n

distinguish them ie f w i w x and hx hy z where z is

n n n n n

as in Denition C The other direction is proved by considering the algorithm

n n

B that on input v where v hx generates e d G and outputs

n

Ae E v where A is as in Denition C Indistinguishability of encryptions

e

is used to prove that B p erforms as well as A ie for every h f and fX g

n

nN

n n

it holds that Pr B hX f X Pr Ae E hX f X approx

n n e n n

imately equals Pr Ae E X hX f X

e n n n

Probabilistic Encryption A secure publickey encryption scheme must em

ploy a probabilistic ie randomized encryption algorithm Otherwise given the

encryptionkey as additional input it is easy to distinguish the encryption of the

Indeed satisfying this condition requires using a probabilistic encryption algorithm

C ENCRYPTION SCHEMES

allzero message from the encryption of the allones message This explains the

asso ciation of the robust denitions of security with the paradigm of probabilistic

encryption an asso ciation that originates in the title of the pioneering work of

Goldwasser and Micali

Further discussion We stress that the equivalent Denitions C and C

go way b eyond saying that it is infeasible to recover the plaintext from the ci

phertext The latter statement is indeed a minimal requirement from a secure

encryption scheme but is far from b eing a sucient requirement Typically en

cryption schemes are used in applications where even obtaining partial information

on the plaintext may endanger the security of the application When designing an

applicationindep endent encryption scheme we do not know which partial informa

tion endangers the application and which do es not Furthermore even if one wants

to design an encryption scheme tailored to a sp ecic application it is rare to say

the least that one has a precise characterization of all p ossible partial information

that endanger this application Thus we need to require that it is infeasible to

obtain any information ab out the plaintext from the ciphertext Furthermore in

most applications the plaintext may not b e uniformly distributed and some apriori

information regarding it may b e available to the adversary We require that the

secrecy of all partial information is preserved also in such a case That is even

in presence of apriori information on the plaintext it is infeasible to obtain any

new information ab out the plaintext from the ciphertext b eyond what is feasible

to obtain from the apriori information on the plaintext The denition of seman

tic security p ostulates all of this The equivalent denition of indistinguishability

of encryptions is useful in demonstrating the security of candidate constructions as

well as for arguing ab out their eect as part of larger proto cols

Security of multiple messages Denitions C and C refer to the se

curity of an encryption scheme that is used to encrypt a single plaintext p er a

generated key Since the plaintext may b e longer than the key these deni

tions are already nontrivial and an encryption scheme satisfying them even in

the privatekey mo del implies the existence of oneway functions Still in many

cases it is desirable to encrypt many plaintexts using the same encryptionkey

Lo osely sp eaking an encryption scheme is secure in the multiplemessages setting

if conditions as in Denition C resp Denition C hold when p olynomially

many plaintexts are encrypted using the same encryptionkey cf Sec

In the publickey model security in the singlemessage setting implies security in

the multiplemessages setting We stress that this is not necessarily true for the

The same holds for stateless privatekey encryption schemes when considering the security

of encrypting several messages rather than a single message as in the foregoing text For

example if one uses a deterministic encryption algorithm then the adversary can distinguish two

encryptions of the same message from the encryptions of a pair of dierent messages

Recall that for sake of simplicity we have considered only messages of length n but the

general denitions refer to messages of arbitrary p olynomial in n length We comment that in

the general form of Denition C one should provide the length of the message as an auxiliary

input to b oth algorithms A and B

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

privatekey model

C Constructions

It is common practice to use pseudorandom generators as a basis for private

key encryption schemes We stress that this is a very dangerous practice when

the pseudorandom generator is easy to predict such as the linear congruential

generator However this common practice b ecomes sound provided one uses

pseudorandom generators as dened in Section C An alternative and more

exible construction follows

PrivateKey Encryption Scheme based on Pseudorandom Functions

We present a simple construction of a privatekey encryption scheme that uses

pseudorandom functions as dened in Section C The keygeneration algorithm

n

consists of uniformly selecting a seed s f g for a pseudorandom function de

n

noted f To encrypt a message x f g using key s the encryption algorithm

s

n

uniformly selects a string r f g and pro duces the ciphertext r x f r

s

where denotes the exclusiveor of bit strings To decrypt the ciphertext r y

using key s the decryption algorithm just computes y f r The pro of of

s

security of this encryption scheme consists of two steps

Proving that an idealized version of the scheme in which one uses a uniformly

n n

selected function F f g f g rather than the pseudorandom function

f is secure

s

Concluding that the real scheme is secure b ecause otherwise one could dis

tinguish a pseudorandom function from a truly random one

Note that we could have gotten rid of the randomization in the encryption pro cess

if we had allowed the encryption algorithm to b e history dep endent eg use a

counter in the role of r This can b e done if all parties that use the same key

for encryption co ordinate their encryption actions by maintaining a joint state

eg counter Indeed when using a privatekey encryption scheme a common

situation is that the same key is only used for communication b etween two sp ecic

parties which up date a joint counter during their communication Furthermore

if the encryption scheme is used for fifo communication b etween the parties and

b oth parties can reliably maintain the counter value then there is no need for

the sender to send the counter value The resulting scheme is related to stream

ciphers which are commonly used in practice

We comment that the use of a counter or any other state in the encryption

pro cess is not reasonable in the case of publickey encryption schemes b ecause it

is incompatible with the canonical usage of such schemes ie allowing all parties

to send encrypted messages to the owner of the encryptionkey without engaging

in any type of further co ordination or communication Furthermore unlike in the

case of privatekey schemes probabilistic encryption is essential for the security

of publickey encryption schemes even in the case of encrypting a single message

C ENCRYPTION SCHEMES

Following Goldwasser and Micali we now demonstrate the use of probabilistic

encryption in the construction of publickey encryption schemes

PublicKey Encryption Scheme based on Trapdo or Permutations We

present two constructions of publickey encryption schemes that employ a collection

of trap do or p ermutations as dened in Denition C Let ff D D g b e

i i i i

such a collection and let b b e a corresp onding hardcore predicate In the rst

scheme the keygeneration algorithm consists of selecting a p ermutation f along

i

with a corresp onding trap do or t and outputting i t as the keypair To encrypt

a single bit using the encryptionkey i the encryption algorithm uniformly

selects r D and pro duces the ciphertext f r br To decrypt the

i i

ciphertext y using the decryptionkey t the decryption algorithm computes

bf y using the trap do or t of f Clearly br bf f r

i i

i i

Indistinguishability of encryptions is implied by the hypothesis that b is a hardcore

of f We comment that this scheme is quite wasteful in bandwidth nevertheless

i

the paradigm underlying its construction ie applying the trap do or p ermutation

to a randomized version of the plaintext rather than to the actual plaintext is

valuable in practice

A more ecient construction of a publickey encryption scheme which uses

the same keygeneration algorithm follows To encrypt an bit long string x

using the encryptionkey i the encryption algorithm uniformly selects r D

i

r x computes y br bf r bf r and pro duces the ciphertext f

i

i

i

y To decrypt the ciphertext u v using the decryptionkey t the decryption

algorithm rst recovers r f u using the trap do or t of f and then obtains

i

i

v br bf r bf r Note the similarity to the BlumMicali Construction

i

i

depicted in Eq and the fact that the pro of of the pseudorandomness of

Eq can b e extended to establish the computational indistinguishability of

br bf r f r and r f r for random and indep endent r D and

i

i i

i

r f g Indistinguishability of encryptions follows and thus the second scheme

is secure We mention that assuming the intractability of factoring integers this

scheme has a concrete implementation with eciency comparable to that of RSA

C Beyond Eavesdropping Security

Our treatment so far has referred only to a passive attack in which the adversary

merely eavesdrops the line over which ciphertexts are sent Stronger types of at

tacks ie active ones culminating in the socalled Chosen Ciphertext Attack

may b e p ossible in various applications Sp ecically in some settings it is feasible

for the adversary to make the sender encrypt a message of the adversarys choice

and in some settings the adversary may even make the receiver decrypt a ciphertext

of the adversarys choice This gives rise to chosen plaintext attacks and to chosen

ciphertext attacks resp ectively which are not covered by the security denitions

considered in Sections C and C Here we briey discuss such active at

tacks fo cusing on chosen ciphertext attacks of the strongest type known as a

p osteriori or CCA

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

Lo osely sp eaking in a chosen ciphertext attack the adversary may obtain the

decryptions of ciphertexts of its choice and is deemed successful if it learns some

thing regarding the plaintext that corresp onds to some dierent ciphertext see

Sec That is the adversary is given oracle access to the decryption function

corresp onding to the decryptionkey in use and in the case of privatekey schemes

it is also given oracle access to the corresp onding encryption function The adver

sary is allowed to query the decryption oracle on any ciphertext except for the test

ciphertext ie the very ciphertext for which it tries to learn something ab out

the corresp onding plaintext It may also make queries that do not corresp ond to

legitimate ciphertexts and the answer will b e accordingly ie a sp ecial failure

symbol Furthermore the adversary may eect the selection of the test cipher

text by sp ecifying a distribution from which the corresp onding plaintext is to b e

drawn

Privatekey and publickey encryption schemes secure against chosen ciphertext

attacks can b e constructed under almost the same assumptions that suce for

the construction of the corresp onding passive schemes Sp ecically

Theorem C Assuming the existence of oneway functions there exist private

key encryption schemes that are secure against chosen ciphertext attack

Theorem C Assuming the existence of enhanced trap do or p ermutations

there exist publickey encryption schemes that are secure against chosen cipher

text attack

Both theorems are proved by constructing encryption schemes in which the adver

sarys gain from a chosen ciphertext attack is eliminated by making it infeasible

for the adversary to obtain any useful knowledge via such an attack In the case

of privatekey schemes ie Theorem C this is achieved by making it infeasible

for the adversary to pro duce legitimate ciphertexts other than those explicitly

given to it in resp onse to its request to encrypt plaintexts of its choice This

in turn is achieved by augmenting the ciphertext with an authentication tag

that is hard to generate without knowledge of the encryptionkey that is we use a

messageauthentication scheme as dened in Section C In the case of public

key schemes ie Theorem C the adversary can certainly generate ciphertexts

by itself and the aim is to make it infeasible for the adversary to pro duce legit

imate ciphertexts without knowing the corresp onding plaintext This in turn

will b e achieved by augmenting the plaintext with a noninteractive zeroknowledge

pro of of knowledge of the corresp onding plaintext

Security against chosen ciphertext attack is related to the notion of nonmal leability

of the encryption scheme Lo osely sp eaking in a nonmalleable encryption scheme

it is infeasible for an adversary given a ciphertext to pro duce a valid ciphertext

for a related plaintext eg given a ciphertext of a plaintext x for an unknown x

it is infeasible to pro duce a ciphertext to the plaintext x For further discussion

see Sec

Lo osely sp eaking the enhancement refers to the hardness condition of Denition C and

requires that it b e hard to recover f y also when given the coins used to sample y rather

i

than merely y itself See Ap dx C

C SIGNATURES AND MESSAGE AUTHENTICATION

C Signatures and Message Authentication

Both signature schemes and message authentication schemes are metho ds for vali

dating data that is verifying that the data was approved by a certain party or set

of parties The dierence b etween signature schemes and message authentication

schemes is that signatures should b e universally veriable whereas authentication

tags are only required to b e veriable by parties that are also able to generate

them

Signature Schemes The need to discuss digital signatures cf has

arisen with the introduction of computer communication to the business environ

ment in which parties need to commit themselves to prop osals andor declarations

that they make Discussions of unforgeable signatures did take place also prior

to the computer age but the ob jects of discussion were handwritten signatures

and not digital ones and the discussion was not p erceived as related to cryp

tography Lo osely sp eaking a scheme for unforgeable signatures should satisfy the

following requirements

each user can eciently produce its own signature on do cuments of its choice

every user can eciently verify whether a given string is a signature of another

sp ecic user on a sp ecic do cument but

it is infeasible to produce signatures of other users to do cuments they did not

sign

We note that the formulation of unforgeable digital signatures provides also a clear

statement of the essential ingredients of handwritten signatures The ingredients

are each p ersons ability to sign for itself a universally agreed verication pro ce

dure and the b elief or assertion that it is infeasible or at least hard to forge

signatures ie pro duce some other p ersons signatures to do cuments that were

not signed by it such that these unauthentic signatures are accepted by the

verication pro cedure

Message authentication schemes Message authentication is a task related

to the setting considered for encryption schemes that is communication over an

insecure channel This time we consider an active adversary that is monitoring

the channel and may alter the messages sent over it The parties communicating

through this insecure channel wish to authenticate the messages they send such

that their counterpart can tell an original message sent by the sender from a

mo died one ie mo died by the adversary Lo osely sp eaking a scheme for

message authentication should satisfy the following requirements

each of the communicating parties can eciently produce an authentication

tag to any message of its choice

each of the communicating parties can eciently verify whether a given string

is an authentication tag of a given message but

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

it is infeasible for an external adversary ie a party other than the commu

nicating parties to produce authentication tags to messages not sent by the

communicating parties

Note that in contrast to the sp ecication of signature schemes we do not require

universal verication only the designated receiver is required to b e able to verify

the authentication tags Furthermore we do not require that the receiver can not

pro duce authentication tags by itself ie we only require that external parties can

not do so Thus message authentication schemes cannot convince a third party

that the sender has indeed sent the information rather than the receiver having

generated it by itself In contrast signatures can b e used to convince third parties

in fact a signature to a do cument is typically sent to a second party so that in

the future this party may by merely presenting the signed do cument convince

third parties that the do cument was indeed generated or rather approved by the

signer

C Denitions

Both signature schemes and message authentication schemes consist of three e

cient algorithms key generation signing and verication As in the case of encryp

tion schemes the keygeneration algorithm denoted G is used to generate a pair of

corresp onding keys one is used for signing via algorithm S and the other is used

for verication via algorithm V That is S denotes a signature pro duced by

s

algorithm S on input a signingkey s and a do cument whereas V denotes

v

the verdict of the verication algorithm V regarding the do cument and the al

leged signature relative to the vericationkey v Needless to say for any pair of

keys s v generated by G and for every it holds that V S

v s

The dierence b etween the two types of schemes is reected in the denition of

security In the case of signature schemes the adversary is given the verication

key whereas in the case of message authentication schemes the vericationkey

which may equal the signingkey is not given to the adversary Thus schemes

for message authentication can b e viewed as a privatekey version of signature

schemes This dierence yields dierent functionalities even more than in the case

of encryption In typical use of a signature scheme each user generates a pair of

signing and verication keys publicizes the vericationkey and keeps the signing

key secret Subsequently each user may sign do cuments using its own signingkey

and these signatures are universal ly veriable with resp ect to its public verication

key In contrast message authentication schemes are typically used to authenticate

information sent among a set of mutual ly trusting parties that agree on a secret

key which is b eing used b oth to pro duce and verify authenticationtags Indeed

it is assumed that the mutually trusting parties have generated the key together or

have exchanged the key in a secure way prior to the communication of information

that needs to b e authenticated

We fo cus on the denition of secure signature schemes and consider very p ow

erful attacks on the signature scheme as well as a very lib eral notion of breaking

it Sp ecically the attacker is allowed to obtain signatures to any message of its

C SIGNATURES AND MESSAGE AUTHENTICATION

choice One may argue that in many applications such a general attack is not p os

sible b ecause messages to b e signed must have a sp ecic format Yet our view

is that it is imp ossible to dene a general ie applicationindep endent notion

of admissible messages and thus a generalrobust denition of an attack seems

to have to b e formulated as suggested here Note that at worst our approach is

overly cautious Likewise the adversary is said to b e successful if it can pro duce

a valid signature to any message for which it has not asked for a signature during

its attack Again this means that the ability to form signatures to nonsensical

messages is also viewed as a breaking of the scheme Yet again we see no way

to have a general ie applicationindep endent notion of meaningful messages

such that only forging signatures to them will b e considered a breaking of the

scheme

Denition C secure signature schemes a sketch A chosen message attack

is a process that on input a vericationkey can obtain signatures relative to

the corresp onding signingkey to messages of its choice Such an attack is said to

succeed in existential forgery if it outputs a valid signature to a message for which

it has not requested a signature during the attack A signature scheme is secure or

unforgeable if every feasible chosen message attack succeeds with at most negligible

probability where the probability is taken over the initial choice of the keypair as

wel l as over the adversarys actions

One p opular suggestion is signing messages by applying the inverse of a trap do or

p ermutation where the trap do or is used as a signingkey and the p ermutation

itself is used in the forward direction towards verication We warn that in

general this scheme do es not satisfy Denition C eg the p ermutation may b e

a homomorphism of some group

C Constructions

Secure message authentication schemes can b e constructed using pseudorandom

functions or rather the generalized notion of pseudorandom functions discussed

at the end of Section C Sp ecically the keygeneration algorithm consists of

n

uniformly selecting a seed s f g for such a function denoted f f g

s

n

f g and the only valid tag of message x with resp ect to the key s is f x

s

As in the case of our privatekey encryption scheme the pro of of security of the

current message authentication scheme consists of two steps

Proving that an idealized version of the scheme in which one uses a uniformly

n

selected function F f g f g rather than the pseudorandom function

f is secure ie unforgeable

s

Concluding that the real scheme is secure b ecause otherwise one could dis

tinguish a pseudorandom function from a truly random one

Note that this message authentication scheme makes an extensive use of pseu

dorandom functions ie the pseudorandom function is applied directly to the

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

message which may b e rather long More ecient schemes can b e constructed

either based on a more restricted use of a pseudorandom function or based on other

cryptographic primitives

Constructing secure signature schemes seems more dicult than constructing

message authentication schemes Nevertheless secure signature schemes can b e

constructed based on the same assumptions

Theorem C The fol lowing three conditions are equivalent

Oneway functions exist

Secure signature schemes exist

Secure message authentication schemes exist

We stress that unlike in the case of publickey encryption schemes the construction

of signature schemes which may b e viewed as a publickey analogue of message

authentication do es not require a trap do or prop erty Three central paradigms

used in the construction of secure signature schemes are the refreshing of the

eective signingkey the usage of an authentication tree and the hashing

paradigm to b e all discussed in the sequel In addition to b eing used in the

pro of of Theorem C these three paradigms are of indep endent interest

The refreshing paradigm Introduced in the refreshing paradigm is aimed

at limiting the p otential dangers of chosen message attacks This is achieved by

signing the actual do cument using a newly and randomly generated instance

of the signature scheme and authenticating the vericationkey of this random

instance with resp ect to the xed and public vericationkey Intuitively the

gain in terms of security is that a fulledged chosen message attack cannot b e

launched on a xed instance of the underlying signature schemes ie on the xed

vericationkey that was published by the user and is known to the attacker All

that an attacker may obtain via a chosen message attack on the new scheme is

signatures relative to the original signingkey which is coupled with the xed and

public vericationkey to random strings or rather random vericationkeys as

well as additional signatures that are each relative to a random and indep endently

distributed signingkey which is coupled with a freshly generated vericationkey

Authentication trees The security b enets of the refreshing paradigm are am

plied when combining it with the use of authentication trees The idea is to use the

public vericationkey only for authenticating several eg two fresh instances

of the signature scheme use each of these instances for authenticating several ad

ditional fresh instances and so on Thus we obtain a tree of fresh instances of the

basic signature scheme where each internal no de authenticates its children We

That is consider a basic signature scheme G S V used as follows Supp ose that the user

n

U has generated a keypair s v G and has placed the vericationkey v on a publicle

When a party asks U to sign some do cument the user U generates a new fresh keypair

n

s v G signs v using the original signingkey s signs using the new signingkey s

and presents S v v S as a signature to An alleged signature v is veried

s

s

by checking whether b oth V v and V hold

v

v

C SIGNATURES AND MESSAGE AUTHENTICATION

can now use the leaves of this tree for signing actual do cuments where each leaf is

used at most once Thus a signature to an actual do cument consists of

a signature to this do cument authenticated with resp ect to the verication

key asso ciated with some leaf and

a sequence of vericationkeys asso ciated with the no des along the path from

the ro ot to this leaf where each such vericationkey is authenticated with

resp ect to the vericationkey of its parent

We stress that the same signature relative to the key of the parent no de is used

for authenticating the vericationkeys of all its children Thus each instance of

the signature scheme is used for signing at most one string ie a single sequence of

vericationkeys if the instance resides in an internal no de and an actual do cument

if the instance resides in a leaf Hence it suces to use a signature scheme that is

secure as long as it is applied for legitimately signing a single string Such signature

schemes called onetime signature schemes are easier to construct than standard

signature schemes esp ecially if one only wishes to sign strings that are signicantly

shorter than the signingkey resp than the vericationkey For example using

a oneway function f we may let the signingkey consist of a sequence of n pairs of

strings let the corresp onding vericationkey consist of the corresp onding sequence

of images of f and sign an nbit long message by revealing the adequate preimages

n

That is the signingkey consist of a sequence s s s s f g the

n n

and the signa f s f s f s corresp onding vericationkey is f s

n n

n

ture of the message is s s

n

n

The hashing paradigm Note however that in the foregoing authentication

tree the instances of the signature scheme asso ciated with internal no des are

used for signing a pair of vericationkeys Thus we need a onetime signature

scheme that can b e used for signing messages that are longer than the verication

key In order to bridge the gap b etween onetime signature schemes that are

applicable for signing short messages and schemes that are applicable for signing

long messages we use the hashing paradigm This paradigm refers to the common

practice of signing do cuments via a two stage pro cess First the actual do cument is

hashed to a relatively short string and next the basic signature scheme is applied

to the resulting string This practice is sound provided that the hashing function

b elongs to a family of collisionresistant hashing aka collisionfree hashing func

tions Lo osely sp eaking the collisionresistant requirement means that given a

hash function that is randomly selected in such a family it is infeasible to nd two

dierent strings that are hashed by this function to the same value We also refer

A naive implementation of the foregoing fulledged signature scheme calls for storing in

secure memory all the instances of the basic onetime signature scheme that are generated

throughout the entire signing pro cess which refers to numerous do cuments However we note

that it suces to b e able to reconstruct the randomcoins used for generating each of these

instances and the former can b e determined by a pseudorandom function applied to the name

of the corresp onding vertex in the tree Indeed the seed of this pseudorandom function will b e

part of the signingkey of the resulting fulledged signature scheme

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

the interested reader to a variant of the hashing paradigm that uses the seemingly

weaker notion of a family of Universal OneWay Hash Functions see or

Sec

C General Cryptographic Proto cols

The design of secure proto cols that implement arbitrary desired functionalities is

a ma jor part of mo dern cryptography Taking the opp osite p ersp ective the design

of any cryptographic scheme may b e viewed as the design of a secure proto col for

implementing a corresp onding functionality Still we b elieve that it makes sense to

dierentiate b etween basic cryptographic primitives which involve little interac

tion like encryption and signature schemes on one hand and general cryptographic

proto cols on the other hand

In this section we survey general results concerning secure multiparty com

putations where the twoparty case is an imp ortant sp ecial case In a nutshell

these results assert that one can construct proto cols for securely computing any

desirable multiparty functionality Indeed what is striking ab out these results is

their generality and we b elieve that the wonder is not diminished by the various

alternative conditions under which these results hold

A general framework for casting mparty cryptographic proto col problems

consists of sp ecifying a random pro cess that maps m inputs to m outputs The

inputs to the pro cess are to b e thought of as the lo cal inputs of m parties and the

m outputs are their corresp onding lo cal outputs The random pro cess describ es

the desired functionality That is if the m parties were to trust each other or trust

some external party then they could each send their lo cal input to the trusted

party who would compute the outcome of the pro cess and send to each party the

corresp onding output A pivotal question in the area of cryptographic proto cols is

to what extent can this imaginary trusted party b e emulated by the mutually

distrustful parties themselves

The results surveyed in this section describ e a variety of mo dels in which such

an emulation is p ossible The mo dels vary by the underlying assumptions re

garding the communication channels numerous parameters governing the extent

of adversarial b ehavior and the desired level of emulation of the trusted party ie

level of security Our treatment refers to the security of standalone executions

The preservation of security in an environment in which many executions of many

proto cols are attacked is b eyond the scop e of this section and the interested reader

is referred to Sec

That is we consider the secure evaluation of randomized functionalities rather than only

the secure evaluation of functions Sp ecically we consider an arbitrary randomized pro cess

P

def

m

jx j an m F that on input x x rst selects at random dep ending only on

m

i

i

ary function f and then outputs the mtuple f x x f x x f x x

m m m m

In other words F x x F r x x where r is uniformly selected in f g with

m m

p oly and F is a function mapping m long sequences to mlong sequences

C GENERAL CRYPTOGRAPHIC PROTOCOLS

C The Denitional Approach and Some Mo dels

Before describing the aforementioned results we further discuss the notion of

emulating a trusted party which underlies the denitional approach to secure

multiparty computation This approach follows the simulation paradigm cf Sec

tion C which deems a scheme to b e secure if whatever a feasible adversary can

obtain after attacking it is also feasibly attainable by a b enign b ehavior In the

general setting of multiparty computation we compare the eect of adversaries

that participate in the execution of the actual proto col to the eect of adversaries

that participate in an imaginary execution of a trivial ideal proto col for com

puting the desired functionality with the help of a trusted party If whatever the

adversaries can feasibly obtain in the real setting can also b e feasibly obtained in

the ideal setting then the actual proto col emulates the ideal setting ie emu

lates a trusted party and thus is deemed secure This approach can b e applied

in a variety of mo dels and is used to dene the goals of security in these mo dels

We rst discuss some of the parameters used in dening various mo dels and next

demonstrate the application of the foregoing approach in two imp ortant cases For

further details see Sec and

C Some parameters used in dening security mo dels

The following parameters are describ ed in terms of the actual or real computation

In some cases the corresp onding denition of security is obtained by imp osing some

restrictions or provisions on the ideal mo del In al l cases the desired notion of

security is dened by requiring that for any adequate adversary in the real mo del

there exist a corresp onding adversary in the corresp onding ideal mo del that obtains

essentially the same impact as the realmo del adversary

The communication channels Most works in cryptography assume that com

munication is synchronous and that p ointtopoint channels exist b etween every

pair of pro cessors ie a complete network It is further assumed that the ad

versary cannot mo dify or omit or insert messages sent over any communication

channel that connects honest parties In the standard model the adversary may

tap all communication channels and thus obtain any message sent b etween honest

parties In an alternative mo del called the privatechannel mo del one postulates

A few technical comments are in place Firstly we assume that the inputs of all parties

are of the same length We comment that as long as the lengths of the inputs are p olynomially

related the foregoing convention can b e enforced by padding On the other hand some length

restriction is essential for the security results b ecause in general it is imp ossible to hide all

information regarding the length of the inputs to a proto col Secondly we assume that the

desired functionality is computable in probabilistic p olynomialtime b ecause we wish the secure

proto col to run in probabilistic p olynomialtime and a proto col cannot b e more ecient than

the corresp onding centralized algorithm Clearly the results can b e extended to functionalities

that are computable within any given timeconstructible time b ound using adequate padding

For example in the case of twoparty computation see xC secure computation is

p ossible only if premature termination is not considered a breach of security In that case the

suitable security denition is obtained via the simulation paradigm by allowing an analogue

of premature termination in the ideal mo del

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

that the adversary cannot obtain messages sent b etween any pair of honest parties

Indeed in some cases the privatechannel mo del can b e emulated by the standard

mo del eg by using a secure encryption scheme

Setup assumptions Unless stated dierently no setup assumptions are made

except for the obvious assumption that all parties have identical copies of the

proto cols program

Computational limitations Typically the fo cus is on computationallyb ounded

adversaries eg probabilistic p olynomialtime adversaries However the private

channel mo del allows for the meaningful consideration of computationallyunbounded

adversaries

Restricted adversarial b ehavior The parameters of the mo del include ques

tions like whether the adversary is active or passive ie whether a dishonest

party takes active steps to disrupt the execution of the proto col or merely gathers

information and whether or not the adversary is adaptive ie whether the set

of dishonest parties is xed b efore the execution starts or is adaptively chosen by

an adversary during the execution

Restricted notions of security One imp ortant example is the willingness to

tolerate unfair proto cols in which the execution can b e susp ended at any time

by a dishonest party provided that it is detected doing so We stress that in case the

execution is susp ended the dishonest party do es not obtain more information than

it could have obtained when not susp ending the execution What may happ en is

that the honest parties will not obtain their desired outputs but will detect that

the execution was susp ended We stress that the motivation to this restricted

mo del is the imp ossibility of obtaining general secure twoparty computation in

the unrestricted mo del

Upp er b ounds on the number of dishonest parties These are assumed

in some mo dels when required For example in some mo dels secure multiparty

computation is p ossible only if a ma jority of the parties is honest

C Example Multiparty proto cols with honest ma jority

Here we consider an active nonadaptive and computationallyb ounded adversary

and do not assume the existence of private channels Our aim is to dene multi

We stress that also in the case of computationallyunbounded adversaries security should

b e dened by requiring that for every real adversary whatever the adversary can compute after

participating in the execution of the actual proto col is computable within comparable time by

an imaginary adversary participating in an imaginary execution of the trivial ideal proto col for

computing the desired functionality with the help of a trusted party That is although no

computational restrictions are made on the realmo del adversary it is required that the ideal

mo del adversary that obtains the same impact do es so within comparable time ie within time

that is p olynomially related to the running time of the realmo del adversary b eing simulated

C GENERAL CRYPTOGRAPHIC PROTOCOLS

party proto cols that remain secure provided that the honest parties are in ma jority

The reason for requiring an honest ma jority will b e discussed at the end of this

subsection

We rst observe that in any multiparty proto col each party may change its

lo cal input b efore even entering the execution of the proto col However this is

unavoidable also when the parties utilize a trusted party Consequently such an

eect of the adversary on the real execution ie mo dication of its own input

prior to entering the actual execution is not considered a breach of security In

general whatever cannot b e avoided when the parties utilize a trusted party is

not considered a breach of security We wish secure proto cols in the real mo del

to suer only from whatever is unavoidable also when the parties utilize a trusted

party Thus the basic paradigm underlying the denitions of secure multiparty

computations amounts to requiring that the only situations that may o ccur in the

real execution of a secure proto col are those that can also o ccur in a corresp onding

ideal mo del where the parties may employ a trusted party In other words the

eective malfunctioning of parties in secure proto cols is restricted to what is

p ostulated in the corresp onding ideal mo del

In light of the foregoing we start by dening an ideal mo del or rather the

misb ehavior allowed in it Since we are interested in executions in which the

ma jority of parties are honest we consider an ideal mo del in which any minority

group of the parties may collude as follows

First the members of this dishonest minority share their original inputs and

decide together on replaced inputs to b e sent to the trusted party The other

parties send their resp ective original inputs to the trusted party

Up on receiving inputs from all parties the trusted party determines the cor

resp onding outputs and sends them to the corresp onding parties We stress

that the information sent b etween the honest parties and the trusted party

is not seen by the dishonest colluding minority

Up on receiving the outputmessage from the trusted party each honest party

outputs it lo cally whereas the members of the dishonest minority share the

outputmessages and determine their lo cal outputs based on all they know

ie their initial inputs and their received outputmessages

A secure multiparty computation with honest majority is required to emulate this

ideal mo del That is the eect of any feasible adversary that controls a minority of

the parties in a real execution of such a real proto col can b e essentially simulated

by a dierent feasible adversary that controls the corresp onding parties in the

ideal mo del

Denition C secure proto cols a sketch Let f be an mary functionality

and be an mparty protocol operating in the real model

For a realmodel adversary A controlling some minority of the parties and

x we denote by tapping all communication channels and an msequence

x the sequence of m outputs resulting from the execution of on real

A

input x under the attack of the adversary A

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

For an idealmodel adversary A controlling some minority of the parties

x we denote by ideal x the sequence of m outputs and an msequence

f A

resulting from the foregoing threestep ideal process when applied to input x

under the attack of the adversary A and when the trusted party employs the

functionality f

We say that securely implements f with honest majority if for every feasible real

model adversary A controlling some minority of the parties there exists a feasible

idealmodel adversary A controlling the same parties such that the probability en

and fideal are computationally indistinguishable xg x g sembles freal

f A A

x x

as in Denition C

Thus security means that the eect of each minority group in a real execution

of a secure proto col is essentially restricted to replacing its own lo cal inputs

indep endently of the lo cal inputs of the ma jority parties b efore the proto col

starts and replacing its own lo cal outputs dep ending only on its lo cal inputs and

outputs after the proto col terminates We stress that in the real execution the

minority parties do obtain additional pieces of information yet in a secure proto col

they gain nothing from these additional pieces of information b ecause they can

actually repro duce those by themselves

The fact that Denition C refers to a mo del without private channels is

reected in the fact that our sketchy denition of the realmo del adversary al

lowed it to tap all channels which in turn eects the set of p ossible ensembles

When dening security in the privatechannel mo del the real x g freal

A

x

mo del adversary is not allowed to tap channels b etween honest parties and this

again eects the p ossible ensembles freal On the other hand when x g

A

x

dening security with resp ect to passive adversaries b oth the scop e of the real

mo del adversaries and the scop e of the idealmo del adversaries change In the

realmo del execution all parties follow the proto col but the adversary may alter

the output of the dishonest parties arbitrarily dep ending on their intermediate in

ternal states during the entire execution In the corresp onding idealmo del the

adversary is not allowed to mo dify the inputs of dishonest parties in Step but

is allowed to mo dify their outputs in Step

We comment that a denition analogous to Denition C can b e presented also

in the case that the dishonest parties are not in minority In fact such a denition

seems more natural but the problem is that such a denition cannot b e satised

That is most natural functionalities do not have proto cols for computing them

securely in the case that at least half of the parties are dishonest and employ an

adequate adversarial strategy This follows from an imp ossibility result regarding

twoparty computation which essentially asserts that there is no way to prevent a

party from prematurely susp ending the execution On the other hand secure multi

party computation with dishonest ma jority is p ossible if premature susp ension of

the execution is not considered a breach of security see xC

C GENERAL CRYPTOGRAPHIC PROTOCOLS

C Another example Twoparty proto cols allowing ab ort

In light of the last paragraph we now consider multiparty computations in which

premature susp ension of the execution is not considered a breach of security For

simplicity we fo cus on the sp ecial case of twoparty computations As in xC

we consider a nonadaptive active and computationallyb ounded adversary

Intuitively in any twoparty proto col each party may susp end the execution

at any p oint in time and furthermore it may do so as so on as it learns the desired

output Thus if the output of each party dep ends on the inputs of b oth parties

then it is always p ossible for one of the parties to obtain the desired output while

preventing the other party from fully determining its own output The same

phenomenon o ccurs even in the case that the two parties just wish to generate a

common random value In order to account for this phenomenon when considering

active adversaries in the twoparty setting we do not consider such premature

susp ension of the execution a breach of security Consequently we consider an ideal

mo del in which each of the two parties may shutdown the trusted third party

at any p oint in time In particular this may happ en after the trusted party has

supplied the outcome of the computation to one party but b efore it has supplied

the outcome to the other party Thus an execution in the corresp onding ideal

mo del pro ceeds as follows

Each party sends its input to the trusted party where the dishonest party

may replace its input or send no input at all which can b e treated as sending

a default value

Up on receiving inputs from b oth parties the trusted party determines the

corresp onding pair of outputs and sends the rst output to the rst party

If the rst party is dishonest then it may instruct the trusted party to halt

otherwise it always instructs the trusted party to pro ceed If instructed to

pro ceed the trusted party sends the second output to the second party

Up on receiving the outputmessage from the trusted party an honest party

outputs it lo cally whereas a dishonest party may determine its output based

on all it knows ie its initial input and its received output

A secure twoparty computation allowing ab ort is required to emulate this ideal

mo del That is as in Denition C security is dened by requiring that for

every feasible realmo del adversary A there exists a feasible idealmo del adversary

A controlling the same party such that the probability ensembles representing

the corresp onding real and ideal executions are computationally indistinguish

able This means that each partys eective malfunctioning in a secure proto col

is restricted to supplying an initial input of its choice and ab orting the computation

at any p oint in time Needless to say the choice of the initial input of each party

may not dep end on the input of the other party

In contrast in the case of an honest ma jority cf xC the honest party that fails to

obtain its output is not alone It may seek help from the other honest parties which b eing in

ma jority and by joining forces can do things that dishonest minorities cannot do See xC

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

We mention that an alternative way of dealing with the problem of premature

susp ension of execution ie ab ort is to restrict the attention to singleoutput

functionalities that is functionalities in which only one party is supp osed to obtain

an output The denition of secure computation of such functionalities can b e made

identical to Denition C with the exception that no restriction is made on the

set of dishonest parties and in particular one may consider a single dishonest party

in the case of twoparty proto cols For further details see Sec

C Some Known Results

We next list some of the mo dels for which general secure multiparty computation

is known to b e attainable ie mo dels in which one can construct secure multi

party proto cols for computing any desired functionality We mention that the rst

results of this type were obtained by Goldreich Micali Wigderson and Yao

In the standard channel mo del Assuming the existence of enhanced trap

door permutations secure multiparty computation is p ossible in the following three

mo dels cf and details in Chap

Passive adversaries for any number of dishonest parties

Active adversaries that may control only a minority of the parties

Active adversaries for any number of dishonest parties provided that sus

p ension of execution is not considered a violation of security cf xC

In all these cases the adversaries are computationallyb ounded and nonadaptive

On the other hand the adversaries may tap the communication lines b etween hon

est parties ie we do not assume private channels here The results for active

adversaries assume a broadcast channel Indeed the latter can b e implemented

while tolerating any number of dishonest parties using a signature scheme and

assuming that each party knows or can reliably obtain the vericationkey corre

sp onding to each of the other parties

In the private channels mo del Making no computational assumptions and

allowing computationallyunb ounded adversaries but assuming private channels

secure multiparty computation is p ossible in the following two mo dels cf

Passive adversaries that may control only a minority of the parties

Active adversaries that may control only less than one third of the parties

In b oth cases the adversaries may b e adaptive

See Footnote

C GENERAL CRYPTOGRAPHIC PROTOCOLS

C Construction Paradigms and Two Simple Proto cols

We briey sketch a couple of paradigms used in the construction of secure multi

party proto cols We fo cus on the construction of secure proto cols for the mo del

of computationallyb ounded and nonadaptive adversaries These

constructions pro ceed in two steps see details in Chap First a secure pro

to col is presented for the mo del of passive adversaries for any number of dishonest

parties and next such a proto col is compiled into a proto col that is secure in

one of the two mo dels of active adversaries ie either in a mo del allowing the

adversary to control only a minority of the parties or in a mo del in which prema

ture susp ension of the execution is not considered a violation of security These

two steps are presented in the following two corresp onding subsections in which

we also present two relatively simple proto cols for two sp ecic tasks which in turn

are used extensively in the general proto cols

Recall that in the mo del of passive adversaries all parties follow the prescrib ed

proto col but at termination the adversary may alter the outputs of the dishonest

parties dep ending on their intermediate internal states during the entire execu

tion We refer to proto cols that are secure in the mo del of passive resp active

adversaries by the term passivelysecure resp activelysecure

C Passivelysecure computation with shares

For sake of simplicity we consider here only the sp ecial case of deterministic mary

functionalities ie functions We assume that the m parties hold a circuit for

computing the value of the function on inputs of the adequate length and that the

circuit contains only and and not gates The key idea is having each party secretly

share its input with everybo dy else and having the parties secretly transform

shares of the input wires of the circuit into shares of the output wires of the

circuit thus obtaining shares of the outputs which allows for the reconstruction

of the actual outputs The value of each wire in the circuit is shared such that

all shares yield the value whereas lacking even one of the shares keeps the value

totally undetermined That is we use a simple secret sharing scheme such that a

bit b is shared by a random sequence of m bits that sumup to b mo d First each

party shares each of its input bits with all parties by secretly sending each party a

random value and setting its own share accordingly Next all parties jointly scan

the circuit from its input wires to its output wires pro cessing each gate as follows

When encountering a gate the parties already hold shares of the values of

the wires entering the gate and their aim is to obtain shares of the value of

the wires exiting the gate

For a notgate this is easy the rst party just ips the value of its share

and all other parties maintain their shares

Since an andgate corresp onds to multiplication mo dulo the parties need

to securely compute the following randomized functionality where the x s

i

denote shares of one entrywire the y s denote shares of the second entry

i

wire the z s denote shares of the exitwire and the shares indexed by i are i

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

held by Party i

x y x y z z where C

m m m

m m m

X X X

y C x z

i i i

i i i

That is the z s are random sub ject to Eq C

i

Finally the parties send their shares of each circuitoutput wire to the designated

party which reconstructs the value of the corresp onding bit Thus the parties have

propagated shares of the circuitinput wires into shares of the circuitoutput wires

by rep eatedly conducting a passivelysecure computation of the mary functionality

of Eq C C That is securely evaluating the entire arbitrary circuit

reduces to securely conducting a sp ecic very simple multiparty computation

But things get even simpler the key observation is that

m m m

X X X X

x y x y x y C y x

i i i j j i i i

i i i

ij m

Thus the mary functionality of Eq C C can b e computed as follows

where all arithmetic op erations are mo d

def

x y Each Party i lo cally computes z

i i ii

Next each pair of parties ie Parties i and j securely compute random

shares of x y y x That is Parties i and j holding x y and x y

i j i j i i j j

resp ectively need to securely compute the randomized twoparty function

ality x y x y z z where the z s are random sub ject to

i i j j ij ji

z z x y y x Equivalently Party j uniformly selects z f g

ij ji i j i j ji

and Parties i and j securely compute the following deterministic functionality

x y x y z z x y y x C

i i j j ji ji i j i j

where denotes the empty string

P

m

Finally for every i m the sum z yields the desired share of

ij

j

Party i

The foregoing construction is analogous to a construction that was outlined in

A detailed description and full pro ofs app ear in Sec and

The foregoing construction reduces the passivelysecure computation of any

mary functionality to the implementation of the simple ary functionality of

Eq C The latter can b e implemented in a passivelysecure manner by using a

outof Oblivious Transfer Lo osely sp eaking a outofk Oblivious Transfer is

a proto col enabling one party to obtain one out of k secrets held by another party

without the second party learning which secret was obtained by the rst party

That is it allows a passivelysecure computation of the twoparty functionality

i s s s C

k i

C GENERAL CRYPTOGRAPHIC PROTOCOLS

Note that any function f k f g f g fg can b e computed in a

passivelysecure manner by invoking a outofk Oblivious Transfer on inputs i

and f y f k y where i resp y is the initial input of the rst resp

second party

A passivelysecure outofk Oblivious Transfer Using a collection of en

and a corresp onding hardcore hanced trap do or p ermutations ff D D g

I

predicate b we outline a passivelysecure implementation of the functionality of

Eq C when restricted to singlebit secrets

Inputs The rst party hereafter called the receiver has input i f k g The

k

second party called the sender has input f g

k

Step S The sender selects at random a p ermutation f along with a corresp ond

ing trap do or denoted t and sends the p ermutation f ie its index to

the receiver

Step R The receiver uniformly and indep endently selects x x D sets

k

y f x and y x for every j i and sends y y y to the

i i j j k

sender

y for any y x but cannot predict bf Thus the receiver knows f

j i i

j i Needless to say the last assertion presumes that the receiver follows

the proto col ie we only consider passivesecurity

Step S Up on receiving y y y using the invertingwithtrapdo or algo

k

rithm and the trap do or t the sender computes z f y for every

j j

j f k g It sends the k tuple bz bz bz

k k

to the receiver

Step R Up on receiving c c c the receiver lo cally outputs c bx

k i i

We rst observe that this proto col correctly computes outofk Oblivious Trans

f x fer that is the receivers lo cal output ie c bx indeed equals bf

i i i i

bx Next we oer some intuition as to why this proto col constitutes a

i i

privatelysecure implementation of outofk Oblivious Transfer Intuitively the

sender gets no information from the execution b ecause for any p ossible value of i

the sender sees the same distribution sp ecically a sequence of k uniformly and

indep endently distributed elements of D Indeed the key observation is that ap

plying f to a uniformly distributed element of D yields a uniformly distributed

element of D As for the receiver intuitively it gains no computational knowl

edge from the execution b ecause for j i the only information that the receiver

has regarding is the triple x bf x where x is uniformly dis

j j j j j

tributed in D and from this information it is infeasible to predict b etter than

j

by a random guess See Sec for a detailed pro of of security

The latter intuition presumes that sampling D is trivial ie that there is an easily com

putable corresp ondence b etween the coins used for sampling and the resulting sample whereas

in general the coins used for sampling may b e hard to compute from the corresp onding outcome

This is the reason that an enhanced hardness assumption is used in the general analysis of the

foregoing proto col

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

C From passivelysecure proto cols to activelysecure ones

We show how to transform any passivelysecure proto col into a corresp onding

activelysecure proto col The communication mo del in b oth proto cols consists of

a single broadcast channel Note that the messages of the original proto col may

b e assumed to b e sent over a broadcast channel b ecause the adversary may see

them anyhow by tapping the p ointtopoint channels and b ecause a broadcast

channel is trivially implementable in the case of passive adversaries As for the re

sulting activelysecure proto col the broadcast channel it uses can b e implemented

via an authenticated Byzantine Agreement proto col thus providing an emulation

of this mo del on the standard p ointtopoint mo del in which a broadcast channel

do es not exist We mention that authenticated Byzantine Agreement is typically

implemented using a signature scheme and assuming that each party knows the

vericationkey corresp onding to each of the other parties

Turning to the transformation itself the main idea mentioned in xC is

using zeroknowledge pro ofs in order to force parties to b ehave in a way that is

consistent with the passivelysecure proto col Actually we need to conne each

party to a unique consistent b ehavior ie according to some xed lo cal input and a

sequence of coin tosses and to guarantee that a party cannot x its input andor

its coin tosses in a way that dep ends on the inputs andor coin tosses of honest

parties Thus some preliminary steps have to b e taken b efore the stepbystep

emulation of the original proto col may start Sp ecically the compiled proto col

which like the original proto col is executed over a broadcast channel pro ceeds

as follows

Committing to the local input Prior to the emulation of the original proto col

each party commits to its input using a commitment scheme as dened

in xC In addition using a zeroknowledge pro ofofknowledge see

Section each party also proves that it knows its own input that is

it proves that it can decommit to the commitment it sent These zero

knowledge pro ofofknowledge prevent dishonest parties from setting their

inputs in a way that dep ends on inputs of honest parties

Generation of local random tapes Next all parties jointly generate a se

quence of random bits for each party such that only this party knows the

outcome of the random sequence generated for it and everybo dy else gets a

commitment to this outcome These sequences will b e used as the random

inputs ie sequence of coin tosses for the original proto col Each bit in the

randomsequence generated for Party X is determined as the exclusiveor of

the outcomes of instances of an augmented cointossing proto col cf

Sec that Party X plays with each of the other parties The lat

ter proto col provides the other parties with a commitment to the outcome

obtained by Party X

Eective prevention of premature termination In addition when compiling

the passivelysecure proto col to an activelysecure proto col for the model

that al lows the adversary to control only a minority of the parties each party

C GENERAL CRYPTOGRAPHIC PROTOCOLS

shares its input and its randominput with all other parties using a Veriable

Secret Sharing VSS proto col cf Sec Lo osely sp eaking a

VSS proto col allows sharing a secret in a way that enables each participant

to verify that the share it got ts the publicly p osted information which

includes commitments to all shares where a sucient number of the latter

allow for the ecient recovery of the secret The use of VSS guarantees that

if Party X prematurely susp ends the execution then the honest parties can

together reconstruct all Party Xs secrets and carry on the execution while

playing its role This step eectively prevents premature termination and is

not needed in a mo del that do es not consider premature termination a breach

of security

Stepbystep emulation of the original protocol Once all the foregoing steps

are completed the new proto col emulates the steps of the original proto col

In each step each party augments the message determined by the original

proto col with a zeroknowledge pro of that asserts that the message was in

deed computed correctly Recall that the next message as determined by

the original proto col is a function of the senders own input its random

input and the messages it has received so far where the latter are known to

everybo dy b ecause they were sent over a broadcast channel Furthermore

the senders input is determined by its commitment as sent in Step and

its randominput is similarly determined in Step Thus the next mes

sage as determined by the original proto col is a function of publicly known

strings ie the said commitments as well as the other messages sent over

the broadcast channel Moreover the assertion that the next message was

indeed computed correctly is an NPassertion and the sender knows a cor

resp onding NPwitness ie its own input and randominput as well as the

corresp onding decommitment information Thus the sender can prove in

zeroknowledge to each of the other parties that the message it is sending

was indeed computed according to the original proto col

The foregoing compilation was rst outlined in A detailed description

and full pro ofs app ear in Sec and

A secure cointossing proto col Using a commitment scheme we outline a

secure ordinary as opp osed to augmented cointossing proto col

Step C Party uniformly selects f g and sends Party a commitment

denoted c to

Step C Party uniformly selects f g and sends to Party

Step C Party outputs the value and sends along with the decommit

ment information denoted d to Party

Step C Party checks whether or not d t the commitment c it has obtained

in Step It outputs if the check is satised and halts with output

APPENDIX C ON THE FOUNDATIONS OF MODERN CRYPTOGRAPHY

otherwise where indicates that Party has eectively ab orted the proto col

prematurely

Intuitively Steps CC may b e viewed as tossing a coin into the well At

this p oint ie after Step C the value of the coin is determined essentially

as a random value but only one party ie Party can see ie knows this

value Clearly if b oth parties are honest then they b oth output the same uniformly

chosen bit recovered in Steps C and C resp ectively Intuitively each party

can guarantee that the outcome is uniformly distributed and Party can cause

premature termination by improp er execution of Step Formally we have to show

how the eect of any realmo del adversary can b e simulated by an adequate ideal

mo del adversary which is allowed premature termination This is done in

Sec

C Concluding Remarks

In Sections CC we have mentioned numerous denitions and results regard

ing secure multiparty proto cols where some of these denitions are incomparable

to others ie they neither imply the others nor are implies by them For example

in xC and xC we have presented two alternative denitions of secure

multiparty proto cols one requiring an honest ma jority and the other allowing

ab ort These denitions are incomparable and there is no generic reason to prefer

one over the other Actually as mentioned in xC one could formulate a nat

ural denition that implies b oth denitions ie waiving the b ound on the number

of dishonest parties in Denition C Indeed the resulting denition is free of

the annoying restrictions that were introduced in each of the two aforementioned

denitions the only problem with the resulting denition is that it cannot b e

satised in general Thus for the rst time in this app endix we have reached a

situation in which a natural and general denition cannot b e satised and we are

forced to choose b etween two weaker alternatives where each of these alternatives

carries fundamental disadvantages

In general Section C carries a stronger avor of compromise ie recognizing

inherent limitations and settling for a restricted meaningful goal than previous

sections In contrast to the impression given in other parts of this app endix it

turns out that we cannot get all that we may want and this is without mentioning

the problems involved in preserving security under concurrent comp osition cf

Sec Instead we should study the alternatives and go for the one that b est

suits our real needs

Indeed as stated in Section C the fact that we can dene a cryptographic

goal do es not mean that we can satisfy it as dened In case we cannot satisfy

the initial denition we should search for relaxations that can b e satised These

relaxations should b e dened in a clear manner such that it would b e obvious what

they achieve and what they fail to achieve Doing so will allow a sound choice of

the relaxation to b e used in a sp ecic application

App endix D

Probabilistic Preliminaries

and Advanced Topics in

Randomization

What is this Chicken Curry and Seafo o d Salad

Fine but in the same plate This is disgusting

Johan Hastad at Grendels Cambridge

Summary This app endix lumps together some preliminaries regard

ing probability theory and some advanced topics related to the role and

use of randomness in computation Needless to say each of these topics

app ears in a separate section

The probabilistic preliminaries include our conventions regarding ran

dom variables which are used throughout the b o ok Also included are

overviews of three useful probabilistic inequalities Markovs Inequality

Chebyshevs Inequality and Cherno Bound

The advanced topics include hashing sampling and randomness ex

traction For hashing we describ e constructions of pairwise and twise

indep endent hashing functions and a few variants of the Leftover

Hashing Lemma used a few times in the main text We then review

the complexity of sampling that is the number of samples and the

randomness complexity involved in estimating the average value of an

arbitrary function dened over a huge domain Finally we provide an

overview on the question of extracting almost p erfect randomness from

sources of weak or defected randomness

APPENDIX D PROBABILISTIC PRELIMINARIES AND ADVANCED TOPICS IN RANDOMIZATION

D Probabilistic preliminaries

Probability plays a central role in complexity theory see for example Chapters

We assume that the reader is familiar with the basic notions of probability

theory In this section we merely present the probabilistic notations that are used

throughout the b o ok and three useful probabilistic inequalities

D Notational Conventions

Throughout the entire b o ok we refer only to discrete probability distributions

Sp ecically the underlying probability space consists of the set of all strings of a

certain length taken with uniform probability distribution That is the sample

space is the set of all bit long strings and each such string is assigned probability

measure Traditionally random variables are dened as functions from the

sample space to the reals Abusing the traditional terminology we use the term

random variable also when referring to functions mapping the sample space into the

set of binary strings We often do not sp ecify the probability space but rather talk

directly ab out random variables For example we may say that X is a random

and variable assigned values in the set of all strings such that Pr X

Such a random variable may b e dened over the sample space Pr X

f g so that X and X X X One imp ortant

case of a random variable is the output of a randomized pro cess eg a probabilistic

p olynomialtime algorithm as in Section

All our probabilistic statements refer to random variables that are dened b e

forehand Typically we may write Pr f X where X is a random variable

dened b eforehand and f is a function An imp ortant convention is that al l oc

currences of the same symbol in a probabilistic statement refer to the same unique

random variable Hence if B is a Bo olean expression dep ending on two vari

ables and X is a random variable then Pr B X X denotes the probability that

B x x holds when x is chosen with probability Pr X x For example for every

random variable X we have Pr X X We stress that if we wish to discuss the

probability that B x y holds when x and y are chosen indep endently with identi

cal probability distribution then we will dene two indep endent random variables

each with the same probability distribution Hence if X and Y are two indep en

dent random variables then Pr B X Y denotes the probability that B x y holds

when the pair x y is chosen with probability Pr X x Pr Y y For example

for every two indep endent random variables X and Y we have Pr X Y

only if b oth X and Y are trivial ie assign the entire probability mass to a single

string

Throughout the entire b o ok U denotes a random variable uniformly dis

n

n

tributed over the set of all strings of length n Namely Pr U equals

n

n

if f g and equals otherwise We often refer to the distribution of U as

n

n

the uniform distribution neglecting to qualify that it is uniform over f g In ad

n

dition we o ccasionally use random variables arbitrarily distributed over f g

n

or f g for some function N N Such random variables are typically

denoted by X Y Z etc We stress that in some cases X is distributed over

n n n n

D PROBABILISTIC PRELIMINARIES

n n

f g whereas in other cases it is distributed over f g for some function

which is typically a p olynomial We often talk ab out probability ensembles which

are innite sequence of random variables fX g such that each X ranges over

n n

nN

strings of length b ounded by a p olynomial in n

Statistical dierence The statistical distance aka variation distance b etween

the random variables X and Y is dened as

X

jPr X v Pr Y v j maxfPr X S Pr Y S g D

S

v

We say that X is close resp far to Y if the statistical distance b etween them

is at most resp at least

D Three Inequalities

The following probabilistic inequalities are very useful These inequalities refer to

random variables that are assigned real values and provide upp erb ounds on the

probability that the random variable deviates from its exp ectation

D Markovs Inequality

The most basic inequality is Markovs Inequality that applies to any random variable

with b ounded maximum or minimum value For simplicity this inequality is stated

for random variables that are lowerbounded by zero and reads as follows Let X

be a nonnegative random variable and v be a nonnegative real number Then

EX

D Pr X v

v

Equivalently Pr X r EX The pro of amounts to the following sequence

r

X

EX Pr X x x

x

X X

Pr X x Pr X x v

xv

xv

Pr X v v

D Chebyshevs Inequality

Using Markovs inequality one gets a p otentially stronger b ound on the deviation

of a random variable from its exp ectation This b ound called Chebyshevs inequal

ity is useful when having additional information concerning the random variable

sp ecically a go o d upp er b ound on its variance For a random variable X of

def

nite exp ectation we denote by Var X EX EX the variance of X and

APPENDIX D PROBABILISTIC PRELIMINARIES AND ADVANCED TOPICS IN RANDOMIZATION

observe that Var X EX EX Chebyshevs Inequality then reads as follows

Let X be a random variable and Then

Var X

Pr jX EX j D

def

Pro of We dene a random variable Y X EX and apply Markovs

inequality We get

Pr jX EX j Pr X EX

EX EX

and the claim follows

Corollary Pairwise Indep endent Sampling Chebyshevs inequality is particu

larly useful in the analysis of the error probability of approximation via rep eated

sampling It suces to assume that the samples are picked in a pairwise indep en

dent manner where X X X are pairwise indep endent if for every i j and

n

every it holds that Pr X X Pr X Pr X The corol

i j i j

lary reads as follows Let X X X be pairwise independent random variables

n

with identical expectation denoted and identical variance denoted Then

for every it holds that

P

n

X

i

i

Pr D

n n

def

Pro of Dene the random variables X EX Note that the X X s are

i i i i

pairwise indep endent and each has zero exp ectation Applying Chebyshevs in

P

n

X

i

and using the linearity of the exp ectation equality to the random variable

i

n

op erator we get

P

n n

X

i

X

Var

X

i

i

n

Pr

n

i

h i

P

n

E X

i

i

n

Now again using the linearity of exp ectation

n n

h i

X X X

E E X X X X E

i i j

i

i i

i j n

By the pairwise independence of the X s we get EX X EX EX and

i i j i j

X we get using E

i

n

X

X n E

i

i

D PROBABILISTIC PRELIMINARIES

The corollary follows

D Cherno Bound

When using pairwise indep endent sample p oints the error probability in the ap

proximation decreases linearly with the number of sample p oints see Eq D

When using totally indep endent sample p oints the error probability in the approx

imation can b e shown to decrease exp onentially with the number of sample p oints

Recall that the random variables X X X are said to b e totally indep endent

n

Q

n

n

Pr X a if for every sequence a a a it holds that Pr X a

i i n i i

i

i

Probability b ounds supp orting the foregoing statement are given next The rst

b ound commonly referred to as Cherno Bound concerns random variables

ie random variables that are assigned as values either or and asserts the

and X X X be independent random variables such following Let p

n

that Pr X p for each i Then for every p it holds that

i

P

n

X

i

c n

i

Pr p e where c max D

p

n

The more common formulation sets c but the case c p is very useful

when p is small and one cares ab out a multiplicative deviation eg p

P P

n n

Pro of Sketch We upp erb ound Pr X pn n and Pr pn X

i i

i i

def

X EX we apply Markovs inequality X n is b ounded similarly Letting

i i i

P

n

X

i

i

where will b e determined to optimize to the random variable e

P

n

the expressions that we derive Thus Pr X n is upp erb ounded by

i

i

P

n

n

X

i

Y

i

Ee

X n

i

Ee e

n

e

i

where the equality is due to the independence of the random variables To simplify

the rest of the pro of we establish a suboptimal b ound as follows Using a Taylor

x x

expansion of e eg e x x for jxj and observing that E X we

i

P

n

X

i

E which equals p p Thus Pr X pn n X get Ee

i

i

i

n n

is upp erb ounded by e p p expn p pn which

is optimized at p p yielding exp n exp n

pp

The foregoing pro of strategy can b e applied in more general settings A more

general b ound which refers to indep endent random variables that are each b ounded

but are not necessarily identical is given next and is commonly referred to as

Ho efding Inequality Let X X X be n independent random variables each

n

P

def

n

ranging in the real interval a b and let EX denote the average

i

i

n

For example verify that the current pro of actually applies to the case that X rather

i

than X f g by noting that Var X p p still holds

i i

APPENDIX D PROBABILISTIC PRELIMINARIES AND ADVANCED TOPICS IN RANDOMIZATION

expected value of these variables Then for every

P

n

X

n

i

i

ba

D Pr e

n

The sp ecial case of Eq D that refers to identically distributed random vari

ables is easy to derive from the foregoing Cherno Bound by recalling Footnote

and using a linear mapping of the interval a b to the interval This sp ecial

case is useful in estimating the average value of a b ounded function dened over

a large domain esp ecially when the desired error probability needs to b e negligi

ble ie decrease faster than any p olynomial in the number of samples Such an

estimate can b e obtained provided that we can sample the functions domain and

evaluate the function

D Pairwise indep endent versus totally indep endent sampling

To demonstrate the dierence b etween the sampling b ounds provided in xD

and xD we consider the problem of estimating the average value of a function

f In general we say that a random variable Z provides an

approximation of a value v if Pr jZ v j By Eq D the average value

of f evaluated at n O log independent samples selected uniformly

P

f xjj Thus the number of in yield an approximation of

x

sample p oints is p olynomially related to and logarithmically related to In

contrast by Eq D an approximation by n pairwise independent samples

calls for setting n O We stress that in both cases the number of

samples is polynomially related to the desired accuracy of the estimation ie

The only advantage of total ly independent samples over pairwise independent ones

is in the dependency of the number of samples on the error probability ie

D Hashing

Hashing is extensively used in complexity theory see eg x Section

x x and x The typical application is for mapping arbitrary

unstructured sets almost uniformly to a structured set of adequate size Sp ecif

m n m

ically hashing is used for mapping an arbitrary of f g to f g in

an almost uniform manner

m

For any xed set S of cardinality there exists a mapping f S

S

m

f g but this mapping is not necessarily eciently computable eg it may

require knowing the entire set S On the other hand no single function f

n m m n m

f g f g can map every subset of f g to f g in a manner

m n

or even approximately so Nevertheless for every subset S f g a

n m

random function f f g f g has the prop erty that with overwhelmingly

m

high probability f maps S to f g such that no p oint in the range has to o many

f preimages in S The problem is that a truly random function is unlikely to have

a succinct representation let alone an ecient evaluation algorithm We thus seek

families of functions that have a random mapping prop erty as in Item of the

D HASHING

following denition but do have a succinct representation as well as an ecient

evaluation algorithm as in Items and of the following denition

D Denitions

m

Motivated by the foregoing discussion we consider families of functions fH g

mn

n

such that the following prop erties hold

n

For every S f g with high probability a function h selected uniformly

m m

in H maps S to f g in an almost uniform manner For example we

n

m

may require that for any jS j and each p oint y with high probability

over the choice of h it holds that jfx S hx y gj p oly n

m

The functions in H have succinct representation For example we may

n

nm m

f g for some p olynomial require that H

n

m

The functions in H can b e eciently evaluated That is there exists a

n

p olynomialtime algorithm that on input a representation of a function h

n m

and a string x f g returns hx In some cases we make even in H

n

more stringent requirements regarding the algorithm eg that it runs in

linear space

Condition was left vague on purp ose At the very least we require that the

m

exp ected size of fx S hx y g equals jS j We shall see in Section D

that dierent interpretations of Condition are satised by dierent families of

hashing functions We fo cus on twise indep endent hashing functions dened next

m

Denition D twise indep endent hashing functions A family H of func

n

tions from nbit strings to mbit strings is called twise indep endent if for every t

n m

distinct domain elements x x f g and every y y f g it holds

t t

that

t tm

m

Pr hx y

hH i i

i

n

m

That is a uniformly chosen h H maps every t domain elements to the range in

n

a totally uniform manner Note that for t it follows that the probability that

m

a random h H maps two distinct domain elements to the same image equals

n

m

Such families of functions are called universal cf but we will fo cus

on the stronger condition of twise indep endence

D Constructions

The following constructions are merely a reinterpretation of the constructions

presented in x Alternatively one may view the constructions presented

in x as a reinterpretation of the following two constructions

Construction D twise indep endent hashing For t m n N such that m

n consider the fol lowing family of hashing functions mapping nbit strings to m

tn

s s s s f g describes a function bit strings Each tsequence

t

APPENDIX D PROBABILISTIC PRELIMINARIES AND ADVANCED TOPICS IN RANDOMIZATION

n m

f g f g such that h x equals the mbit prex of the binary repre h

s s

P

t

j n

sentation of s x where the arithmetic is that of GF the nite eld of

j

j

n

elements

Prop osition implies that Construction D constitutes a family of twise inde

p endent hash functions Typically we will use either t or t n To make

n

the construction totally explicit we need an explicit representation of GF

see comment following Prop osition An alternative construction for the case

of t may b e obtained analogously to the pairwise indep endent generator of

Prop osition Recall that a Toeplitz matrix is a matrix with all diagonals b eing

homogeneous that is T t is a Toeplitz matrix if t t for all i j

ij ij ij

Construction D alternative pairwise indep endent hashing For m n con

sider the family of hashing functions in which each pair T b consisting of a

nbym Toeplitz matrix T and an mdimensional vector b describes a function

n m

h f g f g such that h x T x b

T b T b

Prop osition implies that Construction D constitutes a family of pairwise

indep endent hash functions Note that a nbym Toeplitz matrix can b e sp ecied

by n m bits yielding a description length of n m bits An alternative

construction analogous to Eq and requiring m n m bits of representation

uses arbitrary nbym matrices rather than Toeplitz matrices

D The Leftover Hash Lemma

We now turn to the almost uniform cover condition ie Condition mentioned

in Section D One concrete interpretation of this condition is given by the

following lemma and another interpretation is implied by it see Theorem D

m

Lemma D Let m n be integers H be a family of pairwise independent hash

n

n m

functions and S f g Then for every y f g and every for al l

m

m

but at most an it holds that fraction of h H

n

jS j

jS j jS j

jfx S hx y gj D

m m

Note that by pairwise indep endence or rather even by wise indep endence the

m

exp ected size of fx S hx y g is jS j where the exp ectation is taken

m

uniformly over all h H The lemma upp er b ounds the fraction of hs that

n

m

deviate from the exp ected b ehavior ie for which jh y S j jS j

m

Needless to say the b ound is meaningful only in case jS j Focusing on

p

m

m

jS j we infer that for al l but at most the case that jS j and setting

m m

an fraction of h H it holds that jfx S hx y gj jS j Thus

n

each range element has approximately the right number of hpreimages in the set

m

S under almost all h H

n

n m

Pro of Fixing an arbitrary set S f g and an arbitrary y f g we

m

estimate the probability that a uniformly selected h H violates Eq D We n

D HASHING

dene random variables over the aforementioned probability space such that

x

h equal if hx y and otherwise The exp ected value of

x x x

P

def

m

is jS j and we are interested in the probability that this sum

x

xS

deviates from the exp ectation Applying Chebyshevs Inequality we get

X

Pr

x

xS

P

m

jS j by the pairwise indep endence of the s and the b ecause Var

x x

xS

m

fact that E The lemma follows

x

A generalization called mixing The pro of of Lemma D can b e easily

m

extended to show that for every set T f g and every for al l but

m

m

fraction of h H it holds that jfx S hx T gj at most an

n

jT jjS j

m

jT j jS j Hint redene h if hx T and

x x

m

otherwise This assertion is meaningful provided that jT j jS j and in the

case that m n it is called a mixing property

An extremely useful corollary The aforementioned generalization of Lemma D

n

asserts that for any xed set of preimages S f g and any xed sets of images

m m

T f g most functions in H b ehave well with resp ect to S and T in the

n

m

sense that they map approximately the adequate fraction of S ie jT j to T

A seemingly stronger statement which is nontrivially implied by Lemma D it

self reverses the order of quantication with resp ect to T that is for all adequate

m m

map S to f g in an almost uniform manner ie sets S most functions in H

n

assign each set T approximately the adequate fraction of S where here the ap

proximation is up to an additive deviation As we shall see this is a consequence

of the following theorem

n m

and S f g be as in Theorem D aka Leftover Hash Lemma Let H

n

p

m

Lemma D and dene jS j Consider random variables X and H that

m

respectively Then the statistical distance are uniformly distributed on S and H

n

between H H X and H U is at most

m

It follows that for X and as in Theorem D and any for al l but at

m

most an fraction of the functions h H it holds that hX is close

n

to U Using the terminology of the subsequent Section D we may say that

m

m

Theorem D asserts that H yields a strong extractor with parameters to b e

n

sp elled out there

def

V Pro of Let V denote the set of pairs h y that violate Eq D and

m m

V it holds that H f g n V Then for every h y

n

Pr H H X h y Pr H h Pr hX y

Pr H U h y

m

This follows by dening a random variable h such that equals the statistical distance

b etween hX and U and applying Markovs inequality m

APPENDIX D PROBABILISTIC PRELIMINARIES AND ADVANCED TOPICS IN RANDOMIZATION

On the other hand by the setting of and Lemma D which imply that Pr H y

m

V for every y f g we have Pr H U V It follows that

m

Pr H H X V Pr H H X V

Pr H U V

m

Using all these upp erb ounds we upp erb ounded the statistical dierence b etween

V H H X and H U denoted by separating the contribution of V and

m

Sp ecically we have

X

jPr H H X h y Pr H U h y j

m

m m

hy H fg

n

X

jPr H H X h y Pr H U h y j

m

hy V

where the rst term upp erb ounds the contribution of all pairs h y V Hence

X

Pr H H X h y Pr H U h y

m

hy V

where the rst inequality is trivial ie j j for any nonnegative

and and the second inequality uses the foregoing upp erb ounds ie Pr H H X

V and Pr H U V The theorem follows

m

An alternative pro of of Theorem D Dene the collision probability of a

random variable Z denote cpZ as the probability that two indep endent samples

P

def

of Z yield the same result Alternatively cpZ Pr Z z Theorem D

z

follows by combining the following two facts

A general fact If Z N and cpZ N then Z is close to the

uniform distribution on N

We prove the contrapositive Assuming that the statistical distance b etween

Z and the uniform distribution on N equals we show that cpZ

def

N This is done by dening L fz Pr Z z N g and lower

b ounding cpZ by using the fact that the collision probability is minimized

on uniform distributions Sp ecically considering the uniform distributions

on L and N n L resp ectively we have

Pr Z L Pr Z N n L

cpZ jLj N jLj D

jLj N jLj

Using Pr Z L where jLjN the rhs of Eq D equals

N N N N

D HASHING

m m m

The collision probability of H H X is at most jS jjH j

n

m

Furthermore this holds even if H is only universal

n

The pro of is by a straightforward calculation Sp ecically note that cpH H X

P

m

m m

Pr H x jH j E cphX whereas E cphX jS j

hH hH

n

x x S

n n

m

H x The sum equals jS j jS j jS j and so cpH H X

m m

jH j jS j

n

p

m

jS jclose to H U which is actually a stronger It follows that H H X is

m

b ound than the one asserted by Theorem D

Stronger uniformity via higher indep endence Recall that Lemma D as

serts that for each p oint in the range of the hash function with high probability

over the choice of the hash function this xed point has approximately the exp ected

number of preimages in S A stronger condition asserts that with high probability

over the choice of the hash function every point in its range has approximately

the exp ected number of preimages in S Such a guarantee can b e obtained when

using nwise indep endent hash functions rather than using pairwise indep endent

hash functions

m

be a family of nwise independent hash Lemma D Let m n be integers H

n

n

functions and S f g Then for every for al l but at most an

m m n m

n jS j fraction of the functions h H it is the case that Eq D

n

m

holds for every y f g

m

Indeed the lemma should b e used with jS jn In particular using m

m n

log jS j log n guarantees that with high probability ie

n m

each range elements has jS j preimages in S Under this

m

setting of parameters jS j n which is p oly n whenever p olyn

Needless to say this guarantee is stronger than the conclusion of Theorem D

Pro of The pro of follows the fo otsteps of the pro of of Lemma D taking advan

tage of the fact that here the random variables ie the s are nwise indep en

x

th

dent For t n this allows using the socalled t moment analysis which

generalizes the second moment analysis of pairwise indep endent samplying pre

sented in xD As in the pro of of Lemma D we x any S and y and dene

P

m

jS j and h if and only if hx y Letting E

x x x

xS

E we start with Markovs inequality

x x

x

P

t

X

E

x

xS

Pr

x

t t

xS

P Q

t

E

x

i x x S

i

t

D

t m t

jS j

Using twise indep endence we note that only the terms in Eq D that do not

vanish are those in which each variable app ears with multiplicity This mean that

only terms having less than t distinct variables contribute to Eq D Now for

APPENDIX D PROBABILISTIC PRELIMINARIES AND ADVANCED TOPICS IN RANDOMIZATION

jS j

j

every j t we have less than t tj jS j terms with j distinct

j

m j

variables and each such term contributes less than to the sum b ecause for

e

m

Thus Eq D is upp erb ounded E every e it holds that E

x

i

x

i

by

t

t

m j m

X

t jS j tt t

m t m t

jS j j jS j jS j

j

m

where the rst inequality assumes jS j n which is justied by the fact that the

claim hold vacuously otherwise This upp erb ounds the probability that a random

m

h H violates Eq D with resp ect to a xed y Using a union b ound on all

n

m

y f g the lemma follows

D Sampling

In many settings rep eated sampling is used to estimate the average or other statis

n

tics of a huge set of values Namely given a value function f g R

P

def

x without having to insp ect the one wishes to approximate

n

n

xfg

value of at each p oint of the domain The obvious thing to do is sampling the

domain at random and obtaining an approximation to by taking the average of

the values of on the sample p oints It turns out that certain pseudorandom

sequences of sample p oints may serve almost as well as truly random sequences of

sample p oints and thus the foregoing problem is indeed related to Section

D Formal Setting

It is essential to have the range of the function b e b ounded since otherwise no

reasonable approximation is p ossible For simplicity we adopt the convention of

having b e the range of and the problem for other predetermined ranges

can b e treated analogously Our notion of approximation dep ends on two param

eters accuracy denoted and error probability denoted We wish to have an

algorithm that with probability at least gets within of the correct value

This leads to the following denition

Denition D sampler A sampler is a randomized oracle machine that on

input parameters n length accuracy and error and oracle access to any

n

function f g outputs with probability at least a value that is

P

def

x Namely at most away from

n

n

xfg

Pr jsampler n j

where the probability is taken over the internal coin tosses of the sampler

A nonadaptive sampler is a sampler that consists of two deterministic algorithms

a sample generating algorithm G and a evaluation algorithm V On input n

Indeed this problem was already mentioned in xD

D SAMPLING

and a random seed of adequate length algorithm G generates a sequence of queries

n

denoted s s f g Algorithm V is given the corresponding sequence of

m

values ie s s and outputs an estimate to

m

We are interested in the complexity of sampling quantied as a function of the

parameters n and Sp ecically we will consider three complexity measures

The sample complexity ie the number of oracle queries made by the sampler the

randomness complexity ie the length of the random seed used by the sampler

and the computational complexity ie the runningtime of the sampler We say

that a sampler is ecient if its runningtime is p olynomial in the total length of

its queries ie p olynomial in b oth its sample complexity and in n We will fo cus

on ecient samplers Furthermore we will b e most interested in ecient samplers

that have optimal upto a constant factor sample complexity and will seek to

minimize the randomness complexity of such samplers Note that minimizing the

randomness complexity without referring to the sample complexity makes no sense

D Known Results

We note that all the following p ositive results refer to nonadaptive samplers

whereas the lower b ound hold also for general samplers For more details on these

results see Sec and the references therein

The naive sampler The straightforward metho d aka the naive sampler

consists of uniformly and independently selecting suciently many sample p oints

queries and outputting the average value of the function on these p oints Using

log

sample p oints suce As indicated next Cherno Bound it follows that O

the naive sampler is optimal upto a constant factor in its sample complexity but

is quite wasteful in randomness

log

It is known that samples are needed in any sampler and that any

sampler that makes sn queries must have randomness complexity at least

n log log sn O These lower b ounds are tight as demon

strated by nonexplicit and inecient samplers The foregoing facts guide our

quest for improvements which is aimed at nding more randomnessecient ways

of eciently generating sample sequences that can b e used in conjunction with an

appropriate evaluation algorithm V We stress that V need not necessarily take

the average of the values of the sampled p oints

The pairwiseindep endent sampler Using a pairwiseindep endence genera

tor cf x for generating sample p oints along with the natural evaluation

algorithm which outputs the average of the values of these p oints we can ob

tain a great saving in the randomness complexity In particular using a seed of

length n we can generate O pairwiseindep endent sample p oints which

by Eq D suce for getting accuracy with error Thus this Pairwise

Indep endent sampler uses n coin tosses rather than the log n coin

tosses used by the naive sampler Furthermore for constant the Pairwise

Indep endent Sampler is optimal upto a constant factor in b oth its sample and

APPENDIX D PROBABILISTIC PRELIMINARIES AND ADVANCED TOPICS IN RANDOMIZATION

randomness However for small ie o this sampler is

wasteful in sample complexity

The MedianofAverages sampler A new idea is required for going fur

ther and a relevant to ol random walks on expander graphs see Sections

and E is needed to o Sp ecically we combine the PairwiseIndependent Sam

pler with the Expander Random Walk Generator of Prop osition to obtain

a new sampler The new sampler uses a tlong random walk on an expander with

def

n

vertex set f g for generating a sequence of t O log related seeds for t

invocations of the PairwiseIndependent Sampler where each of these invocations

n

uses the corresp onding n bits to generate a sequence of O samples in f g

The new sampler called the MedianofAverages Sampler outputs the median of

the t values obtained in these t invocation of the PairwiseIndependent Sampler

In analyzing this sampler we rst note that each of the foregoing t invocations

returns a value that with probability at least is close to By Theorem

see also Exercise with probability at least expt most of these

t invocations return an close approximation Hence the median among these t

values is an approximation to the correct value The resulting sampler has

log

and randomness complexity n O log which sample complexity O

is optimal upto a constant factor in b oth complexities

Further improvements The randomness complexity of the MedianofAverages

Sampler can b e decreased from n O log to n O log while main

log

This is done by replacing taining its optimal sample complexity of O

the Pairwise Indep endent Sampler by a sampler that picks a random vertex in a

suitable expander samples all its neighbors and outputs the average value seen

Averaging Samplers Averaging aka Oblivious samplers are nonadaptive

samplers in which the evaluation algorithm is the natural one that is it merely

outputs the average of the values of the sampled p oints Indeed the Pairwise

Indep endent Sampler is an averaging sampler whereas the MedianofAverages

Sampler is not Interestingly averaging samplers have applications for which ordi

nary nonadaptive samplers do not suce Averaging samplers are closely related

to randomness extractors dened and discussed in the subsequent Section D

An o dd p ersp ective Recall that a nonadaptive sampler consists of a sample

n

generator G and an evaluator V such that for every f g it holds that

Pr jV s s j D

m

s s GU

m

k

where k denotes the length of the samplers random seed Thus we may view

G as a pseudorandom generator that is sub jected to a class of distinguishers that

n

is determined by a xed algorithm V and an arbitrary function f g

Sp ecically assuming that V works well when the m samples are distributed

m

j we U uniformly and indep endently ie Pr jV U

n n

D RANDOMNESS EXTRACTORS

require G to generate sequences that satisfy the corresp onding condition as stated

in Eq D What is a bit o dd ab out the foregoing p ersp ective is that except

for the case of averaging samplers the class of distinguishers considered here is

eected by a comp onent ie the evaluator V that is p otentially custommade to

help the generator G fo ol the distinguisher

D Hitters

Hitters may b e viewed as a relaxation of samplers Sp ecically considering only

Bo olean functions hitters are required to generate a sample that contains a p oint

evaluating to whenever at least an fraction of the function values equal

That is a hitter is a that on input parameters n length

accuracy and error outputs a list of nbit strings such that for every set

n

S f g of density greater than with probability at least the list

contains at least one element of S Note the corresp ondence to the hitting

problem dened in Section

Needless to say any sampler yields a hitter with resp ect to essentially the

same parameters n and However hitting is strictly easier than evaluating

the density of the target set O pairwise indep endent random samples suce

to hit any set of density with constant probability whereas samples are

needed for approximating the average value of a Bo olean function up to accuracy

with constant error probability Indeed adequate simplications of the samplers

discussed in App endix D yield hitters with sample complexity prop ortional to

rather than to

D Randomness Extractors

Extracting almostp erfect randomness from sources of weak ie defected ran

domness is crucial for the actual use of randomized algorithms pro cedures and

proto cols The latter are analyzed assuming that they are given access to a p erfect

random source while in reality one typically has access only to sources of weak

ie highly imp erfect randomness This gap is bridged by using randomness ex

tractors which are ecient pro cedures that p ossibly with the help of little extra

randomness convert any source of weak randomness into an almostp erfect random

source Thus randomness extractors are devices that greatly enhance the quality

Another asp ect in which samplers dier from the various pseudorandom generators discussed

in Chapter is in the aim to minimize rather than maximize the number of blo cks denoted

here by m in the output sequence However also in the case of samplers the aim is to maximize

the blo cklength denoted here by n

Sp ecically any sampler with resp ect to the parameters n and yields a hitter with

resp ect to the parameters n and The need for slackness is easily demonstrated by noting

that estimating the average with accuracy is trivial whereas hitting is nontrivial for any

accuracy density The claim is obvious for nonadaptive samplers but actually holds

also for adaptive samplers Note that adaptivity do es not provide any advantage in the context

of hitters b ecause one may assume without loss of generality that all prior samples missed the

target set S

APPENDIX D PROBABILISTIC PRELIMINARIES AND ADVANCED TOPICS IN RANDOMIZATION

of random sources In addition randomness extractors are related to several other

fundamental problems to b e further discussed later

One key parameter which was avoided in the foregoing discussion is the class

of weak random sources from which we need to extract almost p erfect randomness

Needless to say it is preferable to make as little assumptions as p ossible regarding

the weak random source In other words we wish to consider a wide class of

such sources and require that the randomness extractor often referred to as the

extractor works well for any source in this class A general class of such sources is

dened in xD but rst we wish to mention that even for very restricted classes

of sources no deterministic extractor can work To overcome this imp ossibility

result two approaches are used

Seeded extractors The rst approach consists of considering randomized ex

tractors that use a relatively small amount of randomness in addition to

the weak random source That is these extractors obtain two inputs a

short truly random seed and a relatively long sequence generated by an arbi

trary source that b elongs to the sp ecied class of sources This suggestion is

motivated in two dierent ways

The application may actually have access to an almostp erfect random

source but bits from this highquality source are much more exp en

sive than bits from the weak ie lowquality random source Thus

it makes sense to obtain few highquality bits from the almostp erfect

source and use them to purify the cheap bits obtained from the weak

lowquality source Thus combining many cheap but lowquality

bits with few highquality but exp ensive bits we obtain many high

quality bits

In some applications eg when using randomized algorithms it may

b e p ossible to invoke the application multiple times and use the typi

cal outcome of these invocations eg rule by ma jority in the case of a

decision pro cedure For such applications we may pro ceed as follows

rst we obtain an outcome r of the weak random source then we invoke

the application multiple times such that for every p ossible seed s we

invoke the application feeding it with extracts r and nally we use

the typical outcome of these invocations Indeed this is analogous to

the context of derandomization see Section and likewise this al

ternative is typically not applicable to cryptographic andor distributed

settings

Few indep endent sources The second approach consists of considering deter

ministic extractors that obtain samples from a few say two independent

sources of weak randomness Such extractors are applicable in any setting

including in cryptography provided that the application has access to the

required number of indep endent weak random sources

For example consider the class of sources that output nbit strings such that no string

n

o ccurs with probability greater than ie twice its probability weight under the uniform distribution

D RANDOMNESS EXTRACTORS

In this section we fo cus on the rst type of extractors ie the seeded extractors

This choice is motivated b oth by the relatively more mature state of the research

of seeded extractors and by the closer connection b etween seeded extractors and

other topics in complexity theory

D Denitions and various p ersp ectives

We rst present a denition that corresp onds to the foregoing motivational discus

sion and later discuss its relation to other topics in complexity

D The Main Denition

A very wide class of weak random sources corresp onds to sources in which no

sp ecic output is to o probable That is the class is parameterized by a probability

b ound and consists of all sources X such that for every x it holds that Pr X

x In such a case we say that X has minentropy at least log Indeed

we represent sources as random variables and assume that they are distributed over

strings of a xed length denoted n An n k source is a source that is distributed

n

over f g and has minentropy at least k

An interesting sp ecial case of n k sources is that of sources that are uniform

k

over some subset of strings Such sources are called n k at A useful obser

vation is that each n k source is a convex combination of n k at sources

Denition D extractor for n k sources

d n m

An algorithm Ext f g f g f g is called an extractor with error

for the class C if for every source X in C it holds that ExtU X is close

d

to U If C is the class of n k sources then Ext is called a k extractor

m

An algorithm Ext is called a strong extractor with error for C if for every

source X in C it holds that U ExtU X is close to U U A strong

d d d m

k extractor is dened analogously

Using the aforementioned decomp osition of n k sources into n k at sources

it follows that Ext is a k extractor if and only if it is an extractor with error

for the class of n k at sources A similar claim holds for strong extractors

Thus much of the technical analysis is conducted with resp ect to the class of

n k at sources For example by analyzing the case of n k at sources it is

easy to see that for d log n O there exists a k extractor Ext

d n k

f g f g f g The pro of employs the Probabilistic Metho d and uses

a union b ound on the nite set of all n k at sources

P

Pr X x log Pr X x Recall that the entropy of a random variable X is dened as

x

Indeed the minentropy of X equals min flog Pr X xg and is always upp erb ounded by

x

its entropy

n

def

Indeed the key fact is that the number of n k at sources is N The probability

k

d n k

that a random function Ext f g f g f g is not an extractor with error for a

APPENDIX D PROBABILISTIC PRELIMINARIES AND ADVANCED TOPICS IN RANDOMIZATION

We seek however explicit extractors that is extractors that are implementable

by p olynomialtime algorithms We note that the evaluation algorithm of any fam

ily of pairwise indep endent hash functions mapping nbit strings to mbit strings

k m

constitutes a strong k extractor for see Theorem D How

ever these extractors necessarily use a long seed ie d m must hold and

in fact d n m holds in Construction D In Section D we survey

constructions of ecient k extractors that obtain logarithmic seed length ie

d O log n But b efore doing so we provide a few alternative p ersp ectives

on extractors

An imp ortant note on logarithmic seed length The case of logarithmic seed

length ie d O log n is of particular imp ortance for a variety of reasons

Firstly when emulating a randomized algorithm using a defected random source

as in Item of the motivational discussion of seeded extractors the overhead is

exp onential in the length of the seed Thus the emulation of a generic probabilistic

p olynomialtime algorithm can b e done in p olynomial time only if the seed length

is logarithmic Similarly the applications discussed in xD and xD are

feasible only if the seed length is logarithmic Lastly we note that logarithmic seed

length is an absolute lowerbound for k extractors whenever k n n

and the extractor is nontrivial ie m and

D Extractors as averaging samplers

There is a close relationship b etween extractors and averaging samplers which are

dened towards the end of Section D We shall rst show that any averaging

n m t

sampler gives rise to an extractor Let G f g f g b e the sample gen

erating algorithm of an averaging sampler having accuracy and error probability

m

That is G uses n bits of randomness and generates t sample p oints in f g

m

such that for every f f g with probability at least the average

of the f values of these t pseudorandom p oints resides in the interval f where

def

n m

f Ef U Dene Ext t f g f g such that Exti r is the

m

th

i sample generated by Gr We shall prove that Ext is a k extractor for

k n log

Supp ose towards the contradiction that there exists a n k at source X such

m

that for some S f g it is the case that Pr ExtU X S Pr U S

d m

d

where d log t and t f g Dene

n m

B fx f g Pr ExtU x S jS j g

d

k n

Then jB j Dening f z if z S and f z otherwise we

def

m

f Ef U jS j But for every r B the f average of the sample have

m

k

def

dk

xed n k at source is upp erb ounded by p exp b ecause p b ounds the

dk k

probability that when selecting random k bit long strings there exists a set T f g that

k dk

is hit by more than jT j of these strings Note that for d log n O it

holds that N p In fact the same analysis applies to the extraction of m k log n bits

rather than k bits

D RANDOMNESS EXTRACTORS

f in contradiction to the hypothesis that the sampler has Gr is greater than

error probability with resp ect to accuracy

We now turn to show that extractors give rise to averaging samplers Let Ext

d n m

f g f g f g b e a k extractor Consider the sample generation

d

n m

algorithm G f g f g dene by Gr Exts r d We prove

sfg

that G corresp onds to an averaging sampler with accuracy and error probability

nk

m

Supp ose towards the contradiction that there exists a function f f g

n k n

such that for strings r f g the average f value of the

def

sample Gr deviates from f Ef U by more than Supp ose without loss

m

of generality that for at least half of these r s the average is greater than f

and let B denote the set of these r s Then for X that is uniformly distributed on

B and is thus a n k source we have

Ef ExtU X Ef U

d m

which using jf z j for every z contradicts the hypothesis that ExtU X is

d

close to U

m

D Extractors as randomnessecient errorreductions

As may b e clear from the foregoing discussion extractors yield randomnessecient

metho ds for errorreduction This is the case b ecause errorreduction is a spe

cial case of the sampling problem obtained by considering Bo olean functions

Sp ecically for a twosided error decision pro cedure A consider the function

jxj

f f g f g such that f r if Ax r and f r otherwise

x x x

Assuming that the probability that A is correct is at least say

error reduction amounts to providing a sampler with accuracy and any desired

error probability for the Bo olean function f Thus by xD any k

x

d n jxj

extractor Ext f g f g f g with k n log yields the

d d

desired errorreduction provided that is feasible eg p oly jxj where

represents the randomness complexity of the original algorithm A The ques

tion of interest here is how do es n which represents the randomness complexity of

the corresp onding sampler grow as a function of jxj and

n jxj

Errorreduction using the extractor Ext p oly jxj f g f g

error probability randomness complexity

original algorithm jxj

resulting algorithm may dep end on jxj n function of jxj and

Needless to say the answer to the foregoing question dep ends on the quality of the

extractor that we use In particular using Part of the forthcoming Theorem D

we note that for every one can obtain n O jxj log for any

p olyjxj O jxj

Note that for this b ound on the randomness

complexity of errorreduction is b etter than the b ound of n jxj O log

that is provided for the reduction of onesided error by the Expander Random

APPENDIX D PROBABILISTIC PRELIMINARIES AND ADVANCED TOPICS IN RANDOMIZATION

Walk Generator of Section alb eit the number of samples here is larger ie

p oly jxj rather than O log

Mentioning the reduction of onesided errorprobability brings us to a cor

resp onding relaxation of the notion of an extractor which is called a disp erser

Lo osely sp eaking a k disp erser is only required to hit with p ositive probabil

ity any set of density greater than in its image rather than pro duce a distribution

that is close to uniform

d n m

Denition D disp ersers An algorithm Dsp f g f g f g is

called a k disp erser if for every n k source X the support of Dsp U X covers

d

m m

at least points Alternatively for every set S f g of size greater

m

than it holds that Pr DspU X S

d

Disp ersers can b e used for the reduction of onesided error analogously to the

use of extractors for the reduction of twosided error Sp ecically regarding the

aforementioned function f and assuming that Pr f U we may use

x x

jxj

d n jxj

any k disp erser Dsp f g f g f g towards nding a p oint z

k

such that f z Indeed if Pr f U then there are less than

x x

jxj

d

p oints z such that s f g f Dsp s z and thus the onesided error can

x

nk

b e reduced from to while using n random bits Note that disp ersers

are closely related to hitters cf App endix D analogously to the relation of

extractors and averaging samplers

D Other p ersp ectives

Extractors and disp ersers have an app ealing interpretation in terms of bipartite

d

graphs Starting with disp ersers we view any k disp erser Dsp f g

n m n m

f g f g as a bipartite graph G f g f g E such that E

n d

fx Dsps x x f g s f g g This graph has the prop erty that any

k n

subset of vertices on the left ie in f g has a neighborho o d that contains

at least a fraction of the vertices of the right which is remarkable in the

typical case where d is small eg d O log n and n k m whereas

m k or at least m k Furthermore if Dsp is eciently computable

then this bipartite graph is strongly constructible in the sense that given a vertex

on the left one can eciently nd each of its neighbors Any k extractor

d n m

Ext f g f g f g yields an analogous graph with an even stronger

k

prop erty the neighborho o d multiset of any subset of vertices on the left covers

the vertices on the right in an almost uniform manner

An o dd p ersp ective In addition to viewing extractors as averaging samplers

which in turn may b e viewed within the scop e of the pseudorandomness paradigm

we mention here an even more o dd p ersp ective Sp ecically randomness extractors

may b e viewed as randomized algorithms distinguishers designed on purp ose such

that to b e fo oled by any weak random source but not by an even worse source

d n m

Sp ecically for any k extractor Ext f g f g f g where

m k log n and d O log n consider the following class of

D RANDOMNESS EXTRACTORS

m m

distinguishers or tests parameterized by subsets of f g for S f g the

n

test T satises Pr T x Pr ExtU x S ie on input x f g the

S S d

d

test uniformly selects s f g and outputs if and only if Exts x S Then

as shown next any n k source is pseudorandom with resp ect to this class of

distinguishers but suciently nonn k sources are not pseudorandom with

resp ect to this class of distinguishers

m

For every n k source X and every S f g the test T do es not dis

S

tinguish X from U ie Pr T X Pr T U b ecause

n S S n

ExtU X is close to ExtU U since each is close to U

d d n m

On the other hand for every n k d at source Y there exists a set

S such that T distinguish Y from U with gap at least eg for S

S n

that equals the supp ort of ExtU Y it holds that Pr T Y but

d S

dk dm

Pr T U Pr U S Furthermore

S n m

any source that has entropy b elow k d will b e detected as defected by

this class with probability at least

Thus this weird class of tests deems each n k source as pseudorandom while

deeming sources of signicantly lower entropy eg entropy lower than k d

as nonpseudorandom Indeed this p ersp ective stretches the pseudorandomness

paradigm quite far

D Constructions

Recall that we seek explicit constructions of extractors that is functions Ext

d n m

f g f g f g that can b e computed in p olynomialtime The ques

tion of course is of parameters that is having explicit k extractors with m as

large as possible and d as smal l as possible We rst note that except in patholog

ical cases b oth m k d log O and d log n k O

must hold regardless of the explicitness requirement The aforementioned b ounds

are in fact tight that is there exists nonexplicit k extractors with m

k d log O and d log n k O The obvious goal is

meeting these b ounds via explicit constructions

D Some known results

Despite tremendous progress on this problem and o ccasional claims regarding op

timal explicit constructions the ultimate goal was not reached yet Nevertheless

the known explicit constructions are pretty close to b eing optimal

Theorem D explicit constructions of extractors Explicit k extractors of

d n m

the form Ext f g f g f g exist for the fol lowing cases ie settings

of the parameters d and m

For any such source Y the distribution Z Ext U Y has entropy at most k m

d

and thus is far from U and far from Ext U U The lowerbound on the statistical

m n

d

distance b etween Z and U can b e proved by the contrapositive if Z is close to U then its

m m

entropy is at least m eg by using Fanos inequality see Thm

That is for and m d

APPENDIX D PROBABILISTIC PRELIMINARIES AND ADVANCED TOPICS IN RANDOMIZATION

For d O log n and m k O d where is an arbitrarily

smal l constant and provided that expk

For d log n and m k p oly log n where are arbitrarily

smal l constants

Pro ofs of Part and Part can b e found in and resp ectively We note

that for sake of simplicity we did not quote the b est p ossible b ounds Furthermore

we did not mention additional incomparable results which are relevant for dierent

ranges of parameters

We refrain from providing an overview of the pro of of Theorem D but rather

review the pro of of a weaker result that provides explicit n p oly nextractors

for the case of d O log n and m n where is an arbitrarily smal l

constant Indeed in xD we review the conceptual insight that underlies this

result as well as much of the subsequent developments in the area

D The pseudorandomness connection

We conclude this section with an overview of a fruitful connection b etween extrac

tors and certain pseudorandom generators The connection discovered by Tre

visan is surprising in the sense that it go es in a nonstandard direction it

transforms certain pseudorandom generators into extractors As argued throughout

this b o ok most conspicuously at the end of Section computational ob jects

are typically more complex than the corresp onding information theoretical ob jects

Thus if pseudorandom generators and extractors are at all related which was not

susp ected b efore then this relation should not b e exp ected to help in the con

struction of extractors which seem an information theoretic ob ject Nevertheless

the discovery of this relation did yield a breakthrough in the study of extractors

Teaching note The current text assumes familiarity with pseudorandom generators

and in particular with the NisanWigderson Generator presented in x

But b efore describing the connection let us wonder for a moment Just lo oking

at the syntax we note that pseudorandom generators have a single input ie the

seed while extractors have two inputs ie the nbit long source and the dbit

long seed But taking a second lo ok at the NisanWigderson Generator ie the

combination of Construction with an amplication of worstcase to average

case hardness we note that this construction can b e viewed as taking two inputs

a dbit long seed and a hard predicate on d bit long strings where d d

Now an app ealing idea is to use the nbit long source as a truthtable description

d

of a worsecase hard predicate which indeed means setting n The key

observation is that even if the source is only weakly random then it is likely to

represent a predicate that is hard on the worstcase

We note that once the connection b ecame b etter understo o d inuence started going in the

right direction from extractors to pseudorandom generators

Indeed to t the current context we have mo died some notations In Construction the

length of the seed is denoted by k and the length of the input for the predicate is denoted by m

D RANDOMNESS EXTRACTORS

Recall that the aforementioned construction is supp osed to yield a pseudoran

dom generator whenever it starts with a hard predicate In the current context

where there are no computational restrictions pseudorandomness is supp osed to

hold against any computationally unbounded distinguisher and thus here pseudo

randomness means b eing statistically close to the uniform distribution on strings

of the adequate length denoted Intuitively this makes sense only if the ob

served sequence is shorter that the amount of randomness in the source and seed

which is indeed the case ie k d where k denotes the minentropy of the

source Hence there is hop e to obtain a go o d extractor this way

To turn the hop e into a reality we need a pro of which is sketched next Lo ok

ing again at the NisanWigderson Generator we note that the pro of of indistin

guishability of this generator provides a blackbox pro cedure for computing the un

derlying predicate when given oracle access to any p otential distinguisher Sp ecif

d

ically in the pro ofs of Theorems and which holds for any

this blackbox pro cedure was implemented by a relatively smal l circuit which

dep ends on the underlying predicate Hence this pro cedure contains relatively

little information regarding the underlying predicate on top of the observed

bit long output of the extractorgenerator Sp ecically for some xed p olynomial

p the amount of information enco ded in the pro cedure and thus available to it is

def

upp erb ound by b p while the pro cedure is supp ose to compute the underly

ing predicate correctly on each input That is b bits of information are supp osed

to fully determine the underlying predicate which in turn is identical to the nbit

long source However if the source has minentropy exceeding b then it cannot b e

fully determine using only b bits of information It follows that the foregoing con

struction constitutes a b O extractor outputting b bits where

the constant is the one used in the pro of of Theorem and the argument

holds provided that b n Note that this extractor uses a seed of length

d O d O log n The argument can b e extended to obtain k p oly k

extractors that output k bits using a seed of length d O log n provided that

k n

We note that the foregoing description has only referred to two abstract prop

erties of the NisanWigderson Generator the fact that this generator uses

any worstcase hard predicate as a blackbox and the fact that its analysis

uses any distinguisher as a blackbox In particular we viewed the amplication

of worstcase hardness to inapproximability p erformed in Theorem as part

of the construction of the pseudorandom generator An alternative presentation

which is more selfcontained replaces the amplication step of Theorem by a

direct argument in the current information theoretic context and plugs the result

ing predicate directly into Construction The advantages of this alternative

include using a simpler amplication since amplication is simpler in the informa

tion theoretic setting than in the computational setting and deriving transparent

construction and analysis which mirror Construction and Theorem re

sp ectively

d d

Recalling that n the restriction implies n

APPENDIX D PROBABILISTIC PRELIMINARIES AND ADVANCED TOPICS IN RANDOMIZATION

The alternative presentation The foregoing analysis transforms a generic dis

tinguisher into a pro cedure that computes the underlying predicate correctly on

each input which fully determines this predicate Hence an upp erb ound on the

information available to this pro cedure yields an upp erb ound on the number of

p ossible outcomes of the source that are bad for the extractor In the alternative

presentation we transforms a generic distinguisher into a pro cedure that only ap

proximates the underlying predicate that is the pro cedure yields a function that

is relatively close to the underlying predicate If the p otential underlying pred

icates are far apart then this yields the desired b ound on the number of bad

sourceoutcomes that corresp ond to such predicates Thus the idea is to enco de

the nbit long source by an error correcting co de of length n p oly n and rel

ative distance n and use the resulting co deword as a truthtable of a

predicate for Construction Such co des coupled with ecient enco ding al

gorithms do exist see xE and the b enet in using them is that each n bit

long string determined by the information available to the aforementioned ap

proximation pro cedure may b e nclose to at most O n co dewords

which corresp ond to p otential predicates Thus each approximation pro cedure

rules out at most O n p otential predicates ie source outcomes In summary

n

the resulting extractor converts the nbit input x into a codeword x f g

d

viewed as a predicate over f g where d log n and evaluates this predicate

at the projections of the dbit long seed where these projections to d bits are

determined by the corresponding set system ie the long sequence of d subsets

of d that is used in Construction The analysis mirrors the pro of of Theo

O

rem and yields a b ound of O n on the number of bad outcomes for

the source where O upp erb ounds the amount of information enco ded in and

available to the approximation pro cedure and O n upp erb ounds the number

of sourceoutcomes that corresp ond to co dewords that are each nclose

to any xed approximation pro cedure

D Recommended reading

The interested reader is referred to a survey of Shaltiel This survey con

tains a comprehensive introduction to the area including an overview of the ideas

that underly the various constructions In particular the survey describ es the ap

proaches used b efore the discovery of the pseudorandomness connection the con

nection itself and the constructions that arise from it and the third generation

of constructions that followed

The aforementioned survey predates the most recent constructions of extrac

tors that extract a constant fraction of the minentropy using a logarithmically

long seed cf Part of Theorem D Such constructions were rst presented

in and improved using dierent ideas in Indeed we refer to reader

to which provides a selfcontained description of the b est known extractor

for almost all settings of the relevant parameters

Indeed the use of this error correcting co de replaces the hardnessamplication step of The

orem

See App endix E

App endix E

Explicit Constructions

It is easier for a camel to go through the eye of a needle than

for a rich man to enter into the kingdom of Go d

Matthew

Complexity theory provides a clear denition of the intuitive notion of an explicit

construction Furthermore it also suggests a hierarchy of dierent levels of explic

itness referring to the ease of constructing the said ob ject

The basic levels of explicitness are provided by considering the complexity of

fully constructing the ob ject eg the time it takes to print the truthtable of

a nite function In this context explicitness often means outputting a full de

scription of the ob ject in time that is p olynomial in the length of that description

Stronger levels of explicitness emerge when considering the complexity of answering

natural queries regarding the ob ject eg the time it takes to evaluate a xed func

tion at a given input In this context strong explicitness often means answering

such queries in p olynomialtime

The aforementioned themes are demonstrated in our brief review of explicit

constructions of error correcting codes and expander graphs These constructions

are in turn used in various parts of the main text

Summary This app endix provides a brief overview of asp ects of co d

ing theory and expander graphs that are most relevant to complexity

theory Starting with co ding theory we review several p opular con

structions of error correcting co des culminating in the construction of a

go o d binary co de ie a co de that achieves constant relative distance

and constant rate The latter co de is obtained by concatenating a

ReedSolomon co de with a mildly explicit construction of a go o d

binary co de which is applied to small pieces of information We also

briey review the notions of lo cally testable and lo cally deco dable co des

and present a useful list deco ding b ound ie an upp erb ound on the

number of co dewords that are close to any single sequence

APPENDIX E EXPLICIT CONSTRUCTIONS

Turning to expander graphs we review two standard denitions of ex

pansion representing combinatorial and algebraic p ersp ectives and

two prop erties of expanders that are related to singlestep and multi

step random walks on them We also sp ellout two levels of explicitness

of graphs which corresp ond to the aforementioned notions of basic and

strong explicitness Finally we review two explicit constructions of

expander graphs

E Error Correcting Co des

In this section we highlight some issues and asp ects of co ding theory that are most

relevant to the current b o ok The interested reader is referred to for a more

comprehensive treatment of the computational asp ects of co ding theory Structural

asp ects of co ding theory which are at the traditional fo cus of that eld are covered

in standard textb o ok such as

E Basic Notions

Lo osely sp eaking an error correcting co de is a mapping of strings to longer strings

such that any two dierent strings are mapp ed to a corresp onding pair of strings

k n

that are far apart and not merely dierent Sp ecically C f g f g

k

is a binary co de of distance d if for every x y f g it holds that C x and

C y dier on at least d bit p ositions Indeed the relation between k n and d is of

major concern typically the aim is having a large distance ie large d without

introducing too much redundancy ie have n as small as p ossible with resp ect to

k and d

It will b e useful to extend the foregoing denition to sequences over an arbitrary

m

nite alphab et and to use some notations Sp ecically for x we denote

th

the i symbol of x by x ie x x x and consider co des over ie

i m

k n

mappings of sequences to sequences The mapping co de C has

k

distance d if for every x y it holds that jfi C x C y gj d The

i i

k

members of fC x x g are called co dewords and in some texts this set itself

is called a co de

In general we dene a metric called Hamming distance over the set of nlong

n

sequences over The Hamming distance b etween y and z where y z is

dened as the number of lo cations on which they disagree ie jfi y z gj The

i i

Hamming weight of such sequences is dened as the number of nonzero elements

assuming that one element of is viewed as zero Typically is asso ciated

with an additive group and in this case the distance b etween y and z equals the

Hamming weight of w y z where w y z for every i

i i i

Note that a trivial way of obtaining distance d is to duplicate each symbol d times This

rep etition co de satises n d k while we shall seek n d k Indeed as we shall see one

can obtain simultaneously n O k and d k

E ERROR CORRECTING CODES

Asymptotics We will actually consider innite families of co des that is fC

k

nk

k

g where S N and typically S N NB we allow

k S k

k

k

to dep end on k We say that such a family has distance d N N if for

every k S it holds that C has distance dk Needless to say b oth n nk

k

called the blo cklength and dk dep end on k and the aim is having a linear

dependence ie nk O k and dk nk In such a case one talks of the

relative rate of the co de ie the constant k nk and its relative distance ie the

constant dk nk In general we will often refer to relative distances b etween

n

sequences For example for y z we say that y and z are close resp far

if jfi y z gj n resp jfi y z gj n

i i i i

Explicitness A mild notion of explicitness refers to constructing the list of all

co dewords in time that is p olynomial in its length which is exp onential in k

A more standard notion of explicitness refers to generating a sp ecic co deword

ie pro ducing C x when given x which coincides with the enco ding task men

tioned next Stronger notions of explicitness refer to other computational problems

concerning co des eg various deco ding tasks

Computational problems The most basic computational tasks asso ciated with

co des are enco ding and deco ding under noise The denition of the enco ding task

k

is straightforward ie map x to C x and an ecient algorithm is required

k

k

to compute each symbol in C x in p oly k log j jtime When dening the de

k k

nk

co ding task we note that minimum distance deco ding ie given w

k

nd x such that C x is closest to w in Hamming distance is just one natural

k

p ossibility Two related variants regarding a co de of distance d are

nk

Unique deco ding Given w that is at Hamming distance less than dk

k

from some co deword C x retrieve the corresp onding deco ding of C x

k k

ie retrieve x

Needless to say this task is welldened b ecause there cannot b e two dierent

co dewords that are each at Hamming distance less than dk from w

nk

List deco ding Given w and a parameter d which may b e greater than

k

dk output a list of all co dewords or rather their deco ding that are at

Hamming distance at most d from w That is the task is outputting the

k

list of all x such that C x is at distance at most d from w

k

k

Typically one considers the case that d dk See Section E for a

discussion of upp erb ounds on the number of co dewords that are within a

certain distance from a generic sequence

Two additional computational tasks are considered in Section E

The foregoing formulation is not the one that is common in co ding theory but it is the most

natural one for our applications On one hand this formulation is applicable also to co des with

sup erp olynomial blo cklength On the other hand this formulation do es not supp ort a discussion

of practical algorithms that compute the co deword faster than is p ossible when computing each

of the co dewords bits separately

APPENDIX E EXPLICIT CONSTRUCTIONS

k

Linear co des Asso ciating with some nite eld we call a co de C

k k

k

nk

linear if it satises C x y C x C y where x and y resp C x

k k k k

k

and C y are viewed as k dimensional resp nk dimensional vectors over

k k

and the arithmetic is of the corresp onding vector space A useful prop erty of linear

co des is that their distance equals the Hamming weight of the lightest co deword

k nk

other than C that is min fjfi C x C y gjg equals

k x y k i k i

min k fjfi C x gjg Another useful prop erty of linear co des is that

k i

x

the co de is fully sp ecied by a k bynk matrix called the generating matrix

k

that consists of the co dewords of some xed basis of That is the set of all

k

k

co dewords is obtained by taking all j j dierent linear combination of the rows

k

of the generating matrix

E A Few Popular Co des

Our fo cus will b e on explicitly constructible co des that is families of co des of the

nk

k

form fC g that are coupled with ecient enco ding and deco ding

k k S

k

k

algorithms But b efore presenting several such co des let us consider a nonexplicit

co de having go o d parameters that is the following result asserts the existence

of certain co des without p ointing to any sp ecic co de let alone an explicit one

Prop osition E on the distance of random linear co des Let n d t N N

be such that for al l suciently large k it holds that

k tk

E nk max dk

H dk nk

def

where H log log Then for al l suciently

tk

large k with probability greater than a random linear transformation of

k nk

f g to f g constitutes a code of distance dk

Indeed for asserting that most random linear co des are go o d it suces to set t

while for merely asserting the existence of a go o d linear co de even setting t

will do Also for every constant there exists a constant and

k k

an innite family of codes fC f g f g g of relative distance

k

k N

Sp ecically any constant H will do

Pro of We consider a uniformly selected k bynk generating matrix over GF

and upp erb ound the probability that it yields a linear co de of distance less than

k

dk We use a union b ound on all p ossible linear combinations of the

rows of the generating matrix where for each such combination we compute the

probability that it yields a co deword of Hamming weight less than dk Ob

serve that the result of each such linear combination is uniformly distributed over

nk

f g and thus this co deword has Hamming weight less than dk with prob

P

def

dk

nk

nk

ability p Clearly for dk nk it holds that

i

i

H dk nk nk H dk nk nk

p dk but actually p holds

as well eg use Cor Using H dk nk nk k tk

the prop osition follows

E ERROR CORRECTING CODES

E A mildly explicit version of Prop osition E

Note that Prop osition E yields a deterministic algorithm that nds a linear co de

of distance dk by conducting an exhaustive search over all p ossible generating

matrices that is a go o d co de can b e found in time expk nk The time

b ound can b e improved to expk nk by constructing the generating matrix

in iterations such that at each iteration the current set of rows is augmented

with a single row while maintaining the natural invariance ie all nonempty

linear combinations of the current rows have weight at least dk Thus at each

iteration we conduct an exhaustive search over all p ossible values of the next nk

bit long row and for each such candidate value we check whether the foregoing

invariance holds by considering all linear combinations of the previous rows and

the current candidate

Note that the pro of of Prop osition E can b e adapted to assert that as long

as we have less than k rows a random choice of the next row will do with p ositive

probability Thus the foregoing iterative algorithm nds a go o d co de in time

P

k

nk i

p oly nk expnk k In the case that nk O k this

i

yields an algorithm that runs in time that is p olynomial in the size of the co de ie

k

the number of co dewords ie Needless to say this mild level of explicitness is

inadequate for most co ding applications however it will b e useful to us in xE

E The Hadamard Co de

The Hadamard co de is the longest nonrep etitive linear co de over f g GF

k k

That is x f g is mapp ed to the sequence of all nk p ossible linear

combinations of its bits that is bit lo cations in the co dewords are asso ciated with

k

k bit strings such that lo cation f g in the co deword of x holds the value

P

k

k

x It can b e veried that each nonzero co deword has weight and

i i

i

thus this co de has relative distance dk nk alb eit its blo cklength nk

is exp onential in k

Turning to the computational asp ects we note that enco ding is very easy As

for deco ding the warmup discussion at the b eginning of the pro of of Theorem

provides a very fast probabilistic algorithm for unique deco ding whereas Theo

rem itself provides a very fast probabilistic algorithm for list deco ding

We mention that the Hadamard co de has played a key role in the pro of of the

PCP Theorem Theorem see x

A prop os long co des We mention that the longest nonrep etitive binary

co de called the LongCo de and introduced in is extensively used in the de

sign of advanced PCP systems see eg In this co de a k bit long

k

string x is mapp ed to the sequence of nk values each corresp onding to

the evaluation of a dierent Bo olean function at x that is bit lo cations in the

co dewords are asso ciated with Bo olean functions such that the lo cation asso ciated

k

with f f g f g in the co deword of x holds the value f x

APPENDIX E EXPLICIT CONSTRUCTIONS

E The ReedSolomon Co de

ReedSolomon co des can b e dened for any adequate nonbinary alphab et where

the alphab et is asso ciated with a nite eld of n elements denoted GF n For

any k n the co de maps univariate p olynomials of degree k over GFn

k

to their evaluation at all eld elements That is p GFn viewed as such

a p olynomial is mapp ed to the sequence p p where is a

n n

canonical enumeration of the elements of GF n This mapping is called a Reed

Solomon co de with parameters k and n and its distance is n k b ecause any

nonzero p olynomials of degree k evaluates to zero at less than k p oints Indeed

this co de is linear over GFn since p is a linear combination of p p

k

P

k

i

where p p

i

i

The ReedSolomon co de yields innite families of co des with constant rate and

constant relative distance eg by taking nk k and dk k but the

alphab et size grows with k or rather with nk k Ecient algorithms for

unique deco ding and list deco ding are known see and references therein

These computational tasks corresp ond to the extrap olation of p olynomials based

on a noisy version of their values at all p ossible evaluation p oints

E The ReedMuller Co de

ReedMuller co des generalize ReedSolomon co des by considering multivariate

p olynomials rather than univariate p olynomials Consecutively the alphab et may

b e any nite eld and in particular the twoelement eld GF ReedMuller co des

and variants of them are extensively used in complexity theory for example they

underly Construction and the PCP constructed at the end of x The

relevant prop erty of these nonbinary co des is that under a suitable setting of

parameters that satises nk p olyk they allow sup er fast co deword testing

and selfcorrection see discussion in Section E

For any prime p ower q and parameters m and r we consider the set denoted

P of all mvariate p olynomials of total degree at most r over GFq Each

mr

p olynomial in P is represented by the k log jP j co ecients of all relevant

mr mr

q

mr

monomials where in the case that r q it holds that k We consider

m

k n m

the co de C GF q GF q where n q mapping mvariate p olynomials of

m

total degree at most r to their values at all q evaluation p oints That is the m

variate p olynomial p of total degree at most r is mapp ed to the sequence of values

p p where is a canonical enumeration of all the mtuples

n n

of GFq The relative distance of this co de is lowerbounded by q r q cf

Lemma

In typical applications one sets r m log m and q p oly r which yields

m m m

k m and n p oly r p oly m Thus we have nk p oly k but not

nk O k As we shall see in Section E the advantage in comparison to the

ReedSolomon co de is that co deword testing and selfcorrection can b e p erformed

k

Alternatively we may map v v GFn to p p where p is the unique

n

k

univariate p olynomial of degree k that satises p v for i k Note that this

i i

mo dication amounts to a linear transformation of the generating matrix

E ERROR CORRECTING CODES

at complexity related to q p oly log n Actually most complexity applications

use a variant in which only mvariate p olynomials of individual degree r r m are

enco ded In this case an alternative presentation analogous to the one presented in

m

Footnote is preferred The information is viewed as a function f H GF q

where H GFq is of size r and is enco ded by the evaluation at all p oints in

m

GFq of the unique mvariate p olynomial of individual degree r that extends

the function f see Construction

E Binary co des of constant relative distance and constant rate

Recall that we seek binary co des of constant relative distance and constant rate

Prop osition E asserts that such co des exists but do es not provide an explicit

construction The Hadamard co de is explicit but do es not have a constant rate to

k

say the least since nk The ReedSolomon co de has constant relative

distance and constant rate but uses a nonbinary alphab et which grows at least

linearly with k Thus all co des we have reviewed so far fall short of providing

an explicit construction of binary codes of constant relative distance and constant

rate We achieve the desired construction by using the paradigm of concatenated

co des which is of indep endent interest Concatenated co des may b e viewed

as a simple analogue of the pro of comp osition paradigm presented in x

Intuitively concatenated co des are obtained by rst enco ding information viewed

as a sequence over a large alphab et by some co de and next enco ding each resulting

symbol which is viewed as a sequence of over a smaller alphab et by a second co de

n k n k k

and C and two co des C Formally consider

k k k

Then the concatenated co de of C and C maps x x to

k

C x x where y y C y C y

k n n

k k n n

Note that the resulting co de C has constant rate and con

stant relative distance if b oth C and C have these prop erties Enco ding in

the concatenated co de is straightforward To deco de a corrupted co deword of

C we view the input as an n long sequence of blo cks where each blo ck is an

n long sequence over Applying the deco der of C to each blo ck we obtain

n sequences each of length k over and interpret each such sequence as

a symbol of Finally we apply the deco der of C to the resulting n long

sequence over and interpret the resulting k long sequence over as a

n n

k k long sequence over The key observation is that if w is close

then at least n of the blocks of w C y C y to C x x

n k

are close to the corresponding C y

i

We are going to consider the concatenated co de obtained by using the Reed

k n

Solomon Co de C GFn GFn as the large co de setting k log n

and using the mildly explicit version of Prop osition E see also xE C

n k

as the small co de We use n k and n O k and so the f g f g

Binary ReedMuller co des also fail to simultaneously provide constant relative distance and

constant rate

This observation oers unique deco ding from a fraction of errors that is the pro duct of the

fractions of error asso ciated with the two original co des Stronger statements regarding unique

deco ding of the concatenated co de can b e made based on more rened analysis cf

APPENDIX E EXPLICIT CONSTRUCTIONS

k n

concatenated co de is C f g f g where k k k and n n n O k

The key observation is that C can b e constructed in expk time whereas here

expk p oly k Furthermore b oth enco ding and deco ding with resp ect to C

can b e p erformed in time expk p oly k Thus we get

Theorem E an explicit go o d co de There exists constants and an

explicit family of binary codes of rate and relative distance at least That is

there exists a polynomialtime enco ding algorithm C such that jC xj jxj for

every x and a polynomialtime deco ding algorithm D such that for every y that

is close to some C x it holds that D y x Furthermore C is a linear code

The linearity of C is justied by using a ReedSolomon co de over the extension eld

k

and noting that this co de induces a linear transformation over GF F GF

Sp ecically the value of a p olynomial p over F at a p oint F can b e obtained

as a linear transformation of the co ecient of p when viewed as k dimensional

vectors over GF

Relative distance approaching one half Note that starting with a Reed

Solomon co de of relative distance and a smaller co de C of relative distance

we obtain a concatenated co de of relative distance Recall that for any

n k

of GF n constant there exists a ReedSolomon co de C GFn

relative distance and constant rate ie Thus for any constant

we may obtain an explicit co de of constant rate and relative distance

eg by using and Furthermore giving up on

constant rate we may start with a ReedSolomon co de of blo cklength n k

p oly k and distance n k k over n k and use a Hadamard co de enco ding

log n k n k

n k f g by f g in the role of the small co de C This

yields a concatenated binary co de of blo ck length nk n k p oly k and

distance n k k n k Thus the resulting explicit code has relative distance

k

p

o provided that nk k

nk

E Two Additional Computational Problems

In this section we briey review relaxations of two traditional co ding theoretic tasks

The purp ose of these relaxations is enabling the design of sup erfast randomized

algorithms that provide meaningful information Sp ecically these algorithms may

run in sublinear eg p olylogarithmic time and thus cannot p ossibly solve the

unrelaxed version of the corresp onding problem

Lo cal testability This task refers to testing whether a given word is a co deword

in a predetermine co de based on randomly insp ecting few lo cations in the

word Needless to say we can only hop e to make an approximately correct

decision that is accept each co deword and reject with high probability each

word that is far from the co de Indeed this task is within the framework of

prop erty testing see Section

E ERROR CORRECTING CODES

Lo cal deco dability Here the task is to recover a sp ecied bit in the plaintext by

randomly insp ecting few lo cations in a mildly corrupted co deword This

task is somewhat related to the task of selfcorrection ie recovering a sp ec

ied bit in the co deword itself by insp ecting few lo cations in the mildly

corrupted co deword

Note that the Hadamard co de is b oth lo cally testable and lo cally deco dable as well

as selfcorrectable based on a constant number of queries into the word these facts

were demonstrated and extensively used in x However the Hadamard co de

k

has an exp onential blo cklength ie nk and the question is whether one

can achieve analogous results with resp ect to a shorter co de eg nk p oly k

As hinted in xE the answer is p ositive when we refer to p erforming these

op erations in time that is p olylogarithmic in k

Theorem E For some constant and polynomials n q N N there

k nk

exists an explicit family of codes fC q k q k g of relative distance

k

k N

that can be locally testable and locally decodable in p oly log k time That is the

fol lowing three conditions hold

k

Enco ding There exists a polynomial time algorithm that on input x q k

returns C x

k

Lo cal Testing There exists a probabilistic polynomialtime oracle machine

nk

T that given k in binary and oracle access to w q k viewed as

w nk q k distinguishes the case that w is a codeword from the case

that w is far from any codeword Specically

k C x

k

a For every x q k it holds that Pr T k

nk

b For every w q k that is far from any codeword of C it holds

k

w

that Pr T k

As usual the error probability can be reduced by repetitions

Lo cal Deco ding There exists a probabilistic polynomialtime oracle machine

nk

D that given k and i k in binary and oracle access to any w q k

w

that is close to C x returns x that is Pr D k i x

k i i

Self correction holds too there exists a probabilistic polynomialtime oracle

machine M that given k and i nk in binary and oracle access to any

nk w

w q k that is close to C x returns C x that is Pr D k i

k k i

C x

k i

We stress that all these oracle machines work in time that is p olynomial in the bi

nary representation of k which means that they run in time that is p olylogarithmic

in k The co de asserted in Theorem E is a small mo dication of a ReedMuller

m

co de for r m log m q k p oly r and nk GF q k see xE

Thus the running time of T is p oly jk j p oly log k

The mo dication is analogous to the one presented in Footnote For a suitable choice of

m

k p oints GF q k we map v v to p p where p is the unique

n

k k

v for i k mvariate p olynomial of degree at most r that satises p

i i

APPENDIX E EXPLICIT CONSTRUCTIONS

The aforementioned oracle machines queries the oracle w nk GFq k

at a nonconstant number of lo cations Sp ecically selfcorrection for lo cation

m m

i GFq k is p erformed by selecting a random line over GF q k that

passes through i recovering the values assigned by w to all q k p oints on this

line and p erforming univariate p olynomial extrap olation under mild noise Lo

cal testability is easily reduced to selfcorrection and under the aforementioned

mo dication lo cal deco dability is a sp ecial case of selfcorrection

Constant number of binary queries The lo cal testing and deco ding al

gorithms asserted in Theorem E make a p olylogarithmic number of queries into

the oracle Furthermore these queries which refer to a nonbinary co de are

nonbinary ie they are each answered by a nonbinary value In contrast the

Hadamard co de has lo cal testing and deco ding algorithms that use a constant num

ber of binary queries Can this b e obtained with much shorter binary co dewords

That is redening lo cal testability and deco dability as requiring a constant number

of queries we ask whether binary co des of signicantly shorter blo cklength can b e

lo cally testable and deco dable For lo cal testability the answer is denitely p ositive

one can construct such lo cally testable and binary co des with blo cklength that

is nearly linear ie linear up to p olylogarithmic factors see For lo cal

deco dability the shortest known co de has sup erp olynomial length see In

light of this state of aairs we advocate natural relaxations of the lo cal deco dability

task eg the one studied in

The interested reader is referred to which includes more details on lo cally

testable and deco dable co des as well as a wider p ersp ective Note however that

this survey was written prior to and which resolve two ma jor op en

problems discussed in

E A List Deco ding Bound

A necessary condition for the feasibility of the list deco ding task is that the list

of co dewords that are close to the given word is short In this section we present

an upp erb ound on the length of such lists noting that this b ound has found

several applications in complexity theory and sp ecically to studies related to the

contents of this b o ok In contrast we do not present far more famous b ounds

which typically refer to the relation among the main parameters of co des ie

k n and d b ecause they seem less relevant to the contents of this b o ok

We start with a general statement that refers to any alphab et q and later

sp ecialize it to the case that q Esp ecially in the general case it is natural and

convenient to consider the agreement rather than the distance b etween sequences

over q Furthermore it is natural to fo cus on agreement rate of at least q and

it is convenient to state the following result in terms of the excessive agreement

rate ie the excess b eyond q Lo osely sp eaking the following result upp er

b ounds the number of co dewords that have a sucient large agreement rate with

Indeed we only consider co des with distance d q n ie agreement rate of at least

q and words that are at distance at most d from the co de Note that a random sequence is

exp ected to agree with any xed sequence on a q fraction of the lo cations

E EXPANDER GRAPHS

any xed sequence where the upp erb ound dep ends only on this agreement rate

and the agreement rate b etween co dewords as well as on the alphab et size but

not on k and n

k n

Lemma E Part of Thm Let C q q be an arbitrary

def

dn q denote code of distance d n nq and let

C

the corresponding upperbound on the excessive agreement rate between codewords

Suppose that satises

s

E

C

q

n

Then for any w q the number of codewords that agree with w on at least

q n positions ie are at distance at most q n from w

is upperbounded by

q q

C

E

q

C

p

In the binary case ie q Eq E requires and Eq E yields

C

the upp erb ound We highlight two sp ecic cases

C C

At the end of xD we refer to this b ound for the binary case while

setting k and k Indeed in this case

C C C

O k

In the case of the Hadamard co de we have Thus for every w

C

n

f g and every the number of co dewords that are close to

w is at most

In the general case and sp ecically for q it is useful to simplify Eq E by

p

p

q q g and Eq E by minf

C C

C

E Expander Graphs

In this section we review basic facts regarding expander graphs that are most

relevant to the current b o ok For a wider p ersp ective the interested reader is

referred to

Lo osely sp eaking expander graphs are regular graphs of small degree that ex

hibit various prop erties of cliques In particular we refer to prop erties such as the

relative sizes of cuts in the graph ie relative to the number of edges and the

rate at which a random walk converges to the uniform distribution relative to the

of the graph size to the base of its degree

Another useful intuition is that expander graphs exhibit various prop erties of random regular

graphs of the same degree

APPENDIX E EXPLICIT CONSTRUCTIONS

Some technicalities Typical presentations of expander graphs refer to one of

several variants For example in some sources expanders are presented as bipartite

graphs whereas in others they are presented as ordinary graphs and are in fact

very far from b eing bipartite We shall follow the latter convention Furthermore

at times we implicitly consider an augmentation of these graphs where selflo ops

are added to each vertex For simplicity we also allow parallel edges

We often talk of expander graphs while we actually mean an innite collection

of graphs such that each graph in this collection satises the same prop erty which

is informally attributed to the collection For example when talking of a dregular

expander graph we actually refer to an innite collection of graphs such that each

of these graphs is dregular Typically such a collection or family contains a single

N vertex graph for every N S where S is an innite subset of N Throughout

this section we denote such a collection by fG g with the understanding that

N

N S

G is a graph with N vertices and S is an innite set of natural numbers

N

E Denitions and Prop erties

We consider two denitions of expander graphs two dierent notions of explicit

constructions and two useful prop erties of expanders

E Two mathematical denitions

We start with two dierent denitions of expander graphs These denitions are

qualitatively equivalent and even quantitatively related We start with an algebraic

denition which seems technical in nature but is actually the denition typically

used in complexity theoretic applications since it directly implies various mixing

prop erties see xE We later present a very natural combinatorial denition

which is the source of the term expander

The algebraic denition eigenvalue gap Identifying graphs with their ad

jacency matrix we consider the eigenvalues and eigenvectors of a graph or rather

of its adjacency matrix Any dregular graph G V E has the uniform vector

as an eigenvector corresp onding to the eigenvalue d and if G is connected and

nonbipartite then the absolute values of all other eigenvalues are strictly smaller

than d The eigenvalue b ound denoted G d of such a graph G is dened as

a tight upp erb ound on the absolute value of all the other eigenvalues In fact

in this case it holds that G d djV j The algebraic denition of

expanders refers to an innite family of dregular graphs and requires the existence

of a constant eigenvalue b ound that holds for all the graphs in the family

Denition E An innite family of dregular graphs fG g where S N

N

N S

satises the eigenvalue b ound if for every N S it holds that G In

N

This follows from the connection to the combinatorial denition see Theorem E Sp ecif

ically the square of this graph denoted G is jV j expanding and thus it holds that G

G d jV j

E EXPANDER GRAPHS

such a case we say that fG g is a family of d expanders and call d

N

N S

its eigenvalue gap

It will b e often convenient to consider relative or normalized versions of the

foregoing quantities obtained by division by d

The combinatorial denition expansion Lo osely sp eaking expansion re

quires that any not to o big set of vertices of the graph has a relatively large set

of neighbors Sp ecically a graph G V E is cexpanding if for every set S V

of cardinality at most jV j it holds that

def

S fv u S st fu v g E g E

G

has cardinality at least c jS j Assuming the existence of selflo ops on all

vertices the foregoing requirement is equivalent to requiring that j S n S j

G

c jS j In this case every connected graph G V E is jV jexpanding

The combinatorial denition of expanders refers to an innite family of dregular

graphs and requires the existence of a constant expansion b ound that holds for all

the graphs in the family

Denition E An innite family of dregular graphs fG g is cexpanding if

N

N S

for every N S it holds that G is cexpanding

N

The two denitions of expander graphs are related see Sec or

Sec Sp ecically the expansion b ound and the eigenvalue b ound are

related as follows

Theorem E Let G be a dregular graph having a selfloop on each vertex

The graph G is cexpanding for c d Gd

If G is cexpanding then d G c c

Thus any nonzero b ound on the combinatorial expansion of a family of dregular

graphs yields a nonzero b ound on its eigenvalue gap and vice versa Note how

ever that the backandforth translation b etween these measures is not tight We

note that the applications presented in the main text see eg Section and

x refer to the algebraic denition and that the loss incurred in Theorem E

is immaterial for them

In contrast a bipartite graph G V E is not expanding b ecause it always contains a set

S of size at most jV j such that j S j jS j although it may hold that j S n S j jS j

G G

Recall that in such a graph G V E it holds that S S for every S V and thus

G

j S j j S n S j jS j Furthermore in such a graph all eigenvalues are greater than or

G G

equal to d and thus if d G then this is due to a p ositive eigenvalue of G These

facts are used for bridging the gap b etween Theorem E and the more standard versions see

eg Sec that refer to variants of b oth denitions Sp ecically Sec refers to

S S n S and G where G is the second largest eigenvalue of G rather than

G

G

referring to S and G Note that in general S may b e attained by the dierence

G G

b etween the smallest eigenvalue of G which may b e negative and d

APPENDIX E EXPLICIT CONSTRUCTIONS

Amplication The quality of expander graphs improves by raising these

th

graphs to any p ower t ie raising their adjacency matrix to the t p ower

where this op eration corresp onds to replacing tpaths in the original graphs

by edges in the resulting graphs Sp ecically when considering the algebraic

t t

denition it holds that G G but indeed the degree also gets raised

t t

to the p ower t Still the ratio G d deceases with t An analogous phe

nomenon o ccurs also under the combinatorial denition provided that some suit

able mo dications are applied For example if for every S V it holds that

t

j S j min c jS j jV j then for every S V it holds that j S j

G

G

t

min c jS j jV j

The optimal eigenvalue b ound For every dregular graph G V E it holds

p

d where O log jV j Thus for any innite that G

G G

d

p

family of d expanders it must holds that d

E Two levels of explicitness

Towards discussing various notions of explicit constructions of graphs we need to

x a representation of such graphs Sp ecically throughout this section when

referring to an innite family of graphs fG g we shall assume that the vertex

N

N S

set of G equals N Indeed at times we shall consider vertex sets having a

N

dierent structure eg m m for some m N but in all these cases there

exists a simple isomorphism of these sets to the canonical representation ie there

exists an eciently computable and invertible mapping of the vertex set of G to

N

N

Recall that a mild notion of explicit constructiveness refers to the complexity of

constructing the entire object ie the graph Applying this notion to our setting

we say that an innite family of graphs fG g is explicitly constructible if there

N

N S

N

exists a polynomialtime algorithm that on input where N S outputs the

list of the edges in the N vertex graph G That is the entire graph is constructed

N

in time that is p olynomial in its size ie in p oly N time

The foregoing mild level of explicitness suces when the application requires

holding the entire graph andor when the runningtime of the application is lower

b ounded by the size of the graph In contrast other applications refer to a huge

virtual graph which is much bigger than their running time and only require

the computation of the neighborho o d relation in such a graph In this case the

following stronger level of explicitness is relevant

A strongly explicit construction of an innite family of dregular graphs fG g

N

N S

is a polynomialtime algorithm that on input N S in binary a vertex v in the

th

N vertex graph G ie v N and an index i d returns the i neighbor

N

of v That is the neighbor query is answered in time that is p olylogarithmic in

the size of the graph Needless to say this strong level of explicitness implies the

basic mild level

An additional requirement which is often forgotten but is very imp ortant refers

to the tractability of the set S Sp ecically we require the existence of an

ecient algorithm that given any n N nds an s S such that n s n

E EXPANDER GRAPHS

Corresp onding to the two foregoing levels of explicitness ecient may mean

either running in time p oly n or running in time p oly log n The requirement

that n s n suces in most applications but in some cases a smaller interval

p

eg n s n n is required whereas in other cases a larger interval eg

n s p oly n suces

Greater exibility In continuation to the foregoing paragraph we comment

that expanders can b e combined in order to obtain expanders for a wider range of

graph sizes For example given two dregular cexpanding graphs G V E

and G V E where jV j jV j and c we can obtain a d regular

cexpanding graph on jV j jV j vertices by connecting the two graphs using a

p erfect matching of V and jV j of the vertices of V and adding selflo ops to the

remaining vertices of V More generally combining the dregular cexpanding

P

def

t

jV j jV j yields graphs G V E through G V E where N

i t t t t

i

P

t

jV j vertices by using a p erfect a d regular cexpanding graph on

i

i

t

matching of V and N of the vertices of V

i t

i

E Two prop erties

The following two prop erties provide a quantitative interpretation to the statement

that expanders approximate the complete graph or b ehave approximately like

a complete graph When referring to d expanders the deviation from the

b ehavior of a complete graph is represented by an error term that is linear in d

The mixing lemma Lo osely sp eaking the following folklore lemma asserts

that in expander graphs for which d the fraction of edges connecting two

large sets of vertices approximately equals the pro duct of the densities of these sets

This prop erty is called mixing

Lemma E Expander Mixing Lemma For every dregular graph G V E

and for every two subsets A B V it holds that

p

jAj jB j G

jB j G jAj jA B E j

E

jV j jV j d jV j d

jE j

where E denotes the set of directed edges ie vertex pairs that correspond to the

undirected edges of G ie E fu v fu v g E g and jE j djV j

In particular jA A E j A d G jAj where A jAjjV j It

follows that jA V n A E j A d G jAj

def def

Pro of Let N jV j and G For any subset of the vertices S V we

def

denote its density in V by S jS jN Hence Eq E is restated as

p

A B

jA B E j

A B

d N d

APPENDIX E EXPLICIT CONSTRUCTIONS

We pro ceed by providing b ounds on the value of jA B E j To this end we let

th

a denote the N dimensional Bo olean vector having in the i comp onent if and

only if i A The vector b is dened similarly Denoting the adjacency matrix of

the graph G by M m we note that jA B E j equals a M b b ecause

ij

i j A B E if and only if it holds that i A j B and m

ij

e e where e and We consider the orthogonal eigenvector basis

N

e e N for each i and write each vector as a linear combination of the vectors

i i

in this basis Sp ecically we denote by a the co ecient of a in the direction of e

i i

P

that is a a e N and a e Note that a a e N jAjN A a

i i i i

i

P

N

a aN jAjN A Similarly for b It now follows that and a

i

i

N

X

jA B E j a M b e

i i

i

N

X

a e b

i i i

i

th

where denotes the i eigenvalue of M Note that d and for every i it

i

holds that j j Thus

i

N

X

jA B E j b a

i i i

dN d

i

N

X

a b

i i i

AB

d

i

N

X

a b AB

i i

d

i

P P

N N

Using a A and b B and applying CauchySchwartz In

i i

i i

p

P

N

a b by equality we b ound AB The lemma follows

i i

i

The random walk lemma Lo osely sp eaking the rst part of the following

lemma asserts that as far as remaining trapp ed in some subset of the vertex set

is concerned a random walk on an expander approximates a random walk on the

complete graph

Lemma E Expander Random Walk Lemma Let G N E be a dregular

graph and consider walks on G that start from a uniformly chosen vertex and take

additional random steps where in each such step we uniformly selects one out

of the d edges incident at the current vertex and traverses it

def

Theorem restated Let W be a subset of N and jW jN Then the

probability that such a random walk stays in W is at most

G

E

d

E EXPANDER GRAPHS

Exercise restated For any W W N the probability that a random

walk of length intersects W W W is at most

q

Y

p

d E

i

i

def

jW jN where

i i

The basic principle underlying Lemma E was discovered by Ajtai Komlos and

Szemeredi who proved a b ound as in Eq E The b etter analysis yielding

Theorem is due to Cor A more general b ound that refer to the

probability of visiting W for a number of times that approximates jW jN is given

in which actually considers an even more general problem ie obtaining

Chernotype b ounds for random variables that are generated by a walk on an

expander

Pro of of Equation E The basic idea is viewing events o ccuring during the

random walk as an evolution of a corresp onding probability vector under suitable

transformations The transformations corresp ond to taking a random step in G

and to passing through a sieve that keeps only the entries that corresp ond to

the current set W The key observation is that the rst transformation shrinks

i

the comp onent that is orthogonal to the uniform distribution whereas the sec

ond transformation shrinks the comp onent that is in the direction of the uniform

distribution Details follow

Let A b e a matrix representing the random walk on G ie A is the adjacency

def

matrix of G divided by d and let Gd ie upp erb ounds the abso

lute value of every eigenvalue of A except the rst one Note that the uniform

distribution represented by the vector u N N is the eigenvector of

A that is asso ciated with the largest eigenvalue which is Let P b e a ma

i

trix that has entries only on its diagonal such that entry j j is set to if and

only if j W Then the probability that a random walk of length intersects

i

W W W is the sum of the entries of the vector

def

v P A P AP AP u E

p

We are interested in upp erb ounding k v k and use kv k N kv k where kz k

z k denote the L norm and L norm of z resp ectively eg kuk and and k

uk N The key observation is that the linear transformation P A shrinks k

i

every vector

Main Claim For every z it holds that kP Az k kz k

i i

z that is orthogonal to u whereas P Pro of Intuitively A shrinks the comp onent of

i

z that is in the direction of u Sp ecically we decomp ose shrinks the comp onent of

z z z such that z is the pro jection of z on u and z is the comp onent

orthogonal to u Then using the triangle inequality and other obvious facts which

APPENDIX E EXPLICIT CONSTRUCTIONS

z k kP z k and kP Az k kAz k we have imply kP A

i i i

z P Az k kP Az k kP Az k kP A

i i i i

kP z k kAz k

i

p

kz k kz k

i

where the last inequality uses the fact that P shrinks any uniform vector by elimi

i

nating of its elements whereas A shrinks the length of any eigenvector except

i

u by a factor of at least Using the CauchySchwartz inequality we get

q

p

z k kz k z k k kP A

i i

q

kz k

i

where the equality is due to the fact that z is orthogonal to z

p

Recalling Eq E and using the Main Claim and kv k N kv k we get

p

k v k N kP A P AP AP uk

q

Y

p

kP N uk

i

i

p p

uk N N N we establish Eq E Finally using kP

Rapid mixing A prop erty related to Lemma E is that a random walk starting

at any vertex converges to the uniform distribution on the expander vertices after a

logarithmic number of steps Sp ecically we claim that starting at any distribution

s including a distribution that assigns all weight to a single vertex after steps

p

on a d expander G N E we reach a distribution that is N d close

to the uniform distribution over N Using notation as in the pro of of Eq E

p

s uk N which is meaningful only for the claim asserts that kA

p

s uk N kA s uk log N The claim is proved by recalling that kA

and using the fact that s u is orthogonal to u b ecause the former is a zerosum

s uk kA s uk ks uk and using ks uk the vector Thus kA

claim follows

E Constructions

Many explicit constructions of d expanders are known The rst such con

struction was presented in where d was not explicitly b ounded and an

p

d was rst optimal construction ie an optimal eigenvalue b ound of

p

p

P

p

n

kz That is we get a b kz k kz k k kz k by using

i i i i

i

P P

p

n n

b with n a a b kz k etc

i i i

i i

E EXPANDER GRAPHS

provided in Most of these constructions are quite simple see eg xE

but their analysis is based on nonelementary results from various branches of math

ematics In contrast the construction of Reingold Vadhan and Wigderson

presented in xE is based on an iterative pro cess and its analysis is based on

a relatively simple algebraic fact regarding the eigenvalues of matrices

Before turning to these explicit constructions we note that it is relatively easy

to prove the existence of regular expanders by using the Probabilistic Metho d

cf and referring to the combinatorial denition of expansion

E The MargulisGabb erGalil Expander

For every natural number m consider the graph with vertex set Z Z and the

m m

edge set in which every hx y i Z Z is connected to the vertices hx y y i

m m

hx y y i hx y xi and hx y x i where the arithmetic is mo dulo m

This yields an extremely simple regular graph with an eigenvalue b ound that is

a constant which is indep endent of m Thus we get

Theorem E There exists a strongly explicit construction of a family of

expanders for graph sizes fm m N g Furthermore the neighbors of a vertex in

these expanders can be computed in logarithmicspace

An app ealing prop erty of Theorem E is that for every n N it directly yields

n

expanders with vertex set f g This is obvious in case n is even but can b e

easily achieved also for o dd n eg use two copies of the graph for n and

connect the two copies by the obvious p erfect matching

Theorem E is due to Gabb er and Galil building on the basic approach

suggested by Margulis We mention again that the strongly explicit d

p

expanders of achieve the optimal eigenvalue b ound ie d but

there are annoying restrictions on the degree d ie d should b e a prime

congruent to mo dulo and on the graph sizes for which this construction works

This can b e done by considering a regular graph obtained by combining an N cycle with a

random matching of the rst N vertices and the remaining N vertices It is actually easier

to prove the related statement that refers to the alternative denition of combinatorial expansion

that refers to the relative size of S S n S rather than to the relative size of S

G G

G

In this case for a suciently small and all suciently large N a random regular N

vertex graph is expanding with overwhelmingly high probability The pro of pro ceeds by

considering a not necessarily simple graph G obtained by combining three uniformly chosen

p erfect matchings of the elements of N For every S N of size at most N and for every set

T of size jS j we consider the probability that for a random p erfect matching M it holds that

S T The argument is concluded by applying a union b ound

M

In fact for m that is a p ower of two and under a suitable enco ding of the vertices the

neighbors can b e computed by a online algorithm that uses a constant amount of space The

same holds also for a variant in which each vertex hx y i is connected to the vertices hx y y i

hx y y i hx y xi and hx y x i This variant yields a b etter known b ound on

p

ie

The construction in allows graph sizes of the form p p where p mo d is

a prime such that d is a quadratic residue mo dulo p As stated in Sec the construction

k k

can b e extended to graph sizes of the form p p for any k N and p as in the foregoing

APPENDIX E EXPLICIT CONSTRUCTIONS

E The Iterated ZigZag Construction

The starting p oint of the following construction is a very go o d expander G of

constant size which may b e found by an exhaustive search The construction

th

of a large expander graph pro ceeds in iterations where in the i iteration the

current graph G and the xed graph G are combined resulting in a larger graph

i

G The combination step guarantees that the expansion prop erty of G is at

i i

least as go o d as the expansion of G while G maintains the degree of G and

i i i

is a constant times larger than G The pro cess is initiated with G G and

i

terminates when we obtain a graph G of approximately the desired size which

t

requires a logarithmic number of iterations u 1 v 1 6 2

6 2

5 3

5 4 3

4

In this example G is regular and G is a regular graph having six

vertices In the graph G not shown the nd edge of vertex u is

incident at v as its th edge The wide segment line shows one of

the corresp onding edges of G z G which connects the vertices hu i

and hv i

Figure E Detail of the zigzag pro duct of G and G

The ZigZag pro duct The heart of the combination step is a new type of

graph pro duct called ZigZag product This op eration is applicable to any pair

of graphs G D E and G N E provided that G which is typically

larger than G is D regular For simplicity we assume that G is dregular where

typically d D The ZigZag product of G and G denoted G z G is dened as

a graph with vertex set N D and an edge set that includes an edge b etween

th

hu ii N D and hv j i if and only if fi k g f j g E and the k edge incident

th

at u equals the edge incident at v That is hu ii and hv j i are connected in

G z G if there exists a three step sequence consisting of a Gstep from hu ii to

hu k i according to the edge fi k g of G followed by a G step from hu k i to hv i

E EXPANDER GRAPHS

th th

according to the k edge of u in G which is the edge of v and a nal Gstep

from hv i to hv j i according to the edge f j g of G See Figure E as well as

further formalization which follows

Teaching note The following paragraph which provides a formal description of the

zigzag pro duct can b e ignored in rst reading but is useful for more advanced discus

sion

It will b e convenient to represent graphs like G by their edgerotation function

th

denoted R N D N D such that R u i v j if fu v g is the i

th

edge incident at u as well as the j edge incident at v That is R rotates the

pair u i which represents one side of the edge fu v g ie the side incident at

th

u as its i edge resulting in the pair v j which represents the other side of the

th

same edge which is the j edge incident at v For simplicity we assume that

the constantsize dregular graph G D E is edgecolorable with d colors

which in turn yields a natural edgerotation function ie R i j if the

edge fi j g is colored We will denote by E i the vertex reached from i D

by following the edge colored ie E i j i R i j The ZigZag

product of G and G denoted G z G is then dened as a graph with the vertex set

N D and the edgerotation function

hu ii h i hv j i h i if R u E i v E j E

th

That is edges are lab eled by pairs over d and the h i edge out of vertex

th

hu ii N D is incident at the vertex hv j i as its h i edge if R u E i

v E j where indeed E E j j Intuitively based on h i we rst

take a Gstep from hu ii to hu E ii then viewing hu E ii u E i as

a side of an edge of G we rotate it ie we eectively take a G step reaching

def

v j R u E i and nally we take a Gstep from hv j i to hv E j i

Clearly the graph G z G is d regular and has D N vertices The key fact

proved in using techniques as in xE is that the relative eigenvaluevalue

of the zigzag pro duct is upp erb ounded by the sum of the relative eigenvaluevalues

of the two graphs that is G z G G G where denotes the relative

eigenvaluebound of the relevant graph The qualitative fact that G z G is an

expander if b oth G and G are expanders is very intuitive eg consider what

happ ens if G or G is a clique Things are even more intuitive if one considers the

related replacement product of G and G denoted G r G where there is an edge

between hu ii N D and hv j i if and only if either u v and fi j g E or

th th

the i edge incident at u equals the j edge incident at v

The iterated construction The iterated expander construction uses the afore

mentioned zigzag pro duct as well as graph squaring Sp ecically the construc

tion starts with the d regular graph G G D E where D d and

G and pro ceeds in iterations such that G G z G for i t

i

i

Recall that for a suciently large constant d we rst nd a dregular graph G d E

satisfying G by exhaustive search

APPENDIX E EXPLICIT CONSTRUCTIONS

where t is logarithmic in the desired graph size That is in each iteration the cur

rent graph is rst squared and then comp osed with the xed dregular D vertex

graph G via the zigzag pro duct This pro cess maintains the following two invari

ants

i

The graph G is d regular and has D vertices

i

The degree b ound follows from the fact that a zigzag pro duct with a d

regular graph always yields a d regular graph

The relative eigenvaluebound of G is smaller than one half ie G

i i

Here we use the fact that G z G G G which in turn

i i

equals G G Note that graph squaring is used

i

to reduce the relative eigenvalue of G b efore increasing it by zigzag pro duct

i

with G

In order to show that we can actually construct G we show that we can com

i

pute the edgerotation function that corresp ond to its edge set This b oils down

to showing that given the edgerotation function of G we can compute the

i

edgerotation function of G as well as of its zigzag pro duct with G Note

i

that this entire computation amounts to two recursive calls to computations re

garding G and two computations that corresp ond to the constant graph G

i

But since the recursion depth is logarithmic in the size of the nal graph ie

t log jverticesG j the total number of recursive calls is p olynomial in the

t

D

size of the nal graph and thus the entire computation is p olynomial in the size of

the nal graph This suces for the minimal ie mild notion of explicitness

but not for the strong one

The strongly explicit version To achieve a strongly explicit construction we

z G we slightly mo dify the iterative construction Rather than letting G G

i

i

let G G G z G where G G denotes the tensor product of G with

i i i

itself that is if G V E then G G V V E where

E ffhu u i hv v ig fu v g fu v g E g

ie hu u i and hv v i are connected in G G if for i it holds that u is

i

connected to v in G The corresp onding edgerotation function is

i

R hu u i hi i i hv v i hj j i

where R u i v j and R u i v j We still use G G where

as b efore G is dregular and G but here G has D d vertices Using

the fact that tensor pro duct preserves the relative eigenvaluebound while squaring

the degree and the number of vertices we note that the mo died iteration G

i

i i

G G z G yields a d regular graph with D D D vertices and

i i

The reason for the change is that G G will b e d regular since G will b e d regular

i i i

E EXPANDER GRAPHS

that G b ecause G G z G G G Computing the

i i i i

neighbor of a vertex in G b oils down to a constant number of such computations

i

regarding G but due to the tensor pro duct op eration the depth of the recursion

i

is only doublelogarithmic in the size of the nal graph and hence logarithmic in

the length of the description of vertices in this graph

Digest In the rst construction the zigzag pro duct was used b oth in order to

increase the size of the graph and to reduce its degree However as indicated by

the second construction where the tensor pro duct of graphs is the main vehicle

for increasing the size of the graph the primary eect of the zigzag pro duct is

reducing the graphs degree and the increase in the size of the graph is merely a

sideeect In b oth cases graph squaring is used in order to comp ensate for the

mo dest increase in the relative eigenvaluebound caused by the zigzag pro duct In

retrosp ect the second construction is the correct one b ecause it decouples three

dierent eects and uses a natural op eration to obtain each of them Increasing the

size of the graph is obtained by tensor pro duct of graphs which in turn increases

the degree the desired degree reduction is obtained by the zigzag pro duct which

in turn slightly increases the relative eigenvaluebound and graph squaring is used

in order to reduce the relative eigenvaluebound

Stronger b ound regarding the eect of the zigzag pro duct In the fore

going description we relied on the fact proved in that the relative eigenvalue

b ound of the zigzag pro duct is upp erb ounded by the sum of the relative eigenvalue

b ounds of the two graphs ie G z G G G Actually a stronger

upp erb ound is proved in It holds that G z G f G G where

s

y x y x

def

y E f x y

Indeed f x y y x y x y On the other hand for x we have

y x y x

y

f x y which implies

G G

E G z G

Thus G z G G G and it follows that the zigzag

pro duct has a p ositive eigenvaluegap if b oth graphs have p ositive eigenvaluegaps

p

ie G z G if b oth G and G Furthermore if G

then G z G G This fact plays an imp ortant role in the pro of

of Theorem

We mention that this sideeect may actually b e undesired in some applications For example

in Section we would rather not have the graph grow in size but we can tolerate the constant

size blowup caused by zigzag pro duct with a constantsize graph

APPENDIX E EXPLICIT CONSTRUCTIONS

App endix F

Some Omitted Pro ofs

A word of a Gentleman is b etter than a pro of

but since you are not a Gentleman please provide a pro of

Leonid A Levin

The pro ofs presented in this app endix were not included in the main text for a

variety of reasons eg they were deemed to o technical andor outofpace for the

corresp onding lo cation On the other hand since our presentation of these pro ofs

is suciently dierent from the original andor standard presentation we see a

b enet in including these pro ofs in the current b o ok

Summary This app endix contains pro ofs of the following results

PH is reducible to P and in fact to P via randomized Karp

reductions The pro of follows the underlying ideas of Todas orig

inal pro of but the actual presentation is quite dierent

For any integral function f that satises f n f p olyng it

holds that IP f AMO f and AMO f AMf The

pro ofs dier from the original pro ofs provided in and

resp ectively only in secondary details but these details seem sig

nicant

F Proving that PH reduces to #P

Recall that Theorem asserts that PH is Co okreducible to P via determin

istic reductions Here we prove a closely related result also due to Toda

which relaxes the requirement from the reduction allowing it to b e randomized

but uses an oracle to a seemingly weaker class The latter class is denoted P

and is the mo dulo analogue of P Sp ecically a Bo olean function f is

in P if there exists a function g P such that for every x it holds that

APPENDIX F SOME OMITTED PROOFS

f x g x mo d Equivalently f is in P if there exists a search problem

R PC such that f x jR xj mo d where R x fy x y R g Thus for

def

any R PC the set R fx jR xj mo d g is in P The symbol

in the notation P actually represents parity which is merely addition mo dulo

Indeed a notation such as P would have b een more appropriate

Theorem F Every set in PH is reducible to P via a probabilistic polynomial

time reduction Furthermore the reduction is via a manytoone randomized map

ping and it fails with negligible error probability

The pro of follows the underlying ideas of the original pro of but the actual

presentation is quite dierent Alternative pro ofs of Theorem F can b e found

in

Teaching note It is quite easy to prove a nonuniform analogue of Theorem F which

asserts that AC circuits can b e approximated by circuits consisting of an unbounded

parity of conjunctions where each conjunction has p olylogarithmic fanin Turning this

argument into a pro of of Theorem F requires a careful implementation as well as using

transitions of the type presented in Exercise Furthermore such a presentation tends

to obscure the conceptual steps that underly the argument

Pro of Outline The pro of uses three main ingredients The rst ingredient is

the fact that NP is reducible to P via a probabilistic Karpreduction and that

A A

this reduction relativizes ie reduces NP to P for any oracle A The

second ingredient is the fact that errorreduction is available in the current context

of randomized reductions to P resulting in reductions that have exp onentially

vanishing error probability The third ingredient is the extension of the rst

ingredient to which relies on Prop osition as well as on the aforementioned

k

errorreduction These ingredients corresp ond to the three main steps of the pro of

which are outlined next

Step Present a randomized Karpreduction of NP to P

Step Decrease the error probability of the foregoing Karpreduction such that

the error probability b ecomes exp onentially vanishing Such a low error prob

ability is crucial as a starting p oint for the next step

Indeed the relativization requirement presumes that b oth NP and P are each asso

ciated with a class of standard machines that generalizes to a class of corresp onding oracle

machines see comment at Section This presumption holds for b oth classes by virtue

of a deterministic p olynomialtime machine that decide membership in the corresp onding rela

tion that b elongs to PC Alternatively one may use the fact that the aforementioned reduction

is highly structured in the sense that for some p olynomialtime computable predicate this

pjxj

reduction maps x to hx si such that for every nonempty set S f g it holds that

x

Pr jfy S x s y gj mo d

s x

We comment that such an errorreduction is not available in the context of reductions to

unique solution problems This comment is made in view of the similarity b etween the reduction

of NP to P and the reduction of NP to problems of unique solution

F PROVING THAT PH REDUCES TO P

Step Prove that is randomly reducible to P by extending the reduction

of Step while using Step Intuitively for any oracle A the reduction

A A

of Step oers a reduction of NP to P whereas a reduction of A to

A

B having exp onentially vanishing error probability allows reducing P to

B A B P

P or similarly reduce NP to NP Observing that P P

NP

we obtain a randomized Karpreduction of viewed as NP to P

When completing the third step we shall have all the ingredients needed for the

general case of randomly reducing to P for any k We shall nish the

k

pro of by sketching the extension of the case of treated in Step to the general

case of for any k The actual extension is quite cumbersome but the

k

ideas are all present in the case of Furthermore we b elieve that the case of

is of signicant interest p er se

Teaching note The foregoing sketch of Step suggests an abstract treatment that

A B

evolves around denitions such as NP and P We prefer a concrete presentation

that p erforms Step as an extension of Step while using Step This is one

reason for explicitly p erforming Step ie present a randomized Karpreduction of

NP to P We note that Step ie a reduction of NP to P follows immediately

from the NPhardness of deciding unique solution for some relations R PC ie

S where US fx jR xj g Theorem b ecause the promise problem US

R R R

and S fx jR xj g is reducible to R fx jR xj mo d g by the

R

identity mapping However for the sake of selfcontainment and conceptual rightness

we present an alternative pro of

Step a direct pro of for the case of NP As in the pro of of Theorem

we start with any R PC and our goal is reducing S fx jR xj g to P by a

R

randomized Karpreduction The standard way of obtaining such a reduction eg

in consists of just using the reduction to unique solution

that was presented in the pro of of Theorem but we b elieve that this way is

conceptually wrong Let us explain

Recall that the pro of of Theorem consists of implementing a randomized

sieve that has the following prop erty For any x S with noticeable probability

R

a single element of R x passes the sieve and this event can b e detected by an

oracle to a unique solution problem Indeed an adequate oracle in P correctly

detects the case in which a single element of R x passes the sieve However by

denition this oracle correctly detects the more general case in which any o dd

number of elements of R x pass the sieve Thus insisting on a random sieve that

allows the passing of a single element of R x seems an overkill or at least is

conceptually wrong Instead we should just apply a less stringent random sieve

that with noticeable probability al lows the passing of an odd number of elements

As in Theorem if any search problem in PC is reducible to R via a parsimonious reduc

tion then we can reduce S to R Sp ecically we shall show that S is randomly reducible

R R

to R for some R PC and a reduction of S to R follows by using the parsimonious

R

reduction of R to R

APPENDIX F SOME OMITTED PROOFS

of R x The adequate to ol for such a random sieve is a smallbias generator see

Section

Indeed we randomly reduce S to P by sieving p otential solutions via a small

R

bias generator Intuitively we randomly map x to hx si where s is a random seed

for such a generator and y is considered a solution to the instance hx si if and

th

only if y R x and the y bit of Gs equals Indeed if jR xj then with

probability approximately the instance hx si has an o dd number of solutions

whereas if jR xj then hx si has no solutions Sp ecically we use a strongly

k k

ecient generator see x denoted G f g f g where GU has

k

k

bias at most and k expk That is given a seed s f g and index

th

i k we can pro duce the i bit of Gs denoted Gs i in p olynomialtime

pjxj

Assuming without loss of generality that R x f g for some p olynomial

p we consider the relation

def

fhx s i y x y R Gs y g F R

pjxj pjxj O jy j jy j

where y f g and s f g such that jsj In

other words R hx s i fy y R x Gs y g Then for every x

O jy j

S with probability at least a uniformly selected s f g satises

R

O jy j

jR hx s ij mo d whereas for every x S and every s f g it

R

holds that jR hx s ij A key observation is that R PC and thus R is

in P Thus deciding membership in S is randomly reducible to R by the

R

manytoone randomized mapping of x to hx si where s is uniformly selected in

O pjxj

f g Since the foregoing holds for any R PC it follows that NP is

reducible to P via randomized Karpreductions

Dealing with coNP We may Co okreduce coNP to NP and thus prove that

coNP is randomly reducible to P but we wish to highlight the fact that a

randomized Karpreduction will also do Starting with the reduction presented for

the case of sets in NP we note that for S coNP ie S fx R x g we

obtain a relation R such that x S is indicated by jR hx ij mo d We

wish to the parity such that x S will b e indicated by jR hx ij mo d

and this can b e done by augmenting the relation R with a single dummy solution

p er each x For example we may redene R hx si as fy y R hx s ig

pjxj

f g Indeed we have just demonstrated and used the fact that P is closed

under complementation

We note that dealing with the cases of NP and coNP is of interest only b ecause

we reduced these classes to P rather than to P In contrast even a reduction

of to P is of interest and thus the reduction of to P presented in

Step is interesting This reduction relies heavily on the fact that errorreduction

is applicable to the context of randomized Karpreductions to P

Step error reduction An imp ortant observation towards the core of the

pro of is that it is p ossible to drastically decrease the onesided error probability

in randomized Karpreductions to P Sp ecically let R b e as in Eq F and

F PROVING THAT PH REDUCES TO P

t

t b e any p olynomial Then a binary relation R that satises

tjxj

Y

t

jR hx s ij F jR hx s s ij

i

tjxj

i

t

oers such an errorreduction b ecause jR hx s s ij is o dd if and only if

tjxj

for some i tjxj it holds that jR hx s ij is o dd Thus

i

t

jR hx s s ij mo d Pr

s s

tjxj

tjxj

tjxj

Pr jR hx s ij mo d

s

O pjxj

where s s s are uniformly and indep endently distributed in f g

tjxj

pjxj

and p is such that R x f g This means that the onesided error

probability of a randomized reduction of S to R which maps x to hx s i can

R

t

b e drastically decreased by reducing S to R where the reduction maps x to

R

hx s s i Sp ecically an error probability of eg in the case

tjxj

that we desire an o dd outcome ie x S is decreased to error probability

R

t

whereas the zero error probability in the case of a desired even outcome ie

x S is preserved

R

t t

as p ostulated in is in P that is whether R A key question is whether R

Eq F can b e implemented in PC The answer is p ositive and this can b e shown

by using a Cartesian pro duct construction and adding some dummy solutions

t

hx s s i consists of tuples h y y i such that For example let R

tjxj tjxj

pjxj

either and y y or and for every i tjxj

tjxj

pjxj pjxj

it holds that y fgR hx s i f g ie either y or y y

i i i i

i

and y R hx s i

i

i

We wish to stress that when starting with R as in Eq F the forgoing

pro cess of errorreduction can b e used for obtaining error probability that is upp er

b ounded by expq jxj for any desired p olynomial q The imp ortance of this

comment will b ecome clear shortly

Step the case of With the foregoing preliminaries we are now ready to

handle the case of S By Prop osition there exists a p olynomial p and a

pjxj

set S coNP such that S fx y f g st x y S g Using

S coNP we apply the forgoing reduction of S to P as well as an adequate

pjxj

errorreduction that yields an upp erb ound of on the error probability

where is unsp ecied at this p oint For the case of the setting

will do but for the dealing with we will need a much smaller value of

k

Thus for an adequate p olynomial t ie tn pn O pn log we obtain

t

pjxj

a relation R PC such that the following holds for every x and y f g

pjxj p olyjxj

with probability at least over the random choice of s f g

def

t

it holds that x x y S if and only if jR hx s ij is odd

p jx j

Recall that js j tjx j O p jx j where R x f g is the witnessrelation

p jx j

corresp onding to S ie x S if and only if R x f g Thus R hx s i

APPENDIX F SOME OMITTED PROOFS

pjxj

Using a union b ound over all p ossible y f g it follows that with

probability at least over the choice of s it holds that x S if and only if there

t

hx y s ij is odd Now as in the treatment of NP we exists a y such that jR

wish to reduce the latter existential problem to P That is we wish to dene a

relation R PC such that for a randomly selected s the value jR hx s s ij mo d

provides an indication to whether or not x S by indicating whether or not there

t

hx y s i j is o dd Analogously to Eq F consider exists a y such that jR

the binary relation

o n

def

t

hx y s i j mo d Gs y hx s s i y jR I F

t

In other words I hx s s i fy jR hx y s i j mo d Gs y g

Indeed if x S then with probability at least over the random choice of s and

probability at least over the random choice of s it holds that jI hx s s i j is

o dd whereas for every x S and every choice of s it holds that Pr jI hx s s ij

s

Note that for it follows that for every x S we have

jI hx s s i j mo d whereas for every x S Pr

ss

jI hx s s ij mo d Thus jI hx ij mo d we have Pr

ss

provides a randomized indication to whether or not x S but it is not clear

whether I is in PC and in fact I is likely not to b e in PC The key observation

is that there exists R PC such that R I Sp ecically consider

n o

def

t

hx s s i hy z i hx y s i z R Gs y R F

pjxj p olyjxj

where hy z i f g f g That is hy z i is in R hx s s i if

t

hx y s i z R and Gs y Clearly R PC and so it is left to show

that jR hx s s ij jI hx s s ij mo d The claim follows by letting

y z

t

resp the event Gs y resp indicate the event hx y s i z R

y

noting that

jR hx s s ij mo d

y z y z y

jI hx s s ij mo d

y z y z y

t

p jx j tjx jp jx j

f g and R hx s i is a subset of f g Note that since we

started with S coNP the error probability o ccurs on noinstances of S whereas yesinstances

are always accepted However to simplify the exp osition we allow p ossible errors also on yes

instances of S This do es not matter b ecause we will anyhow have an error probability on

yesinstances of S see Footnote

In continuation to Footnote we note that actually if x S then there exists a y such that

t

x y S and consequently for every choice of s it holds that jR hx y s i j is o dd b ecause

the reduction from S co NP to P has zero error on yesinstances Thus for every x S and

s with probability at least over the random choice of s it holds that jI hx s s i j is o dd

S S

b ecause the reduction from S NP to P has nonzero error on yesinstances On the

t

other hand if x S then Pr y jR hx y s ij mo d b ecause for every y it

s

holds that x y S and the reduction from coNP to P has nonzero error on noinstances

Thus for every x S and s it holds that Pr jI hx s s ij b ecause the reduction

s

S S

from S NP to P has zero error on noinstances To sumup the combined reduction has

twosided error b ecause each of the two reductions introduces an error in a dierent direction

F PROVING THAT IP F AMO F AMF

and using the equivalence of the two corresp onding Bo olean expressions Thus S is

randomly Karpreducible to R P by the manytoone randomized mapping

O pjxj p olyjxj

of x to hx s s i where s s is uniformly selected in f g f g

Since this holds for any S we conclude that is randomly Karpreducible

to P

Again errorreduction may b e applied to this reduction of to P such

that the resulting reduction can b e used for dealing with viewed as NP A

technical diculty arises since the foregoing reduction has twosided error proba

bility where one type or side of error is due to the error in the reduction of

t

which o ccurs on noinstances of S and the second type S coNP to R

or side of error is due to the new reduction of S to R and o ccurs on the

yesinstances of S However the error probability in the rst reduction is or can

b e made very small and thus can b e ignored when applying errorreduction to the

second reduction See following comments

The general case First note that as in the case of coNP we can obtain

a similar reduction to P for sets in co It remains to extend the

treatment of to for every k Indeed we show how to reduce to

k k

P by using a reduction of or rather to P Sp ecically S

k k k

is treated by considering a p olynomial p and a set S such that S fx

k

pjxj

y f g st x y S g Relying on the treatment of we use a

k

t

k

relation R such that with overwhelmingly high probability over the choice of

k

t

k

s the value jR hx y s ij mo d indicates whether or not x y S Using

k

the ideas underlies the treatment of NP and we check whether there exists

t

k

pjxj

y f g such that jR hx y s i j mo d This yields a relation

k

R such that for random s s the value jR hx s s ij mo d indicates whether

k k

or not x S Finally we apply error reduction while ignoring the probability that

t

k

s is bad and obtain the desired relation R

k

We comment that the foregoing inductive pro cess should b e implemented with

some care Sp ecically if we wish to upp erb ound the error probability in the

t

k

reduction of S to R by then the error probability in the reduction

k

k

t

k

pjxj

of S to R should b e upp erb ounded by and t should b e

k k k

k

set accordingly Thus the pro of that PH is randomly reducible to P actually

pro ceed top down at least partially that is starting with an arbitrary S

k

we rst determine the auxiliary sets as p er Prop osition as well as the error

b ounds that should b e proved for the reductions of these sets which reside in lower

levels of PH and only then we establish the existence of such reductions Indeed

this latter and main step is done b ottom up using the reduction to P of

th st

the set in the i level when reducing to P the set in the i level

F Proving that IP (f ) AM(O (f )) AM(f )

Using the notations presented in x we restate two results mentioned there

APPENDIX F SOME OMITTED PROOFS

Theorem F roundecient emulation of IP by AM Let f N N be a

polynomially bounded function Then IP f AMf

We comment that in light of the following linear sp eedup in roundcomplexity for

AM it suces to establish IP f AMO f

Theorem F linear sp eedup for AM Let f N N be a polynomially bounded

function Then AMf AMf

Combining these two theorems we obtain a linear sp eedup for IP that is for any

p olynomially b ounded f N N n fg it holds that IP O f AMf

IP f In this app endix we prove b oth theorems

Note The pro of of Theorem F relies on the fact that for every f error

reduction is p ossible for IP f Sp ecically errorreduction can b e obtained via

parallel rep etitions see Ap dx C We mention that errorreduction in the

context of AMf is implicit also in the pro of of Theorem F and is explicit in

the original pro of of

F Emulating general interactive pro ofs by AMgames

In this section we prove Theorem F Our pro of diers from the original pro of of

Goldwasser and Sipser only in the conceptualization and implementation of

the iterative emulation pro cess

F Overview

Our aim is to transform a general interactive pro of system P V into a public

coin interactive pro of system for the same set Supp ose without loss of generality

that P constitutes an optimal prover with resp ect to V ie P maximizes the

acceptance probability of V on any input Then for any yesinstance x the set

A of coin sequences that make V accept when interacting with this optimal prover

x

contains all p ossible outcomes whereas for a noinstance x of equal length the set

A is signicantly smaller The basic idea is having a publiccoin system in which

x

on common input x the prover proves to the verier that the said set A is big

x

Such a pro of system can b e constructed using ideas as in the case of approximate

counting see the pro of of Theorem while replacing the NPoracle with a

prover that is required to prove the correctness of its answers Implementing this

idea requires taking a closer lo ok at the set of coin sequences that make V accept

an input

A very restricted case Let us rst demonstrate the implementation of the

foregoing approach by considering a restricted type of twomessage interactive pro of

systems Recall that in a twomessage interactive pro of system the verier denoted

V sends a single message based on the common input and its internal coin tosses

to which the prover denoted P resp onds with a single message and then V decides

F PROVING THAT IP F AMO F AMF

whether to accept or reject the input We further restrict our attention by assuming

that each possible message of V is equally likely and that the number of possible

V messages is easy to determine from the input Thus on input x the verier V

tosses jxj coins and sends one out of N N x p ossible messages Note that

if x is a yesinstance then for each p ossible V message there exists a P resp onse that

is accepted by the N corresp onding coin sequences of V ie the coin sequences

that lead V to send this V message On the other hand if x is a noinstance

then in exp ectation for a uniformly selected V message the optimal P resp onse

is accepted by a signicantly smaller number of corresp onding coin sequences We

now show how such an interactive pro of system can b e emulated by a publiccoin

system

In the publiccoin system on input x the prover will attempt to prove that

for each p ossible V message in the original system there exists a resp onse by

the original prover that is accepted by N corresp onding coin sequences of V

Recall that N N x and jxj are easily determined by b oth parties and

so if the foregoing claim holds then x must b e a yesinstance The new interaction

itself pro ceeds as follows First the verier selects uniformly a coin sequence for

V denoted r and sends it to the prover The coin sequence r determines a V

message denoted Next the prover sends back an adequate P message denoted

and interactively proves to the verier that would have b een accepted by

N p ossible coin sequences of V that corresp ond to the V message ie

should b e accepted not only by r but rather by the N coin sequences of V that

corresp ond to the V message The latter interactive pro of follows the idea of

the pro of of Theorem The verier applies a random sieve that lets only a

N fraction of the elements pass and the prover shows that some adequate

sequence of V coins has passed this sieve by merely presenting such a sequence

We stress that the foregoing interaction and in particular the random sieve can

b e implemented in the publiccoin mo del

Waiving one restriction Next we waive the restriction that the number of

p ossible V messages is easy to determine from the input but still assume that

all p ossible V messages are equally likely In this case the prover should provide

the number N of p ossible V messages and should prove that indeed there exist at

least N p ossible V messages and that as in the prior case for each V message

there exists a P resp onse that is accepted by N corresp onding coin sequences

of V That is the prover should prove that for at least N p ossible V messages

there exists a P resp onse that is accepted by N corresp onding coin sequences

of V This calls for a double or rather nested application of the aforementioned

lowerbound proto col That is rst the parties apply a random sieve to the set

of p ossible V messages such that only a N fraction of these messages pass and

next the parties apply a random sieve to the set coin sequences that t a passing

V message such that only a N fraction of these sequences pass

Indeed the verier can easily check whether a coin sequence r passes the sieve as well as ts

the initial message and would have made V accept when the prover resp onds with ie V

would have accepted the input on coins r when receiving the prover message

APPENDIX F SOME OMITTED PROOFS

The general case of IP Treating general twomessage interactive pro ofs re

quires waiving also the restriction that all p ossible V messages are equally likely In

this case the prover may cluster the V messages into few say clusters such that

the messages in each cluster are sent by V with roughly the same probability say

up to a factor of two Then fo cusing on the cluster having the largest probability

weight the prover can pro ceed as in the previous case ie send i and claim that

i

there are p ossible V messages that are each supp orted by coin sequences

This has a p otential of cutting the probabilistic gap b etween yesinstances and

noinstances by a factor related to the number of clusters times the approximation

level within clusters eg a factor of O but this loss is negligible in comparison

to the initial gap which can b e obtained via errorreduction

Dealing with all levels of IP So far we only dealt with twomessage systems

ie IP We shall see that the general case of IP f can b e dealt by recursion

or rather by iterations where each level of recursion resp each iteration is

analogous to the general case of IP Recall that our treatment of the case

of IP b oils down to selecting a random V message and having the prover

send a P resp onse and prove that is acceptable by many V coins In other

words the prover should prove that in the conditional probability space dened

by a V message the original verier V accepts with high probability In the

general case of IP f the latter claim refers to the probability of accepting in

the residual interaction which consists of f messages and thus the very same

proto col can b e applied iteratively until we get to the last message which is dealt

as in the case of IP The only problem is that in the residual interactions it

may not b e easy for the verier to select a random V message as done in the very

restricted case However as already done when waiving the rst restriction the

the verier can b e assisted by the prover while making sure that it is not b eing

fo oled by the prover This pro cess is made explicit in xF where we dene an

adequate notion of a random selection proto col which need to b e implemented in

the publiccoin mo del For simplicity we may consider the problem of uniformly

selecting a sequence of coins in the corresp onding residual probability space

b ecause such a sequence determines the desired random V message

F Random selection

Various types of random selection proto cols have app eared in the literature see

eg Sec The common theme in these proto cols is that they allow

for a probabilistic p olynomialtime player called the verier to sample a set

denoted S f g while b eing assisted by a second player called the prover

that is p owerful but not trustworthy These nicknames t the common conventions

regarding interactive pro ofs and are further justied by the typical applications of

such proto cols as subroutines within an interactive pro of system where indeed the

The loss is due to the fact that the distribution of probability weights may not b e identical

on all instances For example in one case eg of some yesinstance all clusters may have equal

weight and thus a corresp onding factor is lost while in another case eg of some noinstance

all the probability mass may b e concentrated in a single cluster

F PROVING THAT IP F AMO F AMF

rst party is played by the higherlevel verier while the second party is played by

the higherlevel prover The various types of random selection proto cols dier by

what is known ab out the set S and what is required from the proto col

Here we will assume that the verier is given a parameter N which is supp osed

to equal jS j and the p erformance guarantee of the proto col will b e meaningful

only for sets of size at most N We seek a constantround preferably twomessage

publiccoin proto col for this setting such that the following two conditions hold

with resp ect to a security parameter p oly

If b oth players follow the proto col and N jS j then the veriers output is

close to the uniform distribution over S Furthermore the verier always

outputs an element of S

For any set S f g if the verier follows the proto col then no matter

how the prover b ehaves the veriers output resides in S with probability

at most p oly jS jN

Indeed the second prop erty is meaningful only for sets S having size that is sig

nicantly smaller than N We shall b e using such a proto col while setting to b e

a constant say

A threemessage publiccoin proto col that satises the foregoing prop erties can

b e obtained by using the ideas that underly Construction Sp ecically we

set m max log N O log in order to guarantee that if jS j N then

m

with overwhelmingly high probability each of the cells dened by a uniformly

m

selected hashing function contains jS j elements of S In the proto col

the prover arbitrarily selects a good hashing function ie one dening such a go o d

partition of S and sends it to the verier which answers with a uniformly selected

cell to which the prover responds with a uniformly selected element of S that resides

in this cell

We stress that the foregoing proto col is indeed in the publiccoin mo del and

comment that the fact that it uses three messages rather than two will have a

minor eect on our application see xF Indeed this proto col satises the

two foregoing prop erties In particular the second prop erty follows b ecause for

is every p ossible hashing function the fraction of cells containing an element of S

m

at most jS j which is upp erb ounded by p oly jS jN

We mention that the foregoing proto col is but one out of several p ossible implementations of

the ideas that underly Construction Firstly note that an alternative implementation may

designate the task of selecting a hashing function to the verier who may do so by selecting a

function at random Although this seems more natural it actually oers no advantage with resp ect

to the soundnesslike prop erty ie the second prop erty Furthermore in this case it may

happ en rarely that the hashing function selected by the verier is not go o d and consequently

the furthermore clause of the rst prop erty ie requiring that the output always resides in

S is not satised Secondly recall that in the foregoing proto col the last step consists of the

prover selecting a random element of S that resides in the selected by the verier cell An

alternative implementation may replace this step by two steps such that rst the prover sends a

m

list of N elements of S that resides in the said cell and then the verier outputs a

uniformly selected element of this list This alternative yields an improvement in the soundness

like prop erty ie the veriers output resides in S with probability at most jS jN but

requires an additional message which we prefer to avoid although this not that crucial

APPENDIX F SOME OMITTED PROOFS

F The iterated partition proto col

Using the random selection proto col of xF we now present a publiccoin

emulation of an arbitrary interactive pro of system P V We start with some

notations

Fixing any input x to P V we denote by t tjxj the number of pairs

of messages exchanged in the corresp onding interaction while assuming that the

verier takes the rst move in P V We denote by jxj the number of coins

tossed by V and assume that t Recall that we assume that P is an optimal

prover with resp ect to V and that without loss of generality P is deterministic

Let us denote by hP V r ix the full transcript of the interaction of P and V

on input x when V uses coins r that is hP V r ix if

t t

V x r f g is V s nal verdict and for every i t it holds

t

that V x r and P x For any partial transcript

i i i i

ending with a Pmessage we denote by ACC the

i i x

set of coin sequences that are consistent with the partial transcript and lead V

to accept x when interacting with P that is r ACC if and only if for some

x

tip olyjxj

f g it holds that hP V r ix

i i

The same notation is also used for a partial transcript ending with a Vmessage

that is r ACC if and only if hP V r i x

x i i

for some

Motivation By suitable error reduction we may assume that P V has sound

t

ness error jxj that is smaller than p oly Thus for any yesinstance x it

holds that jACC j whereas for any noinstance x it holds that jACC j

x x

Indeed the gap b etween the initial set sizes is huge and we can maintain a

gap b etween the sizes of the corresp onding residual sets ie ACC

x i

provided that we lose at most a factor of p oly p er each round The key ob

servations is that for any partial transcript it holds

i i

that

X

jACC j jACC j F

x x

whereas jACC j max fjACC jg Clearly we can prove that jACC j

x x x

is big by providing an adequate and proving that jACC j is big Likewise

x

P

jACC j is proving that jACC j is big reduces to proving that the sum

x x

big The problem is that this sum may contain exp onentially many terms and so we

cannot even aord reading the value of each of these terms As hinted in xF

th

we may cluster these terms into clusters such that the j cluster contains sets of

j j j

cardinality approximately ie s such that jACC j One

x

of these clusters must account for a fraction of the claimed size of jACC j

x

We note if the prover takes the rst move in P V then its rst message can b e emulated

with no cost in the number of rounds

Furthermore we cannot aord verifying more than a single claim regarding the value of one

of these terms b ecause examining at least two values p er round will yield an exp onential blowup

ie time complexity that is exp onential in the number of rounds

F PROVING THAT IP F AMO F AMF

and so we fo cus on this cluster that is the prover we construct will identify a suit

able j ie such that there are at least jACC j elements in the sets of the

x

th j

j cluster and prove that there are at least N jACC j sets ie

x

j

ACC s each of size at least Note that this establishes that jACC j

x x

j

is bigger than N jACC jO which means that we lost a factor of O

x

of the size of ACC But as stated previously we may aord such a lost

x

Before we turn to the actual proto col let us discuss the metho d of proving that

j

that there are at least N sets ie ACC s each of size at least This

x

claim is proved by employing the random selection proto col while setting the size

parameter to N with the goal of selecting such a set or rather its index If

indeed N such sets exists then the rst prop erty of the proto col guarantees that

such a set is always chosen and we will pro ceed to the next iteration with this set

j

which has size at least and so we should b e able to establish a corresp onding

lowerbound there Thus entering the current iteration with a valid claim we

pro ceed to the next iteration with a new valid claim On the other hand supp ose

j

that jACC j N Then the second prop erty of the proto col implies that

x

with probability at least t the selected is such that jACC j

x

j

p oly jACC jN whereas at the next iteration we will need to prove

x

j

that the selected set has size at least Thus entering the current iteration with

a false claim that is wrong by a factor F p oly with probability at least

t we pro ceed to the next iteration with a false claim that is wrong by a

factor of at least F p oly

We note that although the foregoing motivational discussion refers to proving

lowerbounds on various set sizes the actual implementation refers to randomly

selecting elements in such sets If the sets are smaller than claimed the selected

elements are likely to reside outside these sets which will b e eventually detected

Construction F the actual proto col On common input x the tmessage

interaction of P and V is quasiemulated in t iterations where t tjxj The

th

i iteration starts with a partial transcript and a

i i i

claimed bound M where in the rst iteration is the empty sequence and

i

th

M The i iteration proceeds as fol lows

j

The prover determines an index j such that the cluster C f

j

def

j j

jACC j g has size at least N M and sends j

x i i

to the verier Note that if jACC j M then such a j exists

x i i

The prover invokes the random selection protocol with size parameter N in

order to select C where for simplicity we assume that C f g

j j

Recall that this publiccoin protocol involves three messages with the rst and

last message being sent by the prover Let us denote the outcome of this

protocol by

i

For a loss factor L p oly consider the set S f jACC j L jACC jN g

x x

Then jS j N L and it follows that an element in S is selected with probability at most

p oly L which is upp erb ounded by t when using a suitable choice of L

APPENDIX F SOME OMITTED PROOFS

The prover determines such that ACC ACC and

i x i i i x i i

sends to the verier

i

j

Towards the next iteration M and

i i i i i i i

After the last iteration the prover invokes the random selection protocol with size

parameter N M in order to select r ACC Upon obtain

t x t t

ing this r the verier accepts if and only if V x r and for every

t

i t it holds that V x r where the s and s are as

i i i i

determined in the foregoing iterations

Note that the three steps of each iteration involve a single message by the public

coin verier and thus the foregoing proto col can b e implemented using t

messages

Clearly if x is a yesinstance then the prover can make the verier accept

with probability one b ecause an adequately large cluster exists at each iteration

and the random selection proto col guarantees that the selected will reside in this

i

cluster On the other hand if x is a noinstance then by using the low soundness

error of P V we can establish the soundness of Construction F This is proved

in the fol lowing claim which refers to a polynomial p that is suciently large

t

Prop osition F Suppose that jACC j where p Then

x

the verier of Construction F accepts x with probability smal ler than

Pro of Sketch We rst prove that for every i t if jACC j

x i

ti

M then with probability at least t it holds that jACC j

i x i

ti

M Fixing any i let j b e the value selected by the prover in Step of

i

ti j

iteration i and dene S f jACC j g Then

x i

ti j ti

jS j jACC j M

x i i

j

where the second inequality represents the claims hypothesis Letting N M

i

as in Step of this iteration it follows that jS j N By the second prop

erty of the random selection proto col invoked in Step of this iteration with size

parameter N it follows that

jS j

p oly Pr S p oly

i

N

which is smaller than t provided that the p olynomial p that determines

p is suciently large Thus with probability at least t it holds that

ti j

jACC j The claim regarding jACC j follows by recalling

x i i x i

j

that M in Step and that for every it holds that jACC j

i x i i

jACC j

x i i

Alternatively we may mo dify P V by adding a last V message in which V sends its internal

coin tosses ie r In this case the additional invocation of the random selection proto col o ccurs

st

as a sp ecial case of handling the added t iteration

Thus at the last invocation of the random selection proto col the verier always obtains

r ACC and accepts

x t

F PROVING THAT IP F AMO F AMF

t

Using the hypothesis jACC j M and the foregoing claim it follows

x

that with probability at least the execution of the aforementioned t iterations

yields values and M such that jACC j M In this case the last invoca

t t x t t

tion of the random selection proto col invoked with size parameter M pro duces an

t

element of ACC with probability at most p oly and otherwise the

x t

verier rejects b ecause the conditions that the verier checks regarding the output

r of the random selection proto col are logically equivalent to r ACC The

x t

prop osition follows

F Linear sp eedup for AM

In this section we prove Theorem F Our pro of diers from the original pro of of

Babai and Moran in the way we analyze the basic switch of MA to AM

We adopt the standard terminology of publiccoin aka ArthurMerlin inter

active pro of systems where the verier is called Arthur and the prover is called

Merlin More imp ortantly we view the execution of such a pro of system on any

xed common input x as a fullinformation game indexed by x b etween an

honest Arthur and p owerful Merlin These parties alternate in taking moves such

that Arthur takes random moves and Merlin takes optimal moves with resp ect to

a xed p olynomialtime computable predicate v that is evaluated on the ful l

x

transcript of the games execution We stress that in contrast to general inter

active pro of systems each of Arthurs moves is uniformly distributed in a set of

p ossible values that is predetermined indep endently of prior moves eg the set

jxj

f g The value of the game is dened as the exp ected value of an execution

of the game where the exp ectation is taken over Arthurs moves and Merlins

moves are assumed to b e optimal

We shall assume without loss of generality that all messages of Arthur are

of the same length denoted jxj Similarly each of Merlins messages is of

length m mjxj

Recall that AM AM denotes a twomessage system in which Arthur

moves rst and do es not toss coins after receiving Merlins answer whereas MA

AM denotes a onemessage system in which Merlin sends a single message and

Arthur tosses additional coins after receiving this message Thus b oth AM and

MA are viewed as twomove games and dier in the order in which the two parties

take these moves As we shall shortly see in xF the MA order can b e

emulated by the AM order ie MA AM This fact will b e the basis of the

round sp eedup transformation presented in xF

F The basic switch from MA to AM

The basic idea is transforming an MAgame ie a twomove game in which Merlin

moves rst and Arthur follows into an AMgame in which Arthur moves rst and

Merlin follows In the original game on input x rst Merlin sends a message

m

f g then Arthur resp onds with a random f g and Arthurs verdict

ie the value of this execution of the game is given by v f g In the

x

new game see Figure F the order of these moves will b e switched but to limit

APPENDIX F SOME OMITTED PROOFS

Merlins p otential gain from the switch we require it to provide a single answer

that should t several random messages of Arthur That is for a parameter t to

t t

b e sp ecied rst Arthur send a random sequence f g then

m

Merlin resp onds with a string f g and Arthur accepts if and only if for

i

every i f tg it holds that v ie the value of this transcript of

x

Q

t

i

the new game is dened as v Intuitively Merlin gets the advantage

x

i

of choosing its move after seeing Arthurs moves but Merlins choice must t the

t choices of Arthurs move which leaves Merlin with little gain if t is suciently large

The original MA game The new AM game

Merlin Arthur Merlin Arthur β α(1). . . α (t)

α β

The value of the transcript of the original MAgame is given

t

by v whereas the value of the transcript of

x

Q

t

i

the new AMgame is given by v

x

i

Figure F The transformation of an MAgame into an AMgame

of the new game where Recall that the value v of the transcript

x

Q

t

i t

v Thus the value of the new game is is dened as

x

i

dened as

t

Y

i

v max F E

x

i

which is upp erb ounded by

t

X

i

max E v F

x

t

i

Note that the upp erb ound provided in Eq F is tight in the case that the value

of the original MAgame equals one ie if x is a yesinstance and that in this case

the value of the new game is one b ecause in this case there exists a move such

that v holds for every However the interesting case where Merlin

x

may gain something by the switch is when the value of the original MAgame is

strictly smaller than one ie when x is a noinstance The main observation is

that for a suitable choice of t it is highly improbable that Merlins gain from the

switch is signicant

Recall that in the original MAgame Merlin selects obliviously of Arthurs

choice of and thus Merlins prot ie the value of the game is represented

by max fE v g In the new AMgame Merlin selects based on the

x

F PROVING THAT IP F AMO F AMF

chosen by Arthur and we have upp erb ounded its prot in the new sequence

AMgame by Eq F Merlins gain from the switch is thus the excess prot of

the new AMgame as compared to the original MAgame We upp erb ound the

probability that Merlins gain from the switch exceeds a parameter denoted as

follows

t

X

def

i

max Pr p v maxfE v g

t

x x x

t

i

t

X

i m

v E v f g st Pr

t

x x

t

i

m

exp t

where the last inequality is due to combining the Union Bound with the Cherno

Bound Denoting by V max fE v g the value of the original game

x x

we upp erb ound Eq F by p V Using t O m k we have

x x

k

p and thus

x

t

X

def

i k

v maxfE v g F E V max

x x

x

t

i

Needless to say Eq F is lowerbounded by V since Merlin may just use the

x

k

optimal move of the MAgame In particular using and assuming

that V we obtain V Thus starting from an MA pro of system for

x

x

some set we obtain an AM pro of system for the same set that is we just proved

that MA AM

Extension We note that the foregoing transformation as well as its analysis

do es not refer to the fact that v is eciently computable from Fur

x

thermore the analysis remain valid for arbitrary v b ecause for any

x

Q Q P

t t t

t

v v it holds that v v v t Thus we may

t i i i

i i i

apply the foregoing transformation to any two consecutive MerlinArthur moves

in any publiccoin interactive pro of provided that all the subsequent moves are

i

p erformed in t copies where each copy corresp onds to a dierent used in the

th

switch That is if the j move is by Merlin then we can switch the players in the

th t

j and j moves by letting Arthur take the j move sending fol

lowed by Merlins move answering Subsequent moves will b e played in t copies

th i

such that the i copy corresp onds to the moves and The value of the new

k

game may increase by at most and so we obtain an equivalent

game with the two steps switched Schematically acting on the middle MA in

j j j j

AAMMA by AM AMA MA dicated in b old font we can replace AM

which in turn allows the collapse of two consecutive Amoves and two consec

utive Mmoves if j In particular using only the case j we get

j j

AMA AMA AMA AM Thus for any constant f we get

AMf AM

APPENDIX F SOME OMITTED PROOFS

We stress that the foregoing switching pro cess can b e applied only a constant

number of times b ecause each time we apply the switch the length of messages

increases by a factor of t m Thus a dierent approach is required to deal

with a nonconstant number of messages ie unbounded function f

j j

F The augmented switch from M AM A to AM A A

Sequential applications of the MAtoAM switch allows for reducing the number

of rounds by any additive constant However each time this switch is applied

all subsequent moves are p erformed t times in parallel That is the MAto

AM switch splits the rest of the game to t indep endent copies and thus this

switch cannot b e p erformed more than a constant number of times Fortunately

Eq F suggests a way of shrinking the game back to a single copy just have

th

Arthur select i t uniformly and have the parties continue with the i copy In

order to avoid introducing an ArthurMerlin alternation the extra move of Arthur

is p ostp one to after the following move of Merlin see Figure F Schematically

indicating the action by b old font we replace MAMA by AMMAAAMA

rather than replacing MAMA by AMAMA and obtaining no reduction in the

number of movealternations

The MAMA game The AMA game

Merlin Arthur Merlin Arthur (1) (t) β1 α1 . . .α1

α1 β1 (1) (t) β2 β 2 β2 i

α2 α2

The value of the transcript of the original MAMA

game is given by v whereas the value of the tran

x

t t

i of the new AMAgame script

i i

is given by v

x

Figure F The transformation of MAMA into AMA

The value of game obtained via the aforementioned augmented switch is given

by Eq F which can b e written as

i

E g maxfE v

t

x

it

Indeed the relaxed form of Eq F plays a crucial role here in contrast to Eq F

F PROVING THAT IP F AMO F AMF

k

which in turn is upp erb ounded in Eq F by max fE v g

x

As in xF the argument applies to any two consecutive MerlinArthur moves

in any publiccoin interactive pro of Recall that in order to avoid the introduc

tion of an extra Arthur move we actually p ostp one the last move of Arthur to

after the next move of Merlin Thus we may apply the augmented switch to the

rst two moves in any blo ck of four consecutive moves that start with a Merlin

move transforming the schematic sequence MAMA into AMMAAAMA see Fig

ure F The key p oint is that the moves that take place after the said block

remain intact Hence we may apply the augmented MAtoAM switch which

is actually an MAMAtoAMA switch concurrently to disjoint segments of the

j j j

game Schematically we can replace MAMA by AMA AMA Note that

k

Merlins gain from each such switch is upp erb ounded by but selecting

e

t O f jxj mjxj p oly jxj allows to upp erb ound the total gain by a con

k

stant using say f jxj We thus obtain AMf AMf

and Theorem F follows

APPENDIX F SOME OMITTED PROOFS

App endix G

Some Computational

Problems

Although we view sp ecic natural computational problems as secondary to nat

ural complexity classes we do use the former for clarication and illustration of

the latter This app endix provides denitions of such computational problems

group ed according to the type of ob jects to which they refer eg graphs Bo olean

formula etc

We start by addressing the central issue of the representation of the various

ob jects that are referred to in the aforementioned computational problems The

general principle is that elements of all sets are compactly represented as binary

strings without much redundancy For example the elements of a nite set S

eg the set of vertices in a graph or the set of variables app earing in a Bo olean

formula will b e represented as binary strings of length log jS j

G Graphs

Graph theory has long b ecome recognized as one of the more

useful mathematical sub jects for the computer science student to

master The approach which is natural in computer science is the

algorithmic one our interest is not so much in existence pro ofs or

enumeration techniques as it is in nding ecient algorithms for

solving relevant problems or alternatively showing evidence that

no such algorithms exist Although algorithmic graph theory was

started by Euler if not earlier its development in the last ten

years has b een dramatic and revolutionary

Shimon Even Graph Algorithms

A simple graph G V E consists of a nite set of vertices V and a nite set of

edges E where each edge is an unordered pair of vertices that is E ffu v g

APPENDIX G SOME COMPUTATIONAL PROBLEMS

u v V u v g This formalism do es not allow selflo ops and parallel edges which

are allowed in general ie nonsimple graphs where E is a multiset that may

contain in addition to twoelement subsets of V also singletons ie selflo ops

The vertex u is called an endp oint of the edge fu v g and the edge fu v g is said

to b e incident at v In such a case we say that u and v are adjacent in the graph

and that u is a neighb or of v The degree of a vertex in G is dened as the number

of edges that are incident at this vertex

We will consider various substructures of graphs the simplest one b eing paths

A path in a graph G V E is a sequence of vertices v v such that for every

def

i f g it holds that v and v are adjacent in G Such a path is said

i i

to have length A simple path is a path in which each vertex app ears at most

once which implies that the longest p ossible simple path in G has length jV j

The graph is called connected if there exists a path b etween each pair of vertices

in it

A cycle is a path in which the last vertex equals the rst one ie v v

The cycle v v is called simple if and jfv v gj ie if v v

i j

then i j mo d and the cycle u v u is not considered simple A graph is

called acyclic or a forest if it has no simple cycles and if it is also connected then

it is called a tree Note that G V E is a tree if and only if it is connected and

jE j jV j and that there is a unique simple path b etween each pair of vertices

in a tree

A subgraph of the graph G V E is any graph G V E satisfying V V

and E E Note that a simple cycle in G is a connected subgraph of G in which

each vertex has degree exactly two An induced subgraph of the graph G V E

is any subgraph G V E that contain all edges of E that are contained in V

In such a case we say that G is the subgraph induced by V

Directed graphs We will also consider simple directed graphs aka digraphs

where edges are ordered pairs of vertices In this case the set of edges is a subset

of V V n fv v v V g and the edges u v and v u are called antiparallel

General ie nonsimple directed graphs are dened analogously The edge u v

is viewed as going from u to v and thus is called an outgoing edge of u resp

incoming edge of v The outdegree resp indegree of a vertex is the number of

its outgoing edges resp incoming edges Directed paths and the related ob jects

are dened analogously for example v v is a directed path if for every i

it holds that v v is a directed edge which is directed from v to v It is

i i i i

common to consider also a pair of antiparallel edges as a simple directed cycle

A directed acyclic graph DAG is a digraph that has no directed cycles Every

DAG has at least one vertex having outdegree resp indegree zero called a sink

resp a source A simple directed acyclic graph G V E is called an inward

resp outward directed tree if jE j jV j and there exists a unique vertex

called the ro ot having outdegree resp indegree zero Note that each vertex

in an inward resp outward directed tree can reach the ro ot resp is reachable

from the ro ot by a unique directed path

Note that in any DAG there is a directed path from each vertex v to some sink resp from

G GRAPHS

Representation Graphs are commonly represented by their adjacency matrix

andor their incidence lists The adjacency matrix of a simple graph G V E is a

jV jbyjV j Bo olean matrix in which the i j th entry equals if and only if i and

j are adjacent in G The incidence list representation of G consists of jV j sequences

th

such that the i sequence is an ordered list of the set of edges incident at vertex i

Computational problems Simple computational problems regarding graphs

include determining whether a given graph is connected andor acyclic and nd

ing shortest paths in a given graph Another simple problem is determining whether

a given graph is bipartite where a graph G V E is bipartite or colorable if

there exists a coloring of its vertices that do es not assign neighboring vertices the

same color All these problems are easily solvable by BFS

Moving to more complicated tasks that are still solvable in p olynomialtime we

mention the problem of nding a p erfect matching or a maximum matching in a

given graph where a matching is a subgraph in which all vertices have degree a

p erfect matching is a matching that contains all the graphs vertices and a maximum

matching is a matching of maximum cardinality among all matching of the said

graph

Turning to seemingly hard problems we mention that the problem of deter

mining whether a given graph is colorable ie GC is NPcomplete A few

additional NPcomplete problems follow

A Hamiltonian path resp Hamiltonian cycle in the graph G V E is a

simple path resp cycle that passes through all the vertices of G Such a

path resp cycle has length jV j resp jV j The problem is to determine

whether a given graph contains a Hamiltonian path resp cycle

An indep endent set resp clique of the graph G V E is a set of vertices

V V such that the subgraph induced by V contains no edges resp

contains all p ossible edges The problem is to determine whether a given

graph has an indep endent set resp a clique of a given size

A vertex cover of the graph G V E is a set of vertices V V such that

each edge in E has at least one endp oint in V Note that V is a vertex

cover of G if and only if V n V is an indep endent set of V

A natural computational problem which is b elieved to b e neither in P nor NP

complete is the graph isomorphism problem The input consists of two graphs

G V E and G V E and the question is whether there exist a and

onto mapping V V such that fu v g is in E if and only if fu v g is in

E Such a mapping is called an isomorphism

some source to each vertex v In an inward resp outward directed tree this sink resp source

must b e unique The condition jE j jV j enforces the uniqueness of these paths b ecause

combined with the reachability condition it implies that the underlying graph obtained by

disregarding the orientation of the edges is a tree

APPENDIX G SOME COMPUTATIONAL PROBLEMS

G Bo olean Formulae

In x Bo olean formulae are dened as a sp ecial case of Bo olean circuits

x Here we take the more traditional approach and dene Bo olean for

mulae as structured sequences over an alphab et consisting of variable names and

various connectives It is most convenient to dene Bo olean formulae recursively

as follows

A variable is a Bo olean formula

If are Bo olean formulae and is a tary Bo olean op eration then

t

is a Bo olean formula

t

Typically we consider three Bo olean op erations the unary op eration of negation

denoted neg or and the b ounded or unbounded conjunction and disjunction

denoted and resp ectively Furthermore the convention is to shorthand

t

by and to write or instead of and similarly

i t t

i

for

Two imp ortant sp ecial cases of Bo olean formulae are CNF and DNF formulae

A CNF formula is a conjunction of disjunctions of variables andor their negation

t

t

i

where each is either that is is a CNF if each has the form

ij ij i i

i

j

a variable or a negation of a variable and is called a literal If for every i it holds

that t then we say that the formula is a CNF Similarly DNF formulae are

i

dened as disjunctions of conjunctions of literals

The value of a Bo olean formula under a truth assignment to its variables is

t

dened recursively along its structure For example has the value true

i

i

under an assignment if and only if every has the value true under We say

i

that a formula is satisable if there exists a truth assignment to its variables

such that the value of under is true

The set of satisable CNF resp CNF formulae is denoted SAT resp SAT

and the problem of deciding membership in it is NPcomplete The set of tau

tologies ie formula that have the value true under any assignment is coNP

complete even when restricted to DNF formulae

Quantied Bo olean Formulae In contrast to the foregoing that refers to un

quantied Bo olean formulae a quantied Bo olean formula is a formula augmented

with quantiers that refer to each variable app earing in it That is if is a for

mula in the Bo olean variables x x and Q Q are Bo olean quantiers ie

n n

each Q is either or then Q x Q x x x is a quantied Bo olean

i n n n

formula A k alternating quantied Bo olean formula is a quantied Bo olean for

mula with up to k alternating sequences of existential and universal quantiers

starting with an existential quantier For example x x x x x x is a

alternating quantied Bo olean formula We say that a quantied Bo olean formula

is satisable if it evaluates to true

The set of satisable k alternating quantied Bo olean formulae is denoted kQBF

and is complete whereas the set of all satisable quantied Bo olean formulae

k

is denoted QBF and is P S P AC E complete

G FINITE FIELDS POLYNOMIALS AND VECTOR SPACES

The foregoing denition refers to the canonical form of quantied Bo olean for

mulae in which all the quantiers app ear at the leftmost side of the formula

A more general denition allows each variable to b e quantied at an arbitrary

place to the left of its leftmost o ccurrence in the formula eg x x x

x x x x Note that such generalized formulae used in the pro of of

Theorems and can b e transformed to the canonical form by pulling all

quantiers to the left of the formula eg x x x x x x x

G Finite Fields Polynomials and Vector Spaces

Various algebraic ob jects computational problems and techniques play an imp or

tant role in complexity theory The most dominant such ob jects are nite elds as

well as vector spaces and p olynomials over such elds

Finite Fields We denote by GFq the nite eld of q elements and note that

q may b e either a prime or a prime p ower In the rst case GFq is viewed

as consisting of the elements f q g with addition and multiplication b eing

dened mo dulo q Indeed GF is an imp ortant sp ecial case In the case that

e e

q p where p is a prime and e the standard representation of GFp

refers to an irreducible p olynomial of degree e over GFp Sp ecically if f is

e

an irreducible p olynomial of degree e over GF p then GFp can b e represented

as the set of p olynomials of degree at most e over GFp with addition and

multiplication dened mo dulo the p olynomial f

We mention that nding representations of large nite elds is a nontrivial

computational problem where in b oth cases we seek an ecient algorithm that

nds a representation ie either a large prime or an irreducible p olynomial in

time that is p olynomial in the length of the representation In the case of a eld

of prime cardinality this calls for generating a of adequate size

which can b e done eciently by a randomized algorithm while a corresp onding

e

deterministic algorithm is not known In the case of GFp where p is a prime

and e we need to nd an irreducible p olynomial of degree e over GFp

Again this task is eciently solvable by a randomized algorithm see but

a corresp onding deterministic algorithm is not known for the general case ie

e

for arbitrary prime p and e Fortunately for e with e b eing an

e e

integer the p olynomial x x is irreducible over GF which means that

e

nding a representation of GF is easy in this case Thus there exists a strongly

e

explicit construction of an innite family of nite elds ie fGF g where

eL

e

L f N g

Polynomials and Vector Spaces The set of degree d p olynomials over a

nite eld F of cardinality at least d forms a ddimensional vector space over F

d

eg consider the basis f x x g Indeed the standard representation of this

d

vector space refers to the basis x x and when referring to this basis the

P

d

i

p olynomial c x is represented as the vector c c c An alternative

i d

i

APPENDIX G SOME COMPUTATIONAL PROBLEMS

basis is obtained by considering the evaluation at d distinct p oints F

d

that is the degree d p olynomial p is represented by the sequence of values

p p Needless to say moving b etween such representations ie rep

d

resentations with resp ect to dierent bases amounts to applying an adequate linear

P

d

i

c x we have transformation that is for px

i

i

d

p c

d

B B C C C B

p c

B B C C C B

G

B B C C C B

A A A

d

p c

d d

d

d

where the full rank matrix in Eq G is called a Vandermonde matrix The

foregoing transformation or rather its inverse is closely related to the task of

p olynomial interp olation ie given the values of a degree d p olynomial at d

p oints nd the p olynomial itself

G The Determinant and the Permanent

Recall that the p ermanent of an nbyn matrix M a is dened as the sum

ij

P Q

n

a taken over all p ermutations of the set f ng This is related

i j

i

to the denition of the determinant in which the same sum is used except that

some elements are negated that is the determinant of M a is dened as

ij

Q P

n

a where if is an even p ermutation ie can b e

i j

i

expressed by an even number of transp ositions and otherwise

The corresp onding computational problems ie computing the determinant

or p ermanent of a given matrix seem to have vastly dierent complexities The

determinant can b e computed in p olynomialtime moreover it can b e computed

in uniform NC In contrast computing the p ermanent is P complete even in

the sp ecial case of matrices with entries in f g see Theorem

G Primes and Comp osite Numbers

A prime is a natural number that is not divisible by any natural number other than

itself and A natural number that is not a prime is called comp osite and its prime

Q

t

e

i

where the factorization is the set of primes that divide it that is if N P

i

i

P s are distinct primes greater than and e then fP i tg is the

i i i

prime factorization of N If t then N is a prime p ower

Two famous computational problems identied by Gauss as fundamental ones

are testing primality ie given a natural number determine whether it is prime or

comp osite and factoring comp osite integers ie given a comp osite number nd its

prime factorization Needless to say in b oth cases the input is presented in binary

representation Although testing primality is reducible to integer factorization

the problems seem to have dierent complexities While testing primality is in P

see and x showing that the problem is in BPP it is conjectured that

G PRIMES AND COMPOSITE NUMBERS

factoring composite integers is intractable In fact many p opular candidates for

various cryptographic systems are based on this conjecture

Extracting mo dular square ro ots Two related computational problems are

extracting mo dular square ro ots with resp ect to prime and comp osite mo duli

Sp ecically a quadratic residue mo dulo a prime P is an integer s such that there

exists an integer r satisfying s r mo d P The corresp onding search problem

ie given such P and s nd r can b e solved in probabilistic p olynomialtime

see Exercise The corresp onding problem for comp osite mo duli is compu

tationally equivalent to factoring see furthermore extracting square ro ots

mo dulo N is easily reducible to factoring N and factoring N is randomly reducible

to extracting square ro ots mo dulo N even in a typicalcase sense We mention

that even the problem of deciding whether or not a given integer has a modular

square root modulo a given composite is conjectured to b e hard but is not known

to b e computationally equivalent to factoring

APPENDIX G SOME COMPUTATIONAL PROBLEMS

Bibliography

S Aaronson Complexity Zo o A continueously up dated website at

Zoo httpqwikicaltecheduwikiComplexity

LM Adleman and M Huang Primality Testing and Abelian Varieties Over

Finite Fields SpringerVerlag Lecture Notes in Computer Science Vol

Preliminary version in th STOC

M Agrawal N Kayal and N Saxena PRIMES is in P Annals of Mathe

matics Vol pages

M Ajtai J Komlos E Szemeredi Deterministic Simulation in LogSpace

In th ACM Symposium on the Theory of Computing pages

R Aleliunas RM Karp RJ Lipton L Lovasz and C Racko Random

walks universal traversal sequences and the complexity of maze problems In

th IEEE Symposium on Foundations of Computer Science pages

N Alon L Babai and A Itai A fast and Simple Randomized Algorithm

for the Maximal Indep endent Set Problem J of Algorithms Vol pages

N Alon and R Boppana The monotone circuit complexity of Bo olean func

tions Combinatorica Vol pages

N Alon J Bruck J Naor M Naor and R Roth Construction of Asymp

totically Go o d LowRate ErrorCorrecting Co des through PseudoRandom

Graphs IEEE Transactions on Information Theory Vol pages

N Alon E Fischer I Newman and A Shapira A Combinatorial Charac

terization of the Testable Graph Prop erties Its All Ab out Regularity In

th ACM Symposium on the Theory of Computing pages

N Alon O Goldreich J Hastad R Peralta Simple Constructions of Almost

k wise Indep endent Random Variables Journal of Random Structures and

Algorithms Vol No pages Preliminary version in st

FOCS

BIBLIOGRAPHY

N Alon and JH Sp encer The Probabilistic Method John Wiley Sons

Inc Second edition

R Armoni On the derandomization of spaceb ounded computations In

the pro ceedings of Random SpringerVerlag Lecture Notes in Computer

Science Vol pages

S Arora Approximation schemes for NPhard geometric optimization prob

lems A survey Math Programming Vol pages July

S Arora ab d B Barak Complexity Theory A Modern Approach Cambridge

University Press to app ear

S Arora C Lund R Motwani M Sudan and M Szegedy Pro of Verication

and Intractability of Approximation Problems Journal of the ACM Vol

pages Preliminary version in rd FOCS

S Arora and S Safra Probabilistic Checkable Pro ofs A New Characteriza

tion of NP Journal of the ACM Vol pages Preliminary

version in rd FOCS

H Attiya and J Welch Distributed Computing Fundamentals Simulations

and Advanced Topics McGrawHill

L Babai Trading Group Theory for Randomness In th ACM Symposium

on the Theory of Computing pages

L Babai Random oracles separate PSPACE from the PolynomialTime

Hierarchy Information Processing Letters Vol pages

L Babai L Fortnow and C Lund NonDeterministic Exp onential Time has

TwoProver Interactive Proto cols Computational Complexity Vol No

pages Preliminary version in st FOCS

L Babai L Fortnow L Levin and M Szegedy Checking Computations in

Polylogarithmic Time In rd ACM Symposium on the Theory of Computing

pages

L Babai L Fortnow N Nisan and A Wigderson BPP has Sub exp onen

tial Time Simulations unless EXPTIME has Publishable Pro ofs Complexity

Theory Vol pages

L Babai and S Moran ArthurMerlin Games A Randomized Pro of System

and a Hierarchy of Complexity Classes Journal of Computer and System

Science Vol

E Bach and J Shallit Algorithmic Number Theory Volume I Ecient

Algorithms MIT Press

B Barak NonBlackBox Techniques in Crypptography PhD Thesis Weiz

mann Institute of Science

BIBLIOGRAPHY

W Baur and V Strassen The Complexity of Partial Derivatives Theor

Comput Sci pages

P Beame and T Pitassi Prop ositional Pro of Complexity Past Present and

Future In Bul letin of the European Association for Theoretical Computer

Science Vol June pp

M Bellare O Goldreich and E Petrank Uniform Generation of NP

witnesses using an NPoracle Information and Computation Vol pages

M Bellare O Goldreich and M Sudan Free Bits PCPs and Non

Approximability Towards Tight Results SIAM Journal on Computing

Vol No pages Extended abstract in th FOCS

S BenDavid B Chor O Goldreich and M Luby On the Theory of Average

Case Complexity Journal of Computer and System Science Vol pages

A BenDor and S Halevi In nd Israel Symp on Theory of Computing and

Systems IEEE Computer So ciety Press pages

M BenOr O Goldreich S Goldwasser J Hastad J Kilian S Micali

and P Rogaway Everything Provable is Probable in ZeroKnowledge In

Crypto SpringerVerlag Lecture Notes in Computer Science Vol

pages

M BenOr S Goldwasser J Kilian and A Wigderson MultiProver Inter

active Pro ofs How to Remove Intractability In th ACM Symposium on

the Theory of Computing pages

M BenOr S Goldwasser and A Wigderson Completeness Theorems for

NonCryptographic FaultTolerant Distributed Computation In th ACM

Symposium on the Theory of Computing pages

E BenSasson O Goldreich P Harsha M Sudan and S Vadhan Robust

PCPs of Proximity Shorter PCPs and Applications to Co ding SIAM Jour

nal on Computing Vol pages Extended abstract in

th STOC

E BenSasson and M Sudan Simple PCPs with Polylog Rate and Query

Complexity In th ACM Symposium on the Theory of Computing pages

L Berman and J Hartmanis On isomorphisms and density of NP and other

complete sets SIAM Journal on Computing Vol pages

M Blum A MachineIndependent Theory of the Complexity of Recursive

Functions Journal of the ACM Vol pages

BIBLIOGRAPHY

M Blum and S Kannan Designing Programs that Check their Work In

st ACM Symposium on the Theory of Computing pages

M Blum M Luby and R Rubinfeld SelfTestingCorrecting with Appli

cations to Numerical Problems Journal of Computer and System Science

Vol No pages

M Blum and S Micali How to Generate Cryptographically Strong Sequences

of PseudoRandom Bits SIAM Journal on Computing Vol pages

Preliminary version in rd FOCS

A Bogdanov K Obata and L Trevisan A lower b ound for testing

colorability in b oundeddegree graphs In rd IEEE Symposium on Foun

dations of Computer Science pages

A Bogdanov and L Trevisan On worstcase to averagecase reductions for

NP problems SIAM Journal on Computing Vol pages

Extended abstract in th FOCS

A Bogdanov and L Trevisan Averagecase complexity Foundations and

Trends in Theoretical Computer Science Vol

R Boppana J Hastad and S Zachos Do es CoNP Have Short Interactive

Pro ofs Information Processing Letters Vol May pages

R Boppana and M Sipser The complexity of nite functions In Handbook

of Theoretical Computer Science Volume A Algorithms and Complexity

J van Leeuwen editor MIT PressElsevier pages

A Boro din Computational Complexity and the Existence of Complexity

Gaps Journal of the ACM Vol pages

A Boro din On Relating Time and Space to Size and Depth SIAM Journal

on Computing Vol pages

G Brassard D Chaum and C Crepeau Minimum Disclosure Pro ofs of

Knowledge Journal of Computer and System Science Vol No pages

Preliminary version by Brassard and Crepeau in th FOCS

L Carter and M Wegman Universal Hash Functions Journal of Computer

and System Science Vol pages

GJ Chaitin On the Length of Programs for Computing Finite Binary Se

quences Journal of the ACM Vol pages

AK Chandra DC Kozen and LJ Sto ckmeyer Alternation Journal of the

ACM Vol pages

BIBLIOGRAPHY

D Chaum C Crepeau and I Damgard Multiparty unconditionally Secure

Proto cols In th ACM Symposium on the Theory of Computing pages

B Chor and O Goldreich On the Power of TwoPoint Based Sampling

Jour of Complexity Vol pages Preliminary version dates

A Church An Unsolvable Problem of Elementary Number Theory Amer

J of Math Vol pages

N Creignou S Khanna and M Sudan Complexity Classications of

Boolean Constraint Satisfaction Problems SIAM Monographs on Discrete

Mathematics and Applications

A Cobham The Intristic Computational Diculty of Functions In Proc

Iternational Congress for Logic Methodology and Philosophy of Science

pages

SA Co ok The Complexity of Theorem Proving Pro cedures In rd ACM

Symposium on the Theory of Computing pages

SA Co ok An Overview of Computational Complexity Turing Award Lec

ture CACM Vol pages

SA Co ok A Taxonomy of Problems with Fast Parallel Algorithms Infor

mation and Control Vol pages

SA Co ok and RA Reckhow The Relative Eciency of Prop ositional Pro of

Systems J of Symbolic Logic Vol pages

D Copp ersmith and S Winograd Matrix multiplication via arithmetic pro

gressions Journal of Symbolic Computation pages

TM Cover and GA Thomas Elements of Information Theory John Wiley

Sons Inc NewYork

P Crescenzi and V Kann A comp endium of NP Optimization problems

Available at httpwwwnadakthseviggowwwcompendium

RA DeMillo and RJ Lipton A probabilistic remark on algebraic program

testing Information Processing Letters Vol pages June

W Die and ME Hellman New Directions in Cryptography IEEE Trans

actions on Information Theory IT Nov pages

I Dinur The PCP Theorem by Gap Amplication In th ACM Symposium

on the Theory of Computing pages

I Dinur and O Reingold Assignmenttesters Towards a combinatorial pro of

of the PCPTheorem SIAM Journal on Computing Vol pages

Extended abstract in th FOCS

BIBLIOGRAPHY

I Dinur and S Safra The imp ortance of b eing biased In th ACM Sym

posium on the Theory of Computing pages

J Edmonds Paths Trees and Flowers Canad J Math Vol pages

S Even Graph Algorithms Computer Science Press

S Even AL Selman and Y Yacobi The Complexity of Promise Problems

with Applications to PublicKey Cryptography Information and Control

Vol pages

U Feige S Goldwasser L Lovasz and S Safra On the Complexity of

Approximating the Maximum Size of a Clique Unpublished manuscript

U Feige S Goldwasser L Lovasz S Safra and M Szegedy Approximating

Clique is almost NPcomplete Journal of the ACM Vol pages

Preliminary version in nd FOCS

U Feige D Lapidot and A Shamir Multiple NonInteractive Zero

Knowledge Pro ofs Under General Assumptions SIAM Journal on Com

puting Vol pages Preliminary version in st FOCS

U Feige and A Shamir Witness Indistinguishability and Witness Hiding

Proto cols In nd ACM Symposium on the Theory of Computing pages

E Fischer The art of uninformed decisions A primer to prop erty test

ing Bul letin of the European Association for Theoretical Computer Science

Vol pages

GD Forney Concatenated Codes MIT Press Cambridge MA

L Fortnow R Lipton D van Melkebeek and A Viglas Timespace lower

b ounds for satisability Journal of the ACM Vol pages

November

L Fortnow J Romp el and M Sipser On the p ower of multiprover interac

tive proto cols In rd IEEE Symp on Structure in Complexity Theory pages

See errata in th IEEE Symp on Structure in Complexity

Theory pages

S Fortune A Note on Sparse Complete Sets SIAM Journal on Computing

Vol pages

M F urer O Goldreich Y Mansour M Sipser and S Zachos On Complete

ness and Soundness in Interactive Pro of Systems Advances in Computing

Research a research annual Vol Randomness and Computation S Mi

cali ed pages

BIBLIOGRAPHY

ML Furst JB Saxe and M Sipser Parity Circuits and the Polynomial

Time Hierarchy Mathematical Systems Theory Vol pages

Preliminary version in nd FOCS

O Gab er and Z Galil Explicit Constructions of Linear Size Sup erconcen

trators Journal of Computer and System Science Vol pages

MR Garey and DS Johnson Computers and Intractability A Guide to the

Theory of NPCompleteness WH Freeman and Company New York

J von zur Gathen Algebraic Complexity Theory Ann Rev Comput Sci

Vol pages

O Goldreich Foundation of Cryptography Class Notes Computer Science

Dept Technion Israel Spring Sup erseded by

O Goldreich A Note on Computational Indistinguishability Information

Processing Letters Vol pages May

O Goldreich Notes on Levins Theory of AverageCase Complexity ECCC

TR Dec

O Goldreich Modern Cryptography Probabilistic Proofs and Pseudorandom

ness Algorithms and Combinatorics series Vol Springer

O Goldreich Foundation of Cryptography Basic Tools Cambridge Univer

sity Press

O Goldreich Foundation of Cryptography Basic Applications Cambridge

University Press

O Goldreich Short Lo cally Testable Co des and Pro ofs Survey ECCC

TR

O Goldreich On Promise Problems a survey in memory of Shimon Even

ECCC TR

O Goldreich S Goldwasser and S Micali How to Construct Random

Functions Journal of the ACM Vol No pages

O Goldreich S Goldwasser and A Nussb oim On the Implementation of

Huge Random Ob jects In th IEEE Symposium on Foundations of Com

puter Science pages

O Goldreich S Goldwasser and D Ron Prop erty testing and its connection

to learning and approximation Journal of the ACM pages July

Extended abstract in th FOCS

O Goldreich and H Krawczyk On the Comp osition of ZeroKnowledge

Pro of Systems SIAM Journal on Computing Vol No February

pages Preliminary version in th ICALP

BIBLIOGRAPHY

O Goldreich and LA Levin Hardcore Predicates for any OneWay Func

tion In st ACM Symposium on the Theory of Computing pages

O Goldreich S Micali and A Wigderson Pro ofs that Yield Nothing but

their Validity or All Languages in NP Have ZeroKnowledge Pro of Systems

Journal of the ACM Vol No pages Preliminary version

in th FOCS

O Goldreich S Micali and A Wigderson How to Play any Mental Game

A Completeness Theorem for Proto cols with Honest Ma jority In th ACM

Symposium on the Theory of Computing pages

O Goldreich N Nisan and A Wigderson On Yaos XORLemma ECCC

TR

O Goldreich and D Ron Prop erty testing in b ounded degree graphs Algo

rithmica pages Extended abstract in th STOC

O Goldreich and D Ron A sublinear bipartite tester for b ounded degree

graphs Combinatorica Vol pages Extended abstract

in th STOC

O Goldreich R Rubinfeld and M Sudan Learning p olynomials with queries

the highly noisy case SIAM J Discrete Math Vol pages

O Goldreich S Vadhan and A Wigderson On interactive pro ofs with a

laconic provers Computational Complexity Vol pages

O Goldreich and A Wigderson Computational Complexity In The Prince

ton Companion to Mathematics to app ear

S Goldwasser and S Micali Probabilistic Encryption Journal of Computer

and System Science Vol No pages Preliminary version

in th STOC

S Goldwasser S Micali and C Racko The Knowledge Complexity of

Interactive Pro of Systems SIAM Journal on Computing Vol pages

Preliminary version in th STOC Earlier versions date to

S Goldwasser S Micali and RL Rivest A Digital Signature Scheme Secure

Against Adaptive ChosenMessage Attacks SIAM Journal on Computing

April pages

S Goldwasser and M Sipser Private Coins versus Public Coins in Interactive

Pro of Systems Advances in Computing Research a research annual Vol

Randomness and Computation S Micali ed pages Extended

abstract in th STOC

BIBLIOGRAPHY

SW Golomb Shift Register Sequences HoldenDay Aegean Park

Press revised edition

V Guruswami C Umans and S Vadhan Extractors and condensers from

univariate p olynomials ECCC TR

J Hartmanis and RE Stearns On the Computational Complexity of of

Algorithms Transactions of the AMS Vol pages

J Hastad Almost Optimal Lower Bounds for Small Depth Circuits Ad

vances in Computing Research a research annual Vol Randomness and

Computation S Micali ed pages Extended abstract in

th STOC

J Hastad Clique is hard to approximate within n Acta Mathematica

Vol pages Preliminary versions in th STOC

and th FOCS

J Hastad Getting optimal inapproximability results Journal of the ACM

Vol pages Extended abstract in th STOC

J Hastad R Impagliazzo LA Levin and M Luby A Pseudorandom Gen

erator from any Oneway Function SIAM Journal on Computing Volume

Number pages Preliminary versions by Impagliazzo

et al in st STOC and Hastad in nd STOC

J Hastad and S Khot Query ecient PCPs with p efect completeness In

nd IEEE Symposium on Foundations of Computer Science pages

A Healy RandomnessEcient Sampling within NC Computational Com

plexity to app ear Preliminary version in th RANDOM

A Healy S Vadhan and E Viola Using nondeterminism to amplify hardness

SIAM Journal on Computing Vol pages

D Ho chbaum ed Approximation Algorithms for NPHard Problems PWS

JE Hop croft and JD Ullman Introduction to Automata Theory Languages

and Computation AddisonWesley

S Ho ory N Linial and A Wigderson Expander Graphs and their Applica

tions Bul l AMS Vol pages

N Immerman Nondeterministic Space is Closed Under Complementation

SIAM Journal on Computing Vol pages

R Impagliazzo Hardcore Distributions for Somewhat Hard Problems In

th IEEE Symposium on Foundations of Computer Science pages

BIBLIOGRAPHY

R Impagliazzo and LA Levin No Better Ways to Generate Hard NP In

stances than Picking Uniformly at Random In st IEEE Symposium on

Foundations of Computer Science pages

R Impagliazzo and A Wigderson PBPP if E requires exp onential circuits

Derandomizing the XOR Lemma In th ACM Symposium on the Theory

of Computing pages

R Impagliazzo and A Wigderson Randomness vs Time Derandomization

under a Uniform Assumption Journal of Computer and System Science

Vol pages

R Impagliazzo and M Yung Direct ZeroKnowledge Computations In

Crypto SpringerVerlag Lecture Notes in Computer Science Vol

pages

M Jerrum A Sinclair and E Vigo da A PolynomialTime Approximation

Algorithm for the Permanent of a Matrix with NonNegative Entries Journal

of the ACM Vol pages

M Jerrum L Valiant and VV Vazirani Random Generation of Combina

torial Structures from a Uniform Distribution Theoretical Computer Science

Vol pages

B Juba and M Sudan

Towards Universal Semantic Communication Manuscript February

Available from httptheorycsailmitedumadhupapersjubapdf

V Kabanets and R Impagliazzo Derandomizing Polynomial Identity Tests

Means Proving Circuit Lower Bounds Computational Complexity Vol

pages Preliminary version in th STOC

N Kahale Eigenvalues and Expansion of Regular Graphs Journal of the

ACM Vol pages September

R Kannan H Venkateswaran V Vinay and AC Yao A Circuitbased

Pro of of Todas Theorem Information and Computation Vol pages

RM Karp Reducibility among Combinatorial Problems In Complexity

of Computer Computations RE Miller and JW Thatcher eds Plenum

Press pages

RM Karp and RJ Lipton Some connections b etween nonuniform and uni

form complexity classes In th ACM Symposium on the Theory of Com

puting pages

RM Karp and M Luby MonteCarlo algorithms for enumeration and re

liability problems In th IEEE Symposium on Foundations of Computer

Science pages

BIBLIOGRAPHY

RM Karp and V Ramachandran Parallel Algorithms for SharedMemory

Machines In Handbook of Theoretical Computer Science Vol A Algorithms

and Complexity

M Karchmer and A Wigderson Monotone Circuits for Connectivity Require

Sup erlogarithmic Depth SIAM J Discrete Math Vol pages

Preliminary version in th STOC

MJ Kearns and UV Vazirani An introduction to Computational Learning

Theory MIT Press

S Khot and O Regev Vertex Cover Might b e Hard to Approximate to

within In th IEEE Conference on Computational Complexity pages

VM Khrap chenko A metho d of determining lower b ounds for the com

plexity of Pischemes In Matematicheskie Zametki Vol pages

in Russian English translation in Mathematical Notes of the Academy

of Sciences of the USSR Vol pages

J Kilian A Note on Ecient ZeroKnowledge Pro ofs and Arguments In

th ACM Symposium on the Theory of Computing pages

DE Knuth The Art of Computer Programming Vol Seminumerical

Algorithms AddisonWesley Publishing Company Inc rst edition

and second edition

A Kolmogorov Three Approaches to the Concept of The Amount Of In

formation Probl of Inform Transm Vol

E Kushilevitz and N Nisan Communication Complexity Cambridge Uni

versity Press

RE Ladner On the Structure of Polynomial Time Reducibility Journal of

the ACM Vol pages

C Lautemann BPP and the Information Processing

Letters Vol pages

FT Leighton Introduction to Parallel Algorithms and Architectures Arrays

Trees Hypercubes Morgan Kaufmann Publishers San Mateo CA

LA Levin Universal Search Problems Problemy Peredaci Informacii

pages in Russian English translation in Problems of Infor

mation Transmission pages

LA Levin Randomness Conservation Inequalities Information and Inde

p endence in Mathematical Theories Information and Control Vol pages

BIBLIOGRAPHY

LA Levin Average Case Complete Problems SIAM Journal on Computing

Vol pages

LA Levin Fundamentals of Computing SIGACT News Education Forum

sp ecial th issue Vol pages

M Li and P Vitanyi An Introduction to Kolmogorov Complexity and its

Applications Springer Verlag August

RJ Lipton New directions in testing Distributed Computing and Cryp

tography J Feigenbaum and M Merritt ed DIMACS Series in Discrete

Mathematics and Theoretical Computer Science American Mathematics So

ciety Vol pages

N Livne All Natural NPC Problems Have AverageCase Complete Versions

ECCC TR

CJ Lu O Reingold S Vadhan and A Wigderson Extractors optimal up

to constant factors In th ACM Symposium on the Theory of Computing

pages

A Lub otzky R Phillips and P Sarnak Ramanujan Graphs Combinatorica

Vol pages

M Luby and A Wigderson Pairwise Indep endence and Derandomization

Foundations and Trends in Theoretical Computer Science Vol

Preliminary version TR ICSI Berkeley

C Lund L Fortnow H Karlo and N Nisan Algebraic Metho ds for In

teractive Pro of Systems Journal of the ACM Vol No pages

Preliminary version in st FOCS

F MacWilliams and N Sloane The theory of errorcorrecting codes North

Holland

GA Margulis Explicit Construction of Concentrators Prob Per Infor

Vol pages in Russian English translation in Problems

of Infor Trans pages

S Micali Computationally Sound Pro ofs SIAM Journal on Computing

Vol pages Preliminary version in th FOCS

GL Miller Riemanns Hyp othesis and Tests for Primality Journal of Com

puter and System Science Vol pages

PB Miltersen and NV Vino dchandran Derandomizing ArthurMerlin

Games using Hitting Sets Computational Complexity Vol pages

Preliminary version in th FOCS

R Motwani and P Raghavan Randomized Algorithms Cambridge University

Press

BIBLIOGRAPHY

M Naor Bit Commitment using Pseudorandom Generators Journal of

Cryptology Vol pages

J Naor and M Naor Smallbias Probability Spaces Ecient Constructions

and Applications SIAM Journal on Computing Vol pages

Preliminary version in nd STOC

M Naor and M Yung Universal OneWay Hash Functions and their Crypto

graphic Application In st ACM Symposium on the Theory of Computing

pages

M Nguyen SJ Ong S Vadhan Statistical ZeroKnowledge Arguments for

NP from Any OneWay Function In th IEEE Symposium on Foundations

of Computer Science pages

N Nisan Pseudorandom bits for constant depth circuits Combinatorica

Vol pages

N Nisan Pseudorandom Generators for Space Bounded Computation Com

binatorica Vol pages Preliminary version in nd

STOC

N Nisan RL SC Computational Complexity Vol pages

Preliminary version in th STOC

N Nisan and A Wigderson Hardness vs Randomness Journal of Computer

and System Science Vol No pages Preliminary version

in th FOCS

N Nisan and D Zuckerman Randomness is Linear in Space Journal of

Computer and System Science Vol pages Preliminary

version in th STOC

CH Papadimitriou Computational Complexity Addison Wesley

CH Papadimitriou and M Yannakakis Optimization Approximation and

Complexity Classes In th ACM Symposium on the Theory of Computing

pages

N Pipp enger and MJ Fischer Relations among complexity measures Jour

nal of the ACM Vol pages

E Post A Variant of a Recursively Unsolvable Problem Bul l AMS Vol

pages

MO Rabin Digitalized Signatures In Foundations of Secure Computation

RA DeMillo et al eds Academic Press

MO Rabin Digitalized Signatures and Public Key Functions as Intractable

as Factoring MITLCSTR

BIBLIOGRAPHY

MO Rabin Probabilistic Algorithm for Testing Primality Journal of Num

ber Theory Vol pages

R Raz A Parallel Rep etition Theorem SIAM Journal on Computing

Vol pages Extended abstract in th STOC

R Raz and A Wigderson Monotone Circuits for Matching Require Linear

Depth Journal of the ACM Vol pages Preliminary

version in nd STOC

A Razb orov Lower b ounds for the monotone complexity of some Bo olean

functions In Doklady Akademii Nauk SSSR Vol No pages

in Russian English translation in Soviet Math Doklady pages

A Razb orov Lower b ounds on the size of b oundeddepth networks over a

complete basis with logical addition In Matematicheskie Zametki Vol

No pages in Russian English translation in Mathematical

Notes of the Academy of Sci of the USSR Vol pages

AR Razb orov and S Rudich Natural Pro ofs Journal of Computer and

System Science Vol pages Preliminary version in th

STOC

O Reingold Undirected STConnectivity in LogSpace In th ACM Sym

posium on the Theory of Computing pages

O Reingold S Vadhan and A Wigderson Entropy Waves the ZigZag

Graph Pro duct and New ConstantDegree Expanders and Extractors An

nals of Mathematics Vol pages Preliminary version

in st FOCS pages

HG Rice Classes of Recursively Enumerable Sets and their Decision Prob

lems Trans AMS Vol pages

RL Rivest A Shamir and LM Adleman A Metho d for Obtaining Digital

Signatures and Public Key Cryptosystems CACM Vol Feb pages

D Ron Prop erty testing In Handbook on Randomization Volume II

pages Editors S Ra jasekaran PM Pardalos JH Reif

and JDP Rolim

R Rubinfeld and M Sudan Robust characterization of p olynomials with

applications to program testing SIAM Journal on Computing Vol

pages

Journal of Com M Saks and S Zhou BP SPACES DSPACES

H

puter and System Science Vol pages Preliminary

version in th FOCS

BIBLIOGRAPHY

WJ Savitch Relationships b etween nondeterministic and deterministic tap e

complexities Journal of Computer and System Science Vol pages

A Selman On the structure of NP Notices Amer Math Soc Vol

page

JT Schwartz Fast probabilistic algorithms for verication of p olynomial

identities Journal of the ACM Vol pages Octob er

R Shaltiel Recent Developments in Explicit Constructions of Extractors In

Current Trends in Theoretical Computer Science The Chal lenge of the New

Century Vol Algorithms and Complexity World scietic Editors

G Paun G Rozenberg and A Salomaa Preliminary version in Bul letin of

the EATCS pages

R Shaltiel and C Umans Simple Extractors for All MinEntropies and a

New PseudoRandom Generator In nd IEEE Symposium on Foundations

of Computer Science pages

CE Shannon A Symbolic Analysis of Relay and Switching Circuits Trans

American Institute of Electrical Engineers Vol pages

CE Shannon A mathematical theory of communication Bel l Sys Tech

Jour Vol pages

CE Shannon Communication Theory of Secrecy Systems Bel l Sys Tech

Jour Vol pages

A Shamir IP PSPACE Journal of the ACM Vol No pages

Preliminary version in st FOCS

A Shpilka Lower Bounds for Matrix Pro duct SIAM Journal on Computing

pages

M Sipser A Complexity Theoretic Approach to Randomness In th ACM

Symposium on the Theory of Computing pages

M Sipser Introduction to the Theory of Computation PWS Publishing

Company

R Smolensky Algebraic Metho ds in the Theory of Lower Bounds for Bo olean

Circuit Complexity In th ACM Symposium on the Theory of Computing

pages

RJ Solomono A Formal Theory of Inductive Inference Information and

Control Vol pages

R Solovay and V Strassen A Fast MonteCarlo Test for Primality SIAM

Journal on Computing Vol pages Addendum in SIAM Jour

nal on Computing Vol page

BIBLIOGRAPHY

DA Spielman Advanced Complexity Theory Lectures and

Notes by D Lewin and S Vadhan March Available

from httpwwwcsyaleeduhomesspielmanAdvComplexity as

lectps and lectps

LJ Sto ckmeyer The PolynomialTime Hierarchy Theoretical Computer

Science Vol pages

L Sto ckmeyer The Complexity of Approximate Counting In th ACM

Symposium on the Theory of Computing pages

V Strassen Algebraic Complexity Theory In Handbook of Theoretical Com

puter Science Volume A Algorithms and Complexity J van Leeuwen edi

tor MIT PressElsevier pages

M Sudan Deco ding of Reed Solomon co des b eyond the errorcorrection

b ound Journal of Complexity Vol pages

M Sudan Algorithmic introduction to co ding theory Lecture notes Avail

able from httptheorycsailmitedumadhuFT

M Sudan L Trevisan and S Vadhan Pseudorandom generators without

the XOR Lemma Journal of Computer and System Science Vol No

pages

R Szelep csenyi A Metho d of Forced Enumeration for Nondeterministic Au

tomata Acta Informatica Vol pages

S Toda PP is as hard as the p olynomialtime hierarchy SIAM Journal on

Computing Vol pages

BA Trakhtenbrot A Survey of Russian Approaches to Perebor Brute Force

Search Algorithms Annals of the History of Computing Vol pages

L Trevisan Extractors and Pseudorandom Generators Journal of the ACM

Vol pages Preliminary version in st STOC

L Trevisan On uniform amplication of hardness in NP In th ACM

Symposium on the Theory of Computing pages

V Trifonov An O log n log log n Space Algorithm for Undirected st

Connectivity In th ACM Symposium on the Theory of Computing pages

CE Turing On Computable Numbers with an Application to the Entschei

dungsproblem Proc Londom Mathematical Soceity Ser Vol pages

A Correction ibid Vol pages

C Umans Pseudorandom generators for all hardness Journal of Computer

and System Science Vol pages

BIBLIOGRAPHY

S Vadhan A Study of Statistical ZeroKnowledge Pro ofs PhD

Thesis Department of Mathematics MIT Available from

httpwwweecsharvardedusalilpapersphdthesisabshtml

S Vadhan An Unconditional Study of Computational Zero Knowledge

SIAM Journal on Computing Vol pages Extended

abstract in th FOCS

S Vadhan Lecture Notes for CS Pseudorandomness Spring

Available from httpwwweecsharvardedusalil

LG Valiant The Complexity of Computing the Permanent Theoretical

Computer Science Vol pages

LG Valiant A theory of the learnable CACM Vol pages

LG Valiant and VV Vazirani NP Is as Easy as Detecting Unique Solutions

Theoretical Computer Science Vol pages

J von Neumann First Draft of a Rep ort on the EDVAC Contract No

WORD Mo ore School of Electrical Engineering Univ of Penn

Philadelphia Reprinted in part in Origins of Digital Computers Selected

Papers SpringerVerlag Berlin Heidelb erg pages

J von Neumann Zur Theorie der Gesellschaftsspiele Mathematische An

nalen pages

I Wegener The Complexity of Boolean Functions WileyTeubner

I Wegener Branching Programs and Binary Decision Diagrams Theory and

Applications SIAM Monographs on and Applications

A Wigderson The amazing p ower of pairwise indep endence In th ACM

Symposium on the Theory of Computing pages

AC Yao Theory and Application of Trapdo or Functions In rd IEEE

Symposium on Foundations of Computer Science pages

AC Yao Separating the PolynomialTime Hierarchy by Oracles In th

IEEE Symposium on Foundations of Computer Science pages

AC Yao How to Generate and Exchange Secrets In th IEEE Symposium

on Foundations of Computer Science pages

S Yekhanin New Lo cally Deco dable Co des and Private Information Re

trieval Schemes ECCC TR

BIBLIOGRAPHY

RE Zipp el Probabilistic algorithms for sparse p olynomials In the Proceed

ings of EUROSAM International Symposium on Symbolic and Algebraic

Manipulation E Ng Ed Lecture Notes in Computer Science Vol

pages Springer

D Zuckerman LinearDegree Extractors and the Inapproximability of Max

Clique and Chromatic Number In th ACM Symposium on the Theory of

Computing pages

Index

Author Index Karchmer M

Adleman LM Karlo H

Agrawal M Karp RM

Ajtai M Kayal N

Aleliunas R Kilian J

Arora S Kolmogorov A

Babai L Komlos J

Barak B Ladner RE

BenOr M Lautemann C

Blum M Levin LA

Boro din A

Lipton RJ

Brassard G

Lovasz L

Chaitin GJ

Luby M

Chaum D

Lund C

Church A

Micali S

Cobham A

Co ok SA

Miller GL

Crepeau C

Moran S

Die W

Motwani R

Dinur I

Naor J

Edmonds J

Naor M

Even S

Nisan N

Feige U

Papadimitriou CH

Fortnow L

Rabin MO

Furst ML

Racko C

Goldreich O

Raz R

Razb orov AR

Goldwasser S

Reingold O

Hastad J Rivest RL

Hartmanis J Ron D

Hellman ME Rubinfeld R

Huang M Safra S

Immerman N Savitch WJ

Impagliazzo R Saxe JB

Jerrum M Saxena N

INDEX

depth Selman AL

Monotone Shamir A

Natural Pro ofs Shannon CE

size

Sipser M

unbounded fanin

Solomonov RJ

uniform

Solovay R

Stearns RE

Bo olean Formulae

Sto ckmeyer LJ

Strassen V

clauses

Sudan M

CNF

Szegedy M

DNF

Szelep csenyi R

literals

Szemeredi E

Monotone

Toda S

Quantied

Trevisan L

Byzantine Agreement

Turing AM

Vadhan S

Chebyshevs Inequality

Valiant L

Cherno Bound

Vazirani VV

Chinese Reminder Theorem

Wigderson A

ChurchTuring Thesis

Circuits see Bo olean Circuits

Yacobi Y

CNF see Bo olean Formulae

Yannakakis M

CobhamEdmonds Thesis

Yao AC

Zuckerman D

Co ding Theory

concatenated co des

Algorithms see the

Connection to Hardness Ampli

ory

cation

Approximate counting

go o d co des

Hadamard Co de

satisfying assignments to a DNF

List Deco ding

Approximation

Counting see Approximate count

lo cally deco dable

ing

lo cally testable

Hardness see Hardness of Ap

Long Co de

proximation

ReedMuller Co de

Arithmetic Circuits

ReedSolomon Co de

Average Case Complexity

Unique Deco ding

BlumMicali Generator see Pseudo Commitment Schemes see Cryptog

random Generators

raphy

Bo olean Circuits

Communication Complexity

Complexity classes

b ounded fanin P

constantdepth P

INDEX

PSPACE AC

AM

quasiP

BPL

RL

BPP

RP

SC

coNL

SZK

coNP

TC

ZK see ZeroKnowledge pro of sys

coRP

tems

Dspace

ZPP

Dtime

Computability theory

DTISP

Computational Indistinguishability

E

EXP

IP see Interactive Pro of systems

multiple samples

nontriviality

L

The Hybrid Technique

MA

NC

vs statistical closeness

NEXP

Computational Learning Theory

NL

Computational problems

SAT

NP

XC

Bipartiteness

Bounded Halting

Bounded NonHalting

as pro of system

CEVL

as search problem

Clique

Optimal search

CSAT

traditional denition

CSP

Determinant

NPC see NPCompleteness

Directed Connectivity

NPI

Nspace

Exact Set Cover

two mo dels

Extracting mo dular square ro ots

Ntime

P

Factoring Integers

Graph Colorability

as search problem

Graph Colorability

Pp oly

PCP see Probabilistically Check

Graph Isomorphism

able Pro of systems

Graph kColorability

PH

Graph NonIsomorphism

INDEX

Halting Problem General Proto cols

HardCore Predicates see One

Way Functions

Hamiltonian path

Hashing see Hashing

Indep endent Set

Message Authentication Schemes

kQBF

Perfect Matching

Mo dern vs Classical

Oblivious Transfer

Permanent

OneWay Functions see OneWay

Primality Testing

Functions

Pseudorandom Functions see Pseu

QBF

dorandom Functions

Pseudorandom Generators see Pseu

SAT

dorandom Generators

Set Cover

Secret Sharing

stCONN

Signature Schemes

Testing p olynomial identity

Trapdo or Permutations

TSP

Veriable Secret Sharing

UCONN

ZeroKnowledge see ZeroKnowledge

Undirected Connectivity

pro of systems

CSP see Computational problems

Vertex Cover

Computational Tasks and Mo dels

Decision problems

ComputationallySound pro of systems

unique solutions see Unique so

Arguments

lutions

Constantdepth circuits see Bo olean

Diagonalization

Circuits

Direct Pro duct Theorems

Constraint satisfaction problems see

CSP

Disp ersers

Co okreductions see Reduction

Counting Problems

Error Correcting Co des see Co ding

Approximation see Approximate

Theory

counting

Errorreduction

p erfect matching

satisfying assignments to a DNF

randomnessecient

Cryptography

Expander Graphs

Coin Tossing

amplication

Commitment Schemes

constructions

eigenvalue gap

Computational Indistinguishabil

expansion

ity see Computational In

explicitness

distinguishability

mixing

random walk Encryption Schemes

INDEX

hard regions Extractors see Randomness Extrac

Information Theory tors

Interactive Pro of systems

Finite automata

Finite elds

algebraic metho ds

Formulae see Bo olean Formulae

ArthurMerlin

Fourier co ecients

computationalsoundness

Godels Incompleteness Theorem

constantround

Game Theory

for Graph NonIsomorphism

Minmax principle

for PSPACE

Gap Problems see Promise Problems

Hierarchy

Gap Theorems see Time Gaps

linear sp eedup

GF

p ower of the prover

n

GF

publiccoin

Graph prop erties

Graph theory

twosided error

Karpreductions see Reduction

Hadamard Co de see Co ding Theory

Knowledge Complexity

Halting Problem see Computational

Kolmogorov Complexity

problems

Hard Regions see Inapproximable Pred

icates

Levinreductions see Reduction

Hardness of Approximation

Linear Feedback Shift Registers

MaxSAT

List Deco ding see Co ding Theory

MaxClique

Low Degree Tests see Prop erty Test

The PCP connection

ing

Lower Bounds

Hashing

as a random sieve

Markovs Inequality

Minmax principle see Game Theory

CollisionFree

Monotone circuits see Bo olean Cir

CollisionResistant

cuits

Extraction Prop erty

MultiProver Interactive Pro of systems

highly indep endent

Leftover Hash Lemma

NisanWigderson Generator see Pseu

Mixing Prop erty

dorandom Generators

pairwise indep endent

NonInteractive ZeroKnowledge

Universal

Notation

Universal OneWay

asymptotic

Hierarchy Theorems see Time Hier

combinatorial

archies

graph theory

Hitters

integrality issues

Ho efding Inequality

NPCompleteness

Inapproximable Predicates

INDEX

OneWay Functions for graph prop erties

Low Degree Tests

SelfCorrecting see SelfCorrecting

HardCore Predicates

SelfTesting see SelfTesting

Pseudorandom Functions

Strong vs Weak

Optimal search for NP

Pseudorandom Generators

Oracle machines

archetypical case

BlumMicali Construction

P versus NP Question

conceptual discussion

PCP see Probabilistically Checkable

Pro of systems

Connection to Extractors

Polynomialtime Reductions see Re

duction

derandomization

Post Corresp ondence Problem

Probabilistic LogSpace

high end

Probabilistic PolynomialTime

low end

discrepancy sets

Probabilistic Pro of Systems

expander random walks

Probabilistically Checkable Pro of sys

tems

Extractors see Randomness Ex

adaptive

tractors

Approximation see Hardness of

general paradigm

Approximation

for NEXP

generalpurp ose

for NP

application

freebit complexity

construction

nonadaptive

denition

stretch

nonbinary queries

hitting

of proximity

NisanWigderson Construction

pro of length

query complexity

Robustness

pairwise indep endence

Probability Theory

conventions

samplers see Sampling

inequalities

small bias

Promise Problems

space

sp ecial purp ose

Gap Problems

universal sets

Pro of Complexity

unpredictability

Pro ofs of Knowledge

Random variables

Prop erty Testing

Co deword Testing see Co ding The pairwise indep endent

ory totally indep endent

INDEX

Randomized Computation worstcase to averagecase

LogSpace see Probabilistic Log

Rices Theorem

Space

PolynomialTime see Probabilis

Samplers see Sampling

tic PolynomialTime

Sampling

Pro of Systems see Probabilistic

Averaging Samplers

Pro of Systems

Search problems

Reductions see Reductions

Sublinear Time see Prop erty Test

Uniform generation see Uniform

ing

generation

Randomness Extractors

unique solutions see Unique so

Connection to Errorreduction

lutions

versus decision

Connection to Pseudorandomness

SelfCorrecting

Connection to Samplers

from few indep endent sources

Selfreducibility see Reduction

Seeded Extractors

SelfTesting

using Weak Random Sources

Space Complexity

Circuit Evaluation

Reductions

comp osition lemmas

among distributional problems

conventions

Co okReductions

Logarithmic Space

NonDeterminism

Downwards selfreducibility

Polynomial Space

Pseudorandomness see Pseudo

gap amplifying

random Generators

KarpReductions

Randomness see Probabilistic Log

Space

LevinReductions

Reductions see Reductions

sublogarithmic

parsimonious

versus time complexity

Space Gaps

Polynomialtime Reductions

Space Hierarchies

Spaceconstructible

Randomized Reductions

Sp eedup Theorems

stCONN see Computational prob

Reducibility Argument

lems

Statistical dierence

Selfreducibility

Time complexity

Spaceb ounded

Time Gaps

Time Hierarchies

Turingreductions Timeconstructible

INDEX

Turing machines

multitape

nondeterministic

singletap e

with advice

Turingreductions see Reductions

UCONN see Computational problems

Uncomputable functions

Undecidability

Uniform generation

Unique solutions

Universal algorithms

Universal machines

Variation distance see Statistical dif

ference

Witness Indistinguishability

Yaos XOR Lemma

derandomized version

ZeroKnowledge pro of systems

AlmostPerfect

blackbox simulation

Computational

for Colorability

for Graph NonIsomorphism

for NP

Honest verier

Knowledge Complexity

Perfect

Statistical

universal simulation