Private Coins versus Public Coins in Interactive Proof Systems
Shaft Goldwasser* Michael Sipser**
Computer Science Department Computer Science Department MIT University of California at Berkeley and Mathematics Department MIT
second, due to Babai, [B] requires that the outcome of the verifier's coin tosses be public Abstract and thus accessible to the prover. An interactive proof system is a method Our main result is that these two sys- by which one party of unlimited resources, tems are equivalent in power with respect to called the prover, can convince a party of lim- language recognition. ited resources, call the verifier, of the truth of The notion of interactive proof system a proposition. The verifier may toss coins, may be seen to yield a probabilistic analog to ask repeated questions of the prover, and run NP much as BPP is the probabilistic analog efficient tests upon the prover's responses to P. We define the probabilistic, nondeter- before deciding whether to be convinced. ministic, polynomial time Turing machine and This extends the familiar proof system impli- show that it is also equivalent in power to cit in the notion of NP in that there the these systems. verifier may not toss coins or speak, but only listen and verify. Interactive proof systems 1. Introduction may not yield proof in the strict mathemati- In this century, the notions of proof and cal sense: the "proofs" are probabilistic with computation have been formalized and under- an exponentially small, though non-zero stood. With the arrival of complexity theory, chance of error. the notion of what is efficiently provable We consider two notions of interactive became of interest. The class NP captured proof system. One, defined by Goldwasser, this notion, containing those languages for Micali, and Rackoff [GMR] permits the which proofs of membership can be verified verifier a coin that can be tossed in private, by a deterministic polynomial time Turing i.e., a secret source of randomness. The machine. We can view NP as a proof-system
Permission to copy without ice all or part of this material is granted consisting of two communicating Turing provided that the copies are not made or distributed for direct machines: the prover who guesses the proof commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by * Research supported in part by NSF G r a n t 8509905 permission of the Association for Computing Machinery. To copy DCR. otherwise, or to republish, requires a fee and/or specific permission. ** Research supported in part by NSF Grant MCS- © 1986 ACM 0-89791-193-8/86/0500/0059 $00.75 8304769 a n d Air Force Grant AFOSR-82-0326.
59 and the polynomial time deterministic computations on them and send the outcome verifier, who checks the correctness of the of the computation to the prover. In particu- proof. lar, he need not show the outcome of the Randomization has been recognized to be coins to the prover. a fundamental ingredient in defining what is The secrecy of the verifier's coin tosses efficiently computable (e.g RP, BPP, RNC). seemed essential to certain examples of In this paper, we seek to understand how ran- interactive proof systems. The most notable domization affects the definition of what is is a recent result of Goldreich, Micali and efficiently provable. Wigderson [GMW] showing an interactive A conventional deterministic NP verifier proof-system for the graph non-isomorphism does not accept statistical evidence as a con- problem. This is somewhat remarkable in vincing argument, regardless of how light of the fact that graph non-isomorphism overwhelming it may be. As a consequence, is not known to be in NP. We sketch this the kind of languages contained in NP are example in section 2.1. precisely those whose proofs of membership The interactive proof system (IP) defines can be fully put down in writing and shown a hierarchy of languages. Namely, L is in to others. The verifier does not actively parti- IP[k] if there exists a k-move (k alternations cipate in the proof process or interact with of message exchanges between prover and the prover in any way. It suffices for the verifier with the verifier sending the first prover to speak and the verifier to listen. message) interactive proof system such that: Randomization and interaction are for every input x(L, the probability that the essential ingredients of two recent formaliza- verifier accepts is greater than 2/3, and for tions of the concept of an efficient proof sys- every input x not in L, even against an tem. One formalization is due to Babai [B] optimal prover, the probability that the and the other to Goldwasser, Micali and verifier accepts is less than 1/3. Rackoff [GMR]. Both definitions would col- lapse to NP if no coins were flipped. Arthur-Merlin Games: An Interactive Proof System with a Public Coin Interactive Proof Systems Babai's formalization of efficient proof In defining what they called interactive system attempts to capture the smallest class proof systems, Goldwasser, Micali and of languages extending NP, for which statisti- Rackoff's intent was to make as general a cal proofs of membership exist. The primary definition as possible of what is provable to a motivation was to place the matrix group probabilistic verifier willing to accept statisti- non-membership and matrix group order prob- cal evidence. Their broader goal was to lems in a complexity class "just above NP". define the concept of the "knowledge" com- His proof-system, presented as a game, con- municated during a proof. sists of a powerful prover (capable of optimal moves) called Merlin, and a probabilistic poly- An interactive proof system consists of a nomial time verifier called Arthur which prover with unlimited computation power and receive a common input x. Merlin wins the a probabilistic polynomial time verifier who game if he can make Arthur accept x. receive a common input x. The prover and Arthur and Merlin alternate exchanging mes- the verifier can exchange messages back and sages back and forth for at most a polynomial forth for a polynomial in the length of x in the length of x times. At the end of the number of times. There are no restrictions on interaction, Arthur decides whether to accept how the verifier may use his coin tosses: he or reject (i.e., whether Merlin won or lost). can toss coins, perform any polynomial time
60 The difference between the Arthur- i.e., the GMR proof system is as powerful as Merlin proof system and the GMR proof sys- the Babai proof system. tem is in the restricted way that Arthur is allowed to use his coin tosses during the 2. Examples and Related Work game. Arthur's moves consist merely of toss- ing coins and sending their outcomes to Mer- 2.1. An Example of An Interactive Proof lin. Thus the Arthur-Merlin game is a special System case of an interactive proof system. Goldreich, Micali and Wigderson [GMW] The Arthur-Merlin games define a have recently demonstrated the following hierarchy of complexity classes, in a manner interactive proof system for the graph non- similar to IP. We say L is in AM[k] if there isomorphism problem. exists an Arthur-Merlin k-move game (i.e., k Let NONISO={(Go G1) such that the alternating message exchanges between graph G 1 is not isomorphic to the graph Go}. Arthur and Merlin, Arthur sending first) such Theorem (GMW): NONISO ~ IP. that for every input x~L, the probability that Arthur accepts x is greater than 2/3; and for proof." Let the prover and verifier receive as every input x not in L, the probability that input two n node graphs G o and G 1 on ver- an optimal Merlin wins is less than 1/3. tices V. The following steps 1 and 2 get exe- cuted n times in parallel. The elegant simplicity of the definition of the Arthur-Merlin game facilitates addi- step 1: The verifier flips a fair coin to tional results. Babai showed that for every choose cC{0,1} and a random permuta- constant k, AM[k] collapses to AM[2]. This tion ~ of V. The verifier then computes in turn is a subset of both H2P and R = ~(Gc) and sends R to the prover. nonuniform-NP. The relative power of proof step 2: The prover tells the verifier systems with a bounded and an unbounded whether c=0 or 1. number of exchanged messages remains an final step: if the prover makes a mistake interesting open question. in step 2 in guessing what c is, the In this paper we prove the equivalence of verifier rejects, otherwise he accepts. these two types of interactive proofs with If the two input graphs G 1 and G 2 are respect to language recognition. As a conse- not isomorphic to each other, then there quence the above results extend to IP. exists a prover who can distinguish the case that R is isomorphic to G O from the case that Our Result R is isomorphic to G1, and thus can always Let Q denote a polynomial. Let IP[Q] tell correctly in step 2 of the protocol whether (and AM[Q]) denote those languages L for c =0 or c=l, and make the verifier accept. which there exists a Q-move interactive proof On the other hand, if Go is isomorphic to system (and Q-move Arthur-Merlin proof- G1, then by the randomness of the permuta- system respectively). Namely, Q(H) mes- tion 9, R is as likely to be ~(Go) as it is to be sage exchanges between the prover and the ~(G1). The prover who does not know c will verifier are allowed on input x. err in step 2 of the protocol with probability In this paper, we show that for any poly- 1/2. QED nomial Q, Clearly, the secrecy of the coin is essen- IP[Q] c AM[Q+2] tial to this protocol. One consequence of this result, combined with Babai's and ours, is that the graph non-
61 isomorphism problem has polynomial-size, Furer and Zachos [ZF], in a work inves- non-deterministic circuits. tigating the robustness of probabilistic com- Several other interactive proof systems plexity classes, introduce a framework of pro, for number theoretic problems and the matrix babilistic existential and universal group membership problem appear in quantifiers and prove several combinatorial [GMR,B]. lemmas about them. The AM complexity classes can be formulated in terms of these 2.2. Related Work special quantifiers. The difference between IP and AM 2.3. Connections with C r y p t o g r a p h y games is analogous to that between alterna- tion [CKS] and alternation with partial infor- An interactive proof system can be mation [R]. In the case of alternation both viewed as a model for proving the correctness players play optimally subject to their of two party cryptographic protocols [GMR]. knowledge and only the referee who deter- The prover and verifier in an interactive mines the outcome is required to be polyno- proof system model the two participants in a mial time bounded. Condon and Ladner [CL] cryptographic protocol with one exception: the describe this connection in a general setting. cryptographic prover is not all powerful, but a probabilistic polynomial time machine with a Other relevant results concerning secret unknown to the verifier. interactive proof systems appear in [H] and [F]. Prior to our result, Johan Hastad [HI A key property of cryptographic proto- showed that the union U IP[k] is contained cols is the amount of "knowledge" released to k > 0 the verifier during the execution of the proto- in ~3. Paul Feldman IF] showed that the col. Very informally, we say that a prover in prover in an interactive proof system with a an interactive proof system releases "zero- polynomial number of interactions need not knowledge" if even a devious verifier can be more powerful than a PSPACE machine. learn no more than the validity of the asser- Boppana and Hastad [BH] showed that if co- tion being proved. In a "secure" protocol the NP C AM then for any i, ~CAM. This and prover has this property. (see [GMR] for pre- our result show that the polynomial hierar- cise definitions). In [GMW] it has been chy collapses to ~2P if graph isomorphism is shown, that if one-way functions exist then NP-complete. every language in NP has a zero-knowledge Fortnow and Sipser [FS] have shown proof protocol. that there is an oracle F such that co- Using this and our transformation from N P F ~ IPF . private-coin to public-coin protocols, Ben-or Other works related to the study of ran- [Be] has very recently shown that all domized proof systems appear in [Pa] and languages in IP have zero-knowledge, public- [ZF]. In Papadimitriou's "Games Against coin protocols, given the existence of one-way Nature", the verifier is also a probabilistic functions. Implications of this are not yet polynomial time machine which flips coins fully clear, but it may be that public coins are and presents them to an the prover which is a adequate for secure cryptographic protocols. capable of optimal moves. The difference is that the probability of convincing the verifier 3. Definitions need not be bounded away from 1/2. This We represent the verifier and the prover apparently affects the strength of the system of an interactive proof system as two func- as Papadimitriou's games are as powerful as tions V and P. PSPACE.
62 Definition: An Interactive proof protocol is 1/3 accepting W. As we shall see later, the given by two functions: class IP is unaffected if we substitute e for V: E* × ~* × E* --~ E* ~ {accept, reject} 1/3, where 2 -p°ly(n) ~- e -~ 1/2 - 2 -poly(n) Definition: An Interactive proof protocol with public coin is defined as above with the fol- lowing difference. The random input r is con- Let si denote the concatenation of i pairs sidered to be the concatenation of l strings of messages, s i = # x l # y l # . . . # x i # y i. We r = r l r 2 . . . r t where l is the number of write V ( w , r , s i ) = x i + 1 to mean that V on rounds and V is restricted to produce ri as it's input w, with random sequence r, and i th message, i.e., for i-
63 L e m m a : Given b,k,I>O, l >max(b,8), and set in which Arthur can verify membership, CC_~ k. Randomly select l linear functions possibly with Merlin's help. Then let Arthur H={h 1. . . . ,hi}, hi:~lt--'>~ b and l 2 strings picks random H and Z and Merlin attempt to Z={zl, . . . . zl~}CE b. Then respond with x ( C such that some x~H-l(z). 1. If b =2+[loglC[] then If C is large then he will likely succeed and if C is small he will likely fail. a) Pr[IH(C)I -> ICl/l] -> 1 - 2 -l b) Pr[H(C)NZ ~ ~ ] -> 1 - 2 -t/s 4.2. M a i n T h e o r e m . Theorem: IP[Q(n)]=AM[Q(n)+2] for any a) IH(C)I -< llcl polynomial Q(n) b) If for d>0, ICl <- 2b/d then: An informal proof sketch: Let's focus on 1- Pr[H(C)NZ ~O] -< 13/d round protocols. Assume V has an exponen- tially small error probability e, sends only Proof la: Since 2b-->4[C] the following chain messages of length m, and uses random of statements are easily verified. Let (hi(x)) j sequences of length I. For each x ~ m let denote the jth bit of the string hi(x). Fix fl=={r: V(r,w,#)=x}. For every y ( ~ = let x,y(E k, x~y, i j >0, except where quantified. axy -~ {r: r(fl= & V(r,w,#x#y) =accept}. Pr[(hi(x))J = (hi(y))J] = 1/2 Clearly, for each x, the optimal prover will Pr[ hi( x ) = hi(y)] = 2 - b select a Yx maximizing [axy [. Let ax=axy ,. Pr[3 y(C (x ~y&hi(x) =hi(y))]-< ]C I .2-b _< 1/4 Let a 0 = U a x . Then Pr[V(w) accepts] = Pr[Vi - [CI/l]-~ 1 - 2 -t vince A that la0] > e'2 l because this implies that Pr[V(w) accepts] > e and hence ~1. He Proof lb: Since [C1>--2b/8, if [H(C)Im[CI/I does this by showing that there are "many" then ax's which are "large", where IH(C)[ _> ! "many" ×"large" > e '2 z. The tradeoff between Ixbl 81 "many" and "large" is governed by a parame- Thus it is likely that one of the 12 strings in ter b sent by M to A. Z will be in H(C). More precisely, M first sends b to A. Pr[H(C) NZ = Q] -< (1 - 1/8/) Z2+ 2 -t < 2 -t/s Then two approximate lower bound protocols Proof 2a: Obvious. ensue. The first convinces A that I{x: lax]-->2b/(e'21)}l --> 2 b. M produces an x Proof 2b: Since in that set as per the approximate lower In(C)! < llcl = ± bound lemma. The second convinces A that x zb dlCl d really is in that set as claimed, i.e., that The probability that each z/ is in H(C) is at lax[ -~ 2b/(e.2l). most lid. Thus the probability that any of For g-round protocols iterate the first the 12 strings in Z is in H(C) is at most 13/d. approximate lower bound protocol to obtain II a o D a l D . . . _ D a g where there are "many/" We use this lemma to obtain Arthur- ways to extend ai_ 1 to ai and ag is "large". Merlin protocols for showing an approximate Require that (H"manyi)"×"large" ~- e'2 l. lower bound on the size of sets. Let C be a
64 Full proof: Let W(IP[Q(n)]. We may R o u n d i (1-~i-
Further we may assume that (-~) Merlin's protocol w h e n w EW I(n)>max(g(n),m(n),80). We write g,m,e,l First some notation. For r ~ l and for g(n), re(n), e(n) and l(n) where n is s = v l # v 2 # " ' ' #vk a stream of messages we understood. say We now describe the functions A and M, (V*P)(w,r) accepts via s simulating V and P, informally as two par- ties exchanging messages. The variables x i if the first k messages sent by V and P agree and Yi represent messages sent by V and P with s and (V*P)(w,r) accepts. respectively. In essence, the idea is for A to Suppose Pr[V(w) accepts] >- 2/3. Fix use the random hash functions to force M to any P such that Pr[(V*P)(w) accepts] -> 2/3. produce a generic run of the V,P protocol and We now exhibit a protocol for M such that then finally to prove that this run would Pr[(A*M)(w) accepts] -> 2/3. likely cause V to accept. The numbers bi R o u n d 0: that M produces roughly correspond to the Let i = 1. Proceed with "obtain bl". log of the number of possible generic mes- sages that V can make at round i. Obtain bi (i <-g): Let s i _ l = # x l # y l # ' " # x i _ l # y i _ l be the mes- A r t h u r ' s protocol sage stream for the V-P protocol produced so far. For each x ~ m let ax={r: R o u n d 0: (V*P)(w,r) accepts via si-l#x}. Group these a's into l A initially makes a null move and classes ¥1 . . . . . 7l where TTd contains a's of receives number bl from M. Go to round 1. size >2 d-1 and -<2 d. Choose the class Ymax
65 whose union UYm~L~= U{ax: axEYmax} is lai--1 I largest. Send bi=2+[logly=~l]. IU = I -> l Round i: Since all members of ¥max differ in size by at M receives hi, . . . . h l from A and most a factor of 2 and since ai E'Ym~ we have strings z i , . . . ,zt2. If there is an x E H - I ( z ) IU m=l such that axEym~, call it x i. Then, M la,I--> 21Ymd responds with the pair xi,Yi where and since bi=2+[loglymax]] we have yi=P(si_i#xi). Otherwise M responds with "failure". In the later analysis we refer to 2 b'+l -> 21 m=l the set ax, as ai. Set i ~ i + l . Goto "obtain Thus bi". Obtain bg+i: M produces the value bg+i as IU = I [all--> 2b i --> 12b, follows: Let sg = sg_ i #xg #yg be the message stream that has been selected. So ag={r:(V*P)(w,r) accepts via sg}. Send bg+i =2+[loglagl|. Claim 2: ~ b i -> l - g log l Proof: By Claim 1 we have: Round g + l : lad • M receives hi, . . . . h l and strings iagi-> z i . . . . ,zl~(~ bg÷~. If there is an lg " H 2b' i~g r E a g A H - i ( z ) , then M responds with r. Oth- erwise M responds with "failure". (Note that Since laol >-(213)2 t and taking logs r ( a g implies that V(w,r,sg) = accept) log[ag I -> ( / - 1 ) - ( g l o g l + ~ b i ) End of Protocol. i~g Since bg+i > l + l o g lag[ We now show that Pr[(A*M)(w) accepts] bi > l - g log l -> 2/3. Let ao={r: (V*P)(w,r) = accept}. i~g+l Since Pr[V accepts w| is high, la01->(2/3)2 t. By the definition of M, A will accept provided M never responds "failure" and (<--) Merlin's impotence when w q W ~ b i - > l - g l o g l . By the approximate lower Show that if Pr[V(w) accepts] -< e, bound lemma the probability that M responds then Pr[A(w)accepts] -~ 1/3. failure at any round is -<2 -l/s. Hence, the For every i > 0 and probability that M ever responds failure is S i = X l # Y l # " ' " #xi#y i let a(si)=max - 67 5. Probabilistic, nondeterministic T u r i n g 3. Can our transformation of interactive proof m a c h i n e s systems with public coins into Arthur-Merlin We can define a new type of Turing games be modified to preserve "zero- machine which accepts precisely those knowledge" without assuming the existence languages in IP. This gives an automata of one-way functions? theoretic characterization of this class. Definition: A Probabilistic, nondeterministic, Acknowledgements Turing machine, N, is defined conventionally W e are grateful to Oded Goldreich and except that it has two kinds of nondeterminis- Johan Hastad for pointing out that our proof tic states: random states denoted (~ and works for a polynomial number of interac- L P~ guess states, denoted ~ . tions. Silvio Micali's comments have been Given a configuration, c of such a machine we inspiring, as always. Thanks again to Oded assign it a probability p(c) of accepting as fol- for a careful reading of this paper and exten- lows: if c is an accept configuration then sive suggestions. Discussions with Laszlo p ( c ) = l , if c is a reject configuration then Babai, Anne Condon, Jack Edmonds, and Eva p ( c ) = 0 , if c is a deterministic configuration Tardos were very helpful. Ed Bein, Danny then p(c) =p(c') where c' is the successor of c, Soroker, and Jeannine St.Jacques provided if c is a random configuration, then p(c) is much appreciated last minute assistance. the average ofp(c'), and if c is a guess state then p(c) is the m a x i m u m of p(c') for c' a R e f e r e n c e s successor. We say that Pr[N(w) accepts] = [B] L. Babai, Trading group theory for randomness, Prec. of 17th Symposium on the Theory of Computation, P(Cstart ) where Cstan is the starting Providence, Rhode Island, 1985. configuration for N on input w. One way to [Be] M. Ben-Or, personal communication. think of computations on these machines is [BH] R. Boppana, J. Hastad, If co-NP Has Interactive Proof Systems with a Constant Number of Interactions, then that at every random state, a coin is flipped the Polynomial Time Hierarchy Collapses, In prep. to determine the successor and at every guess [CKS] Chandra, Kozen, Stockmeyer, Alternation, JACM state the successor with highest probability of 1981, p. 114. [Co] S. Cook, The Complexity of Theorem Proving Pro- eventually accepting is selected. cedures, 3rd STOC, 1971. Definition: Say W E B P N P if there is a proba- [CW] J.L. Carter, and M.N. Wegman, Universal classes of hash functions, JCSS 18, no. 2, 1979, 143-154. bilistic, nondeterministic, polynomial time [F] P. Feldman, The Prover in [P Need Not be More Turing machine N such that for all wEZ*: Powerful than PSPACE, personal communication. 1) if w E W then Pr[N(w) accepts] > 2/3 [FS] L. Fortnow, M. Sipser, personal communication. [H] J. Hastad, personal communication. 2) if w ~'W then Pr[N(w) accepts] < 1/3. [GMR] S. Goldwasser, S. Micali, C. Rackoff, The Knowledge Theorem: IP= AM(poly)--BPNP complexity of interactive proofs, Prec. of 17th Sympo- sium on the Theory of Computation, Providence, Proof: Immediate. These machines are just a Rhode Island, 1985. reformulation of Arthur-Merlin games. [GMW] O. Goldreich, S. Micali, A. Wigderson, Proofs that Yield Nothing but the Validity of their Assertion, In preparation. 6. O p e n Questions [P] C. Papadimitriou, Games against nature, 24th FOCS 1983, 446-450, 1. Is IP[2] = IP, or perhaps show an oracle F [R] J. Reif, Games with imperfect information, JCSS 29, such that IP F ~c I P[2]F? 274-301, 1984. [Si] M. Sipser, A Complexity Theoretic Approach to Ran- 2. In [B] Babai states that AM[2] = domness, 15th STOC, 1983, 330-335. {W: WENP R, for almost all oracles R}. How- [St] L. Steckmeyer, The complexity of approximate count- ing, Proc. of Symposium on the Theory of Computa- ever, an oversight in his argument leaves this tion, 1984. equality an open question. [ZF] S. Zachos, M. Furer, Probabilistic quantifiers us. dis- trustful adversaries, to appear. 68