Algebraic Metho ds for Interactive Pro of Systems
�
Carsten Lund
y
Lance Fortnow
z
Howard Karlo�
University of Chicago
x
Noam Nisan
Hebrew University
Abstract
We present a new algebraic technique for the construction of interactive pro of systems� We use our
technique to prove that every language in the p olynomial �time hierarchy has an interactive pro of system�
This technique played a pivotal role in the recent pro ofs that IP�PSPACE �S� and that MIP�NEXP
�BFL��
� Intro duction
NP can b e viewed as the set of languages L with this prop erty� there is a deterministic p olynomial�time
veri�er �Vanna� and an in�nitely�p owerful prover �Pat� such that for all x� if x is in L� then in p olynomial
time Pat can p ersuade Vanna that x is in L� and if x is not in L� then no prover �Pat or any other�
can p ersuade Vanna that x is in L� Pat and Vanna communicate on a two�way channel �though two�way
communication is not necessary here�� For example� Pat can convince Vanna that a graph G is ��colorable
by exhibiting a ��coloring� If G is not ��colorable� no prover will ever succeed in p ersuading Vanna that G
is ��colorable� �Of course� co�NP�complete languages are not thought to b e in NP� No prover is known who
can convince a skeptical deterministic veri�er that G is not ��colorable� if it is not ��colorable��
We can extend this idea of �provability� by allowing Vanna to �ip coins and by requiring instead that if
x is in L� with probability at least ��� Pat p ersuades Vanna that x is in L� and if x is not in L� no prover
can convince Vanna that x is in L with probability more than ���� Babai �B� and Goldwasser� Micali and
Racko� �GMR� develop ed this interactive proof system mo del� A summary of previous results on interactive
pro of systems can b e found in �BM��
While certain problems such as graph non�isomorphism which are not known to b e in NP were known
to have interactive pro of systems �GMW�� theoretical computer scientists generally b elieved that the class
�
�
Supp orted by a fellowship from the University of Arhus�
y
Supp orted by NSF grant CCR���������
z
Supp orted by NSF grant CCR���������
x
Some of this work was p erformed at MIT and supp orted by NSF grant CCR������� and ARO grant DLL������K����� �
IP of languages accepted by interactive pro of systems was not much larger than NP� In particular� it was
b elieved that co�NP�complete languages did not have interactive pro of systems�
We prove that interactive pro of systems have far greater p ower than originally b elieved� Our main result
is an interactive pro of system for the language f�A� s�js is the p ermanent of ��� matrix Ag� When combined
with the fact that the p ermanent of ��� matrices is �P�complete �V� and the fact that �P is hard for the
p olynomial�time hierarchy �T�� the existence of an interactive pro of system for the p ermanent implies that
every language in the p olynomial�time hierarchy has an interactive pro of system� In particular� this means
that every language in co�NP has an interactive pro of system� even the complement of ��COLORABILITY�
for example�
For the pro of we develop a new technique for reducing the problem of verifying the value of a low�degree
p olynomial at two given p oints to verifying the value at one new p oint� Shamir �S� has used this technique
to prove that all languages in PSPACE have interactive pro of systems� From the fact that IP�PSPACE �F��
it follows that IP�PSPACE� Babai� Fortnow and Lund �BFL� have also used this technique in their pro of
that every language in nondeterministic exp onential time has a two�prover interactive pro of system in which
the provers cannot communicate with one another�
Our results also have implications for program checking� veri�cation and self�correction in the context of
Blum and Kannan �BK �� Blum� Luby and Rubinfeld �BLR� and Lipton �L�� In fact� the Blum�Luby�Rubinfeld
and Lipton pap ers inspired our result�
Our result do es not relativize� Fortnow and Sipser �FS� have created an oracle under which co�NP
do es not have an interactive pro of system� To our knowledge this is the �rst result to �go contrary� to a
previously�published oracle� Subsequent to the announcement of our result� Chor� Goldreich and H�astad
�CGH� proved the same relativized result for a random oracle�
� De�nitions
A veri�er V is a p olynomial�time� probabilistic Turing machine with a sp ecial communication tap e� A prover
� �
P is an arbitrary map f from each �nite sequence x� q � q � q � ���� where x � f�� �g and each q � f�� �g � to
1 2 3 i
a ��� string�
�
The computation pro ceeds as follows� Both P and V get x � f�� �g � V then computes for a while� and
�
writes a query q � f�� �g on her communication tap e� P resp onds by replacing the q with f �x� q �� V
1 1 1
�
computes� overwrites f �x� q � with a query q � f�� �g � and awaits P �s resp onse� f �x� q � q �� This pro cess
1 2 1 2
continues until V halts and accepts or rejects x� A round is a query from V followed by a resp onse from P �
�
The pair �P � V � forms an interactive proof system for a language L if for all x � f�� �g �
2
�� If x � L� then Pr �V accepts input x when interacting with P � � �
3
1
� �
�� If x �� L� then for all provers P � Pr�V accepts x when interacting with P � � �
3
IP is the class of all languages which have interactive pro of systems�
�
The class �P consists of all functions f � f�� �g � IN for which there exists a p olynomial�time� nonde�
terministic Turing machine M such that for all inputs x� the numb er of accepting computations of M on x
�P
equals f �x�� P is the class of languages recognized by a p olynomial�time oracle Turing machine with an �
oracle for some function f in �P� Given x� the oracle Turing machine can learn f �x� in one time step by
querying its oracle�
� The Proto col
We will prove
�P
Theorem �� Every language in P has an interactive pro of system�
�P
Together with To da�s result that P contains all the languages of the p olynomial�time hierarchy �T��
Theorem � implies
Corollary �� Every language in the p olynomial�time hierarchy has an interactive pro of system� In partic�
ular� every language in co�NP has an interactive pro of system�
We list some facts ab out the p ermanent of a matrix A that will b e crucial in the pro of of Theorem �� If
P
a a � � � a � where the sum is over all p ermutations A � �a � is r � r � the permanent p er �A� �
ij
1� (1) 2� (2) r � (r )
�
P
� of f�� �� ���� r g� We can equivalently de�ne the p ermanent recursively as p er �A� � a � p er �A �
1i
1ji
1�i�r
where A � the ��� i��minor of A� is the matrix A without the �rst row and the ith column� The numb er of
1ji
p erfect matchings in an N �b oy� N �girl bipartite graph G is equal to the p ermanent of G�s adjacency matrix�
We will exhibit an interactive pro of system for verifying the p ermanent of a ��� matrix� The following
lemma implies that this is su�cient to prove Theorem ��
Lemma �� If L � f�A� s�jA is a ��� matrix and p er�A� � s g has an interactive pro of system� then every
�P
language in P has an interactive pro of system�
Pro of Sketch� From the fact that computing the p ermanent of ��� matrices is �P�complete �V�� we can
�P
�
reduce the memb ership problem for a language L � P to that of verifying the p ermanents of ��� matrices�
�
Given an interactive pro of system for L� it is easy to construct one for L �
Throughout most of this pap er we will work with the p ermanent over ZZ of an N � N matrix A with
p
entries in ZZ � where p is a prime in �N �� �N ��� �Bertrand�s Postulate �NZ� guarantees the existence of such
p
a prime�� If A is ���� then the p ermanent of A over ZZ coincides with its p ermanent as an integer matrix�
p
since the p ermanent of an N � N ��� matrix cannot exceed N �� We use the crucial fact that if B is an r � r
matrix over ZZ whose entries are linear p olynomials over ZZ � then p er �B � is a p olynomial of degree at most
p p
r over ZZ � Compared to p� any r � N is minuscule�
p
The veri�er Vanna will use this fact to �trip up� a cheating prover� She will maintain a list of pairs
L �� �B � q �� �B � q �� ���� �B � q � �� where the B �s are square matrices of the same size and q � ZZ �
1 1 2 2 t t i i p
Initially L �� �A� s� �� If s � p er �A�� then a prover who truthfully answers all of Vanna�s questions will
induce Vanna eventually to shrink the list to a single pair �B � q �� where B is � � � and q � p er �B �� At that
p oint Vanna will correctly accept the input�
If s � p er �A�� then however the prover answers Vanna�s questions� with very high probability Vanna will
maintain this �invariant�� the list contains at least one pair �B � q � such that q � p er �B �� ��Invariant�
i i i i
app ears in quotes b ecause with extremely low probability� at some p oint every q might equal p er �B ���
i i
When the list shrinks to one pair �B � q � where B is � � � and q � p er �B �� Vanna will reject the input �if not
earlier�� �
How Vanna manipulates the list is the crux of the proto col� When L ���B � q �� �B � �b �� � � i� j � r �
ij
and r � ��� for each i � �� �� ���� r � Vanna constructs the minor B � B � asks Pat for the p ermanent of B �
i i
1ji
P P
r r
and gets q in return� Vanna checks that q � b q � if not� she halts and rejects� If q � b q � she
i 1i i 1i i
i=1 i=1
expands L by replacing L by ��B � q �� �B � q �� ���� �B � q ��� Provided that q � p er �B �� q � p er �B � for
1 1 2 2 r r i i
some i�
When the list has more than one pair� Vanna shrinks the list by replacing the �rst two pairs �C � c�� �D � d�
by a new pair �E � e�� in the following way� The function f �x� � p er �C � x�D � C �� is a p olynomial of degree
at most r over ZZ � Vanna asks Pat for the r � � co e�cients of f and constructs a p olynomial g from the
p
resp onses� �Or Vanna could just ask for the value of f at r � � arbitrary p oints and interp olate herself�� If
g ��� � c or g ��� � d� Vanna rejects�
1
Vanna now uniformly cho oses a random a � ZZ � sends it to Pat� constructs E � C � a�D � C � and
p
e � g �a�� and replaces the pairs �C � c�� �D � d� in L by the one pair �E � e�� The crucial fact is that if c � p er �C �
or d � p er �D �� then with probability at least � � r �p� p er �E � � e� This follows from Lemma ��
Lemma �� Let C and D b e r � r matrices over ZZ � Let g b e a p olynomial of degree at most r over ZZ
p p
such that either g ��� � p er �C � or g ��� � p er �D �� Then if a is chosen uniformly at random from ZZ �
p
r
Pr�p er �C � a�D � C �� � g �a�� � �
p
Pro of� Let f �x� � p er �C � x�D � C ��� a p olynomial of degree at most r over ZZ � Since f ��� � p er �C � and
p
f ��� � p er �D �� clearly f � g � But two nonidentical p olynomials of degree at most r over ZZ can coincide
p
on at most r p oints� It follows that there are at most r values a such that
g �a� � f �a� � p er �C � a�D � C ���
If L �� �B � q �� �B � q �� ���� �B � q � � and at least one i satis�es p er �B � � q � then with very high
1 1 2 2 t t i i
probability� after t � � shrinkings L will consist of one pair �H � h� with h � p er �H �� The idea� then� is to
replace the initial list L ���A� s�� by lists of smaller and smaller matrices� until eventually L ���B � q ��
where B is � � �� If q � p er�B ��a condition Vanna can easily test�Vanna will reject� Otherwise she�ll
accept�
How likely is it that Vanna will b e able to maintain the �invariant�� A sequence of one expansion step
� � �
followed by r � � shrinking steps will replace L ���B � q ��� where B is r � r � by L ���B � q ��� where B is
2
�r � �� � �r � ��� Thus fewer than N steps �of either kind� su�ce to reduce L ���A� s�� to L ���B � q ���
where B is � � �� It follows that the probability that a cheating prover can induce Vanna to erroneously
2
accept �A� s� is less than N times the minuscule probability �at most N �p� that a given expand or shrink
step �rst violates the �invariant��
Now we give the full pro of of Theorem ��
Pro of of Theorem �� By Lemma �� it su�ces to exhibit an interactive pro of system for
L � f�A� s�jA is a ��� matrix and p er�A� � s g�
1
Throughout the pap er� we will assume that Vanna can cho ose elements of ZZ uniformly at random� despite the fact that
p
she can only pick bits uniformly at random� In reality� she will pick integers a uniformly at random from f�� �� �� ���� M � �g�
where M is the least p ower of two exceeding p� until one is less than p� If enough trials fail to �nd an a less than p� she will
just halt and accept x� This increases the probability of erroneously accepting an x �� L only slightly� �
Here is a formal description of the proto col� A is an N � N ��� matrix and � � s � N ��
b egin
Let L �� �A� s� �� Pat picks an integer p in �N �� �N �� and provides a short pro of to Vanna that p is
prime �Pr�� All arithmetic in this proto col is done mo d p�
Rep eat until L ���B � q �� for some � � � matrix B �
If L ���B � q �� then do
Expand� Supp ose that B � �b � is r � r � Vanna constructs B � B for � � i � r � She asks Pat for
ij i
1ji
P
r
the p ermanents of B � � � i � r � and gets q for the p ermanent of B � If b q � q � Vanna rejects�
i i i 1i i
i=1
Otherwise� she sets L � � �B � q �� �B � q �� ���� �B � q ���
1 1 2 2 r r
Else �L has two or more pairs� do
Shrink� Vanna cho oses the �rst two pairs �C � c� and �D � d� from L� asks Pat for the r � � co e�cients
of f �x� � p er �C � x�D � C �� �where C and D are r � r �� and constructs g �x� from them� If g ��� � c
or g ��� � d� Vanna rejects� Otherwise� she cho oses a random a � ZZ � sends it to Pat� and replaces the
p
pairs �C � c�� �D � d� in L by �C � a�D � C �� g �a���
When L ���B � q �� and B is � � �� Vanna accepts if q � p er �B � and rejects if q � p er �B ��
end�
The proto col contains exactly N � � Expand steps and �N � �� � �N � �� � � � � � � � � Shrink steps if
Vanna accepts �A� s��
We will prove�
��� There is a prover Pat such that for all N and all N � N ��� matrices A� if s � p er �A� then
Pr�Vanna accepts �A� s�� � ��
3
��� If s � p er �A�� then for all provers� Pr �Vanna accepts �A� s�� � N �p � ��� �if N � ���
It is easy to see that a prover who truthfully answers all of Vanna�s questions when p er �A� � s induces
Vanna with probability one to reduce L to � �B � q � � with B � � � and q � p er �B �� At this p oint Vanna
accepts� This completes the pro of of ����
For ���� let s � p er �A�� Fix any prover Pat� If Vanna accepts �A� s�� then at some time L �� �B � q � �
with q � p er �B �� initially L �� �A� s� � with s � p er �A�� We say that Pat succeeds in iteration m if the
rep eat lo op is executed in full at least m times� and
q � p er �B � for all �B � q � in L
�rst o ccurs just after the rep eat lo op has b een executed exactly m times� Pat succeeds in some iteration
2
if Vanna accepts� Since there are only N � �N � �� � � � � � � � N iterations� it su�ces to prove that
Pr�Pat succeeds in iteration m� � N �p�
Fix an m� Without loss of generality� we may assume that Pat never induces Vanna to reject until L
consists of only one pair� in which the matrix is � � �� �Otherwise� we may replace Pat by another prover
�
Pat who� instead of inducing Vanna to reject early� answers the remaining questions in a way consistent
with his earlier resp onses� as long as p ossible� Against such a prover Vanna will not halt until the last stage
�
of the proto col� The probability that Pat succeeds in iteration m is no greater than the probability that Pat �
do es��
Pat simply cannot succeed in an Expand step� if L � � �B � q � � with q � p er �B � b ecomes L �
� �B � q �� ���� �B � q �� with q � p er �B � for all i� Vanna immediately rejects�
1 1 r r i i
If iteration m is a Shrink step� L contains �C � c� and �D � d� b efore the step and �E � e� afterward� If
c � p er �C � and d � p er �D �� then L contained a pair �H � h� with h � p er �H �� It still do es� So we may
assume that either c � p er �C � or d � p er �D �� In this case Lemma � tells us that Pr�e � p er �E �� � N �p�
Thus
N
Pr�Pat succeeds in iteration m� � �
p
� Extensions
2
The proto col ab ove requires ��N � rounds of prover�veri�er communication when the input matrix is N � N �
Babai has suggested the following scheme to reduce the numb er of rounds to O �N �� His idea makes it p ossible
�
to shrink a list L with r pairs into a list L with one pair in one round� For � � i � r � let
Y
�x � j �
� f �x� �
i
�i � j �
j :j �=i�1�j �r
Note that f �x� is a p olynomial over ZZ of degree r � � with f �i� � �� and if j � i� then f �j � � �� Let
i p i i
P
r
f �x�B � The matrix C �x� has entries consisting L ���B � q �� �B � q �� ���� �B � q �� and de�ne C �x� �
i i 1 1 2 2 r r
i=1
of p olynomials of degree at most r � �� Now f �x� � p er �C �x�� is a p olynomial of degree at most r �r � ��
with f �i� � p er �C �i�� � p er�B � for all i� � � i � r � This gives us an alternative Shrink pro cedure�
i
Shrink� Vanna asks Pat for the r �r � �� � � co e�cients of f �x� � p er �C �x�� and constructs g �x� from
them� If g �i� � q for some � � i � r � then Vanna rejects� Otherwise� she cho oses a random a � ZZ � sends
i p
it to Pat and replaces L by ��C �a�� g �a��� �
The pro of of correctness is similar to that of Theorem � and is omitted here�
Because the numb er of rounds of an interactive pro of system can b e reduced by a constant factor �BM��
for any � � � there is a variant of our p ermanent proto col running in at most �N rounds� A b ounded�round
proto col for the p ermanent would imply that the p olynomial�time hierarchy collapses� since Boppana� H�astad
and Zachos �BHZ� have shown that if all co�NP languages have b ounded�round proto cols� then the hierarchy
collapses� To our knowledge this is the �rst example of an interactive pro of system that app ears to require
an unb ounded numb er of rounds�
Babai and Fortnow �BF� and Shamir �S� have provided alternate interactive pro of systems for verifying the
values of �P functions by counting the numb er of assignments satisfying a CNF formula� thus circumventing
the need for Valiant�s result on the completeness of the p ermanent� They have shown how to �arithmetize�
a formula as a low�degree p olynomial so that Pat and Vanna can use a proto col similar to that of Section �
to verify the numb er of satisfying assignments�
Shamir �S� has shown how to arithmetize a QBF formula� using dummy variables to keep the degree
low� Using a proto col similar to that in Section �� he then proves that every language in PSPACE has an
interactive pro of system� Shen �Sh� later provided a �degree�reduction op erator� as an alternate technique
to keep the degree low�
Babai� Fortnow and Lund �BFL� have applied the techniques of this pap er to multiple�prover interactive �
pro of systems� de�ned by Ben�Or� Goldwasser� Kilian and Wigderson �BGKW� as interactive pro of systems
having a p olynomial numb er of provers unable to communicate among themselves or to see the conversation
b etween any other prover and the veri�er� Babai� Fortnow and Lund have proven that any language com�
putable in nondeterministic exp onential time has a multiple�prover interactive pro of system� Their pro of
uses ideas similar to those of �BF� and �S� in order to reduce the problem to that of testing the multilinearity
of a function�
Cai� Condon and Lipton �CCL� have used the proto cols of this pap er and of Shamir �S� to prove that
every PSPACE language has a b ounded�round multiple�prover interactive pro of system�
Fortnow and Lund �FL� have extended the techniques from this and Shamir�s pap er �S� to exhibit a
p olynomial equivalence b etween time�space complexity of alternating Turing machines and the time�space
complexity of the veri�er in a public�coin interactive pro of system� In particular� they prove that every
language in NC has a interactive pro of system with a public�coin� p olynomial�time� logarithmic�space veri�er�
� Implications
Goldwasser and Sipser �GS� have shown that one can convert any interactive pro of system to one in which
the veri�er uses public coins� i�e�� the veri�er juxtap oses her coin tosses and her query message q on her
i
communication tap e� Furer� Goldreich� Mansour� Sipser and Zachos �FGMSZ� have shown how to mo dify
an interactive pro of system so that for true instances the veri�er is convinced with probability one� Both of
these prop erties already hold for our proto col�
Some simple corollaries that follow from these results�
Corollary �� If cryptographic one�way functions exist then every language in the p olynomial�time hierar�
chy has a zero�knowledge interactive pro of system�
Pro of� Every language with an interactive pro of system has a zero�knowledge interactive pro of system if
one�way functions exist �BGGHKMR� IY ��
From Shamir �S�� we infer that all languages computable in p olynomial space have zero�knowledge inter�
active pro of systems if cryptographic one�way functions exist�
Corollary �� If every language in IP has a b ounded�round interactive pro of system� then the p olynomial�
time hierarchy collapses�
This is immediate from Boppana� H�astad and Zachos �BHZ �� Previously Aiello� Goldwasser and H�astad
�AGH� constructed an oracle relative to which the class of languages with unb ounded�round interactive pro of
systems di�ers from those with b ounded�round interactive pro of systems�
Our theorem also has applications to program checking� veri�cation and self�correction� Lipton �L�� using
ideas of Beaver and Feigenbaum �BeF�� showed that the p ermanent function can b e �tested�� Our proto cols
extend this idea and show the p ermanent has a self�testing�correcting pair �BLR�� a pair of functions the
�rst of which veri�es that a program computes the p ermanent correctly on most inputs and the second of
which converts a program that passes the �rst test into one that correctly computes the p ermanent on all
inputs with high probability�
Theorem � also provides a program correctness checker �BK� for the p ermanent� �
Corollary �� There exists a probabilistic p olynomial�time machine M that given access to a program P
and a matrix A� will output with a high degree of con�dence either �P outputs the correct value of the
p ermanent of A� or �P do es not correctly compute the p ermanent of some matrix��
Pro of� In the pro of of Theorem � the prover need only answer questions ab out the p ermanents of various
matrices� We can have M simulate the veri�er and use P as the prover�
A further discussion of the relationship b etween interactive pro of systems and program testing can b e
found in �BFL��
MA is the class of languages accepted by an interactive pro of system consisting of a single message from
the prover to the veri�er followed by probabilistic veri�cation by the veri�er� We can think of this class as
the set of �publishable pro ofs�� �pro ofs� that can b e written down now and randomly veri�ed years later
P P
without any help from the prover� Babai has proven that MA� � � � �B�� Corollary � implies that if �P
2 2
�P
has p olynomial�size circuits� then P � and hence the p olynomial�time hierarchy� lies in MA�
�P
Corollary �� If �P has p olynomial�size circuits then P � MA�
Pro of� The prover gives the veri�er a circuit computing the p ermanent� She uses this circuit as the prover
in the proto col in Section ��
A general discussion of Corollary � app ears in �BFL� where it is shown that a similar result holds for
PSPACE and EXP� Contrast Corollary � with the result of Karp and Lipton �KL� that if NP has p olynomial�
P
size circuits� then the p olynomial�time hierarchy collapses to � �
2
� Further Research
We have proven that every language reducible to a �P�complete problem has an interactive pro of system�
and thus so do es every language in the p olynomial�time hierarchy� In particular� every language in co�NP has
an interactive pro of system� However� even for a co�NP�complete language� in the proto col ab ove the prover
must answer �P�complete questions� Is there an interactive pro of system for co�SAT where the prover need
only answer questions ab out the satis�ability of CNF formulas� Such a pro of system would give an instance
checker for NP�complete languages�
We b elieve that one should study why this result do es not relativize� One simple answer is that we have
exhibited an interactive pro of system for a very sp eci�c �P�complete function�the p ermanent�which is not
�P�complete relative to any su�ciently complex oracle �since the p ermanent do es not dep end on the oracle��
Babai and Fortnow �BF� have exhibited a simple characterization of �P functions by p olynomials and have
used this characterization to prove the main theorem of this pap er without any reference to p ermanents�
This algebraic formulation of �P do es not hold in relativized worlds� Studying the algebraic structure of
well�known complexity classes may lead to yet more exciting relationships among them�
References
�AGH� W� Aiello� S� Goldwasser� and J� H�astad� On the p ower of interaction� Combinatorica� ��������
��� ����� �
�B� L� Babai� Trading group theory for randomness� In Proc� of the ��th ACM Symp� on the
Theory of Computing� pages �������� �����
�BeF� D� Beaver and J� Feigenbaum� Hiding instances in multioracle queries� In Proc� �th Symp� on
Theoretical Aspects of Comp� Sci� LNCS ���������� �����
�BF� L� Babai and L� Fortnow� Arithmetization� a new metho d in structural complexity theory�
Computational Complexity� �������� �����
�BFL� L� Babai� L� Fortnow� and C� Lund� Non�deterministic exp onential time has two�prover in�
teractive proto cols� Computational Complexity� ������� �����
�BGGHKMR� M� Ben�Or� O� Goldreich� S� Goldwasser� J� H�astad� J� Kilian� S� Micali� and P� Rogaway�
Everything provable is provable in zero�knowledge� In Proc� Crypto ��� pages ������ �����
�BGKW� M� Ben�Or� S� Goldwasser� J� Kilian� and A� Wigderson� Multi�prover interactive pro ofs�
How to remove intractability assumptions� In Proc� of the ��th ACM Symp� on the Theory of
Computing� pages �������� �����
�BHZ� R� Boppana� J� H�astad� and S� Zachos� Do es co�NP have short interactive pro ofs� Information
Processing Letters� �������������� �����
�BK� M� Blum and S� Kannan� Designing programs that check their work� In Proc� of the ��st ACM
Symp� on the Theory of Computing� pages ������ �����
�BLR� M� Blum� M� Luby� and R� Rubinfeld� Self�testing and self�correcting programs� with applica�
tions to numerical programs� In Proc� of the ��nd ACM Symp� on the Theory of Computing�
�����
�BM� L� Babai and S� Moran� Arthur�Merlin games� a randomized pro of system� and a hierarchy
of complexity classes� J� of Computer and System Sciences� �������������� �����
�C� S� Co ok� The complexity of theorem�proving pro cedures� In Proc� of the �rd ACM Symp� on
the Theory of Computing� pages �������� �����
�CCL� J� Cai� A� Condon� and R� J� Lipton� PSPACE is provable by two provers in one round� In
Proc� of the �th Conference on Structure in Complexity Theory� pages �������� �����
�CGH� B� Chor� O� Goldreich� and J� H�astad� The random oracle hyp othesis is false� Manuscript�
Technion� Haifa� Israel� �����
�F� P� Feldman� The optimum prover lives in PSPACE� Manuscript� M�I�T�� �����
�FGMSZ� M� Furer� O� Goldreich� Y� Mansour� M� Sipser� and S� Zachos� On completeness and soundness
in interactive pro of systems� In S� Micali� editor� Randomness and Computation� volume � of
Advances in Computing Research� pages �������� JAI Press� �����
�FL� L� Fortnow and C� Lund� Interactive pro of systems and alternating time�space complexity� In
Proc� �th Symp� on Theoretical Aspects of Comp� Sci� LNCS ������������ ����� To app ear
in Theoretical Computer Science�
�FRS� L� Fortnow� J� Romp el� and M� Sipser� On the p ower of multi�prover interactive proto cols� In
Proc� of the �rd Conference on Structure in Complexity Theory� pages �������� ����� �
�FS� L� Fortnow and M� Sipser� Are there interactive proto cols for co�NP languages� Information
Processing Letters� ����������� �����
�GMR� S� Goldwasser� S� Micali� and C� Racko�� The knowledge complexity of interactive pro of�
systems� SIAM J� on Computing� �������������� �����
�GMW� O� Goldreich� S� Micali� and A� Wigderson� Pro ofs that yield nothing but their validity and
a metho dology of cryptographic proto col design� In Proc� of the ��th IEEE Symp� on Foun�
dations of Computer Science� pages �������� �����
�GS� S� Goldwasser and M� Sipser� Private coins versus public coins in interactive pro of systems�
In S� Micali� editor� Randomness and Computation� volume � of Advances in Computing
Research� pages ������ JAI Press� �����
�IY� R� Impagliazzo and M� Yung� Direct minimum�knowledge computation� In Proc� Crypto ���
pages ������ LNCS ���� �����
�KL� R� Karp and R� Lipton� Some connections b etween nonuniform and uniform complexity
classes� In Proc� of the ��th ACM Symp� on the Theory of Computing� pages �������� �����
�L� R� Lipton� New directions in testing� In J� Feigenbaum and M� Merritt� editors� Distributed
Computing and Cryptography� volume � of DIMACS Series in Discrete Mathematics and
Theoretical Computer Science� pages �������� American Mathematical So ciety� �����
�NZ� I� Niven and H� S� Zuckerman� An introduction to the theory of numbers� John Wiley and
Sons� New York� �th edition� pages �������� �����
�Pr� V� Pratt� Every prime has a succinct certi�cate� SIAM J� Comp� ���������� �����
�S� A� Shamir� IP�PSPACE� In Proc� of the ��st IEEE Symp� on Foundations of Computer
Science� pages ������ �����
�Sh� A� Shen� IP�PSPACE� simpli�ed pro of� Manuscript� Institute of Problems of Information
Transmission� Moscow� USSR� �����
�Si� J� Simon� On some central problems in computational complexity� PhD thesis� Cornell Uni�
versity� Computer Science� ����� Tech Rep ort TR �������
�SS� R� Solovay and V� Strassen� A fast Monte�Carlo test for primality� SIAM J� of Computing�
�������� ����� See also erratum ������ �����
�T� S� To da� On the computational p ower of PP and �P� In Proc� of the ��th IEEE Symp� on
Foundations of Computer Science� pages �������� �����
�V� L� Valiant� The complexity of computing the p ermanent� Theoretical Computer Science� ������
���� ����� ��