On the of

Interactive Proofs with Bounded Communication



Johan Hastad

Department of Science Department of Computer Science

Weizmann Institute of Science Royal Institute of Technology

Rehovot, Israel Stockholm, Sweden

odedwisdomweizmannil johanhnadakthse

November

Abstract

We investigate the of languages which have interactive proof systems of bounded message complexity. In particular, denoting the length of the input by n, we show that

• If has an interactive proof in which the total communication is bounded by c(n) bits then L can be recognized by a probabilistic machine in time exponential in O cn logn

• If L has a public-coin interactive proof in which the prover sends c(n) bits then L can be recognized by a probabilistic machine in time exponential in O cn logcn logn

• If L has an interactive proof in which the prover sends c(n) bits then L can be recognized by a probabilistic machine with an NP-oracle in time exponential in O cn logcn logn



Work done while being on a sabbatical leave at LCS, MIT.

Introduction

Proof systems are defined in terms of their verification procedures. The notion of a verification procedure assumes the notion of computation and furthermore the notion of efficient computation. This implicit assumption is made explicit in the definition of NP, in which efficient computation is associated with deterministic polynomial-time. In light of the growing acceptability of randomized and distributed computations, it is only natural to associate the notion of efficient computation with probabilistic and interactive polynomial-time computations. This leads to the notion of an interactive proof system cf in which the verification procedure is interactive and randomized, rather than being non-interactive and deterministic. Intuitively, one may think of this interaction as consisting of tricky questions asked by the verifier, to which the prover has to reply convincingly. The last sentence, as well as the definition, makes explicit reference to a prover, whereas a prover is only implicit in the traditional definitions of proof systems (e.g., NP-proofs).

The actual definition of interactive proof systems suggests probabilistic interpretations to the traditional notions of completeness and soundness associated with any proof system. Specifically, statistical soundness requires that there exists no strategy which makes the verifier accept false statements with probability greater than say A further relaxation of this soundness condition is the notion of computational soundness. Here it is only required that there exists no efficient strategy which makes the verifier accept false statements with probability greater than The difference between statistical soundness and computational soundness translates to a difference between interactive proof systems as defined by Goldwasser, Micali and Rackoff and computationally-sound proof systems (a.k.a. argument systems) as defined by Brassard, Chaum and Crepeau.

A significant difference between interactive proof systems and computationally-sound proof systems has been observed in the domain of zero-knowledge. On one hand, it is widely believed that not all languages in NP have perfect zero-knowledge interactive proofs cf In particular, the of this conjecture implies the collapse of the polynomial-time hierarchy cf On the other hand, assuming that factoring is hard, all languages in NP have perfect zero-knowledge computationally-sound proofs

Our aim in this note is to point out another significant difference between interactive proof systems and computationally-sound proof systems. Specifically, we refer to the expressive power of the two types of proof systems when bounding their message complexity, i.e., the number of bits sent throughout the interaction. We will confront known positive results regarding the expressive power of computationally-sound proof systems of bounded message complexity with new negative results regarding the expressive power of interactive proof systems of the same message complexity.

Computationally-sound proofs of bounded message complexity. In Kilian demonstrated that computationally-sound proof systems may be able to recognize any language in NP while using only polylogarithmic message complexity. Specifically, assuming the existence of hashing functions for which collisions cannot be found by subexponential-size circuits, Kilian showed that any language in NP has a computationally-sound proof system in which both the bi-directional message complexity and the randomness complexity are polylogarithmic. Furthermore, this proof system is in the public-coins (a.k.a. Arthur-Merlin) model of Babai

1 Perfect zero-knowledge is a strict variant of zero-knowledge. The above stated belief does not refer to the more relaxed notion of zero-knowledge (a.k.a. computational zero-knowledge). In fact, assuming the existence of commitment schemes, all languages in NP do have computational zero-knowledge interactive proofs

Interactive proofs of bounded message complexity. Our first observation indicates that Kilian's result, as stated above, is unlikely for interactive proof (rather than computationally-sound) systems. It shows that if we bound the message and randomness complexity as in Kilian's result (i.e., to be polylogarithmic) then interactive proofs may exist only for languages in the class Quasi-Polynomial Time (i.e., Dtime poly log). We note that Quasi-Polynomial Time is widely believed not to contain NP.

Theorem (interactive proofs with bounded message and randomness): Let c be

an integer and L f g Suppose that L has an in which both the

O c

randomness and communication complexities are bounded by c Then L Dtime poly

Theorem is the starting point of our investigation. Its proof is facilitated by the fact that the hypothesis contains a bound on the randomness complexity of the verifier. However, what we consider fundamental in Kilian's result is the message complexity Thus, we wish to waive the extra hypothesis. In fact, waiving the bound on the randomness complexity, we obtain a very similar result.

Theorem (interactive proofs with bounded message complexity): Let c be an integer function

and L f g Suppose that L has an interactive proof system in which the communication

O c

complexity is bounded by c Then L BPtime poly

Theorem refers to interactive proof systems in which the bidirectional communication complexity is bounded. However, it seems that the more fundamental parameter is the unidirectional communication complexity in the prover-to-verifier direction. In fact, waiving also the bound on the verifier's message length, we obtain a similar result for the special case of public-coin (Arthur-Merlin) interactive proof systems. Namely,

Theorem (public-coin interactive proofs with bounded prover-messages): Let c be an integer

function and L f g Suppose that L has a public-coin interactive proof system in which the

O c log c

total number of bits sent by the prover is bounded by c Then L BPtime poly

Theorem may not hold for general interactive proofs, and if it does this may be hard to establish. The reason being that supposedly hard languages such as Quadratic Non-Residuosity and Graph Non-Isomorphism have interactive proof systems in which the prover sends a single bit. Thus, we are currently content with a weaker result.

Theorem (interactive proofs with bounded prover-messages): Let c be an integer function

and L f g Suppose that L has an interactive proof system in which the total number of bits

O c log c NP

sent by the prover is bounded by c Then L BPtime poly

Formal Treatment

We assume that the reader is familiar with the basic definitions of interactive proofs as introduced by Goldwasser, Micali and Rackoff and Babai Here we merely recall them, while focusing on some parameters. In particular, we use the more liberal two-sided error versions; this only makes our results stronger.

2 Recall that Kilian's proof system is of the public-coin type.

Interactive Proof Systems and Parameters

Definition (interactive proof systems):

An interactive proof system for a language L is a pair P V of interactive machines that V is probabilistic polynomial-time, satisfying

Completeness: For every x L the verifier V accepts with probability at least after interacting with P on common input x

Soundness: For every x L and every potential prover P the verifier V accepts with probability at most after interacting with P on common input x

An interactive proof system is said to be an Arthur-Merlin game if the verifier's message in each round consists of all coins it has tossed in this round.

Let m and r be integer functions. The IP m r (resp., AM m r) consists of languages having an interactive proof system (resp., an Arthur-Merlin proof system) in which, on common input x, the interaction consists of at most r(|x|) communication rounds during which the total number of bits sent from the prover to the verifier is bounded by m(|x|).

Our Results

For an integer function t, we let $\mathrm{BPtime}(t)$ (resp., $\mathrm{BPtime}^{\mathrm{NP}}(t)$) denote the class of languages recognizable by probabilistic t-time machines (resp., oracle machines with access to an oracle in NP) with error at most Our main result is

Proposition (interactive proofs with bounded message and round complexity):

O mr log r

AMm r BPtime poly

O mr log r NP

IP m r BPtime poly

Theorem follows from Part of Proposition, whereas Theorem follows from Part Theorems and will be proven directly, before proving Proposition The main ingredient in all our proofs are procedures for evaluating or approximating the value of the game tree of a proof system. This tree is defined next.

The Game Tree of a Proof System

Fixing a verifier V, we consider its interaction with a generic prover on any fixed common input, denoted x. The verifier's random choices can be thought of as corresponding to the contents of its random-tape, called the random-pad. We assume without loss of generality that V sends the first message and that the prover sends the last one. In each round, V's message is chosen depending on the history of the interaction so far and according to some probability distribution induced by V's local random-tape. The history so far corresponds to a fixed subset of possible random-pads, and the possible messages to be sent correspond to a partition of this subset. Thus, each possible message is sent with probability proportional to its part in this subset. The above description corresponds to general interactive proofs. In case of Arthur-Merlin games the situation is simpler: V merely tosses a predetermined (by history) number of coins and sends the outcome to the prover. As to the prover's messages, they are chosen arbitrarily, but are of length at most poly(|x|). The interaction goes on for at most poly(|x|) rounds, at which point the verifier stops, outputting either accept or reject. The messages exchanged till that point are called a transcript of the interaction between the prover and V.

To simplify the exposition, we augment the transcript of the interaction by V's random-pad. This way V's accept/reject decision is determined by the augmented transcript and the input x. This convention is not needed for Arthur-Merlin games.

The interaction between the prover and V, on common input x, may be viewed as a game in which the prover's objective is to maximize the probability that V accepts, and V's strategy is fixed but mixed (i.e., probabilistic). It is useful to consider the corresponding game tree.

Definition (the game tree and its value): Let V and x be fixed.

The tree $T_x$: The nodes in the tree, denoted $T_x$, correspond to possible prefixes of the interaction of V with an arbitrary prover. The root represents the empty interaction and is defined to be at level For every i the edges going out from each i th level node correspond to the messages V may send given the history so far. We know that V selects one of these edges/messages according to some predetermined (by the node) probability distribution. The edges going out from each i st level node correspond to the messages a prover may send given the history so far. The prover may select an edge/message so to maximize the accepting probability of V. Nodes which correspond to an execution on which V stops have as children one or more leaves, each corresponding to a possible V's random-pad which is consistent with the interaction represented in the father. Thus, leaves correspond to augmented transcripts as defined above.

The value of $T_x$: The value of the tree is defined bottom as follows. The value of a leaf is either or depending on whether V accepts in the augmented transcript represented by it or not. The value of an internal node at level i is defined as the weighted average of the values of its children, where the weights correspond to the probabilities of the various verifier messages. This definition holds also for the fathers of leaves when viewing V's random-pad as an auxiliary fictitious message sent by V. The value of an internal node at level i is defined as the maximum of the values of its children. This corresponds to the prover's strategy of trying to maximize V's accepting probability. The value of the tree is defined as the value of its root.

To decide if x is in the language accepted by V it suffices to approximate the value of the tree $T_x$ defined above. The reason being that the value of $T_x$ is a tight upper bound on the probability that V accepts x when interacting with any prover strategy. The bound is achievable by an optimal prover which indeed selects each message as to maximize V's acceptance probability. Thus, the value of $T_x$ is at least if x is in the language and at most otherwise. Thus, it suffices to approximate the value of $T_x$ within an additive term of Below we present various procedures for obtaining such approximations. The more restrictions we have on the proof system, the simpler the procedure is.

3 That is, we assume that for every partial history of the interaction, the number of coins tossed by the verifier is predetermined by the history of interaction so far. This assumption is more relaxed from what is typically assumed in the literature; i.e., typically it is assumed that the number of coin tosses may only depend on the round number or even is fixed for the entire interactive proof. Our results can be easily extended to the general case where the verifier may determine the number of coins tossed at each round depending on the outcome of previous coins tossed at this round.

Comment: It is easy to see that the optimal prover can be implemented in exp(poly(|x|))-time, since within this time one may construct the tree $T_x$ as well as compute the value of all its nodes. In fact, it is a well-known folklore that the optimal prover can be implemented in polynomial-space.

Proof of Theorem

We start with the simplest case where we have a bound $c \stackrel{\rm def}{=} c(|x|)$ on both the randomness and

message complexity of the interactive proof on input x. In this case the number of nodes in $T_x$

c

is at most since the product of fanout along any path from the root to a leaf is bounded

c c

by where the first factor is due to the actual transcript and the second to the number of

c

possible random-pads augmenting any of these. Thus we can construct $T_x$ in time poly(|x|)

and compute the value of each of its nodes within the same time. The theorem follows.

Proof of Theorem

Here we only have a bound $c \stackrel{\rm def}{=} c(|x|)$ on the message complexity of the interactive proof on input

c

x. In this case the number of internal nodes in $T_x$ is at most since the product of fanout

c

along any path from the root to a father of a leaf is bounded by However, $T_x$ itself may have

exponentially many leaves, i.e., each last-level internal node may have exp(poly(|x|)) many leaves

corresponding to possible random-pads consistent with the transcript represented by this node.

c

Our aim is to approximate the value of $T_x$ in time poly(|x|), so we cannot afford to construct $T_x$.

def

c

Instead, we take a sample of m c random-pads, denoted R, and evaluate the residual tree

$T_x^R$, which results from $T_x$ by omitting all nodes which are not consistent with some random-pad in

R. The weights in the tree $T_x^R$ are those induced by the various of R which are consistent

with the transcript represented by each node. We will show that, with very high probability, the

value of $T_x^R$ approximates the value of $T_x$. We note that the value of $T_x^R$ can be computed in time

proportional to its size (as done in previous subsection for $T_x$ itself), and that the size of $T_x^R$ is

c O c

bounded by |R| Thus, the theorem follows from the following lemma.

Lemma: Let V x m $T_x$ and $T_x^R$ be as above. Suppose that r r are uniformly and independently

m

chosen random-pads for V x and let R denote the multiset fr r g Then with

m

probability at least the value of $T_x^R$ is within of the value of $T_x$ where the probability is

taken uniformly over all possible choices of R

Proof: It is useful to consider a verifier, denoted $V^R$, which selects its random-pad uniformly

in R and otherwise acts as V does. Clearly, the value of $T_x^R$ represents a tight upper bound on the

accepting probability of $V^R$ interacting with any prover strategy on common input x.

Fixing any prover strategy, denoted P, we consider the difference between the accepting probabilities

of $V^R$ and V, when each interacts with P on common input x. Denote this difference by

m

R Using Chernoff Bound (see Appendix A), with probability at most over the choices

P

of R we have | R| Specifically, we consider random variables so that

P m i

R

if the i th random-pad in R (i.e., $r_i$) makes V accept x when interacting with P. Since each $r_i$

is uniformly selected among all possible random-pads of V, the expected value of each equals

i

the probability that V accepts x when interacting with P. Since the $r_i$'s are chosen independently,

the s are independent random variables. Finally, observe that the probability that $V^R$ accepts

i

x when interacting with P is a random variable which equals the average of the random variables

2

m

Thus applying Chernoff Bound indeed yields that with probability at most

m

over the choices of R we have | R|

P

4 Such a verifier is not a standard interactive machine (as defined in Definition) but rather one having access to an oracle R.

Noting that provers are functions from histories to next-messages, we conclude that there are

c c

c c

at most possible provers (as both histories and next messages are of length at most

c bits). Thus, the probability that there exists a prover P such that | R| is at most

P

2 c c c

m c c c

c

where the probability is taken uniformly over all choices of R. The first inequality uses m c

The lemma follows.
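The sampling argument of this proof, as an added example that is not part of the original paper: it takes the Graph Non-Isomorphism verifier mentioned in the introduction (the prover sends a single bit), computes the exact value of $T_x$ over all random-pads, and compares it with the value of the residual tree $T_x^R$ built from a random multiset R of pads. The 4-vertex graphs, the function names, the sample size and the tolerance used below are assumptions made for this illustration.

```python
import itertools
import random
from collections import defaultdict
from fractions import Fraction

# Constructed inputs: edge lists of graphs on N = 4 vertices.
N = 4
PATH = [(0, 1), (1, 2), (2, 3)]              # path 0-1-2-3
PATH_RELABELLED = [(2, 0), (0, 3), (3, 1)]   # the same path with vertices renamed
STAR = [(0, 1), (0, 2), (0, 3)]              # star, not isomorphic to a path


def permute(edges, perm):
    """Apply a vertex permutation; return a canonical, hashable edge set."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in edges)


def all_pads():
    """Every random-pad of the verifier: a bit b and a vertex permutation."""
    return [(b, p) for b in (0, 1) for p in itertools.permutations(range(N))]


def verifier_message(x, pad):
    """Private-coin verifier: send a random relabelling of graph number b."""
    b, perm = pad
    return permute(x[b], perm)


def verifier_accepts(pad, reply):
    """Accept iff the prover's single bit names the graph that was permuted."""
    return reply == pad[0]


def tree_value(x, pads):
    """Value of the game tree restricted to the multiset `pads`.

    Verifier level: average over messages, each weighted by the fraction
    of pads consistent with it. Prover level: maximum over the two one-bit
    replies. Leaves: one per consistent pad, worth 1 iff the verifier accepts.
    """
    consistent_pads = defaultdict(list)
    for pad in pads:
        consistent_pads[verifier_message(x, pad)].append(pad)
    total = Fraction(0)
    for group in consistent_pads.values():
        best = max(
            Fraction(sum(verifier_accepts(p, reply) for p in group), len(group))
            for reply in (0, 1)
        )
        total += Fraction(len(group), len(pads)) * best
    return total


def exact_value(x):
    """Value of the full tree: every pad appears exactly once."""
    return tree_value(x, all_pads())


def sampled_value(x, m, rng):
    """Value of the residual tree for m pads drawn uniformly with repetition."""
    pads = all_pads()
    return tree_value(x, [rng.choice(pads) for _ in range(m)])


if __name__ == "__main__":
    rng = random.Random(0)
    for name, x in (("non-isomorphic", (PATH, STAR)),
                    ("isomorphic", (PATH, PATH_RELABELLED))):
        print(name, exact_value(x), float(sampled_value(x, 6000, rng)))
```

On the isomorphic pair the sampled value is never below the exact one and usually sits slightly above it, because the maximizing prover is optimized against the sample itself; this is why the lemma bounds the deviation for all provers at once rather than for one fixed prover.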

Proof of Proposition

Here we only have a bound on the unidirectional communication from the prover to the verifier. Specifically, let $m \stackrel{\rm def}{=} m(|x|)$ be a bound on the total number of bits sent by the prover to V on input x, and $r \stackrel{\rm def}{=} r(|x|)$ be a bound on the number of rounds in their interaction on x. Our goal is to approximate the value of $T_x$ within complexity related to m and r. Thus, the approach of the previous subsection, which used the assumption that $T_x$ has relatively few internal nodes, will not do. Instead, we are going to construct a representative subtree of $T_x$, which typically has very few of the internal nodes of $T_x$. We comment that the tree $T_x^R$ considered in the previous section may have all internal nodes of $T_x$, yet few of its leaves.

Motivation: The basic idea is that we do not need to consider all possible messages that V may send at a particular point in the interaction. Considering a random sample of these messages should suffice, since with very high probability the average accepting-probability over this sample provides a good approximation to the weighted average over all possible messages. The latter assertion holds provided we select the sample at random according to the weights assigned to the possible messages. Note that the argument holds with respect to V's messages, as these are selected by V at random, but cannot be applied to the prover's responses, which are selected to maximize V's accepting probability.

Back to the actual proof: For each even-level node in $T_x$ we select a random sample of m children, representing possible V messages on the partial transcript associated with this node. The sample is selected according to the weights mentioned in Definition (i.e., the probabilities of the various V's messages). Each sample point is selected independently of the others, and so the sample may contain several occurrences of the same node. At this point we ignore the question of how one may select such a sample. This is indeed easy if the interactive proof is of an Arthur-Merlin type, but in general this may be a hard task and an NP-oracle will be used to carry it out.

These samples, each per even-level node, define an approximation tree, denoted $A_x$, in which each odd-level node has the same children as in $T_x$, whereas each even-level node has poly(m) children. The value of the approximation tree is defined recursively as in Definition Specifically, the leaves of $A_x$ have the same value as in $T_x$, the value of odd-level nodes is the maximum of the value of their children, and the value of even-level nodes is the unweighted average of the values of their children. We stress that although the averages taken in the even-level nodes of $T_x$ may be weighted, the averages taken in $A_x$ are not. However, these weights have their effect in the randomized construction of $A_x$, as described above. The following lemma shows that the value of $A_x$ is a good approximation of the value of $T_x$. The lemma does not refer to the complexity of constructing $A_x$ (considered below).

Lemma (the value of $A_x$): With probability at least the value of the approximation tree $A_x$ is within away from the value of the corresponding game tree $T_x$, where the probability is taken uniformly over the random choices in the construction of $A_x$.

Proof: Let s m be the size of the sample used for each even-level node. We consider r

hybrid trees, denoted H $H_r$, so that $H_i$ consists of the first i levels of $A_x$ and the rest of

the levels taken from $T_x$. That is, each i th level node of $H_i$ is the root of the $T_x$ subtree rooted at

the corresponding node in $T_x$. Note that H $T_x$ and $H_r$ $A_x$ The value of $H_i$ is defined in the

natural manner; that is, the values of nodes at level below i are defined as in $T_x$ (the corresponding

edges going out of these even-level nodes have weights as in $T_x$) and the value of nodes in levels

i and less are defined as in $A_x$. We will show that for every i r with probability at

least the values of H and H are within of one another

i i

r r

th

Let us fix i and consider any i level node in H denoted f. Denote the children of this

i

node in H by c c and the weights associated with the edges leading to them by w w

i t t

Denote the value of c in H by val j Then by definition of values in H the value of f in H is

j i i i i

P

t

w val j as in $T_x$ We may view H as generated from H by taking a sample of s children

j i i i

j

th

of each i level node in H The children of the node corresponding to f in H are selected

i i

among the nodes corresponding to the $c_j$'s according to the weights $w_j$'s. We represent these s

choices by the random variables distributed in f tg Note that Prob j w

s k j

for every j t and k s As a function of each we consider the random variable

k

P

def

t

w val j Thus the value of the val The expected value of each equals

j i k i k k

j

node corresponding to f in H is a random variable which is the sum of s m independent

i

random variables (i.e., the s). Applying Chernoff bound we observe that with probability at

k

2

s

m

least exp the value of this node is within of its expected value

2

r r

P

t

th m i m r

i.e., w val j Since the number of i level node in H is at most s O m

j i i

j

2

m th

the values of all corresponding i we conclude that with probability at least

r r

level nodes of H and H are within of one another. In such a case the values of the roots

i i

r

of the trees H and H are within of one another. The lemma follows.

i i

r

The size of $A_x$: The total size of the approximation tree is

m r m r m r

poly m poly m poly r

m r m r m m r

where the last equality is proven as follows. In case m we have m poly r

m r m r m r m r

Otherwise we have m and so m r and m r poly r

Constructing $A_x$ in case of an Arthur-Merlin verifier: In this case it is easy to select uniformly a sample of children of any even-level node in $T_x$, as this amounts to selecting a sample of the verifier next messages, which are uniformly distributed in the set of strings of a predetermined length. Thus, we can construct $A_x$ top-down, probabilistically, in time related to its size (i.e.,

m r

poly r) and compute its value bottom-up within this time bound. Using Lemma Part of Proposition follows.

Constructing $A_x$ in the general case: In this case we use a Uniform Generation procedure (see Appendix B). Loosely speaking, this procedure allows to uniformly select an NP-witness for a given input in an NP-language. The procedure runs in probabilistic polynomial-time, using an NP-oracle. Here we use this procedure to uniformly select a random-pad for V consistent with a given partial transcript. Note that the set of possible pairs (x, t), where t is a partial transcript for V on input x, is an NP-language (with the random-pads acting as NP-witnesses). Thus, given any even-level node in $T_x$ (partial transcript), we can uniformly select a consistent random-pad, yielding a verifier next-message according to the right distribution. Thus, given access to an NP-oracle, we can construct $A_x$ top-down, probabilistically, in time related to its size (i.e.,

m r

poly r). Once we have constructed $A_x$ we compute its value bottom-up as before. Using Lemma Part of Proposition follows.

Conclusions and Open Problems

Our conclusion is that computationally-sound proof systems of low message complexity seem to be much more powerful than interactive proof systems of the same message complexity bound. We wonder whether the results of Theorems and can be improved. In particular,

Open Problem (relatively minor): Can the running-time bounds of the decision procedures provided by Theorems and be improved?

In particular, time bounds exponential in c, rather than in c log c, seem a natural goal.

cO

Note that there is little hope to go below time this would imply algorithms for any NP problem operating in time which is subexponential in the length of the NP-witness (as each problem in NP has a trivial interactive proof in which the prover sends an NP-witness to the verifier). On the other hand, recall that for interactive proofs with O c log c rounds we

c

do have poly time decision procedures (see Proposition).

Open Problem: Can the probabilistic NP of the conclusion of Theorem be replaced by a weaker process?

There seems to be little hope to replace the probabilistic NP-oracle machine by an ordinary probabilistic (or non-deterministic) machine of similar time-bounds, since languages for which the hypothesis of Theorem holds with c include Quadratic Non-Residuosity (widely believed not to be in BPP) and Graph Non-Isomorphism (not known to be in NP). But it seems plausible that for cn O log n log log n the class IP c c is contained in IP poly O where notations are as in § That is, we ask whether any language having an interactive proof system in which the prover sends a total of O log n log log n bits (but may have as many rounds) has also a constant-round interactive proof system. More generally, we ask whether IP c c is contained in a generalization of constant-round interactive proofs in which the verifier is allowed

O c log c

to run for poly time. On a slightly different note, how about

Open Problem: Can one provide evidence that NP is not contained in IP c c for small c? How about constant c?

Clearly, such indication will have to assume that NP is not in BPP. But all we know under that assumption is that NP is not contained in public-coin classes such as AMlog O since

O c

AMc O BPtime poly In the same vein, how about

Open Problem: Can one provide evidence that coNP is not contained in IP c c for small non-constant function c? How about cn log log n?

It is widely believed that coNP is not contained in IP poly O or else, for example, the polynomial-time hierarchy collapses. Actually, stronger evidence for coNP I P O O will be of interest too.

Acknowledgments

We are grateful to the anonymous referees for their helpful comments.

References

L. Babai. Trading Group Theory for Randomness. In th STOC, pages Publication is considered the journal version.

L. Babai and S. Moran. Arthur-Merlin Games: A Randomized Proof System and a Hierarchy of Complexity Classes. JCSS, Vol pages

M. Bellare, O. Goldreich, and E. Petrank. Uniform Generation of NP-witnesses using an NP-oracle. In preparation.

M. Bellare and E. Petrank. Making Zero-Knowledge Provers Efficient. In th STOC, pages See

R. Boppana, J. Hastad, and S. Zachos. Does Co-NP Have Short Interactive Proofs? IPL, Vol pages May

G. Brassard, D. Chaum, and C. Crepeau. Minimum Disclosure Proofs of Knowledge. JCSS, pages Preliminary version by Brassard and Crepeau in th FOCS

L. Fortnow. The Complexity of Perfect Zero-Knowledge. Advances in Computing Research: a research annual, Vol (Randomness and Computation, S. Micali, ed.), pages

O. Goldreich, S. Micali, and A. Wigderson. Proofs that Yield Nothing but their Validity or All Languages in NP Have Zero-Knowledge Proof Systems. JACM, Vol No pages Preliminary version in th FOCS

S. Goldwasser, S. Micali, and C. Rackoff. The Knowledge Complexity of Interactive Proof Systems. SIAM Journal on Computing, Vol pages Preliminary version in th STOC

M. Jerrum, L. Valiant, and V. Vazirani. Random Generation of Combinatorial Structures from a Uniform Distribution. Theoretical Computer Science, Vol pages

J. Kilian. A Note on Efficient Zero-Knowledge Proofs and Arguments. In th STOC, pages

M. Sipser. A Complexity Theoretic Approach to Randomness. In th STOC, pages

L. Stockmeyer. The Complexity of Approximate Counting. In th STOC, pages

Appendix A: Chernoff Bound

Chernoff Bound: Let be independent random variables, each ranging in and

m

having expected value Then

m

X

Prob exp m

i

m

i

Appendix B: The Uniform Generation Procedure

The approximation presented in § uses a uniform generation procedure for selecting a NP-witness. Such a procedure, originating in has appeared in Here we follow the recent presentation of

Definition (uniform generation of NP-witnesses): Let R be an NP-witness relation associated

def def

with the NP-language $L_R$ fx y st x y Rg Let $R_x$ fy x y Rg denote the set of

witness for membership of x in the language. A uniform generation procedure for R is a probabilistic

jxj

machine which given x $L_R$ with probability at least outputs some witness for x (i.e.,

a string y in $R_x$). Furthermore, all possible strings in $R_x$ are output with the same probability.

That is, for every y y $R_x$ the probability that the procedure on input x outputs y equals the

probability that it outputs y

Clearly, we cannot expect such a procedure to be weaker than NP itself. On the other hand, without loss of generality, we may assume that when not outputting an NP-witness the procedure outputs a special symbol (e.g., ). Note that the definition is robust with respect to the choice of the lower bound on the probability that the procedure outputs a witness. Any procedure in which this lower bound is at least poly(|x|) can be converted to a procedure as above.

Theorem: Let R and $L_R$ be as above. Then there exists a probabilistic polynomial-time oracle machine which, when given oracle to NP (i.e., to an NP-complete language), constitutes a uniform generation procedure for R.

For sake of self-containment we present a sketch of the proof of this theorem. The proof is slightly different from what appears in any of the previous works. We start with a high level description of the execution of the procedure on input x $L_R$. We assume without loss of generality that

n

$R_x$ f g where n poly(|x|) and that n is polynomial-time computable from x. The uniform generation procedure for R works as follows

i

The procedure finds an i such that $|R_x|$ and with probability at least it holds

def

i

$|R_x|$ In addition, in case i dlog the procedure also obtains (see details

n i i

below) a hash function h f g f g so that for every f g we have

def

|R | n where R fy R hy g Furthermore, with probability at least

xh xh x

i

we have |R | n for every f g

xh

In case i the procedure obtains $R_x$ and stops, uniformly outputting a member of $R_x$

i

Otherwise, using i and h found in Step the procedure uniformly selects f g and

obtains R The procedure halts, outputting each e R with probability n and

xh xh

|R |

xh

In particular in case R outputting otherwise ie with probability

2 xh

n

the procedure always outputs

It can be easily verified that the above yields a uniform generation procedure for R. The question is how to implement all of the above steps. To simplify the exposition, we assume n |x| (rather than n poly(|x|)) and that n

Checking if $|R_x|$ n: This is done using the NP-oracle by querying about membership of x

in the language

def

0 2 0 2

S fx y y y st x y x y Rg

jx j jx j

Finding good i and h in case $|R_x|$ n: Recall n |x| For each i we use a family

of n-wise hashing functions mapping n-bit strings into i-bit strings (e.g., use polynomials of

n

degree n over GF ). For i log $|R_x|$ and h uniformly selected in this family we have, using

th

the n moment method

Prob st jR j n or jR j n

h xh xh

We may verify that |R | n for all s by checking with the NP-oracle that x h is not in

xh

the language

def

0 2

S fx h y y y st x y R and h y j g

jx j j j

Thus, trying i n we select for each i a random h and test the above condition. In case

we get to i n we set h to return the n bit prefix of the argument. Thus, we surely return a

pair i h for which the condition holds, and with probability at least this pair will also satisfy

jR j n for all s

xh

Obtaining $R_x$ or R in case they are small: For sake of simplicity we consider here only

xh

the case $|R_x|$ n Firstly, we use the NP-oracle to determine the size of $R_x$ by testing the

2

n

membership of each x x in the set

def

k

S fx y y y st x y x y Rg

k k

th

Once the cardinality of $R_x$, denoted s, is determined and assuming s we find the j bit of

th s i j

the i element by testing the membership of x in the set

0 0 0

def

s i j

th

0 0 0

S fx y y y st x y x y R and the j bit of y is zerog

s s i