On the Complexity of Interactive Proofs with Bounded Communication


Johan Håstad, Department of Computer Science, Royal Institute of Technology, Stockholm, Sweden (johanh@nada.kth.se)
Oded Goldreich, Department of Computer Science, Weizmann Institute of Science, Rehovot, Israel (oded@wisdom.weizmann.ac.il)

November

Abstract

We investigate the computational complexity of languages which have interactive proof systems of bounded message complexity. In particular, denoting the length of the input by n, we show that:

  • If L has an interactive proof in which the total communication is bounded by c(n) bits, then L can be recognized by a probabilistic machine in time exponential in $O(c(n) + \log n)$.
  • If L has a public-coin interactive proof in which the prover sends c(n) bits, then L can be recognized by a probabilistic machine in time exponential in $O(c(n) \cdot \log c(n) + \log n)$.
  • If L has an interactive proof in which the prover sends c(n) bits, then L can be recognized by a probabilistic machine with an NP-oracle in time exponential in $O(c(n) \cdot \log c(n) + \log n)$.

Work done while being on a sabbatical leave at LCS, MIT.

Introduction

Proof systems are defined in terms of their verification procedures. The notion of a verification procedure assumes the notion of computation and, furthermore, the notion of efficient computation. This implicit assumption is made explicit in the definition of NP, in which efficient computation is associated with deterministic polynomial-time algorithms.

In light of the growing acceptability of randomized and distributed computations, it is only natural to associate the notion of efficient computation with probabilistic and interactive polynomial-time computations. This leads to the notion of an interactive proof system (cf.), in which the verification procedure is interactive and randomized, rather than being non-interactive and deterministic. Intuitively, one may think of this interaction as consisting of tricky questions asked by the verifier, to which the prover has to reply convincingly. The last sentence, as well as the definition, makes explicit reference to a prover, whereas a prover is only implicit in the traditional definitions of proof systems (e.g., NP-proofs).

The actual definition of interactive proof systems suggests probabilistic interpretations to the traditional notions of completeness and soundness associated with any proof system. Specifically, statistical soundness requires that there exists no strategy which makes the verifier accept false statements with probability greater than say. A further relaxation of this soundness condition is the notion of computational soundness. Here it is only required that there exists no efficient strategy which makes the verifier accept false statements with probability greater than. The difference between statistical soundness and computational soundness translates to a difference between interactive proof systems, as defined by Goldwasser, Micali and Rackoff, and computationally-sound proof systems (a.k.a. argument systems), as defined by Brassard, Chaum and Crépeau.

A significant difference between interactive proof systems and computationally-sound proof systems has been observed in the domain of zero-knowledge. On one hand, it is widely believed that not all languages in NP have perfect zero-knowledge interactive proofs (cf.). In particular, the negation of this conjecture implies the collapse of the polynomial-time hierarchy (cf.). On the other hand, assuming that factoring is hard, all languages in NP have perfect zero-knowledge computationally-sound proofs.

Our aim in this note is to point out another significant difference between interactive proof systems and computationally-sound proof systems. Specifically, we refer to the expressive power of the two types of proof systems when bounding their message complexity (i.e., the number of bits sent throughout the interaction). We will confront known positive results regarding the expressive power of computationally-sound proof systems of bounded message complexity with new negative results regarding the expressive power of interactive proof systems of the same message complexity.

Computationally-sound proofs of bounded message complexity. In Kilian demonstrated that computationally-sound proof systems may be able to recognize any language in NP while using only polylogarithmic message complexity. Specifically, assuming the existence of hashing functions for which collisions cannot be found by subexponential-size circuits, Kilian showed that any language in NP has a computationally-sound proof system in which both the bi-directional message complexity and the randomness complexity are polylogarithmic. Furthermore, this proof system is in the public-coins (a.k.a. Arthur-Merlin) model of Babai.

Footnote 1: Perfect zero-knowledge is a strict variant of zero-knowledge. The above stated belief does not refer to the more relaxed notion of zero-knowledge (a.k.a. computational zero-knowledge). In fact, assuming the existence of commitment schemes, all languages in NP do have computational zero-knowledge interactive proofs.

Interactive proofs of bounded message complexity. Our first observation indicates that Kilian's result, as stated above, is unlikely for interactive proof (rather than computationally-sound) systems. It shows that if we bound the message and randomness complexity as in Kilian's result (i.e., to be polylogarithmic), then interactive proofs may exist only for languages in the class Quasi-Polynomial Time (i.e., $\mathrm{Dtime}(2^{\mathrm{poly}\log})$). We note that Quasi-Polynomial Time is widely believed not to contain NP.

Theorem (interactive proofs with bounded message and randomness complexities): Let $c$ be an integer function and $L \subseteq \{0,1\}^*$. Suppose that L has an interactive proof system in which both the randomness and communication complexities are bounded by $c$. Then $L \in \mathrm{Dtime}(2^{O(c)} \cdot \mathrm{poly})$.

Theorem is the starting point of our investigation. Its proof is facilitated by the fact that the hypothesis contains a bound on the randomness complexity of the verifier. However, what we consider fundamental in Kilian's result is the low message complexity. Thus, we wish to waive the extra hypothesis. In fact, waiving the bound on the randomness complexity, we obtain a very similar result.

Theorem (interactive proofs with bounded message complexity): Let $c$ be an integer function and $L \subseteq \{0,1\}^*$. Suppose that L has an interactive proof system in which the communication complexity is bounded by $c$. Then $L \in \mathrm{BPtime}(2^{O(c)} \cdot \mathrm{poly})$.

Theorem refers to interactive proof systems in which the bi-directional communication complexity is bounded. However, it seems that the more fundamental parameter is the uni-directional communication complexity in the prover-to-verifier direction. In fact, waiving also the bound on the verifier's message length, we obtain a similar result for the special case of public-coin (Arthur-Merlin) interactive proof systems. Namely:

Theorem (public-coin interactive proofs with bounded prover-messages): Let $c$ be an integer function and $L \subseteq \{0,1\}^*$. Suppose that L has a public-coin interactive proof system in which the total number of bits sent by the prover is bounded by $c$. Then $L \in \mathrm{BPtime}(2^{O(c \log c)} \cdot \mathrm{poly})$.

Theorem may not hold for general interactive proofs, and if it does this may be hard to establish. The reason being that supposedly hard languages such as Quadratic Non-Residuosity and Graph Non-Isomorphism have interactive proof systems in which the prover sends a single bit. Thus, we are currently content with a weaker result.

Theorem (interactive proofs with bounded prover-messages): Let $c$ be an integer function and $L \subseteq \{0,1\}^*$. Suppose that L has an interactive proof system in which the total number of bits sent by the prover is bounded by $c$. Then $L \in \mathrm{BPtime}(2^{O(c \log c)} \cdot \mathrm{poly})^{\mathrm{NP}}$.

Formal Treatment

We assume that the reader is familiar with the basic definitions of interactive proofs as introduced by Goldwasser, Micali and Rackoff and Babai. Here we merely recall them, while focusing on some parameters. In particular, we use the more liberal two-sided error versions; this only makes our results stronger.

Footnote 2: Recall that Kilian's proof system is of the public-coin type.

Interactive Proof Systems and Parameters

Definition (interactive proof systems):

  • An interactive proof system for a language L is a pair $(P, V)$ of interactive machines, so that V is probabilistic polynomial-time, satisfying:
    Completeness: For every $x \in L$, the verifier V accepts with probability at least after interacting with P on common input x.
    Soundness: For every $x \notin L$ and every potential prover $P^*$, the verifier V accepts with probability at most after interacting with $P^*$ on common input x.
    An interactive proof system is said to be an Arthur-Merlin game if the verifier's message in each round consists of all coins it has tossed in this round.
  • Let m and r be integer functions. The complexity class $\mathrm{IP}(m, r)$ (resp., $\mathrm{AM}(m, r)$) consists of languages having an interactive proof system (resp., an Arthur-Merlin proof system) in which, on common input x, the interaction consists of at most $r(|x|)$ communication rounds, during which the total number of bits sent from the prover to the verifier is bounded by $m(|x|)$.

Our Results

For an integer function t, we let $\mathrm{BPtime}(t)$ (resp., $\mathrm{BPtime}(t)^{\mathrm{NP}}$) denote the class of languages recognizable by probabilistic t-time machines (resp., oracle machines with access to an oracle set in NP) with error at most. Our main result is:

Proposition (interactive proofs with bounded message and round complexity):

  • $\mathrm{AM}(m, r) \subseteq \mathrm{BPtime}(2^{O(m + r \log r)} \cdot \mathrm{poly})$
  • $\mathrm{IP}(m, r) \subseteq \mathrm{BPtime}(2^{O(m + r \log r)} \cdot \mathrm{poly})^{\mathrm{NP}}$

Theorem follows from Part of Proposition, whereas Theorem follows from Part. Theorems and will be proven directly, before proving Proposition. The main ingredient
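The introduction's remark that Graph Non-Isomorphism has an interactive proof in which the prover sends a single bit can be made concrete. The Python code below is an added illustration, not part of the paper: it assumes the textbook private-coin protocol (the page does not spell it out), runs one round on constructed 4-vertex graphs, and computes exact acceptance probabilities by enumerating every verifier coin choice; all function and graph names are this example's own.

```python
from collections import Counter
from fractions import Fraction
from itertools import permutations


def canon(edges):
    """Normalise an undirected graph to a frozenset of sorted vertex pairs."""
    return frozenset(tuple(sorted(e)) for e in edges)


def permute(graph, pi):
    """Relabel every vertex v of the graph as pi[v]."""
    return canon((pi[u], pi[v]) for u, v in graph)


def isomorphic(g, h, n):
    """Brute-force test over all n! relabellings (the prover is unbounded)."""
    return any(permute(g, pi) == h for pi in permutations(range(n)))


def verifier_challenges(g0, g1, n):
    """Yield (b, H) for every private coin choice (b, pi), with H = pi(G_b).

    Only H is sent to the prover; b and pi stay private to the verifier.
    """
    for b, g in enumerate((g0, g1)):
        for pi in permutations(range(n)):
            yield b, permute(g, pi)


def honest_prover(g0, n):
    """Strategy H -> one bit: 0 if H is isomorphic to G_0, otherwise 1."""
    return lambda h: 0 if isomorphic(g0, h, n) else 1


def accept_probability(g0, g1, n, prover):
    """Exact probability, over the verifier's coins, that prover(H) == b."""
    outcomes = [prover(h) == b for b, h in verifier_challenges(g0, g1, n)]
    return Fraction(sum(outcomes), len(outcomes))


def best_prover_probability(g0, g1, n):
    """Maximum acceptance probability over all prover strategies.

    A strategy can depend only on H, so the best one answers, for each H,
    the bit b that is consistent with more of the verifier's coin choices.
    """
    counts = Counter(verifier_challenges(g0, g1, n))
    total = sum(counts.values())
    seen = {h for _, h in counts}
    best = sum(max(counts[(0, h)], counts[(1, h)]) for h in seen)
    return Fraction(best, total)


# Constructed sample graphs on 4 vertices.
N = 4
PATH = canon([(0, 1), (1, 2), (2, 3)])
STAR = canon([(0, 1), (0, 2), (0, 3)])             # not isomorphic to PATH
PATH_RELABELLED = canon([(2, 0), (0, 3), (3, 1)])  # isomorphic to PATH

if __name__ == "__main__":
    honest = honest_prover(PATH, N)
    print("non-isomorphic, honest prover:",
          accept_probability(PATH, STAR, N, honest))
    print("isomorphic, honest prover:   ",
          accept_probability(PATH, PATH_RELABELLED, N, honest))
    print("isomorphic, best strategy:   ",
          best_prover_probability(PATH, PATH_RELABELLED, N))
```

On the non-isomorphic pair the one-bit reply is always correct; on the isomorphic pair the challenge H is distributed identically for both values of b, so no strategy does better than a coin flip. The verifier's coins (b, pi) are private here, which is what separates this protocol from the public-coin setting covered by the stronger theorem.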