Multi-Prover Interactive Proofs: How to Remove Intractability Assumptions

Michael Ben-Or*, Hebrew University, Jerusalem, Israel
Shafi Goldwasser†, MIT
Joe Kilian‡, MIT
Avi Wigderson§, Hebrew University, Jerusalem, Israel

Abstract

Quite complex cryptographic machinery has been developed based on the assumption that one-way functions exist, yet we know of only a few possible such candidates. It is important at this time to find alternative foundations for the design of secure cryptography. We introduce a new model of generalized interactive proofs as a step in this direction. We prove that all NP languages have perfect zero-knowledge proof-systems in this model, without making any intractability assumptions.

The generalized interactive-proof model consists of two computationally unbounded and untrusted provers, rather than one, who jointly agree on a strategy to convince the verifier of the truth of an assertion and then engage in a polynomial number of message exchanges with the verifier in their attempt to do so. To believe the validity of the assertion, the verifier must make sure that the two provers can not communicate with each other during the course of the proof process. Thus, the complexity assumptions made in previous work have been traded for a physical separation between the two provers.

*Supported by Alon Fellowship.
†Supported in part by NSF grant 865727-CCR, ARO grant DAAL03-86-K-017, and US-Israel BSF grant 86-00301.
‡Supported by a Fannie and John Hertz Foundation fellowship.
§Supported by Alon Fellowship.

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. © 1988 ACM 0-89791-264-0/88/0005/0113 $1.50

1 Introduction

The notion of randomized and interactive proof system, extending NP, was introduced in [GMR] and in [B]. An interactive proof-system consists of an all powerful prover who attempts to convince a probabilistic polynomial-time bounded verifier of the truth of a proposition. The prover and verifier receive a common input and can exchange up to a polynomial number of messages, at the end of which the verifier either accepts or rejects the input. Several examples of interactive proof-systems for languages not known to be in NP (e.g. graph non-isomorphism) are known.

In [GMW1] Goldreich, Micali and Wigderson show the fundamental result that if "non-uniform" one-way functions exist (i.e. no small circuits exist for computing the function inverse), then every NP language has a computationally zero-knowledge interactive proof system. This has far reaching implications concerning the secure design of cryptographic protocols. It also seems to be the strongest result possible. Results in [F] and [BHZ] imply that if perfect zero-knowledge interactive proof-systems for NP exist (i.e. ones which do not rely on the fact that the verifier is polynomial time bounded), then the polynomial time hierarchy would collapse to its second level. This provides strong evidence that it will be impossible (or at least very hard) to unconditionally show that NP has zero-knowledge interactive proofs.

In light of the above negative results, it is interesting to examine whether the definition of interactive proofs can be modified so as to still capture the notion of efficient provability and yet allow perfect zero-knowledge proofs for NP, making no intractability assumptions.

This is particularly important from a cryptographic view point, as the possible one-way functions currently considered are very few and almost exclusive to number theory (e.g. integer factorization, discrete logarithm computation and elliptic logarithm computation). If these were found to be efficiently solvable, the cryptographic consequences of the [GMW] result would be unusable.

1.1 New Model

We extend the definition of an interactive proof for language L as follows: instead of one prover attempting to convince a verifier that x, the input string, is in L, our prover consists of two separate agents (or rather two provers) who jointly attempt to convince a verifier that x is in L. The two provers can cooperate and communicate between them to decide on a common optimal strategy before the interaction with the verifier starts. But, once they start to interact with the verifier, they can no longer send each other messages or see the messages exchanged between the verifier and the "other prover". As in [GMR] the verifier is probabilistic polynomial time, and can exchange up to a polynomial number of messages with either one of the two provers (with no restriction on interleaving the exchanged messages) before deciding to accept or reject string x.¹

¹ A proof-system for a language in this model is defined in a similar manner to [GMR]. Namely, L has a multi-prover interactive proof-system if there exist a verifier V and provers P1, P2 such that when x ∈ L the probability that V accepts is greater than 2/3, and when x is not in L then for all P1, P2 the probability that V accepts is less than 1/3.

We restrict the verifier to send messages to the provers in a predetermined order. It can be shown that this is equivalent, with respect to language recognition, to a model in which the verifier is free to talk to the provers in any order he wishes. Moreover, the verifier can be forced to send messages to the provers in a predetermined order by using a simple password scheme. Thus, we can work in the easier to deal with synchronous model completely without loss of generality.

The main novelty of our model is that the verifier can "check" its interactions with the provers "against each other". One may think of this as the process of checking the alibi of two suspects of a crime (who have worked long and hard to prepare a joint alibi), where the suspects are the provers and the verifier is the interrogator. The interrogator's conviction that the alibi is valid stems from his conviction that once the interrogation starts the suspects can not talk to each other, as they are kept in separate rooms, and since they can not anticipate the randomized questions he may ask them, he can trust his findings (i.e. receiving a correct proof of the proposition at hand).

Applying this model in a cryptographic scenario, one may think of a bank customer holding two bank-cards rather than one, attempting to prove its identity to the bank machine. The machine makes sure that once the two cards are inserted they can no longer communicate with each other. In this scenario, the provers correspond to the two cards, and the verifier to the bank machine.

1.2 Results

1.2.1 Perfect Zero Knowledge Multi-Prover Interactive Proofs

We show that in our extended model all NP languages have a perfect zero-knowledge interactive proof-system, making no intractability assumptions.

The protocol for NP languages proposed requires the two provers to share either a polynomially long random pad or a function which they can compute but the polynomially bounded verifier can not. It is well known that such functions exist by counting arguments. Most of the burden of the proof lies on one predetermined prover. In fact, the "other" prover's sole function is to periodically output segments of the random pad he shares with the "primary prover". The protocol is constant (two) round.

Differently than in the case of the graph non-isomorphism and quadratic non-residuosity proof-systems in [GMR], [GMW], parallel executions of the protocol remain perfect zero-knowledge.

More generally, we show that any language which can be recognized in our extended model can be recognized in perfect zero-knowledge, making no intractability assumptions.

Our construction does not assume that the verifier is polynomial time bounded. The assumption that there is no communication between the two provers while interacting with the verifier must be made in order for the verifier to believe the validity of the proofs. It need not be made to show that the interaction is perfect zero-knowledge.

1.3 Language Recognition Power of New Model

It is interesting to consider what is the power of this new model solely with respect to language recognition. Clearly, NP ⊆ IP, which in turn is a subset of the languages accepted by our extended model

2 Definitions

Definition 1: Let P1, P2, ..., Pk be Turing machines which are computationally unbounded and V be a probabilistic polynomial time Turing machine. All machines have a read-only input tape, a work tape and a random tape. In addition, P1, P2, ..., Pk share an infinite read-only random tape of 0's and 1's. Every Pi has one write-only communication tape on which it writes messages for V. V has k write-only communication tapes. On communication tape i, V writes messages to Pi. We call (P1, P2, ..., Pk, V) a k-prover interactive protocol.
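The following simulation is an added illustration of the two-prover model of Sections 1.1 and 1.2.1 and of the k-prover protocol of Definition 1; it is not the paper's protocol for NP and not the authors' code. It assumes a hypothetical one-bit commitment that is not described on the page: the primary prover P1 commits to bit b at pad slot i by sending c = b XOR R[i], and the "other" prover P2, whose only job (as the paper says) is to reveal segments of the shared pad R, later opens slot i. The verifier's scheduler addresses one prover at a time, so the separation assumption is enforced by construction; a flag deliberately breaks it, which shows why that physical separation, rather than a one-way function, is what the verifier's trust rests on. Cheating probabilities are computed exactly over all challenge vectors and compared with the 1/3 soundness bound of footnote 1.

```python
"""Added illustration of the two-prover model (not the paper's NP protocol).

Hypothetical primitive, not from the paper: P1 commits to bit b at pad slot i
by sending c = b XOR R[i]; P2 opens slot i by revealing R[i]; V gets b = c XOR R[i].
"""
from collections import Counter
from fractions import Fraction
from itertools import product
import secrets

SOUNDNESS_BOUND = Fraction(1, 3)  # footnote 1: V accepts with probability < 1/3 when x is not in L


class Prover:
    """Computationally unbounded party whose view is the shared pad plus the
    messages V addressed to it; it never sees the other prover's messages."""

    def __init__(self, pad):
        self.pad = pad
        self.view = []           # messages V sent to this prover, in order
        self.leaked_view = None  # set only when isolation is deliberately broken

    def receive(self, msg):
        self.view.append(msg)
        return self.respond(msg)

    def respond(self, msg):
        raise NotImplementedError


class HonestP1(Prover):
    """Primary prover: commits to its private bits under the shared pad."""

    def __init__(self, pad, bits):
        super().__init__(pad)
        self.bits = bits

    def respond(self, msg):
        kind, i = msg
        return self.bits[i] ^ self.pad[i] if kind == "commit" else None


class HonestP2(Prover):
    """Secondary prover: its sole function is to output requested pad segments."""

    def respond(self, msg):
        kind, i = msg
        return self.pad[i] if kind == "open" else None


class CheatingP1(Prover):
    """Learns the per-slot challenge e only after committing, yet wants every
    commitment to open to e_i. Prearranged plan with P2: commit as if e_i = 0."""

    def respond(self, msg):
        kind, i = msg
        return 0 ^ self.pad[i] if kind == "commit" else None


class CheatingP2(Prover):
    """Opens honestly unless it has P1's view (separation broken), in which
    case it flips each opening so that c XOR R'[i] equals the challenge bit."""

    def respond(self, msg):
        kind, i = msg
        if kind != "open":
            return None
        r = self.pad[i]
        if self.leaked_view is not None:
            e = next(m[1] for m in self.leaked_view if m[0] == "challenge")
            r ^= e[i]
        return r


def run_session(p1, p2, n, challenge, isolated=True):
    """V's predetermined synchronous schedule: n commit requests to P1, one
    challenge vector to P1, then n open requests to P2. Returns opened bits."""
    commits = [p1.receive(("commit", i)) for i in range(n)]
    p1.receive(("challenge", tuple(challenge)))
    if not isolated:
        p2.leaked_view = list(p1.view)  # the provers 'talk' mid-protocol
    openings = [p2.receive(("open", i)) for i in range(n)]
    return [c ^ r for c, r in zip(commits, openings)]


def honest_run(bits):
    """Completeness: honest provers sharing a fresh random pad always open correctly."""
    pad = [secrets.randbelow(2) for _ in bits]
    opened = run_session(HonestP1(pad, bits), HonestP2(pad), len(bits), [0] * len(bits))
    return opened == list(bits)


def commitment_distribution(b):
    """V's view of one commitment to b over the uniform pad bit: identical for
    b = 0 and b = 1, i.e. perfectly hiding with no intractability assumption."""
    return Counter(b ^ r for r in (0, 1))


def cheating_success(n, isolated=True):
    """Exact probability, over uniform challenge vectors in {0,1}^n, that the
    cheating pair opens every commitment to the challenge bit."""
    pad = [secrets.randbelow(2) for _ in range(n)]  # pad value is irrelevant to cheaters
    wins = 0
    for e in product((0, 1), repeat=n):
        wins += run_session(CheatingP1(pad), CheatingP2(pad), n, e, isolated) == list(e)
    return Fraction(wins, 2 ** n)


def meets_soundness_bound(n):
    """True once n independent challenge bits push isolated cheating below 1/3."""
    return cheating_success(n, isolated=True) < SOUNDNESS_BOUND


if __name__ == "__main__":
    print("honest run ok:", honest_run([1, 0, 1, 1]))
    print("view of commit(0), commit(1):", commitment_distribution(0), commitment_distribution(1))
    for n in (1, 2, 3):
        print(f"n={n}: isolated {cheating_success(n)}, separation broken {cheating_success(n, False)}")
```

With isolation, the cheating pair can do no better than a prearranged guess of the challenge, so its success is exactly 2^-n and drops below the 1/3 bound at n = 2; once P2 sees P1's view the same pair succeeds with probability 1, which is the paper's point that the no-communication assumption is needed for soundness, while hiding (and hence zero-knowledge) holds regardless.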
