Private Coins Versus Public Coins in Interactive Proof Systems

Shafi Goldwasser*
Computer Science Department, MIT

Michael Sipser**
Computer Science Department, University of California at Berkeley, and Mathematics Department, MIT

* Research supported in part by NSF Grant 8509905 DCR.
** Research supported in part by NSF Grant MCS-8304769 and Air Force Grant AFOSR-82-0326.

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. © 1986 ACM 0-89791-193-8/86/0500/0059 $00.75

Abstract

An interactive proof system is a method by which one party of unlimited resources, called the prover, can convince a party of limited resources, called the verifier, of the truth of a proposition. The verifier may toss coins, ask repeated questions of the prover, and run efficient tests upon the prover's responses before deciding whether to be convinced. This extends the familiar proof system implicit in the notion of NP in that there the verifier may not toss coins or speak, but only listen and verify. Interactive proof systems may not yield proof in the strict mathematical sense: the "proofs" are probabilistic with an exponentially small, though non-zero chance of error.

We consider two notions of interactive proof system. One, defined by Goldwasser, Micali, and Rackoff [GMR] permits the verifier a coin that can be tossed in private, i.e., a secret source of randomness. The second, due to Babai, [B] requires that the outcome of the verifier's coin tosses be public and thus accessible to the prover.

Our main result is that these two systems are equivalent in power with respect to language recognition.

The notion of interactive proof system may be seen to yield a probabilistic analog to NP much as BPP is the probabilistic analog to P. We define the probabilistic, nondeterministic, polynomial time Turing machine and show that it is also equivalent in power to these systems.

1. Introduction

In this century, the notions of proof and computation have been formalized and understood. With the arrival of complexity theory, the notion of what is efficiently provable became of interest. The class NP captured this notion, containing those languages for which proofs of membership can be verified by a deterministic polynomial time Turing machine. We can view NP as a proof-system consisting of two communicating Turing machines: the prover who guesses the proof and the polynomial time deterministic verifier, who checks the correctness of the proof.

Randomization has been recognized to be a fundamental ingredient in defining what is efficiently computable (e.g., RP, BPP, RNC). In this paper, we seek to understand how randomization affects the definition of what is efficiently provable.

A conventional deterministic NP verifier does not accept statistical evidence as a convincing argument, regardless of how overwhelming it may be. As a consequence, the kind of languages contained in NP are precisely those whose proofs of membership can be fully put down in writing and shown to others. The verifier does not actively participate in the proof process or interact with the prover in any way. It suffices for the prover to speak and the verifier to listen.

Randomization and interaction are essential ingredients of two recent formalizations of the concept of an efficient proof system. One formalization is due to Babai [B] and the other to Goldwasser, Micali and Rackoff [GMR]. Both definitions would collapse to NP if no coins were flipped.

Interactive Proof Systems

In defining what they called interactive proof systems, Goldwasser, Micali and Rackoff's intent was to make as general a definition as possible of what is provable to a probabilistic verifier willing to accept statistical evidence. Their broader goal was to define the concept of the "knowledge" communicated during a proof.

An interactive proof system consists of a prover with unlimited computation power and a probabilistic polynomial time verifier who receive a common input x. The prover and the verifier can exchange messages back and forth for a polynomial in the length of x number of times. There are no restrictions on how the verifier may use his coin tosses: he can toss coins, perform any polynomial time computations on them and send the outcome of the computation to the prover. In particular, he need not show the outcome of the coins to the prover.

The secrecy of the verifier's coin tosses seemed essential to certain examples of interactive proof systems. The most notable is a recent result of Goldreich, Micali and Wigderson [GMW] showing an interactive proof-system for the graph non-isomorphism problem. This is somewhat remarkable in light of the fact that graph non-isomorphism is not known to be in NP. We sketch this example in section 2.1.

The interactive proof system (IP) defines a hierarchy of languages. Namely, L is in IP[k] if there exists a k-move (k alternations of message exchanges between prover and verifier with the verifier sending the first message) interactive proof system such that: for every input $x \in L$, the probability that the verifier accepts is greater than 2/3, and for every input x not in L, even against an optimal prover, the probability that the verifier accepts is less than 1/3.

Arthur-Merlin Games: An Interactive Proof System with a Public Coin

Babai's formalization of efficient proof system attempts to capture the smallest class of languages extending NP, for which statistical proofs of membership exist. The primary motivation was to place the matrix group non-membership and matrix group order problems in a complexity class "just above NP". His proof-system, presented as a game, consists of a powerful prover (capable of optimal moves) called Merlin, and a probabilistic polynomial time verifier called Arthur which receive a common input x. Merlin wins the game if he can make Arthur accept x. Arthur and Merlin alternate exchanging messages back and forth for at most a polynomial in the length of x times. At the end of the interaction, Arthur decides whether to accept or reject (i.e., whether Merlin won or lost).

The difference between the Arthur-Merlin proof system and the GMR proof system is in the restricted way that Arthur is allowed to use his coin tosses during the game. Arthur's moves consist merely of tossing coins and sending their outcomes to Merlin. Thus the Arthur-Merlin game is a special case of an interactive proof system.

The Arthur-Merlin games define a hierarchy of complexity classes, in a manner similar to IP. We say L is in AM[k] if there exists an Arthur-Merlin k-move game (i.e., k alternating message exchanges between Arthur and Merlin, Arthur sending first) such that for every input $x \in L$, the probability that Arthur accepts x is greater than 2/3; and for every input x not in L, the probability that an optimal Merlin wins is less than 1/3.

The elegant simplicity of the definition of the Arthur-Merlin game facilitates additional results. Babai showed that for every constant k, AM[k] collapses to AM[2]. This in turn is a subset of both $\Pi_2^p$ and nonuniform-NP. The relative power of proof systems with a bounded and an unbounded number of exchanged messages remains an interesting open question.

In this paper we prove the equivalence of these two types of interactive proofs with respect to language recognition. As a consequence the above results extend to IP.

Our Result

Let Q denote a polynomial. Let IP[Q] (and AM[Q]) denote those languages L for which there exists a Q-move interactive proof system (and Q-move Arthur-Merlin proof-system respectively).

[…] i.e., the GMR proof system is as powerful as the Babai proof system.

2. Examples and Related Work

2.1. An Example of An Interactive Proof System

Goldreich, Micali and Wigderson [GMW] have recently demonstrated the following interactive proof system for the graph non-isomorphism problem.

Let NONISO = {$(G_0, G_1)$ such that the graph $G_1$ is not isomorphic to the graph $G_0$}.

Theorem (GMW): NONISO $\in$ IP.

proof: Let the prover and verifier receive as input two n node graphs $G_0$ and $G_1$ on vertices V. The following steps 1 and 2 get executed n times in parallel.

step 1: The verifier flips a fair coin to choose $c \in \{0,1\}$ and a random permutation $\pi$ of V. The verifier then computes $R = \pi(G_c)$ and sends R to the prover.

step 2: The prover tells the verifier whether c=0 or 1.

final step: if the prover makes a mistake in step 2 in guessing what c is, the verifier rejects, otherwise he accepts.

If the two input graphs $G_1$ and $G_2$ are not isomorphic to each other, then there exists a prover who can distinguish the case that R is isomorphic to $G_0$ from the case that R is isomorphic to $G_1$, and thus can always tell correctly in step 2 of the protocol whether c=0 or c=1, and make the verifier accept. On the other hand, if $G_0$ is isomorphic to $G_1$, then by the randomness of the permuta-
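
The graph non-isomorphism protocol of section 2.1, simulated as an added example (not code from the paper). The 4-vertex graphs are constructed, the function names are illustrative assumptions, and the unbounded prover is modelled by brute-force search. The `public_coin` flag is also an assumption: it models a verifier that reveals c in this same protocol, which shows why the protocol as written depends on the coin staying private.

```python
import itertools
import random

def permute(graph, perm):
    """Relabel vertices of an edge set; edges are (u, v) tuples with u < v."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in graph)

def isomorphic(g, h, n):
    """Unbounded prover: try all n! relabellings."""
    return any(permute(g, p) == h for p in itertools.permutations(range(n)))

def prover_guess(g0, g1, r, n, rng):
    """Step 2: name c from R alone; guess when R matches both inputs."""
    in0, in1 = isomorphic(g0, r, n), isomorphic(g1, r, n)
    if in0 != in1:
        return 0 if in0 else 1
    return rng.randrange(2)  # R carries no information about c

def run_round(g0, g1, n, rng, public_coin=False):
    """Step 1 (verifier), step 2 (prover), then the verifier's check."""
    c = rng.randrange(2)                 # verifier's coin
    perm = list(range(n))
    rng.shuffle(perm)                    # random permutation of V
    r = permute((g0, g1)[c], perm)       # R = pi(G_c), sent to the prover
    guess = c if public_coin else prover_guess(g0, g1, r, n, rng)
    return guess == c

def acceptance_rate(g0, g1, n, rounds, seed, public_coin=False):
    """Fraction of independent rounds in which the prover names c correctly."""
    rng = random.Random(seed)
    wins = sum(run_round(g0, g1, n, rng, public_coin) for _ in range(rounds))
    return wins / rounds

def protocol_accepts(g0, g1, n, seed):
    """Full protocol: n rounds, verifier rejects on any single mistake."""
    rng = random.Random(seed)
    return all(run_round(g0, g1, n, rng) for _ in range(n))

# Constructed sample inputs on vertices {0, 1, 2, 3}.
PATH = frozenset({(0, 1), (1, 2), (2, 3)})
STAR = frozenset({(0, 1), (0, 2), (0, 3)})      # not isomorphic to PATH
PATH_B = frozenset({(0, 2), (1, 2), (1, 3)})    # a relabelling of PATH

if __name__ == "__main__":
    print("non-isomorphic:", acceptance_rate(PATH, STAR, 4, 200, seed=1))
    print("isomorphic, private coin:", acceptance_rate(PATH, PATH_B, 4, 2000, seed=1))
    print("isomorphic, coin revealed:", acceptance_rate(PATH, PATH_B, 4, 200, 1, True))
```

With a private coin the per-round success on isomorphic inputs stays near 1/2, so n rounds drive the acceptance probability down to about 2^-n; with the coin revealed the same protocol accepts isomorphic inputs every time.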
