Chapter Probabilistic Pro of Systems A pro of is whatever convinces me Shimon Even The glory attached to the creativity involved in nding pro ofs makes us forget that it is the less gloried pro cess of verication that gives pro ofs their value Conceptu ally sp eaking pro ofs are secondary to the verication pro cess whereas technically sp eaking pro of systems are dened in terms of their verication pro cedures The notion of a verication pro cedure presumes the notion of computation and furthermore the notion of ecient computation This implicit stipulation is made explicit in the denition of NP where ecient computation is asso ciated with deterministic p olynomialtime algorithms However as argued next we can gain a lot if we are willing to take a somewhat nontraditional step and allow probabilistic verication pro cedures In this chapter we shall study three types of probabilistic pro of systems called interactive proofs zeroknowledge proofs and probabilistic checkable proofs In each of these three cases we shall present fascinating results that cannot b e obtained when considering the analogous deterministic pro of systems Summary The asso ciation of ecient pro cedures with deterministic p olynomialtime pro cedures is the basis for viewing NPpro of systems as the canonical formulation of pro of systems with ecient verica tion pro cedures Allowing probabilistic verication pro cedures and moreover ruling by statistical evidence gives rise to various types of probabilistic pro of systems Indeed these probabilistic pro of systems carry a probability of error which is explicitly b ounded and can b e reduced by successive application of the pro of system yet they of fer various advantages over the traditional deterministic and errorless pro of systems Randomized and interactive verication pro cedures giving rise to inter active proof systems seem much more p owerful than their deterministic CHAPTER PROBABILISTIC PROOF SYSTEMS counterparts In particular such interactive pro of systems exist for any set in P S P AC E coNP eg for the set of unsatised prop ositional formulae whereas it is widely b elieved that some sets in coNP do not have NPpro of systems ie NP coNP We stress that a pro of in this context is not a xed and static ob ject but rather a randomized and dynamic pro cess in which the verier interacts with the prover Intuitively one may think of this interaction as consisting of questions asked by the verier to which the prover has to reply convincingly Such randomized and interactive verication pro cedures allow for the meaningful conceptualization of zeroknowledge proofs which are of great theoretical and practical interest esp ecially in cryptography Lo osely sp eaking zeroknowledge pro ofs are interactive pro ofs that yield nothing to the verier b eyond the fact that the assertion is indeed valid For example a zeroknowledge pro of that a certain prop o sitional formula is satisable do es not reveal a satisfying assignment to the formula nor any partial information regarding such an assignment eg whether the rst variable can assume the value true Thus the successful verication of a zeroknowledge pro of exhibit an extreme contrast b etween b eing convinced of the validity of a statement and learning nothing else while receiving such a convincing pro of It turns out that under reasonable complexity assumptions ie assuming the existence of oneway functions every set in NP has a zeroknowledge pro of system NPpro ofs can b e eciently transformed into a redundant form that oers a tradeo b etween the number of lo cations randomly exam ined in the resulting pro of and the condence in its validity In par ticular it is known that any set in NP has an NPpro of system that supp orts probabilistic verication such that the error probability de creases exp onentially with the number of bits read from the alleged pro of These redundant NPpro ofs are called probabilistically checkable proofs or PCPs In addition to their conceptually fascinating nature PCPs are closely related to the study of the complexity of numerous natural approximation problems Introduction and Preliminaries Conceptually sp eaking pro ofs are secondary to the verication pro cess Indeed b oth in mathematics and in reallife pro ofs are meaningful only with resp ect to commonly agreed principles of reasoning and the verication pro cess amounts to checking that these principles were prop erly applied Thus these principles which are typically taken for granted are more fundamental than any sp ecic pro of that applies them that is the mere attempt to reason ab out anything is based on commonly agreed principles of reasoning The commonly agreed principles of reasoning are asso ciated with a verication pro cedure that distinguishes prop er applications of these principles from improp er ones A line of reasoning is considered valid with resp ect to such xed principles and is thus deemed a pro of if and only if it pro ceeds by a prop er applications of these principles Thus a line of reasoning is considered valid if and only if it is accepted by the corresp onding verication pro cedure This means that technically sp eaking pro ofs are dened in terms of a predetermined verication pro cedure or are dene with resp ect to such a pro cedure Indeed this state of aairs is b est illustrated in the formal study of pro ofs ie logic which is actually the study of formally dened pro of systems The p oint is that these pro of systems are dened often explicitly and sometimes only implicitly in terms of their verication pro cedures The notion of a verication pro cedure presumes the notion of computation This fact explains the historical interest of logicians in computer science cf Furthermore the verication of pro ofs is supp osed to b e relatively easy and hence a natural connection emerges b etween verication pro cedures and the notion of ecient computation This connection was made explicit by complexity theorists and is captured by the denition of NP and NPpro of systems cf Denition which targets all ecient verication pro cedures Recall that Denition identies ecient verication pro cedures with de terministic p olynomialtime algorithms and that it explicitly restricts the length of pro ofs to b e p olynomial in the length of the assertion Thus verication is performed in a number of steps that is polynomial in the length of the assertion We comment that deterministic pro of systems that allow for longer pro ofs but require that verication is ecient in terms of the length of the alleged pro of can b e mo deled as NPpro of systems by adequate padding of the assertion Indeed NPpro ofs provide the ultimate formulation of eciently veriable pro ofs ie pro of systems with ecient verication pro cedures provided that one asso ciates ecient pro cedures with deterministic p olynomialtime algorithms How ever as we shall see we can gain a lot if we are willing to take a somewhat nontraditional step and allow probabilistic p olynomialtime algorithms and in particular probabilistic verication pro cedures Randomized and interactive verication pro cedures seem much more p owerful than their deterministic counterparts Such interactive pro of systems allow for the construction of meaningful zeroknowledge pro ofs which are of great conceptual and practical interest NPpro ofs can b e eciently transformed into a redundant form that sup p orts sup erfast probabilistic verication via very few random prob es into the alleged pro of In contrast traditional pro of systems are formulated based on rules of inference that seem natural in the relevant context The fact that these inference rules yield an ecient verication pro cedure is merely a consequence of the corresp ondence b etween pro cesses that seem natural and ecient computation CHAPTER PROBABILISTIC PROOF SYSTEMS In all these cases explicit b ounds are imp osed on the computational complexity of the verication pro cedure which in turn is p ersonied by the notion of a verier Furthermore in all these pro of systems the verier is allowed to toss coins and rule by statistical evidence Thus all these pro of systems carry a probability of error yet this probability is explicitly b ounded and furthermore can b e reduced by successive application of the pro of system One imp ortant convention When presenting a pro of system we state all complexity b ounds in terms of the length of the assertion to b e proved which is viewed as an input to the verier Namely when we say p olynomialtime we mean time that is p olynomial in the length of this assertion Indeed as will b ecome evident this is the natural choice in all the cases that we consider Note that this convention is consistent with the foregoing discussion of NPpro of systems Notational Conventions We denote by poly the set of all integer functions that are upp erb ounded by a p olynomial and by log the set of all integer functions b ounded by a logarithmic function ie f log if and only if f n O log n All complexity measures mentioned in this chapter are assumed to b e constructible in p olynomialtime Organization In Section we present the basic denitions and results regard ing interactive pro of systems The denition of an interactive pro of systems is the starting p oint for a discussion of zeroknowledge pro ofs which is provided in Sec tion Section which presents the basic denitions and results regarding probabilistically checkable pro ofs PCP can b e read indep endently of the other sections Prerequisites We assume a basic familiarity with elementary probability theory see App endix