Designing Programs That Check Their Work
1989
Cited by 308 (17 self)
Abstract
A program correctness checker is an algorithm for checking the output of a computation. That is, given a program and an instance on which the program is run, the checker certifies whether the output of the program on that instance is correct. This paper defines the concept of a program checker. It designs program checkers for a few specific and carefully chosen problems in the class FP of functions computable in polynomial time. Problems in FP for which checkers are presented in this paper include Sorting, Matrix Rank and GCD. It also applies methods of modern cryptography, especially the idea of a probabilistic interactive proof, to the design of program checkers for group theoretic computations. Two structural theorems are proven here. One is a characterization of problems that can be checked. The other theorem establishes equivalence classes of problems such that whenever one problem in a class is checkable, all problems in the class are checkable.
On the Composition of Zero-Knowledge Proof Systems
SIAM Journal on Computing, 1990
Cited by 192 (14 self)
Abstract
The wide applicability of zero-knowledge interactive proofs comes from the possibility of using these proofs as subroutines in cryptographic protocols. A basic question concerning this use is whether the (sequential and/or parallel) composition of zero-knowledge protocols is zero-knowledge too. We demonstrate the limitations of the composition of zero-knowledge protocols by proving that the original definition of zero-knowledge is not closed under sequential composition; and that even the strong formulations of zero-knowledge (e.g. black-box simulation) are not closed under parallel execution. We present lower bounds on the round complexity of zero-knowledge proofs, with significant implications to the parallelization of zero-knowledge protocols. We prove that 3-round interactive proofs and constant-round Arthur-Merlin proofs that are black-box simulation zero-knowledge exist only for languages in BPP. In particular, it follows that the "parallel versions" of the first interactive proo...
On the Limits of Non-Approximability of Lattice Problems
1998
Cited by 81 (3 self)
Abstract
We show simple constant-round interactive proof systems for problems capturing the approximability, to within a factor of √n, of optimization problems in integer lattices; specifically, the closest vector problem (CVP), and the shortest vector problem (SVP). These interactive proofs are for the "coNP direction"; that is, we give an interactive protocol showing that a vector is "far" from the lattice (for CVP), and an interactive protocol showing that the shortest lattice vector is "long" (for SVP). Furthermore, these interactive proof systems are Honest-Verifier Perfect Zero-Knowledge. We conclude that approximating CVP (resp., SVP) within a factor of √n is in NP ∩ coAM. Thus, it seems unlikely that approximating these problems to within a √n factor is NP-hard. Previously, for the CVP (resp., SVP) problem, Lagarias et al., Hastad and Banaszczyk showed that the gap problem corresponding to approximating CVP (resp., SVP) within n is in NP ∩ coNP. On the other hand, Ar...
Tiny Families of Functions with Random Properties: A Quality-Size Tradeoff for Hashing
2003
Cited by 54 (11 self)
Abstract
We present three explicit constructions of hash functions, which exhibit a tradeoff between the size of the family (and hence the number of random bits needed to generate a member of the family), and the quality (or error parameter) of the pseudorandom property it achieves. Unlike previous constructions, most notably universal hashing, the size of our families is essentially independent of the size of the domain on which the functions operate.
Relativizable And Nonrelativizable Theorems In The Polynomial Theory Of Algorithms
In Russian, 1993
Cited by 34 (0 self)
Abstract
Starting with the paper of Baker, Gill and Solovay [BGS 75] in complexity theory, many results have been proved which separate certain relativized complexity classes or show that they have no complete language. All results of this kind were, in fact, based on lower bounds for boolean decision trees of a certain type or for machines with polylogarithmic restrictions on time. The following question arises: Are these methods of proving "relativized" results universal? In the first part of the present paper we propose a general framework in which assertions of universality of this kind may be formulated and proved as convenient criteria. Using these criteria we obtain, as easy consequences of the known results on boolean decision trees, some new "relativized" results and new proofs of some known results. In the second part of the present paper we apply these general criteria to many particular cases. For example, for many of the complexity classes studied in the literature all relativiza...
Uniform Generation of NP-witnesses using an NP-oracle
Information and Computation, 1997
Cited by 29 (1 self)
Abstract
A Uniform Generation procedure for NP is an algorithm which, given any input in a fixed NP-language, outputs a uniformly distributed NP-witness for membership of the input in the language. We present a Uniform Generation procedure for NP that runs in probabilistic polynomial-time with an NP-oracle. This improves upon results of Jerrum, Valiant and Vazirani, which either require a Σ_2^P oracle or obtain only almost uniform generation. Our procedure utilizes ideas originating in the works of Sipser, Stockmeyer, and Jerrum, Valiant and Vazirani.
A Taxonomy of Proof Systems
Basic Research in Computer Science, Center of the Danish National Research Foundation, 1997
Cited by 14 (2 self)
Abstract
Several alternative formulations of the concept of an efficient proof system are nowadays coexisting in our field. These systems include the classical formulation of NP, interactive proof systems (giving rise to the class IP), computationally-sound proof systems, and probabilistically checkable proofs (PCP), which are closely related to multi-prover interactive proofs (MIP). Although these notions are sometimes introduced using the same generic phrases, they are actually very different in motivation, applications and expressive power. The main objective of this essay is to try to clarify these differences.
Honest Verifier vs Dishonest Verifier in Public Coin Zero-Knowledge Proofs
1995
Cited by 10 (1 self)
Abstract
This paper presents two transformations of public-coin/Arthur-Merlin proof systems which are zero-knowledge with respect to the honest verifier into (public-coin/Arthur-Merlin) proof systems which are zero-knowledge with respect to any verifier. The first transformation applies only to constant-round proof systems. It builds on Damgard's transformation (see Crypto93), using ordinary hashing functions instead of the interactive hashing protocol (of Naor, Ostrovsky, Venkatesan and Yung, see Crypto92) which was used by Damgard. Consequently, the protocols resulting from our transformation have much lower round-complexity than those derived by Damgard's transformation. As in Damgard's transformation, our transformation preserves statistical/perfect zero-knowledge and does not rely on any computational assumptions. However, unlike Damgard's transformation, the new transformation is not applicable to argument systems or to proofs of knowledge. The second transformation can be applied to p...
Hashing Functions Can Simplify Zero-Knowledge Protocol Design (too)
BRICS Technical Report, 1994
Cited by 7 (2 self)
Abstract
In Crypto93, Damgård showed that any constant-round protocol in which the verifier sends only independent, random bits and which is zero-knowledge against the honest verifier can be transformed into a protocol (for the same problem) that is zero-knowledge in general. His transformation was based on the interactive hashing technique of Naor, Ostrovsky, Venkatesan and Yung, and thus the resulting protocol had very large round-complexity. We adopt
Computational Limitations of Stochastic Turing Machines and Arthur-Merlin Games with Small Space Bounds
In Proc. 22. Int. Symp, 1997
Cited by 1 (1 self)
Abstract
A Stochastic Turing machine (STM) is a Turing machine that can perform nondeterministic and probabilistic moves and alternate between both types. Such devices are also called games against nature, Arthur-Merlin games, or interactive proof systems with public coins. We give an overview on complexity classes defined by STMs with space resources between constant and logarithmic size and constant or sublinear bounds on the number of alternations. New lower space bounds are shown for a specific family of languages by exploiting combinatorial properties. These results imply an infinite hierarchy with respect to the number of alternations of STMs, and non-closure properties of certain classes.