Results 1 - 10 of 102
The knowledge complexity of interactive proof systems
in Proc. 27th Annual Symposium on Foundations of Computer Science, 1985
Cited by 1041 (38 self)
Abstract. Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/non-Hamiltonian. In this paper a computational complexity theory of the "knowledge" contained in a proof is developed. Zero-knowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Examples of zero-knowledge proof systems are given for the languages of quadratic residuosity and quadratic nonresiduosity. These are the first examples of zero-knowledge proofs for languages not known to be efficiently recognizable. Key words. cryptography, zero knowledge, interactive proofs, quadratic residues. AMS(MOS) subject classifications. 68Q15, 94A60. 1. Introduction. It is often regarded that saying a language L is in NP (that is, acceptable in nondeterministic polynomial time) is equivalent to saying that there is a polynomial time "proof system" for L. The proof system we have in mind is one where on input x, a "prover" creates a string a, and the "verifier" then computes on x and a in time polynomial in the length of the binary representation of x to check that
Algebraic Methods for Interactive Proof Systems
1990
Cited by 308 (30 self)
We present a new algebraic technique for the construction of interactive proof systems. We use our technique to prove that every language in the polynomial-time hierarchy has an interactive proof system. This technique played a pivotal role in the recent proofs that IP=PSPACE (Shamir) and that MIP=NEXP (Babai, Fortnow and Lund).
Noninteractive Zero-Knowledge
SIAM J. COMPUTING, 1991
Cited by 190 (19 self)
This paper investigates the possibility of disposing of interaction between prover and verifier in a zero-knowledge proof if they share beforehand a short random string. Without any assumption, it is proven that noninteractive zero-knowledge proofs exist for some number-theoretic languages for which no efficient algorithm is known. If deciding quadratic residuosity (modulo composite integers whose factorization is not known) is computationally hard, it is shown that the NP-complete language of satisfiability also possesses noninteractive zero-knowledge proofs.
The NP-completeness column: an ongoing guide
Journal of Algorithms, 1985
Cited by 188 (0 self)
This is the nineteenth edition of a (usually) quarterly column that covers new developments in the theory of NP-completeness. The presentation is modeled on that used by M. R. Garey and myself in our book "Computers and Intractability: A Guide to the Theory of NP-Completeness," W. H. Freeman & Co., New York, 1979 (hereinafter referred to as "[G&J]"; previous columns will be referred to by their dates). A background equivalent to that provided by [G&J] is assumed, and, when appropriate, cross-references will be given to that book and the list of problems (NP-complete and harder) presented there. Readers who have results they would like mentioned (NP-hardness, PSPACE-hardness, polynomial-time-solvability, etc.) or open problems they would like publicized, should
Interactive proofs and the hardness of approximating cliques
Journal of the ACM, 1996
Cited by 155 (10 self)
The contribution of this paper is twofold. First, a connection is shown between approximating the size of the largest clique in a graph and multi-prover interactive proofs. Second, an efficient multi-prover interactive proof for NP languages is constructed, where the verifier uses very few random bits and communication bits. Last, the connection between cliques and efficient multi-prover interactive proofs is shown to yield hardness results on the complexity of approximating the size of the largest clique in a graph. Of independent interest is our proof of correctness for the multilinearity test of functions.
On Hiding Information from an Oracle
1989
Cited by 130 (15 self)
We consider the problem of computing with encrypted data. Player A wishes to know the value f(x) for some x but lacks the power to compute it. Player B has the power to compute f and is willing to send f(y) to A if she sends him y, for any y. Informally, an encryption scheme for the problem f is a method by which A, using her inferior resources, can transform the cleartext instance x into an encrypted instance y, obtain f(y) from B, and infer f(x) from f(y) in such a way that B cannot infer x from y. When such an encryption scheme exists, we say that f is encryptable. The framework defined in this paper enables us to prove precise statements about what an encrypted instance hides and what it leaks, in an information-theoretic sense. Our definitions are cast in the language of probability theory and do not involve assumptions such as the intractability of factoring or the existence of one-way functions. We use our framework to describe encryption schemes for some well-known function...
On the Power of Multi-Prover Interactive Protocols
Theoretical Computer Science, 1988
Cited by 129 (9 self)
this paper we consider a further generalization of the proof system model, due to Ben-Or, Goldwasser, Kilian and Wigderson [6], where instead of a single prover there may be many. This apparently gives the model additional power. The intuition for this may be seen by considering the case of two criminal suspects who are under interrogation to see if they are guilty of together robbing a bank. Of course they (the provers) are trying to convince Scotland Yard (the verifier) of their innocence. Assuming that they are in fact innocent, it is clear that their ability to convince the police of this is enhanced if they are questioned in separate rooms and can corroborate each other's stories without communicating. We shall see later in this paper that this sort of corroboration is the key to the additional power of multiple provers. Interactive proof systems have seen a number of important applications to cryptography [23, 22], algebraic complexity [3], program testing [7, 8] and distributed computation [16, 23]. For example, a chain of results concerning interactive proof systems [22, 3, 24, 9] conclude that if the graph isomorphism problem is NP-complete then the polynomial time hierarchy collapses. Multiple-prover interactive proof systems have also seen several important applications including the analysis of program testing [7, 4] and the complexity of approximation algorithms [14, 2, 1]. Brief summary of results: First we give a simple characterization of the power of the multi-prover model in terms of probabilistic oracle Turing machines. Then we show that every language accepted by multiple prover interactive proof systems can be computed in nondeterministic exponential time. Babai, Fortnow and Lund [4] have since shown this bound is tight. We then show results like th...
Statistical Zero-Knowledge Languages Can Be Recognized in Two Rounds
Journal of Computer and System Sciences, 1991
Cited by 65 (2 self)
Recently, a hierarchy of probabilistic complexity classes generalizing NP has emerged in the work of Babai [B], and Goldwasser, Micali, and Rackoff [GMR1], and Goldwasser and Sipser [GS]. The class IP is defined through the computational model of an interactive prover-verifier pair. Both Turing machines in a pair receive a common input and exchange messages. Every move of the verifier as well as its final determination of whether to accept or reject w are the result of random polynomial time computations on the input and all messages sent so far. The prover has no resource bounds. A language, L, is in IP if there is a prover-verifier pair such that: 1.) when $w \in L$, the verifier accepts with probability at least $1 - 2^{-|w|}$ and, 2.) when $w \notin L$, the verifier interacting with any prover accepts with probability at most $2^{-|w|}$. Such a prover-verifier pair is called an interactive proof for L. In addition to defining interactive proofs, Goldwasser, Micali, and Rackoff...
The Graph Isomorphism Problem
1996
Cited by 63 (0 self)
The graph isomorphism problem can be easily stated: check to see if two graphs that look differently are actually the same. The problem occupies a rare position in the world of complexity theory, it is clearly in NP but is not known to be in P and it is not known to be NP-complete. Many subdisciplines of mathematics, such as topology theory and group theory, can be brought to bear on the problem, and yet only for special classes of graphs have polynomial-time algorithms been discovered. Incongruently, this problem seems very easy in practice. It is almost always trivial to check two random graphs for isomorphism, and fast hardware implementations exist for application domains such as image processing. This paper is mostly a survey of related work in the graph isomorphism field. We examine the problem from many angles, mirroring the multifaceted nature of the literature. We survey complexity results for the graph isomorphism problem, and discuss some of the classes of graphs which hav...
Replicator Equations, Maximal Cliques, and Graph Isomorphism
1999
Cited by 52 (11 self)
We present a new energy-minimization framework for the graph isomorphism problem that is based on an equivalent maximum clique formulation. The approach is centered around a fundamental result proved by Motzkin and Straus in the mid-1960s, and recently expanded in various ways, which allows us to formulate the maximum clique problem in terms of a standard quadratic program. The attractive feature of this formulation is that a clear one-to-one correspondence exists between the solutions of the quadratic program and those in the original, combinatorial problem. To solve the program we use the so-called replicator equations—a class of straightforward continuous and discrete-time dynamical systems developed in various branches of theoretical biology. We show how, despite their inherent inability to escape from local solutions, they nevertheless provide experimental results that are competitive with those obtained using more elaborate mean-field annealing heuristics.