Results 1  10
of
25
The knowledge complexity of interactive proof systems
 in Proc. 27th Annual Symposium on Foundations of Computer Science
, 1985
"... Abstract. Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/nonHamiltoni ..."
Abstract

Cited by 1197 (38 self)
 Add to MetaCart
Abstract. Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/nonHamiltonian. In this paper a computational complexity theory of the "knowledge " contained in a proof is developed. Zeroknowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Examples of zeroknowledge proof systems are given for the languages of quadratic residuosity and quadratic nonresiduosity. These are the first examples of zeroknowledge proofs for languages not known to be efficiently recognizable. Key words, cryptography, zero knowledge, interactive proofs, quadratic residues AMS(MOS) subject classifications. 68Q15, 94A60 1. Introduction. It is often regarded that saying a language L is in NP (that is, acceptable in nondeterministic polynomial time) is equivalent to saying that there is a polynomial time "proof system " for L. The proof system we have in mind is one where on input x, a "prover " creates a string a, and the "verifier " then computes on x and a in time polynomial in the length of the binary representation of x to check that
Statistical ZeroKnowledge Languages Can Be Recognized in Two Rounds
 Journal of Computer and System Sciences
, 1991
"... : Recently, a hierarchy of probabilistic complexity classes generalizing NP has emerged in the work of Babai [B], and Goldwasser, Micali, and Rackoff [GMR1], and Goldwasser and Sipser [GS]. The class IP is defined through the computational model of an interactive proververifier pair. Both Turing ma ..."
Abstract

Cited by 71 (2 self)
 Add to MetaCart
: Recently, a hierarchy of probabilistic complexity classes generalizing NP has emerged in the work of Babai [B], and Goldwasser, Micali, and Rackoff [GMR1], and Goldwasser and Sipser [GS]. The class IP is defined through the computational model of an interactive proververifier pair. Both Turing machines in a pair receive a common input and exchange messages. Every move of the verifier as well as its final determination of whether to accept or reject w are the result of random polynomial time computations on the input and all messages sent so far. The prover has no resource bounds. A language, L, is in IP if there is a proververifier pair such that: 1.) when w 2 L, the verifier accepts with probability at least 1 \Gamma 2 \Gammajwj and, 2.) when w 62 L, the verifier interacting with any prover accepts with probability at most 2 \Gammajwj . Such a proververifier pair is called an interactive proof for L. In addition to defining interactive proofs, Goldwasser, Micali, and Rackoff...
Hilbert's Nullstellensatz is in the Polynomial Hierarchy
 Journal of Complexity
, 1996
"... We show that if the Generalized Riemann Hypothesis is true, the problem of deciding whether a system of polynomial equations in several complex variables has a solution is in the second level of the polynomial hierarchy. In fact, this problem is in AM, the "ArthurMerlin" class (recall tha ..."
Abstract

Cited by 46 (12 self)
 Add to MetaCart
(Show Context)
We show that if the Generalized Riemann Hypothesis is true, the problem of deciding whether a system of polynomial equations in several complex variables has a solution is in the second level of the polynomial hierarchy. In fact, this problem is in AM, the "ArthurMerlin" class (recall that NP ` AM ` RP NP ` \Pi 2 ). The best previous bound was PSPACE. An earlier version of this paper was distributed as NeuroCOLT Technical Report 9644. The present paper includes in particular a new lower bound for unsatisfiable systems, and remarks on the ArthurMerlin class. 1 A part of this work was done when the author was visiting DIMACS at Rutgers University. 1 Introduction In its weak form, Hilbert's Nullstellensatz states that a system f 1 (x) = 0; : : : ; f s (x) = 0 (1) of polynomial equations in n unknowns has no solution over C if and only if there are polynomials g 1 ; : : : ; g s 2 C [X 1 ; : : : ; X n ] such that P s i=1 f i g i = 1. For this reason, the problem of deciding whethe...
The (True) Complexity of Statistical Zero Knowledge (Extended Abstract)
 Proceedings of the 22nd Annual ACM Symposium on the Theory of Computing, ACM
, 1990
"... ) Mihir Bellare Silvio Micali y Rafail Ostrovsky z MIT Laboratory for Computer Science 545 Technology Square Cambridge, MA 02139 Abstract Statistical zeroknowledge is a very strong privacy constraint which is not dependent on computational limitations. In this paper we show that given a comp ..."
Abstract

Cited by 44 (19 self)
 Add to MetaCart
) Mihir Bellare Silvio Micali y Rafail Ostrovsky z MIT Laboratory for Computer Science 545 Technology Square Cambridge, MA 02139 Abstract Statistical zeroknowledge is a very strong privacy constraint which is not dependent on computational limitations. In this paper we show that given a complexity assumption a much weaker condition suffices to attain statistical zeroknowledge. As a result we are able to simplify statistical zeroknowledge and to better characterize, on many counts, the class of languages that possess statistical zeroknowledge proofs. 1 Introduction An interactive proof involves two parties, a prover and a verifier, who talk back and forth. The prover, who is computationally unbounded, tries to convince the probabilistic polynomial time verifier that a given theorem is true. A zeroknowledge proof is an interactive proof with an additional privacy constraint: the verifier does not learn why the theorem is true [11]. That is, whatever the polynomialtime verif...
OneWay Functions are Essential for NonTrivial ZeroKnowledge(Extended Abstract)
 IN PROC. 2ND ISRAEL SYMP. ON THEORY OF COMPUTING AND SYSTEMS (ISTCS93), IEEE COMPUTER
, 1993
"... It was known that if oneway functions exist, then there are zeroknowledge proofs for every language in PSPACE. We prove that unless very weak oneway functions exist, ZeroKnowledge proofs can be given only for languages in BPP. For averagecase definitions of BPP we prove an analogous result und ..."
Abstract

Cited by 41 (12 self)
 Add to MetaCart
It was known that if oneway functions exist, then there are zeroknowledge proofs for every language in PSPACE. We prove that unless very weak oneway functions exist, ZeroKnowledge proofs can be given only for languages in BPP. For averagecase definitions of BPP we prove an analogous result under the assumption that uniform oneway functions do not exist. Thus, very loosely speaking, zeroknowledge is either useless (exists only for "easy" languages), or universal (exists for every provable language).
Randomness, Interactive Proofs and . . .
 APPEARS IN THE UNIVERSAL TURING MACHINE: A HALFCENTURY SURVEY, R. HERKEN ED.
, 1987
"... Recent approaches to the notions of randomness and proofs are surveyed. The new notions differ from the traditional ones in being subjective to the capabilities of the observer rather than reflecting "ideal " entities. The new notion of randomness regards probability distributions as equal ..."
Abstract

Cited by 33 (7 self)
 Add to MetaCart
(Show Context)
Recent approaches to the notions of randomness and proofs are surveyed. The new notions differ from the traditional ones in being subjective to the capabilities of the observer rather than reflecting "ideal " entities. The new notion of randomness regards probability distributions as equal if they cannot be told apart by efficient procedures. This notion is constructive and is suited for many applications. The new notion of a proof allows the introduction of the notion of zeroknowledge proofs: convincing arguments which yield nothing but the validity of the assertion. The new approaches to randomness and proofs are based on basic concepts and results from the theory of resourcebounded computation. In order to make the survey as accessible as possible, we have presented elements of the theory of resource bounded computation (but only to the extent required for the description of the new approaches). This survey is not intended to provide an account of the more traditional approaches to randomness (e.g. Kolmogorov Complexity) and proofs (i.e. traditional logic systems). Whenever these approaches are described it is only in order to confront them with the new approaches.
On Completeness and Soundness in Interactive Proof Systems
, 1989
"... An interactive proof system with Perfect Completeness (resp. Perfect Soundness) for a language L is an interactive proof (for L) in which for every x 2 L (resp. x 62 L) the verifier always accepts (resp. always rejects). We show that any language having an interactive proof system has one (of the A ..."
Abstract

Cited by 30 (1 self)
 Add to MetaCart
An interactive proof system with Perfect Completeness (resp. Perfect Soundness) for a language L is an interactive proof (for L) in which for every x 2 L (resp. x 62 L) the verifier always accepts (resp. always rejects). We show that any language having an interactive proof system has one (of the ArthurMerlin type) with perfect completeness. On the other hand, only languages in NP have interactive proofs with perfect soundness. Work done while third author was working at the IBMScientific Center, Technion City, Haifa, Israel. Second author was partially supported by the Fund for Basic Research Administered by the Israeli Academy of Sciences and Humanities. Fifth author was partially supported by PSCCUNY grant. Appeared in Advances in Computing Research: A Research Annual, Vol. 5 (Randomness and Computation, S. Micali, ed.), pages 429442, 1989. Warning: Reproduced almost automatically from an old troff file. The resulting text was not proofread. Updated affiliation for Oded Gold...
ComplexityTheoretic Aspects of Interactive Proof Systems
, 1989
"... In 1985, Goldwasser, Micali and Rackoff formulated interactive proof systems as a tool for developing cryptographic protocols. Indeed, many exciting cryptographic results followed from studying interactive proof systems and the related concept of zeroknowledge. Interactive proof systems also have a ..."
Abstract

Cited by 22 (3 self)
 Add to MetaCart
(Show Context)
In 1985, Goldwasser, Micali and Rackoff formulated interactive proof systems as a tool for developing cryptographic protocols. Indeed, many exciting cryptographic results followed from studying interactive proof systems and the related concept of zeroknowledge. Interactive proof systems also have an important part in complexity theory merging the well established concepts of probabilistic and nondeterministic computation. This thesis will study the complexity of various models of interactive proof systems. A perfect zeroknowledge interactive protocol convinces a verifier that a string is in a language without revealing any additional knowledge in an information theoretic sense. This thesis will show that for any language that has a perfect zeroknowledge proof system, its complement has a short interactive protocol. This result implies that there are not any perfect zeroknowledge protocols for NPcomplete languages unless the polynomialtime hierarchy collapses. Thus knowledge comp...
ON THE POWER OF INTERACTION
"... Let IP[f(n)] be the class of languages recognized by interactive proofs with f(jxj) interactions. Babai [B] showed that all languages recognized by interactive proofs with a bounded number of interactions can be recognized by interactive proofs with only two interactions � i.e., for every constant k ..."
Abstract

Cited by 21 (3 self)
 Add to MetaCart
Let IP[f(n)] be the class of languages recognized by interactive proofs with f(jxj) interactions. Babai [B] showed that all languages recognized by interactive proofs with a bounded number of interactions can be recognized by interactive proofs with only two interactions � i.e., for every constant k, IP[k] collapses to IP[2]. In this paper, we give evidence that interactive proofs with an unbounded number of interactions may be more powerful than interactive proofs with a bounded number of interactions. We show that for any polynomially bounded polynomial time computable function f(n) and any g(n) =o(f(n)) there exists an oracle B such that IPB [f(n)] 6 IPB [g(n)]. The techniques employed are extensions of the techniques for proving lower bounds on small depth circuits used in [FSS], [Y] and [H1].
Making ZeroKnowledge Provers Efficient
 Proceedings of the 24th Annual Symposium on the Theory of Computing, ACM
, 1995
"... We look at the question of how powerful a prover must be to give a zeroknowledge proof. We present the first unconditional bounds on the complexity of a statistical ZK prover. The result is that if a language possesses a statistical zeroknowledge then it also possesses a statistical zeroknowledge ..."
Abstract

Cited by 19 (6 self)
 Add to MetaCart
(Show Context)
We look at the question of how powerful a prover must be to give a zeroknowledge proof. We present the first unconditional bounds on the complexity of a statistical ZK prover. The result is that if a language possesses a statistical zeroknowledge then it also possesses a statistical zeroknowledge proof in which the prover runs in probabilistic, polynomial time with an NP oracle. Previously this was only known given the existence of oneway permutations. Extending these techniques to protocols of knowledge complexity k(n) ? 0, we derive bounds on the time complexity of languages of "small" knowledge complexity. Underlying these results is a technique for efficiently generating an "almost" random element of a set S 2 NP. Specifically, we construct a probabilistic machine with an NP oracle which, on input 1 n and ffi ? 0 runs in time polynomial in n and lg ffi \Gamma1 , and outputs a random string from a distribution within distance ffi of the uniform distribution on S " f0; 1g n ...