Results 1-10 of 34
On the Composition of Zero-Knowledge Proof Systems
SIAM Journal on Computing, 1990
Cited by 190 (14 self)
The wide applicability of zero-knowledge interactive proofs comes from the possibility of using these proofs as subroutines in cryptographic protocols. A basic question concerning this use is whether the (sequential and/or parallel) composition of zero-knowledge protocols is zero-knowledge too. We demonstrate the limitations of the composition of zero-knowledge protocols by proving that the original definition of zero-knowledge is not closed under sequential composition; and that even the strong formulations of zero-knowledge (e.g. black-box simulation) are not closed under parallel execution. We present lower bounds on the round complexity of zero-knowledge proofs, with significant implications to the parallelization of zero-knowledge protocols. We prove that 3-round interactive proofs and constant-round Arthur-Merlin proofs that are black-box simulation zero-knowledge exist only for languages in BPP. In particular, it follows that the "parallel versions" of the first interactive proo...
BPP has Subexponential Time Simulations unless EXPTIME has Publishable Proofs (Extended Abstract)
1993
Cited by 112 (9 self)
László Babai, Noam Nisan, Lance Fortnow, Avi Wigderson (University of Chicago, Hebrew University). We show that BPP can be simulated in subexponential time for infinitely many input lengths unless exponential time collapses to the second level of the polynomial-time hierarchy, has polynomial-size circuits, and has publishable proofs (EXPTIME = MA). We also show that BPP is contained in subexponential time unless exponential time has publishable proofs for infinitely many input lengths. In addition, we show BPP can be simulated in subexponential time for infinitely many input lengths unless there exist unary languages in MA \ P. The proofs are based on the recent characterization of the power of multi-prover interactive protocols and on random self-reducibility via low degree polynomials. They exhibit an interplay between Boolean circuit simulation, interactive proofs and classical complexity classes. An important feature of this proof is that it does not ...
Software Reliability via Run-Time Result-Checking
Journal of the ACM, 1994
Cited by 101 (2 self)
We review the field of result-checking, discussing simple checkers and self-correctors. We argue that such checkers could profitably be incorporated in software as an aid to efficient debugging and reliable functionality. We consider how to modify traditional checking methodologies to make them more appropriate for use in real-time, real-number computer systems. In particular, we suggest that checkers should be allowed to use stored randomness: i.e., that they should be allowed to generate, preprocess, and store random bits prior to run-time, and then to use this information repeatedly in a series of run-time checks. In a case study of checking a general real-number linear transformation (for example, a Fourier Transform), we present a simple checker which uses stored randomness, and a self-corrector which is particularly efficient if stored randomness is allowed.
One-Way Functions are Essential for Non-Trivial Zero-Knowledge (Extended Abstract)
In Proc. 2nd Israel Symp. on Theory of Computing and Systems (ISTCS93), IEEE Computer, 1993
Cited by 37 (10 self)
It was known that if one-way functions exist, then there are zero-knowledge proofs for every language in PSPACE. We prove that unless very weak one-way functions exist, Zero-Knowledge proofs can be given only for languages in BPP. For average-case definitions of BPP we prove an analogous result under the assumption that uniform one-way functions do not exist. Thus, very loosely speaking, zero-knowledge is either useless (exists only for "easy" languages), or universal (exists for every provable language).
The random oracle hypothesis is false
1990
Cited by 24 (2 self)
The Random Oracle Hypothesis, attributed to Bennett and Gill, essentially states that the relationships between complexity classes which hold for almost all relativized worlds must also hold in the unrelativized case. Although this paper is not the first to provide a counterexample to the Random Oracle Hypothesis, it does provide a most compelling counterexample by showing that for almost all oracles A, $\mathrm{IP}^A \neq \mathrm{PSPACE}^A$. If the Random Oracle Hypothesis were true, it would contradict Shamir's result that IP = PSPACE. In fact, it is shown that for almost all oracles A, $\mathrm{coNP}^A \not\subseteq \mathrm{IP}^A$. These results extend to the multi-prover proof systems of Ben-Or, Goldwasser, Kilian and Wigderson. In addition, this paper shows that the Random Oracle Hypothesis is sensitive to small changes in the definition. A class IPP, similar to IP, is defined. Surprisingly, the IPP = PSPACE result holds for all oracle worlds. Warning: Essentially this paper has been published in Information and Computation and is hence subject to copyright restrictions. It is for personal use only.
A Game-Theoretic Classification of Interactive Complexity Classes (Extended Abstract)
In Proceedings of the Tenth Annual IEEE Conference on Computational Complexity, 1995
Cited by 18 (1 self)
Game-theoretic characterizations of complexity classes have often proved useful in understanding the power and limitations of these classes. One well-known example tells us that PSPACE can be characterized by two-person, perfect-information games in which the length of a played game is polynomial in the length of the description of the initial position [Chandra et al., Journal of the ACM, 28 (1981), pp. 114-133]. In this paper, we investigate the connection between game theory and interactive computation. We formalize the notion of a polynomially definable game system for the language L, which, informally, consists of two arbitrarily powerful players P_1 and P_2 and a ...
The P versus NP problem
Clay Mathematical Institute; The Millennium Prize Problem, 2000
Cited by 13 (0 self)
The P versus NP problem is to determine whether every language accepted by some nondeterministic algorithm in polynomial time is also accepted by some (deterministic) algorithm in polynomial time. To define the problem precisely it is necessary to give a formal model of a computer. The standard computer model in computability theory is the Turing machine, introduced by Alan Turing in 1936 [37]. Although the model was introduced before physical computers were built, it nevertheless continues to be accepted as the proper computer model for the purpose of defining the notion of computable function. Informally the class P is the class of decision problems solvable by some algorithm within a number of steps bounded by some fixed polynomial in the length of the input. Turing was not concerned with the efficiency of his machines, rather his concern was whether they can simulate arbitrary algorithms given sufficient time. It turns out, however, Turing machines can generally simulate more efficient computer models (for example, machines equipped with many tapes or an unbounded random access memory) by at most squaring or cubing the computation time. Thus P is a
Verifying and decoding in constant depth
In Proceedings of the Thirty-Ninth Annual ACM Symposium on Theory of Computing, 2007
Cited by 13 (3 self)
We develop a general approach for improving the efficiency of a computationally bounded receiver interacting with a powerful and possibly malicious sender. The key idea we use is that of delegating some of the receiver’s computation to the (potentially malicious) sender. This idea was recently introduced by Goldwasser et al. [14] in the area of program checking. A classic example of such a sender-receiver setting is interactive proof systems. By taking the sender to be a (potentially malicious) prover and the receiver to be a verifier, we show that (p-prover) interactive proofs with k rounds of interaction are equivalent to (p-prover) interactive proofs with k + O(1) rounds, where the verifier is in NC^0. That is, each round of the verifier’s computation can be implemented in constant parallel time. As a corollary, we obtain interactive proof systems, with (optimally) constant soundness, for languages in AM and NEXP, where the verifier runs in constant parallel-time. Another, less immediate sender-receiver setting arises in considering error correcting codes. By taking the sender to be a (potentially corrupted) codeword and the receiver to be a decoder, we obtain explicit families of codes that are locally (list-)decodable by constant-depth circuits of size polylogarithmic in the length of the codeword. Using the tight connection between locally list-decodable codes and average-case complexity, we obtain a new, more efficient, worst-case to average-case reduction for languages in EXP.