Results 1 - 10 of 50
On the Composition of Zero-Knowledge Proof Systems
SIAM Journal on Computing, 1990
Cited by 214 (15 self)
The wide applicability of zero-knowledge interactive proofs comes from the possibility of using these proofs as subroutines in cryptographic protocols. A basic question concerning this use is whether the (sequential and/or parallel) composition of zero-knowledge protocols is zero-knowledge too. We demonstrate the limitations of the composition of zero-knowledge protocols by proving that the original definition of zero-knowledge is not closed under sequential composition; and that even the strong formulations of zero-knowledge (e.g. black-box simulation) are not closed under parallel execution. We present lower bounds on the round complexity of zero-knowledge proofs, with significant implications to the parallelization of zero-knowledge protocols. We prove that 3-round interactive proofs and constant-round Arthur-Merlin proofs that are black-box simulation zero-knowledge exist only for languages in BPP. In particular, it follows that the "parallel versions" of the first interactive proo...
Software reliability via run-time result-checking
J. ACM, 1997
Cited by 121 (2 self)
We review the field of result-checking, discussing simple checkers and self-correctors. We argue that such checkers could profitably be incorporated in software as an aid to efficient debugging and enhanced reliability. We consider how to modify traditional checking methodologies to make them more appropriate for use in real-time, real-number computer systems. In particular, we suggest that checkers should be allowed to use stored randomness: i.e., that they should be allowed to generate, preprocess, and store random bits prior to run-time, and then to use this information repeatedly in a series of run-time checks. In a case study of checking a general real-number linear transformation (for example, a Fourier Transform), we present a simple checker which uses stored randomness, and a self-corrector which is particularly efficient if stored
BPP has Subexponential Time Simulations unless EXPTIME has Publishable Proofs (Extended Abstract)
1993
Cited by 111 (9 self)
László Babai, Noam Nisan, Lance Fortnow, Avi Wigderson (University of Chicago, Hebrew University)
Abstract: We show that BPP can be simulated in subexponential time for infinitely many input lengths unless exponential time
• collapses to the second level of the polynomial-time hierarchy,
• has polynomial-size circuits and
• has publishable proofs (EXPTIME=MA).
We also show that BPP is contained in subexponential time unless exponential time has publishable proofs for infinitely many input lengths. In addition, we show BPP can be simulated in subexponential time for infinitely many input lengths unless there exist unary languages in MA \ P. The proofs are based on the recent characterization of the power of multi-prover interactive protocols and on random self-reducibility via low degree polynomials. They exhibit an interplay between Boolean circuit simulation, interactive proofs and classical complexity classes. An important feature of this proof is that it does not ...
Efficient Checking of Polynomials and Proofs and the Hardness of Approximation Problems
1992
Cited by 67 (9 self)
The definition of the class NP [Coo71, Lev73] highlights the problem of verification of proofs as one of central interest to theoretical computer science. Recent efforts have shown that the efficiency of the verification can be greatly improved by allowing the verifier access to random bits and accepting probabilistic guarantees from the verifier [BFL91, BFLS91, FGL+91, AS92]. We improve upon the efficiency of the proof systems developed above and obtain proofs which can be verified probabilistically by examining only a constant number of (randomly chosen) bits of the proof. The efficiently verifiable proofs constructed here rely on the structural properties of low-degree polynomials. We explore the properties of these functions by examining some simple and basic questions about them. We consider questions of the form:
• (testing) Given an oracle for a function f, is f close to a low-degree polynomial?
• (correcting) Let f be close to a low-degree polynomial g, is it possible to efficiently reconstruct the value of g on any given input using an oracle for f?
The questions described above have been raised before in the context of coding theory as the problems of error-detecting and error-correcting of codes. More recently
One-Way Functions are Essential for Non-Trivial Zero-Knowledge (Extended Abstract)
In Proc. 2nd Israel Symp. on Theory of Computing and Systems (ISTCS93), IEEE Computer, 1993
Cited by 44 (12 self)
It was known that if one-way functions exist, then there are zero-knowledge proofs for every language in PSPACE. We prove that unless very weak one-way functions exist, zero-knowledge proofs can be given only for languages in BPP. For average-case definitions of BPP we prove an analogous result under the assumption that uniform one-way functions do not exist. Thus, very loosely speaking, zero-knowledge is either useless (exists only for "easy" languages), or universal (exists for every provable language).
The random oracle hypothesis is false
1990
Cited by 28 (2 self)
The Random Oracle Hypothesis, attributed to Bennett and Gill, essentially states that the relationships between complexity classes which hold for almost all relativized worlds must also hold in the unrelativized case. Although this paper is not the first to provide a counterexample to the Random Oracle Hypothesis, it does provide a most compelling counterexample by showing that for almost all oracles A, $IP^A \neq PSPACE^A$. If the Random Oracle Hypothesis were true, it would contradict Shamir's result that IP = PSPACE. In fact, it is shown that for almost all oracles A, $coNP^A \not\subseteq IP^A$. These results extend to the multi-prover proof systems of Ben-Or, Goldwasser, Kilian and Wigderson. In addition, this paper shows that the Random Oracle Hypothesis is sensitive to small changes in the definition. A class IPP, similar to IP, is defined. Surprisingly, the IPP = PSPACE result holds for all oracle worlds. Warning: Essentially this paper has been published in Information and Computation and is hence subject to copyright restrictions. It is for personal use only.
A Game-Theoretic Classification of Interactive Complexity Classes (Extended Abstract)
In Proceedings of the Tenth Annual IEEE Conference on Computational Complexity, 1995
Cited by 22 (1 self)
Game-theoretic characterizations of complexity classes have often proved useful in understanding the power and limitations of these classes. One well-known example tells us that PSPACE can be characterized by two-person, perfect-information games in which the length of a played game is polynomial in the length of the description of the initial position [Chandra et al., Journal of the ACM, 28 (1981), pp. 114-133]. In this paper, we investigate the connection between game theory and interactive computation. We formalize the notion of a polynomially definable game system for the language L, which, informally, consists of two arbitrarily powerful players $P_1$ and $P_2$ and a ...
Quantum interactive proofs with competing provers
In Proceedings of the 22nd Symposium on Theoretical Aspects of Computer Science (2005)
Cited by 20 (11 self)
This paper studies quantum refereed games, which are quantum interactive proof systems with two competing provers: one that tries to convince the verifier to accept and the other that tries to convince the verifier to reject. We prove that every language having an ordinary quantum interactive proof system also has a quantum refereed game in which the verifier exchanges just one round of messages with each prover. A key part of our proof is the fact that there exists a single quantum measurement that reliably distinguishes between mixed states chosen arbitrarily from disjoint convex sets having large minimal trace distance from one another. We also show how to reduce the probability of error for some classes of quantum refereed games.
The P versus NP problem
Clay Mathematical Institute; The Millennium Prize Problem, 2000
Cited by 18 (0 self)
The P versus NP problem is to determine whether every language accepted by some nondeterministic algorithm in polynomial time is also accepted by some (deterministic) algorithm in polynomial time. To define the problem precisely it is necessary to give a formal model of a computer. The standard computer model in computability theory is the Turing machine, introduced by Alan Turing in 1936 [37]. Although the model was introduced before physical computers were built, it nevertheless continues to be accepted as the proper computer model for the purpose of defining the notion of computable function. Informally the class P is the class of decision problems solvable by some algorithm within a number of steps bounded by some fixed polynomial in the length of the input. Turing was not concerned with the efficiency of his machines, rather his concern was whether they can simulate arbitrary algorithms given sufficient time. It turns out, however, Turing machines can generally simulate more efficient computer models (for example, machines equipped with many tapes or an unbounded random access memory) by at most squaring or cubing the computation time. Thus P is a