Results 1-10 of 46
On the Composition of Zero-Knowledge Proof Systems
SIAM Journal on Computing, 1990
Cited by 192 (14 self)
The wide applicability of zero-knowledge interactive proofs comes from the possibility of using these proofs as subroutines in cryptographic protocols. A basic question concerning this use is whether the (sequential and/or parallel) composition of zero-knowledge protocols is zero-knowledge too. We demonstrate the limitations of the composition of zero-knowledge protocols by proving that the original definition of zero-knowledge is not closed under sequential composition; and that even the strong formulations of zero-knowledge (e.g. black-box simulation) are not closed under parallel execution. We present lower bounds on the round complexity of zero-knowledge proofs, with significant implications to the parallelization of zero-knowledge protocols. We prove that 3-round interactive proofs and constant-round Arthur-Merlin proofs that are black-box simulation zero-knowledge exist only for languages in BPP. In particular, it follows that the "parallel versions" of the first interactive proo...
BPP has Subexponential Time Simulations unless EXPTIME has Publishable Proofs (Extended Abstract)
1993
Cited by 114 (9 self)
László Babai, Noam Nisan, Lance Fortnow, Avi Wigderson. University of Chicago, Hebrew University. Abstract: We show that BPP can be simulated in subexponential time for infinitely many input lengths unless exponential time
• collapses to the second level of the polynomial-time hierarchy,
• has polynomial-size circuits and
• has publishable proofs (EXPTIME=MA).
We also show that BPP is contained in subexponential time unless exponential time has publishable proofs for infinitely many input lengths. In addition, we show BPP can be simulated in subexponential time for infinitely many input lengths unless there exist unary languages in MA \ P. The proofs are based on the recent characterization of the power of multi-prover interactive protocols and on random self-reducibility via low degree polynomials. They exhibit an interplay between Boolean circuit simulation, interactive proofs and classical complexity classes. An important feature of this proof is that it does not ...
Software Reliability via Run-Time Result-Checking
JOURNAL OF THE ACM, 1994
Cited by 104 (2 self)
We review the field of result-checking, discussing simple checkers and self-correctors. We argue that such checkers could profitably be incorporated in software as an aid to efficient debugging and reliable functionality. We consider how to modify traditional checking methodologies to make them more appropriate for use in real-time, real-number computer systems. In particular, we suggest that checkers should be allowed to use stored randomness: i.e., that they should be allowed to generate, preprocess, and store random bits prior to run-time, and then to use this information repeatedly in a series of run-time checks. In a case study of checking a general real-number linear transformation (for example, a Fourier Transform), we present a simple checker which uses stored randomness, and a self-corrector which is particularly efficient if stored randomness is allowed.
Efficient Checking of Polynomials and Proofs and the Hardness of Approximation Problems
1992
Cited by 70 (9 self)
The definition of the class NP [Coo71, Lev73] highlights the problem of verification of proofs as one of central interest to theoretical computer science. Recent efforts have shown that the efficiency of the verification can be greatly improved by allowing the verifier access to random bits and accepting probabilistic guarantees from the verifier [BFL91, BFLS91, FGL+91, AS92]. We improve upon the efficiency of the proof systems developed above and obtain proofs which can be verified probabilistically by examining only a constant number of (randomly chosen) bits of the proof. The efficiently verifiable proofs constructed here rely on the structural properties of low-degree polynomials. We explore the properties of these functions by examining some simple and basic questions about them. We consider questions of the form:
• (testing) Given an oracle for a function f, is f close to a low-degree polynomial?
• (correcting) Let f be close to a low-degree polynomial g, is it possible to efficiently reconstruct the value of g on any given input using an oracle for f?
The questions described above have been raised before in the context of coding theory as the problems of error-detecting and error-correcting of codes. More recently
One-Way Functions are Essential for Non-Trivial Zero-Knowledge (Extended Abstract)
IN PROC. 2ND ISRAEL SYMP. ON THEORY OF COMPUTING AND SYSTEMS (ISTCS93), IEEE COMPUTER, 1993
Cited by 38 (10 self)
It was known that if one-way functions exist, then there are zero-knowledge proofs for every language in PSPACE. We prove that unless very weak one-way functions exist, Zero-Knowledge proofs can be given only for languages in BPP. For average-case definitions of BPP we prove an analogous result under the assumption that uniform one-way functions do not exist. Thus, very loosely speaking, zero-knowledge is either useless (exists only for "easy" languages), or universal (exists for every provable language).
The random oracle hypothesis is false
1990
Cited by 24 (2 self)
The Random Oracle Hypothesis, attributed to Bennett and Gill, essentially states that the relationships between complexity classes which hold for almost all relativized worlds must also hold in the unrelativized case. Although this paper is not the first to provide a counterexample to the Random Oracle Hypothesis, it does provide a most compelling counterexample by showing that for almost all oracles A, $IP^A \neq PSPACE^A$. If the Random Oracle Hypothesis were true, it would contradict Shamir's result that IP = PSPACE. In fact, it is shown that for almost all oracles A, $coNP^A \not\subseteq IP^A$. These results extend to the multi-prover proof systems of Ben-Or, Goldwasser, Kilian and Wigderson. In addition, this paper shows that the Random Oracle Hypothesis is sensitive to small changes in the definition. A class IPP, similar to IP, is defined. Surprisingly, the IPP = PSPACE result holds for all oracle worlds. Warning: Essentially this paper has been published in Information and Computation and is hence subject to copyright restrictions. It is for personal use only.
A Game-Theoretic Classification of Interactive Complexity Classes (Extended Abstract)
IN PROCEEDINGS OF THE TENTH ANNUAL IEEE CONFERENCE ON COMPUTATIONAL COMPLEXITY, 1995
Cited by 20 (1 self)
Game-theoretic characterizations of complexity classes have often proved useful in understanding the power and limitations of these classes. One well-known example tells us that PSPACE can be characterized by two-person, perfect-information games in which the length of a played game is polynomial in the length of the description of the initial position [Chandra et al., Journal of the ACM, 28 (1981), pp. 114-133]. In this paper, we investigate the connection between game theory and interactive computation. We formalize the notion of a polynomially definable game system for the language L, which, informally, consists of two arbitrarily powerful players $P_1$ and $P_2$ and a ...
Verifying and decoding in constant depth
In Proceedings of the Thirty-Ninth Annual ACM Symposium on Theory of Computing, 2007
Cited by 13 (3 self)
We develop a general approach for improving the efficiency of a computationally bounded receiver interacting with a powerful and possibly malicious sender. The key idea we use is that of delegating some of the receiver's computation to the (potentially malicious) sender. This idea was recently introduced by Goldwasser et al. [14] in the area of program checking. A classic example of such a sender-receiver setting is interactive proof systems. By taking the sender to be a (potentially malicious) prover and the receiver to be a verifier, we show that (p-prover) interactive proofs with k rounds of interaction are equivalent to (p-prover) interactive proofs with k + O(1) rounds, where the verifier is in $NC^0$. That is, each round of the verifier's computation can be implemented in constant parallel time. As a corollary, we obtain interactive proof systems, with (optimally) constant soundness, for languages in AM and NEXP, where the verifier runs in constant parallel time. Another, less immediate sender-receiver setting arises in considering error correcting codes. By taking the sender to be a (potentially corrupted) codeword and the receiver to be a decoder, we obtain explicit families of codes that are locally (list-)decodable by constant-depth circuits of size polylogarithmic in the length of the codeword. Using the tight connection between locally list-decodable codes and average-case complexity, we obtain a new, more efficient, worst-case to average-case reduction for languages in EXP.