Results 1 - 10 of 61
Algebraic Methods for Interactive Proof Systems
, 1990
Cited by 308 (30 self)
We present a new algebraic technique for the construction of interactive proof systems. We use our technique to prove that every language in the polynomial-time hierarchy has an interactive proof system. This technique played a pivotal role in the recent proofs that IP=PSPACE (Shamir) and that MIP=NEXP (Babai, Fortnow and Lund).
The NP-completeness column: an ongoing guide
 Journal of Algorithms
, 1985
Cited by 188 (0 self)
This is the nineteenth edition of a (usually) quarterly column that covers new developments in the theory of NP-completeness. The presentation is modeled on that used by M. R. Garey and myself in our book "Computers and Intractability: A Guide to the Theory of NP-Completeness," W. H. Freeman & Co., New York, 1979 (hereinafter referred to as "[G&J]"; previous columns will be referred to by their dates). A background equivalent to that provided by [G&J] is assumed, and, when appropriate, cross-references will be given to that book and the list of problems (NP-complete and harder) presented there. Readers who have results they would like mentioned (NP-hardness, PSPACE-hardness, polynomial-time-solvability, etc.) or open problems they would like publicized, should
On the complexity of the parity argument and other inefficient proofs of existence
 JCSS
, 1994
Cited by 155 (8 self)
We define several new complexity classes of search problems, "between" the classes FP and FNP. These new classes are contained, along with factoring, and the class PLS, in the class TFNP of search problems in FNP that always have a witness. A problem in each of these new classes is defined in terms of an implicitly given, exponentially large graph. The existence of the solution sought is established via a simple graph-theoretic argument with an inefficiently constructive proof; for example, PLS can be thought of as corresponding to the lemma "every dag has a sink." The new classes are based on lemmata such as "every graph has an even number of odd-degree nodes." They contain several important problems for which no polynomial time algorithm is presently known, including the computational versions of Sperner's lemma, Brouwer's fixpoint theorem, Chevalley's theorem, and the Borsuk-Ulam theorem, the linear complementarity problem for P-matrices, finding a mixed equilibrium in a non-zero sum game, finding a second Hamilton circuit in a Hamiltonian cubic graph, a second Hamiltonian decomposition in a quartic graph, and others. Some of these problems are shown to be complete. © 1994 Academic Press, Inc.
On Hiding Information from an Oracle
, 1989
Cited by 130 (15 self)
We consider the problem of computing with encrypted data. Player A wishes to know the value f(x) for some x but lacks the power to compute it. Player B has the power to compute f and is willing to send f(y) to A if she sends him y, for any y. Informally, an encryption scheme for the problem f is a method by which A, using her inferior resources, can transform the cleartext instance x into an encrypted instance y, obtain f(y) from B, and infer f(x) from f(y) in such a way that B cannot infer x from y. When such an encryption scheme exists, we say that f is encryptable. The framework defined in this paper enables us to prove precise statements about what an encrypted instance hides and what it leaks, in an information-theoretic sense. Our definitions are cast in the language of probability theory and do not involve assumptions such as the intractability of factoring or the existence of one-way functions. We use our framework to describe encryption schemes for some well-known function...
The Complexity of Mean Payoff Games on Graphs
 Theoretical Computer Science
, 1996
Cited by 95 (3 self)
We study the complexity of finding the values and optimal strategies of mean payoff games on graphs, a family of perfect information games introduced by Ehrenfeucht and Mycielski and considered by Gurvich, Karzanov and Khachiyan. We describe a pseudo-polynomial time algorithm for the solution of such games, the decision problem for which is in NP ∩ coNP. Finally, we describe a polynomial reduction from mean payoff games to the simple stochastic games studied by Condon. These games are also known to be in NP ∩ coNP, but no polynomial or pseudo-polynomial time algorithm is known for them. 1 Introduction Let $G = (V, E)$ be a finite directed graph in which each vertex has at least one edge going out of it. Let $w : E \to \{-W, \ldots, 0, \ldots, W\}$ be a function that assigns an integral weight to each edge of $G$. Ehrenfeucht and Mycielski [EM79] studied the following infinite two-person game played on such a graph. The game starts at a vertex $a_0 \in V$. The first player chooses an edge e...
Interpolation Theorems, Lower Bounds for Proof Systems, and Independence Results for Bounded Arithmetic
Cited by 88 (2 self)
A proof of the (propositional) Craig interpolation theorem for cut-free sequent calculus yields that a sequent with a cut-free proof (or with a proof with cut-formulas of restricted form; in particular, with only analytic cuts) with k inferences has an interpolant whose circuit-size is at most k. We give a new proof of the interpolation theorem based on a communication complexity approach which allows a similar estimate for a larger class of proofs. We derive from it several corollaries: 1. Feasible interpolation theorems for the following proof systems: (a) resolution. (b) a subsystem of LK corresponding to the bounded arithmetic theory $S^2_2(\alpha)$. (c) linear equational calculus. (d) cutting planes. 2. New proofs of the exponential lower bounds (for new formulas) (a) for resolution ([15]). (b) for the cutting planes proof system with coefficients written in unary ([4]). 3. An alternative proof of the independence result of [43] concerning the provability of circuit-size lower bounds ...
Some Consequences of Cryptographical Conjectures for . . .
, 1995
Cited by 76 (8 self)
We show that there is a pair of disjoint NP-sets, whose disjointness is provable in $S^1_2$ and which cannot be separated by a set in P/poly, if the cryptosystem RSA is secure. Further we show that factoring and the discrete logarithm are implicitly definable in any extension of $S^1_2$ admitting an NP definition of primes about which it can prove that no number satisfying the definition is composite. As a corollary we obtain that the Extended Frege (EF) proof system does not admit feasible interpolation theorem unless the RSA cryptosystem is not secure, and that an extension of EF by tautologies p (p primes), formalizing that p is not composite, as additional axioms does not admit feasible interpolation theorem unless factoring and the discrete logarithm are in P/poly. The NP ≠ coNP conjecture is equivalent to the statement that no propositional proof system (as defined in [6]) admits polynomial size proofs of all tautologies. However, only for few proof systems occur...
Almost All Primes Can be Quickly Certified
Cited by 69 (4 self)
This paper presents a new probabilistic primality test. Upon termination the test outputs "composite" or "prime", along with a short proof of correctness, which can be verified in deterministic polynomial time. The test is different from the tests of Miller [M], Solovay-Strassen [SS], and Rabin [R] in that its assertions of primality are certain, rather than being correct with high probability or dependent on an unproven assumption. The test terminates in expected polynomial time on all but at most an exponentially vanishing fraction of the inputs of length k, for every k. This result implies: • There exists an infinite set of primes which can be recognized in expected polynomial time. • Large certified primes can be generated in expected polynomial time. Under a very plausible condition on the distribution of primes in "small" intervals, the proposed algorithm can be shown to run in expected polynomial time on every input. This
Non-Transitive Transfer of Confidence: A Perfect Zero-Knowledge Interactive Protocol for SAT and Beyond
, 1986
Cited by 57 (5 self)
A perfect zero-knowledge interactive proof is a protocol by which Alice can convince Bob of the truth of some theorem in a way that yields no information as to how the proof might proceed (in the sense of Shannon's information theory). We give a general technique for achieving this goal for any problem in NP (and beyond). The fact that our protocol is perfect zero-knowledge does not depend on unproved cryptographic assumptions. Furthermore, our protocol is powerful enough to allow Alice to convince Bob of theorems for which she does not even have a proof. Whenever Alice can convince herself probabilistically of a theorem, perhaps thanks to her knowledge of some trapdoor information, she can convince Bob as well, without compromising the trapdoor in any way. This results in a non-transitive transfer of confidence from Alice to Bob, because Bob will not be able to convince anyone else afterwards. Our protocol is dual to those of [GrMiWi86a, BrCr86]. 1. INTRODUCTION Assume that Alice h...
Zero-Knowledge Simulation of Boolean Circuits
, 1987
Cited by 37 (7 self)
A zero-knowledge interactive proof is a protocol by which Alice can convince a polynomially-bounded Bob of the truth of some theorem without giving him any hint as to how the proof might proceed. Under cryptographic assumptions, we give a general technique for achieving this goal for any problem in NP. This extends to a presumably larger class, which combines the powers of nondeterminism and randomness. Our protocol is powerful enough to allow Alice to convince Bob of theorems for which she does not even have a proof. Whenever Alice can convince herself probabilistically of a theorem, perhaps thanks to her knowledge of some trapdoor information, she can convince Bob as well, without compromising the trapdoor in any way. 1. INTRODUCTION The notion of zero-knowledge interactive proofs (ZKIP) introduced a few years ago by Goldwasser, Micali and Rackoff [GwMiRac85] has become a very active research area. Assume that Alice holds the proof of some theorem. A zero-knowledge interactive pr...