Graph Nonisomorphism Has Subexponential Size Proofs Unless The Polynomial-Time Hierarchy Collapses
SIAM Journal on Computing, 1998
Cited by 108 (6 self)
We establish hardness versus randomness tradeoffs for a broad class of randomized procedures. In particular, we create efficient nondeterministic simulations of bounded round Arthur-Merlin games using a language in exponential time that cannot be decided by polynomial size oracle circuits with access to satisfiability. We show that every language with a bounded round Arthur-Merlin game has subexponential size membership proofs for infinitely many input lengths unless exponential time coincides with the third level of the polynomial-time hierarchy (and hence the polynomial-time hierarchy collapses). This provides the first strong evidence that graph nonisomorphism has subexponential size proofs. We set up a general framework for derandomization which encompasses more than the traditional model of randomized computation. For a randomized procedure to fit within this framework, we only require that for any fixed input the complexity of checking whether the procedure succeeds on a given ...
Statistical zero-knowledge proofs with efficient provers: Lattice problems and more
In CRYPTO, 2003
Cited by 39 (8 self)
We construct several new statistical zero-knowledge proofs with efficient provers, i.e. ones where the prover strategy runs in probabilistic polynomial time given an NP witness for the input string. Our first proof systems are for approximate versions of the Shortest Vector Problem (SVP) and Closest Vector Problem (CVP), where the witness is simply a short vector in the lattice or a lattice vector close to the target, respectively. Our proof systems are in fact proofs of knowledge, and as a result, we immediately obtain efficient lattice-based identification schemes which can be implemented with arbitrary families of lattices in which the approximate SVP or CVP are hard. We then turn to the general question of whether all problems in SZK ∩ NP admit statistical zero-knowledge proofs with efficient provers. Towards this end, we give a statistical zero-knowledge proof system with an efficient prover for a natural restriction of Statistical Difference, a complete problem for SZK. We also suggest a plausible approach to resolving the general question in the positive.
Lower bounds for non-black-box zero knowledge
In 44th FOCS, 2003
Cited by 32 (8 self)
We show new lower bounds and impossibility results for general (possibly non-black-box) zero-knowledge proofs and arguments. Our main results are that, under reasonable complexity assumptions: 1. There does not exist a two-round zero-knowledge proof system with perfect completeness for an NP-complete language. The previous impossibility result for two-round zero knowledge, by Goldreich and Oren (J. Cryptology, 1994) was only for the case of auxiliary-input zero-knowledge proofs and arguments. 2. There does not exist a constant-round zero-knowledge strong proof or argument of knowledge (as defined by Goldreich (2001)) for a nontrivial language. 3. There does not exist a constant-round public-coin proof system for a nontrivial language that is resettable zero knowledge. This result also extends to bounded-resettable zero knowledge, in which the number of resets is a priori bounded by a polynomial in the input length and prover-to-verifier communication.
Pseudorandomness for approximate counting and sampling
In Proceedings of the 20th IEEE Conference on Computational Complexity, 2005
Cited by 23 (4 self)
We study computational procedures that use both randomness and nondeterminism. Examples are Arthur-Merlin games and approximate counting and sampling of NP-witnesses. The goal of this paper is to derandomize such procedures under the weakest possible assumptions. Our main technical contribution allows one to “boost” a given hardness assumption. One special case is a proof that $\mathrm{EXP} \not\subseteq \mathrm{NP/poly} \Rightarrow \mathrm{EXP} \not\subseteq \mathrm{P}^{\mathrm{NP}}_{\|}/\mathrm{poly}$. In words, if there is a problem in EXP that cannot be computed by polysize nondeterministic circuits then there is one which cannot be computed by polysize circuits that make nonadaptive NP oracle queries. This in particular shows that the various assumptions used over the last few years by several authors to derandomize Arthur-Merlin games (i.e., show AM = NP) are in fact all equivalent. In addition to simplifying the framework of AM derandomization, we show that this “unified assumption” suffices to derandomize several other probabilistic procedures. For these results we define two new primitives that we regard as the natural pseudorandom objects associated with approximate counting and sampling of NP-witnesses. We use the “boosting” theorem and hashing techniques to construct these primitives using an assumption that is no stronger than that used to derandomize AM. As a consequence, under this assumption, there are deterministic polynomial time algorithms that use nonadaptive NP-queries and perform the following tasks:
• approximate counting of NP-witnesses: given a Boolean circuit A, output r such that $(1 - \epsilon)\,|A^{-1}(1)| \le r \le |A^{-1}(1)|$.
Hardness hypotheses, derandomization, and circuit complexity
In Proceedings of the 24th Conference on Foundations of Software Technology and Theoretical Computer Science, 2004
Cited by 18 (5 self)
We consider hypotheses about nondeterministic computation that have been studied in different contexts and shown to have interesting consequences:
* The measure hypothesis: NP does not have p-measure 0.
* The pseudo-NP hypothesis: there is an NP language that can be distinguished from any $\mathrm{DTIME}(2^{n^{\epsilon}})$ language by an NP refuter.
* The NP-machine hypothesis: there is an NP machine accepting $0^*$ for which no $2^{n^{\epsilon}}$-time machine can find infinitely many accepting computations.
We show that the NP-machine hypothesis is implied by each of the first two. Previously, no relationships were known among these three hypotheses. Moreover, we unify previous work by showing that several derandomizations and circuit-size lower bounds that are known to follow from the first two hypotheses also follow from the NP-machine hypothesis. In particular, the NP-machine hypothesis becomes the weakest known uniform hardness hypothesis that derandomizes AM. We also consider UP versions of the above hypotheses as well as related immunity and scaled dimension hypotheses.
1 Introduction
The following uniform hardness hypotheses are known to imply full derandomization of Arthur-Merlin games (NP = AM):
* The measure hypothesis: NP does not have p-measure 0 [24].
When Worlds Collide: Derandomization, Lower Bounds, and Kolmogorov Complexity
OF REDUCTIONS, in “Proc. 29th ACM Symposium on Theory of Computing”, 1997
Cited by 18 (5 self)
This paper has the following goals:
• To survey some of the recent developments in the field of derandomization.
• To introduce a new notion of time-bounded Kolmogorov complexity (KT), and show that it provides a useful tool for understanding advances in derandomization, and for putting various results in context.
• To illustrate the usefulness of KT, by answering a question that has been posed in the literature, and
• To pose some promising directions for future research.
Derandomization in cryptography
SIAM J. Computing
Cited by 15 (5 self)
We give two applications of Nisan–Wigderson-type (“non-cryptographic”) pseudorandom generators in cryptography. Specifically, assuming the existence of an appropriate NW-type generator, we construct: 1. A one-message witness-indistinguishable proof system for every language in NP, based on any trapdoor permutation. This proof system does not assume a shared random string or any setup assumption, so it is actually an “NP proof system.” 2. A non-interactive bit commitment scheme based on any one-way function. The specific NW-type generator we need is a hitting set generator fooling nondeterministic circuits. It is known how to construct such a generator if $\mathrm{E} = \mathrm{DTIME}(2^{O(n)})$ has a function of nondeterministic circuit complexity $2^{\Omega(n)}$ (Miltersen and Vinodchandran, FOCS ’99). Our witness-indistinguishable proofs are obtained by using the NW-type generator to derandomize the ZAPs of Dwork and Naor (FOCS ’00). To our knowledge, this is the first construction of an NP proof system achieving a secrecy property. Our commitment scheme is obtained by derandomizing the interactive commitment scheme of Naor (J. Cryptology, 1991). Previous constructions of non-interactive commitment schemes were only known under incomparable assumptions.
Derandomization That is Rarely Wrong From Short Advice That is Typically Good
2002
Cited by 13 (0 self)
For every ε > 0, we present a deterministic logspace algorithm that correctly decides undirected graph connectivity on all but at most 2 of the n-vertex graphs. The same holds for every problem in Symmetric Logspace (i.e., SL).
Circuit lower bounds for Merlin-Arthur classes
In Proc. ACM STOC, 2007
Cited by 12 (2 self)
We show that for each k > 0, MA/1 (MA with 1 bit of advice) doesn’t have circuits of size $n^k$. This implies the first superlinear circuit lower bounds for the promise versions of the classes MA, AM and $\mathrm{ZPP}^{\mathrm{NP}}$. We extend our main result in several ways. For each k, we give an explicit language in (MA ∩ coMA)/1 which doesn’t have circuits of size $n^k$. We also adapt our lower bound to the average-case setting, i.e., we show that MA/1 cannot be solved on more than $1/2 + 1/n^k$ fraction of inputs of length n by circuits of size $n^k$. Furthermore, we prove that MA does not have arithmetic circuits of size $n^k$ for any k. As a corollary to our main result, we obtain that derandomization of MA with O(1) advice implies the existence of pseudorandom generators computable using O(1) bits of advice.
Graph Isomorphism is Low for ZPP(NP) and other Lowness results
2000
Cited by 7 (0 self)
We show the following new lowness results for the probabilistic class $\mathrm{ZPP}^{\mathrm{NP}}$.
- The class AM ∩ coAM is low for $\mathrm{ZPP}^{\mathrm{NP}}$. As a consequence it follows that Graph Isomorphism and several group-theoretic problems known to be in AM ∩ coAM are low for $\mathrm{ZPP}^{\mathrm{NP}}$.
- The class IP[P/poly], consisting of sets that have interactive proof systems with honest provers in P/poly, is also low for $\mathrm{ZPP}^{\mathrm{NP}}$.
We consider lowness properties of nonuniform function classes, namely, NPMV/poly, NPSV/poly, $\mathrm{NPMV}_t$/poly, and $\mathrm{NPSV}_t$/poly. Specifically, we show that
- Sets whose characteristic functions are in NPSV/poly and that have program checkers (in the sense of Blum and Kannan [8]) are low for AM and $\mathrm{ZPP}^{\mathrm{NP}}$.
- Sets whose characteristic functions are in $\mathrm{NPMV}_t$/poly are low for p 2 .