## Probabilistic Proof Systems -- A Survey (1996)

### Cached

### Download Links

Venue: | IN SYMPOSIUM ON THEORETICAL ASPECTS OF COMPUTER SCIENCE |

Citations: | 5 - 0 self |

### BibTeX

@TECHREPORT{Goldreich96probabilisticproof,

author = {Oded Goldreich},

title = {Probabilistic Proof Systems -- A Survey},

institution = {IN SYMPOSIUM ON THEORETICAL ASPECTS OF COMPUTER SCIENCE},

year = {1996}

}

### OpenURL

### Abstract

Various types of probabilistic proof systems have played a central role in the development of computer science in the last decade. In this exposition, we concentrate on three such proof systems -- interactive proofs, zero-knowledge proofs, and probabilistic checkable proofs -- stressing the essential role of randomness in each of them.

### Citations

11561 | Computers and Intractability - A Guide to the Theory of NP-Completness - Garey, Johnson - 1979 |

1251 |
Probabilistic Encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...o ensembles apart). Since the notion of computational indistinguishability is a fundamental one, it is indeed in place to present a definition of it. Definition 4 (computational indistinguishability) =-=[32, 50]-=-: An integer function,f , is called negligible if for every positive polynomial p and all sufficiently large n, it holds that f(n) < 1 p(n) . (Thus, multiplying a negligible function by any fixed poly... |

1094 | The knowledge complexity of interactive proof-systems
- Goldwasser, Micali, et al.
- 1989
(Show Context)
Citation Context ... prover. A sketch of the formal definition is given in Item (1) below. Item (2) introduces additional complexity measures which can be ignored in first reading. Definition 2 (Interactive Proofs – IP) =-=[33]-=-: 1. An interactive proof system for a setS is a two-party game, between a verifier executing a probabilistic polynomial-time strategy (denoted V ) and a prover which executes a computationally unboun... |

760 | A pseudorandom generator from any one-way function
- H̊astad, Impagliazzo, et al.
- 1999
(Show Context)
Citation Context ... schemes can be implemented assuming the existence of one-way functions (i.e., loosely speaking, functions that are easy to compute but hard to invert, such as the multiplication of two large primes) =-=[44, 37]-=-. Using the fact that 3-colorability is NP-complete, one gets zero-knowledge proofs for any NP-set. Theorem 2 [28]: Assuming the existence of one-way functions, any NP-proof can be efficiently transfo... |

660 | A threshold of ln n for approximating set cover
- Feige
- 1998
(Show Context)
Citation Context ...ty results for various classical optimization problems. In particular, quite tight non-approximability results have been shown for MaxClique (cf., [35]), Chromatic Number (cf., [21]), Set Cover (cf., =-=[19]-=-), and Max-Exact-3SAT (cf., [36]). 4.3 The Role of Randomness No trade-off between the number of bits examined and the confidence is possible if one requires the verifier to be deterministic. In parti... |

576 | Optimization, approximation, and complexity classes - Papadimitriou, Yannakakis - 1991 |

540 |
How to play ANY mental game or: A Completeness Theorem for Protocols with Honest
- Goldreich, Micali, et al.
- 1987
(Show Context)
Citation Context ... one-way functions, any NP-proof can be efficiently transformed into a (computational) zero-knowledge interactive proof. Theorem 2 has a dramatic effect on the design of cryptographic protocols (cf., =-=[28, 29]-=-). In a different vein and for the sake of elegancy, we mention that, using further ideas and under the same assumption, any interactive proof can be efficiently transformed into a zero-knowledge one ... |

530 | Theory and applications of trapdoor functions - Yao - 1982 |

406 | Nondeterministic exponential time has two-prover interactive protocols
- Babai, Fortnow, et al.
- 1991
(Show Context)
Citation Context ...(log; poly) is contained in NP. These upper bounds turn out to be tight, but proving this is much more difficult (to say the least). The following result is a culmination of a sequence of great works =-=[6, 7, 20, 4, 3]-=-.10 Theorem 3 : NP is contained in PCP(log; O(1)). Thus, probabilistically checkable proofs in which the verifier tosses only logarithmically many coins and makes only a constant number of queries exi... |

396 | Proofs that Yield Nothing but their Validity or All Languages in NP Have Zero-Knowledge Proof Systems
- Goldreich, Micali, et al.
- 1991
(Show Context)
Citation Context ...oof for proving that two graphs are not isomorphic5. It is not known whether such a statement can be proven via an NP-proof system. Construction 1 (Interactive proof system for Graph Non-Isomorphism) =-=[28]-=-: Common Input: A pair of two graphs, G 1 =(V 1 ; E 1 ) and G 2 =(V 2 ; E 2 ). Suppose, without loss of generality, that V 1 = f1; 2; :::; jV 1 jg, and similarly for V 2 . Verifier’s first step (V... |

393 | On the hardness of approximating minimization problems - Lund, Yannakakis - 1993 |

346 | Selftesting/correcting with applications to numerical problems
- Blum, Luby, et al.
- 1993
(Show Context)
Citation Context ...was obtained in [3]. This sequence of works, directly related to the stated theorem, was built on and inspired by works from various settings such as interactive proofs [41, 49, 22], program-checking =-=[16, 26, 48]-=-, and private computation with oracles [9]. The constant (number of queries) in Theorem 3 has been subsequently improved and is currently 9; cf., [36]. 11A 3CNF formula is a Boolean formula consisting... |

333 | Robust Characterizations of Polynomials with Applications to Program Testing - Rubinfeld, Sudan - 1996 |

321 |
Minimum disclosure proofs of knowledge
- Brassard, Chaum, et al.
- 1988
(Show Context)
Citation Context ...heating” prover strategies) really holds. The reason to consider these restricted models is that they enable to achieve results which are not possible in the general model of interactive proofs (cf., =-=[14, 17, 39, 43]-=-). We consider restrictions of two types: computational or physical. We start with a physical restriction. In the so-called multi-prover interactive proof model, denoted MIP (cf., [14]), the prover is... |

318 |
Arthur-Merlin Games: A Randomized Proof System, and a Hierarchy of Complexity Class
- Babai, Moran
- 1988
(Show Context)
Citation Context .... Thus, under this conjecture, interactive proofs are more powerful than NP-proofs. Concerning the finer structure of the IP hierarchy it is known that this hierarchy has a “linear speed-up” property =-=[8]-=-. Namely, for every integer function, f , so that f(n) 2 for all n, the classIP(O(f())) collapses to the classIP(f()). In particular, IP(O(1)) collapses to IP(2). It is conjectured that coNP is no... |

311 | Algebraic methods for interactive proof systems
- Lund, Fortnow, et al.
- 1992
(Show Context)
Citation Context ...airs of non-isomorphic graphs. Recall that the latter is a coNP-set (not known to be in NP). Interactive proofs are powerful enough to prove any coNP assertion (e.g., that a graph is not 3-colorable) =-=[41]-=-. Furthermore, the class of sets having interactive proof systems coincides with the class of sets that can be decided using a polynomial amount of work-space [49]. Theorem 1 [41, 49]: IP = PSPACE . R... |

305 | Trading group theory for randomness
- Babai
- 1985
(Show Context)
Citation Context ... the prover corresponds to IP(2). Clearly,NP IP(1), yet the inclusion may be strict since the verifier may toss coins after receiving the prover’s single message. Arthur-Merlin games2 introduced in =-=[5]-=- are a special case of interactive proofs; yet, as shown in [34], this restricted case has essentially3 the same power as the general case previously introduced in [33]. Also, in some sources interact... |

256 | Checking computations in polylogarithmic time
- Babai, Fortnow, et al.
- 1991
(Show Context)
Citation Context ...shown related to a multi-prover model introduced previously in [14]. The fine complexity measures were introduced and motivated in [20], and further advocated in [4]. A related model was presented in =-=[7]-=-, stressing the applicability to program checking. We stress that the oracle x in a pcp system constitutes a proof in the standard mathematical sense9. Yet, this oracle has the extra property of ena... |

204 |
Proof Verification and Intractability of Approximation Problems
- Arora, Lund, et al.
- 1992
(Show Context)
Citation Context ...(log; poly) is contained in NP. These upper bounds turn out to be tight, but proving this is much more difficult (to say the least). The following result is a culmination of a sequence of great works =-=[6, 7, 20, 4, 3]-=-.10 Theorem 3 : NP is contained in PCP(log; O(1)). Thus, probabilistically checkable proofs in which the verifier tosses only logarithmically many coins and makes only a constant number of queries exi... |

201 | Free Bits, PCPs and NonApproximability - Towards Tight Results, FOCS
- Bellare, Goldreich, et al.
- 1995
(Show Context)
Citation Context ... be selected at random. The characterization of NP in terms of probabilistically checkable proofs plays a central role in recent developments concerning the difficulty of approximation problems (cf., =-=[20, 3, 42, 11]-=- and [35, 36]). To demonstrate this relationship, we first note that Theorem 3 can be rephrased without mentioning the classPCP altogether. Instead, a new type of polynomial-time reductions, which we ... |

187 | Private coins versus public coins in interactive proof systems - Goldwasser, Sipser - 1989 |

183 | Zero knowledge and the chromatic number
- Feige, Kilian
- 1998
(Show Context)
Citation Context ...trong non-approximability results for various classical optimization problems. In particular, quite tight non-approximability results have been shown for MaxClique (cf., [35]), Chromatic Number (cf., =-=[21]-=-), Set Cover (cf., [19]), and Max-Exact-3SAT (cf., [36]). 4.3 The Role of Randomness No trade-off between the number of bits examined and the confidence is possible if one requires the verifier to be ... |

179 |
Approximating clique is almost NP-complete
- Feige, Goldwasser, et al.
- 1991
(Show Context)
Citation Context ...[ r2R;q2Q PCP(r(); q()). The above model was suggested in [24] and shown related to a multi-prover model introduced previously in [14]. The fine complexity measures were introduced and motivated in =-=[20]-=-, and further advocated in [4]. A related model was presented in [7], stressing the applicability to program checking. We stress that the oracle x in a pcp system constitutes a proof in the standard... |

178 |
Multiple non-interactive zero knowledge proofs based on a single random string
- Feige, Lapidot, et al.
- 1990
(Show Context)
Citation Context ...ed in [4] and the cited result was obtained in [3]. This sequence of works, directly related to the stated theorem, was built on and inspired by works from various settings such as interactive proofs =-=[41, 49, 22]-=-, program-checking [16, 26, 48], and private computation with oracles [9]. The constant (number of queries) in Theorem 3 has been subsequently improved and is currently 9; cf., [36]. 11A 3CNF formula ... |

159 |
Hiding instances in multioracle queries
- Beaver, Feigenbaum
- 1990
(Show Context)
Citation Context ...ly related to the stated theorem, was built on and inspired by works from various settings such as interactive proofs [41, 49, 22], program-checking [16, 26, 48], and private computation with oracles =-=[9]-=-. The constant (number of queries) in Theorem 3 has been subsequently improved and is currently 9; cf., [36]. 11A 3CNF formula is a Boolean formula consisting of a conjunction of clauses, where each c... |

151 | On Defining Proofs of Knowledge
- Bellare, Goldreich
- 1992
(Show Context)
Citation Context ...the soundness condition. 5.3 Proofs of Knowledge The concept of a proof of knowledge, introduced in [33], is very appealing; yet, its precise formulation is much more complex than one may expect (cf. =-=[10]-=-). Loosely speaking, a knowledge-verifier for a relationR guarantees the existence of a “knowledge extractor” that on input x and access to any interactive machine P outputs a y, so that (x; y)2R, w... |

150 | A note on efficient zero-knowledge proofs and arguments (extended abstract - Kilian - 1992 |

135 | Multi-Prover Interactive Proofs: How to Remove Intractability Assumptions
- Ben-Or, Goldwasser, et al.
- 1988
(Show Context)
Citation Context ...0 or 1). For sets of integer functions,R andQ, we letPCP(R;Q) equal [ r2R;q2Q PCP(r(); q()). The above model was suggested in [24] and shown related to a multi-prover model introduced previously in =-=[14]-=-. The fine complexity measures were introduced and motivated in [20], and further advocated in [4]. A related model was presented in [7], stressing the applicability to program checking. We stress tha... |

131 | On the Power of Multi-Prover Interactive Protocols
- Fortnow, Rompel, et al.
- 1988
(Show Context)
Citation Context ...n complexity theory, the oracle answers are always binary (i.e., either 0 or 1). For sets of integer functions,R andQ, we letPCP(R;Q) equal [ r2R;q2Q PCP(r(); q()). The above model was suggested in =-=[24]-=- and shown related to a multi-prover model introduced previously in [14]. The fine complexity measures were introduced and motivated in [20], and further advocated in [4]. A related model was presente... |

129 |
Non-interactive zero-knowledge and its applications
- Blum, Feldman, et al.
- 1988
(Show Context)
Citation Context ...munication-efficient than (regular) interactive proofs; cf. [39, 43, 27]. 5.2 Non-Interactive Zero-Knowledge Proofs Actualy the term “non-interactive” is somewhat misleading. The model, introduced in =-=[15]-=-, consists of three entities: a prover, a verifier and a uniformly selected sequence of bits (which can be thought of as being selected by a trusted third party). Both verifier and prover can read the... |

122 | Definitions and Properties of Zero-Knowledge Proof Systems
- Goldreich, Oren
- 1994
(Show Context)
Citation Context ...ersion of the actual definitions. For example, in order to guarantee that zero-knowledge is preserved under sequential composition it is necessary to slightly augment the definitions. For details see =-=[30]-=-. 3.2 The Power of Zero-Knowledge A simple example, demonstrating the power of zero-knowledge proofs, follows. Specifically, we will present a simple zero-knowledge proof for proving that a graph is 3... |

90 | The Complexity of Perfect Zero-Knowledge
- Fortnow
- 1989
(Show Context)
Citation Context ... be contrasted with the results regarding the complexity of almostperfect zero-knowledge proof systems; namely, that almost-perfect zero-knowledge proof systems exist only for sets in IP(2) \ coIP(2) =-=[23, 2]-=-, and thus are unlikely to exist for all NP-sets. Also, a recent result seems to indicate that one-way functions are essential for the existence of zero-knowledge proofs for “hard” sets (i.e., sets wh... |

78 | Selftesting/correcting for polynomials and for approximate functions
- Gemmell, Lipton, et al.
- 1991
(Show Context)
Citation Context ...was obtained in [3]. This sequence of works, directly related to the stated theorem, was built on and inspired by works from various settings such as interactive proofs [41, 49, 22], program-checking =-=[16, 26, 48]-=-, and private computation with oracles [9]. The constant (number of queries) in Theorem 3 has been subsequently improved and is currently 9; cf., [36]. 11A 3CNF formula is a Boolean formula consisting... |

67 | Clique is hard to approximate within n 1\Gammaffl - Hastad - 1999 |

55 |
Probabilistic Checkable Proofs: A New Characterization of NP
- Arora, Safra
- 1992
(Show Context)
Citation Context ...above model was suggested in [24] and shown related to a multi-prover model introduced previously in [14]. The fine complexity measures were introduced and motivated in [20], and further advocated in =-=[4]-=-. A related model was presented in [7], stressing the applicability to program checking. We stress that the oracle x in a pcp system constitutes a proof in the standard mathematical sense9. Yet, thi... |

49 | CS Proofs - Micali - 1994 |

40 | One-way functions are essential for non-trivial zero-knowledge - Ostrovsky, Wigderson - 1993 |

38 | Bit Commitment using Pseudorandom Generators - Naor - 1991 |

35 | Testing polynomial functions efficiently and over rational domains - Rubinfeld, Sudan - 1992 |

33 | The Complexity of Decision versus Search
- Bellare, Goldwasser
- 1994
(Show Context)
Citation Context ...otion of self-reducibility of NP-sets. (By self-reducibility of an NP-set we mean that the search problem of finding an NP-witness is polynomial-time reducible to deciding membership in the set.) See =-=[12]-=-. 3. A prover is considered relatively efficient if it can be implemented by a probabilistic machine which runs in time which is polynomial in the deterministic complexity of the set. This interpretat... |

27 | Quantifying Knowledge Complexity
- Goldreich, Petrank
- 1991
(Show Context)
Citation Context ...knowledge revealed in an interaction” [33]. Knowledge complexity may be defined as the minimum number of oracle-queries required in order to (efficiently) simulate an interaction with the prover (cf. =-=[31]-=-). Results linking two different variants of this measure to other complexity measures are given in [1, 47], respectively. Acknowledgement I am grateful to Shafi Goldwasser for suggesting the essentia... |

26 | An efficient noninteractive zero-knowledge proof system for np with general assumptions - Kilian, Petrank - 1998 |

25 | Selftesting /correcting for polynomials and for approximate functions - Gemmell, Lipton, et al. - 1991 |

18 |
Perfect Zero-Knowledge Languages can be Recognized in Two Rounds
- Aiello, Hastad
- 1987
(Show Context)
Citation Context ... be contrasted with the results regarding the complexity of almostperfect zero-knowledge proof systems; namely, that almost-perfect zero-knowledge proof systems exist only for sets in IP(2) \ coIP(2) =-=[23, 2]-=-, and thus are unlikely to exist for all NP-sets. Also, a recent result seems to indicate that one-way functions are essential for the existence of zero-knowledge proofs for “hard” sets (i.e., sets wh... |

12 | The knowledge-complexity of interactive proof systems - Goldwasser, Micali, et al. - 1989 |

11 | Low communication 2-prover zero-knowledge proofs for np - Dwork, Feige, et al. - 1992 |

10 | On the knowledge complexity of NP - Petrank, Tardos - 1996 |

10 | On the complexity of bounded-interaction and noninteractive zero-knowledge proofs - Kilian - 1994 |

9 | Direct Zero-Knowledge Computations - Impagliazzo, Yung - 1987 |

5 |
Everything Provable is Probable in Zero-Knowledge
- Ben-Or, Goldreich, et al.
- 1990
(Show Context)
Citation Context ...). In a different vein and for the sake of elegancy, we mention that, using further ideas and under the same assumption, any interactive proof can be efficiently transformed into a zero-knowledge one =-=[38, 13]-=-. The above results may be contrasted with the results regarding the complexity of almostperfect zero-knowledge proof systems; namely, that almost-perfect zero-knowledge proof systems exist only for s... |