Algebraic Methods for Interactive Proof Systems

CARSTEN LUND, LANCE FORTNOW, AND HOWARD KARLOFF
University of Chicago, Chicago, Illinois

AND NOAM NISAN
Hebrew University, Jerusalem, Israel
Abstract. A new algebraic technique for the construction of interactive proof systems is presented. Our technique is used to prove that every language in the polynomial-time hierarchy has an interactive proof system. This technique played a pivotal role in the recent proofs that IP = PSPACE [28] and that MIP = NEXP [4].

Categories and Subject Descriptors: F.1.2 [Computation by Abstract Devices]: Modes of Computation—Interactive computation; probabilistic computation; relativized computation; F.1.3 [Computation by Abstract Devices]: Complexity Classes—Complexity hierarchies; relations among complexity classes; relations among modes

General Terms: Theory

Additional Key Words and Phrases: Interactive proof systems
1. Introduction

NP can be viewed as the set of languages L with this property: There is a deterministic polynomial-time verifier (Vanna) and an infinitely powerful prover (Pat) such that for all x, if x is in L, then in polynomial time Pat can persuade Vanna that x is in L, and if x is not in L, then no prover (Pat or any other) can persuade Vanna that x is in L. Pat and Vanna communicate on a two-way communication channel (though two-way communication is not necessary here). For example, Pat can convince Vanna that a graph G is 3-colorable by exhibiting a 3-coloring. If G is not 3-colorable, no prover will ever succeed in persuading a skeptical Vanna that G is 3-colorable. (Of course, no prover is known who can convince Vanna that G is not 3-colorable if it is not 3-colorable.) co-NP-complete languages are not thought to be in NP. We can extend this idea of "provability" by allowing the deterministic verifier to flip coins and requiring instead that if x is in L, Pat persuades Vanna that x is in L with probability at least 2/3, and if x is not in L, no prover can convince Vanna that x is in L with probability more than 1/3. Babai [2] and Goldwasser et al. [21] developed this interactive proof system model. A summary of previous results on interactive proof systems can be found in [5].

C. Lund's work was supported by a fellowship from the Århus University, Århus, Denmark. L. Fortnow's work was supported by National Science Foundation (NSF) grant CCR 90-09936. H. Karloff's work was supported by NSF grant CCR 88-07534. N. Nisan's work was partially performed at the Massachusetts Institute of Technology (MIT), Cambridge, Mass., and was supported by NSF grant CCR 86-5727 and Army Research Office (ARO) grant DLL03-86-K-017.

Authors' addresses: C. Lund, L. Fortnow, and H. Karloff, Department of Computer Science, University of Chicago, 1100 East 58th Street, Chicago, IL 60637; N. Nisan, Department of Computer Science, Hebrew University, Jerusalem, Israel.

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission.

© 1992 ACM 0004-5411/92/1000-0859 $01.50

Journal of the Association for Computing Machinery, Vol. 39, No. 4, October 1992, pp. 859-868.

860 C. LUND ET AL.

Although certain problems not known to be in NP, such as graph nonisomorphism, were known to have interactive proof systems [10], it was generally believed by theoretical computer scientists that the class IP of languages with interactive proof systems was not much larger than NP. In particular, it was believed that co-NP-complete languages did not have interactive proof systems. We prove that interactive proof systems have far greater power than originally believed. Our main result is that there is an interactive proof system for the language {(A, s) | s is the permanent of 0–1 matrix A}. When combined with the fact that the permanent of 0–1 matrices is #P-complete [33] and the fact that #P is hard for the polynomial-time hierarchy [32], the existence of an interactive proof system for the permanent implies that every language in the polynomial-time hierarchy has an interactive proof system. In particular, this means that every language in co-NP has an interactive proof system, even the complement of 3-COLORABILITY, for example.

For the proof, we develop a new technique for reducing the problem of verifying the value of a low-degree polynomial at two given points to verifying the value at one new point. Shamir [28] has used this technique to prove that all languages in PSPACE have interactive proof systems. From the fact that IP ⊆ PSPACE [15], it follows that IP = PSPACE. Babai et al. [4] have also used this technique in their proof that every language in nondeterministic exponential time has a two-prover interactive proof system in which the provers cannot communicate with one another. Our results also have implications for program checking, verification and self-correction in the context of Blum and Kannan [9], Blum et al. [10], and Lipton [25]. In fact, the Blum–Luby–Rubinfeld and Lipton papers inspired our result.

Our result does not relativize. Fortnow and Sipser [18] have created an oracle under which co-NP does not have an interactive proof system. To our knowledge this is the first result to "go contrary" to a previously published oracle. Subsequent to the announcement of our result, Chor et al. [13] proved the same relativized result for a random oracle.

2. Definitions

A verifier V is a polynomial-time, probabilistic Turing machine with a special communication tape. A prover P is an arbitrary map f from each finite sequence x, q1, q2, ..., qk, where x ∈ {0, 1}* and each qi ∈ {0, 1}*, to a 0–1 string. The computation proceeds as follows. Both P and V get x ∈ {0, 1}*. V then computes for a while, and writes a query q1 ∈ {0, 1}* on her communication tape. P responds by replacing the q1 with f(x, q1). V computes, overwrites f(x, q1) with a query q2 ∈ {0, 1}*, and awaits P's response, f(x, q1, q2). This round is a query from V followed by a response from P. The process continues until V halts and accepts or rejects x. The pair (P, V) forms an interactive proof system for a language L if for x ∈ {0, 1}*:
(1) If x ∈ L, then Pr(V accepts input x when interacting with P) ≥ 2/3.
(2)

… for each i = 1, 2, ..., r, Vanna constructs the minor Bi = B1i, asks Pat for the permanent of Bi, and gets qi in return. Vanna checks that q = Σ_{i=1}^{r} b1i qi; if not, she halts and rejects. Otherwise she expands S by replacing (B, q) by ((B1, q1), (B2, q2), ..., (Br, qr)). Provided that q ≠ per(B), qi ≠ per(Bi) for some i.

When the list has more than one pair, Vanna shrinks the list by replacing the first two pairs (C, c), (D, d) by a new pair (E, e), in the following way. The function f(x) = per(C + x(D − C)) is a polynomial of degree at most r over Zp. Vanna asks Pat for the r + 1 coefficients of f and constructs g from the responses. (Or Vanna could just ask for the value of f at r + 1 arbitrary points and interpolate a polynomial of degree at most r herself.) If g(0) ≠ c or g(1) ≠ d, Vanna rejects. Vanna now uniformly chooses a random a ∈ Zp,¹ sends it to Pat, constructs E = C + a(D − C) and e = g(a), and replaces the pairs (C, c), (D, d) in S by the one pair (E, e). The crucial fact is that if c ≠ per(C) or d ≠ per(D), then with probability at least 1 − r/p, per(E) ≠ e. This follows from Lemma 4.

LEMMA 4. Let C and D be r × r matrices over Zp. Let g be a polynomial of degree at most r over Zp such that either g(0) ≠ per(C) or g(1) ≠ per(D). Then if a is chosen uniformly at random from Zp,

Pr[per(C + a(D − C)) = g(a)] ≤ r/p.

PROOF. Let f(x) = per(C + x(D − C)), a polynomial of degree at most r over Zp. Since f(0) = per(C) and f(1) = per(D), clearly f ≠ g. But two nonidentical polynomials of degree at most r over Zp can coincide on at most r points. It follows that there are at most r values a such that g(a) = f(a) = per(C + a(D − C)). □

¹ Throughout the paper, we assume that Vanna can choose elements of Zp uniformly at random, despite the fact that she can only pick bits uniformly at random. In reality, she will pick integers a uniformly at random from {0, 1, 2, ..., M − 1}, where M is the least power of two exceeding p, until one is less than p. If enough trials fail to find an a less than p, she will just halt and accept x. This increases the probability of erroneously accepting an x ∉ L only slightly.

If S = ((B1, q1), (B2, q2), ..., (Bt, qt)) and at least one i satisfies per(Bi) ≠ qi, then with very high probability, after t − 1 shrinking steps S will consist of one pair (H, h) with h ≠ per(H). The idea, then, is to replace the initial list S = ((A, s)) by lists of smaller and smaller matrices, until eventually S = ((B, q)) where B is 1 × 1. If q ≠ per(B)—a condition Vanna can easily test—Vanna will reject. Otherwise, she'll accept. How likely is it that Vanna will be able to maintain the "invariant"? A sequence of one expansion step followed by r − 1 shrinking steps will replace S = ((B, q)), where B is r × r, by S = ((B′, q′)), where B′ is (r − 1) × (r − 1). Thus fewer than N² steps (of either kind) suffice to reduce S = ((A, s)) to S = ((B, q)), where B is 1 × 1. It follows that the probability that a cheating prover can induce Vanna to erroneously accept (A, s) is less than N² times the minuscule probability that the shrink step first violates the "invariant." Now we give the full proof.

PROOF OF THEOREM 1. By
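The two list transformations described above, as an added example that is not code from the paper: a brute-force permanent over Zp, Vanna's expansion check q = Σ b1i qi, and the shrink step of Lemma 4, in which Vanna interpolates g from Pat's r + 1 claimed values of f(x) = per(C + x(D − C)), rejects unless g(0) = c and g(1) = d, and otherwise forms (E, e) = (C + a(D − C), g(a)). The prime p = 101, the matrices, and the function names are constructed for illustration; `agreement_count` enumerates every a ∈ Zp to show the Lemma 4 bound directly (a cheating g agrees with the true f on at most r points), which is why p is kept tiny.

```python
"""Toy model of the expansion and shrink steps of the permanent protocol over Z_p.

Added example, not code from Lund, Fortnow, Karloff and Nisan; the prime, the
matrices and the brute-force permanent are constructed here for illustration.
"""
import itertools

P = 101  # constructed: a small prime so that every a in Z_p can be enumerated


def permanent(M, p=P):
    """per(M) over Z_p by the defining sum over permutations (fine for r <= 6)."""
    r = len(M)
    total = 0
    for perm in itertools.permutations(range(r)):
        prod = 1
        for i in range(r):
            prod = prod * M[i][perm[i]] % p
        total = (total + prod) % p
    return total


def minor(B, col):
    """B_{1,col}: B with its first row and column `col` (0-based) deleted."""
    return [[B[i][j] for j in range(len(B)) if j != col] for i in range(1, len(B))]


def expand_check(B, q, minor_claims, p=P):
    """Expansion step: minor_claims[i] is Pat's claimed q_i = per(B_{1i}).
    Vanna accepts the expansion only if q = sum_i b_{1i} q_i (mod p);
    if the check passes but q != per(B), then some q_i != per(B_{1i})."""
    return q % p == sum(B[0][i] * minor_claims[i] for i in range(len(B))) % p


def line_matrix(C, D, x, p=P):
    """C + x(D - C), entrywise mod p; its permanent f(x) has degree <= r in x."""
    r = len(C)
    return [[(C[i][j] + x * (D[i][j] - C[i][j])) % p for j in range(r)] for i in range(r)]


def eval_interpolated(xs, ys, a, p=P):
    """Value at a of the unique polynomial of degree <= len(xs)-1 through the
    points (xs[i], ys[i]) over Z_p, in Lagrange form: this is the g Vanna
    builds herself from Pat's r + 1 answers."""
    total = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * (a - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def honest_values(C, D, xs, p=P):
    """An honest Pat's answers: f(x) = per(C + x(D - C)) at each requested point."""
    return [permanent(line_matrix(C, D, x, p), p) for x in xs]


def shrink(C, c, D, d, claimed, a, p=P):
    """Shrink step. `claimed` are Pat's values of f at the points 0, 1, ..., r.
    Returns None if Vanna rejects (g(0) != c or g(1) != d); otherwise the new
    pair (E, e) with E = C + a(D - C) and e = g(a) for Vanna's random a."""
    xs = list(range(len(C) + 1))

    def g(x):
        return eval_interpolated(xs, claimed, x, p)

    if g(0) != c % p or g(1) != d % p:
        return None
    return line_matrix(C, D, a, p), g(a)


def agreement_count(C, D, claimed, p=P):
    """Number of a in Z_p with g(a) = per(C + a(D - C)); Lemma 4 says at most r when g != f."""
    xs = list(range(len(C) + 1))
    return sum(1 for a in range(p)
               if eval_interpolated(xs, claimed, a, p) == permanent(line_matrix(C, D, a, p), p))


if __name__ == "__main__":
    # Constructed 3 x 3 instances: (A, s) is a true claim; C, D play the first two pairs of S.
    A = [[1, 2, 3], [4, 5, 6], [7, 8, 9]]
    s = permanent(A)
    minors = [permanent(minor(A, i)) for i in range(3)]
    print("expansion check with honest minors:", expand_check(A, s, minors))
    C = [[1, 2, 0], [0, 1, 3], [4, 0, 1]]
    D = [[2, 0, 1], [1, 1, 0], [0, 3, 2]]
    honest = honest_values(C, D, range(4))
    cheat = honest[:]
    cheat[0] = (honest[0] + 1) % P  # Pat defends a wrong claim c' = per(C) + 1
    print("a with g(a) = f(a), honest g:", agreement_count(C, D, honest))
    print("a with g(a) = f(a), cheating g:", agreement_count(C, D, cheat), "(at most r = 3)")
```

With the cheating values the polynomial g − f is nonzero, of degree at most 3, and vanishes at 1, 2, 3, so exactly those three of the 101 choices of a let the wrong pair survive the shrink, matching the r/p bound of Lemma 4; an honest g coincides with f everywhere.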
… a ∈ Zp, sends … g(a))). … for every ε > 0 there is a variant … εN rounds. A bounded-round … et al. [11] have shown … protocols … number … imply …

Shamir [28] has shown how to arithmetize a QBF formula and, using a protocol similar to that of Section 3 to verify a QBF formula provided the degree is low, that every language in PSPACE has an interactive proof system. … a "degree-reduction operator" … of satisfying dummy … as an alternate technique to keep the degree low.

Babai et al. [4] have applied the techniques of this paper to multiple-prover interactive proof systems, defined by Ben-Or et al. [8] as interactive proof systems having a polynomial number of provers unable to communicate among themselves or to see the conversation between any other prover and the verifier. Babai, Fortnow, and Lund have proven that any language computable in nondeterministic exponential time has a multiple-prover interactive proof system. Their proof uses ideas similar to those of [3] and [28] in order to reduce the problem to that of testing the multilinearity of a function.

Cai et al. [12] have used the protocols of this paper and of Shamir [28] to prove that every PSPACE language has a bounded-round multiple-prover interactive proof system. Fortnow and Lund [16] have extended the techniques from this and Shamir's paper [28] to exhibit a polynomial equivalence between the time–space complexity of alternating Turing machines and the time–space complexity of the verifier in a public-coin interactive proof system. In particular, they prove that every language in NC has an interactive proof system with a public-coin, polynomial-time, logarithmic-space verifier.

5. Implications

Goldwasser and Sipser [22] have shown that one can convert any interactive proof system to one in which the verifier uses public coins, that is, the verifier juxtaposes her coin tosses and her query message qi on her communication tape. Furer et al. [19] have shown how to modify an interactive proof system so that for true instances the verifier is convinced with probability one. Both of these properties already hold for our protocol.
Some simple corollaries follow from these results:

COROLLARY 5. If every language in IP has a bounded-round interactive proof system, then the polynomial-time hierarchy collapses.

PROOF. This is immediate from Boppana et al. [11]. □

Previously, Aiello et al. [1] constructed an oracle relative to which the class of languages with bounded-round interactive proof systems differs from those with unbounded-round interactive proof systems.

COROLLARY 6. If cryptographic one-way functions exist, then every language in the polynomial-time hierarchy has a zero-knowledge interactive proof system.

PROOF. From [7, 23] we infer that every language that has an interactive proof system has a zero-knowledge interactive proof system if one-way functions exist. □

From Shamir [28], all languages computable in polynomial space have zero-knowledge interactive proof systems, if cryptographic one-way functions exist.

Our theorem also has applications to program checking, verification and self-correction. Lipton [25], using ideas of Beaver and Feigenbaum [6], showed that the permanent function can be "tested." Our protocols extend this idea and show the permanent has a self-testing/correcting pair [10], a pair of functions the first of which verifies that a program computes the permanent correctly on most inputs and the second of which converts a program that passes the first test into one that correctly computes the permanent on all inputs with high probability. Theorem 1 also provides a program correctness checker [9] for the permanent:

COROLLARY 7. There exists a probabilistic polynomial-time machine M that, given access to a program P and a matrix A, will output with a high degree of confidence either "P outputs the correct value of the permanent of A" or "P does not correctly compute the permanent of some matrix."

PROOF. In the proof of Theorem 1, the prover need only answer the verifier about the permanents of various matrices. We can have the verifier use P as the prover. □

A further discussion of the
REFERENCES

[17], [30], and [31] are not cited in text.

1. AIELLO, W., GOLDWASSER, S., AND HÅSTAD, J. On the power of interaction. Combinatorica (1992), 3-25.
2. BABAI, L. Trading group theory for randomness. In Proceedings of the 17th Annual ACM Symposium on the Theory of Computing (Providence, R.I., May 6-8). ACM, New York, 1985, pp. 421-429.
3. BABAI, L., AND FORTNOW, L. Arithmetization: a new method in structural complexity theory. Computat. Complex. 1 (1991), 41-66.
4. BABAI, L., FORTNOW, L., AND LUND, C. Non-deterministic exponential time has two-prover interactive protocols. Computat. Complex. 1 (1991), 3-40.
5. BABAI, L., AND MORAN, S. Arthur–Merlin games: A randomized proof system, and a hierarchy of complexity classes. J. Comput. Syst. Sci. 36, 2 (1988), 254-276.
6. BEAVER, D., AND FEIGENBAUM, J. Hiding instances in multioracle queries. In Proceedings of the 7th Symposium on the Theoretical Aspects of Computer Science. Lecture Notes in Computer Science, vol. 415. Springer-Verlag, New York, 1990, pp. 37-48.
7. BEN-OR, M., GOLDREICH, O., GOLDWASSER, S., HÅSTAD, J., KILIAN, J., MICALI, S., AND ROGAWAY, P. Everything provable is provable in zero-knowledge. In Proceedings of Crypto 88. Lecture Notes in Computer Science, vol. 403. Springer-Verlag, New York, 1988, pp. 37-56.
8. BEN-OR, M., GOLDWASSER, S., KILIAN, J., AND WIGDERSON, A. Multi-prover interactive proofs: How to remove intractability assumptions. In Proceedings of the 20th Annual ACM Symposium on the Theory of Computing (Chicago, Ill., May 2-4). ACM, New York, 1988, pp. 113-131.
9. BLUM, M., AND KANNAN, S. Designing programs that check their work. In Proceedings of the 21st Annual ACM Symposium on the Theory of Computing (Seattle, Wash., May 15-17). ACM, New York, 1989, pp. 86-97.
10. BLUM, M., LUBY, M., AND RUBINFELD, R. Self-testing/correcting with applications to numerical problems. In Proceedings of the 22nd Annual ACM Symposium on the Theory of Computing (Baltimore, Md., May 14-16). ACM, New York, 1990, pp. 73-83.
11. BOPPANA, R., HÅSTAD, J., AND ZACHOS, S. Does co-NP have short interactive proofs? Inf. Proc. Lett. 25, 2 (1987), 127-132.
12. CAI, J., CONDON, A., AND LIPTON, R. J. PSPACE is provable by two provers in one round. In Proceedings of the 6th Annual Conference on Structure in Complexity Theory (Chicago, Ill., June 30-July 3). IEEE, New York, 1991, pp. 110-115.
13. CHOR, B., GOLDREICH, O., AND HÅSTAD, J. The random oracle hypothesis is false. Manuscript. Technion, Haifa, Israel, 1990.
14. COOK, S. A. The complexity of theorem-proving procedures. In Proceedings of the 3rd Annual ACM Symposium on the Theory of Computing (Shaker Heights, Oh., May 3-5). ACM, New York, 1971, pp. 151-158.
15. FELDMAN, P. The optimum prover lives in PSPACE. Manuscript. M.I.T., Cambridge, Mass., 1986.
16. FORTNOW, L., AND LUND, C. Interactive proof systems and alternating time-space complexity. In Proceedings of the 8th Symposium on Theoretical Aspects of Computer Science. Lecture Notes in Computer Science, vol. 480. Springer-Verlag, New York, 1991, pp. 263-274.
17. FORTNOW, L., ROMPEL, J., AND SIPSER, M. On the power of multi-prover interactive protocols. In Proceedings of the 3rd Conference on Structure in Complexity Theory (Washington, D.C., June 14-17). IEEE, New York, 1988, pp. 156-161.
18. FORTNOW, L., AND SIPSER, M. Are there interactive protocols for co-NP languages? Inf. Proc. Lett. 28 (1988), 249-251.
19. FURER, M., GOLDREICH, O., MANSOUR, Y., SIPSER, M., AND ZACHOS, S. On completeness and soundness in interactive proof systems. In S. Micali, ed. Randomness and Computation (volume 5 of Advances in Computing Research). JAI Press, Greenwich, Conn., 1989, pp. 429-442.
20. GOLDREICH, O., MICALI, S., AND WIGDERSON, A. Proofs that yield nothing but their validity and a methodology of cryptographic protocol design. In Proceedings of the 27th IEEE Symposium on Foundations of Computer Science. IEEE, New York, 1986, pp. 174-187.
21. GOLDWASSER, S., MICALI, S., AND RACKOFF, C. The knowledge complexity of interactive proof-systems. SIAM J. Comput. 18, 1 (1989), 186-208.
22. GOLDWASSER, S., AND SIPSER, M. Private coins versus public coins in interactive proof systems. In S. Micali, ed. Randomness and Computation (volume 5 of Advances in Computing Research). JAI Press, Greenwich, Conn., 1989, pp. 73-90.
23. IMPAGLIAZZO, R., AND YUNG, M. Direct minimum-knowledge computation. In Proceedings of Crypto 87. Lecture Notes in Computer Science, vol. 293. Springer-Verlag, New York, 1987, pp. 40-51.
24. KARP, R., AND LIPTON, R. Some connection between nonuniform and uniform complexity classes. In Proceedings of the 12th Annual ACM Symposium on the Theory of Computing (Los Angeles, Calif., Apr. 28-30). ACM, New York, 1980, pp. 302-309.
25. LIPTON, R. New directions in testing. In J. Feigenbaum and M. Merritt, eds. Distributed Computing and Cryptography (volume 2 of DIMACS Series in Discrete Mathematics and Theoretical Computer Science). American Mathematical Society, Providence, R.I., 1991, pp. 191-202.
26. NIVEN, I., AND ZUCKERMAN, H. S. An Introduction to the Theory of Numbers, 4th ed. Wiley, New York, 1980, pp. 224-225.
27. PRATT, V. Every prime has a succinct certificate. SIAM J. Comput. 4 (1975), 214-220.
28. SHAMIR, A. IP = PSPACE. J. ACM 39, 4 (Oct. 1992), 869-877.
29. SHEN, A. IP = PSPACE: Simplified proof. J. ACM 39, 4 (Oct. 1992), 878-880.
30. SIMON, J. On some central problems in computational complexity. PhD thesis, Cornell University, Computer Science, 1975. Tech. Report TR 75-224.
31. SOLOVAY, R., AND STRASSEN, V. A fast Monte-Carlo test for primality. SIAM J. Comput. 6 (1977), 84-85. See also erratum 7 (1978), 118.
32. TODA, S. On the computational power of PP and ⊕P. In Proceedings of the 30th IEEE Symposium on Foundations of Computer Science. IEEE, New York, 1989, pp. 514-519.
33. VALIANT, L. The complexity of computing the permanent. Theoret. Comput. Sci. 8 (1979), 189-201.

RECEIVED NOVEMBER 1990; REVISED NOVEMBER 1991; ACCEPTED AUGUST 1991