A Taxonomy of Proof SystemsOded Goldreich�Computer Science DepartmentTechnion, Haifa, Israel.October 24, 1993AbstractSeveral alternative formulations of the concept of an e�cient proof system are nowadayscoexisting in our �eld. These systems include the classical formulation of NP, interactiveproof systems (giving rise to the class IP), computationally-sound proof systems, and proba-bilistically checkable proofs (PCP) which are closely related to multi-prover interactive proofs(MIP). Although these notions are sometimes introduced using the same generic phrases,they are actually very di�erent in motivation, applications and expressive power. The mainobjective of this essay is to try to clarify these di�erences.�Supported in part by grant No. 89-00312 and 92-00226 from the United States - Israel Binational ScienceFoundation (BSF), Jerusalem, Israel. 0T

echn

ion

- C

ompu

ter

Scie

nce

Dep

artm

ent -

Tec

hnic

al R

epor

t C

S078

6 -

1993

1 IntroductionIn recent years alternative formulations of the concept of e�cient proof systems have receivedmuch attention. In fact, the opening sentence is a big understatement. Not only that talks andpapers concerning these systems have ooded the �eld of theoretical computer science, but alsoit happened that some of these developments have reached the non-theory community and a fewwere even reported in nonscienti�c forums such as the New-York Times. Thus, I'm quite sure thatthe reader has heard of phrases such as \interactive proofs" and results such as IP = PSPACE.By no means am I suggesting that the interest in the various formulations of e�cient proofsystems has gone out of proportion. Certainly, the notion of an e�cient proof system is central tothe �eld of computer science and I �nd it hard to conceive circumstances in which one may say thatit receives too much attention. Furthermore, the research area established by these notions hasbeen one of the most successful and rewarding enterprises in which the TCS community has beeninvolved. For example, zero-knowledge proofs have revolutionized the design of cryptographicprotocols, and the characterization of NP in terms of probabilistically checkable proofs hascontributed to (and, in fact, revived) the attempts to classify the complexity of approximationproblems.Now I fear that I have antagonized some of the readers by praising this area and its achieve-ments in such a blunt way. I apologize to these readers and hope that the rest of this essay willcompensate for their discomfort.A word about the organization of the rest of this essay. I have decided to proceed in asomewhat unconventional way and decouple the technical exposition from the story behind itsevolution. Each part appears in a separate section which can be read independently of the other.When reading the technical part, the reader should bear in mind that the references in this partare minimal (and de�nitely substandard), with the sole objective of referring the reader to thebest source1 for more details. The situation is reversed in the `story part' which contains onlycredits, or more accurately my subjective evaluation of the contribution of the various works tothe development of the �eld.2 A Technical ExpositionThe notion of a proof is one of the more fundamental notions of our culture. In particular, it iscentral to science and speci�cally to mathematics and computer science. Yet, although peoplealways talk of proofs, the fundamental issue is the veri�cation procedure. Proof systems arede�ned by their veri�cation procedure, and it is the veri�cation procedure which gives them theirvalue.The notion of a veri�cation procedure assumes the notion of computation and furthermoree�cient computation. This implicit assumption is made explicit in the de�nition of NP . It is theassociation of e�cient computation with (deterministic) polynomial-time algorithms that yields1This is not necessarily the source which deserves most credits!1Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

the association of e�cient proof systems with the class NP . Namely, to prove the validity ofsome statement �, one supplies a proof �, and the veri�cation procedure consists of running apolynomial-time algorithm on input (�; �).Technical Remark: All complexity measures mentioned in the subsequent exposition are as-sumed to be constructible in polynomial-time.2.1 Interactive Proof SystemsIn light of the growing acceptability of randomized and distributed computations, it is only naturalto associate the notion of e�cient computation with probabilistic and interactive polynomial-time computations. This leads naturally to the notion of interactive proof systems in whichthe veri�cation procedure is interactive and randomized, rather than being non-interactive anddeterministic. A sketch of the formal de�nition is given in Item (1) below. Items (2) and (3)introduce additional complexity measures which can be ignored in �rst reading.De�nition 1 (Interactive Proofs { IP):1. An interactive proof system (ips) for a language L is a pair (P; V ) of interactive machines,so that V is probabilistic polynomial-time, satisfying� Completeness: For every x 2 L the veri�er V always accepts after interacting with theprover P on common input x.� Soundness: For every x 62 L and every potential prover P �, the veri�er V rejects withprobability at least 12, after interacting with P � on common input x.2. Let m and r be integer functions. The complexity class IP(m(�); r(�)) consists of languageshaving an interactive proof system in which, on common input x, the veri�er uses at mostr(jxj) coin tosses and the total number of messages exchanged between the parties is boundedby m(jxj).3. LetM and R be set of functions. Then, IP(M;R) denotes [m2M;r2RIP(m(�); r(�)). Denoteby poly the set of all polynomials and by log the set of all integer functions bounded byO(logn). Finally, IP(m(�)) def= IP(m(�); poly) and IP def= IP(poly).In Item (1), I have followed the standard de�nition which speci�es both the veri�er and theprover. An alternative presentation only speci�es the veri�er while rephrasing the completenesscondition as follows: There exists a (prover) machine P so that, for every x 2 L, the veri�er Valways accepts after interacting with P on common input x. I wish to stress that although wehave relaxed the requirements from the veri�cation procedure, by allowing it to interact and tosscoins, we did not restrict the validity of its assertions by assumptions concerning the potentialprover. (This should be contrasted with later notions of proof systems, such as computationally-sound ones and multi-prover ones, in which the validity of the veri�er's assertions depends onassumptions concerning the external proving entity.)2Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

Known resultsClearly, IP(0; poly) equals BPP, whereas IP(1; 0) equals NP. Hence, IP � IP(1; poly)contains BPP [NP , while we currently do not know whether NP contains BPP . It is also easyto see that IP(0; log) collapses to IP(0; 0) = P , whereas IP(poly; log) collapses to IP(1; 0) =NP. The main result concerning interactive proof systems, is that they exist for any languagerecognizable in polynomial-space. Namely,Theorem 1 [46]: IP = PSPACE.Concerning the �ner structure of the IP hierarchy the following is known:� For every integer function, f , so that f(n) � 2 for all n, the class IP(O(f(�))) collapses tothe class IP(f(�)), and in particular IP(O(1)) collapses to IP(2) [7].� The class IP(2) contains languages not known to be in NP ; e.g., Graph Non-Isomorphism[28].� The class IP(2) is contained in nonuniform-NP.� If coNP � IP(2) then the polynomial-time hierarchy collapses [13].It is conjectured that coNP is not contained in IP(2), and consequently that interactive proofswith unbounded number of message exchanges are more powerful than interactive proofs in whichonly a bounded (i.e., constant) number of messages are exchanged.Zero-KnowledgeZero-knowledge is a central notion in cryptography. Here, I wish only to discuss its conceptualsigni�cance to the theory of proof systems. Zero-knowledge proofs are interesting as they exhibita somewhat extreme contrast between being convinced of the validity of a statement and learninganything in addition while receiving such a convincing proof. Namely, zero-knowledge proofs havethe remarkable property of being both convincing while yielding nothing to the veri�er, beyondthe fact that the statement is valid.The formulation of the statement \(P; V ) is a zero-knowledge proof system for the languageL" considers two probability distributions, for each input x in L1. The output distribution of the veri�er2 after interacting with the prover P on commoninput x.2. The output distribution of some probabilistic polynomial-time machine (not interactingwith anyone), on input x.2not necessarily the one speci�ed (i.e., V ) { yet, for sake of simplicity this issue is ignored here.3Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

The basic paradigm of zero-knowledge asserts that for every distribution of type (1) there exista \similar" distribution of type (2). The speci�c variants di�er by the interpretation given to`similarity'. The most strict interpretation, leading to perfect zero-knowledge, is that similaritymeans equality. A somewhat relaxed interpretation, leading to almost-perfect zero-knowledge, isthat similarity means statistical closeness (i.e., negligible di�erence between the distributions).The most liberal interpretation, leading to the standard usage of the term zero-knowledge (andsometimes referred to as computation zero-knowledge), is that similarity means computationalindistinguishability (i.e., failure of any e�cient procedure to tell the two distributions apart).The most important result concerning zero-knowledge is that, assuming the existence of one-way functions, each language in NP (and actually even in IP) has a zero-knowledge interactiveproof system [28, 42, 31, 16]. This result should be contrasted with the results regarding thecomplexity of almost-perfect zero-knowledge proof systems; namely, that such proof systems existonly for languages in IP(2) \ coIP(2) [23, 1]. Also, a very recent result seems to indicate thatone-way functions are essential for the existence of zero-knowledge proofs for hard languages (i.e.,languages which cannot be decided in average polynomial-time)[43].How powerful should the prover be?Assume that a language L is in IP . This means that there is a veri�er V that can be convincedto accept any input in L but cannot be convinced to accept any input not in L. One can ask howpowerful should a prover be so that it can convince the veri�er V to accept any input in L. Moreinterestingly, considering all possible veri�ers which give rise to an interactive proof system for L,what is the minimum power required from a prover which satis�es the completeness requirementwith respect to one of these veri�ers? We stress that, unlike the case of computationally-soundproof systems (discussed below), we do not restrict the power of the prover in the soundnesscondition but rather consider the minimum complexity of provers meeting the completenesscondition. Speci�cally, we are interested in relatively e�cient provers (meeting the completenesscondition). The term `relatively e�cient prover' has been given three di�erent interpretations.1. A prover is considered relatively e�cient if, when given an auxiliary input (in additionto the common input in L), it works in (probabilistic) polynomial-time. Speci�cally, incase L 2 NP, the auxiliary input maybe an NP-witness that the common input is in thelanguage3. This interpretation is adequate and in fact crucial for applications in whichsuch an auxiliary input is available to the otherwise polynomial-time parties. Typically,the auxiliary input is available in cryptographic applications in which both the input and aNP-witness for it are generated by some party who later wishes to prove (in zero-knowledge)that the input is in the language.2. A prover is considered relatively e�cient if it can be implemented by a probabilistic polynomial-time oracle machine with oracle access to the language L itself. This interpretation general-3Even in this case the interactive proof need not consist of the prover sending the auxiliary input; e.g., analternative procedure may allow the prover to be zero-knowledge! See [28].4Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

izes the notion of self-reducibility of NP-languages. (By self-reducibility of an NP-languageI mean that the search problem of �nding an NP-witness is Cook-reducible to decidingmembership in the language.)3. A prover is considered relatively e�cient if it can be implemented by a probabilistic machinewhich runs in time which is polynomial in the deterministic complexity of the language.This interpretation relates the di�culty of convincing a very lazy veri�er to the complexityof �nding the truth alone. Hence, in contrast to the �rst interpretation which is adequate insettings where theorems are generated alone with their NP-proofs, the current interpretationis adequate in settings in which the prover is given only the theorem and has to �nd a proofto it by itself (before trying to convince a lazy veri�er of its validity).2.2 MIP and PCPIn contrast to the setting of interactive proofs, where no restrictions have been placed on theprover, the two settings discussed in this section do impose restrictions on the prover. Inter-estingly, the power of the proof system is increased by these restrictions, unless PSPACE =NEXPT IME (in which case the systems are equally powerful). Jumping ahead, I wish to stressthat there is nothing wrong in the fact that a proof system becomes more powerful once the proveris restricted. Indeed, this restricts the prover's abilities in case the input is in the language; but italso restricts the prover's ability in case the input is not in the language. Thus, when restrictingthe prover, the power of the proof system can change in an arbitrary way (and in particular {stay the same).But what is the justi�cation for restricting the prover? One answer is that in particularapplications this restriction can be imposed (on the potential provers). A second answer is thatthis restriction yields an alternative characterization for an interesting complexity class (i.e.,NP)and that this alternative characterization enables one to get important results.Multi-Prover Interactive Proof Systems (MIP)In the multi-prover interactive proof setting, the prover is split into two (or more) entities and therestriction (or assumption) is that these entities cannot interact with each other. Actually, theformulation allows them to coordinate their strategies prior to interacting with the veri�er4 but itis crucial that they don't exchange messages among themselves while interacting with the veri�er.It is customary to call each of these proving-entities a `prover' and hence the term `multi-proverproof systems'. It turns out that two-prover systems are as powerful as multi-prover ones (evensuch in which the number of provers is a parameter that is polynomially related to the inputlength). For sake of concreteness, a de�nition of two-prover proof systems is given below.De�nition 2 (Two-Prover Interactive Proofs): A two-prover interactive proof system for a lan-guage L is a triplet (P1; P2; V ) of interactive machines, so that V is probabilistic polynomial-time,4This is implicit in the universal quanti�er used in the soundness condition.5Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

satisfying� Completeness: For every x 2 L the veri�er V always accepts after interacting separatelyand concurrently with the provers P1 and P2, on common input x.� Soundness: For every x 62 L and every potential pair of provers, P �1 and P �2 , the veri�erV rejects with probability at least 12, after interacting separately and concurrently with theprovers P �1 and P �2 , on common input x.The set of languages having two-prover (resp., multi-prover) proof systems is denoted by MIP2(resp., MIP).The two-prover model is reminiscent of the common police procedure of isolating collaboratingsuspects and interrogating each of them separately. A typical application in which the two-provermodel may be assumed is an ATM which veri�es the validity of a pair of smart-cards insertedin two isolated slots of the ATM. The advantage in using such a split system is that it enablespresenting (perfect) zero-knowledge proof systems to any language inNP , using no computationalassumptions [17].Probabilistically Checkable Proofs (PCP)When viewed in terms of an interactive proof system, the probabilistically checkable proof settingconsists of a prover which is memoryless. Namely, one can think of the prover as being an oracleand of the messages sent to it as being queries. A more appealing interpretation is to view theprobabilistically checkable proof setting as an alternative way of generalizing NP . Instead ofreceiving the entire proof and conducting a deterministic polynomial-time computation (as inthe case of NP), the veri�er may toss coins and query the proof only at location of its choice.Potentially, this allows the veri�er to utilize very long proofs (i.e., of super-polynomial length)or alternatively receive very few bits of the entire proof. The basic de�nition of the PCP settingis given in Item (1) below. Yet, the complexity measures introduced in Items (2) and (3) are ofkey importance for the subsequent discussions, and should not be ignored.De�nition 3 (Probabilistic Checkable Proofs { PCP):1. A probabilistic checkable proof system (pcp) for a language L is a probabilistic polynomial-timeoracle machine (called veri�er), denoted V , satisfying� Completeness: For every x 2 L there exists an oracle set �x so that V , on input x andaccess to oracle �x, always accepts x.� Soundness: For every x 62 L and every oracle set �, machine V , on input x and accessto oracle �, rejects x with probability at least 12 .2. Let r and q be integer functions. The complexity class PCP(r(�); q(�)) consists of languageshaving a probabilistic checkable proof system in which the veri�er on input of length n alwaysuses at most r(n) random coins and makes at most q(n) queries.6Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

3. Let R and Q be sets of functions. Then, PCP(R;Q) denotes [r2R;q2QPCP(r(�); q(�)).It should be stressed that the oracle �x in a pcp system constitutes a proof in the standardmathematical sense. (Jumping ahead, the oracles in pcp systems characterizing NP have theproperty of being NP proofs themselves.) Yet, this oracle has the extra property of enabling alazy veri�er, to toss coins, take his chances and verify the proof without reading all of it (butrather by reading a tiny portion of it).Typical application for probabilistically checkable proofs arise from settings in which theprover is committed to a single \proof" and cannot modify it depending on previous queries ofthe veri�er. (See section on computationally sound proofs).The expressive power of PCPClearly, PCP(poly; 0) equals BPP, whereas PCP(0; poly) equals NP. It is easy to prove an up-per bound on the non-deterministic time complexity of languages in the PCP hierarchy. Namely,Proposition 1 For every integer function r(�), the class PCP(r(�); poly) is contained in Non-deterministic time 2O(r(n)+logn), where n is the length of the input. Hence, PCP(log; poly) iscontained in NP.These upper bounds turn out to be tight, but proving this is much more di�cult (to say theleast).Theorem 2 [2, 3]: NP is contained in PCP(log; O(1)).I consider the proof of the above theorem as one of the most complicated proofs in computerscience and believe that it is very important to �nd a simpler proof that may �t an advancedcomplexity class. This is probably the wrong place to say that by adapting the proof of the abovetheorem, one gets alsoCorollary 1 For every (at least linear) integer function t(�), the class Ntime(t(�)) is containedin the class PCP(O(log t(n)); O(1)).Interestingly, the two complexity measures in the PCP-characterization of NP can be traded-o�as follows:Proposition 2 There exists a constant c > 1 such that for every integer function l(�), so that0� l(n)�c log2 n, NP = PCP(r(�); q(�))where r(n) = c log2 n� l(n) and q(n) = c2l(n). 7Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

proof sketch: Starting with Theorem 2, one can scan all possibilities for the l(n)-long pre�x ofthe random tape of the veri�er. 2Finally, it should be mentioned that one can convert a multi-prover interactive proof system intoa probabilistically checkable proof, and vice versa. The translation in the �rst direction is easy(i.e., just pre�x each veri�er-message by the ID of the prover), but the translation in the otherdirection is more complex.PCP and ApproximationInterestingly, Theorem 2 can be rephrases without mentioning the class PCP altogether. Instead,a new type of polynomial-time reductions, which I call amplifying, emerges.Theorem 3 (Theorem 2 { Rephrased): There exists a constant � < 1, and a polynomial-timereduction of 3SAT to itself so that the reduction maps non-satis�able 3CNF formulae to 3CNFformulae for which every truth assignment satis�es at most a fraction � of the clauses.proof sketch: Start by considering the pcp for 3SAT (guaranteed by Theorem 2). Use thefact that the pcp system used in the proof of Theorem 2 is non-adaptive5 (i.e., the queries aredetermined as a function of the input and the random-tape { and do not depend on answers toprevious queries). Next, associate the bits of the oracle with Boolean variables and introduce aBoolean formula for each possible contents of the random-tape, describing whether the veri�erwould have accepted given this contents of the random-tape. Finally, using auxiliary variables,convert each formula into CNF and obtain (as the output of the reduction) the conjunction ofall these polynomially many formulae. 2As an immediate corollary one gets results concerning the intractability of approximation. Forexample,Corollary 2 There exists a constant � < 1, so that the following approximation problem (knownas Max3Sat) is \NP-hard" (i.e., cannot be solved in polynomial-time unless P = NP):Given a satis�able 3CNF formulae, �nd a truth assignment which satis�es at least afraction � of its clauses.Consequently, for any approximation problem in the class MAX-SNP (cf. [44]), there exists aconstant so that approximating the problem up to this constant is \NP-hard". In other words,unless P = NP, there exist no polynomial-time approximation schemes (i.e., a sequence ofpolynomial-time approximation algorithms, one for each constant approximation ratio) for anyproblem in the class MAX-SNP.I believe that amplifying reductions are interesting for their own sake and may �nd other appli-cations in complexity theory.5Actually, this is not essential as one can convert an adaptive system into a non-adaptive one, while incurringan exponential blowup in the query complexity (which in our case is a constant).8Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

2.3 Computationally Sound Proof SystemsIn the two settings just discussed (i.e., MIP and PCP) the restrictions imposed on the prover wereof \physical" nature. In the current section I discuss models derived from the model of interactiveproofs by imposing computational restrictions (speci�cally, time bounds) on the prover. Althoughthis restrictions apply to potential provers in both the completeness condition and the soundnesscondition, the a�ect of the restriction is more dramatic in the soundness condition6. Hence,proof systems with computational restrictions on the potential provers are commonly referred toas `computationally sound'. The computational restriction seems to upset the puristic intuitionabout proofs (even more than the restrictions discussed in the previous section). Yet, from thepoint of view of computer science, the computational restriction is quite natural and furthermoreit is justi�ed in many applications.There are two types of computationally sound proofs. In the �rst type, called arguments, thecomputational restriction is that the potential provers, given access to an auxiliary input, run inpolynomial-time (or more generally, in time which is polynomially related to the non-determiniticcomplexity of the language). In the second type, called CS-proofs, the computational restrictionis that the potential provers run in time which is polynomially related to the deterministiccomplexity of the language (which may be polynomial also here!).ArgumentsThe de�nition of an argument system is derived from the de�nition of an interactive proof systemby modifying the completeness and soundness conditions as follows.� Completeness: The prover P runs in time polynomial in the common input. For everyx 2 L, there exists an auxiliary input (for the prover), wx, so that the veri�er V alwaysaccepts after interacting with P (wx) on common input x.� Soundness: For every probabilistic polynomial-time (in common input) machine P �, for allsu�ciently long x 62 L, and for all w 2 f0; 1g�, the veri�er V rejects with probability atleast 12 , after interacting with P �(w) on common input x.Both conditions can be rephrased by using (non-uniform) families of circuits of polynomial-size.As discussed above, argument systems are adequate for modelling the behavior of parties in areal-life setting. Under strong intractability assumptions, argument systems exhibit advantagesover interactive proofs7. Let me start by stating these assumptions.6In fact, the prover in the completeness condition typically has bounded complexity although the de�nition ofa proof system does not impose such a restriction. In particular, every language in IP has a proof system in whichthe prover works in polynomial-space. For further discussion see the preceding subsection titled \how powerfulshould the prover be?"7Below, I consider the expressing power of both models. An additional advantage of argument systems is that,under strong intractability assumptions, there exist perfect zero-knowledge arguments (rather than computationalzero-knowledge ones) for any language in NP [14]. 9Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

De�nition 4 (collision-free hashing): Consider a family of hash functions, indexed by strings,F def= ff� : f0; 1g2j�j 7! f0; 1gj�jg�, so that there exists a polynomial-time algorithm for evaluatingF (i.e., on input � and x returns f�(x)).� F is called collision-free if for every probabilistic polynomial-time algorithm A, every poly-nomial p(�) and all su�ciently large n's, the probability that A, given a uniformly chosen� 2 f0; 1gn, outputs a pair (x; y) so that f�(x)=f�(y), is bounded above by 1=p(n).� F is called strongly collision-free if there exists and � > 0 so that for every probabilisticalgorithm A running in time bounded by 2n� all su�ciently large n's, the probability that A,given a uniformly chosen � 2 f0; 1gn, outputs a pair (x; y) so that f�(x)=f�(y), is boundedabove by 2�n�Collision-free functions exist assuming the intractability of factoring Blum Integers (i.e., inpolynomial-time). Strong collision-free functions exist if such integers cannot be factored intime 2n�, for some � > 0.Theorem 4 [35]: Let L be an arbitrary language in NP.� Assuming the existence of collision-free functions it follows that for every � there exists anargument system for L in which the randomness and communication complexities of theveri�er are both bounded by n�.� Assuming the existence of strong collision-free functions, there exists an argument systemfor L in which the randomness and communication complexities of the veri�er are bothpolylogarithmic.Furthermore, the computational complexity of the veri�er is at most quadratic in the length ofthe input.Note that Theorem 4 is meaningful also in case L 2 P . On the other hand, its second part can begeneralized to L 2 Ntime(t(�)), for poly(n) � t(n) � 2poly(n), provided that the model is changedso that the provers are allowed to run in time polynomial in t(�).8 Interestingly, the results ofTheorem 4 are unlikely for interactive proof systems, due to the followingProposition 3 Let b(�) an (at least logarithmic) integer function. Suppose that a language Lhas an interactive proof system in which both the randomness and communication complexitiesof the veri�er are bounded by b(�). Then L can be decided in (deterministic) time exponential inb(�).proof sketch: consider the tree of all possible executions. 28In the generalization, the veri�er's randomness and communication complexities will be poly(log t(n)).10Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

CS-ProofsThe de�nition of a CS-proof system is derived from the de�nition of an interactive proof systemanalogously to the way the de�nition of an argument system is derived. The only di�erence isthat here the potential provers are (uniform) probabilistic machines, with no auxiliary inputs,running in time polynomial in the deterministic complexity of the language. A result analogous toTheorem 4 is obtainable also in the current setting. Speci�cally, assuming the existence of strongcollision-free functions, each language in DEXPT IME has a CS-proof system. The setting ofCS-proofs seems particularly adequate for program checking, yet in a sense di�erent from Blum's;namely, the computation of a program � on a speci�c input is checked against the program � itself(rather than against a functional description of what � is supposed to do). The prover, which isan extension of �, needs to run more time than � (but not drastically more), yet the advantage isthat a veri�er can check this long computation very fast. In contrast to a similar result obtainedin the PCP setting, there is no need to assume here that the program is memoryless, but insteadone needs to assume that its running time is bounded (though the bound may be huge) and thatsome (unprecedentially strong) intractability assumption holds.2.4 Other Types of Proof SystemsOf the other types of proof systems, I'm going to discuss only two, which are slightly problematic,and also this will be done quite abruptly.Non-InteractiveThe phrase `non-interactive' is often misleading. Indeed, the interaction between the prover andthe veri�er is minimal; it consists of the prover sending a single message (as in the case of NP).Yet, both the prover and the veri�er interact (i.e., query) extensively with a (trusted) randomoracle. Several variants of the model do exist, but this is not the place to discuss them. Yet,I'd like to say a few words on one variant which is truly non-interactive; namely, the notion of acomputationally sound non-interactive proof. This notion can be de�ned without allowing accessto a random oracle. Yet, under very strong intractability assumptions9, computationally soundnon-interactive proof systems are more powerful than NP .Proof of KnowledgeThe concept of a proof of knowledge is very appealing, yet its precise formulation is much morecomplex than one may expect. A key notion in the de�nition is that of a knowledge extractor.Loosely speaking, a knowledge-veri�er for a relation R guarantees the existence of a knowledgeextractor that on input x and access to any interactive machine P � outputs a y, so that (x; y)2R,within complexity related to the probability that the veri�er accepts x when interacting with P �.9Which have not even been speci�ed so far. 11Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

2.5 ComparisonBelow, I've tried to summarize the di�erences between the various notions of e�cient proofs ina table. The class NP has been omitted for obvious reasons. I wish to say that I view IPas the natural generalization of NP , obtained by relaxing the notion of e�cient computationso that probabilism and interaction are allowed. Except for the negligible probability of errors,which can be controlled by the veri�er, the original avour of a proof is maintained. Also, I viewPCP(log; O(1)) as an augmentation of NP with the extra property of allowing a hasty veri�erto take its chances and verify the proof in a super-fast manner. In contrast, the two notions ofcomputationally sound proof systems (i.e., arguments and CS-proofs) deviate signi�cantly fromthe conservative approach of absolute proofs. Yet, computational soundness seems adequate inmost practical settings. The only word of warning is that typical results in these settings dependon intractability assumptions, and when evaluating these results one should not ignore the relativesevereness of these assumptions.IP arguments CS-proof PCP MIPrestrictions none poly-time poly(Dtime) memoryless spliton prover + aux. input (i.e., oracle) entitymain generalize relax program augment applicationsmotivation NP IP checking NPexpressive PSPACE NP DEXPTIME10 scalable: Ntime(2l(n)),power for rnd+query = O(l(n))3 The StoryIn this section I will try to provide a historical account of the ideas which led to the excitingdevelopments concerning the various types of e�cient proof systems. My account is certainlya subjective one and it concentrates on my evaluation of the conceptual contributions, theirdeclared intentions, and their e�ect on subsequent developments.The story of these research developments, as any real story, has a complex structure thatneeds to be simpli�ed so that the reader does not get lost in its web. Thus I have broken thestory into several independent linearly-structured stories, which do cross each other. I will beginwith the story of the evolution of proof systems, and then pass to the story of their applicationsto deriving hardness results for approximation problems, program checking and zero-knowledgeproofs.3.1 The Evolution of Proof SystemsFor obvious reasons, there is no need to tell the story of NP . Our story thus starts with thede�nition of interactive proof systems.10depending on (strong) intractability assumptions 12Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

Interactive Proof SystemsMotivated by the desire to formulate the most general type of \proofs" that may be used withincryptographic protocols, Goldwasser, Micali and Racko� introduce the notion of an interactiveproof system [29]. Although the main thrust of their paper has been the introduction of a specialtype of interactive proofs (i.e., ones which are zero-knowledge), the computational complexitypotential of the class of languages possessing interactive proof systems, denoted IP , has beenpointed out.First evidence to the power of interactive proofs has been given by Goldreich, Micali andWigderson who presented an interactive proof system for Graph Non-Isomorphism [28], a lan-guage not known to be in NP . Interactive proof systems gained much attention also due tothe interest in the construction of zero-knowledge proofs for languages in NP , presented in [28](assuming the existence of one-way functions).Interestingly, Babai [4], independently11 of [29], suggested a di�erent formulation of interactiveproofs, termed Arthur-Merlin Games (and giving rise to the class AM). Syntactically, Arthur-Merlin Games are a restricted form of interactive proof systems, yet Goldwasser and Sipser havesubsequently shown that these restricted systems are as powerful as the general ones; namely,AM = IP [30]. Babai's motivation was to place some group theoretic problem, previously placedin NP under some group theoretic assumptions, \as close to NP as possible" without using anyassumptions12.Multi-Prover Interactive Proof SystemsA generalization of interactive proofs to multi-prover interactive proofs has been suggested byBen-Or, Goldwasser, Kilian and Wigderson [17]. Again, the main motivation came from zero-knowledge aspects; speci�cally, introducing multi-prover zero-knowledge proofs for NP withoutrelying on intractability assumptions. Yet, the complexity theoretic prospects of the new class,denoted MIP , have not been ignored. A more appealing, to my taste, formulation of the classMIP has been presented by Fortnow, Rompel and Sipser [25]. The latter formulation exactlycoincides with the formulation now known as probabilistically checkable proofs (i.e., PCP).Algebraic Methods Demonstrate the Power of Interactive ProofsThe amazing power of interactive proof systems has been demonstrated by using algebraic meth-ods. Typically, in order to demonstrate that a particular language is in a particular class, an11Here `independence' does not mean concurrently. Indeed, both the works of Babai and Goldwasser, Micaliand Racko� have �rst appeared in the same conference (i.e., 17th STOC of 1985), yet early versions of the paperof Goldwasser, Micali and Racko� have existed as early as 1982, have been cited as early as 1983, and have beenrejected three times from major conferences (i.e., FOCS83, STOC84, FOCS84).12Indeed, Babai placed the Matrix Representation Problem in AM using only two rounds. Interestingly, Babaiunderestimated the power of the new class, conjecturing that the class AM (even with unbounded number ofrounds) is \very close" to NP. 13Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

arithmetic generalization of the Boolean problem has been presented, and (elementary) algebraicmethods have been applied to show that the arithmetic problem is solvable within the class. Sucha procedure has been unprecedential in complexity theory13. The basic technique has been in-troduced by Lund, Fortnow, Karlo� and Nisan, who applied it to show that the polynomial-timehierarchy (and actually P ]P ) is in IP [39]. Subsequently, Shamir used the technique to show thatIP = PSPACE [46], and Babai, Fortnow and Lund used it to show thatMIP = NEXPT IME[5]. The technique of Lund, Fortnow, Karlo� and Nisan has been inspired by ideas coming fromworks on \program checking" (cf., [18]). In particular, the interactive proof system for thepermanent combines Lipton's \self-testing" procedure for the permanent (which represents thepermanent as a multi-linear polynomial) [36], and the \downwards self-reducibility" procedureof Blum, Luby and Rubinfeld [19]. Another idea which is implicit in [39] and made explicit inthe subsequent works of [46, 5] is the representation, introduced by Beaver and Feigenbaum [8],of Boolean formulae as multi-linear polynomials.It may be of interest to note that the technique of Lund et. al., has been �rst applied in thecontext of multi-prover interactive proofs, yielding P ]P �MIP, and that the result quoted above(concerning IP) followed later. Hence, MIP has played a role in the historical developmentleading to the characterization of IP .Scaling Down the BFL-proofs Yields a New ClassThe fact that the abovementioned Babai-Fortnow-Lund (BFL) proof systems can be \scaled-down" (from NEXPT IME to NP) has been discovered independently by two sets of authors14:Babai, Fortnow, Levin and Szegedy [6] and Feige, Goldwasser, Lovasz, Safra and Szegedy [24].However, the manner in which the BFL proof is scaled-down is di�erent in the two papers, andso are the consequences of the scaling-down.Babai, Fortnow, Levin and Szegedy start by considering only inputs encoded using a specialerror-correcting code. The encoding of strings, relative to the error-correcting code, can be com-puted in polynomial-time. Similarly, there exists a polynomial-time algorithm which transformsNP-witnesses (to inputs in a language L 2 NP) into \proofs" which can be veri�ed in (proba-bilistic) polylogarithmic time. (The fact that the veri�cation procedure never reads the entire\proof" should not come as a surprise, as the procedures of [39, 46, 5] also have this property).Consequently, once \statements" and \proofs" are in the right form, veri�cation is \super-fast".Babai et. al. [6] stress the practical aspects of this fact; speci�cally, for rapidly checking longcomputations.In the proof system of Babai et. al. [6], the total running-time of the veri�er is reduced (i.e.,13In particular, the technique \does not relativize". Furthermore, the technique yields results (e.g., IP =PSPACE) which are false relative to most oracles, providing a dramatic refute of the \Random Oracle Hypothesis",see [20].14The non-empty intersection of these sets should indeed raise some eyebrows. The story is that Szegedy joinedthe second paper at a later stage. 14Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

\scaled-down") to polylogarithmic (and consequently both the randomness and query complexityof the veri�er are so bounded). In contrast, in the proof system of Feige, Goldwasser, Lovasz,Safra and Szegedy [24], the veri�er stays polynomial-time and only two more re�ned complexitymeasures, speci�cally randomness and query complexities, are reduced to polylogarithmic. Thiseliminates the need to assume that the input is in a special error-correcting form, and yields amore appealing (i.e., less cumbersome) complexity class. This complexity class is a re�nementof the class introduced by Fortnow, Rompel and Sipser [25]. The re�nement is obtained byspecifying the randomness and queries complexities. Namely, PCP(r(�); q(�)) denotes the classof languages having probabilistically checkable proofs in which, on input x, the veri�er tosses atmost r(jxj) coins and makes at most q(jxj) (Boolean) queries to the proof. Hence, whereas theresult of Babai, Fortnow and Lund can be restated asNEXPT IME = PCP(poly; poly);the result of Feige et. al. is restated asNP � PCP(f(�); f(�)) ; where f(n) = O(logn � log logn).Interest in the new complexity class became immense since Feige et. al. demonstrated its relevanceto proving the intractability of approximating some combinatorial problems (speci�cally, Max-Clique). I will elaborate on this aspect of their work in a subsequent section. Momentarily, Ionly wish to point out that, when using the method of Feige et. al., the randomness and querycomplexities of the veri�er (in a pcp system for an NP-complete language) relate directly to thesimulation time of NP . Speci�cally, the simulation time is exponential in these complexities.This fact provided a very strong motivation for trying to reduce these complexities and providea tight characterization of NP in terms of PCP(�; �).Tightening the Relation between NP and PCPOnce the work of Feige et. al. [24] has been presented, the challenge was clear: showing that NPequals PCP(log; log). This challenge has been met by Arora and Safra [3]. The proof systemconstructed by Arora and Safra is very complex, involving recursive use of proof systems andconcatenation tests which are much more e�cient than the length of strings tested. Actually,Arora and Safra showed thatNP = PCP(log; f(�)) ; where f(n) = o(logn).Hence, a new challenge arose: namely, further reducing the query-complexity, and in particularto a constant, while maintaining the logarithmic randmoness-complexity. Again, additional mo-tivation for this challenge came from the relevance of such a result to the study of approximationproblems (see subsequent section). The new challenge has been met by Arora, Lund, Motwani,Sudan and Szegedy [2] and is captured by the equationNP = PCP(log; O(1))15Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

In addition to building on the ideas of Arora and Safra [3], the above result of [2] utilizes ideasand techniques from the works on self-testing/self-correcting [19], degree-test for multi-variantpolynomials [27, 45], and parallelization of multi-prover proof systems [37].Computationally Sound Proof SystemsComputationally-sound proofs (also known as `arguments') were de�ne in 1986 by Brassard,Chaum and Crepeau [14], but their complexity theoretic signi�cance became apparent only in1992. This happened when Kilian, using early results on PCP (due to [24]), showed that, undersome intractability assumptions, every language in NP has a computationally-sound proof inwhich the randomness and communication complexities are polylogarithmic [35].Recently, Micali has suggested a new type of proof systems which he also calls computationally-sound proofs (or CS proofs) [41]. This recycling of the term `computationally-sound proofs' islikely to cause a lot of confusion in the future. The confusion will be ampli�ed by the fact thatin some works, and in particular in [14], the original computationally sound proofs (arguments)are negligently referred to as `interactive proofs'. In case the reader is confused, I can only o�erhim/her my sympathy.Confusion has been created also regarding the credits concerning the construction of verye�cient computationally sound proof systems. As stated above, the basic construction is due toKilian [35]. Micali showed that this construction can be applied also for languages beyond NP ,and more importantly that using interaction with a trusted random oracle allows to get rid ofthe interaction between the parties as well as of the intractability assumptions [41].Other Types of Proof SystemsTwo additional types of proof systems are the so-called15 non-interactive proofs and proofs ofknowledge. The setting of non-interactive proofs was �rst formulated by Blum, Feldman andMicali [12]. Since then, several variants of the model has appeared, but I don't wish to elaborateon these complex issues. The concept of proofs of knowledge was introduced in the paper ofGoldwasser, Micali and Racko� [29], but it is only recently that it has been given a satisfactoryformal treatment [10].3.2 PCP and ApproximationIt has been stated above that probabilistic checkable proofs became the focus of so much attentiondue to their relation to the di�culty of approximation.The relation between PCP and approximation was �rst pointed out by Feige, Goldwasser,Lovasz, Safra and Szegedy [24]. Speci�cally, they showed how to construct a graph representingthe possible computations of a veri�er on a speci�c input so that the size of the maximum cliquein this graph equals the accepting probability (scaled down by an easy to determined factor).15As I have remarked in the technical part, I �nd these terms, and especially the �rst one, quite misleading.16Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

The time needed to construct the graph is (linearly) exponential in the randomness and querycomplexity of the probabilistic checkable proof. It follows, for example, that a polynomial-timealgorithm approximating Clique, up to a constant factor, yields an algorithm for deciding alanguage in PCP(r(�); q(�)) running in time 2r(n)+q(n) � poly(n).Although Feige et. al. only related PCP to the approximation of MaxClique, many researchersunderstood that the relation between PCP and approximation cannot be speci�c only to the cliqueproblem. The question was how well do the results for clique translate to other approximationproblems, or alternatively whether better results can be obtained by �rst relating PCP to theapproximation of a di�erent problem.It turned out that better results are possible when treating the two complexity measuresof PCP (i.e., randomness and query complexities) separately. In particular, languages in theclass PCP(r(�); O(1)) are naturally represented by 3CNF formulae of size O(2r(n)), so that if theinput is in the language then the formula is satis�able and otherwise no truth assignment cansatisfy more than a constant (< 1) fraction of its clauses16. Furthermore, the time required tocompute this formula is (linearly) exponential in r(�). These facts were observed by Arora, Lund,Motwani, Sudan and Szegedy [2] (and independently by many other researchers) 17. Hence,for example, a polynomial-time approximation scheme for Max3SAT yields a polynomial-timedecision procedure for any language in PCP(log; O(1)). An important point is that Max3SAT iseasier than MaxClique 18 and hence an intractability result for it is more impressive. Furthermore,since Max3SAT is complete for the class MAX-SNP [44], it followed that each problem in thatclass is hard to approximate to within some constant factor.The results in [24, 3, 2] have renewed the interest in the complexity of approximation prob-lems, after many years of frustration. Subsequent works establish the hardness of approximationproblems by using one of the following two methods.1. generic reductions from PCP/MIP: Reducing the evaluation of the acceptance probabilityof a PCP/MIP system to the approximation problem being considered (cf., Bellare [9],Lund and Yannakakis [40]). Furthermore, sometimes such a reduction is coupled with anew PCP/MIP system which is more e�cient in some parameters yielding stronger negativeresults than those obtained by reducing previously known PCP/MIP systems (cf., Bellare,Goldwasser, Lund and Russell [11]).2. reductions among approximation problems: The newly acquired collection of hard approx-imation problems motivates and facilitates the attempts to prove the hardness of newproblems by using approximation-preserving reductions. Typical examples are given in theworks of Lund and Yannakakis [40] and Khanna, Linial and Safra [34].16See technical part.17Thus, the main contribution of Arora et. al. is in proving that NP = PCP(log; O(1)).18In particular, Max3SAT can be easily approximated to within a 7=8 factor, whereas approximating MaxCliqueto within any constant is as hard/easy as approximating it to within another factor.17Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

3.3 Interactive Proofs and Program CheckingWhen introducing the concept of program checking, Blum was indeed aware of its relation tointeractive proof systems. In particular, his program checker for Graph Isomorphism mimicsthe interactive proof of [28]. Subsequently, the developments of the two concepts (i.e., programchecking and e�cient proof systems) have continued to intersect. The contribution of programchecking techniques to the results concerning IP and PCP has been discussed above. Here I wishto further discuss the opposite direction in which various proof systems have yielded applicationsto program checking.In [6], Babai, Fortnow, Levin and Szegedy stress the application of their result to programchecking. At the expense of having the powerful computer make some extra work, its computationcan be checked by a much weaker computer. Checking in their context is an interactive processin which both computers take place. Furthermore, the checker only checks that the computationis a valid one { it does not check the �nal result against the correct value of the desired function.Recently, Micali showed that using short non-interactive CS-proofs one can transform pro-grams to ones that in addition to the result of the computation supply a certi�cate to the validityof the computation. This certi�cate can then be checked in time which is negligible compared tothe original computation. The conditions under which this result holds are quite complex.3.4 Zero-Knowledge ProofsAs mentioned a few times above, the search for zero-knowledge proofs has been the driving forcebehind many of the de�nitions of interactive proof systems. In particular, zero-knowledge hasmotivated the �rst leap beyond NP taken when interactive proofs were conceived by Goldwasser,Micali and Racko�. The reason being that a more liberal notion of a proof seemed (and in fact is)necessary in order to enable simulation of the transcript without ability to do the real interaction.Hence, besides the apparent strengthening of expressive power, interactive proof system do o�ersome properties (speci�cally, zero-knowledge) which cannot be o�ered by an NP-proof system.The wide applicability of zero-knowledge proofs has been demonstrated by Goldreich, Micaliand Wigderson [28]. Most importantly, they showed how to construct zero-knowledge proofsystems for any language in NP .19 Their construction uses a cryptographic primitive called acommitment scheme that may be implemented using any one-way function [31, 42]. Actually,under the same assumption, zero-knowledge proofs exists for any language in IP [32, 16], butthis elegant result has almost no applications.Subsequently, zero-knowledge proofs have become the focus of much attention in crypto-graphic cycles and, as one may expect, many interesting results followed. But this is a story fora separate essay.19Some sources credit Brassard and Crepeau [15] for independently discovering the same result. Firstly, this isinaccurate since Brassard and Crepeau use a much stronger intractability assumption; speci�cally, the intractabilityof the Quadratic Residousity Problem. Furthermore, their discovery took place after they have heard of the resultof Goldreich, Micali and Wigderson. 18Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

AcknowledgementsI am grateful to Sha� Goldwasser and Dana Ron for helpful remarks.References[1] W. Aiello and J. Hastad. Perfect Zero-Knowledge Languages can be Recognized in Two Rounds. In 28thFOCS, pages 439{448, 1987.[2] S. Arora, C. Lund, R. Motwani, M. Sudan and M. Szegedy. Proof Veri�cation and Intractability of Ap-proximation Problems. In 33rd FOCS, pages 14{23, 1992.[3] S. Arora and S. Safra. Probabilistic Checkable Proofs: A New Characterization of NP. In 33rd FOCS,pages 1{13, 1992.[4] L. Babai. Trading Group Theory for Randomness. In 17th STOC, pages 421{420, 1985.[5] L. Babai, L. Fortnow, and C. Lund. Non-Deterministic Exponential Time has Two-Prover InteractiveProtocols. In 31st FOCS, pages 16{25, 1990.[6] L. Babai, L. Fortnow, L. Levin, and M. Szegedy. Checking Computations in Polylogarithmic Time. In 23rdSTOC, pages 21{31, 1991.[7] L. Babai and S. Moran. Arthur-Merlin Games: A Randomized Proof System and a Hierarchy of ComplexityClasses. JCSS, Vol. 36, pp. 254{276, 1988.[8] D. Beaver and J. Feigenbaum. Hiding Instances in Multioracle Queries. In 7th STACS, Springer Verlag,LNCS Vol. 415, pages 37{48, 1990.[9] M. Bellare. Interactive Proofs and Approximation: Reductions from Two Provers in One Round. In Proc.2nd Israel Symp. on Theory of Computing and Systems (ISTCS93), IEEE Computer Society Press, pages266{274, 1993.[10] M. Bellare and O. Goldreich. On De�ning Proofs of Knowledge. In Crypto92.[11] M. Bellare, S. Goldwasser, C. Lund and A. Russell. E�cient Probabilistically Checkable Proofs and Appli-cations to Approximation. In 25th STOC, pages 294{304, 1993.[12] M. Blum, P. Feldman and S. Micali. Non-Interactive Zero-Knowledge and its Applications. In 20th STOC,pages 103{112, 1988.[13] R. Boppana, J. Hastad, and S. Zachos. Does Co-NP Have Short Interactive Proofs? IPL, 25, May 1987,pp. 127-132.[14] G. Brassard, D. Chaum and C. Cr�epeau. Minimum Disclosure Proofs of Knowledge. JCSS, pages 156{189,1988.[15] G. Brassard and C. Cr�epeau. Zero-Knowledge Simulation of Boolean Circuits. In Crypto86, Springer Verlag,LNCS Vol. 263, pages 223{233, 1987.[16] M. Ben-Or, O. Goldreich, S. Goldwasser, J. Hastad, J. Kilian, S. Micali and P. Rogaway. EverythingProvable is Probable in Zero-Knowledge. In Crypto88, Springer Verlag, LNCS Vol. 403, pages 37{56, 1990[17] M. Ben-Or, S. Goldwasser, J. Kilian and A. Wigderson. Multi-Prover Interactive Proofs: How to RemoveIntractability. In 20th STOC, pages 113{131, 1988.[18] M. Blum and S. Kannan. Designing Programs that Check their Work. In 21st STOC, pages 86{97, 1989.[19] M. Blum, M. Luby, R. Rubinfeld. Self-Testing/Correcting with Applications to Numerical Problems. In22th STOC, pages 73{83, 1990.[20] R. Chang, B. Chor, O. Goldreich, J. Hartmanis, J. Hastad, D. Ranjan, and P. Rohatgi. The Random OracleHypothesis is False. to appear in JCSS. 19Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

[21] S. A. Cook. The Complexity of Theorem-Proving Procedures. In 3rd STOC, pages 151{158, 1971.[22] U. Feige. NEXPTIME Has Two-Provers One-Round Proof Systems With Exponentially Small Error Prob-ability. manuscript, 1991.[23] L. Fortnow, The Complexity of Perfect Zero-Knowledge. In 19th STOC, pages 204{209, 1987.[24] U. Feige, S. Goldwasser, L. Lov�asz, S. Safra, and M. Szegedy. Approximating Clique is almost NP-complete.In 32nd FOCS, pages 2{12, 1991.[25] L. Fortnow, J. Rompel and M. Sipser. On the Power of Multi-Prover Interactive Protocols. In Proc. 3rdIEEE Symp. on Structure in Complexity Theory, pages 156{161, 1988.[26] Michael R. Garey and David S. Johnson. Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman, 1979.[27] P. Gemmell, R. Lipton, R. Rubinfeld, M. Sudan, and A. Wigderson. Self-Testing/Correcting for Polynomialsand for Approximate Functions. In 23th STOC, pages 32{42, 1991.[28] O. Goldreich, S. Micali and A. Wigderson. Proofs that Yield Nothing but their Validity or All Languagesin NP Have Zero-Knowledge Proof Systems. JACM, Vol. 38, No. 1, pages 691{729, 1991.[29] S. Goldwasser, S. Micali and C. Racko�. The Knowledge Complexity of Interactive Proof Systems. SIAMJournal on Computing, Vol. 18, pages 186{208, 1989.[30] S. Goldwasser and M. Sipser. Private Coins versus Public Coins in Interactive Proof Systems. In 18thSTOC, pages 59{68, 1986.[31] J. Hastad, R. Impagliazzo, L.A. Levin and M. Luby. Construction of Pseudorandom Generator from anyOne-Way Function. manuscript, 1993.[32] R. Impagliazzo and M. Yung. Direct Zero-Knowledge Computations. In Crypto87, Springer Verlag, LNCSVol. 293, pages 40{51, 1987.[33] R.M. Karp. Reducibility Among Combinatorial Problems. In Complexity of Computer Computations,(Raymond E. Miller and James W. Thatcher, eds.), Plenum Press, pages 85{103, 1972.[34] S. Khanna, N. Linial and S. Safra. On the Hardness of Approximating the Chromatic Number. In Proc.2nd Israel Symp. on Theory of Computing and Systems (ISTCS93), IEEE Computer Society Press, pages250{260, 1993.[35] J. Kilian. A Note on E�cient Zero-Knowledge Proofs and Arguments. In 24th STOC, pages 723{732, 1992.[36] R.J. Lipton. New Directions in Testing, manuscript, 1989.[37] D. Lapidot and A. Shamir. Fully Parallelized Multi Prover Protocols for NEXP-time. In 32nd FOCS, pages13{18, 1991.[38] L. Levin. Universal'ny��e pereborny��e zadachi (universal search problems : in russian). Problemy PeredachiInformatsii, 9 (3), pages 265{266, 1973.[39] C. Lund, L. Fortnow, H. Karlo�, and N. Nisan. Algebraic Methods for Interactive Proof Systems. In 31stFOCS, pages 2{10, 1990.[40] C. Lund and M. Yannakakis. On the Hardness of Approximating Minimization Problems, In 25th STOC,pages 286{293, 1993.[41] S. Micali. CS Proofs. manuscript, 1992.[42] M. Naor. Bit Commitment using Pseudorandom Generators. Crypto89, pages 123{132, 1990[43] R. Ostrovsky and A. Wigderson. One-Way Functions are essential for Non-Trivial Zero-Knowledge, InProc. 2nd Israel Symp. on Theory of Computing and Systems (ISTCS93), IEEE Computer Society Press,pages 3{17, 1993. 20Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93

[44] C. H. Papadimitriou and M. Yannakakis. Optimization, Approximation, and Complexity Classes. In 20thSTOC, pages 229{234, 1988.[45] R. Rubinfeld and M. Sudan. Testing Polynomial Functions E�ciently and over Rational Domains. In Proc.3rd Annual ACM-SIAM Symp. on Discrete Algorithms, pages 23{32, 1992.[46] A. Shamir. IP=PSPACE. In 31st FOCS, pages 11{15, 1990.

21Tec

hnio

n -

Com

pute

r Sc

ienc

e D

epar

tmen

t - T

echn

ical

Rep

ort

CS0

786

- 19

93