We determine the exact power of two-prover inter-active proof systems introduced by Ben-Or, Goldwasser, Kilian, and Wigderson (1988). In this system, two all-powerful non-communicating provers convince a randomizing polynomial time verifier in polynomial time that the input z belongs to the language L. It was previously suspected (and proved in a relativized sense) that coNP-complete languages do not admit such proof systems. In sharp contrast, we show that the class of languages having two-prover interactive proof systems is nondeterministic exponential time. After the recent results that all languages in PSPACE have single prover interactive proofs (Lund, Fortnow, Karloff, Nisan, and Shamir), this represents a further step demonstrating the unexpectedly immense power of randomization and interaction in efficient provability. Indeed, it follows that multiple provers with coins are strictly stronger than without, since NEXP # NP. In particular, for the first time, prov-ably polynomial time intractable languages turn out to admit “efficient proof systems’’ since NEXP # P. We show that to prove membership in languages in EXP, the honest provers need the power of EXP only. A consequence, linking more standard concepts of structural complexity, states that if EX P has poly-nomial size circuits then EXP = Cg = MA. The first part of the proof of the main result ex-tends recent techniques of polynomial extrapolation of truth values used in the single prover case. The second part is a verification scheme for multilinearity of an n-variable function held by an oracle and can be viewed as an independent result on program verification. Its proof rests on combinatorial techniques including the estimation of the expansion rate of a graph.

We show that a parallel repetition of any two-prover one-round proof system (MIP(2, 1)) decreases the probability of error at an exponential rate. No constructive bound was previously known. The constant in the exponent (in our analysis) depends only on the original probability of error and on the total number of possible answers of the two provers. The dependency on the total number of possible answers is logarithmic, which was recently proved to be almost the best possible [U. Feige and O. Verbitsky, Proc. 11th Annual IEEE Conference on Computational Complexity, IEEE Computer Society Press, Los Alamitos, CA, 1996, pp. 70--76].

this paper we consider a further generalization of the proof system model, due to Ben-Or, Goldwasser, Kilian and Wigderson [6], where instead of a single prover there may be many. This apparently gives the model additional power. The intuition for this may be seen by considering the case of two criminal suspects who are under interrogation to see if they are guilty of together robbing a bank. Of course they (the provers) are trying to convince Scotland Yard (the verifier) of their innocence. Assuming that they are in fact innocent, it is clear that their ability to convince the police of this is enhanced if they are questioned in separate rooms and can corroborate each other's stories without communicating. We shall see later in this paper that this sort of corroboration is the key to the additional power of multiple provers. Interactive proof systems have seen a number of important applications to cryptography [23, 22], algebraic complexity [3], program testing [7, 8] and distributed computation [16, 23]. For example, a chain of results concerning interactive proof systems [22, 3, 24, 9] conclude that if the graph isomorphism problem is NP-complete then the polynomial time hierarchy collapses. Multiple-prover interactive proof systems have also seen several important applications including the analysis of program testing [7, 4] and the complexity of approximation algorithms [14, 2, 1]. Brief summary of results: First we give a simple characterization of the power of the multi-prover model in terms of probabilistic oracle Turing machines. Then we show that every language accepted by multiple prover interactive proof systems can be computed in nondeterministic exponential time. Babai, Fortnow and Lund [4] have since shown this bound is tight. We then show results like th...

We survey definitions, known results, and open questions in the area of locally random reductions and explore the ramifications of these reductions in complexity theory. This paper is based on a survey talk given at the DIMACS Workshop on Structural Complexity and Cryptography, Rutgers University, New Brunswick NJ, December 1990. 1 Introduction We consider the question of whether a probabilistic polynomial-time machine A can compute a function f in the following manner. A interacts with one or more machines B 1 , . . ., B k that are not restricted to probabilistic polynomial time. At the end of the interaction, A can use the information obtained from the B i 's to compute f(x). However, the information that A sends to the B i 's is locally random. Informally, this means that no individual B i can use it to figure out what A's private input x is. This study can be motivated by the practical problem of using shared resources for private computations. For example, f may be a financial ...

In this work we study interactive proofs for tractable languages. The (honest) prover should be efficient and run in polynomial time, or in other words a “muggle”. 1 The verifier should be super-efficient and run in nearly-linear time. These proof systems can be used for delegating computation: a server can run a computation for a client and interactively prove the correctness of the result. The client can verify the result’s correctness in nearly-linear time (instead of running the entire computation itself). Previously, related questions were considered in the Holographic Proof setting by Babai, Fortnow, Levin and Szegedy, in the argument setting under computational assumptions by Kilian, and in the random oracle model by Micali. Our focus, however, is on the original interactive proof model where no assumptions are made on the computational power or adaptiveness of dishonest provers. Our main technical theorem gives a public coin interactive proof for any language computable by a log-space uniform boolean circuit with depth d and input length n. The verifier runs in time (n+d)·polylog(n) and space O(log(n)), the communication complexity is d · polylog(n), and the prover runs in time poly(n). In particular, for languages computable by log-space uniform N C (circuits of polylog(n) depth), the prover is efficient, the verifier runs in time n · polylog(n) and space O(log(n)), and the communication complexity is polylog(n).

. We show a rough equivalence between alternating time-space complexity and a public-coin interactive proof system with the verifier having a polynomial related time-space complexity. Special cases include ffi All of NC has interactive proofs with a log-space polynomial-time public-coin verifier vastly improving the best previous lower bound of LOGCFL for this model [7]. ffi All languages in P have interactive proofs with a polynomial-time public-coin verifier using o(log 2 n) space. ffi All exponential-time languages have interactive proof systems with public-coin polynomial-space exponential-time verifiers. To achieve better bounds, we show how to reduce a k-tape alternating Turing machine to a 1-tape alternating Turing machine with only a constant factor increase in time and space. 1. Introduction In 1981, Chandra, Kozen and Stockmeyer [4] introduced alternating Turing machines, an extension of nondeterministic computation where the Turing 1 Supported by NSF Grant CCR-900993...

We show that every language in PSPACE, or equivalently every language accepted by an unbounded round interactive proof system, has a 1-round, 2-prover interactive proof system with exponentially small error probability. To obtain this result, we prove the correctness of a simple but powerful method for parallelizing 2-prover interactive proof systems to reduce their error. 1 Introduction We describe a general methodology for parallelizing unbounded round interactive proof systems to obtain 1-round, 2-prover interactive proof systems. We show that this methodology yields a 1-round, 2-prover interactive proof system for any language in PSPACE. Our interactive proof systems have exponentially small error probability. The notion of a single-prover interactive proof system was introduced by Goldwasser, Micali and Rackoff [12] and by Babai [1] and was generalized to two and more provers by Ben-Or, Goldwasser, Kilian and Wigderson [5]. In a single-prover interactive proof system, a prover...

We survey a major collective accomplishment of the theoretical computer science community on efficiently verifiable proofs. Informally, a formal proof is transparent (or holographic) if it can be verified with large confidence by a small number of spot-checks. Recent work by a large group of researchers has shown that this seemingly paradoxical concept can be formalized and is feasible in a remarkably strong sense; every formal proof in ZF, say, can be rewritten in transparent format (proving the same theorem in a different proof system) without increasing the length of the proof by too much. This result in turn has surprising implications for the intractability of approximate solutions of a wide range of discrete optimization problems, extending the pessimistic predictions of the P-NP theory to approximate solvability. We discuss the main results on transparent proofs and their implications to discrete optimization. We give an account of several links between the two subjects as well ...

) Manuel Blum Computer Science Division U.C. Berkeley Berkeley, California 94720 Michael Luby International Computer Science Institute Berkeley, California 94704 Ronitt Rubinfeld y Computer Science Division U.C. Berkeley Berkeley, California 94720 May 17, 1990 Abstract The theory of program result checking introduced in [Blum] allows one to check that a program P correctly computes the function f on input x. The checker may use P 's outputs on other inputs to help it check that P (x) = f(x). In this setting, P is always assumed to be a fixed program, whose output on input x is a function P (x). We extend the theory to check a program P which returns a result on input x that may depend on previous questions asked of P . We call a checker that works for such a program an adaptive checker. We consider the case where there is an adaptive program that supposedly computes f running on each of several noninteracting machines. We design adaptive checkers that work for a c...

: : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : vii Chapter 1. INTRODUCTION : : : : : : : : : : : : : : : : : : : : : : : : : 1 2. PRELIMINARIES : : : : : : : : : : : : : : : : : : : : : : : : : 4 2.1 Basic Definitions : : : : : : : : : : : : : : : : : : : : : : : 4 2.1.1 Basics : : : : : : : : : : : : : : : : : : : : : : : : 4 2.1.2 Boolean Formulas : : : : : : : : : : : : : : : : : 4 2.1.3 Arithmetic Formulas and Expressions : : : : : : 5 2.2 Computational Models : : : : : : : : : : : : : : : : : : : : 9 2.2.1 Deterministic Computation : : : : : : : : : : : : 9 2.2.2 Probabilistic Computation : : : : : : : : : : : : 11 2.2.3 Non-Deterministic Computation : : : : : : : : : 12 2.2.4 Alternating Computations : : : : : : : : : : : : 13 2.2.5 Interactive Proof Systems : : : : : : : : : : : : : 13 2.2.6 Multiple Prover Interactive Proof Systems : : : 15 2.2.7 Computation relative to an Oracle : : : : : : : : 15 2.3 Complexity Classes : : : : : : : : : : : : : : : : : : : : ...