Interactive PCP.

*(English)*Zbl 1155.68504
Aceto, Luca (ed.) et al., Automata, languages and programming. 35th international colloquium, ICALP 2008, Reykjavik, Iceland, July 7–11, 2008. Proceedings, Part II. Berlin: Springer (ISBN 978-3-540-70582-6/pbk). Lecture Notes in Computer Science 5126, 536-547 (2008).

Summary: A central line of research in the area of PCPs is devoted to constructing short PCPs. In this paper, we show that if we allow an additional interactive verification phase, with very low communication complexity, then for some NP languages, one can construct PCPs that are significantly shorter than the known PCPs (without the additional interactive phase) for these languages. We give many cryptographical applications and motivations for our results and for the study of the new model in general.

More specifically, we study a new model of proofs: interactive-PCP. Roughly speaking, an interactive-PCP (say, for the membership \(x \in L\)) is a proof-string that can be verified by reading only one of its bits, with the help of an interactive-proof with very small communication complexity. We show that for membership in some NP languages \(L\), there are interactive-PCPs that are significantly shorter than the known (non-interactive) PCPs for these languages.

Our main result is that for any constant depth Boolean formula \(\Phi (z _{1},\dots ,z _{k })\) of size \(n\) (over the gates \(\land , \vee , \oplus , \lnot )\), a prover, Alice, can publish a proof-string for the satisfiability of \(\Phi \), where the size of the proof-string is \(\text{poly}(k)\). Later on, any user who wishes to verify the published proof-string needs to interact with Alice via a short interactive protocol of communication complexity \(\text{poly}(\log n)\), while accessing the proof-string at a single location.

Note that the size of the published proof-string is \(\text{poly}(k)\), rather than \(\text{poly}(n)\), i.e., the size is polynomial in the size of the witness, rather than polynomial in the size of the instance. This compares to the known (non-interactive) PCPs that are of size polynomial in the size of the instance. By reductions, this result extends to many other central NP languages (e.g., SAT, \(k\)-clique, Vertex-Cover, etc.). More generally, we show that the satisfiability of \(\bigwedge_{i=1}^n[\Phi_i(z_1,\ldots,z_k) =0]\), where each \(\Phi _{i }(z _{1},\dots ,z _{k })\) is an arithmetic formula of size \(n\) (say, over \(\mathbb{GF}[2]\)) that computes a polynomial of degree \(d\), can be proved by a published proof-string of size \(\text{poly}(k,d)\). Later on, any user who wishes to verify the published proof-string needs to interact with the prover via an interactive protocol of communication complexity \(\text{poly}(d,\log n)\), while accessing the proof-string at a single location.

We give many applications and motivations for our results and for the study of the notion of interactive PCP in general. In particular, we have the following applications:

Succinct zero knowledge proofs: We show that any interactive PCP, with certain properties, can be converted into a zero-knowledge interactive proof. We use this to construct zero-knowledge proofs of communication complexity polynomial in the size of the witness, rather than polynomial in the size of the instance, for many NP languages.

Succinct probabilistically checkable arguments: In a subsequent paper, we study the new notion of probabilistically checkable argument, and show that any interactive PCP, with certain properties, translates into a probabilistically checkable argument. We use this to construct probabilistically checkable arguments of size polynomial in the size of the witness, rather than polynomial in the size of the instance, for many NP languages.

Commit-Reveal schemes: We show that Alice can commit to a string \(w\) of \(k\) bits, by a message of size \(\text{poly}(k)\), and later on, for any predicate \(\Phi \) of size \(n\), whose satisfiability can be proved by an efficient enough interactive PCP with certain properties, Alice can prove the statement \(\Phi (w) = 1\), by a zero-knowledge interactive proof with communication complexity \(\text{poly}(\log n)\). (Surprisingly, the communication complexity may be significantly smaller than \(k\) and \(n)\).

For the entire collection see [Zbl 1141.68001].

More specifically, we study a new model of proofs: interactive-PCP. Roughly speaking, an interactive-PCP (say, for the membership \(x \in L\)) is a proof-string that can be verified by reading only one of its bits, with the help of an interactive-proof with very small communication complexity. We show that for membership in some NP languages \(L\), there are interactive-PCPs that are significantly shorter than the known (non-interactive) PCPs for these languages.

Our main result is that for any constant depth Boolean formula \(\Phi (z _{1},\dots ,z _{k })\) of size \(n\) (over the gates \(\land , \vee , \oplus , \lnot )\), a prover, Alice, can publish a proof-string for the satisfiability of \(\Phi \), where the size of the proof-string is \(\text{poly}(k)\). Later on, any user who wishes to verify the published proof-string needs to interact with Alice via a short interactive protocol of communication complexity \(\text{poly}(\log n)\), while accessing the proof-string at a single location.

Note that the size of the published proof-string is \(\text{poly}(k)\), rather than \(\text{poly}(n)\), i.e., the size is polynomial in the size of the witness, rather than polynomial in the size of the instance. This compares to the known (non-interactive) PCPs that are of size polynomial in the size of the instance. By reductions, this result extends to many other central NP languages (e.g., SAT, \(k\)-clique, Vertex-Cover, etc.). More generally, we show that the satisfiability of \(\bigwedge_{i=1}^n[\Phi_i(z_1,\ldots,z_k) =0]\), where each \(\Phi _{i }(z _{1},\dots ,z _{k })\) is an arithmetic formula of size \(n\) (say, over \(\mathbb{GF}[2]\)) that computes a polynomial of degree \(d\), can be proved by a published proof-string of size \(\text{poly}(k,d)\). Later on, any user who wishes to verify the published proof-string needs to interact with the prover via an interactive protocol of communication complexity \(\text{poly}(d,\log n)\), while accessing the proof-string at a single location.

We give many applications and motivations for our results and for the study of the notion of interactive PCP in general. In particular, we have the following applications:

Succinct zero knowledge proofs: We show that any interactive PCP, with certain properties, can be converted into a zero-knowledge interactive proof. We use this to construct zero-knowledge proofs of communication complexity polynomial in the size of the witness, rather than polynomial in the size of the instance, for many NP languages.

Succinct probabilistically checkable arguments: In a subsequent paper, we study the new notion of probabilistically checkable argument, and show that any interactive PCP, with certain properties, translates into a probabilistically checkable argument. We use this to construct probabilistically checkable arguments of size polynomial in the size of the witness, rather than polynomial in the size of the instance, for many NP languages.

Commit-Reveal schemes: We show that Alice can commit to a string \(w\) of \(k\) bits, by a message of size \(\text{poly}(k)\), and later on, for any predicate \(\Phi \) of size \(n\), whose satisfiability can be proved by an efficient enough interactive PCP with certain properties, Alice can prove the statement \(\Phi (w) = 1\), by a zero-knowledge interactive proof with communication complexity \(\text{poly}(\log n)\). (Surprisingly, the communication complexity may be significantly smaller than \(k\) and \(n)\).

For the entire collection see [Zbl 1141.68001].

##### MSC:

68T15 | Theorem proving (deduction, resolution, etc.) (MSC2010) |

68Q25 | Analysis of algorithms and problem complexity |