Interactive PCP

  • Authors:

  • Yael Tauman Kalai;Ran Raz

  • Affiliations:

  • No Affiliations,;No Affiliations,

  • Venue:
  • ICALP '08 Proceedings of the 35th international colloquium on Automata, Languages and Programming, Part II
  • Year:
  • 2008

Quantified Score

Hi-index 0.01

Visualization

Abstract

A central line of research in the area of PCPs is devoted to constructing short PCPs. In this paper, we show that if we allow an additional interactive verification phase, with very low communication complexity, then for some NP languages, one can construct PCPs that are significantly shorter than the known PCPs (without the additional interactive phase) for these languages. We give many cryptographical applications and motivations for our results and for the study of the new model in general.More specifically, we study a new model of proofs: interactive-PCP. Roughly speaking, an interactive-PCP (say, for the membership x茂戮驴 L) is a proof-string that can be verified by reading only one of its bits, with the help of an interactive-proof with very small communication complexity. We show that for membership in some NP languages L, there are interactive-PCPs that are significantly shorter than the known (non-interactive) PCPs for these languages.Our main result is that for any constant depth Boolean formula 茂戮驴(z1,...,zk) of size n(over the gates 茂戮驴 , 茂戮驴 , 茂戮驴 , ¬), a prover, Alice, can publish a proof-string for the satisfiability of 茂戮驴, where the size of the proof-string is poly(k). Later on, any user who wishes to verify the published proof-string needs to interact with Alice via a short interactive protocol of communication complexity poly(logn), while accessing the proof-string at a single location.Note that the size of the published proof-string is poly(k), rather than poly(n), i.e., the size is polynomial in the size of the witness, rather than polynomial in the size of the instance. This compares to the known (non-interactive) PCPs that are of size polynomial in the size of the instance. By reductions, this result extends to many other central NP languages (e.g., SAT, k-clique, Vertex-Cover, etc.).More generally, we show that the satisfiability of $\bigwedge_{i=1}^n[\Phi_i(z_1,\ldots,z_k) =0]$, where each 茂戮驴i(z1,...,zk) is an arithmetic formula of size n(say, over $\mathbb{GF}[2]$) that computes a polynomial of degree d, can be proved by a published proof-string of size poly(k,d). Later on, any user who wishes to verify the published proof-string needs to interact with the prover via an interactive protocol of communication complexity poly(d,logn), while accessing the proof-string at a single location.We give many applications and motivations for our results and for the study of the notion of interactive PCP in general. In particular, we have the following applications:Succinct zero knowledge proofs:We show that any interactive PCP, with certain properties, can be converted into a zero-knowledge interactive proof. We use this to construct zero-knowledge proofs of communication complexity polynomial in the size of the witness, rather than polynomial in the size of the instance, for many NP languages.Succinct probabilistically checkable arguments:In a subsequent paper, we study the new notion of probabilistically checkable argument, and show that any interactive PCP, with certain properties, translates into a probabilistically checkable argument [18]. We use this to construct probabilistically checkable arguments of size polynomial in the size of the witness, rather than polynomial in the size of the instance, for many NP languages.Commit-Reveal schemes:We show that Alice can commit to a string wof kbits, by a message of size poly(k), and later on, for any predicate 茂戮驴of size n, whose satisfiability can be proved by an efficient enough interactive PCP with certain properties, Alice can prove the statement 茂戮驴(w) = 1, by a zero-knowledge interactive proof with communication complexity poly(logn). (Surprisingly, the communication complexity may be significantly smaller than kand n).