Interactive PCP 2008
- Yael Tauman Kalai ,
- Ran Raz
Automata, Languages and Programming; Lecture Notes in Computer Science, 2008 |
An interactive-PCP (say, for the membership x ∈ L) is a proof that can be verified by reading only one of its bits, with the help of a very short interactive-proof. We show that for membership in some languages L, there are interactive-PCPs that are significantly shorter than the known (non-interactive) PCPs for these languages. Our main result is that the satisfiability of a constant depth Boolean formula Φ(z1, . . . , zk) of size n (over the gates ∧, ∨, ⊕, ¬) can be proved by an interactive-PCP of size poly(k), followed by a short interactive proof of communication complexity polylog(n). That is, we obtain interactivePCPs of size polynomial in the size of the witness. This compares to the known (non-interactive) PCPs that are of size polynomial in the size of the instance. By reductions, this result extends to many other central NP languages (e.g., SAT, k-clique, Vertex-Cover, etc.). More generally, we show that the satisfiability of Vn i=1[Φi(z1, . . . , zk) = 0], where each Φi(z1, . . . , zk) is an arithmetic formula of size n (say, over GF[2]) that computes a polynomial of degree d, can be proved by an interactive-PCP of size poly(k, d), followed by a short interactive proof of communication complexity poly(d, log n). We give many cryptographic applications and motivations for our results. In particular, we show the following: 1. The satisfiability of a constant depth formula Φ(z1, . . . , zk) of size n (as above) has an interactive zero-knowledge proof of communication complexity poly(k) (rather than poly(n))1 . As before, this result extends to many other central NP languages. This zero-knowledge proof has some additional desired properties that will be elaborated on in the body of the paper. 2. Alice can commit to a Boolean formula Λ of size m, by a message of size poly(m), and later on prove to Bob any N statements of the form Λ(x1) = z1, . . . ,Λ(xN ) = zN by a zero-knowledge proof of communication complexity poly(m, log N). Moreover, if Λ is a constant depth Boolean formula then the zero-knowledge proof has communication complexity poly(log m, log N). We further motivate this application in the body of the paper.