
The Knowledge Complexity of Interactive Proof-Systems
(Extended Abstract)

Shafi Goldwasser (MIT), Silvio Micali (MIT), Charles Rackoff (University of Toronto)

1. Introduction

In the first part of the paper we introduce a new theorem-proving procedure, that is a new efficient method of communicating a proof. Any such method implies, directly or indirectly, a definition of proof. Our "proofs" are probabilistic in nature. On input an n-bits long statement, we may erroneously be convinced of its correctness with very small probability, say, 1/2^n, and rightfully be convinced of its correctness with very high probability, say, 1 - 1/2^n. Our proofs are interactive. To efficiently verify the correctness of a statement, the "recipient" of the proof must actively ask questions and receive answers from the "prover".

In the second part of the paper, we address the following question:

How much knowledge should be communicated for proving a theorem T?

Certainly enough to see that T is true, but usually much more. For instance, to prove that a graph is Hamiltonian it suffices to exhibit an Hamiltonian tour. This appears, however, to contain much additional knowledge than the single bit "Hamiltonian/non-Hamiltonian".

We give a computational complexity measure of knowledge and measure the amount of additional knowledge contained in proofs. We propose to classify languages according to the amount of additional knowledge that must be released for proving membership in them.

Of particular interest is the case where this additional knowledge is essentially 0 and we show that is possible to interactively prove that a number is quadratic non residue mod m releasing 0 additional knowledge. This is surprising as no efficient algorithm for deciding quadratic residuosity mod m is known when m's factorization is not given. Moreover, all known NP proofs for this problem exhibit the prime factorization of m. This indicates that adding interaction to the proving process may decrease the amount of knowledge that must be communicated in order to prove a theorem.

This research was supported in part by IBM Young Faculty Development Award dated September 1983, IBM Young Faculty Development Award dated September 1984, and NSF grant DCR-8413577.

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission.
© 1985 ACM 0-89791-151-2/85/005/0291 $00.75

2. Interactive Proof Systems

Much effort has been previously devoted to make precise the notion of a theorem-proving procedure. NP constitutes a very successful formalization of this notion. Loosely speaking, a theorem is provable in NP if its proof is easy to verify once it has been found. Let us recall Cook's [C] (and independently Levin's [L]) influential definition of NP in this light.

The NP proof-system consists of two communicating Turing machines A and B: respectively, the prover and the verifier. The prover is exponential-time, the verifier is polynomial-time. Both A and B are deterministic, read a common input and interact in a very elementary way. On input a string x, belonging to an NP language L, A computes a string y (whose length is bounded by a polynomial in the length of x) and writes y on a special tape that B can read. B then checks that f_L(y) = x (where f_L is a polynomial-time computable function relative to the language L) and, if so, halts and accepts. This process is illustrated in figure 1.

Fig. 1: The NP proof-system (1)

(1) (By ---> we denote a read/write head, by ---R--> a read-only head and by ---W--> a write-only head.)

What is intuitively required from a theorem-proving procedure? First that it is possible to "prove" a true theorem. Second, that it is impossible to "prove" a false theorem. Third, that communicating a proof should be efficient in the following sense. It does not matter how long must the prover compute during the proving process, but it is essential that the computation required from the verifier is easy.

Theorem-proving procedures differ in the underlying definition of a proof. The notion of a proof, like the notion of a computation, is an intuitive one. Intuition, however, may and must be formalized. Computability by (deterministic) Turing machines is an elegant example of formalization of the intuitive concept of a computation. Each formalization, however, cannot entirely capture our original and intuitive notions, exactly because they are intuitive. Following our intuition, probabilistic algorithms [R] [SS] are means of computing, though they are not in the previous formal model. Similarly, NP is an elegant formalization of the intuitive notion of a theorem-proving procedure. However, NP only captures a particular way of communicating a proof. It deals with those proofs that can be "written down in a book". In this paper we introduce interactive proof-systems to capture a more general way of communicating a proof. We deal with those proofs that can be "explained in class". Informally, in a classroom, the lecturer can take full advantage of the possibility of interacting with the "recipients" of the proof. They may ask questions at crucial points of the argument and receive answers. This makes life much easier. Writing down a proof that can be checked by everybody without interaction is a much harder task. In some sense, because one has to answer in advance all possible questions. Let us now formally set up the proper computational model.

2.1 Interactive Turing machines and interactive pairs of Turing machines

Fig. 2: an interactive pair of Turing machines

An interactive Turing machine (ITM) is a Turing machine with a read-only input tape, a work tape and a random tape. The random tape contains an infinite sequence of random bits. The random tape can be scanned only from left to right. When we say that an interactive machine flips a coin we mean that it reads the next bit in its own random tape. This tape is the only source of randomness for the machine. In addition an interactive machine has a read-only communication tape and a write-only communication tape. The head writing on the latter tape moves only from left to right, writes only on a blank cell and cannot move to the right without writing.

Two ITM's A and B form an interactive pair of Turing machines (A,B) by
1) letting A and B share the same input tape and
2) letting B's write-only communication tape be A's read-only communication tape and vice versa.

The interactive pair (A,B) is ordered and machine B starts the computation. The machines take turns in being active. When, say, A is active it can perform internal computation, read and write on the proper tapes and send a message to B by writing on the appropriate communication tape. The ith message of A is the entire string that A writes on the communication tape during its ith turn. The ith message of B is similarly defined. Either machine can, during its turn, terminate the computation of the pair. Consider a computation of (A,B) on input x. Let the computation consist of n turns and let a_i be A's ith message and b_i be B's ith message. Then the text of the computation is defined to be the sequence {b_1, a_1, ..., b_n, a_n}. (a_n is empty if it is B that halts the computation of (A,B) in its nth turn). The text of all possible computations of A and B on input x will be of relevance to our analysis and it will be denoted by (A,B)[x]. This set has the structure of a probability space in the natural way. The probability of each computation in (A,B)[x] is taken over the coin tosses of both machines.

2.2 Interactive proof-systems

Let L ⊆ {0,1}* be a language and (A,B) an interactive pair of Turing machines. We say that (A,B) is an interactive proof-system for L if A (the prover) has infinite power, B (the verifier) is polynomial time and they satisfy the following properties.
1) For any x ∈ L given as input to (A,B), B halts and accepts with probability at least 1 - 1/n^k for each k and sufficiently large n.
2) For any ITM A' and for any x not in L given as input to (A',B), B accepts with probability at most 1/n^k for each k and sufficiently large n.
Here n denotes the length of the input and the probabilities are taken only over B's own coin tosses.

Condition 1 essentially says that, if x ∈ L, there exist a way to easily prove this fact to B that succeeds with overwhelming probability. This way is A's algorithm. In other words, it is possible to prove a true theorem so that the proofs are easily verified (B is polynomial-time). Condition 2 says that, if x not in L, there exist no strategy, for convincing B of the contrary, that succeeds with non negligible probability. In other words, no one can prove a false theorem. In fact, B needs not to trust (or to know) the machine with which it is interacting. It is enough for B to trust the randomness of its own coin tosses. Notice that, as for NP, the emphasis is on the "yes-instances": if a string is in the language we want to show it, if it is not we do not care. Let us consider an example of an interactive proof-system.

Example 1: Let Z*_m denote the set of integers between 1 and m that are relatively prime with m. An element a ∈ Z*_m is a quadratic residue mod m if a = x^2 mod m for some x ∈ Z*_m, else it is a quadratic nonresidue. Now let L = {(m,x) | x ∈ Z*_m is a quadratic nonresidue}. Notice that L ∈ NP: a prover needs only to compute the factorization of m and send it to the verifier without any further interaction. But looking ahead to zero knowledge proof-systems, we will consider a more interesting interactive proof-system for L. The verifier B begins by choosing n = |m| random members of Z*_m, {r_1, r_2, ..., r_n}. For each i, 1 ≤ i ≤ n, he flips a coin, and if it comes up heads he forms t_i = r_i^2 mod m, and if it comes up tails he forms t_i = x·r_i^2 mod m. Then B sends t_1, t_2, ..., t_n to A. The prover, having unrestricted computing power, finds which of the t_i are quadratic residues, and uses this information to tell B the results of his last n coin tosses. If this information is correct, B accepts.

Why does this work? If (m,x) ∈ L, then A correctly predicts all last n coin tosses of B who will definitely accept. If (m,x) not in L, then the {t_i} are just random quadratic residues, and the prover will respond correctly in the last part of the computation with probability 1/2^n. In fact, for each of the last n coin tosses of B, A has probability exactly 1/2 of guessing it correctly.
A more complex interactive proof-system for L that releases essentially 0 additional knowledge can be found in section 4.2.

2.3 Interactive Complexity Classes

We define IP, Interactive Polynomial-time, to be the class of languages possessing an interactive proof-system. In this case we may also say that L is interactively provable. To emphasize that the prover has unlimited power, we may write IP_∞ for IP. To closer analyze the role of the prover, we define IP_T(n) to be the class of languages having an interactive proof-system whose prover runs in time T(n). To focus on the role of interaction, we let IP[f(n)] denote the class of languages having a proof-system that, on input a string x of length n, halts within f(n) turns. Here f is a non decreasing function from natural numbers to natural numbers.

Interactive proof-systems should be contrasted with the "Arthur-Merlin" games of Babai [B]. In those games Merlin plays the role of A and Arthur the role of B. The big difference is that Merlin sees all results of Arthur's coin tosses. This allows Babai to prove that arbitrary interaction is not necessary in his framework: it is sufficient to allow Arthur to talk to Merlin and have Merlin respond; at least as long they alternate a constant number of times. Actually Arthur's message to Merlin consists exactly of the sequence of its own coin tosses. (See figure 3).

Fig. 3: The Arthur-Merlin proof-system

If membership in a language L can be proved by an Arthur-Merlin game (L ∈ AM) then, for any random oracle O, L ∈ NP^O with probability 1. It is apparent that AM ⊆ IP (actually, AM ⊆ IP[1]) and we believe that the inclusion is a strict one. We also believe that our "interactive hierarchy" does not collapse, i.e. that IP[k] is strictly contained in IP[k+1]. In any case, interactive proof-systems are the right proof model to both analyze and reduce the knowledge complexity of a language. Next section is devoted to the discussion of this more subtle notion. Let us also mention Papadimitriou's [P] "games against nature". This is an elegant characterization of PSPACE, though not an efficient method of communicating a proof.

3. Knowledge Complexity

Communication is a tool for transferring or exchanging knowledge. Knowledge has received a lot of attention in a model-theoretic framework [FHV], [HM]. In this context, roughly speaking,
1) All participants are considered to have infinite computing power. (E.g. each participant "knows" all logical consequences of the information in his hands) and
2) The object they try to "know better" is not an available public input. (Rather some event occurs that is witnessed or noticed by some but not all participants. To give an elementary example, one participant flips a coin and tells the outcome to a few others who now "know" it. The remaining participants do not "know" what the outcome was and they have to decide between two possible worlds: one in which "heads" came up and one in which "tails" came up).

This scenario may not be realistic in many practical contexts. In physics, for example, scientists have bounded resources and the object they try to know better is a public input: nature. Our point of view is that
1) Knowledge is a notion relative to a specific model of computation with specified computing resources and
2) One studies and gains knowledge about available objects.

In this paper we measure the amount of knowledge that can be gained from a communication by a participant with polynomially bounded resources and investigate how much knowledge must be communicated for proving a theorem. (2) Our computational complexity measure of knowledge is, however, of wider applicability. For example, as sketched in section 6, it constitutes a powerful tool for developing a mathematical theory of cryptographic protocols. The following concept will be crucial to our analysis.

(2) Our definitions may be given with respect to any time bound, but we restrict our attention to polynomial-time both to simplify the matter a bit and because we believe that it constitutes the most important case.

3.1 Degrees of distinguishability for probability distributions

Let I be an infinite set of strings and c a positive constant. For each x ∈ I with length n, let Π_x be a probability distribution over the n^c-bit strings. Then we say that Π = {Π_x | x ∈ I} is a I-c-ensemble. By saying that Π is an ensemble or a I-ensemble we mean, respectively, that there exist I and c or simply c such that Π is a I-c-ensemble.

A distinguisher is a probabilistic polynomial-time algorithm D that on input a string s outputs a bit b. Let Π_1 = {Π_1,x | x ∈ I} and Π_2 = {Π_2,x | x ∈ I} be two I-c-ensembles. Let p^D_1,x denote the probability that D outputs 1 on input a |x|^c-bit long string randomly selected with probability distribution Π_1,x. Symmetrically, p^D_2,x denotes the probability that D outputs 1 on input a |x|^c-bit long string randomly selected with probability distribution Π_2,x. Let p: N → [0,1]. We say that the ensembles Π_1 and Π_2 are at most p-distinguishable if for all distinguishers D,
|p^D_1,x - p^D_2,x| < p(|x|) + 1/|x|^k for all k and sufficiently long x.

Of particular interest will be the notion of at most 0-distinguishability (or indistinguishability). In this case the two ensembles are "equal" with respect to any polynomial-time computation. In section 4.2 we will present an interesting example of indistinguishable ensembles. In this example, the Π_1,x and Π_2,x are indistinguishable in a stronger sense. In fact the probability that they assign to each |x|^c-bit string is identical except for a set of strings whose total probability does not exceed 1/2^(d|x|) for some constant d between 0 and 1. Such strong indistinguishability is a luxury not always available and, in any case, is not necessary to develop our theory.

Notice that our distinguishers are fed with a single |x|^c-bit string at a time. One may consider distinguishers that are fed with more strings of length |x|^c at the same time. In this case, if two ensembles are 0-distinguishable, they will remain undistinguishable (as long as "more" < poly(|x|)). If the two ensembles are at most p-distinguishable, they may remain at most p-distinguishable or the probability of "distinguishing" them may become much higher. (This plays a role for deciding whether a certain cryptographic protocol may be played securely more than once using the same secret key).

Related notions of indistinguishability have been previously considered in [GM] in the context of probabilistic encryption and then in [Y] and [GGM] in the context of pseudo-random number generation.

3.2 The knowledge computable from a communication

Which communications convey knowledge? Informally, those that transmit the output of an unfeasible computation, a computation that we cannot perform ourselves. For example, if A sends to B n random bits, this will be n bits of information. We would say this contains no knowledge, however, because B could generate random bits by himself. Similarly, the result of any probabilistic polynomial-time computation will not contain any knowledge. With this in mind we would like to derive an upper bound (expressed in bits) for the amount of knowledge that a polynomially bounded B can extract from a communication.

First a bit of notation. Notice that any probabilistic Turing machine M generates the ensemble M[·] = {M[x] | x ∈ I}, where M[x] denotes the set of possible outputs of M (on input x ∈ I) taken with the probability distribution induced by M's coin tosses. Similarly, we will denote by (A,B)[·] the ensemble associated to an interactive pair of Turing machines (A,B). We are now ready to introduce our definition.

Definition: Let (A,B) be an interactive pair of Turing machines and I the set of its inputs. Let B be polynomial-time and f: N → N be non decreasing. We say that A communicates at most f(n) bits of knowledge to B if there exists a probabilistic polynomial-time machine M such that the I-ensembles M[·] and (A,B)[·] are at most (1 - 1/2^f(n))-distinguishable. We say that A communicates at most f(n) bits of knowledge if for all polynomial-time ITM's B', A communicates at most f(n) bits of knowledge to B'.

Remark 1: Assume M, on input x, tries to select a string "as undistinguishable as possible" from a computation randomly selected in (A,B)[x]. Note that in this attempt no information is hidden from M: A's program, B's program and x are all inputs of M. M may have "built in" the description of A. This, however, is not of great help, as A's algorithm may be absolutely inefficient.

A non mathematical discussion: Let us try to illustrate the above definitions. Assume that a crime x has happened, B is a reporter and A a police officer. A understands the rights of the press but, for obvious reasons, also tries not to communicate too much knowledge. Should reporter B call the police officer A to know more about x? It depends. If he has probability essentially equal to 1 of generating at home, in front of his typewriter, the "same" conversations about this specific x that he might have with A, he should not bother to call. A will give him essentially 0 knowledge about x. If, instead, say, he may generate an honest conversation about x with probability 1/4 (i.e. what he generates is at most 3/4-distinguishable from the "real" conversations), then the officer may tell him something that he does not know. This knowledge however, will not exceed two bits and may not be of the "useful" kind! Still, it may pay off to call. If, finally, B has only chance 1 in 2^100 of generating the possible conversations about x with the police officer, then A is a real gossiper and B should rush to the telephone!

Assume now that B is so news-hungry that he is ready to become dishonest during the phone conversation, i.e. he is ready to transform himself to B'. Despite this, if the officer is so skillful to be one who communicates, say, at most 2 bits of knowledge, no matter how tricky questions B' asks and how much he cheats, he will not get out of him more than two bits about x. (Here we are implicitly assuming that a cheating reporter still remains a polynomial-time one!)

Example 2: Consider the ITM (A,B) of example 1. Restrict its inputs only to the strings in L. Then A communicates at most 0 bits of knowledge to B. In fact, there exists a probabilistic polynomial-time machine M such that (for those inputs) generates exactly the same ensemble that (A,B) does. Essentially, M can simulate B, as B is polynomial-time, and simulates A by looking at B's coin tosses as follows. When B sends t_i computed by squaring r_i, M will answer "quadratic residue". When B sends t_i computed by squaring r_i and then multiplying it by x, M answers "quadratic nonresidue".

Notice, however, that, if the problem of deciding quadratic residuosity is not in probabilistic polynomial-time, A does not communicate at most 0 bits of knowledge. In fact, some machine B', interacting with A, may decide to create the t_i's in a different way. For instance, such a B' may send the sequence of integers t_i = i and therefore receive an answer about their quadratic residuosity that it may not be able to compute by itself.

An interesting ITM A that communicates at most 0 bits of knowledge may be found in section 4.2.

3.3 The knowledge complexity of a language

How much knowledge should be communicated to provide a proof of a theorem T? Certainly enough to verify that T is true. Usually, much more. For example, to prove that a certain a ∈ Z*_m is a quadratic residue, it is sufficient to communicate an x such that a = x^2 mod m. This communication, however, contains more knowledge than just the fact that a is a quadratic residue. It communicates a square root of a. We intend to measure the additional knowledge that a prover gives to a verifier during a proof, and investigate whether this additional knowledge may be essentially 0.

Definition: Let L be a language possessing an interactive proof-system (A,B). Let f: N → N be non decreasing. We say that L has knowledge complexity f(n) if, when restricting the inputs of (A,B) to the strings in L, A communicates at most f(n) bits of knowledge. We denote this fact by L ∈ KC(f(n)).

An informal discussion. Let us recall that we are concentrating on the "yes-instances". When a string x is not in the language the prover "gives up" and we do not measure knowledge. When, instead, x ∈ L, what is the verifier's point of view at the end of an interactive proof? First, it is "convinced" (correctly with overwhelming probability) that x ∈ L. This was the goal of the proof-system in the first place. Second, it possesses the text of the entire computation with the prover on input x. This text has been used to verify that x ∈ L, but does not contain more than f(n) bits of additional knowledge. In fact, on input x ∈ L, we are guaranteed to be able to easily generate such texts with probability distribution at most (1 - 1/2^f(n))-distinguishable from the "real" texts, no matter with which machine B' A is interacting. The special case L ∈ KC(0) is of particular interest. In this case, by interacting with A and from the text of the computation, B can verify that x ∈ L, but, with respect to polynomial-time computation, the text is irrelevant for any other purpose, no matter with which B' A is interacting. In fact, on input a guaranteed x ∈ L, such texts can be easily selected with essentially the right probability distribution and without A.

We believe that knowledge complexity is one of the fundamental parameters of a language or, equivalently, of a theorem-proving procedure. Theorem-proving procedures are intended to communicate knowledge and it is very natural to classify them according to the amount of knowledge they communicate.

Note that knowledge complexity is also defined for NP proof-systems as they are a special type of interactive proof-system. However, their knowledge complexity tends to be very high.

A very important application of knowledge complexity is that it enables proving correctness of cryptographic protocols in a modular way (see section 6).

4. Languages in KC(0)

Every language in P or RP or BPP has trivially knowledge complexity 0. If L is not in probabilistic polynomial-time, no NP proof-system for L can release 0 additional knowledge. However, there may be a more interactive proof-system for L that does release 0 additional knowledge. A natural question arises. Do meaningful examples of languages in KC(0) exist or is KC(0) - BPP a fancy way to define the empty set? A similar question could be asked for, say, RP. Namely, is RP - P a fancy name for the empty set? The best sign of a possible negative answer to the latter question is constituted by the fact that primality testing is in RP [SS][R] and, while the problem of deterministically deciding primality has received a lot of attention for centuries, no polynomial-time algorithm is currently known. Similarly, it is of great interest to find candidates for languages in KC(0) but not in, say, BPP. This is the best one can do, given our current knowledge about proving lower-bounds.

We know of two interesting languages that have knowledge complexity 0. Both are algebraic. The first one is the following language BL proposed by Blum in [Bl] where he gives all the essential ingredients to prove BL ∈ KC(0). Let n be an integer with prime factorization n = p_1^e_1 ··· p_k^e_k. Then n ∈ BL if the number of different p_i's congruent to 3 mod 4 is even. The other language that is known to belong to KC(0) is the well known quadratic non-residuosity language. We give a proof of this fact in this section.

For y ∈ Z*_m we define

Q_m(y) = 0 if y is a quadratic residue mod m
Q_m(y) = 1 otherwise

Then L = {(y,m) | Q_m(y) = 1} is the quadratic non-residuosity language.

Our proof that L ∈ KC(0) does not depend on any unproved computational complexity assumptions.
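The protocol of Example 1 (section 2.2) together with the simulator M and the cheating verifier B' of Example 2 (section 3.2), as an added Python example that is not part of the paper. The modulus m = p·q, the use of m's factorization in place of an unrestricted prover, and the random seeds are constructed for illustration.

```python
import math
import random

# Constructed example modulus: m = p*q with p = 2^16 + 1 and q = 2^16 - 15, both prime.
# n = |m| = 32, so B asks A about 32 numbers and a cheating prover succeeds with probability 2^-32.
P, Q = 65537, 65521
M = P * Q


def q_m(a, p, q):
    """Q_m(a) for m = p*q computed from the factorization, which stands in here for the
    prover's unrestricted power: 0 if a is a quadratic residue mod m, 1 otherwise.
    (a is a square mod pq iff it is a square mod p and mod q; Euler's criterion.)"""
    residue = pow(a, (p - 1) // 2, p) == 1 and pow(a, (q - 1) // 2, q) == 1
    return 0 if residue else 1


def random_unit(m, rng):
    """Random element of Z*_m, the integers in [1, m) coprime to m."""
    while True:
        r = rng.randrange(1, m)
        if math.gcd(r, m) == 1:
            return r


def verifier_quiz(m, x, rng):
    """B's message in Example 1: for i = 1..n toss a coin c_i; heads (0) gives
    t_i = r_i^2 mod m, tails (1) gives t_i = x * r_i^2 mod m."""
    coins, quiz = [], []
    for _ in range(m.bit_length()):
        r, c = random_unit(m, rng), rng.randrange(2)
        coins.append(c)
        quiz.append(r * r % m if c == 0 else x * r * r % m)
    return coins, quiz


def prover_answers(p, q, quiz):
    """A's reply: Q_m(t_i) for every t_i, i.e. its reconstruction of B's coin tosses
    (correct whenever x is a non-residue, since then x * r^2 is a non-residue too)."""
    return [q_m(t, p, q) for t in quiz]


def interactive_proof(m, p, q, x, seed):
    """One run of Example 1 on input (m, x): B accepts iff A names all n coin tosses."""
    coins, quiz = verifier_quiz(m, x, random.Random(seed))
    return prover_answers(p, q, quiz) == coins


def real_text(m, p, q, x, seed):
    """Text (b_1, a_1) of the honest pair (A, B) on input (m, x)."""
    coins, quiz = verifier_quiz(m, x, random.Random(seed))
    return quiz, prover_answers(p, q, quiz)


def simulator_text(m, x, seed):
    """Example 2's machine M: it runs B itself and answers for A by reading B's coin
    tosses ('residue' when t_i was only squared, 'nonresidue' when it was also
    multiplied by x).  No factorization is used, yet the text has the same distribution."""
    coins, quiz = verifier_quiz(m, x, random.Random(seed))
    return quiz, coins


def cheating_verifier_leak(p, q, count):
    """The B' of Example 2 that sends t_i = i instead of numbers it built itself, and so
    learns Q_m(i) for values whose residuosity it could not decide on its own."""
    quiz = [i for i in range(2, 2 + count) if math.gcd(i, p * q) == 1]
    return dict(zip(quiz, prover_answers(p, q, quiz)))
```

With x a non-residue, `real_text` and `simulator_text` driven by the same coin tosses produce identical texts, which is the whole content of Example 2; the leak dictionary shows why the honest-verifier argument says nothing about a B' that chooses its own t_i.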
We first review what is known about the complexity of deciding membership in this language.

4.1 The Quadratic Residuosity Problem

The quadratic residuosity problem with parameters m ∈ N and x ∈ Z*_m consists of computing Q_m(x). If the factorization of m is known, it is trivial to compute Q_m. If the factorization of m is unknown, then there is no known efficient procedure for computing Q_m. This decision problem is one of the four main problems discussed by Gauss in "Disquisitiones Arithmeticae" (1801) (along with primality testing, integer factorization and solvability of Diophantine equations). A polynomial time solution for it would imply a probabilistic polynomial time solution for other open problems in Number Theory such as deciding whether a composite integer m is a product of 2 or 3 primes.

The Jacobi symbol (x/m) for m ∈ N and x ∈ Z*_m is a polynomial time computable function that evaluates to 1 and -1 and provides some information about Q_m(x). Namely, if (x/m) = -1 then Q_m(x) = 1. However, when (x/m) = 1 then computing Q_m(x) is a hard problem. In fact, it is not even known how to efficiently produce a single "guaranteed" quadratic non-residue mod m with Jacobi symbol 1.

4.2 A "0" Knowledge Interactive Proof System for L

In the proof system (A,B) that we exhibit for (y,m) ∈ L the prover A is only required to be a probabilistic polynomial time Turing machine with the additional power of being able to evaluate Q_m. (Of course, it remains true that no infinitely powerful A' can convince B that y is a quadratic non-residue mod m if that is not the case).

For simplicity, we only consider proving that (y,m) ∈ L when the Jacobi symbol (y/m) = 1. The case where (y/m) = -1 is uninteresting. We specify A and B by giving their explicit program at each step of the interaction.

The basic idea is that B generates numbers of two types: x = r^2 mod m (type 1) and x = y·r^2 mod m (type 2) where r is randomly chosen, and quizzes A about them. If indeed (y,m) is in L, then A can tell the types of these numbers. If (y,m) is not in L, they look all the same to A and it will fail the quizzes with very high probability. The danger with this basic idea arises when indeed (y,m) is in L as A, when answering the quizzes, may release some knowledge other than (y,m) ∈ L (e.g. the quadratic residuosity of specific other x ∈ Z*_m chosen by a cheating B'). We overcome this danger by having A make sure that the machine with which it is interacting "knows" what are the types of the numbers it quizzes A about.

A and B's Interactive Program

Input: (y,m) ∈ L such that (y/m) = 1 and n = log_2 m.
Initialize iteration = 0.

Step 1:
B first chooses a random r_0 from Z*_m, and then tosses a coin C_1. If C_1 = 0, then B sets x = r_0^2 mod m, else if C_1 = 1, B sets x = y·r_0^2 mod m. B sends x to A.
Then, B chooses two random sets, each of size n,
T = { t_1, t_2, ..., t_n | t_i = r_i^2 mod m }
and
S = { t_(n+1), t_(n+2), ..., t_(2n) | t_i = y·r_i^2 mod m }
B sends to A the elements in T ∪ S in random order.

Step 2:
A picks a random subset Z ⊆ T ∪ S of size n and sends it back to B.

Step 3:
For each z ∈ Z, B sends to A r such that z = r^2 mod m or z = y·r^2 mod m.
Suppose that the sizes of T - Z and S - Z differ by d. Then B chooses d random elements from the larger set, t_(i_1), ..., t_(i_d), and sends their respective r_(i_1), ..., r_(i_d) to A (i.e. t_(i_j) = r_(i_j)^2 or t_(i_j) = y·r_(i_j)^2 mod m for some 1 ≤ i_j ≤ 2n).
B sets X = T - Z - {t_(i_1), ..., t_(i_d)} and Y = S - Z - {t_(i_1), ..., t_(i_d)}.
If x = r_0^2 mod m, B lets:
X' = { r_0·r_i = √(x·t_i) mod m | t_i ∈ X }
Y' = { y·r_0·r_i = √(y·x·t_i) mod m | t_i ∈ Y }.
else if x = y·r_0^2 mod m, B lets:
X' = { y·r_0·r_i = √(y·x·t_i) mod m | t_i ∈ X }
Y' = { y·r_0·r_i = √(x·t_i) mod m | t_i ∈ Y }.
B then sends the elements in X' ∪ Y' to A in random order.

Step 4:
A checks that X' ∪ Y' is of the form specified in step 3 (i.e. for all w ∈ X' ∪ Y', w^2 = t_i·x mod m or w^2 = t_i·x·y mod m for some t_i ∈ X ∪ Y) and that |X' ∪ Y'| > n/2. If this is not the case, A halts detecting cheating. Otherwise, A sends B the value v = Q_m(x).

Step 5:
If v ≠ C_1 then B halts detecting cheating, otherwise iteration = iteration + 1 (this is the end of an iteration).
If iteration ≥ n, then B accepts (y,m) ∈ L, otherwise B goes back to step 1.

Let us first prove that (A,B) constitutes an interactive proof-system for L.

Remark 2: Note that if A, B both operate according to specification, then each iteration of the program will be completed with probability > 1 - 1/2^(cn) for 0 < c ≤ 1.

The following claims 1 & 2 hold for each completed iteration.

Claim 1: If (y,m) is not in L, then A (or any other A') correctly guessed C_1 (i.e. sends v = C_1) with probability exactly 1/2.

Proof: The proof follows from the fact that C_1 = 0 with probability exactly 1/2 and that even with infinite computation power A' can't distinguish between a computation with B in which C_1 = 0 from one in which C_1 = 1. The latter can be seen as follows.

Suppose C_1 = 0. Then, in step 3, for all t_i ∈ X, A receives r_0·r_i = √(x·t_i) = √(t_i·x) mod m. Note that z_i = t_i·x mod m is a random square (as t_i is) and r_0·r_i is a random square root of z_i mod m. For all t_i ∈ Y, A receives y·r_0·r_i = √(y·x·t_i) mod m. Note that z_i = y·t_i·x = y^2·r_i^2·x mod m is a random square (as r_i^2 is) and y·r_0·r_i is a random square root of z_i mod m.

Suppose C_1 = 1. Then, in step 3, for all t_i ∈ X, A receives y·r_0·r_i = √(y·t_i·x) = √(y^2·r_0^2·r_i^2) mod m. Note that z_i = y·t_i·x mod m is a random square (as both y and t_i are now squares and r_i is a random square) and y·r_0·r_i is a random square root of z_i mod m. For all t_i ∈ Y, A receives y·r_0·r_i = √(z_i) mod m. Note that z_i = t_i·x = y^2·r_0^2·r_i^2 mod m is a random square (as r_i^2 is) and y·r_0·r_i is a random square root of z_i mod m.

Thus, for both C_1 = 0 and C_1 = 1, A will still receive random square roots of random squares. Therefore A can't have any advantage in predicting C_1.

Claim 2: If (y,m) is in L, then A correctly computed C_1 in step 4.

Theorem 1: (A,B) is an interactive proof-system for L.

Proof: For every (y,m) ∈ L given as input to (A,B), B halts and accepts with probability greater than (1 - 1/2^(cn)) for all constants 0 < c ≤ 1 and sufficiently large n. This follows by claim 2. For any machine A' and for any (y,m) not in L, given as input to (A',B), B accepts with probability at most 1/2^n by claim 1 and remark 3.

We now proceed to show that L has knowledge complexity 0.
293
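As an added example (not code from the paper), the number theory that steps 4 and 5 and Claims 1 and 2 rest on, checked exhaustively on a constructed toy modulus m = 7 * 11: A's computation of $Q_m(x)$ from the factorization, B's choice of x from $C_i$, and the fact that for a square y the two possible distributions of x coincide while for a non-residue y they are disjoint. The primes, the sample y values (6 and 15) and all function names are assumptions of this example.

```python
# Added example, not code from the paper: the number theory behind steps 4-5 and
# Claims 1-2 above, on a constructed toy modulus.  m = p*q; the prover A knows
# (p, q), the verifier B only knows m.  All sample values are constructed.
from math import gcd
import random

def legendre(a, p):
    """Euler's criterion: 1 if a is a nonzero square mod the odd prime p,
    -1 if it is a non-residue, 0 if p divides a."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def Q_m(x, p, q):
    """What A computes in step 4 from the factorization: Q_m(x) = 0 if x is a
    square mod m = pq (i.e. a square mod both primes), 1 otherwise."""
    return 0 if legendre(x, p) == 1 and legendre(x, q) == 1 else 1

def verifier_challenge(y, m, rng):
    """B's choice of x in an iteration: flip C_i, pick r_0 coprime to m, and send
    x = r_0^2 mod m when C_i = 0 or x = y*r_0^2 mod m when C_i = 1.
    Returns (C_i, r_0, x)."""
    c = rng.randrange(2)
    while True:
        r0 = rng.randrange(1, m)
        if gcd(r0, m) == 1:
            break
    x = (r0 * r0) % m if c == 0 else (y * r0 * r0) % m
    return c, r0, x

def honest_prover_always_right(y, p, q, trials, seed=1):
    """Claim 2: when y is a non-residue mod m, A's answer v = Q_m(x) equals
    C_i in every iteration."""
    m, rng = p * q, random.Random(seed)
    for _ in range(trials):
        c, _, x = verifier_challenge(y, m, rng)
        if Q_m(x, p, q) != c:
            return False
    return True

def challenge_distributions(y, m):
    """Claim 1, seen at the level of x: the set of values B can send when
    C_i = 0 and when C_i = 1, over every r_0 coprime to m.  If y is a square the
    two sets coincide, so x (and every square root derived from it in step 3)
    carries no information about C_i, whatever A's computing power; if y is a
    non-residue they are disjoint and Q_m(x) determines C_i."""
    units = [r for r in range(1, m) if gcd(r, m) == 1]
    squares = {(r * r) % m for r in units}
    y_times_squares = {(y * r * r) % m for r in units}
    return squares, y_times_squares

if __name__ == "__main__":
    p, q = 7, 11                       # constructed toy primes, m = 77
    for y in (15, 6):                  # 15 is a square mod 77, 6 is not (Jacobi symbol +1)
        s0, s1 = challenge_distributions(y, p * q)
        print(f"y={y}: Q_m(y)={Q_m(y, p, q)}, same x-distribution for C_i=0/1: {s0 == s1}")
    print("honest A correct on every iteration:", honest_prover_always_right(6, p, q, 300))
```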
Theorem 2: L has knowledge complexity 0.

Proof: To show that (A,B) constitutes a 0 knowledge proof-system for L, we must show that for each polynomial-time ITM B', there exists a probabilistic polynomial-time Turing Machine M such that the two ensembles M[·] and (A,B')[·] are indistinguishable. The basic idea is that M can easily simulate B', as B' runs in polynomial time. On the other hand, M will succeed in simulating A by running B' twice with the same coin tosses.

A more precise description of M is the following. On input $(y,m) \in L$, M randomly fills the random tape of B' with a sufficiently long string R, and makes B' perform "its own version" of step 1. (B' may in fact execute a different algorithm than B during step 1.) Simulating A in step 2 is easy for M, as all A does here is pick a random subset. Next, M makes B' perform its own version of step 3. Now, M must simulate A in step 4. Notice that it is easy to check whether A will halt in step 4. Therefore it will be easy for M to simulate A in a computation with B' in which A halts in step 4. Difficulties arise if A won't halt but continue. This implies that M must compute $Q_m(x)$ correctly, as A does. This is easy to do for A, who has enough power to decide the quadratic residuosity of x. Notice that this would also be easy for M if B' either generated x by squaring mod m an $r_0$ that M may observe (in which case M knows that $Q_m(x) = 0$), or generated x by squaring mod m an $r_0$ and multiplying by y (in which case M knows that $Q_m(x) = 1$). However, life may not be so easy. B' might have generated x in some other way (e.g. at random) which would make it hard for M to compute $Q_m(x)$. We overcome this difficulty as follows.

By $c_1, c_2, c_3, \ldots$ we denote fixed, positive constants depending on A and B'. Without loss of generality, we may assume that on input (y,m), A will halt in step 4 with probability less than $1 - 1/2^{c_1 n}$. (Otherwise, by simulating A and B' for steps 1, 2 and 3 as above, and having A halt in step 4, we trivially generate computations which are indistinguishable from (A,B')[(y,m)].)

At the end of step 3, M saves all messages sent so far by B' and the "virtual" A. M now runs B' again with the same input (y,m) and the same content R in the random tape of B'. For this second computation, M simulates A anew, by flipping new coins. Four things will happen in this second computation.

1) B' sends in step 1 the same sets S and T as in its first computation.

2) In step 2, A will select a random subset $\tilde Z \subseteq T \cup S$. With probability greater than $1 - 1/2^{c_2 n}$, $\tilde Z \ne Z$ (where Z denotes the set chosen in the first computation).

3) In step 3, B' sends the sets $\tilde X'$ and $\tilde Y'$. (The respective sets in the first computation were X' and Y'.) With probability $> 1 - 1/2^{c_3 n}$, $\tilde X'$ and $\tilde Y'$ are of the right form (i.e. could not cause the legal A to halt).

4) With probability $> 1 - 1/2^{c_4 n}$, $\tilde X' \ne X'$ and $\tilde Y' \ne Y'$.

M now selects an element $t_i \in (T - X) \cap \tilde X$. As $t_i \in T - X$, in the first computation B' sent its corresponding $r_i$. As $t_i \in \tilde X$, in the second computation B' sends $\sqrt{x t_i} \bmod m$ or $\sqrt{x t_i y} \bmod m$. Now, in whatever case, it is just a matter of algebra for M to easily compute $r_0$ such that $r_0^2 = x \bmod m$ or $r_0^2 \cdot y = x \bmod m$. If $(y,m) \in L$, exactly one of these cases may occur. Therefore M, having computed $r_0$, can simulate A by sending $v = Q_m(x)$. QED

5. A parenthetical section.

Remark 3: A stronger way of saying that A communicates at most f(n) bits of knowledge with respect to polynomial-time computation is the following.

For all ITM B' there exists a polynomial-time ITM M that, by interacting with B' (but also reading the random tape of B'!), produces an ensemble at most $(1 - 1/2^{f(n)})$-distinguishable from (A,B')[·].
This notion is stronger as it allows B' not to be bound to polynomial-time computation, while A needs not to know what the computing power of B' is. Full details will be given in the final paper. Interestingly, the interactive proof-system for quadratic non-residuosity of section 4.2 releases 0 additional knowledge even with respect to this stronger definition.

An informal definition: One advantage of the point of view of Remark 3 is that it allows one to express in a clean way notions like "the polynomial-time machine B knew x at some point of its computation". Let us consider a particular example. Assume that machine B started computing on input k and outputs a k-bit integer m. B may have randomly selected two primes $p_1$ and $p_2$, multiplied them together to produce m, then "erased" $p_1$ and $p_2$ and output m. What could one mean by saying that B knew the factorization of m? A natural choice is that B is able to compute it. In a narrow sense, this may mean that, in performing the next instruction, B will output m's factorization, or that it was written, say, at the beginning of B's work-tape at some point in time. In a broader sense it may mean that if a probabilistic polynomial-time machine M "monitors" the sequence of instantaneous descriptions of B's computation, then M outputs m's factorization with very high probability in poly(k) time. This, however, may not be general enough. In fact, "extracting" m's factorization may not be easy for M, and still B had enough "potential" to efficiently compute it (though B's program may never explicitly do so). We believe that the following (informal) definition achieves the right level of generality. Let M be a probabilistic polynomial-time machine that monitors B's computation from the start till it outputs m. In particular, M reads all the inputs (random and not) of B and all its outputs. Informally, we say that B knew m's factorization if M can now use B to compute m's factorization. This use of B may be very general. For example, M may run B more than once after altering the content of its tapes. An example of this is implicit in section 4.2. Full details will be given in the final paper.

6. Applications to Cryptographic Protocols

Given our current state of knowledge about lower bounds, the security of a cryptographic protocol must be proved based on the intractability assumption of some candidate hard problem. Thus one must accept that further analysis may reveal some candidate hard problems to be efficiently solvable. What is not acceptable is that a protocol may be broken without violating the relative intractability assumption.

In traditional computational complexity or communication complexity, the goal is to communicate as much knowledge as possible as efficiently as possible. Since all participants are considered good friends, no one cares if more knowledge than necessary is communicated. The situation with respect to cryptographic protocols is very different. In this case there is generally no problem at all communicating the knowledge efficiently, but the whole problem is making sure not too much knowledge has been communicated.

Model theoretic knowledge has been used to analyze protocols. For example, in [HR] it has been used to prove Rabin's "Oblivious Transfer" correct in some setting. However, as pointed out in [FMR], Rabin's oblivious transfer still lacks a proof of correctness in a complexity theoretic framework.

We believe that knowledge complexity provides the right framework to discuss the correctness of cryptographic protocols. Applying these ideas, [FMR] modified Rabin's oblivious transfer so that it can be proved correct. A sketch of this can be found in section 6.1.

Knowledge complexity helps in proving or disproving the correctness of cryptographic protocols, as these are based on the secrecy of some private information and should preserve this secrecy. The privacy of some information is what gives us an advantage over our adversaries. Let A(lice) possess the prime factorization of an integer n (say $n = p_1 \cdot p_2$), while B(ob) only knows n. During a protocol with B, A must protect the privacy of her information. Assume that A can perform each step of the protocol without having even to look at the value of $p_1$ and $p_2$. Then it is easy to show that the protocol did not
compromise the privacy of n's factorization. It is also easy to see, however, that the protocol could not have accomplished any interesting task. In fact, A has not made use of her "advantage"! The protocol may accomplish a non-trivial task if, in at least one step of it, A performs a computation c that depends on $p_1$ and $p_2$. This raises the question:

Will $c(p_1, p_2)$ betray too much information about $p_1$ and $p_2$?

Classical information theory does not provide an answer to this question. Knowledge complexity can. In particular,

1) We can quantify the amount of knowledge about $p_1$ and $p_2$ that c conveys, and
2) We can design protocols so as to minimize this amount of knowledge.

If (A,B) is a 0 knowledge interactive proof-system for L, we already saw that, on input $x \in L$, A gives B at most one bit of knowledge, namely $x \in L$. (That is 0 additional knowledge.) More generally, however, we define an upper bound, measured in bits, on the amount of knowledge A gives to B in a particular protocol (to appear in the final paper).

We use this to give an upper bound on the number of times a single protocol or a combination of protocols can be played, using a common secret key, without giving away too much information about the secret key. In addition, trying to measure the amount of knowledge about the secret revealed during the execution of a protocol may pinpoint weaknesses in the design of the protocol. For example, the amount of knowledge revealed in a protocol of [BD] appeared to be unreasonably large. Further analysis by [H] showed that this protocol could be broken if the encryption function used in the protocol is RSA with low exponents or Rabin's function.

A most important application of these ideas is that it allows us to prove correctness of protocols in a modular way. Complex protocols are usually composed of sub-protocols. For instance, many protocols use a sub-protocol for "coin tossing over a telephone" (Blum [Bl1]). However, it is not clear how to use a "normal" definition of correctness of "coin tossing" to prove the correctness of the main protocol. In general, it appears that much stronger definitions for these sub-protocols are needed in order to fit them modularly and cleanly inside larger protocols. Full details will be given in the final paper.

6.1 A Modification of the Oblivious Transfer That Is Provably Equivalent to Factoring

This section is joint work of [FMR]. The notion of an Oblivious Transfer (OT) has been introduced by Rabin [HR], who also proposed the first protocol implementing it. OT appears useful as a design tool. See for example Blum [Bl2] and Even, Goldreich and Lempel [EGL]. Rabin introduced OT (to be described below) in a number theoretic setting. More generally, the OT can be viewed as a protocol for transferring a large amount of knowledge with probability 1/2 [EGL]. Berger, Peralta and Tedrick [BPT] present a correct protocol for "obliviously transferring" a random number. Different from OT, this protocol transfers no knowledge.

The notion of an OT involves two parties A and B and an integer n (product of two large distinct primes) whose factorization is only known to A. A would like to send the factorization of n to B with the following constraints:

1) B must have a 50% chance of receiving the factorization of n, and the other half of the time B should not know any information at all about the factors of n.
2) A should not have any idea whether or not B received the factorization of n.

Rabin's protocol relies on the computational difficulty of factoring. However, as described below, there is a potential flaw in his protocol: it is possible that B can cheat and factor n with probability much higher than 1/2 even if the intractability assumption of factoring holds. Although we cannot prove that B can really cheat, no one has yet been able to prove that B cannot. Before proceeding any further, let us describe Rabin's proposed protocol. We assume that A and B both know n and that A knows its factorization.
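Before the step-by-step listing, Rabin's protocol as an added worked example (not code from the paper or from [FMR]), run on constructed toy primes, together with the gcd(n, x + z) observation that the analysis of step 3 relies on. The primes (1019, 1031), the random seed and all function names are assumptions of this example; A's square-root computation uses the p = 3 (mod 4) shortcut, which the toy primes satisfy.

```python
# Added example, not code from the paper or from [FMR]: Rabin's oblivious
# transfer on constructed toy primes, plus the gcd observation that lets B
# factor n exactly when A returns a root other than +-x.
import math
import random

def sqrt_mod_prime(a, p):
    """A square root of a mod a prime p = 3 (mod 4): a^((p+1)/4). Raises if none exists."""
    r = pow(a, (p + 1) // 4, p)
    if (r * r) % p != a % p:
        raise ValueError("not a quadratic residue mod p")
    return r

def crt(rp, rq, p, q):
    """Combine residues mod p and mod q into the residue mod n = pq."""
    n = p * q
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n

def all_square_roots(y, p, q):
    """Step 2, party A's side: the four square roots {x, -x, w, -w} of y mod n = pq.
    Only A can compute this, because it needs p and q."""
    rp, rq = sqrt_mod_prime(y, p), sqrt_mod_prime(y, q)
    return sorted({crt(s * rp, t * rq, p, q) for s in (1, -1) for t in (1, -1)})

def is_root(n, y, z):
    """Step 3, party B's check that z^2 = y mod n (otherwise A is cheating)."""
    return (z * z) % n == y % n

def receiver_factor_attempt(n, x, z):
    """Step 3, party B's side.  If z = +-x then gcd(n, x+z) is n or 1 and B learns
    nothing; if z = +-w then x+z is 0 mod exactly one prime and gcd(n, x+z) is that
    prime.  Returns the sorted factor pair, or None."""
    if not is_root(n, (x * x) % n, z):
        raise ValueError("cheating detected: z is not a square root of y")
    g = math.gcd(n, x + z)
    return tuple(sorted((g, n // g))) if 1 < g < n else None

def rabin_ot(p, q, rng):
    """One run of the protocol.  Returns the factorization if B obtained it, else None."""
    n = p * q
    # Step 1: B picks random x coprime with n and sends y = x^2 mod n.
    while True:
        x = rng.randrange(2, n)
        if math.gcd(x, n) == 1:
            break
    y = (x * x) % n
    # Step 2: A sends back a random square root z of y.
    z = rng.choice(all_square_roots(y, p, q))
    # Step 3: B checks z and tries gcd(n, x + z).
    return receiver_factor_attempt(n, x, z)

def success_rate(p, q, trials, seed=0):
    """Fraction of runs in which B learns the factors; should be close to 1/2."""
    rng = random.Random(seed)
    return sum(rabin_ot(p, q, rng) is not None for _ in range(trials)) / trials

if __name__ == "__main__":
    print("B factors n in about half the runs:", success_rate(1019, 1031, 600, seed=7))
```

The code models only a B that follows step 1; the cheating B discussed in the text, who sends a y he did not obtain by squaring, is exactly what the modified protocol's proof of knowledge of a root addresses.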
Step 1: B chooses a random x, $1 < x \le n$, relatively prime with n. Then B computes $y = x^2 \bmod n$ and sends y to A.

Step 2: A computes a random square root (mod n) z of y and sends z to B. (If no square root exists, A does nothing.)

Step 3: B checks that $z^2 = y \bmod n$. (If not, B halts detecting cheating.) Let us assume that $z^2 = y \bmod n$. It is well known that y has four square roots mod n that can be written as $\{x, -x, w, -w\}$, where B knows x. With probability 50% z will be x or $-x$ and B receives no knowledge. With probability 50%, however, z will be w or $-w$, in which case $\gcd(n, x + z)$ will be a factor of n, allowing B to compute the factorization of n.

Party A cannot cheat by sending back some cleverly chosen square root z of y: no matter what A does, $z \in \{x, -x\}$ with probability 50% and $z \in \{w, -w\}$ with probability again 50%, and A cannot know which is the case.

Is it clear, however, that B cannot cheat? We wish it to be the case that at the end of the protocol B cannot factor with probability (much) bigger than 1/2, even if B cheats, and we wish to prove this assuming only that factoring is hard. What happens if B does not square any x at all, but instead picks a particular cleverly chosen square y mod n to send? Perhaps knowing any square root mod n of y will allow B to factor n. That is, perhaps there is a polynomial time algorithm that given n produces a "special" square y mod n, and another polynomial time algorithm that given y, n and any square root of y mod n factors n. The point is not that we have such algorithms, but that no one has proved that the existence of such algorithms contradicts the assumption that factoring is hard. Hence, the proof that Rabin's protocol is correct relies not only on the assumption that factoring is hard, but on an additional complicated and unnatural assumption, essentially that the above algorithms do not exist.

We have been able to prove that a modified version of Rabin's OT is correct, i.e. the probability (taken over the possible choices of n and all possible random choices of B) that B can factor n in k steps at the end of the protocol equals 1/2 + the probability that B can factor n in k steps before the protocol starts. The heart of the modified protocol is that, in addition to y, B gives A a minimum knowledge interactive proof that he possesses a square root of y, following the ideas in section 4.2. In particular, such an interactive proof will not reveal any information about which square root B knows. Now that we have made sure that B knows one square root of y, when A gives him one of them at random, it is easy to prove that B's probability of factoring n at the end of the protocol equals 1/2 + the probability that he had of factoring n before the start of the protocol.

7. Open Problems

Many open problems arise. We only list a few of them.

1. Is NP strictly contained in IP?
2. Is KC(0) contained in NP?
3. Is KC(0) contained in IP[1]?
4. Is IP[k] strictly contained in IP[k+1]?
5. Are there NP Complete languages in KC(O(n))?
6. For what time-bound T(n), if any, I&a, $\subset IP_{T(n)}$?

Acknowledgements

Mike Sipser greatly helped in focusing on this problem.

We highly benefited from the encouragement and the ideas of Dana Angluin, Manuel Blum, Steve Cook, Mike Fischer, Oded Goldreich, Ravi Kannan, Dick Karp, David Lichtenstein, Albert Meyer, Gary Miller, Ron Rivest and Paul Weiss.

To all our most sincere thanks.

References

[B] L. Babai, Trading Group Theory for Randomness.
[Bl1] M. Blum, Coin flipping by telephone, IEEE COMPCON 1982.
[Bl2] M. Blum, Three applications of the oblivious transfer, Unpublished manuscript, 1981.
[BPT] Berger, Peralta, Tedrick, On Using the Oblivious Transfer, Presented in Eurocrypt 1983. These Proceedings.
[C] S. Cook, The Complexity of Theorem-Proving Procedures, Proc. of 3rd STOC, 1971.
[DB] D. Dolev, A. Broder, Flipping Coins in Many Pockets, Proc. of 25th FOCS, 1984.
[EGL] Even, Goldreich, Lempel, A randomized protocol for Signing Contracts, Advances in Cryptology: proceedings of Crypto 1982, Plenum Press, 1983, 205-210.
[FHV] R. Fagin, J. Halpern, M. Vardi, A model-theoretic analysis of knowledge, Proc. of 25th FOCS, 1984.
[FMR] M. Fischer, S. Micali and C. Rackoff, A Secure Protocol for the Oblivious Transfer, Eurocrypt 1984.
[HM] J. Halpern, Y. Moses, Knowledge and Common Knowledge in a Distributed Environment, Proc. of 3rd PODC, 1984.
[H] J. Hastad, On Solving A System of Simultaneous Modular Polynomial Equations of Low Degree, In preparation.
[HR] J. Halpern and M.O. Rabin, A Logic to reason about likelihood, Proc. of 15th STOC, 1983.
[HS] J. Hastad, A. Shamir, On the Security of Linearly Truncated Sequences, this proceedings.
[GM] S. Goldwasser and S. Micali, Probabilistic Encryption, JCSS Vol. 28, No. 2, April 1984.
[GM] S. Goldwasser and S. Micali, Proofs with Untrusted Oracles, Unpublished Manuscript, 1983.
[GGM] O. Goldreich, S. Goldwasser, and S. Micali, How to Construct Random Functions, 25th FOCS, 1984.
[L] L.A. Levin, Universal Sequential Search Problems, Probl. Inform. Transm. 9/3 (1973), pp. 265-266.
[P] C. Papadimitriou, Games against nature, Proc. 24th ann. Symp. on Foundations of Computer Science, 1983, pp. 446-450.
[PS] Papadimitriou and Sipser, Communication Complexity, 14th STOC, 1982.
[Y1] A.C. Yao, Some Complexity Questions Related to Distributive Computing, Proc. of 11th STOC, 1979.
[Y2] A.C. Yao, Theory and Applications of Trapdoor Functions, Proc. of 23rd FOCS, 1982.
