Two prover perfect zero knowledge for MIP*

arXiv - CS - Computational Complexity Pub Date : 2024-04-01 DOI:arxiv-2404.00926

Kieran Mastel, William Slofstra

{"title":"Two prover perfect zero knowledge for MIP*","authors":"Kieran Mastel, William Slofstra","doi":"arxiv-2404.00926","DOIUrl":null,"url":null,"abstract":"The recent MIP*=RE theorem of Ji, Natarajan, Vidick, Wright, and Yuen shows\nthat the complexity class MIP* of multiprover proof systems with entangled\nprovers contains all recursively enumerable languages. Prior work of Grilo,\nSlofstra, and Yuen [FOCS '19] further shows (via a technique called simulatable\ncodes) that every language in MIP* has a perfect zero knowledge (PZK) MIP*\nprotocol. The MIP*=RE theorem uses two-prover one-round proof systems, and\nhence such systems are complete for MIP*. However, the construction in Grilo,\nSlofstra, and Yuen uses six provers, and there is no obvious way to get perfect\nzero knowledge with two provers via simulatable codes. This leads to a natural\nquestion: are there two-prover PZK-MIP* protocols for all of MIP*? In this paper, we show that every language in MIP* has a two-prover one-round\nPZK-MIP* protocol, answering the question in the affirmative. For the proof, we\nuse a new method based on a key consequence of the MIP*=RE theorem, which is\nthat every MIP* protocol can be turned into a family of boolean constraint\nsystem (BCS) nonlocal games. This makes it possible to work with MIP* protocols\nas boolean constraint systems, and in particular allows us to use a variant of\na construction due to Dwork, Feige, Kilian, Naor, and Safra [Crypto '92] which\ngives a classical MIP protocol for 3SAT with perfect zero knowledge. To show\nquantum soundness of this classical construction, we develop a toolkit for\nanalyzing quantum soundness of reductions between BCS games, which we expect to\nbe useful more broadly. This toolkit also applies to commuting operator\nstrategies, and our argument shows that every language with a commuting\noperator BCS protocol has a two prover PZK commuting operator protocol.","PeriodicalId":501024,"journal":{"name":"arXiv - CS - Computational Complexity","volume":"289 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Computational Complexity","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2404.00926","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

The recent MIP*=RE theorem of Ji, Natarajan, Vidick, Wright, and Yuen shows that the complexity class MIP* of multiprover proof systems with entangled provers contains all recursively enumerable languages. Prior work of Grilo, Slofstra, and Yuen [FOCS '19] further shows (via a technique called simulatable codes) that every language in MIP* has a perfect zero knowledge (PZK) MIP* protocol. The MIP*=RE theorem uses two-prover one-round proof systems, and hence such systems are complete for MIP*. However, the construction in Grilo, Slofstra, and Yuen uses six provers, and there is no obvious way to get perfect zero knowledge with two provers via simulatable codes. This leads to a natural question: are there two-prover PZK-MIP* protocols for all of MIP*? In this paper, we show that every language in MIP* has a two-prover one-round PZK-MIP* protocol, answering the question in the affirmative. For the proof, we use a new method based on a key consequence of the MIP*=RE theorem, which is that every MIP* protocol can be turned into a family of boolean constraint system (BCS) nonlocal games. This makes it possible to work with MIP* protocols as boolean constraint systems, and in particular allows us to use a variant of a construction due to Dwork, Feige, Kilian, Naor, and Safra [Crypto '92] which gives a classical MIP protocol for 3SAT with perfect zero knowledge. To show quantum soundness of this classical construction, we develop a toolkit for analyzing quantum soundness of reductions between BCS games, which we expect to be useful more broadly. This toolkit also applies to commuting operator strategies, and our argument shows that every language with a commuting operator BCS protocol has a two prover PZK commuting operator protocol.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

MIP* 的两个完美零知识证明者

Ji, Natarajan, Vidick, Wright 和 Yuen 最近提出的 MIP*=RE 定理表明，具有纠缠证明器的多证明器证明系统的复杂度类 MIP* 包含所有递归可数语言。格里洛、斯洛夫斯特拉和袁的前期工作[FOCS'19]进一步表明（通过一种称为可模拟代码的技术），MIP*中的每种语言都有一个完美零知识（PZK）MIP*协议。MIP*=RE 定理使用双验证器一轮证明系统，因此这种系统对于 MIP* 来说是完整的。然而，格里洛、斯洛夫斯特拉和袁的构造使用了六个证明者，而且没有明显的方法通过可模拟代码用两个证明者获得完美的零知识。这自然引出了一个问题：是否存在适用于所有 MIP* 的双证明器 PZK-MIP* 协议？在本文中，我们证明了 MIP* 中的每种语言都有一个双证明者一轮 PZK-MIP* 协议，从而肯定地回答了这个问题。为了证明这一点，我们使用了一种基于 MIP*=RE 定理关键结果的新方法，即每个 MIP* 协议都可以转化为布尔约束系统（BCS）非局部博弈族。这使得我们可以把 MIP* 协议当作布尔约束系统来处理，特别是允许我们使用 Dwork、Feige、Kilian、Naor 和 Safra [Crypto '92] 提出的一种构造的变体，该构造给出了具有完美零知识的 3SAT 的经典 MIP 协议。为了证明这一经典构造的量子完备性，我们开发了一个工具包，用于分析 BCS 博弈之间还原的量子完备性，我们希望它能在更广泛的范围内发挥作用。这个工具包也适用于换算算子策略，我们的论证表明，每一种具有换算算子 BCS 协议的语言都有一个双证明者 PZK 换算算子协议。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

arXiv - CS - Computational Complexity

自引率

0.00%

发文量

期刊最新文献

New Direct Sum Tests Complexity and algorithms for Swap median and relation to other consensus problems Journalists, Emotions, and the Introduction of Generative AI Chatbots: A Large-Scale Analysis of Tweets Before and After the Launch of ChatGPT Almost-catalytic Computation Fast Simulation of Cellular Automata by Self-Composition