Zero-Knowledge Proofs of the Conjugacy for Permutation Groups
We design a perfect zero-knowledge proof system for recognition if two permutation groups are conjugate.
Authors: Oleg Verbitsky
This paper was published in Visn. L'viv. Univ., Ser. Mekh.-Mat. (Bulletin of the Lviv University, Series in Mechanics and Mathematics), Vol. 61, pp. 195–205 (2003). Reviewed in Zentralblatt für Mathematik, Zbl 1035.03533.

Oleg Verbitsky
Department of Algebra, Faculty of Mechanics & Mathematics, Kyiv National University, Volodymyrska 60, 01033 Kyiv, Ukraine

Abstract

We design a perfect zero-knowledge proof system for recognition if two permutation groups are conjugate. It follows, answering a question posed by O. G. Ganyushkin, that this recognition problem is not NP-complete unless the polynomial-time hierarchy collapses.

1 Introduction

Let $S_m$ be a symmetric group of order $m$. We suppose that an element of $S_m$, a permutation of the set $\{1, 2, \dots, m\}$, is encoded by a binary string of length $l = \lceil \log_2 m! \rceil$, where $m(\log_2 m - O(1)) \le l \le m \log_2 m$. Given $v \in S_m$, $y \in S_m$, and $Y \subseteq S_m$, we denote $y^v = v^{-1} y v$ and $Y^v = \{y^v : y \in Y\}$. Two subgroups $G$ and $H$ of $S_m$ are similar if their actions on $\{1, 2, \dots, m\}$ are isomorphic or, equivalently, if $G = H^v$ for some $v \in S_m$. If $X \subseteq S_m$, let $\langle X \rangle$ denote the group generated by the elements of $X$. We address the following algorithmic problem.

Similitude of Permutation Groups
Given: $A_0, A_1 \subseteq S_m$.
Recognize if: $A_0$ and $A_1$ are similar.

Note that the Equality of Permutation Groups problem, that is, recognition if $\langle A_0 \rangle = \langle A_1 \rangle$, reduces to recognition, given $X \subseteq S_m$ and $y \in S_m$, if $y \in \langle X \rangle$. Since the latter problem is known to be solvable in time bounded by a polynomial of the input length [20, 10], so is Equality of Permutation Groups. As a consequence, Similitude of Permutation Groups belongs to NP, the class of decision problems whose yes-instances have polynomial-time verifiable certificates.
The similitude of $\langle A_0 \rangle$ and $\langle A_1 \rangle$ is certified by a permutation $v$ such that $\langle A_1 \rangle = \langle A_0 \rangle^v$. Another problem, Isomorphism of Permutation Groups, is to recognize if $\langle A_0 \rangle$ and $\langle A_1 \rangle$ are isomorphic. This problem also belongs to NP (E. Luks, see [5, Corollary 4.11]). Furthermore, it is announced in [7] that Isomorphism of Permutation Groups belongs to the complexity class coAM (see Section 2 for the definition). By [8] this implies that Isomorphism of Permutation Groups is not NP-complete unless the polynomial-time hierarchy collapses to its second level (for the background on computational complexity theory the reader is referred to [12]).

O. G. Ganyushkin [11] posed the question whether a similar non-completeness result can be obtained for Similitude of Permutation Groups. In this paper we answer this question in the affirmative. We actually prove a stronger result of independent interest, namely, that Similitude of Permutation Groups has a perfect zero-knowledge interactive proof system. It follows by [1] that Similitude of Permutation Groups belongs to coAM and is therefore not NP-complete unless the polynomial-time hierarchy collapses.

Informally speaking, a zero-knowledge proof system for the recognition problem of a language $L$ is a protocol for two parties, the prover and the verifier, that allows the prover to convince the verifier that a given input belongs to $L$, with high confidence but without communicating any information to the verifier (the rigorous definitions are in Section 2). Our zero-knowledge proof system for Similitude of Permutation Groups uses the underlying ideas of the zero-knowledge proof systems designed in [16] for Quadratic Residuosity and in [14] for the Graph Isomorphism problem.
In particular, instead of directly proving something about the input groups $\langle A_0 \rangle$ and $\langle A_1 \rangle$, the prover prefers to deal with their conjugates $\langle A_0 \rangle^w$ and $\langle A_1 \rangle^w$ via a random permutation $w$. The crucial point is that these random groups are indistinguishable by the verifier because they are identically distributed, provided $\langle A_0 \rangle$ and $\langle A_1 \rangle$ are similar. However, we here encounter a complication: the verifier may actually be able to distinguish between $\langle A_0 \rangle^w$ and $\langle A_1 \rangle^w$ based on the particular representations of these groups by their generators. Overcoming this complication, which does not arise in [16, 14], is a novel ingredient of our proof system.

Our result holds true even for the more general problem of recognizing if $\langle A_0 \rangle$ and $\langle A_1 \rangle$ are conjugate via an element of the group generated by a given set $U \subseteq S_m$. We furthermore observe that a similar perfect zero-knowledge proof system works also for the Element Conjugacy problem of recognizing, given $a_0, a_1 \in S_m$ and $U \subseteq S_m$, if $a_1 = a_0^v$ for some $v \in \langle U \rangle$. A version of this problem where $a_0, a_1 \in \langle U \rangle$ was proved to be in coAM in [5, Corollary 12.3 (i)]. Note that the proof system developed in [5] uses different techniques and is not zero-knowledge.

2 Preliminaries

Every decision problem under consideration can be represented, through a suitable encoding, as a recognition problem for a language $L$ over the binary alphabet. We denote the length of a binary word $w$ by $|w|$.

An interactive proof system $\{V, P\}$, further on abbreviated as IPS, consists of two probabilistic Turing machines, a polynomial-time verifier $V$ and a computationally unlimited prover $P$. The input tape is common to the verifier and the prover. The verifier and the prover also share a communication tape which allows message exchange between them. The system works as follows.
First both machines $V$ and $P$ are given an input $w$, and each of them is given an individual random string, $r_V$ for $V$ and $r_P$ for $P$. Then $P$ and $V$ alternately write messages to one another on the communication tape. $V$ computes its $i$-th message $a_i$ to $P$ based on the input $w$, the random string $r_V$, and all previous messages from $P$ to $V$. $P$ computes its $i$-th message $b_i$ to $V$ based on the input $w$, the random string $r_P$, and all previous messages from $V$ to $P$. After a number of message exchanges $V$ terminates the interaction and computes an output based on $w$, $r_V$, and all $b_i$. The output is denoted by $\{V, P\}(w)$. Note that, for a fixed $w$, $\{V, P\}(w)$ is a random variable depending on both random strings $r_V$ and $r_P$.

Let $\epsilon(n)$ be a function of a natural argument taking on positive real values. We say that $\{V, P\}$ is an IPS for a language $L$ with error $\epsilon(n)$ if the following two conditions are fulfilled.

Completeness. If $w \in L$, then $\{V, P\}(w) = 1$ with probability at least $1 - \epsilon(|w|)$.

Soundness. If $w \notin L$, then, for an arbitrary interacting probabilistic Turing machine $P^*$, $\{V, P^*\}(w) = 1$ with probability at most $\epsilon(|w|)$.

We will call any prover $P^*$ interacting with $V$ on an input $w \notin L$ cheating. If in the completeness condition we have $\{V, P\}(w) = 1$ with probability 1, we say that $\{V, P\}$ has one-sided error $\epsilon(n)$. An IPS is public-coin if the concatenation $a_1 \dots a_k$ of the verifier's messages is a prefix of his random string $r_V$. A round is the sending of one message from the verifier to the prover or from the prover to the verifier. The class AM consists of those languages having IPSs with error $1/3$ and with the number of rounds bounded by a constant for all inputs. A language $L$ belongs to the class coAM iff its complement $\{0,1\}^* \setminus L$ belongs to AM.
Proposition 2.1 (Goldwasser–Sipser [17]) Every IPS for a language $L$ can be converted into a public-coin IPS for $L$ with the same error at the cost of increasing the number of rounds by 2.

Given an IPS $\{V, P\}$ and an input $w$, let $\mathrm{view}_{V,P}(w) = (r'_V, a_1, b_1, \dots, a_k, b_k)$, where $r'_V$ is the part of $r_V$ scanned by $V$ during its work on $w$ and $a_1, b_1, \dots, a_k, b_k$ are all messages from $P$ to $V$ and from $V$ to $P$ ($a_1$ may be empty if the first message is sent by $P$). Note that the verifier's messages $a_1, \dots, a_k$ could be excluded because they are efficiently computable from the other components. For a fixed $w$, $\mathrm{view}_{V,P}(w)$ is a random variable depending on $r_V$ and $r_P$.

An IPS $\{V, P\}$ is perfect zero-knowledge on $L$ if for every interacting polynomial-time probabilistic Turing machine $V^*$ there is a probabilistic Turing machine $M_{V^*}$, called a simulator, that on every input $w \in L$ runs in expected polynomial time and produces an output $M_{V^*}(w)$ which, considered as a random variable depending on the random string of $M_{V^*}$, is distributed identically with $\mathrm{view}_{V^*,P}(w)$. This notion formalizes the claim that the verifier gets no information during the interaction with the prover: everything that the verifier gets he can get without the prover by running the simulator. According to the definition, the verifier learns nothing even if he deviates from the original program and follows an arbitrary probabilistic polynomial-time program $V^*$. We will call the verifier $V$ honest and all other verifiers $V^*$ cheating. If, for all $V^*$, $M_{V^*}$ is implemented by the same simulator $M$ running $V^*$ as a subroutine, we say that $\{V, P\}$ is black-box simulation zero-knowledge.

We call $\epsilon(n)$ negligible if $\epsilon(n) < n^{-c}$ for every $c$ and all $n$ starting from some $n_0(c)$.
The class of languages $L$ having IPSs that are perfect zero-knowledge on $L$ and have negligible error is denoted by PZK.

Proposition 2.2 (Aiello–Håstad [1]) PZK $\subseteq$ coAM.

The $k(n)$-fold sequential composition of an IPS $\{V, P\}$ is the IPS $\{V', P'\}$ in which $V'$ and $P'$ on input $w$ execute the programs of $V$ and $P$ sequentially $k(|w|)$ times, each time with an independent choice of the random strings $r_V$ and $r_P$. At the end of the interaction $V'$ outputs 1 iff $\{V, P\}(w) = 1$ in all $k(|w|)$ executions. The initial system $\{V, P\}$ is called atomic.

Proposition 2.3
1. If $\{V', P'\}$ is the $k(n)$-fold sequential composition of $\{V, P\}$, then
$$\max_{P^*} \Pr[\{V', P^*\}(w) = 1] = \Big(\max_{P^*} \Pr[\{V, P^*\}(w) = 1]\Big)^{k(|w|)}.$$
Consequently, if $\{V, P\}$ is an IPS for a language $L$ with one-sided constant error $\epsilon$, then $\{V', P'\}$ is an IPS for $L$ with one-sided error $\epsilon^{k(n)}$.
2. (Goldreich–Oren [15], see also [13, Lemma 6.19]) If in addition $\{V, P\}$ is black-box simulation perfect zero-knowledge on $L$, then $\{V', P'\}$ is perfect zero-knowledge on $L$.

In the $k(n)$-fold parallel composition $\{V'', P''\}$ of $\{V, P\}$, the program of $\{V, P\}$ is executed $k(|w|)$ times in parallel, that is, in each round all $k(|w|)$ versions of a message are sent from one machine to the other at once as a single long message. In every parallel execution $V''$ and $P''$ use independent copies of $r_V$ and $r_P$. At the end of the interaction $V''$ outputs 1 iff $\{V, P\}(w) = 1$ in all $k(|w|)$ executions.

Proposition 2.4 If $\{V'', P''\}$ is the $k(n)$-fold parallel composition of $\{V, P\}$, then
$$\max_{P^*} \Pr[\{V'', P^*\}(w) = 1] = \Big(\max_{P^*} \Pr[\{V, P^*\}(w) = 1]\Big)^{k(|w|)}.$$

3 Group Conjugacy

We consider the following extension of Similitude of Permutation Groups.

Group Conjugacy
Given: $A_0, A_1, U \subseteq S_m$.
Recognize if: $\langle A_1 \rangle = \langle A_0 \rangle^v$ for some $v \in \langle U \rangle$.
Theorem 3.1 Group Conjugacy is in PZK.

Designing a perfect zero-knowledge interactive proof system for Group Conjugacy, we will make use of the following facts due to Sims [20, 10].

1. There is a polynomial-time algorithm that, given $X \subseteq S_m$ and $y \in S_m$, recognizes if $y \in \langle X \rangle$. As a consequence, there is a polynomial-time algorithm that, given $X \subseteq S_m$ and $Y \subseteq S_m$, recognizes if $\langle X \rangle = \langle Y \rangle$.
2. There is a probabilistic polynomial-time algorithm that, given $X \subseteq S_m$, outputs a random element of $\langle X \rangle$. Here and further on, by a random element of a finite set $Z$ we mean a random variable uniformly distributed over $Z$.

Given $A \subseteq S_m$ and a number $k$, define
$$G(A, k) = \{(x_1, \dots, x_k) : x_i \in S_m,\ \langle x_1, \dots, x_k \rangle = \langle A \rangle\}.$$

In the sequel, the length of the binary encoding of an input $A_0, A_1, U \subseteq S_m$ will be denoted by $n$. We set $k = 4m$. On input $(A_0, A_1, U)$, the IPS we design is the $n$-fold sequential repetition of the following 3-round system. We will say that the verifier $V$ accepts if $\{V, P\}(A_0, A_1, U) = 1$ and rejects otherwise. If $(A_0, A_1, U)$ is a yes-instance of Group Conjugacy, $P$ finds an element $v \in \langle U \rangle$ such that $\langle A_1 \rangle = \langle A_0 \rangle^v$.

1st round. $P$ generates a random element $u \in \langle U \rangle$, computes $A = A_1^u$, chooses a random element $(a_1, \dots, a_k)$ in $G(A, k)$, and sends $(a_1, \dots, a_k)$ to $V$. $V$ checks if all $a_i \in S_m$ and, if not (this is possible in the case of a cheating prover), halts and rejects.

2nd round. $V$ chooses a random bit $\beta \in \{0, 1\}$ and sends it to $P$.

3rd round. Case $\beta = 1$. $P$ sends $V$ the permutation $w = u$. $V$ checks if $w \in \langle U \rangle$ and if $\langle a_1, \dots, a_k \rangle = \langle A_1^w \rangle$. Case $\beta \ne 1$ (this includes the possibility of a message $\beta \notin \{0, 1\}$ produced by a cheating verifier). $P$ computes $w = vu$ and sends $w$ to $V$. $V$ checks if $w \in \langle U \rangle$ and if $\langle a_1, \dots, a_k \rangle = \langle A_0^w \rangle$.
$V$ halts and accepts if the conditions are checked successfully and rejects otherwise.

We now need to prove that this system is indeed an IPS for Group Conjugacy and, moreover, that it is perfect zero-knowledge.

Completeness. To show that the prover is able to follow the above protocol, we have to check that $G(A, k) \ne \emptyset$ for $k = 4m$. The latter is true by the fact that every subgroup of $S_m$ can be generated by at most $m - 1$ elements [18]. If $\langle A_0 \rangle$ and $\langle A_1 \rangle$ are conjugate via an element of $\langle U \rangle$ and the prover and the verifier follow the protocol, then $\langle a_1, \dots, a_k \rangle = \langle A \rangle = \langle A_1^u \rangle = \langle A_0^{vu} \rangle$. Therefore, the verifier accepts with probability 1 both in the atomic and in the composed system.

Soundness. Assume that $\langle A_0 \rangle$ and $\langle A_1 \rangle$ are not conjugate via an element of $\langle U \rangle$ and consider an arbitrary cheating prover $P^*$. Observe that if both $\langle a_1, \dots, a_k \rangle = \langle A_1^u \rangle$ and $\langle a_1, \dots, a_k \rangle = \langle A_0^w \rangle$ with $u, w \in \langle U \rangle$, then $\langle A_1 \rangle = \langle A_0 \rangle^{wu^{-1}}$. It follows that $V$ rejects for at least one value of $\beta$ and, therefore, in the atomic system $V$ accepts with probability at most $1/2$. By Proposition 2.3 (1), in the composed system $V$ accepts with probability at most $2^{-n}$.

Zero-knowledge. We will need the following fact.

Lemma 3.2 Let $G$ be a subgroup of $S_m$ and $a_1, \dots, a_k$ be random independent elements of $G$.
1. If $k = 4m$, then $\langle a_1, \dots, a_k \rangle = G$ with probability more than $1/2$.
2. If $k = 8m$, then $\langle a_1, \dots, a_k \rangle = G$ with probability more than $1 - 2^{-m}$.

Proof. We will estimate from above the probability that $\langle a_1, \dots, a_k \rangle \ne G$. This inequality is equivalent to the condition that all of $\langle a_1 \rangle, \langle a_1, a_2 \rangle, \dots, \langle a_1, \dots, a_k \rangle$ are proper subgroups of $G$. Assume that this condition is true.
Since every subgroup chain in $S_m$ has length less than $2m$ [3, 9], fewer than $2m - 1$ of the inclusions $\langle a_1 \rangle \subseteq \langle a_1, a_2 \rangle \subseteq \dots \subseteq \langle a_1, \dots, a_k \rangle$ are proper. In other words, fewer than $2m - 1$ of the events $a_2 \notin \langle a_1 \rangle,\ a_3 \notin \langle a_1, a_2 \rangle,\ \dots,\ a_k \notin \langle a_1, \dots, a_{k-1} \rangle$ occur. Equivalently, more than $k - 2m$ of the events $a_2 \in \langle a_1 \rangle,\ a_3 \in \langle a_1, a_2 \rangle,\ \dots,\ a_k \in \langle a_1, \dots, a_{k-1} \rangle$ occur.

Let $p = |H|/|G|$ be the maximum density of a proper subgroup $H$ of $G$. Given $a_1, \dots, a_i \in G$, define $E(a_1, \dots, a_i)$ to be an arbitrary subset of $G$ fixed so that (i) $E(a_1, \dots, a_i)$ has density $p$ in $G$, and (ii) $E(a_1, \dots, a_i)$ contains $\langle a_1, \dots, a_i \rangle$ if the latter is a proper subgroup of $G$. If $\langle a_1, \dots, a_k \rangle \ne G$, more than $k - 2m$ of the events
$$a_2 \in E(a_1),\ a_3 \in E(a_1, a_2),\ \dots,\ a_k \in E(a_1, \dots, a_{k-1}) \qquad (1)$$
must occur. It suffices to show that the probability of so many occurrences in (1) is small enough. Set $X_i(a_1, \dots, a_k)$ equal to 1 if $a_{i+1} \in E(a_1, \dots, a_i)$ and to 0 otherwise. In these terms, we have to estimate the probability that
$$\sum_{i=1}^{k-1} X_i > k - 2m. \qquad (2)$$
It is easy to calculate that an arbitrary set of $l$ events in (1) occurs with probability $p^l$. Hence the events (1), as well as the random variables $X_1, \dots, X_{k-1}$, are mutually independent, and $X_1, \dots, X_{k-1}$ are successive Bernoulli trials with success probability $p$. If $k = 4m$, inequality (2) implies that strictly more than half of all the trials are successful. Since $p \le 1/2$, this happens with probability less than $1/2$, and item 1 of the lemma follows. If $k = 8m$, inequality (2) implies
$$\frac{1}{k-1} \sum_{i=1}^{k-1} X_i > p + \epsilon$$
with deviation $\epsilon = 1/4$ from the mean value $p = \mathbb{E}\Big[\frac{1}{k-1} \sum_{i=1}^{k-1} X_i\Big]$.
By the Chernoff bound [2, Theorem A.4], this happens with probability less than $\exp(-2\epsilon^2 (k-1)) = \exp(-m + \tfrac{1}{8}) < 2^{-m}$. This proves item 2 of the lemma. $\Box$

By Proposition 2.3 (2) it suffices to show that the atomic system is black-box simulation perfect zero-knowledge. We describe a probabilistic simulator $M$ that uses the program of $V^*$ as a subroutine and, for each $V^*$, runs in expected polynomial time. Assume that the running time of $V^*$ is bounded by a polynomial $q$ in the input size. On input $(A_0, A_1, U)$ of length $n$, $M$ will run the program of $V^*$ on the same input with random string $r$, where $r$ is the prefix of $M$'s random string of length $q(n)$. In all other cases of randomization, $M$ will use the remaining part of its random string.

Having received an input $(A_0, A_1, U)$, the simulator $M$ chooses a random element $w \in \langle U \rangle$ and a random bit $\alpha \in \{0, 1\}$. Then $M$ randomly and independently chooses elements $a_1, \dots, a_k$ in $\langle A_\alpha^w \rangle$ and checks if
$$\langle a_1, \dots, a_k \rangle = \langle A_\alpha^w \rangle. \qquad (3)$$
If (3) is not true, $M$ repeats the choice of $a_1, \dots, a_k$ again and again until (3) is fulfilled. By Lemma 3.2 (1), $M$ succeeds in at most 2 attempts on average. The resulting sequence $(a_1, \dots, a_k)$ is uniformly distributed on $G(A_\alpha^w, k)$. Then $M$ computes $\beta = V^*(A_0, A_1, U, r, a_1, \dots, a_k)$, the message that $V^*$ sends to $P$ in the 2nd round after receiving $P$'s message $a_1, \dots, a_k$. If $\beta$ and $\alpha$ are simultaneously equal to or different from 1, $M$ halts and outputs $(r', a_1, \dots, a_k, \beta, w)$, where $r'$ is the prefix of $r$ that $V^*$ actually uses after reading the input $(A_0, A_1, U)$ and the prover's message $a_1, \dots, a_k$. If exactly one of $\beta$ and $\alpha$ is equal to 1, then $M$ restarts the same program from the very beginning with another independent choice of $w$, $\alpha$, and $a_1, \dots, a_k$.
Notice that it might happen that in unsuccessful attempts $V^*$ used a prefix of $r$ longer than $r'$.

We first check that, for each $V^*$, the simulator $M$ terminates in expected polynomial time whenever $A_0$ and $A_1$ are conjugated via an element of $\langle U \rangle$. Since $V^*$ is polynomial-time, one attempt to pass through the body of $M$'s program takes time bounded by a polynomial of $n$. Observe that $\alpha$ and $(r, a_1, \dots, a_k)$ are independent. Indeed, independently of whether $\alpha = 0$ or $\alpha = 1$, $r$ is a random string of length $q(n)$ and $(a_1, \dots, a_k)$ is a random element of $G(A, k)$, where $A$ itself is a random element of the orbit $\{A_0^w : w \in \langle U \rangle\} = \{A_1^w : w \in \langle U \rangle\}$ under the conjugating action of $\langle U \rangle$ on subsets of $S_m$. It follows that $\alpha$ and $\beta$ are independent and therefore an execution of the body of $M$'s program is successful with probability $1/2$. We conclude that on average $M$'s program is executed twice, and this takes expected polynomial time.

We finally need to check that, whenever $A_0$ and $A_1$ are conjugated via an element of $\langle U \rangle$, for each $V^*$ the output $M(A_0, A_1, U)$ is distributed identically with $\mathrm{view}_{V^*,P}(A_0, A_1, U)$. Notice that both random variables depend on $V^*$'s random string $r$. It therefore suffices to show that the distributions are identical when conditioned on an arbitrary fixed $r$. Denote these conditional distributions by $D_M(A_0, A_1, U, r)$ and $D_{V^*,P}(A_0, A_1, U, r)$. We will show that both $D_M(A_0, A_1, U, r)$ and $D_{V^*,P}(A_0, A_1, U, r)$ are uniform on the set
$$S = \big\{(a_1, \dots, a_k, \beta, w) : w \in \langle U \rangle,\ \beta = V^*(A_0, A_1, U, r, a_1, \dots, a_k),\ (a_1, \dots, a_k) \in G(A_{\delta(\beta)}^w, k)\big\},$$
where $\delta(\beta)$ is equal to 1 if $\beta = 1$ and to 0 otherwise.

Let $v \in \langle U \rangle$ such that $\langle A_1 \rangle = \langle A_0 \rangle^v$ be the element chosen by the prover $P$ on input $(A_0, A_1, U)$. Given $(x_1, \dots, x_k) \in G(A_1, k)$ and $u \in \langle U \rangle$, define $\phi(x_1, \dots, x_k, u) = (a_1, \dots, a_k, \beta, w)$ by $a_i = x_i^u$ for all $i \le k$, $\beta = V^*(A_0, A_1, U, r, a_1, \dots, a_k)$, and $w = v^{1 - \delta(\beta)} u$. As is easily seen, $\phi(x_1, \dots, x_k, u) \in S$.

Claim: The map $\phi : G(A_1, k) \times \langle U \rangle \to S$ is one-to-one.

Proof. Define $\psi(a_1, \dots, a_k, \beta, w) = (x_1, \dots, x_k, u)$ by $u = v^{\delta(\beta) - 1} w$ and $x_i = a_i^{u^{-1}}$ for all $i \le k$. It is not hard to check that the map $\psi$ is the inverse of $\phi$. $\Box$

Observe now that if $(x_1, \dots, x_k, u)$ is chosen uniformly at random in $G(A_1, k) \times \langle U \rangle$, then $\phi(x_1, \dots, x_k, u)$ has distribution $D_{V^*,P}(A_0, A_1, U, r)$. By the Claim we conclude that $D_{V^*,P}(A_0, A_1, U, r)$ is uniform on $S$.

As yet another consequence of the Claim, observe that if a random tuple $(a_1, \dots, a_k, \beta, w)$ is uniformly distributed on $S$, then its prefix $(a_1, \dots, a_k)$ is a random element of $G(A, k)$, where $A$ is a random element of the orbit $\{A_0^w : w \in \langle U \rangle\} = \{A_1^w : w \in \langle U \rangle\}$ under the conjugating action of $\langle U \rangle$ on subsets of $S_m$. This suggests the following way of generating a random element of $S$. Choose uniformly at random $\alpha \in \{0, 1\}$, $w \in \langle U \rangle$, $(a_1, \dots, a_k) \in G(A_\alpha^w, k)$ and, if
$$\delta(V^*(A_0, A_1, U, r, a_1, \dots, a_k)) = \alpha, \qquad (4)$$
output $(a_1, \dots, a_k, V^*(A_0, A_1, U, r, a_1, \dots, a_k), w)$; otherwise repeat the same procedure once again independently. Under the condition that (4) is fulfilled for the first time in the $i$-th repetition, the output is uniformly distributed on $S$. Notice now that this sampling procedure coincides with the description of $D_M(A_0, A_1, U, r)$. It follows that $D_M(A_0, A_1, U, r)$ is uniform on $S$. The proof of the perfect zero-knowledge property of our proof system for Group Conjugacy is complete.
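The following Python script is an added example and not code from the paper: it runs the 3-round system of Theorem 3.1 on small permutation groups, with an honest prover that holds a conjugator $v$, a cheating prover on a no-instance (which can only answer $w = u$), the $n$-fold sequential repetition, and the simulator $M$ run against a verifier strategy. Brute-force closure of small groups stands in for Sims's polynomial-time membership and random-element algorithms, which is an assumption that restricts the script to tiny $m$; the test instance is the paper's Section 4 pair $\langle(123)\rangle$, $\langle(456)\rangle$ with $U = \{(14)(26)(35)\}$, and all function and class names are the example's own.

```python
import random

# Permutations of {1..m} stored 0-indexed as tuples: p[i] is the image of point i.
def mul(p, q):
    """Product pq: apply p first, then q (so (vu)^-1 = u^-1 v^-1)."""
    return tuple(q[i] for i in p)

def inv(p):
    r = [0] * len(p)
    for i, j in enumerate(p):
        r[j] = i
    return tuple(r)

def conj(x, v):
    """The paper's x^v = v^-1 x v; note conj(conj(x, v), u) == conj(x, mul(v, u))."""
    return mul(mul(inv(v), x), v)

def conj_set(A, v):
    return frozenset(conj(a, v) for a in A)

def perm(m, *cycles):
    """Permutation of {1..m} from disjoint cycles in the paper's 1-based notation."""
    p = list(range(m))
    for c in cycles:
        for a, b in zip(c, c[1:] + c[:1]):
            p[a - 1] = b - 1
    return tuple(p)

def generate(gens, m):
    """<gens> by brute-force closure. Stands in for Sims's polynomial-time algorithms
    (membership test, random element) that the paper assumes; only usable for tiny m."""
    ident = tuple(range(m))
    group, frontier = {ident}, [ident]
    while frontier:
        new = []
        for g in frontier:
            for s in gens:
                h = mul(g, s)
                if h not in group:
                    group.add(h)
                    new.append(h)
        frontier = new
    return frozenset(group)

def random_generating_tuple(G, k, rng):
    """Uniform element of G(A, k): k independent uniform elements of G = <A> that
    generate G, by rejection (Lemma 3.2: for k = 4m at most 2 tries on average)."""
    elems, m = sorted(G), len(next(iter(G)))
    while True:
        t = tuple(rng.choice(elems) for _ in range(k))
        if generate(t, m) == G:
            return t

def conjugator(A0, A1, U, m):
    """Some v in <U> with <A1> = <A0>^v, or None: the unlimited prover's brute-force step."""
    G0, G1 = generate(A0, m), generate(A1, m)
    return next((v for v in sorted(generate(U, m)) if conj_set(G0, v) == G1), None)

class Prover:
    """Prover of the 3-round system. On a no-instance no conjugator exists (v is None),
    which models a cheating prover: it can only answer w = u to either challenge bit."""
    def __init__(self, A0, A1, U, m, rng):
        self.A1, self.m, self.rng = A1, m, rng
        self.GU = sorted(generate(U, m))
        self.v = conjugator(A0, A1, U, m)

    def round1(self):
        u = self.rng.choice(self.GU)                    # random u in <U>
        G = generate(conj_set(self.A1, u), self.m)      # <A_1^u>
        return random_generating_tuple(G, 4 * self.m, self.rng), u

    def round3(self, u, beta):
        return u if beta == 1 or self.v is None else mul(self.v, u)   # w = u or w = vu

def verifier_round(A0, A1, U, m, prover, rng, beta=None):
    """One atomic execution; True iff V accepts. beta can be forced to inspect one branch."""
    gens, u = prover.round1()
    if len(gens) != 4 * m or any(sorted(g) != list(range(m)) for g in gens):
        return False                                    # some a_i is not in S_m
    if beta is None:
        beta = rng.randrange(2)
    w = prover.round3(u, beta)
    target = A1 if beta == 1 else A0
    return w in generate(U, m) and generate(gens, m) == generate(conj_set(target, w), m)

def run_protocol(A0, A1, U, m, prover, rounds, rng):
    """Sequential composition: accept iff every atomic round accepts."""
    return all(verifier_round(A0, A1, U, m, prover, rng) for _ in range(rounds))

def simulate_view(A0, A1, U, m, rng, verifier_bit):
    """Simulator M: produces an accepting transcript (gens, beta, w) against the verifier
    strategy verifier_bit(gens) without any conjugator, restarting when delta(beta) != alpha."""
    GU = sorted(generate(U, m))
    while True:
        w, alpha = rng.choice(GU), rng.randrange(2)
        gens = random_generating_tuple(generate(conj_set(A1 if alpha else A0, w), m), 4 * m, rng)
        beta = verifier_bit(gens)
        if (beta == 1) == (alpha == 1):
            return gens, beta, w

if __name__ == "__main__":
    m, rng = 6, random.Random(7)
    A0, A1 = [perm(m, (1, 2, 3))], [perm(m, (4, 5, 6))]     # the paper's Section 4 pair
    U_yes = [perm(m, (1, 4), (2, 6), (3, 5))]               # <A0>, <A1> conjugate via <U_yes>
    U_no = [perm(m, (1, 2))]                                # but not via <U_no>
    print(run_protocol(A0, A1, U_yes, m, Prover(A0, A1, U_yes, m, rng), 20, rng))  # True
    print(run_protocol(A0, A1, U_no, m, Prover(A0, A1, U_no, m, rng), 20, rng))    # False
```

Forcing `beta` in `verifier_round` makes the soundness argument visible: on the no-instance the cheating prover passes the $\beta = 1$ check (it really did conjugate $A_1$ by $u$) and fails the $\beta = 0$ check, so a single round accepts with probability exactly $1/2$ and the 20-fold repetition with $2^{-20}$. Note that `round1` sends a random element of $G(A, k)$ rather than $A_1^u$ itself; sending the conjugated generator set would let the verifier tell $A_0^u$ from $A_1^u$ by its shape, which is the complication the paper's construction removes. `simulate_view` produces transcripts that satisfy the verifier's final check while never computing $v$, which is the operational content of the zero-knowledge claim.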
The following corollary immediately follows from Theorem 3.1 by Proposition 2.2 and the result of [8].

Corollary 3.3 Group Conjugacy is in coAM and is therefore not NP-complete unless the polynomial-time hierarchy collapses.

We also give an alternative proof of this corollary that consists in directly designing a two-round IPS $\{V, P\}$ with error $1/4$ for the complement of Group Conjugacy and applying Proposition 2.1. More precisely, we deal with the Group Non-Conjugacy problem of recognizing, given $A_0, A_1, U \subseteq S_m$, if there is no $v \in \langle U \rangle$ such that $\langle A_1 \rangle = \langle A_0 \rangle^v$. Set $k = 8m$. The IPS below is composed twice in parallel.

1st round. $V$ chooses a random bit $\alpha \in \{0, 1\}$, a random element $u \in \langle U \rangle$, and a sequence of random independent elements $a_1, \dots, a_k \in \langle A_\alpha^u \rangle$. Then $V$ sends $(a_1, \dots, a_k)$ to $P$.

2nd round. $P$ determines $\beta$ such that $\langle a_1, \dots, a_k \rangle$ and $\langle A_\beta \rangle$ are conjugate via an element of $\langle U \rangle$ and sends $\beta$ to $V$.

$V$ accepts if $\beta = \alpha$ and rejects otherwise.

Completeness. By Lemma 3.2 (2), $\langle a_1, \dots, a_k \rangle = \langle A_\alpha^u \rangle$ with probability at least $1 - 2^{-m}$. If this happens and if $\langle A_0 \rangle$ and $\langle A_1 \rangle$ are not conjugated via $\langle U \rangle$, the group $\langle a_1, \dots, a_k \rangle$ is conjugated via $\langle U \rangle$ with precisely one of $\langle A_0 \rangle$ and $\langle A_1 \rangle$. In this case $P$ is able to determine $\alpha$ correctly. Therefore $V$ accepts with probability at least $1 - 2^{-m}$ in the atomic system and with probability at least $1 - 2^{-m+1}$ in the composed system.

Soundness. If $\langle A_0 \rangle$ and $\langle A_1 \rangle$ are conjugated via $\langle U \rangle$, then for both values $\alpha = 0$ and $\alpha = 1$ the vector $(a_1, \dots, a_k)$ has the same distribution, namely, it is a random element of $A^k$, where $A$ is a random element of the orbit $\{A_0^w : w \in \langle U \rangle\} = \{A_1^w : w \in \langle U \rangle\}$ under the conjugating action of $\langle U \rangle$ on subsets of $S_m$. It follows that, irrespective of his program, $P$ guesses the true value of $\alpha$ with probability $1/2$.
With the same probability $V$ accepts in the atomic system. By Proposition 2.4, in the composed system $V$ accepts with probability $1/4$.

Note that this $\{V, P\}$ is perfect zero-knowledge only for the honest verifier and may reveal non-trivial information to a cheating verifier.

4 Element Conjugacy

This section is devoted to the following problem.

Element Conjugacy
Given: $a_0, a_1 \in S_m$, $U \subseteq S_m$.
Recognize if: $a_1 = a_0^v$ for some $v \in \langle U \rangle$.

L. Babai [5] considers a version of this problem with $a_0, a_1 \in \langle U \rangle$ and proves that it belongs to coAM. His result holds true not only for permutation groups but also for arbitrary finite groups with efficiently performable group operations, in particular, for matrix groups over finite fields.

It is easy to see that Theorem 3.1 carries over to Element Conjugacy.

Theorem 4.1 Element Conjugacy is in PZK.

The proof system designed in the preceding section for Group Conjugacy applies to Element Conjugacy as well. Moreover, the proof system for Element Conjugacy is considerably simpler. In place of the groups $\langle A_0^u \rangle$ and $\langle A_1^u \rangle$ we now deal with the single elements $a_0^u$ and $a_1^u$, and there is no complication with the representation of $\langle A_0^u \rangle$ and $\langle A_1^u \rangle$ by generating sets.

We now note the relations of Element Conjugacy with the following problem considered by E. Luks [19] (see also [6, Section 6.5]). Given $x \in S_m$, let $C(x)$ denote the centralizer of $x$ in $S_m$.

Centralizer and Coset Intersection
Given: $x, y \in S_m$, $U \subseteq S_m$.
Recognize if: $C(x) \cap \langle U \rangle y \ne \emptyset$.

Since, given a permutation $x$, one can efficiently find a list of generators for $C(x)$, this is a particular case of the Coset Intersection problem of recognizing, given $A, B \subseteq S_m$ and $s, t \in S_m$, if the cosets $\langle A \rangle s$ and $\langle B \rangle t$ intersect.
Proposition 4.2 Element Conjugacy and Centralizer and Coset Intersection are equivalent with respect to polynomial-time many-one reducibility.

Proof. We first reduce Element Conjugacy to Centralizer and Coset Intersection. Given permutations $a_0$ and $a_1$, it is easy to recognize if they are conjugate in $S_m$ and, if so, to find an $s$ such that $a_1 = a_0^s$. The set of all $z \in S_m$ such that $a_1 = a_0^z$ is the coset $C(a_0)s$. It follows that $\langle U \rangle$ contains $v$ such that $a_1 = a_0^v$ iff $C(a_0)$ and $\langle U \rangle s^{-1}$ intersect.

A reduction from Centralizer and Coset Intersection to Element Conjugacy is based on the fact that $C(x)$ and $\langle U \rangle y$ intersect iff $x$ and $yxy^{-1}$ are conjugated via an element of $\langle U \rangle$. $\Box$

Note that, while the reduction we described from Element Conjugacy to Centralizer and Coset Intersection works only for permutation groups, the reduction in the other direction works equally well for arbitrary finite groups with efficiently performable group operations, in particular, for matrix groups over finite fields.

We now have three different ways to prove that Element Conjugacy is in coAM and is therefore not NP-complete unless the polynomial-time hierarchy collapses. First, this fact follows from Theorem 4.1 by Proposition 2.2. Second, one can use Proposition 4.2 and the result of [5, Corollary 12.2 (d)] that Coset Intersection is in coAM. Finally, one can design a constant-round IPS for the complement of Element Conjugacy as is done in the preceding section for the complement of Group Conjugacy.

We conclude with two questions.

Question 4.3 Is there any reduction between Group Conjugacy and Coset Intersection?
We are not able to prove an analog of Proposition 4.2 for groups because, given $A_0, A_1 \subseteq S_m$ such that $\langle A_1 \rangle = \langle A_0 \rangle^v$ for some $v \in S_m$, we cannot efficiently find any $v$ with this property (otherwise we could efficiently recognize Similitude of Permutation Groups).

Question 4.4 Does Element Conjugacy reduce to Group Conjugacy?

Whereas Corollary 3.3 gives us evidence that Group Conjugacy is not NP-complete, we have no formal evidence supporting our feeling that Group Conjugacy is not solvable efficiently. A reduction from Element Conjugacy could be considered such evidence, as Element Conjugacy is not expected to be solvable in polynomial time [4, page 1483]. Note that the conjugacy of permutations $a_0$ and $a_1$ via an element of a group $\langle U \rangle$ does not reduce to the conjugacy of the cyclic groups $\langle a_0 \rangle$ and $\langle a_1 \rangle$ via $\langle U \rangle$, because $\langle a_0 \rangle$ and $\langle a_1 \rangle$ can be conjugated by a conjugation of another pair of their generators, while such a new conjugation need not be via $\langle U \rangle$. For example, although the groups $\langle (123) \rangle$ and $\langle (456) \rangle$ are conjugated via $\langle (14)(26)(35) \rangle$, the permutations $(123)$ and $(456)$ are not.

Acknowledgement. I appreciate useful discussions with O. G. Ganyushkin.

References

[1] B. Aiello and J. Håstad. Perfect zero-knowledge languages can be recognized in two rounds. In Proc. of the 28th IEEE Ann. Symp. on Foundations of Computer Science (FOCS), pages 439–448, 1987.
[2] N. Alon and J. H. Spencer. The probabilistic method. John Wiley & Sons, 1992.
[3] L. Babai. On the length of chains of subgroups in the symmetric group. Comm. Algebra, 14:1729–1736, 1986.
[4] L. Babai. Computational complexity in finite groups. In Proc. of the Int. Congr. of Mathematicians, Kyoto, Japan, pages 1479–1489, 1990.
[5] L. Babai. Bounded round interactive proofs in finite groups. SIAM Journal of Discrete Mathematics, 5(1):88–111, 1992.
[6] L. Babai. Automorphism groups, isomorphism, reconstruction. Handbook of Combinatorics, Ch. 27, pages 1447–1540. Elsevier Publ., 1995.
[7] L. Babai, S. Kannan, and E. M. Luks. Bounded round interactive proofs for nonisomorphism of permutation groups. Quoted in [6] and [5].
[8] R. B. Boppana, J. Håstad, and S. Zachos. Does co-NP have short interactive proofs? Information Processing Letters, 25:127–132, 1987.
[9] P. J. Cameron, R. Solomon, and A. Turull. Chains of subgroups in symmetric groups. J. Algebra, 127:340–352, 1989.
[10] M. L. Furst, J. Hopcroft, and E. M. Luks. Polynomial-time algorithms for permutation groups. In Proc. of the 21st IEEE Ann. Symp. on Foundations of Computer Science (FOCS), pages 36–41, 1980.
[11] O. G. Ganyushkin. Personal communication.
[12] M. R. Garey and D. S. Johnson. Computers and Intractability. A guide to the theory of NP-completeness. W. H. Freeman, 1979 (a Russian translation is available).
[13] O. Goldreich. Foundations of cryptography (fragments of a book). Weizmann Institute of Science, 1995. Available from www.eccc.uni-trier.de/eccc/.
[14] O. Goldreich, S. Micali, and A. Wigderson. Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. Assoc. Comput. Mach., 38(3):691–729, 1991.
[15] O. Goldreich and Y. Oren. Definitions and properties of zero-knowledge proof systems. Journal of Cryptology, 7(1):1–32, 1994.
[16] S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 18(1):186–208, 1989.
[17] S. Goldwasser and M. Sipser. Private coins versus public coins in interactive proof systems. In Proc. of the 18th ACM Ann. Symp. on the Theory of Computing (STOC), pages 59–68, 1986.
[18] M. R. Jerrum. A compact representation for permutation groups. In Proc. of the 23rd IEEE Ann. Symp. on Foundations of Computer Science (FOCS), pages 126–133, 1982.
[19] E. M. Luks. Isomorphism of graphs of bounded valence can be tested in polynomial time. Journal of Computer and System Sciences, 25:42–65, 1982.
[20] C. C. Sims. Some group theoretic algorithms, volume 697 of Lecture Notes in Computer Science, pages 108–124. Springer Verlag, Berlin, 1978.

Received 15.12.2001. Accepted 14.03.2003.