A Protocol for Generating Random Elements with their Probabilities
This work addresses a foundational challenge in interactive proof systems by providing a new protocol for probability sampling, which is incremental as it builds upon the Goldwasser-Sipser transformation with specific efficiency gains.
The paper tackles the problem of generating random elements with their probabilities from a prover-held distribution via an AM protocol, achieving a weaker guarantee that the output probability p is an upper bound on the actual probability of outputting x on average, and applies this to transform private-coin interactive proofs into public-coin ones with improved verifier running time, losing only an arbitrarily small constant in soundness and completeness for constant-round protocols.
We give an AM protocol that allows the verifier to sample elements x from a probability distribution P, which is held by the prover. If the prover is honest, the verifier outputs (x, P(x)) with probability close to P(x). In case the prover is dishonest, one may hope for the following guarantee: if the verifier outputs (x, p), then the probability that the verifier outputs x is close to p. Simple examples show that this cannot be achieved. Instead, we show that the following weaker condition holds (in a well defined sense) on average: If (x, p) is output, then p is an upper bound on the probability that x is output. Our protocol yields a new transformation to turn interactive proofs where the verifier uses private random coins into proofs with public coins. The verifier has better running time compared to the well-known Goldwasser-Sipser transformation (STOC, 1986). For constant-round protocols, we only lose an arbitrarily small constant in soundness and completeness, while our public-coin verifier calls the private-coin verifier only once.