Are PCPs Inherent in Efficient Arguments?

Starting with Kilian (STOC ‘92), several works have shown how to use probabilistically checkable proofs (PCPs) and cryptographic primitives such as collision-resistant hashing to construct very efficient argument systems (a.k.a. computationally sound proofs), for example with polylogarithmic communication complexity. Ishai et al. (CCC ‘07) raised the question of whether PCPs are inherent in efficient arguments, and if so, to what extent. We give evidence that they are, by showing how to convert any argument system whose soundness is reducible to the security of some cryptographic primitive into a PCP system whose efficiency is related to that of the argument system and the reduction (under certain complexity assumptions).


Introduction
Probabilistically checkable proofs (PCPs) are one of the greatest successes of the interaction between complexity theory and the foundations of cryptography. The model of PCPs, and the equivalent model of multi-prover interactive proofs, emerged from efforts to find unconditional constructions of zero-knowledge proofs [BGKW] and secure multiparty computation protocols [BGW, CCD] (replacing the constructions of [GMW1] and [Yao2,GMW2], which relied on computational complexity assumptions). But like their predecessor, interactive proofs, they turned out to be extremely interesting from a purely complexity-theoretic point of view [FRS], particularly through their surprising connection to the inapproximability of optimization problems [FGL + ]. The PCP Theorem [AS, ALM + ] is one of the most celebrated results in complexity theory, and has led to a large body of work that continues to generate deep insights.
The PCP Theorem has also provided some returns to cryptography. Specifically, Kilian [Kil] showed how to use PCPs to construct arguments (i.e. computationally sound proof systems) for NP in which the communication complexity is polylogarithmic. 1 Kilian's construction assumes the existence of collision-resistant hash functions with subexponential security. Its zero-knowledge version [Kil] and other variants due to Micali [Mic] and Barak and Goldreich [BG], have found further applications in cryptography [CGH, Bar]. Moreover, these argument systems provide the asymptotically most efficient approaches for proving general NP statements, and thus are appealing for applications such as proving the correctness of a delegated computation or the safety of a program.
In this paper, we consider the question of whether PCPs are really necessary for very efficient arguments. One of our motivations is simply to better understand the relation between these two fundamental notions in complexity theory and cryptography. In addition, the use of PCPs in efficient argument systems has the drawback that the protocols and their applications inherit the somewhat complex construction and proof of the PCP Theorem. While there have been some substantial advances on simplifying the PCP Theorem [BS, Din], it remains quite nontrivial and the construction may still be too involved to use in practice.
The question we study here has previously been considered by Ishai, Kushilevitz and Ostrovsky [IKO]. They showed that by using a stronger cryptographic primitive, namely (additively) homomorphic encryption rather than collision-resistant hashing, it is possible to construct somewhat efficient arguments using the simpler, exponential-length "Hadamard PCP" [ALM + ] rather than the polynomial-length PCPs of the full PCP Theorem. Their arguments are only "somewhat efficient" in that they have low (e.g. polylogarithmic) communication from the prover to the verifier, but the verifier-to-prover communication is polynomial (cf. [GVW]).
Our Results. In this paper, we provide results suggesting that PCPs are necessary for constructing efficient arguments. Specifically, we consider a construction of an argument system based on a wide range of cryptographic primitives (e.g. collision-resistant hashing, the RSA assumption, homomorphic encryption), where the computational soundness is based on the security of the primitive via an efficient reduction. That is, there is an algorithm S such that if P * is any prover strategy that convinces the verifier to accept a false statement, then S P * "breaks" the cryptographic primitive. 2 Indeed, we provide a general formulation of a cryptographic primitive and what it means to "break" such a primitive. This formulation is quite general, covering standard primitives such as one-way functions or homomorphic encryption, and specific assumptions such as the hardness of factoring. For such constructions we show how to construct PCPs whose efficiency is related to that of the argument system, the reduction, and a variety of methods for "implementing" the cryptographic primitive (discussed more below).
Informally, our construction works as follows. We view the PCP oracle as specifying a prover strategy P PCP for the argument system (i.e. the next-message function). The PCP verifier: 1. Chooses an "implementation" C of the cryptographic primitive (to be discussed more below) and sends it to P PCP (with every query), 2. Runs the verifier of the argument system with P PCP , 3. Runs the reduction S with P PCP , and 4. Accepts if both the verifier of the argument system accepts (in Step 2) and S does not break the cryptographic primitive (in Step 3).
To establish soundness, we note that if P PCP convinces the verifier of the argument system of a false statement, then S will break the cryptographic primitive; this means that at least one of the acceptance conditions will fail. Thus, soundness of the PCP holds information-theoretically, unconditionally and regardless of the implementation chosen in Step 1 above. For completeness, we need to ensure that the implementation (of the cryptographic primitive) chosen in Step 1 cannot be broken by S P , where P is the honest prover. We provide several methods for achieving this, some based on complexity assumptions and some unconditional. Below we describe a few of these and the resulting PCP parameters. Implementation and Parameters. Arguments and PCPs have many parameters, which we treat with as much generality as possible. But for simplicity in the current discussion, we focus on a few parameters of interest, with typical settings. (In particular, we ignore prover and verifier computation time.) Consider an argument system constructed from a cryptographic primitive C for a language L ∈ NP such that on inputs of length n, the argument system has prover-to-verifier communication complexity polylog(n) and completeness and soundness error 1/3. Moreover, there is a poly(n)-time reduction S such that for every x / ∈ L and every cheating prover P * , if P * convinces the verifier to accept with probability at least 1/3, then S P * (C, x) "breaks" C with constant probability.
Three key parameters for us are the verifier-to-prover communication complexity v = v(n); the number of rounds r = r(n); and the number of queries S makes to its oracle q = q(n). Kilian's construction of arguments from collision-resistant hash functions (CRHFs) of exponential hardness [Kil] achieves v = O(log n + κ), where κ is the seed length for a CRHF, and r, q = O(1) (here we augment Kilian's construction by basing it on a PCP with constant query complexity, e.g. [AS, ALM + ]). The Ishai et al. [IKO] construction from homomorphic encryption has v = poly(n) and r, q = O(1).
Given the above, our resulting PCPs for L will always have constant completeness and soundness errors and alphabet size polylog(n). The query complexity of our PCPs will be r + q, matching the known constructions of arguments from PCPs. The length of our PCPs is 2 |C|+v , where C is the description length of the implementation of the cryptographic primitive generated by the verifier. Note that if |C| = O(v), then this matches known constructions of arguments from PCPs, e.g. exponential-length PCPs correspond to v = poly(n), and polynomial length PCPs correspond to v = O(log n).
In this paper we present several approaches for implementing the cryptographic primitive used by the construction. Recall that our PCP verifier needs to generate an implementation C of the cryptographic primitive that cannot be broken by S P , where P is the honest prover of the argument system. This is done in a variety of different ways, we outline a few below: • The general framework above is formalized in Section 4, where we also present a natural (and efficient) instantiation. Assume that we have a secure implementation of the cryptographic primitive in the usual sense, e.g. that collision-resistant hash functions exist or that homomorphic encryption schemes exist, with whatever security parameter is used by the underlying argument system (typically polylog(n) to achieve polylogarithmic communication) and security against poly(n)-time adversaries. Such a primitive cannot be broken by S P , because this is a poly(n)-time algorithm. Then, since the implementation C is described by a fixed algorithm (which gets a security parameter as input), it can be hardwired into the PCP protocol.
Here we obtain a standard (information-theoretically sound) PCP, where completeness relies on the assumption that the implementation of the primitive is secure. We view the assumption we use here as quite natural, as if there were no secure implementation of the primitive, then the original construction was a significantly less interesting object to begin with.
• In Section 5, we consider more restrictive notions of reductions, where all entities in the argument system are given only black-box access to a cryptographic primitive such as a one-way function, pseudorandom function family, or collision resistant hash family. We show that, in some cases, we can minimize or remove altogether the computational assumptions made in the results presented above (for such fully black-box reductions). To do so, we observe that the implementation of the cryptographic primitive we use need only be secure against S P : a single fixed polynomial-time algorithm. Obtaining an implementation that is secure against a fixed polynomial time bounded algorithm can be considerably easier than obtaining an implementation secure against any polynomial-time algorithm (the usual requirement from cryptographic primitives). For example, we can actually construct such pseudorandom functions C with seed length |C| = O(log n) using [IW], under the worst-case complexity assumption that E = DTIME (2 O(n) ) does not have circuits of size 2 o(n) .
We can also obtain unconditional implementations of collision-resistant hash functions against S P using a family of poly(n)-wise independent hash functions, yielding |C| = poly(n). Alternatively, by picking poly(n) hash functions at random from such a family and hardwiring them into the PCP verifier and prover, we can obtain a nonuniform PCP construction with |C| = O(log n). (This can also be viewed as a uniform construction in the common reference string model.) 3 We emphasize that even though we use complexity assumptions in some of our transformations, the resulting PCPs achieve the standard, statistical definition of soundness -there does not exist any proof oracle that can convince the verifier to accept a false statement, except with small probability. Indeed, the complexity assumptions are only used for the completeness of (some of) our constructions, in order to ensure that the honest proof oracle that describes the prover does not inadvertently allow (the reduction S) to break the primitive. This conditional completeness differs from the soundness of the original argument system, which also held under the same assumption, but was only guaranteed against bounded malicious provers.
Perspective. Like all negative results regarding reductions, our results do not entirely preclude the possibility of obtaining efficient arguments "without PCPs," and may be alternatively interpreted as suggesting avenues for doing so. One possibility is to make non-black-box use of the cheating prover strategy P * in the reduction from breaking the cryptographic primitive to violating soundness (or at least to use the fact that P * is efficient). Another is to make use of reductions S that make many queries q to the cheating prover, even when soundness is violated with constant probability. (If q = poly(n), we get a PCP with poly(n) queries, which is trivial.) Another direction is to use a reduction where a malicious prover that breaks soundness with even say constant probability only breaks the cryptographic primitive used with polynomially small advantage. Such a reduction would also yield only a PCP with polynomial query complexity. Known reductions are not of any of the above types.

Preliminaries and Definitions
Let [n] be the set {1, 2, . . . n}. For x, y ∈ {0, 1} n we use x • y to denote the concatenation of x and y (a string in {0, 1} 2n ). For a (discrete) distribution D over a set X we denote by x ∼ D the experiment of selecting x ∈ X by the distribution D. A function f (n) is negligible if it is smaller than any (inverse) polynomial. We refer the reader to [Gol1,Gol2] for complete definitions of standard cryptographic objects used in this work such as one-way functions, distribution ensembles, collision resistant hash functions and pseudorandom functions. We emphasize that throughout this work whenever we make or refer to hardness assumptions, the assumptions are always against nonuniform adversaries.
We present definitions of the two types of proof system we consider in this work Definition 2.1 (Argument System (P, V) [BCC, GMR]). An argument system for a language L ∈ N T IME(g(n)) consists of two interactive machines. P(x, w) gets an input x and advice w ∈ {0, 1} g(|x|) (usually an NP witness to the input's membership in L). V(x) gets the input x. The requirements are: • Completeness c(n). For every x ∈ L and corresponding witness w for x's membership in L, the interaction of V(x) with P(x, w) (sometimes denoted (P(x, w), V(x))) makes V accept with probability at least c(n).
• Soundness s(n) vs. size f (n). For every x / ∈ L and every cheating P * of (nonuniform) size at most f (n), the probability that (P * (x), V(x)) makes V accept is at most s(n).
There are many complexity measures of an argument system that will interest us, such as the communication complexity (in each direction), the round complexity, the size of the honest prover and verifier, and more.
Definition 2.2 (PCP, Probabilistically Checkable Proof (P, V)). An argument system for a language L ∈ N T IME(g(n)) consists of a non-adaptive (i.e. stateless) machine P and an oracle machine V . P(x, w) gets an input x, advice w ∈ {0, 1} g(|x|) (usually an NP witness to the input's membership in L) and an input oracle query. V(x) gets the input x. The requirements are: • Completeness c(n). For every x ∈ L and corresponding witness w for x's membership in L, the probability that V(x) accepts when it is run with P(x, w) as its oracle (we denote this as V(x) P(x,w) ), is at least c(n).
• Soundness s(n). For every x / ∈ L and every non-adaptive cheating P * oracle, the probability that V(x) P * (x) accepts is at most s(n).
There are many complexity measures of an PCP system that have been extensively studied. In this work we focus on the query complexity (the number of oracle calls V makes), the alphabet size (the size of P's output), the PCP length (the number of possible P input queries), the size of the honest prover and verifier, and more.

Cryptographic Primitives and Reductions
In this section we consider reductions from cryptographic primitives to computationally sound argument systems. We would like to consider a general notion of a cryptographic primitive and of a reduction. The notion we present here already captures a host of cryptographic primitives such as one-way functions, encryption schemes, specific assumptions, and more. See the discussion below regarding how they fit the formalism.
Definition 3.1 (Cryptographic Primitive). A cryptographic primitive (C, T ) is defined by a class C of circuits and a testing procedure T . For a candidate C in C (a circuit in the class), we say that an interactive adversary A (κ, ε)-breaks C if: On the other hand, we say C is (κ, ε)-secure against A if: Pr T 's coins T A (C, 1 κ , 1 1/ε ) accepts ≤ 1/3 where in both cases T is given access to the circuit C. Throughout this work we deal only with C and A for which there is a promise that either A breaks C, or C is secure against A. The input parameter κ is typically used to denote a security parameter that bounds the input and output sizes of circuit C (circuits that don't meet this bound make T (C, 1 κ , ·) accept immediately). 4 Intuitively, the parameter ε is used to specify a "threshold" for the success probability of A in breaking the primitive, see the examples below.
Note that the above notion can be extended to consider classes of circuit distributions (rather than circuits, or circuit distributions with support size 1, as done above). For simplicity and clarity we use the more restricted notion (Definition 3.1 suffices to capture all the cryptographic primitives we consider in this work). We proceed by considering several examples and how they fit into the above definition of a cryptographic primitive: 1. One-Way Functions. Here C is the class of circuits computing a function, say from {0, 1} κ to {0, 1} κ . Given a circuit C and adversary A, the tester T A (C, 1 κ , 1 1/ε ) chooses O(1/ε) random inputs to the function, applies C to each of the inputs, and runs A on each of the outputs. T accepts if the adversary inverts C on at least one of these outputs (i.e. C(A(C(x))) = C(x) for one of the inputs x). If f : {0, 1} * → {0, 1} * is a (length-preserving) one-way function, this means that it is computable in polynomial time (in its input length), and for every PPT A and polynomial p(·), for sufficiently large κ, f κ is (κ, 1/p(κ))-secure against A κ . I.e., it holds that: Pr[T A κ (f κ , 1 κ , 1 p(κ) ) accepts ] ≤ 1/3, where f κ and A κ are the restrictions of f and A to inputs of length κ.

Collision-Resistant Hash
Families. Here C is the class of circuits that evaluate families of shrinking hash functions say from {0, 1} 2κ to {0, 1} κ . I.e., C in C gets as input a seed s and an input x and outputs the function C s (x) = C(s, x). The tester T chooses O(1/ε) random seeds {s 1 , s 2 , . . . s O(1/ε) }, and asks A to find a collision on each of them, it accepts if A succeeds on at least one (i.e. if given for any of the seeds s i , the adversary A(s i ) finds x and x such that C(s i , x) = C(s i , x )).
3. Hardness of Factoring. We can also view specific number-theoretic (or other) assumptions as cryptographic primitives in our framework. To capture, for example, the assumption that factoring is hard, we have a single circuit C κ for every value of the security parameter. This circuit C κ is the canonical circuit that picks two random κ/2-bit primes and outputs their product. The tester T takes O(1/ε) random samples (numbers) {n 1 , n 2 , . . . , n O(1/ε) } from the distribution. It then asks A to factor each of these numbers, and accepts if A succeeds on at least one (A finds a non-trivial factorization of some n i into two prime factors).
4. Homomorphic Encryption Scheme. A homomorphic encryption scheme is a (public or secret key) scheme with a special homomorphic evaluation procedure that can be used on a sequence of ciphertexts to compute an encryption of some function f of the plaintexts (common functions include addition and multiplication). The scheme remains semantically secure against an adversary who is given a circuit computing this homomorphic evaluation procedure. See [Gol2] for more details on semantically secure encryption schemes.
In this example, C is the class of circuits that perform key generation, encryption, decryption and homomorphic evaluation procedures. The tester uses C ∈ C to generate a key and feeds the adversary with this key and with the homomorphic evaluation procedure (for public-key schemes, the adversary is also given the encryption procedure). The tester and adversary then run the semantic security game O(1/ε 2 ) times, and the tester accepts if the adversary has advantage ε in breaking the scheme's semantic security in these experiments.
Discussion. Note that the definition of a cryptographic primitive is decoupled from the question of whether there exists an implementation of the primitive that is (κ, ε)-secure against a collection of adversaries. The related work of Naor [Nao] also considers general notions of cryptographic assumptions and primitives. That work sets forth the notion of falsifiable assumptions: assumptions for which there exists a procedure for testing whether a given adversary breaks the assumption. The primary focus there is classifying cryptographic assumptions according to how efficiently they can be falsified. In that setting, one of the goals is designing specific procedures that not only break the cryptographic assumption (assuming that it can be broken), but that do so in a way that can be verified very efficiently. In our notion of a cryptographic primitive, we consider falsifiable primitives, but we focus on verifying that an arbitrary adversary (provided by a security reduction) breaks the cryptographic primitive. Falsifiable (and even only somewhat falsifiable, cf. [Nao] assumptions) naturally fall into our framework of a cryptographic primitive. Non-falsifiable assumptions, such as the knowledge of exponent assumption [Dam], may not fit into our notion. This is because there is no "testing procedure" that can be used to tell whether an adversary breaks the assumption. Now that we have presented our notion of a cryptographic primitive, we proceed to define a reduction from a cryptographic primitive to a computationally sound argument system. Definition 3.2 (Reduction). A reduction R = (P, V, S, (C, T ), κ(·), ε(·)) from a cryptographic primitive defined by (C, T ) to an argument system for a language L consists of several components. We use x to denote an n bit input whose membership is being proved, and w to denote the prover's auxiliary input (usually the NP witness). 1. A cryptographic primitive (C, T ) as in Definition 3.1.
2. Two functions κ : N → N, ε : N → [0, 1] that determine the parameters of the cryptographic primitive as a function of the input length. The function κ(·) determines the security parameter, and ε(·) determines the advantage of an adversary who breaks the argument's soundness in breaking the cryptographic primitive. 5 3. Two interactive oracle machines: a prover P(C, x, w) and verifier V(C, x) with access to a candidate circuit C in C.

4.
A proof of security: an oracle machine S with black-box access to a cheating prover P * (C, x) that gets as input C in C and x ∈ {0, 1} n .
We require that (P(C, ·, ·), V(C, ·)) is complete for every candidate C ∈ C. For security, we require that if a cheating prover P * (C, x) violates soundness for some x / ∈ L and C, then S P * (·, x) breaks the (supposedly hard) C. If C is indeed hard to break, then the argument system is thus sound. We state these requirements formally below: 1. Completeness c(n). For every C in C, given x ∈ L and a valid witness w, the prover P(C, x, w) convinces V(C, x) with probability at least c(n).
2. Security proof of soundness s(n). For every C in C, every n-bit input x / ∈ L and every cheating prover P * (C, x): if (P * (C), V(C))(x) accepts with probability at least s(n), then S P * (·,x) breaks C, i.e.: For simplicity, one can think of ε(n) = s(n) O(1) throughout this work.
We assume throughout that s(n) ≤ 0.1 and c(n) ≥ 0.9. We use t(n) to denote the circuit size S P (i.e., t(n) is |S| · |P|, here we refer only to the honest P), and q(n) to denote the number of P * -oracle queries made by T S P * . 6 We use v(n) to denote a bound on the number of bits sent from V to P, u(n) to denote a bound on the length (in bits) of each of P's answers, and r(n) to denote the number of rounds of communication of (P, V).
In the reduction notion of Definition 3.2, all the algorithms in the argument system (prover, verifier, tester T ) get access to C's explicit representation. The only "black-box" access in the definition is the security proof's access to the cheating prover. This is quite a general notion of reduction. See Reingold, Trevisan and Vadhan [RTV] for a discussion of different notions of reductions. In this work we also consider more restricted notions. (Fully) black-box reductions are reductions where the algorithms access C as a black box. We will also consider black-box reductions with bounded adaptiveness. See Section 5 for a discussion and definitions of these more restricted types of reductions. See Appendix A for an overview of known argument constructions and a discussion of how they fit into our framework.

From Arguments to PCPs
In this section, we take any reduction R = (P, V, S, (C, T ), κ(·), ε(·)) from a cryptographic primitive specified by (C, T ) to an argument system for a language L, and construct from it a PCP for L.

A Generic Transformation
For all of our results, we need an additional property from the reduction. We require that it is possible to generate candidates C in C for the cryptographic primitive, that cannot be broken by the security proof S P when it runs with the honest prover (except with small probability). We formalize this property below.
Property 4.1. The reduction R (with soundness s(n)) has a (polynomial time deterministic) generation procedure G(1 n ) that outputs a candidate C in C such that for every x ∈ L and every valid witness w for x's membership in L, C is (κ(n), ε(n))-secure against S P(·,x,w) (·, x). 7 In Section 5 we extend this notion to probabilistic generators G. We will restrict our attention to deterministic G throughout this section.
We now specify a "generic" PCP construction for reductions with Property 4.1. We will later show how to instantiate this generic construction for specific cryptographic primitives, by constructing a generator G that meets Property 4.1 (unconditionally or under various assumptions). We view the verifier for the PCP as an oracle machine (with oracle access to the proof or oracle-prover). We run the generator G to generate a candidate C. The generic verifier V P CP and the (honest) prover oracle P P CP depend on this candidate C.
1. Choose random coins for V. Simulate V(C, x) in the interactive argument system using these coins and the candidate C, using the PCP prover P P CP to obtain the messages of the argument system's prover P(C, x, w). Thus, each query to P P CP specifies a transcript of the interactive argument (The verifier's messages are computed using the existing transcript and the random coins chosen.) If V rejects, then reject. Otherwise, continue to Step 2.
2. Repeat the following O(log(1/α)) times, where α = α(n) is a parameter: Run the tester T S P P CP (C, 1 n , 1 1/ε(n) ) with independent random coins to check whether S P P CP breaks C. Here P P CP plays the role of answering S's oracle queries to P * . Again, each query to P P CP specifies a transcript of the interactive argument. If in at least half of these iterations T accepts, then reject. Otherwise accept. For any query specifying a transcript of past messages for the interactive argument, simulate P(C, x, w) on this transcript and output its next message.

Figure 2: (Honest) PCP Proof Oracle P P CP
The intuition is that if for x / ∈ L a cheating PCP prover P * P CP makes the verifier V P CP accept with probability s(n) or greater in Step 1, then the reduction R guarantees that in Step 2, the security proof S P * P CP will break C correctly with advantage ε(n) (and V P CP rejects). This guarantees soundness. On the other hand, when x ∈ L, we know by Property 4.1 that C is (κ(n), ε(n))-secure against the security proof run with the honest prover (and so the verifier should usually accept). This guarantees completeness. We formalize this in the theorem below.
Theorem 4.2. Let R = (P, V, S, (C, T ), κ(·), ε(·)) be a reduction from a cryptographic primitive specified by (C, T ) to an argument system for a language L as in Definition 3.2. Suppose furthermore that R satisfies Property 4.1 and has a generator G for hard candidates.
Let c = c(n) and s = s(n) be the completeness and soundness of the argument system, and take ε = ε(n) and κ = κ(n). Recall that v = v(n) bounds the communication from V to P, the value u = u(n) bounds P's answer lengths, the value r = r(n) bounds the number of rounds, and q = q(n) bounds the number of P * -queries made by T S P * (C, 1 n , 1 1/ε ).
Then (P P CP , V P CP ) is a PCP for L with completeness c − α and soundness max{s, α}. The number of queries is r + O[log(1/α) · q]. The alphabet size is 2 u . The length of the PCP is 2 v . Furthermore, the PCP oracle can be constructed in time polynomial in that of P(C, x, w). The running time of the PCP verifier is polynomial in that of G, of V(C, x) and of T S P * (C, 1 n , 1 1/ε ).
Proof. We begin by analyzing the proposed construction's alphabet size, length and query number: • Query number: The verifier V P CP makes r queries to P P CP in Step 1 (one for each round of communication between V and P). It then runs O(log(1/α)) simulations of S, each of which makes q queries. The total number of queries is thus r • Alphabet size: The answers of P P CP are messages sent by the prover P in the interactive argument, their length is bounded by u and the alphabet size is bounded by 2 u .
• PCP length: Each query made by V P CP includes a transcript for the interactive argument . The length of each such query is thus v, and the length of the PCP is 2 v .
We now turn our attention to completeness and soundness. For soundness, suppose x / ∈ L but P * P CP makes the verifier V P CP accept in Step 1 with probability at least s. We view P * P CP as a cheating prover P * for the interactive argument. By the properties of the reduction R, we know that S P * (·, x) will have advantage ε in breaking C. This means that in Step 2, every time that V P CP simulates T , it accepts with probability at least 2/3. Thus (repeating Θ(log(1/α)) times), the verifier V P CP will reject in Step 2 with all but probability α. If the probability of "accepting" (i.e. not rejecting) in Step 1 is greater than s, then the verifier accepts in Step 2 with probability at most α. Hence, the total probability of accepting is at most max{s, α}.
For completeness, in Step 1 of V P CP 's operation, when it runs the argument system's V, it will accept with probability at least c by the completeness of (P, V). By Property 4.1, the candidate C is (κ, ε)-secure against S P P CP . So in every iteration of Step 2, T will reject with probability at least 2/3. Repeating Ω(log(1/α)) times, the probability that the verifier rejects in Step 2 is at most α. Taking a union bound, the total probability of accepting when x ∈ L and the prover is honest is at least c − α.

Constructions Under Cryptographic Assumptions
As an immediate corollary of Theorem 4.2, we obtain conditional constructions of PCPs from argument systems. If there is indeed a computationally hard candidate for the cryptographic primitive on which the argument's construction is based, then this candidate immediately satisfies Property 4.1. We view this as a natural assumption to make: presumably we consider the construction of an argument to be meaningful because we believe that the cryptographic primitive has a secure implementation. Given such an implementation, we get a PCP (with statistical soundness) "for free". We can use the candidate to construct the PCP. We emphasize that the soundness of the PCP obtained is unconditional and information-theoretic; it is only completeness that is based on the cryptographic assumption. In fact, it suffices that the implementation is secure against (the reduction run with) the fixed polynomial-time bounded honest prover, so we can even make do with a cryptographic primitive that is only secure against this fixed algorithm (we elaborate and build on this in subsequent sections).
Here the notion of reduction from arguments to cryptographic primitives used is the general notion of Definition 3.2, i.e. the reduction is black-box only in the adversary. In particular, we obtain the following (informal) corollary: Corollary 4.3 (Informal). Let R be a reduction from a cryptographic primitive to a computationally sound argument system for language L. If there exists a secure implementation of the cryptographic primitive, then the argument system can be used to construct a PCP as in Theorem 4.2.
In particular, if there exists a family of collision-resistant hash functions, then any reduction from CRHF to a computationally sound argument system can be used to construct a PCP. If there exists an additively homomorphic encryption scheme, then any reduction from additively homomorphic encryption to a computationally sound argument system can be used to construct a PCP.
Perspective from known constructions. We first examine the known reductions using collisionresistant hashing for NP arguments [Kil, Mic, BG]. Taking κ to be the security parameter, the communication from V to P is v(n) = O(log n + κ) (specifying the hash and O(1) PCP queries), the length of prover answers is u(n) = O(log n · κ), and the number of rounds is r(n) = O(1). The number of calls T S P * makes to P * is q(n) = O(1) (for constant soundness and advantage in breaking the primitive). Theorem 4.2 gives (for any instantiation) a PCP with constant completeness and soundness, O(1) queries, alphabet size 2 O(log n·κ) , and proof length poly(n)·2 κ . Thus, if we take a poly-logarithmic security parameter, the PCP length is quasi-polynomial. This does not quite match the Kilian [Kil] construction (which needed a polynomial-length PCP), but as we show in Section 5, we can actually (under complexity assumptions) get implementations of the CRHF that suffice for the construction above and with logarithmic κ. This yields a polynomial-length PCP from any (black-box) construction with the parameters of [Kil].
If we examine the reduction of [IKO], there the communication from the verifier to the prover is κ times the logarithm of the length of the PCP being used, v(n) = poly(n) · κ (in their case the PCP used was exponential, and so v(n) is polynomial). The communication from the prover to the verifier is u(n) = O(κ), and the number of rounds is r(n) = O(1). Again, the number of calls T S P * makes to P * is q(n) = O(1) (for constant soundness and advantage in breaking the encryption). Theorem 4.2 gives (for any instantiation) a PCP with constant completeness and soundness, O(1) queries, alphabet size 2 O(κ) , and proof length 2 poly(n)·κ (as should be expected, because they started with an exponential length PCP).

Weakening or Eliminating Computational Assumptions
In this section we consider more restricted reductions that those of Section 4.2, and obtain PCP constructions with better parameters. The main idea will be to build an implementation for the cryptographic primitive used by the reduction that is only secure against one specific adversary: the adversary which runs the reduction together with the honest argument prover (such an implementation still suffices for arguing completeness via Theorem 4.2). In this section, we will look at (fully) black-box reductions and (even more restricted) black-box reductions with bounded adaptivity. We begin by formally introducing these more restricted notions of reductions.
Definition 5.1 (Black-Box Reduction.). A reduction R = (P, V, S, (C, T ), κ(·), ε(·)) is a (fully) black-box reduction if it is a reduction, as in Definition 3.2, and also P and S only have black-box access to C, i.e. they access C as an oracle. Here t(n) also bounds the number of oracle calls made by S P (as t(n) is the total combined size of this procedure).
Definition 5.2 (Black-Box Reduction with a(n) Adaptivity.). A reduction R = (P, V, S, (C, T ), κ(·), ε(·)) is a black-box reduction with adaptivity a(n) if it is a black-box reduction as in Definition 5.1, and has the following structure: for every candidate C in C, and input-witness pair (x, w), when S P (C,x,w) is run (with the honest prover), each of the oracle calls to C is associated with an adaptivity level i ∈ {0, . . . , a(n)}. Each query made by S P (C,x,w) is in fact of the form (i, y) (where i is the adaptivity level and y is the actual query). 8 For every i ∈ {0, . . . , a(n)}, and all of the oracle queries of the form (k + 1, y) that S P(C,x,w) makes, y is a function only of the answers to oracle queries of the form (i, y ) for i ≤ k. We emphasize that this is only required when S is run with the honest P.
A good example to keep in mind when thinking about bounded-adaptivity reductions is a hash-tree constructed using collision-resistant hashing, say a hash function that shrinks its input by a factor of 2. Here a long string is divided into blocks, each pair of blocks is hashed, the hashes are divided into pairs and each pair is itself hashed, then each pair of hashes of hashes is hashed etc., until a single "hash root" is obtained. The number of hash levels is logarithmic in the number of blocks. This hash-tree construction is a primary component of the argument systems of [Kil, Mic, BG], and both the constructions and the security reductions in these argument systems have logarithmic adaptivity in the sense of Definition 5.2 (see Appendix A for further discussion of these constructions).
Probabilistic Candidate Generator. To get unconditional results and results under weaker (worst-case) assumptions, we need to generalize Property 4.1. We need to extend that property to the case where we do not have a deterministic generator that outputs a single hard implementation, but rather a probabilistic generator outputs a hard implementation (for a specific algorithm) w.h.p.
Property 5.3. The reduction R (with soundness s(n)) has a probabilistic polynomial-time generation procedure G(1 n ) that outputs a candidate C in C such that for every x ∈ {0, 1} n and advice string w ∈ {0, 1} poly(n) given to the prover P: C is (κ(n), ε(n))-secure against S P(·,x,w) (·, x) ≥ 1 − γ where γ = γ(n) is a parameter. We say that G has output length b = b(n) if G(1 n ) always outputs a circuit C "with a description" of size at most b(n). 9 Note that now, when we want to use the generic transformation of Theorem 4.2 for a reduction with a probabilistic generator a la Property 5.3, we need for the PCP proof to depend on the hard candidate C. To do this, we modify (P P CP , V P CP ) so that in Step 1, the PCP verifier will choose a random C ∼ G(1 n ). Since this candidate C is not fixed in advance, it will be included in every PCP query made by the verifier (recall that C's size is bounded by b(n)). This increases the PCP length by a 2 b(n) multiplicative factor. We formalize this as a generalization of Theorem 5.4.
Theorem 5.4. Let R = (P, V, S, (C, T ), κ(·), ε(·)) be a reduction from a cryptographic primitive specified by (C, T ) to an argument system for a language L as in Definition 3.2. Suppose furthermore that R satisfies Property 5.3 and has a probabilistic generator G for hard candidates that has output length bounded by b(n) and with parameter γ(·) such that for all n, γ(n) ≤ 1/4. Let c = c(n) and s = s(n) be the completeness and soundness of the argument system, and take ε = ε(n), κ = κ(n), b = b(n), and γ = γ(n). Recall that v = v(n) bounds the communication from V to P, the value u = u(n) bounds P's answer lengths, the value r = r(n) bounds the number of rounds, and q = q(n) bounds the number of P * -queries made by T S P * (C, 1 n , 1 1/ε ).

Then (P P CP , V P CP ) is a PCP for L with completeness c − α − γ and soundness max{s, α}. The number of queries is r + O[log(1/α) · q].
The alphabet size is 2 u . The length of the PCP is 2 v+b . Furthermore, the PCP oracle can be constructed in time polynomial in that of P(C, x, w) and G(1 n ). The running time of the PCP verifier is polynomial in that of G(1 n ), of V(C, x) and of T S P * (C, 1 n , 1 1/ε ).
Proof. The analysis of the query number and alphabet size are as in the proof of Theorem 4.2. The PCP length is larger: each query made by V P CP includes the candidate C ∼ G(1 n ) generated in Step 1 (b bits), together with a transcript for the interactive argument. The length of each such query is thus v + b, and the length of the PCP is 2 v+b .
For soundness, regardless of the candidate C generated by G, suppose that x / ∈ L but P * P CP makes the verifier V P CP accept in Step 1 with probability at least s. We view P * P CP as a cheating prover P * for the interactive argument. By the properties of the reduction R, we know that S P * (·, x) will have advantage ε in breaking C. This means that in Step 2, every time that V P CP simulates T , it accepts with probability at least 2/3. Thus (repeating Θ(log(1/α)) times), the verifier V P CP will reject in Step 2 with all but probability α. If the probability of "accepting" (i.e. not rejecting) in Step 1 is greater than s, then the verifier accepts in Step 2 with probability at most α. Hence, the total probability of accepting is at most max{s, α}.
For completeness, in Step 1 of V P CP 's operation, when it runs the argument system's V, it will accept with probability at least c by the completeness of (P, V). By Property 5.3, the candidate C is (κ, ε)-secure against S P P CP with all but γ probability. When this is the case, in every iteration of Step 2, T will reject with probability at least 2/3. Repeating O(log(1/α)) times, the probability that the verifier rejects in Step 2 is at most α. Taking a union bound, the total probability of accepting when x ∈ L and the prover is honest is at least c − α − γ.
Bounded-Adversary PRF families and CRHF families. In Section 4.2 we obtained PCPs based on cryptographic assumptions. As noted previously, however, the type of hardness we need is much more relaxed than what is usual in the cryptographic setting: we only need hardness for a specific algorithm S P . In this setting, for algorithms that access C as a black box, we can even obtain unconditional results. For example, to an algorithm that makes only q oracle queries, a qwise independent hash function "looks like" a truly random function. We can use this intuition to transform (black-box) constructions of arguments from collision-resistant hash families (CRHFs) or one-way functions into PCPs unconditionally or under relatively mild complexity assumptions. The price we pay beyond the (conditional) results of Section 4.2, is that the hash function description, and with it the PCP length and verifier running time, may become large.
We define bounded-adversary pseudorandom functions. These are function families that (from black-box access) look random to a bounded adversary. We will then show that bounded-adversary PRF families (i) suffice for building a candidate generator instantiating the generic construction of Theorem 5.4 and constructing PCPs from black-box reductions from one-way functions, pseudorandom function families and collision resistant hash families to arguments (ii) can be constructed unconditionally or under weak worst-case complexity assumptions (with various seed lengths). We will also define bounded-adversary collision-resistant hash families (a weaker primitive), show that they can be used to construct a PCP from any black-box reduction from CRHF families to an argument system, and present efficient constructions.
We proceed in Section 5.1 with definitions and constructions of bounded-adversary cryptographic primitives. In Section 5.2 we show how to use the bounded-adversary primitives to trans-form reductions into PCPs.

Bounded-Adversary PRFs and CRHFs
We begin by defining and constructing bounded-adversary pseudorandom function families (PRFs) and collision-resistant hash families (CRHFs). These are collections of functions that look random or collision resistant (respectively) to bounded adversaries. We do not bound the time needed to compute the function: it may take more time than the adversary's running time. We construct such functions unconditionally and also under mild complexity assumptions (to decrease the function's description size).

Definition 5.5 (Pseudorandom Function). Consider an ensemble
, 1} (n) } n with seed length j(n), input length k(n) and output length (n). We say that F is a (s(·), ε(·))-pseudorandom function (PRF) family if for every (nonuniform) size s(n) adversary (an oracle circuit ensemble) A, for all but finitely many n's: I.e. no size s adversary can distinguish a random function in the family from a truly random function (except with advantage ε).
Sometimes it is easier to construct function families that do not look pseudorandom, but are collision-resistant. In particular, this will be the case for adversaries of bounded adaptivity.
Definition 5.6 (Collision-Resistant Functions). Consider an efficiently constructible ensemble F = {f n : {0, 1} j(n) ×{0, 1} k(n) → {0, 1} (n) } n with seed length j(n), input length k(n) and output length (n), where k(n) > (n). We say that F is a (s(·), a(·), ε(·))-collision resistant function (CRHF) family if no (nonuniform) size s(n) adversary (an oracle circuit ensemble) A with adaptivity a(n) can find a collision on a random function from the ensemble with probability ε or greater. Here the adaptivity is the depth of the adversary's oracle calls. The model is as in Definition 5.2, i.e. the adaptivity level is considered part of the input to the function.
Note here that we do not bound the complexity of computing the pseudorandom and collisionresistant functions, and in particular the function might not be computable by size s or depth a circuits. This is similar to complexity-theoretic pseudorandom generators such as those of Nisan and Wigderson [NW]. We outline several constructions of bounded-adversary pseudorandom and collision resistant functions. The first is an unconditional construction of PRFs that uses a large seed. The second construction replaces the large seed with a nonuniform construction with a short seed. Then we show how to shorten the seed without resorting to nonuniformity by derandomizing the unconditional construction, using the pseudorandom generators of [NW, IW]. The final construction is an unconditional construction of CRHFs for bounded-depth adversaries. The seed length will also be significantly reduced. We begin with the unconditional construction: Proposition 5.7. For any input and output lengths k(n) and (n), there exists an (s(n), 0)pseudorandom function. The seed length is j(n) = s(n) · max(k(n), (n)). The function can be evaluated in (uniform) time poly(s(n), k(n), (n)). {0, 1} k(n) to {0, 1} (n) . A random function in this family looks perfectly random to any algorithm that makes at most s(n) queries. This is because even given the function's value on any up to (adaptively chosen) s(n) − 1 points, its value on any other point is completely random (over the choice of the function from the family). Such an s(n)-wise independent function can be generated using a seed of s(n) · max(k(n), (n)) random bits and in time poly(s(n), k(n), (n)).

Proof. The pseudorandom function family is a collection of s(n)-wise independent functions from
The main disadvantage of this construction is the large seed length (as large as the adversary's size). We can reduce this seed length by using nonuniformity: Proposition 5.8. For any input and output lengths k(n) and (n), there exists a (s(n), 1/s(n))pseudorandom function. The seed length is j(n) = O(log s(n)). The function can be evaluated in nonuniform time poly(s(n), k(n), (n)). (In fact, a random advice string of this length will yield a PRF of these parameters with probability at least 1 − 2 −s(n) . Hence, this can be viewed as a construction in the Common Random String (CRS) Model.) Proof. We construct the PRF by choosing uniformly at random a set B of poly(s(n)) seeds for the PRF of Proposition 5.7. With probability at least 1 − 2 −poly(s(n)) over this choice of B, for any sizes(n) distinguisher, its behavior on a random seed from the set B is 1/s(n)-close to its behavior given a truly random seed. Taking a union bound, with probability at least 1 − 2 −s(n) over the choice of B no size-s(n) distinguisher has a 1/s(n) advantage in distinguishing a random seed from B from a truly random seed. In conclusion, the PRF whose seed is of length log |B| = O(log s(n)) and is used to choose a (larger) seed from B and compute that larger seed's function, is a (s(n), 1/s(n)-PRF.
Another way of reducing the seed length without resorting to nonuniformity is derandomizing. We can use derandomization techniques, e.g. the work of Impagliazzo and Wigderson [IW], to reduce the seed length without hurting pseudorandomness too much. To do this we must make mild (worst-case) complexity assumptions, this approach is taken in Proposition 5.9.
Proof. If for some β > 0, it holds that DTIME (2 O(n) ) ⊆ SIZE (2 β·n ), then by the results of [NW, IW] there is a pseudorandom generator that stretches O(log t(n)) bits to t(n) bits s.t. no distinguisher of size t(n) has advantage greater than 1/t(n) in distinguishing the generator's output on a random seed from a truly random string. We take t(n) = max{2s(n) · max(k(n), (n)), s(n) · q(n)}, where q(n) = poly(s(n), k(n), (n)) is the time to evaluate the PRF of Proposition 5.7.
Consider then the pseudorandom function that gets a seed of length O(log t(n)) for the generator, stretches it to a string of length t(n), and uses the first 2s(n) · max(k(n), (n)) bits of that string as a seed for the "large seed" pseudorandom function of Proposition 5.7. Any algorithm that distinguishes the "large seed PRF" when it is evaluated using this pseudorandom seed from the "large seed PRF" function evaluated using a truly random seed can be used (together with the "large seed PRF" evaluator) to break the pseudorandom generator with the same advantage. A size s(n) "large seed PRF" adversary thus corresponds to a size s(n) · q(n) adversary for the PRG, and this means that no size s(n) PRF adversary has advantage greater than 1/t(n) in distinguishing the "large seed PRF" using a pseudorandom seed from the "large seed PRF" using a truly random seed. In particular, since with a truly random ("large") PRF seed the distinguishing advantage for a size s(n) adversary from a random function is 0, with the pseudorandom seed the distinguishing advantage of a size s(n) adversary between the PRF and a truly random function is at most 1/t(n) < 1/s(n).
Remark 5.10. In Proposition 5.9 we made a relatively strong complexity assumption, i.e. we assumed that DTIME (2 O(n) ) ⊆ SIZE (2 β·n ). In general, we could use more relaxed assumptions to obtain a weaker derandomization and longer seed length. For clarity, we focus only on the "high-end" assumption made above. Note that cryptographic pseudorandom functions or collision-resistant functions are in general a stronger assumption than the assumptions needed for a derandomization via Proposition 5.9. If there exist such functions fooling size poly(n) adversaries, with seed, input and output length κ = κ(n), then DTIME 2 O(κ) ⊆ SIZE (poly(n)). Using [IW] this implies the existence of (poly(n), 1/poly(n))-pseudorandom functions with similar input, output and seed lengths.
Another approach for reducing the seed length is considering bounded depth adversaries and settling for collision-resistance (rather than pseudorandomness), as done below: Proposition 5.11. For any input and output lengths k(n) and (n), there exists an (s(n), a(n), a(n)· s 2 (n)/2 (n) )-collision resistant function. The seed length is j(n) = 2(a(n) + 1) · max(k(n), (n)). The function can be evaluated in (uniform) time poly(a(n), k(n), (n)).
Proof. Take a = a(n), k = k(n), = (n). Recall that for an adversary A with bounded adaptivity, each query made by the adversary has an adaptivity level between 0 and a(n), and this adaptivity level is given to the hash function as part of its input. Here we choose a hash function h that includes a + 1 pairwise-independent hash functions h 0 , . . . , h a : {0, 1} k → {0, 1} −log a . The hash function h on input (i, y) (i.e. adaptivity level i and data y) outputs (i, h i (y)). That is, we use a separate hash function for each level of adaptivity. We now claim that the probability that A finds a collision is at most a · s 2 /2 .
To bound the probability that A finds a collision, first recall that for a pairwise independent hash function h i : {0, 1} k → {0, 1} −log a , the probability of a collision in any set of q non-adaptive (i.e. fixed before the choice of h) queries is less than a · q 2 /2 . For each pair of queries the collision probability is a/2 = 1/2 −log a , there are less than q 2 pairs of queries. For the hash function we chose, collisions occur only within the same adaptivity level, i.e. on two queries of the form (i, y) and (i, y ). When S runs, in each level of adaptivity it is making non-adaptive queries to a new hash function. For any fixing of the hash functions up to level i − 1 and the randomness of S P , the probability of a collision in level i is thus at most a · q 2 i /2 (over the choice of h i ), where q i is the number of queries made in level i. Fixing the number of queries in adaptivity level i to be q i , the total probability of a collision is (taking a union bound over the levels of adaptivity) at most a i=0 a · q 2 i /2 . And we know that a i=0 q i ≤ s, this is at most a · s 2 /2 . The number of queries made in level i, q i , is itself a random variable, and so we get that for any adversary A: Where the last inequality is because it is always the case that a i=0 q i ≤ s. The description size of each h i is less than 2 · max(k, ) (see [CW]), so the description of h is of size at most 2(a(n) + 1) · max(k, ). The function can be evaluated in (uniform) time poly(a(n), k(n), (n)).

Instantiations Using Bounded Adversary Primitives
Bounded-adversary PRF families can be used to transform reductions from one-way functions, PRF families or CRHF families to argument systems into PCPs. This is done by showing that for any such reduction, the bounded-adversary PRF familiy can be used to obtain a generator G satisfying Property 5.3. The fixed and bounded adversary for this PRF is the reduction run with the honest prover: S P(·,x,w) (·, x). Recall that this procedure is of size at most t(n) (and in particular, it makes at most t(n) oracle queries to the PRF family).
For reductions from one-way functions (say functions from {0, 1} κ to {0, 1} κ ), the generator simply outputs a bounded-adversary PRF chosen at random from the family with input and output length κ. Since S P(·,x,w) (·, x) cannot distinguish (from its bounded oracle access) this function from a random one, w.h.p. it cannot invert the function on a random input.
The situation is similar for reductions from CRHF families (say with input length 2κ and output and seed length κ). The generator generates a bounded-adversary PRF chosen at random from the family with input length 2κ and output length κ. This function g(·) is interpreted as a CRHF f (x, y) = g(x) by ignoring the first argument (the seed to a function in the family). Since S P(·,x,w) (·, x) cannot distinguish (from its bounded oracle access) the function g(·) from a random one, w.h.p. it cannot find collisions on the family f (·, ·).
Reductions from PRF families (say with input length 2κ and output and seed length κ) to an argument system are handled in a slightly different manner. Here we cannot just ignore the seed and have a family of size 1 (a random function from any PRF family of size 1 is easily distinguished from a random function). Instead, we use a bounded-adversary PRF family {f s : The generator G outputs a random member f s of the bounded-PRF family by choosing a random seed s. We interpret this as a PRF family by parsing the first input argument t ∈ {0, 1} κ as the index to a function in the PRF, and the second argument as the actual input. Now since S P(·,x,w) (·, x) cannot distinguish f s (·, ·) from a truly random function (from its bounded oracle access), it should not be able to distinguish f s (t, ·) from a truly random function. This gives us a generator for reductions from PRF families.
These three cases are captured in the three claims below. The proofs for one-way functions and CRHF families are similar and appear together.
Claim 5.12. Let R = (P, V, S, (C, T ), κ(·), ε(·)) be a black-box reduction from a one-way function , to a computationally sound argument system, let γ(·) be a parameter, and let t(n) be an upper bound on the running time of S P(x,w) (x). Suppose there exists a (λ · t(n), δ)-PRF as in Definition 5.5 that can be evaluated in time poly(n) and has seed length j(n), input length κ(n) and output length κ(n), where δ = 1/2 · (γ · ε − t(n) 2 /2 κ ) and λ > 0 is a fixed constant. Then R satisfies Property 5.3, with the given γ(n) and where the number of coins used by the generator G is j(n).
Claim 5.13. Let R = (P, V, S, (C, T ), κ(·), ε(·)) be a black-box reduction from a CRHF family , to a computationally sound argument system, let γ(·) be a parameter, and let t(n) be an upper bound on the running time of S P(x,w) (x). Suppose there exists a (λ · t(n), δ)-PRF as in Definition 5.5 that can be evaluated in time poly(n) and has seed length j(n), input length 2κ(n) and output length κ(n), where δ = 1/2 · (γ · ε − t(n) 2 /2 κ ) and λ > 0 is a fixed constant. Then R satisfies Property 5.3, with the given γ(n) and where the number of coins used by the generator G is j(n).
Proof of Claims 5.12 and 5.13. The proof is presented for the case of CRHF families, the case of one-way functions is similar. The generator G outputs the j(n)-bit seed for a bounded-adversary PRF F as above. This PRF is interpreted as a CRHF by ignoring the first input and taking the second argument to be the actual input. We claim that with probability 1-γ over the choice of seed to F this is a (κ, ε)-secure CRHF against S P . Otherwise, if S P can with probability γ (over the choice of the j(n)-bit seed) find collisions on this CRHF with probability ε, then there is a distinguisher that distinguishes the PRF F from a truly random function with advantage γ · ε − t(n) 2 /2 κ > δ, a contradiction.
To see this, we construct a PRF-distinguisher for F (with black-box access to a random PRF or a truly random function). The distinguisher gets oracle access to a function (in F or truly random). It chooses a random index, runs S P on the CRHF formed by fixing the first κ input bits of its oracle function to that index, and outputs 1 if S P finds a collision. The size of this distinguisher is at most λ · t(n). When run on a random PRF in F, the probability that the distinguisher outputs 1 is at least γ · ε. When run on a truly random function, the CRHF we get is a family of random functions, and so the probability that S P finds a collision and the distinguisher outputs 1 is at most t(n) 2 /2 κ .
Claim 5.14. Let R = (P, V, S, (C, T ), κ(·), ε(·)) be a black-box reduction from a one-way function to a computationally sound argument system, let γ(·) be a parameter, and let t(n) be an upper bound on the running time of S P(x,w) (x). Suppose there exists a (λ · t(n) · log(1/γ) · 1/ε 2 , γ/2)-PRF as in Definition 5.5 that can be evaluated in time poly(n) and has seed length j(n), input length 3κ(n) and output length κ(n), where λ > 0 is a fixed constant. Then R satisfies Property 5.3, with the given γ(n) and where the number of coins used by the generator G is j(n).
Proof. The construction and proof for PRF families is similar to the proof of Claim 5.13. The generator G outputs the j(n)-bit seed for a bounded-adversary PRF F as above. This PRF is interpreted as a PRF family by parsing the first input argument as the index to a function in the PRF family, and the second argument as the actual input.
If S P has with probability γ advantage ε in distinguishing the "small PRF" (meaning the PRF built by choosing an index and fixing the first κ bits of the original function in F to that index) from a "small" (i.e., from {0, 1} 2κ to {0, 1} κ ) truly random function, then we build a distinguisher for F with total advantage γ/2. This F-distinguisher gets black-box access to a PRF in F or random function. It then executes O(log(1/γ) · 1/ε 2 ) runs of S P on "small functions" produced by fixing the first input bits of its oracle function to random distinct indices, and also O(log(1/γ) · 1/ε 2 ) executions of S P on truly random "small functions". If the gap between the fraction of executions that output 1 using the input oracle function and truly random functions is at least ε/2, then the distinguisher outputs 1. Now we know that if this distinguisher is given a random function in F, then with probability γ the gap between the probability of 1 in the two executions is at least ε. Thus (by a Chernoff bound) the distinguisher will output 1 with probability at least 3γ/4. If the distinguisher is given a truly random function, then the probability of 1 in both sets of executions is identical, and (by a Chernoff bound) the distinguisher outputs 1 with probability less than γ/4. The size of this new distinguisher is bounded by λ · t(n) · log(1/γ) · 1/ε 2 .
Similarly, for reductions from CRHFs with bounded adaptivity (say with input length 2κ and output length κ) to an argument system, we use a bounded-depth-adversary CRHF family {f s : {0, 1} 2κ → {0, 1} κ } (the "original" family). The generator G outputs a random function from bounded-CRHF family. We interpret this as a family of CRHFs (the "derived" family) by ignoring the first input argument, and taking the second argument as the actual input (similarly to the construction of Claim 5.13). Now since S P(·,x,w) (·, x) cannot find any collision on f s chosen at random from the "original" family (from its bounded oracle access), it should not be able to find f s -collisions in the "derived" family (where the seed is ignored). This gives us a candidate generator for reductions from CRHFs.
Proof. The proof is similar to that of Claim 5.13. The generator G outputs the j(n)-bit seed for a bounded-adversary CRHF f ∈ F as above. This "original" CRHF f is interpreted as a family of "derived" CRHFs by ignoring the first input argument and taking the second argument as the actual input. With probability 1-γ over the choice of seed to F this is a (κ, ε)-secure CRHF against S P . Otherwise, if S P can with probability γ (over the choice of the j(n)-bit seed) find collisions on the randomly chosen "derived" CRHF family (which ignores its seed) with probability ε, then S P can be used to break the "original" family F with probability γ · ε. The F-adversary gets a random function f (·) from F, and runs S P on the "derived" family f (x, y) = g(y), to find a collision. With probability γ · ε, this returns a collision in the "original" family F. The size of this F-adversary is about the same as the size of S P (up to say some constant multiplicative factor). When run on a truly random function, the CRHF we get is a random function, and so the probability that S P finds a collision and the distinguisher outputs 1 is at most t(n) 2 /2 κ .
Instantiating the Generic Transformation. Recall from Sections 4.1, 4.2 the generic transformation of Theorem 5.4 and also the parameters it gives on known reductions. We instantiate this transformation, converting reductions from pseudorandom functions or collision-resistant hash families into PCPs, using the bounded-adversary PRF families and CRHF families of the previous section. Note that in this setting it even makes sense to consider reductions with logarithmic security parameter (logarithmic in the running time of the bounded adversary).
Unconditional PRF. Any reduction from one-way functions, PRF families or CRHF families to arguments yields (unconditionally) a PCP using the bounded-adversary PRF families of Proposition 5.7 together with Claims 5.12, 5.13, 5.14. The completeness, soundness, query complexity and alphabet size are as in the theorem statement of Theorem 5.4. The main "price" of this instantiation is the length of the PCP that is obtained. The number of bits needed to choose a function in the family is O(t · κ), where t is the size of S P (e.g. poly(n) for arguments with efficient provers). The length of the PCP is thus exponential: 2 v+O (t·κ) . While this length is large, constructing even such exponential length PCPs from scratch (e.g. the Hadamard PCP of [ALM + ]) is quite nontrivial. Another disadvantage is that the verifier's running time becomes fairly large (polynomial in t). The PCP length can be improved either using nonuniformity or derandomization, as we now describe.
Nonuniform Unconditional PRF. Continuing the discussion above, if we use the nonuniform bounded-adversary PRF of Proposition 5.8, the number of bits needed to choose a function in the family becomes only O(log t). The length of the PCP shrinks to 2 v · poly(t). The verifier's running time, however, remains polynomial in t, and moreover the prover and verifier are now nonuniform. An alternative approach that avoids the nonuniformity (at the cost of making complexity assumptions) is derandomization.
Derandomized Conditional PRF. The (almost) final approach we suggest for transforming reductions into PCPs is shortening the seed length of PRF families using derandomization under (worst-case) complexity assumptions. If we assume that for some β > 0, it holds that DTIME (2 O(n) ) ⊆ SIZE (2 β·n ), then we can use the PRF of Proposition 5.9. The number of bits needed to choose a function in the family becomes only O(log t + log(1/ε)). 10 As before, the length of the PCP shrinks to 2 v · poly(t, 1/ε). The verifier's running time, while uniform, still remains polynomial in t.
Remark 5.16. If we are willing to make stronger assumptions, we can assume here the existence of one-way permutations f : {0, 1} κ → {0, 1} κ that are hard to invert for circuits of size 2 Ω(κ) . This would give (using the works of [BM,Yao1,GL,GGM]), a (s, 1/s)-PRF families with seeds of length O(log s)that can be computed in (uniform) time poly(log s(n)) and give both short PCP length and efficient verifier running time.
Finally, an alternative to reduce the PCP length and verifier running time is considering bounded-adaptivity black-box reductions.
Bounded-Adaptivity CRHF. If we have a reduction from CRHFs with bounded adaptivity a, we can use the (unconditional) bounded-adversary CRHF of Proposition 5.11 together with Claim 5.15. The number of bits needed to choose a random function in the family is O(a(n) · κ). The length of the PCP shrinks to 2 v · 2 O(a(n)·κ) . The verifier's running time becomes polynomial in that of the PCP verifier and in a(n) and κ.
To get an idea of what these results mean for the known reductions, observe that in known reductions we can choose κ to be logarithmic, and for a CRHF reduction with logarithmically bounded adaptivity (e.g. that of [Kil]

A Known Argument Constructions
In this section we briefly review known constructions of argument systems from cryptographic primitives, and their parameters in terms of our notions of reduction. The approaches taken in the works of Kilian [Kil], Micali [Mic] and Barak and Goldreich [BG] are all based on collisionresistant hash functions (or random oracles) and polynomial-length PCPs (polynomial in the time needed to recognize the language). The work of Ishai, Kushilevitz and Ostrovsky [IKO] is based on homomorphically additive encryption over a large (super-polynomial) field and exponential length PCPs (exponential in the time needed to recognize the language), where each symbol in the PCP is a linear function of its location in the PCP (the locations are viewed as vectors over a large field). We review the constructions from CRH and homomorphic encryption (we do not explain the random-oracle construction of [Mic]).
Overview of Constructions. In all of these constructions, the cryptographic primitive is used by the prover to "commit" to a (long) PCP proof string, the (short) computationally binding commitment can be sent to the verifier. This commitment allows de-committing to individual bits (or symbols) of the PCP very efficiently (in terms of the verifier's work and the communication). To build an argument system, the prover commits to a PCP and sends the commitment to the argument verifier. This verifier runs the PCP verifier who requests some bits of the PCP, the argument verifier requests these bits and their decommitment from the (argument) prover. The argument prover sends the bits and decommitments, the verifier verifies that they are valid, completes the simulation of the PCP verifier and accepts if it accepts. To argue computational soundness, the intuition is that unless the prover can break the commitment scheme, once it sends the commitment it is essentially bound to a single PCP string, and the PCP's soundness (against non-adaptive provers) carries over to the argument setting.
To be more precise, consider the distribution D i of (non-adaptive) queries made by the PCP verifier, chosen uniformly and at random conditioned on the PCP verifier querying location i. The distribution D i (given i) is efficiently sampleable for the PCPs used. Consider the following decommitment experiment using any (potentially cheating) prover: run the commitment scheme on a PCP string of the prover's choice, then choose a random verifier query set and a random query i from that set, take two samples from D i , and run the prover (twice) to decommit to the each of the two index sets. Compare the two answers to query i. The commitment schemes have the property that if in this experiment with probability at least ε the prover de-commits to two different values as the i-th symbol, then this prover can be used to generate an adversary A that breaks the underlying cryptographic primitive (collision resistant hash or homomorphic encryption) with advantage ε Ω(1) (in the sense of Definition 3.1). 11 The number of queries A makes to the cheating prover is constant, i.e. O(1).
Soundness of the argument systems follows from the soundness s P CP of the PCP and ε-security of the primitive. Let q be the PCP's query complexity. If the primitive is ε secure, then by the above, the prover's cheating probability in the decommitment experiment is at most ε. From this we conclude that the argument's soundness is at least s P CP −(ε·q) O(1) : roughly, this because with high probability over the coins of the commitment phase, with high probability over the verifier's query, there is only a single high-probability answer that the prover gives to this query. Changing the prover to always return this high-probability answer makes it non-adaptive without changing the system's behavior much. This means that the adaptive but computationally bounded prover could not have cheated with too high probability to begin with (since an unbounded but non-adaptive prover cannot break the PCP's soundness).
The Parameters. Turning our attention to the parameters of these constructions, in the constructions of [Kil, Mic, BG], collision-resistant hash functions that shrink their input by a multiplicative factor of 2, say from {0, 1} 2κ to {0, 1} κ , are used to build a hash tree of logarithmic depth (logarithmic in the PCP length). The commitment is the root of the hash tree. To decommit to a symbol in the PCP the prover reveals the (logarithmically many) values along the path from the root to the requested symbol. The completeness c and soundness are (more or less) inherited from the PCP, the parameter ε is polynomial in the soundness and query complexity of the original PCP, as is the number of queries q made by T S P * to a cheating prover oracle. The size t of T S P is polynomial in the PCP length and the soundness. The communication complexity is logarithmic in the PCP length, and polynomial in the number of queries and the security parameter κ. The number of rounds of communication is O(1). Note also that the hash tree being used can very naturally be framed in terms of a bounded-adaptivity reduction, where the number of levels of adaptivity is logarithmic in the PCP length.
In summary, if we consider a PCP for an NP language with small constant soundness and completeness, and constant query complexity we get an argument with (slightly worse) constant soundness and completeness. The security proof transforms a cheating prover to break the CRH with small constant advantage (polynomial in the soundness). The number of queries made by T S P * to a cheating prover is constant, and its size when run with the honest prover is polynomial. The number of rounds is constant and the communication complexity is log n · κ. Viewed as a bounded-adaptivity reduction, the adaptivity is logarithmic.
Turning to the reduction of [IKO] from homomorphic encryption and using a linear PCP, the parameters are similar, except that the running times of the honest prover and of T S P depend logarithmically on the PCP length. We also note that the communication from the prover to the verifier is short, and proportional only to κ (not even logarithmic in the PCP length).