Download presentation

Presentation is loading. Please wait.

Published byJoana Chalkley Modified over 3 years ago

1
Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University

2
Probabilistic Proof Systems P wants to convince V that x L Completeness If x L, then P convinces V w.h.p. Soundness If x L, no P* can convince V except w/small prob. s Interactive Proofs: no P* can convince V PCPs: no memoryless oracle P* can convince V Arguments: no poly-time P* can convince V

3
Motivation for Arguments Perfect zero knowledge [BCC86] Can be much more efficient than interactive proofs –Communication [Kil92] –Expressive power [Mic94] –Verifier runtime [Mic94] Based on PCPs Question [IKO07]: Are PCPs necessary?

4
Cryptography Zero Knowledge Complexity Protocols [B82,...] Def of ZK, IP [GMR85] IP=PSPACE [LFKN90,S90] NP µ ZK [GMW86 ] NP-completeness [C71,L73,K72] Secure Computation [Yao86,GMW87, BGW88,CCD88] Multiprover ZK [BGKW88] MIP=NEXP PCP Theorem [BFL91...ALMSS92] Polylog-eff ZK Args [K92,M94] Random Oracle Model [FS86,BR93,CGH98] Concurrency [F90,DNS98] Diagonalization [T36] Non-BB Simulation [B01] ….

5
High-Level Summary Previous work [Kil92,Mic94,BG02,IKO07]: PCPs ) efficient arguments* *under various crypto assumptions Our results: Efficient arguments ) PCPs* *assuming argument soundness based on a secure crypto primitive via an efficient black-box reduction

6
PCPs ) Arguments (previous work)

7
Kilians Construction [Kil92] prover P arg verifier V arg x 2. ¼ = PCP pf that x 2 L commit to ¼ f 1. choose collision-resistant hash function f i 1,…,i q 3. Run V pcp to get queries i 1,…,i q reveal ¼ i 1,…, ¼ i q 4. Accept if reveals valid & V pcp accepts. (L in NP)

8
Short commitments Collision-resistant hash family: F = {f : {0,1} 2k ! {0,1} k } s.t. no poly-time alg can find collision in random f Ã F except with negl. probability. Merkle Tree: ¼ Commit( ¼ ) ffff ff f ¼i¼i Reveal ( ¼ i )

9
Kilian: communication # rounds: O(1) V ! P communication: (# queries) ¢ log(PCP length) + k = O ~ (log n) P ! V communication: (# queries) ¢ [log(PCP length) ¢ k + log |PCP alphabet|] = O ~ (log 2 n) P arg V arg Commit( ¼ ) f i 1,…,i q Reveal( ¼ i 1,…, ¼ i q ) (assuming standard PCP thm + exponentially hard CRHF)

10
Kilian: soundness Claim: argument soundness error · PCP soundness error + ² Proof sketch: If not, can find collision in f w.p. > ² /q by running P * w/ two random overlapping query sequences i 1,…,i q, i 1,…,i q. N.B. black-box reduction making 3 queries to P * P*P* V arg Commit( ¼ ) f i 1,…,i q Reveal( ¼ i 1,…, ¼ i q )

11
Ishai-Kushilevitz-Ostrovsky `07 Efficient arguments using: Stronger crypto primitive (homomorphic encryption) Weaker PCP (exponentially long Hadamard- based PCP [ALMSS92])

12
IKO: communication # rounds: O(1) V ! P communication: (# queries) ¢ log(PCP length) + k = poly(n) P ! V communication: (# queries) ¢ [log(PCP length) ¢ k + log |PCP alphabet|] = O ~ (log n) P arg V arg Hom-Commit( ¼ ) f i 1,…,i q Hom-Reveal( ¼ i 1,…, ¼ i q ) (assuming Hadamard PCP + exponentially hard hom-enc)

13
Arguments ) PCPs (our work)

14
Main Result Argument system (V arg,P arg ) w/soundness based on a crypto primitive via a black-box reduction R PCP with following parameters: #Queries: #rounds (V arg,P arg ) + #queries(R) Length: exp(V arg P arg communication) Alphabet: exp(P arg V arg communication) Soundness unconditional Completeness assuming the crypto primitive is secure Matches [Kil92,IKO07]

15
Notion of Black-Box Reduction poly-time R s.t. if P * is any strategy making V arg accept x L w.p. > s, then R P * (x) breaks primitive w.p. > ² poly-time T that tests whether R has broken primitive (related to falsifiability [Nao06]) RP*P* x T # queries(R) := # queries to P * in T R P*(x)

16
Example: Kilians construction R P*P* x T f collision a,b f Commit( ¼ ) f, i 1,…,i q Reveal( ¼ i 1,…, ¼ i q ) f, i 1,…,i q Reveal( ¼ i 1,…, ¼ i q ) repeat poly(1/ ² ) times

17
Example: construction based on factoring R P*P* x T N factors p,q

18
Main Result Argument system (V arg,P arg ) w/soundness based on a crypto primitive via a black-box reduction R PCP with following parameters: #Queries: #rounds (V arg,P arg ) + #queries(R&T) Length: exp(V arg P arg communication) Alphabet: exp(P arg V arg communication) Soundness unconditional Completeness assuming the crypto primitive is secure Matches [Kil92,IKO07]

19
Argument PCP: Construction (Honest) PCP proof-oracle P pcp : next-msg function of argument prover P arg PCP Verifier: 1.Run V arg with P pcp. If V arg rejects, reject. 2.Run reduction R (& test T) with P pcp. If break primitive, then reject. Otherwise accept.

20
Argument PCP: Soundness PCP Verifier: 1.Run V arg with P pcp. If V arg rejects, reject. 2.Run reduction R (& test T) with P pcp. If break primitive, then reject. Otherwise accept. Soundness (x L): If P* makes V arg accept whp in Step 1, then R P*( x) breaks primitive.

21
Argument PCP: Completeness PCP Verifier: 1.Run V arg with P pcp. If V arg rejects, reject. 2.Run reduction R (& test T) with P pcp. If break primitive, then reject. Otherwise accept. Completeness (x 2 L): Reduction R and honest P pcp =P arg are poly-time, so cant break secure primitive.

22
Argument PCP: Efficiency PCP Verifier: 1.Run V arg with P pcp. If V arg rejects, reject. 2.Run reduction R (& test T) with P pcp. If break primitive, then reject. Otherwise accept. #Queries: #rounds (V arg,P arg ) + #queries(R&T) Length: exp(V arg P arg communication) Alphabet: exp(P arg V arg communication)

23
Weakening the Assumptions Only need crypto primitive secure vs. fixed poly-time adversary (namely R Parg ). If honest P arg only makes black-box access to primitive, can sometimes weaken or eliminate assumptions using Nisan-Wigderson-type PRFs or poly(n)-wise independent hash functions.

24
Conclusions & Questions We explain why existing efficient arguments use PCPs. Efficient arguments without PCPs? (Using reduction that is either non-black-box or makes many queries to cheating prover) New PCP constructions inspired by crypto? Deeper connection between arguments & PCPs? Do arguments in random oracle model require PCPs?

25
Argument Constructions Arguments can be much more efficient than interactive proofs (expressive power, communication, V runtime) Known constructions for NP languages: poly(k) communication Poly-length PCPs + CRH [Ki92,Mi94,BaGo02] P V poly(k) communication Exp-length PCP + additively homomorphic encryption [IKO07]

Similar presentations

OK

The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.

The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google