Published by Joana Chalkley. Modified over 3 years ago.

1
Are PCPs Inherent in Efficient Arguments?
Guy Rothblum, MIT ⇒ MSR-SVC ⇒ IAS
Salil Vadhan, Harvard University

2
Probabilistic Proof Systems
P wants to convince V that x L
Completeness: If x L, then P convinces V w.h.p.
Soundness: If x L, no P* can convince V except w/small prob. s
Interactive Proofs: no P* can convince V
PCPs: no memoryless oracle P* can convince V
Arguments: no poly-time P* can convince V

3
Motivation for Arguments
Perfect zero knowledge [BCC86]
Can be much more efficient than interactive proofs
–Communication [Kil92]
–Expressive power [Mic94]
–Verifier runtime [Mic94]
Based on PCPs
Question [IKO07]: Are PCPs necessary?

4
[Diagram with three areas: Cryptography, Zero Knowledge, Complexity. Labels:]
Protocols [B82,...]
Def of ZK, IP [GMR85]
IP=PSPACE [LFKN90,S90]
NP ⊆ ZK [GMW86]
NP-completeness [C71,L73,K72]
Secure Computation [Yao86,GMW87,BGW88,CCD88]
Multiprover ZK [BGKW88]
MIP=NEXP
PCP Theorem [BFL91...ALMSS92]
Polylog-eff ZK Args [K92,M94]
Random Oracle Model [FS86,BR93,CGH98]
Concurrency [F90,DNS98]
Diagonalization [T36]
Non-BB Simulation [B01]
….

5
High-Level Summary
Previous work [Kil92,Mic94,BG02,IKO07]: PCPs ⇒ efficient arguments*
*under various crypto assumptions
Our results: Efficient arguments ⇒ PCPs*
*assuming argument soundness based on a secure crypto primitive via an efficient black-box reduction

6
PCPs ⇒ Arguments (previous work)

7
Kilian's Construction [Kil92] (L in NP)
prover P_arg, verifier V_arg, common input x
1. V_arg: choose collision-resistant hash function f; send f
2. P_arg: π = PCP pf that x ∈ L; commit to π
3. V_arg: Run V_pcp to get queries i_1,…,i_q; send i_1,…,i_q. P_arg: reveal π_{i_1},…,π_{i_q}
4. V_arg: Accept if reveals valid & V_pcp accepts.

8
Short commitments
Collision-resistant hash family: F = {f : {0,1}^{2k} → {0,1}^k} s.t. no poly-time alg can find collision in random f ← F except with negl. probability.
Merkle Tree: [Figure: tree of f nodes over π, with labels Commit(π), π_i and Reveal(π_i)]

9
Kilian: communication
# rounds: O(1)
V → P communication: (# queries) · log(PCP length) + k = Õ(log n)
P → V communication: (# queries) · [log(PCP length) · k + log |PCP alphabet|] = Õ(log² n)
(assuming standard PCP thm + exponentially hard CRHF)
[Diagram: P_arg, V_arg; messages Commit(π); f; i_1,…,i_q; Reveal(π_{i_1},…,π_{i_q})]
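
The commit/reveal steps of the Merkle-tree commitment and the P → V cost formula above, as an added example (not from the original slides). Assumptions: keyed SHA-256 stands in for the hash family F with k = 256, the PCP alphabet is bytes, and all function names are hypothetical.

```python
import hashlib, os
K = 32  # k = 256 bits; keyed SHA-256 stands in for the CRHF family F (assumption)

def make_f(key):
    """Step 1 (verifier): sample f from the family by choosing a random key."""
    return lambda left, right: hashlib.sha256(key + left + right).digest()

def leaf(symbol):
    return bytes([symbol]).rjust(K, b"\0")  # one proof symbol per k-bit leaf

def commit(f, proof):
    """Step 2 (prover): Merkle tree over the proof; levels[-1][0] is the root."""
    n = 1 << max(1, (len(proof) - 1).bit_length())  # pad to a power of two
    levels = [[leaf(s) for s in proof.ljust(n, b"\0")]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([f(prev[j], prev[j + 1]) for j in range(0, len(prev), 2)])
    return levels

def reveal(levels, i):
    """Step 3 (prover): open position i as (symbol, sibling hash per level)."""
    symbol, path = levels[0][i][-1], []
    for level in levels[:-1]:
        path.append(level[i ^ 1])
        i >>= 1
    return symbol, path

def verify(f, root, n, i, symbol, path):
    """Step 4 (verifier): recompute the root from the opened leaf."""
    ok = 0 <= i < n and len(path) == n.bit_length() - 1
    node = leaf(symbol)
    for sibling in path:
        node = f(node, sibling) if i % 2 == 0 else f(sibling, node)
        i >>= 1
    return ok and node == root

def reveal_bits(q, n, k_bits=8 * K, alphabet_bits=8):
    """P -> V cost: (# queries) * [log(PCP length) * k + log |alphabet|]."""
    return q * ((n.bit_length() - 1) * k_bits + alphabet_bits)

def demo():
    f = make_f(os.urandom(16))
    proof = b"constructed stand-in for a PCP proof string"  # constructed sample
    levels = commit(f, proof)
    root, n = levels[-1][0], len(levels[0])
    opened = [(i, *reveal(levels, i)) for i in (0, 7, 20)]  # sample queries
    honest = all(verify(f, root, n, i, s, p) for i, s, p in opened)
    forged = any(verify(f, root, n, i, s ^ 1, p) for i, s, p in opened)
    return honest, forged, reveal_bits(len(opened), n)
```

Each opening costs one k-bit sibling per tree level plus the symbol itself, which is where the log(PCP length) · k term comes from; the range check in `verify` stops an out-of-range index from aliasing a valid leaf.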

10
Kilian: soundness
Claim: argument soundness error ≤ PCP soundness error + ε
Proof sketch: If not, can find collision in f w.p. > ε/q by running P* w/ two random overlapping query sequences i_1,…,i_q, i_1,…,i_q.
N.B. black-box reduction making 3 queries to P*
[Diagram: P*, V_arg; messages Commit(π); f; i_1,…,i_q; Reveal(π_{i_1},…,π_{i_q})]

11
Ishai-Kushilevitz-Ostrovsky '07
Efficient arguments using:
Stronger crypto primitive (homomorphic encryption)
Weaker PCP (exponentially long Hadamard-based PCP [ALMSS92])

12
IKO: communication
# rounds: O(1)
V → P communication: (# queries) · log(PCP length) + k = poly(n)
P → V communication: (# queries) · [log(PCP length) · k + log |PCP alphabet|] = Õ(log n)
(assuming Hadamard PCP + exponentially hard hom-enc)
[Diagram: P_arg, V_arg; messages Hom-Commit(π); f; i_1,…,i_q; Hom-Reveal(π_{i_1},…,π_{i_q})]

13
Arguments ⇒ PCPs (our work)

14
Main Result
Argument system (V_arg, P_arg) w/soundness based on a crypto primitive via a black-box reduction R
PCP with following parameters:
#Queries: #rounds(V_arg, P_arg) + #queries(R)
Length: exp(V_arg P_arg communication)
Alphabet: exp(P_arg V_arg communication)
Soundness unconditional
Completeness assuming the crypto primitive is secure
Matches [Kil92,IKO07]

15
Notion of Black-Box Reduction
poly-time R s.t. if P* is any strategy making V_arg accept x L w.p. > s, then R^{P*}(x) breaks primitive w.p. > ε
poly-time T that tests whether R has broken primitive (related to falsifiability [Nao06])
# queries(R) := # queries to P* in T R^{P*}(x)
[Diagram: R, P*, x, T]

16
Example: Kilian's construction
[Diagram: R, P*, x, T, with labels f; collision a,b; f; Commit(π); f, i_1,…,i_q; Reveal(π_{i_1},…,π_{i_q}); f, i_1,…,i_q; Reveal(π_{i_1},…,π_{i_q}); repeat poly(1/ε) times]

17
Example: construction based on factoring
[Diagram: R, P*, x, T, with labels N; factors p,q]

18
Main Result
Argument system (V_arg, P_arg) w/soundness based on a crypto primitive via a black-box reduction R
PCP with following parameters:
#Queries: #rounds(V_arg, P_arg) + #queries(R&T)
Length: exp(V_arg P_arg communication)
Alphabet: exp(P_arg V_arg communication)
Soundness unconditional
Completeness assuming the crypto primitive is secure
Matches [Kil92,IKO07]

19
Argument PCP: Construction
(Honest) PCP proof-oracle P_pcp: next-msg function of argument prover P_arg
PCP Verifier:
1. Run V_arg with P_pcp. If V_arg rejects, reject.
2. Run reduction R (& test T) with P_pcp. If break primitive, then reject. Otherwise accept.

20
Argument PCP: Soundness
PCP Verifier:
1. Run V_arg with P_pcp. If V_arg rejects, reject.
2. Run reduction R (& test T) with P_pcp. If break primitive, then reject. Otherwise accept.
Soundness (x L): If P* makes V_arg accept whp in Step 1, then R^{P*}(x) breaks primitive.

21
Argument PCP: Completeness
PCP Verifier:
1. Run V_arg with P_pcp. If V_arg rejects, reject.
2. Run reduction R (& test T) with P_pcp. If break primitive, then reject. Otherwise accept.
Completeness (x ∈ L): Reduction R and honest P_pcp = P_arg are poly-time, so can't break secure primitive.

22
Argument PCP: Efficiency
PCP Verifier:
1. Run V_arg with P_pcp. If V_arg rejects, reject.
2. Run reduction R (& test T) with P_pcp. If break primitive, then reject. Otherwise accept.
#Queries: #rounds(V_arg, P_arg) + #queries(R&T)
Length: exp(V_arg P_arg communication)
Alphabet: exp(P_arg V_arg communication)

23
Weakening the Assumptions
Only need crypto primitive secure vs. fixed poly-time adversary (namely R^{P_arg}).
If honest P_arg only makes black-box access to primitive, can sometimes weaken or eliminate assumptions using Nisan-Wigderson-type PRFs or poly(n)-wise independent hash functions.

24
Conclusions & Questions
We explain why existing efficient arguments use PCPs.
Efficient arguments without PCPs? (Using reduction that is either non-black-box or makes many queries to cheating prover)
New PCP constructions inspired by crypto?
Deeper connection between arguments & PCPs?
Do arguments in random oracle model require PCPs?

25
Argument Constructions
Arguments can be much more efficient than interactive proofs (expressive power, communication, V runtime)
Known constructions for NP languages:
poly(k) communication: Poly-length PCPs + CRH [Ki92,Mi94,BaGo02]
P V poly(k) communication: Exp-length PCP + additively homomorphic encryption [IKO07]
