# Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.

## Presentation on theme: "Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation."— Presentation transcript:

Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation

Delegation of Computation

A computationally weak verifier (client) wants to delegate computation to a more powerful untrusted (buggy, dishonest,…) prover (cloud, server) The prover needs to convince the verifier that the computation was performed correctly data result

Interactive Proof (IP) Protocols IP Setting: A poly-time verifier wants to compute f(x) with the help of a computationally-unbounded prover, where f,x are known to both IP Protocol for f: Strategies for the verifier and prover. After interacting, the verifier outputs a guess for f(x): either 0, 1 or “?” (don’t know). Whp: – Prover follows his strategy  Verifier outputs f(x) – Else, the verifier outputs (whp) either f(x) or “?”

Delegation Protocols Delegation Protocol for f: An IP protocol for f, where additionally: – The verifier is almost-linear-time (n  polylog(n)) – The honest prover is poly-time (Soundness against an unbounded prover) More realistic setting… Theorem [S‘92,LFKN‘92]: IP = PSPACE with poly(n) rounds – Does not yield a delegation protocol, parties do not meet the additional complexity demands

Previous Result [GKR‘08] For log-space uniform, poly-size, linear-depth circuits we get a delegation protocol Theorem [GKR‘08]: Let C be a log-space uniform circuit of size s and depth d.  Interactive Proof protocol for C with ⁻ Communication rounds: d  polylog(s) ⁻ Bits exchanged: d  polylog(s) ⁻ Prover’s complexity: poly(s) ⁻ Verfier’s complexity: (d+n)polylog(s) allows a fast access to the structure of C The Class P

Delegation to Several Provers

Our Motivation: In real life, one can delegate to more than one prover

Delegation to Several Provers Our Motivation: In real life, one can delegate to more than one prover Assumption: From now on assume that at least one of the provers is reliable Observation: In this case, the verifier can always learn the correct value: Run a delegation protocol with each prover separately

Is More Merrier? Our Work: Can we get protocols with less communication by delegating to several provers instead of just one? Main Challenge: Suppose we ask all the provers for f(x) – If they all agree, it must be the correct value – But, if they don’t, how do we tell who’s reliable? Idea: The provers now compete on the verifier’s trust. The verifier can use the provers one against the other: Use the first prover to validate the claims of the second…

Competing Provers (CP) Protocols CP Setting [FST‘88]: A poly-time verifier wants to compute f(x) with the help of 2 computationally- unbounded provers P 0 and P 1, where f,x are known to all CP Protocol for f: Strategies for the verifier and provers. After interacting, the verifier outputs a guess for f(x): either 0 or 1 – One of the provers follows his strategy  Verifier outputs f(x) (whp) Observation: Wlog, may assume that at the beginning P 0 claims f(x) = 0, while P 1 claims f(x) = 1. Hence, P 0 and P 1 are Competing Provers

CP Delegation Protocols CP Delegation Protocol for f: A CP protocol for f, where additionally: – The verifier is almost-linear-time – The honest provers are poly-time (Soundness against unbounded provers) Theorem [FK‘97]: CP = EXP with poly(n) rounds CP = PSAPCE with 1 round – Does not yield CP delegation protocols, parties do not meet the additional complexity demands

Our Result Theorem: Let C be a log-space uniform circuit of size s and depth d.  r  Competing Provers protocol for C with ⁻ Communication rounds: r ⁻ Bits exchanged: d 1/r polylog(s) ⁻ Provers’ complexity: poly(s) ⁻ Verfier’s complexity: (d 1/r +n)polylog(s) r = 1  Bits exchanged: d  polylog(s) (independently proved by [CRR]) r = O(log(d)/loglog(s))  Bits exchanged: polylog(s) in GKR d  polylog(s) in GKR (d+n)  polylog(s)

Our Result Theorem: Let C be a log-space uniform circuit of size s and depth d.  r  Competing Provers protocol for C with ⁻ Communication rounds: r ⁻ Bits exchanged: d 1/r polylog(s) ⁻ Provers’ complexity: poly(s) ⁻ Verfier’s complexity: (d 1/r +n)polylog(s) We give a delegation protocol for every language in P in GKR d  polylog(s) in GKR (d+n)  polylog(s)

Another Application Communication Complexity & Circuit Lower Bounds [AW‘09]

Communication Complexity Setting: – Alice and Bob are computationally-unbounded players – Alice has input x and Bob has input y – The players’ mutual goal is computing f(x,y) with the least amount of communication between them

Communication Complexity with CP New Setting: Alice and Bob want to compute f(x,y) with the help of Competing Provers with the least amount of communication between all parties – f is known to all, Alice knows x, Bob knows y, Provers know both x and y – P 0 claims f(x,y) = 0, while P 1 claims f(x,y) = 1 – Each party can communicate with every other party

Corollary of Our Result Corollary: Let C(x,y) be a circuit of size s and depth d.  r  Communication Complexity protocol with Competing Provers for C with ⁻ Communication rounds: r ⁻ Bits exchanged: d 1/r polylog(s) s = poly(n), d = polylog(n) The corollary follows easily from the proof of our theorem, using the approach of [AW‘09] For example, if C  NC then a 1-round protocol exchanges polylog(n) bits

Circuit Lower-Bounds Our corollary can be viewed as a possible direction towards proving circuit lower-bounds For example, in order to prove f  NC, it suffices to show: Any 1-round Communication Complexity protocol with Competing Provers for f requires the exchange of  (polylog(n)) bits – Relatively simple combinatorial property that implies strong lower bounds

Proof of Main Theorem for r = 1 (sketch of sketch)

Main Ingredient I: [GKR‘08] Delegation to a Single Prover

... V0V0 V d-1 V1V1 VdVd Fix circuit C of size s and depth d, and an input x Enumerate C’s layers: layer 0 = output, layer d = inputs Let L i be the vector of values of layer i’s gates when C is evaluated on x Representing the Circuit Let V i = LDE(L i ) V 0 (0 m ) = C(x), V d = LDE(x) The verifier knows V d (r) for r unknown to the prover, and wants to compute V 0 (0 m ) input x output C(x) C

Let z 0 = 0 m and z d = r The prover sends V 0 (z 0 ) = C(x) For i = 1,…,d – Reduce knowing a value in a layer to knowing a random value in the layer below: The verifier randomly selects z i, and reduces the correctness of the claim “v i-1 = V i-1 (z i-1 )” to the correctness of the claim “v i = V i (z i )” using the prover Finally, the verifier checks V d (z d ) The Protocol of [GKR‘08] V0V0 ViVi V i-1 VdVd input x output C(x) C... vivi v i-1

Claim: A point in layer i-1 is a degree-2 polynomial in the values of the gates of layer i V i-1 (z) =  w, w’  H m C z,w,w’ L i (w) L i (w’) Proof: – V i-1 = LDE(L i-1 ), thus a point in V i-1 is a linear combination of points in L i-1 (the values of layer i-1’s gates) Connection Between Layers – The value of a gate in layer i-1 is a degree-2 polynomial in the values of its two children in layer i MULT w’ w z L i-1 (z) = L i (w)  L i (w’) layer i layer i-1

The reduction between the layers is via a standard IP protocol called Sum-Check [LFKN‘92] – Central in PCPs, IP = PSPACE, MIP = NEXP, … – Allows computing  x  H m g(x) for a low-degree g, when the verifier knows g(r) for random r  F m, unknown to the prover (the verifier “tests” the prover on r) Sum-Check can be used to reduce layer i-1 to layer i as: – Recall: A point in layer i-1 is a deg-2 poly in layer i polynomial = sum of monomials – The prover does not know the test point z i until the next iteration Sum-Check Protocol

Main Ingredient II: [FK‘97] Sum-Check for Competing Provers

Recall: IP = PSPACE with poly(n) rounds [S‘92] – Proof uses the poly(n)-rounds IP Sum-Check protocol of [LFKN‘92] Recall: CP = PSAPCE with 1 round [FK‘97] – Proof constructs a 1-round CP Sum-Check protocol Sum-Check for CP

Combining Main Ingredients

Our Goal: Reduce d  polylog(s) rounds to 1 First Attempt: Implement iteration i of GKR using the 1-round Competing Provers Sum-Check protocol of FK – Problem: Still requires d rounds Second Attempt: Run all d Sum-Checks simultaneously – The verifier sends all z 1,…,z d at once, provers reply to all – Problem: During iteration i, provers mustn’t know the test point z i Combining Main Ingredients

Main Idea: Disguise z 1,…,z d  i, the verifier gives the provers a low-degree curve  i : F  F m that passes through z i (instead of z i itself) The parties run d Sum-Checks simultaneously, one for each layer The i th Sum-Check uses  i-1 instead of z i-1, and  i instead of z i. I.e., it computes V i-1 (z) for all the points z on  i-1, using any of the points r on  i as a test point The proof relies on the fact that the replies of the honest provers are low-degree polynomials in the z i variables Main Idea ii zizi

The verifier checks the replies (low-deg polynomials H) in an alternating order (one of P 0 and one of P 1 ) When reply H is checked, the verifier already knows a point on H using a previous reply G of the other prover – E.g., assume H(t) =  (  (t)) and G(t) =  (  (t)) (  is a low-deg func, ,  are intersecting low-deg curves). Knowing G implies knowing a point on H If a prover sends an incorrect reply, it disagrees with the correct reply on the known point whp (both are low-deg) Verifier’s Check Algo

Generalization to r rounds and d 1/r polylog(s) bits: – Set k = d 1/r. Run r-1 rounds of a k-ary search to find layers i > j, i-j = k s.t. the provers agree on a point on V i but disagree on a point on V j – Run the 1-round protocol on the subcircuit C’ of depth k obtained from layers j…i of C Our Result Requires More Work…... V0V0 V d-1 V1V1 VdVd input x output C(x) C j i C’ Getting a very efficient verifier (assuming log-space uniformity)

Thank You!

Download ppt "Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation."

Similar presentations