Download presentation

Presentation is loading. Please wait.

Published byLiana Eglin Modified over 2 years ago

1
Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation

2
Delegation of Computation

3
A computationally weak verifier (client) wants to delegate computation to a more powerful untrusted (buggy, dishonest,…) prover (cloud, server) The prover needs to convince the verifier that the computation was performed correctly data result

4
Interactive Proof (IP) Protocols IP Setting: A poly-time verifier wants to compute f(x) with the help of a computationally-unbounded prover, where f,x are known to both IP Protocol for f: Strategies for the verifier and prover. After interacting, the verifier outputs a guess for f(x): either 0, 1 or “?” (don’t know). Whp: – Prover follows his strategy Verifier outputs f(x) – Else, the verifier outputs (whp) either f(x) or “?”

5
Delegation Protocols Delegation Protocol for f: An IP protocol for f, where additionally: – The verifier is almost-linear-time (n polylog(n)) – The honest prover is poly-time (Soundness against an unbounded prover) More realistic setting… Theorem [S‘92,LFKN‘92]: IP = PSPACE with poly(n) rounds – Does not yield a delegation protocol, parties do not meet the additional complexity demands

6
Previous Result [GKR‘08] For log-space uniform, poly-size, linear-depth circuits we get a delegation protocol Theorem [GKR‘08]: Let C be a log-space uniform circuit of size s and depth d. Interactive Proof protocol for C with ⁻ Communication rounds: d polylog(s) ⁻ Bits exchanged: d polylog(s) ⁻ Prover’s complexity: poly(s) ⁻ Verfier’s complexity: (d+n)polylog(s) allows a fast access to the structure of C The Class P

7
Delegation to Several Provers

8
Our Motivation: In real life, one can delegate to more than one prover

9
Delegation to Several Provers Our Motivation: In real life, one can delegate to more than one prover Assumption: From now on assume that at least one of the provers is reliable Observation: In this case, the verifier can always learn the correct value: Run a delegation protocol with each prover separately

10
Is More Merrier? Our Work: Can we get protocols with less communication by delegating to several provers instead of just one? Main Challenge: Suppose we ask all the provers for f(x) – If they all agree, it must be the correct value – But, if they don’t, how do we tell who’s reliable? Idea: The provers now compete on the verifier’s trust. The verifier can use the provers one against the other: Use the first prover to validate the claims of the second…

11
Competing Provers (CP) Protocols CP Setting [FST‘88]: A poly-time verifier wants to compute f(x) with the help of 2 computationally- unbounded provers P 0 and P 1, where f,x are known to all CP Protocol for f: Strategies for the verifier and provers. After interacting, the verifier outputs a guess for f(x): either 0 or 1 – One of the provers follows his strategy Verifier outputs f(x) (whp) Observation: Wlog, may assume that at the beginning P 0 claims f(x) = 0, while P 1 claims f(x) = 1. Hence, P 0 and P 1 are Competing Provers

12
CP Delegation Protocols CP Delegation Protocol for f: A CP protocol for f, where additionally: – The verifier is almost-linear-time – The honest provers are poly-time (Soundness against unbounded provers) Theorem [FK‘97]: CP = EXP with poly(n) rounds CP = PSAPCE with 1 round – Does not yield CP delegation protocols, parties do not meet the additional complexity demands

13
Our Result Theorem: Let C be a log-space uniform circuit of size s and depth d. r Competing Provers protocol for C with ⁻ Communication rounds: r ⁻ Bits exchanged: d 1/r polylog(s) ⁻ Provers’ complexity: poly(s) ⁻ Verfier’s complexity: (d 1/r +n)polylog(s) r = 1 Bits exchanged: d polylog(s) (independently proved by [CRR]) r = O(log(d)/loglog(s)) Bits exchanged: polylog(s) in GKR d polylog(s) in GKR (d+n) polylog(s)

14
Our Result Theorem: Let C be a log-space uniform circuit of size s and depth d. r Competing Provers protocol for C with ⁻ Communication rounds: r ⁻ Bits exchanged: d 1/r polylog(s) ⁻ Provers’ complexity: poly(s) ⁻ Verfier’s complexity: (d 1/r +n)polylog(s) We give a delegation protocol for every language in P in GKR d polylog(s) in GKR (d+n) polylog(s)

15
Another Application Communication Complexity & Circuit Lower Bounds [AW‘09]

16
Communication Complexity Setting: – Alice and Bob are computationally-unbounded players – Alice has input x and Bob has input y – The players’ mutual goal is computing f(x,y) with the least amount of communication between them

17
Communication Complexity with CP New Setting: Alice and Bob want to compute f(x,y) with the help of Competing Provers with the least amount of communication between all parties – f is known to all, Alice knows x, Bob knows y, Provers know both x and y – P 0 claims f(x,y) = 0, while P 1 claims f(x,y) = 1 – Each party can communicate with every other party

18
Corollary of Our Result Corollary: Let C(x,y) be a circuit of size s and depth d. r Communication Complexity protocol with Competing Provers for C with ⁻ Communication rounds: r ⁻ Bits exchanged: d 1/r polylog(s) s = poly(n), d = polylog(n) The corollary follows easily from the proof of our theorem, using the approach of [AW‘09] For example, if C NC then a 1-round protocol exchanges polylog(n) bits

19
Circuit Lower-Bounds Our corollary can be viewed as a possible direction towards proving circuit lower-bounds For example, in order to prove f NC, it suffices to show: Any 1-round Communication Complexity protocol with Competing Provers for f requires the exchange of (polylog(n)) bits – Relatively simple combinatorial property that implies strong lower bounds

20
Proof of Main Theorem for r = 1 (sketch of sketch)

21
Main Ingredient I: [GKR‘08] Delegation to a Single Prover

22
... V0V0 V d-1 V1V1 VdVd Fix circuit C of size s and depth d, and an input x Enumerate C’s layers: layer 0 = output, layer d = inputs Let L i be the vector of values of layer i’s gates when C is evaluated on x Representing the Circuit Let V i = LDE(L i ) V 0 (0 m ) = C(x), V d = LDE(x) The verifier knows V d (r) for r unknown to the prover, and wants to compute V 0 (0 m ) input x output C(x) C

23
Let z 0 = 0 m and z d = r The prover sends V 0 (z 0 ) = C(x) For i = 1,…,d – Reduce knowing a value in a layer to knowing a random value in the layer below: The verifier randomly selects z i, and reduces the correctness of the claim “v i-1 = V i-1 (z i-1 )” to the correctness of the claim “v i = V i (z i )” using the prover Finally, the verifier checks V d (z d ) The Protocol of [GKR‘08] V0V0 ViVi V i-1 VdVd input x output C(x) C... vivi v i-1

24
Claim: A point in layer i-1 is a degree-2 polynomial in the values of the gates of layer i V i-1 (z) = w, w’ H m C z,w,w’ L i (w) L i (w’) Proof: – V i-1 = LDE(L i-1 ), thus a point in V i-1 is a linear combination of points in L i-1 (the values of layer i-1’s gates) Connection Between Layers – The value of a gate in layer i-1 is a degree-2 polynomial in the values of its two children in layer i MULT w’ w z L i-1 (z) = L i (w) L i (w’) layer i layer i-1

25
The reduction between the layers is via a standard IP protocol called Sum-Check [LFKN‘92] – Central in PCPs, IP = PSPACE, MIP = NEXP, … – Allows computing x H m g(x) for a low-degree g, when the verifier knows g(r) for random r F m, unknown to the prover (the verifier “tests” the prover on r) Sum-Check can be used to reduce layer i-1 to layer i as: – Recall: A point in layer i-1 is a deg-2 poly in layer i polynomial = sum of monomials – The prover does not know the test point z i until the next iteration Sum-Check Protocol

26
Main Ingredient II: [FK‘97] Sum-Check for Competing Provers

27
Recall: IP = PSPACE with poly(n) rounds [S‘92] – Proof uses the poly(n)-rounds IP Sum-Check protocol of [LFKN‘92] Recall: CP = PSAPCE with 1 round [FK‘97] – Proof constructs a 1-round CP Sum-Check protocol Sum-Check for CP

28
Combining Main Ingredients

29
Our Goal: Reduce d polylog(s) rounds to 1 First Attempt: Implement iteration i of GKR using the 1-round Competing Provers Sum-Check protocol of FK – Problem: Still requires d rounds Second Attempt: Run all d Sum-Checks simultaneously – The verifier sends all z 1,…,z d at once, provers reply to all – Problem: During iteration i, provers mustn’t know the test point z i Combining Main Ingredients

30
Main Idea: Disguise z 1,…,z d i, the verifier gives the provers a low-degree curve i : F F m that passes through z i (instead of z i itself) The parties run d Sum-Checks simultaneously, one for each layer The i th Sum-Check uses i-1 instead of z i-1, and i instead of z i. I.e., it computes V i-1 (z) for all the points z on i-1, using any of the points r on i as a test point The proof relies on the fact that the replies of the honest provers are low-degree polynomials in the z i variables Main Idea ii zizi

31
The verifier checks the replies (low-deg polynomials H) in an alternating order (one of P 0 and one of P 1 ) When reply H is checked, the verifier already knows a point on H using a previous reply G of the other prover – E.g., assume H(t) = ( (t)) and G(t) = ( (t)) ( is a low-deg func, , are intersecting low-deg curves). Knowing G implies knowing a point on H If a prover sends an incorrect reply, it disagrees with the correct reply on the known point whp (both are low-deg) Verifier’s Check Algo

32
Generalization to r rounds and d 1/r polylog(s) bits: – Set k = d 1/r. Run r-1 rounds of a k-ary search to find layers i > j, i-j = k s.t. the provers agree on a point on V i but disagree on a point on V j – Run the 1-round protocol on the subcircuit C’ of depth k obtained from layers j…i of C Our Result Requires More Work…... V0V0 V d-1 V1V1 VdVd input x output C(x) C j i C’ Getting a very efficient verifier (assuming log-space uniformity)

33
Thank You!

Similar presentations

OK

1 Interactive Proofs proof systems interactive proofs and their power Arthur-Merlin games.

1 Interactive Proofs proof systems interactive proofs and their power Arthur-Merlin games.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on art and craft movement wikipedia Ppt on rf remote control robot Ppt on mammals and egg laying animals image Ppt on types of crops grown in india Download ppt on mind controlled robotic arms design Ppt on solar energy generation Convert pdf ppt to ppt online shopping Creative ppt on leadership Ppt on ten figures of speech Ppt on net etiquettes of life