Doubly Efficient Interactive Proofs. Ron Rothblum

Similar documents
Constant-Round Interactive Proofs for Delegating Computation

Probabilistically Checkable Arguments

Interactive PCP. Yael Tauman Kalai Georgia Institute of Technology Ran Raz Weizmann Institute of Science

Proofs of Proximity for Context-Free Languages and Read-Once Branching Programs

Interactive Proofs of Proximity: Delegating Computation in Sublinear Time

An Exponential Separation Between MA and AM Proofs of Proximity

Lecture 15 - Zero Knowledge Proofs

Electronic Colloquium on Computational Complexity, Report No. 31 (2007) Interactive PCP

Verification of quantum computation

CS151 Complexity Theory. Lecture 13 May 15, 2017

Introduction to Interactive Proofs & The Sumcheck Protocol

Non-Interactive RAM and Batch NP Delegation from any PIR

From Secure MPC to Efficient Zero-Knowledge

Lecture 26. Daniel Apon

Rational Proofs against Rational Verifiers

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

Notes on Zero Knowledge

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Verifying Computations in the Cloud (and Elsewhere) Michael Mitzenmacher, Harvard University Work offloaded to Justin Thaler, Harvard University

How many rounds can Random Selection handle?

Lecture 3: Interactive Proofs and Zero-Knowledge

Delegating Computation via No-Signaling Strategies

Towards the Sliding Scale Conjecture (Old & New PCP constructions)

Cryptographic Protocols Notes 2

Theory of Computation Chapter 12: Cryptography

cient Computational Integrity (CI) from PCPs

Memory Delegation. June 15, 2011

Efficient Probabilistically Checkable Debates

A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)

Zero Knowledge and Soundness are Symmetric

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Great Theoretical Ideas in Computer Science

Non-Interactive Delegation for Low-Space Non-Deterministic Computation

Verifiable Computing: Between Theory and Practice. Justin Thaler Georgetown University

Lecture Notes 20: Zero-Knowledge Proofs

Competing Provers Protocols for Circuit Evaluation

Notes on Complexity Theory Last updated: November, Lecture 10

Interactive and Noninteractive Zero Knowledge Coincide in the Help Model

Lecture 5: Derandomization (Part II)

The purpose here is to classify computational problems according to their complexity. For that purpose we need first to agree on a computational

Strong ETH Breaks With Merlin and Arthur. Or: Short Non-Interactive Proofs of Batch Evaluation

Rational Arguments: Single Round Delegation with Sublinear Verification

Time-Optimal Interactive Proofs for Circuit Evaluation

Umans Complexity Theory Lectures

Almost transparent short proofs for NP R

Executable Proofs, Input-Size Hiding Secure Computation and a New Ideal World

Complexity Theory. Jörg Kreiker. Summer term Chair for Theoretical Computer Science Prof. Esparza TU München

Lecture Examples of problems which have randomized algorithms

A State of the Art MIP For Circuit Satisfiability. 1 A 2-Prover MIP for Low-Depth Arithmetic Circuit Satisfiability

CS154, Lecture 18: 1

Abstract. Often the core diculty in designing zero-knowledge protocols arises from having to

Succinct Delegation for Low-Space Non-Deterministic Computation

Lecture 26: Arthur-Merlin Games

Lecture 19: Interactive Proofs and the PCP Theorem

Complete problems for classes in PH, The Polynomial-Time Hierarchy (PH) oracle is like a subroutine, or function in

Rational Proofs with Multiple Provers. Jing Chen, Samuel McCauley, Shikha Singh Department of Computer Science

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function

6.841/18.405J: Advanced Complexity Wednesday, April 2, Lecture Lecture 14

Publicly Verifiable Non-Interactive Arguments for Delegating Computation

How to Go Beyond the Black-Box Simulation Barrier

Circuits. Lecture 11 Uniform Circuit Complexity

Delegating Computation Reliably: Paradigms and Constructions. Guy N. Rothblum

Rational Arguments: Single Round Delegation with Sublinear Verification

Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model

Lattice-Based Non-Interactive Arugment Systems

Introduction to Modern Cryptography Lecture 11

Notes for Lecture 27

Refereed Delegation of Computation

Tolerant Versus Intolerant Testing for Boolean Properties

CSCI 1590 Intro to Computational Complexity

Lecture 17: Interactive Proof Systems

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Pseudo-Deterministic Proofs

Efficient Zero-Knowledge for NP from Secure Two-Party Computation

Interactive protocols & zero-knowledge

An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle

Local Reductions. September Emanuele Viola Northeastern University

On Publicly Verifiable Delegation From Standard Assumptions

Introduction Long transparent proofs The real PCP theorem. Real Number PCPs. Klaus Meer. Brandenburg University of Technology, Cottbus, Germany

Zero-Knowledge Proofs and Protocols

Monotone Batch NP-Delegation with Applications to Access Control

A Note on Negligible Functions

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

Tsuyoshi Ito (McGill U) Hirotada Kobayashi (NII & JST) Keiji Matsumoto (NII & JST)

Delegation of Computation without Rejection Problem from Designated Verifier CS-Proofs

Interactive proof and zero knowledge protocols

Linear Algebra with Sub-linear Zero-Knowledge Arguments

Input-Oblivious Proof Systems and a Uniform Complexity Perspective on P/poly

Lecture 11: Proofs, Games, and Alternation

arxiv: v1 [cs.dc] 28 Dec 2018

Classical Verification of Quantum Computations

Impossibility and Feasibility Results for Zero Knowledge with Public Keys

CS 355: Topics in Cryptography Spring Problem Set 5.

Tolerant Versus Intolerant Testing for Boolean Properties

Interactive Locking, Zero-Knowledge PCPs, and Unconditional Cryptography

The power and weakness of randomness (when you are short on time) Avi Wigderson Institute for Advanced Study

Theorem 11.1 (Lund-Fortnow-Karloff-Nisan). There is a polynomial length interactive proof for the

arxiv: v1 [cs.cc] 30 Apr 2015

Arthur-Merlin Streaming Complexity

Quantum Information and the PCP Theorem

Transcription:

Doubly Efficient Interactive Proofs Ron Rothblum

Outsourcing Computation Weak client outsources computation to the cloud. x y = f(x)

Outsourcing Computation We do not want to blindly trust the cloud. x y = f(x) Key security concern: Correctness: why should we trust the server s answer?

Interactive Proofs to the Rescue? Interactive Proof [GMR85]: prover P tries to interactively convince a polynomial-time verifier V that f x = y. f x = y P convinces V. f x y no P can convince V wp 1/2. Key Problem: in classical results complexity of proving is actually exponential: IP=PSPACE [LFKN90,Shamir90]: Interactive Proofs for poly S space S computations with 2 prover, poly(n, S) verification, poly(s) rounds.

Doubly Efficient Interactive Proof [GKR08] Interactive proof for f x = y where the prover is efficient, and the verifier is super efficient. Proportional to complexity of f Much faster than complexity of f Soundness holds against any (computationally unbounded) cheating prover.

Why Proof and not Arguments*? 1. Security against unbounded adversary. Post-quantum secure, post post quantum secure 2. No reliance on unproven crypto assumptions 3. Do not use any expensive crypto operations Even if not currently practical, no clear bottleneck (e.g., [GKR08]) * Disclaimer: arguments are GREAT! (e.g., [KRR14])

Doubly Efficient Interactive Proofs: The State of the Art 1) [GKR08]: Bounded Depth Any bounded-depth circuit. Logspace uniform NC (Almost) linear time verifier, poly-time prover. Number of rounds proportional to circuit depth. 2) [RRR16]: Bounded Space Any bounded-space computation. (Almost) linear time verifier, poly-time prover. O 1 rounds.

Constant-Round Doubly Efficient Interactive Proofs Theorem [RRR16]: δ > 0 s.t. every language computable in poly(n) time and n δ space has an unconditionally sound interactive proof where: 1. Verifier is (almost) linear time. 2. Prover is polynomial-time. 3. Constant number of rounds.

Tightness Define IP DE as class of languages having doubly efficient interactive proofs. IP DE TISP(poly n, n δ )

Roadmap: A Taste of the Proof Iterative construction: 1. Start with interactive proof for short computations. 2. Build interactive proof for slightly longer computations. 3. Repeat.

Iterative Construction Suppose we have interactive proofs for time T/k and space S computations. Consider a time T and space S computation. S x y T

Divide & Conquer Divide: Prover sends Turing machine configuration in k T intermediate steps. x y t T/k t 2T/k t (k 1)T/k Conquer? recurse on all subcomputations. Problem: verification blows up, no savings.

Divide & Conquer Divide: Prover sends Turing machine configuration in k T intermediate steps. x y t T/k t 2T/k t (k 1)T/k Conquer? Choose a few at random and recurse. Problem: huge soundness error.

Best of Both Worlds? Can we batch verify k instances much more efficiently than k independent executions. Goal: Suppose x L can be verified in time t. Want to verify x 1,, x k L in k t time.

Concrete Example: Batch Verification of RSA moduli Def: integer N is an RSA modulos if it is the product of two m-bit primes N = p q. The proof that N is an RSA modulos is its factorization. Can we verify k RSA moduli more efficiently? P(p 1, q 1, p k, q k ) V(N 1,, N k ) k m communication

Warmup: Batch Verification for UP UP NP are all relations with unique accepting witnesses. m = witness length Theorem [RRR16]: Every L UP, has an interactive proof for verifying that x 1,, x k L with m polylog(k) + O(k) communication. For batch verification of interactive proofs we introduce interactive analogs of UP and PCP.

Constant-Round Doubly Efficient Interactive Proofs Theorem [RRR16]: δ > 0 s.t. every language computable in poly(n) time and n δ space has an unconditionally sound interactive proof where: 1. Verifier is (almost) linear time. 2. Prover is polynomial-time. 3. Constant number of rounds.

Sublinear Time Verification Motivation: statistical analysis of vast amounts of data. Huge Database

Sublinear Time Verification Can we verify without even reading the input? Yes! If we allow for approximation. Following Property Testing [GGR98]: only required to reject inputs that are far from the language.

Sublinear Time Verification Revisiting classical notions of proof-systems: NP Interactive Proof Zero-Knowledge PCP/MIP Gur-R13, Fischer-Goldhirsh-Lachish13, Goldreich-Gur-R15 Rothblum-Vadhan-Wigderson13, Kalai-R15, Goldreich-Gur-R15, Goldreich-Gur16, Reingold-Rothblum-R16, Gur-R17 Berman-R-Vaikuntanathan17 Ergun-Kumar-Rubinfeld04, Dinur-Reingold06, BenSasson-Goldreich-Harsha-Sudan-Vadhan06, Gur-Ramnarayan-R17

Research directions: Open Problems Bridge theory and practice. Sublinear time verification. Concrete questions: IP=PSPACE with efficient prover. Batch verification for all of NP. [GR17]: Simpler and more efficient protocols (even for smaller classes). Improve [RRR16] round complexity: even exponentially.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback