Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT → MSR-SVC → IAS; Salil Vadhan, Harvard University.

Probabilistic Proof Systems
P wants to convince V that x ∈ L.
Completeness: If x ∈ L, then P convinces V w.h.p.
Soundness: If x ∉ L, no P* can convince V except w/ small prob. s.
Interactive Proofs: no P* can convince V.
PCPs: no memoryless oracle P* can convince V.
Arguments: no poly-time P* can convince V.

Motivation for Arguments
Perfect zero knowledge [BCC86].
Can be much more efficient than interactive proofs:
– Communication [Kil92]
– Expressive power [Mic94]
– Verifier runtime [Mic94]
Based on PCPs.
Question [IKO07]: Are PCPs necessary?

Cryptography / Zero Knowledge / Complexity (slide: a timeline connecting the three areas)
Protocols [B82,...]; Def of ZK, IP [GMR85]; IP=PSPACE [LFKN90,S90]; NP ⊆ ZK [GMW86]; NP-completeness [C71,L73,K72]; Secure Computation [Yao86,GMW87,BGW88,CCD88]; Multiprover ZK [BGKW88]; MIP=NEXP, PCP Theorem [BFL91...ALMSS92]; Polylog-eff ZK Args [K92,M94]; Random Oracle Model [FS86,BR93,CGH98]; Concurrency [F90,DNS98]; Diagonalization [T36]; Non-BB Simulation [B01]; ….

High-Level Summary
Previous work [Kil92,Mic94,BG02,IKO07]: PCPs ⇒ efficient arguments* (*under various crypto assumptions).
Our results: Efficient arguments ⇒ PCPs* (*assuming argument soundness is based on a secure crypto primitive via an efficient black-box reduction).

PCPs ⇒ Arguments (previous work)

Kilian's Construction [Kil92] (L in NP)
1. V_arg chooses a collision-resistant hash function f and sends it to P_arg.
2. P_arg computes π = PCP proof that x ∈ L and commits to π, sending Commit(π).
3. V_arg runs V_pcp to get queries i_1, …, i_q and sends them.
P_arg reveals π_{i_1}, …, π_{i_q}.
4. V_arg accepts if the reveals are valid & V_pcp accepts.

Short commitments
Collision-resistant hash family: F = {f : {0,1}^{2k} → {0,1}^k} s.t. no poly-time alg can find a collision in random f ← F except with negl. probability.
Merkle Tree (figure: a binary tree of f-evaluations over the blocks of π): Commit(π) is the root hash; Reveal(π_i) opens the block π_i together with the hashes along its path to the root.

Kilian: communication (assuming standard PCP thm + exponentially hard CRHF)
# rounds: O(1)
V → P communication: (# queries) · log(PCP length) + k = Õ(log n)
P → V communication: (# queries) · [log(PCP length) · k + log |PCP alphabet|] = Õ(log² n)
(diagram: P_arg ↔ V_arg exchanging f, Commit(π), i_1, …, i_q, Reveal(π_{i_1}, …, π_{i_q}))

Kilian: soundness
Claim: argument soundness error ≤ PCP soundness error + ε.
Proof sketch: If not, can find a collision in f w.p. > ε/q by running P* w/ two random overlapping query sequences i_1, …, i_q and i'_1, …, i'_q.
N.B. black-box reduction making 3 queries to P*.
(diagram: P* ↔ V_arg exchanging f, Commit(π), i_1, …, i_q, Reveal(π_{i_1}, …, π_{i_q}))
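The commit/reveal mechanics of Kilian's construction and the collision extractor behind the soundness claim above, as an added Python example that is not code from the paper or its authors. SHA-256 stands in for the collision-resistant family F (so k = 256), the PCP string π is a constructed list of single-byte symbols, and V_pcp is reduced to a predicate on the revealed symbols; the names `merkle_commit`, `merkle_open`, `merkle_verify`, `kilian_argument` and `extract_collision` are chosen here. The extractor is the step of the proof sketch: when a prover answers two overlapping query sequences with valid but inconsistent openings of the same position, the two authentication paths meet at a collision in f.

```python
"""Toy version of Kilian's argument (commit to a PCP with a Merkle tree, reveal
queried positions) plus the collision extractor from its soundness proof.
Added example for this transcript, not code from the paper or its authors."""
import hashlib
import math


def sha256(data: bytes) -> bytes:
    # Stand-in for the collision-resistant hash f: {0,1}^2k -> {0,1}^k, k = 256.
    return hashlib.sha256(data).digest()


def merkle_commit(leaves, h=sha256):
    """Commit(pi): hash every symbol of pi, pad to a power of two, and fold
    pairwise with h. Returns (root, levels); levels[0] is the leaf level."""
    n = 1 << max(1, math.ceil(math.log2(len(leaves))))
    level = [h(leaf) for leaf in leaves] + [h(b"")] * (n - len(leaves))
    levels = [level]
    while len(level) > 1:
        level = [h(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
        levels.append(level)
    return levels[-1][0], levels


def merkle_open(levels, i):
    """Reveal(pi_i): the sibling hash at each level on the path from leaf i."""
    path = []
    for level in levels[:-1]:
        path.append(level[i ^ 1])
        i >>= 1
    return path


def merkle_verify(root, i, leaf, path, h=sha256):
    """Recompute the root from leaf i and its authentication path."""
    node = h(leaf)
    for sib in path:
        node = h(node + sib) if i % 2 == 0 else h(sib + node)
        i >>= 1
    return node == root


def kilian_argument(pcp, queries, v_pcp, h=sha256):
    """One run of Kilian's protocol with an honest prover. Returns the
    verifier's decision and the V->P and P->V communication in bits,
    following the per-query accounting on the 'Kilian: communication' slide."""
    k = len(h(b"")) * 8                      # output length of f
    root, levels = merkle_commit(pcp, h)     # step 2: P sends Commit(pi)
    depth = len(levels) - 1                  # = log(PCP length)
    reveals = [(i, pcp[i], merkle_open(levels, i)) for i in queries]  # step 3
    v_to_p = len(queries) * depth + k        # f (k bits) + q indices of log(len) bits each
    p_to_v = k + sum(len(leaf) * 8 + depth * k for _, leaf, _ in reveals)  # root + openings
    valid = all(merkle_verify(root, i, leaf, path, h) for i, leaf, path in reveals)
    accept = valid and v_pcp({i: leaf for i, leaf, _ in reveals})     # step 4
    return accept, v_to_p, p_to_v


def extract_collision(i, leaf1, path1, leaf2, path2, h=sha256):
    """The reduction R from the soundness proof: two valid openings of the same
    position i to different symbols under one root force a collision in h
    somewhere on the shared path. Returns the colliding pair, or None if the
    openings do not actually reach the same root."""
    if leaf1 == leaf2 or len(path1) != len(path2):
        return None
    node1, node2 = h(leaf1), h(leaf2)
    if node1 == node2:
        return leaf1, leaf2                  # collision already at the leaf
    for sib1, sib2 in zip(path1, path2):
        in1 = node1 + sib1 if i % 2 == 0 else sib1 + node1
        in2 = node2 + sib2 if i % 2 == 0 else sib2 + node2
        node1, node2 = h(in1), h(in2)
        if node1 == node2:                   # inputs differ (node1 != node2 above), outputs agree
            return in1, in2
        i >>= 1
    return None
```

With a real hash the extractor has nothing to return, since an honest prover only ever opens one value per position. To watch it fire, pass a deliberately broken `h` (for instance one that keeps only the first byte of its input): inconsistent openings of one position then both verify, which is exactly the event the reduction turns into a collision.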

Ishai-Kushilevitz-Ostrovsky '07
Efficient arguments using:
– Stronger crypto primitive (homomorphic encryption)
– Weaker PCP (exponentially long Hadamard-based PCP [ALMSS92])

IKO: communication (assuming Hadamard PCP + exponentially hard hom-enc)
# rounds: O(1)
V → P communication: (# queries) · log(PCP length) + k = poly(n)
P → V communication: (# queries) · [log(PCP length) · k + log |PCP alphabet|] = Õ(log n)
(diagram: P_arg ↔ V_arg exchanging f, Hom-Commit(π), i_1, …, i_q, Hom-Reveal(π_{i_1}, …, π_{i_q}))

Arguments ⇒ PCPs (our work)

Main Result
Argument system (V_arg, P_arg) w/ soundness based on a crypto primitive via a black-box reduction R ⇒ PCP with the following parameters:
#Queries: #rounds(V_arg, P_arg) + #queries(R)
Length: exp(V_arg → P_arg communication)
Alphabet: exp(P_arg → V_arg communication)
Soundness: unconditional
Completeness: assuming the crypto primitive is secure
Matches [Kil92,IKO07].

Notion of Black-Box Reduction
poly-time R s.t. if P* is any strategy making V_arg accept x ∉ L w.p. > s, then R^{P*}(x) breaks the primitive w.p. > ε.
poly-time T that tests whether R has broken the primitive (related to falsifiability [Nao06]).
#queries(R) := # queries to P* made while running T on R^{P*}(x).
(diagram: R, with oracle access to P*, is run on input x; its output is checked by T)

Example: Kilian's construction
(diagram) R^{P*}(x): send f, receive Commit(π); send f, i_1, …, i_q, receive Reveal(π_{i_1}, …, π_{i_q}); send f, i'_1, …, i'_q, receive Reveal(π_{i'_1}, …, π_{i'_q}); repeat poly(1/ε) times. R outputs f and a collision a, b, which T checks.

Example: construction based on factoring
(diagram) R^{P*}(x) outputs factors p, q; T checks them against N.

Main Result
Argument system (V_arg, P_arg) w/ soundness based on a crypto primitive via a black-box reduction R ⇒ PCP with the following parameters:
#Queries: #rounds(V_arg, P_arg) + #queries(R&T)
Length: exp(V_arg → P_arg communication)
Alphabet: exp(P_arg → V_arg communication)
Soundness: unconditional
Completeness: assuming the crypto primitive is secure
Matches [Kil92,IKO07].

Argument ⇒ PCP: Construction
(Honest) PCP proof-oracle P_pcp: next-msg function of the argument prover P_arg.
PCP Verifier:
1. Run V_arg with P_pcp. If V_arg rejects, reject.
2. Run reduction R (& test T) with P_pcp. If they break the primitive, reject. Otherwise accept.

Argument ⇒ PCP: Soundness
PCP Verifier:
1. Run V_arg with P_pcp. If V_arg rejects, reject.
2. Run reduction R (& test T) with P_pcp. If they break the primitive, reject. Otherwise accept.
Soundness (x ∉ L): If P* makes V_arg accept w.h.p. in Step 1, then R^{P*}(x) breaks the primitive.

Argument ⇒ PCP: Completeness
PCP Verifier:
1. Run V_arg with P_pcp. If V_arg rejects, reject.
2. Run reduction R (& test T) with P_pcp. If they break the primitive, reject. Otherwise accept.
Completeness (x ∈ L): Reduction R and the honest P_pcp = P_arg are poly-time, so they can't break a secure primitive.

Argument ⇒ PCP: Efficiency
PCP Verifier:
1. Run V_arg with P_pcp. If V_arg rejects, reject.
2. Run reduction R (& test T) with P_pcp. If they break the primitive, reject. Otherwise accept.
#Queries: #rounds(V_arg, P_arg) + #queries(R&T)
Length: exp(V_arg → P_arg communication)
Alphabet: exp(P_arg → V_arg communication)

Weakening the Assumptions
Only need the crypto primitive secure vs. a fixed poly-time adversary (namely R^{P_arg}).
If the honest P_arg only makes black-box access to the primitive, can sometimes weaken or eliminate assumptions using Nisan-Wigderson-type PRFs or poly(n)-wise independent hash functions.

Conclusions & Questions
– We explain why existing efficient arguments use PCPs.
– Efficient arguments without PCPs? (Using a reduction that is either non-black-box or makes many queries to the cheating prover.)
– New PCP constructions inspired by crypto?
– Deeper connection between arguments & PCPs?
– Do arguments in the random oracle model require PCPs?

Argument Constructions
Arguments can be much more efficient than interactive proofs (expressive power, communication, V runtime).
Known constructions for NP languages (diagram: P ↔ V):
– Poly-length PCPs + CRH [Ki92,Mi94,BaGo02]: poly(k) communication
– Exp-length PCP + additively homomorphic encryption [IKO07]: poly(k) communication