How to Delegate Computations: The Power of No-Signaling Proofs
Ron Rothblum, Weizmann Institute
Joint work with Yael Kalai and Ran Raz.


Delegation
Motivation: allow a computationally weak device to outsource computation to the cloud.
The device does not trust the cloud, so it wants to verify the result super-efficiently (say, in linear time).
Focus of this talk: 1-round arguments.

Comparison with Succinct Arguments
A succinct non-interactive argument system (SNARG) is the same model, but the focus is on small communication rather than verifier run-time. SNARGs for P are trivial.

Prior Work

Main Result 1

quasi-polynomially

Main Result 1 (General)

The Approach of [ABOR00]
[Aiello-Bhatt-Ostrovsky-Rajagopalan 00] suggested constructing a delegation scheme by combining a Multi-Prover Interactive Proof system with FHE. Actually PIR suffices, but the scheme is easier to describe with FHE.

Multi Prover Interactive Proofs (MIP) [BenOr-Goldwasser-Kilian-Wigderson88] [Babai-Fortnow-Lund91]

Fully Homomorphic Encryption Eval

The [ABOR00] Protocol
Encrypt the queries and answer homomorphically.
Simulate using a single prover.

The [ABOR00] Protocol
Intuition: since the queries are encrypted under different keys, the prover cannot use one query to answer a different query.
[Dwork-Langberg-Naor-Nissim-Reingold 01]: this intuition is false*!
[Kalai-Raz09]: the intuition is correct for single-prover interactive proofs.
We show: the protocol works if the MIP satisfies a stronger soundness condition called no-signaling soundness.

No-Signaling Prover Strategies
Allow the provers a minimal form of communication. The answer of each prover may depend on the other provers' queries as a function, but must be independent of them as a random variable (RV).

No-Signaling Prover Strategies

Example

Relation to Quantum MIP
No-signaling strategies were originally motivated by quantum MIPs, in which the (cheating) provers share an entangled quantum state. Entangled strategies are no-signaling. No-signaling soundness is likely to hold in future theories of physics (if information cannot travel faster than light).

The Power of No-Signaling Strategies
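
The no-signaling condition described above can be checked mechanically for a two-prover strategy with one-bit queries and answers. This is an added example, not code or material from the talk: the CHSH game and the PR box used as sample strategies are standard illustrations assumed here, and all function names are hypothetical.

```python
from fractions import Fraction
from itertools import product

BITS = (0, 1)

def marginal(strategy, q1, q2, prover, a):
    """Pr[answer of `prover` equals a] when the queries are (q1, q2)."""
    return sum(p for ans, p in strategy[(q1, q2)].items() if ans[prover] == a)

def is_no_signaling(strategy):
    """Each prover's answer distribution must not change when only the
    other prover's query changes (the joint answers may be correlated)."""
    for q, a in product(BITS, BITS):
        if marginal(strategy, q, 0, 0, a) != marginal(strategy, q, 1, 0, a):
            return False  # prover 1's answer reveals something about q2
        if marginal(strategy, 0, q, 1, a) != marginal(strategy, 1, q, 1, a):
            return False  # prover 2's answer reveals something about q1
    return True

def chsh_value(strategy):
    """Acceptance probability on uniform queries; accept iff a1 XOR a2 == q1 AND q2."""
    total = Fraction(0)
    for q1, q2 in product(BITS, BITS):
        for (a1, a2), p in strategy[(q1, q2)].items():
            if a1 ^ a2 == q1 & q2:
                total += p
    return total / 4

def deterministic(f1, f2):
    """Non-communicating provers given by answer tables f1[q1] and f2[q2]."""
    return {(q1, q2): {(f1[q1], f2[q2]): Fraction(1)}
            for q1, q2 in product(BITS, BITS)}

def best_local_value():
    """Best acceptance probability over all deterministic local strategies."""
    tables = list(product(BITS, BITS))
    return max(chsh_value(deterministic(f1, f2)) for f1 in tables for f2 in tables)

# Constructed sample: PR box. a1 is uniform and a2 = a1 XOR (q1 AND q2).
PR_BOX = {(q1, q2): {(a, a ^ (q1 & q2)): Fraction(1, 2) for a in BITS}
          for q1, q2 in product(BITS, BITS)}

# Constructed sample: prover 1 sees q2 and answers a1 = q1 AND q2, a2 = 0.
SIGNALING = {(q1, q2): {(q1 & q2, 0): Fraction(1)}
             for q1, q2 in product(BITS, BITS)}
```

The PR box passes the no-signaling check yet is accepted with probability 1, while non-communicating provers reach at most 3/4, which is why soundness against no-signaling provers is a strictly stronger requirement.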

Main Technical Result

Proof Outline

Proof of Technical Result (High Level Overview)

Proof Sketch

The Provers
Each prover generates the entire tableau of the computation. [Figure: computation tableau, labelled with the input bits and the output bit.]
The provers encode the computation via the [BFLS] PCP.
Each (honest) prover expects to be queried on a single point in the PCP and answers accordingly.

The Verifier
The verifier generates the PCP queries, randomly permutes them, and sends them to the provers. It also explicitly checks the input and output gates. It accepts the answers if the PCP verifier accepts and the input/output gates are correct.

No-Signaling Soundness
Challenges in the no-signaling (NS) setting: each answer depends on the other provers' queries; there is no low-degree test; there is no parallel repetition; cheating provers are randomized.

Classical Setting
[BFLS]: If the provers do not communicate, the MIP is sound. For no-signaling provers the situation is more complicated.

No-Signaling Soundness

Reading a Point
“Reading” a point = query the provers on a random line that goes through the point and interpolate the answers to get the value.
Fix some gate of the computation.
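
"Reading" a point through a random line can be sketched as follows. This is an added example, not code from the talk: it assumes the small field GF(97), a constructed degree-3 polynomial standing in for the PCP encoding, and a single answer table (`oracle`) in place of the provers; all names are hypothetical.

```python
import random

P = 97  # constructed small prime field GF(97)

def poly(x):
    """Constructed sample polynomial of total degree 3 in two variables."""
    a, b = x
    return (3 * a * a * b + 5 * a * b + 7 * b + 11) % P

def interpolate_at_zero(ts, ys):
    """Lagrange interpolation over GF(P): value at t = 0 of the
    univariate polynomial passing through the points (ts[i], ys[i])."""
    total = 0
    for i, (ti, yi) in enumerate(zip(ts, ys)):
        num, den = 1, 1
        for j, tj in enumerate(ts):
            if j != i:
                num = num * (-tj) % P
                den = den * (ti - tj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def read_point(oracle, point, degree, rng):
    """Query `oracle` at t = 1..degree+1 on a random line through `point`
    (never at `point` itself) and interpolate the answers back to t = 0."""
    direction = [0] * len(point)
    while not any(direction):  # a zero direction would not be a line
        direction = [rng.randrange(P) for _ in point]
    ts = list(range(1, degree + 2))
    ys = [oracle(tuple((c + t * h) % P for c, h in zip(point, direction)))
          for t in ts]
    return interpolate_at_zero(ts, ys)

TARGET = (12, 34)  # constructed point to read

def corrupted_oracle(x):
    """Answers correctly everywhere except at TARGET itself."""
    return (poly(x) + 1) % P if x == TARGET else poly(x)
```

Because the value is recovered from other points on the line, a table that is wrong only at the target point still yields the correct value of the low-degree polynomial there.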

Lemma

First Attempt

Second Attempt
Look at some gate in the second layer.
Look at a neighbor of the gate.
Then look at a gate in the 3rd layer.
Error grows exponentially in the depth. This gives delegation for low-depth computations (already known via [GKR08+KR09]).

Third Attempt

Missing Details…

Summary

Thanks!