How to Delegate Computations: The Power of No-Signaling Proofs Ron Rothblum Weizmann Institute Joint work with Yael Kalai and Ran Raz
Delegation Motivation: allow a computationally weak device to outsource computation to the cloud.
Delegation A computationally weak device outsources its computation to the cloud.
Delegation The device does not trust the cloud and so it wants to verify the result super-efficiently (say in linear-time).
Delegation Focus of this talk: 1-round arguments.
Delegation
Comparison with Succinct Arguments A succinct non-interactive argument system (SNARG) is the same model but focus is small communication rather than verifier run-time. SNARGs for P = Trivial.
Prior Work
Main Result 1
quasi-polynomially
Main Result 1 (General)
The Approach of [ABOR00] [ Aiello-Bhatt-Ostrovsky-Rajogopalan 00] suggested to construct a delegation scheme by combining a Multi-Prover Interactive Proof-System with an FHE. Actually PIR suffices, but easier to describe with FHE
Multi Prover Interactive Proofs (MIP) [BenOr-Goldwasser-Kilian-Wigderson88] [Babai-Fortnow-Lund91]
Fully Homomorphic Encryption Eval
The [ABOR00] Protocol......
Encrypt the queries and answer homomorphically
The [ABOR00] Protocol Simulate using a single prover
The [ABOR00] Protocol Simulate using a single prover.
The [ABOR00] Protocol Intuition: since encrypted under different keys, prover cannot use one query to answer a different query. [ Dwork-Landberg-Naor-Nissim-Reingold 01]: this intuition is false*! [Kalai-Raz09]: correct for single prover interactive proofs. We show: protocol works if MIP satisfies a stronger soundness condition called no-signaling soundness.
No-Signaling Prover Strategies Allow the provers a minimal form of communication. The answer of each prover may depend on the other queries as a function but must be independent as a RV.
No-Signaling Prover Strategies
Example
Relation to Quantum MIP No-signaling strategies originally motivated by quantum MIPs – the (cheating) provers share an entangled quantum state. Entangled strategies are no-signaling. No-signaling soundness is likely to hold in future theories of physics (if information cannot travel faster than light).
The Power of No-Signaling Strategies
Main Technical Result
Proof Outline
Proof of Technical Result (High Level Overview)
Proof Sketch
The Provers Each prover generates the entire tableau of the computation. Output bit Input bits
The provers encode the computation via the [BFLS] PCP. The Provers
Each (honest) prover expects to be queried on a single point in the PCP and answers accordingly. The Provers
The verifier generates the PCP queries. Randomly permutes the queries and sends to the provers. Also explicitly checks input and output gates. Accepts the answers if PCP verifier accepts and input/output gates are correct. The Verifier
No-Signaling Soundness Challenges in NS setting: Each answer depends on other provers’ queries. No low degree test. No parallel repetition. Cheating provers are randomized.
[BFLS]: If the provers do not communicate, the MIP is sound. For no-signaling provers situation is more complicated. Classical Setting
No-Signaling Soundness
“Reading” a point = query provers on a random line that goes through the point and interpolate answers to get the value. Reading a Point
Fix some gate of the computation. Reading a Point
Lemma
First Attempt
Second Attempt Look at some gate in the second layer.
Second Attempt Look at some gate in the second layer.
Second Attempt Look at some gate in the second layer.
Second Attempt Look at neighbor of the gate.
Second Attempt Gate at 3 rd layer.
Second Attempt Gate at 3 rd layer.
Second Attempt Error grows exponentially in the depth. Gives delegation for low-depth computation (already known via [GKR08+KR09]).
Third Attempt
Missing Details…
Summary
Thanks!