A Parallel Repetition Theorem for Any Interactive Argument
Iftach Haitner, Microsoft Research



Hardness Amplification
- Starting point: a primitive with “weak security”
- Goal: a “fully secure” primitive
- Examples: hard functions, PCPs, puzzles, interactive proofs, MIP, interactive arguments, …
- Secondary goal: do the amplification while preserving efficiency

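Interactive Proofs
- $L \in \mathrm{NP}$ and $x \in L$
- Completeness: $\forall x \in L$: $\Pr[(P(x,w),V(x)) = 1] = 1$
- Soundness: $\forall P^*$ and $x \notin L$: $\Pr[(P^*,V(x)) = 1] \le \mathrm{neg}$
- [Diagram: $P(x,w)$ and the verifier exchange $q_1, a_1, \dots, q_m, a_m$; the verifier outputs Accept / Reject (“1” / “0”).]

Interactive Arguments (also known as Computationally Sound Proofs)
- Soundness: $\forall$ PPT $P^*$ and $x \notin L$: $\Pr[(P^*,V(x)) = 1] \le \mathrm{neg}$
- Weak soundness: $\forall$ PPT $P^*$ and $x \notin L$: $\Pr[(P^*,V(x)) = 1] < \varepsilon \le 1 - 1/\mathrm{poly}$, where $\varepsilon$ is the soundness error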

Soundness Amplification of Interactive Arguments
- Fix $L$, and let $(P,V)$ be s.t. $\forall x \notin L$ and $\forall$ ppt $P^*$: $\Pr[(P^*,V(x)) = 1] < \varepsilon \le 1 - 1/\mathrm{poly}$
- We want a protocol $(P',V')$ s.t. $\forall x \notin L$ and $\forall$ ppt $P^*$: $\Pr[(P^*,V'(x)) = 1] \le \mathrm{negl}$
- We want a generic transformation that preserves the other properties of $(P,V)$, and can be applied to any protocol

Sequential Repetition
- No overlap between executions
- Verifier accepts iff all subverifiers do
- Known to reduce the soundness error at an exponential rate (i.e., $\varepsilon^{(k)} \le \max\{\mathrm{negl}, \varepsilon^k\}$)
- Blow-up in round complexity
- [Diagram: $K$ executions with $P(x,w)$, one after the other, each ending in Accept / Reject.]

Parallel repetition
- Interactions are done in parallel.
- Verifier accepts iff all subverifiers do.
- Preserves round complexity.
- Does it reduce the soundness error?
- Positive results: soundness error is reduced at an exponential rate, in:
  - 3-message protocols [Bellare, Impagliazzo, Naor ’97]
  - Public-coin protocols [Håstad, Pass, Pietrzak, Wikström ’08], [Chung-Liu ’09]
  - Also in interactive proofs [Goldreich ’99] and MIP [Raz ’95]
- Impossibility results: soundness error might not be reduced in $(t \ge 8)$-message protocols [BIN ’97, Pietrzak-Wikström ’07]. Under common hardness assumptions, there exists an 8-message protocol with soundness error ½, whose soundness is not improved via parallel repetition.
- [Diagram: $K$ executions with $P(x,w)$, side by side, each ending in Accept / Reject.]

The Counter Example of [BIN ’97]
- [Diagram: $b \leftarrow \{0,1\}$; P: $b', b'' \leftarrow \{0,1\}$, $b' \oplus b'' = b$; safes labelled $b$, $b'$, $b''$.]
- Output “1” if $b' \oplus b'' = b$, and the safes P sent are different from the safe V sent
- Safes are realized as (perfectly binding) commitment schemes.
- Soundness error ½ w.r.t. the empty language.
- Soundness error 1 (soundness is 0) when viewed as an interactive proof.

Cheating Prover for 3 Repetitions
- [Diagram: $P^*$ interacting with three verifiers, verifier $j$ sampling $b_j \leftarrow \{0,1\}$ for $j = 1, 2, 3$.]
- All verifiers accept if $b_1 \oplus b_2 \oplus b_3 = 0$ $\Rightarrow$ soundness error ½
- Can be extended to any (# of repetitions) $k$
- [Pietrzak-Wikström ’07] $\exists$ a single protocol whose soundness error remains ½ for any (poly.) $k$
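The counterexample and the 3-repetition cheating prover from the two slides above, as a toy model added here (not code from the talk). The `Safe` class, the collapsed message order (safes are exchanged, then all opened) and the relay strategy are assumptions consistent with the acceptance rule stated on the slides.

```python
from itertools import product

class Safe:
    """Idealised commitment (assumption): the bit is visible only through open()."""
    def __init__(self, bit):
        self._bit = bit
    def open(self):
        return self._bit

class Verifier:
    def __init__(self, b):
        self.b, self.safe = b, Safe(b)        # b <- {0,1}, locked in V's safe
    def accepts(self, s1, s2):
        # Output "1" iff b' xor b'' = b and P's safes differ from V's own safe.
        fresh = s1 is not self.safe and s2 is not self.safe
        return fresh and (s1.open() ^ s2.open()) == self.b

def guessing_prover(v, guess):
    """Single execution: P* cannot look inside v.safe, so it commits to a guess."""
    return v.accepts(Safe(guess), Safe(0))

def copying_prover(v):
    """Single execution: replaying V's own safe fails the 'different safes' check."""
    return v.accepts(v.safe, Safe(0))

def relay_prover(vs):
    """Three parallel executions: each verifier receives the other two verifiers' safes."""
    return all(v.accepts(*[u.safe for u in vs if u is not v]) for v in vs)

def single_error(guess):
    # Exact success probability of the guessing prover over V's coin b.
    return sum(guessing_prover(Verifier(b), guess) for b in (0, 1)) / 2

def parallel_error():
    # Exact probability that all three verifiers accept, over (b1, b2, b3).
    wins = sum(relay_prover([Verifier(b) for b in bits])
               for bits in product((0, 1), repeat=3))
    return wins / 8

if __name__ == "__main__":
    print("single execution:", single_error(0), single_error(1))
    print("3 parallel executions:", parallel_error())
```

Independent executions would give an all-accept probability of 1/8; the relay ties the three checks to the single event $b_1 \oplus b_2 \oplus b_3 = 0$, so the error stays at ½.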

Our Result
- For any interactive argument $(P,V)$ there exists a simple variant $\tilde V$ of $V$, s.t. the parallel repetition of $(P,\tilde V)$ always reduces the soundness error at a (weakly) exponential rate.

The Random Terminating Verifier $\tilde V$
- $m$ rounds; in each round, w.p. $\frac{1}{4m}$ halt and accept
- Otherwise, accept iff $V$ does
- [Diagram: $\tilde V$ interacting with $P(x,w)$.]

Our Result cont.
- $(P,\tilde V)$ has essentially the same soundness as $(P,V)$. I.e., at least ¾ times the original soundness.
- Preserves completeness, zero-knowledge, …
- Applies to any cryptographic primitive that can be cast as an interactive argument. E.g., binding amplification of computationally binding commitment.
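Where the ¾ comes from (a derivation added here, not part of the original slides; it assumes the $m$ halting coins of the random-terminating verifier $\tilde V$ are tossed independently of everything else): $\tilde V$ rejects only when no round halts early and $V$ itself rejects, so for every $P^*$

$$\Pr[(P^*,\tilde V(x)) = 0] = \left(1 - \frac{1}{4m}\right)^{m} \Pr[(P^*,V(x)) = 0] \ge \left(1 - m \cdot \frac{1}{4m}\right) \Pr[(P^*,V(x)) = 0] = \frac{3}{4}\,\Pr[(P^*,V(x)) = 0],$$

where the inequality is Bernoulli's, $(1-y)^m \ge 1 - my$ for $0 \le y \le 1$.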

Applicability to Other Primitives
- Let $Q$ be any cryptographic primitive whose security can be cast as a two-party game (e.g., OWF, DDH, commitment schemes).
- The soundness of $(P,V)$ (w.r.t. the empty language) is equal to the “security” of $Q$.
- $\Rightarrow$ Parallel repetition of $\tilde Q$, the random terminating variant of $Q$, is (fully) secure.
- [Diagram: P interacting with $Q$; accepts if P “breaks” the security of $Q$.]

Proof’s Idea
- Let’s start with proving parallel repetition of a (standard) public-coin protocol $(P,V)$ (in the spirit of [HPPW ’08])
- Fix $L$ and $x \notin L$, and assume that $\forall$ ppt $P^*$: (1) $\Pr[(P^*,V(x)) = 1] < \varepsilon$
- We want to prove that $\forall$ ppt $P^{(k)*}$: (2) $\Pr[(P^{(k)*},V^{(k)}(x)) = 1] < \varepsilon^{(k)} \approx \varepsilon^k$
- The proof is by reduction. Assume $\exists$ ppt $P^{(k)*}$ that contradicts (2); we use it to build a ppt $P^*$ that contradicts (1).
- In the following we omit $L$ and $x$, and assume wlog that $P^{(k)*}$ is deterministic

Defining $P^*$
- [Diagram: $P^{(k)*}$ with its parallel executions; $i$ chosen at random.]

Defining $P^*$
- Find $q^{(k)}_{1,-i}$ such that $\Pr[(P^{(k)*},V^{(k)}(x)) = 1 \mid q^{(k)}_1] \ge (1 - \frac{1}{2m})\,\varepsilon^{(k)}$, where $q^{(k)}_{1,i} = q_1$.
- Let $a^{(k)}_1$ be $P^{(k)*}$’s answer on $q^{(k)}_1$.
- [Diagram: $q_1$ is passed to $P^{(k)*}$, which returns $a_1 = a^{(k)}_{1,i}$.]
- (If succeeded) we have reduced the problem to an $(m-1)$-round protocol.
- Does such $q^{(k)}_{1,-i}$ always exist? W.h.p. over $q_1$, a noticeable fraction of the $q^{(k)}_{1,-i}$ are “good”.
- How to find $q^{(k)}_{1,-i}$? Sample (at random) many candidates, and for each of them estimate $\alpha = \Pr[(P^{(k)*},V^{(k)}(x)) = 1 \mid q^{(k)}_1]$

Estimating $\alpha$
- [Diagram: $P^{(k)*}$ run on a candidate sampled at random, with messages $q_1, a_1, \dots, q_m, a_m$ in position $i$ and $q^{(k)}_{1,-i}, a^{(k)}_{1,-i}, \dots, q^{(k)}_{m,-i}, a^{(k)}_{m,-i}$ in the other positions.]
- Estimate $\alpha$ as the fraction of successful (random) continuations (i.e., all verifiers accept)
- Since $V$ is public coin, sampling random continuations is easy.
- Might be infeasible for an arbitrary $V$: as hard as finding a random preimage of an arbitrary (efficient) function.

The Random Terminating Case
- [Diagram: $P^{(k)*}$ with messages $q_1, a_1, q_2, \dots, q_m, a_m$ and $q^{(k)}_{1,-i}, a^{(k)}_{1,-i}, \dots, q^{(k)}_{m,-i}, a^{(k)}_{m,-i}$; labels: “Accepts & halts”, “Hard to sample”.]

$\alpha'$ approximates $\alpha$ well
- Since (for large enough $k$) many of the $\tilde V_j$’s are expected to halt after the first round, $\alpha' \approx \alpha$ for a random $i$
- [Diagram: $P^{(k)*}$ with its parallel executions; $i$ chosen at random.]

Further Issues
- More security preserving reductions (wrt communication complexity)
- More applications of “random terminating”