Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ⇒ MSR-SVC ⇒ IAS; Salil Vadhan, Harvard University.


1 Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ⇒ MSR-SVC ⇒ IAS; Salil Vadhan, Harvard University

2 Probabilistic Proof Systems
P wants to convince V that x ∈ L
Completeness: If x ∈ L, then P convinces V w.h.p.
Soundness: If x ∉ L, no P* can convince V except w/ small prob. s
Interactive Proofs: no P* can convince V
PCPs: no memoryless oracle P* can convince V
Arguments: no poly-time P* can convince V

3 Motivation for Arguments
Perfect zero knowledge [BCC86]
Can be much more efficient than interactive proofs
  – Communication [Kil92]
  – Expressive power [Mic94]
  – Verifier runtime [Mic94]
Based on PCPs
Question [IKO07]: Are PCPs necessary?

4 Cryptography / Zero Knowledge / Complexity (timeline figure)
Protocols [B82,...]; Def of ZK, IP [GMR85]; IP=PSPACE [LFKN90,S90]; NP ⊆ ZK [GMW86]; NP-completeness [C71,L73,K72]; Secure Computation [Yao86,GMW87,BGW88,CCD88]; Multiprover ZK [BGKW88]; MIP=NEXP, PCP Theorem [BFL91...ALMSS92]; Polylog-eff ZK Args [K92,M94]; Random Oracle Model [FS86,BR93,CGH98]; Concurrency [F90,DNS98]; Diagonalization [T36]; Non-BB Simulation [B01]; …

5 High-Level Summary
Previous work [Kil92,Mic94,BG02,IKO07]: PCPs ⇒ efficient arguments*
  *under various crypto assumptions
Our results: Efficient arguments ⇒ PCPs*
  *assuming argument soundness based on a secure crypto primitive via an efficient black-box reduction

6 PCPs ⇒ Arguments (previous work)

7 Kilian's Construction [Kil92]
Prover P_arg and verifier V_arg, common input x (L in NP)
1. V_arg: choose collision-resistant hash function f; send f
2. P_arg: π = PCP proof that x ∈ L; send commitment to π
3. V_arg: run V_pcp to get queries i_1,…,i_q; send i_1,…,i_q. P_arg: reveal π_{i_1},…,π_{i_q}
4. V_arg: accept if reveals valid & V_pcp accepts.

8 Short commitments
Collision-resistant hash family: F = {f : {0,1}^{2k} → {0,1}^k} s.t. no poly-time alg can find a collision in random f ← F except with negl. probability.
Merkle Tree (figure): π is hashed up through layers of f to Commit(π); Reveal(π_i) opens position i.

9 Kilian: communication
# rounds: O(1)
V → P communication: (# queries) · log(PCP length) + k = Õ(log n)
P → V communication: (# queries) · [log(PCP length) · k + log |PCP alphabet|] = Õ(log² n)
(assuming standard PCP thm + exponentially hard CRHF)
(Diagram: V_arg sends f; P_arg sends Commit(π); V_arg sends i_1,…,i_q; P_arg sends Reveal(π_{i_1},…,π_{i_q}))
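
The Commit/Reveal operations of slide 8 and the P → V cost formula of slide 9, as an added example that is not part of the original slides. It assumes SHA-256 as a stand-in for f (k = 256 bits), a binary PCP alphabet, and a constructed 8-symbol string in place of a real PCP proof; all function names are illustrative.

```python
import hashlib

K = 32  # hash output length k in bytes; SHA-256 is an assumed stand-in for f

def f(left, right):
    # Compressing hash {0,1}^2k -> {0,1}^k
    return hashlib.sha256(left + right).digest()

def leaf(sym):
    # Map one proof symbol (0..255) to a k-byte leaf value
    return hashlib.sha256(b"leaf" + bytes([sym])).digest()

def build(pi):
    # All tree levels, leaves first; len(pi) must be a power of two
    assert pi and len(pi) & (len(pi) - 1) == 0
    levels = [[leaf(s) for s in pi]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([f(cur[j], cur[j + 1]) for j in range(0, len(cur), 2)])
    return levels

def commit(pi):
    # Commit(pi): the k-byte Merkle root
    return build(pi)[-1][0]

def reveal(pi, i):
    # Reveal(pi_i): the symbol plus one sibling hash per tree level
    path, j = [], i
    for level in build(pi)[:-1]:
        path.append(level[j ^ 1])
        j >>= 1
    return pi[i], path

def verify(root, i, sym, path):
    # Verifier recomputes the root from the claimed symbol and its path
    node = leaf(sym)
    for sib in path:
        node = f(node, sib) if i % 2 == 0 else f(sib, node)
        i >>= 1
    return node == root

def reveal_bits(n, q, symbol_bits=1):
    # P -> V cost: (# queries) * [log(PCP length) * k + log |PCP alphabet|]
    return q * ((n.bit_length() - 1) * K * 8 + symbol_bits)

PI = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed 8-symbol stand-in for a PCP proof
if __name__ == "__main__":
    root = commit(PI)
    for i in (1, 6):  # constructed query positions
        sym, path = reveal(PI, i)
        print(i, sym, verify(root, i, sym, path), verify(root, i, sym ^ 1, path))
    print("bits P->V:", reveal_bits(len(PI), 2))
```

Each reveal carries log(PCP length) sibling hashes of k bits, which is where the log(PCP length) · k term in the P → V bound comes from.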

10 Kilian: soundness
Claim: argument soundness error ≤ PCP soundness error + ε
Proof sketch: If not, can find a collision in f w.p. > ε/q by running P* w/ two random overlapping query sequences i_1,…,i_q and i'_1,…,i'_q.
N.B. black-box reduction making 3 queries to P*
(Diagram: V_arg sends f; P* sends Commit(π); V_arg sends i_1,…,i_q; P* sends Reveal(π_{i_1},…,π_{i_q}))

11 Ishai-Kushilevitz-Ostrovsky '07
Efficient arguments using:
Stronger crypto primitive (homomorphic encryption)
Weaker PCP (exponentially long Hadamard-based PCP [ALMSS92])

12 IKO: communication
# rounds: O(1)
V → P communication: (# queries) · log(PCP length) + k = poly(n)
P → V communication: (# queries) · [log(PCP length) · k + log |PCP alphabet|] = Õ(log n)
(assuming Hadamard PCP + exponentially hard hom-enc)
(Diagram: V_arg sends f; P_arg sends Hom-Commit(π); V_arg sends i_1,…,i_q; P_arg sends Hom-Reveal(π_{i_1},…,π_{i_q}))

13 Arguments ⇒ PCPs (our work)

14 Main Result
Argument system (V_arg, P_arg) w/ soundness based on a crypto primitive via a black-box reduction R
⇒ PCP with the following parameters:
#Queries: #rounds(V_arg, P_arg) + #queries(R)
Length: exp(V_arg → P_arg communication)
Alphabet: exp(P_arg → V_arg communication)
Soundness: unconditional
Completeness: assuming the crypto primitive is secure
Matches [Kil92,IKO07]

15 Notion of Black-Box Reduction
poly-time R s.t. if P* is any strategy making V_arg accept x ∉ L w.p. > s, then R^{P*}(x) breaks the primitive w.p. > ε
poly-time T that tests whether R has broken the primitive (related to falsifiability [Nao06])
# queries(R) := # queries to P* in T R^{P*}(x)
(Diagram: R with oracle access to P*, input x, test T)

16 Example: Kilian's construction
(Diagram: R with oracle access to P*, input x, test T. R receives f and outputs a collision a,b for f. R sends f and receives Commit(π); it then sends f, i_1,…,i_q and receives Reveal(π_{i_1},…,π_{i_q}), twice; repeat poly(1/ε) times.)

17 Example: construction based on factoring
(Diagram: R with oracle access to P*, input x, test T. R receives N and outputs factors p,q.)

18 Main Result
Argument system (V_arg, P_arg) w/ soundness based on a crypto primitive via a black-box reduction R
⇒ PCP with the following parameters:
#Queries: #rounds(V_arg, P_arg) + #queries(R&T)
Length: exp(V_arg → P_arg communication)
Alphabet: exp(P_arg → V_arg communication)
Soundness: unconditional
Completeness: assuming the crypto primitive is secure
Matches [Kil92,IKO07]

19 Argument ⇒ PCP: Construction
(Honest) PCP proof-oracle P_pcp: next-msg function of argument prover P_arg
PCP Verifier:
1. Run V_arg with P_pcp. If V_arg rejects, reject.
2. Run reduction R (& test T) with P_pcp. If it breaks the primitive, then reject. Otherwise accept.

20 Argument ⇒ PCP: Soundness
PCP Verifier:
1. Run V_arg with P_pcp. If V_arg rejects, reject.
2. Run reduction R (& test T) with P_pcp. If it breaks the primitive, then reject. Otherwise accept.
Soundness (x ∉ L): If P* makes V_arg accept w.h.p. in Step 1, then R^{P*}(x) breaks the primitive.

21 Argument ⇒ PCP: Completeness
PCP Verifier:
1. Run V_arg with P_pcp. If V_arg rejects, reject.
2. Run reduction R (& test T) with P_pcp. If it breaks the primitive, then reject. Otherwise accept.
Completeness (x ∈ L): Reduction R and honest P_pcp = P_arg are poly-time, so they can't break a secure primitive.

22 Argument ⇒ PCP: Efficiency
PCP Verifier:
1. Run V_arg with P_pcp. If V_arg rejects, reject.
2. Run reduction R (& test T) with P_pcp. If it breaks the primitive, then reject. Otherwise accept.
#Queries: #rounds(V_arg, P_arg) + #queries(R&T)
Length: exp(V_arg → P_arg communication)
Alphabet: exp(P_arg → V_arg communication)

23 Weakening the Assumptions
Only need the crypto primitive to be secure vs. a fixed poly-time adversary (namely R^{P_arg}).
If honest P_arg only makes black-box access to the primitive, can sometimes weaken or eliminate assumptions using Nisan-Wigderson-type PRFs or poly(n)-wise independent hash functions.

24 Conclusions & Questions
We explain why existing efficient arguments use PCPs.
Efficient arguments without PCPs? (Using a reduction that is either non-black-box or makes many queries to the cheating prover)
New PCP constructions inspired by crypto?
Deeper connection between arguments & PCPs?
Do arguments in the random oracle model require PCPs?

25 Argument Constructions
Arguments can be much more efficient than interactive proofs (expressive power, communication, V runtime)
Known constructions for NP languages:
poly(k) communication: Poly-length PCPs + CRH [Ki92,Mi94,BaGo02]
P → V poly(k) communication: Exp-length PCP + additively homomorphic encryption [IKO07]

