Presentation is loading. Please wait.

Presentation is loading. Please wait.

Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research Ran Raz Weizmann Institute.

Published byLenard Barrett Modified over 9 years ago

Similar presentations

Presentation on theme: "Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research Ran Raz Weizmann Institute."— Presentation transcript:

1 Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research Ran Raz Weizmann Institute

2 Our Results public-coin IP one-round argument Corollary1: PSPACE µ 1-round arguments Main Result: PSPACE = IP = Public-coin IP [LFKN, Shamir, Goldwasser-Sipser]

3 Our Results (Cont.) Define: probabilistically checkable arguments (PCAs) ¼ PCPs that are only computationally sound public-coin IP one-round argument Main Result: Corollary2: Short PCAs of size poly(|witness|) Main Result with IP[Goldwasser-K-Rothblum08]

4 Interactive Proofs (IP) [Golwasser-Micali-Rackoff, Babai] Proofs that use interaction and randomization IP=PSPACE [Lund-Fortnow-Karloff-Nissan, Shamir] # rounds = poly(n) Can we reduce the number of rounds? –O(1)-round IP = 1-round IP –Believed: 1-round IP does not contain much… (1-round IP  PSPACE)

5 Interactive Arguments (IA) Poly-time verifier Honest prover’s runtime T Soundness against cheating provers of size 2  Interactive proofs that are only computationally sound: Security holds only against comp. bounded cheating provers

6 IA=NEXP [Kilian,Micali] # rounds = 2 (4 messages) What can be proved via 1-round interactive argument? –[Micali]: In random oracle model NEXP=1-round IA –What about in the plain model?? Interactive Arguments (cont.) PSPACE µ 1-round IA

7 PVP’V’ public-coin IP one-round argument Our Result Independent of instance PIR public-coin: verifier only sends his coin tosses [Goldwasser-Sipser]: IP = public-coin IP msg V’

8 Main Thm: Under exponential hardness assumptions, any public-coin IP can be converted into a one- round argument (blowup in provers run-time) public-coin IP one-round argument PIR public-coin: verifier only sends his coin tosses [Goldwasser-Sipser]: IP = public-coin IP No blowup if we use IP of [GKR08] No blowup if we use fully-homomorphic encryption [Gentry09]

9 Previous Attempts Fiat-Shamir88 : Use hash-function to convert any public-coin IP into 1-round argument Barak01, Goldwasser-K03: Exhibit inherent difficulties in proving soundness Aiello-Bhatt-Ostrovsky-Rajagopalan00: Use PIR scheme to convert the two-round Kilian/Micali argument for NEXP into a (short) one-round argument Dwork-Langberg-Naor-Nissim-Reingold04: Exhibit inherent difficulties in proving soundness

10 Proof Idea Public-coin interactive proof 1-round argument PIR

11 PIR Scheme [ Chor-Goldreich-Kushilevitz-Sudan95, Kushilevitz-Ostrovsky97 ] x1x1 x2x2 xixi xNxN DBU query answer

12 Secrecy: 8 i,j 2 {1,…,N} q(i) ¼ q(j) polylog PIR Scheme [CMS99]: Communication complexity = poly( , log N) User run-time poly( , log N) PIR Scheme [ Chor-Goldreich-Kushilevitz-Sudan95, Kushilevitz-Ostrovsky97 ] For distinguishers of size poly(N)

13 PVP’V’ q 1,…,q t a 1,…,a t q i =query(r 1,…,r i ) a i =answer(q i,DB i ), where the (r 1,…,r i ) entry of DB i is m i (r 1,…,r i ) Public-coin interactive proof 1-round argument m1m1 r1r1 m2m2 mtmt r2r2 rtrt

14 Proof Idea PVP’V’ Fix x not in L. Suppose 9 P* of size · 2  s.t. Pr[(P *,V’)(x)=1] ¸ s+  x 2 L ? ? m1m1 r1r1 m2m2 mtmt r2r2 rtrt q 1,…,q t a 1,…,a t q i =query(r 1,…,r i ) a i =answer(q i,DB i ), where the (r 1,…,r i ) entry of DB i is m i (r 1,…,r i )

15 Proof Idea P0P0 V0V0 PiPi ViVi m i+1 { r j }, {m j }, r i+1 mtmt rtrt PtPt VtVt q 1,…,q i a 1,…,a i soundness · s against any cheating prover 9 P* of size 2  s.t. Pr[(P *,V t )(x)=1] ¸ s+  q 1,…,q t m1m1 r1r1 m2m2 mtmt r2r2 rtrt a 1,…,a t

16 Proof Idea (Cont.) P i-1 V i-1 soundness · s* against any cheating prover of size 2  Pi*Pi* ViVi Pr[(P i *,V i )(x)=1] ¸ s* +  /t x 2 L ?? m i+1 mtmt rtrt mimi { r j } j=1,..,i-1, {m j } j=1,..,i-1,r i mtmt rtrt Use P* i to break PIR in time 2 O(  ) ¼ |P* i |+2 O(cc) { r j } j=1,..,i, {m j } j=1,..,i,r i+1 q 1,…,q i-1 a 1,…,a i-1 q 1,…,q i a 1,…,a i

17 Summary Corollary: PSPACE µ 1-round argument public-coin IP one-round argument Interactive proof [GKR08] PCA Remark: This method does not seem to work when applied to interactive arguments (rather than proofs) Open: 1-round argument = PSPACE ?Open: 1-round argument = NEXP ? PIR

18 Thanks !!

Download ppt "Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research Ran Raz Weizmann Institute."

Similar presentations

The Power of Unentanglement

The Power of Unentanglement
QMA/qpoly PSPACE/poly: De-Merlinizing Quantum Protocols Scott Aaronson University of Waterloo.

QMA/qpoly PSPACE/poly: De-Merlinizing Quantum Protocols Scott Aaronson University of Waterloo.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.

Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Parallel Repetition of Two Prover Games Ran Raz Weizmann Institute and IAS.

Parallel Repetition of Two Prover Games Ran Raz Weizmann Institute and IAS.
Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.

Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.

Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.
Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.
Complexity Theory Lecture 9 Lecturer: Moni Naor. Recap Last week: –Toda’s Theorem: PH  P #P. –Program checking and hardness on the average of the permanent.

Complexity Theory Lecture 9 Lecturer: Moni Naor. Recap Last week: –Toda’s Theorem: PH  P #P. –Program checking and hardness on the average of the permanent.
How to Delegate Computations: The Power of No-Signaling Proofs Ran Raz (Weizmann Institute & IAS) Joint work with: Yael Tauman Kalai Ron Rothblum.

How to Delegate Computations: The Power of No-Signaling Proofs Ran Raz (Weizmann Institute & IAS) Joint work with: Yael Tauman Kalai Ron Rothblum.
1 Vipul Goyal Microsoft Research India Non-Black-Box Simulation in the Fully Concurrent Setting.

1 Vipul Goyal Microsoft Research India Non-Black-Box Simulation in the Fully Concurrent Setting.
Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.

Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.
Universal Communication Brendan Juba (MIT) With: Madhu Sudan (MIT)

Universal Communication Brendan Juba (MIT) With: Madhu Sudan (MIT)
Dana Moshkovitz. Back to NP L  NP iff members have short, efficiently checkable, certificates of membership. Is  satisfiable?  x 1 = truex 11 = true.

Dana Moshkovitz. Back to NP L  NP iff members have short, efficiently checkable, certificates of membership. Is  satisfiable?  x 1 = truex 11 = true.
Tsuyoshi Ito (McGill U) Hirotada Kobayashi (NII & JST) Keiji Matsumoto (NII & JST) QIP 2009, January 12–16, 2009 arXiv:0810.0693.

Tsuyoshi Ito (McGill U) Hirotada Kobayashi (NII & JST) Keiji Matsumoto (NII & JST) QIP 2009, January 12–16, 2009 arXiv:

Similar presentations

Ads by Google