1
A Parallel Repetition Theorem for Any Interactive Argument
Iftach Haitner
Microsoft Research
2
Hardness Amplification
Starting point: a primitive with “weak security”
Goal: a “fully secure” primitive
Examples: hard functions, PCPs, puzzles, interactive proofs, MIP, interactive arguments, …
Secondary goal: do the amplification while preserving efficiency
3
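Interactive Proofs
$L \in NP$ and $x \in L$
[Figure: P(x,w) and the verifier exchange $q_1, a_1, \dots, q_m, a_m$; the verifier outputs Accept / Reject (“1” / “0”).]
Completeness: $\forall x \in L$: $\Pr[(P(x,w), V(x)) = 1] = 1$
Soundness: $\forall P^*$ and $x \notin L$: $\Pr[(P^*, V(x)) = 1] \le \mathrm{neg}$
Interactive Arguments (also known as Computationally Sound Proofs)
Soundness is required only $\forall$ PPT $P^*$ and $x \notin L$
Weak soundness: $\forall$ PPT $P^*$ and $x \notin L$: $\Pr[(P^*, V(x)) = 1] < \varepsilon \le 1 - 1/\mathrm{poly}$ ($\varepsilon$ is the soundness error)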
4
Soundness Amplification of Interactive Arguments
Fix L, and let (P,V) be s.t. $\forall x \notin L$ and $\forall$ ppt $P^*$: $\Pr[(P^*, V(x)) = 1] < \varepsilon \le 1 - 1/\mathrm{poly}$
We want a protocol (P’,V’) s.t. $\forall x \notin L$ and $\forall$ ppt $P^*$: $\Pr[(P^*, V'(x)) = 1] \le \mathrm{negl}$
We want a generic transformation that preserves the other properties of (P,V), and can be applied to any protocol
5
Sequential Repetition
No overlap between executions
Verifier accepts iff all subverifiers do
Known to reduce the soundness error at an exponential rate (i.e., $\varepsilon^{(k)} \le \max\{\mathrm{negl}, \varepsilon^k\}$)
Blow up in round complexity
[Figure: k executions of P(x,w) with the verifier, one after another, each ending in Accept / Reject.]
6
Parallel repetition
Interactions are done in parallel.
Verifier accepts iff all subverifiers do.
Preserves round complexity.
Does it reduce the soundness error?
Positive results: soundness error is reduced at an exponential rate, in:
  3-message protocols [Bellare, Impagliazzo, Naor ‘97]
  Public-coin protocols [Håstad, Pass, Pietrzak, Wikström ‘08], [Chung-Liu ‘09]
  Also in interactive proofs [Goldreich ‘99] and MIP [Raz ’95]
Impossibility results: soundness error might not be reduced in $(t \ge 8)$-message protocols [BIN ’97, Pietrzak-Wikstrom ’07]
  Under common hardness assumptions, there exists an 8-message protocol with soundness error ½, whose soundness is not improved via parallel repetition.
[Figure: k executions of P(x,w) with the verifier, side by side, each ending in Accept / Reject.]
7
The Counter Example of [BIN ’97]
$b \leftarrow \{0,1\}$
P: $b', b'' \leftarrow \{0,1\}$, $b' \oplus b'' = b$
Output “1” if $b' \oplus b'' = b$, and the safes P sent are different from the safe V sent
Safes are realized as (perfectly binding) commitment schemes.
Soundness error ½ w.r.t. the empty language.
Soundness error 1 (soundness is 0) when viewed as interactive proof.
[Figure: safes holding $b$, $b'$ and $b''$ exchanged between P and V.]
8
Cheating Prover for 3 Repetitions
$b_1 \leftarrow \{0,1\}$, $b_2 \leftarrow \{0,1\}$, $b_3 \leftarrow \{0,1\}$
[Figure: $P^*$ facing verifiers 1, 2 and 3, with the safes holding $b_1$, $b_2$, $b_3$ passed between them.]
All verifiers accept if $b_1 \oplus b_2 \oplus b_3 = 0$ $\Rightarrow$ soundness error ½
Can be extended to any (# of repetitions) k
[Pietrzak-Wikstrom ‘07]: $\exists$ a single protocol whose soundness error remains ½ for any (poly.) k
9
Our Result
For any interactive argument (P,V) there exists a simple variant $\widetilde{V}$ of V, s.t. the parallel repetition of $(P,\widetilde{V})$ always reduces the soundness error at a (weakly) exponential rate.
10
The Random Terminating Verifier
[Figure: P(x,w) interacting with $\widetilde{V}$ over m rounds; the rounds are labelled “w.p. 1/4m halt and accept”, and the end of the interaction is labelled “Accept iff V does”.]
11
Our Result cont.
$(P,\widetilde{V})$ has essentially the same soundness as (P,V), i.e., at least ¾ times the original soundness.
Preserves completeness, zero-knowledge, …
Applies to any cryptographic primitive that can be cast as an interactive argument, e.g., binding amplification of computationally binding commitment.
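Where the ¾ comes from, as an added derivation that is not on the slides. It assumes $\widetilde{V}$ makes its halt-and-accept choice independently in each of the m rounds, with probability $1/(4m)$, and otherwise behaves exactly as V; "soundness" is read as the rejection probability, one minus the soundness error.

By Bernoulli's inequality, the probability that $\widetilde{V}$ never halts early is
$$\left(1 - \frac{1}{4m}\right)^{m} \ge 1 - m \cdot \frac{1}{4m} = \frac{3}{4}.$$
The halting coins are independent of V's coins and of anything $P^*$ does, and $\widetilde{V}$ rejects only if it never halts early and V rejects. Hence, for every ppt $P^*$ and $x \notin L$ with $\Pr[(P^*, V(x)) = 1] < \varepsilon$,
$$\Pr[(P^*, \widetilde{V}(x)) = 0] = \left(1 - \frac{1}{4m}\right)^{m} \cdot \Pr[(P^*, V(x)) = 0] > \frac{3}{4}\,(1 - \varepsilon).$$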
12
Applicability to Other Primitives
Let Q be any cryptographic primitive whose security can be cast as a two-party game (e.g., OWF, DDH, commitment schemes).
[Figure: P playing the security game of Q against a verifier that accepts if P “breaks” the security of Q.]
The soundness of (P,V) (w.r.t. the empty language) is equal to the “security” of Q.
$\Rightarrow$ Parallel repetition of $\widetilde{Q}$, the random terminating variant of Q, is (fully) secure.
13
Proof’s Idea
Let’s start with proving parallel repetition of a (standard) public-coin protocol (P,V) (in the spirit of [HPPW ‘08])
Fix L and $x \notin L$, and assume that $\forall$ ppt $P^*$
(1) $\Pr[(P^*, V(x)) = 1] < \varepsilon$
We want to prove that $\forall$ ppt $P^{(k)*}$
(2) $\Pr[(P^{(k)*}, V^{(k)}(x)) = 1] < \varepsilon^{(k)} \approx \varepsilon^k$
The proof is by reduction. Assume $\exists$ ppt $P^{(k)*}$ that contradicts (2); we use it to build a ppt $P^*$ that contradicts (1).
* In the following we omit L and x, and assume wlog that $P^{(k)*}$ is deterministic
14
Defining $P^*$
[Figure: $P^{(k)*}$ facing k parallel verifiers; position i is chosen at random.]
15
Defining $P^*$
Find $q^{(k)}_{1,-i}$ such that $\Pr[(P^{(k)*}, V^{(k)}(x)) = 1 \mid q^{(k)}_1] \ge (1 - 1/2m)\,\varepsilon^{(k)}$, where $q^{(k)}_{1,i} = q_1$.
Let $a^{(k)}_1$ be $P^{(k)*}$’s answer on $q^{(k)}_1$
[Figure: $P^*$ receives $q_1$, runs $P^{(k)*}$, and replies $a_1 = a^{(k)}_{1,i}$.]
(If succeeded) we have reduced the problem to an (m-1)-round protocol.
Does such $q^{(k)}_{1,-i}$ always exist? W.h.p. over $q_1$, a noticeable fraction of the $q^{(k)}_{1,-i}$ are “good”.
How to find $q^{(k)}_{1,-i}$? Sample (at random) many candidates, and for each of them estimate $\alpha = \Pr[(P^{(k)*}, V^{(k)}(x)) = 1 \mid q^{(k)}_1]$
16
Estimating $\alpha$
[Figure: a candidate sampled at random; $P^{(k)*}$ receives $q_1, \dots, q_m$ and $q^{(k)}_{1,-i}, \dots, q^{(k)}_{m,-i}$ and answers $a_1, \dots, a_m$ and $a^{(k)}_{1,-i}, \dots, a^{(k)}_{m,-i}$.]
Estimate $\alpha$ as the fraction of successful (random) continuations (i.e., all verifiers accept)
Since V is public coin, sampling random continuations is easy.
Might be infeasible for an arbitrary V: as hard as finding a random preimage of an arbitrary (efficient) function.
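The sampling step above on a toy public-coin protocol, as an added example that is not from the slides. The 2-round protocol, the deterministic prover and every name in the code are constructed for illustration: copy j accepts iff its first coin is 0 or the prover's first answer equals its second coin.

```python
import itertools
import random

K = 4  # number of parallel copies (constructed toy parameter)

def prover_answers(q1):
    """Deterministic toy P^(k)*: first-round answers, a function of q1 only."""
    return tuple(q ^ 1 for q in q1)

def all_accept(q1, a1, q2):
    """Toy public-coin V^(k): copy j accepts iff q1[j] == 0 or a1[j] == q2[j]."""
    return all(q == 0 or a == c for q, a, c in zip(q1, a1, q2))

def estimate_alpha(q1, samples, rng):
    """Fraction of random continuations (fresh coins q2) in which all copies accept."""
    a1 = prover_answers(q1)
    hits = 0
    for _ in range(samples):
        q2 = tuple(rng.randrange(2) for _ in q1)  # public coins: trivial to sample
        hits += all_accept(q1, a1, q2)
    return hits / samples

def exact_alpha(q1):
    """Ground truth by enumerating every continuation (feasible only for a toy)."""
    a1 = prover_answers(q1)
    conts = list(itertools.product((0, 1), repeat=len(q1)))
    return sum(all_accept(q1, a1, q2) for q2 in conts) / len(conts)

def pick_first_round(q1_i, i, candidates, samples, rng):
    """P*'s search: fix the real query at position i, sample q1_{-i}, keep the best."""
    best_q1, best_est = None, -1.0
    for _ in range(candidates):
        q1 = [rng.randrange(2) for _ in range(K)]
        q1[i] = q1_i  # the query received from the real verifier
        est = estimate_alpha(tuple(q1), samples, rng)
        if est > best_est:
            best_q1, best_est = tuple(q1), est
    return best_q1, best_est

if __name__ == "__main__":
    rng = random.Random(1)
    q1, est = pick_first_round(1, 2, candidates=40, samples=2000, rng=rng)
    print(q1, est, exact_alpha(q1))
```

In this toy, $\alpha$ equals $2^{-(\text{number of 1s in } q^{(k)}_1)}$, so the "good" candidates are the ones with few hard copies, and the estimate separates them from the rest after a few thousand samples.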
17
The Random Terminating Case
[Figure: the same continuation picture for $P^{(k)*}$ against random terminating verifiers, with queries $q_1, q_2, \dots, q_m$ and $q^{(k)}_{1,-i}, \dots, q^{(k)}_{m,-i}$; labels: “Accepts & halts” and “Hard to sample”.]
18
$\alpha'$ approximates $\alpha$ well
Since (for large enough k) many of the $\widetilde{V}_j$’s are expected to halt after the first round, $\alpha' \approx \alpha$ for a random i
[Figure: $P^{(k)*}$ facing the k parallel random terminating verifiers; i chosen at random.]
19
Further Issues
More security preserving reductions (w.r.t. communication complexity)
More applications of “random terminating”