SLIDE 1
Delegation with Updatable Unambiguous Proofs and PPAD-Hardness
Lisa Yang MIT
Based on joint work with Yael Tauman Kalai and Omer Paneth
Delegation with Updatable Unambiguous Proofs and PPAD-Hardness - - PowerPoint PPT Presentation
Delegation with Updatable Unambiguous Proofs and PPAD-Hardness - - PowerPoint PPT Presentation
Delegation with Updatable Unambiguous Proofs and PPAD-Hardness Lisa Yang MIT Based on joint work with Yael Tauman Kalai and Omer Paneth time computation = ? Delegation () = y Proof checks in time
SLIDE 2
SLIDE 3
Publicly Verifiable Delegation
π(π¦) = y Proof Ξ
π·ππ
SLIDE 4
Prior Work: Publicly Verifiable Delegation
Strong assumptions
- Random Oracle Model
[Micali94]
- Knowledge assumptions
- Indistinguishability Obfuscation
- Multilinear maps
[Paneth-Rothblum17]
Delegation for bounded-depth circuits via Fiat-Shamir
- Optimal security of LWE
[Canetti-Chen-Holmgren-Lombardi-Rothblum-Rothblum-Wichs19]
- Sub-exponential LWE
[Kalai-Zhang20]
Delegation for polynomial-time computations
- Bilinear groups
[Kalai-Paneth-Y19] [Groth10, Lipma12, Gennaro-Gentry-Parno-Raykova12, Bitansky- Canetti-Chiesa-Tromer12, Bitansky-Chiesa-Ishai-Ostrovsky-Paneth13β¦] [Bitansky-Sanjam-Lin-Pass-Telang14,Canetti-Holmgren-Jain- Vaikuntanathan14,Koppula-Lewko-Waters14, Canetti- Holmgren16, Chen-Chow-Chung-Lai16]
SLIDE 5
π·π β¦ π·ππ+1 π·ππ π·0
Updatable Proofs [Valiant08]
Consider a long computation π·0 β π·π carried
- ut over πΆ iterations
Updatable Proofs: update Ξ π into Ξ π+1 Want the proof update to take time ~ computation performed Want proofs to remain succinct
[Bitansky-Canetti-Chiesa-Tromer13] using SNARKs
(based on strong assumptions)
Ξ π Ξ π+1
SLIDE 6
Unambiguous Proofs
π(π¦) = y Proofs Ξ β Ξ β²
π·ππ Unambiguous Proofs: πβ(π·ππ) cannot output Ξ β Ξ β² for the same statement π π¦ = π§ (except with negligible probability over π·ππ)
[Reingold-Rothblum-Rothblum]
SLIDE 7
Our Results: Delegation
Delegation with updatable and unambiguous proofs based on the decisional bilinear group assumption:
For a bilinear group π» of order π = 2Ξ(π) and π½ = π(log π) given for random π β π» and π‘ β β€π it is hard to distinguish whether π’ = π‘2π½+1 or π’ is an independent random element in β€π.
[Kalai-Paneth-Y19]
SLIDE 8
Our Results: PPAD-Hardness
PPAD-Hardness based on:
- 1. The quasi-polynomial hardness of KPYβs bilinear group assumption
- 2. Any hard language π decidable in super-polynomial time (and
polynomial space)
- For example, the hardness of SAT for sub-exponential size circuits
(non-uniform ETH) suffices
[Choudhuri-Hubacek-Kamath-Pietrzak-Rosen-Rothblum19]
SLIDE 9
Related Work: PPAD-Hardness
Strong assumptions
- Indistinguishability Obfuscation
- Functional Encryption assumptions [Garg-Pandey-Srinivasan16, Komargodski-Segev17]
Fiat-Shamir interactive protocol for a particular language
- Security of Fiat-Shamir/Optimal security of LWE
- Sub-exponential LWE
Polynomial Local Search (PLS) Hardness
[Abbot-Kane-Valiant04, Bitanski-Paneth-Rosen15, Hubacek-Yogev17] [Choudhuri-Hubacek-Kamath-Pietrzak-Rosen- Rothblum19, Ephraim-Freitag-Komargodski-Pass19] [Lombardi-Vaikuntanathan20, Kalai-Zhang20, Jawale-Khurana20] [Bitansky-Gerichter20]
SLIDE 10
- 1. Delegation with Updatable Proofs
- Use recursive proof composition
- Without strong assumptions!
Local extraction [Kalai-Paneth-Y19]
SLIDE 11
π·ππΆ β¦ π·π2 π·π1 π·0 π·ππΆ Verify Ξ πΆ β¦ π·π2 Verify Ξ 2 π·π1 Verify Ξ 1 π·0 Ξ β² Ξ 1 Ξ πΆ Ξ 2 β¦ πππ ππ π·ππβ1, Ξ π, π·ππ πβ[πΆ] replaces this with π·0, Ξ β², π·ππΆ
- 1. Delegation with Updatable Proofs
Ξ contains πΆ proofs Ξ π:π·ππβ1 β π·ππ
Ξ β² βͺ Ξ 1 + β―+ |Ξ πΆ|
nondeterministic Ξ : π·0 β π·π Update Ξ : Append proof for computation performed Proof grows!! Local extraction suffices!
SLIDE 12
Ξ = ?
π1 π1 ππ ππ π·ππ encoded computation tableau
π π¦ = π§
π§ π¦
π π checks Ξ using Zero-Test
[Paneth-Rothblum17]
Homomorphic encryption
KPY Delegation
π = πΊ(π)
SLIDE 13
- 2. Delegation with Unambiguous Proofs
- Observation: need to use encryption with unambiguity property
- Unambiguity of Ciphertexts: any πβ(π·ππ) cannot generate two
different ciphertexts that encrypt the same message
- KPY Encryption:
- π‘π = π‘ β πΎ
- π = ππ β πΎ[π¦]
- πβ β π = ππ,πβ² = ππβ² such that π π‘ = πβ² π‘ = π
- Unambiguous Proofs: suffices to ensure unambiguity of answers
π π‘ = π
SLIDE 14
- 2. Unambiguity of Answers
- [Kalai-Raz-Rothblum14] for π β 0,1 β answers are unambiguous
- Need unambiguous answers for π β πΎβ
- Observation: If π evaluates a multilinear polynomial then can
show unambiguity of answers for every π β πΎβ
- Idea: Ask π to send a βproof of multilinearityβ for his
evaluated ciphertexts
π§ π¦
π
Notion of local multilinearity!
π = πΊ(π)
SLIDE 15
Proof of Local Multilinearity
- π homomorphically evaluates πΊ(π1 β¦ πβ)
- First attempt: ask π for the restriction of πΊ in each coordinate
Evaluate encryptions of (π΅π, πΆπ) such that πΊ Τ¦ π = π΅π β ππ + πΆπ π checks consistency using the Zero-Test
- Problem: πβ can compute (π΅π, πΆπ) using πΉππ(ππ)
- Idea: encrypt Τ¦
π again without π'th coordinate Ask π for π΅π
β²,πΆπ β²
- Test that π΅π, πΆπ = π΅π
β²,πΆπ β²
βProof of Equalityβ π evaluated same function on both encryptions
SLIDE 16
Delegation with Updatable Unambiguous Proofs
Not done yet⦠To show unambiguity of entire proof:
- Unambiguity of other ciphertexts in KPY proof
- Unambiguity of ciphertexts we added βΊ
Equality and Multilinearity proofs
- Show unambiguity preserved in recursive proof composition
Updatable proofs
SLIDE 17
Summary
- Our Results:
- Delegation with updatable and unambiguous proofs based on
the KPY bilinear group assumption
- PPAD-Hardness based on the quasi-polynomial hardness of the
KPY bilinear group assumption (and any hard language)
- Power of local proofs:
- recursive proof composition (updatable proofs)
- proof of multilinearity (unambiguous proofs)
Standard assumptions!
SLIDE 18
Thank you!
lisayang@mit.edu