Delegation with (nearly) optimal time/space overhead Justin - - PowerPoint PPT Presentation

Delegation with (nearly) optimal time/space overhead

Justin Holmgren MIT Ron Rothblum MIT

Verifiable Computation

Verifiable Computation

Verifiable Computation

“M(x) = y” M(x)=?

Verifiable Computation

“M(x) = y” M(x)=? , challenge , proof

Verifiable Computation

accept? “M(x) = y” M(x)=? , challenge , proof

Verifiable Computation

Complexity
 << evaluating M(x)

accept? “M(x) = y” M(x)=? , challenge , proof

Verifiable Computation

Complexity
 << evaluating M(x)

accept?

Complexity
 ~evaluating M(x)

“M(x) = y” M(x)=? , challenge , proof

Verifiable Computation
 In Practice

Walfish, Blumberg ’15

Verifiable Computation
 In Practice

Walfish, Blumberg ’15

“An additional bottleneck is memory: the prover must materialize a transcript of a computation's execution.”

Verifiable Computation

Complexity
 << evaluating M(x)

“M(x) = y”, proof accept?

Complexity
 ~evaluating M(x)

• Prover efficiency
• Computational assumptions

Our focus: M(x)=?, challenge

Prior Work

Prior Work

Model Assumptions Prover Time Prover Space No-Signaling PCP


[KRR14, KP15, BHK16]

RAM PIR poly(T) poly(T)

Prior Work

Model Assumptions Prover Time Prover Space No-Signaling PCP


[KRR14, KP15, BHK16]

RAM PIR T 60? T 60?

Prior Work

Model Assumptions Prover Time Prover Space No-Signaling PCP


[KRR14, KP15, BHK16]

RAM PIR T 3? T 3?

Prior Work

Model Assumptions Prover Time Prover Space No-Signaling PCP


[KRR14, KP15, BHK16]

RAM PIR SNARKs

[BC12, BCCT12, …]

RAM Non-Falsifiable Succinct Garbling

[GHRW14, KLW15,
 CH15, CCCLLZ15]

RAM Obfuscation T · poly(κ) S · poly(κ) T · poly(κ) S · poly(κ) T 3? T 3?

Prior Work

Model Assumptions Prover Time Prover Space No-Signaling PCP


[KRR14, KP15, BHK16]

RAM PIR SNARKs

[BC12, BCCT12, …]

RAM Non-Falsifiable Succinct Garbling

[GHRW14, KLW15,
 CH15, CCCLLZ15]

RAM Obfuscation [this work] TM “Slightly”
 Homomorphic
 Encryption T · poly(κ) S · poly(κ) T · poly(κ) S · poly(κ) T · poly(κ) S + poly(κ) T 3? T 3?

Prior Work

Model Assumptions Prover Time Prover Space No-Signaling PCP


[KRR14, KP15, BHK16]

RAM PIR SNARKs

[BC12, BCCT12, …]

RAM Non-Falsifiable Succinct Garbling

[GHRW14, KLW15,
 CH15, CCCLLZ15]

RAM Obfuscation [this work] TM “Slightly”
 Homomorphic
 Encryption T · poly(κ) S · poly(κ) T · poly(κ) S · poly(κ) T · poly(κ) S + poly(κ)

Extends to (cache-efficient) RAM

T 3? T 3?

Prior Work

Model Assumptions Prover Time Prover Space No-Signaling PCP


[KRR14, KP15, BHK16]

RAM PIR SNARKs

[BC12, BCCT12, …]

RAM Non-Falsifiable Succinct Garbling

[GHRW14, KLW15,
 CH15, CCCLLZ15]

RAM Obfuscation [this work] TM “Slightly”
 Homomorphic
 Encryption T · poly(κ) S · poly(κ) T · poly(κ) S · poly(κ) T · poly(κ) S + poly(κ)

Extends to (cache-efficient) RAM

T 3? T 3?

Probabilistically Checkable Proofs

Probabilistically Checkable Proofs

Proof string π

π1 π2 … πL

Verifier

Input x

Probabilistically Checkable Proofs

Proof string π

π1 π2 … πL

Verifier

Input x i1 i2 i3

Probabilistically Checkable Proofs

Proof string π

π1 π2 … πL

Verifier

Input x

x ∈ L = ⇒ exists convincing proof

i1 i2 i3

Probabilistically Checkable Proofs

Proof string π

π1 π2 … πL

Verifier

Input x

x ∈ L = ⇒ exists convincing proof x 62 L = ) every proof convinces
 with low probability

i1 i2 i3

Probabilistically Checkable Proofs

Proof string π

π1 π2 … πL

Verifier

Input x

x ∈ L = ⇒ exists convincing proof x 62 L = ) every proof convinces
 with low probability

i1 i2 i3

Not a standard-model
 delegation scheme

PCP-based Delegation

PCP-based Delegation

PCP proof π PCP verifier

PCP-based Delegation

PCP proof π independent PIR queries

i1 , . . . , ik πi1 , . . . , πik

PCP verifier

PCP-based Delegation

PCP proof π independent PIR queries

i1 , . . . , ik πi1 , . . . , πik

PCP verifier

[Biehl-Meyer-Wetzel 98]

PCP-based Delegation

PCP proof π independent PIR queries

i1 , . . . , ik πi1 , . . . , πik

PCP verifier

• Not sound in general


[Dwork-Langberg-Naor-Nissim-Reingold 01] [Biehl-Meyer-Wetzel 98]

PCP-based Delegation

PCP proof π independent PIR queries

i1 , . . . , ik πi1 , . . . , πik

PCP verifier

• Not sound in general


[Dwork-Langberg-Naor-Nissim-Reingold 01]

• Sound if the PCP is no-signaling sound


[Kalai-Raz-Rothblum 14] [Biehl-Meyer-Wetzel 98]

PCP-based Delegation

PCP proof π independent PIR queries

i1 , . . . , ik πi1 , . . . , πik

PCP verifier

• Not sound in general


[Dwork-Langberg-Naor-Nissim-Reingold 01]

• Sound if the PCP is no-signaling sound


[Kalai-Raz-Rothblum 14] [Biehl-Meyer-Wetzel 98]

no precomputation!

PCP-based Delegation

PCP proof π independent PIR queries

i1 , . . . , ik πi1 , . . . , πik

PCP verifier

• Not sound in general


[Dwork-Langberg-Naor-Nissim-Reingold 01]

• Sound if the PCP is no-signaling sound


[Kalai-Raz-Rothblum 14] [Biehl-Meyer-Wetzel 98]

no precomputation! general computations!

PCP proof π PCP verifier

Observation 0

independent PIR queries

i1 , . . . , ik πi1 , . . . , πik

PCP proof π PCP verifier

Observation 0

independent PIR queries

i1 , . . . , ik πi1 , . . . , πik

FHE ciphertexts

PCP proof π PCP verifier

Observation 0

• If PIR = FHE, just need efficient “random-

access” to PCP.

independent PIR queries

i1 , . . . , ik πi1 , . . . , πik

FHE ciphertexts

PCP proof π PCP verifier

Observation 0

• If PIR = FHE, just need efficient “random-

access” to PCP.

independent PIR queries

i1 , . . . , ik πi1 , . . . , πik

FHE ciphertexts

No-Signaling PCP with efficient prover $$$ reward

Our Technical Contributions

Our Technical Contributions

1 Simpler and direct NS-PCP for any language L ∈ TISP(T, S) (essentially BFLS)

Our Technical Contributions

1 Simpler and direct NS-PCP for any language L ∈ TISP(T, S)

Remove major component of KRR, namely “augmented circuit”

(essentially BFLS)

Our Technical Contributions

1 Simpler and direct NS-PCP for any language L ∈ TISP(T, S) 2 Super-efficient prover: Any symbol computable in ˜ O(T) S + polylog(T) time: space:

Remove major component of KRR, namely “augmented circuit”

(essentially BFLS)

Our Technical Contributions

1 Simpler and direct NS-PCP for any language L ∈ TISP(T, S) 2 Super-efficient prover: Any symbol computable in ˜ O(T) S + polylog(T) time: space:

Remove major component of KRR, namely “augmented circuit”

2’ Limited efficiency loss under FHE (essentially BFLS)

Our Technical Contributions

1 Simpler and direct NS-PCP for any language L ∈ TISP(T, S) 2 Super-efficient prover: Any symbol computable in ˜ O(T) S + polylog(T) time: space:

Remove major component of KRR, namely “augmented circuit”

2’ Limited efficiency loss under FHE time: T · poly(λ) (essentially BFLS)

Our Technical Contributions

1 Simpler and direct NS-PCP for any language L ∈ TISP(T, S) 2 Super-efficient prover: Any symbol computable in ˜ O(T) S + polylog(T) time: space:

Remove major component of KRR, namely “augmented circuit”

2’ Limited efficiency loss under FHE time: T · poly(λ) S + poly(λ) space: (essentially BFLS)

Our Technical Contributions

1 Simpler and direct NS-PCP for any language L ∈ TISP(T, S) 2 Super-efficient prover: Any symbol computable in ˜ O(T) S + polylog(T) time: space:

Remove major component of KRR, namely “augmented circuit”

2’ Limited efficiency loss under FHE time: T · poly(λ) S + poly(λ) space: (essentially BFLS)

BFLS already known to be complexity-preserving? [BC12, BTVW14]

Our Technical Contributions

1 Simpler and direct NS-PCP for any language L ∈ TISP(T, S) 2 Super-efficient prover: Any symbol computable in ˜ O(T) S + polylog(T) time: space:

Remove major component of KRR, namely “augmented circuit”

2’ Limited efficiency loss under FHE time: T · poly(λ) S + poly(λ) space: (essentially BFLS)

BFLS already known to be complexity-preserving? [BC12, BTVW14] for deterministic
 computations

Our Technical Contributions

1 Simpler and direct NS-PCP for any language L ∈ TISP(T, S) 2 Super-efficient prover: Any symbol computable in ˜ O(T) S + polylog(T) time: space:

Remove major component of KRR, namely “augmented circuit”

2’ Limited efficiency loss under FHE time: T · poly(λ) S + poly(λ) space: (essentially BFLS)

BFLS already known to be complexity-preserving? [BC12, BTVW14] for deterministic
 computations with non-deterministic
 computations

Talk Outline

Talk Outline

NOT proving NS-soundness of BFLS for deterministic circuits

Talk Outline

NOT proving NS-soundness of BFLS for deterministic circuits Part 1: Turing / RAM Machines (non-succinct) deterministic circuits

Talk Outline

NOT proving NS-soundness of BFLS for deterministic circuits Part 1: Turing / RAM Machines (non-succinct) deterministic circuits Part 2: (part of) BFLS prover efficiency despite non- succinctness.

Turing Machines as Circuits

TM Configuration

tape

Turing Machines as Circuits

TM Configuration

tape

Turing Machines as Circuits

TM Configuration

tape

Turing Machines as Circuits

TM Configuration

tape

…

Config0 Config1

…

ConfigT-1

Transcript / Circuit

Turing Machines as Circuits

TM Configuration

tape

…

Config0 Config1

…

ConfigT-1

Transcript / Circuit

Turing Machines as Circuits

TM Configuration

tape

…

RAM Machines as Circuits

Configuration:

RAM Machines as Circuits

Configuration:

(diameter log S) leaves = memory

RAM Machines as Circuits

Configuration:

(diameter log S) leaves = memory

RAM Machines as Circuits

Configuration:

(diameter log S) leaves = memory

RAM Machines as Circuits

Configuration:

(diameter log S) leaves = memory

RAM Machines as Circuits

Configuration: Important for BFLS:
 Graph is “regular”!

(diameter log S) leaves = memory

RAM Machines as Circuits

Configuration: Transcript / Circuit:

Config0 Config1

…

ConfigT-1

Important for BFLS:
 Graph is “regular”!

(diameter log S) leaves = memory

RAM Machines as Circuits

Configuration: Transcript / Circuit:

Config0 Config1

…

ConfigT-1

Important for BFLS:
 Graph is “regular”!

(diameter log S) leaves = memory

RAM Machines as Circuits

Configuration: Transcript / Circuit:

Config0 Config1

…

ConfigT-1

Important for BFLS:
 Graph is “regular”!

(diameter log S) leaves = memory no routing networks!

RAM Machines as Circuits

Configuration: Transcript / Circuit:

Config0 Config1

…

ConfigT-1

Important for BFLS:
 Graph is “regular”!

(diameter log S) leaves = memory no Merkle trees! no routing networks!

The PCP (BFLS) Part 1: Multilinear extension

The PCP (BFLS) Part 1: Multilinear extension

Let be any function. f : {0, 1}m → F

The PCP (BFLS) Part 1: Multilinear extension

1 Let be any function. f : {0, 1}m → F

The PCP (BFLS) Part 1: Multilinear extension

1 multilinear 1

• 1
• 2

2 3

• 2 -3
• 4 -6

ˆ f : Fm → F Let be any function. f : {0, 1}m → F

The PCP (BFLS) Part 1: Multilinear extension

1 multilinear 1

• 1
• 2

2 3

• 2 -3
• 4 -6

ˆ f : Fm → F Let be any function. f : {0, 1}m → F ˆ f( ) = X

x∈{0,1}m

f(x) · ˆ 1x( )

The PCP (BFLS) Part 1: Multilinear extension

1 multilinear 1

• 1
• 2

2 3

• 2 -3
• 4 -6

ˆ f : Fm → F Let be any function. f : {0, 1}m → F ˆ f( ) = X

x∈{0,1}m

f(x) · ˆ 1x( )

“funny x” ∈ Fm

The PCP (BFLS) Part 1: Multilinear extension

1 multilinear 1

• 1
• 2

2 3

• 2 -3
• 4 -6

ˆ f : Fm → F Let be any function. f : {0, 1}m → F ˆ f( ) = X

x∈{0,1}m

f(x) · ˆ 1x( )

“funny x” ∈ Fm “bold x” ∈ {0, 1}m

Prover Efficiency

• 1. Evaluating extension of transcript

sum sum

ˆ C : {0, 1}t+s → {0, 1}

Prover Efficiency

• 1. Evaluating extension of transcript

sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

Prover Efficiency

• 1. Evaluating extension of transcript

sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

Prover Efficiency

• 1. Evaluating extension of transcript

Config0

3

sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

Prover Efficiency

• 1. Evaluating extension of transcript

Config0

3

sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

Prover Efficiency

• 1. Evaluating extension of transcript

Config0

3 1

sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

Prover Efficiency

• 1. Evaluating extension of transcript

Config0

3 1

sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

Prover Efficiency

• 1. Evaluating extension of transcript

Config0

3 1 2

sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

Prover Efficiency

• 1. Evaluating extension of transcript

Config0

3 1 2

sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

Prover Efficiency

• 1. Evaluating extension of transcript

Config0

3 1 2 2

sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

Prover Efficiency

• 1. Evaluating extension of transcript

Config0

3 1 2 2

sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

Prover Efficiency

• 1. Evaluating extension of transcript

Config0

3 1 2 2 5

sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

Prover Efficiency

• 1. Evaluating extension of transcript

Config0

3 1 2 2 5

sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1

3 1 2 2 5

sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1

3 1 2 2 5

sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1

3 1 2 2 5

sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1

3 1 2 2 5

sum sum

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1

3 1 2 2 5

sum sum was 3,
 now 0

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

• 3

13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1

3 1 2 2 5

sum sum was 3,
 now 0

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

• 3

13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1

3 1 2 2 5

sum sum was 3,
 now 0

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

• 3

10 13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1

3 1 2 2 5

sum sum was 3,
 now 0

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

• 3

10 13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1 Config2

3 1 2 2 5

sum sum was 3,
 now 0

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

• 3

10 13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1 Config2

3 1 2 2 5

sum sum was 3,
 now 0 was 1,
 now 2

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

+1

• 3

10 13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1 Config2

3 1 2 2 5

sum sum was 3,
 now 0 was 1,
 now 2

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

+1

• 3

10 13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1 Config2

3 1 2 2 5

sum sum was 3,
 now 0 was 1,
 now 2

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

11 +1

• 3

10 13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1 Config2

3 1 2 2 5

sum sum was 3,
 now 0 was 1,
 now 2

ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

11 +1

• 3

10 13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1 Config2

3 1 2 2 5

sum sum was 3,
 now 0 was 1,
 now 2

… ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

11 +1

• 3

X

x,y

C(x, y)

10 13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1 Config2

3 1 2 2 5

sum sum was 3,
 now 0 was 1,
 now 2

… ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

11 +1

• 3

X

x,y

C(x, y)

10 13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1 Config2

3 1 2 2 5

sum sum was 3,
 now 0 implicit
 enumeration


• f

was 1,
 now 2

… ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

11 +1

• 3

X

x,y

C(x, y)

10 13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1 Config2

3 1 2 2 5

sum sum was 3,
 now 0 implicit
 enumeration


• f

was 1,
 now 2

… ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

11 +1

• 3

X

x,y

C(x, y)

10 13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1 Config2

3 1 2 2 5

sum sum was 3,
 now 0 implicit
 enumeration


• f

was 1,
 now 2

… ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

11 +1

• 3

X

x,y

C(x, y)

10 13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1

Coefficients structured;
 all is still well

Config2

3 1 2 2 5

sum sum was 3,
 now 0 implicit
 enumeration


• f

was 1,
 now 2

… ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

11 +1

• 3

X

x,y

C(x, y)

10 13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1

Coefficients structured;
 all is still well

Config2

3 1 2 2 5

sum sum was 3,
 now 0 implicit
 enumeration


• f

was 1,
 now 2

… ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

11 +1

• 3

X

x,y

C(x, y)

10 13

Prover Efficiency

• 1. Evaluating extension of transcript

Config0 Config1

Coefficients structured;
 all is still well

Config2

3 1 2 2 5

sum sum was 3,
 now 0 implicit
 enumeration


• f

was 1,
 now 2

… ˆ C : {0, 1}t+s → {0, 1} ˆ C( , ) = X

y,x

C(y, x) · ˆ 1y,x( , )

Additional Challenges

Additional Challenges

• Other (sum-check) polynomials

Additional Challenges

• Other (sum-check) polynomials
• Getting rid of KRR’s augmented circuit

Additional Challenges

• Other (sum-check) polynomials
• Getting rid of KRR’s augmented circuit
• Prover efficiency under somewhat homomorphic

encryption

Additional Challenges

• Other (sum-check) polynomials
• Getting rid of KRR’s augmented circuit
• Prover efficiency under somewhat homomorphic

encryption

• Low multiplicative degree,


O(1) field operations per step

Additional Challenges

• Other (sum-check) polynomials
• Getting rid of KRR’s augmented circuit
• Prover efficiency under somewhat homomorphic

encryption

• Low multiplicative degree,


O(1) field operations per step

• Space stays , not

S + poly(κ) S · poly(κ)

Summary

Assumptions Prover Time Prover Space No-Signaling PCPs [KRR, …] PIR SNARKs

[BC,BCCT, …]

Non-Falsifiable Succinct Garbling

[GHRW, KLW, …]

Obfuscation/ multilinear maps [this work] ≥ T 3S3 ≥ T 3S3 T · poly(κ) S · poly(κ) T · poly(κ) S · poly(κ) T · poly(κ) S + poly(κ) “Slightly”
 Homomorphic
 Encryption

Open Questions

• How does this compare in practice? What are the

remaining bottlenecks?

• Can PCP query complexity be reduced?
• Is there an FHE scheme which is extra efficient for
• ur prover?
• Efficiently evaluate low-degree arithmetic circuits

(large fields)

Open Questions

• How does this compare in practice? What are the

remaining bottlenecks?

• Can PCP query complexity be reduced?
• Is there an FHE scheme which is extra efficient for
• ur prover?
• Efficiently evaluate low-degree arithmetic circuits

(large fields)

low “asymmetric” degree (GSW) even better