Doubly Efficient Interactive Proofs Ron Rothblum
Outsourcing Computation Weak client outsources computation to the cloud. π¦ π§ = π(π¦)
Outsourcing Computation We do not want to blindly trust the cloud. π¦ π§ = π(π¦) Key security concern: Correctness: why should we trust the serverβs answer?
Interactive Proofs to the Rescue? Interactive Proof [GMR85]: prover π tries to interactively convince a polynomial-time verifier π that π π¦ = π§ . π π¦ = π§ β π convinces π . π π¦ β π§ β no π β can convince π wp β₯ 1/2 . Key Problem: in classical results complexity of proving is actually exponential: IP=PSPACE [LFKN90,Shamir90]: Interactive Proofs for space π computations with 2 poly π prover, poly(π, π) verification, poly(π) rounds.
Doubly Efficient Interactive Proof [GKR08] Interactive proof for π π¦ = π§ where the prover is efficient , and the verifier is super efficient . Proportional to Much faster than complexity of π complexity of π Soundness holds against any (computationally unbounded) cheating prover.
Why Proof and not Arguments*? 1. Security against unbounded adversary. ο§ Post-quantum secure, post post quantum secureβ¦ 2. No reliance on unproven crypto assumptions 3. Do not use any expensive crypto operations β Even if not currently practical, no clear bottleneck (e.g., [GKR08] )β¦ * Disclaimer: arguments are GREAT! (e.g., [KRR14])
Doubly Efficient Interactive Proofs: The State of the Art Logspace uniform 1) [GKR08]: Bounded Depth ππ· β’ Any bounded-depth circuit. β’ (Almost) linear time verifier, poly-time prover. β’ Number of rounds proportional to circuit depth. 2) [RRR16]: Bounded Space β’ Any bounded-space computation. β’ (Almost) linear time verifier, poly-time prover. β’ π· π rounds.
Constant-Round Doubly Efficient Interactive Proofs Theorem [RRR16]: βπ > 0 s.t. every language computable in poly(π) time and π π space has an unconditionally sound interactive proof where: 1. Verifier is (almost) linear time. 2. Prover is polynomial-time. 3. Constant number of rounds.
Tightness Define IP DE as class of languages having doubly efficient interactive proofs. IP DE TISP(poly π , π π )
Roadmap: A Taste of the Proof Iterative construction: 1. Start with interactive proof for short computations. 2. Build interactive proof for slightly longer computations. 3. Repeat.
Iterative Construction Suppose we have interactive proofs for time π/π and space π computations. Consider a time π and space π computation. π π¦ π§ π
Divide & Conquer Divide: Prover sends Turing machine configuration in π βͺ π intermediate steps. π¦ π§ π’ π/π π’ 2π/π β¦ π’ (πβ1)π/π Conquer? recurse on all subcomputations. Problem: verification blows up, no savings.
Divide & Conquer Divide: Prover sends Turing machine configuration in π βͺ π intermediate steps. π¦ π§ π’ π/π π’ 2π/π β¦ π’ (πβ1)π/π Conquer? Choose a few at random and recurse. Problem: huge soundness error.
Best of Both Worlds? Can we batch verify π instances much more efficiently than π independent executions. Goal: β’ Suppose π¦ β π can be verified in time π’. β’ Want to verify π¦ 1 , β¦ , π¦ π β π in βͺ π β π’ time.
Concrete Example: Batch Verification of πππ΅ moduli Def: integer π is an RSA modulos if it is the product of two π -bit primes π = π β π . The proof that π is an RSA modulos is its factorization. Can we verify π RSA moduli more efficiently? πΎ(πΆ π , β¦ , πΆ π ) πΈ(π π , π π β¦ , π π , π π ) βͺ π β π communication
Warmup: Batch Verification for ππ ππ β ππ are all relations with unique accepting witnesses. π = witness length Theorem [RRR16]: Every π β ππ, has an interactive proof for verifying that π¦ 1 , β¦ , π¦ π β π with π β πͺπ©π¦π³π¦π©π‘(π) + π·(π) communication. For batch verification of interactive proofs we introduce interactive analogs of ππ and πππ .
Constant-Round Doubly Efficient Interactive Proofs Theorem [RRR16]: βπ > 0 s.t. every language computable in poly(π) time and π π space has an unconditionally sound interactive proof where: 1. Verifier is (almost) linear time. 2. Prover is polynomial-time. 3. Constant number of rounds.
Sublinear Time Verification Motivation: statistical analysis of vast amounts of data. Huge Database Huge Database
Sublinear Time Verification Can we verify without even reading the input? Yes! If we allow for approximation. Following Property Testing [GGR98] : only required to reject inputs that are far from the language.
Sublinear Time Verification Revisiting classical notions of proof-systems: Gur-R13, NP Fischer-Goldhirsh-Lachish13, Goldreich-Gur-R15 Rothblum-Vadhan-Wigderson13, Kalai-R15, Goldreich-Gur-R15, Interactive Proof Goldreich-Gur16, Reingold-Rothblum-R16, Gur-R17 Zero-Knowledge Berman-R-Vaikuntanathan17 Ergun-Kumar-Rubinfeld04, Dinur-Reingold06, PCP/MIP BenSasson-Goldreich-Harsha-Sudan-Vadhan06, Gur-Ramnarayan-R17
Open Problems β’ Research directions: β Bridge theory and practice. β Sublinear time verification. β’ Concrete questions: β IP=PSPACE with βefficientβ prover. β Batch verification for all of NP. β [GR17]: Simpler and more efficient protocols (even for smaller classes). β Improve [RRR16] round complexity: even exponentially.
More recommend
![Interactive Proofs Lecture 18 AM 1 Interactive Proofs 2 Interactive Proofs IP[k] 2](https://c.sambuz.com/697105/interactive-proofs-s.jpg)
![29.09.2007 No Shortage of Public Fears RFID and Privacy The risk [RFID] poses to humanity](https://c.sambuz.com/826169/29-09-2007-s.jpg)
