Doubly Efficient Interactive Proofs
Ron Rothblum
SLIDE 1
SLIDE 2
Outsourcing Computation
Weak client outsources computation to the cloud.
[Figure: client sends x, cloud returns y = f(x)]
SLIDE 3
Outsourcing Computation
We do not want to blindly trust the cloud.
[Figure: client sends x, cloud returns y = f(x)]
Key security concern: Correctness: why should we trust the server's answer?
SLIDE 4
Interactive Proofs to the Rescue?
Interactive Proof [GMR85]: prover P tries to interactively convince a polynomial-time verifier V that f(x) = y.
- f(x) = y ⇒ P convinces V.
- f(x) ≠ y ⇒ no P* can convince V w.p. ≥ 1/2.
Key Problem: in classical results complexity of proving is actually exponential:
IP=PSPACE [LFKN90,Shamir90]: Interactive Proofs for space S computations with 2^poly(S) prover, poly(n, S) verification, poly(S) rounds.
SLIDE 5
Doubly Efficient Interactive Proof
[GKR08] Interactive proof for f(x) = y where the prover is efficient (proportional to complexity of f), and the verifier is super efficient (much faster than complexity of f).
Soundness holds against any (computationally unbounded) cheating prover.
SLIDE 6
Why Proof and not Arguments*?
1. Security against unbounded adversary.
   - Post-quantum secure, post post quantum secure…
2. No reliance on unproven crypto assumptions.
3. Do not use any expensive crypto operations.
   - Even if not currently practical, no clear bottleneck (e.g., [GKR08])…
* Disclaimer: arguments are GREAT! (e.g., [KRR14])
SLIDE 7
Doubly Efficient Interactive Proofs: The State of the Art
1) [GKR08]: Bounded Depth
- Any bounded-depth circuit (logspace uniform NC).
- (Almost) linear time verifier, poly-time prover.
- Number of rounds proportional to circuit depth.
2) [RRR16]: Bounded Space
- Any bounded-space computation.
- (Almost) linear time verifier, poly-time prover.
- O(1) rounds.
SLIDE 8
Constant-Round Doubly Efficient Interactive Proofs
Theorem [RRR16]: ∃δ > 0 s.t. every language computable in poly(n) time and n^δ space has an unconditionally sound interactive proof where:
1. Verifier is (almost) linear time.
2. Prover is polynomial-time.
3. Constant number of rounds.
SLIDE 9
Tightness
Define IP_DE as the class of languages having doubly efficient interactive proofs.
IP_DE   TISP(poly(n), n^δ)
SLIDE 10
Roadmap: A Taste of the Proof
Iterative construction:
1. Start with interactive proof for short computations.
2. Build interactive proof for slightly longer computations.
3. Repeat.
SLIDE 11
Iterative Construction
Suppose we have interactive proofs for time T/k and space S computations. Consider a time T and space S computation.
[Figure: the computation from x to y, labelled T and S]
SLIDE 12
Divide & Conquer
[Figure: the computation from x to y, with intermediate configurations at steps T/k, 2T/k, …, (k−1)T/k]
Divide: Prover sends Turing machine configuration in k ≪ T intermediate steps.
Conquer? Recurse on all subcomputations.
Problem: verification blows up, no savings.
SLIDE 13
Divide & Conquer
[Figure: the computation from x to y, with intermediate configurations at steps T/k, 2T/k, …, (k−1)T/k]
Divide: Prover sends Turing machine configuration in k ≪ T intermediate steps.
Conquer? Choose a few at random and recurse.
Problem: huge soundness error.
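The trade-off on the two Divide & Conquer slides, as an added example that is not part of the original slides: a toy deterministic machine, a prover who lies only in the last segment, and a verifier who re-runs q randomly chosen segments directly instead of recursing. The step function, the sample input and the names T, k, q and all helpers are assumptions of this sketch; T is assumed divisible by k.

```python
import random
from fractions import Fraction

MASK = 2**64 - 1

def step(cfg):
    # Constructed stand-in for one machine step on a 64-bit "configuration".
    return (cfg * 6364136223846793005 + 1442695040888963407) & MASK

def run(cfg, steps):
    for _ in range(steps):
        cfg = step(cfg)
    return cfg

def honest_checkpoints(x, T, k):
    """Configurations after T/k, 2T/k, ..., T steps; the last one is y."""
    cps, cfg = [], x
    for _ in range(k):
        cfg = run(cfg, T // k)
        cps.append(cfg)
    return cps

def cheating_checkpoints(x, T, k):
    """Honest everywhere except the last segment, which ends in a false y."""
    cps = honest_checkpoints(x, T, k)
    cps[-1] ^= 1
    return cps

def spot_check(x, cps, T, k, q, rng):
    """Verifier re-runs q random segments (q*T/k steps instead of T)."""
    starts = [x] + cps[:-1]
    return all(run(starts[i], T // k) == cps[i]
               for i in rng.sample(range(k), q))

def escape_probability(k, q):
    """Chance that q distinct random segments all miss the one bad segment."""
    return 1 - Fraction(q, k)

def measured_escape_rate(x, T, k, q, trials, seed=0):
    rng = random.Random(seed)
    cps = cheating_checkpoints(x, T, k)
    return sum(spot_check(x, cps, T, k, q, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    T, k, q = 1600, 16, 2
    print("exact escape probability:", escape_probability(k, q))
    print("measured:", measured_escape_rate(12345, T, k, q, trials=2000))
```

Setting q = k removes the soundness error but costs the verifier the full T steps, which is the "no savings" case on the previous slide.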
SLIDE 14
Best of Both Worlds?
Goal: Can we batch verify k instances much more efficiently than k independent executions?
- Suppose x ∈ L can be verified in time t.
- Want to verify x1, …, xk ∈ L in ≪ k · t time.
SLIDE 15
Concrete Example: Batch Verification of RSA moduli
Def: integer N is an RSA modulus if it is the product of two n-bit primes N = p · q.
The proof that N is an RSA modulus is its factorization.
Can we verify k RSA moduli more efficiently?
[Figure: prover P(p1, q1, …, pk, qk) and verifier V(N1, …, Nk), with ≪ k · n communication]
SLIDE 16
Warmup: Batch Verification for UP
UP ⊆ NP are all relations with unique accepting witnesses.
Theorem [RRR16]: Every L ∈ UP has an interactive proof for verifying that x1, …, xk ∈ L with m · polylog(k) + O(k) communication (m = witness length).
For batch verification of interactive proofs we introduce interactive analogs of UP and PCP.
SLIDE 17
Constant-Round Doubly Efficient Interactive Proofs
Theorem [RRR16]: ∃δ > 0 s.t. every language computable in poly(n) time and n^δ space has an unconditionally sound interactive proof where:
1. Verifier is (almost) linear time.
2. Prover is polynomial-time.
3. Constant number of rounds.
SLIDE 18
Sublinear Time Verification
[Figure: Huge Database]
Motivation: statistical analysis of vast amounts of data.
SLIDE 19
Sublinear Time Verification
Can we verify without even reading the input? Yes! If we allow for approximation. Following Property Testing [GGR98]: only required to reject inputs that are far from the language.
SLIDE 20
Sublinear Time Verification
Revisiting classical notions of proof-systems:
- NP: Gur-R13, Fischer-Goldhirsh-Lachish13, Goldreich-Gur-R15
- Interactive Proof: Rothblum-Vadhan-Wigderson13, Kalai-R15, Goldreich-Gur-R15, Goldreich-Gur16, Reingold-Rothblum-R16, Gur-R17
- Zero-Knowledge: Berman-R-Vaikuntanathan17
- PCP/MIP: Ergun-Kumar-Rubinfeld04, Dinur-Reingold06, BenSasson-Goldreich-Harsha-Sudan-Vadhan06, Gur-Ramnarayan-R17
SLIDE 21
Open Problems
- Research directions:
  - Bridge theory and practice.
  - Sublinear time verification.
- Concrete questions: