Interactive Verifiable Polynomial Evaluation Saeid Sahraei, Mohammad - - PowerPoint PPT Presentation

Saeid Sahraei, Mohammad Ali Maddah-Ali and Salman Avestimehr

Interactive Verifiable Polynomial Evaluation

ISIT, June 2020

Motivation

• Cloud computing enables users to delegate computationally heavy

tasks to commercial servers.

• But, how can we trust that the service providers do the actual

computations?

• The users must also be able to detect adversarial behaviors.

User (verifier) Server (prover) 𝑔 ⋅ , 𝑦 መ 𝑔(𝑦) Verify that መ 𝑔 𝑦 = 𝑔(𝑦)

Query Response Query Response ⋯ The user learns 𝑔(𝑦0) reliably

(Interactive) Verifiable Computation

• The function 𝑔 𝑦 is publicly known.
• The user (verifier) is interested in learning the

evaluation of 𝑔(⋅) at 𝑦 ∈ {𝑦0, 𝑦1, ⋯ }.

• The user is computationally weak. He can
• nly perform a one-time heavy initialization.
• He delegates the task to a server (prover).
• The server provides 𝑔 𝑦0 and convinces

the user of correctness of the result in an interactive fashion. Similarly, for 𝑔 𝑦1 , ⋯

⋯

Query Response Query Response ⋯ The user learns 𝑔(𝑦1) reliably One-time initialization User (verifier) Server (prover)

Main performance criteria

• Completeness: If the prover is honest, the verifier should accept the result with

probability 1.

• Soundness: If the prover is dishonest, the verifier should reject the result with high

probability.

• Efficient initialization: The verifier can perform a one-time initialization and store

the outcome for future reference. Complexity of this phase should be comparable to the complexity of computing 𝑔 𝑦 .

• Super-Efficient verifier: The complexity of verifier should be negligible compared

to the complexity of computing 𝑔 𝑦 .

• Efficient prover: The complexity of the prover should be comparable to the

complexity of computing 𝑔 𝑦 .

• Small round complexity: the number of rounds of interaction between the prover

and the verifier must be small.

Related Work

• Interactive Proofs (information-theoretic):
• Lund’90, Shamir’90: Interactive proof for the sum-check problem, IP = PSPACE
• Rothblum’13, Goldwasser‘15: Interactive proofs with super-efficient verifier
• Verifiable computation for generic functions (non-interactive, amortized model, rely on

hardness assumptions):

• Parno ’13, Gennaro ’13: based on Quadratic Arithmetic Programs
• Killian’ 92: based on Probabilistically Checkable Proofs
• Verifiable computation for Specific Functions (more practical at the expense of

generality):

• Verifier Polynomial Evaluation (Benabbas’11, Fiore’12, Papamanthou ’13,

Elkhiaouyi’16, Sahraei’20)

• Matrix Multiplication (Fiore’12, Zhang’17, Elkhiyaoui’16)
• Modular Exponentiation(Chen’14)

Summary of the results

Algorithm Security Initialization complexity Verifier Complexity Prover Complexity Round Complexity

• Ben. ’11

limited 𝑃(𝑒) 𝑃(log 𝑒) 𝑃(𝑒) 𝑃(1) Fiore ‘12 limited 𝑃(𝑒) 𝑃(1) 𝑃(𝑒) 𝑃(1)

• Elkhiy. ’16

limited 𝑃(𝑒) 𝑃(1) 𝑃(𝑒) 𝑃(1) INTERPOL ‘19 Information Theoretic 𝑃(𝑒) 𝑃( 𝑒) 𝑃(𝑒) 𝑃(1) This work Information Theoretic 𝑃(𝑒1+𝜗) 𝑃(𝑒𝜗) 𝑃(𝑒1+𝜗) 𝑃(log 𝑒)

We propose a (interactive) verifiable polynomial evaluation algorithm with initialization complexity of O(d1+ϵ), verifier complexity of O(dϵ), prover complexity of O(d1+ϵ), and round complexity of O(log d) which satisfies the completeness and soundness properties. 𝑒 − 1: degree of the polynomial

Initial Observations

• Let 𝑔 𝑦 = 𝑏0 + ⋯ + 𝑏𝑒−1𝑦𝑒−1 be the polynomial of interest, where 𝑏𝑗 ∈ 𝔾𝑟 and

suppose 𝑒 is even. Define

• 𝑔 0 𝑧 = 𝑏0 + 𝑏2𝑧 + ⋯ 𝑏𝑒−2 𝑧

𝑒 2−1

• 𝑔 1 𝑧 = 𝑏1 + 𝑏3𝑧 + ⋯ 𝑏𝑒−1 𝑧

𝑒 2−1

• Note that both 𝑔 0 (𝑧) and 𝑔 1 (𝑧) are of degree

𝑒 2 − 1. Furthermore,

• 𝑔 𝑦 = 𝑔 0 𝑧 + 𝑦 𝑔 1 𝑧 if 𝑧 = 𝑦2.
• The verifier will reduce the problem of verifying 𝑔 𝑦 to the easier problem of

verifying 𝑔 0 (𝑧) and 𝑔 1 𝑧 .

Strawman approach

Prover provides መ 𝑔(𝑦) , መ 𝑔 0 (𝑧) and መ 𝑔 1 (𝑧)

𝑔 𝑦 = 𝑏0 + 𝑏1𝑦 + 𝑏2𝑦2 + ⋯ 𝑔 0 𝑧 = 𝑏0 + 𝑏2𝑧 + 𝑏4𝑧2 + ⋯ 𝑔 1 𝑧 = 𝑏1 + 𝑏3𝑧 + 𝑏5𝑧2 + ⋯ 𝑔 0,0 𝑨 = 𝑏0 + 𝑏4𝑨 + 𝑏8𝑨2 + ⋯ 𝑔 0,1 𝑨 = 𝑏2 + 𝑏6𝑨 + 𝑏10𝑨2 + ⋯ 𝑔 1,0 𝑨 = 𝑏1 + 𝑏5𝑨 + 𝑏9𝑨2 + ⋯ 𝑔 1,1 𝑨 = 𝑏3 + 𝑏7𝑨 + 𝑏11𝑨2 + ⋯

መ 𝑔 0 (𝑧) መ 𝑔 1 (𝑧) Verifier checks if መ 𝑔 𝑦 = መ 𝑔 0 𝑧 + 𝑦 መ 𝑔 1 (𝑧) If not, he rejects the result Prover provides መ 𝑔 0,0 (𝑨) and መ 𝑔 0,1 (𝑨) Prover provides መ 𝑔 1,0 (𝑨) and መ 𝑔 1,1 (𝑨) መ 𝑔 0,0 (𝑧) መ 𝑔 0,1 (𝑧) መ 𝑔 1,0 (𝑧) መ 𝑔 1,1 (𝑧)

Verifier checks if መ 𝑔(1) 𝑧 = መ 𝑔 1,0 𝑨 + 𝑧 መ 𝑔 1,1 (𝑨) If not, he rejects the result Verifier checks if መ 𝑔(0) 𝑧 = መ 𝑔 0,0 𝑨 + 𝑧 መ 𝑔 0,1 (𝑨) If not, he rejects the result

𝑧 = 𝑦2, 𝑨 = 𝑧2, ⋯ ⋯ ⋯ ⋯ ⋯ After 𝑠 = log 𝑒 iterations, the verifier checks, for every 𝑐1, ⋯ , 𝑐𝑠 , if መ 𝑔 𝑐1,⋯,𝑐𝑠 ⋅ = 𝑏𝑗, where 𝑗 = 𝑐120 + ⋯ + 𝑐𝑠2𝑠−1.

Analysis of the strawman approach

• Completeness:
• If the prover is honest, all the verifications will trivially pass and the verifier will

accept the result.

• Soundness:
• Suppose the prover lies about the evaluation of 𝑔 at 𝑦. Namely, መ

𝑔 𝑦 ≠ 𝑔 𝑦 .

• In order to pass the first level verification, he must either provide መ

𝑔 0 𝑧 ≠ 𝑔(0)(𝑧) or መ 𝑔 1 𝑧 ≠ 𝑔(1)(𝑧).

• In order to pass the second level verification, he must either provide መ

𝑔 0,0 𝑧 ≠ 𝑔 0,0 𝑧 , መ 𝑔 0,1 𝑧 ≠ 𝑔(0,1)(𝑧), መ 𝑔 1,0 𝑧 ≠ 𝑔(1,0)(𝑧) or መ 𝑔 1,1 𝑧 ≠ 𝑔 1,1 𝑧 and so on.

• After log 𝑒 steps each polynomial is a constant which the verifier can check

against the coefficients of original polynomial, 𝑔(𝑦).

• Verifier complexity:
• The number of verifications grows exponentially by the depth of the tree. The

verifier runs in O 2𝑠 = 𝑃(𝑒).

Prover provides መ 𝑔 (𝑦) and the systematic symbols for the next codeword መ 𝑔 0 (𝑧) መ 𝑔 1 (𝑧) Verifier checks if መ 𝑔 𝑦 = መ 𝑔 0 𝑧 + 𝑦 መ 𝑔 1 (𝑧) If not, he rejects the result

MDS code

Verifier randomly chooses a codeword symbol and reveals the index to the prover መ 𝑔 𝑐 𝑧 = 𝑎0(𝛽𝑐) መ 𝑔 0 𝑧 + 𝑎1(𝛽𝑐) መ 𝑔 1 (𝑧) Prover provides the systematic symbols for the next codeword

Index = 4

መ 𝑔 4,0 (𝑨) መ 𝑔 4,1 (𝑨) Verifier checks if መ 𝑔 4 𝑧 = መ 𝑔 4,0 𝑨 + 𝑧 መ 𝑔 4,1 (𝑨) If not, he rejects the result

⋯ ⋯

𝑎0 𝛾 = 𝛾 − 𝛽1 𝛽0 − 𝛽1 𝑎1 𝛾 = 𝛾 − 𝛽0 𝛽1 − 𝛽0 𝑔 𝑦 = 𝑏0 + 𝑏1𝑦 + 𝑏2𝑦2 + ⋯ 𝑔 0 𝑧 = 𝑏0 + 𝑏2𝑧 + 𝑏4𝑧2 + ⋯ 𝑔 1 𝑧 = 𝑏1 + 𝑏3𝑧 + 𝑏5𝑧2 + ⋯ 𝑔 0,0 𝑨 = 𝑏0 + 𝑏4𝑨 + 𝑏8𝑨2 + ⋯ 𝑔 0,1 𝑨 = 𝑏2 + 𝑏6𝑨 + 𝑏10𝑨2 + ⋯ 𝑔 1,0 𝑨 = 𝑏1 + 𝑏5𝑨 + 𝑏9𝑨2 + ⋯ 𝑔 1,1 𝑨 = 𝑏3 + 𝑏7𝑨 + 𝑏11𝑨2 + ⋯ 𝑧 = 𝑦2, 𝑨 = 𝑧2, ⋯

Improving the complexity with MDS codes

MDS code

Final step: checking against a look-up table

• After 𝑠 = log 𝑒 rounds, the verifier must check if መ

𝑔 𝑐1,⋯,𝑐𝑠 𝑦𝑒 = 𝑔 𝑐1,⋯,𝑐𝑠 𝑦𝑒 .

• In each iteration, the degree of the polynomial is divided by 2. 𝑔 𝑐1,⋯,𝑐𝑠 ⋅ is a

constant! Can be computed in advance and stored in a look-up table.

• Size of the table is 𝑜𝑠 where 𝑜 is the block-length of the MDS code.
• Example look-up table for 𝑒 = 4. Row 𝑗, column 𝑘 represents 𝑔 𝑗,𝑘 ⋅ .

𝑏0𝑎0 𝛽0 𝑎1 𝛽0 + 𝑏1𝑎0 𝛽0 𝑎1 𝛽0 + 𝑏2𝑎1 𝛽0 𝑎0 𝛽0 + 𝑏3𝑎1 𝛽0 𝑎1(𝛽0) 𝑏0𝑎0 𝛽1 𝑎1 𝛽0 + 𝑏1𝑎0 𝛽1 𝑎1 𝛽0 + 𝑏2𝑎1 𝛽1 𝑎0 𝛽0 + 𝑏3𝑎1 𝛽1 𝑎1(𝛽0) 𝑏0𝑎0 𝛽2 𝑎1 𝛽0 + 𝑏1𝑎0 𝛽2 𝑎1 𝛽0 + 𝑏2𝑎1 𝛽2 𝑎0 𝛽0 + 𝑏3𝑎1 𝛽2 𝑎1(𝛽0) 𝑏0𝑎0 𝛽0 𝑎1 𝛽1 + 𝑏1𝑎0 𝛽0 𝑎1 𝛽1 + 𝑏2𝑎1 𝛽0 𝑎0 𝛽1 + 𝑏3𝑎1 𝛽0 𝑎1(𝛽1) 𝑏0𝑎0 𝛽1 𝑎1 𝛽1 + 𝑏1𝑎0 𝛽1 𝑎1 𝛽1 + 𝑏2𝑎1 𝛽1 𝑎0 𝛽1 + 𝑏3𝑎1 𝛽1 𝑎1(𝛽1) 𝑏0𝑎0 𝛽2 𝑎1 𝛽1 + 𝑏1𝑎0 𝛽2 𝑎1 𝛽1 + 𝑏2𝑎1 𝛽2 𝑎0 𝛽1 + 𝑏3𝑎1 𝛽2 𝑎1(𝛽1) 𝑏0𝑎0 𝛽0 𝑎1 𝛽2 + 𝑏1𝑎0 𝛽0 𝑎1 𝛽2 + 𝑏2𝑎1 𝛽0 𝑎0 𝛽2 + 𝑏3𝑎1 𝛽0 𝑎1(𝛽2) 𝑏0𝑎0 𝛽1 𝑎1 𝛽2 + 𝑏1𝑎0 𝛽1 𝑎1 𝛽2 + 𝑏2𝑎1 𝛽1 𝑎0 𝛽2 + 𝑏3𝑎1 𝛽1 𝑎1(𝛽2) 𝑏0𝑎0 𝛽2 𝑎1 𝛽0 + 𝑏1𝑎0 𝛽2 𝑎1 𝛽2 + 𝑏2𝑎1 𝛽2 𝑎0 𝛽0 + 𝑏3𝑎1 𝛽2 𝑎1(𝛽2)

⋯

⋯

• Suppose መ

𝑔 𝑦 ≠ 𝑔 𝑦 . To pass the first verification, the prover must provide መ 𝑔 0 𝑧 ≠ 𝑔 0 (𝑧) or መ 𝑔 1 𝑧 ≠ 𝑔 1 (𝑧).

• Let ෡

A be the codeword with systematic symbols ( መ 𝑔 0 𝑧 , መ 𝑔 1 𝑧 ) and let A be the codeword with systematic symbols (𝑔 0 (𝑧), 𝑔 1 (𝑧) ).

• መ

𝐵 and 𝐵 will be different in at least 𝑜 − 1 positions (𝑒𝑛𝑗𝑜 = 𝑜 − 𝑙 + 1 = 𝑜 − 1).

• With probability

𝑜−1 𝑜 , we have መ

𝑔 𝑐1 𝑧 ≠ 𝑔 𝑐1 𝑧 .

• After r = log 𝑒 rounds, we have መ

𝑔 𝑐1,⋯𝑐𝑠 ⋅ ≠ 𝑔 𝑐1,⋯𝑐𝑠 ⋅ with probability ≈

𝑜−1 𝑜 𝑠

.

• The algorithm is repeated 𝑛 times to increase the probability of success of the

verifier to 1 − 1 −

𝑜−1 𝑜 𝑠 𝑛

.

Soundness

• Initialization
• The look-up table consists of all 𝑏(𝑐1,⋯,𝑐𝑠) ≜ 𝑔 𝑐1,⋯,𝑐𝑠 ⋅ where 𝑐ℓ ∈ 0: 𝑂 − 1 .
• Calculating each 𝑏(𝑐1,⋯,𝑐𝑠) requires 𝑃 𝑒 . In total, 𝑃 𝑜𝑠 ⋅ 𝑒 = 𝑃(𝑒1+log 𝑜).
• We need an efficient algorithm for building the entire look-up table in 𝑃(𝑒log 𝑜 ).
• We use MDS codes with 𝑙 > 2 and 𝑜 ≈ 𝑙. Then, 𝑃 𝑒log𝑙 𝑜 = 𝑃 𝑒1+𝜗 .
• Verifier
• To further reduce the probability of success of a malicious prover, the entire

process can be repeated 𝑛 times. In each iteration, the verifier runs in 𝑃(log 𝑒).

• The total complexity is 𝑃 𝑛 ⋅ log 𝑒 .
• Prover
• The prover runs in 𝑃(𝑛 ⋅ 𝑒).
• Round complexity
• The 𝑛 trials can be run in parallel, resulting in a round complexity of 𝑃(log 𝑒).

Complexity

Efficient computation of the look-up table

𝑏0 𝑏1 𝑏2 𝑏3 𝑏0

(0)

𝑏1

(0)

𝑏0

(1)

𝑏1

(1)

𝑏0

(2)

𝑏1

(2)

𝑏0

(0,0) 𝑏0 (0,1) 𝑏0 (0,2) 𝑏0 (1,0) 𝑏0 (1,1) 𝑏0 (1,2) 𝑏0 (2,0) 𝑏0 (2,1) 𝑏0 (2,2)

× 𝑎0(𝛽0) × 𝑎0(𝛽1) × 𝑎0(𝛽2) × 𝑎1(𝛽0) × 𝑎1(𝛽1) × 𝑎1(𝛽2)

𝑏𝑗

(𝑐1) ≜ 𝑏2𝑗𝑎0 𝛽𝑐1 + 𝑏2𝑗+1𝑎1(𝛽𝑐1) 𝑏𝑗

(𝑐1,𝑐2) ≜ 𝑏2𝑗 𝑐1 𝑎0 𝛽𝑐2 + 𝑏2𝑗+1 𝑐1 𝑎1 𝛽𝑐2

𝑔 𝑐1,⋯,𝑐ℓ 𝑦 = ෍

𝑗

𝑏𝑗

(𝑐1,⋯,𝑐ℓ)𝑦𝑗 ⋯

• Prover sends መ

𝑔(𝑦) to the verifier.

• For ℓ ∈ 0: 𝑠 − 1
• Prover sends መ

𝑔 𝑐0,⋯,𝑐ℓ−1,𝑡 (𝑦𝜃) to the verifier, for all 𝑡 ∈ 0: 𝜃 − 1 .

• Verifier checks if መ

𝑔(𝑐0,⋯,𝑐ℓ−1)(𝑦) = σ𝑡 𝑦𝑡 ⋅ መ 𝑔 𝑐0,⋯,𝑐ℓ−1,𝑡 (𝑦𝜃). If not, reject.

• Verifier randomly chooses 𝑐ℓ ∈ [0: 𝑑 ⋅ 𝜃 − 1], reveals 𝑐ℓ to the prover.
• Verifier computes መ

𝑔 𝑐0,⋯,𝑐ℓ 𝑦𝜃 = σ𝑡 መ 𝑔 𝑐0,⋯,𝑐ℓ−1,𝑡 𝑦𝜃 ⋅ 𝑎𝑡 𝛽𝑐ℓ .

• 𝑦 ← 𝑦𝜃.
• end
• Verifier checks መ

𝑔 𝑐1,⋯,𝑐𝑠 ⋅ against the pre-computed 𝑏0

(𝑐1,⋯,𝑐𝑠) in the look-up

• table. If they are not equal, he rejects.

Interactive Verifiable Polynomial Evaluation

Let 𝜃 ∈ ℤ+, 𝑑 ∈ ℝ+ such that 𝜃 ⋅ 𝑑 ∈ ℤ, and let 𝛽0, ⋯ , 𝛽𝑑⋅𝜃−1 ∈ 𝔾𝑟 and 𝑠 = log𝜃 𝑒 . The following algorithms is repeated 𝑛 times (can be parallelized). If all the 𝑛 tests pass, the verifier accepts the result.

Performance guarantees and the Proper choice of the parameters

• Soundness holds with probability 1 − 1 − 1 −

1 𝑑 𝑠 𝑛

>

1 2 (analysis similar to

the toy example).

• Initialization complexity is 𝑃 𝑑𝑠 ⋅ 𝑒 ⋅ 𝜃 = 𝑃 𝑒

1+

log 𝑑 𝜕 log log 𝑒

= 𝑃(𝑒1+𝜗).

• Verifier complexity is 𝑃 𝑛 ⋅ 𝑠 ⋅ 𝜃 = 𝑃 𝑒

1 𝜕 log 𝑑 𝑑−1 log log 𝑒

= 𝑃(𝑒𝜗).

• Prover complexity is 𝑃 𝑛 ⋅ 𝑒 = 𝑃 𝑒

1+

1 𝜕 log 𝑑 𝑑−1 log log 𝑒

= 𝑃(𝑒1+𝜗).

• Round complexity is 𝑠 = 𝑃(log 𝑒).

To achieve the blue guarantees, Choose 𝜃 = log 𝑒 𝜕, for an arbitrary 𝜕 ∈ ℝ+, and 𝑛 =

𝑑 𝑑−1 𝑠

.

Summary

• We introduced an interactive verifier polynomial evaluation algorithm

with efficient prover and super-efficient verifier.

• The verifiability guarantee holds in the presence of a computationally

unbounded adversarial prover.

• Results can be readily generalized to multi-variate polynomials (see

the longer version of paper on arXiv).

• Open problem: can you reduce the verifier’s complexity from O(d𝜗)

to 𝑃(polylog 𝑒)?

• Lund, C., Fortnow, L., Karloff, H., and Nisan, N. “Algebraic methods for

interactive proof systems.” In Proceedings of the 31st Annual Symposium

• n Foundations of Computer Science (1990), IEEE,pp. 2–10.
• Shamir, A. “IP= PSPACE (interactive proof= polynomial space)”. In

Proceedings of the 31st Annual Symposium on Foundations of Computer Science (1990), IEEE, pp. 11–15.

• Goldwasser, Shafi, Yael Tauman Kalai, and Guy N. Rothblum. “Delegating

computation: interactive proofs for muggles.” Journal of the ACM (JACM) 62.4 (2015): 1-64.

• Rothblum, G. N., Vadhan, S., and Wigderson, A. “Interactive proofs of

proximity: delegating computation in sublinear time.” InProceedings of the forty-fifth annual ACM symposium on Theory of computing (2013), ACM, pp. 793–802.

• Sahraei, Saeid, and A. Salman Avestimehr. "INTERPOL: Information

theoretically verifiable polynomial evaluation." IEEE International Symposium on Information Theory (ISIT), 2019.

Bibliography

• Fiore, Dario, and Rosario Gennaro. “Publicly verifiable delegation of large

polynomials and matrix computations, with applications.” Proceedings of the 2012 ACM conference on Computer and communications security. ACM, 2012.

• Benabbas, Siavosh, Rosario Gennaro, and Yevgeniy Vahlis. “Verifiable delegation
• f computation over large datasets.” Annual Cryptology Conference. Springer,

Berlin, Heidelberg, 2011.

• Elkhiyaoui, Kaoutar, et al. “Efficient techniques for publicly verifiable delegation of

computation.” Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. ACM, 2016.

• Kilian, Joe. “A note on efficient zero-knowledge proofs and arguments.”

Proceedings of the twenty-fourth annual ACM symposium on Theory of

• computing. ACM, 1992.
• R. Gennaro, C. Gentry, and B. Parno, “Non-interactive verifiable computing:

Outsourcing computation to untrusted workers, in Annual Cryptology Conference. Springer, 2010.

• B. Parno, J. Howell, C. Gentry, and M. Raykova, “Pinocchio: Nearly practical

verifiable computation, in 2013 IEEE Symposium on Security and Privacy. IEEE, 2013, pp. 238252.

Bibliography