Lin inear Multi-Prover In Interactive Proofs Dan Boneh, Yuval - - PowerPoint PPT Presentation

Quasi-Optimal SNARGs via ia Lin inear Multi-Prover In Interactive Proofs

Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu

Non-Interactive Arguments for NP

ℒ𝐷 = 𝑦 ∶ 𝐷 𝑦, 𝑥 = 1 for some 𝑥

𝑄(𝑦, 𝑥) 𝑊(𝑦) accept / reject Completeness: 𝐷 𝑦, 𝑥 = 1 ⟹ Pr 𝑄 𝑦, 𝑥 , 𝑊 𝑦 = 1 = 1 Soundness: for all provers 𝑄⋆ of size 2𝜇 (𝜇 is a security parameter): 𝑦 ∉ ℒ𝐷 ⟹ Pr 𝑄⋆ 𝑦 , 𝑊 𝑦 = 1 ≤ 2−𝜇

𝜌

Succinct Non-Interactive Arguments (SNARGs)

𝑄(𝑦, 𝑥) 𝑊(𝑦) accept / reject Argument system is succinct if:

• Prover communication is poly 𝜇 + log 𝐷
• 𝑊 can be implemented by a circuit of size poly 𝜇 + 𝑦 + log 𝐷

Verifier complexity significantly smaller than classic NP verifier

ℒ𝐷 = 𝑦 ∶ 𝐷 𝑦, 𝑥 = 1 for some 𝑥 𝜌

Succinct Non-Interactive Arguments (SNARGs)

𝑄(𝑦, 𝑥) 𝑊(𝑦) accept / reject

𝜌

Argument consists of a single message Instantiation: “CS proofs” in the random oracle model [Mic94]

Succinct Non-Interactive Arguments (SNARGs)

𝑄(𝜏, 𝑦, 𝑥) 𝑊(𝜐, 𝑦) accept / reject

𝜌

Argument consists of a single message

common reference string (CRS) verification state

Setup 1𝜇

𝜏 𝜐

Can consider publicly- verifiable and secretly- verifiable SNARGs Preprocessing SNARGs: allow “expensive” setup

Complexity Metrics for SNARGs

Soundness: for all provers 𝑄⋆ of size 2𝜇: 𝑦 ∉ ℒ𝐷 ⟹ Pr 𝑄⋆ 𝑦 , 𝑊 𝑦 = 1 ≤ 2−𝜇

How short can the proofs be? 𝜌 = Ω 𝜇 How much work is needed to generate the proof? 𝑄 = Ω 𝐷

Even in the designated- verifier setting

[See paper for details]

Quasi-Optimal SNARGs

Soundness: for all provers 𝑄⋆ of size 2𝜇: 𝑦 ∉ ℒ𝐷 ⟹ Pr 𝑄⋆ 𝑦 , 𝑊 𝑦 = 1 ≤ 2−𝜇

A SNARG (for Boolean circuit satisfiability) is quasi-optimal if it satisfies the following properties:

• Quasi-optimal succinctness:

𝜌 = 𝜇 ⋅ polylog 𝜇, 𝐷 = ෨ 𝑃(𝜇)

• Quasi-optimal prover complexity:

𝑄 = ෨ 𝑃 𝐷 + poly(𝜇, log 𝐷 )

Quasi-Optimal SNARGs

Construction Prover Complexity Proof Size Assumption

CS Proofs [Mic94]

෨ 𝑃( 𝐷 ) ෨ 𝑃(𝜇2) Random Oracle

Groth [Gro10] GGPR [GGPR12]

෨ 𝑃(𝜇 𝐷 2 + 𝐷 𝜇2) ෨ 𝑃(𝜇 𝐷 ) ෨ 𝑃(𝜇) ෨ 𝑃(𝜇) Knowledge of Exponent

BCIOP (Pairing) [BCIOP13]

෨ 𝑃(𝜇 𝐷 ) ෨ 𝑃(𝜇) Linear-Only Encryption

BISW (LWE/RLWE) [BISW17]

෨ 𝑃(𝜇 𝐷 ) ෨ 𝑃(𝜇) Linear-Only Vector Encryption

Groth [Gro16]

෨ 𝑃(𝜇 𝐷 ) ෨ 𝑃(𝜇) Generic Group

Quasi-Optimal SNARGs

Construction Prover Complexity Proof Size Assumption

CS Proofs [Mic94]

෨ 𝑃( 𝐷 ) ෨ 𝑃(𝜇2) Random Oracle

Groth [Gro10] GGPR [GGPR12]

෨ 𝑃(𝜇 𝐷 2 + 𝐷 𝜇2) ෨ 𝑃(𝜇 𝐷 ) ෨ 𝑃(𝜇) ෨ 𝑃(𝜇) Knowledge of Exponent

BCIOP (Pairing) [BCIOP13]

෨ 𝑃(𝜇 𝐷 ) ෨ 𝑃(𝜇) Linear-Only Encryption

BISW (LWE/RLWE) [BISW17]

෨ 𝑃(𝜇 𝐷 ) ෨ 𝑃(𝜇) Linear-Only Vector Encryption

Groth [Gro16]

෨ 𝑃(𝜇 𝐷 ) ෨ 𝑃(𝜇) Generic Group

For simplicity, we ignore low order terms poly 𝜇, log 𝐷

Quasi-Optimal SNARGs

Construction Prover Complexity Proof Size Assumption

CS Proofs [Mic94]

෨ 𝑃( 𝐷 ) ෨ 𝑃(𝜇2) Random Oracle

Groth [Gro10] GGPR [GGPR12]

෨ 𝑃(𝜇 𝐷 2 + 𝐷 𝜇2) ෨ 𝑃(𝜇 𝐷 ) ෨ 𝑃(𝜇) ෨ 𝑃(𝜇) Knowledge of Exponent

BCIOP (Pairing) [BCIOP13]

෨ 𝑃(𝜇 𝐷 ) ෨ 𝑃(𝜇) Linear-Only Encryption

BISW (LWE/RLWE) [BISW17]

෨ 𝑃(𝜇 𝐷 ) ෨ 𝑃(𝜇) Linear-Only Vector Encryption

Groth [Gro16]

෨ 𝑃(𝜇 𝐷 ) ෨ 𝑃(𝜇) Generic Group

This work

෨ 𝑃 𝐷 ෨ 𝑃(𝜇) Linear-Only Vector Encryption

For simplicity, we ignore low order terms poly 𝜇, log 𝐷

This Work

New framework for building preprocessing SNARGs (following [BCIOP13, BISW17])

Step 1 (information-theoretic):

• Linear multi-prover interactive proofs (linear MIPs)
• This work: first construction of a quasi-optimal linear MIP

Step 2 (cryptographic):

• Linear-only vector encryption to simulate linear MIP model
• This work: linear MIP ⟹ preprocessing SNARG

Results yield the first quasi-optimal SNARG (from linear-only vector encryption

• ver rings)

Linear PCPs [IKO07]

𝜌 ∈ 𝔾𝑛

𝑟 ∈ 𝔾𝑛 𝑟, 𝜌 ∈ 𝔾 Several possible instantiations: based on the Walsh-Hadamard code [ALMSS92] or quadratic span programs [GGPR13] Verifier

𝑦, 𝑥

PCP where the proof

• racle implements a

linear function 𝜌 ∈ 𝔾𝑛 In these instantiations, verifier is oblivious (queries independent of statement)

From Linear PCPs to SNARGs [BCIOP13]

𝑟1 𝑟2 𝑟3 𝑟𝑙 ⋯

part of the CRS

𝑅 =

Verifier encrypts its queries using a linear-only encryption scheme

From Linear PCPs to SNARGs [BCIOP13]

𝑟1 𝑟2 𝑟3 𝑟𝑙 ⋯

part of the CRS

𝑅 =

Verifier encrypts its queries using a linear-only encryption scheme

Encryption scheme that only supports linear homomorphism

From Linear PCPs to SNARGs [BCIOP13]

𝑟1 𝑟2 𝑟3 𝑟𝑙 ⋯

part of the CRS

𝑅 =

Verifier encrypts its queries using a linear-only encryption scheme

𝑦, 𝑥 𝜌 ∈ 𝔾𝑛

Prover constructs linear PCP 𝜌 from (𝑦, 𝑥)

⟨𝜌, 𝑟1⟩ ⟨𝜌, 𝑟2⟩ ⋯ ⟨𝜌, 𝑟𝑙⟩

Prover homomorphically computes responses to linear PCP queries SNARG proof

From Linear PCPs to SNARGs [BCIOP13]

𝑟1 𝑟2 𝑟3 𝑟𝑙 ⋯

part of the CRS

𝑅 =

Verifier encrypts its queries using a linear-only encryption scheme

𝑦, 𝑥 𝜌 ∈ 𝔾𝑛

Prover constructs linear PCP 𝜌 from (𝑦, 𝑥)

⟨𝜌, 𝑟1⟩ ⟨𝜌, 𝑟2⟩ ⋯ ⟨𝜌, 𝑟𝑙⟩

Prover homomorphically computes responses to linear PCP queries SNARG proof

Evaluating inner product requires Ω 𝐷 homomorphic operations; prover complexity: Ω 𝜇 ⋅ Ω 𝐷 = Ω 𝜇 𝐷 Proof consists of a constant number of ciphertexts: total length 𝑃(𝜇) bits

We pay Ω(𝜇) for each homomorphic

• peration. Can we

reduce this?

Linear-Only Encryption over Rings

Consider encryption scheme over a polynomial ring 𝑆𝑞 = Τ ℤ𝑞 𝑦 Φℓ 𝑦 ≅ 𝔾𝑞

ℓ

𝑦1 𝑦2 𝑦3 ⋮ 𝑦ℓ

Plaintext space can be viewed as a vector of field elements

𝑦1

′

𝑦2

′

𝑦3

′

⋮ 𝑦ℓ

′

𝑦1 + 𝑦1′ 𝑦2 + 𝑦2

′

𝑦3 + 𝑦3

′

⋮ 𝑦ℓ + 𝑦ℓ

′

Homomorphic operations correspond to component-wise additions and scalar multiplications Using RLWE-based encryption schemes, can encrypt ℓ = ෨ 𝑃(𝜇) field elements (𝑞 = poly 𝜇 ) with ciphertexts of size ෨ 𝑃(𝜇)

Linear-Only Encryption over Rings

Consider encryption scheme over a polynomial ring 𝑆𝑞 = Τ ℤ𝑞 𝑦 Φℓ 𝑦 ≅ 𝔾𝑞

ℓ

𝑦1 𝑦2 𝑦3 ⋮ 𝑦ℓ

Plaintext space can be viewed as a vector of field elements

𝑦1

′

𝑦2

′

𝑦3

′

⋮ 𝑦ℓ

′

𝑦1 + 𝑦1′ 𝑦2 + 𝑦2

′

𝑦3 + 𝑦3

′

⋮ 𝑦ℓ + 𝑦ℓ

′

Homomorphic operations correspond to component-wise additions and scalar multiplications Using RLWE-based encryption schemes, can encrypt ℓ = ෨ 𝑃(𝜇) field elements (𝑞 = poly 𝜇 ) with ciphertexts of size ෨ 𝑃(𝜇)

Amortized cost of homomorphic

• peration on a single field

element is polylog(𝜇)

Linear-Only Encryption over Rings

𝑟1 ∈ 𝔾𝑞

𝑛

𝑟2 ∈ 𝔾𝑞

𝑛

𝑟3 ∈ 𝔾𝑞

𝑛

⋮ 𝑟ℓ ∈ 𝔾𝑞

𝑛

⟨𝜌1, 𝑟1⟩ ⟨𝜌2, 𝑟2⟩ ⟨𝜌3, 𝑟3⟩ ⋮ ⟨𝜌ℓ, 𝑟ℓ⟩ Given encrypted set of query vectors, prover can homomorphically apply independent linear functions to each slot

Linear Multi-Prover Interactive Proofs (MIPs)

𝑦, 𝑥

𝜌1 𝜌2 ⋯ 𝜌ℓ Verifier has oracle access to multiple linear proof oracles

[Proofs may be correlated]

Can convert linear MIP to preprocessing SNARG using linear-

• nly (vector) encryption over rings

Suppose

• Number of provers ℓ = ෨

𝑃 𝜇

• Proofs 𝜌1, … , 𝜌ℓ ∈ 𝔾𝑞

𝑛 where 𝑛 =

Τ 𝐷 ℓ

• Number of queries to each 𝜌𝑗 is polylog(𝜇)

Then, linear MIP is quasi-optimal

Linear Multi-Prover Interactive Proofs (MIPs)

𝑦, 𝑥

𝜌1 𝜌2 ⋯ 𝜌ℓ

Suppose

• Number of provers ℓ = ෨

𝑃 𝜇

• Proofs 𝜌1, … , 𝜌ℓ ∈ 𝔾𝑞

𝑛 where 𝑛 =

Τ 𝐷 ℓ

• Number of queries to each 𝜌𝑗 is polylog(𝜇)

Then, linear MIP is quasi-optimal

Linear Multi-Prover Interactive Proofs (MIPs)

𝑦, 𝑥

𝜌1 𝜌2 ⋯ 𝜌ℓ

Prover complexity: ෨ 𝑃 ℓ𝑛 = ෨ 𝑃 𝐷 Linear MIP size: 𝑃 ℓ ⋅ polylog 𝜇 = ෨ 𝑃(𝜇)

Quasi-Optimal Linear MIPs

This work: Construction of a quasi-optimal linear MIP for Boolean circuit satisfiability

Robust Decomposition Consistency Check Quasi-Optimal Linear MIP

Robust Decomposition

(𝑦, 𝑥)

Encode

𝑦1

′

𝑦2

′

𝑦3

′

⋯ 𝑦𝑜

′

𝑥1

′

𝑥2

′

𝑥3

′

⋯ 𝑥ℎ

′

𝑔

1

𝑔

2

⋯

Boolean circuit 𝐷 of size 𝑡

𝑔

ℓ Statement- witness for 𝐷 Statement-witness for 𝑔

1, … , 𝑔 ℓ

Decompose 𝐷 into constraint functions 𝑔

1, … , 𝑔 ℓ, where each

constraint can be computed by a circuit of size 𝑡/ℓ

Only depends on 𝑦

Each constraint only needs to read a subset of the input bits

Robust Decomposition

(𝑦, 𝑥)

Encode

𝑦1

′

𝑦2

′

𝑦3

′

⋯ 𝑦𝑜

′

𝑥1

′

𝑥2

′

𝑥3

′

⋯ 𝑥ℎ

′

𝑔

1

𝑔

2

⋯

Boolean circuit 𝐷 of size 𝑡

𝑔

ℓ Statement- witness for 𝐷 Statement-witness for 𝑔

1, … , 𝑔 ℓ

Only depends on 𝑦

Decompose 𝐷 into constraint functions 𝑔

1, … , 𝑔 ℓ, where each

constraint can be computed by a circuit of size 𝑡/ℓ Each constraint only needs to read a subset of the input bits

Robust Decomposition

(𝑦, 𝑥)

Encode

𝑦1

′

𝑦2

′

𝑦3

′

⋯ 𝑦𝑜

′

𝑥1

′

𝑥2

′

𝑥3

′

⋯ 𝑥ℎ

′

𝑔

1

𝑔

2

⋯

Boolean circuit 𝐷 of size 𝑡

𝑔

ℓ Statement- witness for 𝐷 Statement-witness for 𝑔

1, … , 𝑔 ℓ

Only depends on 𝑦

Decompose 𝐷 into constraint functions 𝑔

1, … , 𝑔 ℓ, where each

constraint can be computed by a circuit of size 𝑡/ℓ Each constraint only needs to read a subset of the input bits

Robust Decomposition

(𝑦, 𝑥)

Encode

𝑦1

′

𝑦2

′

𝑦3

′

⋯ 𝑦𝑜

′

𝑥1

′

𝑥2

′

𝑥3

′

⋯ 𝑥ℎ

′

𝑔

1

𝑔

2

⋯

Boolean circuit 𝐷 of size 𝑡

𝑔

ℓ Statement- witness for 𝐷 Statement-witness for 𝑔

1, … , 𝑔 ℓ

Completeness: If 𝐷 𝑦, 𝑥 = 1, then 𝑔

𝑗 𝑦′, 𝑥′ = 1 for all 𝑗

Robustness: If 𝑦 ∉ ℒ, then for all 𝑥′, at most 2/3 of 𝑔

𝑗 𝑦′, 𝑥′ = 1

Efficiency: (𝑦′, 𝑥′) can be computed by a circuit of size ෨ 𝑃(𝑡)

Only depends on 𝑦

Robust Decomposition

Boolean circuit 𝐷 of size 𝑡 𝑔

1

𝑔

2

⋮ 𝑔

ℓ

𝜌1 𝜌2 ⋮ 𝜌ℓ

𝜌𝑗: linear PCP that 𝑔

𝑗(𝑦′,⋅) is satisfiable

(instantiated over 𝔾𝑞 where 𝑞 = poly(𝜇))

Using linear PCP based on QSPs [GGPR13], 𝜌𝑗 = 𝑃( Τ 𝐷 ℓ) and provides soundness 1/poly 𝜇 (𝑦, 𝑥)

Statement-witness for 𝐷 Statement-witness for 𝑔

1, … , 𝑔 ℓ

Encode

(𝑦′, 𝑥′)

Robust Decomposition

Boolean circuit 𝐷 of size 𝑡 𝑔

1

𝑔

2

⋮ 𝑔

ℓ

𝜌1 𝜌2 ⋮ 𝜌ℓ

𝜌𝑗: linear PCP that 𝑔

𝑗(𝑦′,⋅) is satisfiable

(instantiated over 𝔾𝑞 where 𝑞 = poly(𝜇))

Verifier invokes linear PCP verifier for each instance (𝑦, 𝑥)

Statement-witness for 𝐷 Statement-witness for 𝑔

1, … , 𝑔 ℓ

Encode

(𝑦′, 𝑥′)

Robust Decomposition

Boolean circuit 𝐷 of size 𝑡 𝑔

1

𝑔

2

⋮ 𝑔

ℓ

𝜌1 𝜌2 ⋮ 𝜌ℓ

𝜌𝑗: linear PCP that 𝑔

𝑗(𝑦′,⋅) is satisfiable

(instantiated over 𝔾𝑞 where 𝑞 = poly(𝜇)) Completeness: Follows by completeness of decomposition and linear PCPs Soundness: Each linear PCP provides Τ 1 poly 𝜇 soundness and for false statement, at least 1/3 of the statements are false, so if ℓ = Ω(𝜇), verifier accepts with probability 2−Ω 𝜇

Robust Decomposition

Completeness: Follows by completeness of decomposition and linear PCPs Soundness: Each linear PCP provides Τ 1 poly 𝜇 soundness and for false statement, at least 1/3 of the statements are false, so if ℓ = Ω(𝜇), verifier accepts with probability 2−Ω 𝜇

Robustness: If 𝑦 ∉ ℒ, then for all 𝑥′, at most 2/3 of 𝑔

𝑗 𝑦′, 𝑥′ = 1

For false 𝑦, no single 𝑥′ can simultaneously satisfy 𝑔

𝑗 𝑦′,⋅ ;

however, all of the 𝑔

𝑗(𝑦′,⋅) could

individually be satisfiable

Problematic however if prover uses different 𝑦′, 𝑥′ to construct proofs for different 𝑔

𝑗’s

Consistency Checking

Require that linear PCPs are systematic: linear PCP 𝜌 contains a copy of the witness:

𝜌1 𝜌2 𝜌3 𝑥1

′

𝑥3

′

𝑥1

′

𝑥2

′

𝑥2

′

𝑥3

′

• ther components
• ther components
• ther components

First few components of proof correspond to witness associated with the statement

Goal: check that assignments to 𝑥′ are consistent via linear queries to 𝜌𝑗

Each proof induces an assignment to a few bits of the common witness 𝑥′

[See paper for details]

Robust Decomposition

𝐷

𝑔

1

𝑔

2

⋯ 𝑔

ℓ

• Checking satisfiability of 𝐷

corresponds to checking satisfiability of 𝑔

1, … , 𝑔 ℓ (each

• f which can be checked by a

circuit of size Τ 𝐷 ℓ)

• For a false statement, no

single witness can simultaneously satisfy more than a constant fraction of 𝑔

𝑗

Quasi-Optimal Linear MIP

Robust decomposition can be instantiated by combining “MPC-in-the-head” paradigm

[IKOS07] with a robust MPC protocol with

polylogarithmic overhead [DIK10]

[See paper for details]

Robust Decomposition

𝐷

𝑔

1

𝑔

2

⋯ 𝑔

ℓ

• Checking satisfiability of 𝐷

corresponds to checking satisfiability of 𝑔

1, … , 𝑔 ℓ (each

• f which can be checked by a

circuit of size Τ 𝐷 ℓ)

• For a false statement, no

single witness can simultaneously satisfy more than a constant fraction of 𝑔

𝑗

Consistency Check

• Check that consistent witness is

used to prove satisfiability of each 𝑔

𝑗

• Relies on pairwise consistency

checks and permuting the entries to obtain a “nice” replication structure

Quasi-Optimal Linear MIP

Conclusions

A SNARG is quasi-optimal if it satisfies the following properties:

• Quasi-optimal succinctness: 𝜌 = ෨

𝑃(𝜇)

• Quasi-optimal prover complexity: 𝑄 = ෨

𝑃 𝐷 + poly(𝜇, log 𝐷 ) New framework for building quasi-optimal SNARGs by combining quasi-optimal linear MIP with linear-only vector encryption

• Construction of a quasi-optimal linear MIP possible by combining robust

decomposition and consistency check What if we had a 1-bit SNARG? Implies a form of witness encryption

• Highlights connection between soundness and confidentiality; see also

[BDRV18] which shows laconic zero-knowledge implies PKE

[See paper for details]

Open Problems

Publicly-verifiable quasi-optimal SNARGs

• Or: multi-theorem designated-verifier SNARGs

Quasi-optimal zero-knowledge SNARGs

Thank you!

https://eprint.iacr.org/2018/133