Proof-of-work Certificates for High Complexity Computations for - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Proof-of-work Certificates for High Complexity Computations for Linear Algebra Erich L. Kaltofen

NCSU, DUKE UNIVERSITY

google->kaltofen

slide-2
SLIDE 2

2

Computations for the Cloud: RSA Challenge

RSA220 = 2260138526203405784941654048610197513508038915719776718321197768109445641817966676608593121306582577250631562886676970448070001811149711863002112487928199487482066070131066586646083327982803560379205391980139946496955261
= 68636564122675662743823714992884378001308422399791648446212449933215410614414642667938213644208420192054999687 × 32929074394863498120493015492129352919164551965362339524626860511692903493094652463337824866390738191765712603

  • S. Bai, P. Gaudry, A. Kruppa, E. Thomé, P. Zimmermann [May 2014–May 2016]
  • Verification on any tablet computer in under one second

slide-3
SLIDE 3-4

3

Computations for the Cloud: Sparse Matrix GL7d19 Rank

From K-Theory Conjectures [Elbaz-Vincent, Gangl, Soulé ’05]: a 1,911,130 × 1,955,309 matrix of rank 1,033,568, computed by J.-G. Dumas et al. 2007 with LinBox in 1050 CPU days with a Monte-Carlo randomized algorithm ... Do you believe the rank?

  • [Dumas-Kaltofen ISSAC 2014] construct a linear-time checkable interactive proof-of-work certificate

slide-5
SLIDE 5-6

4

Theoretical Computer Science Landmark Result

In order to verify a proof/computation, one does not need to check every step: an exponential speed-up for the verifier is possible.

Ingredients

  • 1. Randomized identity testing [DeMillo-Lipton ’78; Schwartz, Zippel ’79]
  • 2. Interactive protocols [Goldwasser-Micali-Rackoff ’85]
  • 3. Replacing interaction by cryptography [Fiat-Shamir 1986]
  • 4. Exponential speed-up for verifier [Lund-Fortnow-Karloff-Nisan ’92]

slide-7
SLIDE 7-9

5

Randomization: Rusin Freivalds’s 1979 Check

Let A, B, C ∈ K^{n×n}, K a field. Certify C = A·B via a random vector y ∈ {0,1}^n and check Cy = A(By): randomized, of O(n²) complexity.

$$\Pr\big(Cy \ne ABy \;\big|\; C \ne AB\big) \ge \tfrac{1}{2}$$

Application: O(n²) verification of determinant

  • Prover: run the fastest determinant algorithm, e.g. Storjohann’s; for the matrix multiplications, record inputs and outputs
  • Verifier: rerun the algorithm and, instead of doing the matrix multiplications, verify AB = C by Freivalds’s algorithm
  • It’s like running the det algorithm with a quadratic-time matrix multiplication procedure
  • Problem: the proof-of-work certificate has O(n²) size

slide-10
SLIDE 10-11

6

Interactive Proof Protocol: Dumas’s & Kaltofen’s 2014 CharPoly Certificate

Prover “Peggy” must convince Verifier “Victor” that χ_A(λ) = det(λI − A), A ∈ Z^{n×n}

Prover                                                  Communication      Verifier
χ_A(λ) = det(λI − A)                                    χ_A(λ) ——→         “commits”
                                                        p, r ←——           p a smallish random prime, r a smallish random integer
Non-interactive certificate for Δ = det(rI − A) mod p   ——→                Checks Δ ≡ χ_A(r) (mod p)

  • Verification bit complexity: essentially linear in input bit size

slide-12
SLIDE 12-13

7

Replace Interaction by Crypto: Dumas’s & Kaltofen’s 2014 CharPoly Certificate

Prover “Peggy” must convince Verifier “Victor” that χ_A(λ) = det(λI − A), A ∈ Z^{n×n}

Prover                                                  Communication      Verifier
χ_A(λ) = det(λI − A)                                    χ_A(λ) ——→
p, r = hash(A, χ_A)                                     p, r ——→           Checks p, r = hash(A, χ_A)
Non-interactive certificate for Δ = det(rI − A) mod p   ——→                Checks Δ ≡ χ_A(r) (mod p)

  • Yields sum-of-squares proofs in non-linear optimization with fastest verification [Kaltofen, Li, Yang, Zhi 2008]
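The Fiat-Shamir form of the certificate above, worked on a small integer matrix, as an added Python example (not the talk's, LinBox's or the paper's code). Assumed choices: SHA-256 as the hash, p the first prime at or after a hash-derived point in [2^20, 2^21), r reduced mod p, and the Verifier recomputing det(rI − A) mod p itself by elimination instead of checking a sub-certificate for Δ.

```python
import hashlib
from fractions import Fraction

def charpoly(A):
    """Prover: coefficients c_0..c_n of chi_A(lambda) = det(lambda*I - A) by Faddeev-LeVerrier."""
    n = len(A)
    mul = lambda X, Y: [[sum(X[i][k] * Y[k][j] for k in range(n)) for j in range(n)] for i in range(n)]
    c = [Fraction(0)] * n + [Fraction(1)]          # c[n] = 1: chi_A is monic
    M = [[Fraction(0)] * n for _ in range(n)]
    for k in range(1, n + 1):
        AM = mul(A, M)
        M = [[AM[i][j] + (c[n - k + 1] if i == j else 0) for j in range(n)] for i in range(n)]
        c[n - k] = -sum(mul(A, M)[i][i] for i in range(n)) / k
    return [int(x) for x in c]                      # exact integers for integer A

def det_mod(A, p):
    """det(A) mod p by Gaussian elimination over Z_p (the Verifier's cheap sub-computation)."""
    M, d = [[x % p for x in row] for row in A], 1
    n = len(M)
    for col in range(n):
        piv = next((i for i in range(col, n) if M[i][col]), None)
        if piv is None:
            return 0
        if piv != col:
            M[col], M[piv], d = M[piv], M[col], -d  # a row swap flips the sign
        d, inv = d * M[col][col] % p, pow(M[col][col], -1, p)
        for i in range(col + 1, n):
            f = M[i][col] * inv % p
            M[i] = [(a - f * b) % p for a, b in zip(M[i], M[col])]
    return d % p

def challenge(A, chi):
    """Fiat-Shamir: (p, r) = hash(A, chi_A). p = first prime at/after a hash-derived
    point in [2^20, 2^21) (constructed choice for the talk's 'smallish random prime')."""
    h = hashlib.sha256(repr((A, chi)).encode()).digest()
    p = (1 << 20) + int.from_bytes(h[:8], "big") % (1 << 20)
    while any(p % q == 0 for q in range(2, int(p ** 0.5) + 1)):
        p += 1
    return p, int.from_bytes(h[8:16], "big") % p

def verify(A, chi):
    """Verifier: rederive (p, r) from the committed chi_A, then check det(rI - A) = chi_A(r) (mod p)."""
    n = len(A)
    p, r = challenge(A, chi)
    delta = det_mod([[(r if i == j else 0) - A[i][j] for j in range(n)] for i in range(n)], p)
    return delta == sum(c * pow(r, k, p) for k, c in enumerate(chi)) % p
```

Because (p, r) is derived from the committed χ_A, a Prover who alters χ_A also changes the challenge it is evaluated at, so a wrong polynomial of degree ≤ n is caught unless r happens to be a root of the difference modulo p.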

slide-14
SLIDE 14

8

Sparse Determinant Proof-of-Work Based on Cramer’s Rule [Dumas and Kaltofen 2015]

$$A \begin{pmatrix} w_1 \\ \vdots \\ w_{n-1} \\ w_n \end{pmatrix} = \begin{pmatrix} 0 \\ \vdots \\ 0 \\ 1 \end{pmatrix}
\;\Longrightarrow\;
w_n = \frac{\det\begin{pmatrix} a_{1,1} & \cdots & a_{1,n-1} & 0 \\ \vdots & \ddots & \vdots & \vdots \\ a_{n-1,1} & \cdots & a_{n-1,n-1} & 0 \\ a_{n,1} & \cdots & a_{n,n-1} & 1 \end{pmatrix}}
{\det\begin{pmatrix} a_{1,1} & \cdots & a_{1,n-1} & a_{1,n} \\ \vdots & \ddots & \vdots & \vdots \\ a_{n-1,1} & \cdots & a_{n-1,n-1} & a_{n-1,n} \\ a_{n,1} & \cdots & a_{n,n-1} & a_{n,n} \end{pmatrix}}
= \frac{\det\big(M = A_{1\ldots n-1,\,1\ldots n-1}\big)}{\det(A)}$$

slide-15
SLIDE 15-17

9

Prover                                        Communication     Verifier
1. χ_A(λ) = det(λI_n − A)                     χ_A ——→
2. M = [a_{i,j}]_{1≤i,j≤n−1},
   χ_M(λ) = det(λI_{n−1} − M)                 χ_M ——→           Checks GCD(χ_A, χ_M) = 1;
3.                                            r_1 ←——           r_1 ∈ S ⊆ K random with χ_A(r_1) ≠ 0
4. Computes w such that
   (r_1 I_n − A) w = e_n = (0, …, 0, 1)^T     w ——→             Checks (r_1 I_n − A) w = e_n and w_n = χ_M(r_1)/χ_A(r_1);
5.                                                              Returns det(A) = (−1)^n χ_A(0)

Note: GCD(χ_A, χ_M) = 1 is achieved by preconditioning

  • Prover cheats by sending monic h, H with GCD(h, H) = 1, h/H = χ_M/χ_A. Then with high probability: w_n = χ_M(r_1)/χ_A(r_1) = h(r_1)/H(r_1)
  • Protocol communication: O(n) scalars
  • Prover complexity: fast by Block Wiedemann Algorithm

slide-18
SLIDE 18

10

Our 2015 Preconditioner

$$\tilde A = A \begin{pmatrix} \tau & -1 & & & \\ & \tau & -1 & & \\ & & \ddots & \ddots & \\ & & & \tau & -1 \\ \sigma & & & & \tau \end{pmatrix}, \qquad \det(\tilde A) = \det(A)\,(\tau^n + \sigma)$$

det(A) ≠ 0 ⟹ χ_Ã(λ) is irreducible for variables σ, τ ⟹ GCD(χ_Ã, χ_M̃) = 1 with high probability for random scalars σ, τ

slide-19
SLIDE 19-20

11

The Rank Profile Matrix [Dumas, Pernet, Sultan 2015]

Definition: Let A ∈ K^{m×n}; the rank profile matrix R_A = [r^A_{i,j}] ∈ {0,1}^{m×n} satisfies:

  • 1. all rows and columns have at most one 1
  • 2. the ranks of all upper-left submatrices are the same:

$$\forall i, j:\quad \operatorname{rank}\big([a_{\mu,\nu}]_{1\le\mu\le i,\,1\le\nu\le j}\big) = \operatorname{rank}\big([r^A_{\mu,\nu}]_{1\le\mu\le i,\,1\le\nu\le j}\big)$$

Example: A = ( 2 3 1 4 2 1 ) ⟹ R_A = ( 1 1 1 )

Generic rank profile: R_A = I_r (I_r the identity matrix)

slide-21
SLIDE 21

12

Proof-of-work for Generic Rank Profileness [Dumas, Kaltofen, Lucas, Pernet 2019]

Idea for non-singular inputs A: Prover computes A = LU, and an interactive protocol verifies that L is lower triangular and U is upper triangular. Verifier lets Prover compute the product z^T = η^T L one entry at a time.

slide-22
SLIDE 22-24

12

Proof-of-work for Generic Rank Profileness [Dumas, Kaltofen, Lucas, Pernet 2019]

A ∈ K^{n×n} non-singular (verified)

Prover                      Communication               Verifier
A = LU                      “A has g.r.p.” ——→
                            for i from n downto 1:
[x y] = U [φ ψ]             φ_i, ψ_i ←——                (φ_i, ψ_i) ∈ S² ⊆ K² random
                            x_i, y_i ——→
z^T = η^T L                 η_i ←——                     η_i ∈ S ⊆ K random
                            z_i ——→
                                                        Checks z^T [x y] = (η^T A) [φ ψ]

  • Proof of soundness is difficult and requires 2 right-side vectors
  • Generalizes to proof-of-work certificate of rank profile matrix
  • But: we have no protocol with asymptotically comparable Prover, Verifier, communication complexities and O(1) interactive rounds

slide-25
SLIDE 25-26

13

Exponentially Faster Verifier: Rubik’s Cube Example

How many face moves (90° and 180°) does it minimally take to solve the cube? Answer: 20 [T. Rokicki, H. Kociemba, M. Davidson, and J. Dethridge 2010], with about 35 CPU-years of idle computer time donated by Google.

“You may examine our source code, or even rerun part of the proof on your own computer” [http://www.cube20.org/]

Sample: http://cube20.org/alg.cubing.net-rokicki/alg.html?alg=FU-F2D-BUR-F-LD-R-U-LUB-D2R-FU2D2

slide-27
SLIDE 27-30

14

Exponentially Faster Verification Example

Example: sum of all n×n integer symmetric matrix determinants with 0/1 entries; there are 2^N, N = n(n+1)/2, such matrices:

$$\sigma_N = \sum_{b_1\in\{0,1\}} \cdots \sum_{b_N\in\{0,1\}} \det\begin{pmatrix} b_1 & b_2 & b_3 & \cdots & b_n \\ b_2 & b_{n+1} & b_{n+2} & \cdots & b_{2n-1} \\ b_3 & b_{n+2} & b_{2n} & & \vdots \\ \vdots & \vdots & & \ddots & \\ b_n & b_{2n-1} & \cdots & & b_N \end{pmatrix}$$

  • Prover sums exponentially in N many terms; Verifier checks the proof-of-work in polynomial time in N
  • Rubik’s Cube Example: use the generalization in [Goldwasser, Kalai, Rothblum 2008, 2015; Reingold, Rothblum, Rothblum 2016] to proof-of-work of polylog-depth circuit evaluation
  • Note to Victor Pan: Our processor-efficient circuits for linear algebra are alive and well: “doubly-efficient, interactive protocols”

slide-31
SLIDE 31

15

Lund-Fortnow-Karloff-Nisan 1992 Sumcheck Protocol
Ex.: Sum of symmetric determinants with 0/1 entries (sum of all 0/1 determinants is = 0)

$$\sigma_N = \sum_{b_1\in\{0,1\}} \cdots \sum_{b_N\in\{0,1\}} \underbrace{\det\begin{pmatrix} b_1 & b_2 & b_3 & \cdots & b_n \\ b_2 & b_{n+1} & b_{n+2} & \cdots & b_{2n-1} \\ b_3 & b_{n+2} & b_{2n} & & \vdots \\ \vdots & \vdots & & \ddots & \\ b_n & b_{2n-1} & \cdots & & b_N \end{pmatrix}}_{\Delta(b_1,\ldots,b_N)}, \qquad N = \frac{n(n+1)}{2}$$

   N    1    2     3     4      5        6           7
  σ_N   1   −2   −24   192  15360  −491520  −220200960

slide-32
SLIDE 32-35

16

Main Idea: Two-to-One Reduction

A publicly defined ψ(x) ∈ Z[x], deg(ψ) = N^{O(1)}, log‖ψ‖_∞ = N^{O(1)}
Prover: can interpolate ψ in 2^{O(N)} bit operations
Verifier: wants checkable proofs for ψ(0) and ψ(1)

Prover                              Communication     Verifier
1. Interpolate ψ(x)                 ψ(x) ——→
2.                                  r ←——             r ∈ Z random, |r| ≤ 1000 deg(ψ)
3. Protocol to certify ψ(r) ∈ Z
4.                                                    computes ψ(0), ψ(1)

LFKN sumcheck:

$$\psi(x) = \sum_{b_2\in\{0,1\}} \sum_{b_3\in\{0,1\}} \cdots \sum_{b_N\in\{0,1\}} \Delta(x, b_2, \ldots, b_N) \qquad (\sigma_N = \psi(0) + \psi(1))$$

Step 3: Certify ψ(r) = ψ_2(0) + ψ_2(1) via

$$\psi_2(x) = \sum_{b_3\in\{0,1\}} \cdots \sum_{b_N\in\{0,1\}} \Delta(r, x, b_3, \ldots, b_N)$$

Matryoshkas = N interpolants. Innermost nest keeps Prover honest: certify Δ(r, r_2, …, r_N), r’s random. In Ex.: compute a determinant

slide-36
SLIDE 36

17

Prover                                                            Communication     Verifier
1. ψ_1(x) = Σ_{b_2∈{0,1}} ⋯ Σ_{b_N∈{0,1}} Δ(x, b_2, b_3, …, b_N)    ψ_1(x) ——→        σ_N = ψ_1(0) + ψ_1(1)
                                                                  r_1 ←——           r_1 ∈ Z_p random
2. ψ_2(x) = Σ_{b_3∈{0,1}} ⋯ Σ_{b_N∈{0,1}} Δ(r_1, x, b_3, …, b_N)    ψ_2(x) ——→        ψ_1(r_1) ?= ψ_2(0) + ψ_2(1)
                                                                  r_2 ←——           r_2 ∈ Z_p random
   ⋮                                                              r_{N−1} ←——       r_{N−1} ∈ Z_p random
N. ψ_N(x) = Δ(r_1, r_2, …, r_{N−1}, x)                             ψ_N(x) ——→        ψ_{N−1}(r_{N−1}) ?= ψ_N(0) + ψ_N(1)

Verifier does a single evaluation of Δ: ψ_N(r_N) ?= Δ(r_1, …, r_N)
Gets certified sum σ_N with O(N²) additional operations
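The sumcheck protocol of slides 31–36, worked on the symmetric 0/1 determinant example (the σ_N table included), as an added Python example, not code from the talk. Assumptions: a fixed prime P = 2^31 − 1 stands in for the random prime p, the honest Prover is simulated by brute force over the remaining Boolean variables, and each round polynomial ψ_k is sent as its values at x = 0, 1, 2, which suffices because every b_k occurs at most twice in Δ, so deg ψ_k ≤ 2.

```python
from itertools import product
import random

P = 2**31 - 1   # constructed prime standing in for the talk's random prime p

def sym_matrix(b, n):
    """Place b_1..b_N (N = n(n+1)/2) row by row into the upper triangle and mirror it."""
    M, k = [[0] * n for _ in range(n)], 0
    for i in range(n):
        for j in range(i, n):
            M[i][j] = M[j][i] = b[k]
            k += 1
    return M

def det(M):
    """Determinant mod P by first-row cofactor expansion (n is tiny here)."""
    if len(M) == 1:
        return M[0][0] % P
    return sum((-1) ** j * M[0][j] * det([r[:j] + r[j + 1:] for r in M[1:]]) for j in range(len(M))) % P

def delta(b, n):
    return det(sym_matrix(b, n))

def sigma(n):
    """Prover's exponential work: the sum of all 2^N symmetric 0/1 determinants, mod P."""
    N = n * (n + 1) // 2
    return sum(delta(list(bits), n) for bits in product((0, 1), repeat=N)) % P

def prover_round(rs, n, N):
    """psi_k(x) = sum over b_{k+1..N} of Delta(r_1..r_{k-1}, x, b_{k+1..N}); deg <= 2, so send x = 0, 1, 2."""
    tails = list(product((0, 1), repeat=N - len(rs) - 1))
    return [sum(delta(rs + [x] + list(t), n) for t in tails) % P for x in (0, 1, 2)]

def eval_at(vals, r):
    """Evaluate the degree<=2 polynomial through (0,v0), (1,v1), (2,v2) at r (Lagrange form)."""
    inv2 = pow(2, -1, P)
    return (vals[0] * (r - 1) * (r - 2) * inv2 - vals[1] * r * (r - 2) + vals[2] * r * (r - 1) * inv2) % P

def verifier_accepts(n, claimed, seed=1):
    """N rounds of psi_{k-1}(r_{k-1}) ?= psi_k(0) + psi_k(1), then one evaluation of Delta."""
    rng, N, rs = random.Random(seed), n * (n + 1) // 2, []
    expected = claimed % P                      # round-0 target: the claimed sigma_N
    for _ in range(N):
        vals = prover_round(rs, n, N)           # Prover's message psi_k
        if (vals[0] + vals[1]) % P != expected:
            return False
        rs.append(rng.randrange(P))             # Verifier's challenge r_k
        expected = eval_at(vals, rs[-1])        # next target: psi_k(r_k)
    return expected == delta(rs, n)             # innermost nest: Delta(r_1, ..., r_N) directly
```

The Verifier's own work is N constant-size consistency checks plus one determinant of an n×n matrix of random residues; the 2^N-term sum is never recomputed on its side.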

slide-37
SLIDE 37-38

18

Concluding Remarks

Investigations are a bit like what Victor Shoup has told me about crypto: “Erich, there is no literature, you have to pull the techniques out from thin air”

To which I add: the resulting protocols look deceptively simple

Thank you!