620 likes | 772 Views
How to Delegate Computations: The Power of No-Signaling Proofs. Ron Rothblum Weizmann Institute. Joint work with Yael Kalai and Ran Raz. Delegation. Motivation: allow a computationally weak device to outsource computation to the cloud. Delegation.
E N D
How to Delegate Computations: The Power of No-Signaling Proofs Ron Rothblum Weizmann Institute Joint work with Yael Kalai and Ran Raz
Delegation Motivation: allow a computationally weak device to outsource computation to the cloud.
Delegation A computationally weak device outsources its computation to the cloud.
Delegation The device does not trust the cloud and so it wants to verify the result super-efficiently (say in linear-time).
Delegation Focus of this talk:1-round arguments.
Delegation Prover Verifier • Completeness: • . • Computational Soundness: and • . • Running time of : • Running time of :
Prior Work • 4-messages • [Kilian92]:For all of ! • Assumes CRH. • One-round (2-messages): • [Goldwasser-Kalai-Rothblum08, Kalai-Raz09]: for bounded-depth computation. Assume sub-exponential PIR.
Prior Work • In other models: • Random oracle model [Micali94] • Preprocessing [Gennaro-Gentry-Parno10, Chung-Kalai-Vadhan10, Applebaum-Ishai-Kushilevitz10] • Under non-falsifiable assumptions (e.g. KoE) [Groth10, Lipma12, Bitanski-Canetti-Chiesa-Tromer12a, Goldwasser-Lin-Rubinstein11, Damgard-Faust-Hazay12, Bitanski-Canetti-Chiesa-Tromer12b, Gennaro-Gentry-Parno-Raykova12]. • Non-falsifiable necessary* for[Gentry-Wichs11]
Main Result 1 Thm: Assuming sub-exponentially hard PIR Delegation for every language in with an time verifier and a time prover. Communication is .
Main Result 1 Thm: Assuming sub-exponentially hard PIR Delegation for every language in with an time verifier and a time prover. Communication is . quasi-polynomially (for any ).
Main Result 1 (General) Thm: Assuming sub-exponentially hard PIR delegation for every language in with a time verifier and a prover.
The Approach of [ABOR00] [Aiello-Bhatt-Ostrovsky-Rajogopalan00] suggested to construct a delegation scheme by combining a Multi-Prover Interactive Proof-System with an FHE. Actually PIR suffices, but easier to describe with FHE
Multi Prover Interactive Proofs (MIP) [BenOr-Goldwasser-Kilian-Wigderson88] . . . • Completeness: • Soundness: [Babai-Fortnow-Lund91]
Fully Homomorphic Encryption circuit Eval For this talk think of the output as a fresh encryption of
The [ABOR00] Protocol Take an protocol. . . .
The [ABOR00] Protocol Encrypt the queries and answer homomorphically. . . .
The [ABOR00] Protocol Simulate using a single prover. . . .
The [ABOR00] Protocol Simulate using a single prover.
The [ABOR00] Protocol Intuition:since encrypted under different keys, prover cannot use one query to answer a different query. [Dwork-Landberg-Naor-Nissim-Reingold01]: this intuition is false*! [Kalai-Raz09]: correct for single prover interactive proofs. We show:protocol works if MIP satisfies a stronger soundness condition called no-signaling soundness.
No-Signaling Prover Strategies • Allow the provers a minimal form of communication. • The answer of each prover may depend on the other queries as a function but must be independent as a RV.
No-Signaling Prover Strategies A prover strategyfor an MIP specifies for every a distribution . Def:A prover strategy is no-signaling if for every and and Def:A no-signaling MIP– for every no-signaling strategy the verifier rejects whp.
Example Accept if For some function A no-signaling cheating strategy: and Not contrived! Some PCP/MIP verifiers work this way.
Relation to Quantum MIP • No-signaling strategies originally motivated by quantum MIPs – the (cheating) provers share an entangled quantum state. • Entangled strategies are no-signaling. • No-signaling soundness is likely to hold in future theories of physics (if information cannot travel faster than light).
The Power of No-Signaling Strategies Def: is the class of languages with no-signaling MIPs with poly-time verifier. • Known that: [DLNNR01,Ito-Kobayashi-Matsumoto09,KR09,Ito10] no-signaling strategies break the soundness of all known PCPs/MIPs.
The Power of No-Signaling Strategies Def: is the class of languages with no-signaling MIPs with poly-time verifier. • Known that: [DLNNR01,Ito-Kobayashi-Matsumoto09,KR09,Ito10] no-signaling strategies break the soundness of all known PCPs/MIPs. • We show:
Main Technical Result Suppose can be computed in time . Thm: has no-signaling MIP with time verifier and time prover. provers and total communication. Corollary:
Proof Outline • Information Theoretic Step Construct an efficient no-signaling MIP for any language in (and scaled up for ). 2. Cryptographic Step Apply a general transformation No-signaling MIP + PIR Delegation
Proof Outline • Information Theoretic Step Construct an efficient no-signaling MIP for any language in (and scaled up for ). 2. Cryptographic Step Apply a general transformation No-signaling MIP + PIR Delegation
Proof of Technical Result (High Level Overview)
Proof Sketch This talk – we assume Suppose that can be computed in time and in space . Construct a no-signaling for . Our starting point is the [BFLS] PCP.
The Provers Every layer is computed by applying gates to the previous layer Each prover generates the entire tableau of the computation. Output bit Input bits
The Provers The provers encode the computation via the [BFLS] PCP.
The Provers Each (honest) prover expects to be queried on a single point in the PCP and answers accordingly.
The Verifier • The verifier generates the PCP queries. • Randomly permutes the queries and sends to the provers. • Also explicitly checks input and output gates. • Accepts the answers if PCP verifier accepts and input/output gates are correct.
No-SignalingSoundness Challenges in NS setting: • Each answer depends on other provers’queries. • No low degree test. • No parallel repetition. • Cheating provers are randomized.
No-Signaling Soundness • Assume that we have a no-signaling cheating prover strategy that succeeds with probability (think of as tiny). • Once we fix the provers, their answers as RVs are defined can send “crazy” queries and see how they answer. • Will derive a contradiction.
Reading a Point “Reading” a point = query provers on a random line that goes through the point and interpolate answers to get the value.
Reading a Point Fix some gate of the computation.
Lemma Lemma:Can “read a gate” in the tableau so that with probability the 3 values will be “consistent”. Proof of lemma uses algebraic PCP-like techniques.
First Attempt Simultaneously “read” all points in the tableau. For every gate, wp by the lemma (and using no-signaling) we get a consistent value By union bound, wpwe get global consistency. Since we check input/output gates, the verifier must reject.
First Attempt • Major problem: not enough provers! • We wanted to query points but we do not have so many provers. • Number of queries s verifier running time.
Second Attempt Look at some gate in the second layer. Inputs correct wp Consistent wp
Second Attempt Look at some gate in the second layer. Correct wp
Second Attempt Look at some gate in the second layer. By no-signaling still correct wp
Second Attempt Look at neighbor of the gate. Similarly, correct wp
Second Attempt Gate at 3rd layer. Both inputs correct wp Consistent wp
Second Attempt Gate at 3rd layer. output correct wp
Second Attempt • Error grows exponentially in the depth. • Gives delegation for low-depth computation (already known via [GKR08+KR09]).
Third Attempt Use provers! Lower layer correct wp Upper layer consistent wp
Third Attempt Use provers! Correct wp