This paper asks whether probabilistically checkable proofs (PCPs) are necessary for efficient arguments, and shows that any argument whose soundness is established by an efficient black-box reduction to a secure cryptographic primitive yields a PCP.

Are PCPs Inherent in Efficient Arguments?
Guy Rothblum (MIT → MSR-SVC → IAS) and Salil Vadhan (Harvard University)
Probabilistic Proof Systems
• P wants to convince V that x ∈ L
• Completeness: if x ∈ L, then P convinces V w.h.p.
• Soundness: if x ∉ L, no P* can convince V except w/ small prob. s
  - Interactive Proofs: no P* can convince V
  - PCPs: no memoryless oracle P* can convince V
  - Arguments: no poly-time P* can convince V
Motivation for Arguments
• Perfect zero knowledge [BCC86]
• Can be much more efficient than interactive proofs
  - Communication [Kil92]
  - Expressive power [Mic94]
  - Verifier runtime [Mic94]
  (all based on PCPs)
• Question [IKO07]: Are PCPs necessary?
Zero Knowledge / Cryptography / Complexity: timeline of related milestones
• Protocols [B82, ...]
• NP-completeness [C71, L73, K72]
• Def of ZK, IP [GMR85]
• IP = PSPACE [LFKN90, S90]
• NP ⊆ ZK [GMW86]
• Secure Computation [Yao86, GMW87, BGW88, CCD88]
• Multiprover ZK [BGKW88]
• MIP = NEXP, PCP Theorem [BFL91 ... ALMSS92]
• Polylog-eff ZK Args [K92, M94]
• Random Oracle Model [FS86, BR93, CGH98]
• Diagonalization [T36]
• Concurrency [F90, DNS98]
• ...
• Non-BB Simulation [B01]
• ...
High-Level Summary
• Previous work [Kil92, Mic94, BG02, IKO07]: PCPs ⇒ efficient arguments*
  (*under various crypto assumptions)
• Our results: efficient arguments ⇒ PCPs*
  (*assuming argument soundness is based on a secure crypto primitive via an "efficient black-box reduction")

PCPs ⇒ Arguments (previous work)
Kilian's Construction [Kil92] (L in NP)
Common input x; prover P_arg, verifier V_arg:
1. V_arg chooses a collision-resistant hash function f and sends f.
2. P_arg computes π = PCP proof that x ∈ L and sends Commit(π) ("commit" to π).
3. V_arg runs V_pcp to get queries i_1,…,i_q and sends them; P_arg "reveals" π_{i_1},…,π_{i_q}.
4. V_arg accepts if the reveals are valid & V_pcp accepts.
Short commitments
• Collision-resistant hash family: F = {f : {0,1}^{2k} → {0,1}^k} s.t. no poly-time alg can find a collision in a random f ← F except with negl. probability.
• Merkle tree: Commit(π) is the root of the tree obtained by applying f to pairs of nodes, starting from the symbols of π; Reveal(π_i) is π_i together with the sibling hash values on the path from π_i to the root.
Kilian: communication
• # rounds: O(1)
• V → P communication: (# queries) · log(PCP length) + k = Õ(log n)
• P → V communication: (# queries) · [log(PCP length) · k + log |PCP alphabet|] = Õ(log² n)
(assuming standard PCP theorem + exponentially hard CRHF)
Transcript (P_arg ↔ V_arg): V sends f; P sends Commit(π); V sends i_1,…,i_q; P sends Reveal(π_{i_1},…,π_{i_q}).
Kilian: soundness
Claim: argument soundness error ≤ PCP soundness error + ε.
Proof sketch: if not, one can find a collision in f w.p. > ε/q by running P* with two random overlapping query sequences i_1,…,i_q and i'_1,…,i'_q after the same commitment.
N.B. "black-box" reduction making 3 queries to P*.
Transcript (P* ↔ V_arg): V sends f; P* sends Commit(π); V sends i_1,…,i_q; P* sends Reveal(π_{i_1},…,π_{i_q}).
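To make the commit/reveal step of Kilian's construction and the collision-extraction idea behind its soundness claim concrete, here is an added Python example; it is not code from the paper or the talk. It assumes SHA-256 truncated to k bytes as a stand-in for the collision-resistant family F, hashes each symbol π_i individually to form the leaves, requires a power-of-two PCP length, and uses a constructed 8-symbol proof string. The 2-byte toy parameter exists only so that a collision can actually be found and the extractor exercised; with the real 32-byte parameter no such pair of openings can be produced.

```python
import hashlib
from typing import Callable, List, Optional, Tuple

Hash = Callable[[bytes], bytes]


def make_hash(k_bytes: int) -> Hash:
    """Stand-in (assumption) for the CRHF f: {0,1}^2k -> {0,1}^k, modelled as
    SHA-256 truncated to k bytes. k_bytes=32 is the real setting; a tiny k_bytes
    is used below only to make a collision findable so the extractor runs."""
    return lambda data: hashlib.sha256(data).digest()[:k_bytes]


def merkle_commit(f: Hash, pi: List[bytes]) -> Tuple[bytes, List[List[bytes]]]:
    """Commit(pi): hash each symbol to a leaf, then hash sibling pairs up to the
    root. Returns the root (the short commitment sent to V) and all layers
    (kept by P so it can answer reveals)."""
    assert pi and len(pi) & (len(pi) - 1) == 0, "PCP length must be a power of two"
    layers = [[f(sym) for sym in pi]]
    while len(layers[-1]) > 1:
        prev = layers[-1]
        layers.append([f(prev[j] + prev[j + 1]) for j in range(0, len(prev), 2)])
    return layers[-1][0], layers


def merkle_reveal(layers: List[List[bytes]], i: int) -> List[bytes]:
    """Reveal(pi_i): the sibling hash at every level on the path from leaf i to
    the root, i.e. log(PCP length) values of k bytes, the per-query P->V cost."""
    path = []
    for layer in layers[:-1]:
        path.append(layer[i ^ 1])
        i >>= 1
    return path


def _path_inputs(f: Hash, i: int, sym: bytes, path: List[bytes]) -> Tuple[List[bytes], bytes]:
    """Recompute, bottom-up, every hash input implied by a claimed opening of
    position i, and return them with the root they lead to."""
    inputs, node = [sym], f(sym)
    for sib in path:
        inp = sib + node if i & 1 else node + sib  # left/right order from the bits of i
        inputs.append(inp)
        node = f(inp)
        i >>= 1
    return inputs, node


def merkle_verify(f: Hash, root: bytes, i: int, sym: bytes, path: List[bytes]) -> bool:
    """V's check that a revealed symbol is consistent with the commitment."""
    return _path_inputs(f, i, sym, path)[1] == root


def extract_collision(f: Hash, i: int, sym_a: bytes, path_a: List[bytes],
                      sym_b: bytes, path_b: List[bytes]) -> Optional[Tuple[bytes, bytes]]:
    """The step inside Kilian's reduction: two valid openings of the same position
    under the same root that disagree on pi_i must pass through a level where the
    hash inputs differ but the outputs agree, i.e. a collision in f."""
    ins_a, _ = _path_inputs(f, i, sym_a, path_a)
    ins_b, _ = _path_inputs(f, i, sym_b, path_b)
    for x, y in zip(ins_a, ins_b):
        if x != y and f(x) == f(y):
            return x, y
    return None


def find_toy_collision(f: Hash) -> Tuple[bytes, bytes]:
    """Birthday search; only feasible because the toy f has a 16-bit output."""
    seen = {}
    n = 0
    while True:
        x = n.to_bytes(4, "big")
        d = f(x)
        if d in seen:
            return seen[d], x
        seen[d] = x
        n += 1


def demo() -> Tuple[bool, bool, bool, Optional[Tuple[bytes, bytes]]]:
    # Real parameter k = 32 bytes; constructed sample PCP of 8 one-byte symbols.
    f = make_hash(32)
    pi = [bytes([c]) for c in b"10110010"]
    root, layers = merkle_commit(f, pi)
    honest_ok = all(merkle_verify(f, root, i, pi[i], merkle_reveal(layers, i)) for i in range(8))
    forged_ok = merkle_verify(f, root, 3, b"9", merkle_reveal(layers, 3))  # wrong symbol
    # Toy parameter k = 2 bytes: now two different symbols a, b with f(a) == f(b)
    # exist, so position 0 can be opened both ways and the extractor has work to do.
    g = make_hash(2)
    a, b = find_toy_collision(g)
    root2, layers2 = merkle_commit(g, [a] + [bytes(4)] * 7)
    path = merkle_reveal(layers2, 0)
    both_valid = merkle_verify(g, root2, 0, a, path) and merkle_verify(g, root2, 0, b, path)
    return honest_ok, forged_ok, both_valid, extract_collision(g, 0, a, path, b, path)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, True, (a, b))`: honest reveals verify, a reveal of a different symbol under the real parameter fails, and under the toy parameter the two valid but contradictory openings hand the extractor a collision. That extractor is exactly what the claim above relies on: whenever P* answers two overlapping query sequences inconsistently for a position they share, the reduction obtains a collision in f, so beyond the PCP soundness error a cheating prover can only succeed with probability bounded by the collision-finding advantage.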
Ishai-Kushilevitz-Ostrovsky '07
"Efficient" arguments using:
• a stronger crypto primitive (homomorphic encryption)
• a weaker PCP (exponentially long Hadamard-based PCP [ALMSS92])
IKO: communication
• # rounds: O(1)
• V → P communication: (# queries) · log(PCP length) + k = poly(n)
• P → V communication: (# queries) · [log(PCP length) · k + log |PCP alphabet|] = Õ(log n)
(assuming Hadamard PCP + exponentially hard hom-enc)
Transcript (P_arg ↔ V_arg): V sends f; P sends Hom-Commit(π); V sends i_1,…,i_q; P sends Hom-Reveal(π_{i_1},…,π_{i_q}).

Arguments ⇒ PCPs (our work)
Main Result
Argument system (V_arg, P_arg) w/ soundness based on a crypto primitive via a black-box reduction R
⇒ PCP with the following parameters:
• #Queries: #rounds(V_arg, P_arg) + #queries(R)
• Length: exp(V_arg → P_arg communication)
• Alphabet: exp(P_arg → V_arg communication)
• Soundness: unconditional
• Completeness: assuming the crypto primitive is secure
Matches [Kil92, IKO07].
Notion of Black-Box Reduction
• poly-time R s.t. if P* is any strategy making V_arg accept x ∉ L w.p. > s, then R^{P*}(x) "breaks" the primitive w.p. > ε
• poly-time T that tests whether R has broken the primitive (related to "falsifiability" [Nao06])
• #queries(R) := # queries to P* in T(R^{P*}(x))
Picture: x is the input to R; R makes oracle queries to P*; R's output is checked by T.
Example: Kilian's construction
R (on input x) sends f to P* and receives Commit(π); then, repeated poly(1/ε) times:
• send f, i_1,…,i_q and receive Reveal(π_{i_1},…,π_{i_q})
• send f, i'_1,…,i'_q and receive Reveal(π_{i'_1},…,π_{i'_q})
R outputs a collision a, b, which T checks.

Example: construction based on factoring
R (on input x and modulus N) interacts with P* and outputs factors p, q, which T checks.
Main Result (restated with the test T counted)
Argument system (V_arg, P_arg) w/ soundness based on a crypto primitive via a black-box reduction R
⇒ PCP with the following parameters:
• #Queries: #rounds(V_arg, P_arg) + #queries(R & T)
• Length: exp(V_arg → P_arg communication)
• Alphabet: exp(P_arg → V_arg communication)
• Soundness: unconditional
• Completeness: assuming the crypto primitive is secure
Matches [Kil92, IKO07].
Argument ⇒ PCP: Construction
(Honest) PCP proof oracle P_pcp: the next-message function of the argument prover P_arg.
PCP Verifier:
1. Run V_arg with oracle P_pcp. If V_arg rejects, reject.
2. Run the reduction R (& test T) with oracle P_pcp. If they break the primitive, reject.
3. Otherwise accept.

Argument ⇒ PCP: Soundness (x ∉ L)
If P* makes V_arg accept w.h.p. in Step 1, then R^{P*}(x) "breaks" the primitive, so Step 2 rejects.

Argument ⇒ PCP: Completeness (x ∈ L)
The reduction R and the honest P_pcp = P_arg are poly-time, so together they can't break a secure primitive, and Step 2 accepts.

Argument ⇒ PCP: Efficiency
• #Queries: #rounds(V_arg, P_arg) + #queries(R & T)
• Length: exp(V_arg → P_arg communication)
• Alphabet: exp(P_arg → V_arg communication)
Weakening the Assumptions
• Only need the crypto primitive to be secure vs. a fixed poly-time adversary (namely R^{P_arg}).
• If the honest P_arg only makes black-box access to the primitive, can sometimes weaken or eliminate assumptions using Nisan-Wigderson-type PRFs or poly(n)-wise independent hash functions.
Conclusions & Questions
We explain why existing efficient arguments use PCPs.
• Efficient arguments without PCPs? (Using a reduction that is either non-black-box or makes many queries to the cheating prover)
• New PCP constructions inspired by crypto?
• Deeper connection between arguments & PCPs?
• Do arguments in the random oracle model require PCPs?