1 / 33

Competing Provers Protocols for Circuit Evaluation

Competing Provers Protocols for Circuit Evaluation. Gillat Kol joint work with Ran Raz. Delegation of Computation. Delegation of Computation.

jersey
Download Presentation

Competing Provers Protocols for Circuit Evaluation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Competing Provers Protocols for Circuit Evaluation Gillat Kol joint work with Ran Raz

  2. Delegation of Computation

  3. Delegation of Computation A computationally weak verifier (client) wants to delegate computation to a more powerful untrusted (buggy, dishonest,…) prover (cloud, server) The prover needs to convince the verifier that the computation was performed correctly data result

  4. Interactive Proof (IP) Protocols IP Setting: A poly-time verifier wants to compute f(x) with the help of a computationally-unboundedprover, where f,x are known to both IP Protocol for f:Strategies for the verifier and prover. After interacting, the verifier outputs a guess for f(x): either 0, 1 or “?” (don’t know). Whp: Prover follows his strategy  Verifier outputs f(x) Else, the verifier outputs (whp) either f(x) or “?”

  5. Delegation Protocols Delegation Protocol for f: An IP protocol for f, where additionally: The verifier is almost-linear-time (npolylog(n)) The honestprover is poly-time (Soundness against an unboundedprover) More realistic setting… Theorem[S‘92,LFKN‘92]:IP = PSPACE with poly(n) rounds Doesnot yield a delegation protocol, parties do not meet the additional complexity demands

  6. Previous Result [GKR‘08] Theorem [GKR‘08]: Let C be a log-space uniform circuit of size s and depth d. Interactive Proof protocol for C with Communication rounds:dpolylog(s) Bits exchanged: dpolylog(s) Prover’s complexity:poly(s) Verfier’s complexity:(d+n)polylog(s) allows a fast access to the structure of C The Class P • For log-space uniform, poly-size, linear-depth circuits we get a delegation protocol

  7. Delegation to Several Provers

  8. Delegation to Several Provers • Our Motivation:In real life, one can delegate to more than one prover

  9. Delegation to Several Provers Our Motivation:In real life, one can delegate to more than one prover Assumption: From now on assume that at least one of the provers is reliable Observation: In this case, the verifier can always learn the correct value: Run a delegation protocol with each prover separately

  10. Is More Merrier? Our Work:Can we get protocols with less communication by delegating to several provers instead of just one? Main Challenge: Suppose we ask all the provers for f(x) If they all agree, it must be the correct value But, if they don’t, how do we tell who’s reliable? Idea: The provers now compete on the verifier’s trust. The verifier can use the provers one against the other: Use the first proverto validate the claims of the second…

  11. Competing Provers (CP) Protocols CP Setting[FST‘88]:A poly-time verifier wants to compute f(x) with the help of 2computationally-unboundedproversP0and P1, where f,x are known to all CP Protocol for f:Strategies for the verifier and provers. After interacting, the verifier outputs a guess for f(x): either 0or 1 One of the provers follows his strategy  Verifier outputs f(x) (whp) Observation: Wlog, may assume that at the beginning P0 claimsf(x) = 0, while P1claimsf(x) = 1. Hence, P0 and P1 are Competing Provers

  12. CP Delegation Protocols CP Delegation Protocol for f: A CP protocol for f, where additionally: The verifier is almost-linear-time The honest provers are poly-time (Soundness against unboundedprovers) Theorem [FK‘97]: CP = EXP with poly(n)rounds CP = PSAPCE with 1 round Doesnot yield CP delegation protocols, parties do not meet the additional complexity demands

  13. Our Result Theorem: Let C be a log-space uniform circuit of size s and depth d. rCompeting Provers protocol for C with Communication rounds:r Bits exchanged: d1/rpolylog(s) Provers’complexity:poly(s) Verfier’s complexity:(d1/r+n)polylog(s) in GKR dpolylog(s) in GKR (d+n)polylog(s) • r = 1 Bits exchanged:dpolylog(s) (independently proved by [CRR]) • r = O(log(d)/loglog(s))Bits exchanged:polylog(s)

  14. Our Result Theorem: Let C be a log-space uniform circuit of size s and depth d. rCompeting Provers protocol for C with Communication rounds:r Bits exchanged: d1/rpolylog(s) Provers’complexity:poly(s) Verfier’s complexity:(d1/r+n)polylog(s) in GKR dpolylog(s) in GKR (d+n)polylog(s) • We give a delegation protocol for every language in P

  15. Another Application Communication Complexity & Circuit Lower Bounds [AW‘09]

  16. Communication Complexity Setting: Alice and Bob are computationally-unbounded players Alice has input x and Bob has input y The players’ mutualgoal is computing f(x,y)with the least amount of communication between them

  17. Communication Complexity with CP • New Setting: Alice andBobwant to computef(x,y) with the help of Competing Proverswith the least amount of communication between all parties • fis known to all, Alice knows x, Bob knows y, Provers know both x and y • P0 claims f(x,y)= 0, while P1claims f(x,y) = 1 • Each party can communicate with every other party

  18. Corollary of Our Result Corollary: Let C(x,y)be a circuit of size s and depth d. rCommunication Complexity protocol with Competing ProversforC with • Communication rounds:r • Bits exchanged: d1/rpolylog(s) • The corollary follows easily from the proof of our theorem, using the approach of [AW‘09] • For example, if CNC then a 1-round protocol exchanges polylog(n) bits s = poly(n), d = polylog(n)

  19. Circuit Lower-Bounds Our corollary can be viewed as a possible direction towards proving circuit lower-bounds For example, in order to prove fNC, it suffices to show: Any 1-round Communication Complexity protocol with Competing Proversfor f requires the exchange of (polylog(n)) bits Relatively simple combinatorial property that implies strong lower bounds

  20. Proof of Main Theorem for r=1(sketch of sketch)

  21. Main Ingredient I: [GKR‘08]Delegation to a Single Prover

  22. Fix circuit C of size s and depth d, and an input x Enumerate C’s layers: layer 0= output, layer d= inputs Let Li be the vector of values of layer i’s gates when C is evaluated on x Representing the Circuit output C(x) • Let Vi = LDE(Li) • V0(0m) = C(x),Vd= LDE(x) • The verifier knowsVd(r) • for r unknown to the prover, • and wants to compute V0(0m) V0 V1 . . . C Vd-1 Vd input x

  23. Let z0 =0m and zd= r The prover sends V0(z0) = C(x) For i = 1,…,d Reduce knowing a value in a layer to knowing a random value in the layer below: The verifier randomly selects zi, and reduces the correctness of the claim “vi-1 = Vi-1(zi-1)” to the correctness of the claim “vi = Vi(zi)” using the prover Finally, the verifier checks Vd(zd) The Protocol of [GKR‘08] . . . vi-1 vi . . . output C(x) V0 Vi-1 C Vi Vd input x

  24. Claim: A point in layer i-1 is a degree-2 polynomial in the values of the gates of layer i Vi-1(z) = w,w’HmCz,w,w’ Li (w) Li (w’) Proof: Vi-1= LDE(Li-1), thus a point in Vi-1is a linear combination of points in Li-1 (the values of layer i-1’s gates) Connection Between Layers MULT • The value of a gate in layer i-1 is a degree-2 polynomial in the values of its two children in layer i layeri-1 z w w’ layeri Li-1(z) = Li (w)Li (w’)

  25. The reduction between the layers is via a standard IP protocol called Sum-Check [LFKN‘92] Central in PCPs, IP = PSPACE, MIP = NEXP, … Allows computing xHmg(x)for a low-degree g, when the verifier knows g(r) for randomrFm, unknown to the prover (the verifier “tests” the prover on r) Sum-Check can be used to reduce layer i-1 to layer i as: Recall: A point in layer i-1 is a deg-2 poly in layer i polynomial = sum of monomials The prover does not know the test point ziuntil the next iteration Sum-Check Protocol

  26. Main Ingredient II: [FK‘97]Sum-Check for Competing Provers

  27. Recall: IP = PSPACE with poly(n)rounds [S‘92] Proof uses the poly(n)-rounds IPSum-Check protocol of[LFKN‘92] Recall: CP = PSAPCE with 1 round[FK‘97] Proof constructs a 1-round CP Sum-Check protocol Sum-Check for CP

  28. Combining Main Ingredients

  29. Our Goal: Reduce dpolylog(s) rounds to 1 First Attempt: Implement iteration i of GKR using the 1-round Competing ProversSum-Check protocol of FK Problem: Still requires d rounds Second Attempt: Run all d Sum-Checks simultaneously–Theverifier sends all z1,…,zdat once, provers reply to all Problem: During iteration i, provers mustn’t know the test point zi Combining Main Ingredients

  30. Main Idea:Disguisez1,…,zd i, the verifier gives the proversa low-degree curve i:FFmthat passes throughzi(instead of ziitself) The parties run dSum-Checks simultaneously, one for each layer The ithSum-Check uses i-1 instead of zi-1, and iinstead of zi. I.e., it computes Vi-1(z) for all the points zoni-1, using any of the points ronias a test point The proof relies on the fact that the replies of the honest provers are low-degree polynomialsin the zivariables Main Idea i • zi

  31. The verifier checks the replies (low-deg polynomials H) in an alternating order (one of P0 and one of P1) When reply H is checked, the verifier already knows a point on H using a previous reply G of the other prover E.g., assume H(t) = ((t)) and G(t) = ((t)) ( is a low-degfunc, , are intersecting low-deg curves).Knowing G implies knowing a point on H If a proversends an incorrect reply, it disagrees with the correct reply on the known point whp (both are low-deg) Verifier’s Check Algo

  32. Generalization to rrounds and d1/rpolylog(s) bits: Setk = d1/r.Run r-1 rounds of a k-ary search to find layers i > j,i-j = k s.t. the provers agree on a point on Vi but disagree on a point on Vj Run the 1-round protocol on the subcircuitC’ of depth k obtained from layers j…i of C Our Result Requires More Work… output C(x) V0 • Getting a very efficient verifier (assuming log-space uniformity) V1 j C’ . . . C i Vd-1 Vd input x

  33. Thank You!

More Related