Are PCPs Inherent in Efficient Arguments?
Guy Rothblum, MIT ⇒ MSR-SVC ⇒ IAS
Salil Vadhan, Harvard University
Probabilistic Proof Systems
P wants to convince V that x ∈ L
Completeness: If x ∈ L, then P convinces V w.h.p.
Soundness: If x ∉ L, no P* can convince V except w/ small prob. s
• Interactive Proofs: no P* can convince V
• PCPs: no memoryless oracle P* can convince V
• Arguments: no poly-time P* can convince V
Motivation for Arguments
• Perfect zero knowledge [BCC86]
• Can be much more efficient than interactive proofs
– Communication [Kil92]
– Expressive power [Mic94]
– Verifier runtime [Mic94]
Based on PCPs
Question [IKO07]: Are PCPs necessary?
Cryptography / Zero Knowledge / Complexity
• Protocols [B82,...]
• Def of ZK, IP [GMR85]
• IP=PSPACE [LFKN90,S90]
• NP ⊆ ZK [GMW86]
• NP-completeness [C71,L73,K72]
• Secure Computation [Yao86,GMW87,BGW88,CCD88]
• Multiprover ZK [BGKW88]
• MIP=NEXP, PCP Theorem [BFL91...ALMSS92]
• Polylog-eff ZK Args [K92,M94]
• Random Oracle Model [FS86,BR93,CGH98]
• Concurrency [F90,DNS98]
• Diagonalization [T36]
• Non-BB Simulation [B01]
…
High-Level Summary
• Previous work [Kil92,Mic94,BG02,IKO07]: PCPs ⇒ efficient arguments*
*under various crypto assumptions
• Our results: Efficient arguments ⇒ PCPs*
*assuming argument soundness based on a secure crypto primitive via an “efficient black-box reduction”
PCPs ⇒ Arguments (previous work)
Kilian’s Construction [Kil92]
(L in NP)
prover Parg, verifier Varg, common input x
1. Varg → Parg: choose collision-resistant hash function f; send f
2. Parg → Varg: π = PCP proof that x ∈ L; “commit” to π
3. Varg → Parg: run Vpcp to get queries i1,…,iq; send i1,…,iq
   Parg → Varg: “reveal” πi1,…,πiq
4. Accept if reveals valid & Vpcp accepts.
Short commitments
• Collision-resistant hash family: F = {f : {0,1}^2k → {0,1}^k} s.t. no poly-time alg can find collision in random f ← F except with negl. probability.
• Merkle Tree:
[Figure: Merkle tree over π built from f; labels: π, Commit(π), πi, Reveal(πi)]
Kilian: communication
# rounds: O(1)
V→P communication: (# queries) · log(PCP length) + k = Õ(log n)
P→V communication: (# queries) · [log(PCP length) · k + log |PCP alphabet|] = Õ(log² n)
[Diagram: Parg ↔ Varg messages: f, Commit(π), i1,…,iq, Reveal(πi1,…,πiq)]
(assuming standard PCP thm + exponentially hard CRHF)
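The Merkle-tree Commit/Reveal from the “Short commitments” slide, together with the per-query opening size that appears in the P→V bound above, as an added Python example that is not from the original slides. SHA-256 stands in for f, the authentication-path form of Reveal is the standard Merkle construction, and the function names and the 8-symbol proof string are constructed for illustration.

```python
import hashlib

K = 32  # hash output in bytes (k = 256 bits); SHA-256 stands in for f, an assumption

def f(left, right):
    # Inner node: maps 2k bits to k bits. The 0x01 prefix separates nodes from leaves.
    return hashlib.sha256(b"\x01" + left + right).digest()

def leaf(symbol):
    # Each proof symbol is first hashed down to k bits.
    return hashlib.sha256(b"\x00" + symbol).digest()

def build_tree(pi):
    # Returns all levels: levels[0] = leaf hashes, levels[-1] = [root].
    if not pi or len(pi) & (len(pi) - 1):
        raise ValueError("proof length must be a power of two")
    levels = [[leaf(s) for s in pi]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([f(prev[j], prev[j + 1]) for j in range(0, len(prev), 2)])
    return levels

def commit(pi):
    # Commit(pi): the k-bit root, independent of the proof length.
    return build_tree(pi)[-1][0]

def reveal(pi, i):
    # Reveal(pi_i): the symbol plus one sibling hash per level (authentication path).
    path, j = [], i
    for level in build_tree(pi)[:-1]:
        path.append(level[j ^ 1])
        j //= 2
    return pi[i], path

def verify(root, n, i, symbol, path):
    # Verifier side: recompute the root from the opening; n is the PCP length.
    if not 0 <= i < n or len(path) != n.bit_length() - 1:
        return False
    node = leaf(symbol)
    for sibling in path:
        node = f(node, sibling) if i % 2 == 0 else f(sibling, node)
        i //= 2
    return node == root

def opening_bytes(n, symbol_len):
    # Bytes sent per query: log(PCP length) * k plus the symbol, as in the P->V bound.
    return (n.bit_length() - 1) * K + symbol_len

PI = [bytes([c]) for c in b"10110100"]  # constructed 8-symbol proof string
```

An opening for position i only verifies at position i, because the left/right order at each level is fixed by the bits of i; this is what binds the prover to one symbol per query.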
Kilian: soundness
Claim: argument soundness error ≤ PCP soundness error + ε
Proof sketch: If not, can find collision in f w.p. > ε/q by running P* w/ two random overlapping query sequences i1,…,iq , i’1,…,i’q .
N.B. “black-box” reduction making 3 queries to P*
[Diagram: P* ↔ Varg messages: f, Commit(π), i1,…,iq, Reveal(πi1,…,πiq)]
Ishai-Kushilevitz-Ostrovsky ’07
“Efficient” arguments using:
• Stronger crypto primitive (homomorphic encryption)
• Weaker PCP (exponentially long Hadamard-based PCP [ALMSS92])
IKO: communication
# rounds: O(1)
V→P communication: (# queries) · log(PCP length) + k = poly(n)
P→V communication: (# queries) · [log(PCP length) · k + log |PCP alphabet|] = Õ(log n)
[Diagram: Parg ↔ Varg messages: f, Hom-Commit(π), i1,…,iq, Hom-Reveal(πi1,…,πiq)]
(assuming Hadamard PCP + exponentially hard hom-enc)
Arguments ⇒ PCPs (our work)
Main Result
Argument system (Varg,Parg) w/ soundness based on a crypto primitive via a black-box reduction R
PCP with following parameters:
• #Queries: #rounds(Varg,Parg) + #queries(R)
• Length: exp(Varg→Parg communication)
• Alphabet: exp(Parg→Varg communication)
Soundness unconditional
Completeness assuming the crypto primitive is secure
Matches [Kil92,IKO07]
Notion of Black-Box Reduction
• poly-time R s.t. if P* is any strategy making Varg accept x ∉ L w.p. > s, then R^P*(x) “breaks” primitive w.p. > ε
• poly-time T that tests whether R has broken primitive (related to “falsifiability” [Nao06])
• # queries(R) := # queries to P* in T^(R^P*)(x)
[Diagram: R between T and P*, input x]
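Example: Kilian’s construction
[Diagram: R between T and P*, input x. T → R: f; R → T: collision a,b. R’s queries to P*: f, answered by Commit(π); f, i1,…,iq, answered by Reveal(πi1,…,πiq); f, i’1,…,i’q, answered by Reveal(πi’1,…,πi’q). Repeat poly(1/ε) times.]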
Example: construction based on factoring
[Diagram: R between T and P*, input x. T → R: N; R → T: factors p,q.]
Main Result
Argument system (Varg,Parg) w/ soundness based on a crypto primitive via a black-box reduction R
PCP with following parameters:
• #Queries: #rounds(Varg,Parg) + #queries(R&T)
• Length: exp(Varg→Parg communication)
• Alphabet: exp(Parg→Varg communication)
Soundness unconditional
Completeness assuming the crypto primitive is secure
Matches [Kil92,IKO07]
Argument ⇒ PCP: Construction
(Honest) PCP proof-oracle Ppcp: next-msg function of argument prover Parg
PCP Verifier:
1. Run Varg with Ppcp. If Varg rejects, reject.
2. Run reduction R (& test T) with Ppcp. If break primitive, then reject. Otherwise accept.
Argument ⇒ PCP: Soundness
PCP Verifier:
1. Run Varg with Ppcp. If Varg rejects, reject.
2. Run reduction R (& test T) with Ppcp. If break primitive, then reject. Otherwise accept.
Soundness (x ∉ L): If P* makes Varg accept whp in Step 1, then R^P*(x) “breaks” primitive.
Argument ⇒ PCP: Completeness
PCP Verifier:
1. Run Varg with Ppcp. If Varg rejects, reject.
2. Run reduction R (& test T) with Ppcp. If break primitive, then reject. Otherwise accept.
Completeness (x ∈ L): Reduction R and honest Ppcp=Parg are poly-time, so can’t break secure primitive.
Argument ⇒ PCP: Efficiency
PCP Verifier:
1. Run Varg with Ppcp. If Varg rejects, reject.
2. Run reduction R (& test T) with Ppcp. If break primitive, then reject. Otherwise accept.
• #Queries: #rounds(Varg,Parg) + #queries(R&T)
• Length: exp(Varg→Parg communication)
• Alphabet: exp(Parg→Varg communication)
Weakening the Assumptions
• Only need crypto primitive secure vs. fixed poly-time adversary (namely R^Parg).
• If honest Parg only makes black-box access to primitive, can sometimes weaken or eliminate assumptions using Nisan-Wigderson-type PRFs or poly(n)-wise independent hash functions.
Conclusions & Questions
We explain why existing efficient arguments use PCPs.
• Efficient arguments without PCPs? (Using reduction that is either non-black-box or makes many queries to cheating prover)
• New PCP constructions inspired by crypto?
• Deeper connection between arguments & PCPs?
• Do arguments in random oracle model require PCPs?