Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT → MSR-SVC → IAS; Salil Vadhan, Harvard University


Post on 25-Feb-2016

Page 1: Are PCPs Inherent in Efficient Arguments?

Are PCPs Inherent in Efficient Arguments?

Guy Rothblum, MIT → MSR-SVC → IAS
Salil Vadhan, Harvard University

Page 2: Are PCPs Inherent in Efficient Arguments?

Probabilistic Proof Systems

P wants to convince V that x ∈ L

Completeness: If x ∈ L, then P convinces V w.h.p.

Soundness: If x ∉ L, no P* can convince V except w/ small prob. s
• Interactive Proofs: no P* can convince V
• PCPs: no memoryless oracle P* can convince V
• Arguments: no poly-time P* can convince V

Page 3: Are PCPs Inherent in Efficient Arguments?

Motivation for Arguments

• Perfect zero knowledge [BCC86]
• Can be much more efficient than interactive proofs
  – Communication [Kil92]
  – Expressive power [Mic94]
  – Verifier runtime [Mic94]

Based on PCPs

Question [IKO07]: Are PCPs necessary?

Page 4: Are PCPs Inherent in Efficient Arguments?

Cryptography, Zero Knowledge, Complexity

• Protocols [B82,...]
• Def of ZK, IP [GMR85]
• IP=PSPACE [LFKN90,S90]
• NP ⊆ ZK [GMW86]
• NP-completeness [C71,L73,K72]
• Secure Computation [Yao86,GMW87,BGW88,CCD88]
• Multiprover ZK [BGKW88]
• MIP=NEXP, PCP Theorem [BFL91...ALMSS92]
• Polylog-eff ZK Args [K92,M94]
• Random Oracle Model [FS86,BR93,CGH98]
• Concurrency [F90,DNS98]
• Diagonalization [T36]
• Non-BB Simulation [B01]
• …

Page 5: Are PCPs Inherent in Efficient Arguments?

High-Level Summary

• Previous work [Kil92,Mic94,BG02,IKO07]: PCPs ⇒ efficient arguments*
  *under various crypto assumptions

• Our results: Efficient arguments ⇒ PCPs*
  *assuming argument soundness based on a secure crypto primitive via an “efficient black-box reduction”

Page 6: Are PCPs Inherent in Efficient Arguments?

PCPs ⇒ Arguments

(previous work)

Page 7: Are PCPs Inherent in Efficient Arguments?

Kilian’s Construction [Kil92] (L in NP)

Prover Parg, verifier Varg, common input x.

1. Varg: choose collision-resistant hash function f. Varg → Parg: f
2. Parg: π = PCP pf that x ∈ L. Parg → Varg: “commit” to π
3. Varg: run Vpcp to get queries i1,…,iq. Varg → Parg: i1,…,iq. Parg → Varg: “reveal” πi1,…,πiq
4. Varg: accept if reveals valid & Vpcp accepts.

Page 8: Are PCPs Inherent in Efficient Arguments?

Short commitments

• Collision-resistant hash family: F = {f : {0,1}^2k → {0,1}^k} s.t. no poly-time alg can find collision in random f ← F except with negl. probability.

• Merkle Tree:

[Figure: Merkle tree over π: four f nodes, then two, then one at the root. Labels: Commit(π), πi, Reveal(πi).]

Page 9: Are PCPs Inherent in Efficient Arguments?

Kilian: communication

# rounds: O(1)

V → P communication: (# queries) · log(PCP length) + k = Õ(log n)

P → V communication: (# queries) · [log(PCP length) · k + log |PCP alphabet|] = Õ(log² n)

[Diagram: messages between Parg and Varg: f; Commit(π); i1,…,iq; Reveal(πi1,…,πiq)]

(assuming standard PCP thm + exponentially hard CRHF)
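The commit/reveal mechanism from the "Short commitments" slide and the P → V cost counted above, as an added example that is not part of the original slides. It assumes SHA-256 as a stand-in for f, adds domain-separation tags, uses hypothetical function names, and leaves out the Vpcp decision itself.

```python
import hashlib

K = 32  # bytes per hash value (k = 256 bits); SHA-256 stands in for f (assumption)

def f(left, right):
    """Compressing hash {0,1}^2k -> {0,1}^k; the 0x01 prefix is an added domain tag."""
    return hashlib.sha256(b"\x01" + left + right).digest()

def leaf(symbol):
    """Map one PCP symbol to a k-bit leaf value (0x00 tag keeps leaves and nodes apart)."""
    return hashlib.sha256(b"\x00" + symbol).digest()

def commit(pi):
    """Build the Merkle tree over pi; levels[-1][0] is the root, i.e. Commit(pi)."""
    if not pi or len(pi) & (len(pi) - 1):
        raise ValueError("PCP length must be a power of two")
    levels = [[leaf(s) for s in pi]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([f(cur[j], cur[j + 1]) for j in range(0, len(cur), 2)])
    return levels

def reveal(pi, levels, i):
    """Reveal(pi_i): the symbol and the sibling hash at each level below the root."""
    path, j = [], i
    for level in levels[:-1]:
        path.append(level[j ^ 1])
        j >>= 1
    return pi[i], path

def verify(root, depth, i, symbol, path):
    """Verifier's check: recompute the root from the symbol and its path."""
    if len(path) != depth or not 0 <= i < (1 << depth):
        return False
    node = leaf(symbol)
    for sibling in path:
        node = f(sibling, node) if i & 1 else f(node, sibling)
        i >>= 1
    return node == root

def run_queries(pi, queries):
    """Commit, open the queried positions, check them; return (ok, reveal bytes)."""
    levels = commit(pi)
    root, depth = levels[-1][0], len(levels) - 1
    openings = [reveal(pi, levels, i) for i in queries]
    ok = all(verify(root, depth, i, s, p) for i, (s, p) in zip(queries, openings))
    return ok, sum(len(s) + K * len(p) for s, p in openings)

PI = [bytes([b]) for b in b"constructed-PCP!"]  # 16 one-byte symbols, constructed sample
```

With 3 queries into the 16-symbol sample, the reveals cost 3 · (4 · 32 + 1) bytes, which is the (# queries) · [log(PCP length) · k + log |PCP alphabet|] term with the symbol counted as one byte.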

Page 10: Are PCPs Inherent in Efficient Arguments?

Kilian: soundness

Claim: argument soundness error ≤ PCP soundness error + ε

Proof sketch: If not, can find collision in f w.p. > ε/q by running P* w/ two random overlapping query sequences i1,…,iq , i’1,…,i’q .

N.B. “black-box” reduction making 3 queries to P*

[Diagram: messages between P* and Varg: f; Commit(π); i1,…,iq; Reveal(πi1,…,πiq)]

Page 11: Are PCPs Inherent in Efficient Arguments?

Ishai-Kushilevitz-Ostrovsky `07

“Efficient” arguments using:

• Stronger crypto primitive (homomorphic encryption)

• Weaker PCP (exponentially long Hadamard-based PCP [ALMSS92])

Page 12: Are PCPs Inherent in Efficient Arguments?

IKO: communication

# rounds: O(1)

V → P communication: (# queries) · log(PCP length) + k = poly(n)

P → V communication: (# queries) · [log(PCP length) · k + log |PCP alphabet|] = Õ(log n)

[Diagram: messages between Parg and Varg: f; Hom-Commit(π); i1,…,iq; Hom-Reveal(πi1,…,πiq)]

(assuming Hadamard PCP + exponentially hard hom-enc)

Page 13: Are PCPs Inherent in Efficient Arguments?

Arguments ⇒ PCPs

(our work)

Page 14: Are PCPs Inherent in Efficient Arguments?

Main Result

Argument system (Varg,Parg) w/ soundness based on a crypto primitive via a black-box reduction R

PCP with following parameters:

• #Queries: #rounds (Varg,Parg) + #queries(R)
• Length: exp(Varg→Parg communication)
• Alphabet: exp(Parg→Varg communication)

Soundness unconditional
Completeness assuming the crypto primitive is secure

Matches [Kil92,IKO07]

Page 15: Are PCPs Inherent in Efficient Arguments?

Notion of Black-Box Reduction

• poly-time R s.t. if P* is any strategy making Varg accept x ∉ L w.p. > s, then R^P*(x) “breaks” primitive w.p. > ε

• poly-time T that tests whether R has broken primitive (related to “falsifiability” [Nao06])

[Diagram: T, R, P*, with input x]

• # queries(R) := # queries to P* in T^(R^P*)(x)

Page 16: Are PCPs Inherent in Efficient Arguments?

Example: Kilian’s construction

[Diagram: T, R, P*, with input x. Labels between T and R: f; collision a,b. Labels between R and P*: f, Commit(π); f, i1,…,iq, Reveal(πi1,…,πiq); f, i’1,…,i’q, Reveal(πi’1,…,πi’q); repeat poly(1/ε) times.]

Page 17: Are PCPs Inherent in Efficient Arguments?

Example: construction based on factoring

[Diagram: T, R, P*, with input x. Labels between T and R: N; factors p,q.]

Page 18: Are PCPs Inherent in Efficient Arguments?

Main Result

Argument system (Varg,Parg) w/ soundness based on a crypto primitive via a black-box reduction R

PCP with following parameters:

• #Queries: #rounds (Varg,Parg) + #queries(R&T)
• Length: exp(Varg→Parg communication)
• Alphabet: exp(Parg→Varg communication)

Soundness unconditional
Completeness assuming the crypto primitive is secure

Matches [Kil92,IKO07]

Page 19: Are PCPs Inherent in Efficient Arguments?

Argument PCP: Construction

(Honest) PCP proof-oracle Ppcp: next-msg function of argument prover Parg

PCP Verifier:
1. Run Varg with Ppcp. If Varg rejects, reject.
2. Run reduction R (& test T) with Ppcp. If break primitive, then reject. Otherwise accept.

Page 20: Are PCPs Inherent in Efficient Arguments?

Argument PCP: Soundness

PCP Verifier:
1. Run Varg with Ppcp. If Varg rejects, reject.
2. Run reduction R (& test T) with Ppcp. If break primitive, then reject. Otherwise accept.

Soundness (x ∉ L): If P* makes Varg accept whp in Step 1, then R^P*(x) “breaks” primitive.

Page 21: Are PCPs Inherent in Efficient Arguments?

Argument PCP: Completeness

PCP Verifier:
1. Run Varg with Ppcp. If Varg rejects, reject.
2. Run reduction R (& test T) with Ppcp. If break primitive, then reject. Otherwise accept.

Completeness (x ∈ L): Reduction R and honest Ppcp=Parg are poly-time, so can’t break secure primitive.

Page 22: Are PCPs Inherent in Efficient Arguments?

Argument PCP: Efficiency

PCP Verifier:
1. Run Varg with Ppcp. If Varg rejects, reject.
2. Run reduction R (& test T) with Ppcp. If break primitive, then reject. Otherwise accept.

• #Queries: #rounds (Varg,Parg) + #queries(R&T)
• Length: exp(Varg→Parg communication)
• Alphabet: exp(Parg→Varg communication)

Page 23: Are PCPs Inherent in Efficient Arguments?

Weakening the Assumptions

• Only need crypto primitive secure vs. fixed poly-time adversary (namely R^Parg).

• If honest Parg only makes black-box access to primitive, can sometimes weaken or eliminate assumptions using Nisan-Wigderson-type PRFs or poly(n)-wise independent hash functions.

Page 24: Are PCPs Inherent in Efficient Arguments?

Conclusions & Questions

We explain why existing efficient arguments use PCPs.

• Efficient arguments without PCPs? (Using reduction that is either non-black-box or makes many queries to cheating prover)

• New PCP constructions inspired by crypto?

• Deeper connection between arguments & PCPs?

• Do arguments in random oracle model require PCPs?