How to Delegate Computations: The Power of No-Signaling Proofs Ron Rothblum Weizmann Institute Joint...

Post on 16-Dec-2015


How to Delegate Computations: The Power of No-Signaling Proofs

Ron Rothblum

Weizmann Institute

Joint work with Yael Kalai and Ran Raz

Delegation

Motivation: allow a computationally weak device to outsource computation to the cloud.

Delegation

A computationally weak device outsources its computation to the cloud.

Delegation

The device does not trust the cloud and so it wants to verify the result super-efficiently (say in linear-time).

Delegation

Focus of this talk: 1-round arguments.

x, query

f(x), proof

x ∈ L?

• Completeness: .

• Computational Soundness: and .

• Running time of :

• Running time of :

Prover Verifier

L ∈ DTIME(T)

Delegation

Prior Work

• 4-messages – [Kilian92]: For all of !

  – Assumes CRH.

• One-round (2-messages):

  – [Goldwasser-Kalai-Rothblum08, Kalai-Raz09]: for bounded-depth computation. Assume sub-exponential PIR.

Prior Work

• In other models:

  1. Random oracle model [Micali94]

  2. Preprocessing [Gennaro-Gentry-Parno10, Chung-Kalai-Vadhan10, Applebaum-Ishai-Kushilevitz10]

• Under non-falsifiable assumptions (e.g. KoE) [Groth10, Lipmaa12, Bitansky-Canetti-Chiesa-Tromer12a, Goldwasser-Lin-Rubinstein11, Damgard-Faust-Hazay12, Bitansky-Canetti-Chiesa-Tromer12b, Gennaro-Gentry-Parno-Raykova12].

• Non-falsifiable necessary* for [Gentry-Wichs11]

Main Result 1

Thm: Assuming sub-exponentially hard PIR Delegation for every language in with an time verifier and a time prover.

Communication is .

quasi-polynomially

(for any ).

Main Result 1 (General)

Thm: Assuming sub-exponentially hard PIR delegation for every language in with a time verifier and a prover.

๐‘˜=๐‘ ๐‘’๐‘๐‘ข๐‘Ÿ๐‘–๐‘ก๐‘ฆ ๐‘๐‘Ž๐‘Ÿ๐‘Ž๐‘š๐‘’๐‘ก๐‘’๐‘Ÿ

The Approach of [ABOR00]

[Aiello-Bhatt-Ostrovsky-Rajagopalan00] suggested constructing a delegation scheme by combining a Multi-Prover Interactive Proof-System with an FHE.

Actually PIR suffices, but it is easier to describe with FHE.

Multi Prover Interactive Proofs (MIP) [BenOr-Goldwasser-Kilian-Wigderson88]

[Diagram: verifier V and provers P_1, P_2, ..., P_l]

• Completeness:

• Soundness:

MIP = NEXP [Babai-Fortnow-Lund91]

Fully Homomorphic Encryption

[Diagram: Eval takes Enc_k(m) and a circuit C and outputs Enc_k(C(m))]

For this talk think of the output as a fresh encryption of

The [ABOR00] Protocol

[Diagram: V sends queries q_1, ..., q_l to provers P_1, ..., P_l and receives answers a_1, ..., a_l]

Take an protocol.

The [ABOR00] Protocol

[Diagram: V sends E_{k_1}(q_1), ..., E_{k_l}(q_l) to P_1, ..., P_l and receives E_{k_1}(a_1), ..., E_{k_l}(a_l)]

Encrypt the queries and answer homomorphically.

The [ABOR00] Protocol

[Diagram: V sends E_{k_1}(q_1), ..., E_{k_l}(q_l) to P_1, ..., P_l and receives E_{k_1}(a_1), ..., E_{k_l}(a_l)]

Simulate using a single prover.

The [ABOR00] Protocol

[Diagram: V and a single prover P]

Simulate using a single prover.

The [ABOR00] Protocol

Intuition: since the queries are encrypted under different keys, the prover cannot use one query to answer a different query.

[Dwork-Langberg-Naor-Nissim-Reingold01]: this intuition is false*!

[Kalai-Raz09]: correct for single prover interactive proofs.

We show: the protocol works if the MIP satisfies a stronger soundness condition called no-signaling soundness.

No-Signaling Prover Strategies

• Allow the provers a minimal form of communication.

• The answer of each prover may depend on the other queries as a function but must be independent as a random variable (RV).

No-Signaling Prover Strategies

A prover strategy for an MIP specifies for every a distribution .

Def: A prover strategy is no-signaling if for every and and

Def: A no-signaling MIP – for every no-signaling strategy the verifier rejects whp.

Example

[Diagram: V(x) sends q_1 to P_1(x) and q_2 to P_2(x) and receives a_1 and a_2]

Accept if

For some function

A no-signaling cheating strategy : and

Not contrived! Some PCP/MIP verifiers work this way.
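An added example, not from the talk: it checks the no-signaling condition on two-prover strategies and shows one that passes the check yet is always accepted. The acceptance rule a1 XOR a2 = f(q1, q2), the choice f = AND, and all function names are assumptions made here, since the slide's own formulas are not on the page.

```python
from fractions import Fraction
from itertools import product

BITS = (0, 1)

def f(q1, q2):
    # Assumed acceptance function (hypothetical; the slide's own f is not given).
    return q1 & q2

def xor_strategy(q1, q2):
    """No-signaling cheater: a1 is a uniform bit, a2 = a1 XOR f(q1, q2)."""
    return {(a1, a1 ^ f(q1, q2)): Fraction(1, 2) for a1 in BITS}

def echo_strategy(q1, q2):
    """Signaling strategy: prover 1 simply outputs prover 2's query."""
    return {(q2, 0): Fraction(1)}

def marginal(dist, i):
    """Distribution of prover i's answer on its own."""
    out = {}
    for answers, p in dist.items():
        out[answers[i]] = out.get(answers[i], 0) + p
    return out

def is_no_signaling(strategy):
    """Each prover's marginal may depend only on that prover's own query."""
    for q1, q2, other in product(BITS, repeat=3):
        if marginal(strategy(q1, q2), 0) != marginal(strategy(q1, other), 0):
            return False  # prover 1's answer leaks information about q2
        if marginal(strategy(q1, q2), 1) != marginal(strategy(other, q2), 1):
            return False  # prover 2's answer leaks information about q1
    return True

def acceptance(strategy):
    """Verifier draws (q1, q2) uniformly, accepts iff a1 XOR a2 == f(q1, q2)."""
    return sum(p / 4
               for q1, q2 in product(BITS, repeat=2)
               for (a1, a2), p in strategy(q1, q2).items()
               if a1 ^ a2 == f(q1, q2))

def best_local_acceptance():
    """Best acceptance over deterministic provers that see only their own query."""
    return max(
        Fraction(sum(s1[q1] ^ s2[q2] == f(q1, q2)
                     for q1, q2 in product(BITS, repeat=2)), 4)
        for s1, s2 in product(product(BITS, repeat=2), repeat=2))

if __name__ == "__main__":
    print(acceptance(xor_strategy), acceptance(echo_strategy), best_local_acceptance())
```

For this f, provers that see only their own query are accepted with probability at most 3/4, while the XOR strategy has uniform marginals for every query pair and is accepted with probability 1.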

Relation to Quantum MIP

• No-signaling strategies originally motivated by quantum MIPs – the (cheating) provers share an entangled quantum state.

• Entangled strategies are no-signaling.

• No-signaling soundness is likely to hold in future theories of physics (if information cannot travel faster than light).

The Power of No-Signaling Strategies

Def: is the class of languages with no-signaling MIPs with poly-time verifier.

• Known that:

[DLNNR01,Ito-Kobayashi-Matsumoto09,KR09, Ito10]

no-signaling strategies break the soundness of all known PCPs/MIPs.

• We show:

Main Technical Result

Suppose can be computed in time .

Thm: has no-signaling MIP with time verifier and time prover.

provers and total communication.

Corollary:

Proof Outline

1. Information Theoretic Step Construct an efficient no-signaling MIP for any language in (and scaled up for ).

2. Cryptographic Step Apply a general transformation

No-signaling MIP + PIR Delegation

Proof of Technical Result

(High Level Overview)

Proof Sketch

Suppose that can be computed in time and in space .

Construct a no-signaling for .

Our starting point is the [BFLS] PCP.

This talk – we assume

The Provers

Each prover generates the entire tableau of the computation.

[Diagram: tableau of the computation, with dimensions labeled T and S, running from the input bits to the output bit]

Every layer is computed by applying gates to the previous layer.

The provers encode the computation via the [BFLS] PCP.

The Provers

Each (honest) prover expects to be queried on a single point in the PCP and answers accordingly.

The Provers

• The verifier generates the PCP queries.

• Randomly permutes the queries and sends to the provers.

• Also explicitly checks input and output gates.

• Accepts the answers if PCP verifier accepts and input/output gates are correct.

The Verifier

No-Signaling Soundness

Challenges in NS setting:

• Each answer depends on other provers’ queries.

• No low degree test.

• No parallel repetition.

• Cheating provers are randomized.

• Assume that we have a no-signaling cheating prover strategy that succeeds with probability (think of as tiny).

• Once we fix the provers, their answers as RVs are defined, so we can send “crazy” queries and see how they answer.

• Will derive a contradiction.

No-Signaling Soundness

“Reading” a point = query provers on a random line that goes through the point and interpolate answers to get the value.
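An added example, not from the talk, of reading a point along a random line: the value at z is recovered from queries at other points of the line, so z itself is never sent to any prover. It assumes an honest encoding that is a low-degree polynomial; the field size P, the polynomial poly and all function names are constructed for illustration.

```python
import random

P = 101      # small prime field F_P (constructed for illustration)
DEGREE = 3   # total degree of the constructed encoding below

def poly(x):
    """Constructed stand-in for the prover's encoding: degree 3 over F_P."""
    x0, x1, x2 = x
    return (5 * x0 * x1 * x2 + 7 * x0 * x0 + 3 * x2 + 11) % P

def line_points(z, r):
    """Points z + t*r for t = 1..DEGREE+1; the point z itself sits at t = 0."""
    ts = list(range(1, DEGREE + 2))
    return ts, [tuple((zi + t * ri) % P for zi, ri in zip(z, r)) for t in ts]

def interpolate_at_zero(ts, values):
    """Lagrange-interpolate the restriction to the line and evaluate at t = 0."""
    total = 0
    for i, (ti, vi) in enumerate(zip(ts, values)):
        num = den = 1
        for j, tj in enumerate(ts):
            if j != i:
                num = num * (0 - tj) % P
                den = den * (ti - tj) % P
        total = (total + vi * num * pow(den, -1, P)) % P
    return total

def read_point(z, oracle, rng=random):
    """Read oracle's value at z via a uniformly random line through z."""
    r = [rng.randrange(P) for _ in z]
    ts, points = line_points(z, r)
    # Each query would go to a different prover.
    return interpolate_at_zero(ts, [oracle(q) for q in points])

if __name__ == "__main__":
    z = (4, 9, 2)  # constructed sample point
    print(read_point(z, poly), poly(z))
```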

Reading a Point

Fix some gate of the computation.

Reading a Point

X Y Z

Lemma: Can “read a gate” in the tableau so that with probability the 3 values will be “consistent”.

Proof of lemma uses algebraic PCP-like techniques.

Lemma

Simultaneously “read” all points in the tableau.

For every gate, wp by the lemma (and using no-signaling) we get a consistent value

By union bound, wp we get global consistency.

Since we check input/output gates, the verifier must reject.

First Attempt

• Major problem: not enough provers!

• We wanted to query points but we do not have so many provers.

• Number of queries s verifier running time.

First Attempt

Second Attempt

Inputs correct wp

Look at some gate in the second layer.

Consistent wp

Second Attempt

Correct wp

Look at some gate in the second layer.

Second Attempt

By no-signaling still correct wp

Look at some gate in the second layer.

Second Attempt

Similarly, correct wp

Look at neighbor of the gate.

Second Attempt

Both inputs correct wp

Gate at 3rd layer.

Consistent wp

Second Attempt

output correct wp

Gate at 3rd layer.

Second Attempt

• Error grows exponentially in the depth.

• Gives delegation for low-depth computation (already known via [GKR08+KR09]).

Third Attempt

Use provers!

Lower layer correct wp

Upper layer consistent wp

Third Attempt

Use provers!

Correct wp

Third Attempt

By no-signaling still correct wp

Use provers!

Consistent wp

Third Attempt

upper layer is correct wp

Use provers!

Third Attempt

top layer is correct wp

• Number of provers so running time is roughly .

• Gives delegation for languages that can be computed in linear space.

• For construction is more complicated.

Third Attempt

Missing Details…

• Construction for .

• We assumed provers cheat wp (parallel rep. is not known for no-signaling MIP).

• Formalizing “reading” and proving the lemma.

• …

Summary

• Crypto result: Delegation for every language in with time verification (assuming PIR).

• Information-theoretic result: .

Thanks!