How to Delegate Computations: The Power of No-Signaling Proofs Ron Rothblum Weizmann Institute Joint...
How to Delegate Computations: The Power of No-Signaling Proofs
Ron Rothblum, Weizmann Institute
Joint work with Yael Kalai and Ran Raz
Delegation
Motivation: allow a computationally weak device to outsource computation to the cloud.
Delegation
A computationally weak device outsources its computation to the cloud.
Delegation
The device does not trust the cloud and so it wants to verify the result super-efficiently (say in linear-time).
Delegation
Focus of this talk: 1-round arguments.
[Diagram: Prover and Verifier, with $L \in DTIME(T)$; the messages are ($x$, query) and ($f(x)$, proof), and the question is whether $x \in L$.]
• Completeness: .
• Computational Soundness: and .
• Running time of :
• Running time of :
Delegation
Prior Work
• 4-messages:
  – [Kilian92]: For all of !
  – Assumes CRH.
• One-round (2-messages):
  – [Goldwasser-Kalai-Rothblum08, Kalai-Raz09]: for bounded-depth computation. Assume sub-exponential PIR.
Prior Work
• In other models:
  1. Random oracle model [Micali94]
  2. Preprocessing [Gennaro-Gentry-Parno10, Chung-Kalai-Vadhan10, Applebaum-Ishai-Kushilevitz10]
• Under non-falsifiable assumptions (e.g. KoE) [Groth10, Lipmaa12, Bitansky-Canetti-Chiesa-Tromer12a, Goldwasser-Lin-Rubinstein11, Damgard-Faust-Hazay12, Bitansky-Canetti-Chiesa-Tromer12b, Gennaro-Gentry-Parno-Raykova12].
• Non-falsifiable necessary* for [Gentry-Wichs11]
Main Result 1
Thm: Assuming sub-exponentially hard PIR Delegation for every language in with an time verifier and a time prover.
Communication is .
quasi-polynomially
(for any ).
Main Result 1 (General)
Thm: Assuming sub-exponentially hard PIR delegation for every language in with a time verifier and a prover.
$k$ = security parameter
The Approach of [ABOR00]
[Aiello-Bhatt-Ostrovsky-Rajagopalan00] suggested constructing a delegation scheme by combining a Multi-Prover Interactive Proof-System with an FHE.
(Actually PIR suffices, but it is easier to describe with FHE.)
Multi Prover Interactive Proofs (MIP) [BenOr-Goldwasser-Kilian-Wigderson88]
[Diagram: the verifier $V$ interacting with provers $P_1, P_2, \dots, P_l$.]
• Completeness:
• Soundness:
$MIP = NEXP$ [Babai-Fortnow-Lund91]
Fully Homomorphic Encryption
[Diagram: Eval takes $Enc_k(m)$ and a circuit $C$ and outputs $Enc_k(C(m))$.]
For this talk think of the output as a fresh encryption of
The [ABOR00] Protocol
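[Diagram: the verifier $V$ sends queries $q_1, \dots, q_l$ to provers $P_1, \dots, P_l$ and receives answers $a_1, \dots, a_l$.]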
Take an protocol.
The [ABOR00] Protocol
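Encrypt the queries and answer homomorphically.
[Diagram: the verifier $V$ sends $E_{k_1}(q_1), \dots, E_{k_l}(q_l)$ to provers $P_1, \dots, P_l$ and receives $E_{k_1}(a_1), \dots, E_{k_l}(a_l)$.]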
The [ABOR00] Protocol
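Simulate using a single prover.
[Diagram: the verifier $V$ sends $E_{k_1}(q_1), \dots, E_{k_l}(q_l)$ to provers $P_1, \dots, P_l$ and receives $E_{k_1}(a_1), \dots, E_{k_l}(a_l)$.]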
The [ABOR00] Protocol
[Diagram: a single prover $P$ and the verifier $V$.]
Simulate using a single prover.
The [ABOR00] Protocol
Intuition: since the queries are encrypted under different keys, the prover cannot use one query to answer a different query.
[Dwork-Langberg-Naor-Nissim-Reingold01]: this intuition is false*!
[Kalai-Raz09]: correct for single prover interactive proofs.
We show: the protocol works if the MIP satisfies a stronger soundness condition called no-signaling soundness.
No-Signaling Prover Strategies
• Allow the provers a minimal form of communication.
• The answer of each prover may depend on the other queries as a function but must be independent of them as a random variable (RV).
No-Signaling Prover Strategies
A prover strategy for an MIP specifies for every a distribution .
Def: A prover strategy is no-signaling if for every and and
Def: A no-signaling MIP – for every no-signaling strategy the verifier rejects whp.
Example
[Diagram: the verifier $V(x)$ sends queries $q_1$, $q_2$ to provers $P_1(x)$, $P_2(x)$ and receives answers $a_1$, $a_2$.]
Accept if
For some function
A no-signaling cheating strategy : and
Not contrived! Some PCP/MIP verifiers work this way.
Relation to Quantum MIP
• No-signaling strategies originally motivated by quantum MIPs – the (cheating) provers share an entangled quantum state.
• Entangled strategies are no-signaling.
• No-signaling soundness is likely to hold in future theories of physics (if information cannot travel faster than light).
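An added illustration of the no-signaling definition above (not from the talk): it checks the two-prover condition that each prover's answer distribution depends only on that prover's own query, using the standard CHSH predicate and "PR box" strategy as a constructed game. The PR box passes the no-signaling check and is accepted with probability 1, while provers that each see only their own query reach at most 3/4; all function names are assumptions of this example.

```python
from fractions import Fraction
from itertools import product

BITS = (0, 1)
QUERIES = list(product(BITS, repeat=2))  # constructed query space: (q1, q2)

def marginal(strategy, q, prover):
    """Distribution of one prover's answer when the query pair is q."""
    dist = {0: Fraction(0), 1: Fraction(0)}
    for answers, p in strategy[q].items():
        dist[answers[prover]] += p
    return dist

def is_no_signaling(strategy):
    """True iff each prover's marginal depends only on that prover's own query."""
    return all(marginal(strategy, q, i) == marginal(strategy, r, i)
               for i in (0, 1) for q in QUERIES for r in QUERIES if q[i] == r[i])

def chsh_accepts(q, a):
    """Constructed verifier predicate: accept iff a1 XOR a2 == q1 AND q2."""
    return (a[0] ^ a[1]) == (q[0] & q[1])

def success_probability(strategy, accepts):
    """Acceptance probability when the query pair is uniformly random."""
    hit = sum((p for q in QUERIES for a, p in strategy[q].items() if accepts(q, a)),
              Fraction(0))
    return hit / len(QUERIES)

def pr_box():
    """Jointly sampled answers: a1 uniform, a2 = a1 XOR (q1 AND q2)."""
    return {q: {(a1, a1 ^ (q[0] & q[1])): Fraction(1, 2) for a1 in BITS}
            for q in QUERIES}

def signaling_strategy():
    """The first prover answers with the other prover's query, leaking q2."""
    return {q: {(q[1], q[1] ^ (q[0] & q[1])): Fraction(1)} for q in QUERIES}

def best_local_success(accepts):
    """Best deterministic provers that each see only their own query."""
    return max(
        success_probability({q: {(f1[q[0]], f2[q[1]]): Fraction(1)} for q in QUERIES},
                            accepts)
        for f1 in product(BITS, repeat=2) for f2 in product(BITS, repeat=2))

if __name__ == "__main__":
    for name, s in (("PR box", pr_box()), ("signaling", signaling_strategy())):
        print(name, is_no_signaling(s), success_probability(s, chsh_accepts))
    print("best local:", best_local_success(chsh_accepts))
```

The gap between 3/4 and 1 is the kind of soundness loss a verifier must rule out before it can be used in the [ABOR00]-style transformation.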
The Power of No-Signaling Strategies
Def: is the class of languages with no-signaling MIPs with poly-time verifier.
• Known that:
[DLNNR01,Ito-Kobayashi-Matsumoto09,KR09, Ito10]
no-signaling strategies break the soundness of all known PCPs/MIPs.
• We show:
Main Technical Result
Suppose can be computed in time .
Thm: has no-signaling MIP with time verifier and time prover.
provers and total communication.
Corollary:
Proof Outline
1. Information-Theoretic Step: Construct an efficient no-signaling MIP for any language in (and scaled up for ).
2. Cryptographic Step: Apply a general transformation:
No-signaling MIP + PIR Delegation
Proof of Technical Result
(High Level Overview)
Proof Sketch
Suppose that can be computed in time and in space .
Construct a no-signaling for .
Our starting point is the [BFLS] PCP.
This talk – we assume
The Provers
Each prover generates the entire tableau of the computation.
[Diagram: the tableau of the computation, with axes $T$ and $S$, running from the input bits to the output bit.]
Every layer is computed by applying gates to the previous layer.
The provers encode the computation via the [BFLS] PCP.
The Provers
Each (honest) prover expects to be queried on a single point in the PCP and answers accordingly.
The Provers
• The verifier generates the PCP queries.
• Randomly permutes the queries and sends them to the provers.
• Also explicitly checks input and output gates.
• Accepts the answers if PCP verifier accepts and input/output gates are correct.
The Verifier
No-Signaling Soundness
Challenges in NS setting:
• Each answer depends on other provers’ queries.
• No low degree test.
• No parallel repetition.
• Cheating provers are randomized.
• Assume that we have a no-signaling cheating prover strategy that succeeds with probability (think of as tiny).
• Once we fix the provers, their answers as RVs are defined, so we can send “crazy” queries and see how they answer.
• Will derive a contradiction.
No-Signaling Soundness
“Reading” a point = query provers on a random line that goes through the point and interpolate answers to get the value.
Reading a Point
Fix some gate of the computation.
Reading a Point
[Diagram: a gate of the tableau with values $X$, $Y$, $Z$.]
Lemma: Can “read a gate” in the tableau so that with probability the 3 values will be “consistent”.
Proof of lemma uses algebraic PCP-like techniques.
Lemma
Simultaneously “read” all points in the tableau.
For every gate, wp by the lemma (and using no-signaling) we get a consistent value
By union bound, wp we get global consistency.
Since we check input/output gates, the verifier must reject.
First Attempt
• Major problem: not enough provers!
• We wanted to query points but we do not have so many provers.
• Number of queries s verifier running time.
First Attempt
Second Attempt
Inputs correct wp
Look at some gate in the second layer.
Consistent wp
Second Attempt
Correct wp
Look at some gate in the second layer.
Second Attempt
By no-signaling still correct wp
Look at some gate in the second layer.
Second Attempt
Similarly, correct wp
Look at neighbor of the gate.
Second Attempt
Both inputs correct wp
Gate at 3rd layer.
Consistent wp
Second Attempt
output correct wp
Gate at 3rd layer.
Second Attempt
• Error grows exponentially in the depth.
• Gives delegation for low-depth computation (already known via [GKR08+KR09]).
Third Attempt
Use provers!
Lower layer correct wp
Upper layer consistent wp
Third Attempt
Use provers!
Correct wp
Third Attempt
By no-signaling still correct wp
Use provers!
Consistent wp
Third Attempt
upper layer is correct wp
Use provers!
Third Attempt
top layer is correct wp
• Number of provers so running time is roughly .
• Gives delegation for languages that can be computed in linear space.
• For construction is more complicated.
Third Attempt
Missing Details…
• Construction for .
• We assumed provers cheat wp (parallel rep. is not known for no-signaling MIP).
• Formalizing “reading” and proving the lemma.
• …
Summary
• Crypto result: Delegation for every language in with time verification (assuming PIR).
• Information-theoretic result: .
Thanks!