Delegation with Updatable Unambiguous Proofs and PPAD-Hardness
Lisa Yang, MIT
Based on joint work with Yael Tauman Kalai and Omer Paneth
Delegation
time π computation π π¦ = ?
π(π¦) = y, Proof Π
π checks Π in time ≪ π
Can verifying be faster than computing?
Publicly Verifiable Delegation
π·ππ, π(π¦) = y, Proof Π
Prior Work: Publicly Verifiable Delegation
Strong assumptions
• Random Oracle Model [Micali94]
• Knowledge assumptions [Groth10, Lipmaa12, Gennaro-Gentry-Parno-Raykova12, Bitansky-Canetti-Chiesa-Tromer12, Bitansky-Chiesa-Ishai-Ostrovsky-Paneth13…]
• Indistinguishability Obfuscation [Bitansky-Sanjam-Lin-Pass-Telang14, Canetti-Holmgren-Jain-Vaikuntanathan14, Koppula-Lewko-Waters14, Canetti-Holmgren16, Chen-Chow-Chung-Lai16]
• Multilinear maps [Paneth-Rothblum17]
Delegation for bounded-depth circuits via Fiat-Shamir
• Optimal security of LWE [Canetti-Chen-Holmgren-Lombardi-Rothblum-Rothblum-Wichs19]
• Sub-exponential LWE [Kalai-Zhang20]
Delegation for polynomial-time computations
• Bilinear groups [Kalai-Paneth-Y19]
Updatable Proofs [Valiant08]
Consider a long computation π· 0 → π· π carried out over πΆ iterations
Updatable Proofs: update Π π into Π π+1
Want the proof update to take time ~ computation performed
Want proofs to remain succinct
[Bitansky-Canetti-Chiesa-Tromer13] using SNARKs (based on strong assumptions)
[Diagram: states π· 0, …, π· π π, π· π π+1, …, π· π with proofs Π π, Π π+1]
Unambiguous Proofs
π·ππ, π(π¦) = y, Proofs Π ≠ Π′
Unambiguous Proofs: π∗(π·ππ) cannot output Π ≠ Π′ for the same statement π π¦ = π§ (except with negligible probability over π·ππ) [Reingold-Rothblum-Rothblum]
Our Results: Delegation
Delegation with updatable and unambiguous proofs based on the decisional bilinear group assumption [Kalai-Paneth-Y19]:
For a bilinear group π» of order π = 2 Ξ(π) and π½ = π(log π), given for random π ∈ π» and π‘ ∈ ℤ π it is hard to distinguish whether π’ = π‘ 2π½+1 or π’ is an independent random element in ℤ π.
Our Results: PPAD-Hardness
[Choudhuri-Hubacek-Kamath-Pietrzak-Rosen-Rothblum 19]
PPAD-Hardness based on:
1. The quasi-polynomial hardness of KPY's bilinear group assumption
2. Any hard language π decidable in super-polynomial time (and polynomial space)
• For example, the hardness of SAT for sub-exponential size circuits (non-uniform ETH) suffices
Related Work: PPAD-Hardness
Strong assumptions
• Indistinguishability Obfuscation [Abbott-Kane-Valiant04, Bitansky-Paneth-Rosen15, Hubacek-Yogev17]
• Functional Encryption assumptions [Garg-Pandey-Srinivasan16, Komargodski-Segev17]
Fiat-Shamir interactive protocol for a particular language
• Security of Fiat-Shamir/Optimal security of LWE [Choudhuri-Hubacek-Kamath-Pietrzak-Rosen-Rothblum19, Ephraim-Freitag-Komargodski-Pass19]
• Sub-exponential LWE [Lombardi-Vaikuntanathan20, Kalai-Zhang20, Jawale-Khurana20]
Polynomial Local Search (PLS) Hardness [Bitansky-Gerichter20]
1. Delegation with Updatable Proofs
• Use recursive proof composition
• Without strong assumptions!
Local extraction [Kalai-Paneth-Y19]
1. Delegation with Updatable Proofs
Π : π· 0 → π· π
Update Π: append proof for computation performed
Proof grows!! Π contains πΆ proofs Π π : π· π π−1 → π· π π
πππ ππ π· π π−1 , Π π , π· π π π∈[πΆ] replaces this with π· 0 , Π′, π· π πΆ
|Π′| ≪ |Π 1| + ⋯ + |Π πΆ|
Local extraction nondeterministic suffices!
[Diagram: states π· 0, π· π 1, π· π 2, …, π· π πΆ; proofs Π 1, Π 2, …, Π πΆ; Verify Π 1, Verify Π 2, …, Verify Π πΆ; Π′]
KPY Delegation
π checks Π using Zero-Test [Paneth-Rothblum17]
[Diagram: π·ππ (homomorphic encryption π 1 π π); statement π π¦ = π§; Π = ? π 1 π π π; π = πΊ(π); π¦; encoded computation tableau]
2. Delegation with Unambiguous Proofs
• Observation: need to use encryption with unambiguity property
• Unambiguity of Ciphertexts: any π∗(π·ππ) cannot generate two different ciphertexts that encrypt the same message
  • π∗ β π = π π , π′ = π π′ such that π π‘ = π′ π‘ = π
• KPY Encryption:
  • π‘π = π‘ ∈ πΎ
  • π = π π ∈ πΎ[π¦]
  • π π‘ = π
• Unambiguous Proofs: suffices to ensure unambiguity of answers
2. Unambiguity of Answers
• [Kalai-Raz-Rothblum14] for π ∈ {0,1}^ℓ answers are unambiguous
• Need unambiguous answers for π ∈ πΎ^ℓ
• Observation: If π evaluates a multilinear polynomial then can show unambiguity of answers for every π ∈ πΎ^ℓ
• Idea: Ask π to send a "proof of multilinearity" for his evaluated ciphertexts
Notion of local multilinearity!
[Diagram labels: π§, π, π¦, π = πΊ(π)]
Proof of Local Multilinearity
• π homomorphically evaluates πΊ(π 1 … π ℓ)
• First attempt: ask π for the restriction of πΊ in each coordinate
  Evaluate encryptions of (π΅ π , πΆ π ) such that πΊ(π) = π΅ π ⋅ π π + πΆ π
  π checks consistency using the Zero-Test
• Problem: π∗ can compute (π΅ π , πΆ π ) using πΉππ(π π )
• Idea: encrypt π again without π'th coordinate
  Ask π for π΅ π′, πΆ π′
• Test that (π΅ π , πΆ π ) = (π΅ π′, πΆ π′)
"Proof of Equality": π evaluated same function on both encryptions
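The consistency check from the "Proof of Local Multilinearity" slide, as an added plaintext illustration (not code from the talk or from the KPY construction): no encryption or Zero-Test is modelled. The prime P, the query point Z, the two sample polynomials and the names honest/cheater are assumptions of this example, and (a, b) stands for the pair the slide asks the prover for.

```python
# Added illustration, not from the talk: the multilinearity check in the clear.
P = 2**61 - 1          # prime field modulus (assumption of this example)
Z = [5, 7, 9]          # constructed query point, deliberately outside {0,1}

def multilinear(z):
    """Degree <= 1 in every coordinate."""
    return (3*z[0]*z[1]*z[2] + 5*z[0]*z[2] + 7*z[1] + 11) % P

def not_multilinear(z):
    """Degree 2 in coordinate 0, degree 1 in the others."""
    return (z[0]*z[0]*z[1] + 4*z[2] + 1) % P

def honest(g, z, i):
    """Restriction of g to coordinate i: g(z) = a*z_i + b. Never reads z[i]."""
    lo = g(z[:i] + [0] + z[i+1:])
    hi = g(z[:i] + [1] + z[i+1:])
    return (hi - lo) % P, lo

def cheater(g, z, i):
    """Makes the consistency check hold for any g when z[i] is visible."""
    if z[i] is None:               # coordinate hidden: can only interpolate
        return honest(g, z, i)
    return 0, g(z)                 # a = 0, b = g(z): the pair depends on z_i

def first_attempt(g, z, i, prover):
    """Verifier accepts if the evaluated value equals a*z_i + b."""
    a, b = prover(g, z, i)
    return g(z) == (a * z[i] + b) % P

def with_equality_test(g, z, i, prover):
    """Second query hides coordinate i; both answers must agree."""
    hidden = z[:i] + [None] + z[i+1:]
    a, b = prover(g, z, i)
    if (a, b) != prover(g, hidden, i):
        return False
    return g(z) == (a * z[i] + b) % P

if __name__ == "__main__":
    for g in (multilinear, not_multilinear):
        for prover in (honest, cheater):
            print(g.__name__, prover.__name__,
                  [first_attempt(g, Z, i, prover) for i in range(3)],
                  [with_equality_test(g, Z, i, prover) for i in range(3)])
```

At coordinate 0 the degree-2 function passes the first attempt with the cheating pair but is rejected once the pair must match an answer computed without that coordinate. At coordinates 1 and 2, where the function is linear, the honest pair still passes, which is the sense in which the check is local.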
Delegation with Updatable Unambiguous Proofs
Not done yet…
To show unambiguity of entire proof:
• Unambiguity of other ciphertexts in KPY proof
• Unambiguity of ciphertexts we added (Equality and Multilinearity proofs)
• Show unambiguity preserved in recursive proof composition (Updatable proofs)
Summary
• Our Results:
  • Delegation with updatable and unambiguous proofs based on the KPY bilinear group assumption
  • PPAD-Hardness based on the quasi-polynomial hardness of the KPY bilinear group assumption (and any hard language)
  Standard assumptions!
• Power of local proofs:
  • recursive proof composition (updatable proofs)
  • proof of multilinearity (unambiguous proofs)
Thank you! lisayang@mit.edu