Efficient Interactive Proofs for Linear Algebra Christopher Hickey Graham Cormode University of Warwick
Our Model – Streaming Interactive Proofs Data, S, in the Cloud F(S) = ? F(S) Conversation Helper Verifier Completeness An honest helper will ALWAYS F(S) ⊥ convince the verifier Conclusion A dishonest helper will ALMOST Soundness NEVER trick the verifier
Costs in SIPs Interactivity Number of rounds Verifier Memory Working memory of the verifier Communication Total communication sent in both directions Verifier’s Computational complexity of streaming in S Streaming Cost Verifier’s Computational complexity of streaming the Checking Cost conversation Helper Additional work required by the helper Overhead beyond solving the problem
What Costs to Trade Off “Non - interactive” costs “Interactive” costs Verifier Memory Communication Interactivity Verifier's Streaming Cost Verifier's Checking Cost Helper Overhead Rule of thumb: Decreasing a non-interactive cost usually increases some interactive cost, and vice-versa. Our work attempts to see which cost is best to relax in order to minimize the total time of the protocol. We focus on linear algebra, as this is a primitive for many problems, and yields interesting examples.
Warm-up: Inner Product For two vectors of length 𝑜 , ignoring constant factors. [CTY11] [CMT12] Method This Work Binary Sum-Check FFT and LDEs 1 𝑒 log 𝑜 Total Communication 𝑜 𝑒𝑜 “Non - 1 𝑒 interactive ” log 𝑜 Verifier Checking Cost 𝑜 𝑒𝑜 costs Rounds 𝑒 − 1 log 𝑜 1 𝑜 log 𝑜 𝑜 log 𝑜 𝑜 log 𝑜 Helper Overhead “interactive” 𝑒𝑜 1+1 𝑒 Verifier Streaming Cost 𝑜 log 𝑜 𝑜 𝑜 costs 1 𝑒 Verifier Memory log 𝑜 𝑜 𝑒 + 𝑜 𝑒 is a variable parameter from 1 to log 𝑜 determining the number of rounds. Note that if we set 𝑒 = 2 , we get [CMT12], and if we set 𝑒 = log 𝑜 we get [CTY11]. 1 log 𝑜 = 2 𝑜
Matrix Multiplication For two matrices of size 𝑜 × 𝑜 , ignoring constant factors. [Thaler13] [CH18] Method This Work Binary Sum Check Fingerprints 2 𝑒 𝑜 2 log 𝑜 Total Communication 𝑒𝑜 “Non - 𝑜 2 + log 𝑜 2 𝑒 𝑜 2 𝑜 2 + 𝑒𝑜 interactive ” Verifier Checking Cost costs Rounds 𝑒 1 + log 𝑜 1 𝑜 2 log 𝑜 𝑜 2 log 𝑜 1 Helper Overhead 𝑜 2 log 𝑜 “interactive” 𝑜 2 log 𝑜 𝑒𝑜 2+2 𝑒 Verifier Streaming Cost costs 2 𝑒 1 Verifier Memory log 𝑜 𝑒𝑜 𝑒 is a variable parameter from 1 to log 𝑜 determining the number of rounds.
Motivation: Minimizing Total Time Taken Number of rounds considering only communication for Matrix Multiplication that decreases the total time to send all the data over all the rounds. Less interactivity, even with more communication reduces overall time! The question is now how much does this affect the other overheads?
Problem: Given streaming access to two data sets, how can we check they’re the same (with high probability )? Solution: Low Degree Extensions! Consider a polynomial which passes through each data point 𝑗, 𝑤 𝑗 . We index the data via a hypercube 𝑚 𝑒 and create the unique polynomial of degree 𝑚 in 𝑒 variables that passes through each data point. We can evaluate this LDE at a random point in 𝔾 𝑒 LDEs can be used with the powerful sum- as we stream the data! check protocol [LFKN92] to sum a function LDEs share many useful properties, of the elements in a data set. • The probability of two different vectors having the same LDE evaluation at a random point is LDEs are very useful for making efficient very small protocols for inner product and matrix • LDEs have linearity multiplication that use 𝑒 = log 𝑜 and 𝑚 = 2 . • They can be constructed in 𝑃 𝑜𝑚𝑒 time
Problem: Given 𝑣, 𝑤 ∈ 𝔾 𝑜 , how can we check the inner product 𝑣 𝑈 𝑤 ? [CTY11] [CTY11] uses LDEs with 𝑜 = 𝑚 𝑒 , we represent the 𝑒 -variate LDE of 𝑣 by 𝑣 and 𝑤 by 𝑤 . We want to find 𝑜 𝑚−1 𝑚−1 𝑣 𝑈 𝑤 = 𝑣 𝑗 𝑤 𝑗 = ∙∙∙ 𝑣 𝑙 1 , … , 𝑙 𝑒 𝑤 𝑙 1 , … , 𝑙 𝑒 𝑗=1 𝑙 1 =0 𝑙 𝑒 =0 They use a well- known protocol called ‘sum - check’ [LFKN92], a 𝑒 -round protocol in which the prover allows the verifier to check the following sum against a ‘secret’ constructed in the streaming phase 𝑣 𝑠 1 , … , 𝑠 𝑒 𝑤 𝑠 1 , … , 𝑠 𝑒 . The messages the prover sends are degree 2𝑚 polynomials, which the prover can create in time 𝑃 𝑜𝑚𝑒 .
Problem: How were LDEs used to solve inner product? [CTY11] The protocol uses sum-check, this is a 𝑒 -round protocol involving 𝑒 messages of 2𝑚 field elements. Classification Cost (ignoring constant factors) Explanation Interactivity 𝑒 𝑒 rounds 𝑚 + 𝑒 Needs to store 𝑠 , and 𝑚 evaluations of 𝑘 Verifier Memory Communication 𝑚𝑒 𝑒 messages of 2𝑚 field elements Verifier’s 𝑒𝑜 1+1 𝑒 Evaluating 𝑣 𝑠 1 , … , 𝑠 𝑒 𝑤 𝑠 1 , … , 𝑠 𝑒 Streaming Cost Verifier’s 𝑚 evaluations of 𝑘 , 𝑒 times 𝑚𝑒 Checking Cost Helper 𝑜𝑚𝑒 Forming 𝑘 for 𝑘 in 1, 𝑒 Overhead [CTY11] note that using 𝑚 = 2 and 𝑒 = log 𝑜 minimizes many costs, but with the cost of maximum interactivity.
Problem: How can we make [CTY11] variable-round without sacrificing Helper Overhead? [CMT12] introduced a non-interactive protocol that massively reduced the helper overhead to 𝑜 log 𝑜 where the prover uses convolutions and fast fourier transforms. We generalize this result to variable round protocols, as well as implementing a ‘stop - short’ reduction in sum-check to allow the protocol to run in 𝑒 − 1 rounds. Note that even with this adaptation, the memory efficient method is to use 𝑒 = log 𝑜 . We aim to show experimentally that in practice, it’s often most time efficient to use as much memory as you have available. However, the main motivation behind this protocol is how we can use it as a primitive for other protocols.
Problem: Vector-Matrix-Vector Multiplication A first example of how to use this primitive is a nifty algebraic trick for multiplying two vectors 𝑣, 𝑤 ∈ 𝔾 𝑜 and 𝐵 ∈ 𝔾 𝑜×𝑜 we can verify 𝑣 𝑈 𝐵𝑤 by considering 𝑜 𝑜 𝑣 𝑈 𝐵𝑤 = 𝑣 𝑗 𝐵 𝑗𝑘 𝑤 𝑘 = 𝑣𝑤 𝑈 𝑤𝑓𝑑 ∙ 𝐵 𝑤𝑓𝑑 𝑗=1 𝑘=1 Where the subscript 𝑤𝑓𝑑 refers to a canonical transformation from a matrix to a vector. Using the inner product protocol on the LDEs of 𝐵 and 𝑣𝑤 𝑈 gives us a protocol with communication and space costs O 𝑚 2 𝑒 and 𝑒 rounds. (𝑠 Note we can use the inner product protocol as we can construct 𝑣𝑤 𝑈 1 , 𝑠 2 ) using 𝑣 𝑠 1 𝑤 𝑠 2 .
Problem: Matrix Multiplication For matrices A, B ∈ 𝔾 𝑜×𝑜 we will have to For a vector v ∈ 𝔾 𝑜 , the fingerprint verify that a sent matrix is correct, not of 𝑤 with respect to 𝑦 ∈ 𝑆 𝔾 is: just a scalar. 𝑜−1 𝑦 𝑤 = 𝑤 𝑗 𝑦 𝑗 𝑔 [Thaler13] uses LDEs for verification, and 𝑗=0 uses log 𝑜 rounds and the inner product Fingerprints have the property definition of matrix multiplication. 𝑦 𝑣 𝑈 𝑤 = 𝑔 𝑦 𝑜 𝑣 𝑔 𝑔 𝑦 𝑤 [CH18]. We use fingerprints in conjunction with our inner product protocol, however We define fingerprints for matrices implement the outer-product definition analogously. of matrix multiplication.
Problem: Matrix Multiplication For matrices A, B ∈ 𝔾 𝑜×𝑜 we will have to verify that a sent matrix is correct, not just a scalar. Fingerprints are useful with the following identity ↓ 𝑜 𝑔 𝑦 𝑜 𝐵 1 ↓ 𝑔 → → → 𝑦 𝐵𝐶 = 𝑔 𝑦 𝑜 𝐵 𝑗 𝑔 𝑦 𝐶 𝑗 = ∙ 𝑔 𝑦 𝐶 1 ⋯ 𝑔 𝑦 𝐶 𝑜 ⋮ ↓ 𝑔 𝑦 𝑜 𝐵 𝑜 𝑗=1 To use our inner product protocol, the verifier simply needs to be able to find the LDE of these two vectors at a random point, which it can using the linearity of fingerprints and LDEs.
Recommend
More recommend
