Interactive Verifiable Polynomial Evaluation Saeid Sahraei, Mohammad Ali Maddah-Ali and Salman Avestimehr ISIT, June 2020
Motivation • Cloud computing enables users to delegate computationally heavy tasks to commercial servers. • But, how can we trust that the service providers do the actual computations? • The users must also be able to detect adversarial behaviors. User Server (verifier) 𝑔 ⋅ , 𝑦 (prover) መ 𝑔(𝑦) Verify that መ 𝑔 𝑦 = 𝑔(𝑦)
(Interactive) Verifiable Computation • The function 𝑔 𝑦 is publicly known. • The user (verifier) is interested in learning the User Server One-time (verifier) (prover) initialization evaluation of 𝑔(⋅) at 𝑦 ∈ {𝑦 0 , 𝑦 1 , ⋯ } . Query • The user is computationally weak. He can Response Query only perform a one-time heavy initialization. Response ⋯ • He delegates the task to a server (prover). The user learns 𝑔(𝑦 0 ) reliably Query • The server provides 𝑔 𝑦 0 and convinces Response the user of correctness of the result in an Query Response interactive fashion. Similarly, for 𝑔 𝑦 1 , ⋯ ⋯ The user learns 𝑔(𝑦 1 ) reliably ⋯
Main performance criteria • Completeness : If the prover is honest, the verifier should accept the result with probability 1. • Soundness : If the prover is dishonest, the verifier should reject the result with high probability. • Efficient initialization: The verifier can perform a one-time initialization and store the outcome for future reference. Complexity of this phase should be comparable to the complexity of computing 𝑔 𝑦 . • Super-Efficient verifier: The complexity of verifier should be negligible compared to the complexity of computing 𝑔 𝑦 . • Efficient prover: The complexity of the prover should be comparable to the complexity of computing 𝑔 𝑦 . • Small round complexity : the number of rounds of interaction between the prover and the verifier must be small.
Related Work • Interactive Proofs (information-theoretic): • Lund’90, Shamir’90: Interactive proof for the sum -check problem, IP = PSPACE • Rothblum’13, Goldwasser‘15: Interactive proofs with super -efficient verifier • Verifiable computation for generic functions (non-interactive, amortized model, rely on hardness assumptions) : • Parno ’13, Gennaro ’13: based on Quadratic Arithmetic Programs • Killian’ 92: based on Probabilistically Checkable Proofs • Verifiable computation for Specific Functions (more practical at the expense of generality): • Verifier Polynomial Evaluation (Benabbas’11, Fiore’12, Papamanthou ’13, Elkhiaouyi’16, Sahraei’20) • Matrix Multiplication (Fiore’12, Zhang’17, Elkhiyaoui’16) • Modular Exponentiation(Chen’14)
Summary of the results We propose a (interactive) verifiable polynomial evaluation algorithm with initialization complexity of O(d 1+ϵ ) , verifier complexity of O(d ϵ ) , prover complexity of O(d 1+ϵ ) , and round complexity of O(log d) which satisfies the completeness and soundness properties. Algorithm Security Initialization Verifier Prover Round complexity Complexity Complexity Complexity 𝑃(𝑒) 𝑃(log 𝑒) 𝑃(𝑒) 𝑃(1) Ben. ’11 limited Fiore ‘12 limited 𝑃(𝑒) 𝑃(1) 𝑃(𝑒) 𝑃(1) Elkhiy . ’16 limited 𝑃(𝑒) 𝑃(1) 𝑃(𝑒) 𝑃(1) INTERPOL ‘19 Information 𝑃(𝑒) 𝑃(𝑒) 𝑃(1) 𝑃( 𝑒) Theoretic 𝑃(𝑒 1+𝜗 ) 𝑃(𝑒 𝜗 ) 𝑃(𝑒 1+𝜗 ) 𝑃(log 𝑒) This work Information Theoretic 𝑒 − 1 : degree of the polynomial
Initial Observations • Let 𝑔 𝑦 = 𝑏 0 + ⋯ + 𝑏 𝑒−1 𝑦 𝑒−1 be the polynomial of interest, where 𝑏 𝑗 ∈ 𝔾 𝑟 and suppose 𝑒 is even. Define 𝑒 • 𝑔 0 𝑧 = 𝑏 0 + 𝑏 2 𝑧 + ⋯ 𝑏 𝑒−2 𝑧 2 −1 𝑒 • 𝑔 1 𝑧 = 𝑏 1 + 𝑏 3 𝑧 + ⋯ 𝑏 𝑒−1 𝑧 2 −1 • Note that both 𝑔 0 (𝑧) and 𝑔 1 (𝑧) are of degree 𝑒 2 − 1 . Furthermore, • 𝑔 𝑦 = 𝑔 0 𝑧 + 𝑦 𝑔 1 𝑧 if 𝑧 = 𝑦 2 . • The verifier will reduce the problem of verifying 𝑔 𝑦 to the easier problem of verifying 𝑔 0 (𝑧) and 𝑔 1 𝑧 .
Strawman approach 𝑔 𝑦 = 𝑏 0 + 𝑏 1 𝑦 + 𝑏 2 𝑦 2 + ⋯ 𝑔 0 𝑧 = 𝑏 0 + 𝑏 2 𝑧 + 𝑏 4 𝑧 2 + ⋯ 𝑔 1 𝑧 = 𝑏 1 + 𝑏 3 𝑧 + 𝑏 5 𝑧 2 + ⋯ Prover provides መ 𝑔(𝑦) , 𝑔 0,0 𝑨 = 𝑏 0 + 𝑏 4 𝑨 + 𝑏 8 𝑨 2 + ⋯ 𝑔 0 (𝑧) and መ 𝑔 1 (𝑧) መ 𝑔 0,1 𝑨 = 𝑏 2 + 𝑏 6 𝑨 + 𝑏 10 𝑨 2 + ⋯ 𝑔 0 (𝑧) 𝑔 1 (𝑧) መ Verifier checks if መ 𝑔 1,0 𝑨 = 𝑏 1 + 𝑏 5 𝑨 + 𝑏 9 𝑨 2 + ⋯ 𝑔 0 𝑧 + 𝑦 መ 𝑔 1 (𝑧) 𝑔 𝑦 = መ መ 𝑔 1,1 𝑨 = 𝑏 3 + 𝑏 7 𝑨 + 𝑏 11 𝑨 2 + ⋯ If not, he rejects the result 𝑧 = 𝑦 2 , 𝑨 = 𝑧 2 , ⋯ Prover provides Prover provides 𝑔 0,0 (𝑨) and መ 𝑔 0,1 (𝑨) 𝑔 1,0 (𝑨) and መ 𝑔 1,1 (𝑨) መ መ 𝑔 0,1 (𝑧) 𝑔 0,0 (𝑧) መ መ 𝑔 1,0 (𝑧) 𝑔 1,1 (𝑧) መ መ Verifier checks if Verifier checks if 𝑔 (1) 𝑧 = መ 𝑔 1,0 𝑨 + 𝑧 መ 𝑔 1,1 (𝑨) 𝑔 (0) 𝑧 = መ 𝑔 0,0 𝑨 + 𝑧 መ 𝑔 0,1 (𝑨) መ መ If not, he rejects the result If not, he rejects the result ⋯ ⋯ ⋯ ⋯ 𝑔 𝑐 1 ,⋯,𝑐 𝑠 ⋅ = 𝑏 𝑗 , where 𝑗 = 𝑐 1 2 0 + ⋯ + 𝑐 𝑠 2 𝑠−1 . After 𝑠 = log 𝑒 iterations, the verifier checks, for every 𝑐 1 , ⋯ , 𝑐 𝑠 , if መ
Analysis of the strawman approach • Completeness: • If the prover is honest, all the verifications will trivially pass and the verifier will accept the result. • Soundness: • Suppose the prover lies about the evaluation of 𝑔 at 𝑦 . Namely, መ 𝑔 𝑦 ≠ 𝑔 𝑦 . 𝑔 0 𝑧 ≠ • In order to pass the first level verification, he must either provide መ 𝑔 1 𝑧 ≠ 𝑔 (1) (𝑧) . 𝑔 (0) (𝑧) or መ 𝑔 0,0 𝑧 ≠ • In order to pass the second level verification, he must either provide መ 𝑔 0,0 𝑧 , መ 𝑔 0,1 𝑧 ≠ 𝑔 (0,1) (𝑧) , መ 𝑔 1,0 𝑧 ≠ 𝑔 (1,0) (𝑧) or መ 𝑔 1,1 𝑧 ≠ 𝑔 1,1 𝑧 and so on. • After log 𝑒 steps each polynomial is a constant which the verifier can check against the coefficients of original polynomial, 𝑔(𝑦) . • Verifier complexity: • The number of verifications grows exponentially by the depth of the tree. The verifier runs in O 2 𝑠 = 𝑃(𝑒) .
Improving the complexity with MDS codes Prover provides መ 𝑔 (𝑦) and 𝑔 𝑦 = 𝑏 0 + 𝑏 1 𝑦 + 𝑏 2 𝑦 2 + ⋯ Verifier checks if the systematic symbols 𝑔 0 𝑧 + 𝑦 መ 𝑔 1 (𝑧) 𝑔 𝑦 = መ መ 𝑔 0 𝑧 = 𝑏 0 + 𝑏 2 𝑧 + 𝑏 4 𝑧 2 + ⋯ for the next codeword If not, he rejects the result 𝑔 1 𝑧 = 𝑏 1 + 𝑏 3 𝑧 + 𝑏 5 𝑧 2 + ⋯ 𝑔 0 (𝑧) 𝑔 1 (𝑧) መ መ 𝑔 0,0 𝑨 = 𝑏 0 + 𝑏 4 𝑨 + 𝑏 8 𝑨 2 + ⋯ 𝑔 0,1 𝑨 = 𝑏 2 + 𝑏 6 𝑨 + 𝑏 10 𝑨 2 + ⋯ 𝑔 1,0 𝑨 = 𝑏 1 + 𝑏 5 𝑨 + 𝑏 9 𝑨 2 + ⋯ MDS code 𝑔 1,1 𝑨 = 𝑏 3 + 𝑏 7 𝑨 + 𝑏 11 𝑨 2 + ⋯ 𝑔 𝑐 𝑧 = 𝑎 0 (𝛽 𝑐 ) መ 𝑔 0 𝑧 + 𝑎 1 (𝛽 𝑐 ) መ 𝑔 1 (𝑧) መ 𝑧 = 𝑦 2 , 𝑨 = 𝑧 2 , ⋯ Verifier randomly chooses a codeword symbol and reveals the index to the prover 𝑎 0 𝛾 = 𝛾 − 𝛽 1 𝛽 0 − 𝛽 1 Index = 4 𝑎 1 𝛾 = 𝛾 − 𝛽 0 Verifier checks if Prover provides the 𝑔 4 𝑧 = መ 𝑔 4,0 𝑨 + 𝑧 መ 𝑔 4,1 (𝑨) መ 𝛽 1 − 𝛽 0 systematic symbols for If not, he rejects the result the next codeword 𝑔 4,1 (𝑨) 𝑔 4,0 (𝑨) መ መ ⋯ MDS code ⋯
Final step: checking against a look-up table 𝑦 𝑒 = 𝑔 𝑐 1 ,⋯,𝑐 𝑠 𝑦 𝑒 . • After 𝑠 = log 𝑒 rounds, the verifier must check if መ 𝑔 𝑐 1 ,⋯,𝑐 𝑠 • In each iteration, the degree of the polynomial is divided by 2. 𝑔 𝑐 1 ,⋯,𝑐 𝑠 ⋅ is a constant! Can be computed in advance and stored in a look-up table. • Size of the table is 𝑜 𝑠 where 𝑜 is the block-length of the MDS code. • Example look-up table for 𝑒 = 4 . Row 𝑗 , column 𝑘 represents 𝑔 𝑗,𝑘 ⋅ . 𝑏 0 𝑎 0 𝛽 0 𝑎 1 𝛽 0 + 𝑏 1 𝑎 0 𝛽 0 𝑎 1 𝛽 0 + 𝑏 0 𝑎 0 𝛽 1 𝑎 1 𝛽 0 + 𝑏 1 𝑎 0 𝛽 1 𝑎 1 𝛽 0 + 𝑏 0 𝑎 0 𝛽 2 𝑎 1 𝛽 0 + 𝑏 1 𝑎 0 𝛽 2 𝑎 1 𝛽 0 + 𝑏 2 𝑎 1 𝛽 0 𝑎 0 𝛽 0 + 𝑏 3 𝑎 1 𝛽 0 𝑎 1 (𝛽 0 ) 𝑏 2 𝑎 1 𝛽 1 𝑎 0 𝛽 0 + 𝑏 3 𝑎 1 𝛽 1 𝑎 1 (𝛽 0 ) 𝑏 2 𝑎 1 𝛽 2 𝑎 0 𝛽 0 + 𝑏 3 𝑎 1 𝛽 2 𝑎 1 (𝛽 0 ) 𝑏 0 𝑎 0 𝛽 0 𝑎 1 𝛽 1 + 𝑏 1 𝑎 0 𝛽 0 𝑎 1 𝛽 1 + 𝑏 0 𝑎 0 𝛽 1 𝑎 1 𝛽 1 + 𝑏 1 𝑎 0 𝛽 1 𝑎 1 𝛽 1 + 𝑏 0 𝑎 0 𝛽 2 𝑎 1 𝛽 1 + 𝑏 1 𝑎 0 𝛽 2 𝑎 1 𝛽 1 + ⋯ 𝑏 2 𝑎 1 𝛽 0 𝑎 0 𝛽 1 + 𝑏 3 𝑎 1 𝛽 0 𝑎 1 (𝛽 1 ) 𝑏 2 𝑎 1 𝛽 1 𝑎 0 𝛽 1 + 𝑏 3 𝑎 1 𝛽 1 𝑎 1 (𝛽 1 ) 𝑏 2 𝑎 1 𝛽 2 𝑎 0 𝛽 1 + 𝑏 3 𝑎 1 𝛽 2 𝑎 1 (𝛽 1 ) 𝑏 0 𝑎 0 𝛽 0 𝑎 1 𝛽 2 + 𝑏 1 𝑎 0 𝛽 0 𝑎 1 𝛽 2 + 𝑏 0 𝑎 0 𝛽 1 𝑎 1 𝛽 2 + 𝑏 1 𝑎 0 𝛽 1 𝑎 1 𝛽 2 + 𝑏 0 𝑎 0 𝛽 2 𝑎 1 𝛽 0 + 𝑏 1 𝑎 0 𝛽 2 𝑎 1 𝛽 2 + 𝑏 2 𝑎 1 𝛽 0 𝑎 0 𝛽 2 + 𝑏 3 𝑎 1 𝛽 0 𝑎 1 (𝛽 2 ) 𝑏 2 𝑎 1 𝛽 1 𝑎 0 𝛽 2 + 𝑏 3 𝑎 1 𝛽 1 𝑎 1 (𝛽 2 ) 𝑏 2 𝑎 1 𝛽 2 𝑎 0 𝛽 0 + 𝑏 3 𝑎 1 𝛽 2 𝑎 1 (𝛽 2 ) ⋯
Recommend
More recommend