Lin inear Multi-Prover In Interactive Proofs Dan Boneh, Yuval - PowerPoint PPT Presentation

Quasi-Optimal SNARGs via ia Lin inear Multi-Prover In Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu

Non-Interactive Arguments for NP ℒ 𝐷 = 𝑦 ∶ 𝐷 𝑦, 𝑥 = 1 for some 𝑥 𝜌 𝑄(𝑦, 𝑥) 𝑊(𝑦) accept / reject Completeness: 𝐷 𝑦, 𝑥 = 1 ⟹ Pr 𝑄 𝑦, 𝑥 , 𝑊 𝑦 = 1 = 1 Soundness: for all provers 𝑄 ⋆ of size 2 𝜇 ( 𝜇 is a security parameter): 𝑦 ∉ ℒ 𝐷 ⟹ Pr 𝑄 ⋆ 𝑦 , 𝑊 𝑦 = 1 ≤ 2 −𝜇

Succinct Non-Interactive Arguments (SNARGs) ℒ 𝐷 = 𝑦 ∶ 𝐷 𝑦, 𝑥 = 1 for some 𝑥 𝜌 𝑄(𝑦, 𝑥) 𝑊(𝑦) accept / reject Argument system is succinct if: • Prover communication is poly 𝜇 + log 𝐷 • 𝑊 can be implemented by a circuit of size poly 𝜇 + 𝑦 + log 𝐷 Verifier complexity significantly smaller than classic NP verifier

Succinct Non-Interactive Arguments (SNARGs) Instantiation: “CS proofs” in the random oracle model [Mic94] 𝜌 𝑄(𝑦, 𝑥) 𝑊(𝑦) Argument consists of a single message accept / reject

Succinct Non-Interactive Arguments (SNARGs) Setup 1 𝜇 Can consider publicly- common reference verification verifiable and secretly- string (CRS) state verifiable SNARGs 𝜏 𝜐 Preprocessing SNARGs: allow “expensive” setup 𝜌 𝑄(𝜏, 𝑦, 𝑥) 𝑊(𝜐, 𝑦) Argument consists of a single message accept / reject

Complexity Metrics for SNARGs Soundness: for all provers 𝑄 ⋆ of size 2 𝜇 : 𝑦 ∉ ℒ 𝐷 ⟹ Pr 𝑄 ⋆ 𝑦 , 𝑊 𝑦 = 1 ≤ 2 −𝜇 How short can the proofs be? Even in the designated- 𝜌 = Ω 𝜇 verifier setting [See paper for details] How much work is needed to generate the proof? 𝑄 = Ω 𝐷

Quasi-Optimal SNARGs Soundness: for all provers 𝑄 ⋆ of size 2 𝜇 : 𝑦 ∉ ℒ 𝐷 ⟹ Pr 𝑄 ⋆ 𝑦 , 𝑊 𝑦 = 1 ≤ 2 −𝜇 A SNARG (for Boolean circuit satisfiability) is quasi-optimal if it satisfies the following properties: • Quasi-optimal succinctness: = ෨ 𝜌 = 𝜇 ⋅ polylog 𝜇, 𝐷 𝑃(𝜇) • Quasi-optimal prover complexity: 𝑄 = ෨ 𝑃 𝐷 + poly(𝜇, log 𝐷 )

Quasi-Optimal SNARGs Prover Proof Construction Complexity Size Assumption ෨ ෨ 𝑃(𝜇 2 ) 𝑃( 𝐷 ) Random Oracle CS Proofs [Mic94] ෨ ෨ 𝑃(𝜇 𝐷 ) 𝑃(𝜇) Groth [Gro16] Generic Group 𝑃(𝜇 𝐷 2 + 𝐷 𝜇 2 ) ෨ ෨ Groth [Gro10] 𝑃(𝜇) Knowledge of Exponent ෨ ෨ GGPR [GGPR12] 𝑃(𝜇 𝐷 ) 𝑃(𝜇) ෨ ෨ BCIOP (Pairing) [BCIOP13] 𝑃(𝜇 𝐷 ) 𝑃(𝜇) Linear-Only Encryption Linear-Only ෨ ෨ BISW (LWE/RLWE) [BISW17] 𝑃(𝜇 𝐷 ) 𝑃(𝜇) Vector Encryption

For simplicity, we ignore low order Quasi-Optimal SNARGs terms poly 𝜇, log 𝐷 Prover Proof Construction Complexity Size Assumption ෨ ෨ 𝑃(𝜇 2 ) 𝑃( 𝐷 ) Random Oracle CS Proofs [Mic94] ෨ ෨ 𝑃(𝜇 𝐷 ) 𝑃(𝜇) Groth [Gro16] Generic Group 𝑃(𝜇 𝐷 2 + 𝐷 𝜇 2 ) ෨ ෨ Groth [Gro10] 𝑃(𝜇) Knowledge of Exponent ෨ ෨ GGPR [GGPR12] 𝑃(𝜇 𝐷 ) 𝑃(𝜇) ෨ ෨ BCIOP (Pairing) [BCIOP13] 𝑃(𝜇 𝐷 ) 𝑃(𝜇) Linear-Only Encryption Linear-Only ෨ ෨ BISW (LWE/RLWE) [BISW17] 𝑃(𝜇 𝐷 ) 𝑃(𝜇) Vector Encryption

For simplicity, we ignore low order Quasi-Optimal SNARGs terms poly 𝜇, log 𝐷 Prover Proof Construction Complexity Size Assumption ෨ ෨ 𝑃(𝜇 2 ) 𝑃( 𝐷 ) Random Oracle CS Proofs [Mic94] ෨ ෨ 𝑃(𝜇 𝐷 ) 𝑃(𝜇) Groth [Gro16] Generic Group 𝑃(𝜇 𝐷 2 + 𝐷 𝜇 2 ) ෨ ෨ Groth [Gro10] 𝑃(𝜇) Knowledge of Exponent ෨ ෨ GGPR [GGPR12] 𝑃(𝜇 𝐷 ) 𝑃(𝜇) ෨ ෨ BCIOP (Pairing) [BCIOP13] 𝑃(𝜇 𝐷 ) 𝑃(𝜇) Linear-Only Encryption Linear-Only ෨ ෨ BISW (LWE/RLWE) [BISW17] 𝑃(𝜇 𝐷 ) 𝑃(𝜇) Vector Encryption Linear-Only ෨ ෨ 𝑃 𝐷 𝑃(𝜇) This work Vector Encryption

This Work New framework for building preprocessing SNARGs (following [BCIOP13, BISW17] ) Step 1 (information-theoretic): • Linear multi-prover interactive proofs (linear MIPs) • This work: first construction of a quasi-optimal linear MIP Step 2 (cryptographic): • Linear-only vector encryption to simulate linear MIP model • This work: linear MIP ⟹ preprocessing SNARG Results yield the first quasi-optimal SNARG (from linear-only vector encryption over rings)

Linear PCPs [IKO07] 𝑦, 𝑥 PCP where the proof oracle implements a linear function 𝜌 ∈ 𝔾 𝑛 𝜌 ∈ 𝔾 𝑛 In these instantiations, 𝑟 ∈ 𝔾 𝑛 verifier is oblivious (queries independent of statement) 𝑟, 𝜌 ∈ 𝔾 Several possible instantiations: based on the Walsh-Hadamard code [ALMSS92] or quadratic span programs [GGPR13] Verifier

From Linear PCPs to SNARGs [BCIOP13] Verifier encrypts its queries using a linear-only encryption scheme 𝑅 = 𝑟 1 𝑟 2 𝑟 3 𝑟 𝑙 ⋯ part of the CRS

From Linear PCPs to SNARGs [BCIOP13] Encryption scheme that only supports linear homomorphism Verifier encrypts its queries using a linear-only encryption scheme 𝑅 = 𝑟 1 𝑟 2 𝑟 3 𝑟 𝑙 ⋯ part of the CRS

From Linear PCPs to SNARGs [BCIOP13] Verifier encrypts its queries using Prover constructs linear a linear-only encryption scheme PCP 𝜌 from (𝑦, 𝑥) 𝑦, 𝑥 𝑅 = 𝑟 1 𝑟 2 𝑟 3 𝑟 𝑙 ⋯ 𝜌 ∈ 𝔾 𝑛 Prover homomorphically computes responses to linear PCP queries part of the CRS ⟨𝜌, 𝑟 1 ⟩ ⟨𝜌, 𝑟 2 ⟩ ⋯ ⟨𝜌, 𝑟 𝑙 ⟩ SNARG proof

From Linear PCPs to SNARGs [BCIOP13] Verifier encrypts its queries using Prover constructs linear Evaluating inner product requires a linear-only encryption scheme PCP 𝜌 from (𝑦, 𝑥) Ω 𝐷 homomorphic operations; prover complexity: 𝑦, 𝑥 Ω 𝜇 ⋅ Ω 𝐷 = Ω 𝜇 𝐷 𝑅 = 𝑟 1 𝑟 2 𝑟 3 𝑟 𝑙 We pay Ω(𝜇) for each ⋯ 𝜌 ∈ 𝔾 𝑛 homomorphic operation. Can we reduce this? Prover homomorphically computes Proof consists of a constant responses to linear PCP queries number of ciphertexts: total length part of the CRS ⟨𝜌, 𝑟 1 ⟩ ⟨𝜌, 𝑟 2 ⟩ ⋯ ⟨𝜌, 𝑟 𝑙 ⟩ 𝑃(𝜇) bits SNARG proof

Linear-Only Encryption over Rings ℓ Τ Consider encryption scheme over a polynomial ring 𝑆 𝑞 = ℤ 𝑞 𝑦 Φ ℓ 𝑦 ≅ 𝔾 𝑞 ′ 𝑦 1 𝑦 1 𝑦 1 + 𝑦 1 ′ ′ ′ 𝑦 2 𝑦 2 𝑦 2 + 𝑦 2 Homomorphic operations correspond to component-wise ′ ′ 𝑦 3 𝑦 3 𝑦 3 + 𝑦 3 additions and scalar multiplications ⋮ ⋮ ⋮ ′ ′ 𝑦 ℓ 𝑦 ℓ 𝑦 ℓ + 𝑦 ℓ Using RLWE-based encryption schemes, can Plaintext space can be viewed encrypt ℓ = ෨ 𝑃(𝜇) field elements ( 𝑞 = poly 𝜇 ) as a vector of field elements with ciphertexts of size ෨ 𝑃(𝜇)

Linear-Only Encryption over Rings ℓ Τ Consider encryption scheme over a polynomial ring 𝑆 𝑞 = ℤ 𝑞 𝑦 Φ ℓ 𝑦 ≅ 𝔾 𝑞 ′ 𝑦 1 𝑦 1 𝑦 1 + 𝑦 1 ′ ′ ′ 𝑦 2 𝑦 2 𝑦 2 + 𝑦 2 Homomorphic operations correspond to component-wise ′ ′ 𝑦 3 𝑦 3 𝑦 3 + 𝑦 3 Amortized cost of homomorphic additions and scalar multiplications ⋮ ⋮ ⋮ operation on a single field element is polylog(𝜇) ′ ′ 𝑦 ℓ 𝑦 ℓ 𝑦 ℓ + 𝑦 ℓ Using RLWE-based encryption schemes, can Plaintext space can be viewed encrypt ℓ = ෨ 𝑃(𝜇) field elements ( 𝑞 = poly 𝜇 ) as a vector of field elements with ciphertexts of size ෨ 𝑃(𝜇)

Linear-Only Encryption over Rings 𝑛 𝑟 1 ∈ 𝔾 𝑞 ⟨𝜌 1 , 𝑟 1 ⟩ 𝑛 𝑟 2 ∈ 𝔾 𝑞 ⟨𝜌 2 , 𝑟 2 ⟩ 𝑛 𝑟 3 ∈ 𝔾 𝑞 ⟨𝜌 3 , 𝑟 3 ⟩ ⋮ ⋮ 𝑛 𝑟 ℓ ∈ 𝔾 𝑞 ⟨𝜌 ℓ , 𝑟 ℓ ⟩ Given encrypted set of query vectors, prover can homomorphically apply independent linear functions to each slot

Linear Multi-Prover Interactive Proofs (MIPs) 𝑦, 𝑥 𝜌 1 𝜌 2 ⋯ 𝜌 ℓ Verifier has oracle access to multiple linear proof oracles [Proofs may be correlated] Can convert linear MIP to preprocessing SNARG using linear- only (vector) encryption over rings

Linear Multi-Prover Interactive Proofs (MIPs) 𝑦, 𝑥 𝜌 1 𝜌 2 ⋯ 𝜌 ℓ Suppose • Number of provers ℓ = ෨ 𝑃 𝜇 𝑛 where 𝑛 = • Proofs 𝜌 1 , … , 𝜌 ℓ ∈ 𝔾 𝑞 Τ 𝐷 ℓ • Number of queries to each 𝜌 𝑗 is polylog(𝜇) Then, linear MIP is quasi-optimal

Linear Multi-Prover Interactive Proofs (MIPs) 𝑦, 𝑥 Prover complexity: 𝑃 ℓ𝑛 = ෨ ෨ 𝑃 𝐷 𝜌 1 𝜌 2 ⋯ 𝜌 ℓ Linear MIP size: = ෨ 𝑃 ℓ ⋅ polylog 𝜇 𝑃(𝜇) Suppose • Number of provers ℓ = ෨ 𝑃 𝜇 𝑛 where 𝑛 = • Proofs 𝜌 1 , … , 𝜌 ℓ ∈ 𝔾 𝑞 Τ 𝐷 ℓ • Number of queries to each 𝜌 𝑗 is polylog(𝜇) Then, linear MIP is quasi-optimal

Quasi-Optimal Linear MIPs This work: Construction of a quasi-optimal linear MIP for Boolean circuit satisfiability Robust Consistency Quasi-Optimal Decomposition Check Linear MIP