SNARGs for P, and more, from poly-secure PIR
  Justin Holmgren
  Joint work with Zvika Brakerski and Yael Kalai
  (Footnote to the title: With RAM efficiency for the prover)
Verifiable Computation: What we want
  [Diagram labels: "Common Reference String"; "Hey! f(x) = y. Here's a proof"; "I believe you"; "Computationally bounded"]
What's Known
  Assumptions: random oracle / knowledge assumptions or iO. Result: holy grail.
  Assumptions: super-polynomial. Result: two-message schemes.
  Our Result. Assumptions: standard LWE. Result: public key + 1 message, secret verification key. Moreover, RAM efficiency.
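Non-Interactive RAM Delegation
  Parties: Worker, Client
  $(pk, vk) \leftarrow \mathrm{Gen}(1^\lambda)$; $pk$ is given to the Worker
  DB; $d = \mathrm{Digest}(DB)$
  Inputs: $M, x$
  $(y, d') \leftarrow M^{DB}(x)$
  Worker's message: $M, x, y, d', pf$
  $\mathrm{Verify}(M, d, x, y, d', pf)$: Accept?
  Soundness: a P.P.T. adversarial worker wins negligibly often.
  Adversarial Worker:
    • Adaptively chooses DB, $M$, $x$, $y$, $d'$, and $pf$
    • Wins if $M^{DB}(x) \not\to y, d'$ and Verify accepts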
Theorem
  Assume standard LWE. Then there is a non-interactive RAM delegation scheme.
  More generally, any succinct PIR suffices. For simplicity, assume FHE.
Scheme Overview [ABOR00] (Aiello-Bhatt-Ostrovsky-Rajagopalan '00)
  MIP: the Verifier sends queries $q_1, \ldots, q_k$ to the provers (diagram labels: Prover 0, Prover 1, Prover k) and receives answers $a_1, \ldots, a_k$. Sound if answers generated locally.
  Construct stronger MIP? Statistical No-Signaling [KRR14].
  Non-Interactive Delegation (Worker / Client): the queries are encrypted with independent FHE keys; the Worker's message is $M, x, y, d', a_1, \ldots, a_k$.
  Construct stronger FHE? Guarantees answers are no-signaling:
    • "Spooky-free" [DHRW16]
    • "homomorphism-extractable" [BC12]
  Consider alternate $q'_1, \ldots, q'_k$ with responses $a'_1, \ldots, a'_k$.
    If $q_1 = q'_1$ then $a_1 \approx_c a'_1$.
    If $q_S = q'_S$ then $a_S \approx_c a'_S$.
Family of MIP-based schemes
  FHE Strength: Spooky-Free. MIP Strength: Local. (More Crypto)
  FHE Strength: Super-poly IND-CPA. MIP Strength: Statistical No-Signaling.
  FHE Strength: IND-CPA. MIP Strength: Computational No-Signaling. (This Work; More MIP)
  Moreover, MIP is adaptive.
MIP Overview
  Redo [KRR14] and more.
  1. Lemma: "local soundness". For any $T$-time $P^*$ which claims $M^{DB}(x) \to y, d'$ ($\Pr[\text{win}] > \epsilon$), we can construct $\mathrm{Assign}_{P^*}$: an algorithm taking any $V$ with $|V| \le k$ to $A$, a locally consistent distribution over the $T$-step tableau, distributed like $P^*$'s successes.
     Claim: $M^{DB}(x) \to y, d'$.
  2. Lemma: local soundness implies soundness. (Our focus today)
Tableau for RAMs [KP15] (Kalai-Paneth 15)
  Variables (per layer: Layer 1, Layer 2, …, Layer t): Digest, Machine state, Mem Op, Merkle Proof
  Diagram label: $\mathrm{poly}(\lambda)$
  Local constraints:
    • Check initial digest = $d$
    • Check initial state = $q_0$
    • (for all adj. layers) Check Merkle proofs, check state transition
    • Check final output = $y$
    • Check final digest = $d'$
Local to global
  Claim: $M^{DB}(x) \to y, d'$.
  With probability $\epsilon$: $M^{DB}(x) \not\to y, d'$.
  $\mathrm{Assign}_{P^*}$ = queries to Variables.
  By hybrid argument, for some $i$…
  Tableau columns: Merkle root, Machine state, Mem Op, Merkle Proof
    Layer 1: $M.q_0$, $d$
    Layer 2
    …
    Layer t: $y$, $d'$
Local to global (continued)
  Claim: $M^{DB}(x) \to y, d'$.
  With probability $\epsilon$: $M^{DB}(x) \not\to y, d'$.
  $\mathrm{Assign}_{P^*}$ = queries to Variables.
  By hybrid argument, for some $i$…
  Tableau columns: Merkle root, Machine state, Mem Op, Merkle Proof
    First layer: $M.q_0$, $d$
    Layer i: Correct with prob $\epsilon/t$
    Layer i+1: Incorrect
    Last layer: $y$, $d'$
Local to global (continued)
  Claim: $M^{DB}(x) \to y, d'$.
  With probability $\epsilon$: $M^{DB}(x) \not\to y, d'$.
  $\mathrm{Assign}_{P^*}$ = queries to Variables.
  By hybrid argument, for some $i$…
  Tableau columns: Merkle root, Machine state, Mem Op, Merkle Proof
    First layer: $M.q_0$, $d$
    Layer i: Correct with prob $\epsilon/t$
    Layer i+1: Incorrect
    Last layer: $y$, $d'$
  Layers i and i+1 are Locally Consistent: Hash Collision!
Application: NP Delegation
  $L = \{ x : \exists w \text{ s.t. } R_L(x, w) \}$; running time $|x| + |w|$
  Parties: Prover, Verifier
  $(pk, vk) \leftarrow \mathrm{Gen}(1^\lambda)$; $pk$ is given to the Prover
  Prover's message: $x, w$, and a proof that $R_L(x, w) = 1$
  Communication: $|x| + |w| + \mathrm{poly}(\lambda)$. Optimal communication* [Gentry-Wichs]
  * from falsifiable assumptions
  Soundness follows from deterministic computation adaptive soundness.
  With modifications, can prove many $x$'s "for the price of one".
  For deterministic computations.
Thanks