Competing Provers Protocols for Circuit Evaluation
description
Transcript of Competing Provers Protocols for Circuit Evaluation
Gillat Koljoint work with Ran Raz
Competing Provers Protocols for Circuit Evaluation
Delegation of Computation
Delegation of Computation• A computationally weak verifier (client) wants to
delegate computation to a more powerful untrusted (buggy, dishonest,…) prover (cloud, server)
• The prover needs to convince the verifier that the computation was performed correctly
data
result
Interactive Proof (IP) Protocols• IP Setting: A poly-time verifier wants to compute f(x)
with the help of a computationally-unbounded prover, where f,x are known to both
• IP Protocol for f: Strategies for the verifier and prover. After interacting, the verifier outputs a guess for f(x): either 0, 1 or “?” (don’t know). Whp:– Prover follows his strategy Verifier outputs f(x) – Else, the verifier outputs (whp) either f(x) or “?”
Delegation Protocols• Delegation Protocol for f: An IP protocol for f, where additionally:
– The verifier is almost-linear-time (npolylog(n))– The honest prover is poly-time (Soundness against an unbounded prover)
• More realistic setting…
• Theorem [S‘92,LFKN‘92]: IP = PSPACE with poly(n) rounds – Does not yield a delegation protocol, parties do not
meet the additional complexity demands
Previous Result [GKR‘08]
• For log-space uniform, poly-size, linear-depth circuits we get a delegation protocol
Theorem [GKR‘08]: Let C be a log-space uniform circuit of size s and depth d.Interactive Proof protocol for C with⁻Communication rounds: dpolylog(s)⁻Bits exchanged: dpolylog(s)⁻Prover’s complexity: poly(s)⁻Verfier’s complexity: (d+n)polylog(s)
allows a fast access to the structure of C
The Class P
Delegation to Several Provers
Delegation to Several Provers• Our Motivation: In real life, one can delegate to more
than one prover
Delegation to Several Provers• Our Motivation: In real life, one can delegate to more
than one prover• Assumption: From now on assume that at least one of
the provers is reliable• Observation: In this case, the verifier can always learn
the correct value:Run a delegation protocol with each prover separately
Is More Merrier?• Our Work: Can we get protocols with less communication
by delegating to several provers instead of just one? • Main Challenge: Suppose we ask all the provers for f(x)
– If they all agree, it must be the correct value– But, if they don’t, how do we tell who’s reliable?
• Idea: The provers now compete on the verifier’s trust. The verifier can use the provers one against the other: Use the first prover to validate the claims of the second…
Competing Provers (CP) Protocols• CP Setting [FST‘88]: A poly-time verifier wants to
compute f(x) with the help of 2 computationally-unbounded provers P0 and P1, where f,x are known to all
• CP Protocol for f: Strategies for the verifier and provers. After interacting, the verifier outputs a guess for f(x): either 0 or 1 – One of the provers follows his strategy Verifier outputs f(x) (whp)
• Observation: Wlog, may assume that at the beginningP0 claims f(x) = 0, while P1 claims f(x) = 1. Hence, P0 and P1 are Competing Provers
CP Delegation Protocols• CP Delegation Protocol for f: A CP protocol for f, where additionally:
– The verifier is almost-linear-time– The honest provers are poly-time (Soundness against unbounded provers)
• Theorem [FK‘97]: CP = EXP with poly(n) roundsCP = PSAPCE with 1 round– Does not yield CP delegation protocols, parties do
not meet the additional complexity demands
Our ResultTheorem: Let C be a log-space uniform circuit of size s and depth d.r Competing Provers protocol for C with⁻Communication rounds: r⁻Bits exchanged: d1/rpolylog(s)⁻Provers’ complexity: poly(s)⁻Verfier’s complexity: (d1/r+n)polylog(s)
• r = 1 Bits exchanged: dpolylog(s) (independently proved by [CRR])
• r = O(log(d)/loglog(s)) Bits exchanged: polylog(s)
in GKRdpolylog(s)
in GKR(d+n)polylog)
s(
Our ResultTheorem: Let C be a log-space uniform circuit of size s and depth d.r Competing Provers protocol for C with⁻Communication rounds: r⁻Bits exchanged: d1/rpolylog(s)⁻Provers’ complexity: poly(s)⁻Verfier’s complexity: (d1/r+n)polylog(s)
• We give a delegation protocol for every language in P
in GKRdpolylog(s)
in GKR(d+n)polylog)
s(
Another ApplicationCommunication Complexity & Circuit Lower Bounds [AW‘09]
Communication Complexity• Setting:
– Alice and Bob are computationally-unbounded players– Alice has input x and Bob has input y– The players’ mutual goal is computing f(x,y) with the
least amount of communication between them
Communication Complexity with CP• New Setting: Alice and Bob want to compute f(x,y)
with the help of Competing Provers with the least amount of communication between all parties– f is known to all, Alice knows x, Bob knows y,
Provers know both x and y– P0 claims f(x,y) = 0, while P1 claims f(x,y) = 1– Each party can communicate with every other party
Corollary of Our Result
Corollary: Let C(x,y) be a circuit of size s and depth d. r Communication Complexity protocol with Competing Provers for C with⁻ Communication rounds: r⁻ Bits exchanged: d1/rpolylog(s)
s = poly(n), d = polylog(n)
• The corollary follows easily from the proof of our theorem, using the approach of [AW‘09]
• For example, if CNC then a 1-round protocol exchanges polylog(n) bits
Circuit Lower-Bounds• Our corollary can be viewed as a possible direction
towards proving circuit lower-bounds • For example, in order to prove fNC, it suffices to show:
Any 1-round Communication Complexity protocol with Competing Provers for f requires the exchange of (polylog(n)) bits– Relatively simple combinatorial property that implies
strong lower bounds
Proof of Main Theorem for r = 1(sketch of sketch)
Main Ingredient I: [GKR‘08]Delegation to a Single Prover
. . .
V0
Vd-1
V1
Vd
• Fix circuit C of size s and depth d, and an input x • Enumerate C’s layers: layer 0 = output, layer d = inputs• Let Li be the vector of values of layer i’s gates when C
is evaluated on x
Representing the Circuit
• Let Vi = LDE(Li)
• V0(0m) = C(x), Vd = LDE(x)
• The verifier knows Vd(r) for r unknown to the prover, and wants to compute V0(0m)
input x
output C(x)
C
• Let z0 = 0m and zd = r
• The prover sends V0(z0) = C(x)
• For i = 1,…,d– Reduce knowing a value in a layer to knowing a random value in the layer below:
The verifier randomly selects zi, and reduces the correctness of the claim “vi-1 = Vi-1(zi-1)” to the correctness of the claim “vi = Vi(zi)” using the prover
• Finally, the verifier checks Vd(zd)
The Protocol of [GKR‘08] V0
Vi
Vi-1
Vd
input x
output C(x)
C
. . .
. . .
vi
vi-1
• Claim: A point in layer i-1 is a degree-2 polynomial in the values of the gates of layer i
Vi-1(z) = w,w’Hm Cz,w,w’ Li (w) Li (w’)
• Proof: – Vi-1 = LDE(Li-1), thus a point in Vi-1 is a linear combination
of points in Li-1 (the values of layer i-1’s gates)
Connection Between Layers
– The value of a gate in layer i-1 is a degree-2 polynomial in the values of its two children in layer i
MULT
w’w
z
Li-1(z) = Li (w)Li (w’)
layer i
layer i-1
• The reduction between the layers is via a standard IP protocol called Sum-Check [LFKN‘92] – Central in PCPs, IP = PSPACE, MIP = NEXP, …– Allows computing xHm g(x) for a low-degree g, when
the verifier knows g(r) for random rFm, unknown to the prover (the verifier “tests” the prover on r)
• Sum-Check can be used to reduce layer i-1 to layer i as:– Recall: A point in layer i-1 is a deg-2 poly in layer i
polynomial = sum of monomials– The prover does not know the test point zi until the
next iteration
Sum-Check Protocol
Main Ingredient II: [FK‘97]Sum-Check for Competing Provers
• Recall: IP = PSPACE with poly(n) rounds [S‘92]– Proof uses the poly(n)-rounds IP Sum-Check protocol
of [LFKN‘92]
• Recall: CP = PSAPCE with 1 round [FK‘97]– Proof constructs a 1-round CP Sum-Check protocol
Sum-Check for CP
Combining Main Ingredients
• Our Goal: Reduce dpolylog(s) rounds to 1
• First Attempt: Implement iteration i of GKR using the 1-round Competing Provers Sum-Check protocol of FK– Problem: Still requires d rounds
• Second Attempt: Run all d Sum-Checks simultaneously –The verifier sends all z1,…,zd at once, provers reply to all– Problem: During iteration i, provers mustn’t know
the test point zi
Combining Main Ingredients
• Main Idea: Disguise z1,…,zd
i, the verifier gives the provers a low-degree curve i: FFm that passes through zi (instead of zi itself)
• The parties run d Sum-Checks simultaneously, one for each layer
• The ith Sum-Check uses i-1 instead of zi-1, and i instead of zi. I.e., it computes Vi-1(z) for all the points z on i-1, using any of the points r on i as a test point
• The proof relies on the fact that the replies of the honest provers are low-degree polynomials in the zi variables
Main Ideai
zi
• The verifier checks the replies (low-deg polynomials H) in an alternating order (one of P0 and one of P1)
• When reply H is checked, the verifier already knows a point on H using a previous reply G of the other prover– E.g., assume H(t) = ((t)) and G(t) = ((t)) ( is a low-deg func, , are intersecting low-deg curves).Knowing G implies knowing a point on H
• If a prover sends an incorrect reply, it disagrees with the correct reply on the known point whp (both are low-deg)
Verifier’s Check Algo
• Generalization to r rounds and d1/rpolylog(s) bits:– Set k = d1/r. Run r-1 rounds of a k-ary search to find
layers i > j, i-j = k s.t. the provers agree on a point on Vi but disagree on a point on Vj
– Run the 1-round protocol on the subcircuit C’ of depth k obtained from layers j…i of C
Our Result Requires More Work…
. . .
V0
Vd-1
V1
Vd
input x
output C(x)
C
j
i
C’
• Getting a very efficient verifier (assuming log-space uniformity)
Thank You!