Gillat Koljoint work with Ran Raz

Competing Provers Protocols for Circuit Evaluation

Delegation of Computation

Delegation of Computation• A computationally weak verifier (client) wants to

delegate computation to a more powerful untrusted (buggy, dishonest,…) prover (cloud, server)

• The prover needs to convince the verifier that the computation was performed correctly

data

result

Interactive Proof (IP) Protocols• IP Setting: A poly-time verifier wants to compute f(x)

with the help of a computationally-unbounded prover, where f,x are known to both

• IP Protocol for f: Strategies for the verifier and prover. After interacting, the verifier outputs a guess for f(x): either 0, 1 or “?” (don’t know). Whp:– Prover follows his strategy Verifier outputs f(x) – Else, the verifier outputs (whp) either f(x) or “?”

Delegation Protocols• Delegation Protocol for f: An IP protocol for f, where additionally:

– The verifier is almost-linear-time (npolylog(n))– The honest prover is poly-time (Soundness against an unbounded prover)

• More realistic setting…

• Theorem [S‘92,LFKN‘92]: IP = PSPACE with poly(n) rounds – Does not yield a delegation protocol, parties do not

meet the additional complexity demands

Previous Result [GKR‘08]

• For log-space uniform, poly-size, linear-depth circuits we get a delegation protocol

Theorem [GKR‘08]: Let C be a log-space uniform circuit of size s and depth d.Interactive Proof protocol for C with⁻Communication rounds: dpolylog(s)⁻Bits exchanged: dpolylog(s)⁻Prover’s complexity: poly(s)⁻Verfier’s complexity: (d+n)polylog(s)

allows a fast access to the structure of C

The Class P

Delegation to Several Provers

Delegation to Several Provers• Our Motivation: In real life, one can delegate to more

than one prover

Delegation to Several Provers• Our Motivation: In real life, one can delegate to more

than one prover• Assumption: From now on assume that at least one of

the provers is reliable• Observation: In this case, the verifier can always learn

the correct value:Run a delegation protocol with each prover separately

Is More Merrier?• Our Work: Can we get protocols with less communication

by delegating to several provers instead of just one? • Main Challenge: Suppose we ask all the provers for f(x)

– If they all agree, it must be the correct value– But, if they don’t, how do we tell who’s reliable?

• Idea: The provers now compete on the verifier’s trust. The verifier can use the provers one against the other: Use the first prover to validate the claims of the second…

Competing Provers (CP) Protocols• CP Setting [FST‘88]: A poly-time verifier wants to

compute f(x) with the help of 2 computationally-unbounded provers P0 and P1, where f,x are known to all

• CP Protocol for f: Strategies for the verifier and provers. After interacting, the verifier outputs a guess for f(x): either 0 or 1 – One of the provers follows his strategy Verifier outputs f(x) (whp)

• Observation: Wlog, may assume that at the beginningP0 claims f(x) = 0, while P1 claims f(x) = 1. Hence, P0 and P1 are Competing Provers

CP Delegation Protocols• CP Delegation Protocol for f: A CP protocol for f, where additionally:

– The verifier is almost-linear-time– The honest provers are poly-time (Soundness against unbounded provers)

• Theorem [FK‘97]: CP = EXP with poly(n) roundsCP = PSAPCE with 1 round– Does not yield CP delegation protocols, parties do

not meet the additional complexity demands

Our ResultTheorem: Let C be a log-space uniform circuit of size s and depth d.r Competing Provers protocol for C with⁻Communication rounds: r⁻Bits exchanged: d1/rpolylog(s)⁻Provers’ complexity: poly(s)⁻Verfier’s complexity: (d1/r+n)polylog(s)

• r = 1 Bits exchanged: dpolylog(s) (independently proved by [CRR])

• r = O(log(d)/loglog(s)) Bits exchanged: polylog(s)

in GKRdpolylog(s)

in GKR(d+n)polylog)

s(

Our ResultTheorem: Let C be a log-space uniform circuit of size s and depth d.r Competing Provers protocol for C with⁻Communication rounds: r⁻Bits exchanged: d1/rpolylog(s)⁻Provers’ complexity: poly(s)⁻Verfier’s complexity: (d1/r+n)polylog(s)

• We give a delegation protocol for every language in P

in GKRdpolylog(s)

in GKR(d+n)polylog)

s(

Another ApplicationCommunication Complexity & Circuit Lower Bounds [AW‘09]

Communication Complexity• Setting:

– Alice and Bob are computationally-unbounded players– Alice has input x and Bob has input y– The players’ mutual goal is computing f(x,y) with the

least amount of communication between them

Communication Complexity with CP• New Setting: Alice and Bob want to compute f(x,y)

with the help of Competing Provers with the least amount of communication between all parties– f is known to all, Alice knows x, Bob knows y,

Provers know both x and y– P0 claims f(x,y) = 0, while P1 claims f(x,y) = 1– Each party can communicate with every other party

Corollary of Our Result

Corollary: Let C(x,y) be a circuit of size s and depth d. r Communication Complexity protocol with Competing Provers for C with⁻ Communication rounds: r⁻ Bits exchanged: d1/rpolylog(s)

s = poly(n), d = polylog(n)

• The corollary follows easily from the proof of our theorem, using the approach of [AW‘09]

• For example, if CNC then a 1-round protocol exchanges polylog(n) bits

Circuit Lower-Bounds• Our corollary can be viewed as a possible direction

towards proving circuit lower-bounds • For example, in order to prove fNC, it suffices to show:

Any 1-round Communication Complexity protocol with Competing Provers for f requires the exchange of (polylog(n)) bits– Relatively simple combinatorial property that implies

strong lower bounds

Proof of Main Theorem for r = 1(sketch of sketch)

Main Ingredient I: [GKR‘08]Delegation to a Single Prover

. . .

V0

Vd-1

V1

Vd

• Fix circuit C of size s and depth d, and an input x • Enumerate C’s layers: layer 0 = output, layer d = inputs• Let Li be the vector of values of layer i’s gates when C

is evaluated on x

Representing the Circuit

• Let Vi = LDE(Li)

• V0(0m) = C(x), Vd = LDE(x)

• The verifier knows Vd(r) for r unknown to the prover, and wants to compute V0(0m)

input x

output C(x)

C

• Let z0 = 0m and zd = r

• The prover sends V0(z0) = C(x)

• For i = 1,…,d– Reduce knowing a value in a layer to knowing a random value in the layer below:

The verifier randomly selects zi, and reduces the correctness of the claim “vi-1 = Vi-1(zi-1)” to the correctness of the claim “vi = Vi(zi)” using the prover

• Finally, the verifier checks Vd(zd)

The Protocol of [GKR‘08] V0

Vi

Vi-1

Vd

input x

output C(x)

C

. . .

. . .

vi

vi-1

• Claim: A point in layer i-1 is a degree-2 polynomial in the values of the gates of layer i

Vi-1(z) = w,w’Hm Cz,w,w’ Li (w) Li (w’)

• Proof: – Vi-1 = LDE(Li-1), thus a point in Vi-1 is a linear combination

of points in Li-1 (the values of layer i-1’s gates)

Connection Between Layers

– The value of a gate in layer i-1 is a degree-2 polynomial in the values of its two children in layer i

MULT

w’w

z

Li-1(z) = Li (w)Li (w’)

layer i

layer i-1

• The reduction between the layers is via a standard IP protocol called Sum-Check [LFKN‘92] – Central in PCPs, IP = PSPACE, MIP = NEXP, …– Allows computing xHm g(x) for a low-degree g, when

the verifier knows g(r) for random rFm, unknown to the prover (the verifier “tests” the prover on r)

• Sum-Check can be used to reduce layer i-1 to layer i as:– Recall: A point in layer i-1 is a deg-2 poly in layer i

polynomial = sum of monomials– The prover does not know the test point zi until the

next iteration

Sum-Check Protocol

Main Ingredient II: [FK‘97]Sum-Check for Competing Provers

• Recall: IP = PSPACE with poly(n) rounds [S‘92]– Proof uses the poly(n)-rounds IP Sum-Check protocol

of [LFKN‘92]

• Recall: CP = PSAPCE with 1 round [FK‘97]– Proof constructs a 1-round CP Sum-Check protocol

Sum-Check for CP

Combining Main Ingredients

• Our Goal: Reduce dpolylog(s) rounds to 1

• First Attempt: Implement iteration i of GKR using the 1-round Competing Provers Sum-Check protocol of FK– Problem: Still requires d rounds

• Second Attempt: Run all d Sum-Checks simultaneously –The verifier sends all z1,…,zd at once, provers reply to all– Problem: During iteration i, provers mustn’t know

the test point zi

Combining Main Ingredients

• Main Idea: Disguise z1,…,zd

i, the verifier gives the provers a low-degree curve i: FFm that passes through zi (instead of zi itself)

• The parties run d Sum-Checks simultaneously, one for each layer

• The ith Sum-Check uses i-1 instead of zi-1, and i instead of zi. I.e., it computes Vi-1(z) for all the points z on i-1, using any of the points r on i as a test point

• The proof relies on the fact that the replies of the honest provers are low-degree polynomials in the zi variables

Main Ideai

zi

• The verifier checks the replies (low-deg polynomials H) in an alternating order (one of P0 and one of P1)

• When reply H is checked, the verifier already knows a point on H using a previous reply G of the other prover– E.g., assume H(t) = ((t)) and G(t) = ((t)) ( is a low-deg func, , are intersecting low-deg curves).Knowing G implies knowing a point on H

• If a prover sends an incorrect reply, it disagrees with the correct reply on the known point whp (both are low-deg)

Verifier’s Check Algo

• Generalization to r rounds and d1/rpolylog(s) bits:– Set k = d1/r. Run r-1 rounds of a k-ary search to find

layers i > j, i-j = k s.t. the provers agree on a point on Vi but disagree on a point on Vj

– Run the 1-round protocol on the subcircuit C’ of depth k obtained from layers j…i of C

Our Result Requires More Work…

. . .

V0

Vd-1

V1

Vd

input x

output C(x)

C

j

i

C’

• Getting a very efficient verifier (assuming log-space uniformity)

Thank You!