competing provers protocols for circuit evaluation
DESCRIPTION
Competing Provers Protocols for Circuit Evaluation. Gillat Kol joint work with Ran Raz. Delegation of Computation. Delegation of Computation. - PowerPoint PPT PresentationTRANSCRIPT
Gillat Koljoint work with Ran Raz
Competing Provers Protocols for Circuit Evaluation
Delegation of Computation
Delegation of Computation• A computationally weak verifier (client) wants to
delegate computation to a more powerful untrusted (buggy, dishonest,…) prover (cloud, server)
• The prover needs to convince the verifier that the computation was performed correctly
data
result
Interactive Proof (IP) Protocols• IP Setting: A poly-time verifier wants to compute f(x)
with the help of a computationally-unbounded prover, where f,x are known to both
• IP Protocol for f: Strategies for the verifier and prover. After interacting, the verifier outputs a guess for f(x): either 0, 1 or “?” (don’t know). Whp:– Prover follows his strategy Verifier outputs f(x) – Else, the verifier outputs (whp) either f(x) or “?”
Delegation Protocols• Delegation Protocol for f: An IP protocol for f, where additionally:
– The verifier is almost-linear-time (npolylog(n))– The honest prover is poly-time (Soundness against an unbounded prover)
• More realistic setting…
• Theorem [S‘92,LFKN‘92]: IP = PSPACE with poly(n) rounds – Does not yield a delegation protocol, parties do not
meet the additional complexity demands
Previous Result [GKR‘08]
• For log-space uniform, poly-size, linear-depth circuits we get a delegation protocol
Theorem [GKR‘08]: Let C be a log-space uniform circuit of size s and depth d.Interactive Proof protocol for C with⁻Communication rounds: dpolylog(s)⁻Bits exchanged: dpolylog(s)⁻Prover’s complexity: poly(s)⁻Verfier’s complexity: (d+n)polylog(s)
allows a fast access to the structure of C
The Class P
Delegation to Several Provers
Delegation to Several Provers• Our Motivation: In real life, one can delegate to more
than one prover
Delegation to Several Provers• Our Motivation: In real life, one can delegate to more
than one prover• Assumption: From now on assume that at least one of
the provers is reliable• Observation: In this case, the verifier can always learn
the correct value:Run a delegation protocol with each prover separately
Is More Merrier?• Our Work: Can we get protocols with less communication
by delegating to several provers instead of just one? • Main Challenge: Suppose we ask all the provers for f(x)
– If they all agree, it must be the correct value– But, if they don’t, how do we tell who’s reliable?
• Idea: The provers now compete on the verifier’s trust. The verifier can use the provers one against the other: Use the first prover to validate the claims of the second…
Competing Provers (CP) Protocols• CP Setting [FST‘88]: A poly-time verifier wants to
compute f(x) with the help of 2 computationally-unbounded provers P0 and P1, where f,x are known to all
• CP Protocol for f: Strategies for the verifier and provers. After interacting, the verifier outputs a guess for f(x): either 0 or 1 – One of the provers follows his strategy Verifier outputs f(x) (whp)
• Observation: Wlog, may assume that at the beginningP0 claims f(x) = 0, while P1 claims f(x) = 1. Hence, P0 and P1 are Competing Provers
CP Delegation Protocols• CP Delegation Protocol for f: A CP protocol for f, where additionally:
– The verifier is almost-linear-time– The honest provers are poly-time (Soundness against unbounded provers)
• Theorem [FK‘97]: CP = EXP with poly(n) roundsCP = PSAPCE with 1 round– Does not yield CP delegation protocols, parties do
not meet the additional complexity demands
Our ResultTheorem: Let C be a log-space uniform circuit of size s and depth d.r Competing Provers protocol for C with⁻Communication rounds: r⁻Bits exchanged: d1/rpolylog(s)⁻Provers’ complexity: poly(s)⁻Verfier’s complexity: (d1/r+n)polylog(s)
• r = 1 Bits exchanged: dpolylog(s) (independently proved by [CRR])
• r = O(log(d)/loglog(s)) Bits exchanged: polylog(s)
in GKRdpolylog(s)
in GKR(d+n)polylog)
s(
Our ResultTheorem: Let C be a log-space uniform circuit of size s and depth d.r Competing Provers protocol for C with⁻Communication rounds: r⁻Bits exchanged: d1/rpolylog(s)⁻Provers’ complexity: poly(s)⁻Verfier’s complexity: (d1/r+n)polylog(s)
• We give a delegation protocol for every language in P
in GKRdpolylog(s)
in GKR(d+n)polylog)
s(
Another ApplicationCommunication Complexity & Circuit Lower Bounds [AW‘09]
Communication Complexity• Setting:
– Alice and Bob are computationally-unbounded players– Alice has input x and Bob has input y– The players’ mutual goal is computing f(x,y) with the
least amount of communication between them
Communication Complexity with CP• New Setting: Alice and Bob want to compute f(x,y)
with the help of Competing Provers with the least amount of communication between all parties– f is known to all, Alice knows x, Bob knows y,
Provers know both x and y– P0 claims f(x,y) = 0, while P1 claims f(x,y) = 1– Each party can communicate with every other party
Corollary of Our Result
Corollary: Let C(x,y) be a circuit of size s and depth d. r Communication Complexity protocol with Competing Provers for C with⁻ Communication rounds: r⁻ Bits exchanged: d1/rpolylog(s)
s = poly(n), d = polylog(n)
• The corollary follows easily from the proof of our theorem, using the approach of [AW‘09]
• For example, if CNC then a 1-round protocol exchanges polylog(n) bits
Circuit Lower-Bounds• Our corollary can be viewed as a possible direction
towards proving circuit lower-bounds • For example, in order to prove fNC, it suffices to show:
Any 1-round Communication Complexity protocol with Competing Provers for f requires the exchange of (polylog(n)) bits– Relatively simple combinatorial property that implies
strong lower bounds
Proof of Main Theorem for r = 1(sketch of sketch)
Main Ingredient I: [GKR‘08]Delegation to a Single Prover
. . .
V0
Vd-1
V1
Vd
• Fix circuit C of size s and depth d, and an input x • Enumerate C’s layers: layer 0 = output, layer d = inputs• Let Li be the vector of values of layer i’s gates when C
is evaluated on x
Representing the Circuit
• Let Vi = LDE(Li)
• V0(0m) = C(x), Vd = LDE(x)
• The verifier knows Vd(r) for r unknown to the prover, and wants to compute V0(0m)
input x
output C(x)
C
• Let z0 = 0m and zd = r
• The prover sends V0(z0) = C(x)
• For i = 1,…,d– Reduce knowing a value in a layer to knowing a random value in the layer below:
The verifier randomly selects zi, and reduces the correctness of the claim “vi-1 = Vi-1(zi-1)” to the correctness of the claim “vi = Vi(zi)” using the prover
• Finally, the verifier checks Vd(zd)
The Protocol of [GKR‘08] V0
Vi
Vi-1
Vd
input x
output C(x)
C
. . .
. . .
vi
vi-1
• Claim: A point in layer i-1 is a degree-2 polynomial in the values of the gates of layer i
Vi-1(z) = w,w’Hm Cz,w,w’ Li (w) Li (w’)
• Proof: – Vi-1 = LDE(Li-1), thus a point in Vi-1 is a linear combination
of points in Li-1 (the values of layer i-1’s gates)
Connection Between Layers
– The value of a gate in layer i-1 is a degree-2 polynomial in the values of its two children in layer i
MULT
w’w
z
Li-1(z) = Li (w)Li (w’)
layer i
layer i-1
• The reduction between the layers is via a standard IP protocol called Sum-Check [LFKN‘92] – Central in PCPs, IP = PSPACE, MIP = NEXP, …– Allows computing xHm g(x) for a low-degree g, when
the verifier knows g(r) for random rFm, unknown to the prover (the verifier “tests” the prover on r)
• Sum-Check can be used to reduce layer i-1 to layer i as:– Recall: A point in layer i-1 is a deg-2 poly in layer i
polynomial = sum of monomials– The prover does not know the test point zi until the
next iteration
Sum-Check Protocol
Main Ingredient II: [FK‘97]Sum-Check for Competing Provers
• Recall: IP = PSPACE with poly(n) rounds [S‘92]– Proof uses the poly(n)-rounds IP Sum-Check protocol
of [LFKN‘92]
• Recall: CP = PSAPCE with 1 round [FK‘97]– Proof constructs a 1-round CP Sum-Check protocol
Sum-Check for CP
Combining Main Ingredients
• Our Goal: Reduce dpolylog(s) rounds to 1
• First Attempt: Implement iteration i of GKR using the 1-round Competing Provers Sum-Check protocol of FK– Problem: Still requires d rounds
• Second Attempt: Run all d Sum-Checks simultaneously –The verifier sends all z1,…,zd at once, provers reply to all– Problem: During iteration i, provers mustn’t know
the test point zi
Combining Main Ingredients
• Main Idea: Disguise z1,…,zd
i, the verifier gives the provers a low-degree curve i: FFm that passes through zi (instead of zi itself)
• The parties run d Sum-Checks simultaneously, one for each layer
• The ith Sum-Check uses i-1 instead of zi-1, and i instead of zi. I.e., it computes Vi-1(z) for all the points z on i-1, using any of the points r on i as a test point
• The proof relies on the fact that the replies of the honest provers are low-degree polynomials in the zi variables
Main Ideai
zi
• The verifier checks the replies (low-deg polynomials H) in an alternating order (one of P0 and one of P1)
• When reply H is checked, the verifier already knows a point on H using a previous reply G of the other prover– E.g., assume H(t) = ((t)) and G(t) = ((t)) ( is a low-deg func, , are intersecting low-deg curves).Knowing G implies knowing a point on H
• If a prover sends an incorrect reply, it disagrees with the correct reply on the known point whp (both are low-deg)
Verifier’s Check Algo
• Generalization to r rounds and d1/rpolylog(s) bits:– Set k = d1/r. Run r-1 rounds of a k-ary search to find
layers i > j, i-j = k s.t. the provers agree on a point on Vi but disagree on a point on Vj
– Run the 1-round protocol on the subcircuit C’ of depth k obtained from layers j…i of C
Our Result Requires More Work…
. . .
V0
Vd-1
V1
Vd
input x
output C(x)
C
j
i
C’
• Getting a very efficient verifier (assuming log-space uniformity)
Thank You!