Publicly Verifiable Non-Interactive Arguments
for Delegating Computation
OMER PANETH AND GUY ROTHBLUM
Meet Ran
Computational task:
Review submission #123
Accept \ Reject
Delegating Computation
Review Submission #123
Accept \ Reject + Proof
Delegating Computation
𝑓 𝑥 =?
Worker
Delegator
𝑓 𝑥 = 𝑦 + Proof
Proof System Properties
Prover
Proof that 𝑓 𝑥 = 𝑦
(Worker)
Verifier
(Delegator)
• Standard completeness and soundness
• Efficiency:
• Verifier - 𝑂 𝑥 ⋅ 𝑃𝑜𝑙𝑦𝑙𝑜𝑔 (𝑇𝑓 )
• Prover - 𝑃𝑜𝑙𝑦(𝑇𝑓 )
The Best Possible Proofs
Trusted party
Prover
CRS
Proof that 𝑓 𝑥 = 𝑦
Verifier
Publicly-Verifiable
Non-Interactive
1. Computational
soundness
(arguments)
Arguments for Delegating Computation
2. Trusted common reference string (CRS)
(or Publicly-Verifiable Delegation)
Constructions from Strong Assumptions
1. In the Random Oracle model [Micali 94]
2. In the plain model based on
“knowledge-of-exponent” assumptions
[G10, L12, DFH12, GGPR13, BCCT13, BCIOP13]
Can delegate non-deterministic computations
(evidence for necessity of non-falsifiable assumptions)
[Gentry-Wichs 11]
Privately-Verifiable Delegation
[Kalai-Raz-Rothblum 14]
Challenge
Prover
𝑓 𝑥 = 𝑦 + Proof
Challenge +𝑡
Verifier
𝑉𝑒𝑟(𝑡, Proof)
Based on (sub-exponentially) secure FHE (or PIR)
Do publicly-verifiable delegation exist
under natural falsifiable assumptions?
Results
Publicly-verifiable delegation
for all poly-time computations
assuming Graded Encodings
satisfying a natural hardness assumption.
Delegation for bounded depth computations
with adaptive soundness
based on a milder assumption.
Concurrent Work
Publicly-verifiable delegation through Obfuscation
[Gentry-Lewko-Sahai-Waters 14] + [Lin-Pass-Bitansky-Garg-Telang 14,
Canetti-Holmgren-Jain-Vaikuntanathan 14, Koppula-Lewko-Waters 14]
1. non-interactive delegation for poly-time computation
from sub-exponential Subgroup Elimination.
2. two-message delegation for bounded-space
from polynomial Subgroup Elimination.
Next
1. High-level Overview of the first protocol.
2. Graded encodings and the assumption.
3. More details on the first protocol.
Not today : second protocol.
PCPs to Privately-Verifiable Delegation
[Aiello-Bhatt-Ostrovsky-Rajagopalan 00]
𝐸𝑠𝑘1 𝑞1 , … , 𝐸𝑠𝑘𝑛 𝑞𝑛
Prover
PCP Proof 𝜋
𝑞1 , … , 𝑞𝑛
𝑠𝑘1 , … , 𝑠𝑘𝑛
Verifier
𝐸𝑠𝑘1 𝜋(𝑞1 ) , … , 𝐸𝑠𝑘𝑛 𝜋(𝑞𝑛 )
Don’t know how to prove security with arbitrary PCPs
[Dwork-Langberg-Naor-Nissim-Reingold 04]
Secure with no-signaling PCPs [Kalai-Raz-Rothblum 14]
From Private to Public Verifiability
𝐸𝑠𝑘1 𝑞1 , … , 𝐸𝑠𝑘𝑛 𝑞𝑛
Prover
𝐸𝑠𝑘1 𝜋(𝑞1 ) , … , 𝐸𝑠𝑘𝑛 𝜋(𝑞𝑛 )
Verifier
Our Approach
exploit structure - no generic transformation.
[Kalai-Raz-Rothblum 14]:
Any
No-Signaling PCP
+
Any
FHE
Privately-Verifiable
Delegation
This work:
A Specific PCP
(Sum-Check Protocol)
+
A Specific
Encryption
(from Graded Encoding)
Publicly-Verifiable
Delegation
Curve Encryption – High Level
Proof: a low degree polynomial 𝑃: 𝐹 𝑚 → 𝐹.
Query: an Input 𝑞 ∈ 𝐹 𝑚 .
Answer: the evaluation 𝑃 𝑞 .
𝑞
Curve Encryption – High Level
Proof: a low degree polynomial 𝑃: 𝐹 𝑚 → 𝐹.
“Encrypted” query:
𝛾
𝑞
A random low degree curve 𝛾: 𝐹 →
𝐹 𝑚 though 𝑞
“hidden” among other points
Curve Encryption – High Level
Proof: a low degree polynomial 𝑃: 𝐹 𝑚 → 𝐹.
“Encrypted” answer:
𝛾
𝑞
the univariate restriction 𝑃(𝛾(⋅)).
Example: 𝑃 𝛾 ⋅
≡0 ⇒ 𝑃 𝑞 =0
Curve Encryption – High Level
Proof: a low degree polynomial 𝑃: 𝐹 𝑚 → 𝐹.
Encrypted query:
𝛾
𝑞
“encoded” curve 𝛾
Encrypted answer:
“encoded” restriction 𝑃(𝛾(⋅))
Completely hidden
Graded Encodings
[Garg-Gentry-Halevi 13]
Encoding 𝛼
1.
𝛼
ℓ
2.
𝛼
ℓ1
± 𝛽
ℓ
× 𝛽
3. 𝑍𝑇 𝛼
ℓ
ℓ
of element 𝛼 ∈ 𝐹 under level ℓ ∈ 0, … , 𝑑
→ 𝛼±𝛽
ℓ2
ℓ
→ 𝛼×𝛽
ℓ1 +ℓ2
if ℓ1 + ℓ2 ≤ 𝑑
→ 1 if and only if 𝛼 = 0
Given polynomial 𝑃: 𝐹 𝑚 → 𝐹 and encodings 𝛼1 1 , … , 𝛼𝑚
• If 𝑃 is of degree ≤ 𝑑, can test if 𝑃 𝛼1 , … , 𝛼𝑚 = 0
• Hard for 𝑃 of degree > 𝑑
1
Encoding Curves
A curve 𝛾: 𝐹 → 𝐹 𝑚 of degree 𝑑:
𝑑
𝑎𝑖 ⋅ 𝑡 𝑖 ,
𝛾 𝑡 =
𝑎𝑖 = (𝑎𝑖,1 , … , 𝑎𝑖,𝑚 ) ∈ 𝐹 𝑚
𝑖=0
The level-ℓ encoding of 𝛾 is:
𝛾
ℓ
≝
𝑎𝑖,𝑗
ℓ 𝑖∈ 0,𝑑 ,𝑗∈[𝑚]
Curve Encryption
For 𝑞 ∈ 𝐹 𝑚 let 𝛾𝑞 be a random degree 𝑑 curve though 𝑞:
∃𝑡 ∈ 𝐹: 𝛾𝑞 𝑡 = 𝑞.
Plaintext: 𝑞 ∈ 0,1
𝑚,
Ciphertext: 𝛾𝑞 ,
Security: for every 𝑞0 , 𝑞1 ∈ 0,1
Secret key: 𝑡 0 .
1
𝑚:
𝛾𝑞0
1
≈𝑐 𝛾𝑞1 .
1
The Hardness Assumption
Intuitively: Hard to evaluate an encoded polynomial on
encoded input.
Given graded encoding with maximal level 𝑑:
𝑑
𝛼𝑖 ⋅ 𝑡 𝑖
𝑡 1 , 𝑎0 1 , … , 𝛼𝑑 1 ,
𝑖=0
≈𝑐
1
Where 𝑡, 𝛼0 , … , 𝛼𝑑 , 𝑧 are random in 𝐹.
𝑡 1 , 𝑎0 1 , … , 𝛼𝑑 1 , 𝑧
1
Plausibility of the Assumption
𝑡 1 , 𝑎0 1 , … , 𝛼𝑑 1 ,
𝑑
𝑖=0 𝛼𝑖
⋅ 𝑡𝑖
1
≈𝑐
𝑡 1 , 𝑎0 1 , … , 𝛼𝑑 1 , 𝑧
1
.
• Reduction from curve encryption use re-randomization
• Recent attack [GGH13, CHLRS 14, GHMS14, BWZ14, CLT14]
• No candidate are known.
• Alternative assumption: curve encryption is secure
(no known attacks in all candidate graded encodings)
Back to Delegation
Arithmetization of Computation
Can write any time 𝑇 computation as an assignment:
𝑋: 0,1
𝑚
→ 0,1 for 𝑚 = 𝑂(log 𝑇)
The assignment 𝑋 is globally consistent if:
∀𝑞1 , 𝑞2 , 𝑞3 ∈ 0,1
𝑚
: 𝑓 𝑞1 , 𝑞2 , 𝑞3 , 𝑋 𝑞1 , 𝑋 𝑞2 , 𝑋 𝑞3
=0
Where 𝑓: 𝐹 3𝑚+3 → 𝐹 is a low-degree arithmetic circuit
Protocol Outline
𝛾1 1, … , 𝛾 𝑛
Prover
𝑋 ∘ 𝛾1
1
𝑛
,
…
,
𝑋
∘
𝛾
𝑚
𝑚
Verifier
Proof 𝑋
𝑋: 0,1
𝑚
level- 𝑚 encoding of the coefficients
1 ⋅ .
of
the
univariate
restriction
𝑋
𝛾
→ 0,1 - assignment
𝑋: 𝐹 𝑚 → 𝐹 – multi-linear extension of 𝑋
(𝑋 is multi-linear and agrees with 𝑋 on 0,1
𝑚
)
Security Proof Outline
Prover convinces verifier to accept
locally consistent assignment
[Kalai-Raz-Rothblum 14]
There exists a globally consistent assignment
Locally Consistent Assignment
[Kalai-Raz-Rothblum 14]
An 𝑛-local assignment generator is a PPT algorithm:
𝑎1 , … , 𝑎𝑛 ← 𝐴𝐺(𝑞1 , … , 𝑞𝑛 )
1. Everywhere local consistency: for all 𝑞 = 𝑞1 , … , 𝑞𝑛 :
Pr
𝑎←𝐴𝐺(𝑞)
∃𝑖, 𝑗, 𝑘 ∈ 𝑛 : 𝑓 𝑞𝑖 , 𝑞𝑗 , 𝑞𝑘 , 𝑎𝑖 , 𝑎𝑗 , 𝑎𝑘 ≠ 0 ≤ 𝑛𝑒𝑔𝑙 .
2. No-signaling
Constructing an Assignment Generator
∀𝑖 ∈ 𝑛 sample 𝛾𝑞𝑖
𝛾𝑞1 , … , 𝛾𝑞𝑛
1
Prover
1
and 𝑡𝑖
𝐴𝐺
0
𝑞1 , … , 𝑞𝑛 ∈ 0,1
1
𝑋 ∘ 𝛾𝑞1 , … , 𝑋 ∘ 𝛾𝑞𝑛
If proof is rejecting:
∀𝑖 ∈ 𝑛 obtain [𝑎𝑖 = 𝑋 q𝑖 = 𝑋(𝛾𝑞𝑖 (𝑡𝑖 ))]
𝑎1 , … , 𝑎𝑛 ∈ 0,1
𝑚
Protocol Details
Recall: 𝑋 is the multi-linear extension of 𝑋.
Let 𝑃: 𝐹 3𝑚 → 𝐹 be the low-degree polynomial:
𝑃 𝑞1 , 𝑞2 , 𝑞3 ≝ 𝑓 𝑞1 , 𝑞2 , 𝑞3 , 𝑋 𝑞1 , 𝑋 𝑞2 , 𝑋 𝑞3
Goal: verify that:
1. 𝑃 is consistent with 𝑋
2. 𝑃 𝑧 = 0 for all 𝑧 ∈ 0,1
3𝑚
Only over the CRS curves
,
(1)
The Prover Strategy
Given CRS = 𝛾 1 1 , … , 𝛾 𝑛
1 , and
computes 𝑋, 𝑃.
1. ∀𝑖 ∈ 𝑛 :
𝑋𝑖 𝜁 ≝ 𝑋 𝛾 𝑖 𝜁
2. ∀𝑖, 𝑗, 𝑘 ∈ 𝑛 :
𝑃𝑖,𝑗,𝑘 𝜁1 , 𝜁2 , 𝜁3 ≝ 𝑃 𝛾 𝑖 𝜁1 , 𝛾 𝑗 𝜁2 , 𝛾 𝑘 𝜁3
Proof contains:
𝑋𝑖
𝑚
,
𝑃𝑖,𝑗,𝑘
3𝑚
The Verifier Strategy
Given:
CRS =
𝛾1 1, … , 𝛾 𝑛
1
, Proof =
𝑋𝑖
𝑚
, 𝑃𝑖,𝑗,𝑘
3𝑚
Test (1) over every three curves 𝑖, 𝑗, 𝑘 ∈ 𝑛 :
𝑃 𝑞1 , 𝑞2 , 𝑞3 = 𝑓 𝑞1 , 𝑞2 , 𝑞3 , 𝑋 𝑞1 , 𝑋 𝑞2 , 𝑋 𝑞3
,
𝑃𝑖,𝑗,𝑘 𝜁1 , 𝜁2 , 𝜁3
≡ 𝑓 𝛾 𝑖 𝜁1 , 𝛾 𝑗 𝜁2 , 𝛾 𝑘 𝜁3 , 𝑋𝑖 𝜁1 , 𝑋𝑗 𝜁2 , 𝑋𝑘 𝜁3
(1)
Back to the Assignment Generator
∀𝑖 ∈ 3 sample 𝛾𝑞𝑖
1
and 𝑡𝑖
𝐴𝐺
0
𝑞1 , 𝑞2 , 𝑞3 ∈ 0,1
𝛾𝑞1 , 𝛾𝑞2 , 𝛾𝑞3
Prover
𝑋1 , 𝑋2 , 𝑋3 , 𝑃1,2,3
If proof is accepting:
∀𝑖 ∈ 3 obtain 𝑎𝑖 = 𝑋𝑖 𝑡𝑖
𝑎1 , 𝑎2 , 𝑎3 ∈ 0,1
𝑚
Everywhere Local Consistency
𝑃1,2,3 𝜁1 , 𝜁2 , 𝜁3 ≡ 𝑓 𝛾 1 𝜁1 , 𝛾 2 𝜁2 , 𝛾 3 𝜁3 , 𝑋1 𝜁1 , 𝑋2 𝜁2 , 𝑋3 𝜁3
𝑃𝑖,𝑗,𝑘 𝑡1 , 𝑡2 , 𝑡3
= 𝑓 𝛾 1 𝑡1 , 𝛾 2 𝑡2 , 𝛾 3 𝑡3 , 𝑋1 𝑡1 , 𝑋2 𝑡2 , 𝑋3 𝑡3
Follows from
missing tests
0 = 𝑃𝑖,𝑗,𝑘 𝑡1 , 𝑡2 , 𝑡3 = 𝑓 𝑞1 , 𝑞2 , 𝑞3 , 𝑎1 , 𝑎2 , 𝑎3
Achieving Local Consistency Everywhere
Verifier
Random
Everywhere
accepts
Local consistency
Localconsistency
In standard PCPs:
Follows from low-degree test
and Schwartz–Zippel lemma
In our protocol:
Follows from security
of curve encryptions
THANKS!