330 likes | 413 Views
This joint work explores Delegation of Computation options where a weak verifier wants to delegate tasks to untrusted provers. Interactive Proof Protocols and Delegation Protocols are discussed, including the concept of Delegation to Several Provers and the introduction of Competing Provers Protocols. The main challenge addressed is determining the reliability of multiple provers. The research focuses on reducing communication complexity by having provers compete. The results offer insights into communication efficiency and circuit lower bounds.
E N D
Competing Provers Protocols for Circuit Evaluation Gillat Kol joint work with Ran Raz
Delegation of Computation A computationally weak verifier (client) wants to delegate computation to a more powerful untrusted (buggy, dishonest,…) prover (cloud, server) The prover needs to convince the verifier that the computation was performed correctly data result
Interactive Proof (IP) Protocols IP Setting: A poly-time verifier wants to compute f(x) with the help of a computationally-unboundedprover, where f,x are known to both IP Protocol for f:Strategies for the verifier and prover. After interacting, the verifier outputs a guess for f(x): either 0, 1 or “?” (don’t know). Whp: Prover follows his strategy Verifier outputs f(x) Else, the verifier outputs (whp) either f(x) or “?”
Delegation Protocols Delegation Protocol for f: An IP protocol for f, where additionally: The verifier is almost-linear-time (npolylog(n)) The honestprover is poly-time (Soundness against an unboundedprover) More realistic setting… Theorem[S‘92,LFKN‘92]:IP = PSPACE with poly(n) rounds Doesnot yield a delegation protocol, parties do not meet the additional complexity demands
Previous Result [GKR‘08] Theorem [GKR‘08]: Let C be a log-space uniform circuit of size s and depth d. Interactive Proof protocol for C with Communication rounds:dpolylog(s) Bits exchanged: dpolylog(s) Prover’s complexity:poly(s) Verfier’s complexity:(d+n)polylog(s) allows a fast access to the structure of C The Class P • For log-space uniform, poly-size, linear-depth circuits we get a delegation protocol
Delegation to Several Provers • Our Motivation:In real life, one can delegate to more than one prover
Delegation to Several Provers Our Motivation:In real life, one can delegate to more than one prover Assumption: From now on assume that at least one of the provers is reliable Observation: In this case, the verifier can always learn the correct value: Run a delegation protocol with each prover separately
Is More Merrier? Our Work:Can we get protocols with less communication by delegating to several provers instead of just one? Main Challenge: Suppose we ask all the provers for f(x) If they all agree, it must be the correct value But, if they don’t, how do we tell who’s reliable? Idea: The provers now compete on the verifier’s trust. The verifier can use the provers one against the other: Use the first proverto validate the claims of the second…
Competing Provers (CP) Protocols CP Setting[FST‘88]:A poly-time verifier wants to compute f(x) with the help of 2computationally-unboundedproversP0and P1, where f,x are known to all CP Protocol for f:Strategies for the verifier and provers. After interacting, the verifier outputs a guess for f(x): either 0or 1 One of the provers follows his strategy Verifier outputs f(x) (whp) Observation: Wlog, may assume that at the beginning P0 claimsf(x) = 0, while P1claimsf(x) = 1. Hence, P0 and P1 are Competing Provers
CP Delegation Protocols CP Delegation Protocol for f: A CP protocol for f, where additionally: The verifier is almost-linear-time The honest provers are poly-time (Soundness against unboundedprovers) Theorem [FK‘97]: CP = EXP with poly(n)rounds CP = PSAPCE with 1 round Doesnot yield CP delegation protocols, parties do not meet the additional complexity demands
Our Result Theorem: Let C be a log-space uniform circuit of size s and depth d. rCompeting Provers protocol for C with Communication rounds:r Bits exchanged: d1/rpolylog(s) Provers’complexity:poly(s) Verfier’s complexity:(d1/r+n)polylog(s) in GKR dpolylog(s) in GKR (d+n)polylog(s) • r = 1 Bits exchanged:dpolylog(s) (independently proved by [CRR]) • r = O(log(d)/loglog(s))Bits exchanged:polylog(s)
Our Result Theorem: Let C be a log-space uniform circuit of size s and depth d. rCompeting Provers protocol for C with Communication rounds:r Bits exchanged: d1/rpolylog(s) Provers’complexity:poly(s) Verfier’s complexity:(d1/r+n)polylog(s) in GKR dpolylog(s) in GKR (d+n)polylog(s) • We give a delegation protocol for every language in P
Another Application Communication Complexity & Circuit Lower Bounds [AW‘09]
Communication Complexity Setting: Alice and Bob are computationally-unbounded players Alice has input x and Bob has input y The players’ mutualgoal is computing f(x,y)with the least amount of communication between them
Communication Complexity with CP • New Setting: Alice andBobwant to computef(x,y) with the help of Competing Proverswith the least amount of communication between all parties • fis known to all, Alice knows x, Bob knows y, Provers know both x and y • P0 claims f(x,y)= 0, while P1claims f(x,y) = 1 • Each party can communicate with every other party
Corollary of Our Result Corollary: Let C(x,y)be a circuit of size s and depth d. rCommunication Complexity protocol with Competing ProversforC with • Communication rounds:r • Bits exchanged: d1/rpolylog(s) • The corollary follows easily from the proof of our theorem, using the approach of [AW‘09] • For example, if CNC then a 1-round protocol exchanges polylog(n) bits s = poly(n), d = polylog(n)
Circuit Lower-Bounds Our corollary can be viewed as a possible direction towards proving circuit lower-bounds For example, in order to prove fNC, it suffices to show: Any 1-round Communication Complexity protocol with Competing Proversfor f requires the exchange of (polylog(n)) bits Relatively simple combinatorial property that implies strong lower bounds
Fix circuit C of size s and depth d, and an input x Enumerate C’s layers: layer 0= output, layer d= inputs Let Li be the vector of values of layer i’s gates when C is evaluated on x Representing the Circuit output C(x) • Let Vi = LDE(Li) • V0(0m) = C(x),Vd= LDE(x) • The verifier knowsVd(r) • for r unknown to the prover, • and wants to compute V0(0m) V0 V1 . . . C Vd-1 Vd input x
Let z0 =0m and zd= r The prover sends V0(z0) = C(x) For i = 1,…,d Reduce knowing a value in a layer to knowing a random value in the layer below: The verifier randomly selects zi, and reduces the correctness of the claim “vi-1 = Vi-1(zi-1)” to the correctness of the claim “vi = Vi(zi)” using the prover Finally, the verifier checks Vd(zd) The Protocol of [GKR‘08] . . . vi-1 vi . . . output C(x) V0 Vi-1 C Vi Vd input x
Claim: A point in layer i-1 is a degree-2 polynomial in the values of the gates of layer i Vi-1(z) = w,w’HmCz,w,w’ Li (w) Li (w’) Proof: Vi-1= LDE(Li-1), thus a point in Vi-1is a linear combination of points in Li-1 (the values of layer i-1’s gates) Connection Between Layers MULT • The value of a gate in layer i-1 is a degree-2 polynomial in the values of its two children in layer i layeri-1 z w w’ layeri Li-1(z) = Li (w)Li (w’)
The reduction between the layers is via a standard IP protocol called Sum-Check [LFKN‘92] Central in PCPs, IP = PSPACE, MIP = NEXP, … Allows computing xHmg(x)for a low-degree g, when the verifier knows g(r) for randomrFm, unknown to the prover (the verifier “tests” the prover on r) Sum-Check can be used to reduce layer i-1 to layer i as: Recall: A point in layer i-1 is a deg-2 poly in layer i polynomial = sum of monomials The prover does not know the test point ziuntil the next iteration Sum-Check Protocol
Recall: IP = PSPACE with poly(n)rounds [S‘92] Proof uses the poly(n)-rounds IPSum-Check protocol of[LFKN‘92] Recall: CP = PSAPCE with 1 round[FK‘97] Proof constructs a 1-round CP Sum-Check protocol Sum-Check for CP
Our Goal: Reduce dpolylog(s) rounds to 1 First Attempt: Implement iteration i of GKR using the 1-round Competing ProversSum-Check protocol of FK Problem: Still requires d rounds Second Attempt: Run all d Sum-Checks simultaneously–Theverifier sends all z1,…,zdat once, provers reply to all Problem: During iteration i, provers mustn’t know the test point zi Combining Main Ingredients
Main Idea:Disguisez1,…,zd i, the verifier gives the proversa low-degree curve i:FFmthat passes throughzi(instead of ziitself) The parties run dSum-Checks simultaneously, one for each layer The ithSum-Check uses i-1 instead of zi-1, and iinstead of zi. I.e., it computes Vi-1(z) for all the points zoni-1, using any of the points ronias a test point The proof relies on the fact that the replies of the honest provers are low-degree polynomialsin the zivariables Main Idea i • zi
The verifier checks the replies (low-deg polynomials H) in an alternating order (one of P0 and one of P1) When reply H is checked, the verifier already knows a point on H using a previous reply G of the other prover E.g., assume H(t) = ((t)) and G(t) = ((t)) ( is a low-degfunc, , are intersecting low-deg curves).Knowing G implies knowing a point on H If a proversends an incorrect reply, it disagrees with the correct reply on the known point whp (both are low-deg) Verifier’s Check Algo
Generalization to rrounds and d1/rpolylog(s) bits: Setk = d1/r.Run r-1 rounds of a k-ary search to find layers i > j,i-j = k s.t. the provers agree on a point on Vi but disagree on a point on Vj Run the 1-round protocol on the subcircuitC’ of depth k obtained from layers j…i of C Our Result Requires More Work… output C(x) V0 • Getting a very efficient verifier (assuming log-space uniformity) V1 j C’ . . . C i Vd-1 Vd input x