65 research outputs found

    On the Power of Many One-Bit Provers

    Full text link
    We study the class of languages, denoted by \MIP[k, 1-\epsilon, s], which have kk-prover games where each prover just sends a \emph{single} bit, with completeness 1ϵ1-\epsilon and soundness error ss. For the case that k=1k=1 (i.e., for the case of interactive proofs), Goldreich, Vadhan and Wigderson ({\em Computational Complexity'02}) demonstrate that \SZK exactly characterizes languages having 1-bit proof systems with"non-trivial" soundness (i.e., 1/2<s12ϵ1/2 < s \leq 1-2\epsilon). We demonstrate that for the case that k2k\geq 2, 1-bit kk-prover games exhibit a significantly richer structure: + (Folklore) When s12kϵs \leq \frac{1}{2^k} - \epsilon, \MIP[k, 1-\epsilon, s] = \BPP; + When 12k+ϵs<22kϵ\frac{1}{2^k} + \epsilon \leq s < \frac{2}{2^k}-\epsilon, \MIP[k, 1-\epsilon, s] = \SZK; + When s22k+ϵs \ge \frac{2}{2^k} + \epsilon, \AM \subseteq \MIP[k, 1-\epsilon, s]; + For s0.62k/2ks \le 0.62 k/2^k and sufficiently large kk, \MIP[k, 1-\epsilon, s] \subseteq \EXP; + For s2k/2ks \ge 2k/2^{k}, \MIP[k, 1, 1-\epsilon, s] = \NEXP. As such, 1-bit kk-prover games yield a natural "quantitative" approach to relating complexity classes such as \BPP,\SZK,\AM, \EXP, and \NEXP. We leave open the question of whether a more fine-grained hierarchy (between \AM and \NEXP) can be established for the case when s22k+ϵs \geq \frac{2}{2^k} + \epsilon

    Predictable arguments of knowledge

    Get PDF
    We initiate a formal investigation on the power of predictability for argument of knowledge systems for NP. Specifically, we consider private-coin argument systems where the answer of the prover can be predicted, given the private randomness of the verifier; we call such protocols Predictable Arguments of Knowledge (PAoK). Our study encompasses a full characterization of PAoK, showing that such arguments can be made extremely laconic, with the prover sending a single bit, and assumed to have only one round (i.e., two messages) of communication without loss of generality. We additionally explore PAoK satisfying additional properties (including zero-knowledge and the possibility of re-using the same challenge across multiple executions with the prover), present several constructions of PAoK relying on different cryptographic tools, and discuss applications to cryptography

    Streaming Verification for Graph Problems: Optimal Tradeoffs and Nonlinear Sketches

    Get PDF
    We study graph computations in an enhanced data streaming setting, where a space-bounded client reading the edge stream of a massive graph may delegate some of its work to a cloud service. We seek algorithms that allow the client to verify a purported proof sent by the cloud service that the work done in the cloud is correct. A line of work starting with Chakrabarti et al. (ICALP 2009) has provided such algorithms, which we call schemes, for several statistical and graph-theoretic problems, many of which exhibit a tradeoff between the length of the proof and the space used by the streaming verifier. This work designs new schemes for a number of basic graph problems---including triangle counting, maximum matching, topological sorting, and single-source shortest paths---where past work had either failed to obtain smooth tradeoffs between these two key complexity measures or only obtained suboptimal tradeoffs. Our key innovation is having the verifier compute certain nonlinear sketches of the input stream, leading to either new or improved tradeoffs. In many cases, our schemes in fact provide optimal tradeoffs up to logarithmic factors. Specifically, for most graph problems that we study, it is known that the product of the verifier's space cost vv and the proof length hh must be at least Ω(n2)\Omega(n^2) for nn-vertex graphs. However, matching upper bounds are only known for a handful of settings of hh and vv on the curve hv=Θ~(n2)h \cdot v=\tilde{\Theta}(n^2). For example, for counting triangles and maximum matching, schemes with costs lying on this curve are only known for (h=O~(n2),v=O~(1))(h=\tilde{O}(n^2), v=\tilde{O}(1)), (h=O~(n),v=O~(n))(h=\tilde{O}(n), v=\tilde{O}(n)), and the trivial (h=O~(1),v=O~(n2))(h=\tilde{O}(1), v=\tilde{O}(n^2)). A major message of this work is that by exploiting nonlinear sketches, a significant ``portion'' of costs on the tradeoff curve hv=n2h \cdot v = n^2 can be achieved

    Strong ETH Breaks With Merlin and Arthur: Short Non-Interactive Proofs of Batch Evaluation

    Get PDF
    We present an efficient proof system for Multipoint Arithmetic Circuit Evaluation: for every arithmetic circuit C(x1,,xn)C(x_1,\ldots,x_n) of size ss and degree dd over a field F{\mathbb F}, and any inputs a1,,aKFna_1,\ldots,a_K \in {\mathbb F}^n, \bullet the Prover sends the Verifier the values C(a1),,C(aK)FC(a_1), \ldots, C(a_K) \in {\mathbb F} and a proof of O~(Kd)\tilde{O}(K \cdot d) length, and \bullet the Verifier tosses poly(log(dKF/ε))\textrm{poly}(\log(dK|{\mathbb F}|/\varepsilon)) coins and can check the proof in about O~(K(n+d)+s)\tilde{O}(K \cdot(n + d) + s) time, with probability of error less than ε\varepsilon. For small degree dd, this "Merlin-Arthur" proof system (a.k.a. MA-proof system) runs in nearly-linear time, and has many applications. For example, we obtain MA-proof systems that run in cnc^{n} time (for various c<2c < 2) for the Permanent, #\#Circuit-SAT for all sublinear-depth circuits, counting Hamiltonian cycles, and infeasibility of 00-11 linear programs. In general, the value of any polynomial in Valiant's class VP{\sf VP} can be certified faster than "exhaustive summation" over all possible assignments. These results strongly refute a Merlin-Arthur Strong ETH and Arthur-Merlin Strong ETH posed by Russell Impagliazzo and others. We also give a three-round (AMA) proof system for quantified Boolean formulas running in 22n/3+o(n)2^{2n/3+o(n)} time, nearly-linear time MA-proof systems for counting orthogonal vectors in a collection and finding Closest Pairs in the Hamming metric, and a MA-proof system running in nk/2+O(1)n^{k/2+O(1)}-time for counting kk-cliques in graphs. We point to some potential future directions for refuting the Nondeterministic Strong ETH.Comment: 17 page

    From Laconic Zero-Knowledge to Public-Key Cryptography

    Get PDF
    Since its inception, public-key encryption (PKE) has been one of the main cornerstones of cryptography. A central goal in cryptographic research is to understand the foundations of public-key encryption and in particular, base its existence on a natural and generic complexity-theoretic assumption. An intriguing candidate for such an assumption is the existence of a cryptographically hard language in the intersection of NP and SZK. In this work we prove that public-key encryption can be based on the foregoing assumption, as long as the (honest) prover in the zero-knowledge protocol is efficient and laconic. That is, messages that the prover sends should be efficiently computable (given the NP witness) and short (i.e., of sufficiently sub-logarithmic length). Actually, our result is stronger and only requires the protocol to be zero-knowledge for an honest-verifier and sound against computationally bounded cheating provers. Languages in NP with such laconic zero-knowledge protocols are known from a variety of computational assumptions (e.g., Quadratic Residuocity, Decisional Diffie-Hellman, Learning with Errors, etc.). Thus, our main result can also be viewed as giving a unifying framework for constructing PKE which, in particular, captures many of the assumptions that were already known to yield PKE. We also show several extensions of our result. First, that a certain weakening of our assumption on laconic zero-knowledge is actually equivalent to PKE, thereby giving a complexity-theoretic characterization of PKE. Second, a mild strengthening of our assumption also yields a (2-message) oblivious transfer protocol

    Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs

    Get PDF
    Succinct non-interactive arguments (SNARGs) enable verifying NP computations with significantly less complexity than that required for classical NP verification. In this work, we focus on simultaneously minimizing the proof size and the prover complexity of SNARGs. Concretely, for a security parameter λ\lambda, we measure the asymptotic cost of achieving soundness error 2λ2^{-\lambda} against provers of size 2λ2^\lambda. We say a SNARG is quasi-optimally succinct if its proof length is O~(λ)\tilde{O}(\lambda), and that it is quasi-optimal, if moreover, its prover complexity is only polylogarithmically greater than the running time of the classical NP prover. We show that this definition is the best we could hope for assuming that NP does not have succinct proofs. Our definition strictly strengthens the previous notion of quasi-optimality introduced in the work of Boneh et al. (Eurocrypt 2017). This work gives the first quasi-optimal SNARG for Boolean circuit satisfiability from a concrete cryptographic assumption. Our construction takes a two-step approach. The first is an information-theoretic construction of a quasi-optimal linear multi-prover interactive proof (linear MIP) for circuit satisfiability. Then, we describe a generic cryptographic compiler that transforms our quasi-optimal linear MIP into a quasi-optimal SNARG by relying on the notion of linear-only vector encryption over rings introduced by Boneh et al. Combining these two primitives yields the first quasi-optimal SNARG based on linear-only vector encryption. Moreover, our linear MIP construction leverages a new robust circuit decomposition primitive that allows us to decompose a circuit satisfiability instance into several smaller circuit satisfiability instances. This primitive may be of independent interest. Finally, we consider (designated-verifier) SNARGs that provide optimal succinctness for a non-negligible soundness error. Concretely, we put forward the notion of 1-bit SNARGs that achieve soundness error 1/2 with only one bit of proof. We first show how to build 1-bit SNARGs from indistinguishability obfuscation, and then show that 1-bit SNARGs also suffice for realizing a form of witness encryption. The latter result highlights a two-way connection between the soundness of very succinct argument systems and powerful forms of encryption

    Imbalanced Cryptographic Protocols

    Get PDF
    Efficiency is paramount when designing cryptographic protocols, heavy mathematical operations often increase computation time, even for modern computers. Moreover, they produce large amounts of data that need to be sent through (often limited) network connections. Therefore, many research efforts are invested in improving efficiency, sometimes leading to imbalanced cryptographic protocols. We define three types of imbalanced protocols, computationally, communicationally, and functionally imbalanced protocols. Computationally imbalanced cryptographic protocols appear when optimizing a protocol for one party having significantly more computing power. In communicationally imbalanced cryptographic protocols the messages mainly flow from one party to the others. Finally, in functionally imbalanced cryptographic protocols the functional requirements of one party strongly differ from the other parties. We start our study by looking into laconic cryptography, which fits both the computational and communicational category. The emerging area of laconic cryptography involves the design of two-party protocols involving a sender and a receiver, where the receiver’s input is large. The key efficiency requirement is that the protocol communication complexity must be independent of the receiver’s input size. We show a new way to build laconic OT based on the new notion of Set Membership Encryption (SME) – a new member in the area of laconic cryptography. SME allows a sender to encrypt to one recipient from a universe of receivers, while using a small digest from a large subset of receivers. A recipient is only able to decrypt the message if and only if it is part of the large subset. As another example of a communicationally imbalanced protocol we will look at NIZKs. We consider the problem of proving in zero-knowledge the existence of exploits in executables compiled to run on real-world processors. Finally, we investigate the problem of constructing law enforcement access systems that mitigate the possibility of unauthorized surveillance, as a functionally imbalanced cryptographic protocol. We present two main constructions. The first construction enables prospective access, allowing surveillance only if encryption occurs after a warrant has been issued and activated. The second allows retrospective access to communications that occurred prior to a warrant’s issuance

    A Protocol for Generating Random Elements with their Probabilities

    Full text link
    We give an AM protocol that allows the verifier to sample elements x from a probability distribution P, which is held by the prover. If the prover is honest, the verifier outputs (x, P(x)) with probability close to P(x). In case the prover is dishonest, one may hope for the following guarantee: if the verifier outputs (x, p), then the probability that the verifier outputs x is close to p. Simple examples show that this cannot be achieved. Instead, we show that the following weaker condition holds (in a well defined sense) on average: If (x, p) is output, then p is an upper bound on the probability that x is output. Our protocol yields a new transformation to turn interactive proofs where the verifier uses private random coins into proofs with public coins. The verifier has better running time compared to the well-known Goldwasser-Sipser transformation (STOC, 1986). For constant-round protocols, we only lose an arbitrarily small constant in soundness and completeness, while our public-coin verifier calls the private-coin verifier only once

    Barriers for Succinct Arguments in the Random Oracle Model

    Get PDF
    We establish barriers on the efficiency of succinct arguments in the random oracle model. We give evidence that, under standard complexity assumptions, there do not exist succinct arguments where the argument verifier makes a small number of queries to the random oracle. The new barriers follow from new insights into how probabilistic proofs play a fundamental role in constructing succinct arguments in the random oracle model. *IOPs are necessary for succinctness.* We prove that any succinct argument in the random oracle model can be transformed into a corresponding interactive oracle proof (IOP). The query complexity of the IOP is related to the succinctness of the argument. *Algorithms for IOPs.* We prove that if a language has an IOP with good soundness relative to query complexity, then it can be decided via a fast algorithm with small space complexity. By combining these results we obtain barriers for a large class of deterministic and non-deterministic languages. For example, a succinct argument for 3SAT with few verifier queries implies an IOP with good parameters, which in turn implies a fast algorithm for 3SAT that contradicts the Exponential-Time Hypothesis. We additionally present results that shed light on the necessity of several features of probabilistic proofs that are typically used to construct succinct arguments, such as holography and state restoration soundness. Our results collectively provide an explanation for why known constructions of succinct arguments have a certain structure
    corecore