LIPIcs, Volume 251, ITCS 2023, Complete Volume
BaseFold: Efficient Field-Agnostic Polynomial Commitment Schemes from Foldable Codes
Interactive Oracle Proofs of Proximity (IOPPs) are a powerful tool for constructing succinct non-interactive arguments of knowledge (SNARKs) in the random oracle model, which are fast and plausibly post-quantum secure. The Fast Reed-Solomon IOPP (FRI) is the most widely used in practice, while tensor-code IOPPs (such as Brakedown) achieve significantly faster prover times at the cost of much larger proofs. IOPPs are used to construct polynomial commitment schemes (PCS), which are not only an important building block for SNARKs but also have a wide range of independent applications.
This work introduces Basefold, a generalization of the FRI IOPP to a broad class of linear codes beyond Reed-Solomon, which we call . We construct a new family of foldable linear codes, which are a special type of randomly punctured Reed-Muller code, and prove tight bounds on their minimum distance. Finally, we introduce a new construction of a multilinear PCS from any foldable linear code, which is based on interleaving Basefold with the classical sumcheck protocol for multilinear polynomial evaluation. As a special case, this gives a new multilinear PCS from FRI.
In addition to these theoretical contributions, the Basefold PCS instantiated with our new foldable linear codes offers a more reasonable tradeoff between prover time, proof size, and verifier time than prior constructions. For instance, for polynomials over a -bit field with variables, the Basefold prover is faster than both Brakedown and FRI-PCS ( times faster than Brakedown and times faster than FRI-PCS), and its proof is times smaller than Brakedown's. On the other hand, for polynomials with variables, Basefold's prover is times faster than FRI-PCS, its proof is times smaller than Brakedown's and its verifier is times faster. Using Basefold to compile the Hyperplonk PIOP [CBBZ23] results in an extremely fast implementation of Hyperplonk, which in addition to having competitive performance on general circuits, is particularly fast for circuits with high-degree custom gates (e.g., signature verification and table lookups). Hyperplonk with Basefold is approximately equivalent to the speed of Hyperplonk with Brakedown, but with a proof size that is more than times smaller. Finally, Basefold maintains performance across a wider variety of field choices than FRI, which requires FFT-friendly fields. Thus, Basefold can have an extremely fast prover compared to SNARKs from FRI for special applications. Benchmarking a circom ECDSA verification circuit with curve secp256k1, Hyperplonk with Basefold has a prover time that is more than faster than with FRI and its proof size is times smaller than Hyperplonk with Brakedown.
Optimal Testing of Generalized Reed-Muller Codes in Fewer Queries
A local tester for an error correcting code is a tester that makes oracle queries to a given word and decides to accept or reject the word . An optimal local tester is a local tester that has the additional properties of completeness and optimal soundness. By completeness, we mean that the tester must accept with probability if . By optimal soundness, we mean that if the tester accepts with probability at least (where is small), then it must be the case that is -close to some codeword in Hamming distance.
We show that Generalized Reed-Muller codes admit optimal testers with queries. Here, for a prime power , the Generalized Reed-Muller code, RM[n,q,d], consists of the evaluations of all -variate degree polynomials over .
Previously, no tester achieving this query complexity was known, and the best known testers due to Haramaty, Shpilka and Sudan (which is optimal) and due to Ron-Zewi and Sudan (which was not known to be optimal) both required queries. Our tester achieves query complexity which is polynomially better than by a power of , which is nearly the best query complexity possible for generalized Reed-Muller codes. The tester we analyze is due to Ron-Zewi and Sudan, and we show that their basic tester is in fact optimal. Our methods are more general and also allow us to prove that a wide class of testers, which follow the form of the Ron-Zewi and Sudan tester, are optimal. This result applies to testers for all affine-invariant codes (which are not necessarily generalized Reed-Muller codes).
Comment: 42 pages, 8 page appendix
MPC for Tech Giants (GMPC): Enabling Gulliver and the Lilliputians to Cooperate Amicably
In the current digital world, large organizations (sometimes referred to as tech giants) provide service to extremely large numbers of users. The service provider is often interested in computing various data analyses over the private data of its users, which in turn have their incentives to cooperate, but do not necessarily trust the service provider.
In this work, we introduce the \emph{Gulliver multi-party computation model} (GMPC) to realistically capture the above scenario. The GMPC model considers a single highly powerful party, called the {\em server} or {\em Gulliver}, that is connected to users over a star topology network (alternatively formulated as a full network, where the server can block any message). The users are significantly less powerful than the server, and, in particular, should have both computation and communication complexities that are polylogarithmic in . Protocols in the GMPC model should be secure against malicious adversaries that may corrupt a subset of the users and/or the server.
Designing protocols in the GMPC model is a delicate task, since users can only hold information about other users (and, in particular, can only communicate with other users). In addition, the server can block any message between any pair of honest parties. Thus, reaching an agreement becomes a challenging task. Nevertheless, we design generic protocols in the GMPC model, assuming that at most fraction of the users may be corrupted (in addition to the server). Our main contribution is a variant of Feige's committee election protocol [FOCS 1999] that is secure in the GMPC model. Given this tool we show:
1. Assuming fully homomorphic encryption (FHE), any computationally efficient function with -size output can be securely computed in the GMPC model.
2. Any function that can be computed by a circuit of depth, size, and bounded fan-in and fan-out can be securely computed in the GMPC model {\em without assuming FHE}.
3. In particular, {\em sorting} can be securely computed in the GMPC model without assuming FHE. This has important applications for the {\em shuffle model of differential privacy}, and resolves an open question of Bell et al. [CCS 2020].
The Quantum Decoding Problem
One of the founding results of lattice based cryptography is a quantum reduction from the Short Integer Solution problem to the Learning with Errors problem introduced by Regev. It has recently been pointed out by Chen, Liu and Zhandry that this reduction can be made more powerful by replacing the learning with errors problem with a quantum equivalent, where the errors are given in quantum superposition. In the context of codes, this can be adapted to a reduction from finding short codewords to a quantum decoding problem for random linear codes.
We therefore consider in this paper the quantum decoding problem, where we are given a superposition of noisy versions of a codeword and we want to recover the corresponding codeword. When we measure the superposition, we get back the usual classical decoding problem for which the best known algorithms are in the constant rate and error-rate regime exponential in the code length. However, we will show here that when the noise rate is small enough, then the quantum decoding problem can be solved in quantum polynomial time. Moreover, we also show that the problem can in principle be solved quantumly (albeit not efficiently) for noise rates for which the associated classical decoding problem cannot be solved at all for information theoretic reasons.
We then revisit Regev's reduction in the context of codes. We show that using our algorithms for the quantum decoding problem in Regev's reduction matches the best known quantum algorithms for the short codeword problem. This shows in some sense the tightness of Regev's reduction when considering the quantum decoding problem and also paves the way for new quantum algorithms for the short codeword problem.
LIPIcs, Volume 261, ICALP 2023, Complete Volume
NP-Hardness of Approximating Meta-Complexity: A Cryptographic Approach
It is a long-standing open problem whether the Minimum Circuit Size Problem () and related meta-complexity problems are NP-complete. Even for the rare cases where the NP-hardness of meta-complexity problems are known, we only know very weak hardness of approximation.
In this work, we prove NP-hardness of approximating meta-complexity with nearly-optimal approximation gaps. Our key idea is to use *cryptographic constructions* in our reductions, where the security of the cryptographic construction implies the correctness of the reduction. We present both conditional and unconditional hardness of approximation results as follows.
Assuming subexponentially-secure witness encryption exists, we prove essentially optimal NP-hardness of approximating conditional time-bounded Kolmogorov complexity () in the regime where . Previously, the best hardness of approximation known was a factor and only in the sublinear regime ().
Unconditionally, we show near-optimal NP-hardness of approximation for the Minimum Oracle Circuit Size Problem (MOCSP), where Yes instances have circuit complexity at most , and No instances are essentially as hard as random truth tables. Our reduction builds on a witness encryption construction proposed by Garg, Gentry, Sahai, and Waters (STOC '13). Previously, it was unknown whether it is NP-hard to distinguish between oracle circuit complexity versus .
Finally, we define a multi-valued version of , called , and show that w.p. over a random oracle , is NP-hard to approximate under quasi-polynomial-time reductions with oracle access. Intriguingly, this result follows almost directly from the security of Micali's CS proofs (Micali, SICOMP '00).
In conclusion, we give three results convincingly demonstrating the power of cryptographic techniques in proving NP-hardness of approximating meta-complexity.
On Black-Box Verifiable Outsourcing
We study verifiable outsourcing of computation in a model where the verifier has black-box access to the function being computed. We introduce the problem of oracle-aided batch verification of computation (OBVC) for a function class . This allows a verifier to efficiently verify the correctness of any evaluated on a batch of instances , while only making calls to an oracle for (along with calls to low-complexity helper oracles), for security parameter .
We obtain the following positive and negative results:
1.) We build OBVC protocols for the class of all functions that admit random-self-reductions. Some of our protocols rely on homomorphic encryption schemes.
2.) We show that there cannot exist OBVC schemes for the class of all functions mapping -bit inputs to -bit outputs, for any
- …