305 research outputs found

    LIPIcs, Volume 251, ITCS 2023, Complete Volume

    Get PDF
    LIPIcs, Volume 251, ITCS 2023, Complete Volum

    BaseFold: Efficient Field-Agnostic Polynomial Commitment Schemes from Foldable Codes

    Get PDF
    Interactive Oracle Proof of Proximity (IOPPs) are a powerful tool for constructing succinct non-interactive arguments of knowledge (SNARKs) in the random oracle model, which are fast and plausibly post-quantum secure. The Fast Reed Solomon IOPP (FRI) is the most widely used in practice, while tensor-code IOPPs (such as Brakedown) achieve significantly faster prover times at the cost of much larger proofs. IOPPs are used to construct polynomial commitment schemes (PCS), which are not only an important building block for SNARKs but also have a wide range of independent applications. This work introduces Basefold, a generalization of the FRI IOPP to a broad class of linear codes beyond Reed-Solomon, which we call foldable linear codes\textit{foldable linear codes}. We construct a new family of foldable linear codes, which are a special type of randomly punctured Reed-Muller code, and prove tight bounds on their minimum distance. Finally, we introduce a new construction of a multilinear PCS from any foldable linear code, which is based on interleaving Basefold with the classical sumcheck protocol for multilinear polynomial evaluation. As a special case, this gives a new multilinear PCS from FRI. In addition to these theoretical contributions, the Basefold PCS instantiated with our new foldable linear codes offers a more reasonable tradeoff between prover time, proof size, and verifier time than prior constructions. For instance, for polynomials over a 6464-bit field with 1212 variables, the Basefold prover is faster than both Brakedown and FRI-PCS (22 times faster than Brakedown and 33 times faster than FRI-PCS), and its proof is 44 times smaller than Brakedown\u27s. On the other hand, for polynomials with 2525 variables, Basefold\u27s prover is 6.56.5 times faster than FRI-PCS, it\u27s proof is 2.52.5 times smaller than Brakedown\u27s and its verifier is 7.57.5 times faster. Using Basefold to compile the Hyperplonk PIOP [CBBZ23] results in an extremely fast implementation of Hyperplonk, which in addition to having competitive performance on general circuits, is particularly fast for circuits with high-degree custom gates (e.g., signature verification and table lookups). Hyperplonk with Basefold is approximately equivalent to the speed of Hyperplonk with Brakedown, but with a proof size that is more than 55 times smaller. Finally, Basefold maintains performance across a wider variety of field choices than FRI, which requires FFT-friendly fields. Thus, Basefold can have an extremely fast prover compared to SNARKs from FRI for special applications. Benchmarking a circom ECDSA verification circuit with curve secp256k1, Hyperplonk with Basefold has a prover time that is more than 200×200\times faster than with FRI and its proof size is 5.85.8 times smaller than Hyperplonk with Brakedown

    Optimal Testing of Generalized Reed-Muller Codes in Fewer Queries

    Full text link
    A local tester for an error correcting code CΣnC\subseteq \Sigma^{n} is a tester that makes QQ oracle queries to a given word wΣnw\in \Sigma^n and decides to accept or reject the word ww. An optimal local tester is a local tester that has the additional properties of completeness and optimal soundness. By completeness, we mean that the tester must accept with probability 11 if wCw\in C. By optimal soundness, we mean that if the tester accepts with probability at least 1ϵ1-\epsilon (where ϵ\epsilon is small), then it must be the case that ww is O(ϵ/Q)O(\epsilon/Q)-close to some codeword cCc\in C in Hamming distance. We show that Generalized Reed-Muller codes admit optimal testers with Q=(3q)d+1q1+O(1)Q = (3q)^{\lceil{ \frac{d+1}{q-1}\rceil}+O(1)} queries. Here, for a prime power q=pkq = p^{k}, the Generalized Reed-Muller code, RM[n,q,d], consists of the evaluations of all nn-variate degree dd polynomials over Fq\mathbb{F}_q. Previously, no tester achieving this query complexity was known, and the best known testers due to Haramaty, Shpilka and Sudan(which is optimal) and due to Ron-Zewi and Sudan(which was not known to be optimal) both required qd+1qq/pq^{\lceil{\frac{d+1}{q-q/p} \rceil}} queries. Our tester achieves query complexity which is polynomially better than by a power of p/(p1)p/(p-1), which is nearly the best query complexity possible for generalized Reed-Muller codes. The tester we analyze is due to Ron-Zewi and Sudan, and we show that their basic tester is in fact optimal. Our methods are more general and also allow us to prove that a wide class of testers, which follow the form of the Ron-Zewi and Sudan tester, are optimal. This result applies to testers for all affine-invariant codes (which are not necessarily generalized Reed-Muller codes).Comment: 42 pages, 8 page appendi

    MPC for Tech Giants (GMPC): Enabling Gulliver and the Lilliputians to Cooperate Amicably

    Get PDF
    In the current digital world, large organizations (sometimes referred to as tech giants) provide service to extremely large numbers of users. The service provider is often interested in computing various data analyses over the private data of its users, which in turn have their incentives to cooperate, but do not necessarily trust the service provider. In this work, we introduce the \emph{Gulliver multi-party computation model} (GMPC) to realistically capture the above scenario. The GMPC model considers a single highly powerful party, called the {\em server} or {\em Gulliver}, that is connected to nn users over a star topology network (alternatively formulated as a full network, where the server can block any message). The users are significantly less powerful than the server, and, in particular, should have both computation and communication complexities that are polylogarithmic in nn. Protocols in the GMPC model should be secure against malicious adversaries that may corrupt a subset of the users and/or the server. Designing protocols in the GMPC model is a delicate task, since users can only hold information about polylog(n)\operatorname{polylog}(n) other users (and, in particular, can only communicate with polylog(n)\operatorname{polylog}(n) other users). In addition, the server can block any message between any pair of honest parties. Thus, reaching an agreement becomes a challenging task. Nevertheless, we design generic protocols in the GMPC model, assuming that at most α<1/8\alpha<1/8 fraction of the users may be corrupted (in addition to the server). Our main contribution is a variant of Feige\u27s committee election protocol [FOCS 1999] that is secure in the GMPC model. Given this tool we show: 1. Assuming fully homomorphic encryption (FHE), any computationally efficient function with O(npolylog(n))O\left(n\cdot\operatorname{polylog}(n)\right)-size output can be securely computed in the GMPC model. 2. Any function that can be computed by a circuit of O(polylog(n))O(\operatorname{polylog}(n)) depth, O(npolylog(n))O\left(n\cdot\operatorname{polylog}(n)\right) size, and bounded fan-in and fan-out can be securely computed in the GMPC model {\em without assuming FHE}. 3. In particular, {\em sorting} can be securely computed in the GMPC model without assuming FHE. This has important applications for the {\emph shuffle model of differential privacy}, and resolves an open question of Bell et al. [CCS 2020]

    The Quantum Decoding Problem

    Full text link
    One of the founding results of lattice based cryptography is a quantum reduction from the Short Integer Solution problem to the Learning with Errors problem introduced by Regev. It has recently been pointed out by Chen, Liu and Zhandry that this reduction can be made more powerful by replacing the learning with errors problem with a quantum equivalent, where the errors are given in quantum superposition. In the context of codes, this can be adapted to a reduction from finding short codewords to a quantum decoding problem for random linear codes. We therefore consider in this paper the quantum decoding problem, where we are given a superposition of noisy versions of a codeword and we want to recover the corresponding codeword. When we measure the superposition, we get back the usual classical decoding problem for which the best known algorithms are in the constant rate and error-rate regime exponential in the codelength. However, we will show here that when the noise rate is small enough, then the quantum decoding problem can be solved in quantum polynomial time. Moreover, we also show that the problem can in principle be solved quantumly (albeit not efficiently) for noise rates for which the associated classical decoding problem cannot be solved at all for information theoretic reasons. We then revisit Regev's reduction in the context of codes. We show that using our algorithms for the quantum decoding problem in Regev's reduction matches the best known quantum algorithms for the short codeword problem. This shows in some sense the tightness of Regev's reduction when considering the quantum decoding problem and also paves the way for new quantum algorithms for the short codeword problem

    LIPIcs, Volume 261, ICALP 2023, Complete Volume

    Get PDF
    LIPIcs, Volume 261, ICALP 2023, Complete Volum

    NP-Hardness of Approximating Meta-Complexity: A Cryptographic Approach

    Get PDF
    It is a long-standing open problem whether the Minimum Circuit Size Problem (MCSP\mathrm{MCSP}) and related meta-complexity problems are NP-complete. Even for the rare cases where the NP-hardness of meta-complexity problems are known, we only know very weak hardness of approximation. In this work, we prove NP-hardness of approximating meta-complexity with nearly-optimal approximation gaps. Our key idea is to use *cryptographic constructions* in our reductions, where the security of the cryptographic construction implies the correctness of the reduction. We present both conditional and unconditional hardness of approximation results as follows. \bullet Assuming subexponentially-secure witness encryption exists, we prove essentially optimal NP-hardness of approximating conditional time-bounded Kolmogorov complexity (Kt(xy)\mathrm{K}^t(x \mid y)) in the regime where tyt \gg |y|. Previously, the best hardness of approximation known was a x1/poly(loglogx)|x|^{1/ \mathrm{poly}(\log \log |x|)} factor and only in the sublinear regime (tyt \ll |y|). \bullet Unconditionally, we show near-optimal NP-hardness of approximation for the Minimum Oracle Circuit Size Problem (MOCSP), where Yes instances have circuit complexity at most 2εn2^{\varepsilon n}, and No instances are essentially as hard as random truth tables. Our reduction builds on a witness encryption construction proposed by Garg, Gentry, Sahai, and Waters (STOC\u2713). Previously, it was unknown whether it is NP-hard to distinguish between oracle circuit complexity ss versus 10slogN10s\log N. \bullet Finally, we define a multi-valued version of MCSP\mathrm{MCSP}, called mvMCSP\mathrm{mvMCSP}, and show that w.p. 11 over a random oracle OO, mvMCSPO\mathrm{mvMCSP}^O is NP-hard to approximate under quasi-polynomial-time reductions with OO oracle access. Intriguingly, this result follows almost directly from the security of Micali\u27s CS proofs (Micali, SICOMP\u2700). In conclusion, we give three results convincingly demonstrating the power of cryptographic techniques in proving NP-hardness of approximating meta-complexity

    On Black-Box Verifiable Outsourcing

    Get PDF
    We study verifiable outsourcing of computation in a model where the verifier has black-box access to the function being computed. We introduce the problem of oracle-aided batch verification of computation (OBVC) for a function class F\mathcal{F}. This allows a verifier to efficiently verify the correctness of any fFf \in \mathcal{F} evaluated on a batch of nn instances x1,,xnx_1, \ldots, x_n, while only making λ\lambda calls to an oracle for ff (along with O(nλ)O(n \lambda) calls to low-complexity helper oracles), for security parameter λ\lambda. We obtain the following positive and negative results: 1.) We build OBVC protocols for the class of all functions that admit random-self-reductions. Some of our protocols rely on homomorphic encryption schemes. 2.) We show that there cannot exist OBVC schemes for the class of all functions mapping λ\lambda-bit inputs to λ\lambda-bit outputs, for any n=poly(λ)n = \mathsf{poly}(\lambda)

    On Efficient Zero-Knowledge Arguments

    Get PDF

    Tighter MA/1 Circuit Lower Bounds from Verifier Efficient PCPs for PSPACE

    Get PDF
    corecore