Universal Arguments and Their Applications - PowerPoint PPT Presentation

About This Presentation
Title:

Universal Arguments and Their Applications

Description:

Universal Arguments and Their Applications Boaz Barak & Oded Goldreich – PowerPoint PPT presentation

Number of Views:71
Avg rating:3.0/5.0
Slides: 17
Provided by: Boa119
Category:

less

Transcript and Presenter's Notes

Title: Universal Arguments and Their Applications


1
Universal Arguments and Their Applications
  • Boaz Barak Oded Goldreich

2
Interactive Proofs for NP
GMW gave ZK proof w/ n2 complexity for
3-Coloring
Corollary ZK proof w/ t(n)4 complexity for any
Ntime(t) language L. (Since L is t(n)2-time
reducible to 3-Coloring)
Corollary 8 NP language L 9 ZK proof for L w/
polynomial complexity.
Note order of quantifiers!
What about a single universal proof system for
all NP languages?
Note This is interesting even without the ZK
property
n input size
3
CS Proofs M Informal Description
A CS proof system is a system for proving
membership in the (N)EXP-complete language U
where ltM,x,tgt 2 U iff M(x) outputs 1 within t
steps ( t is binary number, M is
non-deterministic machine)
Verifiers complexity is fixed polynomial (e.g.
n3) in Mxt
Any NP language L is reducible to U by a
O(n)-time reduction. (e.g., even if L 2
Ntime(n12) !)
Thus a CS proof system yields a single protocol
for proving membership for all L2NP. (even NE)
4
CS Proofs M Informal Description
A CS proof system is a system for proving
membership in the (N)EXP-complete language U
where ltM,x,tgt 2 U iff M(x) outputs 1 within t
steps ( t is binary number, M is
non-deterministic machine)
Our Goal Obtain a single (universal) argument
for NP under a standard assumption (i.e.,
hardness for poly-size circuits).
5
CS Proofs Formal Def
Def ltP,Vgt is a CS proof system for U if it
satisfies complexity V runs in probabilistic
polynomial time completeness 8 ltM,x,tgt 2
U ltP(w), Vgt(M,x,t)1 where P(M,x,t) runs for
tO(1) (possibly 2O(n)) steps soundness 8
2O(n)-sized P and 8 ltM,x,tgt? U Pr
ltP,Vgt(M,x,t) 1 negl(n)
Note Max running time of P lt Allowed running
time for P
6
CS Proofs Formal Def
Universal Argument
Def ltP,Vgt is a CS proof system for U if it
satisfies complexity V runs in probabilistic
polynomial time completeness 8 ltM,x,tgt 2
U ltP(w), Vgt(M,x,t)1 where P(M,x,t) runs for
tO(1) (possibly 2O(n)) steps soundness 8
2O(n)-sized P and 8 ltM,x,tgt? U Pr
ltP,Vgt(M,x,t) 1 negl(n)
polynomial size
proof of knowledge There is a
polynomial-time weak knowledge extractor.
Note Max running time of P lt Allowed running
time for P
7
Our Results
Thm 1 If standard collision-resistant hash
functions exist then there exists a universal
argument system.
Corollary 2 If standard collision resistent hash
functions exist then there exists a ZK argument
satisfying (as in B) - Non-black-box
simulation- Constant-round - Arthur-Merlin
(public coin)- Strict polynomial-time
simulator- Bounded concurrent zero-knowledge
Same conclusion as B under weaker hypothesis
8
Collision Resistant Hash Functions
Def A family H Hn of functions from 0,12n
to 0,1n is called collision resistent if for
any poly-size A Prh2H A(h) (x,y) s.t.
h(x)h(y) negl(n)
9
The Construction (following K)
Thm BFL NEXPPCPpoly,poly
?tO(1) (possibly 2O(n))
?
ltM,x,tgt
1 0 0 1 0 1 1 0 0 1
Ppcp(M,x,t,w)
10
PCP Properties
completeness 9 P s.t. 8 ltM,x,tgt 2 U (and
witness w) PrVP(M,x,t,w) (M,x,t)1 1where
P(M,x,t) runs in time tO(1) soundness If
ltM,x,tgt ? U then 8 ? Pr V?pcp(M,x,t)1 lt
2-n non-adaptive verifier Verifiers queries
are non-adaptive efficient reverse-sampling
Given i,q can sample random verifier tape
conditioned on ith query being q. proof of
knowledge 9 poly-time E s.t. If V?pcp(M,x,t) gt
2-x then 9 witness w s.t. 8 i Pr
E?(ltM,x,tgt,i) wi gt 2/3
11
ltM,x,tgt
?
Pua
Vua
1 0 0 1 0 1 1 0 0 1
h 2R H






root
root
pathq,? is called a certificate that ?q ?
Preliminary Observations 1. Verifier complexity
and communication is polynomial 2. Completeness
follows from completeness of PCP
12
ltM,x,tgt
?
P
Vua
1 0 0 1 0 1 1 0 0 1
h 2R H






root
root
Soundness If poly-size P convinces Vua that
ltM,x,tgt 2 U w.p. ? then 9 pcp proof ? for
ltM,x,tgt that convinces Vpcp w.p. ?2 negl(n).
Fix typical choice of h. Assume w.l.o.g P
deterministic and so root is also fixed. We treat
P as a function that gets a random pcp-verifier
tape and returns a list of paths.
Observation For any q, given two inconsistent
paths pathq,0 and pathq,1 can obtain x,y s.t.
h(x)h(y)
13
ltM,x,tgt
P
Vua
h 2R H
root
Define pq(?) Pr P sends pathq,? q is
asked
0 0/1 0 1 0 0/1 1 0 0 1 0 0 0/1 1
Define
Claim ? is a convincing pcp proof.
14
Define pq(?) Pr P sends pathq,? q is
asked
0 0/1 0 1 0 0/1 1 0 0 1 0 0 0/1 1
Define
Claim ? is a convincing pcp proof.
Let A ambigous locations k - length of
verifiers random tape
Previous AnalysisK,M,B If h is 2k secure then
A
15
Define pq(?) Pr P sends pathq,? q is
asked
0 0/1 0 1 0 0/1 1 0 0 1 0 0 0/1 1
Define
Claim ? is a convincing pcp proof.
Let A ambigous locations k - length of
verifiers random tape
Our Analysis Define AµA to be locations that
are ambigous with non-negligible probability.If
h is poly-size secure then Pr Verifiers
query hits A negl(n) Why? Otherwise could
find collision by reverse-sampling.
16
Proof of Knowledge Property
9 E s.t. if P convinces Vua w.p. ? that ltM,x,tgt
2 U then 9 witness w s.t. w.p. Pr8
i EP(M,x,t,i) wi gt ??(1) where E runs in
poly(1/?,n) time
Follows from analogous property of the pcp system.
Write a Comment
User Comments (0)
About PowerShow.com