succinct arguments from linear interactive proofs · a pcp where the proof oracle is a linear...
TRANSCRIPT
![Page 1: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/1.jpg)
Succinct ArgumentsgFromLinear Interactive Proofs
l d hii i k l h iAlessandro ChiesaNir Bitansky Yuval Ishai
Rafail Ostrovsky Omer Paneth
![Page 2: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/2.jpg)
Verifying NP Computations Fast
statement
efficiency:
completeness:
soundness:
![Page 3: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/3.jpg)
Verifying NP Computations Fast
statement
efficiency:
completeness:
soundness:[BHZ,GH,GVW,Wee]
![Page 4: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/4.jpg)
Verifying NP Computations Fast
statement
efficiency:SUCCINCTARGUMENTARGUMENT
completeness:
soundness:[BHZ,GH,GVW,Wee]
![Page 5: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/5.jpg)
WHAT KINDS OFWHAT KINDS OFSUCCINCT ARGUMENTS
ARE THERE?
![Page 6: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/6.jpg)
[Kilian][ ]tools: PCP system + collision‐resistant hashing
1 offline message3 online messages
public coins
[Micali][ ]
apply Fiat‐Shamir paradigm in the Random Oracle model
1 non‐interactive & publicly‐verifiable message
![Page 7: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/7.jpg)
CANWE REDUCECAN WE REDUCE# ONLINE MESSAGES
W/O RANDOM ORACLES?
![Page 8: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/8.jpg)
Succinct Non‐Interactive Arguments(SNARGs)(SNARGs)
statement proofstatement proof
![Page 9: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/9.jpg)
Succinct Non‐Interactive Arguments(SNARGs)(SNARGs)
proving key verification key
statement proofstatement proof
have privately‐verifiable constructions( f f )under relatively‐clean (albeit non‐falsifiable) assumptions[DL] [Mie] [BCCTa] [DFH] [GLR] [BC]
![Page 10: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/10.jpg)
Probabilistic Checking & Succinct Arguments
Step 1: information‐theoretic probabilistic checkingA VERY PRODUCTIVE PARADIGM
Step 1: information‐theoretic probabilistic checking,in a model where the prover is restricted in some form
St 2 t h t f th t i ti
EXAMPLES
Step 2: use cryptography to force the restriction
EXAMPLES
Step 1 = design a PCPSt 2 f t it t PCPStep 2 = force prover to commit to a PCPStep 1 = design a no‐signaling MIPStep 2 = force prover to act as no‐signaling proversStep 1 = design an MIPStep 2 = force prover to act as non‐communicating provers
![Page 11: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/11.jpg)
TODAY: Preprocessing SNARGs
proving key verification key
statement proof
![Page 12: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/12.jpg)
Preprocessing SNARGs
setup work is amortized over MANY proofs
can obtain public verifiability [Groth,Lipmaa,GGPR]
lead to constructions w/o expensive preprocessing [BCCTb](provided the SNARG has a natural POK)(provided the SNARG has a natural POK)
step 1: reduce CircuitSAT to algebraic satisfaction problemstep 2: use crypto to succinctly verify the latter
surprising: do not seem to rely on probabilistic checking!
step 2: use crypto to succinctly verify the latter
surprising: do not seem to rely on probabilistic checking!
![Page 13: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/13.jpg)
OUR CONTRIBUTIONS
![Page 14: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/14.jpg)
THIS WORKgive a general recipe to construct preprocessing SNARGs;give a general recipe to construct preprocessing SNARGs;the recipe is a new instantiation of the paradigm
Step 1: (information‐theoretic)
Specifically:
Step 1: (information theoretic)design a 2‐message linear interactive proof (LIP)
Step 2: (cryptographic)Step 2: (cryptographic)force prover to act as a linear function
results for Step 1: constructions of succinct LIPsresults for Step 2: compilers for private and public cases
simpler and more efficient preprocessing SNARGs
re‐interpret previous constructions from new perspective
![Page 15: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/15.jpg)
Linear PCPsA PCP where the proof oracle is a linear function.Previously used in another instantiation of paradigm:
[IKO]
linear PCPli i i
strong
+ linearity testing
linear PCP+ function commitment
4‐msg NP argumentwith small communication
![Page 16: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/16.jpg)
Linear Interactive Proofs (LIPs)The prover is algebraically bounded: specifically, linear.
(in both completenessand soundness!)and soundness!)
We are interested in LIPs that are input oblivious:
![Page 17: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/17.jpg)
PRIVATE VERIFICATION [ALMSS]
linear PCPPCP
compilercompiler
[GGPR]
succinct
compilercompiler
Step 1 (information‐theoretic)
linear IPStep 2 (cryptographic)
compiler
privately verifiableprivately‐verifiablepreprocessing SNARG
![Page 18: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/18.jpg)
Step 2: From LIP To pp SNARG(private verification)(private verification)
proving key verification key
![Page 19: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/19.jpg)
Step 2: From LIP To pp SNARG(private verification)(private verification)
non‐falsifiableassumption( h t
(e.g., knowledge variant of Paillier)
( somewhatjustified by [GW] )
proving key verification key
![Page 20: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/20.jpg)
PUBLIC VERIFICATION [ALMSS]
???linear PCPlinear PCP
compiler
[GGPR]
???
compiler
Step 1 (information‐theoretic)
linear IPStep 2 (cryptographic)
compiler
publicly verifiablepublicly‐verifiablepreprocessing SNARG
![Page 21: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/21.jpg)
Step 2: From LIP To pp SNARG (sketch)
proving key verification key
(same)(same)
![Page 22: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/22.jpg)
Step 2: From LIP To pp SNARG (sketch)
proving key verification key
what we have:what we have:
(same)(same)
![Page 23: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/23.jpg)
Step 2: From LIP To pp SNARG (sketch)
proving key verification key
need to test roots:need to test roots:
(same)(same)
![Page 24: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/24.jpg)
Step 2: From LIP To pp SNARG (sketch)
proving key verification key
(same)(same)
![Page 25: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/25.jpg)
Publicly‐Verifiable pp SNARGs???linear
interactive compiler publicly‐verifiable
???
interactiveproof
compilerpreprocessing SNARG
uses bilinear maps + KEA??? gives us EncodingEncoding with:
‐ test quadratic predicatest i h d
???=
/d i i l i h ‐ certain one‐way hardness‐ almost‐linear homomorph.
query/decision algorithmsare low‐degree polynomials
a balancing act:a balancing act:
![Page 26: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/26.jpg)
Summary
A simple and motivated recipe
li PCPPCP
low‐degreelinear PCP
linear PCPPCP
compilercompilercompiler
linear IP
compilercompilerlow‐degreelinear IP
compiler compiler
privately‐verifiablepreprocessing SNARG
publicly‐verifiablepreprocessing SNARGpreprocessing SNARG preprocessing SNARG
See paper for more (including ZK generic transformation)See paper for more (including ZK generic transformation)
![Page 27: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/27.jpg)
THANKS!http://eprint.iacr.org/2012/718
![Page 28: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/28.jpg)
THANKS!http://eprint.iacr.org/2012/718
![Page 29: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/29.jpg)
![Page 30: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/30.jpg)
FOLLOWING ARE OLD SLIDES
![Page 31: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/31.jpg)
Falsifiable Assumptions[Naor 03] [GW11]
An assumption is falsifiable if a challenger can efficiently test, via an interactive protocol, whether an efficient adversary breaks it.
Example:
p , y
win/lose
Other examples:DDH RSA LWE QRDDH, RSA, LWE, QR, …
(not a game: requires a simulator)(not a game: requires a simulator)
(not a game: requires an extractor)( g q )
[Dam91] [HT98]
![Page 32: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/32.jpg)
non‐falsifiable assumptionspare not all equally strong/complex
By investigating such assumptionsBy investigating such assumptions and their power, we may:
‐ identify “nice” NF assumptionsidentify nice NF assumptions
‐ discover entirely new constructions
![Page 33: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/33.jpg)
Bilinear Techniques & Preprocessingi f li f k NIZK [G h GOS AF]coming from a line of work on NIZKs [Groth,GOS,AF]
seeking to minimize #group elements in a NI proof
very different construction approach
supportedfunctions
# messages offlinework ischeap?
securew. verifieroracle?
publiclyverifiable?
mainassumptionoffline online cheap? oracle?
[Groth][Lipmaa][GGPR]
NP 1 1 NO YES YES “KEA”[GGPR]
h ifithe verifier must preprocessthe circuit to make a CRS
![Page 34: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/34.jpg)
1)
Bootstrapping SNARKs:pp g
A New Path To the Holy Grail
[Bitansky, Canetti, C, Tromer]
![Page 35: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/35.jpg)
Bootstrapping SNARKsid d SNARG h l f f k l dprovided a SNARG has a natural proof of knowledge
(all known ones do)i ffi i i b i d “ i l”
supported # messages offline securepublicly main
its efficiency properties can be improved to “optimal”
supportedfunctions
work ischeap?
w. verifieroracle?
publiclyverifiable?
mainassumptionoffline online
NP 1 1 X X X X[BCCTb]
NP 1 1 X X X X
NP 1 1 YES X X X + CRH
ADDITIONAL EFFICIENCY BONUSES
complexity preservation:prover in for computationscomplexity preservation:
transformation does not invoke the PCP theorem
![Page 36: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/36.jpg)
The Old Path
Kilian then FS
preprocessing (pv) SNARK
Kilian then FSw/ “RO HASH”
PCP[G th][Groth][Lipmaa][GGPR]
w/ “KEA”
machine computations
![Page 37: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/37.jpg)
A New Path
Kilian then FS
preprocessing (pv) SNARK
Kilian then FSw/ “RO HASH”
PCP[G th][Groth][Lipmaa][GGPR]
w/ “KEA”
machine computations
![Page 38: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/38.jpg)
A New & Better Path
any SNARK(no matter how weak)
Kilian then FSKilian then FSw/ “RO HASH”
preprocessing (pv) SNARKSNARK line
PCP[G th]
SNARK line
[Groth][Lipmaa][GGPR]
w/ “KEA”
machine computations
![Page 39: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/39.jpg)
2)
A General TechniqueFor Making Preprocessing SNARKs
[Bitansky, C, Ishai, Ostrovsky, Paneth]
![Page 40: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/40.jpg)
How Make Preprocessing SNARKs?
#messages offline securesupportedfunctions
# messages offlinework ischeap?
securew. verifieroracle?
publiclyverifiable?
mainassumptionoffline online
[Groth][Groth][Lipmaa][GGPR][BCIOP]
NP 1 1 NO YES YES “KEA”
[BCIOP]
General technique to make preprocessing SNARKs:
Step 1 = design a 2‐message linear interactive proof (LIP)Step 1 = design a 2 message linear interactive proof (LIP)Step 2 = force prover to act as a linear function
![Page 41: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/41.jpg)
A New & Better Path
any SNARK(no matter how crappy)
Kilian then FSKilian then FSw/ “RO HASH”
preprocessing (pv) SNARKSNARK line
PCP
SNARK line
LIPlinear targetedmalleability[BCIOP]
machine computations
![Page 42: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/42.jpg)
REST OF TALK
1) on bootstrapping SNARKs[Bitansky, Canetti, C, Tromer]
2) on making preprocessing SNARKs[Bit k C I h i O t k P th][Bitansky, C, Ishai, Ostrovsky, Paneth]
![Page 43: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/43.jpg)
1
ONBOOTSTRAPPING SNARKs
![Page 44: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/44.jpg)
TheoremSuppose CRHs exist.
any SNARKany SNARK
complexity‐preserving SNARK
complexity‐preserving PCDcomplexity preserving PCD
complexity‐preserving = ‐ no preprocessingp y p g p p g‐ prover has quasi‐optimaltime & space complexity
![Page 45: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/45.jpg)
high‐level intuitionwith no abstraction layers for
Theorem’ (removing preprocessing)Suppose CRHs existSuppose CRHs exist.
preprocessing publicly‐verifiable SNARK
bli l ifi bl SNARKpublicly‐verifiable SNARK
WHAT DO WE DO??
![Page 46: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/46.jpg)
The Core Idea:bootstrap the SNARK
Main Observationonly need to budget for small computations…
Main Observation
ll SNARK ifi tias small as SNARK verification(plus a bit more)
![Page 47: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/47.jpg)
2
ON MAKINGPREPROCESSING SNARKs
![Page 48: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/48.jpg)
Designing Efficient Arguments
Step 1: information‐theoretic probabilistic checking,in a model where the prover is restricted in some form in a model where the prover is restricted in some form
Step 2: use cryptography to “implement” the model
EXAMPLES
Step 1 = design a PCPStep 2 = force prover to commit to a PCPStep 2 force prover to commit to a PCP
Step 1 = design a nsMIPfStep 2 = force prover to act as no‐signaling provers
Step 1 = design an MIPStep 1 design an MIPStep 2 = force prover to act as non‐communicating provers
![Page 49: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/49.jpg)
Designing Efficient Arguments
Step 1: information‐theoretic probabilistic checking,in a model where the prover is restricted in some form in a model where the prover is restricted in some form
Step 2: use cryptography to “implement” the model
A New ExampleA New ExampleStep 1 = design a 2‐message linear interactive proofStep 2 = force prover to act as a linear function
Q1: how to design LIPs with suitable efficiency?Q2: how to use crypto to make a prover linear?Q2: how to use crypto to make a prover linear?
![Page 50: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/50.jpg)
Linear Interactive Proofs (LIPs)The prover is algebraically bounded: specifically, linear.
![Page 51: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/51.jpg)
Step 2: Making Provers LinearWARM UP: from LIP to privately‐verifiable pp SNARK
TOOLS:
&
“crypto”
![Page 52: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/52.jpg)
Step 2: Making Provers LinearWARM UP: from LIP to privately‐verifiable pp SNARK
proving key verification key
![Page 53: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/53.jpg)
Step 2: Making Provers LinearWARM UP: from LIP to privately‐verifiable pp SNARK
f fnon‐falsifiableassumption
(e.g., Paillier)
proving key verification key
![Page 54: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/54.jpg)
Step 2: Making Provers LinearWhat happens if we want public verifiability?
Being able to test properties of the prover’s answersimplies that we must give up semantic securityimplies that we must give up semantic security.
In particular, security must be preserved evengiven certain leakage on the queries.
(2) What kinds of LIPs then suffice?
![Page 55: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/55.jpg)
Step 2: Making Provers Linear
(2) What kinds of LIPs then suffice?
( ) h l f(2) LIPs with low‐degree verifiers
![Page 56: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/56.jpg)
Step 2: Making Provers LinearSKETCH
proving key verification key
![Page 57: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/57.jpg)
Step 2: Making Provers LinearSKETCH
proving key verification key
![Page 58: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/58.jpg)
Step 2: Making Provers LinearSKETCH
proving key verification key
![Page 59: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/59.jpg)
Step 2: Making Provers LinearSKETCH
proving key verification key
“tests quadratic roots”
![Page 60: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/60.jpg)
publicly‐verifiable pp SNARKpublicly verifiable pp SNARK
Step 2
LIP with degree (poly(k) 2)LIP with degree (poly(k),2)
Step 1
??????
![Page 61: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/61.jpg)
publicly‐verifiable pp SNARKpublicly verifiable pp SNARK
Step 2
LIP with degree (poly(k) 2)LIP with degree (poly(k),2)
Step 1
Linear PCP with degree (poly(k),2)g (p y( ), )
![Page 62: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/62.jpg)
Linear PCPs (LPCPs)
![Page 63: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/63.jpg)
Linear PCPs (LPCPs)
![Page 64: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/64.jpg)
Linear PCPs (LPCPs)
Two technical notes:Two technical notes:
(1) linear PCP in [IKO,SMBW,SVP+,SBV+] does not t i t l t b li i di h trestrict oracle to be linear in dishonest case
(2) not the same as linear PCPP in [BSHLM09,Mei12]; there it is a proximity tester for the kernels of linear circuits
![Page 65: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/65.jpg)
From LPCPs To LIPs
Why isn’t an LPCP already an LIP? Consistency.
![Page 66: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/66.jpg)
From LPCPs To LIPs
++consistency check
preserves algebraic properties!
![Page 67: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/67.jpg)
publicly‐verifiable pp SNARK
Step 2
LIP with degree (poly(k),2)LIP with degree (poly(k),2)
St 1Step 1
Linear PCP ith degree (pol (k) 2)Linear PCP with degree (poly(k),2)
St 0Step 0
??????
![Page 68: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/68.jpg)
publicly‐verifiable pp SNARK
Step 2
LIP with degree (poly(k),2)LIP with degree (poly(k),2)
St 1Step 1
Linear PCP ith degree (pol (k) 2)Linear PCP with degree (poly(k),2)
St 0
d i i LPCP f NP ith O(1) i i !
Step 0
designing LPCPs for NP with O(1) queries is easy!
![Page 69: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/69.jpg)
publicly‐verifiable pp SNARK
Step 2
LIP with degree (poly(k),2)LIP with degree (poly(k),2)
St 1Step 1
Linear PCP ith degree (pol (k) 2)Linear PCP with degree (poly(k),2)
St 0[ALMSS] [GGPR]
Step 0
![Page 70: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/70.jpg)
Two Known Paths To The Holy Grail
“CS proof”
SNARK line preprocessing SNARKSNARK line
LIPPCP
LPCPLPCPmachine
computations
![Page 71: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/71.jpg)
THANKS!
![Page 72: Succinct Arguments From Linear Interactive Proofs · A PCP where the proof oracle is a linear function. Previously used in another instantiation of paradigm: [IKO] linear PCP li i](https://reader034.vdocuments.us/reader034/viewer/2022052103/603e5f05ca716545932996e9/html5/thumbnails/72.jpg)
THANKS!