Transcript Slide 1
A Parallel Repetition Theorem for Any Interactive Argument
Iftach Haitner
Microsoft Research
Hardness Amplification
Starting point - A primitive with “weak security”
Goal - A “fully secure” primitive
Examples: hard functions, PCPs, puzzles, interactive proofs, MIP, interactive arguments, …
Secondary goal - Do the amplification while preserving efficiency
Interactive Proofs vs. Interactive Arguments
Setting: L ∈ NP and x ∈ L. The prover P(x,w) and the verifier V(x) exchange m rounds of messages q1, a1, …, qm, am, after which V outputs Accept / Reject (“1” / “0”).
Completeness (both notions): ∀ x ∈ L, Pr[(P(x,w),V(x)) = 1] = 1
Soundness of interactive proofs: ∀ P* and x ∉ L, Pr[(P*,V(x)) = 1] ≤ neg
Soundness of interactive arguments (also known as computationally sound proofs): ∀ PPT P* and x ∉ L, Pr[(P*,V(x)) = 1] ≤ neg
Weak soundness: the same, with the bound neg relaxed to 1 – 1/poly
The bound on the right-hand side (neg, or 1 – 1/poly) is the soundness error.
Soundness Amplification of Interactive Arguments
Fix L, and let (P,V) be s.t. ∀ x ∉ L and ∀ ppt P*:
Pr[(P*,V(x)) = 1] < ε ≤ 1 – 1/poly
We want a protocol (P’,V’) s.t. ∀ x ∉ L and ∀ ppt P*:
Pr[(P*,V’(x)) = 1] ≤ negl
We want a generic transformation that preserves the other properties of (P,V), and can be applied to any protocol.
Sequential Repetition
[Figure: k executions of (P(x,w),V(x)) run one after the other, each ending in its own Accept / Reject]
• No overlap between executions
• Verifier accepts iff all k subverifiers do
• Known to reduce the soundness error at an exponential rate (i.e., ε(k) ≤ max{negl., ε^k})
• Blow up in round complexity
Parallel Repetition
[Figure: k executions of (P(x,w),V(x)) run side by side, each ending in its own Accept / Reject]
• Interactions are done in parallel. Verifier accepts iff all k subverifiers do.
• Preserves round complexity.
• Does it reduce the soundness error?
Positive results - Soundness error is reduced at an exponential rate, in:
• 3-message protocols [Bellare, Impagliazzo, Naor ‘97]
• Public-coin protocols [Håstad, Pass, Pietrzak, Wikström ‘08], [Chung-Liu ‘09]
Also in interactive proofs [Goldreich ‘99] and MIP [Raz ’95]
Impossibility results - Soundness error might not be reduced in (t ≥ 8)-message protocols [BIN ’97, Pietrzak-Wikström ’07]
Under common hardness assumptions, there exists an 8-message protocol with soundness error ½, whose soundness is not improved via parallel repetition.
The Counter Example of [BIN ’97]
• Safes are realized as (perfectly binding) commitment schemes.
• Soundness error ½ w.r.t. the empty language.
• Soundness error 1 (soundness is 0) when viewed as an interactive proof.
Protocol: V chooses b ← {0,1} and sends it in a safe; P chooses b’, b’’ ← {0,1} and sends them in safes; the safes are then opened. V outputs “1” if b’ ⊕ b’’ = b, and the safes P sent are different from the safe V sent.
[Figure: a cheating prover P* for 3 repetitions. Each verifier V_i chooses b_i ← {0,1}; P* hands each V_i the safes (and later the openings) it received from the other two verifiers, so V_i accepts iff b_j ⊕ b_k = b_i.]
All verifiers accept if b1 ⊕ b2 ⊕ b3 = 0 ⇒ soundness error ½
Can be extended to any (# of repetitions) k.
[Pietrzak-Wikström ‘07] ∃ a single protocol whose soundness error remains ½ for any (poly.) k
Our Result
For any interactive argument (P,V) there exists a simple variant Ṽ of V, s.t. the parallel repetition of (P,Ṽ) always reduces the soundness error at a (weakly) exponential rate.
The Random Terminating Verifier
Ṽ runs V for its m rounds; before each round, w.p. 1/4m it halts and accepts. If it never halts early, Ṽ accepts iff V does.
[Figure: the m rounds of (P(x,w),Ṽ(x)), with “w.p. 1/4m halt and accept” before each round]
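To see both the counter example and the random terminating verifier at work, here is an added example (not code from the slides or from the paper) that computes, by exact enumeration, the success probability of the forwarding prover above against one verifier, against three parallel verifiers, and against three parallel random terminating verifiers. It assumes ideal safes (opaque handles that only their creator can open), a verifier with m = 2 messages (its safe, then its opening), and halting decisions taken independently before each message; it bounds only this one prover strategy, not all provers.

```python
# Exact success probability of the "forwarding" cheating prover from the
# [BIN '97] counter example, against k plain or k random terminating verifiers.
# Assumptions (not from the slides): safes are ideal (only their creator can open
# them, verifiers just compare handles); V sends m = 2 messages (safe, opening).
from fractions import Fraction
from itertools import product

M = 2                        # verifier messages in the toy protocol
P_HALT = Fraction(1, 4 * M)  # halting probability before each message

def status_weights(random_terminating):
    """'A': runs to completion; 'H1'/'H2': halts and accepts before message 1/2."""
    if not random_terminating:
        return {"A": Fraction(1)}
    return {"H1": P_HALT, "H2": (1 - P_HALT) * P_HALT, "A": (1 - P_HALT) ** 2}

def all_accept(k, status, bits, fresh):
    """True iff all k verifiers accept. bits[i] is V_i's bit; fresh[i] are two random
    bits the prover commits to itself when no other verifier's safe can be forwarded."""
    for i in range(k):
        if status[i] != "A":
            continue  # a halted verifier accepts unconditionally
        sources = [j for j in range(k) if j != i and status[j] != "H1"][:2]
        xor = 0
        for slot in range(2):
            if slot >= len(sources):
                xor ^= fresh[i][slot]  # own safe; always differs from V_i's safe
            elif status[sources[slot]] == "H2":
                return False  # V_j never opened its safe, so neither can the prover
            else:
                xor ^= bits[sources[slot]]
        if xor != bits[i]:
            return False
    return True

def forwarding_prover_success(k, random_terminating=False):
    """Pr[all k verifiers accept], enumerated exactly over every coin toss."""
    weights = status_weights(random_terminating)
    total = Fraction(0)
    for status in product(weights, repeat=k):
        w = Fraction(1)
        for s in status:
            w *= weights[s]
        for bits in product((0, 1), repeat=k):
            for flat in product((0, 1), repeat=2 * k):
                fresh = [flat[2 * i:2 * i + 2] for i in range(k)]
                if all_accept(k, status, bits, fresh):
                    total += w / 2 ** (3 * k)  # k verifier bits plus 2k fresh bits
    return total
```

The forwarding prover wins with probability ½ against one verifier and still ½ against three parallel verifiers, but only about 0.31 against three random terminating verifiers: a coordinate that halts before opening its safe leaves the prover holding a forwarded safe it cannot open.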
Our Result cont.
(P,Ṽ) has essentially the same soundness as (P,V). I.e., at least ¾ times the original soundness.
Preserves completeness, zero-knowledge, …
Applies to any cryptographic primitive that can be cast as an interactive argument. E.g., binding amplification of computationally binding commitment.
Applicability to Other Primitives
Let Q be any cryptographic primitive whose security can be cast as a two-party game (e.g., OWF, DDH, commitment schemes).
[Figure: P interacts with Q; Q accepts if P “breaks” the security of Q]
Viewing Q as the verifier V, the soundness of (P,V) (w.r.t. the empty language) is equal to the “security” of Q.
⇒ Parallel repetition of Q̃ – the random terminating variant of Q – is (fully) secure.
Proof’s Idea
Let’s start with proving parallel repetition of a (standard) public-coin protocol (P,V) (in the spirit of [HPPW ‘08]).
Fix L and x ∉ L, and assume that ∀ ppt P*:
(1) Pr[(P*,V(x)) = 1] < ε
We want to prove that ∀ ppt P(k)*:
(2) Pr[(P(k)*,V(k)(x)) = 1] < ε(k) ≈ ε^k
The proof is by reduction. Assume ∃ ppt P(k)* that contradicts (2); we use it to build a ppt P* that contradicts (1).
* In the following we omit L and x, and assume wlog that P(k)* is deterministic.
Defining P*
[Figure: P* runs P(k)* internally; a coordinate i is chosen at random, and the messages of the real verifier V are placed at coordinate i of V(k)]
Find q(k)_{1,-i} such that
Pr[(P(k)*,V(k)(x)) = 1 | q(k)_1] ≥ (1 – 1/2m) ε(k)
where q(k)_{1,i} = q1.
Let a(k)_1 be P(k)*’s answer on q(k)_1, and set a1 = a(k)_{1,i}.
(If succeeded) We have reduced the problem to an (m–1)-round protocol.
Does such q(k)_{1,-i} always exist?
W.h.p. over q1, a noticeable fraction of the q(k)_{1,-i} are “good”.
How to find q(k)_{1,-i}?
Sample many candidates (at random), and for each of them estimate α = Pr[(P(k)*,V(k)(x)) = 1 | q(k)_1].
Estimating α
[Figure: an execution of (P(k)*,V(k)(x)) with messages q1, a1, …, qm, am]
Estimate α as the fraction of successful (random) continuations (i.e., all verifiers accept).
Since V is public coin, sampling random continuations is easy.
Might be infeasible for an arbitrary V - as hard as finding a random preimage of an arbitrary (efficient) function.
The Random Terminating Case
[Figure: an execution of (P(k)*,Ṽ(k)(x)) with messages q1, a1, q2, …, qm, am; the continuation of the real verifier Ṽ_i is hard to sample, unless Ṽ_i accepts & halts after the first round]
We sample random continuations conditioned on Ṽ_i halting after the first round. I.e., we estimate the value of
α’ = Pr[(P(k)*,Ṽ(k)(x)) = 1 | q(k)_1, Ṽ_i halts after the first round]
α’ approximates α well
[Figure: P(k)* facing Ṽ_1, …, Ṽ_k, with i chosen at random]
Since (for large enough k) many of the Ṽ_j’s are expected to halt after the first round, α’ ≈ α for a random i.
Further Issues
• More security preserving reductions (w.r.t. communication complexity)
• More applications of “random terminating”