Probabilistically Checkable Arguments

1
Probabilistically Checkable Arguments

• Yael Tauman Kalai
• Microsoft Research
• Ran Raz
• Weizmann Institute

2
Our Results
Main Result
LFKN, Shamir, Goldwasser-Sipser
PSPACE IP Public-coin IP
Corollary1 PSPACE µ 1-round arguments
3
Our Results (Cont.)
Main Result

• Define probabilistically checkable
  arguments (PCAs)
• ¼ PCPs that are only
  computationally sound

Main Result with IPGoldwasser-K-Rothblum08
Corollary2 Short PCAs of size poly(witness)
4
Interactive Proofs (IP)Golwasser-Micali-Rackoff,
Babai

• Proofs that use interaction and randomization
• IPPSPACE Lund-Fortnow-Karloff-Nissan, Shamir
• rounds poly(n)
• Can we reduce the number of rounds?
• O(1)-round IP 1-round IP
• Believed 1-round IP does not contain much
• (1-round IP ? PSPACE)

5
Interactive Arguments (IA)
Interactive proofs that are only computationally
sound Security holds only against comp. bounded
cheating provers
Poly-time verifier
Honest provers runtime T
Soundness against cheating provers of size 2k
6
Interactive Arguments (cont.)

• IANEXP Kilian,Micali
• rounds 2 (4 messages)
• What can be proved via 1-round interactive
  argument?
• Micali In random oracle model
• NEXP1-round IA
• What about in the plain model??

PSPACE µ 1-round IA
7
Our Result
public-coin verifier only sends his coin
tosses Goldwasser-Sipser IP public-coin IP
one-round argument
PIR
public-coin IP
msgV
P
V
P
V
Independent of instance
8
public-coin verifier only sends his coin
tosses Goldwasser-Sipser IP public-coin IP
one-round argument
PIR
public-coin IP
No blowup if we use fully-homomorphic encryption
Gentry09
Main Thm Under exponential hardness
assumptions, any public-coin IP can be converted
into a one-round argument (blowup in provers
run-time)
No blowup if we use IP of GKR08
9
Previous Attempts

• Fiat-Shamir88
• Use hash-function to convert any public-coin
  IP into 1-round argument
• Barak01, Goldwasser-K03
• Exhibit inherent difficulties in proving
  soundness
• Aiello-Bhatt-Ostrovsky-Rajagopalan00
• Use PIR scheme to convert the two-round
  Kilian/Micali argument for NEXP into a (short)
  one-round argument
• Dwork-Langberg-Naor-Nissim-Reingold04
• Exhibit inherent difficulties in proving
  soundness

10
Proof Idea
Public-coin interactive proof
1-round argument
PIR
11
PIR Scheme Chor-Goldreich-Kushilevitz-Sudan95,
Kushilevitz-Ostrovsky97
DB
U
x1
query
x2
xi
answer
xN
12
PIR Scheme Chor-Goldreich-Kushilevitz-Sudan95,
Kushilevitz-Ostrovsky97
Secrecy 8i,j21,,N
q(i) ¼ q(j)
For distinguishers of size poly(N)
polylog PIR Scheme CMS99 Communication
complexity poly(?, log N) User run-time poly(?,
log N)
13
Public-coin interactive proof
1-round argument
P
V
P
V
r1
q1,,qt
m1
r2
a1,,at
m2

• qiquery(r1,,ri)
• aianswer(qi,DBi), where the (r1,,ri) entry of
  DBi is mi(r1,,ri)

rt
mt
14
Proof Idea

• Fix x not in L. Suppose 9 P of size 2?
  s.t.

Pr(P,V)(x)1 s?
P
V
P
V
?
?
x 2 L
x 2 L
r1
q1,,qt
m1
a1,,at
r2
m2

• qiquery(r1,,ri)
• aianswer(qi,DBi), where the (r1,,ri) entry of
  DBi is mi(r1,,ri)

rt
mt
15
Proof Idea
P0
V0
Pi
Vi
Pt
Vt
q1,,qi
q1,,qt
r1
m1
a1,,ai
a1,,at
r2
rj, mj, ri1
m2
mi1
rt
rt
mt
mt
9P of size 2? s.t. Pr(P,Vt)(x)1 s?
soundness s against any cheating prover
16
Proof Idea (Cont.)
Pi-1
Vi-1
Pi
Vi
?
?
x 2 L
x 2 L
q1,,qi-1
q1,,qi
a1,,ai-1
a1,,ai
rjj1,..,i, mjj1,..,i,ri1
rjj1,..,i-1, mjj1,..,i-1,ri
mi1
mi
rt
rt
mt
mt
¼ Pi2O(cc)
soundness s against any cheating prover of
size 2?
Pr(Pi,Vi)(x)1 s ?/t
Use Pi to break PIR in time 2O(k)
17
Summary
one-round argument
PIR
public-coin IP

• Corollary PSPACE µ 1-round argument

Open 1-round argument PSPACE ?
Open 1-round argument NEXP ?
Remark This method does not seem to work when
applied to interactive arguments (rather than
proofs)
PCA
Interactive proof GKR08
18
Thanks !!