SNARGs for bounded depth computations and PPAD hardness from sub-exponential LWE

Jawale, Ruta; Kalai, Yael Tauman; Khurana, Dakshita; Zhang, Rachel

doi:10.1145/3406325.3451055

Cited by 31 publications

(10 citation statements)

References 50 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For interactive probabilistic proof protocols with a public randomization coin, whose outcome both the verifier and the prover can see, interaction can be replaced by a cryptographic hash function in the Fiat-Shamir [12] heuristic, which yields a proof of primality/compositeness which can be verified at a later time and whose soundness is justified by the hardness of predicting the hash values. Note that for protocols where interaction is replaced by the Fiat-Shamir idea, a provable soundness requires a special design for the hash functions and cryptographic hardness assumptions [5,19,23]. For Google's Rubik's Cube computation mentioned above, such a proof-of-work certificate could have been produced.…”

Section: Primality Of -Bit Integers 2a 2+ (1)mentioning

confidence: 99%

“…Row 1c puts Fiat-Shamir in practice by placing the previous hash value as an additional argument to the next hash operation, and may incur a loss of soundness [14], which is mitigated by our protocol of fewer rounds. The papers [5,19,23] prove the hardness of predicting the hash values; Row 1d is for the hash functions in [19].…”

Section: Primality Of -Bit Integers 2a 2+ (1)mentioning

confidence: 99%

“…equal(src2(ℓ, ), ) ℓ+1 ( ), (19) using two summation trees. Note that the bits for needed for the equal's are available from the decoders that produce the 1 , .…”

Section: Prover-near-optimality For Polynomial-time Local Wiring Algo...mentioning

confidence: 99%

See 2 more Smart Citations

The GKR Protocol Revisited

Kaltofen

2022

Proceedings of the 2022 International Symposium on Symbolic and Algebraic Computation

View full text Add to dashboard Cite

The proof-of-work interactive protocol by Shafi Goldwasser, Yael T. Kalai and Guy N. Rothblum (GKR) [STOC 2008, JACM 2015 certifies the execution of an algorithm via the evaluation of a corresponding boolean or arithmetic circuit whose structure is known to the verifier by circuit wiring algorithms that define the uniformity of the circuit. Here we study protocols whose prover timeand space-complexities are within a poly-logarithmic factor of the time-and space-complexity of the algorithm; we call those protocols 'prover-nearly-optimal. ' We show that the uniformity assumptions can be relaxed from LOGSPACE to polynomial-time in the bitlengths of the labels which enumerate the nodes in the circuit. Our protocol applies GKR recursively to the arising sumcheck problems on each level of the circuit whose values are verified, and deploys any of the prover-nearly-optimal versions of GKR on the constructed sorting/prefix circuits with log-depth wiring functions.The verifier time-complexity of GKR grows linearly in the depth of the circuit. For deep circuits such as the Miller-Rabin integer primality test of an -bit integer, the large number of rounds may interfere with soundness guarantees after the application of the Fiat-Shamir heuristic. We re-arrange the circuit evaluation problem by the baby-steps/giant-steps method to achieve a depth of 1/2+ (1) , at prover cost 2+ (1) bit complexity and communication and verifier cost 3/2+ (1) . CCS CONCEPTS• Theory of computation → Cryptographic protocols.

show abstract

Section: Primality Of -Bit Integers 2a 2+ (1)mentioning

confidence: 99%

Section: Primality Of -Bit Integers 2a 2+ (1)mentioning

confidence: 99%

See 1 more Smart Citation

The GKR Protocol Revisited

Kaltofen

2022

Proceedings of the 2022 International Symposium on Symbolic and Algebraic Computation

View full text Add to dashboard Cite

show abstract

“…For 𝑐 > 0 and 𝐿 : ℕ + → ℕ, let ℛ 𝐿,𝑐 be the same as ℛ 𝐿 , except that the adversaries can run in time 𝗉𝗈𝗅𝗒 (︀ 2 𝜆 𝑐 )︀ instead of 𝗉𝗈𝗅𝗒(𝜆). We denote 𝑐-subexponential hardness [JKKZ21,HLR21] to mean that any 𝗉𝗈𝗅𝗒 (︀ 2 𝜆 𝑐 )︀ -time adversary achieving advantage at most 𝗇𝖾𝗀𝗅 (︀ 2 𝜆 𝑐 )︀ .…”

Section: Bounded-entanglement Soundness From Subexponential Hardnessmentioning

confidence: 99%

Beating Classical Impossibility of Position Verification

Liu

Liu²,

Qian

2021

Preprint

View full text Add to dashboard Cite

Chandran et al. (SIAM J. Comput. '14) formally introduced the cryptographic task of position verification, where they also showed that it cannot be achieved by classical protocols. In this work, we initiate the study of position verification protocols with classical verifiers. We identify that proofs of quantumness (and thus computational assumptions) are necessary for such position verification protocols. For the other direction, we adapt the proof of quantumness protocol by Brakerski et al. (FOCS '18) to instantiate such a position verification protocol. As a result, we achieve classically verifiable position verification assuming the quantum hardness of Learning with Errors.Along the way, we develop the notion of 1-of-2 non-local soundness for the framework of 1-of-2 puzzles, first introduced by Radian and Sattath (AFT '19), which can be viewed as a computational unclonability property. We show that 1-of-2 non-local soundness follows from the standard 2-of-2 soundness, which could be of independent interest.

show abstract

“…LWE-based cryptosystems lie at the center of efforts by the National Institute of Standards and Technology (NIST) to develop post-quantum cryptographic standards. LWE has also had applications to learning theory, in the form of hardness results for learning intersections of halfspaces [KS09], and in game theory, where the hardness of LWE implies the hardness of the complexity class PPAD [JKKZ21]. Finally, LWE enjoys remarkable structural properties such as leakage-resilience [GKPV10].…”

Section: Introductionmentioning

confidence: 99%

Continuous LWE is as Hard as LWE & Applications to Learning Gaussian Mixtures

Gupte¹,

Vafa²,

Vaikuntanathan³

2022

Preprint

View full text Add to dashboard Cite

We show direct and conceptually simple reductions between the classical learning with errors (LWE) problem and its continuous analog, CLWE (Bruna, Regev, Song and Tang, STOC 2021). This allows us to bring to bear the powerful machinery of LWE-based cryptography to the applications of CLWE. For example, we obtain the hardness of CLWE under the classical worst-case hardness of the gap shortest vector problem. Previously, this was known only under quantum worst-case hardness of lattice problems. More broadly, with our reductions between the two problems, any future developments to LWE will also apply to CLWE and its downstream applications.As a concrete application, we show an improved hardness result for density estimation for mixtures of Gaussians. In this computational problem, given sample access to a mixture of Gaussians, the goal is to output a function that estimates the density function of the mixture. Under the (plausible and widely believed) exponential hardness of the classical LWE problem, we show that Gaussian mixture density estimation in R n with roughly log n Gaussian components given poly(n) samples requires time quasi-polynomial in n. Under the (conservative) polynomial hardness of LWE, we show hardness of density estimation for n ǫ Gaussians for any constant ǫ > 0, which improves on Bruna, Regev, Song and Tang (STOC 2021), who show hardness for at least √ n Gaussians under polynomial (quantum) hardness assumptions. Our key technical tool is a reduction from classical LWE to LWE with k-sparse secrets where the multiplicative increase in the noise is only O( √ k), independent of the ambient dimension n.

show abstract

SNARGs for bounded depth computations and PPAD hardness from sub-exponential LWE

Cited by 31 publications

References 50 publications

The GKR Protocol Revisited

The GKR Protocol Revisited

Beating Classical Impossibility of Position Verification

Continuous LWE is as Hard as LWE & Applications to Learning Gaussian Mixtures

Contact Info

Product

Resources

About