Title: Local Proofs Approaching the Witness Length
Authors: Noga Ron-Zewi, Ron D. Rothblum
DOI: 10.1145/3661483 (https://doi.org/10.1145/3661483)
Venue (as recorded): IACR Cryptol. ePrint Arch., 1062
Publication type: Journal Article
Publication date: 2024-04-25
Citation count: 35
Abstract

Interactive oracle proofs (IOPs) are a hybrid between interactive proofs and PCPs. In an IOP the prover is allowed to interact with a verifier (like in an interactive proof) by sending relatively long messages to the verifier, who in turn is only allowed to query a few of the bits that were sent (like in a PCP). Efficient IOPs are currently at the core of leading practical implementations of highly efficient proof systems.

In this work we construct, for a large class of NP relations, IOPs in which the communication complexity approaches the witness length. More precisely, for any NP relation for which membership can be decided in polynomial time with bounded polynomial space (i.e., space \(n^{\xi}\) for some sufficiently small constant \(\xi > 0\); e.g., SAT, Hamiltonicity, Clique, Vertex-Cover, etc.) and for any constant \(\gamma > 0\), we construct an IOP with communication complexity \((1 + \gamma) \cdot n\), where \(n\) is the original witness length. The number of rounds, as well as the number of queries made by the IOP verifier, are constant.

This result improves over prior works on short IOPs/PCPs in two ways. First, the communication complexity in these short IOPs is proportional to the complexity of verifying the NP witness, which can be polynomially larger than the witness size. Second, even ignoring the difference between witness length and non-deterministic verification time, prior works incur (at the very least) a large constant multiplicative overhead in the communication complexity.

In particular, as a special case, we also obtain an IOP for CircuitSAT with communication complexity \((1 + \gamma) \cdot t\), for circuits of size \(t\) and any constant \(\gamma > 0\). This improves upon the prior state-of-the-art work of Ben-Sasson et al. (ICALP, 2017), who construct an IOP for CircuitSAT with communication length \(c \cdot t\) for a large (unspecified) constant \(c \geq 1\).

Our proof leverages the local testability and (relaxed) local correctability of high-rate tensor codes, as well as their support of a sumcheck-like procedure. In particular, we bypass the barrier imposed by the low rate of multiplication codes (e.g., Reed-Solomon, Reed-Muller or AG codes), a key building block of all known short PCP/IOP constructions.