ECCC
Electronic Colloquium on Computational Complexity
Login | Register | Classic Style



REPORTS > DETAIL:

Revision(s):

Revision #3 to TR12-045 | 30th December 2012 23:27

On the Concrete-Efficiency Threshold of Probabilistically-Checkable Proofs

RSS-Feed




Revision #3
Authors: Eli Ben-Sasson, Alessandro Chiesa, Daniel Genkin, Eran Tromer
Accepted on: 30th December 2012 23:27
Downloads: 812
Keywords: 


Abstract:

Probabilistically-Checkable Proofs (PCPs) form the algorithmic core that enables fast verification of long computations in many cryptographic constructions. Yet, despite the wonderful asymptotic savings they bring, PCPs are also the infamous computational bottleneck preventing these powerful cryptographic constructions from being used in practice. To address this problem, we present several results about the computational efficiency of PCPs.

We construct the first PCP where the prover and verifier time complexities are quasi-optimal (i.e., optimal up to poly-logarithmic factors). The prover and verifier are also higly-parallelizable, and these computational guarantees hold even when proving and verifying the correctness of random-access machine computations. Our construction is explicit and has the requisite properties for being used in the cryptographic applications mentioned above.

Next, to better understand the efficiency of our PCP, we propose a new efficiency measure for PCPs (and their major components, locally-testable codes and PCPs of proximity). We define a concrete-efficiency threshold that indicates the smallest problem size beyond which the PCP becomes “useful”, in the sense that using it is cheaper than performing naive verification (i.e., rerunning the computation); our definition accounts for both the prover and verifier complexity.

We then show that our PCP has a finite concrete-efficiency threshold. That such a PCP exists does not follow from existing works on PCPs with polylogarithmic-time verifiers.

As in [Ben-Sasson and Sudan, STOC ’05], PCPs of proximity for Reed–Solomon (RS) codes are the main component of our PCP. We construct a PCP of proximity that reduces the concrete-efficiency threshold for testing proximity to RS codes from $2^{683}$ in their work to $2^{43}$, which is tantalizingly close to practicality.



Changes to previous version:

Revisions in the introductory sections. Also, in previous versions, we claimed threshold computations that were smaller for both [BSS08] and our construction, since we computed the threshold by dividing by the block length n(k) instead of the dimension k; this has been corrected.


Revision #2 to TR12-045 | 17th August 2012 16:31

On the Concrete-Efficiency Threshold of Probabilistically-Checkable Proofs





Revision #2
Authors: Eli Ben-Sasson, Alessandro Chiesa, Daniel Genkin, Eran Tromer
Accepted on: 17th August 2012 16:31
Downloads: 436
Keywords: 


Abstract:

Probabilistically-Checkable Proofs (PCPs) form the algorithmic core that enables succinct verification of long proofs/computations in many cryptographic constructions, such as succinct arguments and proof-carrying data.

Despite the wonderful asymptotic savings they bring, PCPs are also the infamous computational bottleneck preventing these cryptographic constructions from being used in practice. This reflects a lack of understanding of how to study and improve the concrete (as opposed to asymptotic) efficiency of PCPs.

We propose a new efficiency measure for PCPs (and its major component: locally-testable codes and PCPs of proximity). We define a \emph{concrete-efficiency threshold} that indicates the smallest problem size beyond which the PCP becomes ``useful'', in the sense that using it actually pays off relative to naive verification by simply rerunning the computation; our definition takes into account \emph{both} the prover's and verifier's complexity.

We then show that there exists a PCP with a \emph{finite} concrete-efficiency threshold. This does not follow from existing works on PCPs with succinct verifiers. We provide an explicit PCP construction where the prover and verifier are efficient enough to achieve a finite threshold, and further show that this PCP has the requisite properties for being used in the cryptographic applications mentioned above. Our construction in fact also yields a PCP system for random-access machines where the (asymptotic) time complexity of both the prover and verifier are \emph{essentially optimal} and where both prover and verifier are \emph{highly-parallelizable}.

Moreover, we extend and improve the Reed-Solomon PCPs of proximity over fields of characteristic $2$, which constitute the main component in the quasilinear-size construction of [Ben-Sasson and Sudan, STOC~'05] as well as our construction. Our improvements reduce the concrete-efficiency threshold for testing proximity to Reed-Solomon codes from $2^{572}$ in their work to $2^{35}$, which is tantalizingly close to practicality. We hope this will motivate the search for even better constructions, ultimately leading to practical PCPs for succinct verification of long computations.



Changes to previous version:

Thorough revisions for clarity and consistency in the technical sections.


Revision #1 to TR12-045 | 23rd May 2012 04:11

On the Concrete-Efficiency Threshold of Probabilistically-Checkable Proofs





Revision #1
Authors: Eli Ben-Sasson, Alessandro Chiesa, Daniel Genkin, Eran Tromer
Accepted on: 23rd May 2012 04:11
Downloads: 564
Keywords: 


Abstract:

Probabilistically-Checkable Proofs (PCPs) form the algorithmic core that enables succinct verification of long proofs/computations in many cryptographic constructions, such as succinct arguments and proof-carrying data.

Despite the wonderful asymptotic savings they bring, PCPs are also the infamous computational bottleneck preventing these cryptographic constructions from being used in practice. This reflects a lack of understanding of how to study and improve the concrete (as opposed to asymptotic) efficiency of PCPs.

We propose a new efficiency measure for PCPs (and its major component: locally-testable codes and PCPs of proximity). We define a concrete-efficiency threshold that indicates the smallest problem size beyond which the PCP becomes “useful”, in the sense that using it actually pays off relative to naive verification by simply rerunning the computation; our definition takes into account both the prover’s and verifier’s complexity.

We then show that there exists a PCP with a finite concrete-efficiency threshold. This does not follow from existing works on PCPs with succinct verifiers. We provide a PCP construction where the prover and verifier are efficient enough to achieve a finite threshold, and further show that this PCP has the requisite properties for being used in the cryptographic applications mentioned above.

Moreover, we extend and improve the Reed-Solomon PCPs of proximity over fields of characteristic 2, which constitute the main component in the quasilinear-size construction of [Ben-Sasson and Sudan, STOC ’05] as well as our construction. Our improvements reduce the concrete-efficiency threshold for testing proximity to Reed-Solomon codes from $2^{572}$ in their work to $2^{35}$, which is tantalizingly close to practicality. We hope this will motivate the search for even better constructions, ultimately leading to practical PCPs for succinct verification of long computations.


Paper:

TR12-045 | 22nd April 2012 21:11

On the Concrete-Efficiency Threshold of Probabilistically-Checkable Proofs


Abstract:

Probabilistically-Checkable Proofs (PCPs) form the algorithmic core that enables succinct verification of long proofs/computations in many cryptographic constructions, such as succinct arguments and proof-carrying data.

Despite the wonderful asymptotic savings they bring, PCPs are also the infamous computational bottleneck preventing these cryptographic constructions from being used in practice. This reflects a lack of understanding of how to study and improve the concrete (as opposed to asymptotic) efficiency of PCPs.

We propose a new efficiency measure for PCPs (and its major component: locally-testable codes and PCPs of proximity). We define a concrete-efficiency threshold that indicates the smallest problem size beyond which the PCP becomes “useful”, in the sense that using it actually pays off relative to naive verification by simply rerunning the computation; our definition takes into account both the prover’s and verifier’s complexity.

We then show that there exists a PCP with a finite concrete-efficiency threshold. This does not follow from existing works on PCPs with succinct verifiers. We provide a PCP construction where the prover and verifier are efficient enough to achieve a finite threshold, and further show that this PCP has the requisite properties for being used in the cryptographic applications mentioned above.

Moreover, we extend and improve the Reed-Solomon PCPs of proximity over fields of characteristic 2, which constitute the main component in the quasilinear-size construction of [Ben-Sasson and Sudan, STOC ’05] as well as our construction. Our improvements reduce the concrete-efficiency threshold for testing proximity to Reed-Solomon codes from $2^{572}$ in their work to $2^{35}$, which is tantalizingly close to practicality. We hope this will motivate the search for even better constructions, ultimately leading to practical PCPs for succinct verification of long computations.



ISSN 1433-8092 | Imprint