
No-Signaling Linear PCPs

Research Article, Journal of Cryptology

Abstract

In this paper, we give a no-signaling linear probabilistically checkable proof (PCP) system for polynomial-time deterministic computation, i.e., a PCP system for \(\mathcal {P}\) such that (1) the honest PCP oracle is a linear function and (2) the soundness holds against any (computational) no-signaling cheating prover, who is allowed to answer each query according to a distribution that depends on the entire query set in a certain way. To the best of our knowledge, our construction is the first PCP system that satisfies these two properties simultaneously. As an application of our PCP system, we obtain a 2-message delegating computation scheme by using a known transformation. Compared with the existing 2-message delegating computation schemes that are based on standard cryptographic assumptions, our scheme requires preprocessing but has a simpler structure and makes use of different (possibly cheaper) standard cryptographic primitives, namely additive/multiplicative homomorphic encryption schemes.

Fig. 1
Fig. 2


Notes

  1. Actually, SNARGs in the standard model require the existence of common reference strings, and some constructions of them further require that the verifier has some private information about the common reference strings.

  2. In general, their soundness is required to hold against any (possibly nonlinear) functions; linear PCPs with this notion of soundness are sometimes called “strong linear PCPs” [12].

  3. The client of the delegation scheme is required to run the verifier query algorithm of the underlying PCP in the offline phase, and this is the reason why the offline phase of our delegation scheme is expensive. (The verifier query algorithm of our PCP is expensive since the length of each query is quadratic in \(|C |\).)

  4. It is likely that the query complexity of our PCP can be easily reduced to polylogarithmic, but we have not verified it formally.

  5. Quasi-distributions are a generalized notion of probability distributions and allow negative probabilities.

  6. In this paper, the tensor product of two vectors is viewed as a vector (with an appropriate ordering of the elements) rather than a matrix.

  7. We assume that for any gate with fan-out more than one, all the output wires of that gate share the same index \(i\in [N]\).

  8. We assume that for any gate with fan-out more than one, all the output wires of that gate share the same index \(i\in [N]\).

  9. This definition of \(\delta \)-closeness is taken from [1, Definition 11.20] and it is different from the standard definition from coding theory (where typically \(\delta \)-closeness means \(\Pr _{} [ f(\varvec{r}) \ne \hat{f}(\varvec{r}) \mid \varvec{r}\leftarrow \mathbb {F}^{\ell } ]\le \delta \)).

  10. Formally, P outputs a single linear function (with which the verifier can evaluate both \(\pi _f\) and \(\pi _g\)) as the PCP proof, but in this overview we simply think that the prover outputs two linear functions as the PCP proof.

  11. We assume \(\kappa _{\textrm{max}}(\lambda )\ge \kappa _{V}(\lambda )+1\), where \(\kappa _{V}\) is the query complexity of V.

  12. Concretely, we first obtain \(\Pr _{} \left[ \pi ^*_f(\varvec{0}) = 0 \mid (\varvec{x}, y, \pi ^*) \leftarrow P^*(1^{\lambda }, C_{\lambda }, \{\varvec{0} \}) \right] \ge 1-\textsf{negl}(\lambda )\) from the linearity of \(\pi ^*_f\) and then obtain Eq. (3.14).

  13. To use the union bound on Eqs. (3.13), (3.14), (3.15), we need to argue that every probability in these equations does not decrease non-negligibly when we obtain \(\pi ^*\) by querying \(\{\varvec{e}_{\alpha }, \varvec{e}_{\beta }, \varvec{e}_{\gamma }, -\varvec{e}_{\gamma }, \varvec{e}_{\alpha }\otimes \varvec{e}_{\beta } \}\) to \(P^*\). We can show that every probability indeed does not decrease non-negligibly by using the no-signaling property of \(P^*\).

  14. Formally, we need to argue that the probabilities in these inequalities do not decrease non-negligibly when we change the queries to \(P^*\), which we can show by relying on the no-signaling property of \(P^*\). A key point is that the number of the queries to \(P^*\) can be bounded by a fixed polynomial in \(\lambda \).

  15. Actually, \(\mu \) can be any function in \(\omega (\log \lambda )\) as long as \(\mu \) is sufficiently smaller than \(\lambda \).

  16. Since \(\mathbb {F}\) is of prime order, it is possible to compute \(\textsf{Enc}(\textsf{pk}, v\cdot m)\) from \(\textsf{Enc}(\textsf{pk}, m)\) for any \(v,m\in \mathbb {F}\).

  17. Specifically, the length of each query is quadratic in \(|C |\).

  18. Formally, \(\kappa _{\textrm{max}}\) depends on \(m\), which is an upper bound of the output length of the circuits to be considered.

  19. More precisely, the honest PCP proof is a single linear function with which one can evaluate both \(\pi _f\) and \(\pi _g\), but in this overview we think that the PCP proof consists of \(\pi _f\) and \(\pi _g\) for simplicity.

  20. Actually, more results are known in this direction (e.g., [11]). See [37, Section 2.3] for detail.

References

  1. S. Arora, B. Barak, Computational Complexity: A Modern Approach (Cambridge University Press, Cambridge, UK, 2009). A draft is available at http://theory.cs.princeton.edu/complexity/book.pdf.

  2. W. Aiello, S.N. Bhatt, R. Ostrovsky, S. Rajagopalan, Fast verification of any remote procedure call: Short witness-indistinguishable one-round proofs for NP, in U. Montanari, J.D.P. Rolim, E. Welzl, editors, ICALP 2000, volume 1853 of LNCS (Springer, Heidelberg, 2000), pp. 463–474

  3. P. Ananth, Y.-C. Chen, K.-M. Chung, H. Lin, W.-K. Lin, Delegating RAM computations with adaptive soundness and privacy, in M. Hirt, A.D. Smith, editors, TCC 2016-B, Part II, volume 9986 of LNCS (Springer, Heidelberg, 2016), pp. 3–30

  4. S. Arora, C. Lund, R. Motwani, M. Sudan, M. Szegedy, Proof verification and the hardness of approximation problems. J. ACM, 45(3):501–555 (1998)


  5. S. Arora, S. Safra, Probabilistic checking of proofs: A new characterization of NP. J. ACM, 45(1):70–122 (1998)


  6. D. Boneh, X. Boyen, H. Shacham, Short group signatures, in M. Franklin, editor, CRYPTO 2004, volume 3152 of LNCS (Springer, Heidelberg, 2004), pp. 41–55

  7. N. Bitansky, A. Chiesa, Succinct arguments from multi-prover interactive proofs and their efficiency benefits, in R. Safavi-Naini, R. Canetti, editors, CRYPTO 2012, volume 7417 of LNCS (Springer, Heidelberg, 2012), pp. 255–272

  8. N. Bitansky, R. Canetti, A. Chiesa, S. Goldwasser, H. Lin, A. Rubinstein, E. Tromer, The hunting of the SNARK. Journal of Cryptology, 30(4):989–1066 (2017)

  9. N. Bitansky, R. Canetti, A. Chiesa, E. Tromer, Recursive composition and bootstrapping for SNARKS and proof-carrying data, in D. Boneh, T. Roughgarden, J. Feigenbaum, editors, 45th ACM STOC (ACM Press, 2013), pp. 111–120

  10. E. Ben-Sasson, A. Chiesa, D. Genkin, E. Tromer, M. Virza, SNARKs for C: Verifying program executions succinctly and in zero knowledge, in R. Canetti, J.A. Garay, editors, CRYPTO 2013, Part II, volume 8043 of LNCS (Springer, Heidelberg, 2013), pp. 90–108

  11. M. Bellare, D. Coppersmith, J. Håstad, M. Kiwi, M. Sudan, Linearity testing in characteristic two. IEEE Transactions on Information Theory, 42(6):1781–1795 (1996)

  12. N. Bitansky, A. Chiesa, Y. Ishai, R. Ostrovsky, O. Paneth, Succinct non-interactive arguments via linear interactive proofs, in A. Sahai, editor, TCC 2013, volume 7785 of LNCS (Springer, Heidelberg, 2013), pp. 315–333

  13. E. Ben-Sasson, A. Chiesa, N. Spooner, Interactive oracle proofs, in M. Hirt, A.D. Smith, editors, TCC 2016-B, Part II, volume 9986 of LNCS (Springer, Heidelberg, 2016), pp. 31–60

  14. E. Ben-Sasson, A. Chiesa, E. Tromer, M. Virza, Succinct non-interactive zero knowledge for a von Neumann architecture, in Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, August 20–22, 2014. (2014), pp. 781–796.

  15. L. Babai, L. Fortnow, L.A. Levin, M. Szegedy, Checking computations in polylogarithmic time, in 23rd ACM STOC (ACM Press, 1991), pp. 21–31

  16. B. Barak, O. Goldreich, Universal arguments and their applications. SIAM Journal on Computing, 38(5):1661–1694 (2009)


  17. N. Bitansky, S. Garg, H. Lin, R. Pass, S. Telang, Succinct randomized encodings and their applications, in R.A. Servedio, R. Rubinfeld, editors, 47th ACM STOC (ACM Press, 2015), pp. 439–448

  18. Z. Brakerski, J. Holmgren, Y. Kalai, Non-interactive RAM and batch NP delegation from any PIR. Cryptology ePrint Archive, Report 2016/459, 2016. https://eprint.iacr.org/2016/459

  19. Z. Brakerski, J. Holmgren, Y.T. Kalai, Non-interactive delegation and batch NP verification from standard computational assumptions, in H. Hatami, P. McKenzie, V. King, editors, 49th ACM STOC (ACM Press, 2017), pp. 474–482.

  20. D. Boneh, Y. Ishai, A. Sahai, D.J. Wu, Lattice-based SNARGs and their application to more efficient obfuscation, in J. Coron, J.B. Nielsen, editors, EUROCRYPT 2017, Part III, volume 10212 of LNCS (Springer, Heidelberg, 2017), pp. 247–277

  21. S. Badrinarayanan, Y.T. Kalai, D. Khurana, A. Sahai, D. Wichs, Succinct delegation for low-space non-deterministic computation, in I. Diakonikolas, D. Kempe, M. Henzinger, editors, 50th ACM STOC (ACM Press, 2018), pp. 709–721.

  22. M. Blum, M. Luby, R. Rubinfeld, Self-testing/correcting with applications to numerical problems. J. Comput. Syst. Sci. 47(3):549–595 (1993)


  23. I. Biehl, B. Meyer, S. Wetzel, Ensuring the integrity of agent-based computations by short proofs, in Mobile Agents, Second International Workshop, MA’98, Stuttgart, Germany, September 1998, Proceedings (1998), pp. 183–194

  24. Y.-C. Chen, S.S.M. Chow, K.-M. Chung, R.W.F. Lai, W.-K. Lin, H.-S. Zhou, Cryptography for parallel RAM from indistinguishability obfuscation, in M. Sudan, editor, ITCS 2016 (ACM, 2016), pp 179–190

  25. R. Canetti, Y. Chen, J. Holmgren, M. Raykova, Adaptive succinct garbled RAM or: How to delegate your database, in M. Hirt, A.D. Smith, editors, TCC 2016-B, Part II, volume 9986 of LNCS (Springer, Heidelberg, 2016), pp. 61–90

  26. R. Canetti, J. Holmgren, Fully succinct garbled RAM, in M. Sudan, editor, ITCS 2016 (ACM, 2016), pp. 169–178

  27. R. Canetti, J. Holmgren, A. Jain, V. Vaikuntanathan., Succinct garbling and indistinguishability obfuscation for RAM programs, in R.A. Servedio, R. Rubinfeld, editors, 47th ACM STOC (ACM Press, 2015), pp. 429–437

  28. K.-M. Chung, Y. Kalai, S.P. Vadhan, Improved delegation of computation using fully homomorphic encryption, in T. Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, (Springer, Heidelberg, 2010), pp. 483–501

  29. A. Chiesa, P. Manohar, I. Shinkar, Testing linearity against non-signaling strategies, in 33rd Computational Complexity Conference (CCC 2018), 22–24 June 2018, San Diego, California, USA (2018), pp. 17:1–17:37

  30. A. Chiesa, P. Manohar, I. Shinkar, Probabilistic checking against non-signaling strategies from linearity testing, in A. Blum, editor, ITCS 2019, volume 124 (LIPIcs, 2019), pp. 25:1–25:17

  31. G. Danezis, C. Fournet, J. Groth, M. Kohlweiss, Square span programs with applications to succinct NIZK arguments, in P. Sarkar, T. Iwata, editors, ASIACRYPT 2014, Part I, volume 8873 of LNCS (Springer, Heidelberg, 2014), pp. 532–550.

  32. I. Damgård, S. Faust, C. Hazay, Secure two-party computation with low communication, in R. Cramer, editor, TCC 2012, volume 7194 of LNCS (Springer, Heidelberg, 2012), pp. 54–74.

  33. R. Gennaro, C. Gentry, B. Parno, Non-interactive verifiable computing: Outsourcing computation to untrusted workers, in T. Rabin, editor, CRYPTO 2010, volume 6223 of LNCS (Springer, Heidelberg, 2010), pp. 465–482

  34. R. Gennaro, C. Gentry, B. Parno, M. Raykova, Quadratic span programs and succinct NIZKs without PCPs, in T. Johansson, P.Q. Nguyen, editors, EUROCRYPT 2013, volume 7881 of LNCS (Springer, Heidelberg, 2013), pp. 626–645.

  35. S. Goldwasser, Y.T. Kalai, G.N. Rothblum, Delegating computation: Interactive proofs for muggles. J. ACM, 62(4):27:1–27:64 (2015)

  36. S. Goldwasser, S. Micali, Probabilistic encryption. J. Comput. Syst. Sci. 28(2):270–299 (1984)


  37. O. Goldreich, Introduction to Property Testing (Cambridge University Press, Cambridge, UK, 2017). A draft is available at http://www.wisdom.weizmann.ac.il/~oded/PDF/pt-v3.pdf.

  38. J. Groth, Short pairing-based non-interactive zero-knowledge arguments, in M. Abe, editor, ASIACRYPT 2010, volume 6477 of LNCS (Springer, Heidelberg, 2010), pp. 321–340.

  39. J. Groth, On the size of pairing-based non-interactive arguments, in M. Fischlin, J.-S. Coron, editors, EUROCRYPT 2016, Part II, volume 9666 of LNCS (Springer, Heidelberg, 2016), pp. 305–326

  40. J. Holmgren, R. Rothblum, Delegating computations with (almost) minimal time and space overhead, in M. Thorup, editor, 59th FOCS (IEEE Computer Society Press, 2018), pp. 124–135

  41. Y. Ishai, E. Kushilevitz, R. Ostrovsky, Efficient arguments without short PCPs, in 22nd Annual IEEE Conference on Computational Complexity (CCC 2007), 13–16 June 2007, San Diego, California, USA (2007), pp. 278–291.

  42. J. Kilian, A note on efficient zero-knowledge proofs and arguments (extended abstract), in 24th ACM STOC (ACM Press, 1992), pp. 723–732.

  43. V. Koppula, A.B. Lewko, B. Waters, Indistinguishability obfuscation for Turing machines with unbounded memory, in R.A. Servedio, R. Rubinfeld, editors, 47th ACM STOC (ACM Press, 2015), pp. 419–428.

  44. Y.T. Kalai, O. Paneth, Delegating RAM computations, in M. Hirt, A.D. Smith, editors, TCC 2016-B, Part II, volume 9986 of LNCS (Springer, Heidelberg, 2016), pp. 91–118.

  45. Y.T. Kalai, R. Raz, R.D. Rothblum, Delegation for bounded space, in D. Boneh, T. Roughgarden, J. Feigenbaum, editors, 45th ACM STOC (ACM Press, June 2013), pp. 565–574.

  46. Y.T. Kalai, R. Raz, R.D. Rothblum, How to delegate computations: the power of no-signaling proofs, in D.B. Shmoys, editor, 46th ACM STOC (ACM Press, 2014), pp. 485–494

  47. H. Lipmaa, Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments, in R. Cramer, editor, TCC 2012, volume 7194 of LNCS (Springer, Heidelberg, 2012), pp. 169–189

  48. H. Lipmaa, Succinct non-interactive zero knowledge arguments from span programs and linear error-correcting codes, in K. Sako, P. Sarkar, editors, ASIACRYPT 2013, Part I, volume 8269 of LNCS (Springer, Heidelberg, 2013), pp. 41–60

  49. S. Micali, Computationally sound proofs. SIAM J. Comput., 30(4), 1253–1298 (2000)


  50. O. Paneth, G.N. Rothblum, On zero-testable homomorphic encryption and publicly verifiable non-interactive arguments, in Y. Kalai, L. Reyzin, editors, TCC 2017, Part II, volume 10678 of LNCS (Springer, Heidelberg, 2017), pp. 283–315

  51. B. Parno, M. Raykova, V. Vaikuntanathan, How to delegate and verify in public: Verifiable computation from attribute-based encryption, in R. Cramer, editor, TCC 2012, volume 7194 of LNCS (Springer, Heidelberg, 2012), pp. 422–439

  52. S. Setty, B. Braun, V. Vu, A.J. Blumberg, B. Parno, M. Walfish, Resolving the conflict between generality and plausibility in verified computation, in Proceedings of the ACM European Conference on Computer Systems (EuroSys) (ACM, 2013)

  53. S. Setty, A.J. Blumberg, M. Walfish, Toward practical and unconditional verification of remote computations, in Workshop on Hot Topics in Operating Systems (HotOS) (USENIX Advanced Computing Systems Association, 2011)

  54. S.T.V. Setty, R. McPherson, A.J. Blumberg, M. Walfish, Making argument systems for outsourced computation practical (sometimes), in NDSS 2012 (The Internet Society, 2012)

  55. S.T.V. Setty, V. Vu, N. Panpalia, B. Braun, A.J. Blumberg, M. Walfish, Taking proof-based verified computation a few steps closer to practicality, in Proceedings of the 21st USENIX Security Symposium, Bellevue, WA, USA, August 8–10, 2012 (2012), pp. 253–268.

  56. V. Vu, S.T.V. Setty, A.J. Blumberg, M. Walfish, A hybrid architecture for interactive verifiable computation, in 2013 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2013), pp. 223–237


Acknowledgements

We would like to thank the anonymous reviewers of TCC2018 and Journal of Cryptology for their helpful comments about the presentation of this paper.


Corresponding author

Correspondence to Susumu Kiyoshima.

Additional information

Communicated by Rafail Ostrovsky.


This article is a full version of the following article: No-signaling Linear PCPs, in Proceedings of TCC 2018, © IACR 2018, https://doi.org/10.1007/978-3-030-03807-6_3. Most parts of this work were done while the author was a member of NTT Secure Platform Laboratories.

Appendices

A. Overview of ALMSS Linear PCP

In this section, we give an informal overview of the linear PCP system of Arora et al. [4] (the ALMSS linear PCP in short). (For more formal explanations, we refer the readers to, e.g., the textbook by Arora and Barak [1, Chapter 11.5].) For simplicity, we focus on the case of constant soundness error.

A.1. Language for which ALMSS Linear PCP is Defined

The ALMSS linear PCP is defined for a particular \(\mathcal{N}\mathcal{P}\)-complete language, namely satisfiability of systems of quadratic equations over finite fields (that is, the language that consists of all the satisfiable systems of quadratic equations over finite fields). We remark that an instance of satisfiability of arithmetic circuits (i.e., the language that we use in the main body of this paper) can be easily reduced to satisfiability of quadratic equations. Indeed, given a triple \((C, \varvec{x}, \varvec{y})\) of an arithmetic circuit \(C\), an input \(\varvec{x}\), and an output \(\varvec{y}\), one can efficiently obtain a system of quadratic equations that is satisfiable if and only if \(C(\varvec{x}) = \varvec{y}\) by considering, e.g., a system that has a variable for each wire of \(C\), has the equation \(z_i + z_j = z_k\) (resp., \(z_i z_j = z_k\)) if \(C\) has an addition (resp., multiplication) gate with input wires \(i, j\) and output wire \(k\), and has equations fixing the variables of the input wires to \(\varvec{x}\) and those of the output wires to \(\varvec{y}\).

A.2. Construction of ALMSS Linear PCP and Its Analysis

Let

be a system of quadratic equations over a finite field \(\mathbb {F}\), where \(\varvec{z} = (z_1, \ldots , z_{N})\) are the variables. Below, we describe the ALMSS linear PCP for the statement that \(\Psi \) is satisfiable.

The honest PCP proof of the ALMSS linear PCP consists of two linear functions \(\pi _f(\varvec{v}) :=\langle \varvec{v}, \varvec{w} \rangle \) and \(\pi _g(\varvec{v'}) :=\langle \varvec{v'}, \varvec{w} \otimes \varvec{w} \rangle \), where \(\varvec{w}\) is a satisfying assignment \(\varvec{w}\in \mathbb {F}^{N}\) to \(\Psi \) (Footnote 19). In what follows, we give a verifier that accepts this honest PCP proof with probability 1 when the statement is true while rejecting any PCP proof with high probability when the statement is false.

As a warm-up, we first give a verifier such that when it is given a PCP proof that is guaranteed to be of the form \(\pi ^*_f(\varvec{v}) :=\langle \varvec{v}, \varvec{w}^* \rangle \) and \(\pi ^*_g(\varvec{v'}) :=\langle \varvec{v'}, \varvec{w}^* \otimes \varvec{w}^* \rangle \) for an assignment \(\varvec{w}^*\), it can verify whether or not \(\varvec{w}^*\) is a satisfying assignment. Let \(\Psi _{\varvec{\sigma }}(\varvec{z}) = c_{\varvec{\sigma }}\) be the quadratic equation that is obtained by taking a random linear combination of the equations of \(\Psi \), i.e., by defining the left-hand side by \(\Psi _{\varvec{\sigma }}(\varvec{z}) :=\sum _{i=1}^{M}\sigma _i\Psi _i(\varvec{z})\) and the right-hand side by \(c_{\varvec{\sigma }} :=\sum _{i=1}^{M}\sigma _ic_i\) for a random \(\varvec{\sigma } = (\sigma _1, \ldots , \sigma _{M})\in \mathbb {F}^{M}\). Now, a key observation is that we have \(\Psi _{\varvec{\sigma }}(\varvec{w}^*) = c_{\varvec{\sigma }}\) with probability 1 if \(\varvec{w}^*\) is a satisfying assignment, and \(\Psi _{\varvec{\sigma }}(\varvec{w}^*) \ne c_{\varvec{\sigma }}\) with probability \(1-1/|\mathbb {F} |\) if \(\varvec{w}^*\) is not a satisfying assignment. (To see the latter part, observe that if \(\varvec{w}^*\) is not a satisfying assignment, there exists \(i^*\in [M]\) such that \(\Psi _{i^*}(\varvec{w}^*) \ne c_{i^*}\), so we have \(\Psi _{\varvec{\sigma }}(\varvec{w}^*) = c_{\varvec{\sigma }}\) only when we have

$$\begin{aligned} \sigma _{i^*} = \frac{\sum _{i\ne i^*}\sigma _i(c_i-\Psi _i(\varvec{w}^*))}{\Psi _{i^*}(\varvec{w}^*)-c_{i^*}}, \end{aligned}$$

which we have only with probability \(1/|\mathbb {F} |\).) From this observation, it follows that a verifier can verify whether \(\varvec{w}^*\) is a satisfying assignment or not with soundness error \(1/|\mathbb {F} |\) by checking \(\Psi _{\varvec{\sigma }}(\varvec{w}^*) \overset{?}{=}c_{\varvec{\sigma }}\) for random \(\varvec{\sigma }\in \mathbb {F}^{M}\). This check can be done by making only two queries to the PCP proof (this is because there exist \(\varvec{\psi }_{\varvec{\sigma }}\in \mathbb {F}^{N}\) and \(\varvec{\psi '}_{\varvec{\sigma }}\in \mathbb {F}^{N^2}\) such that \(\Psi _{\varvec{\sigma }}(\varvec{w}^*) = \pi ^*_f(\varvec{\psi }_{\varvec{\sigma }}) + \pi ^*_g(\varvec{\psi '}_{\varvec{\sigma }})\)), and the soundness error can be decreased by repetition.

A problem of this warm-up analysis is, of course, that it relies on a strong guarantee that the (potentially maliciously created) PCP proof \((\pi ^*_f, \pi ^*_g)\) is of the form \(\pi ^*_f(\varvec{v}) = \langle \varvec{v}, \varvec{w}^* \rangle \) and \(\pi ^*_g(\varvec{v'}) = \langle \varvec{v'}, \varvec{w}^* \otimes \varvec{w}^* \rangle \) for some \(\varvec{w}^*\). In general, \(\pi ^*_f\) and \(\pi ^*_g\) are not necessarily linear functions, and even if they are, there does not necessarily exist \(\varvec{w}^*\) such that \(\pi ^*_f(\varvec{v}) = \langle \varvec{v}, \varvec{w}^* \rangle \) and \(\pi ^*_g(\varvec{v'}) = \langle \varvec{v'}, \varvec{w}^* \otimes \varvec{w}^* \rangle \).

This problem is overcome in the actual analysis by considering a verifier that additionally checks whether or not the PCP proof is “close” to the correct form. Namely, the actual verifier

  1. first verifies whether or not \(\pi ^*_f\) and \(\pi ^*_g\) are sufficiently “close” to some linear functions \(\tilde{\pi }_f\) and \(\tilde{\pi }_g\) of the form \(\tilde{\pi }_f(\varvec{v}) = \langle \varvec{v}, \varvec{w}^* \rangle \) and \(\tilde{\pi }_g(\varvec{v'}) = \langle \varvec{v'}, \varvec{w}^* \otimes \varvec{w}^* \rangle \) for an assignment \(\varvec{w}^*\), and

  2. if \(\pi ^*_f\) and \(\pi ^*_g\) pass the first test, then verifies whether or not \(\varvec{w}^*\) is a satisfying assignment.

Here, for any \(\delta \in [0,1]\), we say that a function f is \(\delta \)-close to a linear function \(\hat{f}\) if the fraction of the domain on which f agrees with \(\hat{f}\) is at least \(\delta \) (i.e., if \(\Pr _{} [ f(\varvec{r}) = \hat{f}(\varvec{r}) \mid \varvec{r}\leftarrow D ]\ge \delta \), where D is the domain of \(f, \hat{f}\)).

Concretely, the actual verifier of the ALMSS linear PCP does the following three tests on the PCP proof \((\pi ^*_f, \pi ^*_g)\):

  1. Linearity Test: This test verifies whether or not \(\pi ^*_f\) and \(\pi ^*_g\) are \(\delta \)-close to some linear functions for sufficiently large \(\delta \).

  2. Tensor-Product Test: Under the assumption that \(\pi ^*_f\) and \(\pi ^*_g\) are \(\delta \)-close to some linear functions \(\tilde{\pi }_f\) and \(\tilde{\pi }_g\) for sufficiently large \(\delta \), this test verifies whether or not \(\tilde{\pi }_f, \tilde{\pi }_g\) are of the form \(\tilde{\pi }_f(\varvec{v}) = \langle \varvec{v}, \varvec{w}^* \rangle \) and \(\tilde{\pi }_g(\varvec{v'}) = \langle \varvec{v'}, \varvec{w}^* \otimes \varvec{w}^* \rangle \) for an assignment \(\varvec{w}^*\).

  3. SAT Test: Under the assumption that \(\pi ^*_f\) and \(\pi ^*_g\) are \(\delta \)-close to linear functions \(\tilde{\pi }_f(\varvec{v}) = \langle \varvec{v}, \varvec{w}^* \rangle \) and \(\tilde{\pi }_g(\varvec{v'}) = \langle \varvec{v'}, \varvec{w}^* \otimes \varvec{w}^* \rangle \) for sufficiently large \(\delta \) and an assignment \(\varvec{w}^*\), this test verifies whether or not \(\varvec{w}^*\) is a satisfying assignment to \(\Psi \).

These three tests are done in parallel, and repeated many times to decrease the soundness error. The details of these three tests are described below.

Linearity Test. In Linearity Test, the verifier checks \(\pi ^*_f(\varvec{r}_1) + \pi ^*_f(\varvec{r}_2) \overset{?}{=}\pi ^*_f(\varvec{r}_1 + \varvec{r}_2)\) and \(\pi ^*_g(\varvec{r}'_1) + \pi ^*_g(\varvec{r}'_2) \overset{?}{=}\pi ^*_g(\varvec{r}'_1 + \varvec{r}'_2)\) for random \(\varvec{r}_1, \varvec{r}_2 \in \mathbb {F}^{N}\) and \(\varvec{r}'_1, \varvec{r}'_2 \in \mathbb {F}^{N^2}\). Clearly, if \(\pi ^*_f\) and \(\pi ^*_g\) are linear functions, they pass this test with probability 1. Furthermore, somewhat unexpectedly, it is known that the converse is also true in the following sense: If \(\pi ^*_f\) and \(\pi ^*_g\) pass this test with probability \(1-\rho \) for any \(\rho <1/6\), they are \((1-2\rho )\)-close to linear functions [22, 37] (Footnote 20). Thus, for any sufficiently large \(\delta \) (say, \(\delta =0.999\)), if the above test is repeated many times and \(\pi ^*_f\) and \(\pi ^*_g\) still pass all of them, they are \(\delta \)-close to linear functions with high probability.

Tensor-Product Test. As a warm-up, we first consider the case that \(\pi ^*_f\) and \(\pi ^*_g\) are guaranteed to be linear functions (rather than just being \(\delta \)-close to them). Consider a test that checks \(\pi ^*_f(\varvec{r}_1)\pi ^*_f(\varvec{r}_2) \overset{?}{=}\pi ^*_g(\varvec{r}_1\otimes \varvec{r}_2)\) for random \(\varvec{r}_1, \varvec{r}_2\in \mathbb {F}^{N}\). Let \(\varvec{u}\in \mathbb {F}^{N}, \varvec{u'}\in \mathbb {F}^{N^2}\) be the coefficients such that \(\pi ^*_f(\varvec{v}) = \langle \varvec{v}, \varvec{u} \rangle \) and \(\pi ^*_g(\varvec{v'}) = \langle \varvec{v'}, \varvec{u'} \rangle \).

  • If \(\varvec{u'} = \varvec{u}\otimes \varvec{u}\), we have that \(\pi ^*_f\) and \(\pi ^*_g\) pass the above test with probability 1 since we have

    $$\begin{aligned} \pi ^*_f(\varvec{r}_1)\pi ^*_f(\varvec{r}_2) = \left( \sum _{i=1}^{N}u_ir_{1,i} \right) \left( \sum _{i=1}^{N}u_ir_{2,i} \right) = \sum _{1\le i,j \le N} u_iu_jr_{1,i}r_{2,j} = \pi ^*_g(\varvec{r}_1\otimes \varvec{r}_2). \end{aligned}$$

  • If \(\varvec{u'} \ne \varvec{u}\otimes \varvec{u}\), we can see that \(\pi ^*_f\) and \(\pi ^*_g\) fail to pass the above test with probability at least \(1-2/|\mathbb {F} |\) as follows. Let \(M, M'\) be the matrices such that

    $$\begin{aligned} \pi ^*_f(\varvec{r}_1)\pi ^*_f(\varvec{r}_2) = \varvec{r}_1 M \varvec{r}_2^T&\quad \text {and}&\pi ^*_g(\varvec{r}_1\otimes \varvec{r}_2) = \varvec{r}_1 M' \varvec{r}_2^T. \end{aligned}$$

    (That is, \(M, M'\) are the \(N\times N\) matrices such that \(m_{i,j} = u_iu_j\) and \(m'_{i,j} = u'_{(i-1)N+j}\).) If we have \(\varvec{u'} \ne \varvec{u}\otimes \varvec{u}\), we have \(M \ne M'\), so we have \(\varvec{r}_1 M \ne \varvec{r}_1 M'\) with probability at least \(1-1/|\mathbb {F} |\) over the choice of \(\varvec{r}_1\) (a random linear combination of the rows of the nonzero matrix \(M - M'\) is zero with probability at most \(1/|\mathbb {F} |\)). Furthermore, if we have \(\varvec{r}_1 M \ne \varvec{r}_1 M'\), we have \(\varvec{r}_1 M \varvec{r}_2^T \ne \varvec{r}_1 M' \varvec{r}_2^T\) with probability at least \(1-1/|\mathbb {F} |\) over the choice of \(\varvec{r}_2\). Hence, if \(\varvec{u'} \ne \varvec{u}\otimes \varvec{u}\), we have \(\varvec{r}_1 M \varvec{r}_2^T \ne \varvec{r}_1 M' \varvec{r}_2^T\) (and thus \(\pi ^*_f(\varvec{r}_1)\pi ^*_f(\varvec{r}_2) \ne \pi ^*_g(\varvec{r}_1\otimes \varvec{r}_2)\)) with probability at least \(1-2/|\mathbb {F} |\) over the choice of \(\varvec{r}_1, \varvec{r}_2\).

Therefore, if the above test is repeated many times and \(\pi ^*_f\) and \(\pi ^*_g\) still pass all of them, we have \(\varvec{u'} = \varvec{u}\otimes \varvec{u}\) (and thus there exists \(\varvec{w}^*\) such that \(\pi ^*_f(\varvec{v}) = \langle \varvec{v}, \varvec{w}^* \rangle \) and \(\pi ^*_g(\varvec{v'}) = \langle \varvec{v'}, \varvec{w}^*\otimes \varvec{w}^* \rangle \)) with high probability.

Now, we consider the actual case that \(\pi ^*_f\) and \(\pi ^*_g\) are just \(\delta \)-close to some linear functions \(\tilde{\pi }_f, \tilde{\pi }_g\). A key observation is that since \(\delta \) is assumed to be sufficiently large, the verifier can approximately evaluate \(\tilde{\pi }_f, \tilde{\pi }_g\) through \(\pi ^*_f, \pi ^*_g\) via “self-correction”; namely, the verifier can evaluate \(\tilde{\pi }_f\) (resp., \(\tilde{\pi }_g\)) on any point \(\varvec{x}\in \mathbb {F}^{N}\) (resp., \(\varvec{x}\in \mathbb {F}^{N^2}\)) with error probability at most \(2(1-\delta )\) through the following simple probabilistic procedure.

\(\underline{{\textbf {Algorithm}}\,\textsf{Self}\textsf {-}\textsf{Correct}^{\pi ^*_f, \pi ^*_g}(\varvec{x})}\): Choose random \(\varvec{r}\in \mathbb {F}^{N}\) (resp., \(\varvec{r}\in \mathbb {F}^{N^2}\)) and output \(\pi ^*_f(\varvec{x}+\varvec{r}) - \pi ^*_f(\varvec{r})\) (resp., \(\pi ^*_g(\varvec{x}+\varvec{r}) - \pi ^*_g(\varvec{r})\)). (The error bound follows since \(\varvec{x}+\varvec{r}\) and \(\varvec{r}\) are each uniformly distributed: each of the two queries lands on a point where \(\pi ^*_f\) disagrees with \(\tilde{\pi }_f\) with probability at most \(1-\delta \), and when both queries are answered according to \(\tilde{\pi }_f\), the output equals \(\tilde{\pi }_f(\varvec{x})\) by linearity.)

Given this observation, in Tensor-Product Test the verifier applies the above warm-up test on \(\tilde{\pi }_f, \tilde{\pi }_g\) by evaluating them through \(\textsf{Self}\textsf {-}\textsf{Correct}^{\pi ^*_f, \pi ^*_g}\). Since the values that the verifier obtains through \(\textsf{Self}\textsf {-}\textsf{Correct}^{\pi ^*_f, \pi ^*_g}\) are correct with high probability, it follows that if \(\pi ^*_f\) and \(\pi ^*_g\) pass this test, there exists \(\varvec{w}^*\) such that \(\tilde{\pi }_f(\varvec{v}) = \langle \varvec{v}, \varvec{w}^* \rangle \) and \(\tilde{\pi }_g(\varvec{v'}) = \langle \varvec{v'}, \varvec{w}^*\otimes \varvec{w}^* \rangle \) with high probability.

SAT Test. Recall that, as observed at the beginning as a warm-up, when \(\pi ^*_f\) and \(\pi ^*_g\) are guaranteed to be of the form \(\pi ^*_f(\varvec{v}) = \langle \varvec{v}, \varvec{w}^* \rangle \) and \(\pi ^*_g(\varvec{v'}) = \langle \varvec{v'}, \varvec{w}^* \otimes \varvec{w}^* \rangle \) for an assignment \(\varvec{w}^*\), there exists a test that verifies whether or not \(\varvec{w}^*\) is a satisfying assignment to \(\Psi \). In SAT Test, assuming that \(\pi ^*_f\) and \(\pi ^*_g\) are \(\delta \)-close to some linear functions \(\tilde{\pi }_f, \tilde{\pi }_g\) such that \(\tilde{\pi }_f(\varvec{v}) = \langle \varvec{v}, \varvec{w}^* \rangle \) and \(\tilde{\pi }_g(\varvec{v'}) = \langle \varvec{v'}, \varvec{w}^* \otimes \varvec{w}^* \rangle \) for an assignment \(\varvec{w}^*\), the verifier applies this warm-up test on \(\tilde{\pi }_f, \tilde{\pi }_g\) by evaluating them through \(\textsf{Self}\textsf {-}\textsf{Correct}^{\pi ^*_f, \pi ^*_g}\). Since the values that the verifier obtains through \(\textsf{Self}\textsf {-}\textsf{Correct}^{\pi ^*_f, \pi ^*_g}\) are correct with high probability, it follows that if \(\pi ^*_f\) and \(\pi ^*_g\) pass this test, \(\varvec{w}^*\) is a satisfying assignment to \(\Psi \) with high probability.

B. Delegation Scheme based on Multiplicative Homomorphic Encryption

In this section, we explain how we prove Theorem 2 in the case of using multiplicative homomorphic encryption schemes over prime-order bilinear groups.

Construction. The construction is based on the one given in Sect. 10.3.1 for the case of additive homomorphic encryption schemes. In the following, the differences are highlighted in red.

  • \(\underline{{\textbf {Algorithm}}\,\textsf{Gen}(1^{\lambda }, C)}\)

    1. Run \((Q, \textsf{st}_{V}) \leftarrow \mathsf {PCP.V}_0(1^{\lambda }, C)\). Then, parse Q as \(\{\varvec{q}_i \}_{i\in [\kappa _{V}(\lambda )]}\), where \(\varvec{q}_i = (q_{i,1}, \ldots , q_{i,N'})\in \mathbb {F}^{N'}\).

    2. , and define \(\textsf{ct}_{1}, \ldots , \textsf{ct}_{\kappa _{\textrm{max}}(\lambda )}\) as follows.

       (a) Choose a random injective function \(\tau : [\kappa _{V}(\lambda )] \rightarrow [\kappa _{\textrm{max}}(\lambda )]\).

       (b) Define \(\textsf{ct}_i\) for each \(i\in [\kappa _{\textrm{max}}(\lambda )]\) by

           where \(({\textsf {HE}}\mathsf {.pk}_i, {\textsf {HE}}\mathsf {.sk}_i) {\leftarrow } \mathsf {HE.Gen}(1^{\lambda })\), , and .

    3. Output \(\textsf{pk}:=(\textsf{ct}_1, \ldots , \textsf{ct}_{\kappa _{\textrm{max}}(\lambda )})\) and .

  • \(\underline{{\textbf {Algorithm}}\,\textsf{Prove}(\textsf{pk}, C, \varvec{x}, \varvec{y})}\)

    1. Run \(\pi \leftarrow \mathsf {PCP.P}(C, \varvec{x}, \varvec{y})\). Let \(d_1, \ldots , d_{N'}\in \mathbb {F}\) be the elements such that \(\pi (\varvec{z}) = \sum _{i\in [N']}d_iz_i\).

    2. Parse \(\textsf{pk}\) as \((\textsf{ct}_1, \ldots , \textsf{ct}_{\kappa _{\textrm{max}}(\lambda )})\), where \(\textsf{ct}_i = (\textsf{ct}_{i,1}, \ldots , \textsf{ct}_{i, N'})\). Then, perform the homomorphic operation to obtain

       for every \(i\in [\kappa _{\textrm{max}}(\lambda )]\).

    3. Output \(\textsf{pr}:=(\tilde{\textsf{ct}}_1, \ldots , \tilde{\textsf{ct}}_{\kappa _{\textrm{max}}(\lambda )})\).

  • \(\underline{{\textbf {Algorithm}}\, \textsf{Verify}(\textsf{sk}, \varvec{x}, \varvec{y}, \textsf{pr})}\)

    1. Parse \(\textsf{sk}\) as , and \(\textsf{pr}\) as \((\tilde{\textsf{ct}}_1, \ldots , \tilde{\textsf{ct}}_{\kappa _{\textrm{max}}(\lambda )})\). Then, run \(a_i :=\mathsf {HE.Dec}({\textsf {HE}}\mathsf {.sk}_{\tau (i)}, \tilde{\textsf{ct}}_{\tau (i)})\) for every \(i\in [\kappa _{V}(\lambda )]\).

    2. Output , .

Security Analysis. The analysis is also based on the one given in Sect. 10.3.2 for the case of additive homomorphic encryption schemes. That is, given any successful cheating \(\textsc {ppt} \) adversary against the above scheme, we obtain a cheating PCP prover \(\mathsf {PCP.P}^*\) and show that it successfully fools the PCP verifier as well as that it is \(\kappa _{\textrm{max}}\)-wise no-signaling.

The problem is that if we obtain the PCP prover \(\mathsf {PCP.P}^*\) in exactly the same way as in Sect. 10.3.2, \(\mathsf {PCP.P}^*\) runs in super-polynomial time, since the PCP answers in the delegation scheme are now encoded in the exponent of g and thus \(\mathsf {PCP.P}^*\) needs to solve the discrete-logarithm problem to obtain the PCP answers. This is problematic since, if \(\mathsf {PCP.P}^*\) runs in super-polynomial time, we can no longer show the no-signaling property of \(\mathsf {PCP.P}^*\) under the CPA-security of \(\textsf{HE}\), which holds only against \(\textsc {ppt} \) adversaries.

To overcome this problem, we modify our PCP system so that the prover returns the PCP answers in the exponent of a generator of a bilinear group (which is chosen by the verifier as a public parameter), and the verifier runs the verification algorithm in the exponent by using the bilinear map. (Recall that the verification algorithm of our (original) PCP system only checks quadratic equations on the PCP answers.) It is easy to see that if this modified PCP system is sound against \(\kappa _{\textrm{max}}\)-wise no-signaling cheating provers, we can prove the soundness of the above delegation scheme as in Sect. 10.3.2. Furthermore, it can be verified by inspection that the analysis of our original PCP system (Sect. 5 to Sect. 9) can be straightforwardly modified so that it works for the above modified PCP system. (A key point is that every event we consider in the analysis can be efficiently checked by quadratic tests on the PCP answers.)
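To make the construction in Appendix B and the discrete-logarithm obstacle just described concrete, here is an added Python sketch (not the paper's code) that uses ElGamal over a constructed group of prime order 1019 as the multiplicative HE, so that PCP answers come out as g^{a_i}; the unused ciphertext slots encrypting g^0, the seed-driven key generation, and the omission of the bilinear-map verification step are simplifications assumed here.

```python
import random
# Constructed toy group: order-q subgroup of Z_p^*, p = 2q + 1, generator g; PCP field F = Z_q.
p, q, g = 2039, 1019, 4

def eg_gen(rng):
    sk = rng.randrange(1, q)
    return pow(g, sk, p), sk

def eg_enc(pk, m, rng):
    """ElGamal encryption of g^m; multiplying ciphertexts adds exponents."""
    r = rng.randrange(1, q)
    return pow(g, r, p), pow(pk, r, p) * pow(g, m, p) % p

def eg_dec(sk, ct):
    c1, c2 = ct
    return c2 * pow(c1, q - sk, p) % p   # c2 / c1^sk = g^m

def gen(queries, kappa_max, seed=0):
    """Gen: encrypt query q_i coordinate-wise under its own key in slot tau(i)
    of kappa_max slots; the unused slots encrypt g^0 (an assumption here)."""
    rng = random.Random(seed)
    tau = rng.sample(range(kappa_max), len(queries))   # random injective tau
    keys = [eg_gen(rng) for _ in range(kappa_max)]
    slots = [[0] * len(queries[0]) for _ in range(kappa_max)]
    for i, qi in enumerate(queries):
        slots[tau[i]] = qi
    pk = [[eg_enc(keys[s][0], m, rng) for m in slots[s]] for s in range(kappa_max)]
    return pk, (tau, [k[1] for k in keys])

def prove(pk, d):
    """Prove: evaluate pi(z) = sum_j d_j z_j under encryption by multiplying
    ct_{i,j}^{d_j}, giving Enc(g^{<q_i, d>}) without learning q_i."""
    out = []
    for slot in pk:
        c1 = c2 = 1
        for (a, b), dj in zip(slot, d):
            c1, c2 = c1 * pow(a, dj, p) % p, c2 * pow(b, dj, p) % p
        out.append((c1, c2))
    return out

def verify_exponents(sk, pr):
    """Verify, first step: decrypt slot tau(i) to g^{a_i}; the quadratic PCP
    checks then have to run in the exponent (with a bilinear map in the paper)."""
    tau, sks = sk
    return [eg_dec(sks[t], pr[t]) for t in tau]

def dlog_bruteforce(h):
    """a_i from g^{a_i} is a discrete log, feasible only in this tiny group."""
    x, acc = 0, 1
    while acc != h:
        acc, x = acc * g % p, x + 1
    return x
```

The verifier never sees a_i in the clear; a reduction that wanted the plain PCP answers from these decryptions would have to run dlog_bruteforce at a group size where that is infeasible, which is exactly why the paper moves the PCP verification itself into the exponent.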


Cite this article

Kiyoshima, S. No-Signaling Linear PCPs. J Cryptol 36, 9 (2023). https://doi.org/10.1007/s00145-023-09448-4
