Knowledge Preserving Interactive Coding

Transcription

1 Knowledge Preserving Interactive Coding Sidharth Telang (Cornell University) Joint work with Kai-min Chung (Academia Sinica) and Rafael Pass (Cornell U, Ithaca & NYC) To appear in FOCS 2013

2 Error-resilient Communication Sender Receiver How can Alice and Bob communicate over a noisy channel? Dates back to [Shannon,Hamming] from 1940s : Use ECC

3 Error-correcting Codes (ECC) Sender Receiver Pair (E,D): E : {0,1} n -> {0,1} L=Bn D : {0,1} l -> {0,1} n Information rate R(n): L/n=1/B Error Rate μ(n): fraction of ADVERSARIAL errors we can handle; If E(m) and c differ in less than μl bits, then Dec(c) = m Thm [Justensen 72]: Efficient ECC with O(1) error and information rate.

4 Error-resilient Interactive Communication Alice Bob How to encode communication to become resilient to corruption? Naïve Approach : Encode each message using a good ECC

5 Error-resilient Interactive Communication Alice Bob How to encode communication to become resilient to corruption? Naïve Approach : Encode each message using a good ECC Awful error rate: at most 1/m (m = # rounds) Can we do better? Yes! Interactive Coding Q=(Q 1,Q 2 ) [Schulman 92]

6 Error-resilient Interactive Communication Alice Bob Q 1 Q 2 Correctness: Q π emulates π: same output w.h.p Information Rate R(n,m) Error Rate μ(n,m): CC(π) / CC(Q π ) Q π resilient to μ fraction errors Error rate Error type Encoding time [Schulman 92] 1/240 Adversarial Exp [BR 11,B 12] 1/8 + eps Adversarial Exp [GMS 11] - Random Poly [BK 12] 1/32 + eps Adversarial Poly DONE?

7 Alice Interactive Coding, Revisited Bob Q 1 Q 2 ECC: encoded messages carry same knowledge as original messages Interactive Coding: carries AT LEAST same knowledge But maybe MORE! Example 1: Oral exam on the internet ; does it remain sound if encoded? Example 2: Do crypto protocols remain secure if encoded? NO! (encodings typically allow rewinding players)

8 Alice What Went Wrong? Bob Q 1 Q 2 Interactive Coding: Q π emulates π as long as both players are honest.

9 Alice What Went Wrong? Bob Q 1 Interactive Coding: Q π emulates π as long as both players are honest. NEED: Q π emulates π even if one of the player is malicious Knowledge-Preserving Interactive Coding

10 Knowledge-Preserving Emulation ~ B B Q 1 REAL exec of π ~ = Q π IDEAL exec of π ~ For every real-world adversarial B there exists an ideal-world B such that outputs of all players in REAL and IDEAL are indistinguishable. In particular, preserves (stand-alone) security properties of π Can we achieve knowledge-preserving interactive coding? Our Focus: Efficient interactive coding; Q is PPT

11 Knowledge-Preserving Interactive Coding Observation: Naïve ECC approach is a knowledge preserving interactive coding with μ = O(1/m), where m = # rounds. Thm 1: No knowledge-preserving interactive coding with μ > 1/m Naïve ECC approach is optimal

12 Computational Knowledge-Preserving Interactive Coding Restrict to attackers and channels that are PPT (a la [Lipt 94,MPSW 10]) Thm 2: Assume existence of OWF (resp. SubExp OWF). Computational knowledge-preserving interactive coding with μ = 1/12 + ε and R=O(1/n ε ) (resp O(1/polylog n) ) Thm 3: OWF necessary if μ > 1/m. Thm 4: super-log blow-up necessary if μ = O(1).

13 Error rate Results (by Error-rate) 1/12 : Positive result [Thm 2] O(1) : super-log blowup necessary [Thm 4] > 1/m : Impossible [Thm 1] 1/4m : Naïve approach > 1/m : OWF necessary [Thm 3] 1/4m : Naïve approach Knowledge-Preserving Interactive coding Computational Knowledge-Preserving Interactive Coding

14 Concluding Remarks Shannon 1948 initiated a mathematical study of 2 fields: Cryptography Error-resilient communication Restricting to computationally bounded attackers and relying on computational assumptions (OWF) necessary for both!