Revision #2 Authors: Itay Berman, Iftach Haitner, Eliad Tsfadia

Accepted on: 2nd June 2020 12:53

Downloads: 18

Keywords:

Hardness amplification is a central problem in the study of interactive protocols. While "natural" parallel repetition transformation is known to reduce the soundness error of some special cases of interactive arguments: three-message protocols (Bellare, Impagliazzo, and Naor [FOCS '97]) and public-coin protocols (Hastad, Pass, Wikstrom, and Pietrzak [TCC '10], Chung and Lu [TCC '10] and Chung and Pass [TCC '15]), it fails to do so in the general case (the above Bellare et al.; also Pietrzak and Wikstrom [TCC '07]).

The only known round-preserving approach that applies to all interactive arguments is Haitner's random-terminating transformation [SICOMP '13], who showed that the parallel repetition of the transformed protocol reduces the soundness error at a weak exponential rate: if the original $m$-round protocol has soundness error $1-\varepsilon$, then the $n$-parallel repetition of its random-terminating variant has soundness error $(1-\varepsilon)^{\varepsilon n / m^4}$ (omitting constant factors). Hastad et al. have generalized this result to partially simulatable interactive arguments, showing that the $n$-fold repetition of an $m$-round $\delta$-simulatable argument of soundness error $1-\varepsilon$ has soundness error $(1-\varepsilon)^{\varepsilon \delta^2 n / m^2}$. When applied to random-terminating arguments, the Hastad et al. bound matches that of Haitner.

In this work we prove that parallel repetition of random-terminating arguments reduces the soundness error at a much stronger exponential rate: the soundness error of the $n$ parallel repetition is $(1-\varepsilon)^{n / m}$, only an $m$ factor from the optimal rate of $(1-\varepsilon)^n$ achievable in public-coin and three-message arguments. The result generalizes to $\delta$-simulatable arguments, for which we prove a bound of $(1-\varepsilon)^{\delta n / m}$. This is achieved by presenting a tight bound on a relaxed variant of the KL-divergence between the distribution induced by our reduction and its ideal variant, a result whose scope extends beyond parallel repetition proofs. We prove the tightness of the above bound for random-terminating arguments, by presenting a matching protocol.

(1) Extending the result to partially simulatable interactive arguments.

(2) Rewriting most parts of previous version.

Revision #1 Authors: Itay Berman, Iftach Haitner, Eliad Tsfadia

Accepted on: 15th April 2019 13:39

Downloads: 167

Keywords:

Soundness amplification is a central problem in the study of interactive protocols. While ``natural'' parallel repetition transformation is known to reduce the soundness error of some special cases of interactive arguments: three-message protocols and public-coin protocols, it fails to do so in the general case.

The only known round-preserving approach that applies to the general case of interactive arguments is Haitner's "random-terminating" transform [FOCS '09, SiCOMP '13]. Roughly speaking, a protocol $\pi$ is first transformed into a new slightly modified protocol $\widetilde{\pi}$, referred as the random terminating variant of $\pi$, and then parallel repetition is applied. Haitner's analysis shows that the parallel repetition of $\widetilde{\pi}$ does reduce the soundness error at a weak exponential rate. More precisely, if $\pi$ has $m$ rounds and soundness error $1-\epsilon$, then $\widetilde{\pi}^k$, the $k$-parallel repetition of $\widetilde{\pi}$, has soundness error $(1-\epsilon)^{\epsilon k / m^4}$. Since the security of many cryptographic protocols (e.g., binding) depends on the soundness of a related interactive argument, improving the above analysis is a key challenge in the study of cryptographic protocols.

In this work we introduce a different analysis for Haitner's method, proving that parallel repetition of random terminating protocols reduces the soundness error at a much stronger exponential rate: the soundness error of $\widetilde{\pi}^k$ is $(1-\epsilon)^{k / m}$, only an $m$ factor from the optimal rate of $(1-\epsilon)^k$, achievable in public-coin and three-message protocols. We prove the tightness of our analysis by presenting a matching protocol.

TR19-049 Authors: Itay Berman, Iftach Haitner, Eliad Tsfadia

Publication: 2nd April 2019 15:39

Downloads: 289

Keywords:

Parallel repetition is known to reduce the soundness error of some special cases of interactive arguments: three-message protocols and public-coin protocols. However, it does not do so in the general case.

Haitner [FOCS '09, SiCOMP '13] presented a simple method for transforming any interactive argument $\pi$ into a slightly modified protocol $\widetilde{\pi}$, which he named the random terminating variant of $\pi$, such that the parallel repetition of $\widetilde{\pi}$ does reduce the soundness error at a weak exponential rate. More precisely, if $\pi$ has $m$ rounds and soundness error $(1-\epsilon)$, then Haitner proved that $\widetilde{\pi}^k$, the $k$-parallel repetition of $\widetilde{\pi}$, has soundness error $(1-\epsilon)^{\epsilon k / m^4}$.

We emphasize that parallel repetition of the random-terminating variant of a protocol is the only unconditional round-preserving hardness amplification technique we have for arbitrary interactive arguments. Since the security of many cryptographic protocols (e.g., binding) depends on the soundness of a related interactive argument, improving the analysis of Haitner is a key challenge in the study of cryptographic protocols.

In this work we introduce a different analysis for Haitner's method, proving that parallel repetition of random terminating protocols reduces the soundness error at a much stronger exponential rate: the soundness error of $\widetilde{\pi}^k$ is $(1-\epsilon)^{k / m}$, only an $m$ factor from the optimal rate of $(1-\epsilon)^k$, achievable in public-coin and three-message protocols. We prove the tightness of our analysis by presenting a matching protocol.