 Today, we'll see how to obtain delegation schemes with updatable and unambiguous proofs and show P-pad hardness. This is based on joint work with Yael, Tom and Kalei, and Omar Paneth. The delegation scheme, a weak machine such as a smartwatch wants to learn the outcome of a costly computation. He doesn't have the resources to perform the computation himself, so he'll delegate it to a more powerful machine such as the cloud who will perform the computation and return the output Y. Now, he doesn't just want to trust the cloud, so he also asks for a proof pi to check that the output Y is indeed the correct output. Importantly, checking this proof should take much less time than performing the original computation. The question we ask is, can verifying actually be faster than computing? In prior constructions of delegation schemes, the verifier needed access to secret trapdoor information in order to check the proof. What we're after today is a notion of a publicly verifiable delegation scheme where the prover can write down the statement and proof in a public place such as in a book or on the internet, and anyone can come and verify the proof without needing any trapdoor information. To actually realize such schemes, we'll work in the common reference string or CRS model. Now, publicly verifiable delegation schemes are essential to decentralized applications, such as cryptocurrencies and blockchains, where you really want to allow anyone to be able to verify the proofs. There's been a lot of prior work on publicly verifiable delegation. First, we had many constructions, but they were all based on pretty strong cryptographic assumptions. More recently, we have constructions of publicly verifiable delegation schemes based on weaker cryptographic assumptions. Last year, we had a delegation for bounded-dev circuits based on what was called the optimal security of LWE, and this assumption was reduced to sub-exponential LWE in the recent work. Also last year, we had a construction of a delegation scheme for polynomial-time computations based on a bilinear group assumption. Today, we'll be building upon this delegation scheme by making its proofs updateable and unambiguous. The first notion that we're after today is the notion of updateable proofs, which is introduced by valiant. In this setting, we have a long computation going from C0 to CT, which is carried out over B-separ iterations. At any point in time, you'll have some prefix of the computation that's been carried out and a proof for the computation that's been carried out so far. Now, we want to allow any prover to perform the next block of the computation, and to update the proof from pi i into pi i plus 1. Importantly, the time to update the proof should take time proportional to the amount of computation he performed. In particular, if a large amount of the computation has already been performed, we don't want the prover to have to redo any of that computation in order to update his proof. Secondly, we also want the proofs to remain succinct. So the size of the proofs should not grow with the number of iterations B. A potential solution would be to have the prover simply perform the next block of the computation and append a fresh proof just for the part that he performed. But of course, then the proof would grow with the number of updates. So today we'll see how to get updateable proofs with both the efficiency and the succinctness properties. And previously, the constructions of updateable proofs were based on snargs, which we only know under pretty strong assumptions, whereas today we'll construct updateable proofs from a falsifiable assumption. The second notion we're after is the notion of unambiguous proofs. We say that the delegation scheme has unambiguous proofs. If it's hard for a prover to generate two different accepting proofs for the same statement. So our result is a delegation scheme that's publicly verifiable and has both updateable and unambiguous proofs and is based on the following this decisional bilinear group assumption. In the assumption, the adversary is given this three-by-alpha matrix of bilinear group elements where alpha is logarithmic in the security parameter. And while this assumption is new, it's similar in spirit to the wide range of bilinear group assumptions made previously and also holds in the generic group model. So using this delegation scheme, we show P-pad hardness based on the quasi-polynomial hardness of this bilinear group assumption and also the existence of any hard language L that's decidable in superpolynomial time and polynomial space. And so for instance, assuming the hardness of SAT for sub-exponential size circuits or assuming non-uniform ETH would suffice to insentiate the hard language L. And we use our delegation scheme to show P-pad hardness by following the blueprint of Chanduri et al. So today we'll just focus on the delegation scheme itself. And for those who aren't familiar, P-pad is an important complexity class of total search problems that's known to contain the problem of computing Nash equilibria. And there's actually been a lot of work trying to show P-pad hardness based on cryptographic assumptions. So the first of these works show P-pad hardness based on pretty strong assumptions. And just recently, there were several works showing P-pad hardness based on LWD assumptions. And all of these works are preceded by applying Fiat Shamir to an interactive protocol for a specific language. And you can actually think of this as constructing a publicly verifiable delegation scheme with updatable and unambiguous proofs, but just for the particular language. And so the first of these works relied on the security of Fiat Shamir or the optimal security of LWD. And just recently, this was reduced to sub-exponential LWD. Another related work shows the hardness of PLS, which is another class of total search problems. And they proceed by making the KBY delegation scheme have updatable proofs. But for P-pad hardness, we will need both the updatability and unambiguity properties. So for the rest of this talk, we'll just focus on the delegation scheme and we'll start with showing how to make its proofs updatable. So as I mentioned, previous works obtain updatable proofs, but based on pretty strong assumptions. And what we do is we use the same technique of recursive proof composition, but we show how to do this without using strong assumptions. And in particular, we extend the idea of local extraction, which is introduced in KBY in order to obtain updatable proofs under this bilinear group assumption. So recalling the setting of updatable proofs will have a proof pi for the part of the computation that's been performed so far. And to update pi, we could just append a proof for the computation that we perform, but then the proof will grow with the number of updates. So at any point in time, the proof could contain B proofs pi sub i for separate parts of the computation. And what we'd like to do is we'd like to prevent the proof from growing by shrinking it back down. So what we'd like to do is we would like to merge the B proofs and replace the B proofs with the single proof pi prime. And our construction of this merge operation will just consist of verifying each of the B proofs and then generating a proof pi prime for this verification computation. And now the proof of pi prime will be shorter than the length of the B proofs from before. And so we've succeeded in reducing the size of the proof, but unfortunately this verification computation is non-deterministic. And so it's not actually clear how to prove that this transformation preserves soundness because we know from works on non-deterministic delegation that in general it's hard to extract a lot of information, such as the B proofs from a single short proof pi prime. So previous works actually assumed that you can extract all B proofs by relying on strong assumptions. What we do is we instead extract small parts of the proof and show that each of these small parts can actually be pieced together via a technique that we call local extraction. And this is how we'll get updatable proofs under a falsifiable assumption. So for the rest of this talk, we'll just focus on obtaining unambiguous proofs. So first we need to understand a little bit more about the KPY delegation scheme. So in the delegation scheme, the prover performs the computation and writes down the tableau, which he encodes via a polynomial F. And now the CRS contains homomorphic encryptions of queries to this tableau, which you can just think of as inputs to this polynomial. And the prover will homomorphically evaluate the answers and send them back as a proof. Then the verifier will publicly check the proof pi using an operation called the zero test, which acts on the ciphertext themselves. This notion was introduced in the work of PR and constructed in the work of KPY. And we won't go into the details today, but this is how the public verifiability is obtained. So next we'll see how to make this delegation scheme have unambiguous proofs. So the first observation is since the proof consists of ciphertext, we'll have to use an encryption scheme that has an unambiguity property. And our property will say, and our property will require that any cheating prover cannot generate two different ciphertexts that encrypt the same message. This property might seem a little counterintuitive, but it's pretty easy to see that it holds in the KPY encryption scheme. In this encryption scheme, a secret key is a random field element S and a ciphertext is just an encoding of a low degree polynomial R that passes through the message at the secret key. And so now if a prover succeeds in generating two different ciphertexts, C and C prime that encrypt the same message, then R and R prime are two different polynomials that agree at a random point S with noticeable probability. So with this unambiguity of ciphertext property, it suffices just to ensure that the answers underneath the encryption are unambiguous and this will give us unambiguous proofs. So now we'll just focus on ensuring the unambiguity of the answers underneath the encryption. So recall that the prover encodes the computation via a polynomial F and actually the honest prover will encode this polynomial by taking the multilinear extension of the computation tableau. Following the work of PRR, we can show that for queries in 01, the corresponding answers will be unambiguous because they correspond to a deterministic computation tableau. But for the unambiguity of ciphertext property, we need to ensure the unambiguity of answers for queries in F. If we could ensure that the prover evaluates a multilinear polynomial F, then we could use the unambiguity for 01 to show unambiguity for every query. And so the idea is to ask the prover to send a proof of multilinearity for his evaluated ciphertext. But it's not clear that an adversarial prover has to evaluate any polynomial to compute his answers. And even if we could ensure that he evaluates some polynomial, it's not clear how to get a succinct proof that he's evaluating a multilinear polynomial. For instance, if he sends back the polynomial itself, then the communication grows with the size of the computation. And so again, we're stuck with the task of designing a succinct proof for a potentially large, non-deterministic statement. And we do this by introducing the notion of local multilinearity, which will allow us to construct a succinct proof. So our proof of local multilinearity will ask the prover for the restriction of the polynomial F in each coordinate. So this will consist of encryptions of AI BI that describe a line passing through the evaluation of F at the point Q sub I. And the verifier will check the consistency of these restrictions and the evaluation of F using the zero test. The problem with this protocol is that since the encryption is homomorphic, an adversarial prover can use the encryption of Q sub I and compute different restrictions. And so our idea is to encrypt the query again, but without the I've coordinate and to ask the prover for the restriction in the I've coordinate. And so now we'll have the guarantee that the second restriction is computed independently of Q sub I. And so all we have to do is test that this restriction agrees with the original restriction. And to do this, we construct what we call a proof of equality that allows a prover to prove that he evaluated the same function on both encryptions. And this will allow the prover to prove that A B and A prime B prime are the same. Then we'll have our proof of local multilinearity that ensures the unambiguity of answers. And recall that together with the unambiguity of ciphertext property, this ensures the unambiguity of the prover's proof. So then we'll have constructed a delegation scheme with updatable and unambiguous proofs. But we aren't quite done yet because to show the unambiguity of the entire proof, we actually need to show the unambiguity of the other ciphertext in the KPY proof. So far we've just described how to show the unambiguity of a ciphertext that corresponds to the computation tableau. And we'll also have to show the unambiguity of all the ciphertext that we added to the proof in constructing these equality and multilinearity proofs. Once we do that, we'll have unambiguous proofs, but we still need to ensure that the unambiguity is preserved in the recursive proof composition that allows us to get updatable proofs. In the full version of our work, we do indeed show how to perform these other steps. And this allows us to obtain our delegation scheme with updatable and unambiguous proofs based on the bilinear group assumption introduced in KPY. And recall that a corollary of this result is P-pad hardness based on the quasi-polynomial hardness of this assumption. To conclude, I just want to highlight the idea that underlies our result, which is the power of local proofs in the setting of non-deterministic statements. So in non-deterministic delegation, we know that in general, it's hard to extract a lot of information from a very short proof. But by using locality, we're able to construct succinct proofs for seemingly large, non-deterministic statements, obtain updatable and unambiguous proofs, under standard assumptions. Thank you for your time.