Results 1  10
of
13
Delegating computation: interactive proofs for muggles
 In Proceedings of the ACM Symposium on the Theory of Computing (STOC
, 2008
"... In this work we study interactive proofs for tractable languages. The (honest) prover should be efficient and run in polynomial time, or in other words a “muggle”. 1 The verifier should be superefficient and run in nearlylinear time. These proof systems can be used for delegating computation: a se ..."
Abstract

Cited by 115 (6 self)
 Add to MetaCart
(Show Context)
In this work we study interactive proofs for tractable languages. The (honest) prover should be efficient and run in polynomial time, or in other words a “muggle”. 1 The verifier should be superefficient and run in nearlylinear time. These proof systems can be used for delegating computation: a server can run a computation for a client and interactively prove the correctness of the result. The client can verify the result’s correctness in nearlylinear time (instead of running the entire computation itself). Previously, related questions were considered in the Holographic Proof setting by Babai, Fortnow, Levin and Szegedy, in the argument setting under computational assumptions by Kilian, and in the random oracle model by Micali. Our focus, however, is on the original interactive proof model where no assumptions are made on the computational power or adaptiveness of dishonest provers. Our main technical theorem gives a public coin interactive proof for any language computable by a logspace uniform boolean circuit with depth d and input length n. The verifier runs in time (n+d)·polylog(n) and space O(log(n)), the communication complexity is d · polylog(n), and the prover runs in time poly(n). In particular, for languages computable by logspace uniform N C (circuits of polylog(n) depth), the prover is efficient, the verifier runs in time n · polylog(n) and space O(log(n)), and the communication complexity is polylog(n).
Competing Provers Protocols for Circuit Evaluation ∗
"... Let C be a (fanin 2) Boolean circuit of size s and depth d, and let x be an input for C. Assume that a verifier that knows C but doesn’t know x can access the low degree extension of x at one random point. Two competing provers try to convince the verifier that C(x) = 0 and C(x) = 1, respectively ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
(Show Context)
Let C be a (fanin 2) Boolean circuit of size s and depth d, and let x be an input for C. Assume that a verifier that knows C but doesn’t know x can access the low degree extension of x at one random point. Two competing provers try to convince the verifier that C(x) = 0 and C(x) = 1, respectively, and assume that one of the provers is honest. For any r ≥ 1, we give an r rounds protocol with communication complexity d 1 r polylog (s) that convinces the verifier in the correct value of C(x) (with small probability of error). In particular, when we allow only one round, the protocol exchanges d · polylog (s) bits, and when we allow r = O rounds, the protocol exchanges only log(d) loglog(s) polylog (s) bits. Moreover, the complexity of the verifier and honest provers in this protocol is poly(s), and if in addition the circuit is log(s)space uniform, the complexity of the verifier is d 1 r polylog (s). 1 The protocol is obtained by combining the delegation protocol of Goldwasser, Kalai and Rothblum [5] and the competing provers protocols of Feige and Kilian [3] and some new techniques. We suggest two applications of these results: Delegating computation to competing clouds: The main motivation behind the protocol of [5] was delegating computation to a cloud. Using our new protocol, a verifier can delegate computation to two (or more) competing clouds. If at least one of the clouds is reliable the verifier can trust that the computation is correct (with high probability). The advantage over the protocol of [5] is that the communication complexity and the number of rounds in our protocol are significantly lower. Communication complexity with competing
Locally vs. Globally Optimized FlowBased Content Distribution to Mobile Nodes
"... Abstract—The paper deals with efficient distribution of timely information to flows of mobile devices. We consider the case where a set of Information Dissemination Devices (IDDs) broadcast a limited amount of information to passing mobile nodes that are moving along welldefined paths. This is the ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
Abstract—The paper deals with efficient distribution of timely information to flows of mobile devices. We consider the case where a set of Information Dissemination Devices (IDDs) broadcast a limited amount of information to passing mobile nodes that are moving along welldefined paths. This is the case, for example, in intelligent transportation systems. We develop a novel model that captures the main aspects of the problem, and define a new optimization problem we call MBMAP (Maximum Benefit Message Assignment Problem). We study the computational complexity of this problem in the global and local cases, and provide new approximation algorithms. I.
A Super Efficient Rational Proofs
"... A rational proof is an interactive proof where the prover, Merlin, is neither honest nor malicious, but rational. That is, Merlin acts in order to maximize his own utility. Rational proofs have been previously studied when the verifier, Arthur, is a probabilistic polynomialtime machine. In this pap ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
A rational proof is an interactive proof where the prover, Merlin, is neither honest nor malicious, but rational. That is, Merlin acts in order to maximize his own utility. Rational proofs have been previously studied when the verifier, Arthur, is a probabilistic polynomialtime machine. In this paper, we characterize super efficient rational proofs, that is, rational proofs where Arthur runs in logarithmic time. Our new rational proofs are very practical. Not only are they much faster than their classical analogues, but they also provide very tangible incentives for the expert to be honest. Arthur only needs a polynomialsize budget, yet he can penalize Merlin by a large quantity if he deviates from the truth. 1.
Two 1Round Protocols for Delegation of Computation
, 2011
"... Consider a weak client that wishes to delegate computation to an untrusted server and be able to succinctly verify the correctness of the result, all within one round of interaction. We provide solutions for two relaxed variants of this problem. Specifically: • We consider a model where the client d ..."
Abstract
 Add to MetaCart
Consider a weak client that wishes to delegate computation to an untrusted server and be able to succinctly verify the correctness of the result, all within one round of interaction. We provide solutions for two relaxed variants of this problem. Specifically: • We consider a model where the client delegates the computation to two or more servers, and is guaranteed to output the correct answer as long as even a single server is honest. We call this model Refereed Delegation of Computation (RDoC). In this model, we show a 1round unconditionally statistically sound protocol for any logspace uniform N C circuit. In contrast, all known oneround delegation protocols with a single server are only computationally sound. • We consider a model with a nonsuccinct offline stage and pubic verifiability. (Previously, this model was considered only with private verifiability, namely the client has to maintain some secret local information pertaining to the offline stage [Gennaro et al., CRYPTO 2010]). Public verifiability does away with the secret state, and so allows delegating the offline stage to a “semitrusted” external third party that is potentially used by many clients, even mutually suspicious ones. It also allows for a stronger, more adaptive notion of soundness.
1Identitybased Encryption with Outsourced Revocation in Cloud Computing
"... Abstract—IdentityBased Encryption (IBE) which simplifies the ..."
(Show Context)
1 Efficient LocationBased Decision Supporting Content Distribution to Mobile Groups
"... Abstract — The paper deals with efficient locationbased decision supporting content distribution to mobile groups. We consider the case where a set of Information Dissemination Devices (IDDs) broadcast a limited amount of locationbased information to passing mobile nodes that are moving along well ..."
Abstract
 Add to MetaCart
Abstract — The paper deals with efficient locationbased decision supporting content distribution to mobile groups. We consider the case where a set of Information Dissemination Devices (IDDs) broadcast a limited amount of locationbased information to passing mobile nodes that are moving along welldefined paths. We develop a novel model that captures the main aspects of the problem, and define a new optimization problem we call MBMAP (Maximum Benefit Message Assignment Problem). We study several variants of this problem in the case where the IDDs are cooperative and in the case where they are not. We develop new approximation algorithms for these variants and then focus on the practical effects of using them in realistic networking scenarios. I.
cb Licensed under a Creative Commons Attribution License (CCBY) DOI: 10.4086/toc.2014.v010a005
, 2011
"... Abstract: Let C be a (fanin 2) Boolean circuit of size s and depth d, and let x be an input for C. Assume that a verifier, that knows C but does not know x, can access the lowdegree extension of x at one random point. Two competing provers try to convince the verifier that C(x) = 0 and C(x) = 1, ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract: Let C be a (fanin 2) Boolean circuit of size s and depth d, and let x be an input for C. Assume that a verifier, that knows C but does not know x, can access the lowdegree extension of x at one random point. Two competing provers try to convince the verifier that C(x) = 0 and C(x) = 1, respectively, and it is assumed that one of the provers is honest. For any r ≥ 1, we construct1 an rround protocol with communication complexity d1/r poly log(s) that convinces the verifier of the correct value of C(x) (with small probability of error). In particular, when we allow only one round, the protocol exchanges d ·poly log(s) bits, and when we allow r = O(log(d)/log log(s)) rounds, the protocol exchanges only poly log(s) bits. Moreover, the complexity of the verifier and the honest prover in this protocol is poly(s), and if in addition the circuit is log(s)space uniform, the complexity of the verifier is d1/r poly log(s). The protocol is obtained by combining the delegation protocol of Goldwasser, Kalai, and Rothblum (STOC 2008), the competingprovers protocols of Feige and Kilian (STOC 1997), and some new techniques. We suggest two applications of these results:
Paradigms and Constructions
, 2009
"... In an emerging computing paradigm, computational capabilities, from processing power to storage capacities, are offered to users over communication networks as a service. This new paradigm holds enormous promise for increasing the utility of computationally weak devices. A natural approach is for w ..."
Abstract
 Add to MetaCart
(Show Context)
In an emerging computing paradigm, computational capabilities, from processing power to storage capacities, are offered to users over communication networks as a service. This new paradigm holds enormous promise for increasing the utility of computationally weak devices. A natural approach is for weak devices to delegate expensive tasks, such as storing a large file or running a complex computation, to more powerful entities (say servers) connected to the same network. While the delegation approach seems promising, it raises an immediate concern: when and how can a weak device verify that a computational task was completed correctly? This practically motivated question touches on foundational questions in cryptography and complexity theory. The focus of this thesis is verifying the correctness of delegated computations. We construct efficient protocols (interactive proofs) for delegating computational tasks. In particular, we present: e A protocol for delegating any computation, where the work needed to verify the correctness of the output is linear in the input length, polynomial in the computation's