y Abstract What is an algorithm? The interest in this foundational problem is not only theoretical; applications include specification, validation and verification of software and hardware systems. We describe the quest to understand and define the notion of algorithm. We start with the Church-Turing thesis and contrast Church's and Turing's approaches, and we finish with some recent investigations.

Succinct arguments for NP are proof systems that allow a weak verifier to retroactively check computation done by a more powerful prover. These protocols prove membership in languages (consisting of succinctlyrepresented very large constraint satisfaction problems) that, alas, are unnatural in the sense that the problems that arise in practice are not in such form. For general computation tasks, the most natural and efficient representation is typically as random-access machine (RAM) algorithms, because such a representation can be obtained very efficiently by applying a compiler to code written in a high-level programming language. We thus study efficient reductions from RAM to other problem representations for which succinct arguments are known. Specifically, we construct reductions from the correctness of computation of a T-step non-deterministic random-access machine to: 1. (succinct) circuit satisfiability with O(log T) overhead, and 2. (succinct) algebraic constraint satisfaction with O(log 2 T) overhead. On the latter problem representation, the best known Probabilistically Checkable Proofs can be directly invoked. Our constructions are explicit and do not hide large constants. To attain these, we develop a set of tools (both unconditional and leveraging computational assumptions) for generically and efficiently structuring and arithmetizing the computation of random-access machines.

Succinct non-interactive arguments of knowledge (SNARKs), and their generalization to distributed computations by proof-carrying data (PCD), are powerful tools for enforcing the correctness of dynamically evolving computations among multiple mutually-untrusting parties. We present recursive composition and bootstrapping techniques that: 1. Transform any SNARK with an expensive preprocessing phase into a SNARK without such a phase. 2. Transform any SNARK into a PCD system for constant-depth distributed computations. 3. Transform any PCD system for constant-depth distributed computations into a PCD system for distributed computation over paths of fixed polynomial length. Our transformations apply to both the public- and private-verification settings, and assume the existence of CRHs; for the private-verification setting, we additionally assume FHE. By applying our transformations to the NIZKs of [Groth, ASIACRYPT ’10], whose security is based on a Knowledge of Exponent assumption in bilinear groups, we obtain the first publicly-verifiable SNARKs and PCD without preprocessing in the plain model. (Previous constructions were either in the randomoracle model [Micali, FOCS ’94] or in a signature oracle model [Chiesa and Tromer, ICS ’10].) Interestingly,