Results 1 
7 of
7
Algorithms: A quest for absolute definitions
 Bulletin of the European Association for Theoretical Computer Science
, 2003
"... y Abstract What is an algorithm? The interest in this foundational problem is not only theoretical; applications include specification, validation and verification of software and hardware systems. We describe the quest to understand and define the notion of algorithm. We start with the ChurchTurin ..."
Abstract

Cited by 20 (9 self)
 Add to MetaCart
y Abstract What is an algorithm? The interest in this foundational problem is not only theoretical; applications include specification, validation and verification of software and hardware systems. We describe the quest to understand and define the notion of algorithm. We start with the ChurchTuring thesis and contrast Church's and Turing's approaches, and we finish with some recent investigations.
From RAM to SAT
, 2012
"... Common presentations of the NPcompleteness of SAT suffer from two drawbacks which hinder the scope of this flagship result. First, they do not apply to machines equipped with randomaccess memory, also known as directaccess memory, even though this feature is critical in basic algorithms. Second, ..."
Abstract
 Add to MetaCart
Common presentations of the NPcompleteness of SAT suffer from two drawbacks which hinder the scope of this flagship result. First, they do not apply to machines equipped with randomaccess memory, also known as directaccess memory, even though this feature is critical in basic algorithms. Second, they incur a quadratic blowup in parameters, even though the distinction between, say, linear and quadratic time is often as critical as the one between polynomial and exponential. But the landmark result of a sequence of works overcomes both these drawbacks simultaneously! [HS66, Sch78, PF79, Coo88, GS89, Rob91] The proof of this result is simplified by Van Melkebeek in [vM06, §2.3.1]. Compared to previous proofs, this proof more directly reduces randomaccess machines to SAT, bypassing sequential Turing machines, and using a simple, wellknown sorting algorithm: OddEven Merge sort [Bat68]. In this work we give a selfcontained rendering of this simpler proof. For context, we note that the impressive works [BSCGT12b, BSCGT12a] give the stronger type of reduction where a candidate satisfying assignment to the SAT instance can be verified
Local reductions
, 2013
"... We reduce nondeterministic time T ≥ 2 n to a 3SAT instance φ of size φ  = T ·log O(1) T such that there is an explicit circuit C that on input an index i of logφ bits outputs the ith clause, and each output bit of C depends on O(1) inputs bits. The previous best result was C in NC 1. Even in th ..."
Abstract
 Add to MetaCart
We reduce nondeterministic time T ≥ 2 n to a 3SAT instance φ of size φ  = T ·log O(1) T such that there is an explicit circuit C that on input an index i of logφ bits outputs the ith clause, and each output bit of C depends on O(1) inputs bits. The previous best result was C in NC 1. Even in the simpler setting of φ  = poly(T) the previous best result was C in AC 0. More generally, for any time T ≥ n and parameter r ≤ n we obtain log 2φ  = max(logT,n/r)+O(logn)+O(loglogT) and each output bit of C is a decision tree of depth O(logr). As an application, we simplify the proof of Williams ’ ACC 0 lower bound, and tighten his connection between satisfiability algorithms and lower bounds.
Recursive composition and . . .
, 2012
"... Succinct noninteractive arguments (SNARGs) enable verifying NP statements with much lower complexity than required for classical NP verification (in fact, with complexity that is independent of the NP language at hand). In particular, SNARGs provide strong solutions to the problem of verifiably del ..."
Abstract
 Add to MetaCart
Succinct noninteractive arguments (SNARGs) enable verifying NP statements with much lower complexity than required for classical NP verification (in fact, with complexity that is independent of the NP language at hand). In particular, SNARGs provide strong solutions to the problem of verifiably delegating computation. Despite recent progress in the understanding and construction of SNARGs, there remain unattained goals. First, publiclyverifiable SNARGs are only known either in the random oracle model, or in a model that allows expensive offline preprocessing. Second, known SNARGs require from the prover significantly more time or space than required for classical NP verification. We show that, assuming collisionresistant hashing, any SNARG having a natural proof of knowledge property (i.e., a SNARK) can be “bootstrapped ” to obtain a complexitypreserving SNARK, i.e., one without expensive preprocessing and where the prover’s time and space complexity is essentially the same as that required for classical NP verification. By applying our transformation to known publiclyverifiable SNARKs with expensive preprocessing, we obtain the first publiclyverifiable complexitypreserving SNARK in the plain model (and in particular, eliminate the expensive preprocessing), thereby attaining the aforementioned goals. We also show an analogous transformation for privatelyverifiable SNARKs, assuming fullyhomomorphic encryption. Curiously, our transformations do not rely on PCPs. At the heart of our transformations is recursive composition of SNARKs and, more generally, new techniques for constructing and using proofcarrying data (PCD) systems, which extend the notion of a SNARK to the distributed setting. Concretely, to bootstrap a given SNARK, we recursively compose the SNARK to obtain a “weak” PCD system for shallow distributed computations, and then use the PCD framework to attain stronger, complexitypreserving SNARKs and PCD systems.
Recursive composition and bootstrapping for SNARKs . . .
, 2012
"... Succinct noninteractive arguments of knowledge (SNARKs), and their generalization to distributed computations by proofcarrying data (PCD), are powerful tools for enforcing the correctness of dynamically evolving computations among multiple mutuallyuntrusting parties. We present recursive composit ..."
Abstract
 Add to MetaCart
Succinct noninteractive arguments of knowledge (SNARKs), and their generalization to distributed computations by proofcarrying data (PCD), are powerful tools for enforcing the correctness of dynamically evolving computations among multiple mutuallyuntrusting parties. We present recursive composition and bootstrapping techniques that: 1. Transform any SNARK with an expensive preprocessing phase into a SNARK without such a phase. 2. Transform any SNARK into a PCD system for constantdepth distributed computations. 3. Transform any PCD system for constantdepth distributed computations into a PCD system for distributed computation over paths of fixed polynomial length. Our transformations apply to both the public and privateverification settings, and assume the existence of CRHs; for the privateverification setting, we additionally assume FHE. By applying our transformations to the NIZKs of [Groth, ASIACRYPT ’10], whose security is based on a Knowledge of Exponent assumption in bilinear groups, we obtain the first publiclyverifiable SNARKs and PCD without preprocessing in the plain model. (Previous constructions were either in the randomoracle model [Micali, FOCS ’94] or in a signature oracle model [Chiesa and Tromer, ICS ’10].) Interestingly,
Fast reductions from RAMs to . . .
, 2012
"... Succinct arguments for NP are proof systems that allow a weak verifier to retroactively check computation done by a more powerful prover. These protocols prove membership in languages (consisting of succinctlyrepresented very large constraint satisfaction problems) that, alas, are unnatural in the s ..."
Abstract
 Add to MetaCart
Succinct arguments for NP are proof systems that allow a weak verifier to retroactively check computation done by a more powerful prover. These protocols prove membership in languages (consisting of succinctlyrepresented very large constraint satisfaction problems) that, alas, are unnatural in the sense that the problems that arise in practice are not in such form. For general computation tasks, the most natural and efficient representation is typically as randomaccess machine (RAM) algorithms, because such a representation can be obtained very efficiently by applying a compiler to code written in a highlevel programming language. We thus study efficient reductions from RAM to other problem representations for which succinct arguments are known. Specifically, we construct reductions from the correctness of computation of a Tstep nondeterministic randomaccess machine to: 1. (succinct) circuit satisfiability with O(log T) overhead, and 2. (succinct) algebraic constraint satisfaction with O(log 2 T) overhead. On the latter problem representation, the best known Probabilistically Checkable Proofs can be directly invoked. Our constructions are explicit and do not hide large constants. To attain these, we develop a set of tools (both unconditional and leveraging computational assumptions) for generically and efficiently structuring and arithmetizing the computation of randomaccess machines.
Technion
, 2014
"... We build a system that provides succinct noninteractive zeroknowledge proofs (zkSNARKs) for program executions on a von Neumann RISC architecture. The system has two components: a cryptographic proof system for verifying satisfiability of arithmetic circuits, and a circuit generator to translate ..."
Abstract
 Add to MetaCart
We build a system that provides succinct noninteractive zeroknowledge proofs (zkSNARKs) for program executions on a von Neumann RISC architecture. The system has two components: a cryptographic proof system for verifying satisfiability of arithmetic circuits, and a circuit generator to translate program executions to such circuits. Our design of both components improves in functionality and efficiency over prior work, as follows. Our circuit generator is the first to be universal: it does not need to know the program, but only a bound on its running time. Moreover, the size of the output circuit depends additively (rather than multiplicatively) on program size, allowing verification of larger programs. The cryptographic proof system improves proving and verification times, by leveraging new algorithms and a pairing library tailored to the protocol. We evaluated our system for programs with up to 10,000 instructions, running for up to 32,000 machine steps, each of which can arbitrarily access randomaccess memory; and also demonstrated it executing programs that use justintime compilation. Our proofs are 230 bytes long at 80 bits of security, or 288 bytes long at 128 bits of security. Typical verification time is 5 milliseconds, regardless of the original program’s running time.