Results 1 
5 of
5
A Super Efficient Rational Proofs
"... A rational proof is an interactive proof where the prover, Merlin, is neither honest nor malicious, but rational. That is, Merlin acts in order to maximize his own utility. Rational proofs have been previously studied when the verifier, Arthur, is a probabilistic polynomialtime machine. In this pap ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
A rational proof is an interactive proof where the prover, Merlin, is neither honest nor malicious, but rational. That is, Merlin acts in order to maximize his own utility. Rational proofs have been previously studied when the verifier, Arthur, is a probabilistic polynomialtime machine. In this paper, we characterize super efficient rational proofs, that is, rational proofs where Arthur runs in logarithmic time. Our new rational proofs are very practical. Not only are they much faster than their classical analogues, but they also provide very tangible incentives for the expert to be honest. Arthur only needs a polynomialsize budget, yet he can penalize Merlin by a large quantity if he deviates from the truth. 1.
Rational arguments: Single round delegation with sublinear verification
 In Proceedings of the 5th Conference on Innovations in Theoretical Computer Science, ITCS ’14
, 2014
"... Rational proofs, recently introduced by Azar and Micali (STOC 2012), are a variant of interactive proofs in which the prover is neither honest nor malicious, but rather rational. The advantage of rational proofs over their classical counterparts is that they allow for extremely low communication and ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
Rational proofs, recently introduced by Azar and Micali (STOC 2012), are a variant of interactive proofs in which the prover is neither honest nor malicious, but rather rational. The advantage of rational proofs over their classical counterparts is that they allow for extremely low communication and verification time. Azar and Micali demonstrated their potential by giving a one message rational proof for #SAT, in which the verifier runs in time O(n), where n denotes the instance size. In a followup work (EC 2013), Azar and Micali proposed “superefficient ” and interactive versions of rational proofs and argued that they capture precisely the class TC0 of constantdepth, polynomialsize circuits with threshold gates. In this paper, we show that by considering rational arguments, in which the prover is additionally restricted to be computationally bounded, the class NC1, of search problems computable by logspace uniform circuits of O(logn)depth, admits rational protocols that are simultaneously oneround and polylog(n) time verifiable. This demonstrates the potential of rational arguments as a way to extend the notion of “superefficient " rational proofs beyond the class TC0. The low interaction nature of our protocols, along with their sublinear verification time, make them well suited for delegation of computation. While they provide a weaker (yet arguably meaningful)
Two 1Round Protocols for Delegation of Computation
, 2011
"... Consider a weak client that wishes to delegate computation to an untrusted server and be able to succinctly verify the correctness of the result, all within one round of interaction. We provide solutions for two relaxed variants of this problem. Specifically: • We consider a model where the client d ..."
Abstract
 Add to MetaCart
Consider a weak client that wishes to delegate computation to an untrusted server and be able to succinctly verify the correctness of the result, all within one round of interaction. We provide solutions for two relaxed variants of this problem. Specifically: • We consider a model where the client delegates the computation to two or more servers, and is guaranteed to output the correct answer as long as even a single server is honest. We call this model Refereed Delegation of Computation (RDoC). In this model, we show a 1round unconditionally statistically sound protocol for any logspace uniform N C circuit. In contrast, all known oneround delegation protocols with a single server are only computationally sound. • We consider a model with a nonsuccinct offline stage and pubic verifiability. (Previously, this model was considered only with private verifiability, namely the client has to maintain some secret local information pertaining to the offline stage [Gennaro et al., CRYPTO 2010]). Public verifiability does away with the secret state, and so allows delegating the offline stage to a “semitrusted” external third party that is potentially used by many clients, even mutually suspicious ones. It also allows for a stronger, more adaptive notion of soundness.
cb Licensed under a Creative Commons Attribution License (CCBY) DOI: 10.4086/toc.2014.v010a005
, 2011
"... Abstract: Let C be a (fanin 2) Boolean circuit of size s and depth d, and let x be an input for C. Assume that a verifier, that knows C but does not know x, can access the lowdegree extension of x at one random point. Two competing provers try to convince the verifier that C(x) = 0 and C(x) = 1, ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract: Let C be a (fanin 2) Boolean circuit of size s and depth d, and let x be an input for C. Assume that a verifier, that knows C but does not know x, can access the lowdegree extension of x at one random point. Two competing provers try to convince the verifier that C(x) = 0 and C(x) = 1, respectively, and it is assumed that one of the provers is honest. For any r ≥ 1, we construct1 an rround protocol with communication complexity d1/r poly log(s) that convinces the verifier of the correct value of C(x) (with small probability of error). In particular, when we allow only one round, the protocol exchanges d ·poly log(s) bits, and when we allow r = O(log(d)/log log(s)) rounds, the protocol exchanges only poly log(s) bits. Moreover, the complexity of the verifier and the honest prover in this protocol is poly(s), and if in addition the circuit is log(s)space uniform, the complexity of the verifier is d1/r poly log(s). The protocol is obtained by combining the delegation protocol of Goldwasser, Kalai, and Rothblum (STOC 2008), the competingprovers protocols of Feige and Kilian (STOC 1997), and some new techniques. We suggest two applications of these results: