A rational proof is an interactive proof where the prover, Merlin, is neither honest nor malicious, but rational. That is, Merlin acts in order to maximize his own utility. Rational proofs have been previously studied when the verifier, Arthur, is a probabilistic polynomial-time machine. In this paper, we characterize super efficient rational proofs, that is, rational proofs where Arthur runs in logarithmic time. Our new rational proofs are very practical. Not only are they much faster than their classical analogues, but they also provide very tangible incentives for the expert to be honest. Arthur only needs a polynomial-size budget, yet he can penalize Merlin by a large quantity if he deviates from the truth. 1.

Abstract not found

Rational proofs, recently introduced by Azar and Micali (STOC 2012), are a variant of interactive proofs in which the prover is neither honest nor malicious, but rather rational. The advantage of rational proofs over their classical counterparts is that they allow for extremely low communication and verification time. Azar and Micali demonstrated their potential by giving a one message rational proof for #SAT, in which the verifier runs in time O(n), where n denotes the instance size. In a follow-up work (EC 2013), Azar and Micali proposed “super-efficient ” and interactive versions of rational proofs and argued that they capture precisely the class TC0 of constant-depth, polynomial-size circuits with threshold gates. In this paper, we show that by considering rational arguments, in which the prover is additionally restricted to be computationally bounded, the class NC1, of search problems computable by log-space uniform circuits of O(logn)-depth, admits rational protocols that are simultaneously one-round and polylog(n) time verifiable. This demonstrates the potential of rational arguments as a way to extend the notion of “super-efficient " rational proofs beyond the class TC0. The low interaction nature of our protocols, along with their sub-linear verification time, make them well suited for delegation of computation. While they provide a weaker (yet arguably meaningful)

Consider a weak client that wishes to delegate computation to an untrusted server and be able to succinctly verify the correctness of the result, all within one round of interaction. We provide solutions for two relaxed variants of this problem. Specifically: • We consider a model where the client delegates the computation to two or more servers, and is guaranteed to output the correct answer as long as even a single server is honest. We call this model Refereed Delegation of Computation (RDoC). In this model, we show a 1-round unconditionally statistically sound protocol for any log-space uniform N C circuit. In contrast, all known oneround delegation protocols with a single server are only computationally sound. • We consider a model with a non-succinct offline stage and pubic verifiability. (Previously, this model was considered only with private verifiability, namely the client has to maintain some secret local information pertaining to the offline stage [Gennaro et al., CRYPTO 2010]). Public verifiability does away with the secret state, and so allows delegating the offline stage to a “semi-trusted” external third party that is potentially used by many clients, even mutually suspicious ones. It also allows for a stronger, more adaptive notion of soundness.

Abstract: Let C be a (fan-in 2) Boolean circuit of size s and depth d, and let x be an input for C. Assume that a verifier, that knows C but does not know x, can access the low-degree extension of x at one random point. Two competing provers try to convince the verifier that C(x) = 0 and C(x) = 1, respectively, and it is assumed that one of the provers is honest. For any r ≥ 1, we construct1 an r-round protocol with communication complexity d1/r poly log(s) that convinces the verifier of the correct value of C(x) (with small probability of error). In particular, when we allow only one round, the protocol exchanges d ·poly log(s) bits, and when we allow r = O(log(d)/log log(s)) rounds, the protocol exchanges only poly log(s) bits. Moreover, the complexity of the verifier and the honest prover in this protocol is poly(s), and if in addition the circuit is log(s)-space uniform, the complexity of the verifier is d1/r poly log(s). The protocol is obtained by combining the delegation protocol of Goldwasser, Kalai, and Rothblum (STOC 2008), the competing-provers protocols of Feige and Kilian (STOC 1997), and some new techniques. We suggest two applications of these results: