Results 1 
4 of
4
Rational arguments: Single round delegation with sublinear verification
 In Proceedings of the 5th Conference on Innovations in Theoretical Computer Science, ITCS ’14
, 2014
"... Rational proofs, recently introduced by Azar and Micali (STOC 2012), are a variant of interactive proofs in which the prover is neither honest nor malicious, but rather rational. The advantage of rational proofs over their classical counterparts is that they allow for extremely low communication and ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
Rational proofs, recently introduced by Azar and Micali (STOC 2012), are a variant of interactive proofs in which the prover is neither honest nor malicious, but rather rational. The advantage of rational proofs over their classical counterparts is that they allow for extremely low communication and verification time. Azar and Micali demonstrated their potential by giving a one message rational proof for #SAT, in which the verifier runs in time O(n), where n denotes the instance size. In a followup work (EC 2013), Azar and Micali proposed “superefficient ” and interactive versions of rational proofs and argued that they capture precisely the class TC0 of constantdepth, polynomialsize circuits with threshold gates. In this paper, we show that by considering rational arguments, in which the prover is additionally restricted to be computationally bounded, the class NC1, of search problems computable by logspace uniform circuits of O(logn)depth, admits rational protocols that are simultaneously oneround and polylog(n) time verifiable. This demonstrates the potential of rational arguments as a way to extend the notion of “superefficient " rational proofs beyond the class TC0. The low interaction nature of our protocols, along with their sublinear verification time, make them well suited for delegation of computation. While they provide a weaker (yet arguably meaningful)
Proofs of Space: When Space is of the Essence
"... Abstract. Proofs of computational effort were devised to control denial of service attacks. Dwork and Naor (CRYPTO ’92), for example, proposed to use such proofs to discourage spam. The idea is to couple each email message with a proof of work that demonstrates the sender performed some computationa ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Proofs of computational effort were devised to control denial of service attacks. Dwork and Naor (CRYPTO ’92), for example, proposed to use such proofs to discourage spam. The idea is to couple each email message with a proof of work that demonstrates the sender performed some computational task. A proof of work can be either CPUbound or memorybound. In a CPUbound proof, the prover must compute a CPUintensive function that is easy to check by the verifier. A memorybound proof, instead, forces the prover to access the main memory several times, effectively replacing CPU cycles with memory accesses. In this paper we put forward a new concept dubbed proof of space. To compute such a proof, the prover must use a specified amount of space, i.e., we are not interested in the number of accesses to the main memory (as in memorybound proof of work) but rather on the amount of actual memory the prover must employ to compute the proof. We give a complete and detailed algorithmic description of our model. We develop a comprehensive theoretical analysis which uses combinatorial tools from Complexity Theory (such as pebbling games) which are essential in studying space lower bounds.
Two 1Round Protocols for Delegation of Computation
, 2011
"... Consider a weak client that wishes to delegate computation to an untrusted server and be able to succinctly verify the correctness of the result, all within one round of interaction. We provide solutions for two relaxed variants of this problem. Specifically: • We consider a model where the client d ..."
Abstract
 Add to MetaCart
Consider a weak client that wishes to delegate computation to an untrusted server and be able to succinctly verify the correctness of the result, all within one round of interaction. We provide solutions for two relaxed variants of this problem. Specifically: • We consider a model where the client delegates the computation to two or more servers, and is guaranteed to output the correct answer as long as even a single server is honest. We call this model Refereed Delegation of Computation (RDoC). In this model, we show a 1round unconditionally statistically sound protocol for any logspace uniform N C circuit. In contrast, all known oneround delegation protocols with a single server are only computationally sound. • We consider a model with a nonsuccinct offline stage and pubic verifiability. (Previously, this model was considered only with private verifiability, namely the client has to maintain some secret local information pertaining to the offline stage [Gennaro et al., CRYPTO 2010]). Public verifiability does away with the secret state, and so allows delegating the offline stage to a “semitrusted” external third party that is potentially used by many clients, even mutually suspicious ones. It also allows for a stronger, more adaptive notion of soundness.
cb Licensed under a Creative Commons Attribution License (CCBY) DOI: 10.4086/toc.2014.v010a005
, 2011
"... Abstract: Let C be a (fanin 2) Boolean circuit of size s and depth d, and let x be an input for C. Assume that a verifier, that knows C but does not know x, can access the lowdegree extension of x at one random point. Two competing provers try to convince the verifier that C(x) = 0 and C(x) = 1, ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract: Let C be a (fanin 2) Boolean circuit of size s and depth d, and let x be an input for C. Assume that a verifier, that knows C but does not know x, can access the lowdegree extension of x at one random point. Two competing provers try to convince the verifier that C(x) = 0 and C(x) = 1, respectively, and it is assumed that one of the provers is honest. For any r ≥ 1, we construct1 an rround protocol with communication complexity d1/r poly log(s) that convinces the verifier of the correct value of C(x) (with small probability of error). In particular, when we allow only one round, the protocol exchanges d ·poly log(s) bits, and when we allow r = O(log(d)/log log(s)) rounds, the protocol exchanges only poly log(s) bits. Moreover, the complexity of the verifier and the honest prover in this protocol is poly(s), and if in addition the circuit is log(s)space uniform, the complexity of the verifier is d1/r poly log(s). The protocol is obtained by combining the delegation protocol of Goldwasser, Kalai, and Rothblum (STOC 2008), the competingprovers protocols of Feige and Kilian (STOC 1997), and some new techniques. We suggest two applications of these results: