## Time-Optimal Interactive Proofs for Circuit Evaluation

Citations: 16 (2 self)

### Citations

519 | Fast probabilistic algorithms for verification of polynomial identities - Schwartz - 1980 |

360 | Computational Complexity: A Modern Approach. - Arora, Barak - 2009 |

338 | Algebraic methods for interactive proof systems. - Lund, Fortnow, et al. - 1992 |
Citation Context: ...x) for all x ∈ {0,1}^d. 3 Time-Optimal Protocols for Circuit Evaluation 3.1 Technical Background 3.1.1 Sum-Check Protocol. Our main technical tool is the well-known sum-check protocol of Lund et al. [27], and we briefly describe this protocol and summarize the properties that are most important in our analysis. Suppose we are given a v-variate polynomial g defined over a finite field F, such that deg...

220 | Non-interactive verifiable computing: Outsourcing computation to untrusted workers - Gennaro, Gentry, et al. - 2010 |
Citation Context: ... on the development of protocols targeted at specific problems (e.g. [2,5,16]). Other works have focused on the development of general-purpose argument systems. Several papers in this direction (e.g. [8, 10, 11, 18]) have used fully homomorphic encryption, which unfortunately remains impractical despite substantial recent progress. Work in this category by Chung et al. [10] focuses on streaming settings, and i...

208 | A fully homomorphic encryption scheme - Gentry - 2009 |

113 | Delegating computation: Interactive proofs for muggles. - Goldwasser, Kalai, et al. - 2008 |
Citation Context: ... an answer with a guarantee of correctness, compared to returning an answer with no guarantee. We describe a refinement of a powerful interactive proof protocol due to Goldwasser, Kalai, and Rothblum [20]. Cormode, Mitzenmacher, and Thaler [14] show how to implement the prover in this protocol in time O(S log S), where S is the size of an arithmetic circuit computing the function of interest. Our refine...

84 | On the all-pairs-shortest-path problem in unweighted undirected graphs. - Seidel - 1995 |

70 | Improved delegation of computation using fully homomorphic encryption. - Chung, Kalai, et al. - 2010 |
Citation Context: ... on the development of protocols targeted at specific problems (e.g. [2,5,16]). Other works have focused on the development of general-purpose argument systems. Several papers in this direction (e.g. [8, 10, 11, 18]) have used fully homomorphic encryption, which unfortunately remains impractical despite substantial recent progress. Work in this category by Chung et al. [10] focuses on streaming settings, and i...

69 | Pinocchio: Nearly practical verifiable computation - Parno, Howell, et al. - 2013 |
Citation Context: ... on avoiding their use [3,6,7,19]. In particular, Gennaro et al. [19] and Bitansky et al. [9] develop argument systems with a clear focus on implementation potential. Very recent work by Parno et al. [28] describes a near-practical general-purpose implementation, called Pinocchio, of an argument system based on [19]. Pinocchio is additionally non-interactive and achieves public verifiability. Another ...

64 | Fast probabilistic algorithms - Freivalds - 1979 |
Citation Context: ...usage for the prover up to leading constants, assuming there is no O(n^2) time algorithm for matrix multiplication. While these properties are also satisfied by a classic protocol due to Freivalds [17], the protocol of Theorem 3 is significantly more amenable for use as a primitive when verifying computations that repeatedly invoke matrix multiplication. We complement Theorem 3 with experimental re...

62 | From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. Cryptology ePrint Archive - Bitansky, Canetti, et al. - 2011 |
Citation Context: ...– such PCPs can be compiled into efficient interactive arguments. As short PCPs are often a bottleneck in the development of efficient argument systems, other works have focused on avoiding their use [3,6,7,19]. In particular, Gennaro et al. [19] and Bitansky et al. [9] develop argument systems with a clear focus on implementation potential. Very recent work by Parno et al. [28] describes a near-practical g...

55 | Homomorphic signatures for polynomial functions - Boneh, Freeman - 2011 |
Citation Context: ...ofs that are secure only against dishonest provers that run in polynomial time. A substantial body of work in this area has focused on the development of protocols targeted at specific problems (e.g. [2,5,16]). Other works have focused on the development of general-purpose argument systems. Several papers in this direction (e.g. [8, 10, 11, 18]) have used fully homomorphic encryption, which unfortunately ...

53 | Recursive composition and bootstrapping for SNARKs and proof-carrying data - Bitansky, Canetti, et al. - 2013 |
Citation Context: ...– such PCPs can be compiled into efficient interactive arguments. As short PCPs are often a bottleneck in the development of efficient argument systems, other works have focused on avoiding their use [3,6,7,19]. In particular, Gennaro et al. [19] and Bitansky et al. [9] develop argument systems with a clear focus on implementation potential. Very recent work by Parno et al. [28] describes a near-practical g...

46 | Verifiable delegation of computation over large datasets. - Benabbas, Gennaro, et al. - 2011 |
Citation Context: ...ofs that are secure only against dishonest provers that run in polynomial time. A substantial body of work in this area has focused on the development of protocols targeted at specific problems (e.g. [2,5,16]). Other works have focused on the development of general-purpose argument systems. Several papers in this direction (e.g. [8, 10, 11, 18]) have used fully homomorphic encryption, which unfortunately ...

45 | Thrust: A parallel template library, 2010. Version 1.3.0 - Hoberock, Bell |

42 | Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. - Lipmaa - 2011 |

38 | Practical verified computation with streaming interactive proofs. - Cormode, Mitzenmacher, et al. - 2012 |
Citation Context: ...ss, compared to returning an answer with no guarantee. We describe a refinement of a powerful interactive proof protocol due to Goldwasser, Kalai, and Rothblum [20]. Cormode, Mitzenmacher, and Thaler [14] show how to implement the prover in this protocol in time O(S log S), where S is the size of an arithmetic circuit computing the function of interest. Our refinements apply to circuits with sufficientl...

35 | Short pairing-based non-interactive zero-knowledge arguments. - Groth - 2010 |

35 | Making argument systems for outsourced computation practical (sometimes - Setty, McPherson, et al. - 2012 |

29 | Memory delegation - Chung, Kalai, et al. |
Citation Context: ... on the development of protocols targeted at specific problems (e.g. [2,5,16]). Other works have focused on the development of general-purpose argument systems. Several papers in this direction (e.g. [8, 10, 11, 18]) have used fully homomorphic encryption, which unfortunately remains impractical despite substantial recent progress. Work in this category by Chung et al. [10] focuses on streaming settings, and i...

29 | Publicly verifiable delegation of large polynomials and matrix computations, with applications - Fiore, Gennaro - 2012 |
Citation Context: ...ofs that are secure only against dishonest provers that run in polynomial time. A substantial body of work in this area has focused on the development of protocols targeted at specific problems (e.g. [2,5,16]). Other works have focused on the development of general-purpose argument systems. Several papers in this direction (e.g. [8, 10, 11, 18]) have used fully homomorphic encryption, which unfortunately ...

26 | Verifying computations with streaming interactive proofs. - Cormode, Thaler, et al. - 2011 |
Citation Context: ...ccur, for example, while the client is uploading data to the cloud), keeping only a very small summary of the data set. The interactive version of this model was introduced by Cormode, Thaler, and Yi [15], who observed that many protocols from the interactive proofs literature, including the GKR protocol, can be made to work in this restrictive setting. The observations of [15] imply that all of our p...

26 | Taking proof-based verified computation a few steps closer to practicality - Setty, Vu, et al. - 2012 |
Citation Context: ...ore general protocol described in Theorem 1, and allows for direct comparison with prior implementation work that also evaluated general-purpose protocols via their performance on the MATMULT problem [14, 28, 32, 33, 35, 37]. The main takeaways of our experiments are as follows. When Theorem 1 is applicable, the prover in the resulting protocol is 200x-250x faster than the previous state of the art implementation of the ...

25 | Fast reductions from RAMs to delegatable succinct constraint satisfaction problems. - Ben-Sasson, Chiesa, et al. - 2013 |
Citation Context: ...– such PCPs can be compiled into efficient interactive arguments. As short PCPs are often a bottleneck in the development of efficient argument systems, other works have focused on avoiding their use [3,6,7,19]. In particular, Gennaro et al. [19] and Bitansky et al. [9] develop argument systems with a clear focus on implementation potential. Very recent work by Parno et al. [28] describes a near-practical g...

25 | Efficient arguments without short PCPs. - Ishai, Kushilevitz, et al. - 2007 |
Citation Context: .... Another line of implementation work focusing on general-purpose interactive argument systems is due to Setty et al. [31–33]. This line of work begins with a base argument system due to Ishai et al. [23], and substantially refines the theory to achieve an implementation that approaches practicality. The most recent system in this line of work is called Zaatar [33], and is also based on the work of Ge...

25 | Resolving the conflict between generality and plausibility in verified computation. - Setty, Braun, et al. - 2013 |
Citation Context: ... argument system due to Ishai et al. [23], and substantially refines the theory to achieve an implementation that approaches practicality. The most recent system in this line of work is called Zaatar [33], and is also based on the work of Gennaro et al. [19]. An empirical comparison of the GKR-based approach and Zaatar performed by Vu et al. [37] finds the GKR approach to be significantly more efficie...

25 | A hybrid architecture for interactive verifiable computation. - Vu, Setty, et al. - 2013 |
Citation Context: ... and verifier efficiency are taken into account. In brief, existing implementations of interactive proof protocols for circuit evaluation require that the circuit have a highly regular wiring pattern [14,37]. If this is not the case, then these implementations require the verifier to perform an expensive (though data-independent) preprocessing phase to pull out information about the wiring of the circuit...

19 | Succinct non-interactive arguments via linear interactive proofs. - Bitansky, Chiesa, et al. - 2013 |
Citation Context: ...s short PCPs are often a bottleneck in the development of efficient argument systems, other works have focused on avoiding their use [3,6,7,19]. In particular, Gennaro et al. [19] and Bitansky et al. [9] develop argument systems with a clear focus on implementation potential. Very recent work by Parno et al. [28] describes a near-practical general-purpose implementation, called Pinocchio, of an argum...

19 | Annotations in data streams. - Chakrabarti, Cormode, et al. - 2012 |

16 | Verifiable computation with massively parallel interactive proofs - Thaler, Roberts, et al. - 2012 |
Citation Context: ...circuit locally); they also demonstrated surprising scalability for the prover, although the prover’s runtime remained a major bottleneck. With the implementation of [14] as a baseline, Thaler et al. [35] described a parallel implementation of the GKR protocol that achieved 40x-100x speedups for the prover and 100x speedups for the (already fast) implementation of the verifier. Vu, Setty, Blumberg, an...

14 | Streaming graph computations with a helpful advisor. - Cormode, Mitzenmacher, et al. - 2013 |
Citation Context: ...tting. The observations of [15] imply that all of our protocols also work with streaming verifiers. Non-interactive variants of the streaming interactive proofs model have also been studied in detail [12, 13, 22, 25]. Work on Argument Systems. There has been a lot of work on the development of efficient interactive arguments, which are essentially interactive proofs that are secure only against dishonest provers ...

12 | Succinct arguments from multi-prover interactive proofs and their efficiency benefits - Bitansky, Chiesa - 2012 |

11 | Arthur-Merlin Streaming Complexity. - Gur, Raz - 2013 |
Citation Context: ...tting. The observations of [15] imply that all of our protocols also work with streaming verifiers. Non-interactive variants of the streaming interactive proofs model have also been studied in detail [12, 13, 22, 25]. Work on Argument Systems. There has been a lot of work on the development of efficient interactive arguments, which are essentially interactive proofs that are secure only against dishonest provers ...

11 | A probabilistic algorithm for verifying matrix products using o(n^2) time and log_2 n + o(1) random bits - Kimbrel, Sinha - 1993 |
Citation Context: ...ifiers. In Freivalds’ algorithm, V has to store the random vector x, which requires Ω(n) space. There are methods to reduce V’s space usage by generating x with limited randomness: Kimbrel and Sinha [24] show how to reduce V’s space to O(log n), but their solution does not work if V must make a streaming pass over arbitrarily ordered input. Chakrabarti et al. [12] extend the method of Kimbrel and Sinh...

10 | On the concrete-efficiency threshold of probabilistically-checkable proofs. - Ben-Sasson, Chiesa, et al. - 2013 |
Citation Context: ...re particularly relevant. Several research teams have been pursuing the development of general-purpose argument systems that might be suitable for practical use. Theoretical work by Ben-Sasson et al. [4] focuses on the development of short PCPs that might be suitable for use in practice – such PCPs can be compiled into efficient interactive arguments. As short PCPs are often a bottleneck in the devel...

7 | Delegating Computation Reliably: Paradigms and Constructions - Rothblum - 2009 |

6 | Streaming Computations With a Loquacious Prover. - Klauck, Prakash - 2013 |
Citation Context: ...tting. The observations of [15] imply that all of our protocols also work with streaming verifiers. Non-interactive variants of the streaming interactive proofs model have also been studied in detail [12, 13, 22, 25]. Work on Argument Systems. There has been a lot of work on the development of efficient interactive arguments, which are essentially interactive proofs that are secure only against dishonest provers ...

3 | Computing the diameter polynomially faster than APSP - Yuster - 2010 |
Citation Context: ...s diameter protocol is O(m log n), where m is the number of edges in G. P’s runtime in the above diameter protocol matches the best known unverifiable diameter algorithm up to a low-order additive term [30, 38], and the communication is just polylog(n). We know of no other protocol achieving this. In many settings, practitioners will not tolerate even a 2x slowdown to achieve verifiability, so the fact that...

1 | Quadratic span programs and succinct NIZKs without PCPs - Gennaro, Gentry, et al. - 2013 |

1 | Pinocchio: nearly practical verifiable computation - ACM - 1992 |

1 | Source code. Available online at http://people.seas.harvard.edu/~jthaler/Tcode.htm - Thaler |

1 | Source Code for Time-Optimal interactive proofs for circuit evaluation. Available online at http://people.seas.harvard.edu/~jthaler/Tcode.htm - Thaler - 2012 |