Non-Cooperative Rational Interactive Proofs

Interactive-proof games model the scenario where an honest party interacts with powerful but strategic provers, to elicit from them the correct answer to a computational question. Interactive proofs are increasingly used as a framework to design protocols for computation outsourcing. Existing interactive-proof games largely fall into two categories: either as games of cooperation such as multi-prover interactive proofs and cooperative rational proofs, where the provers work together as a team; or as games of conflict such as refereed games, where the provers directly compete with each other in a zero-sum game. Neither of these extremes truly capture the strategic nature of service providers in outsourcing applications. How to design and analyze non-cooperative interactive proofs is an important open problem. In this paper, we introduce a mechanism-design approach to define a multi-prover interactive-proof model in which the provers are rational and non-cooperative - they act to maximize their expected utility given others\u27 strategies. We define a strong notion of backwards induction as our solution concept to analyze the resulting extensive-form game with imperfect information. We fully characterize the complexity of our proof system under different utility gap guarantees. (At a high level, a utility gap of u means that the protocol is robust against provers that may not care about a utility loss of 1/u.) We show, for example, that the power of non-cooperative rational interactive proofs with a polynomial utility gap is exactly equal to the complexity class P^{NEXP}

Verifiable computation using multiple provers

The increasing ubiquity of the cloud computing paradigm has renewed focus on the classical problem of allowing weak clients to check the results of computation delegated to powerful servers. Recent advances in proof-based verifiable computation have led to several near-practical protocols. Protocols based on interactive proofs (IPs) work with highly restrictive models of computation and are thus efficient only for a limited class of computations. In contrast, protocols based on argument systems apply to a much larger class of computations, but efficiency requires amortization of very expensive setup costs. This paper initiates the study of the practical efficiency of multiprover interactive proofs (MIPs). We present a new MIP for delegating computation that extends insights from a powerful IP protocol (Goldwasser et al., STOC, 2008). Without reductions or amplification, our protocol uses only two provers (departing from prior work on MIPs), and achieves both the efficiency of interactive proof-based protocols and the generality of argument system-based protocols. Also, this result, together with recently developed machinery, creates a potential avenue toward concretely efficient arguments without setup costs. We describe Clover, a built system for verifiable computation, based on our protocol. Although Clover does not implement the full theory (it has setup costs), it applies to problems that existing IPs cannot efficiently handle, and achieves performance comparable to, or better than, the best argument systems

Competing Provers Protocols for Circuit Evaluation ∗

Let C be a (fan-in 2) Boolean circuit of size s and depth d, and let x be an input for C. Assume that a verifier that knows C but doesn’t know x can access the low degree extension of x at one random point. Two competing provers try to convince the verifier that C(x) = 0 and C(x) = 1, respectively, and assume that one of the provers is honest. For any r ≥ 1, we give an r rounds protocol with communication complexity d 1 r polylog (s) that convinces the verifier in the correct value of C(x) (with small probability of error). In particular, when we allow only one round, the protocol exchanges d · polylog (s) bits, and when we allow r = O rounds, the protocol exchanges only log(d) loglog(s) polylog (s) bits. Moreover, the complexity of the verifier and honest provers in this protocol is poly(s), and if in addition the circuit is log(s)-space uniform, the complexity of the verifier is d 1 r polylog (s). 1 The protocol is obtained by combining the delegation protocol of Goldwasser, Kalai and Rothblum [5] and the competing provers protocols of Feige and Kilian [3] and some new techniques. We suggest two applications of these results: Delegating computation to competing clouds: The main motivation behind the protocol of [5] was delegating computation to a cloud. Using our new protocol, a verifier can delegate computation to two (or more) competing clouds. If at least one of the clouds is reliable the verifier can trust that the computation is correct (with high probability). The advantage over the protocol of [5] is that the communication complexity and the number of rounds in our protocol are significantly lower. Communication complexity with competin