Two 1-Round Protocols for Delegation of Computation

Consider a weak client that wishes to delegate computation to an untrusted server and be able to succinctly verify the correctness of the result, all within one round of interaction. We provide solutions for two relaxed variants of this problem. Specifically: • We consider a model where the client delegates the computation to two or more servers, and is guaranteed to output the correct answer as long as even a single server is honest. We call this model Refereed Delegation of Computation (RDoC). In this model, we show a 1-round unconditionally statistically sound protocol for any log-space uniform NC circuit. In contrast, all known oneround delegation protocols with a single server are only computationally sound. • We consider a model with a non-succinct offline stage and pubic verifiability. (Previously, this model was considered only with private verifiability, namely the client has to maintain some secret local information pertaining to the offline stage [Gennaro et al., CRYPTO 2010]). Public verifiability does away with the secret state, and so allows delegating the offline stage to a “semi-trusted” external third party that is potentially used by many clients, even mutually suspicious ones. It also allows for a stronger, more adaptive notion of soundness. In this model we show a 1-round computationally-sound protocol for any circuit C, even a nonuniform one. The client runs in time poly(log(size(C)), depth(C)), and soundness is guaranteed assuming the existence of collisions resistant hashing and poly-logarithmic PIR. Previously, publicly verifiable one round delegation protocols were known only for functions in log-space uniform NC. ∗Boston University and Tel Aviv University, [email protected]. †Tel Aviv University, [email protected]. ‡Microsoft Research, Silicon Valley Campus, [email protected].