TR11-122 Authors: Gillat Kol, Ran Raz

Publication: 14th September 2011 18:42

Downloads: 3266

Keywords:

Let $C$ be a (fan-in $2$) Boolean circuit of size $s$ and depth $d$, and let $x$ be an input for $C$. Assume that a verifier that knows $C$ but doesn't know $x$ can access the low degree extension of $x$ at one random point. Two competing provers try to convince the verifier that $C(x)=0$ and $C(x)=1$, respectively, and assume that one of the provers is honest.

For any $r\geq1$, we give an $r$ rounds protocol with communication complexity $d^{\frac{1}{r}}\cdot polylog\left(s\right)$ that convinces the verifier in the correct value of $C(x)$ (with small probability of error). In particular, when we allow only one round, the protocol exchanges $d\cdot polylog(s)$ bits, and when we allow $r=O\left(\frac{\log\left(d\right)}{\log\log\left(s\right)}\right)$ rounds, the protocol exchanges only $polylog\left(s\right)$ bits.

Moreover, the complexity of the verifier and honest provers in this protocol is $poly(s)$, and if in addition the circuit is $\log(s)$-space uniform, the complexity of the verifier is $d^{\frac{1}{r}}\cdot polylog\left(s\right)$.

The protocol is obtained by combining the delegation protocol of Goldwasser, Kalai and Rothblum and the competing provers protocols of Feige and Kilian and some new techniques.

We suggest two applications of these results:

Delegating computation to competing clouds: The main motivation behind the protocol of GKR was delegating computation to a cloud. Using our new protocol, a verifier can delegate computation to two (or more) competing clouds. If at least one of the clouds is reliable the verifier can trust that the computation is correct (with high probability). The advantage over the protocol of GKR is that the communication complexity and the number of rounds in our protocol are significantly lower.

Communication complexity with competing provers, and circuit lower bounds: Aaronson and Wigderson suggested the model of communication complexity with competing provers, where two competing provers try to convince two players that $f(x,y)=0$ and $f(x,y)=1$, respectively, where $x$ is an input held by the first player and $y$ is an input held by the second player. By scaling down the competing provers protocols of Feige and Kilian, they showed that strong enough lower bounds for the communication complexity of $f$, in this model, imply lower bounds for the computational complexity of $f$.

Our results strengthen this connection. More precisely, we show that if $f$ can be computed by a Boolean circuit of size $s$ and depth $d$ then for any $r\geq1$ there is an $r$ rounds protocol for $f$, in this model, with communication complexity $d^{\frac{1}{r}}\cdot polylog\left(s\right)$. This can be viewed as a possible direction towards proving circuit lower bounds. For instance, in order to prove $f\notin NC$, it suffices to show that any one round protocol for $f$, in this model, requires the exchange of $\omega\left(polylog (n)\right)$ bits. This gives a relatively simple combinatorial property that implies strong circuit lower bounds.