1 Introduction

The availability of on-demand computational power and the ubiquitous connectivity of small devices are some of the main driving forces behind the move to the model of cloud computing. In this model a client faces a computationally demanding task and relies on the assistance of an external server with sufficient computational power, e.g. a cluster of machines. When the weak client asks the powerful server to perform a computation on its behalf it would like to have some guarantees on the correctness of the provided result. This scenario is addressed by the model of verifiable delegation of computation. In this setting, the server provides the client with the result of the computation together with a proof of its correctness. Since the client must be able to verify the proof despite its limited computational resources, the verification should be much easier than running the computation itself, or else there is no point in outsourcing it.

Interactive Proofs and Arguments. A setting where an all-powerful entity aims to convince a computationally bounded one of the correctness of a computational statement was studied in the context of interactive proof systems. In this model interaction and randomization enable the prover to efficiently convince the verifier. The \(\mathrm{IP}= \mathrm{PSPACE}\) theorem [22, 28] showed that it is possible for the prover to convince the verifier about large classes of languages, in particular any language computable in polynomial time. However, this result is not efficient enough to be practically applicable to the problem of verifiable delegation. In this context, one aims to minimize multiple complexity measures at once, such as communication complexity (both in the number and size of exchanged messages), running time of the verifier and prover efficiency.

For higher complexity classes, the round-complexity/prover-efficiency of interactive proofs is a limiting factor to their use in practice. The notion of interactive arguments considers a setting where the prover is computationally bounded, which makes it possible to circumvent these efficiency shortcomings. The work of Kilian [20] gave four-round interactive arguments for all languages in \(\mathrm{NP}\). Micali [23], relying on random oracles, proposed a non-interactive version of this protocol. More recently, there has been significant effort to obtain more efficient non-interactive arguments for \(\mathrm{NP}\) (see e.g. [5, 10] and the references therein). One limitation of all such known constructions is that they are based on non-standard assumptions (cf. [24]). The problem of constructing efficient non-interactive arguments for \(\mathrm{NP}\) under standard assumptions is still open, though there is some evidence that non-standard assumptions are unavoidable [13].

Unlike in the case of arguments for non-deterministic computation, the situation for tractable languages (which actually correspond to problems common in real-life delegation scenarios) is significantly better. The first evidence that one can attain delegation schemes for restricted complexity classes is the work of Goldwasser et al. [14], who gave a single-round argument that allows to verifiably delegate any bounded depth computation with quasi-linear verification time. Recently, the work of Kalai et al. [18] achieved a single-round argument (under standard assumptions) with quasi-linear verification time for any language in \(\mathrm{P}\).

In some scenarios quasi-linear verification time may not be good enough. For instance, if the input \(x\in \{0,1\}^n\) is a large database and the output \(f(x)\) of the outsourced computation is a concise aggregation of its statistics, then it is desirable that the verifier does not need to read the whole database to verify correctness. In such cases one would prefer to have a delegation scheme with verification time sublinear in the input size n, preferably even as low as \(\mathrm {polylog}(n)\). As was pointed out in the literature, delegation schemes with sublinear verification are in general not achievable with respect to the standard notion of soundness (cf. Rothblum et al. [27]), which led to the introduction of alternative relaxed models that would enable sublinear verification time.

Rational Proofs and Arguments. One recent notion that opens the door for sublinear verification is that of rational arguments [15]. This model follows the paradigm of rational proofs introduced by Azar and Micali [2], who relax the prover in interactive proof systems to be rational. In rational proofs the verifier pays the prover according to the quality of the provided answer, and the reward is set up so that it is irrational for the prover to report an incorrect result of the computation. Azar and Micali [2] illustrated the power of rational proofs by giving a single-round rational proof for any problem in \(\mathrm{\#P}\) and in general a constant round rational proof for any level of the counting hierarchy. In subsequent work, Azar and Micali [3] gave a “scaled-down” version of their \(\mathrm{\#P}\)-protocol that leads to constant round rational interactive proof with sublinear (\(O(\log n)\) time) verification for the class of log-time uniform \(\mathrm{TC}^0\), i.e., the class of constant-depth, log-time uniform polynomial-size circuits with threshold gates. They also argue that such efficient rational proofs capture precisely the class of log-time uniform \(\mathrm{TC}^0\).

More recently, Guo et al. [15] put forward the notion of rational arguments, by further restricting the rational prover to be computationally bounded. They then showed how to construct single-round rational arguments with sublinear (\(\mathrm {polylog}(n)\) time) verification for the class \(\mathrm{NC}^1\), of search problems computable by log-time uniform Boolean circuits of \(O(\log n)\)-depth.

1.1 Our Results

We extend the results of Guo et al. [15] and give a single-round rational argument with sublinear (\(\mathrm {polylog}(n)\) time) verification for any language in \(\mathrm{P}\). Our initial observation is that both the non-interactive arguments for \(\mathrm{NC}\) of Goldwasser et al. [14] and the non-interactive arguments for \(\mathrm{P}\) of Kalai et al. [18] have for the most part sublinear verification time, with the exception of a single heavy verification step that ultimately induces quasi-linear running time for the verifier. If we could substitute this step by a more efficient procedure that does not dominate the rest of the protocol then we would achieve sublinear verification time.

Our proposal is to use a rational proof with sublinear verification for the heavy step and get a rational version of the original protocol which enjoys sublinear verification time. There are two main issues that we will need to address: (1) construct sublinear rational proofs for the heavy step; (2) argue how the rationality can be preserved under composition.

Our main contribution is the introduction of rational sumcheck protocols, which are a relaxation of classical sumchecks, a crucial building block for interactive proofs. To show that our approach yields the desired result, we pin down sufficient conditions for our transformation to work and prove that the protocol of Goldwasser et al. [14] (respectively Kalai et al. [18]), with the rational sumcheck replacing the heavy step, yields the sought after rational argument for \(\mathrm{NC}\) (respectively for \(\mathrm{P}\)).

It should be noted that our main efficiency gains are not due to the fact that rational sumcheck protocols are more efficient than their classical counterparts (though we do gain some efficiency by making sumcheck protocols non-interactive). Indeed, one of the key observations behind the works on efficient delegation [14, 18] is that one could verify correctness of computation via very efficient sumcheck protocols. The one place where rational sumcheck protocols turn out to be more useful than classical ones is at the input layer, where usage of the latter would entail a total break-down of soundness.

We show that a rational version of sumcheck protocols is in fact sufficient to carry out verification, even without reading the entire input. This is something that was not possible to achieve using classical sumcheck protocols, since the input layer does not satisfy the structural properties (low-degree) that would guarantee soundness when verifying via classical sumchecks. Our (equally efficient) rational sumcheck protocols, on the other hand, give a meaningful soundness guarantee even when such structural properties are absent.

Sumcheck Protocols. At a high level, a classical sumcheck protocol allows the verifier to check a sum of evaluations of a given low-degree polynomial \(h:\mathbb F_{q}^{m}\rightarrow \mathbb F_{q}\) on a certain subset \(S\subset \mathbb F_{q}^{m}\) of its domain (e.g. \(S=\{0,1\}^m\)). The source of the protocol’s power is that it makes it sufficient for the verifier to evaluate h on a single randomly chosen point \(p\in \mathbb F_q^m\), rather than on the entire subset S. This results in significant efficiency gains, since instead of requiring the evaluation of h on |S| points it reduces the problem of verification to the evaluation on a single point (at the cost of \(m=\log (|S|)\) rounds of communication).

Previous works on delegation [14, 18] make extensive use of sumcheck protocols in order to efficiently verify the low degree extensions \(\tilde{W}\) of intermediate levels of computation. Specifically, it is possible to write \(\tilde{W}(z) = \sum _{p\in S} \beta _{z}(p) W(p),\) where \(\beta _{z}(p)\) is a low-degree function and W(p) is an appropriate encoding of the corresponding level. This reduces the task of verifying the correctness of evaluating \(\tilde{W}\) on z to the problem of performing a sumcheck on individual inner summands \(\beta _{z}(p) W(p)\). In intermediate levels of the computation, we are guaranteed that W is of low degree, and hence so is \(\beta _{z}(p) W(p)\). However, at the input level the function \(W(p)= W_x(p)\) corresponds to a straightforward bit-wise representation of the input \(x\in \{0,1\}^n\). The problem is that this representation might result in a high-degree polynomial. Not being of low degree, \(\beta _{z}(p) W_x(p)\) cannot be verified by a classical sumcheck protocol. This means that the input x needs to be read in its entirety, or else the protocol is not sound.

Rational Sumcheck Protocols. To circumvent the above issue, we leverage the power of rational proofs, in which soundness relies on rationality of the prover. We give a rational sumcheck protocol that makes it possible to efficiently verify summation of any function over a fixed set, as long as evaluating the function on a single point can be performed efficiently (see Sect. 3 for details). Not only does our rational sumcheck protocol preserve the efficiency of classical sumchecks, but it can also be performed without any communication overhead (it is in fact non-interactive). The main feature of rational sumchecks, however, is that they give a meaningful (rational) soundness guarantee even if the degree of the polynomial is high, which implies that unlike their classical counterparts they are also applicable at the input layer.

Technically speaking, the reason for which the new rational protocols work regardless of the polynomial’s degree is because the soundness analysis does not necessitate invoking the Schwartz-Zippel lemma. Instead, we rely on a specially-tailored reward function that is designed to translate sums of finite field elements to numerical values that are used to determine the reward. The challenge in designing the reward function originates from the fact that modular sums lose information about the summands, whereas the reward is required to reflect this information in its entirety.

Composition of Classical and Rational Interactive Proofs. To make the above fit into a general purpose protocol, we need to carefully show how to plug a rational subprotocol into a larger one while retaining rational soundness. To this end, we show a composition theorem for substituting oracle calls in an interactive proof by a rational protocol. This allows us to use the classical interactive proofs almost as a black-box. This approach may turn out to be useful elsewhere.

Putting the Pieces Together. At a high level, the structure of our construction of single-round rational arguments for \(\mathrm{P}\) follows the delegation scheme of Kalai et al. [18]. In particular, we define and construct \(\delta \)-no-signaling rational multi-prover proofs (\(\mathrm{RMIP}\)s) by using our composition theorem and relying on rational sumchecks as a subprotocol. We then show a general efficient transformation that uses any sub-exponentially secure Fully Homomorphic Encryption (FHE) scheme to transform no-signaling \(\mathrm{RMIP}\)s into single-round rational arguments (in a manner similar to Kalai et al. [18]). Crucial to our transformation is the reward gap of the underlying rational protocol, which roughly captures the utility loss of the prover as a result of misreporting the function’s value. Unlike early rational proofs of Azar and Micali [2] and akin to Guo et al. [15], both our sumchecks and the overall composed protocol enjoy noticeable reward gap. This is sufficient for the overall transformation to go through (enabling a reduction from the security of the FHE scheme), and results in the sought-after single-round rational argument for \(\mathrm{P}\) with sublinear verification time.

Beyond being of importance in the transformation from rational proofs to non-interactive rational arguments, noticeable reward gap is also crucial for incentivizing the prover to report the correct value of the computation, as otherwise he might be tempted to avoid performing the work while risking very little penalty (see Sect. 2 and Guo et al. [15] for an extended discussion of the subject).

1.2 Comparison to Alternative Delegation Schemes

The classical interactive proof for \(\mathrm{NC}\) of Goldwasser et al. [14] has quasi-linear verification time. The running time of the verifier in their protocol appears to be optimal in the standard model, in the sense that achieving sublinear verification time with standard soundness guarantee seems unlikely without reading the whole input (even for a simple function such as parity). To circumvent this limitation Rothblum et al. [27] considered interactive proofs of proximity, a relaxation of interactive proofs motivated by property testing, and show that it is possible to achieve sublinear verification for \(\mathrm{NC}\) in this new model (since the protocol does not need to provide soundness guarantee for all instances).

An alternative relaxation was studied by Azar and Micali [3] and Guo et al. [15]. These works considered delegation in the setting of rational proofs and proposed schemes with both sublinear verification (as small as polylogarithmic) and (rational) soundness guarantees, which in contrast to proofs of proximity hold for all instances. Whereas their protocols work only for \(\mathrm{NC}^1\), our new rational proof, which is a combination of classical and rational proofs, works for the entirety of \(\mathrm{NC}\) while preserving the desired properties of sublinear verification and rational soundness (see Table 1 for a detailed comparison). By composing classical and rational proofs, we obtain a rational multi-prover proof (secure against no-signaling provers) with sublinear verification for any deterministic computation akin to the classical proof of Kalai et al. [18] (see Table 2 for a detailed comparison). We remark that it is possible to transform the above classical proofs and rational proofs into one-round classical and rational arguments.

Table 1. Efficiency comparison of results for \(\mathrm{NC}\)
Table 2. Efficiency comparison of results for \(\mathrm{P}\)

1.3 Other Related Work

Giving a complete overview of works on verifiable delegation of computation is out of the scope of this paper; an interested reader can find many related results in the recent survey by Blumberg and Walfish [6].

An alternative approach for interactive proofs with sublinear verification was given in Rothblum et al. [27] who introduced interactive proofs of proximity and Gur and Rothblum [16] who considered their non-interactive analogues. Since both works studied a protocol analogue of property testing, their protocols provide guarantees only for instances that are either in the language or far from being in the language. Independently and in parallel to our work, Kalai and Rothblum [19] studied proofs of proximity with computationally bounded provers and introduced arguments of proximity.

Besides the mentioned works in the context of rational proofs, Zheng and Blanton [29] study the specific problem of delegating matrix multiplication and give also a rational argument for this task. The work of Chen et al. [9] introduces the model of rational interactive proofs with multiple provers.

Alternative approaches for incentivizing correct computation can be found in the work of Bentov and Kumaresan [21] who consider a model for incentivizing computation over Bitcoin. Alternatively, Belenkiy et al. [4] or Pham et al. [25] study a model where the verifier infrequently performs the whole computation to verify the correctness of prover’s output.

The treatment of general composition of rational protocols in scientific literature is limited. The work of Garay et al. [12] provides some insights on composition of protocols secure in the presence of a single central rational adversary. The framework of Canetti and Vald [8] studies a notion sufficient for preserving rationality under composition by imposing strong restrictions on the information available to distinct adversarial entities.

2 Preliminaries

Throughout the rest of the paper we use the following notation and definitions. For \(n\in \mathbb N\), let [n] denote the set \(\{1,\ldots ,n\}\). A function \(g:\mathbb N\rightarrow \mathbb R^{+}\) is negligible if it tends to 0 faster than any inverse polynomial, i.e., for all \(c\in \mathbb N\) there exists \(k_c\in \mathbb N\) such that for every \(k>k_c\) it holds that \(g(k)<k^{-c}\). We use \(\mathrm {negl}(\cdot )\) to denote a negligible function if we do not need to specify its name.

Rational Proofs. In a rational proof, Arthur pays Merlin a randomized reward according to the transcript of the communication, and the communication constitutes a rational Merlin Arthur game if the correct evaluation \(y=f(x)\) can be derived from a transcript that maximizes the expected reward.

For a pair of interactive Turing machines, P and V, we denote by \((P,V)(x)\) the random variable representing the transcript between P and V when interacting on common input x. Let \({\mathsf {reward}}(\cdot )\) denote a randomized function computed by V that given a transcript calculates a reward for P, and let \({\mathsf {output}}((P,V)(x))\) denote the output of V after interacting with P on common input x. In this setting, the goal of a rational P is to maximize the expected value of \({\mathsf {reward}}(\cdot )\), while the goal of V is to learn (and output) the true evaluation of the desired function f on x. We consider the setting where a rational prover first declares his answer to f(x), and only then tries to prove the correctness of the reported value.

Definition 1

[Functional Rational Merlin Arthur]. Let \(C,T:\mathbb N\rightarrow \mathbb R\) be some functions. A function \(f:\left\{ 0,1\right\} ^{*}\rightarrow \left\{ 0,1\right\} ^{*}\) is in \(\mathrm {FRMA}\left[ r,C,T\right] \) if there exists an r-round public-coin protocol \((P,V)\), referred to as rational proof, and a randomized reward function \({\mathsf {reward}}:\left\{ 0,1\right\} ^{*}\rightarrow \mathbb R_{\ge 0}\) such that for all inputs \(x\in \left\{ 0,1\right\} ^{*}\):

  (a) \(\Pr [{\mathsf {output}}((P,V)(x))=f(x)]=1\).

  (b) For every round i and for any prover \(P^*\) that misreports f(x), behaves as P up to round i and differs in the message of round i, it holds that: \( {{\mathrm{E}}}[{\mathsf {reward}}((P,V)(x))]>{{\mathrm{E}}}[{\mathsf {reward}}((P^*,V)(x))],\) where the expectation is taken over the random coins of the verifier and the prover.

  (c) The communication complexity of P is \(C\left( \left| x\right| \right) \).

  (d) The running time of V is \(T\left( \left| x\right| \right) \).

No-Signaling Provers. In this work we use the heuristic suggested by Aiello et al. [1] for transforming a multi-prover proof into a single round argument using an efficient Private Information Retrieval (PIR) scheme (or alternatively a Fully Homomorphic Encryption scheme), though in the rational setting. As pointed out in the work of Dwork et al. [11], the bottleneck when proving soundness of the resulting argument is the possibility for the prover to correlate the answers in an undetectable way. Such no-signaling strategies (introduced as “spooky interactions” in the work of Dwork et al. [11]) need to be accounted for in the proof of soundness, as shown in Kalai et al. [17].

Thus, we extend Definition 1 to the setting with multiple provers restricted to \(\delta \)-no-signaling strategies. In contrast to the classical multi-prover setting, where each prover strategy is completely independent of other provers’ queries, \(\delta \)-no-signaling strategies can be correlated as long as for any subset of provers their answers do not contain information about the queries of provers outside the subset.

Definition 2

(Statistically No-Signaling Distributions). Let D be a query alphabet and let \(\Sigma \) be an answer alphabet. For every \(q=(q_1,\ldots ,q_k)\in D^k\), let \(\mathcal {A}_q\) be a distribution over \(\Sigma ^k\). We think of \(\mathcal {A}_q\) as the distribution of the answers for queries q. We say that the family of distributions \(\{\mathcal {A}_q\}_{q\in D^k}\) is \(\delta \)-no-signaling if for every subset \(S\subset [k]\) and every two sequences of queries \(q,q' \in D^k\), such that \(q_S = q'_S\), the following two random variables are \(\delta \)-close: \(\{a_S: a \leftarrow \mathcal {A}_q\}\) and \(\{a'_S: a' \leftarrow \mathcal {A}_{q'}\}\).
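Definition 2 can be checked mechanically for small alphabets. The following is an added example, not part of the paper: it computes the smallest \(\delta \) for which a family \(\{\mathcal {A}_q\}\) is \(\delta \)-no-signaling, assuming that "\(\delta \)-close" means statistical (total variation) distance at most \(\delta \). The three two-prover families and all function names are constructed for illustration.

```python
from fractions import Fraction
from itertools import combinations, product

def marginal(dist, S):
    """Marginal of a distribution over answer tuples on the coordinates in S."""
    out = {}
    for a, pr in dist.items():
        key = tuple(a[i] for i in S)
        out[key] = out.get(key, Fraction(0)) + pr
    return out

def stat_dist(d1, d2):
    """Statistical (total variation) distance between two finite distributions."""
    keys = set(d1) | set(d2)
    return sum(abs(d1.get(k, 0) - d2.get(k, 0)) for k in keys) / 2

def no_signaling_delta(family, k):
    """Smallest delta such that the family {A_q} is delta-no-signaling.

    family maps each query tuple q in D^k to a dict {answer tuple: probability}.
    Only proper non-empty subsets S matter: for S = [k] the condition
    q_S = q'_S forces q = q', and for the empty S there is nothing to compare.
    """
    worst = Fraction(0)
    for r in range(1, k):
        for S in combinations(range(k), r):
            for q, q2 in combinations(list(family), 2):
                if all(q[i] == q2[i] for i in S):
                    d = stat_dist(marginal(family[q], S), marginal(family[q2], S))
                    worst = max(worst, d)
    return worst

def correlated_family():
    """Constructed example: answers are uniform subject to a1 XOR a2 = q1 AND q2.

    The answers are correlated across provers, yet each single answer is a
    uniform bit whatever the other prover was asked.
    """
    fam = {}
    for q in product((0, 1), repeat=2):
        target = q[0] & q[1]
        fam[q] = {a: Fraction(1, 2) for a in product((0, 1), repeat=2)
                  if a[0] ^ a[1] == target}
    return fam

def leaky_family(eps):
    """Constructed example: with probability eps prover 1 echoes prover 2's query."""
    fam = {}
    for q in product((0, 1), repeat=2):
        dist = {}
        for a, pr in (((q[1], 0), eps), ((0, 0), 1 - eps)):
            dist[a] = dist.get(a, Fraction(0)) + pr
        fam[q] = dist
    return fam

if __name__ == "__main__":
    print("correlated:", no_signaling_delta(correlated_family(), 2))
    print("leaky 1/4 :", no_signaling_delta(leaky_family(Fraction(1, 4)), 2))
    print("leaky 1   :", no_signaling_delta(leaky_family(Fraction(1)), 2))
```

The correlated family has \(\delta =0\) although its answers are not independent, which is exactly the kind of strategy that the classical multi-prover model excludes and the no-signaling model admits.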

The rational no-signaling multi-prover proof consists of only one round. Given an input, the verifier generates queries, one for each prover, and sends them to the k provers. Each prover responds with an answer that might depend on all the queries, as long as the provers’ strategies are no-signaling. Finally, the verifier computes the reward based on the received answers (as well as the input and the randomness used).

Definition 3

(One-Round Rational Multi-prover Interactive Proof). Let \(C,T:\mathbb N\rightarrow \mathbb R\) be some functions. A function \(f:\left\{ 0,1\right\} ^{*}\rightarrow \left\{ 0,1\right\} ^{*}\) is in \(\mathrm {FRMIP}\left[ k,\delta ,C,T\right] \) if there exists a one-round public-coin protocol \((\overrightarrow{P},V)=(P_1,\ldots ,P_k,V)\), referred to as multi-prover rational proof, and a randomized reward function \({\mathsf {reward}}:\left\{ 0,1\right\} ^{*}\rightarrow \mathbb R_{\ge 0}\) such that for all inputs \(x\in \left\{ 0,1\right\} ^{*}\):

  (a) \(\Pr [{\mathsf {output}}((\overrightarrow{P},V)(x))=f(x)]=1\).

  (b) For every set of provers \(P^*_1,\ldots ,P^*_k\) with \(\delta \)-no-signaling distributions that misreport f(x) it holds that: \({{\mathrm{E}}}[{\mathsf {reward}}((P_1,\ldots ,P_k,V)(x))]>{{\mathrm{E}}}[{\mathsf {reward}}((P^*_1,\ldots ,P^*_k,V)(x))],\) where the expectation is taken over the random coins of the verifier and the provers.

  (c) The communication complexity from any of the provers to V is at most \(C\left( \left| x\right| \right) \).

  (d) The running time of V is \(T\left( \left| x\right| \right) \).

Reward Gap. We note that once computation incurs some cost to the prover, Definitions 1 and 3 of rational proofs do not rule out a “lazy behavior” of the prover corresponding to outputting a fixed default value. Having this in mind, Guo et al. [15] propose the notion of reward gap, which measures how large the loss is for a prover that always reports f(x) incorrectly. A noticeable gap in expectation between such a prover and the prescribed behavior then assures that it is beneficial for the prover to perform the computation to significantly increase its expectation.

Definition 4

(Reward Gap). Let \(f\in \mathrm {FRMA}\left[ r,C,T\right] \) be some function and let \((P,V)\) and \({\mathsf {reward}}(\cdot )\) be the guaranteed protocol and reward function. The reward gap of \({\mathsf {reward}}(\cdot )\) is a function \(\varDelta _{{\mathsf {reward}}}:\mathbb N\rightarrow \mathbb R\), such that for every \(n\in \mathbb N\),

$$ \varDelta _{{\mathsf {reward}}}(n)=\min _{x\in \{0,1\}^n}\min _{P^* \in S} \big ({{\mathrm{E}}}[{\mathsf {reward}}((P,V)(x))]{\;}-{{\mathrm{E}}}[{\mathsf {reward}}((P^*,V)(x))]\big ), $$

where the expectation is taken over the random coins of the verifier and the prover, and S is the set of all \(P^*\) such that \(\Pr [{\mathsf {output}}((P^*,V)(x))\ne f(x)]=1\).

We emphasize that scaling the reward does not imply a real improvement in the reward gap. In order to have a robust notion we always work with a normalized reward gap, i.e., reward gap divided by the maximal value of the reward function. An alternative approach (taken for example in Azar and Micali [3]) that prevents the use of scaling to improve the reward gap might be to assume that the verifier has a fixed budget. We use the natural extension of reward gap to rational multi-prover interactive proofs.

Rational Arguments. Rational arguments were defined by Guo et al. [15] to capture the behavior of a rational prover that is computationally bounded. The definition of rational arguments allows negligible gains over the reward guaranteed by the prescribed behavior (but not more), since the rational prover might not follow the prescribed strategy, and it would try to solve the underlying hard problems (see item (b) in Definition 5).

Another important issue needed to be addressed in the computational setting is the cost of computing f(x). As in the unbounded setting, it must rule out a prover that always gives some default (possibly incorrect) output, without performing any computation, while getting just slightly less than the expectation of the prescribed behavior. To address this shortcoming the definition of rational arguments “pins down” the profitability of deviation explicitly by appropriately adapting the notion of reward gap to the computationally bounded setting (see item (c) in Definition 5).

Definition 5

(Rational Argument). A function \(f:\{0,1\}^* \rightarrow \{0,1\}^*\) admits a rational argument with security parameter \(\kappa :\mathbb N\rightarrow \mathbb N\) if there exists a protocol \((P,V)\) and a randomized reward function \({\mathsf {reward}}:\{0,1\}^*\rightarrow \mathbb R_{\ge 0}\) such that for any input \(x\in \left\{ 0,1\right\} ^{*}\) and any prover \(P^*\) of size \(\le \mathrm {poly}(2^{\kappa \left( |x|\right) })\) the following hold:

  (a) \(\Pr [{\mathsf {output}}((P,V)(x))=f(x)]=1\).

  (b) There exists a negligible function \(\epsilon (\cdot )\) such that \({{\mathrm{E}}}[{\mathsf {reward}}((P,V)(x))]+\epsilon \left( |x|\right) \ge {{\mathrm{E}}}[{\mathsf {reward}}((P^*,V)(x))].\)

  (c) If there exists a polynomial \(p(\cdot )\) such that \(\Pr [{\mathsf {output}}((P^{*},V)(x))\ne f(x)]\ge p(|x|)^{-1}\) then there exists a polynomial \(q(\cdot )\) such that \({{\mathrm{E}}}[{\mathsf {reward}}((P^*,V)(x))]+q(|x|)^{-1}\le {{\mathrm{E}}}[{\mathsf {reward}}((P,V)(x))]\).

The expectations and the probabilities are taken over the random coins of the respective prover and verifier. We say that the rational argument is efficient if the running time of V is o(|x|) for every \(x\in \left\{ 0,1\right\} ^{*}\).

3 Rational Sumcheck Protocols

Sumcheck protocols are an important building block in many classical interactive proofs. In particular, they play a crucial role in the \(\mathrm{IP}= \mathrm{PSPACE}\) theorem [22, 28]. Informally, a sumcheck protocol allows a verifier to efficiently check that a summation of evaluations of a polynomial of low degree on a given set of points is equal to a certain value (e.g. zero). In this section we show how to construct a rational sumcheck protocol that is sound (against a rational prover) even when applied on a polynomial of high degree. An important property of rational proofs is the reward gap, that captures the minimal loss in reward of the prover that always misreports the value of the function (formal definitions of rational proofs and reward gap are provided in Sect. 2). All of our rational proofs achieve noticeable reward gap.

Before describing our rational sumchecks, we show how to solve a simpler related problem: the verifier is given a bound M and n integers \(x_1,\dots ,x_n\in \{0,\ldots ,M-1\}\), and the verifier’s goal is to learn the sum of \(x_1,\dots ,x_n\). In the even more restricted case when \(x_1,\ldots ,x_n\) are bits (i.e., \(M=2\)), one could solve this binary counting problem using an analogue of the rational proof of Azar and Micali [2]. In particular, the verifier can use a strictly proper scoring rule (e.g. the Brier’s score [7]) to reward the quality of the prover’s answer \(y=\sum _{i=1}^{n}{x_i}\) as a prediction of the binary random variable b defined by outputting a uniformly random \(x_i\). The intuition behind such a protocol is that the Boolean random variable b encodes the information about the number of ones within \(x_1,\ldots ,x_n\); specifically, the probability of \(b=1\) is exactly the number of ones divided by n. Since the reward is defined according to a strictly proper scoring rule, a rational prover will uniquely maximize its expected reward by reporting the correct \(y=\sum _{i=1}^{n}{x_i}\) (it describes the true distribution of b) as long as it is possible to efficiently sample b.

When \(M>2\), the mean of the random variable defined by outputting a uniformly random \(x_i\) still encodes the sum of \(x_1,\dots , x_n\). However, b is not necessarily Boolean and, unlike in the case when \(x_1\ldots ,x_n\) are bits, the problem can no longer be solved by the protocol of Azar and Micali [2]. In order to use the Brier’s score, it is necessary to appropriately modify the procedure of sampling b. Our more general protocol is given in Fig. 1. The verifier picks a random i from \(\{1,\ldots ,n\}\), and sets \(b=1\) with probability \(x_i/M\) and otherwise sets \(b=0\). After this normalization the probability of \(b=1\) is \(\sum _{i=1}^nx_i/(nM)\) which still encodes the sum of \(x_1,\dots , x_n\), and since b is a Boolean variable it is possible to use the same reward function to incentivize any rational prover to report correct description of b. Therefore, the protocol in Fig. 1 is a non-interactive rational proof for the simplified problem of summation of n bounded non-negative values.

Fig. 1. Rational proof for summation of n non-negative integers.

Lemma 1

(Rational Proof for Summation). For any integer \(M\ge 2\), let \(f(x_1,\ldots ,x_n)=\sum _{i=1}^{n}{x_i}\) be the function that computes the sum of any n-tuple of integers \(x_1,\ldots ,x_{n} \in \{0,\dots ,M-1\}\). Then \(f\in \mathrm {FRMA} [1,\log (nM), O(\mathrm {polylog}(nM))]\) with reward gap at least \(\frac{1}{(nM)^2}\).

Proof 1

Consider the protocol in Fig. 1. The expected reward when prover sends y is

$$ {{\mathrm{E}}}[R(y)] = -2\left( \frac{y}{nM}- \frac{\sum _{i=1}^n{x_i}}{nM}\right) ^2 + 2\left( \frac{\sum _{i=1}^n{x_i}}{nM}\right) ^2 - 2\left( \frac{\sum _{i=1}^n{x_i}}{nM}\right) + 2\ , $$

therefore the expected reward of the prover is uniquely maximized when \(y = \sum _{i=1}^nx_i\).

For any integer \(y^{*}\ne \sum _{i=1}^nx_i\),

$$ {{\mathrm{E}}}\left[ R\left( \textstyle \sum _{i=1}^n x_i\right) \right] - {{\mathrm{E}}}[R(y^*)] = 2\left( \frac{y^*}{nM}- \frac{\sum _{i=1}^n{x_i}}{nM}\right) ^2\ge \frac{2}{\left( nM\right) ^2}\ , $$

where the equality holds when \(y^*= \sum _{i=1}^{n}{x_i}\pm 1\). The reward function has maximal value 2, hence the (normalized) reward gap is \(\frac{1}{(nM)^2}\). Because \(y=\sum _{i=1}^n x_i \le nM\), y can be represented using \(\log {(nM)}\) bits, which upper bounds the total communication. The verifier only needs to access a single \(x_i\) where i is chosen uniformly at random from \(\{1,\ldots ,n\}\). After accessing \(x_i\), the computation of the reward can be done in \(O(\mathrm {polylog}(nM))\) time.   \(\square \)

Note that for any polynomially bounded M, the protocol in Fig. 1 achieves sublinear verification (the verifier only needs to access a single value) and noticeable reward gap. Moreover, based on the protocol in Fig. 1, we can construct an efficient rational proof for any problem which can be reduced to summation of several bounded values. For example, we immediately obtain a rational proof for addition of n elements over a finite field \(\mathbb Z_p\) of prime characteristic p. Given \(x_1,\dots , x_n\in \mathbb Z_p\):

  1. The prover sends to the verifier the sum \(s=\sum _{i=1}^nx_i\) over \(\mathbb Z\) (i.e., without performing the modulo operation) together with \(y=(s \mod p)\), where s serves as the proof of correctness of y.

  2. If \(y\ne (s \mod p)\) then the verifier pays reward 0, and otherwise the verifier computes the reward for s as in the rational proof for summation of \(x_1,\dots , x_n\) with \(M=p\) (as described in Fig. 1).

To deal with general summation over a finite field \(\mathbb F_{q}\) of prime power characteristic \(q=p^m\), we leverage the fact that the additive group of \(\mathbb F_{p^m}\) is isomorphic to \((\mathbb Z_p,+_{\mod p})^m\), where \(+_{\mod p}\) denotes addition over \(\mathbb Z_p\). Thus, we can work with the representation of elements in \(\mathbb F_{p^m}\) as vectors over \(\mathbb Z_{p}^{m}\), i.e., we represent any \(x\in \mathbb F_{p^m}\) as \((x^1,\ldots ,x^m)\in \mathbb Z_{p}^{m}\). This allows us to get a rational proof for the function \(\sum _{i=1}^{n}x_i\) that computes the sum of any n-tuple of elements \(x_1,\dots , x_n \in \mathbb F_{p^m}\) over \(\mathbb F_{p^m}\) simply by applying the rational protocol for summation over \(\mathbb Z_p\) on a randomly chosen coordinate of the vector representation \((y^1,\ldots ,y^m)\in \mathbb Z_{p}^{m}\) of the output \(y\in \mathbb F_{p^m}\) declared by the prover. The protocol is given in Fig. 2.

Fig. 2. Rational proof for summation of n elements over a finite field.

Corollary 1

(Rational Proof for Addition over Finite Fields). For any integer \(m\ge 1\) and any prime \(p\in \mathbb N\), let \(f(x_1,\ldots ,x_n)=\sum _{i=1}^{n}{x_i}\) be the function that computes the sum of any n-tuple of elements \(x_1,\ldots ,x_{n}\in \mathbb F_{p^m}\) over the field \(\mathbb F_{p^m}\). Then \(f\in \mathrm {FRMA}\left[ 1,\log {(np^m)}, O(m\cdot \mathrm {polylog}(np))\right] \) with reward gap at least \(\frac{1}{m(np)^2}\).

Proof 2

Consider the protocol in Fig. 2. Let y and s denote the vectors sent by the prover when he tells the truth. It is easy to check that the expected reward of the prover is maximized at \((y,s)\). When the prover answers \(\tilde{y}\ne y\) and \(\tilde{s}\), if \(\tilde{y}\ne (\tilde{s}\mod p^m)\) then the prover gets reward 0, otherwise s and \(\tilde{s}\) must differ in at least one entry and the expected reward of the prover is

$$\begin{aligned} \begin{aligned} {{\mathrm{E}}}_{j}[R(\tilde{s}^j)]&= {{\mathrm{E}}}_{j}\left[ -2\left( \frac{\tilde{s}^j}{np}- \frac{s^{j}}{np}\right) ^2+ 2\left( \frac{s^j}{np}\right) ^2 - 2\left( \frac{s^j}{np}\right) + 2\right] \\&\le {{\mathrm{E}}}_{j}\left[ 2\left( \frac{s^j}{np}\right) ^2 - 2\left( \frac{s^j}{np}\right) + 2\right] - \frac{2}{m(np)^2}\ . \end{aligned} \end{aligned}$$

Note that the reward function has maximal value 2, therefore the reward gap is at least \(\frac{1}{m(np)^2}\).   \(\square \)
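The following Python code is an added example, not code from the paper: it runs the summation proof of Lemma 1 and its coordinate-wise use for \(\mathbb F_{p^m}\) (Corollary 1; \(m=1\) is the \(\mathbb Z_p\) case) with exact rational arithmetic. Since Figs. 1 and 2 are not reproduced on this page, it assumes the reward is Brier's score in the form whose expectation equals the expression in Proof 1, and that a claim outside \([0,nM]\) earns 0; all function names are hypothetical.

```python
"""Added example: rational proof for bounded summation and for sums over F_{p^m}.
Assumptions (the paper's figures are missing here): the reward is Brier's score
written as 2*Pr_q[b] - (q^2 + (1-q)^2) + 1, and a claim outside [0, n*M] earns 0.
All function names are hypothetical."""
import random
from fractions import Fraction


def brier_reward(q, b):
    """Score the prediction Pr[b=1] = q against the observed bit b; range [0, 2]."""
    hit = q if b == 1 else 1 - q
    return 2 * hit - (q * q + (1 - q) * (1 - q)) + 1


def sample_reward(read, n, M, y, rng):
    """Verifier for the summation proof: reads a single x_i through read(i)."""
    if not 0 <= y <= n * M:
        return Fraction(0)
    x = read(rng.randrange(n))
    b = 1 if rng.randrange(M) < x else 0  # b = 1 with probability x_i / M
    return brier_reward(Fraction(y, n * M), b)


def expected_reward(xs, M, y):
    """Exact expectation of sample_reward over the choice of i and the coin."""
    n = len(xs)
    if not 0 <= y <= n * M:
        return Fraction(0)
    pr_one = Fraction(sum(xs), n * M)  # Pr[b=1] = sum(x_i) / (nM)
    q = Fraction(y, n * M)
    return pr_one * brier_reward(q, 1) + (1 - pr_one) * brier_reward(q, 0)


def closed_form(xs, M, y):
    """E[R(y)] exactly as written in Proof 1."""
    nM, t = len(xs) * M, sum(xs)
    return (-2 * Fraction(y - t, nM) ** 2 + 2 * Fraction(t, nM) ** 2
            - 2 * Fraction(t, nM) + 2)


def min_loss(xs, M):
    """Smallest expected loss over every wrong integer claim in [0, nM].
    Dividing by the maximal reward 2 gives the normalized gap of Lemma 1."""
    t = sum(xs)
    best = expected_reward(xs, M, t)
    return min(best - expected_reward(xs, M, y)
               for y in range(len(xs) * M + 1) if y != t)


def consistent(p, s, y):
    """Check y = s mod p in every coordinate of the vector representation."""
    return len(s) == len(y) and all(yj == sj % p for sj, yj in zip(s, y))


def field_sample_reward(xs, p, s, y, rng):
    """Verifier for F_{p^m}: xs[i] is the m-tuple over Z_p representing x_i,
    s the claimed coordinate-wise sums over Z, y the claimed field sum."""
    if not consistent(p, s, y):
        return Fraction(0)
    j = rng.randrange(len(y))  # one random coordinate, then the Z_p protocol
    return sample_reward(lambda i: xs[i][j], len(xs), p, s[j], rng)


def field_expected_reward(xs, p, s, y):
    """Exact expectation of field_sample_reward (average over coordinates)."""
    if not consistent(p, s, y):
        return Fraction(0)
    m = len(y)
    return sum(expected_reward([x[j] for x in xs], p, s[j]) for j in range(m)) / m


if __name__ == "__main__":
    xs, M = [3, 0, 4, 1, 2], 5  # constructed sample input
    print("honest:", expected_reward(xs, M, sum(xs)), "min loss:", min_loss(xs, M))
    vecs, p = [(1, 2), (2, 2), (0, 1), (2, 0)], 3  # constructed elements of F_9
    print("honest:", field_expected_reward(vecs, p, (5, 5), (2, 2)))
    print("cheat :", field_expected_reward(vecs, p, (6, 5), (0, 2)))
    print("sample:", field_sample_reward(vecs, p, (5, 5), (2, 2), random.Random(1)))
```

The cheating claim in the demo changes one coordinate sum by exactly 1, which is the case where the bound in Proof 2 is tight.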

Note that a sumcheck protocol is used to verify a sum of evaluations of a polynomial on a given set of points. Corollary 1 immediately gives rise to a non-interactive rational sumcheck protocol, where the verifier needs to evaluate the polynomial on a single point from the subset.

Corollary 2

(Rational Sumcheck Protocol). For any finite field \(\mathbb F\) and integer \(m\ge 1\), let \(S\subseteq \mathbb F^m\) be a non-empty subset of \(\mathbb F^m\). Let \(\sum _{z\in S} f(z)\) be the function that sums evaluations of a given polynomial \(f:\mathbb F^m\rightarrow \mathbb F\) (of arbitrary degree) on S. Then \(f\in \mathrm {FRMA}[1,\log (|S||\mathbb F|),O(t+ \mathrm {polylog}(|S||\mathbb F|))]\), where t is the time it takes to evaluate f on any \(z\in \mathbb F^m\). The rational proof has reward gap at least \(1/(\log (|\mathbb F|)\cdot (|S||\mathbb F|)^2)\).

Proof 3

Using the protocol in Fig. 2 with field \(\mathbb F\) and setting \(n=|S|\), we obtain a rational proof for \(\sum _{z\in S}{f(z)}\) with reward gap \(\frac{1}{\log {(|\mathbb F|)}\cdot (|S||\mathbb F|)^2}\), verification time \(O(t+\mathrm {polylog}(|S||\mathbb F|))\), and communication \(\log (|S||\mathbb F|)\) bits.    \(\square \)

4 Composition of Classical and Rational Interactive Proofs

In this section we investigate the possibility of composing classical interactive proofs with rational interactive proofs. In particular, we show a composition theorem for replacing oracle calls in a certain type of classical interactive proofs by a rational proof implementing the oracle. The composition is presented for both interactive proofs and \(\delta \)-no-signaling multi-prover interactive proofs (for formal definition see Definition 3 in Sect. 2) resulting in their respective rational counterparts. The obtained rational proof has minimal loss in the reward gap that is proportional to the soundness of the classical interactive proof.

4.1 Substituting Oracle by Rational Proof in Interactive Proof

Let \(f:\{0,1\}^*\rightarrow \{0,1\}^*\) be a function implicitly defining language \(L_f=\{(x,y)|y=f(x)\}\). Let \(\pi ^g=(P_\pi ,V_{\pi }^g)\) be an interactive proof for \(L_f\) where the verifier has oracle access to function \(g:\{0,1\}^*\rightarrow \{0,1\}^*\). Let \(\varphi =(P_\varphi ,V_\varphi )\) be a rational interactive proof for g with reward function \({\mathsf {reward}}_\varphi \). We denote by \(\pi ^{\varphi }=(P,V)\) with a reward function R the protocol between the prover P and verifier V given in Fig. 3. We define the reward in the resulting protocol as the average of the rewards obtained for each rational proof implementing an oracle query, though we note that this is not crucial for our results. The new reward function can be defined in other natural ways depending on the application.

We concentrate on a class of query independent interactive proofs in which the queries to the oracle can depend only on the input and the randomness of the verifier. Additionally, once a query is submitted to the oracle the prover also receives the query.

Fig. 3. Rational proof \(\pi ^{\varphi }=(P,V)\) resulting from interactive proof \(\pi ^g=(P_\pi ,V_{\pi }^g)\) with oracle calls to g substituted by a rational proof \(\varphi =(P_\varphi ,V_\varphi )\).

Definition 6

(Query Independent Interactive Proofs). Let \(f:\{0,1\}^*\rightarrow \{0,1\}^*\) be a function and let \(\pi ^g=(P_\pi ,V_{\pi }^g)\) be an interactive proof for \(L_f=\{(x,y)|y=f(x)\}\) with \(V_{\pi }^g\) having oracle access to some function \(g:\{0,1\}^*\rightarrow \{0,1\}^*\). We say that \(\pi ^g\) is a query independent interactive proof if for any input x the following holds:

  1. Only one query is issued by \(V_{\pi }^g\) to g and it depends only on the input x and on the randomness of \(V_{\pi }^g\).

  2. The query issued by \(V_{\pi }^g\) is sent to \(P_{\pi }\) in the next round.

Theorem 1

(Oracle Substitution in IP). Let \(f:\{0,1\}^*\rightarrow \{0,1\}^*\) be a function and let \(\pi ^g=(P_\pi ,V_{\pi }^g)\) be a query independent interactive proof for \(L_f=\{(x,y)|y=f(x)\}\) with \(V_{\pi }^g\) having oracle access to some function \(g:\{0,1\}^*\rightarrow \{0,1\}^*\). If \(\pi ^g\) has perfect completeness and soundness s then for any rational interactive proof \(\varphi =(P_\varphi ,V_\varphi )\) for g with reward gap \(\varDelta \), the composed protocol \(\pi ^\varphi =(P,V)\) is a rational proof for f with reward gap \(\varDelta (1-s)\).

Proof 4

The reward in the rational protocol \(\pi ^\varphi \) (defined in Fig. 3) is equal to the reward in the rational proof \(\varphi \) for evaluating the oracle query if the verifier accepts and zero otherwise. In order to show that \(\pi ^\varphi \) is a rational proof with the claimed reward gap, we show that for every x the expectation of any prover \(P^{*}\) that reports \(y'\ne f(x)\) (i.e., \((x,y')\) is not in \(L_f\)) can be bounded. To simplify the notation, we define three events that might happen during the execution of the protocol \(\pi ^\varphi \):

  • \(E_0\) corresponds to the event when \(V_{\pi }^{g}\) (simulated by V) accepts and \(P^*\) supplies a correct answer to the oracle query q (i.e., \((P^{*},V_{\pi }^{g})(x)=1 \wedge {\mathsf {output}}(P^{*},V_\varphi )(q)= g(q)\)).

  • \(E_1\) corresponds to the event when \(V_{\pi }^{g}\) (simulated by V) accepts and \(P^*\) supplies an incorrect answer to the oracle query q (i.e., \((P^{*},V_{\pi }^{g})(x)=1 \wedge {\mathsf {output}}(P^{*},V_\varphi )(q)\ne g(q)\)).

  • \(E_2\) corresponds to the event when \(V_{\pi }^{g}\) (simulated by V) rejects.

We can express the expectation of \(P^{*}\) as

$$\begin{aligned}&{{\mathrm{E}}}[{\mathsf {reward}}(P^{*},V)(x)] = \Pr [E_0]\cdot {{\mathrm{E}}}[{\mathsf {reward}}(P^{*},V)(x)|E_0]\\&\qquad \qquad \qquad +\,\Pr [E_1]\cdot {{\mathrm{E}}}[{\mathsf {reward}}(P^{*},V)(x)|E_1] +\,\Pr [E_2]\cdot {{\mathrm{E}}}[{\mathsf {reward}}(P^{*},V)(x)|E_2]. \end{aligned}$$

Since the expected reward is zero in case of event \(E_2\) (the verifier \(V_{\pi }^{g}\) rejects), the above is equal to

$$ \Pr [E_0]\cdot {{\mathrm{E}}}[{\mathsf {reward}}(P^{*},V)(x)|E_0] + \Pr [E_1]\cdot {{\mathrm{E}}}[{\mathsf {reward}}(P^{*},V)(x)|E_1]. $$

We can bound \(\Pr [E_1]\) by \(1-\Pr [E_0]\), so

$$\begin{aligned} \begin{aligned} {{\mathrm{E}}}[{\mathsf {reward}}(P^{*},V)(x)] \le \Pr [E_0]\cdot&{{\mathrm{E}}}[{\mathsf {reward}}(P^{*},V)(x)|E_0] \\&+\,(1-\Pr [E_0])\cdot {{\mathrm{E}}}[{\mathsf {reward}}(P^{*},V)(x)|E_1]. \end{aligned} \end{aligned}$$

We use the following two claims to conclude the proof.

Claim 1

\(\Pr [E_0]\le s\).

Proof 5

(of Claim 1 ). The interactive protocol with oracle access \((P_\pi ,V_{\pi }^{g})\) is query independent in the sense of Definition 6, hence the prover in the composed protocol \(\pi ^\varphi \) does not gain any additional information from the verifier’s query to the oracle for g. It follows that in the case when the prover \(P^*\) supplies a correct answer to the oracle query the verifier accepts at most with the same probability as in the interactive proof with an oracle access, and the claim follows from the soundness of the interactive proof \((P_\pi ,V_{\pi }^g)\).    \(\square \)

Claim 2

\({{\mathrm{E}}}[{\mathsf {reward}}(P^{*},V)(x)|E_1]\le {{\mathrm{E}}}_q[{\mathsf {reward}}(P_\varphi ,V_\varphi )(q)]-\varDelta \).

Proof 6

(of Claim 2 ). Assume that the claim does not hold, then the prover \(P^{*}\) achieves for some q a higher reward than \({{\mathrm{E}}}[{\mathsf {reward}}(P_\varphi ,V_\varphi )(q)]-\varDelta \). \(P^*\) can be used in the rational proof \((P_\varphi ,V_\varphi )\) for evaluating the oracle in order to achieve a higher reward than what is guaranteed by the reward gap of \((P_\varphi ,V_\varphi )\), since the oracle query is completely independent of the transcript.    \(\square \)

We use Claim 2 to bound the expectation as:

$$\begin{aligned} \begin{aligned} {{\mathrm{E}}}[{\mathsf {reward}}(P^{*},V)(x)] \le \Pr [E_0]\cdot&{{\mathrm{E}}}[{\mathsf {reward}}(P^{*},V)(x)|E_0] \\&+\,(1-\Pr [E_0])\cdot ({{\mathrm{E}}}_q[{\mathsf {reward}}(P_\varphi ,V_\varphi )(q)]-\varDelta )\ . \end{aligned} \end{aligned}$$

Notice that the expectation when event \(E_0\) materializes is equal to \({{\mathrm{E}}}_q[{\mathsf {reward}}(P_\varphi ,V_\varphi )(q)]\), and hence we can rewrite the right side of the above inequality:

$$\begin{aligned} \begin{aligned} {{\mathrm{E}}}[{\mathsf {reward}}(P^{*},V)(x)] \le \Pr [E_0]\cdot&{{\mathrm{E}}}_q[{\mathsf {reward}}(P_\varphi ,V_\varphi )(q)] \\&+\,(1-\Pr [E_0])\cdot ({{\mathrm{E}}}_q[{\mathsf {reward}}(P_\varphi ,V_\varphi )(q)]-\varDelta ). \end{aligned} \end{aligned}$$

The distribution of oracle queries q is independent of the communication between the prover and the verifier and we can merge the expressions on the right side of the inequality.

$$ {{\mathrm{E}}}[{\mathsf {reward}}(P^{*},V)(x)] \le {{\mathrm{E}}}_q[{\mathsf {reward}}(P_\varphi ,V_\varphi )(q)] - (1-\Pr [E_0])\cdot \varDelta , $$

Finally, by Claim 1:

$$ {{\mathrm{E}}}[{\mathsf {reward}}(P^{*},V)(x)] \le {{\mathrm{E}}}_q[{\mathsf {reward}}(P_\varphi ,V_\varphi )(q)] - (1-s)\cdot \varDelta \ . $$

By observing that for all x it holds that \({{\mathrm{E}}}_q[{\mathsf {reward}}(P_\varphi ,V_\varphi )(q)]\!=\!{{\mathrm{E}}}[{\mathsf {reward}}(P,V)(x)]\) (since the distribution of queries produced by V is independent of x), we get the sought after bound on the reward gap of the resulting rational proof.    \(\square \)

4.2 Substituting Oracle by Rational Multi-prover Proof in Multi-prover Proof

The composition theorem holds for oracle substitution also in the setting of \(\delta \)-no-signaling multi-prover proofs. Given a k-prover interactive proof \(\pi ^g=(\overrightarrow{P_\pi },V_{\pi }^g)\) for function f with an oracle access to a function g and a “rational” \(k'\)-prover implementation \(\varphi =(\overrightarrow{P_\varphi },V_\varphi )\) of the function g, a new rational protocol \(\pi ^{\varphi }=(\overrightarrow{P},V)\) with \((k+k')\) provers can be obtained by executing the rational protocol \(\varphi \) instead of the oracle call with a new set of \(k'\) provers, as defined in Fig. 4. We define the reward in the resulting protocol analogously to the single prover setting and take the average of the rewards.

Similarly to the previous setting we require the oracle queries to depend only on the input and the randomness of the verifier and the queries to the provers to be independent of the answers of the oracle. Definition 6 of query independent interactive proofs naturally extends to multi-prover interactive proofs and we refer to multi-prover interactive proofs with this analogous property as query independent. Note that item 1 in Definition 6 is no longer required since we only deal with no-signaling strategies. In order to enable submission of all queries at once in the composed protocol, we must require independence of the queries to the provers from the oracle answers.

Fig. 4. Rational multi-prover proof \(\pi ^{\varphi }=(\overrightarrow{P},V)\) resulting from multi-prover proof \(\pi ^g=(\overrightarrow{P_\pi },V_{\pi }^g)\) with oracle calls to g substituted by a (multi-prover) rational proof \(\varphi =(\overrightarrow{P_\varphi },V_\varphi )\) for evaluating g.

Definition 7

(Query Independent Multi-prover Proofs). Let f: \(\{0,1\}^*\rightarrow \{0,1\}^*\) be a function and let \(\pi ^g=(\overrightarrow{P_\pi },V_{\pi }^g)\) be a multi-prover proof for \(L_f=\{(x,y)|y=f(x)\}\) with \(V_{\pi }^g\) having oracle access to some function \(g:\{0,1\}^*\rightarrow \{0,1\}^*\). We say that \(\pi ^g\) is a query independent multi-prover proof if for any input x the following holds:

  1. Only a single query q is issued by \(V_{\pi }^g\) to g and it depends only on the input x and on the randomness of \(V_{\pi }^g\).

  2. The queries of \(V_{\pi }^g\) to \(\overrightarrow{P_{\pi }}\) are independent of the oracle answer to the query q.

We show that the composition theorem holds also for oracle substitution in the setting of query independent multi-prover proofs. Note that our composition theorem shows that when dealing with \(\delta \)-no-signaling strategies, a loss in the reward gap proportional to \(\delta \) is incurred in the resulting composed protocol.

Theorem 2

(Oracle Substitution in MIP). Let \(f:\{0,1\}^*\rightarrow \{0,1\}^*\) be a function and let \(\pi ^g=(\overrightarrow{P_\pi },V_{\pi }^g)\) be a query independent k-prover \(\mathrm{MIP}\) for \(L_f=\{(x,y)|y=f(x)\}\) with \(V_{\pi }^g\) having oracle access to some function \(g:\{0,1\}^*\rightarrow \{0,1\}^*\). If \(\pi ^g\) has perfect completeness and soundness s against \(\delta \)-statistically no-signaling strategies then for any rational \(k'\)-prover \(\mathrm{RMIP}\) \(\varphi =(\overrightarrow{P_\varphi },V_\varphi )\) for evaluating g with reward gap \(\varDelta \) in presence of \(\delta '\)-statistically no-signaling strategies, the composed protocol \(\pi ^\varphi =(\overrightarrow{P},V)\) is a \((k+k')\)-prover \(\mathrm{RMIP}\) for evaluating f with reward gap \(\varDelta (1-s-\delta '')\) against \(\delta ''\)-no-signaling strategies, where \(\delta ''=\min \{\delta ,\delta '\}\).

Proof 7

The reward in the rational protocol \(\pi ^\varphi \) (defined in Fig. 4) is equal to the reward in the rational proof \(\varphi \) for evaluating the oracle query if the verifier accepts and zero otherwise. In order to show that \(\pi ^\varphi \) is a multi-prover rational proof for evaluating f with the claimed reward gap, we show that for every x the expectation of any set of provers \(\overrightarrow{P^{*}}\) that report \(y'\ne f(x)\) (i.e., \((x,y')\) is not in \(L_f\)) can be bounded. To simplify the notation, we define three events that might happen during the course of the protocol \(\pi ^\varphi \):

  • \(E_0\) corresponds to the event when \(V_{\pi }^{g}\) (simulated by V) accepts and \(\overrightarrow{P^*}\) supply a correct answer to the oracle query \(q^*\) (i.e., \((\overrightarrow{P^*},V_{\pi }^{g})(x)=1 \wedge {\mathsf {output}}(\overrightarrow{P^*},V_\varphi )(q^*)= g(q^*)\)).

  • \(E_1\) corresponds to the event when \(V_{\pi }^{g}\) (simulated by V) accepts and \(\overrightarrow{P^*}\) supply an incorrect answer to the oracle query \(q^*\) (i.e., \((\overrightarrow{P^*},V_{\pi }^{g})(x)=1 \wedge {\mathsf {output}}(\overrightarrow{P^*},V_\varphi )(q^*)\ne g(q^*)\)).

  • \(E_2\) corresponds to the event when \(V_{\pi }^{g}\) (simulated by V) rejects.

We can express the expectation of \(\overrightarrow{P^*}\),

$$\begin{aligned}&{{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P^*},V)(x)]=\Pr [E_0]\cdot {{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P^*},V)(x)|E_0]\\&\qquad \qquad \qquad + \Pr [E_1]\cdot {{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P^*},V)(x)|E_1] + \Pr [E_2]\cdot {{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P^*},V)(x)|E_2]. \end{aligned}$$

Since the expected reward in case of event \(E_2\) is zero, the above is equal to

$$ \Pr [E_0]\cdot {{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P^*},V)(x)|E_0] + \Pr [E_1]\cdot {{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P^*},V)(x)|E_1]. $$

We can bound \(\Pr [E_1]\) by \(1-\Pr [E_0]\), so

$$\begin{aligned} \begin{aligned} {{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P^*},V)(x)] \le \Pr [E_0]\cdot&{{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P^*},V)(x)|E_0] \\&+\,(1-\Pr [E_0])\cdot {{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P^*},V)(x)|E_1]. \end{aligned} \end{aligned}$$

We use the two following claims to complete the proof.

Claim 3

\(\Pr [E_0]\le s+\delta ''\).

Proof 8

(of Claim 3 ). For any \(q^*\), an oracle query of \(V_{\pi }^{g}\), define \(\omega (q^{*})\) to be the queries to \(\overrightarrow{P_{\varphi }}\) generated by \(V_{\varphi }\) on input \(q^{*}\). Let \(\mathsf {A}=\{\mathsf {A}_{\mathbf {q},\omega (q^{*})}\}\) denote the \(\delta ''\)-no-signaling family of distributions, where \(\mathsf {A}_{\mathbf {q},\omega (q^{*})}\) is the distribution of answers of \(\overrightarrow{P^*}\) given queries \((\mathbf {q}, \omega (q^{*}))\). We fix an arbitrary set of queries \(\mathbf {w}\) of \(V_{\varphi }\) to \(\overrightarrow{P_{\varphi }}\) and consider the family of distributions \(\mathsf {B}=\{\mathsf {B}_{\mathbf {q}}\}\), where \(\mathsf {B}_{\mathbf {q}}\) is defined by sampling uniformly and randomly \((\mathbf {a}, \mathbf {z})\leftarrow \mathsf {A}_{\mathbf {q}, \mathbf {w}}\) and outputting \(\mathbf {a}\).

First, we show that \(\mathsf {B}\) is \(\delta \)-no-signaling. Let S be an arbitrary subset of [k] and \(\mathbf {q},\mathbf {q'}\) be two arbitrary queries such that \(\mathbf {q}_{S}=\mathbf {q'}_{S}\). Since the projections of \(\mathsf {A}_{\mathbf {q},\mathbf {w}}\) and \(\mathsf {A}_{\mathbf {q'},\mathbf {w}}\) on the coordinates in S are \(\delta ''\)-close (by the fact that \(\mathsf {A}\) is \(\delta ''\)-no-signaling), the statistical distance between \(\mathsf {B}_{\mathbf {q}}\) and \(\mathsf {B}_{\mathbf {q'}}\) when projected on S is

$$\begin{aligned} \begin{aligned} \frac{1}{2}\sum _{\beta }{\left| \Pr _{\mathbf {a}\leftarrow \mathsf {B}_{\mathbf {q}}}\left[ \mathbf {a}_{S}=\beta \right] - \Pr _{\mathbf {a}'\leftarrow \mathsf {B}_{\mathbf {q'}}}[\mathbf {a}'_{S}=\beta ]\right| }&= \frac{1}{2}\sum _{\beta }{\left| \Pr _{\mathbf {a}\leftarrow \mathsf {A}_{\mathbf {q},\mathbf {w}}} [\mathbf {a}_{S}=\beta ] - \Pr _{\mathbf {a}'\leftarrow \mathsf {A}_{\mathbf {q'},\mathbf {w}}}[\mathbf {a}'_{S}=\beta ]\right| } \\&\le \delta '' \\&\le \delta \ , \end{aligned} \end{aligned}$$

where the last inequality follows from \(\delta ''\) being defined as \(\min \{\delta ,\delta '\}\). Hence, \(\mathsf {B}\) is \(\delta \)-no-signaling.

Let \(\overrightarrow{P^*_{\pi }}\) be the set of provers in \(\pi ^g\) that follow the \(\delta \)-no-signaling strategies \(\mathsf {B}\). By the soundness of \(\pi ^g\) in the presence of \(\delta \)-no-signaling strategies, \(\Pr [(\overrightarrow{P^*_{\pi }}, V^g_{\pi })(x)=1]\le s\). Assume that the claim does not hold, then

$$\begin{aligned} \delta ''&< \Pr [E_0] - \Pr [(\overrightarrow{P^*_{\pi }}, V^g_{\pi })(x)=1]\\&= \Pr _{(\mathbf {a},\mathbf {z})\leftarrow \mathsf {A}_{\mathbf {q},\omega (q^{*})}}[V_{\pi }^{g}(x, \mathbf {a},\mathbf {z}_1)=1 \wedge \mathbf {z}_1=g(q^{*}) ] - \Pr _{(\mathbf {a},\mathbf {z})\leftarrow \mathsf {A}_{\mathbf {q},\mathbf {w}}}[V_{\pi }^{g}(x, \mathbf {a}, g(q^{*}))\!=\!1] \end{aligned}$$

A contradiction to \(\mathsf {A}\) being \(\delta ''\)-no-signaling.    \(\square \)

Claim 4

For all x it holds that \({{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P^*},V)(x)|E_1]\le {{\mathrm{E}}}_{q^*}[{\mathsf {reward}}(\overrightarrow{P_\varphi },V_\varphi )(q^*)]-\varDelta \).

Proof 9

(of Claim 4 ). Assume that the claim does not hold. By an averaging argument over the randomness of the verifier V for generating queries to the provers \(\overrightarrow{P}\), there exists an x and a fixed choice of randomness for generating the queries such that

$$ {{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P^*},V)(x)|E_1, (\mathbf {q}, \omega (q^{*}))] > {{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P_\varphi },V_\varphi )(q^{*})]-\varDelta \ , $$

where \(\mathbf {q}\) and \(q^{*}\) are fixed. Let \(\mathsf {A}_{\mathbf {q},\omega (q^{*})}\) denote the \(\delta ''\)-no-signaling distribution of answers of \(\overrightarrow{P^*}\) to the queries \((\mathbf {q}, \omega (q^{*}))\). Consider the family of distributions \(\mathsf {B}=\{\mathsf {B}_{\omega (q^*)}\}\), where \(\mathsf {B}_{\omega (q^*)}\) is defined by sampling uniformly and randomly \((\mathbf {a}, \mathbf {z})\leftarrow \mathsf {A}_{\mathbf {q},\omega (q^{*})}\) and outputting \(\mathbf {z}\).

First, we show that \(\mathsf {B}\) is \(\delta '\)-no-signaling. Let S be an arbitrary subset of \([k']\) and \(\mathbf {w},\mathbf {w}'\) be two sets of queries such that \(\mathbf {w}_{S}=\mathbf {w}'_{S}\). Since the projections of \(\mathsf {A}_{\mathbf {q},\mathbf {w}}\) and \(\mathsf {A}_{\mathbf {q},\mathbf {w}'}\) on the coordinates \(S'=\{k+i:i\in S\}\) are \(\delta ''\)-close, the statistical distance between \(\mathsf {B}_{\mathbf {w}}\) and \(\mathsf {B}_{\mathbf {w}'}\) is

$$\begin{aligned} \begin{aligned} \frac{1}{2}\sum _{\beta }\left| \Pr _{\mathbf {z}\leftarrow \mathsf {B}_{\mathbf {w}}}[\mathbf {z}_{S}=\beta ] - \Pr _{\mathbf {z}'\leftarrow \mathsf {B}_{\mathbf {w}'}}[\mathbf {z}'_{S}=\beta ]\right|&= \frac{1}{2}\sum _{\beta }\left| \Pr _{\mathbf {z}\leftarrow \mathsf {A}_{\mathbf {q},\mathbf {w}}}[\mathbf {z}_{S}=\beta ] - \Pr _{\mathbf {z}'\leftarrow \mathsf {A}_{\mathbf {q},\mathbf {w}'}}[\mathbf {z}'_{S}=\beta ]\right| \\&\le \delta '' \\&\le \delta '\ , \end{aligned} \end{aligned}$$

where the last inequality follows from \(\delta ''\) being defined as \(\min \{\delta ,\delta '\}\), and hence \(\mathsf {B}\) is \(\delta '\)-no-signaling.

Let \(\overrightarrow{P^*_{\varphi }}\) behave according to \(\mathsf {B}\), then on input \(q^{*}\),

$$\begin{aligned} \begin{aligned} {{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P^*_{\varphi }}, V_{\varphi })(q^{*})]&={{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P^*},V)(x)|E_1, (\mathbf {q}, \omega (q^{*}))]\\&> {{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P_{\varphi }},V_\varphi )(q^{*})]-\varDelta \ . \end{aligned} \end{aligned}$$

Therefore, \(\overrightarrow{P^*_{\varphi }}\) is a set of \(\delta '\)-no-signaling provers that break the reward gap guarantee of \(\varphi \), a contradiction.    \(\square \)

We use Claim 4 to bound the expectation as:

$$\begin{aligned} \begin{aligned} {{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P^*},V)(x)]\le \Pr [E_0]\cdot&{{\mathrm{E}}}[{\mathsf {reward}}(\overrightarrow{P^*},V)(x)|E_0] \\&+\,(1-\Pr [E_0])\cdot ({{\mathrm{E}}}_{q^*}[{\mathsf {reward}}(\overrightarrow{P_\varphi },V_\varphi )(q^*)]-\varDelta )\ . \end{aligned} \end{aligned}$$

Notice that due to the query independence of the protocol \(\pi ^g\) the expectation when event \(E_0\) materializes is equal to \({{\mathrm{E}}}_{q^*}[{\mathsf {reward}}(\overrightarrow{P_\varphi },V_\varphi )(q^*)]\). Hence, we can rewrite the right side of the above inequality as

$$\begin{aligned}&\Pr [E_0]\cdot {{\mathrm{E}}}_{q^*}[{\mathsf {reward}}(\overrightarrow{P_\varphi },V_\varphi )(q^*)] +\,(1-\Pr [E_0])\cdot ({{\mathrm{E}}}_{q^*}[{\mathsf {reward}}(\overrightarrow{P_\varphi },V_\varphi )(q^*)]-\varDelta )\\ {}&= {{\mathrm{E}}}_{q^*}[{\mathsf {reward}}(\overrightarrow{P_\varphi },V_\varphi )(q^*)] - (1-\Pr [E_0])\cdot \varDelta \ . \end{aligned}$$

Finally, by Claim 3:

$$ {{\mathrm{E}}}_{q^*}[{\mathsf {reward}}(\overrightarrow{P^*},V)(q^*)] \le {{\mathrm{E}}}_{q^*}[{\mathsf {reward}}(\overrightarrow{P_\varphi },V_\varphi )(q^*)] - (1-s-\delta '')\cdot \varDelta \ . $$

Therefore, we get the sought after bound on the reward gap of the multi-prover rational proof \(\pi ^\varphi \) resulting from the composition of \(\pi ^g\) and \(\varphi \).    \(\square \)

5 Rational Delegation for NC

The work of Guo et al. [15] showed how to efficiently delegate computation performed by low-depth circuits in the rational setting, and in particular constructed a rational proof with noticeable reward gap for any language in \(\mathrm{NC}^1\). However, the reward gap in their construction is proportional to the depth of the evaluated circuit (the reward is scaled proportionally to the depth) and this prevents the use of their rational proof with meaningful (noticeable) reward gap beyond the class \(\mathrm{NC}^1\). In this section we give a rational proof with sublinear verification time for any function computable by log-space uniform \(\mathrm{NC}\) by composing the rational sumcheck protocol from Sect. 3 with the classical protocol of Goldwasser et al. [14].

5.1 The Protocol of Goldwasser, Kalai and Rothblum [15]

In their work Goldwasser et al. [14] gave a protocol that allows delegating the computation of any function computable by log-space uniform circuits via an interactive proof with a polynomial prover and a quasi-linear verifier. In particular, they showed the following theorem:

Theorem 3

(Theorem 1.1.1. in [26]). Let L be a language computable by a family of \(O\left( \log \left( S(n)\right) \right) \)-space uniform boolean circuits of size S(n) and depth d(n). L has an interactive proof where:

  1. The prover runs in time \(\mathrm {poly}(S(n))\). The verifier runs in time \(n\cdot \mathrm {poly}(d(n),\log (S(n)))\) and space \(O(\log (S(n)))\). Moreover, if the verifier is given oracle access to the low degree extension of its input, then its running time is only \(\mathrm {poly}(d(n), \log (S(n)))\).

  2. The protocol has perfect completeness and soundness 1/2.

  3. The protocol is public-coin, with communication complexity \(d(n)\cdot \mathrm {polylog}(S(n))\).

  4. Each message of the prover depends only on \(O(\log (n))\) random bits sent by the verifier.

Their interactive proof builds on arithmetization techniques and employs efficient sumcheck protocols in order to establish correctness of the output. The sumcheck is run on multivariate polynomials of low degree that encode the values of intermediate layers of computation to allow the verifier to efficiently check consistency of the prover’s answers.

Let \(w=(w_1,\ldots , w_k)\) be k bits. The vector w defines a function \(W:\{1,\ldots ,k\}\rightarrow \{0,1\}\) such that \(W(i)=w_i\) for all \(i\in \{1,\ldots ,n\}\). Let \(\mathbb {H}\) be an extension field of \(\mathbb {GF}[2]\), m be an integer such that \(k\le |\mathbb {H}|^m\), and let \(\mathbb F\) be an extension field of \(\mathbb {H}\). The low degree extension of w is the unique m-variate polynomial \(\tilde{W}:\mathbb F^m\rightarrow \mathbb F\) of degree at most \(|\mathbb {H}|-1\) in each variable that agrees with W on \(\mathbb {H}^m\). It is a useful fact that the low degree extension can be expressed as a sum over \(\mathbb {H}^m\), where each term is efficiently computable (for the details see Appendix A).

Here we provide a high-level overview of the protocol (for the full exposition see e.g. [26]):

  1. The prover P evaluates the circuit C on input x received from the verifier V, and computes a low degree extension \(\widetilde{W_i}\) for every layer i of the circuit C.

  2. For \(1\le i\le d\), in each phase i the prover initiates an interactive sumcheck protocol to convince the verifier that \(\widetilde{W_{i-1}}(z_{i-1})=r_{i-1}\). In the first phase \(z_0=(0,\ldots ,0)\) and \(r_0=(C(x),0,\ldots ,0)\). To complete the i-th sumcheck protocol the verifier would need to evaluate \(\widetilde{W_{i}}\) on two random points \(\omega _1,\omega _2\), but to avoid the related computational burden this task is reduced to another sumcheck performed in phase \(i+1\). In particular, the prover and the verifier run an interactive procedure using \(\omega _1,\omega _2\), the verifier picks a random \(z_i\) and the prover reports a corresponding value \(r_i=\widetilde{W_{i}}(z_{i})\). The protocol proceeds to phase \(i+1\).

  3. In phase \(d+1\) the verifier evaluates the low degree extension \(\widetilde{W_d}\) (of the input x) on the random point \(z_d\) and checks that it is equal to \(r_d\) reported by the prover. This is the final phase and the only point at which the verifier evaluates a low degree extension.

The running time of the verifier in the first d phases is \(\mathrm {poly}(d(n),\log (S(n)))\), and it is the evaluation of the low degree extension of the input in the last step that induces the overall quasi-linear overhead of \(n\cdot \mathrm {poly}(d(n),\log (S(n)))\) for the verifier. Hence, given oracle access to the low degree extension of the input the verification can be performed in sublinear time. Moreover, the protocol of Goldwasser et al. [14] is query independent in the sense of Definition 6, i.e., after receiving the answer to its query the verifier can send the query (the random point \(z_d\)) to the prover and the soundness is preserved. This allows us to use our composition framework from Sect. 4 in order to substitute the oracle call with our rational sumcheck protocol.

Substituting the Low Degree Extension Oracle with a Rational Proof. First, we show that our rational sumcheck protocol from Sect. 3 can evaluate an arbitrary low degree extension.

Proposition 1

(Rational Protocol for Evaluating Low Degree Extension). The low degree extension \(\tilde{W}:\mathbb F^m\rightarrow \mathbb F\) of \((w_1,\dots , w_{k})\in \{0,1\}^k\) admits a rational proof with verification time \(\mathrm {poly}(|\mathbb {H}|,m)\), assuming oracle access to \((w_1,\dots , w_{k})\), with reward gap \(1/4(\log {|\mathbb {F}|})|\mathbb {H}^m|^2\).

Proof 10

By Proposition 2 (given in Appendix A), for any \(z\in \mathbb F^m\), \(\tilde{W}(z)\) is a summation of \(|\mathbb {H}|^m\) terms, \(\sum _{p\in \mathbb {H}^m} \tilde{\beta }(z,p)\cdot W(p)\), where the addition is over \(\mathbb {F}\) and \(\mathbb {F}\) is an extension field of \(\mathbb {GF}[2]\). Moreover, for every \((z,p)\), \(\tilde{\beta }(z,p)\) can be computed in time \(\mathrm {poly}(|\mathbb {H}|,m)\), therefore \(\tilde{\beta }(z,p)\cdot W(p)\) can be computed in time \(\mathrm {poly}(|\mathbb {H}|,m)\). By Corollary 2, \(\tilde{W}(z)\) admits a rational proof with reward gap \(1/(\log {|\mathbb {F}|})(2|\mathbb {H}^m|)^2 = 1/4(\log {|\mathbb {F}|})|\mathbb {H}^m|^2\) and verification time \(\mathrm {poly}(|\mathbb {H}|,m)\).    \(\square \)
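The following added example (not code from the paper) evaluates the sum \(\sum _{p\in \mathbb {H}^m} \tilde{\beta }(z,p)\cdot W(p)\) from Proof 10 directly, which is the \(|\mathbb {H}|^m\)-term computation the verifier performs without the rational proof. It assumes \(\mathbb F = \mathrm{GF}(2^8)\) with the AES reduction polynomial, a constructed four-element set \(\mathbb H\), \(m=2\), and the Lagrange-basis form of \(\tilde{\beta }\), since Proposition 2 is not reproduced in this section.

```python
from itertools import product

# Assumptions of this added example (not the paper's parameters):
IRRED = 0x11B        # x^8 + x^4 + x^3 + x + 1, so F = GF(2^8)
H = (0, 1, 2, 3)     # constructed interpolation set H inside F
# Constructed input w in {0,1}^k with k = |H|^m = 16, indexed by H^2 in lexicographic order.
W_BITS = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 0, 1]


def gf_mul(a, b):
    """Multiply two elements of GF(2^8): carry-less product reduced mod IRRED."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= IRRED
        b >>= 1
    return r


def gf_inv(a):
    """Inverse in GF(2^8) via a^(2^8 - 2) = a^254 (square-and-multiply)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def lagrange(h, x):
    """L_h(x) = prod_{h' in H, h' != h} (x - h') / (h - h'); subtraction is XOR."""
    num, den = 1, 1
    for other in H:
        if other != h:
            num = gf_mul(num, x ^ other)
            den = gf_mul(den, h ^ other)
    return gf_mul(num, gf_inv(den))


def beta(z, p):
    """beta~(z, p) = prod_i L_{p_i}(z_i): equals 1 if z == p on H^m, 0 on other grid points.
    Costs O(|H| * m) field operations, matching the poly(|H|, m) per-term bound."""
    acc = 1
    for zi, pi in zip(z, p):
        acc = gf_mul(acc, lagrange(pi, zi))
    return acc


def lde_eval(w, z):
    """Return (W~(z), number_of_terms) where W~(z) = sum_{p in H^m} beta~(z,p) * W(p).
    Every w_j is read once: this is the step that costs the verifier time linear in |w|."""
    total, terms = 0, 0
    for idx, p in enumerate(product(H, repeat=len(z))):
        wp = w[idx] if idx < len(w) else 0     # pad w with zeros up to |H|^m
        total ^= gf_mul(beta(z, p), wp)        # addition in characteristic 2 is XOR
        terms += 1
    return total, terms


if __name__ == "__main__":
    z = (0x53, 0xCA)                           # constructed point outside H^2
    value, terms = lde_eval(W_BITS, z)
    print(f"W~(z) = {value:#04x} computed from {terms} terms")
```
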

Finally, we use the above efficient rational proof in the protocol of Goldwasser et al. [14] to allow the verifier to avoid reading the whole input when evaluating the low degree extension of the input.

Theorem 4

(Rational Interactive Proof for NC). For any function \(f: \{0, 1\}^* \rightarrow \{0, 1\}\), if \(L_{f}=\{(x,y)|y=f(x)\}\) is computable by a family of \(O(\log (S(n)))\)-space uniform Boolean circuits of size S(n) and depth \(d(n)=O(\mathrm {polylog}(n))\) then \(f\in \mathrm{FRMA}[d(n)\cdot \mathrm {polylog}(n),d(n)\cdot \mathrm {polylog}(S(n)),\mathrm {poly}(d(n),\log (S(n)))]\) with a public-coin rational interactive proof with a noticeable reward gap, where the prover runs in time \(\mathrm {poly}(S(n))\) and the verifier runs in space \(O(\log (S(n)))\).

Proof 11

For \(f\in \mathrm{NC}\), we let \(\pi ^g=(P_{\pi }, V^g_{\pi })\) be the interactive proof for \(L_{f}=\{(x,y)|y=f(x)\}\) defined in Theorem 3 where g is the low degree extension of x with \(|\mathbb F|=\mathrm {poly}(n,d)\) and \(|\mathbb {H}^m|=\mathrm {poly}(n)\), the soundness is 1/2 and the completeness is 1. Let \(\varphi =(P_{\varphi }, V_{\varphi })\) be the rational proof for g as defined in Proposition 1 with reward gap \(\varDelta = 1/(4\log {|\mathbb {F}|})(|\mathbb {H}|^{2m})\). Note that \(V^g_{\pi }\) only issues a single query and for all x the communication between \(P_{\pi }\) and \(V^{g}_{\pi }\) is independent of \((q,g(q))\). By Theorem 1, \(\pi ^{\varphi }\) is a rational proof for f with reward gap \(\varDelta (1-s) = \varDelta /2 = 1/\mathrm {poly}(n)\).

The running time of the prover is at most the sum of the running time of \(P_{\pi }\) in Theorem 3 and the running time of \(P_{\varphi }\). The total running time is \(\mathrm {poly}(S(n))\). The running time of the verifier is at most the sum of the running times of \(V^{g}_{\pi }\) and \(V_{\varphi }\). Therefore the running time of the verifier is upper bounded by \(\mathrm {poly}(d(n), \log {(S(n))})\). The total communication is the communication of \(\varphi \) plus the communication of \(\pi \), which is upper bounded by \(d(n)\cdot \mathrm {poly}(S(n))\).    \(\square \)

5.2 Single-Round Rational Arguments for \(\mathrm{NC}\)

Guo et al. [15] gave an efficient transformation from any rational proof with noticeable reward gap to a single-round rational argument. The transformation uses an efficient Private Information Retrieval (PIR) scheme (for a formal definition, see the full version) in order to submit all the round queries to the prover at once.

Theorem 5

(Theorem 6 in [15]). Let \(f:\{0,1\}^{n}\rightarrow \{0,1\}\) be a function in \(\mathrm {FRMA}\left[ r,C,T\right] \). Assume the existence of a PIR scheme with communication complexity \(\mathrm {poly}(\kappa )\) and receiver work \(\mathrm {poly}(\kappa )\), where \(\kappa \ge \mathrm {max}\left\{ C(n),\log {n}\right\} \) is the security parameter. If f has an admissible rational proof with noticeable reward gap \(\varDelta \), then f admits a single-round rational argument which has the following properties:

  (a) The verifier runs in time \(C(n)\cdot \mathrm {poly}(\kappa ) +O(T(n))\).

  (b) The communication complexity is \(r\cdot \mathrm {poly}(\kappa ,\lambda )\) where \(\lambda \) is the longest message sent by the prover.

By applying the above transformation of Guo et al. [15] on the rational interactive proofs in Theorem 4, we obtain single-round rational arguments for \(\mathrm{NC}\) with sublinear verification.

Corollary 3

(Rational Argument for NC). Let \(f:\{0,1\}^n \rightarrow \{0,1\}\) be a function computable by log-space uniform \(\mathrm{NC}\) of size \(S(n) = \mathrm {poly}(n)\) and depth \(d(n)=O(\mathrm {polylog}(n))\). Assume the existence of a PIR scheme with communication complexity \(\mathrm {poly}(\kappa )\) and receiver work \(\mathrm {poly}(\kappa )\), where \(\kappa \ge d(n)\cdot \mathrm {polylog}(S(n))\) is the security parameter. Then f admits a single-round efficient rational argument which has the following properties:

  1. The verifier runs in \(\mathrm {poly}(\kappa ,d(n),\log (S(n)))\) and the prover runs in \(\mathrm {poly}(\kappa ,S(n))\).

  2. The length of the prover’s message and the verifier’s challenge is \(d(n)\cdot \mathrm {poly}(\kappa ,\log (S(n)))\). The verifier’s challenge depends only on his random coins and is independent of the input x.

6 Rational Delegation for \(\mathrm{P}\)

Recently, Kalai et al. [18] gave a single-round delegation scheme for every language computable in time t(n), where the running time of the verifier is \(n\cdot \mathrm {polylog}(t(n))\). For languages in \(\mathrm{P}\) where \(t(n)=\mathrm {poly}(n)\), the verification time is \(O(n\cdot \mathrm {polylog}(n))\). The efficiency bottleneck for achieving sublinear verification for \(\mathrm{P}\) in Kalai et al. [18] (similarly to the protocol for \(\mathrm{NC}\) of Goldwasser et al. [14]) is that the verifier needs to evaluate a low degree extension of the input which takes quasi-linear time. We show that it is possible to improve the verification time to be sublinear in the rational setting.

6.1 The Protocol of Kalai, Raz and Rothblum [19]

Recently, Kalai et al. [18] gave an \(\mathrm{MIP}\) secure against no-signaling provers for any deterministic computation.

Theorem 6

(Theorem 4 in [18]). Suppose that \(L\in \mathrm{DTIME}(t(n))\), where \(t = t(n)\) satisfies \(\mathrm {poly}(n)\le t\le \exp (n)\). Then, for any integer \((\log t)^c\le k \le \mathrm {poly}(n)\), where c is some (sufficiently large) universal constant, there exists an \(\mathrm{MIP}\) for L with \(k\cdot \mathrm {polylog}(t)\) provers where:

  1. The verifier runs in time \(n\cdot k^2\cdot \mathrm {polylog}(t)\) and the provers run in time \(\mathrm {poly}(t,k)\). Moreover, if the verifier is given oracle access to the low degree extension of its input, then its running time is only \(t' \cdot k^2\cdot \mathrm {polylog}(t)\), where \(t'\) is the cost of the oracle access.

  2. The protocol has perfect completeness and soundness \(2^{-k}\) against \(2^{-k\cdot \mathrm {polylog}(t)}\)-no-signaling strategies.

  3. Each query and answer is of length \(k\cdot \mathrm {polylog}(t)\).

Here we give a high level overview of the \(\mathrm{MIP}\) construction of Kalai et al. [18]. It is obtained in three steps:

  1. No-signaling PCP with Oracle. They first construct a Probabilistically Checkable Proof (PCP) with oracle access to a function which makes at most k queries and is secure against no-signaling provers. The construction of the PCP is the most technical part of their work and we refer to Kalai et al. [18] for the construction and analysis of this PCP. The total number of oracle queries is at most \(k\cdot \mathrm {polylog}(t)\) and the running time of the verifier is \(k\cdot \mathrm {polylog}(n)\).

  2. No-signaling \(\mathrm{MIP}\) with Oracle. Based on the PCP, they construct in a straightforward way an \(\mathrm{MIP}\) with \(k_{\max }\le k\cdot \mathrm {polylog}(t)\) provers secure against no-signaling strategies given oracle access to the same function as for the PCP. In this \(\mathrm{MIP}\), the verifier simulates the PCP verifier, and the i-th prover prepares the PCP proof and answers the i-th query according to the PCP. The running time of the verifier is \(O(k\cdot \mathrm {polylog}(t))\).

  3. No-signaling \(\mathrm{MIP}\) without Oracle. In order to remove the oracle, they employ an \(\mathrm{MIP}\) for the oracle which is secure against no-signaling provers. They remove the queries to the oracle one by one, each time eliminating one query by letting the verifier run the \(\mathrm{MIP}\) for the oracle with additional provers. At the end, they obtain an \(\mathrm{MIP}\) without oracle access which is secure against no-signaling provers. To construct the \(\mathrm{MIP}\) for the oracle, they observe that any interactive proof gives rise to an \(\mathrm{MIP}\) secure against no-signaling provers by sending the first i messages to the i-th prover and letting the i-th prover answer the message in the i-th round. Since the oracle is computable in linear space, there is an \(\mathrm{IP}\) for this oracle, which yields an \(\mathrm{MIP}\) against no-signaling provers. The running time of the verifier is \(k\cdot \mathrm {polylog}(t)+n\cdot k^2\cdot \mathrm {polylog}(t)\). Moreover, if the verifier can compute the low degree extension of the input in time \(t'\), then the running time can be further improved to \(k\cdot \mathrm {polylog}(n)+ t' \cdot k^2\cdot \mathrm {polylog}(t)\).

Note that for languages in \(\mathrm{P}\) where \(t=\mathrm {poly}(n)\), we can let \(k = \mathrm {polylog}(t)\) so that the verifier runs in time \(n\cdot \mathrm {polylog}(n)\). Moreover, the running time can be improved to \(t' \cdot \mathrm {polylog}(n)\) when the verifier is given oracle access to evaluate the low degree extension and \(t'\) is the cost of the oracle access. Therefore, the task of constructing a delegation scheme for \(\mathrm{P}\) with sublinear verification can be reduced to constructing a delegation scheme for the low degree extension with sublinear verification.

6.2 No-Signaling Rational Multi-prover Proofs for Deterministic Computations

In this section, we present our \(\mathrm{RMIP}\)s for deterministic computations which are secure against no-signaling provers. Recall from the previous section that the efficiency bottleneck for achieving sublinear verification for \(\mathrm{P}\) is that the evaluation of low degree extension runs in quasi-linear time. To overcome the efficiency bottleneck we combine the no-signaling MIP of Kalai et al. [18] with our sublinear rational proofs for evaluating the low degree extension of the input (Proposition 1). Unlike the oracle simulation mentioned in the third step of the work of Kalai et al. [18], we reduce all queries to the low degree extension oracle at once and only increase the number of provers by 1. To do this, we view the queries to the oracle as a single query consisting of many points to a larger oracle that evaluates the low degree extension of inputs on all the points and returns the answers at once.

For a function \(g:\mathbb F^n\rightarrow \mathbb F\), we let \(g^{l}:(\mathbb F^n)^l\rightarrow (\mathbb F)^l\) be the function that on any l-tuple \((x_1,\dots , x_l)\in (\mathbb F^n)^l\) outputs \((g(x_1), \dots , g(x_l))\). For a rational proof \(\varphi = (V_{\varphi }, P_{\varphi })\) for g with input \(x\in \mathbb F^n\), we define another rational proof \(\varphi ^l = (V_{\varphi ^l}, P_{\varphi ^l})\) for \(g^{l}\) with input \((x_1,\dots , x_l)\in (\mathbb F^n)^l\), where the verifier \(V_{\varphi ^l}\) simulates \(V_{\varphi }\) on \(x_i\) for all \(i\in \{1,\ldots ,l\}\) and pays the average reward output by \(V_{\varphi }\) on the l inputs, and \(P_{\varphi ^l}\) simulates \(P_{\varphi }\) on \(x_i\) for all \(i\in \{1,\ldots ,l\}\). It is easy to see that if g admits a rational proof \(\varphi \) with reward gap \(\varDelta \), then \(g^{l}\) admits a rational proof \(\varphi ^l\) with reward gap \(\varDelta /l\).

Theorem 7

Suppose that \(f:\{0,1\}^{n}\rightarrow \{0,1\}\) is a function computable by deterministic Turing machine in time t(n), where \(t = t(n)\) satisfies \(\mathrm {poly}(n)\le t\le \exp (n)\). Then, for any integer \((\log t)^c\le k \le \mathrm {poly}(n)\), where c is some (sufficiently large) universal constant, there exists an \(\mathrm{RMIP}\) for f with \(k\cdot \mathrm {polylog}(t)+1\) provers where:

  1. The provers run in time \(\mathrm {poly}(t,k)\) and the verifier runs in time \(k^2\cdot \mathrm {polylog}(t)\).

  2. The protocol has reward gap \(1/k\cdot \mathrm {poly}(\log (t),n)\) against \(2^{-k\cdot \mathrm {polylog}(t)}\)-no-signaling strategies.

  3. Each query and answer is of length \(k\cdot \mathrm {polylog}(t)\).

Proof 12

Let \(\pi ^{g}=(\overrightarrow{P_{\pi }}, V^g_{\pi })\) be the \(\mathrm{MIP}\) for \(L_{f}=\{(x,y)|y=f(x)\}\) from Theorem 6, which has soundness \(s=2^{-k}\) against \(\delta = 2^{-k\cdot \mathrm {polylog}(t)}\)-no-signaling strategies and perfect completeness, where \(g:\mathbb {F}^m\rightarrow \mathbb {F}\) is the low degree extension of inputs with parameters \(\mathbb {F},\mathbb {H}, m\) such that \(|\mathbb {H}|\le |\mathbb {F}|\le \mathrm {polylog}(t)\), \(|\mathbb {H}^m|=\mathrm {poly}(n)\). As noted in [18], the total number of the queries to g is \(l\le k\cdot \mathrm {polylog}(t)\). We consider \(\pi ^{g^l}=(\overrightarrow{P_{\pi }}, V^{g^l}_{\pi })\) where \(V^{g^l}_{\pi }\) behaves exactly as \(V^{g}\) except that \(V^{g^l}\) only makes a single query which consists of all the queries of \(V^{g}\) to the oracle for g. Because the queries made by \(V^{g}_{\pi }\) are independent of each other, it is possible to query them at once and conclude that \(\pi ^{g^l}\) is also an \(\mathrm{MIP}\) for \(L_f\) with the same guarantee.

By Proposition 1, g admits a rational proof \(\varphi =(P_{\varphi }, V_{\varphi })\) with reward gap \(\varDelta = 1/(4\log {|\mathbb F|})(|\mathbb {H}^m|^{2})\). Therefore \(g^l\) admits a rational proof \(\varphi ^{l}\) with reward gap \(\varDelta ' = \varDelta /l\). Note that \(\varphi ^{l}\) is also an \(\mathrm{RMIP}\) with reward gap \(\varDelta \) in presence of \(\delta '=1\)-no-signaling strategies.

Note that \(V^{g^l}_{\pi }\) only issues a single query and for all x the communication between \(\overrightarrow{P_{\pi }}\) and \(V^{g^l}_{\pi }\) is independent of \((q,g(q))\). By Theorem 2, \(\pi ^{\varphi ^l}\) is an \(\mathrm{RMIP}\) for f with reward gap \(\varDelta '(1-s - \min (\delta ,\delta ')) = \Omega (\varDelta /l) = 1/k\cdot \mathrm {poly}(\log (t),n)\), in the presence of \(\delta '' = \delta \)-no-signaling strategies.

The running time of the prover is at most the sum of the running time of \(\overrightarrow{P_{\pi }}\) in Theorem 6 and the running time of \(P_{\varphi ^m}\) which is upper bounded by \(\mathrm {poly}(t,k)\). The verifier runs in at most \(t'\cdot k^2\cdot \mathrm {polylog}(t)\) where the \(t'\) is the running time of \(V_{\varphi }\) upper bounded by \(\mathrm {poly}(\mathbb {H},m) \le \mathrm {polylog}(t)\). Therefore the running time of verifier is \(k^2\cdot \mathrm {polylog}(t)\). The maximal length of queries and answers in \(\pi ^{g^{l}}\) is \(k\cdot \mathrm {polylog}(t)\) by Theorem 6, and the maximal length of queries and answers in \(\pi ^{g^{l}}\) is \((m\log {\mathbb F})\cdot l \le k\cdot \mathrm {polylog}(t)\). Therefore the maximal length of queries and answers in \(\pi ^{g^{l}}\) is bounded by \(k\cdot \mathrm {polylog}(t)\).    \(\square \)

6.3 Single-Round Rational Arguments for \(\mathrm{P}\)

We show how to transform any \(\mathrm{RMIP}\) secure against no-signaling provers into a single-round rational argument using a sub-exponentially secure Fully Homomorphic Encryption (see Definition 8), and as a result obtain a single-round rational argument with sublinear verification for any language in \(\mathrm{P}\). For that we extend the transformation of Guo et al. [15] to the multi-prover setting.

Theorem 8

Let \(f:\{0,1\}^{n}\rightarrow \{0,1\}\) be a function in \(\mathrm {FRMIP}\left[ k,\delta ,C,T\right] \). Assume f has an \(\mathrm{RMIP}\) with noticeable reward gap \(\varDelta \) and negligible no-signaling parameter \(\delta \), and let \(\lambda \) denote the length of the longest message sent by the verifier. If there exists a secure FHE scheme, where \(\kappa \ge \mathrm {max}\left\{ \mathrm {polylog}(n),\,\lambda ,\,C\right\} \) is the security parameter, then f admits a single-round rational argument which has the following properties:

  1. The verifier runs in time \(\mathrm {poly}(\kappa ) +O(T(n))\).

  2. The prover runs in time \(\mathrm {poly}\left( \kappa ,\,n,\, T_{\overrightarrow{P_{MIP}}}\right) \), where \(T_{\overrightarrow{P_{MIP}}}\) is the sum of the running times of the provers in the \(\mathrm{RMIP}\).

  3. The length of prover’s message and the verifier’s challenge is \(\ell \cdot \mathrm {poly}(\kappa )\).

The proof of Theorem 8 follows by the following lemma (due to space restrictions, we provide the proof of Lemma 2 in the full version).

Lemma 2

Let \((\overrightarrow{P_{MIP}},V_{MIP})\) be a \(\delta \)-no signaling \(\mathrm{RMIP}\) protocol for a function f with \(\ell \) provers. Let \(\lambda \) be the longest query size and C be the answer size. Let \({\mathsf {reward}}(\cdot )\) and \(\varDelta \) be the reward function and the corresponding reward gap. Assume the existence of a \((Z,\delta ')\)-secure FHE with correctness \(1-\gamma \) (where \(\gamma \) is some negligible function), and let \(\gamma _0=\gamma \cdot \ell \). If \(\delta '\le \delta /\ell \) and the security parameter \(\kappa =\kappa \left( n\right) \ge \max \left\{ \mathrm {poly}\log (n),\, \lambda ,\, C\right\} \) and \(Z=Z(\kappa )\ge \kappa \) such that \(Z\ge \max \left\{ n,\,2^{\ell \cdot C}\right\} \), then there exists a one-round protocol \((P_{A},V_{A})\) with the following properties:

  (a) \(\Pr [{\mathsf {output}}((P_A,V_A)(x))=f(x)]=1.\)

  (b) \({{\mathrm{E}}}[{\mathsf {reward}}((P_A,V_A)(x))]\!\ge \!{{\mathrm{E}}}[{\mathsf {reward}}((\overrightarrow{P_{MIP}},V_{MIP})(x))]\cdot (1-\gamma _0).\)

  (c) The length of \(P_A\)’s message and the \(V_A\)’s challenge is \(\ell \cdot \mathrm {poly}(\kappa )\).

  (d) The verifier \(V_{A}\) runs in time \(\mathrm {poly}(\kappa ) +O(T_{V_{MIP}})\), where \(T_{V_{MIP}}\) is the running time of \(V_{MIP}\).

  (e) The prover \(P_{A}\) runs in time \(\mathrm {poly}\left( \kappa ,\,n,\, T_{\overrightarrow{P_{MIP}}}\right) \), where \(T_{\overrightarrow{P_{MIP}}}\) is the sum of the running times of the provers in \(\overrightarrow{P_{MIP}}\).

  (f) For any prover \(P^{*}\) of size \(\le \mathrm {poly}(Z(\kappa ))\) that achieves

    $$\begin{aligned} {{\mathrm{E}}}[{\mathsf {reward}}((P^{*},V_A)(x))]={{\mathrm{E}}}[{\mathsf {reward}}((P_A,V_A)(x))]+\delta ^{*}\ , \end{aligned}$$

    let \(\mu =\mathrm {Pr}[{\mathsf {output}}((P^{*},V_A)(x))\ne f\left( x\right) ]\). It holds that

    (a) (Utility gain) \(\delta ^{*} \le \gamma _0\), and

    (b) (Utility loss) \((-\delta ^{*}) \ge \mu \varDelta - \gamma _0.\)

From Interactive Rational Proofs to Rational Arguments. Let \((\overrightarrow{P_{MIP}},V_{MIP})\) be a \(\delta \)-no-signaling rational MIP with \(\ell \) provers \(P^1_{MIP},\dots ,P^\ell _{MIP}\) for evaluating some function f, as in the statement of Lemma 2. Recall that \(\lambda \) denotes the length of the longest message sent by \(V_{MIP}\) in \((\overrightarrow{P_{MIP}},V_{MIP})\). For simplicity of exposition (and without loss of generality) we assume that the first prover \(P^1_{MIP}\) sends f(x), and all queries are of size exactly \(\lambda \).

Fix any security parameter \(\kappa \ge \max \left\{ \mathrm {polylog}(n),\lambda ,C\right\} \) and let \((\mathsf {Gen}, \mathsf {Enc}, \mathsf {Eval},\mathsf {Dec})\) be a \((Z,\delta ')\)-secure FHE scheme, with respect to security parameter \(\kappa \). The one-round rational argument \((P_{A},V_{A})\) is constructed as follows:

  1. On common input \(x\in \left\{ 0,1\right\} ^{n}\), the verifier \(V_{A}\) proceeds as follows:

    (a) Emulate the verifier \(V_{MIP}\) and obtain queries \(m_{1},\ldots ,m_{\ell }\in \left\{ 0,1\right\} ^{\lambda }\) to be sent by \(V_{MIP}\) (see Footnote 2).

    (b) Compute key-pairs \((pk_i,sk_i)\leftarrow \mathsf {Gen}(1^\kappa )\) and encryptions \(q_{i}\leftarrow \mathsf {Enc}(pk_i, m_{i})\) for \(1\le i\le \ell \). Send \(pk=\left( pk_{1},\ldots ,pk_{\ell }\right) \) and \(q=\left( q_{1},\ldots ,q_{\ell }\right) \) to \(P_{A}\).

  2. Upon receiving keys \(pk=\left( pk_{1},\ldots ,pk_{\ell }\right) \) and queries \(q=\left( q_{1},\ldots ,q_{\ell }\right) \) from \(V_{A}\), the prover \(P_{A}\) operates as follows:

    (a) Emulate provers \(\overrightarrow{P_{MIP}}\) to obtain f(x).

    (b) For each \(1\le i\le \ell \), compute \(P_{x,i}\), a Boolean circuit that on input query m computes the function \(P^i_{MIP}(x,m)\).

    (c) For each \(1\le i\le \ell \), compute \(a_{i}\leftarrow \mathsf {Eval}(pk_i,P_{x,i},q_i)\) and send the message \(\left( f(x),a_{1},\ldots ,a_{\ell }\right) \) to \(V_{A}\).

  3. Upon receiving the message \(\left( f(x),a_{1},\ldots ,a_{\ell }\right) \) from \(P_{A}\), the verifier \(V_{A}\) operates as follows:

    (a) For every \(1\le i\le \ell \), compute \(b_{i}^{\prime }\leftarrow \mathsf {Dec}(sk_i,a_{i})\).

    (b) Emulate \(V_{MIP}\) on \(\left( f(x),b_{1}^{\prime },\ldots ,b_{\ell }^{\prime }\right) \), as if each \(b_{i}^{\prime }\) is \(P^i_{MIP}\)’s response.

    (c) Output whatever \(V_{MIP}\) outputs (i.e., f(x) and ‘1’ with probability of the computed reward).

Proof 13

(of Theorem 8). The running time of the verifier, the communication complexity, and property (a) of Definition 5 of rational arguments are all explicitly provided by Lemma 2. It remains to show property (b) and property (c) of the definition of rational arguments.

The utility gain is \(\delta ^{*} \le \gamma _0\le \kappa \cdot \mathrm {negl}(\kappa ) = \mathrm {negl}(n)\). By the definition of \(\delta ^{*}\) we have, \( \mathrm {negl}(n) + {{\mathrm{E}}}[{\mathsf {reward}}((P_A,V_A)(x))] \ge \delta ^{*}+{{\mathrm{E}}}[{\mathsf {reward}}((P_A,V_A)(x))] \) which is equal to \({{\mathrm{E}}}[{\mathsf {reward}}((P^*,V_A)(x))]\). Hence, the property (a) of rational arguments holds.

To show property (c) of Definition 5, we assume that \(\mu \ge p^{-1}(|x|)\) for some polynomial \(p(\cdot )\). Due to the noticeable \(\varDelta \), we know that \(\mu \varDelta \ge q_1^{-1}(|x|)\) for some polynomial \(q_1(\cdot )\). From the utility loss bound we obtain that

$$ (-\delta ^{*}) \ge \mu \varDelta - \gamma _0 = \mu \varDelta - \mathrm {negl}(n) \ge q_1^{-1}(|x|)- \mathrm {negl}(n) \ge q_1^{-1}(|x|)/2\ . $$

By defining polynomial \(q(\cdot )\) to be \(q(|x|)=2q_1(|x|)\) we get

$$\begin{aligned} {{\mathrm{E}}}[{\mathsf {reward}}((P_A,V_A)(x))]&={{\mathrm{E}}}[{\mathsf {reward}}((P^*,V_A)(x))]-\delta ^{*}\\&\ge {{\mathrm{E}}}[{\mathsf {reward}}((P^*,V_A)(x))]+q^{-1}(|x|)\ , \end{aligned}$$

as desired.    \(\square \)

By applying the above transformation on the no-signaling \(\mathrm{RMIP}\) protocol presented in Theorem 7, we obtain the following single-round rational arguments for \(\mathrm{P}\) with sublinear verification.

Corollary 4

(Rational Argument for P). Let \(f:\{0,1\}^{n}\rightarrow \{0,1\}\) be a function computable by a deterministic Turing machine in time \(\mathrm {poly}(n)\le T(n)\le \mathrm {exp}(n)\) and let \(k=\mathrm {polylog}(T(n))\). Let \(\kappa \ge \mathrm {polylog}(T(n))\cdot k\) be a security parameter and let \(Z=Z(\kappa )\) be such that \(2^{(\log T(n))^c}\le Z\le 2^\kappa \) for sufficiently large constant c. If there exists a \((Z,2^{-{k}^2\cdot \mathrm {polylog}( T(n))})\)-secure FHE scheme then f admits a single-round efficient rational argument which has the following properties:

  1. The verifier runs in time \(\mathrm {poly}(\kappa , \log (T(n)))\) and the prover runs in \(\mathrm {poly}(\kappa ,T(n))\).

  2. The length of prover’s message and the verifier’s challenge is \(k\cdot \mathrm {poly}(\kappa ,\log (T(n)))\). The verifier’s challenge depends only on his random coins and is independent of the input x.

Proof 14

Suppose that \(f\in \mathrm {DTIME}(T)\), where \(T=T(n)\) satisfies \(\mathrm {poly}(n)\le T \le \mathrm {exp}(n)\) and set \(k=\mathrm {polylog}(T)\). Let \(\kappa =\kappa (n)\) be a security parameter such that \(k\cdot \mathrm {polylog}(T) \le \kappa \). Let \(Z = Z(\kappa )\) such that \(2^{(\log T)^c}\le Z\le 2^\kappa \) for sufficiently large universal constant c satisfying \(Z\ge \mathrm {max}\{n,2^{k^2\cdot \mathrm {polylog}(T)}\}\). Let \(\delta '=2^{-k^2\mathrm {polylog}(T)}\). By applying Theorem 7 (with respect to the parameter k) to the function f, we obtain an \(\mathrm{RMIP}\) for f with \(k\cdot \mathrm {polylog}(T)\) provers and reward gap \(1/k\cdot \mathrm {poly}(\log (T),n)\) against \(2^{-k\cdot \mathrm {polylog}(T)}\)-no-signaling strategies. The verifier of the \(\mathrm{RMIP}\) runs in time \(k^2\cdot \mathrm {polylog}(T)\) and the provers run in time \(\mathrm {poly}(T,k)\). Each query and answer is of length \(k\cdot \mathrm {polylog}(T)\). Assume that there exists a \((Z,\delta ')\)-secure FHE.

By Theorem 8, we obtain that f has a 1-round rational argument. The running time of the verifier is \(\mathrm {poly}(\kappa ,\log (T))\) and the running time of the prover is \(\mathrm {poly}(\kappa ,T)\). The message of the prover and the verifier is of length \(k\cdot \mathrm {poly}(\kappa ,\log T)\).    \(\square \)

We remark that Corollary 3 could alternatively be obtained using our new transformation presented in Theorem 8. This is done by first transforming the rational interactive proof for \(\mathrm{NC}\) to an \(\mathrm{RMIP}\) (with only negligible loss in the reward gap) and then applying Theorem 8 to the resulting \(\mathrm{RMIP}\).