Practical Verified Computation with Streaming Interactive Proofs
When delegating computation to a service provider, as in cloud computing, we seek some reassurance that the output is correct and complete. Yet recomputing the output as a check is inefficient and expensive, and it may not even be feasible to store all the data locally. We are therefore interested in proof systems which allow a service provider to prove the correctness of its output to a streaming (sublinear space) user, who cannot store the full input or perform the full computation herself. Our approach is two-fold. First, we describe a carefully chosen instantiation of one of the most efficient general-purpose constructions for arbitrary computations (streaming or otherwise), due to Goldwasser, Kalai, and Rothblum. This requires several new insights to make the methodology more practical. Our main contribution is in achieving a prover who runs in time O(S(n) log S(n)), where S(n) is the size of an arithmetic circuit computing the function of interest. Our experimental results demonstrate that a practical general-purpose protocol for verifiable computation may be significantly closer to reality than previously realized. Second, we describe techniques that achieve genuine scalability for protocols fine-tuned for specific important problems in streaming and database processing. Focusing in particular on non-interactive protocols for problems ranging from matrix-vector multiplication to bipartite perfect matching, we build on prior work to achieve a prover who runs in nearly linear-time, while obtaining optimal tradeoffs between communication cost and the user’s working memory. Existing techniques required (substantially) superlinear time for the prover. We argue that even if general-purpose methods improve, fine-tuned protocols will remain valuable in real-world settings for key problems, and hence special attention to specific problems is warranted.
💡 Research Summary
The paper tackles the practical deployment of verifiable computation in a streaming setting, where a client (the verifier) can only make a single pass over the input data and must operate with sub‑linear memory, while a cloud server (the prover) supplies both the answer to a query and a proof of correctness. The authors pursue a two‑pronged strategy.
First, they take the most efficient known general‑purpose interactive proof construction for arbitrary computations—the Goldwasser‑Kalai‑Rothblum (GKR) protocol—and engineer a concrete implementation that dramatically reduces the prover’s runtime. In theory, GKR guarantees a prover running with poly‑logarithmic overhead over the size S of the arithmetic circuit that computes the target function, but prior implementations required O(S · polylog S) time. By reorganizing the circuit into layers, expressing each layer’s gate values as a convolution of low‑degree polynomials, and evaluating these convolutions with Fast Fourier Transform (FFT) techniques, the authors achieve a prover runtime of O(S log S). They also streamline the verifier’s work: the verifier needs only to maintain a single low‑degree extension (LDE) value LDE_a(r) for a randomly chosen point r, which can be updated incrementally in O(1) words of memory and O(log n) field operations per stream update. Communication is kept polylogarithmic, with each round consisting of a few field elements. Experimental results on circuits with hundreds of millions of gates show prover runtimes of a few seconds and verifier runtimes of a few hundred milliseconds, confirming that the general‑purpose protocol is now within practical reach, though still not optimal for everyday use.
Second, recognizing that many real‑world tasks have special structure, the authors design problem‑specific protocols that dramatically improve over the generic GKR approach. For matrix‑vector multiplication (MVM), they treat the matrix as a polynomial in two variables, compute its FFT‑based representation, and let the verifier check a single random evaluation point. The prover’s cost becomes O(n log n) for an n × n matrix, communication O(log n) words, and verifier memory O(log n) words. For bipartite perfect matching, they apply a linearization technique originally due to Shen: the adjacency matrix is encoded as a polynomial, and the existence of a perfect matching reduces to checking that a certain determinant polynomial is non‑zero at a random point. Again the prover runs in near‑linear time, while the verifier’s resources remain polylogarithmic. Similar techniques yield ultra‑lightweight protocols for frequency‑based aggregations (sum, average, histograms) where the verifier only needs the LDE of the frequency vector.
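The incremental LDE_a(r) update described for the verifier, and the LDE of the frequency vector mentioned for aggregations, can be sketched as follows; this is an added example, not code from the paper or its authors. It assumes the multilinear extension as the low-degree extension and the prime field modulus 2^61 - 1, and the names chi, StreamingLDE, lde_direct and run_demo are hypothetical. The comparison against a fully materialised vector is there only to show what the single stored value pins down.

```python
import secrets

P = 2**61 - 1  # assumed prime field modulus (a Mersenne prime); not taken from the page


def chi(index, r):
    """Multilinear Lagrange basis polynomial of `index`, evaluated at the point r."""
    out = 1
    for j, rj in enumerate(r):
        bit = (index >> j) & 1
        out = out * (rj if bit else (1 - rj)) % P
    return out


class StreamingLDE:
    """Verifier state: the random point r plus one running field element."""

    def __init__(self, log_n, r=None):
        # r is drawn before the stream starts and is never revealed to the prover.
        self.r = r if r is not None else [secrets.randbelow(P) for _ in range(log_n)]
        self.value = 0

    def update(self, index, delta):
        # a[index] += delta  implies  LDE_a(r) += delta * chi_index(r): O(log n) field ops.
        self.value = (self.value + delta * chi(index, self.r)) % P


def lde_direct(vector, r):
    """Evaluate the same extension from a fully stored vector (what a prover could do)."""
    return sum(v * chi(i, r) for i, v in enumerate(vector)) % P


def run_demo(r=None):
    # Constructed sample stream of (index, delta) updates over n = 8 items.
    stream = [(3, 5), (0, 2), (3, -1), (7, 4), (5, 9), (0, 1)]
    verifier = StreamingLDE(log_n=3, r=r)
    for index, delta in stream:
        verifier.update(index, delta)
    honest = [3, 0, 0, 4, 0, 9, 0, 4]    # true frequency vector of the stream
    tampered = [3, 0, 0, 4, 0, 8, 0, 4]  # one entry altered
    return (verifier.value == lde_direct(honest, verifier.r),
            verifier.value == lde_direct(tampered, verifier.r))


if __name__ == "__main__":
    print(run_demo())
```

A vector that differs from the true one in a single entry agrees with the stored value only if r lands on a root of the difference polynomial, which for this field size happens with probability on the order of (log n)/P.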
The paper also discusses non‑interactive variants (single‑message proofs) that are attractive when network latency is high, and interactive variants that further reduce verifier memory. Compared with fully homomorphic encryption based delegation, the presented protocols are information‑theoretically sound (no cryptographic assumptions) and orders of magnitude faster.
Overall, the contributions are: (1) a practical, engineered implementation of the GKR circuit‑checking protocol with prover time O(S log S) and verifier space O(log n); (2) a suite of specialized, near‑linear‑time prover protocols for key streaming and database problems, achieving optimal trade‑offs between prover time, verifier space, and communication. The experimental evaluation demonstrates scalability to streams containing billions of updates and inputs of terabyte size, with prover memory in the low‑gigabyte range and verifier memory in the megabyte range. These results suggest that trustworthy cloud computation via streaming interactive proofs is moving from theory toward real‑world deployment, and that both general‑purpose and problem‑specific approaches will be valuable in practice.