![Tree decomposition for t=6\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$t=6$$\end{document} (i.e., h=3\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$h=3$$\end{document}). Black nodes are border nodes, the gray node is an extra-border node, and white nodes are standard nodes. Note that v1\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$v_1$$\end{document} is not a border node since the depth of its subtree is 1<h-1\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$1<h-1$$\end{document}. The domains are marked with dashed frames](https://www.researchgate.net/publication/323655091/figure/fig3/AS:961003319750656@1606132454059/Tree-decomposition-for-t6documentclass12ptminimal-usepackageamsmath_Q320.jpg)
![Cycle decomposition for t=6\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$t=6$$\end{document} (i.e., h=3\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$h=3$$\end{document}). Black nodes are border nodes, gray nodes are extra-border nodes, and white nodes are standard nodes. Note that v1\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$v_1$$\end{document} is not a border node since the number of nodes between v1\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$v_1$$\end{document} and r in the oriented cycle is 1<h-1\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$1<h-1$$\end{document}, and v2\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$v_2$$\end{document} is an extra-border node since this is the farthest node from r in the oriented cycle. The domains are marked with dashed frames](https://www.researchgate.net/publication/323655091/figure/fig4/AS:961003319750657@1606132454150/Cycle-decomposition-for-t6documentclass12ptminimal-usepackageamsmath_Q320.jpg)
![Grid decomposition for t=16\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$t=16$$\end{document} (i.e., h=4\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$h=4$$\end{document}). Black nodes are border nodes, gray nodes are extra-border nodes, and white nodes are standard nodes. The domains are marked with dashed frames](https://www.researchgate.net/publication/323655091/figure/fig5/AS:961003319738375@1606132454265/Grid-decomposition-for-t16documentclass12ptminimal-usepackageamsmath_Q320.jpg)
Access to this full-text is provided by Springer Nature.
Content available from Distributed Computing
This content is subject to copyright. Terms and conditions apply.
Distributed Computing (2021) 34:113–132
https://doi.org/10.1007/s00446-020-00386-z
Redundancy in distributed proofs
Laurent Feuilloley1·Pierre Fraigniaud2·Juho Hirvonen3·Ami Paz4·Mor Perry5
Received: 8 October 2019 / Accepted: 24 September 2020 / Published online: 7 October 2020
© The Author(s) 2020
Abstract
Distributed proofs are mechanisms that enable the nodes of a network to collectively and efficiently check the correctness of
Boolean predicates on the structure of the network (e.g., having a specific diameter), or on objects distributed over the nodes
(e.g., a spanning tree). We consider well known mechanisms consisting of two components: a prover that assigns a certificate
to each node, and a distributed algorithm called a verifier that is in charge of verifying the distributed proof formed by the
collection of all certificates. We show that many network predicates have distributed proofs offering a high level of redundancy,
explicitly or implicitly. We use this remarkable property of distributed proofs to establish perfect tradeoffs between the size
of the certificate stored at every node, and the number of rounds of the verification protocol.
Keywords Distributed verification ·Distributed graph algorithms ·Proof-labeling schemes ·Space-time tradeoffs ·
Nondeterminism
1 Introduction
1.1 Context and objective
In the context of distributed fault-tolerant computing in large
scale networks, it is of the utmost importance that the comput-
ing nodes can perpetually check the correctness of distributed
objects (e.g., spanning trees) encoded distributively over the
An extended abstract of this work was presented in DISC 2018 [21].
BAmi Paz
ami.paz@univie.ac.at
Laurent Feuilloley
feuilloley@dii.uchile.cl
Pierre Fraigniaud
pierref@irif.fr
Juho Hirvonen
juho.hirvonen@aalto.fi
Mor Perry
mor.perry@weizmann.ac.il
1Universidad de Chile, Santiago, Chile
2IRIF, CNRS, Université de , Paris, France
3Aalto University, Espoo, Finland
4Faculty of Computer Science, University of Vienna, Vienna,
Austria
5Weizmann Institute of Science, Rehovot, Israel
network. Such objects can be the outcome of an algorithm
that might be subject to failures, or be a-priori correctly
given objects but subject to later corruption. There are sev-
eral mechanisms for checking the correctness of distributed
objects (see, e.g., [2,3,7,10–12]), and here we focus on one
classical mechanism which is both simple and versatile,
known as proof-labeling schemes [37], or as locally check-
able proofs [30].1
Roughly, a proof-labeling scheme assigns certificates to
each node of the network. These certificates can be viewed as
forming a distributed proof of the actual object. The nodes are
then in charge of collectively verifying the correctness of this
proof. The requirements are in a way similar to those imposed
on non-deterministic algorithms (e.g., the class NP), namely:
(1) on correct structures, the assigned certificates must be
accepted, in the sense that every node must accept its given
certificate; (2) on corrupted structures, whatever certificates
are given to the nodes, they must be rejected, in the sense
that at least one node must reject its given certificate. (The
rejecting node(s) can raise an alarm, or launch a recovery
procedure.) For example, a spanning-tree can be verified in
one communication round by the following process. Root the
tree and give every node a certificate which is the identity of
1These two mechanisms slightly differ: the latter assumes that every
node can have access to the whole state of each of its neighbors, while
the former assumes that only part of this state (the certificate that is
assigned for the verification process) is visible from neighboring nodes;
nevertheless, the two mechanisms share the same essential features.
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
114 L. Feuilloley et al.
the root and its distance from the root. The nodes use the
distances to verify that the structure is acyclic, by making
sure each non-root node has a neighbor with smaller distance;
they use the root-ID to verify connectivity, by making sure
they all have the same root-ID. If the structure is connected
and acyclic, it is a spanning tree. Proof-labeling schemes
and locally checkable proofs can be viewed as a form of
non-deterministic distributed computing (see also [23]).
The main measure of quality for a proof-labeling scheme
is the size of the certificates assigned to correct (a.k.a. legal)
objects. These certificates are verified using protocols that
exchange certificates between neighboring nodes, so using
large certificates may result in significant overheads in
term of communication. In addition, proof-labeling schemes
can be combined with other mechanisms enforcing fault-
tolerance, including replication (multiple copies of the mem-
ory of each node). Large certificates may prevent replication,
or at the least result in significant overheads in term of space
complexity if using replication.
Proof-labeling schemes are extremely versatile, in the
sense that they can be used to certify any distributed object
or graph property. For instance, to certify a spanning tree,
there are several proof-labeling schemes, each using cer-
tificates of logarithmic size [32,37]. Similarly, certifying a
minimum-weight spanning tree (MST) can be achieved with
certificates of size Θ(log2n)bits in n-node networks [35,37].
Moreover, proof-labeling schemes are very local, in the sense
that the verification procedure performs in just one round of
communication, with each node accepting or rejecting based
solely on its certificate and the certificates of its neighbors.
However, this versatility and locality comes with a cost. For
instance, certifying rather simple graph property, such as cer-
tifying that each node holds the value of the diameter of the
network, requires certificates of
Ω(n)bits [13].2There are
properties that require even larger certificates. For instance,
certifying that the network is not 3-colorable, or certifying
that the network has a non-trivial automorphism both require
certificates of
Ω(n2)bits [30]. The good news though is that
all distributed objects (and graph properties) can be certified
using certificates of O(n2+kn)bits, which is the number of
bits needed to store the entire n-node graph with k-bit node
labels—see [30,37].
Several attempts have been made to make proof-labeling
schemes more efficient. For instance, it was shown in [24]
that randomization helps a lot in terms of communication
costs, typically by hashing the certificates, but this might
actually come at the price of dramatically increasing the
certificate size. Sophisticated deterministic and efficient solu-
tions have also been provided for reducing the size of the
certificates, but they are targeting specific structures only,
2The O-tilde notation
O(f(n)) is similar to the big-Onotation
O(f(n)), but ignores factors which are poly-logarithmic in f(n).
such as MST [36]. Another direction for reducing the size of
the certificates consists of relaxing the decision mechanism
to be some function of the local outputs (not necessarily a
conjunction), and allowing each node to output more than
just a single bit (accept or reject) [4,5]. For instance, cer-
tifying cycle-freeness simply requires certificates of O(1)
bits with just 2-bit output, while certifying cycle-freeness
requires certificates of Ω(log n)bits with 1-bit output [37].
However, this relaxation assumes the existence of a central-
ized entity gathering the outputs from the nodes, and there
are still network predicates that require certificates of
Ω(n2)
bits even under this relaxation. Another notable approach is
using approximation [13], which reduces, e.g., the certificate
size for certifying the diameter of the graph from Ω(n)down
to O(log n), but at the cost of only determining if the given
value is up to two times the real diameter.
In this paper, we aim at designing deterministic and
generic ways for reducing the certificate size of proof-
labeling schemes. This is achieved by following the guide-
lines of [41], that is, trading time for space by exploiting the
inherent redundancy in distributed proofs. We focus only on
questions regarding the existence of proof-labeling schemes,
and give upper and lower bounds on their sizes. While some
of our techniques, such as randomized proofs of existence
of some efficient schemes, seem to point to specific ways of
implementation, we leave the design for efficient algorithms
for constructing the labels as an intriguing open question.
1.2 Our results
As mentioned above, proof-labeling schemes include a
verification procedure consisting of a single round of com-
munication. In a nutshell, we prove that using more rounds
of communication for verifying the distributed proof enables
one to reduce significantly the size of the certificates, often by
a factor super-linear in the number of rounds, and sometimes
even exponential.
More specifically, a proof-labeling scheme of radius t
(where tcan depend on the size of the input graph) is a
proof-labeling scheme where the verification procedure per-
forms trounds, instead of just one round as in classical
proof-labeling schemes. We may expect that proof-labeling
schemes of radius tshould help reduce the size of the cer-
tificates. This expectation is based on the intuition that the
verification of classical (radius-1) proof-labeling schemes is
done by comparing certificates of neighboring nodes or com-
puting some function of them, and accepting only if they are
consistent with one another (in a sense that depends on the
scheme). If the certificates are poorly correlated, then allow-
ing more rounds for the verification should not be of much
help as, with a k-bit certificate per node, the global proof has
kn bits in total in n-node graphs, leaving little freedom for
reorganizing the assignment of these kn bits to the nnodes.
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Redundancy in distributed proofs 115
Perhaps surprisingly, we show that distributed proofs do not
only involve partially redundant certificates, but inherently
highly redundant certificates, which enables one to reduce
their size significantly when more rounds are allowed. To cap-
ture this phenomenon, we say that a proof-labeling scheme
scales with scaling factor f(t)if its size can be reduced
by a factor Ω( f(t)) when using a t-round verification pro-
cedure; we say that the scheme weakly scales with scaling
factor f(t)if the scaling factor is Ω( f(t)/ poly log n)in
n-node networks.
Our results can be split into three classes, as follows.
All schemes, specific graphs. In Sect. 3, we prove that, in
trees and other graph classes including e.g. grids, all proof-
labeling schemes scale, with scaling factor tfor t-round
verification procedures. In other words, for every Boolean
predicate Pon labeled trees (that is, trees whose every node
is assigned a label, i.e., a binary string), if Phas a proof-
labeling scheme with certificates of kbits, for some k≥0,
then Phas a proof-labeling scheme of radius twith cer-
tificates of O(k/t)bits, for all t≥1. See Theorem 2and
Corolary 1.
Specific families of schemes, all graphs. While the above
results are restricted to specific families of graphs, in Sect. 4
we study general graphs, restricting our attention to spe-
cific families of proof-labeling schemes. We prove that, in
any graph, uniform parts of proof-labeling schemes weakly
scale in an growth-dependent manner, which could be much
faster than linear. More precisely, for every Boolean predi-
cate Pon labeled graphs, if Phas a proof-labeling scheme
such that kbits are identical in all certificates, then the part
with these kbits weakly scales in proportion to the num-
ber of nodes in a ball in the graph: it can be reduced into
roughly
O(k/b(t)) bits by using a proof-labeling scheme
of radius t, where b(t)denotes the size of the smallest ball
of radius tin the actual graph. Therefore, in graphs whose
neighborhoods increase polynomially, or even exponentially
with their radius, the benefit in terms of space-complexity of
using a proof-labeling scheme with radius tcan be enormous.
This result is of particular interest for the so-called universal
proof-labeling scheme, in which every node is given the full
n2-bit adjacency matrix of the graph as part of its certificate,
along with the O(log n)-bit index of that node in the matrix.
See Theorem 3and Corollary 2.
Specific predicates, all graphs. We complement these results
of scaling for general predicates with results regarding
scaling for some concrete predicates. We address classical
Boolean predicates on labeled graphs, including spanning
tree, minimum-weight spanning tree, diameter, and addi-
tive spanners. In Sect. 5, we show that the certificate sizes
of proof-labeling schemes for diameter and spanners pred-
icates weakly scale linearly on general graphs, and cannot
be scaled better. See Theorems 4and 5. In Sect. 6,we
study the classical predicates of spanning tree and mini-
mum spanning tree—for both, we present proof-labeling
schemes that scale linearly, and in the minimum spanning
tree case, this bridges the gap between two known schemes:
a distance-1 O(log2n)-bit scheme [36], and a distance-
O(log n)O(log n)-bit scheme [35,36]. See Theorem 6and
7.
1.3 Our techniques
Our proof-labeling schemes demonstrate that if we allow t
rounds of verification, it is enough to keep only a small por-
tion of the certificates, while all the rest are redundant. In a
path, it is enough to keep only two consecutive certificates out
of every t: two nodes with t−2 missing certificates between
them can try all the possible assignments for the missing cer-
tificates, and accept only if such an assignment exists. This
reduces the average certificate size; to reduce the maximal
size, we split the remaining certificates equally among the
certificate-less nodes. This idea is extended to trees and grids,
and is at the heart of the proof-labeling schemes presented in
Sect. 3.
On general graphs, we cannot omit certificates from some
nodes and let the others check all the options for missing cer-
tificates in a similar manner. This is because, for our approach
to apply, the parts of missing certificates must be isolated by
nodes with certificates. That is, when removing the nodes
with certificates from the graph, what remains should con-
sists only of small connected components. However, if all
the certificates are essentially the same, as in the case of the
universal scheme, we can simply keep each part of the cer-
tificate at some random node,3making sure that each node
has all parts in its radius-tneighborhood. A similar, yet more
involved idea, applies when the certificates are distances, e.g.,
when the predicate to check is the diameter, and the certifi-
cate of a node contains in a radius-1 proof-labeling scheme
its distances to all other nodes. While the certificates are not
universal in this latter case, we show that it still suffices to
randomly keep parts of the distances, such that on a fixed
shortest path between every two nodes, the distance between
two certificates kept is at most t. These ideas are applied in
Sects. 4and 5.
In order to prove lower bounds on the certificate size of
proof-labeling schemes and on their scaling, we combine
several known techniques in an innovative way. A classic
lower bound technique for proof-labeling schemes is called
crossing, but this cannot be used for lower bounds higher
than logarithmic, and is not suitable for our model. A more
powerful technique is the use of nondeterministic communi-
cation complexity [13,30], which extends the technique used
for the congest model [1,28]. In these bounds, the nodes are
3All our proof-labeling schemes are deterministic, but we use the prob-
abilistic method for proving the existence of some of them.
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
116 L. Feuilloley et al.
partitioned between two players, who simulate the verifica-
tion procedure in order to solve a communication complexity
problem, and communicate whenever a message is sent over
the edges of the cut between their nodes. When proving lower
bounds for proof-labeling schemes, the nondeterminism is
used to define the certificates: a nondeterministic string for
a communication complexity problem can be understood as
a certificate, and, when the players simulate verification on
a graph, they interpret their nondeterministic strings as node
certificates.
However, even this technique does not seem to be powerful
enough to prove lower bounds for our model, due to the mul-
tiple rounds verification. When splitting the nodes between
the two players, the first round of verification only depends
on the certificates of the nodes touching the cut, but arguing
about the other verification rounds seems much harder. To
overcome this problem, we use a different style of simulation
argument, where the node partition is not fixed but evolves
over time [16,17,44]. More specifically, while there are sets
of nodes which are simulated explicitly by either of the two
players during the trounds, the nodes in the paths connecting
these sets are simulated in a decremental manner: both play-
ers start by simulating all these nodes, and then simulate less
and less nodes as time passes. After the players communicate
the certificates of the nodes along the paths at the beginning,
they can simulate the verification process without any further
communication. In this way, we are able to adapt some tech-
niques used for the congest model (that is a model where
one has to cope with bandwidth restrictions) to our model,
even though proof-labeling schemes are a computing model
that is much more similar to the local model [43] (where
there is no bandwidth restriction).
1.4 Previous work
The mechanism considered in this paper for certifying dis-
tributed objects and predicates on labeled graphs has at
least three variants. The original proof-labeling schemes,
as defined in [37], assume that nodes exchange solely their
certificates between neighbors during the verification proce-
dure. Instead, the variant called locally checkable proofs [30]
imposes no restrictions on the type of information that can
be exchanged between neighbors during the verification pro-
cedure. In fact, they can exchange their full labels and local
views of the graph, which makes the design of lower bounds
far more complex. There is a third variant, called nondeter-
ministic local decision [23], which prevents using the actual
identities of the nodes in the certificates. That is, the certifi-
cate must be oblivious to the assignment of identifiers to the
nodes. This latter mechanism is weaker than proof-labeling
schemes and locally checkable proofs, as there are graph
predicates that cannot be certified in this manner. For exam-
ple, the certificates can not indicate a unique leader without
using the identities. Note that if the certificates contain some
artificial assignment of identities, the nodes must verify their
uniqueness, which in turn, is impossible without using the
unique node identifiers. However, all predicates on labeled
graphs can be certified by allowing randomization [23], or
by allowing just one alternation of quantifiers (the analog of
Π2in the polynomial hierarchy) [8]. A recent line of work
studies a distributed variant of interactive proofs [15,33,40].
Our work focuses on the second model, of locally check-
able proofs. However, for consistency with previous literature
on scaling [41], we stick to the name proof-labeling schemes.
Note that the main difference is the use of node identifiers,
and when the certificates are of size Ω(log n), the prover can
add the idbandwidth restrictionentifiers to the certificates,
making the models equivalent.
Our work was inspired by [41], which aims at reducing the
size of the certificates by trading time for space, i.e., allowing
the verification procedure to take trounds, for a non-constant
t, in order to reduce the certificate size. They show a tradeoff
of this kind for example for proving the acyclicity of the input
graph. The results in [36] were another source of inspiration,
as it is shown that, by allowing O(log2n)rounds of commu-
nication, one can verify MST using certificates of O(log n)
bits. In fact, [36] even describe an entire self-stabilizing algo-
rithm for MST construction based on this mechanism for
verifying MST.
In [20], the authors generalized the study of the class
log-LCP introduced in [30], consisting of network proper-
ties verifiable with certificates of O(log n)bits, to present a
whole local hierarchy inspired by the polynomial hierarchy.
For instance, it is shown that MST is at the second level of that
hierarchy, and that there are network properties outside the
hierarchy. In [42], the effect of sending different messages
to different neighbors on the communication complexity of
verification is analyzed. The impact of the number of errors
on the ability to detect the illegality of a object w.r.t. a given
predicate is studied in [19]. The notion of approximate proof-
labeling schemes was investigated in [13], and the impact of
randomization on communication complexity of verification
has been studied in [24].
Finally, verification mechanisms a la proof-labeling
schemes were used in other contexts, including the congested
clique [34], wait-free computing [26], failure detectors [27],
anonymous networks [22], and mobile computing [9,25]. For
more references to work related to distributed verification, or
distributed decision in general, see the survey [18]. To our
knowledge, the aforementioned works [36,41] are the only
prior works studying tradeoffs between time and certificate
size.
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Redundancy in distributed proofs 117
2 Model and notations
Adistributed network is modeled as a graph composed of
nodes connected by edges, where the nodes represent proces-
sors and each edge represents a communication link. Each
node has a unique identity number (henceforth, ID). The
edges are undirected and the communication on each edge is
bidirectional. The nodes communicate synchronously over
the edges, i.e., a computation starts simultaneously in all
nodes and proceeds in discrete rounds. In each round, each
node sends messages to its neighbors, receives messages
from its neighbors, and performs a local computation. Nodes
are allowed to perform arbitrarily heavy local computations,
and these are not taken into account in the complexity of
the distributed computations in this model. Nevertheless, in
this work, the running time of local computations is at most
polynomial in the size of the input. The running time of a
distributed algorithm is defined to be the number of commu-
nication rounds.
A labeled graph is a pair (G,x)where G=(V,E)is a
connected simple graph, and x:V→{0,1}∗is a function
assigning a bit-string, called a label, to every node of G.
When discussing a weighted n-node graph G, we assume
G=(V,E,w), where w:E→[1,nc]for a fixed c≥
1, so w(e)can be encoded on O(log n)bits. An identity-
assignment to a graph Gis an assignment ID :V→[1,nc],
for some fixed c≥1, of distinct identities to the nodes.
A distributed decision algorithm is an algorithm in which
every node outputs accept or reject. We say that such an
algorithm accepts if and only if every node outputs accept.
Given a finite collection Gof labeled graphs, we con-
sider a Boolean predicate Pon every labeled graph in G
(which may even depend on the identities assigned to the
nodes). For instance, aut is the predicate on graphs stat-
ing that there exists a non-trivial automorphism of the graph
(Recall that an automorphism of a graph is permutation σ
of the nodes, such that for all pair of nodes u,v,(u,v) is an
edge if and only if (σ (u), σ (v)) is an edge, and that it is non-
trivial if the permutation is not the identity.) Similarly, for any
weighted graph with identity-assignment ID, the predicate
mst on (G,x,ID)states whether x(v) =ID(v)for some
v∈N[v]4for every v∈V(G), and whether the collection
of edges {{v, x(v)},v ∈V(G)}forms a minimum-weight
spanning tree of G.
Definition 1 A proof-labeling scheme for a predicate Pis a
pair (p,v), where
–p, called prover, is an oracle that assigns a bit-string called
acertificate to every node of every labeled graph (G,x)∈
4In a graph, N(v) denotes the set of neighbors of node v,andN[v]=
N(v) ∪{v}.
G, potentially using the identities assigned to the nodes,
and
–v, called verifier, is a distributed decision algorithm such
that, for every (G,x)∈G, and for every identity assign-
ment ID to the nodes of G,
⎧
⎪
⎪
⎨
⎪
⎪
⎩
(G,x,ID)satisfies P
⇒ v◦p(G,x,ID)=accept;
(G,x,ID)does not satisfy P
⇒ for every prover p,v◦p(G,x,ID)=reject;
here, v◦pis the output of the verifier von the certificates
assigned to the nodes by p. That is, if (G,x,ID)satisfies P,
then, with the certificates assigned to the nodes by the prover
p, the verifier accepts at all nodes. Instead, if (G,x,ID)does
not satisfy P, then, whatever certificates are assigned to the
nodes, the verifier rejects in at least one node. We emphasize
that in this work, the verifier is always deterministic.
The radius of a proof-labeling scheme (p,v)is defined
as the maximum number of rounds of the verifier vin the
local model [43], over all identity-assignments to all the
instances in G, and all arbitrary certificates. It is denoted by
radius(p,v). Often in this paper, the phrase proof-labeling
scheme is abbreviated to PLS, while a proof-labeling scheme
of radius t≥1 is abbreviated to t-PLS. Note that, in a t-
PLS, one can assume, w.l.o.g., that the verification procedure,
which is given tas input to every node, proceeds at each
node in two phases: (1) collecting all the data (i.e., labels
and certificates) from nodes at distance at most t, including
the structure of the ball of radius taround that node, and
(2) processing all the information for producing a verdict,
either accept or reject. Note that, while the examples in this
paper are of highly uniform graphs, and thus the structure
of the t-balls might be known to the nodes in advance, our
scaling mechanisms work for arbitrary graphs.
Given an instance (G,x,ID)satisfying P, we denote
by p(G,x,ID,v) the certificate assigned by the prover
pto node v∈V, and by |p(G,x,ID,v)|its size. We
also let |p(G,x,ID)|=maxv∈V(G)|p(G,x,ID,v)|.The
certificate-size of a proof-labeling scheme (p,v)for P
in G, denoted size(p,v), is defined as the maximum of
|p(G,x,ID)|, taken over all instances (G,x,ID)satisfy-
ing P, where (G,x)∈G. In the following, we focus on the
graph families Gnof connected simple graphs with nnodes,
n≥1. That is, the size of a proof-labeling scheme is system-
atically expressed as a function of the number nof nodes. For
the sake of simplifying the presentation, the graph family Gn
is omitted from the notations.
The minimum certificate size of a t-PLS for the predicate
Pon n-node labeled graphs is denoted by size-pls(P,t), that
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
118 L. Feuilloley et al.
is,
size-pls(P,t)=min
radius(p,v)≤t
size(p,v).
We also denote by size-pls(P)the size of a standard (radius-
1) proof-labeling scheme for P, that is, size-pls(P)=
size-pls(P,1). For instance, it is known that size-pls(mst)=
Θ(log2n)bits [35,37], and that size-pls(aut)=
Ω(n2)bits
[30]. More generally, for every decidable predicate P,we
have size-pls(P)=O(n2+nk)bits [30] whenever the input
labels are of kbits, and size-pls(P,D)=0 for graphs of
diameter Dbecause the verifier can gather all labels, and all
edges at every node in Drounds.
Definition 2 Let I⊆N+, and let f:I→N+.LetPbe a
Boolean predicate on labeled graphs.
Aset(pt,vt)t∈Iof proof-labeling schemes for P, with
respective radius t≥1, scales with scaling factor fon Iif
size(pt,vt)=O1
f(t)·size-pls(P)bits for every t∈I.
The set (pt,vt)t∈Iweakly scales with scaling factor fon
Iif size(pt,vt)=Opoly log n
f(t)·size-pls(P)bits for every
t∈I.
In the following, somewhat abusing terminology, we shall
say that a proof-labeling scheme (weakly) scales while, for-
mally, it should be a set of proof-labeling schemes that scales.
Remark 1 At first glance, it may seem that no proof-labeling
scheme can scale more than linearly, i.e., one may be tempted
to claim that for every predicate Pwe have size-pls(P,t)=
Ω1
t·size-pls(P). The rationale for such a claim is that,
given a proof-labeling scheme (pt,vt)for P, with radius t
and size-pls(P,t), one can construct a proof-labeling scheme
(p,v)for Pwith radius 1 as follows: the certificate of every
node vis the collection of certificates assigned by ptto the
nodes in the ball of radius tcentered at v; the verifier vthen
simulates the execution of vton these certificates. In paths
or cycles, the certificates resulting from this construction are
of size O(t·size-pls(P,t)), from which it follows that no
proof-labeling scheme can scale more than linearly. There
are several flaws in this reasoning, which actually make it
erroneous.
First, it might be the case that degree-2 graphs are not the
worst case graphs for the predicate P; for instance, if the pred-
icate Prequires large certificates only on degree-3 graphs,
then the same rational cannot rule out much better scaling, as
it only leads to size-pls(P,t)=Ω1
2t·size-pls(P). Sec-
ond, in trounds of verification every node learns not only
the certificates of its t-neighborhood, but also its structure,
which may contain valuable information for the verification;
this idea stands out when the lower bounds for size-pls(P)
(without scaling) are established using labeled graphs of con-
stant diameter, in which case there is no room for studying
how proof-labeling schemes can scale.
The take away message is that establishing lower bounds
of the type size-pls(P,t)=Ω(1
t·size-pls(P)) for twithin
some non-trivial interval requires specific proofs, which often
depend on the given predicate P.
Communication Complexity. We use results from the well
studied field of communication complexity [14,38]. In the
set-disjointness (disj) problem on kbits, each of two play-
ers, Alice and Bob, is given a k-bit string, denoted SAand
SB, respectively, as input. They aim at deciding whether there
does not exist i∈{1,...,k}such that SA[i]=SB[i]=1.
We associate sets with characteristic vectors, i.e., the set
includes all indexes ifor which S[i]=1. A standard abuse
of notation leads to the following alternative definition of this
problem. The goal in set-disjointness is to deciding whether
SA∩SB=∅. The communication complexity of a given
protocol solving disj is the number of bits Alice and Bob
must communicate, in the worst case, when using this proto-
col. The communication complexity of disj is the minimum
communication complexity of a protocol solving it.
In nondeterministic communication complexity, each of
the players receives, in addition to its input, a binary string
as a hint, which may depend on both input strings, and
the following holds. For every TRUE-instance, there exists
a hint such that the players output ‘TRUE’; and for every
FALSE-instance, for all hints, the players output ‘FALSE’.
For example, a good hint for disj, i.e., deciding whether there
exists i∈{1,...,k}such that SA[i]=SB[i]=1, is the
index iitself. Indeed, if one of the two players receives ias
a hint, he or she can send it to the other player, and they both
check that SA[i]=1 and SB[i]=1.
The communication complexity of a nondeterministic
protocol for disj is the number of bits the players exchange on
two input strings that are disjoint, in the worst case, when they
are given optimal nondeterministic strings. The nondeter-
ministic communication complexity of disj is the minimum,
among all nondeterministic protocols for disj, of the commu-
nication complexity of that protocol. The following theorem
holds. The nondeterministic communication complexity of
disj is known to be Ω(k), as a consequence of, e.g., Exam-
ple 1.23 and Definition 2.3 in [38].
Theorem 1 The nondeterministic communication complex-
ity of disj is Ω(k).
3 All proof-labeling schemes scale linearly in
trees
This section is entirely dedicated to the proof of one of our
main results, stating that every predicate on labeled trees has
a proof that scales linearly. Further in the section, we also
show how to extend this result to cycles and to grids, and,
more generally, to multi-dimensional grids and toruses.
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Redundancy in distributed proofs 119
Fig. 1 Tree decomposition for t=6(i.e.,h=3). Black nodes are
border nodes, the gray node is an extra-border node, and white nodes
are standard nodes. Note that v1is not a border node since the depth of
itssubtreeis1<h−1. The domains are marked with dashed frames
3.1 Linear scaling for trees
Theorem 2 Let Pbe a predicate on labeled trees. Then
size-pls(P,t)=Osize(P)
t.
Remark 2 Here and in other places in the paper, we use ceil-
ings in the asymptotics, because the size of the certificates
needs to be at least one bit.
The rest of this subsection is dedicated to the proof of
Theorem 2. So, let Pbe a predicate on labeled trees, and let
(p,v)be a proof-labeling scheme for Pwith size(p,v)=k.
First, note that we can restrict attention to trees with diameter
>t. Indeed, predicates on labeled trees with diameter ≤t
are easy to verify since every node can gather the input of the
entire tree in trounds. More precisely, if we have a scheme
that works for trees with diameter >t, then we can trivially
design a scheme that applies to all trees, by adding a single bit
to the certificates, indicating whether the tree is of diameter
at most tor not.
The certificate assignment in our scaling scheme is based
on a specific decomposition of given tree T.
Tree decomposition.
A key tool in the proof is a decomposition of the tree. It
is defined the following way.
Definition 3 Let Tbeatreeofdiameter>t, and let
h=t/2.
The tree Tis rooted at some node r. A node usuch that
distT(r,u)≡0(mod h),
and upossesses a subtree of depth at least h−1 is called a
border node. Similarly, a node usuch that
distT(r,u)≡−1(mod h),
and upossesses a subtree of depth at least h−1 is called an
extra-border node. A node that is a border or an extra-border
node is called a special node. All other nodes are standard
nodes. For every border node v, we define the domain of vas
the set of nodes in the subtree rooted at vbut not in subtrees
rooted at border nodes that are descendants of v.
Figure 1illustrates of the tree decomposition, and can also
serve as intuition for the following lemma.
Lemma 1 1. The domains form a partition of the nodes in
the tree T .
2. Every domain forms a tree rooted at a border node, with
depth in the range [h−1,2h−1].
3. Two adjacent nodes of T are in different domains if and
only if they are both special.
Proof Let us first prove the first item. On the one hand, every
node belongs to a domain. This is because every node has
at least one border ancestor, since the root is a border node.
Indeed, the root rhas depth 0, and the diameter of Tis at least
t+1, which implies that rnecessarily possesses a subtree of
depth at least h−1. On the other hand, every node ubelongs
to a unique domain. This is simply because the closest border
ancestor of uis uniquely defined.
To establish second item, we consider the domain of a
border node u. Note that, for any node vin the domain of u,
vis a descendent of uin T, and all the nodes in the shortest
path between uand vare also in the domain of u. Thus the
domain of uis indeed a tree rooted at u. The depth of a
domain is at least h−1. Indeed, if the subtree rooted at uhas
depth <h−1, then, by definition, uis not special. It remains
to show that the depth of a domain is at most 2h−1. Let us
assume for the purpose of contradiction that the depth dof
the domain of usatisfies d>2h−1. Then there exists a path
of length at least 2hstarting at u, and going downward the
tree for reaching a leaf vof this domain. Then let us consider
the node uof that path which is at distance hfrom u. Node
uis not a border node, since otherwise vwould not be in
domain of ubut in the domain of u. However, node uis a
border node as its depth is 0 modulo k, and it has a subtree of
depth at least d−h>h−1. This contradiction completes
the proof of item 2.
Finally, for establishing the third item, let us consider an
edge {u,v}in the tree T, and let us assume, w.l.o.g., that u
is the parent of vin T. By construction, there can be three
cases only. If neither of the two nodes uand vis a border
node, then both belong to the same domain, as they have the
same closest border ancestor. If uis a border node, and vis
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
120 L. Feuilloley et al.
a standard node, then vis in the domain of u. Finally, if vis
a border node, then necessarily uis an extra-border node, in
which case uand vdo not belong to the same domain since
vis in its own domain, while ucannot belong to the domain
of v. Therefore, Item 3 holds in these three cases.
Verifying the decomposition.
The certificates of the radius-tproof-labeling scheme con-
tain a 2-bit field indicating to each node whether it is a root,
border, extra-border, or standard node. Let us show that this
part of the certificate can be verified in trounds. The prover
orients the edges of the tree towards the root r.
Such an orientation can be given to the edges of a tree
by assigning to each node its distance to the root, modulo 3.
The assumption is that every edge is oriented from dto d−1
mod 3. Hence, a node with distance d, is either the root, and
then and all of its neighbors are at distance d+1 mod 3,
or it has exactly one neighbor with distance d−1mod3
which is its parent in the tree. These distances can obviously
be checked locally, in just one round. So, in the remaining
of the proof, we assume that the nodes are given this orien-
tation upward the tree. The following lemma proves that the
decomposition into border, extra-border, and standard nodes
can be checked in trounds.
Lemma 2 Given a set of nodes marked as border, extra-
border, or standard in an oriented tree, there is a verification
protocol that checks whether the marking corresponds to a
tree decomposition (as in Definition 3), in 2h<t rounds.
Proof The checking procedure proceeds as follows. The root
rchecks that it is a border node. Every border node checks
that its subtree truncated at depth 2hfits with the decompo-
sition. That is, it checks that: (1) no nodes in its subtree are
border nodes except nodes at depth hand 2h, (2) no nodes in
its subtree are extra-border nodes except nodes at depth h−1
and 2h−1, and (3) the nodes in its subtree that are special at
depth h−1 and hdo have a subtree of depth at least h−1.
By construction, this procedure accepts any marking which
is correct with respect to the decomposition rule.
Conversely, let us suppose that the algorithm accepts a
marking of the nodes. We prove that this marking is neces-
sarily correct. We proceed by induction on the depth of the
nodes. At the root, the verifier checks that ris special as a
border node, and it checks that the domain of ris correctly
marked. In particular, it checks that the nodes of depth hthat
are not in its domain are properly marked as border nodes. So,
the base of the induction holds. Now, assume that, for α≥0,
all the domains whose border nodes stand at depth at most
αhare properly marked. The fact that the border nodes at
depth αhaccept implies that all the nodes at depth (α +1)h
that are not in the domain of the border nodes at depth αhare
properly marked. These nodes verify their own domains, as
well as all the domains down to depths (α +1)h, are all cor-
rect. Since none of these nodes reject, it follows that all the
domains whose border nodes stand at depth at most (α +1)h
are properly marked. This completes the induction step, and
hence the proof of the lemma.
We are now ready to describe the radius-tproof-labeling
scheme for an arbitrary predicate. From Lemma 2(and the
paragraph above it that defines the decomposition), we can
assume that the nodes are correctly marked as root, border,
extra-border, and standard, with a consistent orientation of
the edges towards the root.
The radius-t proof-labeling scheme.
We are considering the arbitrarily given predicate Pon
labeled trees, with its proof-labeling scheme (p,v)using
certificates of size kbits. Before reducing the size of the cer-
tificates to O(k/t)by communicating at radius t, we describe
a proof-labeling scheme at radius twhich still uses large cer-
tificates, of size O(k), but stored at a few nodes only, with
all other nodes storing no certificates.
Lemma 3 There exists a radius-t proof-labeling scheme for
P, in which the prover assigns certificates to special nodes
only, and these certificates have size O(k).
Proof On legally labeled trees, the prover provides every spe-
cial node (i.e., every border or extra-border node) with the
same certificate as the one provided by p. All other nodes are
provided with no certificates.
On arbitrary labeled trees, the verifier is active at border
nodes only, and all non-border nodes systematically accept
(in zero rounds). At a border node v, the verifier first gathers
all information at radius 2h. This includes all the labels of
the nodes in its domain, and of the nodes that are neighbors
to a node in its domain. Then vchecks whether there exists
an assignment of k-bit certificates to the standard nodes in its
domain that results in vaccepting at every node in its domain.
If this is the case, then vaccepts, else it rejects. There is a
subtle point worth to be mentioned here. The value of kmay
actually depend on n, which is not necessarily known to the
nodes. Nevertheless, this can be easily fixed as follows. The t-
PLS prover is required to provide all nodes with certificates of
the same size (the fact that all certificates have identical size
can trivially be checked in just one round). Then kis simply
inferred from the certificate size in the t-PLS, by multiplying
this size by t, whose value is, as specified in Sect. 2,given
as input to each node.
Note that, as every border node vhas a complete view
of its whole domain, and of the nodes at distance 1 from its
domain, vconsiders all the nodes that are used by vexecuted
at the nodes of its domain. Also note that the execution of
vat nodes in the domain of vconcerns only nodes that are
either in the domain of v, or are special. This follows from
the third item in Lemma 1. Thus no two border nodes will
simulate the assignment of certificates to the same node.
We now prove that, in an oriented marked tree, this scheme
is correct.
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Redundancy in distributed proofs 121
– Assume first that the labeled tree satisfies the predicate
P. Giving to the special nodes the certificates as assigned
by p, all the border nodes will be able to find a proper
assignment of the certificates for the standard nodes in
their domain so that vaccepts at all these nodes, since,
as the labeled tree satisfies the predicate P, there must
exists at least one. This leads every node to accept.
– Suppose now that every border node accepts. It follows
that, for every border node, there is an assignment of
certificates to the nodes in its domain such that vaccepts
these certificates at every node. The union of these partial
assignments of certificates defines a certificate assign-
ment to the whole tree that is well-defined according to
the first item of Lemma 1. At every node, vaccepts since
it has the same view as in the simulation performed by the
border nodes in their respective domains. Thus vaccepts
at every node of T, and therefore it follows that the labeled
tree satisfies P.
Lemma 3basically states that there is a radius-tproof-
labeling scheme in which the prover can give certificates
to special nodes only. We now show how to spread out the
certificates of the border and extra-border nodes to obtain
smaller certificates. The following lemma is the main tool
for doing so. As this lemma is also used further in the paper,
we provide a generalized version of its statement, and we
later show how to adapt it to the setting of the current proof.
We say that a local algorithm Arecovers an assignment of
certificates provided by some prover qfrom an assignment
of certificates provided by another prover qif, given the
certificates assigned by qas input to the nodes, Aallows
every node to output its certificate such as assigned by q.We
define a special prover as a prover which assigns certificates
only to the special nodes, all other nodes being given empty
certificates.
Lemma 4 For every prover q, there exists a local algorithm
Aand a prover qsatisfying the following. For every s ≥1,
for every oriented marked tree T of depth at least s, and for
every assignment of b-bit labels provided by qto the nodes of
T , there exists assignment of O(b/s)-bit labels provided
by qto the nodes of T such that Arecovers qfrom qin s
rounds.
Proof We first describe the prover q. For each special node
v, let us partition the certificate q(v) assigned to node vby
the special prover qinto sparts of size at most b/s. Then
one picks an arbitrary path starting from v, of length s−1,
going downward the tree. Note that such a path exists by
definition of border and extra-border nodes. For every i∈
{0,...,s−1},theith part of the certificate q(v) is assigned to
the ith node of that path as its certificate in q. As such, every
Fig. 2 Cycle decomposition for t=6(i.e.,h=3). Black nodes are
border nodes, gray nodes are extra-border nodes, and white nodes are
standard nodes. Note that v1is not a border node since the number of
nodes between v1and rin the oriented cycle is 1 <h−1, and v2is an
extra-border node since this is the farthest node from rin the oriented
cycle. The domains are marked with dashed frames
node is given at most two parts of the initial certificates, as the
paths starting at each of the border nodes are non intersecting,
and the paths starting at each of the extra-border nodes are
non intersecting as well. To recover the original certificates,
for every special node v, the algorithm Asimply inspects the
tree at distance s−1 downward, for gathering all the parts
of the initial certificate q(v) of v. Then vconcatenates these
parts, and voutputs the resulting certificate. All other nodes
output a certificate formed by the empty string.
We have now all the ingredients to prove Theorem 2.
Proof of Theorem 2.
In the radius-tproof-labeling scheme, the prover chooses
a root and an orientation of the tree T, and provides every
node with a counter modulo 3 in its certificate allowing the
nodes to check the consistency of the orientation. Then the
prover constructs a tree decomposition of the rooted tree, and
provides every node with its type (root, border, extra-border,
or standard) in its certificates. Applying Lemmas 3and 4
, the prover spreads the certificates assigned to the special
nodes by p. Every node will get at most two parts, because
only the paths associated to a border node and to its parent (an
extra-border node) can intersect. Overall, the certificates have
size O(k/h)=O(k/t). The verifier checks the orientation
and the marking, then recovers the certificates of the special
nodes, as in Lemma 4, and performs the simulation as in
Lemma 3. This verification can be done with a view of radius
t≤2h, yielding the desired radius-tproof labeling scheme.
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
122 L. Feuilloley et al.
3.2 Linear scaling in cycles and grids
For the proof techniques of Theorem 2to apply to other
graphs, we need to compute a partition of the nodes into
the two categories, special and standard, satisfying three
main properties. First, the partition should split the graph
into regions formed by standard nodes, separated by special
nodes. Second, each region should have a diameter small
enough for allowing special nodes at the border of the region
to simulate the standard nodes in that region, as in Lemma 3.
Third, the regions should have a diameter large enough to
allow efficient spreading of certificates assigned to special
nodes over the standard nodes, as in Lemma 4. For any graph
family in which one can define such a decomposition, an ana-
logue of Theorem 2holds. We show that this is the case for
cycles and grids.
Corollary 1 Let Pbe a predicate on labeled cycles. If there
exists a (radius-1) proof-labeling scheme (p,v)for Pwith
size(p,v)=k, then size-pls(P,t)=Ok
t. The same
holds for predicates on 2-dimensional labeled grids.
See Fig. 2for an example of cycle decomposition. The
idea is to orient the cycle edges in a consistent way, starting
from an arbitrary node r. The partition to domains is exactly
as in a tree, while ignoring the last oriented edge that closes
the cycle with r(e.g., the edge (v2,r)in Fig. 2). The only
difference from a tree is that the farthest node from rin the
oriented cycle (v2in Fig. 2) must be an extra-border node in
order to make a proper partition in which there are two spacial
nodes on every boundary. Also, see Fig. 3for an example of
grid decomposition.
Proof of Corollary 1.We just explain how the proof of Theo-
rem 2can be adapted to apply for cycles and grids.
For every labeled cycle, the prover picks an arbitrary node
r, which will play the same role as the root chosen in the
proof of Theorem 2, and an orientation of the cycle pointing
toward r. The chosen node is called leader.Leth=t/2.
The prover marks as border node every node usuch that
dist(r,u)≡0(mod h), where the distance is taken in the
oriented cycle. Similarly, the prover marks as extra-border
node every node usuch that dist(r,u)≡−1(mod h). Note
that the border and extra-border nodes that are the furthest
away from the leader by the orientation may actually be close
to the leader in the undirected cycle. As this may cause dif-
ficulties for spreading the certificates, the prover does not
mark them, and keep these nodes standard. The domain of a
border node is defined in a way similar to trees. The leader,
the orientation, and the marking can be checked in a way
similar to the proof of Lemma 2. In particular, observe that
the size of each domain is at most t. The marking separates
the graph into independent domains that can be simulated in
parallel as in Lemma 3. The diameter of each domain is at
least t/2 which allows one to do the spreading as in Lemma 4,
resulting in certificates of size O(k/t).
For every labeled grid, the prover provides the edges with
north-south and east-west orientations, using two counters
modulo 3. In a grid p×qwith n=pq nodes, this orien-
tation induces a coordinate system with edges directed from
(0,0), defined as the south-west corner, to (p,q), defined
as the north-east corner. The leader is the node at position
(0,0).Leth=t/4. The partition of the nodes is as fol-
lows. Every node with coordinate (x,y)where both xand
Fig. 3 Grid decomposition for
t=16 (i.e., h=4). Black
nodes are border nodes, gray
nodes are extra-border nodes,
and white nodes are standard
nodes. The domains are marked
with dashed frames
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Redundancy in distributed proofs 123
yare 0 modulo hare the border nodes. Non-border nodes
with coordinate (x,y)where xor yequals 0 or −1 modulo h
are extra-border nodes. Now, as for cycles, we slightly mod-
ify that decomposition for avoiding domains with too small
diameter. Specifically, north-most border and extra-border
nodes, and the east-most border and extra-border nodes are
turned back to standard nodes. The domain of a border node
is composed of all nodes with larger x-coordinate and larger
y-coordinates for which there are no closer border node in
the oriented grid. Using the same technique as in the proof of
Lemma 2, this partition of the nodes can be checked locally.
The simulation as performed in the proof of Lemma 3can be
performed similarly using that decomposition, because the
domains have diameter at most t, and are well separated by
special nodes. Finally, the spreading of the certificates as in
Lemma 4can be done in the following way. For every special
node (x,y)where xequals 0 or −1 modulo h, the certificate
is spread over the h−1 nodes to the east. For every special
node (x,y)where yequals 0 or −1 modulo h, the certificate
is spread over the h−1 nodes to the north. Note that there is
always enough space to the east or to the north of the special
nodes as we have removed the special nodes that could be
too close to the east and north borders. Also note that some
node have their certificates spread in two directions, but this
does not cause problem as it just increases the size of the
certificates by a constant factor.
By the same techniques, Corollary 1can be generalized
to toroidal 2-dimensional labeled grids, as well as to d-
dimensional labeled grids and toruses, for every constant
d≥2.
4 Growth-dependent scaling of uniform
proof-labeling schemes
In Sect. 3, we presented a general tradeoff for every predi-
cate, on specific graph structures. In this section, we give
a general tradeoff on every graph structure, for specific
type of schemes. We say that a graph G=(V,E)has
growth b =b(t)if, for every v∈Vand t∈[1,D],we
have that |BG(v, t)|≥b(t). We say that a proof-labeling
scheme is uniform if the same certificate is assigned to all
nodes by the prover.
Theorem 3 Let Gbe a family of graphs with growth fac-
tor b, let Pbe a predicate on labeled graphs in G,
and let us assume that there exists a uniform 1-PLS
(p,v)for Pwith size(p,v)=k. Then, size-pls(P,t)=
O k
b(t)log nlog kfor every t for which b(t)≥log n.
The rounding up operator ·is used to indicate that the
scaling cannot reduce the logarithmic factors outside it, even
in the case k
b(t)<1.
In the proof of this theorem, we use the probabilistic
method to prove the existence of the required certificates.
However, we emphasize that the scheme is deterministic. We
will use the classic Chernoff bounds (see, e.g., [39, Chapter
4]).
Lemma 5 (Chernoff bounds) Suppose Z 1,..., Zmare inde-
pendent random variables taking values in {0,1}, and let
Z=m
i=1Zi. For every 0≤δ≤1, we have Pr[Z≤
(1−δ)EZ]≤e−1
2δ2EZ, and Pr[Z≥(1+δ)EZ]≤e−1
3δ2EZ.
Proof of Theorem 3Let (p,v)be a uniform 1-PLS for Pwith
size(p,v)=k.Lets=(s1,...,sk), where si∈{0,1}
for every i=1,...,k,bethek-bit certificate assigned to
every node of Gby the prover p.Lett≥1 be such that
k≥b(t)≥clog nfor a constant clarge enough. For every
node v∈V, set the certificate of v, denoted s(v), as follows:
for every i=1,...,k,vstores the pair (i,si)in s(v) with
probability clog n
b(t).
– On the one hand, for every v∈V,let Xvbe the ran-
dom variable equal to the number of pairs stored in s(v).
By a Chernoff bound (Lemma 5), we have Pr[Xv≥
2cklog n
b(t)]≤e
cklog n
3b(t)=n−ck
3b(t). Therefore, by union
bound, the probability that a node vstores more than
2cklog n
b(t)pairs (i,si)is at most n1−ck
3b(t), which is less
than 1
2for clarge enough.
– On the other hand, for every v∈V, and every i=
1,...,k,letYv,ibe the number of occurrences of the
pair (i,si)in the ball of radius tcentered at v. By a Cher-
noff bound (Lemma 5), we have Pr[Yv,i≤1
2clog n]≤
e−clog n
8=n−c/8. Therefore, by union bound, the prob-
ability that there exists a node v∈V, and an index
i∈{1,...,k}such that none of the nodes in the ball
of radius tcentered at vstore the pair (i,si)is at most
kn1−c/8, which is less than 1
2for clarge enough.
It follows that, for clarge enough, the probability that
each node stores O(klog n/b(t)) pairs (i,si), and every pair
(i,si)is stored in at least one node of each ball of radius t,is
positive. Note that each pair can be represented by O(log k)
bits.
Therefore, there is a way for a prover to distribute the pairs
(i,si),i=1,...,kto the nodes, such that
(1) each node stores O(klog nlog k/b(t)) bits, and
(2) every pair (i,si)appears at least once in every t-
neighborhood of each node.
In the verification procedure, each node vfirst collects all
pairs (i,si)in its t-neighborhood, then recovers s, and then
runs the verifier of the original (radius-1) proof-labeling
scheme.
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
124 L. Feuilloley et al.
Finally, we emphasize that we only use probabilistic
arguments as a way to prove the existence of certificate
assignment, but the resulting proof-labeling scheme is deter-
ministic and its correctness is not probabilistic.
Theorem 3finds direct application to the universal proof-
labeling scheme [30,37], which uses O(n2+kn)bits in
n-node graphs labeled with k-bit labels. The certificate of
each node consists of the n×nadjacency matrix of the
graph, an array of nentries each equals to the k-bit label
at the corresponding node, and an array of nentries listing
the identities of the nnodes. It was proved in [41] that the
universal proof-labeling scheme can be scaled by a factor t.
Theorem 3significantly improves that result, by showing that
the universal proof-labeling scheme can actually be scaled by
a factor b(t), which can be exponential in t.
Corollary 2 For every predicate Pon labeled graphs, there
is a proof-labeling scheme for Pas follows. For every graph
G with growth b(t),lett
0=min{t|b(t)≥log n}. Then, for
every t ≥t0we have:
size-pls(P,t)=On2+kn
b(t)log n(log n+log k).
Theorem 3is also applicable to proof-labeling schemes
where the certificates have the same sub-certificate assigned
to all nodes; in this case, the size of this common sub-
certificate can be drastically reduced by using a t-round
verification procedure. This is particularly interesting when
the size of the common sub-certificate is large compared to
the size of the rest of the certificates. An example of such a
scheme is in essence the one described in [37, Corollary 2.4]
for isok. Given a parameter k∈Ω(log n),letisokbe the
predicate on graph stating that there exist two vertex-disjoint
isomorphic induced subgraphs of size kin the given graph.
Corollary 3 For every k ∈1,n
2, we have:
size-pls(isok)=O(k2+klog n)
and
size-pls(isok)=Ω(k2).
In addition, for every t >1, we have:
size-pls(isok,t)=O k2
b(t)log2nlog log n.
Proof We first sketch a 1-PLS. Every node is given as cer-
tificate the k×kadjacency matrix of the two isomorphic
subgraphs, along with the corresponding IDs of the nodes in
the two subgraphs. The certificates also provide each node
with the ID of an arbitrary node in each subgraph, that we call
the leaders. In addition, the nodes are given certificates that
correspond to two spanning trees rooted at the two leaders.
All this requires O(k2+klog n)-bit certificates.
The verification procedure works as follows. Every node
first checks that the spanning trees structures are correct.
Then the roots of the spanning trees check that they are
marked as leader. Finally every node whose ID appears in one
of the two adjacency matrices checks that its actual neighbor-
hood corresponds to what it should be according to the given
adjacency matrices. By construction, this is a valid 1-PLS,
using certificates on O(k2+klog n)bits. A simple adapta-
tion of the proof of [30, Theorem 6.1] enables one to prove
that Ω(k2)bits are needed.
For the case of t-PLS, a direct application of Theorem 3
to the part of the certificate that is common to all nodes gives
at-PLS for isokwith certificates of size:
Ok2+klog n
b(t)log nlog(k2+klog n).
By analyzing the cases k<log nand k≥log nseparately,
the corollary follows.
5 Certifying distance-related predicates
In this section, we study two problems related to distances:
diameter and spanners. For any labeled (weighted) graph
(G,x), the predicate diam on (G,x)states whether, for every
v∈V(G),x(v) is equal to the (weighted) diameter of G.The
next theorem states that there is a proof-labeling scheme for
diam that weakly scales linearly, and that better scaling on
all graphs is not possible. Theorem 5states similar results for
spanners. It is unknown whether better scaling, and specif-
ically scaling by factor b(t), is possible for these problems
on graphs with high growth.
Theorem 4 There exists c >0such that for every t ∈
[clog n,n/log n],size-pls(diam,t)=On
tlog2n. More-
over, for every t ∈[1,n/log n],size-pls(diam,t)=
Ωn
tlog n.
The theorem follows from the next lemmas.
Lemma 6 There exists a constant c, such that for every t ∈
[clog n,n],size-pls(diam,t)=On
tlog2n.
Proof A proof-labeling scheme for diameter with optimal
certificate size Θ(nlog n)bits has been designed in [13]. We
simply use this scheme for certifying that, for every node v,
the diameter of the graph is at least x(v). Indeed, [13]uses
only O(log n)-bit certificates to certify the existence of a pair
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Redundancy in distributed proofs 125
of nodes at mutual distance at least x(v) in the graph. The rest
of the proof is dedicated to certifying that no pairs of nodes
are at distance more than x(v) in the graph, i.e., “diameter
≤x(v)”. Namely, we show how the scheme in [13] scales
with the radius of verification. For this purpose, let us briefly
recall this scheme. Each node vof a graph G=(V,E)
is provided with a certificate Dvconsisting of a table with
nentries storing the ID of every node in G, and the distance
to these nodes. (Every certificate is therefore on O(nlog n)
bits). Somewhat abusing notations, let us denote by Dv(u)
the distance to node u,asstoredintable Dv. The verification
proceeds by, first, having each node checking that it stores
the same set of IDs as the ones stored by its neighbors, and
that its own ID appears in its table. Second, each node checks
that the distances in its certificate vary as expected. That is,
each node vchecks that: (1) Dv(v) =0, (2) for every node
uand every neighbor v,Dv(u)−w({v,v})≤Dv(u)≤
Dv(u)+w({v, v}), and (3) there exists a neighbor vsuch
that Dv(u)=Dv(u)−w({v, v}). Finally, every node v
checks that Dv(u)≤x(v ) for every node u. This verification
process is correct, as shown in [13].
Now, let t≥clog nfor a constant c>0 large enough,
and let us construct a proof-labeling scheme for “diameter
≤x(v)”, with radius t. The idea is that each node vdoes not
store all entries in the table Dvbut only a fraction tof these
entries. The issue is to select which entries to keep, and which
entries to drop. For our scheme to work, we need to guarantee
that, if the distance to node uis not stored in Dv, then there
is a node von a shortest path from vto u, at distance at most
tfrom v, that stores dist(v,u)in its table Dv.
We use the randomized hitting-set technique presented in
[45], to prove the existence of a correct assignment of cer-
tificates: for every node u= v, each node vkeeps dist(v, u)
in its table Dvwith probability clog n
t. In addition, node v
systematically keeps Dv(v) =0 in its table. Note that our
scheme is deterministic, although we use the probabilistic
method to prove its existence. We derive the following two
properties.
1. For every pair of nodes (u,v), let us denote by Pv,u
the path of length tformed by the tfirst nodes on a
shortest path from vto u, and let Xv,udenote the sum
of tBernoulli random variables with parameter clog n
t.
By the use of Chernoff bounds (Lemma 5), we have
Pr[Xv,u≤1
2clog n]≤e−c
8log n=n−c/8<1
2n2for c
large enough. Therefore, by union bound, the probability
that there exists a pair of nodes (u,v)such that no nodes
of Pv,ustore the distance to node uis less than 1
2.
2. For every node v,letYvbe the number of nodes for
which vkeeps the distance these nodes. Again, by Cher-
noff bound (Lemma 5), Pr[Yv≥2cn log n
t]≤e−cnlog n
3t≤
e−clog n
3=n−c/3<1
2nfor clarge enough. Therefore,
by union bound, the probability that there exists a node
vthat stores the distances to more than 2cn log n
tnodes is
less than 1
2.
Let Ev,ube the event “at least one node of Pv,ustores its
distance to node u”, and let Evbe the event “node vstores no
more than 2cn ln n
tdistances to other nodes”. We derive from
the above that
Pr[∀(u,v) ∈V×V,Ev,u∧Ev]>0.
It follows that there exists an assignment of entries to be kept
in each table Dv,v ∈V, such that each resulting partial table
is of size Onlog2n
tbits, and, for every two nodes uand
v, at least one node at distance at most t, on a shortest path
from vto u, stores its distance to node u.
It remains to show that these sparse certificates can be
verified in trounds. Let B(v , t)be the ball of radius t
around v. Each node vverifies that, first, for every node
v∈B(v, t)such that both vand vstore the distance to
a same node u,wehave Dv(u)−dist(v, v )≤Dv(u)≤
Dv(u)+dist(v, v), and, second, for every node usuch that
vstores its distance to u, there exists a node v∈B(v, t)
such that Dv(u)=Dv(u)+dist(v, v ). Third, using the dis-
tances collected in B(v , t), node vconstructs the table D
v
where D
v(u)=Dv(u)if uis stored in Dv, and D
v(u)=
minv∈B(v,t)(Dv(u)+dist(v, v)) otherwise. Finally, node v
checks that D
v(u)≤x(v) for every node u. If all these tests
are passed, then vaccepts, otherwise it rejects.
By the setting of the partial tables Dv,v ∈V,ina
legal instance, we get that D
v(u)=dist(v, u)for every
node u, and therefore all nodes accept. Instead, if there
exists (u,v) ∈V×Vsuch that information about uis
stored in Dv,but Dv(u)= dist(u,v), then let us con-
sider such a pair (u,v) where Dv(u)is minimum. For vto
accept, there must exist some node v∈B(v, t)such that
Dv(u)=Dv(u)−dist(v, v). By the choice of the pair
(u,v),Dv(u)=dist(u,v
), and thus Dv(u)=dist(u,v),a
contradiction. Therefore vcannot exist, and thus vrejects.
It follows that this scheme is a correct t-PLS for diameter,
using On
tlog2n-bit certificates.
Lemma 7 For every t ∈[1,n/log n],size-pls(diam,t)=
Ωn
tlog n.
The proof of this lemma is based on two previous works.
First, Peleg and Rubinovich [44] proved distributed lower
bounds by a reduction to communication complexity, and
second, Abboud et al [1] gave a lower bound on the approx-
imability of the diameter, using a simpler reduction. Both
results are in the congest model. We adapt the graph con-
struction from the latter and the simulation technique from
the former, in order to prove lower bounds on the label size
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
126 L. Feuilloley et al.
Fig. 4 The lower bound graph
construction. Thin lines
represent P-paths, thick lines
represent (2t+1)-paths. The
dashed lines represent edges
whose existence depend on the
input (these edges are not
considered in the claims
“Distance bound for central
nodes” and “Distance bound for
extreme nodes”. The paths
connecting iand rito their
binary representations are
omitted, except for those of 0
and r0
in the t-PLS model. Interestingly, in our model there are no
bandwidth restrictions, which makes it more similar to the
local model than to the congest model, yet the construc-
tions we use were designed to achieve congest lower bound.
We now describe the construction of the lower bound
graph (see Fig. 4). Let k=Θ(n)be a parameter whose exact
value will follow from the graph construction. Alice and Bob
use the graph in order to decide disj on k-bit strings. Let t
be the parameter of the t-PLS, which may or may not be
constant, and let Pbe a constant, 1 ≤P≤t, to be cho-
sen later (for the proof of Lemma 7,P=1 suffices, but
we will reuse the construction for spanners later, and then
we will need to set Pto a precise value). The graph con-
sists of the following sets of nodes: L={0,...,
k−1},
L=
0,...,
k−1,T=t0,...,tlog k−1,F=
f0,..., flog k−1, and k, which will be simulated by Alice,
and similarly R={r0,...,rk−1},R=r
0,...,r
k−1,
T=t
0,...,t
log k−1,F=f
0,..., f
log k−1, and rk,
which will be simulated by Bob.
The nodes are connected by paths, where the paths consist
of additional, distinct nodes. For each 0 ≤i≤k−1, connect
by P-paths (i.e., paths of Pedges and P−1 new nodes)
the pairs of nodes: (i,
i)and (ri,r
i). Add such paths also
between kand all th∈Tand fh∈F, and between rkand all
t
h∈Tand f
h∈F. Connect by a P-path each i∈Lwith
the nodes representing its binary encoding, that is, connect i
to each ththat satisfies i[h]=1, and to each fhthat satisfies
i[h]=0, where i[h]is bit hof the binary encoding of i.Add
similar paths between each ri∈Rand its encoding by nodes
t
hand f
h. In addition, for each 0 ≤h≤log k−1, add a
(2t+1)-path from thto f
hand from fhto t
h, and a similar
path from kto rk.
We start by noting that the distances between most pairs of
nodes is at most 4P+2t+1. (The only nodes not considered
in the following claim are the ones of Rand L.)
Claim (Distance bound for central nodes) The distance
between every two nodes in L∪R∪F∪T∪F∪T∪{k,rk}
and in the paths connecting these nodes is at most 4 P+2t+1.
Proof The proof of this claim is by a lengthy but simple case
analysis.
The distance from kto every node in F∪Tis P, and to
every node in F∪Tis P+2t+1, through rkor through
the corresponding node in F∪T. Hence, the distance from
kto every node in F∪T∪F∪T∪{k,rk}or in the paths
between them is at most P+2t+1. The same holds for
distances from rk.
The distance from a node in Lto a node in F∪T∪F∪T∪
{k,rk}or in the paths between them is at most 3P+2t+1,
by a path connecting it to kin 2Phops, and then to the
target node. If a node uresides on a path from a node in L
to a node in F∪T, then the distance from uto any node in
F∪T∪F∪T∪{k,rk}or in the paths between them is
less than 3P+2t+1, by a similar argument.
For a node in R, or in the paths from nodes in Rto F∪T,
the distance to any node in F∪T∪F∪T∪{k,rk}is also
at most 3P+2t+1, by a similar argument.
The distance between two nodes in Lis at most 4 P, going
through k, and the same holds for nodes on path connecting
Land F∪T. The distance between two nodes in R,orin
the paths from Rto F∪T, is similarly bounded, by a path
through rk. The distance between a node in Land a node in
Ris at most 4P+2t+1, through kand rk, and the same
holds for nodes on paths connecting Land F∪Tand Rto
F∪T.
Finally, for two nodes in F∪T∪F∪T∪{k,rk}or in the
paths between them, note that they reside on a (4P+4t+2)-
cycle through kand rk, and thus their distance is at most
2P+2t+1.
Claim (Distance bound for extreme nodes) The distance
between two nodes in Lis at most 6 P, and so is the distance
between two nodes in R. The same holds for two nodes on
the path connecting Land L(including nodes in L), or on
the path connecting Rand R.
The distance between two nodes
i∈Land r
j∈Rwith
i= jis at most 4 P+2t+1. The same bound applies to
the distance between a node on the path connecting
ito i
and a node on one of the P-path going out of rj(to nodes in
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Redundancy in distributed proofs 127
{r
j}∪F∪T), and to the distance between a node on the
path connecting r
jto rj, and a node on one of the P-path
going out of i(to nodes in {
i}∪F∪T).
Proof Each node in Lis at distance 3 Pfrom k, and nodes
on paths from Lto Lare closer to k. The same holds for
nodes in Ror in the paths from Rto R, with rk. This proves
the first claim.
For the second claim, consider two nodes iand rj,i= j,
and an index hsuch that i[h] = j[h]. Assume without loss
of generality that i[h]=1 while j[h]=0. There is a simple
path connecting these nodes, through i,th,f
h,rj, and its
length is 2P+2t+1. The other nodes discussed are at
distance at most Pfrom ior from rj, and the claim follows
using a similar path.
We now introduce the link with communication complex-
ity, in order to use Theorem 1. Assume Alice and Bob want
to solve the disj problem for two k-bit strings SAand SB,
by using a non-deterministic protocol. They build the graph
described above, and add the following edges: (i,
k)when-
ever SA[i]=0, and (ri,rk)whenever SB[i]=0. (Note that
these are simply edges, not paths.) The next claim is at the
heart of our proof.
Claim (Disjointness and diameter) If SAand SBare disjoint
then D=4P+2t+2, and otherwise D≥6P+2t+1.
Proof First, note that adding edges can only shorten dis-
tances, so the two claims about distances bounds hold after
adding the input-dependent edges. These lemmas show that
the distances between almost all pairs of nodes is at most
4P+2t+1, with the exception of pairs of the form
i∈L
and r
i∈R,forsomei, and pairs where one node is on a
path connecting
iand i, and the other on a path connecting
r
iand ri. Hence, we need to focus only on pairs of nodes of
the form (
i,r
i).
If the inputs are disjoint then for every 0 ≤i≤k−1, either
SA[i]=0orSB[i]=0, so at least one of the edges (i,
k)
and (ri,rk)exists. Thus, there is a (4P+2t+2)-path between
iand r
i, through kor through rk,e.g.
i,
i,
k,rk,t
h,ri,r
i
for the case SA[i]=0. The other distances in the graph are
not larger, and the distance between
iand r
iis exactly 4P+
2t+2 whenever SA[i] = 0or SB[i] = 0.5The other nodes
discussed are on this path, so their distances are smaller.
Hence, the diameter in this case is exactly 4P+2t+2.
On the other hand, if the sets are not disjoint, there is an
index isuch that SA[i]=SB[i]=1. Hence, there is no edge
connecting
iand k, and no edge connecting r
iand rk.We
can split the nodes of F∪Tto two sets: nodes that correspond
5In the case where both inputs are the 0 strings, the diameter is only
4P+2t+1; we can exclude this unique case by forbidding this input
to the disj problem without changing its asymptotic complexity.
to the binary representation of i, and have distance 2Pfrom
i; and the other nodes, whose distances from
iare 4P.A
similar split of F∪Tapplies, regarding the distance from
r
i. The graph is specifically crafted so that the nodes close
to
iand the nodes close to r
iare far apart from one another.
More precisely, if
iis at distance 2Pfrom a node ain F∪T,
and r
iis at distance 2Pfrom a node bin F∪T, then aand
bare not linked by a path on 2t+1 nodes. Then a shortest
path from
ito r
ishould use four P-paths, either on the left
part of the graph, or on the right part; and then two additonal
P-paths on the other part. Hence, any path connecting
iand
r
ihas length at least 6P+2t+1, and the claim follows.
With this claim in hand, we are ready to prove Lemma 7.
Proof of Lemma 7Fix t∈[1,n/log n], and let SAand SBbe
two input strings for the disj problem on kbits. We show
how Alice and Bob can solve disj on SAand SBin a non-
deterministic manner, using the graph described above and a
t-PLS for diam =4P+2t+2.
Let us first define a partition of the nodes of the graph
(see Fig. 5). Let Abe the set of nodes that are either in L∪
L∪T∪F∪{k}or in a P-path between two nodes of this
union. Similarly let Bbe the set of nodes that are either in
R∪R∪T∪F∪{rk}or in a P-path between two nodes
of this union. For each pair of nodes (a,b)∈A×Bthat
are connected by a (2t+1)-path, let Pab be this path, and
{Pab(i)},i=0,...,2t+1 be its nodes in consecutive order,
where Pab(0)=aand Pab(2t+1)=b.LetCbe the set
of nodes on such paths, at the exception of the endpoints.
The set Cis partitioned into CAand CB, where CAis the set
of nodes {Pab(i)},i=1,...,t, and CBis the set of nodes
{Pab(i)},i=t+1,...,2t. Note that A∪B∪CA∪CB
forms a partition of the nodes of the graph.
Alice interprets her nondeterministic string as the certifi-
cates given to the nodes in A∪C, and sends the certificates
of Cto Bob. Bob interprets his nondeterministic string as the
certificates of B, and gets the certificates of Cfrom Alice.
Alice can simulate the verifier on the nodes of A∪CA,asfol-
lows. Consider a node vof A∪CA. Our construction assures
that the ball of radius taround vis contained in A∪C. Hence,
Alice knows the topology of this ball—the only edges in the
graph she is not aware of are between rkand nodes in R.In
addition, Alice knows all the certificates of the nodes in this
ball.
Thus, Alice can simulate the verifier on every node vof
A∪CA. Similarly, Bob can simulate the verifier on every
node of B∪CB, because he also knows the full topology
of the t-balls around these nodes, and the certificates of the
ball’s nodes.
Using this simulation, Alice and Bob can determine
whether disj on (SA,SB)is true: from the claim “Dis-
jointness and diameter”, we know that if it is true then
diam =4P+2t+2, and the verifier of the PLS accepts,
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
128 L. Feuilloley et al.
Fig. 5 The lower bound graph
construction for t=3, and the
partition of Vinto A,CA,CB
and B
while otherwise it rejects. The nondeterministic communi-
cation complexity of the true case of disj on k-bit strings is
Ω(k)by Theorem 1, so Alice and Bob must communicate
this many bits. In our construction, kis in Θ(n), thus Alice
and Bob have to communicate Ω(n)bits. From the graph def-
inition, |C|=Θ(tlog n)which implies size-pls(diam,t)=
Ωn
tlog n, as desired.
Let α, β be two non-negative integers, that may depend
on n. For any labeled graph (G,x),β-additive span-
ner is the predicate on (G,x)that states whether, for every
v∈V(G),x(v) ⊆{ID(w ), w ∈N(v)}for every v∈V(G),
and whether the collection of edges EH={{v, w},v ∈
V(G), w ∈x(v)}forms a β-additive spanner of G, i.e., a
subgraph Hof Gsuch that, for every two nodes s,t,we
have distH(s,t)≤distG(s,t)+β. Similarly, the predicate
(α, β)-spanner on (G,x)states whether His such that, for
every two nodes s,t,dist
H(s,t)≤αdistG(s,t)+β. There
is a proof-labeling scheme for (α, β)-spanner that weakly
scales linearly. For the spacial case of α=1, i.e., the predi-
cate β-additivespanner, this is also optimal if βis constant.
Theorem 5 For every pair of integers α≥1and β≥
0, there is a one-round proof-labeling scheme for (α, β)-
spanner of size O (n), and a t -round proof-labeling scheme
of size O (n
tlog2n). Moreover, for a constant βwe also have
size-pls(β-a dditivespanner,t)=Ω(n
t).
Proof The upper bound proof is similar to the one of
Lemma 6for diameter. Specifically, instead of using a unique
table Dvstoring distances in the graph, every node vstores
two tables Dvand
Dv, where
Dvstores the distances in the
spanner. To scale, each node keeps only a fraction clog n
tof
the entries in each table, for some constant c>0. For clarge
enough, this is sufficient for every node to recover its dis-
tance to every other node in both the graph and the spanner,
by using the same arguments as in the proof of Lemma 6.
The verification again proceeds as in the proof of Lemma 6,
excepted that, instead of checking whether Dv(u)≤x(v)
for every node u, every node vchecks that, for every node u,
Dv(u)≤αDv(u)+βor
Dv(u)≤Dv(u)+β, depending
on whether one is dealing with general spanners or additive
spanners, respectively. Correctness directly follows from the
same arguments as in the proof of Lemma 6.
To achieve the lower bound, we rely on the same construc-
tion as in the proof of Lemma 7. The base graph, for which
a spanner is constructed, is the graph described above for
the case where both SAand SBare the all-0 strings, i.e. all
the potential edges are present in the graph. To decide disj,
Alice and Bob build a spanner for this base graph in the same
manner as the graph is constructed in the proof of Lemma 7,
i.e., the spanner contains all the nodes and paths, and among
the input-dependent edges, the ones that correspond to zeros
in the input strings. This construction guarantees that each
graph edge that is not in the spanner has a 2P-path between
its endpoint that is in the spanner. If the inputs are disjoint,
then at most one edge in each shortest path is not in the span-
ner, so the stretch is at most 2P−1. On the other hand, if the
inputs are not disjoint then there is a pair (
i,r
i)that stretches
from 4P+2t+1 in the original graph to 6P+2t+1inthe
spanner.
We pick Psuch that the spanner is a legal (α, β)-spanner
if and only if the inputs are disjoint, that is, 4P+2t+2≤
α(4P+2t+1)+β, while 6P+2t+1>α(4P+2t+1)+β.
For additive spanners, i.e. α=1, the first condition always
holds; to guarantee the second, we choose P>β/2. The
lower bound is thus Ωn
βt,orΩn
tfor a constant β.
6 Distributed proofs for spanning trees
In this section, we study two specific problems which are
classical in the domain of proof-labeling schemes: the verifi-
cation of a spanning tree, and of a minimum-weight spanning
tree. The predicates st and mst are the sets of labeled graphs
where some edges are marked and these edges form a span-
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Redundancy in distributed proofs 129
ning tree, and a minimum spanning tree, respectively. For
these predicates, we present proof-labeling schemes that
scale linearly in t. Note that st and mst are problems on
general labeled graphs and not on trees, i.e., the results in
this section improve upon Sect. 4(for these specific prob-
lems), and are incomparable with the results of Sect. 3.
Formally, let Fbe the family of all connected undirected,
weighted, labeled graphs (G,x). Each label x(v) contains
a (possibly empty) subset of edges adjacent to v, which is
consistent with the neighbors of v, and we denote the collec-
tion of edges represented in xby Tx.Inthest (respectively,
mst) problem, the goal is to decide for every labeled graph
(G,x)∈Fwhether Txis a spanning tree of G(respectively,
whether Txis a spanning tree of Gwith the sum of all its
edge-weights minimal among all spanning trees of G). For
these problems we have the following results.
Theorem 6 For every t ∈O(log n), we have that:
pls(st,t)=Olog n
t.
Ostrovsky et al. [41, Theorem 8] designed a radius-t
proof-labeling scheme for acyclicity, with (log n/t)-bit
certificates, for t≤D. Here, Dis the diameter of the graph,
which is at least the largest depth of a tree in it. In the scheme,
each tree is oriented outwards from an arbitrarily chosen root,
and after running the verification process, each node knows
who is his parent in its tree, and the root of each tree knows
it is the root.
For completeness we describe here in a high level this
t-PLS for acyclicity. The following scheme can be used to
verify that a graph contains no cycles using certificates of
size O(log n)in a single round. The certificate of a node v
consists of an integer d(v) which encodes the distance from
vto a root (which has d(v) =0). Nodes verify the correct-
ness of the certificates in a single communication round. If
vsatisfies d(v) =0 (i.e., vis a root), then it accepts the
certificate if all of its neighbors wsatisfy d(w) =1. If v
satisfies d(v) = 0 then vverifies that vhas exactly one
neighbor uwith d(u)=d(v) −1 while all other neighbors
wsatisfy d(w) =b(v) +1. This scheme is used, for exam-
ple, in [6,7,31]. To achieve certificates of size O((log n)/t)
for acyclicity, Ostrovsky et al. simulate the 1-PLS described
above. The idea is to take only some “special” nodes, break
their O(log n)-bit certificates indicating the distances into
shares of size O((log n)/t), and spread the shares on paths
of length Θ(t)down the tree (similarly to the way we spread
out the certificates of the border and extra-border nodes in
the proof of Lemma 4). In the verification process, the “spe-
cial” nodes recover their distances to the root by collecting
the relevant shares from their t-neighborhood, and all other
nodes recover their distances using the fact that a node with
distance d1(down the tree) to a node with distance d2to the
root, must be with distance d1+d2to the root. Then, nodes
can make the verification exactly as in the 1-PLS described
above. This scheme plays an essential role in the proof of
Theorem 6.
Proof of Theorem 6To prove that a marked subgraph Txis a
spanning tree, we need to verify it has the following proper-
ties: (1) spanning the graph, (2) acyclic, (3) connected. We
choose an arbitrary node as the root of Tx.
The certificate of a node vis composed of three parts: a
bit indicating whether the tree is shallow as in the proof of
Theorem 2,O(log n/t)-bits by the scheme of Ostrovsky et
al. [41, Theorem 8] for acyclicity, and O(log n/t)-bits that
are a part of the ID of the root, as in the proof of Theorem 2.
In the verification process, the nodes first verify they all
have the same first bit. If the tree is shallow, all nodes but the
root accept, and the root collects the whole structure of the
graph and of Txand verifies it is a spanning tree. Otherwise,
each node verifies that at least one of its edges is marked
to be in Tx, making sure Txis spanning all the graph. The
nodes then run the verification process from [41, Theorem
8], while ignoring edges not in Tx, to make sure the graph is
acyclic. Finally, they all run the reconstruction process from
Theorem 3to find the root ID, and the root of Tx(as defined
by the acyclicity scheme) verifies this root ID is indeed its
own ID. This guarantees Txis a connected forest, i.e. a tree,
as desired.
Theorem 7 For every t ∈O(log n), we have that
size-pls(mst,t)=Olog2n
t.
Our theorem only applies for t∈O(log n), meaning
that we can get from proofs of size O(log2n)to proofs of
size O(log n), but not to a constant. For the specific case
t=Θ(log n), our upper bound matches the lower bound
of Korman et al. [36, Corollary 3]. In the same paper, the
authors also present an O(log2n)-round verification scheme
for mst using O(log n)bits of memory at each node (both
for certificates and for local computation). Removing the
restriction of O(log n)-bit memory for local computation,
one may derive an O(log n)-round verification scheme with
O(log n)proof size out of the aforementioned O(log2n)-
round scheme, which matches our result for t=Θ(log n).
The improvement we present is two-fold: our scheme is scal-
able for different values of t(as opposed to schemes for only
t=1 and t=Θ(log n)), and our construction is much
simpler, as described next.
Our upper bound is based on a classic 1-round PLS for
MST [35,36], which in turn builds upon the algorithm of
Gallager, Humblet, and Spira (GHS) [29] for a distributed
construction of an MST. The idea behind this scheme is,
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
130 L. Feuilloley et al.
given a labeled graph (G,x), to verify that Txis consistent
with an execution of the GHS algorithm in G.
The GHS algorithm maintains a spanning forest that is a
subgraph of the minimum spanning tree, i.e., the trees of the
forest are fragments of the desired minimum spanning tree.
The algorithm starts with a spanning forest consisting of all
nodes and no edges. At each phase each of the fragments
adds the minimum-weight edge going out of it, thus merging
several fragments into one. After O(log n)iterations, all the
fragments are merged into a single component, which is the
desired minimum-weight spanning tree. We show that each
phase can be verified with O(log n/t)bits, giving a total
complexity of O(log2n/t)bits.
We note that the GHS algorithm requires either distinct
edge weights or a fixed ordering of the edges in order to break
ties between edges with the same weight in a consistent way.
In addition, given a labeled graph (G,x),anyMSTTcan
be a result of the GHS algorithm on (G,x)for some fixed
ordering of the edges: any order that prefers the edges of T
over the other edges will result in Tas an output.
Proof Let (G,x)be a labeled graph such that Txis a
minimum-weight spanning tree, and fix an ordering of the
edges such that an execution of the GHS algorithm on (G,x)
yields the tree Tx. Let pos(e)be the position of ein this order-
ing. If tis greater than the diameter Dof G, every node can
see the entire labeled graph in the verification process, and
we are done; we henceforth assume t≤D. The certificates
consist of four parts.
First, we choose a root and orient the edges of Txtowards
it. We give each node its distance from the root modulo 3,
which allows it to obtain the ID of its parent and the edge
pointing to it in one round. Second, we assign the certificate
described above for st (Theorem 6), which certifies that Tx
is indeed a spanning tree. This requires O(log n/t)bits.
The third part of the certificate tells each node the position
of the edge connecting it to its parent in the fixed ordering, the
phase in which the edge is added to the tree in the execution
of the GHS algorithm, and which of the edge’s endpoints
added it to the tree. Note that after one round of verification,
each node knows for every incident edge, its position in the
ordering, at which phase it is added to the spanning tree, and
by which of its endpoints. This part uses O(log n)bits.
The fourth part of the certificate consists of O(log2n/t)
bits, O(log n/t)for each of the O(log n)phases of the GHS
algorithm. To define the part of a certificate of every phase, fix
a phase, a fragment Fin the beginning of this phase, and let
e=(u,v)be the edge added to the spanning tree by fragment
Fin this phase, where u∈Fand v/∈F. Our goal is that
the nodes of Fverify together that eis a minimum-weight
outgoing edge with the smallest position in the ordering, and
that no other edge was added by Fin this phase. To this
end, we first orient the edges of Ftowards u, i.e., set uas
the root of F. If the depth of Fis less than t, then in t−1
rounds the root ucan see all of Fand check that (u,v) is
the desired minimum-weight outgoing edge. All other nodes
just have to verify that no other edge is added by the nodes of
Fin this phase. Otherwise, if the depth of Fis at least t,by
Theorem 3, the information about ID(u),w(e), and pos(e)
can be spread on Fsuch that in trounds it can be collected by
all nodes of F. With this information known to all the nodes
of F, the root can locally verify that it is named as the node
that adds the edge and that it has the named edge with the
right weight and position. The other nodes of Fcan locally
verify that they do not have incident edges with a smaller
weight, that every incident edge with the same weight has a
greater position, and that no other edge is added by F.This
part takes O(log n/t)bits per iteration, which sums to a total
of O(log2n/t)bits.
Overall, our scheme verifies that Txis a spanning tree, and
that it is consistent with every phase of some execution of the
GHS algorithm. Therefore, the scheme accepts (G,x)if and
only if Txis a minimum spanning tree.
7 Open problems
We finish with a list of open problems. We first present a
series of open questions directly related to our setting, and
then consider natural alternative settings.
We have proved that, for many classical Boolean predi-
cates on labeled graphs (including MST), there are proof-
labeling schemes that scale linearly with the radius of the
scheme, i.e., the number of rounds of the verification proce-
dure. More generally, we have shown that for every Boolean
predicate on labeled trees, cycles and grids, there is a proof-
labeling scheme that scales linearly with the radius of the
scheme. This yields the following question:
Problem 1 Prove or disprove that, for every predicate Pon
labeled graphs, there is a proof-labeling scheme for Pthat
(weakly) scales linearly.
In fact, the scaling factor might even be larger than t, and
be as large as b(t)in graphs with ball growth b.Wehave
proved that the uniform part of any proof-labeling scheme
can be scaled by such a factor b(t)for t-PLS. This yields the
following, stronger open problem:
Problem 2 Prove or disprove that, for every predicate P
on labeled graphs, there is a proof-labeling scheme for P
that scales with factor Ω(b(t)poly log n)in graphs with ball
growth b.
We are tempted to conjecture that the answer to the first
problem is positive (as it holds for trees and cycles). However,
we believe that the answer to the second problem might well
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Redundancy in distributed proofs 131
be negative. In particular, it seems challenging to design a
proof-labeling scheme for diam that would scale with the
size of the balls. Indeed, checking diameter is strongly related
to checking shortest paths in the graph, and this significantly
restricts the way the certificates can be redistributed among
nodes in a ball of radius t. Yet, there might be some other way
to certify diam, so we let the following as an open problem:
Problem 3 Is there a proof-labeling scheme for diam that
scales by a factor greater than tin all graphs where b(t)t?
Another type of open problem is to adapt our result to
different settings, and in particular, more practical settings.
Proof-labeling schemes were originally designed as a com-
ponent of self-stabilizing algorithms, that are algorithms that
not only check the certificates but also build the desired object
and its certificates. Given that we use the probabilistic method
in various places a natural question is:
Problem 4 Can we have simple explicit construction of the
certificate assignments used in this paper? And further, how
can these be efficiently implemented in a distributed setting?
Even if we consider only the verification phase, we could
try to move to a more practical setting. For example for clas-
sic self-stabilizing algorithms, the size of the certificates is
a measure of the bandwidth needed for certification, which
is no longer the case when aggregating certificates from dis-
tance greater than one. Indeed, we use a view of radius t,
which, if we had to send messages, would require either large
messages, or many more that trounds. Thus, a natural open
problem is:
Problem 5 Can we make the verification algorithm work effi-
ciently in a message-passing model? More precisely, can we
perform the verification in trounds by allowing the nodes
to only exchange messages whose size is the same as the
certificate size?
Acknowledgements We thank Seri Khoury and Boaz Patt-Shamir for
valuable discussions, and the anonymous reviewers of DISC 2018 and
Distributed Computing journal for their comments.
Funding Open access funding provided by Austrian Science Fund
(FWF). Research supported by the French-Israeli Laboratory on Foun-
dations of Computer Science (FILOFOCS). Laurent Feuilloley: sup-
ported by ANR Descartes, INRIA project GANG, ANR ESTATE, MIPP
and Amazon Research award. Pierre Fraigniaud: supported by ANR
Descartes, INRIA project GANG, ANR Displexity. Juho Hirvonen:
supported by the Ulla Tuominen Foundation and Academy of Finland,
Grant 314888. Ami Paz: supported by the Fondation Sciences Mathéma-
tiques de Paris (FSMP) and Austrian Science Fund (FWF): P 33775-N,
Fast Algorithms for a Reactive Network Layer.
Open Access This article is licensed under a Creative Commons
Attribution 4.0 International License, which permits use, sharing, adap-
tation, distribution and reproduction in any medium or format, as
long as you give appropriate credit to the original author(s) and the
source, provide a link to the Creative Commons licence, and indi-
cate if changes were made. The images or other third party material
in this article are included in the article’s Creative Commons licence,
unless indicated otherwise in a credit line to the material. If material
is not included in the article’s Creative Commons licence and your
intended use is not permitted by statutory regulation or exceeds the
permitted use, you will need to obtain permission directly from the copy-
right holder. To view a copy of this licence, visit http://creativecomm
ons.org/licenses/by/4.0/.
References
1. Abboud, A., Censor-Hillel, K., Khoury, S.: Near-linear lower
bounds for distributed distance computations, even in sparse
networks. In: 30th International Symposium on Distributed Com-
puting (DISC), pp. 29–42 (2016). arXiv:1901.01630
2. Afek, Y., Dolev, S.: Local stabilizer. J. Parallel Distrib. Comput.
62(5), 745–765 (2002)
3. Afek, Y., Kutten, S., Yung, M.: The local detection paradigm and
its applications to self-stabilization. Theor. Comput. Sci. 186(1),
199–229 (1997)
4. Arfaoui, H., Fraigniaud, P., Ilcinkas, D., Mathieu, F.: Distributedly
testing cycle-freeness. In: 40th International Workshop on Graph-
Theoretic Concepts in Computer Science (WG), vol. 8747, LNCS,
Springer, pp. 15–28 (2014)
5. Arfaoui, H., Fraigniaud, P.,Pelc, A.: Local decision and verification
with bounded-size outputs. In: 15th Symposium on Stabilization,
Safety, and Security of Distributed Systems (SSS), vol. 8255,
LNCS, Springer, pp. 133–147 (2013)
6. Awerbuch,B., Ostrovsky, R.: Memory-efficient and self-stabilizing
network reset (extended abstract). In: Proceedings of the Thirteenth
Annual ACM Symposium on Principles of Distributed Computing,
PODC ’94, ACM, New York, NY, USA, pp. 254–263 (1994)
7. Awerbuch, B., Patt-Shamir, B., Varghese, G.: Self-stabilization by
local checking and correction. In: 32nd Symposium on Foundations
of Computer Science (FOCS), IEEE, pp. 268–277 (1991)
8. Balliu, A., D’Angelo, G., Fraigniaud, P., Olivetti, D.: What can be
verified locally? In: 34th Symposium on Theoretical Aspects of
Computer Science (STACS), vol. 66, LIPIcs, pp. 8:1–8:13 (2017)
9. Bampas, E., Ilcinkas, D.: On mobile agent verifiable problems.
In: 12th Latin American Symposium on Theoretical Informatics
(LATIN), LNCS, vol. 9644, Springer, pp. 123–137 (2016)
10. Beauquier, J., Delaët, S., Dolev, S., Tixeuil, S.: Transient fault
detectors. Distrib. Comput. 20(1), 39–51 (2007)
11. Blin, L., Fraigniaud, P.: Space-optimal time-efficient silent self-
stabilizing constructions of constrained spanning trees. In: 35th
International Conference on Distributed Computing Systems
(ICDCS), IEEE, pp. 589–598 (2015)
12. Blin, L., Fraigniaud, P.,Patt-Shamir, B.: On proof-labeling schemes
versus silent self-stabilizing algorithms. In: 16th International
Symposium on Stabilization, Safety, and Security of Distributed
Systems (SSS), LNCS, Springer, pp. 18–32 (2014)
13. Censor-Hillel, K., Paz, A., Perry, M.: Approximate proof-labeling
schemes. Theor. Comput. Sci. 811, 112–124 (2020)
14. Chi-Chih Yao, A.: Some complexity questions related to distribu-
tive computing. In: 11th Symposium on Theory of Computing
(STOC), ACM, pp. 209–213 (1979)
15. Crescenzi, P.,Fraigniaud, P., Paz, A.: Trade-offs in distributed inter-
active proofs. In: 33rd International Symposium on Distributed
Computing (DISC), pp. 13:1–13:17 (2019)
16. Das Sarma, A., Holzer, S., Kor, L., Korman, A., Nanongkai, D.,
Pandurangan, G., Peleg, D., Wattenhofer, R.: Distributed verifica-
tion and hardness of distributed approximation. SIAM J. Comput.
41(5), 1235–1265 (2012)
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
132 L. Feuilloley et al.
17. Elkin, M.: Unconditional lower bounds on the time-approximation
tradeoffs for the distributed minimum spanning tree problem. In:
Proceedings of the 36th Annual ACM Symposium on Theory of
Computing (STOC), pp. 331–340 (2004)
18. Feuilloley, L., Fraigniaud, P.: Survey of distributed decision. In:
Bulletin of the EATCS, vol. 119 (2016)
19. Feuilloley, L., Fraigniaud, P.: Error-sensitive proof-labeling
schemes. In: 31st International Symposium on Distributed Com-
puting (DISC), pp. 16:1–16:15 (2017)
20. Feuilloley, L., Fraigniaud, P., Hirvonen, J.: A hierarchy of local
decision. In: 43rd International Colloquium on Automata, Lan-
guages, and Programming (ICALP), LIPIcs, pp. 118:1–118:15
(2016)
21. Feuilloley, L., Fraigniaud, P., Hirvonen, J., Paz, A., Perry, M.:
Redundancy in distributed proofs. In: Schmid, U., Widder, J. (eds),
32nd International Symposium on Distributed Computing, DISC
2018, New Orleans, LA, USA, October 15–19, 2018, vol. 121,
LIPIcs, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, pp.
24:1–24:18 (2018)
22. Foerster, K.-T., Luedi, T., Seidel, J., Wattenhofer, R.: Local check-
ability, no strings attached: (a)cyclicity, reachability, loop free
updates in sdns. Theor. Comput. Sci. 709, 48–63 (2018)
23. Fraigniaud, P.,Korman, A., Peleg, D.: Towardsa complexity theory
for local distributed computing. J. ACM 60(5), 35 (2013)
24. Fraigniaud, P., Patt-Shamir, B., Perry, M.: Randomized proof-
labeling schemes. Distrib. Comput. 32(3), 217–234 (2019)
25. Fraigniaud, P.,Pelc, A.: Decidability classes for mobile agents com-
puting. J. Parallel Distrib. Comput. 109, 117–128 (2017)
26. Fraigniaud, P., Rajsbaum, S., Travers, C.: Minimizing the number
of opinions for fault-tolerant distributed decision using well-quasi
orderings. In: 12th Latin American Symposium on Theoretical
Informatics (LATIN), Springer, pp. 497–508 (2016)
27. Fraigniaud, P., Rajsbaum, S., Travers, C., Kuznetsov, P., Rieutord,
T.:Perfect failure detection with very few bits. In: 18th International
Symposium on Stabilization, Safety, and Security of Distributed
Systems (SSS), LNCS 10083, Springer, pp. 154–169 (2016)
28. Frischknecht, S., Holzer, S., Wattenhofer, R.: Networks cannot
compute their diameter in sublinear time. In: 23rd Symposium on
Discrete Algorithms (SODA), ACM-SIAM, pp. 1150–1162 (2012)
29. Gallager, R.G., Humblet, P.A., Spira, P.M.: A distributed algorithm
for minimum-weight spanning trees. ACM Trans. Program. Lang.
Syst. (TOPLAS) 5(1), 66–77 (1983)
30. Göös, M., Suomela, J.: Locally checkable proofs in distributed
computing. Theory Comput. 12(1), 1–33 (2016)
31. Itkis, G., Levin, L.: Fast and lean self-stabilizing asynchronous
protocols. In: Proceedings of the 35th Annual Symposium on Foun-
dations of Computer Science, SFCS ’94, IEEE Computer Society,
Washington, DC, USA, pp. 226–239 (1994)
32. Itkis, G., Levin, L.A.: Fast and lean self-stabilizing asynchronous
protocols. In: 35th Symposium on Foundations of Computer Sci-
ence (FOCS), IEEE, pp. 226–239 (1994)
33. Kol, G., Oshman, R., Saxena, R.R.: Interactive distributed proofs.
In: Proceedings of the 2018 ACM Symposium on Principles of
Distributed Computing, PODC, pp. 255–264 (2018)
34. Korhonen, J.H., Suomela, J.: Brief announcement: Towards a com-
plexity theory for the congested clique. In: 31st International
Symposium on Distributed Computing (DISC), pp. 55:1–55:3
(2017)
35. Korman, A., Kutten, S.: Distributed verification of minimum span-
ning trees. Distrib. Comput. 20, 253–266 (2007)
36. Korman, A., Kutten, S., Masuzawa, T.: Fast and compact self-
stabilizing verification, computation, and fault detection of an MST.
Distrib. Comput. 28(4), 253–295 (2015)
37. Korman, A., Kutten, S., Peleg, D.: Proof labeling schemes. Distrib.
Comput. 22(4), 215–233 (2010)
38. Kushilevitz, E., Nisan, N.: Communication Complexity. Cam-
bridge University Press, New York (1997)
39. Mitzenmacher, M., Upfal, E.: Probability and Computing: Ran-
domized Algorithms and Probabilistic Analysis. Cambridge Uni-
versity Press, Cambridge (2005)
40. Naor, M., Parter, M., Yogev, E.: The power of distributed verifiersin
interactive proofs. In: Proceedings of the 2020 ACM-SIAM Sym-
posium on Discrete Algorithms, SODA, pp. 1096–115 (2020)
41. Ostrovsky, R., Perry, M., Rosenbaum, W.: Space-time tradeoffs for
distributed verification. In: 24th International Colloquium on Struc-
tural Information and Communication Complexity (SIROCCO),
pp. 53–70 (2017)
42. Patt-Shamir, B., Perry, M.: Proof-labeling schemes: broadcast, uni-
cast and in between. In: 19th Int. Symposium on Stabilization,
Safety, and Security of Distributed Systems (SSS), LNCS 10616,
Springer, pp. 1–17 (2017)
43. Peleg, D.: Distributed Computing: A Locality-Sensitive Approach.
Discrete Mathematics and Applications. SIAM, Philadelphia
(2000)
44. Peleg, D., Rubinovich, V.: A near-tight lower bound on the time
complexity of distributed MST construction. In: 40th Symposium
on Foundations of Computer Science (FOCS), IEEE, pp. 253–261
(1999)
45. Ullman, J.D., Yannakakis, M.: High-probability parallel transitive-
closure algorithms. SIAM J. Comput. 20(1), 100–125 (1991)
Publisher’s Note Springer Nature remains neutral with regard to juris-
dictional claims in published maps and institutional affiliations.
123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
1.
2.
3.
4.
5.
6.
Terms and Conditions
Springer Nature journal content, brought to you courtesy of Springer Nature Customer Service Center GmbH (“Springer Nature”).
Springer Nature supports a reasonable amount of sharing of research papers by authors, subscribers and authorised users (“Users”), for small-
scale personal, non-commercial use provided that all copyright, trade and service marks and other proprietary notices are maintained. By
accessing, sharing, receiving or otherwise using the Springer Nature journal content you agree to these terms of use (“Terms”). For these
purposes, Springer Nature considers academic use (by researchers and students) to be non-commercial.
These Terms are supplementary and will apply in addition to any applicable website terms and conditions, a relevant site licence or a personal
subscription. These Terms will prevail over any conflict or ambiguity with regards to the relevant terms, a site licence or a personal subscription
(to the extent of the conflict or ambiguity only). For Creative Commons-licensed articles, the terms of the Creative Commons license used will
apply.
We collect and use personal data to provide access to the Springer Nature journal content. We may also use these personal data internally within
ResearchGate and Springer Nature and as agreed share it, in an anonymised way, for purposes of tracking, analysis and reporting. We will not
otherwise disclose your personal data outside the ResearchGate or the Springer Nature group of companies unless we have your permission as
detailed in the Privacy Policy.
While Users may use the Springer Nature journal content for small scale, personal non-commercial use, it is important to note that Users may
not:
use such content for the purpose of providing other users with access on a regular or large scale basis or as a means to circumvent access
control;
use such content where to do so would be considered a criminal or statutory offence in any jurisdiction, or gives rise to civil liability, or is
otherwise unlawful;
falsely or misleadingly imply or suggest endorsement, approval , sponsorship, or association unless explicitly agreed to by Springer Nature in
writing;
use bots or other automated methods to access the content or redirect messages
override any security feature or exclusionary protocol; or
share the content in order to create substitute for Springer Nature products or services or a systematic database of Springer Nature journal
content.
In line with the restriction against commercial use, Springer Nature does not permit the creation of a product or service that creates revenue,
royalties, rent or income from our content or its inclusion as part of a paid for service or for other commercial gain. Springer Nature journal
content cannot be used for inter-library loans and librarians may not upload Springer Nature journal content on a large scale into their, or any
other, institutional repository.
These terms of use are reviewed regularly and may be amended at any time. Springer Nature is not obligated to publish any information or
content on this website and may remove it or features or functionality at our sole discretion, at any time with or without notice. Springer Nature
may revoke this licence to you at any time and remove access to any copies of the Springer Nature journal content which have been saved.
To the fullest extent permitted by law, Springer Nature makes no warranties, representations or guarantees to Users, either express or implied
with respect to the Springer nature journal content and all parties disclaim and waive any implied warranties or warranties imposed by law,
including merchantability or fitness for any particular purpose.
Please note that these rights do not automatically extend to content, data or other material published by Springer Nature that may be licensed
from third parties.
If you would like to use or distribute our Springer Nature journal content to a wider audience or on a regular basis or in any other manner not
expressly permitted by these Terms, please contact Springer Nature at
onlineservice@springernature.com
Available via license: CC BY 4.0
Content may be subject to copyright.
