Redundancy in distributed proofs

Distributed proofs are mechanisms that enable the nodes of a network to collectively and efficiently check the correctness of Boolean predicates on the structure of the network (e.g., having a specific diameter), or on objects distributed over the nodes (e.g., a spanning tree). We consider well known mechanisms consisting of two components: a prover that assigns a certificate to each node, and a distributed algorithm called a verifier that is in charge of verifying the distributed proof formed by the collection of all certificates. We show that many network predicates have distributed proofs offering a high level of redundancy, explicitly or implicitly. We use this remarkable property of distributed proofs to establish perfect tradeoffs between the size of the certificate stored at every node, and the number of rounds of the verification protocol.


Context and Objective
In the context of distributed fault-tolerant computing in large scale networks, it is of the utmost importance that the computing nodes can perpetually check the correctness of distributed data structures (e.g., spanning trees) encoded distributedly over the network.Indeed, such data structures can be the outcome of an algorithm that might be subject to failures, or be a-priori correctly given data-structures but subject to later corruption.Several mechanisms exist enabling checking the correctness of distributed data structures (see, e.g., [2,5,9,10,11]).For its simplicity and versatility, we shall focus on one classical mechanism known as proof-labeling schemes [31], a.k.a.locally checkable proofs [24] 1 .Roughly, a proof-labeling scheme assigns certificates to each node of the network.These certificates can be viewed as forming a distributed proof of the actual data structure (e.g., for a spanning tree, the identity of a root, and the distance to this root in the tree).The nodes are then in charge of collectively verifying the correctness of this proof.The requirements are in a way similar to those imposed on non-deterministic algorithms (e.g., the class NP), namely: (1) on correct structures, the assigned certificates must be accepted, in the sense that every node must accept its given certificate; (2) on corrupted structures, whatever certificates are given to the nodes, they must be rejected, in the sense that at least one node must reject its given certificate.(The rejecting node(s) can raise an alarm, or launch a recovery procedure).Proof-labeling schemes and locally checkable proofs can be viewed as a form of non-deterministic distributed computing (see also [18]).
The main measure of quality for a proof-labeling scheme is the size of the certificates assigned to correct (a.k.a.legal) data structures.Indeed, these certificates are verified using protocols that exchange them between neighboring nodes.Thus using large certificates may result in significant overheads in term of communication.Also, proof-labeling schemes might be combined with other mechanisms enforcing fault-tolerance, including replication.Large certificates may prevent replication, or to the least result in significant overheads in term of space complexity if using replication.
Proof-labeling schemes are extremely versatile, in the sense that they can be used to certify any distributed data-structure.For instance, for certifying a spanning tree, there are several proof-labeling schemes, each using certificates of logarithmic size [25,31].Similarly, certifying a minimum-weight spanning tree (MST) can be achieved with certificates of size Θ(log 2 n) bits in n-node networks [31,28].Moreover, proof-labeling schemes are very local, in the sense that the verification procedure performs in just one round of communication, each node accepting or rejecting based solely on its certificate and the certificates of its neighbors.However, these versatility and locality come with a cost.For instance, certifying rather simple data structures, such as certifying that each node holds the value of the diameter of the network requires certificates of Ω(n) bits [12] 2 .There are even properties that require larger certificates.For instance, certifying that the network is non 3-colorable, or certifying that the network has a non-trivial automorphisms both require certificates of Ω(n 2 ) bits [24].The good news though is that all distributed data-structures (and graph properties) can be certified using certificates of O(n 2 + kn) bits, where k is the size of the part of the data-structure stored at each node -see [24,31].
Several attempts have been made to make proof-labeling schemes more efficient.For instance, it was shown in [8] that randomization helps a lot in term of communication costs, typically by hashing the certificates, but this might actually come at the price of dramatically increasing the certificate size.Sophisticated deterministic and efficient solutions have also been provided for reducing the size of the certificates, but they are targeting specific structures only, such as MST [29].Another direction for reducing the size of the certificates consists of relaxing the decision mechanism, by allowing each node to output more than just a single bit (accept of reject) [3,4].For instance, certifying cycle-freeness simply requires certificates of O(1) bits with just 2-bit output, while certifying cycle-freeness requires certificates of Ω(log n) bits with 1-bit output [31].However, this relaxation assumes the existence of a centralized entity gathering the outputs from the nodes, and there are still network predicates that require certificates of Ω(n 2 ) bits even under this relaxation.Another notable approach is using approximation [12], which reduces, e.g., the certificate size for certifying the diameter of the graph from Ω(n) down to O(log n), but at the cost of only determining if the given value is up to two times the real diameter.
In this paper, we aim at designing deterministic and generic ways for reducing the certificate size of proof-labeling schemes.This is achieved by following the guidelines of [33], that is, trading time for space by exploiting the inherent redundancy in distributed proofs.

Our Results
As mentioned above, proof-labeling schemes include a verification procedure that performs in a single round of communication.In a nutshell, we prove that using more than a single round of communication for verifying the certificates enables to reduce significantly the size of these certificates, often by a factor super-linear in the number of rounds, sometimes even exponential.
More specifically, a proof-labeling scheme of radius t (where t can depend on the size of the input graph) is a proof-labeling scheme where the verification procedure performs t rounds, instead of just one round as in classical proof-labeling schemes.We may expect that proof-labeling schemes of radius t should help reducing the size of the certificates.This expectation is based on the intuition that the verification of classical (radius-1) prooflabeling schemes is done by comparing nearby certificates or computing some function of them, and accept only if they are "compatible".If the certificates are poorly correlated, then allowing more rounds for the verification should not be of much help as, with k-bit certificate per node, the global proof has kn bits in total in n-node graphs, leaving little freedom for reorganizing the assignment of these kn bits to the n nodes.Perhaps surprisingly, we show that distributed proofs do not only involve partially redundant certificates, but inherently highly redundant certificates, which enables reducing their size a lot when more rounds are allowed.To capture this phenomenon, we say that a proof-labeling scheme scales with scaling factor f (t) if its size can be reduced by a factor Ω(f (t)) when using a t-round verification procedure; we say that the scheme weakly scales with scaling factor f (t) if the scaling factor is Ω(f (t)), i.e., Ω(f (t)/polylog n) in n-node networks.
We prove that, in trees and other graph classes including e.g.grids, all proof-labeling schemes scale, with scaling factor t for t-round verification procedures.In other words, for every boolean predicate P on labeled trees (that is, trees whose every node is assigned a label, i.e., a binary string), if P has a proof-labeling scheme with certificates of k bits, for some k ≥ 0, then P has a proof-labeling scheme of radius t with certificates of O(k/t) bits, for all t ≥ 1.
In addition, we prove that, in any graph, uniform parts of proof-labeling schemes weekly scale optimally.That is, for every boolean predicate P on labeled graphs, if P has a prooflabeling scheme such that k bits are identical in all certificates, then the part of these k bits weakly scales in an optimal manner: it can be reduced into O(k/b(t)) bits by using a proof-labeling scheme of radius t, where b(t) denotes the size of the smallest ball of radius-t in the actual graph.Therefore, in graphs whose neighborhoods increase polynomially, or even exponentially with their radius, the benefit in term of space-complexity of using a proof-labeling scheme with radius t can be enormous.This result is of particular interest for the so-called universal proof-labeling scheme, in which every node is given the full n 2 -bit adjacency matrix of the graph as part of its certificate, along with the O(log n)-bit index of that node in the matrix.
We complement these general results by a collection of concrete results, regarding scaling classical boolean predicates on labeled graphs, including spanning tree, minimum-weight spanning tree, diameter, and additive spanners.For each of these predicates we prove tight upper and lower bounds on the certificate size of proof-labeling schemes of radius t on general graphs.

Our Techniques
Our proof-labeling schemes demonstrate that if we allow t rounds of verification, it is enough to keep only a small portion of the certificates, while all the rest are redundant.In a path, it is enough to keep only two consecutive certificates out of every t: two nodes with t−2 missing certificates between them can try all the possible assignments for the missing certificates, and accept only if such an assignment exists.This reduces the average certificate size; to reduce the maximal size, we split the remaining certificates among the certificate-less nodes.This idea is extended to trees and grids, and is at the heart of the proof-labeling schemes presented in Section 3.
On general graphs, we cannot omit certificates from some nodes and let the others check all the options for missing certificates in a similar manner.This is because, for our approach to apply, the parts of missing certificates must be isolated by nodes with certificates.However, if all the certificates are essentially the same, as in the case of the universal scheme, we can simply keep each part of the certificate at some random node 3 , making sure that each node has all parts in its t-radius neighborhood.A similar, yet more involved idea, applies when the certificates are distances, e.g., when the predicate to check is the diameter, and the (optimal) certificate of a node contains in a distance-1 proof-labeling scheme its distances to all other nodes.While the certificates are not universal in this latter case, we show that it still suffices to randomly keep parts of the distances, such that on each path between two nodes, the distance between two certificates kept is at most t.These ideas are applied in Sections 4 and 5.
In order to prove lower bounds on the certificate size of proof-labeling schemes and on their scaling, we combine several known techniques in an innovative way.The most classic lower bound technique for proof-labeling schemes is called crossing, but this cannot be used for lower bounds higher than logarithmic, and is not suitable for our model.A more powerful technique is the use of nondeterministic communication complexity [24,12], which extends the technique used for the congest model [22,1].In these bounds, the nodes are partitioned between two players, who simulate the verification procedure in order to solve a communication complexity problem, and communicate whenever a message is sent over the edges of the cut between their nodes.When proving lower bounds for proof-labeling schemes, the nondeterminism is used to define the certificates: a nondeterministic string for a communication complexity problem can be understood as a certificate, and, when the players simulate verification on a graph, they interpret their nondeterministic strings as node certificates.However, this technique does not seem to be powerful enough to prove lower bounds for our model of multiple rounds verification.When splitting the nodes between the two players, the first round of verification only depends on the certificates of the nodes touching the cut, but arguing about the other verification rounds seems much harder.To overcome this problem, we use a different style of simulation argument, where the node partition is not fixed but evolves over time [36,13].More specifically, while there are sets of nodes which are simulated explicitly by either of the two players during the t rounds, the nodes in the paths connecting these sets are simulated in a decremental manner: both players start by simulating all these nodes, and then simulate less and less nodes as time passes.After the players communicate the certificates of the nodes along the paths at the beginning, they can simulate the verification process without any further communication.In this way, we are able to adapt some techniques used for the congest model to our model, even though proof-labeling schemes are a computing model that is much more similar to the local model [35].

Previous Work
The mechanism considered in this paper for certifying distributed data-structures and predicates on labeled graphs has at least three variants.The orignal proof-labeling schemes, as defined in [31], assume that nodes exchange solely their certificates between neighbors during the verification procedure.Instead, the variant called locally checkable proofs [24] imposes no restrictions on the type of information that can be exchanged between neighbors during the verification procedure.In fact, they can exchange their full individual states, which makes the design of lower bounds far more complex.This latter model is the one actually considered in this paper.There is a third variant, called non-deterministic local decision [18], which prevents using the actual identities of the nodes in the certificates.That is, the certificate must be oblivious to the actual identity assignment to the nodes.This latter mechanism is weaker than proof-labeling schemes and locally checkable proofs, as there are graph predicates that cannot be certified in this manner.However, all predicates on labeled graphs can be certified whenever allowing randomization [18], or by allowing just one alternation of quantifiers (the analog of Π 2 in the polynomial hierarchy) [6].A distributed variant of the centralized interactive proofs was recently introduced by Kol et al. [26].
Our work was inspired by [33], which aims at reducing the size of the certificates by trading time for space, i.e., allowing the verification procedure to take t rounds (t can be a function of n) in order to reduce the certificate size.For instance, it was shown that, for the so-called universal scheme, the size of the certificates can be reduced from Θ(n 2 ) to Θ(n 2 /t) bits when increasing verification time from 1 round to t rounds.The results in [29] were another source of inspiration, as it is shown that, by allowing O(log 2 n) rounds of communication, one can verify MST using certificates of O(log n) bits.In fact, [29] even describe an entire (non-silent) self-stabilizing algorithm for MST construction based on this mechanism for verifying MST.
In [16], the authors generalized the study of the class log-LCP introduced in [24], consisting of network properties verifiable with certificates of O(log n) bits, to a whole local hierarchy inspired by the polynomial hierarchy.For instance, it is shown that MST is at the second level of that hierarchy, and that there are network properties outside the hierarchy.In [34], the effect of sending different messages to different neighbors on the communication complexity of verification is analyzed.The impact of the number of errors on the ability to detect the illegality of a data-structure w.r.t. a given predicate is studied in [15].The notion of approximate proof-labeling schemes was investigated in [12], and the impact of randomization on communication complexity of verification has been studied in [8].
Finally, verification mechanisms a la proof-labeling schemes were used in other contexts, including the congested clique [27], wait-free computing [20], failure detectors [21], anonymous networks [17], and mobile computing [7,19].For more references to work related to distributed verification, or distributed decision in general, see the survey [14].To our knowledge, in addition to the aforementioned works [29,33], there is no prior work where verification time and certificate size are traded.

Model and Notations
A labeled graph is a pair (G, x) where G = (V, E) is a connected simple graph, and x : V → {0, 1} * is a function assigning a bit-string, called label, to every node of G.When discussing a weighted n-nodes graph G, we assume G = (V, E, w), where w : E → [1, n c ] for some fixed c ≥ 1, and therefore w(e) can be encoded on O(log n) bits.An identity-assignment to a graph G is an assignment for some fixed c ≥ 1, of distinct identities to the nodes.
A distributed decision algorithm is an algorithm in which every node outputs accept or reject.We say that such an algorithm accepts if and only if every node outputs accept.
Given a finite collection G of labeled graphs, we consider a boolean predicate P on every labeled graph in G (which may even depend on the identities assigned to the nodes).For instance, aut is the predicate on graphs stating that there exists a non-trivial automorphism in the graph.Similarly, for any weighted graph with identity-assignment ID, the predicate mst on (G, x, ID) states whether x(v) = ID(v ) for some v ∈ N [v]4 for every v ∈ V (G), and whether the collection of edges {{v, x(v)}, v ∈ V (G)} forms a minimum-weight spanning tree of G.A proof-labeling scheme for a predicate P is a pair (p, v), where p, called prover, is an oracle that assigns a bit-string called certificate to every node of every labeled graph (G, x) ∈ G, potentially using the identities assigned to the nodes, and v, called verifier, is a distributed decision algorithm such that, for every (G, x) ∈ G, and for every identity assignment ID to the nodes of G, That is, if (G, x, ID) satisfies P, then, with the certificates assigned to the nodes by the prover p, the verifier accepts at all nodes.Instead, if (G, x, ID) does not satisfy P, then, whatever certificates are assigned to the nodes, the verifier rejects in at least one node.
The radius of a proof-labeling scheme (p, v) is defined as the maximum number of rounds of the verifier v in the local model [35], over all identity-assignments to all the instances in G, and all arbitrary certificates.It is denoted by radius(p, v).Often in this paper, the phrase proof-labeling scheme is abbreviated into PLS, while a proof-labeling scheme of radius t ≥ 1 is abbreviated into t-PLS.Note that, in a t-PLS, one can assume, w.l.o.g., that the verification procedure, which is given t as input to every node, proceeds at each node in two phases: (1) collecting all the data (i.e., labels and certificates) from nodes at distance at most t, including the structure of the ball of radius t around that node, and (2) processing all the information for producing a verdict, either accept, or reject.
Given an instance (G, x, ID) satisfying P, we denote by p(G, x, ID, v) the certificate assigned by the prover p to node v ∈ V , and by |p(G, x, ID, v)| its size.We also let The certificate-size of a proof-labeling scheme (p, v) for P in G is defined as the maximum of |p(G, x, ID)|, taken over all instances (G, x, ID) satisfying P, where (G, x) ∈ G.It is denoted by size(p, v).In the following, we focus on the graph families G n of connected simple graphs with n nodes, n ≥ 1.That is, the size of a proof-labeling scheme is systematically expressed as a function of the number n of nodes.For the sake of simplifying the presentation, the graph family G n is omitted from the notations.
The minimum certificate size of a t-PLS for the predicate P on n-node labeled graphs is denoted by size-pls(P, t), that is, We also denote by size-pls(P) the size of a standard (radius-1) proof-labeling scheme for P, that is, size-pls(P) = size-pls(P, 1).For instance, it is known that size-pls(mst) = Θ(log 2 n) bits [28,31], and that size-pls(aut) = Ω(n 2 ) bits [24].More generally, for every decidable predicate P, we have size-pls(P) = O(n 2 + nk) bits [24] whenever the labels produced by x are of k bits, and size-pls(P, D) = 0 for graphs of diameter D because the verifier can gather all labels, and all edges at every node in D + 1 rounds.

Definition 1.
Let I ⊆ N + , and let f : I → N + .Let P be a boolean predicate on labeled graphs.A set (p t , v t ) t∈I of proof-labeling schemes for P, with respective radius t ≥ 1, scales with scaling factor f on • size-pls(P) bits for every t ∈ I. Also, (p t , v t ) t∈I weakly scales with scaling factor f on • size-pls(P) bits for every t ∈ I.
In the following, somewhat abusing terminology, we shall say that a proof-labeling scheme (weakly) scales while, formally, it should be a set of proof-labeling schemes that scales.

Remark.
At first glance, it may seem that no proof-labeling schemes can scale more than linearly, i.e., one may be tempted to claim that for every predicate P we have size-pls(P, t) = Ω 1 t • size-pls(P) .The rational for such a claim is that, given a proof-labeling scheme (p t , v t ) for P, with radius t and size-pls(P, t), one can construct a proof-labeling scheme (p, v) for P with radius 1 as follows: the certificate of every node v is the collection of certificates assigned by p t to the nodes in the ball of radius t centered at v; the verifier v then simulates the execution of v t on these certificates.In paths or cycles, the certificates resulting from this construction are of size O(t • size-pls(P, t)), from which it follows that no proof-labeling scheme can scale more than linearly.There are several flaws in this reasoning, which make it actually erroneous.First, it might be the case that degree-2 graphs are not the worst case graphs for the predicate P; that is, the fact that (p, v) induces certificates of size O(t) times the certificate size of (p t , v t ) in such graphs may be uncorrelated to the size of the certificates of these proof-labeling schemes in worst case instances.Second, in t rounds of verification every node learns not only the certificates of its t-neighborhood, but also its structure, which may contain valuable information for the verification; this idea stands out when the lower bounds for size-pls(P) are established using labeled graphs of constant diameter, in which case there is no room for studying how proof-labeling schemes can scale.The take away message is that establishing lower bounds of the type size-pls(P, t) = Ω( 1 t • size-pls(P)) for t within some non-trivial interval requires specific proofs, which often depend on the given predicate P.
Communication Complexity.We use results from the well studied field of communication complexity [32,37].In the set-disjointness (disj) problem on k bits, each of two players, Alice and Bob, is given a k-bit string, denoted S A and S B , respectively, as input.They aim at deciding whether S A ∩ S B = ∅, i.e., whether there does not exist i ∈ {1, . . ., k} such that The communication complexity of a given protocol solving disj is the number of bits Alice and Bob must communicate, in the worst case, when using this protocol.The communication complexity of disj is the minimum communication complexity of a protocol solving it.
In nondeterministic communication complexity, each of the players receives, in addition to its input, a binary string as a non reliable hint (these hints may depend on both input strings).For example, a good hint for disj, i.e., deciding whether there exists i ∈ {1, . . ., k} such that S A [i] = S B [i] = 1, is the index i itself.Indeed, if one of the two players receives i as a hint, he or she can send it to the other player, and they both check that S A [i] = 1 and The communication complexity of a nondeterministic protocol for disj is the sum of the number of bits the players exchange and the number of nondeterministic proof bits provided to the players in the worst case.The nondeterministic communication complexity of disj is the minimum, among all nondeterministic protocols for disj, of the communication complexity of that protocol.The nondeterministic communication complexity of disj is known to be Ω(k), as a consequence of, e.g., Example 1.23 and Definition 2.3 in [32].

All Proof-Labeling Schemes Scale Linearly in Trees
This section is entirely dedicated to the proof of one of our main results, stating that every predicate on labeled trees has a proof that scales linearly.Further in the section, we also show how to extend this result to cycles and to grids, and, more generally, to multi-dimensional grids and toruses.

Linear scaling for trees
Theorem 2. Let P be a predicate on labeled trees, and let us assume that there exists a (distance-1) proof-labeling scheme (p, v) for P, with size(p, v) = k.Then there exists a proof-labeling scheme for P that scales linearly, that is, size-pls(P, The rest of this subsection is dedicated to the proof of Theorem 2. So, let P be a predicate on labeled trees, and let (p, v) be a proof-labeling scheme for P with size(p, v) = k.First, note that we can restrict attention to trees with diameter > t.Indeed, predicates on labeled trees with diameter ≤ t are easy to verify since every node can gather the input of the entire tree in t rounds.More precisely, if we have a scheme that works for trees with diameter > t, then we can trivially design a scheme that applies to all trees, by adding a single bit to the certificates, indicating whether the tree is of diameter at most t or not.
The setting of the certificates in our scaling scheme is based on a specific decomposition of given tree T .
Tree decomposition.Let T be a tree of diameter > t, and let For assigning the certificates, the tree T is rooted at some node r.A node u such that dist T (r, u) ≡ 0 (mod h), and u possesses a subtree of depth at least h − 1 is called a border node.Similarly, a node u such that dist T (r, u) ≡ −1 (mod h), and u possesses a subtree of depth at least h − 1 is called a extra-border node.A node that is a border or an extra-border node is called a special node.All other nodes are standard nodes.For every border node v, we define the domain of v as the set of nodes in the subtree rooted at v but not in subtrees rooted at border nodes that are descendants of v. Lemma 3.

1.
The domains form a partition of the nodes in the tree T .

Two adjacent nodes of T are in different domains if and only if they are both special.
Proof.Let us first prove the first item.On the one hand, every node belongs to a domain.This is because every node has at least one border ancestor, since the root is a border node.Indeed, the root r has depth 0, and the diameter of T is at least t + 1, which implies that r necessarily possesses a subtree of depth at least h − 1.On the other hand, every node u belongs to a unique domain.This is simply because the closest border ancestor of u is uniquely defined.
To establish second item, we consider the domain of a border node u.Note that, for any node v in the domain of u, v is a descendent of u in T , and all the nodes in the shortest path between u and v are also in the domain of u.Thus the domain of u is indeed a tree rooted at u.The depth of a domain is at least h − 1.Indeed, if the subtree rooted at u has depth < h − 1, then, by definition, u is not special.It remains to show that the depth of a domain is at most 2h − 1.Let us assume for the purpose of contradiction that the depth d of the domain of u satisfies d > 2h − 1.Then there exists a path of length at least 2h starting at u, and going downward the tree for reaching a leaf v of this domain.Then let us consider the node u of that path which is at distance h from u. Node u is not a border node, since otherwise v would not be in domain of u but in the domain of u .However, node u is a border node as its depth is 0 modulo k, and it has a subtree of depth at least d − h > h − 1.This contradiction completes the proof of item 2.
Finally, for establishing the third item, let us consider an edge {u, v} in the tree T , and let us assume, w.l.o.g., that u is the parent of v in T .By construction, there can be three cases only.If none of the two nodes u and v is a border node, then both belong to the same domain, as they have the same closest border ancestor.If u is a border node, and v is a standard node, then v is in the domain of u.Finally, if v is a border node, then necessarily u is an extra-border node, in which case u and v do not belong to the same domain since v is in its own domain, while u cannot belong to the domain of v. Therefore, Item 3 holds in these three cases.
Verifying the decomposition.The certificates of the distance-t proof-labeling scheme will contains a 2-bit field indicating to each node whether it is a root, border, extra-border, or standard node.Let us show that this part of the certificate can be verified in t rounds.The prover orients the edges of the tree towards the root r.It is well-known that such an orientation can be given to the edges of a tree by assigning to each node its distance to the root, modulo 3.These distances can obviously be checked locally, in just one round.So, in the remaining of the proof, we assume that the nodes are given this orientation upward the tree.The following lemma proves that the decomposition into border, extra-border, and standard nodes can be checked in t rounds.Lemma 4. Given a set of nodes marked as border, extra-border, or standard in an oriented tree, there is a verification protocol that checks whether that marking corresponds to a tree decomposition such as the one described above, in 2h < t rounds.
Proof.The checking procedure proceeds as follows.The root r checks that it is a border node.Every border node checks that its subtree truncated at depth 2h fits with the decomposition.That is, it checks that: (1) no nodes in its subtree are border nodes except nodes at depth h and 2h, (2) no nodes in its subtree are extra-border nodes except nodes at depth h − 1 and 2h − 1, and (3) the nodes in its subtree that are special at depth h − 1 and h do have a subtree of depth at least h − 1.By construction, this procedure accepts any marking which is correct with respect to the decomposition rule.
Conversely, let us suppose that the algorithm accepts a marking of the nodes.We prove that this marking is necessarily correct.We proceed by induction on the depth of the nodes.At the root, the verifier checks that r is special as a border node, and it checks that the domain of r is correctly marked.In particular, it checks that the nodes of depth h that are not in its domain are properly marked as border nodes.So, the base of the induction holds.Now, assume that, for α ≥ 0, all the domains whose border nodes stand at depth at most αh are properly marked.The fact that the border nodes at depth αh accept implies that all the nodes at depth (α + 1)h that are not in the domain of the border nodes at depth αh are properly marked.These nodes verify their own domains, as well as all the domains down to depths (α + 1)h, are all correct.Since none of these nodes reject, it follows that all the domains whose border nodes stand at depth at most (α + 1)h are properly marked.This completes the induction step, and hence the proof of the lemma.
We are now ready to describe the distance-t proof-labeling scheme.From the previous discussions, we can assume that the nodes are correctly marked as root, border, extra-border, and standard, with a consistent orientation of the edges towards the root.
The distance-t proof-labeling scheme.We are considering the arbitrarily given predicate P on labeled trees, with its proof-labeling scheme (p, v) using certificates of size k bits.Before reducing the size of the certificates to O(k/t) by communicating at distance t, we describe a proof-labeling scheme at distance t which still uses large certificates, of size O(k), but stored at a few nodes only, with all other nodes storing no certificates.Lemma 5.There exists a distance t proof-labeling scheme for P, in which the prover assigns certificates to special nodes only, and these certificates have size O(k).
Proof.On legally labeled trees, the prover provides every special node (i.e., every border or extra-border node) with the same certificate as the one provided by p.All other nodes are provided with no certificates.
On arbitrary labeled trees, the verifier is active at border nodes only, and all non-border nodes systematically accept (in zero round).At a border node v, the verifier first gathers all information at distance 2h.This includes all the labels of the nodes in its domain, and of the nodes that are neighbors to a node in its domain.Then v checks whether there exists an assignment of k-bit certificates to the standard nodes in its domain that results in v accepting at every node in its domain.If this is the case, then v accepts, else it rejects.There is a subtle point worth to be mentioned here.The value of k may actually depend on n, which is not necessarily known to the nodes.Nevertheless, this can be easily fixed as follows.The t-PLS prover is required to provide all nodes with certificates of the same size (the fact that all certificates have identical size can trivially be checked in just one round).Then k is simply inferred from the certificate size in the t-PLS, by multiplying this size by t, whose value is, as specified in Section 2, given as input to each node.
Note that, as every border node v has a complete view of its whole domain, and of the nodes at distance 1 from its domain, v considers all the nodes that are used by v executed at the nodes of its domain.Also note that the execution of v at nodes in the domain of v concerns only nodes that are either in the domain of v, or are special.This follows from the third item in Lemma 3. Thus no two border nodes will simulate the assignment of certificates to the same node.
We now prove that, in an oriented marked tree, this scheme is correct.
-Assume first that the labeled tree satisfies the predicate P. Giving to the special nodes the certificates as assigned by p, all the border nodes will be able to find a proper assignment of the certificates for the standard nodes in their domain so that v accepts at all these nodes, since, as the labeled tree satisfies the predicate P, there must exists at least one.This leads every node to accept.
-Suppose now that every border node accepts.It follows that, for every border node, there is an assignment of certificates to the nodes in its domain such that v accepts these certificates at every node.The union of these partial assignments of certificates defines a certificate assignment to the whole tree that is well-defined according to the first item of Lemma 3. A every node, v accepts since it has the same view as in the simulation performed by the border nodes in their respective domains.Thus v accepts at every node of T , and therefore it follows that the labeled tree satisfies P.
Lemma 5 basically states that there is a distance-t proof-labeling scheme in which the prover can give certificates to special nodes only.We now show how to spread out the certificates of the border and extra-border nodes to obtain smaller certificates.The following lemma is the main tool for doing so.As this lemma is also used further in the paper, we provide a generalized version of its statement, and we later show how to adapt it to the setting of the current proof.
We say that a local algorithm A recovers an assignment of certificates provided by some prover q from an assignment of certificates provided by another prover q if, given the certificates assigned by q as input to the nodes, A allows every node to output its certificate such as assigned by q.We define a special prover as a prover which assigns certificates only to the special nodes, all other nodes being given empty certificates.Lemma 6.There exists a local algorithm A satisfying the following.For every s ≥ 1, for every oriented marked tree T of depth at least s, and for every assignment of b-bit certificates provided by some special prover q to the nodes of T , there exists assignment of O(b/s)-bit certificates provided by a prover q to the nodes of T such that A recovers q from q is s rounds.
Proof.We first describe the prover q .For each border node v, let us partition the certificate q(v) assigned to node v by the special prover q into s parts of size at most b/s .Then one picks an arbitrary path starting from v, of length s − 1, going downward the tree.Note that such a path exists since v is a border node.For every i ∈ {0, . . ., s − 1}, the ith part of the certificate q(v) is assigned to the ith node of that path as its certificate in q .As such, every node is given at most one part of the initial certificates, as the paths starting at each of the border nodes are non intersecting.To recover the original certificates, for every border node v, the algorithm A simply inspects the tree at distance s − 1 downward, for gathering all the parts of the initial certificate q(v) of v. Then v concatenates these parts, and v outputs the resulting certificate.All other nodes output a certificate formed by the empty string.
We have now all the ingredients to prove Theorem 2.
Proof of Theorem 2. In the distance-t proof-labeling scheme, the prover chooses a root and an orientation of the tree T , and provides every node with a counter modulo 3 in its certificate allowing the nodes to check the consistency of the orientation.Then the prover constructs a tree decomposition of the rooted tree, and provides every node with its type (root, border, extra-border, or standard) in its certificates.Applying Lemmas 5 and 6, the prover spreads the certificates assigned to the special nodes by p. Every node will get at most two parts, because only the paths associated to a border node and to its parent (an extra-border node) can intersect.Overall, the certificates have size O(k/h) = O(k/t).The verifier checks the orientation and the marking, then recovers the certificates of the special nodes, as in Lemma 6, and performs the simulation as in Lemma 5.This verification can be done with a view of radius t ≤ 2h, yielding the desired distance-t proof labeling scheme.

Linear scaling in cycles and grids
For the proof techniques of Theorem 2 to apply to other graphs, we need to compute a partition of the nodes into the two categories, special and standard, satisfying three main properties.First, the partition should split the graph into regions formed by standard nodes, separated by special nodes.Second, each region should have a diameter small enough for allowing special nodes at the border of the region to simulate the standard nodes in that region, as in Lemma 5. Third, the regions should have a diameter large enough to allow efficient spreading of certificates assigned to special nodes over the standard nodes, as in Lemma 6.For any graph family in which one can define such a decomposition, an analogue of Theorem 2 holds.We show that this is the case for cycles and grids.

Corollary 7.
Let P be a predicate on labeled cycles, and let us assume that there exists a (distance-1) proof-labeling scheme (p, v) for P with size(p, v) = k.Then there exists a proof-labeling scheme for P that scales linearly, that is, size-pls(P, t) = O k t .The same holds for predicates on 2-dimensional labeled grids.
Proof.We just explain how the proof of Theorem 2 can be adapted to apply for cycles and grids.
For every labeled cycle, the prover picks an arbitrary node r, which will play the same role as the root chosen in the proof of Theorem 2, and an orientation of the cycle pointing toward r.The chosen node is called leader.Let h = t/2 .The prover marks as border node every node u such that dist(r, u) ≡ 0 (mod h), where the distance is taken in the oriented cycle.Similarly, the prover marks as extra-border node every node u such that dist(r, u) ≡ −1 (mod h).Note that the border and extra-border nodes that are the furthest away from the leader by the orientation may actually be close to the leader in the undirected cycle.As this may cause difficulties for spreading the certificates, the prover does not mark them, and keep these nodes standard.The domain of a border node is defined in a way similar to trees.The leader, the orientation, and the marking can be checked in a way similar to the proof of Lemma 4. In particular, observe that that the size of each domain is at most t.The marking separates the graph into independent domains that can be simulated in parallel as in Lemma 5.The diameter of each domain is at least t/2 which allows to do the spreading as in Lemma 6, resulting in certificates of size O(k/t).
For every labeled grid, the prover provides the edges with north-south and east-west orientations, using two counters modulo 3.In a grid p×q with n = pq nodes, this orientation induces a coordinate system with edges directed from (0, 0), defined as the south-west corner, to (p, q), defined as the north-east corner.The leader is the node at position (0, 0).Let h = t/4 .The partition of the nodes is as follows.Every node with coordinate (x, y) where both x and y are 0 modulo h are the border nodes.Non-border nodes with coordinate (x, y) where x or y equals 0 or −1 modulo h are extra-border nodes.Now, as for cycles, we slightly modify that decomposition for avoiding domains with too small diameter.Specifically, northmost border and extra-border nodes, and the east-most border and extra-border nodes are turned back to standard nodes.The domain of a border node is composed of all nodes with larger x-coordinate and larger y-coordinates for which there are no closer border node in the oriented grid.Using the same technique as in the proof of Lemma 4, this partition of the nodes can be checked locally.The simulation as performed in the proof of Lemma 5 can be performed similarly using that decomposition, because the domains have diameter at most t, and are well separated by special nodes.Finally, the spreading of the certificates as in Lemma 6 can be done in the following way.For every special node (x, y) where x equals 0 or −1 modulo h, the certificate is spread over the h − 1 nodes to the east.For every special node (x, y) where y equals 0 or −1 modulo h, the certificate is spread over the h − 1 nodes to the north.Note that there is always enough space to the east or to the north of the special nodes as we have removed the special nodes that could be too close to the east and north borders.Also note that some node have their certificates spread in two directions, but this does not cause problem as it just increases the size of the certificates by a constant factor.
By the same techniques, Corollary 7 can be generalized to toroidal 2-dimensional labeled grids, as well as to d-dimensional labeled grids and toruses, for every d ≥ 2.

Universal Scaling of Uniform Proof-Labeling Schemes
It is known [33] that, for every predicate P on labeled graphs with size-pls(P) = Ω(n 2 ), there is a proof-labeling scheme that scales linearly on the interval [1, D] in graphs of diameter D. We show that, in fact, the scaling factor can be much larger.First, recall that a graph G = (V, E) has growth b = b(t) if, for every v ∈ V , and every t ∈ We say that a proof-labeling scheme is uniform if the same certificate is assigned to all nodes by the prover.
Theorem 8. Let P be a predicate on labeled graphs, and let us assume that there exists a uniform 1-PLS (p, v) for P with size(p, v) = k.There is a proof-labeling scheme for P that weakly scales with scaling factor b(t) on graphs of growth b(t).More specifically, let Proof.Let s = (s 1 , . . ., s k ), where s i ∈ {0, 1} for every i = 1, . . ., k, be the k-bit certificate assigned to every node of a graph G = (V, E).Let t ≥ 1 be such that k ≥ b(t) ≥ c log n for a constant c large enough.For every node v ∈ V , we set the certificate of v, denoted s (v) , as follows: for every i = 1, . . ., k, v stores the pair (i, s i ) in s (v) with probability On the one hand, for every v ∈ V , let X v be the random variable equal to the number of pairs stored in s (v) .By Chernoff bounds, we have Pr[ . Therefore, by union bound, the probability that a node v stores more than , which is less than 1 2 for c large enough.On the other hand, for every v ∈ V , and every i = 1, . . ., k, let Y v,i be the number of occurrences of the pair (i, s i ) in the ball of radius t centered at v. By Chernoff bound, we have Pr . Therefore, by union bound, the probability that there exists a node v ∈ V , and an index i ∈ {1, . . ., k} such that none of the nodes in the ball of radius t centered at v store the pair (i, s i ) is at most kn 1−c/8 , which is less than 1  2 for c large enough.
It follows that, for c large enough, the probability that no nodes store more than O(k/b(t)) pairs (i, s i ), and every pair (i, s i ) is stored in at least one node of each ball of radius t, is positive.Therefore, there is a way for a prover to distribute the pairs (i, s i ), i = 1, . . ., k, to the nodes such that (1) no nodes store more than O(k/b(t)) bits, and (2) every pair (i, s i ) appears at least once in every t-neighborhood of each node.At each node v, the verification procedure first collects all pairs (i, s i ) in the t-neighborhood of v, in order to recover s, and then runs the verifier of the original (distance-1) proof-labeling scheme.Finally, we emphasize that we only use probabilistic arguments as a way to prove the existence of certificate assignment, but the resulting proof-labeling scheme is deterministic and its correctness is not probabilistic.Theorem 8 finds direct application to the universal proof-labeling scheme [24] using O(n 2 + kn) bits in n-node graphs labeled with k-bit labels.Indeed, the certificate of each node consists of the n × n adjacency matrix of the graph, the array of n entries, each one equal to the k-bit label at the corresponding node, and the array of n entries listing the identities of the n nodes.It was proved in [33] that the universal proof-labeling scheme can be scaled by a factor t. Theorem 8 significantly improves that result, by showing that the universal proof-labeling scheme can actually be scaled by a factor b(t), which can be exponential in t.Corollary 9.For every predicate P on labeled graphs, there is a proof-labeling scheme for P as follows.For every graph G with growth b(t), let Then, for every t ≥ t 0 we have size-pls(P, t) = O n 2 +kn b(t) .Theorem 8 also tells us that, if a proof-labeling scheme is involving certificates in which the same k-bit sub-certificate is assigned to every node, then the size of this common subcertificate can be drastically reduced by using a t-round verification procedure.This is particularly interesting when the size of the common sub-certificate is large compared to the size of the rest of the certificates.An example of such a scheme is in essence the one described in [30,Corollary 2.2].Given a parameter k ∈ Ω(log n), let iso k be the predicate on graph stating that there exist two vertex-disjoint isomorphic induced subgraphs of size k in the given graph.
Corollary 10.For every k ∈ 1, n 2 , we have size-pls(iso k ) = Θ(k 2 ) bits, and, for every Proof.We first sketch a 1-PLS.Every node is given as certificate the k × k adjacency matrix of the two isomorphic subgraphs, along with the corresponding IDs of the nodes in the two subgraphs.The certificates also provides each node with the ID of an arbitrary node in each subgraphs, that we call the leaders.In addition, the nodes are given certificates that correspond to two spanning trees rooted at the two leaders.The verification procedure works as follows.Every node first checks that the spanning trees structures are correct.Then the roots of the spanning trees check that they are marked as leader.Finally every node whose ID appear in one of the two adjacency matrices checks that its actual neighborhood corresponds to what it should be according to the given adjacency matrices.By construction, this is a valid 1-PLS, using certificates on O(k 2 + log n) bits.A simple adaptation of the proof of [24,Theorem 6.1] enables to prove that Ω(k 2 ) bits are needed.The result regarding t-PLS is a direct application of Theorem 8 to the part of the certificate that is common to all nodes.

Certifying Distance-Related Predicates
For any labeled (weighted) graph (G, x), the predicate diam on (G, x) states whether, for every v ∈ V (G), x(v) is equal to the (weighted) diameter of G.
Theorem 11.There is a proof-labeling scheme for diam that scales linearly between [c log n, n/ log n], for some constant c.More specifically, there exists c > 0, such that, for every t ∈ [c log n, n/ log n], size-pls(diam, t) = O n t .Moreover, no proof-labeling schemes for diam can scale more than linearly on the interval [1, n/ log n], that is, for every t ∈ [1, n/ log n], size-pls(diam, t) = Ω n t .The theorem follows from the next lemmas.Lemma 12.There exists a constant c, such that for every t ∈ [c log n, n], size-pls(diam, t) = O n log 2 n t .
Proof.A proof-labeling scheme for diameter with optimal certificate size Θ(n log n) bits has been designed in [12].We simply use this scheme for certifying that, for every node v, the diameter of the graph is at least x(v).Indeed, [12] uses only O(log n)-bit certificates to certify the existence of a pair of nodes at mutual distance at least x(v) in the graph.The rest of the proof is dedicated to certifying that no pairs of nodes are at distance more than x(v) in the graph, i.e., "diameter ≤ x(v)".Namely, we show how the scheme in [12] scales with the radius of verification.For this purpose, let us briefly recall this scheme.Each node v of a graph G = (V, E) is provided with a certificate D v consisting of a table with n entries storing the ID of every node in G, and the distance to these nodes.(Every certificate is therefore on O(n log n) bits).Somewhat abusing notations, let us denote by D v (u) the distance to node u, as stored in table D v .The verification proceeds by, first, having each node checking that it stores the same set of IDs as the ones stored by its neighbors, and that its own ID appears in its table.Second, each node checks that the distances in its certificate vary as expected.That is, each node v checks that: (1) D v (v) = 0, (2) for every node u and every neighbor v , Finally, every node v checks that D v (u) ≤ x(v) for every node u.This verification process is correct, as shown in [12].Now, let t ≥ c log n for a constant c > 0 large enough, and let us construct a prooflabeling scheme for "diameter ≤ x(v)", with radius t.The idea is that each node v does not store all entries in the table D v but only a fraction t of these entries.The issue is to select which entries to keep, and which entries to drop.For our scheme to work, we need to guarantee that, if the distance to node u is not stored in D v , then there is a node v on a shortest path from v to u, at distance at most t from v, that stores dist(v , u) in its table D v .To achieve this, for every node u = v, each node v keeps dist(v, u) in its table D v with probability c log n t .(Node v systematically keeps D v (v) = 0 in its table).From this setting, we derive the following two properties.

1.
For every pair of nodes (u, v), let us denote by P v,u the path of length t formed by the t first nodes on a shortest path from v to u, and let X v,u denote the sum of t Bernoulli random variables with parameter c log n t .By the use of the same Chernoff bound as in the proof of Theorem 8, we have Pr[X v,u ≤ 1 2 c log n] ≤ e − c 8 log n = n −c/8 < 1 2n 2 for c large enough.Therefore, by union bound, the probability that there exists a pair of nodes (u, v) such that no nodes of P v,u store the distance to node u is less than 1 2 .2. For every node v, let Y v be the number of nodes for which v keeps the distance these nodes.Again, by Chernoff bound, for c large enough.Therefore, by union bound, the probability that there exists a node v that stores the distances to more than 2cn log n t nodes is less than 1 2 .
Let E v,u be the event "at least one node of P v,u stores its distance to node u", and let E v be the event "node v stores no more than 2cn ln n t distances to other nodes".We derive from the above that Pr It follows that there exists an assignment of entries to be kept in each table D v , v ∈ V , such that each resulting partial table is of size O n log 2 n t bits, and, for every two nodes u and v, at least one node at distance at most t, on a shortest path from v to u, stores its distance to node u.
It remains to show that these sparse certificates can be verified in t rounds.Let B(v, t) be the ball of radius t around v. Each node v verifies that, first, for every node v ∈ B(v, t) such that both v and v stores the distance to a same node u, we have and, second, for every node u such that v stores its distance to u, there exists a node for every node u.If all these tests are passed, then v accepts, otherwise it rejects.
By the setting of the partial tables D v , v ∈ V , in a legal instance, we get that D v (u) = dist(v, u) for every node u, and therefore all nodes accepts.Instead, if there exists (u, v) ∈ V × V such that information about u are stored in D v , but D v (u) = dist(u, v), then let us consider such a pair (u, v) where D v (u) is minimum.For v to accept, there must exist some node The lower bound graph construction.Thin lines represent P -paths, thick lines represent (2t + 1)-paths, and the dashed lines represent edges who's existence depend on the input.The paths connecting i and ri to their binary representations are omitted, except for those of 0 and r0.exist, and thus v rejects.It follows that this scheme is a correct t-PLS for diameter, using O n log 2 n t -bit certificates.

Lemma 13. For every
Peleg and Rubinovich [36] proved distributed lower bounds by a reduction to communication complexity; Abboud et al [1] gave a lower bound on the approximability of the diameter, using a simpler reduction; both results are in the congest model.We adapt the graph construction from the latter and the simulation construction of the former in order to prove lower bounds on the label size in the t-PLS model.Interestingly, in our model there are no bandwidth restrictions, which makes it more similar to the local model than to the congest model, yet our lower bounds are based on a congest lower bound.
We now describe the construction of the lower bound graph (see Figure 1).Let k = Θ(n) be a parameter whose exact value will follow from the graph construction.Alice and Bob use the graph in order to decide disj on k-bit strings.Let P ≥ 1 be a constant, and let t be the parameter of the t-PLS, which may or may not be constant.The graph consists of the following sets of nodes: L = { 0 , . . ., k−1 }, L = 0 , . . ., k−1 , T = {t 0 , . . ., t log k−1 }, F = {f 0 , . . ., f log k−1 }, and k and k+1 , which will be simulated by Alice, and similarly and r k and r k+1 , which will be simulated by Bob.
The nodes are connected by paths, where the paths consist of additional, distinct nodes.For each 0 ≤ i ≤ k − 1, connect with P -paths (i.e., paths of P edges and P − 1 new nodes) the following pairs of nodes: ( i , i ), ( i , k ), ( k , k+1 ), (r i , r i ), (r i , r k ), and (r k , r k+1 ).Add such paths also between k+1 and all t h ∈ T and f h ∈ F , and between r k+1 and all t h ∈ T and f h ∈ F .Connect by a P -path each i ∈ L with the nodes representing its binary encoding, that is, connect i to each t h that satisfies i[h] = 1, and to each f h that satisfies i[h] = 0, where i[h] is bit h of the binary encoding of i. Add similar paths between each r i ∈ R and its encoding by nodes t h and f h .In addition, for each 0 ≤ h ≤ log k − 1, add a (2t + 1)-path from t h to f h and from f h to t h , and a similar path from k+1 to r k+1 .
The lower bound graph construction for t = 3, and the sets of nodes simulated by Alice in the three rounds of verification.Alice eventually knows the outputs of all the nodes in the light-shaded set.
Assume Alice and Bob want to solve the disj problem for two k-bit strings S A and S B using a non-deterministic protocol.They build the graph described above, and add the following edges: ( i , k+1 ) whenever S A [i] = 0, and (r i , r k+1 ) whenever S B [i] = 0.The next claim is at the heart of our proof.Proof.A more detailed analysis can be found in [1].Each node in L, T, F or on a path connecting two such nodes is at distance at most 2P from k+1 , and each node in R, T , F or in a path connecting two such nodes is at distance at most 2P from r k+1 .Since k+1 and r k+1 are connected by a (2t + 1)-path, the distance between every two nodes in L, R, T, F, T , F or on a path between them is at most 4P + 2t + 1.
Consider two nodes i and r j with indices i = j, an index h such that i[h] = j[h], and assume w.l.o.g that h[i] = 1.In this case, there is a simple path connecting the following nodes: i , i , t j , f h , r j , r j , and its length is 4P + 2t + 1.For two nodes i and r i of the same index, a simple case analysis shows that the distance between these nodes is at most 6P + 2t + 1.
To see the claim, note that if the inputs are disjoint then for every 0 ≤ i ≤ k − 1, at least one of the edges ( i , k+1 ) or (r i , r k+1 ) exists, and thus there is a (4P + 2t + 2)-path between i and r i , through k+1 or through r k+1 , e.g.i , k+1 , r k+1 , r k , r i , r i .The other distances in the graph are not larger, and the distance between i and r i is indeed 4P + 2t + 2 whenever S A [i] = 0 or S B [i] = 05 so the diameter is indeed 4P + 2t + 2. On the other hand, if the sets are not disjoint, there is an index i such that S A [i] = S B [i] = 1, and the distance between i and r i is 6P + 2t + 1 so the diameter is at least 6P + 2t + 1.
With this claim in hand, we are ready to prove Lemma 13.
Proof of Lemma 13.Fix t ∈ [1, n/ log n], and let S A and S B be two input strings for the disj problem on k bits.We show how Alice and Bob can solve disj on S A and S B in a nondeterministic manner, using the graph described above and a t-PLS for diam = 4P + 2t + 2.
Alice and Bob simulate the verifier on the labeled graph.The nodes simulated by Alice, denoted A, are L ∪ L ∪ T ∪ F ∪ { k , k+1 } and all the paths between them, and by Bob, denoted B, are R ∪ R ∪ T ∪ F ∪ {r k , r k+1 } and the paths between them.For each pair of nodes (a, b) ∈ A×B that are connected by a (2t+1)-path, let P ab be this path, and {P ab (i)}, i = 0, . . ., 2t + 1 be its nodes in consecutive order, where P ab (0) = a and P ab (2t + 1) = b.Let C be the set of all (2t + 1)-path nodes, i.e.C = V \ (A ∪ B).The nodes in C are simulated by both players, in a decremental way described below.
Alice interprets her nondeterministic string as the certificates given to the nodes in A∪C, and she sends the certificates of C to Bob. Bob interprets his nondeterministic string as the certificates of B, and gets the certificates of C from Alice.They simulate the verifier execution for t rounds, where, in round r = 1, . . ., t, Alice simulates the nodes of A and all nodes P ab (i) with (a, b) ∈ A × B and i ≤ 2t + 1 − r, while Bob simulates the nodes of B and all nodes P ab (i) with i ≥ r.
Note that this simulation is possible without further communication.The initial state of nodes in A is determined by S A , the initial state of the nodes P ab (i) with i ≤ 2t is independent of the inputs, and the certificates of both node sets are encoded in the nondeterministic string of Alice.In each round of verification, all nodes whose states may depend on the input of Bob or on his nondeterministic string are omitted from Alice's simulation, and so she can continue the simulation without communication with Bob.Similar arguments apply to the nodes simulated by Bob.Finally, each node is simulated for t rounds by at least one of the players.Thus, if the verifier rejects, that is, at least one node rejects, then at least one of the players knows about this rejection.
Using this simulation, Alice and Bob can determine whether disj on (S A , S B ) is true as, from Claim 1, we know that if it is true then diam = 4P + 2t + 2, and the verifier of the PLS accepts, while otherwise it rejects.The nondeterministic communication complexity of the true case of disj on k-bit strings is Ω(k) = Ω(n), so Alice and Bob must communicate this amount of bits.From the graph definition, |C| = Θ(t log n) which implies size-pls(diam, t) = Ω n t log n , as desired.
Let β be a non-negative integer.For any labeled graph (G, x), β-additive spanner is the predicate on (G, x) that states whether, for every v ∈ V (G), x(v) ⊆ {ID(w), w ∈ N (v)} for every v ∈ V (G), and whether the collection of edges E H = {{v, w}, v ∈ V (G), w ∈ x(v)} forms a β-additive spanner of G, i.e., a subgraph H of G such that, for every two nodes s, t, we have dist H (s, t) ≤ dist G (s, t) + β.Similarly, the predicate (α, β)-spanner on (G, x) states whether H is such that, for every two nodes s, t, dist H (s, t) ≤ α dist G (s, t) + β.Theorem 14.There is a proof-labeling scheme for additive-spanner that weakly scales linearly on the interval [1, n/ log n].More precisely, for every pair of integers α ≥ 1 and β ≥ 0, there is a one-round proof-labeling scheme for (α, β)-spanner of size O(n), and a t-round proof-labeling scheme of size O( n t ).Moreover, this is optimal for additive spanners with a constant β and t ∈ [1, n/ log n], that is, size-pls(β-additive spanner, t) = Θ( n t ) for β and t as above.
Proof.The upper bound proof is similar to the one of Lemma 12 for diameter.Specifically, instead of using a unique table D v storing distances in the graph, every node v stores two tables D v and D v , where D v stores the distances in the spanner.To scale, each node keeps only a fraction c log n t of the entries in each table, for some constant c > 0. For c large enough, this is sufficient for every node to recover its distance to every other node in both the graph and the spanner, by using the same arguments as in the proof of Lemma 12.The verification again proceeds as in the proof of Lemma 12, excepted that, instead of checking whether D v (u) ≤ x(v) for every node u, every node v checks that, for every node u, D v (u) ≤ αD v (u) + β or D v (u) ≤ D v (u) + β, depending on whether one is dealing with general spanners or additive spanners, respectively.Correctness directly follows from the same arguments as in the proof of Lemma 12.
To achieve the lower bound, we use the same construction as in the proof of Lemma 13.The original graph is the graph described above for the case where both S A and S B are the all-0 strings, i.e. all the potential edges are present in the graph.To decide disj, Alice and Bob build a spanner for this graph in the same manner as in the proof of Lemma 13, i.e. keep all the nodes and paths, and keep the edges that correspond to zeros in their input strings.This construction guarantees that each graph edge that is not in the spanner can be replaced by a 2P -path in it.If the inputs are disjoint, then at most one edge in each shortest path is not in the spanner, so the stretch is at most 2P − 1.On the other hand, if the inputs are not disjoint then there is a pair ( i , r i ) that stretches from 4P + 2t + 1 in the original graph to 6P + 2t + 1 in the spanner.

Distributed Proofs for Spanning Trees
In this section, we study two specific problems which are classical in the domain of prooflabeling schemes: the verification of a spanning tree, and of a minimum-weight spanning tree.The predicates st and mst are the sets of labeled graphs where some edges are marked and these edges form a spanning tree, and a minimum spanning tree, respectively.We present proof-labeling schemes for them that scale linearly in t.Note that st and mst are problems on general labeled graphs and not on trees, i.e., the results in this section improve upon Section 4 (for these specific problems), and are incomparable with the results of Section 3. Formally, let F be the family of all connected undirected, weighted, labeled graphs (G, x).For simplicity, we assume all edge weights are distinct, and thus the minimum spanning tree is also unique.Each label x(v) contains a (possibly empty) subset of edges adjacent to v, which is consistent with the neighbors of v, and we denote the collection of edges represented in x by T x .In the st (respectively, mst) problem, the goal is to decide for every labeled graph (G, x) ∈ F whether T x is a spanning tree of G (respectively, whether T x is a spanning tree of G with the sum of all its edge-weights minimal among all spanning trees of G).For these problems we have the following results.Theorem 15.For every t ∈ O(log n), we have that size-pls(st, t) = O log n t .Ostrovsky et al. [33,Theorem 8] designed a t-distance proof-labeling scheme for acyclicity, with (log n/t)-bit certificates, for t ≤ min {log n, D}.Here, D is the diameter of the graph, which is at least the largest depth of a tree in it.In the scheme, each tree is oriented outwards from an arbitrarily chosen root, and after running the verification process, each node knows who is his parent in its tree, and the root of each tree knows it is the root.This scheme plays an essential role in the proof of Theorem 15.

Proof of Theorem 15.
To prove that a marked subgraph T x is a spanning tree, we need to verify it has the following properties: (1) spanning the graph, (2) acyclic, (3) connected.We choose an arbitrary node as the root of T x .
The certificate of a node v is composed of three parts: a bit indicating whether the tree is shallow as in the proof of Theorem 2, O(log n/t)-bits by the scheme of Ostrovsky et al. [33,Theorem 8] for acyclicity, and O(log n/t)-bits that are a part of the ID of the root, as in the proof of Theorem 2.
In the verification process, the nodes first verify they all have the same first bit.If the tree is shallow, all nodes but the root accept, and the root collects the whole structure of the graph and of T x and verifies it is a spanning tree.Otherwise, each node verifies that at least one of its edges is marked to be in T x , making sure T x is spanning all the graph.The nodes then run the verification process from [33,Theorem 8], while ignoring edges not in T x , to make sure the graph is acyclic.Finally, they all run the reconstruction process from Theorem 8 to find the root ID, and the root of T x (as defined by the acyclicity scheme) verifies this root ID is indeed its own ID.This guarantees T x is a connected forest, i.e. a tree, as desired.
Theorem 16.For every t ∈ O(log n), we have that size-pls(mst, t) = O log 2 n t .
The upper bound matches the lower bound of Korman et al. [29,Corollary 3] for the specific case t = Θ(log n).Note that our theorem holds only for t ∈ O(log n), meaning that we can get from proofs of size O(log 2 n) to proofs of size O(log n), but not to a constant.
Our upper bound is based on a famous 1-round PLS for MST [29,28], which in turn builds upon the algorithm of Gallager, Humblet, and Spira (GHS) [23] for a distributed construction of MST.The idea behind this scheme is, given a labeled graph (G, x), to verify that T x is consistent with an execution of the GHS algorithm in G.
The GHS algorithm maintains a spanning forest that is a subgraph of the minimum spanning tree, i.e., the trees of the forest are fragments of the desired minimum spanning tree.The algorithm starts with a spanning forest consisting of all nodes and no edges.At each phase each of the fragments adds the minimum edge going out of it, thus merging several fragments into one.After O(log n) iterations, all the fragments are merged into a single component, which is the desired minimum-weight spanning tree.We show that each phase can be verified with O(log n/t) bits, giving a total complexity of O(log 2 n/t) bits.
Proof.Let (G, x) be a labeled graph such that T x is a minimum-weight spanning tree.If t is greater than the diameter D of G, every node can see the entire labeled graph in the verification process, and we are done; we henceforth assume t ≤ D. The certificates consist of four parts.
First, we choose a root and orient the edges of T x towards it.We give each node its distance from the root modulo 3, which allows it to obtain the ID of its parent and the edge pointing to it in one round.Second, we assign the certificate described above for st (Theorem 15), which certifies that T x is indeed a spanning tree.This takes O(log n/t) bits.
The third part of the certificate tells each node the phase in which the edge connecting it to its parent is added to the tree in the GHS algorithm, and which of the edge's endpoints added it to the tree.Note that after one round of verification, each node knows for every incident edge, at which phase it is added to the spanning tree, and by which of its endpoints.This part uses O(log log n) bits.
The fourth part of the certificate consists of O(log 2 n/t) bits, O(log n/t) for each phase of the GHS algorithm.To define the part of a certificate of every phase, fix a phase, a fragment F in the beginning of this phase, and let e = (u, v) be the minimum-weight edge going out of F , where u ∈ F and v / ∈ F .Our goal is that the nodes of F verify together that e is the minimum-weight outgoing edge of F , and that no other edge was added by F in this phase.To this end, we first orient the edges of F towards u, i.e. set u as the root of F .If the depth of F is less than t, then in t − 1 rounds the root u can see all of F and check that (u, v) is the lightest outgoing edge.All other nodes just have to verify that no other edge is added by the nodes of F in this phase.Otherwise, if the depth of F is at least t, by Theorem 8, the information about ID(u) and w(e) can be spread on F such that in t rounds it can be collected by all nodes of F .With this information known to all the nodes of F , the root can locally verify that it is named as the node that adds the edge and that it has the named edge with the right weight.The other nodes of F can locally verify that they do not have incident edges with a smaller weight, and that no other edge is added by F .This part takes O(log n/t) bits per iteration, which sums to a total of O(log 2 n/t) bits.
Overall, our scheme verifies that T x is a spanning tree, and that it is consistent with every phase of the GHS algorithm.Therefore, the scheme accepts (G, x) if and only if T x is a minimum spanning tree.

Conclusion
We have proved that, for many classical boolean predicates on labeled graphs (including MST), there are proof-labeling schemes that linearly scale with the radius of the scheme, i.e., the number of rounds of the verification procedure.More generally, we have shown that for every boolean predicate on labeled trees, cycles and grids, there is a proof-labeling scheme that scales linearly with the radius of the scheme.This yields the following question: Open Problem 1. Prove or disprove that, for every predicate P on labeled graphs, there is a proof-labeling scheme for P that (weakly) scales linearly.
In fact, the scaling factor might even be larger than t, and be as large as b(t) in graphs with ball growth b.We have proved that the uniform part of any proof-labeling scheme can be scaled by such a factor b(t) for t-PLS.This yields the following stronger open problem: Open Problem 2. Prove or disprove that, for every predicate P on labeled graphs, there is a proof-labeling scheme for P that scales with factor Ω(b) in graphs with ball growth b.
We are tempted to conjecture that the answer to the first problem is positive (as it holds for trees and cycles).However, we believe that the answer to the second problem might well be negative.In particular, it seems challenging to design a proof-labeling scheme for diam that would scale with the size of the balls.Indeed, checking diameter is strongly related to checking shortest paths in the graph, and this restricts significantly the way the certificates can be redistributed among nodes in a ball of radius t.Yet, there might be some other way to certify diam, so we let the following as an open problem: Open Problem 3. Is there a proof-labeling scheme for diam that scales by a factor greater than t in all graphs where b(t) t?