Non-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers
, 2009
Cited by 102 (8 self)
Verifiable Computation enables a computationally weak client to “outsource” the computation of a function F on various inputs x1,...,xk to one or more workers. The workers return the result of the function evaluation, e.g., yi = F(xi), as well as a proof that the computation of F was carried out correctly on the given value xi. The verification of the proof should require substantially less computational effort than computing F(xi) from scratch. We present a protocol that allows the worker to return a computationally-sound, non-interactive proof that can be verified in O(m) time, where m is the bit-length of the output of F. The protocol requires a one-time preprocessing stage by the client which takes O(C) time, where C is the smallest Boolean circuit computing F. Our scheme also provides input and output privacy for the client, meaning that the workers do not learn any information about the xi or yi values.
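The abstract above describes the interface (O(C) client preprocessing, worker returns yi plus a proof, O(m) verification, input/output privacy) but not the mechanism. The example below, added here and not code from the paper, shows the one-time building block that this line of work starts from: a Yao-style garbled circuit used as a verifiable-computation scheme. The client garbles F once, the worker evaluates the garbled circuit and returns the output-wire labels, and the client verifies by m label comparisons; because the worker only ever learns one of the two labels on each wire, it cannot forge the label of a different output value. The toy circuit, the label length, the HMAC-based row encryption and the function names are all assumptions made for the illustration. This is the one-shot version only: the paper's contribution is to make the garbled circuit reusable (using fully homomorphic encryption), which the example does not attempt.

```python
"""One-time verifiable computation from a garbled circuit (added illustration)."""
import hashlib
import hmac
import os
import secrets

LABEL_LEN = 16            # 128-bit wire labels (assumed parameter)
TAG = bytes(LABEL_LEN)    # all-zero tag marks the one table row that decrypts

GATE_FUNCS = {"AND": lambda a, b: a & b, "XOR": lambda a, b: a ^ b, "OR": lambda a, b: a | b}

# Constructed toy circuit F (hypothetical, not from the paper): input bits on
# wires 0-3, gates write wires 4-6, the output bits are wires 5 and 6:
#   y0 = (x0 AND x1) XOR x2,   y1 = x2 AND x3
CIRCUIT = {
    "n_inputs": 4,
    "gates": [("AND", 0, 1, 4), ("XOR", 4, 2, 5), ("AND", 2, 3, 6)],
    "outputs": [5, 6],
}


def plain_eval(circuit, x):
    """Reference evaluation of F in the clear, O(|C|): the work the client wants to avoid."""
    wires = {i: bit for i, bit in enumerate(x)}
    for op, a, b, out in circuit["gates"]:
        wires[out] = GATE_FUNCS[op](wires[a], wires[b])
    return [wires[w] for w in circuit["outputs"]]


def _row_pad(label_a, label_b):
    # 32-byte one-time pad for one table row, derived from the pair of input labels
    return hmac.new(label_a + label_b, b"garbled-row", hashlib.sha256).digest()


def _xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))


def garble(circuit):
    """Client's one-time preprocessing, O(|C|): two random labels per wire and one
    encrypted truth table per gate. Returns (garbled circuit for the worker, client secret)."""
    n_wires = circuit["n_inputs"] + len(circuit["gates"])
    labels = [(os.urandom(LABEL_LEN), os.urandom(LABEL_LEN)) for _ in range(n_wires)]
    tables = []
    for op, a, b, out in circuit["gates"]:
        rows = []
        for bit_a in (0, 1):
            for bit_b in (0, 1):
                out_label = labels[out][GATE_FUNCS[op](bit_a, bit_b)]
                rows.append(_xor(out_label + TAG, _row_pad(labels[a][bit_a], labels[b][bit_b])))
        secrets.SystemRandom().shuffle(rows)  # hide which row belongs to which input pair
        tables.append((a, b, out, rows))
    garbled = {"n_inputs": circuit["n_inputs"], "tables": tables, "outputs": circuit["outputs"]}
    return garbled, {"labels": labels}


def encode_input(secret, x):
    """Client sends one label per input wire; the worker never sees the bits of x."""
    return [secret["labels"][i][bit] for i, bit in enumerate(x)]


def evaluate_garbled(garbled, input_labels):
    """Worker: for each gate exactly one row decrypts to a label with a valid tag."""
    wire = dict(enumerate(input_labels))
    for a, b, out, rows in garbled["tables"]:
        pad = _row_pad(wire[a], wire[b])
        for row in rows:
            plain = _xor(row, pad)
            if plain[LABEL_LEN:] == TAG:
                wire[out] = plain[:LABEL_LEN]
                break
        else:
            raise ValueError("no row of the gate table decrypted: malformed circuit")
    return [wire[w] for w in garbled["outputs"]]


def verify(secret, garbled, output_labels):
    """Client, O(m) for m output bits: accept a returned label only if it is one of
    the two labels generated for that output wire. Returns the bits, or None on a cheat."""
    bits = []
    for w, lab in zip(garbled["outputs"], output_labels):
        l0, l1 = secret["labels"][w]
        if hmac.compare_digest(lab, l0):
            bits.append(0)
        elif hmac.compare_digest(lab, l1):
            bits.append(1)
        else:
            return None
    return bits


def outsource(circuit, x, cheating_worker=False):
    """Whole exchange: client garbles, worker evaluates, client verifies."""
    garbled, secret = garble(circuit)
    proof = evaluate_garbled(garbled, encode_input(secret, x))
    if cheating_worker:
        # The worker learns only one label per wire, so flipping an output bit
        # means forging an unknown 128-bit label; corrupting a byte stands in for that.
        proof[0] = bytes([proof[0][0] ^ 1]) + proof[0][1:]
    return verify(secret, garbled, proof)
```

The check a practitioner should take from this is the cost split: `garble` is linear in the circuit, `verify` touches only the m output wires, and a wrong answer is rejected rather than detected after the fact. The limitation is equally important: the garbled circuit must never be reused, since a worker given two input encodings for the same circuit learns both labels on some wires and can then forge outputs, which is exactly the gap the paper closes with its reusable construction.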
Separating succinct non-interactive arguments from all falsifiable assumptions
 In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, STOC ’11
, 2011
Cited by 42 (1 self)
An argument system (computationally sound proof) for NP is succinct if its communication complexity is polylogarithmic in the instance and witness sizes. The seminal works of Kilian ’92 and Micali ’94 show that such arguments can be constructed under standard cryptographic hardness assumptions with four rounds of interaction, and that they can be made non-interactive in the random-oracle model. The latter construction also gives us some evidence that succinct non-interactive arguments (SNARGs) may exist in the standard model with a common reference string (CRS), by replacing the oracle with a sufficiently complicated hash function whose description goes in the CRS. However, we currently do not know of any construction of SNARGs with a proof of security under any simple cryptographic assumption. In this work, we give a broad black-box separation result, showing that black-box reductions cannot be used to prove the security of any SNARG construction based on any falsifiable cryptographic assumption. This includes essentially all common assumptions used in cryptography (one-way functions, trapdoor permutations, DDH, RSA, LWE etc.). More generally, we say that an assumption is falsifiable if it can be modeled as an interactive game between an adversary and an efficient challenger that can efficiently decide if the adversary won the game. This is similar, in spirit, to the notion of falsifiability of Naor ’03, and captures the fact that we can efficiently check if an adversarial strategy breaks the assumption. Our separation result also extends to designated-verifier SNARGs, where the verifier needs a trapdoor associated with the CRS to verify arguments, and slightly succinct SNARGs, whose size is only required to be sublinear in the statement and witness size.
Limits of Provable Security From Standard Assumptions
, 2011
Cited by 6 (2 self)
We show that the security of some well-known cryptographic protocols, primitives and assumptions (e.g., the Schnorr identification scheme, commitments secure under adaptive selective-decommitment, the “one-more” discrete logarithm assumption) cannot be based on any standard assumption using a Turing (i.e., black-box) reduction. These results follow from a general result showing that Turing reductions cannot be used to prove security of constant-round sequentially witness-hiding special-sound protocols for unique witness relations, based on standard assumptions; we emphasize that this result holds even if the protocol makes non-black-box use of the
Trust Extension as a Mechanism for Secure Code Execution on Commodity Computers
, 2010
Cited by 1 (0 self)
As society rushes to digitize sensitive information and services, it is imperative to adopt adequate security protections. However, such protections fundamentally conflict with the benefits we expect from commodity computers. In other words, consumers and businesses value commodity computers because they provide good performance and an abundance of features at relatively low costs. Meanwhile, attempts to build secure systems from the ground up typically abandon such goals, and hence are seldom adopted [8, 72, 104].
In this dissertation, I argue that we can resolve the tension between security and features by leveraging the trust a user has in one device to enable her to securely use another commodity device or service, without sacrificing the performance and features expected of commodity systems. At a high level, we support this premise by developing techniques to allow a user to employ a small, trusted, portable device to securely learn what code is executing on her local computer. Rather than entrusting her data to the mountain of buggy code likely running on her computer, we construct an on-demand secure execution environment which can perform security-sensitive tasks and handle private data in complete isolation from all other software (and most hardware) on the system. Meanwhile, non-security-sensitive software retains the same abundance of features and performance it enjoys today.
Having established an environment for secure code execution on an individual computer, we then show how to extend trust in this environment to network elements in a secure and efficient manner. This allows us to re-examine the design of network protocols and defenses, since we can now execute code on end hosts and trust the results within the network. Lastly, we extend the user’s trust one more step to encompass computations performed on a remote host (e.g., in the cloud). We design, analyze, and prove secure a protocol that allows a user to outsource arbitrary computations to commodity computers run by an untrusted remote party (or parties) who may subject the computers to both software and hardware attacks. Our protocol guarantees that the user can both verify that the results returned are indeed the correct results of the specified computations on the inputs provided, and protect the secrecy of both the inputs and outputs of the computations. These guarantees are provided in a non-interactive, asymptotically optimal (with respect to CPU and bandwidth) manner.
Thus, extending a user’s trust, via software, hardware, and cryptographic techniques, allows us to provide strong security protections for both local and remote computations on sensitive data, while still preserving the performance and features of commodity computers.
On the Power of Non-uniformity in Proofs of Security
Non-uniform proofs of security are common in cryptography, but traditional black-box separations consider only uniform security reductions. In this paper, we initiate a formal study of the power and limits of non-uniform black-box proofs of security. We first show that a known protocol (based on the existence of one-way permutations) that uses a non-uniform proof of security cannot be proven secure through a uniform security reduction. Therefore, non-uniform proofs of security are indeed provably more powerful than uniform ones. We complement this result by showing that many known black-box separations in the uniform regime actually do extend to the non-uniform regime. We prove our results by providing general techniques for extending certain types of black-box separations to handle non-uniformity.
Unprovable Security of Perfect NIZK and Non-interactive Non-malleable Commitments
, 2012
We present barriers to provable security of two fundamental (and well-studied) cryptographic primitives: perfect non-interactive zero knowledge (NIZK), and non-malleable commitments:
• Black-box reductions cannot be used to demonstrate adaptive soundness (i.e., that soundness holds even if the statement to be proven is chosen as a function of the common reference string) of any statistical (and thus also perfect) NIZK for NP based on any “standard” intractability assumptions.
• Black-box reductions cannot be used to demonstrate non-malleability of non-interactive, or even 2-message, commitment schemes based on any “standard” intractability assumptions.
We emphasize that the above separations apply even if the construction of the considered primitives makes a non-black-box use of the underlying assumption. As an independent contribution, we suggest a taxonomy of game-based intractability assumptions based on 1) the security threshold, 2) the number of communication rounds in the security game, 3) the computational complexity of the game challenger, 4) the communication complexity of the challenger, and 5) the computational complexity of the security reduction.