Results 1  10
of
15
NonInteractive Verifiable Computing: Outsourcing Computation to Untrusted Workers
, 2009
"... Verifiable Computation enables a computationally weak client to “outsource ” the computation of a function F on various inputs x1,...,xk to one or more workers. The workers return the result of the function evaluation, e.g., yi = F(xi), as well as a proof that the computation of F was carried out co ..."
Abstract

Cited by 96 (10 self)
 Add to MetaCart
Verifiable Computation enables a computationally weak client to “outsource ” the computation of a function F on various inputs x1,...,xk to one or more workers. The workers return the result of the function evaluation, e.g., yi = F(xi), as well as a proof that the computation of F was carried out correctly on the given value xi. The verification of the proof should require substantially less computational effort than computing F(xi) from scratch. We present a protocol that allows the worker to return a computationallysound, noninteractive proof that can be verified in O(m) time, where m is the bitlength of the output of F. The protocol requires a onetime preprocessing stage by the client which takes O(C) time, where C is the smallest Boolean circuit computing F. Our scheme also provides input and output privacy for the client, meaning that the workers do not learn any information about the xi or yi values. 1
Delegating computation: interactive proofs for muggles
 In Proceedings of the ACM Symposium on the Theory of Computing (STOC
, 2008
"... In this work we study interactive proofs for tractable languages. The (honest) prover should be efficient and run in polynomial time, or in other words a “muggle”. 1 The verifier should be superefficient and run in nearlylinear time. These proof systems can be used for delegating computation: a se ..."
Abstract

Cited by 57 (4 self)
 Add to MetaCart
In this work we study interactive proofs for tractable languages. The (honest) prover should be efficient and run in polynomial time, or in other words a “muggle”. 1 The verifier should be superefficient and run in nearlylinear time. These proof systems can be used for delegating computation: a server can run a computation for a client and interactively prove the correctness of the result. The client can verify the result’s correctness in nearlylinear time (instead of running the entire computation itself). Previously, related questions were considered in the Holographic Proof setting by Babai, Fortnow, Levin and Szegedy, in the argument setting under computational assumptions by Kilian, and in the random oracle model by Micali. Our focus, however, is on the original interactive proof model where no assumptions are made on the computational power or adaptiveness of dishonest provers. Our main technical theorem gives a public coin interactive proof for any language computable by a logspace uniform boolean circuit with depth d and input length n. The verifier runs in time (n+d)·polylog(n) and space O(log(n)), the communication complexity is d · polylog(n), and the prover runs in time poly(n). In particular, for languages computable by logspace uniform N C (circuits of polylog(n) depth), the prover is efficient, the verifier runs in time n · polylog(n) and space O(log(n)), and the communication complexity is polylog(n).
Improved delegation of computation using fully homomorphic encryption
 CRYPTO 2010, LNCS 6223
, 2010
"... Following Gennaro, Gentry, and Parno (Cryptology ePrint Archive 2009/547), we use fully homomorphic encryption to design improved schemes for delegating computation. In such schemes, a delegator outsources the computation of a function F on many, dynamically chosen inputs xi to a worker in such a wa ..."
Abstract

Cited by 35 (2 self)
 Add to MetaCart
Following Gennaro, Gentry, and Parno (Cryptology ePrint Archive 2009/547), we use fully homomorphic encryption to design improved schemes for delegating computation. In such schemes, a delegator outsources the computation of a function F on many, dynamically chosen inputs xi to a worker in such a way that it is infeasible for the worker to make the delegator accept a result other than F (xi). The “online stage ” of the Gennaro et al. scheme is very efficient: the parties exchange two messages, the delegator runs in time poly(log T), and the worker runs in time poly(T), where T is the time complexity of F. However, the “offline stage ” (which depends on the function F but not the inputs to be delegated) is inefficient: the delegator runs in time poly(T) and generates a public key of length poly(T) that needs to be accessed by the worker during the online stage. Our first construction eliminates the large public key from the Gennaro et al. scheme. The delegator still invests poly(T) time in the offline stage, but does not need to communicate or publish anything. Our second construction reduces the work of the delegator in the offline stage to poly(log T) at the price of a 4message (offline) interaction with a poly(T)time worker
Separating succinct noninteractive arguments from all falsifiable assumptions
 In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, STOC ’11
, 2011
"... An argument system (computationally sound proof) for N P is succinct, if its communication complexity is polylogarithmic the instance and witness sizes. The seminal works of Kilian ’92 and Micali ’94 show that such arguments can be constructed under standard cryptographic hardness assumptions with f ..."
Abstract

Cited by 35 (1 self)
 Add to MetaCart
An argument system (computationally sound proof) for N P is succinct, if its communication complexity is polylogarithmic the instance and witness sizes. The seminal works of Kilian ’92 and Micali ’94 show that such arguments can be constructed under standard cryptographic hardness assumptions with four rounds of interaction, and that they be made noninteractive in the randomoracle model. The latter construction also gives us some evidence that succinct noninteractive arguments (SNARGs) may exist in the standard model with a common reference string (CRS), by replacing the oracle with a sufficiently complicated hash function whose description goes in the CRS. However, we currently do not know of any construction of SNARGs with a proof of security under any simple cryptographic assumption. In this work, we give a broad blackbox separation result, showing that blackbox reductions cannot be used to prove the security of any SNARG construction based on any falsifiable cryptographic assumption. This includes essentially all common assumptions used in cryptography (oneway functions, trapdoor permutations, DDH, RSA, LWE etc.). More generally, we say that an assumption is falsifiable if it can be modeled as an interactive game between an adversary and an efficient challenger that can efficiently decide if the adversary won the game. This is similar, in spirit, to the notion of falsifiability of Naor ’03, and captures the fact that we can efficiently check if an adversarial strategy breaks the assumption. Our separation result also extends to designated verifier SNARGs, where the verifier needs a trapdoor associated with the CRS to verify arguments, and slightly succinct SNARGs, whose size is only required to be sublinear in the statement and witness size.
The complexity of online memory checking
 In Proceedings of the 46th Annual IEEE Symposium on Foundations of Computer Science
, 2005
"... We consider the problem of storing a large file on a remote and unreliable server. To verify that the file has not been corrupted, a user could store a small private (randomized) “fingerprint” on his own computer. This is the setting for the wellstudied authentication problem in cryptography, and t ..."
Abstract

Cited by 33 (3 self)
 Add to MetaCart
We consider the problem of storing a large file on a remote and unreliable server. To verify that the file has not been corrupted, a user could store a small private (randomized) “fingerprint” on his own computer. This is the setting for the wellstudied authentication problem in cryptography, and the required fingerprint size is well understood. We study the problem of sublinear authentication: suppose the user would like to encode and store the file in a way that allows him to verify that it has not been corrupted, but without reading the entire file. If the user only wants to read q bits of the file, how large does the size s of the private fingerprint need to be? We define this problem formally, and show a tight lower bound on the relationship between s and q when the adversary is not computationally bounded, namely: s × q = Ω(n), where n is the file size. This is an easier case of the online memory checking problem, introduced by Blum et al. in 1991, and hence the same (tight) lower bound applies also to that problem. It was previously shown that when the adversary is computationally bounded, under the assumption that oneway functions exist, it is possible to construct much better online memory checkers. T he same is also true for sublinear authentication schemes. We show that the existence of oneway functions is also a necessary condition: even slightly breaking the s × q = Ω(n) lower bound in a computational setting implies the existence of oneway functions. 1
Verifiable delegation of computation over large datasets
 In Proceedings of the 31st annual conference on Advances in cryptology, CRYPTO’11
, 2011
"... We study the problem of computing on large datasets that are stored on an untrusted server. We follow the approach of amortized verifiable computation introduced by Gennaro, Gentry, and Parno in CRYPTO 2010. We present the first practical verifiable computation scheme for high degree polynomial func ..."
Abstract

Cited by 19 (2 self)
 Add to MetaCart
We study the problem of computing on large datasets that are stored on an untrusted server. We follow the approach of amortized verifiable computation introduced by Gennaro, Gentry, and Parno in CRYPTO 2010. We present the first practical verifiable computation scheme for high degree polynomial functions. Such functions can be used, for example, to make predictions based on polynomials fitted to a large number of sample points in an experiment. In addition to the many noncryptographic applications of delegating high degree polynomials, we use our verifiable computation scheme to obtain new solutions for verifiable keyword search, and proofs of retrievability. Our constructions are based on the DDH assumption and its variants, and achieve adaptive security, which was left as an open problem by Gennaro et al (albeit for general functionalities). Our second result is a primitive which we call a verifiable database (VDB). Here, a weak client outsources a large table to an untrusted server, and makes retrieval and update queries. For each query, the server provides a response and a proof that the response was computed correctly. The goal is to minimize the resources required by the client. This is made particularly challenging if the number of update queries is unbounded. We present a VDB scheme based on the hardness of the subgroup
How to delegate and verify in public: Verifiable computation from attributebased encryption
 In Proceedings of the 9th Theory of Cryptography Conference, TCC ’12
, 2012
"... Abstract. The wide variety of small, computationally weak devices, and the growing number of computationally intensive tasks makes it appealing to delegate computation to data centers. However, outsourcing computation is useful only when the returned result can be trusted, which makes verifiable com ..."
Abstract

Cited by 18 (3 self)
 Add to MetaCart
Abstract. The wide variety of small, computationally weak devices, and the growing number of computationally intensive tasks makes it appealing to delegate computation to data centers. However, outsourcing computation is useful only when the returned result can be trusted, which makes verifiable computation (VC) a must for such scenarios. In this work we extend the definition of verifiable computation in two important directions: public delegation and public verifiability, which have important applications in many practical delegation scenarios. Yet, existing VC constructions based on standard cryptographic assumptions fail to achieve these properties. As the primary contribution of our work, we establish an important (and somewhat surprising) connection between verifiable computation and attributebased encryption (ABE), a primitive that has been widely studied. Namely, we show how to construct a VC scheme with public delegation and public verifiability from any ABE scheme. The VC scheme verifies any function in the class of functions covered by the permissible ABE policies (currently Boolean formulas). This scheme enjoys a very efficient verification algorithm that depends only on the output size. Efficient delegation, however, requires the ABE encryption algorithm to be cheaper than the original function computation. Strengthening this connection, we show a construction of a multifunction verifiable computation scheme from an ABE scheme with outsourced decryption, a primitive defined recently by Green, Hohenberger and Waters (USENIX Security 2011). A multifunction VC scheme allows the verifiable evaluation of multiple functions on the same preprocessed input. In the other direction, we also explore the construction of an ABE scheme from verifiable computation protocols.
Memory Delegation
, 2011
"... We consider the problem of delegating computation, where the delegator doesn’t even know the input to the function being delegated, and runs in time significantly smaller than the input length. For example, consider the setting of memory delegation, where a delegator wishes to delegate her entire me ..."
Abstract

Cited by 11 (2 self)
 Add to MetaCart
We consider the problem of delegating computation, where the delegator doesn’t even know the input to the function being delegated, and runs in time significantly smaller than the input length. For example, consider the setting of memory delegation, where a delegator wishes to delegate her entire memory to the cloud. The delegator may want the cloud to compute functions on this memory, and prove that the functions were computed correctly. As another example, consider the setting of streaming delegation, where a stream of data goes by, and a delegator, who cannot store this data, delegates this task to the cloud. Later the delegator may ask the cloud to compute statistics on this streaming data, and prove the correctness of the computation. We note that in both settings the delegator must keep a (short) certificate of the data being delegated, in order to later verify the correctness of the computations. Moreover, in the streaming setting, this certificate should be computed in a streaming manner. We construct both memory and streaming delegation schemes. We present noninteractive constructions based on the (standard) delegation scheme of Goldwasswer et. al. [GKR08]. These schemes allow the delegation of any function computable by an Luniform circuit of low depth (the complexity of the delegator depends linearly on the depth). For memory delegation, we rely on the existence of a polylog PIR scheme, and for streaming, we rely on the existence of a fully homomorphic encryption scheme. We also present constructions based on the CSproofs of Micali. These schemes allow the delegation of any function in P. However, they are interactive (i.e., consists of 4 messages), or are noninteractive in the Random Oracle Model.
Efficient Consistency Proofs on a Committed Database
 In Automata, Languages and Programming: 31st International Colloquium, ICALP 2004
, 2003
"... A consistent query protocol allows a database owner to publish a very short string c which commits her to a particular database D with special consistency property (i.e., given c, every allowable query has unique and welldefined answer with respect to D.) Moreover, when a user makes a query, any ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
A consistent query protocol allows a database owner to publish a very short string c which commits her to a particular database D with special consistency property (i.e., given c, every allowable query has unique and welldefined answer with respect to D.) Moreover, when a user makes a query, any server hosting the database can answer the query, and provide a very short proof # that the answer is welldefined, unique, and consistent with c (and hence with D). One potential application of consistent query protocols is for guaranteeing the consistency of many replicated copies of Dthe owner can publish c, and users can verify the consistency of a query to some copy of D by making sure # is consistent with c. This strong guarantee holds even for owners who try to cheat, while creating c.
Are pcps inherent in efficient arguments
 In IEEE Conference on Computational Complexity
"... Abstract. Starting with Kilian (STOC ‘92), several works have shown how to use probabilistically checkable proofs (PCPs) and cryptographic primitives such as collisionresistant hashing to construct very efficient argument systems (a.k.a. computationally sound proofs), for example with polylogarithm ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
Abstract. Starting with Kilian (STOC ‘92), several works have shown how to use probabilistically checkable proofs (PCPs) and cryptographic primitives such as collisionresistant hashing to construct very efficient argument systems (a.k.a. computationally sound proofs), for example with polylogarithmic communication complexity. Ishai et al. (CCC ‘07) raised the question of whether PCPs are inherent in efficient arguments, and if so, to what extent. We give evidence that they are, by showing how to convert any argument system whose soundness is reducible to the security of some cryptographic primitive into a PCP system whose efficiency is related to that of the argument system and the reduction (under certain complexity assumptions).