Results 1  10
of
28
How to Go Beyond the BlackBox Simulation Barrier
 In 42nd FOCS
, 2001
"... The simulation paradigm is central to cryptography. A simulator is an algorithm that tries to simulate the interaction of the adversary with an honest party, without knowing the private input of this honest party. Almost all known simulators use the adversary’s algorithm as a blackbox. We present t ..."
Abstract

Cited by 247 (13 self)
 Add to MetaCart
(Show Context)
The simulation paradigm is central to cryptography. A simulator is an algorithm that tries to simulate the interaction of the adversary with an honest party, without knowing the private input of this honest party. Almost all known simulators use the adversary’s algorithm as a blackbox. We present the first constructions of nonblackbox simulators. Using these new nonblackbox techniques we obtain several results that were previously proven to be impossible to obtain using blackbox simulators. Specifically, assuming the existence of collision resistent hash functions, we construct a new zeroknowledge argument system for NP that satisfies the following properties: 1. This system has a constant number of rounds with negligible soundness error. 2. It remains zero knowledge even when composed concurrently n times, where n is the security parameter. Simultaneously obtaining 1 and 2 has been recently proven to be impossible to achieve using blackbox simulators. 3. It is an ArthurMerlin (public coins) protocol. Simultaneously obtaining 1 and 3 was known to be impossible to achieve with a blackbox simulator. 4. It has a simulator that runs in strict polynomial time, rather than in expected polynomial time. All previously known constantround, negligibleerror zeroknowledge arguments utilized expected polynomialtime simulators.
NonInteractive Verifiable Computing: Outsourcing Computation to Untrusted Workers
, 2009
"... Verifiable Computation enables a computationally weak client to “outsource ” the computation of a function F on various inputs x1,...,xk to one or more workers. The workers return the result of the function evaluation, e.g., yi = F(xi), as well as a proof that the computation of F was carried out co ..."
Abstract

Cited by 214 (12 self)
 Add to MetaCart
(Show Context)
Verifiable Computation enables a computationally weak client to “outsource ” the computation of a function F on various inputs x1,...,xk to one or more workers. The workers return the result of the function evaluation, e.g., yi = F(xi), as well as a proof that the computation of F was carried out correctly on the given value xi. The verification of the proof should require substantially less computational effort than computing F(xi) from scratch. We present a protocol that allows the worker to return a computationallysound, noninteractive proof that can be verified in O(m) time, where m is the bitlength of the output of F. The protocol requires a onetime preprocessing stage by the client which takes O(C) time, where C is the smallest Boolean circuit computing F. Our scheme also provides input and output privacy for the client, meaning that the workers do not learn any information about the xi or yi values. 1
Delegating computation: interactive proofs for muggles
 In Proceedings of the ACM Symposium on the Theory of Computing (STOC
, 2008
"... In this work we study interactive proofs for tractable languages. The (honest) prover should be efficient and run in polynomial time, or in other words a “muggle”. 1 The verifier should be superefficient and run in nearlylinear time. These proof systems can be used for delegating computation: a se ..."
Abstract

Cited by 115 (6 self)
 Add to MetaCart
(Show Context)
In this work we study interactive proofs for tractable languages. The (honest) prover should be efficient and run in polynomial time, or in other words a “muggle”. 1 The verifier should be superefficient and run in nearlylinear time. These proof systems can be used for delegating computation: a server can run a computation for a client and interactively prove the correctness of the result. The client can verify the result’s correctness in nearlylinear time (instead of running the entire computation itself). Previously, related questions were considered in the Holographic Proof setting by Babai, Fortnow, Levin and Szegedy, in the argument setting under computational assumptions by Kilian, and in the random oracle model by Micali. Our focus, however, is on the original interactive proof model where no assumptions are made on the computational power or adaptiveness of dishonest provers. Our main technical theorem gives a public coin interactive proof for any language computable by a logspace uniform boolean circuit with depth d and input length n. The verifier runs in time (n+d)·polylog(n) and space O(log(n)), the communication complexity is d · polylog(n), and the prover runs in time poly(n). In particular, for languages computable by logspace uniform N C (circuits of polylog(n) depth), the prover is efficient, the verifier runs in time n · polylog(n) and space O(log(n)), and the communication complexity is polylog(n).
Communication Preserving Protocols for Secure Function Evaluation
 In Proc. of 33rd STOC
, 2001
"... A secure function evaluation protocol allows two parties to jointly compute a function f(x; y) of their inputs in a manner not leaking more information than necessary. A major result in this field is: "any function f that can be computed using polynomial resources can be computed securely usin ..."
Abstract

Cited by 64 (5 self)
 Add to MetaCart
(Show Context)
A secure function evaluation protocol allows two parties to jointly compute a function f(x; y) of their inputs in a manner not leaking more information than necessary. A major result in this field is: "any function f that can be computed using polynomial resources can be computed securely using polynomial resources" (where `resources' refers to communication and computation). This result follows by a general transformation from any circuit for f to a secure protocol that evaluates f . Although the resources used by protocols resulting from this transformation are polynomial in the circuit size, they are much higher (in general) than those required for an insecure computation of f . We propose a new methodology for designing secure protocols, utilizing the communication complexity tree (or branching program) representation of f . We start with an efficient (insecure) protocol for f and transform it into a secure protocol. In other words, "any function f that can be computed using communication complexity c can be can be computed securely using communication complexity that is polynomial in c and a security parameter". We show several simple applications of this new methodology resulting in protocols efficient either in communication or in computation. In particular, we exemplify a protocol for the "millionaires problem ", where two participants want to compare their values but reveal no other information. Our protocol is more efficient than previously known ones in either communication or computation. 1.
How to delegate and verify in public: Verifiable computation from attributebased encryption
 In Proceedings of the 9th Theory of Cryptography Conference, TCC ’12
, 2012
"... Abstract. The wide variety of small, computationally weak devices, and the growing number of computationally intensive tasks makes it appealing to delegate computation to data centers. However, outsourcing computation is useful only when the returned result can be trusted, which makes verifiable com ..."
Abstract

Cited by 55 (6 self)
 Add to MetaCart
(Show Context)
Abstract. The wide variety of small, computationally weak devices, and the growing number of computationally intensive tasks makes it appealing to delegate computation to data centers. However, outsourcing computation is useful only when the returned result can be trusted, which makes verifiable computation (VC) a must for such scenarios. In this work we extend the definition of verifiable computation in two important directions: public delegation and public verifiability, which have important applications in many practical delegation scenarios. Yet, existing VC constructions based on standard cryptographic assumptions fail to achieve these properties. As the primary contribution of our work, we establish an important (and somewhat surprising) connection between verifiable computation and attributebased encryption (ABE), a primitive that has been widely studied. Namely, we show how to construct a VC scheme with public delegation and public verifiability from any ABE scheme. The VC scheme verifies any function in the class of functions covered by the permissible ABE policies (currently Boolean formulas). This scheme enjoys a very efficient verification algorithm that depends only on the output size. Efficient delegation, however, requires the ABE encryption algorithm to be cheaper than the original function computation. Strengthening this connection, we show a construction of a multifunction verifiable computation scheme from an ABE scheme with outsourced decryption, a primitive defined recently by Green, Hohenberger and Waters (USENIX Security 2011). A multifunction VC scheme allows the verifiable evaluation of multiple functions on the same preprocessed input. In the other direction, we also explore the construction of an ABE scheme from verifiable computation protocols.
Verifiable delegation of computation over large datasets
 In Proceedings of the 31st annual conference on Advances in cryptology, CRYPTO’11
, 2011
"... We study the problem of computing on large datasets that are stored on an untrusted server. We follow the approach of amortized verifiable computation introduced by Gennaro, Gentry, and Parno in CRYPTO 2010. We present the first practical verifiable computation scheme for high degree polynomial func ..."
Abstract

Cited by 48 (4 self)
 Add to MetaCart
(Show Context)
We study the problem of computing on large datasets that are stored on an untrusted server. We follow the approach of amortized verifiable computation introduced by Gennaro, Gentry, and Parno in CRYPTO 2010. We present the first practical verifiable computation scheme for high degree polynomial functions. Such functions can be used, for example, to make predictions based on polynomials fitted to a large number of sample points in an experiment. In addition to the many noncryptographic applications of delegating high degree polynomials, we use our verifiable computation scheme to obtain new solutions for verifiable keyword search, and proofs of retrievability. Our constructions are based on the DDH assumption and its variants, and achieve adaptive security, which was left as an open problem by Gennaro et al (albeit for general functionalities). Our second result is a primitive which we call a verifiable database (VDB). Here, a weak client outsources a large table to an untrusted server, and makes retrieval and update queries. For each query, the server provides a response and a proof that the response was computed correctly. The goal is to minimize the resources required by the client. This is made particularly challenging if the number of update queries is unbounded. We present a VDB scheme based on the hardness of the subgroup
Making argument systems for outsourced computation practical (sometimes
 In NDSS
, 2012
"... This paper describes the design, implementation, and evaluation of a system for performing verifiable outsourced computation. It has long been known that (1) this problem can be solved in theory using probabilistically checkable proofs (PCPs) coupled with modern cryptographic tools, and (2) these ..."
Abstract

Cited by 38 (7 self)
 Add to MetaCart
(Show Context)
This paper describes the design, implementation, and evaluation of a system for performing verifiable outsourced computation. It has long been known that (1) this problem can be solved in theory using probabilistically checkable proofs (PCPs) coupled with modern cryptographic tools, and (2) these solutions have wholly impractical performance, according to the conventional (and wellfounded) wisdom. Our goal is to challenge (2), with a built system that implements an argument system based on PCPs. We describe a generalpurpose system that builds on work of Ishai et al. (CCC ’07) and incorporates new theoretical work to improve performance by 20 orders of magnitude. The system is (arguably) practical in some cases, suggesting that, as a tool for building secure systems, PCPs are not a lost cause. 1
Delegation of computation without rejection problem from designated verifier CSproofs
, 2011
"... We present a designated verifier CS proof system for polynomial time computations. The proof system can only be verified by a designated verifier: one who has published a publickey for which it knows a matching secret key unknown to the prover. Whereas Micali’s CS proofs require the existence of ra ..."
Abstract

Cited by 33 (1 self)
 Add to MetaCart
We present a designated verifier CS proof system for polynomial time computations. The proof system can only be verified by a designated verifier: one who has published a publickey for which it knows a matching secret key unknown to the prover. Whereas Micali’s CS proofs require the existence of random oracles, we can base soundness on computational assumptions: the existence of leveled fully homomorphic encryption (FHE) schemes, the DDH assumption and a new knowledge of exponent assumption. Using our designated verifier CS proof system, we construct two schemes for delegating (polynomialtime) computation. In such schemes, a delegator outsources the computation of a function F on input x to a polynomial time worker, who computes the output y = F (x) and proves to the delegator the correctness of the output. Let T be the complexity of computing F on inputs of length n = x  and let k be a security parameter. Our first scheme calls for an onetime offline stage where the delegator sends a message to the worker, and a noninteractive online stage where the worker sends the output together with a certificate of correctness to the prover per input x. The total computational
Taking proofbased verified computation a few steps closer to practicality
 In USENIX Security
, 2012
"... Abstract. We describe GINGER, a built system for unconditional, generalpurpose, and nearly practical verification of outsourced computation. GINGER is based on PEPPER, which uses the PCP theorem and cryptographic techniques to implement an efficient argument system (a kind of interactive protocol). ..."
Abstract

Cited by 29 (6 self)
 Add to MetaCart
(Show Context)
Abstract. We describe GINGER, a built system for unconditional, generalpurpose, and nearly practical verification of outsourced computation. GINGER is based on PEPPER, which uses the PCP theorem and cryptographic techniques to implement an efficient argument system (a kind of interactive protocol). GINGER slashes the query size and costs via theoretical refinements that are of independent interest; broadens the computational model to include (primitive) floatingpoint fractions, inequality comparisons, logical operations, and conditional control flow; and includes a parallel GPUbased implementation that dramatically reduces latency. 1
A hybrid architecture for interactive verifiable computation
 In IEEE Symposium on Security and Privacy
, 2013
"... Abstract—We consider interactive, proofbased verifiable computation: how can a client machine specify a computation to a server, receive an answer, and then engage the server in an interactive protocol that convinces the client that the answer is correct, with less work for the client than executin ..."
Abstract

Cited by 26 (4 self)
 Add to MetaCart
Abstract—We consider interactive, proofbased verifiable computation: how can a client machine specify a computation to a server, receive an answer, and then engage the server in an interactive protocol that convinces the client that the answer is correct, with less work for the client than executing the computation in the first place? Complexity theory and cryptography offer solutions in principle, but if implemented naively, they are ludicrously expensive. Recently, however, several strands of work have refined this theory and implemented the resulting protocols in actual systems. This work is promising but suffers from one of two problems: either it relies on expensive cryptography, or else it applies to a restricted class of computations. Worse, it is not always clear which protocol will perform better for a given problem. We describe a system that (a) extends optimized refinements of the noncryptographic protocols to a much broader class of computations, (b) uses static analysis to fail over to the cryptographic ones when the noncryptographic ones would be more expensive, and (c) incorporates this core into a built system that includes a compiler for a highlevel language, a distributed server, and GPU acceleration. Experimental results indicate that our system performs better and applies more widely than the best in the literature. 1