## Non-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers (2009)

Citations: 96 - 8 self

### BibTeX

@MISC{Gennaro09non-interactiveverifiable,
    author = {Rosario Gennaro and Craig Gentry and Bryan Parno},
    title = {Non-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers},
    year = {2009}
}

### Abstract

Verifiable Computation enables a computationally weak client to “outsource” the computation of a function F on various inputs x1,...,xk to one or more workers. The workers return the result of the function evaluation, e.g., yi = F(xi), as well as a proof that the computation of F was carried out correctly on the given value xi. The verification of the proof should require substantially less computational effort than computing F(xi) from scratch. We present a protocol that allows the worker to return a computationally-sound, non-interactive proof that can be verified in O(m) time, where m is the bit-length of the output of F. The protocol requires a one-time pre-processing stage by the client which takes O(|C|) time, where C is the smallest Boolean circuit computing F. Our scheme also provides input and output privacy for the client, meaning that the workers do not learn any information about the xi or yi values.

### Citations

1041 | The knowledge complexity of interactive proof systems
- Goldwasser, Micali, et al.
- 1989
Citation Context: ...on, we combine it with other techniques to provide verifiability. The theoretical community has devoted considerable attention to the verifiable computation of arbitrary functions. Interactive proofs [6, 14] are a way for a powerful (e.g. super-polynomial) prover to (probabilistically) convince a weak (e.g. polynomial) verifier of the truth of statements that the verifier could not compute on its own. As...

557 | How to generate and exchange secrets
- Yao
- 1986
Citation Context: ...ntrusted server in such a way that the input remains secret. OUR SOLUTION IN A NUTSHELL. Our work is based on the crucial (and somewhat surprising) observation that Yao’s Garbled Circuit Construction [28,29], in addition to providing secure two-party computation, also provides a “one-time” verifiable computation. In other words, we can adapt Yao’s construction to allow a client to outsource the computati...

525 | Protocols for secure computations
- Yao
- 1982
Citation Context: ...ntrusted server in such a way that the input remains secret. OUR SOLUTION IN A NUTSHELL. Our work is based on the crucial (and somewhat surprising) observation that Yao’s Garbled Circuit Construction [28,29], in addition to providing secure two-party computation, also provides a “one-time” verifiable computation. In other words, we can adapt Yao’s construction to allow a client to outsource the computati...

303 | Trading group theory for randomness
- Babai
- 1985
Citation Context: ...on, we combine it with other techniques to provide verifiability. The theoretical community has devoted considerable attention to the verifiable computation of arbitrary functions. Interactive proofs [6, 14] are a way for a powerful (e.g. super-polynomial) prover to (probabilistically) convince a weak (e.g. polynomial) verifier of the truth of statements that the verifier could not compute on its own. As...

300 | Wallet databases with observers
- Chaum, Pedersen
- 1992
Citation Context: ...ce. In the cryptographic community, the idea to outsource expensive cryptographic operations to a semitrusted device has a long history. Chaum and Pedersen define the notion of wallets with observers [10], a piece of secure hardware installed by a third party, e.g. a bank, on the client’s computer to “help” with expensive computations. The hardware is not trusted by the client who retains assurance th...

288 | SETI@home: An experiment in public-resource computing
- Anderson, Cobb, et al.
- 2002
Citation Context: ...e contributing to a growing desire to “outsource” computing from a (relatively) weak computational device to a more powerful computation service. For years, a variety of projects, including SETI@Home [5], Folding@Home [2], and the Mersenne prime search [4], have distributed computations to millions of clients around the Internet to take advantage of their idle cycles. A perennial problem is dishonest...

271 | Fully Homomorphic Encryption Using Ideal Lattices,” Proc. 41st Ann
- Gentry
- 2009
Citation Context: ... requires the client to interact with two non-colluding servers. Other work targets specific function classes, such as one-way function inversion [15]. Recent advances in fully-homomorphic encryption [12] allow a worker to compute arbitrary functions over encrypted data, but they do not suffice to provide outsourceable computing. Indeed, fully-homomorphic encryption provides no guarantee that the work...

197 | Building a high-performance, programmable secure coprocessor
- Smith, Weingart
- 1999
Citation Context: ... the workers to be honest, or at least non-colluding. Audits based on the time taken to compute the result [25] require detailed knowledge of the hardware employed by the worker. Secure co-processors [26, 30] provide isolated execution environments, but their tamper-resistance typically makes them quite expensive (thousands of dollars each) and sparsely deployed. The requirements of tamper-resistance also...

190 | On the (im)possibility of obfuscating programs
- Barak, Goldreich, et al.
- 2001
Citation Context: ...orphism.) We do not know of any way to prevent this distinguishing attack, and suspect that preventing it may be rather difficult in light of Barak et al.’s result that there is no general obfuscator [7]. Security with Verification Access. We say that a verifiable computation scheme is secure with verification access if the adversary is allowed to see the result of Verify over the queries xi he has m...

152 | Using secure coprocessors
- Yee
- 1994
Citation Context: ... the workers to be honest, or at least non-colluding. Audits based on the time taken to compute the result [25] require detailed knowledge of the hardware employed by the worker. Secure co-processors [26, 30] provide isolated execution environments, but their tamper-resistance typically makes them quite expensive (thousands of dollars each) and sparsely deployed. The requirements of tamper-resistance also...

143 | A note on efficient zero-knowledge proofs and arguments (extended abstract
- Kilian
- 1992
Citation Context: ...r NP languages). Notice, however, that the PCP proof might be very long, potentially too long for the verifier to process. To avoid this complication, Kilian proposed the use of efficient arguments [18,19] in which the prover sends the verifier a short commitment to the entire proof using a Merkle tree. The prover can then interactively open the bits requested by the verifier (this requires the use of ...

77 | A fully homomorphic encryption scheme
- Gentry
- 2009
Citation Context: ...tional assumptions underlying the security of our scheme are the security of block ciphers (i.e., the existence of one-way functions) and the existence of a secure fully homomorphic encryption scheme [11,12] (more details below). We stress that our non-interactive protocol works for any function (as opposed to Goldwasser et al.’s protocol [13] which works only for a restricted class of functions) and can...

63 | A proof of Yao’s protocol for secure two-party computation
- Lindell, Pinkas
Citation Context: ...ao’s Garbled Circuit Construction We summarize Yao’s protocol for two-party private computation [28, 29]. For more details, we refer the interested reader to Lindell and Pinkas’ excellent description [20]. We assume two parties, Alice and Bob, wish to compute a function F over their private inputs a and b. For simplicity, we focus on polynomial-time deterministic functions, but the generalization to s...

62 | Pioneer: Verifying integrity and guaranteeing execution of code on legacy platforms
- Seshadri, Luk, et al.
- 2005
Citation Context: ... This may be infeasible for resource-constrained clients and often relies on some fraction of the workers to be honest, or at least non-colluding. Audits based on the time taken to compute the result [25] require detailed knowledge of the hardware employed by the worker. Secure co-processors [26, 30] provide isolated execution environments, but their tamper-resistance typically makes them quite expens...

59 | Uncheatable distributed computations
- Golle, Mironov
- 2001
Citation Context: ...in public-key cryptography operations). Their protocol requires the client to interact with two non-colluding servers. Other work targets specific function classes, such as one-way function inversion [15]. Recent advances in fully-homomorphic encryption [12] allow a worker to compute arbitrary functions over encrypted data, but they do not suffice to provide outsourceable computing. Indeed, fully-homo...

56 | Delegating computation: Interactive proofs for muggles
- Goldwasser, Kalai, et al.
- 2008
Citation Context: ...argument by choosing the bits to open based on the application of a random oracle to the commitment string. In more recent work, which still uses some of the standard PCP machinery, Goldwasser et al. [13] show how to build an interactive proof to verify arbitrary polynomial-time computations in almost linear time. They also extend the result to a non-interactive argument for a restricted class of func...

55 | Fully homomorphic encryption with relatively small key and ciphertext sizes
- Smart, Vercauteren
- 2010
Citation Context: ... requires the client to interact with two non-colluding servers. Other work targets specific function classes, such as one-way function inversion [15]. Recent advances in fully-homomorphic encryption [11, 12, 27, 30] allow a worker to compute arbitrary functions over encrypted data, but they do not suffice to provide outsourceable computing. Indeed, fully-homomorphic encryption provides no guarantee that the worke...

54 | Fully homomorphic encryption over the integers
- Dijk, Gentry, et al.
- 2010
Citation Context: ... requires the client to interact with two non-colluding servers. Other work targets specific function classes, such as one-way function inversion [15]. Recent advances in fully-homomorphic encryption [11, 12, 27, 30] allow a worker to compute arbitrary functions over encrypted data, but they do not suffice to provide outsourceable computing. Indeed, fully-homomorphic encryption provides no guarantee that the worke...

27 | Distributed execution with remote audit
- Monrose, Wycko, et al.
- 1999
Citation Context: ...he cost to the client may become prohibitive. PRIOR WORK: In the security community, research has focused on solutions based on audits and various forms of secure co-processors. Audit-based solutions [9, 23] typically require the client (or randomly selected workers) to recalculate some portion of the work done by untrusted workers. This may be infeasible for resource-constrained clients and often relies...

25 | How to securely outsource cryptographic computations
- Hohenberger, Lysyanskaya
Citation Context: ...tations. The hardware is not trusted by the client who retains assurance that it is performing correctly by analyzing its communication with the bank. Hohenberger and Lysyanskaya formalize this model [16], and present protocols for the computation of modular exponentiations (arguably the most expensive step in public-key cryptography operations). Their protocol requires the client to interact with two...

21 | The SETI@Home problem
- Molnar
- 2000
Citation Context: ...he Internet to take advantage of their idle cycles. A perennial problem is dishonest clients: end users who modify their client software to return plausible results without performing any actual work [22]. Users commit such fraud, even when the only incentive is to increase their relative ranking on a website listing. Many projects cope with such fraud via redundancy; the same work unit is sent to sev...

19 | Improved efficient arguments (preliminary version
- Kilian
- 1995
Citation Context: ...r NP languages). Notice, however, that the PCP proof might be very long, potentially too long for the verifier to process. To avoid this complication, Kilian proposed the use of efficient arguments [18,19] in which the prover sends the verifier a short commitment to the entire proof using a Merkle tree. The prover can then interactively open the bits requested by the verifier (this requires the use of ...

17 | CS proofs (extended abstract
- Micali
- 1994

14 | Bounded key-dependent message security
- Barak, Haitner, et al.
- 2010
Citation Context: ...encryption scheme is circular secure – i.e., roughly, that it is “safe” to reveal an encryption of a secret key under its associated public key – the complexity of KeyGen E is independent of C. See [8, 11, 12] for more discussion on circular-security (and, more generally, key-dependent-message security) as it relates to fully homomorphic encryption. In this paper, we use fully homomorphic encryption as a b...

10 | Incentivizing outsourced computation
- Belenkiy, Chase, et al.
- 2008
Citation Context: ...he cost to the client may become prohibitive. PRIOR WORK: In the security community, research has focused on solutions based on audits and various forms of secure co-processors. Audit-based solutions [9, 23] typically require the client (or randomly selected workers) to recalculate some portion of the work done by untrusted workers. This may be infeasible for resource-constrained clients and often relies...

7 | Probabilistically checkable arguments
- Kalai, Raz
- 2009
Citation Context: ...le device in the field). Dynamic and Adaptive Input Choice. We note that in this amortized model of computation, Goldwasser et al.’s protocol [13] can be modified using Kalai and Raz’s transformation [17] to achieve a non-interactive scheme (see [24]). However an important feature of our scheme, that is not enjoyed by Goldwasser et al.’s protocol [13], is that the inputs to the computation of F can be...

7 | Are pcps inherent in efficient arguments
- Rothblum, Vadhan
Citation Context: ...then used by his portable device in the field). By introducing a one-time preprocessing stage (and the resulting amortized notion of complexity), we can circumvent the result of Rothblum and Vadhan [25], which indicated that efficient verifiable computation requires the use of PCP constructions. In other words, unless a substantial improvement in the efficiency of PCP constructions is achieved, our ...

6 | Delegating computation reliably: paradigms and constructions
- Rothblum
- 2009
Citation Context: ...Input Choice. We note that in this amortized model of computation, Goldwasser et al.’s protocol [13] can be modified using Kalai and Raz’s transformation [17] to achieve a non-interactive scheme (see [24]). However an important feature of our scheme, that is not enjoyed by Goldwasser et al.’s protocol [13], is that the inputs to the computation of F can be chosen in a dynamic and adaptive fashion thro...

5 |
Utility Computing. Online at http://www.sun.com/service/sungrid/index.jsp
- Sun
(Show Context)
Citation Context ...efense against colluding users. A related fear plagues cloud computing, where businesses buy computing time from a service, rather than purchase, provision, and maintain their own computing resources =-=[1, 3]-=-. Sometimes the applications outsourced to the cloud are so critical that it is imperative to rule out accidental errors during the computation. Moreover, in such arrangements, the business providing ... |