Results 1 
7 of
7
NonInteractive Verifiable Computing: Outsourcing Computation to Untrusted Workers
, 2009
"... Verifiable Computation enables a computationally weak client to “outsource ” the computation of a function F on various inputs x1,...,xk to one or more workers. The workers return the result of the function evaluation, e.g., yi = F(xi), as well as a proof that the computation of F was carried out co ..."
Abstract

Cited by 221 (13 self)
 Add to MetaCart
(Show Context)
Verifiable Computation enables a computationally weak client to “outsource ” the computation of a function F on various inputs x1,...,xk to one or more workers. The workers return the result of the function evaluation, e.g., yi = F(xi), as well as a proof that the computation of F was carried out correctly on the given value xi. The verification of the proof should require substantially less computational effort than computing F(xi) from scratch. We present a protocol that allows the worker to return a computationallysound, noninteractive proof that can be verified in O(m) time, where m is the bitlength of the output of F. The protocol requires a onetime preprocessing stage by the client which takes O(C) time, where C is the smallest Boolean circuit computing F. Our scheme also provides input and output privacy for the client, meaning that the workers do not learn any information about the xi or yi values. 1
A hybrid architecture for interactive verifiable computation
 In IEEE Symposium on Security and Privacy
, 2013
"... Abstract—We consider interactive, proofbased verifiable computation: how can a client machine specify a computation to a server, receive an answer, and then engage the server in an interactive protocol that convinces the client that the answer is correct, with less work for the client than executin ..."
Abstract

Cited by 25 (3 self)
 Add to MetaCart
(Show Context)
Abstract—We consider interactive, proofbased verifiable computation: how can a client machine specify a computation to a server, receive an answer, and then engage the server in an interactive protocol that convinces the client that the answer is correct, with less work for the client than executing the computation in the first place? Complexity theory and cryptography offer solutions in principle, but if implemented naively, they are ludicrously expensive. Recently, however, several strands of work have refined this theory and implemented the resulting protocols in actual systems. This work is promising but suffers from one of two problems: either it relies on expensive cryptography, or else it applies to a restricted class of computations. Worse, it is not always clear which protocol will perform better for a given problem. We describe a system that (a) extends optimized refinements of the noncryptographic protocols to a much broader class of computations, (b) uses static analysis to fail over to the cryptographic ones when the noncryptographic ones would be more expensive, and (c) incorporates this core into a built system that includes a compiler for a highlevel language, a distributed server, and GPU acceleration. Experimental results indicate that our system performs better and applies more widely than the best in the literature. 1
TimeOptimal Interactive Proofs for Circuit Evaluation
"... Several research teams have recently been working toward the development of practical generalpurpose protocols for verifiable computation. These protocols enable a computationally weak verifier to offload computations to a powerful but untrusted prover, while providing the verifier with a guarantee ..."
Abstract

Cited by 16 (2 self)
 Add to MetaCart
Several research teams have recently been working toward the development of practical generalpurpose protocols for verifiable computation. These protocols enable a computationally weak verifier to offload computations to a powerful but untrusted prover, while providing the verifier with a guarantee that the prover performed the requested computations correctly. Despite substantial progress, existing implementations require further improvements before they become practical for most settings. The main bottleneck is typically the extra effort required by the prover to return an answer with a guarantee of correctness, compared to returning an answer with no guarantee. We describe a refinement of a powerful interactive proof protocol due to Goldwasser, Kalai, and Rothblum [21]. Cormode, Mitzenmacher, and Thaler [14] show how to implement the prover in this protocol in time O(SlogS), where S is the size of an arithmetic circuit computing the function of interest. Our refinements apply to circuits with sufficiently “regular ” wiring patterns; for these circuits, we bring the runtime of the prover down to O(S). That is, our prover can evaluate the circuit with a guarantee of correctness, with only a constantfactor blowup in work compared to evaluating the circuit with no guarantee.
Competing Provers Protocols for Circuit Evaluation ∗
"... Let C be a (fanin 2) Boolean circuit of size s and depth d, and let x be an input for C. Assume that a verifier that knows C but doesn’t know x can access the low degree extension of x at one random point. Two competing provers try to convince the verifier that C(x) = 0 and C(x) = 1, respectively ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
(Show Context)
Let C be a (fanin 2) Boolean circuit of size s and depth d, and let x be an input for C. Assume that a verifier that knows C but doesn’t know x can access the low degree extension of x at one random point. Two competing provers try to convince the verifier that C(x) = 0 and C(x) = 1, respectively, and assume that one of the provers is honest. For any r ≥ 1, we give an r rounds protocol with communication complexity d 1 r polylog (s) that convinces the verifier in the correct value of C(x) (with small probability of error). In particular, when we allow only one round, the protocol exchanges d · polylog (s) bits, and when we allow r = O rounds, the protocol exchanges only log(d) loglog(s) polylog (s) bits. Moreover, the complexity of the verifier and honest provers in this protocol is poly(s), and if in addition the circuit is log(s)space uniform, the complexity of the verifier is d 1 r polylog (s). 1 The protocol is obtained by combining the delegation protocol of Goldwasser, Kalai and Rothblum [5] and the competing provers protocols of Feige and Kilian [3] and some new techniques. We suggest two applications of these results: Delegating computation to competing clouds: The main motivation behind the protocol of [5] was delegating computation to a cloud. Using our new protocol, a verifier can delegate computation to two (or more) competing clouds. If at least one of the clouds is reliable the verifier can trust that the computation is correct (with high probability). The advantage over the protocol of [5] is that the communication complexity and the number of rounds in our protocol are significantly lower. Communication complexity with competing
Refereed delegation of computation
"... We consider a weak client that wishes to learn and verify the result of an expensive computation. When the client uses only a single untrusted server, current techniques suffer from disadvantages such as computational inefficiency for the client or the server, limited functionality, or high round co ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
We consider a weak client that wishes to learn and verify the result of an expensive computation. When the client uses only a single untrusted server, current techniques suffer from disadvantages such as computational inefficiency for the client or the server, limited functionality, or high round complexity. We demonstrate relatively efficient and general solutions where the client delegates the computation to several servers, and is guaranteed to determine the correct answer as long as even a single server is honest. We call such protocols Refereed Delegation of Computation (RDoC) and show: 1. A 1round (2messages) unconditionallysound RDoC for any function computable in logspace uniform N C, assuming the existence of private communication channels. 2. A potentially practical computationallysound RDoC for any efficiently computable function, with logarithmically many rounds, based on any collisionresistant hash family. In both protocols the servers incur only a polynomial overhead relative to simply computing the function and the client is at most quasilinear in the input length. These protocols adapt techniques from the works of Feige and Kilian [STOC 1997] and Goldwasser, Kalai and Rothblum [STOC 2008].
Trust Extension as a Mechanism for Secure Code Execution on Commodity Computers
, 2010
"... As society rushes to digitize sensitive information and services, it is imperative to adopt adequate security protections. However, such protections fundamentally conflict with the benefits we expect from commodity computers. In other words, consumers and businesses value commodity computers because ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
(Show Context)
As society rushes to digitize sensitive information and services, it is imperative to adopt adequate security protections. However, such protections fundamentally conflict with the benefits we expect from commodity computers. In other words, consumers and businesses value commodity computers because they provide good performance and an abundance of features at relatively low costs. Meanwhile, attempts to build secure systems from the ground up typically abandon such goals, and hence are seldom adopted [8, 72, 104].
In this dissertation, I argue that we can resolve the tension between security and features by leveraging the trust a user has in one device to enable her to securely use another commodity device or service, without sacrificing the performance and features expected ofcommodity systems. At a high level, we support this premise by developing techniques to allow a user to employ a small, trusted, portable device to securely learn what code is executing on her local computer. Rather than entrusting her data to the mountain of buggy code likely running on her computer, we construct an ondemand secure execution environment which can perform securitysensitive tasks and handle private data in complete isolation from all other software (and most hardware) on the system. Meanwhile, nonsecuritysensitive software retains the same abundance of features and performance it enjoys today.
Having established an environment for secure code execution on an individual computer, we then show how to extend trust in this environment to network elements in a secure and efficient manner. This allows us to reexamine the design of network protocols and defenses, since we can now execute code on endhosts and trust the results within the network. Lastly, we extend the user’s trust one more step to encompass computations performed on a remote host (e.g., in the cloud). We design, analyze, and prove secure a protocol that allows a user to outsource arbitrary computations to commodity computers run by an untrusted remote party (or parties) who may subject the computers to both software and hardware attacks. Our protocol guarantees that the user can both verify that the results returned are indeed the correct results of the specified computations on the inputs provided, and protect the secrecy of both the inputs and outputs of the computations. These guarantees are provided in a noninteractive, asymptotically optimal (with respect to CPU and bandwidth) manner.
Thus, extending a user’s trust, via software, hardware, and cryptographic techniques, allows us to provide strong security protections for both local and remote computations on sensitive data, while still preserving the performance and features of commodity computers.
Rational Sumchecks?
"... Abstract. Rational proofs, introduced by Azar and Micali (STOC 2012) are a variant of interactive proofs in which the prover is neither honest nor malicious, but rather rational. The advantage of rational proofs over their classical counterparts is that they allow for extremely low communication and ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. Rational proofs, introduced by Azar and Micali (STOC 2012) are a variant of interactive proofs in which the prover is neither honest nor malicious, but rather rational. The advantage of rational proofs over their classical counterparts is that they allow for extremely low communication and verification time. In recent work, Guo et al. (ITCS 2014) demonstrated their relevance to delegation of computation by showing that, if the rational prover is additionally restricted to being computationally bounded, then every language in NC1 admits a singleround delegation scheme that can be verified in sublinear time. We extend the Guo et al. result by constructing a singleround delegation scheme with sublinear verification for all languages in P. Our main contribution is the introduction of rational sumcheck protocols, which are a relaxation of classical sumchecks, a crucial building block for interactive proofs. Unlike their classical counterparts, rational sumchecks retain their (rational) soundness properties, even if the polynomial being verified is of high degree (in particular, they do not rely on the SchwartzZippel lemma). This enables us to bypass the main efficiency