Results 1  10
of
63
Taking proofbased verified computation a few steps closer to practicality
 In USENIX Security
, 2012
"... Abstract. We describe GINGER, a built system for unconditional, generalpurpose, and nearly practical verification of outsourced computation. GINGER is based on PEPPER, which uses the PCP theorem and cryptographic techniques to implement an efficient argument system (a kind of interactive protocol). ..."
Abstract

Cited by 29 (6 self)
 Add to MetaCart
(Show Context)
Abstract. We describe GINGER, a built system for unconditional, generalpurpose, and nearly practical verification of outsourced computation. GINGER is based on PEPPER, which uses the PCP theorem and cryptographic techniques to implement an efficient argument system (a kind of interactive protocol). GINGER slashes the query size and costs via theoretical refinements that are of independent interest; broadens the computational model to include (primitive) floatingpoint fractions, inequality comparisons, logical operations, and conditional control flow; and includes a parallel GPUbased implementation that dramatically reduces latency. 1
SNARKs for C: Verifying program executions succinctly and in zero knowledge
 In Proceedings of CRYPTO 2013, LNCS
"... An argument system for NP is a proof system that allows efficient verification of NP statements, given proofs produced by an untrusted yet computationallybounded prover. Such a system is noninteractive and publiclyverifiable if, after a trusted party publishes a proving key and a verification key, ..."
Abstract

Cited by 28 (2 self)
 Add to MetaCart
An argument system for NP is a proof system that allows efficient verification of NP statements, given proofs produced by an untrusted yet computationallybounded prover. Such a system is noninteractive and publiclyverifiable if, after a trusted party publishes a proving key and a verification key, anyone can use the proving key to generate noninteractive proofs for adaptivelychosen NP statements, and proofs can be verified by anyone by using the verification key. We present an implementation of a publiclyverifiable noninteractive argument system for NP. The system, moreover, is a zeroknowledge proofofknowledge. It directly proves correct executions of programs on TinyRAM, a randomaccess machine tailored for efficient verification of nondeterministic computations. Given a program P and time bound T, the system allows for proving correct execution of P, on any input x, for up to T steps, after a onetime setup requiring Õ(P  · T) cryptographic operations. An honest prover requires Õ(P  · T) cryptographic operations to generate such a proof, while proof verification can be performed with only O(x) cryptographic operations. This system can be used to prove the correct execution of C programs, using our TinyRAM port of the GCC compiler. This yields a zeroknowledge Succinct Noninteractive ARgument of Knowledge (zkSNARK) for
A hybrid architecture for interactive verifiable computation
 In IEEE Symposium on Security and Privacy
, 2013
"... Abstract—We consider interactive, proofbased verifiable computation: how can a client machine specify a computation to a server, receive an answer, and then engage the server in an interactive protocol that convinces the client that the answer is correct, with less work for the client than executin ..."
Abstract

Cited by 26 (4 self)
 Add to MetaCart
(Show Context)
Abstract—We consider interactive, proofbased verifiable computation: how can a client machine specify a computation to a server, receive an answer, and then engage the server in an interactive protocol that convinces the client that the answer is correct, with less work for the client than executing the computation in the first place? Complexity theory and cryptography offer solutions in principle, but if implemented naively, they are ludicrously expensive. Recently, however, several strands of work have refined this theory and implemented the resulting protocols in actual systems. This work is promising but suffers from one of two problems: either it relies on expensive cryptography, or else it applies to a restricted class of computations. Worse, it is not always clear which protocol will perform better for a given problem. We describe a system that (a) extends optimized refinements of the noncryptographic protocols to a much broader class of computations, (b) uses static analysis to fail over to the cryptographic ones when the noncryptographic ones would be more expensive, and (c) incorporates this core into a built system that includes a compiler for a highlevel language, a distributed server, and GPU acceleration. Experimental results indicate that our system performs better and applies more widely than the best in the literature. 1
Resolving the conflict between generality and plausibility in verified computation
"... ..."
(Show Context)
Verifying computations with state
"... When outsourcing computations to the cloud or other thirdparties, a key issue for clients is the ability to verify the results. Recent work in proofbased verifiable computation, building on deep results in complexity theory and cryptography, has made significant progress on this problem. However, ..."
Abstract

Cited by 19 (3 self)
 Add to MetaCart
(Show Context)
When outsourcing computations to the cloud or other thirdparties, a key issue for clients is the ability to verify the results. Recent work in proofbased verifiable computation, building on deep results in complexity theory and cryptography, has made significant progress on this problem. However, all existing systems require computational models that do not incorporate state. This limits these systems to simplistic programming idioms and rules out computations where the client cannot materialize all of the input (e.g., very large MapReduce instances or database queries). This paper describes Pantry, the first built system that incorporates state. Pantry composes the machinery of proofbased verifiable computation with ideas from untrusted storage: the client expresses its computation in terms of digests that attests to state, and verifiably outsources that computation. Besides the boon to expressiveness, the client can gain from outsourcing even when the computation is sublinear in the input size. We describe a verifiable MapReduce application and a queriable database, among other simple applications. Although the resulting applications result in server overhead that is higher than we would like, Pantry is the first system to provide verifiability for realistic applications in a realistic programming model. 1
TimeOptimal Interactive Proofs for Circuit Evaluation
"... Several research teams have recently been working toward the development of practical generalpurpose protocols for verifiable computation. These protocols enable a computationally weak verifier to offload computations to a powerful but untrusted prover, while providing the verifier with a guarantee ..."
Abstract

Cited by 17 (2 self)
 Add to MetaCart
(Show Context)
Several research teams have recently been working toward the development of practical generalpurpose protocols for verifiable computation. These protocols enable a computationally weak verifier to offload computations to a powerful but untrusted prover, while providing the verifier with a guarantee that the prover performed the requested computations correctly. Despite substantial progress, existing implementations require further improvements before they become practical for most settings. The main bottleneck is typically the extra effort required by the prover to return an answer with a guarantee of correctness, compared to returning an answer with no guarantee. We describe a refinement of a powerful interactive proof protocol due to Goldwasser, Kalai, and Rothblum [21]. Cormode, Mitzenmacher, and Thaler [14] show how to implement the prover in this protocol in time O(SlogS), where S is the size of an arithmetic circuit computing the function of interest. Our refinements apply to circuits with sufficiently “regular ” wiring patterns; for these circuits, we bring the runtime of the prover down to O(S). That is, our prover can evaluate the circuit with a guarantee of correctness, with only a constantfactor blowup in work compared to evaluating the circuit with no guarantee.
Pinocchio Coin: building Zerocoin from a succinct pairingbased proof system
 in PETShop ’13. [Online]. Available: http://www0.cs.ucl.ac.uk/staff/G. Danezis/papers/DanezisFournetKohlweissParno13.pdf
"... Bitcoin is the first widely adopted distributed ecash system and Zerocoin is a recent proposal to extend Bitcoin with anonymous transactions. The original Zerocoin protocol relies heavily on the Strong RSA assumption and doublediscrete logarithm proofs, longstanding techniques with known performa ..."
Abstract

Cited by 14 (2 self)
 Add to MetaCart
(Show Context)
Bitcoin is the first widely adopted distributed ecash system and Zerocoin is a recent proposal to extend Bitcoin with anonymous transactions. The original Zerocoin protocol relies heavily on the Strong RSA assumption and doublediscrete logarithm proofs, longstanding techniques with known performance restrictions. We show a variant of the Zerocoin protocol using instead elliptic curves and bilinear pairings. The proof system makes use of modern techniques based on quadratic arithmetic programs resulting in smaller proofs and quicker verification. We remark on several extensions to Zerocoin that are enabled by the generalpurpose nature of these techniques.
Verifiable Delegation of Computation on Outsourced Data
, 2013
"... We address the problem in which a client stores a large amount of data with an untrusted server in such a way that, at any moment, the client can ask the server to compute a function on some portion of its outsourced data. In this scenario, the client must be able to efficiently verify the correct ..."
Abstract

Cited by 14 (5 self)
 Add to MetaCart
We address the problem in which a client stores a large amount of data with an untrusted server in such a way that, at any moment, the client can ask the server to compute a function on some portion of its outsourced data. In this scenario, the client must be able to efficiently verify the correctness of the result despite no longer knowing the inputs of the delegated computation, it must be able to keep adding elements to its remote storage, and it does not have to fix in advance (i.e., at data outsourcing time) the functions that it will delegate. Even more ambitiously, clients should be able to verify in time independent of the inputsize – a very appealing property for computations over huge amounts of data. In this work we propose novel cryptographic techniques that solve the above problem for the class of computations of quadratic polynomials over a large number of variables. This class covers a wide range of significant arithmetic computations – notably, many important statistics. To confirm the efficiency of our solution, we show encouraging performance results, e.g., correctness proofs have size below 1 kB
Verifiable set operations over outsourced databases
, 2013
"... We study the problem of verifiable delegation of computation over outsourced data, whereby a powerful worker maintains a large data structure for a weak client in a verifiable way. Compared to the wellstudied problem of verifiable computation, this setting imposes additional difficulties since the ..."
Abstract

Cited by 9 (5 self)
 Add to MetaCart
We study the problem of verifiable delegation of computation over outsourced data, whereby a powerful worker maintains a large data structure for a weak client in a verifiable way. Compared to the wellstudied problem of verifiable computation, this setting imposes additional difficulties since the verifier needs to verify consistency of updates succinctly and without maintaining large state. In particular, existing general solutions are far from practical in this setting. We present a scheme for verifiable evaluation of hierarchical set operations (unions, intersections and setdifferences) applied to a collection of dynamically changing sets of elements from a given domain. That is, we consider two types of queries issued by the client: updates (insertions and deletions) and data queries, which consist of “circuits” of unions, intersections, and setdifferences on the current collection of sets. This type of queries comes up in database queries, keyword search and numerous other applications, and indeed our scheme can be effectively used in such scenarios. The computational cost incurred is proportional only to the size of the final outcome set and to the size of the query, and is independent of the cardinalities of the involved sets. The cost of updates is optimal (O(1) modular operations per update). Our construction extends that of [Papamanthou et al., Crypto 2011] and relies on a modified version of the extractable collisionresistant hash function (ECRH) construction, introduced in [Bitansky et al., ITCS 2012] that can be used to succinctly hash univariate polynomials.
Permacoin: Repurposing Bitcoin Work for Data Preservation
"... Bitcoin is widely regarded as the first broadly successful ecash system. An oftcited concern, though, is that mining Bitcoins wastes computational resources. Indeed, Bitcoin’s underlying mining mechanism, which we call a scratchoff puzzle (SOP), involves continuously attempting to solve computat ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
(Show Context)
Bitcoin is widely regarded as the first broadly successful ecash system. An oftcited concern, though, is that mining Bitcoins wastes computational resources. Indeed, Bitcoin’s underlying mining mechanism, which we call a scratchoff puzzle (SOP), involves continuously attempting to solve computational puzzles that have no intrinsic utility. We propose a modification to Bitcoin that repurposes its mining resources to achieve a more broadly useful goal: distributed storage of archival data. We call our new scheme Permacoin. Unlike Bitcoin and its proposed alternatives, Permacoin requires clients to invest not just computational resources, but also storage. Our scheme involves an alternative scratchoff puzzle for Bitcoin based on ProofsofRetrievability (PORs). Successfully minting money with this SOP requires local, random access to a copy of a file. Given the competition among mining clients in Bitcoin, this modified SOP gives rise to highly decentralized file storage, thus reducing the overall waste of Bitcoin. Using a model of rational economic agents we show that our modified SOP preserves the essential properties of the original Bitcoin puzzle. We also provide parameterizations and calculations based on realistic hardware constraints to demonstrate the practicality of Permacoin as a whole. 1