
## Pinocchio: Nearly practical verifiable computation (2013)


Venue: In Proceedings of the IEEE Symposium on Security and Privacy

Citations: 63 (5 self)

### Citations

2869 | The Design and Analysis of Computer Algorithms - Aho, Hopcroft, et al. - 1974
Citation context: ...ble computing, dwarfed the linear number of cryptographic operations (§5.1). Hence we implemented an FFT-based O(n log n) polynomial multiplication library and used a polynomial interpolation algorithm [48] that builds a binary tree of polynomials, giving total time O(n log² n). Even so optimized, solving for h(x) is the second largest source of worker overhead. Preparing for the Future; Learning from th...

2174 | Randomized Algorithms - Motwani, Raghavan - 1995

1696 | Identity-based encryption from the Weil pairing - Boneh, Franklin - 2001
Citation context: ...o an arithmetic circuit C; then build the corresponding QAP Q = (t(x), V, W, Y) of size m and degree d. Let I_mid = {N + 1, ..., m}, i.e., the non-IO-related indices. Let e be a non-trivial bilinear map [34] e : G × G → G_T, and let g be a generator of G. Choose s, α, β_v, β_w, β_y, γ ←R F. Construct the public evaluation key EK_F as: ({g^{v_k(s)}}_{k∈I_mid}, {g^{w_k(s)}}_{k∈[m]}, {g^{y_k(s)}}_{k∈[m]}, {g^{α·v_k(s)}}_{k∈I_mid}, {g^{α·w_k(s)}}_{k∈...

1411 | Toward the next generation of recommender systems: A survey of the state-of-the-art and possible extensions - Adomavicius, Tuzhilin
Citation context: ...|M| = 1000 × 1000. Two Matrices has parameter n, takes as input two n × n matrices M1 and M2, and outputs the n × n matrix M1 · M2. Matrix operations are widely used, e.g., in collaborative filtering [49]. (|M| = 30 × 30 to |M| = 110 × 110) MultiVar Poly evaluates a k-variable, m-degree multivariate polynomial. The (m + 1)^k coefficients are parameters, the k variables x1, ..., xk are the inputs, and th...

1233 | The Knowledge Complexity of Interactive Proof-Systems - Goldwasser, Micali, et al. - 1989

792 | Proof verification and hardness of approximation problems - Arora, Lund, et al. - 1992
Citation context: ...tical. Indeed, for applications that can tolerate large batch sizes, the amortized costs of verification can be quite low. A few downsides remain, however. Because the work builds on the Hadamard PCP [56], the setup time, network overhead, and the prover's work are quadratic in the size of the original computation, unless the protocol is hand-tailored. To achieve efficiency, the verifier must outsourc...

413 | Probabilistic checking of proofs: A new characterization of NP - Arora, Safra - 1998
Citation context: ...ity has produced a number of beautiful, general-purpose protocols [16–23] that offer compelling asymptotics. In practice however, because they rely on complex Probabilistically Checkable Proofs (PCPs) [17] or fully-homomorphic encryption (FHE) [24], the performance is unacceptable: verifying small instances would take hundreds to trillions of years (§5.2). Very recent work [25–28] has improved these p...

407 | Practical byzantine fault tolerance and proactive recovery - Castro, Liskov - 2002
Citation context: ...ecific solutions [2–6] are often efficient, but only for a narrow class of computations. More general solutions often rely on assumptions that may not apply. For example, systems based on replication [1, 7, 8] assume uncorrelated failures, while those based on Trusted Computing [9–11] or other secure hardware [12–15] assume that physical protections cannot be defea...

405 | SETI@home: An Experiment in Public-Resource Computing - Anderson, Cobb, et al. - 2002
Citation context: ...obile devices), a relatively weak client may wish to outsource computation to one or more powerful workers. Common examples include cloud or grid computing, as well as volunteer distributed computing [1]. In all of these settings, the client should be able to verify the results returned, to guard against malicious or malfunctioning workers. Even from a legitimate worker's perspective, verifiable resu...

384 | Short Signatures without Random Oracles - Boneh, Boyen - 2004

353 | Design and Implementation of a TCG-based Integrity Measurement Architecture - Sailer, Zhang, et al. - 2004

332 | Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols - Cramer, Damgård, et al. - 1994
Citation context: ...rifying computation. Several systems provide compilers for zero-knowledge (ZK) proofs [62–64]. Both the systems of Almeida et al. [62] and Meiklejohn et al. [63] adopt an approach based on Σ-protocols [65]. The former provides functionality for proving knowledge in arbitrary groups, AND and OR compositions, and linear relations. The latter focuses on functionalities for cryptographic protocols, e.g., e...

272 | Architectural Support for Copy and Tamper Resistant Software. Architectural Support for Programming Languages and Operating Systems - Lie, Thekkath, et al. - 2000

260 | Hierarchical identity based encryption with constant size ciphertext. In: EUROCRYPT 05 - Boneh, Boyen, et al. - 2005
Citation context: ... and outputs of the function. In terms of security, GGPR [30] show this VC scheme is sound under the d-PKE and q-PDH assumptions (see Appendix A), which are weak versions of assumptions in prior work [21, 35, 36]. The q-PDH assumption belongs to a class of cryptographic assumptions that do not lend themselves to efficient falsification [37], though some members have indeed been proven false [38]. Gentry a...

215 | Pairing-friendly elliptic curves of prime order - Barreto, Naehrig - 2005
Citation context: ...Prior work [28] shows that standard techniques can parallelize work across cores, machines, or GPUs. For the cryptographic code, we use a high-speed elliptic curve library [45] with a 256-bit BN-curve [46] that provides 128 bits of security. The quadratic-program construction and protocol-execution code is 10,832 lines of C and C++ [42]. 4.2.1 Optimizing Operations We summarize some of the key optimizat...

210 | Robust Non-Interactive Zero Knowledge - Santis, Crescenzo, et al. - 2001

207 | Non-interactive verifiable computing: Outsourcing computation to untrusted workers - Gennaro, Gentry, et al. - 2010
Citation context: ...t, we describe Pinocchio, a concrete system for efficiently verifying general computations while making only cryptographic assumptions. In particular, Pinocchio supports public verifiable computation [22, 29], which allows an untrusted worker to produce signatures of computation. Initially, the client chooses a function and generates a public evaluation key and a (small) public verification key. Given the...

198 | A fully homomorphic encryption scheme - Gentry
Citation context: ...eral-purpose protocols [16–23] that offer compelling asymptotics. In practice however, because they rely on complex Probabilistically Checkable Proofs (PCPs) [17] or fully-homomorphic encryption (FHE) [24], the performance is unacceptable: verifying small instances would take hundreds to trillions of years (§5.2). Very recent work [25–28] has improved these protocols considerably, but efficiency is st...

190 | Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys - Boneh, Gentry, et al. - 2005
Citation context: ... and outputs of the function. In terms of security, GGPR [30] show this VC scheme is sound under the d-PKE and q-PDH assumptions (see Appendix A), which are weak versions of assumptions in prior work [21, 35, 36]. The q-PDH assumption belongs to a class of cryptographic assumptions that do not lend themselves to efficient falsification [37], though some members have indeed been proven false [38]. Gentry a...

172 | A note on efficient zero-knowledge proofs and arguments (extended abstract) - Kilian - 1992

166 | Lattice-gas Cellular Automata and Lattice Boltzmann Models – An Introduction - Wolf-Gladrow - 2000
Citation context: ... n edge matrix, and its output is an n × n matrix of all-pairs shortest paths. (n = 8, e = 64 to n = 24, e = 576) LGCA is a Lattice-Gas Cellular Automata implementation that converges to Navier-Stokes [50]. It has parameter n, the fluid lattice size, and k, the iteration count. It inputs one n-cell lattice and outputs another reflecting k steps. (n = 294, k = 5 to n = 294, k = 40) SHA-1 has no paramete...

124 | Relations among complexity measures - Pippenger, Fischer - 1979
Citation context: ...an Program (QSP). We summarize these transformations. Standard results show that polynomially-sized circuits are equivalent (up to a logarithmic factor) to Turing machines that run in polynomial time [33], though of course the actual efficiency of computing via circuits versus on native hardware depends heavily on the application (e.g., an arithmetic circuit for matrix multiplication adds essentially ...

121 | Efficient non-interactive proof systems for bilinear groups - Groth, Sahai - 2008
Citation context: ...r relations. The latter focuses on functionalities for cryptographic protocols, e.g., e-cash, blind signatures, or verifiable encryption. The compiler of Backes et al. [64] uses Groth-Sahai ZK proofs [66] and handles logical formulas. Rial and Danezis [32] propose a system for privacy-preserving smart metering in which clients use a ZK protocol to prove correctness of the billing computation they perfo...

119 | Faster secure two-party computation using garbled circuits - Huang, Evans, et al. - 2011

117 | Computationally sound proofs - Micali

112 | Delegating computation: Interactive proofs for muggles - Goldwasser, Kalai, et al. - 2008
Citation context: ...aluating the function. With regard to implementing verified computation, in the last year, two parallel efforts have emerged. One effort [25, 26] builds on the interactive proofs of Goldwasser et al. [20] (GKR), which draw on many techniques from the PCP literature. They target a streaming setting where the client cannot store all of the data it wishes to compute over; the system currently requires th...

87 | Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks - Damgård
Citation context: ...d applying the same linear combination (in the exponent) to the left and right elements of the pairs. This hardness is formalized in the d-PKE assumption, a sort of "knowledge-of-exponent" assumption [40], that says that the adversary must "know" such a linear combination, in the sense that this linear combination can be extracted from him. Roughly, this means that, in the security proof, we can extra...

76 | Privacy-preserving smart metering - Rial, Danezis
Citation context: ...nd all operations are performed over, a field F. The polynomials in the QAP are defined in terms of their evaluations at the two roots, r_5 and r_6. See text for details. context of smart-meter billing [32], where individual meter readings should be private to the client, but the utility needs to authenticate the aggregate amount owed. 2.2 Quadratic Programs Gennaro, Gentry, Parno, and Raykova (GGPR) re...

76 | On cryptographic assumptions and challenges - Naor
Citation context: ... A), which are weak versions of assumptions in prior work [21, 35, 36]. The q-PDH assumption belongs to a class of cryptographic assumptions that do not lend themselves to efficient falsification [37], though some members have indeed been proven false [38]. Gentry and Wichs recently showed that assumptions from this class are likely to be inherent for efficient, non-interactive arguments for NP re...

75 | Uncheatable distributed computations - Golle, Mironov - 2001

74 | Query execution assurance for outsourced databases - Sion - 2005

74 | Pioneer: Verifying integrity and guaranteeing execution of code on legacy platforms - Seshadri, Luk, et al. - 2005

74 | Separating succinct non-interactive arguments from all falsifiable assumptions - Gentry, Wichs - 2011
Citation context: ... some members have indeed been proven false [38]. Gentry and Wichs recently showed that assumptions from this class are likely to be inherent for efficient, non-interactive arguments for NP relations [39]. Zero Knowledge. Making the VC scheme zero-knowledge is remarkably simple. One simply includes the target polynomial t(x) itself in the polynomial sets V, W, and Y. This allows the worker to "rand...

70 | Improved delegation of computation using fully homomorphic encryption - Chung, Kalai, et al.

70 | The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols - Bellare, Palacio - 2004
Citation context: ...k [21, 35, 36]. The q-PDH assumption belongs to a class of cryptographic assumptions that do not lend themselves to efficient falsification [37], though some members have indeed been proven false [38]. Gentry and Wichs recently showed that assumptions from this class are likely to be inherent for efficient, non-interactive arguments for NP relations [39]. Zero Knowledge. Making the VC scheme zero-...

69 | Quadratic span programs and succinct NIZKs without PCPs - Gennaro, Gentry, et al. - 2013
Citation context: ...2.1), and Boolean circuits via Quadratic Span Programs (§2.2.2). To achieve efficient verifiable computation, Pinocchio combines quadratic programs, a computational model introduced by Gennaro et al. [30], with a series of theoretical refinements and systems engineering to produce an end-to-end toolchain for verifying computations. Specifically, via an improved protocol and proof technique, we slash t...

66 | Architecture for protecting critical secrets in microprocessors - Lee, Kwan, et al. - 2005

63 | Homomorphic evaluation of the AES circuit - Gentry, Halevi, et al. - 2012
Citation context: ...ince most of these schemes are ridiculously impractical, we model, rather than measure, their performance. For GGP, we built a model of its performance based on the latest performance results for FHE [53], while for the others, we used previously published models [27, 28]. For Pinocchio, however, we use real numbers from our implementation. Figure 6 shows that Pinocchio continues the recent trend of r...

63 | Billion-gate secure computation with malicious adversaries - Kreuter, shelat, et al. - 2012

56 | Fairplay—a secure two-party computation system - Malkhi, Nisan, et al. - 2004

53 | How to delegate and verify in public: verifiable computation from attribute-based encryption - Parno, Raykova, et al. - 2012
Citation context: ...t, we describe Pinocchio, a concrete system for efficiently verifying general computations while making only cryptographic assumptions. In particular, Pinocchio supports public verifiable computation [22, 29], which allows an untrusted worker to produce signatures of computation. Initially, the client chooses a function and generates a public evaluation key and a (small) public verification key. Given the...

42 | Distributed execution with remote audit - Monrose, Wyckoff, et al. - 1999

38 | Practical verified computation with streaming interactive proofs - Cormode, Mitzenmacher, et al. - 2012
Citation context: ...which relies on fully-homomorphic encryption (FHE); 3) Pepper [27], an optimized refinement of (1); and 4) Ginger [28], a further refinement of Pepper. We omit results from a separate PCP-based effort [25, 26], since Ginger's performance dominates it [28]. See Section 6 for more details on these schemes and the tradeoffs between them. Since most of these schemes are ridiculously impractical, we model, rath...

37 | Making argument systems for outsourced computation practical (sometimes) - Setty, McPherson, et al. - 2012
Citation context: ...igure 6 plots Pinocchio's performance against that of previous general-purpose systems. We use the multiplication of two matrices as our test application since it has appeared in several prior papers [25, 27], though simpler, non-cryptographic verification procedures exist [51, §7.1]. Since [figure residue omitted: axis labels "Time (s)" and "Matrix Dimension"]...

35 | Short Pairing-Based Non-interactive Zero-Knowledge Arguments - Groth - 2010
Citation context: ... and outputs of the function. In terms of security, GGPR [30] show this VC scheme is sound under the d-PKE and q-PDH assumptions (see Appendix A), which are weak versions of assumptions in prior work [21, 35, 36]. The q-PDH assumption belongs to a class of cryptographic assumptions that do not lend themselves to efficient falsification [37], though some members have indeed been proven false [38]. Gentry a...

33 | Secure distributed computing in a commercial environment. Financial Cryptography - Golle, Stubblebine - 2002

31 | A protocol for property-based attestation - Chen, Landfermann, et al. - 2006

28 | Taking proof-based verified computation a few steps closer to practicality - Setty, Vu, et al. - 2012
Citation context: ...le. On the plus side, it does not require cryptography, and it is secure against computationally unbounded adversaries. Setty et al. produced a line of PCP-based systems called Pepper [27] and Ginger [28]. They build on a particular type of PCP called a linear PCP [52], in which the proof can be represented as a linear function. This allows the worker to use a linearly-homomorphic encryption scheme to...

28 | Multi-trapdoor Commitments and Their Applications to Proofs of Knowledge Secure Under Concurrent Man-in-the-Middle Attacks - Gennaro - 2004

27 | Efficient arguments without short PCPs - Ishai, Kushilevitz, et al. - 2007
Citation context: ... multiplying two N×N matrices. all of these prior schemes are designated verifier, we measure against Pinocchio's designated verifier mode. We compare against 1) a naïve version of a PCP-based scheme [52]; 2) GGP [22], an early scheme that defined verifiable computation, but which relies on fully-homomorphic encryption (FHE); 3) Pepper [27], an optimized refinement of (1); and 4) Ginger [28], a further...

25 | Resolving the conflict between generality and plausibility in verified computation - Setty, Braun, et al. - 2013
Citation context: ...the results of outsourced computations without sharing the client's secret key, and hence opening the possibility for fraud. The scheme also does not support zero-knowledge proofs. Concurrent work [60] also builds on the quadratic programs of Gennaro et al. [30]. They observe that QAPs can be viewed as linear PCPs and hence can fit into Ginger's cryptographic framework [28]. Their work shows worker ...

25 | A hybrid architecture for interactive verifiable computation - Vu, Setty, et al. - 2013
Citation context: ...s can be viewed as linear PCPs and hence can fit into Ginger's cryptographic framework [28]. Their work shows worker computation improvements similar to those of Pinocchio. Additional concurrent work [61] adapts previous GKR-based protocols [25, 26] to the batching model and develops a compiler that chooses amongst three PCP-based backends. Both systems retain PCPs and Ginger's cryptographic protocol,...

20 | New software speed records for cryptographic pairings - Naehrig, Niederhagen, et al. - 2010
Citation context: ... is embarrassingly parallel. Prior work [28] shows that standard techniques can parallelize work across cores, machines, or GPUs. For the cryptographic code, we use a high-speed elliptic curve library [45] with a 256-bit BN-curve [46] that provides 128 bits of security. The quadratic-program construction and protocol-execution code is 10,832 lines of C and C++ [42]. 4.2.1 Optimizing Operations We summar...

16 | Verifiable computation with massively parallel interactive proofs - Thaler, Roberts, et al. - 2012
Citation context: ...igure 6 plots Pinocchio's performance against that of previous general-purpose systems. We use the multiplication of two matrices as our test application since it has appeared in several prior papers [25, 27], though simpler, non-cryptographic verification procedures exist [51, §7.1]. Since [figure residue omitted: axis labels "Time (s)" and "Matrix Dimension"]...

16 | A certifying compiler for zero-knowledge proofs of knowledge based on sigma-protocols - Almeida, Bangerter, et al. - 2010
Citation context: ...le from a subset of C, which should ease the development burden for verifying computation. Several systems provide compilers for zero-knowledge (ZK) proofs [62–64]. Both the systems of Almeida et al. [62] and Meiklejohn et al. [63] adopt an approach based on Σ-protocols [65]. The former provides functionality for proving knowledge in arbitrary groups, AND and OR compositions, and linear relations. The ...

16 | ZKPDL: A language-based system for efficient zero-knowledge proofs and electronic cash - Meiklejohn, Erway, et al. - 2010
Citation context: ...h should ease the development burden for verifying computation. Several systems provide compilers for zero-knowledge (ZK) proofs [62–64]. Both the systems of Almeida et al. [62] and Meiklejohn et al. [63] adopt an approach based on Σ-protocols [65]. The former provides functionality for proving knowledge in arbitrary groups, AND and OR compositions, and linear relations. The latter focuses on functiona...

15 | On the evaluation of powers and related problems (preliminary version) - Pippenger - 1976
Citation context: ...rned. Faster Exponentiation. Generating the evaluation key EK requires exponentiating the same base g to many different powers. We optimize this operation by adapting Pippenger's multi-exponentiation algorithm [47] for use with a single base. Essentially this means that we build a table of intermediate powers of g, allowing us to compute any particular exponent with only a few multiplications. In a si...

13 | Token-based cloud computing: Secure outsourcing of data and arbitrary computations with lower latency - Sadeghi, Schneider, et al. - 2010

12 | To cloud or not to cloud?: musings on costs and viability - Chen, Sion - 2011
Citation context: ...gh-level operations are 2.6x, 2.8x, and 1.3x faster than the original. (N = 10, σ ≤ 2%). Chen and Sion estimate that the cost of cloud computing is about 60× cheaper than local computing for a small enterprise [54]. This provides an approximate upper-bound for the amount of extra work we should be willing to add to the worker's overhead. While we do not yet achieve this bound, we make substantial progress on re...

11 | Searching for high-value rare events with uncheatable grid computing - Du, Goodrich - 2005

11 | Secure remote execution of sequential computations - Karame, Strasser, et al.
Citation context: ...rior work in this area focuses on verifying specific functions via auditing or special properties of the functions [2–6]. Other systems rely on replication, and hence assume failures are uncorrelated [1, 7, 8, 55]. A large body of work verifies computation by assuming the worker employs secure hardware [9–15]. While the theory and cryptography community has long studied the problem of general-purpose proof sys...

10 | Automated synthesis of privacy-preserving distributed applications - Backes, Maffei, et al. - 2012
Citation context: ...D and OR compositions, and linear relations. The latter focuses on functionalities for cryptographic protocols, e.g., e-cash, blind signatures, or verifiable encryption. The compiler of Backes et al. [64] uses Groth-Sahai ZK proofs [66] and handles logical formulas. Rial and Danezis [32] propose a system for privacy-preserving smart metering in which clients use a ZK protocol to prove correctness of th...

9 | Bootstrapping Trust in Modern Computers - Parno, McCune, et al. - 2011

6 | Uncheatable reputation for distributed computation markets - Carbunar, Sion - 2006
Citation context: ...ecific solutions [2–6] are often efficient, but only for a narrow class of computations. More general solutions often rely on assumptions that may not apply. For example, systems based on replication [1, 7, 8] assume uncorrelated failures, while those based on Trusted Computing [9–11] or other secure hardware [12–15] assume that physical protections cannot be defea...

6 | Secure two-party computations - Holzer, Franz, et al. - 2012
Citation context: ...sable masking with a compiler flag. We plan to extend our compiler to support floating point values via standard techniques [28, 43]. These features (and limitations) are similar to a parallel effort [44] to compile C for the purposes of secure multiparty computation, though they compile only to Boolean circuits. Details. The compiler front-end tracks scopes and variable values (as expressions), and u...

5 | Secure computation on floating point numbers - Aliasgari, Blanton, et al. - 2013
Citation context: ...ogram's computation is known not to overflow 254 bits, the programmer can disable masking with a compiler flag. We plan to extend our compiler to support floating point values via standard techniques [28, 43]. These features (and limitations) are similar to a parallel effort [44] to compile C for the purposes of secure multiparty computation, though they compile only to Boolean circuits. Details. The comp...