## Microsoft Research (2014)

### Citations

1744 | Identity-based encryption from the Weil pairing
- Boneh, Franklin
- 2001
Citation Context ...e steps. We present our protocol in terms of a generic quadratic encoding E [33]. In our implementation, we use an encoding based on bilinear groups. Specifically, let e be a non-trivial bilinear map [16] $e : G_1 \times G_2 \to G_T$ and let $g_1, g_2$ be generators of $G_1$ and $G_2$ respectively. To simplify notation we define the encoding $E(x)$ to be either $g_1^x$ or $g_2^x$ depending on whether it appears on the left or the rig... |

1345 | The Magma algebra system. I. The user language
- Bosma, Cannon, et al.
- 1997
Citation Context ...r-than-usual fields, creating additional inefficiency [10]. To estimate the costs of using MNT curves at the 128-bit level used by Pinocchio, we coded up all of the relevant curve operations in Magma [17] and counted the group operations required. We made very optimistic assumptions about the optimal implementation of the curves, e.g., by assuming that the operations employ all available EC tricks wit... |

1240 | The Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Micali, et al.
- 1989
Citation Context ...verifying computation focused on narrow classes of computation [36, 57], relied on physical-security assumptions [45, 52, 54], assumed uncorrelated failures [21, 22, 40], or achieved good asymptotics [3, 32, 32, 34, 35, 37, 42, 48] but impractical concrete performance [51, 56]. Recently, several lines of work [10, 51, 55, 58] on verifiable computation [32] have combined theoretical and engineering innovations to build systems t... |

852 | LLVM: A Compilation Framework for Lifelong Program Analysis and Transformation
- Lattner, Adve
- 2004
Citation Context ...VM This section provides details on the construction of the Geppetto compiler. It elides QAP techniques already described in [51]. General-Purpose LLVM Front-End As a front-end compiler, we use clang [44], a fast full-fledged C compiler with rich syntax, standard semantics, and optimizations. Geppetto compilation to quadratic programs starts with a low-level, typed, integer-centric program representat... |

827 | A Classical Introduction to Modern Number Theory - Ireland, Rosen - 1990 |

439 | A certified digital signature
- Merkle
- 1989
Citation Context ...teration. This allows us to shrink key size and key generation time, and, more importantly, to save the prover time and memory. Prior work suggested achieving similar properties via Merkle hash trees [9, 14, 30, 33, 47], but implementations show that this approach increases the degree of the QAP by tens or hundreds per state element [10, 18, 61], whereas with MultiQAPs, the degree increases only by 1. Second, we sho... |

414 | Probabilistic checking of proofs: A new characterization of NP.
- Arora, Safra
- 1998
Citation Context ...verifying computation focused on narrow classes of computation [36, 57], relied on physical-security assumptions [45, 52, 54], assumed uncorrelated failures [21, 22, 40], or achieved good asymptotics [3, 32, 32, 34, 35, 37, 42, 48] but impractical concrete performance [51, 56]. Recently, several lines of work [10, 51, 55, 58] on verifiable computation [32] have combined theoretical and engineering innovations to build systems t... |

410 | Practical byzantine fault tolerance and proactive recovery.
- Castro, Liskov
- 2002
Citation Context .... Prior work on verifying computation focused on narrow classes of computation [36, 57], relied on physical-security assumptions [45, 52, 54], assumed uncorrelated failures [21, 22, 40], or achieved good asymptotics [3, 32, 32, 34, 35, 37, 42, 48] but impractical concrete performance [51, 56]. Recently, several lines of work [10, 51, 55, 58] on verifiable computation [32] have combi... |

393 | Short Signatures Without Random Oracles
- Boneh, Boyen
- 2004
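Citation Context ...e-Hellman (qPDH) assumption holds for G if for all A we have $\Pr[\, G_\lambda \leftarrow G(1^\lambda);\ g \leftarrow G_1^* \times G_2^*;\ s \leftarrow \mathbb{Z}_p^*;\ \sigma \leftarrow (G_\lambda, g, g^s, \ldots, g^{s^q}, g^{s^{q+2}}, \ldots, g^{s^{2q}});\ y \leftarrow A(\sigma) : y = g_1^{s^{q+1}} \,] = \mathrm{negl}(\lambda)$. Assumption 3 (q-SDH [15, 31]) The q-strong Diffie-Hellman (q-SDH) assumption holds for G if for all A: $\Pr[\, G_\lambda \leftarrow G(1^\lambda);\ g \leftarrow G_1^* \times G_2^*;\ s \leftarrow \mathbb{Z}_p^*;\ \sigma \leftarrow (G_\lambda, g, g^s, \ldots, g^{s^q});\ y \leftarrow A(\sigma) : y = e(g_1, g_2)^{\frac{1}{s+c}},\ c \in \mathbb{Z}_p^* \,] = \mathrm{negl}(\lambda)$. 4.4 Proofs... |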

334 | Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols. Advances in Cryptology - Crypto 1994, LNCS vol. 839
- Cramer, Damgard, et al.
- 1994
Citation Context ...hai proofs [38]. Zero Knowledge Several systems compile high-level functions to zero-knowledge (ZK) proofs [1, 5, 46]. Compilers from Almeida et al. [1] and Meiklejohn et al. [46] build on Σ-protocols [26], while the work of Backes et al. [5] uses Groth-Sahai ZK proofs [38]. For the subset of functionality these systems support, they are likely to outperform Geppetto at least for the prover, but none of... |

220 | Non-interactive verifiable computing: Outsourcing computation to untrusted workers
- Gennaro, Gentry, et al.
- 2010
Citation Context ...verifying computation focused on narrow classes of computation [36, 57], relied on physical-security assumptions [45, 52, 54], assumed uncorrelated failures [21, 22, 40], or achieved good asymptotics [3, 32, 32, 34, 35, 37, 42, 48] but impractical concrete performance [51, 56]. Recently, several lines of work [10, 51, 55, 58] on verifiable computation [32] have combined theoretical and engineering innovations to build systems t... |

216 | Pairing-friendly elliptic curves of prime order
- Barreto, Naehrig
- 2006
Citation Context ...e curves fit together [10]. As a pragmatic alternative, we propose and implement bounded bootstrapping. Specifically, we instantiate one version of Geppetto with the same highly efficient BN curve [7] employed by Pinocchio. We use the BN curve to generate a collection of commitments and proofs for our MultiQAP-based CP scheme. We then construct a second curve capable of efficiently embedding the B... |

207 | Fast and secure distributed read-only file system.
- Fu, Kaashoek, et al.
- 2000
Citation Context ...teration. This allows us to shrink key size and key generation time, and, more importantly, to save the prover time and memory. Prior work suggested achieving similar properties via Merkle hash trees [9, 14, 30, 33, 47], but implementations show that this approach increases the degree of the QAP by tens or hundreds per state element [10, 18, 61], whereas with MultiQAPs, the degree increases only by 1. Second, we sho... |

169 | A note on efficient zero-knowledge proofs and arguments (extended abstract
- Kilian
- 1992 |

150 | Universally composable two-party and multi-party secure computation
- Canetti, Lindell, et al.
- 2002
Citation Context ...ermediate state would make it difficult or impossible for the verifier to “win” from outsourcing. To avoid placing this burden on the verifier, we will build a non-interactive commit-and-prove scheme [20, 28, 41], i.e., a scheme in which the prover can supply a short commitment to intermediate values and prove multiple statements about the Figure 2: Overview for § 2. Geppetto’s compiler runs in two phases: (I... |

125 | Efficient non-interactive proof systems for bilinear groups.
- Groth, Sahai
- 2008
Citation Context ...first mentioned by Kilian [41]. Canetti et al. [20] define CP schemes in the UC model and realize such schemes in the FZK-hybrid model. Escala and Groth [28] design CP schemes from Groth-Sahai proofs [38]. Zero Knowledge Several systems compile high-level functions to zero-knowledge (ZK) proofs [1, 5, 46]. Compilers from Almeida et al. [1] and Meiklejohn et al. [46] build on Σ-protocols [26], while the... |

122 | New explicit conditions of elliptic curve traces for FR-reduction
- Miyaji, Nakabayashi, et al.
Citation Context ...phic operations, since it allows us to condense a long series of proofs and commitments into a single proof and commitment. Remarkably, Ben-Sasson et al. [10] recently discovered a pair of MNT curves [49] E and Ẽ that are pairing friendly and, more importantly, not only can Ẽ be embedded in E, but E can be embedded in Ẽ. While Ben-Sasson et al. use these curves to bootstrap the verification of indi... |

121 | Checking the correctness of memories
- Blum, Evans, et al.
- 1991
Citation Context ...teration. This allows us to shrink key size and key generation time, and, more importantly, to save the prover time and memory. Prior work suggested achieving similar properties via Merkle hash trees [9, 14, 30, 33, 47], but implementations show that this approach increases the degree of the QAP by tens or hundreds per state element [10, 18, 61], whereas with MultiQAPs, the degree increases only by 1. Second, we sho... |

117 | Computationally Sound Proofs
- Micali |

113 | Delegating computation: Interactive proofs for muggles. - Goldwasser, Kalai, et al. - 2008 |

111 | A taxonomy of pairing-friendly elliptic curves. Cryptology ePrint Archive, Report 2006/372 - Freeman, Scott, et al. - 2006 |

101 | Efficient non-transferable anonymous multi-show credential system with optional anonymity revocation. - Camenisch, Lysyanskaya - 2002 |

80 | Uncheatable distributed computations
- Golle, Mironov
- 2001
Citation Context ...acy of sensitive data used in such computations, or even the privacy of the computation itself. Prior work on verifying computation focused on narrow classes of computation [36, 57], relied on physical-security assumptions [45, 52, 54], assumed uncorrelated failures [21, 22, 40], or achieved good asymptotics [3, 32, 32, 34, 35, 37, 42, 48] but impractical concrete performance [5... |

79 | Privacy-Preserving Smart Metering
- Rial, Danezis
- 2011
Citation Context ... arise in many outsourcing applications. For instance, a MapReduce job may need to compute over signed data, or a customer with a smart meter may wish to privately compute a bill over signed readings [53]. As another example, recent work [8, 27] shows how to anonymize Bitcoin transactions using Pinocchio [51] and would benefit from the ability to verify signatures within Bitcoin transactions. In exist... |

74 | Query execution assurance for outsourced databases
- Sion
- 2005
Citation Context ...acy of sensitive data used in such computations, or even the privacy of the computation itself. Prior work on verifying computation focused on narrow classes of computation [36, 57], relied on physical-security assumptions [45, 52, 54], assumed uncorrelated failures [21, 22, 40], or achieved good asymptotics [3, 32, 32, 34, 35, 37, 42, 48] but impractical concrete performance [5... |

72 | Quadratic span programs and succinct NIZKs without PCPs.
- Gennaro, Gentry, et al.
- 2013
Citation Context ...tions while making at most cryptographic assumptions. Currently, the best performing, fully general-purpose verifiable computation protocols [51, 55] are based on Quadratic Arithmetic Programs (QAPs) [33]. To provide non-interactive, publicly verifiable computation, as well as zero-knowledge proofs (i.e., computations in which some or all of the worker’s inputs are private) recent systems [4, 8, 10, 1... |

69 | Pinocchio: Nearly practical verifiable computation
- Parno, Howell, et al.
- 2013
Citation Context ...7], relied on physical-security assumptions [45, 52, 54], assumed uncorrelated failures [21, 22, 40], or achieved good asymptotics [3, 32, 32, 34, 35, 37, 42, 48] but impractical concrete performance [51, 56]. Recently, several lines of work [10, 51, 55, 58] on verifiable computation [32] have combined theoretical and engineering innovations to build systems that can verify the results of general-purpose ... |

67 | Architecture for protecting critical secrets in microprocessors.
- Lee, Kwan, et al.
- 2005
Citation Context ...r even the privacy of the computation itself. Prior work on verifying computation focused on narrow classes of computation [36, 57], relied on physical-security assumptions [45, 52, 54], assumed uncorrelated failures [21, 22, 40], or achieved good asymptotics [3, 32, 32, 34, 35, 37, 42, 48] but impractical concrete performance [51, 56]. Recently, several lines of work [10, 51, 55, 5... |

53 | Recursive composition and bootstrapping for SNARKs and proof-carrying data
- Bitansky, Canetti, et al.
- 2013
Citation Context ...e IO. As a third contribution, we combine our MultiQAPs and cryptographic embeddings to obtain MultiQAPs with constant-sized proofs via bounded proof bootstrapping. In theory, with proof bootstrapping [12, 59], the prover can combine any series of proofs into one constant-sized proof by verifiably computing the verification of all of those proofs. Very recent work elegantly achieves unbounded proof bootstr... |

51 | Optimal pairings. - Vercauteren - 2010 |

44 | Uses of Randomness in Algorithms and Protocols
- Kilian
- 1989
Citation Context ...ermediate state would make it difficult or impossible for the verifier to “win” from outsourcing. To avoid placing this burden on the verifier, we will build a non-interactive commit-and-prove scheme [20, 28, 41], i.e., a scheme in which the prover can supply a short commitment to intermediate values and prove multiple statements about the Figure 2: Overview for § 2. Geppetto’s compiler runs in two phases: (I... |

38 | Faster explicit formulas for computing pairings over ordinary curves.
- Aranha, Karabina, et al.
- 2011
Citation Context ...ify_job(DATA b0, QUERY b1) { commitment cs[4]; cs[0] = b0->c; // reuse commitment produced by save_DATA cs[1] = b1->c; // reuse commitment produced by save_QUERY RESULT b2 = load_recommit_RESULT(); cs[2] = b2->c; load_verify_commit(&STATE.vk, &cs[3], C_job_LOCALS); cProof pi; load_cProof("job", &pi, outsource_id, RUN_TIME); verify_proof(&STATE.vk, &pi, 4, cs); return b2; } Just like job, verify_job t... |

38 | Practical verified computation with streaming interactive proofs.
- Cormode, Mitzenmacher, et al.
- 2012
Citation Context ...iply costs 68% more than the static version (rather than 5×), and costs a negligible 1% in the five-multiply case. 7.5 Compiler Some previous verifiable computations systems do not include a compiler [25, 58], while those that do [11, 18, 51] have typically compiled small examples with less than 100 lines of C code. In contrast, Geppetto’s compiler handles large cryptographic libraries, with the largest c... |

35 | Short pairing-based non-interactive zero-knowledge arguments.
- Groth
- 2010 |

35 | Making argument systems for outsourced computation practical (sometimes
- Setty, McPherson, et al.
- 2012
Citation Context ...7], relied on physical-security assumptions [45, 52, 54], assumed uncorrelated failures [21, 22, 40], or achieved good asymptotics [3, 32, 32, 34, 35, 37, 42, 48] but impractical concrete performance [51, 56]. Recently, several lines of work [10, 51, 55, 58] on verifiable computation [32] have combined theoretical and engineering innovations to build systems that can verify the results of general-purpose ... |

28 | Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle attacks
- Gennaro
- 2004
Citation Context ...e-Hellman (qPDH) assumption holds for G if for all A we have $\Pr[\, G_\lambda \leftarrow G(1^\lambda);\ g \leftarrow G_1^* \times G_2^*;\ s \leftarrow \mathbb{Z}_p^*;\ \sigma \leftarrow (G_\lambda, g, g^s, \ldots, g^{s^q}, g^{s^{q+2}}, \ldots, g^{s^{2q}});\ y \leftarrow A(\sigma) : y = g_1^{s^{q+1}} \,] = \mathrm{negl}(\lambda)$. Assumption 3 (q-SDH [15, 31]) The q-strong Diffie-Hellman (q-SDH) assumption holds for G if for all A: $\Pr[\, G_\lambda \leftarrow G(1^\lambda);\ g \leftarrow G_1^* \times G_2^*;\ s \leftarrow \mathbb{Z}_p^*;\ \sigma \leftarrow (G_\lambda, g, g^s, \ldots, g^{s^q});\ y \leftarrow A(\sigma) : y = e(g_1, g_2)^{\frac{1}{s+c}},\ c \in \mathbb{Z}_p^* \,] = \mathrm{negl}(\lambda)$. 4.4 Proofs... |

25 | Fast reductions from RAMs to delegatable succinct constraint satisfaction problems.
- Ben-Sasson, Chiesa, et al.
- 2013 |

25 | Resolving the conflict between generality and plausibility in verified computation.
- Setty, Braun, et al.
- 2013
Citation Context ...s [45, 52, 54], assumed uncorrelated failures [21, 22, 40], or achieved good asymptotics [3, 32, 32, 34, 35, 37, 42, 48] but impractical concrete performance [51, 56]. Recently, several lines of work [10, 51, 55, 58] on verifiable computation [32] have combined theoretical and engineering innovations to build systems that can verify the results of general-purpose outsourced computations while making at most crypt... |

21 | Incrementally verifiable computation or proofs of knowledge imply time/space efficiency
- Valiant
- 2008
Citation Context ...e IO. As a third contribution, we combine our MultiQAPs and cryptographic embeddings to obtain MultiQAPs with constant-sized proofs via bounded proof bootstrapping. In theory, with proof bootstrapping [12, 59], the prover can combine any series of proofs into one constant-sized proof by verifiably computing the verification of all of those proofs. Very recent work elegantly achieves unbounded proof bootstr... |

20 | Zerocash: Decentralized anonymous payments from Bitcoin
- Ben-Sasson, Chiesa, et al.
- 2014
Citation Context ... (QAPs) [33]. To provide non-interactive, publicly verifiable computation, as well as zero-knowledge proofs (i.e., computations in which some or all of the worker’s inputs are private) recent systems [4, 8, 10, 11, 18, 27, 43, 61] have converged on the Pinocchio protocol [51] as a cryptographic back end. Pinocchio, in turn, depends on QAPs. While these protocols have made proof verification nearly practical, the cost to genera... |

20 | Verifying computations with state.
- Braun, Feldman, et al.
- 2013
Citation Context ... (QAPs) [33]. To provide non-interactive, publicly verifiable computation, as well as zero-knowledge proofs (i.e., computations in which some or all of the worker’s inputs are private) recent systems [4, 8, 10, 11, 18, 27, 43, 61] have converged on the Pinocchio protocol [51] as a cryptographic back end. Pinocchio, in turn, depends on QAPs. While these protocols have made proof verification nearly practical, the cost to genera... |

19 | Identity-based cryptosystems based on the Weil pairing. Unpublished manuscript
- Cocks, Pinch
- 2001
Citation Context ...tems, GIN and GOUT. To achieve this at the 128-bit security level, we instantiate GIN using a Barreto-Naehrig (BN) elliptic curve [7], and then construct GOUT accordingly with the Cocks-Pinch method [24]. Roughly, the latter constructs a pairing-friendly curve by outputting a finite field corresponding to a given, prescribed group order. We fix the prime p from the BN parameterization as the group or... |

17 | A certifying compiler for zero-knowledge proofs of knowledge based on σ-protocols.
- Almeida, Bangerter, et al.
- 2010
Citation Context ...functions for verifying commitments, and OUTSOURCE(job, db, q) is implemented with: RESULT verify_job(DATA b0, QUERY b1) { commitment cs[4]; cs[0] = b0->c; // reuse commitment produced by save_DATA cs[1] = b1->c; // reuse commitment produced by save_QUERY RESULT b2 = load_recommit_RESULT(); cs[2] = b2->c; load_verify_commit(&STATE.vk, &cs[3], C_job_LOCALS); cProof pi; load_cProof("job", &pi, outsourc... |

16 | Pinocchio Coin: building Zerocoin from a succinct pairing-based proof system
- Danezis, Fournet, et al.
- 2013
Citation Context ... (QAPs) [33]. To provide non-interactive, publicly verifiable computation, as well as zero-knowledge proofs (i.e., computations in which some or all of the worker’s inputs are private) recent systems [4, 8, 10, 11, 18, 27, 43, 61] have converged on the Pinocchio protocol [51] as a cryptographic back end. Pinocchio, in turn, depends on QAPs. While these protocols have made proof verification nearly practical, the cost to genera... |

16 | ZKPDL: a language-based system for efficient zero-knowledge proofs and electronic cash.
- Meiklejohn, Erway, et al.
- 2010
Citation Context ...e such schemes in the FZK-hybrid model. Escala and Groth [28] design CP schemes from Groth-Sahai proofs [38]. Zero Knowledge Several systems compile high-level functions to zero-knowledge (ZK) proofs [1, 5, 46]. Compilers from Almeida et al. [1] and Meiklejohn et al. [46] build on Σ-protocols [26], while the work of Backes et al. [5] uses Groth-Sahai ZK proofs [38]. For the subset of functionality these syste... |

16 | Time-optimal interactive proofs for circuit evaluation
- Thaler
- 2013
Citation Context ...s [45, 52, 54], assumed uncorrelated failures [21, 22, 40], or achieved good asymptotics [3, 32, 32, 34, 35, 37, 42, 48] but impractical concrete performance [51, 56]. Recently, several lines of work [10, 51, 55, 58] on verifiable computation [32] have combined theoretical and engineering innovations to build systems that can verify the results of general-purpose outsourced computations while making at most crypt... |

14 | On the existence of extractable one-way functions.
- Bitansky, Canetti, et al.
- 2014
Citation Context ...is negligible, as REK guarantees that Verify(VK,C,pi) accepts, and because P is a knowledge sound proof system for the relation Rλ. In the bootstrapping theorem we avoid controversial auxiliary input [13], contrary to [23]. The missing information for running A′ is be obtained from the relation REK being proven. 4 Geppetto’s CP Protocol We now construct an efficient commit-and-prove protocol for a re... |

13 | Succinct non-interactive zero knowledge for a von Neumann architecture.
- Ben-Sasson, Chiesa, et al.
- 2014
Citation Context ...tatic version (rather than 5×), and costs a negligible 1% in the five-multiply case. 7.5 Compiler Some previous verifiable computations systems do not include a compiler [25, 58], while those that do [11, 18, 51] have typically compiled small examples with less than 100 lines of C code. In contrast, Geppetto’s compiler handles large cryptographic libraries, with the largest clocking in at 4,159 SLOC [62] of c... |

13 | Token-based cloud computing: Secure outsourcing of data and arbitrary computations with lower latency
- Sadeghi, Schneider, et al.
- 2010
Citation Context ...r even the privacy of the computation itself. Prior work on verifying computation focused on narrow classes of computation [36, 57], relied on physical-security assumptions [45, 52, 54], assumed uncorrelated failures [21, 22, 40], or achieved good asymptotics [3, 32, 32, 34, 35, 37, 42, 48] but impractical concrete performance [51, 56]. Recently, several lines of work [10, 51, 55, 5... |

12 | Secure Remote Execution of Sequential Computations.
- Karame, Strasser, et al.
- 2009
Citation Context .... Prior work on verifying computation focused on narrow classes of computation [36, 57], relied on physical-security assumptions [45, 52, 54], assumed uncorrelated failures [21, 22, 40], or achieved good asymptotics [3, 32, 32, 34, 35, 37, 42, 48] but impractical concrete performance [51, 56]. Recently, several lines of work [10, 51, 55, 58] on verifiable computation [32] have combi... |

10 | Automated synthesis of privacy-preserving distributed applications.
- Backes, Maffei, et al.
- 2012
Citation Context ...e such schemes in the FZK-hybrid model. Escala and Groth [28] design CP schemes from Groth-Sahai proofs [38]. Zero Knowledge Several systems compile high-level functions to zero-knowledge (ZK) proofs [1, 5, 46]. Compilers from Almeida et al. [1] and Meiklejohn et al. [46] build on Σ-protocols [26], while the work of Backes et al. [5] uses Groth-Sahai ZK proofs [38]. For the subset of functionality these syste... |

10 | Bootstrapping Trust in Modern Computers. - Parno, McCune, et al. - 2011 |

8 | Scalable zero knowledge via cycles of elliptic curves.
- Ben-Sasson, Chiesa, et al.
- 2014
Citation Context ...s [45, 52, 54], assumed uncorrelated failures [21, 22, 40], or achieved good asymptotics [3, 32, 32, 34, 35, 37, 42, 48] but impractical concrete performance [51, 56]. Recently, several lines of work [10, 51, 55, 58] on verifiable computation [32] have combined theoretical and engineering innovations to build systems that can verify the results of general-purpose outsourced computations while making at most crypt... |

7 | Anonymous credentials light
- Baldimtsi, Lysyanskaya
- 2013
Citation Context ...e committed before being opened and/or used to prove statements about them. For instance, they easily integrate with existing Σ-protocols as employed by protocols such as anonymous credential systems [6, 19]. Definition 3 (Succinct Commit-and-Prove) Consider a family of polynomial-time verifiable relations $\{R_\lambda\}_{\lambda \in \mathbb{N}}$ on tuples u of a fixed length ℓ. A succinct commit-and-prove scheme P = (KeyGen = (KeyGen1... |

7 | Succinct malleable NIZKs and an application to compact shuffles
- Chase, Kohlweiss, et al.
- 2013
Citation Context ...REK guarantees that Verify(VK,C,pi) accepts, and because P is a knowledge sound proof system for the relation Rλ. In the bootstrapping theorem we avoid controversial auxiliary input [13], contrary to [23]. The missing information for running A′ is be obtained from the relation REK being proven. 4 Geppetto’s CP Protocol We now construct an efficient commit-and-prove protocol for a relation R for the M... |

7 | Efficient RAM and control flow in verifiable outsourced computation
- Wahby, Setty, et al.
- 2015 |

6 | Uncheatable reputation for distributed computation markets, in Financial Cryptography
- Carbunar, Sion
- 2006
Citation Context .... Prior work on verifying computation focused on narrow classes of computation [36, 57], relied on physical-security assumptions [45, 52, 54], assumed uncorrelated failures [21, 22, 40], or achieved good asymptotics [3, 32, 32, 34, 35, 37, 42, 48] but impractical concrete performance [51, 56]. Recently, several lines of work [10, 51, 55, 58] on verifiable computation [32] have combi... |

5 | Nearly practical and privacy-preserving proofs on authenticated data.
- Backes, Fiore, et al.
- 2015 |

5 | Constructive and computational aspects of cryptographic pairings - Naehrig - 2009 |

4 | Trueset: Nearly practical verifiable set computations
- Kosba, Papadopoulos, et al.
- 2014 |

1 | Fine-tuning Groth-Sahai proofs. Cryptology ePrint Archive, Report 2004/155
- Escala, Groth
- 2013
Citation Context ...ermediate state would make it difficult or impossible for the verifier to “win” from outsourcing. To avoid placing this burden on the verifier, we will build a non-interactive commit-and-prove scheme [20, 28, 41], i.e., a scheme in which the prover can supply a short commitment to intermediate values and prove multiple statements about the Figure 2: Overview for § 2. Geppetto’s compiler runs in two phases: (I... |

1 | A Elliptic Curve details We construct bilinear systems, GIN and GOUT . Let GIN = (p′,G1,G2,GT ,e,Fp): that is, G1, G2 and GT are groups of prime order p′, all defined over fields of large prime characteristic p, such that there exists an efficiently compu
- comsloccount
Citation Context ..., 18, 51] have typically compiled small examples with less than 100 lines of C code. In contrast, Geppetto’s compiler handles large cryptographic libraries, with the largest clocking in at 4,159 SLOC [62] of complex cryptographic code supporting elliptic curve operations, including pairing. 8 Related Work Verifiable Computation As discussed in §1, many previous systems for verifying outsourced comp... |