Results 1  10
of
71
Pinocchio: Nearly practical verifiable computation
 In Proceedings of the 34th IEEE Symposium on Security and Privacy, Oakland ’13
, 2013
"... Abstract To instill greater confidence in computations outsourced to the cloud, clients should be able to verify the correctness of the results returned. To this end, we introduce Pinocchio, a built system for efficiently verifying general computations while relying only on cryptographic assumption ..."
Abstract

Cited by 69 (6 self)
 Add to MetaCart
(Show Context)
Abstract To instill greater confidence in computations outsourced to the cloud, clients should be able to verify the correctness of the results returned. To this end, we introduce Pinocchio, a built system for efficiently verifying general computations while relying only on cryptographic assumptions. With Pinocchio, the client creates a public evaluation key to describe her computation; this setup is proportional to evaluating the computation once. The worker then evaluates the computation on a particular input and uses the evaluation key to produce a proof of correctness. The proof is only 288 bytes, regardless of the computation performed or the size of the inputs and outputs. Anyone can use a public verification key to check the proof. Crucially, our evaluation on seven applications demonstrates that Pinocchio is efficient in practice too. Pinocchio's verification time is typically 10ms: 57 orders of magnitude less than previous work; indeed Pinocchio is the first generalpurpose system to demonstrate verification cheaper than native execution (for some apps). Pinocchio also reduces the worker's proof effort by an additional 1960×. As an additional feature, Pinocchio generalizes to zeroknowledge proofs at a negligible cost over the base protocol. Finally, to aid development, Pinocchio provides an endtoend toolchain that compiles a subset of C into programs that implement the verifiable computation protocol.
From extractable collision resistance to succinct noninteractive arguments of knowledge, and back again
 In Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, ITCS '12
, 2012
"... The existence of noninteractive succinct arguments (namely, noninteractive computationallysound proof systems where the verifier’s time complexity is only polylogarithmically related to the complexity of deciding the language) has been an intriguing question for the past two decades. The question ..."
Abstract

Cited by 62 (18 self)
 Add to MetaCart
The existence of noninteractive succinct arguments (namely, noninteractive computationallysound proof systems where the verifier’s time complexity is only polylogarithmically related to the complexity of deciding the language) has been an intriguing question for the past two decades. The question has gained renewed importance in light of the recent interest in delegating computation to untrusted workers. Still, other than Micali’s CS proofs in the Random Oracle Model, the only existing candidate construction is based on an elaborate assumption that is tailored to the specific proposal [Di Crescenzo and Lipmaa, CiE ’08]. We modify and reanalyze that construction: • We formulate a general and relatively mild notion of extractable collisionresistant hash functions (ECRHs), and show that if ECRHs exist then the modified construction is a noninteractive succinct argument (SNARG) for NP. Furthermore, we show that (a) this construction is a proof of knowledge, and (b) it remains secure against adaptively chosen instances. These two properties are arguably essential for using the construction as a delegation of computation scheme. • We show that existence of SNARGs of knowledge (SNARKs) for NP implies existence of ECRHs, as well as extractable variants of some other cryptographic primitives. This provides further evi
Delegatable Pseudorandom Functions and Applications
"... We put forth the problem of delegating the evaluation of a pseudorandom function (PRF) to an untrusted proxy. A delegatable PRF, or DPRF for short, is a new primitive that enables a proxy to evaluate a PRF on a strict subset of its domain using a trapdoor derived from the DPRF secretkey. PRF delega ..."
Abstract

Cited by 55 (0 self)
 Add to MetaCart
We put forth the problem of delegating the evaluation of a pseudorandom function (PRF) to an untrusted proxy. A delegatable PRF, or DPRF for short, is a new primitive that enables a proxy to evaluate a PRF on a strict subset of its domain using a trapdoor derived from the DPRF secretkey. PRF delegation is policybased: the trapdoor is constructed with respect to a certain policy that determines the subset of input values which the proxy is allowed to compute. Interesting DPRFs should achieve lowbandwidth delegation: Enabling the proxy to compute the PRF values that conform to the policy should be more efficient than simply providing the proxy with the sequence of all such values precomputed. The main challenge in constructing DPRFs is in maintaining the pseudorandomness of unknown values in the face of an attacker that adaptively controls proxy servers. A DPRF may be optionally equipped with an additional property we call policy privacy, where any two delegation predicates remain indistinguishable in the view of a DPRFquerying proxy: achieving this raises new design challenges as policy privacy and efficiency are seemingly conflicting goals. For the important class of policies described as (1dimensional) ranges, we devise two DPRF constructions and rigorously prove their security. Built upon the wellknown treebased GGM PRF family [15], our constructions are generic and feature only logarithmic delegation size in the number of values conforming to the policy predicate. At only a constantfactor efficiency reduction, we show that our second construction is also policy private. As we finally describe, their new security and efficiency properties render our delegated PRF schemes particularly useful in numerous security applications, including RFID, symmetric searchable encryption, and broadcast encryption. 1
Homomorphic signatures for polynomial functions
, 2010
"... We construct the first homomorphic signature scheme that is capable of evaluating multivariate polynomials on signed data. Given the public key and a signed data set, there is an efficient algorithm to produce a signature on the mean, standard deviation, and other statistics of the signed data. Prev ..."
Abstract

Cited by 55 (4 self)
 Add to MetaCart
(Show Context)
We construct the first homomorphic signature scheme that is capable of evaluating multivariate polynomials on signed data. Given the public key and a signed data set, there is an efficient algorithm to produce a signature on the mean, standard deviation, and other statistics of the signed data. Previous systems for computing on signed data could only handle linear operations. For polynomials of constant degree, the length of a derived signature only depends logarithmically on the size of the data set. Our system uses ideal lattices in a way that is a “signature analogue” of Gentry’s fully homomorphic encryption. Security is based on hard problems on ideal lattices similar to those in Gentry’s system.
How to delegate and verify in public: Verifiable computation from attributebased encryption,”
 in Proceedings of the 9th International Conference on Theory of Cryptography (TCC’12),
, 2012
"... Abstract. The wide variety of small, computationally weak devices, and the growing number of computationally intensive tasks makes it appealing to delegate computation to data centers. However, outsourcing computation is useful only when the returned result can be trusted, which makes verifiable co ..."
Abstract

Cited by 55 (6 self)
 Add to MetaCart
(Show Context)
Abstract. The wide variety of small, computationally weak devices, and the growing number of computationally intensive tasks makes it appealing to delegate computation to data centers. However, outsourcing computation is useful only when the returned result can be trusted, which makes verifiable computation (VC) a must for such scenarios. In this work we extend the definition of verifiable computation in two important directions: public delegation and public verifiability, which have important applications in many practical delegation scenarios. Yet, existing VC constructions based on standard cryptographic assumptions fail to achieve these properties. As the primary contribution of our work, we establish an important (and somewhat surprising) connection between verifiable computation and attributebased encryption (ABE), a primitive that has been widely studied. Namely, we show how to construct a VC scheme with public delegation and public verifiability from any ABE scheme. The VC scheme verifies any function in the class of functions covered by the permissible ABE policies (currently Boolean formulas). This scheme enjoys a very efficient verification algorithm that depends only on the output size. Efficient delegation, however, requires the ABE encryption algorithm to be cheaper than the original function computation. Strengthening this connection, we show a construction of a multifunction verifiable computation scheme from an ABE scheme with outsourced decryption, a primitive defined recently by Green, Hohenberger and Waters (USENIX Security 2011). A multifunction VC scheme allows the verifiable evaluation of multiple functions on the same preprocessed input. In the other direction, we also explore the construction of an ABE scheme from verifiable computation protocols. Research conducted as part of an internship with Microsoft Research.
Verifiable delegation of computation over large datasets
 In Proceedings of the 31st annual conference on Advances in cryptology, CRYPTO’11
, 2011
"... We study the problem of computing on large datasets that are stored on an untrusted server. We follow the approach of amortized verifiable computation introduced by Gennaro, Gentry, and Parno in CRYPTO 2010. We present the first practical verifiable computation scheme for high degree polynomial func ..."
Abstract

Cited by 46 (4 self)
 Add to MetaCart
(Show Context)
We study the problem of computing on large datasets that are stored on an untrusted server. We follow the approach of amortized verifiable computation introduced by Gennaro, Gentry, and Parno in CRYPTO 2010. We present the first practical verifiable computation scheme for high degree polynomial functions. Such functions can be used, for example, to make predictions based on polynomials fitted to a large number of sample points in an experiment. In addition to the many noncryptographic applications of delegating high degree polynomials, we use our verifiable computation scheme to obtain new solutions for verifiable keyword search, and proofs of retrievability. Our constructions are based on the DDH assumption and its variants, and achieve adaptive security, which was left as an open problem by Gennaro et al (albeit for general functionalities). Our second result is a primitive which we call a verifiable database (VDB). Here, a weak client outsources a large table to an untrusted server, and makes retrieval and update queries. For each query, the server provides a response and a proof that the response was computed correctly. The goal is to minimize the resources required by the client. This is made particularly challenging if the number of update queries is unbounded. We present a VDB scheme based on the hardness of the subgroup
From secrecy to soundness: efficient verification via secure computation
 In Proceedings of the 37th international colloquium conference on Automata, languages and programming
, 2010
"... Abstract. We study the problem of verifiable computation (VC) in which a computationally weak client wishes to delegate the computation of a function f on an input x to a computationally strong but untrusted server. We present new general approaches for constructing VC protocols, as well as solving ..."
Abstract

Cited by 46 (4 self)
 Add to MetaCart
(Show Context)
Abstract. We study the problem of verifiable computation (VC) in which a computationally weak client wishes to delegate the computation of a function f on an input x to a computationally strong but untrusted server. We present new general approaches for constructing VC protocols, as well as solving the related problems of program checking and selfcorrecting. The new approaches reduce the task of verifiable computation to suitable variants of secure multiparty computation (MPC) protocols. In particular, we show how to efficiently convert the secrecy property of MPC protocols into soundness of a VC protocol via the use of a message authentication code (MAC). The new connections allow us to apply results from the area of MPC towards simplifying, unifying, and improving over previous results on VC and related problems. In particular, we obtain the following concrete applications: (1) The first VC protocols for arithmetic computations which only make a blackbox use of the underlying field or ring; (2) a noninteractive VC protocol for boolean circuits in the preprocessing model, conceptually simplifying and improving the online complexity of a recent protocol of Gennaro et al. (Cryptology ePrint Archive: Report 2009/547); (3) NC0 selfcorrectors for complete languages in the complexity class NC1 and various logspace classes, strengthening previous AC0 correctors of Goldwasser et al. (STOC 2008). 1
Attributebased encryption for circuits
 In STOC
"... In an attributebased encryption (ABE) scheme, a ciphertext is associated with an ℓbit public index ind and a message m, and a secret key is associated with a Boolean predicate P. The secret key allows to decrypt the ciphertext and learn m iff P (ind) = 1. Moreover, the scheme should be secure aga ..."
Abstract

Cited by 42 (11 self)
 Add to MetaCart
In an attributebased encryption (ABE) scheme, a ciphertext is associated with an ℓbit public index ind and a message m, and a secret key is associated with a Boolean predicate P. The secret key allows to decrypt the ciphertext and learn m iff P (ind) = 1. Moreover, the scheme should be secure against collusions of users, namely, given secret keys for polynomially many predicates, an adversary learns nothing about the message if none of the secret keys can individually decrypt the ciphertext. We present attributebased encryption schemes for circuits of any arbitrary polynomial size, where the public parameters and the ciphertext grow linearly with the depth of the circuit. Our construction is secure under the standard learning with errors (LWE) assumption. Previous constructions of attributebased encryption were for Boolean formulas, captured by the complexity class NC1. In the course of our construction, we present a new framework for constructing ABE schemes. As a byproduct of our framework, we obtain ABE schemes for polynomialsize branching programs, corresponding to the complexity class LOGSPACE, under quantitatively better assumptions.
Practical Verified Computation with Streaming Interactive Proofs
"... When delegating computation to a service provider, as in the cloud computing paradigm, we seek some reassurance that the output is correct and complete. Yet recomputing the output as a check is inefficient and expensive, and it may not even be feasible to store all the data locally. We are therefore ..."
Abstract

Cited by 38 (7 self)
 Add to MetaCart
(Show Context)
When delegating computation to a service provider, as in the cloud computing paradigm, we seek some reassurance that the output is correct and complete. Yet recomputing the output as a check is inefficient and expensive, and it may not even be feasible to store all the data locally. We are therefore interested in what can be validated by a streaming (sublinear space) user, who cannot store the full input, or perform the full computation herself. Our aim in this work is to advance a recent line of work on “proof systems ” in which the service provider proves the correctness of its output to a user. The goal is to minimize the time and space costs of both parties in generating and checking the proof. Only very recently have there been attempts to implement such proof systems, and thus far these have been quite limited in
Making argument systems for outsourced computation practical (sometimes
 In NDSS
, 2012
"... This paper describes the design, implementation, and evaluation of a system for performing verifiable outsourced computation. It has long been known that (1) this problem can be solved in theory using probabilistically checkable proofs (PCPs) coupled with modern cryptographic tools, and (2) these ..."
Abstract

Cited by 35 (6 self)
 Add to MetaCart
(Show Context)
This paper describes the design, implementation, and evaluation of a system for performing verifiable outsourced computation. It has long been known that (1) this problem can be solved in theory using probabilistically checkable proofs (PCPs) coupled with modern cryptographic tools, and (2) these solutions have wholly impractical performance, according to the conventional (and wellfounded) wisdom. Our goal is to challenge (2), with a built system that implements an argument system based on PCPs. We describe a generalpurpose system that builds on work of Ishai et al. (CCC ’07) and incorporates new theoretical work to improve performance by 20 orders of magnitude. The system is (arguably) practical in some cases, suggesting that, as a tool for building secure systems, PCPs are not a lost cause. 1