Results 1  10
of
62
Quadratic Span Programs and Succinct NIZKs without PCPs
"... We introduce a new characterization of the NP complexity class, called Quadratic Span Programs (QSPs), which is a natural extension of span programs defined by Karchmer and Wigderson. Our main motivation is the construction of succinct arguments of NPstatements that are quick to construct and verif ..."
Abstract

Cited by 72 (8 self)
 Add to MetaCart
(Show Context)
We introduce a new characterization of the NP complexity class, called Quadratic Span Programs (QSPs), which is a natural extension of span programs defined by Karchmer and Wigderson. Our main motivation is the construction of succinct arguments of NPstatements that are quick to construct and verify. QSPs seem wellsuited for this task, perhaps even better than Probabilistically Checkable Proofs (PCPs). In 2010, Groth constructed a NIZK argument in the common reference string (CRS) model for CircuitSAT consisting of only 42 elements in a bilinear group. Interestingly, his argument does not (explicitly) use PCPs. But his scheme has some disadvantages – namely, the CRS size and prover computation are both quadratic in the circuit size. In 2011, Lipmaa reduced the CRS size to quasilinear, but with prover computation still quadratic. Using QSPs we construct a NIZK argument in the CRS model for CircuitSAT consisting of just 7 group elements. The CRS size is linear in the circuit size, and prover computation is quasilinear, making our scheme seemingly quite practical. (The prover only needs to do a linear number of group operations; the quasilinear computation is a multipoint evaluation and interpolation.) Our results are complementary to those of Valiant (TCC 2008) and Bitansky et al. (2012), who use “bootstrapping ” (recursive composition) of arguments to reduce CRS size and prover and verifier computation. QSPs also provide a crisp mathematical abstraction of some of the techniques underlying Groth’s and Lipmaa’s constructions.
Functional Signatures and Pseudorandom Functions
, 2013
"... In this paper, we introduce functional digital signatures and pseudorandom functions. In a functional signature scheme, in addition to a master signing key that can be used to sign any message, there are signing keys for a function f, which allow one to sign any message in the range of f. We show ap ..."
Abstract

Cited by 69 (7 self)
 Add to MetaCart
In this paper, we introduce functional digital signatures and pseudorandom functions. In a functional signature scheme, in addition to a master signing key that can be used to sign any message, there are signing keys for a function f, which allow one to sign any message in the range of f. We show applications of functional signatures to construct succinct noninteractive arguments and delegation schemes. We give several general constructions for this primitive based on different computational hardness assumptions, and describe the tradeoffs between them in terms of the assumptions they require and the size of the signatures. In a functional pseudorandom function, in addition to a master secret key that can be used to evaluate the pseudorandom function F on any point in the domain, there are additional secret keys for a function f, which allow one to evaluate F on any y for which there exists an x such that f(x) = y. This implies the ability to delegate keys per function f for computing a pseudorandom function F on points y for which f(y) = 1. We define and provide a sample construction of a functional pseudorandom function family for the prefixfixing function family. 1
How to delegate and verify in public: Verifiable computation from attributebased encryption,”
 in Proceedings of the 9th International Conference on Theory of Cryptography (TCC’12),
, 2012
"... Abstract. The wide variety of small, computationally weak devices, and the growing number of computationally intensive tasks makes it appealing to delegate computation to data centers. However, outsourcing computation is useful only when the returned result can be trusted, which makes verifiable co ..."
Abstract

Cited by 55 (6 self)
 Add to MetaCart
(Show Context)
Abstract. The wide variety of small, computationally weak devices, and the growing number of computationally intensive tasks makes it appealing to delegate computation to data centers. However, outsourcing computation is useful only when the returned result can be trusted, which makes verifiable computation (VC) a must for such scenarios. In this work we extend the definition of verifiable computation in two important directions: public delegation and public verifiability, which have important applications in many practical delegation scenarios. Yet, existing VC constructions based on standard cryptographic assumptions fail to achieve these properties. As the primary contribution of our work, we establish an important (and somewhat surprising) connection between verifiable computation and attributebased encryption (ABE), a primitive that has been widely studied. Namely, we show how to construct a VC scheme with public delegation and public verifiability from any ABE scheme. The VC scheme verifies any function in the class of functions covered by the permissible ABE policies (currently Boolean formulas). This scheme enjoys a very efficient verification algorithm that depends only on the output size. Efficient delegation, however, requires the ABE encryption algorithm to be cheaper than the original function computation. Strengthening this connection, we show a construction of a multifunction verifiable computation scheme from an ABE scheme with outsourced decryption, a primitive defined recently by Green, Hohenberger and Waters (USENIX Security 2011). A multifunction VC scheme allows the verifiable evaluation of multiple functions on the same preprocessed input. In the other direction, we also explore the construction of an ABE scheme from verifiable computation protocols. Research conducted as part of an internship with Microsoft Research.
SNARKs for C: Verifying program executions succinctly and in zero knowledge
 In Proceedings of CRYPTO 2013, LNCS
"... An argument system for NP is a proof system that allows efficient verification of NP statements, given proofs produced by an untrusted yet computationallybounded prover. Such a system is noninteractive and publiclyverifiable if, after a trusted party publishes a proving key and a verification key, ..."
Abstract

Cited by 28 (1 self)
 Add to MetaCart
An argument system for NP is a proof system that allows efficient verification of NP statements, given proofs produced by an untrusted yet computationallybounded prover. Such a system is noninteractive and publiclyverifiable if, after a trusted party publishes a proving key and a verification key, anyone can use the proving key to generate noninteractive proofs for adaptivelychosen NP statements, and proofs can be verified by anyone by using the verification key. We present an implementation of a publiclyverifiable noninteractive argument system for NP. The system, moreover, is a zeroknowledge proofofknowledge. It directly proves correct executions of programs on TinyRAM, a randomaccess machine tailored for efficient verification of nondeterministic computations. Given a program P and time bound T, the system allows for proving correct execution of P, on any input x, for up to T steps, after a onetime setup requiring Õ(P  · T) cryptographic operations. An honest prover requires Õ(P  · T) cryptographic operations to generate such a proof, while proof verification can be performed with only O(x) cryptographic operations. This system can be used to prove the correct execution of C programs, using our TinyRAM port of the GCC compiler. This yields a zeroknowledge Succinct Noninteractive ARgument of Knowledge (zkSNARK) for
Verifying computations with state
"... When outsourcing computations to the cloud or other thirdparties, a key issue for clients is the ability to verify the results. Recent work in proofbased verifiable computation, building on deep results in complexity theory and cryptography, has made significant progress on this problem. However, ..."
Abstract

Cited by 20 (2 self)
 Add to MetaCart
(Show Context)
When outsourcing computations to the cloud or other thirdparties, a key issue for clients is the ability to verify the results. Recent work in proofbased verifiable computation, building on deep results in complexity theory and cryptography, has made significant progress on this problem. However, all existing systems require computational models that do not incorporate state. This limits these systems to simplistic programming idioms and rules out computations where the client cannot materialize all of the input (e.g., very large MapReduce instances or database queries). This paper describes Pantry, the first built system that incorporates state. Pantry composes the machinery of proofbased verifiable computation with ideas from untrusted storage: the client expresses its computation in terms of digests that attests to state, and verifiably outsources that computation. Besides the boon to expressiveness, the client can gain from outsourcing even when the computation is sublinear in the input size. We describe a verifiable MapReduce application and a queriable database, among other simple applications. Although the resulting applications result in server overhead that is higher than we would like, Pantry is the first system to provide verifiability for realistic applications in a realistic programming model. 1
Succinct noninteractive arguments via linear . . .
, 2012
"... Succinct noninteractive arguments (SNARGs) enable verifying NP statements with lower complexity than required for classical NP verification. Traditionally, the focus has been on minimizing the length of such arguments; nowadays researches have focused also on minimizing verification time, by drawin ..."
Abstract

Cited by 19 (2 self)
 Add to MetaCart
Succinct noninteractive arguments (SNARGs) enable verifying NP statements with lower complexity than required for classical NP verification. Traditionally, the focus has been on minimizing the length of such arguments; nowadays researches have focused also on minimizing verification time, by drawing motivation from the problem of delegating computation. A common relaxation is a preprocessing SNARG, which allows the verifier to conduct an expensive offline phase that is independent of the statement to be proven later. Recent constructions of preprocessing SNARGs have achieved attractive features: they are publiclyverifiable, proofs consist of only O(1) encrypted (or encoded) field elements, and verification is via arithmetic circuits of size linear in the NP statement. Additionally, these constructions seem to have “escaped the hegemony ” of probabilisticallycheckable proofs (PCPs) as a basic building block of succinct arguments. We present
Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE ⋆
, 2012
"... Abstract. Fully homomorphic encryption (FHE) enables secure computation over the encrypted data of a single party. We explore how to extend this to multiple parties, using threshold fully homomorphic encryption (TFHE). In such scheme, the parties jointly generate a common FHE public key along with a ..."
Abstract

Cited by 19 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Fully homomorphic encryption (FHE) enables secure computation over the encrypted data of a single party. We explore how to extend this to multiple parties, using threshold fully homomorphic encryption (TFHE). In such scheme, the parties jointly generate a common FHE public key along with a secret key that is shared among them; they can later cooperatively decrypt ciphertexts without learning anything but the plaintext. We show how to instantiate this approach efficiently, by extending the recent FHE schemes of Brakerski, Gentry and Vaikuntanathan (CRYPTO ’11, FOCS ’11, ITCS ’12) based on the (ring) learning with errors assumption. Our main tool is to exploit the property that such schemes are additively homomorphic over their keys. Using TFHE, we construct simple multiparty computation protocols secure against fully malicious attackers, tolerating any number of corruptions, and providing security in the universal composability framework. Our protocols have the following properties: Low interaction: 3 rounds of interaction given a common random string, or 2 rounds with a publickey infrastructure. Low communication: independent of the function being computed (proportional to just input and output sizes). Cloudassisted computation: the bulk of the computation can be efficiently outsourced to an external entity (e.g. a cloud service) so that the computation of all other parties is independent of the complexity of the evaluated function. 1
TimeOptimal Interactive Proofs for Circuit Evaluation
"... Several research teams have recently been working toward the development of practical generalpurpose protocols for verifiable computation. These protocols enable a computationally weak verifier to offload computations to a powerful but untrusted prover, while providing the verifier with a guarantee ..."
Abstract

Cited by 16 (2 self)
 Add to MetaCart
(Show Context)
Several research teams have recently been working toward the development of practical generalpurpose protocols for verifiable computation. These protocols enable a computationally weak verifier to offload computations to a powerful but untrusted prover, while providing the verifier with a guarantee that the prover performed the requested computations correctly. Despite substantial progress, existing implementations require further improvements before they become practical for most settings. The main bottleneck is typically the extra effort required by the prover to return an answer with a guarantee of correctness, compared to returning an answer with no guarantee. We describe a refinement of a powerful interactive proof protocol due to Goldwasser, Kalai, and Rothblum [21]. Cormode, Mitzenmacher, and Thaler [14] show how to implement the prover in this protocol in time O(SlogS), where S is the size of an arithmetic circuit computing the function of interest. Our refinements apply to circuits with sufficiently “regular ” wiring patterns; for these circuits, we bring the runtime of the prover down to O(S). That is, our prover can evaluate the circuit with a guarantee of correctness, with only a constantfactor blowup in work compared to evaluating the circuit with no guarantee.
Fully homomorphic message authenticators
 IACR Cryptology ePrint Archive
"... We define and construct a new primitive called a fully homomorphic message authenticator. With such scheme, anybody can perform arbitrary computations over authenticated data and produce a short tag that authenticates the result of the computation (without knowing the secret key). This tag can be ve ..."
Abstract

Cited by 15 (4 self)
 Add to MetaCart
(Show Context)
We define and construct a new primitive called a fully homomorphic message authenticator. With such scheme, anybody can perform arbitrary computations over authenticated data and produce a short tag that authenticates the result of the computation (without knowing the secret key). This tag can be verified using the secret key to ensure that the claimed result is indeed the correct output of the specified computation over previously authenticated data (without knowing the underlying data). For example, Alice can upload authenticated data to “the cloud”, which then performs some specified computations over this data and sends the output to Bob, along with a short tag that convinces Bob of correctness. Alice and Bob only share a secret key, and Bob never needs to know Alice’s underlying data. Our construction relies on fully homomorphic encryption to build fully homomorphic message authenticators. 1
Indistinguishability Obfuscation vs. AuxiliaryInput Extractable Functions: One Must Fall
, 2013
"... We show that if there exist indistinguishability obfuscators for all circuits then there do not exist auxiliaryinput extractable oneway functions. In particular, the knowledge of exponent assumption with respect to adversaries with auxiliary input is false in any group where computing discrete log ..."
Abstract

Cited by 15 (3 self)
 Add to MetaCart
We show that if there exist indistinguishability obfuscators for all circuits then there do not exist auxiliaryinput extractable oneway functions. In particular, the knowledge of exponent assumption with respect to adversaries with auxiliary input is false in any group where computing discrete logarithms is intractable. The proof uses the “punctured programs” technique of [SahaiWaters 2013].