## From secrecy to soundness: efficient verification via secure computation (2010)

Venue: In Proceedings of the 37th international colloquium conference on Automata, languages and programming

Citations: 44 - 4 self

### Citations

1236 | The Knowledge complexity of interactive proof-systems - Goldwasser, Micali, et al.
Citation Context ...as the correctable verifiable computation (CVC) problem. VC and CVC are fundamental problems which were extensively studied in various settings, originating from the early works on interactive proofs [4, 21] and program checking [7, 9, 28]. Recent advances in technology further motivate these problems. On the one hand, computationally weak peripheral devices such as smart phones and netbooks are becoming increasingly common; on the oth...

736 | How to generate and exchange secrets - Yao - 1986
Citation Context ...es. 1.1 Background Before introducing our new approaches to VC, we review some of the relevant notions and previous approaches. MPC and related primitives. A protocol for secure two-party computation [32, 17] allows two parties, each holding a private input x_i, to compute a function on their joint input without revealing any additional information to each other. That is, the first (resp., second) party le...

658 | Fully homomorphic encryption using ideal lattices - Gentry

630 | How to play any mental game or a completeness theorem for protocols with honest majority - Goldreich, Micali, et al. - 1987
Citation Context ...es. 1.1 Background Before introducing our new approaches to VC, we review some of the relevant notions and previous approaches. MPC and related primitives. A protocol for secure two-party computation [32, 17] allows two parties, each holding a private input x_i, to compute a function on their joint input without revealing any additional information to each other. That is, the first (resp., second) party le...

351 | Trading group theory for randomness - Babai - 1985
Citation Context ...as the correctable verifiable computation (CVC) problem. VC and CVC are fundamental problems which were extensively studied in various settings, originating from the early works on interactive proofs [4, 21] and program checking [7, 9, 28]. Recent advances in technology further motivate these problems. On the one hand, computationally weak peripheral devices such as smart phones and netbooks are becoming increasingly common; on the oth...

347 | Designing programs that check their work - Blum, Kannan - 1989
Citation Context ... computation (CVC) problem. VC and CVC are fundamental problems which were extensively studied in various settings, originating from the early works on interactive proofs [4, 21] and program checking [7, 9, 28]. Recent advances in technology further motivate these problems. On the one hand, computationally weak peripheral devices such as smart phones and netbooks are becoming increasingly common; on the oth...

217 | Non-interactive verifiable computing: outsourcing computation to untrusted workers - Gennaro, Gentry, et al. - 2010
Citation Context ...g” or in projects like SETI@Home has attracted a renewed interest in the VC problem, and a considerable amount of research was devoted to these problems in the last few years [22, 18–20, 15, 11]. See [20, 15] for further discussion of applications as well as a survey of related work. In this work, we present new general approaches for solving the VC and CVC problems, as well as the related problems of pro...

158 | Hiding instances in multioracle queries - Beaver, Feigenbaum - 1990
Citation Context ...e ruled out for almost all natural functions which depend on both inputs.) A client-server protocol in which only the client has an input and gets an output is called an instance-hiding (IH) protocol [1, 5]. For simplicity, we will mainly restrict the attention to one-round (or two-message) IH protocols which consist of a single “query” from the client to the server followed by a single “answer” from th...

147 | On span programs - Karchmer, Wigderson - 1993

146 | On Hiding Information from an Oracle - Abadi, Feigenbaum, et al. - 1989
Citation Context ...e ruled out for almost all natural functions which depend on both inputs.) A client-server protocol in which only the client has an input and gets an output is called an instance-hiding (IH) protocol [1, 5]. For simplicity, we will mainly restrict the attention to one-round (or two-message) IH protocols which consist of a single “query” from the client to the server followed by a single “answer” from th...

112 | Delegating computation: Interactive proofs for Muggles - Goldwasser, Kalai, et al. - 2008

103 | New directions in testing - Lipton - 1989
Citation Context ... computation (CVC) problem. VC and CVC are fundamental problems which were extensively studied in various settings, originating from the early works on interactive proofs [4, 21] and program checking [7, 9, 28]. Recent advances in technology further motivate these problems. On the one hand, computationally weak peripheral devices such as smart phones and netbooks are becoming increasingly common; on the oth...

69 | Improved delegation of computation using fully homomorphic encryption - Chung, Kalai, et al. - 2010
Citation Context ...verification is not unique to our work. This idea can be traced back to the first works on interactive proofs and program checking [4, 21, 7, 28] and is also implicit in more recent works in the area [18, 19, 15, 11]. Our work provides new approaches for converting secrecy into soundness that have advantages of generality, efficiency, and simplicity over previous approaches. 1.1 Background Before introducing our ...

59 | Randomizing polynomials: A new representation with applications to round-efficient secure computation - Ishai, Kushilevitz - 2000
Citation Context ... of client-server protocols, in which only the client has an input x but both parties learn the same output f(x). One-round protocols of this type coincide with the notion of randomized encoding from [23, 3]. A randomized encoding (RE) of f is a function f̂(x; r) whose output on a uniformly random and secret r can be used to decode f(x) but reveals no additional information about x. In the corresponding ...

54 | Structure and importance of logspace-MOD classes - Buntrock, Damm, et al. - 1992

53 | How to securely outsource cryptographic computations - Hohenberger, Lysyanskaya - 2005

37 | Universally composable efficient multiparty computation from threshold homomorphic encryption - Damgård, Nielsen - 2003

36 | Computationally private randomizing polynomials and their applications - Applebaum, Ishai, et al. - 2005
Citation Context ...e is used to reduce the amortized complexity of the offline phase. Our version of the basic protocol follows immediately by instantiating the RE+MAC approach with computationally-sound RE based on GC [2]. This leads to the following theorem: Theorem 2 (informal). Assuming the existence of one-way functions, every function f : {0, 1}^n → {0, 1}^m of circuit size s, can be realized by a NIVC with perfect...

29 | Determinant: Combinatorics, algorithms, and complexity - Mahajan, Vinay - 1997
Citation Context ...As a concrete example of our improvement, consider the function Det which computes the determinant of an n×n matrix over a field F_p of fixed prime order. Since Det is complete for the class Mod_pL/poly [29], we can get an NC0 tester/correcter for the determinant over any fixed finite field which makes a constant number of calls to the program. Previous correctors either had polynomial depth [9], or were...

29 | CS proofs (extended abstract) - Micali - 1994
Citation Context ...ynomial in the time complexity of f. There are only few known solutions that yield almost optimal non-interactive VCs (NIVCs) for general Boolean functions. These include the constructions of Micali [30] 6 Consider, for example, an IH in which a client whose input equals to the all zero string, ignores the server’s answers and outputs f(0). A CVC protocol which makes use of such an IH together with x...

28 | Perfect Constant-Round Secure Computation via Perfect Randomizing Polynomials - Ishai, Kushilevitz - 2002
Citation Context ...el, even for the case of black-box fields and even if many rounds of interaction are allowed. The main ingredient is a new construction of arithmetic REs with low online complexity (which is based on [24, 12]). The 8 For example, even in the case of finite fields with n-bit elements, the size of the best known Boolean multiplication circuits is ω(n log n); the situation is significantly worse for other us...

22 | Locally Random Reductions in Interactive Complexity Theory - Feigenbaum - 1993
Citation Context ...de or MAC). Unlike previous approaches, we employ secrecy in order to hide the MAC’s secret key, rather than the inputs 5 The following formulation is similar to the one from Section 1.2 of [18]; see [9, 14, 19, 11] for other variants and applications of this approach. of the computation. The idea is as follows: Given an input x, the client asks the server to compute y = f(x) and, in addition, to generate a sign...

19 | Efficient multi-party computation over rings - Cramer, Fehr, et al.

16 | Program Result Checking Against Adaptive Programs and - Blum, Luby, et al. - 1991
Citation Context ... by instantiating the RE+OTP approach with the NC0 REs of [3]. 11 In fact, the notion defined here is slightly stronger than the original definition of [7], and corresponds to adaptive checkers as in [8]. 12 Recall that there is a considerable gap between these two classes, as in NC0 circuits each bit of the output depends only on a constant number of input bits; thus, an NC0 circuit cannot compute e...

16 | Designing Checkers for Programs that Run in Parallel, ICSI - Rubinfeld
Citation Context ... can be implemented by f is called a self-tester/corrector pair, as it allows to test whether a given program is not too faulty, and if so to correct it. Minimizing the parallel complexity. Rubinfeld [31] initiated the study of the parallel complexity (circuit depth) of program checkers and correctors, and showed that some non-trivial functions can be checked by AC0 checkers (i.e., constant depth circ...

15 | On arithmetic branching programs - Beimel, Gál - 1999
Citation Context ... [15]) do not seem to work in the arithmetic black-box model, even for the special case of black-box fields. Our results. We obtain NIVCs in the black-box ring model for arithmetic branching programs [6] (ABPs) which are the arithmetic analog of log-space counting classes.9 Theorem 1 (informal). Assuming the existence of one-way functions, there exists a NIVC in the BBR model with perfect completenes...

15 | Verifying and decoding in constant depth - Goldwasser, Gutfreund, et al. - 2007
Citation Context ...verification is not unique to our work. This idea can be traced back to the first works on interactive proofs and program checking [4, 21, 7, 28] and is also implicit in more recent works in the area [18, 19, 15, 11]. Our work provides new approaches for converting secrecy into soundness that have advantages of generality, efficiency, and simplicity over previous approaches. 1.1 Background Before introducing our ...

14 | Secure arithmetic computation with no honest majority. Cryptology ePrint Archive, Report 2008/465 - Ishai, Prabhakaran, et al. - 2008

12 | A (de)constructive approach to program checking - Goldwasser, Gutfreund, et al. - 2008
Citation Context ...verification is not unique to our work. This idea can be traced back to the first works on interactive proofs and program checking [4, 21, 7, 28] and is also implicit in more recent works in the area [18, 19, 15, 11]. Our work provides new approaches for converting secrecy into soundness that have advantages of generality, efficiency, and simplicity over previous approaches. 1.1 Background Before introducing our ...

12 | Probabilistically checkable arguments - Kalai, Raz - 2009
Citation Context ...we present only apply to the weaker model of non-interactive VC, but obtain better online efficiency in this model. in the random oracle model, the construction of Goldwasser et al. and Kalai and Raz [20, 26] for low-depth circuits, and the recent construction by Gennaro et al. [15] for polynomial-size Boolean circuits which relies on the existence of one-way functions. While these constructions provide g...

3 | Self-testing/correcting programs with applications to numerical problems - Blum, Luby, et al. - 1990
Citation Context ... computation (CVC) problem. VC and CVC are fundamental problems which were extensively studied in various settings, originating from the early works on interactive proofs [4, 21] and program checking [7, 9, 28]. Recent advances in technology further motivate these problems. On the one hand, computationally weak peripheral devices such as smart phones and netbooks are becoming increasingly common; on the oth...