Toward Practical and Unconditional Verification of Remote Computations

This paper revisits a classic question: how can a machine specify a computation to another one and then, without executing the computation, check that the other machine carried it out correctly? The applications of such a primitive include cloud computing (a computationally limited device offloads processing to the cloud [11] but does not assume the cloud’s correctness [12]); volunteer computing (some 30 projects use the BOINC [1] software platform to leverage volunteers’ spare cycles, but some “volunteers” return wrong answers [2]); and high-assurance computing (a machine may be remotely deployed and subject to physical tampering). Today, a common way to verify computations is replication [9, 17, 23, 27]. However, replication may not be viable (say if the performing computer is an embedded robot). It also requires assumptions about failure independence. Another technique is auditing [17, 24], but if the performer understands the computation better than the requester, the performer can alter strategic bits, undetected by an audit. A final technique is trusted computing [10, 21, 26, 28, 29], but it assumes that some component—the hardware, the hypervisor, a higher layer—is not physically altered. Can we instead make no correctness assumptions about the performer? In theory, such unconditional verification has been achievable since the 1980s, using both interactive proofs [15] and probabilistically checkable proofs (PCPs) [3, 5]. Informally, the central theorem in the area states that a client can—with a suitably encoded proof and under a negligible chance of viewing a wrong answer as correct—check an answer’s correctness in constant time [3]. Unfortunately, this astonishing body of theory is considered by folklore to be impractical. This skepticism is well-founded: it is based on the complexity of the algorithms and long experience trying to use generalpurpose cryptographic results in practical systems. This brings us to the purpose of this paper, which is to propose a new line of systems research: using the machinery of PCPs, can we build a system that (a) has practical performance, (b) is simple to implement, and (c) provides unconditional guarantees? Note that (a) and (b) contrast with PCPs as used in the theory literature and (c) contrasts with current systems approaches. To illustrate the promise of this line of research, we do the following: (1) Identify work in the PCP literature that provides a base for systems research (§3.1–§3.2). We first looked to the PCP literature, then observed that efficient argument systems [19, 22] (PCP variants in which the server proves that it has a proof by answering questions interactively) are promising, and then noticed that a particular argument system [18] could lead to a practical solution. (2) Refine the approach of [18] into a design that is practical over a limited domain (§3.3). We applied refinements to shrink program encoding (via arithmetic circuits instead of Boolean circuits), enable batched proofs (which enhances performance for computations that can be decomposed into parallel pieces), and improve amortization (by moving more of the work to a setup phase). These innovations are essential to practical performance. (3) Implement this design to demonstrate its practicality (§4). To our knowledge, PCP theory has never before found its way into any efficient implementation. Thus, we believe that our implementation, though limited, is a contribution. Our implementation is also comparatively simple; it could conceivably be formally verified. (4) Articulate a research agenda for extending the reach of our approach (§5). Our ultimate goal is a practical system for general-purpose verified computation.

[1]  Radu Sion,et al.  Query Execution Assurance for Outsourced Databases , 2005, VLDB.

[2]  Joe Kilian,et al.  Improved Efficient Arguments (Preliminary Version) , 1995, CRYPTO.

[3]  Rafail Ostrovsky,et al.  Efficient Arguments without Short PCPs , 2007, Twenty-Second Annual IEEE Conference on Computational Complexity (CCC'07).

[4]  Manuel Blum,et al.  Designing programs that check their work , 1989, STOC '89.

[5]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[6]  Eran Tromer,et al.  Proof-Carrying Data and Hearsay Arguments from Signature Cards , 2010, ICS.

[7]  Craig Gentry,et al.  Fully homomorphic encryption using ideal lattices , 2009, STOC '09.

[8]  A. Yao,et al.  Fair exchange with a semi-trusted third party (extended abstract) , 1997, CCS '97.

[9]  David P. Anderson,et al.  SETI@home: an experiment in public-resource computing , 2002, CACM.

[10]  Jens Groth,et al.  Linear Algebra with Sub-linear Zero-Knowledge Arguments , 2009, CRYPTO.

[11]  Jerome H. Saltzer,et al.  Principles of Computer System Design: An Introduction , 2009 .

[12]  Carsten Lund,et al.  Proof verification and hardness of approximation problems , 1992, Proceedings., 33rd Annual Symposium on Foundations of Computer Science.

[13]  Fabian Monrose,et al.  Distributed Execution with Remote Audit , 1999, NDSS.

[14]  A. Sadeghi,et al.  Token-Based Cloud Computing Secure Outsourcing of Data and Arbitrary Computations with Lower Latency , 2010 .

[15]  Eli Ben-Sasson,et al.  Robust PCPs of Proximity, Shorter PCPs, and Applications to Coding , 2004, SIAM J. Comput..

[16]  Krishna P. Gummadi,et al.  Towards Trusted Cloud Computing , 2009, HotCloud.

[17]  Andreas Haeberlen,et al.  PeerReview: practical accountability for distributed systems , 2007, SOSP.

[18]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[19]  Benny Pinkas,et al.  Fairplay - Secure Two-Party Computation System , 2004, USENIX Security Symposium.

[20]  Robert Grimm,et al.  Ensuring Content Integrity for Untrusted Peer-to-Peer Content Distribution Networks , 2007, NSDI.

[21]  Miguel Vargas-Lombardo,et al.  Security Threats in Volunteer Computing Environments Using the Berkeley Open Infrastructure for Network Computing (BOINC) , 2012 .

[22]  Byung-Gon Chun,et al.  Augmented Smartphone Applications Through Clone Cloud Execution , 2009, HotOS.

[23]  Leonid A. Levin,et al.  Checking computations in polylogarithmic time , 1991, STOC '91.

[24]  Mikhail J. Atallah,et al.  Securely outsourcing linear algebra computations , 2010, ASIACCS '10.

[25]  Yehuda Koren,et al.  Improved Neighborhood-based Collaborative Filtering , 2007 .

[26]  Silvio Micali,et al.  Computationally Sound Proofs , 2000, SIAM J. Comput..

[27]  Miguel Castro,et al.  Practical byzantine fault tolerance and proactive recovery , 2002, TOCS.

[28]  Russ Bubley,et al.  Randomized algorithms , 1995, CSUR.

[29]  Craig Gentry,et al.  Non-interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers , 2010, CRYPTO.