Verifying computations without reexecuting them: from theoretical possibility to near-practicality

How can a single PC check a herd of supercomputers with unreliable software and untested hardware? This classic problem is particularly relevant today, as much computation is now outsourced: it is performed by machines that are rented, remote, or both. For example, service providers (SPs) now offer storage, computation, managed desktops, and more. As a result, relatively weak devices (phones, tablets, laptops, PCs) can run computations (storage, image processing, data analysis, video encoding, etc.) on banks of machines controlled by someone else. This arrangement is known as cloud computing, and its promise is enormous. A lone graduate student with an intensive analysis of genome data can now rent a hundred computers for twelve hours for less than $200. And many companies now run their core computing tasks (Web sites, application logic, storage, etc.) on machines owned by SPs, which automatically replicate applications to meet demand. Without cloud computing, these examples would require buying hundreds of physical machines when demand spikes . . . and then selling them back the next day. But with this promise comes risk. SPs are complex and large-scale, making it unlikely that execution is always correct. Moreover, SPs do not necessarily have strong incentives to ensure correctness. Finally, SPs are black boxes, so faults—which can include misconfigurations, corruption of data in storage or transit, hardware problems, malicious operation, and more [33]—are unlikely to be detectable. This raises a central question, which goes beyond cloud computing: How can we ever trust results computed by a third-party, or the integrity of data stored by such a party? A common answer is to replicate computations [15, 16, 34]. However, replication assumes that failures are uncorrelated, which may not be a valid assumption: the hardware and software platforms in cloud computing are often homogeneous. Another answer is auditing—checking the responses in a small sample—but this assumes that incorrect outputs, if they occur, are relatively frequent. Still other solutions involve trusted hardware [39] or attestation [37], but these mechanisms require a chain of trust and assumptions that the hardware or a hypervisor works correctly. But what if the third party returned its results along with a proof that the results were computed correctly? And what if the proof were inexpensive to check, compared to the cost of re-doing the computation? Then few assumptions would be needed about the kinds of faults that can occur: either the proof would check or it wouldn’t. We call this vision proof-based verifiable computation, and the question now becomes: Can this vision be realized for a wide class of computations? Deep results in complexity theory and cryptography tell us that in principle the answer is “yes”. Probabilistic proof systems [24, 44]— which include interactive proofs (IPs) [3, 26, 32], probabilistically checkable proofs (PCPs) [1, 2, 44], and argument systems [13] (PCPs coupled with cryptographic commitments [30])—consist of two parties: a verifier and a prover. In these protocols, the prover can efficiently convince the verifier of a mathematical assertion. In fact, the acclaimed PCP theorem [1, 2], together with refinements [27], implies that a verifier only has to check three randomly chosen bits in a suitably encoded proof! Meanwhile, the claim “this program, when executed on this input, produces that output” can be represented as a mathematical assertion of the necessary form. The only requirement is that the verifier knows the program, the input (or at least a digest, or fingerprint, of the input), and the purported output. And this requirement is met in many uses of outsourced computing; examples include MapReducestyle text processing, scientific computing and simulations, database queries, and Web request-response. Indeed, although the modern significance of PCPs lies elsewhere, an original motivation was verifying the correctness of remotely executed computations: the paper quoted in our epigraph [4] was one of the seminal works that led to the PCP theorem. However, for decades these approaches to verifiable computation were purely theoretical. Interactive protocols were prohibitive (exponential-time) for the prover and did not appear to save the verifier work. The proofs arising from the PCP theorem (despite asymptotic improvements [10, 20]) were so long and complicated that it would have taken thousands of years to generate and check them, and more storage bits than there are atoms in the universe. But beginning around 2007, a number of theoretical works achieved results that were especially relevant to the problem of verifying cloud computations. Goldwasser et al., in their influential Muggles paper [25], refocused the theory community’s attention on verifying outsourced computations, in the context of an interactive proof system that required only polynomial work from the prover, and that applied to computations expressed as certain kinds of circuits; Ishai et al. [29] proposed a novel cryptographic commitment to an entire linear function, and used this primitive to apply simple PCP constructions to verifying general-purpose outsourced computations; and a couple of years later, Gentry’s breakthrough protocol for fully homomorphic encryption (FHE) [23] led to work (GGP) on non-interactive protocols for general-purpose computations [17, 21]. These developments were exciting, but, as with the earlier work, implementations were thought to be out of the question. So the theory continued to remain theory—until recently. The last few years have seen a number of projects overturn the conventional wisdom about the hopeless impracticality of proof-based verifiable computation. These projects aim squarely at building real systems based on the theory mentioned above, specifically PCPs and Muggles (FHE-based protocols still seem too expensive). The

[1]  Michael J. Fischer,et al.  Relations Among Complexity Measures , 1979, JACM.

[2]  László Babai,et al.  Trading group theory for randomness , 1985, STOC '85.

[3]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[4]  Ralph C. Merkle,et al.  A Digital Signature Based on a Conventional Encryption Function , 1987, CRYPTO.

[5]  David Chaum,et al.  Minimum Disclosure Proofs of Knowledge , 1988, J. Comput. Syst. Sci..

[6]  Carsten Lund,et al.  Algebraic methods for interactive proof systems , 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[7]  Leonid A. Levin,et al.  Checking computations in polylogarithmic time , 1991, STOC '91.

[8]  Carsten Lund,et al.  Proof verification and hardness of approximation problems , 1992, Proceedings., 33rd Annual Symposium on Foundations of Computer Science.

[9]  Adi Shamir,et al.  IP = PSPACE , 1992, JACM.

[10]  Joe Kilian,et al.  A note on efficient zero-knowledge proofs and arguments (extended abstract) , 1992, STOC '92.

[11]  Rajeev Motwani,et al.  Randomized algorithms , 1996, CSUR.

[12]  Michael K. Reiter,et al.  Byzantine quorum systems , 1997, STOC '97.

[13]  Sanjeev Arora,et al.  Probabilistic checking of proofs: a new characterization of NP , 1998, JACM.

[14]  Johan Håstad,et al.  Some optimal inapproximability results , 2001, JACM.

[15]  Miguel Castro,et al.  Practical byzantine fault tolerance and proactive recovery , 2002, TOCS.

[16]  David P. Anderson,et al.  SETI@home: an experiment in public-resource computing , 2002, CACM.

[17]  Sanjay Ghemawat,et al.  MapReduce: Simplified Data Processing on Large Clusters , 2004, OSDI.

[18]  Manuel Blum,et al.  Checking the correctness of memories , 2005, Algorithmica.

[19]  Eli Ben-Sasson,et al.  Robust PCPs of Proximity, Shorter PCPs, and Applications to Coding , 2004, SIAM J. Comput..

[20]  Irit Dinur,et al.  The PCP theorem by gap amplification , 2006, STOC.

[21]  Rafail Ostrovsky,et al.  Efficient Arguments without Short PCPs , 2007, Twenty-Second Annual IEEE Conference on Computational Complexity (CCC'07).

[22]  Oded Goldreich,et al.  Probabilistic Proof Systems: A Primer , 2008, Found. Trends Theor. Comput. Sci..

[23]  Yael Tauman Kalai,et al.  Delegating computation: interactive proofs for muggles , 2008, STOC.

[24]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[25]  Guy N. Rothblum,et al.  Delegating computation reliably: paradigms and constructions , 2009 .

[26]  Craig Gentry,et al.  A fully homomorphic encryption scheme , 2009 .

[27]  Sanjeev Arora,et al.  Computational Complexity: A Modern Approach , 2009 .

[28]  Madhu Sudan,et al.  Probabilistically checkable proofs , 2009, CACM.

[29]  A. Sadeghi,et al.  Token-Based Cloud Computing Secure Outsourcing of Data and Arbitrary Computations with Lower Latency , 2010 .

[30]  Eran Tromer,et al.  Proof-Carrying Data and Hearsay Arguments from Signature Cards , 2010, ICS.

[31]  Yael Tauman Kalai,et al.  Improved Delegation of Computation using Fully Homomorphic Encryption , 2010, IACR Cryptol. ePrint Arch..

[32]  Craig Gentry,et al.  Non-interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers , 2010, CRYPTO.

[33]  Jonathan Katz,et al.  Faster Secure Two-Party Computation Using Garbled Circuits , 2011, USENIX Security Symposium.

[34]  Srinath T. V. Setty,et al.  Depot: Cloud Storage with Minimal Trust , 2010, TOCS.

[35]  Craig Gentry,et al.  Separating succinct non-interactive arguments from all falsifiable assumptions , 2011, IACR Cryptol. ePrint Arch..

[36]  Andrew J. Blumberg Toward Practical and Unconditional Verification of Remote Computations , 2011, HotOS.

[37]  Adrian Perrig,et al.  Bootstrapping Trust in Modern Computers , 2011, Springer Briefs in Computer Science.

[38]  Hari Balakrishnan,et al.  CryptDB: protecting confidentiality with encrypted query processing , 2011, SOSP.

[39]  Ran Canetti,et al.  Practical delegation of computation using multiple servers , 2011, CCS '11.

[40]  Benjamin Braun,et al.  Taking Proof-Based Verified Computation a Few Steps Closer to Practicality , 2012, USENIX Security Symposium.

[41]  Abhi Shelat,et al.  Billion-Gate Secure Computation with Malicious Adversaries , 2012, USENIX Security Symposium.

[42]  Nir Bitansky,et al.  Succinct Non-Interactive Arguments via Linear Interactive Proofs , 2013, Journal of Cryptology.

[43]  Andreas Haeberlen,et al.  DJoin: differentially private join queries over distributed databases , 2012, OSDI 2012.

[44]  David Wolinsky,et al.  Dissent in Numbers: Making Strong Anonymity Scale , 2012, OSDI.

[45]  Nir Bitansky,et al.  From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again , 2012, ITCS '12.

[46]  Graham Cormode,et al.  Practical verified computation with streaming interactive proofs , 2011, ITCS '12.

[47]  Hanspeter Pfister,et al.  Verifiable Computation with Massively Parallel Interactive Proofs , 2012, HotCloud.

[48]  Craig Gentry,et al.  Homomorphic Evaluation of the AES Circuit , 2012, IACR Cryptol. ePrint Arch..

[49]  Srinath T. V. Setty,et al.  Making argument systems for outsourced computation practical (sometimes) , 2012, NDSS.

[50]  Craig Gentry,et al.  Quadratic Span Programs and Succinct NIZKs without PCPs , 2013, IACR Cryptol. ePrint Arch..

[51]  Craig Gentry,et al.  Pinocchio: Nearly Practical Verifiable Computation , 2013, 2013 IEEE Symposium on Security and Privacy.

[52]  Benjamin Braun,et al.  Verifying computations with state , 2013, IACR Cryptol. ePrint Arch..

[53]  George Danezis,et al.  Pinocchio coin: building zerocoin from a succinct pairing-based proof system , 2013, PETShop '13.

[54]  Benjamin Braun,et al.  Resolving the conflict between generality and plausibility in verified computation , 2013, EuroSys '13.

[55]  Eli Ben-Sasson,et al.  Fast reductions from RAMs to delegatable succinct constraint satisfaction problems: extended abstract , 2013, ITCS '13.

[56]  Eli Ben-Sasson,et al.  SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge , 2013, CRYPTO.

[57]  Justin Thaler,et al.  Time-Optimal Interactive Proofs for Circuit Evaluation , 2013, CRYPTO.

[58]  Srinath T. V. Setty,et al.  A Hybrid Architecture for Interactive Verifiable Computation , 2013, 2013 IEEE Symposium on Security and Privacy.

[59]  Nir Bitansky,et al.  Recursive composition and bootstrapping for SNARKS and proof-carrying data , 2013, STOC '13.

[60]  Elaine Shi,et al.  PHANTOM: practical oblivious computation in a secure processor , 2013, CCS.

[61]  Eli Ben-Sasson,et al.  Scalable Zero Knowledge Via Cycles of Elliptic Curves , 2014, Algorithmica.

[62]  Eli Ben-Sasson,et al.  Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture , 2014, USENIX Security Symposium.

[63]  Zuocheng Ren,et al.  Efficient RAM and control flow in verifiable outsourced computation , 2015, NDSS.