Signatures of Correct Computation

We introduce Signatures of Correct Computation (SCC), a new model for verifying dynamic computations in cloud settings. In the SCC model, a trusted source outsources a function f to an untrusted server, along with a public key for that function (to be used during verification). The server can then produce a succinct signature σ vouching for the correctness of the computation of f, i.e., that some result v is indeed the correct outcome of the function f evaluated on some point a. There are two crucial performance properties that we want to guarantee in an SCC construction: (1) verifying the signature should take asymptotically less time than evaluating the function f; and (2) the public key should be efficiently updated whenever the function changes. We construct SCC schemes (satisfying the above two properties) supporting expressive manipulations over multivariate polynomials, such as polynomial evaluation and differentiation. Our constructions are adaptively secure in the random oracle model and achieve optimal updates, i.e., the function's public key can be updated in time proportional to the number of updated coefficients, without performing a linear-time computation (in the size of the polynomial). We also show that signatures of correct computation imply Publicly Verifiable Computation (PVC), a model recently introduced in several concurrent and independent works. Roughly speaking, in the SCC model, any client can verify the signature σ and be convinced of some computation result, whereas in the PVC model only the client that issued a query (or anyone who trusts this client) can verify that the server returned a valid signature (proof) for the answer to the query. Our techniques can be readily adapted to construct PVC schemes with adaptive security, efficient updates and without the random oracle model.

[1]  Craig Gentry,et al.  Quadratic Span Programs and Succinct NIZKs without PCPs , 2013, IACR Cryptol. ePrint Arch..

[2]  Yael Tauman Kalai,et al.  Improved Delegation of Computation using Fully Homomorphic Encryption , 2010, IACR Cryptol. ePrint Arch..

[3]  Brent Waters,et al.  Conjunctive, Subset, and Range Queries on Encrypted Data , 2007, TCC.

[4]  Rosario Gennaro,et al.  Publicly verifiable delegation of large polynomials and matrix computations, with applications , 2012, IACR Cryptol. ePrint Arch..

[5]  Dan Boneh,et al.  Efficient Selective Identity-Based Encryption Without Random Oracles , 2011, Journal of Cryptology.

[6]  Ralph C. Merkle,et al.  A Certified Digital Signature , 1989, CRYPTO.

[7]  Ian Goldberg,et al.  Constant-Size Commitments to Polynomials and Their Applications , 2010, ASIACRYPT.

[8]  Allison Bishop,et al.  New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques , 2012, CRYPTO.

[9]  Markus Kasper,et al.  The World is Not Enough: Another Look on Second-Order DPA , 2010, IACR Cryptol. ePrint Arch..

[10]  Nir Bitansky,et al.  Recursive composition and bootstrapping for SNARKS and proof-carrying data , 2013, STOC '13.

[11]  Elisabeth Oswald,et al.  A Comprehensive Evaluation of Mutual Information Analysis Using a Fair Evaluation Framework , 2011, CRYPTO.

[12]  Michael T. Goodrich,et al.  Super-Efficient Verification of Dynamic Outsourced Databases , 2008, CT-RSA.

[13]  Venkatesan Guruswami,et al.  Optimal Rate List Decoding via Derivative Codes , 2011, APPROX-RANDOM.

[14]  Andrzej Pelc,et al.  Deterministic Rendezvous in Graphs , 2003 .

[15]  Dan Boneh,et al.  Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups , 2008, Journal of Cryptology.

[16]  Tal Rabin Advances in Cryptology - CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. Proceedings , 2010, CRYPTO.

[17]  Roberto Tamassia,et al.  Certification and Authentication of Data Structures , 2010, AMW.

[18]  S. Micali,et al.  Noninteractive Zero-Knowledge , 1990, SIAM J. Comput..

[19]  Michael T. Goodrich,et al.  Implementation of an authenticated dictionary with skip lists and commutative hashing , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[20]  Ran Canetti,et al.  Two 1-Round Protocols for Delegation of Computation , 2011, IACR Cryptol. ePrint Arch..

[21]  Yuval Ishai,et al.  From Secrecy to Soundness: Efficient Verification via Secure Computation , 2010, ICALP.

[22]  Joan Feigenbaum,et al.  Advances in Cryptology-Crypto 91 , 1992 .

[23]  Roberto Tamassia,et al.  Authenticated Data Structures , 2003, ESA.

[24]  Ronald Cramer,et al.  Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings , 2005, EUROCRYPT.

[25]  Yevgeniy Vahlis,et al.  Verifiable Delegation of Computation over Large Datasets , 2011, IACR Cryptol. ePrint Arch..

[26]  Ivan Damgård,et al.  Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks , 1991, CRYPTO.

[27]  Roberto Tamassia,et al.  Authenticated hash tables , 2008, CCS.

[28]  Mikhail J. Atallah,et al.  Efficient Data Authentication in an Environment of Untrusted Third-Party Distributors , 2008, 2008 IEEE 24th International Conference on Data Engineering.

[29]  Roberto Tamassia,et al.  Optimal Verification of Operations on Dynamic Sets , 2011, CRYPTO.

[30]  Nir Bitansky,et al.  From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again , 2012, ITCS '12.

[31]  Lan Nguyen,et al.  Accumulators from Bilinear Pairings and Applications , 2005, CT-RSA.

[32]  Craig Gentry,et al.  Fully homomorphic encryption using ideal lattices , 2009, STOC '09.

[33]  Roberto Tamassia,et al.  Efficient Content Authentication in Peer-to-Peer Networks , 2007, ACNS.

[34]  Ian Goldberg,et al.  Polynomial Commitments , 2010 .

[35]  Kyriakos Mouratidis,et al.  Efficient verification of shortest path search via authenticated hints , 2010, 2010 IEEE 26th International Conference on Data Engineering (ICDE 2010).

[36]  Brent Waters,et al.  Fuzzy Identity-Based Encryption , 2005, EUROCRYPT.

[37]  Vinod Vaikuntanathan,et al.  How to Delegate and Verify in Public: Verifiable Computation from Attribute-based Encryption , 2012, IACR Cryptol. ePrint Arch..

[38]  Brent Waters,et al.  Ciphertext-Policy Attribute-Based Encryption , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[39]  Craig Gentry,et al.  Separating succinct non-interactive arguments from all falsifiable assumptions , 2011, STOC '11.

[40]  Michael T. Goodrich,et al.  Efficient Authenticated Data Structures for Graph Connectivity and Geometric Search Problems , 2009, Algorithmica.

[41]  Jens Groth,et al.  Short Non-interactive Zero-Knowledge Proofs , 2010, ASIACRYPT.

[42]  Craig Gentry,et al.  Non-interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers , 2010, CRYPTO.

[43]  Rosario Gennaro,et al.  Improved Publicly Verifiable Delegation of Large Polynomials and Matrix Computations , 2012, IACR Cryptol. ePrint Arch..

[44]  Silvio Micali,et al.  Computationally Sound Proofs , 2000, SIAM J. Comput..

[45]  Amit Sahai,et al.  Bounded Ciphertext Policy Attribute Based Encryption , 2008, ICALP.

[46]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[47]  Robin Milner,et al.  On Observing Nondeterminism and Concurrency , 1980, ICALP.

[48]  Tal Malkin Topics in Cryptology - CT-RSA 2008, The Cryptographers' Track at the RSA Conference 2008, San Francisco, CA, USA, April 8-11, 2008. Proceedings , 2008, CT-RSA.