Succinct Non-Interactive Arguments for a von Neumann Architecture

We design and build a system that enables clients to verify the outputs of programs executed by untrusted servers. A server provides a succinct non-interactive zero-knowledge proof (also known as a zk-SNARK), which the client verifies to ascertain correct execution. The system has two components: a cryptographic proof system for verifying satisfiability of arithmetic circuits, and a circuit generator to translate program executions to such circuits. Our design of both components improves in functionality and efficiency over previous work, as follows. Our circuit generator is the first to be universal: it does not need to know the program, but only a bound on its running time. It is also the first to support programs expressed as code for a von Neumann RISC random-access memory architecture, where programs may use just-in-time compilation and self-modifying code. Moreover, the dependence on program size is additive (instead of multiplicative as in prior works), allowing efficient verification of large programs. The cryptographic proof system significantly improves proving and verification times, using a new pairing-based cryptographic library tailored to the protocol. We evaluated our system for programs with up to 10,000 instructions, running for up to 32,000 machine steps, each of which can arbitrarily access random-access memory; and demonstrated it executing programs that use just-in-time compilation. Our proofs are 230 bytes long at 80 bits of security, or 288 bytes long at 128 bits of security. Typical verification time is 5 ms, regardless of the original program's running time.
