Practical verified computation with streaming interactive proofs

When delegating computation to a service provider, as in the cloud computing paradigm, we seek some reassurance that the output is correct and complete. Yet recomputing the output as a check is inefficient and expensive, and it may not even be feasible to store all the data locally. We are therefore interested in what can be validated by a streaming (sublinear space) user who cannot store the full input or perform the full computation herself. Our aim in this work is to advance a recent line of work on "proof systems" in which the service provider proves the correctness of its output to a user. The goal is to minimize the time and space costs of both parties in generating and checking the proof. Only very recently have there been attempts to implement such proof systems, and thus far these have been quite limited in functionality. Here, our approach is two-fold. First, we describe a carefully chosen instantiation of one of the most efficient general-purpose constructions for arbitrary computations (streaming or otherwise), due to Goldwasser, Kalai, and Rothblum [19]. This requires several new insights and enhancements to move the methodology from a theoretical result to a practical possibility. Our main contribution is in achieving a prover that runs in time O(S(n) log S(n)), where S(n) is the size of an arithmetic circuit computing the function of interest; this compares favorably to the poly(S(n)) runtime for the prover promised in [19]. Our experimental results demonstrate that a practical general-purpose protocol for verifiable computation may be significantly closer to reality than previously realized. Second, we describe a set of techniques that achieve genuine scalability for protocols fine-tuned for specific important problems in streaming and database processing.
Focusing in particular on non-interactive protocols for problems ranging from matrix-vector multiplication to bipartite perfect matching, we build on prior work [8, 5] to achieve a prover that runs in nearly linear time, while obtaining optimal tradeoffs between communication cost and the user's working memory. Existing techniques required (substantially) superlinear time for the prover. Finally, we develop improved interactive protocols for specific problems based on a linearization technique originally due to Shen [33]. We argue that even if general-purpose methods improve, fine-tuned protocols will remain valuable in real-world settings for key problems, and hence special attention to specific problems is warranted.
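The GKR construction the abstract instantiates reduces each layer of the arithmetic circuit to runs of the sum-check protocol, so the prover/verifier asymmetry it describes is easiest to see on that primitive. The Python below is an added illustration, not code from the paper or its authors: it runs sum-check over a prime field with an honest prover, a prover that asserts a wrong total, and a verifier whose work is O(v·d) field operations plus a single evaluation of the polynomial; the modulus P and the polynomial F are constructed choices.

```python
import random
from itertools import product

P = 2**61 - 1  # prime field modulus (constructed choice; any large prime works)

def lagrange_eval(ys, x):
    """Evaluate at x the unique polynomial with value ys[k] at point k, k = 0..len(ys)-1."""
    total = 0
    for k in range(len(ys)):
        num = den = 1
        for m in range(len(ys)):
            if m != k:
                num = num * (x - m) % P
                den = den * (k - m) % P
        total = (total + ys[k] * num * pow(den, P - 2, P)) % P
    return total

def partial_sum(f, prefix, v):
    """Sum f over all 0/1 assignments to the variables that follow the fixed prefix."""
    return sum(f(tuple(prefix) + bits) for bits in product((0, 1), repeat=v - len(prefix))) % P

def honest_prover(f, v, d):
    """Round i message: g_i(X) = sum of f with x_1..x_{i-1} fixed to the challenges and x_i = X, given by its values at X = 0..d."""
    return lambda rs: [partial_sum(f, list(rs) + [t], v) for t in range(d + 1)]

def cheating_prover(f, v, d, false_sum):
    """Asserts a wrong total by patching g_1(0); the inconsistency surfaces in round 2 except with probability 1/P."""
    honest = honest_prover(f, v, d)
    def round_msg(rs):
        ys = honest(rs)
        if not rs:
            ys[0] = (false_sum - ys[1]) % P
        return ys
    return round_msg

def verify(f, v, claimed_sum, round_msg, seed=None):
    """Verifier: O(v*d) field work plus one evaluation of f, versus the prover's sum over 2^v points."""
    rng, claim, rs = random.Random(seed), claimed_sum % P, []
    for _ in range(v):
        ys = round_msg(rs)
        if (ys[0] + ys[1]) % P != claim:      # g_i(0) + g_i(1) must equal the running claim
            return False
        r = rng.randrange(P)                   # fresh challenge, chosen only after g_i arrives
        claim, rs = lagrange_eval(ys, r), rs + [r]
    return f(tuple(rs)) == claim               # the verifier's single evaluation of f

def F(x):
    """Constructed example polynomial 3*x1*x2 + 5*x3 + 7*x1*x2*x3 (degree 1 in each variable, so d = 1)."""
    x1, x2, x3 = x
    return (3 * x1 * x2 + 5 * x3 + 7 * x1 * x2 * x3) % P
```

The true sum of F over {0,1}^3 is 33; `verify(F, 3, 33, honest_prover(F, 3, 1))` accepts, while a prover claiming 34 is rejected either in round 1 (honest messages) or in round 2 (patched first message).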

[1] J. Tukey, et al. An algorithm for the machine calculation of complex Fourier series, 1965.

[2] Richard Zippel, et al. Probabilistic algorithms for sparse polynomials, 1979, EUROSAM.

[3] Rusins Freivalds, et al. Fast Probabilistic Algorithms, 1979, MFCS.

[4] Jacob T. Schwartz, et al. Fast Probabilistic Algorithms for Verification of Polynomial Identities, 1980, J. ACM.

[5] C. Burrus, et al. An in-place, in-order prime factor FFT algorithm, 1981.

[6] Volume Assp, et al. ACOUSTICS. SPEECH. AND SIGNAL PROCESSING, 1983.

[7] László Babai, et al. Trading group theory for randomness, 1985, STOC '85.

[8] Silvio Micali, et al. The knowledge complexity of interactive proof-systems, 1985, STOC '85.

[9] Shafi Goldwasser, et al. Private coins versus public coins in interactive proof systems, 1986, STOC '86.

[10] Peter Frankl, et al. Complexity classes in communication complexity theory, 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[11] Mark Weiser, et al. Source Code, 1987, Computer.

[12] Alok Aggarwal, et al. Hierarchical memory with block transfer, 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[13] V. Rich. Personal communication, 1989, Nature.

[14] Carsten Lund, et al. Algebraic methods for interactive proof systems, 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[15] Richard J. Lipton, et al. Efficient Checking of Computations, 1990, STACS.

[16] Alexander A. Razborov. On the Distributional Complexity of Disjointness, 1990, ICALP.

[17] M. Yannakakis. Expressing combinatorial optimization problems by linear programs, 1991, Symposium on the Theory of Computing.

[18] Alexander Shen. IP = PSPACE: simplified proof, 1992, JACM.

[19] Adi Shamir, et al. IP = PSPACE, 1992, JACM.

[20] Anne Condon, et al. The Complexity of Space Bounded Interactive Proof Systems, 1993, Complexity Theory: Current Research.

[21] Andrew Chin. Permutations on the Block PRAM, 1993, Inf. Process. Lett.

[22] Tracy Kimbrel, et al. A Probabilistic Algorithm for Verifying Matrix Products Using O(n²) Time and log_2 n + O(1) Random Bits, 1993, Inf. Process. Lett.

[23] Raimund Seidel, et al. On the All-Pairs-Shortest-Path Problem in Unweighted Undirected Graphs, 1995, J. Comput. Syst. Sci.

[24] Valerie King. A Simpler Minimum Spanning Tree Verification Algorithm, 1995, WADS.

[25] Farid M. Ablayev, et al. Lower Bounds for One-Way Probabilistic Communication Complexity and Their Application to Space Complexity, 1996, Theor. Comput. Sci.

[26] Prabhakar Raghavan, et al. Computing on data streams, 1999, External Memory Algorithms.

[27] Noga Alon, et al. The Space Complexity of Approximating the Frequency Moments, 1999.

[28] Alexander Schrijver, et al. Theory of linear and integer programming, 1986, Wiley-Interscience series in discrete mathematics and optimization.

[29] Mikkel Thorup. Even strongly universal hashing is pretty fast, 2000, SODA '00.

[30] Dimitris Achlioptas, et al. Database-friendly random projections, 2001, PODS.

[31] Ziv Bar-Yossef, et al. Reductions in streaming algorithms, with an application to counting triangles in graphs, 2002, SODA '02.

[32] S. Muthukrishnan, et al. Estimating Rarity and Similarity over Data Stream Windows, 2002, ESA.

[33] S. Muthukrishnan, et al. Data streams: algorithms and applications, 2005, SODA '03.

[34] Divesh Srivastava, et al. Finding Hierarchical Heavy Hitters in Data Streams, 2003, VLDB.

[35] Yaron Minsky, et al. Set reconciliation with nearly optimal communication complexity, 2003, IEEE Trans. Inf. Theory.

[36] Subhash Khot, et al. Near-optimal lower bounds on the multi-party communication complexity of set disjointness, 2003, 18th IEEE Annual Conference on Computational Complexity, 2003. Proceedings.

[37] Hartmut Klauck, et al. Rectangle size bounds and threshold covers in communication complexity, 2002, 18th IEEE Annual Conference on Computational Complexity, 2003. Proceedings.

[38] Moses Charikar, et al. Finding frequent items in data streams, 2004, Theor. Comput. Sci.

[39] Mikkel Thorup, et al. Tabulation based 4-universal hashing with applications to second moment estimation, 2004, SODA '04.

[40] Martin Ziegler, et al. Fast Multipoint Evaluation of Bivariate Polynomials, 2004, ESA.

[41] Benny Pinkas, et al. Fairplay - Secure Two-Party Computation System, 2004, USENIX Security Symposium.

[42] Ran Raz, et al. On the power of quantum proofs, 2004, Proceedings. 19th IEEE Annual Conference on Computational Complexity, 2004.

[43] Rafail Ostrovsky, et al. Public Key Encryption with Keyword Search, 2004, EUROCRYPT.

[44] Éva Tardos, et al. Algorithm design, 2005.

[45] Arnab Bhattacharyya, et al. Implementing Probabilistically Checkable Proofs of Proximity, 2005.

[46] Manuel Blum, et al. Checking the correctness of memories, 2005, Algorithmica.

[47] Graham Cormode, et al. An improved data stream summary: the count-min sketch and its applications, 2004, J. Algorithms.

[48] Mohammad Ghodsi, et al. New Streaming Algorithms for Counting Triangles in Graphs, 2005, COCOON.

[49] Joan Feigenbaum, et al. On graph problems in a semi-streaming model, 2005, Theor. Comput. Sci.

[50] S. Aaronson. QMA/qpoly ⊆ PSPACE/poly: De-Merlinizing Quantum Protocols, 2006.

[51] Christian Sohler, et al. Counting triangles in data streams, 2006, PODS.

[52] Camil Demetrescu, et al. Trading off space for passes in graph streaming problems, 2009, SODA '06.

[53] Valerie King. A simpler minimum spanning tree verification algorithm, 2006, Algorithmica.

[54] Avi Wigderson, et al. The Randomized Communication Complexity of Set Disjointness, 2007, Theory Comput.

[55] Rafail Ostrovsky, et al. Efficient Arguments without Short PCPs, 2007, Twenty-Second Annual IEEE Conference on Computational Complexity (CCC'07).

[56] Feifei Li, et al. Proof-Infused Streams: Enabling Authentication of Sliding Window Queries On Streams, 2007, VLDB.

[57] Ari Juels, et al. Pors: proofs of retrievability for large files, 2007, CCS '07.

[58] Raphaël Clifford, et al. Simple deterministic wildcard matching, 2007, Inf. Process. Lett.

[59] Paul Beame, et al. On the Value of Multiple Read/Write Streams for Approximating Frequency Moments, 2008, 2008 49th Annual IEEE Symposium on Foundations of Computer Science.

[60] Feifei Li, et al. Randomized Synopses for Query Assurance on Data Streams, 2008, 2008 IEEE 24th International Conference on Data Engineering.

[61] Joan Feigenbaum, et al. Graph Distances in the Data-Stream Model, 2008, SIAM J. Comput.

[62] Yin Yang, et al. Authenticated indexing for outsourced spatial databases, 2009, The VLDB Journal.

[63] Graham Cormode, et al. Robust lower bounds for communication and stream computation, 2008, Theory Comput.

[64] Yin Yang, et al. Continuous authentication on relational streams, 2009, The VLDB Journal.

[65] Richard J. Lipton, et al. Best-order streaming model, 2009, Theor. Comput. Sci.

[66] Guy N. Rothblum, et al. Delegating computation reliably: paradigms and constructions, 2009.

[67] Sanjeev Arora, et al. Computational Complexity: A Modern Approach, 2009.

[68] Avi Wigderson, et al. Algebrization: A New Barrier in Complexity Theory, 2009, TOCT.

[69] Jens Groth, et al. Short Pairing-Based Non-interactive Zero-Knowledge Arguments, 2010, ASIACRYPT.

[70] Dmitry Gavinsky, et al. A Separation of NP and coNP in Multiparty Communication Complexity, 2010, Theory Comput.

[71] Yael Tauman Kalai, et al. Improved Delegation of Computation using Fully Homomorphic Encryption, 2010, IACR Cryptol. ePrint Arch.

[72] R. Ostrovsky, et al. Zero-one frequency laws, 2010, STOC '10.

[73] Craig Gentry, et al. Non-interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers, 2010, CRYPTO.

[74] Raphael Yuster, et al. Computing the diameter polynomially faster than APSP, 2010, ArXiv.

[75] Mariano Zelke, et al. Weighted Matching in the Semi-Streaming Model, 2007, Algorithmica.

[76] Graham Cormode, et al. Verifying Computations with Streaming Interactive Proofs, 2011, Proc. VLDB Endow.

[77] Graham Cormode, et al. Streaming Graph Computations with a Helpful Advisor, 2010, Algorithmica.

[78] Andrew J. Blumberg. Toward Practical and Unconditional Verification of Remote Computations, 2011, HotOS.

[79] Dan Boneh, et al. Homomorphic Signatures for Polynomial Functions, 2011, EUROCRYPT.

[80] Alexandr Andoni, et al. Streaming Algorithms via Precision Sampling, 2010, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science.

[81] Yael Tauman Kalai, et al. Memory Delegation, 2011, CRYPTO.

[82] David Eppstein, et al. Straggler Identification in Round-Trip Data Streams via Newton's Identities and Invertible Bloom Filters, 2007, IEEE Transactions on Knowledge and Data Engineering.

[83] Joshua Brody, et al. Property Testing Lower Bounds via Communication Complexity, 2011, 2011 IEEE 26th Annual Conference on Computational Complexity.

[84] Yevgeniy Vahlis, et al. Verifiable Delegation of Computation over Large Datasets, 2011, IACR Cryptol. ePrint Arch.

[85] Ran Canetti, et al. Practical delegation of computation using multiple servers, 2011, CCS '11.

[86] Hartmut Klauck, et al. On Arthur Merlin Games in Communication Complexity, 2011, 2011 IEEE 26th Annual Conference on Computational Complexity.

[87] Graham Cormode, et al. Annotations in Data Streams, 2009, ICALP.

[88] Benjamin Braun, et al. Taking Proof-Based Verified Computation a Few Steps Closer to Practicality, 2012, USENIX Security Symposium.

[89] Piotr Indyk, et al. Approximate Nearest Neighbor: Towards Removing the Curse of Dimensionality, 2012, Theory Comput.

[90] Helger Lipmaa, et al. Progression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments, 2012, TCC.

[91] Rosario Gennaro, et al. Publicly verifiable delegation of large polynomials and matrix computations, with applications, 2012, IACR Cryptol. ePrint Arch.

[92] Anirban Dasgupta, et al. Sparse and Lopsided Set Disjointness via Information Theory, 2012, APPROX-RANDOM.

[93] Srinath T. V. Setty, et al. Making argument systems for outsourced computation practical (sometimes), 2012, NDSS.

[94] Alexander A. Sherstov. The multiparty communication complexity of set disjointness, 2012, STOC '12.

[95] Nir Bitansky, et al. Succinct Arguments from Multi-prover Interactive Proofs and Their Efficiency Benefits, 2012, CRYPTO.

[96] Craig Gentry, et al. Quadratic Span Programs and Succinct NIZKs without PCPs, 2013, IACR Cryptol. ePrint Arch.

[97] Ran Canetti, et al. Refereed delegation of computation, 2013, Inf. Comput.

[98] Communication lower bounds using directional derivatives, 2013, STOC '13.

[99] Benjamin Braun, et al. Verifying computations with state, 2013, IACR Cryptol. ePrint Arch.

[100] Benjamin Braun, et al. Resolving the conflict between generality and plausibility in verified computation, 2013, EuroSys '13.

[101] Ronald de Wolf, et al. The non-adaptive query complexity of testing k-parities, 2013, Chic. J. Theor. Comput. Sci.

[102] Eli Ben-Sasson, et al. Fast reductions from RAMs to delegatable succinct constraint satisfaction problems: extended abstract, 2013, ITCS '13.

[103] Craig Gentry, et al. Pinocchio: Nearly Practical Verifiable Computation, 2013, IEEE Symposium on Security and Privacy.

[104] Hartmut Klauck, et al. Streaming computations with a loquacious prover, 2013, ITCS '13.

[105] Gábor Tardos, et al. On the Communication Complexity of Sparse Set Disjointness and Exists-Equal Problems, 2013, 2013 IEEE 54th Annual Symposium on Foundations of Computer Science.

[106] Justin Thaler, et al. Time-Optimal Interactive Proofs for Circuit Evaluation, 2013, CRYPTO.

[107] Eli Ben-Sasson, et al. On the concrete efficiency of probabilistically-checkable proofs, 2013, STOC '13.

[108] Srinath T. V. Setty, et al. A Hybrid Architecture for Interactive Verifiable Computation, 2013, 2013 IEEE Symposium on Security and Privacy.