Time-Optimal Interactive Proofs for Circuit Evaluation

Recently, researchers have been working toward the development of practical general-purpose protocols for verifiable computation. These protocols enable a computationally weak verifier to offload computations to a powerful but untrusted prover, while providing the verifier with a guarantee that the prover performed the computations correctly. Despite substantial progress, existing implementations are not yet practical. The main bottleneck is typically the extra effort required by the prover to return an answer with a guarantee of correctness, compared to returning an answer with no guarantee. We describe a refinement of a powerful interactive proof protocol originally due to Goldwasser, Kalai, and Rothblum. Cormode, Mitzenmacher, and Thaler show how to implement the prover in this protocol in time O(S log S), where S is the size of an arithmetic circuit computing the function of interest. Our refinements apply to circuits whose wiring pattern is sufficiently "regular"; for these circuits, we bring the runtime of the prover down to O(S). That is, our prover can evaluate the circuit with a guarantee of correctness, with only a constant-factor blowup in work compared to evaluating the circuit with no guarantee. We argue that our refinements capture a large class of circuits, and prove some theorems formalizing this. Experimentally, our refinements yield a 200x speedup for the prover over the implementation of Cormode et al., and our prover is less than 10x slower than a C++ program that simply evaluates the circuit. Along the way, we describe a special-purpose protocol for matrix multiplication that is of interest in its own right. Our final contribution is a protocol targeted at general data parallel computation. Compared to prior work, this protocol can more efficiently verify complicated computations as long as that computation is applied independently to many pieces of data.

[1]  Rusins Freivalds,et al.  Fast Probabilistic Algorithms , 1979, MFCS.

[2]  Jacob T. Schwartz,et al.  Fast Probabilistic Algorithms for Verification of Polynomial Identities , 1980, J. ACM.

[3]  Mark Weiser,et al.  Source Code , 1987, Computer.

[4]  Carsten Lund,et al.  Algebraic methods for interactive proof systems , 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[5]  Adi Shamir,et al.  IP = PSPACE , 1992, JACM.

[6]  Tracy Kimbrel,et al.  A Probabilistic Algorithm for Verifying Matrix Products Using O(n²) Time and log_2 n + O(1) Random Bits , 1993, Inf. Process. Lett..

[7]  Raimund Seidel,et al.  On the All-Pairs-Shortest-Path Problem in Unweighted Undirected Graphs , 1995, J. Comput. Syst. Sci..

[8]  Rafail Ostrovsky,et al.  Efficient Arguments without Short PCPs , 2007, Twenty-Second Annual IEEE Conference on Computational Complexity (CCC'07).

[9]  Yael Tauman Kalai,et al.  Delegating computation: interactive proofs for muggles , 2008, STOC.

[10]  Guy N. Rothblum,et al.  Delegating computation reliably: paradigms and constructions , 2009 .

[11]  Craig Gentry,et al.  A fully homomorphic encryption scheme , 2009 .

[12]  Sanjeev Arora,et al.  Computational Complexity: A Modern Approach , 2009 .

[13]  Jens Groth,et al.  Short Pairing-Based Non-interactive Zero-Knowledge Arguments , 2010, ASIACRYPT.

[14]  Yael Tauman Kalai,et al.  Improved Delegation of Computation using Fully Homomorphic Encryption , 2010, IACR Cryptol. ePrint Arch..

[15]  Craig Gentry,et al.  Non-interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers , 2010, CRYPTO.

[16]  Raphael Yuster,et al.  Computing the diameter polynomially faster than APSP , 2010, ArXiv.

[17]  Graham Cormode,et al.  Verifying Computations with Streaming Interactive Proofs , 2011, Proc. VLDB Endow..

[18]  Graham Cormode,et al.  Streaming Graph Computations with a Helpful Advisor , 2010, Algorithmica.

[19]  Dan Boneh,et al.  Homomorphic Signatures for Polynomial Functions , 2011, EUROCRYPT.

[20]  Yael Tauman Kalai,et al.  Memory Delegation , 2011, CRYPTO.

[21]  Yevgeniy Vahlis,et al.  Verifiable Delegation of Computation over Large Datasets , 2011, IACR Cryptol. ePrint Arch..

[22]  Graham Cormode,et al.  Annotations in Data Streams , 2009, ICALP.

[23]  Benjamin Braun,et al.  Taking Proof-Based Verified Computation a Few Steps Closer to Practicality , 2012, USENIX Security Symposium.

[24]  Nir Bitansky,et al.  Succinct Non-Interactive Arguments via Linear Interactive Proofs , 2013, Journal of Cryptology.

[25]  Rosario Gennaro,et al.  Improved Publicly Verifiable Delegation of Large Polynomials and Matrix Computations , 2012, IACR Cryptol. ePrint Arch..

[26]  Eli Ben-Sasson,et al.  On the Concrete-Efficiency Threshold of Probabilistically-Checkable Proofs , 2012, Electron. Colloquium Comput. Complex..

[27]  Helger Lipmaa,et al.  Progression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments , 2012, TCC.

[28]  Rosario Gennaro,et al.  Publicly verifiable delegation of large polynomials and matrix computations, with applications , 2012, IACR Cryptol. ePrint Arch..

[29]  Nir Bitansky,et al.  From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again , 2012, ITCS '12.

[30]  Graham Cormode,et al.  Practical verified computation with streaming interactive proofs , 2011, ITCS '12.

[31]  Hanspeter Pfister,et al.  Verifiable Computation with Massively Parallel Interactive Proofs , 2012, HotCloud.

[32]  Srinath T. V. Setty,et al.  Making argument systems for outsourced computation practical (sometimes) , 2012, NDSS.

[33]  Nir Bitansky,et al.  Succinct Arguments from Multi-prover Interactive Proofs and Their Efficiency Benefits , 2012, CRYPTO.

[34]  Craig Gentry,et al.  Quadratic Span Programs and Succinct NIZKs without PCPs , 2013, IACR Cryptol. ePrint Arch..

[35]  Craig Gentry,et al.  Pinocchio: Nearly Practical Verifiable Computation , 2013, 2013 IEEE Symposium on Security and Privacy.

[36]  Benjamin Braun,et al.  Resolving the conflict between generality and plausibility in verified computation , 2013, EuroSys '13.

[37]  Eli Ben-Sasson,et al.  Fast reductions from RAMs to delegatable succinct constraint satisfaction problems: extended abstract , 2013, ITCS '13.

[38]  Hartmut Klauck,et al.  Streaming computations with a loquacious prover , 2013, ITCS '13.

[39]  Ran Raz,et al.  Arthur-Merlin streaming complexity , 2013, Inf. Comput..

[40]  Eli Ben-Sasson,et al.  On the concrete efficiency of probabilistically-checkable proofs , 2013, STOC '13.

[41]  Srinath T. V. Setty,et al.  A Hybrid Architecture for Interactive Verifiable Computation , 2013, 2013 IEEE Symposium on Security and Privacy.

[42]  Nir Bitansky,et al.  Recursive composition and bootstrapping for SNARKS and proof-carrying data , 2013, STOC '13.