Delegation of Computation without Rejection Problem from Designated Verifier CS-Proofs

Abstract. We present a designated verifier CS proof system for polynomial-time computations. The proof system can only be verified by a designated verifier: one who has published a public key for which it knows a matching secret key unknown to the prover. Whereas Micali's CS proofs require the existence of random oracles, we can base soundness on computational assumptions: the existence of leveled fully homomorphic encryption (FHE) schemes, the DDH assumption and a new knowledge of exponent assumption. Using our designated verifier CS proof system, we construct two schemes for delegating (polynomial-time) computation. In such schemes, a delegator outsources the computation of a function F on input x to a polynomial-time worker, who computes the output y = F(x) and proves to the delegator the correctness of the output. Let T be the complexity of computing F on inputs of length n = |x| and let k be a security parameter. Our first scheme calls for a one-time off-line stage where the delegator sends a message to the worker, and a non-interactive on-line stage where, for each input x, the worker sends the output together with a certificate of correctness to the delegator. The total computational complexity of the delegator during the off-line and on-line stages is poly(k, n, log T). Compared with previous constructions by Gennaro-Gentry-Parno and Chung-Kalai-Vadhan [GGP10, CKV10] based on FHE, their on-line stage consists of two messages and their off-line stage has (delegator's) complexity of poly(k, n, T). Thus, they achieve delegator complexity poly(k, n, log T) only in an amortized sense. Compared with the construction of [GKR08] based on poly-log PIR, our first construction can handle any polynomial-time computable F rather than being restricted to NC computable F. Our second scheme requires no off-line stage and has a two-message "online" stage with complexity of poly(k, n, log T).

Most importantly, it achieves robust soundness, which guarantees that it is infeasible for a cheating worker to convince the delegator of an invalid output even if the worker learns whether the delegator accepts or rejects previous outputs and proofs. Previously, the only two-round protocol that achieves robust soundness under a computational assumption appeared in [GKR08] and is restricted to NC computations.

∗ This material is based on research sponsored in part by NSF Contract CCF-1018064, NSF Contract CCF0729011, and the Air Force Research Laboratory under agreement number FA8750-11-2-0225. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Air Force Research Laboratory or the U.S. Government.
† MIT, E-Mail: shafi@theory.csail.mit.edu.
‡ MIT, E-Mail: huijia@csail.mit.edu.
§ Tel Aviv University, E-Mail: aviadrub@mail.tau.ac.il

References

[1] Moni Naor et al. Magic functions. 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039), 1999.

[2] Daniel A. Spielman et al. Nearly-linear size holographic proofs. STOC '94, 1994.

[3] Oded Goldreich et al. Universal arguments and their applications. Proceedings 17th IEEE Annual Conference on Computational Complexity, 2002.

[4] Joe Kilian et al. Improved Efficient Arguments (Preliminary Version). CRYPTO, 1995.

[5] Adi Shamir et al. IP = PSPACE. JACM, 1992.

[6] Craig Gentry et al. Fully homomorphic encryption using ideal lattices. STOC '09, 2009.

[7] Richard E. Overill et al. Foundations of Cryptography: Basic Tools. J. Log. Comput., 2002.

[8] Silvio Micali et al. Computationally Sound Proofs. SIAM J. Comput., 2000.

[9] Yael Tauman Kalai et al. Interactive PCP. 2007.

[10] Craig Gentry et al. Fully Homomorphic Encryption over the Integers. EUROCRYPT, 2010.

[11] Amos Fiat et al. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. CRYPTO, 1986.

[12] Yael Tauman Kalai et al. On the (In)security of the Fiat-Shamir paradigm. 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings, 2003.

[13] Craig Gentry et al. Non-interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers. CRYPTO, 2010.

[14] Ran Canetti et al. The random oracle methodology, revisited. JACM, 2000.

[15] Giovanni Di Crescenzo et al. Succinct NP Proofs from an Extractability Assumption. CiE, 2008.

[16] Mihir Bellare et al. Towards Plaintext-Aware Public-Key Encryption Without Random Oracles. ASIACRYPT, 2004.

[17] Ran Canetti et al. Extractable Perfectly One-Way Functions. ICALP, 2008.

[18] Carsten Lund et al. Interactive Proof Systems and Alternating Time-Space Complexity. STACS, 1991.

[19] Craig Gentry et al. Fully Homomorphic Encryption without Bootstrapping. IACR Cryptol. ePrint Arch., 2011.

[20] Joe Kilian et al. A note on efficient zero-knowledge proofs and arguments (extended abstract). STOC '92, 1992.

[21] Silvio Micali et al. The knowledge complexity of interactive proof-systems. STOC '85, 1985.

[22] Eli Ben-Sasson et al. Robust PCPs of Proximity, Shorter PCPs, and Applications to Coding. SIAM J. Comput., 2004.

[23] Carsten Lund et al. Algebraic methods for interactive proof systems. JACM, 1992.

[24] Jens Groth et al. Short Pairing-Based Non-interactive Zero-Knowledge Arguments. ASIACRYPT, 2010.

[25] Vinod Vaikuntanathan et al. Efficient Fully Homomorphic Encryption from (Standard) LWE. 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, 2011.

[26] Leonid A. Levin et al. Checking computations in polylogarithmic time. STOC '91, 1991.

[27] Silvio Micali et al. Computationally Private Information Retrieval with Polylogarithmic Communication. EUROCRYPT, 1999.

[28] David Chaum et al. Minimum Disclosure Proofs of Knowledge. J. Comput. Syst. Sci., 1988.

[29] Eli Ben-Sasson et al. Short PCPs verifiable in polylogarithmic time. 20th Annual IEEE Conference on Computational Complexity (CCC'05), 2005.

[30] Serge Fehr et al. Perfect NIZK with Adaptive Soundness. TCC, 2007.

[31] Ivan Damgård et al. Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks. CRYPTO, 1991.

[32] Ralph C. Merkle et al. A Certified Digital Signature. CRYPTO, 1989.

[33] Yael Tauman Kalai et al. Improved Delegation of Computation using Fully Homomorphic Encryption. IACR Cryptol. ePrint Arch., 2010.

[34] Irit Dinur et al. The PCP theorem by gap amplification. STOC, 2006.