vRAM: Faster Verifiable RAM with Program-Independent Preprocessing

We study the problem of verifiable computation (VC) for RAM programs, where a computationally weak verifier outsources the execution of a program to a powerful (but untrusted) prover. Existing efficient implementations of VC protocols require an expensive preprocessing phase that binds the parties to a single circuit. (While there are schemes that avoid preprocessing entirely, their performance remains significantly worse than constructions with preprocessing.) Thus, a prover and verifier are forced to choose between two approaches: (1) Allow verification of arbitrary RAM programs, at the expense of efficiency, by preprocessing a universal circuit which can handle all possible instructions during each CPU cycle; or (2) Sacrifice expressiveness by preprocessing an efficient circuit which is tailored to the verification of a single specific RAM program. We present vRAM, a VC system for RAM programs that avoids both the above drawbacks by having a preprocessing phase that is entirely circuit-independent (other than an upper bound on the circuit size). During the proving phase, once the program to be verified and its inputs are chosen, the circuit-independence of our construction allows the parties to use a smaller circuit tailored to verifying the specific program on the chosen inputs, i.e., without needing to encode all possible instructions in each cycle. Moreover, our construction is the first with asymptotically optimal prover overhead; i.e., the work of the prover is a constant multiplicative factor of the time to execute the program. Our experimental evaluation demonstrates that vRAM reduces the prover's memory consumption by 55-110x and its running time by 9-30x compared to existing schemes with universal preprocessing. This allows us to scale to RAM computations with more than 2 million CPU cycles, a 65x improvement compared to the state of the art. 
Finally, vRAM has performance comparable to (and sometimes better than) the best existing scheme with program-specific preprocessing despite the fact that the latter can deploy program-specific optimizations (and has to pay a separate preprocessing cost for every new program).
