Computational Integrity with a Public Random String from Quasi-Linear PCPs

  • Eli Ben-Sasson
  • Iddo Bentov
  • Alessandro Chiesa
  • Ariel Gabizon
  • Daniel Genkin
  • Matan Hamilis
  • Evgenya Pergament
  • Michael Riabzev
  • Mark Silberstein
  • Eran Tromer
  • Madars Virza
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10212)

Abstract

A party executing a computation on behalf of others may benefit from misreporting its output. Cryptographic protocols that detect this can facilitate decentralized systems with stringent computational integrity requirements. For the computation’s result to be publicly trustworthy, it is moreover imperative to use publicly verifiable protocols that have no “backdoors” or secret keys that enable forgery.

Probabilistically Checkable Proof (PCP) systems can be used to construct such protocols, but some of the main components of such systems—proof composition and low-degree testing via PCPs of Proximity (PCPPs)—have been considered efficient only asymptotically, for unrealistically large computations. Recent cryptographic alternatives suffer from a non-public setup phase, or require large verification time.

This work introduces SCI, the first implementation of a scalable PCP system (that uses both PCPPs and proof composition). We used SCI to prove correctness of executions of up to \(2^{20}\) cycles of a simple processor, and calculated its break-even point: the minimal input size for which naïve verification via re-execution becomes more costly than PCP-based verification.

This marks the transition of core PCP techniques (like proof composition and PCPs of Proximity) from mathematical theory to practical system engineering. The thresholds obtained are nearly achievable and hence show that PCP-supported computational integrity is closer to reality than previously assumed.


Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Eli Ben-Sasson (1)
  • Iddo Bentov (2)
  • Alessandro Chiesa (3)
  • Ariel Gabizon (4)
  • Daniel Genkin (5)
  • Matan Hamilis (1)
  • Evgenya Pergament (1)
  • Michael Riabzev (1)
  • Mark Silberstein (1)
  • Eran Tromer (6)
  • Madars Virza (7)

  1. Technion—Israel Institute of Technology, Haifa, Israel
  2. Cornell University, Ithaca, USA
  3. University of California, Berkeley, USA
  4. Zerocoin Electric Coin Company (Zcash), Lakewood, USA
  5. University of Pennsylvania and University of Maryland, College Park, USA
  6. Tel Aviv University, Tel Aviv, Israel
  7. Massachusetts Institute of Technology, Cambridge, USA
