Verifiable computing

Verifiable computing enables a computer to offload the computation of some function to other, perhaps untrusted, clients while maintaining verifiable results. The other clients evaluate the function and return the result with a proof that the computation of the function was carried out correctly. The notion was introduced in response to the increasingly common practice of "outsourcing" computation to untrusted users in projects such as SETI@home, and to the growing desire of weak clients to outsource computational tasks to a more powerful computation service. The term verifiable computing was invented by Rosario Gennaro, Craig Gentry, and Bryan Parno.

Motivation and overview

The formalization of the notion of Verifiable Computation was motivated by the growing desire to outsource computational tasks from a relatively weak computational device (client) to a more powerful computation service (worker), and by the problem of dishonest workers who modify their client’s software to return plausible results without performing the actual work.

Verifiable computing is not only concerned with getting the result of the outsourced function on the client’s input and the proof of its correctness, but also with the client being able to verify the proof with significantly less computational effort than computing the function from scratch.

Considerable attention has been devoted to verifying the computation of functions performed by untrusted workers, including the use of secure coprocessors, Trusted Platform Modules (TPMs), interactive proofs, probabilistically checkable proofs, efficient arguments, and Micali’s CS proofs. These verification methods are either interactive, requiring the client to interact with the worker to verify the correctness proof, or non-interactive protocols that can be proven in the random oracle model.

Verifiable computation scheme

Gennaro et al. defined the notion of a Verifiable Computation Scheme as a protocol between two polynomial-time parties that collaborate on the computation of a function F: {0,1}^n → {0,1}^m. The scheme consists of three main phases:

Preprocessing

This stage is performed once by the client in order to calculate some auxiliary information associated with F. Part of this information is public to be shared with the worker while the rest is private and kept with the client.

Input preparation

In this stage, the client calculates some auxiliary information about the input of the function. Part of this information is public while the rest is private and kept with the client. The public information is sent to the worker to compute F on the input data.

Output computation and verification

In this stage, the worker uses the public information associated with the function F and the input, which was calculated in the previous two phases, to compute an encoded output of the function F on the provided input.

This result is then returned to the client, which verifies its correctness by decoding the result returned by the worker, using the private information calculated in the previous phases, to obtain the actual value of the output.

The defined notion of a verifiable computation scheme reduces the interaction between the client and the worker to exactly two messages, with a single message sent from each party to the other during the different phases of the protocol.

Example

Gennaro et al. defined a verifiable computation scheme for any function F using Yao’s Garbled Circuit combined with a fully homomorphic encryption system.

This verifiable computation scheme VC is defined as follows:

VC = (KeyGen, ProbGen, Compute, Verify) consists of four algorithms as follows:
  1. KeyGen(F, λ) → (PK, SK): The randomized key generation algorithm generates two keys, public and private, based on the security parameter λ. The public key encodes the target function F and is sent to the worker to compute F. On the other hand, the secret key is kept private by the client.

  2. ProbGen_SK(x) → (σ_x, τ_x): The problem generation algorithm encodes the function input x into two values, public and private, using the secret key SK. The public value σ_x is given to the worker to compute F(x) with, while the secret value τ_x is kept private by the client.

  3. Compute_PK(σ_x) → σ_y: The worker computes an encoded value σ_y of the function’s output y = F(x) using the client’s public key PK and the encoded input σ_x.

  4. Verify_SK(τ_x, σ_y) → y ∪ ⊥: The verification algorithm converts the worker’s encoded output σ_y into the actual output of the function F using both the secret key SK and the secret “decoding” τ_x. It outputs y = F(x) if σ_y represents a valid output of F on x, or outputs ⊥ otherwise.


The protocol of the verifiable computations scheme defined by Gennaro et al.
The function F should be represented as a Boolean circuit on which the key generation algorithm would be applied. The key generation algorithm runs Yao’s garbling procedure over this Boolean circuit to compute the public and secret keys. The public key (PK) is composed of all the ciphertexts that represent the garbled circuit, and the secret key (SK) is composed of all the random wire labels. The generated secret key is then used in the problem generation algorithm. This algorithm first generates a new pair of public and secret keys for the homomorphic encryption scheme, and then uses these keys with the homomorphic scheme to encrypt the correct input wires, represented as the secret key of the garbled circuit. The produced ciphertexts represent the public encoding of the input (σ_x) that is given to the worker, while the secret key (τ_x) is kept private by the client. After that, the worker applies the computation steps of Yao’s protocol over the ciphertexts generated by the problem generation algorithm. This is done by recursively decrypting the gate ciphertexts until arriving at the final output wire values (σ_y). The homomorphic properties of the encryption scheme enable the worker to obtain an encryption of the correct output wire. Finally, the worker returns the ciphertexts of the output to the client, who decrypts them to compute the actual output y = F(x) or ⊥.

The definition of the verifiable computation scheme states that the scheme should be both correct and secure. Scheme Correctness is achieved if the problem generation algorithm produces values that enable an honest worker to compute encoded output values that will verify successfully and correspond to the evaluation of F on those inputs. On the other hand, a verifiable computation scheme is secure if a malicious worker cannot convince the verification algorithm to accept an incorrect output for a given function F and input x.
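The four algorithms above, as an added Python sketch that is not code from Gennaro et al. or from the original article: it garbles a constructed sample circuit and leaves out the homomorphic-encryption layer, so each key pair is used for a single input. The names CIRCUIT, lazy_worker and outsource, the SHA-256 pad, and the choice of τ_x as the output-wire label pair are assumptions of this example.

```python
import hashlib
import hmac
import secrets

LABEL = 16                 # wire-label length in bytes (security parameter λ = 128 bits)
TAG = bytes(LABEL)         # zero padding that marks a correctly decrypted table row

# Constructed sample function F(a, b, c) = (a AND b) XOR c as a Boolean circuit.
# Each gate is (op, left_wire, right_wire, out_wire); wires 0..2 carry the input x.
CIRCUIT = [("AND", 0, 1, 3), ("XOR", 3, 2, 4)]
N_WIRES, OUT_WIRE = 5, 4
OPS = {"AND": lambda a, b: a & b, "XOR": lambda a, b: a ^ b}


def _pad(k_left, k_right, gate_id):
    """Derive a 32-byte one-time pad from the two input labels of a gate."""
    return hashlib.sha256(k_left + k_right + gate_id.to_bytes(4, "big")).digest()


def _xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))


def keygen(circuit, n_wires):
    """KeyGen(F, λ) -> (PK, SK): SK = random wire labels, PK = garbled gate tables."""
    sk = [(secrets.token_bytes(LABEL), secrets.token_bytes(LABEL)) for _ in range(n_wires)]
    pk = []
    for gate_id, (op, left, right, out) in enumerate(circuit):
        rows = [_xor(_pad(sk[left][a], sk[right][b], gate_id), sk[out][OPS[op](a, b)] + TAG)
                for a in (0, 1) for b in (0, 1)]
        secrets.SystemRandom().shuffle(rows)   # hide which row belongs to which bits
        pk.append(rows)
    return pk, sk


def probgen(sk, x):
    """ProbGen_SK(x) -> (σ_x, τ_x): σ_x = labels of the actual input bits."""
    sigma_x = [sk[wire][bit] for wire, bit in enumerate(x)]
    tau_x = sk[OUT_WIRE]     # assumption of this sketch: τ_x is the output label pair
    return sigma_x, tau_x


def compute(pk, sigma_x, circuit=CIRCUIT):
    """Compute_PK(σ_x) -> σ_y: the worker evaluates the garbled circuit gate by gate."""
    labels = dict(enumerate(sigma_x))
    for gate_id, (_, left, right, out) in enumerate(circuit):
        pad = _pad(labels[left], labels[right], gate_id)
        for row in pk[gate_id]:
            plain = _xor(pad, row)
            if plain[LABEL:] == TAG:           # only the matching row decrypts cleanly
                labels[out] = plain[:LABEL]
                break
        else:
            raise ValueError("no table row decrypted: malformed σ_x or PK")
    return labels[OUT_WIRE]


def verify(tau_x, sigma_y):
    """Verify_SK(τ_x, σ_y) -> y or None (⊥): accept only a genuine output label."""
    for bit, label in enumerate(tau_x):
        if hmac.compare_digest(label, sigma_y):
            return bit
    return None


def lazy_worker(pk, sigma_x):
    """A worker that skips the work and returns a plausible-looking random label."""
    return secrets.token_bytes(LABEL)


def outsource(x, worker=compute):
    """Run the whole exchange for one input; fresh keys each time (one-time use)."""
    pk, sk = keygen(CIRCUIT, N_WIRES)
    sigma_x, tau_x = probgen(sk, x)
    return verify(tau_x, worker(pk, sigma_x))


if __name__ == "__main__":
    print(outsource((1, 1, 0)))                 # honest worker
    print(outsource((1, 1, 0), lazy_worker))    # dishonest worker
```

The worker sees one label per wire and never learns the label for the opposite output bit, which is why a result it did not compute is rejected as ⊥.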
The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 