Lucas Schabhüser

Privately and Publicly Verifiable Computing Techniques

This book presents the first comprehensive overview of various verifiable computing techniques, which allow the computation of a function on outsourced data to be delegated to a server. It provides a brief description of all the approaches and highlights the properties each solution achieves. Further, it analyzes the level of security provided, how efficient the verification process is, who can act as a verifier and check the correctness of the result, which function class the verifiable computing scheme supports, and whether privacy with respect to t he input and/or output data is provided. On the basis of this analysis the authors then compare the different approaches and outline possible directions for future work. The book is of interest to anyone wanting to understand the state of the art of this research field.

A Linearly Homomorphic Signature Scheme from Weaker Assumptions

In delegated computing, prominent in the context of cloud computing, guaranteeing both the correctness and authenticity of computations is of critical importance. Homomorphic signatures can be used as cryptographic solutions to this problem. In this paper we solve the open problem of constructing a linearly homomorphic signature scheme that is secure against an active adversary under standard assumptions. We provide a construction based on the DL and CDH assumption. Furthermore we show how our scheme can be combined with homomorphic encryption under the framework of Linearly Homomorphic Authenticated Encryption with Public Verifiability. This way we can provide the first such scheme that is context hiding. Furthermore our solution even allows verification in constant time (in an amortized sense).

An unconditionally hiding auditing procedure for computations over distributed data

In this work an unconditionally hiding auditing procedure for distributed (cloud) storage solutions is introduced. There is only one multi-party computation (MPC) scheme providing auditability which computationally protects the inputs of the computations. Building on this, we propose a computationally hiding solution that uses bilinear maps and therefore produces no additional overhead in the online phase. In addition, we introduce a second variation that is the first auditable MPC scheme for distributed storage systems providing unconditional (or information-theoretic) hidingness. We achieve this by combining bilinear maps with unconditionally hiding commitments leading to only a small overhead in the online phase. We prove our solutions secure and give arguments for practicability and efficiency. The auditing procedures presented here are an important contribution since distributed storage solutions, e.g. cloud of clouds, allow for information-theoretic confidentiality. Using our technique, they can be extended to perform auditable computations on the data stored.

Linearly Homomorphic Authenticated Encryption with Provable Correctness and Public Verifiability

In this work the first linearly homomorphic authenticated encryption scheme with public verifiability and provable correctness, called \(\mathsf {LEPCoV}\), is presented. It improves the initial proposal by avoiding false negatives during the verification algorithm. This work provides a detailed description of \(\mathsf {LEPCoV}\), a comparison with the original scheme, a security and correctness proof, and a performance analysis showing that all algorithms run in reasonable time for parameters that are currently considered secure. The scheme presented here allows a user to outsource computations on encrypted data to the cloud, such that any third party can verify the correctness of the computations without having access to the original data. This makes this work an important contribution to cloud computing and applications where operations on sensitive data have to be performed, such as statistics on medical records and tallying of electronically cast votes.

Function-Dependent Commitments for Verifiable Multi-party Computation

In cloud computing, delegated computing raises the security issue of guaranteeing data authenticity during a remote computation. Existing solutions do not simultaneously provide fast correctness verification, strong security properties, and information-theoretic confidentiality. We introduce a novel approach, in the form of function-dependent commitments, that combines these strengths. We also provide an instantiation of function-dependent commitments for linear functions that is unconditionally, i.e. information-theoretically, hiding and relies on standard hardness assumptions. This powerful construction can for instance be used to build verifiable computing schemes providing information-theoretic confidentiality. As an example, we introduce a verifiable multi-party computation scheme for shared data providing public verifiability and unconditional privacy towards the servers and parties verifying the correctness of the result. Our scheme can be used to perform verifiable computations on secret shares while requiring only a single party to compute the audit data for verification. Furthermore, our verification procedure is asymptotically even more efficient than performing operations locally on the shared data. Thus, our solution improves the state of the art for authenticated computing, verifiable computing and multi-party computation.

CHQS: Publicly Verifiable Homomorphic Signatures Beyond the Linear Case

Sensitive data is often outsourced to cloud servers, with the server performing computation on the data. Computational correctness must be efficiently verifiable by a third party while the input data remains confidential. We introduce CHQS, a homomorphic signature scheme from bilinear groups fulfilling these requirements. CHQS is the first such scheme to be both context hiding and publicly verifiable for arithmetic circuits of degree 2. It also achieves amortized efficiency: after a precomputation, verification can be faster than the circuit evaluation itself.

Analysis of the State of the Art

In this chapter, all verifiable computing schemes discussed in this survey are summarized and their properties are highlighted. We first summarize for each type of verifiable computing scheme presented in the survey, i.e. proof and argument based verifiable computing, verifiable computing from fully homomorphic encryption, homomorphic authenticators, verifiable computing frameworks from functional encryption and functional signatures, and verifiable computing for specific applications, which properties they provide. Like in the rest of the survey the properties concerned are the level of security the scheme provides, how efficient the verification process is, whether anyone or only the client can check the correctness of the result, which function class the verifiable computing scheme supports, and whether privacy with respect to the input and/or output data is given. Afterwards, we discuss to what extent the schemes provide long-term privacy, i.e. are secure against attackers with unbounded computation power. Finally, we discuss for which approaches implementations are available.

Verifiable Computing from Fully Homomorphic Encryption

In this chapter we discuss approaches to verifiable computing that use fully homomorphic encryption (FHE) as a building block. First, we define homomorphic encryption and fully homomorphic encryption. Then, we describe the verifiable computing schemes using this primitive, i.e. “Non-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers” by Gennaro et al., “Improved Delegation of Computation Using Fully Homomorphic Encryption” by Chung et al., and “Efficient Non-Interactive Verifiable Outsourced Computation for Arbitrary Functions” by Chen et al. Note that using these solutions the client encrypts the data before it outsources it to the server. Thus, these solutions achieve input privacy. In addition, only the client can decrypt the result, which is why also output privacy is assured. However, on the downside all fully homomorphic encryption based schemes are only privately verifiable. Furthermore, all solutions are only secure against weak adversaries and providing efficient FHE schemes is still an open research challenge.

Proof and Argument Based Verifiable Computing

In this chapter the state of the art with respect to proof based verifiable computing schemes is presented. In this setting a prover wants to convince a verifier of the correctness of a computed result. The first proof based solutions that achieve this were interactive proof systems. Depending on the computation power of the prover we distinguish here between proof based and argument based approaches. While all proof based schemes are interactive protocols, the argument based solutions were further improved, such that also non-interactive solutions are available. In this chapter, we first provide an introduction presenting the setting and the notions, i.e. quadratic span program (QSP), quadratic arithmetic program (QAP), and succinct non-interactive arguments of knowledge (SNARKs). Then, we present the interactive proof based solutions, i.e. “Verifiable Computation with Massively Parallel Interactive Proofs” by Thaler et al. and “Allspice” by Vu et al., and the argument based approaches, i.e. “Pepper” by Setty et al., “Ginger” by Setty et al., “Zaatar” by Setty et al., “Pantry” by Braun et al., and “River” by Xu et al. Afterwards, we present the definitions and solutions for the non-interactive argument based verifiable computing schemes, i.e. “Pinocchio” by Parno et al., “Geppetto” by Costello et al., “SNARKs for C” by Ben-Sasson et al., “Succinct Non-interactive Zero Knowledge for a von Neumann Architecture” by Ben-Sasson et al., “Buffet” by Wahby et al., “ADSNARK” by Backes et al., and “Block Programs: Improving Efficiency of Verifiable Computation for Circuits with Repeated Substructures” by Xu et al.

Verifiable Computing Frameworks from Functional Encryption and Functional Signatures

In addition to proof or argument based verifiable computing schemes and constructions that rely on homomorphic encryption or homomorphic authenticators, verifiable computing schemes can also be constructed using functional encryption or functional signatures. Thus, in this chapter we present the verifiable computing schemes using one of these primitives. Functional encryption refers to encryption schemes where ciphertexts can be decrypted only if they fulfill certain requirements. There are basically two approaches that use functional encryption to build a verifiable computing scheme. “Verifiable Computation from Attribute Based Encryption” by Parno et al. uses (key-policy) attribute-based encryption, a specific instantiation of functional encryption, while the approach presented in “Delegatable Homomorphic Encryption with Applications to Secure Outsourcing of Computation” by Barbosa and Farshim is constructed directly from functional encryption schemes. Functional signatures come with a secondary parameterized signing key, in addition to the master signing key, that allows to sign messages, but restricts the signing capabilities to messages in a certain range. This property allows to build verifiable computing schemes as shown by Boyle et al. in “Functional Signatures and Pseudorandom Functions”.