Publicly Verifiable Delegation of Large Polynomials and Matrix Computations, with Applications
Outsourced computations (where a client requests a server to perform some computation on its behalf) are becoming increasingly important due to the rise of Cloud Computing and the proliferation of mobile devices.
Since cloud providers may not be trusted, a crucial problem is the verification of the integrity and correctness of such computation, possibly in a public way, i.e., the result of a computation can be verified by any third party, and requires no secret key -- akin to a digital signature on a message.
We present new protocols for publicly verifiable secure outsourcing of Evaluation of High Degree Polynomials and Matrix Multiplication. Compared to previously proposed solutions, ours improve in efficiency and offer security in a stronger model. The paper also discusses several practical applications of our protocols.
Interactive certificate for the verification of Wiedemann's Krylov sequence: application to the certification of the determinant, the minimal and the characteristic polynomials of sparse matrices
Certificates to a linear algebra computation are additional data structures for each output, which can be used by a (possibly randomized) verification algorithm that proves the correctness of each output. Wiedemann's algorithm projects the Krylov sequence obtained by repeatedly multiplying a vector by a matrix to obtain a linearly recurrent sequence. The minimal polynomial of this sequence divides the minimal polynomial of the matrix. For instance, if the input matrix is sparse with n^{1+o(1)} non-zero entries, the computation of the sequence is quadratic in the dimension of the matrix while the computation of the minimal polynomial is n^{1+o(1)}, once that projected Krylov sequence is obtained. In this paper we give algorithms that compute certificates for the Krylov sequence of sparse or structured matrices over an abstract field, whose Monte Carlo verification complexity can be made essentially linear. As an application this gives certificates for the determinant, the minimal and characteristic polynomials of sparse or structured matrices at the same cost.
Strong ETH Breaks With Merlin and Arthur: Short Non-Interactive Proofs of Batch Evaluation
We present an efficient proof system for Multipoint Arithmetic Circuit Evaluation: for every arithmetic circuit of size and degree over a field , and any inputs , the Prover sends the Verifier the values and a proof of length, and the Verifier tosses coins and can check the proof in about time, with probability of error less than .
For small degree , this "Merlin-Arthur" proof system (a.k.a. MA-proof system) runs in nearly-linear time, and has many applications. For example, we obtain MA-proof systems that run in time (for various ) for the Permanent, Circuit-SAT for all sublinear-depth circuits, counting Hamiltonian cycles, and infeasibility of - linear programs. In general, the value of any polynomial in Valiant's class can be certified faster than "exhaustive summation" over all possible assignments. These results strongly refute a Merlin-Arthur Strong ETH and Arthur-Merlin Strong ETH posed by Russell Impagliazzo and others.
We also give a three-round (AMA) proof system for quantified Boolean formulas running in time, nearly-linear time MA-proof systems for counting orthogonal vectors in a collection and finding Closest Pairs in the Hamming metric, and a MA-proof system running in -time for counting -cliques in graphs.
We point to some potential future directions for refuting the Nondeterministic Strong ETH.
Linear Time Interactive Certificates for the Minimal Polynomial and the Determinant of a Sparse Matrix
Computational problem certificates are additional data structures for each output, which can be used by a (possibly randomized) verification algorithm that proves the correctness of each output. In this paper, we give an algorithm that computes a certificate for the minimal polynomial of sparse or structured n×n matrices over an abstract field, of sufficiently large cardinality, whose Monte Carlo verification complexity requires a single matrix-vector multiplication and a linear number of extra field operations. We also propose a novel preconditioner that ensures irreducibility of the characteristic polynomial of the generically preconditioned matrix. This preconditioner takes linear time to be applied and uses only two random entries. We then combine these two techniques to give algorithms that compute certificates for the determinant, and thus for the characteristic polynomial, whose Monte Carlo verification complexity is therefore also linear.
Weave ElGamal Encryption for Secure Outsourcing Algebraic Computations over Zp
This paper addresses the secure outsourcing problem for large-scale matrix computation to a public cloud. We propose a novel public-key weave ElGamal encryption (WEE) scheme for encrypting a matrix over the field Zp. The scheme has the echelon transformation property. We can apply a series of elementary row/column operations to transform an encrypted matrix under our WEE scheme into the row/column echelon form. The decrypted result matches the result of the corresponding operations performed on the original matrix. For security, our WEE scheme is shown to be entry irrecoverable for non-zero entries under the computational Diffie-Hellman assumption.
By using our WEE scheme, we propose five secure outsourcing protocols of Gaussian elimination, Gaussian-Jordan elimination, matrix determinant, linear system solver, and matrix inversion. Each of these protocols preserves data privacy for clients (data owners). Furthermore, the linear system solver and matrix inversion protocols provide a cheating-resistant mechanism to verify correctness of computation results. Our experimental result shows that our protocols gain efficiency significantly for an outsourcer. Our outsourcing protocol solves a linear system of n = 1,000 equations and m = 1,000 unknown variables about 472 times faster than a non-outsourced version. The efficiency gain is more substantial when (n, m) gets larger. For example, when n = 10,000 and m = 10,000, the protocol can solve it about 56,274 times faster. Our protocols can also be easily implemented in a parallel computation architecture to get more efficiency improvement.
Efficient and Secure Delegation of Exponentiation in General Groups to a Single Malicious Server
Group exponentiation is an important and relatively expensive operation used in many public-key cryptosystems and, more generally, cryptographic protocols. To expand the applicability of these solutions to computationally weaker devices, it has been advocated that this operation be delegated from a computationally weaker client to a computationally stronger server. Solving this problem in the case of a single, possibly malicious, server has remained open since the introduction of a formal model. In previous work we have proposed practical and secure solutions applicable to two classes of specific groups, related to well-known cryptosystems. In this paper, we investigate this problem in a general class of multiplicative groups, possibly going beyond groups currently subject to quantum cryptanalysis attacks. Our main results are efficient delegation protocols for exponentiation in these general groups. The main technique in our results is a reduction of the protocol's security probability (i.e., the probability that a malicious server convinces a client of an incorrect exponentiation output) that is more efficient than standard parallel repetition. The resulting protocols satisfy natural requirements such as correctness, security, privacy and efficiency, even if the adversary uses the full power of quantum computers. In particular, in our protocols the client performs a number of online group multiplications smaller by 1 to 2 orders of magnitude than in a non-delegated computation.