##
###
Verifiable Delegation of Computation over Large Datasets
[chapter]

Siavosh Benabbas, Rosario Gennaro, Yevgeniy Vahlis

2011
*
Lecture Notes in Computer Science
*

We study the problem of computing on large datasets that are stored on an untrusted server. We follow the approach of amortized verifiable computation introduced by Gennaro, Gentry, and Parno in CRYPTO 2010. We present the first practical verifiable computation scheme for high degree polynomial functions. Such functions can be used, for example, to make predictions based on polynomials fitted to a large number of sample points in an experiment. In addition to the many non-cryptographic
## more »

... ons of delegating high degree polynomials, we use our verifiable computation scheme to obtain new solutions for verifiable keyword search, and proofs of retrievability. Our constructions are based on the DDH assumption and its variants, and achieve adaptive security, which was left as an open problem by Gennaro et al (albeit for general functionalities). Our second result is a primitive which we call a verifiable database (VDB). Here, a weak client outsources a large table to an untrusted server, and makes retrieval and update queries. For each query, the server provides a response and a proof that the response was computed correctly. The goal is to minimize the resources required by the client. This is made particularly challenging if the number of update queries is unbounded. We present a VDB scheme based on the hardness of the subgroup membership problem in composite order bilinear groups. This is the first such construction that relies on a "constant-size" assumption, and does not require expensive generation of primes per operation. If R(·) was a random polynomial, then we can prove that this is a secure delegation scheme in the sense of [27] . However checking that t = g ay+R(x) would require the client to perform computation polynomial in the degree of P (·) -the exact work that we set out to avoid. The crucial point, therefore, is how to perform this verification fast, in time which is independent, or at the very least sublinear in the degree of P (·). We do that by defining r i = F K (i) where F is a pseudo-random function (PRF in the following) with a special property which we call closed form efficiency. The property is that given the polynomial R(·) defined by the r i coefficients, the value R(x) (for any input x) can be computed very efficiently (sub-linearly in d) by a party who knows the secret key K for the PRF. Since F is a PRF, the security of the scheme is not compromised (as F is indistinguishable from a random function), and the closed form efficiency of F will allow the client to verify the result in time sub-linear in the degree of the polynomial. We generalize our result for PRFs with other types of closed form efficiency, which yield efficient and secure delegation protocols not only for single-variable polynomials of degree d, but also for multivariate polynomials with total degree d or of degree d in each variable. We have several different variations of PRFs: the least efficient one is secure under the Decisional Diffie-Hellman assumption, while more efficient ones require a decisional variant of the Strong DH assumption. Adaptivity: One of the main questions to remain open after the work of GGP [27] is whether we can achieve verifiable delegation even if the malicious server knows whether the verifier accepted or rejected the correctness proof of the value computed by the server. Indeed, the GPV scheme becomes insecure if the server learns this single bit of information after each proof is sent to the verifier. Our constructions are the first to achieve adaptive security in the amortized setting. Privacy: Our solution allows the client to preserve the secrecy of the polynomial stored with the server, by encrypting it with an additively homomorphic encryption scheme. In this case the server returns an encrypted form of y which the client will decrypt. Keyword Search: The applications to keyword search without updates is almost immediate. Consider a text file F = {w 1 , . . . , w ℓ } where w i are the words contained in it. Encode F as the polynomial P (·) of degree ℓ such that P (w i ) = 0. To make this basic solution efficiently updatable we use a variation of the polynomial delegation scheme which uses bilinear maps. We also present a generic, but less efficient way to make any static keyword search protocol updatable which might be of independent interest. Proof of Retrievability: Again the application of our technique is quite simple. The client encodes the file as a polynomial F (x) of degree d (each block representing a coefficient), and delegates the computation of

doi:10.1007/978-3-642-22792-9_7
fatcat:qqwpxqvan5hj7phqk7zrk2h76e