Succinct NIZKs from Quadratic Span Programs (QSPs) and Quadratic Arithmetic Programs (QAPs), and Pinocchio - a system for nearly practical verifiable computation
We introduce a new characterization of the NP complexity class, called Quadratic Span Programs (QSPs), which is a natural extension of span programs defined by Karchmer and Wigderson. Our main motivation is the quick construction of succinct, easily verified arguments for NP statements. Using QSPs, we construct a succinct NIZK argument – in the CRS model – for Circuit-SAT consisting of just 7 group elements. The CRS size and prover computation are quasi-linear and our NIZK argument attains the shortest proof, most efficient prover, and most efficient verifier of any known technique. We also present Quadratic Arithmetic Programs (QAPs), that “naturally” compute arithmetic circuits over large fields, along with succinct NIZK constructions that use QAPs.
We show how QSPs and QAPs can be used to efficiently and publicly verify outsourced computations, where a client asks a server to compute F(x) for a given function F and must verify the result provided by the server in considerably less time than it would take to compute F from scratch. The resulting schemes are the most efficient, general-purpose publicly verifiable computation schemes. Our verifiable computation protocol from QAPs exhibits efficiency also in practical terms. To demonstrate this we introduce Pinocchio, a built system for efficiently verifying general computations, which implements our VC construction from QAPs. With Pinocchio, the client creates a public evaluation key to describe her computation; this setup is proportional to evaluating the computation once. The worker then evaluates the computation on a particular input and uses the evaluation key to produce a proof of correctness. The proof is only 288 bytes, regardless of the computation performed or the size of the inputs and outputs. Anyone can use a public verification key to check the proof.
Crucially, our evaluation on seven applications demonstrates that Pinocchio is efficient in practice too. Pinocchio’s verification time is typically 10ms: 5-7 orders of magni- tude less than previous work; indeed Pinocchio is the first general-purpose system to demonstrate verification cheaper than native execution (for some apps). Pinocchio also reduces the worker’s proof effort by an additional 19-60×. As an additional feature, Pinocchio generalizes to zero-knowledge proofs at a negligible cost over the base protocol. Finally, to aid development, Pinocchio provides an end-to-end toolchain that compiles a subset of C into programs that implement the verifiable computation protocol.
This talk will include results from two papers: Quadratic Span Program and Succinct NIZKs without PCPs, joint work with Rosario Gennaro, Craig Gentry, Bryan Parno and Pinocchio: Nearly Practical Verifiable Computation, joint work with Craig Gentry, Jon Howell, Bryan Parno.