Pinocchio: Nearly Practical Verifiable Computation
Bryan Parno, Jon Howell, Craig Gentry, Mariana Raykova
Joint work: Microsoft Research, IBM Research
Presentation by: Karim Baghery, Cryptology Research Group; Supervisor: Prof. Dominique Unruh; Coordinator: Dr. Vitaly Skachek
Research Seminar in Cryptography (MTAT.07.022), 2016/2017 Fall
Problem Motivation: A question… What do you do when your workload (computation) is beyond your capacity, or demands far more resources than you have?
Problem Motivation: The most probable answer… Cambridge Dictionary: A situation in which a company employs another organization to do some of its work.
Problem Motivation: Outsourcing (Cloud) Computing. A new paradigm of computation. Motivation: allow a computationally weak client to outsource its computation to the worker (cloud). [Figure: $f$ and $x$ go to the worker; $y = f(x)$ comes back.]
Problem Motivation: We do not want to blindly trust the cloud! What happens if the cloud is malicious? Or malfunctioning, … Share your direction or location with…! [Figure: the client sends $x$; the cloud returns the claim $y = f(x)$.]
Background Knowledge: Verifiable Computation (VC)
A public verifiable computation scheme VC consists of a set of three polynomial-time algorithms (KeyGen, Compute, Verify), denoted as follows.
$(EK_F, VK_F) \leftarrow \mathrm{KeyGen}(F, 1^\lambda)$: The randomized key generation algorithm takes the function $F$ to be outsourced and the security parameter $\lambda$; it outputs a public evaluation key $EK_F$ and a public verification key $VK_F$.
$(y, \pi_y) \leftarrow \mathrm{Compute}(EK_F, u)$ (also written Proof): The deterministic worker algorithm uses the public evaluation key $EK_F$ and input $u$; it outputs $y \leftarrow F(u)$ and a proof $\pi_y$ of $y$'s correctness.
$\{0, 1\} \leftarrow \mathrm{Verify}(VK_F, u, y, \pi_y)$: Given the verification key $VK_F$, the deterministic verification algorithm outputs 1 if $F(u) = y$, and 0 otherwise.
Verifiable Computation: Properties
Correctness: $y \stackrel{?}{=} f(x)$
Privacy: what the cloud learns about the data $x$
Efficiency: verifying should be more efficient than evaluating $f(x)$ directly
Zero-Knowledge: in some cases where $f(x, w) \to y$, that is $y = f(x, w)$, the client learns nothing about the witness $w$
Pinocchio: An Efficient Solution for Verifiable Computation
Related Works: How quickly is this area changing? Example: matrix multiplication, $[A]_{1000 \times 1000} \times [B]_{1000 \times 1000}$.
[Figure: chart for matrix multiplication, axis: Time (Sec). Labels on the chart, in order: 72 trillion years; ~$10^{23}$×; ~$10^{16}$×; 37 centuries; ~$10^{10}$×; ~$10^{7}$×; 6 orders of magnitude; ~$10^{6}$× (12 min); improve by batching; 7 orders of magnitude; 15 ms.]
Related Works: A comparison of some efficient Zero-Knowledge Succinct Non-interactive Arguments of Knowledge (ZK-SNARKs).
Columns: CRS Length (Group Elements); Prover Computations (Exp.); Verifier Computations (Exp. + Pairing)
Gro10: $O(C^2)$; $O(C) + (1)$
Lip12: $O(C^{1+O(1)})$; $O(C) + (62)$
GGPR13, Pinocchio: $O(C)$; $O(C)$ Crypto + $O(C \log^2 C)$ Non-Crypto; $O(N)$ I/O
C: the size of the circuit. N: the size of the input.
Pinocchio’s Contribution:
New cryptographic protocol for public verifiable computation; also has the zero-knowledge property.
Quadratic Programs: a highly efficient encoding of general computations.
Good asymptotics, with the concrete figures for this case:
One-time key setup: $O(|C|)$
Worker (CW: $O(|C|)$): $O(|C| \log^2 |C|)$ (calc. H(x)); 60× faster
Verification: $O(N)$ (input and output); $10^7$× faster
Generated proof (signature): $O(\lambda)$ bytes; 288 bytes
Evaluation of several real C applications; in some cases verification beats native C code (first VC).
Pinocchio’s Pipeline: C Code → (1) Compiler → Arithmetic Circuit → (2) Encoding → Quadratic Arithmetic Program (QAP) → (3) Cryptographic Verification Protocol (ECC-based)
Between worker and client: $(EK_F, VK_F) \leftarrow \mathrm{GenKeys}(F)$; $\pi_y \leftarrow \mathrm{Prove}(EK_F, x, y)$; $\{\text{Yes}, \text{No}\} \leftarrow \mathrm{Verify}(VK_F, x, y, \pi_y)$
Pinocchio’s Pipeline: C to Arithmetic Circuit Compiler. Step (1): C Code → Compiler → Arithmetic Circuit
The compiler understands a subset of C: functions, conditionals, loops; arithmetic and bitwise operators; arrays, structures, ...
The compiler outputs an arithmetic circuit with wire values $C_i \in \mathbb{F}_p$.
[Figure: example circuit on wires C1 to C5 with a + gate (C1 + C2 mod p), a × gate (C3 × C4 mod p) and a zero test (C5 =? 0, giving 1 : 0); X = 11 is shown as the bits 0 1 0 1 1.]
Pinocchio’s Pipeline: Arithmetic Circuit to QAP Encoder. Step (2): Arithmetic Circuit → Encoding → Quadratic Arithmetic Program (QAP)
An efficient encoding of computation that has been deployed in different cryptographic protocols.
Theorem [GGPR13]: Let $C$ be an arithmetic circuit that computes $F$; there is a Quadratic Arithmetic Program (QAP) of size $O(|C|)$ and degree $d$ that computes $F$.
Can verify any poly-time (or even NP) function.
A similar theorem holds for Boolean circuits and Quadratic Span Programs (QSP).
Quadratic Arithmetic Program: Overview on Main Intuition
Client:
1. Define: $T(z) = (z - r_5)(z - r_6)$
2. Define: $v_1(z), \ldots, v_6(z)$; $w_1(z), \ldots, w_6(z)$; $y_1(z), \ldots, y_6(z)$
3. Check: $V(z) \cdot W(z) - Y(z) \stackrel{?}{=} H(z) \cdot T(z)$, which holds when $(c_1, c_2, \ldots, c_6)$ is a valid assignment of $F$'s input and output.
Worker:
1. Evaluates the arithmetic circuit with inputs $(c_1, c_2, \ldots, c_6)$
2. Computes $V(z) = c_1 v_1(z) + \ldots + c_6 v_6(z)$, $W(z) = c_1 w_1(z) + \ldots + c_6 w_6(z)$, $Y(z) = c_1 y_1(z) + \ldots + c_6 y_6(z)$
3. Computes $P(z) = \left(\sum_i c_i v_i(z)\right)\left(\sum_i c_i w_i(z)\right) - \sum_i c_i y_i(z) = V(z) \cdot W(z) - Y(z)$
4. Computes $H(z) = P(z)/T(z)$
Message (I): $v_i(z)$, $w_i(z)$, $y_i(z)$, $T(z)$, Circuit, Input
Message (II): $V(z)$, $W(z)$, $Y(z)$, $H(z)$
By the QAP encoding: $H(z) \cdot T(z) = P(z)$, where $P(z) = \left(\sum_i c_i v_i(z)\right)\left(\sum_i c_i w_i(z)\right) - \sum_i c_i y_i(z)$
Quadratic Arithmetic Program: Main Intuition
Construct polynomials $T(z) = (z - r_5)(z - r_6)$ and $P(z) = \left(\sum_i c_i v_i(z)\right)\left(\sum_i c_i w_i(z)\right) - \sum_i c_i y_i(z)$ that encode the gate equations and wire values $\{c_i\}$.
$(c_1, \ldots, c_m)$ is a valid set of wire values iff $T(z)$ divides $P(z)$:
C3 * C4 == C5 and (C1 + C2) * C5 == C6 ≡ $T(z)$ divides $P(z)$ ≡ $\exists H(z): H(z) \cdot T(z) = P(z)$ ≡ $\forall r_i: T(r_i) = 0 \Rightarrow P(r_i) = 0$
The crypto protocol checks divisibility at a random point, and hence cheaply checks correctness.
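Converting Arithmetic Circuit to QAPs:
Pick an arbitrary root for each multiplication gate: $r_5, r_6$ from $F$
Define: $T(z) = (z - r_5)(z - r_6)$
Define $P(z)$ via three sets of polynomials $\{v_0(z), \ldots, v_6(z)\}$, $\{w_0(z), \ldots, w_6(z)\}$, $\{y_0(z), \ldots, y_6(z)\}$, where $P(z) = \left(\sum_i c_i v_i(z)\right)\left(\sum_i c_i w_i(z)\right) - \sum_i c_i y_i(z)$
[Figure: the circuit (Inputs, Output) beside a table with rows $r_5$, $r_6$ and three column groups, Left Inputs $v_i$, Right Inputs $w_i$ and Outputs $y_i$, each with columns 1, C1, ..., C6 for the polynomials $v_0(z) \ldots v_6(z)$, $w_0(z) \ldots w_6(z)$, $y_0(z) \ldots y_6(z)$.]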
Why it works?
Based on the definitions $T(z) = (z - r_5)(z - r_6)$ and $P(z) = \left(\sum_i c_i v_i(z)\right)\left(\sum_i c_i w_i(z)\right) - \sum_i c_i y_i(z)$:
$T(z)$ divides $P(z)$ means $\forall r_i: T(r_i) = 0 \Rightarrow P(r_i) = 0$
At $r_5$: $T(r_5) = 0$ and $P(r_5) = (c_3)(c_4) - (c_5)$
At $r_6$: $T(r_6) = 0$ and $P(r_6) = (c_1 + c_2)(c_5) - (c_6)$
[Figure: the same table of Left Inputs $v_i$, Right Inputs $w_i$ and Outputs $y_i$ at rows $r_5$, $r_6$.]
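An added worked example (not from the original slides or the Pinocchio code base) that builds the QAP for the slide's two-gate circuit and tests both "T(z) divides P(z)" and the check at a single point s. The modulus, the root values 5 and 6, the wire values and all function names are assumptions chosen for illustration, and the check is done in the clear, without the group encoding or pairing.

```python
# Added example: QAP for the slide circuit c5 = c3*c4, c6 = (c1+c2)*c5.
P = 2**31 - 1     # prime modulus (assumed; the slides only say "from F")
R5, R6 = 5, 6     # arbitrary distinct roots, one per multiplication gate (assumed)
V_SEL = {3: (1, 0), 1: (0, 1), 2: (0, 1)}   # left inputs: wire -> (value at r5, r6)
W_SEL = {4: (1, 0), 5: (0, 1)}              # right inputs w_i
Y_SEL = {5: (1, 0), 6: (0, 1)}              # outputs y_i
VALID = [1, 2, 3, 4, 5, 20, 100]   # constructed wires c0..c6, c0 is the constant 1
BAD = [1, 2, 3, 4, 5, 20, 101]     # constructed: c6 violates the second gate

def interp(a5, a6):
    """Line through (R5, a5) and (R6, a6) as [const, slope] mod P."""
    slope = (a6 - a5) * pow(R6 - R5, -1, P) % P
    return [(a5 - slope * R5) % P, slope]

def combine(sel, c):
    """Coefficients of sum_i c_i * poly_i(z) for one selector table."""
    out = [0, 0]
    for i, (a5, a6) in sel.items():
        p = interp(a5, a6)
        out = [(out[k] + c[i] * p[k]) % P for k in range(2)]
    return out

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def poly_divmod(num, den):
    num, q = num[:], [0] * (len(num) - len(den) + 1)
    inv = pow(den[-1], -1, P)
    for k in range(len(q) - 1, -1, -1):
        q[k] = num[k + len(den) - 1] * inv % P
        for j, d in enumerate(den):
            num[k + j] = (num[k + j] - q[k] * d) % P
    return q, num[:len(den) - 1]       # (quotient H, remainder)

def ev(poly, z):
    return sum(c * pow(z, k, P) for k, c in enumerate(poly)) % P
T = poly_mul([-R5 % P, 1], [-R6 % P, 1])    # T(z) = (z - r5)(z - r6)

def qap_check(c, s):
    """Return (T(z) divides P(z), V(s)W(s) - Y(s) == H(s)T(s)) for wires c."""
    V, W, Y = (combine(sel, c) for sel in (V_SEL, W_SEL, Y_SEL))
    Pz = [(a - b) % P for a, b in zip(poly_mul(V, W), Y + [0])]
    H, rem = poly_divmod(Pz, T)
    lhs = (ev(V, s) * ev(W, s) - ev(Y, s)) % P
    return not any(rem), lhs == ev(H, s) * ev(T, s) % P
```

For the bad assignment the point check still passes at s = r5, because the remainder vanishes there; this is why the protocol evaluates at a random s.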
Pinocchio’s Pipeline, step (3): Cryptographic Verification Protocol (ECC-based). Having built these polynomials, we now turn to the cryptographic protocol.
Cryptographic Protocol: (Simplified)
In particular, I am going to focus on the high-level intuition behind the protocol.
GenKeys(F) → $EK_F$, $VK_F$:
1. Generate the QAP for F
2. Pick random $s$
3. Compute $EK_F = \{ g^{v_1(s)}, \ldots, g^{v_m(s)}, g^{w_1(s)}, \ldots, g^{w_m(s)}, g^{y_1(s)}, \ldots, g^{y_m(s)}, g^{s^i} \}$
4. Compute $VK_F = \{ g^{T(s)} \}$
Prove($EK_F$, x, y) → $\pi_y$:
1. Evaluate the circuit. Get wire values $c_1, \ldots, c_m$
2. Compute: $g^{v(s)} = \prod_i (g^{v_i(s)})^{c_i}$, $g^{w(s)} = \prod_i (g^{w_i(s)})^{c_i}$, $g^{y(s)} = \prod_i (g^{y_i(s)})^{c_i}$
3. Find $H(z)$ s.t. $H(z) \cdot T(z) = V(z) \cdot W(z) - Y(z)$, with $H(z) = \sum_{i=1}^{d} h_i z^i$
4. Compute $g^{H(s)} = \prod_i (g^{s^i})^{h_i}$
5. Proof is $(g^{v(s)}, g^{w(s)}, g^{y(s)}, g^{H(s)})$
Verify($VK_F$, x, y, $\pi_y$) → {Yes, No}:
$e(\cdot, \cdot)$ is a pairing: $e(g^a, g^b) = e(g, g)^{ab}$
Check: $e(g^{v(s)}, g^{w(s)}) / e(g^{y(s)}, g) \stackrel{?}{=} e(g^{H(s)}, g^{T(s)})$
Implementation: Source code is available!
Pipeline: C code, e.g. void main(){ ... x = b[i] + d[j]; y *= x; return y; } → Compile → Quadratic Program → GenKeys(F) → $EK_F$, $VK_F$; Prove($EK_F$, x, y) → $\pi_y$; Verify($VK_F$, x, y, $\pi_y$) → {Yes, No}
Code size: 3,525 LoC + libraries (Python); 10,832 LoC + libraries (C++)
BN elliptic curves with 128 bits of security
Applications: Matrix & vector mult.; Multivariate polynomials; Image matching; All-pairs shortest path; Lattice gas simulator; SHA-1
Verification Time vs. Native Execution:
Detailed Metrics: (each pair of values is MultiVar Poly; Gas Simulation)
Native Time: 12.9 ms; 0.4 ms
Circuit Time: 265 ms; 177 ms
Compile to Quadratic Program: Gates 812k; 802k. Polynomials 571k; 283k
GenKeys(F) → $EK_F$, $VK_F$: Size 157 MB; 78 MB. Size 0.6 KB; 1.1 KB. Time 127 s; 76 s
Prove($EK_F$, x, y) → $\pi_y$: Size 288 B. Time 713 s; 166 s
Verify($VK_F$, x, y, $\pi_y$) → {Yes, No}: Time 12.7 ms; 10.9 ms
References:
Bryan Parno, Jon Howell, Craig Gentry, and Mariana Raykova. "Pinocchio: Nearly Practical Verifiable Computation." 2013 IEEE Symposium on Security and Privacy (SP), pp. 238-252.
Bryan Parno, Jon Howell, Craig Gentry, and Mariana Raykova. "Pinocchio: Nearly Practical Verifiable Computation." Communications of the ACM, 2016, Vol. 59, No. 2, pp. 103-112.
Gennaro, Rosario, et al. "Quadratic span programs and succinct NIZKs without PCPs." Advances in Cryptology–EUROCRYPT 2013. Springer Berlin Heidelberg, 2013, pp. 626-645.
Thank You!