Bryan Parno, Jon Howell, Craig Gentry, Mariana Raykova


Pinocchio: Nearly Practical Verifiable Computation. Bryan Parno, Jon Howell, Craig Gentry, Mariana Raykova. Joint work: Microsoft Research, IBM Research. Presentation by: Karim Baghery, Cryptology Research Group; karim.baghery@ut.ee. Supervisor: Prof. Dominique Unruh. Coordinator: Dr. Vitaly Skachek. Research Seminar in Cryptography (MTAT.07.022), 2016/2017 Fall.

Problem Motivation: A question… What do you do when your workload (computation) exceeds your own computing power, or demands far more resources than you have?

Problem Motivation: The most probable answer… Cambridge Dictionary: "A situation in which a company employs another organization to do some of its work."

Problem Motivation: Outsourcing (Cloud) Computing. A new paradigm of computation. Motivation: allow a computationally weak client to outsource its computation to a worker (the cloud). (Figure: the client sends f and x to the cloud, which returns y = f(x).)

Problem Motivation: We do not want to blindly trust the cloud! What happens if the cloud is malicious, or malfunctioning, …? (For example: share your direction or location with …!) (Figure: the client sends x; the cloud answers with the claim y = f(x).)

Background Knowledge: Verifiable Computation (VC). A public verifiable computation scheme VC consists of three polynomial-time algorithms (KeyGen, Compute, Verify), denoted as follows.
(EK_F, VK_F) ← KeyGen(F, 1^λ): the randomized key generation algorithm takes the function F to be outsourced and the security parameter λ; it outputs a public evaluation key EK_F and a public verification key VK_F.
(y, π_y) ← Compute / Prove(EK_F, u): the deterministic worker algorithm uses the public evaluation key EK_F and the input u; it outputs y ← F(u) and a proof π_y of y's correctness.
{0, 1} ← Verify(VK_F, u, y, π_y): given the verification key VK_F, the deterministic verification algorithm outputs 1 if F(u) = y, and 0 otherwise.

Verifiable Computation: Properties. Correctness: y =? f(x). Privacy: the cloud should learn nothing about the data x. Efficiency: verifying should be cheaper than evaluating f(x) directly. Zero-knowledge: in some cases, where f(x, w) → y, the client learns nothing about the witness w in y = f(x, w).

Pinocchio: An Efficient Solution for Verifiable Computation

Related Work: How quickly is this area changing? (Chart: time in seconds, on a log scale from ~10^6 to ~10^23, to verify a 1000×1000 by 1000×1000 matrix multiplication [A] × [B]. Annotations on the chart: 72 trillion years; 37 centuries; an improvement of 6 orders of magnitude; 12 min; improved by batching; 7 orders of magnitude; 15 ms.)

Related Work: A comparison of some efficient zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs), by CRS length (group elements), prover computations (exponentiations) and verifier computations (exponentiations + pairings):
Gro10: O(C²) O(C) +(1)
Lip12: O(C^(1+o(1))) O(C) +(62)
GGPR13 / Pinocchio: O(C); O(C) crypto + O(C log² C) non-crypto; O(N) (I/O)
C: the size of the circuit; N: the size of the input.

Pinocchio's Contributions: A new cryptographic protocol for public verifiable computation, which also has the zero-knowledge property. Quadratic programs: a highly efficient encoding of general computations. Good asymptotics (and, for this case, concrete numbers):
One-time key setup: O(|C|).
Worker: O(|C|) cryptographic work, plus O(|C| log² |C|) to compute H(x); 60× faster.
Verification: O(N) (input and output); 10^7× faster.
Generated proof (signature): O(λ) bytes; 288 bytes.
Evaluation of several real C applications; in some cases verification beats native C code (the first VC scheme to do so).

Pinocchio's Pipeline: (1) Compiler: C code → arithmetic circuit. (2) Encoding: arithmetic circuit → Quadratic Arithmetic Program (QAP). (3) Cryptographic verification protocol (ECC-based): (EK_F, VK_F) ← GenKeys(F); Worker: π_y ← Prove(EK_F, x, y); Client: {Yes, No} ← Verify(VK_F, x, y, π_y).

Pinocchio's Pipeline: (1) C to Arithmetic Circuit Compiler. The compiler knows a subset of C: functions, conditionals, loops; arithmetic and bitwise operators; arrays, structures, … The compiler outputs an arithmetic circuit with wire values c_i ∈ F_p. (Figure: an example circuit over wires C1 … C5 with an addition gate C1 + C2 mod p, a multiplication gate C3 × C4 mod p, and the check C5 =? 0; example input X = 11.)

Pinocchio's Pipeline: (2) Arithmetic Circuit to QAP Encoder. An efficient encoding of computation, already deployed in different cryptographic protocols. Theorem [GGPR13]: Let C be an arithmetic circuit that computes F; then there is a Quadratic Arithmetic Program (QAP) of size O(|C|) and degree d that computes F. It can verify any poly-time (or even NP) function. A similar theorem holds for Boolean circuits and Quadratic Span Programs (QSP).

Quadratic Arithmetic Program: Overview of the Main Intuition.
Client (I): 1. Define T(z) = (z − r5)(z − r6). 2. Define v1(z), …, v6(z), w1(z), …, w6(z), y1(z), …, y6(z). Send v_i(z), w_i(z), y_i(z), T(z), the circuit and the input to the worker.
Worker (II): 1. Evaluate the circuit with inputs (c1, c2, …, c6). 2. Compute V(z) = c1·v1(z) + … + c6·v6(z), W(z) = c1·w1(z) + … + c6·w6(z), Y(z) = c1·y1(z) + … + c6·y6(z). 3. Compute P(z) = (Σ_i c_i v_i(z)) · (Σ_i c_i w_i(z)) − Σ_i c_i y_i(z) = V(z)·W(z) − Y(z). 4. Compute H(z) = P(z)/T(z). Send V(z), W(z), Y(z), H(z) to the client.
Client: 3. Check V(z)·W(z) − Y(z) =? H(z)·T(z), which holds when (c1, c2, …, c6) is a valid assignment of F's input and output, because by the QAP encoding H(z)·T(z) = P(z) with P(z) = (Σ_i c_i v_i(z))(Σ_i c_i w_i(z)) − Σ_i c_i y_i(z).

Quadratic Arithmetic Program: Main Intuition. Construct polynomials T(z) = (z − r5)(z − r6) and P(z) = (Σ_i c_i v_i(z)) · (Σ_i c_i w_i(z)) − Σ_i c_i y_i(z) that encode the gate equations and the wire values {c_i}. (c1, …, cm) is a valid set of wire values iff T(z) divides P(z), i.e. ∃ H(z): H(z)·T(z) == P(z). For the example circuit this is equivalent to C3 * C4 == C5 and (C1 + C2) * C5 == C6, i.e. ∀ r_i: T(r_i) == 0 ⇒ P(r_i) == 0. The crypto protocol checks divisibility at a random point, and hence cheaply checks correctness.

Converting Arithmetic Circuits to QAPs. Pick an arbitrary root for each multiplication gate: r5, r6 from F. Define T(z) = (z − r5)(z − r6). Define P(z) via three sets of polynomials {v0(z), …, v6(z)}, {w0(z), …, w6(z)}, {y0(z), …, y6(z)}, where P(z) = (Σ_i c_i v_i(z)) · (Σ_i c_i w_i(z)) − Σ_i c_i y_i(z). (Table: rows r5, r6; columns 1, C1, …, C6 for each of the left-input polynomials v_i, the right-input polynomials w_i and the output polynomials y_i; an entry is 1 where that wire feeds the gate's left input, right input or output, and 0 otherwise. At r5: v3 = 1, w4 = 1, y5 = 1. At r6: v1 = v2 = 1, w5 = 1, y6 = 1. Inputs: C1 … C4; output: C6.)

Why does it work? Based on the definitions T(z) = (z − r5)(z − r6) and P(z) = (Σ_i c_i v_i(z)) · (Σ_i c_i w_i(z)) − Σ_i c_i y_i(z), "T(z) divides P(z)" means ∀ r_i: T(r_i) == 0 ⇒ P(r_i) == 0. At the roots: T(r5) = 0 and P(r5) = (c3)(c4) − (c5); T(r6) = 0 and P(r6) = (c1 + c2)(c5) − (c6). So each root of T(z) checks exactly one gate equation, and P(z) vanishes at both roots iff both gates are satisfied.

Pinocchio's Pipeline: (3) Cryptographic verification protocol (ECC-based): (EK_F, VK_F) ← GenKeys(F); Worker: π_y ← Prove(EK_F, x, y); Client: {Yes, No} ← Verify(VK_F, x, y, π_y). Having built these polynomials, we now turn to the cryptographic protocol.

Cryptographic Protocol (Simplified). In particular, I am going to focus on the high-level intuition behind the protocol.
GenKeys(F) → (EK_F, VK_F): 1. Generate the QAP for F. 2. Pick a random s. 3. Compute EK_F = { g^{v_1(s)}, …, g^{v_m(s)}, g^{w_1(s)}, …, g^{w_m(s)}, g^{y_1(s)}, …, g^{y_m(s)}, g^{s^i} }. 4. Compute VK_F = { g^{T(s)} }.
Prove(EK_F, x, y) → π_y: 1. Evaluate the circuit; get wire values c_1, …, c_m. 2. Compute g^{v(s)} = Π_i (g^{v_i(s)})^{c_i}, g^{w(s)} = Π_i (g^{w_i(s)})^{c_i}, g^{y(s)} = Π_i (g^{y_i(s)})^{c_i}. 3. Find H(z) such that H(z)·T(z) = V(z)·W(z) − Y(z), with H(z) = Σ_{i=1}^{d} h_i · z^i. 4. Compute g^{H(s)} = Π_i (g^{s^i})^{h_i}. 5. The proof is (g^{v(s)}, g^{w(s)}, g^{y(s)}, g^{H(s)}).
Verify(VK_F, x, y, π_y) → {Yes, No}: e(·, ·) is a pairing, e(g^a, g^b) == e(g, g)^{ab}. Check: e(g^{v(s)}, g^{w(s)}) / e(g^{y(s)}, g) =?= e(g^{H(s)}, g^{T(s)}).
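As an added example (not Pinocchio's code and not from the slides' authors), the following Python carries the QAP slides and the simplified protocol above through on the two-gate circuit used in the slides (c3·c4 = c5 and (c1 + c2)·c5 = c6): it interpolates v_i, w_i, y_i from the gate table, has the worker compute V(z), W(z), Y(z), P(z) and H(z) = P(z)/T(z), and has the client check V(s)·W(s) − Y(s) = H(s)·T(s) at a random point s. Assumed simplifications: a Mersenne prime field stands in for the BN curve group order, the roots r5 = 5 and r6 = 6 are chosen arbitrarily, and the random-point check is evaluated in the clear instead of in the exponent under a pairing (so s is not secret here). Note that the addition gate gets no root of its own; as on the slides it is folded into the left input of the second multiplication gate, which is why T(z) has only two roots. The example also shows a worker claiming a wrong output: T(z) then no longer divides P(z), and the check at the random point fails.

```python
import random
from functools import reduce

# Constructed toy parameters: a Mersenne prime field stands in for the order of
# the BN curve group Pinocchio uses; the polynomial arithmetic is the same.
P_MOD = 2**61 - 1
R5, R6 = 5, 6                            # arbitrary roots, one per gate
# Gate table for the slides' circuit, wires c0..c6 with c0 == 1:
#   (root, left-input wires, right-input wires, output wire)
GATES = [(R5, [3], [4], 5),              # c3 * c4 == c5
         (R6, [1, 2], [5], 6)]           # (c1 + c2) * c5 == c6
NUM_WIRES = 7

# Polynomials are coefficient lists over F_p, lowest degree first.
def padd(a, b):
    n = max(len(a), len(b))
    return [((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P_MOD
            for i in range(n)]

def pscale(a, k):
    return [c * k % P_MOD for c in a]

def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P_MOD
    return out

def peval(a, z):                         # Horner's rule
    return reduce(lambda acc, c: (acc * z + c) % P_MOD, reversed(a), 0)

def pdivmod(num, den):                   # long division over F_p
    num, lead_inv = num[:], pow(den[-1], -1, P_MOD)
    q = [0] * max(1, len(num) - len(den) + 1)
    for i in range(len(num) - len(den), -1, -1):
        q[i] = coef = num[i + len(den) - 1] * lead_inv % P_MOD
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - coef * d) % P_MOD
    return q, num[:len(den) - 1]         # (quotient, remainder)

def lagrange(points):                    # lowest-degree polynomial through the points
    result = [0]
    for k, (xk, yk) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != k:
                basis = pmul(basis, [(-xj) % P_MOD, 1])
                denom = denom * (xk - xj) % P_MOD
        result = padd(result, pscale(basis, yk * pow(denom, -1, P_MOD) % P_MOD))
    return result

def build_qap(gates=GATES, m=NUM_WIRES):
    """T(z) vanishes at every gate root; v_i/w_i/y_i equal 1 at a root iff
    wire i feeds that gate's left input / right input / output."""
    T = reduce(pmul, ([(-r) % P_MOD, 1] for r, _, _, _ in gates), [1])
    V = [lagrange([(r, int(i in l)) for r, l, _, _ in gates]) for i in range(m)]
    W = [lagrange([(r, int(i in rt)) for r, _, rt, _ in gates]) for i in range(m)]
    Y = [lagrange([(r, int(i == o)) for r, _, _, o in gates]) for i in range(m)]
    return T, V, W, Y

def evaluate_circuit(x1, x2, x3, x4):
    """Worker step 1: run the circuit and record every wire value c0..c6."""
    c5 = x3 * x4 % P_MOD
    c6 = (x1 + x2) * c5 % P_MOD
    return [1, x1 % P_MOD, x2 % P_MOD, x3 % P_MOD, x4 % P_MOD, c5, c6]

def combine(polys, c):                   # sum_i c_i * poly_i(z)
    return reduce(padd, (pscale(q, ci) for q, ci in zip(polys, c)), [0])

def prove(qap, c):
    """Worker steps 2-4: V, W, Y from the wire values, P = V*W - Y, H = P / T.
    Also returns whether T really divided P (for a cheating prover it does not)."""
    T, Vs, Ws, Ys = qap
    V, W, Y = combine(Vs, c), combine(Ws, c), combine(Ys, c)
    H, rem = pdivmod(padd(pmul(V, W), pscale(Y, -1)), T)
    return V, W, Y, H, all(x == 0 for x in rem)

def gate_residuals(c):                   # P(r5), P(r6): zero iff that gate holds
    V, W, Y, _, _ = prove(build_qap(), c)
    return tuple((peval(V, r) * peval(W, r) - peval(Y, r)) % P_MOD for r in (R5, R6))

def verify(T, V, W, Y, H, s=None):
    """Client check V(s)*W(s) - Y(s) == H(s)*T(s) at a random point s. Pinocchio
    does this in the exponent with a pairing so s stays secret; here it is in the clear."""
    s = random.randrange(1, P_MOD) if s is None else s
    lhs = (peval(V, s) * peval(W, s) - peval(Y, s)) % P_MOD
    return lhs == peval(H, s) * peval(T, s) % P_MOD

def run(wires, s=None):                  # -> (T divides P, random-point check passed)
    qap = build_qap()
    V, W, Y, H, divisible = prove(qap, wires)
    return divisible, verify(qap[0], V, W, Y, H, s)

if __name__ == "__main__":
    honest = evaluate_circuit(2, 3, 4, 5)        # c5 = 20, c6 = 100
    cheat = honest[:6] + [99]                    # same inputs, wrong output claim
    print(run(honest), gate_residuals(honest))   # (True, True) (0, 0)
    print(run(cheat), gate_residuals(cheat))     # (False, False) (0, 1)
```

For the honest wire assignment P(z) vanishes at both roots, so the remainder of P(z)/T(z) is zero and the random-point check passes. For the forged output c6 = 99, P(r6) = (2 + 3)·20 − 99 = 1, so P(z) = H(z)·T(z) + (z − r5) for the quotient H(z) the worker can still compute; the two sides of the check then differ by (s − r5), which is non-zero for every s except r5, i.e. the forgery is caught with probability 1 − 1/p.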

Implementation: source code is available! The compiler is 3,525 LoC + libraries (Python); the cryptographic protocol is 10,832 LoC + libraries (C++), using BN elliptic curves with 128 bits of security. Applications: matrix and vector multiplication, multivariate polynomials, image matching, all-pairs shortest path, lattice gas simulator, SHA-1. (Figure: the pipeline again: C code such as "void main(){ ... x = b[i] + d[j]; y *= x; return y; }" → Compile → quadratic program → GenKeys(F) → (EK_F, VK_F) → Prove(EK_F, x, y) → π_y → Verify(VK_F, x, y, π_y) → {Yes, No}.)

Verification Time vs. Native Execution:

Quadratic Program y Detailed Matrices: EKF , VKF GenKeys(F) Native Time 12.9 ms 0.4 ms Circuit Time 265 ms 177 ms void main(){ ... x = b[i] + d[j]; y *= x; return y; } Quadratic Program Compile Compile Apps MultiVar Poly Gas Simulation Gates 812k 802k Polynomials 571k 283k Size 157 MB 78 MB Size 0.6 KB 1.1 KB Time 127s 76s Compile Size 288 B Time 713s 166s EKF , VKF GenKeys(F) y Prove(EKF, x, y) Time 12.7ms 10.9ms {Yes, No} Verify(VKF, x, y, y)

References:
Bryan Parno, Jon Howell, Craig Gentry, and Mariana Raykova. Pinocchio: Nearly Practical Verifiable Computation. 2013 IEEE Symposium on Security and Privacy (SP), pp. 238-252.
Bryan Parno, Jon Howell, Craig Gentry, and Mariana Raykova. Pinocchio: Nearly Practical Verifiable Computation. Communications of the ACM, Vol. 59, No. 2, 2016, pp. 103-112.
[GGPR13] Rosario Gennaro, Craig Gentry, Bryan Parno, and Mariana Raykova. Quadratic Span Programs and Succinct NIZKs without PCPs. Advances in Cryptology – EUROCRYPT 2013, Springer Berlin Heidelberg, 2013, pp. 626-645.

Thank You! Pinocchio: Nearly Practical Verifiable Computation. Bryan Parno, Jon Howell, Craig Gentry, Mariana Raykova. Presentation by: Karim Baghery, Cryptology Research Group; karim.baghery@ut.ee
