MPC and Verifiable Computation on Committed Data

MPC and Verifiable Computation on Committed Data Meilof Veeningen Philips Research April 4, 2017

Last year at TPMPC…

Philips Research

MPC + Verifiable Computation: Why?
- Setting: patient data is secret-shared into an MPC cluster; the inputters also publish signed input commitments. A trusted set-up (CRS) is assumed.
- Analyst requests such as "perform χ² test" or "show graph comparing treatment vs non-treatment"; the cluster returns the output, e.g. "p = 0.085".
- Auditor request: "provide proof for previous computation!"; the cluster returns output + proof, a zero-knowledge proof that the output is correct with respect to the committed inputs.

TPMPC'16: Shamir + Pinocchio Instantiation
- 3PC based on Shamir secret sharing:
  - Secure against one passive adversary
  - Computations over 𝔽: local addition, multiplication using a protocol
  - Special-purpose protocols for zero testing, fixed-point multiplication, ...
  - Outsourcing is easy
- Verifiable computation with Pinocchio [Parno et al. '13]:
  - ZK proof that committed inputs, outputs, and witness are "correct"
  - "Correctness" is formalized by a QAP: a set of quadratic equations in x ∈ 𝔽^N
  - Secure under the PDH + PKE + SDH assumptions
- To combine the two, we want to compute Prove([x]) with MPC. "Trinocchio": this is easy!
  - [x] is already known from the MPC evaluation
  - The proof can be built from the shares without extra communication
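As an added example (not part of the talk or of the Trinocchio code), the following Python shows the "proof from shares without extra communication" step for the linear part of a Pinocchio commitment: each of three parties computes g^{V·[x]_i} from its Shamir shares alone, and the per-party group elements are combined by Lagrange interpolation in the exponent. The group (the order-1019 subgroup of Z_2039^*), the generator 4, the 3-party/1-corruption parameters and the matrix V are toy assumptions standing in for the pairing group and QAP of the real scheme.

```python
# Added example: Trinocchio-style commitment from Shamir shares (toy group).
import secrets

R = 1019             # prime order of the commitment group; the QAP lives in F_R
Q = 2 * R + 1        # 2039, a safe prime: Z_Q^* has a subgroup of order R
G = 4                # 4 = 2^2 is a square, so it generates the order-R subgroup
N_PARTIES, T = 3, 1  # Trinocchio setting: 3 parties, one passive corruption

def shamir_share(secret, n=N_PARTIES, t=T):
    """Random degree-t polynomial f with f(0) = secret; party i gets f(i)."""
    coeffs = [secret % R] + [secrets.randbelow(R) for _ in range(t)]
    return [sum(c * pow(i, k, R) for k, c in enumerate(coeffs)) % R
            for i in range(1, n + 1)]

def lagrange_at_zero(indices):
    """Reconstruction coefficients lambda_i with f(0) = sum_i lambda_i * f(i)."""
    lam = []
    for i in indices:
        num = den = 1
        for j in indices:
            if j != i:
                num = num * (-j) % R
                den = den * (i - j) % R
        lam.append(num * pow(den, R - 2, R) % R)
    return lam

def commit(V, vec):
    """Generalized Pedersen-style commitment g^{V.vec}: one group element per row of V."""
    return [pow(G, sum(v * s for v, s in zip(row, vec)) % R, Q) for row in V]

def combine_in_exponent(per_party_commitments):
    """prod_i (g^{V.[x]_i})^{lambda_i} = g^{sum_i lambda_i V.[x]_i} = g^{V.x}."""
    lam = lagrange_at_zero(range(1, len(per_party_commitments) + 1))
    combined = []
    for row_values in zip(*per_party_commitments):
        acc = 1
        for c_i, lam_i in zip(row_values, lam):
            acc = acc * pow(c_i, lam_i, Q) % Q
        combined.append(acc)
    return combined

def trinocchio_commitment_matches(V, x):
    """Share x, let each party commit from its own shares only, combine the
    results, and compare with the commitment a prover who knows x would make."""
    shares = [shamir_share(xk) for xk in x]              # shares[k][i]: x_k for party i+1
    per_party = [[shares[k][i] for k in range(len(x))] for i in range(N_PARTIES)]
    local = [commit(V, p) for p in per_party]            # computed without communication
    return combine_in_exponent(local) == commit(V, x)

if __name__ == "__main__":
    V = [[1, 1, 0, 0, 0], [0, 0, 0, 1, 0]]              # toy V matrix (assumption)
    print("combined commitment correct:", trinocchio_commitment_matches(V, [3, 5, 7, 40, 11]))
```

The quotient element g^{(v·w−y)/t} of the proof is quadratic in x, so a party's local contribution to it is a share of degree 2t rather than t; with n = 3 parties and t = 1 such shares still reconstruct, which is why the scheme fits the 3PC setting with one passive corruption.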

TPMPC'17: Applying Trinocchio in Practice
- Same picture as before: population data is secret-shared into the MPC cluster together with signed input commitments; on "provide proof for previous computation!" the cluster returns output + proof.
- Pinocchio proof: g^{(v·w−y)/t} + witness commitment
- Two improvements:
  1. "Commit once, prove later" for Pinocchio
  2. Efficient correctness of MPC sub-protocols

1. "Commit once, prove later" for Pinocchio

Modelling Computations as QAPs
- Model a computation by a set of equations given by matrices (V, W, Y):
    (V·x) ∘ (W·x) = Y·x   (∘ = pointwise product), where x = (inputs, witness, outputs)
- Natural relation between arithmetic circuits and QAPs; in particular: evaluating an arithmetic circuit ≡ computing the QAP witness + output
- Example from the slide (circuit over x1, ..., x5 ≅ QAP with two equations):
    V = [1 1 0 0 0; 0 0 0 1 0],  W = [0 1 0 0 0; 0 1 1 0 0],  Y = [0 0 0 1 0; 0 0 0 0 1]
    i.e. (x1 + x2)·x2 = x4 and x4·(x2 + x3) = x5

Pinocchio: (Very) High-Level Idea
- Need to prove (V·x) ∗ (W·x) − (Y·x) ∗ 1 = 0 (∗ = pointwise product)
- Inputters/provers/verifier build special generalized Pedersen commitments to the vectors V·x, W·x, Y·x: (g^{V·x}, g^{W·x}, g^{Y·x}). These commitments are homomorphic.
- Prove that e(g^{V·x}, g^{W·x}) · e(g^{Y·x}, g^{1})^{−1} "≡ 0" (exponent identically zero), using that the pointwise product and the pairing commute
- Efficient zero proof: FFTs on polynomials + evaluation in the exponent
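The two views of a QAP on the previous slides (pointwise equations, and the polynomial identity behind Pinocchio's g^{(v·w−y)/t} element) as an added worked example, not code from the talk or from Pinocchio itself. It uses the V, W, Y matrices recovered from the slide; the prime field F_1019 and the evaluation points 1 and 2 (one per equation) are assumptions, chosen only to keep the arithmetic readable.

```python
# Added example: QAP satisfiability, pointwise and as divisibility by t(z).
P = 1019  # toy prime field (assumption); Pinocchio uses the pairing group order

# QAP from the slide: two equations over x = (x1, ..., x5)
V = [[1, 1, 0, 0, 0], [0, 0, 0, 1, 0]]
W = [[0, 1, 0, 0, 0], [0, 1, 1, 0, 0]]
Y = [[0, 0, 0, 1, 0], [0, 0, 0, 0, 1]]
ROOTS = [1, 2]  # one evaluation point per equation (assumption: any distinct points)

def inv(a):
    return pow(a % P, P - 2, P)

def evaluate_circuit(x1, x2, x3):
    """Evaluating the circuit == computing the QAP witness (x4) + output (x5)."""
    x4 = (x1 + x2) * x2 % P
    x5 = x4 * (x2 + x3) % P
    return [x1 % P, x2 % P, x3 % P, x4, x5]

def matvec(M, x):
    return [sum(m * xi for m, xi in zip(row, x)) % P for row in M]

def qap_holds_pointwise(x):
    """(V.x) * (W.x) - (Y.x) * 1 == 0 in every coordinate."""
    v, w, y = matvec(V, x), matvec(W, x), matvec(Y, x)
    return all((vi * wi - yi) % P == 0 for vi, wi, yi in zip(v, w, y))

# --- polynomials over F_P as coefficient lists, lowest degree first ---
def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(ai + bi) % P for ai, bi in zip(a, b)]

def poly_scale(a, c):
    return [ai * c % P for ai in a]

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out

def poly_divmod(num, den):
    """Long division; returns (quotient, remainder) with deg(remainder) < deg(den)."""
    num = num[:]
    q = [0] * max(1, len(num) - len(den) + 1)
    lead_inv = inv(den[-1])
    for i in range(len(num) - len(den), -1, -1):
        q[i] = num[i + len(den) - 1] * lead_inv % P
        for j, dj in enumerate(den):
            num[i + j] = (num[i + j] - q[i] * dj) % P
    return q, num[:len(den) - 1]

def interpolate(values):
    """Lagrange polynomial taking values[k] at ROOTS[k]."""
    result = [0]
    for k, (rk, vk) in enumerate(zip(ROOTS, values)):
        term = [vk % P]
        for j, rj in enumerate(ROOTS):
            if j != k:
                term = poly_mul(term, poly_scale([-rj, 1], inv(rk - rj)))
        result = poly_add(result, term)
    return result

def target_poly():
    """t(z) = prod_k (z - r_k): vanishes exactly at the equation points."""
    t = [1]
    for r in ROOTS:
        t = poly_mul(t, [-r, 1])
    return t

def combine(M, x):
    """v(z) = sum_k x_k v_k(z), where v_k interpolates column k of M over ROOTS."""
    acc = [0]
    for k, xk in enumerate(x):
        acc = poly_add(acc, poly_scale(interpolate([row[k] for row in M]), xk))
    return acc

def quotient_h(x):
    """h(z) = (v(z)w(z) - y(z)) / t(z) if the division is exact, else None.
    Pinocchio's proof element g^{(vw-y)/t} is exactly this quotient, in the exponent."""
    v, w, y = combine(V, x), combine(W, x), combine(Y, x)
    p = poly_add(poly_mul(v, w), poly_scale(y, P - 1))
    h, rem = poly_divmod(p, target_poly())
    return h if all(r == 0 for r in rem) else None
```

A correct witness makes v·w − y vanish at every root, so t(z) divides it and h exists; tampering with a single wire (e.g. x5) breaks the pointwise check at one equation and, equivalently, leaves a non-zero remainder, which is what the pairing equation in the real scheme detects.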

"Commit once, prove later"
- Inputters/provers/verifier each provide commitments to their part of x: (g^{V·x}, g^{W·x}, g^{Y·x})
- Pinocchio must guarantee that parties provide only their own part of x, and do so consistently across the three commitments! For a secret β, publish g^{β·(col.V || col.W || col.Y)} and let the prover provide g^{β·(V·x || W·x || Y·x)}.
- Basic idea: add a computation-independent commitment to this consistency check: (g^{V·x}, g^{W·x}, g^{Y·x}, g^{x}), where the fourth component uses the identity matrix (1 ⋱) in place of V, W, Y, so it can be produced before the computation is known and re-used afterwards.
- Details, optimizations: see our paper

Improvement 2: QAPs for sub-protocols

QAPs for sub-protocols (I)
- Natural relation between arithmetic circuits and QAPs; in particular: evaluating an arithmetic circuit ≡ computing output + QAP witness (same example circuit and matrices V, W, Y as before)
- But how about QAPs for special-purpose sub-protocols (e.g., integer comparison, zero testing, fixed-point multiplication, ...)?
- See them as arithmetic circuits? Then the verifier needs to see and process the opened values...
- Task: design efficient QAPs for sub-protocols

QAPs for sub-protocols (II): the "zero-equality gate" [PHGR13], [b] ← [a ≠ 0]
- MPC: an elaborate protocol using, e.g., bit decompositions, ...
- Step 1, design an efficient QAP (variables a, b, c, d):
    a·c = b
    a·(1 − b) = 0
    d·d = d  (d is set to 1 in the witness)
- Step 2, compute the witness (MPC):
    [d] ← 1
    [c] ← ([a] + (1 − [b]))^{−1}

QAPs for sub-protocols (III): more examples
- Comparison protocol [b] = [a ≥ 0]: letting [|a|] ← [a] if b = 1 and [−a] if b = 0, prove that b ∈ {0,1} and |a| ≥ 0: make a bit decomposition [a_1], ..., [a_l] and prove it correct (i.e., the bits add up to [|a|])
- Division protocol [c] = [a]/[b]:
  - Computation: Newton/Goldschmidt iteration
  - Correctness of the result: 0 ≤ [a] − [b]·[c] < [b], again with bit decompositions
- Or: prove correctness of the full computation in one go!
  - Linear programming: computing the solution (with the simplex algorithm) is complex, but verifying it (with the dual solution) is just checking a few equations
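The sub-protocol QAPs of the last two slides (zero-equality gate, comparison via bit decomposition, division checked through its remainder) as one added example; this is not code from the talk or from Geppetri. The witnesses are computed on plaintext here, where the MPC cluster would compute them on shares; the point is the shape of the constraints, which is the same in both cases. The field F_1019 and the 8-bit range for |a| and remainders are assumptions.

```python
# Added example: QAP-style constraints and witnesses for MPC sub-protocols.
P = 1019   # toy prime field (assumption)
L = 8      # assumed bit length for range checks: values proven < 2^L, well below P/2

def inv(a):
    return pow(a % P, P - 2, P)

# --- zero-equality gate [PHGR13]: b = [a != 0] ---
def zero_eq_witness(a):
    """Prover/MPC side: b = [a != 0], c = (a + (1 - b))^-1, d = 1."""
    b = 1 if a % P else 0
    return {"a": a % P, "b": b, "c": inv(a + 1 - b), "d": 1}

def zero_eq_constraints(w):
    """The QAP equations, each written as a value that must be 0 mod P."""
    a, b, c, d = w["a"], w["b"], w["c"], w["d"]
    return [(a * c - b) % P,          # a*c = b
            (a * (1 - b)) % P,        # a*(1-b) = 0
            (d * d - d) % P]          # d*d = d

# --- bit decomposition: proves 0 <= v < 2^L ---
def bits(v):
    return [(v >> i) & 1 for i in range(L)]

def range_constraints(v, bs):
    """Each bit is boolean, and the bits add up to v."""
    eqs = [(bi * (bi - 1)) % P for bi in bs]
    eqs.append((sum(bi << i for i, bi in enumerate(bs)) - v) % P)
    return eqs

# --- comparison: b = [a >= 0] for signed a with |a| < 2^L ---
def compare_witness(a):
    b = 1 if a >= 0 else 0
    abs_a = a if b else -a
    return {"a": a % P, "b": b, "abs": abs_a % P, "bits": bits(abs_a)}

def compare_constraints(w):
    a, b, abs_a = w["a"], w["b"], w["abs"]
    eqs = [(b * (b - 1)) % P]                            # b in {0, 1}
    eqs.append((abs_a - (b * a + (1 - b) * (-a))) % P)  # |a| = a if b else -a
    return eqs + range_constraints(abs_a, w["bits"])    # |a| >= 0 via its bits

# --- integer division c = a div b, proven by 0 <= a - b*c < b ---
def division_witness(a, b):
    c = a // b                      # the MPC cluster would use Newton/Goldschmidt here
    r = a - b * c
    return {"a": a, "b": b, "c": c, "r": r,
            "r_bits": bits(r), "gap_bits": bits(b - r - 1)}

def division_constraints(w):
    a, b, c, r = w["a"], w["b"], w["c"], w["r"]
    eqs = [(a - b * c - r) % P]                            # r = a - b*c
    eqs += range_constraints(r, w["r_bits"])              # 0 <= r
    eqs += range_constraints(b - r - 1, w["gap_bits"])    # r < b
    return eqs

def satisfied(eqs):
    """A QAP is satisfied when every equation evaluates to 0."""
    return all(e == 0 for e in eqs)
```

The verifier never sees a, b or c: it only checks that the committed witness satisfies these few quadratic equations, which is what lets a comparison or a division cost a handful of QAP equations plus one bit decomposition instead of the full arithmetic circuit of the MPC protocol that computed it.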

Some performance figures...
- On the same arithmetic circuit, MPC is much faster than VC (≈20×) [SVdV15]: Trinocchio "adds privacy to verifiable computation with little overhead" (for arithmetic circuits)
- But VC typically needs to be applied to much smaller circuits! [Vee17]: in Geppetri, "proving is faster than computing with MPC" (in a practical case study)
- Example: χ² test on survival data (175 data points); # divisions = 351, # QAP equations = 30189
    Computing function (MPC): 148 s
    Computing witness (MPC): 51 s
    Proving (plain): 10 s
    Proving (MPC): 73 s

Conclusions
- Combining MPC with verifiable computation gives privacy + auditability at low cost
- By making Pinocchio adaptive, we can re-use inputs + build modular proofs (construction: see https://eprint.iacr.org/2017/013)
- Using special QAPs for sub-protocols, proving is faster than computing
  - Task: design efficient QAPs and efficient protocols to compute the QAPs' witnesses
- Geppetri: user-friendly programming of verifiable computations (with or without MPC), see https://github.com/meilof/geppetri
- More information: meilof.veeningen@philips.com, https://soda-project.eu/