Efficient Consistency Proofs for Generalized Queries on a Committed Database R. Ostrovsky C. Rackoff A. Smith UCLA Toronto.

Presentation transcript:

Efficient Consistency Proofs for Generalized Queries on a Committed Database
R. Ostrovsky (UCLA), C. Rackoff (Toronto U.), A. Smith (MIT)
July 12, 2004

Rafail Ostrovsky, UCLA

Slide 2: Main goal
- A potentially cheating party publishes a short certificate to a "database" which "commits" it to the entire database.
- Answers to any complex query can be shown (with a very short proof) to be consistent with the certificate.
- No poly-time adversary can cheat and come up with a certificate and two different answers to the same query.
- Main challenge: achieve a short certificate and short proofs for general queries.

Slide 3: History
- Commitment to Sets of Values
  - [Buldas, Laud, Lipmaa]
  - [Kilian]
  - [Micali and Rabin]
- Protocols with Trusted Committer: Authenticated Data-Structures
  - [Naor, Nissim]
  - [Goodrich, Tamassia, Triandopoulos, Cohen]
  - many others
- Zero-Knowledge Sets
  - [Micali, Rabin, Kilian]

Slide 4: Our Contributions (1)
- Definition of Consistent Query Protocols (CQP): a short certificate that "binds" general data-structures, together with a short proof of consistency.
- CQP for orthogonal range queries.

Slide 5: Our contributions (cont)
- For orthogonal range queries:
  - Each entry: $(key_1, \ldots, key_d, value)$
  - Query: d ranges, each range [x1,x2]
  - d dimensions
  - k is a security parameter
- Proof size: $O(k(m+1)\log^d N)$
- We show how to modify Bentley's data structure (authenticated data-structures are not sufficient).

Slide 6: Our contributions (cont)
- General transformation: we show how to modify any consistent query protocol to have the same property as ZK-sets, that is, not to reveal the DB size, using O(poly(k)) overhead based on general assumptions.
- We show a construction based on explicit-hash Merkle trees with better constants.

Slide 7: The rest of the talk…
- Machinery needed.
- Some of the ideas in our constructions.

Slide 8: Motivation – Commitment Protocols
- Two-player game: Committer and Receiver.
- Commitment stage: "storing" some hidden value.
- De-commit stage: "opening" this value.
- Two properties: binding property and privacy property.

Slide 9: An example of a commitment protocol
- Alice has a hidden bit b.
- Alice picks a 1-way permutation $f: \{0,1\}^n \to \{0,1\}^n$ and random n-bit x, r, and sends to Bob:
  - f(x), [(x*r) mod 2] xor b
- If f is a verifiable 1-way permutation, this is both binding and secure.
- To open, Alice sends x to Bob.

Slide 10: Multiple commitments
- What if Alice wants to commit to $b_1, \ldots, b_n$?
- One way to do it is to repeat the protocol above and commit to each bit separately.
- How can we do it more efficiently?

Slide 11: A faster way to do it – Merkle trees
- Assume $h: \{0,1\}^{2k} \to \{0,1\}^k$ is a collision-resistant hash function, such that no poly-time adversary can find a collision.
- Group the N bits that we wish to commit into groups of size 2k each and apply h. Now we have N/2 bits. Repeat until we get to k bits.
- Commit (using the basic scheme) to the last k bits.
- Merkle: this is secure, since otherwise one can find a collision.

Slide 12: Commitment of a set
- Committing to a set of integers.
- The naïve approach: commit to each integer separately using the basic scheme.
- Easy on "yes" answers.
- Hard on "no" answers.

Slide 13: Do Merkle trees work?
- Not as is.
- "Yes" answers are fast.
- "No" answers are slow: one has to go over all the leaves.
- [BLL][K][MR] gave a faster solution (for "no" answers) for a set, based on Merkle trees. (If the set has a total order, the solution also works for intervals.)

Slide 14: The basic idea of [BLL][K][MR]: Merkle interval tree
- Sort the keys.
- Each internal node contains:
  - Left subtree interval
  - Right subtree interval
  - MD5 of its children's values
- To show that the item is present, show the path to the root, with all siblings along the path.
- To show that the item is NOT in the DB, show the path until the intervals EXCLUDE the item.
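
The Merkle interval tree of slides 11 to 14, as an added example that is not code from the talk: a committer builds the tree, and a verifier checks both presence and absence proofs against the short certificate. SHA-256 stands in for the hash named on the slide; `H`, `build`, `prove`, `verify` and the sample database are hypothetical names and constructed data.

```python
import hashlib

def H(*parts):
    # SHA-256 over length-prefixed parts (assumed stand-in for the slides' hash h)
    m = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        m.update(len(b).to_bytes(4, "big") + b)
    return m.digest()

def build(items):
    # items: non-empty list of (key, value), sorted by key
    if len(items) == 1:
        k, v = items[0]
        return {"lo": k, "hi": k, "val": v, "h": H("leaf", k, v)}
    l, r = build(items[:len(items) // 2]), build(items[len(items) // 2:])
    return {"lo": l["lo"], "hi": r["hi"], "l": l, "r": r,
            "h": H("node", l["lo"], l["hi"], l["h"], r["lo"], r["hi"], r["h"])}

def prove(root, q):
    # Reveal both child summaries at each node on the way down; stop at a
    # leaf (present) or as soon as the current interval excludes q (absent).
    path, node = [], root
    while node["lo"] <= q <= node["hi"] and "l" in node:
        l, r = node["l"], node["r"]
        path.append((l["lo"], l["hi"], l["h"], r["lo"], r["hi"], r["h"]))
        node = l if q <= l["hi"] else r
    return path, (node["val"] if node["lo"] <= q <= node["hi"] else None)

def verify(cert, q, path, val):
    lo, hi, h = cert                      # certificate: root interval and root hash
    for step in path:
        if not (lo <= q <= hi) or H("node", *step) != h:
            return False
        llo, lhi, lh, rlo, rhi, rh = step
        if not (lo <= llo <= lhi < rlo <= rhi <= hi):
            return False                  # child intervals must nest and stay disjoint
        lo, hi, h = (llo, lhi, lh) if q <= lhi else (rlo, rhi, rh)
    if val is None:                       # absence: the path ends where q is excluded
        return not (lo <= q <= hi)
    return lo == hi == q and H("leaf", q, val) == h

# Constructed sample database (not from the talk)
DB = sorted({3: "a", 8: "b", 15: "c", 21: "d", 30: "e"}.items())
root = build(DB)
cert = (root["lo"], root["hi"], root["h"])
```

Because the verifier's descent is fully determined by the hashed child summaries, a committer who wants two different answers for the same key must open some node hash in two ways, which is a collision.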

Slide 15: Orthogonal range queries
- What if we wish to commit to more general data-objects, such as a relational database? Example: DB of "employee name", "age", "salary".
- We wish to support range queries of the form "find all employees between age and between salary x and y".
- What does a consistent range query mean here?
- In this talk we'll limit ourselves to 2-d range queries, though our solution generalizes.

Slide 16: 2-D range queries: the data-structure
- DB: (xkey, ykey, value)
- Query: find all entries in the DB in the rectangle [x1,x2] × [y1,y2]
- Modification to Bentley's 2-dim range query:
  - Make a Merkle interval tree for the X-coordinate.
  - For each internal node (corresponding to an X-interval), store inside the node the root of a "secondary" Merkle interval tree for the Y coordinates in that X-range. (Each y point is stored log N times.)

Slide 17: 2-D range queries: searching for range
- Search the primary tree and check for consistency.
- Search a secondary tree and check for consistency.
- For each entry that is retrieved, check that it is valid in ALL secondary trees which are on the path to the root in the primary tree. (Takes $O(\log^2 N)$ steps.)
- Easy to generalize to d dimensions.
- Proof: if Adv can cheat on any range, then it can find collisions.

Slide 18: Extending idea to Zero-Knowledge Sets
- The previous scheme works for 2-dimensional ranges.
- [KMR] show how to extend to ZK-sets (i.e. not to reveal N) using the DDH assumption.
- We show how to extend this idea to Zero-Knowledge Sets under general assumptions using [Barak-Goldreich] universal arguments:
  - Commit to a root
  - Give a commitment of CQP
  - Give a [BG] universal argument of super-poly bound on N of consistency.

Slide 19: Conclusions
- Consistent query protocols (CQP) are generalizations of:
  - Zero-knowledge sets
  - Commitment schemes (for large datasets)
  - Authenticated data structures
- CQP can be achieved under general assumptions.
- For special cases (such as low-dimensional range queries) we show implementations that do not require PCP and are efficient. (O(log N) away from the best known non-private bound.)