Multi-Client Non-Interactive Verifiable Computation Seung Geol Choi (Columbia U.) Jonathan Katz (U. Maryland) Ranjit Kumaresan (Technion) Carlos Cid (Royal Holloway)

Verifiable Computation Increasing dependence on the cloud –Individual devices getting smaller & smaller Resource constrained –Computation outsourced to the cloud “Trust, but verify” –Many incentives for a cloud to cheat Minimize resource usage Malicious server! Need to verify whether server performs correct computations –Verification must be cheaper than computation

Verifiable Computation Variety of solutions –Interactive proofs [GMR85,LFKN92,S92,GKR08] –MIPs & PCPs [BFL91,BFLS91,BCCT12] –Interactive arguments [BCC88,M94,K92,K95] –Non-Interactive Solutions [K95,M94,GKR08,CKV10,GGP10,AIK11,BHR12] –Public verifiability [PRV12] All of them deal with verifiably computing functions on a single client’s input

Multi-Client Verifiable Computation...

Motivation Resource constrained data gathering sensors located far apart want to compute over joint collected data Ask one sensor to collect all data & use single-client verifiable comp.? Requires client-client communication Mix-and-match attacks –No analogue in single-client setting No privacy Need a model for non-interactive verification of computations over joint inputs of multiple clients

Our Contributions Model, syntax, and definitions Generic constructions –Non-interactive solution –Privacy against colluding clients –Privacy against malicious server Initiate study of non- interactive multi-client verifiable computation in a setting with n semi-honest clients malicious server

Talk Outline Motivation & Introduction Model, Syntax, and Definitions Building Blocks Construction Conclusions

Model... n clients... Clients are semi-honest Want non-interactive solution –No interaction between clients

Model... n clients... Clients are semi-honest Want non-interactive solution –No interaction between clients

Model Clients are semi-honest Want non-interactive solution –No interaction between clients... n clients... How to prevent spoofing attacks? –Use PKI How to prevent mix-and-match attacks? –Use global clock Assumptions of this type are necessary

Model Clients are semi-honest Want non-interactive solution Assume PKI & global clock... n clients... Like [GGP10] use offline preprocessing model One-time (expensive) preprocessing –Must be non-interactive Allows for multiple (cheap) verification stages

Model Clients are semi-honest Want non-interactive solution Assume PKI & global clock One-time preprocessing... n clients... Only first client gets output Easily generalized to multiple clients obtaining outputs –Parallel executions

Model Clients are semi-honest Want non-interactive solution Assume PKI & global clock One-time preprocessing Only first client gets output... n clients...

Online –EncInp j –Compute –Verify Offline –EncFun Syntax x i,1 X i,1 x i,2 X i,2 pk 2 pk 1 F S TiTi Setup –KeyGen pk 2 pk 1 pk 2 pk 1 WiWi yiyi

Properties Soundness Given encoding of function, A gets to choose series of inputs & receive encodings of each input. Finally A outputs (i,W i ) If Verify(W i ) ≠ f(x i ) and Verify(W i ) ≠ λ, output 1, else 0 Scheme is sound if Experiment outputs 1 with negl. prob. Outsourcing T(encode input)+T(verify output)<T(compute function) Privacy Against server: Cannot distinguish between executions where clients hold input x 0 vs. another where client inputs are x 1 Against first client: Conditioned on its input being the same, cannot distinguish between executions having same output

Talk Outline Motivation & Introduction Model, Syntax, and Definitions Building Blocks Construction Conclusions

Building Blocks Projective Garbling Schemes [Y86,BHR12] Non-Interactive Proxy Oblivious Transfer [NPS99] Fully Homomorphic Encryption [G09,BV11] –Converts one-time scheme to a many-time scheme Our construction builds upon the single-client scheme of [GGP10]

Projective Garbling Schemes Garbling Schemes [Y86,BHR12] –“Projective” if individual input encodings can be generated independently Adaptive soundness –Same issue as in [GGP10] –Assume Yao GCs satisfy adap. soundness Reasonable in practice [BHR12]: Does not follow from CPA security of enc. GC …. Encoding of function Projective encoding of Individual input bits Possible output encodings

Proxy Oblivious Transfer [NPS99] Ideal Functionality b=0,1 Proxy OT Proxy OT Proxy OT x 0,x 1 xbxb Want a non interactive proxy OT protocol

Non-Interactive Proxy OT (x c +r c, x 1+c +r 1+c ) (c+b, r c+b ) Use PKI and a non-interactive key exchange (NIKE) protocol to generate common randomness s unknown to server Use common randomness s to run PSM protocol [FKN94] for OT, with server as referee s = (r 0, r 1, c) b=0,1 x 0,x 1 pk 1 pk 2 pk 1 pk 2

Talk Outline Motivation & Introduction Model, Syntax, and Definitions Building Blocks Construction Conclusions

GC …. One-Time Multi-Client VC Preprocessing Using a garbling scheme, encode function & prepare state to encode inputs and to verify encoded outputs

GC …. Input Encoding Select own keys depending on input bits x i,1 x i,2 One-Time Multi-Client VC

GC …. One-Time Multi-Client VC Input Encoding x i,1 x i,2 Select keys for others using non- interactive proxy OT Keys obtained from Proxy OT GC

…. One-Time Multi-Client VC Compute x i,1 x i,2 GC …. Evaluate garbled circuit to obtain output encoding

GC …. One-Time Multi-Client VC Verify x i,1 x i,2 GC …. Check whether received key matches one of the 2 output keys

Multi-Client VC - Finis Soundness –Privacy of non-interactive proxy OT scheme –Authenticity of garbling scheme Privacy –Non-interactive nature of the scheme –Privacy of single-client [GGP10] scheme –Privacy of non-interactive proxy OT scheme Wrap one-time scheme with Fully Homomorphic Encryption –Converts one-time scheme to many-time –Semantic security preserves one-time soundness & privacy

Talk Outline Motivation & Introduction Model, Syntax, and Definitions Building Blocks Construction Conclusions

Conclusions & Summary Modeled non-interactive multi-client verifiable computation in a setting with –n semi-honest clients –Single malicious server Formal syntax and definitions Generic constructions of schemes based on –Projective Garbling Schemes –Non-Interactive Proxy Oblivious Transfer –Fully Homomorphic Encryption Future directions –Stronger models, e.g., malicious clients, etc. … …

Thank You!

Multi-Client VC Input Encoding GC …. x i,1 x i,2 Keys obtained from Proxy OT Select others’ keys using non-interactive proxy OT

GC …. GC …. Multi-Client VC Compute x i,1 x i,2 Evaluate garbled circuit to obtain output encoding

GC …. GC …. Multi-Client VC Compute x i,1 x i,2 Evaluate garbled circuit to obtain output encoding

GC …. Multi-Client VC Verify Check whether received key matches one of the 2 output keys x i,1 x i,2

Model Clients are semi-honest Want non-interactive solution –No interaction between clients... n clients... How to prevent mix-and-match attacks? Spoofing attacks –Use PKI Mixing inputs from different instances –Use global clock

Online –EncInp j –Compute –Verify Offline –KeyGen –EncFun Syntax x i,1 X i,1 x i,2 X i,2 pk 2 pk 1 F S TiTi pk 2 pk 1 pk 2 pk 1 WiWi yiyi

Properties Soundness Experiment Given encoding of function, A gets to choose series of inputs (for each client) & receive encodings of each input Finally, for some i, A outputs (i,W i ) If Verify(W i ) ≠ f(x i ) and Verify(W i ) ≠ λ, output 1, else 0 Scheme is sound if Experiment outputs 1 with negl. prob. T(encode input) + T(verify output) < T(compute function)

Properties Privacy Experiment (against malicious server) Given encoding of function, A chooses 2 inputs x 0, x 1 Choose random b and give A encoding of x b If A successfully guesses b, output 1, else 0 Scheme is private if A’s advantage is at most negl. Privacy Experiment (against first client) C chooses x 0 =(x i,1,x i,2,..) & x 1 =(x i,1,x i,2 ’,..) s.t. f(x 0 )= f(x 1 ) Choose random b and give C the output of Compute(X b ) If C successfully guesses b, output 1, else 0 Scheme is private if C’s advantage is at most negl.

Model... Clients are semi-honest Want non-interactive solution Allow a preprocessing phase Amortized complexity n clients Also want privacy –Against colluding clients –Against malicious server

Projective Garbling Schemes Garbling Schemes [BHR12] –“Projective” if individual input encodings can be generated independently Adaptive soundness requires garbling scheme to satisfy aut! security GC …. Encoding of function (indep. of inputs) Encoding of inputs Encoding of outputs (one of which is obtained after evaluating GC)

Multi-Client VC Preprocessing GC …. Encode function, inputs & outputs using a garbling scheme

Multi-Client VC Input Encoding GC …. x = (x 1,…,x p ) Select own keys depending on input bits Keys obtained from Proxy OT

GC …. Multi-Client VC Preprocessing Using a garbling scheme, encode function & prepare state to encode inputs and to verify encoded outputs

GC …. Multi-Client VC Input Encoding x i,1 Select own keys depending on input bits x i,2

Multi-Client VC Input Encoding GC …. x i,1 Select own keys depending on input bits x i,2

Online –EncInp j –Compute –Verify Offline –EncFun Soundness x i,1 X i,1 x i,2 X i,2 pk 2 pk 1 F S TiTi pk 2 pk 1 pk 2 pk 1 WiWi yiyi

Soundness Experiment For j=1 to n: (pk j,sk j ) ← KeyGen(1 k,j) (F, S) ← EncFun(1 k,f) For i = 1 to L: –x i ← Adv(F, {pk j }, Z) /* Z initially empty*/ –(X i,1,T i ) ← EncInp 1 (i,{pk j },S,sk 1,x i,1 ) –For j=1 to n: X i,j ← EncInp j (i,{pk j },sk j,x i,j ) –Z = Z ∪ { (x i,{X i,j }) } (i,W i )← Adv(F,{pk j }, (x 1,{X 1,j },…,x L,{X L,j })) y i ← Verify(i,S,T i,W i ) If y i ≠ f(x i ) and y i ≠ λ, output 1, else 0 Scheme is sound if Exp. outputs 1 with negl. prob.

Non-Interactive Proxy OT Assume clients share common random bits r 0,r 1, and a permutation bit c unknown to the server (x c +r c, x 1+c +r 1+c ) (c+b, r c+b ) Shared secret randomness can be generated via non- interactive key exchange (using PKI) (r 0, r 1, c) b=0,1 x 0,x 1

Our Contributions.... Need a model for verifying computations over joint inputs of multiple clients Resource constrained data- gathering sensors located far apart Want to perform computation over collected data Propose a model for non- interactive multi-client verifiable computation n semi-honest clients malicious server Definitions Constructions

Our Contributions.... Propose a model for non- interactive multi-client verifiable computation n semi-honest clients malicious server Definitions Constructions Need a model for non-interactive verification of computations over joint inputs of multiple clients

Multi-Client VC Input Encoding GC …. x = (x 1,…,x p ) Select own keys depending on input bits Keys obtained from Proxy OT

Multi-Client VC Input Encoding GC …. x = (x 1,…,x p ) Select keys depending on input bits

Online –EncInp j –Compute –Verify Offline –EncFun Syntax x i, X i,1 x i, X i,2 pk 2 pk 1 F S TiTi Setup –KeyGen pk 2 pk 1

Online –EncInp j –Compute –Verify Offline –EncFun Syntax x i,1 X i,1 x i,2 X i,2 pk 2 pk 1 F S TiTi Setup –KeyGen pk 2 pk 1 pk 2 pk 1 WiWi yiyi

Syntax (pk j,sk j ) ← KeyGen(1 k,j) (F, S) ← EncFun(1 k,f) (X i,1,T i ) ← EncInp 1 (i,{pk j },S,sk 1,x i,1 ) X i,j ← EncInp j (i,{pk j },sk j,x i,j ) W i ← Compute(i,{pk j },F,{X i,j }) y i ∪ {λ} ← Verify(i,S,T i,W i ) Online algorithms executed in the i th time period X i,1 X i,2

Properties Soundness Experiment Given encoding of function, A gets to choose series of inputs (for each client) & receive encodings of each input Finally, for some i, A outputs (i,W i ) If Verify(W i ) ≠ f(x i ) and Verify(W i ) ≠ λ, output 1, else 0 Scheme is sound if Experiment outputs 1 with negl. prob. Time taken to encode input and verify output must be smaller than the time taken to compute the function from scratch

Soundness & Privacy Soundness Experiment Given encoding of function, A gets to choose series of inputs (for each client) & receive encodings of each input Finally, for some i, A outputs W i If Verify(W i ) ≠ f(x i ) and Verify(W i ) ≠ λ, output 1, else 0 Scheme is sound if Experiment outputs 1 with negl. prob. Privacy Experiment Given encoding of function, A chooses 2 inputs x 0, x 1 Choose random b and give A encoding of x b If A successfully guesses b, output 1, else 0 Scheme is private if Experiment outputs 1 with negl. prob.

Syntax (pk j,sk j ) ← KeyGen(1 k,j) (F, S) ← EncFun(1 k,f) (X i,1,T i ) ← EncInp 1 (i,{pk j },S,sk 1,x i,1 ) X i,j ← EncInp j (i,{pk j },sk j,x i,j ) W i ← Compute(i,{pk j },F,{X i,j }) y i ∪ {λ} ← Verify(i,S,T i,W i ) Online algorithms executed in the i th time period WiWi

Multi-Client VC Input Encoding GC …. x = (x 1,…,x p ) Select keys depending on input bits

Multi-Client VC Input Encoding GC …. x = (x 1,…,x p ) Select own keys depending on input bits Keys obtained from Proxy OT

Non-Interactive Proxy OT Assume clients share common random bits r 0,r 1, and a permutation bit c unknown to the server (x c +r c, x 1+c +r 1+c ) (c+b, r c+b ) Shared secret randomness can be generate via non- interactive key exchange (using public keys) (x 0, x 1 ) b (r 0, r 1, c)

Model... Clients are semi-honest Want non-interactive solution Definitions Constructions n clients

Motivation... Propose a model for non- interactive multi-client verifiable computation n semi-honest clients malicious server Need a model for verifying computations over joint inputs of multiple clients Definitions Constructions

Syntax (pk j,sk j ) ← KeyGen(1 k,j) (F, S) ← EncFun(1 k,f) (X i,1,T i ) ← EncInp 1 (i,{pk j },S,sk 1,x i,1 ) X i,j ← EncInp j (i,{pk j },sk j,x i,j ) W i ← Compute(i,{pk j },F,{X i,j }) y i ∪ {λ} ← Verify(i,S,T i,W i ) Online algorithms executed for each time period i X i,j encodes inputs x i,j y i is the real output W i encodes y i

Syntax (pk j,sk j ) ← KeyGen(1 k,j) (F, S) ← EncFun(1 k,f) (X i,1, T i ) ← EncInp 1 (i,{pk j },sk 1,S,x i,1 ) X i,j ← EncInp j (i,{pk j },sk j,x i,j ) W i ← Compute(i,{pk j },F,{X i,j }) y i ∪ {λ} ← Verify(i,S,T i,W i ) Projective Garbling Schemes [BHR12] Proxy Oblivious Transfer [NPS99] Fully Homomorphic Encryption [G09,BV11] Our construction builds upon the single-client scheme of [GGP10]

Syntax (pk j,sk j ) ← KeyGen(1 k,j) (F, S) ← EncFun(1 k,f) (X i,1, T i ) ← EncInp 1 (i,{pk j },sk 1,S,x i,1 ) X i,j ← EncInp j (i,{pk j },sk j,x i,j ) W i ← Compute(i,{pk j },F,{X i,j }) y i ∪ {λ} ← Verify(i,S,T i,W i ) Projective Garbling Schemes [BHR12] Proxy Oblivious Transfer [NPS99] Fully Homomorphic Encryption [G09,BV11] Our construction builds upon the single-client scheme of [GGP10]

Model... n clients Clients are semi-honest Want non-interactive solution –No interaction between clients

Model... n clients Also want privacy –Against colluding clients –Against malicious server Clients are semi-honest Want non-interactive solution –No interaction between clients

Assumptions Distinguish multiple computations using time periods (denoted by i) –Necessary to prevent server from using inp. from a different time period Each client has a public-key secret-key pair –(pk j,sk j ) ← KeyGen(1 k,j) –Necessary to prevent spoofing attacks by malicious server Offline preprocessing phase –Only parties receiving output execute offline phase –(F, S) ← EncFun(1 k,f) –Computationally expensive but will be amortized over many executions

(pk j,sk j ) ← KeyGen(1 k,j) (F, S) ← EncFun(1 k,f) (X i,1, T i ) ← EncInp 1 (i,{pk j },sk 1,S,x i,1 ) X i,j ← EncInp j (i,{pk j },sk j,x i,j ) W i ← Compute(i,{pk j },F,{X i,j }) y i ∪ {λ} ← Verify(i,S,T i,W i ) Syntax Each party has public key, secret key pair Necessary in our setting to prevent spoofing attacks by malicious server

(pk j,sk j ) ← KeyGen(1 k,j) (F, S) ← EncFun(1 k,f) (X i,1, T i ) ← EncInp 1 (i,{pk j },sk 1,S,x i,1 ) X i,j ← EncInp j (i,{pk j },sk j,x i,j ) W i ← Compute(i,{pk j },F,{X i,j }) y i ∪ {λ} ← Verify(i,S,T i,W i ) Syntax Each party has public keys Necessary in our setting to prevent spoofing attacks by malicious server

(pk j,sk j ) ← KeyGen(1 k,j) (F, S) ← EncFun(1 k,f) (X i,1, T i ) ← EncInp 1 (i,{pk j },sk 1,S,x i,1 ) X i,j ← EncInp j (i,{pk j },sk j,x i,j ) W i ← Compute(i,{pk j },F,{X i,j }) y i ∪ {λ} ← Verify(i,S,T i,W i ) Syntax Each party has public keys Necessary in our setting to prevent spoofing attacks by malicious server

Assumptions Distinguish multiple computations using time periods (denoted by i) –Necessary to prevent server from using inp. from a different time period –Denote joint input to the i th computation by x i Client j’s input in time period i denoted by x i,j Each client has a public-key secret-key pair –(pk j,sk j ) ← KeyGen(1 k,j) –Necessary to prevent spoofing attacks by malicious server Offline preprocessing phase executed by first client (w.l.o.g) –More generally, only parties receiving output execute offline phase –(F, S) ← EncFun(1 k,f) –Computationally expensive but will be amortized over many executions

Multi-Client VC Input Encoding GC ….

(pk j,sk j ) ← KeyGen(1 k,j) (F, S) ← EncFun(1 k,f) (X i,1, T i ) ← EncInp 1 (i,{pk j },sk 1,S,x i,1 ) X i,j ← EncInp j (i,{pk j },sk j,x i,j ) W i ← Compute(i,{pk j },F,{X i,j }) y i ∪ {λ} ← Verify(i,S,T i,W i ) Syntax Each party has public keys Necessary in our setting to prevent spoofing attacks by malicious server

(pk j,sk j ) ← KeyGen(1 k,j) (F, S) ← EncFun(1 k,f) (X i,1, T i ) ← EncInp 1 (i,{pk j },sk 1,S,x i,1 ) X i,j ← EncInp j (i,{pk j },sk j,x i,j ) W i ← Compute(i,{pk j },F,{X i,j }) y i ∪ {λ} ← Verify(i,S,T i,W i ) Syntax Each party has public keys Necessary in our setting to prevent spoofing attacks by malicious server

Proxy OT Ideal Functionality b=0,1 Proxy OT Proxy OT Proxy OT x 0,x 1 xbxb  Originally defined in [NPS99] as a 3- party functionality  Here we need generalization to n parties

Our Contributions Several solutions –Interactive proofs [GMR85,LFKN92,S92,GKR08] –MIPs & PCPs [BFL91,BFLS91,BCCT12] –Interactive arguments [BCC88,M94,K92,K95] –Non-Interactive Solutions [K95,M94,GKR08,CKV10,GGP10,AIK11,BHR12] All of them are in the single client setting

Single-Client VC [GGP10] KeyGen ProbGen Compute Verify

Single-Client VC [GGP10] GC ….

Single-Client VC [GGP10] GC … Preprocessing Stage

Single-Client VC [GGP10] GC … Preprocessing Stage GC …. Private State

Single-Client VC [GGP10] GC …. Private State Input Encoding x = (x 1,…,x p )

Single-Client VC [GGP10] GC …. Private State Input Encoding x = (x 1,…,x p )......

Single-Client VC [GGP10] Input Encoding GC …. Private State x = (x 1,…,x p )

Multi-Client VC GC …. Private State Input Encoding x = (x 1,…,x p ) y = (y 1,…,y p )

x = (x 1,…,x p ) y = (y 1,…,y p ) Multi-Client VC GC …. Private State Input Encoding

x = (x 1,…,x p ) y = (y 1,…,y p ) Multi-Client VC GC …. Private State Input Encoding

b=0,1 Proxy OT Ideal Functionality Proxy OT Proxy OT Proxy OT x 0,x 1 xbxb

Proxy OT Ideal Functionality b=0,1 Proxy OT Proxy OT Proxy OT x 0,x 1 xbxb

Proxy OT Ideal Functionality b=0,1 Proxy OT Proxy OT Proxy OT x 0,x 1 xbxb

Proxy OT Ideal Functionality b=0,1 Proxy OT Proxy OT Proxy OT x 0,x 1 xbxb  Originally defined in [NPS99] as a 3- party functionality  Here we need generalization to n parties

Single-Client VC Preprocessing GC …  Uses any projective garbling scheme [BHR12]  For adaptive security, garbling scheme needs to satisfy aut!

Single-Client VC Preprocessing GC …  Uses any projective garbling scheme [BHR12]  For adaptive security, garbling scheme needs to satisfy aut!

Single-Client VC [GGP10] Preprocessing GC ….  Uses projective garbling scheme [BHR12]  For adaptive security, garbling scheme needs to satisfy aut! [BHR12]

Single-Client VC [GGP10] Preprocessing GC ….  Uses projective garbling scheme [BHR12]  For adaptive security, garbling scheme needs to satisfy aut! [BHR12]

Single-Client VC [GGP10] Preprocessing GC ….  Uses projective garbling scheme [BHR12]  For adaptive security, garbling scheme needs to satisfy aut! [BHR12]

Single-Client VC [GGP10] Input Encoding GC …. x = (x 1,…,x p ) Select keys depending on input bits

Single-Client VC [GGP10] Output Computation x = (x 1,…,x p ) Select keys depending on input bits GC ….

Single-Client VC [GGP10] Output Computation GC …. x = (x 1,…,x p ) Select keys depending on input bits GC ….

Single-Client VC [GGP10] Verification GC …. Check whether received key matches one of the 2 output keys GC ….

Single-Client VC [GGP10] Output Computation GC …. Select keys depending on input bits x = (x 1,…,x p )

Single-Client VC Preprocessing  Originally defined in [NPS99] as a 3- party functionality  Here we need generalization to n parties GC …

b=0,1 Proxy OT Private State Input Encoding

Yao Garbled Circuits ab c AND a a b b a b b a ab

Oblivious Transfer xbxb Alice (input x 0,x 1 ) x 1-b hidden Does not learn b Bob (input b) OT