Non-Interactive Verifiable Computing August 5, 2009 Bryan Parno Carnegie Mellon University Rosario Gennaro, Craig Gentry IBM Research.


Slide 2: Desire for Computing on Demand
- Instead of buying hardware, pay for computing power: pay for exactly what you use; quickly scale up/down
- Work done by volunteers or companies (Amazon, GoGrid, etc.)
- Is the result correct?

Slide 3: Verifiable Computation Intuition
The client sends F(·) and x to the worker. The worker returns y = F(x) together with Proof(y). The client then: 1. checks Proof(y); 2. accepts y = F(x).
Checking the proof must be cheaper than computing F.

Slide 4: Outline
- Introduction
- Prior work
- Definitions
- Preliminary approaches
- Scheme & proof sketch

Slide 5: Prior Work
- Secure hardware: coprocessor, TPM, etc. [SW '99, SZJvD '04, MPPRI '08, ...]
- Specific functions: lookups, search on graphs, etc. [NN '98, GTTCC '01, ...]
- General functions:
  - Kilian '92 & Micali '94: worker does a polynomial amount of work; interactive (non-interactive with a random oracle or CRS); computational security
  - GTR '08 (previous talk): interactive, with O(d) rounds; requires uniform circuits; secure against an all-powerful worker

Slide 6: Our Contribution
- Generic (works for any F)
- Intuitive and efficient: does not use ZKPs or PCPs
- Non-interactive
- Preserves input privacy

Slide 7: Outline
- Introduction
- Prior work
- Definitions
- Preliminary approaches
- Scheme & proof sketch

Slide 8: Defining Verifiable Computing
A Verifiable Computation (VC) scheme consists of 4 algorithms:
- KeyGen(F, λ) → (PK, SK)
- ProbGen_SK(x) → σ_x (may reveal x or keep it private)
- Compute_PK(σ_x) → σ_y
- Verify_SK(σ_y) → y or ⊥ (may reveal y or keep it private)
Correctness: y = F(x)

Slide 9: Defining Verifiable Computing
A Verifiable Computation (VC) scheme consists of 4 algorithms:
- KeyGen(F, λ) → (PK, SK)
- ProbGen_SK(x) → σ_x
- Compute_PK(σ_x) → σ_y
- Verify_SK(σ_y) → y or ⊥
Efficiency: KeyGen costs O(|F|), ProbGen costs O(|x|), Verify costs O(|y|), and Compute costs O(|F|).

Slide 10: Security
(PK, SK) ← KeyGen(F, λ). The adversary receives PK and oracle access to ProbGen_SK(·): it submits inputs x and receives the corresponding σ_x. The adversary finally outputs a pair (x, σ_y), and the challenger computes y ← Verify_SK(σ_y).
Adversary wins if: y ≠ ⊥ and y ≠ F(x)

Slide 11: Outline
- Introduction
- Prior work
- Definitions
- Preliminary approaches: fully-homomorphic encryption; MPC
- Scheme & proof sketch

Slide 12: Is Fully-Homomorphic Encryption Sufficient?
Full homomorphism allows multiplication and addition of encrypted data.
Naïve scheme: 1. Encrypt inputs. 2. Ask worker to apply F(·) homomorphically. 3. Decrypt results. 4. ??? 5. Profit!
This is insecure!

Slide 13: Fully-Homomorphic Encryption is Insufficient!
F(A, B, C) = (A * B) + C
The client sends E_K(A), E_K(B), E_K(C). The worker instead computes (E_K(A) + E_K(B)) * E_K(C) = E_K((A + B) * C).
The result decrypts correctly, but (A + B) * C ≠ (A * B) + C!
As usual, Secrecy ≠ Integrity
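As an added illustration of this slide (example code, not code from the talk or its authors), the Python below uses a toy symmetric scheme over the integers that is homomorphic for both addition and multiplication. The scheme is a constructed, insecure stand-in for a real fully-homomorphic scheme (the key leaks from gcds of ciphertexts) and is used only because it makes the argument visible in a few lines: the honest worker evaluates (A * B) + C, the cheating worker evaluates (A + B) * C, and both results decrypt without any error, so decryption alone tells the client nothing about which function was evaluated.

```python
import secrets

# Toy symmetric scheme (illustration only, NOT secure): encrypt m < K as
# c = m + K*q for a fresh random q. Sums and products of ciphertexts are
# encryptions of the sums and products of the plaintexts, as long as the
# plaintext result stays below K, because every K*q term vanishes mod K.

KEY_BITS = 128      # plaintext results must stay below the key
NOISE_BITS = 64     # size of the random multiplier hidden in each ciphertext


def keygen():
    """Secret key K: a random odd KEY_BITS-bit integer (top bit forced on)."""
    return secrets.randbits(KEY_BITS) | (1 << (KEY_BITS - 1)) | 1


def enc(K, m):
    """c = m + K*q; dec recovers m exactly as long as 0 <= m < K."""
    assert 0 <= m < K
    return m + K * secrets.randbits(NOISE_BITS)


def dec(K, c):
    return c % K


def honest_worker(cA, cB, cC):
    """Evaluates F(A, B, C) = (A * B) + C homomorphically."""
    return cA * cB + cC


def cheating_worker(cA, cB, cC):
    """Evaluates a different function, (A + B) * C, on the same ciphertexts."""
    return (cA + cB) * cC


def outsource(A, B, C, worker, K=None):
    """Client side of the naive protocol: encrypt, let `worker` compute,
    decrypt. Returns whatever decrypts; nothing here can tell the client
    whether `worker` evaluated F or some other function."""
    K = K if K is not None else keygen()
    cA, cB, cC = enc(K, A), enc(K, B), enc(K, C)
    return dec(K, worker(cA, cB, cC))


if __name__ == "__main__":
    A, B, C = 3, 4, 5
    print("honest  :", outsource(A, B, C, honest_worker))    # 17 = (3*4)+5
    print("cheating:", outsource(A, B, C, cheating_worker))  # 35 = (3+4)*5
```

The client-side `outsource` function is identical for both workers; the only way to notice the substitution would be to recompute F, which is exactly the cost the scheme is trying to avoid.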

Slide 14: Can Multi-Party Computation Help?
MPC protocols are typically at least as expensive as the original computation.
Key insight: we can convert Yao's garbled circuit scheme into a 1-time verifiable computation.
A 1-time verifiable computation is still not efficient, but we can fix that!

Slide 15: Refresher on Yao's Circuits: Overview
Alice holds A, Bob holds B. Goal: compute Y ← F(A, B) without revealing A or B.
Alice converts F into a circuit C and sends Bob the garbled circuit G(C) together with her garbled input G(A). Bob obtains his garbled input G(B) via oblivious transfer. Bob evaluates G(C) on G(A) and G(B) to obtain G(Y), which maps back to Y.
Note: assumes honest-but-curious parties.

Slide 16: Yao's Circuit Construction
A gate g has input wires A, B and output wire Z, with truth table Z = g(A, B) for (A, B) ∈ {00, 01, 10, 11}.
Each wire is assigned two random labels: a_0, a_1, b_0, b_1, z_0, z_1 ∈_R {0,1}^λ.
The garbled gate G(g) has one row per input combination:
  (a_0, b_0): E_{a_0}(E_{b_0}(z_{g(0,0)}))
  (a_0, b_1): E_{a_0}(E_{b_1}(z_{g(0,1)}))
  (a_1, b_0): E_{a_1}(E_{b_0}(z_{g(1,0)}))
  (a_1, b_1): E_{a_1}(E_{b_1}(z_{g(1,1)}))
Alice sends Bob: 1. G(g); 2. a_0 or a_1; 3. b_0 or b_1 (via oblivious transfer).

Slide 17: Yao's Circuit Computation
Given a_0 and b_1, Bob attempts to decrypt every row of G(g):
  D_b(D_a(E_a(E_b(z_{g(0,0)}))))
  D_b(D_a(E_a(E_b(z_{g(0,1)}))))
  D_b(D_a(E_a(E_b(z_{g(1,0)}))))
  D_b(D_a(E_a(E_b(z_{g(1,1)}))))
Only the (a_0, b_1) row decrypts. Bob returns z_{g(0,1)} to Alice, and Alice maps z_{g(0,1)} back to g(0,1).

Slide 18: Making Yao 1-time Verifiable
The client holds x and converts F into a circuit C. It sends the worker G(C) and G(x); the worker evaluates G(C) on G(x) and returns G(y). The client verifies that G(y) is "correct".

Slide 19: Verifying the Computation of a Yao Circuit
Bob returns ẑ. Alice accepts Bob's response if ẑ = z_0 or ẑ = z_1.
Security intuition:
- The encryption scheme guarantees secrecy of the incorrect z_i
- Since z_0 and z_1 are randomly chosen from {0,1}^λ, the probability of a correct guess is 2^-λ
No longer assumes an honest-but-curious worker!

Slide 20: Yao is Not Outsourceable
- Constructing the Yao circuit takes time O(|C|)
- Reusing the same circuit for a different input allows the adversary to recycle a previous output
- Constructing a new circuit is as expensive as computing F
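The following Python is an added example, not code from the talk or the paper, that packages a single garbled gate (slides 16 and 17) into the four VC algorithms of slides 8 to 10 and exercises the one-time verification check of slide 19. It assumes a simplified classroom garbling: the double encryption E_a(E_b(z)) is realised as z XOR H(a, b) with a zero block appended so that the evaluator recognises the one row it can open (the real scheme's choice of encryption is not specified on the slides). The `replay_run` function reproduces the slide-20 observation that a worker who keeps an output label from an earlier input can return it for a later input and still pass verification.

```python
import hashlib
import secrets

LAMBDA = 16                 # label length in bytes (128 bits)
ZERO = bytes(LAMBDA)        # check block appended to every plaintext label


def H(a, b):
    """Row key derived from the two input labels (32 bytes = label || check)."""
    return hashlib.sha256(a + b).digest()


def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))


def fresh_label():
    return secrets.token_bytes(LAMBDA)


def keygen(g):
    """KeyGen(F, lambda) for F = one two-input gate g.
    PK is the garbled table G(g); SK is the six wire labels."""
    a = (fresh_label(), fresh_label())
    b = (fresh_label(), fresh_label())
    z = (fresh_label(), fresh_label())
    rows = []
    for ia in (0, 1):
        for ib in (0, 1):
            # E_a(E_b(z_{g(ia, ib)})) as (z || 0^lambda) XOR H(a_ia, b_ib)
            rows.append(xor(z[g(ia, ib)] + ZERO, H(a[ia], b[ib])))
    secrets.SystemRandom().shuffle(rows)     # hide which row is which
    return rows, {"a": a, "b": b, "z": z}


def probgen(sk, x):
    """ProbGen_SK(x): hand out the labels of the chosen input bits."""
    ia, ib = x
    return sk["a"][ia], sk["b"][ib]


def compute(pk, sigma_x):
    """Compute_PK(sigma_x): honest worker; returns the output label."""
    la, lb = sigma_x
    for row in pk:
        pt = xor(row, H(la, lb))
        if pt[LAMBDA:] == ZERO:              # only the matching row opens cleanly
            return pt[:LAMBDA]
    return None


def verify(sk, sigma_y):
    """Verify_SK(sigma_y): accept only z_0 or z_1; None plays the role of bot."""
    for bit in (0, 1):
        if sigma_y == sk["z"][bit]:
            return bit
    return None


def AND(p, q):
    return p & q


def honest_run(g, x):
    """Whole protocol with an honest worker; returns the verified output bit."""
    pk, sk = keygen(g)
    return verify(sk, compute(pk, probgen(sk, x)))


def guess_run(g):
    """Worker returns a random label: rejected except with probability 2^-128."""
    pk, sk = keygen(g)
    return verify(sk, secrets.token_bytes(LAMBDA))


def replay_run(g, x_old, x_new):
    """Slide 20: same circuit reused for x_new, worker replays the label it
    obtained for x_old. Verify cannot tell and returns g(x_old)."""
    pk, sk = keygen(g)
    old = compute(pk, probgen(sk, x_old))
    probgen(sk, x_new)                        # new input, same garbled gate
    return verify(sk, old)


if __name__ == "__main__":
    print(honest_run(AND, (1, 1)))             # 1
    print(guess_run(AND))                      # None
    print(replay_run(AND, (0, 1), (1, 1)))     # 0, accepted although AND(1,1) = 1
```

Verification here is a table lookup against two random labels, which is what makes it cheaper than evaluating the gate; the replay case shows why the labels, and hence the whole garbled circuit, must be fresh for every input unless something else (the per-input homomorphic key of the scheme that follows) stops old labels from being reused.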

Slide 21: Outline
- Introduction
- Prior work
- Definitions
- Preliminary approaches
- Scheme & proof sketch

Slide 22: Our Scheme: Overview
Intuition: use fully-homomorphic encryption to make Yao circuits reusable.
- Build the garbled Yao circuit G(C) as before
- For each input x, Alice gives out Encrypt_K(G(x)): she chooses a new key K for the fully-homomorphic scheme and encrypts the Yao wire values G(x) corresponding to x
- The adversary uses the homomorphism to evaluate G(C) and obtain an encryption of the output wire values: Encrypt_K(G(y))
Intuition: the per-input key prevents output reuse. It provides input privacy too!

Slide 23: The Scheme
KeyGen(F, λ): represent F as a circuit C; run Yao on C; PK ← G(C); SK ← the labels a_i, b_i, z_i ∈_R {0,1}^λ. (Garble the circuit computing F: the public key is the garbled circuit, the secret key is the labels.)
ProbGen_SK(x): (PK_ε, SK_ε) ← GenKey_ε(λ); σ_x ← (PK_ε, Enc(PK_ε, a_i), Enc(PK_ε, b_i), ...). (Create a new key for the homomorphic encryption scheme ε and encrypt the correct input wire labels.)
Compute_PK(σ_x): construct a circuit D representing Yao's decryption function; apply D homomorphically to obtain σ_y. (Use ε's homomorphism to obtain an encryption of the correct output wire label.)
Verify_SK(σ_y): use SK_ε to decrypt σ_y; if the result is not one of the z_i, return ⊥; else return y. (Check that the decrypted output matches a valid output wire label.)

Slide 24: Proof Sketch
Intuition:
- Yao is a secure 1-time verifiable computation
- Multiple executions don't help the attacker: in each execution, the labels are encrypted with a different instance of a semantically secure scheme

Slide 25: Performance
Client:
  Garble the circuit C once                        O(|C|)
  Garble each input X                              O(|X|)
  Verify each output Y                             O(|Y|)
Worker:
  Homomorphically "decrypt" through the circuit    O(|C|)
Amortized cost: size of input + size of output

Slide 26: Conclusions & Open Problems
- Growth of computing-as-a-resource will require verifiability of results
- Combining Yao with fully-homomorphic encryption yields a (theoretically) efficient, non-interactive protocol
- Can we construct a verifiable computation scheme using "regular" homomorphic encryption?
- Can we create a verifiable computation with non-repudiation?

Slide 27: Thank you!

Slide 28: Prior Work: General Functions
Kilian '92 & Micali '94:
- Prover builds a PCP that y = F(x) and commits to it in an efficient way (e.g., via a Merkle hash tree)
- Verifier checks the PCP efficiently by asking for the appropriate decommitments
- Result is an "argument" (i.e., an all-powerful prover can cheat)
- Interactive; non-interactive with a random oracle or CRS
GTR '08 (previous talk): PCP-inspired

Slide 29: Prior Work: Specific Functions
- Specific data structures, e.g., searching over graphs [GTTCC '01]
- Rare-event searching: inject known chaff into the search data [DG '05]