Download presentation
Presentation is loading. Please wait.
1
Verifiable Databases and RAM Programs
Yupeng Zhang, Daniel Genkin, Jonathan Katz, Dimitrios Papadopoulos and Charalampos Papamanthou
2
Cloud Computing Universities Companies Individuals
3
Security Issue: Integrity
Universities Server failure Software error Data tampering in transmission Random answer Malicious server behavior … Companies Individuals
4
Agenda Background on verifiable computation Our construction
Applications to Verifiable Databases and RAM Programs
5
Verifiable Computation
client function server result + proof digest δ Verification: or data
6
Efficiency Measures of Verifiable Computation
setup time prover time client function server result + proof digest δ Verification: or proof size data verification time
7
Prior Work in Verifiable Computation
1. Customized Approach File read and write [Merkle87, NN00, …] Range search [Tamassia03, GPT07, …] Set operations [PTT11, CPPT14, KPP+14, …] Graph algorithms [GTTC03, ZPK14, Grob14, …] Database queries [ZKP15, …] Efficient Only support limited operations Expressiveness databse graph sets range read/write Efficiency
8
Prior Work in Verifiable Databases
2. Generic Approach (E.g., SNARK [PHGR13, BCGTV13, BFRS+13, BISW17, …] ) Supports all functions that can be modeled as arithmetic circuits Constant proof size, fast verification time Large setup time & prover time Function specific setup Expressiveness SNARK databse graph sets range read/write Efficiency
9
Our Contribution Supports arbitrary computations in NP
Up to 2 orders of magnitude faster than SNARKs Comparable efficiency to customized VC for databases No function specific setup Expressiveness Our argument system SNARK databse graph sets range read/write Efficiency
10
Our Construction
11
Interactive Proof (IP)[GKR08, CMT12, …]
Example: polynomial expansion client Expand f(x) for me server g(x) = 6x3+49x2+128x+105 Polynomial f(x) = (x+3)(3x+5)(2x+7) pick a random value r, test f(r) - g(r) = 0 If f(x) - g(x) ≠ 0, but f(r) - g(r) = 0, → r is a root of f(x) - g(x), → Pr[r is a root] = 3 |random space|
![Interactive Proof (IP)[GKR08, CMT12, …]](http://slideplayer.com./slide/12953324/78/images/11/Interactive+Proof+%28IP%29%5BGKR08%2C+CMT12%2C+%E2%80%A6%5D.jpg "Example: polynomial expansion. client. Expand f(x) for me. server. g(x) = 6x3+49x2+128x+105. Polynomial. f(x) = (x+3)(3x+5)(2x+7) pick a random value r, test f(r) - g(r) = 0. If f(x) - g(x) ≠ 0, but f(r) - g(r) = 0, → r is a root of f(x) - g(x), → Pr[r is a root] = 3 |random space|")
12
Interactive Proof (IP)[GKR08, CMT12, …]
Input Output (result) client server Output fout(x) fout(rout) …… × r1 × f1(x) f1(r1) + × …… × f2(x) …… rin …… fd-2(x) …… fin(rin) × × …… + fd-1(x) × + …… + fin(x) = a0+a1x+a2x2+… (Low degree extension) a a1 a a …… Check the relationship at a random point (Sumcheck protocol) Input (data) fin(rin)
![Interactive Proof (IP)[GKR08, CMT12, …]](http://slideplayer.com./slide/12953324/78/images/12/Interactive+Proof+%28IP%29%5BGKR08%2C+CMT12%2C+%E2%80%A6%5D.jpg "Input. Output (result) client. server. Output. fout(x) fout(rout) …… × r1. × f1(x) f1(r1) + × …… × f2(x) …… rin. …… fd-2(x) …… fin(rin) × × …… + fd-1(x) × + …… + fin(x) = a0+a1x+a2x2+… (Low degree extension) a0 a1 a2 a3 …… Check the relationship at a random point. (Sumcheck protocol) Input (data) fin(rin)")
13
Using IP for Verifiable Computation
No setup time Fast prover time (no crypto operations) Storage of the data locally (Last step: evaluate a polynomial defined by the input at a random point)
14
Delegating Data to the Server
Our solution: Verifiable Polynomial Delegation (VPD) [KZG10, PST13] server client evaluation point a f(a) + proof digest δf (32Bytes) Verification: or f(x)
15
Our Interactive Argument Protocol
function (modeled as a circuit) server client result IP digest δfin of fin(x) for the data … Interactive proof (except last step) data … fin(rin) VPD rin fin (rin) + proof fin (rin) or Verification of polynomial delegation
16
Using IP for Verifiable Databases
No setup time Fast prover time (no crypto operations) Storage of the data locally (Last step: evaluate a polynomial defined by the input at a random point)
17
Supporting Auxiliary Inputs from Server
Some functions are hard to compute using arithmetic circuits E.g., Integer division a÷b They are easy to verify with inputs from the server: a = q × b + r Functions in NP Interactive Proof does not support auxiliary input (Last step: evaluate a polynomial defined by the input at a random point)
18
Supporting Auxiliary Inputs from Server
Our solution: Extractable Verifiable Polynomial Delegation (VPD) digest δf client server commitment of the auxiliary inputs with extractability evaluation point a f(a) + proof Verification: or f(x) Result: extending IP (GKR, CMT etc.) to NP computations
19
Our Interactive Argument Protocol 2.0
fin(x) = f1(x) +f2(x) function (modeled as a circuit with auxiliary inputs) auxiliary inputs client server digest δf2 result IP digest δf1 of f1(x) for the data … Interactive proof (except last step) digest δf2 of f2(x) for auxiliary inputs data … fin(rin) VPD rin f1 (rin), f2 (rin) + proofs f1 (rin), f2 (rin) or Verification of polynomial delegation
20
Our Interactive Argument Protocol
Setup only for the data, not for functions Faster prover time (crypto operations is only linear to the input size, does not depend on the circuit size) Supports auxiliary inputs Dynamic data (details in paper)
21
vSQL: Verifiable Database
22
Verifiable Databases client server SQL database queries result + proof
digest δ Verification: or database
23
Example Query #19 of the TPC-H benchmark http://www.tpc.org/tpch
1. SELECT SUM (l_extendedprice * (1 - l_discount)) AS revenue FROM lineitem, part WHERE 2. ( p_partkey = l_partkey 3. AND p_brand = ‘Brand#41’ 4. AND p_container IN (‘SM CASE’, ‘SM BOX’, ‘SM PACK’, ‘SM PKG’) 5. AND l_quantity >= 7 AND l_quantity <= 6. AND p_size BETWEEN 1 AND 5 7. AND l_shipmode IN (‘AIR’, ‘AIR REG’) 8. AND l_shipinstruct = ‘DELIVER IN PERSON’ ) 9. OR 10. ( p_partkey = l_partkey 11. AND p_brand = ‘Brand#14’ 12. AND p_container IN (‘MED BAG’, ‘MED BOX’,‘MED PKG’, ‘MED PACK’) 13. AND l_quantity >= 14 AND l_quantity <= 14. AND p_size BETWEEN 1 AND 10 15. AND l_shipmode IN (‘AIR’, ‘AIR REG’) 16. AND l_shipinstruct = ‘DELIVER IN PERSON’ ) 17. OR 18. ( p_partkey = l_partkey 19. AND p_brand = ‘Brand#23’ 20. AND p_container IN (‘LG CASE’, ‘LG BOX’, ‘LG PACK’, ‘LG PKG’) 21. AND l_quantity >= 25 AND l_quantity <= 22. AND p_size BETWEEN 1 AND 15 23. AND l_shipmode IN (‘AIR’, ‘AIR REG’) 24. AND l_shipinstruct = ‘DELIVER IN PERSON’ ); Query #19 of the TPC-H benchmark
24
Comparison with Prior Work
Queries and database: TPC-H benchmark Database size: 6 million rows × 13 columns (2.8GB) in the largest table. Query #19 IntegriDB SNARK vSQL Setup Prover Verification Communication MySQL 0.67s 7 hours 100 hours* 0.4 hour 1.8 hours 54 hours* 1.3 hours 232 ms 6 ms 148 ms 184 KB 0.3 KB 28 KB Query #5 (5-way join) Setup Prover Verification Communication 325 hours* 0 hour 171 hours* 1.4 hours 4.16s 40 ms 398ms 0.3 KB 103 KB
25
Expressive SQL Update Query #15: create a new table on the fly by range and sum Old table: 2.8GB new table: 1.7MB Prover Verification Communication 0.5 hour 85ms 85.7KB
26
vSQL Comparable efficiency, better expressiveness compared to customized VC Up to 2 orders of magnitude faster compared to SNARKs Setup only for database, no query dependent setup
27
Verifiable RAM
28
RAM to Circuit Reduction [BCTV14]
By time: state1 CPU state Time Program counter Instruction number Flag Registers ….. state2 state3 …… stateT
![RAM to Circuit Reduction [BCTV14]](http://slideplayer.com./slide/12953324/78/images/28/RAM+to+Circuit+Reduction+%5BBCTV14%5D.jpg "By time: state1. CPU state. Time. Program counter. Instruction number. Flag. Registers. ….. state2. state3. …… stateT.")
29
RAM to Circuit Reduction [BCTV14]
By time: By memory: state1 state'1 CPU step E.g., Add r1, r2, r3 Sorting Network Memory consistency state2 state'2 Memory consistency CPU step state3 state'3 …… …… CPU step Memory consistency stateT state'T
![RAM to Circuit Reduction [BCTV14]](http://slideplayer.com./slide/12953324/78/images/29/RAM+to+Circuit+Reduction+%5BBCTV14%5D.jpg "By time: By memory: state1. state 1. CPU step. E.g., Add r1, r2, r3. Sorting Network. Memory consistency. state2. state 2. Memory consistency. CPU step. state3. state 3. …… …… CPU step. Memory consistency. stateT. state T.")
30
Inefficiency: Preprocessing
By time: state1 CPU step CPU step All possible CPU instructions: ADD, MUL, JMP, CMP, LOAD,… state2 CPU step state3 …… CPU step stateT
31
Our New RAM to Circuit Reduction
By Instruction: By time: By Memory: state''1 state1 state'1 Add Sorting Network Sorting Network state''2 state2 state'2 # of Add Add state3 state''3 state'3 # of Load …… …… …… Load state''T stateT state'T
32
Our New RAM to Circuit Reduction
By Instruction: By time: By Memory: state''1 state1 state'1 Add Permuta-tion protocol Permuta-tion protocol state''2 state2 state'2 # of Add Add state3 state''3 state'3 # of Load …… …… …… Load state''T stateT state'T
33
Our New Verifiable RAM Prover time linear in #of CPU steps T
(vs T log2 T in [BCTV14]) 8× faster prover time 120× smaller memory consumption. Up to 2 million CPU steps (vs 32K in [BCTV14])
34
Summary Verifiable Polynomial Delegation + Interactive Proof vSQL, verifiable databases Verifiable RAM Ongoing work: Zero-knowledge with applications to crypto-currencies Thank you!!! Q&A
35
Memory check for every CPU state
Inefficiency: Preprocessing By memory: state'1 Memory consistency state'2 Memory check for every CPU state Memory consistency state'3 …… Memory consistency state'T
36
Our New RAM to Circuit Reduction
By Memory: Memory check only for states accessing memory state'1 state'2 state'3 …… state'T
37
Our New RAM to Circuit Reduction
By Instruction: By time: By Memory: state''1 state1 state'1 Add Sorting Network Sorting Network state''2 state2 state'2 # of Add Add state3 state''3 # of Load …… …… Load state''T stateT
Similar presentations
