MPC and Verifiable Computation on Committed Data


1 MPC and Verifiable Computation on Committed Data
Meilof Veeningen Philips Research April 4, 2017

2 Last year at TPMPC…

7 MPC + Verifiable Computation: Why?
Diagram (labels only): patient data, signed input commitments, secret shares, trusted set-up (CRS), MPC cluster; requests “perform χ² test”, “show graph comparing treatment vs non-treatment”, “provide proof for previous computation!”; output + proof, e.g. “p = 0.085”, with a zero-knowledge proof that the output is correct.

8 TPMPC’16: Shamir + Pinocchio Instantiation
3PC based on Shamir secret sharing (MPC cluster): secure against one passive adversary; computations over 𝔽: local addition, multiplication using a protocol; special-purpose protocols for zero testing, fixed-point multiplication, …; outsourcing is easy.
Verifiable computation with Pinocchio [Parno et al. ’13]: ZK proof that committed inputs, outputs, and witness are “correct”; “correctness” formalized by a QAP: a set of quadratic equations in x ∈ 𝔽^N; secure under PDH + PKE + SDH assumptions.
To combine, want to compute Prove([x]) with MPC. “Trinocchio”: this is easy! [x] is known from the MPC evaluation, and the proof can be built from shares without extra communication.

9 TPMPC’17: Applying Trinocchio in Practice
Diagram (labels only): population data, signed input commitments, MPC cluster, “provide proof for previous computation!”, output + proof; Pinocchio proof: g^{(vw−y)/t} + witness commitment.
Two improvements: 1. “Commit once, prove later” for Pinocchio; 2. efficient correctness of MPC sub-protocols.

10 1. “Commit once, prove later” for Pinocchio

11 Modelling Computations as QAPs
Model a computation by a set of equations given by matrices (V, W, Y): (V·x) ∗ (W·x) = Y·x, where the vector x consists of inputs, witness, and outputs (∗ is the pointwise product).
Natural relation between arithmetic circuits (+ and × gates over x₁, …, x₅ in the figure) and QAPs. In particular: evaluating an arithmetic circuit ≡ computing QAP witness + output.

12 Pinocchio: (Very) High-Level Idea
Need to prove (V·x) ∗ (W·x) − (Y·x) ∗ 1 = 0.
Inputters/provers/verifier build special generalized Pedersen commitments (homomorphic) to the vectors V·x, W·x, Y·x.
Prove that e(g^{V·x}, g^{W·x}) · e(g^{Y·x}, g^{1})^{−1} ≡ 0: pointwise product and pairing commute; efficient zero proof via FFTs on polynomials + evaluation in the exponent.

13 “Commit once, prove later”
Inputters/provers/verifier each provide commitments (g^{V·x}, g^{W·x}, g^{Y·x}) to their part of x.
Pinocchio: guarantee that parties provide only their own part of x, and do it consistently! For secret β, publish g^{β·(col.V || col.W || col.Y)} and let the prover provide g^{β·(V·x || W·x || Y·x)}.
Basic idea: add a computation-independent commitment to this consistency check, extending the commitment to a fourth component (labelled “1” in the figure). Details, optimizations: see our paper.

14 Improvement 2: QAPs for sub-protocols

15 QAPs for sub-protocols (I)
Natural relation between arithmetic circuits and QAPs: in particular, evaluating an arithmetic circuit ≡ computing output + QAP witness.
But how about QAPs for special-purpose sub-protocols (e.g., integer comparison, zero testing, fixed-point multiplication, …)? See them as arithmetic circuits? Then the verifier needs to see and process opened values…
Task: design efficient QAPs for sub-protocols.

16 QAPs for sub-protocols (II)
Example: “zero-equality gate” [PHGR13], MPC computes [b] ← [a ≠ 0] with an elaborate protocol using, e.g., bit decompositions, …
1. Design an efficient QAP: a·c = b; a·(1 − b) = 0; d·d = d ⇒ d = 1.
2. Compute the witness (in MPC): [d] ← 1; [c] ← ([a] + 1 − [b])^{−1}.
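The zero-equality gate above written out as a QAP (V, W, Y) over a prime field and checked as (V·x) ∗ (W·x) = Y·x, as on slide 11. This is an added example, not code from the slides or from Trinocchio/Geppetri; the prime P and the ordering of x are assumptions.

```python
# Added example: the zero-equality gate [PHGR13] as a QAP over F_P.
P = 2**61 - 1  # constructed prime; a real deployment uses the pairing group order

# x = (1, a, b, c, d): constant 1, input a, output b = [a != 0], witness c and d
# Equation rows: (1) a*c = b, (2) a*(1 - b) = 0, (3) d*d = d
V = [[0, 1, 0, 0, 0], [0, 1, 0, 0, 0], [0, 0, 0, 0, 1]]
W = [[0, 0, 0, 1, 0], [1, 0, -1, 0, 0], [0, 0, 0, 0, 1]]
Y = [[0, 0, 1, 0, 0], [0, 0, 0, 0, 0], [0, 0, 0, 0, 1]]

def matvec(M, x):
    return [sum(m * xi for m, xi in zip(row, x)) % P for row in M]

def qap_holds(x):
    """Verifier's view: every equation (V.x)_i * (W.x)_i = (Y.x)_i must hold mod P."""
    v, w, y = matvec(V, x), matvec(W, x), matvec(Y, x)
    return all((vi * wi - yi) % P == 0 for vi, wi, yi in zip(v, w, y))

def zero_eq_witness(a):
    """Prover's view (done on shares inside the MPC in Trinocchio):
    b = [a != 0], d = 1, c = (a + 1 - b)^-1, exactly as on the slide."""
    a %= P
    b = 1 if a else 0
    c = pow((a + 1 - b) % P, P - 2, P)  # field inverse via Fermat's little theorem
    return [1, a, b, c, 1]
```

A witness that claims the wrong bit cannot satisfy all three rows: with a ≠ 0 row (2) forces b = 1, with a = 0 row (1) forces b = 0.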

17 QAPs for sub-protocols (III)
More examples:
Comparison protocol [b] = [a ≥ 0]: letting [|a|] ← [a] if b = 1, [−a] if b = 0, prove that b ∈ {0, 1} and |a| ≥ 0: make a bit decomposition [a₁], …, [a_l] and prove it correct (i.e., the bits add up to [|a|]).
Division protocol [c] = [a]/[b]: computation by Newton/Goldschmidt iteration; correctness of the result: 0 ≤ [a] − [b]·[c] < [b], with bit decompositions.
Or: correctness of the full computation in one go! Linear programming: computing (with the simplex algorithm) is complex, but verification (with the dual solution) is just checking a few equations.
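The division check 0 ≤ a − b·c < b with bit decompositions, as an added example (not from the slides or from Geppetri): everything the verifier checks is a quadratic equation, so it fits a QAP. The prime P, the bit length L and the use of plain integer division in place of the Newton/Goldschmidt iteration are assumptions; a, b, c are taken to be below 2^L so no arithmetic wraps mod P.

```python
# Added example: division correctness via bit-decomposed range checks.
P = 2**61 - 1   # constructed prime field
L = 16          # assumed bit length; 2^(2L) << P so a - b*c never wraps mod P

def to_bits(v):
    return [(v >> i) & 1 for i in range(L)]

def from_bits(bits):
    return sum(x << i for i, x in enumerate(bits)) % P

def div_witness(a, b):
    """Prover side. Integer division stands in for the Newton/Goldschmidt iteration;
    the bits of c, of r = a - b*c and of s = b - r - 1 form the witness."""
    c = a // b
    r = a - b * c
    return {"c_bits": to_bits(c), "r_bits": to_bits(r), "s_bits": to_bits(b - r - 1)}

def check_division(a, b, w):
    """Verifier side: each bit x satisfies x*(1-x) = 0; the c-bits recompose to c,
    the r-bits to a - b*c (hence 0 <= r < 2^L) and the s-bits to b - r - 1 (hence r < b)."""
    for x in w["c_bits"] + w["r_bits"] + w["s_bits"]:
        if (x * (1 - x)) % P != 0:
            return False
    c, r, s = (from_bits(w[k]) for k in ("c_bits", "r_bits", "s_bits"))
    return (a - b * c - r) % P == 0 and (b - r - 1 - s) % P == 0
```

Bounding c by its own bit decomposition matters: over a field, any c paired with a suitable r would otherwise satisfy a − b·c − r = 0.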

18 Some performance figures…
On the same arithmetic circuit, MPC is much faster than VC (≈20×) [SVdV15]: Trinocchio “adds privacy to verifiable computation with little overhead” (for arithmetic circuits).
But VC typically needs to be applied to much smaller circuits! [Vee17]: in Geppetri, “proving is faster than computing with MPC” (in a practical case study).
Example: χ² test on survival data (175 data points); # divisions = 351, # QAP equations = 30189.
Computing function (MPC): 148 s. Computing witness (MPC): 51 s. Proving (plain): s. Proving (MPC): s.

19 Conclusions
Combining MPC with verifiable computation gives privacy + auditability at low cost.
By making Pinocchio adaptive, we can re-use inputs + build modular proofs (construction: see soonnow).
Using special QAPs for sub-protocols, proving is faster than computing. Task: design efficient QAPs and efficient protocols to compute the QAPs’ witnesses.
Geppetri: user-friendly programming of verifiable computations (with or without MPC), see
More information: https://soda-project.eu/
