Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Consistency Proofs for Generalized Queries on a Committed Database R. Ostrovsky C. Rackoff A. Smith UCLA Toronto.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Efficient Consistency Proofs for Generalized Queries on a Committed Database R. Ostrovsky C. Rackoff A. Smith UCLA Toronto."— Presentation transcript:

1 Efficient Consistency Proofs for Generalized Queries on a Committed Database http://www.cs.ucla.edu/~rafail R. Ostrovsky C. Rackoff A. Smith UCLA Toronto U. MIT July 12, 2004

2 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 2 Main goal  Potentially cheating party publishes a short certificate to a “database” which “commits” it to the entire database  Answers to any complex query can be shown (with a very short proof) to be consistent with the certificate  No poly-time adversary can cheat and come up with a certificate and two different answers to the same query  Main challenge – achieve short certificate and short proofs for general queries

3 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 3 History  Commitment to Sets of Values –[Buldas, Laud, Lipmaa] –[Kilian] –[Micali and Rabin]  Protocols with Trusted Committer – Authenticated Data-Structures –[Naor, Nissim] –[Goodrich, Tamassia, Tiandopoulus, Cohen], –many others  Zero-Knowledge Sets –[Micali, Rabin Kilian]

4 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 4 Our Contributions (1)  Def of Consistent Query Protocols (CQP): short certificate that “binds” general data- structures together with short proof of consistency  CQP for Orthogonal Range queries

5 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 5 Our contributions (cont)  For orthogonal range queries: –Each entry: (key 1,…key d, value) –Query: d ranges, each range [x1,x2] –d dimensions –K is a security parameter  Proof size: O(k(m+1) log d N)  We show how to modify Bentley’s data structure. (authenticated data-structures are not sufficient)

6 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 6 Our contributions (cont)  General transformation: we show how to modify any consistent query protocol to have the same property as ZK-sets. That is, not to reveal DB size using O(poly(k)) overhead based on general assumptions.  We show construction based on explicit- hash Merkle trees with better constants.

7 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 7 The rest of the talk…  Machinery needed.  Some of the ideas in our constructions.

8 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 8 Motivation – Commitment Protocols  Two player game: Committer and Receiver.  Commitment stage: “storing” some hidden value.  De-commit stage: “opening” this value.  Two properties: binding property and privacy property.

9 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 9 An example of a commitment protocol  Alice has a hidden bit b.  Alice picks a 1-way permutation f:n  n, a random n-bit x, r and sends to Bob –f(x), [(x*r) mod 2] xor b  If f is verifiable 1-way permutation, this is both binding and secure.  To open, Alice sends x to Bob.

10 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 10 Multiple commitments  What if Alice wants to commit –b 1,…,b n  One way to do it is to repeat the protocol above, and commit each bit separately.  How can we do it more efficiently?

11 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 11 A faster way to do it – Merkle trees  Assume h: 2k  k is a collision-resistant hash function such that no poly-time adversary can find a collision.  Group N bits that we wish to commit into groups of size 2k each, apply h, Now, we have N/2 bits. Repeat until get to k bit.  Commit (using basic scheme) the last k bits.  Merkle: this is secure, since otherwise can find a collision.

12 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 12 Commitment of a set  Committing to a set of integers.  The naïve approach: commit each integer separately using basic scheme  Easy on yes answers  Hard on “no” answers

13 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 13 Do Merkle trees work?  Not as is.  Yes answers are fast  No answers are slow– have to go over all the leaves  [BLL][K][MR] gave a faster solution (for no asnwers) for a set based on Merkle trees. (If the set has total order the solution also works for intervals)

14 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 14 The basic idea of [BLL][K][MR]: Merkle interval tree  Sort the keys  Each internal node contains: –Left sub tree interval –Right sub tree interval –MD5 of its children values  To show that the item is present, show the path to the root, with all siblings along the path.  To show that the item is NOT in the DB, show the path until intervals EXCLUDES the item.

15 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 15 Orthogonal range queries  What if we wish to commit to more general data-objects, such as relational database? Example: DB of “employee name”, “age”, “salary”.  We wish to support range-queries of the form “find all employees between age 30-40 and between salary x and y”.  What does Consistent range-query mean here?  In this talk: we’ll limit to 2-d range queries, though our solution generalizes.

16 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 16 2-D range queries: the data-structure  DB: (xkey,ykey, value)  Query: find all entries in DB in the rectangle [x1,x2][y1,y2]  Modification to Bentley’s 2-dim range query –Make Merkle-Interval tree for X-coordinate –For each internal node (corresponding to X- interval) store inside the node the root of “secondary” Merkle Interval tree for Y coordinates in that X-range. (each y point is stored log N times)

17 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 17 2-D range queries: searching for range  Search primary tree and check for consistency  Search a secondary tree and check for consistency  For each entry that is retrieved, check that it is valid in ALL secondary trees which are on the path to the root in the primary tree. (Takes O(log 2 N) steps).  Easy to generalize to d-dimensions  Proof: if Adv can chat on any range  can find collisions.

18 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 18 Extending idea to Zero-Knowledge Sets  Previous scheme works for 2-dimensional ranges  [KMR] show how to extends to ZK-sets (i.e. Not to reveal N) using DDH assumption.  We show how to extend this idea to Zero- Knowledge Sets under general assumptions using [Barak-Golreich] universal arguments: –Commit to a root –Give a commitment of CQP –Give a [BG] universal argument of supper-poly bound on N of consistency.

19 Rafail Ostrovsky, UCLA rafail@cs.ucla.edurafail@cs.ucla.edu 19 Conclusions  Consistent query protocols (CQP) are generalizations of: –Zero-knowledge sets –Commitment schemes (for large datasets) –Authenticated Data structures  CQP be achieved under general assumptions.  For special cases (such as low-dimensional range-queries) we show implementations that do not require PCP, and are efficient. (O(log N) away from best know non-private bound)

Download ppt "Efficient Consistency Proofs for Generalized Queries on a Committed Database R. Ostrovsky C. Rackoff A. Smith UCLA Toronto."

Similar presentations

The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.

The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.
Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.

Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
Augmenting Data Structures Advanced Algorithms & Data Structures Lecture Theme 07 – Part I Prof. Dr. Th. Ottmann Summer Semester 2006.

Augmenting Data Structures Advanced Algorithms & Data Structures Lecture Theme 07 – Part I Prof. Dr. Th. Ottmann Summer Semester 2006.
Mental Poker The SRA Protocol. What is Mental Poker? Playing poker without cards (ie over telephone or internet). No Trusted Third Party or source of.

Mental Poker The SRA Protocol. What is Mental Poker? Playing poker without cards (ie over telephone or internet). No Trusted Third Party or source of.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.

SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.
Multiversion Access Methods - Temporal Indexing. Basics A data structure is called : Ephemeral: updates create a new version and the old version cannot.

Multiversion Access Methods - Temporal Indexing. Basics A data structure is called : Ephemeral: updates create a new version and the old version cannot.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions
Temporal Indexing MVBT. Temporal Indexing Transaction time databases : update the last version, query all versions Queries: “Find all employees that worked.

Temporal Indexing MVBT. Temporal Indexing Transaction time databases : update the last version, query all versions Queries: “Find all employees that worked.
Temporal Indexing MVBT. Temporal Indexing Transaction time databases : update the last version, query all versions Queries: “Find all employees that worked.

Temporal Indexing MVBT. Temporal Indexing Transaction time databases : update the last version, query all versions Queries: “Find all employees that worked.

Similar presentations

Ads by Google