Presentation is loading. Please wait.

Presentation is loading. Please wait.

Non-Interactive Verifiable Computing August 5, 2009 Bryan Parno Carnegie Mellon University Rosario Gennaro, Craig Gentry IBM Research.

Published byDiane Watts Modified over 9 years ago

Similar presentations

Presentation on theme: "Non-Interactive Verifiable Computing August 5, 2009 Bryan Parno Carnegie Mellon University Rosario Gennaro, Craig Gentry IBM Research."— Presentation transcript:

1 Non-Interactive Verifiable Computing August 5, 2009 Bryan Parno Carnegie Mellon University Rosario Gennaro, Craig Gentry IBM Research

2 2 Desire for Computing on Demand Instead of buying hardware, pay for computing power –Pay for exactly what you use –Quickly scale up/down Work done by: –Volunteers (SETI@Home, Folding@Home) –Companies (Amazon, GoGrid, etc) Is the result correct?

3 3 Verifiable Computation Intuition F(·),x 1.Checks Proof (y) 2.Accepts y = F(x) y F(x), Proof (y) F x F x Must be cheaper than computing F

4 4 Outline Introduction Prior work Definitions Preliminary Approaches Scheme & Proof Sketch

5 5 Prior Work Secure Hardware –Coprocessor, TPM, etc. [SW ’99, SZJvD ‘04, MPPRI ‘08,…] Specific Functions –Lookups, search on graphs, etc. [NN ’98, GTTCC ’01,…] General Functions –Kilian ‘92 & Micali ’94 Worker does polynomial amount of work Interactive (Non-interactive with random oracle or CRS) Computational security –GTR ‘08 (previous talk) Interactive, with O(d) rounds Requires uniform circuits Secure against an all-powerful worker

6 6 Our Contribution Generic (works for any F) Intuitive and Efficient –Does not use ZKPs or PCPs Non-interactive Preserves input privacy

7 7 Outline Introduction Prior work Definitions Preliminary Approaches Scheme & Proof Sketch

8 8 A Verifiable Computation (VC) scheme consists of 4 algorithms: –KeyGen(F, λ) → PK, SK –ProbGen SK (x) → σ x –Compute PK (σ x ) → σ y –Verify SK (σ y ) → y or  May reveal y or keep it private Defining Verifiable Computing Correctness: y = F(x) Correctness: y = F(x) May reveal x or keep it private

9 9 A Verifiable Computation (VC) scheme consists of 4 algorithms: –KeyGen(F, λ) → PK, SK –ProbGen SK (x) → σ x –Compute PK (σ x ) → σ y –Verify SK (σ y ) → y or  Defining Verifiable Computing Efficiency: O(|F|) O(|x|) O(|y|) O(|F|)

10 10 Security PK, SK ← KeyGen(F, λ) ProbGen SK (·) x σxσx y ← Verify SK (σ y ) y ≠  and y ≠ F(x) PK (x,σ y ) Adversary wins if:

11 11 Outline Introduction Prior Work Definitions Preliminary Approaches –Fully-homomorphic encryption –MPC Scheme & Proof Sketch

12 12 Is Fully-Homomorphic Encryption Sufficient? Full homomorphism allows multiplication and addition of encrypted data Naïve scheme: 1. Encrypt inputs 2. Ask worker to apply F(·) homomorphically 3. Decrypt results 4. ??? 5. Profit! This is insecure!

13 13 Fully-Homomorphic Encryption is Insufficient! F(A, B, C) = (A * B) + C E K (A), E K (B), E K (C) (E K (A) + E K (B)) * E K (C) E K ((A+B)*C) Result decrypts correctly But (A+B)*C ≠ (A*B)+C ! As usual, Secrecy ≠ Integrity As usual, Secrecy ≠ Integrity

14 14 Can Multi-Party Computation Help? MPC protocols are typically at least as expensive as the original computation Key Insight: We can convert Yao’s Garbled Circuit Scheme into a 1-time Verifiable Computation A 1-time Verifiable Computation is still not efficient But we can fix that!

15 15 Refresher on Yao’s Circuits: Overview AB Goal: - Compute Y ← F(A,B) - Without revealing A or B F → C G(C), G(A) G(B) Oblivious Transfer G(A) G(B) G(C) G(Y) Y Note: Assumes honest-but-curious parties

16 16 Yao’s Circuit Construction g AB Z ABZ 00g(0,0) 01g(0,1) 10g(1,0) 11g(1,1) ABZ a0a0 b0b0 z g(0,0) E a (E b (z g(0,0) )) a0a0 b1b1 z g(0,1) E a (E b (z g(0,1) )) a1a1 b0b0 z g(1,0) E a (E b (z g(1,0) )) a1a1 b1b1 z g(1,1) E a (E b (z g(1,1) )) a0a0 a1a1 b0b0 b1b1 z0z0 z1z1 0 0 1 1 1 1 0 0 a i, b i, z i  {0,1} λ R G(g) Alice sends Bob: 1. G(g) 2. a 0 or a 1 3. b 0 or b 1 Via Oblivious Transfer

17 17 Yao’s Circuit Computation D b (D a (E a (E b (z g(0,0) )))) D b (D a (E a (E b (z g(0,1) )))) D b (D a (E a (E b (z g(1,0) )))) D b (D a (E a (E b (z g(1,1) )))) Given a 0 and b 1 Bob computes: 0 0 1 11 1 0 0 0 0 0 0 1 1 1 1 Bob returns z g(0,1) to Alice Alice maps z g(0,1) to g(0,1) g AB Z a0a0 a1a1 b0b0 b1b1 z0z0 z1z1

18 18 Making Yao 1-time Verifiable x F → C G(C), G(x) G(x) G(C) G(y) Verify G(y) is “correct”

19 19 Verifying the Computation of a Yao Circuit Bob returns z Alice accepts Bob’s response if: z = z 0 or z = z 1 Security Intuition: –Encryption scheme guarantees secrecy of incorrect z i –Since z 0 and z 1 are randomly chosen, probability of a correct guess is 2 -λ g AB Z a0a0 a1a1 b0b0 b1b1 z0z0 z1z1 a i, b i, z i  {0,1} λ R No longer assumes honest-but-curious worker! ^ ^ ^

20 20 Yao is Not Outsourceable Constructing the Yao circuit takes time O(C) Reusing the same circuit for a different input allows adversary to recycle previous output Constructing a new circuit is as expensive as computing F

21 21 Outline Introduction Prior Work Definitions Preliminary Approaches Scheme & Proof Sketch

22 22 Our Scheme: Overview Intuition: Use fully-homomorphic encryption to make Yao circuits reusable Build the garbled Yao circuit G(C) as before For each input x, Alice gives out Encrypt K (G(x)) –Chooses a new key K for the fully-homomorphic scheme –Encrypts the Yao wire values G(x) corresponding to x Adversary uses homomorphism to evaluate G(C) and obtain an encryption of the output wire values: Encrypt K (G(y)) Intuition: Per-input key prevents output reuse Provides input privacy too!

23 23 KeyGen(F, λ): Represent F as circuit C Run Yao on C PK ← G(C) SK ← a i, b i, z i  {0,1} λ ProbGen SK (x) PK ε, SK ε ← GenKey ε (λ) σ x ← (PK ε, Enc(PK ε, a i ), Enc(PK ε, b i ),…) Compute PK (σ x ) Construct a circuit D representing Yao’s decryption function Apply D homomorphically to get σ y Verify SK (σ y ) Use SK ε to decrypt σ y If result is not one of z i, return  Else return y Garble the circuit computing F. Public key is the garbled circuit Secret key is the labels. Create a new key for the homomorphic encryption scheme. Encrypt the correct input wire values Use ε ’s homomorphism to obtain an encryption of the correct output wire value Check that decrypted output matches a valid output wire label

24 24 Proof Sketch Intuition –Yao is a secure 1-time verifiable computation –Multiple executions don’t help the attacker In each execution, labels are encrypted with a different instance of a semantically secure scheme

25 25 Performance Garble the circuit C onceO(|C|) Garble each input XO(|X|) Verify each output YO(|Y|) Amortized cost: Size of Input + Size of Output Amortized cost: Size of Input + Size of Output Client: Homomorphically “decrypt”O(|C|) through the circuit Worker:

26 26 Conclusions & Open Problems Growth of computing-as-a-resource will require verifiability of results Combining Yao with fully-homomorphic encryption yields a (theoretically) efficient, non-interactive protocol Can we construct a verifiable computation scheme using “regular” homomorphic encryption? Can we create a verifiable computation with non-repudiation?

27 27 Thank you! parno@cmu.edu

28 28 Prior Work: General Functions Kilian ‘92 & Micali ‘94 –Prover builds a PCP that y=F(x) and commits to it in an efficient way (e.g., via a Merkle Hash Tree) –Verifier checks the PCP efficiently by asking for the appropriate decommitments –Result is an “argument” (i.e. an all powerful prover can cheat) –Interactive. Non-interactive with random oracle or CRS GTR ‘08 (previous talk) (PCP Inspired)

29 29 Specific Data Structures –E.g., Searching over graphs [GTTCC ’01] Rare-event searching –Inject known chaff into the search data [DG ’05] Prior Work: Specific Functions

Download ppt "Non-Interactive Verifiable Computing August 5, 2009 Bryan Parno Carnegie Mellon University Rosario Gennaro, Craig Gentry IBM Research."

Similar presentations

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.

Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.

What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Similar presentations

Ads by Google