Non-Interactive Verifiable Computing - PowerPoint PPT Presentation

Slides: 28
Provided by: bryan91

Transcript and Presenter's Notes

Title: Non-Interactive Verifiable Computing


1
Non-Interactive Verifiable Computing
  • Bryan Parno
  • Carnegie Mellon University

Rosario Gennaro, Craig Gentry IBM Research
August 5, 2009
2
Desire for Computing on Demand
  • Instead of buying hardware, pay for computing
    power
  • Pay for exactly what you use
  • Quickly scale up/down
  • Work done by
      • Volunteers (SETI@Home, Folding@Home)
      • Companies (Amazon, GoGrid, etc.)

Is the result correct?
3
Verifiable Computation: Intuition
[Diagram labels: x, F]
Must be cheaper than computing F:
  1. Checks Proof (y)
  2. Accepts y = F(x)
4
Outline
  • Introduction
  • Prior work
  • Definitions
  • Preliminary Approaches
  • Scheme Proof Sketch

5
Prior Work
  • Secure Hardware
      • Coprocessor, TPM, etc. SW 99, SZJvD 04, MPPRI 08,
  • Specific Functions
      • Lookups, search on graphs, etc. NN 98, GTTCC 01,
  • General Functions
      • Kilian 92, Micali 94
          • Worker does polynomial amount of work
          • Interactive (Non-interactive with random oracle or CRS)
          • Computational security
      • GTR 08 (previous talk)
          • Interactive, with O(d) rounds
          • Requires uniform circuits
          • Secure against an all-powerful worker

6
Our Contribution
  • Generic (works for any F)
  • Intuitive and Efficient
  • Does not use ZKPs or PCPs
  • Non-interactive
  • Preserves input privacy

7
Outline
  • Introduction
  • Prior work
  • Definitions
  • Preliminary Approaches
  • Scheme Proof Sketch

8
Defining Verifiable Computing
  • A Verifiable Computation (VC) scheme consists of 4 algorithms
      • KeyGen(F, λ) → PK, SK
      • ProbGen_SK(x) → σ_x
      • Compute_PK(σ_x) → σ_y
      • Verify_SK(σ_y) → y or ⊥

Correctness: y = F(x)
9
Defining Verifiable Computing
  • A Verifiable Computation (VC) scheme consists of 4 algorithms
      • KeyGen(F, λ) → PK, SK
      • ProbGen_SK(x) → σ_x
      • Compute_PK(σ_x) → σ_y
      • Verify_SK(σ_y) → y or ⊥

Efficiency
  • KeyGen: O(F)
  • ProbGen: O(x)
  • Compute: O(F)
  • Verify: O(y)
10
Security
PK, SK ← KeyGen(F, λ)
ProbGen_SK()
Adversary wins if
y ← Verify_SK(σ_y)
y ≠ ⊥ and y ≠ F(x)
11
Outline
  • Introduction
  • Prior Work
  • Definitions
  • Preliminary Approaches
      • Fully-homomorphic encryption
      • MPC
  • Scheme Proof Sketch

12
Is Fully-Homomorphic Encryption Sufficient?
  • Full homomorphism allows multiplication and
    addition of encrypted data
  • Naïve scheme
      1. Encrypt inputs
      2. Ask worker to apply F() homomorphically
      3. Decrypt results
      4. ???
      5. Profit!

This is insecure!
13
Fully-Homomorphic Encryption is Insufficient!
F(A, B, C) (A B) C
(EK(A) EK(B)) EK(C)
As usual, Secrecy ≠ Integrity
Result decrypts correctly
But (AB)C ≠ (AB)C!
14
Can Multi-Party Computation Help?
  • MPC protocols are typically at least as expensive
    as the original computation
  • Key Insight
      • We can convert Yao's Garbled Circuit Scheme into a 1-time Verifiable Computation

A 1-time Verifiable Computation is still not efficient.
But we can fix that!
15
Refresher on Yao's Circuits: Overview
Goal: Compute Y ← F(A,B) without revealing A or B
[Diagram labels: A, B, F → C, G(A), G(B), G(C), G(Y)]
Note: Assumes honest-but-curious parties
16
Yao's Circuit Construction
[Diagram: gate g with input wire labels a0, a1 and b0, b1, and output wire labels z0, z1]
a_i, b_i, z_i ←R {0,1}^λ

Alice sends Bob:
  1. G(g)
  2. a0 or a1
  3. b0 or b1
Via Oblivious Transfer

Gate g:
A   B   Z
0   0   g(0,0)
0   1   g(0,1)
1   0   g(1,0)
1   1   g(1,1)

Garbled gate G(g):
A   B   Z
a0  b0  z_g(0,0)   Ea(Eb(z_g(0,0)))
a0  b1  z_g(0,1)   Ea(Eb(z_g(0,1)))
a1  b0  z_g(1,0)   Ea(Eb(z_g(1,0)))
a1  b1  z_g(1,1)   Ea(Eb(z_g(1,1)))
17
Yao's Circuit Computation
[Diagram: input wire labels a0, a1 and b0, b1; output wire labels z0, z1]
  • Given a0 and b1, Bob computes:

Db(Da(Ea(Eb(z_g(0,0)))))
Db(Da(Ea(Eb(z_g(0,1)))))
Db(Da(Ea(Eb(z_g(1,0)))))
Db(Da(Ea(Eb(z_g(1,1)))))

  • Bob returns z_g(0,1) to Alice
  • Alice maps z_g(0,1) to g(0,1)

18
Making Yao 1-time Verifiable
[Diagram labels: x, G(x), F → C, G(C), G(y)]
Verify G(y) is correct
19
Verifying the Computation of a Yao Circuit
  • Bob returns z
  • Alice accepts Bob's response if z = z0 or z = z1
  • Security Intuition
      • Encryption scheme guarantees secrecy of incorrect z_i
      • Since z0 and z1 are randomly chosen, probability of a correct guess is 2^-λ

[Diagram: input wire labels a0, a1 and b0, b1; output wire labels z0, z1]
a_i, b_i, z_i ←R {0,1}^λ
No longer assumes honest-but-curious worker!
20
Yao is Not Outsourceable
  • Constructing the Yao circuit takes time O(C)
  • Reusing the same circuit for a different input
    allows adversary to recycle previous output
  • Constructing a new circuit is as expensive as
    computing F
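
Added example (not from the original slides): a single garbled gate used as a 1-time verifiable computation, showing that a guessed label is rejected while a replayed label from an earlier input is accepted when the circuit is reused. The hash-derived pad standing in for Ea(Eb(·)), the 16-byte label length, and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

LAM = 16  # label length in bytes; stands in for the security parameter λ (assumed value)

def pad(ka, kb):
    # Toy stand-in for the double encryption Ea(Eb(.)): a pad derived from both labels.
    return hashlib.sha256(ka + kb).digest()  # 32 bytes = label + zero tail

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def garble_gate(g):
    """Alice: choose random labels a_i, b_i, z_i and build the garbled table G(g)."""
    a, b, z = ([secrets.token_bytes(LAM) for _ in (0, 1)] for _ in range(3))
    # The zero tail lets Bob recognise the one row his labels decrypt.
    rows = [xor(pad(a[i], b[j]), z[g(i, j)] + bytes(LAM))
            for i in (0, 1) for j in (0, 1)]
    secrets.SystemRandom().shuffle(rows)  # hide which row belongs to which input
    return rows, (a, b, z)                # PK = G(g), SK = the labels

def evaluate(rows, la, lb):
    """Bob: try each row with his two input labels; return the output label."""
    for row in rows:
        pt = xor(pad(la, lb), row)
        if pt[LAM:] == bytes(LAM):
            return pt[:LAM]
    return None

def verify(sk, answer):
    """Alice: accept only z0 or z1 and map it back to a bit; None stands for ⊥."""
    z = sk[2]
    for bit in (0, 1):
        if answer is not None and hmac.compare_digest(answer, z[bit]):
            return bit
    return None

def recycling_demo():
    g = lambda x, y: x & y
    rows, sk = garble_gate(g)
    a, b, _ = sk
    first = evaluate(rows, a[0], b[1])             # honest run on input (0,1)
    honest = verify(sk, first)                     # accepted as g(0,1) = 0
    guess = verify(sk, secrets.token_bytes(LAM))   # random label: rejected
    # Circuit reused for input (1,1): the worker replays the old label unchanged.
    replay = verify(sk, first)                     # still accepted as 0
    return honest, guess, replay, g(1, 1)
```

The replayed label passes verification even though g(1,1) = 1, which is the output recycling that the per-input key in the full scheme is meant to prevent.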

21
Outline
  • Introduction
  • Prior Work
  • Definitions
  • Preliminary Approaches
  • Scheme Proof Sketch

22
Our Scheme Overview
  • Intuition: Use fully-homomorphic encryption to make Yao circuits reusable
  • Build the garbled Yao circuit G(C) as before
  • For each input x, Alice gives out Encrypt_K(G(x))
      • Chooses a new key K for the fully-homomorphic scheme
      • Encrypts the Yao wire values G(x) corresponding to x
  • Adversary uses homomorphism to evaluate G(C) and obtain an encryption of the output wire values
      • Encrypt_K(G(y))

Intuition: Per-input key prevents output reuse
Provides input privacy too!
23
KeyGen(F, λ)
    Represent F as circuit C
    Run Yao on C
    PK ← G(C)
    SK ← a_i, b_i, z_i ∈ {0,1}^λ

ProbGen_SK(x)
    PK_e, SK_e ← GenKey_e(λ)
    σ_x ← (PK_e, Enc(PK_e, a_i), Enc(PK_e, b_i), ...)

Compute_PK(σ_x)
    Construct a circuit D representing Yao's decryption function
    Apply D homomorphically to get σ_y

Verify_SK(σ_y)
    Use SK_e to decrypt σ_y
    If result is not one of z_i, return ⊥
    Else return y
24
Proof Sketch
  • Intuition
  • Yao is a secure 1-time verifiable computation
  • Multiple executions don't help the attacker
  • In each execution, labels are encrypted with a
    different instance of a semantically secure
    scheme

25
Performance
Worker
  • Homomorphically decrypt through the circuit: O(C)

Client
  • Garble the circuit C once: O(C)
  • Garble each input X: O(X)
  • Verify each output Y: O(Y)

Amortized cost: Size of Input + Size of Output
26
Conclusions & Open Problems
  • Growth of computing-as-a-resource will require
    verifiability of results
  • Combining Yao with fully-homomorphic encryption
    yields a (theoretically) efficient,
    non-interactive protocol
  • Can we construct a verifiable computation scheme
    using regular homomorphic encryption?
  • Can we create a verifiable computation with
    non-repudiation?

27
Thank you!
parno@cmu.edu
28
Prior Work: General Functions (PCP Inspired)
  • Kilian 92, Micali 94
      • Prover builds a PCP that y = F(x) and commits to it in an efficient way (e.g., via a Merkle Hash Tree)
      • Verifier checks the PCP efficiently by asking for the appropriate decommitments
      • Result is an argument (i.e., an all-powerful prover can cheat)
      • Interactive
      • Non-interactive with random oracle or CRS
  • GTR 08 (previous talk)

29
Prior Work: Specific Functions
  • Specific Data Structures
      • E.g., Searching over graphs GTTCC 01
  • Rare-event searching
      • Inject known chaff into the search data DG 05