lattice-based snargs and their application to more efficient ...bootstrapping obfuscation [gghrsw13,...
Post on 07-Feb-2021
6 Views
Preview:
TRANSCRIPT
-
Lattice-Based SNARGs and Their Application to More Efficient Obfuscation
Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu
-
Program Obfuscation [BGIRSVY01, GGHRSW13]
Takes a program as input and โscramblesโ it
๐๐ช
Indistinguishability obfuscation (๐๐ช) has emerged as a โcentral hub for cryptographyโ [BGIRSVY01, GGHRSW13]
[GGHRSW13, SW14, BZ14, BST14, GGHR14, GHRW14, BP15, CHNVW15, CLTV15, GP15, GPS16, BPW16 โฆ]
-
How (Im)Practical is Obfuscation?
Existing constructions rely on multilinear maps [BS04, GGH13, CLT13, GGH15]
โข Bootstrapping: [GGHRSW13, BR14, App14]
โข For AES, requires โซ 2100 levels of multinearity and โซ 2100 encodings
โข Direct obfuscation of circuits: [Zim15, AB15]โข For AES, already require โซ 2100 levels of multilinearity
โข Non-Black Box: [Lin16a, LV16, Lin16b, AS17, LT17]โข Only requires constant-degree multilinear maps (e.g., 3-linear maps [LT17])โข Multilinear maps are complex, so non-black box use of the multilinear maps will be
difficult to implement
multilinear maps
NC1
obfuscationP/Poly
obfuscationbootstrapping
-
How (Im)Practical is Obfuscation?
multilinear maps
NC1
obfuscationP/Poly
obfuscationbootstrapping
Focus of this work will be on candidates that make black-box use of multilinear map
our goal: improve efficiency of bootstrapping
prior works have focused on improving the efficiency of
obfuscation for NC1 (branching programs) [AGIS14, BMSZ16]
for AES, we require โ 4000 levels of multilinearity (compare with โซ 2100
from before)
-
Bootstrapping Obfuscation [GGHRSW13, BR14]
To obfuscate a circuit ๐ถ โ P/Poly:
encrypt the circuit ๐ถ using a public key FHE scheme to
obtain encrypted circuit ๐ถenc
given ๐ถenc, evaluator can homomorphically compute
encryption of ๐ถ(๐ฅ)
๐ถenc
๐ถ(๐ฅ)๐ฅ๐ถ๐ถenc
-
Bootstrapping Obfuscation [GGHRSW13, BR14]
To obfuscate a circuit ๐ถ โ P/Poly:
๐ถenc
๐ถ(๐ฅ)๐ฅ๐ถ๐ถenc
โข Provide obfuscated program that decrypts the FHE ciphertextโข Should not decrypt arbitrary FHE ciphertexts, only those that
correspond to honest evaluationsโข Evaluator includes a proof that evaluation done correctly
-
Bootstrapping Obfuscation [GGHRSW13, BR14]
constants: sk and ๐on input (๐ฅ, ct, ๐):
1. Verify the proof ๐ that ct corresponds to an evaluation of ๐ถenc on ๐ฅ
2. If valid, output FHE. Decrypt(sk, ct) and 0 otherwise
โข Provide obfuscated program that decrypts the FHE ciphertextโข Should not decrypt arbitrary FHE ciphertexts, only those that
correspond to honest evaluationsโข Evaluator includes a proof that evaluation done correctly
NC1 obfuscator
โฎ
๐obfFHE
secret keyCRS for proof
system
-
Bootstrapping Obfuscation [GGHRSW13, BR14]
constants: sk and ๐on input (๐ฅ, ct, ๐):
1. Verify the proof ๐ that ct corresponds to an evaluation of ๐ถenc on ๐ฅ
2. If valid, output FHE. Decrypt(sk, ct) and 0 otherwise
NC1 obfuscator
โฎ
๐obf
โข Obfuscated program does two things: proof verification and FHE decryptionโข NC1 obfuscator works on branching programs, so need primitives with short
branching programs (e.g., computing an inner products over a small field)
For VBB obfuscation, can use a succinct argument
(SNARG)
-
Bootstrapping Obfuscation [GGHRSW13, BR14]
constants: sk and ๐on input (๐ฅ, ct, ๐):
1. Verify the proof ๐ that ct corresponds to an evaluation of ๐ถenc on ๐ฅ
2. If valid, output FHE. Decrypt(sk, ct) and 0 otherwise
NC1 obfuscator
โฎ
๐obf
โข Obfuscated program does two things: proof verification and FHE decryptionโข NC1 obfuscator works on branching programs, so need primitives with short
branching programs (e.g., computing an inner products over a small field)
For VBB obfuscation, can use a succinct argument
(SNARG)
Inner products over ๐ฝ๐๐
implemented using branching programs of length ๐ and width ๐
-
Bootstrapping Obfuscation [GGHRSW13, BR14]
constants: sk and ๐on input (๐ฅ, ct, ๐):
1. Verify the proof ๐ that ct corresponds to an evaluation of ๐ถenc on ๐ฅ
2. If valid, output FHE. Decrypt(sk, ct) and 0 otherwise
NC1 obfuscator
โฎ
๐obf
โข Obfuscated program does two things: proof verification and FHE decryptionโข NC1 obfuscator works on branching programs, so need primitives with short
branching programs (e.g., computing an inner products over a small field)โข FHE decryption is (rounded) inner product [BV11, BGV12, Bra12, GSW13, AP14, DM15, โฆ], so
just need a SNARG with simple verification
-
Branching-Program-Friendly SNARGs
Goal: construct a succinct non-interactive argument (SNARG)that can be verified by a short branching program
-
Branching-Program-Friendly SNARGs
Goal: construct a succinct non-interactive argument (SNARG)that can be verified by a short branching program
Succinct non-interactive arguments (SNARG) for NP relation [GW11]
โข Setup 1๐ โ ๐, ๐ : outputs common reference string ๐ and
verification state ๐โข Prove ๐, ๐ฅ, ๐ค โ ๐: on input a statement ๐ฅ and witness ๐ค,
outputs a proof ๐โข Verify ๐, ๐ฅ, ๐ โ 0/1: on input the verification state ๐, the
statement ๐ฅ, decides if proof ๐ is valid
-
Branching-Program-Friendly SNARGs
Goal: construct a succinct non-interactive argument (SNARG)that can be verified by a short branching program
Succinct non-interactive arguments (SNARG) for NP relation [GW11]โข Must satisfy usual notions of completeness and computational
soundnessโข Succinctness: proof size and verifier run-time should be
polylogarithmic in the circuit size (for circuit satisfiability)โข Verifier run-time: poly ๐ + ๐ฅ + log ๐ถโข Proof size: poly ๐ + log ๐ถ
-
Branching-Program-Friendly SNARGs
Main result: new designated-verifier SNARGs in the preprocessing model with the following properties:
Goal: construct a succinct non-interactive argument (SNARG)that can be verified by a short branching programVerification state ๐
must be secretAllow Setup algorithm to run in time poly(๐ + ๐ถ )
-
Branching-Program-Friendly SNARGs
Main result: new designated-verifier SNARGs in the preprocessing model with the following properties:
โข Quasi-optimal succinctnessโข Quasi-optimal prover complexity
first SNARG that isโquasi-optimalโ
Asymptotics based on achieving negl(๐) soundness
error against provers of size 2๐
proofs have size ๐(๐)
prover complexity is ๐ ๐ถ
Goal: construct a succinct non-interactive argument (SNARG)that can be verified by a short branching program
-
Branching-Program-Friendly SNARGs
Main result: new designated-verifier SNARGs in the preprocessing model with the following properties:
โข Quasi-optimal succinctnessโข Quasi-optimal prover complexityโข Post-quantum securityโข Works over polynomial-size fields
first SNARG that isโquasi-optimalโ
New SNARG candidates are lattice-basedโข Over integer lattices, verification is branching-program friendlyโข Over ideal lattices, SNARGs are quasi-optimal
Goal: construct a succinct non-interactive argument (SNARG)that can be verified by a short branching program
-
Branching-Program-Friendly SNARGs
Goal: construct a succinct non-interactive argument (SNARG)that can be verified by a short branching program
Starting point: preprocessing SNARGs from [BCIOP13]
linear PCP2-round linear
interactive proofpreprocessing SNARG
information-theoretic compiler
cryptographic compiler (linear-only encryption)
-
Linear PCPs (LPCPs) [IKO07]
(๐ฅ, ๐ค) ๐ โ ๐ฝ๐
linear PCP
๐ โ ๐ฝ๐๐ โ ๐ฝ๐
๐, ๐ โ ๐ฝ
verifier
โข Verifier given oracle access to a linear function ๐ โ ๐ฝ๐
โข Several instantiations:โข 3-query LPCP based on the Walsh-
Hadamard code: ๐ = ๐( ๐ถ 2) [ALMSS92]โข 3-query LPCP based on quadratic span
programs: ๐ = ๐( ๐ถ ) [GGPR13]
Require large fields, but can be adapted to operate over small fields.
[See paper for details.]
-
Linear PCPs (LPCPs) [IKO07]
(๐ฅ, ๐ค) ๐ โ ๐ฝ๐
linear PCP
๐ โ ๐ฝ๐๐ โ ๐ฝ๐
๐, ๐ โ ๐ฝ
verifier
Oftentimes, verifier is oblivious: the queries ๐ do not depend on
the statement ๐ฅ
-
Linear PCPs (LPCPs) [IKO07]
Equivalent view (if verifier is oblivious):
๐1 ๐2 ๐3 ๐๐โฏ๐ = โ ๐ฝ๐ร๐๐ โ ๐ฝ๐
๐ โ ๐ฝ๐ร๐
๐๐๐ โ ๐ฝ๐
verifier pack all queries into single matrix
-
From Linear PCPs to Preprocessing SNARGs [BCIOP13]
Oblivious verifier can โcommitโ to its queries ahead of time
๐1 ๐2 ๐3 ๐๐โฏ
part of the CRS
Honest prover takes (๐ฅ, ๐ค) and constructs
linear PCP ๐ โ ๐ฝ๐ and computes ๐T๐
๐ = Two problems:โข Malicious prover can choose ๐ based
on queriesโข Malicious prover can apply different ๐
to the different columns of ๐
-
Oblivious verifier can โcommitโ to its queries ahead of time
๐1 ๐2 ๐3 ๐๐โฏ
part of the CRS
Honest prover takes (๐ฅ, ๐ค) and constructs
linear PCP ๐ โ ๐ฝ๐ and computes ๐T๐
๐ = Two problems:โข Malicious prover can choose ๐ based
on queriesโข Malicious prover can apply different ๐
to the different columns of ๐
From Linear PCPs to Preprocessing SNARGs [BCIOP13]
-
Oblivious verifier can โcommitโ to its queries ahead of time
๐1 ๐2 ๐3 ๐๐โฏ
part of the CRS
Honest prover takes (๐ฅ, ๐ค) and constructs
linear PCP ๐ โ ๐ฝ๐ and computes ๐T๐
๐ =Step 1: Encrypt elements of ๐ using additively homomorphic encryption schemeโข Prover homomorphically computes ๐๐๐โข Verifier decrypts encrypted response
vector and performs LPCP verification
From Linear PCPs to Preprocessing SNARGs [BCIOP13]
-
Oblivious verifier can โcommitโ to its queries ahead of time
๐1 ๐2 ๐3 ๐๐โฏ
part of the CRS
Honest prover takes (๐ฅ, ๐ค) and constructs
linear PCP ๐ โ ๐ฝ๐ and computes ๐T๐
๐ = Two problems:โข Malicious prover can choose ๐ based
on queriesโข Malicious prover can apply different ๐
to the different columns of ๐
From Linear PCPs to Preprocessing SNARGs [BCIOP13]
-
From Linear PCPs to Preprocessing SNARGs
Oblivious verifier can โcommitโ to its queries ahead of time
๐1 ๐2 ๐3 ๐๐โฏ
part of the CRS
Honest prover takes (๐ฅ, ๐ค) and constructs
linear PCP ๐ โ ๐ฝ๐ and computes ๐T๐
๐ =Step 2: Conjecture that the encryption scheme only supports a limited subset of homomorphic operations (linear-only vector encryption)
-
Linear-Only Vector Encryption
๐ฃ1 โ ๐ฝ๐
๐ฃ2 โ ๐ฝ๐
๐ฃ๐ โ ๐ฝ๐
โฎ
plaintext space is a vector space
-
Linear-Only Vector Encryption
โฎ
plaintext space is a vector space
๐ฃ1 โ ๐ฝ๐
๐ฃ2 โ ๐ฝ๐
๐ฃ๐ โ ๐ฝ๐
๐โ[๐]
๐ผ๐๐ฃ๐ โ ๐ฝ๐
encryption scheme is semantically-secure and additively homomorphic
-
Linear-Only Vector Encryption
โฎ
๐ฃ1 โ ๐ฝ๐
๐ฃ2 โ ๐ฝ๐
๐ฃ๐ โ ๐ฝ๐
ct
For all adversaries, there is an efficient extractor such that if ct is valid, then the extractor is able to produce a vector of coefficients ๐ผ1, โฆ , ๐ผ๐ โ ๐ฝ
๐
and ๐ โ ๐ฝ๐ such that Decrypt sk, ct = ๐โ[๐] ๐ผ๐๐ฃ๐ + ๐
Weaker property also suffices. [See paper for details.]
๐ผ1, โฆ , ๐ผ๐ โ ๐ฝ, ๐ โ ๐ฝ๐
adversary
extractor
-
Linear-Only Vector Encryption
โฎ
๐ฃ1 โ ๐ฝ๐
๐ฃ2 โ ๐ฝ๐
๐ฃ๐ โ ๐ฝ๐
ct
For all adversaries, there is an efficient extractor such that if ct is valid, then the extractor is able to produce a vector of coefficients ๐ผ1, โฆ , ๐ผ๐ โ ๐ฝ
๐
and ๐ โ ๐ฝ๐ such that Decrypt sk, ct = ๐โ[๐] ๐ผ๐๐ฃ๐ + ๐
Weaker property also suffices. [See paper for details.]
๐ผ1, โฆ , ๐ผ๐ โ ๐ฝ, ๐ โ ๐ฝ๐
adversary
extractor
extractor can โexplainโ the ciphertexts as an affine
function of its inputs
-
From Linear PCPs to Preprocessing SNARGs
Oblivious verifier can โcommitโ to its queries ahead of time
๐1 ๐2 ๐3 ๐๐โฏ
part of the CRS
Honest prover takes (๐ฅ, ๐ค) and constructs
linear PCP ๐ โ ๐ฝ๐ and computes ๐T๐
๐ =Step 2: Conjecture that the encryption scheme only supports a limited subset of homomorphic operations (linear-only vector encryption)
Linear-only vector encryption โ all prover strategies can be explained by (๐, ๐) as ๐๐๐ + ๐
encrypt row by row
[See paper for full details.]
-
Comparison with [BCIOP13]
Preprocessing SNARGs from [BCIOP13]:
linear PCP2-round linear
interactive proofpreprocessing SNARG
introduce additional consistency check to force prover to apply
consistent linear function โsoundness only over a large field
relies on weaker cryptographic assumption: linear-only
encryption rather than linear-only vector encryption
-
Comparison with [BCIOP13]
Preprocessing SNARGs from [BCIOP13]:
linear PCP2-round linear
interactive proofpreprocessing SNARG
Our construction
linear PCP preprocessing SNARG
-
Comparison with [BCIOP13]
Preprocessing SNARGs from [BCIOP13]:
linear PCP2-round linear
interactive proofpreprocessing SNARG
Our construction
linear PCP preprocessing SNARG
stronger cryptographic assumption, but enables new constructions with
better efficiency
-
Instantiating Linear-Only Vector Encryption
Conjecture: Regev-based encryption (specifically, the [PVW08] variant) is a linear-only vector encryption scheme.
PVW decryption (for plaintexts with dimension ๐):
๐
๐ โ โค๐๐ร(๐+๐)
๐
๐ โ โค๐๐+๐
round
Each row of ๐ can be is an independent Regev secret key
-
Concrete Instantiations
Using QSP-based linear PCP [GGPR12] and PVW encryption scheme:โข Prover complexity: ๐( ๐ถ ) homomorphic operations โ ๐ ๐ ๐ถโข Proof size: single ciphertext โ ๐(๐) bits
โข Soundness error: 2โ๐-soundness against 2๐-bounded provers
Matches existing pairing-based constructions [GGPR12, BCIOP13]
-
Concrete Instantiations
Using QSP-based linear PCP [GGPR12] and PVW encryption scheme:โข Prover complexity: ๐( ๐ถ ) homomorphic operations โ ๐ ๐ ๐ถโข Proof size: single ciphertext โ ๐(๐) bits
โข Soundness error: 2โ๐-soundness against 2๐-bounded provers
Matches existing pairing-based constructions [GGPR12, BCIOP13]Direct instantiation of BCIOP compiler with Regev encryption yields ๐(๐2 ๐ถ ) prover
complexity and ๐( ๐2) proof size to achieve same soundness guarantees
-
Towards Quasi-Optimality
Consider vector encryption where plaintext space is a ring ๐ :๐ โ ๐ฝ๐ ร ๐ฝ๐ ร โฏร ๐ฝ๐
splits into ๐ copies of ๐ฝ๐
๐ฃ โ ๐ ๐
๐ฃ11
๐ฃ21
โฎ
๐ฃ๐1
๐ฃ12
๐ฃ22
โฎ
๐ฃ๐2
๐ฃ13
๐ฃ23
โฎ
๐ฃ๐3
โฏ
โฏ
โฑ
โฏ
๐ฃ1๐
๐ฃ2๐
โฎ
๐ฃ๐๐
CRT decomposition
Can embed ๐ sets of linear PCP queries in the slots of the CRT decomposition โ batch
proof verification
-
Towards Quasi-Optimality
Consider vector encryption where plaintext space is a ring ๐ :๐ โ ๐ฝ๐ ร ๐ฝ๐ ร โฏร ๐ฝ๐
splits into ๐ copies of ๐ฝ๐
1. For circuit satisfiability, take circuit ๐ถ and reduce it to checking ๐ formulas each of size ๐( ๐ถ ๐).
2. Each formula can be verified by a LPCP of length ๐( ๐ถ ๐).
3. Verify ๐ proofs in parallel using batching.
๐ฃ โ ๐ ๐
๐ฃ11
๐ฃ21
โฎ
๐ฃ๐1
๐ฃ12
๐ฃ22
โฎ
๐ฃ๐2
๐ฃ13
๐ฃ23
โฎ
๐ฃ๐3
โฏ
โฏ
โฑ
โฏ
๐ฃ1๐
๐ฃ2๐
โฎ
๐ฃ๐๐
CRT decomposition [See paper for full details.]
-
Towards Quasi-Optimality
Consider vector encryption where plaintext space is a ring ๐ :๐ โ ๐ฝ๐ ร ๐ฝ๐ ร โฏร ๐ฝ๐
splits into ๐ copies of ๐ฝ๐
1. For circuit satisfiability, take circuit ๐ถ and reduce it to checking ๐ formulas each of size ๐( ๐ถ ๐).
2. Each formula can be verified by a LPCP of length ๐( ๐ถ ๐).
3. Verify ๐ proofs in parallel using batching.
๐ฃ โ ๐ ๐
๐ฃ11
๐ฃ21
โฎ
๐ฃ๐1
๐ฃ12
๐ฃ22
โฎ
๐ฃ๐2
๐ฃ13
๐ฃ23
โฎ
๐ฃ๐3
โฏ
โฏ
โฑ
โฏ
๐ฃ1๐
๐ฃ2๐
โฎ
๐ฃ๐๐
CRT decomposition
Using Regev-style encryption over rings, prover complexity is now ๐( ๐ถ ) and
proof size is still ๐(๐) โ the first quasi-optimal SNARG from any assumption
[See paper for full details.]
-
Concrete Comparisons
ConstructionProver
ComplexityProofSize Assumption
Public vs.Designated
CS Proofs [Mic00]
Groth [Gro10]
GGPR [GGPR12]
BCIOP (Pairing) [BCIOP13]
BCIOP (LWE) [BCIOP13]
Our Construction (LWE)
Our Construction (RLWE)
Public
Public
Public
Designated
Designated
๐( ๐ถ + ๐2)
๐( ๐ถ 2๐ + ๐ถ ๐2)
๐( ๐ถ ๐)
๐( ๐ถ ๐)
๐( ๐ถ ๐)
๐( ๐ถ ๐)
๐( ๐ถ )
๐(๐2)
๐(๐)
๐(๐)
๐(๐)
๐(๐)
๐(๐)
๐(๐)
Public
Designated
Random Oracle
Knowledge of Exponent
Linear-Only Encryption
Linear-Only Vector Encryption
Only negl ๐ -soundness (instead of 2โ๐-soundness) against 2๐-bounded provers
-
Concrete Comparisons
ConstructionProver
ComplexityProofSize Assumption
Public vs.Designated
CS Proofs [Mic00]
Groth [Gro10]
GGPR [GGPR12]
BCIOP (Pairing) [BCIOP13]
BCIOP (LWE) [BCIOP13]
Our Construction (LWE)
Our Construction (RLWE)
Public
Public
Public
Designated
Designated
๐( ๐ถ + ๐2)
๐( ๐ถ 2๐ + ๐ถ ๐2)
๐( ๐ถ ๐)
๐( ๐ถ ๐)
๐( ๐ถ ๐)
๐( ๐ถ ๐)
๐( ๐ถ )
๐(๐2)
๐(๐)
๐(๐)
๐(๐)
๐(๐)
๐(๐)
๐(๐)
Public
Designated
Random Oracle
Knowledge of Exponent
Linear-Only Encryption
Linear-Only Vector Encryption
Post-quantum resistant!
-
Back to Obfuscationโฆ
For bootstrapping obfuscationโฆโข Obfuscate FHE decryption and SNARG verificationโข Degree of multilinearity: โ 212
โข Number of encodings: โ 244 Still infeasible, but much, much better than 2100 for previous
black-box constructions!
Looking into obfuscation gave us new insights into constructing better SNARGs:
โข More direct framework of building SNARGs from linear PCPsโข First quasi-succinct construction from standard latticesโข First quasi-optimal construction from ideal lattices
Many optimizations. [See paper for details.]
-
Open Problems
Publicly-verifiable SNARGs from lattice-based assumptions?
Stronger notion of quasi-optimality (achieve 2โ๐ soundness rather than negl(๐) soundness)?
Concrete efficiency of new lattice-based SNARGs?
Thank you!http://eprint.iacr.org/2017/240
top related