non-interactive verifiable computing august 5, 2009 bryan parno carnegie mellon university rosario...

Non-InteractiveNon-InteractiveVerifiable ComputingVerifiable Computing

August 5, 2009

Bryan ParnoCarnegie Mellon University

Rosario Gennaro, Craig GentryIBM Research

2

Desire for Computing on Demand

• Instead of buying hardware, pay for computing power– Pay for exactly what you use– Quickly scale up/down

• Work done by:– Volunteers (SETI@Home, Folding@Home)– Companies (Amazon, GoGrid, etc)

Is the result correct?Is the result correct?

3

Verifiable Computation Intuition

F(·),x

1.Checks Proof (y)

2.Accepts y = F(x)

y F(x), Proof (y)F

x

Fx

Must be cheaper than computing F

Must be cheaper than computing F

4

Outline

• Introduction

• Prior work

• Definitions

• Preliminary Approaches

• Scheme & Proof Sketch

5

Prior Work• Secure Hardware

– Coprocessor, TPM, etc. [SW ’99, SZJvD ‘04, MPPRI ‘08,…]

• Specific Functions– Lookups, search on graphs, etc. [NN ’98, GTTCC ’01,…]

• General Functions– Kilian ‘92 & Micali ’94

• Worker does polynomial amount of work• Interactive (Non-interactive with random oracle or CRS)• Computational security

– GTR ‘08 (previous talk)• Interactive, with O(d) rounds• Requires uniform circuits• Secure against an all-powerful worker

6

Our Contribution

• Generic (works for any F)

• Intuitive and Efficient– Does not use ZKPs or PCPs

• Non-interactive

• Preserves input privacy

7

Outline

• Introduction

• Prior work

• Definitions

• Preliminary Approaches

• Scheme & Proof Sketch

8

• A Verifiable Computation (VC) scheme consists of 4 algorithms:

– KeyGen(F, λ) → PK, SK

– ProbGenSK(x) → σx

– ComputePK(σx) → σy

– VerifySK(σy) → y or

May reveal y or keep it private

Defining Verifiable Computing

Correctness:y = F(x)

Correctness:y = F(x)

May reveal x or keep it private

9

• A Verifiable Computation (VC) scheme consists of 4 algorithms:

– KeyGen(F, λ) → PK, SK

– ProbGenSK(x) → σx

– ComputePK(σx) → σy

– VerifySK(σy) → y or

Defining Verifiable Computing

Efficiency:Efficiency:

O(|F|)

O(|x|)

O(|y|)

O(|F|)

10

SecurityPK, SK ← KeyGen(F, λ)

ProbGenSK(·)

x σx

y ← VerifySK(σy)y ≠ and

y ≠ F(x)

PK

(x,σy)

Adversary wins if:

11

Outline

• Introduction

• Prior Work

• Definitions

• Preliminary Approaches– Fully-homomorphic encryption– MPC

• Scheme & Proof Sketch

12

Is Fully-Homomorphic Encryption Sufficient?

• Full homomorphism allows multiplication and addition of encrypted data

• Naïve scheme:

1. Encrypt inputs

2. Ask worker to apply F(·) homomorphically

3. Decrypt results

4. ???

5. Profit!This is insecure!This is insecure!

13

Fully-Homomorphic Encryption is Insufficient!

F(A, B, C) = (A * B) + C

EK(A), EK(B), EK(C)

(EK(A) + EK(B)) * EK(C)

EK((A+B)*C)

Result decrypts correctly

But (A+B)*C ≠ (A*B)+C !As usual,

Secrecy ≠ IntegrityAs usual,

Secrecy ≠ Integrity

14

Can Multi-Party Computation Help?

• MPC protocols are typically at least as expensive as the original computation

• Key Insight: We can convert Yao’s Garbled Circuit Scheme

into a 1-time Verifiable Computation

A 1-time Verifiable Computation is still not efficient

But we can fix that!

15

Refresher on Yao’s Circuits: Overview

A B

Goal: - Compute Y ← F(A,B) - Without revealing A or B

F → CG(C), G(A)

G(B)Oblivious Transfer

G(A) G(B)

G(C)

G(Y)G(Y)

Y

Note: Assumes honest-but-curious parties

16

Yao’s Circuit Construction

g

A B

Z

A B Z

0 0 g(0,0)

0 1 g(0,1)

1 0 g(1,0)

1 1 g(1,1)

A B Z

a0 b0 zg(0,0) Ea (Eb (zg(0,0)))

a0 b1 zg(0,1) Ea (Eb (zg(0,1)))

a1 b0 zg(1,0) Ea (Eb (zg(1,0)))

a1 b1 zg(1,1) Ea (Eb (zg(1,1)))

a0 a1 b0 b1

z0 z1

0

0

1

1 1

1

0

0

ai, bi, zi {0,1}λR

G(g)

Alice sends Bob:1. G(g)2. a0 or a1

3. b0 or b1

Via Oblivious Transfer

17

Yao’s Circuit Computation

Db (Da (Ea (Eb (zg(0,0)))))

Db (Da (Ea (Eb (zg(0,1)))))

Db (Da (Ea (Eb (zg(1,0)))))

Db (Da (Ea (Eb (zg(1,1)))))

• Given a0 and b1 Bob computes:

0

0

1

1 1

1

0

0

0

0

0

0

1

1

1

1

• Bob returns zg(0,1) to Alice

• Alice maps zg(0,1) to g(0,1)

g

A B

Z

a0 a1 b0 b1

z0 z1

18

Making Yao 1-time Verifiable

x

F → CG(C), G(x) G(x)

G(C)

G(y)G(y)Verify G(y) is“correct”

19

Verifying the Computation of aYao Circuit

• Bob returns z

• Alice accepts Bob’s response if:

z = z0

orz = z1

• Security Intuition:– Encryption scheme guarantees

secrecy of incorrect zi

– Since z0 and z1 are randomly chosen,

probability of a correct guess is 2-λ

g

A B

Z

a0 a1 b0 b1

z0 z1

ai, bi, zi {0,1}λR

No longer assumes honest-but-curious worker!

^

^

^

20

Yao is Not Outsourceable• Constructing the Yao circuit takes time O(C)

• Reusing the same circuit for a different input allows adversary to recycle previous output

• Constructing a new circuit is as expensive as computing F

21

Outline

• Introduction

• Prior Work

• Definitions

• Preliminary Approaches

• Scheme & Proof Sketch

22

Our Scheme: Overview• Intuition: Use fully-homomorphic encryption to make

Yao circuits reusable

• Build the garbled Yao circuit G(C) as before

• For each input x, Alice gives out EncryptK(G(x))– Chooses a new key K for the fully-homomorphic scheme– Encrypts the Yao wire values G(x) corresponding to x

• Adversary uses homomorphism to evaluate G(C) and obtain an encryption of the output wire values:

EncryptK(G(y))

Intuition: Per-input key prevents output reuseIntuition: Per-input key prevents output reuseProvides input privacy too!Provides input privacy too!

23

KeyGen(F, λ): Represent F as circuit CRun Yao on CPK ← G(C) SK ← ai, bi, zi {0,1}λ

ProbGenSK(x)PKε, SKε ← GenKeyε(λ)

σx ← (PKε, Enc(PKε, ai),

Enc(PKε, bi),…)

ComputePK(σx)Construct a circuit D representing Yao’s decryption function

Apply D homomorphically to get σy

VerifySK(σy)Use SKε to decrypt σy

If result is not one of zi, return Else return y

Garble the circuit computing F.Public key is the garbled circuitSecret key is the labels.

Create a new key for the homomorphic encryption scheme.Encrypt the correct input wire values

Use ε’s homomorphism to obtain an encryption of the correct output wire value

Check that decrypted output matches a valid output wire label

24

Proof Sketch

• Intuition

– Yao is a secure 1-time verifiable computation

– Multiple executions don’t help the attacker• In each execution, labels are encrypted with a

different instance of a semantically secure scheme

25

Performance

• Garble the circuit C once O(|C|)

• Garble each input X O(|X|)

• Verify each output Y O(|Y|)

Amortized cost:Size of Input + Size of Output

Amortized cost:Size of Input + Size of Output

Client:

• Homomorphically “decrypt” O(|C|)through the circuit

Worker:

26

Conclusions & Open Problems• Growth of computing-as-a-resource will

require verifiability of results

• Combining Yao with fully-homomorphic encryption yields a (theoretically) efficient, non-interactive protocol

• Can we construct a verifiable computation scheme using “regular” homomorphic encryption?

• Can we create a verifiable computation with non-repudiation?

27

Thank you!parno@cmu.edu