Posted on 14-Dec-2015


New Publicly Verifiable Databases with Efficient Updates

Xiaofeng Chen Virginiatech

Agenda

• Outsourcing Computation
• Verifiable Computation
• Verifiable Database with Updates (VDB)
• New Construction for VDB
• Future Work

1. Outsourcing Computation

• You want to eat a fish = You need to be a fisherman (NEVER!)
• Cloud computing facilitates outsourcing computation.
• Outsourcing computation paradigm:
  – clients with resource-constrained devices can outsource their heavy computation workloads to the cloud server.
• Outsourcing computation also suffers from some new security challenges.

Outsourcing Computation Architecture

Security model

• Who is the adversary: the untrusted server(s)
  – Honest but curious
  – Lazy but honest
  – One malicious of two untrusted programs
  – Refereed delegation of computation
  – Fully malicious (dishonest, curious, lazy, …) – the strongest model

How to achieve ?

• Secrecy: encryption (partial solution) + blinding
  – Blinding can preserve some inherent property of the operations.
  – It requires different logic divisions and blinding techniques.
  – FHE is inefficient for real-world applications.

[Figure: encryption (m → c under key k) versus blinding (m with a blind factor), illustrated with g^x mod p, h^x mod p and (mg)^x mod p.]

How to achieve ?

• Checkability (verifiability): how to verify the result of a malicious server?
  – Some programming error
  – Intentionally sending a computationally indistinguishable (random) result for financial reasons

How to achieve ?

• Three kinds of Checkability (verifiability):
  – Inversion of one-way function problems:
    F: given y = f(x), compute x, where f is a one-way function.
    Verification is trivial: just compute f(x) and check whether it equals y.

How to achieve ?

• Three kinds of Checkability (verifiability):
  – Multiple (non-colluding) servers:
    given the test queries to (at least two) servers, verification is trivial and amounts to checking whether the two outputs are equal:
    f(x)_1 =? f(x)_2 (This is a probabilistic algorithm!)

Note: This idea is a little similar to the prisoner's dilemma in game theory.

How to achieve ?

• Checkability (verifiability):
  – One malicious server: verifiable computation
    The server needs to provide some auxiliary proof to support result verification. It requires different kinds of knowledge-proof techniques.

How to achieve ?

• Efficiency: verification must be efficient
  – The (non-interactive) proof verification is efficient (esp. in the 3rd case)
  – Computational resources, storage resources, communication resources, etc.
  – The verification requires fewer resources than the computation task itself!!

Research status

• Theoretical community: scientific computation such as matrix multiplications (inversion), quadrature, linear equations (programming), sequence comparisons, ……
• Cryptographic community: wallet with observers, bilinear pairing, modular exponentiations, OABE, OABS, inversion of one-way functions, ……
  – Verifiable computation: will be given later

2. Verifiable Computation

• A protocol between a client and the untrusted server;
  – C: a function and some input; S: outputs and some proof;
  – It mainly focuses on the 3rd case of outsourcing computation
  – Though C is resource-constrained, it is allowed to perform a one-time expensive setup phase (offline; pre-computation)

Formal definitions

Security properties

• Correct: the value and proof generated by the honest server can always be verified successfully and accepted by the client.
  – an honest server results in a valid result and proof
• Secure: a malicious server cannot convince a verifier to accept an invalid output
  – a dishonest server results in an invalid result and proof
• Efficient: the verification should not involve plenty of expensive resources (computation, storage, communication)
  – For real-world applications

Three properties of ZKP:

• Completeness: if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover.
• Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability.
• Zero-knowledge: if the statement is true, no cheating verifier learns anything other than this fact.

State-of-the-art research

• Gennaro et al. first introduced and formalized the notion of verifiable computing. (Crypto 10)
• This work is suitable for any function (encoded as a Boolean circuit)
• Theoretically, no more research work is needed (totally solved!).
• FHE is a building block! Inefficient for practical applications.

State-of-the-art research

• Specific problems require specific tricks to design efficient schemes.
  – VC for very large datasets (Crypto 11)
  – Memory delegation (Crypto 11)
  – VC for large polynomials and matrix computations (CCS 12)
  – VC for multi-function (TCC 12)
  – VC for quadratic polynomials (CCS 13)
  – Making argument systems for outsourced computation practical (NDSS 12)
  – Taking proof-based verified computation a few steps closer to practicality (USENIX 12)
  – …..

3. Verifiable Database with Updates (VDB)

• A special kind of verifiable computing (storage)
• Benabbas et al. proposed the notion of VDB
  – Verifiable delegation of computation over large datasets (Crypto 11)

[Figure: Client–Server database outsourcing. The client queries index x and the server returns value v; after an update, the same query returns v'.]

Static Database

[Figure: the client stores (x; v; Sig(v)) at the server; a query for x returns v, Sig(v).]

Sig(v) cannot be forged!!

Dynamic (Updated) Database

[Figure: as above, the client stores (x; v; Sig(v)) and a query for x returns v, Sig(v), but now the value v gets updated.]

How to revoke the signature for the previous value? The client would have to keep track of every change locally. Why outsource then?

Verifiable Database with Updates

• How to design an efficient VDB?
• Previous works require either some non-constant-size assumptions or expensive operations;
  – q-Strong Diffie-Hellman assumption

Verifiable Database with Updates

• Why are standard assumptions good?
  – IF-related ones: IF; RSA; Strong-RSA; ……
  – DL-related ones: DL; CDH; DDH; ……
    » Bilinear pairing related ones ……

Benabbas-Gennaro-Vahlis Construction

• The BGV construction is the first practical solution, in bilinear groups with composite order (Crypto 11);
• The solution is based on verifiable delegation of polynomials (subgroup membership assumption);
• It cannot support public verifiability;

Catalano-Fiore Construction

• The second practical construction (PKC 2013);
• It is based on a primitive called vector commitment;
• The specific constructions are based on standard assumptions;
• Compared with the BGV construction, it only uses bilinear groups with prime order;
• It can support public verifiability
  – The private key of the client is not involved in the updating; surprisingly, it is empty!
  – Is it good or bad?

Commitment

– Hiding: A computationally bounded receiver learns nothing about m.
– Binding: it can only be “opened” to the value m.

[Figure: Commit phase: the sender commits to m and sends the commitment to the receiver. Open phase: the sender sends (r, m); the receiver runs the open verification algorithm on (r, m) and outputs yes/no.]

Commitment

• Commitment is one of the primitives in cryptography;
• One building block to design ZKP, authentication, financial cryptographic protocols etc.; ……
• Some variants of commitment (additional properties);
  – Trapdoor (chameleon) commitment: chameleon signatures (NDSS 2000), online-offline signatures (Crypto 2001), fair exchange protocols, ……
  – Mercurial commitment: ZKS (how to prove whether an element x is in a set or not; FOCS 2003)
  – Multi-trapdoor commitment; timed commitment, non-malleable commitment, …..

Vector Commitment

• Commit to a vector message (m1, m2, …, mq);
• Position binding: one should not be able to open the commitment to two different values at the same position.
• Hiding can be achieved by composing a standard commitment scheme with any vector commitment scheme that does not satisfy hiding. (Not a concern in VDB)
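As an added illustration (my own code, not from the talk or the Catalano-Fiore paper), a hash-based vector commitment built as a Merkle tree: it is position binding but not hiding, which is exactly the property set VDB needs, and it supports the single-position update a VDB performs. Unlike the pairing-based commitments the talk relies on, its openings grow with log q instead of being constant size; the function names are assumptions.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def vc_commit(values):
    """Commit to a vector of byte strings. Returns (root, layers): the root is
    the commitment C kept by the client, the layers stay with the server."""
    n = 1
    while n < len(values):
        n *= 2
    layer = [H(b"leaf", v) for v in values] + [H(b"pad")] * (n - len(values))
    layers = [layer]
    while len(layer) > 1:
        layer = [H(b"node", layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
        layers.append(layer)
    return layers[-1][0], layers

def vc_open(layers, i):
    """Opening for position i: the sibling hash at every level (O(log q) size)."""
    path, idx = [], i
    for layer in layers[:-1]:
        path.append(layer[idx ^ 1])
        idx //= 2
    return path

def vc_verify(root, i, value, path):
    """Recompute the root from (i, value, path). Position binding: a different
    value at the same position yields a different root (unless SHA-256 breaks)."""
    h, idx = H(b"leaf", value), i
    for sib in path:
        h = H(b"node", sib, h) if idx & 1 else H(b"node", h, sib)
        idx //= 2
    return h == root

def vc_update(layers, i, new_value):
    """Replace v_i and recompute only the path to the root; returns the new root C'."""
    layers[0][i] = H(b"leaf", new_value)
    idx = i
    for lvl in range(1, len(layers)):
        idx //= 2
        layers[lvl][idx] = H(b"node", layers[lvl - 1][2 * idx], layers[lvl - 1][2 * idx + 1])
    return layers[-1][0]
```

A query answer in the VDB picture is then (v_i, vc_open(layers, i)), and the client checks it against the root it holds.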

4. New Construction for VDB

• Our main contribution
  – The Catalano-Fiore Construction may suffer from the Forward Automatic Update (FAU) attack;
  – Propose a new framework that is publicly verifiable and secure against the FAU attack;
  – Present a concrete construction based on the Squ-CDH assumption (equivalent to the CDH assumption)

FAU attack

• The adversary (just like the real client) can update the database in a forward and automatic manner;
• Forward means that the update is based on the latest database (new update!).
  – We also defined the Backward Substitute Update attack
• Automatic means that the update can be performed at any time and at any step.

[Figure: sequence of database versions V0, V1, …, Vi, …, VL, VL+1.]

Why it suffers from FAU attack

• The secret key in the Catalano-Fiore Construction is not involved in the updating.
  – More precisely, the secret key of the client is empty.
• Why?
  – In the Crypto 11 construction, the secret key is used for updating and verification (thus private verifiability);
  – Guess: with no private key, verification is performed only using the public key? Thus it supports public verifiability.
  – Anyone can update the database (especially the server)!

Formal analysis

Paradox

• Using SK: cannot support public verifiability
• Not using SK: cannot resist the FAU attack
• How to solve this paradox?
  – SK must be used in the update;
  – A signature can be used but is not enough (needs revocation?)

Some Notations

• Database: (i, v_i);
• C is a vector commitment on the database values v_i;
• C(0), C(1), …, C(T) denote the successive updates of the database;

Our Main Idea

• Commitment binding technique: (after T updates)
  – it is difficult to forge a new BLS signature!

[Figure labels: BLS signature; counter; binding; database (current); public key (last time); public key (current).]

Our Main Idea

• Commitment binding technique: (after T updates)
• The definition for T = 0 (setup phase):
• This results in a general construction for VDB

Our Main Idea

• The proof consists of the (BLS) signature of the client and an opening of the vector commitment;
  – Both of them can be verified (only) with the public key;
• The update requires the secret key of the client.
  – No forward automatic update by the adversary
• The client need not store the changes locally or revoke the signature
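To make the paradox and the resulting design concrete, here is an added toy model (my own code, not the construction from the talk, which uses BLS signatures in bilinear groups and a Squ-CDH-based vector commitment): the client signs the pair (C(T), T) of current commitment and update counter with a textbook RSA-FDH key generated in-code, so anyone can check a state with the public key, only the secret-key holder can publish a new state, and a stale or server-forged state is rejected. The commitment is treated as an opaque 32-byte digest here; the function names and the 512-bit toy key size are assumptions.

```python
import hashlib, math, random

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test (n > 3 assumed)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits: int = 512):
    """Textbook RSA-FDH key pair: sk = (n, d), pk = (n, e). Toy size, for illustration."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, pow(e, -1, phi)), (p * q, e)

def sign(sk, msg: bytes) -> int:          # client only: needs the secret exponent d
    return pow(digest(msg), sk[1], sk[0])
def verify(pk, msg: bytes, sig: int) -> bool:   # anyone: needs only (n, e)
    return pow(sig, pk[1], pk[0]) == digest(msg)
def encode_state(commitment: bytes, counter: int) -> bytes:
    return b"VDB" + commitment + counter.to_bytes(8, "big")

def client_update(sk, commitment: bytes, counter: int):
    # Publish (C(T), T, sigma); only the secret-key holder can produce sigma.
    return commitment, counter, sign(sk, encode_state(commitment, counter))

def check_state(pk, state, latest_counter: int) -> bool:
    # Public check: valid signature AND counter equals the latest T known, so a stale state is rejected.
    c, t, sigma = state
    return t == latest_counter and verify(pk, encode_state(c, t), sigma)
```

A verifier only needs pk and the latest counter value; the server, holding the signed states but no d, can neither advance T nor swap in a commitment of its own choosing.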

A concrete VDB construction

• It is based on the following specific vector commitment;
• We proved that it satisfies the security properties under the Squ-CDH assumption;
• The construction is efficient since it is independent of the size of the database;
• It provides the first efficient VDB scheme that is both publicly verifiable and secure against the FAU attack;

5. Future Works

• Needs more simulation results… (though the Crypto 11 and PKC 13 papers never provide experimental results)
• For different kinds of update (delete, insert, or else…)
• Support updating more than one index in a step? It seems okay, needs deeper thought….
• Incremental update….

Thank you & questions?