non-interactive verifiable computing august 5, 2009 bryan parno carnegie mellon university rosario...
TRANSCRIPT
Non-InteractiveNon-InteractiveVerifiable ComputingVerifiable Computing
August 5, 2009
Bryan ParnoCarnegie Mellon University
Rosario Gennaro, Craig GentryIBM Research
2
Desire for Computing on Demand
• Instead of buying hardware, pay for computing power– Pay for exactly what you use– Quickly scale up/down
• Work done by:– Volunteers (SETI@Home, Folding@Home)– Companies (Amazon, GoGrid, etc)
Is the result correct?Is the result correct?
3
Verifiable Computation Intuition
F(·),x
1.Checks Proof (y)
2.Accepts y = F(x)
y F(x), Proof (y)F
x
Fx
Must be cheaper than computing F
Must be cheaper than computing F
4
Outline
• Introduction
• Prior work
• Definitions
• Preliminary Approaches
• Scheme & Proof Sketch
5
Prior Work• Secure Hardware
– Coprocessor, TPM, etc. [SW ’99, SZJvD ‘04, MPPRI ‘08,…]
• Specific Functions– Lookups, search on graphs, etc. [NN ’98, GTTCC ’01,…]
• General Functions– Kilian ‘92 & Micali ’94
• Worker does polynomial amount of work• Interactive (Non-interactive with random oracle or CRS)• Computational security
– GTR ‘08 (previous talk)• Interactive, with O(d) rounds• Requires uniform circuits• Secure against an all-powerful worker
6
Our Contribution
• Generic (works for any F)
• Intuitive and Efficient– Does not use ZKPs or PCPs
• Non-interactive
• Preserves input privacy
7
Outline
• Introduction
• Prior work
• Definitions
• Preliminary Approaches
• Scheme & Proof Sketch
8
• A Verifiable Computation (VC) scheme consists of 4 algorithms:
– KeyGen(F, λ) → PK, SK
– ProbGenSK(x) → σx
– ComputePK(σx) → σy
– VerifySK(σy) → y or
May reveal y or keep it private
Defining Verifiable Computing
Correctness:y = F(x)
Correctness:y = F(x)
May reveal x or keep it private
9
• A Verifiable Computation (VC) scheme consists of 4 algorithms:
– KeyGen(F, λ) → PK, SK
– ProbGenSK(x) → σx
– ComputePK(σx) → σy
– VerifySK(σy) → y or
Defining Verifiable Computing
Efficiency:Efficiency:
O(|F|)
O(|x|)
O(|y|)
O(|F|)
10
SecurityPK, SK ← KeyGen(F, λ)
ProbGenSK(·)
x σx
y ← VerifySK(σy)y ≠ and
y ≠ F(x)
PK
(x,σy)
Adversary wins if:
11
Outline
• Introduction
• Prior Work
• Definitions
• Preliminary Approaches– Fully-homomorphic encryption– MPC
• Scheme & Proof Sketch
12
Is Fully-Homomorphic Encryption Sufficient?
• Full homomorphism allows multiplication and addition of encrypted data
• Naïve scheme:
1. Encrypt inputs
2. Ask worker to apply F(·) homomorphically
3. Decrypt results
4. ???
5. Profit!This is insecure!This is insecure!
13
Fully-Homomorphic Encryption is Insufficient!
F(A, B, C) = (A * B) + C
EK(A), EK(B), EK(C)
(EK(A) + EK(B)) * EK(C)
EK((A+B)*C)
Result decrypts correctly
But (A+B)*C ≠ (A*B)+C !As usual,
Secrecy ≠ IntegrityAs usual,
Secrecy ≠ Integrity
14
Can Multi-Party Computation Help?
• MPC protocols are typically at least as expensive as the original computation
• Key Insight: We can convert Yao’s Garbled Circuit Scheme
into a 1-time Verifiable Computation
A 1-time Verifiable Computation is still not efficient
But we can fix that!
15
Refresher on Yao’s Circuits: Overview
A B
Goal: - Compute Y ← F(A,B) - Without revealing A or B
F → CG(C), G(A)
G(B)Oblivious Transfer
G(A) G(B)
G(C)
G(Y)G(Y)
Y
Note: Assumes honest-but-curious parties
16
Yao’s Circuit Construction
g
A B
Z
A B Z
0 0 g(0,0)
0 1 g(0,1)
1 0 g(1,0)
1 1 g(1,1)
A B Z
a0 b0 zg(0,0) Ea (Eb (zg(0,0)))
a0 b1 zg(0,1) Ea (Eb (zg(0,1)))
a1 b0 zg(1,0) Ea (Eb (zg(1,0)))
a1 b1 zg(1,1) Ea (Eb (zg(1,1)))
a0 a1 b0 b1
z0 z1
0
0
1
1 1
1
0
0
ai, bi, zi {0,1}λR
G(g)
Alice sends Bob:1. G(g)2. a0 or a1
3. b0 or b1
Via Oblivious Transfer
17
Yao’s Circuit Computation
Db (Da (Ea (Eb (zg(0,0)))))
Db (Da (Ea (Eb (zg(0,1)))))
Db (Da (Ea (Eb (zg(1,0)))))
Db (Da (Ea (Eb (zg(1,1)))))
• Given a0 and b1 Bob computes:
0
0
1
1 1
1
0
0
0
0
0
0
1
1
1
1
• Bob returns zg(0,1) to Alice
• Alice maps zg(0,1) to g(0,1)
g
A B
Z
a0 a1 b0 b1
z0 z1
18
Making Yao 1-time Verifiable
x
F → CG(C), G(x) G(x)
G(C)
G(y)G(y)Verify G(y) is“correct”
19
Verifying the Computation of aYao Circuit
• Bob returns z
• Alice accepts Bob’s response if:
z = z0
orz = z1
• Security Intuition:– Encryption scheme guarantees
secrecy of incorrect zi
– Since z0 and z1 are randomly chosen,
probability of a correct guess is 2-λ
g
A B
Z
a0 a1 b0 b1
z0 z1
ai, bi, zi {0,1}λR
No longer assumes honest-but-curious worker!
^
^
^
20
Yao is Not Outsourceable• Constructing the Yao circuit takes time O(C)
• Reusing the same circuit for a different input allows adversary to recycle previous output
• Constructing a new circuit is as expensive as computing F
21
Outline
• Introduction
• Prior Work
• Definitions
• Preliminary Approaches
• Scheme & Proof Sketch
22
Our Scheme: Overview• Intuition: Use fully-homomorphic encryption to make
Yao circuits reusable
• Build the garbled Yao circuit G(C) as before
• For each input x, Alice gives out EncryptK(G(x))– Chooses a new key K for the fully-homomorphic scheme– Encrypts the Yao wire values G(x) corresponding to x
• Adversary uses homomorphism to evaluate G(C) and obtain an encryption of the output wire values:
EncryptK(G(y))
Intuition: Per-input key prevents output reuseIntuition: Per-input key prevents output reuseProvides input privacy too!Provides input privacy too!
23
KeyGen(F, λ): Represent F as circuit CRun Yao on CPK ← G(C) SK ← ai, bi, zi {0,1}λ
ProbGenSK(x)PKε, SKε ← GenKeyε(λ)
σx ← (PKε, Enc(PKε, ai),
Enc(PKε, bi),…)
ComputePK(σx)Construct a circuit D representing Yao’s decryption function
Apply D homomorphically to get σy
VerifySK(σy)Use SKε to decrypt σy
If result is not one of zi, return Else return y
Garble the circuit computing F.Public key is the garbled circuitSecret key is the labels.
Create a new key for the homomorphic encryption scheme.Encrypt the correct input wire values
Use ε’s homomorphism to obtain an encryption of the correct output wire value
Check that decrypted output matches a valid output wire label
24
Proof Sketch
• Intuition
– Yao is a secure 1-time verifiable computation
– Multiple executions don’t help the attacker• In each execution, labels are encrypted with a
different instance of a semantically secure scheme
25
Performance
• Garble the circuit C once O(|C|)
• Garble each input X O(|X|)
• Verify each output Y O(|Y|)
Amortized cost:Size of Input + Size of Output
Amortized cost:Size of Input + Size of Output
Client:
• Homomorphically “decrypt” O(|C|)through the circuit
Worker:
26
Conclusions & Open Problems• Growth of computing-as-a-resource will
require verifiability of results
• Combining Yao with fully-homomorphic encryption yields a (theoretically) efficient, non-interactive protocol
• Can we construct a verifiable computation scheme using “regular” homomorphic encryption?
• Can we create a verifiable computation with non-repudiation?
