Boosting Verifiable Computation on Encrypted Data, PKC 2020


SLIDE 1

Boosting Verifiable Computation on Encrypted Data

PKC 2020

Dario Fiore, Anca Nitulescu, David Pointcheval

SLIDE 2

Motivational Tale: The Bare Necessities of a Cloud User

(In times of a Pandemic)

SLIDE 3

Pandemics biometric surveillance systems

User delegates its personal data to a symptom tracking app

[Diagram: Client, Server, data]

SLIDE 4

Pandemics biometric surveillance systems

User delegates its symptoms
Server computes diagnosis

[Diagram: Client, Server, data, f(data)=y]

SLIDE 5

Pandemics biometric surveillance systems

Server sends back diagnosis

[Diagram: Client, Server, data, f(data)=y, y]

SLIDE 6

So many benefits!

User receives diagnosis
Happy to hear he is healthy

[Diagram: Client, Server, data, healthy]

SLIDE 7

Untrusted Server

User runs the risk of a corrupted server

[Diagram: Client, Server, data, healthy?]

SLIDE 8

What can go wrong? Data can be stolen

Confidential data is exposed

[Diagram: Client, Server, data, symptoms]

SLIDE 9

What can go wrong? Results can be modified

Results are not guaranteed to be correct

[Diagram: Client, Server, data, f(data)≠y, y, diagnosis]

SLIDE 10

Solution for Privacy of Inputs

[Diagram: Data Privacy, Encryption, data, Server]

SLIDE 11

(Fully) Homomorphic Encryption

[Diagram: Data Privacy, Encryption, data, Server]

Homomorphic Encryption
✘ Privacy of inputs
✘ Malleability of data
✘ Privacy of output

[Gen09, BV11, BGV12, GSW13, CGGI16, CKKS17...]

SLIDE 12

Solution for Integrity of the Computation

Verifiable Computation

[Diagram: Server, data, f(x), π]

SLIDE 13

Verifiable Computation

zk-SNARKs
✘ Proof is succinct
✘ Minimal interaction
✘ Client verifies efficiently
✘ Server algo remains secret
[GGP10, GGPR13, PHGR13, Gro16, BBC+18...]

SNARKs = Proof Systems for lazy clients

[Diagram: Server, data]

SLIDE 14

Full Solution: Verifiable Computation on Encrypted Data

[Diagram: Server, Apply Eval of FHE, Computation Integrity, π, Data Privacy, data, result]

SLIDE 15

Full Solution: Verifiable Computation on Encrypted Data

[Diagram: Server, Apply Eval of FHE, Computation Integrity, π, Data Privacy, data, result]

[FGP14] Efficiently verifiable computation on encrypted data.
Dario Fiore, Rosario Gennaro, Valerio Pastro
✘ Combines FHE and homomorphic MAC
✘ Efficient VC for quadratic functions only
✘ Designated Verifier - it requires MAC key
✘ Verifier = Client (share secret key for FHE)
✘ Privacy of the inputs and the outputs (from Server)

SLIDE 16

Outline

Private VC
Goals
Strategy
Building Blocks
Polynomial Commitments
CaP zk-SNARKs
Technical Challenges
The END

SLIDE 17

Publicly Verifiable Computation with Privacy

Encrypt the Data
Compute & Prove
Verify Result

[Diagram: Server, data, result, π]

SLIDE 18

Publicly Verifiable Computation with Privacy

Encrypt the Data
Compute & Prove
Verify Result

Solution that improves on [FGP14]:
✘ Publicly verifiable: Client & Verifier do not share keys
✘ Efficiency for higher degree computations (arithmetic circuits)

SLIDE 19

Idea: Exploit the specificity of FHE ciphertexts

Compactly Commit to ciphertexts
Prove efficiently evaluation of circuit on ciphertexts

zk-SNARK for verifiable and private delegation of computation

[Diagram: crs]

SLIDE 20

FHE: Ciphertexts = Polynomials (ring-LWE, [BV11])

[Diagram: circuit of gates with labels P1, P2, P3, P4, P6]

SLIDE 21

Circuit over ciphertexts / over plaintexts

[Diagram: two circuits of gates, with labels a1, a2, a3, a4, a6 and P1, P2, P3, P4, P6]

SLIDE 22

Arithmetic Circuit over Polynomials

O(d) scalar additions in

[Diagram: circuit with labels F(x), G(x), P(x), Q(x), H(x), S(x), T(x); coefficients p0, q0, p1, q1, ..., pd, qd and s0, s1, ..., sd]

SLIDE 23

Arithmetic Circuit over Polynomials

~ d^2 scalar multiplications in
& reductions modulo of deg d

[Diagram: circuit with labels F(x), G(x), P(x), Q(x), H(x), S(x), T(x); coefficients t0, t1, ..., tk, ..., t2d; products h0 sk, ..., hi sk-i, ..., hd sd]

SLIDE 24

Arithmetic Circuit over Polynomials

O(d) scalar additions
O(d^2) scalar multiplications, ~ O(d log d) for large d

[Diagram: circuit with labels F(x), G(x), P(x), Q(x), H(x), S(x), T(x)]

SLIDE 25

Arithmetic Circuit over Polynomials

O(m⋅d) scalar additions & O(m⋅d⋅log d) scalar multiplications*
*for polynomials of degree d

m gates, n inputs

[Diagram: circuit with labels F(x), G(x), P(x), Q(x), H(x), S(x), T(x)]

SLIDE 26

Goals: Efficient VC with Privacy

Encrypt the Data
Compute & Prove
Verify Result

[Diagram: labels F(x), G(x), P(x), Q(x), T(x)]

Want a solution that:
✘ Compactly commits to the input ciphertexts → hiding from Verifier
✘ Reduces the proof for → efficiency close to cleartext proof for

SLIDE 27

Compress Circuit over Polynomials

evaluate in k

m gates, n inputs

[Diagram: circuit over F(x), G(x), P(x), Q(x), H(x), S(x), T(x) beside circuit over F(k), G(k), P(k), Q(k), T(k)]

SLIDE 28

Prove Circuit over Scalars & Evaluation in k

evaluate in k:
f = F(k)
g = G(k)
p = P(k)
q = Q(k)

n inputs

[Diagram: circuit over F(x), G(x), P(x), Q(x), H(x), S(x), T(x) beside circuit over f, g, p, q, h, s, t]

SLIDE 29

Idea: Commit & Prove Methodology

F(k) = f
G(k) = g
P(k) = p
Q(k) = q

[Diagram: circuit over F(x), G(x), P(x), Q(x), H(x), S(x), T(x) beside circuit over f, g, p, q, h, s, t]

SLIDE 30

Idea: Commit & Prove Methodology

F(k) = f
G(k) = g
P(k) = p
Q(k) = q

[Diagram: circuit over F(x), G(x), P(x), Q(x), H(x), S(x), T(x) beside circuit over f, g, p, q, h, s, t; proofs π, σ]

SLIDE 31

Blueprint of our construction

Compactly Commit to Polynomials
ZK Proof for evaluation in random point k
CaP zk-SNARK for arithmetic circuit over scalars

Verifiable Computation with Privacy

[Diagram: crs, σ, π, VC]

SLIDE 32

Building Blocks

Polynomial Commitments
CaP zk-SNARKs

Our Techniques

[Outline: Private VC, Goals, Strategy, Technical Challenges, The END]

SLIDE 33

Polynomial Commitments

Input P(x)
Commit(P)

[Diagram: circuit with labels F(x), G(x), P(x), Q(x), H(x), S(x), T(x)]

SLIDE 34

Polynomial Commitments - hiding inputs

Input P(x)
Commit(P)

[Diagram: Server; circuit with labels F(x), G(x), P(x), Q(x), H(x), S(x), T(x)]

SLIDE 35

Multi-Polynomial Commitments

Commitments: F(x), G(x), T(x), P(x), Q(x)
Single bi-variate Commitment: Z(x,y)

[Diagram: circuit with labels F(x), G(x), P(x), Q(x), H(x), S(x), T(x)]

SLIDE 36

Multi-Polynomial Commitments

Commitments: F(x), G(x), T(x), P(x), Q(x)
Single bi-variate Commitment: Z(x,y)

Z(x,y) = F(x) + G(x)y + T(x)y^2 + P(x)y^3 + Q(x)y^4

[Diagram: circuit with labels F(x), G(x), P(x), Q(x), H(x), S(x), T(x)]

SLIDE 37

Commit & Prove Evaluation

[Diagram: circuit over F(x), G(x), P(x), Q(x), H(x), S(x), T(x) beside circuit over f, g, p, q, h, s, t]

SLIDE 38

Commit & Prove Evaluation

[Diagram: circuit over F(x), G(x), P(x), Q(x), H(x), S(x), T(x) with Z(x,y) beside circuit over f, g, p, q, h, s, t with V(y)]

SLIDE 39

Many Evaluations = Partial Evaluation

Z(x,y) = F(x) + G(x)y + P(x)y^2 + Q(x)y^3
V(y) = f + g y + p y^2 + q y^3

[Diagram: circuit over F(x), G(x), P(x), Q(x), H(x), S(x), T(x) with Z(x,y) beside circuit over f, g, p, q, h, s, t with V(y)]

SLIDE 40

Many Evaluations = Partial Evaluation

Z(x,y) = F(x) + G(x)y + P(x)y^2 + Q(x)y^3
Z(k,y) = F(k) + G(k)y + P(k)y^2 + Q(k)y^3
V(y) = f + g y + p y^2 + q y^3
Z(k,y) = V(y)

[Diagram: circuit over F(x), G(x), P(x), Q(x), H(x), S(x), T(x) with Z(x,y) beside circuit over f, g, p, q, h, s, t with V(y)]
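
Added example (not from the slides or the paper): the algebra behind "Compress Circuit over Polynomials" (evaluate in k) and "Many Evaluations = Partial Evaluation", checked in plain Python. It assumes a toy circuit T = (F + G)·(P + Q), a constructed prime modulus and constructed coefficient lists, and it omits the commitments, zero-knowledge proofs and ring reductions of the actual scheme.

```python
import secrets

Q_MOD = 2**61 - 1  # constructed prime modulus standing in for the scalar field

def poly_add(a, b):
    n = max(len(a), len(b))
    return [((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % Q_MOD
            for i in range(n)]

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % Q_MOD
    return out

def poly_eval(a, k):
    acc = 0
    for c in reversed(a):  # Horner's rule
        acc = (acc * k + c) % Q_MOD
    return acc

def circuit(add, mul, f, g, p, q):
    # Hypothetical toy circuit: H = F + G, S = P + Q, T = H * S.
    return mul(add(f, g), add(p, q))

def partial_eval(polys, k):
    # Z(x,y) = sum_i polys[i](x) * y^i; fixing x = k leaves V(y) with these coefficients.
    return [poly_eval(p, k) for p in polys]

def scalar_circuit(vals):
    return circuit(lambda a, b: (a + b) % Q_MOD, lambda a, b: (a * b) % Q_MOD, *vals)

def consistent(polys, T, V, k):
    # Both relations from the slides: Z(k,y) = V(y), and the scalar circuit on V gives T(k).
    return partial_eval(polys, k) == V and scalar_circuit(V) == poly_eval(T, k)

def run(k=None):
    polys = [[3, 1, 4], [1, 5, 9], [2, 6, 5], [3, 5, 8]]  # constructed F, G, P, Q
    k = secrets.randbelow(Q_MOD) if k is None else k
    T = circuit(poly_add, poly_mul, *polys)
    V = partial_eval(polys, k)
    wrong_T = poly_add(T, [1])  # a result polynomial that differs from the true T(x)
    return consistent(polys, T, V, k), consistent(polys, wrong_T, V, k)

if __name__ == "__main__":
    print(run())
```
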

SLIDE 41

Proof of Many Evaluations

Z(k,y) = V(y)

[Diagram: circuit over F(x), G(x), P(x), Q(x), H(x), S(x), T(x) with Z(x,y) beside circuit over f, g, p, q, h, s, t with V(y); proof σ]

SLIDE 42

Proof of Arithmetic Circuit over Scalars

Z(k,y) = V(y)

[Diagram: circuit over F(x), G(x), P(x), Q(x), H(x), S(x), T(x) with Z(x,y) beside circuit over f, g, p, q, h, s, t with V(y); SNARK; proofs π, σ]

SLIDE 43

Reuse the same commitment

Z(k,y) = V(y)

[CFQ19] Modular Commit-and-Prove (LegoSNARK)

[Diagram: Z(x,y); circuit over f, g, p, q, h, s, t with V(y); SNARK; proofs π, σ]

SLIDE 44

Reuse the same commitment

Z(k,y) = V(y)

[Diagram: Z(x,y); circuit over f, g, p, q, h, s, t with V(y); SNARK; proofs π, σ]

SLIDE 45

Σ-Protocol & Fiat-Shamir Heuristic

CaP zk-SNARK for Multi-Polynomial Evaluation
✘ based on the SDH and PKE assumptions
✘ non-interactive and zero-knowledge
✘ evaluations are committed (never opened)

Interactive Proof / Random Oracle Model
P: Commits to polynomials
V: Sends random point
P: Queries point to RO
P: Prove the evaluation

Z(k,y) = V(y)

[Diagram: proof σ]

SLIDE 46

Reuse the same commitment

Z(k,y) = V(y)

[CFQ19] Modular Commit-and-Prove (LegoSNARK)

[Diagram: Z(x,y); circuit over f, g, p, q, h, s, t with V(y); SNARK; proofs π, σ]

SLIDE 47

CaP zk-SNARK for Arithmetic Circuits

Lego-SNARK “lifting” tool
zk-SNARK
Pre-Processing
Groth 16
CRS for QAP
Quadratic Arithmetic Programs
LegoGro16
UAC - GKMMM 18
Universal, circuit-independent, updatable CRS
LegoUAC

CaP SNARK [CFQ19]

[Diagram: proof π]

SLIDE 48

Review of Contributions

[Outline: Private VC, Goals, Strategy, Building Blocks, Polynomial Commitments, CaP zk-SNARKs, Technical Challenges, The END]

SLIDE 49

Verifiable and private delegation of computation

Encrypt the Data
Compute & Prove
Verify Result

✘ CaP-SNARK for simultaneous evaluation of many committed polynomials
(based on the SDH and PKE assumptions in the RO Model)
✘ Privacy: randomisation of ciphertexts & committed results of evaluation

[Diagram: labels F(x), G(x), P(x), Q(x), T(x) and F(k), G(k), P(k), Q(k), T(k)]

SLIDE 50

Thank you!

eprint.iacr.org/2020/132
Questions? anca.nitulescu@ens.fr

SLIDE 51

Credits

Special thanks to all those who made and released these resources for free:
✘ Presentation template by SlidesCarnival
✘ Illustrations by Disneyclips, Iconfinder and Flaticon