
Boosting Verifiable Computation on Encrypted Data, PKC 2020



  1. Boosting Verifiable Computation on Encrypted Data. PKC 2020. Dario Fiore, Anca Nitulescu, David Pointcheval

  2. Motivational Tale: The Bare Necessities of a Cloud User (In times of a Pandemic)

  3. Pandemics: biometric surveillance systems. User delegates its personal data to a symptom tracking app. [Diagram labels: data, Client, Server]

  4. Pandemics: biometric surveillance systems. User delegates its symptoms. Server computes diagnosis. [Diagram labels: data, f(data) = y, Client, Server]

  5. Pandemics: biometric surveillance systems. Server sends back diagnosis. [Diagram labels: data, f(data) = y, y, Client, Server]

  6. So many benefits! User receives diagnosis. Happy to hear he is healthy. [Diagram labels: data, healthy, Client, Server]

  7. Untrusted Server. User runs the risk of a corrupted server. [Diagram labels: data, healthy?, Client, Server]

  8. What can go wrong? Data can be stolen. Confidential data is exposed. [Diagram labels: data, symptoms, Client, Server]

  9. What can go wrong? Results can be modified: f(data) ≠ y. Results are not guaranteed to be correct. [Diagram labels: data, y, diagnosis, Client, Server]

  10. Solution for Privacy of Inputs. Data Privacy: Encryption. [Diagram labels: data, Server]

  11. (Fully) Homomorphic Encryption. Data Privacy: Homomorphic Encryption. [Gen09, BV11, BGV12, GSW13, CGGI16, CKKS17...]
     ✘ Privacy of inputs
     ✘ Malleability of data
     ✘ Privacy of output
     [Diagram labels: data, Encryption, Server]

  12. Solution for Integrity of the Computation: Verifiable Computation. [Diagram labels: data, f(x), π, Server]

  13. SNARKs = Proof Systems for lazy clients. Verifiable Computation: zk-SNARKs. [GGP10, GGPR13, PHGR13, Gro16, BBC+18...]
     ✘ Proof is succinct
     ✘ Minimal interaction
     ✘ Client verifies efficiently
     ✘ Server algo remains secret
     [Diagram labels: data, Server]

  14. Full Solution: Verifiable Computation on Encrypted Data. Data Privacy: Apply Eval of FHE. Computation Integrity. [Diagram labels: data, Server, π, result]

  15. Full Solution: Verifiable Computation on Encrypted Data. Data Privacy: Apply Eval of FHE. Computation Integrity.
     [FGP14] Efficiently verifiable computation on encrypted data. Dario Fiore, Rosario Gennaro, Valerio Pastro
     ✘ Combines FHE and homomorphic MAC
     ✘ Efficient VC for quadratic functions only
     ✘ Designated Verifier - it requires MAC key
     ✘ Verifier = Client (share secret key for FHE)
     ✘ Privacy of the inputs and the outputs (from Server)
     [Diagram labels: data, Server, π, result]

  16. Outline. [Roadmap graphic; label text as extracted: C Private VC Building Blocks Technical The Challenges END Goals Polynomial Commitments Option Strategy CaP zk-SNARKs s]

  17. Publicly Verifiable Computation with Privacy. [Diagram labels: Encrypt the Data, Compute & Prove, Server, Verify Result, data, π, result]

  18. Publicly Verifiable Computation with Privacy. [Diagram labels: Encrypt the Data, Compute & Prove, Server, Verify Result]
     Solution that improves on [FGP14]:
     ✘ Publicly verifiable: Client & Verifier do not share keys
     ✘ Efficiency for higher degree computations (arithmetic circuits)

  19. Idea: Exploit the specificity of FHE ciphertexts. [Diagram label: crs]
     Compactly Commit to ciphertexts
     Prove efficiently evaluation of circuit on ciphertexts
     zk-SNARK for verifiable and private delegation of computation

  20. FHE: Ciphertexts = Polynomials (ring-LWE, [BV11]). [Diagram: circuit with inputs P_1, P_2, P_3, P_4 and output P_6]

  21. Circuit over ciphertexts / over plaintexts. [Diagram: the same circuit over ciphertexts P_1, P_2, P_3, P_4 with output P_6, and over plaintexts a_1, a_2, a_3, a_4 with output a_6]

  22. Arithmetic Circuit over Polynomials. $O(d)$ scalar additions in [Diagram: circuit with inputs F(x), G(x), P(x), Q(x), intermediate values H(x), S(x), output T(x); coefficients p_0, ..., p_d and q_0, ..., q_d added to give s_0, ..., s_d]

  23. Arithmetic Circuit over Polynomials. $\sim d^2$ scalar multiplications in & reductions modulo of deg $d$. [Diagram: same circuit; products of coefficients s_0, ..., s_d and h_0, ..., h_d (terms s_{k-i} h_i) summed to give t_0, ..., t_{2d}]

  24. Arithmetic Circuit over Polynomials. $O(d)$ scalar additions. $O(d^2)$ scalar multiplications, $\sim O(d \log d)$ for large $d$. [Diagram: circuit with inputs F(x), G(x), P(x), Q(x), intermediate values H(x), S(x), output T(x)]

  25. Arithmetic Circuit over Polynomials. n inputs, m gates: $O(m \cdot d)$ scalar additions & $O(m \cdot d \cdot \log d)$ scalar multiplications* (*for polynomials of degree d). [Diagram: circuit with inputs F(x), G(x), P(x), Q(x), intermediate values H(x), S(x), output T(x)]

  26. Goals: Efficient VC with Privacy. [Diagram labels: Encrypt the Data, Compute & Prove, Verify Result; F(x), G(x), P(x), Q(x), T(x)]
     Want a solution that:
     ✘ Compactly commits to the input ciphertexts → hiding from Verifier
     ✘ Reduces the proof for → efficiency close to cleartext proof for

  27. Compress Circuit over Polynomials. n inputs, m gates; evaluate in k. [Diagram: circuit over F(x), G(x), P(x), Q(x) with H(x), S(x) and output T(x), next to the same circuit over F(k), G(k), P(k), Q(k) with output T(k)]

  28. Prove Circuit over Scalars & Evaluation in k. n inputs; evaluate in k. $f = F(k)$, $g = G(k)$, $p = P(k)$, $q = Q(k)$. [Diagram: circuit over F(x), G(x), P(x), Q(x) with H(x), S(x) and output T(x), next to the circuit over scalars f, g, p, q with h, s and output t]

  29. Idea: Commit & Prove Methodology. $F(k) = f$, $G(k) = g$, $P(k) = p$, $Q(k) = q$. [Diagram: circuit over polynomials with output T(x), next to the circuit over scalars f, g, p, q with h, s and output t]

  30. Idea: Commit & Prove Methodology. $F(k) = f$, $G(k) = g$, $P(k) = p$, $Q(k) = q$. [Diagram: as on the previous slide, with labels σ and π added]

  31. Blueprint of our construction. [Diagram labels: crs, σ, π, VC]
     Compactly Commit to Polynomials
     ZK Proof for evaluation in random point k
     CaP zk-SNARK for arithmetic circuit over scalars
     Verifiable Computation with Privacy

  32. Our Techniques. [Roadmap graphic; label text as extracted: C Private VC Building Blocks Technical The Challenges END Goals Polynomial Commitments Option Strategy CaP zk-SNARKs s]

  33. Polynomial Commitments. [Diagram labels: Input P(x), Commit(P); circuit over F(x), G(x), P(x), Q(x) with H(x), S(x) and output T(x)]

  34. Polynomial Commitments - hiding inputs. [Diagram labels: Input P(x), Commit(P), Server; circuit over F(x), G(x), P(x), Q(x) with H(x), S(x) and output T(x)]

  35. Multi-Polynomial Commitments. [Diagram labels: Commitments F(x), G(x), T(x), P(x), Q(x); Single bi-variate Commitment Z(x,y); circuit over F(x), G(x), P(x), Q(x) with H(x), S(x) and output T(x)]

  36. Multi-Polynomial Commitments. $Z(x,y) = F(x) + G(x)\,y + T(x)\,y^2 + P(x)\,y^3 + Q(x)\,y^4$. [Diagram labels: Commitments F(x), G(x), T(x), P(x), Q(x); Single bi-variate Commitment Z(x,y)]

  37. Commit & Prove Evaluation. [Diagram: circuit over F(x), G(x), P(x), Q(x) with H(x), S(x) and output T(x), next to the circuit over scalars f, g, p, q with h, s and output t]

  38. Commit & Prove Evaluation. [Diagram: as on the previous slide, with labels Z(x,y) and V(y) added]

  39. Many Evaluations = Partial Evaluation. [Diagram labels: Z(x,y), V(y)]
     $Z(x,y) = F(x) + G(x)\,y + P(x)\,y^2 + Q(x)\,y^3$
     $V(y) = f + g\,y + p\,y^2 + q\,y^3$

  40. Many Evaluations = Partial Evaluation. [Diagram labels: Z(x,y), V(y)]
     $Z(x,y) = F(x) + G(x)\,y + P(x)\,y^2 + Q(x)\,y^3$
     $Z(k,y) = F(k) + G(k)\,y + P(k)\,y^2 + Q(k)\,y^3 = V(y) = f + g\,y + p\,y^2 + q\,y^3$

  41. Proof of Many Evaluations. σ: $Z(k,y) = V(y)$. [Diagram labels: Z(x,y), V(y); circuits over polynomials and over scalars]

  42. Proof of Arithmetic Circuit over Scalars. π: SNARK. σ: $Z(k,y) = V(y)$. [Diagram labels: Z(x,y), V(y); circuits over polynomials and over scalars]

  43. Reuse the same commitment. [CFQ19] Modular Commit-and-Prove (LegoSNARK). π: SNARK. σ: $Z(k,y) = V(y)$. [Diagram labels: Z(x,y), V(y); circuit over scalars f, g, p, q with h, s and output t]

  44. Reuse the same commitment. π: SNARK. σ: $Z(k,y) = V(y)$. [Diagram labels: Z(x,y), V(y); circuit over scalars f, g, p, q with h, s and output t]

  45. Σ-Protocol & Fiat-Shamir Heuristic. σ: $Z(k,y) = V(y)$.
     CaP zk-SNARK for Multi-Polynomial Evaluation:
     ✘ based on the SDH and PKE assumptions
     ✘ non-interactive and zero-knowledge
     ✘ evaluations are committed (never opened)
     Interactive Proof / Random Oracle Model:
     P: Commits to polynomials
     V: Sends random point / P: Queries point to RO
     P: Prove the evaluation

  46. Reuse the same commitment. [CFQ19] Modular Commit-and-Prove (LegoSNARK). π: SNARK. σ: $Z(k,y) = V(y)$. [Diagram labels: Z(x,y), V(y); circuit over scalars f, g, p, q with h, s and output t]

  47. CaP zk-SNARK for Arithmetic Circuits. π: CaP SNARK. [CFQ19] Lego-SNARK "lifting" tool.
     CRS for QAP (Quadratic Arithmetic Programs): pre-processing zk-SNARK Groth 16, CaP SNARK LegoGro16
     Universal, circuit-independent, updatable CRS: pre-processing zk-SNARK UAC - GKMMM 18, CaP SNARK LegoUAC

  48. Review of Contributions. [Roadmap graphic; label text as extracted: C Private VC Building Blocks Technical The Challenges END Goals Polynomial Commitments Option Strategy CaP zk-SNARKs s]

  49. Verifiable and private delegation of computation. [Diagram labels: Encrypt the Data, Compute & Prove, Verify Result; F(x), G(x), P(x), Q(x), T(x); F(k), G(k), P(k), Q(k), T(k)]
     ✘ CaP-SNARK for simultaneous evaluation of many committed polynomials (based on the SDH and PKE assumptions in the RO Model)
     ✘ Privacy: randomisation of ciphertexts & committed results of evaluation

  50. Thank you! eprint.iacr.org/2020/132. Questions? anca.nitulescu@ens.fr

  51. Credits. Special thanks to all those who made and released these resources for free:
     ✘ Presentation template by SlidesCarnival
     ✘ Illustrations by Disneyclips, Iconfinder and Flaticon
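
The compression step of slides 27-28 and the packing identity Z(k,y) = V(y) of slides 39-41, as an added Python example (not code from the talk or the paper). It works in the clear over a constructed prime field and leaves out the ring reduction, the commitments and the zero-knowledge proofs; names such as `MOD`, `verify_at` and `demo` are assumptions of this example.

```python
import secrets

MOD = 2**61 - 1  # prime field for this example (constructed; the slides fix no modulus)

def padd(a, b):  # coefficient-wise sum, the O(d) step of slide 22
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + y) % MOD for x, y in zip(a, b)]

def pmul(a, b):  # schoolbook product, the O(d^2) step of slide 23
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % MOD
    return out

def peval(p, k):  # Horner evaluation of p at k
    acc = 0
    for c in reversed(p):
        acc = (acc * k + c) % MOD
    return acc

def partial_eval(polys, k):
    """Coefficients in y of Z(k, y), where Z(x, y) = sum_j polys[j](x) * y^j."""
    return [peval(p, k) for p in polys]

def bivar_eval(polys, x, y):
    """Z(x, y) at a full point: evaluate in x first, then Horner in y."""
    return peval(partial_eval(polys, x), y)

def verify_at(F, G, P, Qx, T, k):
    """Scalar check at k for the circuit T = (F + G) * (P + Qx)."""
    f, g, p, q = partial_eval([F, G, P, Qx], k)  # V(y) = f + g*y + p*y^2 + q*y^3
    return (f + g) * (p + q) % MOD == peval(T, k)

def rand_poly(d):
    return [secrets.randbelow(MOD) for _ in range(d + 1)]

def demo(d=8):
    F, G, P, Qx = (rand_poly(d) for _ in range(4))
    T = pmul(padd(F, G), padd(P, Qx))   # honest server: work over polynomials
    bad = T[:]
    bad[3] = (bad[3] + 1) % MOD         # tampered result, one coefficient off
    k = secrets.randbelow(MOD - 1) + 1  # random nonzero evaluation point
    return verify_at(F, G, P, Qx, T, k), verify_at(F, G, P, Qx, bad, k)
```

A wrong T of degree at most 2d agrees with the honest one on at most 2d points of the field, so a random k exposes it except with probability about 2d / MOD.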
