computational integrity with a public random string from
play

Computational Integrity with a Public Random String from - PowerPoint PPT Presentation

Mar 08, 2023 •9 likes •469 views

Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Computational Integrity with a Public Random String from Quasi-Linear PCPs Michael Riabzev Technion - Israel Institute of Technology EUROCRYPT 2017

  1. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Computational Integrity with a Public Random String from Quasi-Linear PCPs Michael Riabzev Technion - Israel Institute of Technology EUROCRYPT 2017 Joint work with Eli Ben-Sasson, Iddo Ben-Tov, Alessandro Chiesa, Ariel Gabizon, Daniel Genkin, Matan Hamilis, Evgenya Pergament, Mark Silberstein, Eran Tromer and Madars Virza 1/25

  2. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Talk outline Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary 2/25

  3. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary 3/25

  4. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Motivation Definition (Computational-integrity 1 (CI)) The language of triples ( M , X , T ) such W that: Nondeterministic machine M accepts X , within at most T steps ( T is binary). Prover Verifier M ( X , W ) ⊢ < T accept Goal: Practical CI system implementation (POC) Take home message: Practical solutions without trusted-setup are achievable 1 This problem also known as checking [BFLS91], certifying [Mic00], delegating [GKR08],and verifying [GGP10] (computations). 4/25

  5. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Our result Today I will tell you about SCI: • “Scalable Computational Integrity” W • First implementation 2 of a theoretical construction that achieves all of the below: Prover Verifier M ( X , W ) ⊢ < T accept • Publicly verifiable • No trusted-setup • Universal • Succinct verification 2 Proof-of-concept in C++ 5/25

  6. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary 6/25

  7. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Other approaches • Designated-verifier/trusted-setup systems [IKO07, GGPR13, PGHR13, BCG + 13, BCG + 14, CFH + 15, . . . ] • � Tiny proofs (hundreds of bytes) • � Very efficient verification (milliseconds) • � Designated-verifier. . . • � . . . or require a trusted-setup 3 7/25

  8. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Other approaches • Designated-verifier/trusted-setup systems [IKO07, GGPR13, PGHR13, BCG + 13, BCG + 14, CFH + 15, . . . ] • � Tiny proofs (hundreds of bytes) • � Very efficient verification (milliseconds) • � Designated-verifier. . . • � . . . or require a trusted-setup • Non-universal systems [GKR08, RRR16, . . . ] • � No cryptographic assumptions • � Restricted class of programs 3 7/25

  9. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Other approaches • Designated-verifier/trusted-setup systems [IKO07, GGPR13, PGHR13, BCG + 13, BCG + 14, CFH + 15, . . . ] • � Tiny proofs (hundreds of bytes) • � Very efficient verification (milliseconds) • � Designated-verifier. . . • � . . . or require a trusted-setup • Non-universal systems [GKR08, RRR16, . . . ] • � No cryptographic assumptions • � Restricted class of programs • Non-succinct systems [Gro11, GMO16, . . . ] 3 • � Efficient prover • � Verification time ∼ program execution time 3 Succinct communication-complexity in [Gro11] 7/25

  10. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary 8/25

  11. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Background • Uses classical approach (PCP) [BM88, GMR89, BFL91, BGKW88, FLS99, BFLS91, AS98, ALM + 92, Kil92, Mic00, . . . ] • With recent asymptotic improvements [BGH + 05, BS08, BCS16] • And concrete (non-asymptotic) constructions [BCGT13, CA15] 9/25

  12. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Cryptographic assumption • Inner protocol (IOP[BCS16, RRR16] 4 ): • Provably sound 5 . 4 also known as PCIP in [RRR16] 5 Implementation uses security conjectures to improve concrete efficiency. 10/25

  13. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Cryptographic assumption • Inner protocol (IOP[BCS16, RRR16] 4 ): • Provably sound 5 . • Compilation to argument system: • Using the random oracle model. • Non-interactive using Fiat-Shamir heuristic. 4 also known as PCIP in [RRR16] 5 Implementation uses security conjectures to improve concrete efficiency. 10/25

  14. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Cryptographic assumption • Inner protocol (IOP[BCS16, RRR16] 4 ): • Provably sound 5 . • Compilation to argument system: • Using the random oracle model. • Non-interactive using Fiat-Shamir heuristic. • Implementation: • Treating the hash-function as a random-oracle. 4 also known as PCIP in [RRR16] 5 Implementation uses security conjectures to improve concrete efficiency. 10/25

  15. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Protocol overview (based on [Kil92]) 1. Prover constructs a proof for the CI claim • Proof is too big to be sent to verifier • Only Merkle commitment is passed to verifier • Interaction with verifier used to reduce load on prover • Formalized in [BCGRS17], to be presented in ICALP 2017 • Time complexity ˜ O ( T ) 2. Verifier draws polylog ( T ) random queries to proof, sends them to prover 3. Prover answers queries • Merkle paths added for integrity with commitment 4. Verifier decides whether to accept • False-rejection impossible • False-acceptance with probability < 2 − 80 11/25

  16. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Protocol overview (based on [Kil92]) 1. Prover constructs a proof for the CI claim • Proof is too big to be sent to verifier • Only Merkle commitment is passed to verifier • Interaction with verifier used to reduce load on prover • Formalized in [BCGRS17], to be presented in ICALP 2017 • Time complexity ˜ O ( T ) 2. Verifier draws polylog ( T ) random queries to proof, sends them to prover 3. Prover answers queries • Merkle paths added for integrity with commitment 4. Verifier decides whether to accept • False-rejection impossible • False-acceptance with probability < 2 − 80 11/25

  17. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary 12/25

  18. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Low-degree testing definition (informal) Verifier 13/25

  19. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Low-degree testing definition (informal) I wonder if this polynomial is of degree < 2 n . Too bad my time complexity is only poly ( n ) � Verifier 13/25

  20. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Low-degree testing definition (informal) I wonder if this polynomial is of degree < 2 n . Too bad my time complexity is only poly ( n ) � Of course it is low degree! Prover Verifier 13/25

  21. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Low-degree testing definition (informal) I wonder if this polynomial is of degree < 2 n . Too bad my time complexity is only poly ( n ) � Of course it is low degree! I don’t know you, why would I trust you? Prover Verifier 13/25

  22. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Low-degree testing definition (informal) I wonder if this polynomial is of degree < 2 n . Too bad my time complexity is only poly ( n ) � Of course it is low degree! I don’t know you, why would I trust you? Don’t trust—Verify! Here is a proof oracle! (PCPP) Prover Verifier 13/25

  23. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Low-degree testing • Low-degree testing is common in classical CI solutions • SCI is the first system implementing succinct low-degree testing • Based on [BS08] • In contrast: Trusted-setup systems use public-key cryptography that enforces low-degree polynomials • Using homomorphic encryption ⋰ ⋮ ⋱ ⋰ ⋮ ⋱ 14/25

  24. Goal Other approaches SCI overview Under the hood Measurements Acknowledgment Summary Low-degree testing — the [BS08] test The [BS08] test: Prover algorithm: • Given a candidate f ∶ F → F claimed to be of degree d • The prover constructs Q ∶ F × F → F s.t. √ deg x ( Q ) , deg y ( Q ) < d ⇐ ⇒ deg ( f ) < d ⋱ ⋰ ⋮ ⋱ ⋰ ⋮ 15/25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

02110 String indexing Computational geometry Introduction to NP-completeness Inge Li

02110 String indexing Computational geometry Introduction to NP-completeness Inge Li

Overview Balanced binary search trees: Red-black trees and 2-3-4 trees Amortized analysis Dynamic programming Network flows String matching 02110 String indexing Computational geometry Introduction to NP-completeness

596 views • 8 slides
02110 String indexing Computational geometry Introduction to NP-completeness Inge Li

02110 String indexing Computational geometry Introduction to NP-completeness Inge Li

Overview Balanced binary search trees: Red-black trees and 2-3-4 trees Amortized analysis Dynamic programming Network flows String matching 02110 String indexing Computational geometry Introduction to NP-completeness

116 views • 10 slides
KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY Blockchain &amp; Security Ruth Crowell, Chief Executive Asia Pacific Precious Metals

460 views • 10 slides
Public integrity reform: Public integrity reform: The role of the Ombudsman The role of the

Public integrity reform: Public integrity reform: The role of the Ombudsman The role of the

Public integrity reform: Public integrity reform: The role of the Ombudsman The role of the Ombudsman Richar chard B d Bingham ngham SA Ombudsman 19 September 2013 1 What I will speak about What I will speak about compare and contrast

449 views • 18 slides
ENHANCING INTEGRITY IN PUBLIC PROCUREMENT: THE OECDS HOLISTIC APPROACH Paulo Magina Head of

ENHANCING INTEGRITY IN PUBLIC PROCUREMENT: THE OECDS HOLISTIC APPROACH Paulo Magina Head of

ENHANCING INTEGRITY IN PUBLIC PROCUREMENT: THE OECDS HOLISTIC APPROACH Paulo Magina Head of the Public Procurement Unit Public Sector Integrity Division Public Governance and Territorial Development Directorate PRIMO Kiev May 2017

295 views • 26 slides
Strings &amp; StringBuffer String: Java library provides String class stores

Strings &amp; StringBuffer String: Java library provides String class stores

Strings &amp; StringBuffer String: Java library provides String class stores sequence of character data Example: public static void main(String[] args) { String s; s = Comp182&quot;; ... s = Comp282&quot;; } Strings

460 views • 19 slides
Random Numbers Computational Randomness is Hard The best known academic computer scientist at

Random Numbers Computational Randomness is Hard The best known academic computer scientist at

Eric Roberts Handout #23 CS 106A January 22, 2010 Random Numbers Computational Randomness is Hard The best known academic computer scientist at Random Numbers Stanfordand probably in the worldis Don Knuth, who has now been retired for

56 views • 4 slides
CS133 Computational Geometry Simplification Algorithms 1 Line Simplification ? 2 Line

CS133 Computational Geometry Simplification Algorithms 1 Line Simplification ? 2 Line

CS133 Computational Geometry Simplification Algorithms 1 Line Simplification ? 2 Line Simplification Given a line string and a distance threshold , return a simplified line string such that any point in the input line string is not

481 views • 23 slides
String Matching String matching problem: string T (text) and string P (pattern) over an

String Matching String matching problem: string T (text) and string P (pattern) over an

String Matching String matching problem: string T (text) and string P (pattern) over an alphabet . String Matching |T| = n, |P| = m. Report all starting positions of occurrences of P in T. Inge Li Grtz P = a b a b a c a T

468 views • 9 slides
Character String 1 What we should learn about strings Representation in C String Literals

Character String 1 What we should learn about strings Representation in C String Literals

10-02-2016 Character String 1 What we should learn about strings Representation in C String Literals String Variables String Input/Output printf, scanf, gets, fgets, puts, fputs String Functions strlen, strcpy,

663 views • 18 slides
Anti-Fraud Office of Catalonia | Prevention Directorate Author: Lara Baena Garca

Anti-Fraud Office of Catalonia | Prevention Directorate Author: Lara Baena Garca

Risks to integrity in public procurement: presentation of the project Risks to integrity in public procurement | Working Documents 1 Public procurement moves an immense volume of resources, and corruption, fraud and other irregularities produced

145 views • 13 slides
Data Streams: Random Order &amp; Multiple Passes 2009 Barbados Workshop on Computational

Data Streams: Random Order &amp; Multiple Passes 2009 Barbados Workshop on Computational

Data Streams: Random Order &amp; Multiple Passes 2009 Barbados Workshop on Computational Complexity Andrew McGregor Introduction Random Order Streams: Average case analysis: data is worst-case but order is random. Lower bounds are more

1.27k views • 84 slides
Computational Exploration of String Theory Michael R. Douglas 1 Simons Center / Stony Brook

Computational Exploration of String Theory Michael R. Douglas 1 Simons Center / Stony Brook

Computational Exploration of String Theory Michael R. Douglas 1 Simons Center / Stony Brook University AITP 2018 Aussois, France Michael R. Douglas (Simons Center) Computational Exploration of String Theory AITP 2018 1 / 30 Abstract

696 views • 66 slides
Computational Expression Random Class, Math Class, Wrapper Classes Janyl Jumadinova 30

Computational Expression Random Class, Math Class, Wrapper Classes Janyl Jumadinova 30

Computational Expression Random Class, Math Class, Wrapper Classes Janyl Jumadinova 30 September, 2019 Janyl Jumadinova Computational Expression 30 September, 2019 1 / 8 Random Class The Random class is part of the java.util package It

415 views • 15 slides
String Matching Inge Li Grtz CLRS 32 String Matching String matching problem: string

String Matching Inge Li Grtz CLRS 32 String Matching String matching problem: string

String Matching Inge Li Grtz CLRS 32 String Matching String matching problem: string T (text) and string P (pattern) over an alphabet . |T| = n, |P| = m. Report all starting positions of occurrences of P in T. P = a b a b

903 views • 43 slides
Computational Complexity of Cosmology in String Theory Michael R. Douglas 1 Simons Center / Stony

Computational Complexity of Cosmology in String Theory Michael R. Douglas 1 Simons Center / Stony

Computational Complexity of Cosmology in String Theory Michael R. Douglas 1 Simons Center / Stony Brook University NYU, November 29, 2017 Abstract Based on arXiv:1706.06430, with Frederik Denef, Brian Greene and Claire Zukowski. Michael R.

717 views • 69 slides
Towards Refactoring-Aware Regression Test Selection Kaiyuan Wang , Chenguang Zhu, Ahmet Celik,

Towards Refactoring-Aware Regression Test Selection Kaiyuan Wang , Chenguang Zhu, Ahmet Celik,

Towards Refactoring-Aware Regression Test Selection Kaiyuan Wang , Chenguang Zhu, Ahmet Celik, Jongwook Kim, Don Batory, Milos Gligoric Funded in part by the US National Science Foundation and a Google Faculty Research Award 1 Regression

783 views • 31 slides
Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like - Sec-ish - Ops-y Is this Kubernetes cluster secure? EPIC FAIL GIF How secure is Kubernetes? What this Kubernetes talk is about Common Pwns

1.18k views • 113 slides
Verifying, testing and running smart contracts in ConCert Danil Annenkov, Mikkel Milo, Jakob

Verifying, testing and running smart contracts in ConCert Danil Annenkov, Mikkel Milo, Jakob

Verifying, testing and running smart contracts in ConCert Danil Annenkov, Mikkel Milo, Jakob Botsch Nielsen and Bas Spitters Aarhus University, Concordium Blockchain Research Center The Coq Workshop 2020, July 6 #1 Danil Annenkov, Mikkel Milo,

607 views • 28 slides
Drug Testing and Marijuana in the New England Workplace Presented by: Charlie Einsiedler and

Drug Testing and Marijuana in the New England Workplace Presented by: Charlie Einsiedler and

Drug Testing and Marijuana in the New England Workplace Presented by: Charlie Einsiedler and Dan Strader October 11, 2018 Overview of Presentation What laws apply in each state? May employers prohibit use in and/ or outside

659 views • 41 slides
Mixminion a best-of-breed anonymous remailer (systems track) Nick Mathewson, Roger Dingledine

Mixminion a best-of-breed anonymous remailer (systems track) Nick Mathewson, Roger Dingledine

Mixminion a best-of-breed anonymous remailer (systems track) Nick Mathewson, Roger Dingledine The Free Haven Project {nickm,arma}@freehaven.net Scope Introduction to anonymity How we got started Introduction to mix-nets

649 views • 27 slides
Intervention, and Referral to Treatment Tool Cindy Clouner HECAOD Powered by: The Ohio State

Intervention, and Referral to Treatment Tool Cindy Clouner HECAOD Powered by: The Ohio State

5/24/2018 ScreenU: Exploring a Screening, Brief Intervention, and Referral to Treatment Tool Cindy Clouner HECAOD Powered by: The Ohio State University The audio is by default through your computers speakers. If you would like to call

670 views • 19 slides
Privacy in Bitcoin On the Effectiveness of Clustering Jonas Nick March 15, 2016 Privacy in

Privacy in Bitcoin On the Effectiveness of Clustering Jonas Nick March 15, 2016 Privacy in

Bitcoin Clustering P2P wallet leak Analysis Conclusion Privacy in Bitcoin On the Effectiveness of Clustering Jonas Nick March 15, 2016 Privacy in Bitcoin Jonas Nick 1/34 Bitcoin Clustering P2P wallet leak Analysis Conclusion Privacy

1.22k views • 96 slides
? ! Richard Atterer , Albrecht Schmidt Recruit regular site How to make visitors as test users!

? ! Richard Atterer , Albrecht Schmidt Recruit regular site How to make visitors as test users!

Tracking the Interaction of Users with AJAX Applications for Usability Testing ? ! Richard Atterer , Albrecht Schmidt Recruit regular site How to make visitors as test users! usability tests of Use AJAX technology websites easier to record

332 views • 10 slides

More recommend