making verifiable computation useful
play

Making Verifiable Computation Useful Bryan Parno Carnegie Mellon - PowerPoint PPT Presentation

Jul 21, 2023 •25 likes •255 views

Making Verifiable Computation Useful Bryan Parno Carnegie Mellon University 1 Rapid Perf Improvements 100x100 matrix mult. Verifier Latency Prover Overhead ~10 23 x 72 Trillion years! Cost fell 18 orders of ~10 16 x magnitude in 6 years

  1. Making Verifiable Computation Useful Bryan Parno Carnegie Mellon University 1

  2. Rapid Perf Improvements 100x100 matrix mult. Verifier Latency Prover Overhead ~10 23 x 72 Trillion years! Cost fell 18 orders of ~10 16 x magnitude in 6 years Cost fell 23 orders of magnitude in 6 years ~10 7 x ~10 5 x  12 minutes <10 ms!

  3. Coping with Prover Overhead 1. Leverage zero knowledge – Example: Bitcoin++ [Danezis et al. ‘13] [Ben-Sasson et al. ‘14] [Kosba et al. ‘15] [Miller et al. ‘15 ] 2. Find (rare?) applications that tolerate substantial overhead – Original computation is cheap or infrequent • Example: Fair exchange of digital goods [Maxwell ‘16] – Integrity benefits outweigh costs • Example: Verifiable ASICs [Wahbyet al. ‘15] 3. Innovations in proof generation 3

  4. Cinderella: Turning Shabby X.509 Certificates into Elegant Anonymous Credentials with the Magic of Verifiable Computation [IEEE S&P ‘ 16] Antoine Delignat-Lavaud Cédric Fournet VC X.509 Markulf Kohlweiss Bryan Parno

  5. The X.509 Public Key Infrastructure (1988) Chain Endpoint certificate Intermediate Certificate Authority certificate Root Certification Authority certificate

  6. Certificate X.509 Authentication Authority certificates + private keys Authorized Certificate root validation certificates program (data) (1-3 KB /certificate) OCSP, Certificate Transparency

  7. X.509 Problem: App Heterogeneity certificates + private keys Basic Validation Authorized Correct ASN.1 encoding (injective parsing) Certificate root TLS Validation validation certificates Correct signatures linking chain program (data) notBefore < now() < notAfter Valid basic constraints Domain == Subject CN? S/MIME Validation Domain in Subject Alternative Names? Valid key usages notBefore < email date < notAfter Domain matches a wildcard name? Acceptable algorithms & key sizes Subject emailAddress or Alternative Names Domain compatible with Name Constraints? include sender email? Endpoint EKU includes TLS client/server? Endpoint EKU includes S/MIME? Chain allows TLS EKU • TLS Chain allows S/MIME EKU Not revoked now • S/MIME Not revoked when mail was sent (1-3 KB /certificate) • Code signing • Document signing • Client authentication OCSP, Certificate (e.g. smartcards) Transparency • …

  8. Recent PKI Failures The SHAppening Crypto failures HashClash rogue CA Flame maleware 512 bit Korean Debian OpenSSL entropy bug (MD5 collision) NSA/GCHQ attack School CAs Stevens et al. against Windows CA Bleichenbacher’s BERSerk DROWN e=3 attack on (MSR/Inria) KeyUsage PKCS#1 signatures Basic constraints not properly enforced (recurring & catastrophic bug) Name constraints failures OpenSSL GnuTLS X509v1 OpenSSL CVE- null prefix 2015-1793 EKU-unrestricted Formatting & semantics VeriSign certificates VeriSign Superfish Comodo hack Trustwave NetDiscovery ANSSI India NIC VeriSign hack StartCom hack DigiNotar hack TÜRKTRUST China NNIC CA failures 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015

  9. X.509 Problem: Privacy violations certificates + private keys Authorized Certificate root validation certificates program (data) Many anonymous credential systems Learns full solve this, but ~0 are used today certificate contents Network Observer (1-3 KB /certificate) OCSP, Certificate Network Transparency Observer

  10. Cinderella: Main Idea certificates + other private keys evidence Geppetto (e.g. OCSP) compiler Evaluation key Verification key [IEEE S&P ‘15] Authorized Certificate root validation certificates program (data) Proof (288 B)

  11. Computation Outsourcing with Pinocchio C program F(p riv , p ub ) Complex programs public verifier inputs compile to large private prover inputs arithmetic circuits D X Verification Evaluation C + X key (VK) key (EK) Arithmetic Circuit Setup Phase Runtime Phase Query(pub) Succinct Proof Verify(Proof, VK) Evaluate(F(priv, pub), EK) [CRYPTO ‘10] [EuroCrypt‘13] [IEEE S&P ‘ 13] [IEEE S&P ‘ 15]

  12. Cinderella: Contributions • A compiler from high-level validation policy templates to Pinocchio-optimized certificate validators • Pinocchio-optimized libraries for hashing and RSA-PKCS#1 signature validation • Several TLS validation policies based on concrete templates and additional evidence (OCSP) • Integrated with OpenSSL • Tested on real certificate chains • e-Voting support based on Helios with Estonian ID cards

  13. Benefits and Caveats • Computationally expensive • Practicality: Compatible with existing PKI and certificates • Initial agreement on the • Ensures uniform application of the validation policy validation policy but allows • Reliance on security of verified flexible issuance policies computation system • Anonymity : Complete control over • Exotic crypto assumption disclosure of certificate contents • Trusted key generation • Less exposure of long-term private • Does not solve key management keys through weak algorithms (one more layer to manage)

  14. Compiling Certificate Templates Private inputs seq {seq { # Validity Period # Version seq { tag<0>: const<2L>; var<date, notbefore, 13, 13>; Untrusted Native Parser # Serial Number var<date, notafter, 13, 13>; Parse certificate var<int, serial, 10, 20>; }; Variables Generate Prover Inputs # Signature Algorithm seq { # Subject const<O1.2.840.113549.1.1.5> seq { ; const<null>; }; varlist<subject, 2, 4>: C/QAP verifier set { Variable lists Concatenate compile-time # Issuer seq { constants and run-time vars Template seq { set { seq { var<oid, subjectoid, 3, 10>; Compute running hash compiler const<O2.5.4.10>; var<x500, subjectval, 2, 31>; const<printable:"AlphaSSL">; }; };};set { seq { const<O2.5.4.3>; }; const<printable:"AlphaSSL CA - }; Template G2">; }; }; }; […] Constants

  15. Verifying PKCS#1 RSA Signatures S ^ e mod N = 1ffffffffff[…] ffffffkkkkk […] kkkkkkyyyyyyyyyyyyyyyyyyyy S ^ e = S (((S ^ 2) ^ 2) … Hash (computed before) Assume fixed e = 65537 = 2 16 + 1 … S 120 bits 120 bits 120 bits … S 2 240+ bits 240+ bits 240+ bits 240+ bits 240+ bits S 2 = Q*N + R Verify prover hints are valid Private inputs Q and R … Q*N 240+ bits 240+ bits 240+ bits 240+ bits 240+ bits … R 120 bits 120 bits 120 bits S <- R

  16. Application: TLS Client Authentication Geppetto Ephem Ephem Client compiler Key Key Cert [IEEE S&P ‘15] F(fields) Proof F(fields) fields ✓ Verification key Evaluation key Offline Proof Ephem Key Proof F(fields) Key Exchange signed with Ephem Key

  17. Application evaluation 1000 Seconds 100 10 1 0.1 0.01 0.001 TLS (2 intermediates TLS (1 intermediate TLS (no Helios (OCSP) + OCSP) + OCSP) intermediate, OCSP) Keygen time Proof time Verify time

  18. Cinderella Summary • One of the first practical applications of verifiable computing • We achieve privacy and integrity for X.509 authentication • No change to PKI or to protocols • Working prototype for TLS and Helios

  19. Coping with Prover Overhead 1. Leverage zero knowledge – Example: Bitcoin++ [Danezis et al. ‘13] [Ben-Sasson et al. ‘14] [Kosba et al. ‘15] [Miller et al. ‘15 ] 2. Find (rare?) applications that tolerate substantial overhead – Original computation is cheap or infrequent • Example: Fair exchange of digital goods [Maxwell ‘16] – Integrity benefits outweigh costs • Example: Verifiable ASICs [Wahbyet al. ‘15] 3. Innovations in proof generation 20

  20. Recent Innovations in Proof Generation • Improve efficiency of popular programming paradigms – Ex: Hash-and-Prove [Fiore et al. ‘ 16] – Ex: vSQL [Zhang et al. ‘ 17] • Meld SNARKs with interactive proofs – Ex: Allspice [Vu et al. ’ 13] , vSQL [Zhang et al. ‘ 17] 21

  21. Future Innovations in Proof Generation • More efficient cryptographic encodings – Lattices? – Symmetric homomorphic primitives? • Specialized verifiable computation protocols – Ex: ZK verifiable regular expressions 22

  22. Disruptive Approaches Software Trusted Ubiquitous Guard Platform secure Extensions Module hardware (SGX) (TPM) + Ironclad Apps Fully A • ~0 performance overhead p App verified p • Fully general Std. Lib Common L software • Obfuscated programs ? UDP/IP Datatypes RSA i Ethernet SHA-256 BigNum • Platform assurance b Net Driver TPM Driver Math Secure Late Device Segs IOMMU GC IO launch verifiable Hardware specs computation 23

  23. Conclusions • Despite progress, prover overheads limits usefulness of verifiable computation • Cinderella circumvents prover overhead to improve the privacy, security, and flexibility of the X.509 PKI • Secure hardware + verified software may disrupt crypto-only solutions Thank you! parno@cmu.edu 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Delegation with (nearly) optimal time/space overhead Justin Holmgren Ron Rothblum MIT MIT

Delegation with (nearly) optimal time/space overhead Justin Holmgren Ron Rothblum MIT MIT

Delegation with (nearly) optimal time/space overhead Justin Holmgren Ron Rothblum MIT MIT Verifiable Computation Verifiable Computation Verifiable Computation M(x)=? M(x) = y Verifiable Computation M(x)=? , challenge , proof

1.73k views • 119 slides
Verifiable ASICs Aarhus Workshop on Secure Multiparty Computation 1 June 2016 Michael Walfish

Verifiable ASICs Aarhus Workshop on Secure Multiparty Computation 1 June 2016 Michael Walfish

Verifiable ASICs Aarhus Workshop on Secure Multiparty Computation 1 June 2016 Michael Walfish Dept. of Computer Science, Courant Institute, NYU This is joint work with: Riad S. Wahby (Stanford), Max Howald (Cooper Union and NYU), Siddharth

723 views • 44 slides
Boosting Verifiable Computation on Encrypted Data PKC 2020 Dario Fiore, Anca Nitulescu , David

Boosting Verifiable Computation on Encrypted Data PKC 2020 Dario Fiore, Anca Nitulescu , David

Boosting Verifiable Computation on Encrypted Data PKC 2020 Dario Fiore, Anca Nitulescu , David Pointcheval Motivational Tale: The Bare Necessities of a Cloud User (In times of a Pandemic) 2 Pandemics biometric surveillance systems data

1k views • 51 slides
Rigidity of quantum steering and 1sDI verifiable quantum computation [arXiv:1512.07401]

Rigidity of quantum steering and 1sDI verifiable quantum computation [arXiv:1512.07401]

Rigidity of quantum steering and 1sDI verifiable quantum computation [arXiv:1512.07401] Alexandru Gheorghiu, Petros Wallden, Elham Kashefi 8 June 2016 QPL 2016, Glasgow I V N E U R S E I H T Y T O H F G R E U D B I N

669 views • 47 slides
A Survey of Verifiable Delegation of Computations Rosario Gennaro The City College of New York

A Survey of Verifiable Delegation of Computations Rosario Gennaro The City College of New York

A Survey of Verifiable Delegation of Computations Rosario Gennaro The City College of New York rosario@cs.ccny.cuny.edu CANS 2013, Paraty, Brasil November 22, 2013 Outline Motivation Verifiable Computation Memory Delegation Conclusion

937 views • 80 slides
Non-interactive classical verification of quantum computation Shih-Han Hung Gorjan Alagic

Non-interactive classical verification of quantum computation Shih-Han Hung Gorjan Alagic

Non-interactive classical verification of quantum computation Shih-Han Hung Gorjan Alagic Andrew M. Childs Alex B. Grilo QCrypt 2020 arXiv:1911.08101 Verifiable quantum advantage 1 Verifiable quantum advantage When a quantum cloud is

808 views • 51 slides
VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

Confrence de lancement de l'ANR Ciao, Fvrier 2020, Bordeaux, France VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things down VERIFIABLE DELAY FUNCTIONS [Boneh, Bonneau, Bnz, Fisch 2018] A VDF is

616 views • 32 slides
Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of

Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of

Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of Virginia Why do these matter? Alternative consensus protocols Applications to public randomness generation Leader election Bitcoin Proof of Work

355 views • 19 slides
Verifiable Cloud Outsourcing for Network Func9ons (+

Verifiable Cloud Outsourcing for Network Func9ons (+

Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services) Vyas Sekar vNFO joint with Seyed Fayazbakhsh,

434 views • 28 slides
Alex Bredariol Grilo joint work with Andrea Coladangelo, Stacey Jeffery and Thomas Vidick Why

Alex Bredariol Grilo joint work with Andrea Coladangelo, Stacey Jeffery and Thomas Vidick Why

Non-local games and verifiable delegation of quantum computation Alex Bredariol Grilo joint work with Andrea Coladangelo, Stacey Jeffery and Thomas Vidick Why verifiably delegate quantum computation? Non-local games and verifiable delegation of

835 views • 81 slides
Using Efficient Set Accumulators USENIX Security, 2020 Alex Ozdemir* , Riad Wahby*, Barry

Using Efficient Set Accumulators USENIX Security, 2020 Alex Ozdemir* , Riad Wahby*, Barry

Scaling Verifiable Computation Using Efficient Set Accumulators USENIX Security, 2020 Alex Ozdemir* , Riad Wahby*, Barry Whitehat^, Dan Boneh* *Stanford ^Unaffiliated Problem: Verifiable Storage Represent a large storage (e.g. array)

759 views • 27 slides
Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable

Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable

Leonard Lensink, Sjaak Smetsers and Marko van Eekelen Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable Java Code from Verified PVS Specifications Overview Motivation Code generation

544 views • 26 slides
Privacy-Preserving Outsourcing by Distributed Verifiable Computation Meilof Veeningen Philips

Privacy-Preserving Outsourcing by Distributed Verifiable Computation Meilof Veeningen Philips

Privacy-Preserving Outsourcing by Distributed Verifiable Computation Meilof Veeningen Philips Research MPC 2016, Aarhus, May 30 2016 2 Philips Research 3 Philips Research 4 Philips Research 5 Philips Research 6 Philips Research

529 views • 31 slides
Towards Making Theory of Describing a For-Loop . . . Computation Course More Resulting

Towards Making Theory of Describing a For-Loop . . . Computation Course More Resulting

Theory of . . . Pedagogical Problem Notion of a Recursive . . . How to Describe a . . . Towards Making Theory of Describing a For-Loop . . . Computation Course More Resulting Description . . . Beyond For-Loops: A . . . Understandable and

347 views • 10 slides
Learning and Meta-learning computation making predictions choosing actions

Learning and Meta-learning computation making predictions choosing actions

Learning and Meta-learning computation making predictions choosing actions acquiring episodes statistics algorithm gradient ascent ( eg of the likelihood) correlation Kalman filtering implementation

1.05k views • 56 slides
Economics and Computation Lirong Xia 1 This Course Economics: decision making by multiple

Economics and Computation Lirong Xia 1 This Course Economics: decision making by multiple

Economics and Computation Lirong Xia 1 This Course Economics: decision making by multiple actors, each with individual preferences, capabilities, and information, and motivated to act in regard to these preferences. Computer science:

448 views • 22 slides
Using Language Models to Detect Errors in Second-Language Learner Writing Nils Rethmeier Bauhaus

Using Language Models to Detect Errors in Second-Language Learner Writing Nils Rethmeier Bauhaus

Using Language Models to Detect Errors in Second-Language Learner Writing Nils Rethmeier Bauhaus Universitt Weimar Web Technology and Information Systems Group Motivation Problem: We wrote a text but do not know if and where we made errors

444 views • 30 slides
Seminar: Search and Optimization 4. An Introduction to Revision Control with Mercurial Gabi R

Seminar: Search and Optimization 4. An Introduction to Revision Control with Mercurial Gabi R

Seminar: Search and Optimization 4. An Introduction to Revision Control with Mercurial Gabi R oger Universit at Basel October 2, 2014 Revision Control First steps Distributed development Wrap-up Revision Control Revision Control

488 views • 28 slides
Fibonacci Heaps Group: N = NP Leader: T ang Hao Member: Chen Zhiqin Liao Mingding Shen

Fibonacci Heaps Group: N = NP Leader: T ang Hao Member: Chen Zhiqin Liao Mingding Shen

Fibonacci Heaps Group: N = NP Leader: T ang Hao Member: Chen Zhiqin Liao Mingding Shen Bingyu Introduction Binominal Heap Fibonacci Heap a better amortized running time than a binomial heap developed by Michael L. Fredman and

450 views • 42 slides
May the GIT --FORCE Be With You Mark Dorison @markdorison My git log Why are you here? No

May the GIT --FORCE Be With You Mark Dorison @markdorison My git log Why are you here? No

May the GIT --FORCE Be With You Mark Dorison @markdorison My git log Why are you here? No Drupal Here No Live Demos You Must Learn the Ways of the GIT --FORCE These Are the Commits You're Looking For Commit Structure nolan

1k views • 74 slides
CMSC 206 Binary Heaps Priority Queues Priority Queues n Priority: some property of an object

CMSC 206 Binary Heaps Priority Queues Priority Queues n Priority: some property of an object

CMSC 206 Binary Heaps Priority Queues Priority Queues n Priority: some property of an object that allows it to be prioritized with respect to other objects of the same type n Min Priority Queue: homogeneous collection of Comparables with

679 views • 38 slides
Your simulator for Programmable Matter Benoit PIRANDA, Andr NAZ, Julien BOURGEOIS

Your simulator for Programmable Matter Benoit PIRANDA, Andr NAZ, Julien BOURGEOIS

VisibleSim: Your simulator for Programmable Matter Benoit PIRANDA, Andr NAZ, Julien BOURGEOIS github.com/claytronics/visiblesim Dagstuhl Seminar,&quot;Algorithmic Foundations of Programmable Matter&quot; (16271) Schloss Dagstuhl -

881 views • 21 slides
KDiff3 - Diff-icult? Benefits of KDiff3 usage for programmers and &quot;civilians&quot; KDiff3

KDiff3 - Diff-icult? Benefits of KDiff3 usage for programmers and &quot;civilians&quot; KDiff3

KDiff3 - Diff-icult? Benefits of KDiff3 usage for programmers and &quot;civilians&quot; KDiff3 is a tool for comparison, synchronisation and merge of files and directories By Joachim Eibl KDE Community World Summit 2004 . p.1/12 Other

248 views • 12 slides
CS 6280: Fall 2008 Algorithm Design Review Guozhang Wang September 25, 2010 1 Graph Algorithms

CS 6280: Fall 2008 Algorithm Design Review Guozhang Wang September 25, 2010 1 Graph Algorithms

CS 6280: Fall 2008 Algorithm Design Review Guozhang Wang September 25, 2010 1 Graph Algorithms 1.1 Depth-First Search In this section we present DFS and one of its applications: finding Strongly Connected Components of a directed graph. One

325 views • 19 slides

More recommend