next steps
play

next steps Srinath Setty Microsoft Research (Thanks to Michael - PowerPoint PPT Presentation

Sep 25, 2022 •320 likes •674 views

Implementations of probabilistic proofs for verifiable outsourcing: survey and next steps Srinath Setty Microsoft Research (Thanks to Michael Walfish for some of the slides.) GMR 85 BCC 88 Kilian92 without executing f, Micali94 can check

  1. Implementations of probabilistic proofs for verifiable outsourcing: survey and next steps Srinath Setty Microsoft Research (Thanks to Michael Walfish for some of the slides.)

  2. GMR 85 BCC 88 Kilian92 without executing f, Micali94 can check that: “y = f(x)” BG 02 more generally: “ prover knows w s.t. y = f(x,w )” GOS 06 IKO 07 GKR 08 CKV10 GGP 10 Groth10 Efficiency Lipmaa1 • 2 Privacy of w zero-knowledge • GGPR 12 BCCT 13 …

  3. Practicality efficiency privacy for w

  4. SBW 11 CMT 12 SMBW 12 TRMP 12 Running code; cost reductions of 10 20 vs. theory SVPBBW 12 • SBVBPW 13 VSBW 13 Compilers from C to protocol entities PGHR 13 • Thaler13 BCGTV 13 Stateful computations; remote inputs, outputs BFRSBW 13 • BFR 13 DFKP 13 Concretely efficient verifiers BCTV 14a • BCTV 14b BCGGMTV 14 FL 14 KPPSST 14 FGV 14 BBFR 14 Extreme expense: 10 6 x overhead vs. native • WSRHBW 15 CFHKKNPZ 15 CTV 15 Programming model is clumsy • WHGSW 16 DFKP 16 Useful only for special-purpose applications FFGKOP 16 • ZGKPP 17 WJBSTWW 17

  5. [Castro & Liskov TOCS02] Intel SGX

  6. Summar mmary y of s f sta tate te of th f the e art t im implementa plementati tions ons

  7. front-end back-end (program translator) (probabilistic proof protocol) verifier main(){ ... x } y, π C program arithmetic circuit prover (non-det. input) General “processor” interactive proof [ GKR 08 ] Custom circuit interactive argument [ IKO 07 ] non-interactive argument [ Groth10, Lipmaa12 , GGPR 12 ]

  8. Arguments Interactive Non-interactive Interactive proofs [IKO07, SBW11, SMBW12, … ] [Groth10, Lipmaa12, GGPR12, [GKR08, CMT12, … ] … ] Circuit type Deterministic Non- Non- deterministic deterministic #Rounds Lots Two One Assumptions None Simple, falsifiable Non-standard Prover expense 10 to 100x 10 6 x 10 6 x Verifier setup 0 or (10 to 100x) 10 6 x 10 6 x Zero-knowledge No No Yes Hardware impl. Yes Non-amenable Non-amenable [GGPR12]

  9. Attempt 1: Use PCPs that are asymptotically short [ BGHSV 05, BGHSV 06, Dinur07, BS 08, Meir12, BCGT 13] [ ALMSS 92, AS92] prover verifier ... ... “short” PCP ACCEPT / REJEC T This does not meet the efficiency requirements (because |PCP| > running time of f).

  10. Attempt 2: Use arguments or CS proofs [Kilian92, Micali94] prover verifier ... “short” PCP ACCEPT / REJEC T But the constants seem too high …

  11. Attempt 3: Use long PCPs interactively [ IKO 07, SMBW 12, SVPBBW 12] prover verifier L(  ) = <  , v > z ⊗ z v ... z Hadamard ACCEPT / REJEC encoding of Z T Achieves simplicity, with good constants … … but pre-processing is required (because |q i |=|v|) … and prover’s work is quadratic; address that shortly

  12. Attempt 4: Use long PCPs non- [ BCIOP 13] interactively prover verifier L(  ) = <  , v > z ⊗ z v ... z Hadamard ACCEPT / REJEC encoding of v T Query processing now happens “in the exponent” … pre-processing still required (again because |q i |=|v|) … prover’s work still quadratic; addressing that soon

  13. Recap efficient arguments, arguments w/ SNARGs w/ (short) PCPs CS proofs preprocessing preprocessing who ALMSS 92, AS 92, Kilian92, IKO 07, SMBW 12, GGPR 12, BGSHV , Dinur, … Micali94 SVPBBW 12, BCIOP 13, … SBVBPW13 what classical PCP commit to commit to encrypt queries PCP by long PCP to a long PCP hashing using linearity security unconditional CRHFs linearly HE knowledge-of- exponent why/why not efficient constants simple simple, non- for V are interactive not unfavorable (Thanks to Rafael Pass.)

  14. Final attempt: apply linear query structure to GGPR’s QAPs [Groth10, Lipmaa 12 , GGPR 12 ] prover L(  ) { return <  , v >; z ⊗ h } v z z z Addresses the issue of quadratic costs. PCP structure implicit in GGPR. Made explicit in [ BCIOP 13, SBVBBW 13] .

  15. “ Zaatar ” “Pinocchio,” “ libsnark ” [ SBVBBW 13 ] [ PGHR 13 , BCTV 14a ] queries in plaintex exponent t interactive SNARG , zk- SNARK with pre- queries argument processing [ IKO 07] [Groth10, BCCT 12, GGPR 12] pre-processing QAPs avoidable in theory [ BCCT 13 , BCTV 14b , CTV 15 ] standard assumptions non-falsifiable assumptions • • amortize over batch amortize indefinitely • • interactive non- interactive, ZK, … • •

  16. front-end back-end (program translator) (argument variants) verifier main(){ ... x y, π } QAPs [ GGPR 12] C program arithmetic circuit prover (non-det. input)

  17. State of the art front- ends “General” processor fetch-decode-execute [TinyRAM] … Verbose circuits (costly)  MIPS C prog .exe Good amortization  CPU state Great programmability  circuit is unrolled CPU execution [ BCGTV 13 , BCTV 14a , BCTV 14b , CTV 1 5] Custom circuits C prog Concise circuits  Amortization worse  each line translates to gates How is programmability?  [ SBVBPW 13 , VSBW 13 , PGHR 13 , BFRSBW 13 , BCGGMTV 14 , BBFR 1 4, FL 14 , KPPSST 14 , WSRBW 15 , CFHKKNPZ 15]

  18. Front-ends trade off performance and expressiveness applicable computations concrete genera function costs special-purpose pure stateful l loops pointers Thaler lower CRYPTO 13 CMT, TRMP ITCS , Hotcloud 12 Custom circuit Geppetto Zaatar Pepper, Ginger ? Buffet Oakland15 Eurosys13 NDSS 12, Security12 WSRHBW Trueset, Zerocash Pinocchio Pantry NDSS 15 Security14,Oakland15 Oakland13 SOSP 13 BCTV Security14 General higher BCGTV CRYPTO 13 “processor Proof-carrying data highest ” CRYPTO 14, Eurocrypt15 (still theory) Short PCPs Eurocrypt17

  19. Summary of common framework: front-end back-end (program translator) (argument variants) “general processor” … verifier main(){ ... x y, π } QAPs [ GGPR 12] prover “custom circuit”

  20. Summary of state of the art implementations Rea eality lity ch check eck wi with th a pe perfo formance rmance ev evaluatio luation

  21. Back-end: libsnark i.e., BCTV’s optimized Pinocchio implementation Front-ends: implementations or re-implementations of  Zaatar (Custom circuit) [ SBVBPW Eurosys13]  BCTV (General processor) [Security14]  Buffet (Custom circuit) [ WSRHBW NDSS 15]

  22. Landscape of front-ends (again) applicable computations concrete genera function costs special-purpose pure stateful l loops pointers Thaler lower CRYPTO 13 CMT, TRMP ITCS , Hotcloud 12 Geppetto Zaatar Pepper, Ginger Oakland15 Eurosys13 Buffet NDSS 12, Security12 Trueset, Zerocash Pinocchio NDSS 15 Pantry Security14, Oakland15 Oakland13 SOSP 13 BCTV Security14 higher BCGTV CRYPTO 13 Proof-carrying data highest CRYPTO 14, Eurocrypt15 (still theory) Short PCPs Eurocrypt17

  23. Quick performance study Back-end: libsnark i.e., BCTV’s optimized Pinocchio implementation Front-ends: implementations or re-implementations of: Zaatar (Custom circuit) [ SBVBPW Eurosys13]  BCTV (General processor) [Security14]  Buffet (Custom circuit) [ WSRHBW NDSS 15]  Evaluation platform: cluster at Texas Advanced Computing Center ( TACC ) Each machine runs Linux on an Intel Xeon 2.7 GHz with 32 GB of RAM .

  24. (1) What are the verifier’s costs? (2) What are the prover’s costs? Proof length 288 bytes V per-instance 6 ms + (|x| + |y|) ・ 3 µs V pre-processing |C| ・ 180 µs P per-instance |C| ・ 60 µs +|C|log |C| ・ 0.9µs P’s memory requirements O(|C|log|C|) (|C|: circuit size) (3) How do the front-ends compare to each other? (4) Are the constants good or bad?

  25. How does the prover’s cost vary with the choice of front-end? Extrapolated prover execution time, normalized to Buffet

  26. All of the front-ends have terrible concrete performance Extrapolated prover execution time, normalized to native execution

  27. Front-end: generality brings a concrete price (but better in theory)  Verifier’s “variable costs”: genuinely inexpensive  Prover’s computational costs: near-total disaster  Memory: creates scaling limit for verifier and prover 

  28. One option: T arget domains where verifier cannot simply execute the computation • Anonymous credentials: Cinderella [Oakland16] • Anonymity for Bitcoin: Zerocash [Oakland14] • Location-private tolling [Security09]: Pantry [ SOSP 13] Another option: try to motivate theoretical advances

  29. Summary of state of the art implementations Reality check with a performance evaluation Nex ext t ste teps: ps: We n e nee eed d 3-6 6 or orde ders of m f magnitude gnitude spe peed edup up

  30. • More efficient reductions from programs to circuits • Inexpensive floating-point operations (to target domains such as deep learning, machine learning, … ) • Better handling of state

  31. ADSNARK [S&P15] , Hash first argue Pantry [SOSP13] Geppetto [S&P15] later [CCS16] Technique CRHF in circuit SNARK already has SNARK already (folklore) a CRHF has a CRHF Generality Any circuit Specific Any circuit Prover expense O(k log(|D|)) O(k |D|) O(k |D|) 10 6 to 10 8 x 10 6 to 10 8 x 10 6 to10 8 x Concrete expense [S&P17]

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

This project goes under eight different steps. This project goes under eight different steps.

This project goes under eight different steps. This project goes under eight different steps.

This project goes under eight different steps. This project goes under eight different steps. Chapter One: The first step is about narrating some facts, by which my project and research were based on. Egypt is located in north east africa,

690 views • 46 slides
The Six Steps Promise What are the Six Steps? How can we use them to improve our library

The Six Steps Promise What are the Six Steps? How can we use them to improve our library

The Six Steps Promise What are the Six Steps? How can we use them to improve our library services? Six Steps to better library services for blind and partially sighted people Share the Vision National Charity Over 25 years of engagement

594 views • 16 slides
Feature Assembly Find out what, why and how in 5 steps. Find out what, why and how in 5 steps.

Feature Assembly Find out what, why and how in 5 steps. Find out what, why and how in 5 steps.

Feature Assembly Find out what, why and how in 5 steps. Find out what, why and how in 5 steps. Move from Creating products To .. Assembling products Step 1: Turn your challenge into an opportunity How to anticipate and manage complexity

496 views • 38 slides
Ann Arbors Ann Arbors Non Non- -motorized Transportation motorized Transportation Steps

Ann Arbors Ann Arbors Non Non- -motorized Transportation motorized Transportation Steps

Ann Arbors Ann Arbors Non Non- -motorized Transportation motorized Transportation Steps Forward Steps Forward Steps Forward Steps Forward Eli Cooper, AICP p , Presentation to Pedestrian Access and Safety Task Force June 2014 Non

161 views • 14 slides
Two Steps Ahead Capabilities Presentation Who We Are: Two Steps Ahead is a full-service

Two Steps Ahead Capabilities Presentation Who We Are: Two Steps Ahead is a full-service

Two Steps Ahead Capabilities Presentation Who We Are: Two Steps Ahead is a full-service consulting, training and marketing development firm with particular expertise in the effective use and integration of media to support educational

550 views • 20 slides
(Action) Steps to a Healthier You Small steps make a big difference ! Plateful of Prevention

(Action) Steps to a Healthier You Small steps make a big difference ! Plateful of Prevention

(Action) Steps to a Healthier You Small steps make a big difference ! Plateful of Prevention Session 3: Choose the Best Nutritional Deal Use the Nutrition Facts label and ingredients list to compare food items. Use information on labels to

241 views • 10 slides
Exercise 7: Two-Steps Method Exercise 7: Two Steps Method FLUKA Advanced Course Exercise 7 -

Exercise 7: Two-Steps Method Exercise 7: Two Steps Method FLUKA Advanced Course Exercise 7 -

Exercise 7: Two-Steps Method Exercise 7: Two Steps Method FLUKA Advanced Course Exercise 7 - Layout Exercise 7 Goal Evaluate the contribution to the energy deposition in a Beam Loss Monitor (BLM) from direct losses inside a quadrupole,

195 views • 5 slides
Operational Semantics Part I Jim Royer CIS 352 February 12, 2019 1 / 22 [Syntax] [Big Steps]

Operational Semantics Part I Jim Royer CIS 352 February 12, 2019 1 / 22 [Syntax] [Big Steps]

[Syntax] [Big Steps] [Small Steps] Operational Semantics Part I Jim Royer CIS 352 February 12, 2019 1 / 22 [Syntax] [Big Steps] [Small Steps] References Andrew Pitts Lecture Notes on Semantics of Programming Languages

705 views • 26 slides
5 1 10 Steps to a Successful Not For The Enterprise Agile Faint of Transformation - Heart!

5 1 10 Steps to a Successful Not For The Enterprise Agile Faint of Transformation - Heart!

WELCOME ACTIVITY 1. Stand up! Find a person from another table. 2. Discuss/Explore what might be some potential steps for a full-on enterprise Agile transformation from your context . 3. Gain consensus on your top 2 - 3 steps. Write a post-it

585 views • 33 slides
STEPS TO ACADEMIC SUCCESS STEPS TO ACADEMIC SUCCESS To create a To awarene ness a and nd und

STEPS TO ACADEMIC SUCCESS STEPS TO ACADEMIC SUCCESS To create a To awarene ness a and nd und

STEPS TO ACADEMIC SUCCESS STEPS TO ACADEMIC SUCCESS To create a To awarene ness a and nd und nderstand nding ng of of THE GOAL: resources th that t emp mpower stu tudents ts to to be acti tive pa part rticipants in thei eir

586 views • 17 slides
A C A D E M Y STEPS STEPS Training is the digital marketing training services for both

A C A D E M Y STEPS STEPS Training is the digital marketing training services for both

A C A D E M Y STEPS STEPS Training is the digital marketing training services for both entrepreneurs and marketers.It was founded by Khun Nuttawee Tantisajjatham ( or Coach Emmie ), the leading digital marketing speaker and digital marketing

587 views • 20 slides
X X Y Y Y ZX rX

X X Y Y Y ZX rX

X X Y Y Y ZX rX Z bZ XY Introduction of the Topic Derivation Explanation Project Outline The First Steps Current Status Next Steps

454 views • 22 slides
Wh y? Because while T ( n ) steps on a 3 computer ma y b ecome T ( n ) steps

Wh y? Because while T ( n ) steps on a 3 computer ma y b ecome T ( n ) steps

The Class of Languages P If a (deterministic) TM has some M p olynomial p ( n ) suc h that nev er mak es M more than p ( n ) mo v es when presen ted with input of length n , then is said to b e a M TM .

592 views • 5 slides
7 Steps to Commercial Insight Graham Hall www.ambitiousbrands.com 12th June 2012 1 7 Steps to

7 Steps to Commercial Insight Graham Hall www.ambitiousbrands.com 12th June 2012 1 7 Steps to

7 Steps to Commercial Insight Graham Hall www.ambitiousbrands.com 12th June 2012 1 7 Steps to Insight This is what I call the SuBo moment. That first 2 minutes when an overweight, middle aged person with suspect social skills W h a t w e

587 views • 12 slides
Presentation Skills in 7 simple steps Presentation Skills in 7 simple steps Filesize: 5.14 MB

Presentation Skills in 7 simple steps Presentation Skills in 7 simple steps Filesize: 5.14 MB

UA6OODCACXWK &gt; Kindle ~ Presentation Skills in 7 simple steps Presentation Skills in 7 simple steps Presentation Skills in 7 simple steps Filesize: 5.14 MB Reviews Reviews Extensive manual! Its this kind of very good read through. I

159 views • 3 slides
EE3CL4: Sketching the Root Locus, Introduction to Linear Control Systems Steps 14 Steps 1

EE3CL4: Sketching the Root Locus, Introduction to Linear Control Systems Steps 14 Steps 1

EE 3CL4, 5 1 / 65 Tim Davidson Preliminary examples Principles EE3CL4: Sketching the Root Locus, Introduction to Linear Control Systems Steps 14 Steps 1 and 2 Section 5: Root Locus Procedure Review of Principles Review of Steps 1,

936 views • 58 slides
OCaml Scope: a New OCaml API Search Jun Furuse - Standard Chartered Bank Who am I? OCaml

OCaml Scope: a New OCaml API Search Jun Furuse - Standard Chartered Bank Who am I? OCaml

OCaml Scope: a New OCaml API Search Jun Furuse - Standard Chartered Bank Who am I? OCaml hacker using Haskell at work What did helped me most in Haskell industry? Type class? Purity? Laziness? It's Hoogle. API Search Engine for Haskell

509 views • 21 slides
A simple holographic model of momentum relaxation Tom as Andrade (Durham U) January 28th,

A simple holographic model of momentum relaxation Tom as Andrade (Durham U) January 28th,

A simple holographic model of momentum relaxation Tom as Andrade (Durham U) January 28th, 2014, Oxford in collaboration with Ben Withers (Southampton) Hasnt it occurred to you to suspect that behind that Mondrian could a Viera da Silva

816 views • 66 slides
Speculative Asset Prices Robert J. Shiller Prize Lecture Stockholm, December 8, 2013 Prices as

Speculative Asset Prices Robert J. Shiller Prize Lecture Stockholm, December 8, 2013 Prices as

Speculative Asset Prices Robert J. Shiller Prize Lecture Stockholm, December 8, 2013 Prices as Expected Present Values Constant Discount Rate Case Real Stock Prices 1871-2013 Actual (Blue) and Ex-Post Rational (Red) Based on Shiller (Am.

540 views • 18 slides
Liberty Queues for EPIC Architectures Thomas Jablin, Yun Zhang, James A. Jablin, Jialu Huang,

Liberty Queues for EPIC Architectures Thomas Jablin, Yun Zhang, James A. Jablin, Jialu Huang,

Liberty Queues for EPIC Architectures Thomas Jablin, Yun Zhang, James A. Jablin, Jialu Huang, Hanjun Kim, &amp; David I. August The Liberty Research Group Princeton University Comparison: IMT, PMT, CMT IMT PMT CMT Core 1 Core 2 Core 1

670 views • 19 slides
through Glo lobal Valu lue Chains: Methodological Innovations in measuring technological

through Glo lobal Valu lue Chains: Methodological Innovations in measuring technological

Local fi firm Capabilities &amp; In Industrialization through Glo lobal Valu lue Chains: Methodological Innovations in measuring technological capabilities Dr. Lindsay Whitfield Professor MSO in Global Studies Roskilde University, Denmark

271 views • 12 slides
CAPITAMALL TRUST Singapores First &amp; Largest REIT Annual General Meeting 16 April 2015

CAPITAMALL TRUST Singapores First &amp; Largest REIT Annual General Meeting 16 April 2015

Photo Credit: Kwek Swee Seng, Singapore CAPITAMALL TRUST Singapores First &amp; Largest REIT Annual General Meeting 16 April 2015 Annual General Meeting *April 2015* Disclaimer This presentation may contain forward-looking statements that

535 views • 38 slides
11-731 Machine Translation Speech 2 Speech Translation Speech Translation Three part systems

11-731 Machine Translation Speech 2 Speech Translation Speech Translation Three part systems

11-731 Machine Translation Speech 2 Speech Translation Speech Translation Three part systems Three part systems ASR ASR - -&gt; Translation &gt; Translation - -&gt; TTS &gt; TTS System configurations System

284 views • 27 slides
Verifiable ASICs: trustworthy hardware with untrusted components Riad S. Wahby , Max

Verifiable ASICs: trustworthy hardware with untrusted components Riad S. Wahby , Max

Verifiable ASICs: trustworthy hardware with untrusted components Riad S. Wahby , Max Howald , Siddharth Garg , abhi shelat , and Michael Walfish Stanford University New York University The Cooper Union

1.04k views • 72 slides

More recommend