Outsourcing of Storage and Computations Cloud Services Client - - PowerPoint PPT Presentation
T RUE S ET : Faster Verifiable Set Computations Ahmed E. Kosba , Dimitrios Papadopoulos , Charalampos Papamanthou Mahmoud F. Sayed , Elaine Shi , Nikos Triandopoulos University of Maryland, College Park Boston
Ahmed E. Kosba†, Dimitrios Papadopoulos‡, Charalampos Papamanthou† Mahmoud F. Sayed†, Elaine Shi†, Nikos Triandopoulos§‡
† University of Maryland, College Park ‡ Boston University § RSA Laboratories
USENIX Security’14
August 22nd, 2014
Short Proof - Short Verification Time - Short Proof Computation Time
2
Input u Output F(u) – Proof 𝜌
Verifier Prover Verifiable Computation (VC) Client Devices Cloud Services Not there yet!!
element sets.
3
SELECT UNIVERSITY.id FROM UNIVERSITY JOIN CS ON UNIVERSITY.id = CS.id
Similarity =
| 𝑩 𝑪 | | 𝑩 𝑪 |
SQL Join Queries Jaccard index Applications
void func(struct Input* in, struct Output* out){ /* subset of C */ }
Approaches:
Characteristics:
+ x x
4
……… ……… ………
Each individual operation is mapped to a set of gates or constraints
BCGTV [Ben-sasson et al, Crypto’13] Pinocchio [Parno et al, IEEE S&P’13] Pantry [Braun et al, SOSP’13]
Set Cardinality Proof Time
case set size during proof computation.
5
Arithmetic Set Circuit C .. .. .. A B
+ x x + x x + x x + x x
…. …. …. ….
Goals:
Main Idea:
6
Arithmetic Set Circuit D .. .. .. A B
+ x x + x x + x x + x x
…. …. …. …. .. C
A B C
U
∩
D Polynomial Set Circuit A(z) B(z) C(z) D(z) + x x + x x instead of
polynomial A(z) = (z+a1)(z+a2) .. (z+an)
7
Polynomial Intersection Circuit (z+1)(z+2) (z+2)(z+3) (z+2) Polynomial Intersection Circuit (z+3)(z+4) (z+5)(z+6) 1
Two Primary Advantages:
8
9
) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( z B z I z z A z I z z I z B z z A z
GCD(A, B)
for polynomials. I(z) = GCD(A(z), B(z)) iff there exists polynomials 𝛽 𝑨 , 𝛾 𝑨 , 𝛿 𝑨 , 𝜀 𝑨 such that
10
) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( z U z A z z B z i z z A z i z z i z B z z A z
) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( z B z i z z A z i z D z i z B z z A z
expressiveness
11
Input sets Output Value
SELECT COUNT(UNIVERSITY.id) FROM UNIVERSITY JOIN CS ON UNIVERSITY.id = CS.id
+ x x + x x
+ x x
Set Circuit
+ x x
12
13
[Gennaro et al. EUROCRYPT’13, Parno et al. IEEE S&P’13] + x x
c1 c2 c3 c4 c5 c6
……… ……… ……… Equivalent Constraints c5 = c3.c4 c6 = c5.(c1 + c2) …
( 𝑙=1
𝑛
𝑑𝑙𝑤𝑙(𝑦)) ( 𝑙=1
𝑛
𝑑𝑙𝑥𝑙(𝑦)) - ( 𝑙=1
𝑛
𝑑𝑙𝑧𝑙(𝑦)) = 𝑢(𝑦)ℎ(𝑦)
where
t(x) = (x – r1) (x – r2) .. (x – rd) vk, wk and yk are polynomials defined based on the circuit structure.
14
……… ……… ……… Equivalent Constraints c5(z) = c3(z).c4(z) c6(z) = c5(z).(c1(z) + c2(z)) …
( 𝑙=1
𝑛
𝑑𝑙(𝑨)𝑤𝑙(𝑦)) ( 𝑙=1
𝑛
𝑑𝑙(𝑨)𝑥𝑙(𝑦)) - ( 𝑙=1
𝑛
𝑑𝑙(𝑨)𝑧𝑙(𝑦)) = 𝑢(𝑦)ℎ(𝑦, 𝑨)
where
t(x) = (x – r1) (x – r2) .. (x – rd) vk, wk and yk are polynomials defined based on the circuit structure.
+ x x
c1(z) c2(z) c3(z) c4(z) c5(z) c6(z)
Bivariate Polynomial
15
u F(u), 𝜌
polynomial circuits with loops.
and nifty ate-pairing.
level is 127.
TrueSet (NTL-ZM Pinocchio)
16
Set 1 Set 2 Odd Even Merge Sort ..... …. Check for a duplicate O(n log2(n)) comparators O(n) equality gates 17
Example Intersection Circuit using a Sorting Network
the field Fp.
produced for Pinocchio alternatives. U
A B C D E F G H
U
∩
U U
OUT
18
Proof Computation – Single Gate
19
150x improvement when |s| = 256
50 100 150 200 2² 2³ 2⁴ 2⁵ 2⁶ 2⁷ 2⁸ 2⁹ 2¹⁰ Proof Time (sec) Input Set Cardinality TrueSet NTL-ZM Pinocchio (pairwise) MS Pinocchio (pairwise)
Proof Computation – Multi-gate
50 100 150 200
2² 2³ 2⁴ 2⁵ 2⁶ 2⁷ 2⁸ 2⁹ 2¹⁰ 2¹¹ 2¹² 2¹³
Proof Time (sec)
Input Set Cardinality
TrueSet NTL-ZM Pinocchio (pairwise) NTL-ZM Pinocchio (sorting network) MS Pinocchio (pairwise) MS Pinocchio (sorting network)
> 50x improvement when |s| = 64
|s| refers to each input set size
20
computation time for verifiable set computations.
achieve:
size is 256)
21
Questions? akosba@cs.umd.edu