[PPT] - Privacy-Preserving Outsourcing by Distributed Verifiable PowerPoint Presentation

SLIDE 1

Privacy-Preserving Outsourcing by Distributed Verifiable Computation

Meilof Veeningen

Philips Research MPC 2016, Aarhus, May 30 2016

SLIDE 2

Philips Research

2

SLIDE 3

Philips Research

3

SLIDE 4

Philips Research

4

SLIDE 5

Philips Research

5

SLIDE 6

Philips Research

6

SLIDE 7

Outsourcing Computations on Sensitive Data (I)

Philips Research

7

x f(x) privacy? correctness?

SLIDE 8

Outsourcing Computations on Sensitive Data (I)

Philips Research

8

𝑦 " 𝑦 # 𝑦 $

secure multiparty computation

𝑔(𝑦) $ 𝑔(𝑦) # 𝑔(𝑦) "

Jakobsen, Nielsen, Orlandi (CCSW ’14): privacy and correctness with 𝑜 − 1 actively corrupted workers

Can we achieve correctness even if all workers are corrupted?

SLIDE 9

Outsourcing & Correctness (But No Privacy)

Philips Research

9

SLIDE 10

Privacy + Correctness: A Generic Construction

Philips Research

10

𝑦 " 𝑦 # 𝑦 $ 𝑧 = 𝑔(𝑦) $ 𝑧 = 𝑔(𝑦) # 𝑧 = 𝑔(𝑦) " 𝑧,Proof(𝑧 = 𝑔 𝑦 ) $ 𝑧, Proof(𝑧 = 𝑔 𝑦 ) # 𝑧, Proof(𝑧 = 𝑔 𝑦 ) "

Question: can we efficiently construct these proofs with multi-party computation? Privacy: same as MPC protocol used Correctness: always!

SLIDE 11

Privacy + Correctness: Previous Work

Philips Research

11

penings

Publicly Auditable SPDZ (Baum/Damgård/Orlandi) Preprocessing 𝑦 , 𝑧 , 𝑦𝑧 +𝑕3, 𝑕4, 𝑕34 Universally Verifiable CDN (de Hoogh/Schoenmakers/V.) ZK NIZK Certificate Validation … (de Hoogh/Schoenmakers/V.) Paillier ElGamal Verification effort scales in computation size! Reason: existing work takes MPC as starting point!

SLIDE 12

Privacy + Correctness: Previous Work

Philips Research

12

Instead of 𝑧, Proof(𝑧 = 𝑔 𝑦 ) ":

– Baum/Damgård/Orlandi: SPDZ + Pedersen commitments = SPDZ’ – de Hoogh/Schoenmakers/Veeningen: CDN + non-interactive proofs = CDN’ – de Hoogh/Schoenmakers/Veeningen: CDN’ + ElGamal encryption = CDN’’

Because of MPC starting point, no efficient verification!

SLIDE 13

Today: 𝑧, Proof(𝑧 = 𝑔 𝑦 ) can be efficient!

Philips Research

13

𝑦 " 𝑦 # 𝑦 $ 𝑧, PinocchioVC(𝑧 = 𝑔 𝑦 ) $ 𝑧, PinocchioVC(𝑧 = 𝑔 𝑦 ) # 𝑧, PinocchioVC(𝑧 = 𝑔 𝑦 ) "

Theorem. (Schoenmakers/V/de

Vreede, ACNS ‘16) Privacy-preserving computation of Pinocchio VC: three workers each perform essentially the work of the original prover.

Corollary. Verifiable Multi-Party

Computation with constant-time verification!

SLIDE 14

Outline

Secret sharing MPC
Pinocchio VC
Secret sharing MPC + Pinocchio VC

Philips Research

14

SLIDE 15

Philips Research

15

Secret sharing MPC

SLIDE 16

Shamir secret sharing (2-out-of-3)

Philips Research

16

(3,𝑧< + 𝑨<) (2,𝑧@ + 𝑨@) (1,𝑧A + 𝑨A) 𝑡$ + 𝑡" 𝑡$ 𝑧A 𝑧@ 𝑧< 1 2 3 𝑡" (1,𝑧A) (2,𝑧@) (3, 𝑧<) (1, 𝑨A) (2, 𝑨@) (3, 𝑨<) (1,𝑧A𝑨A) (2,𝑧@𝑨@) (3,𝑧<𝑨<) 𝛽𝑡$ (1,𝛽𝑧D) (2,𝛽𝑧E) (3,𝛽𝑧F) 𝑧 = 𝑏𝑦 + 𝑡$ 𝑐𝑦 + 𝑡" = 𝑏𝑐 𝑦" + 𝑏𝑡" + 𝑐𝑡$ 𝑦 + 𝑡$𝑡" s$s" = 3(𝑧D𝑨D) − 3(𝑧E𝑨E) + (𝑧F𝑨F) (3-out-of-3 sharing!) Animation: Sebastiaan de Hoogh

SLIDE 17

, 𝑡𝑢(𝑡 + 𝑢) 𝑡𝑢(𝑡 + 𝑢) $ 𝑡𝑢(𝑡 + 𝑢) " 𝑡𝑢(𝑡 + 𝑢) # 𝑡𝑢(𝑡 + 𝑢) $ 𝑡𝑢(𝑡 + 𝑢) " 𝑡𝑢(𝑡 + 𝑢) # 𝑡 + 𝑢 $ 𝑡 + 𝑢 " 𝑡 + 𝑢 # 𝑡𝑢 $ 𝑡𝑢 " 𝑡𝑢 # 𝑡𝑢 # " 𝑡𝑢 # $ 𝑡𝑢 " $ 𝑡𝑢 " $ 𝑡𝑢 $ " 𝑡𝑢 $ # 𝑡𝑢 $ 𝑡𝑢 " 𝑡𝑢 # 𝑡 $, 𝑢 $ 𝑡 ", 𝑢 " 𝑡 #, 𝑢 # 𝑡 $, 𝑢 $ 𝑡 ", 𝑢 " 𝑡 #, 𝑢 # Goal: compute 𝑧 = 𝑡 ⋅ 𝑢 ⋅ (𝑡 + 𝑢) 𝑦 : 2-out-of-3 sharing of 𝑦 𝑦 : 3-out-of-3 sharing of 𝑦 𝑡, 𝑢

Philips Research

17

MPC based on Shamir secret sharing

𝑡𝑢 = 3 𝑡𝑢 $ − 3 𝑡𝑢 " + 𝑡𝑢 # 𝑡𝑢 M = 3 𝑡𝑢 $ M − 3 𝑡𝑢 " M + 𝑡𝑢 # M

SLIDE 18

Philips Research

18

Pinocchio VC

SLIDE 19

Pinocchio: Quadratic Arithmetic Programs

Prove that committed 𝑦 ⃗ satisfies equations 𝑊 ⋅ 𝑦 ⃗ ∗ 𝑋 ⋅ 𝑦 ⃗ = (𝑍 ⋅ 𝑦 ⃗) Example: 𝑧 = 𝑡 ⋅ 𝑢 ⋅ 𝑡 + 𝑢 if and only if: ∃𝑨 ∶ U𝑡 ⋅ 𝑢 = 𝑨 𝑨 ⋅ (𝑡 + 𝑢) = 𝑧 1 1 0 ⋅ 𝑡 𝑢 𝑨 𝑧 ∗ 0 1 1 1 0 ⋅ 𝑡 𝑢 𝑨 𝑧 = 0 1 1 ⋅ 𝑡 𝑢 𝑨 𝑧 E.g.: 𝑡 𝑢 𝑧 𝑨 = 3 2 6 30 is a solution

Philips Research

19

“quadratic arithmetic program” (QAP)

SLIDE 20

Pinocchio: From QAP to SNARK (I)

Philips Research

20

Prove that committed 𝑦 ⃗ satisfies equations 𝑊 ⋅ 𝑦 ⃗ ∗ 𝑋 ⋅ 𝑦 ⃗ = 𝑍 ⋅ 𝑦 ⃗ . Define 𝑊M 𝜊 ,𝑋

M 𝜊 ,𝑍 M 𝜊 by “columnwiseLagrange interpolation”

1 1 0 ⋅ 𝑡 𝑢 𝑨 𝑧 ∗ 0 1 1 1 0 ⋅ 𝑡 𝑢 𝑨 𝑧 = 0 1 1 ⋅ 𝑡 𝑢 𝑨 𝑧 𝑊$ 1 = 1, 𝑊$ 2 = 0 𝑊$ 𝜊 = 2 − 𝜊 𝑋

" 1 = 1, 𝑋 " 2 = 1

𝑋

" 𝜊 = 1

…

value at 1 value at 2 Consider polynomial 𝑄3

⃗ 𝜊 = 𝑊$ 𝜊 𝑡+ 𝑊" 𝜊 𝑢 + ⋯ ⋅ 𝑋 $ 𝜊 𝑡 + ⋯ − 𝑍 $ 𝜊 𝑡 + ⋯ :

In 𝜊 = 1: 𝑄3

⃗ 1 = 𝑊$ 1 𝑡 + 𝑊" 1 𝑢 + ⋯ ⋅ 𝑋 $ 1 𝑡 + ⋯ − 𝑍 $ 1 𝑡 + ⋯

= 𝑡 ⋅ 𝑢 − 𝑨

In 𝜊 = 2: 𝑄3

⃗ 2 = 𝑊$ 1 𝑡 + 𝑊" 1 𝑢 + ⋯ ⋅ 𝑋 $ 1 𝑡 + ⋯ − 𝑍 $ 1 𝑡 + ⋯

= 𝑨 ⋅ 𝑡 + 𝑢 − 𝑧 So 𝑊 ⋅ 𝑦 ⃗ ∗ 𝑋 ⋅ 𝑦 ⃗ = 𝑍 ⋅ 𝑦 ⃗ if and only if 𝑄3

⃗ 1 = 𝑄3 ⃗ 2 = 0

if and only if 𝜊 − 1 ⋅ 𝜊 − 2 | 𝑄 𝜊 if and only if there exists ℎ 𝜊 : 𝜊 − 1 ⋅ 𝜊 − 2 ⋅ ℎ 𝜊 = 𝑄3

⃗ 𝜊

SLIDE 21

Pinocchio: From QAP to SNARK (II)

Philips Research

21

Example. 1 1 0 ⋅ 𝑡 𝑢 𝑨 𝑧 ∗ 0 1 1 1 0 ⋅ 𝑡 𝑢 𝑨 𝑧 = 0 1 1 ⋅ 𝑡 𝑢 𝑨 𝑧 𝑊

$ 𝜊 = 𝑍 # 𝜊 = 2 − 𝜊

𝑊

" 𝜊 = 𝑊 ` 𝜊 = 𝑋 # 𝜊 = 𝑋 ` 𝜊 = 𝑍 $ 𝜊 = 𝑍 " 𝜊 = 0

𝑊

# 𝜊 = 𝑋 $ 𝜊 = 𝑍 ` 𝜊 = 𝜊 − 1

𝑋

" 𝜊 = 1

value at 1 value at 2 Claim: 𝑡 𝑢 𝑨 𝑧 is solution iff there exists ℎ 𝜊 such that 𝜊 − 1 𝜊 − 2 ℎ 𝜊 = 𝑡𝑊

$ 𝜊 + 𝑢𝑊 " 𝜊 + 𝑨𝑊 # 𝜊 + 𝑧𝑊 ` 𝜊

⋅ 𝑡𝑋

$ 𝜊 + 𝑢𝑋 " 𝜊 + 𝑨𝑋 # 𝜊 + 𝑧𝑋 ` 𝜊

− 𝑡𝑍

$ 𝜊 + 𝑢𝑍 " 𝜊 + 𝑨𝑍 # 𝜊 + 𝑧𝑍 ` 𝜊

Claim: 3 2 6 30 is solution iff there exists ℎ 𝜊 such that 𝜊 − 1 𝜊 − 2 ℎ 𝜊 = 3𝑊

$ 𝜊 + 2𝑊 " 𝜊 + 6𝑊 # 𝜊 + 30𝑊 ` 𝜊

⋅ 3𝑋

$ 𝜊 + 2𝑋 " 𝜊 + 6𝑋 # 𝜊 + 30𝑋 ` 𝜊

− 3𝑍

$ 𝜊 + 2𝑍 " 𝜊 + 6𝑍 # 𝜊 + 30𝑍 ` 𝜊

Claim: 3 2 6 30 is solution iff there exists ℎ 𝜊 such that 𝜊 − 1 𝜊 − 2 ℎ 𝜊 = 3𝜊 ⋅ 3𝜊 − 1 − 24𝜊 − 18 Claim: 3 2 6 30 is solution iff there exists ℎ 𝜊 such that 𝜊 − 1 𝜊 − 2 ℎ 𝜊 = 9𝜊" − 27𝜊 + 18

SLIDE 22

Pinocchio: From QAP to SNARK (III)

Lemma ⇒ 3 2 6 30 is solution iff there exists ℎ 𝜊 such that 𝜊 − 1 𝜊 − 2 ℎ 𝜊 = 9𝜊" − 27𝜊 + 18

Philips Research

22

9𝜊" − 27𝜊 + 18 𝜊" − 3𝜊 + 2 9 (𝜊" − 3𝜊 + 2) 9 − ℎ 𝜊 = 9

SLIDE 23

Pinocchio: From QAP to SNARK (IV)

Philips Research

23

verification key: 𝑕 fg$ ⋅…⋅ fgh prover: 𝑕i f prover/verifier: 𝑕j

k f 3kl⋯

prover/verifier: 𝑕m

k f 3kl⋯

prover/verifier: 𝑕n

k f 3kl⋯

evaluation key: 𝑕, 𝑕f, 𝑕fo,… evaluation/verification key: 𝑕jp(f),𝑕mp(f), 𝑕n

p(f)

𝑓 𝑕r 𝑕s 𝑓 𝑕r,𝑕s = 𝑓(𝑕t, 𝑕h) iff 𝑏 ⋅ 𝑐 = 𝑑 ⋅ 𝑒 𝑓 𝑕t 𝑕h Magic crypto tool: pairing verifier: 𝑓 𝑕 fg$ ⋅…⋅ fgh ,𝑕i f = 𝑓 𝑕j

k f 3kl⋯,𝑕m k f 3kl⋯ ⋅ 𝑓 𝑕n k f 3kl⋯,𝑕

g$ ?

Ξ − 1 ⋅ …⋅ Ξ − 𝑒 ⋅ ℎ Ξ = 𝑊

$ Ξ 𝑦$ + ⋯

⋅ 𝑋

$ Ξ 𝑦$ + ⋯ − 𝑍 $ Ξ 𝑦$ + ⋯

⋅ 1 𝜊 − 1 ⋅ …⋅ 𝜊 − 𝑒 ⋅ ℎ 𝜊 = 𝑊

$ 𝜊 𝑦$ + ⋯ ⋅ 𝑋 $ 𝜊 𝑦$ + ⋯ − 𝑍 $ 𝜊 𝑦$ + ⋯ ⋅ 1

Ξ: random, unknown Prove:

SLIDE 24

Pinocchio: From QAP to SNARK (V)

Philips Research

24

𝑡, 𝑢

evaluate function: get 𝑨, 𝑧
compute 𝑕j

x f y, 𝑕m x f y, 𝑕n x f y

compute ℎ 𝜊 = j z m z gn z

zg$ ⋅…⋅(zgh)

compute 𝑕i f

verify: 𝑓 𝑕 fg$ ⋅…⋅ fgh , 𝑕i f = 𝑓(𝑕j

k f {lj

f |lj

} f 4 ⋅ 𝑕j x f y,

𝑕m

k f {lm

f |lm

} f 4 ⋅ 𝑕m x f y) ⋅

𝑓 𝑕n

k f {ln

f |ln

} f 4 ⋅ 𝑕n x f y,𝑕

g$

𝑧, 𝑕i f , 𝑕j

x f y,𝑕m x f y, 𝑕n x f y

evaluation key: 𝑕, 𝑕f, 𝑕fo,… 𝑕j

x f ,𝑕m x f , 𝑕n x f

verification key: 𝑕 fg$ ⋅…⋅ fgh 𝑕j

k f ,𝑕m k f ,𝑕n k f

𝑕j

f ,𝑕m
f ,𝑕n
f

𝑕j

} f , 𝑕m } f , 𝑕n } f

SLIDE 25

Philips Research

25

Pinocchio VC Secret sharing MPC +

SLIDE 26

Trinocchio: Distributing the Pinocchio System (I)

Philips Research

26

evaluate function: get 𝑨, 𝑧
compute 𝑕j

x f y, 𝑕m x f y, 𝑕n x f y

compute ℎ 𝜊 = j z m z gn z

zg$ ⋅…⋅(zgh)

compute 𝑕i f

𝑡, 𝑢 𝑧, 𝑕i f , 𝑕j

x f y,𝑕m x f y, 𝑕n x f y

𝑡 , 𝑢 𝑧 , 𝑕i f , 𝑕j

x f y , 𝑕m x f y , 𝑕n x f y

SLIDE 27

Trinocchio: Distributing the Pinocchio System (II)

Philips Research

27

prove 𝑕,𝑕f, 𝑕fo,…,𝑕j

x f ,𝑕m x f , 𝑕n x f ,𝑡, 𝑢 :

𝑨, 𝑧 = 𝑔(𝑡, 𝑢) 𝑕j

x f y = exp

(𝑕j

x f ,𝑨)

𝑕m

x f y = exp

(𝑕m

x f ,𝑨)

𝑕n

x f y = exp(𝑕n x f ,𝑨)

𝑜 𝜊 = 𝑊

$ 𝜊 𝑡 + 𝑊 " 𝜊 𝑢 + 𝑊 # 𝜊 𝑨 + 𝑊 ` 𝜊 𝑧 ∗ 𝑋 $ 𝜊 𝑡 + ⋯

− 𝑍

$ 𝜊 𝑡 + ⋯

ℎ 𝜊 =

‚ z zg$ ⋅…⋅ zgh

𝑕i f = exp 𝑕, ℎƒ ⋅ exp 𝑕f,ℎ$ ⋅ …⋅ exp (𝑕f„…k,ℎhg$) return 𝑧, 𝑕i f , 𝑕j

x f y,𝑕m x f y, 𝑕n x f y

SLIDE 28

Trinocchio: Distributing the Pinocchio System (II)

Philips Research

28

return 𝑧 , 𝑕i f , 𝑕j

x f y , 𝑕m x f y , 𝑕n x f y

return 𝑧, 𝑕i f , 𝑕j

x f y,𝑕m x f y, 𝑕n x f y

𝑕i f = exp 𝑕, ℎƒ ⋅ exp 𝑕f, ℎ$ ⋅ …⋅ exp (𝑕f„…k, ℎhg$ ) 𝑕i f = exp 𝑕, ℎƒ ⋅ exp 𝑕f,ℎ$ ⋅ …⋅ exp (𝑕f„…k,ℎhg$) ℎ 𝜊 =

‚ z zg$ ⋅…⋅ zgh

ℎ 𝜊 =

‚ z zg$ ⋅…⋅ zgh

Products of 2-out-of-3 shares give 3-out-of-3 shares 𝑜 𝜊 = 𝑊

$ 𝜊

𝑡 + 𝑊

" 𝜊

𝑢 + 𝑊

# 𝜊

𝑨 + 𝑊

` 𝜊

𝑧 ∗ 𝑋

$ 𝜊

𝑡 + ⋯ − 𝑍

$ 𝜊

𝑡 + ⋯ 𝑜 𝜊 = 𝑊

$ 𝜊 𝑡 + 𝑊 " 𝜊 𝑢 + 𝑊 # 𝜊 𝑨 + 𝑊 ` 𝜊 𝑧 ∗ 𝑋 $ 𝜊 𝑡 + ⋯ − 𝑍 $ 𝜊 𝑡 + ⋯

𝑕n

x f y = exp(𝑕n x f , 𝑨 )

𝑕m

x f y = exp

(𝑕m

x f , 𝑨 )

𝑕j

x f y = exp

(𝑕j

x f , 𝑨 )

𝑕n

x f y = exp(𝑕n x f ,𝑨)

𝑕m

x f y = exp

(𝑕m

x f ,𝑨)

𝑕j

x f y = exp

(𝑕j

x f ,𝑨)

MPC computation of 𝑔 gives internal wire values “for free” 𝑨 , 𝑧 = 𝑔( 𝑡 , 𝑢 ) 𝑨, 𝑧 = 𝑔(𝑡, 𝑢) prove 𝑕,𝑕f, 𝑕fo,…,𝑕j

x f ,𝑕m x f , 𝑕n x f , 𝑡 , 𝑢 :

prove 𝑕, 𝑕f, 𝑕fo, …,𝑕j

x f ,𝑕m x f , 𝑕n x f ,𝑡, 𝑢 :

Division by public polynomial is linear! Shamir reconstruction “in the exponent” Only step in which the workers communicate!

SLIDE 29

Trinocchio: Distributing the Pinocchio System (III)

Philips Research

29

𝑧 , 𝜌 𝑦 ⃗ 𝑦 ⃗ 𝑦 ⃗ 𝑡 , 𝑢

Theorem. Privacy-preserving

computation of Pinocchio VC: three workers each perform essentially the work of the original prover. 275 s 275 s 275 s 6427 s 6427 s 6427 s 0.05 s

SLIDE 30

Extensions / Future Directions

Philips Research

30

𝑌 ⋅ 𝑆 = 1

𝑌 = 𝐶

$ + 2𝐶" +

… + 2Œ𝐶Œ 1 = 𝐶

$ ⋅ 1 − 𝐶 $

… 1 = 𝐶Œ ⋅ 1 − 𝐶Œ

QAP MPC nonzero test positivity test 𝑉 ∈• ℱ 𝑊 = 𝑃𝑞𝑓𝑜( 𝑌𝑉 ) 𝑆 = 𝑊g$ 𝑉 𝐶$ , …, 𝐶$ = 𝐶𝑗𝑢𝐸𝑓𝑑( 𝑌 ) …

Multiple inputters
Auditable MPC
Verifiability by certificate validation
QAPs + MPC for particular tasks?

– Zero testing – Comparison – …

Easily programmable distributed

verifiable computation

SLIDE 31