Scalable Transparent ARguments-of-Knowledge Michael Riabzev - - PowerPoint PPT Presentation

SLIDE 1

1/21 Our result | Features | A peek under the hood | Summary

Scalable Transparent ARguments-of-Knowledge

Michael Riabzev

Department of Computer Science, Technion

DIMACS Workshop on Outsourcing Computation Securely

Joint work with Eli Ben-Sasson, Iddo Bentov, and Yinon Horesh

SLIDE 2

Talk outline

  • Our result
  • Novel theory review (low-degree testing)
  • Concrete implementation performance review
SLIDE 3

  • Our result
  • Features
  • A peek under the hood
    • Improvements
    • Novel low-degree test
    • Measurements
  • Summary

SLIDE 4

Our result

Today I will tell you about STARK:

  • “Scalable Transparent ARgument of Knowledge”
  • New construction (theory + implementation¹) featuring:
    • Perfect witness-indistinguishability
    • Publicly verifiable
    • No trusted setup
    • Universal
    • Succinct verification
  • And additionally:
    • Post-quantum secure
    • Scalable prover (quasi-linear)

[Diagram: the Prover holds the witness W; the Verifier holds (P, X, T) and is convinced that P(X,W) ⊢<T accept, i.e. that program P on input X with witness W accepts within T steps]

¹ Proof-of-concept in C++



SLIDE 7

Computational model

Interactive Oracle Proofs (IOP) [BCS16, RRR16]²:

  • A generalization of IP [GMR89] and PCP [BFL91, AS98]
  • The Verifier interacts with the Prover
  • The Prover’s messages are too big for the Verifier to read entirely; they are accessed as oracles

Realistic argument system:

  • Using Merkle trees [Kil92, Kil95, Mic00, BCS16]
  • Noninteractive system: Fiat-Shamir heuristic

² Also known as PCIP in [RRR16]

SLIDE 8

Cryptographic assumption

  • Inner protocol (IOP):
    • Provably sound³
    • Provably perfect zero-knowledge
  • Compilation to a (noninteractive) argument system:
    • Using the random oracle model
  • Implementation:
    • Simulating the random oracle using a hash function

³ The implementation uses security conjectures to improve concrete efficiency.


SLIDE 17

STARK (this work) introduces improvements over SCI [BBCGGHPRSTV17] (Ben-Sasson, Bentov, Chiesa, Gabizon, Genkin, Hamilis, Pergament, R, Silberstein, Tromer, Virza) in several aspects:

  • Privacy — witness indistinguishability based on [BCGV16]
  • Arithmetization — optimized for interactive systems
    • Disclaimer: RAM usage introduces an additive ∼8T log T overhead to the witness size, in addition to the O(T) witness size when no RAM is used
    • Derived from SCI
  • Low-degree test — optimized for interactive systems
  • Hash-tree commitment — optimization based on query patterns, reducing communication complexity
  • System — code optimizations

In this talk we focus on the novel low-degree test.


SLIDE 19

IOPP novel low-degree test

Theorem ([BBHR17])

Given oracle access to an evaluation $f : S \to \mathbb{F}_{2^n}$ over an $\mathbb{F}_2$-linear subspace $S \subset \mathbb{F}_{2^n}$, there is an IOPP protocol to verify that $f$ is close to degree $d < |S|/3$, with the following properties:

  • Total proof size $< |S|/2$.
  • Round complexity $\log|S| / 2$.
  • Prover complexity $< 4|S|$ arithmetic operations over $\mathbb{F}_{2^n}$.
  • Highly parallelizable.
  • Query complexity is $2\log|S|$.
  • Soundness: $\Pr[\text{Reject} \mid \mathrm{dist}(f, C) = \delta] \ge \min\!\left(\delta,\ \tfrac{1}{4} - \tfrac{3d}{4|S|}\right) - \tfrac{3|S|}{|\mathbb{F}_{2^n}|}$.
    • Close to $\delta$ in the unique-decoding radius.
    • Shown to be tight there.
SLIDE 20

Low-degree testing in the Interactive-Oracle-Proof model

  • Redundancy addition: the Prover transforms the univariate polynomial $p(x)$ into a bivariate polynomial $Q(x,y)$
    • Invariant: $\deg_y(Q) = \deg(p)/4$
  • Verification: the Verifier chooses a random $x_0$ and verifies that $q(y) = Q(x_0, y)$ is low-degree
    • by repeating the test recursively
    • until $\deg(q)$ is small enough

[Figure: the recursive evaluation grid]

SLIDE 21

Low-degree testing — more details

The transformation $T : \mathbb{F}[x] \to \mathbb{F}[x,y]$ is basically a biased version of [?]:

  • $p(x) \in \mathbb{F}[x]$ is evaluated over $V = \mathrm{Span}\{b_1, b_2, \dots, b_n\}$
  • Define:
    • $V_0 := \mathrm{Span}\{b_1, b_2\}$
    • $V_1 := \mathrm{Span}\{b_3, \dots, b_n\}$
    • $Z_{V_0}(x) := \prod_{\alpha \in V_0} (x - \alpha)$
  • $T(p) = Q(x,y)$ where $Q(x,y) := p(x) \bmod (y - Z_{V_0}(x))$
  • Features:
    • $\forall x : Q(x, Z_{V_0}(x)) = p(x)$
    • $\deg_x(Q) < 4$
    • $\deg_y(Q) = \deg(p)/4$

[Figure: the recursive evaluation grid]
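The redundancy-addition step above, added here as a worked example (it is not the talk's code or the STARK implementation): T(p) = p(x) mod (y − Z_{V0}(x)) carried out over the small binary field GF(2^8) with V0 = Span{b1, b2}, and the three listed features checked directly. The AES field modulus, the choice b1 = 2, b2 = 3 and the sample polynomials are assumptions; polynomials are coefficient lists, lowest degree first, and subtraction in characteristic 2 is XOR.

```python
import functools

def gf_mul(a, b, mod=0x11B):
    """Multiply in GF(2^8); the AES modulus x^8+x^4+x^3+x+1 is an assumption."""
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), (a << 1) ^ (mod if a & 0x80 else 0), b >> 1
    return r

def poly_eval(p, x):
    """Horner's rule over GF(2^8)."""
    return functools.reduce(lambda r, c: gf_mul(r, x) ^ c, reversed(p), 0)

def poly_divmod_monic(p, d):
    """(quotient, remainder) of p / d for monic d, so no field inversions are needed."""
    p, q = list(p), [0] * max(1, len(p) - len(d) + 1)
    for i in range(len(p) - len(d), -1, -1):
        c = p[i + len(d) - 1]      # leading coefficient at this step
        if c:
            q[i] = c
            for j, dj in enumerate(d):
                p[i + j] ^= gf_mul(c, dj)
    return q, p[:len(d) - 1]

def vanishing_poly(b1, b2):
    """Z_{V0}(x) = prod_{alpha in V0} (x - alpha) for V0 = Span_{F2}{b1, b2} (4 points)."""
    z = [1]
    for alpha in (0, b1, b2, b1 ^ b2):   # x - alpha == x + alpha in characteristic 2
        z = [u ^ v for u, v in zip([0] + z, [gf_mul(alpha, c) for c in z] + [0])]
    return z                             # monic, degree 4, only x, x^2, x^4 terms

def transform(p, z):
    """T(p) = p(x) mod (y - Z(x)): p = sum_i q_i(x) Z(x)^i, deg q_i < 4; row i is q_i."""
    rows, p = [], list(p)
    while any(p):
        p, r = poly_divmod_monic(p, z)   # peel off the next y-coefficient
        rows.append(r)
    return rows or [[0]]

def eval_Q(rows, x, y):
    """Horner's rule in y; each coefficient is the row polynomial q_i evaluated at x."""
    return functools.reduce(lambda r, q_i: gf_mul(r, y) ^ poly_eval(q_i, x), reversed(rows), 0)

def check_features(p, b1, b2):
    """(Q(x, Z(x)) == p(x) on all of GF(2^8), deg_x(Q), deg_y(Q)) for the slide's claims."""
    z = vanishing_poly(b1, b2)
    rows = transform(p, z)
    folds = all(eval_Q(rows, x, poly_eval(z, x)) == poly_eval(p, x) for x in range(256))
    return folds, max(len(r) - 1 for r in rows), len(rows) - 1
```

check_features reports whether Q(x, Z_{V0}(x)) = p(x) holds on every field element together with deg_x(Q) and deg_y(Q), so the invariant deg_y(Q) = deg(p)/4 can be confirmed for any sample p.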

SLIDE 22

Low-degree testing — advantages of interactivity

  • Deeper recursion is possible due to the prover’s adaptivity
  • ‘Lightweight’ prover algorithm
  • Better soundness:
    • Rows are low degree by definition
    • Any column can be queried

[Figure: the recursive evaluation grid]


SLIDE 24

Benchmark: Forensics DNA blacklist

  • The FBI has the forensics DB
  • The hash digest of the DB is known
    • Davies-Meyer-AES160
  • The FBI provides Andy’s DNA profiling⁴ result with an integrity proof
  • The program verified (pseudocode):

    def prog(database):
        currHash = 0
        for currEntry in database:
            if currEntry matches AndysDNA:
                REJECT
            currHash = Hash(currEntry, currHash)   # chain the running digest over the entries
        if currHash == expectedHash:
            ACCEPT
        else:
            REJECT

  Output: “Any match for Andy? No match found”

⁴ Based on https://www.fbi.gov/services/laboratory/biometric-analysis/codis

SLIDE 25

Machine specifications:

  • Prover: CPU: 4 × AMD Opteron(tm) Processor 6328 (32 cores total, 3.2GHz), RAM: 512GB
  • Verifier: CPU: Intel(R) Core(TM) i7-4600 2.1GHz, RAM: 12GB
  • Circuit: runtime simulated for long inputs
  • Security level: 80 bits (probability of cheating < 2^−80)

[Plots, x-axis: num profiles; panels: Prover time, Ratio proving/execution time, Proof size]

Conclusions: Prover asymptotic behaviour as predicted; proving is ∼×50K slower than program execution

[Plots, x-axis: num profiles; panels: Verifier time, Ratio verification/execution time (with cutoff), Argument size (Inner protocol (IOP) vs. Total)]

Conclusions: Verifier asymptotic behaviour as predicted; speedup achieved only for a few generated arguments

SLIDE 26

Comparison to other approaches

Machine specifications: CPU: 4 × AMD Opteron(tm) Processor 6328 (32 cores total, 3.2GHz), RAM: 512GB
Benchmark: executing a subset-sum solver for 64K TinyRAM steps (9 elements — exhaustive algorithm).

[Chart: Comparison to other systems - lower is better (log scale); columns: Prover (mins), Verifier (mSec), Comm. (bytes); rows: STARK, SCI, KOE, IVC; bar labels as extracted, order not recoverable: 10s 43M 4.2 days 25 374 28min 19G 18 9 230 41 500 42M 1.3 40 452K]

Fastest prover; verification ∼ fastest so far; communication complexity (CC) lowest; argument ∼×1K longer than the “best”

  • STARK
  • SCI [BBCGGHPRSTV17] — based on IOP.
  • KOE [BCGTV13] — zkSNARK based on Knowledge Of Exponent hardness. Non-succinct setup required.
  • IVC [BCTV14] — Incrementally Verifiable Computation based on KOE. Setup required (succinct).

SLIDE 28

Summary

STARK introduction: [thumbnail of the DNA blacklist benchmark: “Any match for Andy? No match found”]

New low-degree test: [thumbnail of the recursive evaluation grid]

Concrete measurements: [thumbnail of the chart “Comparison to other systems - lower is better (log scale)”: Prover (mins), Verifier (mSec), Comm. (bytes)]


SLIDE 30

  • [AS98] Sanjeev Arora and Shmuel Safra. Probabilistic checking of proofs: a new characterization of NP. Journal of the ACM, 45(1):70–122, 1998. Preliminary version in FOCS ’92.
  • [BCGV16] Eli Ben-Sasson, Alessandro Chiesa, Ariel Gabizon, and Madars Virza. Quasilinear-size zero knowledge from linear-algebraic PCPs. In Proceedings of the 13th Theory of Cryptography Conference, TCC ’16-A, pages 33–64, 2016.
  • [BCS16] Eli Ben-Sasson, Alessandro Chiesa, and Nicholas Spooner. Interactive oracle proofs. In Theory of Cryptography - 14th International Conference, TCC 2016-B, Beijing, China, October 31 - November 3, 2016, Proceedings, Part II, pages 31–60, 2016.
  • [BFL91] László Babai, Lance Fortnow, and Carsten Lund. Non-deterministic exponential time has two-prover interactive protocols. Computational Complexity, 1:3–40, 1991. Preliminary version appeared in FOCS ’90.
  • [GMR89] Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 18(1):186–208, 1989. Preliminary version appeared in STOC ’85.
  • [Kil92] Joe Kilian. A note on efficient zero-knowledge proofs and arguments. In Proceedings of the 24th Annual ACM Symposium on Theory of Computing, STOC ’92, pages 723–732, 1992.
  • [Kil95] Joe Kilian. Improved efficient arguments. In Proceedings of the 15th Annual International Cryptology Conference, CRYPTO ’95, pages 311–324, 1995.
  • [Mic00] Silvio Micali. Computationally sound proofs. SIAM Journal on Computing, 30(4):1253–1298, 2000. Preliminary version appeared in FOCS ’94.
  • [RRR16] Omer Reingold, Guy N. Rothblum, and Ron D. Rothblum. Constant-round interactive proofs for delegating computation. In Proceedings of the 48th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2016, Cambridge, MA, USA, June 18-21, 2016, pages 49–62, 2016.