Sublinear Zero-Knowledge Arguments for RAM Programs (Payman Mohassel, Mike Rosulek, Alessandra Scafuro) - PowerPoint PPT Presentation

SLIDE 1

Sublinear Zero-Knowledge Arguments for RAM Programs

Payman Mohassel (Visa), Mike Rosulek (Oregon State University), Alessandra Scafuro (NC State University)

SLIDE 9

Problem

A server S holds a dataset (Data). A client C repeatedly sends RAM programs R1, R2, ... and receives the outputs y1, y2, .... Along with each yi, S returns a proof that (a) yi is the correct output of Ri and (b) every Ri was run on the same Data. The proof must be zero-knowledge: C learns nothing about Data beyond the outputs.

SLIDE 13

Properties wanted

  • Zero-knowledge proof of correct computation on the committed Data
  • Efficiency: work per proof depends only on the running time T of Ri, not on the size of Data
  • Security: composability (UC), [constant-round]

SLIDE 14

Sub-linear Zero Knowledge

SLIDE 19

Sub-linear Zero Knowledge: existing approaches

PCPs / SNARKs [Kil92, Mic94, Gro10a, Lip12, GGPR13, ...]: the goal is a proof as short as possible. Problem: these are circuit-based approaches, so P's work depends on the size of the input (the whole dataset), not on the running time.

ORAM [GO96, ...]: lets a RAM program touch only the memory locations it actually needs while hiding which ones, so work can scale with the running time rather than with the data size.

SLIDE 25

Sub-linear amortized Zero-Knowledge [HMR15]

Two phases between prover P and verifier V: a setup phase, then a proof phase in which V prepares T garbled circuits, one per step of the program's running time T.

Problem: the setup phase costs O(N) for both parties (N = size of the data), so sub-linearity only holds amortized over many proofs.

Special cases: ZK sets [MRK03] and generalizations [ORS07, ...].

SLIDE 26

Our Result

SLIDE 28

Sublinear Zero-Knowledge for RAM programs

  • Proof phase: the work of both P and V depends only on the running time T of the program
  • Setup phase: V's work is also independent of the data size; P's only data-size-dependent cost is the one-time commitment to the data
  • UC-secure
  • Based on efficient primitives: garbled circuits (GC) and ZKBoo [GMO16]

SLIDE 36

Ideal functionality F_zkRAM (UC security)

  • Init: P sends the memory M to F_zkRAM, which stores it.
  • Prove: P sends (Ri, wi). F_zkRAM computes (M', y) ← Ri(M, wi), sends (Ri, y) to V, and replaces the stored memory M by M'.

V learns only the program Ri and its output y, never M or the witness wi, and every proof is relative to the same (evolving) memory.

Challenge in the security proof: the simulator must extract M from the transcript.

SLIDE 37

Our technique

SLIDE 53

Sub-linear amortized Zero-Knowledge [HMR15]: how it works

Setup phase: the data is placed in an ORAM and V "garbles" the values, i.e. V chooses the wire-label encoding of every memory word.

Proof phase for Ri: P runs the ORAM program and reveals the access pattern (i1, i2, i3, ...), which is safe because the ORAM makes it independent of the data. V prepares T garbled circuits, one per step [JKO13]; each circuit consumes the garbled values at i1, i2, i3, and the final one outputs the 0/1 verdict and y. After each access V replaces the used encoding with a fresh one.

Soundness follows because V fully controls the encoding of the dataset. But here V should do nothing in the setup (its work must not depend on the data size), so where does soundness come from?

SLIDE 66

Our setup phase: P alone encodes the initial data into an ORAM and commits to the encoded memory with a Merkle tree; V does no data-dependent work. In the proof phase the garbled circuits (GC) get P's inputs through OT, and P reveals the ORAM access pattern (i1, i2, i3, ...).

Open questions:
  1. Consistency with the committed input, proven black-box?
  2. Extraction of the committed input (for UC simulation)?
  3. "Malicious" ORAM: what if P misbehaves when building the ORAM?

SLIDE 80

1. Black-box proof of consistency [GOSV14, IW14]

Each memory word is encoded with a Reed-Solomon code, and P commits to the codeword (its shares) in the Merkle tree. The garbled circuit for a step then:
  1. reconstructs the word from its shares,
  2. computes a fresh encoding for the value written back at i1,
  3. outputs a subset of the shares (chosen by V's challenge) together with the 0/1 result.

V checks that the revealed shares for i1 and i2 match the committed codewords by verifying the Merkle paths for i1 and i2 against the committed root ("=?"). The check is black-box in the commitment, and a subset of shares below the reconstruction threshold reveals nothing about the word.
SLIDE 83

Proof phase, put together

  • Correctness of computation: evaluating the garbled circuit (Reed-Solomon encode/decode inside it, [GOSV14, IW14]) yields the 0/1 verdict.
  • Consistency with the tree: V sends a challenge, and P proves the relation F_check (revealed shares match the Merkle paths to the committed root, "=?") with ZKBoo [GMO16].
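
Worked example (added here; not code from the talk or the paper): a Python toy of the commit-and-open half of the consistency check on slides 80 and 83. Every memory word is Reed-Solomon (Shamir) encoded, every share gets its own blinded Merkle leaf, the verifier challenges a subset of shares below the threshold t (so the word stays hidden) and checks the opened shares against the committed root, and a forged share is rejected. The garbled-circuit evaluation and the ZKBoo proof of F_check are not modelled; the field, n = 8, t = 4, the leaf format and the sample memory are my own choices.

```python
import hashlib
import random

P = 2**61 - 1                 # Mersenne prime: the field of the Reed-Solomon (Shamir) code
N_SHARES, THRESHOLD = 8, 4    # codeword length n and reconstruction threshold t (toy choices)

def rs_encode(value, rng):
    """Shamir/Reed-Solomon encoding of one memory word: value = f(0) for a random
    polynomial f of degree t-1; the codeword is (f(1), ..., f(n))."""
    coeffs = [value % P] + [rng.randrange(P) for _ in range(THRESHOLD - 1)]
    return [sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
            for x in range(1, N_SHARES + 1)]

def rs_decode(points):
    """Step 1 of the garbled circuit: recover f(0) from any t (x, f(x)) pairs (Lagrange)."""
    value = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        value = (value + yi * num * pow(den, P - 2, P)) % P
    return value

def h(*parts):
    enc = [p if isinstance(p, bytes) else str(p).encode() for p in parts]
    return hashlib.sha256(b"|".join(enc)).digest()

def merkle_build(leaves):
    """All tree levels, leaves first; len(leaves) must be a power of two."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([h(lvl[k], lvl[k + 1]) for k in range(0, len(lvl), 2)])
    return levels

def merkle_path(levels, idx):
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[idx ^ 1])   # sibling at this level
        idx //= 2
    return path

def merkle_verify(root, leaf, idx, path):
    node = leaf
    for sib in path:
        node = h(node, sib) if idx % 2 == 0 else h(sib, node)
        idx //= 2
    return node == root

class Prover:
    """Setup: encode every word, blind every share, commit to all shares in one Merkle
    tree (leaf index = word * n + share index)."""
    def __init__(self, memory, seed=1):
        assert len(memory) & (len(memory) - 1) == 0, "toy tree wants a power-of-two size"
        self.rng = random.Random(seed)
        self.codewords = [rs_encode(v, self.rng) for v in memory]
        self.blinds = [[self.rng.randrange(P) for _ in range(N_SHARES)] for _ in memory]
        leaves = [h(i, j, self.blinds[i][j], self.codewords[i][j])
                  for i in range(len(memory)) for j in range(N_SHARES)]
        self.levels = merkle_build(leaves)
        self.root = self.levels[-1][0]

    def open_shares(self, i, subset):
        """Step 3 of the circuit: reveal the challenged subset of word i's shares,
        each with its blind and its Merkle path."""
        return [(j, self.codewords[i][j], self.blinds[i][j],
                 merkle_path(self.levels, i * N_SHARES + j)) for j in subset]

def verify_opening(root, i, opening):
    """Verifier's '=?' check: every revealed share must hang under the committed root."""
    return all(merkle_verify(root, h(i, j, blind, share), i * N_SHARES + j, path)
               for j, share, blind, path in opening)

def demo():
    memory = [7, 11, 13, 17, 19, 23, 29, 31]            # constructed sample memory
    prover = Prover(memory)
    challenge = random.Random(42)                        # verifier's coins
    i1 = 3
    subset = sorted(challenge.sample(range(N_SHARES), THRESHOLD - 1))  # < t shares: word stays hidden
    opening = prover.open_shares(i1, subset)
    honest_ok = verify_opening(prover.root, i1, opening)
    # inside the circuit the prover holds all shares, so reconstruction works
    recon_ok = rs_decode([(j + 1, prover.codewords[i1][j]) for j in range(THRESHOLD)]) == memory[i1]
    # a share that does not match the commitment fails the Merkle check
    j, share, blind, path = opening[0]
    forged = [(j, (share + 1) % P, blind, path)] + opening[1:]
    return honest_ok, recon_ok, verify_opening(prover.root, i1, forged)

if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

Committing share-by-share (rather than one leaf per word) is what lets the verifier check the challenged subset without learning the remaining shares; the blind in each leaf keeps the hash from leaking the share value. A write-back at i1 would re-encode the word and replace its n leaves, which is the "new encoding" step the slide lists.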

SLIDE 85

2. Extraction of the committed input: UC commitments

The commitment P sends in the setup must be both extractable (the simulator can pull the committed value out of a corrupt P) and equivocal (the simulator can open a commitment made on behalf of an honest P to any value). Both are needed for UC security.

SLIDE 90

UC-secure commitment in the global random oracle model gRO [CJS14]

  • Extractability comes from observing the oracle queries.
  • Equivocality is the hard part: the gRO cannot be programmed (it is a non-programmable RO, NPRO).
  • [CJS14]: use a Pedersen commitment with an interactive commitment phase.
  • [this work]: an interactive one-time setup, after which every commitment is non-interactive. This improves on CJS14 as soon as the number of commitments exceeds O(k).
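
Added example (mine, not the talk's or CJS14's actual scheme): the Pedersen building block behind slides 85 to 90, in Python. A one-time setup fixes the key (g, h = g^t); afterwards each commitment is a single non-interactive value. An honest setup discards t, so the commitment is binding under the discrete-log assumption; the simulator, who runs the setup in the security proof, keeps t and can open any commitment to any value, which is exactly the equivocality a non-programmable global random oracle cannot supply on its own. The group generation, the 64-bit size and the sample values are toy choices; extraction via the observable gRO is not modelled.

```python
import random

def is_probable_prime(n, rounds=24, rng=random.Random(7)):
    """Miller-Rabin (fine for a toy; use a vetted library for real parameters)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits, rng):
    """Return (p, q, g): p = 2q + 1 prime, g a generator of the order-q subgroup of Z_p^*."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            g = pow(rng.randrange(2, p - 1), 2, p)     # a non-trivial square has order q
            if g != 1:
                return p, q, g

class PedersenSetup:
    """One-time setup fixing the key (g, h). An honest setup forgets t = log_g h; the UC
    simulator keeps t as the equivocation trapdoor."""
    def __init__(self, bits=64, seed=2024):          # 64-bit toy group, NOT a secure size
        self.rng = random.Random(seed)
        self.p, self.q, self.g = safe_prime_group(bits, self.rng)
        self.trapdoor = self.rng.randrange(1, self.q)
        self.h = pow(self.g, self.trapdoor, self.p)

    def _com(self, m, r):
        return pow(self.g, m % self.q, self.p) * pow(self.h, r, self.p) % self.p

    def commit(self, m):
        """Non-interactive commitment C = g^m * h^r; returns (C, r)."""
        r = self.rng.randrange(self.q)
        return self._com(m, r), r

    def verify(self, c, m, r):
        return c == self._com(m, r)

    def equivocate(self, m, r, m_new):
        """Trapdoor opening: g^m h^r = g^m' h^r' iff m + t*r = m' + t*r' (mod q)."""
        t_inv = pow(self.trapdoor, self.q - 2, self.q)
        return (r + (m - m_new) * t_inv) % self.q

def demo():
    setup = PedersenSetup()
    c, r = setup.commit(42)
    r_new = setup.equivocate(42, r, 99)
    return (setup.verify(c, 42, r),        # honest opening
            setup.verify(c, 99, r_new),    # simulator's equivocated opening
            setup.verify(c, 99, r))        # without the trapdoor the old randomness does not help
```

The one-time setup is the only interactive part, which is the point of the slide: once (g, h) is fixed, committing costs one group element and no round trip, so the scheme wins over CJS14 once many commitments are made under the same setup.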

SLIDE 95

3. "Malicious" ORAM. Example: Path ORAM

ORAM state = position map: block 1 -> physical path 2, block 2 -> physical path 3, block 3 -> physical path 4, block 4 -> physical path 1.

ORAM tree with leaves (paths) 1 2 3 4, holding blocks [addr, data]: [4,bbb], [1,cq], [4,aaa], [3,0aa], [1,0aa], [2,xca].

? The tree contains two copies of block 4 ([4,bbb] and [4,aaa]) and two copies of block 1 ([1,cq] and [1,0aa]). Which copy is the "real" memory content that the simulator should extract?

SLIDE 96

New ORAM property: extractability

The ORAM state (position map) together with the ORAM tree must yield an unambiguous memory, even when the tree was built by a malicious prover. For Path ORAM a minimal modification suffices.
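
Added example (mine; it does not show the paper's actual modification to Path ORAM): a toy Path ORAM in Python with the 4-path tree and the position map from slide 95, plus an extraction rule that formalises "position map + tree determine the memory": the content of a block is the unique copy found on the path its position map entry assigns to it (or in the stash); copies elsewhere are stale and ignored, and zero or several copies on the assigned path make the block ambiguous. Honest Path ORAM maintains exactly one copy per block, so extraction matches the logical memory; the prover-built tree from the slide, with my own placement of the duplicate blocks, shows an off-path duplicate being ignored and an on-path duplicate being flagged. Tree depth, bucket size and block placement are constructed for the example.

```python
import random

DEPTH = 2              # levels below the root: 2**DEPTH = 4 leaves = physical paths 1..4, as on the slide
LEAVES = 2 ** DEPTH
Z = 2                  # bucket capacity (blocks per tree node)

def path_nodes(leaf):
    """Node ids in heap order (root = 1) from the root down to leaf number 1..LEAVES."""
    node = LEAVES - 1 + leaf
    nodes = []
    while node >= 1:
        nodes.append(node)
        node //= 2
    return nodes[::-1]

class PathORAM:
    """Toy Path ORAM: a tree of buckets, a stash, and the position map (the ORAM state)."""
    def __init__(self, n_blocks, rng):
        self.rng = rng
        self.tree = {node: [] for node in range(1, 2 * LEAVES)}   # node -> [(addr, data)]
        self.stash = []
        self.pos = {addr: rng.randint(1, LEAVES) for addr in range(1, n_blocks + 1)}

    def access(self, addr, new_data=None):
        """Read (and optionally overwrite) block addr; returns the old data (None if absent)."""
        leaf = self.pos[addr]
        self.pos[addr] = self.rng.randint(1, LEAVES)      # remap before writing back
        for node in path_nodes(leaf):                      # read the whole path into the stash
            self.stash += self.tree[node]
            self.tree[node] = []
        data = next((d for a, d in self.stash if a == addr), None)
        if new_data is not None:
            self.stash = [(a, d) for a, d in self.stash if a != addr] + [(addr, new_data)]
        for node in reversed(path_nodes(leaf)):            # evict, deepest bucket first
            fits = [(a, d) for a, d in self.stash if node in path_nodes(self.pos[a])][:Z]
            self.tree[node] = fits
            self.stash = [b for b in self.stash if b not in fits]
        return data

def extract_memory(pos, tree, stash):
    """Simulator's extraction rule (my formalisation of the slide): memory[addr] is the single
    copy of addr in the stash or on the path the position map assigns to addr. Copies off that
    path are stale and ignored; zero or several candidates make addr ambiguous."""
    memory, ambiguous = {}, []
    for addr, leaf in pos.items():
        candidates = [d for a, d in stash if a == addr]
        for node in path_nodes(leaf):
            candidates += [d for a, d in tree[node] if a == addr]
        if len(candidates) == 1:
            memory[addr] = candidates[0]
        else:
            ambiguous.append(addr)
    return memory, ambiguous

def demo_honest(seed=5):
    """Honest Path ORAM keeps exactly one copy of each block on its assigned path (or in the
    stash), so extraction reproduces the logical memory exactly."""
    rng = random.Random(seed)
    oram, reference = PathORAM(4, rng), {}
    for addr, data in [(1, "cq"), (2, "xca"), (3, "0aa"), (4, "aaa")]:   # constructed contents
        oram.access(addr, data)
        reference[addr] = data
    for _ in range(20):                                    # random reads and writes
        addr = rng.randint(1, 4)
        if rng.random() < 0.5:
            reference[addr] = "v%d" % rng.randint(0, 999)
            oram.access(addr, reference[addr])
        elif oram.access(addr) != reference[addr]:
            return False
    memory, ambiguous = extract_memory(oram.pos, oram.tree, oram.stash)
    return memory == reference and ambiguous == []

def demo_malicious():
    """A prover-built tree holding the duplicate blocks from the slide (placement is mine)."""
    pos = {1: 2, 2: 3, 3: 4, 4: 1}                         # position map from the slide
    tree = {node: [] for node in range(1, 2 * LEAVES)}
    tree[1] = [(1, "0aa")]                                 # root: lies on every path
    tree[3] = [(2, "xca")]                                 # internal node above paths 3 and 4
    tree[4] = [(4, "aaa")]                                 # leaf of path 1
    tree[5] = [(4, "bbb"), (1, "cq")]                      # leaf of path 2
    tree[7] = [(3, "0aa")]                                 # leaf of path 4
    return extract_memory(pos, tree, [])
```

In the malicious tree, [4,bbb] sits on path 2 while block 4 is mapped to path 1, so extraction picks "aaa" and the stray copy is harmless; block 1, however, has one copy at the root and one at the leaf of its assigned path 2, and no rule based on the position map alone can choose between them. That on-path duplicate is the ambiguity a "malicious-secure" ORAM has to rule out, which is what the paper's modification to Path ORAM addresses.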

SLIDE 97

Putting things together

  • Setup: P commits to the ORAM-encoded data with the new UC commitment in gRO, using the "malicious"-secure (extractable) ORAM.
  • Proof phase: the garbled circuits give the 0/1 correctness verdict; on V's challenge, the consistency relation F_check ("=?") is proven with ZKBoo.

Result: work depends only on the running time T, UC-secure, based on efficient primitives (GC, ZKBoo).

SLIDE 98

Going forward

  • Equivocal commitment in gRO from one-way functions only (with non-interactive commitment)
  • Sigma-protocol for RAM programs

SLIDE 99

Thank you! Questions?