Using Efficient Set Accumulators USENIX Security, 2020 Alex Ozdemir* - - PowerPoint PPT Presentation

Scaling Verifiable Computation Using Efficient Set Accumulators

USENIX Security, 2020 Alex Ozdemir*, Riad Wahby*, Barry Whitehat^, Dan Boneh* *Stanford ^Unaffiliated

Problem: Verifiable Storage

• Represent a large storage (e.g. array) with a small digest
• Verifiably read and update the digest

𝑊𝑓𝑠𝑗𝑔𝑧𝑠𝑓𝑏𝑒(𝑒, 𝑗, 𝑤, 𝜌𝑠) 𝑊𝑓𝑠𝑗𝑔𝑧𝑣𝑞𝑒𝑏𝑢𝑓(𝑒, 𝑗𝑥, 𝑤𝑥, 𝑒′, 𝜌𝑥)

Prover(𝐵, 𝑒) Verifier(𝑒)

𝑗, 𝑤, 𝜌𝑠 𝑒′, 𝑗𝑥, 𝑤𝑥, 𝜌𝑥 𝑤 ← 𝐵[𝑗] 𝐵 𝑗𝑥 ← 𝑤𝑥 𝑒 ← 𝐸𝑗𝑕𝑓𝑡𝑢(𝐵) Our Work: Concretely cheaper verifiable storage using RSA accumulators Context: Verifiable outsourcing/cryptographic proof systems

𝑦 𝝆

Cryptographic Proof Systems Programming Them

𝑦0 𝑦1 𝑦2 𝑥0 𝑥1 𝑥2

RSA Accumulators

𝑦 𝝆

Cryptographic Proof Systems Programming Them

𝑦0 𝑦1 𝑦2 𝑥0 𝑥1 𝑥2

RSA Accumulators

NP Proof Systems

𝑦 𝑥 ∃ 𝑥. 𝑾𝑴 𝑦, 𝑥 ? 𝑀 ∈ 𝑂𝑄 (𝑦 ∈ 𝑀)?

Properties

• 𝑥 ∈ 𝑞𝑝𝑚𝑧(|𝑦|)
• 𝑈𝑊𝑀 ∈ 𝑞𝑝𝑚𝑧 |𝑦|
• Aladdin learns 𝑥

𝑥 ← ?

Cryptographic Proof Systems: Abstract

𝑦 𝝆 𝑾𝒇𝒔𝒋𝒈𝒛𝑾𝑴(𝝆, 𝑦 ∈ 𝑀)

Extra Properties

• 𝜌 ∈ 𝑃(1)
• 𝑈𝑊𝑓𝑠𝑗𝑔𝑧 ∈ 𝑃 |𝑦|
• (Aladdin doesn’t learn 𝑥)
• 𝑈𝑄𝑠𝑝𝑤𝑓 ∈ 𝑞𝑝𝑚𝑧 𝑈𝑊𝑀

𝝆 ← 𝑸𝒔𝒑𝒘𝒇𝑾𝑴(𝑦, 𝑥) 𝑥 ← ? 𝑡. 𝑢. 𝑊

𝑀 𝑦, 𝑥 = ⊤

Using PCPs + Cryptography 𝑀 ∈ 𝑂𝑄 (𝑦 ∈ 𝑀)?

Cryptographic Proof Systems: Concrete

𝑀 must be verifiable by an arithmetic constraint system (arithmetic circuit)

𝑊

𝑀 𝑦, 𝑥

𝑦0 𝑦1 𝑦2 𝑥0 𝑥1 𝑥2

Rank-1 Constraint Systems (R1CS)

• Constraints have the form

𝐵 × 𝐶 = 𝐷 where 𝐵, 𝐶, 𝐷 are linear combinations of variables

• Prover time proportional to

constraint count. 𝑦0 1 − 𝑦0 = 0 0 = 𝑥0 + 2𝑥1 + 4𝑥2 − 𝑦 𝑦0𝑦1 = 𝑥 𝑦0𝑦1𝑦2 = 𝑥

𝑦 𝝆

Cryptographic Proof Systems Programming Them

𝑦0 𝑦1 𝑦2 𝑥0 𝑥1 𝑥2

RSA Accumulators

What Does Programming in R1CS Mean?

𝑨 < 16

Abstract Constraint

“Programming”

Rank-1 Constraints

𝐵1 × 𝐶1 = 𝐷1 𝐵2 × 𝐶2 = 𝐷2 𝐵3 × 𝐶3 = 𝐷3 ⋮ 𝐵𝑜 × 𝐶𝑜 = 𝐷𝑜

Variables encoded as field variables Predicates encoded as constraints Constraints may use witness variables

Inequality in R1CS

𝑨 < 16

Abstract Constraint

Encoded as the field variable 𝒜

Rank-1 Constraints

𝑥0 × (1 − 𝑥0) = 0 𝑥1 × (1 − 𝑥1) = 0 𝑥2 × (1 − 𝑥2) = 0 𝑥3 × (1 − 𝑥3) = 0 0 = 𝑥0 + 2𝑥1 + 4𝑥2 + 8𝑥3 − 𝑨

Polynomial Multiplication

𝑔 𝑦 ⋅ 𝑕 𝑦 = ℎ(𝑦)

Abstract Constraint Rank-1 Constraints

𝑔

0 + 𝑔 1 + 𝑔 2

𝑕0 + 𝑕1 + 𝑕2 = ℎ0 + ℎ1 + ℎ2 + ℎ3 + ℎ4 𝑔

0 + 2𝑔 1 + 4𝑔 2

𝑕0 + 2𝑕1 + 4𝑕2 = ℎ0 + 2ℎ1 + 4ℎ2 + 8ℎ3 + 16ℎ4 𝑔

0 + 3𝑔 1 + 9𝑔 2

𝑕0 + 3𝑕1 + 9𝑕2 = ℎ0 + 3ℎ1 + 9ℎ2 + 27ℎ3 + 81ℎ4 𝑔

0 + 4𝑔 1 + 16𝑔 2

𝑕0 + 4𝑕1 + 16𝑕2 = ℎ0 + 4ℎ1 + 16ℎ2 + 64ℎ3 + 256ℎ4 𝑔

0 + 5𝑔 1 + 25𝑔 2

𝑕0 + 5𝑕1 + 25𝑕2 = ℎ0 + 5ℎ1 + 25ℎ2 + 125ℎ3 + 625ℎ4

Each coefficient is a field variable:

• 𝑔 𝑦 = 𝑔

0 + 𝑔 1𝑦 + 𝑔 2𝑦2

• 𝑕 𝑦 = 𝑕0 + 𝑕1𝑦 + 𝑕2𝑦2
• ℎ 𝑦 = ℎ0 + ℎ1𝑦 + ℎ2𝑦2 + ℎ3𝑦3 + ℎ4𝑦4

Check 𝑔 𝑏 ⋅ 𝑕 𝑏 = ℎ 𝑏 for different 𝑏

Big Natural Multiplication

𝑦 ⋅ 𝑧 = 𝑨

Abstract Constraint Rank-1 Constraints Sketch

Represent naturals with limbs, base 𝑐. Each limb is a field element.

• 𝑦 = 𝑦0 + 𝑦1𝑐 + 𝑦2𝑐2
• 𝑧 = 𝑧0 + 𝑧1𝑐 + 𝑧2𝑐2
• z = 𝑨0 + 𝑨1𝑐 + 𝑨2𝑐2 + 𝑨3𝑐3 + 𝑨4𝑐4 + 𝑨5𝑐5

𝑑𝑏𝑠𝑠𝑧 𝑜𝑏𝑢 𝑞𝑝𝑚𝑧 𝑦 × 𝑞𝑝𝑚𝑧 𝑧 = 𝑨 ~ a ripple-carry adder from digital architecture (range checks!)

Big Natural Division

𝑧/𝑦 = 𝑟

Abstract Constraint Rank-1 Constraints Sketch

Represent naturals with limbs, base 𝑐. Each limb is a field element.

• 𝑦 = 𝑦0 + 𝑦1𝑐 + 𝑦2𝑐2
• 𝑧 = 𝑧0 + 𝑧1𝑐 + 𝑧2𝑐2
• 𝑟 = 𝑟0 + 𝑟1𝑐 + 𝑟2𝑐2

∃𝑠. 𝑧 = 𝑦𝑟 + 𝑠

𝑦 𝝆

Cryptographic Proof Systems Programming Them

𝑦0 𝑦1 𝑦2 𝑥0 𝑥1 𝑥2

RSA Accumulators

The Competition: Merkle Trees

• Based on a hash function

𝐼: 𝐺 × 𝐺 → 𝐺

• Collision-Resistant
• Reduce the array to a single

value with a hash-tree

• Proofs based on paths in the

tree

x0 x1 x2 x3 x4 x5 x6 x7 H H H H H H H 𝑒 ℎ0 ℎ1 ℎ2 ℎ3 ℎ4 ℎ5

Verification cost: (roughly) 𝒍 𝐦𝐩𝐡 𝒏 hashes for 𝑙 updates and a storage of capacity 𝑛.

RSA Accumulators

• Based on RSA groups
• The integers modulo 𝑞𝑟: the produce of two unknown primes.
• Hard to compute roots.
• 𝑦𝑜 is easy, 𝑜 𝑦 is hard.
• The digest of an RSA Accumulator is

𝑒 = 𝑕ς𝑗 𝐼Δ 𝑧𝑗

Fixed generator A (special) hash function The stored elements

RSA Accumulator Proofs

• Insertion proof:
• Verifier checks an exponentiation
• Removal proof:
• Insertion in reverse
• Membership proof:
• A removal proof, but the new digest is forgotten
• Sound because computing roots is hard!

𝑒′ = 𝑒𝐼Δ 𝑧

Batched RSA Accumulator Proofs

• Batches require two small exponentiations [BBF 18]/[Wes 18]
• Requires a hash function to prime numbers (for non-interactivity)

𝑒′ = 𝑅ℓ ⋅ 𝑒ς𝑗 𝐼Δ 𝑧𝑗 %ℓ

Verification cost: 𝒍 (𝐢𝐛𝐭𝐢𝐟𝐭 & 𝐧𝐩𝐞𝐯𝐦𝐛𝐬 ×) + 𝟑 𝐟𝐲𝐪𝐩𝐨𝐟𝐨𝐮𝐣𝐛𝐮𝐣𝐩𝐨𝒕 for 𝑙 updates and a storage of capacity 𝑛.

𝑒′ = 𝑒ς𝑗 𝐼Δ 𝑧𝑗

Prover Verifier

ℓ ⇜ Primes ℓ 𝑅 ← 𝑒

ൗ ς𝑗 𝐼Δ(𝑧𝑗) ℓ

𝑅

RSA Accumulator Circuit Overview

ℓ ← 𝐼𝑞(… ) 𝑒′ = 𝑅ℓ ⋅ 𝑒ς𝑗 𝐼Δ 𝑧𝑗 %ℓ

Multiprecision Arithmetic

Traditional Hash-to-Prime

• Rejection sampling of primes
• Miller Rabin primality test
• Probabilistic!
• 2−𝜇 soundness uses 𝑃(𝜇), ෨

𝑃 𝜇 - bit exponentiations

• Many constraints

procedure HashToPrime(x): 𝑕 ← 𝑄𝑆𝐻(𝑡𝑓𝑓𝑒 = 𝑦) while 𝑕.output() is composite: 𝑕.advance() Return 𝑕.output()

Pocklington Prime Generation

• Pocklington’s criterion:
• If
• 𝑞 is prime
• 𝑜 < 𝑞
• ∃𝑏. 𝑏𝑜𝑞 ≡𝑜𝑞+1 1 ⋀ gcd 𝑏𝑜 − 1, 𝑜𝑞 + 1 = 1
• Then 𝑜𝑞 + 1 is prime
• Basis for a recursive primality

certificate

• Idea: Rejection sampling of prime

certificates

𝑞0 𝑞1 𝑞2 𝑞3

P’s Criterion with 𝑜1 P’s Criterion with 𝑜2 P’s Criterion with 𝑜3 Base prime test PRG-based rejection sampling Many fewer constraints than Miller-Rabin, and provably prime

Other Techniques and Tricks

• Optimizations for multiprecision arithmetic in constraints
• Based on xjSnark [KPS 18]
• A new hash function, conjectured to be division-intractable
• Precise semantics for batching dependent accesses.

Evaluation: Constraints

• Implementation in

Bellman, using Groth16.

• Consider storage of

varying size

• Perform varying

numbers of swaps (remove x, add y)

• Measure constraints
• Crossover occurs at a

few thousand operations

25 210 215 220

Evaluation: Prover Time

• Includes RSA accumulator

removal time (≈43s)

• Computing 𝑒′ such that

𝑒 = 𝑒′ς𝑗 𝐼Δ 𝑧𝑗

• Independent of batch size,

linear in storage size.

• Machine info:
• 48 logical cores
• 132GB memory

220 220

Future Directions

• Better investigation of concrete prover costs
• Integration with the proof system
• Direct support for range-proofs (𝑨 < 232)
• Arithmetic circuits over ℤ/𝑞𝑟ℤ (crazy?)
• Managing non-proof prover costs
• Multi-tiered accumulators?
• Hybrid RSA-Merkle accumulators?

Summary

Techniques

• Multiprecision arithmetic
• Division-intractable hashing
• Hashing to prime numbers
• Semantics of dependent

accesses

Conclusions Research Question

Do RSA accumulators use fewer constraints than Merkle Trees?

Implementation: github.com/alex-ozdemir/bellman-bignat Paper: ia.cr/2019/1494