Verifiable Set Operations over Outsourced Databases
Ran Canetti
Boston University & Tel Aviv University
Omer Paneth
Boston University
Nikos Triandopoulos
RSA Laboratories & Boston University
Dimitris Papadopoulos
Boston University
“weak” devices
→ asymmetric computational environment
Did you do it correctly?
computation result
Big Data
x, f
y = f(x), Π
Verify(x,f,y,Π) = accept/reject
Soundness: Verify accepts with negligible probability if y ≠ f(x)
Efficiency: Verification should be faster than computation
–
[Bitansky,Canetti,Chiesa,Tromer'13]
f
Setup(sk,f) =
f f
x1 y = f(x1 ), Π xi y = f(xi ), Π
dataset D
Setup(sk,D) = auth(D)
D, auth(D)
digest d
query Q
y = Q(D), Π
– memory delegation [Chung,Kalai,Liu,Raz'11]
– outsourced datasets [Backes,Fiore,Reischuk'13]
– authenticated data structures [Nissim,Naor'98][Tamassia'03]
– fix function / fix data
– handle updates efficiently
Gen($) → sk,pk
Prove and Verify using pk
Provides oracle access to Setup and Update
pk
D0 auth(D0)
update u1 auth(D0, u1)
update ut auth(Dt-1, ut)
Finally: {Di, auth(Di), d, Q, A*, Π} for 0 ≤ i ≤ t
Adv wins if A* is not the correct answer but Verify accepts
(in this model and others)
[Micali'00], [Ishai,Kushilevitz,Ostrovsky'08], [Goldwasser,Kalai,Rothblum'08], [Applebaum,Ishai,Kushilevitz'10], [Gennaro,Gentry,Parno'10], [Chung,Kalai,Vadhan'10], [Canetti,Riva,Rothblum'11], [Gennaro,Gentry,Parno,Raykova'13], [Bitansky,Canetti,Chiesa,Tromer'13], ...
[Cormode,Mitzenmacher,Thaler'12], [Setty,Braun,Vu,Blumberg,Parno,Walfish'13], [Parno,Gentry,Howell,Raykova'13], [Ben-Sasson,Chiesa,Genkin,Tromer,Virza'13], ...
– non-interactive
– general (i.e. for any language in NP)
– verification cost O(|input| + |output|)
– O(1) proof size
– poly-log overhead for proof computation
– server's cost prohibitive for general functions
– reduce concrete functions to circuit problems
– not determined by “largest” query
Recent works explore alternative models
–
[Goldwasser,Kalai,Popa,Vaikuntanathan,Zeldovich'13]
–
[Gentry,Halevi,Raykova,Wichs'14]
– exploit algebraic structure for practical solutions
– existing works [Papamanthou,Tamassia,Triandopoulos'11] ...
Nested Intersections, Unions and Set Differences
– A rich class of SQL queries
– Keyword search
– Similarity Measurements (e.g. Jaccard distance)
– Set Membership
X1 ,...,Xm with elements from Zp
length formulas of nested intersections, unions, and set differences
∪ (X8 ∩ X5 )) ∩ (X1 \ X9 ))
insertion and deletion
[Figure: example query tree over sets X1, ..., X6 with ∩, ∪ and \ nodes]
– query-specific proof-construction cost
– efficient non-interactive updates
– circuit-independent
– public verifiability
– concrete complexity analysis
– client's pre-processing cost → O(|D|)
– verification time O(|Q| + |A|)
– proof size O(|Q|)
– proof construction O(N)
– O(1) operations for client and server
independent of cardinalities of
[Figure: query tree over sets X1, ..., X6 with ∩ and ∪ nodes]
Verification cost and proof size should be oblivious to the set cardinalities (except for answer set)
Note: Circle size denotes set cardinality
– construction for a single set operation based
[Figure: query tree over sets X1, ..., X6 with ∩ and ∪ nodes, labelled I1,Π1; I2,Π2; U1,Π3; U2,Π4; Answer A,Π5]
Π = { (I1,Π1), (I2,Π2), (U1,Π3), (U2,Π4), (A,Π5) }
– construct adversary for a single operation
[Figure: query tree over sets X1, ..., X6 and Y with ∩ and ∪ nodes; a single ∩ node is labelled with inputs A, B and output C]
Π = { Π1, Π2, ..., Πn }
honest input A,B, cheating output C and proof Πi
– even the adversary may not know!
– For any convincing (cheating) prover
∃ extractor that outputs witness
Exponent assumption [Groth'10]
– only two additional group elements on Πi
– “accumulators with knowledge”
– numerous general solutions in literature
– asymptotically excellent but not practical for general deployment yet (continuous improvements though... [SBV+'12],[PGHR'13],[BCGTV'13], etc.)
– sacrifice generality for practicality
– constant-size proofs
– extends the Quadratic Span Program framework
– server cost ~30x smaller than [PGHR'13]