Presentation on theme: "New Publicly Verifiable Databases with Efficient Updates"— Presentation transcript:
1New Publicly Verifiable Databases with Efficient Updates Xiaofeng ChenVirginiatech
2Agenda Outsourcing Computation Verifiable Computation Verifiable Database with Updates (VDB)New Construction for VDBFuture Work
31. Outsourcing Computation You want to eat a fish = You need to be a fisherman (NEVER!)Cloud computing facilitates Outsourcing computation.Outsourcing computation paradigm:the clients with resource-constraint devices can outsource the heavy computation workloads into the cloud server.Outsourcing computation also suffers from some new security challenges.
5Security model Who is the adversary: the untrusted server(s) Honest but curiousLazy but honestOne-malicious of two untrusted programRefereed delegation of computationFully malicious (dishonest, curious, lazy…)- strongest
6How to achieve ? Secrecy：encryption (partial solution)+ blinding Blinding can preserve some inherent property of operations.It requires different logic division and blinding techniques.FHE is inefficient for real-world applications.Xgx mod pmencrypt (k)chx mod pgx mod pmblind (blind factor)c(mg)x mod p
7How to achieve ?Checkability (verifiability)：how to verify the result of a malicious server?Some programming errorIntentionally send a computational indistinguishable (random) result due to financial reasons
8How to achieve ? Three kinds of Checkability (verifiability)： Inversion of one–way function problems:F: given y=f(x), compute x, where f is a one-way function.Verification is trivial: verification is just compute f(x)=? y
9f(x)_1 = ? f(x)_2 (This is a probabilistic algorithm!) How to achieve ?Three kinds of Checkability (verifiability)：Multiple (non-colluding) servers :given the test queries to (at least two) servers, verification is trivial and equals to check whether the two outputs are equal?f(x)_1 = ? f(x)_2 (This is a probabilistic algorithm!)Note: This idea is a little similar to prisoner's dilemma in game theory.
10How to achieve ? Checkability (verifiability)： One malicious server: verifiable computationThe server needs to provide some auxiliary proof to support result verification.It requires different kinds of knowledge proof techniques.
11How to achieve ? Efficiency：verification must be efficient The (non-interactive) proof verification is efficient (esp. the 3rd case)Computational resources, Storage resources, Communication resources, etc.The verification requires less resources than the computation task itself!!
12Research statusTheoretical community: scientific computation such as matrix multiplications (inversion), quadrature, linear equations (programming), sequence comparisons ……Cryptographic community: wallet with observers, bilinear pairing,modular exponentiations, OABE, OABS, inversion one-way function ……Verifiable computation: will be given later
132. Verifiable Computation A protocol between client and the untrusted server;C: a function and some input ; S: outputs and some proof;It mainly focus on the 3rd case of outsourcing computationsThough C is resources-constrained, it is allowed to perform one-time expensive setup phase (offline; pre-computation)
15Security propertiesCorrect: the value and proof generated by the honest server can be always verified successfully and accepted by the client.honest server results in valid result and proofSecure: a malicious server cannot convince a verifier to accept an invalid outputdishonest server results in invalid result and proofEfficient: the verification should not be involved in plenty of expensive resources (computation, storage, communication)For real-world applicationsThree properties of ZKP:Completeness: if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover.Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability.Zero-knowledge: if the statement is true, no cheating verifier learns anything other than this fact.
16State-of-the-art research Gennaro et al. firstly introduce and formalize the notion of verifiable computing. Crypto 10This work is suitable for any function (will be encoded by Boolean circuit)Theoretically, no more research work is needed (totally solved!).FHE is a building block! Inefficient for practical applications.
17State-of-the-art research Specific problems require specific trick to design efficient schemes.VC for very large datasets Crypto 11Memory delegation Crypto 11VC for large polynomials and matrix computations CCS 12VC for multi-function TCC 12VC for quadratic polynomials CCS 13Making argument systems for outsourced computation practical NDSS 12Taking proof-based verified computation a few steps closer to practicality USENIX 12…..
183. Verifiable Database with Updates (VDB) A special kind of verifiable computing (storage)Benabbas et al. proposed the notion of VDBVerifiable delegation of computation over large datasets (Crypto 11)x vx, v’x ; v’x ; vDatabaseClientServer
19Static Database x ; v; Sig (v) x v, Sig (v) Client Server Sig (v) can not be forged!!
20Dynamic (Updated) Database x ; v; Sig (v)x v, Sig (v)ClientServerHow to revoke the signature for previous value?The client have to keep track of every change locally.Why outsourcing?
21Verifiable Database with Updates How to design efficient VDB?Previous works requires either some non-constant size assumptions or expensive operations;q-Strong Diffie-Hellman assumption
22Verifiable Database with Updates Why standard assumption is good?IF related ones: IF ; RSA; Strong-RSA; ……DL related ones: DL; CDH; DDH; ……Bilinear pairings related ones ……
23Benabbas-Gennaro-Vahlis Construction BGV construction is the first practical solution in the bilinear groups with composite order (Crypto 11);The solution is based on verifiable delegation of polynomials (subgroup membership assumption);It cannot support public verifiability;
24Catalano-Fiore Construction The second practical construction (PKC 2013)；It is based on a primitive called vector commitment;The specific constructions based on standard assumptions;Compare with BGV construction, it only uses the bilinear groups with prime order;It can support public verifiabilityThe private key of client is not involved in the updating; Surprising it is empty!It is good or bad?
25Open Verification Algorithm CommitmentHiding: A computationally bounded receiver learns nothing about m.Binding: it can only be “opened” to the value m.mCommitPhaseSenderReceiverOpenPhasemSenderr, mReceiverr, mOpen Verification Algorithmyes/no
26Commitment Commitment is one of primitive in cryptography; One building block to design ZKP, authentication, financial cryptographic protocols etc.; ……Some variants of commitment (additional properties);Trapdoor (chameleon) commitment : chameleon signatures (NDSS 2000), online-offline signatures (Crypto 2001), fair exchange protocols, ……Mercurial commitment: ZKS (how to proof whether an element x is in a set or not; FOCS 2003)Multi-trapdoor commitment; Timed commitment, Non-malleable commitment, …..
27Vector Commitment Commit a vector message (m1,m2, …., mq); Position binding: should not open the commitment to two different values at the same position.Hiding can be achieved by composing a standard commitment scheme with any vector commitment scheme that does not satisfy hiding. (Not concerned in VDB)
284. New Construction for VDB Our main contributionCatalano-Fiore Construction may suffer from the Forward Automatic Update (FAU) attack;Propose a new framework that is public verifiable and secure against FAU attack;Present a concrete construction based on Squ-CDH assumption (equals to CDH assumption)
29FAU attackThe adversary (just as the real client) can update the database in a forward and automatic manner;Forward means that the updating is based on the latest database (new update!).We also defined Backward Substitute Update attackAutomatic means that the updating can be performed at any time and any steps.V 1V L+1V 0V iV L
30Why it suffers from FAU attack The secret key in Catalano-Fiore Construction is not involved in the updating.More precise, the secret key of client is empty .Why?In crypto 11 construction, secret key is used for updating and verification (thus private verifiability);Guess: no private key, verification is performed only using the public key? Thus support public verifiability.Anyone can update the database (especially the server)!
32Paradox Using SK: cannot support public verifiability Not Using SK: cannot resist FAU attackHow to solve this paradox?SK must be used in update；Signature can be used but not enough (needs revoke?)
33Some Notations Database: (i, vi) ; C is a vector commitment on database values vi ;C(0) , C(1), ……C(T) denotes the update of the database;
34Recursion definition for PK Our Main IdeaCommitment binding technique: (After T times update )it is difficult to forge a new BLS signature!Public key(last time)bindingPublic key (current)BLS signatureDatabase(current)CounterRecursion definition for PK
35Our Main Idea Commitment binding technique: (After T times update ) The definition for T = 0 (setup phase):This results in a general construction for VDB
36Our Main IdeaThe proof consists of the (BLS) signature of the client and opening of the vector commitment;Both of them can be verified (only) with the public key;The update requires the secret key of the client.No forward automatic update by the adversaryThe client needs not store the changes locally or revoke the signature
37A concrete VDB construction It is based on the following specific vector commitment;We proved that it satisfies the security properties under the Squ-CDH assumption;The construction is efficient since it is independent of the size of the database ;It provides the first efficient VDB scheme that is both public verifiable and secure against FAU attack;
385. Future WorksNeeds more simulation result… (though Crypto 11 and PKC 13 papers never provide the experimental results)For different update (delete, insert, or else…)Support more index update in a step? It seems okay, need more deep thought….Incremental update….