New Publicly Verifiable Databases with Efficient Updates. Xiaofeng Chen, Virginia Tech
Agenda: 1. Outsourcing Computation; 2. Verifiable Computation; 3. Verifiable Database with Updates (VDB); 4. New Construction for VDB; 5. Future Work
1. Outsourcing Computation. You want to eat a fish = you need to be a fisherman (NEVER!). Cloud computing facilitates outsourcing computation. Outsourcing computation paradigm: – clients with resource-constrained devices can outsource their heavy computation workloads to the cloud server. Outsourcing computation also brings some new security challenges.
Outsourcing Computation Architecture
Security model. Who is the adversary: the untrusted server(s). – Honest but curious – Lazy but honest – One malicious out of two untrusted programs – Refereed delegation of computation – Fully malicious (dishonest, curious, lazy, …): the strongest model.
How to achieve? Secrecy: encryption (a partial solution) + blinding. – Blinding can preserve some inherent property of the operation (in the figure's example, exponentiation is multiplicative: (mg)^x = m^x · g^x mod p). – It requires a different logic division and blinding technique for each operation. – FHE is inefficient for real-world applications. [Figure: two client-side transformations of m: encryption of m to c under key k, and blinding of m with a blind factor g; the outsourced exponentiations shown are g^x mod p, h^x mod p and (mg)^x mod p.]
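As an added illustration of the blinding idea on this slide (example code, not from the presentation), the Go program below outsources m^x mod p while hiding m: the client multiplies m by a random g, the server exponentiates c = mg, and the client divides out g^x. The server functions, the prime size and the assumption that g^x is available from an offline precomputation are this example's own choices. It also shows that blinding gives secrecy but not checkability: a lazy server returning a constant is not detected, which is the problem the following slides address.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Constructed example: outsourcing m^x mod p while hiding the base m by
// multiplicative blinding. Because exponentiation is multiplicative,
// (m*g)^x = m^x * g^x (mod p), so the server never sees m and the client
// recovers m^x by dividing out g^x.

// serverExp is the untrusted server's job: a plain modular exponentiation.
func serverExp(base, exp, p *big.Int) *big.Int {
	return new(big.Int).Exp(base, exp, p)
}

// lazyServer models a server that skips the work and returns a fixed value
// (the "computationally indistinguishable result" of the next slide).
func lazyServer(base, exp, p *big.Int) *big.Int {
	return big.NewInt(1)
}

// blindedExp is the client side. It picks a fresh blinding factor g,
// sends c = m*g mod p to the server and strips g^x from the reply.
// Assumption: g^x mod p is available to the client cheaply, e.g. from an
// offline precomputed table of (g, g^x) pairs; here it is computed inline
// so that the example runs stand-alone.
func blindedExp(m, x, p *big.Int, server func(base, exp, p *big.Int) *big.Int) (*big.Int, error) {
	one := big.NewInt(1)
	pMinus1 := new(big.Int).Sub(p, one)
	g, err := rand.Int(rand.Reader, pMinus1) // g in [0, p-2]
	if err != nil {
		return nil, err
	}
	g.Add(g, one) // g in [1, p-1], hence invertible mod the prime p
	gx := new(big.Int).Exp(g, x, p)

	c := new(big.Int).Mul(m, g)
	c.Mod(c, p) // blinded base: the server sees c, not m

	reply := server(c, x, p) // expected to be (m*g)^x mod p

	inv := new(big.Int).ModInverse(gx, p)
	if inv == nil {
		return nil, fmt.Errorf("g^x has no inverse mod p")
	}
	res := new(big.Int).Mul(reply, inv)
	return res.Mod(res, p), nil
}

func main() {
	p, _ := rand.Prime(rand.Reader, 256)
	m, _ := rand.Int(rand.Reader, p)
	x, _ := rand.Int(rand.Reader, p)
	got, _ := blindedExp(m, x, p, serverExp)
	fmt.Println("blinded result correct:", got.Cmp(serverExp(m, x, p)) == 0)
	// Blinding gives secrecy only: the wrong answer below goes undetected.
	lazy, _ := blindedExp(m, x, p, lazyServer)
	fmt.Println("lazy server result correct:", lazy.Cmp(serverExp(m, x, p)) == 0)
}
```

The only values the server ever receives are c, x and p, so this example hides the base; hiding the exponent as well would need a different blinding of x, which the slide's "different logic division" remark refers to.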
How to achieve? Checkability (verifiability): how to verify the result from a malicious server? A wrong result may come from – a programming error, or – an intentionally returned, computationally indistinguishable (random) result, for financial reasons.
How to achieve? Three kinds of checkability (verifiability): – Inversion of one-way function problems: F: given y = f(x), compute x, where f is a one-way function. Verification is trivial: just compute f(x) and check whether f(x) = y.
How to achieve? Three kinds of checkability (verifiability): – Multiple (non-colluding) servers: send the same test queries to (at least two) servers; verification is trivial and amounts to checking whether the two outputs are equal: f(x)_1 =? f(x)_2. (This is a probabilistic algorithm!) Note: this idea is somewhat similar to the prisoner's dilemma in game theory.
How to achieve? Checkability (verifiability): – One malicious server: verifiable computation. The server must provide some auxiliary proof to support verification of the result. This requires different kinds of knowledge-proof techniques.
How to achieve? Efficiency: verification must be efficient. – The (non-interactive) proof verification is efficient (especially in the 3rd case). – Computational resources, storage resources, communication resources, etc. – The verification must require fewer resources than the computation task itself!!
Research status. Theoretical community: scientific computation such as matrix multiplication (inversion), quadrature, linear equations (programming), sequence comparisons, … Cryptographic community: wallets with observers, bilinear pairings, modular exponentiations, OABE, OABS, inversion of one-way functions, … – Verifiable computation: will be given later.
2. Verifiable Computation. A protocol between a client C and an untrusted server S; – C: a function and some input; S: outputs and some proof; – It mainly focuses on the 3rd case of outsourcing computation (one malicious server); – Though C is resource-constrained, it is allowed to perform a one-time expensive setup phase (offline; pre-computation).
Security properties. Correct: the value and proof generated by an honest server can always be verified successfully and are accepted by the client. – An honest server produces a valid result and proof. Secure: a malicious server cannot convince a verifier to accept an invalid output. – An invalid result and proof from a dishonest server is rejected. Efficient: verification should not involve plenty of expensive resources (computation, storage, communication). – Needed for real-world applications. Compare the three properties of ZKP: Completeness: if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover. Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability. Zero-knowledge: if the statement is true, no cheating verifier learns anything other than this fact.
State-of-the-art research. Gennaro et al. first introduced and formalized the notion of verifiable computing (Crypto 10). This work is suitable for any function (encoded as a Boolean circuit). Theoretically, no more research work is needed (totally solved!). But FHE is a building block, so it is inefficient for practical applications.
State-of-the-art research. Specific problems require specific tricks to design efficient schemes. – VC for very large datasets (Crypto 11) – Memory delegation (Crypto 11) – VC for large polynomials and matrix computations (CCS 12) – VC for multi-function (TCC 12) – VC for quadratic polynomials (CCS 13) – Making argument systems for outsourced computation practical (NDSS 12) – Taking proof-based verified computation a few steps closer to practicality (USENIX 12) – …
3. Verifiable Database with Updates (VDB). A special kind of verifiable computing (storage). Benabbas et al. proposed the notion of VDB – Verifiable delegation of computation over large datasets (Crypto 11). [Figure: the client outsources the database to the server; a query for index x returns the value v; an update replaces the record (x; v) with (x; v').]
Static Database. [Figure: the client stores (x; v; Sig(v)) at the server; a query for x returns v together with Sig(v).] Sig(v) cannot be forged!!
Dynamic (Updated) Database. [Figure: the same setup, (x; v; Sig(v)) stored at the server and v, Sig(v) returned on a query.] How to revoke the signature on the previous value? The client would have to keep track of every change locally. Then why outsource at all?
Verifiable Database with Updates. How to design an efficient VDB? Previous works require either non-constant-size assumptions or expensive operations; – e.g. the q-Strong Diffie-Hellman assumption.
Verifiable Database with Updates. Why are standard assumptions good? – IF-related ones: IF; RSA; Strong-RSA; … – DL-related ones: DL; CDH; DDH; … » Bilinear-pairing-related ones …
Benabbas-Gennaro-Vahlis Construction. The BGV construction is the first practical solution, in bilinear groups of composite order (Crypto 11); The solution is based on verifiable delegation of polynomials (subgroup membership assumption); It cannot support public verifiability.
Catalano-Fiore Construction. The second practical construction (PKC 2013); It is based on a primitive called vector commitment; The specific constructions are based on standard assumptions; Compared with the BGV construction, it only uses bilinear groups of prime order; It supports public verifiability – The private key of the client is not involved in updating; surprisingly, it is empty! – Is that good or bad?
Commitment. – Hiding: a computationally bounded receiver learns nothing about m. – Binding: the commitment can only be “opened” to the value m. [Figure: Commit phase: the sender commits to m and sends the commitment to the receiver. Open phase: the sender reveals (r, m) and the receiver runs the open verification algorithm on (r, m), which outputs yes/no.]
Commitment. Commitment is one of the basic primitives in cryptography; it is a building block for designing ZKP, authentication, financial cryptographic protocols, etc. Some variants of commitment (with additional properties): – Trapdoor (chameleon) commitment: chameleon signatures (NDSS 2000), online/offline signatures (Crypto 2001), fair exchange protocols, … – Mercurial commitment: ZKS (how to prove whether an element x is in a set or not; FOCS 2003) – Multi-trapdoor commitment; timed commitment, non-malleable commitment, …
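A minimal hash-based commitment, added here as a worked example of the commit phase, the open phase and the receiver's yes/no verification algorithm from the previous slide (example code, not from the presentation). SHA-256 with a 32-byte random r is this example's own choice of instantiation, and the names Commit, Open and commitWith are its own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Constructed example: a hash-based commitment C = SHA-256(len(r) || r || m).
// Commit phase: the sender publishes C. Open phase: the sender reveals (r, m)
// and the receiver runs the open-verification algorithm, which answers yes/no.

// commitWith recomputes the commitment from the opening (r, m).
// The length prefix keeps r||m unambiguous, so an opening cannot shift bytes
// between r and m to claim a different message for the same C.
func commitWith(r, m []byte) []byte {
	h := sha256.New()
	h.Write([]byte{byte(len(r))})
	h.Write(r)
	h.Write(m)
	return h.Sum(nil)
}

// Commit picks a fresh 32-byte r and returns (C, r). The random r is what
// makes the commitment hiding: without it, a receiver could hash every
// candidate m from a small message space and recognise C.
func Commit(m []byte) (c, r []byte, err error) {
	r = make([]byte, 32)
	if _, err = rand.Read(r); err != nil {
		return nil, nil, err
	}
	return commitWith(r, m), r, nil
}

// Open is the receiver's verification algorithm. Binding rests on SHA-256
// collision resistance: a sender cannot find (r', m') != (r, m) with the same C.
func Open(c, r, m []byte) bool {
	return subtle.ConstantTimeCompare(c, commitWith(r, m)) == 1
}
```

Two commitments to the same m differ because r is fresh each time, which is the hiding property in action; the binding property is what the vector commitment on the next slide strengthens to per-position binding.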
Vector Commitment. Commit to a vector of messages (m1, m2, …, mq); Position binding: one should not be able to open the commitment to two different values at the same position. Hiding can be achieved by composing a standard commitment scheme with any vector commitment scheme that does not satisfy hiding. (Hiding is not of concern in VDB.)
4. New Construction for VDB. Our main contributions: – The Catalano-Fiore construction may suffer from the Forward Automatic Update (FAU) attack; – We propose a new framework that is publicly verifiable and secure against the FAU attack; – We present a concrete construction based on the Squ-CDH assumption (equivalent to the CDH assumption).
FAU attack. The adversary (just like the real client) can update the database in a forward and automatic manner; Forward means that the update is based on the latest database (a new update!). – We also define the Backward Substitute Update attack. Automatic means that the update can be performed at any time and for any number of steps. [Figure: the chain of database versions V_0, V_1, …, V_i, …, V_L, V_{L+1}.]
Why it suffers from the FAU attack. The secret key in the Catalano-Fiore construction is not involved in updating. – More precisely, the secret key of the client is empty. Why? – In the Crypto 11 construction, the secret key is used for updating and verification (thus only private verifiability); – Guess: with no private key, verification is performed using only the public key, thus supporting public verifiability. – But then anyone can update the database (especially the server)!
Paradox. Using SK: cannot support public verifiability. Not using SK: cannot resist the FAU attack. How to solve this paradox? – SK must be used in the update; – A signature can be used, but is not enough by itself (needs revocation?)
Some Notations. Database: (i, v_i); C is a vector commitment on the database values v_i; C^(0), C^(1), …, C^(T) denote the successive updates of the database;
Our Main Idea. Commitment binding technique (after T updates): – it is difficult to forge a new BLS signature! [Figure labels: BLS signature; counter binding; database (current); public key (last time); public key (current).]
Our Main Idea. Commitment binding technique (after T updates). The definition for T = 0 (setup phase): This results in a general construction for VDB.
Our Main Idea. The proof consists of the client's (BLS) signature and the opening of the vector commitment; – Both of them can be verified with (only) the public key; The update requires the client's secret key. – No forward automatic update by the adversary. The client need not store the changes locally or revoke the signature.
A concrete VDB construction. It is based on the following specific vector commitment; We prove that it satisfies the security properties under the Squ-CDH assumption; The construction is efficient since its cost is independent of the size of the database; It provides the first efficient VDB scheme that is both publicly verifiable and secure against the FAU attack.
5. Future Work. More simulation results are needed (though the Crypto 11 and PKC 13 papers never provide experimental results). Different kinds of update (delete, insert, or else …). Support updating more than one index in a single step? It seems okay, but needs deeper thought. Incremental update …