Presentation is loading. Please wait.

Presentation is loading. Please wait.

From Secrecy to Soundness: Efficient Verification via Secure Computation Benny Applebaum Weizmann Yuval Ishai Technion/UCLA Eyal KushilevitzTechnion.

Similar presentations


Presentation on theme: "From Secrecy to Soundness: Efficient Verification via Secure Computation Benny Applebaum Weizmann Yuval Ishai Technion/UCLA Eyal KushilevitzTechnion."— Presentation transcript:

1 From Secrecy to Soundness: Efficient Verification via Secure Computation Benny Applebaum Weizmann Yuval Ishai Technion/UCLA Eyal KushilevitzTechnion

2 Delegating Computation computationally weak Input: x Goal: compute y=f(x) x Client Provider y=f(x) y

3 Delegating Computation computationally weak Input: x Goal: compute y=f(x) x Client Provider y  f(x) y Verifiable Computation: Client detects cheating Correctable Computation: Client corrects “random” errors  y=f(x)

4 Verifiable/Correctable Computation Old problem - Interactive proofs [Bab,GMR85], program checking [BK89,BLR90,Lip91] New motivation - Weak devices are common (e.g., smart phones, netbooks) - Strong servers are available (e.g., cloud computing, - Relevant for functions in poly-time General framework with many variants - Complexity of the client, provider, adversary, interaction,… - Many works [Micali94, GGHKR07/8, GKR08, GGP10,CKV10,…]

5 Our Contribution New generic approach: verifiable/correctable computation from secure multiparty computation (MPC) Get soundness from secrecy Applications of generic approach: - New VC/CVC protocols - Simplification & generalization of old protocols

6 Plan Formal definitions Techniques (only for VC) - Classical approach - Our approach Applications Correctable Computation

7 Verifiable Computation (VC) x Client Honest Provider output Correctness: If P is honest:  x, output=f(x) y z=P(y) VC for f

8 Verifiable Computation (VC) x Client Cheating Provider  Correctness: If P is honest:  x, output=f(x) Soundness:  cheating P*,  x Pr[output  {f(x),  }]> 1-2 -t y z  P(y) VC for f

9 Plan Formal definitions Techniques (only for VC) - Classical approach - Our approach Applications Correctable Computation

10 Secrecy  Soundness: The classical way

11 Tools: 1. Random self-reducibility: - randomization: h  random h ’ - recovery: Given DLOG(h ’ )  DLOG(h) Secrecy  Soundness: The classical way h Client Provider VC for DLOG [BLR] Given h find e s.t g e =h taken from cyclic group G with generator g = h  g r where r is random = DLOG(h ’ ) - r 

12 Tools: 1. Random self-reducibility 2. Generate Random Solved Instance: (g s,s) where s is random Secrecy  Soundness: The classical way h Client Provider VC for DLOG [BLR] Given h find e s.t g e =h taken from cyclic group G with generator g

13 Soundness: If pair is randomly permuted then cheater is detected w.p ½. Amplify soundness via parallel repetition Secrecy  Soundness: The classical way h Client Provider VC for DLOG [BLR] hgrhgr (a, b)=DLOG(h  g r, g s ) Given h find e s.t g e =h If b  s output  ; otherwise, output a-r. gsgs (, )

14 Soundness: If pair is randomly permuted then cheater is detected w.p ½. Amplify soundness via parallel repetition Secrecy  Soundness: The classical way h Client Provider VC for DLOG [BLR] If “dummies” are consistent then recover real Solved Instances Rerandomization

15 Soundness: If pair is randomly permuted then cheater is detected w.p ½. Amplify soundness via parallel repetition Generally: Random-Self-Reducibility+ Solved Instance Generator (SIG) More Generally: Instance Hiding Protocol + SIG Specific instantiations used by [BLR90,Feig93,GGHKR07,08,CKV10] Secrecy  Soundness: The classical way h Client Provider VC for DLOG [BLR] If “dummies” are consistent then recover real Solved Instances Rerandomization

16 Our Approach

17 Tool 1: Randomized Encoding x Client Provider Goal: Provider should learn f(x) without learning x Non-Trivial if Client is too weak to compute f(x) a f(x)

18 Tool 1: Randomized Encoding x Client Provider Randomized Encoding [IK00] Dec(a)=f(x) The distribution of a=g(x;r) ”encodes” f(x) Correctness: there exists a decoder Dec s.t Dec(a)=f(x) Secrecy: The distribution of a depends only on f(x) - There exists a simulator Sim s.t Sim(f(x))  a a=g(x;r) f(x) g(x;r)

19 Tool 1: Randomized Encoding x Client Provider Randomized Encoding [IK00] Dec(a)=f(x) The distribution of a=g(x;r) ”encodes” f(x) [IK00] RE useful tool for secure multiparty computation Many MPC protocols implicitly/explicitly give RE a=g(x;r) f(x) g(x;r)

20 Tool 2: Message Authentication Code Signer Forger Goal: new pair (w, MAC k (w)) MAC: (key k, message y)  signature MAC k (y) 1-time security: given (y,MAC k (y)) can’t forge new pair E.g., pair-wise independent hash function MAC k (y) y MAC k

21 RE+MAC  VC x Client Provider a=f(x), b=Dec(g(x,k;r)( If b=MAC k (a) output a x, g(x,k;r) Idea: Ask P to compute f(x) + signature MAC k (f(x)) and verify consistency P should not know the key k ! Define the the mapping (x,k)  MAC k (f(x)) Let g(x,k;r) be an RE of this mapping Choose k Encodes MAC k (f(x))

22 RE+MAC  VC x Client Provider a=f(x), b=Dec(g(x,k;r)( If b=MAC k (a) output a x, g(x,k;r) Correctness: follows from correctness of RE Soundness: If P is able to cheat then can forge the MAC Choose k Encodes MAC k (f(x))

23 RE+MAC  VC x Client Provider a  f(x), b=MAC k (a) If b=MAC k (a) output a x, g(x,k;r) Encodes MAC k (f(x)) Correctness: follows from correctness of RE Soundness: If P is able to cheat then can forge the MAC

24 MAC k (y) Encodes MAC k (f(x)) RE+MAC  VC x, y=f(x), Provider a  f(x), b=MAC k (a) (a,b) x, g(x,k;r) Sim(MAC k (y)) x MAC k Correctness: follows from correctness of RE Soundness: If P is able to cheat then can forge the MAC

25 Our Approach vs. Classical Approach f(x), MAC k (f(x)) Compute MAC x, RE(MAC(f(x)) Secrecy: used to hide MAC’s key Efficiency: Good soundness at low cost Requirements: - Pro: doesn’t need SIG -Con: RE is “harder” to achieve than IH Compare t values IH SIG IH… Secrecy: used to hide inputs Efficiency: Big overhead - 2 -t soundness requires t repetitions Requirements: -Con: SIG may be hard to get [G+08] - Pro: IH is quite liberal

26 Applications

27 Application 1: VC for Arithmetic Computation First VC for Arithmetic computation –f:F n  F where F is field/ring –f represented as an arithmetic branching program –Previous works: Convert to Boolean circuit  expensive ! –Our protocol: treats F as a black-box

28 Application 2: VC for Boolean Circuits Thm.  VC for any Boolean circuit C:{0,1} n  {0,1} m soundness error negl(t) where t is security parameter offline complexity |C|t online complexity nt+m |C|t nt+mt [GGP] This work |C|t (only computation) nt+mt [CKV] output offline y z x

29 Correctable Computation

30 Correctable Verifiable Computation (CVC) x Client Buggy Provider output Correctness+ Soundness + Correctability: If P* is usually correct  Client does well on all inputs i.e., Pr[P*(Y)=P(Y)]> 2/3   x Pr[output  =f(x)]> 0.99 y z  P(y) whp CVC for f If P=f then CVC is program corrector [BLR90]

31 Correctable Verifiable Computation (CVC) x Client Buggy Provider output Correctness+ Soundness + Correctability: If P* is usually correct  Client does well on all inputs [BLR90] Program correction: 1/3-faulty program  BPP-program y z  P(y) whp CVC for f

32 Correctable Verifiable Computation (CVC) x Client Buggy Provider output Classical Approach for CVC from IH+SIG In some cases SIG is a bottleneck We use RE+one-time pad to get rid of SIG(See paper) y z  P(y) whp CVC for f If P=f then CVC is program tester/corrector [BLR90]

33 Parallel Program Verification/Correction Q: What is the parallel-complexity of verification/correction? input output NC 0 constant-depth circuits bounded fan-in AC 0 constant-depth circuits unbounded fan-in ANDs Verification Correction Many non-trivial functions [Rubinfeld96] Any L complete for NC 1, LOG-SPACE [GGHKR07] Any L complete for NC 1, LOG-SPACE [GGHKR07] Any L complete for NC 1, LOG-SPACE This work non-adaptively O(1) queries non-adaptively

34 Conclusion New modular approach for VC/CVC Leads to simplifications, generalizations and improvements More applications? Combine with PCP based approaches? Construct practical protocols for specific tasks Future Directions Thank you!


Download ppt "From Secrecy to Soundness: Efficient Verification via Secure Computation Benny Applebaum Weizmann Yuval Ishai Technion/UCLA Eyal KushilevitzTechnion."

Similar presentations


Ads by Google