Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 9: Integrity on untrusted platforms: Proof-Carrying Data (cont.) Eran.

Published byAnnabelle Washington Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 9: Integrity on untrusted platforms: Proof-Carrying Data (cont.) Eran."— Presentation transcript:

1 1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 9: Integrity on untrusted platforms: Proof-Carrying Data (cont.) Eran Tromer

2 2 Recall our high-level goal Ensure properties of a distributed computation when parties are mutually untrusting, faulty, leaky & malicious.

3 3 Proof-Carrying Data [Chiesa Tromer 09] following Incrementally-Verifiable Computation [Valiant 08] yy y  F(x) z  G(y) Each party prepares a proof string for the next one. Each proof is: Tiny (polylogarithmic in party’s own computation). Efficiently verifiable by the next party. Alice Bob Carol x, F G y verify  z zz z z=G(y) and I got a valid proof that “y=F(x)” y=F(x)

4 4 C-compliance m1m1 m2m2 m3m3 m4m4 m5m5 m6m6 m7m7 m out System designer specifies his notion of correctness via a compliance predicate C(in,code,out) that must be locally fulfilled at every node. C code inout accept / reject (program, human inputs, randomness)

5 5 Constructing Proof-Carrying Data systems Technical background PCD construction Towards a PCD implementation

6 6 Technical background: proof systems

7 7 Theorems and NP proofs A theorem is a statement for which there exists a valid proof string (witness) w. Valid is defined by an efficient verification procedure that, on input the theorem and the (purported) proof string w, decided whether to accepts. This is just another interpretation of NP (equivalent to the classic “non-determinism based” definition). VP w 1 ∃ valid w V NP P NP

8 8 Probabilistically-Checkable Proofs (PCP) Relaxation: a prover outputs a proof string  such that, if the statement is false, the probabilistic verifier is unlikely to be convinced. Soundness: A probabilistic verifier can be much more efficient than the NP verifier. In fact, the verifier doesn’t need to read more than a few bits of  ! P PCP  1 Pr [ ] >2 - 1000 ∃ valid w V PCP

9 9 Proofs and Verification Complexity verifier cost proof length NP proofs exponential PCPs probabilistic verification polynomial exponential logarithmic

10 10 Proofs and Verification Complexity verifier cost proof length NP proofs polynomial PCPs exponential PCPs probabilistic verification special codes polynomial exponential logarithmic

11 11 Proofs and Verification Complexity verifier cost proof length NP proofs CS proofs polynomial PCPs exponential PCPs probabilistic verification special codes polynomial exponential logarithmic

12 12 Computationally-Sound proofs (CS-proofs / arguments) Further relaxation: care only about efficient (polynomial-time) provers. An inefficient prover could cheat the verifier, but this can be made arbitrarily hard by increasing a security parameter. Soundness: for all polynomial-time P: Analogy: information-theoretically-secure encryption (one-time pad), vs. computationally-secure encryption (AES). V CSP P CSP  1 Pr [ ] >2 -1000 ∃ valid w

13 13 Computationally-Sound Proofs / [Kilian 92][Micali 94] The prover produces a polynomially-long PCP proof. The verifier reads only a few randomly-chosen indices. Then why bother sending all of the PCP proof? … because if the prover knew what the verifier reads, he could easily fool the verifier. Idea: use Fiat-Shamir heuristic: –Prover writes down PCP proof  –Prover computes a Merkle hash tree of  ; let r be the root. –Prover use r as “randomness” to choose the indices. –Prover sends these indices to verifier, along with Merkle tree verification paths. –Verifier checks paths and then invokes PCP verifier.  r

14 14 Proofs and Verification Complexity verifier cost proof length NP proofs CS proofs polynomial PCPs exponential PCPs probabilistic verification Fiat-Shamir compression special codes polynomial exponential logarithmic

15 15 Proof of knowledge Proof systems may satisfy an additional property: proof of knowledge: any (possibly cheating) prover P that convinces the verifier of some theorem “knows” a valid witness w for the theorem. Formally captured by a knowledge extractor, an efficient procedure that, with suitable access to such P, extracts a witness: This is strictly stronger than soundness. We never run the knowledge extractor in reality. Its existence is used only in the security reduction.  1 P CSP knowledge extractor valid w Pr [ ] ≈1 V CSP P CSP

16 16 PCD construction: Proof aggregation intuition

17 17 Back to F and G The strings  y and  z are arguments (computationally sound proofs). zy  z for “ z=G(y) and I got a proof that “y=F(x)” ”  y for “y= F(x)” y  F(x) z  G(y) Alice Bob Carol verify  z

18 18 Proof aggregation Alice z y Bob Carol x GV P P VF zz yy y=F(x) z=G(y) and ∃  y : V(“y=F(x)”,  y )=1

19 19 Soundness vs. proof of knowledge Alice z y Bob Carol x GV P P Need proof of knowledge: VVP  1 PF knowledge extractor valid w Pr [ ] ≈1 y=F(x) Meaningless for arguments zz yy z=G(y) and ∃  y : V(“y=F(x)”,  y )=1 ` strong

20 20 Must use PCPs for compression Probabilistically Checkable Proofs (PCPs) used to generate concise proof strings. Alice z y Bob Carol PCP x GV P P VF zz yy (And there is evidence this is inherent [Rothblum Vadhan 09]. )

21 21 Must use oracles for non-interactive proof of knowledge Alice z y Bob Carol zz yy PCP x GV P P RO VF The only known construction of non-interactive proofs of knowledge is Micali’s, using Merkle trees where the “hashing” is done using random oracle calls.

22 22 PCP vs. oracles conflict PCP theorem does not relativize [Fortnow ‘94], not even with respect to a RO [Chang et al. ’92] this precluded a satisfying proof of security in [Valiant ‘08] Alice z y Bob Carol zz yy PCP x GV P P RO VF PCP V

23 23 The “trusted hardware” solution Every node has access to a simple, fixed, stateless trusted functionality -- essentially, a signature card. C m11m11 m22m22 m44m44 m55m55 m66m66 m77m77 m out  out m33m33 SIR Signed-Input-and-Randomness (SIR) oracle

24 24 SIR model Every node has access to a simple, fixed, trusted functionality -- essentially, a signature card. Signed-Input-and-Randomness (SIR) oracle x input string SIR SK r random string r ← {0,1} s  ← SIGN SK (x, r) s length  signature on (x,r) VK can derandomize: Generate r using PRF

25 25 SIR model and trust Assume that: trusted party generates the key pair (SK,VK) tells VK to each party gives O SK to each party Similar assumptions [Hofheinz Muller-Quade Unruh 05] ― model [Katz 07] [Moran Segev 08] [Chandran Sahai Goyal 08] ― technical approach to PoK [Damgard Nielsen Wichs 09]

26 26 Public-key crypto the rescue Oracle signs answers using public-key signature: answers are verifiable without accessing oracle asymmetry allows us to break “PCP vs. oracle” conflict, and recursively aggregate proofs Alice z y Bob Carol zz yy PCP F x GV P P O SK VK V SIR back

27 27 Model and trust Assume that: trusted party generates the key pair (SK,VK) gives O SK to each party, as black-box access (e.g., tamper-proof leak-proof device) tells VK to each party back

28 28 Construction sketches

29 29 Sketch of constructions Constructing APHAs (Assisted Prover Hearsay Arguments)Constructing APHAs (Assisted Prover Hearsay Arguments): Start with universal arguments [Micali] [Barak Goldreich ‘02] De-interactivize by replacing public-coin messages with oracle queries Add signature to statement to force witness query ( ≈ [Chandran et al. ‘08]) Prove a very strong PoK by leveraging the weak PoK of UA Generalizing to PCDGeneralizing to PCD: Handle distributed-computation DAG, using APHA for the proofs along each edge. C-compliance: use fixed aggregation rule to reason about arbitrary computation by proving statements of the form: C(in,code,out)=1 & “each input carries a valid APHA proof string” ≈ Fiat-Shamir heuristic

30 30 APHA Construction sketch

31 31 APHA systems Needed: Highly-compressing non-interactive arguments Proof-of-knowledge property that’s strong enough to prove hearsay: statements whose truth relies on previous arguments heard from others. In the assisted prover model. We call this Assisted Prover Hearsay Arguments (APHA). back

32 32 Universal arguments [Barak and Goldreich ‘02] UA prover UA verifier r2r2 r1r1 resp 1 resp 2 public coin: r 1 and r 2 are just random coins temporal dependence: r 2 is sent only after resp 1 is received Start with universal arguments: Efficient interactive arguments of knowledge with constant rounds and public coins. back

33 33 De-interactivize universal arguments: first try Prover interacts with random oracle, not with verifier: obtains random strings new prover random oracle new verifier random oracle UA prover UA verifier back

34 34 De-interactivize universal arguments Prover interacts with SIR oracle, not with verifier: obtains random signed strings temporal ordering enforced by having each oracle query include the preceding transcript almost- APHA prover SIR oracle almost- APHA verifier SIR oracle UA prover UA verifier ≈ Fiat-Shamir heuristic back

35 35 Enhance proof of knowledge Forces prover to get signature on witness Knowledge extractor finds witness by examining the queries  strong proof of knowledge APHA prover SIR oracle APHA verifier SIR oracle almost- APHA prover almost- APHA verifier SIR oracle SIR oracle get signature on the witness “x  L and  is a signature on a witness for x  L”  w cf. [Chandran Goyal Sahai 08] back

36 36 Can now do F and G example We can now do the above example!... how about proof-carrying data? Alice z y Bob Carol PCP x GV P P VF zz yy back

37 37 PCD Construction sketch back

38 38 PCD systems PCD systems are wrappers around APHA systems, with: –Simpler interface for applications (no need to reason about theorems and proofs) –Simpler proof-of-knowledge property (APHAs have a very technical “list extraction” definition) –C-compliance back

39 39 PCD definition At every node, a party uses the PCD prover P PCD : P PCD O sk z in1,  in1 z in2,  in2 C, VK  out Proofs are checked by the PCD verifier: V PCD (C, VK, z *,  ) decides if π is a convincing proof for z *. code z out back

40 40 PCD definition PCD systems satisfy efficient verifiability: TIME ( V PCD (C, VK, z, π) ) = polylog(time to make π) (actually, much better... ) completeness via a relatively efficient prover: if computation is C-compliant, then the proof output by prover convinces verifier. Moreover: TIME ( P PCD (...) ) = poly(time to check C) + polylog(time to generate inputs’ proofs) proof of knowledge: from any convincing prover, can extract a whole C-compliant computation back

41 41 Back to F and G Having APHA systems, we can already do the above example How to generalize to C-compliance? Alice z y Bob Carol πzπz πyπy PCP x GV P P VF back

42 42 Adding C-compliance Alice z y Bob Carol πzπz πyπy PCP F x GV P P CC “Export” the choice of computation to be an input to a “fixed rule of aggregation” V back

43 43 PCD Machine Alice z y Bob Carol πzπz πyπy PCP F x GV P P CC Such fixed rule we call the PCD machine, and it depends on C PCD machine V back

44 44 Implementation

45 45 PCP implementation stack: overview “natural” problem verifying properties of a polynomial in a finite field problem reduction Java program circuit solution to the problem execution trace solution reduction polynomial to be verified PCP prover PCP verifier PROOFPROOF Task 1: “PCP engine” Task 2: “reduction path” assignment

46 46 Does this work? Established: Formal framework Explicit construction –“Polynomial time” - not practically feasible (yet…) –Requires signature cards Ongoing and future work: Full implementation Practicality Reduce requirement for signature cards (or prove necessity) Extensions (e.g., zero knowledge) Interface with complementary approaches: tie “compliance” into existing methods and a larger science of security Applications and “compliance engineering” methodology

Download ppt "1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 9: Integrity on untrusted platforms: Proof-Carrying Data (cont.) Eran."

Similar presentations

Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech.

Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.

Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Department of Computer Science & Engineering

Department of Computer Science & Engineering
Universal Communication Brendan Juba (MIT) With: Madhu Sudan (MIT)

Universal Communication Brendan Juba (MIT) With: Madhu Sudan (MIT)
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.

Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.
Dana Moshkovitz. Back to NP L  NP iff members have short, efficiently checkable, certificates of membership. Is  satisfiable?  x 1 = truex 11 = true.

Dana Moshkovitz. Back to NP L  NP iff members have short, efficiently checkable, certificates of membership. Is  satisfiable?  x 1 = truex 11 = true.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Derandomized parallel repetition theorems for free games Ronen Shaltiel, University of Haifa.

Derandomized parallel repetition theorems for free games Ronen Shaltiel, University of Haifa.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.
PCPs and Inapproximability Introduction. My T. Thai 2 Why Approximation Algorithms  Problems that we cannot find an optimal solution.

PCPs and Inapproximability Introduction. My T. Thai 2 Why Approximation Algorithms  Problems that we cannot find an optimal solution.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
1 Adapted from Oded Goldreich’s course lecture notes.

1 Adapted from Oded Goldreich’s course lecture notes.
Complexity and Cryptography

Complexity and Cryptography
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent

Similar presentations

Ads by Google