Boosting Verifiable Computation on Encrypted Data. PKC 2020. Dario Fiore, Anca Nitulescu, David Pointcheval
Motivational Tale: The Bare Necessities of a Cloud User (In times of a Pandemic)
Pandemics biometric surveillance systems. User delegates its personal data to a symptom tracking app. [Diagram: Client sends data to Server]
Pandemics biometric surveillance systems. User delegates its symptoms; Server computes diagnosis f(data) = y.
Pandemics biometric surveillance systems. Server sends back diagnosis y.
So many benefits! User receives diagnosis (healthy). Happy to hear he is healthy.
Untrusted Server. User runs the risk of a corrupted server. [Diagram: Client sends data; Server answers "healthy?"]
What can go wrong? Data can be stolen: confidential data (symptoms) is exposed.
What can go wrong? Results can be modified, f(data) ≠ y: results (diagnosis) are not guaranteed to be correct.
Solution for Privacy of Inputs. Data Privacy: Encryption. [Diagram: encrypted data sent to Server]
(Fully) Homomorphic Encryption. Data Privacy: Homomorphic Encryption. ✘ Privacy of inputs ✘ Malleability of data ✘ Privacy of output [Gen09, BV11, BGV12, GSW13, CGGI16, CKKS17...]
Solution for Integrity of the Computation. Verifiable Computation. [Diagram: Server holds data and returns f(x) with proof π]
SNARKs = Proof Systems for lazy clients. Verifiable Computation: zk-SNARKs. ✘ Proof is succinct ✘ Minimal interaction ✘ Client verifies efficiently ✘ Server algo remains secret [GGP10, GGPR13, PHGR13, Gro16, BBC+18...]
Full Solution: Verifiable Computation on Encrypted Data. Data Privacy: apply Eval of FHE on the data. Computation Integrity: Server returns the result with a proof π.
Full Solution: Verifiable Computation on Encrypted Data. [FGP14] Efficiently verifiable computation on encrypted data. Dario Fiore, Rosario Gennaro, Valerio Pastro. ✘ Combines FHE and homomorphic MAC ✘ Efficient VC for quadratic functions only ✘ Designated Verifier - it requires MAC key ✘ Verifier = Client (share secret key for FHE) ✘ Privacy of the inputs and the outputs (from Server)
Outline [Roadmap graphic; labels: Private VC, Building Blocks, Technical, The Challenges, Goals, Polynomial Commitments, Option, Strategy, CaP zk-SNARKs, END]
Publicly Verifiable Computation with Privacy. Encrypt the Data; Compute & Prove (Server); Verify Result. [Diagram: data in; result and proof π out]
Publicly Verifiable Computation with Privacy. Solution that improves on [FGP14]: ✘ Publicly verifiable: Client & Verifier do not share keys ✘ Efficiency for higher degree computations (arithmetic circuits)
Idea: Exploit the specificity of FHE ciphertexts. Compactly commit to ciphertexts; prove efficiently the evaluation of a circuit on ciphertexts; zk-SNARK (with crs) for verifiable and private delegation of computation.
FHE: Ciphertexts = Polynomials (ring-LWE, [BV11]). [Diagram: circuit over polynomial ciphertexts P_1, P_2, P_3, P_4 with output P_6]
Circuit over ciphertexts / over plaintexts. [Diagram: the same circuit over ciphertexts P_1, ..., P_4 with output P_6 and over plaintexts a_1, ..., a_4 with output a_6]
Arithmetic Circuit over Polynomials. Addition gate: P(x) and Q(x) with coefficients p_0, ..., p_d and q_0, ..., q_d give S(x) with coefficients s_0, ..., s_d; O(d) scalar additions. [Diagram: circuit over F(x), G(x), P(x), Q(x) with intermediate H(x), S(x) and output T(x)]
Arithmetic Circuit over Polynomials. Multiplication gate: H(x) and S(x) give T(x) with coefficients t_0, ..., t_2d, each t_k built from the products s_i h_(k-i); ~d^2 scalar multiplications & reductions modulo a polynomial of deg d.
Arithmetic Circuit over Polynomials. O(d) scalar additions; O(d^2) scalar multiplications, Õ(d log d) for large d.
Arithmetic Circuit over Polynomials. Circuit with n inputs and m gates: O(m ⋅ d) scalar additions & O(m ⋅ d ⋅ log d) scalar multiplications (*for polynomials of degree d).
Goals: Efficient VC with Privacy. [Diagram: inputs F(x), G(x), P(x), Q(x); result T(x); stages Encrypt the Data, Compute & Prove, Verify Result] Want a solution that: ✘ Compactly commits to the input ciphertexts → hiding from Verifier ✘ Reduces the proof for → efficiency close to cleartext proof for
Compress Circuit over Polynomials. Evaluate in k: the circuit (n inputs, m gates) over F(x), G(x), P(x), Q(x) with intermediate H(x), S(x) and output T(x) maps to the same circuit over F(k), G(k), P(k), Q(k) with output T(k).
Prove Circuit over Scalars & Evaluation in k. Circuit over scalars f, g, p, q with intermediate h, s and output t, where f = F(k), g = G(k), p = P(k), q = Q(k); the circuit over F(x), G(x), P(x), Q(x) with output T(x) is evaluated in k.
Idea: Commit & Prove Methodology. Circuit over polynomials F(x), G(x), P(x), Q(x) with output T(x), next to the circuit over scalars f, g, p, q with output t, linked by F(k) = f, G(k) = g, P(k) = p, Q(k) = q.
Idea: Commit & Prove Methodology. Same picture with two proofs: σ for the evaluations F(k) = f, G(k) = g, P(k) = p, Q(k) = q, and π for the circuit over scalars.
Blueprint of our construction. crs; Compactly Commit to Polynomials; ZK Proof σ for evaluation in random point k; CaP zk-SNARK π for arithmetic circuit over scalars; together: Verifiable Computation with Privacy (VC).
Our Techniques [Roadmap graphic, same labels as on the Outline slide]
Polynomial Commitments. Input P(x) → Commit(P). [Diagram: circuit over F(x), G(x), P(x), Q(x) with intermediate H(x), S(x) and output T(x)]
Polynomial Commitments - hiding inputs. Input P(x) → Commit(P). [Diagram: the same circuit, now at the Server]
Multi-Polynomial Commitments. Commitments to F(x), G(x), T(x), P(x), Q(x) → single bi-variate commitment to Z(x,y).
Multi-Polynomial Commitments. Z(x,y) = F(x) + G(x) y + T(x) y^2 + P(x) y^3 + Q(x) y^4
Commit & Prove Evaluation. [Diagram: circuit over polynomials F(x), G(x), P(x), Q(x) with output T(x), and circuit over scalars f, g, p, q with output t]
Commit & Prove Evaluation. [Diagram as before, with Z(x,y) on the polynomial side and V(y) on the scalar side]
Many Evaluations = Partial Evaluation. Z(x,y) = F(x) + G(x) y + P(x) y^2 + Q(x) y^3; V(y) = f + g y + p y^2 + q y^3
Many Evaluations = Partial Evaluation. Z(k,y) = F(k) + G(k) y + P(k) y^2 + Q(k) y^3 = f + g y + p y^2 + q y^3 = V(y)
Proof of Many Evaluations. σ: Z(k,y) = V(y)
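The compression step ("evaluate in k") and the batched evaluation check Z(k,y) = V(y) from the slides above, as an added example that is not code from the talk or the paper. It uses plain polynomials over a toy prime field in place of committed FHE ciphertexts, with no reduction modulo the ring polynomial, no commitments and no zero-knowledge; the gate layout H = F + G, S = P + Q, T = H·S is read off the circuit diagrams and, like the function names and the modulus, is an assumption.

```python
import random

Q_MOD = 2**61 - 1  # toy prime field (assumption; the slides fix no modulus)

def add(a, b):
    """Coefficient-wise sum of two polynomials given as coefficient lists."""
    n = max(len(a), len(b))
    return [((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % Q_MOD
            for i in range(n)]

def mul(a, b):
    """Schoolbook product: t_k = sum_i a_i * b_(k-i), degree up to 2d."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % Q_MOD
    return out

def ev(a, k):
    """Evaluate a polynomial in k with Horner's rule."""
    acc = 0
    for c in reversed(a):
        acc = (acc * k + c) % Q_MOD
    return acc

def z_at(polys, k, y):
    """Z(k, y) for Z(x, y) = sum_i polys[i](x) * y^i: fold with powers of y, then set x = k."""
    folded, y_pow = [0], 1
    for a in polys:
        folded = add(folded, [c * y_pow % Q_MOD for c in a])
        y_pow = y_pow * y % Q_MOD
    return ev(folded, k)

def demo(d=8, seed=2020):
    rng = random.Random(seed)  # constructed sample inputs, not real ciphertexts
    F, G, P, Q = ([rng.randrange(Q_MOD) for _ in range(d + 1)] for _ in range(4))
    k, y = rng.randrange(1, Q_MOD), rng.randrange(1, Q_MOD)  # random points
    T = mul(add(F, G), add(P, Q))                  # circuit over polynomials
    f, g, p, q = (ev(a, k) for a in (F, G, P, Q))  # evaluations in k
    t = (f + g) * (p + q) % Q_MOD                  # same circuit over scalars
    V = [f, g, p, q]                               # V(y) = f + g y + p y^2 + q y^3
    bad_V = [f, (g + 1) % Q_MOD, p, q]             # one wrong claimed evaluation
    bad_T = T[:]
    bad_T[3] = (bad_T[3] + 1) % Q_MOD              # tampered result polynomial
    return {
        "circuit_ok": ev(T, k) == t,
        "batch_ok": z_at([F, G, P, Q], k, y) == ev(V, y),
        "bad_eval_caught": z_at([F, G, P, Q], k, y) != ev(bad_V, y),
        "bad_result_caught": ev(bad_T, k) != t,
    }
```

A wrong T(x) or a wrong claimed evaluation passes only when the random k or y is a root of the difference polynomial, which happens with probability at most its degree divided by the field size.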
Proof of Arithmetic Circuit over Scalars. π: SNARK for the circuit over scalars f, g, p, q, h, s, t; σ: Z(k,y) = V(y)
Reuse the same commitment. [CFQ19] Modular Commit-and-Prove SNARK (LegoSNARK). [Diagram: SNARK proof π over the scalars f, g, p, q, h, s, t and evaluation proof σ for Z(k,y) = V(y), with commitments Z(x,y) and V(y)]
Σ-Protocol & Fiat-Shamir Heuristic. σ: Z(k,y) = V(y). CaP zk-SNARK for Multi-Polynomial Evaluation: ✘ based on the SDH and PKE assumptions ✘ non-interactive and zero-knowledge ✘ evaluations are committed (never opened). Interactive Proof: P: Commits to polynomials; V: Sends random point; P: Prove the evaluation. Random Oracle Model: P: Queries point to RO.
CaP zk-SNARK for Arithmetic Circuits (π). [CFQ19] LegoSNARK “lifting” tool, zk-SNARK → CaP SNARK: Groth16 (pre-processing CRS for QAP, Quadratic Arithmetic Programs) → LegoGro16; UAC - GKMMM18 (universal, circuit-independent, updatable CRS) → LegoUAC
Review of Contributions [Roadmap graphic, same labels as on the Outline slide]
Verifiable and private delegation of computation. [Diagram: inputs F(x), G(x), P(x), Q(x) with evaluations F(k), G(k), P(k), Q(k); result T(x) with T(k); stages Encrypt the Data, Compute & Prove, Verify Result] ✘ CaP-SNARK for simultaneous evaluation of many committed polynomials (based on the SDH and PKE assumptions in the RO Model) ✘ Privacy: randomisation of ciphertexts & committed results of evaluation
Thank you! eprint.iacr.org/2020/132 Questions? anca.nitulescu@ens.fr
Credits. Special thanks to all those who made and released these resources for free: ✘ Presentation template by SlidesCarnival ✘ Illustrations by Disneyclips, Iconfinder and Flaticon