
Making Verifiable Computation Useful. Bryan Parno, Carnegie Mellon University (PowerPoint presentation)



  1. Making Verifiable Computation Useful. Bryan Parno, Carnegie Mellon University

  2. Rapid Perf Improvements (chart: 100x100 matrix multiplication)
     • Verifier latency: from 72 trillion years, to 12 minutes, to <10 ms; cost fell 23 orders of magnitude in 6 years
     • Prover overhead: from ~10^23x, to ~10^16x, to ~10^7x, to ~10^5x; cost fell 18 orders of magnitude in 6 years

  3. Coping with Prover Overhead
     1. Leverage zero knowledge
        – Example: Bitcoin++ [Danezis et al. '13] [Ben-Sasson et al. '14] [Kosba et al. '15] [Miller et al. '15]
     2. Find (rare?) applications that tolerate substantial overhead
        – Original computation is cheap or infrequent
          • Example: Fair exchange of digital goods [Maxwell '16]
        – Integrity benefits outweigh costs
          • Example: Verifiable ASICs [Wahby et al. '15]
     3. Innovations in proof generation

  4. Cinderella: Turning Shabby X.509 Certificates into Elegant Anonymous Credentials with the Magic of Verifiable Computation [IEEE S&P '16]. Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Bryan Parno

  5. The X.509 Public Key Infrastructure (1988). Chain: endpoint certificate, signed by an intermediate Certificate Authority certificate, signed by a root Certification Authority certificate

  6. X.509 Certificate Authentication. The certificates (1-3 KB per certificate) and the holder's private keys, together with OCSP and Certificate Transparency evidence, are fed to the certificate validation program, which takes the authorized root certificates as data.

  7. X.509 Problem: App Heterogeneity. The same certificates (1-3 KB each, plus OCSP and Certificate Transparency evidence) and the same authorized root certificates go through a different validation program for every application:
     • Basic validation: correct ASN.1 encoding (injective parsing); correct signatures linking the chain; notBefore < now() < notAfter; valid basic constraints; valid key usages; acceptable algorithms & key sizes
     • TLS validation: Domain == Subject CN? Domain in Subject Alternative Names? Domain matches a wildcard name? Domain compatible with Name Constraints? Endpoint EKU includes TLS client/server? Chain allows TLS EKU; not revoked now
     • S/MIME validation: notBefore < email date < notAfter; Subject emailAddress or Alternative Names include sender email? Endpoint EKU includes S/MIME? Chain allows S/MIME EKU; not revoked when mail was sent
     • Further applications with policies of their own: code signing, document signing, client authentication (e.g. smartcards), …
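The TLS column of that slide, written out as a checkable policy. This is an added example, not code from Cinderella or from the slides: it models certificates as plain dicts (a layout assumed for this example only; a real validator would fill them from parsed DER) and leaves out signature checking and revocation, which the slide lists but which need real key material. The wildcard and name-constraint rules follow RFC 6125 and RFC 5280; the chain and hostnames are constructed inputs.

```python
from datetime import datetime, timezone

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth OID


def host_matches(pattern, host):
    """RFC 6125-style presented-name match: exact, or a single leftmost '*'
    label standing for exactly one label, so '*.example.com' matches
    'www.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                          # '.example.com'
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost


def in_constraint(constraint, name):
    """RFC 5280 dNSName constraint: 'example.com' permits itself and every
    subdomain; the leading-dot form '.example.com' permits subdomains only."""
    constraint, name = constraint.lower(), name.lower()
    if constraint.startswith("."):
        return name.endswith(constraint)
    return name == constraint or name.endswith("." + constraint)


def validate_tls_chain(chain, host, now):
    """chain[0] is the endpoint, chain[-1] the authorized root (the 'data'
    input of the slide's validation program). Returns (ok, reason)."""
    if len(chain) < 2:
        return False, "chain too short"
    for i, cert in enumerate(chain):
        if not cert["not_before"] < now < cert["not_after"]:
            return False, f"certificate {i} outside its validity period"
        if i + 1 < len(chain) and cert["issuer"] != chain[i + 1]["subject"]:
            return False, f"certificate {i} not issued by certificate {i + 1}"
    leaf, cas = chain[0], chain[1:]
    # Basic constraints: every issuer is a CA and the number of intermediates
    # below it (its index in cas) respects its pathLenConstraint.
    for depth, ca in enumerate(cas):
        if not ca["ca"]:
            return False, f"{ca['subject']} is not a CA"
        if ca["pathlen"] is not None and depth > ca["pathlen"]:
            return False, f"{ca['subject']} pathLenConstraint exceeded"
    # Names the endpoint presents: SAN dNSNames, else the Subject CN fallback.
    names = leaf["sans"] or ([leaf["subject_cn"]] if leaf["subject_cn"] else [])
    if not any(host_matches(n, host) for n in names):
        return False, f"{host} matches no SAN or CN"
    # Name constraints of every CA apply to every dNSName of the endpoint.
    for ca in cas:
        if ca["permitted_dns"] is None:
            continue
        for n in names:
            base = n[2:] if n.startswith("*.") else n
            if not any(in_constraint(c, base) for c in ca["permitted_dns"]):
                return False, f"{n} violates the name constraints of {ca['subject']}"
    # EKU: the endpoint must allow server auth, and any CA that restricts EKU
    # must allow it as well ("chain allows TLS EKU").
    if SERVER_AUTH not in leaf["eku"]:
        return False, "endpoint EKU does not include serverAuth"
    for ca in cas:
        if ca["eku"] and SERVER_AUTH not in ca["eku"]:
            return False, f"{ca['subject']} EKU does not allow serverAuth"
    return True, "ok"


def cert(subject, issuer, **fields):
    """Constructed certificate record; the field layout is an assumption of this example."""
    rec = dict(subject=subject, issuer=issuer, subject_cn=None, sans=[], eku=[],
               ca=False, pathlen=None, permitted_dns=None,
               not_before=datetime(2016, 1, 1, tzinfo=timezone.utc),
               not_after=datetime(2017, 1, 1, tzinfo=timezone.utc))
    rec.update(fields)
    return rec


# Constructed chain: root, name-constrained intermediate, two endpoints.
ROOT = cert("Example Root", "Example Root", ca=True)
INTER = cert("Example CA - G2", "Example Root", ca=True, pathlen=0,
             permitted_dns=["example.com"])
LEAF = cert("www.example.com", "Example CA - G2", subject_cn="www.example.com",
            sans=["www.example.com", "*.example.com"], eku=[SERVER_AUTH])
ROGUE = cert("login.example.org", "Example CA - G2",
             sans=["login.example.org"], eku=[SERVER_AUTH])
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for chain, host in [([LEAF, INTER, ROOT], "www.example.com"),
                        ([LEAF, INTER, ROOT], "a.b.example.com"),
                        ([ROGUE, INTER, ROOT], "login.example.org"),
                        ([LEAF, ROOT], "www.example.com")]:
        print(host, validate_tls_chain(chain, host, NOW))
```

The rogue endpoint is the interesting case: its hostname check passes, and only the name constraint on the intermediate rejects it, which is exactly the check the slide's "Name constraints failures" refer to when it is skipped. Cinderella's point is that this whole function, including the parts left out here, becomes the fixed policy F(fields) that every relying party verifies uniformly.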

  8. Recent PKI Failures (timeline 2006-2015)
     • Crypto failures: HashClash rogue CA (MD5 collision); Flame malware, NSA/GCHQ attack against a Windows CA; the SHAppening (Stevens et al.); 512-bit Korean school CAs; Debian OpenSSL entropy bug; Bleichenbacher's e=3 attack on PKCS#1 signatures; BERSerk; DROWN
     • Formatting & semantics: KeyUsage; basic constraints not properly enforced (recurring & catastrophic bug); name constraints failures; OpenSSL; GnuTLS; X509v1; OpenSSL CVE-2015-1793; null prefix; EKU-unrestricted certificates (MSR/Inria)
     • CA failures: VeriSign; Superfish; Comodo hack; Trustwave; NetDiscovery; ANSSI; India NIC; VeriSign hack; StartCom hack; DigiNotar hack; TÜRKTRUST; China NNIC

  9. X.509 Problem: Privacy violations. The certificates (1-3 KB each, plus OCSP and Certificate Transparency evidence) travel past a network observer on their way to the validation program, so the observer learns the full certificate contents. Many anonymous credential systems solve this, but ~0 are used today.

  10. Cinderella: Main Idea. The certificates, private keys and other evidence (e.g. OCSP) become the prover's private inputs to the certificate validation program, which still takes the authorized root certificates as data. The Geppetto compiler [IEEE S&P '15] turns that program into an evaluation key and a verification key, and the relying party receives a proof (288 B) instead of the certificates.

  11. Computation Outsourcing with Pinocchio [CRYPTO '10] [EuroCrypt '13] [IEEE S&P '13] [IEEE S&P '15]. A C program F(priv, pub), with public verifier inputs and private prover inputs, is compiled to an arithmetic circuit (complex programs compile to large arithmetic circuits). Setup phase: the circuit yields an evaluation key (EK) and a verification key (VK). Runtime phase: the verifier sends Query(pub); the prover runs Evaluate(F(priv, pub), EK) and returns a succinct proof; the verifier runs Verify(Proof, VK).

  12. Cinderella: Contributions
     • A compiler from high-level validation policy templates to Pinocchio-optimized certificate validators
     • Pinocchio-optimized libraries for hashing and RSA-PKCS#1 signature validation
     • Several TLS validation policies based on concrete templates and additional evidence (OCSP)
     • Integrated with OpenSSL
     • Tested on real certificate chains
     • e-Voting support based on Helios with Estonian ID cards

  13. Benefits and Caveats
     Benefits:
     • Practicality: compatible with existing PKI and certificates
     • Ensures uniform application of the validation policy but allows flexible issuance policies
     • Anonymity: complete control over disclosure of certificate contents
     • Less exposure of long-term private keys through weak algorithms
     Caveats:
     • Computationally expensive
     • Initial agreement on the validation policy
     • Reliance on security of the verified computation system
     • Exotic crypto assumption
     • Trusted key generation
     • Does not solve key management (one more layer to manage)

  14. Compiling Certificate Templates. The template fixes compile-time constants and declares run-time variables; the template compiler turns it into a C/QAP verifier that concatenates the constants with the variables and computes a running hash over the result. The private inputs come from an untrusted native parser that parses the certificate and generates the prover inputs (variables and variable lists). Template excerpt:
     seq {
       # Version
       tag<0>: const<2L>;
       # Serial Number
       var<int, serial, 10, 20>;
       # Signature Algorithm
       seq { const<O1.2.840.113549.1.1.5>; const<null>; };
       # Issuer
       seq {
         set { seq { const<O2.5.4.10>; const<printable:"AlphaSSL">; }; };
         set { seq { const<O2.5.4.3>; const<printable:"AlphaSSL CA - G2">; }; };
       };
       # Validity Period
       seq { var<date, notbefore, 13, 13>; var<date, notafter, 13, 13>; };
       # Subject
       varlist<subject, 2, 4>: set { seq { var<oid, subjectoid, 3, 10>; var<x500, subjectval, 2, 31>; }; };
       […]
     };

  15. Verifying PKCS#1 RSA Signatures. Check S^e mod N = 0001ffff…ff00 kkkk…k yyyy…y, where the k bytes are the DigestInfo prefix and the y bytes are the hash (computed before). Assume a fixed e = 65537 = 2^16 + 1, so S^e = S · (((S^2)^2) …)^2: 16 squarings and one multiplication. S is held in 120-bit limbs and S^2 produces 240+-bit limbs. Each reduction is written S^2 = Q*N + R with Q and R supplied by the prover as private inputs (hints); the verifier checks that the hints are valid by recomputing Q*N (240+-bit limbs) + R (120-bit limbs) against S^2, then continues with S <- R.
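The prover-hint trick on that slide, carried through in Python. This is an added example and not Cinderella's code: the prover computes S^65537 mod N by 16 squarings and one multiplication and records the quotient and remainder of every un-reduced product; the verifier never divides, it only checks the identity T == Q*N + R with R in range at each step (Python integers stand in for the circuit's 120-bit limbs) and then compares the result with the expected PKCS#1 v1.5 encoding. The key is constructed from two Mersenne primes so that the block runs offline; it is trivially factorable and is an assumption of this example only.

```python
import hashlib

E = 65537                       # 2^16 + 1, the fixed exponent the slide assumes

# Constructed toy key from two Mersenne primes: trivially factorable, so it
# demonstrates the arithmetic only and must never be used for real signatures.
_P, _Q = 2**521 - 1, 2**607 - 1
N = _P * _Q
D = pow(E, -1, (_P - 1) * (_Q - 1))
K = (N.bit_length() + 7) // 8   # modulus length in bytes (141 here)

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2): the 'kkkk'
# bytes on the slide; the 32 hash bytes that follow are the 'yyyy' bytes.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_of(message):
    return hashlib.sha256(message).digest()


def emsa_pkcs1_v15(digest):
    """EM = 0x00 0x01 || FF..FF (at least 8 bytes) || 0x00 || DigestInfo || digest."""
    t = SHA256_DIGESTINFO + digest
    ps = b"\xff" * (K - len(t) - 3)
    if len(ps) < 8:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + ps + b"\x00" + t


def sign(message):
    """Signer side (outside the circuit): S = EM^d mod N."""
    em = int.from_bytes(emsa_pkcs1_v15(digest_of(message)), "big")
    return pow(em, D, N)


def prover_hints(s):
    """Prover side: square-and-multiply trace of S^(2^16 + 1) mod N.
    Entry i is (Q_i, R_i) with cur_i * cur_i == Q_i*N + R_i for the 16
    squarings and cur_16 * S == Q_16*N + R_16 for the final multiplication."""
    hints, cur = [], s
    for step in range(17):
        t = cur * cur if step < 16 else cur * s
        q, r = divmod(t, N)             # the only divisions, done by the prover
        hints.append((q, r))
        cur = r
    return hints


def verify_with_hints(s, hints, digest):
    """Verifier side, circuit style: no division. Each reduction is the
    identity check T == Q*N + R with 0 <= R < N; a bad hint is rejected."""
    if not 0 < s < N or len(hints) != 17:
        return False
    cur = s
    for step, (q, r) in enumerate(hints):
        t = cur * cur if step < 16 else cur * s
        if not 0 <= r < N or q * N + r != t:
            return False                # hint does not match the product
        cur = r
    # cur is now S^e mod N; a byte-for-byte comparison with the expected
    # encoding also enforces the 0001ff..ff00 padding and the DigestInfo prefix.
    return cur.to_bytes(K, "big") == emsa_pkcs1_v15(digest)


if __name__ == "__main__":
    msg = b"serial=4711, issuer=AlphaSSL CA - G2"   # constructed input
    s = sign(msg)
    hints = prover_hints(s)
    print("valid hints, right hash:", verify_with_hints(s, hints, digest_of(msg)))
    print("valid hints, wrong hash:", verify_with_hints(s, hints, digest_of(b"x")))
    q, r = hints[5]
    hints[5] = (q, (r + 1) % N)                      # prover tries to cheat
    print("tampered hint:", verify_with_hints(s, hints, digest_of(msg)))
```

The range check 0 <= R < N is what makes the hints binding: without it a cheating prover could pick any R and solve for Q, so the circuit must enforce it on every step, and on the limb representation that means a full comparison against N rather than a single field operation.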

  16. Application: TLS Client Authentication. Offline, the Geppetto compiler [IEEE S&P '15] turns the policy F(fields) into an evaluation key and a verification key. The client generates an ephemeral key, uses the evaluation key to produce a proof of F(fields) over its client certificate's fields bound to that ephemeral key, and signs the key exchange with the ephemeral key; the server checks the proof against the verification key.

  17. Application evaluation (chart: seconds on a log scale from 0.001 to 1000; keygen time, proof time and verify time for TLS with 2 intermediates + OCSP, TLS with 1 intermediate + OCSP, TLS with no intermediate + OCSP, and Helios)

  18. Cinderella Summary
     • One of the first practical applications of verifiable computing
     • We achieve privacy and integrity for X.509 authentication
     • No change to PKI or to protocols
     • Working prototype for TLS and Helios

  19. Coping with Prover Overhead (recap of slide 3: 1. leverage zero knowledge; 2. find (rare?) applications that tolerate substantial overhead; 3. innovations in proof generation)

  20. Recent Innovations in Proof Generation
     • Improve efficiency of popular programming paradigms
       – Ex: Hash-and-Prove [Fiore et al. '16]
       – Ex: vSQL [Zhang et al. '17]
     • Meld SNARKs with interactive proofs
       – Ex: Allspice [Vu et al. '13], vSQL [Zhang et al. '17]

  21. Future Innovations in Proof Generation
     • More efficient cryptographic encodings
       – Lattices?
       – Symmetric homomorphic primitives?
     • Specialized verifiable computation protocols
       – Ex: ZK verifiable regular expressions

  22. Disruptive Approaches: Software Guard Extensions (SGX), Trusted Platform Module (TPM), and ubiquitous secure hardware combined with fully verified software such as Ironclad Apps (App; Std. Lib with Common Datatypes, RSA, SHA-256, BigNum, Math; UDP/IP, Ethernet, Net Driver, TPM Driver; Secure Device IO, Late launch, Segs, IOMMU, GC; hardware specs), compared with verifiable computation:
     • ~0 performance overhead
     • Fully general
     • Obfuscated programs?
     • Platform assurance

  23. Conclusions
     • Despite progress, prover overhead limits the usefulness of verifiable computation
     • Cinderella circumvents prover overhead to improve the privacy, security, and flexibility of the X.509 PKI
     • Secure hardware + verified software may disrupt crypto-only solutions
     Thank you! parno@cmu.edu
