On the Security and Privacy of delegated computation
Anca Nitulescu
DI ENS - Cascade
Outline
  Introduction: Cryptography, Primitives
  Motivation: Cloud Computation, Security requirements
  SNARKs: Arguments of Knowledge, SNARK Definition, Construction
  Directions: Quantum SNARKs, Difficulties, Applications, Open Problems, Conclusions
Cryptography
  Much of the cryptography used today offers security properties for data and communication.
  Aspects in information security:
  ● data confidentiality
  ● authentication
  ● data integrity
  What about computations?
Cryptographic Primitives
  Theoretical work in cryptography
  ● Primitives = algorithms with basic cryptographic properties
  ● Tools used to build more complicated cryptographic protocols
  ● Provide one functionality at a time:
    privacy: Encryption schemes (compute a ciphertext, hide a message)
    authentication: Digital signatures (to confirm the author of a message)
    integrity: Hash functions (compute a reduced hash for a message, e.g. SHA-256)
Privacy: Encryption schemes
  m → C = Enc(m)
  C → m = Dec(C)
  (diagram labels: m, C = Enc(m), m = Dec(C); m', C' = Enc(m'), m' = Dec(C'))
Authenticity: Signature schemes
  m → σ = Sig(m)
  Ver(σ) → accept/reject
Data Integrity: Attack on Integrity
  Adversary: intercepts the message m
  Adversary: changes the message to m'
Data Integrity: One-Way Hash Functions
  m → H = Hash(m)
  H → ?
  (diagram labels: m with H = Hash(m); m' with H = Hash(m'))
Delegate Computation to Cloud
  (diagram: the User sends data x to the Server, which computes f(x) = y)
Integrity of Delegated Computation
  (diagram: the Server returns y, π for the data)
  trust the server / ask for a proof
CLOUD - Available for Everything
  ● Store documents, photos, videos, etc.
  ● Share them with colleagues, friends, family
  ● Process the data
  ● Ask queries on the data
Outsourced Processing
  The Cloud Provider:
  ● knows the content
  ● performs the computations
  Claims to
  ● identify users
  ● apply access rights
  ● safely store the data
  ● securely process the data
  ● answer our queries correctly
  ● protect privacy
Risks
  For economic reasons, by accident, or through attacks:
  ● data can get deleted
  ● results of computation can be modified
  ● your private data can be analyzed and the information sold or negotiated
Delegated Computation - Requirements
  Confidentiality (Medical Record): Fully Homomorphic Encryption
  Integrity (Verify Computation Result): Proof of Knowledge π
Properties for the new tool
  ● Fast
  ● Sound
  ● Succinct
Nir Bitansky, Ran Canetti, Alessandro Chiesa, Shafi Goldwasser, Huijia Lin, Lewis Carroll
Non-Interactive proofs
  (diagram: Prover and Verifier both hold crs; for f and data x, the Prover sends y, π for the claim f(x) = y)
Algorithms of a SNARK
SNARK: Succinct Non-interactive ARgument of Knowledge
  Efficiency: verification easier than computing f
  Succinctness: proof size independent of NP witness size
  Zero-Knowledge: SNARK does not leak information about the witness
  Non-Interactivity: no exchange between prover and verifier
Argument of Knowledge Property
  (diagram labels: Adversary with crs, aux; extractor with crs, aux; SNARK)
SNARK: Overview of Toolchain
  1. Circuit for f(x)
  2. Compile to SSP/QAP
  3. Find h(x): t(x)h(x) = p(x)
  4. Evaluate in a point: t(s), p(s), h(s)
  5. Verify the proof: t(s)h(s) ?= p(s)
From Functions to Circuits
  f(x1, x2) = y
  Circuit for f(x): C(x1, x2, y) → 0/1
Step 1. Linearization of logic gates
  a b | c (OR) | c (AND) | c (XOR)
  0 0 |   0    |    0    |    0
  0 1 |   1    |    0    |    1
  1 0 |   1    |    0    |    1
  1 1 |   1    |    1    |    0
  OR gate:  – a – b + 2c ∈ {0,1}
  AND gate: a + b – 2c ∈ {0,1}
  XOR gate: a + b + c ∈ {0,2}
Step 2. Matrix equation for circuit
  OR gate:     – a – b + 2c ∈ {0,1}
  AND gate:    a + b – 2c ∈ {0,1}
  XOR gate:    a + b + c ∈ {0,2}
  Output gate: 3 – 3c ∈ {0,1}
  General form: αa + βb + γc + δ ∈ {0,2}
  Matrix form:  aV + δ ∈ {0,2}
  (aV + δ) ∘ (aV + δ – 2) = 0
  (aV + δ – 1) ∘ (aV + δ – 1) = 1
Step 3. Polynomial Problem
  (aV + δ – 1) ∘ (aV + δ – 1) = 1
  Compile to SSP: find h(x) such that t(x)h(x) = p(x)
  SSP:
Proving on top of SSP: Setup
  SSP:
  Evaluate in a point: t(s), p(s), h(s)
  Prover: Evaluate the solution in a random unknown point s
  Preprocessing: Publish all necessary powers of s (hidden from the Prover)
  crs: Enc(s), Enc(s^2), ..., Enc(s^d)
  Encoding:
  ● linear-only homomorphic (affine)
  ● quadratic root detection
  ● image verification
Proving on top of SSP: Prover
  SSP:
  crs: Enc(s), Enc(s^2), ..., Enc(s^d)
  Prover computes:
    Enc(p(s)) = Σ p_j Enc(s^j)
    Enc(h(s)) = Σ h_j Enc(s^j)
  Proof: π = (Enc(p(s)), Enc(h(s)))
Proving on top of SSP: Verifier
  SSP:
  crs: Enc(s), Enc(s^2), ..., Enc(s^d)
  Verifier receives π = (Enc(p(s)), Enc(h(s))) and verifies the proof: t(s)h(s) ?= p(s)
    Enc(p(s)) ?= (Σ a_i Enc(v_i(s)))^2 – 1
    Enc(h(s)) ?= Enc(p(s)) / Enc(t(s))
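Added example (not from the slides): Steps 1 to 3 and the verifier's check t(s)h(s) = p(s), carried through in the clear for a small constructed circuit. The field modulus, the roots 1..3, the circuit and all function names are assumptions of this example; no encoding Enc is applied, so it shows the algebra only, and wire values are assumed to be bits.

```python
P = 2**61 - 1  # prime field modulus, chosen for this example

def mul(f, g):  # polynomial product, coefficients lowest degree first
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % P
    return out

def ev(f, x):
    return sum(c * pow(x, i, P) for i, c in enumerate(f)) % P

def interpolate(xs, ys):  # Lagrange interpolation through (xs[j], ys[j])
    total = [0] * len(xs)
    for xj, yj in zip(xs, ys):
        basis, denom = [1], 1
        for xk in xs:
            if xk != xj:
                basis = mul(basis, [-xk % P, 1])
                denom = denom * (xj - xk) % P
        k = yj * pow(denom, -1, P) % P
        total = [(a + k * c) % P for a, c in zip(total, basis)]
    return total

def divmod_poly(f, g):  # long division: returns (quotient, remainder)
    f, q = f[:], [0] * (len(f) - len(g) + 1)
    for i in range(len(q) - 1, -1, -1):
        q[i] = f[i + len(g) - 1] * pow(g[-1], -1, P) % P
        for j, b in enumerate(g):
            f[i + j] = (f[i + j] - q[i] * b) % P
    return q, f[:len(g) - 1]

# Constructed circuit on wires (a, b, c, d): c = a AND b, d = a XOR c, output d = 1.
# Each row (V_j, delta_j) states  wires . V_j + delta_j in {0, 2}.
ROWS = [([2, 2, -4, 0], 0),   # AND:    2(a + b - 2c)
        ([1, 0, 1, 1], 0),    # XOR:    a + c + d
        ([0, 0, 0, -6], 6)]   # output: 2(3 - 3d)

def ssp_check(wires, s):
    roots = list(range(1, len(ROWS) + 1))
    t = [1]
    for r in roots:
        t = mul(t, [-r % P, 1])  # t(x) = prod_j (x - r_j)
    # v = v_0 + sum_i a_i v_i by linearity; v(r_j) = wires . V_j + delta_j - 1
    vals = [(sum(c * w for c, w in zip(V, wires)) + d - 1) % P for V, d in ROWS]
    v = interpolate(roots, vals)
    p = mul(v, v)
    p[0] = (p[0] - 1) % P  # p(x) = v(x)^2 - 1
    h, rem = divmod_poly(p, t)
    return not any(rem), ev(t, s) * ev(h, s) % P == ev(p, s)
```

ssp_check returns a pair: whether t(x) divides p(x), and whether t(s)h(s) = p(s) holds at the chosen point s.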
Security: Types of encodings
  Publicly Verifiable Encoding:
  ● affine operation using crs
  ● quadratic root detection using crs
  ● image verification using crs
  Designated Verifiable Encoding:
  ● affine operation using crs
  ● quadratic root detection needs sk
  ● image verification using crs
  (diagram labels: Enc, crs, Prover, Verifier; Enc, Dec, crs, sk, Prover, Verifier)
Security: Publicly Verifiable Encoding
  SSP:
  crs: g^s, g^(s^2), ..., g^(s^d)
  (diagram: Prover holds crs; Verifier checks with crs)
Security: Designated Verifiable Encoding
  SSP:
  Encryption:
  Decryption:
  crs: E_pk(s), E_pk(s^2), ..., E_pk(s^d)
  Proof: π = (E_pk(h(s)), E_pk(p(s)))
  (diagram: Prover holds crs; Verifier checks π with sk and crs)
SNARKs: Further Directions
  Standard SNARKs:
  ● based on DLog in EC groups
  ● not quantum resistant
  ● publicly-verifiable
  ● zero-knowledge
  Post-Quantum SNARKs:
  ● based on lattice assumptions
  ● designated-verifiable
  ● zero-knowledge
Post-Quantum SNARKs from Lattice-based Encodings
  Encryption:
  Decryption:
  (diagram labels: E_s(m1), E_s(m2), E_s(m1 + m2), each with an error term)
  SSP:
  crs: E_sk(s^i) with error