optimal verification of operations on dynamic sets
play

Optimal Verification of Operations on Dynamic Sets Charalampos - PowerPoint PPT Presentation

Aug 30, 2022 •243 likes •597 views

Optimal Verification of Operations on Dynamic Sets Charalampos Papamanthou, UC Berkeley Roberto Tamassia, Brown University Nikos Triandopoulos, RSA Labs & BU CRYPTO 2011 08/15/11 Data in the cloud Data privacy Server wants to

  1. Optimal Verification of Operations on Dynamic Sets Charalampos Papamanthou, UC Berkeley Roberto Tamassia, Brown University Nikos Triandopoulos, RSA Labs & BU CRYPTO 2011 08/15/11

  2. Data in the cloud  Data privacy  Server wants to learn our data  Can we enable the server use encrypted data in a meaningful way?  Computing on encrypted data  Data and computations integrity  Server wants to tamper with our data  Are answers to queries the same as if the data were locally stored?  Authenticated data structures  Verifiable delegation of computation 2

  3. Verifying outsourced computation  Conjunctive queries  Emails that have the terms “Brown” and “Berkeley”  Disjunctive queries  Emails that have the terms “thesis” or “publication”  All these queries boil down to set operations ! 3

  4. Authenticated data structures model  Complexity  Security  Update at source and server  A poly-bounded adversary cannot construct invalid proofs  Query at server except with negligible probability  Verification at client  Need for computational  Size of proof assumptions  Space digest(D) query source server C auth(D) answer verification proof + digest(D) D D 4

  5. Authenticated sets collection S 1 ∩ S 4 ? bob source server auth(D) auth(D) 1 2 3 4 1 2 3 4 a c a d a c a d b e d l b e d l c h f m c h f m d z n d z n e w e w 5 f f

  6. Queries on sets m: number of sets (e.g., m = 4)  M: sum of sizes of all the sets (e.g., M = 6 + 4 + 3 + 5 = 18)  t: number of queried sets (e.g., t = 2)  δ: number of elements contained in the answer (e.g., δ = 1)  n: the sum of sizes of the queried sets (e.g., n = 6 + 5 = 11)  S 1 ∩ S 4 ? bob source server + proof d auth(D) auth(D) accept or 1 2 3 4 1 2 3 4 reject S 2 ∩ S 3 ? a c a d a c a d b e d l b e d l {} + proof alice c h f m c h f m d z n d z n e w e w 6 f f

  7. Related work and comparison  Optimal proof size and verification time: O( δ )  Linear space: O(m + M)  Efficient queries and updates  Performance comparison for the intersection of c = O(1) sets space query proof assumption D+04 YP09 m + M n + log m n + log m Generic CR M+04 m + M n n Strong RSA PT04 m c 1 δ Discrete log PTT10 m + M n log 3 n + δ Bilinear q- m ε log m strong DH 7

  8. Our solution: Sets and polynomials  Set X with n elements  Polynomial X(s) in Zp X = {x 1 ,…, x n } X(s) = (s+x 1 )…( s+x n )  Set Z is the intersection of  Polynomial Z(s) is the GCD X and Y of X(s) and Y(s)  The intersection of X and Y  X(s) and Y(s) have GCD is empty, i.e., equal to 1, i.e., X  Y =  gcd(X(s),Y(s)) = 1   There are polynomials P(s) and Q(s) such that P(S)X(s) + Q(s)Y(s) = 1 8

  9. Cryptographic tools we use Two multiplicative groups G and T of prime order p  g is a generator of G  A bilinear map e(.,.) from G to T such that  e(g a ,g b ) = e(g,g) ab for all a,b in Zp  e(g,g) generates T  Bilinear q-strong Diffie Hellman Assumption   Pick a random s in Z p  s is the trapdoor  Compute g s , g s2 , g s3 ,…, g sq  The public key pk are the values g s , g s2 , g s3 ,…, g sq  The probability that a PPT Adv can find an a in Zp and output the tuple (a,e(g,g) 1/(s+a) ) is negligible 9

  10. Bilinear-map accumulator  G and T of order p have a map e(.,.)  X={x,y,z,r} in Z p  Base g  G, generator of G  Secret s  Z p  Digest  D = g (x+s)(y+s)(z+s)(r+s)  Witness for x  W x = g (y+s)(z+s)(r+s)  Verification  e(D,g) = e(W x ,g (x+s) )?  Security: q-strong Diffie-Hellman assumption  [Nguyen (05)] 10

  11. Our construction Compute the accumulation value for every set  g (s+a )…( s+f) g (s+c )…( s+z) g (s+a )…( s+f) g (s+d )…( s+w) a b c d e f c e h z a d f d l m n w 11

  12. Our construction Compute the accumulation value for every set  Build an accumulation tree on top [CCS 2008]  O(1/ ε ) levels and O(m ε ) internal degree  O(m ε logm) query, O(1) update and O(1) proof  The accumulation values protect the integrity of the set elements  The accumulation tree protects the integrity of the acc. values  1/ ε g (s+a )…( s+f) g (s+c )…( s+z) g (s+a )…( s+f) g (s+d )…( s+w) a b c d e f c e h z a d f d l m n w 12

  13. Proof of intersection I = S 1 ∩ S 2 1/ ε g (s+a )…( s+f) g (s+c )…( s+z) g (s+a )…( s+f) g (s+d )…( s+w) a b c d e f c e h z a d f d l m n w 13

  14. Proof of intersection I = S 1 ∩ S 2  Elements of intersection {c,e} 1/ ε g (s+a )…( s+f) g (s+c )…( s+z) g (s+a )…( s+f) g (s+d )…( s+w) a b c d e f c e h z a d f d l m n w 14

  15. Proof of intersection I = S 1 ∩ S 2  Proof of accumulation values A 1 and A 2  Let Π 1 and Π 2 be such proofs 1/ ε g (s+a )…( s+f) g (s+c )…( s+z) g (s+a )…( s+f) g (s+d )…( s+w) a b c d e f c e h z a d f d l m n w 15

  16. Proof of intersection I = S 1 ∩ S 2  Proof of accumulation values A 1 and A 2  Let Π 1 and Π 2 be such proofs  Values along the path of the tree  Construction of proofs: O(m ε logm)  Size of proofs: O(1) 1/ ε g (s+a )…( s+f) g (s+c )…( s+z) g (s+a )…( s+f) g (s+d )…( s+w) a b c d e f c e h z a d f d l m n w 16

  17. Proof of intersection I = S 1 ∩ S 2  Subset condition : 1/ ε g (s+a )…( s+f) g (s+c )…( s+z) g (s+a )…( s+f) g (s+d )…( s+w) a b c d e f c e h z a d f d l m n w 17

  18. Proof of intersection I = S 1 ∩ S 2  Subset condition :  I  S 1 : Subset witness W 1 = g (s+a)(s+b)(s+d)(s+f) = g P(s) 1/ ε g (s+a )…( s+f) g (s+c )…( s+z) g (s+a )…( s+f) g (s+d )…( s+w) a b c d e f c e h z a d f d l m n w 18

  19. Proof of intersection I = S 1 ∩ S 2  Subset condition :  I  S 1 : Subset witness W 1 = g (s+a)(s+b)(s+d)(s+f) = g P(s)  I  S 2 : Subset witness W 2 = g (s+h)(s+z) = g Q(s) 1/ ε g (s+a )…( s+f) g (s+c )…( s+z) g (s+a )…( s+f) g (s+d )…( s+w) a b c d e f c e h z a d f d l m n w 19

  20. Proof of intersection I = S 1 ∩ S 2  Subset condition :  I  S 1 : Subset witness W 1 = g (s+a)(s+b)(s+d)(s+f) = g P(s)  I  S 2 : Subset witness W 2 = g (s+h)(s+z) = g Q(s)  Complexity  Construction: O(nlog n) (polynomial interpolation)  Size: O(1) (2 group elements) 1/ ε g (s+a )…( s+f) g (s+c )…( s+z) g (s+a )…( s+f) g (s+d )…( s+w) a b c d e f c e h z a d f d l m n w 20

  21. Proof of intersection I = S 1 ∩ S 2  Completeness condition :  (S 1 – I) ∩ ( S 2 – I) is empty 1/ ε g (s+a )…( s+f) g (s+c )…( s+z) g (s+a )…( s+f) g (s+d )…( s+w) a b c d e f c e h z a d f d l m n w 21

  22. Proof of intersection I = S 1 ∩ S 2  Completeness condition :  (S 1 – I) ∩ ( S 2 – I) is empty  Recall W 1 = g P(s) and W 2 = g Q(s) 1/ ε g (s+a )…( s+f) g (s+c )…( s+z) g (s+a )…( s+f) g (s+d )…( s+w) a b c d e f c e h z a d f d l m n w 22

  23. Proof of intersection I = S 1 ∩ S 2  Completeness condition :  (S 1 – I) ∩ ( S 2 – I) is empty  Recall W 1 = g P(s) and W 2 = g Q(s)  Completeness witness F 1 = g A(s) and F 2 = g B(s)  A(s)P(s)+B(s)Q(s) = 1  Complexity: O(nlog 2 nlog log n) (ext. Euclidean algorithm) 1/ ε g (s+a )…( s+f) g (s+c )…( s+z) g (s+a )…( s+f) g (s+d )…( s+w) a b c d e f c e h z a d f d l m n w 23

  24. Recap t sets are intersected and δ is the size of the answer  N is the sum of sizes of intersected sets  element of the proof complexity size Intersection elements N δ 24

  25. Recap t sets are intersected and δ is the size of the answer  N is the sum of sizes of intersected sets  element of the proof complexity size Intersection elements N δ Accumulation values proofs tm ε log m t 25

  26. Recap t sets are intersected and δ is the size of the answer  N is the sum of sizes of intersected sets  element of the proof complexity size Intersection elements N δ Accumulation values proofs tm ε log m t Subset witnesses Nlog N t 26

  27. Recap t sets are intersected and δ is the size of the answer  N is the sum of sizes of intersected sets  element of the proof complexity size Intersection elements N δ Accumulation values proofs tm ε log m t Subset witnesses Nlog N t Completeness witnesses Nlog 2 Nloglog N t 27

  28. Recap t sets are intersected and δ is the size of the answer  N is the sum of sizes of intersected sets  element of the proof complexity size Intersection elements N δ Accumulation values proofs tm ε log m t Subset witnesses Nlog N t Completeness witnesses Nlog 2 Nloglog N t TOTAL Nlog 2 Nlog log N t+ δ + tm ε log m 28

  29. Recap t sets are intersected and δ is the size of the answer  N is the sum of sizes of intersected sets  element of the proof complexity size Intersection elements N δ Accumulation values proofs tm ε log m t Subset witnesses Nlog N t Completeness witnesses Nlog 2 Nloglog N t TOTAL Nlog 2 Nlog log N t+ δ + almost optimal tm ε log m 29

Recommend

Large near-optimal Golomb rulers, a computational search for the verification of Erdos conjecture

Large near-optimal Golomb rulers, a computational search for the verification of Erdos conjecture

Large near-optimal Golomb rulers, a computational search for the verification of Erdos conjecture on Sidon sets Apostolos Dimitromanolakis joint work with Apostolos Dollas (Technical University of Crete) Definition of a Golomb ruler Golomb

586 views • 34 slides
Static and dynamic verification Static and dynamic V&V Software inspections Concerned

Static and dynamic verification Static and dynamic V&V Software inspections Concerned

1 2 Static and dynamic verification Static and dynamic V&V Software inspections Concerned with analysis of the static system Static representation to discover problems (static verification verification) May be supplement by

107 views • 6 slides
Data Structures for representative member. Disjoint Sets ! Operations: Make-Set(x): create a

Data Structures for representative member. Disjoint Sets ! Operations: Make-Set(x): create a

Disjoint Sets Data Structure ! A dynamic collection S = {S 1 ,S 2 ,,S k } of disjoint sets. ! Each set S i is identified by a Data Structures for representative member. Disjoint Sets ! Operations: Make-Set(x): create a new set in S,

177 views • 4 slides
5 Operations and Aggregations of Fuzzy Sets Fuzzy Systems Engineering Toward Human-Centric

5 Operations and Aggregations of Fuzzy Sets Fuzzy Systems Engineering Toward Human-Centric

5 Operations and Aggregations of Fuzzy Sets Fuzzy Systems Engineering Toward Human-Centric Computing Contents 5.1 Standard operations on sets and fuzzy sets 5.2 Generic requirements for operations on fuzzy sets 5.3 Triangular norms 5.4

1.78k views • 104 slides
S(b)-Trees: an Optimal Balancing of Variable Length Keys Konstantin V. Shvachko 2 Dynamic

S(b)-Trees: an Optimal Balancing of Variable Length Keys Konstantin V. Shvachko 2 Dynamic

S(b)-Trees: an Optimal Balancing of Variable Length Keys Konstantin V. Shvachko 2 Dynamic Dictionaries Let K be a set of dictionary elements, called keys. For any finite subset D of K and for any key k three operations of search, insertion,

387 views • 13 slides
Dynamic Programming Prof. Kuan-Ting Lai 2020/4/10 Dynamic Programming Dynamic Programming is

Dynamic Programming Prof. Kuan-Ting Lai 2020/4/10 Dynamic Programming Dynamic Programming is

Dynamic Programming Prof. Kuan-Ting Lai 2020/4/10 Dynamic Programming Dynamic Programming is for problems with two properties: 1. Optimal substructure Optimal solution can be decomposed into subproblems 2. Overlapping subproblems

569 views • 19 slides
V K Simon J. Puglisi n Rajeev Raman dynamic associative map map f K V n K, V: sets

V K Simon J. Puglisi n Rajeev Raman dynamic associative map map f K V n K, V: sets

Fast and Simple Compact Hashing via Bucketing Dominik Kppl f V K Simon J. Puglisi n Rajeev Raman dynamic associative map map f K V n K, V: sets f maps a dynamic subset of size n of K to V common representations of f

705 views • 32 slides
2. Convex sets affine and convex sets some important examples operations that preserve

2. Convex sets affine and convex sets some important examples operations that preserve

Convex Optimization Boyd & Vandenberghe 2. Convex sets affine and convex sets some important examples operations that preserve convexity generalized inequalities separating and supporting hyperplanes dual cones and

449 views • 23 slides
Week 6 Oliver Kullmann Dynamic sets Data structures Simple implementa- tion Dynamic sets

Week 6 Oliver Kullmann Dynamic sets Data structures Simple implementa- tion Dynamic sets

CS 270 Algorithms Week 6 Oliver Kullmann Dynamic sets Data structures Simple implementa- tion Dynamic sets 1 Special cases Simple implementation 2 Stacks Implementatio Special cases 3 Queues Implementatio Stacks 4 Tutorial

944 views • 41 slides
Week 6 Oliver Kullmann Dynamic sets Data structures Simple implementa- tion Dynamic sets

Week 6 Oliver Kullmann Dynamic sets Data structures Simple implementa- tion Dynamic sets

CS 270 Algorithms Week 6 Oliver Kullmann Dynamic sets Data structures Simple implementa- tion Dynamic sets 1 Special cases Simple implementation 2 Stacks Implementatio Special cases 3 Queues Implementatio Stacks 4 Tutorial

610 views • 37 slides
Dynamic logics INF5140 Specification and Verification of Parallel Systems Dynamic logics,

Dynamic logics INF5140 Specification and Verification of Parallel Systems Dynamic logics,

Dynamic logics INF5140 Specification and Verification of Parallel Systems Dynamic logics, lecture 3 Spring 2015 February 24, 2015 2 / 21 Introduction Problem FOL is very (at leat relative) expressive but undecidable. Good for

380 views • 21 slides
MA/CSSE 473 Day 28 Optimal BSTs Dynamic Programming Example OPTIMAL BINARY SEARCH TREES 1

MA/CSSE 473 Day 28 Optimal BSTs Dynamic Programming Example OPTIMAL BINARY SEARCH TREES 1

MA/CSSE 473 Day 28 Optimal BSTs Dynamic Programming Example OPTIMAL BINARY SEARCH TREES 1 Warmup: Optimal linked list order Suppose we have n distinct data items x 1 , x 2 , , x n in a linked list. Also suppose that we know the

515 views • 15 slides
Optimal PID-Control on First Order Plus Time Delay Systems Verification of the SIMC rules Chriss

Optimal PID-Control on First Order Plus Time Delay Systems Verification of the SIMC rules Chriss

Introduction Optimal Controller Tuning rule Conclusions Optimal PID-Control on First Order Plus Time Delay Systems Verification of the SIMC rules Chriss Grimholt and Sigurd Skogestad Norwegian University of Science and Technology February

433 views • 22 slides
Set Theory CMPS/MATH 2170: Discrete Mathematics Outline Sets and Set Operations (2.1-2.2)

Set Theory CMPS/MATH 2170: Discrete Mathematics Outline Sets and Set Operations (2.1-2.2)

Set Theory CMPS/MATH 2170: Discrete Mathematics Outline Sets and Set Operations (2.1-2.2) Functions (2.3) Sequences and Summations (2.4) Cardinality of Sets (2.5) Introduction to Sets A set is an unordered collection of

657 views • 39 slides
Optimal Control and Dynamic Programming 4SC000 Q2 2017-2018 Duarte Antunes Part III

Optimal Control and Dynamic Programming 4SC000 Q2 2017-2018 Duarte Antunes Part III

Optimal Control and Dynamic Programming 4SC000 Q2 2017-2018 Duarte Antunes Part III Continuous-time optimal control problems Recap Discrete optimization Stage decision problems problems Dynamic system & Formulation Transition

792 views • 37 slides
Set operations and facts about sets Slides to accompany Sections 1.(4 & 5) of Discrete

Set operations and facts about sets Slides to accompany Sections 1.(4 & 5) of Discrete

Set operations and facts about sets Slides to accompany Sections 1.(4 & 5) of Discrete Mathematics and Functional Programming Thomas VanDrunen Operations from arithmetic These operations on numbers produce new numbers. Grammatically, they

533 views • 17 slides
Optimal partitions of finite sets: a report on unfinished work in progress PJC60 at Ambleside:

Optimal partitions of finite sets: a report on unfinished work in progress PJC60 at Ambleside:

Optimal partitions of finite sets: a report on unfinished work in progress PJC60 at Ambleside: Thursday, 23 August 2007 Peter M Neumann: Queens College, Oxford Introduction: set partitions and Bell numbers Optimal partitions and the

289 views • 17 slides
Algorithms Theory Algorithms Theory 14 Dynamic Programming (3) Programming (3) Optimal

Algorithms Theory Algorithms Theory 14 Dynamic Programming (3) Programming (3) Optimal

Algorithms Theory Algorithms Theory 14 Dynamic Programming (3) Programming (3) Optimal binary search trees P.D. Dr. Alexander Souza Winter term 11/12 Method of dynamic programming Recursive approach: Solve a problem by solving several

486 views • 16 slides
MA/CSSE 473 Day 27 Dynamic Programming Binomial Coefficients Warshall's algorithm (Optimal

MA/CSSE 473 Day 27 Dynamic Programming Binomial Coefficients Warshall's algorithm (Optimal

MA/CSSE 473 Day 27 Dynamic Programming Binomial Coefficients Warshall's algorithm (Optimal BSTs) Student questions? Dynamic programming Used for problems with recursive solutions and overlapping subproblems Typically, we save

284 views • 11 slides
Dynamic formulations of Optimal Transportation and variational MFGs Jean-David Benamou EPC

Dynamic formulations of Optimal Transportation and variational MFGs Jean-David Benamou EPC

Dynamic formulations of Optimal Transportation and variational MFGs Jean-David Benamou EPC MOKAPLAN CEMRACS-CIRM July 2017 Summary 2 / 36 1. Basic Introduction to Dynamic OT 2. Time Discretization and MultiMarginal OT 3. Entropic

786 views • 36 slides
Optimal Control and Dynamic Programming 4SC000 Q2 2017-2018 Duarte Antunes Introduction

Optimal Control and Dynamic Programming 4SC000 Q2 2017-2018 Duarte Antunes Introduction

Optimal Control and Dynamic Programming 4SC000 Q2 2017-2018 Duarte Antunes Introduction Outline Course info Introduction to optimal control and applications Dynamic programming algorithm Course information Teaching staff

799 views • 59 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
The Comparison of ACI and MCB Methods for Choosing a Set that Contains the Optimal Dynamic

The Comparison of ACI and MCB Methods for Choosing a Set that Contains the Optimal Dynamic

The Comparison of ACI and MCB Methods for Choosing a Set that Contains the Optimal Dynamic Treatment Regime Rong Zhou Joint work with Tianshuang Wu March 11th 2016 Outline Organization of this presentation About the project Simulation Rong

949 views • 13 slides
Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S.

Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S.

Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S. Albers Winter term 07/08 Method of dynamic programming Recursive approach: Solve a problem by solving several smaller analogous subproblems of the same

559 views • 16 slides

More recommend