Privacy-Preserving Outsourcing by Distributed Verifiable - PowerPoint PPT Presentation

Privacy-Preserving Outsourcing by Distributed Verifiable Computation Meilof Veeningen Philips Research MPC 2016, Aarhus, May 30 2016

2 Philips Research

3 Philips Research

4 Philips Research

5 Philips Research

6 Philips Research

Outsourcing Computations on Sensitive Data (I) f(x) x privacy? correctness? 7 Philips Research

Outsourcing Computations on Sensitive Data (I) secure multiparty computation Can we achieve correctness even if all workers are corrupted? 𝑔(𝑦) " 𝑔(𝑦) # 𝑔(𝑦) $ Jakobsen, Nielsen, Orlandi (CCSW ’14): 𝑦 " 𝑦 # 𝑦 $ privacy and correctness with 𝑜 − 1 actively corrupted workers 8 Philips Research

Outsourcing & Correctness (But No Privacy) 9 Philips Research

Privacy + Correctness: A Generic Construction 𝑧, Proof(𝑧 = 𝑔 𝑦 ) " 𝑧 = 𝑔(𝑦) " 𝑧 = 𝑔(𝑦) # 𝑧, Proof(𝑧 = 𝑔 𝑦 ) # 𝑧,Proof(𝑧 = 𝑔 𝑦 ) $ 𝑧 = 𝑔(𝑦) $ 𝑦 " 𝑦 # 𝑦 $ Question: can we efficiently Privacy: same as MPC construct these proofs with protocol used multi-party computation? Correctness: always! 10 Philips Research

Privacy + Correctness: Previous Work Preprocessing Paillier ZK 𝑦 , 𝑧 , 𝑦𝑧 ElGamal + 𝑕 3 , 𝑕 4 , 𝑕 34 NIZK openings Certificate Validation … Universally Verifiable CDN (de Hoogh/Schoenmakers/V.) (de Hoogh/Schoenmakers/V.) Publicly Auditable SPDZ (Baum/Damgård/Orlandi) Verification effort scales in computation size! Reason: existing work takes MPC as starting point! 11 Philips Research

Privacy + Correctness: Previous Work • Instead of 𝑧, Proof(𝑧 = 𝑔 𝑦 ) " : – Baum/Damgård/Orlandi: SPDZ + Pedersen commitments = SPDZ’ – de Hoogh/Schoenmakers/Veeningen: CDN + non-interactive proofs = CDN’ – de Hoogh/Schoenmakers/Veeningen: CDN’ + ElGamal encryption = CDN’’ • Because of MPC starting point, no efficient verification! 12 Philips Research

Today: 𝑧, Proof(𝑧 = 𝑔 𝑦 ) can be efficient! 𝑧, PinocchioVC(𝑧 = 𝑔 𝑦 ) " 𝑧, PinocchioVC(𝑧 = 𝑔 𝑦 ) # 𝑧, PinocchioVC(𝑧 = 𝑔 𝑦 ) $ Theorem. (Schoenmakers/V/de 𝑦 " 𝑦 # Vreede, ACNS ‘16) Privacy-preserving 𝑦 $ computation of Pinocchio VC: three workers each perform essentially the work of the original prover. Corollary. Verifiable Multi-Party Computation with constant-time verification! 13 Philips Research

Outline • Secret sharing MPC • Pinocchio VC • Secret sharing MPC + Pinocchio VC 14 Philips Research

Secret sharing MPC 15 Philips Research

Animation: Sebastiaan de Hoogh Shamir secret sharing (2-out-of-3) (1, 𝑨 A ) (1,𝑧 A + 𝑨 A ) (1,𝑧 A 𝑨 A ) (1,𝛽𝑧 D ) (1,𝑧 A ) 𝑐𝑦 + 𝑡 " = 𝑏𝑐 𝑦 " + 𝑏𝑡 " + 𝑐𝑡 $ 𝑦 + 𝑡 $ 𝑡 " 𝑧 = 𝑏𝑦 + 𝑡 $ (2, 𝑨 @ ) (2,𝑧 @ + 𝑨 @ ) (2,𝑧 @ 𝑨 @ ) (2,𝛽𝑧 E ) s $ s " = 3(𝑧 D 𝑨 D ) − 3(𝑧 E 𝑨 E ) + (𝑧 F 𝑨 F ) (3-out-of-3 sharing!) (2,𝑧 @ ) (3, 𝑨 < ) (3,𝑧 < + 𝑨 < ) (3,𝑧 < 𝑨 < ) (3,𝛽𝑧 F ) (3, 𝑧 < ) 𝑧 < 𝑧 @ 𝑡 $ + 𝑡 " 𝑧 A 𝛽𝑡 $ 𝑡 $ 𝑡 " 0 1 2 3 16 Philips Research

MPC based on Shamir secret sharing Goal: compute 𝑧 = 𝑡 ⋅ 𝑢 ⋅ (𝑡 + 𝑢) 𝑡 " , 𝑢 " 𝑡𝑢 " 𝑡𝑢 " 𝑡 + 𝑢 " 𝑡𝑢(𝑡 + 𝑢) " 𝑡𝑢 " $ 𝑡𝑢 " $ 𝑡𝑢 $ " 𝑡 $ , 𝑢 $ 𝑡𝑢 # " 𝑡𝑢 $ 𝑡𝑢 $ # 𝑡 # , 𝑢 # 𝑡𝑢 $ 𝑡𝑢 # $ 𝑡𝑢 # 𝑡 + 𝑢 $ 𝑡 " , 𝑢 " 𝑡𝑢(𝑡 + 𝑢) " 𝑡𝑢 # 𝑡𝑢(𝑡 + 𝑢) $ 𝑡 + 𝑢 # 𝑡𝑢(𝑡 + 𝑢) $ 𝑡 $ , 𝑢 $ 𝑡𝑢(𝑡 + 𝑢) # 𝑡𝑢 = 3 𝑡𝑢 $ − 3 𝑡𝑢 " + 𝑡𝑢 # 𝑡𝑢 M = 3 𝑡𝑢 $ M − 3 𝑡𝑢 " M + 𝑡𝑢 # M 𝑡𝑢(𝑡 + 𝑢) # 𝑡 # , 𝑢 # 𝑦 : 2-out-of-3 sharing of 𝑦 𝑦 : 3-out-of-3 sharing of 𝑦 𝑡, 𝑢 , 𝑡𝑢(𝑡 + 𝑢) 17 Philips Research

Pinocchio VC 18 Philips Research

Pinocchio: Quadratic Arithmetic Programs “quadratic arithmetic Prove that committed 𝑦 ⃗ satisfies equations program” (QAP) 𝑊 ⋅ 𝑦 ⃗ ∗ 𝑋 ⋅ 𝑦 ⃗ = (𝑍 ⋅ 𝑦 ⃗) Example: 𝑧 = 𝑡 ⋅ 𝑢 ⋅ 𝑡 + 𝑢 if and only if: ∃𝑨 ∶ U𝑡 ⋅ 𝑢 = 𝑨 𝑧 𝑨 ⋅ (𝑡 + 𝑢) = 𝑡 𝑡 𝑡 𝑢 𝑢 𝑢 1 0 0 0 ∗ 0 1 0 0 = 0 0 1 0 0 ⋅ 0 ⋅ 1 ⋅ 𝑨 𝑨 𝑨 0 0 1 1 1 0 0 0 0 𝑧 𝑧 𝑧 E.g.: 𝑡 𝑢 𝑧 𝑨 = 3 2 6 30 is a solution 19 Philips Research

Pinocchio: From QAP to SNARK (I) Prove that committed 𝑦 ⃗ satisfies equations 𝑊 ⋅ 𝑦 ⃗ ∗ 𝑋 ⋅ 𝑦 ⃗ = 𝑍 ⋅ 𝑦 ⃗ . Define 𝑊 M 𝜊 ,𝑋 M 𝜊 ,𝑍 M 𝜊 by “columnwiseLagrange interpolation” 𝑡 𝑡 𝑡 value 𝑢 𝑢 𝑢 at 1 1 0 0 0 ∗ 0 1 0 0 = 0 0 1 0 0 ⋅ 0 ⋅ 1 ⋅ 𝑨 𝑨 𝑨 0 0 1 1 1 0 0 0 0 value 𝑧 𝑧 𝑧 at 2 𝑋 " 1 = 1, 𝑋 " 2 = 1 𝑊 $ 1 = 1, 𝑊 $ 2 = 0 … 𝑋 " 𝜊 = 1 𝑊 $ 𝜊 = 2 − 𝜊 Consider polynomial 𝑄 3 ⃗ 𝜊 = 𝑊 $ 𝜊 𝑡+ 𝑊 " 𝜊 𝑢 + ⋯ ⋅ 𝑋 $ 𝜊 𝑡 + ⋯ − 𝑍 $ 𝜊 𝑡 + ⋯ : In 𝜊 = 1 : 𝑄 3 ⃗ 1 = 𝑊 $ 1 𝑡 + 𝑊 " 1 𝑢 + ⋯ ⋅ 𝑋 $ 1 𝑡 + ⋯ − 𝑍 $ 1 𝑡 + ⋯ = 𝑡 ⋅ 𝑢 − 𝑨 • In 𝜊 = 2 : 𝑄 3 ⃗ 2 = 𝑊 $ 1 𝑡 + 𝑊 " 1 𝑢 + ⋯ ⋅ 𝑋 $ 1 𝑡 + ⋯ − 𝑍 $ 1 𝑡 + ⋯ = 𝑨 ⋅ 𝑡 + 𝑢 − 𝑧 • So 𝑊 ⋅ 𝑦 ⃗ ∗ 𝑋 ⋅ 𝑦 ⃗ = 𝑍 ⋅ 𝑦 ⃗ if and only if 𝑄 3 ⃗ 1 = 𝑄 3 ⃗ 2 = 0 if and only if 𝜊 − 1 ⋅ 𝜊 − 2 | 𝑄 𝜊 if and only if there exists ℎ 𝜊 : 𝜊 − 1 ⋅ 𝜊 − 2 ⋅ ℎ 𝜊 = 𝑄 3 ⃗ 𝜊 20 Philips Research

Pinocchio: From QAP to SNARK (II) Example. 𝑡 𝑡 𝑡 value 𝑢 𝑢 𝑢 1 0 0 0 ∗ 0 1 0 0 = 0 0 1 0 at 1 0 ⋅ 0 ⋅ 1 ⋅ 𝑨 𝑨 𝑨 0 0 1 1 1 0 0 0 0 value 𝑧 𝑧 𝑧 at 2 𝑊 $ 𝜊 = 𝑍 # 𝜊 = 2 − 𝜊 𝑊 " 𝜊 = 𝑊 ` 𝜊 = 𝑋 # 𝜊 = 𝑋 ` 𝜊 = 𝑍 $ 𝜊 = 𝑍 " 𝜊 = 0 𝑊 # 𝜊 = 𝑋 $ 𝜊 = 𝑍 ` 𝜊 = 𝜊 − 1 𝑋 " 𝜊 = 1 Claim: 𝑡 𝑢 𝑨 𝑧 is solution iff there exists ℎ 𝜊 such that Claim: 3 2 6 30 is solution iff there exists ℎ 𝜊 such that Claim: 3 2 6 30 is solution iff there exists ℎ 𝜊 such that Claim: 3 2 6 30 is solution iff there exists ℎ 𝜊 such that 𝜊 − 2 ℎ 𝜊 = 9𝜊 " − 27𝜊 + 18 𝜊 − 1 𝜊 − 2 ℎ 𝜊 = 3𝜊 ⋅ 3𝜊 − 1 − 24𝜊 − 18 𝜊 − 1 𝜊 − 1 𝜊 − 1 𝜊 − 2 ℎ 𝜊 = 𝑡𝑊 𝜊 − 2 ℎ 𝜊 = 3𝑊 $ 𝜊 + 𝑢𝑊 $ 𝜊 + 2𝑊 " 𝜊 + 𝑨𝑊 " 𝜊 + 6𝑊 # 𝜊 + 𝑧𝑊 # 𝜊 + 30𝑊 ` 𝜊 ` 𝜊 ⋅ ⋅ 3𝑋 $ 𝜊 + 2𝑋 𝑡𝑋 $ 𝜊 + 𝑢𝑋 " 𝜊 + 6𝑋 " 𝜊 + 𝑨𝑋 # 𝜊 + 30𝑋 # 𝜊 + 𝑧𝑋 ` 𝜊 ` 𝜊 − 3𝑍 − 𝑡𝑍 $ 𝜊 + 2𝑍 $ 𝜊 + 𝑢𝑍 " 𝜊 + 6𝑍 " 𝜊 + 𝑨𝑍 # 𝜊 + 30𝑍 # 𝜊 + 𝑧𝑍 ` 𝜊 ` 𝜊 21 Philips Research

Pinocchio: From QAP to SNARK (III) Lemma ⇒ 3 2 6 30 is solution iff there exists ℎ 𝜊 such that 𝜊 − 2 ℎ 𝜊 = 9𝜊 " − 27𝜊 + 18 𝜊 − 1 𝜊 " − 3𝜊 + 2 9𝜊 " − 27𝜊 + 18 9 9 (𝜊 " − 3𝜊 + 2) − 0 ℎ 𝜊 = 9 22 Philips Research

Pinocchio: From QAP to SNARK (IV) Ξ : random, evaluation key: evaluation/verification key: 𝑕, 𝑕 f , 𝑕 f o ,… 𝑕 j p (f) ,𝑕 m p (f) , 𝑕 n p (f) unknown Prove: 𝜊 − 1 ⋅ …⋅ 𝜊 − 𝑒 ⋅ ℎ 𝜊 = 𝑊 Ξ − 1 ⋅ …⋅ Ξ − 𝑒 ⋅ ℎ Ξ = 𝑊 $ 𝜊 𝑦 $ + ⋯ ⋅ 𝑋 $ Ξ 𝑦 $ + ⋯ ⋅ 𝑋 $ 𝜊 𝑦 $ + ⋯ − 𝑍 $ Ξ 𝑦 $ + ⋯ − 𝑍 $ 𝜊 𝑦 $ + ⋯ ⋅ 1 $ Ξ 𝑦 $ + ⋯ ⋅ 1 verification key: prover: prover/verifier: prover/verifier: prover/verifier: 𝑕 fg$ ⋅…⋅ fgh 𝑕 i f 𝑕 j k f 3 k l⋯ 𝑕 m k f 3 k l⋯ 𝑕 n k f 3 k l⋯ g$ ? verifier: 𝑓 𝑕 fg$ ⋅…⋅ fgh ,𝑕 i f k f 3 k l⋯ ⋅ 𝑓 𝑕 n = 𝑓 𝑕 j k f 3 k l⋯ ,𝑕 m k f 3 k l⋯ ,𝑕 Magic crypto tool: pairing 𝑕 t 𝑕 r 𝑓 𝑕 r ,𝑕 s = 𝑓(𝑕 t , 𝑕 h ) 𝑓 𝑓 𝑕 s 𝑕 h iff 𝑏 ⋅ 𝑐 = 𝑑 ⋅ 𝑒 23 Philips Research

Pinocchio: From QAP to SNARK (V) - evaluate function: get 𝑨, 𝑧 compute 𝑕 j x f y , 𝑕 m x f y , 𝑕 n x f y - evaluation key: compute ℎ 𝜊 = j z m z gn z - 𝑕, 𝑕 f , 𝑕 f o ,… zg$ ⋅…⋅(zgh) x f ,𝑕 m x f , 𝑕 n compute 𝑕 i f 𝑕 j x f - 𝑧, 𝑕 i f , 𝑕 j 𝑡, 𝑢 x f y ,𝑕 m x f y , 𝑕 n x f y verify: 𝑓 𝑕 fg$ ⋅…⋅ fgh , 𝑕 i f verification key: 𝑕 fg$ ⋅…⋅ fgh } f 4 ⋅ 𝑕 j = 𝑓(𝑕 j k f {lj o f |lj x f y , k f ,𝑕 m k f ,𝑕 n 𝑕 j k f } f 4 ⋅ 𝑕 m 𝑕 m k f {lm o f |lm x f y ) ⋅ o f ,𝑕 m o f ,𝑕 n 𝑕 j o f g$ } f 4 ⋅ 𝑕 n 𝑓 𝑕 n k f {ln o f |ln x f y ,𝑕 } f , 𝑕 m } f , 𝑕 n 𝑕 j } f 24 Philips Research

Secret sharing MPC + Pinocchio VC 25 Philips Research