Using Efficient Set Accumulators USENIX Security, 2020 Alex Ozdemir* - PowerPoint PPT Presentation

Scaling Verifiable Computation Using Efficient Set Accumulators USENIX Security, 2020 Alex Ozdemir* , Riad Wahby*, Barry Whitehat^, Dan Boneh* *Stanford ^Unaffiliated

Problem: Verifiable Storage • Represent a large storage (e.g. array) with a small digest • Verifiably read and update the digest 𝑒 ← 𝐸𝑗𝑕𝑓𝑡𝑢(𝐵) Prover (𝐵, 𝑒) Verifier (𝑒) 𝑗, 𝑤, 𝜌 𝑠 𝑊𝑓𝑠𝑗𝑔𝑧 𝑠𝑓𝑏𝑒 (𝑒, 𝑗, 𝑤, 𝜌 𝑠 ) 𝑤 ← 𝐵[𝑗] 𝐵 𝑗 𝑥 ← 𝑤 𝑥 𝑒′, 𝑗 𝑥 , 𝑤 𝑥 , 𝜌 𝑥 𝑊𝑓𝑠𝑗𝑔𝑧 𝑣𝑞𝑒𝑏𝑢𝑓 (𝑒, 𝑗 𝑥 , 𝑤 𝑥 , 𝑒 ′ , 𝜌 𝑥 ) Context: Verifiable outsourcing/cryptographic proof systems Our Work: Concretely cheaper verifiable storage using RSA accumulators

Cryptographic Programming RSA Proof Systems Them Accumulators 𝑦 0 𝑦 1 𝑦 𝑦 2 𝝆 𝑥 0 𝑥 1 𝑥 2

Cryptographic Programming RSA Proof Systems Them Accumulators 𝑦 0 𝑦 1 𝑦 𝑦 2 𝝆 𝑥 0 𝑥 1 𝑥 2

NP Proof Systems 𝑀 ∈ 𝑂𝑄 (𝑦 ∈ 𝑀)? 𝑥 ← ? 𝑦 𝑥 Properties • 𝑥 ∈ 𝑞𝑝𝑚𝑧(|𝑦|) • 𝑈 𝑊 𝑀 ∈ 𝑞𝑝𝑚𝑧 |𝑦| ∃ 𝑥. 𝑾 𝑴 𝑦, 𝑥 ? • Aladdin learns 𝑥

Cryptographic Proof Systems: Abstract 𝑥 ← ? 𝑀 ∈ 𝑂𝑄 𝑡. 𝑢. 𝑊 𝑀 𝑦, 𝑥 = ⊤ (𝑦 ∈ 𝑀)? 𝝆 ← 𝑸𝒔𝒑𝒘𝒇 𝑾 𝑴 (𝑦, 𝑥) 𝑦 𝝆 Extra Properties Using PCPs + • 𝜌 ∈ 𝑃(1) Cryptography • 𝑈 𝑊𝑓𝑠𝑗𝑔𝑧 ∈ 𝑃 |𝑦| 𝑾𝒇𝒔𝒋𝒈𝒛 𝑾 𝑴 (𝝆, 𝑦 ∈ 𝑀) • (Aladdin doesn’t learn 𝑥 ) • 𝑈 𝑄𝑠𝑝𝑤𝑓 ∈ 𝑞𝑝𝑚𝑧 𝑈 𝑊 𝑀

Cryptographic Proof Systems: Concrete 𝑀 must be verifiable by an arithmetic constraint system (arithmetic circuit) 𝑦 0 𝑦 1 𝑊 𝑀 𝑦, 𝑥 𝑦 2 𝑥 0 𝑥 1 𝑥 2

Rank-1 Constraint Systems (R1CS) • Constraints have the form 𝑦 0 1 − 𝑦 0 = 0 𝐵 × 𝐶 = 𝐷 0 = 𝑥 0 + 2𝑥 1 + 4𝑥 2 − 𝑦 where 𝐵, 𝐶, 𝐷 are linear combinations of variables 𝑦 0 𝑦 1 = 𝑥 • Prover time proportional to 𝑦 0 𝑦 1 𝑦 2 = 𝑥 constraint count.

Cryptographic Programming RSA Proof Systems Them Accumulators 𝑦 0 𝑦 1 𝑦 𝑦 2 𝝆 𝑥 0 𝑥 1 𝑥 2

What Does Programming in R1CS Mean? Abstract Constraint Rank-1 Constraints 𝐵 1 × 𝐶 1 = 𝐷 1 𝐵 2 × 𝐶 2 = 𝐷 2 𝑨 < 16 𝐵 3 × 𝐶 3 = 𝐷 3 “Programming” ⋮ 𝐵 𝑜 × 𝐶 𝑜 = 𝐷 𝑜 Variables encoded as field variables Constraints may use Predicates encoded witness variables as constraints

Inequality in R1CS Abstract Constraint Rank-1 Constraints 𝑥 0 × (1 − 𝑥 0 ) = 0 𝑥 1 × (1 − 𝑥 1 ) = 0 𝑨 < 16 𝑥 2 × (1 − 𝑥 2 ) = 0 𝑥 3 × (1 − 𝑥 3 ) = 0 0 = 𝑥 0 + 2𝑥 1 + 4𝑥 2 + 8𝑥 3 − 𝑨 Encoded as the field variable 𝒜

Polynomial Multiplication Abstract Constraint Rank-1 Constraints 𝑔 0 + 𝑔 1 + 𝑔 𝑕 0 + 𝑕 1 + 𝑕 2 = ℎ 0 + ℎ 1 + ℎ 2 + ℎ 3 + ℎ 4 2 𝑔 𝑦 ⋅ 𝑕 𝑦 = ℎ(𝑦) 𝑔 0 + 2𝑔 1 + 4𝑔 𝑕 0 + 2𝑕 1 + 4𝑕 2 = ℎ 0 + 2ℎ 1 + 4ℎ 2 + 8ℎ 3 + 16ℎ 4 2 𝑔 0 + 3𝑔 1 + 9𝑔 𝑕 0 + 3𝑕 1 + 9𝑕 2 = ℎ 0 + 3ℎ 1 + 9ℎ 2 + 27ℎ 3 + 81ℎ 4 2 Each coefficient is a field variable: 𝑔 0 + 4𝑔 1 + 16𝑔 𝑕 0 + 4𝑕 1 + 16𝑕 2 = ℎ 0 + 4ℎ 1 + 16ℎ 2 + 64ℎ 3 + 256ℎ 4 2 • 2 𝑦 2 𝑔 𝑦 = 𝑔 0 + 𝑔 1 𝑦 + 𝑔 𝑔 0 + 5𝑔 1 + 25𝑔 𝑕 0 + 5𝑕 1 + 25𝑕 2 = ℎ 0 + 5ℎ 1 + 25ℎ 2 + 125ℎ 3 + 625ℎ 4 2 𝑕 𝑦 = 𝑕 0 + 𝑕 1 𝑦 + 𝑕 2 𝑦 2 • ℎ 𝑦 = ℎ 0 + ℎ 1 𝑦 + ℎ 2 𝑦 2 + ℎ 3 𝑦 3 + ℎ 4 𝑦 4 • Check 𝑔 𝑏 ⋅ 𝑕 𝑏 = ℎ 𝑏 for different 𝑏

Big Natural Multiplication Abstract Constraint Rank-1 Constraints Sketch 𝑦 ⋅ 𝑧 = 𝑨 Represent naturals with limbs, base 𝑐 . Each limb is a field element. 𝑑𝑏𝑠𝑠𝑧 𝑜𝑏𝑢 𝑞𝑝𝑚𝑧 𝑦 × 𝑞𝑝𝑚𝑧 𝑧 = 𝑨 𝑦 = 𝑦 0 + 𝑦 1 𝑐 + 𝑦 2 𝑐 2 • • 𝑧 = 𝑧 0 + 𝑧 1 𝑐 + 𝑧 2 𝑐 2 z = 𝑨 0 + 𝑨 1 𝑐 + 𝑨 2 𝑐 2 + 𝑨 3 𝑐 3 + 𝑨 4 𝑐 4 + 𝑨 5 𝑐 5 • ~ a ripple-carry adder from digital architecture (range checks!)

Big Natural Division Abstract Constraint Rank-1 Constraints Sketch 𝑧/𝑦 = 𝑟 Represent naturals with limbs, base 𝑐 . Each limb is a field element. ∃𝑠. 𝑧 = 𝑦𝑟 + 𝑠 𝑦 = 𝑦 0 + 𝑦 1 𝑐 + 𝑦 2 𝑐 2 • • 𝑧 = 𝑧 0 + 𝑧 1 𝑐 + 𝑧 2 𝑐 2 𝑟 = 𝑟 0 + 𝑟 1 𝑐 + 𝑟 2 𝑐 2 •

Cryptographic Programming RSA Proof Systems Them Accumulators 𝑦 0 𝑦 1 𝑦 𝑦 2 𝝆 𝑥 0 𝑥 1 𝑥 2

The Competition: Merkle Trees 𝑒 • Based on a hash function 𝐼: 𝐺 × 𝐺 → 𝐺 H • Collision-Resistant ℎ 2 ℎ 5 • Reduce the array to a single H H value with a hash-tree ℎ 0 ℎ 1 ℎ 3 ℎ 4 H H H H • Proofs based on paths in the tree x0 x1 x2 x3 x4 x5 x6 x7 Verification cost: (roughly) 𝒍 𝐦𝐩𝐡 𝒏 hashes for 𝑙 updates and a storage of capacity 𝑛 .

RSA Accumulators • Based on RSA groups • The integers modulo 𝑞𝑟 : the produce of two unknown primes. • Hard to compute roots. • 𝑦 𝑜 is easy, 𝑜 𝑦 is hard. The stored • The digest of an RSA Accumulator is elements 𝑒 = 𝑕 ς 𝑗 𝐼 Δ 𝑧 𝑗 Fixed A (special) hash generator function

RSA Accumulator Proofs • Insertion proof: 𝑒 ′ = 𝑒 𝐼 Δ 𝑧 • Verifier checks an exponentiation • Removal proof: • Insertion in reverse • Membership proof: • A removal proof, but the new digest is forgotten • Sound because computing roots is hard!

Batched RSA Accumulator Proofs • Batches require two small exponentiations [BBF 18]/[Wes 18] • Requires a hash function to prime numbers (for non-interactivity) Prover Verifier ℓ ℓ ⇜ Primes 𝑒 ′ = 𝑒 ς 𝑗 𝐼 Δ 𝑧 𝑗 ς 𝑗 𝐼 Δ (𝑧 𝑗 ) ൗ ℓ 𝑅 ← 𝑒 𝑅 𝑒 ′ = 𝑅 ℓ ⋅ 𝑒 ς 𝑗 𝐼 Δ 𝑧 𝑗 %ℓ Verification cost: 𝒍 (𝐢𝐛𝐭𝐢𝐟𝐭 & 𝐧𝐩𝐞𝐯𝐦𝐛𝐬 ×) + 𝟑 𝐟𝐲𝐪𝐩𝐨𝐟𝐨𝐮𝐣𝐛𝐮𝐣𝐩𝐨𝒕 for 𝑙 updates and a storage of capacity 𝑛 .

RSA Accumulator Circuit Overview Multiprecision Arithmetic ℓ ← 𝐼 𝑞 (… ) 𝑒 ′ = 𝑅 ℓ ⋅ 𝑒 ς 𝑗 𝐼 Δ 𝑧 𝑗 %ℓ

Traditional Hash-to-Prime • Rejection sampling of primes procedure HashToPrime(x): • Miller Rabin primality test 𝑕 ← 𝑄𝑆𝐻(𝑡𝑓𝑓𝑒 = 𝑦) • Probabilistic! while 𝑕 .output() is composite: • 2 −𝜇 soundness uses 𝑃(𝜇) , ෨ 𝑃 𝜇 - 𝑕 .advance() bit exponentiations • Many constraints Return 𝑕 .output()

Pocklington Prime Generation • Pocklington’s criterion: Base prime test • If 𝑞 0 PRG-based • 𝑞 is prime rejection • 𝑜 < 𝑞 P’s Criterion with 𝑜 1 sampling ∃𝑏. 𝑏 𝑜𝑞 ≡ 𝑜𝑞+1 1 ⋀ gcd 𝑏 𝑜 − 1, 𝑜𝑞 + 1 = 1 • 𝑞 1 • Then 𝑜𝑞 + 1 is prime • Basis for a recursive primality P’s Criterion with 𝑜 2 certificate 𝑞 2 • Idea: Rejection sampling of prime P’s Criterion with 𝑜 3 certificates 𝑞 3 Many fewer constraints than Miller-Rabin, and provably prime

Other Techniques and Tricks • Optimizations for multiprecision arithmetic in constraints • Based on xjSnark [KPS 18] • A new hash function, conjectured to be division-intractable • Precise semantics for batching dependent accesses.

Evaluation: Constraints • Implementation in 2 5 Bellman, using Groth16. 2 10 • Consider storage of 2 15 varying size 2 20 • Perform varying numbers of swaps (remove x, add y) • Measure constraints • Crossover occurs at a few thousand operations

Evaluation: Prover Time • Includes RSA accumulator removal time ( ≈ 43s) • Computing 𝑒 ′ such that 𝑒 = 𝑒 ′ς 𝑗 𝐼 Δ 𝑧 𝑗 2 20 • Independent of batch size, 2 20 linear in storage size. • Machine info: • 48 logical cores • 132GB memory

Future Directions • Better investigation of concrete prover costs • Integration with the proof system • Direct support for range-proofs ( 𝑨 < 2 32 ) • Arithmetic circuits over ℤ/𝑞𝑟ℤ (crazy?) • Managing non-proof prover costs • Multi-tiered accumulators? • Hybrid RSA-Merkle accumulators?

Summary Research Question Conclusions Do RSA accumulators use fewer constraints than Merkle Trees? Techniques • Multiprecision arithmetic • Division-intractable hashing • Hashing to prime numbers • Semantics of dependent accesses Paper: ia.cr/2019/1494 Implementation: github.com/alex-ozdemir/bellman-bignat