Scaling Verifiable Computation Using Efficient Set Accumulators USENIX Security, 2020 Alex Ozdemir* , Riad Wahby*, Barry Whitehat^, Dan Boneh* *Stanford ^Unaffiliated
Problem: Verifiable Storage โข Represent a large storage (e.g. array) with a small digest โข Verifiably read and update the digest ๐ โ ๐ธ๐๐๐๐ก๐ข(๐ต) Prover (๐ต, ๐) Verifier (๐) ๐, ๐ค, ๐ ๐ ๐๐๐ ๐๐๐ง ๐ ๐๐๐ (๐, ๐, ๐ค, ๐ ๐ ) ๐ค โ ๐ต[๐] ๐ต ๐ ๐ฅ โ ๐ค ๐ฅ ๐โฒ, ๐ ๐ฅ , ๐ค ๐ฅ , ๐ ๐ฅ ๐๐๐ ๐๐๐ง ๐ฃ๐๐๐๐ข๐ (๐, ๐ ๐ฅ , ๐ค ๐ฅ , ๐ โฒ , ๐ ๐ฅ ) Context: Verifiable outsourcing/cryptographic proof systems Our Work: Concretely cheaper verifiable storage using RSA accumulators
Cryptographic Programming RSA Proof Systems Them Accumulators ๐ฆ 0 ๐ฆ 1 ๐ฆ ๐ฆ 2 ๐ ๐ฅ 0 ๐ฅ 1 ๐ฅ 2
Cryptographic Programming RSA Proof Systems Them Accumulators ๐ฆ 0 ๐ฆ 1 ๐ฆ ๐ฆ 2 ๐ ๐ฅ 0 ๐ฅ 1 ๐ฅ 2
NP Proof Systems ๐ โ ๐๐ (๐ฆ โ ๐)? ๐ฅ โ ? ๐ฆ ๐ฅ Properties โข ๐ฅ โ ๐๐๐๐ง(|๐ฆ|) โข ๐ ๐ ๐ โ ๐๐๐๐ง |๐ฆ| โ ๐ฅ. ๐พ ๐ด ๐ฆ, ๐ฅ ? โข Aladdin learns ๐ฅ
Cryptographic Proof Systems: Abstract ๐ฅ โ ? ๐ โ ๐๐ ๐ก. ๐ข. ๐ ๐ ๐ฆ, ๐ฅ = โค (๐ฆ โ ๐)? ๐ โ ๐ธ๐๐๐๐ ๐พ ๐ด (๐ฆ, ๐ฅ) ๐ฆ ๐ Extra Properties Using PCPs + โข ๐ โ ๐(1) Cryptography โข ๐ ๐๐๐ ๐๐๐ง โ ๐ |๐ฆ| ๐พ๐๐๐๐๐ ๐พ ๐ด (๐, ๐ฆ โ ๐) โข (Aladdin doesnโt learn ๐ฅ ) โข ๐ ๐๐ ๐๐ค๐ โ ๐๐๐๐ง ๐ ๐ ๐
Cryptographic Proof Systems: Concrete ๐ must be verifiable by an arithmetic constraint system (arithmetic circuit) ๐ฆ 0 ๐ฆ 1 ๐ ๐ ๐ฆ, ๐ฅ ๐ฆ 2 ๐ฅ 0 ๐ฅ 1 ๐ฅ 2
Rank-1 Constraint Systems (R1CS) โข Constraints have the form ๐ฆ 0 1 โ ๐ฆ 0 = 0 ๐ต ร ๐ถ = ๐ท 0 = ๐ฅ 0 + 2๐ฅ 1 + 4๐ฅ 2 โ ๐ฆ where ๐ต, ๐ถ, ๐ท are linear combinations of variables ๐ฆ 0 ๐ฆ 1 = ๐ฅ โข Prover time proportional to ๐ฆ 0 ๐ฆ 1 ๐ฆ 2 = ๐ฅ constraint count.
Cryptographic Programming RSA Proof Systems Them Accumulators ๐ฆ 0 ๐ฆ 1 ๐ฆ ๐ฆ 2 ๐ ๐ฅ 0 ๐ฅ 1 ๐ฅ 2
What Does Programming in R1CS Mean? Abstract Constraint Rank-1 Constraints ๐ต 1 ร ๐ถ 1 = ๐ท 1 ๐ต 2 ร ๐ถ 2 = ๐ท 2 ๐จ < 16 ๐ต 3 ร ๐ถ 3 = ๐ท 3 โProgrammingโ โฎ ๐ต ๐ ร ๐ถ ๐ = ๐ท ๐ Variables encoded as field variables Constraints may use Predicates encoded witness variables as constraints
Inequality in R1CS Abstract Constraint Rank-1 Constraints ๐ฅ 0 ร (1 โ ๐ฅ 0 ) = 0 ๐ฅ 1 ร (1 โ ๐ฅ 1 ) = 0 ๐จ < 16 ๐ฅ 2 ร (1 โ ๐ฅ 2 ) = 0 ๐ฅ 3 ร (1 โ ๐ฅ 3 ) = 0 0 = ๐ฅ 0 + 2๐ฅ 1 + 4๐ฅ 2 + 8๐ฅ 3 โ ๐จ Encoded as the field variable ๐
Polynomial Multiplication Abstract Constraint Rank-1 Constraints ๐ 0 + ๐ 1 + ๐ ๐ 0 + ๐ 1 + ๐ 2 = โ 0 + โ 1 + โ 2 + โ 3 + โ 4 2 ๐ ๐ฆ โ ๐ ๐ฆ = โ(๐ฆ) ๐ 0 + 2๐ 1 + 4๐ ๐ 0 + 2๐ 1 + 4๐ 2 = โ 0 + 2โ 1 + 4โ 2 + 8โ 3 + 16โ 4 2 ๐ 0 + 3๐ 1 + 9๐ ๐ 0 + 3๐ 1 + 9๐ 2 = โ 0 + 3โ 1 + 9โ 2 + 27โ 3 + 81โ 4 2 Each coefficient is a field variable: ๐ 0 + 4๐ 1 + 16๐ ๐ 0 + 4๐ 1 + 16๐ 2 = โ 0 + 4โ 1 + 16โ 2 + 64โ 3 + 256โ 4 2 โข 2 ๐ฆ 2 ๐ ๐ฆ = ๐ 0 + ๐ 1 ๐ฆ + ๐ ๐ 0 + 5๐ 1 + 25๐ ๐ 0 + 5๐ 1 + 25๐ 2 = โ 0 + 5โ 1 + 25โ 2 + 125โ 3 + 625โ 4 2 ๐ ๐ฆ = ๐ 0 + ๐ 1 ๐ฆ + ๐ 2 ๐ฆ 2 โข โ ๐ฆ = โ 0 + โ 1 ๐ฆ + โ 2 ๐ฆ 2 + โ 3 ๐ฆ 3 + โ 4 ๐ฆ 4 โข Check ๐ ๐ โ ๐ ๐ = โ ๐ for different ๐
Big Natural Multiplication Abstract Constraint Rank-1 Constraints Sketch ๐ฆ โ ๐ง = ๐จ Represent naturals with limbs, base ๐ . Each limb is a field element. ๐๐๐ ๐ ๐ง ๐๐๐ข ๐๐๐๐ง ๐ฆ ร ๐๐๐๐ง ๐ง = ๐จ ๐ฆ = ๐ฆ 0 + ๐ฆ 1 ๐ + ๐ฆ 2 ๐ 2 โข โข ๐ง = ๐ง 0 + ๐ง 1 ๐ + ๐ง 2 ๐ 2 z = ๐จ 0 + ๐จ 1 ๐ + ๐จ 2 ๐ 2 + ๐จ 3 ๐ 3 + ๐จ 4 ๐ 4 + ๐จ 5 ๐ 5 โข ~ a ripple-carry adder from digital architecture (range checks!)
Big Natural Division Abstract Constraint Rank-1 Constraints Sketch ๐ง/๐ฆ = ๐ Represent naturals with limbs, base ๐ . Each limb is a field element. โ๐ . ๐ง = ๐ฆ๐ + ๐ ๐ฆ = ๐ฆ 0 + ๐ฆ 1 ๐ + ๐ฆ 2 ๐ 2 โข โข ๐ง = ๐ง 0 + ๐ง 1 ๐ + ๐ง 2 ๐ 2 ๐ = ๐ 0 + ๐ 1 ๐ + ๐ 2 ๐ 2 โข
Cryptographic Programming RSA Proof Systems Them Accumulators ๐ฆ 0 ๐ฆ 1 ๐ฆ ๐ฆ 2 ๐ ๐ฅ 0 ๐ฅ 1 ๐ฅ 2
The Competition: Merkle Trees ๐ โข Based on a hash function ๐ผ: ๐บ ร ๐บ โ ๐บ H โข Collision-Resistant โ 2 โ 5 โข Reduce the array to a single H H value with a hash-tree โ 0 โ 1 โ 3 โ 4 H H H H โข Proofs based on paths in the tree x0 x1 x2 x3 x4 x5 x6 x7 Verification cost: (roughly) ๐ ๐ฆ๐ฉ๐ก ๐ hashes for ๐ updates and a storage of capacity ๐ .
RSA Accumulators โข Based on RSA groups โข The integers modulo ๐๐ : the produce of two unknown primes. โข Hard to compute roots. โข ๐ฆ ๐ is easy, ๐ ๐ฆ is hard. The stored โข The digest of an RSA Accumulator is elements ๐ = ๐ ฯ ๐ ๐ผ ฮ ๐ง ๐ Fixed A (special) hash generator function
RSA Accumulator Proofs โข Insertion proof: ๐ โฒ = ๐ ๐ผ ฮ ๐ง โข Verifier checks an exponentiation โข Removal proof: โข Insertion in reverse โข Membership proof: โข A removal proof, but the new digest is forgotten โข Sound because computing roots is hard!
Batched RSA Accumulator Proofs โข Batches require two small exponentiations [BBF 18]/[Wes 18] โข Requires a hash function to prime numbers (for non-interactivity) Prover Verifier โ โ โ Primes ๐ โฒ = ๐ ฯ ๐ ๐ผ ฮ ๐ง ๐ ฯ ๐ ๐ผ ฮ (๐ง ๐ ) เต โ ๐ โ ๐ ๐ ๐ โฒ = ๐ โ โ ๐ ฯ ๐ ๐ผ ฮ ๐ง ๐ %โ Verification cost: ๐ (๐ข๐๐ญ๐ข๐๐ญ & ๐ง๐ฉ๐๐ฏ๐ฆ๐๐ฌ ร) + ๐ ๐๐ฒ๐ช๐ฉ๐จ๐๐จ๐ฎ๐ฃ๐๐ฎ๐ฃ๐ฉ๐จ๐ for ๐ updates and a storage of capacity ๐ .
RSA Accumulator Circuit Overview Multiprecision Arithmetic โ โ ๐ผ ๐ (โฆ ) ๐ โฒ = ๐ โ โ ๐ ฯ ๐ ๐ผ ฮ ๐ง ๐ %โ
Traditional Hash-to-Prime โข Rejection sampling of primes procedure HashToPrime(x): โข Miller Rabin primality test ๐ โ ๐๐๐ป(๐ก๐๐๐ = ๐ฆ) โข Probabilistic! while ๐ .output() is composite: โข 2 โ๐ soundness uses ๐(๐) , เทจ ๐ ๐ - ๐ .advance() bit exponentiations โข Many constraints Return ๐ .output()
Pocklington Prime Generation โข Pocklingtonโs criterion: Base prime test โข If ๐ 0 PRG-based โข ๐ is prime rejection โข ๐ < ๐ Pโs Criterion with ๐ 1 sampling โ๐. ๐ ๐๐ โก ๐๐+1 1 โ gcd ๐ ๐ โ 1, ๐๐ + 1 = 1 โข ๐ 1 โข Then ๐๐ + 1 is prime โข Basis for a recursive primality Pโs Criterion with ๐ 2 certificate ๐ 2 โข Idea: Rejection sampling of prime Pโs Criterion with ๐ 3 certificates ๐ 3 Many fewer constraints than Miller-Rabin, and provably prime
Other Techniques and Tricks โข Optimizations for multiprecision arithmetic in constraints โข Based on xjSnark [KPS 18] โข A new hash function, conjectured to be division-intractable โข Precise semantics for batching dependent accesses.
Evaluation: Constraints โข Implementation in 2 5 Bellman, using Groth16. 2 10 โข Consider storage of 2 15 varying size 2 20 โข Perform varying numbers of swaps (remove x, add y) โข Measure constraints โข Crossover occurs at a few thousand operations
Evaluation: Prover Time โข Includes RSA accumulator removal time ( โ 43s) โข Computing ๐ โฒ such that ๐ = ๐ โฒฯ ๐ ๐ผ ฮ ๐ง ๐ 2 20 โข Independent of batch size, 2 20 linear in storage size. โข Machine info: โข 48 logical cores โข 132GB memory
Future Directions โข Better investigation of concrete prover costs โข Integration with the proof system โข Direct support for range-proofs ( ๐จ < 2 32 ) โข Arithmetic circuits over โค/๐๐โค (crazy?) โข Managing non-proof prover costs โข Multi-tiered accumulators? โข Hybrid RSA-Merkle accumulators?
Summary Research Question Conclusions Do RSA accumulators use fewer constraints than Merkle Trees? Techniques โข Multiprecision arithmetic โข Division-intractable hashing โข Hashing to prime numbers โข Semantics of dependent accesses Paper: ia.cr/2019/1494 Implementation: github.com/alex-ozdemir/bellman-bignat
Recommend
More recommend