Scaling Verifiable Computation Using Efficient Set Accumulators, USENIX Security 2020, Alex Ozdemir et al. - PowerPoint PPT Presentation


  1. Scaling Verifiable Computation Using Efficient Set Accumulators
     USENIX Security, 2020
     Alex Ozdemir*, Riad Wahby*, Barry Whitehat^, Dan Boneh*
     *Stanford  ^Unaffiliated

  2. Problem: Verifiable Storage
     • Represent a large storage (e.g. an array $A$) with a small digest $d \leftarrow \mathrm{Digest}(A)$
     • Verifiably read and update the digest
     Setting: the Prover holds $(A, d)$, the Verifier holds only $d$.
     Read: the Prover computes $v \leftarrow A[i]$ and sends $(i, v, \pi_r)$; the Verifier runs $\mathrm{Verify}_{\mathrm{read}}(d, i, v, \pi_r)$.
     Update: the Prover sets $A[i_w] \leftarrow v_w$ and sends $(d', i_w, v_w, \pi_w)$; the Verifier runs $\mathrm{Verify}_{\mathrm{update}}(d, i_w, v_w, d', \pi_w)$.
     Context: verifiable outsourcing / cryptographic proof systems
     Our work: concretely cheaper verifiable storage using RSA accumulators

  3. Roadmap: Cryptographic Proof Systems → Programming Them → RSA Accumulators
     (figure: public inputs $x_0, x_1, x_2$ and witness $w_0, w_1, w_2$ go into a proof $\pi$)

  4. Roadmap (repeated): Cryptographic Proof Systems → Programming Them → RSA Accumulators

  5. NP Proof Systems
     • A language $L \in \mathsf{NP}$; the question is whether $x \in L$
     • The Prover finds a witness $w$ and sends it; the Verifier decides $\exists w.\ V_L(x, w)$ by running $V_L(x, w)$
     Properties:
     • $|w| \in \mathrm{poly}(|x|)$
     • $T_{V_L} \in \mathrm{poly}(|x|)$
     • Aladdin (the verifier) learns $w$

  6. Cryptographic Proof Systems: Abstract
     • $L \in \mathsf{NP}$ s.t. $V_L(x, w) = \top$; the question is whether $x \in L$
     • The Prover finds $w$, computes $\pi \leftarrow \mathrm{Prove}_{V_L}(x, w)$ and sends $(x, \pi)$
     • The Verifier runs $\mathrm{Verify}_{V_L}(\pi, x \in L)$
     Extra properties, using PCPs + cryptography:
     • $|\pi| \in O(1)$
     • $T_{\mathrm{Verify}} \in O(|x|)$
     • (Aladdin doesn't learn $w$)
     • $T_{\mathrm{Prove}} \in \mathrm{poly}(T_{V_L})$

  7. Cryptographic Proof Systems: Concrete
     $L$ must be verifiable by an arithmetic constraint system (arithmetic circuit): $V_L(x, w)$ is a circuit over the public inputs $x_0, x_1, x_2$ and the witness $w_0, w_1, w_2$.

  8. Rank-1 Constraint Systems (R1CS)
     • Constraints have the form $A \times B = C$, where $A$, $B$, $C$ are linear combinations of variables
       e.g. $x_0 \times (1 - x_0) = 0$ and $0 = w_0 + 2w_1 + 4w_2 - x$
     • Prover time is proportional to the constraint count.

  9. Roadmap (repeated): Cryptographic Proof Systems → Programming Them → RSA Accumulators

  10. What Does Programming in R1CS Mean?
     Abstract constraint (e.g. $z < 16$) →"Programming"→ Rank-1 constraints $A_1 \times B_1 = C_1$, $A_2 \times B_2 = C_2$, $A_3 \times B_3 = C_3$, …, $A_n \times B_n = C_n$
     • Variables are encoded as field variables
     • Predicates are encoded as constraints
     • Constraints may use witness variables

  11. Inequality in R1CS
     Abstract constraint: $z < 16$, with $z$ encoded as a field variable.
     Rank-1 constraints (the witness variables $w_0, \dots, w_3$ are the bits of $z$):
       $w_0 \times (1 - w_0) = 0$
       $w_1 \times (1 - w_1) = 0$
       $w_2 \times (1 - w_2) = 0$
       $w_3 \times (1 - w_3) = 0$
       $0 = w_0 + 2w_1 + 4w_2 + 8w_3 - z$
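The gadget on slide 11, written out as an added example (this is not code from the slides or from bellman-bignat). It generalises the slide's $z < 16$ to $z < 2^n$, represents linear combinations as `{wire: coefficient}` dictionaries (this example's own representation, not Bellman's), and checks three witnesses: an honest one, a value that does not fit in $n$ bits, and a cheating witness that satisfies the linear constraint with a non-boolean "bit" but is rejected by the booleanity constraints. The field modulus is assumed to be the BN254 scalar field.

```python
"""Added example, not from the slides: the abstract constraint z < 2^n
(slide 11 has n = 4) as a rank-1 constraint system, with a checker.

Representation (this example's own, not Bellman's): a linear combination is
{wire: coeff} over the prime field F_p, "1" is the constant wire, and a
constraint is a triple (A, B, C) meaning A * B = C.
"""
from typing import Dict, List, Tuple

# Assumption: the BN254 scalar field, the field Bellman/Groth16 deployments commonly use.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617

LinComb = Dict[str, int]
Constraint = Tuple[LinComb, LinComb, LinComb]


def lt_pow2_constraints(n: int) -> List[Constraint]:
    """n booleanity constraints w_j * (1 - w_j) = 0 and one linear constraint
    0 = sum_j 2^j w_j - z, written as 1 * (sum_j 2^j w_j - z) = 0."""
    cs: List[Constraint] = []
    for j in range(n):
        wj = f"w{j}"
        cs.append(({wj: 1}, {"1": 1, wj: -1}, {}))
    lin: LinComb = {f"w{j}": 1 << j for j in range(n)}
    lin["z"] = -1
    cs.append(({"1": 1}, lin, {}))
    return cs


def lt_pow2_witness(z: int, n: int) -> Dict[str, int]:
    """Prover side: the witness wires are the n low bits of z."""
    wit = {"1": 1, "z": z % P}
    for j in range(n):
        wit[f"w{j}"] = (z >> j) & 1
    return wit


def evaluate(lc: LinComb, wit: Dict[str, int]) -> int:
    return sum(c * wit[v] for v, c in lc.items()) % P


def satisfied(cs: List[Constraint], wit: Dict[str, int]) -> bool:
    """Every A * B == C must hold in F_p; this is what the proof system enforces."""
    return all(evaluate(a, wit) * evaluate(b, wit) % P == evaluate(c, wit)
               for a, b, c in cs)


def demo() -> Tuple[bool, bool, bool]:
    cs = lt_pow2_constraints(4)
    honest = satisfied(cs, lt_pow2_witness(13, 4))    # 13 < 16: satisfiable
    too_big = satisfied(cs, lt_pow2_witness(20, 4))   # 20 has a 5th bit: 0+0+4+0 != 20
    # Cheating attempt: a non-boolean "bit" w3 = 2 makes the linear constraint
    # hold for z = 20 (4*1 + 8*2), but the booleanity constraint on w3 rejects it.
    cheat = lt_pow2_witness(20, 4)
    cheat.update({"w0": 0, "w1": 0, "w2": 1, "w3": 2})
    return honest, too_big, satisfied(cs, cheat)


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The constraint count is $n + 1$, which is why range checks dominate the cost of the multiprecision gadgets on the following slides.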

  12. Polynomial Multiplication
     Abstract constraint: $f(x) \cdot g(x) = h(x)$, where each coefficient is a field variable:
     • $f(x) = f_0 + f_1 x + f_2 x^2$
     • $g(x) = g_0 + g_1 x + g_2 x^2$
     • $h(x) = h_0 + h_1 x + h_2 x^2 + h_3 x^3 + h_4 x^4$
     Rank-1 constraints: check $f(a) \cdot g(a) = h(a)$ at different points $a$ (five points suffice, since two polynomials of degree at most 4 that agree at five points are equal):
       $(f_0 + f_1 + f_2)(g_0 + g_1 + g_2) = h_0 + h_1 + h_2 + h_3 + h_4$
       $(f_0 + 2f_1 + 4f_2)(g_0 + 2g_1 + 4g_2) = h_0 + 2h_1 + 4h_2 + 8h_3 + 16h_4$
       $(f_0 + 3f_1 + 9f_2)(g_0 + 3g_1 + 9g_2) = h_0 + 3h_1 + 9h_2 + 27h_3 + 81h_4$
       $(f_0 + 4f_1 + 16f_2)(g_0 + 4g_1 + 16g_2) = h_0 + 4h_1 + 16h_2 + 64h_3 + 256h_4$
       $(f_0 + 5f_1 + 25f_2)(g_0 + 5g_1 + 25g_2) = h_0 + 5h_1 + 25h_2 + 125h_3 + 625h_4$

  13. Big Natural Multiplication
     Abstract constraint: $x \cdot y = z$
     Sketch: represent naturals with limbs, base $b$; each limb is a field element:
     • $x = x_0 + x_1 b + x_2 b^2$
     • $y = y_0 + y_1 b + y_2 b^2$
     • $z = z_0 + z_1 b + z_2 b^2 + z_3 b^3 + z_4 b^4 + z_5 b^5$
     Rank-1 constraints: $\mathrm{poly}(x) \times \mathrm{poly}(y) = \mathrm{poly}(z)$ as on the previous slide, then carry out, like a ripple-carry adder from digital architecture (range checks!)

  14. Big Natural Division
     Abstract constraint: $y / x = q$
     Sketch: the same limb representation, base $b$, each limb a field element:
     • $x = x_0 + x_1 b + x_2 b^2$
     • $y = y_0 + y_1 b + y_2 b^2$
     • $q = q_0 + q_1 b + q_2 b^2$
     Rank-1 constraints: the prover supplies the remainder $r$ as a witness and the circuit checks $\exists r.\ y = xq + r$, i.e. one big multiplication plus an addition. (For $q$ to be unique the remainder also needs the range check $r < x$; without it $q = 0, r = y$ satisfies the equation.)
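Slides 12 to 14 in plain Python, as an added example that is not code from the slides or from bellman-bignat: the limb vectors are multiplied as polynomials, that product is checked at $\deg(h) + 1$ points exactly as the R1CS on slide 12 does, the carries are then rippled out, and division is checked as $y = xq + r$ with the remainder range check. The base, limb count and function names are this example's own choices.

```python
"""Added example, not from the slides: the multiprecision gadgets of
slides 12-14 (polynomial product checked at points, limb multiplication
with ripple carry, and division as a multiply-and-add check) in plain
Python. The base, limb count and names are this example's own choices.
"""
from typing import List, Sequence

BASE = 1 << 32   # limb base b; the circuit picks it so products and carries fit the field
LIMBS = 3        # x and y have 3 limbs each, so x*y has up to 6


def to_limbs(v: int, k: int = LIMBS) -> List[int]:
    """Little-endian limbs of v; in-circuit each limb would be range-checked to [0, BASE)."""
    out = []
    for _ in range(k):
        out.append(v % BASE)
        v //= BASE
    if v:
        raise ValueError("value does not fit in %d limbs" % k)
    return out


def from_limbs(limbs: Sequence[int]) -> int:
    return sum(l * BASE ** i for i, l in enumerate(limbs))


def poly_mul(f: Sequence[int], g: Sequence[int]) -> List[int]:
    """Coefficient product h = f * g (slide 12); limbs play the role of coefficients."""
    h = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[i + j] += fi * gj
    return h


def poly_identity_holds(f: Sequence[int], g: Sequence[int], h: Sequence[int]) -> bool:
    """The R1CS check of slide 12: f(a) * g(a) == h(a) at deg(h) + 1 distinct
    points a = 1, 2, 3, ... Two polynomials of degree <= deg(h) that agree on
    that many points are equal, so this is equivalent to h == f * g."""
    def ev(c: Sequence[int], a: int) -> int:
        return sum(ci * a ** i for i, ci in enumerate(c))
    return all(ev(f, a) * ev(g, a) == ev(h, a) for a in range(1, len(h) + 1))


def carry_out(h: Sequence[int]) -> List[int]:
    """Ripple carry (slide 13): un-normalised product limbs -> base-BASE limbs.
    Every limb and carry is bounded, which is what the range checks enforce."""
    z, carry = [], 0
    for hi in h:
        t = hi + carry
        z.append(t % BASE)
        carry = t // BASE
    while carry:
        z.append(carry % BASE)
        carry //= BASE
    return z


def big_mul(x: int, y: int) -> int:
    fx, gy = to_limbs(x), to_limbs(y)
    h = poly_mul(fx, gy)
    assert poly_identity_holds(fx, gy, h)
    return from_limbs(carry_out(h))


def big_divmod_check(y: int, x: int, q: int, r: int) -> bool:
    """Slide 14: the prover supplies quotient q and remainder r as witnesses and
    the circuit checks y == x*q + r. The range check r < x is what makes q
    unique (otherwise q = 0, r = y would also pass)."""
    return 0 <= r < x and big_mul(x, q) + r == y
```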

  15. Roadmap (repeated): Cryptographic Proof Systems → Programming Them → RSA Accumulators

  16. The Competition: Merkle Trees
     • Based on a collision-resistant hash function $H: \mathbb{F} \times \mathbb{F} \to \mathbb{F}$
     • Reduce the array to a single value $d$ with a hash tree (figure: leaves $x_0, \dots, x_7$, internal nodes $h_0, \dots, h_5$, root $d$)
     • Proofs are based on paths in the tree
     Verification cost: (roughly) $k \log m$ hashes for $k$ updates and a storage of capacity $m$.
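The Merkle baseline of slide 16 as an added example (not code from the slides or from bellman-bignat): read proofs are sibling paths, an update proof reuses the same path against the old and the new root, and a hash counter shows the $\log_2 m$ hashes per read and $2 \log_2 m$ per update behind the slide's $k \log m$. The leaf encoding and SHA-256 compression are this example's own choices.

```python
"""Added example, not from the slides: a Merkle tree over an array with
read and update proofs, plus a hash counter that shows the k * log(m) cost
of slide 16. The hash function and layout are this example's own choices.
"""
import hashlib
from typing import List, Tuple

HASH_COUNT = 0


def H(left: bytes, right: bytes) -> bytes:
    """Collision-resistant compression H: F x F -> F, here SHA-256 over 64 bytes."""
    global HASH_COUNT
    HASH_COUNT += 1
    return hashlib.sha256(left + right).digest()


def leaf(v: int) -> bytes:
    # Leaves are hashed over a different input length than internal nodes,
    # so a leaf can never be presented as an internal node (or vice versa).
    return hashlib.sha256(b"leaf" + v.to_bytes(32, "big")).digest()


def build(values: List[int]) -> List[List[bytes]]:
    """Return all levels, leaves first; len(values) must be a power of two."""
    levels = [[leaf(v) for v in values]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def digest(levels: List[List[bytes]]) -> bytes:
    return levels[-1][0]


def path(levels: List[List[bytes]], i: int) -> List[bytes]:
    """Sibling hashes from leaf i up to the root: the read proof pi_r."""
    siblings = []
    for lvl in levels[:-1]:
        siblings.append(lvl[i ^ 1])
        i >>= 1
    return siblings


def root_from_path(i: int, v: int, siblings: List[bytes]) -> bytes:
    node = leaf(v)
    for s in siblings:
        node = H(s, node) if i & 1 else H(node, s)
        i >>= 1
    return node


def verify_read(d: bytes, i: int, v: int, siblings: List[bytes]) -> bool:
    return root_from_path(i, v, siblings) == d


def verify_update(d: bytes, i: int, v_old: int, v_new: int, d_new: bytes,
                  siblings: List[bytes]) -> bool:
    """The same path authenticates the old leaf against d and the new leaf
    against d', so an update costs two root recomputations."""
    return (root_from_path(i, v_old, siblings) == d
            and root_from_path(i, v_new, siblings) == d_new)


def hashes_used(fn, *args) -> Tuple[object, int]:
    """Run fn and report how many H calls it made."""
    global HASH_COUNT
    before = HASH_COUNT
    result = fn(*args)
    return result, HASH_COUNT - before
```

Inside a proof system each of those hashes is a full hash-function circuit, which is why the accumulator comparison on the later slides is measured in constraints rather than in hash calls.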

  17. RSA Accumulators
     • Based on RSA groups: the integers modulo $pq$, the product of two unknown primes
     • Hard to compute roots: $x^n$ is easy, $\sqrt[n]{x}$ is hard
     • The digest of an RSA accumulator is $d = g^{\prod_i H_\Delta(y_i)}$, where $g$ is a fixed generator, the $y_i$ are the stored elements, and $H_\Delta$ is a (special) hash function

  18. RSA Accumulator Proofs
     • Insertion proof: $d' = d^{H_\Delta(y)}$; the verifier checks an exponentiation
     • Removal proof: insertion in reverse, i.e. the prover presents $d'$ and the verifier checks $d = d'^{H_\Delta(y)}$
     • Membership proof: a removal proof, but the new digest is forgotten
     • Sound because computing roots is hard!

  19. Batched RSA Accumulator Proofs
     • Batches require only two small exponentiations [BBF18]/[Wes18]
     • Requires a hash function to prime numbers (for non-interactivity)
     Proof of exponentiation for the batch insertion $d' = d^{\prod_i H_\Delta(y_i)}$:
       Verifier → Prover: a challenge prime $\ell \twoheadleftarrow \mathrm{Primes}$
       Prover → Verifier: $Q \leftarrow d^{\lfloor \prod_i H_\Delta(y_i) / \ell \rfloor}$
       Verifier checks: $d' = Q^{\ell} \cdot d^{\prod_i H_\Delta(y_i) \bmod \ell}$
     Verification cost: $k$ (hashes & modular $\times$) $+\ 2$ exponentiations, for $k$ updates and a storage of capacity $m$.

  20. RSA Accumulator Circuit Overview
     Multiprecision arithmetic throughout: compute $\ell \leftarrow H_p(\dots)$ (hash to prime), then check $d' = Q^{\ell} \cdot d^{\prod_i H_\Delta(y_i) \bmod \ell}$

  21. Traditional Hash-to-Prime
     • Rejection sampling of primes
     • Miller-Rabin primality test: probabilistic! $2^{-\lambda}$ soundness uses $O(\lambda)$ exponentiations of $\tilde{O}(\lambda)$ bits
     • Many constraints
     procedure HashToPrime($x$):
         $g \leftarrow \mathrm{PRG}(\mathrm{seed} = x)$
         while $g.\mathrm{output}()$ is composite:
             $g.\mathrm{advance}()$
         return $g.\mathrm{output}()$
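Slides 19 and 21 together, as an added example that is not code from the slides or from bellman-bignat: the batched insertion with the [BBF18]/[Wes18] proof of exponentiation, made non-interactive by deriving $\ell$ with the rejection-sampling hash-to-prime of slide 21 (Miller-Rabin, so probabilistic, exactly the caveat the slide makes), plus the single-element membership proof of slide 18. Everything here is a toy: the modulus is the product of two published Mersenne primes, so its factorization is public and the construction is insecure; elements are hashed to 128-bit primes, which is one simple way to obtain a division-intractable $H_\Delta$ and not the paper's hash; all names are this example's own.

```python
"""Added example, not from the slides or from bellman-bignat: a batched RSA
accumulator insertion with the [BBF18]/[Wes18] proof of exponentiation
(slide 19), made non-interactive with the rejection-sampling hash-to-prime
of slide 21. Toy parameters throughout: the modulus is built from two
published Mersenne primes, so the factorization is public and nothing here
is secure; elements are hashed to 128-bit primes, a simple (not the paper's)
way to get a division-intractable H_Delta. Names are this example's own.
"""
import hashlib

# INSECURE demo modulus (2^61-1)*(2^89-1): real deployments need a modulus of
# unknown factorization (e.g. an RSA challenge modulus or a trusted setup).
N = (2 ** 61 - 1) * (2 ** 89 - 1)
G = 3  # fixed base, standing in for the generator g of slide 17

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: deterministic below ~3.3e24, probabilistic
    above, which is the soundness caveat slide 21 makes."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def hash_to_prime(data: bytes, bits: int = 128) -> int:
    """Slide 21: PRG(seed = data), advance the counter until the output is prime."""
    ctr = 0
    while True:
        h = hashlib.sha256(data + ctr.to_bytes(4, "big")).digest()
        cand = (int.from_bytes(h, "big") >> (256 - bits)) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand
        ctr += 1


def H_delta(elem: bytes) -> int:
    return hash_to_prime(b"elem|" + elem)


def accumulate(elems) -> int:
    """d = g^{prod_i H_delta(y_i)} mod N (slide 17)."""
    d = G
    for e in elems:
        d = pow(d, H_delta(e), N)
    return d


def challenge_prime(d: int, d_new: int, elems) -> int:
    """Fiat-Shamir: the challenge l is a prime derived from the whole statement."""
    t = b"|".join([d.to_bytes(32, "big"), d_new.to_bytes(32, "big")] + list(elems))
    return hash_to_prime(b"poe|" + t)


def prove_batch_insert(d: int, new_elems):
    """Prover: d' = d^x with x = prod H_delta(y_i), then Q = d^{floor(x / l)}."""
    x = 1
    for e in new_elems:
        x *= H_delta(e)
    d_new = pow(d, x, N)
    l = challenge_prime(d, d_new, new_elems)
    return d_new, pow(d, x // l, N)


def verify_batch_insert(d: int, d_new: int, new_elems, Q: int) -> bool:
    """Verifier: k hashes, k multiplications mod l, and only two exponentiations
    (Q^l and d^{x mod l}) however large x is. Slide 19's check: d' == Q^l * d^{x mod l}."""
    l = challenge_prime(d, d_new, new_elems)
    r = 1
    for e in new_elems:
        r = r * (H_delta(e) % l) % l
    return pow(Q, l, N) * pow(d, r, N) % N == d_new


def membership_witness(elems, e: bytes) -> int:
    """Slide 18: a removal proof whose new digest is forgotten. The prover,
    who knows every element, recomputes the digest of everything except e."""
    return accumulate([y for y in elems if y != e])


def verify_membership(d: int, e: bytes, w: int) -> bool:
    return pow(w, H_delta(e), N) == d
```

The point of `verify_batch_insert` is the cost profile on slide 19: the product of the element primes is never materialised on the verifier side, only its residue mod $\ell$, so the only large exponentiations are $Q^{\ell}$ and $d^{x \bmod \ell}$.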

  22. Pocklington Prime Generation
     • Pocklington's criterion: if $p$ is prime, $n < p$, and $\exists a.\ a^{np} \equiv 1 \pmod{np + 1} \ \wedge\ \gcd(a^{n} - 1,\ np + 1) = 1$, then $np + 1$ is prime
     • Basis for a recursive primality certificate
     • Idea: rejection sampling of prime certificates
     (figure) base prime test: PRG-based rejection sampling → $p_0$; P's criterion with $n_1$ → $p_1$; P's criterion with $n_2$ → $p_2$; P's criterion with $n_3$ → $p_3$
     Many fewer constraints than Miller-Rabin, and provably prime
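The certificate chain sketched on slide 22, as an added example (not code from the slides or from bellman-bignat): a small base prime is found by PRG-driven rejection sampling and checked exhaustively, then each step rejection-samples an $n < p$ until $N = np + 1$ has a Pocklington witness $a$, roughly doubling the bit length per step. The checker applies exactly the criterion on the slide, so a chain that verifies is a proof of primality rather than a probabilistic test. The PRG, the bit sizes and the bases tried are this example's own choices.

```python
"""Added example, not from the slides or from bellman-bignat: building and
checking a Pocklington primality certificate by rejection sampling, the
idea of slide 22. The PRG, the bit sizes and the bases tried are this
example's own choices.
"""
import hashlib
from math import gcd, isqrt
from typing import List, Tuple

Step = Tuple[int, int]  # (n, a): p_{i+1} = n * p_i + 1, witnessed by base a


def prg(seed: bytes, ctr: int, bits: int) -> int:
    """Deterministic sampler: SHA-256(seed || ctr) truncated to `bits` bits."""
    h = hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
    return int.from_bytes(h, "big") >> (256 - bits)


def trial_division_prime(n: int) -> bool:
    """Base prime test for p_0: exhaustive, affordable only because p_0 is small."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % f for f in range(3, isqrt(n) + 1, 2))


def base_prime(seed: bytes, bits: int = 32) -> int:
    ctr = 0
    while True:
        cand = prg(seed, ctr, bits) | (1 << (bits - 1)) | 1
        if trial_division_prime(cand):
            return cand
        ctr += 1


def pocklington_step(p: int, seed: bytes) -> Step:
    """Rejection-sample an even n < p until N = n*p + 1 has a Pocklington witness a:
    a^(N-1) = 1 (mod N) and gcd(a^n - 1, N) = 1. A rejected n usually costs a
    single exponentiation (a Fermat witness), which keeps the search cheap."""
    ctr = 0
    while True:
        # even n, so N is odd; n <= 2^(bits(p)-1) < p because p is an odd prime
        n = 2 * (prg(seed, ctr, p.bit_length() - 2) + 1)
        ctr += 1
        N = n * p + 1
        for a in (2, 3, 5, 7):
            if pow(a, N - 1, N) != 1:
                break                        # Fermat witness: N is composite
            if gcd(pow(a, n, N) - 1, N) == 1:
                return n, a                  # N is certified prime


def certify(seed: bytes, steps: int = 3) -> Tuple[int, List[Step], int]:
    """Grow a certified prime: about 32 -> 63 -> 125 -> 249 bits for steps = 3."""
    p0 = base_prime(seed)
    p, chain = p0, []
    for i in range(steps):
        n, a = pocklington_step(p, seed + bytes([i]))
        chain.append((n, a))
        p = n * p + 1
    return p0, chain, p


def verify_certificate(p0: int, chain: List[Step]) -> bool:
    """The verifier's (in-circuit) work: trial division of the small base prime,
    then per step two exponentiations, one gcd and the comparison n < p that
    Pocklington's criterion requires."""
    if not trial_division_prime(p0):
        return False
    p = p0
    for n, a in chain:
        N = n * p + 1
        if not 0 < n < p:
            return False
        if pow(a, N - 1, N) != 1 or gcd(pow(a, n, N) - 1, N) != 1:
            return False
        p = N
    return True
```

Note the comparison $n < p$ in the checker: dropping it breaks the proof, since Pocklington's criterion needs the certified factor $p$ of $N - 1$ to exceed $\sqrt{N}$.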

  23. Other Techniques and Tricks
     • Optimizations for multiprecision arithmetic in constraints, based on xjSnark [KPS18]
     • A new hash function, conjectured to be division-intractable
     • Precise semantics for batching dependent accesses

  24. Evaluation: Constraints
     • Implementation in Bellman, using Groth16
     • Consider storage of varying size (plot series: $2^5$, $2^{10}$, $2^{15}$, $2^{20}$)
     • Perform varying numbers of swaps (remove $x$, add $y$)
     • Measure constraints
     • Crossover occurs at a few thousand operations

  25. Evaluation: Prover Time
     • Includes RSA accumulator removal time ($\approx 43$s): computing $d'$ such that $d = d'^{\prod_i H_\Delta(y_i)}$; independent of batch size, linear in storage size (plot: storage of $2^{20}$)
     • Machine info: 48 logical cores, 132GB memory

  26. Future Directions
     • Better investigation of concrete prover costs
     • Integration with the proof system
       • Direct support for range proofs ($z < 2^{32}$)
       • Arithmetic circuits over $\mathbb{Z}/pq\mathbb{Z}$ (crazy?)
     • Managing non-proof prover costs
       • Multi-tiered accumulators?
       • Hybrid RSA-Merkle accumulators?

  27. Summary
     Research question: do RSA accumulators use fewer constraints than Merkle trees?
     Conclusions: crossover at a few thousand operations (slide 24)
     Techniques:
     • Multiprecision arithmetic
     • Division-intractable hashing
     • Hashing to prime numbers
     • Semantics of dependent accesses
     Paper: ia.cr/2019/1494
     Implementation: github.com/alex-ozdemir/bellman-bignat
