vector commitments with efficient proofs

Vector Commitments with Efficient Proofs. Markulf Kohlweiss (1) and Alfredo Rial (2). (1) Microsoft Research Cambridge; (2) KU Leuven ESAT/COSIC IBBT, Belgium. Provable Privacy Workshop, 10/07/2012. K.U.Leuven, Vector Commitments, 10 July 2012.


  1. Vector Commitments with Efficient Proofs
     Markulf Kohlweiss (1) and Alfredo Rial (2)
     (1) Microsoft Research Cambridge; (2) KU Leuven ESAT/COSIC – IBBT, Belgium
     Provable Privacy Workshop, 10/07/2012
     K.U.Leuven, Vector Commitments, 10 July 2012

  2. INDEX
     • GOAL: Efficient proofs of calculation correctness
     • MOTIVATION: Privacy-Preserving Smart Metering
     • IDEA: Intermediate tables to store partial results
     • Vector Commitments
       o Definition
       o Application to Smart Metering
       o Constructions
     • CONCLUSION

  3. GOAL
     • A prover performs calculations and reveals the result to a verifier.
     • The prover proves to the verifier correctness of the calculations in zero-knowledge.
     • Some calculations are repetitive, but the prover needs to reprove them each time.
     • Idea to speed up computation: prove correctness of partial results, and reuse the results.

  4. MOTIVATION: Smart Metering
     http://www.simcoe.com/image/821441
     http://www.refusesmartmeter.com/

  5. Privacy-Preserving Smart Metering
     [Diagram: SMART METER, USER APP, SERVICE PROVIDER; labels: Fee Calculation, Pricing Policy, Readings, Fee Reporting & Correctness Proof]
     http://www.givenspaceandtime.com/
     http://www.hsntech.com/energy/energy-solutions/meter-data-solutions.aspx

     $$\mathit{fee} = \sum_{i=1}^{n} \mathit{cons}_i \times \mathit{rate}_i$$

     Meter Readings
     | Time  | Cons. | Sig.            |
     |-------|-------|-----------------|
     | 00:00 | 1456  | $\sigma_m(r_1)$ |
     | 00:15 | 2341  | $\sigma_m(r_2)$ |
     | 00:30 | 543   | $\sigma_m(r_3)$ |
     | ⋮     | ⋮     | ⋮               |

     Provider Policy
     | Time  | Rate | Sig.            |
     |-------|------|-----------------|
     | 00:00 | 10   | $\sigma_p(r_1)$ |
     | 00:15 | 9    | $\sigma_p(r_2)$ |
     | 00:30 | 8    | $\sigma_p(r_3)$ |
     | ⋮     | ⋮    | ⋮               |

     | Time  | Index i |
     |-------|---------|
     | 00:00 | 1       |
     | 00:15 | 2       |
     | ⋮     | ⋮       |

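  6. Privacy-Preserving Smart Metering

     Meter Readings
     | Time  | Cons. | Sig.            |
     |-------|-------|-----------------|
     | 00:00 | 1456  | $\sigma_m(r_1)$ |
     | 00:15 | 2341  | $\sigma_m(r_2)$ |
     | 00:30 | 543   | $\sigma_m(r_3)$ |
     | ⋮     | ⋮     | ⋮               |

     Provider Policy
     | Time  | Rate | Sig.            |
     |-------|------|-----------------|
     | 00:00 | 10   | $\sigma_p(r_1)$ |
     | 00:15 | 9    | $\sigma_p(r_2)$ |
     | 00:30 | 8    | $\sigma_p(r_3)$ |
     | ⋮     | ⋮    | ⋮               |

     • ZKPK of correctness of fee calculation:
     $$\begin{aligned}
     \mathrm{PK}\Big\{ & \big(\mathit{cons}_i, \mathit{time}_i, \mathit{rate}_i, \sigma_m(r_i), \sigma_m(r_i)\big)_{i=1}^{n} : \\
     & \mathit{fee} = \sum_{i=1}^{n} \mathit{fee}_i \\
     & \bigwedge_{i=1}^{n} \big( \mathit{fee}_i = \mathit{cons}_i \times \mathit{rate}_i \wedge \mathrm{VerSig}(\sigma_m(r_i)) \wedge \mathrm{VerSig}(\sigma_p(r_i)) \big) \Big\}
     \end{aligned}$$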

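  7. More Complex Policies

     Meter Readings
     | Time  | Cons. | Sig.            |
     |-------|-------|-----------------|
     | 00:00 | 1456  | $\sigma_m(r_1)$ |
     | 00:15 | 2341  | $\sigma_m(r_2)$ |
     | 00:30 | 543   | $\sigma_m(r_3)$ |
     | ⋮     | ⋮     | ⋮               |

     Provider Policy
     | Time  | Rate | Sig.            |
     |-------|------|-----------------|
     | 00:00 | 10   | $\sigma_p(r_1)$ |
     | 00:15 | 9    | $\sigma_p(r_2)$ |
     | 00:30 | 8    | $\sigma_p(r_3)$ |
     | ⋮     | ⋮    | ⋮               |

     Agency Policy
     | Time  | Rate | Sig.               |
     |-------|------|--------------------|
     | 00:00 | 11   | $\sigma_a(r_1, U)$ |
     | 00:15 | 8    | $\sigma_a(r_2, U)$ |
     | 00:30 | 7    | $\sigma_a(r_3, U)$ |
     | ⋮     | ⋮    | ⋮                  |

     • ZKPK of correctness of fee calculation:
     $$\begin{aligned}
     \mathrm{PK}\Big\{ & \big(\mathit{cons}_i, \mathit{time}_i, \mathit{rate}_i, \sigma_m(r_i), \sigma_m(r_i)\big)_{i=1}^{n} : \\
     & \mathit{fee} = \sum_{i=1}^{n} \mathit{fee}_i \\
     & \bigwedge_{i=1}^{n} \big( \mathit{fee}_i = \mathit{cons}_i \times \mathit{rate}_i \wedge \mathrm{VerSig}(\sigma_m(r_i)) \wedge \big(\mathrm{VerSig}(\sigma_p(r_i)) \vee \mathrm{VerSig}(\sigma_a(r_i, U))\big) \big) \Big\}
     \end{aligned}$$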

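  8. IDEA: Intermediate Tables

     Provider Policy
     | Time  | Rate | Sig.            |
     |-------|------|-----------------|
     | 00:00 | 10   | $\sigma_p(r_1)$ |
     | 00:15 | 9    | $\sigma_p(r_2)$ |
     | 00:30 | 8    | $\sigma_p(r_3)$ |
     | ⋮     | ⋮    | ⋮               |

     + Agency Policy
     | Time  | Rate | Sig.               |
     |-------|------|--------------------|
     | 00:00 | 11   | $\sigma_a(r_1, U)$ |
     | 00:15 | 8    | $\sigma_a(r_2, U)$ |
     | 00:30 | 7    | $\sigma_a(r_3, U)$ |
     | ⋮     | ⋮    | ⋮                  |

     = Intermediate Table
     | Time  | Rate |
     |-------|------|
     | 00:00 | 10   |
     | 00:15 | 8    |
     | 00:30 | 7    |
     | ⋮     | ⋮    |

     1. User creates an intermediate table and proves it correct
     2. ZKPK of correctness of fee calculation:
     $$\begin{aligned}
     \mathrm{PK}\Big\{ & \big(\mathit{cons}_i, \mathit{time}_i, \mathit{rate}_i, \sigma_m(r_i), \sigma_m(r_i)\big)_{i=1}^{n} : \\
     & \mathit{fee} = \sum_{i=1}^{n} \mathit{fee}_i \\
     & \bigwedge_{i=1}^{n} \big( \mathit{fee}_i = \mathit{cons}_i \times \mathit{rate}_i \wedge \mathrm{VerSig}(\sigma_m(r_i)) \wedge \big(\mathrm{VerSig}(\sigma_p(r_i)) \vee \mathrm{VerSig}(\sigma_a(r_i))\big) \big) \Big\}
     \end{aligned}$$
     Slide annotation: $\mathrm{LookUp}(i, \mathit{rate})$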

  9. IDEA: Intermediate Tables
     If $\mathrm{LookUp}(i, \mathit{rate}) < \mathrm{VerSig}(\sigma_p(r_i)) \vee \mathrm{VerSig}(\sigma_a(r_i, U))$
     THE COST OF CREATING AND PROVING CORRECTNESS OF INTERMEDIATE TABLE (STEP 1) WILL BE AMORTIZED AFTER USING IT A SUFFICIENT AMOUNT OF TIMES TO PROVE CORRECTNESS OF FEE (STEP 2)

  10. Vector Commitments: Definition

  11. Definition: Algorithms
     Let $V = (x_1, \ldots, x_n)$.
     • $\mathrm{Setup}(1^k, \ell) \to \mathit{par}$
     • $\mathrm{Create}(\mathit{par}, V, r) \to C$
     • $\mathrm{Prove}(\mathit{par}, i, V, r) \to W_i$
     • $\mathrm{Verify}(\mathit{par}, C, x, i, W) \to \{\mathit{accept}, \mathit{reject}\}$
     SIZE OF $W_i$ IS INDEPENDENT OF $n$

  12. Definition: Efficient Proofs
     • ZKPK of $V$ committed to in $C$:
       $\pi_c = \mathrm{PK}\{ (V, r) : C = \mathrm{Create}(\mathit{par}, V, r) \}$
     • ZKPK of witness $W_i$ to $x_i$ in position $i$:
       $\pi_p = \mathrm{PK}\{ (i, x_i, W_i) : \mathrm{Verify}(\mathit{par}, C, x, i, W) \to \mathit{accept} \}$

  13. Definitions: Hiding Property
     • Hiding: a commitment $C$ to a vector $V$ does not reveal information on $V$.
       o Once a vector component is revealed, the other components are not hidden anymore
       o [Eprint 2011/495] Hiding property is not required

  14. Definitions: Binding Property
     • Binding: it is not possible to prove that $(i, x) \in V$ if $V_i \neq x$.
       o [Eprint 2011/495] Stronger definition where adversary sends the tuple $(C, i, x, x', w, w')$
       o We achieve this property via $\pi_c$ and $\pi_p$

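  15. Application to Smart Metering: Overview
     [Protocol diagram between USER APP and SERVICE PROVIDER; labels in slide order:]
     • Input $(1^k, \ell)$; Input $V$
     • $\mathit{par}$; $\mathrm{Setup}(1^k, \ell) \to \mathit{par}$
     • $\mathrm{Create}(\mathit{par}, V, r) \to C$
     • $C, \pi_c$; Compute $\pi_c$; Verify $\pi_c$
     • $\mathrm{Prove}(\mathit{par}, i, V, r) \to W_i$
     • $\pi_p$; Compute $\pi_p$; Verify $\pi_p$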

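  16. Application to Smart Metering: Step 1

     Provider Policy
     | Time  | Rate | Sig.            |
     |-------|------|-----------------|
     | 00:00 | 10   | $\sigma_p(r_1)$ |
     | 00:15 | 9    | $\sigma_p(r_2)$ |
     | 00:30 | 8    | $\sigma_p(r_3)$ |
     | ⋮     | ⋮    | ⋮               |

     + Agency Policy
     | Time  | Rate | Sig.               |
     |-------|------|--------------------|
     | 00:00 | 11   | $\sigma_a(r_1, U)$ |
     | 00:15 | 8    | $\sigma_a(r_2, U)$ |
     | 00:30 | 7    | $\sigma_a(r_3, U)$ |
     | ⋮     | ⋮    | ⋮                  |

     = Intermediate Table
     | Time  | Rate |
     |-------|------|
     | 00:00 | 10   |
     | 00:15 | 8    |
     | 00:30 | 7    |
     | ⋮     | ⋮    |

     1. User creates an intermediate table and proves it correct
       o Let $V = (\mathit{rate}_1, \ldots, \mathit{rate}_n)$
       o Run $\mathrm{Create}(\mathit{par}, V, r) \to C$
       o Compute ZKPK of intermediate table correctness:
     $$\pi_c = \mathrm{PK}\Big\{ \big(V, r, \sigma_p(r_i), \sigma_a(r_i, U)\big) : C = \mathrm{Create}(\mathit{par}, V, r) \wedge \bigwedge_{i=1}^{n} \big( \mathrm{VerSig}(\sigma_p(r_i)) \vee \mathrm{VerSig}(\sigma_a(r_i, U)) \big) \Big\}$$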

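  17. Application to Smart Metering: Step 2

     Meter Readings
     | Time  | Cons. | Sig.            |
     |-------|-------|-----------------|
     | 00:00 | 1456  | $\sigma_m(r_1)$ |
     | 00:15 | 2341  | $\sigma_m(r_2)$ |
     | 00:30 | 543   | $\sigma_m(r_3)$ |
     | ⋮     | ⋮     | ⋮               |

     Intermediate Table
     | Time  | Rate |
     |-------|------|
     | 00:00 | 10   |
     | 00:15 | 8    |
     | 00:30 | 7    |
     | ⋮     | ⋮    |

     • ZKPK of correctness of fee calculation:
     $$\begin{aligned}
     \pi_p = \mathrm{PK}\Big\{ & \big(i, \mathit{rate}_i, W_i, \sigma_m(r_i)\big)_{i=1}^{n} : \\
     & \mathit{fee} = \sum_{i=1}^{n} \mathit{fee}_i \\
     & \bigwedge_{i=1}^{n} \big( \mathit{fee}_i = \mathit{cons}_i \times \mathit{rate}_i \wedge \mathrm{VerSig}(\sigma_m(r_i)) \wedge (\mathrm{Verify}(\mathit{par}, C, \mathit{rate}, i, W) \to \mathit{accept}) \big) \Big\}
     \end{aligned}$$
     Slide annotation: $\mathrm{LookUp}(i, \mathit{rate})$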

  18. Vector Commitments: Related Work
     • Polynomial Commitments [Asiacrypt 2010]
       o Imply Vector Commitments
     • Concise Mercurial Vector Commitments [TCC 2010]
       o Imply Vector Commitments
       o No ZKPK are provided
     • Vector Commitments [Eprint 2011/495]
       o No ZKPK are provided
     • Cryptographic Accumulators [Eurocrypt 1993, CRYPTO 2002]
       o Efficient ZKPK are provided
       o Do not imply vector commitments

  19. Vector Commitments: Constructions
     • Construction based on SDH assumption
       o Akin to polynomial commitments [Asiacrypt 2010]
     • Construction based on BDHE assumption
       o Akin to concise mercurial vector commitments [TCC 2010]
     • Construction based on CDH assumption
       o Akin to vector commitments [Eprint 2011/495]
     • Generic construction based on any cryptographic accumulator and any commitment scheme
