  1. Verifiable ASICs: trustworthy hardware with untrusted components
     Riad S. Wahby ◦⋆, Max Howald †⋆, Siddharth Garg ⋆, abhi shelat ‡, and Michael Walfish ⋆
     ◦ Stanford University   ⋆ New York University   † The Cooper Union   ‡ The University of Virginia
     May 25th, 2016

  2. Untrusted manufacturers can craft hardware Trojans

  6. Untrusted manufacturers can craft hardware Trojans
     Trusted fabrication is not a panacea:
     ✗ Only 5 countries have cutting-edge fabs on-shore
     ✗ Building a new fab takes $$$$$$, years of R&D
     ✗ An old fab could mean a 10⁸× performance hit, accounting for speed, chip area, and energy
     Can we get trust more cheaply?

  7. Can we build Verifiable ASICs?
     A principal takes F and produces designs for two components, P and V.

  8. Can we build Verifiable ASICs?
     A principal produces designs for P and V. A trusted fab (slow) builds V; an untrusted fab (fast) builds P.

  9. Can we build Verifiable ASICs?
     A trusted fab (slow) builds V; an untrusted fab (fast) builds P. An integrator combines them into one system.

  10. Can we build Verifiable ASICs?
     The integrated system takes an input: V passes it to P, and P returns the output.

  11. Can we build Verifiable ASICs?
     V sends input x to P; P returns output y together with a proof that y = F(x).

  12. Can we build Verifiable ASICs? (V + P versus a natively trusted F)
     • Makes sense if V + P are cheaper than a trusted F

  13. Can we build Verifiable ASICs? (V + P versus a natively trusted F)
     • Makes sense if V + P are cheaper than a trusted F
     • Reasons for hope:
       • running time of V < running time of F (asymptotically)
       • speed of a cutting-edge fab might offset P's overheads

  14. Can we build Verifiable ASICs? (V + P versus a natively trusted F)
     • Makes sense if V + P are cheaper than a trusted F (a back-of-the-envelope sketch follows)
     • Reasons for hope:
       • running time of V < running time of F (asymptotically)
       • speed of a cutting-edge fab might offset P's overheads
     • Challenges remain:
       • Hardware issues: energy, chip area
       • Need a physically realizable circuit design
       • V needs to save work at plausible computation sizes
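
The break-even condition above can be made concrete with a toy cost model. The sketch below is illustrative only: the function names, the slowdown, prover-overhead, and verifier-cost parameters are all invented for this example, and the verifier-cost formula simply mirrors the O(depth · log width) claim that appears later in the deck. The paper's actual comparison uses measured energy and area of synthesized hardware, not these numbers.

```python
# Toy break-even model for "V + P vs. a natively trusted F".
# All parameters here are hypothetical; they are not the paper's measurements.
import math

def trusted_native(width, depth, slow_factor):
    # Run F directly on the slow, trusted node: cost ~ circuit size x slowdown.
    return width * depth * slow_factor

def verifiable_asic(width, depth, slow_factor, prover_overhead):
    # V sits on the slow, trusted node but does ~ depth * log2(width) work;
    # P sits on the fast, untrusted node and pays a per-gate proving overhead.
    verifier = depth * math.log2(width) * slow_factor
    prover = width * depth * prover_overhead
    return verifier + prover

for width in (2**8, 2**16, 2**24):
    depth = 32
    cheaper = (verifiable_asic(width, depth, slow_factor=100, prover_overhead=10)
               < trusted_native(width, depth, slow_factor=100))
    print(f"width=2^{int(math.log2(width))}: outsourcing wins? {cheaper}")
```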

  15. Zebra: a hardware design that saves costs

  16. A qualified success: Zebra, a hardware design that saves costs... sometimes.

  17. Probabilistic proof systems, briefly
     F must be expressed as an arithmetic circuit (AC): a generalized boolean circuit over F_p, with ∨ → + and ∧ → ×

  18. Probabilistic proof systems, briefly
     F must be expressed as an arithmetic circuit (AC)
     AC satisfiable ⟺ F was executed correctly
     P convinces V that the AC is satisfiable
     (a toy AC-evaluation sketch follows)
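
To make the AC abstraction concrete, here is a minimal sketch of evaluating a small arithmetic circuit over F_p. The gate list and the modulus are invented for this example; this is not one of the paper's benchmark circuits, just an illustration of "addition and multiplication gates over a prime field".

```python
# Minimal arithmetic-circuit evaluation over F_p (toy example).
# '+' and '*' play the roles that OR and AND play in a boolean circuit.
P_MOD = 2**61 - 1          # hypothetical prime modulus for this sketch

# Each gate: (op, left_wire, right_wire); wires 0..2 are the inputs.
GATES = [
    ('*', 0, 1),           # wire 3 = x0 * x1
    ('+', 2, 3),           # wire 4 = x2 + wire 3
    ('*', 3, 4),           # wire 5 = wire 3 * wire 4  (circuit output)
]

def evaluate(inputs):
    wires = list(inputs)
    for op, l, r in GATES:
        if op == '+':
            wires.append((wires[l] + wires[r]) % P_MOD)
        else:
            wires.append((wires[l] * wires[r]) % P_MOD)
    return wires[-1]

print(evaluate([3, 5, 7]))  # evaluates the toy F on inputs (3, 5, 7)
```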

  19. Probabilistic proof systems, briefly
     Two families can produce the proof that y = F(x):
     • IPs [GKR08, CMT12, VSBW13], e.g., Muggles, CMT, Allspice
     • Arguments [GGPR13, SBVBPW13, PGHR13, BCTV14], e.g., Zaatar, Pinocchio, libsnark

  20. Probabilistic proof systems, briefly
     • IPs: - "quasi-straight-line" F only; - lots of V-P communication
     • Arguments: + F with RAM, complex control flow; + little V-P communication

  21. Probabilistic proof systems, briefly
     • Arguments: ✗ unsuited to hardware implementation

  22. Probabilistic proof systems, briefly
     • IPs: ✓ suited to hardware implementation
     • Arguments: ✗ unsuited to hardware implementation

  23. Zebra builds on IPs of GKR [GKR08, CMT12, VSBW13] F must be expressed as a layered arithmetic circuit. Note: this is an abstraction of F, not a physical circuit!

  24. Zebra builds on IPs of GKR [GKR08, CMT12, VSBW13] 1. V sends inputs

  25. Zebra builds on IPs of GKR [GKR08, CMT12, VSBW13] 1. V sends inputs 2. P evaluates circuit

  28. Zebra builds on IPs of GKR [GKR08, CMT12, VSBW13] 1. V sends inputs 2. P evaluates circuit, returns output y

  29. Zebra builds on IPs of GKR [GKR08, CMT12, VSBW13] 1. V sends inputs 2. P evaluates circuit, returns output y 3. V cross-examines P about the last layer

  30. Zebra builds on IPs of GKR [GKR08, CMT12, VSBW13] 1. V sends inputs 2. P evaluates circuit, returns output y 3. V cross-examines P about the last layer, ends up with claim about second-last layer

  31. Zebra builds on IPs of GKR [GKR08, CMT12, VSBW13] 1. V sends inputs 2. P evaluates circuit, returns output y 3. V cross-examines P about the last layer, ends up with claim about second-last layer 4. V iterates

  34. Zebra builds on IPs of GKR [GKR08, CMT12, VSBW13] 1. V sends inputs 2. P evaluates circuit, returns output y 3. V cross-examines P about the last layer, ends up with claim about second-last layer 4. V iterates, ends up with claim about inputs

  35. Zebra builds on IPs of GKR [GKR08, CMT12, VSBW13]
     1. V sends inputs
     2. P evaluates circuit, returns output y
     3. V cross-examines P about the last layer, ends up with claim about second-last layer
     4. V iterates, ends up with claim about inputs
     5. V checks consistency with the inputs
     V's work ≈ O(depth · log width), so it saves work when width ≫ depth
     (a minimal sumcheck sketch follows)
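
The layer-by-layer "cross-examination" above is built from the sumcheck protocol (not named on these slides). The sketch below is a didactic, software-only model of sumcheck for a toy multilinear polynomial, with an invented modulus and example polynomial; it is not Zebra's hardware verifier or prover, and it omits the wiring-predicate machinery that ties one layer's claim to the next.

```python
# Didactic sumcheck sketch: P convinces V of the sum of a multilinear
# polynomial g over the boolean hypercube, one variable per round.
import random

P_MOD = 2**61 - 1   # hypothetical prime modulus
N_VARS = 3

def g(xs):
    # Example multilinear polynomial: g(x1, x2, x3) = 2*x1*x2 + x2*x3 + 5*x3
    x1, x2, x3 = xs
    return (2 * x1 * x2 + x2 * x3 + 5 * x3) % P_MOD

def true_sum():
    # Prover's claim: the sum of g over {0,1}^3.
    total = 0
    for a in range(2 ** N_VARS):
        xs = [(a >> i) & 1 for i in range(N_VARS)]
        total = (total + g(xs)) % P_MOD
    return total

def prover_round(fixed, var_value):
    # Partial sum with earlier variables fixed to V's challenges, the current
    # variable pinned to var_value, and the rest summed over {0,1}.
    rest = N_VARS - len(fixed) - 1
    total = 0
    for a in range(2 ** rest):
        tail = [(a >> i) & 1 for i in range(rest)]
        total = (total + g(fixed + [var_value] + tail)) % P_MOD
    return total

def sumcheck():
    claim = true_sum()      # P sends the claimed sum
    fixed = []              # V's random challenges so far
    for _ in range(N_VARS):
        # P sends the round polynomial via its values at 0 and 1
        # (it is linear because g is multilinear).
        s0 = prover_round(fixed, 0)
        s1 = prover_round(fixed, 1)
        # V checks consistency with the running claim.
        assert (s0 + s1) % P_MOD == claim, "prover caught cheating"
        # V picks a random challenge and reduces to a new, smaller claim.
        r = random.randrange(P_MOD)
        claim = (s0 * (1 - r) + s1 * r) % P_MOD
        fixed.append(r)
    # Final check: V evaluates g itself at the random point.
    assert g(fixed) % P_MOD == claim
    return True

print(sumcheck())
```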

  36. Can we parallelize this interaction? Can V and P interact about all of F's layers at once? No. V must ask questions in the correct order, or P can cheat!

  37. Can we parallelize this interaction? Can V and P interact about all of F's layers at once? No. V must ask questions in the correct order, or P can cheat! But: Zebra uses pipelining to parallelize several Fs.

  38. Extracting parallelism through pipelining
     V questions P about F(x1)'s output layer. [in flight: F(x1)]

  39. Extracting parallelism through pipelining
     V questions P about F(x1)'s output layer. Simultaneously, P returns F(x2). [in flight: F(x1), F(x2)]

  40. Extracting parallelism through pipelining
     V questions P about F(x1)'s next layer. [in flight: F(x1)]

  41. Extracting parallelism through pipelining
     V questions P about F(x1)'s next layer, and F(x2)'s output layer. [in flight: F(x1), F(x2)]

  42. Extracting parallelism through pipelining
     V questions P about F(x1)'s next layer, and F(x2)'s output layer. Meanwhile, P returns F(x3). [in flight: F(x1), F(x2), F(x3)]

  43. Extracting parallelism through pipelining
     This process continues until the pipeline is full. [in flight: F(x1) through F(x4)]

  44. Extracting parallelism through pipelining
     This process continues until the pipeline is full. [in flight: F(x1) through F(x5)]

  45. Extracting parallelism through pipelining
     This process continues until the pipeline is full. V and P can complete one proof in each time step. [in flight: F(x1) through F(x8)]
     (a scheduling sketch follows)
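
To make the pipelining picture concrete, here is a scheduling-only sketch: no proving happens, it just prints which layer of which proof V and P would be discussing at each time step. The depth D = 4, the number of inputs N = 8, and the assumption that one new input arrives per step are made up for this toy model, not parameters from the paper.

```python
# Scheduling-only sketch of pipelined proving: proof j starts at step j and is
# discussed at layer t - j + 1 of a D-layer circuit at step t.
D = 4   # layers in the layered arithmetic circuit for F (hypothetical)
N = 8   # inputs x1..x8, one arriving per time step (hypothetical)

for t in range(1, N + D):
    in_flight = []
    completed = None
    for j in range(1, N + 1):
        layer = t - j + 1              # layer of proof j under discussion now
        if 1 <= layer <= D:
            in_flight.append(f"F(x{j})@L{layer}")
            if layer == D:
                completed = f"F(x{j})"
    line = f"t={t:2d}: " + ", ".join(in_flight)
    if completed:
        line += f"   <- proof for {completed} completes"
    print(line)
# Once the pipeline is full (t >= D), exactly one proof completes per step.
```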

  46. Zebra’s design approach ✓ Extract parallelism e.g., pipelined proving

  47. Zebra's design approach
     ✓ Extract parallelism
       e.g., pipelined proving
     ✓ Exploit locality: distribute data and control
       e.g., no RAM: data is kept close to where it is needed
       e.g., latency-insensitive design: a distributed state machine avoids the bottlenecks of a central controller

  48. Zebra's design approach
     ✓ Extract parallelism
       e.g., pipelined proving
     ✓ Exploit locality: distribute data and control
       e.g., no RAM: data is kept close to where it is needed
       e.g., latency-insensitive design: a distributed state machine avoids the bottlenecks of a central controller
     ✓ Reduce, reuse, recycle
       e.g., computation: save energy by adding memoization to P (a small reuse sketch follows)
       e.g., hardware: save chip area by reusing the same circuits
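
As one illustration of the "reduce, reuse, recycle" idea for computation, the sketch below caches, once per set of challenges, a table of multilinear-extension weights that every gate can then look up instead of recomputing. This is a common software trick for GKR-style provers and verifiers, shown here only as an example of reuse; it is not Zebra's actual in-hardware memoization scheme, and the modulus is again hypothetical.

```python
# Reuse illustration: the weights chi_b(r) are shared by every gate in a
# layer, so compute them once and let each gate do a single table lookup.
P_MOD = 2**61 - 1   # hypothetical prime modulus

def chi_table(rs):
    # T[b] = prod_i (rs[i] if bit i of b is 1 else 1 - rs[i]) mod p,
    # where bit 0 of b is the least significant bit.
    table = [1]
    for r in rs:
        zero = [(t * ((1 - r) % P_MOD)) % P_MOD for t in table]
        one = [(t * (r % P_MOD)) % P_MOD for t in table]
        table = zero + one
    return table

def multilinear_eval(values, rs):
    # Evaluate the multilinear extension of `values` (indexed by gate label b)
    # at the challenge point rs, reusing one shared table for all labels.
    table = chi_table(rs)
    return sum(table[b] * v for b, v in enumerate(values)) % P_MOD

# Example: 4 values on {0,1}^2, evaluated at an arbitrary point (5, 9).
print(multilinear_eval([3, 1, 4, 1], [5, 9]))
```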

  49. Architectural challenges
     Interaction between V and P requires a lot of bandwidth
     ✗ V and P on a circuit board? Too much energy, circuit area
     Protocol requires input-independent precomputation [Allspice13]
