verifiable set operations over outsourced databases
play

Verifiable Set Operations over Outsourced Databases Ran Dimitris - PowerPoint PPT Presentation

Verifiable Set Operations over Outsourced Databases Ran Dimitris Nikos Omer Canetti Papadopoulos Triandopoulos Paneth Boston University Boston RSA Laboratories Boston & Tel Aviv University University & Boston University


  1. Verifiable Set Operations over Outsourced Databases Ran Dimitris Nikos Omer Canetti Papadopoulos Triandopoulos Paneth Boston University Boston RSA Laboratories Boston & Tel Aviv University University & Boston University University

  2. Outsourced Computation ● Modern Computing → asymmetric computational environment ● Powerful Servers ● Multiple types of “weak” devices Big Data

  3. Outsourced Computation ● Modern Computing → asymmetric computational environment ● Powerful Servers ● Multiple types of ● Cloud Computing “weak” devices computation Big Data result

  4. Outsourced Computation ● Modern Computing → asymmetric computational environment ● Powerful Servers ● Multiple types of ● Cloud Computing “weak” devices computation Big Data result ● Integrity-of-computation

  5. Outsourced Computation ● Modern Computing → asymmetric computational environment ● Powerful Servers ● Multiple types of ● Cloud Computing “weak” devices computation Big Data result ● Integrity-of-computation Did you do it correctly?

  6. Verifiable Computation (VC) Protocol

  7. Verifiable Computation (VC) Protocol x, f

  8. Verifiable Computation (VC) Protocol x, f y = f(x), Π Verify(x,f,y,Π) = accept/reject

  9. Verifiable Computation (VC) Protocol ● Untrusted prover – server can arbitrarily cheat x, f y = f(x), Π Verify(x,f,y,Π) = accept/reject Soundness: Verify accepts with negligible probability if y ≠ f(x)

  10. Verifiable Computation (VC) Protocol ● Untrusted prover – server can arbitrarily cheat x, f y = f(x), Π Verify(x,f,y,Π) = accept/reject Soundness: Verify accepts with negligible probability if y ≠ f(x) Efficiency: Verification should be faster than computation

  11. VC with Pre-processing ● Client runs expensive pre-processing for f once f Setup(sk,f) = f

  12. VC with Pre-processing ● Client runs expensive pre-processing for f once f f Setup(sk,f) = f

  13. VC with Pre-processing ● Client runs expensive pre-processing for f once ● Amortizes cost over multiple executions f x 1 f . y = f(x 1 ), Π . . Setup(sk,f) = f x i y = f(x i ), Π

  14. VC with Pre-processing ● Client runs expensive pre-processing for f once ● Amortizes cost over multiple executions f x 1 f . y = f(x 1 ), Π . . Setup(sk,f) = f x i y = f(x i ), Π ● Pre-processing not inherently necessary [Bitansky,Canetti,Chiesa,Tromer'13] –

  15. VC with Outsourced Storage dataset D

  16. VC with Outsourced Storage dataset D Setup(sk,D) = auth(D)

  17. VC with Outsourced Storage VC with Outsourced Storage dataset D D, auth(D) digest d Setup(sk,D) = auth(D)

  18. VC with Outsourced Storage VC with Outsourced Storage dataset D D, auth(D) query Q digest d y = Q(D), Π Setup(sk,D) = auth(D)

  19. VC with Outsourced Storage VC with Outsourced Storage dataset D D, auth(D) query Q digest d y = Q(D), Π Setup(sk,D) = auth(D) ● Studied in existing work – memory delegation [Chung,Kalai,Liu,Raz'11] – outsourced datasets [Backes,Fiore,Reischuk'13] – authenticated data structures [Nissim,Naor'98][Tamassia'03]

  20. VC with Outsourced Storage dataset D D, auth(D) query Q digest d y = Q(D), Π Setup(sk,D) = auth(D)

  21. VC with Outsourced Storage VC with Outsourced Storage dataset D D, auth(D) query Q digest d y = Q(D), Π Setup(sk,D) = auth(D) ● Dual of the classic model – fix function / fix data

  22. VC with Outsourced Storage VC with Outsourced Storage dataset D D, auth(D) query Q digest d y = Q(D), Π Setup(sk,D) = auth(D) ● Dual of the classic model – fix function / fix data ● Additional query type: updates in D

  23. VC with Outsourced Storage VC with Outsourced Storage dataset D D, auth(D) query Q digest d y = Q(D), Π Setup(sk,D) = auth(D) ● Dual of the classic model – fix function / fix data ● Additional query type: updates in D – handle updates efficiently

  24. Security Game Gen($) → sk,pk

  25. Security Game pk Gen($) → sk,pk

  26. Security Game pk D 0 Gen($) → sk,pk auth(D 0 ) Provides oracle access to Prove and Verify Setup and Update using pk

  27. Security Game pk D 0 Gen($) → sk,pk auth(D 0 ) update u 1 auth(D 0 , u 1 ) . Provides oracle . access to . Prove and Verify Setup and Update using pk update u t auth(D t-1 , u t )

  28. Security Game Finally : {D i ,auth(D i ),d, Q, A * , Π} for 0 ≤ i ≤ t Adv wins if A * is not the correct answer but Verify accepts

  29. Known Solutions (in this model and others) ● Theoretical Results [Micali'00],[Ishai,Kushilevitz,Ostrovsky'08], [Goldwasser,Kalai,Rothblum'08], [Applebaum,Ishai,Kusilevitz'10], [Gennaro,Gentry,Parno'10] [Chung,Kalai,Vadhan'10], [Canetti,Riva,Rothblum'11], [Gennaro,Gentry,Parno,Raykova'13], [Bitansky,Canetti,Chiesa,Tromer'13],... ● Implementation Works [Cormode,Mitzenmacher,Thaler'12] [Setty,Braun,Vu,Blumberg,Parno,Walfish'13], [Parno,Gentry,Howell,Raykova'13] [Ben-Sasson,Chiesa,Genkin,Tromer,Virza'13]...

  30. State of the art ✔ Excellent asymptotic behavior – non-interactive – general (i.e. for any language in NP) – verification cost O ( |input| + |output| ) – O ( 1 ) proof size – poly-log overhead for proof computation

  31. State of the art ✔ Excellent asymptotic behavior – non-interactive – general (i.e. for any language in NP) – verification cost O ( |input| + |output| ) – O ( 1 ) proof size – poly-log overhead for proof computation ✗ High concrete overhead – server's cost prohibitive for general functions

  32. Examples of Practical Issues ● Delegation in the circuit-based model of computation – reduce concrete functions to circuit problems ● Prover's overhead should be query-specific – not determined by “largest” query

  33. Examples of Practical Issues ● Delegation in the circuit-based model of computation – reduce concrete functions to circuit problems ● Prover's overhead should be query-specific – not determined by “largest” query Recent works explore alternative models [Goldwasser,Kalai,Popa,Vaikuntanathan,Zeldovich'13] – [Gentry,Halevi,Raykova,Wichs'14] –

  34. In this Work ● Focus on specific class of functions – exploit algebraic structure for practical solutions – existing works ● [Benabbas,Gennaro,Vahlis'11],[Backes,Fiore,Reischuk'13], [Papamanthou,Tamassia,Triandopoulos'11] ...

  35. In this Work ● Focus on specific class of functions – exploit algebraic structure for practical solutions – existing works ● [Benabbas,Gennaro,Vahlis'11],[Backes,Fiore,Reischuk'13], [Papamanthou,Tamassia,Triandopoulos'11] ... ● Functionality: Nested Intersections, Unions and Set Differences

  36. In this Work ● Focus on specific class of functions – exploit algebraic structure for practical solutions – existing works ● [Benabbas,Gennaro,Vahlis'11],[Backes,Fiore,Reischuk'13], [Papamanthou,Tamassia,Triandopoulos'11] ... ● Functionality: Nested Intersections, Unions and Set Differences ● Applications – A rich class of SQL queries – Keyword search – Similarity Measurements (e.g. Jaccard distance) – Set Membership

  37. Outsourced Sets ● Database D consisting of m sets X 1 ,...,X m with elements from Z p

  38. Outsourced Sets ● Database D consisting of m sets X 1 ,...,X m with elements from Z p ● Supports queries expressed as polynomial ∩ length formulas of nested intersections, unions, and set differences U \ ∪ ( X 8 ∩ X 5 )) ∩ ( X 1 \ X 9 )) ● e.g. (( X 2 ∩ X 4 ) ∩ ∩ X 5 X 6 X 3 X 4 X 1 X 2

  39. Outsourced Sets ● Database D consisting of m sets X 1 ,...,X m with elements from Z p ● Supports queries expressed as polynomial ∩ length formulas of nested intersections, unions, and set differences U \ ∪ ( X 8 ∩ X 5 )) ∩ ( X 1 \ X 9 )) ● e.g. (( X 2 ∩ X 4 ) ∩ ∩ X 5 X 6 X 3 X 4 X 1 X 2 ● D changes dynamically under element insertion and deletion

  40. Our Result ● VC with outsourced storage for sets: – query-specific proof-construction cost – efficient non-interactive updates – circuit-independent – public verifiability – concrete complexity analysis ● low involved constants

  41. Our Result ● Setup cost: – client's pre-processing cost → O(|D|) ● Given query Q computable in O(N) with answer A : – verification time O(|Q| + |A|) – proof size O(|Q|) – proof construction O(N) ● Update cost: – O(1) operations for client and server

  42. Our Result ● Setup cost: – client's pre-processing cost → O(|D|) ● Given query Q computable in O(N) with answer A : – verification time O(|Q| + |A|) independent of – proof size O(|Q|) cardinalities of – proof construction O(N) other sets ● Update cost: – O(1) operations for client and server

  43. Large Intermediate Results ∩ Note Circle size denotes set U U cardinality X 5 X 6 X 6 X 1 X 2 X 3 X 4 Verification cost and proof size should be oblivious to the set cardinalities (except for answer set)

  44. Main Idea (attempt 1) ● i [Papamanthou,Tamassia,Triandopoulos'11] – construction for a single set operation based on bilinear accumulators I 1 ,Π 1 ∩ X 1 X 2

  45. Main Idea (attempt 1) ● i [Papamanthou,Tamassia,Triandopoulos'11] – construction for a single set operation based on bilinear accumulators ∩ U U I 1 ,Π 1 ∩ ∩ X 5 X 6 X 3 X 4 X 1 X 2

Recommend


More recommend