Multi-Client Non-Interactive Verifiable Computation
Seung Geol Choi (Columbia U.), Jonathan Katz (U. Maryland), Ranjit Kumaresan (Technion), Carlos Cid (Royal Holloway)
Verifiable Computation
• Increasing dependence on the cloud
  – Individual devices getting smaller & smaller
    • Resource constrained
  – Computation outsourced to the cloud
• “Trust, but verify”
  – Many incentives for a cloud to cheat
    • Minimize resource usage
    • Malicious server!
• Need to verify whether server performs correct computations
  – Verification must be cheaper than computation
Verifiable Computation
• Variety of solutions
  – Interactive proofs [GMR85,LFKN92,S92,GKR08]
  – MIPs & PCPs [BFL91,BFLS91,BCCT12]
  – Interactive arguments [BCC88,M94,K92,K95]
  – Non-interactive solutions [K95,M94,GKR08,CKV10,GGP10,AIK11,BHR12]
  – Public verifiability [PRV12]
• All of them deal with verifiably computing functions on a single client’s input
Multi-Client Verifiable Computation
Motivation
Resource constrained data gathering sensors located far apart want to compute over joint collected data
Ask one sensor to collect all data & use single-client verifiable comp.?
• Requires client-client communication
• Mix-and-match attacks
  – No analogue in single-client setting
• No privacy
Need a model for non-interactive verification of computations over joint inputs of multiple clients
Our Contributions
• Model, syntax, and definitions
• Generic constructions
  – Non-interactive solution
  – Privacy against colluding clients
  – Privacy against malicious server
Initiate study of non-interactive multi-client verifiable computation in a setting with
• n semi-honest clients
• malicious server
Talk Outline
• Motivation & Introduction
• Model, Syntax, and Definitions
• Building Blocks
• Construction
• Conclusions
Model
[Figure: n clients]
• Clients are semi-honest
• Want non-interactive solution
  – No interaction between clients
Model
• Clients are semi-honest
• Want non-interactive solution
  – No interaction between clients
• How to prevent spoofing attacks?
  – Use PKI
• How to prevent mix-and-match attacks?
  – Use global clock
Assumptions of this type are necessary
Model
• Clients are semi-honest
• Want non-interactive solution
• Assume PKI & global clock
Like [GGP10] use offline preprocessing model
• One-time (expensive) preprocessing
  – Must be non-interactive
• Allows for multiple (cheap) verification stages
Model
• Clients are semi-honest
• Want non-interactive solution
• Assume PKI & global clock
• One-time preprocessing
Only first client gets output
• Easily generalized to multiple clients obtaining outputs
  – Parallel executions
Model
• Clients are semi-honest
• Want non-interactive solution
• Assume PKI & global clock
• One-time preprocessing
• Only first client gets output
Syntax
• Setup
  – KeyGen
• Offline
  – EncFun
• Online
  – EncInp_j
  – Compute
  – Verify
[Figure labels: x_{i,1}, X_{i,1}, x_{i,2}, X_{i,2}, pk_1, pk_2, F, S, T_i, W_i, y_i]
Properties
Soundness
• Given encoding of function, A gets to choose series of inputs & receive encodings of each input. Finally A outputs (i, W_i)
• If Verify(W_i) ≠ f(x_i) and Verify(W_i) ≠ λ, output 1, else 0
Scheme is sound if Experiment outputs 1 with negl. prob.
Outsourcing: T(encode input) + T(verify output) < T(compute function)
Privacy
• Against server: Cannot distinguish between executions where clients hold input x_0 vs. another where client inputs are x_1
• Against first client: Conditioned on its input being the same, cannot distinguish between executions having same output
Building Blocks
• Projective Garbling Schemes [Y86,BHR12]
• Non-Interactive Proxy Oblivious Transfer [NPS99]
• Fully Homomorphic Encryption [G09,BV11]
  – Converts one-time scheme to a many-time scheme
Our construction builds upon the single-client scheme of [GGP10]
Projective Garbling Schemes
• Garbling Schemes [Y86,BHR12]
  – “Projective” if individual input encodings can be generated independently
• Adaptive soundness
  – Same issue as in [GGP10]
  – Assume Yao GCs satisfy adap. soundness
    • Reasonable in practice
    • [BHR12]: Does not follow from CPA security of enc.
[Figure: garbled circuit (GC), labelled “Encoding of function”, “Projective encoding of individual input bits”, “Possible output encodings”]
Proxy Oblivious Transfer [NPS99]
[Figure: ideal functionality ProxyOT; labels: x_0, x_1; b = 0,1; x_b]
Want a non-interactive proxy OT protocol
Non-Interactive Proxy OT
• Use PKI and a non-interactive key exchange (NIKE) protocol to generate common randomness s unknown to server
• Use common randomness s to run PSM protocol [FKN94] for OT, with server as referee
[Figure labels: pk_1, pk_2; s = (r_0, r_1, c); x_0, x_1; b = 0,1; messages (x_c + r_c, x_{1+c} + r_{1+c}) and (c + b, r_{c+b})]
One-Time Multi-Client VC
Preprocessing
Using a garbling scheme, encode function & prepare state to encode inputs and to verify encoded outputs
[Figure: garbled circuit (GC) with inputs x_{i,1}, x_{i,2}]
One-Time Multi-Client VC
Input Encoding
Select own keys depending on input bits
One-Time Multi-Client VC
Input Encoding
Select keys for others using non-interactive proxy OT
Keys obtained from Proxy OT
One-Time Multi-Client VC
Compute
Evaluate garbled circuit to obtain output encoding
One-Time Multi-Client VC
Verify
Check whether received key matches one of the 2 output keys
Multi-Client VC - Finis
• Soundness
  – Privacy of non-interactive proxy OT scheme
  – Authenticity of garbling scheme
• Privacy
  – Non-interactive nature of the scheme
  – Privacy of single-client [GGP10] scheme
  – Privacy of non-interactive proxy OT scheme
• Wrap one-time scheme with Fully Homomorphic Encryption
  – Converts one-time scheme to many-time
  – Semantic security preserves one-time soundness & privacy
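Added example, not code from the talk: the one-time scheme above (preprocessing, input encoding via proxy OT, compute, verify) for two clients and a single AND gate, in Python. Assumptions: the SHA-256 garbling is a toy stand-in for a projective garbling scheme, s is sampled locally where the talk derives it with NIKE, the proxy-OT pads are indexed by position in the sender's pair, and the FHE wrapper is not shown.

```python
import hashlib, hmac, secrets

LBL = 16  # key (label) length in bytes

def H(a, b):  # 32 bytes: 16-byte row tag followed by a 16-byte pad
    return hashlib.sha256(a + b).digest()

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def enc_fun():
    # Offline, client 1: garble one AND gate. Each wire gets two independent
    # keys (projective), so a client's input encoding is just its own key.
    w1, w2, out = ([secrets.token_bytes(LBL) for _ in range(2)] for _ in range(3))
    rows = {}
    for a in (0, 1):
        for b in (0, 1):
            k = H(w1[a], w2[b])
            rows[k[:LBL]] = xor(k[LBL:], out[a & b])
    # Sorting by tag hides which row belongs to which input pair.
    return dict(sorted(rows.items())), {"w1": w1, "w2": w2, "out": out}

def pot_sender(x0, x1, s):       # client 1, holds both keys of client 2's wire
    (r0, r1), c = s
    x = (x0, x1)
    return xor(x[c], r0), xor(x[1 ^ c], r1)
def pot_chooser(b, s):           # client 2, holds input bit b
    r, c = s
    return c ^ b, r[c ^ b]
def pot_server(sender_msg, chooser_msg):   # server learns x_b, not b or x_{1-b}
    d, pad = chooser_msg
    return xor(sender_msg[d], pad)

def compute(table, X1, X2):      # server: evaluate the garbled gate
    k = H(X1, X2)
    return xor(k[LBL:], table[k[:LBL]])
def verify(W, state):            # client 1: W must be one of the 2 output keys
    for bit, key in enumerate(state["out"]):
        if hmac.compare_digest(W, key):
            return bit
    return None                  # reject

def run(x1, x2, cheat=False):
    table, st = enc_fun()
    # Constructed stand-in for the NIKE-derived common randomness s = (r0, r1, c).
    s = ((secrets.token_bytes(LBL), secrets.token_bytes(LBL)), secrets.randbelow(2))
    X1 = st["w1"][x1]            # client 1 selects its own key
    X2 = pot_server(pot_sender(*st["w2"], s), pot_chooser(x2, s))
    W = secrets.token_bytes(LBL) if cheat else compute(table, X1, X2)
    return verify(W, st)
```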
Conclusions & Summary
• Modeled non-interactive multi-client verifiable computation in a setting with
  – n semi-honest clients
  – Single malicious server
• Formal syntax and definitions
• Generic constructions of schemes based on
  – Projective Garbling Schemes
  – Non-Interactive Proxy Oblivious Transfer
  – Fully Homomorphic Encryption
• Future directions
  – Stronger models, e.g., malicious clients, etc.
Thank You!