Privacy-preserving outsourcing by distributed verifiable ... · • Secret sharing MPC •...
31
Privacy-Preserving Outsourcing by Distributed Verifiable Computation Meilof Veeningen Philips Research MPC 2016, Aarhus, May 30 2016
Transcript of Privacy-preserving outsourcing by distributed verifiable ... · • Secret sharing MPC •...
Privacy-PreservingOutsourcingbyDistributedVerifiableComputationMeilofVeeningenPhilipsResearchMPC2016,Aarhus,May302016
PhilipsResearch2
PhilipsResearch3
PhilipsResearch4
PhilipsResearch5
PhilipsResearch6
OutsourcingComputationsonSensitiveData(I)
PhilipsResearch7
x f(x)privacy? correctness?
OutsourcingComputationsonSensitiveData(I)
PhilipsResearch8
𝑥 " 𝑥 #𝑥 $
securemultipartycomputation
𝑓(𝑥) $𝑓(𝑥) #𝑓(𝑥) "
Jakobsen,Nielsen,Orlandi (CCSW’14):
privacyandcorrectnesswith𝑛 − 1 activelycorruptedworkers
Canweachievecorrectnessevenifallworkersarecorrupted?
Outsourcing&Correctness(ButNoPrivacy)
PhilipsResearch9
Privacy+Correctness:AGenericConstruction
PhilipsResearch10
𝑥 " 𝑥 #𝑥 $
𝑦 = 𝑓(𝑥) $𝑦 = 𝑓(𝑥) #𝑦 = 𝑓(𝑥) "𝑦,Proof(𝑦= 𝑓 𝑥 ) $𝑦, Proof(𝑦 = 𝑓 𝑥 ) #𝑦, Proof(𝑦 = 𝑓 𝑥 ) "
Question:canweefficientlyconstructtheseproofs withmulti-partycomputation?
Privacy: sameasMPCprotocolused
Correctness: always!
Privacy+Correctness:PreviousWork
PhilipsResearch11
openings
PubliclyAuditable SPDZ(Baum/Damgård/Orlandi)
Preprocessing
𝑥 , 𝑦 , 𝑥𝑦+𝑔3, 𝑔4 , 𝑔34
UniversallyVerifiableCDN(deHoogh/Schoenmakers/V.)
ZK
NIZK
CertificateValidation…(deHoogh/Schoenmakers/V.)
Paillier
ElGamal
Verificationeffortscalesincomputationsize!Reason:existingworktakesMPCasstartingpoint!
Privacy+Correctness:PreviousWork
PhilipsResearch12
• Insteadof 𝑦, Proof(𝑦 = 𝑓 𝑥 ) ":– Baum/Damgård/Orlandi: SPDZ+Pedersencommitments=SPDZ’– deHoogh/Schoenmakers/Veeningen:CDN+non-interactiveproofs=CDN’– deHoogh/Schoenmakers/Veeningen:CDN’+ElGamal encryption=CDN’’
• BecauseofMPCstartingpoint,noefficientverification!
Today: 𝑦, Proof(𝑦 = 𝑓 𝑥 ) canbeefficient!
PhilipsResearch13
𝑥 " 𝑥 #𝑥 $
𝑦, PinocchioVC(𝑦 = 𝑓 𝑥 ) $
𝑦, PinocchioVC(𝑦 = 𝑓 𝑥 ) #
𝑦, PinocchioVC(𝑦 = 𝑓 𝑥 ) "
Theorem. (Schoenmakers/V/deVreede,ACNS‘16)Privacy-preservingcomputationofPinocchioVC:threeworkerseachperformessentiallythework oftheoriginalprover.
Corollary. VerifiableMulti-PartyComputationwithconstant-timeverification!
Outline
• SecretsharingMPC• PinocchioVC
• SecretsharingMPC+PinocchioVC
PhilipsResearch14
PhilipsResearch15
SecretsharingMPC
Shamirsecretsharing(2-out-of-3)
PhilipsResearch16
(3,𝑦< + 𝑧<)
(2,𝑦@ + 𝑧@)
(1,𝑦A + 𝑧A)
𝑠$ + 𝑠"
0
𝑠$
𝑦A
𝑦@
𝑦<
1 2 3
𝑠"
(1,𝑦A)
(2,𝑦@)
(3, 𝑦<)
(1, 𝑧A)
(2, 𝑧@)
(3, 𝑧<)
(1,𝑦A𝑧A)
(2,𝑦@𝑧@)
(3,𝑦<𝑧<)
𝛼𝑠$
(1,𝛼𝑦D)
(2,𝛼𝑦E)
(3,𝛼𝑦F)
𝑦 = 𝑎𝑥 + 𝑠$ 𝑏𝑥 + 𝑠" = 𝑎𝑏 𝑥" + 𝑎𝑠" + 𝑏𝑠$ 𝑥 + 𝑠$𝑠"s$s" = 3(𝑦D𝑧D) − 3(𝑦E𝑧E) + (𝑦F𝑧F) (3-out-of-3sharing!)
Animation:SebastiaandeHoogh
, 𝑠𝑡(𝑠 + 𝑡)
𝑠𝑡(𝑠 + 𝑡) $
𝑠𝑡(𝑠 + 𝑡) "
𝑠𝑡(𝑠 + 𝑡) #
𝑠𝑡(𝑠 + 𝑡) $
𝑠𝑡(𝑠 + 𝑡) "
𝑠𝑡(𝑠 + 𝑡) #
𝑠 + 𝑡 $
𝑠 + 𝑡 "
𝑠 + 𝑡 #
𝑠𝑡 $
𝑠𝑡 "
𝑠𝑡 #
𝑠𝑡 # "
𝑠𝑡 # $
𝑠𝑡 " $ 𝑠𝑡 " $
𝑠𝑡 $ "
𝑠𝑡 $ #𝑠𝑡 $
𝑠𝑡 "
𝑠𝑡 #
𝑠 $, 𝑡 $
𝑠 ", 𝑡 "
𝑠 #, 𝑡 #
𝑠 $, 𝑡 $
𝑠 ", 𝑡 "
𝑠 #, 𝑡 #
Goal:compute𝑦 = 𝑠 ⋅ 𝑡 ⋅ (𝑠 + 𝑡)
𝑥 :2-out-of-3sharingof𝑥𝑥 :3-out-of-3sharingof𝑥
𝑠, 𝑡PhilipsResearch17
MPCbasedonShamirsecretsharing
𝑠𝑡 = 3 𝑠𝑡 $ − 3 𝑠𝑡 " + 𝑠𝑡 #𝑠𝑡 M = 3 𝑠𝑡 $ M − 3 𝑠𝑡 " M + 𝑠𝑡 # M
PhilipsResearch18
PinocchioVC
Pinocchio:QuadraticArithmeticPrograms
Provethatcommitted �⃗� satisfies equations
𝑉 ⋅ �⃗� ∗ 𝑊 ⋅ �⃗� = (𝑌 ⋅ �⃗�)
Example: 𝑦 = 𝑠 ⋅ 𝑡 ⋅ 𝑠 + 𝑡 ifandonlyif:
∃𝑧 ∶ U𝑠 ⋅ 𝑡 = 𝑧𝑧 ⋅ (𝑠 + 𝑡) = 𝑦
1 0 0 00 0 1 0 ⋅
𝑠𝑡𝑧𝑦
∗ 0 1 0 01 1 0 0 ⋅
𝑠𝑡𝑧𝑦
= 0 0 1 00 0 0 1 ⋅
𝑠𝑡𝑧𝑦
E.g.: 𝑠𝑡𝑦𝑧 = 32630 isasolution
PhilipsResearch19
“quadraticarithmeticprogram”(QAP)
Pinocchio:FromQAPtoSNARK(I)
PhilipsResearch20
Provethatcommitted𝑥 satisfiesequations 𝑉 ⋅ 𝑥 ∗ 𝑊 ⋅ 𝑥 = 𝑌 ⋅ 𝑥 .
Define𝑉M 𝜉 ,𝑊M 𝜉 , 𝑌M 𝜉 by“columnwise Lagrangeinterpolation”
1 0 0 00 0 1 0 ⋅
𝑠𝑡𝑧𝑦
∗ 0 1 0 01 1 0 0 ⋅
𝑠𝑡𝑧𝑦
= 0 0 1 00 0 0 1 ⋅
𝑠𝑡𝑧𝑦
𝑉$ 1 = 1, 𝑉$ 2 = 0𝑉$ 𝜉 = 2 − 𝜉
𝑊" 1 = 1, 𝑊" 2 = 1𝑊" 𝜉 = 1
…
valueat1valueat2
Considerpolynomial𝑃3⃗ 𝜉 = 𝑉$ 𝜉 𝑠+ 𝑉" 𝜉 𝑡 +⋯ ⋅ 𝑊$ 𝜉 𝑠+⋯ − 𝑌$ 𝜉 𝑠 + ⋯ :
• In𝜉 = 1:𝑃3⃗ 1 = 𝑉$ 1 𝑠+ 𝑉" 1 𝑡 + ⋯ ⋅ 𝑊$ 1 𝑠 +⋯ − 𝑌$ 1 𝑠 +⋯ = 𝑠 ⋅ 𝑡 − 𝑧• In𝜉 = 2:𝑃3⃗ 2 = 𝑉$ 1 𝑠+ 𝑉" 1 𝑡 + ⋯ ⋅ 𝑊$ 1 𝑠 +⋯ − 𝑌$ 1 𝑠 +⋯ = 𝑧 ⋅ 𝑠 + 𝑡 − 𝑦
So 𝑉 ⋅ 𝑥 ∗ 𝑊 ⋅ 𝑥 = 𝑌 ⋅ 𝑥ifandonlyif𝑃3⃗ 1 = 𝑃3⃗ 2 = 0ifandonlyif 𝜉 − 1 ⋅ 𝜉 − 2 |𝑃 𝜉ifandonlyif thereexistsℎ 𝜉 : 𝜉 − 1 ⋅ 𝜉 − 2 ⋅ ℎ 𝜉 = 𝑃3⃗ 𝜉
Pinocchio:FromQAPtoSNARK(II)
PhilipsResearch21
Example.
1 0 0 00 0 1 0 ⋅
𝑠𝑡𝑧𝑦
∗ 0 1 0 01 1 0 0 ⋅
𝑠𝑡𝑧𝑦
= 0 0 1 00 0 0 1 ⋅
𝑠𝑡𝑧𝑦
𝑉$ 𝜉 = 𝑌# 𝜉 = 2 − 𝜉𝑉" 𝜉 = 𝑉 𝜉 = 𝑊# 𝜉 = 𝑊 𝜉 = 𝑌$ 𝜉 = 𝑌" 𝜉 = 0𝑉# 𝜉 = 𝑊$ 𝜉 = 𝑌 𝜉 = 𝜉 − 1𝑊" 𝜉 = 1
valueat1valueat2
Claim: 𝑠𝑡𝑧𝑦 issolution iff thereexistsℎ 𝜉 suchthat
𝜉 − 1 𝜉 − 2 ℎ 𝜉 = 𝑠𝑉$ 𝜉 + 𝑡𝑉" 𝜉 + 𝑧𝑉# 𝜉 + 𝑦𝑉 𝜉 ⋅𝑠𝑊$ 𝜉 + 𝑡𝑊" 𝜉 + 𝑧𝑊# 𝜉 + 𝑦𝑊 𝜉 − 𝑠𝑌$ 𝜉 + 𝑡𝑌" 𝜉 + 𝑧𝑌# 𝜉 + 𝑦𝑌 𝜉
Claim: 32630 issolution iff thereexistsℎ 𝜉 suchthat
𝜉 − 1 𝜉 − 2 ℎ 𝜉 = 3𝑉$ 𝜉 + 2𝑉" 𝜉 + 6𝑉# 𝜉 + 30𝑉 𝜉 ⋅3𝑊$ 𝜉 + 2𝑊" 𝜉 + 6𝑊# 𝜉 + 30𝑊 𝜉 − 3𝑌$ 𝜉 + 2𝑌" 𝜉 + 6𝑌# 𝜉 + 30𝑌 𝜉
Claim: 32630 issolution iff thereexistsℎ 𝜉 suchthat
𝜉 − 1 𝜉 − 2 ℎ 𝜉 = 3𝜉 ⋅ 3𝜉 − 1 − 24𝜉 − 18
Claim: 32630 issolution iff thereexistsℎ 𝜉 suchthat
𝜉 − 1 𝜉 − 2 ℎ 𝜉 = 9𝜉" − 27𝜉 + 18
Pinocchio:FromQAPtoSNARK(III)
Lemma⇒ 32630 issolution iff thereexistsℎ 𝜉 suchthat
𝜉 − 1 𝜉 − 2 ℎ 𝜉 = 9𝜉" − 27𝜉 + 18
PhilipsResearch22
9𝜉" − 27𝜉 + 18𝜉" − 3𝜉 + 29(𝜉" − 3𝜉 + 2)
9
0−
ℎ 𝜉 = 9
Pinocchio:FromQAPtoSNARK(IV)
PhilipsResearch23
verificationkey:𝑔 fg$ ⋅…⋅ fgh
prover:𝑔i f
prover/verifier:𝑔jk f 3kl⋯
prover/verifier:𝑔mk f 3kl⋯
prover/verifier:𝑔nk f 3kl⋯
evaluationkey:𝑔, 𝑔f, 𝑔fo ,…
evaluation/verification key:𝑔jp(f),𝑔mp(f), 𝑔np (f)
𝑒𝑔r𝑔s 𝑒 𝑔r,𝑔s = 𝑒(𝑔t, 𝑔h)
iff𝑎 ⋅ 𝑏 = 𝑐 ⋅ 𝑑
𝑒𝑔t𝑔h
Magiccryptotool:pairing
verifier: 𝑒 𝑔 fg$ ⋅…⋅ fgh ,𝑔i f = 𝑒 𝑔jk f 3kl⋯,𝑔mk f 3kl⋯ ⋅ 𝑒 𝑔nk f 3kl⋯,𝑔g$
?
Ξ − 1 ⋅ … ⋅ Ξ − 𝑑 ⋅ ℎ Ξ = 𝑉$ Ξ 𝑥$ +⋯ ⋅ 𝑊$ Ξ 𝑥$ + ⋯ − 𝑌$ Ξ 𝑥$ +⋯ ⋅ 1𝜉 − 1 ⋅ … ⋅ 𝜉 − 𝑑 ⋅ ℎ 𝜉 = 𝑉$ 𝜉 𝑥$ +⋯ ⋅ 𝑊$ 𝜉 𝑥$ + ⋯ − 𝑌$ 𝜉 𝑥$ + ⋯ ⋅ 1
Ξ:random,unknown
Prove:
Pinocchio:FromQAPtoSNARK(V)
PhilipsResearch24
𝑠, 𝑡
- evaluatefunction:get𝑧, 𝑦- compute𝑔jx f y, 𝑔mx f y, 𝑔nx f y
- computeℎ 𝜉 = j z m z gn zzg$ ⋅…⋅(zgh)
- compute𝑔i f
verify:𝑒 𝑔 fg$ ⋅…⋅ fgh , 𝑔i f
= 𝑒(𝑔jk f {ljo f |lj} f 4 ⋅ 𝑔jx f y,𝑔mk f {lmo f |lm} f 4 ⋅ 𝑔mx f y) ⋅
𝑒 𝑔nk f {lno f |ln} f 4 ⋅ 𝑔nx f y,𝑔g$
𝑦, 𝑔i f , 𝑔jx f y,𝑔mx f y, 𝑔nx f y
evaluationkey:𝑔, 𝑔f, 𝑔fo ,…𝑔jx f ,𝑔mx f , 𝑔nx f
verificationkey:𝑔 fg$ ⋅…⋅ fgh
𝑔jk f ,𝑔mk f ,𝑔nk f
𝑔jo f ,𝑔mo f ,𝑔no f
𝑔j} f , 𝑔m} f , 𝑔n} f
PhilipsResearch25
PinocchioVCSecretsharingMPC
+
Trinocchio:DistributingthePinocchioSystem(I)
PhilipsResearch26
- evaluatefunction:get𝑧, 𝑦- compute𝑔jx f y, 𝑔mx f y, 𝑔nx f y
- computeℎ 𝜉 = j z m z gn zzg$ ⋅…⋅(zgh)
- compute𝑔i f
𝑠, 𝑡 𝑦, 𝑔i f , 𝑔jx f y,𝑔mx f y, 𝑔nx f y𝑠 , 𝑡 𝑦 , 𝑔i f , 𝑔jx f y , 𝑔mx f y , 𝑔nx f y
Trinocchio:DistributingthePinocchioSystem(II)
PhilipsResearch27
prove 𝑔,𝑔f, 𝑔fo ,… ,𝑔jx f ,𝑔mx f ,𝑔nx f ,𝑠, 𝑡 :
𝑧, 𝑦 = 𝑓(𝑠, 𝑡)
𝑔jx f y = exp(𝑔jx f ,𝑧)
𝑔mx f y = exp(𝑔mx f ,𝑧)
𝑔nx f y = exp(𝑔nx f ,𝑧)
𝑛 𝜉 = 𝑉$ 𝜉 𝑠+ 𝑉" 𝜉 𝑡 + 𝑉# 𝜉 𝑧 + 𝑉 𝜉 𝑦 ∗ 𝑊$ 𝜉 𝑠 +⋯ − 𝑌$ 𝜉 𝑠 + ⋯
ℎ 𝜉 = � zzg$ ⋅…⋅ zgh
𝑔i f = exp 𝑔, ℎ� ⋅ exp 𝑔f,ℎ$ ⋅ … ⋅ exp(𝑔f��k ,ℎhg$)
return𝑦, 𝑔i f ,𝑔jx f y,𝑔mx f y,𝑔nx f y
Trinocchio:DistributingthePinocchioSystem(II)
PhilipsResearch28
return 𝑦 , 𝑔i f , 𝑔jx f y , 𝑔mx f y , 𝑔nx f yreturn𝑦, 𝑔i f ,𝑔jx f y,𝑔mx f y,𝑔nx f y
𝑔i f = exp 𝑔, ℎ� ⋅ exp 𝑔f, ℎ$ ⋅ … ⋅ exp(𝑔f��k , ℎhg$ )𝑔i f = exp 𝑔, ℎ� ⋅ exp 𝑔f,ℎ$ ⋅ … ⋅ exp(𝑔f��k ,ℎhg$)
ℎ 𝜉 = � zzg$ ⋅…⋅ zgh
ℎ 𝜉 = � zzg$ ⋅…⋅ zgh
Productsof2-out-of-3sharesgive3-out-of-3shares
𝑛 𝜉 = 𝑉$ 𝜉 𝑠 + 𝑉" 𝜉 𝑡 + 𝑉# 𝜉 𝑧 + 𝑉 𝜉 𝑦 ∗ 𝑊$ 𝜉 𝑠 +⋯− 𝑌$ 𝜉 𝑠 +⋯
𝑛 𝜉 = 𝑉$ 𝜉 𝑠 + 𝑉" 𝜉 𝑡 + 𝑉# 𝜉 𝑧 + 𝑉 𝜉 𝑦 ∗ 𝑊$ 𝜉 𝑠 + ⋯ − 𝑌$ 𝜉 𝑠+ ⋯
𝑔nx f y = exp(𝑔nx f , 𝑧 )
𝑔mx f y = exp(𝑔mx f , 𝑧 )
𝑔jx f y = exp(𝑔jx f , 𝑧 )
𝑔nx f y = exp(𝑔nx f ,𝑧)
𝑔mx f y = exp(𝑔mx f ,𝑧)
𝑔jx f y = exp(𝑔jx f ,𝑧)
MPCcomputationof𝑓 givesinternalwirevalues“forfree”
𝑧 , 𝑦 = 𝑓( 𝑠 , 𝑡 )𝑧, 𝑦 = 𝑓(𝑠, 𝑡)
prove 𝑔,𝑔f, 𝑔fo ,… ,𝑔jx f ,𝑔mx f ,𝑔nx f , 𝑠 , 𝑡 :prove 𝑔, 𝑔f, 𝑔fo, … ,𝑔jx f ,𝑔mx f ,𝑔nx f ,𝑠, 𝑡 :
Divisionbypublicpolynomialislinear!
Shamirreconstruction“intheexponent”
Onlystep inwhichtheworkerscommunicate!
Trinocchio:DistributingthePinocchioSystem(III)
PhilipsResearch29
𝑦 , 𝜋
�⃗�
�⃗�
�⃗�
𝑠 , 𝑡Theorem. Privacy-preservingcomputationofPinocchioVC:threeworkerseachperformessentiallytheworkoftheoriginalprover.
275s
275s
275s
6427s
6427s
6427s
0.05s
Extensions/FutureDirections
PhilipsResearch30
𝑋 ⋅ 𝑅 = 1
𝑋 = 𝐵$ + 2𝐵" +…+2�𝐵�
1 = 𝐵$ ⋅ 1− 𝐵$…1 = 𝐵� ⋅ 1− 𝐵�
QAP MPC
nonzerotest
positivitytest
𝑈 ∈� ℱ𝑉 = 𝑂𝑝𝑒𝑛( 𝑋𝑈 )𝑅 = 𝑉g$ 𝑈
𝐵$ ,… , 𝐵$ =𝐵𝑖𝑡𝐷𝑒𝑐( 𝑋 )
…
• Multiple inputters
• AuditableMPC
• Verifiabilitybycertificatevalidation
• QAPs+MPCforparticulartasks?– Zerotesting– Comparison– …
• Easilyprogrammabledistributedverifiablecomputation
