Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client...
Transcript of Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client...
![Page 1: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/1.jpg)
Verifying remote computations using PCPs
Srinath Setty, Andrew Blumberg, and Michael WalfishUT Austin
![Page 2: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/2.jpg)
Can we build this?
ClientF(x)
y
Computation
output
Server
![Page 3: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/3.jpg)
Can we build this?
ClientF(x)
y
Computation
output
Server
• Check if y equals F(x) without re-executing
![Page 4: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/4.jpg)
Can we build this?
ClientF(x)
y
Computation
output
Server
• Check if y equals F(x) without re-executing
• Unconditional: no assumptions
![Page 5: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/5.jpg)
Why should we build this?
• Offloading computations to the cloud
• Outsourcing computations to volunteer machines (Enigma@home, Einstein@home, ...)
![Page 6: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/6.jpg)
How can we solve this problem in principle?
• Probabilistically checkable proofs (PCPs) and argument systems [Arora et al. JACM, 1998]
![Page 7: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/7.jpg)
How can we solve this problem in principle?
• Probabilistically checkable proofs (PCPs) and argument systems [Arora et al. JACM, 1998]
• PCP theorem: server proves that y = F(x) and client validates without re-executing
![Page 8: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/8.jpg)
We have a conflict
• PCPs are mind-blowing
![Page 9: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/9.jpg)
We have a conflict
• PCPs are mind-blowing
• But the costs are also mind-blowing
![Page 10: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/10.jpg)
We have a conflict
• PCPs are mind-blowing
• But the costs are also mind-blowing
‣ For polynomial evaluation (700 variables), the server takes 105 years!
![Page 11: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/11.jpg)
We have a conflict
• PCPs are mind-blowing
• But the costs are also mind-blowing
‣ For polynomial evaluation (700 variables), the server takes 105 years!
• Our research program: try to make PCPs practical
![Page 12: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/12.jpg)
Rest of this talk:
• Overview of PCPs
• Our refinements
![Page 13: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/13.jpg)
PCPs from 200,000 feet
ServerClient
Booleancircuit
F(x)
F(x)
y
![Page 14: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/14.jpg)
PCPs from 200,000 feet
ServerClient
Proof
Booleancircuit
F(x)
F(x)
y
![Page 15: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/15.jpg)
PCPs from 200,000 feet
ServerClient
Proof
Proof
Booleancircuit
F(x)
F(x)
y
![Page 16: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/16.jpg)
PCPs from 200,000 feet
ServerClient
Proof
Random locations
Proof
Booleancircuit
F(x)
F(x)
y
![Page 17: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/17.jpg)
PCPs from 200,000 feet
ServerClient
ProofProof
Random locations
Chosen values
Proof
Booleancircuit
F(x)
F(x)
y
![Page 18: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/18.jpg)
PCPs from 200,000 feet
ServerClient
ProofProof
Accept/Reject
Random locations
Tests
Chosen values
Proof
Booleancircuit
F(x)
F(x)
y
![Page 19: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/19.jpg)
Our attempt to make PCPs practical
• Build on the work that introduces interaction [Kilian CRYPTO’95, Ishai et al. CC’07]
• Use a higher-level abstraction to represent computations
‣ Reduces cost by 8 orders of magnitude
• Apply a divide-and-conquer technique
‣ Reduces cost by 2 orders of magnitude
![Page 20: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/20.jpg)
We build on an interactive variant of PCPs
• The server proof is a generating function
• The server responds to queries by evaluating the function
• The client binds the server to its function using cryptographic commitment
[Ishai et al. CC’07]
![Page 21: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/21.jpg)
Can we use a higher-level abstraction?
• Use arithmetic circuits instead of Boolean circuits
• Savings:
‣ 8 orders of magnitude at the server
‣ 4 orders of magnitude at the client
![Page 22: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/22.jpg)
Can we apply a divide-and-conquer strategy?
• Decompose the computation into parallel pieces
• The client batch-verifies the computation
• Saves two orders of magnitude in costs
![Page 23: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/23.jpg)
Examples that we implemented
• Polynomial evaluation
• Matrix multiplication
• Fast Fourier Transform (FFT)
• Image filtering with convolution matrices
![Page 24: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/24.jpg)
Example savingsFor polynomial evaluation with 700 variables
(Local execution time: 164 msec)
interactive baseline
post-refinements
Server’s work 130,000 years 11.5 hours
Client’s work 940 sec 94 msec
The scheme is near-practical
![Page 25: Verifying remote computations using PCPs · • PCP theorem: server proves that y = F(x) and client validates without re-executing. We have a conflict](https://reader033.fdocuments.us/reader033/viewer/2022051608/603e5f05ca716545932996e8/html5/thumbnails/25.jpg)
Summary
• Our refinements reduce costs by over 10 orders of magnitude
• More refinements are required to make the scheme fully practical
• Upshot: PCP-based verified computation can be a systems problem