Multi-Client Non-Interactive Verifiable Computation
Seung Geol Choi (Columbia U.)
Jonathan Katz (U. Maryland)
Ranjit Kumaresan (Technion)
Carlos Cid (Royal Holloway)

Verifiable Computation
• Increasing dependence on the cloud
• Individual devices getting smaller & smaller
• Resource constrained
• Computation outsourced to the cloud
• “Trust, but verify”
• Many incentives for a cloud to cheat
• Minimize resource usage
• Malicious server!
• Need to verify whether server performs correct computations
• Verification must be cheaper than computation

Verifiable Computation
• Variety of solutions
• Interactive proofs [GMR85,LFKN92,S92,GKR08]
• MIPs & PCPs [BFL91,BFLS91,BCCT12]
• Interactive arguments [BCC88,M94,K92,K95]
• Non-Interactive Solutions [K95,M94,GKR08,CKV10,GGP10,AIK11,BHR12]
• Public verifiability [PRV12]
• All of them deal with verifiably computing functions on a single client’s input

Multi-Client Verifiable Computation
[Diagram]

Motivation
Resource constrained data gathering sensors located far apart want to compute over joint collected data.
Ask one sensor to collect all data & use single-client verifiable comp.?
• Requires client-client communication
• Mix-and-match attacks
• No analogue in single-client setting
• No privacy
Need a model for non-interactive verification of computations over joint inputs of multiple clients.

Our Contributions
Initiate study of non-interactive multi-client verifiable computation in a setting with
• n semi-honest clients
• malicious server
• Model, syntax, and definitions
• Generic constructions
• Non-interactive solution
• Privacy against colluding clients
• Privacy against malicious server

Talk Outline
• Motivation & Introduction
• Model, Syntax, and Definitions
• Building Blocks
• Construction
• Conclusions

Model
• Clients are semi-honest
• Want non-interactive solution
• No interaction between clients
[Diagram: n clients]

Model
• How to prevent spoofing attacks?
• Use PKI
• How to prevent mix-and-match attacks?
• Use global clock
Assumptions of this type are necessary
• Clients are semi-honest
• Want non-interactive solution
• No interaction between clients
[Diagram: n clients]

Model
Like [GGP10], use offline preprocessing model
• One-time (expensive) preprocessing
• Must be non-interactive
• Allows for multiple (cheap) verification stages
• Clients are semi-honest
• Want non-interactive solution
• Assume PKI & global clock
[Diagram: n clients]

Model
Only first client gets output
• Easily generalized to multiple clients obtaining outputs
• Parallel executions
• Clients are semi-honest
• Want non-interactive solution
• Assume PKI & global clock
• One-time preprocessing
[Diagram: n clients]

Model
• Clients are semi-honest
• Want non-interactive solution
• Assume PKI & global clock
• One-time preprocessing
• Only first client gets output
[Diagram: n clients]

Syntax
• Setup
• KeyGen
• Online
• EncInp_j
• Compute
• Verify
• Offline
• EncFun
[Diagram labels: pk1, pk2, x_{i,1}, x_{i,2}, X_{i,1}, X_{i,2}, W_i, y_i, T_i, F, S]

Properties
Outsourcing: T(encode input) + T(verify output) < T(compute function)
Soundness
• Given encoding of function, A gets to choose series of inputs & receive encodings of each input. Finally A outputs (i, W_i)
• If Verify(W_i) ≠ f(x_i) and Verify(W_i) ≠ λ, output 1, else 0
Scheme is sound if Experiment outputs 1 with negl. prob.
Privacy
• Against server: Cannot distinguish between executions where clients hold input x_0 vs. another where client inputs are x_1
• Against first client: Conditioned on its input being the same, cannot distinguish between executions having same output

Building Blocks
• Projective Garbling Schemes [Y86,BHR12]
• Non-Interactive Proxy Oblivious Transfer [NPS99]
• Fully Homomorphic Encryption [G09,BV11]
• Converts one-time scheme to a many-time scheme
Our construction builds upon the single-client scheme of [GGP10]

Projective Garbling Schemes
• Garbling Schemes [Y86,BHR12]
• “Projective” if individual input encodings can be generated independently
• Adaptive soundness
• Same issue as in [GGP10]
• Assume Yao GCs satisfy adap. soundness
• Reasonable in practice
• [BHR12]: Does not follow from CPA security of enc.
[Diagram labels: possible output encodings; encoding of function (GC); projective encoding of individual input bits]

Proxy Oblivious Transfer [NPS99]
Ideal Functionality
[Diagram labels: b = 0,1; x_0, x_1; x_b; Proxy OT]
Want a non-interactive proxy OT protocol

Non-Interactive Proxy OT
• Use PKI and a non-interactive key exchange (NIKE) protocol to generate common randomness s unknown to server
• Use common randomness s to run PSM protocol [FKN94] for OT, with server as referee
[Diagram labels: b = 0,1; x_0, x_1; pk1, pk2; s = (r_0, r_1, c); (c+b, r_{c+b}); (x_c + r_c, x_{1+c} + r_{1+c})]

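Added example (not from the slides or the authors' code): the non-interactive proxy OT message flow in Python, with the server acting as referee. The NIKE output is assumed to be an already-shared key `nike_key`, `context` is a hypothetical per-instance tag, `+` is taken as XOR, and the masks are indexed by message slot, which is this example's own choice of indexing.

```python
import hashlib

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def shared_randomness(nike_key, context, n):
    """Both clients derive s = (r0, r1, c) locally; the server never sees nike_key."""
    stream = hashlib.shake_256(nike_key + context).digest(2 * n + 1)
    return stream[:n], stream[n:2 * n], stream[2 * n] & 1

def sender_message(s, x0, x1):
    """Sender: swap the pair by c, then mask slot 0 with r0 and slot 1 with r1."""
    r0, r1, c = s
    x = (x0, x1)
    return xor(x[c], r0), xor(x[1 ^ c], r1)

def chooser_message(s, b):
    """Chooser: a blinded slot pointer d = c XOR b and the mask for that slot only."""
    r0, r1, c = s
    d = c ^ b
    return d, (r0, r1)[d]

def referee_output(from_sender, from_chooser):
    """Server as referee: unmask the indicated slot; the other slot stays masked."""
    d, mask = from_chooser
    return xor(from_sender[d], mask)

def proxy_ot(nike_key, context, x0, x1, b):
    # Each party runs only its own function; they are chained here to show the flow.
    s = shared_randomness(nike_key, context, len(x0))
    return referee_output(sender_message(s, x0, x1), chooser_message(s, b))
```

The masks act as one-time pads, so s = (r0, r1, c) must be derived afresh for every transfer.
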
One-Time Multi-Client VC
Preprocessing
Using a garbling scheme, encode function & prepare state to encode inputs and to verify encoded outputs

One-Time Multi-Client VC
Input Encoding
Select own keys depending on input bits
[Diagram labels: x_{i,1}, x_{i,2}, GC]

One-Time Multi-Client VC
Input Encoding
Select keys for others using non-interactive proxy OT
[Diagram labels: x_{i,1}, x_{i,2}, GC; keys obtained from Proxy OT]

One-Time Multi-Client VC
Compute
Evaluate garbled circuit to obtain output encoding
[Diagram labels: x_{i,1}, x_{i,2}, GC]

One-Time Multi-Client VC
Verify
Check whether received key matches one of the 2 output keys
[Diagram labels: x_{i,1}, x_{i,2}, GC]

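Added example (not the authors' code): the four one-time stages above, carried through for a single garbled AND gate with one input bit per client. The hash-based row encryption and all function names are assumptions of this example, and client 2's label is handed over directly where the scheme would deliver it through the non-interactive proxy OT.

```python
import hashlib
import secrets

LABEL = 16  # bytes per wire label (constructed parameter)

def pad(k1, k2):
    # 32-byte pad derived from one label per input wire
    return hashlib.sha256(k1 + k2).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def preprocess():
    """Offline, client 1: garble f(x1, x2) = x1 AND x2."""
    in1, in2, out = ([secrets.token_bytes(LABEL) for _ in range(2)] for _ in range(3))
    # Each row hides the correct output label plus a zero tag under one label pair.
    table = [xor(pad(in1[a], in2[b]), out[a & b] + bytes(LABEL))
             for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(table)  # hide which row belongs to which inputs
    return table, in1, in2, out

def encode_input(labels, bit):
    """Projective encoding: each input bit selects its label independently."""
    return labels[bit]

def compute(table, k1, k2):
    """Server: the row that decrypts to a zero tag yields the output label."""
    for row in table:
        plain = xor(row, pad(k1, k2))
        if plain[LABEL:] == bytes(LABEL):
            return plain[:LABEL]
    return None

def verify(out, w):
    """Client 1: map w to an output bit, or reject (None) if it is neither output key."""
    for bit in (0, 1):
        if isinstance(w, bytes) and secrets.compare_digest(w, out[bit]):
            return bit
    return None

def run_once(x1, x2, forge=False):
    table, in1, in2, out = preprocess()
    w = compute(table, encode_input(in1, x1), encode_input(in2, x2))
    if forge:  # a cheating server guesses a label instead of evaluating
        w = secrets.token_bytes(LABEL)
    return verify(out, w)
```
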
Multi-Client VC - Finis
• Soundness
• Privacy of non-interactive proxy OT scheme
• Authenticity of garbling scheme
• Privacy
• Non-interactive nature of the scheme
• Privacy of single-client [GGP10] scheme
• Privacy of non-interactive proxy OT scheme
• Wrap one-time scheme with Fully Homomorphic Encryption
• Converts one-time scheme to many-time
• Semantic security preserves one-time soundness & privacy

Conclusions & Summary
• Modeled non-interactive multi-client verifiable computation in a setting with
• n semi-honest clients
• Single malicious server
• Formal syntax and definitions
• Generic constructions of schemes based on
• Projective Garbling Schemes
• Non-Interactive Proxy Oblivious Transfer
• Fully Homomorphic Encryption
• Future directions
• Stronger models, e.g., malicious clients, etc.