Efficient Consistency Proofs for Generalized Queries on a Committed Database

1. Efficient Consistency Proofs for Generalized Queries on a Committed Database R. Ostrovsky C. Rackoff A. Smith UCLA Toronto U. MIT July 12, 2004 http://www.cs.ucla.edu/~rafail

2. Main goal • Potentially cheating party publishes a short certificate to a “database” which “commits” it to the entire database • Answers to any complex query can be shown (with a very short proof) to be consistent with the certificate • No poly-time adversary can cheat and come up with a certificate and two different answers to the same query • Main challenge – achieve short certificate and short proofs for general queries

3. History • Commitment to Sets of Values • [Buldas, Laud, Lipmaa] • [Kilian] • [Micali and Rabin] • Protocols with Trusted Committer – Authenticated Data-Structures • [Naor, Nissim] • [Goodrich, Tamassia, Tiandopoulus, Cohen], • many others • Zero-Knowledge Sets • [Micali, Rabin Kilian]

4. Our Contributions (1) • Def of Consistent Query Protocols (CQP): short certificate that “binds” general data-structures together with short proof of consistency • CQP for Orthogonal Range queries

5. Our contributions (cont) • For orthogonal range queries: • Each entry: (key1,…keyd, value) • Query: d ranges, each range [x1,x2] • d dimensions • K is a security parameter • Proof size: O(k(m+1) logdN) • We show how to modify Bentley’s data structure. (authenticated data-structures are not sufficient)

6. Our contributions (cont) • General transformation: we show how to modify any consistent query protocol to have the same property as ZK-sets. That is, not to reveal DB size using O(poly(k)) overhead based on general assumptions. • We show construction based on explicit-hash Merkle trees with better constants.

7. The rest of the talk… • Machinery needed. • Some of the ideas in our constructions.

8. Motivation – Commitment Protocols • Two player game: Committer and Receiver. • Commitment stage: “storing” some hidden value. • De-commit stage: “opening” this value. • Two properties: binding property and privacy property.

9. An example of a commitment protocol • Alice has a hidden bit b. • Alice picks a 1-way permutation f:nn, a random n-bit x, r and sends to Bob • f(x), [(x*r) mod 2] xor b • If f is verifiable 1-way permutation, this is both binding and secure. • To open, Alice sends x to Bob.

10. Multiple commitments • What if Alice wants to commit • b1,…,bn • One way to do it is to repeat the protocol above, and commit each bit separately. • How can we do it more efficiently?

11. A faster way to do it – Merkle trees • Assume h: 2kk is a collision-resistant hash function such that no poly-time adversary can find a collision. • Group N bits that we wish to commit into groups of size 2k each, apply h, Now, we have N/2 bits. Repeat until get to k bit. • Commit (using basic scheme) the last k bits. • Merkle: this is secure, since otherwise can find a collision.

12. Commitment of a set • Committing to a set of integers. • The naïve approach: commit each integer separately using basic scheme • Easy on yes answers • Hard on “no” answers

13. Do Merkle trees work? • Not as is. • Yes answers are fast • No answers are slow– have to go over all the leaves • [BLL][K][MR] gave a faster solution (for no asnwers) for a set based on Merkle trees. (If the set has total order the solution also works for intervals)

14. The basic idea of [BLL][K][MR]:Merkle interval tree • Sort the keys • Each internal node contains: • Left sub tree interval • Right sub tree interval • MD5 of its children values • To show that the item is present, show the path to the root, with all siblings along the path. • To show that the item is NOT in the DB, show the path until intervals EXCLUDES the item.

15. Orthogonal range queries • What if we wish to commit to more general data-objects, such as relational database? Example: DB of “employee name”, “age”, “salary”. • We wish to support range-queries of the form “find all employees between age 30-40 and between salary x and y”. • What does Consistent range-query mean here? • In this talk: we’ll limit to 2-d range queries, though our solution generalizes.

16. 2-D range queries: the data-structure • DB: (xkey,ykey, value) • Query: find all entries in DB in the rectangle [x1,x2][y1,y2] • Modification to Bentley’s 2-dim range query • Make Merkle-Interval tree for X-coordinate • For each internal node (corresponding to X-interval) store inside the node the root of “secondary” Merkle Interval tree for Y coordinates in that X-range. (each y point is stored log N times)

17. 2-D range queries: searching for range • Search primary tree and check for consistency • Search a secondary tree and check for consistency • For each entry that is retrieved, check that it is valid in ALL secondary trees which are on the path to the root in the primary tree. (Takes O(log2N) steps). • Easy to generalize to d-dimensions • Proof: if Adv can chat on any range  can find collisions.

18. Extending idea to Zero-Knowledge Sets • Previous scheme works for 2-dimensional ranges • [KMR] show how to extends to ZK-sets (i.e. Not to reveal N) using DDH assumption. • We show how to extend this idea to Zero-Knowledge Sets under general assumptions using [Barak-Golreich] universal arguments: • Commit to a root • Give a commitment of CQP • Give a [BG] universal argument of supper-poly bound on N of consistency.

19. Conclusions • Consistent query protocols (CQP) are generalizations of: • Zero-knowledge sets • Commitment schemes (for large datasets) • Authenticated Data structures • CQP be achieved under general assumptions. • For special cases (such as low-dimensional range-queries) we show implementations that do not require PCP, and are efficient. (O(log N) away from best know non-private bound)