eran tromer
DESCRIPTION
Information Security – Theory vs. Reality 0368-4474-01, Winter 201 2 -2013 Lecture 9: Integrity on untrusted platforms: Proof-Carrying Data (cont.). Eran Tromer. Recall our high-level goal. Ensure properties of a distributed computation when parties are mutually untrusting , - PowerPoint PPT PresentationTRANSCRIPT
1
Information Security – Theory vs. Reality
0368-4474-01, Winter 2012-2013
Lecture 9: Integrity on untrusted platforms:Proof-Carrying Data (cont.)
Eran Tromer
2
Recall our high-level goal
Ensure properties of adistributed computation
when parties aremutually untrusting,
faulty, leaky&
malicious.
3
Proof-Carrying Data [Chiesa Tromer 09]following Incrementally-Verifiable Computation [Valiant 08]
yyF(x) zG(y)
Each party prepares a proof string for the next one.Each proof is:• Tiny (polylogarithmic in party’s own computation).• Efficiently verifiable by the next party.
Alice Bob Carolx, F G
y verifyzz
z
z=G(y)and I got a valid proof
that “y=F(x)”
y=F(x)
4
C-compliance
m1
m2
m3
m 4
m5
m6
m7
mout
System designer specifies his notion of correctness via a compliance predicate C(in,code,out)that must be locally fulfilled at every node.
Ccode
in out
accept / reject
(program, human inputs, randomness)
C-compliantdistributed
computation
5
ConstructingProof-Carrying Data
systems
• Technical background• PCD construction• Towards a PCD implementation
7
Theorems and NP proofs
A theorem is a statement for which there exists a valid proof string (witness) w.
Valid is defined by an efficient verification procedure that, on input the theorem and the (purported) proof string w, decided whether to accepts.
This is just another interpretation of NP (equivalent to the classic “non-determinism based” definition).
VPw 1 ∃ valid wVNPPNP
8
Probabilistically-Checkable Proofs (PCP)
Relaxation: a prover outputs a proof string such that, if the statement is false, the probabilistic verifier is unlikely to be convinced.
Soundness:
A probabilistic verifier can be much more efficient than the NP verifier. In fact, the verifier doesn’t need to read more than a few bits of !
PPCP
1Pr[ ]>2-1000 ∃ valid wVPCP
9
Proofs and Verification Complexity
verifiercost
proof length
NPproofs
exponentialPCPs
probabilisticverification
polynomial exponentiallogarithmic
10
Proofs and Verification Complexity
verifiercost
proof length
NPproofs
polynomialPCPs
exponentialPCPs
probabilisticverification
special codes
polynomial exponentiallogarithmic
11
Proofs and Verification Complexity
verifiercost
proof length
NPproofs
CSproofs
polynomialPCPs
exponentialPCPs
probabilisticverification
special codes
polynomial exponentiallogarithmic
12
Computationally-Sound proofs (CS-proofs / arguments)
Further relaxation:care only about efficient (polynomial-time) provers.An inefficient prover could cheat the verifier, but this can be made arbitrarily hard by increasing a security parameter.Soundness: for all polynomial-time P:
Analogy:• information-theoretically-secure encryption (one-time pad), vs. • computationally-secure encryption (AES).
VCSPPCSP
1Pr[ ]>2-1000 ∃ valid w
13
Computationally-Sound Proofs / [Kilian 92][Micali 94]
• The prover produces a polynomially-long PCP proof.• The verifier reads only a few randomly-chosen indices.• Then why bother sending all of the PCP proof?• … because if the prover knew what the verifier reads, he
could easily fool the verifier.• Idea: use Fiat-Shamir heuristic:
– Prover writes down PCP proof – Prover computes a Merkle
hash tree of ; let r be the root.– Prover use r as “randomness” to choose the indices.– Prover sends these indices to verifier, along with Merkle
tree verification paths.– Verifier checks paths and then invokes PCP verifier.
r
14
Proofs and Verification Complexity
verifiercost
proof length
NPproofs
CSproofs
polynomialPCPs
exponentialPCPs
probabilisticverification
Fiat-Shamir
compressionspecial codes
polynomial exponentiallogarithmic
15
Proof of knowledge
Proof systems may satisfy an additional property:• proof of knowledge: any (possibly cheating) prover P that
convinces the verifier of some theorem “knows” a valid witness w for the theorem.
• Formally captured by a knowledge extractor, an efficient procedure that, with suitable access to such P, extracts a witness:
• This is strictly stronger than soundness.• We never run the knowledge extractor in reality.
Its existence is used only in the security reduction.
1PCSP
knowledgeextractor valid w
Pr[ ]≈1 VCSPPCSP
16
PCD construction:
Proof aggregation intuition
17
Back to F and G
The strings y and z are arguments (computationally sound proofs).
zy
z for
“z=G(y)and I got a proof that
“y=F(x)” ”
y for“y= F(x)”
yF(x) zG(y)
Alice Bob Carol
verifyz
18
Proof aggregation
Alice
zyBob Carol
xG
V
P P
V
F
zy
y=F(x) z=G(y) and∃y : V(“y=F(x)”,y)=1
19
Soundness vs. proof of knowledge
Alice
zyBob Carol
xG
V
P P
Need proof of knowledge:
V
VP 1
P
F
knowledgeextractor valid w
Pr[ ]≈1
y=F(x)
Meaninglessfor arguments
zy
z=G(y) and∃y : V(“y=F(x)”,y)=1
`
strong
20
Must use PCPs for compression
• Probabilistically Checkable Proofs (PCPs) used to generate concise proof strings.
Alice
zyBob Carol
PCP
xG
V
P PPCP
V
F
zy
(And there is evidence this is inherent [Rothblum Vadhan 09].)
21
Must use oracles for non-interactive proof of knowledge
Alice
zyBob Carol
zyPCP
xG
V
P PPCP
RO
V
F
The only known construction of non-interactive proofs of knowledge is Micali’s, using Merkle trees where the “hashing” is done using random oracle calls.
22
PCP vs. oracles conflict
• PCP theorem does not relativize [Fortnow ‘94], not even with respect to a RO [Chang et al. ’92]
• this precluded a satisfying proof of security in [Valiant ‘08]
Alice
zyBob Carol
zyPCP
xG
V
P P
RO
V
F
PCP
VPCP
23
The “trusted hardware” solution
Every node has access to a simple, fixed, stateless trusted functionality -- essentially, a signature card.
Cm1
1
m2
2
m 4
4
m5
5
m6
6
m7
7
mout
out
m3
3
SIRSIR
SIR
SIR
SIR
SIR
• Signed-Input-and-Randomness (SIR) oracle
24
SIR model
Every node has access to a simple, fixed, trusted functionality -- essentially, a signature card.
• Signed-Input-and-Randomness (SIR) oracle
xinput string
SIRSK
rrandom string
r ← {0,1}s
← SIGNSK(x,r)
slength
signature on (x,r)
VKcan derandomize:
Generate r using PRF
26
Public-key crypto the rescue
Oracle signs answers using public-key signature:• answers are verifiable without accessing oracle• asymmetry allows us to break “PCP vs. oracle” conflict, and
recursively aggregate proofs
Alice
zyBob Carol
zyPCP
Fx
G
V
P PPCP
OSK
VK
V
SIR
back
29
Sketch of constructions
Constructing APHAs (Assisted Prover Hearsay Arguments):• Start with universal arguments [Micali] [Barak Goldreich ‘02]• De-interactivize by replacing public-coin messages with oracle queries• Add signature to statement to force witness query (≈ [Chandran et al. ‘08])• Prove a very strong PoK by leveraging the weak PoK of UA
Generalizing to PCD:• Handle distributed-computation DAG,
using APHA for the proofs along each edge.• C-compliance: use fixed aggregation rule to reason about arbitrary
computation by proving statements of the form:C(in,code,out)=1 & “each input carries a valid APHA proof string”
≈ Fiat-Shamirheuristic
30
APHA
Construction sketch
31
APHA systems
Needed:• Highly-compressing non-interactive arguments• Proof-of-knowledge property that’s strong enough to
prove hearsay:statements whose truth relies on previous
arguments heard from others.• In the assisted prover model.
We call thisAssisted Prover Hearsay Arguments (APHA).
back
32
Universal arguments [Barak and Goldreich ‘02]
UAprover
UAverifierr2
r1
resp1
resp2
• public coin: r1 and r2 are just random coins• temporal dependence:
r2 is sent only after resp1 is received
Start with universal arguments:Efficient interactive arguments of knowledge with constant rounds and public coins.
back
33
De-interactivize universal arguments: first try
Prover interacts with random oracle, not with verifier:• obtains random strings
newprover
randomoracle
newverifier
randomoracle
UAprover
UAverifier
back
34
De-interactivize universal arguments
Prover interacts with SIR oracle, not with verifier:• obtains random signed strings• temporal ordering enforced by having each oracle query
include the preceding transcript
almost-APHA prover
SIRoracle
almost-APHAverifier
SIRoracle
UAprover
UAverifier
≈ Fiat-Shamirheuristic
back
35
Enhance proof of knowledge
• Forces prover to get signature on witness• Knowledge extractor finds witness by examining the queries
strong proof of knowledge
APHAprover
SIRoracle
APHAverifier
SIRoracle
almost-APHA prover
almost-APHA verifier
SIRoracle
SIRoracle
get signature onthe witness
“x Land
is asignature on a
witness for x L”
w
cf. [ChandranGoyalSahai 08]
back
36
Can now do F and G example
We can now do the above example!
... how about proof-carrying data?
Alice
zyBob Carol
PCP
x
PCP
G
V
P P
V
F
zy
back
37
PCD
Construction sketch
back
38
PCD systems
PCD systems are wrappers around APHA systems, with:– Simpler interface for applications
(no need to reason about theorems and proofs)– Simpler proof-of-knowledge property
(APHAs have a very technical “list extraction” definition)
– C-compliance
back
39
PCD definition
At every node, a party uses the PCD prover PPCD:
PPCD
Osk
zin1, in1
zin2, in2
C, VK
out
Proofs are checked by the PCD verifier:VPCD(C, VK, z*, ) decidesif π is a convincing proof for z*.
codezout
back
40
PCD definition
PCD systems satisfy• efficient verifiability:
TIME(VPCD(C, VK, z, π)) = polylog(time to make π) (actually, much better... )
• completeness via a relatively efficient prover:if computation is C-compliant, then the proof output byprover convinces verifier. Moreover:TIME(PPCD(...)) = poly(time to check C)
+ polylog(time to generate inputs’ proofs) • proof of knowledge: from any convincing prover, can extract a
whole C-compliant computation
back
41
Back to F and G
• Having APHA systems, we can already do the above example
• How to generalize to C-compliance?
Alice
zyBob Carol
πzπyPCP
x
PCP
G
V
P P
V
F
back
42
Adding C-compliance
Alicezy
Bob Carol
πzπyPCP
Fx
PCP
G
V
P P
C C
• “Export” the choice of computation to be an input to a “fixed rule of aggregation”
V
back
43
PCD Machine
Alicezy
Bob Carol
πzπyPCP
Fx
PCP
G
V
P P
C C
• Such fixed rule we call the PCD machine, and it depends on C
PCD machine
V
back
44
Implementation
45
PCP implementation stack: overview
“natural” problem
verifying properties ofa polynomial in a
finite field
problemreduction
Javaprogram
circuit
solution tothe problem
executiontrace
solutionreduction
polynomial to be verified
PCPproverPCP
verifier
PROOF
Task 1:“PCP engine”
Task 2:“reduction path”
assignment
46
Does this work?
Established: Formal framework• Explicit construction
– “Polynomial time” - not practically feasible (yet…)– Requires signature cards
Ongoing and future work:• Full implementation• Practicality• Reduce requirement for signature cards (or prove necessity)• Extensions (e.g., zero knowledge)• Interface with complementary approaches: tie “compliance”
into existing methods and a larger science of security• Applications and “compliance engineering” methodology