Eran Tromer

Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013Lecture 9: Integrity on untrusted platforms:Proof-Carrying Data (cont.) EranTromer

Recall our high-level goal Ensure properties of adistributed computationwhen parties aremutually untrusting, faulty, leaky&malicious.

Proof-Carrying Data[Chiesa Tromer 09]following Incrementally-Verifiable Computation[Valiant 08] Alice Carol Bob x, F G y z verify z zG(y) yF(x) y z y=F(x) z=G(y)and I got a valid proof that “y=F(x)” • Each party prepares a proof string for the next one. • Each proof is: • Tiny (polylogarithmic in party’s own computation). • Efficiently verifiable by the next party.

C-compliance System designer specifies his notion of correctness via a compliance predicateC(in,code,out) that must be locally fulfilled at every node. code (program, human inputs, randomness) C accept / reject C-compliant distributed computation in out m3 m1 m6 mout m4 m2 m7 m5

ConstructingProof-Carrying Datasystems Technical background PCD construction Towards a PCD implementation

Theorems and NP proofs A theorem is a statement for which there exists a valid proof string (witness) w. Valid is defined by an efficient verification procedure that, on input the theorem and the (purported) proof string w, decided whether to accepts. This is just another interpretation of NP (equivalent to the classic “non-determinism based” definition). P PNP V VNP w 1 ∃valid w

Probabilistically-Checkable Proofs (PCP) Relaxation: a prover outputs a proof string  such that, if the statement is false, the probabilistic verifier is unlikely to be convinced. Soundness: A probabilistic verifier can be much more efficient than the NP verifier. In fact, the verifier doesn’t need to read more than a few bits of ! Pr[ ]>2-1000  1 VPCP ∃valid w PPCP

Proofs and Verification Complexity NP proofs probabilistic verification verifiercost exponential PCPs exponential logarithmic polynomial proof length

Proofs and Verification Complexity NP proofs probabilistic verification verifiercost polynomial PCPs special codes exponential PCPs exponential logarithmic polynomial proof length

Proofs and Verification Complexity NP proofs probabilistic verification verifiercost CS proofs polynomial PCPs special codes exponential PCPs exponential logarithmic polynomial proof length

Computationally-Sound proofs (CS-proofs / arguments) • Further relaxation:care only about efficient (polynomial-time) provers. • An inefficient prover could cheat the verifier, but this can be made arbitrarily hard by increasing a security parameter. • Soundness: for all polynomial-time P: • Analogy: • information-theoretically-secure encryption (one-time pad), vs. • computationally-secure encryption (AES). Pr[ ]>2-1000  1 • VCSP PCSP ∃valid w

Computationally-Sound Proofs / [Kilian 92][Micali 94] • The prover produces a polynomially-long PCP proof. • The verifier reads only a few randomly-chosen indices. • Then why bother sending all of the PCP proof? • … because if the prover knew what the verifier reads, he could easily fool the verifier. • Idea: use Fiat-Shamir heuristic: • Prover writes down PCP proof  • Prover computes a Merklehash tree of ; let r be the root. • Prover use r as “randomness” to choose the indices. • Prover sends these indices to verifier, along with Merkle tree verification paths. • Verifier checks paths and then invokes PCP verifier. r 

Proofs and Verification Complexity NP proofs probabilistic verification verifiercost polynomial PCPs Fiat-Shamircompression CS proofs special codes exponential PCPs exponential logarithmic polynomial proof length

Proof of knowledge • Proof systems may satisfy an additional property: • proof of knowledge: any (possibly cheating) prover P that convinces the verifier of some theorem “knows” a valid witness w for the theorem. • Formally captured by a knowledge extractor, an efficient procedure that, with suitable access to such P, extracts a witness: • This is strictly stronger than soundness. • We never run the knowledge extractor in reality.Its existence is used only in the security reduction. knowledgeextractor Pr[ ]≈1 valid w • VCSP PCSP • PCSP  1

PCD construction:Proof aggregation intuition

Back to F and G Bob Alice Carol y z verify z zG(y) yF(x) yfor“y= F(x)” zfor“z=G(y)and I got a proof that“y=F(x)” ” The strings yand z are arguments (computationally sound proofs).

Proof aggregation Bob Carol Alice y z x y z y=F(x) z=G(y) and∃y: V(“y=F(x)”,y)=1 P P V V F G

Soundness vs. proof of knowledge Bob Carol Alice y z x y z y=F(x) z=G(y) and∃y: V(“y=F(x)”,y)=1 ` P P V V P P V F G Meaninglessfor arguments Need proof of knowledge: strong knowledgeextractor Pr[ ]≈1 valid w  1

Must use PCPs for compression Probabilistically Checkable Proofs (PCPs) used to generate concise proof strings. Bob Carol Alice y z x PCP y z PCP P P V V F G (And there is evidence this is inherent [Rothblum Vadhan 09].)

Must use oracles for non-interactive proof of knowledge Bob Carol Alice y z x y z PCP P P V V F G RO PCP The only known construction of non-interactive proofs of knowledge is Micali’s, using Merkle trees where the “hashing” is done using random oracle calls.

PCP vs. oracles conflict PCP theorem does not relativize [Fortnow ‘94], not even with respect to a RO [Chang et al. ’92] this precluded a satisfying proof of security in [Valiant ‘08] Bob Carol Alice y z x z y PCP PCP P P V V V F G RO PCP

The “trusted hardware” solution Every node has access to a simple, fixed, stateless trusted functionality -- essentially, a signature card. • Signed-Input-and-Randomness (SIR) oracle C SIR SIR SIR SIR SIR SIR m33 m11 m66 moutout m44 m22 m77 m55

SIR model Every node has access to a simple, fixed, trusted functionality -- essentially, a signature card. • Signed-Input-and-Randomness (SIR) oracle x input string s length SIRSK r ← {0,1}s  ← SIGNSK(x,r)  signature on (x,r) r random string VK can derandomize: Generate r using PRF

Public-key crypto the rescue Oracle signs answers using public-key signature: answers are verifiable without accessing oracle asymmetry allows us to break “PCP vs. oracle” conflict, and recursively aggregate proofs Bob Carol Alice y z x z y VK P P V V F G SIR OSK PCP PCP back

Sketch of constructions Constructing APHAs (Assisted Prover Hearsay Arguments): Start with universal arguments [Micali] [Barak Goldreich ‘02] De-interactivize by replacing public-coin messages with oracle queries Add signature to statement to force witness query (≈ [Chandran et al. ‘08]) Prove a very strong PoK by leveraging the weak PoK of UA ≈ Fiat-Shamir heuristic • Generalizing to PCD: • Handle distributed-computation DAG,using APHA for the proofs along each edge. • C-compliance: use fixed aggregation rule to reason about arbitrary computation by proving statements of the form: • C(in,code,out)=1 & “each input carries a valid APHA proof string”

APHA Construction sketch

APHA systems • Needed: • Highly-compressing non-interactive arguments • Proof-of-knowledge property that’s strong enough to prove hearsay:statements whose truth relies on previous arguments heard from others. • In the assisted prover model. We call thisAssisted Prover Hearsay Arguments (APHA). back

Universal arguments[Barak and Goldreich ‘02] Start with universal arguments:Efficient interactive arguments of knowledge with constant rounds and public coins. r1 resp1 UA prover UA verifier r2 resp2 • public coin: r1 and r2 are just random coins • temporal dependence:r2 is sent only after resp1 is received back

De-interactivize universal arguments: first try Prover interacts with random oracle, not with verifier: obtains random strings newprover random oracle UA prover random oracle new verifier UA verifier back

De-interactivize universal arguments Prover interacts with SIR oracle, not with verifier: obtains random signed strings temporal ordering enforced by having each oracle query include the preceding transcript almost-APHA prover ≈ Fiat-Shamir heuristic SIR oracle UA prover SIR oracle almost-APHA verifier UA verifier back

Enhance proof of knowledge Forces prover to get signature on witness Knowledge extractor finds witness by examining the queries  strong proof of knowledge get signature on the witness w SIR oracle APHA prover  SIR oracle cf. [Chandran Goyal Sahai 08] “x  Land is asignature on awitness for x  L” almost-APHA prover SIR oracle SIR oracle APHA verifier almost-APHA verifier back

Can now do F and G example Bob Carol Alice y z x y z P P V V F G PCP PCP We can now do the above example! ... how about proof-carrying data? back

PCD Construction sketch back

PCD systems PCD systems are wrappers around APHA systems, with: Simpler interface for applications(no need to reason about theorems and proofs) Simpler proof-of-knowledge property(APHAs have a very technical “list extraction” definition) C-compliance back

PCD definition At every node, a party uses the PCD prover PPCD: code zout zin1, in1 out PPCD zin2,in2 C, VK Osk Proofs are checked by the PCD verifier:VPCD(C, VK, z*, ) decidesif π is a convincing proof for z*. back

PCD definition PCD systems satisfy efficient verifiability: TIME(VPCD(C, VK, z, π)) = polylog(time to make π) (actually, much better... ) completeness via a relatively efficient prover: if computation is C-compliant, then the proof output byprover convinces verifier. Moreover: TIME(PPCD(...)) = poly(time to check C) + polylog(time to generate inputs’ proofs) proof of knowledge: from any convincing prover, can extract a whole C-compliant computation back

Back to F and G Bob Carol Alice y z x πz πy P P V V F G • Having APHA systems, we can already do the above example • How to generalize to C-compliance? PCP PCP back

Adding C-compliance Bob Carol Alice y z x πz πy V V F C C G P P PCP PCP • “Export” the choice of computation to be an input to a “fixed rule of aggregation” back

PCD Machine Bob Carol Alice y z x πz πy V V F C C G PCD machine P P PCP PCP • Such fixed rule we call the PCD machine, and it depends on C back

Implementation

PCP implementation stack: overview Java program execution trace “natural” problem solution to the problem assignment circuit Task 2: “reduction path” problem reduction solution reduction verifying properties of a polynomial in a finite field polynomial to be verified PROOF PCP prover Task 1: “PCP engine” PCP verifier

Does this work? Established:Formal framework • Explicit construction • “Polynomial time” - not practically feasible (yet…) • Requires signature cards • Ongoing and future work: • Full implementation • Practicality • Reduce requirement for signature cards (or prove necessity) • Extensions (e.g., zero knowledge) • Interface with complementary approaches: tie “compliance” into existing methods and a larger science of security • Applications and “compliance engineering” methodology

Eran Tromer

Eran Tromer

Presentation Transcript

Simulating Physics with Computers Richard P. Feynman Presented by Pinchas Birnbaum and Eran Tromer, Weizmann Inst

Eran Tromer Slides credit: Dan Boneh , Stanford Roei Schuster, Tel Aviv University

Eran Tromer

Eran Tromer Slides credit: Dan Boneh , Stanford

Eran Tromer Slides credit: Vinod Vaikuntanathan (U. Toronto)

Eran Tromer Slides credit: Vinod Vaikuntanathan (U. Toronto)

Eran Tromer

Eran Tromer Slides credit: Sergei Skorobogatov, Yuval Ishai

Eran Tromer

Eran Tromer Slides credit: Dan Boneh, Yuval Ishai

Eran Tromer Slide credits: John Mitchell, Stanford

Eran Tromer Slide credits: John Mitchell, Stanford

Eran Bendavid

Eran Tromer Slides credit: Dan Boneh , Stanford

Performed by : Segev Eran

Eran Toch technion.ac.il/~erant

Eran Toch technion.ac.il/~erant