Outsourcing Computations to Untrusted Servers
Security of Symmetric Ciphers in Network Protocols
ICMS, May 26, 2015, Edinburgh
Problem Motivation
Table of Contents 1 Single-Client Verifiable Computation 2 3 4
Single-Client Verifiable Computation
  Building Blocks
  Security Models
Verifiable Computation
  Verifiable Computation Scheme
    Pre-processing: one-time stage in which client computes some auxiliary information associated with F
    Input Preparation: client prepares some auxiliary (public and private) information about x and sends public part σ_x to S
    Output Computation: server computes a string σ_y which encodes F(x) and returns it to the client
    Verification: from the value σ_y, the client can compute the value F(x) and verify its correctness
  Gennaro, Gentry, Parno. Non-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers. Crypto 2010.
Requirements and Properties
  Efficiency: input preparation and output verification must take less time than computing F from scratch
    Amortized notion of efficiency
  Privacy: input and output privacy
Yao's Protocol for Two-party Computation
  Yao presented the first protocol for secure (two-party) computation
  A plain circuit is evaluated by setting values to its input gates
    for each gate: compute the value of the outgoing wire as a function of the wires going into the gate
  Secure computation: no party should learn the values of any internal wires
  Yao's protocol: compiler which takes a circuit and transforms it to a circuit which hides all information but the final output
An AND Gate
  u  v  w
  0  0  0
  0  1  0
  1  0  0
  1  1  1
An AND Gate with Garbled Values
  u      v      w
  k_u^0  k_v^0  k_w^0
  k_u^0  k_v^1  k_w^0
  k_u^1  k_v^0  k_w^0
  k_u^1  k_v^1  k_w^1
  for each wire we choose two random labels k_u^0, k_u^1 ←$ {0,1}^κ
  they represent the bit values 0 or 1
A Garbled AND Gate
  u      v      w
  k_u^0  k_v^0  E_{k_u^0}(E_{k_v^0}(k_w^0))
  k_u^0  k_v^1  E_{k_u^0}(E_{k_v^1}(k_w^0))
  k_u^1  k_v^0  E_{k_u^1}(E_{k_v^0}(k_w^0))
  k_u^1  k_v^1  E_{k_u^1}(E_{k_v^1}(k_w^1))
  The actual garbled gate is the permutation of the ciphertexts
  given k_u^0 and k_v^1 can only obtain k_w^0
  since rows are permuted, the party has no idea if it obtained a key for 0 or 1
Output Translation
  If the gate is an output gate, need to provide decryption of the output wire
  Keys known to the evaluator can decrypt only a single entry (random wire key)
  Output translation table: [(0, k_w^0), (1, k_w^1)]
Repeated Evaluation of Garbled Circuit
  Yao's Garbled Circuit construction is not reusable
  Reusable garbled circuit scheme [GKPVZ13]
  Amortized efficiency notion: one expensive pre-processing and then we shall be able to outsource many evaluations for the same function
  Reusability by using FHE: instead of revealing the key-labels associated with the input x, the client will encrypt those labels under the public key of a FHE scheme
  Rejection problem: if client detects malformed response then client terminates. Otherwise A learns an additional bit of information by sending another request
VC Scheme
  1. (PK, SK) ← KeyGen(F, κ)
       follow Yao's Garbled circuit construction
       compute for each gate the four ciphertexts
       PK is full set of ciphertexts; SK is full set of wire values
  2. (σ_x, τ_x) ← ProbGen(SK, x)
       run FHE KeyGen and pick wire values representing the binary expression of x
       encrypt the representation under the FHE public key
       client keeps FHE secret key private
  3. σ_y ← Compute(PK, σ_x)
       server constructs appropriate decryption circuit
       repeatedly homomorphically evaluate with σ_x (basically decrypting our way through the ciphertexts)
       it outputs wire w_i corresponding to y = F(x) and homomorphically encrypts it with the FHE public key
  4. y ← Verify(SK, σ_y)
       use FHE secret key to decrypt σ_y obtaining w_i
       use secret key to map the wire values to an output y
       if decryption fails, output
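The four algorithms above for a circuit of one AND gate, as an added example (not code from the slides or the cited papers): KeyGen garbles the gate, ProbGen hands out input labels, Compute works through the permuted table, and Verify applies the output translation table. Assumptions: the cipher E is a toy SHAKE-256 keystream with a zero tag and a per-row nonce, and the FHE layer of ProbGen/Compute is left out, so labels are sent in the clear.

```python
import hashlib, hmac, random, secrets

KAPPA = 16          # label length in bytes (κ = 128 bits)
TAG = bytes(KAPPA)  # zero tag: makes a wrong-key decryption detectable

def E(key, nonce, msg):
    # Toy stand-in for the slides' cipher E: SHAKE-256 keystream XOR (msg || TAG).
    body = msg + TAG
    pad = hashlib.shake_256(key + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def D(key, nonce, ct):
    pad = hashlib.shake_256(key + nonce).digest(len(ct))
    body = bytes(a ^ b for a, b in zip(ct, pad))
    return body[:-KAPPA] if body[-KAPPA:] == TAG else None

def keygen():
    # Two random labels per wire; sk[wire][bit] is the label standing for that bit.
    sk = {w: (secrets.token_bytes(KAPPA), secrets.token_bytes(KAPPA)) for w in "uvw"}
    rows = [(a, b) for a in (0, 1) for b in (0, 1)]
    random.SystemRandom().shuffle(rows)   # permute the four ciphertexts
    pk = [E(sk["u"][a], bytes([i]), E(sk["v"][b], bytes([i]), sk["w"][a & b]))
          for i, (a, b) in enumerate(rows)]
    return pk, sk

def probgen(sk, x):
    # σ_x: one label per input wire, sent in the clear (no FHE layer here).
    return sk["u"][x[0]], sk["v"][x[1]]

def compute(pk, sigma_x):
    # Server: only one row decrypts cleanly under both labels it holds.
    ku, kv = sigma_x
    for i, ct in enumerate(pk):
        inner = D(ku, bytes([i]), ct)
        out = D(kv, bytes([i]), inner) if inner is not None else None
        if out is not None:
            return out
    return None

def verify(sk, sigma_y):
    # Output translation table [(0, k_w^0), (1, k_w^1)]; anything else is rejected.
    for bit in (0, 1):
        if sigma_y is not None and hmac.compare_digest(sigma_y, sk["w"][bit]):
            return bit
    return None

if __name__ == "__main__":
    pk, sk = keygen()
    print({x: verify(sk, compute(pk, probgen(sk, x))) for x in [(0, 0), (0, 1), (1, 0), (1, 1)]})
```

Because the labels are revealed, a server that has once obtained k_w^1 can return it for any later input under the same PK and pass Verify, which is why the construction is one-time without the FHE wrapping.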
Security Models
  Verifiability: scheme is secure if malicious server cannot convince the verification algorithm to accept an incorrect output
    A gets oracle access to generate the encoding of multiple problem instances
    A does not learn whether the output was accepted or not
  Privacy: input privacy defined on a typical indistinguishability argument that guarantees that no information about the inputs is leaked
- Overview
  Additional properties:
    Public Delegability - anyone can outsource a computation
    Public Verifiability - anyone can verify a result
  Construction is based on the use of KP-ABE
Publicly Verifiable Outsourced Computation Parno, Raykova, Vaikuntanathan. How to delegate and verify in Public: Verifiable Computation from. TCC 2012.
ABE is a public key, functional encryption primitive
ABE allows decryption of a ciphertext iff some policy formula is satisfied
Variants of ABE schemes:
  Key-policy (KP-ABE)
  Ciphertext-policy (CP-ABE)
  Dual-policy (DP-ABE)
Key-policy
Overview
  Notion of Revocable
    Enable revocation of misbehaving servers
    Enable servers to compute multiple functions
  Alderman, Janson, Cid, Crampton. Revocation in Publicly Verifiable Outsourced Computation. Inscrypt 2014.
Construction Details
  RPVC extends the Parno et al. scheme that uses KP-ABE in a black-box manner
  Restrict attention to Boolean functions closed under complement; in particular the complexity class NC^1
  Functions can be built from common operations such as AND, OR, NOT, equality and comparison operators, arithmetic operators and regular expressions
Technical Details
  Assume the existence of a revocable KP-ABE scheme for a class of functions F that is closed under complement
  Make use of a signature scheme and a one-way function g
  Universes of attributes acceptable by the ABE scheme:
    U_ID comprises attributes representing entity identifiers
    U_time comprises attributes representing time periods issued by the time source T
    U_F is a universe of attribute labels representing functions
    U_attr forms characteristic tuples for input values to outsourced computations
Input Data as Attributes
  Define attribute universe U = {A_1, A_2, A_3}
  Read input data as a binary string
  Select attributes corresponding to 1's in the binary string
  Example: X = 101 → X = {A_1, A_3}
Policy Label
  Add a conjunctive clause with an attribute label
  Labels let us query keys for multiple functions
  Labels give us oracle access for Security Games
  We also add the function attribute to the attribute set representing the input data: x ∪ f
Construction Overview
  Set up two independent ABE schemes
  Client encrypts two random messages m_0 and m_1
  Server must attempt to decrypt d_0 using a key for F and d_1 with a key for F. Only one decryption will succeed
  Well-formed response θ_{F(x)}, comprising recovered plaintexts (d_b, d_{1-b}), satisfies the following, where RK_{F,x} = b:
    (d_b, d_{1-b}) = (m_b, ), if F(x) = 1
    (d_b, d_{1-b}) = ( , m_{1-b}), if F(x) = 0
  Flipping b ←$ {0,1} enables us to hide the structure and leads to blind verification
Setup
  (PP, MK) ← RPVC.Setup(1^κ)
    U = U_attr ∪ U_ID ∪ U_time ∪ U_F
    (MPK_ABE^0, MSK_ABE^0) ← ABE.Setup(1^κ, U)
    (MPK_ABE^1, MSK_ABE^1) ← ABE.Setup(1^κ, U)
    PP = (MPK_ABE^0, MPK_ABE^1, L_Reg, T)
    MSK = (MSK_ABE^0, MSK_ABE^1, L_Rev)
Register
  SK_S ← RPVC.Register(S, MK, PP)
    (SK_Sig, VK_Sig) ← Sig.KeyGen(1^κ)
    SK_S = SK_Sig
    L_Reg[S][0] = VK_Sig
Certify
  EK_{F,S} ← RPVC.Certify(S, F, MK, PP)
    SK_ABE^0 ← ABE.KeyGen(S, F ∧ f, MSK_ABE^0, MPK_ABE^0)
    SK_ABE^1 ← ABE.KeyGen(S, F ∧ f, MSK_ABE^1, MPK_ABE^1)
    UK_{L_Rev,t}^0 ← ABE.KeyUpdate(L_Rev, t, MSK_ABE^0, MPK_ABE^0)
    UK_{L_Rev,t}^1 ← ABE.KeyUpdate(L_Rev, t, MSK_ABE^1, MPK_ABE^1)
    Output: EK_{F,S} = (SK_ABE^0, SK_ABE^1, UK_{L_Rev,t}^0, UK_{L_Rev,t}^1)
ProbGen
  (σ_{F,x}, VK_{F,x}, RK_{F,x}) ← RPVC.ProbGen(x, PK_F, PP)
    (m_0, m_1) ←$ M × M and b ←$ {0,1}
    c_b ← ABE.Encrypt(m_b, (x ∪ f), t, MPK_ABE^0)
    c_{1-b} ← ABE.Encrypt(m_{1-b}, (x ∪ f), t, MPK_ABE^1)
    Output: σ_{F,x} = (c_b, c_{1-b}), VK_{F,x} = (g(m_b), g(m_{1-b}), L_Reg)
Compute
  θ_{F(x)} ← RPVC.Compute(σ_{F,x}, EK_{F,S}, SK_S, PP)
    d_b ← ABE.Decrypt(c_b, SK_ABE^0, MPK_ABE^0, UK_{L_Rev,t}^0)
    d_{1-b} ← ABE.Decrypt(c_{1-b}, SK_ABE^1, MPK_ABE^1, UK_{L_Rev,t}^1)
    γ ← Sig.Sign((d_b, d_{1-b}, S), SK_S)
    Output: θ_{F(x)} = (d_b, d_{1-b}, S, γ)
BVerif
  (RT_{F,x}, τ_{θ_{F(x)}}) ← RPVC.BVerif(θ_{F(x)}, VK_{F,x}, PP)
    Sig.Verify((d_b, d_{1-b}, S), γ, VK_Sig) accept
      g(m_b) = g(d_b) then (RT_{F,x} = d_b, τ_{θ_{F(x)}} = (accept, S))
      g(m_{1-b}) = g(d_{1-b}) then (RT_{F,x} = d_{1-b}, τ_{θ_{F(x)}} = (accept, S))
Retrieve
  ŷ ← RPVC.Retrieve(τ_{θ_{F(x)}}, RT_{F,x}, VK_{F,x}, RK_{F,x}, PP)
    If τ_{θ_{F(x)}} = (accept, S)
      g(RT_{F,x}) = g(m_0) then ŷ = 1
      g(RT_{F,x}) = g(m_1) then ŷ = 0
    If τ_{θ_{F(x)}} = (reject, S) then ŷ =
Revoke
  {EK_{F,S}} or ← RPVC.Revoke(τ_{θ_{F(x)}}, MK, PP)
    If τ_{θ_{F(x)}} = (reject, S)
      UK_{L_F,t+1}^0 ← ABE.KeyUpdate(L_Rev, t + 1, MSK_ABE^0, MPK_ABE^0)
      UK_{L_F,t+1}^1 ← ABE.KeyUpdate(L_Rev, t + 1, MSK_ABE^1, MPK_ABE^1)
      Update EK_{F,S} = (SK_ABE^0, SK_ABE^1, UK_{L_Rev,t+1}^0, UK_{L_Rev,t+1}^1)
Overview
  Multi-client Non-interactive Verifiable Computation [CKKC13]
  Publicly Verifiable Delegation of Large Polynomials and Matrix Computations, with Application [FG12]
  Private Outsourcing of Polynomial Evaluation and Matrix Multiplication using Multilinear Maps [ZS13]
  Access Control in [AJCC15a]
  Memory Delegation [CKLR11]
  Hybrid [AJCC15b]
  Outsourcing Private RAM Computations [GHRW14]
Summary
  Motivated the problem of Verifiable Computation
  Yao's Garbled Circuit construction provides one-time verifiability
  Publicly VC via Key-policy
  Revocation mechanism for PVC
Thank You Questions?