New Publicly Verifiable Databases with Efficient Updates
Download
Report
Transcript New Publicly Verifiable Databases with Efficient Updates
New Publicly Verifiable
Databases with Efficient Updates
Xiaofeng Chen
Virginiatech
Agenda
•
•
•
•
•
Outsourcing Computation
Verifiable Computation
Verifiable Database with Updates (VDB)
New Construction for VDB
Future Work
1. Outsourcing Computation
• You want to eat a fish = You need to be a fisherman (NEVER!)
• Cloud computing facilitates Outsourcing computation.
• Outsourcing computation paradigm:
– the clients with resource-constraint devices can outsource the heavy
computation workloads into the cloud server.
• Outsourcing computation also suffers from some new security
challenges.
Outsourcing Computation Architecture
Security model
• Who is the adversary: the untrusted server(s)
–
–
–
–
–
Honest but curious
Lazy but honest
One-malicious of two untrusted program
Refereed delegation of computation
Fully malicious (dishonest, curious, lazy…)- strongest
How to achieve ?
• Secrecy:encryption (partial solution)+ blinding
– Blinding can preserve some inherent property of operations.
– It requires different logic division and blinding techniques.
– FHE is inefficient for real-world applications.
gx mod p
m
encrypt (k)
X
c
hx mod p
gx mod p
m
blind (blind factor)
c
(mg)x mod p
How to achieve ?
• Checkability (verifiability):how to verify the
result of a malicious server?
– Some programming error
– Intentionally send a computational indistinguishable (random) result due to
financial reasons
How to achieve ?
• Three kinds of Checkability (verifiability):
– Inversion of one–way function problems:
F: given y=f(x), compute x, where f is a one-way function.
Verification is trivial: verification is just compute f(x)=? y
How to achieve ?
• Three kinds of Checkability (verifiability):
– Multiple (non-colluding) servers :
given the test queries to (at least two) servers, verification is trivial and equals to
check whether the two outputs are equal?
f(x)_1 = ? f(x)_2 (This is a probabilistic algorithm!)
Note: This idea is a little similar to prisoner's dilemma in game theory.
How to achieve ?
• Checkability (verifiability):
– One malicious server: verifiable computation
The server needs to provide some auxiliary proof to support result verification.
It requires different kinds of knowledge proof techniques.
How to achieve ?
• Efficiency:verification must be efficient
– The (non-interactive) proof verification is efficient (esp. the 3rd case)
– Computational resources, Storage resources, Communication resources, etc.
– The verification requires less resources than the computation task itself!!
Research status
• Theoretical community: scientific computation such as matrix
multiplications (inversion), quadrature, linear equations (programming),
sequence comparisons ……
• Cryptographic community: wallet with observers, bilinear pairing,
modular exponentiations, OABE, OABS, inversion one-way function ……
– Verifiable computation: will be given later
2. Verifiable Computation
• A protocol between client and the untrusted server;
– C: a function and some input ; S: outputs and some proof;
– It mainly focus on the 3rd case of outsourcing
computations
– Though C is resources-constrained, it is allowed to perform
one-time expensive setup phase (offline; pre-computation)
Formal definitions
Security properties
• Correct: the value and proof generated by the honest server can be always verified
successfully and accepted by the client.
– honest server results in valid result and proof
• Secure: a malicious server cannot convince a verifier to accept an invalid output
– dishonest server results in invalid result and proof
• Efficient: the verification should not be involved in plenty of expensive resources
(computation, storage, communication)
–
For real-world applications
Three properties of ZKP:
•
•
•
Completeness: if the statement is true, the honest verifier (that is, one following the
protocol properly) will be convinced of this fact by an honest prover.
Soundness: if the statement is false, no cheating prover can convince the honest verifier
that it is true, except with some small probability.
Zero-knowledge: if the statement is true, no cheating verifier learns anything other than
this fact.
State-of-the-art research
• Gennaro et al. firstly introduce and formalize the notion of verifiable
computing. Crypto 10
• This work is suitable for any function (will be encoded by Boolean circuit)
• Theoretically, no more research work is needed (totally solved!).
• FHE is a building block! Inefficient for practical applications.
State-of-the-art research
• Specific problems require specific trick to design efficient schemes.
–
–
–
–
–
–
–
VC for very large datasets Crypto 11
Memory delegation Crypto 11
VC for large polynomials and matrix computations CCS 12
VC for multi-function TCC 12
VC for quadratic polynomials CCS 13
Making argument systems for outsourced computation practical NDSS 12
Taking proof-based verified computation a few steps closer to practicality
USENIX 12
– …..
3. Verifiable Database with Updates
(VDB)
• A special kind of verifiable computing (storage)
• Benabbas et al. proposed the notion of VDB
– Verifiable delegation of computation over large datasets (Crypto 11)
x ; vv’
x
x, v’
Client
v
Database
Server
Static Database
x ; v; Sig (v)
x
v, Sig (v)
Client
Server
Sig (v) can not be forged!!
Dynamic (Updated) Database
x ; v; Sig (v)
x
Client
v, Sig (v)
Server
How to revoke the signature for previous value?
The client have to keep track of every change locally.
Why outsourcing?
Verifiable Database with Updates
• How to design efficient VDB?
• Previous works requires either some non-constant
size assumptions or expensive operations;
– q-Strong Diffie-Hellman assumption
Verifiable Database with Updates
• Why standard assumption is good?
– IF related ones: IF ; RSA; Strong-RSA; ……
– DL related ones: DL; CDH; DDH; ……
» Bilinear pairings related ones ……
Benabbas-Gennaro-Vahlis Construction
• BGV construction is the first practical solution in the
bilinear groups with composite order (Crypto 11);
• The solution is based on verifiable delegation of
polynomials (subgroup membership assumption);
• It cannot support public verifiability;
Catalano-Fiore Construction
•
•
•
•
The second practical construction (PKC 2013);
It is based on a primitive called vector commitment;
The specific constructions based on standard assumptions;
Compare with BGV construction, it only uses the bilinear
groups with prime order;
• It can support public verifiability
– The private key of client is not involved in the updating; Surprising
it is empty!
– It is good or bad?
Commitment
Commit
m
Sender
Phase
Receiver
– Hiding: A computationally bounded receiver learns
nothing about m.
Open
Phase
Sender
–
r, m
m
Receiver
r, m
Open Verification
Algorithm
– Binding: it can only be “opened” to the value m.
yes/no
Commitment
• Commitment is one of primitive in cryptography;
• One building block to design ZKP, authentication,
financial cryptographic protocols etc.; ……
• Some variants of commitment (additional properties);
– Trapdoor (chameleon) commitment : chameleon signatures (NDSS
2000), online-offline signatures (Crypto 2001), fair exchange
protocols, ……
– Mercurial commitment: ZKS (how to proof whether an element x is in
a set or not; FOCS 2003)
– Multi-trapdoor commitment; Timed commitment, Non-malleable
commitment, …..
Vector Commitment
• Commit a vector message (m1,m2, …., mq);
• Position binding: should not open the commitment
to two different values at the same position.
• Hiding can be achieved by composing a standard
commitment scheme with any vector commitment
scheme that does not satisfy hiding. (Not concerned
in VDB)
4. New Construction for VDB
• Our main contribution
– Catalano-Fiore Construction may suffer from the
Forward Automatic Update (FAU) attack;
– Propose a new framework that is public verifiable
and secure against FAU attack;
– Present a concrete construction based on SquCDH assumption (equals to CDH assumption)
FAU attack
• The adversary (just as the real client) can update the
database in a forward and automatic manner;
• Forward means that the updating is based on the
latest database (new update!).
– We also defined Backward Substitute Update attack
• Automatic means that the updating can be performed
at any time and any steps.
V1
V0
V L+1
Vi
VL
Why it suffers from FAU attack
• The secret key in Catalano-Fiore Construction is
not involved in the updating.
– More precise, the secret key of client is empty .
• Why?
– In crypto 11 construction, secret key is used for updating
and verification (thus private verifiability);
– Guess: no private key, verification is performed only using
the public key? Thus support public verifiability.
– Anyone can update the database (especially the server)!
Formal analysis
Paradox
• Using SK: cannot support public verifiability
• Not Using SK: cannot resist FAU attack
• How to solve this paradox?
– SK must be used in update;
– Signature can be used but not enough (needs
revoke?)
Some Notations
• Database: (i, vi) ;
• C is a vector commitment on database values vi ;
• C(0) , C(1), ……C(T) denotes the update of the database;
Our Main Idea
• Commitment binding technique: (After T times update )
– it is difficult to forge a new BLS signature!
Public key
(last time)
Public key
(current)
binding
BLS signature
Database
(current)
Counter
Our Main Idea
• Commitment binding technique: (After T times update )
• The definition for T = 0 (setup phase):
• This results in a general construction for VDB
Our Main Idea
• The proof consists of the (BLS) signature of the client and
opening of the vector commitment;
– Both of them can be verified (only) with the public key;
• The update requires the secret key of the client.
– No forward automatic update by the adversary
•
The client needs not store the changes locally or revoke the
signature
A concrete VDB construction
• It is based on the following specific vector commitment;
• We proved that it satisfies the security properties under
the Squ-CDH assumption;
• The construction is efficient since it is independent of the
size of the database ;
• It provides the first efficient VDB scheme that is both
public verifiable and secure against FAU attack;
5. Future Works
• Needs more simulation result… (though Crypto 11
and PKC 13 papers never provide the experimental
results)
• For different update (delete, insert, or else…)
• Support more index update in a step? It seems okay,
need more deep thought….
• Incremental update….
Thank you & questions?