Multi-Client Non-Interactive Verifiable Computation
Seung Geol Choi (Columbia U.), Jonathan Katz (U. Maryland), Ranjit Kumaresan (Technion), Carlos Cid (Royal Holloway)

Feb 22, 2016

Page 1: Multi-Client Non-Interactive Verifiable Computation

Multi-Client Non-Interactive Verifiable Computation

Seung Geol Choi (Columbia U.), Jonathan Katz (U. Maryland), Ranjit Kumaresan (Technion), Carlos Cid (Royal Holloway)

Page 2: Multi-Client Non-Interactive Verifiable Computation

Verifiable Computation

• Increasing dependence on the cloud
  – Individual devices getting smaller & smaller
    • Resource constrained
  – Computation outsourced to the cloud
• “Trust, but verify”
  – Many incentives for a cloud to cheat
    • Minimize resource usage
    • Malicious server!
• Need to verify whether server performs correct computations
  – Verification must be cheaper than computation

Page 3: Multi-Client Non-Interactive Verifiable Computation

Verifiable Computation

• Variety of solutions
  – Interactive proofs [GMR85,LFKN92,S92,GKR08]
  – MIPs & PCPs [BFL91,BFLS91,BCCT12]
  – Interactive arguments [BCC88,M94,K92,K95]
  – Non-Interactive Solutions [K95,M94,GKR08,CKV10,GGP10,AIK11,BHR12]
  – Public verifiability [PRV12]
• All of them deal with verifiably computing functions on a single client’s input

Page 4: Multi-Client Non-Interactive Verifiable Computation

Multi-Client Verifiable Computation


Page 5: Multi-Client Non-Interactive Verifiable Computation

Motivation

Resource constrained data gathering sensors located far apart want to compute over joint collected data

Ask one sensor to collect all data & use single-client verifiable comp.?
• Requires client-client communication
• Mix-and-match attacks
  – No analogue in single-client setting
• No privacy

Need a model for non-interactive verification of computations over joint inputs of multiple clients

Page 6: Multi-Client Non-Interactive Verifiable Computation

Our Contributions

• Model, syntax, and definitions
• Generic constructions
  – Non-interactive solution
  – Privacy against colluding clients
  – Privacy against malicious server

Initiate study of non-interactive multi-client verifiable computation in a setting with
• n semi-honest clients
• malicious server

Page 7: Multi-Client Non-Interactive Verifiable Computation

Talk Outline

• Motivation & Introduction

• Model, Syntax, and Definitions

• Building Blocks

• Construction

• Conclusions

Page 8: Multi-Client Non-Interactive Verifiable Computation

Model

[Figure: n clients]

• Clients are semi-honest
• Want non-interactive solution
  – No interaction between clients

Page 10: Multi-Client Non-Interactive Verifiable Computation

Model

• Clients are semi-honest
• Want non-interactive solution
  – No interaction between clients

[Figure: n clients]

• How to prevent spoofing attacks?
  – Use PKI
• How to prevent mix-and-match attacks?
  – Use global clock

Assumptions of this type are necessary

Page 11: Multi-Client Non-Interactive Verifiable Computation

Model

• Clients are semi-honest
• Want non-interactive solution
• Assume PKI & global clock

[Figure: n clients]

Like [GGP10] use offline preprocessing model
• One-time (expensive) preprocessing
  – Must be non-interactive
• Allows for multiple (cheap) verification stages

Page 12: Multi-Client Non-Interactive Verifiable Computation

Model

• Clients are semi-honest
• Want non-interactive solution
• Assume PKI & global clock
• One-time preprocessing

[Figure: n clients]

Only first client gets output
• Easily generalized to multiple clients obtaining outputs
  – Parallel executions

Page 13: Multi-Client Non-Interactive Verifiable Computation

Model

• Clients are semi-honest
• Want non-interactive solution
• Assume PKI & global clock
• One-time preprocessing
• Only first client gets output

[Figure: n clients]

Page 14: Multi-Client Non-Interactive Verifiable Computation

Syntax

• Setup
  – KeyGen
• Offline
  – EncFun
• Online
  – EncInpj
  – Compute
  – Verify

[Figure labels: pk1, pk2; F, S; Ti; xi,1 and Xi,1; xi,2 and Xi,2; Wi; yi]

Page 15: Multi-Client Non-Interactive Verifiable Computation

Properties

Soundness
• Given encoding of function, A gets to choose series of inputs & receive encodings of each input. Finally A outputs (i,Wi)
• If Verify(Wi) ≠ f(xi) and Verify(Wi) ≠ λ, output 1, else 0

Scheme is sound if Experiment outputs 1 with negl. prob.

Outsourcing
T(encode input)+T(verify output)<T(compute function)

Privacy
• Against server: Cannot distinguish between executions where clients hold input x0 vs. another where client inputs are x1
• Against first client: Conditioned on its input being the same, cannot distinguish between executions having same output

Page 16: Multi-Client Non-Interactive Verifiable Computation

Talk Outline

• Motivation & Introduction

• Model, Syntax, and Definitions

• Building Blocks

• Construction

• Conclusions

Page 17: Multi-Client Non-Interactive Verifiable Computation

Building Blocks

• Projective Garbling Schemes [Y86,BHR12]

• Non-Interactive Proxy Oblivious Transfer [NPS99]

• Fully Homomorphic Encryption [G09,BV11]
  – Converts one-time scheme to a many-time scheme

Our construction builds upon the single-client scheme of [GGP10]

Page 18: Multi-Client Non-Interactive Verifiable Computation

Projective Garbling Schemes

• Garbling Schemes [Y86,BHR12]
  – “Projective” if individual input encodings can be generated independently
• Adaptive soundness
  – Same issue as in [GGP10]
  – Assume Yao GCs satisfy adap. soundness
    • Reasonable in practice
    • [BHR12]: Does not follow from CPA security of enc.

[Figure: GC, labelled “Encoding of function”, “Projective encoding of individual input bits”, “Possible output encodings”]

Page 19: Multi-Client Non-Interactive Verifiable Computation

Proxy Oblivious Transfer [NPS99]

[Figure: Ideal Functionality ProxyOT; inputs x0,x1 and b=0,1; output xb]

Want a non interactive proxy OT protocol

Page 20: Multi-Client Non-Interactive Verifiable Computation

Non-Interactive Proxy OT

• Use PKI and a non-interactive key exchange (NIKE) protocol to generate common randomness s unknown to server
• Use common randomness s to run PSM protocol [FKN94] for OT, with server as referee

[Figure labels: pk1, pk2; s = (r0, r1, c); inputs x0,x1 and b=0,1; messages (xc+rc, x1+c+r1+c) and (c+b, rc+b)]
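
A runnable sketch of the PSM-based proxy OT on this slide, added here as an example and not taken from the talk or the paper. The slide's subscripts were flattened in extraction, so the indexing used below (slot j of the sender's message is padded with r_j, and "+" is read as XOR) is one consistent reading and an assumption, as are the SHA-256 expansion of the NIKE key and the `epoch` counter that stands in for the global clock.

```python
import hashlib

KEYLEN = 16  # bytes per OT message, e.g. one garbled-circuit wire key

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def derive_s(shared_key: bytes, epoch: int):
    """Expand the NIKE output into s = (r0, r1, c) for one time period (assumed KDF)."""
    def block(label: bytes) -> bytes:
        return hashlib.sha256(shared_key + epoch.to_bytes(8, "big") + label).digest()
    return block(b"r0")[:KEYLEN], block(b"r1")[:KEYLEN], block(b"c")[0] & 1

def sender_msg(s, x0: bytes, x1: bytes):
    """Sender holds (x0, x1): permute the pair by c, then pad slot j with r_j."""
    r0, r1, c = s
    x = (x0, x1)
    return xor(x[c], r0), xor(x[1 ^ c], r1)

def chooser_msg(s, b: int):
    """Chooser holds b: send the blinded index d = c XOR b and the pad r_d."""
    r0, r1, c = s
    d = c ^ b
    return d, (r0, r1)[d]

def server_output(m_sender, m_chooser) -> bytes:
    """Server (PSM referee) unmasks slot d; it never sees s, b or the other slot's pad."""
    d, pad = m_chooser
    return xor(m_sender[d], pad)

def run(shared_key: bytes, epoch: int, x0: bytes, x1: bytes, b: int) -> bytes:
    s = derive_s(shared_key, epoch)
    return server_output(sender_msg(s, x0, x1), chooser_msg(s, b))

def mixed_epochs(shared_key: bytes, x0: bytes, x1: bytes, b: int) -> bytes:
    """A server pairing a sender message from epoch 1 with a chooser message from epoch 2."""
    m_s = sender_msg(derive_s(shared_key, 1), x0, x1)
    m_c = chooser_msg(derive_s(shared_key, 2), b)
    return server_output(m_s, m_c)

if __name__ == "__main__":
    key = bytes(range(32))             # constructed stand-in for the NIKE shared key
    x0, x1 = b"A" * KEYLEN, b"B" * KEYLEN
    print([run(key, 7, x0, x1, b) for b in (0, 1)])
    print(mixed_epochs(key, x0, x1, 0) in (x0, x1))
```

Because c is hidden from the server, the index d it receives is independent of the chooser's bit b, and messages taken from two different time periods do not unmask to either of the sender's values.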

Page 21: Multi-Client Non-Interactive Verifiable Computation

Talk Outline

• Motivation & Introduction

• Model, Syntax, and Definitions

• Building Blocks

• Construction

• Conclusions

Page 22: Multi-Client Non-Interactive Verifiable Computation

One-Time Multi-Client VC
Preprocessing

Using a garbling scheme, encode function & prepare state to encode inputs and to verify encoded outputs

[Figure: GC]

Page 23: Multi-Client Non-Interactive Verifiable Computation

One-Time Multi-Client VC
Input Encoding

Select own keys depending on input bits

[Figure: GC with inputs xi,1 and xi,2]

Page 24: Multi-Client Non-Interactive Verifiable Computation

One-Time Multi-Client VC
Input Encoding

Select keys for others using non-interactive proxy OT

[Figure: GC with inputs xi,1 and xi,2; keys obtained from Proxy OT]

Page 25: Multi-Client Non-Interactive Verifiable Computation

One-Time Multi-Client VC
Compute

Evaluate garbled circuit to obtain output encoding

[Figure: GC with inputs xi,1 and xi,2]

Page 26: Multi-Client Non-Interactive Verifiable Computation

One-Time Multi-Client VC
Verify

Check whether received key matches one of the 2 output keys

[Figure: GC with inputs xi,1 and xi,2]
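
The Preprocessing, Input Encoding, Compute and Verify steps above, reduced to a single garbled two-input gate, as an added example that is not code from the talk or the paper. The row encryption (SHA-256 pad with an all-zero tag), the function names and the state layout are assumptions of this sketch, and the second client's label is handed over directly where the construction delivers it through the non-interactive proxy OT.

```python
import hashlib
import secrets

LBL = 16  # label (key) length in bytes

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def row_pad(ka: bytes, kb: bytes) -> bytes:
    # 32-byte pad: covers one output label plus a 16-byte all-zero tag
    return hashlib.sha256(ka + kb).digest()

def enc_fun(gate):
    """Offline: garble one 2-input gate. Returns (table F for the server, secret state)."""
    wa, wb, wo = ([secrets.token_bytes(LBL) for _ in (0, 1)] for _ in range(3))
    rows = [xor(row_pad(wa[u], wb[v]), wo[gate(u, v)] + bytes(LBL))
            for u in (0, 1) for v in (0, 1)]
    secrets.SystemRandom().shuffle(rows)  # hide which row belongs to which inputs
    return rows, {"a": wa, "b": wb, "out": wo}

def enc_inp(state, wire: str, bit: int) -> bytes:
    """Online: projective encoding, one label selected by one input bit."""
    return state[wire][bit]

def compute(F, Xa: bytes, Xb: bytes):
    """Server: trial-decrypt each row; the row ending in the zero tag is the right one."""
    for row in F:
        pt = xor(row, row_pad(Xa, Xb))
        if pt[LBL:] == bytes(LBL):
            return pt[:LBL]
    return None

def verify(state, W):
    """Client: accept only one of the 2 output labels; anything else is rejected."""
    return state["out"].index(W) if W in state["out"] else None

def run_once(gate, a: int, b: int):
    F, state = enc_fun(gate)  # fresh garbling per run: the scheme is one-time
    W = compute(F, enc_inp(state, "a", a), enc_inp(state, "b", b))
    return verify(state, W)

if __name__ == "__main__":
    AND = lambda u, v: u & v
    print([run_once(AND, a, b) for a in (0, 1) for b in (0, 1)])
    F, state = enc_fun(AND)
    print(verify(state, bytes(LBL)))  # constructed forged label from a cheating server
```

Verification costs the client one comparison against two stored labels, and a server that returns anything other than the label it could legitimately decrypt is rejected.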

Page 27: Multi-Client Non-Interactive Verifiable Computation

Multi-Client VC - Finis

• Soundness
  – Privacy of non-interactive proxy OT scheme
  – Authenticity of garbling scheme
• Privacy
  – Non-interactive nature of the scheme
  – Privacy of single-client [GGP10] scheme
  – Privacy of non-interactive proxy OT scheme
• Wrap one-time scheme with Fully Homomorphic Encryption
  – Converts one-time scheme to many-time
  – Semantic security preserves one-time soundness & privacy

Page 28: Multi-Client Non-Interactive Verifiable Computation

Talk Outline

• Motivation & Introduction

• Model, Syntax, and Definitions

• Building Blocks

• Construction

• Conclusions

Page 29: Multi-Client Non-Interactive Verifiable Computation

Conclusions & Summary

• Modeled non-interactive multi-client verifiable computation in a setting with
  – n semi-honest clients
  – Single malicious server
• Formal syntax and definitions
• Generic constructions of schemes based on
  – Projective Garbling Schemes
  – Non-Interactive Proxy Oblivious Transfer
  – Fully Homomorphic Encryption
• Future directions
  – Stronger models, e.g., malicious clients, etc.

Page 30: Multi-Client Non-Interactive Verifiable Computation

Thank You!