1 / 37

Verifiable Databases and RAM Programs

Verifiable Databases and RAM Programs. Yupeng Zhang , Daniel Genkin , Jonathan Katz, Dimitrios Papadopoulos and Charalampos Papamanthou. Cloud Computing. Universities. Companies. Individuals. Security Issue: Integrity. Universities. Server failure Software error

Sophia
Télécharger la présentation

Verifiable Databases and RAM Programs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Verifiable Databases and RAM Programs Yupeng Zhang, Daniel Genkin, Jonathan Katz, Dimitrios Papadopoulos and CharalamposPapamanthou

  2. Cloud Computing Universities Companies Individuals

  3. Security Issue: Integrity Universities Server failure Software error Data tampering in transmission Random answer Malicious server behavior … Companies Individuals

  4. Agenda • Background on verifiable computation • Our construction • Applications to Verifiable Databases and RAM Programs

  5. Verifiable Computation client server function result + proof digest δ Verification: or  data

  6. Efficiency Measures of Verifiable Computation setup time prover time client server function result + proof digest δ Verification: or  proof size data verification time

  7. Prior Work in Verifiable Computation 1. Customized Approach • File read and write [Merkle87, NN00, …] • Range search [Tamassia03, GPT07, …] • Set operations [PTT11, CPPT14, KPP+14, …] • Graph algorithms [GTTC03, ZPK14, Grob14, …] • Database queries [ZKP15, …] • Efficient • Only support limited operations Expressiveness databse graph sets range read/write Efficiency

  8. Prior Work in Verifiable Databases 2. Generic Approach (E.g., SNARK[PHGR13, BCGTV13, BFRS+13, BISW17, …]) • Supports all functions that can be modeled as arithmetic circuits • Constant proof size, fast verification time • Large setup time & prover time • Function specific setup Expressiveness SNARK databse graph sets range read/write Efficiency

  9. Our Contribution • Supports arbitrary computations in NP • Up to 2 orders of magnitude faster than SNARKs • Comparable efficiency to customized VC for databases • No function specific setup Expressiveness Our argument system SNARK databse graph sets range read/write Efficiency

  10. Our Construction

  11. Interactive Proof (IP)[GKR08, CMT12, …] Example: polynomial expansion server client Expand f(x) for me • g(x) = 6x3+49x2+128x+105 Polynomial f(x) = (x+3)(3x+5)(2x+7) If f(x) - g(x) ≠ 0, but f(r) - g(r) = 0, →r is a root of f(x) - g(x), →Pr[r is a root] = • pick a random value r, test f(r) - g(r) = 0

  12. Interactive Proof (IP)[GKR08, CMT12, …] Input Output (result) server client Output fout(x) fout(rout) …… r1 × × f1(x) f1(r1) …… × + × f2(x) …… rin …… fd-2(x) fin(rin) …… …… × × + fd-1(x) …… + × + fin(x) = a0+a1x+a2x2+… (Low degree extension) Check the relationship at a random point (Sumcheck protocol) a0 a1 a2 a3 …… Input (data) fin(rin)

  13. Using IP for Verifiable Computation • No setup time • Fast prover time (no crypto operations) • Storage of the data locally (Last step: evaluate a polynomial defined by the input at a random point)

  14. Delegating Data to the Server • Our solution: Verifiable Polynomial Delegation (VPD) [KZG10, PST13] server evaluation point a client f(a) + proof digest δf (32Bytes) Verification: or  f(x)

  15. Our Interactive Argument Protocol function (modeled as a circuit) server client result IP … digest δfin of fin(x) for the data Interactive proof (except last step) data … fin(rin) VPD rin • fin(rin) + proof fin(rin) or  Verification of polynomial delegation

  16. Using IP for Verifiable Databases • No setup time • Fast prover time (no crypto operations) • Storage of the data locally (Last step: evaluate a polynomial defined by the input at a random point)

  17. Supporting Auxiliary Inputs from Server • Some functions are hard to compute using arithmetic circuits E.g., Integer division a÷b • They are easy to verify with inputs from the server: a = q × b + r • Functions in NP • Interactive Proof does not support auxiliary input (Last step: evaluate a polynomial defined by the input at a random point)

  18. Supporting Auxiliary Inputs from Server • Our solution: Extractable Verifiable Polynomial Delegation (VPD) digest δf client server commitment of the auxiliary inputs with extractability evaluation point a f(a) + proof f(x) Verification: or  Result: extending IP (GKR, CMT etc.) to NP computations

  19. Our Interactive Argument Protocol 2.0 fin(x) = f1(x) +f2(x) function (modeled as a circuit with auxiliary inputs) auxiliary inputs server client digestδf2 result IP digest δf1 of f1(x) for the data … Interactive proof (except last step) digest δf2 of f2(x) for auxiliary inputs data … fin(rin) VPD rin • f1(rin), f2(rin) + proofs f1(rin), f2(rin)  or  Verification of polynomial delegation

  20. Our Interactive Argument Protocol • Setup only for the data, not for functions • Faster prover time (crypto operations is only linear to the input size, does not depend on the circuit size) • Supports auxiliary inputs • Dynamic data (details in paper)

  21. vSQL: Verifiable Database

  22. Verifiable Databases SQL database queries client server result + proof digest δ Verification: or  database

  23. Example 1. SELECTSUM (l_extendedprice* (1 - l_discount)) AS revenueFROM lineitem, partWHERE 2. ( p_partkey = l_partkey 3. ANDp_brand = ‘Brand#41’ 4. ANDp_containerIN (‘SM CASE’, ‘SM BOX’, ‘SM PACK’, ‘SM PKG’) 5. ANDl_quantity >= 7 ANDl_quantity <= 7 + 10 6. ANDp_sizeBETWEEN 1 AND 5 7. ANDl_shipmodeIN (‘AIR’, ‘AIR REG’) 8. ANDl_shipinstruct = ‘DELIVER IN PERSON’ ) 9. OR 10. ( p_partkey = l_partkey 11. ANDp_brand = ‘Brand#14’ 12. ANDp_containerIN (‘MED BAG’, ‘MED BOX’,‘MED PKG’, ‘MED PACK’) 13. ANDl_quantity >= 14 ANDl_quantity <= 14 + 10 14. ANDp_sizeBETWEEN 1 AND 10 15. ANDl_shipmodeIN (‘AIR’, ‘AIR REG’) 16. ANDl_shipinstruct = ‘DELIVER IN PERSON’ ) 17. OR 18. ( p_partkey = l_partkey 19. ANDp_brand = ‘Brand#23’ 20. ANDp_containerIN (‘LG CASE’, ‘LG BOX’, ‘LG PACK’, ‘LG PKG’) 21. ANDl_quantity >= 25 ANDl_quantity <= 25 + 10 22. ANDp_sizeBETWEEN 1 AND 15 23. ANDl_shipmodeIN (‘AIR’, ‘AIR REG’) 24. ANDl_shipinstruct = ‘DELIVER IN PERSON’ ); Query #19 of the TPC-H benchmark http://www.tpc.org/tpch

  24. Comparison with Prior Work Queries and database: TPC-H benchmark Database size: 6 million rows × 13 columns (2.8GB) in the largest table. MySQL 0.67s 100 hours* 7 hours 0.4 hour 54 hours* 1.8 hours 1.3 hours 6 ms 232 ms 148 ms 184 KB 0.3 KB 28 KB 325 hours*  0 hour 1.4 hours 171 hours*  4.16s 398ms 40 ms  0.3 KB 103 KB 

  25. Expressive SQL Update Query #15: create a new table on the fly by range and sum Old table: 2.8GB new table: 1.7MB

  26. vSQL • Comparable efficiency, better expressiveness compared to customized VC • Up to 2 orders of magnitude faster compared to SNARKs • Setup only for database, no query dependent setup

  27. Verifiable RAM

  28. RAM to Circuit Reduction [BCTV14] By time: state1 • CPU state • Time • Program counter • Instruction number • Flag • Registers • ….. state2 state3 …… stateT

  29. RAM to Circuit Reduction [BCTV14] By time: By memory: state1 state'1 E.g., Add r1, r2, r3 Sorting Network CPU step Memory consistency state2 state'2 Memory consistency CPU step state3 state'3 …… …… CPU step Memory consistency stateT state'T

  30. Inefficiency: Preprocessing By time: state1 CPU step • CPU step • All possible CPU instructions: • ADD, MUL, JMP, CMP, LOAD,… state2 CPU step state3 …… CPU step stateT

  31. Our New RAM to Circuit Reduction By Instruction: By time: By Memory: state1 state''1 state'1 Add Sorting Network Sorting Network state2 state''2 state'2 # of Add Add state3 state'3 state''3 # of Load …… …… …… Load stateT state''T state'T

  32. Our New RAM to Circuit Reduction By Instruction: By time: By Memory: state1 state''1 state'1 Add Permuta-tion protocol Permuta-tion protocol state2 state''2 state'2 # of Add Add state3 state'3 state''3 # of Load …… …… …… Load stateT state''T state'T

  33. Our New Verifiable RAM • Prover time linear in #of CPU steps T (vs T log2 T in [BCTV14]) • 8× faster prover time • 120× smaller memory consumption. Up to 2 million CPU steps (vs 32K in [BCTV14])

  34. Summary Verifiable Polynomial Delegation + Interactive Proof • vSQL, verifiable databases • Verifiable RAM Ongoing work: • Zero-knowledge with applications to crypto-currencies Thank you!!! Q&A

  35. Inefficiency: Preprocessing By memory: state'1 Memory consistency state'2 Memory check for every CPU state Memory consistency state'3 …… Memory consistency state'T

  36. Our New RAM to Circuit Reduction By Memory: Memory check only for states accessing memory state'1 state'2 state'3 …… state'T

  37. Our New RAM to Circuit Reduction By Instruction: By time: By Memory: state1 state''1 state'1 Add Sorting Network Sorting Network state2 state''2 state'2 # of Add Add state3 state''3 # of Load …… …… Load stateT state''T

More Related