Eli Ben- - PowerPoint Presentation

Slide1

Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer and Madars VirzaUSENIX Security Symposium 2014

Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture

1Slide2

OutlineWarm-up exampleProblem definitionContribution EvaluationComparisonQuestion time

2Slide3

What is zero knowledge proofInteractive zero knowledge prooftheoretical systems where a first party ('Prover') exchanges messages with a second party ('Verifier') to convince the Verifier that some mathematical statement is true.PropertiesCompleteness: honest

prover can convince the verifierSoundness: no cheating prover can convince the verifierZero-knowledge: no cheating verifier learns anything other than the fact that the fact is true/false

3Slide4

ExampleAT&T want to assign frequency optimally across base stationsSeeking help from GoogleNo pay until knowing them have the coloringNo solution until they are paid up

4Slide5

Solve the dilemmaZero knowledge proofAT&T place empty chart in the room and leaveGoogle walk in, shuffle the pens, color and cover node by hatsAT&T walk in, challenge one of the edgesRepeat until confidence is high enough

5Slide6

Non-interactive zero knowledge proofProblem with interactive solutionNo conversation, no proofCannot maintain conversation with many verifiersDesired propertiesSolution and proof achieved in one pass

6Slide7

Non-interactive solutionLet Google prepare a sequence of color pairsTrivial to cheat: modifying the coloring whenever adjacent nodes conflictAn extra mile – no control over the edge sequenceSolutionTake all the commitments from proof iterations, join them into a batch

Compute the hash of the batch, and treat the hash as if it was a sequence of integers

hash

7Slide8

Problem definition Security problemA client owns a public input xA server owns private input DBClient wishes to learn z = A(x,DB) for problem A known to both parties

Integrity vs. confidentiality

8Slide9

More than thatUniversality“hash” function for all kinds of problemsEfficiencyInterfacing problem to a universal settingConduct efficient proving & verfication

9Slide10

General Solution10Slide11

General Solution11Slide12

Circuit generationLimitation of prior workPer program key generationLimited support to high level languageProposalOne setting for all problemPython?

A mini von Neumann architecture: vnTinyMem

12Slide13

Circuit generationGoalValidity of instruction fetchValidity of instruction executionValidity of memory access

13Slide14

Circuit generationApproachCPU operation states (registers S and instruction I) Trace = (S1, I1, … ST, IT

)Non-deterministic rounting

14Slide15

SNARK for circuitTailored implementation of underlying componentsFinite-field arithmetic, elliptic-curve group arithmetic, pairing-based checks, and so onPerformance

15Slide16

EvaluationCircuit generatorAdditive dependence of program sizeMost gates dedicated to check execution

16Slide17

EvaluationSNARKLow time consumption per gateSmall proof/key size

17Slide18

ComparisonPinocchio: Nearly Practical Verifiable ComputationSimilar proof tool chain workflowConstant proof sizeCircuit generation: program analysisRestrict loop iteration bounds and memory accesses to be known at compile

timeGood for circuit-like routinesBad for memory intensive programs

18Slide19

ComparisonPantry: Verifying computations with stateRe-implemented protocol in “Pinocchio”, allow data dependent memory accessExtend verifiable map-reduce frameworkGate consumption is high for memory accessesAlso rely on program analysis

19Slide20

ComparisonTRUESET: Faster Verifiable Set ComputationsMixture arithmetic gates and set gatesSpecialized in set operation (SQL subset)Intersection, union and set differenceInput specific runtime

20Slide21

Thank youQuestion & answer21