Slide1
Verifiable Databases and RAM Programs
Yupeng Zhang, Daniel Genkin, Jonathan Katz, Dimitrios Papadopoulos and Charalampos Papamanthou
Slide2
Cloud Computing
Individuals
Companies
Universities
Slide3
Security Issue: Integrity
Individuals
Companies
Universities
Server failure
Software error
Data tampering in transmission
Random answer
Malicious server behavior
…
Slide4
Agenda
Background on verifiable computation
Our construction
Applications to Verifiable Databases and RAM Programs
Slide5
Verifiable Computation
function
client
server
data
result + proof
digest δ
Verification:
or
Slide6
Efficiency Measures of Verifiable Computation
function
client
server
data
result + proof
digest δ
Verification:
or
setup time
prover time
proof size
verification time
Slide7
Prior Work in Verifiable Computation
1. Customized Approach
File read and write [Merkle87, NN00, …]
Range search [Tamassia03, GPT07, …]
Set operations [PTT11, CPPT14, KPP+14, …]
Graph algorithms [GTTC03, ZPK14, Grob14, …]
Database queries [ZKP15, …]
Efficient
Only support limited operations
[Figure: plot with axes Efficiency and Expressiveness; points labeled read/write, sets, range, graph, database]
Slide8
Prior Work in Verifiable Databases
2. Generic Approach (e.g., SNARK [PHGR13, BCGTV13, BFRS+13, BISW17, …])
Supports all functions that can be modeled as arithmetic circuits
Constant proof size, fast verification time
Large setup time & prover time
Function-specific setup
[Figure: plot with axes Efficiency and Expressiveness; points labeled SNARK, read/write, sets, range, graph, database]
Slide9
Our Contribution
Supports arbitrary computations in NP
Up to 2 orders of magnitude faster than SNARKs
Comparable efficiency to customized VC for databases
No function-specific setup
[Figure: plot with axes Efficiency and Expressiveness; points labeled Our argument system, SNARK, read/write, sets, range, graph, database]
Slide10
Our Construction
Slide11
Interactive Proof (IP)
[GKR08, CMT12, …]
Expand f(x) for me
client
server
Example: polynomial expansion
Polynomial f(x) = (x+3)(3x+5)(2x+7)
g(x) = 6x^3 + 49x^2 + 128x + 105
Pick a random value r, test f(r) - g(r) = 0
If f(x) - g(x) ≠ 0, but f(r) - g(r) = 0,
→ r is a root of f(x) - g(x),
→ Pr[r is a root] =
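The random-point test above, written out as an added example (not code from the slides or the paper). The field modulus `P`, the function names and the wrong answer `G_WRONG` are assumptions made for illustration; the exhaustive count over the tiny field F_101 shows that a wrong expansion fools the test only at the roots of f - g, of which a nonzero polynomial of degree d has at most d.

```python
import secrets

P = 2**61 - 1  # prime field modulus; an assumption, the slide fixes no field

def eval_factored(factors, x, p):
    """f(x) = prod (a*x + b): what the client can evaluate cheaply itself."""
    acc = 1
    for a, b in factors:
        acc = acc * (a * x + b) % p
    return acc

def eval_expanded(coeffs, x, p):
    """g(x) from the server's coefficients (highest degree first), by Horner."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % p
    return acc

def accepts_at(factors, claimed, r, p):
    """The slide's test f(r) - g(r) = 0 at one point r."""
    return eval_factored(factors, r, p) == eval_expanded(claimed, r, p)

def verify_expansion(factors, claimed, p=P):
    """Client check at a fresh random r. If f - g is nonzero of degree d it
    has at most d roots, so a wrong g passes with probability at most d/p."""
    return accepts_at(factors, claimed, secrets.randbelow(p), p)

def fooling_points(factors, claimed, p):
    """Exhaustively count r in F_p accepted by the test (tiny p only)."""
    return sum(accepts_at(factors, claimed, r, p) for r in range(p))

F = [(1, 3), (3, 5), (2, 7)]   # f(x) = (x+3)(3x+5)(2x+7), from the slide
G = [6, 49, 128, 105]          # g(x) = 6x^3 + 49x^2 + 128x + 105, from the slide
G_WRONG = [5, 49, 129, 105]    # constructed wrong answer: f - g = x^3 - x

if __name__ == "__main__":
    print("honest g accepted:", verify_expansion(F, G))
    print("wrong g accepted: ", verify_expansion(F, G_WRONG))
    print("fooling r in F_101:", fooling_points(F, G_WRONG, 101), "of 101")
```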
Slide12
Interactive Proof (IP) [GKR08, CMT12, …]
[Figure: layered circuit of + and × gates between Input (data) and Output (result), with client and server. Layer polynomials: f_out(x), f_1(x), f_2(x), …, f_d-2(x), f_d-1(x), f_in(x). Evaluations at random points: f_out(r_out), f_1(r_1), ……, f_in(r_in).]
Check the relationship at a random point (Sumcheck protocol)
(Low degree extension) a_0 a_1 a_2 a_3 …… = a_0 + a_1 x + a_2 x^2 + …
Slide13
Using IP for Verifiable Computation
No setup time
Fast prover time (no crypto operations)
Storage of the data locally
(Last step: evaluate a polynomial defined by the input at a random point)
Slide14
Delegating Data to the Server
Our solution: Verifiable Polynomial Delegation (VPD) [KZG10, PST13]
evaluation point a
client
server
f(a) + proof
digest δ_f (32 Bytes)
Verification: or
f(x)
Slide15
Our Interactive Argument Protocol
function (modeled as a circuit)
client
server
data
digest δ_fin of f_in(x) for the data
result
Interactive proof (except last step)
…
r_in
f_in(r_in) + proof
f_in(r_in)
or
Verification of polynomial delegation
f_in(r_in)
IP
VPD
Slide16
Using IP for Verifiable Databases
No setup time
Fast prover time (no crypto operations)
Storage of the data locally
(Last step: evaluate a polynomial defined by the input at a random point)
Slide17
Supporting Auxiliary Inputs from Server
Some functions are hard to compute using arithmetic circuits
E.g., integer division a ÷ b
They are easy to verify with inputs from the server: a = q × b + r
Functions in NP
Interactive Proof does not support auxiliary input
(Last step: evaluate a polynomial defined by the input at a random point)
Slide18
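The integer-division case from the "Supporting Auxiliary Inputs from Server" slide, as an added example (not code from the slides or the paper): the server supplies q and r as auxiliary input and the check uses only field additions and multiplications. The field `P`, the bit width `K`, the witness layout and the bit-decomposition range checks are assumptions; the constructed cheating witness shows that a = q × b + r alone accepts a wrong quotient once arithmetic is modulo P.

```python
P = 2**61 - 1   # field modulus (assumption)
K = 16          # bit width of a, b, q, r (assumption); 2^(2K) + 2^K < P, no wrap-around

def to_bits(v):
    """Low K bits of v, least significant first."""
    return [(v >> i) & 1 for i in range(K)]

def make_witness(b, q, r):
    """Auxiliary input sent by the server: q, r and bit decompositions."""
    q, r = q % P, r % P
    return {"q": q, "r": r, "q_bits": to_bits(q),
            "r_bits": to_bits(r), "gap_bits": to_bits((b - 1 - r) % P)}

def in_range(value, bit_list):
    """Constraints t*(t-1) = 0 for every bit and sum(t_i * 2^i) = value (mod P)."""
    if len(bit_list) != K or any(t * (t - 1) % P for t in bit_list):
        return False
    return sum(t << i for i, t in enumerate(bit_list)) % P == value % P

def check_division(a, b, w, range_checks=True):
    """Verify the claimed quotient and remainder of a / b over F_P."""
    if (w["q"] * b + w["r"] - a) % P:                      # a = q*b + r
        return False
    if not range_checks:
        return True
    return (in_range(w["q"], w["q_bits"])                  # q < 2^K
            and in_range(w["r"], w["r_bits"])              # 0 <= r < 2^K
            and in_range(b - 1 - w["r"], w["gap_bits"]))   # r <= b - 1

def honest(a, b):
    return make_witness(b, *divmod(a, b))

def cheating(a, b):
    """Constructed bad witness: q + 1 and r - b, a huge field element."""
    q, r = divmod(a, b)
    return make_witness(b, q + 1, r - b)

if __name__ == "__main__":
    print(check_division(100, 7, honest(100, 7)))                         # True
    print(check_division(100, 7, cheating(100, 7), range_checks=False))   # True
    print(check_division(100, 7, cheating(100, 7)))                       # False
```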
Our solution: Extractable Verifiable Polynomial Delegation (VPD)
evaluation point a
client
server
f(a) + proof
digest δ_f
Verification:
or
f(x)
commitment of the auxiliary inputs with extractability
Result: extending IP (GKR, CMT etc.) to NP computations
Supporting Auxiliary Inputs from Server
Slide19
Our Interactive Argument Protocol 2.0
function (modeled as a circuit with auxiliary inputs)
client
server
data
digest δ_f1 of f_1(x) for the data
digest δ_f2 of f_2(x) for auxiliary inputs
result
Interactive proof (except last step)
…
r_in
f_1(r_in), f_2(r_in) + proofs
f_1(r_in), f_2(r_in)
or
Verification of polynomial delegation
f_in(r_in)
IP
VPD
digest δ_f2
auxiliary inputs
f_in(x) = f_1(x) + f_2(x)
Slide20
Our Interactive Argument Protocol
Setup only for the data, not for functions
Faster prover time (crypto operations are only linear in the input size and do not depend on the circuit size)
Supports auxiliary inputs
Dynamic data (details in paper)
Slide21
vSQL: Verifiable Database
Slide22
Verifiable Databases
SQL database queries
client
server
database
result + proof
digest δ
Verification:
or
Slide23
SELECT SUM(l_extendedprice * (1 - l_discount)) AS revenue
FROM lineitem, part
WHERE
    ( p_partkey = l_partkey
      AND p_brand = 'Brand#41'
      AND p_container IN ('SM CASE', 'SM BOX', 'SM PACK', 'SM PKG')
      AND l_quantity >= 7 AND l_quantity <= 7 + 10
      AND p_size BETWEEN 1 AND 5
      AND l_shipmode IN ('AIR', 'AIR REG')
      AND l_shipinstruct = 'DELIVER IN PERSON' )
    OR
    ( p_partkey = l_partkey
      AND p_brand = 'Brand#14'
      AND p_container IN ('MED BAG', 'MED BOX', 'MED PKG', 'MED PACK')
      AND l_quantity >= 14 AND l_quantity <= 14 + 10
      AND p_size BETWEEN 1 AND 10
      AND l_shipmode IN ('AIR', 'AIR REG')
      AND l_shipinstruct = 'DELIVER IN PERSON' )
    OR
    ( p_partkey = l_partkey
      AND p_brand = 'Brand#23'
      AND p_container IN ('LG CASE', 'LG BOX', 'LG PACK', 'LG PKG')
      AND l_quantity >= 25 AND l_quantity <= 25 + 10
      AND p_size BETWEEN 1 AND 15
      AND l_shipmode IN ('AIR', 'AIR REG')
      AND l_shipinstruct = 'DELIVER IN PERSON' );
Query #19 of the TPC-H benchmark
http://www.tpc.org/tpch
Example
Slide24
Comparison with Prior Work
Query #19        IntegriDB    SNARK         vSQL
Setup            7 hours      100 hours*    0.4 hour
Prover           1.8 hours    54 hours*     1.3 hours
Verification     232 ms       6 ms          148 ms
Communication    184 KB       0.3 KB        28 KB

Query #5 (5-way join)
Setup            325 hours*   0 hour
Prover           171 hours*   1.4 hours
Verification     40 ms        398 ms
Communication    0.3 KB       103 KB

MySQL            0.67s        4.16s

Queries and database: TPC-H benchmark
Database size: 6 million rows × 13 columns (2.8GB) in the largest table.
Slide25
Expressive SQL Update
Query #15: create a new table on the fly by range and sum
Old table: 2.8GB, new table: 1.7MB
Prover: 0.5 hour
Verification: 85ms
Communication: 85.7KB
Slide26
vSQL
Comparable efficiency, better expressiveness compared to customized VC
Up to 2 orders of magnitude faster compared to SNARKs
Setup only for database, no query-dependent setup
Slide27
Verifiable RAM
Slide28
RAM to Circuit Reduction [BCTV14]
By time: state_1, state_2, state_3, ……, state_T
CPU state:
Time
Program counter
Instruction number
Flag
Registers
…
Slide29
RAM to Circuit Reduction [BCTV14]
[Figure: the states listed two ways, linked by a Sorting Network.
By time: state_1, state_2, state_3, ……, state_T, with a CPU step check between them (e.g., Add r1, r2, r3).
By memory: state'_1, state'_2, state'_3, ……, state'_T, with a Memory consistency check between them.]
Slide30
Inefficiency: Preprocessing
By time: state_1, state_2, state_3, ……, state_T, with a CPU step between them
CPU step
All possible CPU instructions: ADD, MUL, JMP, CMP, LOAD, …
Slide31
Our New RAM to Circuit Reduction
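[Figure: the states listed three ways.
By time: state_1, state_2, state_3, ……, state_T.
By Instruction: state''_1, state''_2, state''_3, ……, state''_T, grouped as Add, Add, …, Load (# of Add, # of Load), linked by a Sorting Network.
By Memory: state'_1, state'_2, state'_3, ……, state'_T, linked by a Sorting Network.]
Slide32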
Our New RAM to Circuit Reduction
[Figure: the states listed three ways.
By time: state_1, state_2, state_3, ……, state_T.
By Instruction: state''_1, state''_2, state''_3, ……, state''_T, grouped as Add, Add, …, Load (# of Add, # of Load), linked by a Permutation protocol.
By Memory: state'_1, state'_2, state'_3, ……, state'_T, linked by a Permutation protocol.]
Slide33
Our New Verifiable RAM
Prover time linear in # of CPU steps T (vs T log2 T in [BCTV14])
8× faster prover time
120× smaller memory consumption. Up to 2 million CPU steps (vs 32K in [BCTV14])
Slide34
Summary
Verifiable Polynomial Delegation + Interactive Proof
vSQL, verifiable databases
Verifiable RAM
Ongoing work: Zero-knowledge with applications to crypto-currencies
Thank you!!!
Q&A
Slide35
[Figure: By memory: state'_1, state'_2, state'_3, ……, state'_T, with a Memory consistency check between them]
Inefficiency: Preprocessing
Memory check for every CPU state
Slide36
Our New RAM to Circuit Reduction
By Memory: state'_1, state'_2, state'_3, ……, state'_T
Memory check only for states accessing memory
Slide37
Our New RAM to Circuit Reduction
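[Figure: the states listed three ways.
By time: state_1, state_2, state_3, ……, state_T.
By Instruction: state''_1, state''_2, state''_3, ……, state''_T, grouped as Add, Add, …, Load (# of Add, # of Load), linked by a Sorting Network.
By Memory: state'_1, state'_2, linked by a Sorting Network.]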
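The "by memory" check from the RAM slides, as an added example (not code from the slides or the paper): only states that access memory are kept, they are re-listed by address and time, and consistency becomes a check on neighbours. The trace format, zero-initialised memory and the encoding are assumptions, and the random product fingerprint is a stand-in for the "permutation protocol", which the slides do not detail.

```python
import secrets

P = 2**61 - 1  # field for the fingerprint (assumption)

# Constructed trace in time order: (t, op, addr, value); ADD touches no memory.
TRACE = [(0, "STORE", 8, 5), (1, "ADD", None, None), (2, "STORE", 9, 7),
         (3, "LOAD", 8, 5), (4, "ADD", None, None), (5, "STORE", 8, 6),
         (6, "LOAD", 8, 6), (7, "LOAD", 9, 7)]

def memory_states(trace):
    """Only the states that access memory take part in the memory check."""
    return [s for s in trace if s[1] in ("LOAD", "STORE")]

def by_memory(trace):
    """The 'by memory' order: sort by address, then by time."""
    return sorted(memory_states(trace), key=lambda s: (s[2], s[0]))

def consistent(states):
    """Neighbour check: order is strictly (addr, time) and every LOAD returns
    the previous value at that address (assumption: memory starts as 0)."""
    prev = None
    for s in states:
        t, op, addr, val = s
        same = prev is not None and prev[2] == addr
        if prev is not None and (addr, t) <= (prev[2], prev[0]):
            return False
        if op == "LOAD" and val != (prev[3] if same else 0):
            return False
        prev = s
    return True

def fingerprint(states, gamma):
    """prod (gamma - enc(s)) mod P. Assumes t, addr, value < 2**19 so enc < P."""
    acc = 1
    for t, op, addr, val in states:
        enc = ((2 * t + (op == "STORE")) << 40) | (addr << 20) | val
        acc = acc * (gamma - enc) % P
    return acc

def verify(trace, claimed_sorted):
    """Accept iff claimed_sorted is a reordering of the memory states of trace
    (equal fingerprints at a random gamma) and passes the neighbour check."""
    gamma = secrets.randbelow(P)
    mem = memory_states(trace)
    return (len(mem) == len(claimed_sorted)
            and fingerprint(mem, gamma) == fingerprint(claimed_sorted, gamma)
            and consistent(claimed_sorted))
```

A trace whose LOAD returns a stale or invented value fails the neighbour check, and a "by memory" list doctored to look consistent fails the fingerprint comparison except with probability about n/P for n memory states.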