1

Information Security – Theory vs. Reality

0368-4474-01, Winter 2012-2013

Lecture 9: Integrity on untrusted platforms:Proof-Carrying Data (cont.)

Eran Tromer

2

Recall our high-level goal

Ensure properties of adistributed computation

when parties aremutually untrusting,

faulty, leaky&

malicious.

3

Proof-Carrying Data [Chiesa Tromer 09]following Incrementally-Verifiable Computation [Valiant 08]

yyF(x) zG(y)

Each party prepares a proof string for the next one.Each proof is:• Tiny (polylogarithmic in party’s own computation).• Efficiently verifiable by the next party.

Alice Bob Carolx, F G

y verifyzz

z

z=G(y)and I got a valid proof

that “y=F(x)”

y=F(x)

4

C-compliance

m1

m2

m3

m 4

m5

m6

m7

mout

System designer specifies his notion of correctness via a compliance predicate C(in,code,out)that must be locally fulfilled at every node.

Ccode

in out

accept / reject

(program, human inputs, randomness)

C-compliantdistributed

computation

5

ConstructingProof-Carrying Data

systems

• Technical background• PCD construction• Towards a PCD implementation

7

Theorems and NP proofs

A theorem is a statement for which there exists a valid proof string (witness) w.

Valid is defined by an efficient verification procedure that, on input the theorem and the (purported) proof string w, decided whether to accepts.

This is just another interpretation of NP (equivalent to the classic “non-determinism based” definition).

VPw 1 ∃ valid wVNPPNP

8

Probabilistically-Checkable Proofs (PCP)

Relaxation: a prover outputs a proof string such that, if the statement is false, the probabilistic verifier is unlikely to be convinced.

Soundness:

A probabilistic verifier can be much more efficient than the NP verifier. In fact, the verifier doesn’t need to read more than a few bits of !

PPCP

1Pr[ ]>2-1000 ∃ valid wVPCP

9

Proofs and Verification Complexity

verifiercost

proof length

NPproofs

exponentialPCPs

probabilisticverification

polynomial exponentiallogarithmic

10

Proofs and Verification Complexity

verifiercost

proof length

NPproofs

polynomialPCPs

exponentialPCPs

probabilisticverification

special codes

polynomial exponentiallogarithmic

11

Proofs and Verification Complexity

verifiercost

proof length

NPproofs

CSproofs

polynomialPCPs

exponentialPCPs

probabilisticverification

special codes

polynomial exponentiallogarithmic

12

Computationally-Sound proofs (CS-proofs / arguments)

Further relaxation:care only about efficient (polynomial-time) provers.An inefficient prover could cheat the verifier, but this can be made arbitrarily hard by increasing a security parameter.Soundness: for all polynomial-time P:

Analogy:• information-theoretically-secure encryption (one-time pad), vs. • computationally-secure encryption (AES).

VCSPPCSP

1Pr[ ]>2-1000 ∃ valid w

13

Computationally-Sound Proofs / [Kilian 92][Micali 94]

• The prover produces a polynomially-long PCP proof.• The verifier reads only a few randomly-chosen indices.• Then why bother sending all of the PCP proof?• … because if the prover knew what the verifier reads, he

could easily fool the verifier.• Idea: use Fiat-Shamir heuristic:

– Prover writes down PCP proof – Prover computes a Merkle

hash tree of ; let r be the root.– Prover use r as “randomness” to choose the indices.– Prover sends these indices to verifier, along with Merkle

tree verification paths.– Verifier checks paths and then invokes PCP verifier.

r

14

Proofs and Verification Complexity

verifiercost

proof length

NPproofs

CSproofs

polynomialPCPs

exponentialPCPs

probabilisticverification

Fiat-Shamir

compressionspecial codes

polynomial exponentiallogarithmic

15

Proof of knowledge

Proof systems may satisfy an additional property:• proof of knowledge: any (possibly cheating) prover P that

convinces the verifier of some theorem “knows” a valid witness w for the theorem.

• Formally captured by a knowledge extractor, an efficient procedure that, with suitable access to such P, extracts a witness:

• This is strictly stronger than soundness.• We never run the knowledge extractor in reality.

Its existence is used only in the security reduction.

1PCSP

knowledgeextractor valid w

Pr[ ]≈1 VCSPPCSP

16

PCD construction:

Proof aggregation intuition

17

Back to F and G

The strings y and z are arguments (computationally sound proofs).

zy

z for

“z=G(y)and I got a proof that

“y=F(x)” ”

y for“y= F(x)”

yF(x) zG(y)

Alice Bob Carol

verifyz

18

Proof aggregation

Alice

zyBob Carol

xG

V

P P

V

F

zy

y=F(x) z=G(y) and∃y : V(“y=F(x)”,y)=1

19

Soundness vs. proof of knowledge

Alice

zyBob Carol

xG

V

P P

Need proof of knowledge:

V

VP 1

P

F

knowledgeextractor valid w

Pr[ ]≈1

y=F(x)

Meaninglessfor arguments

zy

z=G(y) and∃y : V(“y=F(x)”,y)=1

`

strong

20

Must use PCPs for compression

• Probabilistically Checkable Proofs (PCPs) used to generate concise proof strings.

Alice

zyBob Carol

PCP

xG

V

P PPCP

V

F

zy

(And there is evidence this is inherent [Rothblum Vadhan 09].)

21

Must use oracles for non-interactive proof of knowledge

Alice

zyBob Carol

zyPCP

xG

V

P PPCP

RO

V

F

The only known construction of non-interactive proofs of knowledge is Micali’s, using Merkle trees where the “hashing” is done using random oracle calls.

22

PCP vs. oracles conflict

• PCP theorem does not relativize [Fortnow ‘94], not even with respect to a RO [Chang et al. ’92]

• this precluded a satisfying proof of security in [Valiant ‘08]

Alice

zyBob Carol

zyPCP

xG

V

P P

RO

V

F

PCP

VPCP

23

The “trusted hardware” solution

Every node has access to a simple, fixed, stateless trusted functionality -- essentially, a signature card.

Cm1

1

m2

2

m 4

4

m5

5

m6

6

m7

7

mout

out

m3

3

SIRSIR

SIR

SIR

SIR

SIR

• Signed-Input-and-Randomness (SIR) oracle

24

SIR model

Every node has access to a simple, fixed, trusted functionality -- essentially, a signature card.

• Signed-Input-and-Randomness (SIR) oracle

xinput string

SIRSK

rrandom string

r ← {0,1}s

← SIGNSK(x,r)

slength

signature on (x,r)

VKcan derandomize:

Generate r using PRF

26

Public-key crypto the rescue

Oracle signs answers using public-key signature:• answers are verifiable without accessing oracle• asymmetry allows us to break “PCP vs. oracle” conflict, and

recursively aggregate proofs

Alice

zyBob Carol

zyPCP

Fx

G

V

P PPCP

OSK

VK

V

SIR

back

29

Sketch of constructions

Constructing APHAs (Assisted Prover Hearsay Arguments):• Start with universal arguments [Micali] [Barak Goldreich ‘02]• De-interactivize by replacing public-coin messages with oracle queries• Add signature to statement to force witness query (≈ [Chandran et al. ‘08])• Prove a very strong PoK by leveraging the weak PoK of UA

Generalizing to PCD:• Handle distributed-computation DAG,

using APHA for the proofs along each edge.• C-compliance: use fixed aggregation rule to reason about arbitrary

computation by proving statements of the form:C(in,code,out)=1 & “each input carries a valid APHA proof string”

≈ Fiat-Shamirheuristic

30

APHA

Construction sketch

31

APHA systems

Needed:• Highly-compressing non-interactive arguments• Proof-of-knowledge property that’s strong enough to

prove hearsay:statements whose truth relies on previous

arguments heard from others.• In the assisted prover model.

We call thisAssisted Prover Hearsay Arguments (APHA).

back

32

Universal arguments [Barak and Goldreich ‘02]

UAprover

UAverifierr2

r1

resp1

resp2

• public coin: r1 and r2 are just random coins• temporal dependence:

r2 is sent only after resp1 is received

Start with universal arguments:Efficient interactive arguments of knowledge with constant rounds and public coins.

back

33

De-interactivize universal arguments: first try

Prover interacts with random oracle, not with verifier:• obtains random strings

newprover

randomoracle

newverifier

randomoracle

UAprover

UAverifier

back

34

De-interactivize universal arguments

Prover interacts with SIR oracle, not with verifier:• obtains random signed strings• temporal ordering enforced by having each oracle query

include the preceding transcript

almost-APHA prover

SIRoracle

almost-APHAverifier

SIRoracle

UAprover

UAverifier

≈ Fiat-Shamirheuristic

back

35

Enhance proof of knowledge

• Forces prover to get signature on witness• Knowledge extractor finds witness by examining the queries

strong proof of knowledge

APHAprover

SIRoracle

APHAverifier

SIRoracle

almost-APHA prover

almost-APHA verifier

SIRoracle

SIRoracle

get signature onthe witness

“x Land

is asignature on a

witness for x L”

w

cf. [ChandranGoyalSahai 08]

back

36

Can now do F and G example

We can now do the above example!

... how about proof-carrying data?

Alice

zyBob Carol

PCP

x

PCP

G

V

P P

V

F

zy

back

37

PCD

Construction sketch

back

38

PCD systems

PCD systems are wrappers around APHA systems, with:– Simpler interface for applications

(no need to reason about theorems and proofs)– Simpler proof-of-knowledge property

(APHAs have a very technical “list extraction” definition)

– C-compliance

back

39

PCD definition

At every node, a party uses the PCD prover PPCD:

PPCD

Osk

zin1, in1

zin2, in2

C, VK

out

Proofs are checked by the PCD verifier:VPCD(C, VK, z*, ) decidesif π is a convincing proof for z*.

codezout

back

40

PCD definition

PCD systems satisfy• efficient verifiability:

TIME(VPCD(C, VK, z, π)) = polylog(time to make π) (actually, much better... )

• completeness via a relatively efficient prover:if computation is C-compliant, then the proof output byprover convinces verifier. Moreover:TIME(PPCD(...)) = poly(time to check C)

+ polylog(time to generate inputs’ proofs) • proof of knowledge: from any convincing prover, can extract a

whole C-compliant computation

back

41

Back to F and G

• Having APHA systems, we can already do the above example

• How to generalize to C-compliance?

Alice

zyBob Carol

πzπyPCP

x

PCP

G

V

P P

V

F

back

42

Adding C-compliance

Alicezy

Bob Carol

πzπyPCP

Fx

PCP

G

V

P P

C C

• “Export” the choice of computation to be an input to a “fixed rule of aggregation”

V

back

43

PCD Machine

Alicezy

Bob Carol

πzπyPCP

Fx

PCP

G

V

P P

C C

• Such fixed rule we call the PCD machine, and it depends on C

PCD machine

V

back

44

Implementation

45

PCP implementation stack: overview

“natural” problem

verifying properties ofa polynomial in a

finite field

problemreduction

Javaprogram

circuit

solution tothe problem

executiontrace

solutionreduction

polynomial to be verified

PCPproverPCP

verifier

PROOF

Task 1:“PCP engine”

Task 2:“reduction path”

assignment

46

Does this work?

Established: Formal framework• Explicit construction

– “Polynomial time” - not practically feasible (yet…)– Requires signature cards

Ongoing and future work:• Full implementation• Practicality• Reduce requirement for signature cards (or prove necessity)• Extensions (e.g., zero knowledge)• Interface with complementary approaches: tie “compliance”

into existing methods and a larger science of security• Applications and “compliance engineering” methodology