Information Security – Theory vs. Reality
0368-4474-01, Winter 2012-2013
Lecture 9:
Integrity on untrusted platforms:
Proof-Carrying Data (cont.)
Eran Tromer
1
Recall our high-level goal
Ensure properties of a
distributed computation
when parties are
mutually untrusting,
faulty, leaky
&
malicious.
2
Proof-Carrying Data
[Chiesa Tromer 09]
following Incrementally-Verifiable Computation [Valiant 08]
Alice
x, F
yF(x)
Carol
Bob
G
y
y
y=F(x)
z
zG(y)
z
verify
z
z=G(y)
and I got a valid proof
that “y=F(x)”
Each party prepares a proof string for the next one.
Each proof is:
• Tiny (polylogarithmic in party’s own computation).
• Efficiently verifiable by the next party.
3
C-compliance
System designer specifies his notion of correctness via a
compliance predicate C(in,code,out)
that must be locally fulfilled at every node.
code (program, human inputs, randomness)
C
in
accept / reject
out
C-compliant
distributed
computation
m3
mout
m5
4
Constructing
Proof-Carrying Data
systems
• Technical background
• PCD construction
• Towards a PCD implementation
5
Theorems and NP proofs
A theorem is a statement for which there exists a valid proof string
(witness) w.
Valid is defined by an efficient verification procedure that, on input
the theorem and the (purported) proof string w, decided whether
to accepts.
PNP
w
VNP
1
∃ valid w
This is just another interpretation of NP (equivalent to the classic
“non-determinism based” definition).
7
Probabilistically-Checkable Proofs (PCP)
Relaxation: a prover outputs a proof string  such that, if the
statement is false, the probabilistic verifier is unlikely to be
convinced.
Soundness:
Pr
[
PPCP

VPCP
1
]>2-
1000
∃ valid w
A probabilistic verifier can be much more efficient than the NP
verifier. In fact, the verifier doesn’t need to read more than a few
bits of !
8
Proofs and Verification Complexity
NP
proofs
verifier
cost
exponential
PCPs
logarithmic
polynomial
proof length
9
exponential
Proofs and Verification Complexity
NP
proofs
verifier
cost
polynomial
PCPs
exponential
PCPs
logarithmic
polynomial
proof length
10
exponential
Proofs and Verification Complexity
NP
proofs
verifier
cost
CS
proofs
polynomial
PCPs
exponential
PCPs
logarithmic
polynomial
proof length
11
exponential
Computationally-Sound proofs (CS-proofs / arguments)
Further relaxation:
care only about efficient (polynomial-time) provers.
An inefficient prover could cheat the verifier, but this can be made
arbitrarily hard by increasing a security parameter.
Soundness: for all polynomial-time P:
Pr
[
PCSP

VCSP
1
]>2
-1000
∃ valid w
Analogy:
• information-theoretically-secure encryption (one-time pad), vs.
• computationally-secure encryption (AES).
12
Computationally-Sound Proofs /
•
•
•
•
[Kilian 92][Micali 94]
The prover produces a polynomially-long PCP proof.
The verifier reads only a few randomly-chosen indices.
Then why bother sending all of the PCP proof?
… because if the prover knew what the verifier reads, he
could easily fool the verifier.
r
• Idea: use Fiat-Shamir heuristic:
– Prover writes down PCP proof 
– Prover computes a Merkle

hash tree of ; let r be the root.
– Prover use r as “randomness” to choose the indices.
– Prover sends these indices to verifier, along with Merkle
tree verification paths.
– Verifier checks paths and then invokes PCP verifier.
13
Proofs and Verification Complexity
NP
proofs
verifier
cost
CS
proofs
logarithmic
polynomial
PCPs
exponential
PCPs
polynomial
proof length
14
exponential
Proof of knowledge
Proof systems may satisfy an additional property:
• proof of knowledge: any (possibly cheating) prover P that
convinces the verifier of some theorem “knows” a valid
witness w for the theorem.
• Formally captured by a knowledge extractor, an efficient
procedure that, with suitable access to such P, extracts a
witness:
Pr
[
PCSP

VCSP
1
knowledge
extractor
valid w
PCSP
• This is strictly stronger than soundness.
• We never run the knowledge extractor in reality.
Its existence is used only in the security reduction.
15
]≈1
PCD construction:
Proof aggregation intuition
16
Back to F and G
Bob
Alice
yF(x)
y
y for
“y= F(x)”
zG(y)
Carol
z
verify
z for
“z=G(y)
and I got a proof that
“y=F(x)” ”
The strings y and z are arguments
(computationally sound proofs).
17
z
Proof aggregation
Bob
Alice
y
x
z
G
F
y
P
18
Carol
y=F(x)
V
P
z
V
z=G(y) and
∃y : V(“y=F(x)”,y)=1
Soundness vs. proof of knowledge
Bob
Alice
Carol
y
x
z
G
F
y
y=F(x)
P
z
V
V
z=G(y) and
∃y : V(“y=F(x)”,y)=1
`
P
strong
Need proof of knowledge:
Pr
19
[
P

V
1
knowledge
extractor
P
valid w
]≈1
Must use PCPs for compression
Bob
Alice
y
x
z
G
F
PCP
Carol
y
V
z
V
PCP
P
P
• Probabilistically Checkable Proofs (PCPs)
used to generate concise proof strings.
(And there is evidence this is inherent [Rothblum Vadhan 09].)
20
Must use oracles for non-interactive proof of knowledge
Bob
Alice
y
x
z
G
F
PCP
Carol
y
V
z
V
PCP
P
P
RO
The only known construction of non-interactive proofs of
knowledge is Micali’s, using Merkle trees where the
“hashing” is done using random oracle calls.
21
PCP vs. oracles conflict
Bob
Alice
y
x
z
G
F
PCP
Carol
y
V
z
V
PCP
P
P
RO
• PCP theorem does not relativize [Fortnow ‘94], not even
with respect to a RO [Chang et al. ’92]
• this precluded a satisfying proof of security in [Valiant ‘08]
22
The “trusted hardware” solution
Every node has access to a simple, fixed, stateless
trusted functionality -- essentially, a signature card.
• Signed-Input-and-Randomness (SIR) oracle
C
m3
SIR
3
SIR
mout
SIR
SIR
SIR
23
SIR
out
SIR model
Every node has access to a simple, fixed, trusted
functionality -- essentially, a signature card.
• Signed-Input-and-Randomness (SIR) oracle
x
s
input
string
length
r

random
string
signature
on (x,r)
r ← {0,1}s
 ← SIGNSK(x,r)
VK
24
SIRSK
Public-key crypto the rescue
Bob
Alice
y
x
z
G
F
PCP
Carol
y
V
V
PCP
VK
P
z
P
OSK
SIR
Oracle signs answers using public-key signature:
• answers are verifiable without accessing oracle
•
26
asymmetry allows us to break “PCP vs. oracle” conflict, and
recursively aggregate proofs
back
Sketch of constructions
≈ Fiat-Shamir
Constructing APHAs (Assisted Prover
Hearsay Arguments):
•
•
•
•
heuristic
Start with universal arguments
[Micali] [Barak Goldreich ‘02]
De-interactivize by replacing public-coin messages with oracle queries
Add signature to statement to force witness query (≈ [Chandran et al. ‘08])
Prove a very strong PoK by leveraging the weak PoK of UA
Generalizing to PCD:
• Handle distributed-computation DAG,
using APHA for the proofs along each edge.
• C-compliance: use fixed aggregation rule to reason about arbitrary
computation by proving statements of the form:
C(in,code,out)=1 & “each input carries a valid APHA proof string”
29
APHA
Construction sketch
30
APHA systems
Needed:
• Highly-compressing non-interactive arguments
• Proof-of-knowledge property that’s strong enough to
prove hearsay:
statements whose truth relies on previous
arguments heard from others.
• In the assisted prover model.
We call this
Assisted Prover Hearsay Arguments (APHA).
31
back
[Barak and Goldreich ‘02]
Universal arguments
Start with universal arguments:
Efficient interactive arguments of knowledge with
constant rounds and public coins.
UA
prover
r1
resp1
r2
UA
verifier
resp2
• public coin: r1 and r2 are just random coins
• temporal dependence:
r2 is sent only after resp1 is received
32
back
De-interactivize universal arguments: first try
new
prover
UA
prover
random
oracle
random
oracle
new
verifier
UA
verifier
Prover interacts with random oracle, not with verifier:
• obtains random strings
33
back
De-interactivize universal arguments
≈ Fiat-Shamir
heuristic
almost-APHA
prover
UA
prover
SIR
oracle
SIR
oracle
almost-APHA
verifier
UA
verifier
Prover interacts with SIR oracle, not with verifier:
• obtains random signed strings
• temporal ordering enforced by having each oracle query
include the preceding transcript
34
back
Enhance proof of knowledge
w
APHA
prover
“x  L
and
 is a
signature on a
witness for x  L”
almost-
APHA
prover

SIR
oracle
get signature on
the witness
SIR
oracle
cf. [Chandran
Goyal
Sahai 08]
SIR
oracle
SIR
oracle
APHA
verifier
almost-
APHA
verifier
• Forces prover to get signature on witness
• Knowledge extractor finds witness by examining the queries
 strong proof of knowledge
35
back
Can now do F and G example
Bob
Alice
y
x
z
G
F
PCP
Carol
y
V
z
PCP
P
P
We can now do the above example!
... how about proof-carrying data?
36
back
V
PCD
Construction sketch
37
back
PCD systems
PCD systems are wrappers around APHA systems, with:
– Simpler interface for applications
(no need to reason about theorems and proofs)
– Simpler proof-of-knowledge property
(APHAs have a very technical “list extraction”
definition)
– C-compliance
38
back
PCD definition
At every node, a party uses the PCD prover PPCD:
code
zout
zin1, in1
zin2, in2
PPCD
Osk
out
C, VK
Proofs are checked by the PCD verifier:
VPCD(C, VK, z*, ) decides
if π is a convincing proof for z*.
39
back
PCD definition
PCD systems satisfy
• efficient verifiability:
TIME(VPCD(C, VK, z, π)) = polylog(time to make π)
(actually, much better... )
• completeness via a relatively efficient prover:
if computation is C-compliant, then the proof output by
prover convinces verifier. Moreover:
TIME(PPCD(...)) = poly(time to check C)
+ polylog(time to generate inputs’ proofs)
• proof of knowledge: from any convincing prover, can extract a
whole C-compliant computation
40
back
Back to F and G
Bob
Alice
y
x
z
G
F
PCP
Carol
πy
V
πz
V
PCP
P
P
• Having APHA systems, we can already do the
above example
• How to generalize to C-compliance?
41
back
Adding C-compliance
x
Alice
Bob
y
F
G
C
C
PCP
πy
V
z
πz
Carol
V
PCP
P
P
• “Export” the choice of computation to be an
input to a “fixed rule of aggregation”
42
back
PCD Machine
x
Alice
Bob
y
F
G
C
C
PCP
πy
V
z
πz
Carol
V
PCP
P
PCD
machine
P
• Such fixed rule we call the PCD machine, and
it depends on C
43
back
Implementation
44
PCP implementation stack: overview
Java
program
“natural”
problem
solution to
the problem
circuit
problem
reduction
solution
reduction
verifying properties of
a polynomial in a
finite field
PCP
verifier
45
execution
trace
assignment
Task 2:
“reduction path”
polynomial to
be verified
P
R
O
O
F
PCP
prover
Task 1:
“PCP engine”
Does this work?
Established: Formal framework
• Explicit construction
– “Polynomial time” - not practically feasible (yet…)
– Requires signature cards
Ongoing and future work:
• Full implementation
• Practicality
• Reduce requirement for signature cards (or prove necessity)
• Extensions (e.g., zero knowledge)
• Interface with complementary approaches: tie “compliance”
into existing methods and a larger science of security
• Applications and “compliance engineering” methodology
46