Efficient Verification of Computation on Untrusted Platforms�
Yael Tauman Kalai
MSR and MIT
Computation Goes Remote
Local Trusted Platform
Remote Untrusted Platform
Computation Goes Remote
Local Trusted Platform
Remote Untrusted Platform
Challenges
Economics
Privacy
Integrity
Efficient Verification of Computation
If adv succeeds
then it can break a
cryptographic assumption
Efficient Verification of Computation
If adv succeeds
then it can break a
cryptographic assumption
Efficient Verification of Computation
Common Random String (CRS)
computational
If adv succeeds
then it can break a
cryptographic assumption
Efficient Verification of Computation
Common Random String (CRS)
Succinct Non-interactive Argument (SNARG)
computational
Constructions
First SNARG construction [Kilian92, Micali94]
Verifying correctness of computation: IP, MIP, PCPs
Focus: High complexity classes, and statistical soundness
[GMR85, B85, LFKN90, S90, BGKW88, BLR89, BFL90, FRS88, FGLS, BFLS91, AS92, ALMSS92,…]
Security issues…
Doubly Efficient Interactive Proof (IP) �[Goldwasser-K-Rothblum08]
Focus: On real world computations
Goal: Verifier is super efficient, and generating a proof incurs a
minimal overhead
[GKR]: Construction of doubly efficient IP for all bounded depth computations
SNARG
Known as GKR
Fiat-Shamir
heuristic
Follow-up Work
K-Raz09, Groth10, Gennaro-Gentry-Parno2010 , Chung-K-Vadhan2010, Applebaum-Ishai-Kushilevitz2010, Parno-Raykova-Vaikuntanathan2011,Goldwasser-Lin-Rubinstein11, Damgard-Faust -Hazay11, Lipma12, Bitanski-Canetti12, Gennaro-Gentry-Parno-Raykova12, Bitansky-Canetti-Chiesa-Tromer12a, Bitansky-Canetti-Chiesa-Tromer12b, Bitansky-Chiesa-Ishai-Ostrovsky-Paneth13, K-Raz-Rothblum13, Thaler13, K-Raz-Rothblum14, Bitansky-Sanjam-Lin-Pass-Telang14, Canetti-Holmgren-Jain-Vaikuntanathan14, Koppula-Lewko-Waters14,K-Paenth15, Canetti-Holmgren16, Chen-Chow-Chung-Lai16, Bootle-Cerulli-Chaidos-Growth-Petit16, Giacomelli-Madsen-Orlandi16, K-Rothblum-Rothblum16, Paneth-Rothblum17, Wahby-Ji-Blumberg-shelat-Thaler-Walfish-Wies17, Ames-Hazay-Ishai-Venkitasubramaniam17 Brakerski-Holmgren-K17, Holmgren-Rothblum17, Zhang-Genkin-Katz-Papadopoulos-Papamanthou17 ,Reingold-Rothblum-Rothblum17, Badrinarayanan-K-Khurana-Sahai-Wichs18, Bunz-Bootle-Boneh-Poelstra-Wuille-Maxwell18, Canetti-Chen-Reyzin-Rothblum18, Zhang-Genkin-Katz-Papadopoulos-Papamanthou18, Wahby-Tzialla-shelat-Thaler-Walfish18, Katz-Kolesnikov-Wang18, Holmgren-Lombardi18, Bootle-Lyubashevsky-Seiler19, Canetti-Chen-Holmgren-Lombardi-Rothblum-Rothblum-Wichs19, K-Paneth-Yang19, Ben-Sasson-Bentov-Horesh-Riabzev19, Xie-Zhang-Zhang-Papamanthou-Song19, Ben-Sasson-Chiesa-Riabzev-Spooner-Virza-Ward19, Boschini-Camenisch-Ovsiankin-Spooner20, Chiesa-Ojha-Spooner20, Baum-Nof20, Setty-Lee20, Bhadauria-Fang-Hazay-Venkitasubramaniam-Xie-Zhang20, Setty20, Esgin-Nguyen-Seiler20, Zhang-Xie-Zhang-Song20, Bunz-Fisch-Szepieniec20, Chiesa-Hu-Maller-Mishra-Vesely-Ward20,Boneh-Drake-Fisch-Gabizon21, Baum-Malozemoff-Rosen-Scholl21, Dittmer-Ishai-Ostrovsky21, Jawale-K-Khurana-Zhang21, K-Vaikuntanathan-Zhang21, Weng-Yang-Katz-Wang21, Zhang-Liu-Wang-Zhang-Song-Xie-Zhang21, Chiesa-Yogev21
From Theory to Practice
From Theory to Deployment
Securing Information for Encrypted
Verification and Evaluation (SIEVE)
Until Very Recently…
All SNARGs were only
heuristically secure
Goal: Provable security!
You cannot fake certificates under a standard hardness assumption (Factoring, LWE,…)
Today: Provably Secure SNARGs
Doubly-efficient
Interactive Proof�[GKR08]
Multi-Prover
Interactive Proof
[KRR14, BHK17,…]
SNARG
(for any det. computation)
[KRR13]
SNARG
(for bounded depth comp.)
[KRR16, …, JKKZ21, KLV23]
Part 1:
Part 2:
Sound against
non-signaling strategies
Reflections on the Journey
Quantum complexity
[KRR14, HK20]
Hardness of approximating the value of Linear Program
[KRR16]
Hardness of finding a Nash Equilibrium
[JKKZ21, KLV22]
Connections to other areas of Theory of Computation:
Applications in cryptography:
Fiat-Shamir Paradigm
[GK03, KRR16, JKKZ21, KLV22]
Aggregate signatures
[DGKV22]
Zero-testable encryption
[KPY19]
Non-signaling
[KRR13]
Quantum supremacy
[KLVY23]
From Succinct Doubly-Efficient IP to SNARGs
Statistical soundness
Fiat-Shamir heuristic
[FS86]
SNARG
Interactive proofs (for bounded space computations)
[GMR85, B85, LFKN90, Sha90]
Public
coin
Statistical soundness
Fiat-Shamir heuristic
[FS86]
SNARG
Doubly efficient interactive proofs
[GKR08]
Public
coin
From Succinct Doubly-Efficient IP to SNARGs
Bounded Depth Computations
Fiat-Shamir heuristic
[FS86]
.
.
.
1
Reduction:
ECC
ECC
ECC
SNARG
SNARG for Bounded Depth Computations�[GKR08, JKKZ21, KLV23]
Fiat-Shamir heuristic
[FS86]
.
.
.
1
Reduction:
SNARG
ECC
ECC
ECC
SNARG for Bounded Depth Computations�[GKR08, JKKZ21, KLV23]
Fiat-Shamir heuristic
[FS86]
.
.
.
1
Reduction:
Verifier can check
SNARG
Reduction:
Sum-check
Protocol
[LFKN90]
Secure?
Secure under sub-exp. LWE or DDH�[JKKZ21, KLV23]
SNARG for Bounded Depth Computations�[GKR08, JKKZ21, KLV23]
The (In)Security of the Fiat-Shamir Heuristic�[FS86]
In practice:
In theory:
Proposed as a heuristic for converting identification schemes into signature schemes.
One of the most widely used signature scheme (ECDSA)
is based on this heuristic
The (In)Security of the Fiat-Shamir Heuristic�[FS86]
In practice:
In theory:
[GK03] (based on [Barak01])
First SNARG construction: Kilian92, Micali94
[FS86]
SNARG
[BBHMR19]
Computational soundness
Proposed as a heuristic for converting identification schemes into signature schemes.
The (In)Security of the Fiat-Shamir Heuristic�[FS86]
Is this heuristic secure when applied to statistically sound proofs??
The (In)Security of the Fiat-Shamir Heuristic�[FS86]
Theorem [JKKZ21, KLV23]: The FS-Heuristic is secure when applied to the GKR protocol under sub-exponential LWE or DDH.
Theorem [KRR16]: The FS-Heuristic is secure when applied to any statistically sound proofs under a strong hardness assumptions.
Building upon [CCHLRRW19, PS19]
Bonus 1: Deeper understanding of the security of the Fiat-Shamir heuristic
Bonus 2: Application to complexity theory:
Finding a Nash Equilibrium is sub-exponentially hard under sub-exponential LWE/DDH.
Takeaways from Part 1
unique and updatable SNARGs can be embedded in PPAD problem
[CHKPRR19]
Nash is PPAD complete [Papadimitriou94, DGP09]
Beyond Bounded Depth
[K-Raz-Rothblum13, KRR14, KP16, BHK17, BKKSW18, KPY19, KVZ21, CJJ21, DGKV22, WW22, HJKS22, KLVW23]
SNARGs for any deterministic computation,
any RAM, or space-bounded non-deterministic computation,
provably secure under LWE or DLIN or DDH & QR
From MIPs to SNARGs
Multi-Prover Interactive Proof
[BGKW88]
[Biel-Meyer-Wetzel99]
BMW
heuristic
Fully Homomorphic Encryption (LWE)
1. It is not a SNARG
It is a 2-message privately verifiable protocol!
2. It is not secure! [DLNN01, DHRW16]
From MIPs to SNARGs
Multi-Prover Interactive Proof
[BGKW88]
[Biel-Meyer-Wetzel99]
BMW
heuristic
Fully Homomorphic Encryption (LWE)
Local strategies
Non-signaling strategies
From MIPs to SNARGs
Multi-Prover Interactive Proof
[BGKW88]
Fully Homomorphic Encryption (LWE)
[Biel-Meyer-Wetzel99]
BMW
heuristic
1. If the MIP has non-signaling soundness then the 2-msg protocol is secure [KRR13]
From MIPs to SNARGs
SNARG!
[KPY19]:
zero-testable encryption
(from bilinear maps)
From MIPs to SNARGs
SNARG!
CRS
[CJJ21, KVZ21]:
Assuming a BARG
(SNARG for BatchNP)
SNARG
BARG
For all comp. with non-signaling MIP
Boosting BARGs
[KLVW23]
[DGKV22]
BARG composition
Applications: Aggregate signature scheme and incremental verifiable computation (IVC)
Takeaways from Part 2
used for quantum supremacy
[KLVY23]
Interactive Proof
[GKR]
SNARG
[JKKZ21, KLV23]
Fiat-Shamir heuristic
[FS86]
BMW heuristic
[BMW99]
SNARG for bounded depth
SNARG for arbitrary comp.
SNARG
[KPY19, KVZ21, CJJ21, WW22, HJKS22, KLVW23]
NS-soundness
[KRR13+14,…]
BARG
Success for theory of cryptography!
Grand Challenge
SNARGs for NP