 Okay, hi everyone Today, I'm gonna talk about our recent work Geonology proof with sublinear omitized cost It is co-worked by me and my class like from Oregon State University and the payment from Yahoo Labs So what is the genealogy proof? Informally a genealogy proof is a proof system that for one party says Prover that can convince the another party say the wire file that given statement is true and besides that The welfare the welfare should learn nothing from the proof So for example, the prover can convince the welfare that there exists a Hamiltonian path in a large graph, but without showing this path to the to the waterfowl or cleaning other useful information Okay so we noticed that there already already exist some efficient solutions for the For the special for some special case of the natural proof But in all work will focus on the general purpose genealogy to prove Okay, so in the first part I'll show some possible solutions The first one is by using the circuits So since the general purpose Geology proof is just a special case of malicious to PC so we can just interpret the proof statement as a boring circuit and then use the government circuits to implement the genealogy proof and Use the cut and choose technique to achieve malicious security, but it has some limitations first the conversion to a circuit may lead to a huge blow up both in the circuit side and the running time and Second it is inefficient in some cases for example the binary search or the membership statement proofs so in membership statement and proofs we want to show that a Valuable acts if a viable acts is a member of the larger data set s Another possible solution is to use the random access machine You know run pro in a standard run run program there is a CPU with some small internal states and Also, there is a memory which has a large size of data and the CPU can execute the some Instructions that could to read the data from the address one We call this Instructions as the access pattern then the CPU will go Go to the next internal state and ready for executing the next instruction okay There are two other possible instructions first one is to write the data into the memory and Another one is to hot which means which indicates that the RAM program will be terminated So as you can see that in the standard run program We only need to touch the data that will be used in access pattern So in this example, we can see that we only need to touch the data in a just one and two and three Okay There's a variance of the standard RAM program, which is a previous run It was the first introduced by Godrich and the ostrich ski in 1996 as you can see that's in this in this stand in the standard run program if we Encrypt the data and But the access pattern can still leak important information So for example if the CPU trying to access the same memory over and over again and then the adversary will notice that and This is where leaks. This will leak important information to the adversary So in but in the obvious run this memory access pattern looks random and the leaks nothing about the input or the output or the state So in the real world many applications are more efficiently captured by using run program I just mentioned the binary research or and the membership statement proof So you can see that if we use the circuit solution we need to touch every bit of all data and this makes the circuit size linear to the size of the data and This also makes the running time linear linear to the size of the data But in the run program, we only need to touch the data that will be used in the run program Which means this can make our run program sub linear to the size of the data So we can see that the complexity of the circuit can maybe Expand actually worse than the run program So we need some solutions that the cost depends on the run larger than the size of the data All is all inspiration is from the lamb two-party two-party computation from the paper Golden and others 2012 the idea is to repeatedly evaluated the next memory access circuits and It is a semi honest to PC protocol of run program and the cost is proportional to the run to the run program So to achieve the malicious security, we could adopt the Or not the paper a image are 2015 along with a rash, okay The idea is to extend the gkk protocol using cut and choose and it is malicious to PC protocol Or for run program and the cost is also proportional to the run program But it still has the limitations It requires the first one is that it requires many lines of communications Which proportional to the running time of a run program and also it needs to generate many circuits to perform the cut and choose And in the next part I'll show existing solutions Efficient existing solutions based on the Goblet circuit, which is from the paper GKO 2013 the goal of this protocol is trying to prove that there exist Witness that satisfy some relationship are and first the welfare generates that Generates the Goblet circuit that computes this relationship and then both parties perform a committee OT So the proofer receives his while labels of The witness then the welfare sends this circuit to the prover Now the prover can evaluate the circuit to obtain a single output while label Y and Which represents zero or one and this indicates that if the statement is true or not And then the prover commits to such a label Now the player the verify opens Open circuit so the prover can check that if the circuit was constructed correctly And if so the prover will open the valuable Y Now the verify I can check if Y represents One if so that means the statement is true and the welfare will output accept It's a very simple and efficient and it is a malicious secure But so without using cut and choose and the only one circuit is needed So intuitive for improvement is to combine this the GKO protocol with the Goblet lamb from the paper Lou and Ostrovsky 2013 so we don't have to generate a meaning of circuits for cut and choose So you can see this picture as a overview of the GKO protocol Instead of using the Goblet circuit we can replace it with a Goblet lamb But this Improvement also has limitations since the Goblet lamb requires many copies of a Goblet next memory access circuit And lots of other things inside those circuits And we notice that in the recent work there are some improvements for this extra overhead inside of these circuits But it is still cost some overhead So in this table you can see that the Goblet lamb and the GKO It has a constant runs, but it requires extra overhead inside circuit and the MHR Has no extra overhead, but it but the number of runs is proportional to the lamb program So in our work we want to achieve for both of the properties All protocol is trying to find a more efficient lamb and only one circuit is needed and it has no extra overhead inside the Goblet circuit and it has a constant runs of interaction and Also the running time depends on the lamb program which can be sublinear in the size of the data So more to be more precisely All protocol has the omitized cost by reusing lamb by reusing lamb initialization That means we have a one-time initialization at the very first beginning So the proven needs to commit to the memory M and this cost depends on the size of the M And for each proof then we can have the cost depends on the running time of R instead of the size of M So in the in this part I will show you how we achieve this properties For the first improvements, we can observe that the proven notes all the inputs Including the public lamb program R and also the memory contents M So we can see that the proven can execute at this OLM locally and learn the memory access pattern I in advance then then due to the OLM security this Access pattern I makes no information to the Wi-Fi and Then based on this access pattern the Wi-Fi can construct one single circuit that can perform all computations And then there's a since there's no input from the Wi-Fi Then which means there's no private privacy for the Wi-Fi Then we can use some more efficient a goblin scheme such as paper FMO 2015 the privacy free Goblin circuit So in this picture you can see that This is how it looks like when we convert the lamb program to circuit So since we cannot predict the access pattern in the original in the original jco protocol Then we need to touch every time for each year smaller circuits. We need to touch every data in the memory But if we know this access pattern I in advance then we know which data will be used in the lamb program then the Wi-Fi can just generate a Large a large big circuit that contains the smaller circuit which each so each smaller circuit just to compute the one lamb step and When we know when the verify knows this I And the verify then knows which data will be used in this circuit Okay, so we don't have to touch every data in the memory only the data in I so as this is a jco protocol and To see the improvements before before the verify generate a circuit the Proval will compute the Proval will compute this access pattern I and then send this I to the Wi-Fi Based on this access pattern the Wi-Fi can generate the one big circuit that can that perform the that perform all computations To see the to see the improvement number two We'll adopt the idea from all another paper a HMR 2015 while using the wire labels the main idea of these people is that the Proval stores the OLM memory and the state as well labels So these while labels can be reused the direct directly as input to the next circuit So this avoids the the obvious transfer for the Goblin circuit input So for example Suppose we have for two proofs R1 and R2 and in this smaller circuits small circuit 1 it less some data to the memory block Like a 30 and in the next proof R2 the circuit number 4 wants to read the data from that from that memory block since the Proval already has these wire labels and then The Proval can just use these wire labels directly as the input to the R2 and This can help us to avoid the obvious transfer But there's a big problem as you can see that in the original jco particle and in the Improvement to one we need to open the Goblin circuit and that means when we open the Goblin circuit We need both wire labels will be revealed to the Prover and then the authenticity property is lost here by authenticity, I mean before the Before the proof that the Prover only knows one of the two wire labels and and after the proof We still have the same property and the Prover still only knows one of the two wire labels Okay, so that's what I mean by authenticity So as you can see in these two proofs the Prover can just can successfully cheat by just flipping the bit so We cannot directly use the wire labels. We need some we need somehow to transfer the authenticity The idea is the idea is to use the private function evaluation of strongly universal hash functions So what is the private function evaluation suppose? We have a PFE functionality. It takes the takes the hash function from the Wi-Fi and Also takes the input of why from the Prover and they thought put the H of y to the Prover It has some Beautiful properties the first one is a suppose there are two possible inputs y 0 and y 1 to this PFE and The Prover only knows why zero then when we choose this hash function from the hot from the Function hash family and randomly then from the property of the PFE the Prover knows nothing about this edge and based on that From the strong University of H if the Prover knows H of y 0 and then the both of y 0 and y 1 Then the Prover can still not against this edge of y 1 So how it works in our protocol? Supposing the first proof our one has two possible other port while labels y 0 and y 1 and suppose The Prover holds y 0 Then the people pf and then the Wi-Fi will choose this hash function H and send it to the PFE and Also takes this PFE takes the input of y 0 and send this H of y 0 to the to the Wi-Fi and Then to the Prover then the Prover can use this H of y 0 directly as input to the next proof As long as the Wi-Fi will go about the circuit with the H of y 0 and the H of y 1 And we have we need something more about this PFE since we need to open the We need to open this double circuit and the both y levels and also this edge That means we this PFE must be committing with respect to the input of H So I'll give you an example of this committing PFE So we have the function a x plus b is generally universal It takes a and b from the Wi-Fi and x from the Prover Then gives the output a x plus b to the Prover here x and a and b are in the finite field F And this can be efficiently instantiated via the oblivious transfer or the oblivious linear function evaluation So as you can see the difference between the improvement one and two so before we Open the double circuit we use the PFE to transfer the authenticity From the from the previous variable to the new variables so in some way All Portugal has a sublinear omitized coast and the initialization depends on the size of m and It has a constant number of interaction and it avoids the cryptographic operation inside circuit and One thing I didn't mention here is that Since since the Wi-Fi needs to open the y labels to the Prover That means that the Wi-Fi needs to store all y labels in its memory That means that we need the the storage of the the Wi-Fi needs the storage Proportional to the size of data and but you know in our work. We have fixed this problem We also make the storage of the Wi-Fi has a constant storage Okay for the future work as you can see that in this the logic proof If we know some if we can compute this access pattern in advance then we can greatly improve the Efficiency of the protocol so we just we wanted that if we have some useful information Like this access pattern I and that can be computed in advance in the general case not just in the general proof And then this can help if we have this advice that can help improve the efficiency Okay, and that's it. Thanks for the IACR and the sponsor to support the students presenter and cover the accommodation and Travelling that's it. Thanks for listening