Hello, my name is Anca Nitulescu and welcome to my talk on Boosting Verifiable Computation on Encrypted Data. This is joint work with Dario Fiore and David Pointcheval. I would like to start with a short motivation, and this is the story of the bare necessities of a cloud user. Our cloud user Baloo lives in times of a pandemic and he needs to use these biometric surveillance systems in order to keep track of his medical situation. He needs to send his symptoms, his private data, to some server which is run by Mowgli, and Mowgli computes some algorithms in order to decide if Baloo is infected by the virus and sends back the diagnosis. So Baloo is able to learn if he is sick, and he enjoys all the benefits of this solution without thinking of the risks that he can run into. So of course Mowgli can get corrupted and things can go wrong. The data is completely exposed to the server and it can get stolen, and also the results of the diagnosis, of the computation, are not guaranteed to be correct here.

So a solution to this would be, in order to protect the data privacy, to use encryption, and we have encryption schemes that further allow the cloud, the server, to perform computation on the ciphertext and obtain encrypted results, and a long line of work was dedicated to constructing more efficient such schemes, and here are some results in the area of fully homomorphic encryption. For the second problem of Baloo, the integrity of the results of the computation, he can use verifiable computation. Those schemes allow the server to compute next a proof that the evaluation was done correctly, so Baloo can check that. We have schemes that are even adapted to lazy clients like Baloo, and those are zero-knowledge SNARKs that allow verifiable computation with very short proofs, non-interactively and with a minimal overhead for the verification process.
Also, the zero-knowledge property protects the server against a curious client that wants to learn parts of the algorithms of the server. So a lot of effort was done in this area to construct better and more efficient SNARK schemes, and I give here an example of those results. So a perfect solution for Baloo will be a combination of the two I mentioned before, one that ensures the data privacy and the computation integrity at the same time. Unfortunately, a straightforward combination of the two, encryption and verifiable computation, will just result in a very inefficient scheme that solves the private delegation of computation.

So this kind of approach was already explored by previous work by Fiore et al. that tries to construct efficient verifiable computation on encrypted data and starts with combining fully homomorphic encryption with verifiable computation, but it achieves efficiency only for quadratic functions when using homomorphic message authentication codes, which is a symmetric primitive. So this results in a scheme that is designated-verifier, where the verifier needs a secret key to check the proof. Also, in this scenario, the verifier and the client should share the same secret key for fully homomorphic decryption. So we would like to improve this result and overcome some of the drawbacks. And in my talk, I'll try to state the goals of our construction, give an overview of our strategy and then more intuition and more details about the building blocks and the technical challenges.

So we'll start with defining publicly verifiable computation with privacy for the input. In our scheme, we would like to separate the client and the verifier, in the sense that the client has the input of the computation, encrypted, delegated to the server, who is able to compute and prove that the evaluation on those ciphertexts was correct.
And give the result and the proof to some verifier that has the secret key and can learn the output of the computation in clear and check that the computation was done correctly, but should not learn the inputs of the computation. So we will have privacy of the personal data of Baloo with respect to this verifier. So, to make it clear what we achieve and what we improve on the previous work: we obtain a publicly verifiable scheme where the client and the verifier don't have to share any secret key. Also, we are able to prove computation of higher degree than just quadratic polynomials, and those are any arithmetic circuits of some bounded multiplicative degree.

And how are we doing that? The idea is just to exploit the specific structure of a fully homomorphic encryption ciphertext. And like that, we can compactly commit to those ciphertexts and prove very efficiently the evaluation of some circuit on the ciphertexts. And this will lead to some zero-knowledge SNARKs for verifiable and private delegation of computation.

So let's start to look at how computation on a ciphertext looks like. In many schemes, the ciphertexts are based on ring LWE problems, so they live in a polynomial ring R_q. So we'll consider a ciphertext as just polynomials. And we need to compute on polynomials, and here is a circuit where the red gates are multiplications of polynomials and the yellow gates are additions of polynomials. But what we know how to do with the current state of the art in proving systems is just considering computation on a plaintext. So applying a circuit on a clear text means just an arithmetic circuit over scalars that are in Z_q, the integers modulo some prime q. Whereas we are about to prove something about the computation on this left circuit, which computes over polynomials. So the first attempt will be to rewrite this circuit over polynomials as a circuit over its coefficients, which are scalars in Z_q, and to do a computation about this.
But if we look closer at the addition gate over polynomials of degree d, this will result in d plus 1 additions over its coefficients, so over scalars. Moreover, the multiplication gate will have even more overhead compared to scalar multiplication. So we will need d squared scalar multiplications in order to compute all the resulting coefficients of a product of two polynomials. And here we really ignore that we have also some addition gates that we need to compute and some reduction modulo the polynomial of degree d that defines our ring of polynomials R_q. So if we look at how to rewrite each gate, we will see that each multiplication will result in around d scalar additions, each addition will result in d additions, and each multiplication over polynomials will result in d squared scalar multiplications. And if we are optimistic, we can apply optimized algorithms and have even a better estimation of this. But the overall conclusion is that rewriting such a circuit for n inputs and m gates into a computation over Z_q has a lot of overhead, and it depends on the degree d of the polynomials, and we would like to get rid of this dependence.

So we aim for a solution that will compactly commit to the input ciphertexts. In this way, we will hide the ciphertexts from the verifier who has the decryption key, so the inputs will stay private. And we would like to reduce the overhead of computing over polynomials, like this circuit over R_q, into computation proving over something close to computation over a clear text. And in order to do so, we find a way to compress circuits over polynomials by using a nice homomorphic property of evaluations of polynomials. So we will map this circuit from the left to a circuit over scalars by simply evaluating all the input polynomials on the left in a random point k and obtaining some scalars which are the evaluation results.
And those will be the inputs of an equivalent circuit that will just have gates, the same number of gates m as the circuit on the right, but over the scalars. So the prover will have now just to prove the evaluation of a circuit over the scalars, which is something that we know how to do. The only problem is that we also have to guarantee that this circuit has some link with the initial circuit over the polynomials, and to show some connection. And this connection is exactly the transformation we did, which means we evaluate in some random point k the first circuit, and we obtain the inputs for the second circuit. So the prover will have also to convince the verifier that the inputs to the scalar circuit here on the right are actually the evaluations in the point k, in the same point k, of all the polynomial inputs on the left side. And the overhead of this is d, where d is the degree of the polynomial, times the number of inputs n.

So great. Once we have this, the idea of our proof is to use the commit-and-prove methodology and to link the two worlds, the evaluation over the circuit and the evaluation over the scalars. So we will commit to all the input polynomials in the left circuit, and this will result in a commitment on the left here. And we will also commit to the scalar inputs here on the right circuit. And we'll show that there is a connection between the set of the two commitments, and this connection is exactly the evaluation in the random point k. So this will be a proof sigma. And what is left to do is to show that evaluating the circuit over the scalars that are the evaluation results will be done correctly. And this is just a proof pi of a correct evaluation of arithmetic circuits over Z_q.

So a blueprint of our construction looks as follows. We compactly commit to polynomials. And then we show that these commitments are linked to some other commitments to some scalars in the evaluation point k.
So this is the proof sigma that shows that there is a connection between the two commitments. And the proof pi will show that the set of the second commitments are correct inputs to some circuit and show the correct evaluation of the circuit. And this will lead us to a verifiable computation with privacy for the input.

So our techniques in more detail and the building blocks are polynomial commitments and commit-and-prove zero-knowledge SNARKs. Polynomial commitments are commitments that are compact and that are binding, in the sense that one committed value cannot open to two different polynomials. And also they are hiding, so this means that a commitment will not give any information about the underlying polynomial. And this is important from the point of view of the verifier who has the decryption key. So a verifier should not know the polynomials which are the ciphertexts, in order to achieve privacy of the input. The problem here is that we need to compute a lot of polynomial commitments, one for each input of this circuit here. And instead of doing so, we will compact this to a single commitment to a bivariate polynomial which aggregates together, using this second variable y, some univariate polynomials, the ones that we need to commit to. So this is shown here, how Z(x, y) is able to aggregate together many, many polynomials in x.

We will use this in our commit-and-prove methodology. So we have the circuit on the left side where we have commitments to polynomials that we will aggregate together into a commitment to a bivariate polynomial. And we'll do the same for commitments to some scalars, which can always be seen as zero-degree polynomials. And this will result in a commitment to some v(y) polynomial that is defined as an aggregation of all the scalars.
So what's the connection between those two commitments that we have to prove? If we look closely at how v(y) is defined, we know that all of these scalars are evaluations of the corresponding polynomials on the left in a point k. So v(y) is simply Z evaluated partially in the first variable x on a point k. So we have Z(k, y) = v(y). And this is what we need to prove in the proof sigma. Once we have this, we will use the same commitments to the inputs of the right circuit in order to prove, commit-and-prove, that this circuit is correctly evaluated with respect to these inputs. So we have to combine these two proofs, the sigma and pi, where they share together a set of commitments on some scalars, the inputs of this arithmetic circuit. And this is possible thanks to the work of Matteo, Dario and Anaïs that allows to compile any SNARK into a modular commit-and-prove SNARK, for short LegoSNARK, that allows us to recombine and reuse the same commitment for different proofs.

So let's get into more details about the proof sigma that shows partial evaluation of some bivariate polynomial in a random point k. What we use here are sigma protocols and the Fiat-Shamir heuristic in order to make it non-interactive. So we start with an interactive proof that commits to a polynomial and proves the evaluation in a point. And with a random oracle, we get a non-interactive protocol. Our commitments are based on a strong Diffie-Hellman assumption and the power knowledge of exponent assumption. And we obtain zero knowledge because we never open the commitments. Compared to other polynomial commitment schemes that are previously defined in the literature, we will never open the evaluation of a polynomial. We will show that a set of committed polynomials is the evaluation of a set of committed bivariate polynomials. This is the proof sigma.
So for the second proof pi, we will just use the transformation by Matteo, Dario and Anaïs from any efficient SNARK that computes on arithmetic circuits to a LegoSNARK, which will allow us to reuse the same commitment to v that we had in the proof sigma. So our choice will be for a variant of Groth16, which is the most efficient protocol to date for quadratic arithmetic programs. And we will use the LegoGroth16 defined by Matteo and Anaïs.

And to just recap our contribution and the main challenges: we obtained this verifiable and private delegation of computation by mainly constructing a new SNARK, which is commit-and-prove and zero-knowledge, for simultaneous evaluation of many committed polynomials, which is done by proving partial evaluation in one point of a bivariate polynomial. And the privacy challenge, like the zero knowledge of our SNARK, is obtained by re-randomizing ciphertexts, which was not possible in previous work, and committed results that are never opened. Also, I would like to state that our commit-and-prove SNARK for partial evaluation of polynomials has better efficiency than just using one state-of-the-art SNARK that will compute a proof for evaluation of polynomials. And more details can be found in the paper. With this, I will thank you for watching my talk, and for any question I will invite you to write me or just watch the online short version of this talk. Thank you so much.
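The two ideas the talk builds on, evaluating every ciphertext polynomial at one random point k to replace the circuit over R_q by a circuit over Z_q with the same number of gates, and aggregating the polynomials into one bivariate Z(x, y) whose partial evaluation Z(k, y) equals the aggregation v(y) of the scalar inputs, are shown below in a worked example. This is added code, not code from the talk or from the paper's authors: the modulus q, the ring degree D with f(x) = x^D + 1, the sample ciphertext polynomials and the circuit shape (c1*c2 + c3)*c4 are all constructed here, and the "quotient as witness" handling of the reduction modulo f is one plain way to keep evaluation at k a homomorphism, not necessarily the paper's exact encoding. No commitments or proofs are involved; the example only checks the algebraic identities a prover and verifier rely on.

```python
"""Added example (not the talk's or the paper's code): random-point compression of a
circuit over R_q = Z_q[x]/(x^D + 1) into a circuit over Z_q, and the aggregation
identity Z(k, y) = v(y).  q, D, the ciphertexts and the circuit are constructed."""
import random

Q = 2**31 - 1                    # prime modulus of Z_q (constructed parameter)
D = 8                            # ring degree, so ciphertexts have D coefficients
F = [1] + [0] * (D - 1) + [1]    # f(x) = 1 + x^D, lowest-degree coefficient first

def poly_add(a, b):
    """Coefficient-wise addition in Z_q[x]: one gate costs about d scalar additions."""
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    """Schoolbook product in Z_q[x]: len(a)*len(b) scalar multiplications, the
    d-squared overhead the talk wants to keep out of the proof system."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % Q
    return out

def poly_divmod(a, m):
    """Long division by a monic m over Z_q, returning (quotient, remainder) with
    a == quotient*m + remainder as polynomials; that exact identity is what lets
    the quotient serve as a witness for 'reduction modulo f' at a single point."""
    a = a[:]
    quot = [0] * max(1, len(a) - len(m) + 1)
    for i in range(len(a) - len(m), -1, -1):
        c = a[i + len(m) - 1]
        if c:
            quot[i] = c
            for j, mj in enumerate(m):
                a[i + j] = (a[i + j] - c * mj) % Q
    return quot, a[:len(m) - 1]

def poly_eval(a, k):
    """a(k) in Z_q by Horner's rule.  Evaluation at k is a ring homomorphism
    Z_q[x] -> Z_q, the 'nice homomorphic property' the construction relies on."""
    acc = 0
    for c in reversed(a):
        acc = (acc * k + c) % Q
    return acc

def ring_circuit(c1, c2, c3, c4):
    """(c1*c2 + c3)*c4 evaluated in R_q, i.e. over polynomials.  Also returns the
    quotient polynomial of each reduction mod f, which the prover keeps as witnesses."""
    r1, t = poly_divmod(poly_mul(c1, c2), F)
    t = poly_add(t, c3)
    r2, out = poly_divmod(poly_mul(t, c4), F)
    return out, (r1, r2)

def scalar_circuit(k, x1, x2, x3, x4, w1, w2):
    """The same circuit over Z_q with the same gates: every 'mod f' becomes
    'subtract f(k) times the quotient evaluated at k'."""
    fk = poly_eval(F, k)
    t = (x1 * x2 - fk * w1 + x3) % Q
    return (t * x4 - fk * w2) % Q

def eval_bivariate(polys, k, y):
    """Z(k, y) for Z(x, y) = sum_i y^i * polys[i](x), summed term by term over the
    coefficient matrix so that it is independent of the partial-evaluation path."""
    total = 0
    for i, row in enumerate(polys):
        for j, cij in enumerate(row):
            total = (total + cij * pow(k, j, Q) * pow(y, i, Q)) % Q
    return total

def demo(seed=1):
    """Honest check, the aggregation identity Z(k, y) = v(y), and a cheating prover."""
    rng = random.Random(seed)
    c = [[rng.randrange(Q) for _ in range(D)] for _ in range(4)]   # constructed ciphertexts
    out, (r1, r2) = ring_circuit(*c)
    k = rng.randrange(Q)                       # the random evaluation point
    xs = [poly_eval(p, k) for p in c]          # n scalar inputs, cost n*d to derive
    ws = [poly_eval(r1, k), poly_eval(r2, k)]  # quotient witnesses at k
    hom_ok = scalar_circuit(k, *xs, *ws) == poly_eval(out, k)
    # v(y) = sum_i y^i * c_i(k) aggregates the scalar inputs; it must equal the
    # partial evaluation Z(k, y) of the aggregated input polynomials.
    y = rng.randrange(Q)
    agg_ok = poly_eval(xs, y) == eval_bivariate(c, k, y)
    # A prover claiming a different output polynomial is caught at the random
    # point k except with probability at most (D-1)/q (Schwartz-Zippel).
    bad_out = [rng.randrange(Q) for _ in range(D)]
    cheat_detected = scalar_circuit(k, *xs, *ws) != poly_eval(bad_out, k)
    return {"hom_ok": hom_ok, "agg_ok": agg_ok, "cheat_detected": cheat_detected}

if __name__ == "__main__":
    print(demo())   # {'hom_ok': True, 'agg_ok': True, 'cheat_detected': True}
```

The point to notice is the cost split the talk describes: `ring_circuit` pays roughly d squared scalar multiplications per polynomial gate, whereas `scalar_circuit` has exactly one scalar operation per gate plus one correction term per reduction, and the only d-dependent work left is deriving the n inputs in `demo` (n times d). In the real scheme k is not known to the prover before the inputs are committed, which is why the Fiat-Shamir step in the talk matters; here k is simply drawn after the ciphertexts are fixed.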