- Number of slides: 19

Efficient Consistency Proofs for Generalized Queries on a Committed Database
R. Ostrovsky (UCLA), C. Rackoff (Toronto U.), A. Smith (MIT)
July 12, 2004
http://www.cs.ucla.edu/~rafail

Main goal
- Potentially cheating party publishes a short certificate to a “database” which “commits” it to the entire database
- Answers to any complex query can be shown (with a very short proof) to be consistent with the certificate
- No poly-time adversary can cheat and come up with a certificate and two different answers to the same query
- Main challenge: achieve short certificate and short proofs for general queries
Rafail Ostrovsky, UCLA, rafail@cs.ucla.edu

History
- Commitment to Sets of Values
  – [Buldas, Laud, Lipmaa]
  – [Kilian]
  – [Micali and Rabin]
- Protocols with Trusted Committer
  – Authenticated Data-Structures
  – [Naor, Nissim]
  – [Goodrich, Tamassia, Triandopoulos, Cohen]
  – many others
- Zero-Knowledge Sets
  – [Micali, Rabin, Kilian]

Our Contributions (1)
- Definition of Consistent Query Protocols (CQP): a short certificate that “binds” general data structures, together with a short proof of consistency
- CQP for orthogonal range queries

Our contributions (cont)
- For orthogonal range queries:
  – Each entry: (key_1, …, key_d, value)
  – Query: d ranges, each range [x_1, x_2]
- d dimensions
- k is a security parameter
- Proof size: O(k(m+1) log^d N)
- We show how to modify Bentley’s data structure (authenticated data structures are not sufficient)

Our contributions (cont)
- General transformation: we show how to modify any consistent query protocol to have the same property as ZK-sets, that is, not to reveal the DB size, using O(poly(k)) overhead, based on general assumptions.
- We show a construction based on explicit-hash Merkle trees with better constants.

The rest of the talk…
- Machinery needed.
- Some of the ideas in our constructions.

Motivation – Commitment Protocols
- Two player game: Committer and Receiver.
- Commitment stage: “storing” some hidden value.
- De-commit stage: “opening” this value.
- Two properties: binding property and privacy property.

An example of a commitment protocol
- Alice has a hidden bit b.
- Alice picks a 1-way permutation f: {0,1}^n → {0,1}^n and random n-bit x, r, and sends to Bob:
  – f(x), [(x*r) mod 2] xor b
- If f is a verifiable 1-way permutation, this is both binding and secure.
- To open, Alice sends x to Bob.

Multiple commitments
- What if Alice wants to commit to b_1, …, b_n?
- One way to do it is to repeat the protocol above, and commit each bit separately.
- How can we do it more efficiently?

A faster way to do it – Merkle trees
- Assume h: {0,1}^{2k} → {0,1}^k is a collision-resistant hash function, i.e. no poly-time adversary can find a collision.
- Group the N bits that we wish to commit into groups of size 2k each and apply h. Now we have N/2 bits.
- Repeat until we get down to k bits.
- Commit (using the basic scheme) to the last k bits.
- Merkle: this is secure, since otherwise one can find a collision.

Commitment of a set
- Committing to a set of integers.
- The naïve approach: commit each integer separately using basic scheme
  – Easy on “yes” answers
  – Hard on “no” answers

Do Merkle trees work?
- Not as is.
  – Yes answers are fast
  – No answers are slow: have to go over all the leaves
- [BLL][K][MR] gave a faster solution (for no answers) for a set, based on Merkle trees. (If the set has a total order, the solution also works for intervals.)

The basic idea of [BLL][K][MR]: Merkle interval tree
- Sort the keys
- Each internal node contains:
  – Left subtree interval
  – Right subtree interval
  – MD5 of its children values
- To show that the item is present, show the path to the root, with all siblings along the path.
- To show that the item is NOT in the DB, show the path until the intervals EXCLUDE the item.
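
The Merkle interval tree from this slide, as an added example (not code from the talk): a committer builds the tree and a receiver checks proofs of presence and of absence against the root digest alone. SHA-256 stands in for the slide's MD5; the names H, build, prove, verify and the sample database are assumptions made for illustration, and at least two keys are assumed.

```python
import hashlib

def H(*parts):
    """SHA-256 over length-prefixed parts (stands in for the slide's hash)."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()

def node_hash(l, r):
    return H("node", *l, *r)   # binds both child intervals and digests

def build(items):
    """items: sorted (key, value) pairs -> node (lo, hi, digest, left, right)."""
    if len(items) == 1:
        k, v = items[0]
        return (k, k, H("leaf", k, v), None, None)
    mid = len(items) // 2
    l, r = build(items[:mid]), build(items[mid:])
    return (l[0], r[1], node_hash(l[:3], r[:3]), l, r)

def prove(node, key):
    """Committer: reveal nodes root-down until a leaf, or until both intervals exclude key."""
    steps = []
    while node[3] is not None:
        l, r = node[3], node[4]
        steps.append((l[:3], r[:3]))
        node = l if l[0] <= key <= l[1] else r if r[0] <= key <= r[1] else None
        if node is None:
            break
    return steps

def verify(root_digest, key, value, steps):
    """Receiver: value=None claims 'absent'. True only if the proof matches."""
    expected, lo, hi = root_digest, None, None
    for i, (l, r) in enumerate(steps):
        if node_hash(l, r) != expected or not l[1] < r[0]:
            return False                  # wrong hash or overlapping intervals
        hit = [c for c in (l, r) if c[0] <= key <= c[1]]
        if not hit:                       # both intervals exclude the key
            return value is None and i == len(steps) - 1
        lo, hi, expected = hit[0]
    return value is not None and lo == hi == key and expected == H("leaf", key, value)

# Constructed sample database (not from the talk).
DB = {10: "a", 20: "b", 30: "c", 40: "d", 50: "e"}
ROOT = build(sorted(DB.items()))
```

The receiver holds only ROOT[2]; the check that the left interval ends before the right one begins is what leaves a single path for any key, so the same key cannot be shown both present and absent without a hash collision.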

Orthogonal range queries
- What if we wish to commit to more general data-objects, such as a relational database?
- Example: DB of “employee name”, “age”, “salary”. We wish to support range queries of the form “find all employees between age 30-40 and between salary x and y”.
- What does a consistent range query mean here?
- In this talk: we’ll limit to 2-d range queries, though our solution generalizes.

2-D range queries: the data-structure
- DB: (xkey, ykey, value)
- Query: find all entries in DB in the rectangle [x_1, x_2] × [y_1, y_2]
- Modification to Bentley’s 2-dim range query:
  – Make a Merkle interval tree for the X-coordinate
  – For each internal node (corresponding to an X-interval), store inside the node the root of a “secondary” Merkle interval tree for the Y-coordinates in that X-range (each y point is stored log N times)

2-D range queries: searching for range
- Search the primary tree and check for consistency
- Search a secondary tree and check for consistency
- For each entry that is retrieved, check that it is valid in ALL secondary trees which are on the path to the root in the primary tree. (Takes O(log^2 N) steps.)
- Easy to generalize to d dimensions
- Proof: if Adv can cheat on any range, it can find collisions.

Extending idea to Zero-Knowledge Sets
- Previous scheme works for 2-dimensional ranges
- [KMR] show how to extend it to ZK-sets (i.e. not to reveal N) using the DDH assumption.
- We show how to extend this idea to Zero-Knowledge Sets under general assumptions using [Barak-Goldreich] universal arguments:
  – Commit to a root
  – Give a commitment of CQP
  – Give a [BG] universal argument of consistency, with a super-poly bound on N.

Conclusions
- Consistent query protocols (CQP) are generalizations of:
  – Zero-knowledge sets
  – Commitment schemes (for large datasets)
  – Authenticated data structures
- CQP can be achieved under general assumptions.
- For special cases (such as low-dimensional range queries) we show implementations that do not require PCP and are efficient (O(log N) away from the best known non-private bound).


