Embodiments described herein relate to fixed-point arithmetic, and to the verification of results.
In many applications, it is necessary to perform computations on fixed-point numbers. For the purposes of this disclosure, a fixed-point value is an integer value that represents a particular natural number, and the fixed-point value has an associated scaling factor.
Thus, for example, the natural number 1.234 can be represented by the fixed-point value 1234 with a scaling factor $10^{-3}$. In many cases of practical interest, arithmetic operations are carried out in digital processors, which operate using binary arithmetic, and therefore the scaling factor that is used may be a power of 2. For example, the natural binary number 10.101 can be represented by the fixed-point value 10101 with a scaling factor $2^{-3}$.
There are situations in which it is necessary to verify that an arithmetic calculation has been performed correctly.
For example, when a client outsources a computation to a third party, it is advantageous for the client to be able to verify that the computation has been performed correctly, and it is preferable for this verification to be performed in a way that does not require the client to perform the entire computation.
Similarly, when one or more parties input sensitive data to a privacy-preserving computation, it is required that the computation should be verifiable, even if the sensitive data is not available to the verifier.
One issue that arises when performing arithmetic operations on fixed-point values is that the result of performing a multiplication or division on two fixed-point values that each have a given scaling factor cannot, in general, be expressed exactly as a third fixed-point value with the same scaling factor. For example, fixed-point values with a scaling factor of $10^{-3}$ may accurately represent natural numbers that have up to three digits after the decimal point. If two such numbers are multiplied together, the result will be a natural number that may have up to six digits after the decimal point. This cannot be represented perfectly by a fixed-point value with a scaling factor of $10^{-3}$, and so the fixed-point value that is provided as the output of the operation must be generated by truncating the result of the multiplication to reduce the number of digits after the decimal point.
A brief summary of various embodiments is presented below.
Various embodiments relate to a method of verifying a calculation, the method comprising:
The step of determining whether the difference between (a) the product of the product fixed-point value and the inverse of the combined scaling factor and (b) the product of the multiplicand fixed-point values is within a range bounded by the negation of the inverse of the combined scaling factor and the inverse of the combined scaling factor may comprise:
The step of determining whether the sum of (c) the inverse of the combined scaling factor and (d) the difference between (a) the product of the product fixed-point value and the inverse of the combined scaling factor and (b) the product of the multiplicand fixed-point values is greater than or equal to zero may comprise:
The step of determining whether the difference between (c) the inverse of the combined scaling factor and (d) the difference between (a) the product of the product fixed-point value and the inverse of the combined scaling factor and (b) the product of the multiplicand fixed-point values is greater than or equal to zero may comprise:
The method may comprise providing to a verifier commitments of said plurality of multiplicand fixed-point values and cryptographic proof that the difference between (a) the product of the product fixed-point value and the inverse of a combined scaling factor and (b) the product of the multiplicand fixed-point values is within the range bounded by the negation of the inverse of the combined scaling factor and the inverse of the combined scaling factor.
The method may comprise obtaining said commitments of said plurality of multiplicand fixed-point values and said cryptographic proof that the difference between (a) the product of the product fixed-point value and the inverse of a combined scaling factor and (b) the product of the multiplicand fixed-point values is within the range bounded by the negation of the inverse of the combined scaling factor and the inverse of the combined scaling factor using multi-party computation.
The method may comprise performing said method using multi-party computation.
The method may comprise using the product fixed-point value in a further function only if it is determined that it is a correctly truncated result of multiplying the multiplicand fixed-point values together.
Various embodiments relate to a non-transitory machine-readable medium encoded with instructions for performing a method of verifying a calculation, the instructions comprising:
Other embodiments relate to a non-transitory machine-readable medium encoded with instructions for performing any of the method embodiments.
Various embodiments relate to a device for verifying a calculation, the device comprising:
The processor may be configured to determine whether the difference between (a) the product of the product fixed-point value and the inverse of the combined scaling factor and (b) the product of the multiplicand fixed-point values is within a range bounded by the negation of the inverse of the combined scaling factor and the inverse of the combined scaling factor by:
The processor may be configured to determine whether the sum of (c) the inverse of the combined scaling factor and (d) the difference between (a) the product of the product fixed-point value and the inverse of the combined scaling factor and (b) the product of the multiplicand fixed-point values is greater than or equal to zero by:
The processor may be configured to determine whether the difference between (c) the inverse of the combined scaling factor and (d) the difference between (a) the product of the product fixed-point value and the inverse of the combined scaling factor and (b) the product of the multiplicand fixed-point values is greater than or equal to zero by:
The processor may be configured to provide to a verifier commitments of said plurality of multiplicand fixed-point values and cryptographic proof that the difference between (a) the product of the product fixed-point value and the inverse of a combined scaling factor and (b) the product of the multiplicand fixed-point values is within the range bounded by the negation of the inverse of the combined scaling factor and the inverse of the combined scaling factor.
The processor may be configured to take part in a multi-party computation for obtaining said commitments of said plurality of multiplicand fixed-point values and said cryptographic proof that the difference between (a) the product of the product fixed-point value and the inverse of a combined scaling factor and (b) the product of the multiplicand fixed-point values is within the range bounded by the negation of the inverse of the combined scaling factor and the inverse of the combined scaling factor.
The processor may be configured to take part in a multi-party computation for receiving the plurality of multiplicand fixed-point values representing respective natural numbers; receiving the product fixed-point value representing a respective natural number; and determining whether the product fixed-point value is a correctly truncated result of multiplying the multiplicand fixed-point values together.
Various embodiments relate to a method of verifying a calculation, wherein a prover has performed a method comprising:
Other embodiments relate to a device comprising a memory and a processor in communication with the memory, with the processor being configured to perform said method; and to a non-transitory machine-readable medium encoded with instructions for performing said method.
Various embodiments relate to a method of verifying a calculation, the method comprising:
The step of determining whether the difference between (e) the product of the first fixed-point value and the inverse of the combined scaling factor and (f) the product of the second fixed-point value and the third fixed-point value is within a range bounded by the negation of the second fixed-point value and the second fixed-point value may comprise:
The step of determining whether the sum of the second fixed-point value and the difference between (e) the product of the first fixed-point value and the inverse of the combined scaling factor and (f) the product of the second fixed-point value and the third fixed-point value is greater than or equal to zero may comprise:
The step of determining whether the sum of the second fixed-point value and the difference between (f) the product of the second fixed-point value and the third fixed-point value and (e) the product of the first fixed-point value and the inverse of the combined scaling factor is greater than or equal to zero may comprise:
The method may comprise providing to a verifier commitments of said plurality of first, second and third fixed-point values and cryptographic proof that the difference between (e) the product of the first fixed-point value and the inverse of a combined scaling factor and (f) the product of the second fixed-point value and the third fixed-point value is within the range bounded by the negation of the second fixed-point value and the second fixed-point value.
The method may comprise obtaining said commitments of said plurality of first, second and third fixed-point values and said cryptographic proof that the difference between (e) the product of the first fixed-point value and the inverse of a combined scaling factor and (f) the product of the second fixed-point value and the third fixed-point value is within the range bounded by the negation of the second fixed-point value and the second fixed-point value, using multi-party computation.
The method may comprise performing said method using multi-party computation.
The method may comprise using the third fixed-point value in a further function only if it is determined that it is a correctly truncated result of dividing the first fixed-point value by the second fixed-point value.
Various embodiments relate to a non-transitory machine-readable medium encoded with instructions for performing a method of verifying a calculation, the instructions comprising:
Other embodiments relate to a non-transitory machine-readable medium encoded with instructions for performing any of the method embodiments.
Various embodiments relate to a device for verifying a calculation, the device comprising:
The processor may be configured to determine whether the difference between (e) the product of the first fixed-point value and the inverse of the combined scaling factor and (f) the product of the second fixed-point value and the third fixed-point value is within a range bounded by the negation of the second fixed-point value and the second fixed-point value by:
The processor may be configured to determine whether the sum of the second fixed-point value and the difference between (e) the product of the first fixed-point value and the inverse of the combined scaling factor and (f) the product of the second fixed-point value and the third fixed-point value is greater than or equal to zero by:
The processor may be configured to determine whether the sum of the second fixed-point value and the difference between (f) the product of the second fixed-point value and the third fixed-point value and (e) the product of the first fixed-point value and the inverse of the combined scaling factor is greater than or equal to zero by:
The processor may be configured to provide to a verifier commitments of said first, second, and third fixed-point values and cryptographic proof that the difference between (e) the product of the first fixed-point value and the inverse of a combined scaling factor and (f) the product of the second fixed-point value and the third fixed-point value is within a range bounded by the negation of the second fixed-point value and the second fixed-point value.
The processor may be configured to take part in a multi-party computation for obtaining said commitments of said first, second, and third multiplicand fixed-point values and said cryptographic proof that the difference between (e) the product of the first fixed-point value and the inverse of a combined scaling factor and (f) the product of the second fixed-point value and the third fixed-point value is within a range bounded by the negation of the second fixed-point value and the second fixed-point value.
The processor may be configured to take part in a multi-party computation for receiving the first, second, and third fixed-point values representing respective natural numbers; and determining whether the third fixed-point value is a correctly truncated result of dividing the first fixed-point value by the second fixed-point value.
Various embodiments relate to a method of verifying a calculation, wherein a prover has performed a method comprising:
Other embodiments relate to a device comprising a memory and a processor in communication with the memory, with the processor being configured to perform said method; and to a non-transitory machine-readable medium encoded with instructions for performing said method.
For a better understanding of the embodiments, reference is made to the accompanying drawings, in which:
As discussed in more detail below, the verification schemes described herein are particularly suited to use in circumstances in which multiple parties are involved in the computation.
For example, a first party may possess certain data, and may outsource the computation of a function of that data to a second party. In another example, the first party may outsource the computation of the function to multiple second parties. In such examples, the first party may need to verify that the computation was performed correctly by the second party or second parties. Additionally, or alternatively, the second party or second parties may need to provide the first party with proof that the function was computed correctly.
In other examples, the input data may be in the possession of multiple first parties, and the computation may be performed by one or more second parties. Again, in such examples, the first parties may need to verify that the computation was performed correctly by the second party or second parties, and the second party or second parties may need to provide the first parties with proof that the function was computed correctly.
In various examples, as discussed in more detail below, the data may be sensitive. For example, the data may be commercially confidential or may be privacy-related. In such cases, the data that is transferred from one party to another may be encrypted in some way. In the examples below, the term data is used to refer equally to the data of interest in a calculation and to encrypted versions of data that are used to protect confidentiality and/or privacy.
The first hardware device 10 includes an interface 12 for connection to other devices. The first hardware device 10 further includes a processor 14 for performing operations on data. The first hardware device 10 further includes a memory 16 for storing data and for storing program instructions for causing the processor 14 to perform method steps as described in more detail below.
The processor 14 may be any hardware device capable of executing instructions stored in the memory 16. As such, the processor may include a microprocessor, field programmable gate array (FPGA), application-specific integrated circuit (ASIC), or other similar devices.
The memory 16 may include various memories such as cache or system memory. As such, the memory 16 may include static random access memory (SRAM), dynamic RAM (DRAM), flash memory, read only memory (ROM), or other similar memory devices.
The second hardware device 20 includes an interface 22 for connection to other devices. The second hardware device 20 further includes a processor 24 for performing operations on data. The second hardware device 20 further includes a memory 26 for storing data and for storing program instructions for causing the processor 24 to perform method steps as described in more detail below.
The processor 24 may be any hardware device capable of executing instructions stored in the memory 26. As such, the processor may include a microprocessor, field programmable gate array (FPGA), application-specific integrated circuit (ASIC), or other similar devices.
The memory 26 may include various memories such as cache or system memory. As such, the memory 26 may include static random access memory (SRAM), dynamic RAM (DRAM), flash memory, read only memory (ROM), or other similar memory devices.
The third hardware device 30 includes an interface 32 for connection to other devices. The third hardware device 30 further includes a processor 34 for performing operations on data. The third hardware device 30 further includes a memory 36 for storing data and for storing program instructions for causing the processor 34 to perform method steps as described in more detail below.
The processor 34 may be any hardware device capable of executing instructions stored in the memory 36. As such, the processor may include a microprocessor, field programmable gate array (FPGA), application-specific integrated circuit (ASIC), or other similar devices.
The memory 36 may include various memories such as cache or system memory. As such, the memory 36 may include static random access memory (SRAM), dynamic RAM (DRAM), flash memory, read only memory (ROM), or other similar memory devices.
The fourth hardware device 40 includes an interface 42 for connection to other devices. The fourth hardware device 40 further includes a processor 44 for performing operations on data. The fourth hardware device 40 further includes a memory 46 for storing data and for storing program instructions for causing the processor 44 to perform method steps as described in more detail below.
The processor 44 may be any hardware device capable of executing instructions stored in the memory 46. As such, the processor may include a microprocessor, field programmable gate array (FPGA), application-specific integrated circuit (ASIC), or other similar devices.
The memory 46 may include various memories such as cache or system memory. As such, the memory 46 may include static random access memory (SRAM), dynamic RAM (DRAM), flash memory, read only memory (ROM), or other similar memory devices.
The system may include any desired number of hardware devices similar to the hardware devices 10, 20, 30, 40.
As shown in
Thus, in step 202, the method involves receiving a first fixed-point value $c$. The first fixed-point value $c$ represents a first natural number $\tilde{c}$, and the first fixed-point value has a first scaling factor $2^{-k_1}$, such that $\tilde{c} = c\cdot 2^{-k_1}$. Step 202 also involves receiving a second fixed-point value $d$. The second fixed-point value $d$ represents a second natural number $\tilde{d}$, and the second fixed-point value has a second scaling factor $2^{-k_2}$, such that $\tilde{d} = d\cdot 2^{-k_2}$.
Step 202 also involves receiving a third fixed-point value $e$. The third fixed-point value $e$ represents a third natural number $\tilde{e}$, and the third fixed-point value has a third scaling factor $2^{-k_3}$, such that $\tilde{e} = e\cdot 2^{-k_3}$.
It is required to verify that the third fixed-point value e is the correct result of multiplying the first fixed-point value c and the second fixed-point value d.
One issue that arises when performing arithmetic operations on fixed-point values is that the result of performing a multiplication on two fixed-point values that each have a given scaling factor cannot necessarily be expressed exactly as a third fixed-point value with the same scaling factor. That is, fixed-point values with a scaling factor of $2^{-k}$ may accurately represent natural numbers that have up to $k$ binary digits after the radix point (i.e. the equivalent of the decimal point in binary numbers). If two such numbers are multiplied together, the result will be a natural number that may have up to $2k$ digits after the radix point. This cannot be represented perfectly by a fixed-point value with a scaling factor of $2^{-k}$, and so the fixed-point value that is provided as the output of the operation must be generated by truncating the result of the multiplication to reduce the number of digits after the radix point.
Step 204 of the process shown in
In the example described above, if the third fixed-point value is a correctly truncated result of multiplying the first fixed-point value by the second fixed-point value, then it can be said that $\tilde{e} \approx \tilde{c}\cdot\tilde{d}$. From the definitions given above, it therefore follows that $e\cdot 2^{-k_3} \approx c\cdot 2^{-k_1}\cdot d\cdot 2^{-k_2}$, and therefore that $2^{(k_1+k_2-k_3)}\cdot e \approx c\cdot d$. The product of the first scaling factor $2^{-k_1}$ and the second scaling factor $2^{-k_2}$, divided by the third scaling factor $2^{-k_3}$, can then be considered to be a combined scaling factor $2^{-(k_1+k_2-k_3)}$.
It is recognised here that, if the third fixed-point value is a correctly truncated result of multiplying the first fixed-point value by the second fixed-point value, the difference between, on the one hand, the product of the third fixed-point value and the inverse of the combined scaling factor and, on the other hand, the product of the first fixed-point value and the second fixed-point value will lie within a known range. More specifically, this range is bounded by the negation of the inverse of the combined scaling factor and the inverse of the combined scaling factor.
When reference is made herein to the “difference between” two numbers x and y, presented in that order, this refers to the absolute value of (x−y).
That is, if the third fixed-point value $e$ is the correct result of multiplying the first fixed-point value $c$ and the second fixed-point value $d$, then:
$2^{(k_1+k_2-k_3)}\cdot e - c\cdot d \in [-2^{(k_1+k_2-k_3)},\ 2^{(k_1+k_2-k_3)}]$.
As mentioned above, this method can be used for testing the correctness of the multiplication of more than two multiplicand fixed point values, with respective multiplicand scaling factors, given a product fixed point value having a product scaling factor. It can readily be deduced as above that, if the product fixed-point value is a correctly truncated result of multiplying the multiplicand fixed-point values, then the difference between, on the one hand, the product of the product fixed-point value and the inverse of a combined scaling factor and, on the other hand, the product of the multiplicand fixed-point values will lie within a known range. More specifically, this range is bounded by the negation of the inverse of the combined scaling factor and the inverse of the combined scaling factor, where the combined scaling factor is now the product of the multiplicand scaling factors, divided by the product scaling factor.
However, for ease of explanation, the illustrated example will now consider one specific case, in which it is required to verify that the third fixed-point value $e$ is the correct result of multiplying the first fixed-point value $c$ and the second fixed-point value $d$, and moreover the first scaling factor $2^{-k_1}$, the second scaling factor $2^{-k_2}$, and the third scaling factor $2^{-k_3}$, are all equal to $2^{-k}$, and so the combined scaling factor $2^{-(k_1+k_2-k_3)}$ is also $2^{-k}$.
Thus, the method 300 recognises that, for the relationship $2^k\cdot e - c\cdot d \in [-2^k,\ 2^k]$ to be satisfied, it is necessary for two further relationships to be satisfied, namely:
$2^k + (2^k\cdot e - c\cdot d) \geq 0$,
and
$2^k - (2^k\cdot e - c\cdot d) \geq 0$.
Thus, step 302 tests the first of these further relationships, and determines whether the sum of, on the one hand, the inverse of the combined scaling factor and, on the other hand, the difference between, firstly, the product of the third fixed-point value and the inverse of the combined scaling factor and, secondly, the product of the first fixed-point value and the second fixed-point value, is greater than or equal to zero.
Similarly, step 304 tests the second of these further relationships, and determines whether the difference between, on the one hand, the inverse of the combined scaling factor and, on the other hand, the difference between, firstly, the product of the third fixed-point value and the inverse of the combined scaling factor and, secondly, the product of the first fixed-point value and the second fixed-point value, is greater than or equal to zero.
In step 402, the sum of, on the one hand, the inverse of the combined scaling factor and, on the other hand, the difference between, firstly, the product of the third fixed-point value and the inverse of the combined scaling factor and, secondly, the product of the first fixed-point value and the second fixed-point value is formed.
In order to determine whether this sum is greater than or equal to zero, step 404 comprises computing a bit decomposition of the sum, and step 406 comprises determining whether each bit of the bit decomposition is a binary value.
It is known that the sum of, on the one hand, the inverse of the combined scaling factor and, on the other hand, the difference between, firstly, the product of the third fixed-point value and the inverse of the combined scaling factor and, secondly, the product of the first fixed-point value and the second fixed-point value will have a maximum length that depends on the combined scaling factor. Specifically, with a combined scaling factor of $2^{-k}$, as in this example, the sum will contain no more than $(k+1)$ binary digits.
Thus, the sum can be expressed as $a_0 + a_1\cdot 2 + a_2\cdot 2^2 + a_3\cdot 2^3 + \dots + a_k\cdot 2^k$.
Step 404, computing the bit decomposition of the sum, therefore involves finding the bit values $a_i$ for values of $i$ from 0 to $k$, namely $a_0, a_1, a_2, a_3, \dots, a_k$.
Step 406 then involves proving that each of the bit values is in fact a binary value, by proving that, for each value of $i$ from 0 to $k$, $a_i\cdot(1 - a_i) = 0$.
If required, it can then be checked that the bit decomposition of the sum into the bit values $a_0, a_1, a_2, a_3, \dots, a_k$ is correct, by proving that:
$2^k + (2^k\cdot e - c\cdot d) = a_0 + a_1\cdot 2 + a_2\cdot 2^2 + a_3\cdot 2^3 + \dots + a_k\cdot 2^k$.
In step 502, the difference between, on the one hand, the inverse of the combined scaling factor and, on the other hand, the difference between, firstly, the product of the third fixed-point value and the inverse of the combined scaling factor and, secondly, the product of the first fixed-point value and the second fixed-point value is formed.
In order to determine whether this difference is greater than or equal to zero, step 504 comprises computing a bit decomposition of the difference, and step 506 comprises determining whether each bit of the bit decomposition is a binary value.
It is known that the difference between, on the one hand, the inverse of the combined scaling factor and, on the other hand, the difference between, firstly, the product of the third fixed-point value and the inverse of the combined scaling factor and, secondly, the product of the first fixed-point value and the second fixed-point value will have a maximum length that depends on the combined scaling factor. Specifically, with a combined scaling factor of $2^{-k}$, as in this example, the difference will contain no more than $(k+1)$ binary digits.
Thus, the difference can be expressed as $b_0 + b_1\cdot 2 + b_2\cdot 2^2 + b_3\cdot 2^3 + \dots + b_k\cdot 2^k$.
Step 504, computing the bit decomposition of the difference, therefore involves finding the bit values $b_i$ for values of $i$ from 0 to $k$, namely $b_0, b_1, b_2, b_3, \dots, b_k$.
Step 506 then involves proving that each of the bit values is in fact a binary value, by proving that, for each value of $i$ from 0 to $k$, $b_i\cdot(1 - b_i) = 0$.
If required, it can then be checked that the bit decomposition of the difference into the bit values $b_0, b_1, b_2, b_3, \dots, b_k$ is correct, by proving that:
$2^k - (2^k\cdot e - c\cdot d) = b_0 + b_1\cdot 2 + b_2\cdot 2^2 + b_3\cdot 2^3 + \dots + b_k\cdot 2^k$.
Thus, if these tests are passed, it can be verified that the third fixed-point value received in step 202 is a correctly truncated result of multiplying the first fixed-point value by the second fixed-point value.
The multiplication of the first fixed-point value by the second fixed-point value will typically be a part of a larger computation, containing many calculations that will need to be verified. Therefore, if it is verified that the third fixed-point value is a correctly truncated result, the process can continue by verifying the next calculation in that larger computation. More generally, if it is verified that the third fixed-point value is a correctly truncated result, that third fixed-point value can be used in a further function.
If it is found that the third fixed-point value is not a correctly truncated result, the third fixed-point value can be rejected. If the verification is performed by the party or parties performing the calculation, then a suitable notification can be sent, for example prompting the calculation to be checked or performed again. If the verification is performed by a party that is verifying a calculation performed by another party or parties, then again a suitable notification can be provided.
Thus, in step 602, the method involves receiving a first fixed-point value $c$. The first fixed-point value $c$ represents a first natural number $\tilde{c}$, and the first fixed-point value has a first scaling factor $2^{-k_1}$, such that $\tilde{c} = c\cdot 2^{-k_1}$. Step 602 also involves receiving a second fixed-point value $d$. The second fixed-point value $d$ represents a second natural number $\tilde{d}$, and the second fixed-point value has a second scaling factor $2^{-k_2}$, such that $\tilde{d} = d\cdot 2^{-k_2}$.
Step 602 also involves receiving a third fixed-point value $e$. The third fixed-point value $e$ represents a third natural number $\tilde{e}$, and the third fixed-point value has a third scaling factor $2^{-k_3}$, such that $\tilde{e} = e\cdot 2^{-k_3}$.
It is required to verify that the third fixed-point value e is the correct result of dividing the first fixed-point value c by the second fixed-point value d.
One issue that arises when performing arithmetic operations on fixed-point values is that the result of performing a division of two fixed-point values that each have a given scaling factor cannot necessarily be expressed exactly as a third fixed-point value with the same scaling factor. That is, fixed-point values with a scaling factor of $2^{-k}$, as in this example, may accurately represent natural numbers that have up to $k$ binary digits after the radix point (i.e. the equivalent of the decimal point in binary numbers). If one such number is divided by another such number, the result will be a natural number that may have more than $k$ binary digits after the radix point. This cannot be represented perfectly by a fixed-point value with a scaling factor of $2^{-k}$, and so the fixed-point value that is provided as the output of the operation must be generated by truncating the result of the division to reduce the number of digits after the radix point.
Step 604 of the process shown in
For the third fixed-point value $e$ to be correct, we require that $\tilde{e} = \tilde{c}/\tilde{d}$, that is $\tilde{c} \approx \tilde{d}\cdot\tilde{e}$. As $\tilde{c} = c\cdot 2^{-k_1}$, $\tilde{d} = d\cdot 2^{-k_2}$, and $\tilde{e} = e\cdot 2^{-k_3}$, this means that we require that $c\cdot 2^{-k_1} \approx d\cdot 2^{-k_2}\cdot e\cdot 2^{-k_3}$, and therefore that $c\cdot 2^{(k_2+k_3-k_1)} \approx d\cdot e$. The product of the second scaling factor $2^{-k_2}$ and the third scaling factor $2^{-k_3}$, divided by the first scaling factor $2^{-k_1}$, can then be considered to be a combined scaling factor $2^{-(k_2+k_3-k_1)}$.
It is then recognised here that, if the third fixed-point value is a correctly truncated result of dividing the first fixed-point value by the second fixed-point value, the difference between, on the one hand, the product of the first fixed-point value and the inverse of the combined scaling factor and, on the other hand, the product of the second fixed-point value and the third fixed-point value will lie within a known range. More specifically, this range is bounded by the negation of the second fixed-point value and the second fixed-point value.
That is, if the third fixed-point value e is the correctly truncated result of dividing the first fixed-point value c by the second fixed-point value d, then:
$$2^{k_2+k_3-k_1}\cdot c - d\cdot e \in [-d,\, d].$$
However, for ease of explanation, the illustrated example will now consider one specific case, in which it is required to verify that the third fixed-point value e is the correct result of dividing the first fixed-point value c by the second fixed-point value d, where the first scaling factor $2^{-k_1}$, the second scaling factor $2^{-k_2}$ and the third scaling factor $2^{-k_3}$ are all equal to $2^{-k}$, so that the combined scaling factor $2^{-(k_2+k_3-k_1)}$ is also $2^{-k}$.
Thus, the method 700 recognises that the relationship $2^k\cdot c - d\cdot e \in [-d,\, d]$ holds if and only if the following two further relationships both hold, namely:
$$d + (2^k\cdot c - d\cdot e) \ge 0,$$
and
$$d + (d\cdot e - 2^k\cdot c) \ge 0.$$
Thus, step 702 tests the first of these further relationships, and determines whether the sum of, on the one hand, the second fixed-point value and, on the other hand, the difference between, firstly, the product of the first fixed-point value and the inverse of the combined scaling factor and, secondly, the product of the second fixed-point value and the third fixed-point value is greater than or equal to zero.
Similarly, step 704 tests the second of these further relationships, and determines whether the sum of, on the one hand, the second fixed-point value and, on the other hand, the difference between, firstly, the product of the second fixed-point value and the third fixed-point value and, secondly, the product of the first fixed-point value and the inverse of the combined scaling factor is greater than or equal to zero.
In step 802, the sum of, on the one hand, the second fixed-point value and, on the other hand, the difference between, firstly, the product of the first fixed-point value and the inverse of the combined scaling factor and, secondly, the product of the second fixed-point value and the third fixed-point value is formed.
In order to determine whether this sum is greater than or equal to zero, step 804 comprises computing a bit decomposition of the sum, and step 806 comprises determining whether each bit of the bit decomposition is a binary value.
The length of the bit decomposition to be computed in step 804 depends on the magnitude of the second fixed-point value, d. If it is known that d has at most K bits, i.e. $|d| < 2^K$ and hence $|\tilde{d}| < 2^{K-k}$, then the sum of, on the one hand, the second fixed-point value and, on the other hand, the difference between, firstly, the product of the first fixed-point value and the inverse of the combined scaling factor and, secondly, the product of the second fixed-point value and the third fixed-point value lies in $[0,\, 2d]$ and will therefore contain no more than (K+1) binary digits.
Thus, the sum can be expressed as $m_0 + m_1\cdot 2 + m_2\cdot 2^2 + m_3\cdot 2^3 + \dots + m_K\cdot 2^K$.
Step 804, computing the bit decomposition of the sum, therefore involves finding the bit values $m_i$ for values of i from 0 to K, namely $m_0, m_1, m_2, m_3, \dots, m_K$.
Step 806 then involves proving that each of the bit values is in fact a binary value, by proving that, for each value of i from 0 to K, $m_i\cdot(1 - m_i) = 0$.
If required, it can then be checked that the bit decomposition of the sum into the bit values $m_0, m_1, m_2, m_3, \dots, m_K$ is correct, by proving that:
$$d + (2^k\cdot c - d\cdot e) = m_0 + m_1\cdot 2 + m_2\cdot 2^2 + m_3\cdot 2^3 + \dots + m_K\cdot 2^K.$$
In step 902, the sum of, on the one hand, the second fixed-point value and, on the other hand, the difference between, firstly, the product of the second fixed-point value and the third fixed-point value and, secondly, the product of the first fixed-point value and the inverse of the combined scaling factor is formed.
In order to determine whether this sum is greater than or equal to zero, step 904 comprises computing a bit decomposition of the sum, and step 906 comprises determining whether each bit of the bit decomposition is a binary value.
The length of the bit decomposition to be computed in step 904 likewise depends on the magnitude of the second fixed-point value, d. If it is known that d has at most K bits, i.e. $|d| < 2^K$ and hence $|\tilde{d}| < 2^{K-k}$, then the sum of, on the one hand, the second fixed-point value and, on the other hand, the difference between, firstly, the product of the second fixed-point value and the third fixed-point value and, secondly, the product of the first fixed-point value and the inverse of the combined scaling factor lies in $[0,\, 2d]$ and will therefore contain no more than (K+1) binary digits.
Thus, the sum can be expressed as $n_0 + n_1\cdot 2 + n_2\cdot 2^2 + n_3\cdot 2^3 + \dots + n_K\cdot 2^K$.
Step 904, computing the bit decomposition of the sum, therefore involves finding the bit values $n_i$ for values of i from 0 to K, namely $n_0, n_1, n_2, n_3, \dots, n_K$.
Step 906 then involves proving that each of the bit values is in fact a binary value, by proving that, for each value of i from 0 to K, $n_i\cdot(1 - n_i) = 0$.
If required, it can then be checked that the bit decomposition of the sum into the bit values $n_0, n_1, n_2, n_3, \dots, n_K$ is correct, by proving that:
$$d + (d\cdot e - 2^k\cdot c) = n_0 + n_1\cdot 2 + n_2\cdot 2^2 + n_3\cdot 2^3 + \dots + n_K\cdot 2^K.$$
Thus, if these tests are passed, it can be verified that the third fixed-point value received in step 602 is a correctly truncated result of dividing the first fixed-point value by the second fixed-point value.
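The procedure of steps 702 to 906 carried through on plain integers, as an added example that is not part of the application: the function names and the sample operands are ours. It assumes what the range check silently needs, namely a positive divisor (for a negative d the interval [-d, d] is empty) and a non-negative exponent k2+k3-k1 (otherwise 2^(k2+k3-k1)·c is not an integer); the all-equal case of the text is s = k. The demo also shows the tolerance built into the check: any e with |2^s·c - d·e| ≤ d passes, so a claimed quotient one unit above the truncated one is accepted as "correctly truncated", while one two units off is rejected because no bit decomposition of the negative sum exists.

```python
# Added example (not the application's code): the division check of
# steps 702/704 and the bit-decomposition proofs of steps 802-806 and
# 902-906, on plain integers.  All function names and sample values are ours.

def fixed_point_div(c: int, d: int, k1: int, k2: int, k3: int) -> int:
    """Prover's computation: e = trunc(c~ / d~) with scaling factor 2^-k3,
    where c~ = c * 2^-k1 and d~ = d * 2^-k2.

    c~ / d~ * 2^k3 = c * 2^(k2+k3-k1) / d, so s = k2 + k3 - k1 must be >= 0
    for 2^s * c to be an integer (all-equal scaling factors give s = k).
    Truncation is floor division here."""
    s = k2 + k3 - k1
    if d <= 0 or s < 0:
        raise ValueError("need d > 0 (else [-d, d] is empty) and k2 + k3 - k1 >= 0")
    return (c << s) // d


def bit_decompose(x: int, nbits: int):
    """Bits m_0 .. m_{nbits-1} with x = sum_i m_i * 2^i, or None when no such
    decomposition exists (x negative or x >= 2^nbits).  Soundness of the
    check rests on this: bits can only ever recompose to a non-negative value."""
    if x < 0 or x >= (1 << nbits):
        return None
    return [(x >> i) & 1 for i in range(nbits)]


def prove_division(c: int, d: int, e: int, s: int, K: int):
    """Prover side (steps 804 and 904): bit decompositions of the two sums
    d + (2^s c - d e) and d + (d e - 2^s c).  Both lie in [0, 2d] for an
    acceptable e, and with d < 2^K that is below 2^(K+1), so K + 1 bits
    suffice.  Returns None when the claimed e cannot be proven acceptable."""
    r = (c << s) - d * e
    m = bit_decompose(d + r, K + 1)
    n = bit_decompose(d - r, K + 1)
    return None if m is None or n is None else (m, n)


def verify_division(c: int, d: int, e: int, s: int, K: int, proof) -> bool:
    """Verifier side (steps 806/906 plus the recomposition check).  Nothing in
    `proof` is trusted: every entry must satisfy m_i (1 - m_i) = 0 and the bits
    must recompose to the two sums the verifier forms itself."""
    if proof is None or d <= 0 or d >= (1 << K):
        return False
    m, n = proof
    if len(m) != K + 1 or len(n) != K + 1:
        return False
    if any(b * (1 - b) != 0 for b in m + n):     # each supplied value is a bit
        return False

    def recompose(bits):
        return sum(b * (1 << i) for i, b in enumerate(bits))

    r = (c << s) - d * e
    return recompose(m) == d + r and recompose(n) == d - r


def demo():
    """c~ = 10.101b = 21 * 2^-3 and d~ = 0.101b = 5 * 2^-3 (sample values, ours).
    c~ / d~ = 4.2, whose truncation with scaling factor 2^-3 is e = 33 (4.125).
    Returns e and, for e-1, e, e+1, e+2, whether the verifier accepts them."""
    k, K = 3, 3                     # all scaling factors 2^-3; d = 5 < 2^3
    c, d = 21, 5
    e = fixed_point_div(c, d, k, k, k)
    results = {}
    for claimed in (e - 1, e, e + 1, e + 2):
        proof = prove_division(c, d, claimed, k, K)
        results[claimed] = verify_division(c, d, claimed, k, K, proof)
    return e, results
```

In the settings the text targets, the verifier never sees c, d or e, only commitments to them and to the bits; the two recompositions are then checked on commitments using the homomorphic addition of the scheme, but the arithmetic is exactly the one above. The accepted e+1 in the demo is not a defect of the example: the bound [-d, d] deliberately admits either direction of truncation, and a protocol that needs a fixed rounding mode must tighten the interval accordingly.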
The division of the first fixed-point value by the second fixed-point value will typically be a part of a larger computation, containing many calculations that will need to be verified. Therefore, if it is verified that the third fixed-point value is a correctly truncated result, the process can continue by verifying the next calculation in that larger computation. More generally, if it is verified that the third fixed-point value is a correctly truncated result, that third fixed-point value can be used in a further function.
If it is found that the third fixed-point value is not a correctly truncated result, the third fixed-point value can be rejected. If the verification is performed by the party or parties performing the calculation, then a suitable notification can be sent, for example prompting the calculation to be checked or performed again. If the verification is performed by a party that is verifying a calculation performed by another party or parties, then again a suitable notification can be provided.
The methods described herein can be used in a wide range of situations, for example in the technologies of verifiable computation and multiparty computation, and in particular in their application to outsourcing computation. In such settings, it is often needed to receive assurance that computations are performed correctly. The methods described herein are therefore particularly relevant, particularly when computations based on non-integers are needed. For instance, computations in numerical optimization or statistics typically involve non-integers, and performing multiplication and division operations is almost unavoidable. Hence, methods for verifying computations performed on fixed-point numbers are useful.
One example of outsourcing concerns collaborative supply chain management scenarios. In such scenarios, different companies want to optimize their supply chain without having to share sensitive company information. They can achieve this by outsourcing the optimization problem to different cloud parties that each individually do not learn the sensitive data, but can provide a result that is guaranteed to be optimal. In this scenario, it is known how to prove correctness of integer-based optimization algorithms, but fixed-point algorithms often scale better, and so the methods described herein may be used.
Another example concerns distributed medical research, in which cryptographic proofs allow a researcher to prove (to peer reviewers, or the public) that the results of statistical tests are accurate, without the need to reveal the underlying dataset (which indeed is not possible because of patient confidentiality). Statistical tests often cannot be performed using integer arithmetic alone, and require computations based on fixed-point numbers. For instance, the logrank test for testing the difference between two Kaplan-Meier survival curves (or more generally, any $\chi^2$ test) requires proving correctness of fixed-point divisions and multiplications. Thus, methods as described herein can be used to provide cryptographic proof of correctness of this logrank test.
In general, embodiments can be classified in two ways, firstly, what kind of commitment scheme and proof system is used, and secondly, whether or not the sensitive data is hidden from the worker.
Concerning the kind of commitment scheme and proof system, we need a commitment (or encryption) scheme and a proof (or argument) system that allows efficient proofs (or arguments) that commitments satisfy polynomial relations of degree at most two, i.e., involving additions and at most one layer of multiplications.
For computations on the integers (not modulo), it is possible to use the Fujisaki-Okamoto commitment scheme, homomorphic addition, and the multiplication proofs from the document E. Fujisaki and T. Okamoto, “Statistical zero knowledge protocols to prove modular polynomial relations”, Advances in Cryptology—CRYPTO '97, 17th Annual International Cryptology Conference, Santa Barbara, Calif., USA, Aug. 17-21, 1997, Proceedings, pages 16-30, 1997.
An alternative is to use an additively homomorphic commitment scheme modulo a prime, such as Pedersen commitments or ElGamal encryption as described in B. Schoenmakers, Cryptography 2 (2WC13)/Cryptographic Protocols (2WC17) Lecture Notes, 2014. Version 1.0, and proofs of correct multiplication based on Σ-protocols.
A further alternative is to use the Pinocchio verifiable computation scheme and model the proofs as a “quadratic arithmetic program”, as described in B. Parno, J. Howell, C. Gentry, and M. Raykova. “Pinocchio: Nearly Practical Verifiable Computation”, Proceedings of S&P, 2013.
A first concrete embodiment is described below, in which sensitive data is not hidden from the worker. This may for example apply in a scenario where a medical researcher wants to prove correctness of a statistical test on a dataset, where the researcher has access to the dataset but does not want to disclose it to a reviewer. In this scenario, the researcher is considered a “prover” and the reviewer is considered a “verifier”.
To prove correctness of the statistical test, different computations need to be verified, and these will include not only additions and subtractions, but also fixed-point multiplications. Firstly, the prover computes (in a provably correct manner) commitments to the values that are to be multiplied or divided. Then, it is necessary to prove the correctness of the multiplication or division. In this embodiment, any one of the proof systems described above can be used.
The procedure for multiplication or division is implemented as follows, using the notation indicated above, where, in the case of a multiplication, it is required to verify that the third fixed-point value e is the correct result of multiplying the first fixed-point value c and the second fixed-point value d, or, in the case of a division, it is required to verify that the third fixed-point value e is the correct result of dividing the first fixed-point value c by the second fixed-point value d.
1. It is taken as given that the prover knows c; d; e; and the prover and verifier both know respective commitments C; D; E to these values.
2. The prover then provides to the verifier cryptographic proof that the fixed-point computation has been performed correctly. That is, in the case of a multiplication, the prover provides to the verifier cryptographic proof that the difference between (a) the product of the product fixed-point value and the inverse of a combined scaling factor and (b) the product of the multiplicand fixed-point values is within the range bounded by the negation of the inverse of the combined scaling factor and the inverse of the combined scaling factor. In the case of a division, the prover provides to the verifier cryptographic proof that the difference between (e) the product of the first fixed-point value and the inverse of a combined scaling factor and (f) the product of the second fixed-point value and the third fixed-point value is within a range bounded by the negation of the second fixed-point value and the second fixed-point value. More specifically, the prover provides commitments to the bits of the bit decompositions, as described in steps 404 and 504, or in steps 804 and 904 above, to the verifier.
3. The prover proves correctness of the bit decomposition commitments, i.e. proves that they are all bits, using the proofs (or arguments), which the verifier verifies.
4. The prover proves that the bit decomposition commitments correspond to the values that they are supposed to be bit commitments of, using the proofs (or arguments), which the verifier verifies.
Thus, the verifier is able to check that e is the correct result of the multiplication or division, using the procedure shown in
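The check of the first embodiment written as the degree-at-most-two relations the proof systems listed above require, as an added example that is ours and not the application's or any cited paper's code: every constraint is a product of two linear combinations of committed values equated to a third, which is the shape a quadratic arithmetic program (Pinocchio) or a Σ-protocol multiplication proof (Pedersen/ElGamal) consumes. The field prime P, the variable names and the constraint layout are our choices. Working modulo a prime is what forces the bit decomposition of steps 804 and 904: "greater than or equal to zero" has no meaning in a prime field, and the range check is sound only because a negative sum reduces to a residue of about log2(P) bits, which cannot be written with the K+1 bits the prover is allowed.

```python
# Added example (ours, not the application's code): the division check as a
# system of rank-1 constraints <A,w> * <B,w> = <C,w> over a prime field, i.e.
# additions plus a single layer of multiplications, as the text requires.

P = (1 << 61) - 1   # a prime, our choice; K + 1 must stay well below log2(P)


def _bits(x, nbits):
    """Bits of x, or None if x is negative or too large for nbits bits."""
    return [(x >> i) & 1 for i in range(nbits)] if 0 <= x < (1 << nbits) else None


def division_r1cs(k, K):
    """Constraints (A, B, C), each a dict name -> coefficient, over a witness
    with entries 'one', 'c', 'd', 'e', 't' and bits 'm0'..'mK', 'n0'..'nK'.
    Each constraint contains exactly one multiplication (degree two)."""
    cons = [({'d': 1}, {'e': 1}, {'t': 1})]                  # t = d * e, the one product
    bit_names = [f'm{i}' for i in range(K + 1)] + [f'n{i}' for i in range(K + 1)]
    for b in bit_names:
        cons.append(({b: 1}, {b: 1}, {b: 1}))               # b * b = b, i.e. b (1 - b) = 0
    pow2 = 1 << k
    cons.append(({'d': 1, 'c': pow2, 't': -1}, {'one': 1},  # d + 2^k c - d e = sum m_i 2^i
                 {f'm{i}': 1 << i for i in range(K + 1)}))
    cons.append(({'d': 1, 'c': -pow2, 't': 1}, {'one': 1},  # d + d e - 2^k c = sum n_i 2^i
                 {f'n{i}': 1 << i for i in range(K + 1)}))
    return cons


def division_witness(c, d, e, k, K):
    """Prover side: the values that the commitments C, D, E, the product
    commitment and the bit commitments open to (reduced mod P).  None when
    the claimed e admits no bit decomposition, i.e. when a sum is negative."""
    r = (c << k) - d * e
    m, n = _bits(d + r, K + 1), _bits(d - r, K + 1)
    if m is None or n is None:
        return None
    w = {'one': 1, 'c': c, 'd': d, 'e': e, 't': d * e}
    w.update({f'm{i}': b for i, b in enumerate(m)})
    w.update({f'n{i}': b for i, b in enumerate(n)})
    return {name: v % P for name, v in w.items()}


def check_r1cs(cons, w):
    """Verifier side: every constraint holds modulo P on the (committed) witness.
    With real commitments each <.,w> is a homomorphic combination and each
    product is one multiplication proof; here they are evaluated in the clear."""
    def dot(vec):
        return sum(coef * w.get(name, 0) for name, coef in vec.items()) % P
    return all(dot(A) * dot(B) % P == dot(C) for A, B, C in cons)
```

For the sample operands c = 21, d = 5, k = K = 3 the honest witness passes all 1 + 2(K+1) + 2 constraints; substituting e = 32 (with t updated to 5·32 so that the product constraint still holds) breaks the first recomposition, and a "bit" of 2 breaks its b·b = b constraint. A witness for e = 35 does not exist at all, because d + (2^k c - d e) = -2 would reduce to P - 2 and no four bits recompose to that.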
A second concrete embodiment is described below, in which the data is sensitive, and is hidden. For example, in a scenario arising in medical research, even the researcher is not allowed to see the dataset. Hence, the computation is done on behalf of the researcher by multiple cloud computation parties. These cloud computation parties act as “provers”, and it is required that the researcher and reviewers can both check the results obtained from the cloud computation parties, and hence act as “verifiers”.
This embodiment is similar to the first embodiment described above, except that, instead of a single prover holding the data, the data is now secret-shared between multiple provers, and proofs are computed in a distributed way. For example, the process may use Shamir secret sharing between three provers. This embodiment can be based on either the second or third commitment scheme and proof system described above. Note that, in this case, the proof system needs to be zero-knowledge and so, for Pinocchio, its zero-knowledge variant needs to be used.
The procedure for multiplication or division is implemented as follows, using the notation indicated above, where, in the case of a multiplication, it is required to verify that the third fixed-point value e is the correct result of multiplying the first fixed-point value c and the second fixed-point value d, or, in the case of a division, it is required to verify that the third fixed-point value e is the correct result of dividing the first fixed-point value c by the second fixed-point value d.
1. The result e is computed using a multi-party computation fixed-point multiplication or division protocol, for example as described in “Design of large scale applications of secure multiparty computation: secure linear programming”, S. de Hoogh. PhD thesis, Eindhoven University of Technology, 2012. It is then taken as given that c; d; e are Shamir secret-shared between multiple provers; and the provers and one or more verifier know respective commitments C; D; E to those values.
2. The provers run a multi-party computation protocol to obtain secret-shared bit decompositions of the appropriate values, for example as described in “Design of large scale applications of secure multiparty computation: secure linear programming”, S. de Hoogh. PhD thesis, Eindhoven University of Technology, 2012. The provers then provide commitment shares to the verifier, who reconstructs the commitment from the shares. This can be achieved as described, for example, in “Certificate validation in secure computation and its use in verifiable linear programming”, S. de Hoogh, B. Schoenmakers, and M. Veeningen, Progress in Cryptology—AFRICACRYPT 2016—8th International Conference on Cryptology in Africa, Fes, Morocco, Apr. 13-15, 2016, Proceedings, pages 265-284, 2016); or as described in “Trinocchio: Privacy-friendly outsourcing by distributed verifiable computation”, B. Schoenmakers, M. Veeningen, and N. de Vreede, IACR Cryptology ePrint Archive, 2015:480, 2015. In the Pinocchio case, commitments to multiple values from the same computation are typically combined into a small number of group elements, and so typically this step does not take place exactly once for every multiplication or division.
3. The provers prove correctness of the bit decomposition commitments using the zero-knowledge proofs (or arguments) in a distributed way, for example ElGamal (as described in “Certificate validation in secure computation and its use in verifiable linear programming”, S. de Hoogh, B. Schoenmakers, and M. Veeningen, Progress in Cryptology—AFRICACRYPT 2016—8th International Conference on Cryptology in Africa, Fes, Morocco, Apr. 13-15, 2016, Proceedings, pages 265-284, 2016); Pinocchio (as described in “Trinocchio: Privacy-friendly outsourcing by distributed verifiable computation”, B. Schoenmakers, M. Veeningen, and N. de Vreede, IACR Cryptology ePrint Archive, 2015:480, 2015); or Pedersen (as a natural extension to the description in “Certificate validation in secure computation and its use in verifiable linear programming”, cited above). The verifier verifies this.
4. The provers prove correspondence of the bit decomposition commitments using the zero-knowledge proofs (or arguments), which the verifier verifies.
It was mentioned above that this embodiment can be based on either the second or third proof system described above. In order to use the first (Fujisaki-Okamoto) commitment scheme while hiding sensitive inputs from provers, multi-party computation over the integers (as described in “Linear Integer Secret Sharing”, R. Thorbek, PhD thesis, University of Aarhus, 2009) can be used, provided that the bit decomposition protocols from the document “Design of large scale applications of secure multiparty computation: secure linear programming”, cited above, translate to this setting.
There are thus described techniques for verifying computations performed using fixed-point values.
These techniques may be performed on suitable hardware, programmed with an appropriate computer program. Thus, there is also provided a computer program product comprising a computer readable medium, the computer readable medium having computer readable code embodied therein, the computer readable code being configured such that, on execution by a suitable computer or processor, the computer or processor is caused to perform the method or methods described herein. Thus, it will be appreciated that the invention also applies to computer programs, particularly computer programs on or in a carrier, adapted to put the invention into practice. The program may be in the form of a source code, an object code, a code intermediate source and an object code such as in a partially compiled form, or in any other form suitable for use in the implementation of the method according to the invention.
It will also be appreciated that such a program may have many different architectural designs. For example, a program code implementing the functionality of the method or system according to the invention may be sub-divided into one or more sub-routines. Many different ways of distributing the functionality among these sub-routines will be apparent to the skilled person. The sub-routines may be stored together in one executable file to form a self-contained program. Such an executable file may comprise computer-executable instructions, for example, processor instructions and/or interpreter instructions (e.g. Java interpreter instructions). Alternatively, one or more or all of the sub-routines may be stored in at least one external library file and linked with a main program either statically or dynamically, e.g. at run-time. The main program contains at least one call to at least one of the sub-routines. The sub-routines may also comprise function calls to each other.
An embodiment relating to a computer program product comprises computer-executable instructions corresponding to each processing stage of at least one of the methods set forth herein. These instructions may be sub-divided into sub-routines and/or stored in one or more files that may be linked statically or dynamically. Another embodiment relating to a computer program product comprises computer-executable instructions corresponding to each means of at least one of the systems and/or products set forth herein. These instructions may be sub-divided into sub-routines and/or stored in one or more files that may be linked statically or dynamically.
The carrier of a computer program may be any entity or device capable of carrying the program. For example, the carrier may include any non-transitory machine-readable medium for data storage, such as a ROM, for example, a CD ROM or a semiconductor ROM, or a magnetic recording medium, for example, a hard disk. Furthermore, the carrier may be a transmissible carrier such as an electric or optical signal, which may be conveyed via electric or optical cable or by radio or other means. When the program is embodied in such a signal, the carrier may be constituted by such a cable or other device or means. Alternatively, the carrier may be an integrated circuit in which the program is embedded, the integrated circuit being adapted to perform, or used in the performance of, the relevant method.
Variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed invention, from a study of the drawings, the disclosure and the appended claims. In the claims, the word “comprising” does not exclude other elements or steps, and the indefinite article “a” or “an” does not exclude a plurality. A single processor or other unit may fulfil the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage. A computer program may be stored/distributed on a suitable medium, such as an optical storage medium or a solid-state medium supplied together with or as part of other hardware, but may also be distributed in other forms, such as via the Internet or other wired or wireless telecommunication systems. Any reference signs in the claims should not be construed as limiting the scope.
The present application is related to U.S. Provisional Application No. 62/443,080 filed Jan. 6, 2017, and U.S. Provisional Application No. 62/489,688 filed Apr. 25, 2017. These applications are hereby incorporated by reference herein, for all purposes.
Filing Document | Filing Date | Country | Kind
---|---|---|---
PCT/EP2018/050287 | 1/5/2018 | WO | 00

Number | Date | Country
---|---|---
62489688 | Apr 2017 | US
62443080 | Jan 2017 | US