Verifiable ASICs: trustworthy hardware with untrusted components
|
|
- Mark Holt
- 5 years ago
- Views:
Transcription
1 Verifiable ASICs: trustworthy hardware with untrusted components Riad S. Wahby, Max Howald, Siddharth Garg, abhi shelat, and Michael Walfish Stanford University New York University The Cooper Union The University of Virginia April 8, 2016
2 You (probably) shouldn t trust your hardware...
3 You (probably) shouldn t trust your hardware...
4 You (probably) shouldn t trust your hardware...
5 You (probably) shouldn t trust your hardware because fabs sometimes make mistakes
6 You (probably) shouldn t trust your hardware because fabs sometimes make mistakes [Tehranipoor and Koushanfar. A survey of hardware Trojan taxonomy and detection. IEEE DTC, 2010.]
7 What s a chip designer to do? Post-fab testing Hardware obfuscation Trusted manufacturer [Bhunia, Hsiao, Banga, and Narasimhan. Hardware Trojan attacks: threat analysis and countermeasures. Proc. IEEE, Aug ]
8 What s a chip designer to do? Post-fab testing Hardware obfuscation Trusted manufacturer [Bhunia, Hsiao, Banga, and Narasimhan. Hardware Trojan attacks: threat analysis and countermeasures. Proc. IEEE, Aug ]
9 What s a chip designer to do? Post-fab testing Hardware obfuscation Trusted manufacturer but a fab is expensive and hard to build... [Bhunia, Hsiao, Banga, and Narasimhan. Hardware Trojan attacks: threat analysis and countermeasures. Proc. IEEE, Aug ]
10 What s a chip designer to do? Post-fab testing Hardware obfuscation Trusted manufacturer but a fab is expensive and hard to build so trusted fab might have 10 8 worse performance! [Bhunia, Hsiao, Banga, and Narasimhan. Hardware Trojan attacks: threat analysis and countermeasures. Proc. IEEE, Aug ]
11 Roadmap 1. Problem statement: verifiable ASICs 2. Probabilistic proof systems, briefly 3. Zebra: a system for verifiable ASICs 4. Implementation and evaluation
12 Roadmap 1. Problem statement: verifiable ASICs 2. Probabilistic proof systems, briefly 3. Zebra: a system for verifiable ASICs 4. Implementation and evaluation
13 Problem statement: verifiable ASICs Principal Ψ specs for P,V
14 Problem statement: verifiable ASICs Supplier (foundry, processor vendor, etc.) Principal Ψ specs for P,V Foundry
15 Problem statement: verifiable ASICs Supplier (foundry, processor vendor, etc.) V Principal Ψ specs for P,V Integrator P Foundry
16 Problem statement: verifiable ASICs Supplier (foundry, processor vendor, etc.) Principal Ψ specs for P,V Integrator Foundry Operator V P
17 Problem statement: verifiable ASICs Operator V P
18 Problem statement: verifiable ASICs Operator V x P
19 Problem statement: verifiable ASICs Operator V x y P
20 Problem statement: verifiable ASICs Operator V x y proof P
21 Problem statement: verifiable ASICs Operator V x y proof P P is efficient, but can deviate arbitrarily from the protocol
22 Problem statement: verifiable ASICs Operator V x y proof P P is efficient, but can deviate arbitrarily from the protocol Honest P always convinces V that y = Ψ(x)
23 Problem statement: verifiable ASICs Operator V x y proof P P is efficient, but can deviate arbitrarily from the protocol Honest P always convinces V that y = Ψ(x) V must catch dishonest P except with negligible probability
24 Problem statement: verifiable ASICs Operator V x y proof P P is efficient, but can deviate arbitrarily from the protocol Honest P always convinces V that y = Ψ(x) V must catch dishonest P except with negligible probability P cannot attack or disable V, or communicate with outside world (see paper for more discussion)
25 Problem statement: verifiable ASICs Operator V x y proof P P is efficient, but can deviate arbitrarily from the protocol Honest P always convinces V that y = Ψ(x) V must catch dishonest P except with negligible probability P cannot attack or disable V, or communicate with outside world (see paper for more discussion) Goal: V and P together should outperform Ψ executed in trusted substrate
26 Roadmap 1. Problem statement: verifiable ASICs 2. Probabilistic proof systems, briefly 3. Zebra: a system for verifiable ASICs 4. Implementation and evaluation
27 Probabilistic proof systems, briefly A weak verifier checks the work of a powerful prover verifier prover program, inputs outputs [Walfish and Blumberg. Verifying computations without reexecuting them: from theoretical possibility to near practicality. CACM, Feb ]
28 Probabilistic proof systems, briefly A weak verifier checks the work of a powerful prover verifier prover program, inputs outputs + proof Idea: checking proof should be easier for verifier than executing program [Walfish and Blumberg. Verifying computations without reexecuting them: from theoretical possibility to near practicality. CACM, Feb ]
29 Probabilistic proof systems, briefly A weak verifier checks the work of a powerful prover Recent work is in three strands: Interactive arguments [Pepper12, Ginger12, Zaatar13] [Walfish and Blumberg. Verifying computations without reexecuting them: from theoretical possibility to near practicality. CACM, Feb ]
30 Probabilistic proof systems, briefly A weak verifier checks the work of a powerful prover Recent work is in three strands: Interactive arguments [Pepper12, Ginger12, Zaatar13] Non-interactive arguments (SNARKs) [PGHR13, BCGTV13, BCTV14] [Walfish and Blumberg. Verifying computations without reexecuting them: from theoretical possibility to near practicality. CACM, Feb ]
31 Probabilistic proof systems, briefly A weak verifier checks the work of a powerful prover Recent work is in three strands: Interactive arguments [Pepper12, Ginger12, Zaatar13] Non-interactive arguments (SNARKs) [PGHR13, BCGTV13, BCTV14] Interactive proofs [CMT12, TRMP12, Allspice13, Tha13] [Walfish and Blumberg. Verifying computations without reexecuting them: from theoretical possibility to near practicality. CACM, Feb ]
32 Probabilistic proof systems, briefly A weak verifier checks the work of a powerful prover Recent work is in three strands: Interactive arguments [Pepper12, Ginger12, Zaatar13] + Low round complexity + Mild cryptograhic assumptions Non-interactive arguments (SNARKs) [PGHR13, BCGTV13, BCTV14] Interactive proofs [CMT12, TRMP12, Allspice13, Tha13] [Walfish and Blumberg. Verifying computations without reexecuting them: from theoretical possibility to near practicality. CACM, Feb ]
33 Probabilistic proof systems, briefly A weak verifier checks the work of a powerful prover Recent work is in three strands: Interactive arguments [Pepper12, Ginger12, Zaatar13] + Low round complexity + Mild cryptograhic assumptions Non-interactive arguments (SNARKs) [PGHR13, BCGTV13, BCTV14] + Public verifiability, zero knowledge Non-falsifiable cryptographic assumptions [GW10] Interactive proofs [CMT12, TRMP12, Allspice13, Tha13] [Walfish and Blumberg. Verifying computations without reexecuting them: from theoretical possibility to near practicality. CACM, Feb ]
34 Probabilistic proof systems, briefly A weak verifier checks the work of a powerful prover Recent work is in three strands: Interactive arguments [Pepper12, Ginger12, Zaatar13] + Low round complexity + Mild cryptograhic assumptions Non-interactive arguments (SNARKs) [PGHR13, BCGTV13, BCTV14] + Public verifiability, zero knowledge Non-falsifiable cryptographic assumptions [GW10] Interactive proofs [CMT12, TRMP12, Allspice13, Tha13] + Simple and efficient prover and verifier + Information theoretic guarantees (no crypto) [Walfish and Blumberg. Verifying computations without reexecuting them: from theoretical possibility to near practicality. CACM, Feb ]
35 Probabilistic proof systems, briefly A weak verifier checks the work of a powerful prover For all systems, expressiveness is somewhat limited: Arguments (interactive & non-interactive) Computation must be expressed as an arithmetic circuit Interactive proofs Computation must be expressed as an arithmetic circuit [Walfish and Blumberg. Verifying computations without reexecuting them: from theoretical possibility to near practicality. CACM, Feb ]
36 Probabilistic proof systems, briefly A weak verifier checks the work of a powerful prover For all systems, expressiveness is somewhat limited: Arguments (interactive & non-interactive) Computation must be expressed as an arithmetic circuit generalized boolean circuit over F p + Interactive proofs Computation must be expressed as an arithmetic circuit [Walfish and Blumberg. Verifying computations without reexecuting them: from theoretical possibility to near practicality. CACM, Feb ]
37 Probabilistic proof systems, briefly A weak verifier checks the work of a powerful prover For all systems, expressiveness is somewhat limited: Arguments (interactive & non-interactive) Computation must be expressed as an arithmetic circuit + Arithmetic circuit can have arbitrary connectivity, shape Interactive proofs Computation must be expressed as an arithmetic circuit Arithmetic circuit must be layered, depth width [Walfish and Blumberg. Verifying computations without reexecuting them: from theoretical possibility to near practicality. CACM, Feb ]
38 Probabilistic proof systems, briefly A weak verifier checks the work of a powerful prover For all systems, expressiveness is somewhat limited: Arguments (interactive & non-interactive) Computation must be expressed as an arithmetic circuit + Arithmetic circuit can have arbitrary connectivity, shape layered vs. unlayered Interactive proofs Computation must be expressed as an arithmetic circuit Arithmetic circuit must be layered, depth width [Walfish and Blumberg. Verifying computations without reexecuting them: from theoretical possibility to near practicality. CACM, Feb ]
39 Probabilistic proof systems, briefly A weak verifier checks the work of a powerful prover For all systems, expressiveness is somewhat limited: Arguments (interactive & non-interactive) Computation must be expressed as an arithmetic circuit + Arithmetic circuit can have arbitrary connectivity, shape depth = 3 width = 8 Interactive proofs Computation must be expressed as an arithmetic circuit Arithmetic circuit must be layered, depth width [Walfish and Blumberg. Verifying computations without reexecuting them: from theoretical possibility to near practicality. CACM, Feb ]
40 Roadmap 1. Problem statement: verifiable ASICs 2. Probabilistic proof systems, briefly 3. Zebra: a system for verifiable ASICs 4. Implementation and evaluation
41 Zebra s starting point: Interactive proofs Zebra is an IP-based protocol [CMT12, Allspice13] (We discuss why not arguments in the paper)
42 Zebra s starting point: Interactive proofs
43 Zebra s starting point: Interactive proofs 1. V sends inputs
44 Zebra s starting point: Interactive proofs 1. V sends inputs 2. P evaluates circuit, returns output y
45 Zebra s starting point: Interactive proofs 1. V sends inputs 2. P evaluates circuit, returns output y
46 Zebra s starting point: Interactive proofs 1. V sends inputs 2. P evaluates circuit, returns output y
47 Zebra s starting point: Interactive proofs 1. V sends inputs 2. P evaluates circuit, returns output y y
48 Zebra s starting point: Interactive proofs 1. V sends inputs 2. P evaluates circuit, returns output y 3. V constructs polynomial relating y to values of last layer s input wires y
49 Zebra s starting point: Interactive proofs 1. V sends inputs 2. P evaluates circuit, returns output y 3. V constructs polynomial relating y to values of last layer s input wires 4. V cross-examines P
50 Zebra s starting point: Interactive proofs 1. V sends inputs 2. P evaluates circuit, returns output y 3. V constructs polynomial relating y to values of last layer s input wires 4. V cross-examines P, ends up with claim about second-last layer
51 Zebra s starting point: Interactive proofs 1. V sends inputs 2. P evaluates circuit, returns output y 3. V constructs polynomial relating y to values of last layer s input wires 4. V cross-examines P, ends up with claim about second-last layer 5. V iterates
52 Zebra s starting point: Interactive proofs 1. V sends inputs 2. P evaluates circuit, returns output y 3. V constructs polynomial relating y to values of last layer s input wires 4. V cross-examines P, ends up with claim about second-last layer 5. V iterates
53 Zebra s starting point: Interactive proofs 1. V sends inputs 2. P evaluates circuit, returns output y 3. V constructs polynomial relating y to values of last layer s input wires 4. V cross-examines P, ends up with claim about second-last layer 5. V iterates
54 Zebra s starting point: Interactive proofs 1. V sends inputs 2. P evaluates circuit, returns output y 3. V constructs polynomial relating y to values of last layer s input wires 4. V cross-examines P, ends up with claim about second-last layer 5. V iterates, ends up with claim about inputs
55 Zebra s starting point: Interactive proofs 1. V sends inputs 2. P evaluates circuit, returns output y 3. V constructs polynomial relating y to values of last layer s input wires 4. V cross-examines P, ends up with claim about second-last layer 5. V iterates, ends up with claim about inputs 6. V checks consistency with the inputs
56 Zebra s starting point: Interactive proofs 1. V sends inputs 2. P evaluates circuit, returns output y 3. V constructs polynomial relating y to values of last layer s input wires 4. V cross-examines P, ends up with claim about second-last layer 5. V iterates, ends up with claim about inputs 6. V checks consistency with the inputs V s work is O(depth log width)
57 Pipelined proving in Zebra V questions P about Ψ(x 1 ) s output layer. Ψ(x 1 )
58 Pipelined proving in Zebra V questions P about Ψ(x 1 ) s output layer. Simultaneously, P returns Ψ(x 2 ). Ψ(x 2 ) Ψ(x 1 )
59 Pipelined proving in Zebra V questions P about Ψ(x 1 ) s next layer Ψ(x 1 )
60 Pipelined proving in Zebra V questions P about Ψ(x 1 ) s next layer, and Ψ(x 2 ) s output layer. Ψ(x 1 ) Ψ(x 2 )
61 Pipelined proving in Zebra V questions P about Ψ(x 1 ) s next layer, and Ψ(x 2 ) s output layer. Meanwhile, P returns Ψ(x 3 ). Ψ(x 3 ) Ψ(x 1 ) Ψ(x 2 )
62 Pipelined proving in Zebra This process continues until the pipeline is full. Ψ(x 1 ) Ψ(x 2 ) Ψ(x 3 ) Ψ(x 4 )
63 Pipelined proving in Zebra This process continues until the pipeline is full. Ψ(x 1 ) Ψ(x 2 ) Ψ(x 3 ) Ψ(x 4 ) Ψ(x 5 )
64 Pipelined proving in Zebra This process continues until the pipeline is full. V and P can complete one proof in each time step. Ψ(x 1 ) Ψ(x 2 ) Ψ(x 3 ) Ψ(x 4 ) Ψ(x 5 ) Ψ(x 6 ) Ψ(x 7 ) Ψ(x 8 )
65 Other hardware optimizations V Input (x) queries responses queries responses queries responses Sub-prover, layer d 1 prove.. Sub-prover, layer 1 prove Sub-prover, layer 0 prove P Output (y)
66 Other hardware optimizations Proving machinery Sub-prover circuit P s work is mainly local to each gate
67 Other hardware optimizations Sub-prover circuit Remaining sub-prover machinery gate prover gate prover gate prover gate prover P s work is mainly local to each gate P s design leverages this with gate prover circuits
68 Other hardware optimizations Sub-prover circuit Remaining sub-prover machinery gate prover gate prover gate prover gate prover P s work is mainly local to each gate P s design leverages this with gate prover circuits Gate provers reuse work from previous rounds by maintaining local state
69 Other hardware optimizations Sub-prover circuit Remaining sub-prover machinery gate prover gate prover gate prover gate prover P s work is mainly local to each gate P s design leverages this with gate prover circuits Gate provers reuse work from previous rounds by maintaining local state Further low-level and protocol optimizations (see paper)
70 Architectural challenges and limitations Interaction between V and P requires a lot of bandwidth
71 Architectural challenges and limitations Interaction between V and P requires a lot of bandwidth Zebra uses 3D integration
72 Architectural challenges and limitations Interaction between V and P requires a lot of bandwidth Zebra uses 3D integration IP protocol requires precomputation for most Ψ [Allspice13]
73 Architectural challenges and limitations Interaction between V and P requires a lot of bandwidth Zebra uses 3D integration IP protocol requires precomputation for most Ψ [Allspice13] Zebra amortizes precomputations over many V-P pairs
74 Architectural challenges and limitations Interaction between V and P requires a lot of bandwidth Zebra uses 3D integration IP protocol requires precomputation for most Ψ [Allspice13] Zebra amortizes precomputations over many V-P pairs Several other details (see paper)
75 Roadmap 1. Problem statement: verifiable ASICs 2. Probabilistic proof systems, briefly 3. Zebra: a system for verifiable ASICs 4. Implementation and evaluation
76 Evaluation How does Zebra perform on computations of real world interest? Number theoretic transform Curve25519 point multiplication
77 Evaluation How does Zebra perform on computations of real world interest? Number theoretic transform Curve25519 point multiplication Goal: V and P together should outperform Ψ executed in trusted substrate
78 Implementation and method Zebra s implementation includes a compiler that produces synthesizable Verilog for P two V implementations (software and Verilog) library to generate V s precomputations Verilog simulator extensions to support either hardware and software V interacting with P design
79 Implementation and method Zebra s implementation includes a compiler that produces synthesizable Verilog for P two V implementations (software and Verilog) library to generate V s precomputations Verilog simulator extensions to support either hardware and software V interacting with P design For our evaluation, we build a detailed cost model based on analysis, simulation results, and published chip designs (see paper)
80 Implementation and method Zebra s implementation includes a compiler that produces synthesizable Verilog for P two V implementations (software and Verilog) library to generate V s precomputations Verilog simulator extensions to support either hardware and software V interacting with P design For our evaluation, we build a detailed cost model based on analysis, simulation results, and published chip designs (see paper) Baseline: direct implementation of Ψ in same technology as V Assumption: computation is efficient as an arithmetic circuit
81 Implementation and method Zebra s implementation includes a compiler that produces synthesizable Verilog for P two V implementations (software and Verilog) library to generate V s precomputations Verilog simulator extensions to support either hardware and software V interacting with P design For our evaluation, we build a detailed cost model based on analysis, simulation results, and published chip designs (see paper) Baseline: direct implementation of Ψ in same technology as V Assumption: computation is efficient as an arithmetic circuit Metric: energy required to execute Ψ
82 Number theoretic transform Performance relative to native baseline (higher is better) log 2 (NTT size)
83 Curve25519 point multiplication Performance relative to native baseline (higher is better) Parallel Curve25519 point multiplications
84 Recap Zebra enables verifiable ASICs. + Untrusted P improves the performance of trusted V
85 Recap Zebra enables verifiable ASICs. + Untrusted P improves the performance of trusted V + First built system in the probabilistic proof literature where total cost of V + P is better than baseline
86 Recap Zebra enables verifiable ASICs. + Untrusted P improves the performance of trusted V + First built system in the probabilistic proof literature where total cost of V + P is better than baseline But this improvement is modest
87 Recap Zebra enables verifiable ASICs. + Untrusted P improves the performance of trusted V + First built system in the probabilistic proof literature where total cost of V + P is better than baseline But this improvement is modest, and Zebra has limitations: does not apply to all computations precomputations must be amortized computation needs to be big enough needs large gap between trusted and untrusted technology
88 Recap Zebra enables verifiable ASICs. + Untrusted P improves the performance of trusted V + First built system in the probabilistic proof literature where total cost of V + P is better than baseline But this improvement is modest, and Zebra has limitations: does not apply to all computations precomputations must be amortized computation needs to be big enough needs large gap between trusted and untrusted technology Zebra is a first step there are plenty of improvements to be made!
Efficient RAM and control flow in verifiable outsourced computation
Efficient RAM and control flow in verifiable outsourced computation Riad S. Wahby, Srinath Setty, Zuocheng Ren, Andrew J. Blumberg, and Michael Walfish New York University The University of Texas at Austin
More informationImplementations of probabilistic proofs for verifiable outsourcing: survey and next steps
Implementations of probabilistic proofs for verifiable outsourcing: survey and next steps Srinath Setty Microsoft Research (Thanks to Michael Walfish for some of the slides.) without executing f, can check
More informationMaking verifiable computation a systems problem
Making verifiable computation a systems problem Michael Walfish The University of Texas at Austin From a systems perspective, it is an exciting time for this area! When we started there were no implementations
More informationPCPs and Succinct Arguments
COSC 544 Probabilistic Proof Systems 10/19/17 Lecturer: Justin Thaler PCPs and Succinct Arguments 1 PCPs: Definitions and Relationship to MIPs In an MIP, if a prover is asked multiple questions by the
More informationSlalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware
Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Florian Tramèr (joint work with Dan Boneh) Stanford security lunch June 13 th Trusted execution of ML: 3 motivating
More informationSlalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware
Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Florian Tramèr (joint work with Dan Boneh) Intel, Santa Clara August 30 th 2018 Trusted execution of ML: 3 motivating
More informationVerifying computations without reexecuting them: from theoretical possibility to near practicality
Electronic Colloquium on Computational Complexity, Report No. 165 (2013) Verifying computations without reexecuting them: from theoretical possibility to near practicality Michael Walfish and Andrew J.
More informationCryptographic protocols
Cryptographic protocols Lecture 3: Zero-knowledge protocols for identification 6/16/03 (c) Jussipekka Leiwo www.ialan.com Overview of ZK Asymmetric identification techniques that do not rely on digital
More informationIncentivized Delivery Network of IoT Software Updates Based on Proofs-of-Distribution
Incentivized Delivery Network of IoT Software Updates Based on Proofs-of-Distribution Oded Leiba, Yechiav Yitzchak, Ron Bitton, Asaf Nadler, Asaf Shabtai Ben-Gurion University of the Negev IoT Units (billions)
More informationFunctional Programming in Hardware Design
Functional Programming in Hardware Design Tomasz Wegrzanowski Saarland University Tomasz.Wegrzanowski@gmail.com 1 Introduction According to the Moore s law, hardware complexity grows exponentially, doubling
More informationVerifiable Computation with Massively Parallel Interactive Proofs
Verifiable Computation with Massively Parallel Interactive Proofs Justin Thaler, Mike Roberts, Michael Mitzenmacher, and Hanspeter Pfister Harvard University, School of Engineering and Applied Sciences
More informationvsql: Verifying Arbitrary SQL Queries over Dynamic Outsourced Databases
vsql: Verifying Arbitrary SQL Queries over Dynamic Outsourced Databases Yupeng Zhang, Daniel Genkin, Jonathan Katz, Dimitrios Papadopoulos and Charalampos Papamanthou Verifiable Databases client SQL database
More informationOverview. CSE372 Digital Systems Organization and Design Lab. Hardware CAD. Two Types of Chips
Overview CSE372 Digital Systems Organization and Design Lab Prof. Milo Martin Unit 5: Hardware Synthesis CAD (Computer Aided Design) Use computers to design computers Virtuous cycle Architectural-level,
More informationPCH Framework for IP Runtime Security Verification
PCH Framework for IP Runtime Security Verification Xiaolong Guo, Raj Gautam Dutta, Jiaji He, and Yier Jin Department of Electrical and Computer Engineering, University of Florida School of Microelectronics,
More informationPinocchio: Nearly Practical Verifiable Computation. Bryan Pano, Jon Howell, Craig Gentry, Mariana Raykova
Pinocchio: Nearly Practical Verifiable Computation Bryan Pano, Jon Howell, Craig Gentry, Mariana Raykova Presentated by Phd@ECE,UMD Hui Zhang wayne.huizhang@gmail.com Introduction Outsourcing complex computation
More informationVerifying computations with state (extended version) *
Verifying computations with state (extended version) * Benjamin Braun, Ariel J. Feldman, Zuocheng Ren, Srinath Setty, Andrew J. Blumberg, and Michael Walfish The University of Texas at Austin University
More informationProgram Representations (1)
Program Representations (1) Bar-Ilan Winter School on Verifiable Computation Class 7 January 5, 2016 Michael Walfish Dept. of Computer Science, Courant Institute, NYU Let s clarify a few things from class
More informationOverview of Verifiable Computing Techniques Providing Private and Public Verification
Overview of Verifiable Computing Techniques Providing Private and Public D5.8 Document Identification Date May 4, 2016 Status Final Version 1.0 Related WP WP5 Document Reference Related Deliverable(s)
More informationResearch Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.
Research Statement Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel. lindell@cs.biu.ac.il www.cs.biu.ac.il/ lindell July 11, 2005 The main focus of my research is the theoretical foundations
More informationCSA E0 312: Secure Computation October 14, Guest Lecture 2-3
CSA E0 312: Secure Computation October 14, 2015 Guest Lecture 2-3 Guest Instructor: C. Pandu Rangan Submitted by: Cressida Hamlet 1 Introduction Till now we have seen only semi-honest parties. From now
More informationCS 151 Complexity Theory Spring Final Solutions. L i NL i NC 2i P.
CS 151 Complexity Theory Spring 2017 Posted: June 9 Final Solutions Chris Umans 1. (a) The procedure that traverses a fan-in 2 depth O(log i n) circuit and outputs a formula runs in L i this can be done
More informationFinal report: Non-Interactive Zero Knowledge Protocol for Verifiable Computing
Final report: Non-Interactive Zero Knowledge Protocol for Verifiable Computing Part A abstract description of the project: In this project we implemented a zero knowledge protocol for verifiable computing.
More informationMemory Bandwidth and Low Precision Computation. CS6787 Lecture 9 Fall 2017
Memory Bandwidth and Low Precision Computation CS6787 Lecture 9 Fall 2017 Memory as a Bottleneck So far, we ve just been talking about compute e.g. techniques to decrease the amount of compute by decreasing
More informationVlad Kolesnikov Bell Labs
Vlad Kolesnikov Bell Labs DIMACS/Northeast Big Data Hub Workshop on Privacy and Security for Big Data Apr 25, 2017 You are near Starbucks; here is a special Legislation may require user consent each time
More informationLecture 7. s.t. e = (u,v) E x u + x v 1 (2) v V x v 0 (3)
COMPSCI 632: Approximation Algorithms September 18, 2017 Lecturer: Debmalya Panigrahi Lecture 7 Scribe: Xiang Wang 1 Overview In this lecture, we will use Primal-Dual method to design approximation algorithms
More informationUnderstanding Sources of Inefficiency in General-Purpose Chips
Understanding Sources of Inefficiency in General-Purpose Chips Rehan Hameed Wajahat Qadeer Megan Wachs Omid Azizi Alex Solomatnikov Benjamin Lee Stephen Richardson Christos Kozyrakis Mark Horowitz GP Processors
More informationCS261: A Second Course in Algorithms Lecture #16: The Traveling Salesman Problem
CS61: A Second Course in Algorithms Lecture #16: The Traveling Salesman Problem Tim Roughgarden February 5, 016 1 The Traveling Salesman Problem (TSP) In this lecture we study a famous computational problem,
More informationRTL Coding General Concepts
RTL Coding General Concepts Typical Digital System 2 Components of a Digital System Printed circuit board (PCB) Embedded d software microprocessor microcontroller digital signal processor (DSP) ASIC Programmable
More informationAdam Chlipala University of California, Berkeley ICFP 2006
Modular Development of Certified Program Verifiers with a Proof Assistant Adam Chlipala University of California, Berkeley ICFP 2006 1 Who Watches the Watcher? Program Verifier Might want to ensure: Memory
More informationA VARIETY OF ICS ARE POSSIBLE DESIGNING FPGAS & ASICS. APPLICATIONS MAY USE STANDARD ICs or FPGAs/ASICs FAB FOUNDRIES COST BILLIONS
architecture behavior of control is if left_paddle then n_state
More informationA Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:
A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. Zero Knowledge Protocols 3. Each statement is derived via the derivation rules.
More informationZero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)
Zero Knowledge Protocols c Eli Biham - May 3, 2005 442 Zero Knowledge Protocols (16) A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms.
More informationAnnotations For Sparse Data Streams
Annotations For Sparse Data Streams Justin Thaler, Simons Institute, UC Berkeley Joint Work with: Amit Chakrabarti, Dartmouth Graham Cormode, University of Warwick Navin Goyal, Microsoft Research India
More informationImproving Logic Obfuscation via Logic Cone Analysis
Improving Logic Obfuscation via Logic Cone Analysis Yu-Wei Lee and Nur A. Touba Computer Engineering Research Center University of Texas, Austin, TX 78712 ywlee@utexas.edu, touba@utexas.edu Abstract -
More informationAnalyzing Bitcoin Security. Philippe Camacho
Analyzing Bitcoin Security Philippe Camacho philippe.camacho@dreamlab.net Universidad Católica, Santiago de Chile 15 of June 2016 Bitcoin matters Map Blockchain Design Known Attacks Security Models Double
More informationPARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE
PARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE Raghavan Kumar, University of Massachusetts Amherst Contributions by: Philipp Jovanovic, University of Passau Wayne P. Burleson, University
More informationMulti-Theorem Preprocessing NIZKs from Lattices
Multi-Theorem Preprocessing NIZKs from Lattices Sam Kim and David J. Wu Stanford University Soundness: x L, P Pr P, V (x) = accept = 0 No prover can convince honest verifier of false statement Proof Systems
More informationMemory Bandwidth and Low Precision Computation. CS6787 Lecture 10 Fall 2018
Memory Bandwidth and Low Precision Computation CS6787 Lecture 10 Fall 2018 Memory as a Bottleneck So far, we ve just been talking about compute e.g. techniques to decrease the amount of compute by decreasing
More information1 A Tale of Two Lovers
CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Dec. 12, 2006 Lecture Notes 19 (expanded): Secure Two-Party Computation Recommended Reading. Goldreich Volume II 7.2.2, 7.3.2, 7.3.3.
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Department of Computer Science and Applied Math, Weizmann Institute of Science, Rehovot, Israel. lindell@wisdom.weizmann.ac.il
More informationThe Efficient Server Audit Problem, Deduplicated Re-execution, and the Web
The Efficient Server Audit Problem, Deduplicated Re-execution, and the Web Cheng Tan, Lingfan Yu, Joshua B. Leners*, and Michael Walfish NYU Department of Computer Science, Courant Institute *Two Sigma
More informationHaTCh: State-of-the-Art in Hardware Trojan Detection
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 9a HaTCh follows http://arxiv.org/abs/1605.08413 and https://eprint.iacr.org/2014/943.pdf HaTCh: State-of-the-Art in Hardware Trojan Detection Marten
More informationVerifying Real-World Security Protocols from finding attacks to proving security theorems
Verifying Real-World Security Protocols from finding attacks to proving security theorems Karthik Bhargavan http://prosecco.inria.fr + many co-authors at INRIA, Microsoft Research, Formal security analysis
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationCSC 5930/9010 Modern Cryptography: Digital Signatures
CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM
More informationVerifying computations with state
Verifying computations with state Benjamin Braun, Ariel J. Feldman, Zuocheng Ren, Srinath Setty, Andrew J. Blumberg, and Michael Walfish The University of Texas at Austin University of Pennsylvania Abstract
More informationRecursive Composition and Bootstrapping for SNARKs and Proof-Carrying Data
Recursive Composition and Bootstrapping for SNARKs and Proof-Carrying Data Nir Bitansky nirbitan@tau.ac.il Tel Aviv University Alessandro Chiesa alexch@csail.mit.edu MIT Ran Canetti canetti@tau.ac.il Boston
More informationRational Oblivious Transfer
Rational Oblivious Transfer Xiong Fan xfan@cs.umd.edu Kartik Nayak kartik1507@gmail.com May 14, 2014 Abstract Oblivious transfer is widely used in secure multiparty computation. In this paper, we propose
More information- Presentation 25 minutes + 5 minutes for questions. - Presentation is on Wednesday, 11:30-12:00 in B05-B06
Information: - Presentation 25 minutes + 5 minutes for questions. - Presentation is on Wednesday, 11:30-12:00 in B05-B06 - Presentation is after: Abhi Shelat (fast two-party secure computation with minimal
More informationProgrammable Logic Devices HDL-Based Design Flows CMPE 415
HDL-Based Design Flows: ASIC Toward the end of the 80s, it became difficult to use schematic-based ASIC flows to deal with the size and complexity of >5K or more gates. HDLs were introduced to deal with
More informationDigital System Design Lecture 2: Design. Amir Masoud Gharehbaghi
Digital System Design Lecture 2: Design Amir Masoud Gharehbaghi amgh@mehr.sharif.edu Table of Contents Design Methodologies Overview of IC Design Flow Hardware Description Languages Brief History of HDLs
More informationFormal methods for software security
Formal methods for software security Thomas Jensen, INRIA Forum "Méthodes formelles" Toulouse, 31 January 2017 Formal methods for software security Formal methods for software security Confidentiality
More informationLecture 18 - Chosen Ciphertext Security
Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not
More informationACL2 Challenge Problem: Formalizing BitCryptol April 20th, John Matthews Galois Connections
ACL2 Challenge Problem: Formalizing BitCryptol April 20th, 2005 John Matthews Galois Connections matthews@galois.com Roadmap SHADE verifying compiler Deeply embedding Cryptol semantics in ACL2 Challenge
More informationNon-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers
Non-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers Rosario Gennaro Craig Gentry Bryan Parno February 1, 2010 bstract Verifiable Computation enables a computationally weak
More informationEfficient Data Structures for Tamper-Evident Logging
Efficient Data Structures for Tamper-Evident Logging Scott A. Crosby Dan S. Wallach Rice University Everyone has logs Tamper evident solutions Current commercial solutions Write only hardware appliances
More informationChapter 1 Overview of Digital Systems Design
Chapter 1 Overview of Digital Systems Design SKEE2263 Digital Systems Mun im/ismahani/izam {munim@utm.my,e-izam@utm.my,ismahani@fke.utm.my} February 8, 2017 Why Digital Design? Many times, microcontrollers
More informationHardware/Software Partitioning for SoCs. EECE Advanced Topics in VLSI Design Spring 2009 Brad Quinton
Hardware/Software Partitioning for SoCs EECE 579 - Advanced Topics in VLSI Design Spring 2009 Brad Quinton Goals of this Lecture Automatic hardware/software partitioning is big topic... In this lecture,
More informationLecture 6: Arithmetic and Threshold Circuits
IAS/PCMI Summer Session 2000 Clay Mathematics Undergraduate Program Advanced Course on Computational Complexity Lecture 6: Arithmetic and Threshold Circuits David Mix Barrington and Alexis Maciel July
More informationSide channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut
Side channel attack: Power Analysis Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut Conventional Cryptanalysis Conventional cryptanalysis considers crypto systems as mathematical objects Assumptions:
More informationEfficient Private Information Retrieval
Efficient Private Information Retrieval K O N S T A N T I N O S F. N I K O L O P O U L O S T H E G R A D U A T E C E N T E R, C I T Y U N I V E R S I T Y O F N E W Y O R K K N I K O L O P O U L O S @ G
More informationSecure Multi-Party Computation Without Agreement
Secure Multi-Party Computation Without Agreement Shafi Goldwasser Department of Computer Science The Weizmann Institute of Science Rehovot 76100, Israel. shafi@wisdom.weizmann.ac.il Yehuda Lindell IBM
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationIndistinguishable Proofs of Work or Knowledge
Indistinguishable Proofs of Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang ASIACRYPT 2016 8th December, Hanoi, Vietnam Motivation (ZK) Proofs of Knowledge - PoK
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Michael J. Fischer Lecture 4 September 11, 2017 CPSC 467, Lecture 4 1/23 Analyzing Confidentiality of Cryptosystems Secret ballot elections Information protection Adversaries
More informationvsql: Verifying Arbitrary SQL Queries over Dynamic Outsourced Databases
2017 IEEE Symposium on Security and Privacy vsql: Verifying Arbitrary SQL Queries over Dynamic Outsourced Databases Yupeng Zhang, Daniel Genkin,, Jonathan Katz, Dimitrios Papadopoulos, and Charalampos
More informationApplication to More Efficient Obfuscation
Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Program Obfuscation [BGIRSVY01, GGHRSW13] Indistinguishability obfuscation (io)
More informationToday. Lecture 4: Last time. The EM algorithm. We examine clustering in a little more detail; we went over it a somewhat quickly last time
Today Lecture 4: We examine clustering in a little more detail; we went over it a somewhat quickly last time The CAD data will return and give us an opportunity to work with curves (!) We then examine
More informationINDUSTRIAL ZERO-KNOWLEDGE PROVING SYSTEM
INDUSTRIAL ZERO-KNOWLEDGE PROVING SYSTEM INTRODUCTION Consider what we might mean by the term industrial proving system. The broad functionality is clear. An organization, motivated by the competing aims
More informationMulti-Party 2 Computation Part 1
ECRYPT.NET Cloud Summer School Multi-Party 2 Computation Part 1 Claudio Orlandi, Aarhus University Plan for the next 3 hours Part 1: Secure Computation with a Trusted Dealer Warmup: One-Time Truth Tables
More informationDesign Verification Lecture 01
M. Hsiao 1 Design Verification Lecture 01 Course Title: Verification of Digital Systems Professor: Michael Hsiao (355 Durham) Prerequisites: Digital Logic Design, C/C++ Programming, Data Structures, Computer
More informationOutline. Proof Carrying Code. Hardware Trojan Threat. Why Compromise HDL Code?
Outline Proof Carrying Code Mohammad Tehranipoor ECE6095: Hardware Security & Trust University of Connecticut ECE Department Hardware IP Verification Hardware PCC Background Software PCC Description Software
More informationArchitecture and Partitioning - Architecture
Architecture and Partitioning - Architecture Architecture Management, Marketing and Senior Project Engineers work together to define product requirements. The product requirements will set cost, size and
More informationPricing of Derivatives by Fast, Hardware-Based Monte-Carlo Simulation
Pricing of Derivatives by Fast, Hardware-Based Monte-Carlo Simulation Prof. Dr. Joachim K. Anlauf Universität Bonn Institut für Informatik II Technische Informatik Römerstr. 164 53117 Bonn E-Mail: anlauf@informatik.uni-bonn.de
More informationAdvanced FPGA Design Methodologies with Xilinx Vivado
Advanced FPGA Design Methodologies with Xilinx Vivado Alexander Jäger Computer Architecture Group Heidelberg University, Germany Abstract With shrinking feature sizes in the ASIC manufacturing technology,
More informationThe design of a programming language for provably correct programs: success and failure
The design of a programming language for provably correct programs: success and failure Don Sannella Laboratory for Foundations of Computer Science School of Informatics, University of Edinburgh http://homepages.inf.ed.ac.uk/dts
More informationAn Interface Specification Language for Automatically Analyzing Cryptographic Protocols
An Interface Specification Language for Automatically Analyzing Cryptographic Protocols Internet Society Symposium on Network and Distributed System Security February 10-11, 1997 San Diego Princess Resort,
More informationTesting & Verification of Digital Circuits ECE/CS 5745/6745. Hardware Verification using Symbolic Computation
Testing & Verification of Digital Circuits ECE/CS 5745/6745 Hardware Verification using Symbolic Computation Instructor: Priyank Kalla (kalla@ece.utah.edu) 3 Credits Mon, Wed 1:25-2:45pm, WEB 2250 Office
More informationMasking vs. Multiparty Computation: How Large is the Gap for AES?
Masking vs. Multiparty Computation: How Large is the Gap for AES? Vincent Grosso 1, François-Xavier Standaert 1, Sebastian Faust 2. 1 ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Belgium.
More informationCryptographically Sound Implementations for Typed Information-Flow Security
FormaCrypt, Nov 30. 2007 Cryptographically Sound Implementations for Typed Information-Flow Security Cédric Fournet Tamara Rezk Microsoft Research INRIA Joint Centre http://msr-inria.inria.fr/projects/sec/cflow
More informationTrojan-tolerant Hardware & Supply Chain Security in Practice
Trojan-tolerant Hardware & Supply Chain Security in Practice Who we are Vasilios Mavroudis Doctoral Researcher, UCL Dan Cvrcek CEO, Enigma Bridge George Danezis Professor, UCL Petr Svenda CTO, Enigma Bridge
More informationTHE globalization of the semiconductor supply chain
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 12, NO. 2, FEBRUARY 2017 405 Eliminating the Hardware-Software Boundary: A Proof-Carrying Approach for Trust Evaluation on Computer Systems
More informationArgon2 for password hashing and cryptocurrencies
Argon2 for password hashing and cryptocurrencies Alex Biryukov, Daniel Dinu, Dmitry Khovratovich University of Luxembourg 2nd April 2016 Motivation Password-based authentication Keyless password authentication:
More informationLecture 4a. CMOS Fabrication, Layout and Simulation. R. Saleh Dept. of ECE University of British Columbia
Lecture 4a CMOS Fabrication, Layout and Simulation R. Saleh Dept. of ECE University of British Columbia res@ece.ubc.ca 1 Fabrication Fabrication is the process used to create devices and wires. Transistors
More informationBounded-Concurrent Secure Two-Party Computation Without Setup Assumptions
Bounded-Concurrent Secure Two-Party Computation Without Setup Assumptions Yehuda Lindell IBM T.J.Watson Research 19 Skyline Drive, Hawthorne New York 10532, USA lindell@us.ibm.com ABSTRACT In this paper
More informationAn Automated Tool for Evaluating Hardware Trojans and Detection Methods
Int'l Conf. Security and Management SAM'16 213 An Automated Tool for Evaluating Hardware Trojans and Detection Methods Nicholas Houghton, Samer Moein, Fayez Gebali, and T. Aaron Gulliver Department of
More informationVerilog. What is Verilog? VHDL vs. Verilog. Hardware description language: Two major languages. Many EDA tools support HDL-based design
Verilog What is Verilog? Hardware description language: Are used to describe digital system in text form Used for modeling, simulation, design Two major languages Verilog (IEEE 1364), latest version is
More informationSecuring FPGA-Based Obsolete Component Replacement for Legacy Systems
Securing FPGA-Based Obsolete Component Replacement for Legacy Systems Zhiming Zhang 1, Laurent Njilla 2, Charles Kamhoua 3, Kevin Kwiat 2, and Qiaoyan Yu 1 1 Department of Electrical and Computer Engineering,
More information"On the Capability and Achievable Performance of FPGAs for HPC Applications"
"On the Capability and Achievable Performance of FPGAs for HPC Applications" Wim Vanderbauwhede School of Computing Science, University of Glasgow, UK Or in other words "How Fast Can Those FPGA Thingies
More informationNotes for Lecture 5. 2 Non-interactive vs. Interactive Key Exchange
COS 597C: Recent Developments in Program Obfuscation Lecture 5 (9/29/16) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 5 1 Last Time Last time, we saw that we can get public
More informationFPGA introduction 2008
FPGA introduction 2008 ecos is a registered trademark of ecoscentric Limited Øyvind Harboe, General Manager, Zylin AS What is an FPGA? Field Programmable Gate Array Not necessarily reprogrammable (anti-fuse,
More informationDefining Encryption. Lecture 2. Simulation & Indistinguishability
Defining Encryption Lecture 2 Simulation & Indistinguishability Roadmap First, Symmetric Key Encryption Defining the problem We ll do it elaborately, so that it will be easy to see different levels of
More informationImplementing MATLAB Algorithms in FPGAs and ASICs By Alexander Schreiber Senior Application Engineer MathWorks
Implementing MATLAB Algorithms in FPGAs and ASICs By Alexander Schreiber Senior Application Engineer MathWorks 2014 The MathWorks, Inc. 1 Traditional Implementation Workflow: Challenges Algorithm Development
More informationEE 466/586 VLSI Design. Partha Pande School of EECS Washington State University
EE 466/586 VLSI Design Partha Pande School of EECS Washington State University pande@eecs.wsu.edu Lecture 18 Implementation Methods The Design Productivity Challenge Logic Transistors per Chip (K) 10,000,000.10m
More informationSIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017
SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017 WHAT WE DO What we do Robust and Efficient Cryptographic Protocols Research in Cryptography and
More informationBounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority
Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority Rafael Pass Massachusetts Institute of Technology pass@csail.mit.edu June 4, 2004 Abstract We show how to securely realize any
More informationLecture 12. Algorand
Lecture 12 Algorand Proof-of-Stake Virtual Mining Proof of Stake Bitcoin uses proof of work to address sybil attacks and implement consensus Philosophy: Chance of winning in a block mining round proportional
More informationESE534: Computer Organization. Previously. Today. Preclass. Why Registers? Latches, Registers
ESE534: Computer Organization Previously Day 4: January 25, 2012 Sequential Logic (FSMs, Pipelining, FSMD) Boolean Logic Gates Arithmetic Complexity of computations E.g. area and delay for addition 1 2
More informationA Security Infrastructure for Trusted Devices
Infrastructure () A Security Infrastructure for Trusted Devices Mahalingam Ramkumar Mississippi State University, MS Nasir Memon Polytechnic University, Brooklyn, NY January 31, 2005 Infrastructure ()
More informationICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification
ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another
More information