Applications of Verifiable Privacy-Preserving Computing

Table of Links

Abstract & Introduction

Preliminaries

Zero-knowledge proofs and verifiable computing

Privacy-preserving computations

Requirements: an application’s perspective

Verifiable, privacy-preserving computing

Open challenges and future directions

Conclusion & References

5. Requirements: an application’s perspective

In this section, we discuss how verifiability is combined with privacy-preserving computing in practical settings that are frequently observed for verifiability and/or privacypreserving computations. We discuss two frequent scenarios: verifiable outsourcing and blockchain; and two use cases showing specific requirements: e-voting and genomics. These were the most frequently observed scenarios and use cases in existing literature.

For each application we summarize the domain-specific requirements and efficiency trade-offs, that answer RQ2 when combined. Each property has a specific mark X assigned, that will be used for reference in subsequent sections.

5.1. Verifiable outsourcing

One of the first and most straightforward applications of verifiable PETs is that of verifiable outsourcing, where a (group of) data owner(s) outsource(s) a costly computation to a computing party with more resources. This computing party produces a computation result as well as a ZKP, trusted execution environment (TEE) attestation, or MAC to guarantee correctness. When the used verification method allows for verification that is more efficient than the original computation, the scheme is considered efficient.

Pinocchio [21] was one of the first efficient ZKP schemes for general computations, making it practical for verifiable outsourcing. Since then, many new ZKPs schemes with better efficiency or security have been constructed, e.g., [22], [25], [49], [50].

However, when applying these schemes directly, they do not provide data privacy in most use cases, even though this is a necessity when computing over private data distributed over multiple parties. Since, in most cases, only the clients that outsource their computation need to be able to guarantee correctness, public verifiability is often not necessary.

Most importantly, verifiable outsourcing is only beneficial when the verification (and/or preprocessing) time of the clients is significantly smaller than the time it would take to compute the outcome by themselves, i.e., the solution should be efficient.

5.2. Blockchain

Blockchain was introduced as a platform to realize decentralized online currency, but has since become a much broader platform. The recent surge in blockchain and DLT applications, such as dApps, has also had significant impact on the development of new ZKP schemes, an important solution for verifiability.

However, blockchain applications also frequently rely upon ZKPs to provide applications that guarantee correctness, whilst maintaining privacy. Examples of such applications range from private monetary transactions, e.g., Zerocash [7], Zether [26], and others [51], [52], to private smart contracts, e.g., Hawk [53], and decentralized private computation (DPC), e.g., ZEXE [54].

Due to the decentralized nature of blockchain, with a lack of central authority to guarantee correctness over private data, verifiable computing methods are a logical, and often unavoidable, solution. For most blockchain applications, regular verifiability will often not be sufficient. Since every (future) connected party must be able to verify any message posted to the blockchain, public verifiability is a necessary requirement.

To prevent scaling issues in blockchain applications, developers attempt to keep verification times low, and onchain messages as small as possible. Therefore, solutions that sacrifice prover time for lower verification times and sublinear (or constant) sized verification messages are favorable. Finally, we note that interactive protocols are, generally speaking, not suitable for distributed ledgers as that would require direct communication, conflicting the principles of DLT. Since non-interactivity is a prerequisite for public verifiability, we do not include this requirement by itself.

5.3. Verifiable privacy-preserving genomics

Usage of privacy-preserving computations in genomics has taken a big leap in the past decade [55], [56], [57] and even led to a yearly competition on human genome privacy [58], [59], [60], with specific tracks on the use of PETs and blockchain.

The first application of verifiable computing in the genomic domain is discussed in [61], as far as we are aware. Specifically, the authors propose the use of HE and homomorphic MACs to outsource computation of the disease susceptibility (DS) score to a third party in a privacypreserving and verifiable manner. The increase in efficient methods for verifiable computing in recent years, has also led to the first solutions in this domain.

A method to perform an elastic net regression among multiple parties in a privacy-preserving manner, by outsourcing the computation to a pair of non-colluding cloud providers, is proposed in [62]. Correctness of the result is guaranteed by verifying that the evaluation of the final gradient is close to zero.

[63] presents a solution for evaluating secure count or top-k queries on multi-source genomic data. All data is encrypted using an additively homomorphic encryption scheme and shared with two non-colluding cloud providers. The cloud parties evaluate the query, with privacy of query, input data, and result, and use MACs to guarantee correctness. [64] presents a verifiable homomorphic secret sharing scheme for evaluating polynomials of low degree. Verifiable genomic analyses, and verifiable computations on outsourced data are mentioned as possible use cases.

Lastly, [65] computes the minor allele frequency (MAF) score over multi-source data in a blockchain setting. The more expensive computations, those on additively HE ciphertexts, are performed off-chain, ZKPs are used to guarantee correctness thereof.

It is clear that the use cases in genomics are very diverse and have different requirements regarding efficiency or which parties can verify. However, it is abundantly clear that genomic data requires strong privacy guarantees. Due to the long-livedness of genomic data, i.e., a person’s genome also reveals significant private information on their family and descendants, store-now-decrypt-later attacks form a serious risk, especially at the dawn of practical quantum computing [66]. The use of post-quantum secure solutions should therefore be seriously considered for any work in the genomic domain.

5.4. Verifiable e-voting

An electronic voting system allows a population to cast their votes using electronic rather than physical means. The need for data privacy follows directly from the fact that, in general, elections and voting processes require voter privacy. Using verifiability techniques to make elections completely verifiable by the general public has been a topic of active research for many years, e.g., [67], [68].

The developments in blockchain and more efficient ZKPs have led to many new proposals for e-voting solutions. [69] discusses the use of NIZK proofs to make threshold homomorphic encryption-based voting secure. A novel SNARK-friendly, additively-homomorphic verifiable encryption scheme is proposed and applied to verify vote validity is presented in [9]. Recently, [70] proposes an end-to-end verifiable and secret election scheme, based on NIZKs and MPC. Blockchains and cloud servers can both be used to store the secure ballots.

It is easy to see that public verifiability is a requirement in verifiable e-voting schemes. Next to this, trust is one of the most important factors to guarantee that e-voting schemes are to be adopted in practice [71]. It may therefore make sense, to only use solutions that are post-quantum secure and rely on standard assumptions to improve the level of trust, potentially at the cost of some efficiency.