Download presentation

Presentation is loading. Please wait.

Published byLorena Surgener Modified over 3 years ago

1
Coin Tossing With A Man In The Middle Boaz Barak

2
RightLeft – two party protocol Middle Adversary completely controls communication No shared secrets between left & right No trusted parties or public information (e.g., no PKI) Man In The Middle (MIM) Attack

3
Two Unavoidable Adversary Strategies LeftMiddleRight Left SessionRight Session Relaying Strategy - Adversary is transparent Blocking Strategy - Adversary follows honest strategy independently in each session Intuitive Goal: Design protocols s.t. adversay is essentially limited to unavoidable strategies.

4
Example: Commitment Scheme LeftMiddleRight Left SessionRight Session Input: Com. Value: If Adv. relaying then = If Adv. blocking then independent of Scheme is non-malleable [DDN91] if either = or and are (computationally) independent Non-malleability = Intuitive goal

5
Comparison: MIM vs. Non-Malleability MIM Model: Adversary between 2 parties that want to talk to each other. Preferred strategy: relaying NM Model: Two sessions with 2 out of the 4 parties cooperating maliciously. Preferred strategy: blocking

6
Our goal: construct protocols s.t. adversary is essentially restricted to use either blocking or relaying. Technically: same as non-malleabllity [DDN] However: we dont take a moral stand which unavoidable strategy is better. Summary

7
Previous Work * : NM Commit w/ O(log n) rounds [DDN91] NM Zero-Knowledge w/ O(log n) rounds [DDN91] This Work: NM Commit w/ O(1) rounds NM Zero-Knowledge w/ O(1) rounds Different Techniques (e.g., Non-Black-Box Proof of Security) Generic transformation from SRS model to plain model. * See next slide for works in shared reference string (SRS) model

8
The Shared Random String Model (SRS) Dealer rrr NM Commit w/ 1-round [DIO98,DKOS01] NM Zero-Knowledge w/ 1-round [Sah99,DDOPS01] ref (r)

9
Our Approach: Convert ref Left Coin-Tossing Output: r Run ref (r) Coin-Tossing Output: r Run ref (r) Coin-Tossing Output: r Run ref (r) Informal Def: Coin-tossing is Non-Malleable if either r=r or r is (computationally) random & independent from r If r=r : same as in SRS execution! If r indp. from r: formally different from SRS However, if ref is Natural then it is still secure! Thm: If 9 constant-round NM coin-tossing then 9 constant-round NM commitment scheme and ZK argument. MiddleRight

10
Our Approach: Convert ref Coin-Tossing Output: r Informal Def: Coin-tossing is Non-Malleable if either r=r or r is (computationally) random & independent from r Thm: If 9 constant-round NM coin-tossing then 9 constant-round NM commitment scheme and ZK argument. Our Goal: Design a constant-round non-malleable coin-tossing protocol. LeftMiddleRight

11
Our goal: construct a constant-round NM coin- tossing protocol. In the paper: we (define and) construct such a protocol. Now: we solve a related toy problem and then an even more related bigger problem Outline

12
Toy Problem: Design a coin-tossing protocol such that w.h.p. r rev(r) Informal Def: Coin-tossing is Non-Malleable if either r=r or r is (computationally) random & independent from r rev(r 1 …r n ) = r n r n-1 … r 1 Coin-Tossing Output: r LeftMiddleRight A Toy Problem

13
Left Comm( 1 ) 2 r= 1 © 2 WIP r= 1 © 2 or r 2 BOGUS 1 2 R {0,1} n 2 2 R {0,1} n Output: r 2 Comm( 1 ) r Output: r 2 2 R {0,1} n WIP r= 1 © 2 or r 2 BOGUS Thm: w.h.p. r rev(r) Observation: possibly false w/o BOGUS condition. MiddleRight A Protocol Solving the Toy Problem

14
Proof: Suppose that r=rev(r) with non-neg prob. Comm( 1 ) 2 r= 1 © 2 WIP r= 1 © 2 or r 2 BOGUS 1 2 R {0,1} n 2 Comm( 1 ) r=rev(r) 2 2 R {0,1} n WIP r= 1 © 2 or r 2 BOGUS r 2 R BOGUS BOGUS is pseudorandom For every r 2 BOGUS, rev(r) BOGUS r=rev(r) 1 © 2 r=rev(r) BOGUS BOGUS properties: Left Right WIP r= 1 © 2 or r 2 BOGUS Middle

15
A Bigger Problem

16
Bigger Problem: Design a coin-tossing protocol such that w.h.p. r S(r) for all interesting relations S( ¢ ) Informal Def: Coin-tossing is Non-Malleable if either r=r or r is (computationally) random & independent from r Coin-Tossing Output: r LeftMiddleRight Def: S is interesting if it is decidable in uniform poly-time and 8 r 1) r S(r) (Cant hit S using relaying) 2) Pr y [ y 2 S(r) ] < (|x|) (Cant hit S using blocking) Toy Problem: Design a coin-tossing protocol such that w.h.p. r rev(r) A Bigger Problem Fix (n)=n - 10log n

17
Left Comm( 1 ) 2 r= 1 © 2 WIP r= 1 © 2 or r 2 BOGUS 1 2 R {0,1} n 2 2 R {0,1} n Output: r 2 Comm( 1 ) r Output: r 2 2 R {0,1} n WIP r= 1 © 2 or r 2 BOGUS Thm: if Middle is uniform PPT then 8 interesting S Pr[ r 2 S(r) ]=negl(n) MiddleRight Solving the Bigger Problem

18
Proof: Suppose that r 2 S(r) with non-neg prob. Comm( 1 ) 2 r= 1 © 2 WIP r= 1 © 2 or r 2 BOGUS 1 2 R {0,1} n 2 Comm( 1 ) r 2 S(r) 2 2 R {0,1} n WIP r= 1 © 2 or r 2 BOGUS r 2 R BOGUS BOGUS is pseudorandom w.r.t. uniform PPT For every r 2 BOGUS and interesting S, S(r) Å BOGUS= ; BOGUS properties: Left Right WIP r= 1 © 2 or r 2 BOGUS Middle BOGUS 2 SUBEXP r BOGUS r 1 © 2 S(r)

19
Claim 1: A random subset B µ {0,1} n of size n log n satisfies properties 1&2 w.h.p. Claim 2: If 9 sub-exponentially hard OWF then can choose such B using polylog(n) (instead of 2 polylog(n) ) coins. For each n go over all possible coin tosses for choosing B We define BOGUS Å {0,1} n to be the first set that satisfies properties 1&2. Then, BOGUS 2 Dtime(2 polylog(n) ) µ SUBEXP 1. BOGUS is pseudorandom w.r.t. uniform PPT 2. For every r 2 BOGUS and interesting S, S(r) Å BOGUS= ; BOGUS properties: 3. BOGUS 2 SUBEXP Constructing the set BOGUS Claim 3: If 9 sub-exponentially hard OWF then for B µ {0,1} n of size n log n can check in 2 polylog(n) steps if B satisfies properties 1&2.

20
Additional modifications needed for security against non-uniform adversaries. Security proof involves non-black-box use of adversarys code. Actual NM coin-tossing def follows ideal functionality paradigm. Modifications to protocol needed to satisfy actual def. Some technical difficulties arise with non-syncrhonizing schedules. Can be solved using multiple rewinding opportunities a-la [RK] (similar to [GL]) Beyond the bigger problem

21
Conclusions & Open Questions First constant-round NM Commit & NM ZK in plain model. Quite general transformation from SRS model to plain MIM model. Another positive application of non-black-box techniques. Generalize to other applications? more parties? Acknowledgements: Alon Rosen

22
The End

Similar presentations

OK

On Non-Black-Box Proofs of Security Boaz Barak Princeton.

On Non-Black-Box Proofs of Security Boaz Barak Princeton.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google