Published by Lorena Surgener. Modified over 3 years ago.

1
Coin Tossing With A Man In The Middle
Boaz Barak

2
Man In The Middle (MIM) Attack
Right, Left – two-party protocol
Middle – adversary completely controls communication
No shared secrets between Left & Right
No trusted parties or public information (e.g., no PKI)

3
Two Unavoidable Adversary Strategies
[Diagram: Left, Middle, Right; Left Session, Right Session]
Relaying Strategy - Adversary is transparent
Blocking Strategy - Adversary follows honest strategy independently in each session
Intuitive Goal: Design protocols s.t. the adversary is essentially limited to the unavoidable strategies.

4
Example: Commitment Scheme
[Diagram: Left, Middle, Right; Left Session, Right Session]
Input:
Com. Value:
If Adv. relaying then =
If Adv. blocking then independent of
Scheme is non-malleable [DDN91] if either = or and are (computationally) independent
Non-malleability = Intuitive goal

5
Comparison: MIM vs. Non-Malleability
MIM Model: Adversary between 2 parties that want to talk to each other. Preferred strategy: relaying
NM Model: Two sessions with 2 out of the 4 parties cooperating maliciously. Preferred strategy: blocking

6
Summary
Our goal: construct protocols s.t. the adversary is essentially restricted to use either blocking or relaying.
Technically: same as non-malleability [DDN]
However: we don't take a moral stand on which unavoidable strategy is better.

7
Previous Work*:
NM Commit w/ O(log n) rounds [DDN91]
NM Zero-Knowledge w/ O(log n) rounds [DDN91]
This Work:
NM Commit w/ O(1) rounds
NM Zero-Knowledge w/ O(1) rounds
Different Techniques (e.g., Non-Black-Box Proof of Security)
Generic transformation from SRS model to plain model.
* See next slide for works in shared reference string (SRS) model

8
The Shared Random String Model (SRS)
[Diagram: Dealer sends r to each party; parties run ref (r)]
NM Commit w/ 1-round [DIO98,DKOS01]
NM Zero-Knowledge w/ 1-round [Sah99,DDOPS01]

9
Our Approach: Convert ref
[Diagram: Left, Middle, Right; each party runs Coin-Tossing (Output: r), then runs ref (r)]
Informal Def: Coin-tossing is Non-Malleable if either r=r or r is (computationally) random & independent from r
If r=r : same as in SRS execution!
If r indp. from r: formally different from SRS. However, if ref is Natural then it is still secure!
Thm: If ∃ constant-round NM coin-tossing then ∃ constant-round NM commitment scheme and ZK argument.

10
Our Approach: Convert ref
[Diagram: Left, Middle, Right; Coin-Tossing, Output: r]
Informal Def: Coin-tossing is Non-Malleable if either r=r or r is (computationally) random & independent from r
Thm: If ∃ constant-round NM coin-tossing then ∃ constant-round NM commitment scheme and ZK argument.
Our Goal: Design a constant-round non-malleable coin-tossing protocol.
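The relaying and blocking strategies from the earlier slide, played against a plain commit-then-XOR coin toss, as an added example that is not from the talk. The SHA-256 hash commitment, the 16-byte share length and all class and function names are assumptions, and the sketch omits the WIP/BOGUS step of the later slides, so it only illustrates the two outcomes the informal definition allows.

```python
import hashlib
import secrets

N = 16  # share length in bytes (constructed parameter)

def commit(value):
    """Hash commitment standing in for Comm (an assumption, not the talk's scheme)."""
    nonce = secrets.token_bytes(32)
    return hashlib.sha256(nonce + value).digest(), nonce

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Committer:
    """Honest first mover: commits to a share, opens it after seeing the reply."""
    def start(self):
        self.share = secrets.token_bytes(N)
        self.com, self.nonce = commit(self.share)
        return self.com
    def open(self, other_share):
        self.r = xor(self.share, other_share)
        return self.share, self.nonce

class Responder:
    """Honest second mover: replies with a fresh share, then checks the opening."""
    def reply(self, com):
        self.com, self.share = com, secrets.token_bytes(N)
        return self.share
    def finish(self, share, nonce):
        if hashlib.sha256(nonce + share).digest() != self.com:
            raise ValueError("opening does not match commitment")
        self.r = xor(share, self.share)
        return self.r

def run_relaying():
    """Middle forwards every message unchanged between Left and Right."""
    left, right = Committer(), Responder()
    share, nonce = left.open(right.reply(left.start()))
    return left.r, right.finish(share, nonce)

def run_blocking():
    """Middle plays an independent honest party in each session."""
    left, right = Committer(), Responder()
    mid_as_right, mid_as_left = Responder(), Committer()
    mid_as_right.finish(*left.open(mid_as_right.reply(left.start())))
    return left.r, right.finish(*mid_as_left.open(right.reply(mid_as_left.start())))

if __name__ == "__main__":
    print(run_relaying(), run_blocking())
```

Each function returns the pair (Left's output, Right's output): relaying always yields equal strings, blocking yields two independently sampled ones.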

11
Outline
Our goal: construct a constant-round NM coin-tossing protocol.
In the paper: we (define and) construct such a protocol.
Now: we solve a related toy problem and then an even more related bigger problem

12
A Toy Problem
[Diagram: Left, Middle, Right; Coin-Tossing, Output: r]
Informal Def: Coin-tossing is Non-Malleable if either r=r or r is (computationally) random & independent from r
Toy Problem: Design a coin-tossing protocol such that w.h.p. r rev(r)
rev(r_1 … r_n) = r_n r_(n-1) … r_1

13
A Protocol Solving the Toy Problem
[Protocol diagram: Left, Middle, Right]
Left session: 1 ∈_R {0,1}^n; 2 ∈_R {0,1}^n; messages: Comm( 1 ), 2, r = 1 ⊕ 2, WIP: r = 1 ⊕ 2 or r ∈ BOGUS; Output: r
Right session: 2 ∈_R {0,1}^n; messages: 2, Comm( 1 ), r, WIP: r = 1 ⊕ 2 or r ∈ BOGUS; Output: r
Thm: w.h.p. r rev(r)
Observation: possibly false w/o BOGUS condition.

14
Proof: Suppose that r=rev(r) with non-negligible probability.
[Protocol diagram: Left, Middle, Right]
Left session: 1 ∈_R {0,1}^n; messages: Comm( 1 ), 2, r = 1 ⊕ 2, WIP: r = 1 ⊕ 2 or r ∈ BOGUS
Right session: 2 ∈_R {0,1}^n; messages: 2, Comm( 1 ), r=rev(r), WIP: r = 1 ⊕ 2 or r ∈ BOGUS
BOGUS properties:
BOGUS is pseudorandom
For every r ∈ BOGUS, rev(r) BOGUS
r ∈_R BOGUS
r=rev(r) 1 ⊕ 2
r=rev(r) BOGUS
WIP: r = 1 ⊕ 2 or r ∈ BOGUS

15
A Bigger Problem

16
A Bigger Problem
[Diagram: Left, Middle, Right; Coin-Tossing, Output: r]
Informal Def: Coin-tossing is Non-Malleable if either r=r or r is (computationally) random & independent from r
Toy Problem: Design a coin-tossing protocol such that w.h.p. r rev(r)
Bigger Problem: Design a coin-tossing protocol such that w.h.p. r S(r) for all interesting relations S(·)
Def: S is interesting if it is decidable in uniform poly-time and ∀ r
1) r S(r) (Can't hit S using relaying)
2) Pr_y[ y ∈ S(r) ] < (|x|) (Can't hit S using blocking)
Fix (n) = n^(-10 log n)

17
Solving the Bigger Problem
[Protocol diagram: Left, Middle, Right]
Left session: 1 ∈_R {0,1}^n; 2 ∈_R {0,1}^n; messages: Comm( 1 ), 2, r = 1 ⊕ 2, WIP: r = 1 ⊕ 2 or r ∈ BOGUS; Output: r
Right session: 2 ∈_R {0,1}^n; messages: 2, Comm( 1 ), r, WIP: r = 1 ⊕ 2 or r ∈ BOGUS; Output: r
Thm: if Middle is uniform PPT then ∀ interesting S, Pr[ r ∈ S(r) ] = negl(n)

18
Proof: Suppose that r ∈ S(r) with non-negligible probability.
[Protocol diagram: Left, Middle, Right]
Left session: 1 ∈_R {0,1}^n; messages: Comm( 1 ), 2, r = 1 ⊕ 2, WIP: r = 1 ⊕ 2 or r ∈ BOGUS
Right session: 2 ∈_R {0,1}^n; messages: 2, Comm( 1 ), r ∈ S(r), WIP: r = 1 ⊕ 2 or r ∈ BOGUS
BOGUS properties:
BOGUS is pseudorandom w.r.t. uniform PPT
For every r ∈ BOGUS and interesting S, S(r) ∩ BOGUS = ∅
BOGUS ∈ SUBEXP
r ∈_R BOGUS
WIP: r = 1 ⊕ 2 or r ∈ BOGUS
r BOGUS
r 1 ⊕ 2
S(r)

19
Constructing the set BOGUS
BOGUS properties:
1. BOGUS is pseudorandom w.r.t. uniform PPT
2. For every r ∈ BOGUS and interesting S, S(r) ∩ BOGUS = ∅
3. BOGUS ∈ SUBEXP
Claim 1: A random subset B ⊆ {0,1}^n of size n^(log n) satisfies properties 1&2 w.h.p.
Claim 2: If ∃ sub-exponentially hard OWF then can choose such B using polylog(n) (instead of 2^polylog(n)) coins.
Claim 3: If ∃ sub-exponentially hard OWF then for B ⊆ {0,1}^n of size n^(log n) can check in 2^polylog(n) steps if B satisfies properties 1&2.
For each n go over all possible coin tosses for choosing B. We define BOGUS ∩ {0,1}^n to be the first set that satisfies properties 1&2.
Then, BOGUS ∈ Dtime(2^polylog(n)) ⊆ SUBEXP

20
Beyond the bigger problem
Additional modifications needed for security against non-uniform adversaries.
Security proof involves non-black-box use of adversary's code.
Actual NM coin-tossing def follows ideal functionality paradigm. Modifications to protocol needed to satisfy actual def.
Some technical difficulties arise with non-synchronizing schedules. Can be solved using multiple rewinding opportunities à la [RK] (similar to [GL])

21
Conclusions & Open Questions
First constant-round NM Commit & NM ZK in plain model.
Quite general transformation from SRS model to plain MIM model.
Another positive application of non-black-box techniques.
Generalize to other applications? more parties?
Acknowledgements: Alon Rosen

22
The End
