
1 Secure Composition of Cryptographic Protocols. Vipul Goyal, Microsoft Research, India.


3 Secure Computation Protocols [Yao86, GMW87]
[Figure: parties holding inputs x1, x2, x3, x4 jointly compute f(x1, x2, x3, x4).]
No party learns any information other than f(x1, x2, x3, x4).

4 Secure Computation Protocols (contd.)
General positive results [Yao86, GMW87]: secure protocols can be constructed for any poly-time computable functionality.
Designing cryptographic protocols was a difficult and error-prone task; these results show that the design can in fact be automated.
Secure computation has been a vibrant research area for the past two decades, with a large body of published literature.

5 Concurrent Security
The classical results hold only in the standalone setting, where there is a single protocol execution.
Network setting: possibility of a man-in-the-middle attack.

6 General Concurrent Setting
A very realistic setting, e.g., protocols running over the Internet.

7 Concurrent Security: Model View

8 Concurrent Security
Strong and far-reaching impossibility results in the plain model [CF01, Lin03a, Lin03b, CKL03, Lin04, BPS06].
We will later show an example of an attack on protocols in the concurrent setting.

9 Talk Overview
Chosen protocol attack to break security in the concurrent setting
Natural way of constructing concurrent protocols and the main problem that arises
The general paradigm to construct concurrent protocols
Multiple ideal call model
Prediction paradigm
Resettable computation protocols
Conclusion and open problems

10 Chosen Protocol Attack
Consider any protocol π for the ZK (AOK) functionality: the prover proves that it knows w.
A second protocol π' is chosen according to π. In π': if party1 can successfully prove knowledge of w (a proof that a verifier of π would accept), party2 gives out w itself (mutual authentication).
Both protocols are secure standalone. Note that the adversary can get w in the real world.
[Figure: the adversary relays between a π session and a π' session and obtains w.]

11 Chosen Protocol Attack: Ideal World
The adversary has no way of proving the statement when π is replaced by its ideal execution.
This shows the impossibility of such a π even when there are only 2 executions.
[Figure: the ideal execution of π outputs only 0/1, so the adversary cannot obtain w.]
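A runnable toy model of the chosen protocol attack on the two slides above, added here as an illustration (it is not code from the talk or from any of the cited papers): π is an interactive Schnorr-style proof of knowledge of w, π' is the hypothetical protocol in which party2 releases w to anyone who passes that proof, and the adversary simply forwards the honest prover's messages into π'. The second half shows a practical mitigation for this particular relay, binding each proof to a protocol tag through a Fiat-Shamir challenge; the tag names, parameters and group choice are assumptions made for this example, and the mitigation does not circumvent the general impossibility the slides describe.

```python
import hashlib
import secrets

# Constructed toy parameters (illustration only): arithmetic in Z_p^* for the
# Mersenne prime p = 2^61 - 1, base g = 3, exponents reduced mod p - 1.
P, N, G = 2**61 - 1, 2**61 - 2, 3

def keygen():
    w = secrets.randbelow(N - 1) + 1       # witness w, statement y = g^w
    return w, pow(G, w, P)

class HonestProver:
    """Prover of pi: answers whichever verifier talks to it, never reveals w."""
    def __init__(self, w):
        self._w = w
    def commit(self):
        self._r = secrets.randbelow(N - 1) + 1
        return pow(G, self._r, P)               # t = g^r
    def respond(self, e):
        return (self._r + e * self._w) % N      # s = r + e*w

def party2(w, y, prover):
    """pi': party2 hands w to anyone who passes the interactive proof-of-knowledge check."""
    t = prover.commit()
    e = secrets.randbelow(N)
    s = prover.respond(e)
    return w if pow(G, s, P) == t * pow(y, e, P) % P else None

def chosen_protocol_attack():
    """Adversary plays verifier in pi and prover in pi', forwarding t, e, s unchanged."""
    w, y = keygen()
    relay = HonestProver(w)          # pi' sees exactly the honest prover's messages
    return party2(w, y, relay) == w  # True: the composition leaks w, neither protocol alone does

# Practical mitigation for this relay: derive the challenge from a protocol tag
# (Fiat-Shamir), so a transcript produced for pi does not verify under pi'.
def fs_challenge(tag, y, t):
    digest = hashlib.sha256(f"{tag}|{y}|{t}".encode()).digest()
    return int.from_bytes(digest, "big") % N
def prove_tagged(tag, w, y):
    r = secrets.randbelow(N - 1) + 1
    t = pow(G, r, P)
    return t, (r + fs_challenge(tag, y, t) * w) % N
def verify_tagged(tag, y, proof):
    t, s = proof
    return pow(G, s, P) == t * pow(y, fs_challenge(tag, y, t), P) % P
def relay_tagged_proof():
    w, y = keygen()
    return verify_tagged("pi-prime", y, prove_tagged("pi", w, y))   # False: pi' rejects it
```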

12 Concurrent Self Composition
Now say there is just a single protocol π (with multiple copies running); still define π' as before (it is not executed over the network).
Idea: we eliminate party2 of π' by converting it into a bunch of garbled circuits and giving them to the adversary.
Take the next-message function of party2 in each round, construct a garbled circuit (GC) for it and give it to the adversary as auxiliary input.

13 Concurrent Self Composition: Problem
Problem: who has the GC keys? Bob should have them.
The adversary needs to perform OT with Bob to execute the GC.

14 ZK + OT Functionality [BPS06]
Mode 1: plain ZK functionality.
Mode 2: plain OT functionality.
Input: the mode selector (1 or 2) together with the input for that mode.

15 Concurrent Self Composition
The adversary gets the message to be fed to the GC and puts this execution of π on hold.
It starts another concurrent session of π in the OT mode, gets the relevant wire keys, and evaluates the GC.
The adversary still can't get w from the GCs in the ideal world (even given the auxiliary input): the real world has the message of the ZK mode, but the ideal world does not.

16 Getting Positive Results: General Paradigm

17 Simulators in the Standalone Setting
Simulator: rewind and extract the adversary's input; query the trusted party (TP) to get the output; continue.
This way, one can argue that the adversary learns no more than the output.
[Figure: S extracts X_A from A, sends it to F, and receives F(X_A, X_H).]

18 Understanding the Concurrent Setting
The simulator would again extract the input by rewinding (now in the concurrent setting), query the TP and continue.
Any type of rewinding by the simulator is a fundamental problem here.

19 Main Problem: Specific Adversary
[Figure: S, A and F with nested sessions.]
Say the simulator rewinds the blue session anywhere.
The inner session is then executed twice, fully from the beginning.
The adversary may choose a different input each time.

20 Main Problem (contd.)
[Figure: S, A and F with nested sessions.]
How does the adversary get the outputs and continue in the green session?
The simulator is allowed to query F only once per real-world session.

21 More Details
The adversary controls the scheduling of messages, so interleavings are arbitrary: a session s1 may contain another session s2.
[Figure: messages m_{1,1}, m_{2,1}, m_{2,2}, m_{2,3}, m_{1,2}, m_{1,3} exchanged between S and A; after a rewind, m'_{1,1}, m'_{2,1}, m'_{2,2}, m'_{2,3}, m'_{1,2}.]
Our simulation is based on rewinding. During simulation, S may rewind past s2 while simulating s1, and A may change its input every time s2 is re-executed.
The simulator can only query once per session; the adversary may keep aborting and all rewinds may fail. This is a real concern.
S extracts the adversary's input X_A in each session, sends it to F and receives F(X_A, X_H).

22 The General Paradigm
The key to a positive result lies in overcoming this problem (differently in different settings).
The protocol is very natural (similar to the GMW paradigm): take a protocol providing security against semi-honest adversaries and compile it with concurrent ZK. (For stronger notions, compiling with concurrent non-malleable zero-knowledge [Barak-Prabhakaran-Sahai06] may be necessary.)
Keep in mind: the simulator needs to successfully rewind at least once (in each session) to extract.

23 The Multiple Call Model

24 Relaxed Security Notion
Allow multiple calls per session in the ideal world.
The problem goes away and the simulator can continue: if a session is executed multiple times with different inputs, just query the TP multiple times for it, get the outputs, and continue.
In particular, a positive result is known with an (expected) constant number of ideal calls per real-world session [G-Jain-Ostrovsky10].

25 The Security Guarantee
Normal security guarantee: the adversary learns no more than one output on an input of its choice.
New security guarantee: the adversary learns no more than a few outputs on inputs of its choice.
The guarantee is still meaningful: the adversary can't learn the honest input or an arbitrary function of the input. E.g., if the functionality only gives out signatures on even numbers, the adversary can't get a signature on an odd number.

26 Concurrent Password-Based Key Exchange
A positive result in this model directly leads to the first concurrent PAKE in the plain model [G-Jain-Ostrovsky10].
Any construction in this model is shown to satisfy the Goldreich-Lindell01 definition of PAKE.
More generally: settings of authentication/access control. Say the adversary succeeds in guessing only with negligible probability; the situation remains the same even if you allow a constant (or even polynomial) number of guesses.

27 Open Problem
What if the simulator is only allowed to make a strict constant number of calls per session (rather than an expected constant)?
Efficiency-related questions: round complexity / communication complexity.

28 The Prediction Paradigm

29 Prediction Paradigm [G11]
Now we stick to the standard definition; positive results are hard to come by.
High-level idea: how do we get the output without querying the TP? We try to predict it.
One can argue that prediction is, in some sense, essential to getting a result in the plain model: if you can't predict, no secure protocol exists for that functionality.

30 Single Input Setting: Minimal Clean Model of CSC
Various clients concurrently interact with a server that holds a single fixed input x.
[Figure: the server holds x; clients with inputs y1, ..., yn receive f(x, y1), ..., f(x, yn).]

31 Positive Results in this Setting
Almost all functionalities can be securely realized in the single input setting, in the plain model and under the standard definition.
More precisely: all except those where the ideal functionality behaves as a (worst-case hard) PRF.

32 Positive Result Implications: Examples
Private database search: the server holds a database with k entries, and the clients hold predicates.
[Figure: server entries entry_1, entry_2, ..., entry_k; client predicates f_1(.), ..., f_n(.); client 1 gets entry_i if f_1(entry_i) = 1.]
This immediately gives concurrent private information retrieval, keyword search / pattern matching, etc.

33 Examples (contd.)
Privacy-preserving data mining: secure set intersection, computing the k-th ranked element, etc.
We get concurrently secure protocols for all these functionalities of special interest.
Password-based key exchange: the (only) previous result [GJO10] was according to the weaker definition of [GL01], so this is a strict improvement.

34 Prior to this Result
The only known result in the plain model, (fully) concurrent setting: the zero-knowledge functionality [DNS98, RK99, …].

35 Prediction Paradigm: Example
[Figure: S, A and F with several nested sessions.]
The simulator can rewind several times / at several places; that is the problem.
Try to predict the output and complete at least one rewinding.
FAIL: if the adversary keeps aborting everywhere; the adversary may also have auxiliary input.

36 PAKE Example
[Figure: S interacts with A; S extracts P_A, the honest party holds P_H.]
The TP answers whether or not the given password is correct (P_A = P_H).
Can predict correctly (with noticeable probability) with at most 1 failed rewinding.
The simulator rewinds and extracts P_A in the green session, but can't query the TP. It simply predicts the output to be 0 (wrong password).

37 PAKE Example
The simulator simply predicts the output to be 0 (wrong password).
If the rewinding strategy fails, the predicted output is distinguishable from the correct one; so the output must have been 1, i.e., P_A must be the correct password!
Now the simulator can in fact execute the protocol honestly!

38 Previous Works
Results on concurrent ZK can be seen as a special case of this paradigm (nothing to predict; the output is known).
Bounded concurrent setting: a special case where prediction is required only in a bounded number of rewindings.

39 Open Problems
Round complexity: very high; a large polynomial depending upon the input size, the functionality, the security parameter, ….
Extend the results beyond the single input setting: there is a lot to gain if the prediction paradigm can be generalized.

40 Resettable Computation Protocols

41 Typical Secure Computation Protocol
[Figure: parties holding x1, x2, x3, x4 compute f(x1, x2, x3, x4).]

42 Resettable (Prover) Zero Knowledge
[Figure: a prover with randomness R and witness W interacts with Verifier 1 and Verifier 2 on the statement x in L.]
[Canetti-Goldreich-Goldwasser-Micali00]: resettable zero-knowledge arguments exist under standard cryptographic assumptions.

43 Resettable Prover ZK and Concurrent ZK
Resettable prover ZK is also concurrent ZK.
[Figure: a prover interacting with a verifier.]

44 Resettable Verifier Zero Knowledge
[Figure: a verifier with randomness R interacts with Prover 1 (witness W1) and Prover 2 (witness W2).]
[Barak-Goldreich-Goldwasser-Lindell01]: resettable verifier zero-knowledge arguments exist under standard cryptographic assumptions.

45 Other Works Studying the Resettable Model
[Micali-Reyzin (Eurocrypt 2001)], [Bellare-Fischlin-Goldwasser-Micali (Eurocrypt 2001)], [Micali-Reyzin (Crypto 2001)], [Barak-Lindell-Vadhan (FOCS 2003)], [Zhao-Deng-Lee-Zhu (Eurocrypt 2003)], [Yung-Zhao (Eurocrypt 2007)], [Deng-Lin (Eurocrypt 2007)]
These consider only zero-knowledge (or closely related) functionalities.

46 Question
Do there exist functionalities other than zero knowledge for which resettably secure protocols are possible?

47 Resettable Secure Computation [G-Sahai09, G-Maji11]
General completeness theorem: for every (PPT computable) two-party functionality, there is a resettably secure protocol.
[G-Sahai09]: the setting involves a smartcard and a user. The user can reset the smartcard at any time. The protocol is insecure if the smartcard can reset the user.
[G-Maji11]: the general setting; any number of parties can be reset by the adversary at any time.
Builds on the techniques of simultaneously resettable ZK by Deng-G-Sahai09.

48 Stateful Computation
[Figure: a party's state grows across executions, e.g., 0x0 → 0x0a3c → 0x0a3c387 → 0x0a3c3870fb → 0x0a4c1833a1.]

49 Stateless Computation
[Figure: F receives m2 and returns F(m2); re-sending m2 yields the same F(m2).]
Parties in the protocol can be made stateless.
Parties don't need to maintain state about any execution, which can help in preventing DoS attacks, etc.

50 Impossibility of Concurrently Secure Protocols
Resettable protocols are concurrently secure too.
Far-reaching impossibility results [Lin03, Lin04, BPS06] rule out concurrently secure protocols for a large class of functionalities.
Are we stuck?

51 Model
The adversarial user has the power to reset and interact with the smartcard as many times as it wants (in the real model).
Simulation is only possible if an equivalent power is given in the ideal model.
Thus, in the ideal model, the adversarial user is given the power to reset the ideal functionality and interact with it many times.

52 Ideal Model: Resettable 2PC
Both parties send their inputs x1 and x2 to the TP.
The TP computes the result f(x1, x2) and sends it to the adversary.
Unless the adversary aborts, the TP sends f(x1, x2) to the honest party.
The adversary can signal a reset to the trusted party. The ideal world comes back to the initial state, where the adversary can choose a different input (and get another output).
Thus: we have solved the problem of multiple calls.
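The resettable ideal model above, together with the "signatures only on even numbers" functionality from slide 25, as an added executable model (not code from the talk): the trusted party enforces one query per session, a reset returns it to the initial state with the honest input kept, and the adversary's reset power buys it one output per chosen input and nothing else. The HMAC-based tag, the key and the message set are constructed for this example.

```python
import hashlib
import hmac
import secrets

class ResettableIdealTP:
    """Trusted party of the resettable ideal model: the honest party's input x1
    is fixed; the adversary sends x2, sees f(x1, x2) first, decides whether it
    is delivered, and may reset to the initial state at any time."""
    def __init__(self, f, x1):
        self.f, self.x1 = f, x1
        self.reset()
    def reset(self):
        self.x2 = self.out = None          # initial state; x1 is kept
        return self
    def adversary_input(self, x2):
        if self.x2 is not None:            # without reset: one call per session
            raise RuntimeError("already queried in this session; reset first")
        self.x2, self.out = x2, self.f(self.x1, x2)
        return self.out                    # adversary learns the output first
    def deliver(self, abort=False):
        return None if abort else self.out # what the honest party receives

# Functionality from slide 25: a tag on m under the honest party's key, only if m is even.
def sign_if_even(key, m):
    if m % 2:
        return None
    return hmac.new(key, m.to_bytes(8, "big"), hashlib.sha256).hexdigest()

def tag_is_valid(key, m, tag):
    return tag is not None and hmac.compare_digest(tag, sign_if_even(key, m) or "")

def reset_and_query(tp, messages):
    """Adversary with reset power: one f(x1, m) per chosen m, i.e. multiple ideal calls."""
    return {m: tp.reset().adversary_input(m) for m in messages}

def demo(key=None):
    key = key or secrets.token_bytes(32)   # constructed honest-party key
    tp = ResettableIdealTP(sign_if_even, key)
    outputs = reset_and_query(tp, [2, 7, 4])
    # Several outputs were obtained, but only ones the functionality allows:
    # tags for 2 and 4, nothing for 7, and no tag it holds verifies for an odd m.
    leaked_odd = any(tag_is_valid(key, 7, tag) for tag in outputs.values())
    return outputs, leaked_odd
```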

53 Open Problems
Round complexity: current protocols have polynomial round complexity.
Assumptions: what can we do without assuming NIZKs? Even for weaker notions?
A general study of using the same / correlated randomness, or the same / correlated state, in cryptographic protocols.

54 General Technique: Other Applications
Super-polynomial simulation [Garg-G-Jain-Sahai11]
Input-indistinguishable computation [Garg-G-Jain-Sahai11]

55 Conclusion and Open Problems
Most of the protocols have round complexity anywhere from super-logarithmic to a large polynomial.
Round complexity could be improved for many protocols if we could resolve the problem of constant-round concurrent ZK (and concurrent NM ZK).
What is the right notion of concurrent security that is still achievable? There seem to be several incomparable notions.

56 Conclusion and Open Problems
Nice thing: for many of these notions, the protocols are now very similar (based on compiling with C-ZK or CNMZK).
Can we understand what security guarantee such a protocol achieves? Of course one can list, one by one, all the models in which it is secure. But we believe that the world is more beautiful than that.

57 Thank You!
