Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rafael Pass Cornell University Concurrency and Non-malleability.

Similar presentations


Presentation on theme: "Rafael Pass Cornell University Concurrency and Non-malleability."— Presentation transcript:

1 Rafael Pass Cornell University Concurrency and Non-malleability

2 Goal: Allow a set of distrustful parties to compute any functionality f of their inputs, while preserving: Correctness Privacy Even when no honest majority Secure Multi-party Computation [Yao,Goldreich-Micali-Wigderson]

3 The Classic Stand-Alone Model One set of parties executing a single protocol in isolation.

4 But, Life is CONCURRENT Many parties running many different protocol executions.

5 The Chess-master Problem [DDN’91] 8am: Lose! 8pm:

6 Similar attack on Crypto protocols! Win at least 1 (or draw both)

7 Man-in-the-middle Attacks Alice Bob a 5a b b/5 MIM Initator ResponderResponder/Initator MIM controls channel between Alice and Bob

8 This Talk Commitment schemes secure against man-in- the-middle attacks Use such commitments to improve SMC –Better round complexity also for stand-alone security –Concurrent security

9 Commitment Scheme The “digital analogue” of sealed envelopes. Commitment Reveal Sender Receiver One way functions both sufficient and necessary [N’89, HILL’ 99]

10 Possible that v’ = v+1 Even though MIM does not know v! Receiver/Sender MIM C(v) C(v’) Sender Receiver Messages are arbitrarily interleaved: MIM controls scheduling.

11 Non-Malleable Commitments [Dolev Dwork Naor’91] Non-malleability: Either MIM forwards : v = v’ Or v’ is “independent” of v ij Receiver/Sender MIM C(v’) Sender Receiver C(v)

12 Non-Malleable Commitments [Dolev Dwork Naor’91] Receiver/Sender Non-malleability: if then, v’ is “independent” of v MIM C(i,v) C(j, v’) i  j Sender Receiver ij

13 Man-in-the-middle execution: Simulation: j i  ji  j Non-Malleable Commitments [Dolev Dwork Naor’91, P-Rosen’05] ij Non-malleability: For every MIM, there exists a “simulator”, such that value committed by MIM is indistinguishable from value committed by simulator

14 Non-Malleable Commitments ij Important in practice “Test-bed” for other tasks Applications to MPC

15 Non-malleable Commitments Original Work by [DDN’91] –OWF –black-box techniques –But: O(log n) rounds Main question: how many rounds do we need? With set-up solved: 1-round, OWF: [DiCreczenzo-Ishai- Ostrovsky’99,DKO,CF,FF,…,DG] Without set-up: [Barak’02]: O(1)-round Subexp CRH + dense crypto: [P’04,P-Rosen’05]: O(1) rounds using CRH [Lin-P’09]: O(1)^log* n round using OWF [P-Wee’10]: O(1) using Subexp OWF [Wee’10]: O(log^* n) using OWF Non BB NM Amp

16 Non-malleable Commitments Original Work by [DDN’91] –OWF –black-box techniques –But: O(log n) rounds Main question: how many rounds do we need? With set-up solved: 1-round, OWF: [DiCreczenzo-Ishai- Ostrovsky’99,DKO,CF,FF,…,DG] Without set-up: O(1)-round from CRH or Subexp OWF O(log^* n) from OWF Sd

17 Thm [Lin-P’11]: Assume one-way functions. Then there exists a O(1)-round non-malleable commitment with a black- box proof of security. Note: Since commitment schemes imply OWF, we have that unconditionally that any commitments scheme can be turned into one that is O(1)-round and non-malleable. Note: As we shall see, this also weakens assumptions for O(1)- round secure multi-party computation. Even more excitingly: Vipul Goyal independently proved the same result very different techniques relying on NM amplification

18 DDN Protocol Idea Blue does not help Red and vice versa i = 01…1 j = C(i,v) C(j, v’)

19 The Idea: What if we could run the message scheduling in the head? Let us focus on non-aborting and synchronizing adversaries. (never send invalid mess in left exec)

20 c=C(v) Com(id,v): I know v s.t. c=C(v) Or I have “seen” sequence WI-POK id = 00101

21 Signature Chains Consider 2 “fixed-length” signature schemes Sig 0, Sig 1 (i.e., signatures are always of length n) with keys vk 0, vk 1. Def: (s,id) is a signature-chain if for all i, s i+1 is a signature of “(i,s 0 )” using scheme id i s 0 = r s 1 = Sig 0 (0,s 0 )id 1 = 0 s 2 = Sig 0 (1,s 1 )id 2 = 0 s 3 = Sig 1 (2,s 2 )id 3 = 1 s 4 = Sig 0 (3,s 3 )id 4 = 0

22 Signature Games You have given vk 0, vk 1 and you have access to signing oracles Sig 0, Sig 1. Let  denote the access pattern to the oracle; –that is  i = b if in the i’th iteraction you access oracle b. Claim: If you output a signature-chain (s,id) Then, w.h.p, id is a substring of the access pattern .

23 c=C(v) Com(id,v): I know v s.t. c=C(v) Or I have “seen” sequence WI-POK id = vk 0 r0r0 Sign 0 (r 0 ) vk 1 r1r1 Sign 1 (r 1 )

24 c=C(v) Com(id,v): WI-POK id = vk 0 r0r0 Sign 0 (r 0 ) vk 1 r1r1 Sign 1 (r 1 ) I know v s.t. c=C(v) Or I know a sig-chain (s,id) w.r.t id

25 c=C(v) WI-POK vk 0 r0r0 Sign 0 (r 0 ) vk 1 r1r1 Sign 1 (r 1 ) c=C(v’) WI-POK vk’ 0 r' 0 Sign 0 (r’ 0 ) vk' 1 r' 1 Sign 1 (r’ 1 ) w.r.t i i = j = w.r.t j Non-malleability through dance Note: sig keys on L and R might be different; we violate sec of sig game for key on R

26 Dealing with Aborting Adversaries Problem 1: –MIM will notice that I ask him to sign a signature chain –Solution: Don’t. Ask him to sign commitments of sigs… (need to add a POK of commitment to prove sig game lemma) Problem 2: –I might have to “rewind” many times on left to get a single signature –So if I have id = 01011, access pattern on the right is 0*1*0*1*... –Solution: Use 3 keys (0,1,2); require chain w.r.t 2id 1 2id 2 2id 3 …

27 Dealing with Non-synchronizing Adversaries Not hard; same technique as in LP’09 Just add more WIPOK… Will return to this point later.

28 Main Technique Exploit rewinding pattern (instead of just location) Thm: Assume one-way functions. Then there exists a O(1)- round non-malleable commitment with a black-box proof of security. Some extensions:

29 C(i 1,  1 ) C(i 2,  2 ) C(i n,  m ) C(j 1,  1 ’) C(j 2,  2 ’) C(j 3,  m ’) Concurrent Non-Malleable Commitments [P-Rosen’05, Lin-P-Venkitasubramaniam’09] i1i1 i2i2 imim j1j1 ID j2j2 jnjn To deal with copying: if i k = j l, then  l ’ =  Messages are arbitrarily interleaved: MIM controls scheduling. For any      …  m and      …  m the view + values committed to by MIM are indistinguishable.

30 C(i,  ) C(j 1,  1 ’) C(j 2,  2 ’) C(j 3,  m ’) One-Many Non-Malleability i j1j1 ID j2j2 jnjn Thm [PR’05,LPV’08]: One-many NM  Concurrent NM. Our O(1)-round construction is also concurrent NM

31 One-Many Non-Malleability C(i,  ) C(j 1,  1 ’) C(j 2,  2 ’) C(j 3,  m ’) i j1j1 ID j2j2 jnjn C(i,  ) C(j 1,  1 ’) C(j 2,  2 ’) C(j 3,  m ’) i j1j1 ID j2j2 jnjn SAME protocol LEFT and RIGHT!  {views+values}

32 Robust Non-Malleability w.r.t k-round protocols [Lin-P’09] C(i,  ) C(j 1,  1 ’) C(j 2,  2 ’) C(j 3,  m ’) i j1j1 ID j2j2 jnjn C(i,  ) C(j 1,  1 ’) C(j 2,  2 ’) C(j 3,  m ’) i j1j1 ID j2j2 jnjn  {views+values}  IF THEN DEF: Com is “robust” if Robust NM w.r.t 4-round protocols EASY to satisfy if Com has more than k-rounds!

33 Original work of [Goldreich-Micali-Wigderson’87] –TDP, n rounds More Recent: “Stronger assumption, less rounds” –[Katz-Ostrovsky-Smith’02] TDP, dense cryptosystems, log n rounds TDP, CRH+dense crypto with SubExp sec, O(1)-rounds, non-BB –[P’04] TDP, CRH, O(1)-round, non-BB Secure Multi-party Computation [Yao,GMW] Non-malleability is implicitly used in all these works!

34 NMC v.s. SMC Thm [Lin-P-Venkitasubramaniam’09]: TPD + k-round robust NMC  O(k)-round SMC Holds both for stand-alone MPC and UC-SMC (in a number of set-up models) Corollary: TDP  O(1)-round SMC

35 Back to Concurrent SMC

36 Running the protocol π in the concurrent setting is Computing f using a trusted party in the concurrent setting S simulates the view of A & the outputs of honest parties are the same in the two worlds A S UC security [Canetti’01] π π π π f f f f “as correct & private as” Both A and S required to be PPTZZ ρ ρ ρ ρ

37 UC security [Canetti’01] π π π π f f f f ZZA S Simulator S needs to: “extract” A’s input without disturbing execution with Z while ensuring that inputs of honest guys remain hidden. Straight-line extraction “non-malleability”

38 The State of UC Security Secure 2-party computation impossible! [Canetti-Kushilevitz- Lindell’03] –And even for somewhat weaker models [Canetti- Fischlin’02,Lindell’03,Lindell’04, Barak-Prabhakaran-Sahai’06] –Intuition: If S can extract “straight-line” extract inputs, then so can the attacker. Possible: with limited “trusted help” –Trusted set-up models: Honest majority [BGW88, CCD88, BR89,DM00], CRS [BFM,CLOS], PKI [BCNP], Timing model [DNS,KLP], Tamper-proof Hardware [K], … –Thm [Lin-P-Venkitasubramaniam’09] Use Robust NM Com to get a crisp and essentially tight characterization (assuming TDP) of when a set-up can be used to get UC SMC. Essentially all known UC SMC result follow as a corollary, with improved computational assumptions, and round complexity. Can mix and match set-ups! [Garg,Goyal,Jain,Sahai, yesterday]

39 Thm (Machiavelli): NO ONE. Who can you trust?

40 A SSZZ Super-Poly Time Simulation (SPS) [P’03] Allow super-poly-time security reduction We know, poly-time security reduction is impossible Possible! [(P’03), Prabhakaran-Sahai’04, Barak-Sahai’05, Lin-P- Venkitasubramaniam’09] But, using strong hardness assumptions Still, meaningful in many (most) cases

41 Prabhakaran-Sahai’04 π π π π f f f f ZZA S Simulator S needs to: “extract” A’s input without disturbing execution with Z while ensuring that inputs of honest guys remain hidden. Assume “id-based hasfunction”: hard to find a collision w.r.t. id even if you have oracle access to someone who finds random collisions w.r.t. any other id’ != id. Use collision finding oracle to extract in super-poly time! By security of id-based hash S

42 CCA-Secure Commitments [Canetti-Lin-P’10] A C( x ) C(y 1 ) O C(y 2 ) C(y 3 ) y1y1 y2y2 y3y3 i j1j1j1j1 j1j1j1j1 j1j1j1j1 Chosen-Commitment-Attack (CCA) security: Either A copies the left identifier to the right Or LHS is hiding --- view of A indistinguishable

43 Concurrent Non-Malleable Commitments A C( x ) C(y 1 ) Non-Malleability Either A copies the left identifier to the right Or view of A + (y 1, y 2, y 3 ) indistinguishable C(y 2 ) C(y 3 ) i j1j1j1j1 j1j1j1j1 j1j1j1j1 CCA security  Conc Non-Malleability O y1y1 y2y2 y3y3

44 Thm [CLP’10] Existence of OWF implies O(n^  )-round robust CCA-secure commitments –Need to deal with both NM and “nesting” of executions a la Concurrent ZK [Dwork-Naor-Sahai’99] –Rely on original message scheduling technique by [Dolev- Dwork-Naor’91] + ideas behind concurrent ZK simulation of [Richardson-Kilian’01] Thm [CLP’10] Robust CCA-secure commitments + OT implies SPS-secure SMC Open: O(1)-round CCA secure commitments from OWF?

45 More Open(-ended) Open Question: What is the right definition of concurrent security (without trusted set-up)? SPS security provides weak guarantees on the “computational advantages” gained by an adversary –Sufficient when security in the ideal model is information-theoretic (or just sufficiently “strong”) –But not sufficient to preserve security of “moderately-hard” properties “Rewindable TTP” [Goyal-Sahai’08,Goyal-Jain-Ostrovsky’10] –Need very efficient precise simulations [Micali-P’06] –Currently best concurrent simulation: omega(1) “rewindings” [Pandey-P- Sahai-Tseng-Venkitasubramaniam’08] Can we compose different security notions?

46 The Dark Side of Concurrency Don’t worry: Lower bounds

47 Lower Bounds using Concurrency Security Reduction R from breaking B to breaking intractability assum C r CRORO Black-box reduction: R O breaks C whenever O breaks B f(r) For some classic protocols/tasks ( sequential WH of classic ZK protocols, active security of Schnorr’s identification scheme, selective decommitment problem, Chaum’s blind signatures… ) no security reductions are known under ANY 2-round intractability assumption. Thm [P’11]: If there exists a BB reduction (but potentially non-BB construction) from a poly-round intractability assumption C, then C can be broken in poly time. Why concurrency? The reduction can nest it calls to O. concurrent simulation techniques very useful!

48 Thank You

49 Overview of Our Construction A C( x ) C(y 1 ) Design a protocol s.t. H can be efficiently simulated Then, Hiding  CCA security H C(y 2 ) C(y 3 ) y1y1 y2y2 y3y3 i j1j1j1j1 j1j1j1j1 j1j1j1j1 But, 1. A may ask new mesg in LHS---LHS not hiding anymore 2. A may nest oracle calls --- extraction time explodes by Rewidnings NM conc. ZK

50 Secure Multi-party Computation [Yao,GMW] A set of parties with private inputs. Wish to jointly compute a function of their inputs while preserving privacy of inputs (as much as possible) Security must be preserved even if some of the parties are malicious.

51 What’s Next – Concurrency for General Interaction

52 What’s Next – Adaptive Hardness Consider the Factoring problem: Given the product N of 2 random n-bit primes p,q, can you provide the factorization Adaptive Factoring Problem: Given the product N of 2 random n-bit primes p,q, can you provide the factorization, if you have access to an oracle that factors all other N’ that are products of equal-length primes Are these problems equivalent? Unknown!

53 Adaptively-hard Commitments [Canetti-Lin-P’10] Commitment scheme that remains hiding even if Adv has access to a decommitment oracle Implies Non-malleability (and more!) Thm [CLP’10] Existence of commitments implies O(n^  )- round Adaptively-hard commitments What’s Next – Adaptive Hardness

54 Without Trusted Set-up Specific tasks and attacks: –Concurrent Zero-knowledge [Dwork-Naor-Sahai,Richardson- Kilian,Kilian-Petrank,Prabhakaran-Rosen-Sahai,Barak’01…] –Non-malleable Commitments [Dolev-Dwork-Naor’91,…] Relaxed notions of security: –E.g., “super-poly simulation”, “angel-based security”, “input indistinguishability” [P03,Prabhakaran-Sahai’04,Barak-Sahai’05,Micali- P-Rosen’06,Lin-P-Venkitasubramaniam’09,Canetti-Lin-’P10]

55 A SZZ Angel-Based Security [Prabhakaran-Sahai’04] Angel: A restricted super-poly-time oracle performing some specific, system-dependent task e.g. find collision of a CRH as long as the colliding inputs include the id of the requesting party. Possible [Prabhakaran-Sahai’04, Malkin-Moriaty- Yung06, Barak-Sahai’S05] ! But, even stronger assumptions e.g. Adaptively hard CRH Simulator and Adv. receive help from an angel. O O Composable

56 Interactive protocol between a Prover and a Verifier where the Verifier learns nothing except the proof statement 56 Prover Verifier Zero Knowledge [Goldwasser-Micali-Rackoff’85]

57 For every PPT V* (adversary) there is a PPT simulator S: Simulator S  Prover Verifier V* View of V* with Prover View generated by S 57 Indistinguishable

58 Concurrent ZK (cZK) [Dwork-Naor-Sahai’01] Simulator S View generated by S  View of V* with Prover ProverVerifier V* 58

59 Classic ZK Protocol [Feige-Shamir’90] ProverVerifier INIT: Commit to random secret σ END: Modified proof where σ is a trapdoor: WI x \in L or I know σ 59 Slot Proof of Know of σ

60 Verifier V* INIT: Commit to random secret σ Slot Proof of Know of σ END: Give proof using σ Simulator 60 Rewind Slot 2 nd time: Extract σ What about cZK? Classic ZK Protocol [Feige-Shamir’90]

61 Concurrent Zero Knowledge 61 rewinding here => redo work of nested sessions 3 nested sessions Takes time O(2 # nestings ) [KPR’00] Verifier V* Simulator

62 Richardson-Killian Need to extract σ for every session. Easier if there are more slots. –Cannot “nest” inside all slots Rewinding any one slot extracts σ. 62 slots END INIT

63 Concurrent Zero-knowledge A set of parties with private inputs. Wish to jointly compute a function of their inputs while preserving privacy of inputs (as much as possible) Security must be preserved even if some of the parties are malicious.


Download ppt "Rafael Pass Cornell University Concurrency and Non-malleability."

Similar presentations


Ads by Google