Presentation on theme: "Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor."— Presentation transcript:
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor
Cryptographic Randomized Response “Randomized Response Technique” [War65] Method for polling stigmatizing questions Idea: Lie with known probability. Specific answers are deniable Aggregate results are still valid Problem: responders may have incentive to cheat E.g., Pre-election polls CRRT [AJL04]: Use cryptographic techniques to prevent cheating Uses ZK, OT or quantum cryptography Requires either computers or quantum equipment
CRRT and AnthropoCryptography Responder’s trust is critical when polling sensitive questions We can’t assume responders have knowledge of computers or cryptography Our protocols must take into account human abilities and limitations: Previous Work Visual Cryptography [NS94] Private computation using a Pez dispenser [BCIK03] “Applied Kid Cryptography” [NNR] Basing Cryptographic Protocols on Tamper-Evident Seals [MN05]
Our Results Protocols for CRRT using scratch-off cards and envelopes Simple enough to be practical Our protocols are secure in Canetti’s UC model Allows secure black-box composition Lower bounds on Implementations of “Strong” CRRT.
Scratch-Off Cards and Envelopes Contain a “sealed” message Can’t read the message without breaking the seal It is evident when the seal is broken Next Time!
p -CRRT: What we would like Assume the answer to the poll is either 0 or 1, p is fixed: ½
p -CRRT: What we can get Assume the answer to the poll is either 0 or 1, p is fixed: ½
Pollster-Immune ¾-CRRT (with Scratch-Off Cards) Alice prepares a card with two rows, each with a 0 and 1 in random order and sends to Bob Bob scratches a random bubble in each row. Then the entire row that has not revealed his choice Scratch random row if identical If a revealed row is invalid, Bob halts; otherwise returns the card to Alice. If there ≠3 scratched bubbles, or if Bob halts, Alice outputs ? otherwise Alice counts the singleton Go “0”s!!!
Pollster-Immune CRRT: “Intuitive Analysis” An honest responder gets her wish with probability ¾ A cheating responder can’t force anything better: Without scratching more than one bubble he has no more information than the honest responder Deciding to scratch another bubble “commits” him to that row (before he gets the information) A cheating reponder can refuse to return the card Pollster will realize this
Responder-Immune 2/3-CRRT (with Envelopes) Bob takes three envelopes. He chooses two at random to contain his choice; the remaining envelope contains the opposite Bob seals the envelopes and sends them to Alice Alice opens a random envelope She shows Bob which one she opened Bob tells Alice which envelope contains the opposite choice
Responder-Immune 2/3-CRRT (with Envelopes) If Bob was honest Alice records the first envelope she opened as her output Alice returns the unopened envelope to Bob If Bob cheated Alice opens all the envelopes If they are not identical, Alice records the first envelope she opened as the output. If they are identical, Alice records their value with prob. 2/3 and the opposite value with prob. 1/3 0 0: 2/3 1: 1/3
Responder-Immune CRRT: “Intuitive Analysis” Bob gets his wish with probability 2/3 Bob can’t cheat at all: If Bob uses three identical envelopes, he will be caught with prob. 1 (then Alice simulates an honest Bob to get her response) If Bob answers Alice’s query incorrectly, she will simply open the envelopes and discover the correct answer herself. Alice can cheat: she can open the envelopes (but will be caught)
Why is Efficient Strong CRRT Hard? CRRT is connected to two well-studied crytpographic tasks: Oblivious Transfer We can build OT from some types of CRRT [Crépeau,Kilian ’88], [DKS ’99], [DFMS ’04] OT is impossible using scratch-off cards (or envelopes) [MN05] Strong Coin Flipping Some types of CRRT imply Strong Coin Flipping Lower bound on the number of rounds required [Cleve ’86]
Rigorous Analysis We define security using “Ideal Functionalities” An Ideal Functionality is a trusted third party We specify the behavior of the functionality The specification explicitly states what the adversary is allowed to do A protocol “realizes” the functionality if any attack against the protocol also works in the “ideal world”
Proofs in the UC (hybrid) Model A protocol securely realizes a target functionality if: There exists an ideal adversary S so that: For any real adversary A, no “environment” Z can distinguish between real world with A and the ideal world with S Environment Machine Z Target Ideal Functionality Dummy “Ideal” Adversary S Dummy input output input output Environment Machine Z Client Ideal Functionality Party input output “Real” Adversary A Party input output
Proofs in the UC (hybrid) Model “Real World” Environment Machine Z Client Ideal Functionality (e.g., Scratch-off card) Party input output “Real” Adversary A Party input output Parties follow protocol (using client functionality) A controls and sees communication of corrupted parties
Proofs in the UC (hybrid) Model “Ideal World” Environment Machine Z Target Ideal Functionality (e.g., CRRT func.) Dummy “Ideal” Adversary S Dummy input output Dummy parties pass their input and output to and from the target functionality S controls and sees communication of corrupted parties input output
Target Ideal Functionality Dummy input output input output Proofs in the UC (hybrid) Model Standard Construction Simulated Client Ideal Functionality Sim. Party input output Simulated “Real” Adversary A Sim. Party input output “Ideal” Adversary S Environment Machine Z
01 01 The Ideal Adversary: Corrupt Pollster Send Begin to CRRT functionality, wait for response v’ Simulate real adversary until it sends card (simulating the scratch-off card functionalities) The ideal adversary knows the values of the sealed bubbles without opening them! CRRT Ideal Functionality Pollster Resp. Begin v v Vote v’ “Real” Adversary
The Ideal Adversary: Corrupt Pollster If exactly one row is bad: if it’s equal to v’, scratch the other row and randomly scratch one bubble in that row. otherwise simulate responder halting “Real Life”Ideal Setting v=1 r=0 v=1 r= ¼ ¼¼¼ ¼: v’=0 ¾: v’= £2£2 £2£2 £2£2 £3£3 £3£3 £2£2
Summary Shown two simple CRRT protocols Evidence that Strong CRRT is hard Sketch of formal UC proof Open questions Complete lower bound on Strong CRRT Strong CRRT using other physical assumptions?
?? ?? The Ideal Adversary: Corrupt Responder Wait for CRRT functionality to send Vote Simulate pollster sending a card to the real adversary Note that the ideal adversary is not committed until the bubbles are actually scratched! CRRT Ideal Functionality Pollster Resp. Begin v Vote “Real” Adversary
The Ideal Adversary: Corrupt Responder If Vote=1, the first bubble scratched in every row will be 1 If Vote=0, the first bubble scratched in every row will be 0 If Vote=‘?’, the simulator chooses a random bit b the first bubble scratched in the top row will be b the first bubble scratched in the bottom row will be 1-b
The Ideal Adversary: Corrupt Responder Simulation continues until the “real” adversary returns the card or halts. If the card is valid, send Vote v to the functionality (v is the vote corresponding to the card) If the card is invalid, send Halt to the functionality CRRT Ideal Functionality Pollster Resp. Begin Vote “Real” Adversary Halt ?
The Ideal Adversary: Corrupt Pollster If both rows are valid, randomly choose a row to “scratch” Scratch v’ in other row “Real Life”Ideal Setting v= ¼ ¼¼¼ ¼: v’=0 ¾: v’=1 £2£2 £2£2 £3£3 £3£3
The Ideal Adversary: Corrupt Pollster If both rows are bad, simulate the responder halting This would happen with prob. 1 in the “real world” as well 00 11
Approaching Strong CRRT Repeat the pollster-immune CRRT protocol r times The pollster will use the majority of the results If the responder cheats (refuses to return a card), the pollster will use random bits for the remaining rounds A cheating responder has advantage O(1/√r) over an honest one Can cheat only once; this will affect the result only if the other rounds are balanced This occurs with probability O(1/√r) Using many rounds increases the pollster’s information The basic p-CRRT must have p close to ½ The result is very inefficient (and impractical)
Pollster-Immune p-CRRT (for any rational p=k/n) Alice prepares a card with two columns, one with k 0s and (n-k) 1s, and the other with k 1s and (n-k) 0s. She sends the card to Bob Bob scratches a random bubble in each column. Then the entire row that has not revealed his choice Scratch random row if identical If a revealed row is invalid, Bob halts; otherwise returns the card to Alice. If both rows have >1 scratched bubbles, or if Bob halts, Alice outputs ? otherwise Alice outputs the majority value in the singleton’s row
Pollster-Immune p-CRRT: “Intuitive Analysis” Bob gets his wish with probability k/n: With prob. k 2 /n 2 he uncovers the majority value in both rows, and with prob. k(n-k)/n 2 =k/n-k 2 /n 2 he uncovers two equal values and chooses the right one. As in ¾-CRRT, all he can do to cheat is refuse to return the card. Alice can cheat by: using an invalid row (e.g., all 1s) She will be caught with prob. ½ This probability can be increased by using multiple cards: some will be only for verification using two identical rows Gives only a small advantage when p is near ½
Pollster-Immune ¾-CRRT: Ideal Functionality Initial State Forcing response: 0 Responder can choose Forcing response: 1 Random Coin Toss Output 0 to responder Output 1 to responder Output ? to responder Output 0 to pollster Output 1 to pollster Output ? to pollster Prob. ¼ Prob. ½ Received: Begin Received: Halt Received: Vote * Received: Vote 1 Received: Halt Received: Vote 0 Received: Vote *