Published by Yahir Tonkinson. Modified over 2 years ago.

1
Adaptive UC from New Notions of Non-Malleability
Muthuramakrishnan Venkitasubramaniam
WORKSHOP: THEORY AND PRACTICE OF SECURE MULTIPARTY COMPUTATION
15 years of UC-Security [Canetti00]
25 years of Adaptive Security [Beaver89]
dynamic
Joint with Dana Dachman-Soled, Maryana Raykova, Tal Malkin

2
How can we achieve O(1)-round semi-honest 2-party computation?
Yao

3
Security by Comparison
[Figure: REAL world (adversary A_R) vs. IDEAL world (adversary A_I, Simulator); labels x1, y1, x2, y2]
“as correct & private as”
Correctness: The output of every player is the same in real and ideal
Privacy: Messages can be generated from the simulator’s input & output

4
Concurrent Security
REAL: many executions of different protocols
IDEAL: many executions with independent trusted parties

5
Universal Composability [C]
[Figure: REAL WORLD (arbitrary network, adversary A_R) vs. IDEAL WORLD (adversary A_I)]
Simulate messages without honest input
Independence of executions

6
What can we implement with UC-Security?
Theorem [CF, CKL, L]: It is impossible to achieve UC-security for all “non-trivial functionalities”
SOLUTION: Get some “limited” help from a trusted party OR relax the definition of security

7
Static Corruption: corrupt in the beginning
Adaptive Corruption: corrupt adaptively during execution

8
Why Adaptive Security?
Stronger definition of security
Static security does not imply adaptive security
Implies leakage resilience* [BCH12,NVZ13]
Relevant to cloud security [RTSS09]
  Adaptively co-locate VMs
  Side channel attacks

9
General Results in Adaptive UC-Security?
Trusted Setups
— Common Reference String [CLOS02,DN02,DG03,CPS07]
— Public Key Registration [BCNP04]
Relaxed Security
— Super-Poly Time Simulation (SPS) [BS05]
What about Static UC-Security?

10
What about Static UC-Security?
Trusted Setups
— Common Reference String [CLOS02,DN02,DG03,CPS07,DNO10]
— Public Key Registration [BCNP04,DNO10]
— Tamper-Proof Hardware [Kat07,CGS08,GISVW10]
— Timing Model [DNS98,KLP05]
Relaxed Security
— Super-Poly Time Simulation (SPS) [Pas03, BS05, GGJS12]
— Angel-based Security Model [PS04, MMY06,CLP10]
— Bounded (Player) Concurrent [Barak]
— Non-Uniform Simulation [LPV09]

11
State of the Art
Static Security:
— A unified framework to achieve security in any setup under minimal trusted infrastructure [LPV09]
— Can achieve security assuming only SA-OT [DNO10,LPV12]
Adaptive Security:
— Construction only in a few trusted setups
— Constructions based on specific assumptions such as dense cryptosystems, trapdoor simulatable PKE
— Require independent setups for every pair of parties, e.g. sunspots [CPS07]

12
Achieving UC-Security - Static Case [LPV09]
[Diagram labels: Trusted Setup, UC-puzzle, Puzzle, Simulation, One-Way Functions, Stand-Alone Non-malleability, Non-malleability, UC-Security]

13
Achieving UC-Security - Static Case [LPV09,LPV12]
[Diagram, Static Security: Static OT, Puzzle, NMC, Static UC]
This work: When, and at what cost, can Adaptive UC security be achieved?

14
Ideally…
[Diagram, Static Security: Static OT, Puzzle, NMC, Static UC]
[Diagram, Adaptive Security: Adap. OT, Adap. Puzzle, ?, Adap. UC]

15
Our Work
[Diagram, Static Security: Static OT, Puzzle, NMC, Static UC]
[Diagram, Adaptive Security: Adap. OT, Adap. Puzzle, ?, Adap. UC]

16
Our Work
[Diagram, Static Security: Static OT, Puzzle, NMC, Static UC]
[Diagram, Adaptive Security: Adap. OT, Simul. PKE, Adap. Puzzle, ?, Adap. UC]

17
Our Work
[Diagram, Static Security: Static OT, Puzzle, NMC, Static UC]
[Diagram, Adaptive Security: Adap. OT, Simul. PKE, Adap. Puzzle, NM*, Adap. UC]

18
Our Work
[Diagram, Adaptive Security: Adap. OT, Simul. PKE, Adap. Puzzle, NM*, Adap. UC]
Simulatable Public Key Encryption [DN00]
Oblivious sampling of public keys/ciphertexts
Invertible randomness for oblivious algs.
=> Non-committing Encryption [CFGN96,DN00]

19
Main Theorem
Assuming existence of simulatable PKE, Adaptive UC-security is achievable in any setup that admits an Adaptive Puzzle
Previous results - simple corollaries
Improved complexity assumptions
New models – non-uniform, bounded conc.

20
Achieving UC-Security - Adaptive Case
[Diagram labels: Trusted Setup, UC-puzzle, Adap. Simulation, Adap. Non-malleability, Adaptive UC-Security]
Cannot decouple! Stand-alone adaptivity requires setup

21
Achieving UC-Security - Adaptive Case
[Diagram labels: Trusted Setup, UC-puzzle, Adap. Simulation, Adap. Non-malleability, Adaptive UC-Security]
Adap. UC-Puzzle [LPV09]
TODAY

22
Commitment Scheme
The “digital analogue” of sealed envelopes.
[Figure: Sender/committer and Receiver. Commitment phase: Com(v). Decommitment phase: d.]
Hiding: The commitment hides the committed value
Binding: The commitment can only open to one value

23
MIM Attack on Commitments [DDN91]
[Figure: Sender sends Com(u) to the Man in the Middle (Receiver/Sender), who sends Com(u+1) to the Receiver]
MIM “mauls” the left commitment into another commitment to a related value
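The mauling on this slide, worked through as an added example (not code from the talk). The slide names no scheme, so the Pedersen commitment, the toy group parameters and the identity-tagged hash commitment `tagged_commit` are all assumptions chosen for illustration; the tagged variant only contrasts a commitment with no algebraic structure and is not the talk's O(n)-round construction.

```python
import hashlib
import secrets

# Toy parameters constructed for this example (far too small for real use):
# p = 2q + 1 with p and q prime; g and h are squares mod p, so each has order q.
P, Q, G, H = 1019, 509, 4, 9

def commit(u, r=None):
    """Pedersen commitment Com(u) = g^u * h^r mod p. Returns (c, opening)."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, u, P) * pow(H, r, P) % P, (u % Q, r)

def verify(c, opening):
    u, r = opening
    return c == pow(G, u, P) * pow(H, r, P) % P

def maul(c):
    """Man in the middle: turn Com(u) into Com(u+1) without knowing u or r."""
    return c * G % P

def maul_opening(opening):
    """Once the left opening (u, r) is revealed, (u+1, r) opens the mauled value."""
    u, r = opening
    return ((u + 1) % Q, r)

def tagged_commit(identity, u, r=None):
    """Hash commitment bound to the committer's identity (hypothetical helper)."""
    r = secrets.token_bytes(32) if r is None else r
    data = identity.encode() + b"|" + str(u).encode() + b"|" + r
    return hashlib.sha256(data).hexdigest(), (u, r)

def tagged_verify(identity, c, opening):
    u, r = opening
    return c == tagged_commit(identity, u, r)[0]

def demo():
    u = 41                                   # constructed sample value
    c_left, d_left = commit(u)               # Sender -> MIM
    c_right = maul(c_left)                   # MIM -> Receiver
    d_right = maul_opening(d_left)           # MIM reuses the sender's randomness
    mauled_ok = verify(c_right, d_right) and d_right[0] == u + 1
    # With identities i != j, a copied commitment does not verify on the right.
    t_left, t_open = tagged_commit("sender-i", u)
    replay_ok = tagged_verify("mim-j", t_left, t_open)
    return mauled_ok, replay_ok

if __name__ == "__main__":
    print(demo())
```

The Pedersen commitment stays hiding and binding throughout; the mauling succeeds anyway, which is why non-malleability is a separate requirement from those two properties.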

24
Non-Malleable w.r.t. commitment [DDN91, PR05, LPV08]
[Figure: REAL (MIM) vs. IDEAL (Simulator); identities i and j ≠ i; left commitment C_i(u), right commitments C_j(v) and C_j(v’); output v’ = v]
Can construct O(1)-round concurrent NMC w.r.t. commitment based on OWFs [LP12,Goy12]

25
Non-Malleable w.r.t. opening [CIO98,FF00,PR05]
[Figure: REAL (MIM) vs. IDEAL (Simulator); identities i and j ≠ i; left commitment C_i(u) with opening u, right commitments C_j(v) and C_j(v’) with openings v and v’]
Can construct O(1)-round stand-alone NMC w.r.t. opening based on CRHs for synchronized adversaries [PR05]

26
What we need?
[Figure: MIM with left commitments C_i1(u), C_i2(t), C_i3(w), C_i4(x), C_i5(y) and openings u, t, w, x, y; right commitments C_j1(v), C_j2(v’), C_j3(u’) and openings v, v’, u’]
Concurrent Non-Malleable Commitments w.r.t. opening
Adaptively Secure

27
Concurrent Non-Malleable Commitments w.r.t. opening
Adaptively Secure
[Figure: MIM side: C_i1(u), u, C_i2(w), w, …, C_j(v’), v’. Simulator side: u, w, …, C_j(v’), v’.]
Relaxation: Left commitments are i.i.d. samples

28
Main Lemma: Assuming OWFs and Puzzle, O(n)-round Adaptively-secure Conc. NMC w.r.t. opening and i.i.d. samples
Relaxation: Left commitments are i.i.d. samples
No additional trusted infrastructure to achieve non-malleability!
A single CRS/URS/sunspot is sufficient
same gains as static case
“What is a few rounds of communication between friends”

29
Ingredient I – Scheduling [DDN]
Non-Malleable Sub-protocols
i.e., receiving Green does not help giving Orange and vice versa

30
Can rewind the right without rewinding the left!
[Figure: schedules for Id = 0 and Id = 1]

31
UC-Puzzle
[Figure labels: Challenger, Solver, Puzzle, TRAPDOOR, NP-statement, NP-witness]
Soundness: No malicious Solver can output the trapdoor after interaction
Simulation: Concurrent Adversary A, Simulator S that simulates all puzzles indistinguishably while extracting the trapdoor

32
Ingredient II – Instance Based Comm. [LZ09]
UC-Puzzle NP-statement
W/O Trapdoor: Commitment is binding
With Trapdoor: Reveal it to 0 and 1
Hamiltonian Circuit Scheme: Commit to adjacency matrix
Commit 0 : Commit to true adjacency matrix
Commit 1 : Commit to a simple cycle
Equivocate : Commit to true adjacency matrix

33
Application: Conc. NM Coin Tossing
[Figure: messages ANMCOM(r), r’, r]
Coin toss output = r+r’
IDEA FOR UC-COM: Create two URS
Sender to Receiver (URS1) – equivocate (using OWF)
Receiver to Sender (URS2) – extract (using sim PKE)

34
Main Theorem: Assuming existence of sim. PKE and Adap. UC Puzzle, Adaptive UC-security is achievable
Main Lemma: Assuming existence of OWFs and Adap. UC Puzzle, O(n)-round Adaptively-secure Concurrent NMC w.r.t. opening and i.i.d. samples
UC-Puzzle:
Hard for Adversary to solve in real world
Easy for Simulator to obtain trapdoor

35
Corollaries
Trusted Setups
— Common Reference String [CLOS02,CPS07,CDPW07,DNO10]
— Public Key Registration [BCNP04,DNO10]
— Tamper-Proof Hardware [Kat07,CGS08,GISVW10]
— Timing Model [DNS98,KLP05]
Relaxed Security
— Super-Poly Time Simulation (SPS) [Pas03, BS05, GGJS12]
— Angel-based Security Model [PS04, MMY06,CLP10]
— Bounded (Player) Concurrent [Barak, Goyal1, Goyal2]
— Non-Uniform Simulation [LPV09]
✓ ✓ ✓ ✓ ✓ ✓ ✓

36
Static vs Adaptive
Static UC Security
  Assumptions: SA-OT and Puzzle (NECESS. and SUFF.)
  Rounds: O(1)-rounds
  What can we compute? Any PPT computation
Adaptive UC Security
  Assumptions: Sim. PKE and Puzzle
  Rounds: O(nd)-rounds (d = depth(C))
  What can we compute? Not Everything! [IKOS10]

37
Conclusion
Characterize when Adaptive UC is achievable
Next…
Reduce complexity assumptions
– trapdoor simulatable PKE are suff. for NCE [CDMW09]
– improve round complexity
[Recent] UC-Adaptive Security in O(d)-rounds [V14]
Angel Based UC-Security [PS04,CLP10,…]
– reasonable model without any setup
– implies SPS
– linear-blowup in rounds with black-box tech. [GS12]

38
How can we achieve O(1)-round adaptive semi-honest 2-party computation?
… still open

39
THANKS
