Helger Lipmaa University of Tartu, Estonia

Slides:



Advertisements
Similar presentations
Secure Computation Slides stolen from Joe Kilian & Vitali Shmatikov Boaz Barak.
Advertisements

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Secure Evaluation of Multivariate Polynomials
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Oblivious Transfer based on the McEliece Assumptions
Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
Intro To Encryption Exercise 1. Monoalphabetic Ciphers Examples:  Caesar Cipher  At Bash  PigPen (Will be demonstrated)  …
CRYPTOGRAPHY WHAT IS IT GOOD FOR? Andrej Bogdanov Chinese University of Hong Kong CMSC 5719 | 6 Feb 2012.
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
Optimistic Synchronous Multi-Party Contract Signing N. Asokan, Baum-Waidner, M. Schunter, M. Waidner Presented By Uday Nayak Advisor: Chris Lynch.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.
Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.
Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall.
Cryptography Lecture 8 Stefan Dziembowski
Efficient and Robust Private Set Intersection and multiparty multivariate polynomials Dana Dachman-Soled 1, Tal Malkin 1, Mariana Raykova 1, Moti Yung.
Optimistic Mixing for Exit-Polls Philippe Golle, Stanford Sheng Zhong, Yale Dan Boneh, Stanford Markus Jakobsson, RSA Labs Ari Juels, RSA Labs.
6. Esoteric Protocols secure elections and multi-party computation Kim Hyoung-Shick.
Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
Secure Computation (Lecture 2) Arpita Patra. Vishwaroop of MPC.
Almost Entirely Correct Mixing With Applications to Voting Philippe Golle Dan Boneh Stanford University.
Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocols Namibia Angola 1. N 2. E(N,K) SAAF Impala Russian MIG 1 Military needs many specialized.
Chapter eight: Authentication Protocols 2013 Term 2.
Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption.
1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.
Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.
Topic 36: Zero-Knowledge Proofs
On the Size of Pairing-based Non-interactive Arguments
MPC and Verifiable Computation on Committed Data
Some slides borrowed from Philippe Golle, Markus Jacobson
Authenticated encryption
Group theory exercise.
Digital Signature Schemes and the Random Oracle Model
Course Business I am traveling April 25-May 3rd
Cryptographic protocols 2014, Lecture 8 multi-round and multi-party
Cryptographic protocols 2015, Lecture 14 Garbled Circuits
Cryptographic protocols 2014, Lecture 6
Cryptographic protocols 2016, Lecture 12 Sigma protocols
cryptographic protocols 2014, lecture 12 Getting full zero knowledge
cryptographic protocols 2016, lecture 13 Sigma protocols for DL
Cryptographic protocols 2016, Lecture 9 multi-party computation
Cryptographic protocols 2016, Lecture 3 Key Exchange, CDH, DDH
Cryptographic protocols 2015, Lecture 3 Key Exchange, CDH, DDH
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Efficient Short-Password Key Exchange (ESP-KE)
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Cryptographic protocols 2016, Lecture 8 multi-round protocols
Diffie/Hellman Key Exchange
The power of Pairings towards standard model security
Oblivious Transfer.
Cryptography Lecture 24.
Differential Privacy (1)
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Presentation transcript:

Helger Lipmaa University of Tartu, Estonia Cryptographic protocols 2016, Lecture 11 Malicious model. Idea of zero knowledge Helger Lipmaa University of Tartu, Estonia

Up to now Introduction to the field Secure computation protocols Can do "everything'' but not necessarily efficiently Big assumption: parties follow protocol

this time Why semihonest model is not sufficient Malicious model: desiderata Example protocols and problems Short introduction to zero knowledge "Conceptual" lecture - few really technical details

reminder: general model x1 f1(x1,...,xn) xn x2 fn(x1,...,xn) f2(x1,...,xn) Protocol x4 x3 f4(x1,...,xn) f3(x1,...,xn)

security: semi-honest model Adversary sees protocol messages and inputs/outputs of some parties. Goal: deduce information about inputs/outputs of anybody else x1 f1(x1,...,xn) xn x2 fn(x1,...,xn) f2(x1,...,xn) Protocol x4 x3 f4(x1,...,xn) f3(x1,...,xn)

security: malicious model Adversary sees and modifies protocol messages and inputs/outputs of some parties. Goal: deduce information about inputs/outputs of anybody else and/or change their outputs (undetected) x1 f1(x1,...,xn) xn x2 fn(x1,...,xn) f2(x1,...,xn) Protocol x4 x3 f4(x1,...,xn) f3(x1,...,xn)

security goals and models Privacy: no more information is revealed than necessary Correctness: parties obtain correct outputs Semihonest model/passive security: assuming everybody is semi-honest Malicious model/active security: even if some parties are malicious Note: correctness in semihonest model is "easy"

malicious vs semihonest Malicious model is much more complicated Parties can behave arbitrarily, still need security Attacks can be surprising/unpredicted even if getting passive security is trivial Guaranteeing active security: often costly

Concrete protocols We will now see a few concrete protocols and possible attacks Needed to get some intuition We use this intuition to somewhat-formalize malicious model

reminder: (2, 1)-CPIR protocol r←ℤn* c←Enc(x; r) r'←ℤn* d← c f₁ - f₀ · Enc(f0; r') c pk,sk x∈{0,1} pk f = (f0,f1) fi∈{0,1}L M←Dec(d) d M = (f1 - f0) x + f0 = fx

quiz: what can bad alice do? Protocol r←ℤn* c←Enc(x; r) r'←ℤn* d← c f₁ - f₀ · Enc(f0; r') c pk,sk x∈{0,1} pk f = (f₀,f₁) fᵢ∈{0,1}ᴸ not send anything send an non-ciphertext encrypt x that does not come from a valid domain create a valid ciphertext without even knowing what she encrypted ... M←Dec(d) d M = (f1 - f0) x + f0 = fx

what can alice do? r←ℤn* c←Enc(x; r) r'←ℤn* Protocol c pk pk,sk d← c f₁ - f₀ · Enc(f0; r') c pk,sk x∈{0,1} pk f = (f₀,f₁) fᵢ∈{0,1}ᴸ not send anything cannot protect against it --- but then Alice will just not get her output send a non-ciphertext with most cryptosystems, Bob can efficiently detect it M←Dec(d) d M = (f1 - f0) x + f0 = fx

quiz: what can bad alice do? Protocol r←ℤn* c←Enc(x; r) r'←ℤn* d← c f₁ - f₀ · Enc(f0; r') c pk,sk x∈{0,1} pk f = (f₀,f₁) fᵢ∈{0,1}ᴸ encrypt x that does not come from a valid domain // x is not Boolean if Alice encrypts x = 2L: M = (f1 - f0) 2L + f0 since fi ∈ {0, 1}L then Alice can recover from M first f0 and then f1 Corollary. Alice can completely break Bob's privacy by encrypting wrong input M←Dec(d) d M = (f1 - f0) x + f0 = fx Somewhat non-intuitive that Alice can break privacy

quiz: what can bad alice do? Protocol r←ℤn* c←Enc(x; r) r'←ℤn* d← c f₁ - f₀ · Enc(f0; r') c pk,sk x∈{0,1} pk f = (f₀,f₁) fᵢ∈{0,1}ᴸ create a valid ciphertext without even knowing what she encrypted This does not matter with Paillier: she knows secret key and thus can decrypt her message With Elgamal: she will not learn more than by "just encrypting 2L" However, this attack is relevant with some other protocols M←Dec(d) d M = (f1 - f0) x + f0 = fx

quiz: what can bad bob do? Protocol r←ℤn* c←Enc(x; r) r'←ℤn* d← c f₁ - f₀ · Enc(f0; r') c pk,sk x∈{0,1} pk f = (f₀,f₁) fᵢ∈{0,1}ᴸ not send anything send a non-ciphertext use incorrect database but correct linear function send encryption of wrong linear function ... M←Dec(d) d M = (f1 - f0) x + f0 = fx

quiz: what can bad bob do? Protocol r←ℤn* c←Enc(x; r) r'←ℤn* d← c f₁ - f₀ · Enc(f0; r') c pk,sk x∈{0,1} pk f = (f₀,f₁) fᵢ∈{0,1}ᴸ not send anything Alice can detect it but she can do nothing about it It is one of the attacks we cannot protect against even theoretically M←Dec(d) d M = (f1 - f0) x + f0 = fx

quiz: what can bad bob do? Protocol r←ℤn* c←Enc(x; r) r'←ℤn* d← c f₁ - f₀ · Enc(f0; r') c pk,sk x∈{0,1} pk f = (f₀,f₁) fᵢ∈{0,1}ᴸ send a non-ciphertext Easy to detect by Alice with practically all cryptosystems M←Dec(d) d M = (f1 - f0) x + f0 = fx

quiz: what can bad bob do? Protocol r←ℤn* c←Enc(x; r) r'←ℤn* d← c f₁ - f₀ · Enc(f0; r') c pk,sk x∈{0,1} pk f = (f₀,f₁) fᵢ∈{0,1}ᴸ use incorrect database but correct linear function Alice obtains Fx where F is a wrong database Second attack against which we cannot protect even theoretically: Bob enters wrong inputs M←Dec(d) d M = (f1 - f0) x + f0 = fx

quiz: what can bad bob do? Protocol r←ℤn* c←Enc(x; r) r'←ℤn* d← c f₁ - f₀ · Enc(f0; r') c pk,sk x∈{0,1} pk f = (f₀,f₁) fᵢ∈{0,1}ᴸ send encryption of wrong linear function For example, M = 0 (no dependence on x) Here, this attack is equal to the previous attack in severity M = ax + b = CPIR with database (b, a + b) But there exist applications where this attack is more severe M←Dec(d) d M = (f1 - f0) x + f0 = fx

ideal model Trusted third party TTP a b a ∈ S1 b ∈ S2 fa(a, b)

ideal model Trusted third party TTP a* b* a ∈ S1 b ∈ S2 fa(a*, b*) Can be wrong Trusted third party TTP a* b* a ∈ S1 b ∈ S2 fa(a*, b*) If no abort: fb(a*, b*) else send "abort" Possible attacks in ideal model: either party aborts after seeing their output either party sends wrong inputs however, the same wrong inputs have to be used consistently throughout the protocol Abort or no abort

real model: security Protocol a* b* a ∈ S1 b ∈ S2 fa(a*, b*) Can be wrong Protocol a* b* a ∈ S1 b ∈ S2 If no abort: fb(a*, b*) else send "abort" fa(a*, b*) Goal: (under a cryptographic assumption) the only possible attacks should be the two attacks that are also possible in the ideal model Abort or no abort

Even if inputs are wrong they should be consistently wrong remarks Only need to protect security of an honest user, so we say consider honest Alice and her security against malicious Bob Everything we said generalises to the case of multiple parties Def. A cryptographic protocol implements a functionality securely if only the following two attacks are possible: any of the parties aborts protocol in the middle some parties run the protocol but on wrong inputs Even if inputs are wrong they should be consistently wrong

recall: homomorphic e-voting Tallier: sees anonymous ciphertext, can decrypt Vote collector: sees who sent which ciphertext, cannot decrypt pk pk sk Enc(f(ci)) Enc(Σf(ci)) Σf(ci) ci∈{0,...,C - 1} complete tally can be computed from this efficiently

quiz: malicious voter pk pk sk Enc(f(ci)) Enc(Σf(ci)) Σf(ci) Tallier: sees anonymous ciphertext, can decrypt Vote collector: sees who sent which ciphertext, cannot decrypt pk pk sk Enc(f(ci)) Enc(Σf(ci)) Σf(ci) ci∈{0,...,C - 1} Voter can: not vote or vote for a "wrong candidate" (= attack in ideal model) Voter computer can also cheat (won't have a separate slide) Can encrypt invalid encoding: Enc (10 f(ci)) - 10 votes for his favorite candidate Enc ((V + 1) f (ci)) - makes tally invalid Enc (-f (cj)) (possible due malleability) - to be different from voter vj ...

Malleability: Auctions Auctions: encrypt your bid, highest bidder wins Alice encrypts c ← Enc (bidAlice) Bob computes d ← c · Enc (1; r) = Enc(bidAlice + 1) Bob wins, with minimal possible bid

Malleability: random coin Goal: // toss a random coin to decide on something encrypt random x, y ∈ {0, 1} output is z = x ⊕ y = x + y - 2xy Alice: encrypts c ← Enc (x) Honest Bob: encrypts d ← Enc (y) Attack: Bob chooses any z ∈ {0, 1}, sets d ← c(1 - 2z) · Enc (z; r) y = (1 - 2z) x + z = x + z - 2xz = x ⊕ z, thus really z = x ⊕ y

quiz: malicious vote collector Tallier: sees anonymous ciphertext, can decrypt Vote collector: sees who sent which ciphertext, cannot decrypt pk pk sk Enc(f(ci)) Enc(Σf(ci)) Σf(ci) ci∈{0,...,C - 1} Can abort protocol (= attack in ideal model) Can forward anything to tallier: drop some votes, insert some votes just encrypt "Putin won 100%" encrypt invalid value (makes tally incorrect) ...

quiz: malicious tallier Tallier: sees anonymous ciphertext, can decrypt Vote collector: sees who sent which ciphertext, cannot decrypt pk pk sk Enc(f(ci)) Enc(Σf(ci)) Σf(ci) ci∈{0,...,C - 1} Can abort protocol (= attack in ideal model) Can output wrong plaintext: Putin won 100% invalid tally something plainly unbelievable...

quiz: main problem Question: what is the main problem with this voting protocol? Answer: unaccountability Not possible to make sure there was cheating who cheated

Ideas for improvements Do not use encodings f (ci) but just encrypt ci Voter sends Enc (ci). If its incorrect, then her vote does not count Additional benefit: With encodings, need to use Paillier since encoding is sparse. Without encoding can use Elgamal How? Obviously then we need to use other tricks Recall that we need to separate the guy who can connect voters to ciphertexts from the guy who can decrypt

mixnet based voting: idea Encrypted votes are "shuffled" by a mixserver More precisely, shuffled and blinded There is usually more than one mixserver Mixservers cannot decrypt, but the first mixserver can connect voters to ciphertexts After final mixing, the resulting ciphertext vector is threshold-decrypted and tally is published

mixnet based e-voting pk pk pk Ci=Enc(ci) Ci’=Cπ(i) · Enc(0; ri) sk: threshold pk pk {ci} in some order π: random permutation ri - random randomizers π': random permutation ri' - random randomizers

mixnet: security properties pk Ci=Enc(ci) Ci’=Cπ(i) · Enc(0; ri) Ci''=C'π'(i) · Enc(0; ri') sk: threshold pk pk Voter can: not vote or vote for a "wrong candidate", ... (=attack in ideal model) If voter computer does it, then it is a different thing Can encrypt invalid encoding: but then his vote is not valid / not counted at the end, so this is ok {ci} in some order π: random permutation ψ: random permutation

mixnet: security properties pk Ci=Enc(ci) Ci’=Cπ(i) · Enc(0; ri) Ci''=C'π'(i) · Enc(0; ri') sk: threshold pk pk Can abort the protocol (= attack in the ideal model) Can output invalid ciphertexts: too few, too many, not all are ciphertexts - easy to detect output is not a shuffle: for no permutation π and for no randomizer ri it holds that Ci’=Cπ(i) · Enc(0; ri) {ci} in some order π: random permutation ψ: random permutation

mixnet: security properties pk Ci=Enc(ci) Ci’=Cπ(i) · Enc(0; ri) Ci''=C'π'(i) · Enc(0; ri') sk: threshold pk pk Can abort the protocol (=attack in ideal model) Can output invalid plaintexts: too few, too many - easy to detect ci is not the decryption of Ci'', for at least one i {ci} in some order π: random permutation ψ: random permutation

note E-voting as other complex real-life protocols have many entities of different functionalities and capabilities/goals We already omitted some entities here for simplicity Voter computer, PKI (provision of public keys), the Internet (service provider?)

how to get security? First idea: let the mixserver publish π and all ri. Then verify that the output is correct. let the voter to publish his vote and ciphertext randomizer. Check they are also correct. Bad for privacy such secret value, revealing of which proves correct action, is called a witness

Second idea Do not reveal the witness Instead let the party to prove that such a witness exists so that the proof does not reveal any side information apart from that Zero-knowledge proof

remark: authentication If this idea sounds crazy, think about authentication pk, sk pk I am The Doctor Prove it! sk ZK proof of knowledge of sk

ZK proof: short definition Syntax: ZK proof is a protocol between a prover P and a verifier V, at the end of which V either accepts or rejects ZK proof satisfies the following security requirements: Completeness: honest V accepts honest P Soundness: honest V does not accept malicious P* Zero-knowledge: malicious V* learns from the proof with a honest P that P is honest and nothing else formal definitions are much more complicated, see the next lecture

recall: homomorphic e-voting Tallier: sees anonymous ciphertext, can decrypt Vote collector: sees who sent which ciphertext, cannot decrypt pk pk sk Enc(f(ci)) Enc(Σf(ci)) Σf(ci) ci∈{0,...,C - 1}

recall: homomorphic e-voting no need for ZK proof (product of public ciphertexts) Tallier: sees anonymous ciphertext, can decrypt Vote collector: sees who sent which ciphertext, cannot decrypt pk pk sk Enc(f(ci)) Enc(Σf(ci)) + ZK proof that the plaintext is f(ci) for some i Σf(ci) + ZK proof that decryption was correct ci∈{0,...,C - 1}

recall: mixnet based e-voting pk Ci=Enc(ci) Ci’=Cπ(i) · Enc(0; ri) Ci''=C'π'(i) · Enc(0; ri') sk: threshold pk pk + ZK proof that the the shuffle is correct + ZK proof that decryption was correct {ci} in some order π: random permutation ri - random randomizers π’: random permutation ri' - random randomizers

Easy exercise. Note: tallier knows sk note on difficulty Some ZK proofs are obviously much more complex than others Proof of correct decryption: with Paillier, tallier can not only compute m but also r proof = (m, r) Proof of correct shuffle: ??? Easy exercise. Note: tallier knows sk

General protocol design Design a passively secure protocol I.e., a protocol that achieves correctness/privacy given participants follow it ... take any protocol we have seen up to now Make it secure in the malicious model by adding ZK proofs to all messages of course this needs "some" care

study outcomes Semihonest vs malicious model Ideal model and our goal in the real model Some protocols and how they can be subverted by malicious parties Idea: ZK proofs

next lecture More information about ZK proofs Initial study: special type of ZK proofs, called Σ-protocols