Adaptively Secure Broadcast, Revisited

Presentation transcript:

Adaptively Secure Broadcast, Revisited
Juan A. Garay (AT&T), Jonathan Katz (UMD), Ranjit Kumaresan (UMD), Hong-Sheng Zhou (UMD)

Speaker notes: The title of my talk is '…'. I'm …, and this is joint work with ….

Talk Outline

Preliminaries
- Broadcast
- Simulation-based security

The Hirt-Zikas result [HZ10]
- Adaptive attacks on broadcast protocols
- Impossibility of adaptively secure broadcast!

Here:
- (Re)examining their communication model
- Is adaptively secure broadcast possible?

Speaker notes: We first start by introducing broadcast and the notions of security under which broadcast protocols are analyzed.
- Broadcast was historically studied in the static setting, using property-based definitions.
- Surprisingly, [HZ10] showed that existing protocols are insecure against adaptive attacks.
- In fact, they prove impossibility of adaptively secure broadcast.
- Is this true? If so, what does that say about the feasibility of adaptively secure MPC?
- Looking more closely at their model, we observe that it is a worst-case model where adaptive corruptions can happen in the middle of a round. (Explain their model, explain why this is different from the usual "atomic" model, and why the atomic model seems more realistic.)
- So is adaptively secure broadcast possible in the atomic model?
- We show that it is. (Describe the protocol.)
- As described, the protocol uses UC commitments. But this will require additional setup like a CRS, as well as strong cryptographic assumptions. Is that necessary? Note that a CRS is not needed in the static case, and OWFs suffice there.
- In fact, a weaker variant of commitment suffices for us.

Broadcast [PSL80, LSP82]

The sender holds a message m.
- Correctness: if the sender is honest, then all parties output the sender's message.
- Agreement: all honest parties always output the same message.

Speaker notes: Broadcast is a fundamental cryptographic network primitive, very closely related to Byzantine agreement. Correctness is illustrated on the left, agreement on the right.

Modeling the Problem

Adversary model
- Centralized Byzantine adversary
- Corrupts at most t out of n parties
- Static or adaptive adversary
  - Static: parties corrupted before execution begins
  - Adaptive: parties corrupted during protocol execution

Communication model
- Point-to-point, secure and authenticated channels
- Synchronous network

Speaker notes: The broadcast problem has typically been studied in a Byzantine adversarial setting, where a centralized adversary can corrupt at most some threshold t out of n parties. The corruption could be either static or adaptive (how to talk about erasure?). The typical communication model assumes parties connected pairwise by secure and authenticated channels in an underlying synchronous network (more details on the network model soon).

Prior Work
- Unconditional security iff t < n/3 [PSL80, LSP82, …]
- Computational security for t < n [PSL80, DS83, …], assuming a public-key infrastructure (PKI) and digital signatures
- Most prior work focuses on "property-based" notions of security

Speaker notes: There has been a long line of work on broadcast. It is now well known that we can get broadcast with unconditional security if and only if t < n/3. If we want higher fault tolerance, we can still obtain broadcast provided there is an initial setup phase: in the computational model, given a PKI and signatures, it is known how to obtain broadcast for an arbitrary number of corruptions. Point out that most prior work focuses on property-based definitions.

Simulation-Based Security
- Awkward or difficult to define adaptive security using property-based definitions
  - "If the sender is honest, then…" – but what if the sender starts honest and is later corrupted?
- Cleaner definitions using the simulation paradigm
- Side benefits: secure composition; security under concurrent executions

Speaker notes: In this work we are concerned with an alternative security model called simulation-based security. There are a number of benefits when working in this model. For example, … Furthermore, … Other side benefits include secure composition, which is so important for broadcast since higher-level protocols are typically designed assuming a "broadcast channel".

The Simulation Paradigm [GMW87]

Left: real-world cryptographic protocol. Right: ideal world with a trusted third party carrying out the task.

Speaker notes: A short pictorial representation of the simulation paradigm. On the left is the real execution: the parties interact among themselves, in the real world, as it happens in the network. On the right is the ideal world, the most secure model one can imagine: the parties interact only with a trusted party (e.g., the trusted third party might be realizing broadcast, or it might be running an auction protocol); there is no network and no interaction among the parties themselves.

The Simulation Paradigm (cont'd)

REAL ≈ IDEAL

Speaker notes: For every adversary who is active on the left, we have an ideal-world adversary on the right such that it is impossible to say which is the left execution and which is the right: the views of the parties are indistinguishable.

Universally Composable Security [Can01]

Environment; REAL ≈ IDEAL; concurrent composition.

Speaker notes: There is a stronger extension of the simulation paradigm that studies the security of concurrent executions of protocols: multiple protocols running on the left, multiple protocols running on the right (here we have shown only one execution). This gives concurrent security plus composable security. Composability is important because broadcast protocols are typically used as a subroutine in other, larger protocols.

The Broadcast Functionality

Functionality F_BC:
1. F_BC receives m from the sender.
2. F_BC sends m to all recipients.

Speaker notes: For broadcast, how do we define the trusted third party in the simulation paradigm? A simple, intuitive two-step definition. What does adaptive security mean in this model? Corruption of the sender, for example, could happen after the trusted party has already received m.

Adaptively Secure Broadcast?

Hirt-Zikas '10: adaptive attacks on all existing broadcast protocols. All existing broadcast protocols are not adaptively secure.

Speaker notes: Recently, [HZ10] showed adaptive attacks on all existing protocols. This is surprising: the attacks were missed by property-based definitions, yet they are real attacks on broadcast protocols, not just something that arises from definitional issues.

An Adaptive Attack

Round 1: the sender sends message v. Later: the now-corrupted sender continues the protocol with message v', and v' is what the other parties end up with.

Speaker notes: A short animated look at the [HZ10] adaptive attack. The sender's first-round message is received by the adversary. Depending on the received message, the adversary decides to corrupt the sender, and subsequently behaves as an honest sender with a different message v' for the remainder of the protocol.

Adaptively Secure Broadcast?

Hirt-Zikas '10: adaptive attacks on all existing broadcast protocols. Adaptively secure broadcast is impossible for t > n/2.

Speaker notes: The attack shown previously worked on all existing protocols. In fact, using the simple idea behind the attack, they even give an impossibility result when t > n/2. This raises a lot of questions: no adaptively secure broadcast channel at all? What about secure computation protocols?

Communication Model: A Closer Look

[HZ10] model: the adversary can corrupt the sender and change its messages in the same round. Crucial for their impossibility result.

"Atomic delivery model" [Can00, LLR02, …]: the sender's messages cannot be changed once sent. No corruption "in the middle of a round".

Speaker notes: More justification; animation. Clarify that multi-send does not solve the problem of broadcast.

Comment on slide 17: this slide is the key to the whole talk, in some sense. I'm not sure it is entirely clear. Bullet 1a sounds like the standard rushing model (which we also assume). Bullet 1b is unclear: the corruption is *only* interesting when it's a sender (so I wouldn't write "incl. sender"). The impossibility result relies on the ability to corrupt in the middle of a round, and to change a message that was sent and not yet received. You could probably illustrate this with an animation. For our network model, we don't require that all parties get their messages at the same time. We just need to view sending messages in a round as "atomic": i.e., the honest sender puts n-1 messages (one to each party) on the respective channels, and the adversary cannot receive a message, then corrupt the sender, and then change a message he already sent.

Is Adaptive Security Possible?

Is adaptively secure broadcast possible for t > n/2 if we assume "atomic" message delivery? Note: the [HZ10] attacks work on known protocols even in this model. Yes! Adaptively secure broadcast is possible for t < n.

Speaker notes: [HZ10] work in the left model; we want to work in the right model. Now that we are in the right model, with atomic message delivery, can we get adaptively secure broadcast? Our short answer is yes: indeed, it is possible to get adaptively secure broadcast for an arbitrary number of corruptions. However, variants of the [HZ10] adaptive attack still work against known protocols: the sender can be corrupted in the 2nd round and behave honestly with a different message starting from round 2; or the sender can be detected as corrupt, and typically correctness is not guaranteed for such senders.

Relaxed Broadcast Functionality F_RBC [HZ10]

1. F_RBC receives m from the sender.
2. F_RBC sends m to the adversary.
3. The adversary decides whether to corrupt the sender; if it does, the adversary may change m to any desired value.
4. F_RBC sends m to all recipients.

Existing protocols (e.g., [DS83]) give adaptively secure relaxed broadcast for t < n.

Speaker notes: An important subroutine in our protocol is the relaxed broadcast functionality. It is the same as F_BC (steps 1 and 4) with the two highlighted modifications (steps 2 and 3): the adversary learns m and gets a chance to corrupt the sender and change the value. This exactly captures the effect of the [HZ10] attack; [HZ10] also prove that existing protocols realize it.

Commitments

Alice (message m) commits to Bob and later opens the commitment to m.
- Hiding: m is hidden from Bob
- Binding: Alice can open the commitment only to m

Speaker notes: Another gadget that we use in our constructions is secure commitments: a fundamental two- or multi-party primitive in secure computation, with two phases (commit and open) and two properties (hiding and binding).

Our Broadcast Protocol
1. Sender sends a commitment to m using F_RBC.
2. Sender sends the decommitment to each receiver via point-to-point channels.
3. Each receiver broadcasts the decommitment they received using F_RBC.
4. All players agree on the first valid decommitment, and output the corresponding message m.

Speaker notes: Based on the two gadgets, we are ready to show the protocol. Four stages; explain them. Key point: at least one honest party receives the honest decommitment from an honest sender, so in step 4 every honest party receives this honest decommitment.

Avoiding Adaptive Attacks
1. Sender sends a commitment to m using F_RBC. (The adversary learns nothing about m.)
2. Sender sends the decommitment to each receiver via point-to-point channels. (All honest parties receive the decommitment; even if the sender is corrupted afterwards, the committed value cannot be changed.)
3. Each receiver broadcasts the decommitment they received using F_RBC.
4. All players agree on the first valid decommitment, and output the corresponding message m.

Speaker notes: Reiterate the key point: one honest player gets the honest sender's decommitment. When the dealer starts out honest, the dealer's message is committed after stage 2 (even if the adversary corrupts the dealer at that point). Then you can mention that this raises a problem: the dealer is not committed after stage 1 (since the adversary can corrupt the dealer and then send no valid decommitments). Even though this is not a fundamental problem, since the adversary has to make its decision of whether to corrupt the dealer without knowing the dealer's message, it is a problem for the simulator, who has to give the commitment before knowing the dealer's message.
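The following single-process simulation, added here as an illustration and not the authors' code, runs the four stages above against an adaptive adversary in the atomic-delivery model, with F_RBC modeled as on the earlier slide (the adversary sees every payload before delivery and may substitute it if it corrupts the sender at that moment). The hash commitment, the numbering of parties (party 0 is the sender) and the adversary's interface are assumptions of the demo. It also runs the naive protocol (relaxed broadcast of m itself) so the [HZ10] attack can be seen side by side.

```python
"""Toy simulation of the commitment-based broadcast protocol in the atomic-delivery
model. Illustrative code written for this page; party 0 is the sender."""
import hashlib
import os
from typing import Callable, Dict, Optional, Tuple

Decom = Optional[Tuple[bytes, bytes]]   # (message, randomness); None stands for garbage


def commit(m: bytes, r: bytes) -> bytes:
    """Toy hash commitment standing in for the paper's commitment scheme (assumption)."""
    return hashlib.sha256(len(m).to_bytes(2, "big") + m + r).digest()


def opens(com: bytes, d: Decom) -> bool:
    return d is not None and commit(d[0], d[1]) == com


class Adversary:
    """Adaptive adversary. F_RBC shows it each payload before delivery; if it
    corrupts the sender at that moment it may substitute the value [HZ10].
    Receivers it controls echo garbage in stage 3."""

    def __init__(self, policy: Callable[[bytes], bool], substitute: bytes, corrupt=()):
        self.policy = policy            # "corrupt the sender on seeing this value?"
        self.substitute = substitute    # what a freshly corrupted sender broadcasts instead
        self.corrupt = set(corrupt)
        self.sender_corrupted_in: Optional[str] = None   # bookkeeping for the demo

    def on_rbc(self, sender: int, payload, stage: str):
        if sender == 0 and 0 not in self.corrupt and self.policy(payload):
            self.corrupt.add(0)
            self.sender_corrupted_in = stage
            return self.substitute
        if sender != 0 and sender in self.corrupt:
            return None
        return payload

    def sees_p2p(self, recipient: int, msg: Decom, stage: str) -> None:
        # Only messages to corrupted receivers are visible. The round is atomic:
        # all n-1 messages are already on their channels, so corrupting the
        # sender here cannot rewrite what the honest sender sent to the others.
        if (recipient in self.corrupt and msg is not None
                and 0 not in self.corrupt and self.policy(msg[0])):
            self.corrupt.add(0)
            self.sender_corrupted_in = stage


def relaxed_broadcast(adv: Adversary, sender: int, payload, stage: str):
    """F_RBC: the adversary inspects the payload (and may change it if it corrupts
    the sender now); every party then receives the same value."""
    return adv.on_rbc(sender, payload, stage)


def naive_broadcast(adv: Adversary, m: bytes, n: int) -> Dict[int, bytes]:
    """Relaxed broadcast of m itself: the sender's first-round message reveals m,
    so the adversary can decide to corrupt based on it (the [HZ10] attack)."""
    out = relaxed_broadcast(adv, 0, m, "round 1")
    return {p: out for p in range(1, n) if p not in adv.corrupt}


def committed_broadcast(adv: Adversary, m: bytes, n: int,
                        corrupt_sender_stage2=None) -> Dict[int, Optional[bytes]]:
    """Stages 1-4 of the protocol. Returns the honest receivers' outputs."""
    r = os.urandom(16)
    # Stage 1: commitment via F_RBC; the adversary sees com, not m.
    com = relaxed_broadcast(adv, 0, commit(m, r), "stage 1")
    # Stage 2: decommitment to each receiver, point-to-point, in one atomic round.
    # A sender corrupt from the start may send inconsistent decommitments.
    if 0 in adv.corrupt and corrupt_sender_stage2 is not None:
        p2p = corrupt_sender_stage2(m, r)
    else:
        p2p = {p: (m, r) for p in range(1, n)}
    for p in range(1, n):
        adv.sees_p2p(p, p2p[p], "stage 2")
    # Stage 3: each receiver relaxed-broadcasts the decommitment it received.
    echoed = {p: relaxed_broadcast(adv, p, p2p[p], "stage 3") for p in range(1, n)}
    # Stage 4: first valid decommitment in party order. Honest parties share com
    # and the echoes, so they agree; if the sender was honest through stage 2 the
    # first valid opening is to m (the hash commitment has no second opening).
    first = next((echoed[p] for p in sorted(echoed) if opens(com, echoed[p])), None)
    out = None if first is None else first[0]
    return {p: out for p in range(1, n) if p not in adv.corrupt}
```

With a policy that corrupts the sender on seeing the input b"attack", `naive_broadcast` delivers the substituted value to everyone and records that the corruption was decided in round 1 from the sender's message, which no ideal-world adversary for F_BC can do. `committed_broadcast` with one corrupted receiver shows the adversary still learning m in stage 2 and corrupting the sender then, yet all honest receivers output m; with a sender corrupt from the start and inconsistent stage-2 decommitments, the honest receivers still agree on one value.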

Simulation
1. Sender sends a commitment to m using F_RBC. (The simulator sends dummy commitments.)
2. The simulator gets m from F_BC and generates a decommitment to m; it then sends this to all parties via point-to-point channels.
3. Each receiver broadcasts the decommitment via F_RBC.
4. All players agree on a valid decommitment, and output the corresponding message m.

UC commitments allow the simulator to open the commitment to any m.

Speaker notes: In the simulation, once the first stage is completed, the simulator will have had to send commitments to messages that it doesn't know. Still, the simulation can be completed using UC commitments, which allow the simulator to open the broadcast commitment to any message.

Setup Assumptions?
- As written, we use UC commitments.
- UC commitments require additional setup assumptions and stronger cryptographic assumptions that we would like to avoid!
- In fact, honest-binding commitments suffice: binding once the sender acts honestly during the commit phase. Can be realized with no additional setup, based on OWF.

Example based on Pedersen's commitment:
- Honest sender, input m: choose h, x; com = (h, g^m h^x).
- Simulator, no input: choose r, y; com = (g^r, g^y).
- Equivocation, on input m: set x = (y - m)/r; output (g^r, x).

Speaker notes: We showed a protocol with UC commitments, which require additional setup and stronger cryptographic assumptions. Traditional broadcast protocols require no further setup, so we are motivated to look for solutions that require no additional setup. We propose a variant of standard commitment called honest-binding, which can be realized with no additional setup. As the name suggests, it is binding for a sender that is honest in the commit phase, which is sufficient to avoid adaptive attacks (a merely semi-honest commitment is not good enough for this!). Note that there is no binding for a dishonest sender, but that's OK: a dishonest sender may use the honest-binding commitment and two different decommitments may later be broadcast, but then everyone knows the commitment has two decommitments and they all choose the first one.
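The Pedersen-style example above, written out as runnable code for this page (not the authors' implementation). The toy group p = 1019, q = 509, g = 4 (p = 2q + 1, g generating the order-q subgroup) is an assumption chosen so the example runs instantly, not a secure instantiation; messages are elements of Z_q. The honest sender samples h as a random subgroup element with no known discrete log, which is what makes the commitment binding for her; the simulator instead picks h = g^r with r known, and the same trapdoor lets a dishonest sender produce two valid openings of one commitment.

```python
"""Honest-binding commitment (Pedersen-style) with the simulator's equivocation.
Toy parameters, illustrative code written for this page."""
import secrets
from typing import Tuple

P, Q, G = 1019, 509, 4          # assumption: p = 2q + 1, g generates the order-q subgroup

Commitment = Tuple[int, int]    # (h, c)
Opening = Tuple[int, int]       # (m, x)


def random_subgroup_element() -> int:
    """A random element of the order-q subgroup with no known discrete log:
    square a random unit mod p (avoiding 1). Choosing h this way is the
    'honest' commit phase that the binding property relies on."""
    while True:
        h = pow(secrets.randbelow(P - 1) + 1, 2, P)
        if h != 1:
            return h


def honest_commit(m: int) -> Tuple[Commitment, Opening]:
    """Honest sender: choose h, x; com = (h, g^m h^x); decommitment (m, x)."""
    h = random_subgroup_element()
    x = secrets.randbelow(Q)
    return (h, pow(G, m, P) * pow(h, x, P) % P), (m % Q, x)


def verify(com: Commitment, opening: Opening) -> bool:
    """Receiver's check: g^m h^x == c."""
    h, c = com
    m, x = opening
    return pow(G, m, P) * pow(h, x, P) % P == c


def simulator_commit() -> Tuple[Commitment, Tuple[int, int]]:
    """Simulator (no input yet): choose r, y; com = (g^r, g^y); keep (r, y)."""
    r = secrets.randbelow(Q - 1) + 1
    y = secrets.randbelow(Q)
    return (pow(G, r, P), pow(G, y, P)), (r, y)


def equivocate(trapdoor: Tuple[int, int], m: int) -> Opening:
    """On learning m: x = (y - m) / r mod q, so that g^m (g^r)^x = g^y."""
    r, y = trapdoor
    return (m % Q, (y - m) * pow(r, -1, Q) % Q)


if __name__ == "__main__":
    com, opening = honest_commit(42)
    print("honest opening verifies:", verify(com, opening))
    scom, td = simulator_commit()
    print("simulator opens to 42 and to 7:",
          verify(scom, equivocate(td, 42)), verify(scom, equivocate(td, 7)))
```

The last two lines of the demo are exactly the "two different decommitments" the notes mention: only a committer who chose h with a known discrete log can produce them, so the protocol's rule of taking the first valid decommitment is what restores agreement for such a sender.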

Our Result (Summarized)

Assuming a PKI and digital signatures, there exists a (universally composable) broadcast protocol secure against adaptive corruption of any t < n parties.

Speaker notes: Main result: no setup beyond the PKI, an arbitrary number of corruptions, adaptive security.

Applications to Secure Computation
- Protocols for secure computation are typically designed/analyzed assuming a broadcast channel.
- Plug in a protocol that realizes F_BC: security when run over a point-to-point network.
- Can we use a protocol realizing F_RBC instead? Better efficiency? Secure computation in the [HZ10] network model?
- We observe that F_RBC suffices for most specific constructions: the messages broadcast are always commitments to some value.

Speaker notes: Composition: secure computation protocols are typically designed or analyzed assuming a broadcast channel; replace F_BC by a protocol realizing it and get security by composition. We also have F_RBC, which is more efficient, and necessary for secure computation in the [HZ10] model, where adaptively secure broadcast is impossible. In fact, F_RBC is sufficient for certain constructions, where the broadcast messages are commitments, in both the [HZ10] model and our atomic model.

Summary

Adaptively secure broadcast for t < n, assuming the "standard" synchronous communication model. Our result:
- Matches the threshold for statically secure broadcast
- Requires no additional setup or assumptions
- Can be safely used within arbitrary other protocols

Speaker notes: We investigated the adaptively secure broadcast problem in the standard synchronous network model, and we showed an adaptively secure broadcast protocol that gets the best threshold, i.e., security against an arbitrary number of corruptions, with no additional setup, and is safe for composition.

Thank You