Adaptively Secure Broadcast, Revisited

Presentation transcript:

1 Adaptively Secure Broadcast, Revisited
Juan A. Garay (AT&T), Jonathan Katz (UMD), Ranjit Kumaresan (UMD), Hong-Sheng Zhou (UMD)

Speaker notes: The title of my talk is '…'. I'm …, and this is joint work with ….

2 Talk Outline
Preliminaries
- Broadcast
- Simulation-based security
The Hirt-Zikas result [HZ10]
- Adaptive attacks on broadcast protocols
- Impossibility of adaptively secure broadcast!
Here:
- (Re)examining their communication model
- Is adaptively secure broadcast possible?

Speaker notes:
- We first start by introducing broadcast and the notions of security under which broadcast protocols are analyzed. Broadcast was historically studied in the static setting, using property-based definitions.
- Surprisingly, [HZ10] showed that existing protocols are insecure against adaptive attacks; in fact, they prove impossibility of adaptively secure broadcast. Is this true? If so, what does that say about the feasibility of adaptively secure MPC?
- Looking more closely at their model, we observe that it is a worst-case model where adaptive corruptions can happen in the middle of a round (explain their model, explain why this is different from the usual "atomic" model, and why the atomic model seems more realistic).
- So is adaptively secure broadcast possible in the atomic model? We show that it is (describe the protocol).
- As described, the protocol uses UC commitments. But this will require additional setup like a CRS, as well as strong crypto assumptions. Is that necessary? Note that a CRS is not needed in the static case, and OWFs suffice there. In fact, a weaker variant of commitment suffices for us.

3 Broadcast [PSL80, LSP82]
Sender holds a message m.
- Correctness: if the sender is honest, then all parties output the sender's message
- Agreement: all honest parties always output the same message
[Figure: the sender distributes m; the recipients' outputs are shown as m2, m3, …]

Speaker notes: Broadcast is a fundamental cryptographic network primitive, very closely related to Byzantine agreement. Correctness is on the left, agreement on the right.

4 Modeling the Problem
Adversary model
- Centralized Byzantine adversary
- Corrupts at most t out of n parties
- Static or adaptive adversary
  - Static: parties corrupted before execution begins
  - Adaptive: parties corrupted during protocol execution
Communication model
- Point-to-point, secure and authenticated channels
- Synchronous network

Speaker notes: The broadcast problem has typically been studied in a Byzantine adversarial setting, where a centralized adversary can corrupt at most some threshold parameter t out of n parties. The corruption could be either static or adaptive (how to talk about erasure?). The typical communication model assumes parties connected pairwise by … in an underlying synchronous network (more details on the network model soon).

5 Prior Work
- Unconditional security iff t < n/3 [PSL80, LSP82, …]
- Computational security for t < n [PSL80, DS83, …], assuming a public-key infrastructure (PKI) and digital signatures
- Most prior work focuses on "property-based" notions of security

Speaker notes: There has been a long line of work on broadcast. It is now well known that we can get broadcast with unconditional security …. If we want higher fault tolerance, then we can still obtain broadcast provided there is an initial setup phase: typically, in a computational model, it is known how to obtain broadcast for an arbitrary number of corruptions. Point out that most prior work focuses on "prop….

6 Simulation-Based Security
- Awkward or difficult to define adaptive security using property-based definitions
  - "If the sender is honest, then…": but what if the sender starts honest and is later corrupted?
- Cleaner definitions using the simulation paradigm
  - (Side benefits: secure composition; security under concurrent executions)

Speaker notes: In this work, we are concerned with an alternate security model called simulation-based security. There are a number of benefits when working in this model. For example, … Furthermore, … Other side benefits include secure composition, which is important for broadcast since higher-level protocols are typically designed assuming a "broadcast channel".

7 The Simulation Paradigm [GMW87]
Real-world cryptographic protocol (left) vs. ideal world with a trusted third party carrying out the task (right)

Speaker notes: A short pictorial representation of the simulation paradigm. On the left is the real execution: parties interact among themselves, the real world as it happens in the network. On the right is the ideal world: parties interact only with a trusted party (e.g., the trusted third party might be realizing broadcast, or it might be running an auction protocol); there is no network and no interaction among the parties. Intuitively, this is the most secure model that can be imagined.

8 The Simulation Paradigm (cont'd)
REAL vs. IDEAL: the views of the parties are indistinguishable

Speaker notes: For every adversary who is active on the left, we have an ideal-world adversary on the right; it is impossible to say which is the left execution and which is the right.

9 Universally Composable Security [Can01]
Environment; concurrent composition (REAL vs. IDEAL)

Speaker notes: There is a stronger extension of the simulation paradigm that studies the security of concurrent executions of protocols: multiple protocols running on the left, multiple protocols running on the right (here we have shown only one execution). This gives concurrent security plus composable security. Composability is important because broadcast protocols are typically used as a subroutine in other, larger protocols.

10 The Broadcast Functionality
Functionality FBC:
1. FBC receives m from the sender.
2. FBC sends m to all recipients.

Speaker notes: For broadcast, how do we define the trusted third party in the simulation paradigm? A simple, intuitive two-step definition. Adaptive security in this model? Corruption of the sender, for example, could happen after the trusted party receives m.

11 Adaptively Secure Broadcast?
Hirt-Zikas '10: Adaptive attacks on all existing broadcast protocols
- All existing broadcast protocols are not adaptively secure

Speaker notes: Recently [HZ10] showed adaptive attacks on all existing protocols. Surprising: these were missed by property-based definitions. They are real attacks on broadcast protocols, not just something that arises due to definitional issues.

12 An Adaptive Attack
[Animation: in the 1st round the sender sends message v; the adversary corrupts the sender, and later the parties receive v' instead]

Speaker notes: A short animated look at the [HZ10] adaptive attack. The sender's first-round message is received by the adversary. Depending on the received message, the adversary decides to corrupt the sender, and subsequently behaves as an honest sender (with a different message v') for the remainder of the protocol.

13 Adaptively Secure Broadcast?
Hirt-Zikas '10: Adaptive attacks on all existing broadcast protocols
- Adaptively secure broadcast is impossible for t > n/2

Speaker notes: The attack shown previously works on all existing protocols. In fact, using the simplest idea behind the attack, they even give an impossibility result when t > n/2. This raises a lot of questions: no adaptively secure broadcast channel at all? What about secure computation protocols?

14 Communication Model: A Closer Look
[HZ10] model
- Adversary can corrupt the sender & change its messages in the same round
- Crucial for their impossibility result
"Atomic delivery model" [Can00, LLR02, …]
- Sender's messages cannot be changed once sent
- No corruption "in the middle of a round"

Speaker notes: More justification; animation. Clarify that multi-send does not solve the problem of broadcast.

Review note embedded in the speaker notes: "slide 17: this slide is the key to the whole talk, in some sense. I'm not sure it is entirely clear. Bullet 1a sounds like the standard rushing model (which we also assume). Bullet 1b is unclear: the corruption is *only* interesting when it's a sender (so I wouldn't write "incl. sender"). The impossibility result relies on the ability to corrupt in the middle of a round, and to change a message that was sent and not yet received. You could probably illustrate this with an animation. For our network model, we don't require that all parties get their messages at the same time. We just need to view sending messages in a round as "atomic": i.e., the honest sender puts n-1 messages (one to each party) on the respective channels, and the adversary cannot receive a message, then corrupt the sender, and then change a message he already sent."

15 Is Adaptive Security Possible?
- Is adaptively secure broadcast possible for t > n/2 if we assume "atomic" message delivery?
- Note: [HZ10] attacks work on known protocols even in this model
- Yes! Adaptively secure broadcast is possible for t < n

Speaker notes: [HZ10] work in the left model; we want to work in the right model. Now that we are in the right model with atomic message delivery, can we get adaptively secure broadcast? Our short answer is yes: it is possible to get adaptively secure broadcast for an arbitrary number of corruptions. However, variants of the [HZ10] adaptive attack still work on known protocols: the sender is corrupted in the 2nd round and behaves honestly with a different message starting from round 2; or the sender is detected as corrupt, and typically correctness is not guaranteed for such senders.

16 Relaxed Broadcast Functionality FRBC [HZ10]
1. FRBC receives m from the sender.
2. FRBC sends m to the adversary.
3. The adversary decides whether to corrupt the sender; if it does, the adversary may change m to any desired value.
4. FRBC sends m to all recipients.
Existing protocols (e.g., [DS83]) give adaptively secure relaxed broadcast for t < n

Speaker notes: An important subroutine in our protocol is the relaxed broadcast functionality. It is the same as FBC (steps 1 and 4) with the two highlighted modifications (steps 2 and 3): the adversary learns m and gets a chance to corrupt the sender and change the value. This exactly captures the effect of the [HZ10] attack; [HZ10] also prove that existing protocols….

17 Commitments
Alice (holding message m) commits to Bob, and later opens the commitment to m.
- Hiding: m hidden from Bob
- Binding: Alice can open the commitment only to m

Speaker notes: Another gadget that we use in our constructions is secure commitments, a fundamental two- or multi-party primitive in secure computation. Two phases: commit and open. Two properties: hiding and binding.

18 Our Broadcast Protocol
1. Sender sends a commitment to m using FRBC
2. Sender sends the decommitment to each receiver via point-to-point channels
3. Each receiver broadcasts the decommitment they received using FRBC
4. All players agree on the first valid decommitment, and output the corresponding message m

Speaker notes: Based on the two gadgets, we are ready to show the protocol. Four stages; explain each. Key: at least one honest party receives the honest decommitment from the honest sender. In step 4, every honest party receives this honest decommitment.

19 Avoiding Adaptive Attacks
1. Sender sends a commitment to m using FRBC (adversary learns nothing about m)
2. Sender sends the decommitment to each receiver via point-to-point channels (all honest parties receive the decommitment)
3. Each receiver broadcasts the decommitment they received using FRBC
4. All players agree on the first valid decommitment, and output the corresponding message m
Even if the sender is corrupted, the committed value cannot be changed

Speaker notes: Reiterate the key point: one honest player gets the honest sender's decommitment. When the dealer starts out honest, the dealer's message is committed after stage 2 (even if the adversary corrupts the dealer at that point). Then you can mention that this raises a problem: the dealer is not committed after stage 1 (since the adversary can corrupt the dealer and then send no valid decommitments). Even though this is not a fundamental problem, since the adversary has to decide whether to corrupt the dealer without knowing the dealer's message, it is a problem for the simulator, who has to give the commitment before knowing the dealer's message.

20 Simulation
1. Sender sends a commitment to m using FRBC (the simulator sends dummy commitments)
2. Simulator gets m from FBC and generates a decommitment to m; it then sends this to all parties via point-to-point channels
3. Each receiver broadcasts the decommitment via FRBC
4. All players agree on a valid decommitment, and output the corresponding message m
UC commitments allow the simulator to open the commitment to any m

Speaker notes: In the simulation, once the first stage is completed, the simulator will have had to send commitments on messages that it doesn't know. Still, the simulation can be completed using UC commitments, which allow the simulator to open the broadcast commitment to any message.

21 Setup Assumptions?
- As written, we use UC commitments
- UC commitments require additional setup assumptions + stronger cryptographic assumptions that we would like to avoid!
- In fact, honest-binding commitments suffice
  - Binding once the sender acts honestly during the commit phase
  - Can be realized with no additional setup, based on OWF
Example based on Pedersen's commitment:
- Honest sender, input m: choose h, x; com = (h, g^m h^x)
- Simulator, no input: choose r, y; com = (g^r, g^y)
- Equivocation, on input m: set x = (y - m)/r; output (g^r, x)

Speaker notes: We showed a protocol with UC commitments, which require additional setup and stronger crypto assumptions. Traditional broadcast protocols require no further setup, so we are motivated to look for solutions which require no additional setup. We propose a variant of standard commitment called honest-binding. It can be realized with no additional setup and, as the name suggests, it is binding for a sender that is honest in the commit phase. This is sufficient to avoid adaptive attacks (a merely semi-honest commitment is not good enough for this!). Note that there is no binding for a dishonest sender, but that's OK: a dishonest sender can use the honest-binding commitment and later have two different decommitments broadcast, but then everyone knows the commitment has two decommitments and they all choose the first one.
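As an added worked example (not code from the paper or the talk), the following Python implements the Pedersen-style honest-binding commitment and the simulator's equivocation from slide 21, and runs the four-stage protocol of slides 18-20 over a toy version of the relaxed broadcast functionality FRBC from slide 16. Everything not on the slides is my assumption for illustration: the group parameters (p = 2039, q = 1019, g = 4, far too small for real security), the party numbering (sender is party 0), and the three adversary knobs `withhold` (sender corrupted right after stage 1), `corrupt_receivers` (receivers the adversary controls, which also models a sender corrupted after its stage-2 messages are on the wire) and `dishonest_commit` (sender corrupt from the start, holding the trapdoor).

```python
"""Added example, not from the paper: Pedersen-style honest-binding commitment
(slide 21), the simulator's trapdoored variant, and the four-stage broadcast
protocol (slides 18-20) run over a toy relaxed-broadcast functionality F_RBC
(slide 16). Group: safe prime p = 2q + 1 and its subgroup of prime order q.
The parameters below are constructed for illustration and give no real security."""
import secrets

P, Q, G = 2039, 1019, 4   # 2039 = 2*1019 + 1; 4 is a quadratic residue, hence of order 1019


def commit(m):
    """Honest sender: fresh h = g^a with the trapdoor a discarded; com = (h, g^m * h^x)."""
    h = pow(G, secrets.randbelow(Q - 1) + 1, P)
    x = secrets.randbelow(Q)
    return (h, pow(G, m % Q, P) * pow(h, x, P) % P), (m % Q, x)


def verify(com, opening):
    """Open com = (h, c) with (m, x): accept iff g^m * h^x == c."""
    (h, c), (m, x) = com, opening
    return pow(G, m % Q, P) * pow(h, x, P) % P == c


def sim_commit():
    """Simulator (dishonest commit phase): h = g^r, c = g^y, keeping (r, y) as a trapdoor."""
    r, y = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q)
    return (pow(G, r, P), pow(G, y, P)), (r, y)


def equivocate(trapdoor, m):
    """Open a trapdoored commitment to any m: x = (y - m) / r mod q, since g^m * (g^r)^x = g^y."""
    r, y = trapdoor
    return (m % Q, (y - m) * pow(r, -1, Q) % Q)


def relaxed_broadcast(msg, adversary):
    """Toy F_RBC [HZ10]: the adversary sees msg and may corrupt the sender and replace it
    (exactly the attack of slide 12); every recipient then gets the same value."""
    return adversary(msg)


def run_protocol(n, m, withhold=False, corrupt_receivers=frozenset(), dishonest_commit=False):
    """Slides 18-20 with sender = party 0 and receivers 1..n-1; returns the honest receivers'
    outputs. withhold: sender corrupted right after stage 1 and refusing to decommit.
    corrupt_receivers: receivers under adversarial control (also models a sender corrupted
    after stage 2, whose decommitments are already on the wire in the atomic model).
    dishonest_commit: sender corrupt from the start and holding the trapdoor (assumed knobs)."""
    honest = [p for p in range(1, n) if p not in corrupt_receivers]
    if dishonest_commit:
        com, trap = sim_commit()
        openings = {p: equivocate(trap, m + p) for p in range(1, n)}   # different m per receiver
    else:
        com, opening = commit(m)
        trap, openings = None, {p: opening for p in range(1, n)}
    # Stage 1: the commitment goes over F_RBC. The adversary sees com, which hides m, so a
    # decision to corrupt the sender here cannot depend on the sender's input.
    com = relaxed_broadcast(com, lambda c: c)
    if withhold:                       # honest commit phase: a corrupted sender can only
        openings = {p: None for p in range(1, n)}   # refuse to open, not open to another m
    # Stage 2: decommitments over point-to-point channels (atomic delivery: once sent, a
    # later corruption of the sender cannot recall or alter them).
    # Stage 3: each receiver announces what it holds via F_RBC. A corrupt receiver instead
    # tries to open com to another message: with the trapdoor this yields a second valid
    # decommitment; without it, reusing the given randomness for m + 1 fails verification.
    announced = {}
    for p in range(1, n):
        held = openings[p]
        if p in corrupt_receivers and held is not None:
            held = equivocate(trap, m + 100) if trap else (held[0] + 1, held[1])
        announced[p] = relaxed_broadcast(held, lambda o: o)
    # Stage 4: F_RBC gave everyone the same stage-3 transcript, so all honest parties pick
    # the same first valid decommitment (or output None if the sender was detectably corrupt).
    for p in range(1, n):
        o = announced[p]
        if o is not None and verify(com, o):
            return {q: o[0] for q in honest}
    return {q: None for q in honest}
```

With an honest commit phase, a late corruption of the sender (or of receivers) cannot produce a second valid opening, so every honest receiver outputs the sender's m; with a trapdoored commitment the sender is not bound, two valid decommitments can appear in stage 3, but all honest parties still agree because they all see the same FRBC transcript and take the first valid one, which is all that is required when the sender is corrupt.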

22 Our Result (Summarized)
Assuming a PKI and digital signatures, there exists a (universally composable) broadcast protocol secure against adaptive corruption of any t < n parties.

Speaker notes: Main result: no additional setup, arbitrary corruptions, adaptive security.

23 Applications to Secure Computation
- Protocols for secure computation are typically designed/analyzed assuming a broadcast channel
- Plug in a protocol that realizes FBC: security when run over a point-to-point network
- Can we use a protocol realizing FRBC instead?
  - Better efficiency…?
  - Secure computation in the [HZ10] network model?
- We observe that FRBC suffices for most specific constructions: the messages broadcast are always commitments to some value

Speaker notes: Composition: protocols are typically designed or analyzed assuming a broadcast channel; replace FBC by a protocol, and get security by composition. We also have FRBC, which is more efficient, and which is necessary for secure computation in the [HZ10] model, where adaptively secure broadcast is impossible. In fact, FRBC is sufficient for certain constructions, where the broadcast messages are commitments, in both the [HZ10] model and our atomic model.

24 Summary
Adaptively secure broadcast for t < n, assuming the "standard" synchronous communication model
Our result:
- Matches the threshold for statically secure broadcast
- Requires no additional setup or assumptions
- Can be safely used within arbitrary other protocols

Speaker notes: We investigated the adaptively secure broadcast problem in the standard synchronous network, and showed an adaptively secure broadcast protocol that gets the best threshold, i.e., secure against arbitrary corruptions, needs no additional setup, and is safe for composition.

25 Thank You

