Information-Theoretic Security and Security under Composition

1
Information-Theoretic Security and Security under
Composition

• Eyal Kushilevitz (Technion)
• Yehuda Lindell (Bar-Ilan University)
• Tal Rabin (IBM T.J. Watson)

2
Secure Multiparty Computation

• A set of parties with private inputs.
• Parties wish to jointly compute a function of
  their inputs so that certain security properties
  (like privacy, correctness and independence of
  inputs) are preserved.
• E.g., secure elections, auctions
• Properties must be ensured even if some of the
  parties maliciously attack the protocol.

3
Secure Computation Tasks

• Examples
• Authentication protocols
• Online payments
• Auctions
• Elections
• Privacy preserving data mining
• Essentially any task

4
Defining Security

• The real/ideal model paradigm for defining
  security GMW,GL,Be,MR,Ca
• Ideal model parties send inputs to a trusted
  party, who computes the function for them.
• Real model parties run a real protocol with no
  trusted help.
• A protocol is secure if any attack on a real
  protocol can be carried out in the ideal model.
• Since no attacks can be carried out in the ideal
  model, security is implied.

5
The Real Model
x
y
Protocol output
Protocol output
6
The Ideal Model
x
y
y
x
f1(x,y)
f2(x,y)
f2(x,y)
f1(x,y)
7
The Security Definition
Protocol interaction
Trusted party
IDEAL
REAL
8
The Ideal Adversary/Simulator

• How is security proven?
• The ideal-model adversary is actually a simulator
• The simulator simulates a real execution, while
  interacting in the ideal model
• The simulation looks just like a real execution
• Important categories of simulators
• Black-box versus nonblack-box simulators
• Rewinding versus non-rewinding simulators
• Non-rewinding is also called straight-line

9
More Details on the Definition

• What does it mean that the real and ideal
  executions look the same?
• Perfect security the distributions are identical
• Statistical security the distributions are
  statistically close
• Computational security the distributions are
  computationally indistinguishable

10
Two Basic Models

• Information-theoretic model
• Unbounded adversaries
• Perfect or statistical security
• Seemingly, no real need for perfection
• Computational model
• Polynomial-time adversaries
• Computational security

11
Real Execution Possible Settings

• The stand-alone model
• A single execution of a single secure protocol
  (or a single execution under attack)
• The classic model of computation
• Security under composition
• Concurrent self composition many executions of a
  single secure protocol
• Concurrent general composition many executions
  of a secure protocol together with arbitrary
  other protocols

12
Security under Composition

• Concurrent self composition
• Many executions of a single secure protocol look
  just like many calls to an ideal trusted party
  FS,DDN,DNS,RK,
• Concurrent general composition
• Many executions of a single secure protocol with
  an arbitrary other protocol look just like many
  calls to an ideal trusted party, together with a
  real arbitrary other protocol DM,PW,Ca
• Modeled by considering an arbitrary protocol that
  contains subroutine calls to the secure
  protocol
• Models the real world the Internet is the
  arbitrary protocol

13
Feasibility of Secure Computation The
Stand-Alone Model

• A fundamental theorem any multiparty
  functionality can be securely computed in the
  stand-alone model
• Computational setting for any number of
  corruptions and assuming (enhanced) trapdoor
  permutations Y86,GMW87
• Information theoretic setting for a 2/3 honest
  majority (or regular majority given a broadcast
  channel) BGW88,CCD88,RB89,B89

Note in the case of no honest majority, the
security requirements are not exactly the same
(i.e., no fairness or guaranteed output delivery)
14
Feasibility of Secure Computation Concurrent
Composition

• Any multiparty problem can be securely computed
  under concurrent general composition
• No honest majority assuming (enhanced) trapdoor
  permutations and a common reference string
  CLOS02
• Honest (or two-thirds) majority Ca01 relying
  on BGW88,CCD88,RB89,B89
• Notice these are exactly the information-theoreti
  cally secure protocols for the stand-alone model

15
Information-Theoretically Secure Protocols and
Composition

• Folklore information-theoretic protocols are
  secure under concurrent composition (at the very
  least, all the known ones have this property)
• Related folklore if a protocol is proven secure
  using a black-box non-rewinding simulator, then
  it is secure under concurrent composition
• Note known information-theoretic protocols use
  black-box non-rewinding simulation

16
This Work

• Understand the conjectured connection between
  information-theoretic security and security under
  composition
• Deepen our understanding of these notions
• Derive a corollary that simplifies the task of
  proving security under composition

17
Theorem 1 Counter Example

• There exist protocols that are
• Statistically secure in the information
  theoretical model, as stand-alone
• Proven secure using a black-box straight-line
  (non-rewinding) simulator
• but are not secure under concurrent general
  composition

18
Theorem 2

• Every protocol that is
• Perfectly secure in the information theoretical
  model, as stand-alone
• Proven secure using a black-box straight-line
  (non-rewinding) simulator
• is perfectly secure under concurrent general
  composition
• DM00 proved a similar result, but used a
  strictly more stringent notion of stand-alone
  security

19
Corollaries

• Corollary 1 BGW (error free version) is
  perfectly secure under concurrent general
  composition (assuming a two-thirds majority)
• Corollary 2 It suffices to prove perfect
  security in the stand-alone model
• Note perfectly secure protocols have an
  advantage over statistically secure protocols
• Security under concurrent general composition is
  obtained for free

20
Theorem 3

• Every protocol that is
• Proven secure using a black-box straight-line
  (non-rewinding) simulator
• is secure under concurrent self composition with
  fixed inputs
• This is a weaker security guarantee, but gives
  some justification to the folklore
• The result is of interest for statistical and
  computational security, and holds for any number
  of corrupted parties

21
Corollary

• CCD,RB are secure under concurrent self
  composition with fixed inputs
• Again, the above is a relatively weak security
  guarantee, but explains/justifies the folklore

22
Disturbing Point

• It is widely believed that known statistically
  secure protocol are secure under concurrent
  general composition
• We have only proved security under concurrent
  self composition with fixed inputs
• Is there an additional property that would make
  such protocols secure under concurrent general
  composition?

23
Different (Simple) Property

• Initial Synchronization
• Each party announces that it is ready to start
• Before starting, each party waits to receive
  notification from all other parties that they are
  ready to start
• This enables an easy denial of service attack
  (but this is in some sense impossible to prevent
  in this model)

24
Theorem 4

• Every protocol that is
• Proven secure using a black-box straight-line
  (non-rewinding) simulator, and
• Has initial synchronization
• is secure under concurrent general composition
• This holds for perfect, statistical and
  computational security (not needed for perfect),
  and for any number of corrupted parties

25
Corollary

• It suffices to prove security in the stand-alone
  model using black-box straight-line simulation
• Given such a protocol, can add initial
  synchronization and security under concurrent
  general composition is implied
• This gives a useful tool, simplifying the task of
  proving security under composition

26
High-Level Summary of Results

• Counter-example
• Straight-line black-box security does not imply
  security under concurrent general composition
  (even if security is statistical)
• Security under general composition is implied by
• Perfect security, straight-line black-box
  simulation
• Straight-line black-box simulation, initial
  synchronization
• Security under self composition with fixed inputs
  is implied by
• Straight-line black-box simulation

27
The Rest of This Talk

• Proof of counter-example (Theorem 1)
• Idea behind the proof that perfect-security with
  black-box straight-line simulation implies
  security under concurrent general composition
  (Theorem 2)
• Discussion about black-box straight-line
  simulation with initial synchronization implies
  security under concurrent general composition
  (Theorem 4)

28
Proof of Counter Example

• The counter-example utilizes the fact that
• In the stand-alone model, inputs are fixed at the
  beginning
• In the setting of concurrent general composition,
  inputs can be determined dynamically, and
  dependent on other protocols
• Recall a protocol is secure in this setting if
  an execution of an arbitrary protocol with the
  real secure protocol looks like an execution of
  the same arbitrary protocol together with ideal
  calls

29
Proof of Counter-Example (cont.)

• Our counter-example uses a specific function and
  specific protocol (in the setting of an honest
  majority)
• The function f(x1,x2,x3) (0,0,0)

30
Proof of Counter-Example (cont.)

• A secure protocol ? for computing f
• P1 and P2 choose random r1 and r2 of length n/2
  and send the strings to each other
• P1 and P2 define r (r1,r2) and both send r to
  P3
• If P3 receives the same value from both parties
  and it equals its input, then it outputs 1,
  otherwise it outputs 0
• P2 and P3 both output 0

31
Claim 1 Security of Protocol ? in the
Stand-Alone Model

• We assume an honest majority, so at least one of
  P1 and P2 are honest
• This implies that the string r received by P3
  equals its input with probability at most 2-n/2
• Thus, P3 outputs 1 with negligible probability
• Simulation in this case is easy (and is black-box
  straight-line)
• Security obtained is statistical

32
Claim 2 Insecurity of Protocol ? under
Concurrent General Composition

• Consider the following arbitrary protocol?? that
  contains a call to f
• P1 sends a random s to P3
• P1 and P2 send the input 0n to the trusted party
  computing f, and output whatever they receive
  back
• P3 sends the string s to the trusted party as its
  input for the computation of f, and outputs
  whatever it receives back
• Note in the ideal execution, all honest parties
  always output 0

33
Claim 2 (continued)

• Consider an execution of?? together with protocol
  ? and a single corrupted party P1
• Party P1 waits until it receives r2 from P2 as
  part of ? and can define r (r1,r2)
• P1 defines s r and sends s to P3
• P3 uses s as its input into ? and it follows that
  r equals its input
• We have that the honest P3 always outputs 1
  (instead of 0)
• Conclusion ? is not secure under concurrent
  general composition

34
(Rough idea) Proof of Theorem 2

• By contradiction
• Protocol ? secure stand alone, not secure in
  composition with p
• Exist Adv A which can foil the execution of ?
  when run with p, i.e. not the same as if using a
  trusted party for f instead of ?
• Build a stand-alone adversary A? which breaks
  the stand-alone security of ?
• A? basically runs A in its belly and simulates
  all the parties for the communications which
  relate to p, and for ? it communicates with the
  real parties and transfers the messages to A

35
Proof of Theorem 2 (cont.)

• If A? simulation for A is good then the
  stand-alone distribution of ? is the same as when
  it is run with p
• Thus, output of ? in this stand-alone is not the
  same as the output of ideal execution
• And we have broken the stand-along execution
  (contradiction)

36
Complication for A?

• Creating a simulation which seemlessly matches
  the execution of the real ? with the simulation
  of p
• For this A? has to guess the inputs and random
  coins of the honest parties low success
  probability
• This is why perfect security is crucial, we need
  the attack to succeed only with non-zero
  probability

37
Discussions on Theorem 4

• Recall the theorem black-box straight-line
  simulation initial synchronization ? security
  under concurrent general composition
• The basic idea
• Consider the counter example
• If initial synchronization is used, all of the
  arbitrary protocol (honest partys inputs and
  random-tapes) until the protocol starts can be
  auxiliary input in a stand-alone execution

38
Importance of Theorem 4

• Adds to our understanding of what is needed for
  obtaining security
• Black-box straight-line simulation
• Inability to have inputs depend on randomness of
  the same execution
• A useful tool
• Definitions for obtaining security under
  composition are complex
• Using this theorem, it suffices to work in the
  stand-alone model (and add initial
  synchronization)

39
Conclusions

• Stand-alone security does not imply security
  under concurrent general composition
• Even in the information-theoretical model
• Information-theoretic security does imply some
  sort of security under composition
• Black-box straight line statistical suffices for
  obtaining concurrent self composition with fixed
  inputs
• Black-box straight-line perfect suffices for
  obtaining concurrent general composition
• Black-box straight-line initial synchronization
  suffices for obtaining concurrent general
  composition

40
Thank you!