Concurrency and Non-malleability

1
Concurrency and Non-malleability
Rafael PassCornell University
2
Secure Multi-party Computation Yao,Goldreich-Mic
ali-Wigderson
Goal Allow a set of distrustful parties to
compute any functionality f of their inputs,
while preserving
Correctness
Privacy
Even when no honest majority
3
The Classic Stand-Alone Model
One set of parties executing a single protocol in
isolation.
4
But, Life is CONCURRENT
Many parties running many different protocol
executions.
5
The Chess-master Problem DDN91
8am
Lose!
Lose!
6
Win at least 1 (or draw both)
Similar attack on Crypto protocols!
7
Man-in-the-middle Attacks
Responder
Responder/Initator
Initator
Bob
Alice
MIM
MIM controls channel between Alice and Bob
8
This Talk

• Commitment schemes secure against
  man-in-the-middle attacks
• Use such commitments to improve SMC
• Better round complexity also for stand-alone
  security
• Concurrent security

9
Commitment Scheme

• The digital analogue of sealed envelopes.

Reveal
One way functions both sufficient and necessary
N89, HILL 99
10
MIM
Receiver/Sender
Sender
Receiver
C(v)
C(v)
Messages are arbitrarily interleaved MIM
controls scheduling.
Possible that v v1
Even though MIM does not know v!
11
Non-Malleable Commitments Dolev Dwork
Naor91
MIM
Receiver/Sender
Sender
Receiver
i
j
C(v)
C(v)
Non-malleability Either MIM forwards v
v Or v is independent of v
12
Non-Malleable Commitments Dolev Dwork
Naor91
MIM
Receiver/Sender
Sender
Receiver
i
j
C(i,v)
C(j, v)
i ? j
Non-malleability if then, v is
independent of v
13
Non-Malleable Commitments Dolev Dwork
Naor91, P-Rosen05
Man-in-the-middle execution
i ? j
i
j
Simulation
j
Non-malleability For every MIM, there exists a
simulator, such that value committed by MIM is
indistinguishable from value committed by
simulator
14
Non-Malleable Commitments
i
j

• Important in practice
• Test-bed for other tasks
• Applications to MPC

15
Non-malleable Commitments

• Original Work by DDN91
• OWF
• black-box techniques
• But O(log n) rounds
• Main question how many rounds do we need?
• With set-up solved 1-round, OWF
  DiCreczenzo-Ishai-Ostrovsky99,DKO,CF,FF,,DG
• Without set-up
• Barak02 O(1)-round Subexp CRH dense crypto
• P04,P-Rosen05 O(1) rounds using CRH
• Lin-P09 O(1)log n round using OWF
• P-Wee10 O(1) using Subexp OWF
• Wee10 O(log n) using OWF

Non BB
NM Amp
16
Non-malleable Commitments

• Original Work by DDN91
• OWF
• black-box techniques
• But O(log n) rounds
• Main question how many rounds do we need?
• With set-up solved 1-round, OWF
  DiCreczenzo-Ishai-Ostrovsky99,DKO,CF,FF,,DG
• Without set-up
• O(1)-round from CRH or Subexp OWF
• O(log n) from OWF
• Sd
• Sd

17
Thm Lin-P11 Assume one-way functions. Then
there exists a O(1)-round non-malleable
commitment with a black-box proof of security.

• Note Since commitment schemes imply OWF, we
  have that unconditionally that any commitments
  scheme can be turned into one that is O(1)-round
  and non-malleable.

• Note As we shall see, this also weakens
  assumptions for O(1)-round secure multi-party
  computation.

• Even more excitingly Vipul Goyal independently
  proved the same result
• very different techniques
• relying on NM amplification

18
DDN Protocol Idea
i 011
j 00..1
C(i,v)
C(j, v)


Blue does not help Red and vice versa
19
The Idea
What if we could run the message scheduling in
the head?
Let us focus on non-aborting and synchronizing
adversaries.
(never send invalid mess in left exec)
20
Com(id,v)
id 00101
cC(v)
I know v s.t. cC(v) Or I have seen sequence
WI-POK
21
Signature Chains

• Consider 2 fixed-length signature schemes
  Sig0, Sig1 (i.e., signatures are always of length
  n) with keys vk0, vk1.
• Def (s,id) is a signature-chain if for all i,
  si1 is a signature of (i,s0) using scheme idi
• s0 r
• s1 Sig0(0,s0) id1 0
• s2 Sig0(1,s1) id2 0
• s3 Sig1(2,s2) id3 1
• s4 Sig0(3,s3) id4 0

22
Signature Games

• You have given vk0, vk1 and you have access to
  signing oracles Sig0, Sig1 .
• Let ? denote the access pattern to the oracle
• that is ?i b if in the ith iteraction you
  access oracle b.
• Claim If you output a signature-chain (s,id)
• Then, w.h.p, id is a substring of the access
  pattern ?.

23
Com(id,v)
id 00101
vk0
r0
Sign0(r0)
vk1
r1
Sign1(r1)
cC(v)
I know v s.t. cC(v) Or I have seen sequence
WI-POK
24
Com(id,v)
id 00101
vk0
r0
Sign0(r0)
vk1
r1
Sign1(r1)
cC(v)
I know v s.t. cC(v) Or I know a sig-chain (s,id)
WI-POK
w.r.t id
25
Non-malleability through dance
i 0110..
j 00..1
vk0
vk0
r0
r'0
Sign0(r0)
Sign0(r0)
vk1
vk'1
r1
r'1
Sign1(r1)
Sign1(r1)
cC(v)
cC(v)
WI-POK
WI-POK
w.r.t i
w.r.t j
Note sig keys on L and R might be different we
violate sec of sig game for key on R
26
Dealing with Aborting Adversaries

• Problem 1
• MIM will notice that I ask him to sign a
  signature chain
• Solution Dont. Ask him to sign commitments of
  sigs(need to add a POK of commitment to prove
  sig game lemma)
• Problem 2
• I might have to rewind many times on left to
  get a single signature
• So if I have id 01011, access pattern on the
  right is 0101...
• Solution Use 3 keys (0,1,2) require chain w.r.t
  2id12id22id3

27
Dealing with Non-synchronizing Adversaries

• Not hard same technique as in LP09
• Just add more WIPOK
• Will return to this point later.

28
Thm Assume one-way functions. Then there exists
a O(1)-round non-malleable commitment with a
black-box proof of security.
Main Technique Exploit rewinding pattern
(instead of just location)
Some extensions
29
Concurrent Non-Malleable CommitmentsP-Rosen05,
Lin-P-Venkitasubramaniam09
ID
ID
i1
C(i1,a1)
C(j1,a1)
j1
C(i2,a2)
C(j2,a2)
i2
j2
jn
C(j3,am)
C(in,am)
im
Messages are arbitrarily interleaved MIM
controls scheduling.
To deal with copying if ik jl, then al ?
For any a1, a2,, am and b1, b2,, bm the view
values committed to by MIM are indistinguishable.
30
One-Many Non-Malleability
ID
C(j1,a1)
j1
C(i,a)
C(j2,a2)
i
j2
jn
C(j3,am)
Thm PR05,LPV08 One-many NM ? Concurrent NM.
Our O(1)-round construction is also concurrent NM
31
One-Many Non-Malleability
ID
C(j1,a1)
j1
C(j2,a2)
i
C(i,a)
j2
C(j3,am)
jn
ID
C(j1,b1)
j1
C(j2,b2)
i
C(i,b)
j2
C(j3,bm)
jn
SAME protocol LEFT and RIGHT!
32
Robust Non-Malleability w.r.t k-round protocols
Lin-P09
ID
C(j1,a1)
j1
C(j2,a2)
i
C(i,a)
j2
C(j3,am)
jn
THEN
ID
C(j1,b1)
j1
C(j2,b2)
i
C(i,b)
j2
C(j3,bm)
jn
EASY to satisfy if Com has more than k-rounds!
DEF Com is robust if Robust NM w.r.t 4-round
protocols
33
Secure Multi-party Computation Yao,GMW

• Original work of Goldreich-Micali-Wigderson87
• TDP, n rounds
• More Recent Stronger assumption, less rounds
• Katz-Ostrovsky-Smith02
• TDP, dense cryptosystems, log n rounds
• TDP, CRHdense crypto with SubExp sec,
  O(1)-rounds, non-BB
• P04
• TDP, CRH, O(1)-round, non-BB

Non-malleability is implicitly used in all these
works!
34
NMC v.s. SMC

• Thm Lin-P-Venkitasubramaniam09
• TPD k-round robust NMC ? O(k)-round SMC

Corollary TDP ? O(1)-round SMC
Holds both for stand-alone MPC and UC-SMC (in a
number of set-up models)
35
Back to Concurrent SMC
36
UC security Canetti01
Running the protocol p in the concurrent setting
is Computing f using a trusted party in the
concurrent setting
Both A and S required to be PPT
as correct private as
S simulates the view of A the outputs
of honest parties are the same in the two worlds
?
?
A
S
37
UC security Canetti01

• Simulator S needs to
• extract As input without disturbing execution
  with Z
• while ensuring that inputs of honest guys remain
  hidden.

Straight-line extraction
non-malleability
A
S
38
The State of UC Security

• Secure 2-party computation impossible!
  Canetti-Kushilevitz-Lindell03
• And even for somewhat weaker models
  Canetti-Fischlin02,Lindell03,Lindell04,
  Barak-Prabhakaran-Sahai06
• Intuition If S can extract straight-line
  extract inputs, then so can the attacker.
• Possible with limited trusted help
• Trusted set-up models Honest majority BGW88,
  CCD88, BR89,DM00, CRS BFM,CLOS, PKI BCNP,
  Timing model DNS,KLP, Tamper-proof Hardware
  K,
• Thm Lin-P-Venkitasubramaniam09 Use Robust NM
  Com to get a crisp and essentially tight
  characterization (assuming TDP) of when a set-up
  can be used to get UC SMC.
• Essentially all known UC SMC result follow as a
  corollary, with improved computational
  assumptions, and round complexity.
• Can mix and match set-ups! Garg,Goyal,Jain,Sahai,
  yesterday

39
Who can you trust?
40
Super-Poly Time Simulation (SPS) P03
Allow super-poly-time security reduction
We know, poly-time security reduction is
impossible
Still, meaningful in many (most) cases
Possible! (P03), Prabhakaran-Sahai04,
Barak-Sahai05, Lin-P-Venkitasubramaniam09
But, using strong hardness assumptions
S
S
A
41
Prabhakaran-Sahai04

• Assume id-based hasfunction hard to find a
  collision w.r.t. id even if you have oracle
  access to someone who finds random collisions
  w.r.t. any other id ! id.

• Simulator S needs to
• extract As input without disturbing execution
  with Z
• while ensuring that inputs of honest guys remain
  hidden.

Use collision finding oracle to extract in
super-poly time!
By security of id-based hash
A
S
S
42
CCA-Secure CommitmentsCanetti-Lin-P10
j1
C(y3)
y3
j1
i
A
O
C(x)
C(y1)
j1
y1
C(y2)
y2
Chosen-Commitment-Attack (CCA) security Either
A copies the left identifier to the right Or
LHS is hiding --- view of A indistinguishable
43
Concurrent Non-Malleable Commitments
j1
C(y3)
j1
i
A
C(x)
C(y1)
j1
C(y2)
O
y1
y2
y3
Non-Malleability Either A copies the left
identifier to the right Or view of A (y1,
y2, y3) indistinguishable
CCA security ? Conc Non-Malleability
44

• Thm CLP10 Existence of OWF implies
  O(n?)-round robust CCA-secure commitments
• Need to deal with both NM and nesting of
  executions a la Concurrent ZK Dwork-Naor-Sahai99
  
• Rely on original message scheduling technique by
  Dolev-Dwork-Naor91 ideas behind concurrent
  ZK simulation of Richardson-Kilian01
• Thm CLP10 Robust CCA-secure commitments OT
  implies SPS-secure SMC

• Open
• O(1)-round CCA secure commitments from OWF?

45

• More Open(-ended) Open Question
• What is the right definition of concurrent
  security (without trusted set-up)?
• SPS security provides weak guarantees on the
  computational advantages gained by an adversary
• Sufficient when security in the ideal model is
  information-theoretic (or just sufficiently
  strong)
• But not sufficient to preserve security of
  moderately-hard properties
• Rewindable TTP Goyal-Sahai08,Goyal-Jain-Ostrov
  sky10
• Need very efficient precise simulations
  Micali-P06
• Currently best concurrent simulation omega(1)
  rewindings Pandey-P-Sahai-Tseng-Venkitasubraman
  iam08
• Can we compose different security notions?

46
The Dark Side of Concurrency
Dont worry Lower bounds
47
Lower Bounds using Concurrency

• Security Reduction R from breaking B to breaking
  intractability assum C

C
RO
f(r)
r
Black-box reduction RO breaks C whenever O
breaks B
For some classic protocols/tasks (sequential WH
of classic ZK protocols, active security of
Schnorrs identification scheme, selective
decommitment problem, Chaums blind signatures)
no security reductions are known under ANY
2-round intractability assumption.
Thm P11 If there exists a BB reduction (but
potentially non-BB construction) from a
poly-round intractability assumption C, then C
can be broken in poly time.
Why concurrency? The reduction can nest it calls
to O. concurrent simulation techniques very
useful!
48
Thank You
49
Overview of Our Construction
j1
C(y3)
y3
j1
i
A
H
C(x)
C(y1)
j1
C(y2)
y1
y2
by Rewidnings
Design a protocol s.t. H can be efficiently
simulated Then, Hiding ? CCA security
But, 1. A may ask new mesg in LHS---LHS not
hiding anymore 2. A may nest oracle calls ---
extraction time explodes
NM
conc. ZK
50
Secure Multi-party Computation Yao,GMW

• A set of parties with private inputs.
• Wish to jointly compute a function of their
  inputs while preserving privacy of inputs (as
  much as possible)
• Security must be preserved even if some of the
  parties are malicious.

51
Whats Next Concurrency for General Interaction
52
Whats Next Adaptive Hardness

• Consider the Factoring problem
• Given the product N of 2 random n-bit primes p,q,
  can you provide the factorization
• Adaptive Factoring Problem
• Given the product N of 2 random n-bit primes p,q,
  can you provide the factorization, if you have
  access to an oracle that factors all other N
  that are products of equal-length primes
• Are these problems equivalent?
• Unknown!

53
Whats Next Adaptive Hardness

• Adaptively-hard Commitments Canetti-Lin-P10
• Commitment scheme that remains hiding even if Adv
  has access to a decommitment oracle
• Implies Non-malleability (and more!)
• Thm CLP10 Existence of commitments implies
  O(n?)-round Adaptively-hard commitments

54
Without Trusted Set-up

• Specific tasks and attacks
• Concurrent Zero-knowledge Dwork-Naor-Sahai,Richar
  dson-Kilian,Kilian-Petrank,Prabhakaran-Rosen-Sahai
  ,Barak01
• Non-malleable Commitments Dolev-Dwork-Naor91,
• Relaxed notions of security
• E.g., super-poly simulation, angel-based
  security, input indistinguishability
  P03,Prabhakaran-Sahai04,Barak-Sahai05,Micali-P-
  Rosen06,Lin-P-Venkitasubramaniam09,Canetti-Lin-
  P10

55
Angel-Based Security Prabhakaran-Sahai04
Simulator and Adv. receive help from an angel.
Angel A restricted super-poly-time
oracle performing some specific, system-dependent
task e.g. find collision of a CRH as long as the
colliding inputs include the id of the requesting
party.
Composable
Possible Prabhakaran-Sahai04,
Malkin-Moriaty-Yung06, Barak-SahaiS05!
But, even stronger assumptions e.g. Adaptively
hard CRH
O
O
S
A
56
Zero Knowledge Goldwasser-Micali-Rackoff85

• Interactive protocol between a Prover and a
  Verifier where the Verifier learns nothing except
  the proof statement

57
Zero Knowledge Goldwasser-Micali-Rackoff85

• For every PPT V (adversary) there is a PPT
  simulator S

?
Indistinguishable
58
Concurrent ZK (cZK) Dwork-Naor-Sahai01
Prover
Verifier V
View of V with Prover
?
View generated by S
59
Classic ZK Protocol Feige-Shamir90
INIT Commit to random secret s
Slot Proof of Know of s
60
Classic ZK Protocol Feige-Shamir90
Slot Proof of Know of s
2nd time Extract s
What about cZK?
61
Concurrent Zero Knowledge
3 nested sessions
rewinding here gt redo work of nested sessions
Takes time O(2 nestings) KPR00
62
Richardson-Killian
INIT

• Need to extract s for every session.
• Easier if there are more slots.
• Cannot nest inside all slots
• Rewinding any one slot extracts s.

END
63
Concurrent Zero-knowledge

• A set of parties with private inputs.
• Wish to jointly compute a function of their
  inputs while preserving privacy of inputs (as
  much as possible)
• Security must be preserved even if some of the
  parties are malicious.