Concurrency and Non-malleability - PowerPoint PPT Presentation

About This Presentation

Title: Concurrency and Non-malleability
Author: Rafael Pass (last modified by Rafael Pass)
Created Date: 9/6/2002 12:11:36 AM
Slides: 64
Document presentation format: PowerPoint PPT presentation

Transcript and Presenter's Notes

Title: Concurrency and Non-malleability

1
Concurrency and Non-malleability
Rafael Pass, Cornell University
2
Secure Multi-party Computation [Yao, Goldreich-Micali-Wigderson]
Goal: Allow a set of distrustful parties to compute any functionality f of their inputs, while preserving
  • Correctness
  • Privacy
even when there is no honest majority.
3
The Classic Stand-Alone Model
One set of parties executing a single protocol in
isolation.
4
But, Life is CONCURRENT
Many parties running many different protocol
executions.
5
The Chess-master Problem [DDN91]
(Figure: two simultaneous games starting at 8am; labels "Lose!", "Lose!")
6
Win at least 1 (or draw both)
Similar attack on Crypto protocols!
7
Man-in-the-middle Attacks
(Figure: Alice (Initiator), MIM (Responder/Initiator), Bob (Responder))
MIM controls the channel between Alice and Bob.
8
This Talk
  • Commitment schemes secure against
    man-in-the-middle attacks
  • Use such commitments to improve SMC
  • Better round complexity also for stand-alone
    security
  • Concurrent security

9
Commitment Scheme
  • The digital analogue of sealed envelopes (commit, then reveal).

One-way functions are both sufficient and necessary [N89, HILL99]
10
(Figure: Sender commits C(v) to MIM, who acts as Receiver/Sender; MIM commits C(v') to Receiver)
Messages are arbitrarily interleaved; MIM controls the scheduling.
Possible that v' = v+1, even though MIM does not know v!
11
Non-Malleable Commitments [Dolev-Dwork-Naor91]
(Figure: Sender commits C(v) to MIM (Receiver/Sender) under identifier i; MIM commits C(v') to Receiver under identifier j)
Non-malleability: Either MIM forwards (v' = v), or v' is independent of v.
12
Non-Malleable Commitments [Dolev-Dwork-Naor91]
(Figure: Sender commits C(i,v) to MIM (Receiver/Sender); MIM commits C(j,v') to Receiver; i ≠ j)
Non-malleability: if i ≠ j, then v' is independent of v.
13
Non-Malleable Commitments [Dolev-Dwork-Naor91, P-Rosen05]
(Figure: a man-in-the-middle execution with identifiers i ≠ j, beside a simulation that involves only identifier j)
Non-malleability: For every MIM there exists a simulator, such that the value committed by MIM is indistinguishable from the value committed by the simulator.
14
Non-Malleable Commitments
  • Important in practice
  • Test-bed for other tasks
  • Applications to MPC

15
Non-malleable Commitments
  • Original work by DDN91
    • OWF
    • black-box techniques
    • But O(log n) rounds
  • Main question: how many rounds do we need?
  • With set-up: solved, 1 round, OWF
    [DiCrescenzo-Ishai-Ostrovsky99, DKO, CF, FF, ..., DG]
  • Without set-up:
    • Barak02: O(1) rounds, Subexp CRH + dense crypto (non-BB)
    • P04, P-Rosen05: O(1) rounds using CRH (non-BB)
    • Lin-P09: O(1)^{log* n} rounds using OWF (NM amplification)
    • P-Wee10: O(1) rounds using Subexp OWF (NM amplification)
    • Wee10: O(log* n) rounds using OWF (NM amplification)

16
Non-malleable Commitments
  • Original work by DDN91
    • OWF
    • black-box techniques
    • But O(log n) rounds
  • Main question: how many rounds do we need?
  • With set-up: solved, 1 round, OWF
    [DiCrescenzo-Ishai-Ostrovsky99, DKO, CF, FF, ..., DG]
  • Without set-up:
    • O(1) rounds from CRH or Subexp OWF
    • O(log* n) rounds from OWF

17
Thm [Lin-P11]: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.
  • Note: Since commitment schemes imply OWF, we have unconditionally that any commitment scheme can be turned into one that is O(1)-round and non-malleable.
  • Note: As we shall see, this also weakens the assumptions needed for O(1)-round secure multi-party computation.
  • Even more excitingly: Vipul Goyal independently proved the same result
    • very different techniques
    • relying on NM amplification

18
DDN Protocol Idea
(Figure: left commitment C(i,v) with identifier i = 011..., right commitment C(j,v') with identifier j = 00..1; the two executions are colour-coded blue and red)
Blue does not help Red and vice versa.
19
The Idea
What if we could run the message scheduling "in the head"?
Let us focus on non-aborting and synchronizing adversaries
(i.e., the MIM never sends an invalid message in the left execution).
20
Com(id, v), id = 00101
(Figure: the sender sends c = C(v), followed by a WI-POK of the statement "I know v s.t. c = C(v), or I have seen the sequence ...")
21
Signature Chains
  • Consider 2 fixed-length signature schemes Sig0, Sig1 (i.e., signatures are always of length n) with keys vk0, vk1.
  • Def: (s, id) is a signature-chain if for all i, s_{i+1} is a signature of (i, s_i) using scheme Sig_{id_{i+1}}. Example:
    • s_0 = r
    • s_1 = Sig0(0, s_0),  id_1 = 0
    • s_2 = Sig0(1, s_1),  id_2 = 0
    • s_3 = Sig1(2, s_2),  id_3 = 1
    • s_4 = Sig0(3, s_3),  id_4 = 0

22
Signature Games
  • You are given vk0, vk1 and have access to the signing oracles Sig0, Sig1.
  • Let ρ denote the access pattern to the oracles: ρ_i = b if in the i-th interaction you access oracle b.
  • Claim: If you output a signature-chain (s, id), then, w.h.p., id is a substring of the access pattern ρ.
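
The chain definition and the access-pattern claim above, worked through as an added Python example (my code, not from the talk): two signing oracles stand in for Sig0 and Sig1, the wrapper records the access pattern ρ, an honest party builds a chain for id = 00101 after some unrelated queries, and the checks confirm that the chain verifies, that a forged link or a different id does not, and that id appears as a substring of ρ. Assumptions of this example, not of the talk: HMAC-SHA256 under two secret keys replaces the fixed-length signature schemes (a MAC, not a signature, chosen so the code runs offline with the standard library), and the pair (i, s_i) is encoded as a 4-byte big-endian index followed by s_i.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the talk's fixed-length signature schemes Sig0, Sig1:
# HMAC-SHA256 under two secret keys (a MAC, not a signature scheme; used only so
# the example runs offline). Every "signature" has fixed length SIG_LEN.
SIG_LEN = 32


class SigningOracles:
    """Holds the two keys (standing in for vk0, vk1) and records the access
    pattern rho: access_pattern[t] is the scheme used in the t-th query."""

    def __init__(self):
        self.keys = [secrets.token_bytes(32), secrets.token_bytes(32)]
        self.access_pattern = []

    def sign(self, scheme: int, message: bytes) -> bytes:
        assert scheme in (0, 1), "only oracles Sig0 and Sig1 exist"
        self.access_pattern.append(scheme)
        return hmac.new(self.keys[scheme], message, hashlib.sha256).digest()

    def verify(self, scheme: int, message: bytes, sig: bytes) -> bool:
        expected = hmac.new(self.keys[scheme], message, hashlib.sha256).digest()
        return len(sig) == SIG_LEN and hmac.compare_digest(expected, sig)

    def rho(self) -> str:
        """The access pattern as a bit string, e.g. '1100101'."""
        return "".join(str(b) for b in self.access_pattern)


def chain_message(i: int, s_prev: bytes) -> bytes:
    """Encoding of the pair (i, s_i) that s_{i+1} signs (fixed-width index, an
    assumption of this example)."""
    return i.to_bytes(4, "big") + s_prev


def build_chain(oracles: SigningOracles, ident: str) -> list:
    """Honest construction: s_0 = random r, s_{i+1} = Sig_{id_{i+1}}(i, s_i).
    ident is 0-indexed here, so ident[i] plays the role of id_{i+1}."""
    s = [secrets.token_bytes(SIG_LEN)]
    for i, bit in enumerate(ident):
        s.append(oracles.sign(int(bit), chain_message(i, s[i])))
    return s


def is_signature_chain(oracles: SigningOracles, s: list, ident: str) -> bool:
    """The definition: every link s_{i+1} verifies under scheme ident[i] on (i, s_i)."""
    if len(s) != len(ident) + 1:
        return False
    return all(
        oracles.verify(int(ident[i]), chain_message(i, s[i]), s[i + 1])
        for i in range(len(ident))
    )


def id_in_access_pattern(oracles: SigningOracles, ident: str) -> bool:
    """The signature-game claim: producing a valid chain for ident requires
    querying the oracles in the order of ident's bits (each link signs the
    previous one, so the queries cannot be reordered), hence ident is a
    substring of rho."""
    return ident in oracles.rho()


def demo() -> dict:
    oracles = SigningOracles()
    # Constructed unrelated queries first: the chain need not start the pattern.
    oracles.sign(1, b"constructed unrelated query 1")
    oracles.sign(1, b"constructed unrelated query 2")
    ident = "00101"  # the identifier used on the slides
    chain = build_chain(oracles, ident)
    tampered = chain[:2] + [bytes(SIG_LEN)] + chain[3:]  # replace link s_2
    return {
        "valid": is_signature_chain(oracles, chain, ident),
        "tampered_valid": is_signature_chain(oracles, tampered, ident),
        "other_id_valid": is_signature_chain(oracles, chain, "00111"),
        "rho": oracles.rho(),
        "id_in_rho": id_in_access_pattern(oracles, ident),
    }


if __name__ == "__main__":
    print(demo())
```

Because the stand-in is a MAC, verification here needs the secret keys; with a real signature scheme only vk0 and vk1 would be needed, which is what lets anyone holding the verification keys check a chain in the talk's protocol.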

23
Com(id, v), id = 00101
(Figure: messages vk0, r0, Sign0(r0); vk1, r1, Sign1(r1); then c = C(v) and a WI-POK of "I know v s.t. c = C(v), or I have seen the sequence ...")
24
Com(id, v), id = 00101
(Figure: messages vk0, r0, Sign0(r0); vk1, r1, Sign1(r1); then c = C(v) and a WI-POK of "I know v s.t. c = C(v), or I know a sig-chain (s, id) w.r.t. id")
25
Non-malleability through dance
(Figure: left execution with identifier i = 0110..: vk0, r0, Sign0(r0); vk1, r1, Sign1(r1); c = C(v); WI-POK w.r.t. i. Right execution with identifier j = 00..1: vk'0, r'0, Sign'0(r'0); vk'1, r'1, Sign'1(r'1); c' = C(v'); WI-POK w.r.t. j.)
Note: the signature keys on the left and on the right might be different; we violate the security of the signature game for the key on the right.
26
Dealing with Aborting Adversaries
  • Problem 1
    • MIM will notice that I ask him to sign a signature chain
    • Solution: Don't. Ask him to sign commitments of signatures (need to add a POK of the commitment to prove the signature-game lemma)
  • Problem 2
    • I might have to rewind many times on the left to get a single signature
    • So if I have id = 01011, the access pattern on the right is 0101...
    • Solution: Use 3 keys (0, 1, 2) and require a chain w.r.t. 2, id_1, 2, id_2, 2, id_3, ...

27
Dealing with Non-synchronizing Adversaries
  • Not hard: same technique as in LP09
  • Just add more WI-POKs
  • Will return to this point later.

28
Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.
Main Technique: Exploit the rewinding pattern (instead of just the rewinding location).
Some extensions
29
Concurrent Non-Malleable Commitments [P-Rosen05, Lin-P-Venkitasubramaniam09]
(Figure: on the left MIM receives commitments C(i1,a1), C(i2,a2), ..., C(im,am) with identifiers i1, i2, ..., im; on the right MIM sends commitments C(j1,a'1), C(j2,a'2), ..., C(jn,a'm) with identifiers j1, j2, ..., jn)
Messages are arbitrarily interleaved; MIM controls the scheduling.
To deal with copying: if ik = jl, then a'l = ⊥.
For any a1, a2, ..., am and b1, b2, ..., bm, the view and the values committed to by MIM are indistinguishable.
30
One-Many Non-Malleability
(Figure: a single commitment C(i,a) with identifier i on the left; many commitments C(j1,a'1), C(j2,a'2), ..., C(jn,a'm) with identifiers j1, j2, ..., jn on the right)
Thm [PR05, LPV08]: One-many NM ⟹ Concurrent NM.
Our O(1)-round construction is also concurrent NM.
31
One-Many Non-Malleability
(Figure, top: left C(i,a), right C(j1,a'1), C(j2,a'2), ..., C(jn,a'm). Figure, bottom: left C(i,b), right C(j1,b'1), C(j2,b'2), ..., C(jn,b'm). Identifiers i and j1, j2, ..., jn in both.)
SAME protocol LEFT and RIGHT!
32
Robust Non-Malleability w.r.t. k-round protocols [Lin-P09]
(Figure: IF left C(i,a) with right C(j1,a'1), C(j2,a'2), ..., C(jn,a'm) THEN left C(i,b) with right C(j1,b'1), C(j2,b'2), ..., C(jn,b'm); identifiers i and j1, j2, ..., jn)
EASY to satisfy if Com has more than k rounds!
DEF: Com is robust if it is robust NM w.r.t. 4-round protocols
33
Secure Multi-party Computation [Yao, GMW]
  • Original work of Goldreich-Micali-Wigderson87: TDP, n rounds
  • More recent: stronger assumptions, fewer rounds
    • Katz-Ostrovsky-Smith02: TDP, dense cryptosystems, log n rounds; or TDP, CRH + dense crypto with SubExp security, O(1) rounds, non-BB
    • P04: TDP, CRH, O(1) rounds, non-BB

Non-malleability is implicitly used in all these works!
34
NMC vs. SMC
  • Thm [Lin-P-Venkitasubramaniam09]: TDP + k-round robust NMC ⟹ O(k)-round SMC

Corollary: TDP ⟹ O(1)-round SMC
Holds both for stand-alone MPC and for UC-SMC (in a number of set-up models)
35
Back to Concurrent SMC
36
UC security [Canetti01]
Running the protocol π in the concurrent setting ≈ computing f using a trusted party in the concurrent setting.
Both A and S are required to be PPT.
(Figure: the real execution with adversary A is "as correct" and "as private" as the ideal execution with simulator S)
S simulates the view of A; the outputs of the honest parties are the same in the two worlds.
37
UC security [Canetti01]
  • Simulator S needs to
    • extract A's input without disturbing the execution with Z
    • while ensuring that the inputs of the honest parties remain hidden.

(Figure: A and S; labels: straight-line extraction, non-malleability)
38
The State of UC Security
  • Secure 2-party computation impossible! [Canetti-Kushilevitz-Lindell03]
  • And even for somewhat weaker models [Canetti-Fischlin02, Lindell03, Lindell04, Barak-Prabhakaran-Sahai06]
  • Intuition: If S can extract inputs straight-line, then so can the attacker.
  • Possible with limited trusted help
  • Trusted set-up models: Honest majority [BGW88, CCD88, BR89, DM00], CRS [BFM, CLOS], PKI [BCNP], Timing model [DNS, KLP], Tamper-proof hardware [K, ...]
  • Thm [Lin-P-Venkitasubramaniam09]: Use Robust NM Com to get a crisp and essentially tight characterization (assuming TDP) of when a set-up can be used to get UC SMC.
  • Essentially all known UC SMC results follow as a corollary, with improved computational assumptions and round complexity.
  • Can mix and match set-ups! [Garg, Goyal, Jain, Sahai, yesterday]

39
Who can you trust?
40
Super-Poly Time Simulation (SPS) [P03]
Allow a super-poly-time security reduction.
We know that a poly-time security reduction is impossible.
Still, meaningful in many (most) cases.
Possible! [P03, Prabhakaran-Sahai04, Barak-Sahai05, Lin-P-Venkitasubramaniam09]
But, using strong hardness assumptions.
(Figure: simulator S and adversary A)
41
Prabhakaran-Sahai04
  • Assume an id-based hash function: it is hard to find a collision w.r.t. id even if you have oracle access to someone who finds random collisions w.r.t. any other id' ≠ id.
  • Simulator S needs to
    • extract A's input without disturbing the execution with Z
    • while ensuring that the inputs of the honest parties remain hidden.

Use the collision-finding oracle to extract in super-poly time!
By security of the id-based hash.
(Figure: A and S)
42
CCA-Secure Commitments [Canetti-Lin-P10]
(Figure: A receives a left commitment C(x) with identifier i; on the right A sends commitments C(y1), C(y2), C(y3) with identifier j1 to a decommitment oracle O, which answers y1, y2, y3)
Chosen-Commitment-Attack (CCA) security: Either A copies the left identifier to the right, or the LHS is hiding (the view of A is indistinguishable).
43
Concurrent Non-Malleable Commitments
(Figure: A receives a left commitment C(x) with identifier i; on the right A sends commitments C(y1), C(y2), C(y3) with identifier j1; the committed values y1, y2, y3 appear only at the end, next to O)
Non-Malleability: Either A copies the left identifier to the right, or the view of A together with (y1, y2, y3) is indistinguishable.
CCA security ⟹ Conc. Non-Malleability
44
  • Thm [CLP10]: Existence of OWF implies O(n^ε)-round robust CCA-secure commitments
  • Need to deal with both NM and nesting of executions, à la Concurrent ZK [Dwork-Naor-Sahai99]
  • Rely on the original message scheduling technique of Dolev-Dwork-Naor91 + the ideas behind the concurrent ZK simulation of Richardson-Kilian01
  • Thm [CLP10]: Robust CCA-secure commitments + OT implies SPS-secure SMC
  • Open
    • O(1)-round CCA-secure commitments from OWF?

45
  • More Open(-ended) Open Questions
  • What is the right definition of concurrent security (without trusted set-up)?
    • SPS security provides weak guarantees on the computational advantages gained by an adversary
    • Sufficient when security in the ideal model is information-theoretic (or just sufficiently strong)
    • But not sufficient to preserve security of moderately-hard properties
    • Rewindable TTP [Goyal-Sahai08, Goyal-Jain-Ostrovsky10]
    • Need very efficient precise simulations [Micali-P06]
    • Currently best concurrent simulation: ω(1) rewindings [Pandey-P-Sahai-Tseng-Venkitasubramaniam08]
  • Can we compose different security notions?

46
The Dark Side of Concurrency
Don't worry: Lower bounds
47
Lower Bounds using Concurrency
  • Security Reduction R from breaking B to breaking intractability assumption C

(Figure: challenger C interacting with the reduction R^O, which has oracle access to O; messages f(r) and r)
Black-box reduction: R^O breaks C whenever O breaks B.
For some classic protocols/tasks (sequential WH of classic ZK protocols, active security of Schnorr's identification scheme, the selective decommitment problem, Chaum's blind signatures) no security reductions are known under ANY 2-round intractability assumption.
Thm [P11]: If there exists a BB reduction (but potentially non-BB construction) from a poly-round intractability assumption C, then C can be broken in poly time.
Why concurrency? The reduction can nest its calls to O; concurrent simulation techniques are very useful!
48
Thank You
49
Overview of Our Construction
(Figure: A receives a left commitment C(x) with identifier i; on the right A sends commitments C(y1), C(y2), C(y3) with identifier j1 to H, which extracts y1, y2, y3 by rewindings)
Design a protocol s.t. H can be efficiently simulated. Then, Hiding ⟹ CCA security.
But:
  1. A may ask new messages in the LHS, so the LHS is not hiding anymore (NM)
  2. A may nest oracle calls, so the extraction time explodes (conc. ZK)
50
Secure Multi-party Computation Yao,GMW
  • A set of parties with private inputs.
  • Wish to jointly compute a function of their
    inputs while preserving privacy of inputs (as
    much as possible)
  • Security must be preserved even if some of the
    parties are malicious.

51
What's Next: Concurrency for General Interaction
52
What's Next: Adaptive Hardness
  • Consider the Factoring problem
    • Given the product N of 2 random n-bit primes p, q, can you provide the factorization?
  • Adaptive Factoring Problem
    • Given the product N of 2 random n-bit primes p, q, can you provide the factorization, if you have access to an oracle that factors all other N' that are products of equal-length primes?
  • Are these problems equivalent?
    • Unknown!

53
What's Next: Adaptive Hardness
  • Adaptively-hard Commitments [Canetti-Lin-P10]
    • Commitment scheme that remains hiding even if Adv has access to a decommitment oracle
    • Implies Non-malleability (and more!)
  • Thm [CLP10]: Existence of commitments implies O(n^ε)-round Adaptively-hard commitments

54
Without Trusted Set-up
  • Specific tasks and attacks
    • Concurrent Zero-knowledge [Dwork-Naor-Sahai, Richardson-Kilian, Kilian-Petrank, Prabhakaran-Rosen-Sahai, Barak01]
    • Non-malleable Commitments [Dolev-Dwork-Naor91, ...]
  • Relaxed notions of security
    • E.g., super-poly simulation, angel-based security, input indistinguishability [P03, Prabhakaran-Sahai04, Barak-Sahai05, Micali-P-Rosen06, Lin-P-Venkitasubramaniam09, Canetti-Lin-P10]

55
Angel-Based Security [Prabhakaran-Sahai04]
Simulator and adversary receive help from an angel.
Angel: A restricted super-poly-time oracle performing some specific, system-dependent task, e.g. find a collision of a CRH as long as the colliding inputs include the id of the requesting party.
Composable.
Possible [Prabhakaran-Sahai04, Malkin-Moriarty-Yung06, Barak-Sahai05]!
But, even stronger assumptions, e.g. adaptively hard CRH.
(Figure: angel oracle O available to both S and A)
56
Zero Knowledge Goldwasser-Micali-Rackoff85
  • Interactive protocol between a Prover and a
    Verifier where the Verifier learns nothing except
    the proof statement

57
Zero Knowledge [Goldwasser-Micali-Rackoff85]
  • For every PPT V* (adversary) there is a PPT simulator S

(Figure: real view ≈ simulated view: Indistinguishable)
58
Concurrent ZK (cZK) [Dwork-Naor-Sahai01]
(Figure: Prover and Verifier V*; the view of V* with the Prover ≈ the view generated by S)
59
Classic ZK Protocol [Feige-Shamir90]
INIT: Commit to a random secret s
Slot: Proof of Knowledge of s
60
Classic ZK Protocol [Feige-Shamir90]
Slot: Proof of Knowledge of s
2nd time: Extract s
What about cZK?
61
Concurrent Zero Knowledge
3 nested sessions
Rewinding here ⟹ redo the work of the nested sessions
Takes time O(2^{#nestings}) [KPR00]
62
Richardson-Kilian
(Figure: session with INIT, several slots, and END)
  • Need to extract s for every session.
  • Easier if there are more slots.
  • Cannot nest inside all slots.
  • Rewinding any one slot extracts s.
63
Concurrent Zero-knowledge
  • A set of parties with private inputs.
  • Wish to jointly compute a function of their
    inputs while preserving privacy of inputs (as
    much as possible)
  • Security must be preserved even if some of the
    parties are malicious.