Concurrency and Non-malleability

1
Constant-round Non-malleability From Any One-way
Function
Rafael PassCornell University
Joint work with Huijia (Rachel) Lin
2
Commitment Scheme

• The digital analogue of sealed envelops.

One of the most basic cryptographic tasks.
Part of essentially all more involved secure
computations Can be constructed from any one way
function. N89, HILL 99
Reveal
3
Right abstraction if
4
But life is

5
MIM
Receiver/Sender
Sender
Receiver
C(v)
C(v)
Possible that v v1
Even though MIM does not know v!
6
Non-Malleable Commitments Dolev Dwork
Naor91
MIM
Receiver/Sender
Sender
Receiver
i
j
C(v)
C(v)
Non-malleability Either MIM forwards v
v Or v is independent of v
7
Non-Malleable Commitments Dolev Dwork
Naor91
MIM
Receiver/Sender
Sender
Receiver
i
j
C(i,v)
C(j, v)
i ? j
Non-malleability if then, v is
independent of v
8
Non-Malleable Commitments Dolev Dwork
Naor91
Man-in-the-middle execution
i ? j
i
j
Simulation
j
Non-malleability For every MIM, there exists a
simulator, such that value committed by MIM is
indistinguishable from value committed by
simulator
9
Non-Malleable Commitments Dolev Dwork
Naor91
i
j

• Important in practice
• Test-bed for other tasks
• Applications to MPC

10
Non-malleable Commitments

• Original Work by DDN91
• OWF
• black-box techniques
• But O(log n) rounds
• Main question how many rounds do we need?
• With set-up solved 1-round, OWF
  DiCreczenzo-Ishai-Ostrovsky99,DKO,CF,FF,,DG
• Without set-up
• Barak02 O(1)-round Subexp CRH dense crypto
• P04,P-Rosen05 O(1) rounds using CRH
• Lin-P09 O(1)log n round using OWF
• P-Wee10 O(1) using Subexp OWF
• Wee10 O(log n) using OWF

Non BB
11
Non-malleable Commitments

• Original Work by DDN91
• OWF
• black-box techniques
• But O(log n) rounds
• Main question how many rounds do we need?
• With set-up solved 1-round, OWF
  DiCreczenzo-Ishai-Ostrovsky99,DKO,CF,FF,,DG
• Without set-up
• O(1)-round from CRH or Subexp OWF
• O(log n) from OWF
• Sd
• Sd

12
Main Theorem
Thm Assume one-way functions. Then there exists
a O(1)-round non-malleable commitment with a
black-box proof of security.

• Note Since commitment schemes imply OWF, we
  have that unconditionally that any commitments
  scheme can be turned into one that is O(1)-round
  and non-malleable.

• Note As we shall see, this also weakens
  assumptions for O(1)-round secure multi-party
  computation.

13
DDN Protocol Idea
i 011
j 00..1
C(i,v)
C(j, v)


Blue does not help Red and vice versa
14
The Idea
What if we could run the message scheduling in
the head?
Let us focus on non-aborting and synchronizing
adversaries.
(never send invalid mess in left exec)
15
Com(id,v)
id 00101
cC(v)
I know v s.t. cC(v) Or I have seen sequence
WI-POK
16
Signature Chains

• Consider 2 fixed-length signature schemes
  Sig0, Sig1 (i.e., signatures are always of length
  n) with keys vk0, vk1.
• Def (s,id) is a signature-chain if for all i,
  si1 is a signature of (i,s0) using scheme idi
• s0 r
• s1 Sig0(0,s0) id1 0
• s2 Sig0(1,s1) id2 0
• s3 Sig1(2,s2) id3 1
• s4 Sig0(3,s3) id4 0

17
Signature Games

• You have given vk0, vk1 and you have access to
  signing oracles Sig0, Sig1 .
• Let ? denote the access pattern to the oracle
• that is ?i b if in the ith iteraction you
  access oracle b.
• Claim If you output a signature-chain (s,id)
• Then, w.h.p, id is a substring of the access
  pattern ?.

18
Com(id,v)
id 00101
vk0
r0
Sign0(r0)
vk1
r1
Sign1(r1)
cC(v)
I know v s.t. cC(v) Or I have seen sequence
WI-POK
19
Com(id,v)
id 00101
vk0
r0
Sign0(r0)
vk1
r1
Sign1(r1)
cC(v)
I know v s.t. cC(v) Or I know a sig-chain (s,id)
WI-POK
w.r.t id
20
Non-malleability through dance
i 0110..
j 00..1
vk0
vk0
r0
r0
Sign0(r0)
Sign0(r0)
vk1
vk1
r1
r1
Sign1(r1)
Sign1(r1)
cC(v)
cC(v)
WI-POK
WI-POK
w.r.t i
w.r.t j
In actual protocol need many seq WIPOK a la
LP09
21
Dealing with Aborting Adversaries

• Problem 1
• MIM will notice that I ask him to sign a
  signature chain
• Solution Dont. Ask him to sign commitments of
  sigs(need to add a POK of commitment to prove
  sig game lemma)
• Problem 2
• I might have to rewind many times on left to
  get a single signature
• So if I have id 01011, access pattern on the
  right is 0101...
• Solution Use 3 keys (0,1,2) require chain w.r.t
  2id12id22id3

22
Main Theorem
Thm Assume one-way functions. Then there exists
a O(1)-round non-malleable commitment with a
black-box proof of security.
Main Technique Exploit rewinding pattern
(instead of just location)
Some applications
23
Secure Multi-party Computation Yao,GMW

• A set of parties with private inputs.
• Wish to jointly compute a function of their
  inputs while preserving privacy of inputs (as
  much as possible)
• Security must be preserved even if some of the
  parties are malicious.

24
Secure Multi-party Computation Yao,GMW

• Original work of Goldreich-Micali-Wigderson87
• TDP, n rounds
• More Recent Stronger assumption, less rounds
• Katz-Ostrovsky-Smith03
• TDP, dense cryptosystems, log n rounds
• TDP, CRHdense crypto with SubExp sec,
  O(1)-rounds, non-BB
• P04
• TDP, CRH, O(1)-round, non-BB

25
NMC v.s. MPC

• Thm Lin-P-Venkitasubramaniam09
• TPD k-round robust NMC ? O(k)-round MPC

Holds both for stand-alone MPC and UC-MPC (in a
number of set-up models)
Corollary TDP ? O(1)-round MPC
26
NM ZK

• Thm Lin-P-Tseng-Venkitasubramaniam10
• k-round robust NMC ? O(k)-round NMZK

Corollary OWF? O(1)-round NMZK
Can also get Conc NMZK if adding ?(log n) rounds
27
Whats Next Adaptive Hardness

• Consider the Factoring problem
• Given the product N of 2 random n-bit primes p,q,
  can you provide the factorization
• Adaptive Factoring Problem
• Given the product N of 2 random n-bit primes p,q,
  can you provide the factorization, if you have
  access to an oracle that factors all other N
  that are products of equal-length primes
• Are these problems equivalent?
• Unknown!

28
Whats Next Adaptive Hardness

• Adaptively-hard Commitments Canetti-Lin-P10
• Commitment scheme that remains hiding even if Adv
  has access to a decommitment oracle
• Implies Non-malleability (and more!)
• Thm CLP10 Existence of commitments implies
  O(n?)-round Adaptively-hard commitments

29
Thank You