Concurrency and Non-malleability - PowerPoint PPT Presentation


From Any One-way Function Rafael Pass Cornell University Joint work with Huijia (Rachel) Lin – PowerPoint PPT presentation

Slides: 30
Provided by: Rafae156

Transcript and Presenter's Notes



1
Constant-round Non-malleability From Any One-way Function
Rafael Pass, Cornell University
Joint work with Huijia (Rachel) Lin
2
Commitment Scheme
  • The digital analogue of sealed envelopes.

One of the most basic cryptographic tasks.
Part of essentially all more involved secure computations.
Can be constructed from any one-way function [N89, HILL99].
Reveal
3
Right abstraction if
4
But life is

5
MIM
Receiver/Sender
Sender
Receiver
C(v)
C(v')
Possible that v' = v+1
Even though MIM does not know v!
6
Non-Malleable Commitments [Dolev-Dwork-Naor91]
MIM
Receiver/Sender
Sender
Receiver
i
j
C(v)
C(v')
Non-malleability: Either MIM forwards (v' = v), or v' is independent of v
7
Non-Malleable Commitments [Dolev-Dwork-Naor91]
MIM
Receiver/Sender
Sender
Receiver
i
j
C(i, v)
C(j, v')
i ≠ j
Non-malleability: if i ≠ j then v' is independent of v
8
Non-Malleable Commitments [Dolev-Dwork-Naor91]
Man-in-the-middle execution
i ≠ j
i
j
Simulation
j
Non-malleability: For every MIM, there exists a simulator such that the value committed by the MIM is indistinguishable from the value committed by the simulator.
9
Non-Malleable Commitments [Dolev-Dwork-Naor91]
i
j
  • Important in practice
  • Test-bed for other tasks
  • Applications to MPC

10
Non-malleable Commitments
  • Original work by [DDN91]
  • OWF
  • black-box techniques
  • But O(log n) rounds
  • Main question: how many rounds do we need?
  • With set-up: solved. 1-round, OWF
    [Di Crescenzo-Ishai-Ostrovsky99,DKO,CF,FF,,DG]
  • Without set-up:
  • [Barak02] O(1)-round, Subexp CRH + dense crypto
  • [P04, P-Rosen05] O(1) rounds using CRH
  • [Lin-P09] O(1)log n round using OWF
  • [P-Wee10] O(1) using Subexp OWF
  • [Wee10] O(log n) using OWF

Non BB
11
Non-malleable Commitments
  • Original work by [DDN91]
  • OWF
  • black-box techniques
  • But O(log n) rounds
  • Main question: how many rounds do we need?
  • With set-up: solved. 1-round, OWF
    [Di Crescenzo-Ishai-Ostrovsky99,DKO,CF,FF,,DG]
  • Without set-up:
  • O(1)-round from CRH or Subexp OWF
  • O(log n) from OWF

12
Main Theorem
Thm: Assume one-way functions. Then there exists
an O(1)-round non-malleable commitment with a
black-box proof of security.
  • Note: Since commitment schemes imply OWF, we
    have unconditionally that any commitment
    scheme can be turned into one that is O(1)-round
    and non-malleable.
  • Note: As we shall see, this also weakens
    assumptions for O(1)-round secure multi-party
    computation.

13
DDN Protocol Idea
i = 011
j = 00..1
C(i, v)
C(j, v')


Blue does not help Red and vice versa
14
The Idea
What if we could run the message scheduling in the head?
Let us focus on non-aborting and synchronizing adversaries
(never send invalid messages in the left execution).
15
Com(id,v)
id = 00101
c = C(v)
WI-POK: I know v s.t. c = C(v), or I have seen sequence
16
Signature Chains
  • Consider 2 fixed-length signature schemes
    Sig0, Sig1 (i.e., signatures are always of length
    n) with keys vk0, vk1.
  • Def: (s, id) is a signature-chain if for all i,
    s_{i+1} is a signature of (i, s_i) using scheme id_{i+1}
  • s_0 = r
  • s_1 = Sig0(0, s_0), id_1 = 0
  • s_2 = Sig0(1, s_1), id_2 = 0
  • s_3 = Sig1(2, s_2), id_3 = 1
  • s_4 = Sig0(3, s_3), id_4 = 0

17
Signature Games
  • You are given vk0, vk1 and you have access to
    signing oracles Sig0, Sig1.
  • Let ? denote the access pattern to the oracles,
    that is, ?_i = b if in the i-th interaction you
    access oracle b.
  • Claim: If you output a signature-chain (s, id),
    then, w.h.p., id is a substring of the access
    pattern ?.
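
The chain definition and the signature-game claim from the two slides above, as an added Python example that is not part of the presentation. Assumptions: HMAC-SHA256 stands in for the fixed-length schemes Sig0, Sig1 (a MAC, so verification needs the secret keys), the names `SigningOracles`, `build_chain` and `occurs_in_order` are hypothetical, and "substring" is read as order-preserving but not necessarily contiguous.

```python
import hashlib
import hmac

N = 32  # fixed signature length in bytes (the slide's n); assumption


class SigningOracles:
    """Oracles Sig0, Sig1 that record the access pattern of the caller.

    HMAC-SHA256 is a stand-in for a signature scheme (assumption):
    it yields fixed-length tags, but is not publicly verifiable.
    """

    def __init__(self, key0: bytes, key1: bytes):
        self._keys = (key0, key1)
        self.pattern = []  # bit b is appended on every query to Sig_b

    def _tag(self, b: int, i: int, prev: bytes) -> bytes:
        msg = i.to_bytes(4, "big") + prev  # encoding of the pair (i, s_i)
        return hmac.new(self._keys[b], msg, hashlib.sha256).digest()

    def sign(self, b: int, i: int, prev: bytes) -> bytes:
        self.pattern.append(b)
        return self._tag(b, i, prev)

    def verify_chain(self, s, id_bits) -> bool:
        """s = [s_0, ..., s_k]; id_bits[i] plays the role of id_{i+1}."""
        if len(s) != len(id_bits) + 1 or any(len(x) != N for x in s):
            return False
        return all(
            hmac.compare_digest(s[i + 1], self._tag(id_bits[i], i, s[i]))
            for i in range(len(id_bits))
        )


def build_chain(oracles, r: bytes, id_bits):
    """Honest chain: s_0 = r, s_{i+1} = Sig_{id_{i+1}}(i, s_i)."""
    s = [r]
    for i, b in enumerate(id_bits):
        s.append(oracles.sign(b, i, s[-1]))
    return s


def occurs_in_order(id_bits, pattern) -> bool:
    """True if id_bits appears in pattern in order (gaps allowed)."""
    it = iter(pattern)
    return all(b in it for b in id_bits)


def demo():
    # Constructed keys and start value, for illustration only.
    oracles = SigningOracles(b"constructed-key-0", b"constructed-key-1")
    r = bytes(N)
    oracles.sign(1, 7, r)  # an unrelated query made before the chain
    chain = build_chain(oracles, r, [0, 0, 1, 0])  # id from the slide
    return oracles, chain
```

Each link signs the previous one, so the oracle queries that produce a valid chain are forced to happen in the order given by id; that ordering is what the access pattern records.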

18
Com(id,v)
id = 00101
vk0
r0
Sign0(r0)
vk1
r1
Sign1(r1)
c = C(v)
WI-POK: I know v s.t. c = C(v), or I have seen sequence
19
Com(id,v)
id = 00101
vk0
r0
Sign0(r0)
vk1
r1
Sign1(r1)
c = C(v)
WI-POK: I know v s.t. c = C(v), or I know a sig-chain (s, id) w.r.t. id
20
Non-malleability through dance
i = 0110..
j = 00..1
vk0
vk0
r0
r0
Sign0(r0)
Sign0(r0)
vk1
vk1
r1
r1
Sign1(r1)
Sign1(r1)
c = C(v)
c' = C(v')
WI-POK w.r.t. i
WI-POK w.r.t. j
In the actual protocol, need many sequential WI-POKs à la [LP09]
21
Dealing with Aborting Adversaries
  • Problem 1:
  • MIM will notice that I ask him to sign a
    signature chain
  • Solution: Don't. Ask him to sign commitments of
    sigs (need to add a POK of commitment to prove
    sig game lemma)
  • Problem 2:
  • I might have to rewind many times on left to
    get a single signature
  • So if I have id 01011, access pattern on the
    right is 0101...
  • Solution: Use 3 keys (0, 1, 2); require chain w.r.t.
    2 id_1 2 id_2 2 id_3

22
Main Theorem
Thm: Assume one-way functions. Then there exists
an O(1)-round non-malleable commitment with a
black-box proof of security.
Main Technique: Exploit rewinding pattern
(instead of just location)
Some applications
23
Secure Multi-party Computation [Yao, GMW]
  • A set of parties with private inputs.
  • Wish to jointly compute a function of their
    inputs while preserving privacy of inputs (as
    much as possible)
  • Security must be preserved even if some of the
    parties are malicious.

24
Secure Multi-party Computation [Yao, GMW]
  • Original work of [Goldreich-Micali-Wigderson87]
  • TDP, n rounds
  • More recent: stronger assumptions, fewer rounds
  • [Katz-Ostrovsky-Smith03]
  • TDP, dense cryptosystems, log n rounds
  • TDP, CRH + dense crypto with SubExp sec,
    O(1)-rounds, non-BB
  • [P04]
  • TDP, CRH, O(1)-round, non-BB

25
NMC v.s. MPC
  • Thm [Lin-P-Venkitasubramaniam09]:
  • TDP + k-round robust NMC ⇒ O(k)-round MPC

Holds both for stand-alone MPC and UC-MPC (in a
number of set-up models)
Corollary: TDP ⇒ O(1)-round MPC
26
NM ZK
  • Thm [Lin-P-Tseng-Venkitasubramaniam10]:
  • k-round robust NMC ⇒ O(k)-round NMZK

Corollary: OWF ⇒ O(1)-round NMZK
Can also get Conc NMZK if adding ?(log n) rounds
27
What's Next: Adaptive Hardness
  • Consider the Factoring problem:
  • Given the product N of 2 random n-bit primes p, q,
    can you provide the factorization?
  • Adaptive Factoring Problem:
  • Given the product N of 2 random n-bit primes p, q,
    can you provide the factorization, if you have
    access to an oracle that factors all other N
    that are products of equal-length primes?
  • Are these problems equivalent?
  • Unknown!

28
What's Next: Adaptive Hardness
  • Adaptively-hard Commitments [Canetti-Lin-P10]
  • Commitment scheme that remains hiding even if Adv
    has access to a decommitment oracle
  • Implies Non-malleability (and more!)
  • Thm [CLP10]: Existence of commitments implies
    O(n?)-round adaptively-hard commitments

29
Thank You