Constant-round Non-malleability From Any One-way Function
Rafael Pass, Cornell University
Joint work with Huijia (Rachel) Lin

Cryptographic Protocols
"Interactions among mutually distrustful players"
Far beyond the traditional goal of concealing messages:
– Electronic auctions without a trusted auctioneer
  • Correctness: the highest bidder wins
  • Privacy: no other bids are revealed
– Electronic elections without a trusted vote counter
  • Correctness: votes are correctly counted
  • Privacy: individual votes remain secret
– And much more: electronic payment systems, authentication protocols, privacy-preserving data mining...

Secure Multi-party Computation
"Any task that can be securely implemented using a trusted party can be securely implemented without the trusted party" [Y82, GMW86]

The Classic Stand-Alone Model
Alice and Bob: one set of parties executing a single protocol in isolation.

On the Internet: Need Concurrent Security [DDN91, ...]
Many parties running many different protocol executions.

The Chess-master Problem
8am: Lose! 8pm: Lose!
(An amateur playing two grandmasters separately loses both games; playing them at the same time and relaying each one's moves to the other, the amateur does no worse than a draw in one of them without understanding chess. A similar relaying attack works on crypto protocols!)

Man-in-the-middle Attacks
Left execution: Alice (initiator) sends a to the MIM, who plays responder. Right execution: the MIM (initiator) sends b to Bob (responder). The MIM can make use of a message from the RIGHT in the LEFT.
Adding names does not help by itself:
• Alice sends "Alice: a"; the MIM forwards "Alice: a" to Bob. Grrr! "You are not Alice!"
• So the MIM relabels instead: "Alice: a" becomes "Devil: a" on the right, and Bob's "Bob: b" becomes "Devil: b" on the left. The MIM still makes use of a message from the RIGHT in the LEFT.

Commitment Scheme
The "digital analogue" of sealed envelopes. The Sender holds a value v and sends the Receiver a Commitment; later the Sender reveals v.
One of the most basic cryptographic tasks:
• natural abstraction
• many applications (zero-knowledge, coin-tossing, secure computation...)
One-way functions are both sufficient and necessary [N'89, HILL'99].

Example: Closed Auctions
Bidder I and Bidder II each commit to a bid and send it to the Auctioneer. We would like to ensure that the bids are independent: Bidder II would have loved to set, e.g., ã = a + 1.
The definition of commitments does not rule this out! For most commitments, one can actually create such a dependency.
Sender → MIM: C(v); MIM → Receiver: C(v'). It is possible that v' = v + 1, even though the MIM does not know v!

Non-Malleable Commitments [Dolev Dwork Naor'91]
The Sender, with identity i, commits to v: C(i, v). The MIM, with identity j, commits to v' on the right: C(j, v').
Non-malleability: if i ≠ j, then v' is "independent" of v.
This is formalized by comparing two experiments: the man-in-the-middle execution (left value v, right value v') and a simulation in which a "simulator" with identity j, seeing no left execution at all, commits to some value v''. Non-malleability: for every MIM there exists a simulator such that the value committed by the MIM is "indistinguishable" from the value committed by the simulator.
• Important in practice
• "Test-bed" for other tasks
• Applications to MPC

DDN: Encoding Names in Messages
The initiator with ID = 010 runs, for i = 1 to n:
• if ID_i = 1: a REAL exchange, then a DUMMY exchange
• if ID_i = 0: a DUMMY exchange, then a REAL exchange
So for ID = 010: iteration 1 is DUMMY, REAL; iteration 2 is REAL, DUMMY; iteration 3 is DUMMY, REAL.
IDEA: make sure that at some point a MIM needs to either
• speak alone, or
• give REAL when hearing DUMMY.
Initiator with ID = 010 on the left; the MIM (responder on the left, initiator on the right) uses ID' = 110; Responder on the right. If ID ≠ ID', there exists an iteration in which the MIM must give REAL but receives DUMMY.

Non-malleable Commitments: how many rounds?
• Original work by [DDN'91]: based on any one-way function (OWF), but O(log n) rounds
• Main question: how many rounds do we need?
• With "trusted set-up", solved: 1 round from OWF [DIO'99, DKO, CF, FF, ..., DG]
• Without set-up:
  – [Barak'02]: O(1) rounds from subexponential CRH + dense cryptosystems
  – [P'04, P-Rosen'05]: O(1) rounds using CRH
  (both "non-BB", i.e. non-black-box)
  – [Lin-P'09]: O(1)^{log* n} rounds using OWF
  – [P-Wee'10]: O(1) rounds using subexponential OWF
  – [Wee'10]: O(log* n) rounds using OWF
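Going back to the DDN name-encoding schedule above: the following is an added example, not code from the talk, that simulates the REAL/DUMMY schedule for two identities and checks the claim that a differing ID bit forces the MIM to produce a REAL exchange on the right while the left only offers DUMMY. The model is an assumption of the example: a REAL exchange is a fresh challenge that only the holder of the initiator's secret can answer, a DUMMY exchange needs nothing, and the MIM (holding no secret) can only answer by forwarding the right-hand challenge into a left-hand REAL exchange open in the same slot. The names `ddn_schedule`, `relay_mim` and the secret are this example's own.

```python
# Added example, not from the talk: a simulation of the DDN name-encoding
# schedule with a relay-only man-in-the-middle. Model (an assumption of this
# example): a REAL exchange is a fresh challenge that only the holder of the
# initiator's secret can answer; a DUMMY exchange needs nothing. The MIM holds
# no secret, so it can answer a right-side REAL challenge only by forwarding it
# into a left-side REAL exchange that is open in the same slot.
import hashlib
import os

REAL, DUMMY = "REAL", "DUMMY"


def ddn_schedule(id_bits):
    """Iteration i runs (REAL, DUMMY) if ID_i = 1 and (DUMMY, REAL) if ID_i = 0."""
    return [(REAL, DUMMY) if b == "1" else (DUMMY, REAL) for b in id_bits]


def answer(secret, challenge):
    """Stand-in for completing a REAL exchange: a response bound to a fresh challenge."""
    return hashlib.sha256(secret + challenge).digest()


def relay_mim(id_left, id_right, secret=b"constructed secret of Alice"):
    """Run both executions slot by slot: Alice (ID id_left) is the left initiator,
    the MIM (ID id_right) is the right initiator talking to Bob. Returns every
    (iteration, slot) in which the MIM must complete a REAL exchange on the right
    while the left execution only offers a DUMMY one, i.e. where relaying fails."""
    if len(id_left) != len(id_right):
        raise ValueError("identities must have the same length")
    stuck = []
    for i, (left, right) in enumerate(zip(ddn_schedule(id_left), ddn_schedule(id_right))):
        for slot in range(2):
            if right[slot] != REAL:
                continue                     # DUMMY on the right: nothing to prove
            challenge = os.urandom(16)       # fresh challenge from Bob, the right receiver
            if left[slot] == REAL:
                # Alice's REAL exchange is open in this slot: forward Bob's challenge to her.
                reply = answer(secret, challenge)
            else:
                reply = None                 # Alice only offers DUMMY: the MIM must speak alone
            if reply != answer(secret, challenge):
                stuck.append((i, slot))
    return stuck


def differing_iterations(id_left, id_right):
    """Iterations where the two identities differ; DDN's claim is that every one
    of these forces the MIM to speak alone in one of its two slots."""
    return [i for i, (a, b) in enumerate(zip(id_left, id_right)) if a != b]
```

For ID = 010 against ID' = 110 the MIM gets stuck in iteration 0, slot 0 (it must open a REAL exchange while Alice is still on DUMMY); for ID = 110 against ID' = 010 it gets stuck in slot 1 of the same iteration, which is the "speak alone" case, since Alice's REAL exchange was already closed in slot 0 and a fresh challenge cannot be answered from it. Equal identities never get stuck, which is exactly why the encoding only helps when i ≠ j.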
In short: with "trusted set-up" the problem is solved with 1 round from OWF [DIO'99, DKO, CF, FF, ..., DG]; without set-up we have O(1) rounds from CRH or subexponential OWF, and O(log* n) rounds from OWF.

Main Theorem [Lin-P'10]
Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment.
• Note: since commitment schemes imply OWF, we get unconditionally that any commitment scheme can be turned into one that is O(1)-round and non-malleable.
• Note: as we shall see, this also weakens the assumptions needed for O(1)-round secure multi-party computation.

The Idea
What if we could run "message scheduling in the head"?
Let us focus on non-aborting and synchronizing adversaries (they never send invalid messages in the left execution, and they run the right execution in lockstep with the left one).

Com(id, v), id = 00101 (first attempt):
  c = C(v)
  WI-POK: "I know v s.t. c = C(v)" OR "I have 'seen' the sequence ..."

Signature Chains
Consider 2 "fixed-length" signature schemes Sig0, Sig1 (i.e., signatures are always of length n) with keys vk0, vk1.
Def: (s, id) is a signature chain if for all i, s_{i+1} is a signature of "(i, s_i)" under scheme id_{i+1}.
Example:
  s_0 = r
  s_1 = Sig0(0, s_0)    id_1 = 0
  s_2 = Sig0(1, s_1)    id_2 = 0
  s_3 = Sig1(2, s_2)    id_3 = 1
  s_4 = Sig0(3, s_3)    id_4 = 0

Signature Games
You are given vk0, vk1 and you have access to the signing oracles Sig0, Sig1. The access pattern to the oracles is the sequence whose i-th entry is b if in the i-th interaction you access oracle b.
Claim: if you output a signature chain (s, id), then w.h.p. id is a substring of the access pattern.

Com(id, v), id = 00101, with signatures:
  vk0; r0; Sign0(r0)
  vk1; r1; Sign1(r1)
  c = C(v)
  WI-POK: "I know v s.t. c = C(v)" OR "I know a sig-chain (s, id) w.r.t. id"

Non-malleability through dance
Left execution with i = 0110.., right execution with j = 00..1: the same rounds (vk0; r0; Sign0(r0); vk1; r1; Sign1(r1); c = C(v)) run side by side with the MIM in the middle, the left WI-POK being w.r.t. i and the right WI-POK w.r.t. j.

Dealing with Aborting Adversaries
Problem 1:
– The MIM will notice that I ask him to sign a signature chain.
– Solution: Don't.
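A toy instance of the signature-chain game above, as an added example that is not code from the talk or the paper: signing oracles that log their access pattern, the chain definition as a checker, and the "id appears in the access pattern" check. It also carries the three-key separator encoding that the next slides introduce for the rewinding problem, to show why it is needed. Assumptions of the example: HMAC-SHA256 under a secret key stands in for each fixed-length signature scheme Sig_b (so the block runs offline on the standard library; unforgeability is not demonstrated, only the chain structure); the keys, r and identities are constructed; and "id in the access pattern" is checked as an in-order (subsequence) relation, the reading under which the claim holds, since link i+1 can only be produced by querying Sig_{id_{i+1}} after s_i is known and intervening queries to other keys do not help.

```python
# Added example, not from the talk: a toy instance of the signature-chain game.
# Assumptions: HMAC-SHA256 under a secret key stands in for each fixed-length
# signature scheme Sig_b; keys and r are constructed; "id is in the access
# pattern" is checked as an in-order (subsequence) relation.
import hashlib
import hmac

SIG_LEN = 32  # "fixed-length" signatures: every signature is exactly this long


class SigningOracles:
    """Oracles Sig_0 .. Sig_{k-1}; every query appends the key index to the access pattern."""

    def __init__(self, nkeys):
        self.keys = [hashlib.sha256(b"constructed toy key %d" % b).digest() for b in range(nkeys)]
        self.access = ""

    def sign(self, b, msg):
        self.access += str(b)
        return hmac.new(self.keys[b], msg, hashlib.sha256).digest()

    def verify(self, b, msg, sig):
        expected = hmac.new(self.keys[b], msg, hashlib.sha256).digest()
        return len(sig) == SIG_LEN and hmac.compare_digest(expected, sig)


def link_msg(i, s_i):
    """The string "(i, s_i)" that s_{i+1} signs, with an unambiguous encoding."""
    return i.to_bytes(4, "big") + s_i


def build_chain(oracles, r, idstr):
    """Honest chain: s_0 = r and s_{i+1} = Sig_{id_{i+1}}(i, s_i); queries the oracles in id order."""
    s = [r]
    for i, b in enumerate(idstr):
        s.append(oracles.sign(int(b), link_msg(i, s[i])))
    return s


def is_chain(oracles, s, idstr):
    """Definition from the talk: (s, id) is a signature chain iff every link verifies under scheme id_{i+1}."""
    return len(s) == len(idstr) + 1 and all(
        oracles.verify(int(b), link_msg(i, s[i]), s[i + 1]) for i, b in enumerate(idstr)
    )


def appears_in_order(idstr, access):
    """True iff idstr is a subsequence of the access pattern."""
    it = iter(access)
    return all(ch in it for ch in idstr)


def chain_consistent_with_access(oracles, s, idstr):
    """The game's check: a valid chain whose id is visible, in order, in the queries made."""
    return is_chain(oracles, s, idstr) and appears_in_order(idstr, oracles.access)


def encode3(idstr):
    """Three-key variant: key 2 is a separator, the chain is w.r.t. 2 id_1 2 id_2 2 id_3 ..."""
    return "".join("2" + b for b in idstr)


def rewound_pattern(pattern, reps):
    """Access pattern when every signing step may be replayed by rewinding: each query becomes a run."""
    return "".join(ch * reps for ch in pattern)
```

Building a chain for id = 00101 leaves exactly the access pattern 00101, and any tampered link, truncated chain or different id fails `is_chain`. With two keys, rewinding turns the pattern for id = 01011 into runs of the form 0*1*0*1*, and the different identity 00111 appears in order inside it, which is the problem the talk points out. With the separator key, every encoded identity other than the original is excluded from such a run pattern: each "2" of the candidate must come from a distinct separator run, which pins bit k of the candidate to bit k of the original.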
  Ask him to sign commitments of signatures instead...
Problem 2:
– I might have to "rewind" many times on the left to get a single signature.
– So if I have id = 01011, the access pattern on the right is 0*1*0*1*...
– Solution: use 3 keys (0, 1, 2); require a chain w.r.t. 2 id_1 2 id_2 2 id_3 ...

Main Theorem (recap)
Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment.
log* vs O(1)?

An Application: Secure Multi-party Computation [Yao, GMW]
A set of parties with private inputs wish to jointly compute a function of their inputs while preserving the privacy of the inputs (as much as possible). Security must be preserved even if some of the parties are malicious.
Original work of [GMW87]:
– trapdoor permutations (TDP), n rounds
– (e.g., voting with 1M people => 1M rounds)
More recent: "stronger assumptions, fewer rounds"
– [KOS]
  • TDP + dense cryptosystems, log n rounds
  • TDP + CRH + dense crypto with subexponential security, O(1) rounds, non-BB
– [P04]
  • TDP + CRH, O(1) rounds, non-BB
Thm: the same assumption as GMW => an O(1)-round protocol.

What's Next: Concurrency for General Interaction

What's Next: Adaptive Hardness
Consider the factoring problem:
• Given the product N of 2 random n-bit primes p, q, can you provide the factorization?
Adaptive factoring problem:
• Given the product N of 2 random n-bit primes p, q, can you provide the factorization, if you have access to an oracle that factors all other N' that are products of equal-length primes?
Are these problems equivalent? Unknown!
Adaptively-hard commitments [Canetti-Lin-P'10]:
• a commitment scheme that remains hiding even if the adversary has access to a decommitment oracle
• implies non-malleability (and more!)
Thm [CLP'10]: the existence of commitments implies O(n^ε)-round adaptively-hard commitments.

Thank You