Concurrency and Non-malleability Rafael Pass Cornell University

Secure Multi-party Computation
[Yao, Goldreich-Micali-Wigderson]
Goal: Allow a set of distrustful parties to compute any functionality f of their inputs, while preserving:
• Correctness
• Privacy
Even when there is no honest majority.
The Classic Stand-Alone Model
One set of parties executing a single
protocol in isolation.
But, Life is CONCURRENT
Many parties running many different
protocol executions.
The Chess-master Problem [DDN’91]
A player faces two grandmasters, one at 8am and one at 8pm. Played independently, the player loses both games. Relaying each master’s moves into the other game, the player wins at least one of the two (or draws both).
Similar attack on crypto protocols!
Man-in-the-middle Attacks
Alice is the initiator and Bob the responder, but the MIM sits on the channel, acting as responder towards Alice and as initiator towards Bob: Alice sends a; the MIM forwards 5a to Bob; Bob replies b; the MIM returns b/5 to Alice.
MIM controls the channel between Alice and Bob.
This Talk
• Commitment schemes secure against man-in-the-middle attacks
• Use such commitments to improve SMC
– Better round complexity also for stand-alone security
– Concurrent security
Commitment Scheme
The “digital analogue” of sealed envelopes.
Commit phase: the Sender, holding v, sends a Commitment to the Receiver (the sealed envelope: hiding).
Reveal phase: the Sender sends v and the Receiver checks it against the Commitment (the envelope cannot be altered: binding).
One-way functions are both sufficient and necessary [N’89, HILL’99].
Man-in-the-middle on a commitment: the Sender commits to v towards the MIM (left execution, C(v)); the MIM, acting as Sender, commits to v’ towards the Receiver (right execution, C(v’)).
Messages are arbitrarily interleaved: MIM controls scheduling.
Possible that v’ = v+1, even though MIM does not know v!
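The v’ = v+1 attack above, as an added worked example that is not part of the talk: Pedersen commitments are my choice of a concrete malleable scheme (the slides do not name one). They are perfectly hiding, so the MIM learns nothing about v, yet homomorphic, so the MIM can turn C(v) into C(v+1) (more generally C(αv+β)) and later open it once the Sender opens on the left. The toy group parameters P, Q, G, H are assumptions chosen for readability and are not secure.

```python
"""Pedersen commitments are perfectly hiding yet malleable (added example)."""
import secrets

# Toy group: P = 2Q+1 is a safe prime, G and H generate the order-Q subgroup.
# Assumption: a real deployment uses a large group and an H whose discrete
# log base G nobody knows; here H = 9 = 3^2 is simply another quadratic residue.
P, Q, G, H = 1019, 509, 4, 9


def commit(v, r):
    """C(v; r) = G^v * H^r mod P, with r the sender's fresh randomness."""
    return pow(G, v % Q, P) * pow(H, r % Q, P) % P


def opens_to(c, v, r):
    """The Receiver's check in the reveal phase."""
    return commit(v, r) == c


def maul_affine(c, alpha, beta):
    """Map C(v; r) to C(alpha*v + beta; alpha*r) using only the commitment:
    (G^v H^r)^alpha * G^beta = G^(alpha*v + beta) * H^(alpha*r)."""
    return pow(c, alpha % Q, P) * pow(G, beta % Q, P) % P


def maul_plus_one(c):
    """The v' = v + 1 attack from the slide is the case alpha = 1, beta = 1."""
    return maul_affine(c, 1, 1)


def mim_session(v, alpha=1, beta=1):
    """One left/right execution pair.

    Left:  honest Sender -> MIM: C(v; r), later opened as (v, r).
    Right: MIM -> Receiver: a mauled commitment, later opened with values the
           MIM derives from the Sender's opening. When the MIM sends its
           commitment it has seen only C(v; r), which is perfectly hiding,
           so at that point it knows nothing about v.
    Returns (receiver_accepts, value_committed_on_right).
    """
    r = secrets.randbelow(Q)
    c_left = commit(v, r)                       # Sender -> MIM
    c_right = maul_affine(c_left, alpha, beta)  # MIM -> Receiver, v unknown to MIM
    # reveal phase: Sender -> MIM sends (v, r); MIM opens the right side
    v_right, r_right = (alpha * v + beta) % Q, (alpha * r) % Q
    return opens_to(c_right, v_right, r_right), v_right
```

mim_session(42) returns (True, 43): the Receiver accepts an opening to v+1 from a party that never knew v, which is exactly the dependence that non-malleability rules out.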
Non-Malleable Commitments
[Dolev Dwork Naor’91]
Every execution is tagged with an identity. In the man-in-the-middle execution the Sender commits to v under identity i on the left, C(i,v), while the MIM commits to v’ under identity j on the right, C(j,v’).
Non-malleability: either the MIM simply forwards (i = j and v = v’), or, whenever i ≠ j, v’ is “independent” of v.
Non-Malleable Commitments
[Dolev Dwork Naor’91, P-Rosen’05]
Man-in-the-middle execution: the Sender commits to v under identity i on the left; the MIM commits to v’ under identity j ≠ i on the right.
Simulation: a stand-alone simulator, receiving no left commitment at all, commits to v’’ under identity j.
Non-malleability: For every MIM there exists a “simulator” such that, for any v, the value committed by the MIM (v’) is indistinguishable from the value committed by the simulator (v’’).
Non-Malleable Commitments
• Important in practice
• “Test-bed” for other tasks
• Applications to MPC
Non-malleable Commitments
• Original work by [DDN’91]
– OWF
– black-box techniques
– But: O(log n) rounds
• Main question: how many rounds do we need?
• With set-up solved: 1-round, OWF [Di Crescenzo-Ishai-Ostrovsky’99, DKO, CF, FF, …, DG]
• Without set-up:
– [Barak’02]: O(1) rounds using subexponential CRH + dense crypto (non-black-box)
– [P’04, P-Rosen’05]: O(1) rounds using CRH (non-black-box)
– [Lin-P’09]: O(1)^(log* n) rounds using OWF (NM amplification)
– [P-Wee’10]: O(1) rounds using subexponential OWF
– [Wee’10]: O(log* n) rounds using OWF (NM amplification)
• In summary: O(1) rounds from CRH or subexponential OWF; O(log* n) rounds from OWF
Thm [Lin-P’11]: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.
• Note: Since commitment schemes imply OWF, we get unconditionally that any commitment scheme can be turned into one that is O(1)-round and non-malleable.
• Note: As we shall see, this also weakens the assumptions for O(1)-round secure multi-party computation.
• Even more excitingly: Vipul Goyal independently proved the same result
– very different techniques
– relying on NM amplification
DDN Protocol Idea
The left execution has identity i = 01…1 and the right one j = 00..1; C(i,v) and C(j,v’) proceed bit by bit, with the message scheduling arranged so that, at a position where i and j differ, the left execution does not help the right one and vice versa.
The Idea:
What if we could run the message scheduling “in the head”?
Let us focus on non-aborting and synchronizing adversaries (the MIM never sends an invalid message in the left execution, and answers each left message with the corresponding right message).
Com(id,v), with id = 00101:
1. Sender sends c = C(v).
2. Sender gives a WI-POK (witness-indistinguishable proof of knowledge) of: “I know v s.t. c = C(v)” OR “I have ‘seen’ the sequence” (a sequence tied to id, made precise next).
Signature Chains
Consider 2 “fixed-length” signature schemes Sig0, Sig1 (i.e., signatures are always of length n) with keys vk0, vk1.
Def: (s, id), with s = (s0, s1, …, s_m) and id = (id1, …, id_m), is a signature-chain if for all i, s_{i+1} is a signature of “(i, s_i)” under scheme Sig_{id_{i+1}}.
Example, id = 0010:
s0 = r
s1 = Sig0(0, s0)   id1 = 0
s2 = Sig0(1, s1)   id2 = 0
s3 = Sig1(2, s2)   id3 = 1
s4 = Sig0(3, s3)   id4 = 0
Signature Games
You are given vk0, vk1 and you have access to signing oracles Sig0, Sig1.
Let the access pattern be the sequence whose i’th entry is b if in the i’th interaction you access oracle Sig_b.
Claim: If you output a signature-chain (s, id), then, w.h.p., id is a substring of the access pattern.
Com(id,v), with id = 00101:
1. Receiver sends vk0; Sender sends a random r0; Receiver returns Sign0(r0).
2. Receiver sends vk1; Sender sends a random r1; Receiver returns Sign1(r1).
3. Sender sends c = C(v).
4. Sender gives a WI-POK of: “I know v s.t. c = C(v)” OR “I know a sig-chain (s, id) w.r.t. id” (under vk0, vk1).
Non-malleability through dance
Left execution (identity i = 0110..) and right execution (identity j = 00..1) run side by side, message for message:
vk0 / vk’0, r0 / r’0, Sign0(r0) / Sign0(r’0), vk1 / vk’1, r1 / r’1, Sign1(r1) / Sign1(r’1), c = C(v) / c’ = C(v’), WI-POK w.r.t. i / WI-POK w.r.t. j.
Note: the signature keys on the left and on the right might be different; the reduction violates the security of the signature game for the key on the right.
Dealing with Aborting Adversaries
Problem 1:
– The MIM will notice that I ask him to sign a signature chain.
– Solution: Don’t. Ask him to sign commitments of signatures… (need to add a POK of the commitment to prove the signature-game lemma)
Problem 2:
– I might have to “rewind” many times on the left to get a single signature.
– So if id = 01011, the access pattern on the right is 0*1*0*1*… (each symbol repeated an unknown number of times), and the lengths of the runs of equal bits in id are lost.
– Solution: Use 3 keys (0, 1, 2); require a chain w.r.t. 2 id1 2 id2 2 id3 …, so that consecutive symbols of id are separated by a 2.
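Signature chains, the access-pattern claim of the signature game, and the 3-key separator encoding of Problem 2, as one added worked example that is not from the talk. HMAC-SHA256 under per-scheme keys stands in for a fixed-length signature scheme (an assumption: it is a MAC, so verification needs the key; a real scheme would verify under vk_b alone and the rest is unchanged). The code shows the bookkeeping behind the claim, namely that an honestly built chain’s id appears in the access pattern and that the 2-separators survive repeated queries, not the unforgeability argument itself.

```python
"""Signature chains, oracle access patterns and the 3-key encoding (added example)."""
import hashlib
import hmac
import secrets


class SigningOracles:
    """Stand-in for fixed-length signature schemes Sig_0, Sig_1 (, Sig_2):
    HMAC-SHA256 under independent keys, plus a log of which oracle was used."""

    def __init__(self, n_keys):
        self._keys = [secrets.token_bytes(32) for _ in range(n_keys)]
        self.access_pattern = []          # oracle index of each query, in order

    def sign(self, b, msg):
        self.access_pattern.append(b)
        return hmac.new(self._keys[b], msg, hashlib.sha256).digest()

    def verify(self, b, msg, sig):
        expected = hmac.new(self._keys[b], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

    def pattern(self):
        return "".join(str(b) for b in self.access_pattern)


def chain_message(i, s_i):
    """The signed message "(i, s_i)" from the definition, as bytes."""
    return i.to_bytes(4, "big") + s_i


def build_chain(oracles, r, ident):
    """s0 = r; s_{i+1} = Sig_{id_{i+1}}((i, s_i)). ident is a digit string."""
    s = [r]
    for i, b in enumerate(ident):
        s.append(oracles.sign(int(b), chain_message(i, s[i])))
    return s


def is_chain(oracles, s, ident):
    """Check that (s, ident) is a signature chain under these oracles."""
    if len(s) != len(ident) + 1:
        return False
    return all(oracles.verify(int(b), chain_message(i, s[i]), s[i + 1])
               for i, b in enumerate(ident))


def separated(ident):
    """Problem 2 fix: the identity actually chained is 2 id1 2 id2 2 id3 ..."""
    return "".join("2" + b for b in ident)


def collapse_runs(pattern):
    """All an observer recovers from a pattern of the form a* b* c* ...:
    the sequence of symbols, not how often each was repeated."""
    out = ""
    for ch in pattern:
        if not out or out[-1] != ch:
            out += ch
    return out


def decode_separated(pattern):
    """Undo separated() on an access pattern with arbitrary repetitions."""
    return "".join(ch for ch in collapse_runs(pattern) if ch != "2")


def rewound_pattern(encoded, repeats_fn):
    """Model rewinding: the i'th symbol of `encoded` is requested
    repeats_fn(i) >= 1 times in a row, as happens when a slot is rewound."""
    return "".join(ch * repeats_fn(i) for i, ch in enumerate(encoded))
```

Without the separator, rewinding collapses id = 01011 to the same pattern as 0101; with it, collapse_runs on any 2+0+2+1+2+0+2+1+2+1+ pattern gives back 2021202121, from which 01011 is read off.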
Dealing with Non-synchronizing Adversaries
Not hard; same technique as in LP’09.
Just add more WI-POKs…
Will return to this point later.
Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.
Main Technique
Exploit rewinding pattern
(instead of just location)
Some extensions:
Concurrent Non-Malleable Commitments
[P-Rosen’05, Lin-P-Venkitasubramaniam’09]
The MIM receives many left commitments, with identities i1, i2, …, im and values a1, …, am, and gives many right commitments, with identities j1, j2, …, jn.
Messages are arbitrarily interleaved: MIM controls scheduling.
To deal with copying: if ik = jl, the value a’l committed in the l’th right session is replaced by a fixed symbol and not counted.
For any a1, a2, …, am and b1, b2, …, bm, the view + values committed to by the MIM are indistinguishable whether the left values are a1, …, am or b1, …, bm.
One-Many Non-Malleability
One left commitment C(i,a) with identity i; many right commitments with identities j1, j2, …, jn.
Thm [PR’05, LPV’08]: One-many NM ⇒ Concurrent NM.
Our O(1)-round construction is also concurrent NM.
Definition: for any a, b, the {views + values} of the MIM when the left commitment is C(i,a) are indistinguishable from those when the left commitment is C(i,b).
SAME protocol LEFT and RIGHT!
Robust Non-Malleability w.r.t. k-round protocols
[Lin-P’09]
Now the left interaction is an arbitrary k-round protocol (the extra rounds are denoted •••), run on input a or on input b, while the right side consists of commitments with identities j1, …, jn.
IF the MIM’s views of the left interaction on input a and on input b are indistinguishable,
THEN the {views + values} committed on the right are also indistinguishable.
EASY to satisfy if Com has more than k rounds!
DEF: Com is “robust” if it is Robust NM w.r.t. 4-round protocols.
Secure Multi-party Computation [Yao, GMW]
Original work of [Goldreich-Micali-Wigderson’87]
– TDP, n rounds
More recent: “stronger assumption, fewer rounds”
– [Katz-Ostrovsky-Smith’02]
• TDP, dense cryptosystems, log n rounds
• TDP, CRH + dense crypto with subexponential security, O(1) rounds, non-BB
– [P’04]
• TDP, CRH, O(1) rounds, non-BB
Non-malleability is implicitly used in all these works!
NMC vs. SMC
Thm [Lin-P-Venkitasubramaniam’09]: TDP + k-round robust NMC ⇒ O(k)-round SMC
Corollary: TDP ⇒ O(1)-round SMC
Holds both for stand-alone MPC and UC-SMC (in a number of set-up models).
Back to Concurrent SMC
UC security [Canetti’01]
Running the protocol π in the concurrent setting (real world: environment Z, adversary A, parties running π) is “as correct & private as” computing f using a trusted party in the concurrent setting (ideal world: Z, simulator S, the functionality f). S simulates the view of A, and the outputs of honest parties are the same in the two worlds. Both A and S are required to be PPT.
Simulator S needs to:
• “extract” A’s input without disturbing the execution with Z (straight-line extraction)
• while ensuring that the inputs of the honest parties remain hidden (“non-malleability”)
The State of UC Security
• Secure 2-party computation impossible! [Canetti-Kushilevitz-Lindell’03]
– And even for somewhat weaker models [Canetti-Fischlin’02, Lindell’03, Lindell’04, Barak-Prabhakaran-Sahai’06]
– Intuition: If S can extract inputs “straight-line”, then so can the attacker.
• Possible: with limited “trusted help”
– Trusted set-up models: Honest majority [BGW88, CCD88, BR89, DM00], CRS [BFM, CLOS], PKI [BCNP], Timing model [DNS, KLP], Tamper-proof hardware [K], …
– Thm [Lin-P-Venkitasubramaniam’09]: Use Robust NM Com to get a crisp and essentially tight characterization (assuming TDP) of when a set-up can be used to get UC SMC.
• Essentially all known UC SMC results follow as a corollary, with improved computational assumptions and round complexity.
• Can mix and match set-ups! [Garg, Goyal, Jain, Sahai, yesterday]
Who can you trust?
Thm (Machiavelli): NO ONE.
Super-Poly Time Simulation (SPS) [P’03]
We know a poly-time security reduction is impossible, so allow a super-poly-time security reduction (the simulator may run in super-polynomial time).
Still, meaningful in many (most) cases.
Possible! [(P’03), Prabhakaran-Sahai’04, Barak-Sahai’05, Lin-P-Venkitasubramaniam’09]
But, using strong hardness assumptions.
Prabhakaran-Sahai’04
Assume an “id-based hash function”: it is hard to find a collision w.r.t. id even if you have oracle access to someone who finds random collisions w.r.t. any other id’ ≠ id.
Simulator S needs to:
• “extract” A’s input without disturbing the execution with Z: use the collision-finding oracle to extract in super-poly time!
• while ensuring that the inputs of the honest parties remain hidden: by security of the id-based hash.
CCA-Secure Commitments
[Canetti-Lin-P’10]
The adversary A receives one left commitment C(x) under identity i and concurrently acts as committer in many right sessions C(y1), C(y2), C(y3), … under identities j1, … of its choice. In the CCA game A additionally has access to a decommitment oracle O that, at the end of each right session, hands the committed value (y1, y2, y3, …) to A.
Chosen-Commitment-Attack (CCA) security:
Either A copies the left identifier to the right,
Or the LHS is hiding: the view of A (including the oracle answers) is indistinguishable for different x.
Concurrent Non-Malleable Commitments, for comparison: the same set-up without the oracle; the values y1, y2, y3 are extracted from the right sessions only after the experiment.
Non-Malleability:
Either A copies the left identifier to the right,
Or the view of A + (y1, y2, y3) is indistinguishable for different x.
CCA security ⇒ Conc Non-Malleability
Thm [CLP’10]: Existence of OWF implies O(n^ε)-round robust CCA-secure commitments
– Need to deal with both NM and “nesting” of executions à la Concurrent ZK [Dwork-Naor-Sahai’99]
– Rely on the original message-scheduling technique of [Dolev-Dwork-Naor’91] + ideas behind the concurrent ZK simulation of [Richardson-Kilian’01]
Thm [CLP’10]: Robust CCA-secure commitments + OT imply SPS-secure SMC
Open:
• O(1)-round CCA-secure commitments from OWF?
More open(-ended) open questions:
• What is the right definition of concurrent security (without trusted set-up)?
• SPS security provides weak guarantees on the “computational advantages” gained by an adversary
– Sufficient when security in the ideal model is information-theoretic (or just sufficiently “strong”)
– But not sufficient to preserve security of “moderately-hard” properties
• “Rewindable TTP” [Goyal-Sahai’08, Goyal-Jain-Ostrovsky’10]
– Need very efficient precise simulations [Micali-P’06]
– Currently best concurrent simulation: ω(1) “rewindings” [Pandey-P-Sahai-Tseng-Venkitasubramaniam’08]
• Can we compose different security notions?
The Dark Side of Concurrency
Don’t worry: lower bounds
Lower Bounds using Concurrency
A security reduction R from breaking a task B to breaking an intractability assumption C: the challenger for C hands R a challenge f(r); R, given oracle access to an adversary O that breaks B, must answer (recover r).
Black-box reduction: R^O breaks C whenever O breaks B.
For some classic protocols/tasks (sequential WH of classic ZK protocols, active security of Schnorr’s identification scheme, the selective decommitment problem, Chaum’s blind signatures, …) no security reductions are known under ANY 2-round intractability assumption.
Thm [P’11]: If, for one of these tasks, there exists a BB reduction (but potentially a non-BB construction) from a poly-round intractability assumption C, then C can be broken in poly time.
Why concurrency? The reduction can nest its calls to O, so concurrent simulation techniques are very useful!
Thank You
Overview of Our Construction
Set-up as in the CCA game: A receives C(x) on the left (identity i) and commits to y1, y2, y3, … on the right; a helper H takes the place of the decommitment oracle O and returns y1, y2, y3 to A.
Design a protocol s.t. H can be efficiently simulated.
Then, Hiding ⇒ CCA security.
But,
1. A may ask for new messages in the LHS while H is being simulated: the LHS is not hiding anymore (handled with NM)
2. A may nest oracle calls: extraction time explodes (handled with concurrent ZK techniques)
Secure Multi-party Computation [Yao,GMW]
A set of parties with private inputs.
Wish to jointly compute a function of their inputs while
preserving privacy of inputs (as much as possible)
Security must be preserved even if some of the parties
are malicious.
What’s Next –
Concurrency for General Interaction
What’s Next –
Adaptive Hardness
Consider the Factoring problem:
• Given the product N of 2 random n-bit primes p, q, can you provide the factorization?
Adaptive Factoring Problem:
• Given the product N of 2 random n-bit primes p, q, can you provide the factorization, if you have access to an oracle that factors all other N’ ≠ N that are products of equal-length primes?
Are these problems equivalent?
Unknown!
What’s Next –
Adaptive Hardness
Adaptively-hard Commitments [Canetti-Lin-P’10]
• Commitment scheme that remains hiding even if the adversary has access to a decommitment oracle (for all other commitments)
Implies Non-malleability (and more!)
Thm [CLP’10]: Existence of commitments implies O(n^ε)-round adaptively-hard commitments
Without Trusted Set-up
• Specific tasks and attacks:
– Concurrent Zero-knowledge [Dwork-Naor-Sahai, Richardson-Kilian, Kilian-Petrank, Prabhakaran-Rosen-Sahai, Barak’01, …]
– Non-malleable Commitments [Dolev-Dwork-Naor’91, …]
• Relaxed notions of security:
– E.g., “super-poly simulation”, “angel-based security”, “input indistinguishability” [P03, Prabhakaran-Sahai’04, Barak-Sahai’05, Micali-P-Rosen’06, Lin-P-Venkitasubramaniam’09, Canetti-Lin-P’10]
Angel-Based Security
[Prabhakaran-Sahai’04]
Simulator and adversary receive help from an angel.
Angel: a restricted super-poly-time oracle O performing some specific, system-dependent task, e.g. find a collision of a CRH as long as the colliding inputs include the id of the requesting party.
Composable.
Possible [Prabhakaran-Sahai’04, Malkin-Moriarty-Yung’06, Barak-Sahai’05]
But, even stronger assumptions! e.g. adaptively hard CRH.
(Real world: Z and A, with A given access to O; ideal world: Z and S, with S given access to O.)
Zero Knowledge
[Goldwasser-Micali-Rackoff’85]
• Interactive protocol between a Prover and a Verifier where the Verifier learns nothing except the proof statement
• For every PPT V* (adversary) there is a PPT simulator S: the view of V* with the Prover and the view generated by S (without the Prover) are indistinguishable
Concurrent ZK (cZK)
[Dwork-Naor-Sahai’01]
V* now interacts with many Provers in concurrently scheduled sessions; still, the view of V* with the Provers and the view generated by S must be indistinguishable.
Classic ZK Protocol [Feige-Shamir’90]
INIT: the Verifier commits to a random secret σ.
Slot: the Verifier gives a proof of knowledge of σ to the Prover.
END: the Prover gives a modified proof in which σ is a trapdoor: a WI proof of “x ∈ L or I know σ”.
Classic ZK Protocol [Feige-Shamir’90]: simulation
INIT: V* commits to a random secret σ.
Slot: V* gives the proof of knowledge of σ; the Simulator runs the slot a 2nd time (rewinds the slot) and extracts σ.
END: the Simulator gives the proof using σ.
What about cZK?
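The slot-rewinding simulation above, as an added worked example that is not from the talk: V*’s commitment to σ is h = g^σ, the slot is a Schnorr proof of knowledge of σ, and END is a witness-indistinguishable OR-proof (Cramer-Damgård-Schoenmakers style) of “I know w with y = g^w” (x ∈ L) or “I know σ”. Rewinding is literally copying V*’s state right after its first slot message and running the continuation twice with different challenges; two accepting transcripts then yield σ. The toy group parameters, the instantiation of L as discrete-log statements and the concrete proof systems are my assumptions, not the slides’.

```python
"""Feige-Shamir simulation by rewinding the slot (added example, toy group)."""
import copy
import secrets

# Toy group parameters (assumption: chosen for readability, not security).
# P = 2Q + 1 is a safe prime; G = 4 generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4


def rand_q():
    return secrets.randbelow(Q)


def schnorr_verify(h, a, e, z):
    """Accept (a, e, z) as a proof of knowledge of log_G(h) iff G^z = a * h^e."""
    return pow(G, z, P) == a * pow(h, e, P) % P


class VStar:
    """The (possibly malicious) verifier of the Feige-Shamir protocol.
    INIT publishes h = G^sigma; in the slot V* proves knowledge of sigma with
    a Schnorr PoK. All of V*'s coins live in its state, so a deepcopy of the
    object is a rewind point."""

    def __init__(self):
        self.sigma = rand_q()
        self.h = pow(G, self.sigma, P)      # INIT: commitment to sigma
        self.k = None

    def slot_first_message(self):
        self.k = rand_q()
        return pow(G, self.k, P)

    def slot_response(self, e):
        return (self.k + e * self.sigma) % Q


def extract_sigma(a, e1, z1, e2, z2):
    """Special soundness: two accepting transcripts sharing a, with e1 != e2,
    give sigma = (z1 - z2) / (e1 - e2) mod Q."""
    return (z1 - z2) * pow((e1 - e2) % Q, -1, Q) % Q


def simulate_slot(vstar):
    """Run the slot once, rewind V* to just after its first message, run it
    again with a fresh challenge, and extract sigma. Returns None if V*
    aborts, i.e. fails to give an accepting response in both runs."""
    a = vstar.slot_first_message()
    rewind_point = copy.deepcopy(vstar)
    e1 = rand_q()
    z1 = vstar.slot_response(e1)
    e2 = rand_q()
    while e2 == e1:
        e2 = rand_q()
    z2 = rewind_point.slot_response(e2)    # the 2nd, rewound execution
    if not (schnorr_verify(vstar.h, a, e1, z1) and schnorr_verify(vstar.h, a, e2, z2)):
        return None
    return extract_sigma(a, e1, z1, e2, z2)


def or_prove(y, h, witness, branch, challenge_fn):
    """WI proof of knowledge of log_G(y) OR log_G(h) (CDS OR-composition).
    branch 0: the prover knows w = log_G(y) (x in L); branch 1: it knows
    sigma = log_G(h). The other branch is simulated from a pre-chosen
    challenge share, and the verifier cannot tell which branch was real."""
    targets = [y, h]
    sim = 1 - branch
    e_sim, z_sim = rand_q(), rand_q()
    a = [None, None]
    a[sim] = pow(G, z_sim, P) * pow(targets[sim], Q - e_sim, P) % P  # G^z * t^-e
    k = rand_q()
    a[branch] = pow(G, k, P)
    e = challenge_fn(a)                     # the verifier's challenge
    es, zs = [None, None], [None, None]
    es[sim], zs[sim] = e_sim, z_sim
    es[branch] = (e - e_sim) % Q
    zs[branch] = (k + es[branch] * witness) % Q
    return a, e, es, zs


def or_verify(y, h, proof):
    a, e, es, zs = proof
    return (es[0] + es[1]) % Q == e and all(
        schnorr_verify(t, a[i], es[i], zs[i]) for i, t in enumerate([y, h]))


def run_protocol(prover_knows_w):
    """x in L is the statement 'y = G^w for some w'. The honest prover holds w
    and uses branch 0 in END; the simulator holds no w, extracts sigma from
    the slot, and uses branch 1. Returns whether V* accepts END."""
    vstar = VStar()
    w = rand_q()
    y = pow(G, w, P)
    if prover_knows_w:
        proof = or_prove(y, vstar.h, w, 0, lambda a: rand_q())
    else:
        sigma = simulate_slot(vstar)
        if sigma is None:
            return False
        proof = or_prove(y, vstar.h, sigma, 1, lambda a: rand_q())
    return or_verify(y, vstar.h, proof)
```

run_protocol(True) and run_protocol(False) both make V* accept, and the two END transcripts are identically distributed, which is the witness indistinguishability the simulation relies on. The deepcopy is the whole cost of one rewind here; with nested concurrent sessions the rewound continuation itself contains further slots, which is where the blow-up of the next slide comes from.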
Concurrent Zero Knowledge
With 3 nested sessions, rewinding the outer slot forces the Simulator to redo the work of the nested sessions; the simulation takes time O(2^(# nestings)) [KPR’00].
Richardson-Kilian
• Need to extract σ for every session.
• Easier if there are more slots between INIT and END: V* cannot “nest” inside all of the slots.
• Rewinding any one slot extracts σ.