So we`re very happy to have Vanishree Rao visiting us this week

>> Melissa Chase: So we're very happy to have Vanishree Rao visiting
us this week. She's a Ph.D. student at UCLA, working Sahai [phonetic]
with Rafail Ostrovsky. And today she's going to tell us about a really
nice work that appeared at TCC this year.
Vanishree Rao: Thank you, Melissa, for having me here. And thank you all for coming. So here I present Revisiting Lower and Upper Bounds for Selective Decommitments. It's joint work with Rafail Ostrovsky, Alessandra Scafuro, and Ivan Visconti Alice. And it was published at TCC 2013.
Let me set the stage for the problem statement, starting with commitment schemes, which are one of the most fundamental building blocks in cryptography, and are often referred to as a digital analog of sealed envelopes. They enable a party called a receiver to receive a commitment to a value by a party called a sender, and also enable the sender to keep the committed value hidden until the sender himself opens it. The property of the sender being committed to one single value is called binding, and the property of the committed value being hidden is called hiding. To formalize these properties, for binding we have a challenger which behaves exactly like an honest receiver and challenges an adversarial sender to first send a commitment and then open this commitment to two distinct values. And we call a commitment scheme binding if no adversarial sender can win against such a challenger with nonnegligible probability. And for hiding, we again have a challenger which behaves exactly like an honest sender and commits to either zero or one chosen uniformly at random and challenges an adversarial receiver to guess the committed bit value.
And the commitment scheme is said to satisfy hiding if no adversarial receiver can win against such a challenger with probability nonnegligibly more than one by two.
With this being the typical notion of hiding and binding, as we shall
soon see, a commitment scheme that satisfies binding also satisfies
binding for multiple receivers, in the sense that no adversarial sender
interacting with multiple receivers can break binding with any of the
receivers.
To see this, assume for contradiction that there exists an adversarial sender S star that, while interacting with multiple receivers, can break binding with one of the receivers. Then we can construct an adversary S double star which runs S star and all receivers except a randomly chosen receiver, and it delegates the task of this isolated receiver to an external challenger.
Now, if S star wins in its game of interacting with multiple receivers with some nonnegligible probability epsilon, then S double star wins its own game with one single challenger who runs one single receiver with probability epsilon by N. Here N is usually polynomial. So this is again nonnegligible. We have arrived at the contradiction.
And along similar lines we have that a commitment scheme that satisfies hiding is also hiding for multiple senders, in the sense that no adversarial receiver interacting with multiple senders in the commitment phase transcript can break hiding for any of the senders.
But if R star continues and chooses a subset of the commitments to be opened, then hiding of the unopened commitments no longer follows from hiding of one single commitment. The reason is that if we want to prove an implication such as: a commitment scheme that satisfies hiding, or equivalently hiding for multiple senders, implies that the commitment scheme also satisfies hiding for multiple senders with selective opening.
Then using the earlier argument, what we have to do is, given an adversarial receiver R star that breaks hiding when it interacts with multiple senders, we have to construct an adversarial receiver R double star that breaks hiding in the standard notion, where it does not receive any decommitments. But the problem here is that R double star does not receive any openings for any of these commitments. But it has to give openings for these commitments.
So what R double star has to do is it has to run the senders corresponding to the commitments that will later be chosen by R star to be opened. It has to run all of these senders by itself. So this is what it is supposed to do. The R double star code should look something like this, where S1 and all the other ones are delegated to those senders. But the problem is R double star does not know which subset of commitments R star will later ask to open. So the best R double star can do is to choose the subset uniformly at random, and it can win with probability at best one by two to the N.
So if this R star wins with probability one by two plus epsilon, where epsilon is nonnegligible, then R double star can win with probability just one by two plus epsilon by two to the N. So it is only negligibly more than one by two. So we haven't arrived at the contradiction. So we do not know whether hiding against one single receiver implies hiding in this setting.
And this subtlety in the notion was first pointed out by Dwork, Naor, Reingold and Stockmeyer at FOCS 99. And this attack is called a selective opening attack.
Now, having looked at what a selective opening attack is, a commitment scheme is said to be secure against selective opening attacks if there exists a simulator that outputs a multiple session transcript in such a way that in each session it first outputs a commitment phase transcript, and then, if it decides to open it, it is dictated a bit value from an external party to open this commitment to, and then the simulator has to open the already produced commitment phase transcript to the dictated bit value. See that it does not know what bit it will get from the external party. So it's challenging for the simulator.
>>: What's the definition, are you committing to the same value in all
of the commitments?
Vanishree Rao: No.
>>: Different ones?
Vanishree Rao: It's different ones. The distribution of bits will be
dictated by -- you can formalize the distribution of these messages,
these messages that will be committed using this party.
And what we require here is that the entire transcript has to be
indistinguishable from the real world view of the adversary. Let me
know if you have any questions at this point in time.
>>: So the idea here is you have like -- you have many independent
parties and you're all committing and then the adversaries you have to
open yours you have to open yours, the other ones still hidden
[indiscernible].
Vanishree Rao: Right.
>>: Greg's question, do you know if they all were the same message,
that would be the scenario but then the -- you imply this.
Vanishree Rao: Hiding I think implies the situation where the messages
are uniformly chosen. So I think there are some ways to -- but it gets
harder when the messages are correlated, because it does not know what
to open to here. One of the difficulties is the correlation between
the messages.
>>: You have a bunch of parties who have some subtly related messages
to the alphabet and we have transfers.
Vanishree Rao: Right.
>>: If they were independent would it be --
Vanishree Rao: If they are independent, then -- so there are some other notions of selective opening attack. This being a simulation-based definition, there is another notion called indistinguishability-based definitions. I think if it is uniformly random, I think it should -- but I'll have to verify. I once thought about it and I think it turns out that if it is uniformly independently chosen then indistinguishability is implied by just natural hiding.
>>: The scheme is, by its hiding condition, within the additional security. Is this still an issue? Do the attacks still happen?
Vanishree Rao: So it's still an issue. And we don't know how to prove
this. It intuitively feels it shouldn't be a problem but we don't know
how to prove security in this setting. Because you need -- you want
simulator to be able to open it in the way the external party asks you
to open.
Any more questions? Okay. We call the security definition purely black box if the simulator uses the adversary in a completely black box manner, in the sense that it doesn't use the specifics of the code of the adversary, and also the commitment scheme has to use an underlying primitive, such as maybe a one-way permutation or one-way function, also in a black box manner. And for the purpose of this talk we shall only focus on the black box notion of security for selective opening attacks.
Now that we have looked at some general notion of security. Security
is often studied under various forms of composition. The first and
simplest one being parallel composition where the adversary first
interacts with all the senders parallelly in commitment phase
transcript.
And then it will choose a subset of the commitments and then it will
play the decommitment phase transcript parallelly for the chosen
subset. And this was first studied again by Dwork, Naor, Reingold and
Stockmeyer in '99.
And on the other hand highest in complexity is fully concurrent SOA
composition where an adversary can arbitrarily interleave commitment
and decommitment phase messages while adaptively choosing the subset of
the commitments to be opened. This was first studied by Xiao at TCC 2011.
And a middle ground between parallel and fully concurrent SOA composition is concurrent with barrier SOA composition, wherein an adversary first arbitrarily interleaves all commitment phase messages. And then, only after having completed all the commitment phase messages, it chooses a subset of the commitments to be opened adaptively while playing the decommitment phase messages also arbitrarily. And this was studied by Bellare, Hofheinz and Yilek in 2009 and Hofheinz in 2011.
Before we go ahead and see why we should study security of commitment schemes, here is a bit of nomenclature for the rest of the talk: we call a commitment scheme an X-Y scheme if its commitment phase runs in X rounds and the decommitment phase runs in Y rounds, where one round is just one shot message from one party to the other party.
And a main significance of SOA secure commitment schemes is that commitment schemes are often used as sub protocols in a larger protocol where some of the commitments are asked to be opened. And security of the larger protocols relies on hiding of the unopened messages.
For example, MPC. And this interesting problem has attracted much attention in the past and it's gotten some rich literature, not only SOA security for commitment schemes but also for public key encryption schemes and identity-based encryption schemes. But for the purposes of this talk we shall only focus on SOA security of commitment schemes.
>>: When we're talking about it at some point then I don't -- just --
Vanishree Rao: Say, for example, let's consider even if you don't want to go to MPC, it's a perfect example of zero knowledge, you can see the Hamiltonicity protocol.
>>: I'm sorry?
Vanishree Rao: The Hamiltonicity protocol, where the prover will commit to a graph and a permutation of the graph and also the permutation, and then later he will be asked to open either the permuted graph or the cycle, either the cycle in the permuted graph or the permuted graph and the permutation.
So here you are -- all these are sent as a commitment, right? These graphs and the permutations and permuted graphs and cycles, they are committed in the first round.
And in the next round you would ask only some of the commitments to be opened. What you want is the other ones to be hidden. But in there we do not need selective opening attack secure commitment schemes, because we don't need this much security, as much as simulation-based security. So this is something more that we're asking for, but these situations arise, was the point.
So I can tell you some of the applications of selective opening attack security. One quick thing is you can construct a zero knowledge protocol with preprocessing. So if you just want to run a zero knowledge protocol, then the number of rounds is -- if you are looking to reduce the number of rounds, then one of the earlier works was to run a preprocessing phase first and then give a proof.
So that was one of the approaches earlier for zero knowledge protocols.
And in that work, the resulting scheme was kind of restrictive in the sense that the security it assured was that the verifier could not abort some subset of the protocols. But what we can do is we can achieve more security in that area, and we can also give better round complexity, because of the specific constructions that we give in this work.
And two of the state-of-the-art results in this area are by Bellare and Hofheinz in 2009 and Hofheinz in 2011, who constructed a nonconstant round concurrent with barrier SOA scheme based on nonblack box use of one-way permutations. And they also show that if we use black box underlying primitives then it's impossible to construct noninteractive schemes, even if you just focus on parallel SOA composition, and even if you allow the simulator to use the adversary in a nonblack box manner. And this brings us to a natural question, whether it's possible to construct an SOA scheme based on black box use of underlying primitives. And if yes, with what best round complexity.
And this is the question that we focus on in our paper. And we answer the feasibility question affirmatively and the round optimality question as 3-1, by showing a construction of a 3-1 SOA secure scheme and by relying on an earlier known result from TCC 2011 that a 2-1 SOA secure scheme is impossible. And a summary of some of our main results is: we give a construction of a 3-1 concurrent with barrier SOA secure scheme based on black box use of trapdoor commitments, and towards using a weaker primitive we show how to construct a scheme by incurring two extra rounds in the commitment phase.
You see that both our constructions are proven secure only in the concurrent with barrier setting but not in the fully concurrent setting. And we show that this is the best one could have hoped for, because we show that it's impossible to construct a scheme that is secure in the fully concurrent setting in the number of rounds you use and with the underlying primitive that you use, even if you use the underlying primitive in a non-black box manner.
>>: [indiscernible].
Vanishree Rao: Not yet. That's important. We don't know what happens.
And we also show that, unfortunately, when our results are put in contrast with the results of Xiao TCC 2011, our results contradict the results of Xiao. Mainly our construction of a 3-1 concurrent with barrier SOA secure scheme contradicts his impossibility result on the existence of 3-1 secure schemes. And the reason is that in their proof, the schemes that they looked at were restricted to those where the sender speaks first, and in our construction the receiver speaks first.
And we also show that there is a contradiction, there is an issue in his proof for achieving a fully concurrent SOA secure scheme with our impossibility result. And we also show that there are issues in the proofs of security for other constructions, namely a 4-1 construction based on black box one-way primitives and a T plus 3-1 scheme based on black box use of a T-1 statistically hiding commitment scheme.
See that even if it is statistically hiding, you don't know how to prove that it is secure or not. You have to do something more, right? And more specifically the issues were in the proof of hiding against selective opening attacks, and there's also an issue in showing a proof of binding for his 4-1 construction.
I'd also like to mention that after our results were archived, Xiao showed a different proof of hiding against selective opening attacks for his T plus 3-1 construction. Although we'll not be able to go over all of the results, I'll pick one result, which is a 5-1 construction, and show how to build it from the ground up.
So what we have here is black box access to one-way permutations, and what we'd like to build is a 5-1 scheme that satisfies binding and hiding against selective opening attacks.
We know that one-way permutations already imply noninteractive commitment schemes, so we know how to get binding.
Now, in order to also achieve hiding against selective opening attacks, instead of the sender sending the commitment just once, make him send the commitment twice, to the same bit. And then let the sender and the receiver run a coin flipping protocol, and let the outcome of the coin flipping protocol indicate which of the commitments he should open. Right? Now, to achieve this, what we want is a simulator, and what a simulator can do is to commit to 0 and 1 in a random order, and if it has to open to zero, then it would bias the coin flipping value to open to zero, and if it opens to 1 it will bias the protocol accordingly.
But there is a problem. Now, it seems that we are able to achieve hiding against selective opening attacks, but there's a problem, which is binding is no longer holding, because even an adversarial sender can commit to both 0 and 1. Depending on the outcome of the coin flipping protocol, they're open to 0 or 1, because both of them happen with nonnegligible probability. At some point he can open to 1, at some point he can open to 0.
Now, to fix it, we use some cut-and-choose techniques. Namely, what we do is instead of the sender committing to just one pair of commitments, let him commit to N pairs of commitments. And instead of the coin flipping protocol outputting just one bit, let it output N bits, and let the outcome of the coin flipping protocol dictate which of the commitments in each pair the sender has to open.
Now, with this, we can show that the previous problem of binding will
not happen here, because the outcome of the coin flipping there was
just two. And here it could know which of the -- which outcome it
could get. But here it does not know which outcome it could get,
because there are exponentially many outcomes.
And earlier he could just put 1 and 0 and he could consistently open it
up to either 1 and 0. But here, in order to consistently open,
according to this, he has to exactly put 0 in the exact places and 1 in
exact places. And it cannot predict it because there are exponentially
many possibilities here. Right?
Okay. It will turn out that the total number of rounds is six rounds
if you look at the coin flipping protocols details. But what we need
is noninteractive decommitment. But if you just look at it, we do not
have noninteractive decommitment for the following reasons yet. Note
that for the receiver, for the simulator to work, after it commits to
both 1 and 0 in each pair, it has to know which bit it has to open to
in order to bias the coin flipping protocol accordingly.
There is a simple solution to it, which is instead of the sender opening always as per the outcome of the coin flipping protocol, give it a little more lenience and say it could also open as per the complement of the outcome of the coin flipping protocol. And in that event what the simulator can do is it will first, in each pair, like before, commit to 1 and 0 in a random order, and it would run the protocol and bias the outcome of the protocol to point to commitments to the same bit, either all to 0 or all to 1. And then if it has to open to 0, then it would open according to the outcome of the coin flipping protocol. And if it has to open to 1 it would open according to the complement of the outcome of the coin flipping protocol. And that's one of our constructions. There are a lot of subtleties, but these are some of the techniques that I'd like to show here.
To conclude, we have constructed the first fully black box SOA secure commitment schemes, and we have pointed out issues in [inaudible] TCC 2011 results, which significantly changed the state of the art. Thank you.
[applause]
>> Melissa Chase: Any more questions?
>>: I was going to ask how does this compare to the -- do you have a
side that has some files?
>>: Yeah, converted that.
Vanishree Rao: So none of our results relate to nonblack box in this.
We only focused on black box constructions. So even impossibility
results don't hold here because.
>>: You guys did construction from the date that, like --
Vanishree Rao: Selective opening attack secure, I think they should be generally, with nonblack box techniques, more efficient. The construction of -- I know the constructions for public key encryption schemes. They're very, very simple. They're just based on trapdoor permutations. So lots of trapdoor implementations.
I don't know how simple the constructions of nonblack box commitment
schemes are.
>> Melissa Chase: Let's thank the speaker again.
[applause]