Rafael Pass, Cornell University
Concurrency and Non-malleability
Secure Multi-party Computation [Yao, Goldreich-Micali-Wigderson]
Goal: Allow a set of distrustful parties to compute any functionality f of their inputs, while preserving:
• Correctness
• Privacy
even when there is no honest majority.
The Classic Stand-Alone Model
One set of parties executing a single protocol in isolation.
But, Life is CONCURRENT
Many parties running many different protocol executions.
The Chess-master Problem [DDN’91]
[Figure: two games, one at 8am and one at 8pm, with each master’s moves relayed into the other game; labels “Lose! Lose!” for the masters, and the man in the middle wins at least 1 (or draws both).]
Similar attack on crypto protocols!
Man-in-the-middle Attacks
[Figure: Alice (Initiator) and Bob (Responder) with the MIM between them, acting as Responder towards Alice and Initiator towards Bob.]
MIM controls the channel between Alice and Bob.
This Talk
• Commitment schemes secure against man-in-the-middle attacks
• Use such commitments to improve SMC
  – Better round complexity, also for stand-alone security
  – Concurrent security
Commitment Scheme
The “digital analogue” of sealed envelopes.
[Figure: the Sender commits to v (Commitment phase) and later reveals v (Reveal phase) to the Receiver.]
One-way functions are both sufficient and necessary [N’89, HILL’99].
[Figure: the MIM sits between a Sender and a Receiver, acting as Receiver on the left (receiving C(v)) and as Sender on the right (sending C(v’)).]
Possible that v’ = v+1, even though the MIM does not know v!
Messages are arbitrarily interleaved: MIM controls scheduling.
Non-Malleable Commitments [Dolev Dwork Naor’91]
[Figure: left commitment C(v) with tag i, right commitment C(v’) with tag j, MIM in between.]
Non-malleability: Either the MIM forwards (v = v’), or v’ is “independent” of v.
Non-Malleable Commitments [Dolev Dwork Naor’91] (tag-based)
[Figure: left commitment C(i,v), right commitment C(j,v’), MIM in between.]
Non-malleability: if i ≠ j, then v’ is “independent” of v.
Non-Malleable Commitments [Dolev Dwork Naor’91, P-Rosen’05]
[Figure: Man-in-the-middle execution (left C(i,v), right C(j,v’)) compared with a Simulation, in which the simulator produces the right commitment C(j,v’’) without any left execution.]
Non-malleability: For every MIM, there exists a “simulator” such that the value committed by the MIM is indistinguishable from the value committed by the simulator.
Non-Malleable Commitments
• Important in practice
• “Test-bed” for other tasks
• Applications to MPC
Non-malleable Commitments
• Original work by [DDN’91]
  – OWF
  – black-box techniques
  – But: O(log n) rounds
• Main question: how many rounds do we need?
  – With set-up: solved, 1 round from OWF [Di Crescenzo-Ishai-Ostrovsky’99, DKO, CF, FF, …, DG]
Without set-up:
• [Barak’02]: O(1) rounds using Subexp CRH + dense crypto
• [P’04, P-Rosen’05]: O(1) rounds using CRH
• [Lin-P’09]: O(1)^log* n rounds using OWF
• [P-Wee’10]: O(1) rounds using Subexp OWF
• [Wee’10]: O(log* n) rounds using OWF
(Slide annotations: the first two are “Non BB”; the last three rely on “NM Amp”, i.e. non-malleability amplification.)
Non-malleable Commitments (summary)
Without set-up:
• O(1) rounds from CRH or Subexp OWF
• O(log* n) rounds from OWF
Thm [Lin-P’11]: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.
• Note: Since commitment schemes imply OWF, we have unconditionally that any commitment scheme can be turned into one that is O(1)-round and non-malleable.
• Note: As we shall see, this also weakens the assumptions for O(1)-round secure multi-party computation.
• Even more excitingly: Vipul Goyal independently proved the same result
  – very different techniques
  – relying on NM amplification
DDN Protocol Idea
[Figure: left commitment C(i,v) with i = 01…1 and right commitment C(j,v’) with j = 00..1, one row of the protocol per tag bit (• • •). Blue does not help Red and vice versa.]
The Idea:
What if we could run the message scheduling “in the head”?
Let us focus on non-aborting and synchronizing adversaries (i.e., the MIM never sends an invalid message in the left execution).
Com(id,v), with id = 00101:
[Figure: the sender sends c = C(v), then gives a WI-POK that “I know v s.t. c = C(v)” OR “I have ‘seen’ sequence id”.]
Signature Chains
Consider 2 “fixed-length” signature schemes Sig0, Sig1 (i.e., signatures are always of length n) with keys vk0, vk1.
Def: (s, id) is a signature-chain if for all i, s_{i+1} is a signature of “(i, s_i)” using scheme id_i.
Example:
s_0 = r
s_1 = Sig0(0, s_0), id_1 = 0
s_2 = Sig0(1, s_1), id_2 = 0
s_3 = Sig1(2, s_2), id_3 = 1
s_4 = Sig0(3, s_3), id_4 = 0
Signature Games
You are given vk0, vk1 and you have access to signing oracles Sig0, Sig1.
Let the access pattern to the oracles be the sequence whose i’th entry is b if in the i’th interaction you access oracle b.
Claim: If you output a signature-chain (s, id), then, w.h.p., id is a substring of the access pattern.
Com(id,v), with id = 00101 (now with signature slots):
[Figure: c = C(v); two signature slots, (vk0, r0, Sign0(r0)) and (vk1, r1, Sign1(r1)); then a WI-POK that “I know v s.t. c = C(v)” OR “I have ‘seen’ sequence id”.]
Com(id,v), with id = 00101 (final form):
[Figure: c = C(v); signature slots (vk0, r0, Sign0(r0)) and (vk1, r1, Sign1(r1)); then a WI-POK that “I know v s.t. c = C(v)” OR “I know a sig-chain (s,id) w.r.t. id”.]
Non-malleability through dance
[Figure: left execution with c = C(v), slots (vk0, r0, Sign0(r0)) and (vk1, r1, Sign1(r1)), and a WI-POK w.r.t. i = 0110..; right execution with c = C(v’), slots (vk’0, r’0, Sign0(r’0)) and (vk’1, r’1, Sign1(r’1)), and a WI-POK w.r.t. j = 00..1.]
Note: the signature keys on L and R might be different; we violate security of the signature game for the key on R.
Dealing with Aborting Adversaries
Problem 1:
– The MIM will notice that I ask him to sign a signature chain
– Solution: Don’t. Ask him to sign commitments of sigs… (need to add a POK of the commitment to prove the sig-game lemma)
Problem 2:
– I might have to “rewind” many times on the left to get a single signature
– So if I have id = 01011, the access pattern on the right is 0*1*0*1*…
– Solution: Use 3 keys (0,1,2); require a chain w.r.t. 2 id_1 2 id_2 2 id_3 …
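As an added worked example (not code from the talk), here are the signature-chain definition and the signing game from the “Signature Chains” slides, plus the three-key padding from the solution to Problem 2 above. HMAC-SHA256 with a per-scheme random key stands in for each fixed-length signature scheme (an assumption made to keep the example self-contained; a real scheme would verify under vk_b rather than the signing key), and every oracle query is recorded to build the access pattern.

```python
import hashlib
import hmac
import os

SIG_LEN = 32  # every "signature" is exactly 32 bytes: the fixed-length requirement


class SigningOracles:
    """Oracles Sig_0, Sig_1, ... (assumption: HMAC-SHA256 under a per-scheme random key
    stands in for a fixed-length signature scheme). Every query extends the access pattern."""

    def __init__(self, num_keys: int):
        self.keys = [os.urandom(32) for _ in range(num_keys)]
        self.pattern = ""  # i'th character = which oracle was queried in the i'th interaction

    def sign(self, b: int, msg: bytes) -> bytes:
        self.pattern += str(b)
        return hmac.new(self.keys[b], msg, hashlib.sha256).digest()

    def verify(self, b: int, msg: bytes, sig: bytes) -> bool:
        expected = hmac.new(self.keys[b], msg, hashlib.sha256).digest()
        return len(sig) == SIG_LEN and hmac.compare_digest(expected, sig)


def link_msg(i: int, s_i: bytes) -> bytes:
    """The string "(i, s_i)" signed by link i+1 of the chain (0-indexed here)."""
    return i.to_bytes(4, "big") + s_i


def build_chain(oracles: SigningOracles, chain_id: str, r: bytes) -> list:
    """s_0 = r, and s_{i+1} = Sig_{id_i}((i, s_i)) for each character id_i of chain_id."""
    s = [r]
    for i, b in enumerate(chain_id):
        s.append(oracles.sign(int(b), link_msg(i, s[i])))
    return s


def is_signature_chain(oracles: SigningOracles, s: list, chain_id: str) -> bool:
    """The talk's definition: (s, id) is a signature-chain iff every link s_{i+1}
    is a valid signature of (i, s_i) under scheme id_i."""
    if len(s) != len(chain_id) + 1:
        return False
    return all(oracles.verify(int(b), link_msg(i, s[i]), s[i + 1])
               for i, b in enumerate(chain_id))


def id_in_access_pattern(chain_id: str, pattern: str) -> bool:
    """The claim from the signature game: an output chain's id is a substring of the pattern."""
    return chain_id in pattern


def padded_id(chain_id: str) -> str:
    """Problem-2 fix: with three keys (0, 1, 2), require a chain w.r.t. 2 id_1 2 id_2 2 id_3 ..."""
    return "".join("2" + b for b in chain_id)
```

Building a chain for padded_id("011") against SigningOracles(3) records the access pattern 202121, which is exactly the padded id, and a chain with any link replaced or checked against a different id fails verification.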
Dealing with Non-synchronizing Adversaries
Not hard; same technique as in LP’09.
Just add more WI-POKs…
Will return to this point later.
Main Technique: Exploit the rewinding pattern (instead of just the location).
Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.
Some extensions:
Concurrent Non-Malleable Commitments [P-Rosen’05, Lin-P-Venkitasubramaniam’09]
[Figure: the MIM receives left commitments C(i_1, v_1), C(i_2, v_2), …, C(i_m, v_m) and produces right commitments C(j_1, v’_1), C(j_2, v’_2), …, C(j_n, v’_n), with IDs i_1, …, i_m on the left and j_1, …, j_n on the right.]
To deal with copying: if i_k = j_l, then l’ =
Messages are arbitrarily interleaved: MIM controls scheduling.
For any two sequences of m left values, the view + values committed to by the MIM are indistinguishable.
One-Many Non-Malleability
[Figure: a single left commitment C(i, v) against many right commitments C(j_1, v’_1), C(j_2, v’_2), …, C(j_n, v’_n).]
Thm [PR’05, LPV’08]: One-many NM implies Concurrent NM.
Our O(1)-round construction is also concurrent NM.
One-Many Non-Malleability (continued)
[Figure: two copies of the one-many experiment, a single left C(i, v) against right C(j_1, v’_1), …, C(j_n, v’_n), compared on {views+values}.]
SAME protocol LEFT and RIGHT!
Robust Non-Malleability w.r.t. k-round protocols [Lin-P’09]
[Figure: the one-many experiment where the left interaction is an arbitrary k-round protocol (• • •) rather than Com, in two copies; IF the two left interactions are indistinguishable THEN the MIM’s {views+values} on the right are indistinguishable.]
DEF: Com is “robust” if it is Robust NM w.r.t. 4-round protocols.
EASY to satisfy if Com has more than k rounds!
Secure Multi-party Computation [Yao, GMW]
• Original work of [Goldreich-Micali-Wigderson’87]
  – TDP, n rounds
• More recent: “Stronger assumption, fewer rounds”
  – [Katz-Ostrovsky-Smith’02]
    • TDP, dense cryptosystems, log n rounds
    • TDP, CRH + dense crypto with SubExp security, O(1) rounds, non-BB
  – [P’04]
    • TDP, CRH, O(1) rounds, non-BB
Non-malleability is implicitly used in all these works!
NMC vs. SMC
Thm [Lin-P-Venkitasubramaniam’09]: TDP + k-round robust NMC implies O(k)-round SMC.
Holds both for stand-alone MPC and UC-SMC (in a number of set-up models).
Corollary: TDP implies O(1)-round SMC.
Back to Concurrent SMC
UC security [Canetti’01]
Running the protocol π in the concurrent setting is “as correct & private as” computing f using a trusted party in the concurrent setting.
[Figure: real world, environment Z running π with adversary A, vs. ideal world, Z running f with simulator S.]
S simulates the view of A, and the outputs of the honest parties are the same in the two worlds.
Both A and S are required to be PPT.
Simulator S needs to:
• “extract” A’s input without disturbing the execution with Z (straight-line extraction)
• while ensuring that the inputs of the honest parties remain hidden (“non-malleability”)
The State of UC Security
• Secure 2-party computation impossible! [Canetti-Kushilevitz-Lindell’03]
  – And even for somewhat weaker models [Canetti-Fischlin’02, Lindell’03, Lindell’04, Barak-Prabhakaran-Sahai’06]
  – Intuition: If S can extract inputs “straight-line”, then so can the attacker.
• Possible: with limited “trusted help”
  – Trusted set-up models: Honest majority [BGW88, CCD88, BR89, DM00], CRS [BFM, CLOS], PKI [BCNP], Timing model [DNS, KLP], Tamper-proof Hardware [K], …
  – Thm [Lin-P-Venkitasubramaniam’09]: Use Robust NM Com to get a crisp and essentially tight characterization (assuming TDP) of when a set-up can be used to get UC SMC.
• Essentially all known UC SMC results follow as a corollary, with improved computational assumptions and round complexity.
• Can mix and match set-ups! [Garg, Goyal, Jain, Sahai, yesterday]
Who can you trust?
Super-Poly Time Simulation (SPS) [P’03]
[Figure: Z interacting with A in the real world and with a super-polynomial-time S in the ideal world.]
Allow a super-poly-time security reduction. We know that a poly-time security reduction is impossible.
Possible! [(P’03), Prabhakaran-Sahai’04, Barak-Sahai’05, Lin-P-Venkitasubramaniam’09]
But, using strong hardness assumptions.
Still, meaningful in many (most) cases.
Prabhakaran-Sahai’04
[Figure: the UC experiment (π, A, Z) vs. (f, S, Z), with S now equipped with a collision-finding oracle.]
Simulator S needs to:
• “extract” A’s input without disturbing the execution with Z
• while ensuring that the inputs of the honest parties remain hidden.
Assume an “id-based hash function”: it is hard to find a collision w.r.t. id even if you have oracle access to someone who finds random collisions w.r.t. any other id’ ≠ id.
Use the collision-finding oracle to extract in super-poly time!
The honest parties’ inputs remain hidden by security of the id-based hash.
CCA-Secure Commitments [Canetti-Lin-P’10]
[Figure: A receives a left commitment C(x) with identifier i, and concurrently sends right commitments C(y_1), C(y_2), C(y_3) with identifiers j_1, … to an oracle O, which returns the committed values y_1, y_2, y_3.]
Chosen-Commitment-Attack (CCA) security:
Either A copies the left identifier to the right, or the LHS is hiding: the view of A is indistinguishable.
Concurrent Non-Malleable Commitments
[Figure: the same experiment without the oracle; the values y_1, y_2, y_3 are defined by A’s right commitments but not returned to A.]
Non-Malleability:
Either A copies the left identifier to the right, or the view of A + (y_1, y_2, y_3) is indistinguishable.
CCA security implies Concurrent Non-Malleability.
Thm [CLP’10]: Existence of OWF implies O(n^)-round robust CCA-secure commitments
– Need to deal with both NM and “nesting” of executions à la Concurrent ZK [Dwork-Naor-Sahai’99]
– Rely on the original message scheduling technique by [Dolev-Dwork-Naor’91] + ideas behind the concurrent ZK simulation of [Richardson-Kilian’01]
Thm [CLP’10]: Robust CCA-secure commitments + OT implies SPS-secure SMC
Open:
• O(1)-round CCA-secure commitments from OWF?
More Open(-ended) Open Questions:
• What is the right definition of concurrent security (without trusted set-up)?
• SPS security provides weak guarantees on the “computational advantages” gained by an adversary
  – Sufficient when security in the ideal model is information-theoretic (or just sufficiently “strong”)
  – But not sufficient to preserve security of “moderately-hard” properties
• “Rewindable TTP” [Goyal-Sahai’08, Goyal-Jain-Ostrovsky’10]
  – Need very efficient precise simulations [Micali-P’06]
  – Currently best concurrent simulation: ω(1) “rewindings” [Pandey-P-Sahai-Tseng-Venkitasubramaniam’08]
• Can we compose different security notions?
The Dark Side of Concurrency
Don’t worry: Lower bounds
Lower Bounds using Concurrency
Security Reduction R from breaking B to breaking intractability assumption C.
[Figure: the challenger for C sends r to R, which runs with oracle access to O and answers f(r).]
Black-box reduction: R^O breaks C whenever O breaks B.
For some classic protocols/tasks (sequential WH of classic ZK protocols, active security of Schnorr’s identification scheme, the selective decommitment problem, Chaum’s blind signatures…) no security reductions are known under ANY 2-round intractability assumption.
Thm [P’11]: If there exists a BB reduction (but potentially a non-BB construction) from a poly-round intractability assumption C, then C can be broken in poly time.
Why concurrency? The reduction can nest its calls to O. Concurrent simulation techniques are very useful!
Thank You
Overview of Our Construction
[Figure: the CCA experiment, A receiving C(x) with identifier i and sending C(y_1), C(y_2), C(y_3) with identifiers j_1, …, where the oracle is replaced by a hybrid H that returns y_1, y_2, y_3.]
Design a protocol s.t. H can be efficiently simulated.
Then, Hiding implies CCA security.
But,
1. A may ask new messages in the LHS: the LHS is not hiding anymore (handled by rewindings: NM)
2. A may nest oracle calls: the extraction time explodes (handled by rewindings: conc. ZK)
Secure Multi-party Computation [Yao,GMW]
A set of parties with private inputs.
Wish to jointly compute a function of their inputs while preserving privacy of inputs (as much as possible)
Security must be preserved even if some of the parties are malicious.
What’s Next – Concurrency for General Interaction
What’s Next – Adaptive Hardness
Consider the Factoring problem:
• Given the product N of 2 random n-bit primes p, q, can you provide the factorization?
Adaptive Factoring Problem:
• Given the product N of 2 random n-bit primes p, q, can you provide the factorization, if you have access to an oracle that factors all other N’ that are products of equal-length primes?
Are these problems equivalent? Unknown!
Adaptively-hard Commitments [Canetti-Lin-P’10]
• Commitment scheme that remains hiding even if the adversary has access to a decommitment oracle
• Implies Non-malleability (and more!)
Thm [CLP’10]: Existence of commitments implies O(n^)-round adaptively-hard commitments.
Without Trusted Set-up
• Specific tasks and attacks:
  – Concurrent Zero-knowledge [Dwork-Naor-Sahai, Richardson-Kilian, Kilian-Petrank, Prabhakaran-Rosen-Sahai, Barak’01, …]
  – Non-malleable Commitments [Dolev-Dwork-Naor’91, …]
• Relaxed notions of security:
  – E.g., “super-poly simulation”, “angel-based security”, “input indistinguishability” [P03, Prabhakaran-Sahai’04, Barak-Sahai’05, Micali-P-Rosen’06, Lin-P-Venkitasubramaniam’09, Canetti-Lin-P’10]
Angel-Based Security [Prabhakaran-Sahai’04]
[Figure: Z with A in the real world and with S in the ideal world; both A and S have access to the angel O.]
Angel: A restricted super-poly-time oracle performing some specific, system-dependent task,
e.g. find a collision of a CRH as long as the colliding inputs include the id of the requesting party.
Simulator and Adv. receive help from an angel.
Possible [Prabhakaran-Sahai’04, Malkin-Moriarty-Yung’06, Barak-Sahai’05]! But, even stronger assumptions,
e.g. adaptively hard CRH.
Composable.
Zero Knowledge [Goldwasser-Micali-Rackoff’85]
• Interactive protocol between a Prover and a Verifier where the Verifier learns nothing except the proof statement.
[Figure: Prover and Verifier.]
• For every PPT V* (adversary) there is a PPT simulator S:
[Figure: the view of V* with the Prover and the view generated by S are indistinguishable.]
Concurrent ZK (cZK) [Dwork-Naor-Sahai’01]
[Figure: V* runs many sessions with the Prover concurrently; the view of V* with the Prover and the view generated by S must still be indistinguishable.]
Classic ZK Protocol [Feige-Shamir’90]
Prover and Verifier:
INIT: Commit to random secret σ
Slot: Proof of Knowledge of σ
END: Modified proof where σ is a trapdoor: WI proof of “x ∈ L or I know σ”
Simulator against V*:
INIT: Commit to random secret σ
Slot: Proof of Knowledge of σ; rewind the slot, 2nd time: extract σ
END: Give the proof using σ
What about cZK?
Concurrent Zero Knowledge
[Figure: Simulator vs. V* with 3 nested sessions; rewinding here => redo the work of the nested sessions.]
Takes time O(2^{# nestings}) [KPR’00]
Richardson-Kilian
[Figure: each session consists of INIT, several slots, and END.]
• Need to extract σ for every session.
• Easier if there are more slots: V* cannot “nest” inside all slots.
• Rewinding any one slot extracts σ.