Rafael Pass Cornell University Concurrency and Non-malleability

Page 1: Concurrency and Non-malleability

Rafael Pass, Cornell University

Page 2: Secure Multi-party Computation [Yao, Goldreich-Micali-Wigderson]

Goal: allow a set of mutually distrustful parties to compute any functionality f of their inputs, while preserving:

• Correctness
• Privacy

even when there is no honest majority.

Page 3: The Classic Stand-Alone Model

One set of parties executing a single protocol in isolation.

Page 4: But, Life is CONCURRENT

Many parties running many different protocol executions.

Page 5: The Chess-master Problem [DDN'91]

[Figure: 8am: a novice plays each of two chess masters in a separate game and loses both (Lose! Lose!). 8pm: the novice plays both masters at the same time and relays each master's moves into the other game.]

Page 6: Similar attack on crypto protocols!

[Figure, continued: by relaying moves between the two masters the novice wins at least one game (or draws both).]

Page 7: Man-in-the-middle Attacks

[Figure: Alice (initiator) ⟷ MIM (responder towards Alice, initiator towards Bob) ⟷ Bob (responder).]

The MIM controls the channel between Alice and Bob.

Page 8: This Talk

• Commitment schemes secure against man-in-the-middle attacks
• Use such commitments to improve SMC:
  – better round complexity, also for stand-alone security
  – concurrent security

Page 9: Commitment Scheme

The "digital analogue" of sealed envelopes.

[Figure: Commitment phase: the Sender commits to a value v; the Receiver learns nothing about v. Reveal phase: the Sender opens v and the Receiver checks that it matches the commitment.]

One-way functions are both sufficient and necessary [N'89, HILL'99].

Page 10: Malleability

[Figure: the Sender commits to v, sending C(v) to the MIM (acting as receiver); the MIM, acting as sender towards the Receiver, sends C(v').]

It is possible that v' = v + 1, even though the MIM does not know v!

Messages are arbitrarily interleaved: the MIM controls the scheduling.
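The v' = v + 1 attack on this slide is immediate for any commitment that is homomorphic in the committed value. The Python below is an added example, not code from the talk: it uses a Pedersen commitment over a toy subgroup (the parameters P, Q, G and the second generator H are assumptions chosen for illustration; a real deployment needs a large group and an H whose discrete log in base G nobody knows) and shows the MIM turning C(v) into C(v+1) during the commit phase, then opening it correctly as soon as the honest sender reveals (v, r).

```python
"""Malleability of a rerandomisable commitment (the slide's v' = v+1 attack).

Added example; Pedersen commitments over a toy group stand in for a generic
malleable commitment (assumption). Parameters are far too small for real use.
"""
import secrets
from typing import Optional, Tuple

P = 2039            # safe prime, P = 2*Q + 1 (toy size; assumption)
Q = 1019            # prime order of the subgroup generated by G
G = 4               # generator of the order-Q subgroup of Z_P^*
H = pow(G, 57, P)   # second generator; here its discrete log is known only for the demo


def commit(v: int, r: Optional[int] = None) -> Tuple[int, int]:
    """Sender: C(v) = G^v * H^r mod P. Returns (commitment, opening randomness)."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, v, P) * pow(H, r, P)) % P, r


def verify(c: int, v: int, r: int) -> bool:
    """Receiver: accept the reveal (v, r) iff it reproduces the commitment c."""
    return c == (pow(G, v, P) * pow(H, r, P)) % P


def mim_shift(c: int, delta: int) -> int:
    """MIM: turn C(v) into C(v + delta) without knowing v, using the
    homomorphism C(v) * G^delta = G^(v+delta) * H^r."""
    return (c * pow(G, delta, P)) % P


def mim_attack(v: int) -> Tuple[bool, bool, int]:
    """Left session: honest sender commits to v towards the MIM.
    Right session: the MIM forwards a shifted commitment to the Receiver.
    Reveal: the sender opens (v, r); the MIM opens (v+1, r) and is accepted."""
    c, r = commit(v)
    c_right = mim_shift(c, 1)
    left_ok = verify(c, v, r)                  # honest opening on the left
    right_ok = verify(c_right, (v + 1) % Q, r)  # MIM's opening on the right
    return left_ok, right_ok, (v + 1) % Q
```

The MIM never learns v, yet the value it committed to is a function of v, which is exactly what a non-malleable commitment (next slides) must rule out: either the MIM copies, or its value is independent of v.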

Page 11: Non-Malleable Commitments [Dolev Dwork Naor'91]

[Figure: Sender → MIM: C(v), left execution with identity i; MIM → Receiver: C(v'), right execution with identity j.]

Non-malleability: either the MIM forwards (v = v'), or v' is "independent" of v.

Page 12: Non-Malleable Commitments [Dolev Dwork Naor'91]

[Figure: Sender → MIM: C(i, v); MIM → Receiver: C(j, v'), where i and j are the identities of the left and right executions.]

Non-malleability (with identities): if i ≠ j, then v' is "independent" of v.

Page 13: Non-Malleable Commitments [Dolev Dwork Naor'91, P-Rosen'05]

[Figure: Man-in-the-middle execution: the Sender commits to v under identity i on the left, the MIM commits to v' under identity j on the right. Simulation: a stand-alone simulator, given only identity j and no left execution, commits to v''.]

Non-malleability (simulation-based): for every MIM there exists a "simulator" such that the value v' committed to by the MIM is indistinguishable from the value v'' committed to by the simulator.

Page 14: Non-Malleable Commitments

[Figure: C(i, v) on the left, C(j, v') on the right.]

• Important in practice
• "Test-bed" for other tasks
• Applications to MPC

Page 15: Non-malleable Commitments

• Original work by [DDN'91]: OWF, black-box techniques, but O(log n) rounds.
• Main question: how many rounds do we need?
• With set-up, solved: 1 round from OWF [Di Crescenzo-Ishai-Ostrovsky'99, DKO, CF, FF, …, DG].
• Without set-up:
  – [Barak'02]: O(1) rounds from subexponentially-hard CRH + dense cryptosystems (non-black-box)
  – [P'04, P-Rosen'05]: O(1) rounds from CRH (non-black-box)
  – [Lin-P'09]: O(1)^{log* n} rounds from OWF (NM amplification)
  – [P-Wee'10]: O(1) rounds from subexponentially-hard OWF
  – [Wee'10]: O(log* n) rounds from OWF (NM amplification)

Page 16: Non-malleable Commitments (summary)

Without set-up: O(1) rounds from CRH or from subexponentially-hard OWF; O(log* n) rounds from OWF.

Page 17: Main Result

Thm [Lin-P'11]: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.

• Note: since commitment schemes imply OWF, we get unconditionally that any commitment scheme can be turned into one that is O(1)-round and non-malleable.
• Note: as we shall see, this also weakens the assumptions needed for O(1)-round secure multi-party computation.
• Even more excitingly: Vipul Goyal independently proved the same result, with very different techniques, relying on NM amplification.

Page 18: DDN Protocol Idea

[Figure: the left commitment C(i, v) is scheduled according to the bits of i = 01…1 and the right commitment C(j, v') according to the bits of j = 00…1; the sub-protocols of the two sides are drawn in blue and red.]

Blue does not help Red and vice versa.

Page 19: The Idea

What if we could run the message scheduling "in the head"?

Let us first focus on non-aborting and synchronizing adversaries (ones that never send an invalid message in the left execution and keep the two executions in lockstep).

Page 20: Com(id, v), first attempt

[Protocol sketch, shown with id = 00101:]
1. The sender sends c = C(v).
2. The sender gives a WI-POK that "I know v such that c = C(v)" OR "I have 'seen' the sequence id".

Page 21: Signature Chains

Consider two "fixed-length" signature schemes Sig0, Sig1 (i.e., signatures are always of length n) with verification keys vk0, vk1.

Def: (s, id) is a signature-chain if for every i ≥ 1, s_i is a signature of the message "(i−1, s_{i−1})" under scheme Sig_{id_i}.

Example:
  s0 = r
  s1 = Sig0(0, s0)   id1 = 0
  s2 = Sig0(1, s1)   id2 = 0
  s3 = Sig1(2, s2)   id3 = 1
  s4 = Sig0(3, s3)   id4 = 0

Page 22: Signature Games

You are given vk0, vk1 and you have access to the signing oracles Sig0, Sig1.

Let the access pattern be the string whose i-th symbol is b if in the i-th interaction you queried oracle Sig_b.

Claim: if you output a signature-chain (s, id), then, w.h.p., id is a substring of the access pattern.

Page 23: Com(id, v) with signature keys

[Protocol sketch, shown with id = 00101:]
1. The sender sends c = C(v).
2. The receiver sends the verification key vk0; the sender sends r0; the receiver returns Sign0(r0).
3. The receiver sends the verification key vk1; the sender sends r1; the receiver returns Sign1(r1).
4. The sender gives a WI-POK that "I know v such that c = C(v)" OR "I have 'seen' the sequence id".

Page 24: Com(id, v) with signature keys

Same protocol, with the second branch of the WI-POK made precise: "I know v such that c = C(v)" OR "I know a signature-chain (s, id) w.r.t. id".

Page 25: Non-malleability through "dance"

[Figure: left execution with identity i = 0110…: c = C(v); vk0, r0, Sign0(r0); vk1, r1, Sign1(r1); WI-POK w.r.t. i. Right execution with identity j = 00…1: c = C(v'); vk'0, r'0, Sign0(r'0); vk'1, r'1, Sign1(r'1); WI-POK w.r.t. j.]

Note: the signature keys on the left and on the right may be different; the reduction violates the security of the signature game for the key on the right.

Page 26: Dealing with Aborting Adversaries

Problem 1: the MIM will notice that I ask him to sign a signature chain.
– Solution: don't. Ask him to sign commitments of signatures (and add a POK of the commitment so that the signature-game lemma still goes through).

Problem 2: I might have to "rewind" many times on the left to get a single signature, so if id = 01011 the access pattern on the right has the form 0*1*0*1*1*…
– Solution: use 3 keys (0, 1, 2) and require a chain w.r.t. 2 id_1 2 id_2 2 id_3 …
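The signature-chain definition (page 21), the access-pattern claim of the signature game (page 22) and the 3-key encoding of Problem 2 above can all be checked on a toy instance. The Python below is an added example, not the talk's construction: HMAC-SHA256 stands in for the "fixed-length" signature schemes Sig0, Sig1 (and a third Sig2 for the 3-key variant), which is an assumption made only so the chain can be verified offline (a MAC needs the key to verify, so here the honest signer also verifies). The oracle records its access pattern so the page-22 claim can be checked directly.

```python
"""Signature chains, the signing-oracle access pattern, and the 3-key id encoding.

Added example; HMAC-SHA256 is a stand-in for fixed-length signatures (assumption).
"""
import hashlib
import hmac
from typing import List, Tuple

N_BYTES = 32  # every "signature" is exactly 32 bytes (the slide's fixed length n)


class SigOracle:
    """Signing oracles Sig_b for b = 0, 1(, 2), plus a log of which oracle
    each query went to: the access pattern of page 22."""

    def __init__(self, keys: List[bytes]):
        self.keys = keys
        self.access_pattern = ""

    def sign(self, b: int, msg: bytes) -> bytes:
        self.access_pattern += str(b)  # i-th symbol = oracle used in i-th query
        return hmac.new(self.keys[b], msg, hashlib.sha256).digest()

    def verify(self, b: int, msg: bytes, sig: bytes) -> bool:
        expected = hmac.new(self.keys[b], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def chain_message(i: int, s_prev: bytes) -> bytes:
    """The slide's message "(i, s_i)": link index followed by the previous element."""
    return i.to_bytes(4, "big") + s_prev


def build_chain(oracle: SigOracle, ident: str, r: bytes) -> List[bytes]:
    """Honest chain: s_0 = r and s_k = Sig_{id_k}((k-1, s_{k-1})) for k = 1..len(id)."""
    s = [r]
    for k, b in enumerate(ident, start=1):
        s.append(oracle.sign(int(b), chain_message(k - 1, s[k - 1])))
    return s


def is_chain(oracle: SigOracle, ident: str, s: List[bytes]) -> bool:
    """(s, id) is a signature-chain iff every link verifies under the scheme
    named by the corresponding id symbol and has the fixed length."""
    if len(s) != len(ident) + 1 or any(len(x) != N_BYTES for x in s[1:]):
        return False
    return all(
        oracle.verify(int(b), chain_message(k - 1, s[k - 1]), s[k])
        for k, b in enumerate(ident, start=1)
    )


def chain_id_three_keys(ident: str) -> str:
    """Problem 2 on page 26: the chain must be w.r.t. 2 id_1 2 id_2 2 id_3 ...,
    so repeated queries to one key (a 0*1*0*... pattern caused by rewinding)
    do not by themselves produce the required sequence."""
    return "".join("2" + b for b in ident)


def demo(ident: str = "00101") -> Tuple[bool, bool, str]:
    """Build an honest chain and check the page-22 claim on the recorded pattern."""
    oracle = SigOracle([b"key-0", b"key-1", b"key-2"])  # constructed toy keys
    s = build_chain(oracle, ident, b"\x00" * N_BYTES)   # s_0 = r, a constructed nonce
    return is_chain(oracle, ident, s), ident in oracle.access_pattern, oracle.access_pattern
```

An honest run of `demo("00101")` queries the oracles in exactly the order 0,0,1,0,1, so the identity is a substring of the access pattern; a chain built for id 01 does not verify as a chain for id 10, which is the property the WI-POK on page 24 relies on.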

Page 27: Dealing with Non-synchronizing Adversaries

Not hard; same technique as in LP'09: just add more WI-POKs…

We will return to this point later.

Page 28: Main Technique

Exploit the rewinding pattern (instead of just the rewinding location).

Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.

Some extensions:

Page 29: Concurrent Non-Malleable Commitments [P-Rosen'05, Lin-P-Venkitasubramaniam'09]

[Figure: on the left the MIM receives commitments C(i_1, v_1), C(i_2, v_2), …, C(i_m, v_m) with identities i_1, …, i_m; on the right it gives commitments C(j_1, v'_1), C(j_2, v'_2), …, C(j_n, v'_n) with identities j_1, …, j_n.]

Messages are arbitrarily interleaved: the MIM controls the scheduling.

To deal with copying: if i_k = j_l, then v'_l is set to ⊥.

For any v_1 … v_m and ṽ_1 … ṽ_m, the view of the MIM together with the values it commits to are indistinguishable.

Page 30: One-Many Non-Malleability

[Figure: a single left commitment C(i, v) with identity i; many right commitments C(j_1, v'_1), C(j_2, v'_2), …, C(j_n, v'_n) with identities j_1, …, j_n.]

Thm [PR'05, LPV'08]: One-many NM ⇒ Concurrent NM.

Our O(1)-round construction is also concurrent NM.

Page 31: One-Many Non-Malleability

[Figure: two experiments, each with one left commitment C(i, v) and right commitments C(j_1, v'_1), …, C(j_n, v'_n); the joint distribution {views + values} must be indistinguishable between them.]

SAME protocol LEFT and RIGHT!

Page 32: Robust Non-Malleability w.r.t. k-round protocols [Lin-P'09]

[Figure: as on page 31, but the left interaction is an arbitrary k-round protocol (• • •) instead of the commitment; the right side consists of commitments C(j_1, v'_1), …, C(j_n, v'_n). IF the two left interactions cannot be told apart, THEN neither can {views + values} on the right.]

DEF: Com is "robust" if it is robust NM w.r.t. 4-round protocols.

EASY to satisfy if Com has more than k rounds!

Page 33: Secure Multi-party Computation [Yao, GMW]

• Original work of [Goldreich-Micali-Wigderson'87]: TDP, n rounds.
• More recent: "stronger assumption, fewer rounds"
  – [Katz-Ostrovsky-Smith'02]: TDP + dense cryptosystems, log n rounds; TDP + CRH + dense cryptosystems with subexponential security, O(1) rounds, non-BB
  – [P'04]: TDP + CRH, O(1) rounds, non-BB

Non-malleability is implicitly used in all these works!

Page 34: NMC vs. SMC

Thm [Lin-P-Venkitasubramaniam'09]: TDP + k-round robust NMC ⇒ O(k)-round SMC.

Holds both for stand-alone MPC and for UC-SMC (in a number of set-up models).

Corollary: TDP ⇒ O(1)-round SMC.

Page 35: Back to Concurrent SMC

Page 36: UC security [Canetti'01]

[Figure: real world: the adversary A attacks protocol π, run alongside other protocols ρ, in the presence of an environment Z. Ideal world: the simulator S, the ideal functionality f, the same ρ and the same Z.]

Running the protocol π in the concurrent setting is "as correct & private as" computing f using a trusted party in the concurrent setting:
• S simulates the view of A, and
• the outputs of the honest parties are the same in the two worlds.

Both A and S are required to be PPT.

Page 37: UC security [Canetti'01]

The simulator S needs to:
• "extract" A's input without disturbing the execution with Z (straight-line extraction), and
• ensure that the inputs of the honest parties remain hidden ("non-malleability").

Page 38: The State of UC Security

• Secure 2-party computation is impossible! [Canetti-Kushilevitz-Lindell'03]
  – And even in somewhat weaker models [Canetti-Fischlin'02, Lindell'03, Lindell'04, Barak-Prabhakaran-Sahai'06]
  – Intuition: if S can extract inputs "straight-line", then so can the attacker.
• Possible with limited "trusted help":
  – Trusted set-up models: honest majority [BGW88, CCD88, BR89, DM00], CRS [BFM, CLOS], PKI [BCNP], timing model [DNS, KLP], tamper-proof hardware [K], …
  – Thm [Lin-P-Venkitasubramaniam'09]: use robust NM commitments to get a crisp and essentially tight characterization (assuming TDP) of when a set-up can be used to get UC SMC.
    • Essentially all known UC SMC results follow as corollaries, with improved computational assumptions and round complexity.
    • Can mix and match set-ups! [Garg, Goyal, Jain, Sahai, yesterday]

Page 39: Who can you trust?

Page 40: Super-Poly Time Simulation (SPS) [P'03]

[Figure: the adversary A and a super-polynomial-time simulator S, each in the presence of the environment Z.]

Allow a super-polynomial-time security reduction; we know a polynomial-time security reduction is impossible.

Possible! [(P'03), Prabhakaran-Sahai'04, Barak-Sahai'05, Lin-P-Venkitasubramaniam'09]

But, using strong hardness assumptions. Still, meaningful in many (most) cases.

Page 41: Prabhakaran-Sahai'04

[Figure: as on page 37, with the simulator S given access to a collision-finding oracle.]

The simulator S needs to:
• "extract" A's input without disturbing the execution with Z, and
• ensure that the inputs of the honest parties remain hidden.

Assume an "id-based hash function": it is hard to find a collision w.r.t. id even given oracle access to someone who finds random collisions w.r.t. any other id' ≠ id.

Use the collision-finding oracle to extract in super-polynomial time! The honest parties' inputs remain hidden by the security of the id-based hash.

Page 42: CCA-Secure Commitments [Canetti-Lin-P'10]

[Figure: the adversary A receives a commitment C(x) with identity i on the left; on the right it interacts with a decommitment oracle O, sending commitments C(y1), C(y2), C(y3) under identities j1, j2, j3 and receiving back the committed values y1, y2, y3.]

Chosen-Commitment-Attack (CCA) security: either A copies the left identifier to the right, or the LHS is hiding, i.e. the view of A is indistinguishable for different x.

Page 43: Concurrent Non-Malleable Commitments

[Figure: as on page 42, but A's right-side commitments C(y1), C(y2), C(y3) under identities j1, j2, j3 go to honest receivers rather than to an oracle, and y1, y2, y3 are the values they contain.]

Non-malleability: either A copies the left identifier to the right, or the view of A together with (y1, y2, y3) is indistinguishable.

CCA security ⇒ concurrent non-malleability.

Page 44: Results on CCA-Secure Commitments

Thm [CLP'10]: the existence of OWF implies O(n^ε)-round robust CCA-secure commitments.
– Need to deal with both NM and the "nesting" of executions, as in concurrent ZK [Dwork-Naor-Sahai'99]
– Rely on the original message-scheduling technique of [Dolev-Dwork-Naor'91] + the ideas behind the concurrent ZK simulation of [Richardson-Kilian'01]

Thm [CLP'10]: robust CCA-secure commitments + OT imply SPS-secure SMC.

Open: O(1)-round CCA-secure commitments from OWF?

Page 45: More Open(-ended) Questions

• What is the right definition of concurrent security (without trusted set-up)?
• SPS security provides only weak guarantees on the "computational advantage" gained by an adversary:
  – sufficient when security in the ideal model is information-theoretic (or just sufficiently "strong"),
  – but not sufficient to preserve the security of "moderately-hard" properties.
• "Rewindable TTP" [Goyal-Sahai'08, Goyal-Jain-Ostrovsky'10]:
  – needs very efficient, precise simulations [Micali-P'06];
  – the currently best concurrent simulation uses ω(1) "rewindings" [Pandey-P-Sahai-Tseng-Venkitasubramaniam'08].
• Can we compose different security notions?

Page 46: The Dark Side of Concurrency

Don't worry: lower bounds.

Page 47: Lower Bounds using Concurrency

A security reduction R from breaking a primitive or protocol B to breaking an intractability assumption C.

[Figure: the challenger for C sends r; the reduction R, with oracle access to O, must answer f(r).]

Black-box reduction: R^O breaks C whenever O breaks B.

For some classic protocols/tasks (sequential witness hiding of classic ZK protocols, active security of Schnorr's identification scheme, the selective decommitment problem, Chaum's blind signatures, …) no security reductions are known under ANY 2-round intractability assumption.

Thm [P'11]: if there exists a BB reduction (but potentially a non-BB construction) of the security of such a task to a poly-round intractability assumption C, then C can be broken in poly time.

Why concurrency? The reduction can nest its calls to O, so concurrent simulation techniques are very useful!

Page 48: Thank You

Page 49: Overview of Our Construction

[Figure: as on page 42: A receives C(x) with identity i on the left and sends C(y1), C(y2), C(y3) under identities j1, j2, j3 on the right, getting back y1, y2, y3; the oracle is replaced by a helper H.]

Design a protocol such that H can be efficiently simulated. Then hiding ⇒ CCA security.

But,
1. A may ask for new messages in the LHS, so the LHS is not hiding anymore (handled by rewindings: NM).
2. A may nest oracle calls, so the extraction time explodes (handled by rewindings: concurrent ZK).

Page 50: Secure Multi-party Computation [Yao, GMW]

• A set of parties with private inputs.
• They wish to jointly compute a function of their inputs while preserving the privacy of the inputs (as much as possible).
• Security must be preserved even if some of the parties are malicious.

Page 51: What's Next – Concurrency for General Interaction

Page 52: What's Next – Adaptive Hardness

Consider the Factoring problem:
• Given the product N of 2 random n-bit primes p, q, can you provide the factorization?

Adaptive Factoring Problem:
• Given the product N of 2 random n-bit primes p, q, can you provide the factorization, if you have access to an oracle that factors all other N' that are products of two equal-length primes?

Are these problems equivalent? Unknown!

Page 53: What's Next – Adaptive Hardness

Adaptively-hard Commitments [Canetti-Lin-P'10]
• A commitment scheme that remains hiding even if the adversary has access to a decommitment oracle.
• Implies non-malleability (and more!)

Thm [CLP'10]: the existence of commitments implies O(n^ε)-round adaptively-hard commitments.

Page 54: Without Trusted Set-up

• Specific tasks and attacks:
  – Concurrent zero-knowledge [Dwork-Naor-Sahai, Richardson-Kilian, Kilian-Petrank, Prabhakaran-Rosen-Sahai, Barak'01, …]
  – Non-malleable commitments [Dolev-Dwork-Naor'91, …]
• Relaxed notions of security:
  – E.g., "super-poly simulation", "angel-based security", "input indistinguishability" [P'03, Prabhakaran-Sahai'04, Barak-Sahai'05, Micali-P-Rosen'06, Lin-P-Venkitasubramaniam'09, Canetti-Lin-P'10]

Page 55: Angel-Based Security [Prabhakaran-Sahai'04]

[Figure: both the adversary A and the simulator S receive help from an angel O, in the presence of the environment Z.]

Angel: a restricted super-poly-time oracle performing some specific, system-dependent task, e.g., finding a collision of a CRH as long as the colliding inputs include the id of the requesting party.

Simulator and adversary both receive help from the angel. Composable.

Possible [Prabhakaran-Sahai'04, Malkin-Moriarty-Yung'06, Barak-Sahai'05]! But with even stronger assumptions, e.g., adaptively-hard CRH.

Page 56: Zero Knowledge [Goldwasser-Micali-Rackoff'85]

• Interactive protocol between a Prover and a Verifier where the Verifier learns nothing except the truth of the proof statement.

Page 57: Zero Knowledge [Goldwasser-Micali-Rackoff'85]

• For every PPT V* (adversary) there is a PPT simulator S such that the view of V* when interacting with the Prover and the view generated by S are indistinguishable.

Page 58: Concurrent ZK (cZK) [Dwork-Naor-Sahai'01]

[Figure: V* interacts concurrently with many Prover instances; the simulator S must generate a view indistinguishable from the view of V* with the Provers.]

Page 59: Classic ZK Protocol [Feige-Shamir'90]

Prover ⟷ Verifier:
• INIT: the Verifier commits to a random secret σ.
• Slot: the Verifier gives a proof of knowledge of σ.
• END: modified proof in which σ is a trapdoor: a WI proof that "x ∈ L or I know σ".

Page 60: Classic ZK Protocol [Feige-Shamir'90]

Simulator against V*:
• INIT: V* commits to a random secret σ.
• Slot: proof of knowledge of σ; the simulator rewinds the slot and, on the second run, extracts σ.
• END: the simulator gives the proof using σ.

What about cZK?
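The rewinding step on page 60 can be run end to end on a small instance. The Python below is an added example, not code from the talk: the slot is modelled as a Schnorr proof of knowledge of σ = log_G(y), with y = G^σ playing the role of V*'s INIT commitment (both are assumptions; the talk does not fix the proof of knowledge, and the same extractor works for any special-sound Σ-protocol). The simulator plays the slot's receiver, snapshots V* right after its first message, answers with two different challenges, and solves the two responses for σ, which is exactly what it needs for the "I know σ" branch of the END proof.

```python
"""Rewinding a Feige-Shamir-style slot to extract the verifier's secret σ.

Added example; the slot is a Schnorr PoK in a toy group (assumption).
"""
import copy
import secrets
from typing import Optional

P, Q, G = 2039, 1019, 4  # toy group: G has prime order Q in Z_P^* (assumption)


class MaliciousVerifier:
    """V*: holds σ, publishes y = G^σ in INIT, proves knowledge of σ in the slot."""

    def __init__(self, sigma: int):
        self._sigma = sigma % Q
        self.y = pow(G, self._sigma, P)   # INIT: discrete-log "commitment" to σ
        self._k = None

    def slot_first_message(self) -> int:
        """Slot, message 1: a = G^k for fresh k. Once sent, k is fixed in V*'s state."""
        self._k = secrets.randbelow(Q)
        return pow(G, self._k, P)

    def slot_response(self, e: int) -> int:
        """Slot, message 3: z = k + e*σ mod Q for the receiver's challenge e."""
        return (self._k + e * self._sigma) % Q


def slot_accepts(y: int, a: int, e: int, z: int) -> bool:
    """Receiver's check for the slot: G^z == a * y^e (mod P)."""
    return pow(G, z, P) == (a * pow(y, e, P)) % P


def simulator_extract(vstar: MaliciousVerifier) -> Optional[int]:
    """Run the slot once, rewind V* to just after its first message, run it
    again with a different challenge, and extract σ by special soundness."""
    a = vstar.slot_first_message()
    rewind_point = copy.deepcopy(vstar)          # V*'s state with a (and k) fixed
    e1 = secrets.randbelow(Q)
    z1 = vstar.slot_response(e1)                 # first run of the slot
    e2 = (e1 + 1 + secrets.randbelow(Q - 1)) % Q  # any challenge != e1
    z2 = rewind_point.slot_response(e2)          # second run, after rewinding
    if not (slot_accepts(vstar.y, a, e1, z1) and slot_accepts(vstar.y, a, e2, z2)):
        return None                              # V* aborted or cheated in a run
    # z1 - z2 = (e1 - e2) * σ (mod Q), so σ = (z1 - z2) / (e1 - e2)
    return ((z1 - z2) * pow(e1 - e2, -1, Q)) % Q
```

Nothing here depends on x ∈ L: with σ in hand the simulator completes END through the trapdoor branch, which is why the protocol is zero-knowledge in the stand-alone setting. In the concurrent setting (next slides) the second run of a slot may itself contain other sessions' slots, and that is where the rewinding cost starts to compound.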

Page 61: Concurrent Zero Knowledge

[Figure: V* opens 3 nested sessions against the simulator.]

Rewinding here ⇒ redo the work of the nested sessions. Takes time O(2^{#nestings}) [KPR'00].

Page 62: Richardson-Kilian

[Figure: INIT, followed by many slots, followed by END.]

• Need to extract σ for every session.
• Easier if there are more slots: V* cannot "nest" inside all slots.
• Rewinding any one slot extracts σ.

Page 63: Concurrent Zero-knowledge