
Page 1: Rafael Pass Cornell University

Rafael Pass, Cornell University

Concurrency and Non-malleability

Joint work with Huijia (Rachel) Lin

Page 2: Rafael Pass Cornell University

Protocols

“Interactions among mutually distrustful players”

Authentication, key-exchange, privacy-preserving data mining, fault/attack-tolerant distributed computation

Secure Multiparty Computation [GMW’89]

Page 3: Rafael Pass Cornell University

The Classic Stand-Alone Model

Alice Bob

One set of parties executing a single protocol in isolation.

Page 4: Rafael Pass Cornell University

On the Internet: Need Concurrent Security [DDN91,...]

Many parties running many different protocol executions.

Page 5: Rafael Pass Cornell University

The Chess-master Problem

(figure: one game at 8am and one at 8pm, each marked “Lose!”)

Page 6: Rafael Pass Cornell University

Similar attack on Crypto protocols!

Page 7: Rafael Pass Cornell University

Man-in-the-middle Attacks

(figure: Alice as initiator, MIM as responder/initiator, Bob as responder)

MIM controls channel between Alice and Bob

Page 8: Rafael Pass Cornell University

The State of Concurrent Security

• Concurrently secure 2-party computation impossible using “standard” definition of “UC-security” [Can’02]

– And even for somewhat weaker models [CF,L03,L04]

• Possible: with limited “trusted help”

– Trusted set-up models: CRS [BFM,CLOS], PKI [BCNP], Timing model [DNS,KLP], Tamper-proof Hardware [K], …

Page 9: Rafael Pass Cornell University

Without Trusted Set-up

• Relaxed notions of security:
– E.g., “super-poly simulation”, “angel-based security” [P03,PS04,BS05,LPV09,CLP10]

• Specific tasks and attacks:
– Non-malleable Commitments [DDN91,…]
– Concurrent Zero-knowledge [DNS,RK,KP,PRS,…]

• Identifying properties that make protocols resist specific concurrent attacks:
– Parallel repetition of arguments [BIN’99,PV’07,HPPW’09,H’09,CL’10,…]
– “For what classes of (single-prover) computationally-sound proofs does parallel repetition reduce the soundness error?”

A lot of interplay between different veins of research!

TODAY

Page 10: Rafael Pass Cornell University

Commitment Scheme

The “digital analogue” of sealed envelopes.

(figure: Sender commits to v, then later reveals v to Receiver)

One of the most basic cryptographic tasks.

Part of essentially all more involved secure computations.

Can be constructed from any one way function. [N’89, HILL’ 99]

Page 11: Rafael Pass Cornell University

What about man-in-the-middle attacks?

(figure: Sender sends C(v) to MIM, acting as receiver/sender, who sends C(v’) to Receiver)

Possible that v’ = v+1, even though MIM does not know v!

Page 12: Rafael Pass Cornell University

Non-Malleable Commitments [Dolev Dwork Naor’91]

Non-malleability: either MIM forwards (v = v’), or v’ is “independent” of v.

(figure: Sender commits C(v) under tag i to MIM, acting as receiver/sender; MIM commits C(v’) under tag j to Receiver)

Page 13: Rafael Pass Cornell University

Non-Malleable Commitments [Dolev Dwork Naor’91]

Non-malleability: if i ≠ j, then v’ is “independent” of v.

(figure: Sender commits C(i,v) to MIM, acting as receiver/sender; MIM commits C(j, v’) to Receiver)

Page 14: Rafael Pass Cornell University

Non-Malleable Commitments [Dolev Dwork Naor’91]

Man-in-the-middle execution: (figure: Sender commits v under tag i; MIM commits v’ under tag j)

Simulation: (figure: the simulator commits v’’ under tag j)

Non-malleability: For every MIM, there exists a “simulator” such that the value committed by MIM is indistinguishable from the value committed by the simulator.

Page 15: Rafael Pass Cornell University

Non-Malleable Commitments [Dolev Dwork Naor’91]

(figure: v committed under tag i, v’ committed under tag j)

• Important in practice
• “Test-bed” for other tasks
• Applications to MPC

Page 16: Rafael Pass Cornell University

Non-malleable Commitments

• Original work by [DDN’91]
– OWF
– black-box techniques
– But: O(log n) rounds

• Main question: how many rounds do we need?
– With set-up, solved: 1-round, OWF: [DIO’99,DKO,CF,FF,…,DG]

Without set-up:
• [Barak’02]: O(1)-round, Subexp CRH + dense crypto
• [P’04,P-Rosen’05]: O(1) rounds using CRH
• [Lin-P’09]: O(1)^{log* n} rounds using OWF
• [P-Wee’10]: O(1) rounds using Subexp OWF
• [Wee’10]: O(log* n) rounds using OWF

Non BB

Page 17: Rafael Pass Cornell University

Non-malleable Commitments

• Original work by [DDN’91]
– OWF
– black-box techniques
– But: O(log n) rounds

• Main question: how many rounds do we need?
– With set-up, solved: 1-round, OWF: [DIO’99,DKO,CF,FF,…,DG]

Without set-up:
• O(1)-round from CRH or Subexp OWF
• O(log* n)-round from OWF

Can we get O(1)-round NMC from OWF?

Page 18: Rafael Pass Cornell University

Main Theorem [Lin-P’10]

Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.

• Note: Since commitment schemes imply OWF, we have unconditionally that any commitment scheme can be turned into one that is O(1)-round and non-malleable.

• Note: As we shall see, this also weakens the assumptions for O(1)-round secure multi-party computation.

Page 19: Rafael Pass Cornell University

DDN Protocol Idea

(figure: left execution C(i,v) with i = 01…1, right execution C(j, v’) with j = 00..1, stages drawn in blue and red)

Blue does not help Red and vice versa

Page 20: Rafael Pass Cornell University

The Idea: What if we could run the message scheduling in the head?

Let us focus on non-aborting and synchronizing adversaries (they never send invalid messages in the left execution).

Page 21: Rafael Pass Cornell University

Com(id,v), with id = 00101:
– c = C(v)
– WI-POK of: “I know v s.t. c = C(v)” OR “I have ‘seen’ the sequence id”

Page 22: Rafael Pass Cornell University

Signature Chains

Consider 2 “fixed-length” signature schemes Sig0, Sig1 (i.e., signatures are always of length n) with keys vk0, vk1.

Def: (s, id) is a signature-chain if for all i, s_{i+1} is a signature of “(i, s_i)” using scheme Sig_{id_{i+1}}.

s0 = r
s1 = Sig0(0, s0), id1 = 0
s2 = Sig0(1, s1), id2 = 0
s3 = Sig1(2, s2), id3 = 1
s4 = Sig0(3, s3), id4 = 0

Page 23: Rafael Pass Cornell University

Signature Games

You are given vk0, vk1 and you have access to signing oracles Sig0, Sig1.

Consider the access pattern to the oracles: the i’th position of the pattern is b if in the i’th interaction you access oracle b.

Claim: If you output a signature-chain (s, id), then, w.h.p., id is a substring of the access pattern.
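The signature-chain definition and the signature game above, as an added Python toy that is not part of the slides: HMAC-SHA256 stands in for the fixed-length schemes Sig0/Sig1 (an assumption; a MAC is not a signature scheme, but its fixed 32-byte tag is what the definition needs), the oracles record their access pattern, and `build_chain` / `is_signature_chain` implement the chain rule s_{i+1} = Sig_{id_{i+1}}(i, s_i).

```python
import hashlib
import hmac
import os

# Constructed toy model of the signature-chain definition and the signature game.
# Assumption: HMAC-SHA256 stands in for the fixed-length schemes Sig0/Sig1 (a MAC,
# not a real signature scheme, but its 32-byte tag gives the fixed length needed).

class SigningOracle:
    """Sig_b plus its signing oracle; every signing query is recorded in a shared log."""

    def __init__(self, b, access_log):
        self.b, self.access_log = b, access_log
        self.key = os.urandom(32)  # secret key behind vk_b (never shown to the player)

    def _tag(self, msg):
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def sign(self, msg):
        self.access_log.append(str(self.b))  # the i'th interaction used oracle b
        return self._tag(msg)

    def verify(self, msg, sig):  # what holding vk_b lets you check; not logged
        return hmac.compare_digest(self._tag(msg), sig)

def chain_message(i, s_i):
    """Encode "(i, s_i)"; s_i has fixed length, so the encoding is unambiguous."""
    return i.to_bytes(4, "big") + s_i

def build_chain(oracles, r, id_bits):
    """s0 = r and s_{i+1} = Sig_{id_{i+1}}(i, s_i), querying the oracle each id bit names."""
    s = [r]
    for i, b in enumerate(id_bits):
        s.append(oracles[int(b)].sign(chain_message(i, s[i])))
    return s

def is_signature_chain(oracles, s, id_bits):
    """(s, id) is a signature-chain iff each s_{i+1} verifies under vk_{id_{i+1}} on (i, s_i)."""
    return len(s) == len(id_bits) + 1 and all(
        oracles[int(b)].verify(chain_message(i, s[i]), s[i + 1])
        for i, b in enumerate(id_bits))

def signature_game(id_bits, noise_queries=""):
    """Make unrelated queries, then build a chain for id_bits; return (chain verifies, id in access pattern)."""
    log = []
    oracles = {0: SigningOracle(0, log), 1: SigningOracle(1, log)}
    for b in noise_queries:
        oracles[int(b)].sign(b"unrelated query")
    s = build_chain(oracles, os.urandom(32), id_bits)
    return is_signature_chain(oracles, s, id_bits), id_bits in "".join(log)
```

Running `signature_game("0101", noise_queries="1100")` shows the claim in the honest case: the chain verifies and "0101" occurs inside the recorded pattern "11000101", while a chain checked against a different id fails verification.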

Page 24: Rafael Pass Cornell University

Com(id,v), with id = 00101:
– c = C(v)
– vk0, r0, Sign0(r0)
– vk1, r1, Sign0(r1)
– WI-POK of: “I know v s.t. c = C(v)” OR “I have ‘seen’ the sequence id”

Page 25: Rafael Pass Cornell University

Com(id,v), with id = 00101:
– c = C(v)
– vk0, r0, Sign0(r0)
– vk1, r1, Sign0(r1)
– WI-POK of: “I know v s.t. c = C(v)” OR “I know a sig-chain (s,id) w.r.t. id”

Page 26: Rafael Pass Cornell University

(figure: left execution w.r.t. i = 0110.. and right execution w.r.t. j = 00..1, each running c = C(v); vk0, r0, Sign0(r0); vk1, r1, Sign0(r1); WI-POK)

Non-malleability through dance

* In the actual protocol we need “many” sequential WI-POKs, a la [LP’10]

Page 27: Rafael Pass Cornell University

Dealing with Aborting Adversaries

Problem 1:
– MIM will notice that I ask him to sign a signature chain
– Solution: Don’t. Ask him to sign commitments of sigs…

Problem 2:
– I might have to “rewind” many times on the left to get a single signature
– So if I have id = 01011, the access pattern on the right is 0*1*0*1*...
– Solution: Use 3 keys (0,1,2); require a chain w.r.t. 2 id_1 2 id_2 2 id_3 …

Page 28: Rafael Pass Cornell University

Main Theorem

Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.

Some applications

Page 29: Rafael Pass Cornell University

Secure Multi-party Computation [Yao,GMW]

A set of parties with private inputs.

Wish to jointly compute a function of their inputs while preserving privacy of inputs (as much as possible)

Security must be preserved even if some of the parties are malicious.

Page 30: Rafael Pass Cornell University

Secure Multi-party Computation [Yao,GMW]

• Original work of [GMW87]
– TDP, n rounds

• More recent: “Stronger assumption, fewer rounds”
– [KOS]
• TDP, dense cryptosystems, log n rounds
• TDP, CRH + dense crypto with SubExp security, O(1) rounds, non-BB
– [P04]
• TDP, CRH, O(1) rounds, non-BB

Page 31: Rafael Pass Cornell University

NMC vs. MPC

Thm [LPV09]: TDP + k-round “robust” NMC implies O(k)-round MPC

Holds both for stand-alone MPC and UC-MPC (in a number of set-up models)

Corollary: TDP implies O(1)-round MPC

Page 32: Rafael Pass Cornell University

What’s Next?

CCA-secure Commitments [CLP’10]
• Hiding even if Adv has access to a decommitment oracle
• n-round assuming OWF

Page 33: Rafael Pass Cornell University

Joint work with Rachel (Huijia) Lin

Hire her!

Page 34: Rafael Pass Cornell University

Thank You