Rafael Pass Cornell University

Presentation Transcript


  1. Constant-round Non-malleability From Any One-way Function. Rafael Pass, Cornell University. Joint work with Huijia (Rachel) Lin.

  2. Cryptographic Protocols: “Interactions among mutually distrustful players”. Far beyond the traditional goal of concealing messages.
  • Electronic auctions without a trusted auctioneer. Correctness: the highest bidder wins. Privacy: no other bids are revealed.
  • Electronic elections without a trusted vote counter. Correctness: votes are correctly counted. Privacy: individual votes remain secret.
  • And much more: electronic payment systems, authentication protocols, privacy-preserving data mining, …
  Secure Multi-party Computation: “Any task that can be securely implemented using a trusted party can be securely implemented without the trusted party” [Y82, GMW86].

  3. The Classic Stand-Alone Model (figure: Alice and Bob). One set of parties executing a single protocol in isolation.

  4. On the Internet: Need Concurrent Security [DDN91,...] Many parties running many different protocol executions.

  5. The Chess-master Problem (figure: an 8am game and an 8pm game against two chess masters, with one player relaying each master's moves to the other; “Lose! Lose!”).

  6. Similar attack on Crypto protocols!

  7. Man-in-the-middle Attacks (figure: Alice, the Initiator, talks to the MIM acting as Responder on the LEFT; the MIM, acting as Initiator, talks to Bob, the Responder, on the RIGHT; messages a and b pass through the MIM). The MIM can make use of a message from the RIGHT execution in the LEFT one.

  8. Man-in-the-middle Attacks (figure labels: “Alice: a” on the left, “Alice: a” forwarded on the right, Bob: “You are not Alice!”, MIM: “Grrr!”). The MIM can make use of a message from the RIGHT execution in the LEFT one.

  9. Man-in-the-middle Attacks (figure labels: “Alice: a” on the left becomes “Devil: a” on the right; “Bob: b” on the right becomes “Devil: b” on the left). The MIM can make use of a message from the RIGHT execution in the LEFT one.

  10. Commitment Scheme (figure: Sender and Receiver; a Commitment phase, later a Reveal). The “digital analogue” of sealed envelopes.
  • One of the most basic cryptographic tasks.
  • A natural abstraction.
  • Many applications (zero-knowledge, coin-tossing, secure computation, …).
  • One-way functions are both sufficient and necessary [N'89, HILL'99].

  11. Example: Closed Auctions (figure: Bidder I sends C(a) to the Auctioneer, Bidder II sends C(ã)). We would like to ensure that bids are independent. Bidder II would have loved to set, e.g., ã = a + 1. The definition of commitments does not rule this out! For most commitments, one can actually create such a dependency.

  12. (figure: Sender, MIM acting as Receiver/Sender, Receiver; C(v) on the left, C(v') on the right.) It is possible that v' = v + 1, even though the MIM does not know v!
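The dependency slides 11 and 12 describe, as an added Python example that is not from the talk or the paper: a Pedersen commitment C(v) = g^v h^r mod p is homomorphic, so a MIM who sees C(a) can forward C(a + 1) without knowing a or r, and once Bidder I opens (a, r) the MIM can open its own commitment to a + 1. Pedersen is a concrete scheme chosen here to illustrate the point; the page does not name it. The toy group (a 2039-element field with an order-1019 subgroup) and the generator h are assumptions made for readability, not secure parameters.

```python
# Added example: a homomorphic commitment is malleable. Toy parameters
# (assumption: p = 2039 = 2q + 1 with q = 1019, both prime; g = 4 and h = 25
# are squares mod p, so both lie in the order-q subgroup). Not secure sizes.
import secrets

P = 2039
Q = 1019
G = 4          # 2^2 mod p, generates the order-q subgroup
H = 25         # 5^2 mod p; its discrete log base G is unknown to the parties


def commit(v: int, r: int) -> int:
    """Pedersen commitment to v with randomness r: g^v * h^r mod p."""
    return pow(G, v % Q, P) * pow(H, r % Q, P) % P


def open_commitment(c: int, v: int, r: int) -> bool:
    """Receiver-side check at Reveal time."""
    return c == commit(v, r)


def maul_add(c: int, delta: int) -> int:
    """MIM transform: from C(v) produce C(v + delta) with the same randomness,
    knowing neither v nor r. Multiplying by g^delta shifts the exponent of g."""
    return c * pow(G, delta % Q, P) % P


def auction_attack(a: int) -> dict:
    """Bidder I commits to a; the MIM (Bidder II) forwards C(a + 1) to the
    auctioneer. At Reveal, Bidder I discloses (a, r); the MIM then opens its
    commitment as (a + 1, r), which the auctioneer accepts."""
    r = secrets.randbelow(Q)
    honest = commit(a, r)
    mauled = maul_add(honest, 1)
    return {
        "mauled_opens_to_a_plus_1": open_commitment(mauled, a + 1, r),
        "mauled_opens_to_a": open_commitment(mauled, a, r),
        "equals_fresh_commitment": mauled == commit(a + 1, r),
    }


if __name__ == "__main__":
    print(auction_attack(17))
```

The attack needs no break of hiding or binding: the MIM never learns a before Reveal, which is exactly why the plain commitment definition does not exclude it and why the non-malleability definition of slides 13 to 15 is needed.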

  13. Non-Malleable Commitments [Dolev Dwork Naor'91] (figure: Sender, MIM acting as Receiver/Sender, Receiver; identity i on the left and j on the right; C(v) on the left, C(v') on the right).

  14. Non-Malleable Commitments [Dolev Dwork Naor'91] (figure: left commitment C(i, v), right commitment C(j, v')). Non-malleability: if i ≠ j, then v' is “independent” of v.

  15. Non-Malleable Commitments [Dolev Dwork Naor'91]. Man-in-the-middle execution (figure: identities i and j on the left and right). Simulation (figure: only the right execution, with identity j). Non-malleability: for every MIM there exists a “simulator” such that the value committed to by the MIM is “indistinguishable” from the value committed to by the simulator.

  16. Non-Malleable Commitments [Dolev Dwork Naor'91] (figure: identities i and j).
  • Important in practice
  • “Test-bed” for other tasks
  • Applications to MPC

  17. DDN: Encoding Names in Messages (figure: Initiator and Responder; ID = 010; Iterations 1, 2, 3). For i = 1 to n:
  • if ID_i = 1: REAL exchange, then DUMMY exchange
  • if ID_i = 0: DUMMY exchange, then REAL exchange
  IDEA: make sure that at some point a MIM needs to either
  • speak alone, or
  • give REAL when hearing DUMMY.

  18. DDN: Encoding Names in Messages (figure: Initiator with ID = 010 on the left, MIM as Responder/Initiator, ID' = 110 on the right). If ID ≠ ID', there exists an iteration in which the MIM gives REAL but receives DUMMY.
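The iteration-by-iteration argument of slides 17 and 18, as an added Python example that is not from the talk or the paper: the schedule is derived from the identity bits exactly as slide 17 states, and the check finds the slots in which a MIM must send a REAL exchange on the right while having received only a DUMMY exchange on the left. The slot-by-slot alignment of the two executions is an assumption (the synchronizing adversary of slide 22), and all function names are the example's own.

```python
# Added example: DDN-style encoding of an identity into the order of REAL and
# DUMMY exchanges, plus the check behind slide 18. Assumption: the left and
# right executions proceed slot by slot in lockstep (synchronizing adversary).

REAL, DUMMY = "REAL", "DUMMY"


def schedule(identity: str) -> list:
    """Per iteration i, the (first, second) exchange kinds an initiator with
    this identity performs: bit 1 = REAL then DUMMY, bit 0 = DUMMY then REAL."""
    order = {"1": (REAL, DUMMY), "0": (DUMMY, REAL)}
    try:
        return [order[bit] for bit in identity]
    except KeyError as exc:
        raise ValueError(f"identity must be a bit string, got {identity!r}") from exc


def forced_real_slots(left_id: str, right_id: str) -> list:
    """The MIM is responder on the left (the left initiator uses left_id) and
    initiator on the right (claiming right_id). Return every (iteration, slot)
    in which the MIM must give REAL on the right while it receives only DUMMY
    on the left in that slot, so it cannot simply relay what it heard."""
    if len(left_id) != len(right_id):
        raise ValueError("identities must have equal length")
    forced = []
    pairs = zip(schedule(left_id), schedule(right_id))
    for i, (received, given) in enumerate(pairs):
        for slot in range(2):
            if given[slot] == REAL and received[slot] == DUMMY:
                forced.append((i, slot))
    return forced


def all_distinct_pairs_forced(n: int) -> bool:
    """Exhaustive check for length-n identities: every pair of distinct
    identities has at least one forced slot (the claim on slide 18)."""
    ids = [format(k, f"0{n}b") for k in range(2 ** n)]
    return all(forced_real_slots(a, b) for a in ids for b in ids if a != b)


if __name__ == "__main__":
    # Slide 18's instance: ID = 010 on the left, ID' = 110 on the right.
    print(schedule("010"))
    print(forced_real_slots("010", "110"))   # the differing iteration forces a slot
    print(forced_real_slots("010", "010"))   # equal identities: the MIM can relay
    print(all_distinct_pairs_forced(4))
```

Each differing bit yields a forced slot in the slot where the right schedule says REAL and the left says DUMMY, which is the point the signature chains of slides 24 and 25 later replace with a proof-of-knowledge statement instead of a message schedule.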

  19. Non-malleable Commitments. Original work by [DDN'91]: based on any one-way function (OWF), but O(log n) rounds. Main question: how many rounds do we need?
  With “trusted set-up”, solved: 1 round from OWF [DIO'99, DKO, CF, FF, …, DG].
  Without set-up:
  • [Barak'02]: O(1) rounds from subexponential CRH + dense cryptosystems
  • [P'04, P-Rosen'05]: O(1) rounds using CRH
  • [Lin-P'09]: O(1)^(log* n) rounds using OWF
  • [P-Wee'10]: O(1) rounds using subexponential OWF
  • [Wee'10]: O(log* n) rounds using OWF
  “Non BB”

  20. Non-malleable Commitments. Original work by [DDN'91]: based on any one-way function (OWF), but O(log n) rounds. Main question: how many rounds do we need? With “trusted set-up”, solved: 1 round from OWF [DIO'99, DKO, CF, FF, …, DG]. Without set-up: O(1) rounds from CRH or subexponential OWF; O(log* n) rounds from OWF.

  21. Main Theorem [Lin-P'10]. Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment.
  • Note: since commitment schemes imply OWF, we have unconditionally that any commitment scheme can be turned into one that is O(1)-round and non-malleable.
  • Note: as we shall see, this also weakens the assumptions for O(1)-round secure multi-party computation.

  22. The Idea: what if we could run “message scheduling in the head”? Let us focus on non-aborting and synchronizing adversaries (they never send invalid messages in the left execution).

  23. Com(id, v), with id = 00101 (figure): the sender sends c = C(v), then gives a WI-POK that “I know v s.t. c = C(v)” OR “I have ‘seen’ the sequence”.

  24. Signature Chains. Consider 2 “fixed-length” signature schemes Sig0, Sig1 (i.e., signatures are always of length n) with keys vk0, vk1.
  Def: (s, id) is a signature-chain if, for all i, s_{i+1} is a signature of “(i, s_i)” under the scheme selected by id_{i+1}.
  Example: s0 = r; s1 = Sig0(0, s0), id1 = 0; s2 = Sig0(1, s1), id2 = 0; s3 = Sig1(2, s2), id3 = 1; s4 = Sig0(3, s3), id4 = 0.

  25. Signature Games. You are given vk0, vk1 and you have access to signing oracles Sig0, Sig1. The access pattern to the oracles is the string whose i'th symbol is b if in the i'th interaction you access oracle b. Claim: if you output a signature-chain (s, id), then w.h.p. id is a substring of the access pattern.

  26. Com(id, v), id = 00101 (figure): vk0, r0, Sign0(r0); vk1, r1, Sign1(r1); c = C(v); WI-POK that “I know v s.t. c = C(v)” OR “I have ‘seen’ the sequence”.

  27. Com(id, v), id = 00101 (figure): vk0, r0, Sign0(r0); vk1, r1, Sign1(r1); c = C(v); WI-POK, w.r.t. id, that “I know v s.t. c = C(v)” OR “I know a sig-chain (s, id)”.

  28. Non-malleability through dance (figure: two executions side by side, with identities i = 0110… on the left and j = 00…1 on the right; each runs vk0, r0, Sign0(r0); vk1, r1, Sign1(r1); c = C(v); then a WI-POK w.r.t. i on the left and w.r.t. j on the right).

  29. Dealing with Aborting Adversaries.
  Problem 1: the MIM will notice that I ask him to sign a signature chain. Solution: don't. Ask him to sign commitments of signatures…
  Problem 2: I might have to “rewind” many times on the left to get a single signature, so if I have id = 01011, the access pattern on the right is 0*1*0*1*… Solution: use 3 keys (0, 1, 2); require a chain w.r.t. 2 id_1 2 id_2 2 id_3 …
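The signature chain of slide 24, the signature game and access-pattern claim of slide 25, and the three-key padded identity of slide 29, as one added Python example that is not the talk's or the paper's own code. Assumptions: HMAC-SHA256 under a key held by each oracle stands in for a fixed-length signature scheme (so verification here goes through the oracle, where a real scheme would verify publicly under vk0, vk1); the pair (i, s_i) is encoded as a 4-byte counter followed by s_i; and all class and function names are the example's own. The example only exercises the honest chain-building and the checks the slides state; it does not prove the w.h.p. claim, which rests on unforgeability.

```python
# Added example: signature chains, the oracle access pattern, and the 3-key
# padded identity. Assumption: HMAC-SHA256 (32-byte output) replaces each
# fixed-length signature scheme so the example runs with the standard library.
import hashlib
import hmac
import secrets


class SigningOracle:
    """One fixed-length signature scheme, held by the game (stand-in: a MAC)."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def sign(self, msg: bytes) -> bytes:
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def verify(self, msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(msg), sig)


class SignatureGame:
    """k signing oracles Sig_0 .. Sig_{k-1} plus the access pattern: the i'th
    character records which oracle was queried in the i'th interaction."""

    def __init__(self, num_keys: int = 2) -> None:
        self.oracles = [SigningOracle() for _ in range(num_keys)]
        self.access_pattern = ""

    def query(self, b: int, msg: bytes) -> bytes:
        self.access_pattern += str(b)
        return self.oracles[b].sign(msg)


def link_message(i: int, s_i: bytes) -> bytes:
    """Encoding of the pair (i, s_i) that the (i+1)'th signature is over."""
    return i.to_bytes(4, "big") + s_i


def build_chain(game: SignatureGame, identity: str, r: bytes) -> list:
    """s_0 = r; s_{i+1} = Sig_{id_{i+1}}((i, s_i)), one oracle query per link."""
    s = [r]
    for i, bit in enumerate(identity):
        s.append(game.query(int(bit), link_message(i, s[i])))
    return s


def is_signature_chain(game: SignatureGame, s: list, identity: str) -> bool:
    """Slide 24's definition: every s_{i+1} verifies under scheme id_{i+1}."""
    if len(s) != len(identity) + 1:
        return False
    return all(
        game.oracles[int(bit)].verify(link_message(i, s[i]), s[i + 1])
        for i, bit in enumerate(identity)
    )


def pad_identity(identity: str) -> str:
    """Slide 29's three-key encoding: a chain w.r.t. 2 id_1 2 id_2 2 id_3 ..."""
    return "".join("2" + bit for bit in identity)


def demo(identity: str = "00101") -> dict:
    """Honest run of the game, reporting the checks the slides state."""
    game = SignatureGame(num_keys=2)
    s = build_chain(game, identity, secrets.token_bytes(32))
    # Relabelling the same chain under another id fails: the link produced by
    # Sig_1 does not verify under Sig_0 (and vice versa).
    wrong_id = identity[:-1] + ("0" if identity[-1] == "1" else "1")
    game3 = SignatureGame(num_keys=3)
    s3 = build_chain(game3, pad_identity(identity), secrets.token_bytes(32))
    return {
        "valid": is_signature_chain(game, s, identity),
        "id_in_access_pattern": identity in game.access_pattern,   # slide 25
        "relabel_fails": not is_signature_chain(game, s, wrong_id),
        "padded_valid": is_signature_chain(game3, s3, pad_identity(identity)),
        "padded_pattern": game3.access_pattern,
    }


if __name__ == "__main__":
    print(demo("00101"))
```

In the protocol of slide 27 the chain is never sent; it is only the OR-branch of the WI-POK, and the access pattern is what the MIM's own oracle queries (the signatures it obtains in the left execution) leave behind.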

  30. Main Theorem. Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment. log* vs O(1)? An application.

  31. Secure Multi-party Computation [Yao, GMW]. A set of parties with private inputs wish to jointly compute a function of their inputs while preserving the privacy of the inputs (as much as possible). Security must be preserved even if some of the parties are malicious.

  32. Secure Multi-party Computation [Yao, GMW]. Original work of [GMW87]: trapdoor permutations (TDP), n rounds (e.g., voting with 1M people => 1M rounds). More recent: “stronger assumptions, fewer rounds”:
  • [KOS]: TDP + dense cryptosystems, log n rounds; TDP + CRH + dense crypto with subexponential security, O(1) rounds, non-BB
  • [P04]: TDP + CRH, O(1) rounds, non-BB
  Thm: same assumption as GMW => O(1)-round protocol.

  33. What’s Next – Concurrency for General Interaction

  34. What's Next – Adaptive Hardness. Consider the Factoring problem: given the product N of 2 random n-bit primes p, q, can you provide the factorization? Adaptive Factoring Problem: given the product N of 2 random n-bit primes p, q, can you provide the factorization if you have access to an oracle that factors all other N' that are products of equal-length primes? Are these problems equivalent? Unknown!

  35. What's Next – Adaptive Hardness. Adaptively-hard Commitments [Canetti-Lin-P'10]: a commitment scheme that remains hiding even if the adversary has access to a decommitment oracle. Implies non-malleability (and more!). Thm [CLP'10]: the existence of commitments implies O(n^)-round adaptively-hard commitments.

  36. Thank You
