Coin Tossing With A Man In The Middle (Boaz Barak)

Man In The Middle (MIM) Attack
- Left and Right run a two-party protocol; the adversary (Middle) sits between them.
- The adversary completely controls the communication.
- There are no shared secrets between Left and Right.
- There are no trusted parties and no public information (e.g., no PKI).

Two Unavoidable Adversary Strategies
(The left session is between Left and Middle; the right session is between Middle and Right.)
- Relaying strategy: the adversary is transparent; it forwards every message unchanged, so the two sessions together form one honest execution.
- Blocking strategy: the adversary follows the honest strategy independently in each session, so the two sessions are two unrelated honest executions.
Intuitive goal: design protocols such that the adversary is essentially limited to these unavoidable strategies.

Example: Commitment Scheme
Left commits to a value v in the left session; Middle commits to a value v' in the right session.
- If the adversary relays, then v' = v.
- If the adversary blocks, then v' is independent of v.
A scheme is non-malleable [DDN91] if either v' = v, or v and v' are (computationally) independent.
Non-malleability = the intuitive goal.

Comparison: MIM vs. Non-Malleability
- MIM model: an adversary sits between two parties that want to talk to each other. Preferred strategy: relaying.
- NM model: two sessions, with 2 of the 4 parties cooperating maliciously. Preferred strategy: blocking.

Summary
Our goal: construct protocols such that the adversary is essentially restricted to either blocking or relaying.
Technically, this is the same as non-malleability [DDN]. However, we take no moral stand on which of the two unavoidable strategies is "better".

Previous Work*:
- NM commitment with O(log n) rounds [DDN91]
- NM zero-knowledge with O(log n) rounds [DDN91]
This Work:
- NM commitment with O(1) rounds
- NM zero-knowledge with O(1) rounds
- Different techniques (e.g., a non-black-box proof of security)
- A generic transformation from the SRS model to the plain model
* See the next slide for works in the shared random string (SRS) model.

The Shared Random String Model (SRS)
A trusted dealer hands the same uniformly random string r to all parties, who then run the protocol ref(r).
- NM commitment with 1 round [DIO98, DKOS01]
- NM zero-knowledge with 1 round [Sah99, DDOPS01]

Our Approach: Convert ref
Replace the dealer by a coin-tossing protocol: Left and Middle run a coin toss with output r, Middle and Right run a coin toss with output r', and each honest party then runs ref on its own output (Left runs ref(r), Right runs ref(r')).
Informal Def: a coin-tossing protocol is non-malleable if either r' = r, or r' is (computationally) random and independent of r.
- If r' = r: the situation is the same as in an SRS execution.
- If r' is independent of r: formally different from the SRS model. However, if ref is "natural", it is still secure.
Thm: If ∃ a constant-round NM coin-tossing protocol, then ∃ a constant-round NM commitment scheme and a constant-round NM ZK argument.

Our Approach: Convert ref (cont.)
Our goal: design a constant-round non-malleable coin-tossing protocol.

Outline
Our goal: construct a constant-round NM coin-tossing protocol.
In the paper: we (define and) construct such a protocol.
Now: we solve a related toy problem, and then an even more related "bigger problem".

A Toy Problem
Informal Def (recalled): a coin-tossing protocol is non-malleable if either r' = r, or r' is (computationally) random and independent of r.
Let rev(r₁ … rₙ) = rₙ rₙ₋₁ … r₁ (the reversed string).
Toy problem: design a coin-tossing protocol such that w.h.p. r' ≠ rev(r), where r is the output of the left session and r' the output of the right session.

A Protocol Solving the Toy Problem
Left session (Left ↔ Middle, with Middle playing Right's role):
1. Left picks σ₁ ∈_R {0,1}^n and sends Comm(σ₁).
2. The other party picks σ₂ ∈_R {0,1}^n and sends σ₂.
3. Left sends r = σ₁ ⊕ σ₂ together with a witness-indistinguishable proof (WIP) that r = σ₁ ⊕ σ₂ or r ∈ BOGUS. Output: r.
Right session (Middle ↔ Right, with Middle playing Left's role): the same three messages, with Comm(σ₁') sent by Middle, σ₂' ∈_R {0,1}^n chosen by Right, and r' sent by Middle with a WIP that r' = σ₁' ⊕ σ₂' or r' ∈ BOGUS. Output: r'.
Thm: w.h.p. r' ≠ rev(r).
Observation: the theorem is possibly false without the BOGUS condition.
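The following Python is an added example, not part of the slides or the paper. It models the commit-then-reveal skeleton of the protocol above without the BOGUS branch (Left opens its commitment instead of giving a WIP) and with a deliberately bit-wise hash commitment, which is malleable under permutation of the per-bit commitments. It runs both sessions with a Middle that either relays, blocks, or mauls, and shows that the mauling Middle forces r' = rev(r) every time while Right still accepts: a concrete instance of the observation that the claim r' ≠ rev(r) can fail without the BOGUS condition. The commitment scheme, the bit length N and the message schedule are my own constructions for the demonstration.

```python
import hashlib
import secrets

N = 16  # toy bit length of the tossed string (constructed for the demo)


def commit_bits(bits):
    """Commit to each bit separately: c_i = SHA-256(b_i || nonce_i).

    Committing bit-by-bit is what makes this scheme malleable: a man in the
    middle can permute the list of per-bit commitments (and later the openings)
    without knowing the committed bits. This weakness is deliberate.
    """
    nonces = [secrets.token_bytes(16) for _ in bits]
    coms = [hashlib.sha256(bytes([b]) + nonce).digest()
            for b, nonce in zip(bits, nonces)]
    return coms, nonces


def verify_opening(coms, bits, nonces):
    """Check that (bits, nonces) opens every per-bit commitment in coms."""
    if not (len(coms) == len(bits) == len(nonces)):
        return False
    return all(hashlib.sha256(bytes([b]) + nonce).digest() == c
               for c, b, nonce in zip(coms, bits, nonces))


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def rev(bits):
    """rev(r_1 ... r_n) = r_n ... r_1, the toy relation from the slides."""
    return bits[::-1]


def random_bits(n):
    return [secrets.randbits(1) for _ in range(n)]


def run_with_mim(strategy):
    """Run the naive commit-then-reveal coin toss in two sessions joined by Middle.

    Message order in both sessions: Comm(sigma1); sigma2; opening of sigma1.
    Returns (r, r_prime, right_accepted): Left's output, Right's output, and
    whether Right accepted Middle's opening. strategy is one of
    "relay", "block", "maul".
    """
    # Left session, message 1: Left commits to sigma1.
    sigma1 = random_bits(N)
    coms, nonces = commit_bits(sigma1)

    # Right session, message 1: Middle sends a commitment to Right.
    if strategy == "relay":
        coms_prime = coms
    elif strategy == "block":
        sigma1_m = random_bits(N)              # Middle plays honest Left on the right
        coms_prime, nonces_m = commit_bits(sigma1_m)
    elif strategy == "maul":
        coms_prime = rev(coms)                 # commitment to rev(sigma1), sigma1 unknown to Middle
    else:
        raise ValueError(strategy)

    # Right session, message 2: Right sends its random share.
    sigma2_prime = random_bits(N)

    # Left session, message 2: Middle sends a share to Left.
    if strategy == "relay":
        sigma2 = sigma2_prime
    elif strategy == "block":
        sigma2 = random_bits(N)                # Middle plays honest Right on the left
    else:  # maul
        sigma2 = rev(sigma2_prime)

    # Left session, message 3: Left opens and outputs r = sigma1 xor sigma2.
    r = xor_bits(sigma1, sigma2)

    # Right session, message 3: Middle opens its commitment to Right.
    if strategy == "relay":
        open_bits, open_nonces = sigma1, nonces
    elif strategy == "block":
        open_bits, open_nonces = sigma1_m, nonces_m
    else:  # maul: permute Left's opening exactly as the commitments were permuted
        open_bits, open_nonces = rev(sigma1), rev(nonces)

    accepted = verify_opening(coms_prime, open_bits, open_nonces)
    r_prime = xor_bits(open_bits, sigma2_prime) if accepted else None
    return r, r_prime, accepted


if __name__ == "__main__":
    for s in ("relay", "block", "maul"):
        r, r_prime, ok = run_with_mim(s)
        print(f"{s:5s} accepted={ok} r'=r: {r_prime == r} r'=rev(r): {r_prime == rev(r)}")
```

With the mauling strategy, Left outputs r = σ₁ ⊕ rev(σ₂') and Right outputs r' = rev(σ₁) ⊕ σ₂' = rev(r), so rev is an "interesting" relation that this protocol lets Middle hit with probability 1, even though Middle never learns σ₁ before Right's share is fixed. Relaying gives r' = r and blocking gives an independent r', as on the earlier slide.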

Proof (sketch): Suppose that r' = rev(r) with non-negligible probability.
BOGUS properties:
1. BOGUS is pseudorandom.
2. For every r ∈ BOGUS, rev(r) ∉ BOGUS.
Consider a modified Left that outputs r ∈_R BOGUS instead of σ₁ ⊕ σ₂ and proves the branch "r ∈ BOGUS" in the WIP. By property 1 and witness indistinguishability, Middle still achieves r' = rev(r) with non-negligible probability. But then r' = rev(r) ∉ BOGUS by property 2, so by the soundness of the WIP and the binding of Comm the right session must satisfy σ₁' ⊕ σ₂' = r' = rev(r). This cannot hold with non-negligible probability: Right chooses σ₂' uniformly after Middle is committed to σ₁', and r is an independent sample from BOGUS.

A Bigger Problem

A Bigger Problem
Toy problem (recalled): design a coin-tossing protocol such that w.h.p. r' ≠ rev(r).
Informal Def (recalled): a coin-tossing protocol is non-malleable if either r' = r, or r' is (computationally) random and independent of r.
Def: a relation S is interesting if it is decidable in uniform polynomial time and for all r:
1. r ∉ S(r) (S cannot be hit using relaying);
2. Pr_y[y ∈ S(r)] < ε(n) for uniformly random y ∈ {0,1}^n (S cannot be hit using blocking).
Fix ε(n) = n^(-10 log n).
Bigger problem: design a coin-tossing protocol such that w.h.p. r' ∉ S(r) for all interesting relations S(·).

Solving the Bigger Problem
The same protocol as for the toy problem: Left sends Comm(σ₁) for σ₁ ∈_R {0,1}^n; the other party sends σ₂ ∈_R {0,1}^n; Left sends r = σ₁ ⊕ σ₂ with a WIP that r = σ₁ ⊕ σ₂ or r ∈ BOGUS, and outputs r. Likewise in the right session with σ₁', σ₂' and r'.
Thm: if Middle is uniform PPT, then for every interesting S, Pr[r' ∈ S(r)] = negl(n).

Proof (sketch): Suppose that r' ∈ S(r) with non-negligible probability for some interesting S.
BOGUS properties:
1. BOGUS is pseudorandom w.r.t. uniform PPT.
2. For every r ∈ BOGUS and every interesting S, S(r) ∩ BOGUS = ∅.
3. BOGUS ∈ SUBEXP.
As in the toy problem, let the modified Left output r ∈_R BOGUS and prove the BOGUS branch of the WIP. By property 1 and witness indistinguishability, Middle still achieves r' ∈ S(r) with non-negligible probability. Since r ∈ BOGUS, property 2 gives r' ∉ BOGUS, so by soundness of the WIP and binding of Comm the right session must satisfy σ₁' ⊕ σ₂' = r' ∈ S(r); the contradiction is then derived as in the toy problem.

Constructing the set BOGUS
BOGUS properties (recalled): 1. BOGUS is pseudorandom w.r.t. uniform PPT. 2. For every r ∈ BOGUS and every interesting S, S(r) ∩ BOGUS = ∅. 3. BOGUS ∈ SUBEXP.
Claim 1: a random subset B ⊆ {0,1}^n of size n^(log n) satisfies properties 1 and 2 w.h.p.
Claim 2: if ∃ a sub-exponentially hard OWF, then such a B can be chosen using polylog(n) coins (instead of 2^polylog(n) coins).
Claim 3: if ∃ a sub-exponentially hard OWF, then for B ⊆ {0,1}^n of size n^(log n) one can check in 2^polylog(n) steps whether B satisfies properties 1 and 2.
Construction: for each n, go over all possible coin tosses for choosing B, and define BOGUS ∩ {0,1}^n to be the first set that satisfies properties 1 and 2. Then BOGUS ∈ Dtime(2^polylog(n)) ⊆ SUBEXP.

Beyond the Bigger Problem
- Additional modifications are needed for security against non-uniform adversaries.
- The security proof makes non-black-box use of the adversary's code.
- The actual NM coin-tossing definition follows the ideal-functionality paradigm; modifications to the protocol are needed to satisfy it.
- Some technical difficulties arise with non-synchronizing schedules. They can be solved using multiple rewinding opportunities à la [RK] (similar to [GL]).

Conclusions & Open Questions
- First constant-round NM commitment and NM ZK in the plain model.
- A quite general transformation from the SRS model to the plain MIM model.
- Another positive application of non-black-box techniques.
- Generalize to other applications? More parties?
Acknowledgements: Alon Rosen

The End