Concurrency and Non-malleability. Rafael Pass, Cornell University.

Secure Multi-party Computation [Yao, Goldreich-Micali-Wigderson]
Goal: allow a set of distrustful parties to compute any functionality f of their inputs, while preserving:
– Correctness
– Privacy
Even when there is no honest majority.

The Classic Stand-Alone Model: one set of parties executing a single protocol in isolation.

But life is CONCURRENT: many parties running many different protocol executions.

The Chess-master Problem [DDN’91] (figure: one game at 8am, which is lost, and one game at 8pm, with the moves relayed between the two boards). Win at least 1 (or draw both).

Similar attack on crypto protocols!

Man-in-the-middle Attacks (figure: Alice, the initiator, sends a; the MIM, acting as responder towards Alice and as initiator towards Bob, forwards 5a; Bob, the responder, replies b; the MIM forwards b/5 to Alice). The MIM controls the channel between Alice and Bob.

This Talk
– Commitment schemes secure against man-in-the-middle attacks
– Use such commitments to improve SMC: better round complexity also for stand-alone security; concurrent security

Commitment Scheme: the “digital analogue” of sealed envelopes (figure: a Commitment phase followed by a Reveal phase between Sender and Receiver). One-way functions are both sufficient and necessary [N’89, HILL’99].

(Figure: the Sender commits C(v) to the MIM, who plays receiver on the left and sender on the right and commits C(v’) to the Receiver.) Possible that v’ = v+1, even though the MIM does not know v! Messages are arbitrarily interleaved: the MIM controls scheduling.

Non-Malleable Commitments [Dolev Dwork Naor’91] (figure: the Sender commits C(v) to the MIM on the left; the MIM commits C(v’) to the Receiver on the right). Non-malleability: either the MIM forwards, so v = v’, or v’ is “independent” of v.

Non-Malleable Commitments [Dolev Dwork Naor’91], with identities (figure: C(i, v) on the left, C(j, v’) on the right). Non-malleability: if i ≠ j, then v’ is “independent” of v.

Non-Malleable Commitments [Dolev Dwork Naor’91, P-Rosen’05] (figure: the man-in-the-middle execution with identities i ≠ j, next to a stand-alone simulation with identity j). Non-malleability: for every MIM there exists a “simulator” such that the value committed to by the MIM is indistinguishable from the value committed to by the simulator.

Non-Malleable Commitments: important in practice; a “test-bed” for other tasks; applications to MPC.

Non-malleable Commitments
Original work by [DDN’91]: OWF, black-box techniques, but O(log n) rounds.
Main question: how many rounds do we need?
With set-up: solved, 1 round from OWF [Di Crescenzo-Ishai-Ostrovsky’99, DKO, CF, FF, …, DG].
Without set-up:
– [Barak’02]: O(1) rounds from subexponential CRH + dense crypto (non-BB)
– [P’04, P-Rosen’05]: O(1) rounds using CRH (non-BB)
– [Lin-P’09]: O(1)^{log* n} rounds using OWF (NM amplification)
– [P-Wee’10]: O(1) rounds using subexponential OWF (NM amplification)
– [Wee’10]: O(log* n) rounds using OWF (NM amplification)

Summary of the state of the art without set-up: O(1) rounds from CRH or subexponential OWF; O(log* n) rounds from OWF.

Thm [Lin-P’11]: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.
Note: since commitment schemes imply OWF, we have unconditionally that any commitment scheme can be turned into one that is O(1)-round and non-malleable.
Note: as we shall see, this also weakens the assumptions for O(1)-round secure multi-party computation.
Even more excitingly: Vipul Goyal independently proved the same result, using very different techniques relying on NM amplification.

DDN Protocol Idea (figure: C(i, v) on the left with i = 01…1, and C(j, v’) on the right, the two message schedules drawn in blue and red). Blue does not help red and vice versa.

The Idea: what if we could run the message scheduling in the head? Let us focus on non-aborting and synchronizing adversaries (adversaries that never send invalid messages in the left execution).

Com(id, v) with id = 00101 (figure): the sender sends c = C(v) and then a WI-POK of “I know v s.t. c = C(v)” or “I have ‘seen’ the sequence id”.

Signature Chains. Consider 2 “fixed-length” signature schemes Sig_0, Sig_1 (i.e., signatures are always of length n) with keys vk_0, vk_1.
Def: (s, id) is a signature-chain if for all i, s_{i+1} is a signature of “(i, s_i)” under the scheme selected by id_{i+1}, i.e. s_{i+1} = Sig_{id_{i+1}}(i, s_i).
Example: s_0 = r; s_1 = Sig_0(0, s_0), id_1 = 0; s_2 = Sig_0(1, s_1), id_2 = 0; s_3 = Sig_1(2, s_2), id_3 = 1; s_4 = Sig_0(3, s_3), id_4 = 0.

Signature Games. You are given vk_0, vk_1 and you have access to signing oracles Sig_0, Sig_1. Let α denote the access pattern to the oracles; that is, α_i = b if in the i’th interaction you access oracle b. Claim: if you output a signature-chain (s, id), then, w.h.p., id is a substring of the access pattern α.

Com(id, v), refined (figure: the protocol begins with the exchanges vk_0, r_0, Sign_0(r_0) and vk_1, r_1, Sign_1(r_1), in the order given by id; then the sender sends c = C(v) and a WI-POK of “I know v s.t. c = C(v)” or “I have ‘seen’ the sequence id”).

Com(id, v), final form (figure: the same exchanges vk_0, r_0, Sign_0(r_0), vk_1, r_1, Sign_1(r_1), then c = C(v) and a WI-POK of “I know v s.t. c = C(v)” or “I know a sig-chain (s, id) w.r.t. id”).

Non-malleability through the “dance” (figure: left execution with keys vk_0, vk_1, the exchanges r_0, Sign_0(r_0), r_1, Sign_1(r_1), then c = C(v) and a WI-POK w.r.t. i; right execution with keys vk’_0, vk’_1, the exchanges r’_0, Sign_0(r’_0), r’_1, Sign_1(r’_1), then c = C(v’) and a WI-POK w.r.t. j). Note: the signature keys on L and R might be different; we violate the security of the signature game for the key on R.

Dealing with Aborting Adversaries
Problem 1:
– The MIM will notice that I ask him to sign a signature chain.
– Solution: don’t. Ask him to sign commitments of signatures… (need to add a POK of the commitment to prove the signature-game lemma).
Problem 2:
– I might have to “rewind” many times on the left to get a single signature.
– So if I have id = 01011, the access pattern on the right is 0*1*0*1*…
– Solution: use 3 keys (0, 1, 2); require a chain w.r.t. 2 id_1 2 id_2 2 id_3 …
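As an added example (not from the talk), the signature-chain definition and the access-pattern claim of the Signature Games slide, together with the 3-key padding from the aborting-adversaries slide, in Python. The two fixed-length schemes are modelled by a signing oracle that uses HMAC as a constructed stand-in for a real signature, so verification also goes through the oracle; the chain builder, the chain checker and the `padded_id` helper are assumptions of this example, not the construction in the paper.

```python
import hashlib
import hmac
import os

# Constructed stand-in: Sig_b is modelled as HMAC-SHA256 under secret key
# material held by the oracle. A real scheme would verify under the public
# key vk_b alone; here verification has to go through the oracle as well.
SIG_LEN = 32  # "fixed-length" signatures, as the Signature Chains slide assumes


class SigningOracle:
    """Holds the signing keys and records which key each query used."""

    def __init__(self, num_keys=2):
        self._keys = {b: os.urandom(32) for b in range(num_keys)}
        self.access_pattern = []  # index b of the oracle used, in query order

    def sign(self, b, message):
        self.access_pattern.append(b)
        return hmac.new(self._keys[b], message, hashlib.sha256).digest()

    def verify(self, b, message, sig):
        expected = hmac.new(self._keys[b], message, hashlib.sha256).digest()
        return len(sig) == SIG_LEN and hmac.compare_digest(expected, sig)


def chain_message(i, s_i):
    """Encoding of the pair "(i, s_i)" that s_{i+1} signs."""
    return i.to_bytes(4, "big") + s_i


def build_chain(oracle, id_bits, s0):
    """Honest construction: s_{i+1} = Sig_{id_{i+1}}(i, s_i).

    Each link signs the previous link, so the oracle queries necessarily
    happen in the order given by id; the recorded access pattern is id itself.
    """
    s = [s0]
    for i, b in enumerate(id_bits):
        s.append(oracle.sign(b, chain_message(i, s[i])))
    return s


def is_signature_chain(oracle, s, id_bits):
    """Def from the slide: (s, id) is a chain if every link verifies under id_{i+1}."""
    if len(s) != len(id_bits) + 1:
        return False
    return all(oracle.verify(b, chain_message(i, s[i]), s[i + 1])
               for i, b in enumerate(id_bits))


def id_in_access_pattern(oracle, id_bits):
    """The Signature Games claim: id appears as a substring of the access pattern."""
    pattern = "".join(map(str, oracle.access_pattern))
    return "".join(map(str, id_bits)) in pattern


def padded_id(id_bits):
    """3-key variant of the aborting-adversaries slide: 2 id_1 2 id_2 2 id_3 ..."""
    return [x for b in id_bits for x in (2, b)]
```

Tampering with any link, or checking the chain against a different id, makes `is_signature_chain` fail, while the padded chain forces a query to key 2 between every two id bits.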

Dealing with Non-synchronizing Adversaries: not hard; same technique as in LP’09. Just add more WIPOKs… Will return to this point later.

Main Technique: exploit the rewinding pattern (instead of just the location). Thm: assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security. Some extensions:

Concurrent Non-Malleable Commitments [P-Rosen’05, Lin-P-Venkitasubramaniam’09] (figure: left commitments C(i_1, v_1), C(i_2, v_2), …, C(i_m, v_m); right commitments C(j_1, v’_1), C(j_2, v’_2), …, C(j_n, v’_n); identities i_1, …, i_m and j_1, …, j_n). To deal with copying: if i_k = j_l, then v’_l = ⊥. Messages are arbitrarily interleaved: the MIM controls scheduling. For any v_1, …, v_m and w_1, …, w_m, the view + values committed to by the MIM are indistinguishable.

One-Many Non-Malleability (figure: a single left commitment C(i, v) with identity i; right commitments C(j_1, v’_1), C(j_2, v’_2), …, C(j_n, v’_n)). Thm [PR’05, LPV’08]: one-many NM ⇒ concurrent NM. Our O(1)-round construction is also concurrent NM.

One-Many Non-Malleability (figure: two one-many executions, each with C(i, v) on the left and C(j_1, v’_1), …, C(j_n, v’_n) on the right, and the SAME protocol LEFT and RIGHT!). ≈ {views + values}.

Robust Non-Malleability w.r.t. k-round protocols [Lin-P’09] (figure: two executions as in one-many NM; IF the pictured condition holds THEN ≈ {views + values}). DEF: Com is “robust” if the IF/THEN condition in the figure holds. Robust NM w.r.t. 4-round protocols. EASY to satisfy if Com has more than k rounds!

Secure Multi-party Computation [Yao, GMW]
Original work of [Goldreich-Micali-Wigderson’87]: TDP, n rounds.
More recent: “stronger assumption, fewer rounds”:
– [Katz-Ostrovsky-Smith’02]: TDP, dense cryptosystems, log n rounds; TDP, CRH + dense crypto with SubExp security, O(1) rounds, non-BB
– [P’04]: TDP, CRH, O(1) rounds, non-BB
Non-malleability is implicitly used in all these works!

NMC vs. SMC. Thm [Lin-P-Venkitasubramaniam’09]: TDP + k-round robust NMC ⇒ O(k)-round SMC. Holds both for stand-alone MPC and UC-SMC (in a number of set-up models). Corollary: TDP ⇒ O(1)-round SMC.

Back to Concurrent SMC

UC security [Canetti’01] (figure: real world with environment Z, adversary A and instances of π running alongside other protocols ρ; ideal world with Z, simulator S and instances of the ideal functionality f). Running the protocol π in the concurrent setting is “as correct & private as” computing f using a trusted party in the concurrent setting: S simulates the view of A, and the outputs of the honest parties are the same in the two worlds. Both A and S are required to be PPT.

UC security [Canetti’01] (figure as before). Simulator S needs to “extract” A’s input without disturbing the execution with Z, while ensuring that the inputs of the honest parties remain hidden. Straight-line extraction; “non-malleability”.

The State of UC Security
Secure 2-party computation is impossible! [Canetti-Kushilevitz-Lindell’03]
– And even for somewhat weaker models [Canetti-Fischlin’02, Lindell’03, Lindell’04, Barak-Prabhakaran-Sahai’06]
– Intuition: if S can extract inputs “straight-line”, then so can the attacker.
Possible: with limited “trusted help”
– Trusted set-up models: honest majority [BGW88, CCD88, BR89, DM00], CRS [BFM, CLOS], PKI [BCNP], timing model [DNS, KLP], tamper-proof hardware [K], …
– Thm [Lin-P-Venkitasubramaniam’09]: use Robust NM Com to get a crisp and essentially tight characterization (assuming TDP) of when a set-up can be used to get UC SMC. Essentially all known UC SMC results follow as a corollary, with improved computational assumptions and round complexity. Can mix and match set-ups! [Garg, Goyal, Jain, Sahai, yesterday]

Who can you trust? Thm (Machiavelli): NO ONE.

Super-Poly Time Simulation (SPS) [P’03] (figure: Z, A and S). Allow a super-poly-time security reduction. We know a poly-time security reduction is impossible. Possible! [(P’03), Prabhakaran-Sahai’04, Barak-Sahai’05, Lin-P-Venkitasubramaniam’09]. But, using strong hardness assumptions. Still meaningful in many (most) cases.

Prabhakaran-Sahai’04 (figure: Z, A, S, π and f as in the UC picture). Simulator S needs to “extract” A’s input without disturbing the execution with Z, while ensuring that the inputs of the honest parties remain hidden. Assume an “id-based hash function”: hard to find a collision w.r.t. id even if you have oracle access to someone who finds random collisions w.r.t. any other id’ ≠ id. Use the collision-finding oracle to extract in super-poly time! By security of the id-based hash … (continued in the figure).

CCA-Secure Commitments [Canetti-Lin-P’10] (figure: the adversary A receives a commitment C(x) with identity i on the left; on the right A sends commitments C(y_1), C(y_2), C(y_3) with identities j_1, j_2, j_3 to an oracle O, which returns y_1, y_2, y_3). Chosen-Commitment-Attack (CCA) security: either A copies the left identifier to the right, or the LHS is hiding, i.e., the view of A is indistinguishable.

Concurrent Non-Malleable Commitments (same figure: A receives C(x) with identity i on the left and commits C(y_1), C(y_2), C(y_3) with identities j_1, j_2, j_3 on the right). Non-malleability: either A copies the left identifier to the right, or the view of A + (y_1, y_2, y_3) is indistinguishable. CCA security ⇒ concurrent non-malleability.

Thm [CLP’10]: existence of OWF implies O(n^ε)-round robust CCA-secure commitments.
– Need to deal with both NM and “nesting” of executions à la concurrent ZK [Dwork-Naor-Sahai’99]
– Rely on the original message scheduling technique of [Dolev-Dwork-Naor’91] + ideas behind the concurrent ZK simulation of [Richardson-Kilian’01]
Thm [CLP’10]: robust CCA-secure commitments + OT imply SPS-secure SMC.
Open: O(1)-round CCA-secure commitments from OWF?

More Open(-ended)
Open question: what is the right definition of concurrent security (without trusted set-up)?
SPS security provides weak guarantees on the “computational advantages” gained by an adversary:
– Sufficient when security in the ideal model is information-theoretic (or just sufficiently “strong”)
– But not sufficient to preserve security of “moderately-hard” properties
“Rewindable TTP” [Goyal-Sahai’08, Goyal-Jain-Ostrovsky’10]:
– Need very efficient precise simulations [Micali-P’06]
– Currently best concurrent simulation: omega(1) “rewindings” [Pandey-P-Sahai-Tseng-Venkitasubramaniam’08]
Can we compose different security notions?

The Dark Side of Concurrency. Don’t worry: lower bounds.

Lower Bounds using Concurrency
Security reduction R from breaking B to breaking an intractability assumption C (figure: the challenger C sends r to R, which answers f(r); R has oracle access to O). Black-box reduction: R^O breaks C whenever O breaks B.
For some classic protocols/tasks (sequential WH of classic ZK protocols, active security of Schnorr’s identification scheme, the selective decommitment problem, Chaum’s blind signatures, …) no security reductions are known under ANY 2-round intractability assumption.
Thm [P’11]: if there exists a BB reduction (but potentially non-BB construction) from a poly-round intractability assumption C, then C can be broken in poly time.
Why concurrency? The reduction can nest its calls to O; concurrent simulation techniques are very useful!

Thank You

Overview of Our Construction (figure: A receives C(x) with identity i on the left; on the right A sends C(y_1), C(y_2), C(y_3) with identities j_1, j_2, j_3 to a helper H, which returns y_1, y_2, y_3). Design a protocol s.t. H can be efficiently simulated. Then hiding ⇒ CCA security. But: 1. A may ask new messages in the LHS, so the LHS is not hiding anymore (NM); 2. A may nest oracle calls, so the extraction time by rewindings explodes (conc. ZK).

Secure Multi-party Computation [Yao, GMW]: a set of parties with private inputs wish to jointly compute a function of their inputs while preserving the privacy of the inputs (as much as possible). Security must be preserved even if some of the parties are malicious.

What’s Next – Concurrency for General Interaction

What’s Next – Adaptive Hardness. Consider the factoring problem: given the product N of 2 random n-bit primes p, q, can you provide the factorization? Adaptive factoring problem: given the product N of 2 random n-bit primes p, q, can you provide the factorization if you have access to an oracle that factors all other N’ that are products of equal-length primes? Are these problems equivalent? Unknown!

What’s Next – Adaptive Hardness. Adaptively-hard Commitments [Canetti-Lin-P’10]: a commitment scheme that remains hiding even if the adversary has access to a decommitment oracle. Implies non-malleability (and more!). Thm [CLP’10]: existence of commitments implies O(n^ε)-round adaptively-hard commitments.

Without Trusted Set-up
Specific tasks and attacks:
– Concurrent zero-knowledge [Dwork-Naor-Sahai, Richardson-Kilian, Kilian-Petrank, Prabhakaran-Rosen-Sahai, Barak’01, …]
– Non-malleable commitments [Dolev-Dwork-Naor’91, …]
Relaxed notions of security:
– E.g., “super-poly simulation”, “angel-based security”, “input indistinguishability” [P03, Prabhakaran-Sahai’04, Barak-Sahai’05, Micali-P-Rosen’06, Lin-P-Venkitasubramaniam’09, Canetti-Lin-P’10]

Angel-Based Security [Prabhakaran-Sahai’04] (figure: Z, A and S, where both the simulator and the adversary receive help from an angel O; composable). Angel: a restricted super-poly-time oracle performing some specific, system-dependent task, e.g., find a collision of a CRH as long as the colliding inputs include the id of the requesting party. Possible [Prabhakaran-Sahai’04, Malkin-Moriarty-Yung’06, Barak-Sahai’05]! But, even stronger assumptions, e.g., adaptively hard CRH.

Zero Knowledge [Goldwasser-Micali-Rackoff’85]: an interactive protocol between a Prover and a Verifier where the Verifier learns nothing except the proof statement.

For every PPT V* (adversary) there is a PPT simulator S (figure: the view of V* with the Prover and the view generated by S are indistinguishable, ≈).

Concurrent ZK (cZK) [Dwork-Naor-Sahai’01] (figure: the view of V* with the Prover ≈ the view generated by the simulator S).

Classic ZK Protocol [Feige-Shamir’90] (figure: Prover and Verifier). INIT: commit to a random secret σ. Slot: proof of knowledge of σ. END: a modified proof where σ is a trapdoor: WI proof that x ∈ L or “I know σ”.

Classic ZK Protocol [Feige-Shamir’90], simulation (figure: Simulator against V*). INIT: commit to a random secret σ. Slot: proof of knowledge of σ; rewind the slot and, the 2nd time, extract σ. END: give the proof using σ. What about cZK?

Concurrent Zero Knowledge (figure: Simulator against V* with 3 nested sessions). Rewinding here ⇒ redo the work of the nested sessions. Takes time O(2^{#nestings}) [KPR’00].

Richardson-Kilian (figure: INIT, many slots, END). Need to extract σ for every session. Easier if there are more slots: cannot “nest” inside all slots, and rewinding any one slot extracts σ.
