Rafael Pass Cornell University Constant-round Non-malleability From Any One-way Function Joint work with Huijia (Rachel) Lin.


Commitment Scheme
The “digital analogue” of sealed envelopes. (Figure: Sender sends a Commitment to Receiver, and later a Reveal.)
One of the most basic cryptographic tasks. Part of essentially all more involved secure computations. Can be constructed from any one-way function [N’89, HILL’99].

“Right” abstraction if: (Figure: Alice and Bob alone.)

But life is:

(Figure: Sender commits C(v) to MIM, who acts as Receiver on the left and as Sender on the right, committing C(v’) to Receiver.)
Possible that v’ = v+1 even though MIM does not know v!

Non-Malleable Commitments [Dolev Dwork Naor’91]
(Figure: Sender commits C(v) to MIM; MIM commits C(v’) to Receiver; identities i, j.)
Non-malleability: either MIM forwards (v = v’), or v’ is “independent” of v.

Non-Malleable Commitments [Dolev Dwork Naor’91]
(Figure: Sender commits C(i,v) to MIM; MIM commits C(j,v’) to Receiver.)
Non-malleability: if i ≠ j, then v’ is “independent” of v.

Non-Malleable Commitments [Dolev Dwork Naor’91]
(Figure: man-in-the-middle execution with identities i ≠ j, next to the simulation.)
Non-malleability: For every MIM there exists a “simulator” such that the value committed by MIM is indistinguishable from the value committed by the simulator.

Non-Malleable Commitments [Dolev Dwork Naor’91]
Important in practice. “Test-bed” for other tasks. Applications to MPC.

Non-malleable Commitments
Original work by [DDN’91]:
– OWF
– black-box techniques
– But: O(log n) rounds
Main question: how many rounds do we need?
With set-up: solved, 1 round from OWF [Di Crescenzo-Ishai-Ostrovsky’99, DKO, CF, FF, …, DG]
Without set-up:
– [Barak’02]: O(1) rounds, Subexp CRH + dense crypto
– [P’04, P-Rosen’05]: O(1) rounds using CRH
– [Lin-P’09]: O(1)^{log* n} rounds using OWF
– [P-Wee’10]: O(1) rounds using Subexp OWF
– [Wee’10]: O(log* n) rounds using OWF
Non-BB

Non-malleable Commitments (summary)
Without set-up: O(1) rounds from CRH or Subexp OWF; O(log* n) rounds from OWF.

Main Theorem
Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.
Note: Since commitment schemes imply OWF, we have unconditionally that any commitment scheme can be turned into one that is O(1)-round and non-malleable.
Note: As we shall see, this also weakens the assumptions for O(1)-round secure multi-party computation.

DDN Protocol Idea
(Figure: left commitment C(i,v) with identity i = 01…1; right commitment C(j,v’).)
Blue does not help Red and vice versa.

The Idea: What if we could run the message scheduling “in the head”?
Let us focus on non-aborting and synchronizing adversaries (ones that never send an invalid message in the left execution).

Com(id,v), with id = 00101: (Figure: c = C(v), followed by a WI-POK.)
WI-POK statement: I know v s.t. c = C(v), OR I have “seen” the sequence id.

Signature Chains
Consider 2 “fixed-length” signature schemes Sig_0, Sig_1 (i.e., signatures are always of length n) with keys vk_0, vk_1.
Def: (s, id) is a signature-chain if for all i, s_{i+1} is a signature of “(i, s_i)” using scheme id_{i+1}.
Example:
s_0 = r
s_1 = Sig_0(0, s_0), id_1 = 0
s_2 = Sig_0(1, s_1), id_2 = 0
s_3 = Sig_1(2, s_2), id_3 = 1
s_4 = Sig_0(3, s_3), id_4 = 0

Signature Games
You are given vk_0, vk_1 and you have access to signing oracles Sig_0, Sig_1. Let σ denote the access pattern to the oracles; that is, σ_i = b if in the i’th interaction you access oracle b.
Claim: If you output a signature-chain (s, id), then, w.h.p., id is a substring of the access pattern σ.

Com(id,v): (Figure: vk_0; r_0, Sign_0(r_0); vk_1; r_1, Sign_1(r_1); then c = C(v) and a WI-POK.)
WI-POK statement: I know v s.t. c = C(v), OR I have “seen” the sequence id.

Com(id,v): (Figure: vk_0; r_0, Sign_0(r_0); vk_1; r_1, Sign_1(r_1); then c = C(v) and a WI-POK.)
WI-POK statement: I know v s.t. c = C(v), OR I know a sig-chain (s, id) w.r.t. id.

Non-malleability through dance
(Figure: left execution of Com w.r.t. i and right execution w.r.t. j, each consisting of vk_0, r_0, Sign_0(r_0), vk_1, r_1, Sign_1(r_1), c = C(v) and the WI-POK.)
* In the actual protocol we need “many” sequential WI-POKs à la [LP’09].

Dealing with Aborting Adversaries
Problem 1:
– MIM will notice that I ask him to sign a signature chain.
– Solution: Don’t. Ask him to sign commitments of sigs… (need to add a POK of the commitment to prove the sig-game lemma).
Problem 2:
– I might have to “rewind” many times on the left to get a single signature.
– So if I have id = 01011, the access pattern on the right is 0*1*0*1*…
– Solution: Use 3 keys (0, 1, 2); require a chain w.r.t. 2 id_1 2 id_2 2 id_3 …
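As an added example (not code from the talk), here is a toy model in Python of the signature game from the Signature Chains and Signature Games slides, plus the three-key variant from the aborting-adversary slide. The fixed-length signature schemes are stood in for by HMAC-SHA256 under independent keys (an assumption for illustration only; any fixed-length signature scheme would do), and the names SignOracles, make_chain, is_chain, is_substring, expand_id and play are mine.

```python
import hashlib, hmac, os
from typing import List, Tuple

class SignOracles:
    """Signing oracles Sig_0, Sig_1 (and Sig_2) that log the access pattern sigma.
    Constructed stand-in: HMAC-SHA256 under independent keys, so every "signature"
    is a fixed-length 32-byte tag as the slides require (not a real signature scheme)."""
    def __init__(self, nkeys: int = 2):
        self.keys = [os.urandom(32) for _ in range(nkeys)]  # sk_0, sk_1 (, sk_2)
        self.pattern: List[int] = []  # sigma_i = b if the i'th query went to Sig_b

    def _tag(self, b: int, msg: bytes) -> bytes:
        return hmac.new(self.keys[b], msg, hashlib.sha256).digest()

    def sign(self, b: int, msg: bytes) -> bytes:
        self.pattern.append(b)  # every oracle access is logged
        return self._tag(b, msg)

    def verify(self, b: int, msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self._tag(b, msg), sig)  # checking is not an access

def link(i: int, s_i: bytes) -> bytes:
    """The message "(i, s_i)" whose signature becomes s_{i+1}."""
    return i.to_bytes(4, "big") + s_i

def make_chain(o: SignOracles, ident: List[int], r: bytes) -> List[bytes]:
    """s_0 = r, s_{i+1} = Sig_{id_{i+1}}(i, s_i): each link needs the previous one first."""
    s = [r]
    for i, b in enumerate(ident):
        s.append(o.sign(b, link(i, s[i])))
    return s

def is_chain(o: SignOracles, s: List[bytes], ident: List[int]) -> bool:
    """Does (s, id) form a signature-chain?"""
    return len(s) == len(ident) + 1 and all(
        o.verify(b, link(i, s[i]), s[i + 1]) for i, b in enumerate(ident))

def is_substring(ident: List[int], pattern: List[int]) -> bool:
    n = len(ident)
    return any(pattern[k:k + n] == ident for k in range(len(pattern) - n + 1))

def expand_id(ident: List[int]) -> List[int]:
    """Three-key variant from the aborting-adversary slide: id -> 2 id_1 2 id_2 2 id_3 ..."""
    return [x for b in ident for x in (2, b)]

def play(ident: List[int]) -> Tuple[bool, bool]:
    """Honest chain for the expanded id: (chain verifies, expanded id is a substring of sigma)."""
    o = SignOracles(nkeys=3)
    o.sign(0, b"unrelated query")  # extra accesses do not hide the chain's pattern
    s = make_chain(o, expand_id(ident), os.urandom(32))
    return is_chain(o, s, expand_id(ident)), is_substring(expand_id(ident), o.pattern)
```

Because each link signs the previous link, the chain can only be produced by querying the oracles in the order given by id, which is why the logged pattern must contain id.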

Main Theorem
Main technique: exploit the rewinding pattern (instead of just the location).
Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.
Some applications:

Secure Multi-party Computation [Yao, GMW]
A set of parties with private inputs wish to jointly compute a function of their inputs while preserving the privacy of the inputs (as much as possible). Security must be preserved even if some of the parties are malicious.

Secure Multi-party Computation [Yao, GMW]
Original work of [Goldreich-Micali-Wigderson’87]: TDP, n rounds.
More recent: “stronger assumption, fewer rounds”
– [Katz-Ostrovsky-Smith’03]: TDP + dense cryptosystems, log n rounds; TDP + CRH + dense crypto with SubExp security, O(1) rounds, non-BB
– [P’04]: TDP + CRH, O(1) rounds, non-BB

NMC vs. MPC
Thm [Lin-P-Venkitasubramaniam’09]: TDP + k-round “robust” NMC ⇒ O(k)-round MPC.
Holds both for stand-alone MPC and UC-MPC (in a number of set-up models).
Corollary: TDP ⇒ O(1)-round MPC.

NM ZK
Thm [Lin-P-Tseng-Venkitasubramaniam’10]: k-round “robust” NMC ⇒ O(k)-round NMZK.
Corollary: OWF ⇒ O(1)-round NMZK.
Can also get concurrent NMZK by adding ω(log n) rounds.

What’s Next – Adaptive Hardness
Consider the Factoring problem: given the product N of 2 random n-bit primes p, q, can you provide the factorization?
Adaptive Factoring Problem: given the product N of 2 random n-bit primes p, q, can you provide the factorization if you have access to an oracle that factors all other N’ that are products of equal-length primes?
Are these problems equivalent? Unknown!

Adaptively-hard Commitments [Canetti-Lin-P’10]
A commitment scheme that remains hiding even if Adv has access to a decommitment oracle. Implies non-malleability (and more!).
Thm [CLP’10]: Existence of commitments implies O(n^ε)-round adaptively-hard commitments.

Thank You