Input-Indistinguishable Computation. Silvio Micali (MIT), Rafael Pass (Cornell), Alon Rosen (Harvard).

Definitions vs. Protocols
Crypto in the 20th century: protocols -> definitions.
Crypto in the 21st century: definitions -> protocols.
This talk:
New definition (input-indistinguishable computation)
1. For secure two-party computation (malicious).
2. Definition is "simulation free."
3. Inspired by witness indistinguishability.
New protocol
1. Concurrency without trusted set-up.
2. Standard complexity assumptions.
Our motivation is "protocol driven." We do not achieve the "holy grail" of cryptography (yet)…

Modern Crypto Methodology
Define security (what it means to break the scheme).
Specify adversary in terms of: 1. computational power, 2. access to scheme.
Construct scheme and prove that breaking it implies solving (assumed) computationally hard problem (e.g. factoring).
Need to convince that:
1. Definition is meaningful.
2. Adversary is realistic.
3. Assumption is reasonable.
Delicate balance. To reach balance:
1. Establish feasibility.
2. Improve efficiency.
3. Weaken hardness assumption.
See if can satisfy a stronger definition (stronger adversary)...

Secure Two-Party Computation
Alice, Bob. IDEAL vs. REAL: for all PPT B* there exists a PPT S.
Theorem [Yao, GMW, Kil]: Assuming OT protocol, every efficient two-party function can be securely computed.
1. Is definition meaningful? YES
2. Is adversary realistic? WELL…
3. Is assumption reasonable? If you believe Factoring/DL are hard.

UC/General/Self Composition [C, L03, L04]
IDEAL vs. REAL, with many concurrent executions of A and B.
Theorem [CKL, L03, L04]: For most "interesting" functions, definitions of UC/General/Self composition cannot be achieved.
1. Is definition meaningful? YES
2. Is adversary realistic?
3. Is assumption reasonable? Maybe, if we just had a protocol…

Set-Up Assumptions
Theorems [CLOS, BCNP, CDPW]: Assuming OT, every efficient two-party function can be securely (UC) computed with some form of trusted set-up.
IDEAL vs. REAL, with a Reference String.
1. Meaningful? 2. Realistic?

Super-Polynomial Time Simulation [P03]
IDEAL vs. REAL: for all PPT B* there exists a super-polynomial-time S.
Theorems [PS, BS]: Assuming subexp-hardness (and OT), every eff. two-party function can be securely computed with quasi-poly simulator.
1. Is definition meaningful? YES in many cases
2. Is adversary realistic?
3. Is assumption reasonable? [BS] very sensitive to security parameters; [PS] non-standard assumptions

Super-Polynomial Time Simulation
Super-polynomial time simulation (SPS) is very appealing:
1. Yields meaningful security guarantee.
2. Handles a realistic adversary.
3. Has the potential of being realized
  a. Under standard assumptions.
  b. Without constraints on security parameters.
But coming up with such a protocol is still open.
Definition: Any protocol (A,B) is secure.
We give a definition that can be realized:
a. Under standard assumptions.
b. Without constraints on security parameters.
c. In face of unbounded number of concurrent executions.
d. Is (arguably) meaningful for many interesting functions.
e. May lead to solution that admits unbounded simulation.

Input-Indistinguishable Computation
Consider:
1. honest A with input x
2. malicious B* with input y
3. B* should get output.
Properties:
1. Correctness.
2. Input-Independence
3. Input-Indistinguishability (Privacy): ALL inputs of A compatible with output of B* are "EQUALLY LIKELY". To distinguish x0, x1 must use y* s.t. F(x0,y*) ≠ F(x1,y*).
  1. Trivial if single-input per output
  2. Generalization of Witness-Indist [FS90]
What is y*? Implicit input function IN(view_B*) = y*

Witness Indistinguishability [FS90]
Prover, Verifier.
view(w) = V*'s view of the interaction when P uses w.
Witness Indistinguishability: for all PPT V* and all w0, w1, view(w0) and view(w1) are indistinguishable.
WI property "well-behaved" under concurrent composition.

Interactive Proofs vs. Two-Party Computation
P, V* | A, B*
V* has no input | B* has input y
V* output is 0/1 | B* output is F(x,y*)
P input "hard" to compute | A input can be finite

Implicit Input Function
Implicit input function IN_B:
1. defined on B*'s view of the interaction.
2. Wlog view depends only on x and on randomness of A.
3. Well defined for all possible views.
Notation: for all PPT B* and all x, y* <- IN_B(view(x)).
Consistency: Output of A = F(x,y*).
Output delivery message: there exists a round in protocol s.t.
1. Implicit input is fully defined from view so far, but
2. no "information" about output has been released yet.
Implicit input and output round are implicit in ideal/real like definitions, but not required explicitly!

Input-Indistinguishable Computation
(A,B) securely computes F w.r.t. A if there exists an implicit input function IN_B s.t.
Completeness: in honest execution of (A,B) with inputs x,y, output = F(x,y).
Input-Independence: for all PPT B* and all x0, x1, IN_B(view(x0)) and IN_B(view(x1)) are indistinguishable.
Input-Indistinguishability: for all PPT B* and all x0, x1, with y* <- IN_B(view): B* can only "distinguish" x0 and x1 when F(x0,y*) ≠ F(x1,y*) (and B* received output in the protocol).

Input-Indistinguishable Computation
(A,B) securely computes F w.r.t. A if there exists an implicit input function IN_B s.t.
Completeness: in honest execution of (A,B) with inputs x,y, output = F(x,y).
Input-Indist. and Indep.: for all PPT B* and all x0, x1, Expt_0(x0, x1) and Expt_1(x0, x1) are indistinguishable.
Expt_i(x0, x1):
  view <- view of B* in execution with A(x_i)
  y* <- IN_B(view)
  If output = true and F(x0,y*) ≠ F(x1,y*):
  Otherwise: (y*, view)

Example
Oblivious transfer function: F((s0,s1),c) = s_c (so x = (s0,s1) and y = c).
Input independence: c is (computationally) independent of (s0,s1).
Input indistinguishability: Given s_{c*} as output, and view((s0,s1)), the input s_{1-c*} could take any value.
Very meaningful.
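To make the Expt_i experiment of the preceding slides concrete, here is an added Python model (not from the slides or the paper's protocol) of Expt_i for the OT example in the ideal trusted-party setting, plus a constructed "leaky" variant that also hands back the non-chosen secret, which the definition rejects. Assumed: B*'s strategy (choice bit = first coin), a two-bit coin space, and None as the stand-in for the masked branch's output symbol, which is lost in the transcript.

```python
from collections import Counter
from itertools import product

# Constructed toy instance of the slides' OT example: F((s0, s1), c) = s_c on one-bit secrets.
def F(x, y):
    s0, s1 = x
    return s1 if y == 1 else s0

COINS = list(product((0, 1), repeat=2))   # B*'s (constructed) two-bit random-coin space

def run(x, coins, leaky=False):
    """Stand-in for one execution of (A, B*) in the ideal trusted-party model.
    Assumed B* strategy: its choice bit is the first coin, so it cannot depend on x.
    Returns B*'s view: (coins, choice sent, reply received). The 'leaky' variant is a
    constructed broken functionality that also hands back the non-chosen secret."""
    c = coins[0]
    reply = (F(x, c),) if not leaky else (F(x, c), F(x, 1 - c))
    return (coins, c, reply)

def IN_B(view):
    """Implicit input function: read off the choice bit B* committed to in its view."""
    return view[1]

def expt(i, x0, x1, coins, leaky=False):
    """Expt_i(x0, x1) from the slides. Assumption: the output for the masked branch
    (its symbol is lost in the transcript) is modelled here as None."""
    view = run((x0, x1)[i], coins, leaky)
    y_star = IN_B(view)
    if F(x0, y_star) != F(x1, y_star):
        return None
    return (y_star, view)

def expt_distribution(i, x0, x1, leaky=False):
    """Exact output distribution of Expt_i over B*'s coin space."""
    return Counter(expt(i, x0, x1, coins, leaky) for coins in COINS)

def input_indistinguishable(x0, x1, leaky=False):
    """Input-indistinguishability here: Expt_0 and Expt_1 have identical distributions."""
    return expt_distribution(0, x0, x1, leaky) == expt_distribution(1, x0, x1, leaky)

def input_independent(x0, x1, leaky=False):
    """Input-independence: the distribution of y* = IN_B(view) does not depend on A's input."""
    def choice_dist(x):
        return Counter(IN_B(run(x, coins, leaky)) for coins in COINS)
    return choice_dist(x0) == choice_dist(x1)

if __name__ == "__main__":
    # Honest OT passes; the leaky one fails because the view reveals s_{1-c} even when s_c agrees.
    print(input_indistinguishable((0, 1), (0, 0)))             # True
    print(input_indistinguishable((0, 1), (0, 0), leaky=True))  # False
```

Note that for inputs whose chosen secrets differ under every choice bit, such as (0,1) and (1,0), both experiments are masked on every coin toss, so the definition imposes nothing, exactly as the "EQUALLY LIKELY" slide says.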

Concurrent Input Indistinguishable Computation
(A,B) securely computes F w.r.t. A if there exists an implicit input function IN_B s.t.
Completeness: in honest execution of (A,B) with inputs x,y, output = F(x,y).
Concurrent Inp-Indist. and Indep.: for all PPT B* and all x0, x1, Expt_0(x0, x1) and Expt_1(x0, x1) are indistinguishable.
Basic Concurrency:
1. Same Protocol (self composition)
2. Fixed input sequences
3. Can be extended to handle arbitrary corruptions.

Composability
Unlike WI (and UC), input-indistinguishability does not compose in general. There exist protocols that are
1. stand-alone input indistinguishable, but
2. not concurrent input indistinguishable (even for two executions).
The problem is the potential malleability of (A,B). Any solution must take malleability into consideration. Turns out that ensuring non-malleability is sufficient!

Main Theorem
Theorem: Suppose there exist (trapdoor) claw-free permutations. Then for any efficient 2-party function F, there exists a concurrent input-indistinguishable protocol for computing F.
Trapdoor claw-free permutations:
1. Required for OT, CRH, perfectly hiding commitments.
2. Follow from hardness of Factoring/DL.

High-Level Idea of Protocol
Yao's protocol secure against honest-but-curious. Compile à la GMW, but:
1. Instead of normal ZK, NMZK protocols of [P04][PR05]
  a. Instructions of NMZK depend on identity of prover.
  b. Different provers have different identities.
2. Provable Determinism [LMS04]: once first message sent, only one possible continuation (except for ZK).
3. And some more…
Let (A,B) denote resulting protocol.

Analysis
Lemma: (A,B) is (stand-alone) ideal/real secure.
Lemma: Stand-alone ideal/real -> stand-alone inp.-ind.
1. Implicit input is the value fed to trusted party.
2. Requires augmenting outputs of ideal/real w/ input of B*.
3. Relies on existence of output delivery message.
4. B*,D breaking inp.-ind. -> B**,D breaking ideal/real.
Lemma: (A,B) stand-alone inp.-ind. -> (A,B) conc. inp.-ind.
1. Implicit inputs same as in stand-alone.
2. Interplay between Hybrid argument and Simulation.
3. Mixture of Black-box and Non black-box [PR05].

One-many Simulation-Extractable ZK [PR05]
Left interaction: simulate only one ZK execution.
Right interaction: concurrently extract witnesses from many executions.
(Figure: B* in the middle; one ZK_ID on the left with simulator S; ZK_ID1 … ZK_IDm on the right with extracted witnesses w1 … wm.)

Concurrent -> Stand-Alone
Assume existence of concurrent adversary B* and two input sequences s.t. the corresponding EXPT can be distinguished. Construct B** that violates stand-alone inp.-ind. of (A,B).
(Figure: B* run on the two input sequences x1, x2, …, xm; output (view, y*).)

Concurrent -> Stand-Alone
Using a hybrid argument. Only need to simulate the ZK proof in the ith execution. Requires to extract all y*.
(Figure: B** wraps M with executions on x1 … xm; the ith execution uses x_i from either of the two sequences.)

Comparison
Columns: Meaningful definition | Realistic adversary | Reasonable assumption
Stand-Alone: YES | NO | YES
UC: YES NO
SPS [BS]: YES* potential YES* YES
This work: YES** YES

Summary
Zero-knowledge (simulation paradigm) seems to have "hit the wall" with respect to protocol composition.
Maybe [Goldreich Micali Wigderson 87] has made us "too ambitious…"
Perhaps we should
1. Give up in meaningfulness of definitions.
  a) Super polynomial-time simulators [P03, PS04, BS05].
  b) Based on indistinguishability [FS90].
2. Give up in generality of definitions.
  a) Be meaningful only in specific cases.
  b) Secure protocols for specific tasks [PR05, BPS06].

Thank You!