Universally Composable computation with any number of faults Ran Canetti IBM Research Joint works with Marc Fischlin, Yehuda Lindell, Rafi Ostrovsky, Tal.


Universally Composable computation with any number of faults Ran Canetti IBM Research Joint works with Marc Fischlin, Yehuda Lindell, Rafi Ostrovsky, Tal Rabin, Amit Sahai

Nice sun …

yeah...

You know, I’m richer than you.

No way. How much are you worth?

I won’t tell you… How much are you worth?

You tell first!

No, you tell first!

No, you tell first!

I have X $ … is X>Y? … I have Y $ : The millionaires problem [Yao82]

Secure Computation A set of parties with private inputs. Parties wish to jointly compute a function of their inputs so that: –Privacy: each party receives its output and nothing else. –Correctness: the output is correctly computed Properties must be ensured even if some of the parties maliciously attack the protocol.

Feasibility of Secure Computation Any multi-party functionality can be securely computed assuming an honest majority [BGW88,CCD88,RB89] Any multi-party functionality can be securely computed for any number of corrupted parties, assuming trapdoor permutations [Y86,GMW87]

However… Above-mentioned feasibility relates to stand-alone model of computation only. –In this model, one set of parties executes a single protocol in isolation. But, does this capture security in real adversarial settings (e.g., the Internet)?

General Adversarial Setting Network with many executions taking place concurrently Arbitrary protocols co-exist but are not aware of each other. Possibly related inputs used in different executions (malleability problems, etc.) Feasibility needs to be re-evaluated for this setting.

Universally Composable (UC) security A framework for obtaining security in a general, multi-execution adversarial setting [C01]. Methodology: –Protocols are analyzed as stand-alone –Security in the multi-execution setting is derived via a composition theorem UC security guarantees security even in arbitrary, multi-protocol settings.

Secure Computation: Traditional definitions The ideal model simulation paradigm [Goldreich-Micali-Wigderson87]: Ideal model: parties send inputs to a trusted party, who computes the function and sends the outputs. Real model: parties run the protocol with no trusted help. A protocol is secure if the adversary can do no more harm in the real model than in the ideal model. –More formally: the outputs of the real and ideal executions are indistinguishable. (Many formalizations, e.g. [Goldwasser-Levin90, Micali-Rogaway91, Beaver91, Canetti93, Pfitzmann-Waidner94, Canetti00, Dodis-Micali00, Pfitzmann-Schunter-Waidner00].)

UC Definition Introduces an additional adversarial entity called the environment Z. Z provides inputs to the parties, reads their outputs and interacts with the adversary throughout the execution. Z represents the external environment, and acts as an interactive distinguisher.

UC real model [Figure: the environment writes inputs to the parties and reads their outputs; the parties interact via the protocol; the environment and the adversary interact arbitrarily.]

UC ideal model [Figure: the environment writes inputs and reads outputs as before; the parties hand their inputs to the trusted party (ideal functionality); the environment and the ideal-model adversary interact arbitrarily.]

UC Security A protocol is UC secure if for every real-model adversary A, there exists an ideal-model adversary S, such that no Z can distinguish between a real execution with A and an ideal execution with S.

UC Security [Figure: REAL execution (protocol interaction with adversary A) versus IDEAL execution (trusted party / ideal functionality with simulator S); the environment must not be able to tell which one it is interacting with.]

Example: The ZK functionality (for relation R) 1.Receive (P,V,x,w) from P 2.Receive (V,P,x) from V 3.Send (P,x,R(x,w)) to V Note: V is assured that it accepts only if R(x,w)=1 (soundness) P is assured that V learns nothing but R(x,w) (Zero-Knowledge)

Example: The commitment functionality 1. Upon receiving (“commit”,C,V,x) from C, record x, and send (C,“receipt”) to V. 2. Upon receiving (“open”) from C, send (C,x) to V. Note: V is assured that the value it received in step 2 was fixed in step 1. C is assured that V learns nothing about x before it is opened.

Example: The Oblivious Transfer functionality 1. Receive (“send”,v1,…,vn) from A 2. Receive (“get”,i) from B 3. Send vi to B. Note: A is assured that B learns only one value out of v1,…,vn. B is assured that A learns nothing.

Universal Composition: 1. Present the composition operation 2. State the composition theorem

The composition operation (Originates with [Micali-Rogaway91]) Start with: a protocol that uses ideal calls to F (call it the F-hybrid protocol); a protocol that securely realizes F. Construct the composed protocol: each call to F is replaced with an invocation of the realizing protocol; each value returned from the realizing protocol is treated as coming from F. Note: in the F-hybrid protocol, parties call many copies of F. In the composed protocol, many copies of the realizing protocol run concurrently.

The composition operation (single call to F) [Figure: the hybrid protocol’s one call to F is replaced by a run of the realizing protocol.]

The composition operation (multiple calls to F) [Figure: each of the hybrid protocol’s calls to F is replaced by a separate, concurrently running copy of the realizing protocol.]

The universal composition theorem: [C. 01] The composed protocol “emulates” the F-hybrid protocol. (That is, for any adversary A there exists an adversary A’ such that no Z can tell whether it is interacting with the composed protocol and A, or with the F-hybrid protocol and A’.) Corollary: If the F-hybrid protocol securely realizes functionality G, then so does the composed protocol. (Weaker composition theorems were proven in e.g. [Micali-Rogaway91, Canetti00, Dodis-Micali00, Pfitzmann-Schunter-Waidner00].)

Implications of the UC theorem 1. Can design and analyze protocols in a modular way: –Partition a given task T into simpler sub-tasks T1…Tk –Construct protocols for realizing T1…Tk. –Construct a protocol for T assuming ideal access to T1…Tk. –Use the composition theorem to obtain a protocol for T from scratch. (Analogous to subroutine composition for correctness of programs, but with an added security guarantee.)

Implications of the UC theorem 2. Assume a protocol securely realizes ideal functionality F. Can deduce security of that protocol in any multi-execution environment: As far as the environment is concerned, interacting with (multiple copies of) the protocol is equivalent to interacting with (multiple copies of) F.

Questions: How to write ideal functionalities that adequately capture known/new tasks? Are known protocols UC-secure? (Do these protocols realize the ideal functionalities associated with the corresponding tasks?) How to design UC-secure protocols?

Existence results: Honest majority Multiparty protocols with honest majority: Thm: Can realize any functionality [C. 01]. (e.g. use the protocols of [BenOr-Goldwasser-Wigderson88, Rabin-BenOr89,Canetti-Feige-Goldreich-Naor96] ).

Two-party functionalities Known protocols do not work. (“Black-box simulation with rewinding” cannot be used.) Many interesting functionalities (commitment, ZK, coin tossing, etc.) cannot be realized in the plain model. More impossibility results in [Canetti-Kushilevitz-Lindell03]. In the “common random string model” can do: –UC Commitment [Canetti-Fischlin01, Canetti-Lindell-Ostrovsky-Sahai02, Damgard-Nielsen02, Damgard-Groth03]. –UC Zero-Knowledge [CF01, DeSantis et al. 01] –Any two-party functionality [CLOS02] (Generalizes to any multiparty functionality with any number of faults.)

Secure computation: The [GMW87] paradigm 1) Construct a protocol secure against semi-honest adversaries (who follow the protocol specification). 2) Construct a compiler that transforms protocols secure in the semi-honest model into protocols secure against malicious adversaries.

The [GMW87] paradigm: Semi-honest parties 1) Represent the ideal functionality as a Boolean circuit (state represented as “feedback lines”) 2) Each party shares its input bits among all others (using a simple sum scheme) 3) The parties evaluate the circuit gate by gate. Each gate evaluation needs 1-out-of-4 oblivious transfer between any pair of parties. 4) Output lines are revealed to the corresponding parties. Shares of “feedback lines” kept. -Works even in the UC model (using known protocols).
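The following is an added example, not code from the talk or from the cited papers: a two-party instance of the semi-honest [GMW87] evaluation just described, in Python. Inputs are XOR-shared, XOR and NOT gates are evaluated locally, and each AND gate costs one 1-out-of-4 oblivious transfer, which is modeled here as an ideal functionality (a local function that returns only the selected entry), in the spirit of the hybrid-model analysis the talk uses. The circuit is a 2-bit comparator for the millionaires problem from the opening slides; the gate list and the function names are this example’s own.

```python
import secrets

# Ideal 1-out-of-4 OT, standing in for the OT functionality the slide assumes:
# the receiver learns exactly the entry it indexes; the sender learns nothing.
def ot_1_of_4(sender_table, receiver_index):
    assert len(sender_table) == 4 and 0 <= receiver_index < 4
    return sender_table[receiver_index]

def share_bit(bit):
    """Additive (XOR) sharing of one bit: returns (P0's share, P1's share)."""
    s0 = secrets.randbits(1)
    return s0, bit ^ s0

def and_gate(a0, b0, a1, b1):
    """AND on shared wires a = a0^a1 and b = b0^b1. P0 holds (a0, b0),
    P1 holds (a1, b1). Returns output shares (c0, c1) with c0^c1 == a & b."""
    c0 = secrets.randbits(1)  # P0 picks its own output share at random
    # P0 tabulates, for every possible pair of P1's shares (x, y), the value
    # P1 must receive so that c0 ^ c1 equals the real AND of the two wires.
    table = [c0 ^ ((a0 ^ x) & (b0 ^ y)) for x in (0, 1) for y in (0, 1)]
    c1 = ot_1_of_4(table, 2 * a1 + b1)  # P1 fetches the entry for its real shares
    return c0, c1

def evaluate(circuit, inputs0, inputs1):
    """Semi-honest two-party evaluation of a Boolean circuit over shared wires.
    inputs0 / inputs1: {wire: bit} held privately by P0 / P1.
    circuit: list of ("XOR", a, b, out), ("AND", a, b, out), ("NOT", a, out).
    Returns each party's share of every wire."""
    w0, w1 = {}, {}
    for name, bit in {**inputs0, **inputs1}.items():
        w0[name], w1[name] = share_bit(bit)  # the input's owner deals the shares
    for op, *args in circuit:
        if op == "XOR":          # linear gate: each party XORs its own shares
            a, b, out = args
            w0[out], w1[out] = w0[a] ^ w0[b], w1[a] ^ w1[b]
        elif op == "NOT":        # linear gate: only one party flips its share
            a, out = args
            w0[out], w1[out] = w0[a] ^ 1, w1[a]
        elif op == "AND":        # non-linear gate: one OT per AND
            a, b, out = args
            w0[out], w1[out] = and_gate(w0[a], w0[b], w1[a], w1[b])
        else:
            raise ValueError(op)
    return w0, w1

# 2-bit comparator X > Y from XOR/AND/NOT gates (constructed for this example).
# g1 (x1=1, y1=0) and t (high bits equal, x0=1, y0=0) are mutually exclusive,
# so their OR is simply their XOR.
GT_CIRCUIT = [
    ("NOT", "y1", "ny1"), ("AND", "x1", "ny1", "g1"),
    ("XOR", "x1", "y1", "d1"), ("NOT", "d1", "e1"),
    ("NOT", "y0", "ny0"), ("AND", "x0", "ny0", "g0"),
    ("AND", "e1", "g0", "t"),
    ("XOR", "g1", "t", "out"),
]

def millionaires(x, y):
    """P0 holds x, P1 holds y (both in 0..3); returns whether x > y.
    Only the output wire is reconstructed; all other wires stay shared."""
    in0 = {"x1": (x >> 1) & 1, "x0": x & 1}
    in1 = {"y1": (y >> 1) & 1, "y0": y & 1}
    w0, w1 = evaluate(GT_CIRCUIT, in0, in1)
    return bool(w0["out"] ^ w1["out"])
```

Because every intermediate wire is held as two random shares and the OT returns only one table entry, each party’s view consists of uniformly random bits plus its own input and the output, which is exactly the semi-honest privacy claim of the slide.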

[GMW87] Protocol Compilation Aim: force the malicious parties to follow the protocol specification. How? –Parties commit to inputs –Parties commit to uniform random tapes (use secure coin-tossing to ensure uniformity) –Parties use zero-knowledge protocols to prove that every message sent is according to the protocol (and consistent with the committed input and random-tape).

Constructing a UC “[GMW87] compiler” Problem: In [GMW87], neither commitment nor ZK is UC. General approach to solution: –Construct UC commitment protocols –Construct UC ZK protocols –Construct a GMW compiler given access to the ideal Commitment and ZK functionalities. Use the composition theorem to deduce security.

Constructing UC commitment Roughly speaking, need to make sure that the ideal model simulator can: –Extract the committed value from a corrupted committer. –Generate commitments that can be opened in multiple ways. –Explain internal state of committer upon corruption.

Constructing UC commitment ([CF01]) To obtain equivocability: –Let {f0, f1} be a trapdoor claw-free permutation pair. –Commitment Scheme: CRS: {f0, f1}. To commit to bit b, send f_b(r). To open, send b, r. –Simulator knows trapdoors {f0^-1, f1^-1}, thus can equivocate: find r0, r1 s.t. f0(r0) = f1(r1) = y, send y. But: Not extractable…
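An added illustration of the equivocation step on this slide (example code, not the [CF01] protocol or the authors’ code): a toy claw-free permutation pair built from RSA, with f0(r) = r^E and f1(r) = c·r^E mod N, so that a claw reveals an E-th root of c. The committer and receiver see only the CRS (N, E, c); the simulator additionally holds the RSA trapdoor D and uses it to compute preimages of the same y under both f0 and f1. The modulus is textbook-sized and c is a constructed value; nothing here is meant as a secure instantiation.

```python
# Toy RSA parameters, constructed for illustration (textbook-sized, not secure).
N, E, D = 3233, 17, 2753      # N = 61*53, D = E^-1 mod (60*52)

def clawfree_pair(c):
    """Claw-free pair from RSA: f0(r) = r^E mod N, f1(r) = c * r^E mod N.
    A claw f0(r0) = f1(r1) gives r0/r1 as an E-th root of c, so claws are
    infeasible without the trapdoor D (for real-sized N). CRS = (N, E, c)."""
    f0 = lambda r: pow(r, E, N)
    f1 = lambda r: (c * pow(r, E, N)) % N
    return f0, f1

def commit(c, b, r):
    """Committer: to commit to bit b with randomness r, send y = f_b(r)."""
    return clawfree_pair(c)[b](r)

def verify_open(c, y, b, r):
    """Receiver: accept the opening (b, r) of y iff f_b(r) == y."""
    return clawfree_pair(c)[b](r) == y

def equivocate(c, y):
    """Simulator with trapdoor D: for any y coprime to N, find r0, r1 with
    f0(r0) = f1(r1) = y, so the same y can later be opened as 0 or as 1."""
    r0 = pow(y, D, N)                            # r0^E = y
    r1 = pow((y * pow(c, -1, N)) % N, D, N)      # c * r1^E = y
    return r0, r1

C_PUBLIC = 1234   # the CRS element c (constructed; must be a unit mod N)
```

The honest committer, lacking D, is bound by the claw-freeness of the pair; the simulator is not, which is exactly the asymmetry the slide exploits. What this toy does not provide is extractability: y alone carries no information the simulator could decrypt to recover b, which is why the next slide adds an encryption of r.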

Constructing UC commitment ([CF01]) To add extractability: –Let (E,D) be a CCA encryption scheme. –Commitment Scheme: CRS: {f0, f1}, E. To commit to b, send f_b(r), E(r’,r). To open, send b, r, r’. –Simulator knows D, can decrypt and extract b. But: lost equivocability…

Constructing UC commitment ([CF01]) To restore equivocability: –Scheme: CRS: {f0, f1}, E. To commit to b, send f_b(r), E(r’,r), E(r’’,0). To open, send b, r, r’. (Don’t send r’’.) –To extract, simulator decrypts the encryption. –To equivocate, simulator chooses r0, r1 such that f0(r0) = f1(r1) = y and sends y, E(r’,r0), E(r’’,r1). To avoid copying, add sender identity: send y, E(r’,id,r0), E(r’’,id,r1). To be adaptively secure, use E where ciphertexts are pseudorandom.

Constructing UC commitment [CF01] scheme: –Needs trapdoor claw free pairs –Needs CCA encryption with p.r. ciphertexts [CLOS02] improvements: –Replace c.f.p. with the [FLS] equivocable commitment based on any OWF. –Use double encryption, where internal scheme is CCA secure and external is CPA secure with p.r. ciphertexts. (Can do from any t.d.p.)

Constructing UC ZK Run any 3-round ZK protocol for NP, using the ideal commitment functionality [CF01]. Can use also “robust NIZKPOK” [DDOPS01] (non adaptive).

[GMW87] Protocol Compilation (recap) Aim: force the malicious parties to follow the protocol specification. How? –Parties commit to inputs –Parties commit to uniform random tapes (use secure coin-tossing to ensure uniformity) –Parties use zero-knowledge protocols to prove that every message sent is according to the protocol (and consistent with the committed input and random-tape). Problem: If ideal commitment is used, there is no commitment string to prove statements on…

The “Commit&Prove” primitive Define a single primitive where parties can: –Commit to values –Prove “in ZK” statements regarding the committed values

The Commit&Prove functionality (for relation R) 1. Upon receiving (“commit”,C,V,w) from C, record w, and send (C,“receipt”) to V. 2. Upon receiving (“prove”,x) from C, send (C,x,R(x,w)) to V. Note: V is assured that the value x it received in step 2 stands in the relation with some value w that C provided earlier. C is assured that V learns nothing in addition to x and R(x,w). Given access to ideal C&P, can do the [GMW87] compiler without computational assumptions.

Realizing “Commit&Prove” (given ideal ZK) Let COM be a perfectly binding commitment scheme. To commit to w, C sends (“prove”,C,V,COM(r;w),(w,r)) to ZK_Rc, where Rc = {(a,(w,r)) : a = COM(r;w)}. Upon receiving (C,a,1) from ZK_Rc, V outputs (C,“receipt”). To give x and prove R(x,w), C sends (“prove”,C,V,(x,a),(w,r)) to ZK_Rv, where Rv = {((x,a),(w,r)) : a = COM(r;w) & R(x,w)}. Upon receiving (C,x,a,b) from ZK_Rv, V outputs (C,x,b).
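An added executable walk-through of this construction (example code, not the talk’s own): the ideal ZK functionality for a relation is modeled as a function that hands the verifier the statement and the relation bit, COM is instantiated with SHA-256 (only computationally binding, standing in for the perfectly binding COM of the slide), and the relations Rc and Rv are written out as stated. The sample relation R(x,w) (“w is a square root of x”), the class names and the extra check that the statement refers to the commitment V actually received a receipt for are this example’s own assumptions.

```python
import hashlib
import secrets

def COM(r, w):
    """Commitment to w under randomness r. SHA-256 stands in for the
    perfectly binding COM of the slide (a hash is only computationally binding)."""
    return hashlib.sha256(f"{r}|{w}".encode()).hexdigest()

def ideal_zk(relation, statement, witness):
    """Ideal ZK functionality for `relation`: V receives the statement and the
    bit relation(statement, witness), and nothing else about the witness."""
    return statement, int(bool(relation(statement, witness)))

def R_c(a, witness):
    """Rc = {(a, (w, r)) : a = COM(r; w)}."""
    w, r = witness
    return a == COM(r, w)

def R_v_for(R):
    """Rv = {((x, a), (w, r)) : a = COM(r; w) and R(x, w)}."""
    def R_v(statement, witness):
        x, a = statement
        w, r = witness
        return a == COM(r, w) and R(x, w)
    return R_v

class Committer:
    def __init__(self, w):
        self.w, self.r = w, secrets.randbits(128)
        self.a = COM(self.r, self.w)

    def commit_msg(self):
        """("prove", C, V, a, (w, r)) sent to ZK_Rc."""
        return self.a, (self.w, self.r)

    def prove_msg(self, x, witness=None):
        """("prove", C, V, (x, a), (w, r)) sent to ZK_Rv. A cheating committer
        may supply a different witness; Rv ties it back to the committed a."""
        return (x, self.a), (witness or (self.w, self.r))

class Verifier:
    def __init__(self, R):
        self.R_v, self.a = R_v_for(R), None

    def on_commit(self, committer):
        a, wit = committer.commit_msg()
        stmt, b = ideal_zk(R_c, a, wit)
        if b == 1:
            self.a = stmt              # output (C, "receipt") and remember a
        return b == 1

    def on_prove(self, committer, x, witness=None):
        stmt, wit = committer.prove_msg(x, witness)
        (x_out, a_out), b = ideal_zk(self.R_v, stmt, wit)
        # Added check (not on the slide): the statement must name the very
        # commitment V holds a receipt for, otherwise the proof is rejected.
        if a_out != self.a:
            return x_out, 0
        return x_out, b                # output (C, x, b)

def run_demo():
    """Constructed relation R(x, w): w is a square root of x."""
    R = lambda x, w: w * w == x
    C, V = Committer(7), Verifier(R)
    receipt = V.on_commit(C)
    honest_true = V.on_prove(C, 49)
    honest_false = V.on_prove(C, 50)
    cheat = V.on_prove(C, 64, witness=(8, 12345))   # witness inconsistent with a
    return receipt, honest_true, honest_false, cheat
```

The last call shows the point of folding COM into Rv: the committer does know a square root of 64, but because that witness does not open the commitment a it proved earlier, the ideal ZK for Rv outputs 0 and V learns nothing beyond x and the bit.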

Extension to multiparty Generalize all primitives (Comm, ZK, C&P) to the case of multiple verifiers Realize using a broadcast channel Can implement broadcast channels in an asynchronous network with any number of faults. (This is due to the fact that we don’t require parties to terminate.)

Recycling the CRS (while preserving modularity) In present formalization, each commitment needs a separate copy of the CRS. If we want to have multiple commitments use the same CRS, need to analyze them together, thus losing modularity. Can get around this problem using “universal composition with joint state” (JUC) [CR03].

Summary Motivated the need for composability as a basic requirement in cryptography. Presented the UC framework and composition theorem Sketched how to realize any functionality in a UC way, with any number of faults.