Published by Lorena Surgener. Modified over 10 years ago.
1
Coin Tossing With A Man In The Middle
Boaz Barak
2
Man In The Middle (MIM) Attack
Left, Right – two party protocol
Middle: adversary completely controls communication
No shared secrets between left & right
No trusted parties or public information (e.g., no PKI)
3
Two Unavoidable Adversary Strategies
[Diagram: Left, Middle, Right; Left Session, Right Session]
Relaying Strategy - Adversary is transparent
Blocking Strategy - Adversary follows honest strategy independently in each session
Intuitive Goal: Design protocols s.t. adversary is essentially limited to unavoidable strategies.
4
Example: Commitment Scheme
[Diagram: Left, Middle, Right; Left Session, Right Session]
Input:
Com. Value:
If Adv. relaying then =
If Adv. blocking then independent of
Scheme is non-malleable [DDN91] if either = or and are (computationally) independent
Non-malleability = Intuitive goal
5
Comparison: MIM vs. Non-Malleability
MIM Model: Adversary between 2 parties that want to talk to each other. Preferred strategy: relaying
NM Model: Two sessions with 2 out of the 4 parties cooperating maliciously. Preferred strategy: blocking
6
Summary
Our goal: construct protocols s.t. adversary is essentially restricted to use either blocking or relaying.
Technically: same as non-malleability [DDN]
However: we don't take a moral stand on which unavoidable strategy is better.
7
Previous Work*:
NM Commit w/ O(log n) rounds [DDN91]
NM Zero-Knowledge w/ O(log n) rounds [DDN91]
This Work:
NM Commit w/ O(1) rounds
NM Zero-Knowledge w/ O(1) rounds
Different Techniques (e.g., Non-Black-Box Proof of Security)
Generic transformation from SRS model to plain model.
* See next slide for works in shared reference string (SRS) model
8
The Shared Random String Model (SRS)
[Diagram labels: Dealer; r; ref (r)]
NM Commit w/ 1-round [DIO98,DKOS01]
NM Zero-Knowledge w/ 1-round [Sah99,DDOPS01]
9
Our Approach: Convert ref
[Diagram: Left, Middle, Right; each party: Coin-Tossing, Output: r, Run ref (r)]
Informal Def: Coin-tossing is Non-Malleable if either r=r or r is (computationally) random & independent from r
If r=r : same as in SRS execution!
If r indp. from r: formally different from SRS
However, if ref is Natural then it is still secure!
Thm: If ∃ constant-round NM coin-tossing then ∃ constant-round NM commitment scheme and ZK argument.
10
Our Approach: Convert ref
[Diagram: Left, Middle, Right; Coin-Tossing, Output: r]
Informal Def: Coin-tossing is Non-Malleable if either r=r or r is (computationally) random & independent from r
Thm: If ∃ constant-round NM coin-tossing then ∃ constant-round NM commitment scheme and ZK argument.
Our Goal: Design a constant-round non-malleable coin-tossing protocol.
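Added example (not from the original slides): a Python simulation of the two unavoidable strategies, relaying and blocking, against a plain commit-then-open coin toss in which the output is the XOR of the two parties' coins. The hash-based commitment, the names s1/s2 and the class names are assumptions of this sketch; it omits the WIP/BOGUS step of the slides' protocol and is not claimed to be non-malleable.

```python
import hashlib
import secrets

N = 16  # coin length in bytes (constructed parameter)

def commit(value: bytes):
    """Hash-based commitment (assumption of this sketch): (commitment, opening nonce)."""
    nonce = secrets.token_bytes(32)
    return hashlib.sha256(nonce + value).digest(), nonce

def verify(com: bytes, nonce: bytes, value: bytes) -> bool:
    return secrets.compare_digest(com, hashlib.sha256(nonce + value).digest())

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Committer:
    """Left's role: commit to s1, receive s2, open s1; output r = s1 XOR s2."""
    def __init__(self):
        self.s1 = secrets.token_bytes(N)
        self.com, self.nonce = commit(self.s1)
    def finish(self, s2: bytes):
        self.r = xor(self.s1, s2)
        return self.s1, self.nonce

class Receiver:
    """Right's role: receive commitment, send s2, check the opening; output r."""
    def start(self, com: bytes) -> bytes:
        self.com, self.s2 = com, secrets.token_bytes(N)
        return self.s2
    def finish(self, s1: bytes, nonce: bytes):
        if not verify(self.com, nonce, s1):
            raise ValueError("bad opening")
        self.r = xor(s1, self.s2)

def relaying():
    """Middle forwards every message unchanged between Left and Right."""
    left, right = Committer(), Receiver()
    s2 = right.start(left.com)        # commitment: Left -> Middle -> Right
    right.finish(*left.finish(s2))    # s2 back to Left, then opening to Right
    return left.r, right.r

def blocking():
    """Middle runs the honest protocol separately in each session."""
    left, mid_recv = Committer(), Receiver()      # left session
    mid_recv.finish(*left.finish(mid_recv.start(left.com)))
    mid_comm, right = Committer(), Receiver()     # right session
    right.finish(*mid_comm.finish(right.start(mid_comm.com)))
    return left.r, right.r
```

Relaying yields the same output in both sessions; blocking yields two outputs drawn independently, which are the two outcomes the informal definition allows.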
11
Outline
Our goal: construct a constant-round NM coin-tossing protocol.
In the paper: we (define and) construct such a protocol.
Now: we solve a related toy problem and then an even more related bigger problem
12
A Toy Problem
Toy Problem: Design a coin-tossing protocol such that w.h.p. r rev(r)
rev(r_1 … r_n) = r_n r_{n-1} … r_1
Informal Def: Coin-tossing is Non-Malleable if either r=r or r is (computationally) random & independent from r
[Diagram: Left, Middle, Right; Coin-Tossing, Output: r]
13
A Protocol Solving the Toy Problem
[Protocol diagram: Left, Middle, Right; the same messages appear in the left and right sessions]
1 ∈_R {0,1}^n
2 ∈_R {0,1}^n
Comm( 1 )
2
r = 1 ⊕ 2
WIP: r = 1 ⊕ 2 or r ∈ BOGUS
Output: r
Thm: w.h.p. r rev(r)
Observation: possibly false w/o BOGUS condition.
14
Proof: Suppose that r=rev(r) with non-neg prob.
[Protocol diagram: Left, Middle, Right]
1 ∈_R {0,1}^n
2 ∈_R {0,1}^n
Comm( 1 )
2
r = 1 ⊕ 2
WIP: r = 1 ⊕ 2 or r ∈ BOGUS
r ∈_R BOGUS
r=rev(r)
BOGUS properties:
BOGUS is pseudorandom
For every r ∈ BOGUS, rev(r) BOGUS
r=rev(r) 1 ⊕ 2
r=rev(r) BOGUS
15
A Bigger Problem
16
A Bigger Problem
Toy Problem: Design a coin-tossing protocol such that w.h.p. r rev(r)
Bigger Problem: Design a coin-tossing protocol such that w.h.p. r S(r) for all interesting relations S(·)
Informal Def: Coin-tossing is Non-Malleable if either r=r or r is (computationally) random & independent from r
[Diagram: Left, Middle, Right; Coin-Tossing, Output: r]
Def: S is interesting if it is decidable in uniform poly-time and ∀r
1) r S(r) (Can't hit S using relaying)
2) Pr_y[ y ∈ S(r) ] < (|x|) (Can't hit S using blocking)
Fix (n) = n^(-10 log n)
17
Solving the Bigger Problem
[Protocol diagram: Left, Middle, Right; the same messages appear in the left and right sessions]
1 ∈_R {0,1}^n
2 ∈_R {0,1}^n
Comm( 1 )
2
r = 1 ⊕ 2
WIP: r = 1 ⊕ 2 or r ∈ BOGUS
Output: r
Thm: if Middle is uniform PPT then ∀ interesting S, Pr[ r ∈ S(r) ] = negl(n)
18
Proof: Suppose that r ∈ S(r) with non-neg prob.
[Protocol diagram: Left, Middle, Right]
1 ∈_R {0,1}^n
2 ∈_R {0,1}^n
Comm( 1 )
2
r = 1 ⊕ 2
WIP: r = 1 ⊕ 2 or r ∈ BOGUS
r ∈_R BOGUS
r ∈ S(r)
BOGUS properties:
BOGUS is pseudorandom w.r.t. uniform PPT
For every r ∈ BOGUS and interesting S, S(r) ∩ BOGUS = ∅
BOGUS ∈ SUBEXP
r BOGUS
r 1 ⊕ 2 S(r)
19
Constructing the set BOGUS
BOGUS properties:
1. BOGUS is pseudorandom w.r.t. uniform PPT
2. For every r ∈ BOGUS and interesting S, S(r) ∩ BOGUS = ∅
3. BOGUS ∈ SUBEXP
Claim 1: A random subset B ⊆ {0,1}^n of size n^(log n) satisfies properties 1&2 w.h.p.
Claim 2: If ∃ sub-exponentially hard OWF then can choose such B using polylog(n) (instead of 2^polylog(n)) coins.
Claim 3: If ∃ sub-exponentially hard OWF then for B ⊆ {0,1}^n of size n^(log n) can check in 2^polylog(n) steps if B satisfies properties 1&2.
For each n go over all possible coin tosses for choosing B
We define BOGUS ∩ {0,1}^n to be the first set that satisfies properties 1&2.
Then, BOGUS ∈ Dtime(2^polylog(n)) ⊆ SUBEXP
20
Beyond the bigger problem
Additional modifications needed for security against non-uniform adversaries.
Security proof involves non-black-box use of adversary's code.
Actual NM coin-tossing def follows ideal functionality paradigm.
Modifications to protocol needed to satisfy actual def.
Some technical difficulties arise with non-synchronizing schedules.
Can be solved using multiple rewinding opportunities à la [RK] (similar to [GL])
21
Conclusions & Open Questions
First constant-round NM Commit & NM ZK in plain model.
Quite general transformation from SRS model to plain MIM model.
Another positive application of non-black-box techniques.
Generalize to other applications? more parties?
Acknowledgements: Alon Rosen
22
The End