
Adaptive UC from New Notions of Non-Malleability. Muthuramakrishnan Venkitasubramaniam, Workshop: Theory and Practice of Secure Multiparty Computation.



Presentation transcript:

Slide 1: Adaptive UC from New Notions of Non-Malleability. Muthuramakrishnan Venkitasubramaniam, Workshop: Theory and Practice of Secure Multiparty Computation. 15 years of UC-security [Canetti00]; 25 years of adaptive (dynamic) security [Beaver89]. Joint work with Dana Dachman-Soled, Maryana Raykova and Tal Malkin.

Slide 2: How can we achieve O(1)-round semi-honest 2-party computation? Yao.

Slide 3: Security by comparison. REAL world: parties with inputs x1, y1 (and x2, y2) run the protocol against adversary A_R. IDEAL world: the parties hand their inputs to a trusted party, against adversary A_I (the simulator). The real execution should be "as correct & private as" the ideal one. Correctness: the output of every player is the same in real and ideal. Privacy: the messages can be generated by the simulator from its input & output.

Slide 4: Concurrent security. REAL: many executions of different protocols. IDEAL: many executions, each with an independent trusted party.

Slide 5: Universal Composability [C]. REAL world: an arbitrary network with adversary A_R. IDEAL world: adversary A_I. Requirements: simulate messages without the honest input; independence of executions.

Slide 6: What can we implement with UC-security? Theorem [CF, CKL, L]: it is impossible to achieve UC-security for all "non-trivial functionalities". Solution: get some "limited" help from a trusted party, OR relax the definition of security.

Slide 7: Static corruption: parties are corrupted in the beginning. Adaptive corruption: parties are corrupted adaptively during execution.

Slide 8: Why adaptive security? It is a stronger definition of security: static security does not imply adaptive security. It implies leakage resilience* [BCH12, NVZ13]. It is relevant to cloud security [RTSS09]: an attacker can adaptively co-locate VMs and mount side-channel attacks.

Slide 9: General results in adaptive UC-security? Trusted setups: Common Reference String [CLOS02, DN02, DG03, CPS07]; Public Key Registration [BCNP04]. Relaxed security: Super-Poly Time Simulation (SPS) [BS05]. What about static UC-security?

Slide 10: What about static UC-security? Trusted setups: Common Reference String [CLOS02, DN02, DG03, CPS07, DNO10]; Public Key Registration [BCNP04, DNO10]; Tamper-Proof Hardware [Kat07, CGS08, GISVW10]; Timing Model [DNS98, KLP05]. Relaxed security: Super-Poly Time Simulation (SPS) [Pas03, BS05, GGJS12]; Angel-based Security Model [PS04, MMY06, CLP10]; Bounded (Player) Concurrent [Barak]; Non-Uniform Simulation [LPV09].

Slide 11: State of the art. Static security: a unified framework to achieve security in any setup under minimal trusted infrastructure [LPV09]; security can be achieved assuming only SA-OT [DNO10, LPV12]. Adaptive security: constructions only in a few trusted setups; constructions based on specific assumptions such as dense cryptosystems or trapdoor simulatable PKE; they require independent setups for every pair of parties, e.g. sunspots [CPS07].

Slide 12: Achieving UC-security, static case [LPV09]. A trusted setup yields a UC-puzzle (used for simulation). Stand-alone non-malleability plus one-way functions yield non-malleability. Simulation and non-malleability together give UC-security.

Slide 13: Achieving UC-security, static case [LPV09, LPV12]. Static security: Static OT + Puzzle + NMC => Static UC. This work: when, and at what cost, can adaptive UC security be achieved?

Slide 14: Ideally... Static security: Static OT + Puzzle + NMC => Static UC. Adaptive security: Adap. OT + Adap. Puzzle + ? => Adap. UC.

Slide 15: Our work. Static security: Static OT + Puzzle + NMC => Static UC. Adaptive security: Adap. OT + Adap. Puzzle + ? => Adap. UC.

Slide 16: Our work. Adaptive security: Adap. OT is replaced by simulatable PKE (Simul. PKE) + Adap. Puzzle + ? => Adap. UC.

Slide 17: Our work. Adaptive security: Simul. PKE + Adap. Puzzle + NM* => Adap. UC, where NM* is the new notion of non-malleability.

Slide 18: Simulatable Public Key Encryption [DN00]: oblivious sampling of public keys/ciphertexts, and invertible randomness for the oblivious algorithms. Simulatable PKE => non-committing encryption [CFGN96, DN00]. Adaptive security: Simul. PKE + Adap. Puzzle + NM* => Adap. UC.

Slide 19: Main Theorem. Assuming the existence of simulatable PKE, adaptive UC-security is achievable in any setup that admits an adaptive puzzle. Previous results follow as simple corollaries; improved complexity assumptions; new models (non-uniform, bounded concurrent).

Slide 20: Achieving UC-security, adaptive case. A trusted setup yields a UC-puzzle (adaptive simulation); adaptive non-malleability; together, adaptive UC-security. Cannot decouple! Stand-alone adaptivity requires setup.

Slide 21: Achieving UC-security, adaptive case. The adaptive UC-puzzle is from [LPV09]; TODAY: adaptive non-malleability.

Slide 22: Commitment scheme, the "digital analogue" of sealed envelopes. Commitment phase: the sender/committer sends Com(v) to the receiver. Decommitment phase: the sender sends the opening d. Hiding: the commitment hides the committed value. Binding: the commitment can only be opened to one value.

Slide 23: MIM attack on commitments [DDN91]. The man in the middle receives Com(u) from the sender and sends Com(u+1) to the receiver: the MIM "mauls" the left commitment into another commitment to a related value.

Slide 24: Non-malleable w.r.t. commitment [DDN91, PR05, LPV08]. REAL: the MIM receives C_i(u) on the left and produces C_j(v) on the right, with j != i. IDEAL: a simulator, without the left interaction, produces C_j(v'). Output: v' = v. One can construct O(1)-round concurrent NMC w.r.t. commitment based on OWFs [LP12, Goy12].

Slide 25: Non-malleable w.r.t. opening [CIO98, FF00, PR05]. REAL: the MIM receives C_i(u) and its opening u on the left and produces C_j(v) on the right, later opened to v. IDEAL: the simulator produces C_j(v') and opening v'. One can construct O(1)-round stand-alone NMC w.r.t. opening based on CRHs for synchronized adversaries [PR05].

Slide 26: What do we need? Concurrent, adaptively secure non-malleable commitments w.r.t. opening: the MIM receives many left commitments C_i1(u), C_i2(t), C_i3(w), C_i4(x), C_i5(y) together with their openings u, t, w, x, y, and produces right commitments C_j1(v), C_j2(v'), C_j3(u') with openings v, v', u'.

Slide 27: Concurrent, adaptively secure non-malleable commitments w.r.t. opening. REAL: the MIM receives C_i1(u), C_i2(w), ... opened to u, w, ... and produces C_j(v') opened to v'. IDEAL: the simulator, given u, w, ..., produces C_j(v') opened to v'. Relaxation: the left commitments are i.i.d. samples.

Slide 28: Main Lemma. Assuming OWFs and a puzzle, there is an O(n)-round adaptively-secure concurrent NMC w.r.t. opening and i.i.d. samples. No additional trusted infrastructure is needed to achieve non-malleability: a single CRS/URS/sunspot is sufficient, the same gains as in the static case. Relaxation: the left commitments are i.i.d. samples. "What is a few rounds of communication between friends."

Slide 29: Ingredient I, scheduling [DDN]. Non-malleable sub-protocols are scheduled (colour-coded Green and Orange) so that receiving Green does not help giving Orange, and vice versa.

Slide 30: With the [DDN] schedule keyed on identities (Id = 0 vs. Id = 1) we can rewind the right interaction without rewinding the left!

Slide 31: UC-Puzzle. A challenger and a solver interact on an NP-statement whose NP-witness is the trapdoor. Soundness: no malicious solver can output the trapdoor after the interaction. Simulation: for every concurrent adversary A there exists a simulator S that simulates all puzzles indistinguishably while extracting the trapdoor.

Slide 32: Ingredient II, instance-based commitment [LZ09]. The instance is the UC-puzzle's NP-statement. Without the trapdoor the commitment is binding; with the trapdoor the committer can reveal it as either 0 or 1. Hamiltonian-cycle scheme: commit to an adjacency matrix. Commit 0: commit to the true adjacency matrix. Commit 1: commit to a simple cycle. Equivocate: commit to the true adjacency matrix (knowing the trapdoor, a Hamiltonian cycle of the instance graph, the same matrix can be opened either way).
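The instance-based commitment sketched on slide 32, worked as an added Python example (this is not code from the talk or from [LZ09]). It assumes the Hamiltonian-cycle variant: the instance is a graph G, the trapdoor is a Hamiltonian cycle of G, each matrix entry is hidden with a SHA-256 hash commitment, and the sample graph and cycle are constructed here. All function and variable names are this example's own.

```python
"""Added example, not code from the talk.  Toy instance-based commitment:
commit 0 = commit entrywise to a relabelled copy of G; commit 1 = commit to a
random simple cycle; with the trapdoor (a Hamiltonian cycle of G) a commitment
to the relabelled G can be opened as 0 or as 1.  Hash and lengths are assumptions."""
import hashlib
import random
import secrets
from typing import Dict, List, Optional, Tuple

Matrix = List[List[int]]
R_LEN = 16  # bytes of randomness per entry commitment (assumption)

# Constructed sample instance: a 4-cycle 0-1-2-3-0 plus the chord 0-2.
SAMPLE_G: Matrix = [[0, 1, 1, 1], [1, 0, 1, 0], [1, 1, 0, 1], [1, 0, 1, 0]]
SAMPLE_CYCLE = [0, 1, 2, 3]  # the trapdoor: a Hamiltonian cycle of SAMPLE_G


def entry_commit(bit: int) -> Tuple[bytes, bytes]:
    r = secrets.token_bytes(R_LEN)
    return hashlib.sha256(r + bytes([bit])).digest(), r


def entry_open(com: bytes, r: bytes, bit: int) -> bool:
    return len(r) == R_LEN and hashlib.sha256(r + bytes([bit])).digest() == com


def relabel(adj: Matrix, pi: List[int]) -> Matrix:
    """Vertex i of the result is vertex pi[i] of adj (a random relabelling)."""
    n = len(adj)
    return [[adj[pi[i]][pi[j]] for j in range(n)] for i in range(n)]


def cycle_matrix(order: List[int]) -> Matrix:
    """Adjacency matrix of the simple cycle visiting `order` in sequence."""
    n = len(order)
    m = [[0] * n for _ in range(n)]
    for k in range(n):
        a, b = order[k], order[(k + 1) % n]
        m[a][b] = m[b][a] = 1
    return m


def commit_instance(G: Matrix, bit: int, trapdoor: Optional[List[int]] = None, rng=random) -> Dict:
    """Committer state.  With the trapdoor the true matrix is committed regardless of bit."""
    n = len(G)
    pi = list(range(n))
    rng.shuffle(pi)
    matrix = relabel(G, pi) if (bit == 0 or trapdoor is not None) else cycle_matrix(pi)
    coms = [[b""] * n for _ in range(n)]
    rs = [[b""] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            coms[i][j], rs[i][j] = entry_commit(matrix[i][j])
    return {"coms": coms, "rs": rs, "pi": pi, "trapdoor": trapdoor}


def open_as_zero(state: Dict) -> Tuple:
    """Reveal the relabelling and every entry; the receiver recomputes relabel(G, pi)."""
    return ("zero", state["pi"], state["rs"])


def open_as_one(state: Dict) -> Tuple:
    """Reveal only the n entries along a simple cycle.  Without the trapdoor this
    works only if the committed matrix is the random cycle (an honest commit 1);
    with it, the trapdoor cycle of G is mapped through the relabelling."""
    pi = state["pi"]
    if state["trapdoor"] is None:
        order = pi  # cycle_matrix(pi) was committed
    else:
        inv = {v: i for i, v in enumerate(pi)}
        order = [inv[v] for v in state["trapdoor"]]
    n = len(pi)
    edges = {}
    for k in range(n):
        a, b = order[k], order[(k + 1) % n]
        edges[(a, b)] = state["rs"][a][b]
    return ("one", order, edges)


def verify(G: Matrix, coms: List[List[bytes]], opening: Tuple) -> bool:
    """Receiver's check of an opening against the instance G and the commitments."""
    n = len(G)
    if opening[0] == "zero":
        _, pi, rs = opening
        if sorted(pi) != list(range(n)):
            return False
        expected = relabel(G, pi)
        return all(entry_open(coms[i][j], rs[i][j], expected[i][j])
                   for i in range(n) for j in range(n))
    if opening[0] == "one":
        _, order, edges = opening
        if sorted(order) != list(range(n)):
            return False
        return all(entry_open(coms[order[k]][order[(k + 1) % n]],
                              edges.get((order[k], order[(k + 1) % n]), b""), 1)
                   for k in range(n))
    return False
```

Without the trapdoor, a committer who opened one commitment both as 0 (revealing a relabelled G) and as 1 (revealing a simple cycle inside it) would have exhibited a Hamiltonian cycle of G, which is exactly the witness the puzzle's soundness says it cannot have; that is the sense in which the scheme is binding "without trapdoor" and equivocal "with trapdoor".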

Slide 33: Application: concurrent non-malleable coin tossing. The sender sends ANMCOM(r), the receiver replies with r', the sender opens r; coin toss output = r + r'. IDEA FOR UC-COM: create two URS. Sender to receiver (URS1): equivocate (using OWF). Receiver to sender (URS2): extract (using simulatable PKE).
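The commitment scheme of slide 22, the mauling man in the middle of slide 23 and the coin toss of slide 33, worked as one added Python example (not code from the talk or its authors). It assumes a SHA-256 hash commitment with 32 bytes of opening randomness, a deliberately malleable toy bit commitment whose only purpose is to show what "mauling" means, and XOR of bit strings as the "+" in r + r'. Function and variable names are this example's own.

```python
"""Added example, not code from the talk.  Hash commitment (slide 22), a toy
malleable commitment a man in the middle can maul (slide 23), and a Blum-style
coin toss on top of the commitment (slide 33).  Hash, lengths and message
formats are assumptions made for this example."""
import hashlib
import hmac
import secrets
from typing import List, Tuple

RAND_LEN = 32  # bytes of opening randomness (assumption)


def commit(value: bytes) -> Tuple[bytes, bytes]:
    """Commitment phase: Com(v) = SHA-256(r || v) for fresh randomness r.
    Returns (commitment, decommitment d); here d is simply r."""
    r = secrets.token_bytes(RAND_LEN)
    return hashlib.sha256(r + value).digest(), r


def open_commitment(com: bytes, d: bytes, value: bytes) -> bool:
    """Decommitment phase: the receiver recomputes the hash and compares.
    The length check is part of binding: without it a cheating sender could
    move bytes between d and value and open one commitment two ways."""
    if len(d) != RAND_LEN:
        return False
    return hmac.compare_digest(hashlib.sha256(d + value).digest(), com)


def toy_commit(bit: int) -> Tuple[Tuple[bytes, int], bytes]:
    """Deliberately malleable toy commitment to one bit: the bit is masked by a
    pad derived from key k, and only k is hash-committed.  Hiding and binding
    hold, but the masked bit sits in the clear and anyone can flip it."""
    k = secrets.token_bytes(RAND_LEN)
    pad = hashlib.sha256(b"pad" + k).digest()[0] & 1
    return (hashlib.sha256(k).digest(), bit ^ pad), k


def toy_open(com: Tuple[bytes, int], k: bytes, bit: int) -> bool:
    h, masked = com
    pad = hashlib.sha256(b"pad" + k).digest()[0] & 1
    return hmac.compare_digest(hashlib.sha256(k).digest(), h) and masked ^ pad == bit


def maul_toy(com: Tuple[bytes, int]) -> Tuple[bytes, int]:
    """The man in the middle of slide 23: from Com(u) it forms Com(u+1 mod 2)
    without learning u, and later opens it with the sender's own opening k.
    A non-malleable scheme is exactly one where this is not possible."""
    h, masked = com
    return (h, masked ^ 1)


def coin_toss(sender_r: bytes, receiver_r: bytes) -> Tuple[bytes, List[Tuple[str, object]]]:
    """Blum-style coin toss of slide 33 built on `commit`: the sender commits
    to r, the receiver answers r' seeing only the commitment, the sender opens,
    and both output r + r' (XOR of the bit strings).  Returns (output,
    transcript); the receiver aborts if the opening does not verify."""
    if len(sender_r) != len(receiver_r):
        raise ValueError("r and r' must have the same length")
    transcript: List[Tuple[str, object]] = []
    com, d = commit(sender_r)
    transcript.append(("sender -> receiver", com))            # ANMCOM(r)
    transcript.append(("receiver -> sender", receiver_r))     # r'
    transcript.append(("sender -> receiver", (sender_r, d)))  # open r
    if not open_commitment(com, d, sender_r):
        raise ValueError("receiver aborts: opening does not match commitment")
    return bytes(a ^ b for a, b in zip(sender_r, receiver_r)), transcript


def sender_cannot_change_r(other_r: bytes) -> bool:
    """Binding in the coin toss: a sender who, after seeing r', tries to open
    the commitment to a different value is rejected by the receiver."""
    r = bytes(b ^ 0xFF for b in other_r)  # any value that differs from other_r
    com, d = commit(r)
    return not open_commitment(com, d, other_r)


if __name__ == "__main__":
    out, msgs = coin_toss(secrets.token_bytes(4), secrets.token_bytes(4))
    print("coin toss output:", out.hex(), "over", len(msgs), "messages")
    c, k = toy_commit(0)
    print("mauled toy commitment opens to 1:", toy_open(maul_toy(c), k, 1))
```

The toy scheme is hiding and binding yet useless for coin tossing between a sender and a receiver that a MIM sits between, which is why the slides insist on non-malleability (and, for the adaptive case, non-malleability w.r.t. opening) rather than on hiding and binding alone.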

Slide 34: Main Theorem: assuming the existence of simulatable PKE and an adaptive UC-puzzle, adaptive UC-security is achievable. Main Lemma: assuming the existence of OWFs and an adaptive UC-puzzle, there is an O(n)-round adaptively-secure concurrent NMC w.r.t. opening and i.i.d. samples. UC-Puzzle: hard for the adversary to solve in the real world, easy for the simulator to obtain the trapdoor.

Slide 35: Corollaries (all achieved). Trusted setups: Common Reference String [CLOS02, CPS07, CDPW07, DNO10]; Public Key Registration [BCNP04, DNO10]; Tamper-Proof Hardware [Kat07, CGS08, GISVW10]; Timing Model [DNS98, KLP05]. Relaxed security: Super-Poly Time Simulation (SPS) [Pas03, BS05, GGJS12]; Angel-based Security Model [PS04, MMY06, CLP10]; Bounded (Player) Concurrent [Barak, Goyal1, Goyal2]; Non-Uniform Simulation [LPV09].

Slide 36: Static vs. adaptive UC security.

                       Static UC security                     Adaptive UC security
  Assumptions          SA-OT and puzzle (necessary and        Sim. PKE and puzzle
                       sufficient)
  Rounds               O(1) rounds                            O(nd) rounds (d = depth(C))
  What can we compute? Any PPT computation                    Not everything! [IKOS10]

Slide 37: Conclusion. We characterize when adaptive UC is achievable. Next: reduce the complexity assumptions (trapdoor simulatable PKE is sufficient for NCE [CDMW09]); improve the round complexity ([Recent] UC-adaptive security in O(d) rounds [V14]); angel-based UC-security [PS04, CLP10, ...], a reasonable model without any setup that implies SPS, with a linear blow-up in rounds using black-box techniques [GS12].

Slide 38: How can we achieve O(1)-round adaptive semi-honest 2-party computation? ... still open.

Slide 39: THANKS

