
1. Rafael Pass, Cornell University
Constant-round Non-malleability From Any One-way Function
Joint work with Huijia (Rachel) Lin

2. Cryptographic Protocols
“Interactions among mutually distrustful players.” Far beyond the traditional goal of concealing messages:
– Electronic auctions without a trusted auctioneer. Correctness: highest bidder wins. Privacy: no other bids are revealed.
– Electronic elections without a trusted vote counter. Correctness: votes are correctly counted. Privacy: individual votes remain secret.
– And much more: electronic payment systems, authentication protocols, privacy-preserving data mining…
Secure Multi-party Computation: “Any task that can be securely implemented using a trusted party can be securely implemented without the trusted party” [Y82, GMW86].

3. The Classic Stand-Alone Model
[Figure: Alice and Bob.] One set of parties executing a single protocol in isolation.

4. On the Internet: Need Concurrent Security [DDN91, ...]
Many parties running many different protocol executions.

5. The Chess-master Problem
[Figure: an 8am game and an 8pm game; caption “Lose!”]

6. Similar attack on crypto protocols!

7. Man-in-the-middle Attacks
[Figure: Alice (initiator) – MIM (responder on the left, initiator on the right) – Bob (responder). Left session: messages a, a. Right session: messages b, b.]
The MIM can make use of a message from the RIGHT session in the LEFT session.

8. Man-in-the-middle Attacks
[Figure: Alice sends “Alice: a” to the MIM; the MIM forwards “Alice: a” to Bob; Bob: “You are not Alice!”; MIM: “Grrr!”]
The MIM can make use of a message from the RIGHT session in the LEFT session.

9. Man-in-the-middle Attacks
[Figure: Alice: a → MIM; MIM (as “Devil”): a → Bob; Bob: b → MIM; MIM (as “Devil”): b → Alice.]
The MIM can make use of a message from the RIGHT session in the LEFT session.

10. Commitment Scheme
The “digital analogue” of sealed envelopes: a Commitment phase followed by a Reveal phase between a Sender and a Receiver.
One of the most basic cryptographic tasks:
– natural abstraction
– many applications (zero-knowledge, coin-tossing, secure computation…)
One-way functions are both sufficient and necessary [N’89, HILL’99].

11. Example: Closed Auctions
[Figure: Bidder I sends C(v) to the Auctioneer; Bidder II sends C(ṽ).]
Would like to ensure that bids are independent. Bidder II would have loved to set, e.g., ṽ = v + 1.
The definition of commitments does not rule this out! For most commitments, one can actually create such a dependency.

12. [Figure: Sender → MIM: C(v); MIM → Receiver: C(v'). The MIM acts as receiver on the left and as sender on the right.]
Possible that v' = v + 1, even though the MIM does not know v!

13. Non-Malleable Commitments [Dolev Dwork Naor’91]
[Figure: Sender with identity i → MIM: C(v); MIM with identity j → Receiver: C(v').]

14. Non-Malleable Commitments [Dolev Dwork Naor’91]
[Figure: Sender (identity i) → MIM: C(i, v); MIM (identity j) → Receiver: C(j, v').]
Non-malleability: if i ≠ j, then v' is “independent” of v.

15. Non-Malleable Commitments [Dolev Dwork Naor’91]
Man-in-the-middle execution: left tag i, right tag j, with i ≠ j. Simulation: right tag j only.
Non-malleability: For every MIM there exists a “simulator” such that the value committed by the MIM is “indistinguishable” from the value committed by the simulator.

16. Non-Malleable Commitments [Dolev Dwork Naor’91]
– Important in practice
– “Test-bed” for other tasks
– Applications to MPC

17. DDN: Encoding Names in Messages
[Figure: Initiator and Responder, ID = 010, iterations 1, 2, 3.]
For i = 1 to n:
– if ID_i = 1: REAL exchange, then DUMMY exchange
– if ID_i = 0: DUMMY exchange, then REAL exchange
IDEA: make sure that at some point a MIM needs to either speak alone, or give REAL when hearing DUMMY.

18. DDN: Encoding Names in Messages
[Figure: Initiator with ID = 010 on the left, Responder/Initiator (the MIM) in the middle, Responder with ID' = 110 on the right.]
If ID ≠ ID', there exists an iteration in which the MIM gives REAL but receives DUMMY.
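The scheduling argument of slides 17 and 18 can be checked mechanically. The following is an added example, not part of the talk: it builds the DDN slot schedule for a bit-string identity, locates the slot in which a synchronizing MIM (one whose right-session messages line up slot by slot with the left session, so the “speak alone” branch does not arise) must give REAL having received only DUMMY, and exhaustively confirms that such a slot exists exactly when the two identities differ. The identities and the REAL/DUMMY labels are constructed sample values.

```python
REAL, DUMMY = "REAL", "DUMMY"


def ddn_schedule(identity: str) -> list[tuple[str, str]]:
    """Slot types per iteration: bit 1 -> (REAL, DUMMY), bit 0 -> (DUMMY, REAL)."""
    if not identity or any(b not in "01" for b in identity):
        raise ValueError("identity must be a non-empty bit string")
    return [(REAL, DUMMY) if b == "1" else (DUMMY, REAL) for b in identity]


def forced_real_slot(left_id: str, right_id: str):
    """Return (iteration, slot), both 1-indexed, where the MIM receives DUMMY
    in the left session but must give REAL in the right session.
    Returns None when no such slot exists (the schedules coincide)."""
    if len(left_id) != len(right_id):
        raise ValueError("DDN encodes equal-length identities")
    left_sched, right_sched = ddn_schedule(left_id), ddn_schedule(right_id)
    for it, (left, right) in enumerate(zip(left_sched, right_sched), start=1):
        # In each slot the MIM hears one left-side message and must answer
        # with one right-side message of the type the right party expects.
        for slot, (received, given) in enumerate(zip(left, right), start=1):
            if received == DUMMY and given == REAL:
                return (it, slot)
    return None


def claim_holds(n: int) -> bool:
    """Check slide 18 for all pairs of n-bit identities: a forced slot
    exists if and only if ID != ID'."""
    ids = [format(k, f"0{n}b") for k in range(2 ** n)]
    return all((forced_real_slot(a, b) is not None) == (a != b)
               for a in ids for b in ids)


if __name__ == "__main__":
    # Constructed identities from the slide: ID = 010 on the left, ID' = 110 on the right.
    print(forced_real_slot("010", "110"))  # first iteration differs: (1, 1)
    print(claim_holds(4))
```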

19. Non-malleable Commitments
Original work by [DDN’91]:
– Based on any one-way function (OWF)
– But: O(log n) rounds
Main question: how many rounds do we need?
With “trusted set-up”, solved: 1 round from OWF [DIO’99, DKO, CF, FF, …, DG].
Without set-up:
– [Barak’02]: O(1) rounds, Subexp CRH + dense crypto
– [P’04, P-Rosen’05]: O(1) rounds using CRH
– [Lin-P’09]: O(1)^log* n rounds using OWF
– [P-Wee’10]: O(1) rounds using Subexp OWF
– [Wee’10]: O(log* n) rounds using OWF
(“Non BB”)

20. Non-malleable Commitments
Original work by [DDN’91]:
– Based on any one-way function (OWF)
– But: O(log n) rounds
Main question: how many rounds do we need?
With “trusted set-up”, solved: 1 round from OWF [DIO’99, DKO, CF, FF, …, DG].
Without set-up:
– O(1) rounds from CRH or Subexp OWF
– O(log* n) rounds from OWF

21. Main Theorem [Lin-P’10]
Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment.
Note: Since commitment schemes imply OWF, we have unconditionally that any commitment scheme can be turned into one that is O(1)-round and non-malleable.
Note: As we shall see, this also weakens the assumptions for O(1)-round secure multi-party computation.

22. The Idea
What if we could run “message scheduling in the head”?
Let us focus on non-aborting and synchronizing adversaries (they never send invalid messages in the left execution).

23. Com(id, v), with id = 00101:
– c = C(v)
– WI-POK: “I know v s.t. c = C(v), or I have ‘seen’ the sequence id.”

24. Signature Chains
Consider 2 “fixed-length” signature schemes Sig_0, Sig_1 (i.e., signatures are always of length n) with verification keys vk_0, vk_1.
Def: (s, id) is a signature-chain if for all i, s_{i+1} is a signature of “(i, s_i)” under scheme Sig_{id_{i+1}}.
Example:
– s_0 = r
– s_1 = Sig_0(0, s_0), id_1 = 0
– s_2 = Sig_0(1, s_1), id_2 = 0
– s_3 = Sig_1(2, s_2), id_3 = 1
– s_4 = Sig_0(3, s_3), id_4 = 0

25. Signature Games
You are given vk_0, vk_1 and you have access to signing oracles Sig_0, Sig_1.
Let the access pattern to the oracles be the string whose i’th symbol is b if, in the i’th interaction, you access oracle b.
Claim: If you output a signature-chain (s, id), then w.h.p. id is a substring of the access pattern.
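To make the definition on slide 24 and the claim on slide 25 concrete, here is an added example that is not the talk’s construction. It stands in for the two fixed-length schemes Sig_0 and Sig_1 with HMAC-SHA256 under two constructed secret keys (every tag is 32 bytes, so the fixed-length requirement holds, but verification needs the key, unlike a real signature scheme with vk_0, vk_1). The oracle logs which scheme each query goes to, the honest chain builder must query in the order of id, and the verifier checks a chain against the slide’s definition.

```python
import hmac
import hashlib

# Constructed keys standing in for the signing keys of Sig_0 and Sig_1.
KEYS = {0: b"constructed-key-for-Sig_0", 1: b"constructed-key-for-Sig_1"}


def sig(scheme: int, index: int, prev: bytes) -> bytes:
    """Sig_scheme(index, prev): a fixed-length tag over an unambiguous
    encoding of the pair (index, prev)."""
    msg = index.to_bytes(4, "big") + prev
    return hmac.new(KEYS[scheme], msg, hashlib.sha256).digest()


class SigningOracle:
    """Answers Sig_0 / Sig_1 queries and records the access pattern:
    the i'th character is the scheme used in the i'th query (slide 25)."""

    def __init__(self) -> None:
        self.access_pattern = ""

    def query(self, scheme: int, index: int, prev: bytes) -> bytes:
        self.access_pattern += str(scheme)
        return sig(scheme, index, prev)


def build_chain(oracle: SigningOracle, r: bytes, id_bits: str) -> list[bytes]:
    """Honest chain: s_0 = r and s_{i+1} = Sig_{id_{i+1}}(i, s_i).
    Each link needs one oracle query under the scheme named by that id bit,
    so the queries spell out id in the access pattern."""
    chain = [r]
    for i, b in enumerate(id_bits):
        chain.append(oracle.query(int(b), i, chain[i]))
    return chain


def is_signature_chain(chain: list[bytes], id_bits: str) -> bool:
    """Verify (s, id) per slide 24: one link per id bit, each link a valid
    tag on (i, s_i) under scheme id_{i+1}."""
    if len(chain) != len(id_bits) + 1 or any(b not in "01" for b in id_bits):
        return False
    return all(hmac.compare_digest(chain[i + 1], sig(int(b), i, chain[i]))
               for i, b in enumerate(id_bits))


if __name__ == "__main__":
    oracle = SigningOracle()
    chain = build_chain(oracle, b"constructed-random-r", "0010")
    print(is_signature_chain(chain, "0010"), oracle.access_pattern)
```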

26. Com(id, v), with id = 00101:
– c = C(v)
– Sender sends vk_0; Receiver sends r_0; Sender returns Sign_0(r_0)
– Sender sends vk_1; Receiver sends r_1; Sender returns Sign_1(r_1)
– WI-POK: “I know v s.t. c = C(v), or I have ‘seen’ the sequence id.”

27. Com(id, v), with id = 00101:
– c = C(v)
– Sender sends vk_0; Receiver sends r_0; Sender returns Sign_0(r_0)
– Sender sends vk_1; Receiver sends r_1; Sender returns Sign_1(r_1)
– WI-POK: “I know v s.t. c = C(v), or I know a sig-chain (s, id) w.r.t. id.”

28. Non-malleability through dance
[Figure: the left execution (w.r.t. i, i = 0110..) and the right execution (w.r.t. j, j = 00..1) each run the full protocol: c = C(v); vk_0, r_0, Sign_0(r_0); vk_1, r_1, Sign_1(r_1); WI-POK.]

29. Dealing with Aborting Adversaries
Problem 1:
– The MIM will notice that I ask him to sign a signature chain.
– Solution: Don’t. Ask him to sign commitments of signatures…
Problem 2:
– I might have to “rewind” many times on the left to get a single signature.
– So if I have id = 01011, the access pattern on the right is 0*1*0*1*...
– Solution: Use 3 keys (0, 1, 2); require a chain w.r.t. 2 id_1 2 id_2 2 id_3 …

30. Main Theorem
Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment.
log* vs O(1)?
An application:

31. Secure Multi-party Computation [Yao, GMW]
A set of parties with private inputs wish to jointly compute a function of their inputs while preserving the privacy of the inputs (as much as possible).
Security must be preserved even if some of the parties are malicious.

32. Secure Multi-party Computation [Yao, GMW]
Original work of [GMW87]:
– Trapdoor permutations (TDP), n rounds
– (e.g., voting with 1M people => 1M rounds)
More recent: “Stronger assumptions, fewer rounds”
– [KOS]: TDP, dense cryptosystems, log n rounds; TDP, CRH + dense crypto with SubExp security, O(1) rounds, non-BB
– [P04]: TDP, CRH, O(1) rounds, non-BB
Thm: Same assumption as GMW => O(1)-round protocol.

33. What’s Next – Concurrency for General Interaction

34. What’s Next – Adaptive Hardness
Consider the Factoring problem: Given the product N of 2 random n-bit primes p, q, can you provide the factorization?
Adaptive Factoring Problem: Given the product N of 2 random n-bit primes p, q, can you provide the factorization if you have access to an oracle that factors all other N' that are products of equal-length primes?
Are these problems equivalent? Unknown!

35. What’s Next – Adaptive Hardness
Adaptively-hard Commitments [Canetti-Lin-P’10]: a commitment scheme that remains hiding even if the adversary has access to a decommitment oracle.
Implies non-malleability (and more!).
Thm [CLP’10]: Existence of commitments implies O(n^ε)-round adaptively-hard commitments.

36. Thank You
