
Information-Theoretic Security and Security under Composition Eyal Kushilevitz (Technion) Yehuda Lindell (Bar-Ilan University) Tal Rabin (IBM T.J. Watson)


2 Secure Multiparty Computation
- A set of parties with private inputs.
- Parties wish to jointly compute a function of their inputs so that certain security properties (like privacy, correctness and independence of inputs) are preserved.
- E.g., secure elections, auctions…
- Properties must be ensured even if some of the parties maliciously attack the protocol.

3 Secure Computation Tasks
Examples:
- Authentication protocols
- Online payments
- Auctions
- Elections
- Privacy preserving data mining
- Essentially any task…

4 Defining Security
- The real/ideal model paradigm for defining security [GMW,GL,Be,MR,Ca]:
  - Ideal model: parties send inputs to a trusted party, who computes the function for them.
  - Real model: parties run a real protocol with no trusted help.
- A protocol is secure if any attack on a real protocol can be carried out in the ideal model.
- Since no attacks can be carried out in the ideal model, security is implied.

5 The Real Model (figure: two parties with inputs x and y run the protocol and obtain their output)

6 The Ideal Model (figure: the parties send their inputs x and y to a trusted party and receive back f1(x,y) and f2(x,y) respectively)

7 IDEAL vs. REAL (figure: trusted party on the ideal side, protocol interaction on the real side)
- The Security Definition: For every real adversary A there exists an adversary S

8 The Ideal Adversary/Simulator
- How is security proven?
  - The ideal-model adversary is actually a simulator
  - The simulator “simulates” a real execution, while interacting in the ideal model
  - The simulation looks just like a real execution…
- Important categories of simulators
  - Black-box versus non-black-box simulators
  - Rewinding versus non-rewinding simulators
  - Non-rewinding is also called “straight-line”

9 More Details on the Definition
- What does it mean that the real and ideal executions “look the same”?
  - Perfect security: the distributions are identical
  - Statistical security: the distributions are statistically close
  - Computational security: the distributions are computationally indistinguishable

10 Two Basic Models
- Information-theoretic model
  - Unbounded adversaries
  - Perfect or statistical security
  - Seemingly, no real need for “perfection”
- Computational model
  - Polynomial-time adversaries
  - Computational security

11 Real Execution – Possible Settings
- The stand-alone model
  - A single execution of a single secure protocol (or a single execution under attack)
  - The classic model of computation
- Security under composition
  - Concurrent self composition: many executions of a single secure protocol
  - Concurrent general composition: many executions of a secure protocol together with arbitrary other protocols

12 Security under Composition
- Concurrent self composition
  - Many executions of a single secure protocol look just like many calls to an ideal trusted party [FS,DDN,DNS,RK,…]
- Concurrent general composition
  - Many executions of a single secure protocol with an arbitrary other protocol look just like many calls to an ideal trusted party, together with a real arbitrary other protocol [DM,PW,Ca]
  - Modeled by considering an arbitrary protocol that contains “subroutine calls” to the secure protocol
  - Models the real world – the Internet is the arbitrary protocol

13 Feasibility of Secure Computation – The Stand-Alone Model
- A fundamental theorem: any multiparty functionality can be securely computed in the stand-alone model:
  - Computational setting: for any number of corruptions and assuming (enhanced) trapdoor permutations [Y86,GMW87]
  - Information theoretic setting: for a 2/3 honest majority (or regular majority given a broadcast channel) [BGW88,CCD88,RB89,B89]
- Note: in the case of no honest majority, the security requirements are not exactly the same (i.e., no fairness or guaranteed output delivery)

14 Feasibility of Secure Computation – Concurrent Composition
- Any multiparty problem can be securely computed under concurrent general composition:
  - No honest majority: assuming (enhanced) trapdoor permutations and a common reference string [CLOS02]
  - Honest (or two-thirds) majority: [Ca01] relying on [BGW88,CCD88,RB89,B89]
- Notice: these are exactly the information-theoretically secure protocols for the stand-alone model

15 Information-Theoretically Secure Protocols and Composition
- Folklore: information-theoretic protocols are secure under concurrent composition (at the very least, all the known ones have this property)
- Related folklore: if a protocol is proven secure using a black-box non-rewinding simulator, then it is secure under concurrent composition
- Note: known information-theoretic protocols use black-box non-rewinding simulation

16 This Work
- Understand the conjectured connection between information-theoretic security and security under composition
- Deepen our understanding of these notions
- Derive a corollary that simplifies the task of proving security under composition

17 Theorem 1: Counter Example
There exist protocols that are:
- Statistically secure in the information theoretical model, as stand-alone
- Proven secure using a black-box straight-line (non-rewinding) simulator
but are not secure under concurrent general composition

18 Theorem 2:
Every protocol that is:
- Perfectly secure in the information theoretical model, as stand-alone
- Proven secure using a black-box straight-line (non-rewinding) simulator
is perfectly secure under concurrent general composition
- [DM00] proved a similar result, but used a strictly more stringent notion of stand-alone security

19 Corollaries
- Corollary 1: [BGW] (error free version) is perfectly secure under concurrent general composition (assuming a two-thirds majority)
- Corollary 2: It suffices to prove perfect security in the stand-alone model…
- Note: perfectly secure protocols have an advantage over statistically secure protocols
  - Security under concurrent general composition is obtained “for free”

20 Theorem 3:
Every protocol that is:
- Proven secure using a black-box straight-line (non-rewinding) simulator
is secure under concurrent self composition with fixed inputs
- This is a weaker security guarantee, but gives some justification to the folklore
- The result is of interest for statistical and computational security, and holds for any number of corrupted parties

21 Corollary
- [CCD,RB] are secure under concurrent self composition with fixed inputs
- Again, the above is a relatively weak security guarantee, but explains/justifies the folklore

22 Disturbing Point
- It is widely believed that known statistically secure protocols are secure under concurrent general composition
- We have only proved security under concurrent self composition with fixed inputs
- Is there an additional property that would make such protocols secure under concurrent general composition?

23 Different (Simple) Property
- Initial Synchronization
  - Each party announces that it is ready to start
  - Before starting, each party waits to receive notification from all other parties that they are ready to start
- This enables an easy denial of service attack (but this is in some sense impossible to prevent in this model)

24 Theorem 4:
Every protocol that is:
- Proven secure using a black-box straight-line (non-rewinding) simulator, and
- Has initial synchronization
is secure under concurrent general composition
- This holds for perfect, statistical and computational security (not needed for perfect), and for any number of corrupted parties

25 Corollary
- It suffices to prove security in the stand-alone model using black-box straight-line simulation:
  - Given such a protocol, can add initial synchronization and security under concurrent general composition is implied
- This gives a useful tool, simplifying the task of proving security under composition

26 High-Level Summary of Results
- Counter-example: Straight-line black-box security does not imply security under concurrent general composition (even if security is statistical)
- Security under general composition is implied by:
  - Perfect security, straight-line black-box simulation
  - Straight-line black-box simulation, initial synchronization
- Security under self composition with fixed inputs is implied by:
  - Straight-line black-box simulation

27 The Rest of This Talk
- Proof of counter-example (Theorem 1)
- Idea behind the proof that perfect security with black-box straight-line simulation implies security under concurrent general composition (Theorem 2)
- Discussion about how black-box straight-line simulation with initial synchronization implies security under concurrent general composition (Theorem 4)

28 Proof of Counter Example
- The counter-example utilizes the fact that:
  - In the stand-alone model, inputs are fixed at the beginning
  - In the setting of concurrent general composition, inputs can be determined dynamically, and dependent on other protocols
- Recall: a protocol is secure in this setting if an execution of an arbitrary protocol with the real secure protocol looks like an execution of the same arbitrary protocol together with “ideal calls”

29 Proof of Counter-Example (cont.)
- Our counter-example uses a specific function and specific protocol (in the setting of an honest majority)
- The function: f(x1,x2,x3) = (0,0,0)

30 Proof of Counter-Example (cont.)
- A secure protocol ρ for computing f:
  - P1 and P2 choose random r1 and r2 of length n/2 and send the strings to each other
  - P1 and P2 define r = (r1,r2) and both send r to P3
  - If P3 receives the same value from both parties and it equals its input, then it outputs 1, otherwise it outputs 0
  - P2 and P3 both output 0

31 Claim 1: Security of Protocol ρ in the Stand-Alone Model
- We assume an honest majority, so at least one of P1 and P2 is honest
- This implies that the string r received by P3 equals its input with probability at most 2^(-n/2)
- Thus, P3 outputs 1 with negligible probability
- Simulation in this case is easy (and is black-box straight-line)
- Security obtained is statistical

32 Claim 2: Insecurity of Protocol ρ under Concurrent General Composition
- Consider the following arbitrary protocol π that contains a “call” to f:
  - P1 sends a random s to P3
  - P1 and P2 send the input 0^n to the trusted party computing f, and output whatever they receive back
  - P3 sends the string s to the trusted party as its input for the computation of f, and outputs whatever it receives back
- Note: in the ideal execution, all honest parties always output 0

33 Claim 2 (continued)
- Consider an execution of π together with protocol ρ and a single corrupted party P1:
  - Party P1 waits until it receives r2 from P2 as part of ρ and can define r = (r1,r2)
  - P1 defines s = r and sends s to P3
  - P3 uses s as its input into ρ and it follows that r equals its input
- We have that the honest P3 always outputs 1 (instead of 0)
- Conclusion: ρ is not secure under concurrent general composition

34 (Rough idea) Proof of Theorem 2
- By contradiction
  - Protocol ρ secure stand alone, not secure in composition with π
  - Exist Adv A which can foil the execution of ρ when run with π, i.e. not the same as if using a trusted party for f instead of ρ
- Build a stand-alone adversary A_ρ which breaks the stand-alone security of ρ
  - A_ρ basically runs A in its belly and simulates all the parties for the communications which relate to π, and for ρ it communicates with the real parties and transfers the messages to A

35 Proof of Theorem 2 (cont.)
- If A_ρ's simulation for A is “good” then the stand-alone distribution of ρ is the same as when it is run with π
- Thus, output of ρ in this stand-alone execution is not the same as the output of the ideal execution
- And we have broken the stand-alone execution (contradiction)

36 Complication for A_ρ
- Creating a simulation which seamlessly matches the execution of the real ρ with the simulation of π
- For this A_ρ has to guess the inputs and random coins of the honest parties – low success probability
- This is why perfect security is crucial: we need the attack to succeed only with non-zero probability

37 Discussions on Theorem 4
- Recall the theorem: black-box straight-line simulation + initial synchronization ⇒ security under concurrent general composition
- The basic idea:
  - Consider the counter example
  - If initial synchronization is used, all of the arbitrary protocol (honest party’s inputs and random-tapes) until the protocol starts can be auxiliary input in a stand-alone execution
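The following toy simulation, added to this transcript and not code from the authors, plays out the counter-example of slides 29-33 and the initial-synchronization remedy of slide 37. It models protocol ρ message by message so that a corrupted P1 can choose its π-message s after seeing r2 (concurrent general composition), and then adds the "ready" round of slide 23, which forces P3 to hold its input s before any ρ message exists. The party strategies, the scheduling helper names and the bit-string encoding are assumptions made for the illustration; the outputs match the slides: P3 outputs 1 with probability 2^(-n/2) stand-alone, always under the unsynchronized composition, and again only with probability 2^(-n/2) once ρ is synchronized.

```python
import secrets


def random_bits(k):
    """Uniform k-bit string as '0'/'1' characters (constructed randomness)."""
    return "".join(secrets.choice("01") for _ in range(k))


def p3_decide(from_p1, from_p2, x3):
    """P3's output rule in rho (slide 30): 1 iff both copies of r agree and equal its input."""
    return 1 if from_p1 == from_p2 == x3 else 0


def standalone_rho(x3, n):
    """Honest stand-alone run of rho with P3's input fixed in advance (slides 30-31).
    Returns (out1, out2, out3)."""
    r1, r2 = random_bits(n // 2), random_bits(n // 2)  # exchanged between P1 and P2
    r = r1 + r2                                         # r = (r1, r2)
    return 0, 0, p3_decide(r, r, x3)


def compose_pi_rho(n, p1):
    """Protocol pi of slide 32 with its call to f replaced by a run of rho (slide 33).
    The callable `p1` (assumed interface) plays P1: it is handed r2, the first rho
    message from honest P2, and returns (r1, s). Under general composition nothing
    stops P1 from delaying its pi-message s until r2 has arrived."""
    r2 = random_bits(n // 2)      # P2 sends r2 to P1 inside rho
    r1, s = p1(r2)                # P1 picks r1 for rho and s for pi, possibly using r2
    x3 = s                        # in pi, P3 uses s as its input to the call (here: rho)
    r_from_p2 = r1 + r2           # honest P2 forwards r = (r1, r2) to P3
    r_from_p1 = r1 + r2           # P1 sends the same r (any other value yields output 0)
    return 0, 0, p3_decide(r_from_p1, r_from_p2, x3)


def compose_with_sync(n, p1_before, p1_after):
    """Same composition, but rho has initial synchronization (slide 23).
    P3 only announces "ready" once it holds its input s, and r2 is sent only
    after everyone is ready, so P1 must commit s (via `p1_before`) before r2 exists."""
    s = p1_before()               # P1's pi-message, fixed before rho starts
    x3 = s
    r2 = random_bits(n // 2)      # rho starts only now
    r1 = p1_after(r2)
    r = r1 + r2
    return 0, 0, p3_decide(r, r, x3)


def honest_p1(n):
    """Honest P1: s is random and independent of r2 (assumed strategy)."""
    def act(r2):
        return random_bits(n // 2), random_bits(n)
    return act


def attacking_p1(n):
    """Corrupted P1 of slide 33: sets s = (r1, r2) after seeing r2."""
    def act(r2):
        r1 = random_bits(n // 2)
        return r1, r1 + r2
    return act


def attacking_p1_synced(n):
    """With initial synchronization the best P1 can do is guess r2 in advance."""
    r1, guess = random_bits(n // 2), random_bits(n // 2)
    return (lambda: r1 + guess), (lambda r2: r1)


if __name__ == "__main__":
    n = 64
    print("stand-alone, honest:", standalone_rho("0" * n, n))
    print("composed with pi, honest P1:", compose_pi_rho(n, honest_p1(n)))
    print("composed with pi, corrupted P1:", compose_pi_rho(n, attacking_p1(n)))
    before, after = attacking_p1_synced(n)
    print("composed, synchronized rho, corrupted P1:", compose_with_sync(n, before, after))
```

The unsynchronized run returns (0, 0, 1) every time, which is exactly the deviation from the ideal execution (where every honest party outputs 0) that Claim 2 exhibits; the synchronized run returns (0, 0, 0) except with probability 2^(-32), because s and the honest randomness r2 are now fixed on opposite sides of the "ready" round, which is what lets the whole history before ρ starts be treated as auxiliary input to a stand-alone execution.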

38 Importance of Theorem 4
- Adds to our understanding of what is needed for obtaining security
  - Black-box straight-line simulation
  - Inability to have inputs depend on randomness of the same execution
- A useful tool
  - Definitions for obtaining security under composition are complex
  - Using this theorem, it suffices to work in the stand-alone model (and add initial synchronization)

39 Conclusions
- Stand-alone security does not imply security under concurrent general composition
  - Even in the information-theoretical model
- Information-theoretic security does imply some sort of security under composition
  - Black-box straight-line statistical suffices for obtaining concurrent self composition with fixed inputs
  - Black-box straight-line perfect suffices for obtaining concurrent general composition
  - Black-box straight-line + initial synchronization suffices for obtaining concurrent general composition
