Constant-round Non-malleability From Any One-way Function
Rafael Pass, Cornell University
Joint work with Huijia (Rachel) Lin
Cryptographic Protocols
“Interactions among mutually distrustful players”, far beyond the traditional goal of concealing messages:
• Electronic auctions without a trusted auctioneer
  • Correctness: highest bidder wins
  • Privacy: no other bids are revealed
• Electronic elections without a trusted vote counter
  • Correctness: votes are correctly counted
  • Privacy: individual votes remain secret
• And much more: electronic payment systems, authentication protocols, privacy-preserving data mining…
Secure Multi-party Computation: “Any task that can be securely implemented using a trusted party can be securely implemented without the trusted party” [Y82, GMW86]
The Classic Stand-Alone Model
Alice and Bob: one set of parties executing a single protocol in isolation.
On the Internet: Need Concurrent Security [DDN91, ...]
Many parties running many different protocol executions.
The Chess-master Problem
(figure: one game at 8am, one at 8pm; “Lose! Lose!”)
Man-in-the-middle Attacks
(figure: Alice, MIM, Bob; the MIM acts as Responder towards Alice on the LEFT and as Initiator towards Bob on the RIGHT. Slide sequence: “Alice: a, Bob: b”; “Alice: a … Grrr! You are not Alice!”; then “Alice: a / Devil: a, Bob: b / Devil: b”)
The MIM can make use of a message from RIGHT in LEFT.
Commitment Scheme
The “digital analogue” of sealed envelopes: the Sender sends a Commitment to the Receiver and later Reveals.
• One of the most basic cryptographic tasks.
• Natural abstraction.
• Many applications (zero-knowledge, coin-tossing, secure computation…).
• One-way functions are both sufficient and necessary [N’89, HILL’99].
Example: Closed Auctions
Bidder I sends C(a) and Bidder II sends C(ã) to the Auctioneer.
Would like to ensure that bids are independent. Bidder II would have loved to set, e.g., ã = a + 1.
The definition of commitments does not rule this out! For most commitments, one can actually create such a dependency.
MIM between a Sender and a Receiver: the MIM receives C(v) on the left (as Receiver) and sends C(v’) on the right (as Sender).
Possible that v’ = v + 1, even though the MIM does not know v!
Non-Malleable Commitments [Dolev Dwork Naor’91]
MIM between a Sender with identity i (left) and a Receiver with identity j (right): it receives C(i, v) on the left and sends C(j, v’) on the right.
Non-malleability: if i ≠ j, then v’ is “independent” of v.
Man-in-the-middle execution (identities i on the left, j on the right) vs. simulation (identity j only).
Non-malleability: for every MIM there exists a “simulator” such that the value committed to by the MIM is “indistinguishable” from the value committed to by the simulator.
• Important in practice
• “Test-bed” for other tasks
• Applications to MPC
DDN: Encoding Names in Messages
For i = 1 to n:
• if ID_i = 1 then: REAL exchange, DUMMY exchange
• if ID_i = 0 then: DUMMY exchange, REAL exchange
(figure: Initiator with ID = 010 and Responder; iterations 1, 2, 3)
• IDEA: make sure that at some point a MIM needs to either:
  • speak alone
  • give REAL when hearing DUMMY
DDN: Encoding Names in Messages
(figure: Initiator with ID = 010, MIM as Responder/Initiator, Responder with ID’ = 110)
If ID ≠ ID’, there exists an iteration in which the MIM gives REAL but receives DUMMY.
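As an added example (not from the talk), the following simulates the DDN schedule for a synchronizing MIM that receives an Initiator’s schedule for ID on the left and must play Initiator for ID’ on the right; it lists the slots where the MIM must send REAL having only received DUMMY, and checks over all n-bit identities that such a slot exists exactly when ID ≠ ID’. Function names are my own.

```python
from itertools import product

REAL, DUMMY = "REAL", "DUMMY"


def ddn_schedule(identity: str):
    """Per-iteration order of the two exchanges an Initiator with this ID sends:
    bit 1 -> (REAL, DUMMY), bit 0 -> (DUMMY, REAL)."""
    return [(REAL, DUMMY) if b == "1" else (DUMMY, REAL) for b in identity]


def unsafe_slots(left_id: str, right_id: str):
    """Synchronizing MIM: in slot k of iteration i it receives the left Initiator's
    k-th exchange and must send its own k-th exchange on the right.
    Returns the (iteration, slot) pairs where it gives REAL but has received DUMMY."""
    assert len(left_id) == len(right_id)
    left, right = ddn_schedule(left_id), ddn_schedule(right_id)
    return [(i + 1, k) for i, (l, r) in enumerate(zip(left, right))
            for k in range(2) if r[k] == REAL and l[k] == DUMMY]


def schedule_separates_all(n: int) -> bool:
    """DDN claim for every pair of n-bit identities: an unsafe slot exists
    exactly when the identities differ (identical IDs never force one)."""
    ids = ["".join(bits) for bits in product("01", repeat=n)]
    return all((len(unsafe_slots(a, b)) > 0) == (a != b) for a in ids for b in ids)
```

For the slide's example, `unsafe_slots("010", "110")` reports iteration 1, slot 0: the MIM must open with REAL on the right while the left Initiator has only given it DUMMY.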
Non-malleable Commitments
Original work by [DDN’91]: based on any one-way function (OWF), but O(log n) rounds.
Main question: how many rounds do we need?
With “trusted set-up”: solved, 1 round from OWF [DIO’99, DKO, CF, FF, …, DG]
Without set-up:
• [Barak’02]: O(1) rounds from subexp CRH + dense crypto
• [P’04, P-Rosen’05]: O(1) rounds using CRH
• [Lin-P’09]: O(1)^(log* n) rounds using OWF
• [P-Wee’10]: O(1) rounds using subexp OWF
• [Wee’10]: O(log* n) rounds using OWF
(“Non BB”)
Non-malleable Commitments (summary)
Original work by [DDN’91]: based on any OWF, but O(log n) rounds.
Main question: how many rounds do we need?
With “trusted set-up”: solved, 1 round from OWF [DIO’99, DKO, CF, FF, …, DG]
Without set-up:
• O(1) rounds from CRH or subexp OWF
• O(log* n) rounds from OWF
Main Theorem [Lin-P’10]
Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment.
• Note: since commitment schemes imply OWF, we have unconditionally that any commitment scheme can be turned into one that is O(1)-round and non-malleable.
• Note: as we shall see, this also weakens the assumptions for O(1)-round secure multi-party computation.
The Idea
What if we could run “message scheduling in the head”?
Let us focus on non-aborting and synchronizing adversaries (they never send invalid messages in the left execution).
Com(id, v) with id = 00101:
• c = C(v)
• WI-POK: “I know v s.t. c = C(v)” OR “I have ‘seen’ the sequence”
Signature Chains
Consider 2 “fixed-length” signature schemes Sig0, Sig1 (i.e., signatures are always of length n) with keys vk0, vk1.
Def: (s, id) is a signature-chain if for all i, s_{i+1} is a signature of “(i, s_i)” under scheme Sig_{id_{i+1}}.
Example:
s0 = r
s1 = Sig0(0, s0), id1 = 0
s2 = Sig0(1, s1), id2 = 0
s3 = Sig1(2, s2), id3 = 1
s4 = Sig0(3, s3), id4 = 0
Signature Games
You are given vk0, vk1 and you have access to the signing oracles Sig0, Sig1.
Let the access pattern to the oracles be the string whose i’th entry is b if in the i’th interaction you access oracle b.
Claim: if you output a signature-chain (s, id), then, w.h.p., id is a substring of the access pattern.
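As an added example (my own code, not the paper's construction), the signature-chain definition and the signature game above: two signing oracles that record their access pattern, a chain verifier, and a check of the claim that a valid chain for id implies id occurs in the access pattern. HMAC-SHA256 with constructed secret keys stands in for the talk's fixed-length signature schemes, so verification here is a keyed check rather than a public-key one; with three keys the same code also handles the 2 id1 2 id2 … padded chains used later against aborting adversaries.

```python
import hashlib
import hmac
import os


class SigOracles:
    """Signing oracles Sig_0, Sig_1, ... with constructed secret keys (HMAC-SHA256 as a
    stand-in for fixed-length signatures: every signature is 32 bytes). Each query appends
    the oracle index to the access pattern, which is what the signature game tracks."""

    def __init__(self, nkeys: int = 2):
        self.keys = [os.urandom(32) for _ in range(nkeys)]
        self.pattern = ""  # digit b is appended each time oracle b is queried

    def _sig(self, b: int, i: int, s: bytes) -> bytes:
        # Signature of the message "(i, s)" under scheme b.
        return hmac.new(self.keys[b], i.to_bytes(4, "big") + s, hashlib.sha256).digest()

    def sign(self, b: int, i: int, s: bytes) -> bytes:
        self.pattern += str(b)
        return self._sig(b, i, s)

    def verify_chain(self, s: list, ident: str) -> bool:
        """(s, id) is a signature-chain if s_{i+1} = Sig_{id_{i+1}}(i, s_i) for all i.
        ident[i] plays the role of id_{i+1} because Python strings are 0-indexed."""
        if len(s) != len(ident) + 1:
            return False
        return all(hmac.compare_digest(s[i + 1], self._sig(int(ident[i]), i, s[i]))
                   for i in range(len(ident)))


def build_chain(oracles: SigOracles, ident: str, r: bytes) -> list:
    """Honest strategy: start from s_0 = r and query the oracles in the order id dictates."""
    s = [r]
    for i, b in enumerate(ident):
        s.append(oracles.sign(int(b), i, s[i]))
    return s


def claim_holds(oracles: SigOracles, s: list, ident: str) -> bool:
    """Signature-game claim: a chain that verifies for id forces id into the access pattern."""
    return (not oracles.verify_chain(s, ident)) or (ident in oracles.pattern)
```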
Com(id, v) with id = 00101:
• vk0; r0; Sign0(r0)
• vk1; r1; Sign1(r1)
• c = C(v)
• WI-POK: “I know v s.t. c = C(v)” OR “I have ‘seen’ the sequence”
Com(id, v) with id = 00101:
• vk0; r0; Sign0(r0)
• vk1; r1; Sign1(r1)
• c = C(v)
• WI-POK w.r.t. id: “I know v s.t. c = C(v)” OR “I know a sig-chain (s, id)”
Non-malleability through dance
(figure: left execution with identity i = 0110… and right execution with identity j = 00…1, each running vk0; r0; Sign0(r0); vk1; r1; Sign1(r1); c = C(v); then a WI-POK w.r.t. i on the left and w.r.t. j on the right)
Dealing with Aborting Adversaries
Problem 1:
• The MIM will notice that I ask him to sign a signature chain
• Solution: don’t. Ask him to sign commitments of signatures…
Problem 2:
• I might have to “rewind” many times on the left to get a single signature
• So if I have id = 01011, the access pattern on the right is 0*1*0*1*…
• Solution: use 3 keys (0, 1, 2); require a chain w.r.t. 2 id1 2 id2 2 id3 …
Main Theorem
Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment.
log* vs O(1)?
An application
Secure Multi-party Computation [Yao, GMW]
A set of parties with private inputs wish to jointly compute a function of their inputs while preserving privacy of the inputs (as much as possible).
Security must be preserved even if some of the parties are malicious.
Secure Multi-party Computation [Yao, GMW]
Original work of [GMW87]:
• Trapdoor permutations (TDP), n rounds
• (e.g., voting with 1M people => 1M rounds)
More recent: “stronger assumptions, fewer rounds”
• [KOS]
  • TDP, dense cryptosystems, log n rounds
  • TDP, CRH + dense crypto with SubExp security, O(1) rounds, non-BB
• [P04]
  • TDP, CRH, O(1) rounds, non-BB
Thm: Same assumption as GMW => O(1)-round protocol
What’s Next – Adaptive Hardness
Consider the Factoring problem:
• Given the product N of 2 random n-bit primes p, q, can you provide the factorization?
Adaptive Factoring Problem:
• Given the product N of 2 random n-bit primes p, q, can you provide the factorization, if you have access to an oracle that factors all other N’ that are products of equal-length primes?
Are these problems equivalent? Unknown!
What’s Next – Adaptive Hardness
Adaptively-hard Commitments [Canetti-Lin-P’10]
• Commitment scheme that remains hiding even if the adversary has access to a decommitment oracle
• Implies non-malleability (and more!)
Thm [CLP’10]: Existence of commitments implies O(n^)-round adaptively-hard commitments