
Rafael Pass Cornell University

Concurrency and Non-malleability. Rafael Pass Cornell University. Joint work with Huijia (Rachel) Lin. Protocols. “Interactions among mutually distrustful players” Authentication, Key-exchange, Privacy-preserving Data mining, Fault/Attack-tolerant distributed computation.


Presentation Transcript


  1. Concurrency and Non-malleability. Rafael Pass, Cornell University. Joint work with Huijia (Rachel) Lin.

  2. Protocols: “Interactions among mutually distrustful players.” Authentication, key exchange, privacy-preserving data mining, fault/attack-tolerant distributed computation, secure multiparty computation [GMW'87].

  3. The Classic Stand-Alone Model: one set of parties (Alice and Bob) executing a single protocol in isolation.

  4. On the Internet: Need Concurrent Security [DDN91, …]. Many parties running many different protocol executions.

  5. The Chess-master Problem. A novice plays two grandmasters at once, one game at 8am and one at 8pm, and relays each master's moves as her own into the other game. The two games are mirror images of each other, so whatever happens in one is reversed in the other: the novice cannot lose both games even though she cannot play chess (“Lose! Lose!”).

  6. Similar attack on Crypto protocols!

  7. Man-in-the-middle Attacks. Alice (initiator) and Bob (responder) believe they are talking to each other, but a MIM controls the channel between them, playing responder towards Alice and initiator towards Bob. In the figure the MIM turns Alice's message a into 5a before it reaches Bob and turns Bob's reply b into b/5 before it reaches Alice.

  8. The State of Concurrent Security
  • Concurrently secure 2-party computation is impossible under the “standard” definition of UC-security [Can'02], and even in somewhat weaker models [CF, L03, L04].
  • Possible with limited “trusted help”: trusted set-up models such as a CRS [BFM, CLOS], a PKI [BCNP], the timing model [DNS, KLP], tamper-proof hardware [K], …

  9. Without Trusted Set-up
  • Relaxed notions of security, e.g. “super-poly simulation” and “angel-based security” [P03, PS04, BS05, LPV09, CLP10].
  • Specific tasks and attacks: non-malleable commitments [DDN91, …] (TODAY), concurrent zero-knowledge [DNS, RK, KP, PRS, …].
  • Identifying properties that make protocols resist specific concurrent attacks: parallel repetition of arguments [BIN'99, PV'07, HPPW'09, H'09, CL'10, …], i.e. “for what classes of (single-prover) computationally-sound proofs does parallel repetition reduce the soundness error?”
  There is a lot of interplay between these different veins of research!

  10. Commitment Scheme: the “digital analogue” of sealed envelopes. A Sender commits to a value towards a Receiver (Commitment phase) and later opens it (Reveal phase). One of the most basic cryptographic tasks; part of essentially all more involved secure computations. Can be constructed from any one-way function [N'89, HILL'99].

  11. What about man-in-the-middle attacks? The MIM plays Receiver towards the Sender and Sender towards the Receiver: it receives C(v) on the left and sends C(v') on the right. It is possible that v' = v+1 even though the MIM does not know v!
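The attack on slide 11 is easiest to see on a concrete malleable scheme. The following is an added example, not code from the talk: a Pedersen commitment C(v; r) = g^v h^r over a safe-prime group generated at runtime (toy 64-bit parameters for speed, clearly too small for real use), with the MIM mauling C(v) into C(v + delta) for any delta of its choice, which generalizes the slide's v+1. The MIM never learns v or r: it multiplies the commitment by g^delta, and when the Sender later reveals (v, r) it forwards (v + delta, r), which opens the mauled commitment. All group parameters and sample values are constructed here.

```python
"""Man-in-the-middle mauling of a Pedersen commitment (added example, not from the slides).

Pedersen commitments are perfectly hiding and computationally binding, but they are
additively homomorphic and therefore malleable: from C(v) alone a MIM can produce
C(v + delta) without learning v, and can later turn the Sender's opening into a valid
opening of the mauled commitment. Group parameters are generated at runtime; the
default 64-bit size is a toy choice so the example runs quickly.
"""
import secrets


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with a small trial-division prefilter."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with p and q both (probable) primes."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


class Pedersen:
    """Pedersen commitment C(v; r) = g^v * h^r in the order-q subgroup of Z_p^*."""

    def __init__(self, bits: int = 64):
        self.p = safe_prime(bits)
        self.q = (self.p - 1) // 2
        self.g = 4  # 2^2 is a square mod p, hence has prime order q
        # h must be a group element whose discrete log base g is unknown to the
        # Sender; here the Receiver samples it (assumed trusted parameter generation).
        while True:
            self.h = pow(secrets.randbelow(self.p - 2) + 2, 2, self.p)
            if self.h not in (1, self.g):
                break

    def random_scalar(self) -> int:
        return secrets.randbelow(self.q)

    def commit(self, v: int, r: int) -> int:
        return (pow(self.g, v, self.p) * pow(self.h, r, self.p)) % self.p

    def verify(self, c: int, v: int, r: int) -> bool:
        return self.commit(v, r) == c


def maul_commitment(params: Pedersen, c: int, delta: int) -> int:
    """MIM, commit phase: C(v; r) * g^delta = C(v + delta; r). Needs neither v nor r."""
    return (c * pow(params.g, delta, params.p)) % params.p


def maul_opening(params: Pedersen, v: int, r: int, delta: int) -> tuple[int, int]:
    """MIM, reveal phase: once the Sender opens (v, r), forward (v + delta, r), which
    is a valid opening of maul_commitment(params, C(v; r), delta)."""
    return (v + delta) % params.q, r


def mim_attack(params: Pedersen, v: int, delta: int = 1) -> bool:
    """Whole Sender -> MIM -> Receiver run; True iff the Receiver accepts v + delta."""
    r = params.random_scalar()
    c = params.commit(v, r)                       # Sender commits to v
    c_mauled = maul_commitment(params, c, delta)  # MIM forwards C(v + delta) to Receiver
    v2, r2 = maul_opening(params, v, r, delta)    # MIM forwards the mauled opening
    return params.verify(c_mauled, v2, r2) and v2 == (v + delta) % params.q
```

Nothing about this attack depends on the group size; the same two multiplications work at 2048 bits. This is exactly the behaviour the DDN definition on the following slides rules out: a non-malleable commitment must make the value committed by the MIM on the right independent of the value committed on the left.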

  12. Non-Malleable Commitments [Dolev Dwork Naor'91]. The Sender commits C(v) towards the MIM (acting as Receiver/Sender); the MIM commits C(v') towards the Receiver. Non-malleability: either the MIM forwards, so v = v', or v' is “independent” of v.

  13. Non-Malleable Commitments [Dolev Dwork Naor'91], with identities. The Sender commits C(i, v) under identity i; the MIM commits C(j, v') under identity j. Non-malleability: if i ≠ j then v' is “independent” of v.

  14. Non-Malleable Commitments [Dolev Dwork Naor'91]. Man-in-the-middle execution: the MIM receives a commitment under identity i on the left and gives a commitment under identity j on the right. Simulation: a simulator, with no left execution, gives a commitment under identity j. Non-malleability: for every MIM there exists a “simulator” such that the value committed by the MIM is indistinguishable from the value committed by the simulator.

  15. Non-Malleable Commitments [Dolev Dwork Naor'91]
  • Important in practice
  • A “test-bed” for other tasks
  • Applications to MPC

  16. Non-malleable Commitments
  • Original work by [DDN'91]: OWF, black-box techniques, but O(log n) rounds.
  • Main question: how many rounds do we need?
  • With set-up, solved: 1 round from OWF [DIO'99, DKO, CF, FF, …, DG].
  • Without set-up:
  • [Barak'02]: O(1) rounds from subexponential CRH + dense cryptosystems (non-black-box).
  • [P'04, P-Rosen'05]: O(1) rounds using CRH (non-black-box).
  • [Lin-P'09]: O(1)^{log* n} rounds using OWF.
  • [P-Wee'10]: O(1) rounds using subexponential OWF.
  • [Wee'10]: O(log* n) rounds using OWF.

  17. Non-malleable Commitments (summary)
  • Original work by [DDN'91]: OWF, black-box techniques, but O(log n) rounds.
  • Main question: how many rounds do we need?
  • With set-up, solved: 1 round from OWF [DIO'99, DKO, CF, FF, …, DG].
  • Without set-up: O(1) rounds from CRH or subexponential OWF; O(log* n) rounds from OWF.
  • Can we get O(1)-round NMC from OWF?

  18. Main Theorem [Lin-P'10]. Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.
  • Note: since commitment schemes imply OWF, we get unconditionally that any commitment scheme can be turned into one that is O(1)-round and non-malleable.
  • Note: as we shall see, this also weakens the assumptions for O(1)-round secure multi-party computation.

  19. DDN Protocol Idea. The left execution commits C(i, v) under identity i = 01…1 and the right execution commits C(j, v') under identity j = 00…1. The scheduling of messages depends on the bits of the identity, so that the left (“Blue”) execution does not help the right (“Red”) one, and vice versa.

  20. The Idea: what if we could run the message scheduling “in the head”? Let us first focus on non-aborting and synchronizing adversaries (an adversary that never sends an invalid message in the left execution).

  21. Com(id, v), with id = 00101: the committer sends c = C(v), then gives a WI-POK (witness-indistinguishable proof of knowledge) that either it knows v such that c = C(v), or it has “seen” the sequence.

  22. Signature Chains. Consider 2 “fixed-length” signature schemes Sig0, Sig1 (i.e., signatures are always of length n) with keys vk0, vk1. Def: (s, id) is a signature chain if s_0 = r and, for all i ≥ 1, s_i is a signature of “(i-1, s_{i-1})” under scheme Sig_{id_i}. Example: s0 = r; s1 = Sig0(0, s0), id1 = 0; s2 = Sig0(1, s1), id2 = 0; s3 = Sig1(2, s2), id3 = 1; s4 = Sig0(3, s3), id4 = 0.

  23. Signature Games. You are given vk0, vk1 and have access to signing oracles Sig0, Sig1. Record the access pattern to the oracles: its i'th symbol is b if in the i'th interaction you access oracle b. Claim: if you output a signature chain (s, id), then w.h.p. id is a substring of the access pattern.

  24. Com(id, v), with id = 00101. Receiver sends vk0; committer sends r0; receiver returns Sign0(r0). Receiver sends vk1; committer sends r1; receiver returns Sign1(r1). Committer sends c = C(v), then a WI-POK: I know v s.t. c = C(v), or I have “seen” the sequence.

  25. Com(id, v), with id = 00101. Receiver sends vk0; committer sends r0; receiver returns Sign0(r0). Receiver sends vk1; committer sends r1; receiver returns Sign1(r1). Committer sends c = C(v), then a WI-POK w.r.t. id: I know v s.t. c = C(v), or I know a signature chain (s, id).

  26. Non-malleability through dance. The left execution (identity i = 0110…) and the right execution (identity j = 00…1) run through the MIM side by side. In each, the receiver sends vk0, gets r0 and returns Sign0(r0), then sends vk1, gets r1 and returns Sign1(r1); the committer then sends c = C(v) and a WI-POK w.r.t. its own identity (i on the left, j on the right). * In the actual protocol one needs “many” sequential WI-POKs, à la [LP'10].

  27. Dealing with Aborting Adversaries
  • Problem 1: the MIM will notice that I ask him to sign a signature chain. Solution: don't; ask him to sign commitments of signatures instead.
  • Problem 2: I might have to “rewind” many times on the left to get a single signature, so if id = 01011, the access pattern on the right is 0*1*0*1*… (each bit may be repeated). Solution: use 3 keys (0, 1, 2) and require a chain w.r.t. 2 id_1 2 id_2 2 id_3 …
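The chain definition of slide 22, the access-pattern claim of slide 23 and the 3-key separator trick of slide 27 can all be exercised on one small piece of code. The following is an added example, not the Lin-Pass protocol or code from the talk: HMAC-SHA256 with per-scheme secret keys stands in for the fixed-length signature schemes Sig0, Sig1 (and Sig2), which changes only how a link is verified, not the chain structure; a signing-oracle wrapper records the access pattern, a builder produces the chain for a given id, a verifier checks it link by link, and `separated_identity` produces the string 2 id_1 2 id_2 … that the 3-key variant requires. All keys and start values are constructed.

```python
"""Signature chains, access patterns and the 3-key separator (added example, not from the talk).

HMAC-SHA256 stands in for the fixed-length signature schemes of the slides: tags are
always 32 bytes. Unlike a real signature scheme, verification here needs the signing
key; that difference does not affect the chain structure or the access-pattern argument.
"""
import hashlib
import hmac
import secrets


def chain_message(i: int, s_prev: bytes) -> bytes:
    """Unambiguous encoding of the pair (i, s_i) that link s_{i+1} signs."""
    return i.to_bytes(4, "big") + s_prev


class FixedLengthSig:
    """Toy fixed-length 'signature' scheme (HMAC stand-in, 32-byte tags)."""

    def __init__(self, key: bytes):
        self.key = key

    def sign(self, msg: bytes) -> bytes:
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def verify(self, msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(msg), sig)


class SigningOracles:
    """Signing oracles for schemes named by a symbol ('0', '1', and '2' in the 3-key
    variant). Every query appends its scheme symbol to the recorded access pattern."""

    def __init__(self, schemes: dict[str, FixedLengthSig]):
        self.schemes = schemes
        self.access_pattern = ""

    def sign(self, which: str, msg: bytes) -> bytes:
        self.access_pattern += which
        return self.schemes[which].sign(msg)


def build_chain(oracles: SigningOracles, ident: str, r: bytes) -> list[bytes]:
    """s_0 = r and s_{i+1} = Sig_{id[i]}((i, s_i)) (0-indexed version of slide 22).
    Each link needs the previous one, so the queries are forced into the order of id."""
    s = [r]
    for i, symbol in enumerate(ident):
        s.append(oracles.sign(symbol, chain_message(i, s[i])))
    return s


def verify_chain(schemes: dict[str, FixedLengthSig], s: list[bytes], ident: str) -> bool:
    """(s, id) is a signature chain iff every link verifies under the scheme named by
    the corresponding symbol of id."""
    if len(s) != len(ident) + 1:
        return False
    return all(
        schemes[symbol].verify(chain_message(i, s[i]), s[i + 1])
        for i, symbol in enumerate(ident)
    )


def separated_identity(ident: str) -> str:
    """Slide 27's fix for rewinding: demand a chain w.r.t. 2 id_1 2 id_2 ..., so an
    access pattern of the form 0*1*0*1*... (one scheme queried repeatedly) cannot be
    mistaken for a chain over id itself."""
    return "".join("2" + b for b in ident)


def demo(ident: str = "00101") -> tuple[bool, str]:
    """Build and verify a chain for ident; return (valid, observed access pattern)."""
    schemes = {k: FixedLengthSig(secrets.token_bytes(32)) for k in ("0", "1", "2")}
    oracles = SigningOracles(schemes)
    chain = build_chain(oracles, ident, r=secrets.token_bytes(32))  # constructed s_0
    return verify_chain(schemes, chain, ident), oracles.access_pattern
```

Running `demo("00101")` returns a valid chain and the access pattern `00101`, which is the honest case of the slide-23 claim: the only way to obtain s_{i+1} is to query the scheme named by id_i after s_i exists, so a party that presents a valid chain must have touched the oracles in the order id spells out. Changing any symbol of id, any link, or the length makes `verify_chain` reject.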

  28. Main Theorem. Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security. Some applications follow.

  29. Secure Multi-party Computation [Yao, GMW]. A set of parties with private inputs wish to jointly compute a function of their inputs while preserving the privacy of the inputs (as much as possible). Security must be preserved even if some of the parties are malicious.

  30. Secure Multi-party Computation [Yao, GMW]
  • Original work of [GMW87]: TDP, n rounds.
  • More recent: “stronger assumption, fewer rounds”.
  • [KOS]: TDP + dense cryptosystems, log n rounds; TDP + CRH + dense cryptosystems with subexponential security, O(1) rounds, non-BB.
  • [P04]: TDP + CRH, O(1) rounds, non-BB.

  31. NMC vs. MPC. Thm [LPV09]: TDP + k-round “robust” NMC ⇒ O(k)-round MPC. This holds both for stand-alone MPC and for UC-MPC (in a number of set-up models). Corollary: TDP ⇒ O(1)-round MPC.

  32. What's Next? CCA-secure Commitments [CLP'10]: hiding even if the adversary has access to a decommitment oracle; n rounds assuming OWF.

  33. Joint work with Rachel (Huijia) Lin. Hire her!

  34. Thank You
