Rafael Pass Cornell University Concurrency and Non-malleability.
![Page 1: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/1.jpg)
Rafael Pass, Cornell University
Concurrency and Non-malleability
![Page 2: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/2.jpg)
Secure Multi-party Computation [Yao, Goldreich-Micali-Wigderson]
Goal: Allow a set of distrustful parties to compute any functionality f of their inputs, while preserving:
• Correctness
• Privacy
Even when there is no honest majority.
![Page 3: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/3.jpg)
The Classic Stand-Alone Model
One set of parties executing a single protocol in isolation.
![Page 4: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/4.jpg)
But, Life is CONCURRENT
Many parties running many different protocol executions.
![Page 5: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/5.jpg)
The Chess-master Problem [DDN’91]
8am: (first game) … 8pm: (second game) … Lose! Lose!
Similar attack on Crypto protocols!
Win at least 1 (or draw both)
![Page 7: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/7.jpg)
Man-in-the-middle Attacks
Alice (Initiator) <-> MIM (Responder / Initiator) <-> Bob (Responder)
MIM controls the channel between Alice and Bob.
![Page 8: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/8.jpg)
This Talk
• Commitment schemes secure against man-in-the-middle attacks
• Use such commitments to improve SMC
– Better round complexity, also for stand-alone security
– Concurrent security
![Page 9: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/9.jpg)
Commitment Scheme
The “digital analogue” of sealed envelopes.
Sender -> Receiver: Commitment (to v)
Sender -> Receiver: Reveal v
One-way functions are both sufficient and necessary [N’89, HILL’99]
![Page 10: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/10.jpg)
Possible that v’ = v+1, even though MIM does not know v!
Sender -> MIM (Receiver/Sender) -> Receiver
Left execution: C(v); right execution: C(v’)
Messages are arbitrarily interleaved: MIM controls scheduling.
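The slide's point, that a MIM can turn C(v) into C(v+1) without learning v, is easiest to see on a concrete malleable scheme. The following is an added example, not code from the talk: a Pedersen commitment g^v h^r over a constructed toy group (p = 23, q = 11, g = 4, h = 9 are assumptions chosen for readability; a real deployment uses a roughly 256-bit prime-order group, and the discrete log is trivial in this toy group). The mauling step does not depend on the group size: multiplying the commitment by g shifts the committed value by one, and when Alice later opens (v, r) the MIM can open the mauled commitment as (v+1, r).

```python
# Added example (not from the talk): a malleable commitment, showing that a
# man-in-the-middle can turn C(v) into C(v+1) without learning v.
# Pedersen commitment over a toy group: P, Q, G, H are constructed toy parameters.
import secrets

P, Q = 23, 11   # toy: p = 2q + 1 is a safe prime; the quadratic residues form a subgroup of order q
G, H = 4, 9     # two non-identity quadratic residues mod p, hence both of order q

def commit(v: int, r: int) -> int:
    """Pedersen commitment C(v; r) = g^v * h^r mod p."""
    return (pow(G, v, P) * pow(H, r, P)) % P

def fresh_commit(v: int):
    """Sender side: pick the randomness r and return (commitment, opening)."""
    r = secrets.randbelow(Q)
    return commit(v, r), (v, r)

def reveal_ok(c: int, opening) -> bool:
    """Receiver side: check that the opening (v, r) matches the commitment c."""
    v, r = opening
    return commit(v, r) == c

def maul_add(c: int, delta: int) -> int:
    """Man-in-the-middle: from C(v; r) alone, compute C(v + delta; r).
    Multiplying by g^delta shifts the committed value; v and r are never learned."""
    return (c * pow(G, delta, P)) % P

def demo() -> dict:
    """Alice commits to v = 5 on the left; the MIM forwards a related commitment on the right."""
    c, (v, r) = fresh_commit(5)
    c_prime = maul_add(c, 1)
    # Once Alice reveals (v, r), the MIM can reveal (v + 1, r) for c_prime.
    return {
        "honest_open": reveal_ok(c, (v, r)),
        "mauled_open": reveal_ok(c_prime, (v + 1, r)),
        "mauled_is_commit_to_v_plus_1": c_prime == commit(v + 1, r),
    }

if __name__ == "__main__":
    print(demo())
```

The scheme is perfectly hiding and computationally binding, so hiding alone does not protect against this; ruling out such related-value relations is exactly what the non-malleability definitions on the following slides ask for.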
![Page 11: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/11.jpg)
Non-Malleable Commitments [Dolev Dwork Naor’91]
Sender -> MIM (Receiver/Sender) -> Receiver
Left execution: C(v) with identity i; right execution: C(v’) with identity j
Non-malleability: either MIM forwards (v = v’), or v’ is “independent” of v.
![Page 12: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/12.jpg)
Non-Malleable Commitments [Dolev Dwork Naor’91]
Sender -> MIM (Receiver/Sender) -> Receiver
Left execution: C(i, v); right execution: C(j, v’)
Non-malleability: if i ≠ j, then v’ is “independent” of v.
![Page 13: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/13.jpg)
Non-Malleable Commitments [Dolev Dwork Naor’91, P-Rosen’05]
Man-in-the-middle execution: left C(i, v), right C(j, v’)
Simulation: the simulator commits to v’’ on the right, with identity j
Non-malleability: For every MIM, there exists a “simulator” such that the value committed to by the MIM is indistinguishable from the value committed to by the simulator.
![Page 14: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/14.jpg)
Non-Malleable Commitments
• Important in practice
• “Test-bed” for other tasks
• Applications to MPC
![Page 15: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/15.jpg)
Non-malleable Commitments
• Original work by [DDN’91]
– OWF
– black-box techniques
– But: O(log n) rounds
• Main question: how many rounds do we need?
With set-up, solved: 1-round, OWF [Di Crescenzo-Ishai-Ostrovsky’99, DKO, CF, FF, …, DG]
Without set-up:
• [Barak’02]: O(1)-round, Subexp CRH + dense crypto (non-BB)
• [P’04, P-Rosen’05]: O(1) rounds using CRH (non-BB)
• [Lin-P’09]: O(1)^{log* n} rounds using OWF
• [P-Wee’10]: O(1) rounds using Subexp OWF (NM amplification)
• [Wee’10]: O(log* n) rounds using OWF (NM amplification)
![Page 16: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/16.jpg)
Non-malleable Commitments
• Original work by [DDN’91]
– OWF
– black-box techniques
– But: O(log n) rounds
• Main question: how many rounds do we need?
With set-up, solved: 1-round, OWF [Di Crescenzo-Ishai-Ostrovsky’99, DKO, CF, FF, …, DG]
Without set-up:
• O(1)-round from CRH or Subexp OWF
• O(log* n) from OWF
![Page 17: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/17.jpg)
Thm [Lin-P’11]: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.
• Note: Since commitment schemes imply OWF, we get unconditionally that any commitment scheme can be turned into one that is O(1)-round and non-malleable.
• Note: As we shall see, this also weakens the assumptions for O(1)-round secure multi-party computation.
• Even more excitingly: Vipul Goyal independently proved the same result
– very different techniques
– relying on NM amplification
![Page 18: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/18.jpg)
DDN Protocol Idea
Left: C(i, v) with i = 01…1; right: C(j, v’) with j = 00..1
Blue does not help Red and vice versa
![Page 19: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/19.jpg)
The Idea:
What if we could run the message scheduling “in the head”?
Let us focus on non-aborting and synchronizing adversaries
(never send an invalid message in the left execution).
![Page 20: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/20.jpg)
Com(id, v):
c = C(v)
WI-POK: I know v s.t. c = C(v), OR I have “seen” the sequence id = 00101
![Page 21: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/21.jpg)
Signature Chains
Consider 2 “fixed-length” signature schemes Sig0, Sig1 (i.e., signatures are always of length n) with keys vk0, vk1.
Def: (s, id) is a signature-chain if for all i, s_{i+1} is a signature of “(i, s_i)” under scheme Sig_{id_{i+1}}.
Example:
s0 = r
s1 = Sig0(0, s0), id1 = 0
s2 = Sig0(1, s1), id2 = 0
s3 = Sig1(2, s2), id3 = 1
s4 = Sig0(3, s3), id4 = 0
![Page 22: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/22.jpg)
Signature Games
You are given vk0, vk1 and you have access to signing oracles Sig0, Sig1.
Let the access pattern to the oracles be the sequence whose i’th entry is b if in the i’th interaction you access oracle b.
Claim: If you output a signature-chain (s, id), then, w.h.p., id is a substring of the access pattern.
![Page 23: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/23.jpg)
Com(id, v):
Exchange for key 0: vk0, r0, Sign0(r0)
Exchange for key 1: vk1, r1, Sign1(r1)
c = C(v)
WI-POK: I know v s.t. c = C(v), OR I have “seen” the sequence id = 00101
![Page 24: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/24.jpg)
Com(id, v):
Exchange for key 0: vk0, r0, Sign0(r0)
Exchange for key 1: vk1, r1, Sign1(r1)
c = C(v)
WI-POK: I know v s.t. c = C(v), OR I know a sig-chain (s, id) w.r.t. id
![Page 25: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/25.jpg)
Non-malleability through “dance”
Left execution (w.r.t. i = 0110..): c = C(v); vk0, r0, Sign0(r0); vk1, r1, Sign1(r1); WI-POK
Right execution (w.r.t. j = 00..1): c = C(v’); vk’0, r’0, Sign0(r’0); vk’1, r’1, Sign1(r’1); WI-POK
Note: sig keys on L and R might be different; we violate security of the sig game for the key on R.
![Page 26: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/26.jpg)
Dealing with Aborting Adversaries
Problem 1:
– MIM will notice that I ask him to sign a signature chain
– Solution: Don’t. Ask him to sign commitments of sigs… (need to add a POK of the commitment to prove the sig-game lemma)
Problem 2:
– I might have to “rewind” many times on the left to get a single signature
– So if I have id = 01011, the access pattern on the right is 0*1*0*1*…
– Solution: Use 3 keys (0, 1, 2); require a chain w.r.t. 2 id1 2 id2 2 id3 …
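To make the signature-chain definition, the access-pattern claim of the Signature Games slide, and the 3-key fix for Problem 2 concrete, here is an added example (not code from the talk). It assumes each Sig_b is stood in for by HMAC-SHA256 under a per-scheme secret key, which gives fixed-length 32-byte tags; a real instantiation would use a fixed-length signature scheme with public keys vk_b so that anyone holding vk_b can run the chain verifier. The oracle wrapper records which scheme was queried in each interaction, the chain builder produces s_0 = r, s_{i+1} = Sig_{id_{i+1}}("(i, s_i)"), and the demo shows why the padding 2 id1 2 id2 … helps: a rewinding-induced pattern such as 0*1*0*1*1* can contain a different unpadded identity, but cannot contain a padded one. The "rewound" access patterns in the demo are constructed by hand.

```python
# Added example (not from the talk): signature chains, the signing-oracle access
# pattern, and the 3-key padding. Sig_b is stood in for by HMAC-SHA256 (assumption).
import hashlib
import hmac
import os

SIG_LEN = 32  # "fixed-length" signatures: every tag is exactly 32 bytes

class FixedLengthSig:
    """Stand-in for a fixed-length signature scheme (HMAC-SHA256 under a secret key)."""
    def __init__(self):
        self._key = os.urandom(32)

    def sign(self, msg: bytes) -> bytes:
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def verify(self, msg: bytes, sig: bytes) -> bool:
        return len(sig) == SIG_LEN and hmac.compare_digest(self.sign(msg), sig)

class SigningOracles:
    """Oracle access to Sig_0, Sig_1, ... that records the access pattern:
    entry i is the index b of the scheme queried in the i'th interaction."""
    def __init__(self, schemes):
        self.schemes = schemes
        self.access_pattern = []

    def query(self, b: int, msg: bytes) -> bytes:
        self.access_pattern.append(b)
        return self.schemes[b].sign(msg)

def encode_pair(i: int, s_i: bytes) -> bytes:
    """Unambiguous encoding of the message "(i, s_i)" that gets signed."""
    return i.to_bytes(4, "big") + s_i

def build_chain(oracles: SigningOracles, r: bytes, ids) -> list:
    """s_0 = r and s_{i+1} = Sig_{id_{i+1}}("(i, s_i)"), obtained through the oracles."""
    s = [r]
    for i, b in enumerate(ids):
        s.append(oracles.query(b, encode_pair(i, s[i])))
    return s

def verify_chain(schemes, s, ids) -> bool:
    """Check that (s, id) is a signature chain w.r.t. the given schemes."""
    if len(s) != len(ids) + 1:
        return False
    return all(schemes[b].verify(encode_pair(i, s[i]), s[i + 1])
               for i, b in enumerate(ids))

def is_substring(pattern, ids) -> bool:
    """Does ids occur contiguously inside the access pattern?"""
    ids, n = list(ids), len(ids)
    return any(pattern[k:k + n] == ids for k in range(len(pattern) - n + 1))

def pad_with_key2(ids) -> list:
    """3-key trick: the chain must be w.r.t. 2 id_1 2 id_2 2 id_3 ..."""
    padded = []
    for b in ids:
        padded += [2, b]
    return padded

def demo() -> dict:
    schemes = [FixedLengthSig(), FixedLengthSig(), FixedLengthSig()]
    oracles = SigningOracles(schemes)
    ids = [0, 1, 0, 1, 1]                       # id = 01011, as on the slide
    chain = build_chain(oracles, os.urandom(16), ids)
    tampered = chain[:]
    tampered[2] = bytes(b ^ 0x01 for b in tampered[2])   # flip one bit of s_2
    # Constructed patterns: rewinding on the left repeats some oracle accesses, so the
    # honest id 01011 shows up as 0*1*0*1*1*, here 0,0,1,0,1,1,1 (no padding) and
    # 2,2,0,0,2,1,2,0,2,2,1,1,2,1 (with the key-2 padding).
    rewound = [0, 0, 1, 0, 1, 1, 1]
    rewound_padded = [2, 2, 0, 0, 2, 1, 2, 0, 2, 2, 1, 1, 2, 1]
    other_id = [0, 0, 1, 0]                      # a different identity, 0010
    return {
        "chain_verifies": verify_chain(schemes, chain, ids),
        "tampered_fails": verify_chain(schemes, tampered, ids),
        "id_in_access_pattern": is_substring(oracles.access_pattern, ids),
        "other_id_found_in_rewound": is_substring(rewound, other_id),
        "other_id_found_after_padding": is_substring(rewound_padded, pad_with_key2(other_id)),
    }

if __name__ == "__main__":
    print(demo())
```

The last two entries of the demo are the point of Problem 2: without padding, the repeated accesses caused by rewinding make the reduction's own access pattern contain identities it never intended to "see", so the substring claim would let a right identity j ≠ i be forged; with every identity bit separated by a query to key 2, a padded identity can only appear as a substring if each bit is queried exactly once between two key-2 queries.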
![Page 27: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/27.jpg)
Dealing with Non-synchronizing Adversaries
Not hard; same technique as in LP’09
Just add more WI-POKs…
Will return to this point later.
![Page 28: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/28.jpg)
Main Technique
Exploit the rewinding pattern (instead of just the location)
Thm: Assume one-way functions. Then there exists a O(1)-round non-malleable commitment with a black-box proof of security.
Some extensions:
![Page 29: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/29.jpg)
Concurrent Non-Malleable Commitments [P-Rosen’05, Lin-P-Venkitasubramaniam’09]
Left: C(i1, v1), C(i2, v2), …, C(im, vm) with identities i1 … im
Right: C(j1, v’1), C(j2, v’2), …, C(jn, v’n) with identities j1 … jn
Messages are arbitrarily interleaved: MIM controls scheduling.
To deal with copying: if ik = jl, then v’l =
For any two choices of the left values v1 … vm, the view + values committed to by the MIM are indistinguishable.
![Page 30: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/30.jpg)
One-Many Non-Malleability
Left: C(i, v); right: C(j1, v’1), C(j2, v’2), …, C(jn, v’n)
Thm [PR’05, LPV’08]: One-many NM implies Concurrent NM.
Our O(1)-round construction is also concurrent NM.
![Page 31: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/31.jpg)
One-Many Non-Malleability
Two experiments, each with left C(i, v) and right C(j1, v’1), C(j2, v’2), …, C(jn, v’n)
SAME protocol LEFT and RIGHT!
{views + values} in the two experiments
![Page 32: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/32.jpg)
Robust Non-Malleability w.r.t. k-round protocols [Lin-P’09]
Two experiments, each with an arbitrary k-round protocol (• • •) on the left and C(j1, v’1), C(j2, v’2), …, C(jn, v’n) on the right
IF the two left k-round interactions are indistinguishable, THEN {views + values} on the right are indistinguishable
DEF: Com is “robust” if it is Robust NM w.r.t. 4-round protocols
EASY to satisfy if Com has more than k rounds!
![Page 33: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/33.jpg)
Secure Multi-party Computation [Yao, GMW]
Original work of [Goldreich-Micali-Wigderson’87]
– TDP, n rounds
More recent: “Stronger assumption, fewer rounds”
– [Katz-Ostrovsky-Smith’02]
• TDP, dense cryptosystems, log n rounds
• TDP, CRH + dense crypto with SubExp security, O(1) rounds, non-BB
– [P’04]
• TDP, CRH, O(1) rounds, non-BB
Non-malleability is implicitly used in all these works!
![Page 34: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/34.jpg)
NMC vs. SMC
Thm [Lin-P-Venkitasubramaniam’09]: TDP + k-round robust NMC implies O(k)-round SMC
Holds both for stand-alone MPC and UC-SMC (in a number of set-up models)
Corollary: TDP implies O(1)-round SMC
![Page 35: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/35.jpg)
Back to Concurrent SMC
![Page 36: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/36.jpg)
UC security [Canetti’01]
Running the protocol π in the concurrent setting (adversary A, environment Z, which also runs other protocols ρ) is “as correct & private as” computing f using a trusted party in the concurrent setting (simulator S, environment Z).
S simulates the view of A, and the outputs of the honest parties are the same in the two worlds.
Both A and S are required to be PPT.
![Page 37: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/37.jpg)
UC security [Canetti’01]
Simulator S needs to:
• “extract” A’s input without disturbing the execution with Z (straight-line extraction)
• while ensuring that the inputs of the honest parties remain hidden (“non-malleability”).
![Page 38: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/38.jpg)
The State of UC Security
• Secure 2-party computation impossible! [Canetti-Kushilevitz-Lindell’03]
– And even for somewhat weaker models [Canetti-Fischlin’02, Lindell’03, Lindell’04, Barak-Prabhakaran-Sahai’06]
– Intuition: If S can “straight-line” extract inputs, then so can the attacker.
• Possible: with limited “trusted help”
– Trusted set-up models: Honest majority [BGW88, CCD88, BR89, DM00], CRS [BFM, CLOS], PKI [BCNP], Timing model [DNS, KLP], Tamper-proof Hardware [K], …
– Thm [Lin-P-Venkitasubramaniam’09]: Use Robust NM Com to get a crisp and essentially tight characterization (assuming TDP) of when a set-up can be used to get UC SMC.
• Essentially all known UC SMC results follow as a corollary, with improved computational assumptions and round complexity.
• Can mix and match set-ups! [Garg, Goyal, Jain, Sahai, yesterday]
![Page 39: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/39.jpg)
Who can you trust?
![Page 40: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/40.jpg)
Super-Poly Time Simulation (SPS) [P’03]
Allow a super-poly-time security reduction. (We know a poly-time security reduction is impossible.)
Possible! [(P’03), Prabhakaran-Sahai’04, Barak-Sahai’05, Lin-P-Venkitasubramaniam’09]
But, using strong hardness assumptions.
Still, meaningful in many (most) cases.
![Page 41: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/41.jpg)
Prabhakaran-Sahai’04
Simulator S needs to:
• “extract” A’s input without disturbing the execution with Z
• while ensuring that the inputs of the honest parties remain hidden.
Assume an “id-based hash function”: hard to find a collision w.r.t. id even if you have oracle access to someone who finds random collisions w.r.t. any other id’ ≠ id.
Use the collision-finding oracle to extract in super-poly time!
Honest inputs remain hidden by security of the id-based hash.
![Page 42: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/42.jpg)
CCA-Secure Commitments [Canetti-Lin-P’10]
Left: C(x) with identity i, received by A. Right: A sends C(y1), C(y2), C(y3) (identities j1, …) to the oracle O, which returns the committed values y1, y2, y3.
Chosen-Commitment-Attack (CCA) security:
Either A copies the left identifier to the right,
Or the LHS is hiding --- view of A indistinguishable
![Page 43: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/43.jpg)
Concurrent Non-Malleable Commitments
Left: C(x) with identity i, received by A. Right: A sends C(y1), C(y2), C(y3) (identities j1, …), with committed values y1, y2, y3.
Non-Malleability:
Either A copies the left identifier to the right,
Or view of A + (y1, y2, y3) indistinguishable
CCA security implies Conc Non-Malleability
![Page 44: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/44.jpg)
Thm [CLP’10]: Existence of OWF implies O(n^)-round robust CCA-secure commitments
– Need to deal with both NM and “nesting” of executions à la Concurrent ZK [Dwork-Naor-Sahai’99]
– Rely on the original message-scheduling technique of [Dolev-Dwork-Naor’91] + ideas behind the concurrent ZK simulation of [Richardson-Kilian’01]
Thm [CLP’10]: Robust CCA-secure commitments + OT implies SPS-secure SMC
Open:
• O(1)-round CCA-secure commitments from OWF?
![Page 45: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/45.jpg)
More Open(-ended) Open Questions:
• What is the right definition of concurrent security (without trusted set-up)?
• SPS security provides weak guarantees on the “computational advantages” gained by an adversary
– Sufficient when security in the ideal model is information-theoretic (or just sufficiently “strong”)
– But not sufficient to preserve security of “moderately-hard” properties
• “Rewindable TTP” [Goyal-Sahai’08, Goyal-Jain-Ostrovsky’10]
– Need very efficient precise simulations [Micali-P’06]
– Currently best concurrent simulation: ω(1) “rewindings” [Pandey-P-Sahai-Tseng-Venkitasubramaniam’08]
• Can we compose different security notions?
![Page 46: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/46.jpg)
The Dark Side of Concurrency
Don’t worry: Lower bounds
![Page 47: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/47.jpg)
Lower Bounds using Concurrency
Security reduction R from breaking B to breaking intractability assumption C
Black-box reduction: R^O breaks C whenever O breaks B (C sends a challenge r; R^O answers f(r))
For some classic protocols/tasks (sequential WH of classic ZK protocols, active security of Schnorr’s identification scheme, selective decommitment problem, Chaum’s blind signatures…) no security reductions are known under ANY 2-round intractability assumption.
Thm [P’11]: If there exists a BB reduction (but potentially non-BB construction) from a poly-round intractability assumption C, then C can be broken in poly time.
Why concurrency? The reduction can nest its calls to O. Concurrent simulation techniques are very useful here!
![Page 48: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/48.jpg)
Thank You
![Page 49: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/49.jpg)
Overview of Our Construction
Left: C(x) with identity i, received by A. Right: A sends C(y1), C(y2), C(y3) (identities j1, …) to the helper H, which returns y1, y2, y3.
Design a protocol s.t. H can be efficiently simulated (by rewindings).
Then, Hiding implies CCA security.
But,
1. A may ask new messages in the LHS --- LHS not hiding anymore (NM; handled by rewindings)
2. A may nest oracle calls --- extraction time explodes (conc. ZK; handled by rewindings)
![Page 50: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/50.jpg)
Secure Multi-party Computation [Yao,GMW]
A set of parties with private inputs.
Wish to jointly compute a function of their inputs while preserving privacy of inputs (as much as possible)
Security must be preserved even if some of the parties are malicious.
![Page 51: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/51.jpg)
What’s Next – Concurrency for General Interaction
![Page 52: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/52.jpg)
What’s Next – Adaptive Hardness
Consider the Factoring problem:
• Given the product N of 2 random n-bit primes p, q, can you provide the factorization?
Adaptive Factoring Problem:
• Given the product N of 2 random n-bit primes p, q, can you provide the factorization, if you have access to an oracle that factors all other N’ that are products of equal-length primes?
Are these problems equivalent? Unknown!
![Page 53: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/53.jpg)
What’s Next – Adaptive Hardness
Adaptively-hard Commitments [Canetti-Lin-P’10]
• Commitment scheme that remains hiding even if the adversary has access to a decommitment oracle
• Implies Non-malleability (and more!)
Thm [CLP’10]: Existence of commitments implies O(n^)-round Adaptively-hard commitments
![Page 54: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/54.jpg)
Without Trusted Set-up
• Specific tasks and attacks:
– Concurrent Zero-knowledge [Dwork-Naor-Sahai, Richardson-Kilian, Kilian-Petrank, Prabhakaran-Rosen-Sahai, Barak’01, …]
– Non-malleable Commitments [Dolev-Dwork-Naor’91, …]
• Relaxed notions of security:
– E.g., “super-poly simulation”, “angel-based security”, “input indistinguishability” [P03, Prabhakaran-Sahai’04, Barak-Sahai’05, Micali-P-Rosen’06, Lin-P-Venkitasubramaniam’09, Canetti-Lin-P’10]
![Page 55: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/55.jpg)
Angel-Based Security [Prabhakaran-Sahai’04]
Angel: A restricted super-poly-time oracle performing some specific, system-dependent task,
e.g. find a collision of a CRH as long as the colliding inputs include the id of the requesting party.
Simulator and Adv. both receive help from an angel.
Possible [Prabhakaran-Sahai’04, Malkin-Moriarty-Yung’06, Barak-Sahai’05]! But, even stronger assumptions, e.g. adaptively hard CRH.
Composable.
![Page 56: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/56.jpg)
Zero Knowledge [Goldwasser-Micali-Rackoff’85]
• Interactive protocol between a Prover and a Verifier where the Verifier learns nothing except the proof statement
![Page 57: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/57.jpg)
Zero Knowledge [Goldwasser-Micali-Rackoff’85]
• For every PPT V* (adversary) there is a PPT simulator S:
the View of V* with the Prover and the View generated by S are Indistinguishable
![Page 58: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/58.jpg)
Concurrent ZK (cZK) [Dwork-Naor-Sahai’01]
Many interleaved sessions of V* with the Prover; the View of V* with the Prover and the View generated by S must be indistinguishable
![Page 59: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/59.jpg)
Classic ZK Protocol [Feige-Shamir’90]
Prover <-> Verifier
INIT: Commit to a random secret σ
Slot: Proof of Knowledge of σ
END: Modified proof where σ is a trapdoor: WI proof that x ∈ L or I know σ
![Page 60: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/60.jpg)
Classic ZK Protocol [Feige-Shamir’90]
Simulator <-> Verifier V*
INIT: Commit to a random secret σ
Slot: Proof of Knowledge of σ; Rewind the Slot, 2nd time: Extract σ
END: Give proof using σ
What about cZK?
![Page 61: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/61.jpg)
Concurrent Zero Knowledge
Simulator <-> Verifier V*
3 nested sessions: rewinding here => redo the work of the nested sessions
Takes time O(2^(# nestings)) [KPR’00]
![Page 62: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/62.jpg)
Richardson-Kilian
Protocol: INIT, several slots, END
• Need to extract σ for every session.
• Easier if there are more slots.
– Cannot “nest” inside all slots
• Rewinding any one slot extracts σ.
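The blow-up of the previous slide and the Richardson-Kilian remedy can be reproduced with a small cost model. This is an added example, not code from the talk, and the model is a constructed abstraction: a session is a list of slots, each slot listing the sessions the adversary schedules entirely inside it; running a slot once costs one unit plus the cost of simulating whatever is nested in it, and extracting a session's σ means rewinding one of its slots, i.e. running it a second time, so nested sessions inside the rewound slot have to be simulated again. The one-slot simulator rewinds its only slot and doubles the nested work at every level; the multi-slot simulator runs every slot once and then rewinds the cheapest slot, which, for the slide's chain of nested sessions, is an empty one.

```python
# Added example (not from the talk): cost model for simulating nested cZK sessions.
# Constructed abstraction; the real KPR'00 / RK'01 simulators are more involved.
from dataclasses import dataclass, field
from typing import List

@dataclass
class Session:
    # slots[k] lists the sessions the adversary opens and closes inside slot k
    slots: List[List["Session"]] = field(default_factory=list)

def slot_cost(slot, simulate) -> int:
    """Cost of running one slot once: 1 unit + simulating every session nested in it."""
    return 1 + sum(simulate(child) for child in slot)

def naive_cost(session: Session) -> int:
    """One-slot (Feige-Shamir style) simulation: each slot is run, then rewound once,
    so all nested work inside the rewound slot is redone -> doubling per nesting."""
    return sum(2 * slot_cost(slot, naive_cost) for slot in session.slots)

def rk_cost(session: Session) -> int:
    """Richardson-Kilian style: run all slots once, then rewind only the cheapest slot.
    With more slots than the adversary can nest into, some slot is empty and the
    rewind costs a single unit."""
    costs = [slot_cost(slot, rk_cost) for slot in session.slots]
    return sum(costs) + min(costs)

def nested_chain(nestings: int, slots_per_session: int) -> Session:
    """Adversary schedule from the slide: each session is opened entirely inside
    the first slot of the enclosing one; the remaining slots stay empty."""
    inner = None
    for _ in range(nestings + 1):
        slots = [[] for _ in range(slots_per_session)]
        if inner is not None:
            slots[0].append(inner)
        inner = Session(slots)
    return inner

def compare(nestings: int) -> dict:
    """Simulation cost of the one-slot protocol vs. a two-slot protocol."""
    return {
        "one_slot_naive": naive_cost(nested_chain(nestings, 1)),
        "two_slots_rk": rk_cost(nested_chain(nestings, 2)),
    }

if __name__ == "__main__":
    for k in (1, 3, 10):
        print(k, compare(k))   # one-slot cost grows like 2^k, two-slot cost like 3k
```

With a single slot per session `rk_cost` and `naive_cost` coincide, which is the point of the slide: the extra slots are what give the simulator a place to rewind that the adversary could not fill with nested work.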
![Page 63: Rafael Pass Cornell University Concurrency and Non-malleability.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c745503460f9492715f/html5/thumbnails/63.jpg)
Concurrent Zero-knowledge
A set of parties with private inputs.
Wish to jointly compute a function of their inputs while preserving privacy of inputs (as much as possible)
Security must be preserved even if some of the parties are malicious.