Date post: 21-Dec-2015

1

Collusion Free Protocols

Joël Alwen

2

Parallel Terminology and Goals

Cryptography
• Goal: Compute a joint functionality
  – How? Protocol.
  – Private Input
• Players: Honest or Malicious
• A protocol is “good” if it is indistinguishable from using the ideal functionality.

Game Theory
• Goal: Play a game
  – How? Strategy.
  – Type (called game of incomplete information)
• Players: Rational
• Strategies are “good” if they are stable (i.e. they form an equilibrium because deviations are irrational)

3

Cryptography: Multi-party Computation

“Protocol realizes functionality F”

Real Players:
1) Get Private Input
2) Interact (run protocol)
3) Compute Private Output

Ideal Players:
1) Get Private Input
2) Send it to “Ideal Functionality” F
3) Receive Private Output

F takes input from players, evaluates the function and hands back the private outputs. It can be probabilistic, and/or reactive with a secret internal state.

4

Many Security Definitions

• GMW – Computational assumptions.
• BGW, CCD, BR – Physical assumptions.
• CFGN – Adaptive corruptions.
• C, CLOS – Universally Composable.

GMW87: if the ideal and real executions are indistinguishable, the protocol is secure (“Adversary Power Preservation”).

Same Security Paradigm

5

(Traditional) Monolithic Adversary

• All corrupt real parties controlled by one evil puppet master. Ideal counterparts all controlled by one simulator.

The protocol is secure if for any evil puppet master their simulator outputs a (fake) view such that:

{FakeView, Ideal-I/O} is indistinguishable from {View, Real-I/O}

[Figure: real execution producing View and output; ideal execution with F and the simulator producing FakeView]

6

Poker Example

“Whatever the real Adv can [learn / influence], the ideal Adv can too.” Not enough!

[Figure: Real 2-Adv and Real k-Adv versus Ideal 2-Adv and Ideal k-Adv; the ideal players trust F]

7

Power Preservation is too little if Ideal power is too much.

NEED NEW SECURITY!

[Figure: ideal players trusting F, one colluder telling another “These are my cards”]

8

Goal

» No (undetectable) collusion! “Every adversary acts on his own!”

Evil Without Collusion

9

What is a Collusion?

• Intuitively: some “illegal” correlation between players’ actions or knowledge. In other words, a joint computation beyond what is computed by the ideal functionality.
• Example: secretly share information with each other (a.k.a. steganography)
  – Example: showing your cards to another player in poker.
• Or coordinate their strategies.
  – Example: Use pre-arranged randomness in a commitment. Now it looks correct to a third party but is not hiding for the colluder.

10

A New Idea: Individual Adversaries

• Monolithic adversaries are already perfectly colluding. So too strong.
• Idea: Corrupt players act separately. Each has their own simulator. Joint “fake views” still remain indistinguishable.

{ {FakeView}, Ideal-I/O} is indistinguishable from { {View}, Real-I/O}

Intuition: Anything they can compute together with the protocol they can also compute with F.

[Figure: several corrupt players, each with its own View in the real execution and its own simulator producing a FakeView from F in the ideal execution]

11

Applications

• Practical

• Theoretical (Game Theory)

12

Collusions? Who cares?

• Practically: Auctions
  – Collusions can minimize the winning bid, which minimizes the revenue of the auction house.
  – Example: Spectrum auction of the FCC
• Online Poker House
  – Two players could share information about their hands, thereby giving them a distinct advantage over the others.
• Enforcing Anonymity?

13

Collusions in Game Theory

• Recall: Nash Equilibria (NE).
  – Means all unilateral deviations are irrational
• But this is not robust against collusions.
  – In particular, a bilateral deviation might be rational
• Equilibria which remain robust against collusions are more desirable (stronger).
• Much research has gone into “realizing” certain games with “cheap talk” (i.e. a fully connected network). Recently also robust against deviations by collusions of bounded size. [Hel05, ADHG06, ADH08]

14

Game Theoretic Applications (1)

• Goal: Play extensive form game
  – Game viewed as a state diagram in the form of a tree
  – Each level corresponds to the player whose turn it is.
  – Edges correspond to moves
  – Nodes correspond to the current game state.
• Idea: Playing the game means traversing the tree to a leaf. So use some cryptographic protocol to compute the state transition function R of the game.

R : Game State X Move → Game State X Outputs

  – Assume the protocol is correct, private and fair. Enough? No.

[Figure: game tree; state S where Player 1 chooses Move A or Move B, leading to states S where Player 2 chooses among Move C, Move D and Move E]

15

Bayesian Games

1. Bayesian Games. (Roughly speaking: games where players have an initial secret, a.k.a. type.)
  • Poker: your cards
  • Auction: how much you are willing to pay
  – If the protocol allows collusion then while computing the first call of R corrupt players can (steganographically) exchange their types. Thus in the protocol they soon have more information than in the ideal game and so the games are not the same.

The protocol must also be collusion free (CF).

16

Game of Imperfect Information

2. Games of Imperfect Information (i.e. games in which players do not perfectly observe the actions of other players.)
  – There is at least one node such that at least one player has some uncertainty about which state the game is currently in.
  – Example: Five Card Draw (Trading 0-3 cards secretly)

[Figure: game tree; state S where Player 1 chooses Move A or Move B, leading to two Player 2 states S, each with Move C and Move D]

  – Collusions while running the protocol could allow corrupt players to tell each other extra information about their moves.

17

Mediated Games

3. Goal: Play a Mediated Game (MG) with minimal trust.

Idea: Remove the mediator M. Jointly compute its functionality M via a cryptographic protocol.

• Example: Correlated Equilibria (CE) for games of incomplete information [Aum87]
• Example: Playing a NE in a Mediated Game.

18

OK. Let’s do it.

19

“Main Problem”: STEGANOGRAPHY

Protocols’ INTRINSIC Private Communication

20

Entropy makes steganography possible (provably! [HLA])

Security needs entropy [GM]

Communication: Wanted: PROTOCOLS. Unwanted: COLLUSIONS.

21

“Model”

Computationally Secure (Encryption+Broadcast): Collusions Possible (traditional)

Physically Secure (Perfect channels): Collusions Possible (traditional)

Computationally & Physically Secure (Encryption+Broadcast+Envelopes) [LMPS, LMS]: Collusions PROVABLY Impossible!

22

Approach 1

• Forced Action

• New Communication Channels

• [LMPS04, LMS05, ILM05, ILM08]

23

“Main Problem”: STEGANOGRAPHY

“Main Solution”: Verifiable Determinism

24

Pre-Processing, then Protocol: Verifiable Determinism

25

[LMS] THM: Trapdoor Perms & Envelopes → All Finite Protocols Collusion-Free

Proof: (Semi-Simple) [GMW] + [DMP] + …

COLLUSION FREENESS ALWAYS AVAILABLE!

26

ZK ushers in Steganography!

ZK: prove that you are following the honest ITMi. This proof requires randomness! (“if my ZK proof has 31 0s, I have aces”)

Wanted: Steganography-less ZK. “Essentially Possible Here”

27

ZK Preprocessing

Ready for a 3-CNF formula with n vars:

1. Commit to n pairs of bits C(b,R), one bit per side L and R, e.g.
   X1: L=0 R=1
   X2: L=1 R=0
   …
   Xn: L=1 R=0
   (2n commitments; a side is referred to as e.g. X1R, X2L, XnR)
2. For all triples, commit to the OR, e.g. (X1R, X2L, XnR) = (1, 1, 0) → OR 1; (X1L, X2R, XnR) = (0, 0, 0) → OR 0. (8n^3 commitments)
3. Interactive ZK Proof (All Commitments Correct)

SK = corresponding Rs
PK = Public Commitments

28

Unique ZK Proof (with PK)

PUBLIC formula, e.g. (X1 X2 X12)(X2 X32 X112) … (X3 X5 X6), and a PRIVATE witness w.

1. Specify L/R for each var, e.g. X1: (T), X2: (F), X112: (T).
2. For each clause, 1 opening: retrieve the right OR, e.g. for (X1 X2 X112) open X1R, X2L, X112R.

Everything opened should be 1.

For each (PK, formula, w), ONLY 1 PROOF IS ACCEPTED!

For theorems with 1 witness, only 1 proof is accepted!

29

Information Theoretic Realization

• Crypto: [ILM05, ILM08]
  – Communication model: Envelopes and Ballot-box
• Players sit at a round table and create, (simultaneously) exchange, permute, open and reseal envelopes and super-envelopes. The ballot-box provides perfectly secret random permutations.

30

Verifiable Secure Devices

• Culmination: “Verifiable Secure Devices” [ILM08]
  – Introduces a verifiable “computer”.
  – First true ideal game emulation.
  – Avoids “Randomness Pollution”
    • Prevents attacks like signaling via aborts conditioned on the value of the random string, and prevents the introduction of new equilibria (e.g. CE).
  – Can realize any Mediated Game securely with robustness against player aborts
    • Soft setting: abort is announced but computation continues.
    • Hard setting: abort remains secret.
    • In both cases some default input is used for the aborting user.

31

Problems

• Major:
  1. If players sit facing each other it is impossible to avoid side channels. Yet there are no digital analogues of the primitives.
  2. If players meet in real life, avoiding “Randomness Pollution” is very difficult.
• Minor: Set of simulators depends on set of adversaries.
  – Alice and Bob could use the protocol to compute any functionality which doesn’t depend on their views during the protocol.
    • Example: Use the protocol to exchange information unrelated to G.
    • Permitted: Simulators “know” who is corrupt and in which way. (Just not their secret inputs and views.)
    • Note, this is not a problem for the game theoretic applications mentioned above. But…
  – Better: Simulators independent of the remaining set of adversaries.
    • Allows for further (or more robust) applications.
    • Example: Online Poker. Players can no longer use the protocol to secretly exchange phone numbers. (i.e. anonymity can now be preserved in the protocol.)

32

A New Solution Concept

• Goal: avoid steganography
  – If colluders cannot exchange any extra information in the protocol beyond that in G, then simulation of the protocol can be done locally when playing only G.
• Idea: the channel re-randomizes communication
  – Thus the bandwidth of messages in the protocol is exactly controlled.

33

Quick Example: Commitments

• Let c := Com(m,r) with len(c) ≥ k
• Not CF. Too much correlation in real world views.
• Fix: Let Com(c,r’) = c’
• Then c’ hides both m and r. So views are independent except for the bit “committed”.

[Figure: the committer sends c for m to Fcom, which reports “committed”; with re-randomization the channel forwards c’ = Com(c, r’) instead of c, and Fcom still reports only “committed”]

34

Mediated Model

• New Communication Model
  – Channel (called mediator) modeled as a corruptible Turing Machine (written PM).

[Figure: players connected to F through the mediator]
  – Honest parties don’t use the blue communication lines. (Corrupt ones can.)
  – F: Uncorruptable (ideal) functionality
  – Mediator honest: ideal players are separated.
  – Mediator corrupt: the ideal adversary can perfectly coordinate through the mediator, but F is still correct and private!

35

Security Definition

The protocol is a collusion free realization of F if: for all real world players Pi there exists an ideal world simulator Si such that for any set A of corrupt parties (a subset of {1,..,n}), for all input vectors (x1,..,xn) and all auxiliary input vectors (aux1,..,auxn), the set {Si} for i in A of simulators produces fake views of the protocol such that:

{ {FakeView}, Ideal-I/O} is indistinguishable from { {View}, Real-I/O}

The protocol is called secure if there is a simulator SM for the mediator PM such that for any subset A of {1,..,n,M} the above equation holds.

36

Dealing with Aborts

• Problem: Aborts can be used for signaling information (round number)
• Solution 1: Aborts not allowed
  – Easy, clean
  – OK for some applications
    • Example: Games with dominant punishment strategies, where aborting is never rational.
  – Not very robust.
• Solution 2: If any player aborts then all players abort.
  – Previously used in the cryptographic literature
  – Easy, clean but still not robust

37

Model Aborts Explicitly

• Solution 3: Ideal world has a special abort message (“Pi with code j”) sent by Pi or PM and immediately distributed to the rest by F.
  – More complicated
  – But makes security guarantees explicit.
    • PM can force aborts.
    • Aborts have more bandwidth than just one bit. Thus “with code j” corresponds to the real world round number of the abort.
  – Potentially more robust.
    • Can now design F which withstands/deals with aborts.
    • Can realize the “soft setting” from ILM08.

38

Authentication

• Problem: Mediator can alter the original message or even create fake new ones.
  – Man-in-the-middle, hijack attacks, etc.
• Solution 1: Assume perfectly authenticated channels. [GMW87, BGW88]
  – Strong assumption but clean
  – Requires point to point connections though

39

Authentication Solution

• Solution 2: Verifiable Authenticated Channels
  – Each message is associated with a receipt which can later be verified.
  – Messages prefixed by session ID and round number. (Like UC)
  – Example: Signature (Gen, Sig, Ver) to implement FAC
    • m = message, tag = Sig(sid || rid || m)
    • Mediator sends m to the recipient and uses a ZKPoK to prove it knows a valid tag with the expected prefix.
  – ZK doesn’t reveal info about the tag (Collusion Free)
  – PoK, Sig: M can’t forge messages

[Figure: the sender, holding SK, computes t := Sig(sid || rid || m) for m := “Tea for two?” and sends (m, t) to the mediator; the mediator forwards “m: from Stevo” to the recipient, who holds VK, together with a ZKPoK: Know t s.t. VerVK(t,m) = 1; in the ideal world FAC delivers the same “m: from Stevo”; the mediator’s speech bubble reads “Hehehe...”]

40

Setup Phase

• Goal: Establish signature key file F
  – Keys should be “honestly” generated to avoid signaling via bits in VK.
• Idea: Preprocessing phase
  – Construct F. Distribute F. Begin the protocol.

[Figure: key generation for player i]
  Com(r1) = c is sent
  r2 is sent back
  (VKi, SKi) = Gen(r1r2); VKi is sent
  ZKPoK: Know Dec(c) = r1 s.t. r1r2 generates VKi
  F.add(i, VKi)

41

Caveat: Distribute F

• As stated there are only point to point channels. So PM could distribute different copies of F to each player!
  – Results in a forking capability of PM in the ideal world, like [BCLPR]
• For simplicity restrict PM to sending the same (possibly altered) F’ to all players.
  – Same as assuming the existence of an append-only (by PM) but publicly viewable BBS where PM publishes F’. [OpenVote, Prêt à Voter, Chaum04, Neff06, …]

42

Still Collusion Free?

• Problem: File F is in the view of all real world players. How to simulate this independently?
• Solution: Give all simulators read access to a common random tape R.
  – Individual simulation is only an issue if the mediator is honest. (Else the simulators use the lines to communicate.)
  – But if the mediator is honest then all PKs are generated with a random string (coin flipping)
  – Interpret R = R1 || .. || Rn. Use rewinding to fix the output of the i-th coin flipping to Ri.
  – By soundness, the i-th key of all separate simulations will be equal.
• Minimal coordination between simulators.
  – Compare to the previous def: each simulator depends on the remaining set of simulators. Much weaker coordination!

43

CF-Commitments

• Goal: CF-realize the FCOM functionality.
• Idea: Construct it through the mediator:

  Commit phase
    C → PM: Com(m,r) = c, with ZKPoK: know m, r for c
    PM → R: Com(c,r’) = c’, with ZK: know tag for Dec(c’)
    (ideal world: C sends m to Fcom, which tells R “stevo committed”)
  Decommit phase
    C → PM: Dec(c) = (m,r)
    PM → R: m, with ZK: know r and r’ s.t. c’ = Com(Com(m,r),r’) and tag for m
    (ideal world: C sends “decommit” to Fcom, which tells R “From Stevo: m”)

• It randomizes: CF
• Is extractable: Maintains real and ideal I/O distributions
• Is equivocable: Can simulate the commitment phase without m
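The re-randomized commitment of slide 33 and the CF-commitment exchange of slide 43 as one worked Python example (added here, not the author’s code): Com is a constructed SHA-256 commitment, PM’s zero-knowledge proofs are replaced by the honest mediator’s local check, and signal_success_rate measures how many of C’s chosen bits reach R’s view with and without PM re-randomizing.

```python
import hashlib
import random
import secrets

def Com(m: bytes, r: bytes) -> bytes:
    """Toy hash commitment standing in for Com(m, r) (SHA-256 assumed random-oracle-like)."""
    return hashlib.sha256(b"com|" + m + b"|" + r).digest()

def committer_send(m: bytes, want_bit=None):
    """C commits to m. With want_bit set, C retries r until the low bit of c
    equals want_bit: c then carries a bit C chose (the correlation of slide 33)."""
    while True:
        r = secrets.token_bytes(16)
        c = Com(m, r)
        if want_bit is None or (c[-1] & 1) == want_bit:
            return c, r

def mediator_rerandomize(c: bytes, rng=None):
    """PM re-commits to c with its own r'; R only ever sees c' = Com(c, r')."""
    r_prime = secrets.token_bytes(16) if rng is None else rng.getrandbits(128).to_bytes(16, "big")
    return Com(c, r_prime), r_prime

def mediator_check_decommit(c, c_prime, r_prime, m, r) -> bool:
    """Decommit phase, honest-PM case: PM checks Dec(c) = (m, r) and
    c' = Com(c, r'), then forwards only m to R. This local check stands in
    for the slides' ZK proof of knowing r, r' with c' = Com(Com(m, r), r')."""
    return Com(m, r) == c and Com(c, r_prime) == c_prime

def cf_commit_decommit(m: bytes) -> bool:
    """Whole exchange C -> PM -> R: commit, re-randomize, decommit."""
    c, r = committer_send(m)
    c_prime, r_prime = mediator_rerandomize(c)
    return mediator_check_decommit(c, c_prime, r_prime, m, r)

def signal_success_rate(rerandomized: bool, trials: int = 400, seed: int = 1) -> float:
    """Fraction of trials in which R reads the bit C tried to push into its
    view: from c directly (not CF) or from c' (independent of C's choice)."""
    rng = random.Random(seed)
    hits = 0
    for i in range(trials):
        b = i & 1
        c, _ = committer_send(b"same message", want_bit=b)
        view = mediator_rerandomize(c, rng)[0] if rerandomized else c
        hits += int((view[-1] & 1) == b)
    return hits / trials
```

Without PM the rate is 1.0 (every chosen bit arrives); with PM re-randomizing it sits near 0.5, i.e. R’s view carries only “committed”.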

44

Proof Sketch

• Hiding: <PM, R> don’t learn m
  – Com() hiding & 1st ZKPoK is zero knowledge
• Binding: <C, PM> can only open to m.
  – Com() binding & 2nd ZKPoK is sound
• CF: Construct a simulator for C and for R.
  – SC: Extract m from the 1st ZKPoK and send it to FCOM
  – SR: Commit to garbage. Simulate the 1st ZKPoK. Get m from FCOM. Simulate the 2nd ZKPoK

[Figure: the commit phase / decommit phase diagram of the previous slide, with the parties C, R and PM marked]

45

Secure CF-ZKPoK

• Goal: Securely CF-realize FZKPoK for 3-COL
• Idea: Transform the 3-round public coin ZKPoK for 3-COL into a secure CF ZKPoK.

Ideal world: Prover P sends (G, w) to FZKPoK; Verifier V receives (G, Accept/Reject). Accept iff w(e) has differently coloured endpoints.

G = (V,E); E: edge set of G
w : Edge → {R,G,B} is a 3-colouring of G
Pcol : set of permutations over {R,G,B}

3-round protocol:
  P samples a permutation from Pcol and sends {Com((w(e)))} for e in E (the colouring, permuted)
  V samples e from E and sends it
  P sends Dec((w(e)))

46

Secure CF-ZKPoK (2)

  P: samples a permutation from Pcol; v = {Com((w(e)))} for e in E; t = Com()
  PM: v’ = {Com(v)}; samples a permutation of the edges from PE
  V: samples e from E; PM forwards the permuted edge (e) to P
  P: Dec((w((e))))
  Final ZKPoK: know tags & decommitments for an accepting view.

47

Proof Sketch

• Need 3 simulators. One each for P, V and PM.
• PM honest
  – SP* based on the extractor for 3-COL
    • Rewind P* to extract the 3-colouring w of G. Send it to FZKPoK
  – SV*: commit to garbage and use the simulator for the final ZKPoK to “prove” the false theorem.
  – Joint fake views have the correct distribution
    • V* sees e but not its permuted image, and P* sees only the permuted image of e
    • P* sees v and V* sees v’ = Com(v)
    • ZKPoK is zero knowledge for V
• PM corrupt (At a high level this collapses to the traditional proof, since there is no more isolation.)
  – PM extracts the keys of honest parties in the preprocessing stage.
  – A = {P*, PM, V*}: easy. Simulate the complete interaction.
  – A = {PM} or A = {PM, V*}: Essentially run SP* against <PM, V*>
  – A = {P*, PM}: run the extractor against <P*, PM>
• Notice PM can coordinate perfectly, so for arbitrary P* or V* the simulated (fake) views have the correct joint distribution.

48

Future Work

• Done
  – Incorporate Environment
    • GUC-CF/EUC-CF equivalence (dummy adversary lemma)
    • Composition Theorem
    • Semi-honest MPC protocol
• In the works………….?
  – GUC-CF
    • Semi-honest to Malicious Compiler
  – Plain Mediated Model
    • Sequential composition theorem
    • MPC protocol
  – Forking without “BBS” assumption

