Coin Tossing With A Man In The Middle
Boaz Barak
[Figure: Left and Right run a two-party protocol; Middle sits on the channel between them]
• Adversary completely controls communication
• No shared secrets between Left & Right
• No trusted parties or public information (e.g., no PKI)
“Man In The Middle (MIM) Attack”
Two Unavoidable Adversary Strategies
[Figure: Left Session between Left and Middle; Right Session between Middle and Right]
Relaying Strategy - Adversary is transparent
Blocking Strategy - Adversary follows honest strategy independently in each session
Intuitive Goal: Design protocols s.t. adversary is essentially limited to unavoidable strategies.
Example: Commitment Scheme
[Figure: Left Session between Left and Middle; Right Session between Middle and Right]
Input: a value v (the letter naming the committed value is lost in extraction; v is used here)
Left session, committed value: v
Right session, committed value: v'
If Adv. relaying then v' = v. If Adv. blocking then v' is independent of v.
Scheme is non-malleable [DDN91] if either v' = v or v and v' are (computationally) independent
Non-malleability = intuitive goal
Comparison: MIM vs. Non-Malleability
MIM Model: Adversary between 2 parties that want to talk to each other. “Preferred” strategy: relaying
NM Model: Two sessions with 2 out of the 4 parties cooperating maliciously. “Preferred” strategy: blocking
• Our goal: construct protocols s.t. adversary is essentially restricted to use either blocking or relaying.
• Technically: same as non-malleability [DDN]
• However: we don’t take a “moral stand” which unavoidable strategy is “better”.
Summary
Previous Work*: NM Commit w/ O(log n) rounds [DDN91]; NM Zero-Knowledge w/ O(log n) rounds [DDN91]
This Work: NM Commit w/ O(1) rounds; NM Zero-Knowledge w/ O(1) rounds; different techniques (e.g., non-black-box proof of security); generic transformation from SRS model to plain model.
* See next slide for works in the shared reference string (SRS) model
The Shared Random String Model (SRS)
[Figure: a Dealer hands the same random string r to Left and Right; each then runs ref(r)]
NM Commit w/ 1 round [DIO98,DKOS01]; NM Zero-Knowledge w/ 1 round [Sah99,DDOPS01]
Our Approach: Convert ref
[Figure: Left and Right run Coin-Tossing, obtain output r, then run ref(r). With Middle present: the left session outputs r and Left runs ref(r); the right session outputs r' and Right runs ref(r')]
Informal Def: Coin-tossing is Non-Malleable if either r' = r or r' is (computationally) random & independent from r
If r' = r: same as in SRS execution!
If r' indep. from r: formally different from SRS. However, if ref is “natural” then it is still secure!
Thm: If ∃ constant-round NM coin-tossing then ∃ constant-round NM commitment scheme and ZK argument.
Our Goal: Design a constant-round non-malleable coin-tossing protocol.
In the paper: we (define and) construct such a protocol.
Now: we solve a related “toy problem” and then an even more related “bigger problem”
Outline
Toy Problem: Design a coin-tossing protocol such that w.h.p. r' ≠ rev(r), where rev(r1…rn) = rn rn-1 … r1
A Toy Problem
Protocol (the Greek letter naming the shares is lost in extraction; α is used here):
  Left: α1 ∈_R {0,1}^n; sends Comm(α1)
  Right: α2 ∈_R {0,1}^n; sends α2
  Left: sends r = α1 ⊕ α2, with a WI (witness-indistinguishable) proof that r = α1 ⊕ α2 or r ∈ BOGUS
  Output: r
With Middle: in the left session Middle plays Right's role (sending an α2 of its choice) and the output is r; in the right session Middle plays Left's role, sending Comm(α'1), receiving α'2 ∈_R {0,1}^n from Right, and sending r' with a WI proof that r' = α'1 ⊕ α'2 or r' ∈ BOGUS; the output is r'.
Thm: w.h.p. r' ≠ rev(r)
Observation: possibly false w/o “BOGUS” condition.
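The reversal target of the toy problem is reachable by a man in the middle against a naive commit-and-open coin toss if the commitment is malleable. The Python below is an added example, not code from the slides or the paper: it implements a plain Blum-style toss (Left commits to α1, Right sends α2, Left opens α1, both output α1 ⊕ α2) with a deliberately bit-by-bit SHA-256 commitment, a constructed toy choice, so that Middle can reverse the list of bit commitments and thereby commit to rev(α1) without ever learning α1. The class names, N_BITS and the hash-based commitment are assumptions for illustration. This is the naive protocol, not the slides' protocol, which never opens α1 and instead sends r together with a WI proof that carries the BOGUS escape clause.

```python
import hashlib
import os
import secrets

N_BITS = 16  # constructed toy parameter: length of the tossed string


def commit_bit(b):
    """Hash-based commitment to one bit: c = SHA-256(key || b).
    Committing bit by bit is the deliberate weakness of this toy scheme:
    a list of bit commitments can be reordered without opening any of them."""
    key = os.urandom(16)
    c = hashlib.sha256(key + bytes([b])).digest()
    return c, (key, b)


def open_bit(c, opening):
    key, b = opening
    return b in (0, 1) and hashlib.sha256(key + bytes([b])).digest() == c


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def rev(a):
    return list(reversed(a))


class Left:
    """Honest Left: commits to alpha1, learns alpha2, opens alpha1, outputs alpha1 xor alpha2."""
    def __init__(self, n):
        self.alpha1 = [secrets.randbits(1) for _ in range(n)]
        self.coms, self.opens = zip(*(commit_bit(b) for b in self.alpha1))

    def msg1(self):
        return list(self.coms)

    def msg3(self, alpha2):
        self.alpha2 = list(alpha2)
        return list(self.opens)

    def output(self):
        return xor(self.alpha1, self.alpha2)


class Right:
    """Honest Right: receives commitments, sends fresh random alpha2, checks the openings."""
    def __init__(self, n):
        self.alpha2 = [secrets.randbits(1) for _ in range(n)]

    def msg2(self, coms):
        self.coms = list(coms)
        return list(self.alpha2)

    def receive_open(self, opens):
        if len(opens) != len(self.coms) or not all(open_bit(c, o) for c, o in zip(self.coms, opens)):
            raise ValueError("opening does not match commitment")
        self.alpha1 = [b for _, b in opens]

    def output(self):
        return xor(self.alpha1, self.alpha2)


def run_relaying(n=N_BITS):
    """Middle forwards every message unchanged: r' = r."""
    L, R = Left(n), Right(n)
    R.receive_open(L.msg3(R.msg2(L.msg1())))
    return L.output(), R.output()


def run_blocking(n=N_BITS):
    """Middle plays each session honestly and independently: r' independent of r."""
    L, mid_as_right, mid_as_left, R = Left(n), Right(n), Left(n), Right(n)
    mid_as_right.receive_open(L.msg3(mid_as_right.msg2(L.msg1())))
    R.receive_open(mid_as_left.msg3(R.msg2(mid_as_left.msg1())))
    return L.output(), R.output()


def run_reversing_mim(n=N_BITS):
    """Middle forces r' = rev(r), which is neither relaying nor blocking."""
    L, R = Left(n), Right(n)
    coms = L.msg1()                    # left session: Comm(alpha1), one commitment per bit
    alpha2_prime = R.msg2(rev(coms))   # right session: reordered list is a valid Comm(rev(alpha1))
    opens = L.msg3(rev(alpha2_prime))  # left session: Middle chooses alpha2 = rev(alpha2')
    R.receive_open(rev(opens))         # right session: reversed openings open rev(alpha1); Right accepts
    return L.output(), R.output()


if __name__ == "__main__":
    r, r_prime = run_reversing_mim()
    print("r  =", "".join(map(str, r)))
    print("r' =", "".join(map(str, r_prime)), "(reversed:", r_prime == rev(r), ")")
```

run_relaying and run_blocking reproduce the two unavoidable strategies; run_reversing_mim produces an r' that is a function of r yet equal to neither r nor an independent string, exactly the outcome the toy theorem rules out. Committing to the whole string under one hash defeats this particular reordering, but it proves nothing about other relations S; that is what the BOGUS clause and the non-malleability argument on the slides are for.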
A Protocol Solving the Toy Problem
Proof: Suppose that r' = rev(r) with non-negligible probability.
Replace Left by a party that picks r ∈_R BOGUS (and proves the “r ∈ BOGUS” clause of the WI proof).
BOGUS properties:
• BOGUS is pseudorandom
• For every r ∈ BOGUS, rev(r) ∉ BOGUS
Then:
• r' = rev(r) ∉ BOGUS
• w.h.p. α'1 ⊕ α'2 ≠ rev(r) (α'2 is uniform and chosen after Comm(α'1)), so r' = rev(r) ≠ α'1 ⊕ α'2
Both clauses of Middle's WI proof are false, contradicting its soundness.
A Bigger Problem
Bigger Problem: Design a coin-tossing protocol such that w.h.p. r' ∉ S(r) for all interesting relations S(·)
Def: S is interesting if it is decidable in uniform poly-time and ∀ r:
1) r ∉ S(r) (Can't hit S using relaying)
2) Pr_y[ y ∈ S(r) ] is negligible for uniformly random y (Can't hit S using blocking)
A Bigger Problem
Fix ε(n) = n - 10 log n (the function's name is lost in extraction; ε is used here)
Protocol: as for the toy problem.
  Left: α1 ∈_R {0,1}^n; sends Comm(α1)
  Right: α2 ∈_R {0,1}^n; sends α2
  Left: sends r = α1 ⊕ α2, with a WI proof that r = α1 ⊕ α2 or r ∈ BOGUS
  Output: r
With Middle: the left session (Middle playing Right) outputs r; in the right session Middle sends Comm(α'1), Right sends α'2 ∈_R {0,1}^n, Middle sends r' with a WI proof that r' = α'1 ⊕ α'2 or r' ∈ BOGUS, and the output is r'.
Thm: if Middle is uniform PPT then ∀ interesting S, Pr[ r' ∈ S(r) ] = negl(n)
Solving the Bigger Problem
Proof: Suppose that r' ∈ S(r) with non-negligible probability, for some interesting S.
Replace Left by a party that picks r ∈_R BOGUS (and proves the “r ∈ BOGUS” clause of the WI proof).
BOGUS properties:
1. BOGUS is pseudorandom w.r.t. uniform PPT
2. For every r ∈ BOGUS and interesting S, S(r) ∩ BOGUS = ∅
3. BOGUS ∈ SUBEXP
Then:
• r' ∈ S(r) and S(r) ∩ BOGUS = ∅, so r' ∉ BOGUS
• α'1 ⊕ α'2 is uniform given Comm(α'1), so by property 2 of interesting relations α'1 ⊕ α'2 ∉ S(r) w.h.p., hence r' ≠ α'1 ⊕ α'2
Both clauses of Middle's WI proof are false, contradicting its soundness.
Constructing the set BOGUS
Claim 1: A random subset B ⊆ {0,1}^n of size n^{log n} satisfies properties 1&2 w.h.p.
Claim 2: If ∃ sub-exponentially hard OWF then can choose such B using polylog(n) (instead of 2^{polylog(n)}) coins.
Claim 3: If ∃ sub-exponentially hard OWF then for B ⊆ {0,1}^n of size n^{log n} can check in 2^{polylog(n)} steps if B satisfies properties 1&2.
For each n, go over all possible coin tosses for choosing B; define BOGUS ∩ {0,1}^n to be the first set that satisfies properties 1&2. Then BOGUS ∈ Dtime(2^{polylog(n)}) ⊆ SUBEXP.
Beyond the bigger problem
• Additional modifications needed for security against non-uniform adversaries. Security proof involves non-black-box use of the adversary's code.
• Actual NM coin-tossing def follows the “ideal functionality” paradigm. Modifications to the protocol are needed to satisfy the actual def.
• Some technical difficulties arise with “non-synchronizing” schedules. Can be solved using multiple rewinding opportunities à la [RK] (similar to [GL]).
Conclusions & Open Questions
First constant-round NM Commit & NM ZK in plain model.
Quite general transformation from SRS model to plain MIM model.
Another positive application of non-black-box techniques.
Generalize to other applications? more parties?
Acknowledgements: Alon Rosen
The End