Coin Tossing With AMan In The Middle

Boaz Barak

RightLeft

– two party protocol

Middle

• Adversary completely controls communication

• No shared secrets between left & right

• No trusted parties or public information (e.g., no PKI)

“Man In The Middle (MIM) Attack”

Two Unavoidable Adversary StrategiesLeft

Middle Right

Left Session

Right Session

Relaying Strategy - Adversary is transparent

Blocking Strategy - Adversary follows honest strategy independently in each session

Intuitive Goal: Design protocols s.t. adversay is essentially limited to unavoidable strategies.

Example: Commitment SchemeLeft

Middle Right

Left Session

Right Session

Input:

Com. Value:

Com. Value: ’

If Adv. relaying then ’ = If Adv. blocking then ’ independent of

Scheme is non-malleable [DDN91] if either ’ = or and ’ are (computationally) independent

Non-malleability =

Intuitive goal

Comparison: MIM vs. Non-Malleability

MIM Model: Adversary between 2 parties that want to talk to each other. “Preferred” strategy: relaying

NM Model: Two sessions with 2 out of the 4 parties cooperating maliciously. “Preferred” strategy: blocking

• Our goal: construct protocols s.t. adversary is essentially restricted to use either blocking or relaying.

• Technically: same as non-malleabllity [DDN]

• However: we don’t take a “moral stand” which unavoidable strategy is “better”.

Summary

Previous Work*: NM Commit w/ O(log n) rounds [DDN91] NM Zero-Knowledge w/ O(log n) rounds [DDN91]

This Work: NM Commit w/ O(1) rounds NM Zero-Knowledge w/ O(1) rounds Different Techniques (e.g., Non-Black-Box Proof of Security)

Generic transformation from SRS model to plain model.

* See next slide for works in shared reference string (SRS) model

The Shared Random String Model (SRS)

Dealer

r r r

NM Commit w/ 1-round [DIO98,DKOS01] NM Zero-Knowledge w/ 1-round [Sah99,DDOPS01]

ref(r) ref(r)

Our Approach: Convert ref Left

Coin-TossingOutput: rRun ref(r)

Coin-TossingOutput: r’Run ref(r’)

Coin-TossingOutput: r

Run ref(r)

Informal Def: Coin-tossing is Non-Malleable if either

r’=r or r’ is (computationally) random & independent from rIf r’=r : same as in SRS execution!

If r’ indp. from r: formally different from SRS

However, if ref is “Natural” then it is still secure!

Thm: If 9 constant-round NM coin-tossing then 9 constant-round NM commitment scheme and ZK argument.

Middle Right

Our Approach: Convert ref

Coin-TossingOutput: r

Coin-TossingOutput: r’

Informal Def: Coin-tossing is Non-Malleable if either

r’=r or r’ is (computationally) random & independent from rThm: If 9 constant-round NM coin-tossing then9 constant-round NM commitment scheme and ZK argument.

Our Goal: Design a constant-round non-malleable coin-tossing protocol.

Left

Middle Right

Our goal: construct a constant-round NM coin-tossing protocol.

In the paper: we (define and) construct such a protocol.

Now: we solve a related “toy problem” and then an even more related “bigger problem”

Outline

Toy Problem: Design a coin-tossing protocol such that w.h.p. r’rev(r)

Informal Def: Coin-tossing is Non-Malleable if either

r’=r or r’ is (computationally) random & independent from r

rev(r1…rn) = rn rn-1 … r1

Coin-TossingOutput: r

Coin-TossingOutput: r’

Left

Middle Right

A Toy Problem

Left Comm(1)

2

r= 1©2

WIP r=1©2 or r2BOGUS

12R{0,1}n

22R{0,1}n

Output: r

’2

Comm(’1)

r’

Output: r’

’22R{0,1}n

WIP r’=’1©’2 or r’2BOGUS

Thm: w.h.p. r’ rev(r)

Observation: possibly false w/o “BOGUS” condition.

MiddleRight

A Protocol Solving the Toy Problem

Proof: Suppose that r’=rev(r) with non-neg prob.

Comm(1)

2

r= 1©2

WIP r=1©2 or r2BOGUS

12R{0,1}n

’2

Comm(’1)

r’=rev(r)

’22R{0,1}n

WIP r’=’1©’2 or r’2BOGUS

r2R BOGUS

• BOGUS is pseudorandom• For every r2 BOGUS, rev(r)BOGUS

• r’=rev(r) ’1©’2• r’=rev(r)BOGUS

BOGUS properties:

Left Right

WIP r=1©2 or r2BOGUS

Middle

A Bigger Problem

Bigger Problem: Design a coin-tossing protocol such that w.h.p. r’ S(r) for all interesting relations S(¢)

Informal Def: Coin-tossing is Non-Malleable if either

r’=r or r’ is (computationally) random & independent from r

Coin-TossingOutput: r

Coin-TossingOutput: r’

Left

Middle Right

Def: S is interesting if it is decidable in uniform poly-time and 8 r 1) rS(r) (Can’t hit S using relaying)2) Pry[ y2S(r) ] < (|x|) (Can’t hit S using blocking)

Toy Problem: Design a coin-tossing protocol such that w.h.p. r’rev(r)

A Bigger Problem

Fix(n)=n- 10log n

Left Comm(1)

2

r= 1©2

WIP r=1©2 or r2BOGUS

12R{0,1}n

22R{0,1}n

Output: r

’2

Comm(’1)

r’

Output: r’

’22R{0,1}n

WIP r’=’1©’2 or r’2BOGUS

Thm: if Middle is uniform PPT then8 interesting S Pr[ r’2S(r) ]=negl(n)

MiddleRight

Solving the Bigger Problem

Proof: Suppose that r’2S(r) with non-neg prob.

Comm(1)

2

r= 1©2

WIP r=1©2 or r2BOGUS

12R{0,1}n

’2

Comm(’1)

r’2 S(r)

’22R{0,1}n

WIP r’=’1©’2 or r’2BOGUS

r2R BOGUS

• BOGUS is pseudorandom w.r.t. uniform PPT• For every r2 BOGUS and interesting S, S(r)ÅBOGUS=;

BOGUS properties:

Left Right

WIP r=1©2 or r2BOGUS

Middle

• BOGUS2SUBEXP

• rBOGUS

• r’ ’1©’2 S(r)

Claim 1: A random subset Bµ{0,1}n of size nlog n satisfies properties 1&2 w.h.p.

Claim 2: If 9 sub-exponentially hard OWF then can choose such B using polylog(n) (instead of 2polylog(n)) coins.

For each n go over all possible coin tosses for choosing B We define BOGUS Å {0,1}n to be the first set that satisfies properties 1&2. Then, BOGUS 2 Dtime(2polylog(n)) µ SUBEXP

1. BOGUS is pseudorandom w.r.t. uniform PPT2. For every r2 BOGUS and interesting S, S(r)ÅBOGUS=;

BOGUS properties:

3. BOGUS2SUBEXP

Constructing the set BOGUS

Claim 3: If 9 sub-exponentially hard OWF then for B µ {0,1}n of size nlog n can check in 2polylog(n) steps if B satisfies properties 1&2.

• Additional modifications needed for security against non-uniform adversaries. Security proof involves non-black-box use of adversary’s code.

• Actual NM coin-tossing def follows “ideal functionality” paradigm. Modifications to protocol needed to satisfy actual def.

• Some technical difficulties arise with “non-syncrhonizing” schedules. Can be solved using multiple rewinding opportunities a-la [RK] (similar to [GL])

Beyond the bigger problem

Conclusions & Open Questions

First constant-round NM Commit & NM ZK in plain model.

Quite general transformation from SRS model to plain MIM model.

Another positive application of non-black-box techniques.

Generalize to other applications? more parties?

Acknowledgements: Alon Rosen

The End