Date posted: 22-Dec-2015
Rafael Pass, Cornell University
Constant-round Non-malleability
From Any One-way Function
Joint work with Huijia (Rachel) Lin
Commitment Scheme
The “digital analogue” of sealed envelopes.
[Figure: Sender → Receiver: Commitment (to v); later, Sender → Receiver: Reveal v]
One of the most basic cryptographic tasks.
Part of essentially all more involved secure computations
Can be constructed from any one-way function. [N’89, HILL’99]
“Right” abstraction if Alice and Bob talk directly to each other.
But life is: a man-in-the-middle (MIM) that plays receiver toward the Sender and sender toward the Receiver.
[Figure: Sender → MIM: C(v); MIM → Receiver: C(v')]
Possible that v' = v+1, even though the MIM does not know v!
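The [N’89] construction referred to above, and the “v' = v+1” attack, as an added Python example (not code from the slides): a Naor-style bit commitment and a man-in-the-middle that commits to the complement of the Sender’s bit without ever learning it. Everything here is a stand-in assumed for the example: SHAKE-256 plays the pseudorandom generator G that [HILL’99] obtains from any one-way function, and the parameter sizes, function names and the attack driver are this example’s, not the slides’.

```python
"""Naor-style bit commitment and the bit-flipping man-in-the-middle.
Added example; not from the slides.  SHAKE-256 stands in for the PRG G
(assumption); any PRG obtained from a one-way function would do."""
import hashlib
import secrets

N = 16        # seed length n in bytes
OUT = 3 * N   # Naor's expansion: |G(s)| = 3n


def prg(seed: bytes) -> bytes:
    """G: {0,1}^n -> {0,1}^{3n}.  SHAKE-256 is a stand-in for a PRG from any OWF."""
    return hashlib.shake_256(seed).digest(OUT)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def receiver_first_message() -> bytes:
    """Round 1: the Receiver sends a uniformly random r of length 3n."""
    return secrets.token_bytes(OUT)


def commit(bit: int, r: bytes):
    """Round 2: Sender picks a seed s; c = G(s) if bit = 0, c = G(s) XOR r if bit = 1.
    Returns the commitment c and the opening (bit, s) the Sender keeps."""
    s = secrets.token_bytes(N)
    c = prg(s) if bit == 0 else xor(prg(s), r)
    return c, (bit, s)


def reveal(c: bytes, r: bytes, opening) -> bool:
    """Reveal: Receiver recomputes G(s) XOR (bit * r) and compares it with c.
    Binding is statistical: for random r no seed opens c to both bits, except
    with probability about 2^-n over the choice of r."""
    bit, s = opening
    if bit not in (0, 1) or len(s) != N:
        return False
    return (prg(s) if bit == 0 else xor(prg(s), r)) == c


def mim_commitment(c: bytes, r: bytes) -> bytes:
    """The man-in-the-middle forwarded the right Receiver's r to the left Sender,
    so both executions share r.  Given c = G(s) XOR (bit * r) it sends
    c' = c XOR r = G(s) XOR ((1 - bit) * r): a valid commitment to 1 - bit
    under the same r, formed without knowing bit or s."""
    return xor(c, r)


def mim_opening(sender_opening):
    """After the honest Sender reveals (bit, s) on the left, the MIM can reveal (1 - bit, s)."""
    bit, s = sender_opening
    return 1 - bit, s


def run_mim_attack(bit: int):
    """Full left/right execution.  Returns (left reveal accepted,
    right reveal accepted, bit the MIM turns out to be committed to)."""
    r = receiver_first_message()          # chosen by the right Receiver, forwarded to the left
    c, opening = commit(bit, r)           # honest left Sender commits to bit
    c_prime = mim_commitment(c, r)        # MIM's right commitment, sent before any reveal
    left_ok = reveal(c, r, opening)
    right_opening = mim_opening(opening)  # known to the MIM only after the left reveal
    right_ok = reveal(c_prime, r, right_opening)
    return left_ok, right_ok, right_opening[0]


if __name__ == "__main__":
    for b in (0, 1):
        print("Sender bit", b, "->", run_mim_attack(b))
```

The commitment stays hiding and binding against a receiver, yet the MIM’s right-hand value is a function of v; this is exactly the gap the DDN definition below closes. Forbidding the MIM to reuse r is no fix, since the MIM is the left receiver and chooses r there anyway.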
Non-Malleable Commitments [Dolev Dwork Naor’91]
[Figure: Sender → MIM: C(v); MIM → Receiver: C(v'); identities i on the left, j on the right]
Non-malleability: either the MIM forwards (v = v'), or v' is “independent” of v.
Non-Malleable Commitments [Dolev Dwork Naor’91]
[Figure: Sender → MIM: C(i, v); MIM → Receiver: C(j, v')]
Non-malleability: if i ≠ j, then v' is “independent” of v.
Non-Malleable Commitments [Dolev Dwork Naor’91]
Man-in-the-middle execution: Sender → MIM: C(i, v); MIM → Receiver: C(j, v')
Simulation: Simulator → Receiver: C(j, v'')  (no left execution)
Non-malleability: for every MIM there exists a “simulator” such that the value v' committed to by the MIM is indistinguishable from the value v'' committed to by the simulator.
• Important in practice
• “Test-bed” for other tasks
• Applications to MPC
Non-malleable Commitments
• Original work by [DDN’91]: OWF, black-box techniques, but O(log n) rounds.
• Main question: how many rounds do we need?
  With set-up, solved: 1 round from OWF [Di Crescenzo-Ishai-Ostrovsky’99, DKO, CF, FF, …, DG].
  Without set-up:
  • [Barak’02]: O(1) rounds from subexponential CRH + dense cryptosystems (non-BB)
  • [P’04, P-Rosen’05]: O(1) rounds using CRH (non-BB)
  • [Lin-P’09]: O(1)^{log* n} rounds using OWF
  • [P-Wee’10]: O(1) rounds using subexponential OWF
  • [Wee’10]: O(log* n) rounds using OWF
  In summary: O(1) rounds from CRH or subexponential OWF; O(log* n) rounds from OWF.
Main Theorem
Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.
• Note: since commitment schemes imply OWF, we have unconditionally that any commitment scheme can be turned into one that is O(1)-round and non-malleable.
• Note: as we shall see, this also weakens the assumptions for O(1)-round secure multi-party computation.
DDN Protocol Idea
[Figure: left execution C(i, v) with i = 01…1, right execution C(j, v') with j = 00..1; the rounds of the two executions are scheduled so that “blue does not help red and vice versa”]
The Idea: what if we could run the message scheduling in the head?
Let us focus on non-aborting (never send an invalid message in the left execution) and synchronizing adversaries.
Com(id, v), with id = 00101:
  Sender → Receiver: c = C(v)
  WI-POK: “I know v s.t. c = C(v)” OR “I have ‘seen’ the sequence id”
Signature Chains
Consider 2 “fixed-length” signature schemes Sig0, Sig1 (i.e., signatures are always of length n) with keys vk0, vk1.
Def: (s, id) is a signature-chain if for all i, s_{i+1} is a signature of “(i, s_i)” under scheme Sig_{id_{i+1}}.
Example:
  s_0 = r
  s_1 = Sig0(0, s_0)   id_1 = 0
  s_2 = Sig0(1, s_1)   id_2 = 0
  s_3 = Sig1(2, s_2)   id_3 = 1
  s_4 = Sig0(3, s_3)   id_4 = 0
Signature Games
You are given vk0, vk1 and have access to signing oracles Sig0, Sig1.
The access pattern to the oracles is the sequence whose i’th entry is b if in the i’th interaction you access oracle b.
Claim: if you output a signature-chain (s, id), then, w.h.p., id is a substring of the access pattern.
Com(id, v), with id = 00101:
  Sender → Receiver: c = C(v)
  Signing rounds (schematic): vk0, r0, Sign0(r0); vk1, r1, Sign1(r1)
  WI-POK: “I know v s.t. c = C(v)” OR “I know a sig-chain (s, id) w.r.t. id”
[Figure: the same protocol in the MIM setting: left execution w.r.t. i = 0110.., right execution w.r.t. j = 00..1]
Non-malleability through dance
* In the actual protocol we need “many” sequential WI-POKs à la [LP’09].
Dealing with Aborting Adversaries
• Problem 1: the MIM will notice that I ask him to sign a signature chain.
  – Solution: don’t. Ask him to sign commitments of signatures (need to add a POK of the commitment to prove the signature-game lemma).
• Problem 2: I might have to “rewind” many times on the left to get a single signature, so if I have id = 01011, the access pattern on the right is 0*1*0*1*...
  – Solution: use 3 keys (0, 1, 2); require a chain w.r.t. 2 id_1 2 id_2 2 id_3 …
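The signature-chain definition and the signing-game claim (Signature Chains / Signature Games above), together with Problem 2 and its 3-key fix, as one added Python example (not code from the slides or from the actual Lin-Pass protocol). It builds and verifies a chain s_0 = r, s_{i+1} = Sig_{id_{i+1}}(i, s_i), records the oracle access pattern, and then checks the combinatorial heart of Problem 2: which ids j appear as substrings of the access pattern once rewinding turns id i into runs 0*1*0*1*..., with 2 keys and with the interleaved 3-key encoding 2 id_1 2 id_2 …. Assumptions: HMAC-SHA256 under a per-scheme secret stands in for each fixed-length scheme Sig_b (a MAC, not a public-key signature; used only so the example runs offline with 32-byte tags); the uniform “repeats per round” model of rewinding, the message encoding and all names here are this example’s own.

```python
"""Signature chains, the access-pattern check and the 3-key fix.
Added example; not from the slides.  HMAC-SHA256 is a stand-in for the
fixed-length signature schemes Sig_b (assumption)."""
import hashlib
import hmac
from itertools import product


def make_scheme(secret: bytes):
    """One fixed-length scheme Sig_b as a (sign, verify) pair; tags are always 32 bytes."""
    def sign(msg: bytes) -> bytes:
        return hmac.new(secret, msg, hashlib.sha256).digest()

    def verify(msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(sign(msg), sig)

    return sign, verify


def chain_msg(i: int, s_i: bytes) -> bytes:
    """Encoding of the message "(i, s_i)" that s_{i+1} must sign."""
    return i.to_bytes(4, "big") + s_i


class SigningOracles:
    """Oracle access to Sig_0, Sig_1 (and Sig_2 in the 3-key variant).
    pattern[k] = b records that the k-th query went to oracle b."""

    def __init__(self, schemes):
        self.schemes = schemes
        self.pattern = []

    def sign(self, b: int, msg: bytes) -> bytes:
        self.pattern.append(b)
        return self.schemes[b][0](msg)


def build_chain(oracles: SigningOracles, r: bytes, ident) -> list:
    """s_0 = r and s_{i+1} = Sig_{id_{i+1}}(i, s_i), querying the oracles in id order."""
    s = [r]
    for i, b in enumerate(ident):
        s.append(oracles.sign(b, chain_msg(i, s[i])))
    return s


def verify_chain(schemes, s, ident) -> bool:
    """(s, id) is a signature-chain iff every link s_{i+1} verifies under Sig_{id_{i+1}}."""
    if len(s) != len(ident) + 1:
        return False
    return all(schemes[b][1](chain_msg(i, s[i]), s[i + 1]) for i, b in enumerate(ident))


def is_substring(ident, pattern) -> bool:
    """Conclusion of the signing-game claim: id occurs contiguously in the access pattern."""
    n, ident = len(ident), list(ident)
    return any(list(pattern[k:k + n]) == ident for k in range(len(pattern) - n + 1))


def rewound_pattern(seq, runs) -> list:
    """Access pattern when round k is replayed runs[k] times by rewinding:
    the key requested in round k becomes a run, i.e. 0*1*0*1*... (Problem 2)."""
    return [b for b, k in zip(seq, runs) for _ in range(k)]


def interleave(ident) -> list:
    """The 3-key fix: the chain must be w.r.t. 2 id_1 2 id_2 2 id_3 ..."""
    return [x for b in ident for x in (2, b)]


def forgeable_ids(i, repeats: int, three_keys: bool) -> list:
    """All ids j of length |i| whose (encoded) id is a substring of the pattern
    produced by rewinding an execution with id i `repeats` times per round.
    With 2 keys other ids show up; with the 3-key encoding only j = i can."""
    enc = interleave if three_keys else list
    pattern = rewound_pattern(enc(i), [repeats] * len(enc(i)))
    return [list(j) for j in product((0, 1), repeat=len(i))
            if is_substring(enc(list(j)), pattern)]


if __name__ == "__main__":
    schemes = [make_scheme(b"k%d" % b) for b in range(3)]
    oracles = SigningOracles(schemes)
    chain = build_chain(oracles, b"\x00" * 32, [0, 0, 1, 0, 1])
    print("chain verifies:", verify_chain(schemes, chain, [0, 0, 1, 0, 1]))
    print("2 keys, i=01011 rewound 3x, forgeable ids:", forgeable_ids([0, 1, 0, 1, 1], 3, False))
    print("3 keys, same:", forgeable_ids([0, 1, 0, 1, 1], 3, True))
```

The two-key run shows the trouble: with i = 01011 replayed three times per round the pattern 000111000111111 contains 00111 (and several other ids), so a cheating right-hand party with one of those identities is not ruled out by the substring claim. Under the interleaved encoding a different id needs a single 2 between every pair of bits, which no pattern of runs from a different i provides.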
Main Theorem
Main Technique: exploit the rewinding pattern (instead of just the location).
Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.
Some applications
Secure Multi-party Computation [Yao,GMW]
A set of parties with private inputs.
Wish to jointly compute a function of their inputs while preserving privacy of inputs (as much as possible)
Security must be preserved even if some of the parties are malicious.
• Original work of [Goldreich-Micali-Wigderson’87]: TDP, n rounds
• More recent, “stronger assumptions, fewer rounds”:
  – [Katz-Ostrovsky-Smith’03]: TDP + dense cryptosystems, log n rounds; TDP + CRH + dense crypto with subexponential security, O(1) rounds, non-BB
  – [P’04]: TDP + CRH, O(1) rounds, non-BB
NMC vs. MPC
Thm [Lin-P-Venkitasubramaniam’09]: TDP + k-round “robust” NMC implies O(k)-round MPC.
Holds both for stand-alone MPC and UC-MPC (in a number of set-up models).
Corollary: TDP implies O(1)-round MPC.
NM ZK
Thm [Lin-P-Tseng-Venkitasubramaniam’10]: k-round “robust” NMC implies O(k)-round NMZK.
Corollary: OWF implies O(1)-round NMZK.
Can also get concurrent NMZK by adding ω(log n) rounds.
What’s Next – Adaptive Hardness
Consider the Factoring problem: given the product N of 2 random n-bit primes p, q, can you provide the factorization?
Adaptive Factoring Problem: given the product N of 2 random n-bit primes p, q, can you provide the factorization, if you have access to an oracle that factors all other N' that are products of equal-length primes?
Are these problems equivalent? Unknown!
Adaptively-hard Commitments [Canetti-Lin-P’10]: a commitment scheme that remains hiding even if the adversary has access to a decommitment oracle.
Implies non-malleability (and more!)
Thm [CLP’10] Existence of commitments implies O(n^)-round Adaptively-hard commitments
Thank You