Slide 1: Constant Round Non-Malleable Commitments
Vipul Goyal, Microsoft Research, India
Slide 2: Commitment Schemes [Blum’84]
[Figure: Committer sends Com(s) to Receiver, who sees only "s?"; later the Committer sends the opening of Com(s), like the combination of the safe]
• Commitment like a note placed in a combination safe
• Two properties: hiding and binding
• Electronic equivalent of such a safe
Slide 3: Contract Bidding: is a commitment sufficient?
[Figure: honest bidder sends Com(s), receiver sees only "s?"; the adversary sends Com(s - 1)]
• Adversary cheats and creates a winning bid
Slide 4: Non-Malleable Commitments
• Introduced in the seminal work of Dolev, Dwork and Naor [DDN91]
• Important building block towards the bigger goal of designing secure cryptographic protocols for the internet setting
• Well studied primitive
(Picture credit: R. Pass)
Slide 5: NM Commitment: Definition [DDN’91, PR’05, LPV’08]
[Figure: Real World: the MiM receives a commitment to s on the left and commits to s' on the right. Simulator: commits to s' without seeing s]
• Value s’ should be “independent” of s
• NMcom requirement: MiM and Simulator committing to the same value
• No copy: each party has a unique identity/tag (tag based non-malleability)
Slide 6: NM com: how to prove
[Figure: left honest committer commits to s; the MiM commits to s' on the right; an Extractor sits on the right and outputs s']
• Say extractor outputs s’ without rewinding the left honest committer
• By hiding of com: s’ independent of s
• Can easily construct a simulator: commit to 0 on left
Slide 7: Result 1 (2011)
• This work: Constant round NM commitments using only OWFs
• Long line of work [Dolev-Dwork-Naor’91, ..]; previous state of art included several incomparable results
  – CRHF + NBB simulation [Barak’02, PR’05]
  – Super constant rounds [DDN’91, .., LP’09, Wee’10]
  – Non-standard assumptions [PPV’08, Wee’10]
• Independent work: Lin-Pass’11 obtained similar result using unrelated ideas
  – Advantage over LP’11: more “amenable” to BB use of OWF; gives BB construction of MPC
Slide 8: Result 2 (upcoming FOCS) [joint with Lee, Ostrovsky, Visconti]
• Constant round NM com using only a BB use of OWFs
• Earlier: no black-box construction of NM com known without relaxing security notion (any rounds, any assumption)
• Idea: Instantiate the previous protocol from 2011 using “MPC in the head” ideas [IKOS’07]
Slide 9: Result 1: Basic technical contribution
[Figure: left slot: L pairs of commitments, challenge (short), open. Right slot: L’ pairs of commitments, challenge (long), open. L’ >> L]
• Consider a slot (of e.g. PRS preamble, extractable commitments, etc)
• Say adv gets small number of commitment pairs on left; gives large number on right
• Adversary created at least one commitment pair on right on his own; in fact, can extract from right without rewinding left
• Can be seen as making s.p. different for left and right using parallel (||) repetition
• Conceptual similarity to long-short NBB simulation technique of Pass’04
Slide 10: Preliminaries
• Throughout the talk:
  • Only consider synchronizing adversaries
  • Identities coming from polynomial domain (log length identities)
  • Assume id’ > id
[Figure: left session has identity id, right session has identity id’]
Slide 11: Starting protocol
[Figure: Committer (identity id) to Receiver: Com(r1), . . ., Com(rid); Receiver: ch in [id]; Committer: opening of Com(rch); Committer: v masked by r + ZKP of correctness. Note: generate r, break into r1 to rid using a 2-out-of-id secret sharing]
• Identity id from a polynomial sized domain
• Learning two shares sufficient to extract v
• Identity encoded in length of challenge
Slide 12: Proof of Security
[Figure: left session (identity id): Com(r1), . . ., Com(rid); ch in [id]; response. Right session (identity id’): Com(r’1), . . ., Com(r’id’); ch’ in [id’]; response]
• Protocol secure against non-aborting + synchronizing adversaries
• Assume id’ > id throughout the talk (space of challenge strings on right bigger)
• At least two right challenges mapping to the same left challenge (pigeon hole)
• Gives possibility to get two responses on right and give only one on left
Slide 13: Proof of Security contd.
[Figure: left (identity id), Committer to Extractor: Com(r1), . . ., Com(rid); ch in [id]; open rch; v masked by r + ZKP. Right (identity id’): Com(r’1), . . ., Com(r’id’); ch’ in [id’]; open r’ch’; v’ masked by r’ + ZKP; after rewinding: ch’’ in [id’]; open r’ch’’. Extraction successful!!]
• Extractor: Rewind and extract from right w/o rewinding left
• Ext experiments to find a collision (ch’ and ch’’ both mapping to ch)
• Replays the same left message for ch’’
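The following is an added toy model of slides 11 to 13 (the starting protocol and its extractor); it is not code from the talk or the paper. It assumes SHA-256 hashes in place of the OWF-based commitment, a mask of the form v + r mod P instead of a bit-string XOR, a constructed man-in-the-middle whose left challenge is a fixed function of the right challenge, and it omits the ZKP of correctness. The extractor replays the single left opening, searches the polynomial-size right challenge space for a partner that collides on the left, and reconstructs r' from the two right shares.

```python
"""Toy model of the starting protocol (slides 11-13) and its extractor.

Constructed example, not the paper's code: SHA-256 hashes stand in for the
OWF-based commitment, the mask is v + r mod P instead of a bit-string XOR,
and the ZKP of correctness is omitted (all parties open honestly here).
"""
import hashlib
import random

P = (1 << 61) - 1  # prime field for the 2-out-of-id Shamir sharing (constructed choice)


def commit(value: int, nonce: int) -> bytes:
    """Hash commitment com(value; nonce)."""
    return hashlib.sha256(f"{value}:{nonce}".encode()).digest()


def share_2_of_n(r: int, n: int, rng: random.Random) -> list:
    """Shamir 2-out-of-n: points (i, r + a*i) on a random line through (0, r)."""
    a = rng.randrange(P)
    return [(i, (r + a * i) % P) for i in range(1, n + 1)]


def reconstruct(p1, p2) -> int:
    """Interpolate the line through two points at x = 0 to recover r."""
    (x1, y1), (x2, y2) = p1, p2
    a = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    return (y1 - a * x1) % P


class Committer:
    """Honest committer with identity `ident`; the challenge space is [ident]."""

    def __init__(self, v: int, ident: int, rng: random.Random):
        self.v, self.ident = v, ident
        self.r = rng.randrange(P)
        self.shares = share_2_of_n(self.r, ident, rng)
        self.nonces = [rng.getrandbits(128) for _ in self.shares]

    def first_message(self) -> list:
        return [commit(y, n) for (_, y), n in zip(self.shares, self.nonces)]

    def respond(self, ch: int):
        """Open Com(r_ch): the share (as a point) and its nonce."""
        return self.shares[ch - 1], self.nonces[ch - 1]

    def final_message(self) -> int:
        return (self.v + self.r) % P  # v masked by r


class MiM:
    """Synchronizing, non-aborting man-in-the-middle (constructed behaviour).

    It commits to its own value v' on the right and derives its left challenge
    deterministically from the right challenge, so several right challenges
    map to one left challenge (pigeonhole, since right_id > left_id).
    """

    def __init__(self, left_id: int, right_id: int, v_prime: int, rng: random.Random):
        self.left_id = left_id
        self.inner = Committer(v_prime, right_id, rng)

    def right_first_message(self) -> list:
        return self.inner.first_message()

    def left_challenge(self, ch_right: int) -> int:
        return (ch_right - 1) % self.left_id + 1

    def right_response(self, ch_right: int, left_opening):
        # A real MiM might depend on the left opening; this one answers on its own.
        return self.inner.respond(ch_right)

    def right_final(self) -> int:
        return self.inner.final_message()


def extract_right_value(left: Committer, mim: MiM, right_id: int, ch1: int):
    """Extractor: main thread with right challenge ch1, then rewind the right
    session only, replaying the one left opening. Returns v', or None when the
    main-thread challenge has no colliding partner (see the ch1 = 3 case)."""
    coms_right = mim.right_first_message()
    ch_left = mim.left_challenge(ch1)
    left_opening = left.respond(ch_left)  # the only left message ever sent
    (x1, y1), n1 = mim.right_response(ch1, left_opening)
    assert commit(y1, n1) == coms_right[ch1 - 1]
    masked = mim.right_final()
    for ch2 in range(1, right_id + 1):  # polynomial-size search for a collision
        if ch2 != ch1 and mim.left_challenge(ch2) == ch_left:
            (x2, y2), n2 = mim.right_response(ch2, left_opening)
            assert commit(y2, n2) == coms_right[ch2 - 1]
            r_prime = reconstruct((x1, y1), (x2, y2))
            return (masked - r_prime) % P
    return None


def demo(ch1: int = 1):
    """Left identity 3, right identity 5, constructed values v = 1234, v' = 4242."""
    rng = random.Random(7)  # fixed seed so the run is reproducible
    left = Committer(v=1234, ident=3, rng=rng)
    mim = MiM(left_id=3, right_id=5, v_prime=4242, rng=rng)
    return extract_right_value(left, mim, right_id=5, ch1=ch1)
```

With this MiM, right challenges 1 and 4 (and 2 and 5) collide on the left, so extraction from a main thread with ch1 = 1 recovers v' = 4242; a main thread with ch1 = 3 has no partner, which is exactly the gap that the possibly-aborting adversaries of slide 15 exploit.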
Slide 14: Initial Protocol
• Repeat protocol twice: one with id and one with (n – id)
• We get a simple protocol secure against non-aborting adversaries
• Repeat sequentially to get security against possibly aborting adversaries
• However doesn’t give us a constant round construction
Slide 15: (Possibly) Aborting Adversaries
[Figure: Committer (identity id) facing the Extractor on the left: open. Right session (identity id’): open / abort]
• Problem: Adv creates a one to one mapping of left and right challenges (Aborts on the remaining right challenges)
• No Collisions!!
Slide 16: (Possibly) Aborting Adversaries contd.
[Figure: left (identity id): ch in {0,1}^L; right (identity id’): ch’ in {0,1}^L’; L = k·id, L’ = k·id’]
• Idea: right challenge space exponentially larger than left; see protocol
• If id’ > id, then |ch’| - |ch| ≥ k
• Collisions guaranteed to exist (else adv aborts with overwhelming prob)
• Problem: hard for extractor to find a collision in PPT
• Adv, e.g., might apply a CRHF to compute ch from ch’
Slide 17: Final protocol
[Figure: Committer sends com(r1[0]), …, com(rL[0]) and com(r1[1]), …, com(rL[1]), where ri = ri[0] ⊕ ri[1]; Receiver sends ch in {0,1}^L; Committer sends the relevant strings (no openings); VM: com(v; r1), …, com(v; rL), with L = k·id; ZKP]
• Need to extract ri for some i
• VM = verification message: two purposes
Slide 18: Extractor Description
[Figure: left commitments: L pairs; challenge (short); strings (no opening); VM + ZK. Right commitments: L’ pairs, L’ > L; challenge (long); strings; VM + ZK]
• Extract on right w/o rewinding left
• First run everything honestly on left and right (main thread)
• Rewind and give a new challenge on right
• Give simulated response on left: define unrecovered set
• See right response and try to extract
• Rewind again if required
Slide 19: Extractor Analysis
[Figure: left coms: L pairs; ch (short); simulated response. Right coms: L’ pairs; ch’ (long); wrong strings]
• Worry: if simulated response on left, all new strings asked on right are incorrect/random
• Even if one pair of coms on right is revealed correctly with noticeable prob, we are good!
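The following is an added toy model of the pairs-plus-VM structure of slides 17 to 19, not code from the talk or the paper. It assumes that the two strings of a pair combine by XOR, that commitments to the (random) strings are SHA-256 hashes, and that the VM entry com(v; ri) is modelled as the pair (H(ri), v XOR ri) so that whoever learns ri learns v; the ZKP is omitted. The extractor combines a main thread with a rewound thread and succeeds as soon as a single pair has both halves revealed correctly, which is the point made on slide 19.

```python
"""Toy model of the final protocol's L pairs of commitments and the VM
(slides 17-19), plus the two-thread extraction step. Constructed example,
not the paper's code; see the assumptions in the comments below."""
import hashlib
import random

K = 16  # bytes per string (constructed security parameter)


def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class FinalCommitter:
    """Commits to v with identity `ident`; challenge length L = k * ident."""

    def __init__(self, v: bytes, ident: int, k: int, rng: random.Random):
        self.v = v
        self.L = k * ident
        # Assumption: r_i = r_i[0] XOR r_i[1], both halves uniformly random.
        self.halves = [(rng.randbytes(K), rng.randbytes(K)) for _ in range(self.L)]
        self.r = [xor(a, b) for a, b in self.halves]

    def first_message(self):
        pairs = [(H(a), H(b)) for a, b in self.halves]  # L pairs of commitments
        # Assumption: com(v; r_i) modelled as (H(r_i), v XOR r_i).
        vm = [(H(r), xor(self.v, r)) for r in self.r]    # VM: com(v; r_1..r_L)
        return pairs, vm

    def respond(self, ch: list) -> list:
        """Send r_i[ch_i] for every i: the relevant strings, no openings."""
        return [self.halves[i][ch[i]] for i in range(self.L)]


def garble(strings: list, keep: set, rng: random.Random) -> list:
    """Model an adversary that answers correctly only on the pairs in `keep`."""
    return [s if i in keep else rng.randbytes(K) for i, s in enumerate(strings)]


def extract(first_message, ch1: list, strings1: list, ch2: list, strings2: list):
    """Combine a main thread (ch1, strings1) and a rewound thread (ch2, strings2).
    One pair whose two halves were both revealed correctly is enough to get v."""
    pairs, vm = first_message
    for i, ((c0, c1), (hr, masked)) in enumerate(zip(pairs, vm)):
        if ch1[i] == ch2[i]:
            continue  # same half asked twice; nothing new on this pair
        half = {ch1[i]: strings1[i], ch2[i]: strings2[i]}
        if H(half[0]) != c0 or H(half[1]) != c1:
            continue  # a wrong/random string on this pair
        r = xor(half[0], half[1])
        if H(r) == hr:
            return xor(masked, r)  # open com(v; r_i) with the recovered r_i
    return None


def demo(keep: set):
    """Main thread fully honest; on the rewind only the pairs in `keep` are
    answered correctly. Constructed 16-byte value and fixed seed."""
    rng = random.Random(11)
    v = b"secret-value-16B"
    com = FinalCommitter(v, ident=2, k=2, rng=rng)  # L = 4 pairs
    msg = com.first_message()
    ch1 = [rng.randrange(2) for _ in range(com.L)]
    strings1 = com.respond(ch1)
    ch2 = [1 - b for b in ch1]  # rewound challenge differing on every pair
    strings2 = garble(com.respond(ch2), keep, rng)
    return extract(msg, ch1, strings1, ch2, strings2)
```

`demo({2})` recovers the committed value although three of the four pairs were answered with random strings on the rewind; `demo(set())` returns None, which is the "all new strings incorrect/random" worry of slide 19.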
Slide 20: Dependent set of commitments (on right)
[Figure: left coms: L pairs; ch; strings. Right coms: L’ pairs; ch’; strings]
• Intuition: set of right coms created by mauling an unrecovered com on left
• Prefix: first message on left + right
• Dependent set is defined for a prefix + left ch
• Prob over coins after prefix. A com on right belongs to dependent set S if:
  1. [Interesting]: prob of string revealed correctly by M is *noticeable* (run many main threads with this prefix), and,
  2. [Dependent]: prob of string revealed correctly CONDITIONED on left challenge of M being ch is negligible
Slide 21: Bounding dependent set of commitments
[Figure: left coms: L pairs; ch; strings. Right coms: L’ pairs; ch’; strings]
• Lemma 1: if |S| > L + log2(k), main thread aborted w.h.p.
Proof:
• Intuition: some commitment from S on right will be selected by ch’ w.h.p.
• M sees ch’, has 2^L choices for ch on left (each choice will define a set S)
• Prob that there exists S s.t. ch’ selects NOTHING from it is 2^L / 2^(L + log2(k))
• Regardless of how M chooses ch, a com dependent (on unrecovered set) is selected. M will answer incorrectly on right.
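Spelling out the union bound behind Lemma 1 (an added derivation, not from the slides; it assumes the commitments in a set S sit in distinct pairs, so the uniformly random ch’ selects each of them independently with probability 1/2):

$$\Pr_{ch'}\bigl[\,ch' \text{ selects nothing from } S\,\bigr] \;=\; 2^{-|S|} \;<\; 2^{-(L+\log_2 k)} \;=\; \frac{1}{k\cdot 2^{L}}$$

$$\Pr_{ch'}\bigl[\,\exists\, ch \in \{0,1\}^L :\; ch' \text{ selects nothing from } S_{ch}\,\bigr] \;\le\; 2^{L}\cdot\frac{1}{k\cdot 2^{L}} \;=\; \frac{2^{L}}{2^{L+\log_2 k}} \;=\; \frac{1}{k}$$

The first line is for one fixed set; the second takes the union over the $2^{L}$ sets $S_{ch}$, one per possible left challenge, which is why the bound in the lemma is stated relative to $L$.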
Slide 22: Strictly Dependent set of commitments (on right)
[Figure: left coms: L pairs; ch; strings. Right coms: L’ pairs; ch’; strings]
• Defined for a given prefix + ch
• Prob over coins after prefix. A com on right belongs to strictly dependent set G if:
  1. [Interesting]: prob of string revealed correctly by M is noticeable, and,
  2. [Dependent]: prob of string revealed correctly when simulated response given on left is negligible
• To prove: if even one right pair not in G, we are done!
Slide 23: Bounding Strictly Dependent set of commitments
[Figure: left coms: L pairs; ch; strings. Right coms: L’ pairs; ch’; strings]
• Lemma 2: G is a subset of S w.h.p.
Proof:
• Relies on hiding of com: say there exists a com in G but not S
• [not in S]: Run main thread, noticeable prob of seeing correct string for this com (doesn’t follow from the interesting condition)
• [in G]: Now say left response is simulated; negl prob of seeing correct string
• [in G]: Say left response is real: again noticeable prob of seeing correct string
• Distinguish simulated response from real
Slide 24: Bounding Strictly Dependent set of commitments: details
Lemma 2: more details
• External party ready to give q responses from outside; exactly one guaranteed to be real, rest simulated; q is very large
• Hiding says can’t predict which one is real with noticeably better than 1/q
Attack:
• Select a random com on right as a candidate in G but not S
• Run main, then rewind q times using an outside response each time to complete
• If string for this com appears in main AND on exactly one other thread, output that response as real
Slide 25: Bounding Strictly Dependent set of commitments: details
Analysis:
• Guess for random com correct: 1/(2L’)
• Run main; say correct string appeared in main thread: prob p1
• Say when given real response, again correct string appears: prob p2
• On simulated resp, correct string appears only with negl prob
• Prob of correct guess at least p1 · p2 · 1/(2L’)
• If q big enough, contradiction!!
Slide 26: Final Remarks
• We obtain constant round NM com (and zero-knowledge) based on OWFs
• Implements the ideas from Pass-Rosen’05 (long-short NBB simulation or two slot simulation) using only BB simulation
• Hypothesis: Can replace any application of the long-short NBB simulation technique with this protocol (plus Barak’01)
Slide 27: Applications
• Theorem [tighter Kilian]: Assume there exist constant round OT. Then there exists constant round MPC
• Our techniques also give the first constant round BB MPC using poly time hardness (improvement to IKLP’06, Wee’10)
• Protocol is public-coin: useful in some follow up works to construct constant round secure computation protocols [Garg-Goyal-Jain-Sahai’12, Cho-Garg-Ostrovsky’12]
Slide 28: Result 2: Black-Box NM com [joint with Lee, Ostrovsky, Visconti]
• Previous protocol: has a zero-knowledge proof of consistency in the end
• Idea: Instantiate this zero-knowledge using “MPC in the head” ideas; make only a BB use of commitment scheme
Slide 29: “Computation in the head” paradigm [Ishai-Kushilevitz-Ostrovsky-Sahai 2007]
• Originally used to improve the communication complexity of zero-knowledge protocols
[Figure: Sender to Receiver: Com(view1), …, Com(viewk); Receiver: select k/3 coms at random; Sender: open selected views]
• To prove x in L, emulate k virtual players in head
• Inputs are shares of the witness w
• Run computation for function f s.t. f(w) = 1 iff x in L
• Commit to resulting views
• Check output 1 in each view
• Check all views are honest/consistent with each other
• ZK: k/3 views don’t leak anything
• Soundness: to change output lots of players need to cheat
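The following is an added toy instance of the computation-in-the-head paradigm described on this slide; it is not code from IKOS, the talk or the paper. It assumes the linear relation x = a·w mod P as the language (so each virtual player's step is a local multiplication followed by a broadcast), additive sharing of the witness among k players, and SHA-256 hashes in place of a real commitment scheme. The verifier opens k/3 views and runs exactly the two checks listed above: each opened player computed its broadcast honestly, and the opened views agree on the transcript and on output 1.

```python
"""Toy "MPC in the head" zero-knowledge proof for x = a * w (mod P).

Constructed example, not IKOS's or the paper's code. Virtual MPC: k players
hold additive shares w_i of w; player i broadcasts y_i = a * w_i; everyone
outputs 1 iff sum(y_i) = x. A view is (own share, full broadcast transcript).
"""
import hashlib
import random

P = (1 << 61) - 1  # constructed prime modulus


def commit(data: str, nonce: int) -> bytes:
    """Hash commitment standing in for a real commitment scheme."""
    return hashlib.sha256(f"{data}|{nonce}".encode()).digest()


def serialize(view: dict) -> str:
    return f"{view['share']}:{','.join(map(str, view['broadcast']))}"


def honest_views(w: int, a: int, k: int, rng: random.Random) -> list:
    shares = [rng.randrange(P) for _ in range(k - 1)]
    shares.append((w - sum(shares)) % P)       # additive sharing of the witness
    broadcast = [(a * s) % P for s in shares]   # the in-the-head protocol run
    return [{"share": s, "broadcast": broadcast} for s in shares]


def cheating_views(x: int, a: int, k: int, rng: random.Random) -> list:
    """Prover without a witness: shares of garbage, then patch player k-1's
    broadcast so the transcript sums to x. That one view is internally wrong."""
    views = honest_views(rng.randrange(P), a, k, rng)
    broadcast = list(views[0]["broadcast"])
    broadcast[k - 1] = (x - sum(broadcast[:-1])) % P
    return [{"share": v["share"], "broadcast": broadcast} for v in views]


def prove(views: list, rng: random.Random):
    """Commit to all k views; return the commitments and the opening material."""
    nonces = [rng.getrandbits(128) for _ in views]
    coms = [commit(serialize(v), n) for v, n in zip(views, nonces)]
    return coms, (views, nonces)


def open_views(opening, indices: list) -> list:
    views, nonces = opening
    return [(i, views[i], nonces[i]) for i in indices]


def verify(x: int, a: int, k: int, coms: list, openings: list) -> bool:
    transcripts = set()
    for i, view, nonce in openings:
        if commit(serialize(view), nonce) != coms[i]:
            return False                                  # opening does not match
        if view["broadcast"][i] != (a * view["share"]) % P:
            return False                                  # player i cheated locally
        transcripts.add(tuple(view["broadcast"]))
    if len(transcripts) != 1:
        return False                                      # opened views disagree
    transcript = next(iter(transcripts))
    return sum(transcript) % P == x % P                   # output bit is 1


def demo(cheat: bool, indices: list) -> bool:
    """k = 6 players, k/3 = 2 views opened at the given indices; constructed
    witness and statement, fixed seed."""
    rng = random.Random(3)
    k, a, w = 6, 5, 123456789
    x = (a * w) % P
    views = cheating_views(x, a, k, rng) if cheat else honest_views(w, a, k, rng)
    coms, opening = prove(views, rng)
    return verify(x, a, k, coms, open_views(opening, indices))
```

Opening any two of the six views reveals only two additive shares, so nothing about w leaks; the cheating prover is caught exactly when the patched player is among the opened views, which is the soundness argument of the slide (a single cheating player is detected with probability about k/3 divided by k per run, and the protocol is repeated to amplify it).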
Slide 30: Previous protocol
[Figure: L pairs of commitments; ch in {0,1}^L; send the relevant strings; VM: com(v; r1), …, com(v; rL)]
• First part: standard statement
• Second part: more complex. Need to implement VM in an information theoretic fashion. Use strong extractors and pairwise independent hash functions
• Require extension of the computation in the head ideas
Slide 31: Final Remarks
• Constant round multi-party coin tossing using only OWFs
• Constant Round NM statistically hiding commitments (same asymptotic round complexity)
• Open Question: non-interactive non-malleable commitments
Slide 32: Thank You!