Vipul Goyal Microsoft Research, India

Presentation Transcript


  1. Constant Round Non-Malleable Commitments
     Vipul Goyal, Microsoft Research, India

  2. Commitment Schemes [Blum’84]
     • A commitment is like a note placed in a combination safe
     • Two properties: hiding and binding
     • Electronic equivalent of such a safe
     [Figure: Committer sends Com(s) to Receiver, who asks “s?”; the opening of Com(s) plays the role of the combination]

  3. Contract Bidding: is a commitment sufficient?
     [Figure: honest bidder sends Com(s); adversary, without knowing s, sends Com(s - 1)]
     • Adversary cheats and creates a winning bid

  4. Non-Malleable Commitments
     • Introduced in the seminal work of Dolev, Dwork and Naor [DDN91]
     • Important building block towards the bigger goal of designing secure cryptographic protocols for the internet setting
     • Well studied primitive
     Picture credit: R. Pass

  5. NM Commitment: Definition [DDN’91, PR’05, LPV’08]
     [Figure: real world, the MiM receives a commitment to s on the left and commits to s’ on the right; the simulator commits to s’ with no left session]
     • Value s’ should be “independent” of s
     • NMcom requirement: for every MiM there is a simulator committing to the same value
     • No copy: each party has a unique identity/tag (tag based non-malleability)

  6. NM com: how to prove
     [Figure: extractor interacts with the MiM; s committed on the left, s’ committed on the right]
     • Say the extractor outputs s’ without rewinding the left honest committer
     • By hiding of com: s’ independent of s
     • Can easily construct a simulator: commit to 0 on the left

  7. Result 1 (2011)
     • This work: constant round NM commitments using only OWFs
     • Long line of work [Dolev-Dwork-Naor’91, ..]; previous state of the art included several incomparable results:
       • CRHF + NBB simulation [Barak’02, PR’05]
       • Super constant rounds [DDN’91, .., LP’09, Wee’10]
       • Non-standard assumptions [PPV’08, Wee’10]
     • Independent work: Lin-Pass’11 obtained a similar result using unrelated ideas
     • Advantage over LP’11: more “amenable” to BB use of OWF; gives a BB construction of MPC

  8. Result 2 (upcoming FOCS) [joint with Lee, Ostrovsky, Visconti]
     • Constant round NM com using only a BB use of OWFs
     • Earlier: no black-box construction of NM com known without relaxing the security notion (any rounds, any assumption)
     • Idea: instantiate the previous protocol from 2011 using “MPC in the head” ideas [IKOS’07]

  9. Result 1: Basic technical contribution
     [Figure: left session with L pairs of commitments, a short challenge and openings; right session with L’ >> L pairs of commitments, a long challenge and openings]
     • Consider a slot (of e.g. PRS preamble, extractable commitments, etc.)
     • Say the adv gets a small number of commitment pairs on the left and gives a large number on the right
     • Adversary created at least one commitment pair on the right on his own; in fact, we can extract from the right without rewinding the left
     • Can be seen as making the s.p. different for left and right using || repetition
     • Conceptual similarity to the long-short NBB simulation technique of Pass’04

  10. Preliminaries
      [Figure: left session with identity id, right session with identity id’]
      • Throughout the talk:
        • Only consider synchronizing adversaries
        • Identities come from a polynomial domain (log length identities)
        • Assume id’ > id

  11. Starting protocol
      Committer → Receiver: generate r, break it into r1 to r_id using a 2-out-of-id secret sharing; send Com(r1), . . ., Com(r_id)
      Receiver → Committer: ch in [id]
      Committer → Receiver: opening of Com(r_ch)
      Committer → Receiver: v ⊕ r + ZKP of correctness
      • Identity id from a polynomial sized domain
      • Learning two shares is sufficient to extract v
      • Identity encoded in the length of the challenge

  12. Proof of Security
      [Figure: left session (id): Com(r1), . . ., Com(r_id), challenge ch in [id], committer response; right session (id’): Com(r’1), . . ., Com(r’_id’), challenge ch’ in [id’], receiver response]
      • Protocol secure against non-aborting + synchronizing adversaries
      • Assume id’ > id throughout the talk (the space of challenge strings on the right is bigger)
      • At least two right challenges map to the same left challenge (pigeonhole)
      • Gives the possibility to get two responses on the right while giving only one on the left

  13. Proof of Security contd.
      [Figure: extractor rewinds the right session: left challenge ch in [id], right challenges ch’ and ch’’ in [id’]; the committer opens r_ch on the left, the MiM opens r’_ch’ and r’_ch’’ on the right; v ⊕ r + ZKP on the left, v’ ⊕ r’ + ZKP on the right]
      • Extractor: rewind and extract from the right w/o rewinding the left
      • Ext experiments to find a collision (ch’, ch’’ → ch)
      • Replays the same left message for ch’’
      • Extraction successful!!
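The starting protocol of slides 11 to 13 and its right-only extractor, as an added example that is not code from the talk: Com(.) is stood in by a hashed-nonce commitment, the ZKP of correctness is omitted, v ⊕ r is plain XOR, and the adversary's challenge map f is a constructed one (all assumptions of this example, not of the paper).

```python
import hashlib, secrets

P = 2**127 - 1  # prime field for the 2-out-of-id Shamir sharing (constructed choice)

def share_2_of_n(r, n):
    """Split r into n shares (i, r + a*i mod P); any two shares recover r."""
    a = secrets.randbelow(P)
    return {i: (r + a * i) % P for i in range(1, n + 1)}

def recover(i, si, j, sj):
    """Lagrange interpolation at x = 0 from two distinct shares."""
    return (si - (si - sj) * pow(i - j, -1, P) * i) % P

def commit(x):  # hash-based stand-in for Com(.): returns (commitment, opening)
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + x.to_bytes(16, "big")).hexdigest(), (nonce, x)

class Committer:  # honest committer of the starting protocol, identity `ident`
    def __init__(self, v, ident):
        self.v, self.r = v, secrets.randbelow(P)
        self.coms = {i: commit(s) for i, s in share_2_of_n(self.r, ident).items()}
        self.opened = []                            # challenges this party has answered
    def respond(self, ch):                          # open Com(r_ch) for ch in [id]
        self.opened.append(ch)
        return self.coms[ch][1]
    def masked_value(self):                         # v xor r; the ZKP of correctness is omitted
        return self.v ^ self.r

class MiM:  # synchronizing, non-aborting man-in-the-middle committing to its own value on the right
    def __init__(self, right_value, left_id, right_id):
        self.right, self.left_id = Committer(right_value, right_id), left_id
    def f(self, ch_right):  # constructed map [id'] -> [id]; id' > id forces a collision (pigeonhole)
        return ch_right % self.left_id + 1
    def respond(self, ch_right, left_opening):      # answers on the right only after a left opening
        assert left_opening is not None
        return self.right.respond(ch_right)

def extract(mim, left, ch_main, right_id):
    """Main thread with right challenge ch_main (left asked exactly once), then rewind only the
    right: find ch'' != ch_main with f(ch'') == f(ch_main) and replay the same left opening."""
    ch_left = mim.f(ch_main)
    left_opening = left.respond(ch_left)
    _, share_main = mim.respond(ch_main, left_opening)
    for ch_other in range(1, right_id + 1):
        if ch_other != ch_main and mim.f(ch_other) == ch_left:
            _, share_other = mim.respond(ch_other, left_opening)
            r_right = recover(ch_main, share_main, ch_other, share_other)
            return mim.right.masked_value() ^ r_right   # v' = (v' xor r') xor r'
    return None   # ch_main had no colliding right challenge: try another main thread
```

With id = 3 and id’ = 5 the map f sends right challenges 1 and 4 to the same left challenge, so a main thread started at ch’ = 1 extracts the right value after a single left opening, while a main thread at ch’ = 3 finds no collision and reports None.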

  14. Initial Protocol
      • Repeat the protocol twice: once with id and once with (n – id)
      • We get a simple protocol secure against non-aborting adversaries
      • Repeat sequentially to get security against possibly aborting adversaries
      • However, this doesn’t give us a constant round construction

  15. (Possibly) Aborting Adversaries
      [Figure: extractor on the right; the left committer opens on ch; the MiM opens or aborts on the right]
      • Problem: the adv creates a one-to-one mapping of left and right challenges (aborts on the remaining right challenges)
      • No collisions!!

  16. (Possibly) Aborting Adversaries contd.
      [Figure: left challenge ch in {0,1}^L with L = k.id; right challenge ch’ in {0,1}^L’ with L’ = k.id’]
      • Idea: right challenge space exponentially larger than the left; see protocol
      • If id’ > id, then |ch’| - |ch| ≥ k
      • Collisions guaranteed to exist (else the adv aborts with overwhelming prob)
      • Problem: hard for the extractor to find a collision in PPT
      • Adv, e.g., might apply a CRHF to compute ch from ch’

  17. Final protocol
      Committer → Receiver: com(r1[0]), …, com(rL[0]) and com(r1[1]), …, com(rL[1]), where ri = ri[0] ⊕ ri[1] and L = k.id
      Receiver → Committer: ch in {0,1}^L
      Committer → Receiver: send the relevant strings (no openings)
      Committer → Receiver: VM: com(v; r1), …, com(v; rL), followed by a ZKP
      • Need to extract ri for some i
      • VM = verification message: two purposes

  18. Extractor Description
      [Figure: left commitments: L pairs, short challenge, strings (no opening), VM + ZK; right commitments: L’ pairs with L’ > L, long challenge, strings, VM + ZK]
      • Extract on the right w/o rewinding the left
      • First run everything honestly on left and right (main thread)
      • Rewind and give a new challenge on the right
      • Give a simulated response on the left: define the unrecovered set
      • See the right response and try to extract
      • Rewind again if required

  19. Extractor Analysis
      [Figure: left coms: L pairs, ch (short), simulated response; right coms: L’ pairs, ch’ (long), wrong strings]
      • Worry: if a simulated response is given on the left, all new strings asked for on the right are incorrect/random
      • Even if one pair of coms on the right is revealed correctly with noticeable prob, we are good!

  20. Dependent set of commitments (on right)
      [Figure: left coms: L pairs, ch, strings; right coms: L’ pairs, ch’, strings]
      • Intuition: the set of right coms created by mauling an unrecovered com on the left
      • Prefix: first message on left + right
      • Dependent set is defined for a prefix + left ch
      • Prob over coins after the prefix. A com on the right belongs to the dependent set S if:
        • [Interesting]: prob of the string being revealed correctly by M is *noticeable* (run many main threads with this prefix), and,
        • [Dependent]: prob of the string being revealed correctly CONDITIONED on the left challenge of M being ch is negligible

  21. Bounding the dependent set of commitments
      [Figure: left coms: L pairs, ch, strings; right coms: L’ pairs, ch’, strings]
      • Lemma 1: if |S| > L + log2(k), the main thread is aborted w.h.p.
      • Proof:
        • Intuition: some commitment from S on the right will be selected by ch’ w.h.p.
        • M sees ch’, has 2^L choices for ch on the left (each choice will define a set S)
        • Prob that there exists S s.t. ch’ selects NOTHING from it is 2^L / 2^(L + log2(k)) = 1/k
        • Regardless of how M chooses ch, a com dependent (on the unrecovered set) is selected. M will answer incorrectly on the right.

  22. Strictly Dependent set of commitments (on right)
      [Figure: left coms: L pairs, ch, strings; right coms: L’ pairs, ch’, strings]
      • Defined for a given prefix + ch
      • Prob over coins after the prefix. A com on the right belongs to the strictly dependent set G if:
        • [Interesting]: prob of the string being revealed correctly by M is noticeable, and,
        • [Dependent]: prob of the string being revealed correctly when a simulated response is given on the left is negligible
      • To prove: if even one right pair is not in G, we are done!

  23. Bounding the strictly dependent set of commitments
      [Figure: left coms: L pairs, ch, strings; right coms: L’ pairs, ch’, strings]
      • Lemma 2: G is a subset of S w.h.p.
      • Proof:
        • Relies on hiding of com: say there exists a com in G but not in S
        • [not in S]: run the main thread, noticeable prob of seeing the correct string for this com (doesn’t follow from the interesting condition)
        • [in G]: now say the left response is simulated; negligible prob of seeing the correct string
        • [in G]: say the left response is real: again noticeable prob of seeing the correct string
        • Distinguish the simulated response from the real one

  24. Bounding the strictly dependent set of commitments: details
      • Lemma 2: more details
      • External party ready to give q responses from outside; exactly one is guaranteed to be real, the rest are simulated; q is very large
      • Hiding says one can’t predict the real one with probability noticeably better than 1/q
      • Attack:
        • Select a random com on the right as a candidate in G but not in S
        • Run main, then rewind q times using an outside response each time to complete
        • If the string for this com appears in main AND on exactly one other thread, output that response as real

  25. Bounding the strictly dependent set of commitments: details
      • Analysis:
        • Guess for the random com correct: 1/(2L’)
        • Run main; say the correct string appeared in the main thread: prob p1
        • Say when given the real response, the correct string appears again: prob p2
        • On a simulated response, the correct string appears only with negligible prob
        • Prob of a correct guess at least p1 . p2 . 1/(2L’)
        • If q is big enough, contradiction!!

  26. Final Remarks
      • We obtain constant round NM com (and zero-knowledge) based on OWFs
      • Implements the ideas from Pass-Rosen’05 (long-short NBB simulation or two-slot simulation) using only BB simulation
      • Hypothesis: can replace any application of the long-short NBB simulation technique with this protocol (plus Barak’01)

  27. Applications
      • Theorem [tighter Kilian]: assume there exists constant round OT. Then there exists constant round MPC
      • Our techniques also give the first constant round BB MPC using poly time hardness (improvement to IKLP’06, Wee’10)
      • Protocol is public-coin: useful in some follow-up works to construct constant round secure computation protocols [Garg-Goyal-Jain-Sahai’12, Cho-Garg-Ostrovsky’12]

  28. Result 2: Black-Box NM com [joint with Lee, Ostrovsky, Visconti]
      • Previous protocol: has a zero-knowledge proof of consistency at the end
      • Idea: instantiate this zero-knowledge using “MPC in the head” ideas; make only a BB use of the commitment scheme

  29. “Computation in the head” paradigm [Ishai-Kushilevitz-Ostrovsky-Sahai 2007]
      • Originally used to improve the communication complexity of zero-knowledge protocols
      Sender → Receiver: Com(view1), …, com(viewk)
      Receiver → Sender: select k/3 coms at random
      Sender → Receiver: open the selected views
      • To prove x in L, emulate k virtual players in the head
      • Inputs are shares of the witness w
      • Run the computation for a function f s.t. f(w) = 1 iff x in L
      • Commit to the resulting views
      • Check output 1 in each view
      • Check all views are honest/consistent with each other
      • ZK: k/3 views don’t leak anything
      • Soundness: to change the output, lots of players need to cheat

  30. Previous protocol
      [Figure: L pairs of commitments; ch in {0,1}^L; send the relevant strings; VM: com(v; r1), …, com(v; rL)]
      • First part: standard statement
      • Second part: more complex. Need to implement VM in an information theoretic fashion. Use strong extractors and pairwise independent hash functions
      • Requires an extension of the computation in the head ideas

  31. Final Remarks
      • Constant round multi-party coin tossing using only OWFs
      • Constant round NM statistically hiding commitments (same asymptotic round complexity)
      • Open question: non-interactive non-malleable commitments

  32. Thank You!
