Constant Round Non-Malleable Commitments
Vipul Goyal, Microsoft Research, India
Commitment Schemes [Blum’84]
• Commitment like a note placed in a combination safe
• Two properties: hiding and binding
• Electronic equivalent of such a safe
[Figure: Committer sends Com(s) to Receiver, who asks “s?”; later the Committer sends the opening of Com(s), i.e. the combination]
Contract Bidding: is a commitment sufficient?
[Figure: the honest bidder sends Com(s); the adversary, without knowing s, produces Com(s - 1)]
• Adversary cheats and creates a winning bid
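The bidding slide says that a plain (hiding and binding) commitment is not enough, because an adversary can turn Com(s) into Com(s - 1) without ever learning s. The following added example, which is not code from the talk or its paper, shows this concretely with a toy Pedersen commitment Com(s; r) = g^s h^r over a small safe-prime group constructed at run time: the scheme is perfectly hiding and computationally binding, yet it is homomorphic, so the mauled commitment opens to s - 1 with the honest bidder's own randomness r once the bidder opens. The group parameters, generator labels and function names are all constructed here for illustration; the non-malleable commitments of the talk are designed so that no such relation can be forced.

```python
import hashlib
import secrets

# Toy Pedersen commitment over a 62-bit safe-prime group.  Added example: the
# parameters are constructed on the fly and are far too small for real use.

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3 * 10**24."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_from(start: int) -> int:
    """Smallest safe prime p = 2q + 1 with q >= start // 2 (constructed toy search)."""
    q = start // 2 | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = safe_prime_from(1 << 62)          # group modulus
Q = (P - 1) // 2                      # prime order of the quadratic-residue subgroup
G = 4                                 # a square, hence a generator of the order-Q subgroup
# Second generator derived by hashing, so nobody knows log_G(H) ("nothing up my sleeve").
H = pow(int.from_bytes(hashlib.sha256(b"pedersen-second-generator").digest(), "big") % P, 2, P)

def commit(s: int, r: int) -> int:
    """Com(s; r) = g^s * h^r mod p: hiding because r masks s, binding under discrete log."""
    return pow(G, s % Q, P) * pow(H, r % Q, P) % P

def verify(c: int, s: int, r: int) -> bool:
    """Receiver checks the opening (s, r) against the committed value c."""
    return commit(s, r) == c

def maul_minus_one(c: int) -> int:
    """The relation the bidding slide warns about: the homomorphism turns Com(s; r)
    into Com(s - 1; r) without the attacker learning s."""
    return c * pow(G, Q - 1, P) % P   # multiply by g^{-1}

def bidding_demo(bid: int):
    """Returns (honest opening verifies, mauled commitment verifies for bid - 1
    with the honest r).  The second True is exactly the malleability problem."""
    r = secrets.randbelow(Q)
    c = commit(bid, r)
    c_mim = maul_minus_one(c)
    return verify(c, bid, r), verify(c_mim, bid - 1, r)
```

The receiver cannot tell the two commitments apart, and binding is not violated: the mauled commitment really is a commitment to bid - 1. What is missing is non-malleability, the property that ties the right-hand commitment's value to an identity/tag rather than to a relation with the left-hand one.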
Non-Malleable Commitments
• Introduced in the seminal work of Dolev, Dwork and Naor [DDN91]
• Important building block towards the bigger goal of designing secure cryptographic protocols for the internet setting
• Well studied primitive
Picture credit: R. Pass
NM Commitment: Definition [DDN’91, PR’05, LPV’08]
[Figure: Real World, a MiM between a left commitment to s and a right commitment to s’; Simulator producing s’ on its own]
• Value s’ should be “independent” of s
• NMcom requirement: MiM and Simulator committing to same value
• No copy: each party has a unique identity/tag (tag based non-malleability)
NM com: how to prove
[Figure: Extractor between the left honest commitment to s and the right commitment to s’]
• Say extractor outputs s’ without rewinding the left honest committer
• By hiding of com: s’ independent of s
• Can easily construct a simulator: commit to 0 on left
Result 1 (2011)
• This work: Constant round NM commitments using only OWFs
• Long line of work [Dolev-Dwork-Naor’91, ..]; previous state of art included several incomparable results
  • CRHF + NBB simulation [Barak’02, PR’05]
  • Super constant rounds [DDN’91, .., LP’09, Wee’10]
  • Non-standard assumptions [PPV’08, Wee’10]
• Independent work: Lin-Pass’11 obtained similar result using unrelated ideas
• Advantage over LP’11: more “amenable” to BB use of OWF; gives BB construction of MPC
Result 2 (upcoming FOCS) [joint with Lee, Ostrovsky, Visconti]
• Constant round NM com using only a BB use of OWFs
• Earlier: no black-box construction of NM com known without relaxing the security notion (any rounds, any assumption)
• Idea: Instantiate the previous protocol from 2011 using “MPC in the head” ideas [IKOS’07]
Result 1: Basic technical contribution
[Figure: left session with L pairs of commitments and a short challenge; right session with L’ >> L pairs of commitments and a long challenge; both sides then open]
• Consider a slot (of e.g. PRS preamble, extractable commitments, etc.)
• Say adv gets small number of commitment pairs on left; gives large number on right
• Adversary created at least one commitment pair on right on his own; in fact, can extract from right without rewinding left
• Can be seen as making s.p. different for left and right using || repetition
• Conceptual similarity to long-short NBB simulation technique of Pass’04
Preliminaries
[Figure: left session with identity id, right session with identity id’]
• Throughout the talk:
  • Only consider synchronizing adversaries
  • Identities coming from polynomial domain (log length identities)
  • Assume id’ > id
Starting protocol
[Figure: Committer (identity id) and Receiver]
Committer: generate r, break into r1 to rid using a 2-out-of-id secret sharing; send Com(r1), . . ., Com(rid)
Receiver: ch in [id]
Committer: opening of Com(rch)
Committer: v r + ZKP of correctness
• Identity id from a polynomial sized domain
• Learning two shares sufficient to extract v
• Identity encoded in length of challenge
Proof of Security
[Figure: left session (identity id): Com(r1), . . ., Com(rid), challenge ch in [id], Committer response; right session (identity id’): Com(r’1), . . ., Com(r’id’), challenge ch’ in [id’], response to Receiver]
• Protocol secure against non-aborting + synchronizing adversaries
• Assume id’ > id throughout the talk (space of challenge strings on right bigger)
• At least two right challenges mapping to same left challenge (pigeon hole)
• Gives possibility to get two responses on right and give only one on left
Proof of Security contd.
[Figure: Extractor between left Committer (id) and the right session (id’); left Com(r1), . . ., Com(rid), right Com(r’1), . . ., Com(r’id’); right challenges ch’ and ch’’ in [id’], left challenge ch in [id]; left opens rch, right opens r’ch’ and r’ch’’; left ends with v r + ZKP, right with v’ r’ + ZKP]
• Extractor: Rewind and extract from right w/o rewinding left
• Ext experiments to find a collision (ch’ and ch’’ both mapping to ch)
• Replays the same left message for ch’’
• Extraction successful!!
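The starting protocol and its extractor, carried through in code as an added example (not code from the talk or its paper). It assumes a toy hash commitment for the shares, a toy com(v; r) = H(r) xor v so that learning r immediately yields v, and a constructed synchronizing, non-aborting man-in-the-middle that answers right challenge ch’ only after seeing the left opening for ch = ((ch’ - 1) mod id) + 1. The zero-knowledge proof of correctness from the slide is omitted. Because id’ > id, the pigeonhole principle guarantees two right challenges that ask for the same left challenge; the extractor serves the left session exactly once (the main thread), abandons every rewind thread that would need a different left opening, and reconstructs r’ and then v’ from the two right shares it collects.

```python
import hashlib
import secrets

P = (1 << 61) - 1   # prime field for the 2-out-of-id sharing (constructed choice)

def hcommit(value: int, rnd: bytes) -> bytes:
    """Toy hash commitment to a field element (added example, not the paper's scheme)."""
    return hashlib.sha256(rnd + value.to_bytes(8, "big")).digest()

def share_2_of_n(secret: int, n: int) -> dict:
    """2-out-of-n Shamir sharing: points (i, secret + a*i) on a random line."""
    a = secrets.randbelow(P)
    return {i: (secret + a * i) % P for i in range(1, n + 1)}

def reconstruct(x1: int, y1: int, x2: int, y2: int) -> int:
    """Constant term of the line through two distinct shares."""
    return (y1 * x2 - y2 * x1) * pow(x2 - x1, -1, P) % P

def com_v(v: int, r: int) -> int:
    """Toy com(v; r) = H(r) xor v: whoever learns r recovers v at once."""
    mask = int.from_bytes(hashlib.sha256(r.to_bytes(8, "big")).digest()[:8], "big")
    return v ^ mask

class Committer:
    """Honest committer of the starting protocol with identity `ident`."""
    def __init__(self, v: int, ident: int):
        self.v, self.ident = v, ident
        self.r = secrets.randbelow(P)
        self.shares = share_2_of_n(self.r, ident)
        self.rnds = {i: secrets.token_bytes(16) for i in self.shares}
    def first_message(self):
        return com_v(self.v, self.r), [hcommit(self.shares[i], self.rnds[i]) for i in self.shares]
    def open_share(self, ch: int):
        return ch, self.shares[ch], self.rnds[ch]

class MiM:
    """Constructed synchronizing, non-aborting man-in-the-middle: commits to its own
    value on the right under identity id' > id, and before answering right challenge
    ch' insists on the left opening for ch = ((ch' - 1) mod id) + 1."""
    def __init__(self, left_ident: int, ident: int, v: int):
        self.left_ident = left_ident
        self.inner = Committer(v, ident)
    def right_first_message(self):
        return self.inner.first_message()
    def right_open(self, ch_right: int, ask_left):
        ch_left = (ch_right - 1) % self.left_ident + 1
        if ask_left(ch_left) is None:        # extractor abandons this rewind thread
            return None
        return self.inner.open_share(ch_right)

def extract_right(left: Committer, mim: MiM):
    """Extractor: runs the left session once (never rewound) and rewinds the right
    session over its challenges until two right openings share one left challenge.
    Returns (extracted v', number of distinct left challenges answered)."""
    cv, coms = mim.right_first_message()
    left.first_message()
    served = {}                                   # the single left opening we may give
    def ask_left(ch):
        if not served:                            # main thread: answer honestly once
            served[ch] = left.open_share(ch)
        return served.get(ch)                     # rewinds: replay if same ch, else None
    openings = []
    for ch_right in range(1, mim.inner.ident + 1):   # first iteration = main thread
        op = mim.right_open(ch_right, ask_left)
        if op is None:
            continue
        i, share, rnd = op
        assert hcommit(share, rnd) == coms[i - 1], "right opening does not match commitment"
        openings.append((i, share))
        if len(openings) == 2:                    # collision found: two right responses
            break
    (x1, y1), (x2, y2) = openings
    r_right = reconstruct(x1, y1, x2, y2)
    return cv ^ com_v(0, r_right), len(served)    # com_v(0, r) is just the mask H(r)
```

The `len(served) == 1` result is the point of the slide: the extractor obtained two responses on the right while the left committer answered a single challenge, so the left session was not rewound and hiding on the left is untouched.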
Initial Protocol
• Repeat protocol twice: once with id and once with (n – id)
• We get a simple protocol secure against non-aborting adversaries
• Repeat sequentially to get security against possibly aborting adversaries
• However, doesn’t give us a constant round construction
(Possibly) Aborting Adversaries
[Figure: Extractor between left Committer (id) and the right session (id’); left opens, right opens or aborts]
• Problem: Adv creates a one to one mapping of left and right challenges (aborts on the remaining right challenges)
• No collisions!!
(Possibly) Aborting Adversaries contd.
[Figure: left challenge ch in {0,1}^L with L = k·id; right challenge ch’ in {0,1}^L’ with L’ = k·id’]
• Idea: right challenge space exponentially larger than left; see protocol
• If id’ > id, then |ch’| - |ch| ≥ k
• Collisions guaranteed to exist (else adv aborts with overwhelming prob)
• Problem: hard for extractor to find a collision in PPT
• Adv, e.g., might apply a CRHF to compute ch from ch’
Final protocol
[Figure, with L = k·id:
  Committer: com(r1[0]), …, com(rL[0]) and com(r1[1]), …, com(rL[1]), where ri = ri[0] ⊕ ri[1]
  Receiver: ch in {0,1}^L
  Committer: send the relevant strings (no openings)
  Committer: VM: com(v; r1), …, com(v; rL), then ZKP]
• Need to extract ri for some i
• VM = verification message: two purposes
Extractor Description
[Figure: left commitments, L pairs, short challenge, strings (no opening), VM + ZK; right commitments, L’ pairs with L’ > L, long challenge, strings, VM + ZK]
• Extract on right w/o rewinding left
• First run everything honestly on left and right (main thread)
• Rewind and give a new challenge on right
• Give simulated response on left: define unrecovered set
• See right response and try to extract
  • rewind again if required
Extractor Analysis
[Figure: left coms, L pairs, ch (short), simulated response; right coms, L’ pairs, ch’ (long), wrong strings]
• Worry: if simulated response on left, all new strings asked on right are incorrect/random
• Even if one pair of coms on right is revealed correctly with noticeable prob, we are good!
Dependent set of commitments (on right)
[Figure: left coms, L pairs, ch, strings; right coms, L’ pairs, ch’, strings]
• Intuition: set of right coms created by mauling an unrecovered com on left
• Prefix: first message on left + right
• Dependent set is defined for a prefix + left ch
• Prob over coins after prefix. A com on right belongs to dependent set S if:
  • [Interesting]: prob of string revealed correctly by M is *noticeable* (run many main threads with this prefix), and
  • [Dependent]: prob of string revealed correctly CONDITIONED on left challenge of M being ch is negligible
Bounding dependent set of commitments
[Figure: left coms, L pairs, ch, strings; right coms, L’ pairs, ch’, strings]
• Lemma 1: if |S| > L + log2(k), main thread aborted w.h.p.
• Proof:
  • Intuition: some commitment from S on right will be selected by ch’ w.h.p.
  • M sees ch’, has 2^L choices for ch on left (each choice will define a set S)
  • Prob that there exists S s.t. ch’ selects NOTHING from it is at most 2^L / 2^(L + log2(k)) = 1/k
  • Regardless of how M chooses ch, a com dependent (on unrecovered set) is selected. M will answer incorrectly on right.
Strictly Dependent set of commitments (on right)
[Figure: left coms, L pairs, ch, strings; right coms, L’ pairs, ch’, strings]
• Defined for a given prefix + ch
• Prob over coins after prefix. A com on right belongs to strictly dependent set G if:
  • [Interesting]: prob of string revealed correctly by M is noticeable, and
  • [Dependent]: prob of string revealed correctly when simulated response given on left is negligible
• To prove: if even one right pair is not in G, we are done!
Bounding Strictly Dependent set of commitments
[Figure: left coms, L pairs, ch, strings; right coms, L’ pairs, ch’, strings]
• Lemma 2: G is a subset of S w.h.p.
• Proof:
  • Relies on hiding of com: say there exists a com in G but not in S
  • [not in S]: Run main thread, noticeable prob of seeing correct string for this com (doesn’t follow from the interesting condition)
  • [in G]: Now say left response is simulated; negl prob of seeing correct string
  • [in G]: Say left response is real: again noticeable prob of seeing correct string
  • Distinguish simulated response from real
Bounding Strictly Dependent set of commitments: details
• Lemma 2: more details
  • External party ready to give q responses from outside; exactly one guaranteed to be real, the rest simulated; q is very large
  • Hiding says can’t predict (which one is real) with noticeably better than 1/q
• Attack:
  • Select a random com on right as a candidate in G but not S
  • Run main, then rewind q times, using an outside response each time to complete
  • If string for this com appears in main AND on exactly one other thread, output that response as real
Bounding Strictly Dependent set of commitments: details
• Analysis:
  • Guess for random com correct: 1/(2L’)
  • Run main; say correct string appeared in main thread: prob p1
  • Say when given real response, again correct string appears: prob p2
  • On simulated resp, correct string appears only with negl prob
  • Prob of correct guess at least p1 · p2 · 1/(2L’)
  • If q big enough, contradiction!!
Final Remarks
• We obtain constant round NM com (and zero-knowledge) based on OWFs
• Implements the ideas from Pass-Rosen’05 (long-short NBB simulation or two slot simulation) using only BB simulation
• Hypothesis: Can replace any application of the long-short NBB simulation technique with this protocol (plus Barak’01)
Applications
• Theorem [tighter Kilian]: Assume there exist constant round OT. Then there exists constant round MPC
• Our techniques also give the first constant round BB MPC using poly time hardness (improvement to IKLP’06, Wee’10)
• Protocol is public-coin: useful in some follow up works to construct constant round secure computation protocols [Garg-Goyal-Jain-Sahai’12, Cho-Garg-Ostrovsky’12]
Result 2: Black-Box NM com [joint with Lee, Ostrovsky, Visconti]
• Previous protocol: has a zero-knowledge proof of consistency in the end
• Idea: Instantiate this zero-knowledge using “MPC in the head” ideas; make only a BB use of the commitment scheme
“Computation in the head” paradigm [Ishai-Kushilevitz-Ostrovsky-Sahai 2007]
• Originally used to improve the communication complexity of zero-knowledge protocols
[Figure: Sender sends Com(view1), …, com(viewk) to Receiver; Receiver selects k/3 coms at random; Sender opens the selected views]
• To prove x in L, emulate k virtual players in head
• Inputs are shares of the witness w
• Run computation for function f s.t. f(w) = 1 iff x in L
• Commit to resulting views
• Check output 1 in each view
• Check all views are honest/consistent with each other
• ZK: k/3 views don’t leak anything
• Soundness: to change output lots of players need to cheat
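The commit-then-open structure of the paradigm, as an added example that is not code from the talk, the IKOS paper, or the result it describes. It uses the smallest instantiation that still lets the verifier cross-check views: three virtual players with additive shares of the witness, of which two views are opened (rather than the k players and k/3 openings of the slide), and a constructed statement “I know w with w² = x mod p”. Player i holds share w_i, receives its neighbour's share w_{i+1}, and outputs z_i = w_i² + 2·w_i·w_{i+1}; the three outputs sum to w². Two opened views reveal only two of three uniform shares (the ZK property), and a prover who lacks w must make at least one view inconsistent with its commitment, its neighbour, or the broadcast outputs, which a random choice of opened pair catches with constant probability, so the protocol would be repeated for soundness. The hash commitment and the field are toy choices.

```python
import hashlib
import secrets

P = (1 << 61) - 1   # prime field (constructed choice)

def commit_view(view: tuple, rnd: bytes) -> bytes:
    """Toy hash commitment to one player's view."""
    return hashlib.sha256(rnd + repr(view).encode()).digest()

def emulate_in_head(w: int):
    """Prover emulates 3 virtual players computing w^2 from additive shares.
    View of player i = (own share w_i, received share w_{i+1}, output z_i)."""
    w0, w1 = secrets.randbelow(P), secrets.randbelow(P)
    ws = [w0, w1, (w - w0 - w1) % P]
    views = []
    for i in range(3):
        recv = ws[(i + 1) % 3]                          # message from the next player
        z = (ws[i] * ws[i] + 2 * ws[i] * recv) % P      # z_0+z_1+z_2 = (w_0+w_1+w_2)^2
        views.append((ws[i], recv, z))
    return views

def prove(w: int):
    """Returns the commitments, the broadcast outputs, and a responder that opens
    views e and e+1 for the verifier's challenge e in {0, 1, 2}."""
    views = emulate_in_head(w)
    rnds = [secrets.token_bytes(16) for _ in range(3)]
    coms = [commit_view(v, r) for v, r in zip(views, rnds)]
    outputs = [v[2] for v in views]
    def respond(e: int):
        return [(views[j], rnds[j]) for j in (e, (e + 1) % 3)]
    return coms, outputs, respond

def verify(x: int, coms, outputs, e: int, opened) -> bool:
    """Verifier's checks on the two opened views."""
    (va, ra), (vb, rb) = opened
    a, b = e, (e + 1) % 3
    if commit_view(va, ra) != coms[a] or commit_view(vb, rb) != coms[b]:
        return False                                     # openings must match commitments
    if sum(outputs) % P != x:
        return False                                     # joint output must equal x
    if va[2] != outputs[a] or vb[2] != outputs[b]:
        return False                                     # opened outputs match broadcast
    if va[1] != vb[0]:
        return False                                     # what a received is what b holds
    for wi, recv, z in (va, vb):
        if (wi * wi + 2 * wi * recv) % P != z:
            return False                                 # each opened player ran f honestly
    return True

def cheating_prover(x: int, w_fake: int):
    """Constructed cheater without a square root of x: emulates honestly on w_fake,
    then patches player 2's broadcast output so the outputs still sum to x."""
    coms, outputs, respond = prove(w_fake)
    outputs = outputs[:2] + [(outputs[2] + x - sum(outputs)) % P]
    return coms, outputs, respond

def accepted_challenges(x: int, coms, outputs, respond):
    """Which of the three challenges the verifier would accept."""
    return [e for e in range(3) if verify(x, coms, outputs, e, respond(e))]
```

An honest prover is accepted for every challenge; the patched cheater survives only the challenge that leaves player 2's view unopened, so repeating the protocol drives its success probability down geometrically, which is the “lots of players need to cheat” soundness argument in miniature.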
Previous protocol
[Figure: L pairs of commitments; ch in {0,1}^L; send the relevant strings; VM: com(v; r1), …, com(v; rL)]
• First part: standard statement
• Second part: more complex. Need to implement VM in an information theoretic fashion. Use strong extractors and pairwise independent hash functions
• Requires extension of the computation in the head ideas
Final Remarks
• Constant round multi-party coin tossing using only OWFs
• Constant round NM statistically hiding commitments (same asymptotic round complexity)
• Open Question: non-interactive non-malleable commitments