
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol. Tal Moran Joint work with Moni Naor. Cryptographic Randomized Response. “Randomized Response Technique” [War65] Method for polling stigmatizing questions Idea: Lie with known probability.



Presentation Transcript


  1. Polling With Physical Envelopes: A Rigorous Analysis of a Human–Centric Protocol. Tal Moran, joint work with Moni Naor

  2. Cryptographic Randomized Response
  • “Randomized Response Technique” [War65]
    • Method for polling stigmatizing questions
    • Idea: lie with known probability
    • Specific answers are deniable
    • Aggregate results are still valid
  • Problem: responders may have incentive to cheat
    • E.g., pre-election polls
  • CRRT [AJL04]: use cryptographic techniques to prevent cheating
    • Uses ZK, OT or quantum cryptography
    • Requires either computers or quantum equipment

  3. CRRT and AnthropoCryptography
  • Responder’s trust is critical when polling sensitive questions
  • We can’t assume responders have knowledge of computers or cryptography
  • Our protocols must take into account human abilities and limitations
  • Previous work:
    • Visual Cryptography [NS94]
    • Private computation using a Pez dispenser [BCIK03]
    • “Applied Kid Cryptography” [NNR]
    • Basing Cryptographic Protocols on Tamper-Evident Seals [MN05]

  4. Our Results
  • Protocols for CRRT using scratch-off cards and envelopes
    • Simple enough to be practical
  • Our protocols are secure in Canetti’s UC model
    • Allows secure black-box composition
  • Lower bounds on implementations of “Strong” CRRT

  5. Scratch-Off Cards and Envelopes
  • Contain a “sealed” message
  • Can’t read the message without breaking the seal
  • It is evident when the seal is broken

  6. p-CRRT: What we would like
  • Assume the answer to the poll is either 0 or 1; p is fixed: ½ < p < 1
  • Responder chooses one of two strategies:
    • Result is 0 with prob. p and 1 with prob. 1-p
    • Result is 1 with prob. p and 0 with prob. 1-p
  • Responder cannot influence the output beyond choosing the strategy
  • The pollster gets no additional information about the strategy chosen beyond the result itself

  7. p-CRRT: What we can get
  • Assume the answer to the poll is either 0 or 1; p is fixed: ½ < p < 1
  • Responder chooses one of two strategies:
    • Result is 0 with prob. p and 1 with prob. 1-p
    • Result is 1 with prob. p and 0 with prob. 1-p
  • Responder cannot influence the output beyond choosing the strategy; pollster can learn the strategy, but risks getting caught
    • “Responder-Immune”
  • The pollster gets no additional information about the strategy chosen beyond the result itself; responder can influence the output, but risks getting caught
    • “Pollster-Immune”

  8. Pollster-Immune ¾-CRRT (with Scratch-Off Cards)
  • Alice prepares a card with two rows, each with a 0 and a 1 in random order, and sends it to Bob
  • Bob scratches a random bubble in each row
    • Then the entire row that has not revealed his choice
    • Scratches a random row if both revealed values are identical
  • If a revealed row is invalid, Bob halts; otherwise he returns the card to Alice
  • If the number of scratched bubbles is ≠3, or if Bob halts, Alice outputs ?
    • Otherwise Alice counts the singleton
  [Figure: example card with rows 0 1 / 1 0, captioned “Go “0”s!!!”]

  9. Pollster-Immune CRRT: “Intuitive Analysis”
  • An honest responder gets her wish with probability ¾
  • A cheating responder can’t force anything better:
    • Without scratching more than one bubble he has no more information than the honest responder
    • Deciding to scratch another bubble “commits” him to that row (before he gets the information)
  • A cheating responder can refuse to return the card
    • Pollster will realize this
  [Figure: the four possible card layouts]
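An added model of the ¾-CRRT card protocol of slides 8 and 9 (my own Python, not the authors' code): it enumerates every honest card layout and every coin toss Bob makes to confirm the ¾ figure exactly, and shows Bob halting when a fully revealed row is invalid. Function and parameter names are mine.

```python
import itertools
from fractions import Fraction

# Added model of slides 8-9; structure and names are the editor's, not the authors'.

def make_card(rng):
    """Alice (honest): two rows, each holding one 0 and one 1 in random order."""
    return [rng.sample([0, 1], 2) for _ in range(2)]

def responder(card, wish, first, tie_row):
    """Bob's honest strategy.  first = (bubble scratched in row 0, bubble scratched in row 1);
    tie_row = the row he scratches fully when both first scratches show the same value.
    Returns the set of scratched (row, col) positions, or None if he halts."""
    scratched = {(0, first[0]), (1, first[1])}
    v0, v1 = card[0][first[0]], card[1][first[1]]
    if v0 == v1:
        row = tie_row                        # identical values: scratch a random row
    elif v0 == wish:
        row = 1                              # row 0 showed his choice, so reveal row 1
    else:
        row = 0
    scratched |= {(row, 0), (row, 1)}
    if sorted(card[row]) != [0, 1]:          # a fully revealed row must hold one 0 and one 1
        return None                          # invalid card: Bob halts and keeps the card
    return scratched

def pollster(card, scratched):
    """Alice: '?' unless the card came back with exactly three scratched bubbles;
    otherwise the value of the singleton, the lone scratched bubble in the other row."""
    if scratched is None or len(scratched) != 3:
        return "?"
    per_row = [sum(1 for r, _ in scratched if r == i) for i in range(2)]
    single_row = per_row.index(1)
    (col,) = [c for r, c in scratched if r == single_row]
    return card[single_row][col]

def exact_wish_probability(wish):
    """Average over every honest card and every coin toss Bob makes (all equally likely)."""
    hits = total = 0
    for r0, r1 in itertools.product(([0, 1], [1, 0]), repeat=2):
        card = [list(r0), list(r1)]
        for first in itertools.product(range(2), repeat=2):
            for tie_row in range(2):
                total += 1
                hits += pollster(card, responder(card, wish, first, tie_row)) == wish
    return Fraction(hits, total)             # 3/4 for either wish
```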

  10. Responder-Immune 2/3-CRRT (with Envelopes)
  • Bob takes three envelopes
    • He chooses two at random to contain his choice; the remaining envelope contains the opposite
  • Bob seals the envelopes and sends them to Alice
  • Alice opens a random envelope
    • She shows Bob which one she opened
  • Bob tells Alice which envelope contains the opposite choice

  11. Responder-Immune 2/3-CRRT (with Envelopes)
  • If Bob was honest
    • Alice records the first envelope she opened as her output
    • Alice returns the unopened envelope to Bob
  • If Bob cheated
    • Alice opens all the envelopes
    • If they are not identical, Alice records the first envelope she opened as the output
    • If they are identical, Alice records their value with prob. 2/3 and the opposite value with prob. 1/3
  [Figure: envelopes; output 0 with prob. 2/3, 1 with prob. 1/3]

  12. Responder-Immune CRRT: “Intuitive Analysis”
  • Bob gets his wish with probability 2/3
  • Bob can’t cheat at all:
    • If Bob uses three identical envelopes, he will be caught with prob. 1 (then Alice simulates an honest Bob to get her response)
    • If Bob answers Alice’s query incorrectly, she will simply open the envelopes and discover the correct answer herself
  • Alice can cheat:
    • She can open the envelopes (but will be caught)
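An added model of the envelope protocol of slides 10 to 12 (my own Python, not the authors' code). It enumerates Bob's placement, Alice's first envelope and her tie-break to confirm that an honest Bob and a Bob who seals three identical envelopes both end up with their choice recorded with probability exactly 2/3. The consistency check Alice applies to Bob's answer is an assumption about the slides' detection step, and all names are mine.

```python
import itertools
from fractions import Fraction

# Added model of slides 10-12; the names and Alice's check are the editor's assumptions.

def honest_envelopes(choice, opposite_slot):
    """Bob (honest): two envelopes hold his choice, the one at opposite_slot the opposite."""
    return [1 - choice if i == opposite_slot else choice for i in range(3)]

def honest_answer(envelopes, opened):
    """Bob (honest) names the envelope whose value appears only once: the opposite one."""
    return next(i for i in range(3) if envelopes.count(envelopes[i]) == 1)

def identical_envelopes(choice, _slot):
    """Bob (cheating): all three envelopes hold his choice."""
    return [choice] * 3

def any_answer(_envelopes, _opened):
    """Bob (cheating) has no opposite envelope, so he just points at envelope 0."""
    return 0

def alice(envelopes, opened, claimed_opposite, coin):
    """Alice's side.  opened = her random first envelope; claimed_opposite = Bob's answer;
    coin in {0, 1, 2} = her tie-break when all three envelopes turn out identical.
    Returns (output, bob_caught).  Assumed check: she opens one more envelope that should
    hold the opposite of the first (the one Bob named, or either other one if he named
    the envelope she already opened) and compares the two values."""
    first = envelopes[opened]
    second = claimed_opposite if claimed_opposite != opened else (opened + 1) % 3
    if envelopes[second] != first:
        return first, False                  # honest: the third envelope goes back to Bob
    if len(set(envelopes)) > 1:              # cheated, but the envelopes are not all equal
        return first, True
    return (first if coin < 2 else 1 - first), True   # all equal: keep value w.p. 2/3

def exact_wish_probability(make_envelopes, answer, choice):
    """Average over Bob's placement, Alice's first envelope and her tie-break coin."""
    hits = total = 0
    for slot, opened, coin in itertools.product(range(3), repeat=3):
        env = make_envelopes(choice, slot)
        out, _ = alice(env, opened, answer(env, opened), coin)
        total += 1
        hits += out == choice
    return Fraction(hits, total)             # 2/3 whether Bob is honest or cheats
```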

  13. Why is Efficient Strong CRRT Hard?
  • CRRT is connected to two well-studied cryptographic tasks:
  • Oblivious Transfer
    • We can build OT from some types of CRRT [Crépeau, Kilian ’88], [DKS ’99], [DFMS ’04]
    • OT is impossible using scratch-off cards (or envelopes) [MN05]
  • Strong Coin Flipping
    • Some types of CRRT imply Strong Coin Flipping
    • Lower bound on the number of rounds required [Cleve ’86]

  14. Rigorous Analysis
  • We define security using “Ideal Functionalities”
  • An Ideal Functionality is a trusted third party
    • We specify the behavior of the functionality
    • The specification explicitly states what the adversary is allowed to do
  • A protocol “realizes” the functionality if any attack against the protocol also works in the “ideal world”

  15. Proofs in the UC (hybrid) Model
  [Figure: the “real world” (environment machine Z, “real” adversary A, parties exchanging input/output through a client ideal functionality) beside the “ideal world” (environment machine Z, “ideal” adversary S, dummy parties connected to the target ideal functionality)]
  • A protocol securely realizes a target functionality if:
    • There exists an ideal adversary S so that:
    • For any real adversary A, no “environment” Z can distinguish between the real world with A and the ideal world with S

  16. Proofs in the UC (hybrid) Model: “Real World”
  • Parties follow the protocol (using the client functionality)
  • A controls and sees communication of corrupted parties
  [Figure: environment machine Z, “real” adversary A, and parties exchanging input/output through the client ideal functionality (e.g., scratch-off card)]

  17. Proofs in the UC (hybrid) Model: “Ideal World”
  • Dummy parties pass their input and output to and from the target functionality
  • S controls and sees communication of corrupted parties
  [Figure: environment machine Z, “ideal” adversary S, and dummy parties exchanging input/output through the target ideal functionality (e.g., CRRT functionality)]

  18. Proofs in the UC (hybrid) Model: Standard Construction
  [Figure: environment machine Z exchanges input/output with dummy parties attached to the target ideal functionality; the “ideal” adversary S internally runs a simulated “real” adversary A, simulated parties and a simulated client ideal functionality]

  19. The Ideal Adversary: Corrupt Pollster
  • Send Begin to the CRRT functionality, wait for response v’
  • Simulate the real adversary until it sends the card (simulating the scratch-off card functionalities)
  • The ideal adversary knows the values of the sealed bubbles without opening them!
  [Figure: card with rows 0 1 / 1 0; message flow among Pollster, CRRT Ideal Functionality, “Real” Adversary and Responder: Begin, v’, Vote v]

  20. The Ideal Adversary: Corrupt Pollster
  • If exactly one row is bad:
    • If it’s equal to v’, scratch the other row and randomly scratch one bubble in that row
    • Otherwise simulate the responder halting
  [Figure: case analysis of the simulated cards, labelled with probabilities ¼ ¼ ¼ ¾: v’=1 and ¼ ¼: v’=0]

  21. Summary
  • Shown two simple CRRT protocols
  • Evidence that Strong CRRT is hard
  • Sketch of formal UC proof
  • Open questions
    • Complete lower bound on Strong CRRT
    • Strong CRRT using other physical assumptions?

  22. The End

  23. The Ideal Adversary: Corrupt Responder
  • Wait for the CRRT functionality to send Vote
  • Simulate the pollster sending a card to the real adversary
  • Note that the ideal adversary is not committed until the bubbles are actually scratched!
  [Figure: card with four unscratched bubbles (? ? ? ?); message flow among Pollster, CRRT Ideal Functionality, “Real” Adversary and Responder: Begin, Vote, v]

  24. The Ideal Adversary: Corrupt Responder
  • If Vote=1, the first bubble scratched in every row will be 1
  • If Vote=0, the first bubble scratched in every row will be 0
  • If Vote=‘?’, the simulator chooses a random bit b
    • The first bubble scratched in the top row will be b
    • The first bubble scratched in the bottom row will be 1-b
  [Figure: example simulated cards]

  25. The Ideal Adversary: Corrupt Responder
  • Simulation continues until the “real” adversary returns the card or halts
  • If the card is valid, send Vote v to the functionality (v is the vote corresponding to the card)
  • If the card is invalid, send Halt to the functionality
  [Figure: example card with rows 0 1 / 0 1; message flow among Pollster, CRRT Ideal Functionality, “Real” Adversary and Responder: Begin, 0 or ?, Vote 0 or Halt]

  26. The Ideal Adversary: Corrupt Pollster
  • If both rows are valid, randomly choose a row to “scratch”
    • Scratch v’ in the other row
  [Figure: case analysis of the simulated cards, labelled with probabilities ¼ ¼ ¼ ¾: v’=1 and ¼ ¼: v’=0]

  27. The Ideal Adversary: Corrupt Pollster
  • If both rows are bad, simulate the responder halting
    • This would happen with prob. 1 in the “real world” as well
  [Figure: card with rows 0 0 / 1 1]

  28. Approaching Strong CRRT
  • Repeat the pollster-immune CRRT protocol r times
  • The pollster will use the majority of the results
  • If the responder cheats (refuses to return a card), the pollster will use random bits for the remaining rounds
  • A cheating responder has advantage O(1/√r) over an honest one
    • Can cheat only once; this will affect the result only if the other rounds are balanced
    • This occurs with probability O(1/√r)
  • Using many rounds increases the pollster’s information
    • The basic p-CRRT must have p close to ½
  • The result is very inefficient (and impractical)

  29. Pollster-Immune p-CRRT (for any rational p = k/n)
  • Alice prepares a card with two columns, one with k 0s and (n-k) 1s, and the other with k 1s and (n-k) 0s
  • She sends the card to Bob
  • Bob scratches a random bubble in each column
    • Then the entire row that has not revealed his choice
    • Scratches a random row if both revealed values are identical
  • If a revealed row is invalid, Bob halts; otherwise he returns the card to Alice
  • If both rows have >1 scratched bubbles, or if Bob halts, Alice outputs ?
    • Otherwise Alice outputs the majority value in the singleton’s row
  [Figure: example card for k=3, n=5 with rows 0 0 1 1 0 and 1 0 0 1 1]

  30. Pollster-Immune p-CRRT: “Intuitive Analysis”
  • Bob gets his wish with probability k/n:
    • With prob. k²/n² he uncovers the majority value in both rows, and with prob. k(n-k)/n² = k/n - k²/n² he uncovers two equal values and chooses the right one
    • As in ¾-CRRT, all he can do to cheat is refuse to return the card
  • Alice can cheat by:
    • Using an invalid row (e.g., all 1s)
      • She will be caught with prob. ½
      • This probability can be increased by using multiple cards: some will be only for verification
    • Using two identical rows
      • Gives only a small advantage when p is near ½
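An added model of the general p = k/n protocol of slides 29 and 30 (my own Python, not the authors' code), treating the two groups of bubbles as rows as the rest of slide 29 does. Exact enumeration over Bob's random bubbles confirms the k/n figure, and running it against a card whose second row is all 1s shows Alice being caught with probability (n+k)/2n when Bob's wish is 0 and (n-k)/2n when it is 1, i.e. ½ averaged over his wish, matching slide 30. Names and the cheating card are mine.

```python
import itertools
from fractions import Fraction

# Added model of slides 29-30; names, structure and CHEATING_CARD are the editor's.

def honest_card(k, n):
    """Alice (honest): row 0 holds k zeros and n-k ones, row 1 holds k ones and n-k zeros.
    A real card shuffles each row; Bob picks bubble positions uniformly at random, so the
    order does not change the probabilities computed below and is kept canonical here."""
    return [[0] * k + [1] * (n - k), [1] * k + [0] * (n - k)]

def row_is_valid(row, k, n):
    """A valid row has n bubbles, k of one value and n-k of the other."""
    return len(row) == n and sorted(row.count(v) for v in (0, 1)) == sorted((k, n - k))

def majority(row):
    return 0 if row.count(0) > row.count(1) else 1

def responder(card, k, n, wish, first, tie_row):
    """Bob: scratch bubble first[i] in row i, then fully scratch the row that did not show
    his choice (tie_row when both rows showed the same value).  Returns the index of the
    fully revealed row, or None if that row is invalid and he halts."""
    v0, v1 = card[0][first[0]], card[1][first[1]]
    row = tie_row if v0 == v1 else (1 if v0 == wish else 0)
    return row if row_is_valid(card[row], k, n) else None

def pollster(card, revealed_row):
    """Alice: '?' if Bob halted; otherwise the majority value of the singleton's row, which
    on an honest card is the opposite of the majority of the row Bob fully revealed."""
    if revealed_row is None:
        return "?"
    return 1 - majority(card[revealed_row])

def exact_outcome(card, k, n, wish):
    """Average over Bob's uniformly random bubbles and tie-break.
    Returns (Pr[output == wish], Pr[Bob halts]) as exact fractions."""
    hits = halts = total = 0
    for first in itertools.product(range(n), repeat=2):
        for tie_row in range(2):
            out = pollster(card, responder(card, k, n, wish, first, tie_row))
            total += 1
            hits += out == wish
            halts += out == "?"
    return Fraction(hits, total), Fraction(halts, total)

# Constructed cheating card for k=2, n=3: Alice's second row is all 1s (slide 30's example)
CHEATING_CARD = [[0, 0, 1], [1, 1, 1]]
```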

  31. Pollster-Immune ¾-CRRT: Ideal Functionality
  • Initial state. On receiving Begin: random coin toss
    • Prob. ¼: output 0 to responder (state: forcing response 0)
    • Prob. ½: output ? to responder (state: responder can choose)
    • Prob. ¼: output 1 to responder (state: forcing response 1)
  • Forcing response 0: on receiving Vote *, output 0 to pollster; on receiving Halt, output ? to pollster
  • Responder can choose: on receiving Vote 0, output 0 to pollster; on receiving Vote 1, output 1 to pollster; on receiving Halt, output ? to pollster
  • Forcing response 1: on receiving Vote *, output 1 to pollster; on receiving Halt, output ? to pollster
