Rafael Pass Cornell University Constant-round Non-malleability From Any One-way Function Joint work with Huijia (Rachel) Lin.

Dec 22, 2015

Transcript
Page 1: Rafael Pass Cornell University Constant-round Non-malleability From Any One-way Function Joint work with Huijia (Rachel) Lin.

Rafael Pass, Cornell University

Constant-round Non-malleability From Any One-way Function

Joint work with Huijia (Rachel) Lin

Page 2

Commitment Scheme: the "digital analogue" of sealed envelopes.

[figure: Sender and Receiver; in the Commitment phase the Sender seals a value v, in the Reveal phase the Sender opens it and the Receiver learns v]

One of the most basic cryptographic tasks.

Part of essentially all more involved secure computations.

Can be constructed from any one-way function. [N'89, HILL'99]

Page 3

"Right" abstraction if:

[figure: Alice and Bob, the two honest parties]

Page 4

But life is:

[figure]

Page 5

[figure: the Sender sends C(v) to the MIM, who acts as Receiver on the left and as Sender on the right, and sends C(v') to the Receiver]

Possible that v' = v+1, even though the MIM does not know v!
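Worked example, added here and not part of the slides: Naor's bit commitment [N'89] built from a pseudorandom generator (the commitment-from-any-OWF route of page 2, since HILL'99 gives the PRG from any OWF), followed by the mauling that page 5 warns about, where a man-in-the-middle turns a commitment to v into a commitment to v+1 (mod 2) without ever learning v. Assumptions of this demo: a SHA-256 counter-mode expander stands in for the PRG, the security parameter is a toy 16 bytes, the MIM forwards the right receiver's challenge to the left sender, and all function names are mine.

```python
import hashlib
import secrets

# Toy security parameter in bytes (constructed value for the demo).
# Naor's scheme uses an n-bit seed and a 3n-bit receiver challenge.
N = 16


def prg(seed: bytes, out_len: int) -> bytes:
    """Stand-in PRG: SHA-256 in counter mode.

    Naor's scheme needs only a pseudorandom generator (HILL'99 builds one
    from any one-way function); this hash-based expander is an assumption
    made so the protocol runs offline, not a proof-grade construction.
    """
    out = b""
    ctr = 0
    while len(out) < out_len:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:out_len]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Naor's bit commitment [N'89] --------------------------------------------
def receiver_challenge() -> bytes:
    """Receiver's first message: a uniformly random 3n-bit string r."""
    return secrets.token_bytes(3 * N)


def commit(bit: int, r: bytes, seed: bytes) -> bytes:
    """Sender's commitment to `bit` using an n-bit seed:
    c = G(seed) if bit == 0, c = G(seed) XOR r if bit == 1."""
    y = prg(seed, 3 * N)
    return y if bit == 0 else xor(y, r)


def reveal_ok(c: bytes, r: bytes, seed: bytes, bit: int) -> bool:
    """Receiver recomputes the commitment from the opened (seed, bit)."""
    return commit(bit, r, seed) == c


# --- Honest run --------------------------------------------------------------
def honest_run(bit: int) -> tuple:
    """Returns (opening to `bit` accepted, opening to the other bit accepted)."""
    r = receiver_challenge()
    seed = secrets.token_bytes(N)
    c = commit(bit, r, seed)
    return reveal_ok(c, r, seed, bit), reveal_ok(c, r, seed, 1 - bit)


# --- Malleability: the MIM of page 5 -----------------------------------------
def mim_run(bit: int) -> tuple:
    """The MIM plays receiver on the left and sender on the right.

    It forwards the right receiver's r to the left sender, XORs r into the
    left commitment, and later opens with the left sender's seed to 1 - bit.
    It never learns `bit`, yet commits to v' = v + 1 (mod 2).
    Returns (right receiver accepted the opening, bit the MIM opened to).
    """
    r = receiver_challenge()          # chosen by the honest right receiver
    seed = secrets.token_bytes(N)     # left sender's secret seed
    c_left = commit(bit, r, seed)     # left sender commits to `bit` under r
    c_right = xor(c_left, r)          # MIM's mauled commitment on the right
    # Reveal phase: the left sender opens (seed, bit); the MIM reuses seed.
    opened_bit = 1 - bit
    accepted = reveal_ok(c_right, r, seed, opened_bit)
    return accepted, opened_bit


if __name__ == "__main__":
    print("honest:", honest_run(1))
    print("mim:", mim_run(1))
```

Binding of the honest scheme rests on r being random: a cheating sender would need two seeds with G(s0) XOR G(s1) = r, and only 2^(2n) of the 2^(3n) possible r admit such a pair. Hiding rests on G(seed) being pseudorandom. Neither property stops the MIM: the receiver's r is public and the commitment is XOR-linear in the bit, which is exactly the kind of relation a non-malleable commitment has to rule out.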

Page 6

Non-Malleable Commitments [Dolev Dwork Naor'91]

[figure: left execution, Sender sends C(v) to the MIM (Receiver/Sender) under identity i; right execution, the MIM sends C(v') to the Receiver under identity j]

Non-malleability: either the MIM forwards (v = v'), or v' is "independent" of v.

Page 7

Non-Malleable Commitments [Dolev Dwork Naor'91]

[figure: the Sender commits C(i,v) to the MIM (Receiver/Sender) under identity i; the MIM commits C(j,v') to the Receiver under identity j]

Non-malleability: if i ≠ j, then v' is "independent" of v.

Page 8

Non-Malleable Commitments [Dolev Dwork Naor'91]

Man-in-the-middle execution: [figure: the Sender commits to v under identity i; the MIM commits to v' under identity j]

Simulation: [figure: the simulator commits to v'' under identity j]

Non-malleability: for every MIM there exists a "simulator" such that the value committed by the MIM is indistinguishable from the value committed by the simulator.

Page 9

Non-Malleable Commitments [Dolev Dwork Naor'91]

[figure: MIM execution with values v, v' and identities i, j]

• Important in practice
• "Test-bed" for other tasks
• Applications to MPC

Page 10

Non-malleable Commitments

• Original work by [DDN'91]
  – OWF
  – black-box techniques
  – But: O(log n) rounds

• Main question: how many rounds do we need?

With set-up, solved: 1 round from OWF [Di Crescenzo-Ishai-Ostrovsky'99, DKO, CF, FF, …, DG]

Without set-up:
• [Barak'02]: O(1) rounds using Subexp CRH + dense crypto
• [P'04, P-Rosen'05]: O(1) rounds using CRH
• [Lin-P'09]: O(1)^(log* n) rounds using OWF
• [P-Wee'10]: O(1) rounds using Subexp OWF
• [Wee'10]: O(log* n) rounds using OWF

[slide annotation: Non-BB]

Page 11

Non-malleable Commitments

• Original work by [DDN'91]
  – OWF
  – black-box techniques
  – But: O(log n) rounds

• Main question: how many rounds do we need?

With set-up, solved: 1 round from OWF [Di Crescenzo-Ishai-Ostrovsky'99, DKO, CF, FF, …, DG]

Without set-up:
• O(1)-round from CRH or Subexp OWF
• O(log* n) from OWF

Page 12

Main Theorem

Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.

• Note: since commitment schemes imply OWF, we have, unconditionally, that any commitment scheme can be turned into one that is O(1)-round and non-malleable.

• Note: as we shall see, this also weakens the assumptions for O(1)-round secure multi-party computation.

Page 13

DDN Protocol Idea

[figure: message schedules for the two executions, with identities i = 01…1 and j = 00..1, one drawn in Blue and one in Red, and the commitments C(i,v) and C(j,v')]

Blue does not help Red and vice versa.

Page 14

The Idea: what if we could run the message scheduling "in the head"?

Let us focus on non-aborting and synchronizing adversaries (they never send invalid messages in the left execution).

Page 15

Com(id,v), with id = 00101:

c = C(v)

WI-POK: "I know v s.t. c = C(v)" or "I have 'seen' the sequence"

Page 16

Signature Chains

Consider 2 "fixed-length" signature schemes Sig0, Sig1 (i.e., signatures are always of length n) with keys vk0, vk1.

Def: (s, id) is a signature-chain if for all i, s_{i+1} is a signature of "(i, s_i)" using scheme Sig_{id_{i+1}}.

Example:
  s0 = r
  s1 = Sig0(0, s0)   id1 = 0
  s2 = Sig0(1, s1)   id2 = 0
  s3 = Sig1(2, s2)   id3 = 1
  s4 = Sig0(3, s3)   id4 = 0

Page 17

Signature Games

You are given vk0, vk1 and you have access to signing oracles Sig0, Sig1.

Consider the access pattern to the oracles: its i'th entry is b if in the i'th interaction you access oracle b.

Claim: if you output a signature-chain (s, id), then, w.h.p., id is a substring of the access pattern.

Page 18

Com(id,v), with id = 00101:

[protocol figure: key and signature messages vk0, r0, Sign0(r0) and vk1, r1, Sign1(r1); then c = C(v)]

WI-POK: "I know v s.t. c = C(v)" or "I have 'seen' the sequence"

Page 19

Com(id,v), with id = 00101:

[protocol figure: key and signature messages vk0, r0, Sign0(r0) and vk1, r1, Sign1(r1); then c = C(v)]

WI-POK: "I know v s.t. c = C(v)" or "I know a sig-chain (s, id) w.r.t. id"

Page 20

Non-malleability through dance

[figure: the two executions side by side. Left execution, w.r.t. i = 0110..: vk0, r0, Sign0(r0); vk1, r1, Sign1(r1); c = C(v); WI-POK. Right execution, w.r.t. j = 00..1: vk0, r0, Sign0(r0); vk1, r1, Sign1(r1); c = C(v); WI-POK.]

* In the actual protocol one needs "many" sequential WI-POKs, à la [LP'09].

Page 21

Dealing with Aborting Adversaries

Problem 1:
  – The MIM will notice that I ask him to sign a signature chain.
  – Solution: Don't. Ask him to sign commitments of signatures… (need to add a POK of the commitment to prove the signature game lemma)

Problem 2:
  – I might have to "rewind" many times on the left to get a single signature.
  – So if I have id = 01011, the access pattern on the right is 0*1*0*1*...
  – Solution: use 3 keys (0, 1, 2); require a chain w.r.t. 2 id1 2 id2 2 id3 …
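Added example, not from the slides or from the Lin-Pass paper, covering the signature-chain definition of page 16, the signature game of page 17 and the three-key fix of page 21 in one runnable piece. Assumptions: HMAC-SHA256 tags stand in for the fixed-length signature schemes (so verification here needs the key, unlike a public-key signature; the chain logic only needs fixed-length, unforgeable signatures), the signed message is a canonical encoding of the pair (i, s_i), the oracle wrapper records which key each query went to, and every class and function name is mine. The code verifies page 16's example chain, shows that a replaced link or a wrong id sequence is rejected, checks page 17's claim for the honest chain builder (the ids appear as a substring of the access pattern), and builds the 2 id1 2 id2 … id sequence of page 21.

```python
import hashlib
import hmac
import secrets
from typing import List

SIG_LEN = 32  # every scheme produces signatures of this fixed length (slide 16)


class FixedLengthSigner:
    """Stand-in for a fixed-length signature scheme Sig_b with key vk_b.

    Demo assumption: HMAC-SHA256 tags play the role of signatures, so
    verification needs the key. Unforgeability without the key is all the
    chain argument relies on.
    """

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def sign(self, msg: bytes) -> bytes:
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def verify(self, msg: bytes, sig: bytes) -> bool:
        return len(sig) == SIG_LEN and hmac.compare_digest(self.sign(msg), sig)


def encode(i: int, s_prev: bytes) -> bytes:
    """Canonical encoding of the pair '(i, s_i)' that gets signed."""
    return i.to_bytes(4, "big") + s_prev


class SigningOracles:
    """Signature game of slide 17: oracle access to Sig_0, Sig_1, ... that
    records the access pattern (which oracle each query went to)."""

    def __init__(self, signers: List[FixedLengthSigner]) -> None:
        self.signers = signers
        self.access_pattern: List[int] = []

    def query(self, b: int, msg: bytes) -> bytes:
        self.access_pattern.append(b)
        return self.signers[b].sign(msg)


def is_signature_chain(s: List[bytes], ids: List[int],
                       signers: List[FixedLengthSigner]) -> bool:
    """Def (slide 16): (s, id) is a signature chain if for all i,
    s_{i+1} is a signature of (i, s_i) under scheme Sig_{id_{i+1}}."""
    if len(s) != len(ids) + 1:
        return False
    return all(signers[ids[i]].verify(encode(i, s[i]), s[i + 1])
               for i in range(len(ids)))


def build_chain(oracles: SigningOracles, ids: List[int], r: bytes) -> List[bytes]:
    """Honest chain construction: s_0 = r, then query oracle id_{i+1} on (i, s_i).
    Each link depends on the previous signature, so the queries are forced
    to follow `ids` in order; that is what the slide 17 claim captures."""
    s = [r]
    for i, b in enumerate(ids):
        s.append(oracles.query(b, encode(i, s[i])))
    return s


def is_substring(short: List[int], long: List[int]) -> bool:
    """Slide 17 claim: the chain's ids occur contiguously in the access pattern."""
    n = len(short)
    return any(long[i:i + n] == short for i in range(len(long) - n + 1))


def interleave_with_separator(ids: List[int], sep: int = 2) -> List[int]:
    """Slide 21's fix: with three keys (0, 1, 2), require the chain w.r.t.
    2 id_1 2 id_2 2 id_3 ..., so a run of repeated queries to one key
    (the 0*1*0*1* pattern caused by rewinding) cannot stand in for a
    longer id."""
    out: List[int] = []
    for b in ids:
        out += [sep, b]
    return out


def demo() -> dict:
    signers = [FixedLengthSigner() for _ in range(3)]     # keys 0, 1, 2
    oracles = SigningOracles(signers)
    ids = [0, 0, 1, 0]                                     # slide 16's example
    s = build_chain(oracles, ids, secrets.token_bytes(SIG_LEN))
    tampered = s[:-1] + [bytes(SIG_LEN)]                   # last link replaced
    return {
        "chain_ok": is_signature_chain(s, ids, signers),
        "tampered_ok": is_signature_chain(tampered, ids, signers),
        "wrong_ids_ok": is_signature_chain(s, [0, 1, 1, 0], signers),
        "ids_in_access_pattern": is_substring(ids, oracles.access_pattern),
        "access_pattern": oracles.access_pattern,
        "three_key_ids": interleave_with_separator([0, 1, 0, 1, 1]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point to take from the run is structural: a link s_{i+1} can only be produced by whoever holds the key for id_{i+1}, and only after s_i exists, so a party that obtains its signatures through oracle queries leaves its identity in the order of those queries. The reduction in the talk exploits exactly this by choosing the rewinding (and hence the query) pattern.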

Page 22

Main Theorem

Main Technique: exploit the rewinding pattern (instead of just the location).

Thm: Assume one-way functions. Then there exists an O(1)-round non-malleable commitment with a black-box proof of security.

Some applications

Page 23

Secure Multi-party Computation [Yao, GMW]

A set of parties with private inputs.

They wish to jointly compute a function of their inputs while preserving the privacy of the inputs (as much as possible).

Security must be preserved even if some of the parties are malicious.

Page 24

Secure Multi-party Computation [Yao, GMW]

Original work of [Goldreich-Micali-Wigderson'87]
  – TDP, n rounds

More recent: "stronger assumption, fewer rounds"
  – [Katz-Ostrovsky-Smith'03]
    • TDP, dense cryptosystems, log n rounds
    • TDP, CRH + dense crypto with SubExp security, O(1) rounds, non-BB
  – [P'04]
    • TDP, CRH, O(1) rounds, non-BB

Page 25

NMC vs. MPC

Thm [Lin-P-Venkitasubramaniam'09]: TDP + k-round "robust" NMC implies O(k)-round MPC.

Holds both for stand-alone MPC and UC-MPC (in a number of set-up models).

Corollary: TDP implies O(1)-round MPC.

Page 26

NM ZK

Thm [Lin-P-Tseng-Venkitasubramaniam'10]: k-round "robust" NMC implies O(k)-round NMZK.

Corollary: OWF implies O(1)-round NMZK.

Can also get concurrent NMZK by adding ω(log n) rounds.

Page 27

What's Next – Adaptive Hardness

Consider the Factoring problem:
• Given the product N of 2 random n-bit primes p, q, can you provide the factorization?

Adaptive Factoring Problem:
• Given the product N of 2 random n-bit primes p, q, can you provide the factorization, if you have access to an oracle that factors all other N' that are products of equal-length primes?

Are these problems equivalent?

Unknown!

Page 28

What's Next – Adaptive Hardness

Adaptively-hard Commitments [Canetti-Lin-P'10]
• A commitment scheme that remains hiding even if the adversary has access to a decommitment oracle.

Implies non-malleability (and more!)

Thm [CLP'10]: the existence of commitments implies O(n^)-round adaptively-hard commitments.

Page 29

Thank You