1
Constructing Non-Malleable Commitments
Vipul Goyal Microsoft Research, India
2
Commitment Schemes [Blum84]
[Figure: Committer places s in a combination safe and sends Com(s) to the Receiver, who can only ask "s?"; later the Committer sends the opening of Com(s)]
  • Commitment: like a note placed in a combination safe
  • Two properties: hiding and binding
  • Electronic equivalent of such a safe

3
Contract Bidding
[Figure: bidder sends Com(s) for bid s; the other party can only ask "s?"]
  • Legitimate businessman doesn't want to leak his bid (during the bidding phase), so he needs crypto

4
Constructing a Commitment Scheme
  • Discrete log assumption: given (g, g^a), a is hard to compute
  • DDH assumption: given (g, g^a, g^b), any information about g^ab is hard to compute
  • Observe that given (g, g^a, g^b), g^ab, although hard to compute, is fixed and unique

5
ElGamal Commitment Scheme
  • DDH assumption: given (g, g^a, g^b), any information about g^ab is hard to compute
[Figure: Committer generates a, b at random and sends (g, g^a, g^b, s·g^ab) to the Receiver; to open, the Committer sends (a, b)]
  • After the commitment phase s is hidden: g^ab is required to get s
  • Binding: a, b are unique given the commitment phase, hence s is unique
6
Contract Bidding: is a commitment sufficient?
[Figure: honest bidder sends Com(s); the adversary, without learning s, sends Com(0.99s)]
  • Adversary still cheats and creates a winning bid

7
Hiding doesn't imply Non-malleability
[Figure: Committer sends (g^a, g^b, s·g^ab) and later opens (a, b); the man in the middle forwards (g^a, g^b, 0.99·s·g^ab) to the Receiver and relays the opening (a, b)]
  • Simply multiply the last group element by 99/100
  • Design of non-malleable commitments is not an easy problem
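The ElGamal-style commitment of slide 5 and the 99/100 mauling attack of this slide, carried through in Python as an added example (it is not part of the original talk). Toy parameters are assumed for illustration only: a 10-bit safe prime p = 1019 with generator g = 4 of its order-509 subgroup, and bids encoded directly as integers mod p; a real instantiation needs a cryptographically sized prime-order group with s mapped into the group. The function names are mine.

```python
import secrets

# Toy group (assumed, far too small to be secure): safe prime P = 2*Q + 1 and
# G = 4, which generates the order-Q subgroup of Z_P^* (4 = 2^2 is a quadratic
# residue and 4 != 1, so its order is the prime Q).
P = 1019
Q = 509
G = 4


def commit(s, a=None, b=None):
    """ElGamal-style commitment to an integer s in (0, P): (g^a, g^b, s * g^ab).

    a and b may be fixed for reproducible tests; otherwise they are random.
    Returns (commitment, opening)."""
    assert 0 < s < P
    a = secrets.randbelow(Q - 1) + 1 if a is None else a
    b = secrets.randbelow(Q - 1) + 1 if b is None else b
    ga, gb = pow(G, a, P), pow(G, b, P)
    c = s * pow(G, a * b, P) % P
    return (ga, gb, c), (a, b)


def open_commitment(commitment, opening):
    """Receiver's check: revealed (a, b) must match g^a and g^b, then s = c / g^ab.

    Binding: a and b are determined by g^a and g^b, so g^ab and hence s are
    unique. Raises ValueError on an opening that does not match."""
    ga, gb, c = commitment
    a, b = opening
    if pow(G, a, P) != ga or pow(G, b, P) != gb:
        raise ValueError("opening does not match commitment")
    gab = pow(G, a * b, P)
    return c * pow(gab, -1, P) % P


def maul(commitment, num, den):
    """Man-in-the-middle step from the slide: knowing neither s, a nor b,
    multiply the last element by num/den (mod P); the result now commits to
    s * num/den. The attacker later forwards the honest opening (a, b) unchanged."""
    ga, gb, c = commitment
    factor = num * pow(den, -1, P) % P
    return (ga, gb, c * factor % P)


def bidding_attack(honest_bid):
    """Contract-bidding scenario end to end: returns (honest bid, adversary's bid)
    as the receiver decodes them from the two openings."""
    com, opening = commit(honest_bid)
    # The adversary sees only com, never the opening, and undercuts by 1%.
    com_adv = maul(com, 99, 100)
    # When the honest party opens, the adversary relays the same (a, b).
    honest = open_commitment(com, opening)
    undercut = open_commitment(com_adv, opening)
    return honest, undercut
```

The attack never breaks hiding: the adversary learns s only when everyone does. It breaks the relation between the two committed values, which is exactly what non-malleability has to rule out.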

8
Non-Malleable Commitments
  • Introduced in the seminal work of Dolev, Dwork and Naor [DDN91]
  • Important building block towards the bigger goal of designing secure cryptographic protocols for the internet setting
  • -> Several parties, some corrupt, trying to break the security of an honest party; well-established goal to construct secure protocols
  • -> Non-malleable commitments are useful building blocks

Picture credit: R. Pass
9
Outline of the Talk
  • Plan for the rest of the talk:
  • Problem statement / definition
  • An informal idea of our new technique
  • Some formal details
  • Results / prior works

10
NM Commitment Definition
[Figure: the man in the middle receives a commitment to s on the left and gives a commitment to s' on the right]
  • Problem: Adversary doesn't know s, doesn't know s', just tweaks and copies (and ensures a relation between the two)
  • Definition: Adversary should know what it committed to (in particular s'), else it fails
11
NM Commitment Definition
[Figure: left session commits to s, right session commits to s']
  • Proof of non-malleability by contradiction
  • s' known, s unknown (hiding)
  • Hence, s' can't depend on s (throwing away the left session)
12
Ideas behind our Scheme
[Figure: committer with secret s]
  • Commitment stage to have multiple rounds of interaction
  • Use a normal commitment scheme Com and convert it into a non-malleable one
13
Our Protocol: Intuitive Overview
14
First Idea: every committer commits differently
[Figure: committer with ID = 25 runs one stage labelled 25 and one labelled 75]
  • Different committers have different identities (say 1 to 100); identities are public
  • Two stages:
    • one with label ID
    • one with label 100 - ID
15
Key Idea: every committer commits differently
[Figure: committer with ID = 25 sends Com(s), Com(s), ... (25 times) in the first stage and Com(s), Com(s), ... (75 times) in the second]
  • In each stage, use Com
  • Commit to the same s many times in parallel, the number depending on the label (using fresh randomness each time)
  • To open, open all of them; the receiver verifies
16
Man-in-the-middle Scenario
[Figure: the left committer has ID 25 (stages labelled 25 and 75); the man in the middle commits on the right with ID 37 (stages labelled 37 and 63)]
  • Let's look at the left and right interactions
  • At least one stage where right label > left label
17
Man-in-the-middle Scenario
[Figure: left gives k commitments to s; right must give k' commitments to s']
Problem: Adversary creates several commitments on the right using one on the left
  • Recall: need to prove that the adversary knows s'
  • k' > k: Adversary has to give more commitments than he gets
  • At least one commitment prepared on his own?
18
Prevent Replication: use Interaction
[Figure: Committer sends Com(s1), Com(s2); Receiver sends b in {1,2}; Committer sends the opening of Com(sb); later, to open, the Committer opens the remaining Com]
  • s1 and s2 are secret shares of s: s1 ⊕ s2 = s
  • Scheme still hiding + binding

19
Prevent Replication contd..
[Figure: left session sends Com(s1), Com(s2), challenge 1, opening of Com(s1); the man in the middle copies them to the right, but the right receiver may send challenge 2]
  • Gets only one opening from the left
  • Might need to open both
20
Overall Idea
[Figure: Com(s11), Com(s21); ...; Com(s1ID), Com(s2ID), with challenges ch1, ..., chID and an opening after each; finally a proof that all commitments are to the same s; ID rounds in total]
  • Formal analysis next
21
Our Protocol: Concrete Details
22
Concept of Rewinding
  • A central concept in the formal analysis of crypto protocols
  • To prove that the adversary knows a string s:
  • just run the adversary many times from different points (called rewinding the adversary machine)
  • observe the protocol messages
  • compute the string s and output it

23
Our Protocol
[Figure: for i in [ID]: Committer sends Com(s1i), Com(s2i); Receiver sends ch_i; Committer opens the share s_{ch_i,i}]
  • For all i, s1i ⊕ s2i = s
  • Hence, two shares for any i are sufficient to recover s
  • Identity encoded in the length of the challenge (= ID)
24
Proof of Security
[Figure: left session with identity L-id: Com(ls1i), Com(ls2i), challenge L-ch of L-id length, open chosen shares, secret ls; right session with identity R-id: Com(rs1i), Com(rs2i), challenge R-ch of R-id length, open chosen shares, secret rs]
  • To prove security:
  • Need to rewind the adversary and recover the secret rs
  • Can't rewind the honest party on the left
  • Idea: run the protocol once, then
  • rewind the adversary, give a different challenge R-ch'
  • see the response and recover rs
  • Problem: Can't rewind the left honest party, so can't give the chosen shares to the adversary

25
Proof of Security
[Figure: same left and right sessions as above; Receiver on the right, Committer on the left]
  • Assume identities from a small domain (logarithmic)
  • Assume R-id > L-id
  • At least two right challenges mapping to the same left challenge (pigeonhole)
  • Gives the possibility to get two responses on the right while giving only one on the left

26
Proof of Security
[Figure: same left and right sessions as above]
  • Experiment to find a collision: (R-ch, R-ch') -> L-ch
  • Replay the same reply in the left execution
  • The reply in the right execution enables recovery of rs

Extraction successful !!
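The ID-round protocol of slide 23 and the rewinding extractor of slides 24-26, as an added Python example; it is not code from the talk or the paper. Assumptions: the base scheme Com is instantiated as a SHA-256 hash commitment, challenge bits are 0/1 rather than {1,2}, identities are the constructed values L-id = 3 and R-id = 5, and the man in the middle is modelled as an adversary that really does know its right secret, picks its left challenge as a hash of the right challenge it just received, and answers on the right only after a valid left opening (the "adversary always gives correct answers" assumption of slide 27). The extractor queries the honest left committer exactly once and never rewinds it; all class and function names are mine.

```python
import hashlib
import secrets
from itertools import product


def com(share: bytes, nonce: bytes) -> bytes:
    """Assumed instantiation of Com: SHA-256 hash commitment, opening = (share, nonce)."""
    return hashlib.sha256(nonce + share).digest()


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


class Committer:
    """Commit phase of slide 23 for identity `ident`: one round per i in [ID],
    committing to XOR shares s1i, s2i with s1i ^ s2i = s. The challenge has
    one bit per round (length = identity) and selects the share to open."""

    def __init__(self, ident: int, secret: bytes):
        self.ident = ident
        self.rounds = []
        for _ in range(ident):
            s1 = secrets.token_bytes(len(secret))
            s2 = xor(s1, secret)
            self.rounds.append(((s1, secrets.token_bytes(16)),
                                (s2, secrets.token_bytes(16))))

    def commitments(self):
        return [(com(*sh1), com(*sh2)) for sh1, sh2 in self.rounds]

    def respond(self, challenge):
        """Open, in every round, the share the challenge bit asks for."""
        assert len(challenge) == self.ident
        return [self.rounds[i][bit] for i, bit in enumerate(challenge)]


def verify_response(commitments, challenge, response):
    return all(com(share, nonce) == pair[bit]
               for pair, bit, (share, nonce) in zip(commitments, challenge, response))


class ManInTheMiddle:
    """Assumed adversary for slides 24-26: left session with an honest committer
    of identity l_id, right session where it commits under r_id > l_id. It really
    knows its right secret, derives its left challenge from the right challenge it
    just received, and answers on the right only after the left opening verifies."""

    def __init__(self, l_id: int, r_id: int, right_secret: bytes):
        self.l_id = l_id
        self.inner = Committer(r_id, right_secret)

    def right_commitments(self, left_coms):
        self.left_coms = left_coms        # sees the left commitments first
        return self.inner.commitments()

    def left_challenge(self, r_ch):
        """Sent to the left before any left reply is needed."""
        h = hashlib.sha256(bytes(r_ch)).digest()
        return tuple((h[i // 8] >> (i % 8)) & 1 for i in range(self.l_id))

    def right_response(self, r_ch, left_reply):
        if not verify_response(self.left_coms, self.left_challenge(r_ch), left_reply):
            raise ValueError("adversary aborts: left opening invalid")
        return self.inner.respond(r_ch)


def extract(adv: ManInTheMiddle, left: Committer, r_id: int) -> bytes:
    """Rewinding extractor; the honest left party answers one challenge only.
    Pigeonhole: 2^r_id right challenges map onto 2^l_id left ones, so a pair
    R-ch, R-ch' shares one L-ch: replay the single left reply for both."""
    right_coms = adv.right_commitments(left.commitments())
    seen = {}   # collision search: runs the adversary only up to its left challenge
    for r_ch in product((0, 1), repeat=r_id):
        l_ch = adv.left_challenge(r_ch)
        if l_ch in seen:
            r_ch1, r_ch2 = seen[l_ch], r_ch
            break
        seen[l_ch] = r_ch
    else:
        raise RuntimeError("no collision; guaranteed only when r_id > l_id")

    left_reply = left.respond(l_ch)                 # the only left query
    resp1 = adv.right_response(r_ch1, left_reply)   # main execution
    resp2 = adv.right_response(r_ch2, left_reply)   # rewind, same left reply
    if not (verify_response(right_coms, r_ch1, resp1)
            and verify_response(right_coms, r_ch2, resp2)):
        raise RuntimeError("adversary gave an invalid right opening")

    i = next(k for k in range(r_id) if r_ch1[k] != r_ch2[k])   # round with both shares
    return xor(resp1[i][0], resp2[i][0])


def demo(l_id: int = 3, r_id: int = 5):
    # Constructed scenario: returns (adversary's real right secret, extracted value).
    rs = secrets.token_bytes(8)
    left = Committer(l_id, secrets.token_bytes(8))
    return rs, extract(ManInTheMiddle(l_id, r_id, rs), left, r_id)
```

The collision search only ever runs the adversary up to the point where it emits its left challenge, which is why it costs nothing on the left; with L-id = 3 at most nine right challenges are needed. Where the adversary merely copied a left commitment pair into the right session it could not answer both R-ch and R-ch' at a differing round, which is the extraction argument of slide 17 in runnable form.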
27
Final Construction
  • This construction:
    • only works for identities coming from a logarithmic domain (need to find a collision)
    • assumes that the adversary always gives correct answers
    • the ideas presented here don't directly extend to the general case
  • Final construction:
    • gives constant-round non-malleable commitments for general adversaries
    • relies on a fair bit of probability/combinatorial analysis

28
Prior Work
  • Long line of prior works on non-malleable commitments: [Dolev-Dwork-Naor91], [Barak02], [Pass-Rosen05], ..., [Wee10]
  • All previous constructions were either
    • very inefficient (used heavy PCP machinery), or
    • based on non-standard assumptions
  • This work avoids PCP machinery and uses only OWF

29
Other Contributions in this Work
  • Techniques in this work allow us to solve several other connected open problems
  • Constant-round oblivious transfer -> constant-round secure multi-party computation
  • Black-box constant-round non-malleable zero-knowledge
  • Follow-up works using / improving our construction in various directions: [Jain-Pandey12], [Goyal-Lee-Ostrovsky-Visconti12], [Garg-Goyal-Jain-Sahai12]

30
Thank You!