concurrently secure protocols
play

Concurrently Secure Protocols Huijia (Rachel) Lin Rafael Pass MIT - PowerPoint PPT Presentation

Jun 13, 2023 •125 likes •1.11k views

Black-Box Constructions of Concurrently Secure Protocols Huijia (Rachel) Lin Rafael Pass MIT & BU Cornell Secure MPC Secure MPC Goal: Allow a set of distrustful parties to compute ANY function f on their own Secure MPC Goal: Allow a set

  1. Black-Box Constructions of Concurrently Secure Protocols Huijia (Rachel) Lin Rafael Pass MIT & BU Cornell

  2. Secure MPC

  3. Secure MPC Goal: Allow a set of distrustful parties to compute ANY function f on their own

  4. Secure MPC Goal: Allow a set of distrustful parties to compute ANY function f on their own

  5. Secure MPC Goal: Allow a set of distrustful parties to compute ANY function f on their own Correctness What to get---the outputs Privacy What to hide---the private inputs

  6. Secure MPC Goal: Allow a set of distrustful parties to compute ANY function f on their own Correctness What to get---the outputs Privacy What to hide---the private inputs Even when no honest majority

  7. Simulation Paradigm REAL IDEAL

  8. Simulation Paradigm REAL IDEAL  “as correct & private as”

  9. Simulation Paradigm REAL IDEAL  “as correct & private as”

  10. Simulation Paradigm REAL IDEAL   A R “as correct & private as”

  11. Simulation Paradigm REAL IDEAL   A I  A R “as correct & private as”

  12. Simulation Paradigm REAL IDEAL Simulator   A I  A R “as correct & private as”

  13. Simulation Paradigm REAL IDEAL Simulator   A I  A R x 1 y 1 x 2 y 2 x 1 y 1 x 2 y 2 “as correct & private as” Correctness: The output of every player in ideal is the same as in real

  14. Simulation Paradigm REAL IDEAL Simulator   A I  A R x 1 y 1 x 2 y 2 x 1 y 1 x 2 y 2 “as correct & private as” Correctness: The output of every player in ideal is the same as in real Privacy: The simulator can learn whatever the adv learns

  15. Simulation Paradigm REAL IDEAL Simulator   A I  A R x 1 y 1 x 2 y 2 x 1 y 1 x 2 y 2 “as correct & private as” Correctness: The output of every player in ideal is the same as in real Privacy: The simulator can learn whatever the adv learns

  16. Simulation Paradigm REAL IDEAL Simulator   A I  A R x 1 y 1 x 2 y 2 x 1 y 1 x 2 y 2 “as correct & private as” Correctness: The output of every player in ideal is the same as in real Privacy: The simulator can learn whatever the adv learns In this talk, we focus on static malicious corruption

  17. The Concurrent Model

  18. The Concurrent Model MANY sets of players executing MANY different protocols all at once [DDN, DNS, GK, Fe, KPR, RK, CKPR, KP, PRS, C...and many others]

  19. The Concurrent Model MANY sets of players executing MANY different protocols all at once [DDN, DNS, GK, Fe, KPR, RK, CKPR, KP, PRS, C...and many others]

  20. Concurrent Security (informally) REAL IDEAL  Many executions of Many executions with different protocols INDEPENDENT trusted parties

  21. Concurrent Security (informally) REAL IDEAL  Universal Composibility (UC) [Can00] Many executions of Many executions with different protocols INDEPENDENT trusted parties

  22. Concurrent Security (informally) REAL IDEAL  Universal Composibility (UC) [Can00] Impossible [CF01, CKF03] Many executions of Many executions with different protocols INDEPENDENT trusted parties

  23. Super Polynomial Time Simulation ( SPS ) REAL IDEAL 

  24. Super Polynomial Time Simulation ( SPS ) REAL IDEAL  — SPS [Pas03, BS05, LPV09, GGJS12]

  25. Super Polynomial Time Simulation ( SPS ) REAL IDEAL  — SPS [Pas03, BS05, LPV09, GGJS12]

  26. Super Polynomial Time Simulation ( SPS ) REAL IDEAL  — SPS [Pas03, BS05, LPV09, GGJS12] — Angel-based Security Model [PS04, MMY06] — UC with super-poly helpers [CLP10]

  27. Super Polynomial Time Simulation ( SPS ) REAL IDEAL Feasibility Results Only  — SPS [Pas03, BS05, LPV09, GGJS12] — Angel-based Security Model [PS04, MMY06] — UC with super-poly helpers [CLP10]

  28. Super Polynomial time (SPS) Security Feasibility Results Only Due to the Non-Black-Box constructions ( Lots of Karp reductions)

  29. Super Polynomial time (SPS) Security Feasibility Results Only Naturally, Solution: Black-box Constructions ( No Karp reductions)

  30. Super Polynomial time (SPS) Security Feasibility Results Only Naturally, Solution: Black-box Constructions ( No Karp reductions) Efficient Protocols

  31. BB MPC Protocols

  32. BB MPC Protocols In the stand alone setting---Solved! O(1) round BB MPC, f/ minimal assumption semi-honest OT [Kil88,IPS08,IKLP06,Hai08,Wee10,Goy11]

  33. BB MPC Protocols In the stand alone setting---Solved! O(1) round BB MPC, f/ minimal assumption semi-honest OT [Kil88,IPS08,IKLP06,Hai08,Wee10,Goy11] In the concurrent setting Only unconditionally secure UC protocols f/ strong set-ups e.g. Ideal OT [Kil88,IPS08], hardware tokens [GISVW10]

  34. BB MPC Protocols In the stand alone setting---Solved! O(1) round BB MPC, f/ minimal assumption semi-honest OT [Kil88,IPS08,IKLP06,Hai08,Wee10,Goy11] In the concurrent setting Only unconditionally secure UC protocols f/ strong set-ups e.g. Ideal OT [Kil88,IPS08], hardware tokens [GISVW10] Can we have BB concurrently secure protocols in the plain model?

  35. Yes! Our Result (informal) : BB construction of concurrently secure MPC protocols • In the plain model • Based on minimal assumption Semi-Honest OT • Security in the UC with super-poly helper model • Implies super-polynomial time simulation security • Closed under universal composition

  36. Yes! Our Result (informal) : BB construction of concurrently secure MPC protocols • In the plain model • Based on minimal assumption Semi-Honest OT • Security in the UC with super-poly helper model • Implies super-polynomial time simulation security • Closed under universal composition How?

  38. Any Functionality [Kil88,IPS08,GMW87,BGW88]: Unconditional UC-security Ideal Oblivious Transfer Box F OT

  39. Any Functionality [Kil88,IPS08,GMW87,BGW88]: Unconditional UC-security Ideal Oblivious Transfer Box F OT BB Stand-alone Semi-honest OT SH-OT

  40. Any Functionality [Kil88,IPS08,GMW87,BGW88]: Unconditional UC-security Ideal Oblivious Transfer Box F OT [IKLP06,Hai08,Wee10,Goy11] BB Stand-Alone Security Stand-alone Semi-honest OT SH-OT

  41. Any Functionality [Kil88,IPS08,GMW87,BGW88]: Unconditional UC-security Ideal Oblivious Transfer Box F OT This work [IKLP06,Hai08,Wee10,Goy11] BB Stand-Alone Security UC with Super-Poly Helper Stand-alone Semi-honest OT SH-OT

  42. Any Functionality [Kil88,IPS08,GMW87,BGW88]: Unconditional UC-security Ideal Oblivious Transfer Box F OT This work [IKLP06,Hai08,Wee10,Goy11] BB Stand-Alone Security UC with Super-Poly Helper Stand-alone Semi-honest OT SH-OT The main tool: BB CCA-Secure Commitments [CLP10]

  43. CCA-Secure Commitments

  44. CCA-Secure Commitments The commitment analogue of CCA2 encryption.

  45. CCA-Secure Commitments The commitment analogue of CCA2 encryption. C(y 3 ) A O C( x ) C(y 1 ) C(y 2 )

  46. CCA-Secure Commitments The commitment analogue of CCA2 encryption. C(y 3 ) y 3 A O C( x ) C(y 1 ) y 1 C(y 2 ) y 2 O is a committed-value oracle If valid com, y = the committed value Else if invalid com, y = bot

  47. CCA-Secure Commitments The commitment analogue of CCA2 encryption. C(y 3 ) y 3 A O C( x ) C(y 1 ) y 1 C(y 2 ) y 2 O is a committed-value oracle If valid com, y = the committed value Else if invalid com, y = bot Note: Original definition in [CLP10] considers a decommitment oracle. (with black-box construction, we can only achieve the weaker notion.)

  48. CCA-Secure Commitments The commitment analogue of CCA2 encryption. C(y 3 ) y 3 A O C( x ) C(y 1 ) y 1 C(y 2 ) y 2 Chosen-Commitment-Attack (CCA) security: Either A forwards the left commitment to the right LHS is hiding --- view of A indistinguishable Or

  49. Concurrent Non-Malleable Commitments C(y 3 ) A C( x ) C(y 1 ) C(y 2 )

  50. Concurrent Non-Malleable Commitments C(y 3 ) A C( x ) C(y 1 ) C(y 2 ) Non-Malleability Either A copies the left commitment to the right Or x and (y 1 , y 2 , y 3 ) independent --- view of A + (y 1 , y 2 , y 3 ) indistinguishable

  51. Concurrent Non-Malleable Commitments C(y 3 ) A C( x ) C(y 1 ) C(y 2 ) O y 1 y 3 y 2 Non-Malleability Either A copies the left commitment to the right Or x and (y 1 , y 2 , y 3 ) independent --- view of A + (y 1 , y 2 , y 3 ) indistinguishable

  52. Concurrent Non-Malleable Commitments C(y 3 ) A C( x ) C(y 1 ) C(y 2 ) O y 1 y 3 y 2 Non-Malleability Either A copies the left commitment to the right Or x and (y 1 , y 2 , y 3 ) independent --- view of A + (y 1 , y 2 , y 3 ) indistinguishable CCA security  Non-Malleability

  53. Theorem 1: OWF  BB construction of CCA commitments

  54. Theorem 1: OWF  BB construction of CCA commitments Theorem 2: CCA commitments + SH-OT  BB implementation of F OT

  55. Theorem 1: OWF  BB construction of CCA commitments Proof: [CLP10]---Non-BB CCA commitments + [PW08]---BB trapdoor commitments + [CDMW08,09]---Cut & choose for consistency Theorem 2: CCA commitments + SH-OT  BB implementation of F OT

  56. Theorem 1: OWF  BB construction of CCA commitments Proof: [CLP10]---Non-BB CCA commitments + [PW08]---BB trapdoor commitments + [CDMW08,09]---Cut & choose for consistency Theorem 2: CCA commitments + SH-OT  BB implementation of F OT

  57. Theorem 2: CCA commitments + SH-OT  BB implementation of F OT

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research & Boston University y Michael Schapira

701 views • 54 slides
Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols

Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols

Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against passive adversaries MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against

2.07k views • 85 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons

Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons

Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons SSH Secure shell (remote login) IPSec IP Security suite, originally for use with IPv6 SSL/TLS Secure Sockets Layer / Transport Layer

322 views • 18 slides
TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication Confidentiality by applying block & stream ciphers - Integrity with MACs - Authenticity with certificates - Predecessor: SSL (secure

557 views • 13 slides
Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure Routing? Current routing protocols assume trusted environment! Even misconfigurations severely disrupt Internet routing Secure routing

245 views • 22 slides
Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty

Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty

Yehuda Lindell (BIU) Amos Beimel (BGU BGU) Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty protocols wi without out an honest majority Positive result: 1/p-secure protocols for cons

487 views • 27 slides
OperationCheckpoint: SDN Application Control Workshop on Secure Network Protocols (NPSec14) 19

OperationCheckpoint: SDN Application Control Workshop on Secure Network Protocols (NPSec14) 19

OperationCheckpoint: SDN Application Control Workshop on Secure Network Protocols (NPSec14) 19 October 2014 Sandra Scott-Hayward, Christopher Kane and Sakir Sezer s.scott-hayward@qub.ac.uk Centre for Secure Information Technologies (CSIT)

359 views • 20 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
GASP: a Generic Approach to Secure network Protocols Olivier Levillain May 13th 2020 O.

GASP: a Generic Approach to Secure network Protocols Olivier Levillain May 13th 2020 O.

GASP: a Generic Approach to Secure network Protocols Olivier Levillain May 13th 2020 O. Levillain GASP 1/39 Agenda Introduction The Need for Robust Parsers A Platform for Binary Parser Generators Animating Protocols Fuzzing

977 views • 74 slides
Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine

Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine

Cryptographic Protocols 1. Interactive Proofs and Zero-Knowledge Protocols 2. Secure Multi-Party Computation Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine Agreement Secure Multi-Party

170 views • 3 slides
FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge

FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge

FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge Proofs Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 5: Secure

729 views • 26 slides
TARDIS Implementing Secure Protocols on Embedded Devices without Clocks Amir Rahmati ,

TARDIS Implementing Secure Protocols on Embedded Devices without Clocks Amir Rahmati ,

TARDIS Implementing Secure Protocols on Embedded Devices without Clocks Amir Rahmati , Mastooreh Salajegheh, Dan Holcomb 1 , Jacob Sorber 2 , Wayne Burleson, Kevin Fu 1 UC Berkeley 2 Dartmouth Collage The Problem Slow Brute Force attacks on

173 views • 6 slides
Secure protocols on BIP-taproot 2019-06-08 Jonas Nick jonasd.nick@gmail.com

Secure protocols on BIP-taproot 2019-06-08 Jonas Nick jonasd.nick@gmail.com

Secure protocols on BIP-taproot 2019-06-08 Jonas Nick jonasd.nick@gmail.com https://nickler.ninja @n1ckler GPG: 36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366 Disclaimer Its not at all certain that a BIP-taproot softfork activates in

375 views • 25 slides
Preprocessing Based Verification of Multiparty Protocols with an Honest Majority 20.07.17 Alisa

Preprocessing Based Verification of Multiparty Protocols with an Honest Majority 20.07.17 Alisa

Preprocessing Based Verification of Multiparty Protocols with an Honest Majority 20.07.17 Alisa Pankova Roman Jagomgis Peeter Laud 1 / 10 Secure Multiparty Computation 2 / 10 Secure Multiparty Computation 2 / 10 Secure Multiparty

641 views • 38 slides
Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols Ronald Kainda,

Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols Ronald Kainda,

Outline Introduction HISPs Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols Ronald Kainda, Ivan Flechais, and A.W.

670 views • 41 slides
Simulation Engines TDA571|DIT030 Multimedia and scenegraphs Tommaso Piazza 1 Administrative

Simulation Engines TDA571|DIT030 Multimedia and scenegraphs Tommaso Piazza 1 Administrative

Simulation Engines TDA571|DIT030 Multimedia and scenegraphs Tommaso Piazza 1 Administrative stuff Student Representatives People with orange or red extension IDC | Interaction Design Collegium 2 Introduction Multimedia is

604 views • 59 slides
2 J. Fearnley & M. Zimmermann results in the average (although not in the worst case) than

2 J. Fearnley & M. Zimmermann results in the average (although not in the worst case) than

Playing Muller Games in a Hurry John Fearnley Martin Zimmermann Department of Computer Science Lehrstuhl Informatik 7 University of Warwick, UK RWTH Aachen University, Germany john@dcs.warwick.ac.uk zimmermann@automata.rwth-aachen.de

242 views • 5 slides
Bert De Coensel Supported by Content of presentation Introduction Site selection

Bert De Coensel Supported by Content of presentation Introduction Site selection

Bert De Coensel Supported by Content of presentation Introduction Site selection Audiovisual recordings Site classification Analysis and manipulation Bert De Coensel Urban Soundscapes of the World Urban Sound Symposium

306 views • 27 slides
Main Areas of Research Co-Operative Co-Evolution for Game Design Managing the public perception

Main Areas of Research Co-Operative Co-Evolution for Game Design Managing the public perception

What on Earth is... Co-operative Co-Evolution for Game Design Creative responsibilities Computational Creativity? (from a Computational Creativity Perspective) Simon Colton and Michael Cook Computational Creativity Group Department of

559 views • 4 slides
Two-dimensional gesture mapping for interactive real-time electronic music instruments Thomas

Two-dimensional gesture mapping for interactive real-time electronic music instruments Thomas

Two-dimensional gesture mapping for interactive real-time electronic music instruments Thomas Grill gr@grrrr.org University for Music and Performing Arts, Vienna University of Applied Arts, Vienna Austrian Research Institute for Artificial

466 views • 31 slides
Graph-based analysis of JavaScript source code repositories Gbor Szrnyas Graph Processing

Graph-based analysis of JavaScript source code repositories Gbor Szrnyas Graph Processing

Graph-based analysis of JavaScript source code repositories Gbor Szrnyas Graph Processing devroom @ FOSDEM 2018 JAVASCRIPT Latest standard: ECMAScript 2017 STATIC ANALYSIS Static source code analysis is a software testing approach

1.09k views • 40 slides
Source code documentation template Erica Snider Fermilab June 27, 2017 The objective To the

Source code documentation template Erica Snider Fermilab June 27, 2017 The objective To the

Source code documentation template Erica Snider Fermilab June 27, 2017 The objective To the extent reasonably possible Make the code self describing for people interested in Using it Maintaining it Understanding a result

343 views • 6 slides
Source Code Rejuvenation is not Refactoring Peter Pirkelbauer Damian Dechev Bjarne Stroustrup

Source Code Rejuvenation is not Refactoring Peter Pirkelbauer Damian Dechev Bjarne Stroustrup

Source Code Rejuvenation is not Refactoring Peter Pirkelbauer Damian Dechev Bjarne Stroustrup Texas A&M University SOFSEM 2010 Jan 25 th , 2010 Parasol Lab (Texas A&M) Source Code Rejuvenation is not Refactoring 1 / 18 Programming

401 views • 26 slides

More recommend