
APPLICATIONS AND PROTOCOLS

Mihir Bellare UCSD 1

Some applications and protocols

  • Internet Casino
  • Commitment
  • Shared coin flips
  • Threshold cryptography
  • Forward security
  • Program obfuscation
  • Zero-knowledge
  • Certified e-mail
  • Electronic voting
  • Auctions
  • Identity-based encryption
  • Functional encryption
  • Fully-homomorphic encryption
  • Searchable encryption
  • Oblivious transfer
  • Garbling schemes
  • Secure computation
  • Group signatures
  • Aggregate signatures


Internet Casino: Protocol G1

  • Player → Casino: $1, G
  • Casino: T ←$ {1, 2, . . . , 100}; if G = T then d ← $200 else d ← $0
  • Casino → Player: T, d

  • Would you play?

Expected value of d is $200 · (1/100) = $2 > $1, so probability theory says that the player will earn money by playing.

Problem: Casino can cheat

  • Player → Casino: $1, G
  • Casino: T ←$ {1, 2, . . . , 100} \ {G}; d ← $0
  • Casino → Player: T, d

Internet Casino: Protocol G2

  • Player → Casino: $1
  • Casino: T ←$ {1, 2, . . . , 100}
  • Casino → Player: T
  • Player → Casino: G
  • Casino: if G = T then d ← $200 else d ← $0
  • Casino → Player: d

  • But now player can always win by setting G = T. No casino would do this!

Internet Casino problem

Player and Casino need to exchange G, T so that

  • Casino cannot choose T as a function of G.
  • Player cannot choose G as a function of T.

How do we resolve this Catch-22 situation?


“Internet” Casino: Protocol G3

  • Player → Casino: $1, [locked safe containing G]
  • Casino: T ←$ {1, 2, . . . , 100}
  • Casino → Player: T
  • Player → Casino: [key to the safe]
  • Casino: opens the safe to get G; if G = T then d ← $200 else d ← $0
  • Casino → Player: d

The safe is a locked safe containing a piece of paper with G written on it. The key is a key to open the safe.

  • Casino cannot choose T as a function of G because, without the key, it cannot see G.
  • Player cannot choose G as a function of T because, by putting it in the safe, she is committed to it in the first move.

Internet Casino Protocol using cryptography

  • Player: K ←$ {0, 1}^128; C ← H(K ‖ G)
  • Player → Casino: C
  • Casino: T ←$ {1, 2, . . . , 100}
  • Casino → Player: T
  • Player → Casino: G, K
  • Casino: if (H(K ‖ G) = C and G = T) then d ← $99 else d ← $0
  • Casino → Player: d

  • Here H is a cryptographic hash function. More generally one can use a primitive called a commitment scheme.

Commitment Schemes

A commitment scheme CS = (P, C, V) is a triple of algorithms:

  • Commit: (π, M) → C → (C, K)
  • Verify: (π, C, M, K) → V → 0/1

Parameter generation algorithm P is run once by a trusted party to produce public parameters π.

  In Internet Casino:
  M   Data being committed   G
  C   Commital
  K   Decommital key

Security properties

  • Hiding: A commital C generated via (C, K) ←$ C(π, M) should not reveal information about M. That is, C does not reveal M.
  • Binding: It should be hard to find C, M0, M1, K0, K1 such that M0 ≠ M1 but V(π, C, M0, K0) = V(π, C, M1, K1) = 1. That is, the same C cannot be opened with (M0, K0) and with (M1, K1).

Internet Casino Protocol using a commitment scheme

  • Player: (C, K) ←$ C(π, G)
  • Player → Casino: C
  • Casino: T ←$ {1, 2, . . . , 100}
  • Casino → Player: T
  • Player → Casino: G, K
  • Casino: if (V(π, C, G, K) = 1 and G = T) then d ← $99 else d ← $0
  • Casino → Player: d

Hiding Formally

Let CS = (P, C, V) be a commitment scheme and A an adversary.

Game HIDE_CS
  procedure Initialize
    π ←$ P; b ←$ {0, 1}
    return π
  procedure LR(M0, M1)
    (C, K) ←$ C(π, M_b)
    return C
  procedure Finalize(b′)
    return (b = b′)

The hiding-advantage of A is Adv^hide_CS(A) = 2 · Pr[HIDE^A_CS ⇒ true] − 1.

Binding Formally

Let CS = (P, C, V) be a commitment scheme and A an adversary.

Game BIND_CS
  procedure Initialize
    π ←$ P
    return π
  procedure Finalize(C, M0, M1, K0, K1)
    v0 ← V(π, C, M0, K0)
    v1 ← V(π, C, M1, K1)
    return (v0 = v1 = 1 and M0 ≠ M1)

The binding-advantage of A is Adv^bind_CS(A) = Pr[BIND^A_CS ⇒ true].

Commitment from symmetric encryption

Let SE = (K, E, D) be an IND-CPA-secure symmetric encryption scheme and let CS = (P, C, V) be the commitment scheme where P returns π = ε and

  Alg C(π, M)
    K ←$ K; C ←$ E_K(M)
    return (C, K)

  Alg V(π, C, M, K)
    if D_K(C) = M then return 1 else return 0

Is this secure?

  • Certainly hiding since SE is IND-CPA.
  • But need not be binding: it may be possible to find C, M0, M1, K0, K1 such that D_K0(C) = M0 and D_K1(C) = M1. Exercise: Show such a binding-violating attack when SE is the CBC$ scheme.

Surfacing randomness in asymmetric encryption

Let AE = (K, E, D) be an asymmetric encryption scheme. Then E_pk(M; K) is the result of encrypting M with coins (randomness) set to K. Thus, the following processes return the same thing:

  C ←$ E_pk(M)
  Return C

  K ←$ Coins(pk); C ← E_pk(M; K)
  Return C

Here Coins(pk) is the space from which the randomness (coins) are drawn. Example: With the SRSA scheme, Coins((N, e)) = Z_N^* and

  Alg E_{N,e}(M; K)
    C_a ← K^e mod N
    C_s ← H(K) ⊕ M
    return (C_a, C_s)

  Alg E_{N,e}(M)
    K ←$ Z_N^*
    C_a ← K^e mod N
    C_s ← H(K) ⊕ M
    return (C_a, C_s)

Commitment from public key encryption

Let AE = (K, E, D) be an IND-CPA-secure asymmetric encryption scheme and let CS = (P, C, V) be the commitment scheme where

  Alg P
    (pk, sk) ←$ K; π ← pk
    return π

  Alg C(pk, M)
    K ←$ Coins(pk); C ← E_pk(M; K)
    return (C, K)

  Alg V(pk, C, M, K)
    if K ∉ Coins(pk) then return 0
    if E_pk(M; K) = C then return 1 else return 0

Is this secure?

  • Certainly hiding since AE is IND-CPA.
  • Binding too since C has only one decryption relative to pk, namely M = D_sk(C).

Commitment from hashing

Let H be a hash function and CS = (P, C, V) the commitment scheme where P returns π = ε and

  Alg C(π, M)
    C ← H(M); K ← M
    return (C, K)

  Alg V(π, C, M, K)
    return (C = H(M) and M = K)

This is

  • Binding if H is collision-resistant.
  • But not hiding. For example in the Internet Casino M = G ∈ {1, ..., 100}, so given C = H(M) the casino can recover M via

  for i = 1, ..., 100 do if H(i) = C then return i

Commitment from hashing

A better scheme is CS = (P, C, V) where P returns π = ε and

  Alg C(π, M)
    K ←$ {0, 1}^128; C ← H(K || M)
    return (C, K)

  Alg V(π, C, M, K)
    return (H(K || M) = C)
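As an added example (not from the slides), the two hash-based schemes side by side in Python: the unkeyed C ← H(M) and the keyed C ← H(K || M). SHA-256 stands in for H, K is 128 random bits, and the committed value is encoded as one byte (an assumption that suits G ∈ {1, ..., 100}). The domain search from the previous slide recovers G from the unkeyed commitment but finds nothing in the keyed one, and an opening with a different M is rejected by the keyed verifier.

```python
import hashlib
import secrets
from typing import Optional, Tuple

DOMAIN = range(1, 101)  # the casino guess G lives in {1, ..., 100}


def h(data: bytes) -> bytes:
    """H: a cryptographic hash function; SHA-256 stands in for it here."""
    return hashlib.sha256(data).digest()


def enc(m: int) -> bytes:
    """Fixed-width encoding of the committed value M (assumes 0 <= M < 256)."""
    return m.to_bytes(1, "big")


# Unkeyed scheme: C <- H(M), K <- M.  Binding, but not hiding.
def commit_unkeyed(m: int) -> Tuple[bytes, int]:
    return h(enc(m)), m


def verify_unkeyed(c: bytes, m: int, k: int) -> bool:
    return c == h(enc(m)) and m == k


def search_domain(c: bytes) -> Optional[int]:
    """The casino's recovery loop: try every M in the small domain."""
    for i in DOMAIN:
        if h(enc(i)) == c:
            return i
    return None


# Keyed scheme: K <-$ {0,1}^128, C <- H(K || M).  Hiding as well as binding.
def commit_keyed(m: int, k: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    if k is None:
        k = secrets.token_bytes(16)  # 128 fresh random bits
    return h(k + enc(m)), k


def verify_keyed(c: bytes, m: int, k: bytes) -> bool:
    return h(k + enc(m)) == c


if __name__ == "__main__":
    c, k = commit_unkeyed(42)
    print("unkeyed: domain search recovers", search_domain(c))  # 42
    c, k = commit_keyed(42)
    print("keyed: domain search recovers", search_domain(c))    # None
    print("keyed: open as 42 ->", verify_keyed(c, 42, k),
          "open as 43 ->", verify_keyed(c, 43, k))              # True False
```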

Commitment schemes usage

Commitment schemes are very broadly and widely used across all kinds of protocol design and in particular to construct zero-knowledge proofs.


Flipping a common coin

  • Alice and Bob are getting divorced
  • They want to decide who keeps the Lexus
  • They agree to flip a coin, but
  • Alice is in NY and Bob is in LA

Protocol CF1:

  • Alice: c ←$ {0, 1}
  • Alice → Bob: c

  • Bob is not too smart but he doesn’t like it...

Can you help them out?

Protocol CF2

Let CS = (P, C, V) be a commitment scheme.

  • Alice: a ←$ {0, 1}; (C, K) ←$ C(π, a)
  • Alice → Bob: C
  • Bob: b ←$ {0, 1}
  • Bob → Alice: b
  • Alice → Bob: a, K
  • Alice: c ← a ⊕ b
  • Bob: if V(π, C, a, K) = 1 then c ← a ⊕ b else c ← ⊥

c is the common coin. Neither party can control it.

Protocol CF3: Concrete instantiation of CF2

  • Alice: a ←$ {0, 1}; K ←$ {0, 1}^128; C ← H(K ‖ a)
  • Alice → Bob: C
  • Bob: b ←$ {0, 1}
  • Bob → Alice: b
  • Alice → Bob: a, K
  • Alice: c ← a ⊕ b
  • Bob: if H(K ‖ a) = C then c ← a ⊕ b else c ← ⊥

c is the common coin. Neither party can control it. H is a cryptographic hash function.
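Protocol CF3 run end to end, as an added example that is not part of the slides. SHA-256 stands in for H and the class and method names are this example's own. An honest run gives both parties the same coin; a run in which Alice opens with the other bit after seeing b shows Bob's check producing ⊥ instead.

```python
import hashlib
import secrets
from typing import Optional, Tuple


def h(data: bytes) -> bytes:
    """H: a cryptographic hash function; SHA-256 stands in for it here."""
    return hashlib.sha256(data).digest()


class Alice:  # commits to her bit a before she sees Bob's bit b
    def __init__(self, a: Optional[int] = None) -> None:
        self.a = secrets.randbelow(2) if a is None else a
        self.k = secrets.token_bytes(16)      # K <-$ {0,1}^128

    def commit(self) -> bytes:
        return h(self.k + bytes([self.a]))    # C <- H(K || a)

    def open(self) -> Tuple[int, bytes]:
        return self.a, self.k                 # decommit: a, K


class Bob:  # picks b only after receiving C, then checks the opening against C
    def __init__(self, b: Optional[int] = None) -> None:
        self.b = secrets.randbelow(2) if b is None else b
        self.c = b""

    def respond(self, c: bytes) -> int:
        self.c = c
        return self.b

    def coin(self, a: int, k: bytes) -> Optional[int]:
        if h(k + bytes([a])) != self.c:
            return None                       # c <- bottom: opening does not match C
        return a ^ self.b


def run_cf3(a: Optional[int] = None, b: Optional[int] = None) -> Tuple[int, Optional[int]]:
    """One honest run; returns (Alice's coin, Bob's coin), which agree."""
    alice, bob = Alice(a), Bob(b)
    c = alice.commit()                        # Alice -> Bob: C
    b_sent = bob.respond(c)                   # Bob -> Alice: b
    a_open, k_open = alice.open()             # Alice -> Bob: a, K
    return alice.a ^ b_sent, bob.coin(a_open, k_open)


def run_cf3_changed_opening(a: int, b: int) -> Optional[int]:
    """Alice opens with the other bit after seeing b; Bob's check yields None."""
    alice, bob = Alice(a), Bob(b)
    bob.respond(alice.commit())
    return bob.coin(1 - alice.a, alice.k)
```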

Secure summation

Suppose we have n parties 1, ..., n. Party i has an integer x_i. The parties want to know the value of f(x_1, ..., x_n) = x_1 + ... + x_n.

Easy: Let

  • Party i send x_i to party 1 (2 ≤ i ≤ n)
  • Party 1 computes f(x_1, ..., x_n) = x_1 + ... + x_n and broadcasts it

What they don’t like about this: Party 1 now knows everyone’s values.

Privacy constraint: Party i does not wish to reveal x_i.

Secure summation

Party i has input x_i (1 ≤ i ≤ n). The parties want to know f(x_1, ..., x_n) = x_1 + ... + x_n but do not want to reveal their inputs in the process. Scenarios:

  • x_i = score of student i on midterm exam
  • x_i = salary of employee i
  • x_i ∈ {0, 1} = vote of voter i on proposition X on ballot

The model and goal

Parties i, j are connected via a secure channel (1 ≤ i, j ≤ n). Privacy and authenticity of messages sent over the channel are guaranteed. The parties will exchange messages to arrive at f(x_1, ..., x_n). If i ≠ j then, at the end of the protocol, party i should not know x_j. For example you, as party i, enter x_i into some app on your cellphone which then communicates with the cellphones of the other parties. At the end, the sum shows up on your screen. Take your phone apart and examine all memory contents and you still will not discover x_j for j ≠ i.

Setup for secure communication protocol

Let N be such that x_1, ..., x_n ∈ Z_N = {0, ..., N − 1}. Let M = nN. Let S denote x_1 + ... + x_n. We will compute S mod M, which is just S since x_1 + ... + x_n ≤ n(N − 1) < M.

Protocol step 1: secret sharing

For i = 1, ..., n party i

  • Picks x_{i,1}, ..., x_{i,n} ∈ Z_M at random subject to x_{i,1} + ... + x_{i,n} ≡ x_i (mod M)
  • Sends x_{i,j} to party j over secure channel (1 ≤ j ≤ n)

  [ x_{1,1}  x_{1,2}  x_{1,3}  x_{1,4} ]  → x_1
  [ x_{2,1}  x_{2,2}  x_{2,3}  x_{2,4} ]  → x_2
  [ x_{3,1}  x_{3,2}  x_{3,3}  x_{3,4} ]  → x_3
  [ x_{4,1}  x_{4,2}  x_{4,3}  x_{4,4} ]  → x_4

Observation: x_{i,j} is a random number unrelated to x_i so party j has no information about x_i (i ≠ j).

Protocol step 2,3: Column sums and conclusion

  [ x_{1,1}  x_{1,2}  x_{1,3}  x_{1,4} ]  → x_1
  [ x_{2,1}  x_{2,2}  x_{2,3}  x_{2,4} ]  → x_2
  [ x_{3,1}  x_{3,2}  x_{3,3}  x_{3,4} ]  → x_3
  [ x_{4,1}  x_{4,2}  x_{4,3}  x_{4,4} ]  → x_4
       ↓        ↓        ↓        ↓
      C_1      C_2      C_3      C_4

For j = 1, ..., n party j

  • Computes C_j = (x_{1,j} + x_{2,j} + ... + x_{n,j}) mod M
  • Sends C_j to party i (1 ≤ i ≤ n)

Observation: S ≡ (C_1 + · · · + C_n) (mod M). So each party can compute S ← (C_1 + ... + C_n) mod M.
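The three protocol steps (sharing, column sums, conclusion) as an added Python example, not code from the slides; the function names and the sample scores are this example's own. With M = nN the column sums recover S exactly, and each row of shares is uniformly random in Z_M apart from its sum.

```python
import secrets
from typing import Dict, List, Tuple


def share(x: int, n: int, M: int) -> List[int]:
    """Step 1: n random shares in Z_M whose sum is congruent to x mod M."""
    shares = [secrets.randbelow(M) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % M)    # last share fixes the sum
    return shares


def secure_sum(inputs: List[int], N: int) -> Tuple[int, List[List[int]], List[int]]:
    """Run the protocol for parties 1..n holding `inputs`, each in Z_N.

    Returns (S, matrix, cols): the sum every party computes, the share
    matrix x_{i,j} (row i made by party i, column j sent to party j) and
    the column sums C_j that party j broadcasts.
    """
    n = len(inputs)
    if not all(0 <= x < N for x in inputs):
        raise ValueError("every x_i must lie in Z_N = {0, ..., N-1}")
    M = n * N                                # n(N-1) < M, so S mod M = S
    matrix = [share(x, n, M) for x in inputs]
    # Step 2: party j adds up the column it received and broadcasts C_j.
    cols = [sum(matrix[i][j] for i in range(n)) % M for j in range(n)]
    # Step 3: every party adds the broadcast column sums.
    S = sum(cols) % M
    return S, matrix, cols


def view_of_party(j: int, matrix: List[List[int]], cols: List[int]) -> Dict[str, List[int]]:
    """Everything party j holds at the end (j = 0 is party 1 of the slides):
    its own row, the column j it received, and all column sums."""
    return {"row": matrix[j], "column": [row[j] for row in matrix], "cols": cols}


if __name__ == "__main__":
    # Constructed sample inputs: four midterm scores, each below N = 101.
    scores = [87, 42, 95, 60]
    S, matrix, cols = secure_sum(scores, N=101)
    print("sum:", S)                         # 284
    print("party 1 view:", view_of_party(0, matrix, cols))
```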

Security of the protocol

  [ x_{1,1}  x_{1,2}  x_{1,3}  x_{1,4} ]  → x_1
  [ x_{2,1}  x_{2,2}  x_{2,3}  x_{2,4} ]  → x_2
  [ x_{3,1}  x_{3,2}  x_{3,3}  x_{3,4} ]  → x_3
  [ x_{4,1}  x_{4,2}  x_{4,3}  x_{4,4} ]  → x_4
       ↓        ↓        ↓        ↓
      c_1      c_2      c_3      c_4

At end of protocol, party 1 knows (1) x_1, and the first-row entries of the matrix (2) the sum S = x_1 + x_2 + x_3 + x_4 (3) c_1, c_2, c_3, c_4 (4) the first column entries x_{1,1}, x_{2,1}, x_{3,1}, x_{4,1}. Claims:

  • Party 1 learns nothing about x_4
  • Even if parties 1, 2 pool their information, they learn nothing about x_4
  • ...

Secure summation project

Project: Analyze and prove secure the summation protocol: (1) Give a game based definition of privacy (2) Prove that the protocol meets it.


Secure Computation

Parties 1, ..., n. Party i has private input x_i. They want to compute f(x_1, ..., x_n). Fact: For any function f, there is an n/2-private protocol to compute it. A protocol is t-private if any t parties, getting together, cannot figure out anything about the input of the other parties other than what is implied by the value of f(x_1, ..., x_n). The protocol views f as a circuit (program) and computes it gate (instruction) by gate (instruction). Enormous body of research.

Zero-Knowledge Proofs [GMR]

A zero-knowledge (ZK) proof allows you to

  • Convince Bob your claim is true
  • Without revealing anything beyond that

For example:

  You claim to have                     Bob is               What is not revealed
  A solution to the homework problem    Another student      The solution
  The password for this account         The server           The password
  A proof that P ≠ NP                   The Clay Institute   The proof