Composition of Cryptographic Protocols - Feasibility Muthu Venkitasubramaniam University of Rochester Some slides borrowed from Manoj, Huijia, Abhishek and Rafael
Secure Multi-party Computation [Yao, Goldreich-Micali-Wigderson]. Goal: allow a set of mutually distrustful parties to compute any functionality f of their inputs while preserving correctness and privacy, even when there is no honest majority.
Real World / Ideal World Paradigm. Step 1: Specify the goal as a functionality f performed by an ideal trusted service (GOAL = CORRECTNESS + PRIVACY). Step 2: Security is defined via emulation of the protocol in the ideal world (a.k.a. simulation). [Figure: REAL world, the parties run the protocol against adversary A; IDEAL world, the parties hand their inputs to f and the simulator S must reproduce A's view.]
Examples of Goals / Functionalities
F_comp: 1. Receive x from A and y from B. 2. Output b = (x > y) to A and B.
F_ZK: 1. Receive x, w from A. 2. Output b = R(x, w) to B.
F_COIN: 1. Toss a coin c. 2. Output c to A and B.
F_OT: 1. Receive s_0, s_1 from A and b from B. 2. Output s_b to B.
Secure Minimum Spanning Tree [BS,sV]. Goal: securely compute the MST over the union of the parties' edges; one party holds G = (V, E_0), the other holds G = (V, E_1).
Secure Minimum Spanning Tree [BS,sV], continued. In each round the two parties submit their current candidate edges e_i and e_j to F_comp, which answers L/R (whose edge is lighter); the winner announces its edge, and repeating this yields the MST edges e_1, e_2, …, e_{n-1} known to both parties.
• Suppose we have a secure protocol for F_comp.
• Replace the calls to F_comp with that secure protocol to get a protocol for MST.
• Does this mean the new protocol is secure?
The Classic Stand-Alone Model One set of parties executing a single protocol in isolation
But life is CONCURRENT: many parties running many different protocol executions.
The Chess-master Problem. A novice plays two grandmasters, one at 8am and one at 8pm; played in isolation, she loses both. Win at least 1 (or draw both): play the two games concurrently and relay each master's moves to the other. What makes it hard to prevent? • Concurrency • Scheduling • Unawareness (each master does not know about the other game)
Same attack on protocols: the attacker sits between Alice and Bob and relays their messages, blinding them on the way (Alice's a is forwarded to Bob as 5a; Bob's reply b is forwarded to Alice as b/5). E.g., real attacks on the OpenSSL implementation [B’98].
A fundamental question: Composition. Protocols A, B and C run side by side: is security preserved under protocol composition?
Security under composition: why care?
1. Composition occurs in real life --- need concurrent security (e.g., Concurrent ZK, Concurrently Secure MPC).
2. Composition occurs in system design --- want modular, simpler solutions.
3. Better understanding of security notions --- various applications: MPC, PKE, signatures, commitments, ZK, WH, …
Related notions shown on the slide: Chosen Message Attack security, Multi-instance security, Non-Malleable Commitments, Sequential WH.
Concurrent Security. [Figure: REAL world, many protocol executions run concurrently against the adversary; IDEAL world, the same executions go through the trusted party.]
UC Security [C01]. Both A and S are required to be PPT. S simulates the view of A, and the outputs of honest parties are the same in the two worlds: running the protocol π in the concurrent setting is “as correct & private as” computing f using a trusted party in the concurrent setting. [Figure: the environment Z interacts with ρ running π against A in the real world, and with ρ calling f against S in the ideal world.]
The UC Composition Theorem: if π UC-implements f and ρ^f UC-implements G, then ρ^π UC-implements G. (For the MST example: if π UC-implements F_comp and ρ^{F_comp} UC-implements MST, then ρ^π UC-implements MST.)
The strongest model of composition: 1. Concurrent security 2. Modular analysis. So what can we UC-implement in the plain model? mmmm… Nothing! Theorem [CF, CKL, L]: It is impossible to achieve concurrent security for all “non-trivial functionalities”.
Self-Composition: an unbounded number of instances of the same protocol (P1 ↔ P2, P1 ↔ P2, …). Examples: self-composable MPC, non-malleable encryption, concurrent non-malleable (NM) ZK, CMA-secure signatures, password authenticated key exchange (PAKE), …
Impossibility Results: impossibility of general composition; impossibility of self-composition.
Chosen Protocol Attack for OT [BPS06, AGJPS12, GKOV12]. F_OT: A inputs (s_0, s_1), B inputs b, and B receives s_b. The real adversary can learn the honest party’s input, but the simulator cannot. Impossibility of General Composition: for every π_OT there exists a π'_OT such that π'_OT ∘ π_OT breaks the security of π_OT.
Chosen Protocol Attack: Real World. Alice runs π_OT as sender with input (s_0, s_1) against Eve and, concurrently, runs π'_OT with the same input (s_0, s_1) against Eve. In π'_OT, Alice runs the π_OT receiver with a choice bit b of her own; if the output is s_b, she outputs (b, s_0, s_1) to her peer. Attack: Eve plays man-in-the-middle between the two sessions, so Alice-as-receiver ends up talking to Alice-as-sender, the check passes, and Eve learns (s_0, s_1).
Chosen Protocol Attack: Ideal World. π_OT is replaced by F_OT: Eve sends F_OT a choice bit and receives only one of s_0, s_1, and must then play the π'_OT sender against Alice herself. Attack fails: with probability ≈ 1/2, Eve will have asked for s_{1−b}, so she cannot make Alice's check pass. The attack succeeds in the real world but not in the ideal world, so no simulator exists.
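The two worlds above as runnable code. This is an added example, not from the slides or the cited papers: π_OT is assumed to be a Diffie-Hellman based 1-out-of-2 OT in the style of Chou-Orlandi over a toy 48-bit safe-prime group (the group size, the SHA-256 key derivation and 16-byte inputs are illustrative choices), and π'_OT is the class RhoPrimeAlice, in which Alice picks her choice bit b uniformly at random. The real-world attack never touches a key: Eve only relays. In the ideal-world run F_OT hands Eve a single string s_c, and her best move is to offer it in both slots, which passes Alice's check exactly when b = c.

```python
# Chosen-protocol attack on a stand-alone-secure OT. Constructed example, not from the slides.
# pi_OT: DH-based 1-out-of-2 OT in the style of Chou-Orlandi over a toy group (assumption).
import hashlib
import secrets

MSG_LEN = 16  # bytes per OT input string

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; sufficient for the toy group used here."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits):
    """(p, q) with p = 2q + 1 both prime. Toy size; real use needs a standard >= 2048-bit group."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = _safe_prime(48)
G = 4  # a quadratic residue, hence a generator of the order-q subgroup
NBYTES = (P.bit_length() + 7) // 8

def _kdf(x):
    return hashlib.sha256(x.to_bytes(NBYTES, "big")).digest()[:MSG_LEN]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class OTSender:
    """pi_OT sender holding (s0, s1)."""
    def __init__(self, s0, s1):
        self.s0, self.s1 = s0, s1
        self.a = secrets.randbelow(Q - 1) + 1
        self.A = pow(G, self.a, P)
    def msg1(self):
        return self.A
    def msg2(self, B):
        k0 = _kdf(pow(B, self.a, P))                           # matches receiver's key iff c == 0
        k1 = _kdf(pow(B * pow(self.A, -1, P) % P, self.a, P))  # matches receiver's key iff c == 1
        return _xor(self.s0, k0), _xor(self.s1, k1)

class OTReceiver:
    """pi_OT receiver with choice bit c; can derive the key for s_c only."""
    def __init__(self, c):
        self.c, self.b = c, secrets.randbelow(Q - 1) + 1
    def msg1(self, A):
        self.k = _kdf(pow(A, self.b, P))
        B = pow(G, self.b, P)
        return B if self.c == 0 else (A * B) % P
    def finish(self, e0, e1):
        return _xor((e0, e1)[self.c], self.k)

def honest_ot(s0, s1, c):
    snd, rcv = OTSender(s0, s1), OTReceiver(c)
    B = rcv.msg1(snd.msg1())
    return rcv.finish(*snd.msg2(B))

class RhoPrimeAlice:
    """Alice's side of pi'_OT: on input (s0, s1) pick a random b, run the pi_OT receiver with
    choice b, and hand (b, s0, s1) to the peer if the value received equals s_b."""
    def __init__(self, s0, s1):
        self.s0, self.s1, self.b = s0, s1, secrets.randbelow(2)
        self.rcv = OTReceiver(self.b)
    def msg1(self, A):
        return self.rcv.msg1(A)
    def finish(self, e0, e1):
        if self.rcv.finish(e0, e1) == (self.s0, self.s1)[self.b]:
            return self.b, self.s0, self.s1
        return None

def real_world_attack(s0, s1):
    """Eve is pi_OT receiver and pi'_OT sender against the same Alice; she only relays."""
    alice_ot, alice_rho = OTSender(s0, s1), RhoPrimeAlice(s0, s1)
    B = alice_rho.msg1(alice_ot.msg1())          # Alice-as-receiver answers Alice-as-sender
    return alice_rho.finish(*alice_ot.msg2(B))   # -> (b, s0, s1): Eve holds both strings

def ideal_world_attack(s0, s1, c):
    """pi_OT replaced by F_OT: Eve asks for c, gets only s_c, then must play the pi'_OT sender.
    Returns (Eve's output, Alice's secret bit b)."""
    s_c = (s0, s1)[c]
    alice_rho, eve = RhoPrimeAlice(s0, s1), OTSender(s_c, s_c)  # best effort: s_c in both slots
    B = alice_rho.msg1(eve.msg1())
    return alice_rho.finish(*eve.msg2(B)), alice_rho.b
```

Nothing in the attack depends on how π_OT is built: swapping in any other stand-alone-secure OT with the same sender/receiver interface leaves real_world_attack working, which is the point of the slide.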
From Impossibility of General Composition to Impossibility of Self-Composition. Want: multiple executions of π_OT only (no π'_OT). Replace the π'_OT party with garbled circuits GC_1, …, GC_n computing his next-message functions, and give the garbled circuits to Eve as auxiliary input.
Problem: who gets the GC keys? Eve should have the keys to execute the GCs on Alice’s messages, but we cannot give her ALL the keys. Eve needs to run extra π_OT executions with Alice to get the “necessary” keys.
More details: concurrent OT executions. Alice runs π_OT with input (s_0, s_1); the extra OT executions deliver to Eve the keys for GC_1, …, GC_n. Real world: Eve executes the GCs one by one to learn (s_0, s_1). Ideal world: the attack fails as before, due to the security of the GCs. The impossibility extends to all “non-trivial” functions by a reduction (in the concurrent setting) to OT [AGJPS12, GKOV12].
What can we implement with Concurrent Security? Theorem [CF, CKL, L]: It is impossible to achieve concurrent security for all “non-trivial functionalities”. SOLUTION: get some “limited” help from a trusted party.
Limited Trusted Help: e.g., the tamper-proof hardware model, or a common reference string (CRS).
Feasible in weaker models!
• Honest majority [DM00, BGW88, BR89]
• Timing [DNS98, G06, LKP05]
• Tamper-proof hardware [K07, NW07, CGS08, MS08]
• Public-key infrastructure [JSI96, DN03, BCNP04, DNO10]
• Common reference string [BFM88, D00, CLOS02, MGY03, GO07, CPS07, DNO10]
• Augmented CRS (GUC) [CDPW07]
Concurrent security in a Generalized UC model.
Intuition of Constructions: general composition and self-composition.
Generalized UC [LPV09]. A framework of models: 1. Augmented real world 2. Multi-session ideal/real world. [Figure: environment Z; IDEAL world with F computing z = F(x, y); REAL world with a global setup G and the augmented F.] • Embeds most weaker models • Close to UC, so previous results can be leveraged.
Concurrent MPC in Generalized UC. Compilation for UC by [GMW87, BMR90, CLOS02, Pas04] assuming semi-honest OT; what remains is to implement the multi-session ZK functionality F_ZK: in each session P sends (x, w) and V receives R(x, w) (likewise for (x', w'), (x'', w''), …).
» Design a “special” ZK protocol (P, V) such that, against the environment Z, the simulator S can simulate proofs without a witness (ZK) and extract witnesses w_1, …, w_k from the adversary's proofs (AOK). Concurrent ZKAOK (concurrent simulation-extractability): extract witnesses from the adversary even when it is receiving simulated proofs.
Concurrent ZKAOK has been studied a LOT: rewinding in concurrent ZK [DNS98, RK99, PRS02, …]; straight-line non-black-box simulation [Bar01, …].
How to get straight-line simulation? By giving S a certain SUPER-POWER over the adversary = the ability to obtain a trapdoor = a UC-puzzle. The other ingredient is non-malleability.
Compilation from ZKA to ZKAOK [BL02, PR03, Pas04, DNO10, MPR10, LPV13]. A weaker notion suffices: fully concurrent ZKA (concurrent simulation soundness), captured by a functionality F_WZK that only tells V whether X is true or false. Soundness requirement: the adversary cannot cheat even when receiving simulated proofs.
Decompose fully concurrent ZKA: concurrent simulation ⇐ UC-puzzles; security against MIM attacks ⇐ non-malleable commitments.
Concurrent MPC in Generalized UC: unified framework [LPV09, LPV12]. Ingredients: SH-OT secure against C_Sim, a UC-puzzle, and a non-malleable commitment (from one-way functions). How to cook up concurrent security in your favorite model X (CRS, PKA, SPS, …)? 1. Instantiate a UC-puzzle using model X. 2. Plug in.
Common Reference String. Preprocessing: a trusted party samples s from a distribution D and publishes it, so every party holds the same s. Protocol execution: the parties exchange messages that may depend on s. THEOREM [CLOS02]: every goal can be implemented with concurrent security in the CRS model.
PUZZLE (in the CRS model): a challenger poses a puzzle derived from the CRS and a solver returns a solution. Property 1: hard to solve with a trusted setup. Property 2: easy to solve by controlling the setup in an undetectable way.