non malleable primitives why and how
play

Non-Malleable Primitives Why and How The case of Commitments - PDF document

Sep 07, 2022 •313 likes •532 views

Non-Malleable Primitives Why and How The case of Commitments Rafail Ostrovsky (UCLA, USA) Giuseppe Persiano (Univ. Salerno ITALY) Ivan Visconti (Univ. Salerno ITALY) Commitment Schemes Com m m, Open m Ver Properties:

  1. Non-Malleable Primitives Why and How The case of Commitments Rafail Ostrovsky (UCLA, USA) Giuseppe Persiano (Univ. Salerno – ITALY) Ivan Visconti (Univ. Salerno – ITALY) Commitment Schemes Com m m, Open m ◊ Ver Properties: –Binding: after giving the safe to Alice, Bob cannot alter the message m written inside –Hiding: Alice cannot determine m until she learns the combination 2 1

  2. Commitment Schemes Com m m, Open m ◊ Ver Properties: – Statitical Binding: there is no way to open Com in two different ways 3 Commitment Schemes Com m m, Open m ◊ Ver Properties: –Statistical Hiding: actually the transcript of the commitment phase does not encode any specific message (in the information theoretic sense), thus Com can be potentially opened to any message 4 2

  3. Commitment Schemes Com m m, Open m ◊ Ver Very useful, but often we need more..... 5 Auction Phase I: commit to bid b 1 Com 1 b 2 Com 2 6 3

  4. Auction Phase II: reveal bid Open b 1 Open b 2 7 Man-in-the-Middle (MiM) Attack Com m Com’ Open m Open m’ m m and m’ could be related 8 4

  5. Man-in-the-Middle (MiM) Attack we should define commitment schemes that remain secure under such attacks 9 Non-Malleable Commitments with respect to commitment: • the message m’ encoded in the commitment of MiM should not be related to the message m encoded in the commitment of the sender • it does make sense in case of statistical binding • it does not make sense in case of statistical hiding with respect to opening: • the MiM Adversary should not be able to produce a commitment such that the message m’ opened by MiM is related to the message m opened by the committer • it does make sense in case of statistical binding • it does make sense in case of statistical hiding 10 5

  6. State-of-the-Art (constant round) NM commitments with respect to commitment: • C ommon R eference S tring model: of course! [several papers] • Plain model: [PR05] (non - b lack- b o x techniques); NM commitments with respect to opening: • CRS model: of course! [many papers] • Plain model: [PR05] (non - b lack- b o x techniques); 11 Our Setting: the Plain Model We focus on: constant - r ound NM commitments in the plain model… … therefore we consider the [PR05] paper We are still discussing the definitions, therefore let’s give a more careful look at the [PR05] definitions and results 12 6

  7. Statistically Hiding NM Commitments with respect to opening [PR05] Junk View m’ m m is known to the simulator just before the <real game> decommitment phase 13 Statistically Binding NM Commitments with respect to commitment [PR05] <Junk> View m’ <real game> no opening ?? 14 7

  8. Statistically Hiding NM Commitments with respect to opening [PR05] <Junk> View m’ m m is known to the simulator just before the <real game> decommitment phase 15 Statistically Binding NM Commitments with respect to commitment [PR05] <Junk> View m’ <real game> no opening ?? 16 8

  9. Statistically Binding NM Commitments [ derived from PR05] with respect to opening <Junk> View m’ m m is known to the simulator just before the <real game> decommitment phase 17 Statistically Binding NM Commitments [ derived from PR05] with respect to opening <Junk> View m’ m now the simulator should also be able to open to m the committed junk 18 9

  10. Ok let’s look at the PR05 construction Commitment Phase: C � R send a statistically binding commitment of m C � R use a statistical NMZK argument of knowledge for proving knowledge of the committed message Decommitment Phase: C � R open the commitment of m Simulator : it commits to junk and uses the simulator of NMZK argument of knowledge. No way of opening the commitment of junk to a given message! 19 Ok let’s look at the PR05 construction Commitment Phase: C � R send a statistically binding commitment of m C � R use a statistical NMZK argument of knowledge for proving knowledge of the committed message Decommitment Phase: C � R open the commitment of m 20 10

  11. Statistically Hiding NM w.r.t opening Commitment Phase: C � R send a statistically hiding commitment of m Decommitment Phase: C � R send m C � R use a statistical NMZK argument of knowledge for proving that m is the committed message Simulator : it commits to junk and during the decommitment phase it uses the simulator of NMZK argument of knowledge. 21 Statistically Hiding NM w.r.t opening Commitment Phase: C � R send a statistically hiding commitment of m Decommitment Phase: C � R send m C � R use a statistical NMZK argument of knowledge for proving that m is the committed message 22 11

  12. Our commitment (based on [PR05] constructions): NM both with respect to commitment and to opening Commitment Phase: C � R send a statistically binding commitment of m C � R use a statistical NMZK argument of knowledge for proving knowledge of the committed message Decommitment Phase: C � R send m C � R use a statistical NMZK argument of knowledge for proving that m is the committed message Simulator: it commits to junk and uses twice the simulator of the NMZK argument of knowledge. 23 Concurrent Man-in-the-Middle (MiM) Attack <Com> <Com’> <m> <Open> <m> <Open> <m’> <m> <m> and <m’> could be related 24 12

  13. Auction on the Internet � Same MIM Adversary maybe involved in several concurrent auctions � Still want commitments be independent from the ones of other players 25 Statistically Binding Concurrent NM Commitments with respect to commitment [PR05b] <Junk> View <m’> no opening ?? 26 13

  14. Let’s look at the PR05b construction Commitment Phase: C � R send a statistically binding commitment of m C � R use a statistical NMZK argument of knowledge for proving knowledge of the committed message Decommitment Phase: C � R open the commitment of m 27 Let’s look at the PR05b construction Commitment Phase: C � R send a statistically binding commitment of m C � R use a statistical NMZK argument of knowledge for proving knowledge of the committed message Decommitment Phase: C � R open the commitment of m let’s try again our fix for the standalone case, maybe it works again… 28 14

  15. Our commitment (based on [PR05] constructions): NM both with respect to commitment and to opening Commitment Phase: C � R send a statistically binding commitment of m C � R use a statistical NMZK argument of knowledge for proving knowledge of the committed message Decommitment Phase: C � R send m C � R use a statistical NMZK argument of knowledge for proving that m is the committed message Simulator: it commits to junk and uses twice the simulator of the NMZK argument of knowledge. WHEN CONCURRENCY IS ALLOWED, THE SIMULATOR DOES NOT WORK ANYMORE !!! 29 Our commitment (based on [PR05] constructions): NM both with respect to commitment and to opening Commitment Phase: C � R send a statistically binding commitment of m C � R use a statistical NMZK argument of knowledge for proving knowledge of the committed message Decommitment Phase: C � R send m C � R use a statistical NMZK argument of knowledge for proving that m is the committed message Simulator: it commits to junk and uses twice the simulator of the NMZK argument of knowledge. In [PR05b] there is no concurrent NM commitment with respect to opening, thus there is no additional technique that can be exploited for a new fix !!! 30 15

  16. Our commitment (based on [PR05] constructions): NM both with respect to commitment and to opening Commitment Phase: C � R send a statistically binding commitment of m C � R use a statistical NMZK argument of knowledge for proving knowledge of the committed message Decommitment Phase: C � R send m C � R use a statistical NMZK argument of knowledge for proving that m is the committed message m Simulator: it commits to junk and uses twice the simulator of the NMZK argument of knowledge. Concurrent NM commitment with respect to opening is actually left as an important open problem by PR05b !!! 31 Our Result We show: a constant- r ound concurrent NM commitment scheme in the plain model… the scheme is NM both with respect to commitment and with respect to opening 32 16

  17. Our Commitment Scheme Commitment Phase: R � C send TWO statistically binding commitments of random messages r,s R � C use a statistical NMZK argument of knowledge for proving knowledge of one of the two committed messages C � R send a statistically binding commitment Com of m C � R use a statistical NMZK argument of knowledge for proving knowledge of the committed message 33 Our Commitment Scheme Decommitment Phase: R � S open r and s C � R send m C � R use a statistical NMZK argument of knowledge for proving that m is the committed message in Com OR r is the committed message in Com OR s is the committed message in Com 34 17

  18. Properties Binding. By the statistical binding of the used commitment scheme, and by the soundness of the NMZK argument system, the binding property can only by violated if the prover committed to either r or s. However this can be reduced for breaking the hiding property of the commitment scheme. 35 Properties Hiding. It follows from the statistical ZK property and from the hiding of the used commitment scheme. 36 18

Recommend

CASTER ASSEMBLY SCALE 1 : 1 DRAWN 1/26/2010 swaters A A CHECKED TITLE QA CASTER ASSEMBLY

CASTER ASSEMBLY SCALE 1 : 1 DRAWN 1/26/2010 swaters A A CHECKED TITLE QA CASTER ASSEMBLY

4 3 2 1 PARTS LIST ITEM QTY PART NUMBER MATERIAL 1 1 TOP PLATE MALLEABLE IRON 2 2 AXLE SUPPORT MALLEABLE IRON 3 1 AXLE SAE 1020 4 2 BUSHING BRONZE 5 1 WHEEL MALLEABLE IRON B B CASTER ASSEMBLY SCALE 1 : 1 DRAWN

434 views • 7 slides
Malleable Proof Systems and Applications Melissa Chase (MSR Redmond) Markulf Kohlweiss (MSR

Malleable Proof Systems and Applications Melissa Chase (MSR Redmond) Markulf Kohlweiss (MSR

Malleable Proof Systems and Applications Melissa Chase (MSR Redmond) Markulf Kohlweiss (MSR Cambridge) Anna Lysyanskaya (Brown University) Sarah Meiklejohn (UC San Diego) 1 Non-malleable cryptography Twenty years ago, saw a strong emphasis on

1.6k views • 145 slides
Non-Malleable Codes for Partial Functions with Manipulation Detection Aggelos Kiayias Feng-Hao

Non-Malleable Codes for Partial Functions with Manipulation Detection Aggelos Kiayias Feng-Hao

Non-Malleable Codes for Partial Functions with Manipulation Detection Aggelos Kiayias Feng-Hao Liu Yiannis Tselekounis Edin. &amp; FAU CRYPTO 2018 Outline Introduction to non-malleable codes Adversarial model, motivation Results,

772 views • 55 slides
Beyond Block I/O: Rethinking / Traditional Storage Primitives Traditional Storage Primitives

Beyond Block I/O: Rethinking / Traditional Storage Primitives Traditional Storage Primitives

Beyond Block I/O: Rethinking / Traditional Storage Primitives Traditional Storage Primitives Xiangyong Ouyang * , David Nellans , Robert Wipfel , David Flynn , D. K. Panda * d * D id Fl D K P * The Ohio State University

335 views • 29 slides
Spreadsheets: an Introduction to utilized the notion of a malleable matrix to develop the

Spreadsheets: an Introduction to utilized the notion of a malleable matrix to develop the

From word munching to number crunching In 1978 Harvard grad student Dan Bricklin Spreadsheets: an Introduction to utilized the notion of a malleable matrix to develop the first computer spreadsheet program Excel Vastly expanded

185 views • 7 slides
Implementing new Topology Mapping Primitives Guillermo Baltra Prior Work Primitives for

Implementing new Topology Mapping Primitives Guillermo Baltra Prior Work Primitives for

Implementing new Topology Mapping Primitives Guillermo Baltra Prior Work Primitives for Active Internet Topology Mapping: Toward High-Frequency Characterization, Beverly, R., Berger, A., Xie, G., IMC 2010. Demonstrated the ability of

1.2k views • 80 slides
RenderMan Primitives RenderMan Primitives CSCD 472? Slide 1 4/5/10 Primitive Attributes

RenderMan Primitives RenderMan Primitives CSCD 472? Slide 1 4/5/10 Primitive Attributes

RenderMan Primitives RenderMan Primitives CSCD 472? Slide 1 4/5/10 Primitive Attributes Primitive Attributes Two different methods of attaching attributes to primitives: Graphics state attributes inherited by the primitive from the

318 views • 19 slides
A Case for Malleable Thread-Level Linear Algebra Libraries: The LU Factorization with Partial

A Case for Malleable Thread-Level Linear Algebra Libraries: The LU Factorization with Partial

A Case for Malleable Thread-Level Linear Algebra Libraries: The LU Factorization with Partial Pivoting Sandra Cataln, Jose R. Herrero, Enrique S. Quintana-Ort, Rafael Rodrguez-Snchez, Robert van de Geijn BLIS Retreat, 19-20th September

361 views • 25 slides
The Case for Malleable Stream Architectures Christopher Batten 1 , 3 , Hidetaka Aoki 2 , Krste

The Case for Malleable Stream Architectures Christopher Batten 1 , 3 , Hidetaka Aoki 2 , Krste

The Case for Malleable Stream Architectures Christopher Batten 1 , 3 , Hidetaka Aoki 2 , Krste Asanovi c 3 1 Department of Electrical Engineering and Computer Science Massachusetts Institute of Technology, Cambridge, MA 2 Central Research

535 views • 10 slides
Energy-saving Operation in Foundry Kenji SHI OTANI Ishikawa Malleable CO., LTD Company Profile

Energy-saving Operation in Foundry Kenji SHI OTANI Ishikawa Malleable CO., LTD Company Profile

Energy-saving Operation in Foundry Kenji SHI OTANI Ishikawa Malleable CO., LTD Company Profile Establishment May, 1953 Capital 48 Millions JPY President Tetsuo SHIOTANI Number of employees 134 Business Casting Sec.

310 views • 12 slides
Wrap Up: Cryptographic Primitives Lecture 18 Alternate Assumptions for PKE Randomness

Wrap Up: Cryptographic Primitives Lecture 18 Alternate Assumptions for PKE Randomness

Wrap Up: Cryptographic Primitives Lecture 18 Alternate Assumptions for PKE Randomness Extractors Story So Far Basic primitives for secure communication: Shared-Key Public-Key SKE PKE Encryption MAC

498 views • 17 slides
Non-malleable codes in the split-state model Divesh Aggarwal, Yevgeniy Dodis , Tomasz Kazana,

Non-malleable codes in the split-state model Divesh Aggarwal, Yevgeniy Dodis , Tomasz Kazana,

Non-malleable codes in the split-state model Divesh Aggarwal, Yevgeniy Dodis , Tomasz Kazana, Shachar Lovett, Maciej Obremski New York University Tampering Experiment f Enc Dec m* m c c* (Real) g m g (m) (Ideal) Consider a

1.06k views • 81 slides
Succinct Malleable NIZKs and an Application to Compact Shuffles Melissa Chase (MSR Redmond)

Succinct Malleable NIZKs and an Application to Compact Shuffles Melissa Chase (MSR Redmond)

Succinct Malleable NIZKs and an Application to Compact Shuffles Melissa Chase (MSR Redmond) Markulf Kohlweiss (MSR Cambridge) Anna Lysyanskaya (Brown University) Sarah Meiklejohn (UC San Diego) 1 Proofs of proofs 2 Proofs of proofs Suppose

1.47k views • 121 slides
Recovering Primitives in 3D CAD meshes Roseline B eni` ere G. Subsol, G. Gesqui` ere, F .

Recovering Primitives in 3D CAD meshes Roseline B eni` ere G. Subsol, G. Gesqui` ere, F .

Introduction Primitives Extraction Problems Conclusion Recovering Primitives in 3D CAD meshes Roseline B eni` ere G. Subsol, G. Gesqui` ere, F . Le Breton and W. Puech LIRMM, Montpellier, France C4W, Montpellier, France LSIS, Arles,

1.04k views • 57 slides
Project Overview TRS High Level Architecture Specification Language and Synthesis ISA

Project Overview TRS High Level Architecture Specification Language and Synthesis ISA

MIT9904-04 Malleable Architectures for Adaptive Computing Arvind, Rudolph and Devadas Project Overview TRS High Level Architecture Specification Language and Synthesis ISA Cache Malleable Architectures Specification

165 views • 3 slides
Cryptographic Reverse Firewall via Malleable Smooth Projective Hash Functions Rongmao Chen, Yi

Cryptographic Reverse Firewall via Malleable Smooth Projective Hash Functions Rongmao Chen, Yi

Cryptographic Reverse Firewall via Malleable Smooth Projective Hash Functions Rongmao Chen, Yi Mu, Guomin Yang , Willy Susilo, Fuchun Guo and Mingwu Zhang Asiacrypt 2016, Hanoi Outline n Background n Cryptographic Reverse Firewall n Part

639 views • 52 slides
Non-Malleable Secret Sharing against Bounded Joint-Tampering Attacks in the Plain Model Antonio

Non-Malleable Secret Sharing against Bounded Joint-Tampering Attacks in the Plain Model Antonio

Non-Malleable Secret Sharing against Bounded Joint-Tampering Attacks in the Plain Model Antonio Faonio Gianluca Brian Maciej Obremski IMDEA Software Institute Sapienza University of Rome National University of Singapore Madrid, Spain Rome,

1.02k views • 74 slides
2D graphics Vector graphics Use of geometric primitives: points, lines, curves, etc.

2D graphics Vector graphics Use of geometric primitives: points, lines, curves, etc.

Week 4 Part 2 Introduction to 2D Graphics &amp; Java 2D 2D graphics Vector graphics Use of geometric primitives: points, lines, curves, etc. Primitives are created by using mathematical equations Can be zoomed infinitively, moved

569 views • 22 slides
Tight Upper and Lower Bounds for Leakage-Resilient Locally Decodable and Updatable Non-Malleable

Tight Upper and Lower Bounds for Leakage-Resilient Locally Decodable and Updatable Non-Malleable

Tight Upper and Lower Bounds for Leakage-Resilient Locally Decodable and Updatable Non-Malleable Codes Dana Dachman-Soled University of Maryland Joint work with: Mukul Kulkarni and Aria Shahverdi, University of Maryland Talk is also based on

572 views • 35 slides
Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a

Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a

Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a brief introduction to symmetric and asymmetric cryptographic primitives, pointing out some relevant design principles and security properties.

532 views • 26 slides
Invasive Malleable Applications Sebastian Buchwald, Manuel Mohr, Andreas Zwinkau Karlsruhe

Invasive Malleable Applications Sebastian Buchwald, Manuel Mohr, Andreas Zwinkau Karlsruhe

Invasive Malleable Applications Sebastian Buchwald, Manuel Mohr, Andreas Zwinkau Karlsruhe Institute of Technology TCRC 89 &quot;Invasive Computing&quot; ATPS 2015 No faster CPUs, only more of them More cores means slower cores M. B. Taylor,

531 views • 25 slides
Verilog HDL:Digital Design and Modeling Chapter 6 User-Defined Primitives Chapter 6

Verilog HDL:Digital Design and Modeling Chapter 6 User-Defined Primitives Chapter 6

Chapter 6 User-Defined Primitives 1 Verilog HDL:Digital Design and Modeling Chapter 6 User-Defined Primitives Chapter 6 User-Defined Primitives 2 Page 229 //3-input AND gate as a udp primitive udp_and3 (z1, x1, x2,

619 views • 42 slides
2D graphics Week 4 Part 2 Vector graphics Use of geometric primitives: points, lines,

2D graphics Week 4 Part 2 Vector graphics Use of geometric primitives: points, lines,

2D graphics Week 4 Part 2 Vector graphics Use of geometric primitives: points, lines, curves, etc. Primitives are created by using mathematical equations Introduction to 2D Graphics &amp; Java 2D Can be zoomed infinitively, moved

197 views • 6 slides
Malleable task-graph scheduling with a practical speed-up model Loris Marchal 1 Bertrand Simon 1

Malleable task-graph scheduling with a practical speed-up model Loris Marchal 1 Bertrand Simon 1

Malleable task-graph scheduling with a practical speed-up model Loris Marchal 1 Bertrand Simon 1 Oliver Sinnen 2 Frdric Vivien 1 1: CNRS, INRIA, ENS Lyon and Univ. Lyon, FR. 2: Univ. Auckland, NZ. New Challenges in Scheduling Theory

596 views • 47 slides

More recommend