Introduction to Cryptography Lecture 13

Similar documents
Secure Computation. Unconditionally Secure Multi- Party Computation

Benny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011

Multiparty Computation

Lecture 14: Secure Multiparty Computation

CPSC 467b: Cryptography and Computer Security

Introduction to Modern Cryptography Lecture 11

ECash and Anonymous Credentials

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Lecture 3,4: Multiparty Computation

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Oblivious Evaluation of Multivariate Polynomials. and Applications

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

Multi-Party Computation with Conversion of Secret Sharing

CPSC 467: Cryptography and Computer Security

Multiparty Computation (MPC) Arpita Patra

Lecture 38: Secure Multi-party Computation MPC

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Secret Sharing CPT, Version 3

CPSC 467: Cryptography and Computer Security

From Secure MPC to Efficient Zero-Knowledge

Theory of Computation Chapter 12: Cryptography

Secure Multi-Party Computation. Lecture 17 GMW & BGW Protocols

CPSC 467: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Lecture 1: Introduction to Public key cryptography

An Unconditionally Secure Protocol for Multi-Party Set Intersection

1 Secure two-party computation

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

A FEW E-COMMERCE APPLICATIONS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 9 of Trappe and Washington

ECS 189A Final Cryptography Spring 2011

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

Midterm 2. Your Exam Room: Name of Person Sitting on Your Left: Name of Person Sitting on Your Right: Name of Person Sitting in Front of You:

1 Number Theory Basics

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Lecture Notes, Week 10

Notes on Zero Knowledge

Secret sharing schemes

Introduction to Modern Cryptography. Benny Chor

Multiparty Computation, an Introduction

Katz, Lindell Introduction to Modern Cryptrography

Fast Large-Scale Honest-Majority MPC for Malicious Adversaries

Lecture 3: Interactive Proofs and Zero-Knowledge

Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings

Lecture Notes. (electronic money/cash) Michael Nüsken b-it. IPEC winter 2008

CPSC 467b: Cryptography and Computer Security

Uncloneable Quantum Money

Benny Pinkas Bar Ilan University

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Computing on Encrypted Data

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Round-Efficient Multi-party Computation with a Dishonest Majority

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Lecture 10: Zero-Knowledge Proofs

March 19: Zero-Knowledge (cont.) and Signatures

Security Protocols and Application Final Exam

Secure Multi-Party Computation

Unconditionally Secure Multiparty Set Intersection Re-Visited

On Achieving the Best of Both Worlds in Secure Multiparty Computation

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Efficient General-Adversary Multi-Party Computation

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

CPSC 467: Cryptography and Computer Security

Non-Interactive Zero-Knowledge Proofs of Non-Membership

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

Entanglement and information

1 Basic Number Theory

An Efficient Protocol for Fair Secure Two-Party Computation

Introduction to Cryptography. Lecture 8

The Laws of Cryptography Zero-Knowledge Protocols

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Authentication. Chapter Message Authentication

Secure Multiparty Computation from Graph Colouring

Divisible E-cash Made Practical

Cryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies

Public-Key Cryptosystems CHAPTER 4

Public-Key Encryption: ElGamal, RSA, Rabin

Lecture Notes 20: Zero-Knowledge Proofs

Introduction to Modern Cryptography. Benny Chor

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Discrete Mathematics and Probability Theory Summer 2014 James Cook Midterm 1 (Version B)

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer

Cryptographic Protocols FS2011 1

Introduction to Modern Cryptography. Benny Chor

Question 1. The Chinese University of Hong Kong, Spring 2018

Cryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures

Winter 2011 Josh Benaloh Brian LaMacchia

Cryptology. Vilius Stakėnas autumn

A New Approach to Practical Active-Secure Two-Party Computation

Discrete Mathematics for CS Spring 2007 Luca Trevisan Lecture 11. Error Correcting Codes Erasure Errors

George Danezis Microsoft Research, Cambridge, UK

Cryptographical Security in the Quantum Random Oracle Model

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Exam Security January 19, :30 11:30

Transcription:

Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1

Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2

Simple electronic checks A payment protocol: Sign a document transferring money from your account to another account This document goes to your bank The bank verifies that this is not a copy of a previous check The bank checks your balance The bank transfers the sum Problems: Requires online access to the bank (to prevent reusage) Expensive. The transaction is traceable (namely, the bank knows about the transaction between you and Alice). June 5, 2011 Introduction to Cryptography, Benny Pinkas page 3

First try at a payment protocol Withdrawal User gets bank signature on {I am a $100 bill, #1234} Bank deducts $100 from user s account Payment User gives the signature to a merchant Merchant verifies the signature, and checks online with the bank to verify that this is the first time that it is used. Problems: As before, online access to the bank, and lack of anonymity. Advantage: The bank doesn t have to check online whether there is money in the user s account. In fact, there is no real need for the signature, since the bank checks its own signature. June 5, 2011 Introduction to Cryptography, Benny Pinkas page 4

Anonymous cash via blind signatures In order to preserve payer s anonymity the bank signs the bill without seeing it (e.g. like signing on a carbon paper) RSA Blind signatures (Chaum) RSA signature: (H(m)) 1/e mod n Blind RSA signature: Alice sends Bob (r e H(m)) mod n, where r is a random value. Bob computes (r e H(m)) 1/e = r H(m) 1/e mod n, and sends to Alice. Alice divides by r and computes H(m) 1/e mod n Problem: Alice can get Bob to sign anything, Bob does not know what he is signing. June 5, 2011 Introduction to Cryptography, Benny Pinkas page 5

Enabling the bank to verify the signed value cut and choose protocol Suppose Alice wants to sign a $20 bill. A $20 bill is defined as H(random index,$20). Alice sends to bank 100 different $20 bills for blind signature. The bank chooses 99 of these and asks Alice to unblind them (divide by the corresponding r values). It verifies that they are all $20 bills. The bank blindly signs the remaining bill and gives it to Alice. Alice can use the bill without being identified by the bank. If Alice tries to cheat she is caught with probability 99/100. 100 can be replaced by any parameter m. But we would like to have an exponentially small cheating probability. June 5, 2011 Introduction to Cryptography, Benny Pinkas page 6

Exponentially small cheating probability Define that a $20 bill in a new way: The bill is valid if it is the RSA signature of the multiplication of 50 values of the form H(x), (where x= random index,$20 ). The withdrawal protocol: Alice sends to the Bank z 1, z 2,, z 100 (where z i = r i e H(x i )). The Bank asks Alice to reveal ½ of the values z i = r i e H(x i ). The Bank verifies them and extracts the e th root of the multiplication of all the other 50 values. Alice divides the results by the multiplication of the corresponding r i values. Payment: Alice sends the signed bill and reveals the 50 preimage values. The merchant sends them to the bank which verifies that they haven t been used before. Alice can only cheat if she guesses the 50 locations in which she will be asked to unblind the z i s, which happens with probability ~2-100. June 5, 2011 Introduction to Cryptography, Benny Pinkas page 7

Online vs. offline digital cash We solved the anonymity problem, while verifying that Alice can only get signatures on bills of the right value. The bills can still be duplicated Merchants must check with the bank whenever they get a new bill, to verify that it wasn t used before. A new idea: During the payment protocol the user is forced to encode a random identity string (RIS) into the bill If the bill is used twice, the RIS reveals the user s identity and she loses her anonymity. June 5, 2011 Introduction to Cryptography, Benny Pinkas page 8

Offline digital cash Withdrawal protocol: Alice prepares 100 bills of the form {I am a $20 bill, #1234, y 1,y 1,y 2,y 2,,y m,y m } S.t. i y i =H(x i ), y i =H(x i ), and it holds that x i x i =Alice s id, where H() is a collision resistant function. Alice blinds these bills and sends to the bank. The bank asks her to unblind 99 bills and show their x i,x i values, and checks their validity. (Alternatively, as in the previous example, Alice can do a check with fails with only an exponential probability.) The bank signs the remaining blinded bill. June 5, 2011 Introduction to Cryptography, Benny Pinkas page 9

Offline digital cash Payment protocol: Alice gives a signed bill to the vendor {I am a $20 bill, #1234, y 1,y 1,y 2,y 2,,y m,y m } The vendor verifies the signature, and if it is valid sends to Alice a random bit string b=b 1 b 2 b m of length m. i if b i =0 Alice returns x i, otherwise (b i =1) she returns x I The vendor checks that y i =H(x i ) or y i =H(x i ) (depending on b i ). If this check is successful it accepts the bill. (Note that Alice s identity is kept secret.) Note that the merchant does not need to contact the bank during the payment protocol. June 5, 2011 Introduction to Cryptography, Benny Pinkas page 10

Offline digital cash The merchant must deposit the bill in the bank. It cannot use the bill to pay someone else. Because it cannot answer challenges b* different than the challenge b it sent to Alice. How can the bank detect double spenders? Suppose two merchants M and M * receive the same bill With very high probability, they ask Alice different queries b,b* There is an index i for which b i =0, b* i =1. Therefore M receives x i and M* receives x i. When they deposit the bills, the bank receives x i and x* i, and can compute x i x i =Alice s id. June 5, 2011 Introduction to Cryptography, Benny Pinkas page 11

Secure multi-party computation Problem statement: n players P 1, P 2,, P n Player P i has input x i There is a known function f(x 1,,x n )= (y 1, y n ) Goals: P i should learn y i, and nothing else (except for what can be computed from x i and y i ) This property should also hold for coalitions of corrupt parties (e.g., P 1,,P n/3 should learn nothing but x 1,,x n/3,y 1,,y n/3 ) Security should hold even against malicious parties Examples January 19, 2007 page 12

More on MPC Generality: MPC is extremely general, covers almost all protocol problems. We will define a protocol, which tells each party which messages to send to other parties. Adversaries: Semi-honest vs. malicious Semi-honest ( honest but curious ) follow the protocol but try to deduce information from it Malicious adversaries can behave arbitrarily Static (decide in advance which parties to corrupt) vs. adaptive (decide on the fly which parties to corrupt) Unbounded vs. probabilistic polynomial-time January 19, 2007 page 13

Defining security It is not sufficient to list the desired properties that the protocol should satisfy How can we be sure that we covered all properties? Basic security definition: comparison to an ideal scenario In the ideal scenario there is a trusted party which receives x 1,,x n, computes the function and sends y i to P i. The real protocol is secure if its execution reveals no more than in the ideal scenario. The actual definition is much more complicated, in particular if we consider multiple invocations of the same protocol. January 19, 2007 page 14

What is known Information theoretic scenario: Semi-honest, adaptive adversary: any function can be computed iff adversary controls up to t<n/2 parties. Malicious, adaptive adversary: any function can be computed iff adversary controls up to t<n/3 parties. If broadcast is available, can withstand up to t<n/2. Cryptographic scenario: Semi-honest, adaptive, polynomial-time adversary: assuming one-way trapdoor permutations exist, any function can be computed if t<n. Malicious, adaptive, polynomial-time adversary: assuming one-way trapdoor permutations exist, any function can be computed if t<n/2. January 19, 2007 page 15

An MPC protocol for semi-honest parties We will show a construction in the unconditional security scenario, against semi-honest, adaptive adversaries which control up to t<n/2 parties. The basic idea: Any input value can be shared between the n participants, such that no t of them can reconstruct it. It is possible to make computations on shared values. Initial step: Write the function as an arithmetic circuit modulo a prime number p. January 19, 2007 page 16

Arithmetic circuits Circuits where Wires transfer values defined over a field Gates implement + and * Note that arithmetic circuits can be much more compact than combinatorial (Boolean) circuits (with AND and OR gates). For example, for computing a+b or a b. Any Boolean circuit can be implemented as a arithmetic circuit True is represented as 1, false as 0. AND(x,y) is implemented as x*y OR(x,y) is implemented as x+y-x*y NOT(x) is implemented as 1-x January 19, 2007 page 17

t-out-of-n secret sharing Shamir s secret sharing scheme: Choose a large prime and work in the field Zp. The secret S is an element in the field. Define a polynomial P of degree t-1 by choosing random coefficients a 1,,a t-1 and defining P(x) = a t-1 x t-1 + +a 1 x+s. The share of party j is ( j, P(j) ). January 19, 2007 page 18

An MPC protocol for n semi-honest parties, secure against t<n/2 parties. Each party P i has an input x i. The first step of the protocol: Each P i generates a (t+1)-out-of-n sharing of its input x i Namely, chooses a random polynomial f i () over Z p* such that f i (0)=x i. Any subset of t shares does not leak any information about x i t+1 shares enable to reconstruct x i using polynomial interpolation Every P i sends to each P j (j i) the value f i (j) The protocol continues by induction from the input wires to the output wires. We will show that for every gate, if the parties know shares of the input values, they can compute shares of the output values. January 26, 2007 page 19

Computation stage All parties participate in the computation of every gate Addition gate: c= a+b The parties must generate a sharing of c. Namely, there should be a polynomial f c () of degree t, such that f c () is random except for f c (0)=c (Note that defining f c (x)=f a (x)+f b (x) will be fine) Each P i must receive the share c i =f c (i) The protocol: Each player P i already has shares of a and b. Namely, P i has shares a i =f a (i) and b i =f b (i) of polynomials f a () and f b () of degree t, for which f a (0)=a and f b (0)=b. P i sets c i =a i +b i = f a (i)+f b (i) = f c (i) No communication is needed for this computation. January 26, 2007 page 20

Output phase Easier to describe than the protocol for multiplication gates Output wires If output wire y i must be learned by P i, then all parties send it their shares of y i. P i reconstructs the secret and learns the output value.

Computation stage: multiplication gate Each player P i already has shares a i =f a (i) and b i =f b (i). Needs to have a share d i of d=a b. First attempt: P i sets d i =a i b i = f d (i). Obtains a share of f a () f b () Indeed, f d (0) = d = a b. But f d () is of degree 2t and not t. If we do this twice, the degree becomes 4t>n and n parties will not be able to reconstruct the secret. January 26, 2007 page 22

Computing multiplication gates P i sets d i =a i b i = f d (i). f d (i) is of degree 2t < n. We know the values of (Lagrange) coefficients r 1,..,r n such that d=f d (0)=a b = r 1 f d (1)+ +r n f d (n) = r 1 d 1 + +r n d n. Each P i creates a random polynomial g i of degree t such that g i (0)=d i. Consider G(x)= i=1n r i g i (x) This a polynomial of degree t. G(0) = i=1n r i g i (0) = i=1n r i d i = d. Now, if only we could provide each P j with G(j)= i=1n r i g i (j) January 26, 2007 page 23

Computing multiplication gates P i sends to every P j the value g i (j) Every P j receives g 1 (j),,g n (j), and computes G j = i=1 n r i g i (j) = G(j) This is the desired share of a b: it is a value of the polynomial G(x)= i=1n r i g i (x), of degree t, for which G(0)= a b. January 26, 2007 page 24

Computing the entire circuit The parties do this computation for every gate Opening the outputs At the end of the circuit, for each output y j which should be known to P j, it holds that the parties hold shares of a polynomial f(x) of degree t such that f(0)=y j. Each party P i sends f(i) to P j. P j interpolates f(0)=y j. January 26, 2007 page 25

Properties Correctness: straightforward Privacy: For every set of t players, it holds that all values they see in the protocol are shares of (t+1)-outof-n secret sharing schemes. Therefore all their t shares are uniformly distributed. The proof needs to make sure that this property holds even if adversary gets shares of a,b, and a b Overhead: O(n 2 ) messages for every multiplication gate. Number of communication rounds is linear in the depth of the circuit (where only multiplication gates are counted). January 26, 2007 page 26

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback