Transcript scws3 6720
Information-Theoretic Security
and Security under
Composition
Eyal Kushilevitz (Technion)
Yehuda Lindell (Bar-Ilan University)
Tal Rabin (IBM T.J. Watson)
Secure Multiparty Computation
A set of parties with private inputs.
Parties wish to jointly compute a function of
their inputs so that certain security properties
(like privacy, correctness and independence
of inputs) are preserved.
E.g., secure elections, auctions…
Properties must be ensured even if some of
the parties maliciously attack the protocol.
Secure Computation Tasks
Examples:
Authentication protocols
Online payments
Auctions
Elections
Privacy preserving data mining
Essentially any task…
Defining Security
The real/ideal model paradigm for defining
security [GMW,GL,Be,MR,Ca]:
Ideal model: parties send inputs to a trusted
party, who computes the function for them.
Real model: parties run a real protocol with no
trusted help.
A protocol is secure if any attack on a real
protocol can be carried out in the ideal model.
Since no attacks can be carried out in the
ideal model, security is implied.
The Real Model
[Figure: one party holds input x, the other holds input y; they run the protocol directly and each obtains its protocol output]
The Ideal Model
[Figure: the parties send x and y to a trusted party, which returns f1(x,y) to the first party and f2(x,y) to the second]
The Security Definition:
[Figure: for every real adversary A interacting in the protocol (REAL) there exists an adversary S interacting with the trusted party (IDEAL)]
The Ideal Adversary/Simulator
How is security proven?
The ideal-model adversary is actually a
simulator
The simulator “simulates” a real execution, while
interacting in the ideal model
The simulation looks just like a real execution…
Important categories of simulators
Black-box versus nonblack-box simulators
Rewinding versus non-rewinding simulators
Non-rewinding is also called “straight-line”
More Details on the Definition
What does it mean that the real and ideal
executions “look the same”?
Perfect security: the distributions are identical
Statistical security: the distributions are
statistically close
Computational security: the distributions are
computationally indistinguishable
Two Basic Models
Information-theoretic model
Unbounded adversaries
Perfect or statistical security
Seemingly, no real need for “perfection”
Computational model
Polynomial-time adversaries
Computational security
Real Execution – Possible Settings
The stand-alone model
A single execution of a single secure protocol
(or a single execution under attack)
The classic model of computation
Security under composition
Concurrent self composition: many executions
of a single secure protocol
Concurrent general composition: many
executions of a secure protocol together with
arbitrary other protocols
Security under Composition
Concurrent self composition
Many executions of a single secure protocol look just
like many calls to an ideal trusted party
[FS,DDN,DNS,RK,…]
Concurrent general composition
Many executions of a single secure protocol with an
arbitrary other protocol look just like many calls to an
ideal trusted party, together with a real arbitrary other
protocol [DM,PW,Ca]
Modeled by considering an arbitrary protocol that
contains “subroutine calls” to the secure protocol
Models the real world – the Internet is the arbitrary
protocol
Feasibility of Secure Computation –
The Stand-Alone Model
A fundamental theorem: any multiparty
functionality can be securely computed in the
stand-alone model:
Computational setting: for any number of
corruptions and assuming (enhanced) trapdoor
permutations [Y86,GMW87]
Information theoretic setting: for a 2/3 honest
majority (or regular majority given a broadcast
channel) [BGW88,CCD88,RB89,B89]
Note: in the case of no honest majority, the security requirements are
not exactly the same (i.e., no fairness or guaranteed output delivery)
Feasibility of Secure Computation –
Concurrent Composition
Any multiparty problem can be securely
computed under concurrent general
composition:
No honest majority: assuming (enhanced)
trapdoor permutations and a common
reference string [CLOS02]
Honest (or two-thirds) majority: [Ca01] relying
on [BGW88,CCD88,RB89,B89]
Notice: these are exactly the information-theoretically secure protocols for the stand-alone
model
Information-Theoretically Secure
Protocols and Composition
Folklore: information-theoretic protocols are
secure under concurrent composition (at the
very least, all the known ones have this
property)
Related folklore: if a protocol is proven secure
using a black-box non-rewinding simulator,
then it is secure under concurrent
composition
Note: known information-theoretic
protocols use black-box non-rewinding
simulation
This Work
Understand the conjectured connection
between information-theoretic security and
security under composition
Deepen our understanding of these notions
Derive a corollary that simplifies the task of
proving security under composition
Theorem 1: Counter Example
There exist protocols that are:
Statistically secure in the information
theoretical model, as stand-alone
Proven secure using a black-box straight-line (non-rewinding) simulator
but are not secure under concurrent general
composition
Theorem 2:
Every protocol that is:
Perfectly secure in the information theoretical
model, as stand-alone
Proven secure using a black-box straight-line (non-rewinding) simulator
is perfectly secure under concurrent general
composition
[DM00] proved a similar result, but used a strictly
more stringent notion of stand-alone security
Corollaries
Corollary 1: [BGW] (error free version) is
perfectly secure under concurrent general
composition (assuming a two-thirds majority)
Corollary 2: It suffices to prove perfect
security in the stand-alone model…
Note: perfectly secure protocols have an
advantage over statistically secure protocols
Security under concurrent general composition
is obtained “for free”
Theorem 3:
Every protocol that is:
Proven secure using a black-box straight-line (non-rewinding) simulator
is secure under concurrent self composition
with fixed inputs
This is a weaker security guarantee, but gives
some justification to the folklore
The result is of interest for statistical and
computational security, and holds for any
number of corrupted parties
Corollary
[CCD,RB] are secure under concurrent self
composition with fixed inputs
Again, the above is a relatively weak security
guarantee, but explains/justifies the folklore
Disturbing Point
It is widely believed that the known statistically
secure protocols are secure under concurrent
general composition
We have only proved security under
concurrent self composition with fixed inputs
Is there an additional property that would
make such protocols secure under concurrent
general composition?
Different (Simple) Property
Initial Synchronization
Each party announces that it is ready to start
Before starting, each party waits to receive
notification from all other parties that they are
ready to start
This enables an easy denial of service attack
(but this is in some sense impossible to
prevent in this model)
Theorem 4:
Every protocol that is:
Proven secure using a black-box straight-line (non-rewinding) simulator, and
Has initial synchronization
is secure under concurrent general
composition
This holds for perfect, statistical and
computational security (not needed for perfect),
and for any number of corrupted parties
Corollary
It suffices to prove security in the stand-alone
model using black-box straight-line
simulation:
Given such a protocol, one can add initial
synchronization, and security under concurrent
general composition is implied
This gives a useful tool, simplifying the task
of proving security under composition
High-Level Summary of Results
Counter-example:
Straight-line black-box security does not imply security
under concurrent general composition (even if security
is statistical)
Security under general composition is implied by:
Perfect security, straight-line black-box simulation
Straight-line black-box simulation, initial
synchronization
Security under self composition with fixed inputs is
implied by:
Straight-line black-box simulation
The Rest of This Talk
Proof of counter-example (Theorem 1)
Idea behind the proof that perfect-security
with black-box straight-line simulation implies
security under concurrent general
composition (Theorem 2)
Discussion about black-box straight-line
simulation with initial synchronization implies
security under concurrent general
composition (Theorem 4)
Proof of Counter Example
The counter-example utilizes the fact that:
In the stand-alone model, inputs are fixed at
the beginning
In the setting of concurrent general
composition, inputs can be determined
dynamically, and dependent on other protocols
Recall: a protocol is secure in this setting if an
execution of an arbitrary protocol with the real secure
protocol looks like an execution of the same arbitrary
protocol together with “ideal calls”
Proof of Counter-Example (cont.)
Our counter-example uses a specific function
and specific protocol (in the setting of an
honest majority)
The function: f(x1,x2,x3) = (0,0,0)
Proof of Counter-Example (cont.)
A secure protocol ρ for computing f:
P1 and P2 choose random r1 and r2 of length n/2
and send the strings to each other
P1 and P2 define r = (r1,r2) and both send r to P3
If P3 receives the same value from both parties
and it equals its input, then it outputs 1,
otherwise it outputs 0
P2 and P3 both output 0
Claim 1: Security of Protocol ρ in the
Stand-Alone Model
We assume an honest majority, so at least
one of P1 and P2 is honest
This implies that the string r received by P3
equals its input with probability at most 2^(-n/2)
Thus, P3 outputs 1 with negligible probability
Simulation in this case is easy (and is black-
box straight-line)
Security obtained is statistical
Claim 2: Insecurity of Protocol ρ under
Concurrent General Composition
Consider the following arbitrary protocol π
that contains a “call” to f:
P1 sends a random s to P3
P1 and P2 send the input 0^n to the trusted
party computing f, and output whatever they
receive back
P3 sends the string s to the trusted party as its
input for the computation of f, and outputs
whatever it receives back
Note: in the ideal execution, all honest parties
always output 0
Claim 2 (continued)
Consider an execution of π together with
protocol ρ and a single corrupted party P1:
Party P1 waits until it receives r2 from P2 as
part of ρ and can define r = (r1,r2)
P1 defines s = r and sends s to P3
P3 uses s as its input into ρ and it follows that r
equals its input
We have that the honest P3 always outputs 1
(instead of 0)
Conclusion: ρ is not secure under concurrent
general composition
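A small simulation of Claims 1 and 2, added here as an illustration and not part of the original slides: honest P1 and P2 run ρ stand-alone with P3's input fixed in advance (P3 essentially never outputs 1), and then ρ runs as a subroutine of π where a corrupt P1 delays its π-message s until it has seen r2 (P3 always outputs 1, while the ideal call to f would give 0). Bit strings are modelled as '0'/'1' strings and the scheduling of π and ρ is written out explicitly.

```python
import secrets

def random_bits(k):
    """Uniform k-bit string written as '0'/'1' characters (k >= 1)."""
    return format(secrets.randbits(k), f"0{k}b")

def p3_decide(from_p1, from_p2, x3):
    """P3's rule in rho: output 1 iff both received copies of r agree and equal x3."""
    return 1 if from_p1 == from_p2 == x3 else 0

def ideal_p3_output():
    """Ideal call to f(x1, x2, x3) = (0, 0, 0): P3 always receives 0."""
    return 0

def stand_alone_rho(n, x3):
    """Stand-alone rho with honest P1 and P2; P3's input x3 is fixed before the run.
    P1 and P2 exchange random halves r1, r2 and both send r = (r1, r2) to P3."""
    r = random_bits(n // 2) + random_bits(n // 2)
    return p3_decide(r, r, x3)

def composed_rho(n, corrupt_p1):
    """pi with a subroutine call to rho, concurrent scheduling made explicit:
    pi says P1 sends s to P3 and P3 then uses s as its input to rho.
    A corrupt P1 first runs the r1/r2 exchange of rho, learns r2, and only
    then sends s = r in pi; its rho messages themselves stay honest."""
    r1 = random_bits(n // 2)                  # P1's half, sent to P2
    r2 = random_bits(n // 2)                  # P2's half, sent to P1
    r = r1 + r2                               # both define r = (r1, r2)
    s = r if corrupt_p1 else random_bits(n)   # pi-message from P1 to P3
    x3 = s                                    # pi: P3 feeds s into rho as its input
    return p3_decide(r, r, x3)                # P1 and P2 both send r to P3

def success_rate(trial, trials=1000):
    """Fraction of runs in which P3 outputs 1 (the deviation from the ideal 0)."""
    return sum(trial() for _ in range(trials)) / trials

if __name__ == "__main__":
    n = 64
    print("stand-alone, honest:", success_rate(lambda: stand_alone_rho(n, random_bits(n))))
    print("composed, honest P1:", success_rate(lambda: composed_rho(n, False)))
    print("composed, corrupt P1:", success_rate(lambda: composed_rho(n, True)))
    print("ideal P3 output:", ideal_p3_output())
```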
(Rough idea) Proof of Theorem 2
By contradiction
Protocol ρ is secure stand-alone, but not secure in composition
with π
There exists an adversary A which can foil the execution of ρ when run with
π, i.e. the result is not the same as if a trusted party for f were used instead
of ρ
Build a stand-alone adversary Aρ which breaks the stand-alone security of ρ
Aρ basically runs A internally and simulates all the parties
for the communication which relates to π, and for ρ it
communicates with the real parties and transfers the
messages to A
Proof of Theorem 2 (cont.)
If the simulation Aρ provides for A is “good”, then the stand-
alone distribution of ρ is the same as when it
is run with π
Thus, the output of ρ in this stand-alone execution is not the
same as the output of the ideal execution
And we have broken the stand-alone
execution (contradiction)
Complication for Aρ
Creating a simulation which seamlessly
matches the execution of the real ρ with the
simulation of π
For this, Aρ has to guess the inputs and
random coins of the honest parties – low
success probability
This is why perfect security is crucial: we only need
the attack to succeed with non-zero
probability
Discussions on Theorem 4
Recall the theorem: black-box straight-line
simulation + initial synchronization implies security
under concurrent general composition
The basic idea:
Consider the counter example
If initial synchronization is used, all of the
arbitrary protocol (honest party’s inputs and
random-tapes) until the protocol starts can be
auxiliary input in a stand-alone execution
Importance of Theorem 4
Adds to our understanding of what is needed
for obtaining security
Black-box straight-line simulation
Inability to have inputs depend on randomness
of the same execution
A useful tool
Definitions for obtaining security under
composition are complex
Using this theorem, it suffices to work in the
stand-alone model (and add initial
synchronization)
Conclusions
Stand-alone security does not imply security under
concurrent general composition
Even in the information-theoretical model
Information-theoretic security does imply some sort
of security under composition
Black-box straight-line statistical security suffices for obtaining
concurrent self composition with fixed inputs
Black-box straight-line perfect security suffices for obtaining
concurrent general composition
Black-box straight-line + initial synchronization
suffices for obtaining concurrent general composition