First ish
This commit is contained in:
=
parent
0cfd7781ba
commit
0fa180911b
|
|
@ -0,0 +1,62 @@
|
|||
* Protocols with Trusted Dealer (week 2 & 3)
|
||||
** Intro
|
||||
- We assume we have a trusted dealer, which is just a third party whom we can trust to not cheat. The main idea is that this trusted dealer will be used within some subprotocol within the larger protocol, such that the trusted dealer does not necessarily know what goes on, he does not learn your input and he is required to get unconditional security within 2PC.
|
||||
** Protocols with Passive Sec
|
||||
*** OTTT
|
||||
- Easy to explain and go through, which is why we will use this to illustrate the concepts
|
||||
**** Security of passive OTTT
|
||||
*Alice*
|
||||
- We need to construct a simulator that, given the input and output, is computationally indistinguishable from the views.
|
||||
- The views for OTTT are defined as: $$ view_A = \{x, (r,M_A), (v, z_B) \} $$ and $$ view_B = \{y, (s, M_B), u \}$$
|
||||
- According to the book, as this is a deterministic function, we can look at the distribution of outputs and the views separately.
|
||||
- *Alice*:
|
||||
1) The simulator gets as input $x \in \{0,1\}^n$ and $z \in \{0,1\}$
|
||||
2) Sample uniformly a random $z_B \in \{0,1\}$, a random $v \in \{0,1\}^n$ and a random $r \in \{0,1\}^n$
|
||||
3) Construct M_A : \forall (i,j) \neq (x+r,v): choose $M_A[i,j] \in \{0,1\}$ uniformly at random. Define $M_A[x+r,v] = z \oplus z_B$.
|
||||
- In both the simulated and real case, the values $r, v$ and $M_A[i,j]$ for all $(i,j) \neq (u,v)$ are chosen uni-randomly.
|
||||
- The pair $(M_A[u,v], z_B) is in both cases a pair of random bits s.t. $z = M_A[u,v] \oplus z_B$
|
||||
|
||||
*Bob* TODO
|
||||
1) The simulator gets as input $y \in \{0,1\}^n$ and $z \in \{0,1\}$
|
||||
2) Compute $u \in_R
|
||||
|
||||
*** Others
|
||||
- We have BeDOZa but due to the time limit on this, I will not go through it, but we can save it for after the presentation.
|
||||
** Enhancing OTTT
|
||||
*** How does OTTT fail for Active Corruptions
|
||||
**** Alice
|
||||
- What does Alice send to Bob? Only the value $u$, which is just $x+r \mod 2^n$. Thus, if she instead sends a value $u'$ s.t. $u' = u + e$ where $e$ is some error, we can essentially transform this into $x+r+e \mod 2^n = (x+e)+r \mod 2^n$ and show that the change in value $u$ just corresponds to using the different input $x+e$. Thus, this is a case of what is known as Input Substitution, which is completely allowed.
|
||||
- Thus, she can not really do anything to learn the input of Bob
|
||||
**** Bob
|
||||
- Bob sends value $v$ to Alice, which is also just input substitution
|
||||
- He can choose not to send anything, but in this case he learns nothing apart from $u$ and we do not mind, as $u$ hides the input of Alice. Furthermore, this can be noticed by Alice, by letting her abort after some predetermined time, if we assume a synchronised channel. Bob can also send an invalid message. This can however be efficiently checked by Alice and can just let her output $z = f(x, y_0)$ for some default input $y_0$, if this is the case.
|
||||
- Bob can however also send a wrong value $z'_b$ of $z_b$. If he sends a wrong bit, it must be the case that he sends $z_b \oplus 1$, which makes honest Alice output $z' = z \oplus 1 = f(x,y) \oplus 1$. If we assume that Alice and Bob are computing a function $f(x,y) = 0$, then we can break correctness by forcing Alice to instead output $1$. Thus, what we need to fix, is enforcing the value of $z_b$ to be correct.
|
||||
*** How can this be fixed?
|
||||
- Message Authentication Codes
|
||||
**** MACs
|
||||
- Brief recap
|
||||
- MAC schemes are three algorithms: (Gen, Tag, Ver).
|
||||
- Gen produces some key $k$ which is used to create a tag on a message, $t <- Tag(k,x)$ and Ver will verify if this tag is correct, given a tag and a message: $Ver(k,t,x)$, thus outputting either reject or accept.
|
||||
- Security is based on if an adversary can efficiently create a tag for a message he has not seen already.
|
||||
**** The fix
|
||||
- *The dealer* does the following:
|
||||
1) Choose two shifts $r \in \{0,1\}^n$ and $s \in \{0,1\}^n$ *uniformly at random*
|
||||
2) Choose matrix $M_B \in \{0,1\}^{2^n \times 2^n}$ *uniformly at random*
|
||||
3) Compute a matrix $M_A$ s.t. $M_A[i,j] = M_B[i,j] \oplus T[i-r \mod 2^n, j-s \mod 2^n]$
|
||||
4) Generate $2^{2n}$ keys for a $(1, \epsilon)$-secure MAC i.e. \forall i,j \in {0,1}^n define $K[i,j] \leftarrow Gen()$.
|
||||
5) Generate MACs for values in $M_B$; i.e. \forall i,j \in {0,1}^{n} define $T[i,j] \leftarrow Tag(K[i,j], M_B[i,j])$.
|
||||
6) Output $(r, M_A, K)$ to Alice and $(s, M_B, T)$ to Bob.
|
||||
- *The protocol*:
|
||||
1) Alice computes $u = x+r \mod 2^n$ again and sends this to Bob
|
||||
2) Bob computes $v = y+s \mod 2^n$, $z_B = M_B[u,v]$ and $t_B = T[u,v]$ and then sends $(v, z_B, t_B)$ to Alice
|
||||
3) If $ver(z_B, t_B, K[u,v]) = reject$ or no valid message is received, Alice outputs $f(x, y_0) = z$, else $z = M_A[u,v] \oplus z_B$.
|
||||
**** Security
|
||||
- This is no longer strictly deterministic, most likely since the MAC scheme fails with probability epsilon, thus we have to show this works for the joint probability of the views and the output.
|
||||
- The proof is a reduction to breaking the underlying MAC scheme, if we can break the OTTT protocol.
|
||||
- *The simulator*:
|
||||
1) Sample random $s, M_B$, generate keys $K$ for the MAC scheme and compute MACs $T = Tag(K, M_B)$ (for all entrances) and send $(s, M_B, T)$ to Bob (so the simulator replaces the trusted dealer).
|
||||
2) Sample a random $u$ and send it to Bob (replacing the honest Alice)
|
||||
3) If Bob does not output anything or output an invalid message, or output a triple $(v', z'_B, t'_B)$ s.t. $z'_B \neq M_B[u,v]$, the simulator inputs $y_0$ to the ideal func. Else the sim inputs $y = v' - s$ to the ideal func.
|
||||
- *Proof*:
|
||||
1) /The view of Bob/ is distributed as the normal scheme, since $M_B, r$ are uni-random in both experiments and $u = x+r$ with random $r$ in the actual protocol, $u$ is also random.
|
||||
2) The output of Alice is distributed identically, except for the case where corrupt Bob sends a triple s.t. $ver(K[u,v], t'_B, z'_B) = accept$ meanwhile $z'_B \neq M_B[u,v]$: in which case the real Alice would output $f(x,y) \oplus 1$ as previously discussed, but the ideal Alice would output $f(x,y_0)$. This Bob can however be turned into an adversary for the underlying MAC scheme, which is assumed to be secure, thus completing the proof.
|
||||
Loading…
Reference in New Issue