cGqc;v$mX1h2 _Ck16sO#.8D>(ٳ˕*m~NEFcJ^sɥPY"rcn:b+ۥF_x'ɦTђJJj=jTx.WiFdx;q~Į1۩Զԡ'=7];r3{0$4T7vN!NjFHCUkKXVr!(kcr' lL [)DI"VD>pxo]F;F/ (^s:WlBJ KtLI!4^[5c6>QUϨ`Pik]+jՐr M#^/ؼjۓpb`^j35vߥ'^a0x,I@ny_jGƂ18lnjI4. J[m//w֛!p;|`b?dv-ScW6@#r#ZV*! t>Erd29~fo鼊c2; F3.M#Qy6NjG=}C@Y"7q FWc7'ʇ[)fy/GT5JIIRKt"U!UiVy|3l*rNK@1jMbiۑ>>rܶ^N?n(0}EZ ϧKqQ֞LX7帄#лdTZ/-X&cKJu~ƩST^uR)vUt~A:mnΗ>,7CAKUpB#tI+?cDƶpF?v%a{jI.RȜR_r|%MzpzLHvIUNsj"Ѥ%xU38->cȼ(!/ &_:ڥ'u*^7hr{xN 3YߛQJG}B1]&@yb o1]*%S#5h0rx5 aN(UVJK%и:33"[%-APH<2plן0&S.e`G/k`XW.66!".\uu._t`DbdC{bh|&u. ==FP2nAKg%Rtx5zDǰFJ Jw8Qu| ]N ݳ:!^ I ykW7B` Qy0*_#4>phݮ4Ux1D7H`юحARZYsJ/K=4[^$MUMNX!O1䴊jp"Z'6mLfVҲm[bnSYө( |Q |K֫% nwBfJac7ؖTʜpnۿmd;JI,iV[8m)XQ,)=ݓ6Nct2=jdٙ7+=c8{fU^ۊň\B)_#:/j#wP)z!|g+hДNzR+$MƁ_]L--d3Ui:)$*y`oJ+|U˃zPc1h5S#vGDFl[1{(K.|\>W#p9i Pl.?旷^HAaFGbz1h,.^\<A} ;HsQptYLN2&[}^f`ŉ8I)ЁV9յǵ9&W:mLjvh- id|J!JyKjSPP-Rz!yR;/..yh܄jÙ<֙TYӒR۬6#_QĹ46TG@d$({yVmJoK Ewq mCzn&Jw4{6 w{JMofuJs2%.6dժmKid^yZ>?^! Jba"I`AmD=l!i}0*L=ɔ4P&%,dvN@Y`|)Jc2>:ܸ#Yl7FhQ͙ \@"ayhC.>$ c~bm3ɨ\/%hp7Z' ?ƢwokLGEDR7P9<IENDB`n[l`kKWrPNG IHDRddG ]({V &dg=;#7P2|PN5``d2m_6xq6+߳#=I'gs;m`T{Be;̉k֬ \m$ewpˇlWE-vRR1oG5|'=|ؤjl`T:=GyBŅSUHmRù3.]{f45RN.heosO(?|y~V1(TGDS+6P)&{mG~ǛK"ḙ-L||q+D"wbS!++SdmNPt<ȵ8͙n%N<ݮV8hL >QKPsFre"eƂ|fa 2Aےva2`!TAWm#1 ,X͕Ȧ?V=['Ϲ6WYs@h[Lm,jPr wNb@!Rˇ|"@--YˈG +DJAJVEHEe@1%EҶ+ңčuQ\B.NH$Z\.z% DeUWFEed.@%\r `P'l-]n,R%YQJ&Zh+֓+1KBsyJjWJT};r p:=<\ YuXl:{B1iT*Y?Ĕq.zF[Db#@sseY4Vrg+@r@(A$77?\1#xݻ^+ =y#`*+XfpJÜԱkQ`SudI7*ZKmvGk}Mnf@7MklFsG<ê}vͨaSI˪XT] Yߣ$?%z|fom3/4ٳN!Q{8Fq26{hU6B /wsw%2]BvWN}f coψnv N/A|iji+I~㴄Hak`;c*EQRH;0H:މrЀKڃ n^uwoǦ`CvA3b%"[qF I4r .FѨ/n4j3ǒJdq&֠^jUPDa46b4 B<)2!x% ^}> _}\^^uV\!H$j'ܛ4W~aAJ1C ^"HL_#MM#z\Ey2υ~OK0ux}ǎĂcq *4}"0|199`AaF #33( ɣ}7h4qM1ᓿi͌H` ]KrF6+` H tHtNXc/dH`!N^RJa&XlbdbT8BٕRҢT!E~(F! yavj}Yh$ͶNт0r!@e>z, Ze?Xx@rB`7`(n{n70Gup K@7HH <6 k4x C};k~pȩm?6LGnsy2M;ѹ97j/.ft(taa~9>o SQ7 '֥AmH@I*VZfDFY_OϙEGV&ns5<w oCNE`=dQƺcPɹ:NDdӳnu<[ay|HLLOf+l{YBӀbx_9\رcQKbMJJJJr>O_ηz IA/|YU}1&3*+,fٖ*2 r١l@`%G=$sƶGQ4hFG^e!UQI.vQf2Udx7+0@ `IckZivߥd0 dV/<]@ w|֩z˞GĀ-k2 ߛ!!Ibf/ XcBnuaϞX>z0&ΝO9SgkA `^:v9իW/^|Lȱ-PǻMyg- b2ʏd{,{.7܊K%Z]ذkͩ_թ*IENDB`F* ejV&,՝JFIFC $.' ",#(7),01444'9=82<.342C 2!!22222222222222222222222222222222222222222222222222lx"6!1A"Q2aq#BRbr$!1"AQ2Ba?^Nc &0y懌IU晥W[:n$ϺE`S?bOS癭D&8ScxU@?Z($_4Ia e\b7^ tslƭޕ7:cu[XxR8zS %XnI}/wK.nT⼮Zg%mr [hj`XzƲC=U$aDp{sXkZxbq.8;:ƪ{hvdkG%.pE)T1#9 ]X!ȩq"' 2_֍۲H|6v27y?Zpy ՌڝM.r9?ymK\3=mQ)=?)o.ҎcҍLYJFN2ab'k?$rKbIOn\Q-bF_xƘԊαX|jHVu 9qPKMzBUQ4;*O& @2g@0(P|*[ir[bAES^Iym\ĥcWt<7Y\&,gl"=v?S_當1d(2jV6ݣYTbhtTݻ_;uqR\Z\5ưK8|D@'o8.ħv늏sq0~nkו*smG.hr ql a1Afn欖}JEov>gZˢY֞SyP~F/%.F@쌭+2I:Ha\\r@ :StIh(c=F/ˢ]Mm-!vDO8ӊ)\K(PܰQ'jjc,Q3JOpHbQRFq]>8&+@fIaHz"QXY %?!z+}f7HcGƤw@r3J(K4I+#*1IF &Lh(-]ƑN4 'M( )d;nFwLw~g#jǥ"+H#Hfk ]b1sd(pG5+O5r>44}+W;P3٠F]#[]OG=JFIF``Software: Microsoft OfficeC #%$""!&+7/&)4)!"0A149;>>>%.DIC ;C ;("(;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;Pv"3!1QAaq"#$2rEb$!1A2"4(?w~InJ_cٲne3#RIcfv! kuy'vKP6IPw ɠMK[o#rQ ˨X^ߞLFL6A*~9$4K7A~a9-;sMB5Z1*TL]NHJK+f=09i.Jva7.p^ORX|!F5ůh˔Ҕ*r*̉2ftdW*ȼW0y]&q} BKQcRT$"Pr٠F&PoKiS5mJFIFddDucky<Adobed | !1AQ"a2qB#Rb3rC$c4D%ST5u&6'( !1AQa"q2BRb#C$?xӿO=9ˮ罗LklB吖bI'n3JO#<ޖft ͛^:A%+\;)%,;RY6)zm^SBʪrЀT>ÎU_eCz6wˡ٫'/qP+A/W{3Kg辌Kud|'ۍ/*_W7~wkN,MU PcE,/,'ѝ _k#,T*Iox7~wk휦f4ӊZ vSrƼ_-ߪ]u=.i"c*őq~9UWF[z7L4kYT\".49,+$W~0d+e{M.m2XLy{T|r\jܪ<{InzG۫[yLqa2jZvR67f*2ZrUƾ]tG闶qYt ao,`Br1"n^MRJ}l[MϠU'I-H#_w{:kr*&ۍ W7>w==ȭ6rAMŋq?"FgiZض7> OB]6/eOoo],WO+݈}+.^rRM[ZQҊ}}0sK0zfѬXGhKhpgK1N'*ɝ hh~\#GC"l͕YHمZ(U0 JۄZUb-c?I]]Y]Km1Ar*1Kd39&Еc-i(1Źb:vyӲ*7(Xd˸1LsL`{kE̬|y؊b&*dEsR"f8MsIOpEq9p=ƕ7)l.(HXbb~L,nNaLm\_wI2˒"+A]ًuB)HTDW~kk>c~ ۻg\a`@;pѻIFQ*I6@ٟNyEN"oCH>"Hٲ:S4JLgz9=v $B:Tm@nt6tە)tv{7rX*=EEiڻi5Uy_hȮrR_K]n?A$V*GPW5bjr{6U)&)Q,ر1Z(]FhbHrBi$L 2r37g/.Z_ܾM0å($۳=uMy N'э'q2U_Lj38uW .'5&l&e#b߀l{՜UBw,A'ScxaR~mMvĮ]yGg;iXO뮯Ӭ,zjY3U ލb^ >Uazu9b"H1>mJnc5+w[Y4m>S QRfΰN|HFㅼ1'EfMoOH-[x(7cE|Vaרn-b7Q4VAa^4oQ]qkkyj ꄔ8&I*B6R+ItZ9|b~q6ڦ۶;CO:]ϪBbiV(*piAuv_,l!s=?u(mF뭚CBX2T#pM&KydJ#Gv,J1Zk R,*-$caQom1k\S0jǦ:I",s.V킃 ܖ%ړ2I!tR»>ƸЖUƕpF8%IA=j]w#t -FOk oOvj֞/?0|z]izg.EӋPTOf;=$(g}+?f'IJ3W{kN&}:Wk6&{%y}q!%Hh (]EYDh'.c%c?4aLo%rZ]t[G"r32U@ajjyk3>-Ƥd1MEX!R:)wFXUӚ{vjEպ r <^}֓QT{Mns\cZ;I'Nh8Rh-q'3sHIٿL슈l;+`d4o1rT_k"N2*jFp ¹vD;1#mqLӑ@zo}:TwJNHpSS?vXī*r#%b^//i_6dsһw@@j+b8r9!FMx a[!2wVrZ\+lN~Ppc*bNZ!*6ahP ^R8D!G]JԒ~|l2EԮEjV]RŘx|o~~k]KODYemkiAAn(ơG&y>r,FHO9<''18Tɚ<[9?a]<~skJ>Hm<3XwoMq1;n?r_n->(Ko՚l*,RTܿ_V{SCpȟяBmfA7jQ#xOj&R Y%L鳣H|+aWZ]tLxlN3E7WR412F VJQo$|`S;5_MOF/Tԉ6U_dTg1M[Ox'q$<\%5Ю9mI?&7| +<)@n\x_4u²=lydc$ `c^ꓼf9:1A%nSXĐGA)@^x3U@;[sO~V (l\*fӴp1^b֯,֤hy גNKmcl)`t8c`f6ߜc;µ-[Ai}k$(GUQ1so,0gߘ\juE czܴCӏ;ݎ0#k`OBu짘e3[=N[tZX3Ț6;Sm V*1myb7u]=?8X|X DcҁM+C$hU:I ͉J>Cr6ɤibYij% כU6s"Ɵ(N]kڲqԭ)"ߔ_TrFMR_M>֎7VZ`Q~.VfieUNgevn*gqq_ 0Bw;2-VLM;Ff 3EM$H$#(F(pVԓ<Wa>/SmoӅp%ĠĮP=62jΥ9$\t-m._QMNυ-f'mh%+ʗDGă+wźJj}msذ6SL~sy~Z?7+ O ~.@ўVr^|n QI3NZd6=uDYTwb 5߶%0-ߖy6n60?r6 ^L5*qD=dٶ v'kSaGxè[|5ħ/6xnN%4RV[Nȭ=1}&.FAi߉^CY乌 Q5 +\|6Ï|sյ![V[:Rh#ExP>,]:0J;c= _Q;fB*=xY1yoef`{F/T)+.K1h0@G2>2ѰFgl'V3؉mbũpuIbOK{KU6dZКw18y*8.;2bޚL<59{{qSPSn㷐xeo="r>vLEUc'QiXUMY`2D{$#(VHx< %p_Ue4no_Ε#ŗRBXSF;*1!jD)ю^ݕ1zw?3FIz "y2HbQyv+.SdmcatQ1qq]1/LA}haǨkceP͛LhPlZ45}h"MKq"ǰB#F$i'FIV*=/N^h.Khxe`֯FE 'ar] x2]pp2FwiF &*Z~tuޓ.'61" x"ѵ'#ddaU 1˴so"KwI{ ¾3qw⟘=Y{}4Gtڌ j0Uˀ$`JIԪi6 [OћO"RY6ڼVE+Q?[\mpIg&Wz"y.q̡f`NW8B]#ak[J(ޕ`HHeiOi5=mWLԴ^xi !LؼxdWPM,;╔QBMjj_yBΕXNn,SiJ7h\ \*G[i@Ae>oo@G Fz]$q"fK)Mztbl@feP:U"z] 4i$T\2M(fGב[B%V`|@ȺWz{ĶK%%)J@.vTxm:i8[A4UFCqǽ/:v|p~%m隍;6h'(iE 8$i>5ٟqũ/WzNā"XIeGqT$uh,yʱEF3 xB\{/PHmEq3MC~YY5dHxlV3(|lb5i٭W*K9faFUN]^ٽYլ3co˚lTXQIojxy`5B[8n5icx~;T 9ߔtcx|ϘpRٻ_go5zObK}Y*"6Z{ltW*A#nnt7Q(Wpojs{}4=*hrEd=BYbGڴGU@WK1jw0ͦ6&(s"28KCEf4%[ʴ tsqqmqp)8Nb{$e#^Yy=9SS;$$URC*|W!hU.R}14RC.ziMd-V6DauYH sEyͬ{]^j o=43*F)2n,R8z 9Ieﯬn-eOs]o7FY cfep;MFqpMŨVPC3k>ccfz+;;bx^ߓ5t'Q[ϐy?/˧ß%3SeqV Ϻ^sL :ߺܕ1L~_;醍k=ʔ+h?+ o)*sf9&-㦾JaݿOs~U>eïekp8i]r/ C.|3-TH"lcɛ OÛ~@Ů y=2&^Wɗ()h<p>;syV^q8iOwa'XZge9n{JlNIWYâgq+eɛ50'"d~#y?)y#\NnOԯ N>y?G9LyJ.]>?h+fs+>_h^5Bk\O;Wsʜl_E1M?)ZoE}/ￗ90~S?^kg 8|JܵGOgK'9/ۓwev}>ҳ~ v}?/'! L[)߷iB}M{'^oʸ]ف'G?p8>lF+N iS( /0DAriallacpv00"DTimes New Romanv00 DWingdingsRomanv000DArial Blackmanv00"@DTahomalackmanv00"PDSymbollackmanv00@. @n?" dd@ @@`` k5&H-&H-H 4$#$"$$$$$b$e*wFIt١EZb$_;?ur~09eC4b$[l`kKWr0R$ejV&,՝2 BR$]#[]OG=KR$PoKiS5m&Q0AAP3uki@ip\]ʚ;)+ʚ;g4BdBd$0ppp@<4ddddPh0H<4BdBdP̨0qi___PPT10I ``.(IBM_User.6? %ہ^+=Information-Theoretic Security and Security under Composition>>*\Eyal Kushilevitz (Technion) Yehuda Lindell (Bar-Ilan University) Tal Rabin (IBM T.J. Watson)]A3C_,Secure Multiparty ComputationA set of parties with private inputs. Parties wish to jointly compute a function of their inputs so that certain security properties (like privacy, correctness and independence of inputs) are preserved. E.g., secure elections, auctions& Properties must be ensured even if some of the parties maliciously attack the protocol."Xn"7`-Secure Computation TasksExamples: Authentication protocols Online payments Auctions Elections Privacy preserving data mining Essentially any task& * q qb0Defining SecurityThe real/ideal model paradigm for defining security [GMW,GL,Be,MR,Ca]: Ideal model: parties send inputs to a trusted party, who computes the function for them. Real model: parties run a real protocol with no trusted help. A protocol is secure if any attack on a real protocol can be carried out in the ideal model. Since no attacks can be carried out in the ideal model, security is implied.G_3 & ( D&5C c1The Real Modeld2The Ideal Modele3The Security Definition: f4The Ideal Adversary/SimulatorHow is security proven? The ideal-model adversary is actually a simulator The simulator simulates a real execution, while interacting in the ideal model The simulation looks just like a real execution& Important categories of simulators Black-box versus nonblack-box simulators Rewinding versus non-rewinding simulators Non-rewinding is also called straight-line ZZ#ZSZ-Z#S-. g g5More Details on the DefinitionWhat does it mean that the real and ideal executions look the same ? Perfect security: the distributions are identical Statistical security: the distributions are statistically close Computational security: the distributions are computationally indistinguishablexF5!+9h6Two Basic ModelsInformation-theoretic model Unbounded adversaries Perfect or statistical security Seemingly, no real need for perfection Computational model Polynomial-time adversaries Computational security 6)36)3i7DReal Execution Possible Settings\The stand-alone model A single execution of a single secure protocol (or a single execution under attack) The classic model of computation Security under composition Concurrent self composition: many executions of a single secure protocol Concurrent general composition: many executions of a secure protocol together with arbitrary other protocolsvu - M|KSecurity under CompositionConcurrent self composition Many executions of a single secure protocol look just like many calls to an ideal trusted party [FS,DDN,DNS,RK,& ] Concurrent general composition Many executions of a single secure protocol with an arbitrary other protocol look just like many calls to an ideal trusted party, together with a real arbitrary other protocol [DM,PW,Ca] Modeled by considering an arbitrary protocol that contains subroutine calls to the secure protocol Models the real world the Internet is the arbitrary protocolr____r)>^j8rFeasibility of Secure Computation The Stand-Alone Model :(&&UA fundamental theorem: any multiparty functionality can be securely computed in the stand-alone model: Computational setting: for any number of corruptions and assuming (enhanced) trapdoor permutations [Y86,GMW87] Information theoretic setting: for a 2/3 honest majority (or regular majority given a broadcast channel) [BGW88,CCD88,RB89,B89]ngQ, #bk9tFeasibility of Secure Computation Concurrent Composition ;$&&gAny multiparty problem can be securely computed under concurrent general composition: No honest majority: assuming (enhanced) trapdoor permutations and a common reference string [CLOS02] Honest (or two-thirds) majority: [Ca01] relying on [BGW88,CCD88,RB89,B89] Notice: these are exactly the information-theoretically secure protocols for the stand-alone modelVcV Jl::Information-Theoretically Secure Protocols and Composition;;&jFolklore: information-theoretic protocols are secure under concurrent composition (at the very least, all the known ones have this property) Related folklore: if a protocol is proven secure using a black-box non-rewinding simulator, then it is secure under concurrent composition Note: known information-theoretic protocols use black-box non-rewinding simulationlS ez(m; This WorkUnderstand the conjectured connection between information-theoretic security and security under composition Deepen our understanding of these notions Derive a corollary that simplifies the task of proving security under composition 2l}l|n<Theorem 1: Counter ExampleThere exist protocols that are: Statistically secure in the information theoretical model, as stand-alone Proven secure using a black-box straight-line (non-rewinding) simulator but are not secure under concurrent general composition t : L &o= Theorem 2:BEvery protocol that is: Perfectly secure in the information theoretical model, as stand-alone Proven secure using a black-box straight-line (non-rewinding) simulator is perfectly secure under concurrent general composition [DM00] proved a similar result, but used a strictly more stringent notion of stand-alone security~;bL'bp>CorollariesCorollary 1: [BGW] (error free version) is perfectly secure under concurrent general composition (assuming a two-thirds majority) Corollary 2: It suffices to prove perfect security in the stand-alone model& Note: perfectly secure protocols have an advantage over statistically secure protocols Security under concurrent general composition is obtained for free \'EvA WEq? Theorem 3:eEvery protocol that is: Proven secure using a black-box straight-line (non-rewinding) simulator is secure under concurrent self composition with fixed inputs This is a weaker security guarantee, but gives some justification to the folklore The result is of interest for statistical and computational security, and holds for any number of corrupted partiesH@RtRtX Corollary[CCD,RB] are secure under concurrent self composition with fixed inputs Again, the above is a relatively weak security guarantee, but explains/justifies the folklore$; _tBDisturbing Point+It is widely believed that known statistically secure protocol are secure under concurrent general composition We have only proved security under concurrent self composition with fixed inputs Is there an additional property that would make such protocols secure under concurrent general composition?JoQloQMuCDifferent (Simple) PropertyInitial Synchronization Each party announces that it is ready to start Before starting, each party waits to receive notification from all other parties This enables an easy denial of service attack (but this is in some sense impossible to prevent in this model):oovD Theorem 4:2Every protocol that is: Proven secure using a black-box straight-line (non-rewinding) simulator, and Has initial synchronization is secure under concurrent general composition This holds for perfect, statistical and computational security (not needed for perfect), and for any number of corrupted partiesi1$&?(wE Corollary*It suffices to prove security in the stand-alone model using black-box straight-line simulation: Given such a protocol, can add initial synchronization and security under concurrent general composition is implied This gives a useful tool, simplifying the task of proving security under compositionLauUau=xFHigh-Level Summary of ResultsCounter-example: Straight-line black-box security does not imply security under concurrent general composition (even if security is statistical) Security under general composition is implied by: Perfect security, straight-line black-box simulation Straight-line black-box simulation, initial synchronization Security under self composition with fixed inputs is implied by: Straight-line black-box simulation2qA#2qA#yGThe Rest of This TalkSProof of counter-example (Theorem 1) Idea behind the proof that perfect-security with black-box straight-line simulation implies security under concurrent general composition (Theorem 2) Idea behind proof that black-box straight-line simulation with initial synchronization implies security under concurrent general composition (Theorem 4)NT (CT#Proof of Counter Example&NThe counter-example utilizes the fact that: In the stand-alone model, inputs are fixed at the beginning In the setting of concurrent general composition, inputs can be determined dynamically, and dependent on other protocols Recall: a protocol is secure in this setting if an execution of an arbitrary protocol with the real secure protocol looks like an execution of the same arbitrary protocol together with ideal calls 8,,V Proof of Counter-Example (cont.)Our counter-example uses a specific function and specific protocol (in the setting of an honest majority) The function: f(x1,x2,x3) = (0,0,0)tyzH Proof of Counter-Example (cont.)jA secure protocol for computing f: P1 and P2 choose random r1 and r2 of length n/2 and send the strings to each other P1 and P2 define r = (r1,r2) and both send r to P3 If P3 receives the same value from both parties and it equals its input, then it outputs 1, otherwise it outputs 0 P2 and P3 both output 0% %T #V%pClaim 1: Security of Protocol in the Stand-Alone Model99&6We assume an honest majority, so at least one of P1 and P2 are honest This implies that the string r received by P3 equals its input with probability at most 2-n/2 Thus, P3 outputs 1 with negligible probability Simulation in this case is easy (and is black-box straight-line) Security obtained is statistical!2+ _{IClaim 2: Insecurity of Protocol under Concurrent General CompositionGG$ &Consider the following arbitrary protocol P that contains a call to f: P1 sends a random s to P3 P1 and P2 send the input 0n to the trusted party computing f, and output whatever they receive back P3 sends the string s to the trusted party as its input for the computation of f, and outputs whatever it receives back Note: in the ideal execution, all honest parties always output 0ZI__A_) ):(1}JClaim 2 (continued)Consider an execution of P together with protocol and a single corrupted party P1: Party P1 waits until it receives r2 from P2 as part of and can define r = (r1,r2) P1 defines s = r and sends s to P3 P3 uses s as its input into and it follows that r equals its input We have that the honest P3 always outputs 1 (instead of 0) Conclusion: is not secure under concurrent general composition:UZZAZ + &c(Rough idea) Proof of Theorem 2 &By contradiction Protocol secure stand alone, not secure in composition with Exist Adv A which can foil the execution of when run with , i.e. not the same as if using a trusted party for f instead of Build a stand-alone adversary A which breaks the stand-alone security of A basically runs A in its belly and simulates all the parties for the communications which relate to , and for it communicates with the real parties and transfers the messages to AD 4-A!*e FdProof of Theorem 2 (cont.)If A simulation for A is good then the stand-alone distribution of is the same as when it is run with Thus, output of in this stand-alone is not the same as the output of ideal execution And we have broken the stand-along execution (contradiction) $`A$e(Complication for A ^Creating a simulation which seemlessly matches the execution of the real with the simulation of For this A has to guess the inputs and random coins of the honest parties low success probability This is why perfect security is crucial, we need the attack to succeed only with non-zero probability Hdd n #NhSProof of Theorem 4Recall the theorem: black-box straight-line simulation + initial synchronization security under concurrent general composition The basic idea: If initial synchronization is used, all of the arbitrary protocol (honest party inputs and random-tapes) until the protocol starts can be auxiliary input in a stand-alone execution The remainder of the proof is like Theorem 2, except that the stand-alone adversary always succeeds (given the appropriate auxiliary input)vAQ0UImportance of Theorem 4[Adds to our understanding of what is needed for obtaining security Black-box straight-line simulation Inability to have inputs depend on randomness of the same execution A useful tool Definitions for obtaining security under composition are complex Using this theorem, it suffices to work in the stand-alone model (and add initial synchronization)tC_g___Cg9cTConclusionsStand-alone security does not imply security under concurrent general composition Even in the information-theoretical model Information-theoretic security does imply some sort of security under composition Black-box straight line statistical suffices for obtaining concurrent self composition with fixed inputs Black-box straight-line perfect suffices for obtaining concurrent general composition Black-box straight-line + initial synchronization suffices for obtaining concurrent general compositionR*Rh5*/#F7hYZProof of Theorem 2We wish to prove that stand-alone perfect security + black-box straight-line simulation security under concurrent general composition Note: relying on previous work, it suffices to consider a single execution of the secure protocol with an arbitrary other protocolX[Proof of Theorem 2 (cont.)(Step 1: construct a simulator for the setting of concurrent general composition Need to deal with the messages of the secure protocol and the arbitrary protocol P The messages of the arbitrary protocol P are sent between the real adversary and the external parties The messages of the secure protocol are dealt with by the stand-alone simulator for the secure protocol (that is guaranteed to exist)PEP6(dc\(Step 1 Graphically ]Proof of Theorem 2 (cont.)Step 2: prove that this simulator meets the requirements By contradiction, assume that the real adversary causes the output to be different This implies that there must be a difference between the output of a real execution of the secure protocol and the ideal output This adversary is then used to contradict the stand-alone security of the protocolB9*9k^(Step 2 Graphically _Proof of Theorem 2 (cont.)nThe entire arbitrary protocol is internally simulated by a stand-alone adversary attacking the secure protocol The stand-alone adversary plays the honest parties for the arbitrary protocol; otherwise the real honest parties are invoked If this simulation is good , then the result is the same as in the setting of concurrent general composition By the contradicting assumption, this will imply failure of the stand-alone simulator for LoZIZRG`8Step 2 (cont.) Graphically aProof of Theorem 2 (cont.)0Problem: In order for the stand-alone adversary to simulate the arbitrary protocol, it needs to guess the honest parties inputs and random tapes This guess must lead to the same inputs that the real honest parties use in the secure protocol What is the chance of this happening?J & W2`&bProof of Theorem 2 (cont.)4Almost nothing! In general, the probability of guessing correctly is exponentially small The main point of the proof: The protocol is perfectly secure This implies that the adversary cannot succeed with even an exponentially small probability But, we constructed an adversary that succeeds with exponentially small probability Conclusion: the stand-alone simulator fails with this adversary; contradiction.IPIEf ` fff33` 3KI3ff` 33ff` /p` 3%*3|` Jy3fff3f` 3ff3̙` 33ff33` DDyq3f` ̙3n` w3ff` }ff>?" dd@,3?nKd@ P nA@F`d n?" dd@ @@``PR" @ ` `2p>>~v@( 6J #"`` = @* 6T #"`` ` B*(T X "X Nhd#"`P 20 6d#"`U 00 S"UY * c$<"YW * c$h%"YU * c$P" * S#"`SV 00 S|/"Y * c$;"X * <ؤ #"` ` T Click to edit Master title style! !$ 0L " `p RClick to edit Master text styles Second level Third level Fourth level Fifth level! S 6 #"`^ ` >*H 0h ? }ffD<___PPT10.. 07 Pixel _ W P( bT " TE d #" 20 c$@E "9)e 00b e #"e S0"ie 00 S4"9) 00 S"0 00 S"?e 00 SE ") 00 S"?G 00 S,"oG 00 S"9G 00 S쟆"iA 00 Sh"A? 00 6 #"`` ` >* 6D #"`` @* 6, #"`` ` B* 0 "P T Click to edit Master title style! ! 0Զ " P W#Click to edit Master subtitle style$ $H 0h ? }ffD<___PPT10.. 07G ` 3Wo+ff3̙` 33f33̙3` ! <yxG`wglZff` yE[AQpff3k` 31m̙3f` 3333̙3` O~̙Zƺ` ffff̙` ǵfZƺ` fff3fZ̙>?" dd@*?nZd@`K `7@d` n?" dd@ @@``PR @ ` `0p>>ph ( T ` "` 6AE " 20\ }` "}` 6dDE "}` 20B s*DjJ"`,$D 0 6$HE "@`E T Click to edit Master title style! !$ 0~E "@`E RClick to edit Master text styles Second level Third level Fourth level Fifth level! S 0E #"`b@ E >* 0E #"``@ E @* 0ЋE "``E @* `B s*D"H 0h ? 3333̙3___PPT10i. 3l+D=' = @B + Layers ! ( ,T " 68=C "P 20L\ " <|;C "p 20 <lCC "0 `s 20hB s*Dp"p\ Pp "Pp 6THC "pPp 20B s*D"p,$0 6HKC "`@C T Click to edit Master title style! ! 6MC " `@ C W#Click to edit Master subtitle style$ $ 0QC #"`b?C >* 0lUC #"``Aa C @* 0ZC #"```C @* H 0h ? 3333̙380___PPT10. 3l} $( r S4ME @E r S yE `@ E H 0h ? 3333̙3___PPT10i.e+D=' = @B + <( ~ s*@` ~ s*U@` H 0h ? 3333___PPT10i.H@5??+D=' = @B + <( ~ s*@` ~ s*$@` H 0h ? 3333___PPT10i.+D=' = @B + @6( ~ s*\C @` C x c$XC @`C H 0h ? 3333___PPT10i.pl&"+D=' = @B + P. ( ~ s*8@` fAuser&laptop XB 0DjJ` P XB 0DjJX H XB 0DjJX H XB 0DjJX H ^B 6Do` PP <C p|P 3x <C + AProtocol outputRB s*DRB s*D <LC p 3y <lC AProtocol outputRB s*DJJRB s*DJJF X @ b lACopy of laptop 0 ` " bAblue-icon(XH 0h ? 3333___PPT10i.)kR+D=' = @B + &`( ~ s*C @` C < C @T` 3x <lC P 0p Of1(x,y), RB @ s*D` <tC 3y <PC 7@ Of2(x,y), RB s*DaaRB s*DP <C 1xRB s*D <C Mf1(x,y)*RB @ s*D @ <C 1y @ <C v w Mf2(x,y)*RB s*DP RB s*Dpp RB s*D F X 7@ b lA Copy of laptop 0 `C " bA blue-icon(XC d c<A user&laptopc#X c0A judge H 0h ? 3333___PPT10i.0R+D=' = @B +p LDp( L X #Ls b NA Copy of laptop"` 0 `C " DA blue-icon"`(XC L X #% b NA Copy of laptop"` 0 `C " DA blue-icon"`(XC r 6C U BC "`S` 9IDEALB$ BC "`S 8REALB$ @ BC "`I C ? Trusted partyBB `D?? 0@B fZD?? 0@ BC "` c NProtocol interaction FB 3rD??` ` B 0DoP @,$D 0nz 0 0,$D0 B<C "` :`N pp0 pp0ZB s*DԔppZB s*DԔp p0x c$ C @` C ZA judgemR C r c<A user&laptop"`2 r c<A user&laptop"`=> u z . n . n ,$D0 B ZC ??. iFor every real adversary A20 BFV C&A hacker n z S S ,$D0 ZC ??S ithere exists an adversary S20 BFX C(Ahacker3:T H 0h ? 3333 ___PPT10 .pq*o+"DDx ' = @B D3 ' = @BA?%,( <+O%,( <+Dj' =%(D' =%(D+' =4@BB BB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =-g6Bfade*<3<*D' =%(D7' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =-s6Bwipe(left)*<3<*D' =%(D+' =4@BB BB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =-g6Bfade*<3<*D' =%(D' =4@BBBB%(D' =1:Bhidden*o3>+B#style.visibility<*%(D' =%(D+' =4@BB BB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =-g6Bfade*<3<*+ 6( ~ s*B @` B x c$B @B H 0h ? 3333___PPT10i.c+D=' = @B + <( ~ s*)@` ~ s**@` H 0h ? 3333___PPT10i.H!w+D=' = @B +} $( r S@` r S`@` H 0h ? 3333̙3___PPT10i.e`+D=' = @B +} $( r S>@` r S?@` H 0h ? 3333̙3___PPT10i.ez$+D=' = @B +} @$( @r @ SH@` r @ S$s@ H @0h ? 3333̙3___PPT10i.3e@+D=' = @B + y( r S4@` r S@` M <<~py* Note: in the case of no honest majority, the security requirements are not exactly the same (i.e., no fairness or guaranteed output delivery)8gH 0h ? 3333̙3___PPT10i. e|O+D=' = @B + 0( x c$h@` x c$|@` H 0h ? 3333̙3___PPT10i. e|O+D=' = @B +} $( r S@` r SH@` H 0h ? 3333̙3___PPT10i."e+D=' = @B +} $( r S @` r S @` H 0h ? 3333̙3___PPT10i.&ezZ+D=' = @B +} $( r S@` r S8B @` H 0h ? 3333̙3___PPT10i.'e 6+D=' = @B + \( x c$!@` c$!@`<$D0 H 0h ? 3333̙3___PPT10n.'e 6+YDB' = @B D' = @BA?%,( <+O%,( <+D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*C%(+} $( r S.@` r S(@` H 0h ? 3333̙3___PPT10i.'eЩ+D=' = @B + 00( x c$T9@` x c$P:@` H 0h ? 3333̙3___PPT10i.'e 6+D=' = @B + 0( x c$TF@` x c$(G@` H 0h ? 3333̙3___PPT10i.(eyr+D=' = @B + pP( r SB @` B S +B#style.visibility<*,%(+} $( r S=@` r S@ @` H 0h ? 3333̙3___PPT10i.*e+D=' = @B + $0( $x $ c$@ @` @ x $ c$ @ @`@ H $0h ? 3333̙3___PPT10i.'e 6+D=' = @B +} ($( (r ( SDg@` r ( Sl_@` H (0h ? 3333̙3___PPT10i.*e~q+D=' = @B +} ,$( ,r , Spb@` r , S|(@ @` @ H ,0h ? 3333̙3___PPT10i.*epW+D=' = @B +} 0$( 0r 0 Ss@` r 0 St@` H 00h ? 3333̙3___PPT10i.+e@+D=' = @B + <( ~ s*,@` ~ s*r@` H 0h ? }ff___PPT10i.Z@K| +D=' = @B +} l$( lr l StU@ @` @ r l SpV@ @`@ H l0h ? 3333̙3___PPT10i.f+D=' = @B +} 4$( 4r 4 S(@` r 4 S$@ H 40h ? 3333̙3___PPT10i.0e J+D=' = @B + @<( ~ s*ܯ@` ~ s*@` H 0h ? }ff___PPT10i.Z-Ng+D=' = @B +} 8$( 8r 8 S@` r 8 S@` H 80h ? 3333̙3___PPT10i.1eK+D=' = @B +} <$( <r < S@` r < S@` H <0h ? 3333̙3___PPT10i.2e+D=' = @B + 6( ~ s*pN@` L x c$# `N H 0h ? }ff___PPT10i.YB7+D=' = @B + <( ~ s*N@` N ~ s*#@`N H 0h ? }ff___PPT10i.Y]uA+D=' = @B + <( ~ s*~@` ~ ~ s*~@`~ H 0h ? }ff___PPT10i.Ye+D=' = @B + `0( `x ` c$"C @` C x ` c$#C @`C H `0h ? 3333̙3___PPT10i.4ex+D=' = @B +} h$( hr h SX@` r h ST@` H h0h ? 3333̙3___PPT10i.OeA+D=' = @B +} d$( dr d Sc@` r d Sd@` H d0h ? 3333̙3___PPT10i.Oe9J+D=' = @B +Qh`P( 3WGfd̙ԔԔ?Thank you! Impactc H 0h ? 3333̙3___PPT10i.`+D=' = @B + `\( x c$T#@` # c$̟#@`<$D0# H 0h ? 3333̙3___PPT10n.4ex+YDB' = @B D' = @BA?%,( <+O%,( <+D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(+ p\( x c$-#@` # c$3#@`<$D0# H 0h ? 3333̙3^V___PPT106.Me@o+YD ' = @B D' = @BA?%,( <+O%,( <+D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*P%(D' =%(Dh' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<* %(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<* %(+ 4( x c$XE#@` # <TP# 2@ @Real Execution <[# .@ AIdeal ExecutionRB s*Do@@fz F ,$D0` 0p BZC# "Honest partieslB <D)p@plB <D) @ <t# ci 6 <X#~e 6PN . . <p#u JReal adversary A`2 0.Kz = =,$D0`2 0\NT ff #ff <4~pg \ JReal adversary A`2 0ff ` 0L BZ~ "Honest partieslB <D)88 lB <D)p0p <d~pW 6P <\=L 4 <= Simulator S <B u= = Trusted partylB <D)Zr <ğP 5fH 0h ? 3333̙3___PPT10.qb+M]D~' = @B D9' = @BA?%,( <+O%,( <+D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(+2 \( x c$w@` c$~@`<$D0 H 0h ? 3333̙3___PPT10.Me+YD' = @B Du' = @BA?%,( <+O%,( <+D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*9%(D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*c%(+A ##<( jz |b > b |>,$D0`2 0i^>`2 0i|b ZB s*D>.^B < 6 H :`"F$x c$@~@` ~ <~ 2@ @Real Execution <h~ .@ AIdeal ExecutionRB s*Do@@0F F ` 0p BZ~ "Honest partieslB <D)p@plB <D) @ <~ ci 4 <~~e 6PN . . <xMu JReal adversary A`2 0.F = =`2 0\NT ff #ff <PMpg \ JReal adversary A`2 0ff ` 0L BZM "Honest partieslB <D)88 lB <D) 0 <tM og 6P <,ML 4 <#M Simulator S ! <6M u= = Trusted partylB " <D)Zr # <HMP 5fH 0h ? 3333̙3=5___PPT10.qb+ CD' = @B D' = @BA?%,( <+O%,( <+D' =%(D' =%(D+' =4@BB BB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =-g6Bfade*<3<*+2 \( x c$TM@` M c$ZM@`<$D0M H 0h ? 3333̙3___PPT10.Mep!+YD' = @B Du' = @BA?%,( <+O%,( <+D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*o%(D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*\%(D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*\%(+ !!z( T #B CDEF&io @`"< jD,$D0N BiC$DEF&ioii(($$i@`"< j6 ,$@0x c$oM@` M <htM 2@ @Real Execution <vM .@ AIdeal ExecutionRB s*Do@@2F F ` 0p BZM "Honest partieslB <D)p@plB <D) @ <,vM ci 6 <M~e 6PN . . <$Mu JReal adversary A`2 0.F = =`2 0\NT ff #ff <Mpg \ JReal adversary A`2 0ff ` 0L BZ$M "Honest partieslB <D)88 lB <D)p0p <MpW 6P <ML 4 <M Simulator S <M u= = Trusted partylB <D)Zr <MP 5f ! <M. BStand-alone adversary attacking *"H 0h ? 3333̙3ph___PPT10H.qb+pD' = @B D' = @BA?%,( <+O%,( <+D' =%(D' =%(D+' =4@BB BB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =-g6Bfade*<3<*D+' =4@BB BB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =-g6Bfade*<3<*+ \( x c$N@` N c$XlM@`<$D0N H 0h ? 3333̙3___PPT10n.Ne)+YDB' = @B D' = @BA?%,( <+O%,( <+D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(+J \( x c$N@` N c$,N@`<$@0N H 0h ? 3333̙3&___PPT10 .Ne\+ED ' = @B D ' = @BA?%,( <+O%,( <+DL' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*Yv%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*v%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*K%(D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*K%(+r0uTuDVL\PxǼb?e| (","$s*,t27U:<k?AIN2>Q@[`%^G//ceJkt-g!SZVXS5,( /0DAriallacpv00"DTimes New Romanv00 DWingdingsRomanv000DArial Blackmanv00"@DTahomal0ArialTimes New Roman WingdingsArial BlackTahomaSymbolPixelLayers>Information-Theoretic Security and Security under CompositionSecure Multiparty ComputationSecure Computation TasksDefining SecurityThe Real ModelThe Ideal ModelThe Security Definition:The Ideal Adversary/SimulatorMore Details on the DefinitionTwo Basic Models%Real Execution – Possible SettingsSecurity under Composition<Feasibility of Secure Computation – The Stand-Alone Model=Feasibility of Secure Computation – Concurrent Composition;Information-Theoretically Secure Protocols and Composition This WorkTheorem 1: Counter ExampleTheorem 2:CorollariesTheorem 3: CorollaryDisturbing PointDifferent (Simple) PropertyTheorem 4: CorollaryHigh-Level Summary of ResultsThe Rest of This TalkProof of Counter Example!Proof of Counter-Example (cont.)!Proof of Counter-Example (cont.):Claim 1: Security of Protocol ρ in the Stand-Alone ModelHClaim 2: Insecurity of Protocol ρ under Concurrent General CompositionClaim 2 (continued) (Rough idea) Proof of Theorem 2Proof of Theorem 2 (cont.)Complication for Aρ Discussions on Theorem 4Importance of Theorem 4Conclusions Slide 40Fonts UsedDesign Template Slide Titles(orem _IBM_USERIBM_USERem 2 (coRoot EntrydO)pLlPicturesxCurrent UserO2SummaryInformation(anv00"PDSymbollackmanv00@. @n?" dd@ @@`` k5&H-&H-H 4$#$"$$$$$b$e*wFIt١EZb$_;?ur~09eC4b$[l`kKWr0R$ejV&,՝2 BR$]#[]OG=KR$PoKiS5m&Q0AAP3uki@ip\]R ʚ;N+ʚ;g43d3d$0ppp@<4ddddPh0H<4BdBdP̨0qi___PPT10I ``.(IBM_User.6? %"^+=Information-Theoretic Security and Security under Composition>>*\Eyal Kushilevitz (Technion) Yehuda Lindell (Bar-Ilan University) Tal Rabin (IBM T.J. Watson)]A3C_,Secure Multiparty ComputationA set of parties with private inputs. Parties wish to jointly compute a function of their inputs so that certain security properties (like privacy, correctness and independence of inputs) are preserved. E.g., secure elections, auctions& Properties must be ensured even if some of the parties maliciously attack the protocol."Xn"7`-Secure Computation TasksExamples: Authentication protocols Online payments Auctions Elections Privacy preserving data mining Essentially any task& * q qb0Defining SecurityThe real/ideal model paradigm for defining security [GMW,GL,Be,MR,Ca]: Ideal model: parties send inputs to a trusted party, who computes the function for them. Real model: parties run a real protocol with no trusted help. A protocol is secure if any attack on a real protocol can be carried out in the ideal model. Since no attacks can be carried out in the ideal model, security is implied.G_3 & ( D&5C c1The Real Modeld2The Ideal Modele3The Security Definition: f4The Ideal Adversary/SimulatorHow is security proven? The ideal-model adversary is actually a simulator The simulator simulates a real execution, while interacting in the ideal model The simulation looks just like a real execution& Important categories of simulators Black-box versus nonblack-box simulators Rewinding versus non-rewinding simulators Non-rewinding is also called straight-line ZZ#ZSZ-Z#S-. g g5More Details on the DefinitionWhat does it mean that the real and ideal executions look the same ? Perfect security: the distributions are identical Statistical security: the distributions are statistically close Computational security: the distributions are computationally indistinguishablexF5!+9h6Two Basic ModelsInformation-theoretic model Unbounded adversaries Perfect or statistical security Seemingly, no real need for perfection Computational model Polynomial-time adversaries Computational security 6)36)3i7DReal Execution Possible Settings\The stand-alone model A single execution of a single secure protocol (or a single execution under attack) The classic model of computation Security under composition Concurrent self composition: many executions of a single secure protocol Concurrent general composition: many executions of a secure protocol together with arbitrary other protocolsvu - M|KSecurity under CompositionConcurrent self composition Many executions of a single secure protocol look just like many calls to an ideal trusted party [FS,DDN,DNS,RK,& ] Concurrent general composition Many executions of a single secure protocol with an arbitrary other protocol look just like many calls to an ideal trusted party, together with a real arbitrary other protocol [DM,PW,Ca] Modeled by considering an arbitrary protocol that contains subroutine calls to the secure protocol Models the real world the Internet !"#$%&'()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ !"#$%&'()*+,-./0N236789:;<=>?@ABCDEFGHMOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}Root EntrydO)TiPicturesxCurrent UserO8SummaryInformation(PowerPoint Document(=DocumentSummaryInformation83ackmanv00"PDSymbollackmanv00@. @n?" dd@ @@`` k5&H-&H-H 4$#$"$$$$$b$e*wFIt١EZb$_;?ur~09eC4b$[l`kKWr0R$ejV&,՝2 BR$]#[]OG=KR$PoKiS5m&Q0AAP3uki@ip\]ʚ;)+ʚ;g4BdBd$0ppp@<4ddddPh0H<4BdBdP̨0qi___PPT10I ``.(IBM_User.6? %^+=Information-Theoretic Security and Security under Composition>>*\Eyal Kushilevitz (Technion) Yehuda Lindell (Bar-Ilan University) Tal Rabin (IBM T.J. Watson)]A3C_,Secure Multiparty ComputationA set of parties with private inputs. Parties wish to jointly compute a function of their inputs so that certain security properties (like privacy, correctness and independence of inputs) are preserved. E.g., secure elections, auctions& Properties must be ensured even if some of the parties maliciously attack the protocol."Xn"7`-Secure Computation TasksExamples: Authentication protocols Online payments Auctions Elections Privacy preserving data mining Essentially any task& * q qb0Defining SecurityThe real/ideal model paradigm for defining security [GMW,GL,Be,MR,Ca]: Ideal model: parties send inputs to a trusted party, who computes the function for them. Real model: parties run a real protocol with no trusted help. A protocol is secure if any attack on a real protocol can be carried out in the ideal model. Since no attacks can be carried out in the ideal model, security is implied.G_3 & ( D&5C c1The Real Modeld2The Ideal Modele3The Security Definition: f4The Ideal Adversary/SimulatorHow is security proven? The ideal-model adversary is actually a simulator The simulator simulates a real execution, while interacting in the ideal model The simulation looks just like a real execution& Important categories of simulators Black-box versus nonblack-box simulators Rewinding versus non-rewinding simulators Non-rewinding is also called straight-line ZZ#ZSZ-Z#S-. g g5More Details on the DefinitionWhat does it mean that the real and ideal executions look the same ? Perfect security: the distributions are identical Statistical security: the distributions are statistically close Computational security: the distributions are computationally indistinguishablexF5!+9h6Two Basic ModelsInformation-theoretic model Unbounded adversaries Perfect or statistical security Seemingly, no real need for perfection Computational model Polynomial-time adversaries Computational security 6)36)3i7DReal Execution Possible Settings\The stand-alone model A single execution of a single secure protocol (or a single execution under attack) The classic model of computation Security under composition Concurrent self composition: many executions of a single secure protocol Concurrent general composition: many executions of a secure protocol together with arbitrary other protocolsvu - M|KSecurity under CompositionConcurrent self composition Many executions of a single secure protocol look just like many calls to an ideal trusted party [FS,DDN,DNS,RK,& ] Concurrent general composition Many executions of a single secure protocol with an arbitrary other protocol look just like many calls to an ideal trusted party, together with a real arbitrary other protocol [DM,PW,Ca] Modeled by considering an arbitrary protocol that contains subroutine calls to the secure protocol Models the real world the Internet is the arbitrary protocolr____r)>^j8rFeasibility of Secure Computation The Stand-Alone Model :(&&UA fundamental theorem: any multiparty functionality can be securely computed in the stand-alone model: Computational setting: for any number of corruptions and assuming (enhanced) trapdoor permutations [Y86,GMW87] Information theoretic setting: for a 2/3 honest majority (or regular majority given a broadcast channel) [BGW88,CCD88,RB89,B89]ngQ, #bk9tFeasibility of Secure Computation Concurrent Composition ;$&&gAny multiparty problem can be securely computed under concurrent general composition: No honest majority: assuming (enhanced) trapdoor permutations and a common reference string [CLOS02] Honest (or two-thirds) majority: [Ca01] relying on [BGW88,CCD88,RB89,B89] Notice: these are exactly the information-theoretically secure protocols for the stand-alone modelVcV Jl::Information-Theoretically Secure Protocols and Composition;;&jFolklore: information-theoretic protocols are secure under concurrent composition (at the very least, all the known ones have this property) Related folklore: if a protocol is proven secure using a black-box non-rewinding simulator, then it is secure under concurrent composition Note: known information-theoretic protocols use black-box non-rewinding simulationlS ez(m; This WorkUnderstand the conjectured connection between information-theoretic security and security under composition Deepen our understanding of these notions Derive a corollary that simplifies the task of proving security under composition 2l}l|n<Theorem 1: Counter ExampleThere exist protocols that are: Statistically secure in the information theoretical model, as stand-alone Proven secure using a black-box straight-line (non-rewinding) simulator but are not secure under concurrent general composition t : L &o= Theorem 2:BEvery protocol that is: Perfectly secure in the information theoretical model, as stand-alone Proven secure using a black-box straight-line (non-rewinding) simulator is perfectly secure under concurrent general composition [DM00] proved a similar result, but used a strictly more stringent notion of stand-alone security~;bL'bp>CorollariesCorollary 1: [BGW] (error free version) is perfectly secure under concurrent general composition (assuming a two-thirds majority) Corollary 2: It suffices to prove perfect security in the stand-alone model& Note: perfectly secure protocols have an advantage over statistically secure protocols Security under concurrent general composition is obtained for free \'EvA WEq? Theorem 3:eEvery protocol that is: Proven secure using a black-box straight-line (non-rewinding) simulator is secure under concurrent self composition with fixed inputs This is a weaker security guarantee, but gives some justification to the folklore The result is of interest for statistical and computational security, and holds for any number of corrupted partiesH@RtRtX Corollary[CCD,RB] are secure under concurrent self composition with fixed inputs Again, the above is a relatively weak security guarantee, but explains/justifies the folklore$; _tBDisturbing Point+It is widely believed that known statistically secure protocol are secure under concurrent general composition We have only proved security under concurrent self composition with fixed inputs Is there an additional property that would make such protocols secure under concurrent general composition?JoQloQMuCDifferent (Simple) Property#Initial Synchronization Each party announces that it is ready to start Before starting, each party waits to receive notification from all other parties that they are ready to start This enables an easy denial of service attack (but this is in some sense impossible to prevent in this model):oopvD Theorem 4:2Every protocol that is: Proven secure using a black-box straight-line (non-rewinding) simulator, and Has initial synchronization is secure under concurrent general composition This holds for perfect, statistical and computational security (not needed for perfect), and for any number of corrupted partiesi1$&?(wE Corollary*It suffices to prove security in the stand-alone model using black-box straight-line simulation: Given such a protocol, can add initial synchronization and security under concurrent general composition is implied This gives a useful tool, simplifying the task of proving security under compositionLauUau=xFHigh-Level Summary of ResultsCounter-example: Straight-line black-box security does not imply security under concurrent general composition (even if security is statistical) Security under general composition is implied by: Perfect security, straight-line black-box simulation Straight-line black-box simulation, initial synchronization Security under self composition with fixed inputs is implied by: Straight-line black-box simulation2qA#2qA#yGThe Rest of This TalkSProof of counter-example (Theorem 1) Idea behind the proof that perfect-security with black-box straight-line simulation implies security under concurrent general composition (Theorem 2) Idea behind proof that black-box straight-line simulation with initial synchronization implies security under concurrent general composition (Theorem 4)NT (CT#Proof of Counter Example&NThe counter-example utilizes the fact that: In the stand-alone model, inputs are fixed at the beginning In the setting of concurrent general composition, inputs can be determined dynamically, and dependent on other protocols Recall: a protocol is secure in this setting if an execution of an arbitrary protocol with the real secure protocol looks like an execution of the same arbitrary protocol together with ideal calls 8,,V Proof of Counter-Example (cont.)Our counter-example uses a specific function and specific protocol (in the setting of an honest majority) The function: f(x1,x2,x3) = (0,0,0)tyzH Proof of Counter-Example (cont.)jA secure protocol for computing f: P1 and P2 choose random r1 and r2 of length n/2 and send the strings to each other P1 and P2 define r = (r1,r2) and both send r to P3 If P3 receives the same value from both parties and it equals its input, then it outputs 1, otherwise it outputs 0 P2 and P3 both output 0% %T #V%pClaim 1: Security of Protocol in the Stand-Alone Model99&6We assume an honest majority, so at least one of P1 and P2 are honest This implies that the string r received by P3 equals its input with probability at most 2-n/2 Thus, P3 outputs 1 with negligible probability Simulation in this case is easy (and is black-box straight-line) Security obtained is statistical!2+ _{IClaim 2: Insecurity of Protocol under Concurrent General CompositionGG$ &Consider the following arbitrary protocol P that contains a call to f: P1 sends a random s to P3 P1 and P2 send the input 0n to the trusted party computing f, and output whatever they receive back P3 sends the string s to the trusted party as its input for the computation of f, and outputs whatever it receives back Note: in the ideal execution, all honest parties always output 0ZI__A_) ):(1}JClaim 2 (continued)Consider an execution of P together with protocol and a single corrupted party P1: Party P1 waits until it receives r2 from P2 as part of and can define r = (r1,r2) P1 defines s = r and sends s to P3 P3 uses s as its input into and it follows that r equals its input We have that the honest P3 always outputs 1 (instead of 0) Conclusion: is not 51secure under concurrent general composition:UZZAZ + &c(Rough idea) Proof of Theorem 2 &By contradiction Protocol secure stand alone, not secure in composition with Exist Adv A which can foil the execution of when run with , i.e. not the same as if using a trusted party for f instead of Build a stand-alone adversary A which breaks the stand-alone security of A basically runs A in its belly and simulates all the parties for the communications which relate to , and for it communicates with the real parties and transfers the messages to AD 4-A!*e FdProof of Theorem 2 (cont.)If A simulation for A is good then the stand-alone distribution of is the same as when it is run with Thus, output of in this stand-alone is not the same as the output of ideal execution And we have broken the stand-along execution (contradiction) $`A$e(Complication for A ^Creating a simulation which seemlessly matches the execution of the real with the simulation of For this A has to guess the inputs and random coins of the honest parties low success probability This is why perfect security is crucial, we need the attack to succeed only with non-zero probability Hdd \ #SProof of Theorem 4Recall the theorem: black-box straight-line simulation + initial synchronization security under concurrent general composition The basic idea: If initial synchronization is used, all of the arbitrary protocol (honest party inputs and random-tapes) until the protocol starts can be auxiliary input in a stand-alone execution The remainder of the proof is like Theorem 2, except that the stand-alone adversary always succeeds (given the appropriate auxiliary input)vAQ0UImportance of Theorem 4[Adds to our understanding of what is needed for obtaining security Black-box straight-line simulation Inability to have inputs depend on randomness of the same execution A useful tool Definitions for obtaining security under composition are complex Using this theorem, it suffices to work in the stand-alone model (and add initial synchronization)tC_g___Cg9cTConclusionsStand-alone security does not imply security under concurrent general composition Even in the information-theoretical model Information-theoretic security does imply some sort of security under composition Black-box straight line statistical suffices for obtaining concurrent self composition with fixed inputs Black-box straight-line perfect suffices for obtaining concurrent general composition Black-box straight-line + initial synchronization suffices for obtaining concurrent general compositionR*Rh5*/#F7hYZProof of Theorem 2We wish to prove that stand-alone perfect security + black-box straight-line simulation security under concurrent general composition Note: relying on previous work, it suffices to consider a single execution of the secure protocol with an arbitrary other protocolX[Proof of Theorem 2 (cont.)(Step 1: construct a simulator for the setting of concurrent general composition Need to deal with the messages of the secure protocol and the arbitrary protocol P The messages of the arbitrary protocol P are sent between the real adversary and the external parties The messages of the secure protocol are dealt with by the stand-alone simulator for the secure protocol (that is guaranteed to exist)PEP6(dc\(Step 1 Graphically ]Proof of Theorem 2 (cont.)Step 2: prove that this simulator meets the requirements By contradiction, assume that the real adversary causes the output to be different This implies that there must be a difference between the output of a real execution of the secure protocol and the ideal output This adversary is then used to contradict the stand-alone security of the protocolB9*9k^(Step 2 Graphically _Proof of Theorem 2 (cont.)nThe entire arbitrary protocol is internally simulated by a stand-alone adversary attacking the secure protocol The stand-alone adversary plays the honest parties for the arbitrary protocol; otherwise the real honest parties are invoked If this simulation is good , then the result is the same as in the setting of concurrent general composition By the contradicting assumption, this will imply failure of the stand-alone simulator for LoZIZRG`8Step 2 (cont.) Graphically aProof of Theorem 2 (cont.)0Problem: In order for the stand-alone adversary to simulate the arbitrary protocol, it needs to guess the honest parties inputs and random tapes This guess must lead to the same inputs that the real honest parties use in the secure protocol What is the chance of this happening?J & W2`&bProof of Theorem 2 (cont.)4Almost nothing! In general, the probability of guessing correctly is exponentially small The main point of the proof: The protocol is perfectly secure This implies that the adversary cannot succeed with even an exponentially small probability But, we constructed an adversary that succeeds with exponentially small probability Conclusion: the stand-alone simulator fails with this adversary; contradiction.IPIE} $( r S=@` r S@ @` H 0h ? 3333̙3___PPT10i.*e+D=' = @B +r]uwC9zF( /0DAriallacpv00"DTimes New Romanv00 DWingdingsRomanv000DArial Blackmanv00"@DTahomalackm !"#$%&'()*+,-./012456789:;<=>?@ABCDEFGHIJKLMNOh+'0lhp ,8 DPXPRandomness Extraction and Key Derivation Using the CBC, Cascade and HMAC ModesTal RabinPixelIBM_USER161Microsoft PowerPoint@+@PTfy@ oibG g }0--$--'̙--$--'33--$lll--'--$qqq--'33--%l--'--$:[[::--'33--%EKK--'@Times New Roman-. 332 Information,."System$-@Times New Roman-. 33 2 -.-@Times New Roman-. 33$2 Theoretic Security $ .-@Times New Roman-. 33$2 pand Security under .-@Times New Roman-. 332 QComposition',.-@"Arial-. "2 !Eyal Kushilevitz ( .-@"Arial-. 2 JTechnion .-@"Arial-. 2 ) .-@"Arial-. $2 Yehuda Lindell (Bar .-@"Arial-. 2 1- .-@"Arial-. 2 >Ilan University) .-@"Arial-. 302 OTal Rabin (IBM T.J. Watson) % .-՜.+,0 kOn-screen ShowIBM( is the arbitrary protocolr____r)>^j8rFeasibility of Secure Computation The Stand-Alone Model :(&&UA fundamental theorem: any multiparty functionality can be securely computed in the stand-alone model: Computational setting: for any number of corruptions and assuming (enhanced) trapdoor permutations [Y86,GMW87] Information theoretic setting: for a 2/3 honest majority (or regular majority given a broadcast channel) [BGW88,CCD88,RB89,B89]ngQ, #bk9tFeasibility of Secure Computation Concurrent Composition ;$&&gAny multiparty problem can be securely computed under concurrent general composition: No honest majority: assuming (enhanced) trapdoor permutations and a common reference string [CLOS02] Honest (or two-thirds) majority: [Ca01] relying on [BGW88,CCD88,RB89,B89] Notice: these are exactly the information-theoretically secure protocols for the stand-alone modelVcV Jl::Information-Theoretically Secure Protocols and Composition;;&jFolklore: information-theoretic protocols are secure under concurrent composition (at the very least, all the known ones have this property) Related folklore: if a protocol is proven secure using a black-box non-rewinding simulator, then it is secure under concurrent composition Note: known information-theoretic protocols use black-box non-rewinding simulationlS ez(m; This WorkUnderstand the conjectured connection between information-theoretic security and security under composition Deepen our understanding of these notions Derive a corollary that simplifies the task of proving security under composition 2l}l|n<Theorem 1: Counter ExampleThere exist protocols that are: Statistically secure in the information theoretical model, as stand-alone Proven secure using a black-box straight-line (non-rewinding) simulator but are not secure under concurrent general composition t : L &o= Theorem 2:BEvery protocol that is: Perfectly secure in the information theoretical model, as stand-alone Proven secure using a black-box straight-line (non-rewinding) simulator is perfectly secure under concurrent general composition [DM00] proved a similar result, but used a strictly more stringent notion of stand-alone security~;bL'bp>CorollariesCorollary 1: [BGW] (error free version) is perfectly secure under concurrent general composition (assuming a two-thirds majority) Corollary 2: It suffices to prove perfect security in the stand-alone model& Note: perfectly secure protocols have an advantage over statistically secure protocols Security under concurrent general composition is obtained for free \'EvA WEq? Theorem 3:eEvery protocol that is: Proven secure using a black-box straight-line (non-rewinding) simulator is secure under concurrent self composition with fixed inputs This is a weaker security guarantee, but gives some justification to the folklore The result is of interest for statistical and computational security, and holds for any number of corrupted partiesH@RtRtX Corollary[CCD,RB] are secure under concurrent self composition with fixed inputs Again, the above is a relatively weak security guarantee, but explains/justifies the folklore$; _tBDisturbing Point+It is widely believed that known statistically secure protocol are secure under concurrent general composition We have only proved security under concurrent self composition with fixed inputs Is there an additional property that would make such protocols secure under concurrent general composition?JoQloQMuCDifferent (Simple) Property#Initial Synchronization Each party announces that it is ready to start Before starting, each party waits to receive notification from all other parties that they are ready to start This enables an easy denial of service attack (but this is in some sense impossible to prevent in this model):oovD Theorem 4:2Every protocol that is: Proven secure using a black-box straight-line (non-rewinding) simulator, and Has initial synchronization is secure under concurrent general composition This holds for perfect, statistical and computational security (not needed for perfect), and for any number of corrupted partiesi1$&?(wE Corollary*It suffices to prove security in the stand-alone model using black-box straight-line simulation: Given such a protocol, can add initial synchronization and security under concurrent general composition is implied This gives a useful tool, simplifying the task of proving security under compositionLauUau=xFHigh-Level Summary of ResultsCounter-example: Straight-line black-box security does not imply security under concurrent general composition (even if security is statistical) Security under general composition is implied by: Perfect security, straight-line black-box simulation Straight-line black-box simulation, initial synchronization Security under self composition with fixed inputs is implied by: Straight-line black-box simulation2qA#2qA#yGThe Rest of This TalkMProof of counter-example (Theorem 1) Idea behind the proof that perfect-security with black-box straight-line simulation implies security under concurrent general composition (Theorem 2) Discussion about black-box straight-line simulation with initial synchronization implies security under concurrent general composition (Theorem 4)NN (CT#Proof of Counter Example&NThe counter-example utilizes the fact that: In the stand-alone model, inputs are fixed at the beginning In the setting of concurrent general composition, inputs can be determined dynamically, and dependent on other protocols Recall: a protocol is secure in this setting if an execution of an arbitrary protocol with the real secure protocol looks like an execution of the same arbitrary protocol together with ideal calls 8,,V Proof of Counter-Example (cont.)Our counter-example uses a specific function and specific protocol (in the setting of an honest majority) The function: f(x1,x2,x3) = (0,0,0)tyzH Proof of Counter-Example (cont.)jA secure protocol for computing f: P1 and P2 choose random r1 and r2 of length n/2 and send the strings to each other P1 and P2 define r = (r1,r2) and both send r to P3 If P3 receives the same value from both parties and it equals its input, then it outputs 1, otherwise it outputs 0 P2 and P3 both output 0% %T #V%pClaim 1: Security of Protocol in the Stand-Alone Model99&6We assume an honest majority, so at least one of P1 and P2 are honest This implies that the string r received by P3 equals its input with probability at most 2-n/2 Thus, P3 outputs 1 with negligible probability Simulation in this case is easy (and is black-box straight-line) Security obtained is statistical!2+ _{IClaim 2: Insecurity of Protocol under Concurrent General CompositionGG$ &Consider the following arbitrary protocol P that contains a call to f: P1 sends a random s to P3 P1 and P2 send the input 0n to the trusted party computing f, and output whatever they receive back P3 sends the string s to the trusted party as its input for the computation of f, and outputs whatever it receives back Note: in the ideal execution, all honest parties always output 0ZI__A_) ):(1}JClaim 2 (continued)Consider an execution of P together with protocol and a single corrupted party P1: Party P1 waits until it receives r2 from P2 as part of and can define r = (r1,r2) P1 defines s = r and sends s to P3 P3 uses s as its input into and it follows that r equals its input We have that the honest P3 always outputs 1 (instead of 0) Conclusion: is not secure under concurrent general composition:UZZAZ + &c(Rough idea) Proof of Theorem 2 &By contradiction Protocol secure stand alone, not secure in composition with Exist Adv A which can foil the execution of when run with , i.e. not the same as if using a trusted party for f instead of Build a stand-alone adversary A which breaks the stand-alone security of A basically runs A in its belly and simulates all the parties for the communications which relate to , and for it communicates with the real parties and transfers the messages to AD 4-A!*e FdProof of Theorem 2 (cont.)If A simulation for A is good then the stand-alone distribution of is the same as when it is run with Thus, output of in this stand-alone is not the same as the output of ideal execution And we have broken the stand-along execution (contradiction) $`A$e(Complication for A ^Creating a simulation which seemlessly matches the execution of the real with the simulation of For this A has to guess the inputs and random coins of the honest parties low success probability This is why perfect security is crucial, we need the attack to succeed only with non-zero probability Hdd \ #SDiscussions on Theorem 4Recall the theorem: black-box straight-line simulation + initial synchronization security under concurrent general composition The basic idea: Consider the counter example If initial synchronization is used, all of the arbitrary protocol (honest party s inputs and random-tapes) until the protocol starts can be auxiliary input in a stand-alone executionjQ0UImportance of Theorem 4[Adds to our understanding of what is needed for obtaining security Black-box straight-line simulation Inability to have inputs depend on randomness of the same execution A useful tool Definitions for obtaining security under composition are complex Using this theorem, it suffices to work in the stand-alone model (and add initial synchronization)tC_g___Cg9cTConclusionsStand-alone security does not imply security under concurrent general composition Even in the information-theoretical model Information-theoretic security does imply some sort of security under composition Black-box straight line statistical suffices for obtaining concurrent self composition with fixed inputs Black-box straight-line perfect suffices for obtaining concurrent general composition Black-box straight-line + initial synchronization suffices for obtaining concurrent general compositionR*Rh5*/#F7hYZProof of Theorem 2We wish to prove that stand-alone perfect security + black-box straight-line simulation security under concurrent general composition Note: relying on previous work, it suffices to consider a single execution of the secure protocol with an arbitrary other protocolX[Proof of Theorem 2 (cont.)(Step 1: construct a simulator for the setting of concurrent general composition Need to deal with the messages of the secure protocol and the arbitrary protocol P The messages of the arbitrary protocol P are sent between the real adversary and the external parties The messages of the secure protocol are dealt with by the stand-alone simulator for the secure protocol (that is guaranteed to exist)PEP6(dc\(Step 1 Graphically ]Proof of Theorem 2 (cont.)Step 2: prove that this simulator meets the requirements By contradiction, assume that the real adversary causes the output to be different This implies that there must be a difference between the output of a real execution of the secure protocol and the ideal output This adversary is then used to contradict the stand-alone security of the protocolB9*9k^(Step 2 Graphically _Proof of Theorem 2 (cont.)nThe entire arbitrary protocol is internally simulated by a stand-alone adversary attacking the secure protocol The stand-alone adversary plays the honest parties for the arbitrary protocol; otherwise the real honest parties are invoked If this simulation is good , then the result is the same as in the setting of concurrent general composition By the contradicting assumption, this will imply failure of the stand-alone simulator for LoZIZRG`8Step 2 (cont.) Graphically aProof of Theorem 2 (cont.)0Problem: In order for the stand-alone adversary to simulate the arbitrary protocol, it needs to guess the honest parties inputs and random tapes This guess must lead to the same inputs that the real honest parties use in the secure protocol What is the chance of this happening?J & W2`&bProof of Theorem 2 (cont.)4Almost nothing! In general, the probability of guessing correctly is exponentially small The main point of the proof: The protocol is perfectly secure This implies that the adversary cannot succeed with even an exponentially small probability But, we constructed an adversary that succeeds with exponentially small probability Conclusion: the stand-alone simulator fails with this adversary; contradiction.IPIE} 0$( 0r 0 Ss@` r 0 St@` H 00h ? 3333̙3___PPT10i.+e@+D=' = @B + `0( `x ` c$"C @` C x ` c$#C @`C H `0h ? 3333̙3___PPT10i.4ex+D=' = @B +rRzy % G.zy( /0DAriallacHv00"DTimes New Romanv00 DWingdingsRomanv000DArial Blackmanv00"@DTahomalackmanv00"PDSymbollackmanv00@. @n?" dd@ @@`` ,&H-&H-H 4$#$"$$$$$b$e*wFIt١EZb$_;?ur~09eC4b$[l`kKWr0R$ejV&,՝2 BR$]#[]OG=KR$PoKiS5m&Q0AAP3uki@ip\]R ʚ;N+ʚ;g4,d,d$0ppp@<4ddddPh0dH<4BdBdP̨0qi___PPT10I ``.(IBM_User.6? %\j^+=Information-Theoretic Security and Security under Composition>>*\Eyal Kushilevitz (Technion) Yehuda Lindell (Bar-Ilan University) Tal Rabin (IBM T.J. Watson)]A3C_,Secure Multiparty ComputationA set of parties with private inputs. Parties wish to jointly compute a function of their inputs so that certain security properties (like privacy, correctness and independence of inputs) are preserved. E.g., secure elections, auctions& Properties must be ensured even if some of the parties maliciously attack the protocol."Xn"7`-Secure Computation TasksExamples: Authentication protocols Online payments Auctions Elections Privacy preserving data mining Essentially any task& * q qb0Defining SecurityThe real/ideal model paradigm for defining security [GMW,GL,Be,MR,Ca]: Ideal model: parties send inputs to a trusted party, who computes the function for them. Real model: parties run a real protocol with no trusted help. A protocol is secure if any attack on a real protocol can be carried out in the ideal model. Since no attacks can be carried out in the ideal model, security is implied.G_3 & ( D&5C c1The Real Modeld2The Ideal Modele3The Security Definition: f4The Ideal Adversary/SimulatorHow is security proven? The ideal-model adversary is actually a simulator The simulator simulates a real execution, while interacting in the ideal model The simulation looks just like a real execution& Important categories of simulators Black-box versus nonblack-box simulators Rewinding versus non-rewinding simulators Non-rewinding is also called straight-line ZZ#ZSZ-Z#S-. g g5More Details on the DefinitionWhat does it mean that the real and ideal executions look the same ? Perfect security: the distributions are identical Statistical security: the distributions are statistically close Computational security: the distributions are computationally indistinguishablexF5!+9h6Two Basic ModelsInformation-theoretic model Unbounded adversaries Perfect or statistical security Seemingly, no real need for perfection Computational model Polynomial-time adversaries Computational security 6)36)3i7DReal Execution Possible Settings\The stand-alone model A single execution of a single secure protocol (or a single execution under attack) The classic model of computation Security under composition Concurrent self composition: many executions of a single secure protocol Concurrent general composition: many executions of a secure protocol together with arbitrary other protocolsvu - M|KSecurity under CompositionConcurrent self composition Many executions of a single secure protocol look just like many calls to an ideal trusted party [FS,DDN,DNS,RK,& ] Concurrent general composition Many executions of a single secure protocol with an arbitrary other protocol look just like many calls to an ideal trusted party, together with a real arbitrary other protocol [DM,PW,Ca] Modeled by considering an arbitrary protocol that contains subroutine calls to the secure protocol Models the real world the Internet is the arbitrary protocolr____r)>^j8rFeasibility of Secure Computation The Stand-Alone Model :(&&UA fundamental theorem: any multiparty functionality can be securely computed in the stand-alone model: Computational setting: for any number of corruptions and assuming (enhanced) trapdoor permutations [Y86,GMW87] Information theoretic setting: for a 2/3 honest majority (or regular majority given a broadcast channel) [BGW88,CCD88,RB89,B89]ngQ, #bk9tFeasibility of Secure Computation Concurrent Composition ;$&&gAny multiparty problem can be securely computed under concurrent general composition: No honest majority: assuming (enhanced) trapdoor permutations and a common reference string [CLOS02] Honest (or two-thirds) majority: [Ca01] relying on [BGW88,CCD88,RB89,B89] Notice: these are exactly the information-theoretically secure protocols for the stand-alone modelVcV Jl::Information-Theoretically Secure Protocols and Composition;;&jFolklore: information-theoretic protocols are secure under concurrent composition (at the very least, all the known ones have this property) Related folklore: if a protocol is proven secure using a black-box non-rewinding simulator, then it is secure under concurrent composition Note: known information-theoretic protocols use black-box non-rewinding simulationlS ez(m; This WorkUnderstand the conjectured connection between information-theoretic security and security under composition Deepen our understanding of these notions Derive a corollary that simplifies the task of proving security under composition 2l}l|n<Theorem 1: Counter ExampleThere exist protocols that are: Statistically secure in the information theoretical model, as stand-alone Proven secure using a black-box straight-line (non-rewinding) simulator but are not secure under concurrent general composition t : L &o= Theorem 2:BEvery protocol that is: Perfectly secure in the information theoretical model, as stand-alone Proven secure using a black-box straight-line (non-rewinding) simulator is perfectly secure under concurrent general composition [DM00] proved a similar result, but used a strictly more stringent notion of stand-alone security~;bL'bp>CorollariesCorollary 1: [BGW] (error free version) is perfectly secure under concurrent general composition (assuming a two-thirds majority) Corollary 2: It suffices to prove perfect security in the stand-alone model& Note: perfectly secure protocols have an advantage over statistically secure protocols Security under concurrent general composition is obtained for free \'EvA WEq? Theorem 3:eEvery protocol that is: Proven secure using a black-box straight-line (non-rewinding) simulator is secure under concurrent self composition with fixed inputs This is a weaker security guarantee, but gives some justification to the folklore The result is of interest for statistical and computational security, and holds for any number of corrupted partiesH@RtRtX Corollary[CCD,RB] are secure under concurrent self composition with fixed inputs Again, the above is a relatively weak security guarantee, but explains/justifies the folklore$; _tBDisturbing Point+It is widely believed that known statistically secure protocol are secure under concurrent general composition We have only proved security under concurrent self composition with fixed inputs Is there an additional property that would make such protocols secure under concurrent general composition?JoQloQMuCDifferent (Simple) Property#Initial Synchronization Each party announces that it is ready to start Before starting, each party waits to receive notification from all other parties that they are ready to start This enables an easy denial of service attack (but this is in some sense impossible to prevent in this model):oovD Theorem 4:2Every protocol that is: Proven secure using a black-box straight-line (non-rewinding) simulator, and Has initial synchronization is secure under concurrent general composition This holds for perfect, statistical and computational security (not needed for perfect), and for any number of corrupted partiesi1$&?(wE Corollary*It suffices to prove security in the stand-alone model using black-box straight-line simulation: Given such a protocol, can add initial synchronization and security under concurrent general composition is implied This gives a useful tool, simplifying the task of proving security under compositionLauUau=xFHigh-Level Summary of ResultsCounter-example: Straight-line black-box security does not imply security under concurrent general composition (even if security is statistical) Security under general composition is implied by: Perfect security, straight-line black-box simulation Straight-line black-box simulation, initial synchronization Security under self composition with fixed inputs is implied by: Straight-line black-box simulation2qA#2qA#yGThe Rest of This TalkMProof of counter-example (Theorem 1) Idea behind the proof that perfect-security with black-box straight-line simulation implies security under concurrent general composition (Theorem 2) Discussion about black-box straight-line simulation with initial synchronization implies security under concurrent general composition (Theorem 4)NN (CT#Proof of Counter Example&NThe counter-example utilizes the fact that: In the stand-alone model, inputs are fixed at the beginning In the setting of concurrent general composition, inputs can be determined dynamically, and dependent on other protocols Recall: a protocol is secure in this setting if an execution of an arbitrary protocol with the real secure protocol looks like an execution of the same arbitrary protocol together with ideal calls 8,,V Proof of Counter-Example (cont.)Our counter-example uses a specif !"#$%&'()*+,-./0ic function and specific protocol (in the setting of an honest majority) The function: f(x1,x2,x3) = (0,0,0)tyzH Proof of Counter-Example (cont.)jA secure protocol for computing f: P1 and P2 choose random r1 and r2 of length n/2 and send the strings to each other P1 and P2 define r = (r1,r2) and both send r to P3 If P3 receives the same value from both parties and it equals its input, then it outputs 1, otherwise it outputs 0 P2 and P3 both output 0% %T #V%pClaim 1: Security of Protocol in the Stand-Alone Model99&6We assume an honest majority, so at least one of P1 and P2 are honest This implies that the string r received by P3 equals its input with probability at most 2-n/2 Thus, P3 outputs 1 with negligible probability Simulation in this case is easy (and is black-box straight-line) Security obtained is statistical!2+ _{IClaim 2: Insecurity of Protocol under Concurrent General CompositionGG$ &Consider the following arbitrary protocol P that contains a call to f: P1 sends a random s to P3 P1 and P2 send the input 0n to the trusted party computing f, and output whatever they receive back P3 sends the string s to the trusted party as its input for the computation of f, and outputs whatever it receives back Note: in the ideal execution, all honest parties always output 0ZI__A_) ):(1}JClaim 2 (continued)Consider an execution of P together with protocol and a single corrupted party P1: Party P1 waits until it receives r2 from P2 as part of and can define r = (r1,r2) P1 defines s = r and sends s to P3 P3 uses s as its input into and it follows that r equals its input We have that the honest P3 always outputs 1 (instead of 0) Conclusion: is not secure under concurrent general composition:UZZAZ + &c(Rough idea) Proof of Theorem 2 &By contradiction Protocol secure stand alone, not secure in composition with Exist Adv A which can foil the execution of when run with , i.e. not the same as if using a trusted party for f instead of Build a stand-alone adversary A which breaks the stand-alone security of A basically runs A in its belly and simulates all the parties for the communications which relate to , and for it communicates with the real parties and transfers the messages to AD 4-A!*e FdProof of Theorem 2 (cont.)If A simulation for A is good then the stand-alone distribution of is the same as when it is run with Thus, output of in this stand-alone is not the same as the output of ideal execution And we have broken the stand-along execution (contradiction) $`A$e(Complication for A ^Creating a simulation which seemlessly matches the execution of the real with the simulation of For this A has to guess the inputs and random coins of the honest parties low success probability This is why perfect security is crucial, we need the attack to succeed only with non-zero probability Hdd \ #SDiscussions on Theorem 4Recall the theorem: black-box straight-line simulation + initial synchronization security under concurrent general composition The basic idea: Consider the counter example If initial synchronization is used, all of the arbitrary protocol (honest party s inputs and random-tapes) until the protocol starts can be auxiliary input in a stand-alone executionjQ0UImportance of Theorem 4[Adds to our understanding of what is needed for obtaining security Black-box straight-line simulation Inability to have inputs depend on randomness of the same execution A useful tool Definitions for obtaining security under composition are complex Using this theorem, it suffices to work in the stand-alone model (and add initial synchronization)tC_g___Cg9cTConclusionsStand-alone security does not imply security under concurrent general composition Even in the information-theoretical model Information-theoretic security does imply some sort of security under composition Black-box straight line statistical suffices for obtaining concurrent self composition with fixed inputs Black-box straight-line perfect suffices for obtaining concurrent general composition Black-box straight-line + initial synchronization suffices for obtaining concurrent general compositionR*Rh5*/#F7hY P. ( ~ s*L@` fAuser&laptop XB 0DjJ` P XB 0DjJX H XB 0DjJX H XB 0DjJX H ^B 6Do` PP <HHp|P 3x <P+ AProtocol outputRB s*DRB s*D <Tp 3y <W AProtocol outputRB s*DJJRB s*DJJF X @ b lACopy of laptop 0 ` " bAblue-icon(XH 0h ? 3333___PPT10i.)kR+D=' = @B + &`( ~ s*K@` <`@T` 3x <LdP 0p Of1(x,y), RB @ s*D` <i 3y << 7@ Of2(x,y), RB s*DaaRB s*DP <,p 1xRB s*D <t Mf1(x,y)*RB @ s*D @ <\y 1y @ <,~ v w Mf2(x,y)*RB s*DP RB s*Dpp RB s*D F X 7@ b lA Copy of laptop 0 ` " bA blue-icon(Xd c<A user&laptopc#X c0A judge H 0h ? 3333___PPT10i.0R+D=' = @B + ^Vp( L X #Ls b NA Copy of laptop"` 0 ` " DA blue-icon"`(XL X #% b NA Copy of laptop"` 0 ` " DA blue-icon"`(X 6 U B("`S` 9IDEALB$ B"`S 8REALB$ @ B"`I C ? Trusted partyBB `D?? 0@B fZD?? 0@ B"` c NProtocol interaction FB 3rD??` ` B 0DoP @,$D 0nz 0 0,$D0 B\"` :`N pp0 pp0ZB s*DԔppZB s*DԔp p0x c$D@` ZA judgemR r c<A user&laptop"`2 r c<A user&laptop"`=> u z . n . n ,$D0 B Z??. iFor every real adversary A20 BFV C&A hacker n z S S ,$D0 Z??S ithere exists an adversary S20 BFX C(Ahacker3:T H 0h ? 3333 ___PPT10 .pq*o+"DDx ' = @B D3 ' = @BA?%,( <+O%,( <+Dj' =%(D' =%(D+' =4@BB BB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =-g6Bfade*<3<*D' =%(D7' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =-s6Bwipe(left)*<3<*D' =%(D+' =4@BB BB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =-g6Bfade*<3<*D' =%(D' =4@BBBB%(D' =1:Bhidden*o3>+B#style.visibility<*%(D' =%(D+' =4@BB BB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =-g6Bfade*<3<*+rc0(Y !"#$%&'()*+,-./0N25M6789:;<=>?@ABCDEFGHOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./051 !"#$%&'()*+,-./012456789:;<=>?@ABCDEFGHIJKLMNont.):Claim 1: Security of Protocol ρ in the Stand-Alone ModelHClaim 2: Insecurity of Protocol ρ under Concurrent General CompositionClaim 2 (continued) (Rough idea) Proof of Theorem 2Proof of Theorem 2 (cont.)Complication for Aρ Discussions on Theorem 4Importance of Theorem 4Conclusions Slide 40Fonts UsedDesign Template Slide Titles(orem_dlewisdlewisSERem 2 (co