Page 1

Adaptively Secure Broadcast, Revisited

Juan A. Garay (AT&T), Jonathan Katz (UMD), Ranjit Kumaresan (UMD), Hong-Sheng Zhou (UMD)

Page 2

Talk Outline

Preliminaries

Broadcast

Simulation-based security

The Hirt-Zikas result [HZ10]

Adaptive attacks on broadcast protocols

Impossibility of adaptively secure broadcast!

Here: (re)examining their communication model

Is adaptively secure broadcast possible?

Page 3

Broadcast [PSL80,LSP82]

If the sender is honest, then all parties output the sender’s message

All honest parties always output the same message

[Figure: the sender holds message m; the four receivers output m1, m2, m3, m4]

Page 4

Modeling the Problem

Adversary model

Centralized byzantine adversary

Corrupts at most t out of n parties

Static or adaptive adversary

Static: parties corrupted before execution begins

Adaptive: parties corrupted during protocol execution

Communication model

Point-to-point, secure and authenticated channels

Synchronous network

Page 5

Prior Work

Unconditional security iff t < n/3 [PSL80, LSP82, …]

Computational security for t < n [PSL80, DS83, …]

Assuming a public-key infrastructure (PKI) and digital signatures

Most prior work focuses on “property-based” notions of security

Page 6

Simulation-Based Security

Awkward or difficult to define adaptive security using property-based definitions

“If the sender is honest, then…” – but what if the sender starts honest and is later corrupted?

Cleaner definitions using the simulation paradigm

(Side benefits: secure composition; security under concurrent executions)

Page 7

The Simulation Paradigm [GMW87]

Ideal world: a trusted third party carries out the task

Real world: a cryptographic protocol carries out the task

Page 8

The Simulation Paradigm (cont’d)

[Figure: REAL execution vs. IDEAL execution]

Page 9

Universally Composable Security [Can01]

[Figure: REAL and IDEAL executions, each interacting with an Environment; concurrent composition]

Page 10

The Broadcast Functionality

Functionality FBC:

1. FBC receives m from the sender;

2. FBC sends m to all recipients.

Page 11

Adaptively Secure Broadcast?

Hirt-Zikas ’10: adaptive attacks on all existing broadcast protocols

No existing broadcast protocol is adaptively secure

Page 12

An Adaptive Attack

[Figure: in the 1st round the sender sends message v; later, after the sender is corrupted, the parties hold v’, i.e., message v’]

Page 13

Adaptively Secure Broadcast?

Hirt-Zikas ’10: adaptive attacks on all existing broadcast protocols

Adaptively secure broadcast is impossible for t > n/2

Page 14

Communication Model: A Closer Look

[HZ10] model:

Adversary can corrupt the sender & change its messages in the same round

Crucial for their impossibility result

“Atomic delivery model”:

Sender’s messages cannot be changed once sent [Can00, LLR02, …]

No corruption “in the middle of a round”

Page 15

Is Adaptive Security Possible?

Is adaptively secure broadcast possible for t > n/2 if we assume “atomic” message delivery?

• Note: [HZ10] attacks work on known protocols even in this model

Yes! Adaptively secure broadcast is possible for t < n

Page 16

Relaxed Broadcast

Functionality FRBC [HZ10]

1. FRBC receives m from the sender;

2. FRBC sends m to the adversary;

3. The adversary decides whether to corrupt the sender; if it does, the adversary may change m to any desired value;

4. FRBC sends m to all recipients.

Existing protocols (e.g., [DS83]) give adaptively secure relaxed broadcast for t < n

Page 17

Commitments

[Figure: Alice (message m) sends Bob a commitment to m, and later the opening to m]

Hiding: m hidden from Bob

Binding: Alice can open commitment only to m

Page 18

Our Broadcast Protocol

1. Sender sends commitment to m using FRBC

2. Sender sends the decommitment to each receiver via point-to-point channels

3. Each receiver broadcasts the decommitment they received using FRBC

4. All players agree on the first valid decommitment, and output the corresponding message m

Page 19

Avoiding Adaptive Attacks

1. Sender sends commitment to m using FRBC

Adversary learns nothing about m

2. Sender sends the decommitment to each receiver via point-to-point channels

All honest parties receive the decommitment

3. Each receiver broadcasts the decommitment they received using FRBC

4. All players agree on the first valid decommitment, and output the corresponding message m

Even if the sender is corrupted, the committed value cannot be changed

Page 20

Simulation

1. Sender sends commitment to m using FRBC

Simulator sends dummy commitments

2. Simulator gets m from FBC and generates a decommitment to m; it then sends this to all parties via point-to-point channels

UC commitments allow the simulator to open com to any m

3. Each receiver broadcasts decommitment via FRBC

4. All players agree on a valid decommitment, and output the corresponding message m

Page 21

Setup Assumptions?

As written, we use UC commitments

UC commitments require additional setup assumptions + stronger cryptographic assumptions that we would like to avoid!

In fact, honest-binding commitments suffice

Binding once the sender acts honestly during the commit phase

Can be realized with no additional setup, based on OWF

Example based on Pedersen’s commitment:

Honest sender: input m; choose h, x; com = (h, g^m h^x)

Simulator: (no input); choose r, y; com = (g^r, g^y)

Equivocation: on input m, set x = (y − m)/r; output (g^r, x)
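The following is an added example, not code from the paper or its authors, that ties the protocol of pages 18–19 to the honest-binding commitment of page 21. It runs the commitment-wrapped broadcast over an idealised FRBC against an adaptive adversary that waits until it sees a specific value in the clear before corrupting the party that sent it (the pattern of page 12), and it implements the Pedersen-style commitment with the simulator's equivocation trapdoor. The group parameters (a 10-bit safe prime), the party counts, the message tags and the adversary strategy are all constructed toy values chosen for readability.

```python
"""Commitment-wrapped broadcast over F_RBC, with the honest-binding
Pedersen-style commitment and its simulator trapdoor.

Added example, not code from the paper.  Group parameters, party counts and
the adversary strategy are constructed toy values."""
import secrets

# Toy Schnorr group: p = 2q + 1 is a safe prime and g = 4 generates the
# subgroup of prime order q.  Far too small for real use (constructed).
P, Q, G = 1019, 509, 4


def honest_commit(m):
    """Honest sender (page 21): h = g^s for a random s that is immediately
    forgotten, random x, com = (h, g^m h^x).  Returns (com, opening)."""
    h = pow(G, secrets.randbelow(Q - 1) + 1, P)
    x = secrets.randbelow(Q)
    return (h, pow(G, m, P) * pow(h, x, P) % P), (m, x)


def verify(com, opening):
    """Check g^m h^x == c.  With log_g h unknown to the committer, this is binding."""
    (h, c), (m, x) = com, opening
    return pow(G, m, P) * pow(h, x, P) % P == c


class Simulator:
    """Page 21 simulator: commits without knowing m as (g^r, g^y) and later
    opens to any m by solving x = (y - m) / r mod q, since it knows log_g h = r."""

    def __init__(self):
        self.r = secrets.randbelow(Q - 1) + 1
        self.y = secrets.randbelow(Q)
        self.com = (pow(G, self.r, P), pow(G, self.y, P))

    def equivocate(self, m):
        return (m, (self.y - m) * pow(self.r, -1, Q) % Q)


def relaxed_broadcast(msg, adversary):
    """F_RBC [HZ10]: the adversary sees msg first and may corrupt whoever sent
    it and substitute any value; otherwise msg reaches every recipient."""
    replacement = adversary.react(msg)
    return msg if replacement is None else replacement


class TargetedAdversary:
    """Adaptive adversary in the spirit of page 12: corrupts the sender of a
    message only once it sees `target` in the clear, then substitutes
    `substitute`.  May corrupt at most `budget` parties in total."""

    def __init__(self, target, substitute, budget):
        self.target, self.substitute, self.budget = target, substitute, budget
        self.corrupted = 0

    def react(self, msg):
        # Openings are tagged ("open", m, x); commitments ("com", h, c) hide m.
        seen = msg[1] if isinstance(msg, tuple) and msg[0] == "open" else msg
        if seen != self.target or self.corrupted >= self.budget:
            return None
        self.corrupted += 1
        if isinstance(msg, tuple):
            # Without log_g h the best it can do is reuse x with a new message.
            return ("open", self.substitute, msg[2])
        return self.substitute


def plain_rbc_broadcast(m, n_receivers, adversary):
    """Using F_RBC directly as the broadcast channel: every receiver outputs
    whatever the functionality delivers."""
    return [relaxed_broadcast(m, adversary)] * n_receivers


def wrapped_broadcast(m, n_receivers, adversary):
    """Pages 18-19 protocol.  Returns {receiver index: output} for the
    receivers the adversary did not corrupt."""
    com, opening = honest_commit(m)
    # 1. Commitment over F_RBC: the adversary sees only com, which hides m.
    delivered = relaxed_broadcast(("com",) + com, adversary)[1:]
    # 2. Opening over secure point-to-point channels: the adversary sees nothing.
    sent = [("open",) + opening] * n_receivers
    # 3. Each receiver rebroadcasts its opening over F_RBC.
    announced = [relaxed_broadcast(o, adversary) for o in sent]
    honest = [i for i in range(n_receivers) if announced[i] == sent[i]]
    # 4. Everyone outputs the message of the first opening that verifies.
    for o in announced:
        if verify(delivered, o[1:]):
            return {i: o[1] for i in honest}
    return {i: None for i in honest}


if __name__ == "__main__":
    print(plain_rbc_broadcast(5, 3, TargetedAdversary(5, 9, 3)))  # [9, 9, 9]
    print(wrapped_broadcast(5, 3, TargetedAdversary(5, 9, 2)))    # {2: 5}
    sim = Simulator()
    print(verify(sim.com, sim.equivocate(7)), verify(sim.com, sim.equivocate(300)))  # True True
```

Run directly, the first line shows FRBC alone failing as on page 12: the adversary sees v = 5, corrupts the sender and every receiver ends with 9. The second line shows the wrapper: the adversary only sees the value once openings are rebroadcast in step 3, and the openings it substitutes (which reuse the x it saw) fail verification, so the remaining honest receiver outputs 5. The last line is the page 20 simulation argument in miniature: the same commitment opens to two different messages, which only a party that knows log_g h can do.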

Page 22

Our Result (Summarized)

Assuming a PKI and digital signatures, there exists a (universally composable) broadcast protocol secure against adaptive corruption of any t < n parties

Page 23

Applications to Secure Computation

Protocols for secure computation are typically designed/analyzed assuming a broadcast channel

Plug in a protocol that realizes FBC to get security when run over a point-to-point network

Can we use a protocol realizing FRBC instead?

Better efficiency…?

Secure computation in the [HZ10] network model?

We observe that FRBC suffices for most specific constructions

Messages broadcast are always commitments to some value

Page 24

Summary

Adaptively secure broadcast for t < n

Assuming the ‘standard’ synchronous communication model

Our result:

Matches the threshold for statically secure broadcast

Requires no additional setup or assumptions

Can be safely used within arbitrary other protocols

Page 25

Thank You