Polling With Physical Envelopes: A Rigorous Analysis of a Human–Centric Protocol

Tal Moran, joint work with Moni Naor

PowerPoint presentation (31 slides)

Page 1: Polling With Physical Envelopes: A Rigorous Analysis of a Human–Centric Protocol

Polling With Physical Envelopes
A Rigorous Analysis of a Human–Centric Protocol

Tal Moran

Joint work with Moni Naor

Page 2

Cryptographic Randomized Response

- “Randomized Response Technique” [War65]: a method for polling stigmatizing questions.
  - Idea: lie with a known probability.
  - Specific answers are deniable; aggregate results are still valid.
- Problem: responders may have an incentive to cheat (e.g., pre-election polls).
- CRRT [AJL04]: use cryptographic techniques to prevent cheating.
  - Uses ZK, OT or quantum cryptography.
  - Requires either computers or quantum equipment.

Page 3

CRRT and AnthropoCryptography

- The responder’s trust is critical when polling sensitive questions.
- We can’t assume responders have knowledge of computers or cryptography.
- Our protocols must take into account human abilities and limitations.
- Previous work:
  - Visual Cryptography [NS94]
  - Private computation using a Pez dispenser [BCIK03]
  - “Applied Kid Cryptography” [NNR]
  - Basing Cryptographic Protocols on Tamper-Evident Seals [MN05]

Page 4

Our Results

- Protocols for CRRT using scratch-off cards and envelopes, simple enough to be practical.
- Our protocols are secure in Canetti’s UC model, which allows secure black-box composition.
- Lower bounds on implementations of “Strong” CRRT.

Page 5

Scratch-Off Cards and Envelopes

- Contain a “sealed” message.
- The message can’t be read without breaking the seal.
- It is evident when the seal is broken.

Page 6

p-CRRT: What we would like

- Assume the answer to the poll is either 0 or 1; p is fixed, with ½ < p < 1.
- The responder chooses one of two strategies:
  1. The result is 0 with probability p and 1 with probability 1-p.
  2. The result is 1 with probability p and 0 with probability 1-p.
- The responder cannot influence the output beyond choosing the strategy.
- The pollster gets no additional information about the strategy chosen beyond the result itself.

Page 7

p-CRRT: What we can get

- Assume the answer to the poll is either 0 or 1; p is fixed, with ½ < p < 1.
- The responder chooses one of two strategies:
  1. The result is 0 with probability p and 1 with probability 1-p.
  2. The result is 1 with probability p and 0 with probability 1-p.
- “Responder-Immune”: the responder cannot influence the output beyond choosing the strategy; the pollster can learn the strategy, but risks getting caught.
- “Pollster-Immune”: the pollster gets no additional information about the strategy chosen beyond the result itself; the responder can influence the output, but risks getting caught.

Page 8

Pollster-Immune ¾-CRRT (with Scratch-Off Cards)

- Alice prepares a card with two rows, each containing a 0 and a 1 in random order, and sends it to Bob.
- Bob scratches a random bubble in each row.
- He then scratches the entire row that has not revealed his choice (if both revealed bubbles are identical, he scratches a random row).
- If a fully revealed row is invalid, Bob halts; otherwise he returns the card to Alice.
- If there are not exactly 3 scratched bubbles, or if Bob halts, Alice outputs ?; otherwise Alice counts the singleton (the value revealed in the row with a single scratched bubble).

[Figure: a card with two rows, each holding a 0 and a 1 in random order; Bob is rooting for “0”.]

Page 9

Pollster-Immune CRRT: “Intuitive Analysis”

- An honest responder gets his wish with probability ¾.
- A cheating responder can’t force anything better:
  - Without scratching a second bubble in a row, he has no more information than the honest responder.
  - Deciding to scratch another bubble “commits” him to that row (before he gets the information).
- A cheating responder can refuse to return the card; the pollster will realize this.

[Figure: the four possible outcomes of Bob’s first two scratches on a card.]
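The ¾ figure and the "refuse to return the card" cheat from pages 8 and 9 can be checked exhaustively, since the whole protocol has only 32 equally likely random choices (the order of the two bubbles in each row, Bob's first scratch in each row, and his tie-break). The code below is an added example, not the authors' code; it models the card protocol exactly as the slides describe it and enumerates every outcome with exact fractions. The only modelling choice that is mine is the `halt_if_unwanted` flag, which stands for a cheating Bob who keeps the card whenever the singleton is not the answer he wanted.

```python
from fractions import Fraction
from itertools import product

# An honest pollster's row holds one 0 and one 1 in random order.
VALID_ROWS = ((0, 1), (1, 0))


def run_card_protocol(card, picks, tiebreak, v, halt_if_unwanted=False):
    """One execution of the pollster-immune 3/4-CRRT card protocol.

    card     -- (top_row, bottom_row), each row a pair of sealed bubble values
    picks    -- index of the bubble Bob scratches first in each row
    tiebreak -- row Bob fully scratches when both first bubbles show the same value
    v        -- the answer Bob wants recorded
    halt_if_unwanted -- model a cheating Bob who keeps the card whenever the
                        singleton is not v (the only cheat available to him)
    Returns Alice's output: 0, 1 or '?' (Bob halted or did not return the card).
    """
    first = (card[0][picks[0]], card[1][picks[1]])
    if first[0] != first[1]:
        # Exactly one row revealed his choice: fully scratch the other one.
        full_row = 1 if first[0] == v else 0
    else:
        full_row = tiebreak
    # Bob inspects the fully revealed row; a row without both a 0 and a 1 is invalid.
    if sorted(card[full_row]) != [0, 1]:
        return '?'
    singleton = first[1 - full_row]
    if halt_if_unwanted and singleton != v:
        return '?'
    # The card comes back with exactly three scratched bubbles; Alice counts the singleton.
    return singleton


def outcome_distribution(v, halt_if_unwanted=False):
    """Exact distribution of Alice's output over the 32 equally likely
    combinations of card layout, Bob's first scratches and his tie-break."""
    dist = {}
    for card in product(VALID_ROWS, repeat=2):
        for picks in product((0, 1), repeat=2):
            for tiebreak in (0, 1):
                out = run_card_protocol(card, picks, tiebreak, v, halt_if_unwanted)
                dist[out] = dist.get(out, Fraction(0)) + Fraction(1, 32)
    return dist


if __name__ == "__main__":
    print("honest responder wanting 1:", outcome_distribution(1))
    print("responder who halts when unlucky:", outcome_distribution(1, halt_if_unwanted=True))
```

For an honest Bob the output is his wish with probability exactly ¾ and the opposite with ¼. The halting cheater never gets the opposite answer recorded, but every case where he would have lost turns into a ? rather than a 1, so his refusals are visible to the pollster exactly as often as the honest protocol would have gone against him.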

Page 10

Responder-Immune 2/3-CRRT (with Envelopes)

- Bob takes three envelopes. He chooses two at random to contain his choice; the remaining envelope contains the opposite value.
- Bob seals the envelopes and sends them to Alice.
- Alice opens a random envelope and shows Bob which one she opened.
- Bob tells Alice which envelope contains the opposite choice.

Page 11

Responder-Immune 2/3-CRRT (with Envelopes)

- If Bob was honest:
  - Alice records the first envelope she opened as her output.
  - Alice returns the unopened envelope to Bob.
- If Bob cheated, Alice opens all the envelopes:
  - If they are not identical, Alice records the first envelope she opened as the output.
  - If they are identical, Alice records their value with probability 2/3 and the opposite value with probability 1/3.

[Figure: three identical “0” envelopes; output 0 with prob. 2/3, 1 with prob. 1/3.]

Page 12

Responder-Immune CRRT: “Intuitive Analysis”

- Bob gets his wish with probability 2/3.
- Bob can’t cheat at all:
  - If Bob uses three identical envelopes, he will be caught with probability 1 (then Alice simulates an honest Bob to get her response).
  - If Bob answers Alice’s query incorrectly, she will simply open the envelopes and discover the correct answer herself.
- Alice can cheat: she can open the envelopes (but will be caught).
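The envelope protocol of pages 10 to 12 is small enough to enumerate as well. The code below is an added example, not the authors' code. The slides do not spell out how Alice checks Bob's answer, so the code assumes she opens the envelope he named (or, if he named the one she already opened, one more envelope) and treats a value that does not differ from her first envelope as evidence of cheating; everything after that point follows page 11 literally. Three responder behaviours are modelled: an honest Bob, one who sends three identical envelopes, and one who names the wrong envelope.

```python
from fractions import Fraction


def envelope_protocol(envelopes, alice_pick, claimed_odd):
    """One run of the responder-immune 2/3-CRRT with envelopes.

    envelopes   -- the three sealed bits Bob prepared
    alice_pick  -- index of the envelope Alice opens at random
    claimed_odd -- index Bob names as the envelope holding the opposite value
    Returns (distribution of Alice's recorded output, whether Bob was caught).
    The distribution is a dict because Alice flips a 2/3-1/3 coin when she has
    to simulate an honest Bob.
    """
    first = envelopes[alice_pick]
    # Assumed verification step: Alice opens the envelope Bob named (or, if he
    # named the one already open, one more) and checks that it holds the
    # opposite value. If it does, Bob looks honest: she records the first
    # envelope and returns the remaining one unopened.
    check = claimed_odd if claimed_odd != alice_pick else (alice_pick + 1) % 3
    if envelopes[check] != first:
        return {first: Fraction(1)}, False
    # Bob's answer was wrong: Alice opens all the envelopes.
    if len(set(envelopes)) == 2:
        return {first: Fraction(1)}, True                   # not identical
    return {first: Fraction(2, 3), 1 - first: Fraction(1, 3)}, True  # all identical


def honest_answer(pick, envelopes):
    """An honest Bob names the envelope whose value occurs only once."""
    return min(range(3), key=lambda i: envelopes.count(envelopes[i]))


def output_distribution(envelopes, answer=honest_answer):
    """Average over Alice's uniformly random first pick.
    answer(pick, envelopes) is Bob's reply once he sees which envelope was opened.
    Returns (distribution of Alice's output, probability Bob is caught)."""
    dist, caught = {}, Fraction(0)
    for pick in range(3):
        sub, was_caught = envelope_protocol(envelopes, pick, answer(pick, envelopes))
        for value, prob in sub.items():
            dist[value] = dist.get(value, Fraction(0)) + prob / 3
        if was_caught:
            caught += Fraction(1, 3)
    return dist, caught


if __name__ == "__main__":
    print("honest Bob wanting 1:        ", output_distribution((1, 1, 0)))
    print("three identical envelopes:   ", output_distribution((1, 1, 1)))
    print("always names envelope 0:     ", output_distribution((1, 1, 0), lambda pick, env: 0))
```

All three behaviours give Alice the same output distribution, 2/3 for Bob's value and 1/3 for the opposite: the output is fixed by the envelope she opened before Bob says anything, his answer only lets her verify the card, and three identical envelopes are detected every time and replaced by Alice's own 2/3 coin.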

Page 13

Why is Efficient Strong CRRT Hard?

CRRT is connected to two well-studied cryptographic tasks:

- Oblivious Transfer
  - We can build OT from some types of CRRT [Crépeau, Kilian ’88], [DKS ’99], [DFMS ’04].
  - OT is impossible using scratch-off cards (or envelopes) [MN05].
- Strong Coin Flipping
  - Some types of CRRT imply Strong Coin Flipping.
  - Lower bound on the number of rounds required [Cleve ’86].

Page 14

Rigorous Analysis

- We define security using “Ideal Functionalities”:
  - An Ideal Functionality is a trusted third party.
  - We specify the behavior of the functionality.
  - The specification explicitly states what the adversary is allowed to do.
- A protocol “realizes” the functionality if any attack against the protocol also works in the “ideal world”.

Page 15

Proofs in the UC (hybrid) Model

- A protocol securely realizes a target functionality if there exists an ideal adversary S such that: for any real adversary A, no “environment” Z can distinguish between the real world with A and the ideal world with S.

[Diagram: the ideal world (environment machine Z, dummy parties passing input/output to the target ideal functionality, “ideal” adversary S) beside the real world (environment machine Z, parties running the protocol with a client ideal functionality, “real” adversary A).]

Page 16

Proofs in the UC (hybrid) Model: “Real World”

[Diagram: environment machine Z gives input to and receives output from two parties, which interact through a client ideal functionality (e.g., scratch-off card) under the “real” adversary A.]

- Parties follow the protocol (using the client functionality).
- A controls and sees the communication of corrupted parties.

Page 17

Proofs in the UC (hybrid) Model: “Ideal World”

[Diagram: environment machine Z gives input to and receives output from two dummy parties connected to the target ideal functionality (e.g., CRRT functionality) under the “ideal” adversary S.]

- Dummy parties pass their input and output to and from the target functionality.
- S controls and sees the communication of corrupted parties.

Page 18

Proofs in the UC (hybrid) Model: Standard Construction

[Diagram: the ideal adversary S internally runs a simulated “real” adversary A together with simulated parties and a simulated client ideal functionality; S sits between the environment machine Z, the dummy parties and the target ideal functionality.]

Page 19

The Ideal Adversary: Corrupt Pollster

- Send Begin to the CRRT functionality and wait for the response v’.
- Simulate the real adversary until it sends a card (simulating the scratch-off card functionalities).
- The ideal adversary knows the values of the sealed bubbles without opening them!

[Diagram: the corrupted pollster (“real” adversary) sends Begin to the CRRT ideal functionality, the responder sends Vote v, and the functionality returns v’ to the pollster.]

Page 20

The Ideal Adversary: Corrupt Pollster

- If exactly one row is bad:
  - If it’s equal to v’, scratch the other row and randomly scratch one bubble in that row.
  - Otherwise, simulate the responder halting.

[Figure: “Real Life” vs. “Ideal Setting” for a card with one bad row and v=1: each of the four first-scratch patterns occurs with prob. ¼; v’=0 with prob. ¼ and v’=1 with prob. ¾.]

Page 21

Summary

- Shown two simple CRRT protocols.
- Evidence that Strong CRRT is hard.
- Sketch of a formal UC proof.
- Open questions:
  - Complete lower bound on Strong CRRT.
  - Strong CRRT using other physical assumptions?

Page 22

The End

Page 23

The Ideal Adversary: Corrupt Responder

- Wait for the CRRT functionality to send Vote.
- Simulate the pollster sending a card to the real adversary.
- Note that the ideal adversary is not committed until the bubbles are actually scratched!

[Diagram: the pollster sends Begin to the CRRT ideal functionality; the functionality sends Vote to the corrupted responder (“real” adversary); the simulated card is still entirely unscratched.]

Page 24

The Ideal Adversary: Corrupt Responder

- If Vote=1, the first bubble scratched in every row will be 1.
- If Vote=0, the first bubble scratched in every row will be 0.
- If Vote=‘?’, the simulator chooses a random bit b:
  - the first bubble scratched in the top row will be b;
  - the first bubble scratched in the bottom row will be 1-b.

[Figure: the simulated cards for the three cases.]

Page 25

The Ideal Adversary: Corrupt Responder

- The simulation continues until the “real” adversary returns the card or halts.
- If the card is valid, send Vote v to the functionality (v is the vote corresponding to the card).
- If the card is invalid, send Halt to the functionality.

[Diagram: a returned card corresponds to Vote 0 sent to the CRRT ideal functionality and output 0 to the pollster; a halt corresponds to Halt sent to the functionality and output ? to the pollster.]

Page 26

The Ideal Adversary: Corrupt Pollster

- If both rows are valid, randomly choose a row to “scratch” and scratch v’ in the other row.

[Figure: “Real Life” vs. “Ideal Setting” for a valid card with v=1: each of the four first-scratch patterns occurs with prob. ¼; v’=0 with prob. ¼ and v’=1 with prob. ¾.]

Page 27

The Ideal Adversary: Corrupt Pollster

- If both rows are bad, simulate the responder halting. This would happen with probability 1 in the “real world” as well.

[Figure: a card with rows “0 0” and “1 1”.]

Page 28

Approaching Strong CRRT

- Repeat the pollster-immune CRRT protocol r times; the pollster will use the majority of the results.
- If the responder cheats (refuses to return a card), the pollster will use random bits for the remaining rounds.
- A cheating responder has an advantage of O(1/√r) over an honest one:
  - He can cheat only once; this will affect the result only if the other rounds are balanced.
  - This occurs with probability O(1/√r).
- Using many rounds increases the pollster’s information, so the basic p-CRRT must have p close to ½.
- The result is very inefficient (and impractical).
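The two quantities this slide trades off against each other are both binomial sums: how often the majority of r rounds agrees with the responder's answer (the pollster's information, which grows with r), and how often the other r-1 rounds split evenly so that a single cheat can swing the majority (the cheater's advantage, which shrinks like 1/√r only when p is close to ½). The following is an added example, not the authors' code; the values of p and r it prints are constructed.

```python
from fractions import Fraction
from math import comb, pi, sqrt


def majority_agreement(p, r):
    """Probability that the majority of r independent p-CRRT rounds equals the
    responder's answer (r odd). This is the effective p of the composed protocol."""
    if r % 2 == 0:
        raise ValueError("use an odd number of rounds so the majority is defined")
    return sum(comb(r, i) * p**i * (1 - p)**(r - i) for i in range((r + 1) // 2, r + 1))


def balanced_probability(p, r):
    """Probability that the other r-1 rounds split evenly, the only situation in
    which the responder's single cheat can change the majority. For p = 1/2 this
    is C(r-1, (r-1)/2) / 2^(r-1), which behaves like sqrt(2 / (pi * (r-1)))."""
    m = r - 1
    return comb(m, m // 2) * (p * (1 - p)) ** (m // 2)


if __name__ == "__main__":
    for r in (3, 11, 21, 101):
        agree = float(majority_agreement(Fraction(3, 4), r))
        balanced = float(balanced_probability(Fraction(1, 2), r))
        print(f"r={r:3d}: majority agrees with a p=3/4 responder {agree:.4f}; "
              f"balanced prob. at p=1/2 {balanced:.4f} "
              f"(sqrt(2/(pi*(r-1))) = {sqrt(2 / (pi * (r - 1))):.4f})")
```

With p = ¾ and r = 21 the majority already agrees with the responder's true answer more than 98% of the time, so the deniability that a single ¾ round provided is gone; that is why the base protocol has to run with p close to ½, and at p = ½ the balanced probability, and with it the cheater's advantage, only decays like 1/√r.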

Page 29

Pollster-Immune p-CRRT (for any rational p=k/n)

- Alice prepares a card with two columns, one with k 0s and (n-k) 1s, and the other with k 1s and (n-k) 0s. She sends the card to Bob.
- Bob scratches a random bubble in each column.
- He then scratches the entire column that has not revealed his choice (if both revealed bubbles are identical, he scratches a random column).
- If a fully revealed column is invalid, Bob halts; otherwise he returns the card to Alice.
- If both columns have more than one scratched bubble, or if Bob halts, Alice outputs ?; otherwise Alice outputs the majority value in the singleton’s column.

[Figure: example cards with their two columns of bubbles.]

Page 30

Pollster-Immune p-CRRT: “Intuitive Analysis”

- Bob gets his wish with probability k/n: with probability k²/n² he uncovers the majority value in both columns, and with probability k(n-k)/n² = k/n - k²/n² he uncovers two equal values and chooses the right one.
- As in ¾-CRRT, all he can do to cheat is refuse to return the card.
- Alice can cheat by using an invalid column (e.g., all 1s):
  - She will be caught with probability ½.
  - This probability can be increased by using multiple cards: some will be used only for verification, using two identical columns.
- Gives only a small advantage when p is near ½.
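The k/n wish probability and the ½ detection probability from this slide can be checked by enumerating the p-CRRT card of page 29. The following is an added example, not the authors' code; it implements the column protocol as described (fully scratch the column that did not show Bob's value, halt if that column does not hold exactly k of one value, output the majority of the singleton's column) and averages over all of Bob's random choices exactly. The invalid column used to test detection is the "all 1s" example from the slide; the (k, n) values are constructed.

```python
from fractions import Fraction
from itertools import product


def honest_columns(k, n):
    """An honest card: one column with k 0s and n-k 1s, the other with k 1s and n-k 0s."""
    return ((0,) * k + (1,) * (n - k), (1,) * k + (0,) * (n - k))


def run_p_crrt(columns, k, picks, tiebreak, v):
    """One execution for a fixed card and fixed random choices by Bob.

    columns  -- the two columns of sealed bubbles
    k        -- the majority count Bob expects in a valid column
    picks    -- index of the bubble Bob scratches first in each column
    tiebreak -- column Bob fully scratches when both first bubbles agree
    v        -- the answer Bob wants recorded
    Returns Alice's output: 0, 1 or '?' (Bob halted).
    """
    n = len(columns[0])
    first = (columns[0][picks[0]], columns[1][picks[1]])
    if first[0] != first[1]:
        full = 1 if first[0] == v else 0   # fully scratch the column that did not show v
    else:
        full = tiebreak
    col = columns[full]
    # A valid column has exactly k bubbles of one value and n-k of the other.
    if sorted((col.count(0), col.count(1))) != sorted((k, n - k)):
        return '?'
    singleton_column = columns[1 - full]
    # Alice outputs the majority value of the column with a single scratched bubble.
    return max((0, 1), key=singleton_column.count)


def wish_probability(k, n, v):
    """Exact probability that Alice records v for an honest Bob who wants v,
    enumerating both column orders, all first scratches and the tie-break."""
    cols = honest_columns(k, n)
    total = wins = 0
    for order in (cols, cols[::-1]):
        for picks in product(range(n), repeat=2):
            for tiebreak in (0, 1):
                total += 1
                wins += run_p_crrt(order, k, picks, tiebreak, v) == v
    return Fraction(wins, total)


def detection_probability(k, n, bad_column, v):
    """Probability that Bob halts when Alice's first column is invalid
    (e.g. all 1s) and the second is one of the two honest columns."""
    caught = total = 0
    for good in honest_columns(k, n):
        for picks in product(range(n), repeat=2):
            for tiebreak in (0, 1):
                total += 1
                caught += run_p_crrt((bad_column, good), k, picks, tiebreak, v) == '?'
    return Fraction(caught, total)


if __name__ == "__main__":
    for k, n in ((2, 3), (3, 4), (5, 8)):
        print(f"k/n = {k}/{n}: wish probability {wish_probability(k, n, 1)}")
    all_ones = (1, 1, 1, 1)
    for v in (0, 1):
        print(f"all-1s column, Bob wants {v}: caught {detection_probability(3, 4, all_ones, v)}")
```

The wish probability comes out as exactly k/n for every (k, n), as the slide states. The detection probability of ½ is the average over a uniformly random response: the code shows that how often Bob's full scratch lands on the bad column depends on which value he wanted, and the two cases average to ½.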

Page 31

Pollster-Immune ¾-CRRT: Ideal Functionality

[State diagram]

- Initial State: on Received: Begin (from the pollster), perform a Random Coin Toss:
  - with Prob. ¼ go to Forcing response: 0 and Output 0 to responder;
  - with Prob. ¼ go to Forcing response: 1 and Output 1 to responder;
  - with Prob. ½ go to Responder can choose and Output ? to responder.
- Forcing response: 0: on Received: Vote *, Output 0 to pollster; on Received: Halt, Output ? to pollster.
- Forcing response: 1: on Received: Vote *, Output 1 to pollster; on Received: Halt, Output ? to pollster.
- Responder can choose: on Received: Vote 0, Output 0 to pollster; on Received: Vote 1, Output 1 to pollster; on Received: Halt, Output ? to pollster.
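The state diagram on this slide is the specification the real card protocol must match, and it is short enough to write down as a state machine and run. The code below is an added example, not the authors' code; it transcribes the states, coin-toss probabilities and messages exactly as the slide shows them and, by passing the coin outcome in explicitly, enumerates the pollster's output distribution for an honest responder and for the one cheating behaviour the functionality allows (sending Halt after being told a forced bit). The state names and message encodings are mine.

```python
from fractions import Fraction


class PollsterImmuneCRRT:
    """Ideal functionality for pollster-immune 3/4-CRRT, transcribed from the
    state diagram (added example). The coin toss result is passed in so every
    branch can be enumerated exactly:
      0 or 1 -> 'Forcing response' state; the responder is told the forced bit
      '?'    -> 'Responder can choose' state; the responder is told '?'
    """
    COIN_TOSS = {0: Fraction(1, 4), 1: Fraction(1, 4), '?': Fraction(1, 2)}

    def __init__(self, coin):
        if coin not in self.COIN_TOSS:
            raise ValueError("coin must be 0, 1 or '?'")
        self.coin = coin
        self.state = 'Initial State'
        self.output_to_responder = None
        self.output_to_pollster = None

    def receive(self, sender, message):
        if self.state == 'Initial State':
            if (sender, message) != ('pollster', 'Begin'):
                raise ValueError('expected Begin from the pollster')
            # Random Coin Toss: tell the responder whether the answer is forced.
            self.output_to_responder = self.coin
            self.state = 'Forcing response' if self.coin in (0, 1) else 'Responder can choose'
        elif self.state in ('Forcing response', 'Responder can choose'):
            if sender != 'responder':
                raise ValueError('expected Vote or Halt from the responder')
            if message == 'Halt':
                self.output_to_pollster = '?'
            elif isinstance(message, tuple) and message[0] == 'Vote' and message[1] in (0, 1):
                if self.state == 'Forcing response':
                    # Received: Vote * -- whatever he votes, the forced bit is output.
                    self.output_to_pollster = self.coin
                else:
                    # Received: Vote 0 / Vote 1 -- the responder decides.
                    self.output_to_pollster = message[1]
            else:
                raise ValueError(f'unexpected message {message!r}')
            self.state = 'Done'
        else:
            raise ValueError('functionality already finished')


def ideal_distribution(responder):
    """Exact distribution of the pollster's output, averaged over the coin toss.
    responder(told) returns the responder's message ('Halt' or ('Vote', b))
    after the functionality has told it 0, 1 or '?'."""
    dist = {}
    for coin, prob in PollsterImmuneCRRT.COIN_TOSS.items():
        f = PollsterImmuneCRRT(coin)
        f.receive('pollster', 'Begin')
        f.receive('responder', responder(f.output_to_responder))
        dist[f.output_to_pollster] = dist.get(f.output_to_pollster, Fraction(0)) + prob
    return dist


def honest_responder(v):
    """Always votes v, whatever the functionality tells it."""
    return lambda told: ('Vote', v)


def halting_responder(v):
    """The one deviation the functionality permits: Halt when the forced bit is not v."""
    return lambda told: 'Halt' if told in (0, 1) and told != v else ('Vote', v)


if __name__ == "__main__":
    print("honest responder wanting 1:", ideal_distribution(honest_responder(1)))
    print("responder who halts when forced the other way:", ideal_distribution(halting_responder(1)))
```

An honest responder's wish is recorded with probability ¾ and the opposite with ¼, and the halting responder converts the unwanted ¼ into ? outputs: these are exactly the distributions the card protocol of pages 8 and 9 produces, which is what the simulators on pages 19 to 27 have to reproduce for the UC proof.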