polling with physical envelopes a rigorous analysis of a human–centric protocol
DESCRIPTION
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol. Tal Moran Joint work with Moni Naor. Cryptographic Randomized Response. “Randomized Response Technique” [War65] Method for polling stigmatizing questions Idea: Lie with known probability. - PowerPoint PPT PresentationTRANSCRIPT
Polling With Physical EnvelopesA Rigorous Analysis of aHuman–Centric Protocol
Tal Moran
Joint work with Moni Naor
Cryptographic Randomized Response
“Randomized Response Technique” [War65] Method for polling stigmatizing questions Idea: Lie with known probability.
Specific answers are deniable Aggregate results are still valid
Problem: responders may have incentive to cheat E.g., Pre-election polls
CRRT [AJL04]: Use cryptographic techniques to prevent cheating Uses ZK, OT or quantum cryptography Requires either computers or quantum equipment
CRRT and AnthropoCryptography
Responder’s trust is critical when polling sensitive questions
We can’t assume responders have knowledge of computers or cryptography
Our protocols must take into account human abilities and limitations:
Previous Work Visual Cryptography [NS94] Private computation using a Pez dispenser [BCIK03] “Applied Kid Cryptography” [NNR] Basing Cryptographic Protocols on
Tamper-Evident Seals [MN05]
Our Results
Protocols for CRRT using scratch-off cards and envelopes Simple enough to be practical
Our protocols are secure in Canetti’s UC model Allows secure black-box composition
Lower bounds on Implementations of “Strong” CRRT.
Scratch-Off Cards and Envelopes
Contain a “sealed” message
Can’t read the message without breaking the seal
It is evident when the seal is broken
NextTime!
p-CRRT: What we would like
Assume the answer to the poll is either 0 or 1,p is fixed: ½<p<1
Responder chooses one of two strategies:
1. Result is 0 with prob. p and 1 with prob. 1-p2. Result is 1 with prob. p and 0 with prob. 1-p
Responder cannot influence the output beyond choosing the strategy
The pollster gets no additional information about the strategy chosen beyond the result itself.
p-CRRT: What we can get Assume the answer to the poll is either 0 or 1,
p is fixed: ½<p<1 Responder chooses one of two strategies:
1. Result is 0 with prob. p and 1 with prob. 1-p2. Result is 1 with prob. p and 0 with prob. 1-p
Responder cannot influence the output beyond choosing the strategy; Pollster can learn the strategy, but risks getting caught.
“Responder-Immune” The pollster gets no additional information about the
strategy chosen beyond the result itself; Responder can influence output, but risks getting caught
“Pollster-Immune”
Pollster-Immune ¾-CRRT(with Scratch-Off Cards) Alice prepares a card with two rows,
each with a 0 and 1 in random order and sends to Bob
Bob scratches a random bubble in each row.
Then the entire row that has not revealed his choice Scratch random row if identical
If a revealed row is invalid, Bob halts; otherwise returns the card to Alice.
If there ≠3 scratched bubbles, or if Bob halts, Alice outputs ? otherwise Alice counts the singleton
00 11
0011
Go “0”s!!!
Pollster-Immune CRRT: “Intuitive Analysis” An honest responder gets her
wish with probability ¾
A cheating responder can’t force anything better: Without scratching more than
one bubble he has no more information than the honest responder
Deciding to scratch another bubble “commits” him to that row (before he gets the information)
A cheating reponder can refuse to return the card Pollster will realize this
00 11
0011
00 11
0011
00 11
0011
00 11
0011
Responder-Immune 2/3-CRRT(with Envelopes) Bob takes three envelopes.
He chooses two at random to contain his choice; the remaining envelope contains the opposite
Bob seals the envelopes and sends them to Alice
Alice opens a random envelope She shows Bob which one she
opened
Bob tells Alice which envelope contains the opposite choice
Responder-Immune 2/3-CRRT(with Envelopes) If Bob was honest
Alice records the first envelope she opened as her output
Alice returns the unopened envelope to Bob
If Bob cheated Alice opens all the envelopes If they are not identical, Alice records
the first envelope she opened as the output.
If they are identical, Alice records their value with prob. 2/3 and the opposite value with prob. 1/3
00: 2/31: 1/3
Responder-Immune CRRT: “Intuitive Analysis” Bob gets his wish with probability 2/3 Bob can’t cheat at all:
If Bob uses three identical envelopes, he will be caught with prob. 1 (then Alice simulates an honest Bob to get her response)
If Bob answers Alice’s query incorrectly, she will simply open the envelopes and discover the correct answer herself.
Alice can cheat: she can open the envelopes (but will be
caught)
Why is Efficient Strong CRRT Hard? CRRT is connected to two well-studied crytpographic
tasks:
Oblivious Transfer We can build OT from some types of CRRT
[Crépeau,Kilian ’88], [DKS ’99], [DFMS ’04]
OT is impossible using scratch-off cards (or envelopes)[MN05]
Strong Coin Flipping Some types of CRRT imply Strong Coin Flipping
Lower bound on the number of rounds required [Cleve ’86]
Rigorous Analysis
We define security using “Ideal Functionalities” An Ideal Functionality is a trusted third party We specify the behavior of the functionality The specification explicitly states what the
adversary is allowed to do
A protocol “realizes” the functionality if any attack against the protocol also works in the “ideal world”
Proofs in the UC (hybrid) Model
A protocol securely realizes a target functionality if: There exists an ideal adversary S so that:
For any real adversary A, no “environment” Z can distinguish between real world with A and the ideal world with S
Environment Machine Z
TargetIdeal Functionality
Dummy
“Ideal” Adversary S
Dummy
input
output
input
output
Environment Machine Z
ClientIdeal Functionality
Party
input
output
“Real” Adversary A
Party
input
output
Proofs in the UC (hybrid) Model“Real World”
Environment Machine Z
ClientIdeal Functionality
(e.g., Scratch-off card)
Party
input
output
“Real” Adversary A
Party
input
output
Parties follow protocol (using client functionality)
A controls and sees communication of corrupted parties
Proofs in the UC (hybrid) Model“Ideal World”
Environment Machine Z
TargetIdeal Functionality
(e.g.,CRRT func.)
Dummy
“Ideal” Adversary S
Dummy
input
output
Dummy parties pass their input and output to and from the target functionality
S controls and sees communication of corrupted parties
input
output
TargetIdeal Functionality
Dum
my
Dum
my inpu
t
output
inpu
t
output
Proofs in the UC (hybrid) ModelStandard Construction
SimulatedClientIdeal
FunctionalitySim.Party
input
output
Simulated “Real” Adversary A
Sim.Party
input
output
“Ideal” Adversary S
Environment Machine Z
00 11
0011
The Ideal Adversary: Corrupt Pollster Send Begin to CRRT
functionality, wait for response v’
Simulate real adversary until it sends card (simulating the scratch-off card functionalities) The ideal adversary
knows the values of the sealed bubbles without opening them!
CRRT Ideal
FunctionalityPollster
Resp.
Begin
v
v
Vote
v’
“Real”Adversary
The Ideal Adversary: Corrupt Pollster If exactly one row is bad:
if it’s equal to v’, scratch the other row and randomly scratch one bubble in that row.
otherwise simulate responder halting
00 00
0011
“Real Life” Ideal Setting
v=1
r=0
v=1
r=1
00 000011
00 000011
00 000011
00 110011
00 000011
00 000011
00 000011
¼ ¼ ¼ ¼ ¼: v’=0 ¾: v’=1
00 000011
11 110011
11 110011
11 110011
11 110011
11 110011
11 110011
£2
£2 £2
11 00
0011
00 110011
£3
£3
£2
Summary
Shown two simple CRRT protocols Evidence that Strong CRRT is hard Sketch of formal UC proof
Open questions Complete lower bound on Strong CRRT Strong CRRT using other physical
assumptions?
The End
?? ??
????
The Ideal Adversary: Corrupt Responder
Wait for CRRT functionality to send Vote
Simulate pollster sending a card to the real adversary Note that the ideal
adversary is not committed until the bubbles are actually scratched!
CRRT Ideal
FunctionalityPollster
Resp.
Begin
v
Vote
“Real”Adversary
The Ideal Adversary: Corrupt Responder If Vote=1, the first
bubble scratched in every row will be 1
If Vote=0, the first bubble scratched in every row will be 0
If Vote=‘?’, the simulator chooses a random bit b the first bubble
scratched in the top row will be b
the first bubble scratched in the bottom row will be 1-b
11 00
0011
00 11
0011
00 11
1100
The Ideal Adversary: Corrupt Responder Simulation continues
until the “real” adversary returns the card or halts.
If the card is valid, send Vote v to the functionality (v is the vote corresponding to the card)
If the card is invalid, send Halt to the functionality
CRRT Ideal
FunctionalityPollster
Resp.
Begin
Vote
“Real”Adversary
00 11
1100
0
0
Halt
?
The Ideal Adversary: Corrupt Pollster If both rows are valid,
randomly choose a row to “scratch” Scratch v’ in other row
00 11
0011
“Real Life” Ideal Setting
v=1
00 110011
00 110011
00 110011
00 110011
00 110011
00 110011
00 110011
00 110011
00 110011
00 110011
¼ ¼ ¼ ¼ ¼: v’=0 ¾: v’=1
£2
£2
£3
£3
The Ideal Adversary: Corrupt PollsterIf both rows are bad, simulate
the responder halting This would happen with prob. 1 in
the “real world” as well
00 00
1111
Approaching Strong CRRT
Repeat the pollster-immune CRRT protocol r times The pollster will use the majority of the results If the responder cheats (refuses to return a card), the pollster will
use random bits for the remaining rounds A cheating responder has advantage O(1/√r) over an
honest one Can cheat only once; this will affect the result only if the other
rounds are balanced This occurs with probability O(1/√r)
Using many rounds increases the pollster’s information The basic p-CRRT must have p close to ½ The result is very inefficient (and impractical)
Pollster-Immune p-CRRT(for any rational p=k/n) Alice prepares a card with two columns, one with k 0s and (n-k) 1s,
and the other with k 1s and (n-k) 0s. She sends the card to Bob
Bob scratches a random bubble in each column.
Then the entire row that has not revealed his choice Scratch random row if identical
If a revealed row is invalid, Bob halts; otherwise returns the card to Alice.
If both rows have >1 scratched bubbles, or if Bob halts, Alice outputs ? otherwise Alice outputs the majority value in the singleton’s row
00 11
0000
00 00
1111
11 11
Pollster-Immune p-CRRT:“Intuitive Analysis” Bob gets his wish with probability k/n:
With prob. k2/n2 he uncovers the majority value in both rows, and with prob. k(n-k)/n2=k/n-k2/n2 he uncovers two equal values and chooses the right one.
As in ¾-CRRT, all he can do to cheat is refuse to return the card.
Alice can cheat by: using an invalid row (e.g., all 1s)
She will be caught with prob. ½ This probability can be increased by using multiple cards:
some will be only for verification using two identical rows
Gives only a small advantage when p is near ½
Pollster-Immune ¾-CRRT: Ideal Functionality
Initial State
Forcing response:0
Respondercan choose
Forcing response: 1
Random Coin Toss
Output 0to responder
Output 1to responder
Output ?to responder
Output 0to pollster
Output 1to pollster
Output ? to pollster
Prob. ¼ Prob. ¼
Prob. ½
Received: Begin
Received:Halt
Received:Halt
Received: Vote *
Received: Vote 1
Received:Halt
Received:Halt
Received: Vote 0
Received: Vote *