School on Secure Multiparty Computation - IIT Bombaymp/crypto/mpc2017/slides/day2/arpita-OT.pdf ·...

ObliviousTransfer(OT)andOTExtension

ArpitaPatra

©Arpita Patra

SchoolonSecureMultipartyComputation

Roadmap

o ObliviousTransfer

o OTExtension

- IKNPOTextension

- Constructionfrom`special’PKE

o TracingthejourneyofOTextensionandsomeopenquestions

ObliviousTransfer

S Rm0

m1

b

mb

b=? m1-b =?

- Complete forMPC

- Usedinbothtraditionalapproaches:Yao(perinput)andGMW(perANDgate)

- OTformsthebasisformostofthepracticalMPCs/2PCs,specialpurposeproblemsPSI

- OTsareintrinsicallyexpensive- usuallybasedonpublickeyprimitives

- AESCircuit:MillionsofANDgates

SettingthestageforOTExtension

- Smallno.Xàmanyno.X

o PRG: TrulyRandomshortSeedà huge(pseudo-)randomstring

o HybridEncryption(HE): oneinstanceofPKEàmanyinstancesofPKE@SKEoperations

- X(task/object):executing/generatingXisnotveryefficient

sÎR {0,1}k PRG(s)Î {0,1}p(k)

PKE

PKE

PKE

PKE

PRG

HE

OTExtension:Fromsmalltomany

OT1

OT2

OTk

OT1

OT2

OT3

OTp(k)SKEoperations

>OTExtisnotpossibleinformationtheoretically[Bea96]

>OTExtimpliesOWF[LZ13]

OTExtension

k:securityparameter

FirstworktotellusaboutOTExt

RoadmapforBuildingOTExtension[IKNP03]

OT1

OT2

OTk

OT1

OT2

OT3

OTm

kbitinputs

OT1

OT2

OTk

m(=poly(k))>kbitinputs

lbitinputs

x10x11x20x21

x30x31

xm0xm1

b1

b2

b3

bm

x1b1

x2b2

xmbm

x3b3

DomainExtension OTExtensionkOTswithkbitinputs

kOTswithm>kbitinputs

mOTswithm>kbitinputs

OT

kbitinputs

mbitinputs

TransformationI:DomainExtension

k0k1

b

kbP0 P1

m0

m1

y0=G(k0)+m0

y1 =G(k1)+m1

y0,y1 mb =G(kb)+yb


OT1

OT2

OTk

OT1

OT2

OT3

OTm

kbitinputs

OT1

OT2

OTk


lbitinputs

x10x11x20x21

x30x31

xm0xm1

b1

b2

b3

bm

x1b1

x2b2

xmbm

x3b3




TransformationII:OTExtension

B=[b1,…bm]P0 P1

T=T1T2.Tm

Q=Q1=T1(ifb1 =0)/ T1+S(otherwise)Q2=T2(ifb2 =0)/ T2+S(otherwise)

Qm=Tm(ifbm =0)/ Tm+S(otherwise)

RandomS isknowntoP0only |Ti| =k

x10 b1

x11

xm0 bm

xm1

OT1

OTm


B=[b1,…bm]

P0 P1

y10=Q1 +x10y11 =Q1+S+x11

(y10,y11)……..(ym0,ym1)

x1 b1 =T1 +y1 b1

x10x11x20x21

xm0xm1

ym0=Qm +xm0

ym1 =Qm+S+xm1xm bm =Tm +ym bm

There’saBug!

T=T1T2.Tm




B=[b1,…bm]

P0 P1

(y10,y11)……..(ym0,ym1)

CorrelationRobustH:[m]× {0,1}k ->{0,1}l

y10=H(1,Q1)+x10y11 =H(1,Q1+S)+x11

ym0=H(m,Qm)+xm0

ym1 =H(m,Qm+S)+xm1

GivenrandomandindependentS,T1….. Tm,thejointdistribution{H(T1+S),….H(Tm+S),T1…..Tm }mustbepseudo-random

CryptographicHashfunction:SHA1/2/3,RC4

x1 b1 =H(1,T1)+y1 b1

xm bm =H(m,Tm)+ym bm

T=T1T2.Tm



x10x11x20x21

xm0xm1


B=[b1,…bm]

P0 P1

x10x11x20x21

xm0xm1

x1b1

x2b2

xmbm

RandomS isknowntoP0only |Ti| =k

T=T1T2.Tm




B=[b1,…bm]

P0 P1OT1

s1

Q1

T1

T1 +B

OT2

OTk

Tisa{0,1}m.kmatrixT=[T1,…..Tk]T=T1

T2.Tm

T2

T2 +B

Tk

Tk +B

s2

sk

Q2

Qk

Qisa{0,1}m.kmatrixQ=[Q1,…..Qk]Q=Q1

Q2.Qm

mbitinputs

x10x11x20x21

xm0xm1


B=[b1,…bm]

P0 P1OT1

s1

Q1

T1

T1 +B

OT2

OTk


T2.Tm

T2

T2 +B

Tk

Tk +B

s2

sk

Q2

Qk

Q=Q1=T1(ifb1 =0)/ T1+S(otherwise)

T[1,1] +s1

Q2=T2(ifb2 =0)/ T2+S(otherwise)


T[1,2] +s2

T[1,k] +sk

T[1,1]

T[1,2]

T[1,k]

TransformationII:Puttingeverythingtogether

B=[b1,…bm]

P0 P1

y10=H(1,Q1)+x10y11 =H(1,Q1+S)+x11

(y10,y11)……..(ym0,ym1)

x1 b1 =H(1,T1)+y1 b1

OT1s1

Q1

T1

T1 +B

OT2

OTk


T2.Tk

T2

T2 +B

Tk

Tk +B

s2

sk

Q2

Qk


Q2.Qk

ym0=H(m,Qm)+xm0

ym1 =H(1,Qm+S)+xm1


x10x11x20x21

xm0xm1


OT1

OT2

OTk

OT1

OT2

OT3

OTm

kbitinputs

OT1

OT2

OTk


lbitinputs

x10x11x20x21

x30x31

xm0xm1

b1

b2

b3

bm

x1b1

x2b2

xmbm

x3b3




SecurityForReceiver

B=[b1,…bm]

P0 P1

y10=H(1,Q1)+x10y11 =H(1,Q1+S)+x11

(y10,y11)……..(ym0,ym1)

x1 b1 =H(1,T1)+y1 b1

x10x11x20x21

xm0xm1

OT1s1

Q1

T1

T1 +B

OT2

OTk


T2.Tk

T2

T2 +B

Tk

Tk +B

s2

sk

Q2

Qk


Q2.Qk

ym0=H(m,Qm)+xm0

ym1 =H(1,Qm+S)+xm1


Reducestothesender’ssecurityofOT1…OTk

SecurityForSender

B=[b1,…bm]

P0 P1

y10=H(1,Q1)+x10y11 =H(1,Q1+S)+x11

(y10,y11)……..(ym0,ym1)

x1 b1 =H(1,T1)+y1 b1

OT1s1

Q1

T1

T1 +B

OT2

OTk


T2.Tk

T2

T2 +B

Tk

Tk +B

s2

sk

Q2

Qk


Q2.Qk

ym0=H(m,Qm)+xm0

ym1 =H(1,Qm+S)+xm1


Reducestothereceiver’ssecurityofOT1…OTk

ReducestothesecurityofH

[IKNP03]: YuvalIshai,JoeKilian,Kobbi Nissim,andErez Petrank.Extendingoblivioustransfersefficiently.InCRYPTO,pages145–161,2003.

x10x11x20x21

xm0xm1

IKNPandItsSuccessors

SKEoperations

OTExtension

k:securityparameter

Semi-honest:IKNP,ALSZ13

Active:NNOB,ALSZ15,KOS15

KK13andItsSuccessors

OTExtension

k:securityparameter

Semi-honest:KK13

Active:PSS17,OOS17

x1x2…..xn

r

xr

r=? xr’ =? UsedinPSI,PIRetc

OTStudyGroup

OTExtension- RecentAdvances[KK13]:Fromk1-out-2OTstom1-out-of-nOTs

Mostefficientinsemi-honestsetting

UsesWalsh-HadamardCode

Semi-honest

[KOS15]:MostefficientmaliciouslysecureIKNP

[PSS17]:MostefficientmaliciouslysecureKK13

Active/Malicious

OTfromCPA-securePKEwithPublicKeySamplability[EvenGoldreichLempel85]

Apublic-keyencryptionschemeisacollectionof3PPTalgorithmsP =(Gen,Enc,Dec)

Gen1k pk,sk Syntax:(pk,sk)¬ Gen(1k)

EncmÎM c

pk

Syntax:c¬ Encpk(m)

Randomizedalgo

Decc m

sk Syntax:m:=Decsk(c)

Exceptwithanegligibleprobabilityover(pk,sk)outputbyGen(1k),werequirethefollowingforevery(legal)plaintextm

Decsk(Encpk(m)):=m

RandomizedAlgo

Deterministic(w.l.o.g)

CPASecurity

P =(Gen,Enc,Dec)

IcanbreakP Letmeverify

m0,m1,|m0|=|m1|

Gen(1k)c¬ Encpk(mb)

b’Î {0,1}

(Attacker’sguessaboutencryptedmessage)

GameOutput

1--- attackerwon 0--- attackerlost

Indistinguishabilityexperiment PubK(k)A,P

cpa

PPTA

pk,sk

pk

Inthereal-world,everyoneincludingtheattackerwillhavethepublickeypk

P isCPA-secureifforeveryPPTattackerA takingpartintheaboveexperiment,theprobabilitythatAwinstheexperimentisatmostnegligiblybetterthan½

½ +negl(k)Pr PubK(k)A,P

cpa=1 £

PKEwithPublicKeySamplability

Apublic-keyencryptionschemeisacollectionof5PPTalgorithmsP =(Gen,Enc,Dec,oGen,fGen)

oGen1k pk,r Syntax:(pk,r)¬ oGen(1k)

fGenpk:

(pk,sk)¬ Gen(1k)

r’ Syntax:r’¬ fGen(pk)

(pk,r’)and(pk,r)lookindistinguishable

KeySamplability

P =(Gen,Enc,Dec, oGen,fGen)

IcanbreakP

b’Î {0,1}

GameOutput

1--- attackerwon 0--- attackerlost

Indistinguishabilityexperiment PubK(k)A,P

ksamp

PPTA

(pk,sk)¬Gen(1k)

r¬fGen(pk)

(pk,r)

P iskey-samplableifforeveryPPTattackerA takingpartintheaboveexperiment,theprobabilitythatAwinstheexperimentisatmostnegligiblybetterthan½

½ +negl(n)Pr PubK(k)A,P

ksamp=1 £

(pk,r)¬oGen(1k)

1-out-of-2ObliviousTransfer

S Rm0m1

b

(pkb,skb)¬ Gen(1k)

(pk1-b,r1-b)¬ oGen(1k)

(pk0,pk1)

c0¬ Encpk0(m0)

c1¬ Encpk1(m1) (c0,c1)

mb¬ Decskb(mb)

b=? m1-b =?

- OTsareintrinsicallyexpensive- usuallybasedonpublickeyprimitives

- AESCircuit:MillionsofANDgates

ElGamalPKE

Encpk(m)

c1=gy forrandomy

c2 =hy..m

c=(c1,c2)

Decsk(c)

c2 /(c1)x =c2 .[(c1)x]-1Gen(1k)

(G,o,q,g)

h=gx. Forrandomx

pk=(G,o,q,g,h),sk =x


B=[b1,…bm]

P0 P1

(y10,y11)……..(ym0,ym1)

r1 b1 =T1 +y1 b1

r10r11r20r21

rm0rm1

T=[T1T2.Tk]

rm bm =Tm +ym bm

Q=[Q1=T1(ifb1 =0)/ T1+S(otherwise)

Q2=T2(ifb2 =0)/ T2+S(otherwise)

Qm=Tm(ifbm =0)/ Tm+S(otherwise)]

RandomFunctionH:[m]× {0,1}k ->{0,1}l

y10=H(1,Q1)+r10y11 =H(1,Q1+S)+r11

ym0=H(m,Qm)+rm0

ym1 =H(m,Qm+S)+rm1

Everytimequeryaninput:sameoutputNewinput:outputiscompletelyrandomintherangeEveryROisCorrelation-Robust(HR)Hashfunction

AlittlediversiontoROModel

RandomFunctionH:[m]× {0,1}k ->{0,1}l

>>Loveandhaterelationshipwiththismodel

>>ManyprotocolshaveproofinROmodelwhichotherwisedoesnothaveanyproof.

>>ProtocolanalyzedforSecurity:HashfunctionsreplacedwithRObox.

>>Proofisforanygood?:ExistenceofsuchaproofimpliestherealprotocolgowrongonlywhenhashfunctiondoesnotsimulateRO.Someproofbetterthannoproof

>>Realprotocol:ROreplacedwithhashfunctions

>>Examples:RSA-OEAP(practicallyinuse).CCA-secureextensionofRSA

>>Findingproofunderrelativelyrealisticassumption(e.g.CR)thanROhasbeenverychallengingandconsideredtobegreatachievement!!

School on Secure Multiparty Computation - IIT Bombaymp/crypto/mpc2017/slides/day2/arpita-OT.pdf ·...

Documents

Transcript of School on Secure Multiparty Computation - IIT Bombaymp/crypto/mpc2017/slides/day2/arpita-OT.pdf ·...