Embed Size (px)
Citation preview
Oblivious Transfer (OT)
Alice (sender) has n secrets Alice wants to give k secrets to
Bob Bob wants the secrets but does not
want Alice to know which secrets he has
Oblivious Transfer 2 to 1
OT basics Use of Modular Arithmetic
OT design Direct Extension of PKE
OT application Secure Function Evaluation Secure Auction
OT – Coin Toss (The basics) Alice generates 2 primes and computes their
product, p, which is sent to Bob Bob Performs primality tests to ensure Alice is
playing fair. Bob guesses a number 0 < n < p as a factor of p Chances are he guesses wrong but Bob computes
m = n^2 mod p and sends this to Alice. Alice knows the original number, p, and she looks
for all numbers less than p that generate a remainder of m. This can be done fairly easily using the Chinese Remainder Theorem
OT – Coin Toss Cont Alice will find at least 1 pair of such numbers,
she will then send 1 of the pairs, p , to Bob. O = n + p. He will then calculate the gcd(O,p) This will yield either a trivial result or a factor
of p which Bob will send to Alice. There is a 50% chance that Alice sends the
nontrivial p to Bob. Bob has a slight advantage in that he picks the
original n, but there is a negligible chance that Bob randomly pick an n that factors p. [Peterson]
Original OT The transfer is somewhat like a simple game
played with a locked box requiring two different keys. A sender transfers the locked box to a recipient, who finds one key that partially unlocks the box. The sender has both keys and, without seeing what the recipient has done, must now pass on one of the two keys. Depending on which key is sent, the recipient will either succeed or fail in opening the box. Although the sender's choice controls the outcome, the sender never knows which choice to make to guarantee a certain result.
The Heart of OT
Sender remains unsure of outcome We want more
Want to share secrets not just have a fair (50% chance) to come out with a prime factor of a number.
OT - PKE Alice generates two public-key/private-key key
pairs. Bob chooses a key in a symmetric encryption
algorithm (3DES, for example). He chooses one of Alice’s public keys and encrypts his DES key with it. He sends the encrypted key to Alice without telling her which of her public keys he used.
Alice decrypts Bob’s key twice, once with each of her private keys. In one of the cases, she uses the correct key and successfully decrypts Bob’s DES key. In the other case, she uses the wrong key and only manages to generate a meaningless heap of bits that nonetheless look like a random DES key.
OT – PKE cont Alice encrypts both of her messages,
each with a different one of the DES keys she generated in the previous step (one real and one meaningless) and sends both of them to Bob.
Bob gets one of Alice’s messages encrypted with the proper DES key and the other one encrypted with the gibberish DES key. When Bob decrypts each of them with his DES key, he can read one of them; the other just looks like gibberish to him.
Conclusion of PKE – OT
Success: Bob now knows one of Alice’s secrets
although doesn’t know which. Disadvantage:
Bob does not know if he has Alice’s first or second secret and has no way of finding out.
Secure Function Evaluation
Application of OT
What is Secure Function Evaluation (SFE)?
Our goal is to compute f(x1, …, xn), the output, while at the same time limiting the information that each party gains about the other parties values (ideally, at the end, each party knows their input, and the output of the function, and no other information about their opponent that isn’t inherent in the function definition)
Some Uses for SFE The Millionaires problem… two millionaires
wish to determine who has the most money with out revealing their exact net worth
Voting f(x1, …, xn) returns 0 if candidate one gets more votes, 1 if candidate two, etc
Auctions f(x1, …, xn) = (i, n) for maximum bid Database computations Database queries
Important Considerations in Defining a SFE system
What type of adversary? (Passive v. Active, Adaptive v. Non-Adaptive)
What type of network are the parties connected to? (Pairwise Secure, Broadcast, Authenticated)
What guarantees do you hope to achieve? (Correctness, Privacy)
Known Results for SFE If Trapdoor Permutations exist:
Any function evaluation can be computed securely against a passive (honest-but-curious) adversary
Any function evaluation can be computed securely against an active adversary controlling at most one half of the parties
SFE over insecure networks: any f can be computed securely against an active
adversary if parties used pairwise channels and there are two-thirds majority of honest parties [BGW, CCD]
any f can be computed securely using a broadcast channel against an active adversary who has corrupted less than half of the parties
Computing a Function Bob and Alice share a Boolean circuit they wish to
compute Alice’s input is a1 b1; Bob’s input is a2 b2
Define a = a1 a2; b = b1 b2
We want a c1, c2 for Alice, Bob, resp., subject to c1 + c2 = (a1 + a2)(b1 + b2)
Alice chooses c1 in {0,1} at random and prepares n possible c2 outputs for bob (based on the n possible secrets Bob might have)
Alice and Bob perform OT and now they have c1 and c2 values subject to the above constraints
Bob and Alice are now able to evaluate any Boolean circuit
Two-Party Secure Function Evaluation A assigns each wire i two random values (Wi
0, Wi1)
corresponding to 0 and 1 Used as pseudo-random keys (e.g. 80 bits)
Wire values denoted as ai (0 or 1) A assigns a “garble” function to each wire: i: ai ->
ci
(Wibi,ci) denotes the garbled value of wire i
Gate function denoted as ak=g(ai,aj) A creates a table Tg which enables computation of
garbled output of g: (Wkbk,ck) from garbled inputs
(Wibi,ci) and (Wj
bj,cj)
Two-Party Secure Function Evaluation The table does not disclose any information about the
output of g for other inputs Does not reveal input or output values Assume |FK(x)| = |Wk
bk|+1 The table contains n entries:
For B to use the table B knows (Wi
bi,ci), (Wjbj,cj)
Finds (ci,cj) in the table Performs XOR with entry in the table to compute
garbled output (Wkg(bi,bj),ck)
Recall that A xor B xor C xor B xor C = A Garbled output from garbled inputs and table
Two-Party Secure Function Evaluation
For each input wire, B and A engage in oblivious transfer A is the sender, B is the chooser
A sends the gate tables to B A sends a translation table from the
garbled values of the output wires to output bits
By the end of the oblivious transfer stages, B has enough information to compute f(x)
Two-Party Secure Function Evaluation Security of gates
Every masking value (FW(ci)) is used only once Without knowledge of the correct key, masking values
look random Overhead
Communication is performed in one back and forth round
A can prepare the circuit in advance (one table for each of m gates)
Computation: one oblivious transfer for each input bit (n)
A and B must perform n exponentiations B must evaluate f
Negligible compared to oblivious transfer
SFE - Fairplay
Fairplay consists of two parts: a language SFDL (Secure Function
Definition Language) that describes the SFE paradigm
a compiler that creates a one-pass Boolean circuit in a language called SHDL (Secure Hardware Definition Language)
Bob and Alice then are able to securely evaluate the circuit
Compiling SFDL
SFDL is compiled into a Boolean circuit using an SFDL – SHDL compiler.
The SHDL circuit must have “obliviousness” built in to it: No registers, loops, gotos Every gate used exactly once For array indexing a multiplexer is built
with all values of i hardwired in
And Finally… There are Alice
and Bob programs who take as input a SHDL circuit and carry out the secure computation protocol
SFDL Program Structure First one must declare global constants and
types, followed by a sequence of functions. Functions must precede any functions that call
it. Recursion and global variables are forbidden. The last function must be the output function. Variable assignments are as one would expect,
operators include addition, subtraction, Boolean operators, and standard comparison operators.
If-then and if-then-else are supported All loops must have a definite number of
iterations that are known in advance.
SFDL Compiler Reads in SFDL program, transforms it,
outputs program in SHDL format. Compiler performs the following steps:
Parsing Function inlining and loop unfolding Transformation into single-bit operations Array access handling Single variable assignments Optimization (in terms of circuit size)
And Then… An oblivious transfer is needed for every
input wire of the circuit. Bob sends m “garbled” circuits to Alice,
Alice randomly chooses one circuit to be evaluated, and Bob reveals remaining m-1 circuits. Bob can be caught cheating with probability 1-1/m.
The two implemented OT methods are based on the Diffie-Hellman problem.
Results Authors performed
tests on four functions: AND – bitwise and on
Alice and Bob’s inputs Billionaires – 32 bit input
for Bob and Alice, which it compares
Keyed Database Search – Bob has a keyed database, Alice retrieves items by specifying its key
Median – finds median of two sorted arrays
What’s the Point? Secure Auction System GOAL:
Keep bids secret from auctioneer Auctioneer only needs to know
identification of highest bidder clearing price
Need a third entity “Auction issuer” Create protocol where neither auctioneer nor auction
issuer have full information about bidders and bids Assumption: auctioneer and auction issuer do not
collude
Auctions Auction consists of three types of entities
Bidders, auctioneer, auction issuer Protocol
Auctioneer advertises details of auction Rules, times, AI
AI creates an encryption scheme for each bidder to use
Bidders submit encrypted bids to the auctioneer, using the AI’s encryption scheme
AI generates a program to compute the outcome of the auction based upon the encrypted bids, then sends circuit and output translation table to auctioneer
Auctioneer uses inputs and program to compute outcome of auction
Secure Function Evaluation for Auctions Auctioneer must compute f(x1,…,xn) = result of auction =
<i,p> i = winner p = clearing price
AI constructs circuit to compute auction result and garbles it
Auctioneer advertises auction and AI’s public key (P. OT) Each bidder engages in a 1-of-2 proxy oblivious transfer
(for each bit) AI is sender (garbled input bit value-pairs) Bidder is the chooser Auctioneer is proxy
Note that the auction issuer doesn’t receive any inputs Auctioneer computes outcome of auction
AI provides output translation table
Future Work
Improve performance Security against malicious parties Fair termination Reactive secure computation Integrating other SFE primitives Multi-party computation
Acknowledgments
By Dahlia Malkhi, Noam Nisan, Benny Pinkas, and Yaron Sella (SFE)
Ivars Peterson (OT – Coin Toss)
