Oblivious Transfer (OT) and OT Extension
Arpita Patra
© Arpita Patra
School on Secure Multiparty Computation
Roadmap
o Oblivious Transfer
o OT Extension
  - IKNP OT extension
  - Construction from `special' PKE
o Tracing the journey of OT extension and some open questions
Oblivious Transfer
[figure: sender S holds (m0, m1); receiver R holds a choice bit b and outputs m_b. S must not learn b (b = ?); R must not learn m_{1-b} (m_{1-b} = ?)]
- Complete for MPC
- Used in both traditional approaches: Yao (one OT per input bit) and GMW (one OT per AND gate)
- OT forms the basis for most practical MPC/2PC protocols and for special-purpose problems such as PSI
- OTs are intrinsically expensive: they are usually based on public-key primitives
- Real circuits need millions of AND gates (an AES circuit alone has several thousand), i.e. millions of OTs per evaluation
Setting the stage for OT Extension
- Small number of X → large number of X, where X is a task or object that is not efficient to execute or generate
  o PRG: a truly random short seed s ∈_R {0,1}^k → a huge (pseudo-)random string PRG(s) ∈ {0,1}^{p(k)}
  o Hybrid Encryption (HE): one instance of PKE → many instances of PKE, paying only SKE operations for the extra instances
[figure: PRG turns one seed into a long string; HE turns one PKE operation into many PKE-strength encryptions]
OT Extension: From small to many
k: security parameter
[figure: k base OTs OT_1, ..., OT_k → p(k) OTs OT_1, OT_2, OT_3, ..., OT_{p(k)} using only SKE operations]
> OT extension is not possible information-theoretically [Bea96], the first work to tell us about OT extension
> OT extension implies OWF [LZ13]
Roadmap for Building OT Extension [IKNP03]
[figure, left to right]
k OTs with k-bit inputs  --Domain Extension-->  k OTs with m > k bit inputs  --OT Extension-->  m OTs with l-bit inputs, m = poly(k)
Sender inputs (x_1^0, x_1^1), (x_2^0, x_2^1), (x_3^0, x_3^1), ..., (x_m^0, x_m^1); receiver inputs b_1, b_2, b_3, ..., b_m; receiver outputs x_1^{b_1}, x_2^{b_2}, x_3^{b_3}, ..., x_m^{b_m}
Transformation I: Domain Extension
[figure: one OT with k-bit inputs → one OT with m-bit inputs]
P0 (sender) holds m0, m1 ∈ {0,1}^m; P1 (receiver) holds b. (⊕ is bitwise XOR, written + on the slides.)
- Base OT on short keys: P0 inputs random k0, k1 ∈ {0,1}^k, P1 inputs b and obtains k_b
- P0 sends y0 = G(k0) ⊕ m0, y1 = G(k1) ⊕ m1, where G is a PRG stretching k bits to m bits
- P1 outputs m_b = G(k_b) ⊕ y_b; m_{1-b} stays hidden because G(k_{1-b}) is pseudorandom to P1, which never sees k_{1-b}
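Transformation I as runnable code. This is an added example, not code from the slides: the PRG G is instantiated with SHAKE-256 used as an XOF (my choice, any PRG works), and the expensive k-bit base OT is stood in for by the ideal function base_ot, which simply hands the receiver k_b.

```python
# Added example (not from the slides): Transformation I, domain extension of a
# 1-out-of-2 OT on k-bit keys to an OT on arbitrarily long messages.
# Assumptions: the PRG G is SHAKE-256 as an XOF, and the base OT on k-bit keys
# is modelled by the ideal function base_ot() below.
import hashlib
import secrets

K = 16  # k-bit base-OT inputs, here k = 128 bits = 16 bytes


def G(seed: bytes, length: int) -> bytes:
    """PRG: short random seed -> long pseudorandom string (SHAKE-256 as an XOF)."""
    return hashlib.shake_256(seed).digest(length)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def base_ot(k0: bytes, k1: bytes, b: int) -> bytes:
    """Ideal 1-out-of-2 OT on k-bit keys: receiver with choice b gets k_b.
    In a real deployment this is the expensive public-key OT."""
    assert len(k0) == len(k1) == K and b in (0, 1)
    return k1 if b else k0


def sender_extend(m0: bytes, m1: bytes):
    """P0: pick fresh short keys for the base OT and send the long messages
    masked with G(k0), G(k1). Returns the base-OT inputs and (y0, y1)."""
    assert len(m0) == len(m1)
    k0, k1 = secrets.token_bytes(K), secrets.token_bytes(K)
    y0 = xor(G(k0, len(m0)), m0)
    y1 = xor(G(k1, len(m1)), m1)
    return (k0, k1), (y0, y1)


def receiver_extend(kb: bytes, b: int, y0: bytes, y1: bytes) -> bytes:
    """P1: unmask only the chosen message; G(k_{1-b}) is unknown to P1,
    so m_{1-b} stays hidden."""
    yb = y1 if b else y0
    return xor(G(kb, len(yb)), yb)


def run_domain_extension(m0: bytes, m1: bytes, b: int) -> bytes:
    (k0, k1), (y0, y1) = sender_extend(m0, m1)
    kb = base_ot(k0, k1, b)          # exactly one k-bit OT
    return receiver_extend(kb, b, y0, y1)


if __name__ == "__main__":
    # constructed sample inputs: two 1 KiB messages, far longer than k bits
    m0, m1 = b"A" * 1024, b"B" * 1024
    print(run_domain_extension(m0, m1, 1) == m1)
```

The keys must be fresh per OT: reusing k0 or k1 across two transfers would reuse the pad G(k0) and leak the XOR of the two messages, the same mistake as reusing a stream-cipher keystream.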
Transformation II: OT Extension
P1 (receiver) holds B = [b_1, ..., b_m] and random T = T_1, T_2, ..., T_m with |T_i| = k. P0 (sender) holds inputs (x_1^0, x_1^1), ..., (x_m^0, x_m^1) for OT_1, ..., OT_m.
P0 also holds a random S ∈ {0,1}^k, known to P0 only, and obtains Q = Q_1, ..., Q_m where
  Q_i = T_i        if b_i = 0
  Q_i = T_i ⊕ S    otherwise
(how P0 obtains Q is shown below)
Transformation II: OT Extension (first attempt)
P0 → P1: (y_1^0, y_1^1), ..., (y_m^0, y_m^1) with
  y_i^0 = Q_i ⊕ x_i^0
  y_i^1 = Q_i ⊕ S ⊕ x_i^1
P1: x_i^{b_i} = T_i ⊕ y_i^{b_i}   (correct, since Q_i ⊕ b_i·S = T_i)

There's a bug! The same S pads every OT. P1 computes y_i^0 ⊕ y_i^1 = S ⊕ x_i^0 ⊕ x_i^1 for every i; XORing two such values cancels S and, together with the x_i^{b_i} and x_j^{b_j} that P1 legitimately holds, yields x_i^{1-b_i} ⊕ x_j^{1-b_j}. If any single unchosen message is known or guessable, S itself leaks and with it every unchosen message.
Transformation II: OT Extension (corrected with a correlation-robust hash)
Correlation-robust H: [m] × {0,1}^k → {0,1}^l
P0 → P1: (y_1^0, y_1^1), ..., (y_m^0, y_m^1) with
  y_i^0 = H(i, Q_i) ⊕ x_i^0
  y_i^1 = H(i, Q_i ⊕ S) ⊕ x_i^1
P1: x_i^{b_i} = H(i, T_i) ⊕ y_i^{b_i}
Correlation robustness: given random and independent S, T_1, ..., T_m, the joint distribution {H(T_1 ⊕ S), ..., H(T_m ⊕ S), T_1, ..., T_m} must be pseudorandom. The pads on the unchosen messages are now independent-looking values rather than one shared S, so the XOR trick above no longer works.
Instantiated in practice with a cryptographic hash function (SHA-2, SHA-3; SHA-1 is deprecated and should not be used).
Transformation II: OT Extension (obtaining Q via the k base OTs)
T is an m × k bit matrix with columns T^1, ..., T^k and rows T_1, ..., T_m (row T_i is P1's k-bit string for OT_i).
The roles are reversed in the base OTs: P1 acts as sender, P0 as receiver with choice bits s_1, ..., s_k, where S = s_1 ... s_k.
  OT_1: P1 inputs (T^1, T^1 ⊕ B), P0 inputs s_1 and obtains Q^1
  OT_2: P1 inputs (T^2, T^2 ⊕ B), P0 inputs s_2 and obtains Q^2
  ...
  OT_k: P1 inputs (T^k, T^k ⊕ B), P0 inputs s_k and obtains Q^k
Each base OT has m-bit inputs, which is why Transformation I is needed first.
Q is the m × k matrix with columns Q^1, ..., Q^k and rows Q_1, ..., Q_m. Column-wise Q^j = T^j ⊕ s_j·B, so entry Q[i, j] = T[i, j] ⊕ s_j·b_i. Reading row 1:
  b_1 = 1: Q_1 = (T[1,1] ⊕ s_1, T[1,2] ⊕ s_2, ..., T[1,k] ⊕ s_k) = T_1 ⊕ S
  b_1 = 0: Q_1 = (T[1,1], T[1,2], ..., T[1,k]) = T_1
In general Q_i = T_i if b_i = 0 and Q_i = T_i ⊕ S otherwise, exactly the correlation used above.
Transformation II: Putting everything together
P1 (receiver): choice bits B = [b_1, ..., b_m], random m × k matrix T with columns T^1, ..., T^k and rows T_1, ..., T_m.
P0 (sender): random S = s_1 ... s_k, inputs (x_1^0, x_1^1), ..., (x_m^0, x_m^1).
1. k base OTs with m-bit inputs, roles reversed: for j = 1..k, P1 inputs (T^j, T^j ⊕ B), P0 inputs s_j and obtains Q^j. P0 now holds Q with rows Q_i = T_i ⊕ b_i·S.
2. P0 → P1: (y_1^0, y_1^1), ..., (y_m^0, y_m^1) with
     y_i^0 = H(i, Q_i) ⊕ x_i^0
     y_i^1 = H(i, Q_i ⊕ S) ⊕ x_i^1
3. P1 outputs x_i^{b_i} = H(i, T_i) ⊕ y_i^{b_i}
Cost: k public-key OTs plus O(m·k) bits of communication and m hash evaluations per party, independent of how large m = poly(k) is.
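The complete IKNP protocol above, together with the attack on the H-less first attempt from the "There's a bug!" slide, as an added example that is not code from the slides or from the paper. Assumptions of mine: the k base OTs are an ideal function (base_ot, which would be Transformation I in practice), H is SHA-256 over (i || Q_i) truncated to l bits, and k = l = 128 so that the H-less variant can use Q_i directly as a pad. Bit strings are Python ints, with rows_to_cols/cols_to_rows doing the matrix transpose.

```python
# Added example (not from the slides): IKNP03 OT extension and the leak in the
# variant without H. Assumptions: base OTs are ideal (base_ot), H is truncated
# SHA-256 over (index || Q_i), k = l = 128, + on the slides is XOR.
import hashlib
import secrets

K = 128          # security parameter k: number of base OTs and |T_i|
L_BYTES = 16     # l-bit extended-OT messages (128 bits, same as k here)


def rows_to_cols(rows, k, m):
    """rows[i] is row T_i as a k-bit int; return the k columns T^j as m-bit ints."""
    return [sum(((rows[i] >> j) & 1) << i for i in range(m)) for j in range(k)]


def cols_to_rows(cols, k, m):
    return [sum(((cols[j] >> i) & 1) << j for j in range(k)) for i in range(m)]


def base_ot(msg0, msg1, choice):
    """Ideal 1-out-of-2 OT on m-bit strings (Transformation I in practice)."""
    return msg1 if choice else msg0


def H(i, q):
    """Correlation-robust hash instance: SHA-256(i || q) truncated to l bits."""
    data = i.to_bytes(4, "big") + q.to_bytes(K // 8, "big")
    return hashlib.sha256(data).digest()[:L_BYTES]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def iknp(x_pairs, choice_bits, use_hash=True):
    """m extended OTs from k base OTs. Returns (receiver outputs, transcript)."""
    m = len(x_pairs)
    # P1 (receiver of the extended OTs, sender in the base OTs)
    B = sum(b << i for i, b in enumerate(choice_bits))          # m-bit column
    T_rows = [secrets.randbits(K) for _ in range(m)]            # |T_i| = k
    T_cols = rows_to_cols(T_rows, K, m)
    # P0 (sender of the extended OTs, receiver in the base OTs) with choice S
    S = secrets.randbits(K)
    Q_cols = [base_ot(T_cols[j], T_cols[j] ^ B, (S >> j) & 1) for j in range(K)]
    Q_rows = cols_to_rows(Q_cols, K, m)
    # Q_i = T_i xor b_i*S; only this demo can check it, P0 never sees T or B
    assert all(Q_rows[i] == T_rows[i] ^ (S if choice_bits[i] else 0) for i in range(m))
    ys = []
    for i, (x0, x1) in enumerate(x_pairs):
        q0, q1 = Q_rows[i], Q_rows[i] ^ S
        pad0 = H(i, q0) if use_hash else q0.to_bytes(L_BYTES, "big")
        pad1 = H(i, q1) if use_hash else q1.to_bytes(L_BYTES, "big")
        ys.append((xor(pad0, x0), xor(pad1, x1)))
    # P1 unmasks the chosen message with H(i, T_i)
    outs = []
    for i, b in enumerate(choice_bits):
        pad = H(i, T_rows[i]) if use_hash else T_rows[i].to_bytes(L_BYTES, "big")
        outs.append(xor(pad, ys[i][b]))
    return outs, {"ys": ys, "T_rows": T_rows}


def receiver_leak_without_hash(choice_bits, transcript, i, j):
    """Attack on the H-less variant: y_i^0 xor y_i^1 = S xor x_i^0 xor x_i^1,
    so XORing two such sums cancels the shared S; removing the two messages
    P1 legitimately knows leaves x_i^{1-b_i} xor x_j^{1-b_j}."""
    ys, T = transcript["ys"], transcript["T_rows"]
    both = xor(xor(ys[i][0], ys[i][1]), xor(ys[j][0], ys[j][1]))
    known_i = xor(T[i].to_bytes(L_BYTES, "big"), ys[i][choice_bits[i]])
    known_j = xor(T[j].to_bytes(L_BYTES, "big"), ys[j][choice_bits[j]])
    return xor(xor(both, known_i), known_j)


def demo():
    """Constructed sample inputs. Returns (correct, correct without H, leak found)."""
    x = [(bytes([i]) * L_BYTES, bytes([100 + i]) * L_BYTES) for i in range(8)]
    bits = [1, 0, 1, 1, 0, 0, 1, 0]
    outs, _ = iknp(x, bits)
    outs_nh, tr = iknp(x, bits, use_hash=False)
    leak = receiver_leak_without_hash(bits, tr, 0, 1)   # x_0^0 xor x_1^1
    expected = [x[i][b] for i, b in enumerate(bits)]
    return outs == expected, outs_nh == expected, leak == xor(x[0][0], x[1][1])


if __name__ == "__main__":
    print(demo())
```

The H-less variant is perfectly correct, which is why the bug is easy to miss: both runs in demo() deliver the right messages, and only the third value shows that the receiver also recovers the XOR of two messages it was never entitled to. With H in place the pads H(i, T_i ⊕ S) are pseudorandom to P1 and the same computation yields noise.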
Security for Receiver
P0 learns only the base-OT outputs Q^1, ..., Q^k. Each Q^j is either T^j or T^j ⊕ B, and P1's other input to that base OT stays hidden; since every T^j is uniformly random, the columns P0 sees are independent of B, and the masked (y_i^0, y_i^1) are computed by P0 itself.
Reduces to the sender's security of OT_1 ... OT_k (P1 is the sender there)
Security for Sender
P1 learns nothing about S from the base OTs, where S is P0's choice string. P1 knows T_i and therefore the pad H(i, T_i) on x_i^{b_i}, but the pad on x_i^{1-b_i} is H(i, T_i ⊕ S) for the unknown random S. By correlation robustness these pads are pseudorandom given T_1, ..., T_m, so every x_i^{1-b_i} stays hidden.
Reduces to the receiver's security of OT_1 ... OT_k (P0 is the receiver there)
Reduces to the security of H (correlation robustness)
[IKNP03]: Yuval Ishai, Joe Kilian, Kobbi Nissim, and Erez Petrank. Extending oblivious transfers efficiently. In CRYPTO, pages 145–161, 2003.
IKNP and Its Successors
OT extension, k: security parameter; beyond the k base OTs only SKE operations are used
Semi-honest: IKNP, ALSZ13
Active: NNOB, ALSZ15, KOS15
KK13 and Its Successors
OT extension, k: security parameter
OT Extension - Recent Advances [KK13]: from k 1-out-of-2 OTs to m 1-out-of-n OTs
[figure: sender holds x_1, x_2, ..., x_n; receiver holds r and outputs x_r; sender must not learn r (r = ?), receiver must not learn x_{r'} for r' ≠ r (x_{r'} = ?)]
Used in PSI, PIR, etc.
Semi-honest: KK13, most efficient in the semi-honest setting; uses the Walsh-Hadamard code
Active/malicious: PSS17, OOS17
OT Study Group
[KOS15]: most efficient maliciously secure IKNP
[PSS17]: most efficient maliciously secure KK13
OT from CPA-secure PKE with Public-Key Samplability [Even, Goldreich, Lempel 85]
A public-key encryption scheme is a collection of 3 PPT algorithms Π = (Gen, Enc, Dec)
  Gen: randomized algorithm; syntax (pk, sk) ← Gen(1^k)
  Enc: randomized algorithm; syntax c ← Enc_pk(m) for m ∈ M
  Dec: deterministic (w.l.o.g.); syntax m := Dec_sk(c)
Correctness: except with negligible probability over (pk, sk) output by Gen(1^k), we require for every (legal) plaintext m that Dec_sk(Enc_pk(m)) = m
CPA Security
Π = (Gen, Enc, Dec)
Indistinguishability experiment PubK^cpa_{A,Π}(k):
  1. (pk, sk) ← Gen(1^k); the PPT attacker A receives pk. In the real world everyone, including the attacker, has the public key pk
  2. A ("I can break Π") outputs m0, m1 with |m0| = |m1|
  3. The challenger ("Let me verify") picks b ∈_R {0,1} and sends c ← Enc_pk(m_b)
  4. A outputs b' ∈ {0,1} (the attacker's guess about the encrypted message)
Game output: 1 if b' = b (attacker won), 0 otherwise (attacker lost)
Π is CPA-secure if for every PPT attacker A taking part in the above experiment, the probability that A wins is at most negligibly better than 1/2:
  Pr[PubK^cpa_{A,Π}(k) = 1] ≤ 1/2 + negl(k)
PKE with Public-Key Samplability
A public-key encryption scheme with key samplability is a collection of 5 PPT algorithms Π = (Gen, Enc, Dec, oGen, fGen)
  oGen: samples a public key without any secret key; syntax (pk, r) ← oGen(1^k)
  fGen: given a public key from (pk, sk) ← Gen(1^k), fakes matching oGen randomness; syntax r' ← fGen(pk)
Requirement: (pk, r') with pk from Gen and r' ← fGen(pk), and (pk, r) ← oGen(1^k), look indistinguishable
Key Samplability
Indistinguishability experiment PubK^ksamp_{A,Π}(k):
  1. The challenger picks b ∈_R {0,1} and, depending on b, either runs (pk, sk) ← Gen(1^k), r ← fGen(pk), or runs (pk, r) ← oGen(1^k)
  2. The PPT attacker A ("I can break Π") receives (pk, r) and outputs b' ∈ {0,1}
Game output: 1 if b' = b (attacker won), 0 otherwise (attacker lost)
Π is key-samplable if for every PPT attacker A taking part in the above experiment, the probability that A wins is at most negligibly better than 1/2:
  Pr[PubK^ksamp_{A,Π}(k) = 1] ≤ 1/2 + negl(k)
1-out-of-2 Oblivious Transfer [EGL85]
S (sender) holds m0, m1; R (receiver) holds b.
  R: (pk_b, sk_b) ← Gen(1^k), (pk_{1-b}, r_{1-b}) ← oGen(1^k); R → S: (pk_0, pk_1)
  S: c_0 ← Enc_{pk_0}(m_0), c_1 ← Enc_{pk_1}(m_1); S → R: (c_0, c_1)
  R: m_b := Dec_{sk_b}(c_b)
b = ? By key samplability, pk_{1-b} is indistinguishable from a key output by Gen, so S cannot tell which key is which.
m_{1-b} = ? R holds no secret key for pk_{1-b}, so by CPA security c_{1-b} hides m_{1-b}.
This argument is for a semi-honest receiver: nothing in the protocol stops a malicious R from generating both keys with Gen and decrypting both ciphertexts.
ElGamal PKE
Gen(1^k): choose a cyclic group (G, ∘, q, g) of prime order q with generator g; pick random x; h = g^x; pk = (G, ∘, q, g, h), sk = x
Enc_pk(m): c_1 = g^y for random y, c_2 = h^y ∘ m; c = (c_1, c_2)
Dec_sk(c): c_2 / (c_1)^x = c_2 ∘ [(c_1)^x]^{-1}
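The EGL85 OT instantiated with ElGamal, as an added example that is not code from the slides. The instantiation choices are mine: the group is the order-q subgroup of squares in Z_p^* for a safe prime p = 2q + 1 (a toy 48-bit p for speed); oGen samples h = u^2 for random u, which is uniform in the subgroup while nobody learns log_g(h); fGen returns a random square root of h, computable because p ≡ 3 mod 4, so (pk, r') from Gen + fGen and (pk, r) from oGen have identical distributions; messages are integers in [1, q] encoded as squares. Parties are semi-honest.

```python
# Added example (not from the slides): the EGL85 1-out-of-2 OT built from
# ElGamal with public-key samplability. Group: order-q subgroup (the squares)
# of Z_p^*, p = 2q+1 a safe prime. My assumptions: oGen samples h = u^2 for a
# random u, so nobody knows log_g(h); fGen returns a random square root of h
# (computable since p = 3 mod 4); messages are integers in [1, q] encoded as
# squares. Semi-honest parties only.
import random
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (probabilistic, enough for a demo)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(bits=48):
    """Return (p, q, g): safe prime p = 2q+1 and g = 4 = 2^2, a generator of
    the order-q subgroup of squares. 48 bits is a toy size chosen for speed."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def Gen(p, q, g):
    x = secrets.randbelow(q)                      # sk = x, pk carries h = g^x
    return (p, q, g, pow(g, x, p)), x


def oGen(p, q, g):
    """Sample a public key without its secret key: h = u^2 is uniform in the
    subgroup, and the sampler only learns u, not log_g(h)."""
    u = secrets.randbelow(p - 1) + 1
    return (p, q, g, pow(u, 2, p)), u


def fGen(pk):
    """Fake oGen randomness for a real Gen key: a random square root of h."""
    p, _, _, h = pk
    root = pow(h, (p + 1) // 4, p)               # valid because p = 3 mod 4
    return root if secrets.randbits(1) else p - root


def Enc(pk, m):
    p, q, g, h = pk
    y = secrets.randbelow(q)
    return pow(g, y, p), (pow(h, y, p) * m) % p


def Dec(sk, pk, c):
    p, c1, c2 = pk[0], c[0], c[1]
    return (c2 * pow(c1, p - 1 - sk, p)) % p     # c2 * (c1^x)^-1


def encode(m, q, p):
    """Map an integer 1 <= m <= q to a subgroup element (a square)."""
    assert 1 <= m <= q
    return pow(m, 2, p)


def decode(c, q, p):
    root = pow(c, (p + 1) // 4, p)               # exactly one root is <= q
    return root if root <= q else p - root


def run_ot(m0, m1, b, group=None):
    """EGL85 OT: R sends (pk_0, pk_1), S replies (c_0, c_1), R decrypts c_b."""
    p, q, g = group or gen_group()
    pk_b, sk_b = Gen(p, q, g)                    # R can decrypt under this key
    pk_other, _ = oGen(p, q, g)                  # R cannot decrypt under this one
    pks = (pk_b, pk_other) if b == 0 else (pk_other, pk_b)
    c0 = Enc(pks[0], encode(m0, q, p))           # S encrypts each m_i under pk_i
    c1 = Enc(pks[1], encode(m1, q, p))
    return decode(Dec(sk_b, pk_b, (c0, c1)[b]), q, p)


if __name__ == "__main__":
    print(run_ot(12345, 67890, 1))                # constructed sample inputs
```

The sender sees two uniform subgroup elements and cannot tell which came from Gen, which is exactly the key-samplability game; the receiver's only way to read c_{1-b} would be to compute log_g(h_{1-b}) for an h it obtained by squaring. Each OT still costs two key generations and two encryptions, i.e. the public-key work that OT extension amortizes away.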
Transformation II: OT Extension (random inputs, H as a random function)
The same protocol with the sender's inputs replaced by random strings (r_1^0, r_1^1), ..., (r_m^0, r_m^1) and H: [m] × {0,1}^k → {0,1}^l modelled as a random function:
P1: B = [b_1, ..., b_m], T = [T_1 T_2 ... T_m]; P0: random S known to P0 only, Q = [Q_1, ..., Q_m] with Q_i = T_i if b_i = 0 and Q_i = T_i ⊕ S otherwise
P0 → P1: (y_1^0, y_1^1), ..., (y_m^0, y_m^1) with y_i^0 = H(i, Q_i) ⊕ r_i^0 and y_i^1 = H(i, Q_i ⊕ S) ⊕ r_i^1
P1: r_i^{b_i} = H(i, T_i) ⊕ y_i^{b_i}
Random function: every time an input is queried again, the same output; on a new input, the output is completely random in the range. Every random oracle is a correlation-robust (CR) hash function, so the RO model gives the security of H for free.
A little diversion to the RO model
Random function H: [m] × {0,1}^k → {0,1}^l
>> Love-and-hate relationship with this model
>> Many protocols have a proof in the RO model which otherwise do not have any proof
>> Protocol analyzed for security: hash functions replaced with an RO box
>> Real protocol: RO replaced with hash functions
>> Is the proof any good? The existence of such a proof implies the real protocol can go wrong only when the hash function fails to behave like the RO. Some proof is better than no proof
>> Examples: RSA-OAEP (practically in use), a CCA-secure extension of RSA
>> Finding a proof under a relatively realistic assumption (e.g. CR) rather than RO has been very challenging and is considered a great achievement!!