Andrew Lindell, Aladdin Knowledge Systems and Bar-Ilan University
04/08/08, CRYP-106
Efficient Fully-Simulatable Oblivious Transfer
1-out-of-2 Oblivious Transfer: a paradoxical protocol
» Inputs:
• A sender with two inputs m0,m1
• A receiver with an input bit
» Output:
• The receiver obtains the message selected by its bit
» Security:
• The sender learns nothing about the receiver’s bit
• The receiver learns only one message
[Figure: the sender holds m0,m1; the receiver obtains the selected message and learns nothing about the other one]
Importance of Oblivious Transfer
Theory of cryptography
» Oblivious transfer is “complete”
» Oblivious transfer stands at the center of all protocols for secure computation without an honest majority
Protocol constructions
» Widely used to construct efficient protocols
• Including a multitude of protocols under the heading of “privacy-preserving data mining”
» Efficiency of the oblivious transfer is a bottleneck in the efficiency of many other protocols
Applications
Efficient protocols based on oblivious transfer
» Comparing information without leaking it
• One oblivious transfer per bit of input
» Oblivious pseudorandom function evaluation
• Application to set intersection and more
» Secure auctions
» Privacy-preserving data mining
Efficient Oblivious Transfer
Most work considers definitions that guarantee privacy only
» The sender cannot guess the receiver’s bit with probability greater than ½
» There exists one input message of the sender about which the receiver learns nothing (formalized via indistinguishability)
Highly efficient constructions
» Naor-Pinkas: the DDH assumption
» Aiello-Ishai-Reingold: homomorphic encryption
» And more (see the paper)
Simulation-Based Definition of Security
The real/ideal model paradigm for defining security [GMW,GL,Be,MR,Ca]:
» Ideal model: parties send inputs to a trusted party, who computes the function for them
» Real model: parties run a real protocol with no trusted help
A protocol is secure if any attack on a real protocol can be carried out in the ideal model
» Since no attacks can be carried out in the ideal model, security is implied
The Real Model
[Figure: the sender (input m0,m1) and the receiver (input bit) interact directly through the protocol; the protocol output should be the message selected by the receiver’s bit]
The Ideal Model
[Figure: the sender sends m0,m1 and the receiver sends its bit to the trusted party over perfectly secure channels; the trusted party returns the selected message to the receiver]
The Security Definition
[Figure: REAL (protocol interaction) versus IDEAL (trusted party)]
For every real adversary A there exists an adversary S in the ideal model
Simulation-Based Definitions
Properties of the definition
» Privacy
» Independence of inputs
» Input extraction (adversary “knows” which input it is using)
» Correctness
Simulation versus Privacy Only
When is simulation needed?
» When oblivious transfer is used as a subprotocol, it is often necessary to have a protocol that is proven secure under simulation-based definitions
• Example: the efficient general protocol by [Lindell-Pinkas] based on Yao (with security for malicious adversaries)
» Composition: privacy-only definitions can interact “badly” with other protocols
The bad news:
» It seems much harder to construct efficient protocols with simulation-based proofs
Protocols with Simulation
Existing protocols
» Semi-honest protocols compiled with GMW
• Highly inefficient
» Recent protocols of [Camenisch-Neven-Shelat] and [Green-Hohenberger]
• They solve a harder problem of adaptive 1-out-of-N OT
• They use less standard assumptions (at least Bilinear DDH)
• Since they use bilinear maps, exponentiations are more expensive than for regular DDH
Background – the Naor-Pinkas Protocol
Receiver
» Computes (g^a,g^b,g^c,g^d) where a,b,c,d are random under the following constraint
• If the receiver’s bit is 0, then c = ab
• If the receiver’s bit is 1, then d = ab
» Sends the tuple to the sender
Sender
» Let (h1,h2,x,y) be the tuple received
• Check that x ≠ y
• Randomize (h1,h2,x) and (h1,h2,y) and derive keys kx and ky
• Encrypt m0 with kx and m1 with ky
Receiver
» Derive the appropriate key and decrypt the selected message
Background – the Naor-Pinkas Protocol
Security in case of a corrupt sender
» The sender cannot know whether c=ab or d=ab, because this would mean solving the DDH problem
• Recall that (g^a,g^b,g^ab) is indistinguishable from (g^a,g^b,g^r)
Security in case of a corrupt receiver
» The sender checks that x ≠ y
» Therefore, only one of (h1,h2,x) and (h1,h2,y) is a DH tuple
» The randomization on the DH tuple can be reproduced by the receiver to get the output
» The randomization on the non-DH tuple results in a uniformly distributed key that the receiver knows nothing about
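The two Naor-Pinkas slides above describe the protocol and why the randomization protects the sender, but never write the randomization out. The following is an added example (not code from the talk or the paper) that runs the three rounds end to end. Assumptions labelled in the code: a 64-bit Schnorr group found at start-up purely to keep the arithmetic readable (it offers no real DDH hardness), SHAKE-256 as the key-derivation function, and one-time-pad encryption of the messages under the derived keys. The sender's randomization of a tuple (h1,h2,z) is u = h1^s·g^t, k = z^s·h2^t for random s,t: when z = g^(ab) the key equals u^b, which the receiver can recompute from b; when z is not g^(ab) the key is independent of anything the receiver knows.

```python
import hashlib
import secrets

# Toy group for the example (constructed here, not from the talk): a Schnorr group
# p = 2q + 1 with q prime and g = 4 generating the subgroup of order q. A 64-bit group
# gives no real DDH hardness; it only keeps the arithmetic readable.


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test; accurate enough for choosing demo parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int = 64):
    """First safe prime p = 2q + 1 with q >= 2^(bits-1); returns (p, q, g)."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4  # 4 is a square, so it generates the order-q subgroup


P, Q, G = safe_prime_group()
NBYTES = (P.bit_length() + 7) // 8


def kdf(elem: int, n: int) -> bytes:
    """Derive an n-byte key from a group element (SHAKE-256 used as the KDF)."""
    return hashlib.shake_256(elem.to_bytes(NBYTES, "big")).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def receiver_round1(sigma: int):
    """Receiver: (g^a, g^b, g^c, g^d) with c = ab if sigma = 0, d = ab if sigma = 1.
    Returns the tuple and the exponent b, which the receiver keeps to derive its key."""
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    r = secrets.randbelow(Q)
    while r == a * b % Q:          # the other exponent must differ from ab
        r = secrets.randbelow(Q)
    c, d = (a * b % Q, r) if sigma == 0 else (r, a * b % Q)
    return tuple(pow(G, e, P) for e in (a, b, c, d)), b


def sender_round2(tup, m0: bytes, m1: bytes):
    """Sender: check x != y, randomize each tuple, encrypt m0 under kx and m1 under ky."""
    h1, h2, x, y = tup
    if x == y:                     # both tuples DH: the receiver could decrypt both messages
        raise ValueError("x == y: aborting")
    out = []
    for z, m in ((x, m0), (y, m1)):
        s, t = secrets.randbelow(Q), secrets.randbelow(Q)
        u = pow(h1, s, P) * pow(G, t, P) % P   # u = g^(a*s + t)
        k = pow(z, s, P) * pow(h2, t, P) % P   # k = z^s * g^(b*t); equals u^b iff z = g^(a*b)
        out.append((u, xor(kdf(k, len(m)), m)))
    return out


def receiver_round3(out, sigma: int, b: int) -> bytes:
    """Receiver: the key for its tuple is u^b; on the non-DH tuple this yields a useless key."""
    u, ct = out[sigma]
    return xor(kdf(pow(u, b, P), len(ct)), ct)


def run_ot(m0: bytes, m1: bytes, sigma: int) -> bytes:
    """Full 1-out-of-2 OT run; returns what the receiver decrypts."""
    tup, b = receiver_round1(sigma)
    return receiver_round3(sender_round2(tup, m0, m1), sigma, b)


if __name__ == "__main__":
    print(run_ot(b"message zero", b"message one!", 1))
```

Decrypting the other ciphertext with the same b (as `receiver_round3(out, 1 - sigma, b)`) returns noise, which is the slide's point that the randomized non-DH tuple gives a key the receiver knows nothing about; the x ≠ y check is what guarantees that one of the two tuples is non-DH.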
Simulating the Naor-Pinkas Protocol
Security in case of a corrupt sender
» In order to simulate in the ideal model, the simulator needs to extract the sender’s input
» Information-theoretically, only one message can be obtained
» Rewinding the sender doesn’t help because the sender’s input can depend on the receiver’s first message
Security in case of a corrupt receiver
» The simulator needs to be able to extract the receiver’s input
» In this case, this can be achieved with a zero-knowledge proof of knowledge of a discrete log
Solving the Problem of a Corrupt Sender
We need to be able to extract the sender’s input
» Instead of sending (h1,h2,x,y), send
• (h1,x1,y1) and (h2,x2,y2), where one is a DH tuple and the other is not
» The simulator makes both tuples DH and extracts both inputs
» The sender cannot tell the difference (due to the DDH assumption)
A Corrupt Receiver
What about a corrupt receiver?
» It can also make both tuples DH
» Solution: have the receiver prove that only one tuple is DH using a zero-knowledge proof of knowledge
• The simulator for a corrupt sender can still send two DH tuples by “cheating” in the ZK proof
• The simulator for a corrupt receiver extracts the receiver’s input from the proof of knowledge
An Efficient Zero-Knowledge Proof
We use cut and choose for this task
» The receiver sends s pairs of tuples
• The DH and non-DH tuples are ordered randomly
» The sender asks it to open ½ of the pairs and then checks that all opened pairs have one DH and one non-DH tuple
» The receiver sends a reordering of the unopened pairs
• If the receiver’s bit is 0, then all DH tuples are first
• If the receiver’s bit is 1, then all DH tuples are second
» The sender randomizes all of them and:
• Encrypts m0 with all the keys from the first set
• Encrypts m1 with all the keys from the second set
The Cut and Choose
[Figure: the sender holds m0,m1. The receiver sends s = 4 pairs of tuples:
[(g^a1,g^b1,g^r1),(g^a1,g^b1,g^a1b1)] [(g^a2,g^b2,g^a2b2),(g^a2,g^b2,g^r2)] [(g^a3,g^b3,g^r3),(g^a3,g^b3,g^a3b3)] [(g^a4,g^b4,g^r4),(g^a4,g^b4,g^a4b4)]
The sender asks to open pairs (1,4); the receiver reveals (a1,b1,r1,a4,b4,r4).
The receiver reorders the unopened pairs so that the DH tuple comes first in each (its bit is 0):
[(g^a2,g^b2,g^a2b2),(g^a2,g^b2,g^r2)] [(g^a3,g^b3,g^a3b3),(g^a3,g^b3,g^r3)]
The sender randomizes and encrypts.]
A Corrupt Receiver
Main observation:
» If any of the unopened pairs has one non-DH tuple, then the randomization will prevent the receiver from receiving one of the messages
» Therefore, in order to cheat:
• All of the opened pairs must have one DH and one non-DH tuple
• All of the unopened pairs must have both tuples DH
» Since the cut and choose is chosen randomly, this can occur with probability 2^-s only
• Important: s can be made small (between 20 and 40)
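The pairs-of-tuples structure from the "Solving the Problem of a Corrupt Sender" slide and the cut-and-choose check from the last three slides fit in one short program. The code below is an added example, not the talk's or paper's code, and it makes two labelled assumptions: a small hard-coded Schnorr group (p = 1019, q = 509, g = 4, far too small for real use) and a challenge in which the sender flips one independent coin per pair, which is the model under which a cheating receiver has to guess all s coins and succeeds with probability 2^-s as the slide states (the slide phrases the challenge as "open ½"). An honest pair shares a and b between its two tuples and has exactly one of them DH; a cheating pair makes both tuples DH. The sender recomputes the opened tuples from the revealed exponents, rejects any pair that does not have exactly one DH tuple, and the receiver then reorders the unopened pairs by its bit.

```python
import secrets

# Toy Schnorr group constructed for this example (far too small for real use):
# p = 2q + 1 with q prime; g = 4 generates the subgroup of order q.
P, Q, G = 1019, 509, 4


def make_pair(both_dh: bool = False):
    """One pair of tuples (g^a, g^b, g^e) that share a and b.
    Honest receiver: exactly one tuple has e = ab, in random order.
    Cheating receiver: both tuples have e = ab (would let it decrypt both messages).
    Returns the pair and the receiver's witness (a, b, exponents)."""
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    ab = a * b % Q
    r = secrets.randbelow(Q)
    while r == ab:                     # the non-DH exponent must differ from ab
        r = secrets.randbelow(Q)
    exps = [ab, ab] if both_dh else [ab, r]
    if secrets.randbelow(2):           # random ordering of the two tuples
        exps.reverse()
    pair = tuple((pow(G, a, P), pow(G, b, P), pow(G, e, P)) for e in exps)
    return pair, (a, b, exps)


def sender_challenge(s: int):
    """One independent coin per pair (1 = open it); a cheater must guess all s coins."""
    return [secrets.randbelow(2) for _ in range(s)]


def receiver_open(witnesses, challenge):
    """Reveal the exponents of every pair the sender asked to open."""
    return [w if bit else None for w, bit in zip(witnesses, challenge)]


def sender_verify(pairs, challenge, openings) -> bool:
    """Accept iff each opened pair matches its exponents and has exactly one DH tuple."""
    for pair, bit, opening in zip(pairs, challenge, openings):
        if not bit:
            continue
        if opening is None:
            return False
        a, b, exps = opening
        ab = a * b % Q
        for (h1, h2, x), e in zip(pair, exps):
            if (h1, h2, x) != (pow(G, a, P), pow(G, b, P), pow(G, e, P)):
                return False           # revealed exponents do not match what was sent
        if sum(e == ab for e in exps) != 1:
            return False               # both DH (or neither): reject
    return True


def receiver_reorder(pairs, witnesses, challenge, sigma: int):
    """Reorder each unopened pair so the DH tuple is first if sigma = 0, second if sigma = 1."""
    reordered = []
    for pair, (a, b, exps), bit in zip(pairs, witnesses, challenge):
        if bit:
            continue                   # opened pairs are discarded
        dh_first = exps[0] == a * b % Q
        reordered.append(pair if dh_first == (sigma == 0) else (pair[1], pair[0]))
    return reordered


def is_dh(tup, b: int) -> bool:
    """Check g^e == (g^a)^b using the receiver's b; for illustration only, the
    sender never learns b and relies on the randomization instead."""
    h1, _, x = tup
    return x == pow(h1, b, P)


if __name__ == "__main__":
    s = 20
    honest = [make_pair() for _ in range(s)]
    pairs, wits = [p for p, _ in honest], [w for _, w in honest]
    chal = sender_challenge(s)
    print("honest receiver accepted:", sender_verify(pairs, chal, receiver_open(wits, chal)))
    print("unopened pairs after reordering:", len(receiver_reorder(pairs, wits, chal, 0)))
```

After `receiver_reorder`, the sender would apply the Naor-Pinkas randomization to every tuple in the first position and encrypt m0 under those keys, and likewise m1 under the second position; the main observation on the slide is visible in `sender_verify`: a receiver that leaves a single honest (one non-DH) pair unopened loses one message, so its only winning strategy is to pass every opened pair and make every unopened pair double-DH, which requires guessing the whole challenge.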
Extensions
Smooth projective hashing
» A generalization of DDH and other assumptions
» Includes N-residuosity and quadratic residuosity
» A generalization of Naor-Pinkas to smooth projective hashing was shown by [Kalai]
» Our protocol can be based on her generalization
Homomorphic encryption
» Similar ideas can be used to obtain a protocol that is secure using any homomorphic encryption scheme
Efficiency
The most efficient instantiation
» The DDH protocol, using elliptic curves
Comparison to Naor-Pinkas
» Requires s times the work and communication
» For s = 40, this is significant, but by far the best
Summary
Efficient protocols for oblivious transfer
» A significant but reasonable cost
Achieve full simulation
» With a rigorous proof of security
This reduces the bottleneck of oblivious transfer
The future:
» Reduce to a constant number of exponentiations?
Legal Notice
© Copyright 2008 Aladdin Knowledge Systems Ltd. All rights reserved.
Aladdin, Aladdin Knowledge Systems, the Aladdin Knowledge Systems logo, eToken and eSafe are trademarks of Aladdin Knowledge Systems Ltd. covered by patents www.aladdin.com/patents; other patents pending.
You may not copy, reproduce (or the like), or use in any other way whatsoever, whether directly or indirectly, any of the materials represented and/or disclosed herein without the express written consent of Aladdin.
Some of the information contained herein may be proprietary information of Aladdin or third parties and all text, images, graphics, trademarks, service marks, logos, trade names and other materials which are part of this communication are subject to intellectual property rights of Aladdin or third parties. The information herein is provided “as is” without any warranty, express or implied (by statute or otherwise), of any kind whatsoever. Aladdin does not undertake any obligation to update the information herein and it does not assume responsibility for errors or omissions.