Andrew Lindell (Aladdin Knowledge Systems and Bar-Ilan University), 04/08/08, CRYP-106: Efficient Fully-Simulatable Oblivious Transfer


Page 1: Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/08/08 CRYP-106 Efficient Fully-Simulatable Oblivious Transfer


Page 2: 1-out-of-2 Oblivious Transfer

A paradoxical protocol

» Inputs:
• A sender with two inputs m0, m1
• A receiver with an input bit
» Output:
• The receiver obtains the message selected by its bit
» Security:
• The sender learns nothing about the receiver's bit
• The receiver learns only one message, and nothing about the message it did not select

[Figure: the sender holds m0, m1; the receiver holds its bit and obtains the selected message; the other message stays hidden from it, marked "?"]

Page 3: Importance of Oblivious Transfer

Theory of cryptography
» Oblivious transfer is "complete"
» Oblivious transfer stands at the center of all protocols for secure computation without an honest majority

Protocol constructions
» Widely used to construct efficient protocols
• Including a multitude of protocols under the heading of "privacy-preserving data mining"
» The efficiency of the oblivious transfer is a bottleneck in the efficiency of many other protocols

Page 4: Applications

Efficient protocols based on oblivious transfer
» Comparing information without leaking it
• One oblivious transfer per bit of input
» Oblivious pseudorandom function evaluation
• Application to set intersection and more
» Secure auctions
» Privacy-preserving data mining

Page 5: Efficient Oblivious Transfer

Most work considers definitions that guarantee privacy only
» The sender cannot guess the receiver's bit with probability greater than ½
» There exists one input message of the sender about which the receiver learns nothing (formalized via indistinguishability)

Highly efficient constructions
» Naor-Pinkas: the DDH assumption
» Aiello-Ishai-Reingold: homomorphic encryption
» And more (see the paper)

Page 6: Simulation-Based Definition of Security

The real/ideal model paradigm for defining security [GMW, GL, Be, MR, Ca]:
» Ideal model: parties send their inputs to a trusted party, who computes the function for them
» Real model: parties run a real protocol with no trusted help

A protocol is secure if any attack on the real protocol can also be carried out in the ideal model
» Since no attacks can be carried out in the ideal model, security is implied

Page 7: The Real Model

[Figure: the sender holds m0, m1 and the receiver holds its bit; they interact directly, and the protocol output should be the selected message]

Page 8: The Ideal Model

[Figure: over perfectly secure channels, the sender sends m0, m1 and the receiver sends its bit to the trusted party, which returns the selected message to the receiver]

Page 9: The Security Definition

[Figure: REAL (protocol interaction, adversary A) versus IDEAL (trusted party, adversary S)]

For every real adversary A there exists an adversary S in the ideal model (the simulator) such that the two executions are indistinguishable

Page 10: Simulation-Based Definitions

Properties of the definition
» Privacy
» Independence of inputs
» Input extraction (the adversary "knows" which input it is using)
» Correctness

Page 11: Simulation versus Privacy Only

When is simulation needed?
» When oblivious transfer is used as a subprotocol, it is often necessary to have a protocol that is proven secure under a simulation-based definition
• Example: the efficient general protocol of [Lindell-Pinkas] based on Yao (with security against malicious adversaries)
» Composition: privacy-only definitions can interact "badly" with other protocols

The bad news:
» It seems much harder to construct efficient protocols with simulation-based proofs

Page 12: Protocols with Simulation

Existing protocols
» Semi-honest protocols compiled with GMW
• Highly inefficient
» Recent protocols of [Camenisch-Neven-Shelat] and [Green-Hohenberger]
• They solve the harder problem of adaptive 1-out-of-N OT
• They use less standard assumptions (at least Bilinear DDH)
• Since they use bilinear maps, exponentiations are more expensive than for regular DDH

Page 13: Background – the Naor-Pinkas Protocol

Receiver
» Computes (g^a, g^b, g^c, g^d) where a, b, c, d are random under the following constraint:
• If the receiver's bit is 0, then c = ab
• If the receiver's bit is 1, then d = ab
» Sends the tuple to the sender

Sender
» Let (h1, h2, x, y) be the tuple received
• Check that x ≠ y
• Randomize (h1, h2, x) and (h1, h2, y) and derive keys kx and ky
• Encrypt m0 with kx and m1 with ky

Receiver
» Derives the appropriate key and decrypts the selected message

Page 14: Background – the Naor-Pinkas Protocol

Security in case of a corrupt sender
» The sender cannot know whether c = ab or d = ab, because this would mean solving the DDH problem
• Recall that (g^a, g^b, g^ab) is indistinguishable from (g^a, g^b, g^r)

Security in case of a corrupt receiver
» The sender checks that x ≠ y
» Therefore, only one of (h1, h2, x) and (h1, h2, y) is a DH tuple
» The randomization on the DH tuple can be reproduced by the receiver to get the output
» The randomization on the non-DH tuple results in a uniformly distributed key about which the receiver knows nothing
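The two slides above, as an added worked example (my code, not the slides' or the paper's). It implements the Naor-Pinkas protocol in a toy prime-order group (p = 1019, q = 509, g = 4, chosen by me and far too small for real use; a real deployment would use an RFC 3526 MODP group or an elliptic curve). The slides do not spell out the randomization; the one used here is the standard Naor-Pinkas randomization u = h1^s·g^t, k = x^s·h2^t, which the receiver can reproduce as u^b exactly when the triple is DH. SHAKE-256 as key-derivation function and XOR masking as "encryption" are also my choices.

```python
import hashlib
import secrets

# Toy group chosen for this example (not from the slides and NOT of cryptographic
# size): safe prime p = 2q + 1, g generates the order-q subgroup in which DDH is
# assumed. Replace with an RFC 3526 MODP group or an elliptic-curve group in practice.
P, Q, G = 1019, 509, 4
NBYTES = (P.bit_length() + 7) // 8


def rand_exp():
    """Uniform exponent in {1, ..., q-1} (never 0 mod q)."""
    return 1 + secrets.randbelow(Q - 1)


def kdf(elem, n):
    """Derive an n-byte one-time pad from a group element (SHAKE-256 as KDF; my choice)."""
    return hashlib.shake_256(elem.to_bytes(NBYTES, "big")).digest(n)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def receiver_round1(sigma):
    """Receiver with bit sigma: (g^a, g^b, g^c, g^d) with c = ab if sigma == 0, d = ab if sigma == 1."""
    a, b = rand_exp(), rand_exp()
    ab = a * b % Q
    other = rand_exp()
    while other == ab:            # exactly one of the two triples may be DH
        other = rand_exp()
    c, d = (ab, other) if sigma == 0 else (other, ab)
    tup = (pow(G, a, P), pow(G, b, P), pow(G, c, P), pow(G, d, P))
    return tup, b                 # b is kept to reproduce the sender's randomization


def randomize(h1, h2, x):
    """Naor-Pinkas randomization of (h1, h2, x): u = h1^s g^t, k = x^s h2^t.
    If x = h1^b where h2 = g^b (a DH triple) then k = u^b; otherwise k is uniform given u."""
    s, t = rand_exp(), rand_exp()
    u = pow(h1, s, P) * pow(G, t, P) % P
    k = pow(x, s, P) * pow(h2, t, P) % P
    return u, k


def sender_round2(tup, m0, m1):
    """Sender: reject x == y (both triples DH), then mask m0 under kx and m1 under ky."""
    h1, h2, x, y = tup
    if x == y:
        raise ValueError("x == y: both triples are DH, the receiver would get both messages")
    u0, kx = randomize(h1, h2, x)
    u1, ky = randomize(h1, h2, y)
    return (u0, xor(kdf(kx, len(m0)), m0)), (u1, xor(kdf(ky, len(m1)), m1))


def receiver_round3(sigma, b, reply):
    """Receiver: on the DH slot the key is u^b; derive it and unmask the chosen message."""
    u, ct = reply[sigma]
    return xor(kdf(pow(u, b, P), len(ct)), ct)


def run_ot(sigma, m0, m1):
    """One execution. Returns (message obtained, what the same derivation yields on the other slot)."""
    tup, b = receiver_round1(sigma)
    reply = sender_round2(tup, m0, m1)
    chosen = receiver_round3(sigma, b, reply)
    # Slide 14: on the non-DH slot u^b != x^s h2^t because s != 0 mod q, so the receiver
    # derives an unrelated key and learns nothing about the other message.
    u, ct = reply[1 - sigma]
    other = xor(kdf(pow(u, b, P), len(ct)), ct)
    return chosen, other


def cheating_tuple():
    """A receiver that makes both triples DH (x == y == g^ab); the sender's x != y check rejects it."""
    a, b = rand_exp(), rand_exp()
    gab = pow(G, a * b % Q, P)
    return pow(G, a, P), pow(G, b, P), gab, gab
```

`run_ot(0, m0, m1)` returns m0 as the first component and garbage as the second, and `sender_round2(cheating_tuple(), ...)` raises: without the x ≠ y check a receiver could hand the sender a tuple in which both triples are DH and recover both messages.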

Page 15: Simulating the Naor-Pinkas Protocol

Security in case of a corrupt sender
» In order to simulate in the ideal model, the simulator needs to extract the sender's input
» Information-theoretically, only one message can be obtained from an execution
» Rewinding the sender doesn't help, because the sender's input can depend on the receiver's first message

Security in case of a corrupt receiver
» The simulator needs to be able to extract the receiver's input
» In this case, this can be achieved with a zero-knowledge proof of knowledge of a discrete log

Page 16: Solving the Problem of a Corrupt Sender

We need to be able to extract the sender's input
» Instead of sending (h1, h2, x, y), send
• (h1, x1, y1) and (h2, x2, y2), where one is a DH tuple and the other is not
» The simulator makes both tuples DH and extracts both inputs
» The sender cannot tell the difference (due to the DDH assumption)

Page 17: A Corrupt Receiver

What about a corrupt receiver?
» It can also make both tuples DH
» Solution: have the receiver prove, using a zero-knowledge proof of knowledge, that only one tuple is DH
• The simulator for a corrupt sender can still send two DH tuples by "cheating" in the ZK proof
• The simulator for a corrupt receiver extracts the receiver's input from the proof of knowledge

Page 18: An Efficient Zero-Knowledge Proof

We use cut and choose for this task
» The receiver sends s pairs of tuples
• Within each pair, the DH and non-DH tuples are ordered randomly
» The sender asks it to open half of the pairs and then checks that every opened pair has one DH and one non-DH tuple
» The receiver sends a reordering of the unopened pairs
• If its bit is 0, then all DH tuples are first
• If its bit is 1, then all DH tuples are second
» The sender randomizes all tuples and:
• Encrypts m0 with all the keys from the first set
• Encrypts m1 with all the keys from the second set

Page 19: The Cut and Choose

[Figure: a worked run with s = 4 pairs; the sender holds m0, m1.
Receiver sends: [(g^a1, g^b1, g^r1), (g^a1, g^b1, g^a1b1)], [(g^a2, g^b2, g^a2b2), (g^a2, g^b2, g^r2)], [(g^a3, g^b3, g^r3), (g^a3, g^b3, g^a3b3)], [(g^a4, g^b4, g^r4), (g^a4, g^b4, g^a4b4)]
Sender challenges: (1, 4)
Receiver opens: (a1, b1, r1, a4, b4, r4)
Receiver reorders the unopened pairs so that the DH tuple comes first: [(g^a2, g^b2, g^a2b2), (g^a2, g^b2, g^r2)], [(g^a3, g^b3, g^a3b3), (g^a3, g^b3, g^r3)]
Sender: randomize and encrypt]

Page 20: A Corrupt Receiver

Main observation:
» If any of the unopened pairs contains a non-DH tuple, then the randomization will prevent the receiver from receiving one of the messages
» Therefore, in order to cheat:
• All of the opened pairs must have one DH and one non-DH tuple
• All of the unopened pairs must have two DH tuples
» Since the cut and choose is chosen randomly, this can occur with probability 2^-s only
• Important: s can be made small (between 20 and 40)
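Slides 16 to 20 as one added worked example (my code, not the slides' or the paper's). It runs the cut-and-choose protocol of slide 18 in the same toy group as the Naor-Pinkas example (p = 1019, q = 509, g = 4, my choice, not a secure size; the small helpers are repeated so the block runs on its own), shows the cheating receiver of slide 20 being caught by the opening check, and shows the simulator of slides 16 and 17 extracting both of the sender's inputs. Two points are my reading of the slides rather than something they state explicitly: "encrypt m0 with all the keys from the first set" is implemented as one mask that is the XOR of the pads derived from every first-slot key, so that a single non-DH tuple in that slot makes m0 unrecoverable; and the simulator is simply handed the sender's challenge set in advance, standing in for the rewinding by which a real simulator "cheats" in the proof. Opening a pair means revealing its exponents (a, b, r), which is also my choice.

```python
import hashlib
import secrets

# Same toy group as the Naor-Pinkas example (my choice; not of cryptographic size).
P, Q, G = 1019, 509, 4
NBYTES = (P.bit_length() + 7) // 8

def rand_exp():
    return 1 + secrets.randbelow(Q - 1)

def kdf(elem, n):
    return hashlib.shake_256(elem.to_bytes(NBYTES, "big")).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def randomize(h1, h2, x):
    """Naor-Pinkas randomization: u = h1^s g^t, k = x^s h2^t (k == u^b iff the triple is DH)."""
    s, t = rand_exp(), rand_exp()
    return pow(h1, s, P) * pow(G, t, P) % P, pow(x, s, P) * pow(h2, t, P) % P

def make_pair(both_dh=False):
    """Honest pair: [(g^a, g^b, g^r), (g^a, g^b, g^ab)] in random order.
    Returns (pair, index of the DH triple, opening (a, b, r)).
    both_dh=True builds the cheating pair of slide 20 / the simulator's pair of slides 16-17."""
    a, b, r = rand_exp(), rand_exp(), rand_exp()
    while r == a * b % Q:
        r = rand_exp()
    h1, h2 = pow(G, a, P), pow(G, b, P)
    dh = (h1, h2, pow(h1, b, P))
    non = dh if both_dh else (h1, h2, pow(G, r, P))
    dh_first = secrets.randbelow(2) == 0
    return ([dh, non] if dh_first else [non, dh]), (0 if dh_first else 1), (a, b, r)

def opening_is_valid(pair, opening):
    """Sender's check on an opened pair: exactly one DH triple and one non-DH triple."""
    a, b, r = opening
    h1, h2 = pow(G, a, P), pow(G, b, P)
    dh, non = (h1, h2, pow(h1, b, P)), (h1, h2, pow(G, r, P))
    return dh != non and sorted(pair) == sorted([dh, non])

def sender_transfer(pairs, m0, m1):
    """Randomize every triple. m0 is masked by ALL first-slot keys and m1 by ALL
    second-slot keys, so one non-DH triple in a slot makes that message unrecoverable."""
    us, pads = [], [bytes(len(m0)), bytes(len(m1))]
    for pair in pairs:
        row = []
        for slot in (0, 1):
            u, k = randomize(*pair[slot])
            pads[slot] = xor(pads[slot], kdf(k, len(pads[slot])))
            row.append(u)
        us.append(row)
    return us, xor(pads[0], m0), xor(pads[1], m1)

def recover(slot, us, ct, bs):
    """Unmask one slot using b_j (the log of the second element) of every unopened pair."""
    pad = bytes(len(ct))
    for row, b in zip(us, bs):
        pad = xor(pad, kdf(pow(row[slot], b, P), len(ct)))
    return xor(pad, ct)

def run_ot(sigma, m0, m1, s=8, cheat=False):
    """Full protocol of slide 18. cheat=True: the receiver makes every pair both-DH (slide 20).
    Returns None if the sender aborts, else (chosen message, attempt on the other slot)."""
    pairs = [make_pair(both_dh=cheat) for _ in range(s)]
    challenge = set(secrets.SystemRandom().sample(range(s), s // 2))   # open half
    if not all(opening_is_valid(pairs[i][0], pairs[i][2]) for i in challenge):
        return None
    unopened = [pairs[i] for i in range(s) if i not in challenge]
    # reorder: DH triple first if sigma == 0, second if sigma == 1
    reordered = [pair if dh_idx == sigma else pair[::-1] for pair, dh_idx, _ in unopened]
    us, c0, c1 = sender_transfer(reordered, m0, m1)
    bs = [opening[1] for _, _, opening in unopened]
    cts = (c0, c1)
    return recover(sigma, us, cts[sigma], bs), recover(1 - sigma, us, cts[1 - sigma], bs)

def simulate_corrupt_sender(m0, m1, s=8, challenge=None):
    """Simulator for a corrupt sender (slides 16-17). It is assumed to know the challenge
    set in advance (the real simulator gets it by rewinding, i.e. "cheating" in the ZK proof):
    opened pairs are honest, every unopened pair is both-DH, so BOTH inputs are extracted."""
    challenge = set(range(0, s, 2) if challenge is None else challenge)
    pairs = [make_pair(both_dh=i not in challenge) for i in range(s)]
    assert all(opening_is_valid(pairs[i][0], pairs[i][2]) for i in challenge)  # sender accepts
    unopened = [pairs[i] for i in range(s) if i not in challenge]
    us, c0, c1 = sender_transfer([pair for pair, _, _ in unopened], m0, m1)
    bs = [opening[1] for _, _, opening in unopened]
    return recover(0, us, c0, bs), recover(1, us, c1, bs)
```

An honest `run_ot` returns the selected message and garbage for the other slot; with `cheat=True` every opened pair fails the check and the sender aborts, which is the all-or-nothing bet of slide 20 (the cheater only wins if the random challenge happens to open none of its bad pairs); and `simulate_corrupt_sender` returns both m0 and m1 while the sender's view is indistinguishable from an honest run under DDH.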

Page 21: Extensions

Smooth projective hashing
» A generalization of DDH and other assumptions
» Includes N-residuosity and quadratic residuosity
» A generalization of Naor-Pinkas to smooth projective hashing was shown by [Kalai]
» Our protocol can be based on her generalization

Homomorphic encryption
» Similar ideas can be used to obtain a protocol that is secure using any homomorphic encryption scheme

Page 22: Efficiency

The most efficient instantiation
» The DDH protocol, using elliptic curves

Comparison to Naor-Pinkas
» Requires s times the work and communication
» For s = 40 this is significant, but it is by far the best among protocols with full simulation

Page 23: Summary

Efficient protocols for oblivious transfer
» A significant but reasonable cost

Achieve full simulation
» With a rigorous proof of security

This reduces the bottleneck of oblivious transfer

The future:
» Reduce to a constant number of exponentiations?

Page 24: Legal Notice

© Copyright 2008 Aladdin Knowledge Systems Ltd. All rights reserved. Aladdin, Aladdin Knowledge Systems, the Aladdin Knowledge Systems logo, eToken and eSafe are trademarks of Aladdin Knowledge Systems Ltd. covered by patents www.aladdin.com/patents; other patents pending.

You may not copy, reproduce (or the like), or use in any other way whatsoever, whether directly or indirectly, any of the materials represented and/or disclosed herein without the express written consent of Aladdin.

Some of the information contained herein may be proprietary information of Aladdin or third parties and all text, images, graphics, trademarks, service marks, logos, trade names and other materials which are part of this communication are subject to intellectual property rights of Aladdin or third parties. The information herein is provided “as is” without any warranty, express or implied (by statute or otherwise), of any kind whatsoever. Aladdin does not undertake any obligation to update the information herein and it does not assume responsibility for errors or omissions.