Download presentation

Presentation is loading. Please wait.

Published byMitchell Sheerer Modified over 2 years ago

1
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science

2
Why should we reconsider these old constructions? I have a dream, Let’s do Key-agreement from one-way functions Barak showed that black- box separations are not that meaningful OK, but what about GMW, it is not black-box! mm... But what about Impagliazzo-Rudich black- box impossibility result? This was in a different setting. No one broke the black-box barrier in the setting you are talking about Well....

3
Whether non black-box techniques are superior to black-box ones? Non black-box techniques are typically less efficient. When using a black-box reduction, the round-complexity of ‘ is independent of the exact implementation of the parties of 3 Trapdoor permutations based semi-honest OT - protocol with limited security ‘ protocol with improved security reduction Malicious OT

4
A fully black-box reduction from B to A: Black-box construction. Black-box proof of security. Adversary for breaking B ) adversary for breaking A (Fully) Black-Box Reductions Adversary for B Adversary for A A B A

5
Black-Box Reductions (cont.) 1. Most reductions in cryptography are (fully) black-box, e.g., from pseudorandom generators to one-way functions. 2. Few “ non black-box ” techniques that apply in restricted settings (typically using ZK proofs). Example: from malicious security to semi- honest security [GMW] 5

6
Oblivious Transfer (OT ) [Rabin 81’] (one-out-of-two version [EGL 85’] ) 1. Correctness - the receiver learns i 2. Sender's privacy - the receiver learns nothing about 1-i 3. Receiver's privacy - the sender learns nothing about i Complete for secure function evaluation [GMW87,K88] Implied by (enhanced/dense) trapdoor permutations, homomorphic encryption,... [GKL87,H04,K97,S98] Sender bits 0 and 1 Receiver Index i 2 {0,1} 6

7
Different types of security Semi – honest adversaries Malicious adversaries Typical constructions of OT: 1. Hardness assumption ) semi – honest OT 2. Using non-black-box techniques ) Malicious OT The second reduction is typically inefficient (round- wise) Oblivious Transfer cont. Black-box 7 e.g., enhanced trapdoor permutations

8
Defensible Privacy [IKLP ’06] A natural model of security between semi-honest to full- fledged (malicious) security. After the protocol ends, the adversary cannot simultaneously learn non-permissible information and defend its behavior – provide input and random-coins that justify its behavior. Example: Defensible OT The sender cannot simultaneously learn the index i and give a valid defense. 8

9
Defensible Privacy cont. Let = (A,B) be a protocol for computing f = (f A, f B ) 9 is defensibly private for B, if no efficient A * can simultaneously Output a good defense (i A *,r A * ) Learn inf (i B ) not determined by f A (i A *,i B ) The privacy of B might be violated when A does not give a valid defense After giving the defense, A ’ s privacy might be ruined Implies semi-honest privacy A (i A,r A ) B (i B, r B ) A*A*

10
The Usefulness of Defensible Privacy [Ishai Kushilevitz Lindel Petrank ’06] 1. Enhanced TDP, homomorphic encryption ) Defensible-OT 2. Defensible-OT ) Malicious-OT Both reductions are (fully) black-box 10 Semi-Honest OTTDPMalicious OT Defensible OT

11
Defensible-OT ) Malicious-OT [IKLP ’06] (simplified version) 1. Interact in n defensible OTs using random inputs 2. Verify the defense of half of the OT ’ s 3. Combine the remaining OT ’ s to get the desired OT functionality ( “ randomized self reducibility ” ) Sender ( 0, 1 ) Receiver i Def-OT 1 Def-OT 2 Def-OT n Def-OT 3

12
12 trapdoor perm. homomorphic enc Our Results Main Theorem: Assuming that OWFs exist, for every functionality* there exists a fully-black-box reduction from defensible privacy to semi-honest privacy. the functionality has some natural sampling property / stronger assumption about the semi-honest privacy - preserves statistical privacy of either of the parties - black-box w.r.t. to the OWF Corollaries: Black-box reduction from malicious OT to semi-honest OT Black-box reduction from malicious OT to dense-TDP, non- trivial PIR,... Black-box reduction from secure function evaluation with static malicious adversaries, to semi-honest OT. Defensible OT Imply semi-honest OT black box

13
The Reduction Given a protocol = (A,B) for computing f, which is semi-honest private for B and a OWF. We construct a protocol D = (A D,B D ) which computes f defensibly private for B D preserves the same privacy for A D We achieve our main result by applying the above reduction twice 13

14
The Reduction cont. B D (i B,(r B, r A ’ )) C = Com(i A,r A ) rA`rA` (A(i A, r A © r A `), B(i B, r B ) ) A D (i A,r A ) B D (i B,(r B, r A ’ )) C = Com(i A,r A ) rA`rA` ( A(i A, r A © r A `), B(i B, r B ) ) 14 Proof of Security Privacy of A D - follows by the hiding of Com Privacy of B D - assume that A D * violates the defensible privacy of B D, we use it to construct A * for breaking the semi-honest privacy of B (in )

15
If A D * gives a valid defense let (i A *,r A * ) = Decom(C) Otherwise, output a random guess for i B The emulated B acts as B does on the real execution Let be A D * ’ s guess for i B r A `= r A © r A * ( A D *,B) Algorithm A * Emulated interaction with A D * Real interaction with B AD*AD* C = Com(i A *,r A * ) rA`rA` If A D * outputs a valid defense, output as the value of i B Otherwise, output a random guess (A(i A *,r A ), B(i B,r B )) Random A D * gives a valid defense ) (i A *,r A * ) = Decom(C) ) A D * acts as A(i A *,r A ) ) the emulated B acts correctly ) is a good guess for i B BBDBD A*A*

16
We give a black-box reduction from malicious oblivious transfer to semi-honest oblivious transfer. Supports the conjecture that, in some settings, black-box techniques are as strong as non-black-box ones. Open Questions: Better understanding of defensible privacy Middle step in other reductions? Useful in its own sake? Characterizing the class of functions for which secure evaluation can be black-box reduced to semi-honest evaluation? randomized self reducibility Summary 16

Similar presentations

OK

On the Cryptographic Complexity of the Worst Functions Amos Beimel (BGU) Yuval Ishai (Technion) Ranjit Kumaresan (Technion) Eyal Kushilevitz (Technion)

On the Cryptographic Complexity of the Worst Functions Amos Beimel (BGU) Yuval Ishai (Technion) Ranjit Kumaresan (Technion) Eyal Kushilevitz (Technion)

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on trade fairs Ppt on coordinate geometry for class 9 download Ppt on applied operational research notes Download free ppt on solar system Ppt on earth dam breach S tv do ppt online Download ppt on journal ledger and trial balance Ppt on natural disaster in hindi language Ppt on business etiquettes training dogs Ppt on turbo c compiler