Published by Mitchell Sheerer. Modified about 1 year ago.

1
Semi-Honest to Malicious Oblivious-Transfer
The Black-box Way
Iftach Haitner
Weizmann Institute of Science

2
Why should we reconsider these old constructions?
I have a dream, Let’s do Key-agreement from one-way functions
Barak showed that black-box separations are not that meaningful
OK, but what about GMW, it is not black-box!
mm...
But what about Impagliazzo-Rudich black-box impossibility result?
This was in a different setting. No one broke the black-box barrier in the setting you are talking about
Well....

3
Whether non black-box techniques are superior to black-box ones?
- Non black-box techniques are typically less efficient.
- When using a black-box reduction, the round-complexity of ‘ is independent of the exact implementation of the parties of
Diagram labels: Trapdoor permutations based semi-honest OT - protocol with limited security ‘ protocol with improved security reduction Malicious OT

4
(Fully) Black-Box Reductions
A fully black-box reduction from B to A:
- Black-box construction.
- Black-box proof of security. Adversary for breaking B ⇒ adversary for breaking A
Diagram labels: Adversary for B, Adversary for A, A, B

5
Black-Box Reductions (cont.)
1. Most reductions in cryptography are (fully) black-box, e.g., from pseudorandom generators to one-way functions.
2. Few “non black-box” techniques that apply in restricted settings (typically using ZK proofs). Example: from malicious security to semi-honest security [GMW]

6
Oblivious Transfer (OT) [Rabin 81’] (one-out-of-two version [EGL 85’])
Sender: bits 0 and 1. Receiver: index $i \in \{0,1\}$.
1. Correctness - the receiver learns the sender's bit i
2. Sender's privacy - the receiver learns nothing about the sender's bit 1-i
3. Receiver's privacy - the sender learns nothing about i
Complete for secure function evaluation [GMW87,K88]
Implied by (enhanced/dense) trapdoor permutations, homomorphic encryption,... [GKL87,H04,K97,S98]

7
Oblivious Transfer cont.
Different types of security:
- Semi-honest adversaries
- Malicious adversaries
Typical constructions of OT:
1. Hardness assumption (e.g., enhanced trapdoor permutations) ⇒ semi-honest OT (black-box)
2. Using non-black-box techniques ⇒ Malicious OT
The second reduction is typically inefficient (round-wise)

8
Defensible Privacy [IKLP ’06]
A natural model of security between semi-honest and full-fledged (malicious) security.
After the protocol ends, the adversary cannot simultaneously learn non-permissible information and defend its behavior, that is, provide input and random coins that justify its behavior.
Example: Defensible OT. The sender cannot simultaneously learn the index i and give a valid defense.

9
Defensible Privacy cont.
Let (A,B) be a protocol for computing $f = (f_A, f_B)$, run as $A(i_A, r_A)$ and $B(i_B, r_B)$.
The protocol is defensibly private for B if no efficient $A^*$ can simultaneously:
- Output a good defense $(i_A^*, r_A^*)$
- Learn inf$(i_B)$ not determined by $f_A(i_A^*, i_B)$
The privacy of B might be violated when A does not give a valid defense.
After giving the defense, A’s privacy might be ruined.
Implies semi-honest privacy.

10
The Usefulness of Defensible Privacy [Ishai Kushilevitz Lindell Petrank ’06]
1. Enhanced TDP, homomorphic encryption ⇒ Defensible-OT
2. Defensible-OT ⇒ Malicious-OT
Both reductions are (fully) black-box
Diagram labels: TDP, Semi-Honest OT, Defensible OT, Malicious OT

11
Defensible-OT ⇒ Malicious-OT [IKLP ’06] (simplified version)
1. Interact in n defensible OTs using random inputs
2. Verify the defense of half of the OTs
3. Combine the remaining OTs to get the desired OT functionality (“randomized self reducibility”)
Diagram labels: Sender (0, 1), Receiver i, Def-OT 1, Def-OT 2, Def-OT 3, Def-OT n

12
Our Results
Main Theorem: Assuming that OWFs exist, for every functionality* there exists a fully-black-box reduction from defensible privacy to semi-honest privacy.
* the functionality has some natural sampling property / stronger assumption about the semi-honest privacy
- preserves statistical privacy of either of the parties
- black-box w.r.t. the OWF
Corollaries:
- Black-box reduction from malicious OT to semi-honest OT
- Black-box reduction from malicious OT to dense-TDP, non-trivial PIR,...
- Black-box reduction from secure function evaluation with static malicious adversaries, to semi-honest OT.
Diagram labels: trapdoor perm., homomorphic enc, semi-honest OT, Defensible OT, Imply, black box

13
The Reduction
Given a protocol (A,B) for computing f, which is semi-honest private for B, and a OWF, we construct a protocol $(A_D, B_D)$ which:
- computes f
- is defensibly private for $B_D$
- preserves the same privacy for $A_D$
We achieve our main result by applying the above reduction twice.

14
The Reduction cont.
Parties: $A_D(i_A, r_A)$ and $B_D(i_B, (r_B, r_A'))$
1. $A_D$ sends $C = \mathrm{Com}(i_A, r_A)$
2. $B_D$ sends $r_A'$
3. The parties run $(A(i_A, r_A \oplus r_A'), B(i_B, r_B))$

Proof of Security
- Privacy of $A_D$: follows by the hiding of Com
- Privacy of $B_D$: assume that $A_D^*$ violates the defensible privacy of $B_D$; we use it to construct $A^*$ for breaking the semi-honest privacy of B in the original protocol (A,B)
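
Added example (not part of the original slides): a Python sketch of the defense check in the compiled protocol above. A defense is accepted only if it opens C and A, run on coins r_A XOR r_A', reproduces every message A_D sent. The SHA-256 commitment, the `opening` value and the `next_msg_a` function are assumptions standing in for Com and for the unspecified underlying protocol.

```python
import hashlib
import secrets

def commit(i_a: int, r_a: bytes, opening: bytes) -> bytes:
    # Stand-in for Com (assumption): hash commitment over opening || input || coins.
    return hashlib.sha256(opening + bytes([i_a]) + r_a).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def next_msg_a(i_a: int, coins: bytes, received: list) -> bytes:
    # Hypothetical next-message function of A: deterministic in
    # (input, coins, messages received from B so far).
    return hashlib.sha256(bytes([i_a]) + coins + b"".join(received)).digest()[:8]

def run_a_d(i_a, r_a, opening, r_a_prime, b_msgs, coins_used=None):
    # Transcript of A_D. An honest A_D runs A on r_a XOR r_a_prime;
    # coins_used lets the constructed cheater substitute coins of its choice.
    coins = coins_used if coins_used is not None else xor(r_a, r_a_prime)
    a_msgs = [next_msg_a(i_a, coins, b_msgs[:j]) for j in range(len(b_msgs) + 1)]
    return {"C": commit(i_a, r_a, opening), "r_a_prime": r_a_prime,
            "a_msgs": a_msgs, "b_msgs": b_msgs}

def valid_defense(transcript, i_a, r_a, opening) -> bool:
    # A defense is good if it opens C and explains every message A_D sent.
    if commit(i_a, r_a, opening) != transcript["C"]:
        return False
    coins = xor(r_a, transcript["r_a_prime"])
    b_msgs = transcript["b_msgs"]
    return all(next_msg_a(i_a, coins, b_msgs[:j]) == m
               for j, m in enumerate(transcript["a_msgs"]))

def demo():
    r_a, opening, r_a_prime = (secrets.token_bytes(16) for _ in range(3))
    b_msgs = [b"b-round-1", b"b-round-2"]            # constructed messages from B
    honest = run_a_d(1, r_a, opening, r_a_prime, b_msgs)
    cheat = run_a_d(1, r_a, opening, r_a_prime, b_msgs,
                    coins_used=secrets.token_bytes(16))  # ignores r_a_prime
    return (valid_defense(honest, 1, r_a, opening),      # honest run defends
            valid_defense(honest, 0, r_a, opening),      # wrong input: C does not open
            valid_defense(cheat, 1, r_a, opening))       # self-chosen coins: rejected

if __name__ == "__main__":
    print(demo())
```

The third case is the one the coin-tossing step exists for: the commitment opens correctly, but the messages are not those of A on the jointly chosen coins, so no valid defense exists.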

15
Algorithm $A^*$
Emulated interaction with $A_D^*$; real interaction with B.
- $A_D^*$ sends $C = \mathrm{Com}(i_A^*, r_A^*)$
- If $A_D^*$ gives a valid defense, let $(i_A^*, r_A^*) = \mathrm{Decom}(C)$. Otherwise, output a random guess for $i_B$.
- $r_A' = r_A \oplus r_A^*$
- Emulated interaction $(A_D^*, B)$: the emulated B acts as B does on the real execution
- Real interaction: $(A(i_A^*, r_A), B(i_B, r_B))$, with $r_A$ random
- If $A_D^*$ outputs a valid defense, output $A_D^*$’s guess for $i_B$ as the value of $i_B$. Otherwise, output a random guess.

$A_D^*$ gives a valid defense ⇒ $(i_A^*, r_A^*) = \mathrm{Decom}(C)$ ⇒ $A_D^*$ acts as $A(i_A^*, r_A)$ ⇒ the emulated B acts correctly ⇒ $A_D^*$’s guess is a good guess for $i_B$

16
Summary
- We give a black-box reduction from malicious oblivious transfer to semi-honest oblivious transfer.
- Supports the conjecture that, in some settings, black-box techniques are as strong as non-black-box ones.
Open Questions:
- Better understanding of defensible privacy: Middle step in other reductions? Useful for its own sake?
- Characterizing the class of functions for which secure evaluation can be black-box reduced to semi-honest evaluation? (randomized self reducibility)
