Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.

Presentation transcript:

Oblivious Transfer (OT)
- Alice (sender) has n secrets
- Alice wants to give k secrets to Bob
- Bob wants the secrets but does not want Alice to know which secrets he has

Oblivious Transfer 2 to 1
- OT basics: Use of Modular Arithmetic
- OT design: Direct Extension of PKE
- OT application: Secure Function Evaluation, Secure Auction

OT – Coin Toss (The basics)
- Alice generates 2 primes and computes their product, p, which is sent to Bob.
- Bob performs primality tests to ensure Alice is playing fair.
- Bob guesses a number 0 < n < p as a factor of p.
- Chances are he guesses wrong, but Bob computes m = n^2 mod p and sends this to Alice.
- Alice knows the original number, p, and she looks for all numbers less than p whose square leaves a remainder of m when divided by p. This can be done fairly easily using the Chinese Remainder Theorem.

OT – Coin Toss Cont
- Alice will find at least 1 pair of such numbers; she will then send 1 of the pairs, p, to Bob.
- O = n + p. He will then calculate the gcd(O,p).
- This will yield either a trivial result or a factor of p, which Bob will send to Alice.
- There is a 50% chance that Alice sends the nontrivial p to Bob.
- Bob has a slight advantage in that he picks the original n, but there is a negligible chance that Bob randomly picks an n that factors p. [Peterson]
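The coin-toss exchange above, worked through in Python as an added example (not code from the slides). It assumes both primes are congruent to 3 mod 4 so that a square root modulo each prime is a single exponentiation; the code calls the product N where the slides call it p, and all function names are illustrative.

```python
import math
import secrets

def sqrt_mod_prime(a, p):
    """Square root of a quadratic residue a modulo a prime p with p % 4 == 3."""
    return pow(a, (p + 1) // 4, p)

def crt(rp, p, rq, q):
    """The x in [0, p*q) with x = rp (mod p) and x = rq (mod q)."""
    return (rp + p * (((rq - rp) * pow(p, -1, q)) % q)) % (p * q)

def square_roots(m, p, q):
    """Alice's step: every square root of m modulo N = p*q, combined by CRT."""
    rp, rq = sqrt_mod_prime(m % p, p), sqrt_mod_prime(m % q, q)
    return sorted({crt(sp, p, sq, q)
                   for sp in (rp, p - rp) for sq in (rq, q - rq)})

def bob_factor(N, n, root):
    """Bob's step: gcd(n + root, N) is a prime factor of N or a trivial value."""
    g = math.gcd(n + root, N)
    return g if 1 < g < N else None

def play_round(p, q):
    """One full exchange; returns the factor Bob learns, or None."""
    N = p * q
    n = secrets.randbelow(N - 2) + 2           # Bob's guess, 2 <= n < N
    while math.gcd(n, N) != 1:                 # negligible case: n already factors N
        n = secrets.randbelow(N - 2) + 2
    m = pow(n, 2, N)                           # sent to Alice
    root = secrets.choice(square_roots(m, p, q))   # Alice cannot tell which root is Bob's
    return bob_factor(N, n, root)

def win_rate(p, q, rounds=2000):
    """Fraction of rounds in which Bob ends up with a factor."""
    return sum(play_round(p, q) is not None for _ in range(rounds)) / rounds

if __name__ == "__main__":
    print(square_roots(4, 7, 11))              # constructed toy modulus N = 77
    print(win_rate(1019, 1031))                # close to 0.5
```

Two of the four roots are n and N - n, which give Bob nothing; the other two give a factor, which is where the 50% comes from.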

Original OT
The transfer is somewhat like a simple game played with a locked box requiring two different keys. A sender transfers the locked box to a recipient, who finds one key that partially unlocks the box. The sender has both keys and, without seeing what the recipient has done, must now pass on one of the two keys. Depending on which key is sent, the recipient will either succeed or fail in opening the box. Although the sender's choice controls the outcome, the sender never knows which choice to make to guarantee a certain result.

The Heart of OT
- Sender remains unsure of outcome
- We want more
- Want to share secrets, not just have a fair (50%) chance of coming out with a prime factor of a number.

OT - PKE
- Alice generates two public-key/private-key key pairs.
- Bob chooses a key in a symmetric encryption algorithm (3DES, for example). He chooses one of Alice’s public keys and encrypts his DES key with it. He sends the encrypted key to Alice without telling her which of her public keys he used.
- Alice decrypts Bob’s key twice, once with each of her private keys. In one of the cases, she uses the correct key and successfully decrypts Bob’s DES key. In the other case, she uses the wrong key and only manages to generate a meaningless heap of bits that nonetheless look like a random DES key.

OT – PKE cont
- Alice encrypts both of her messages, each with a different one of the DES keys she generated in the previous step (one real and one meaningless) and sends both of them to Bob.
- Bob gets one of Alice’s messages encrypted with the proper DES key and the other one encrypted with the gibberish DES key. When Bob decrypts each of them with his DES key, he can read one of them; the other just looks like gibberish to him.
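The PKE-based transfer above, end to end, as an added example (not code from the slides). It assumes tiny unpadded textbook RSA key pairs built from constructed primes, and a hash-derived XOR mask standing in for the DES/3DES step; all names are illustrative.

```python
import hashlib
import secrets

def rsa_keypair(p, q, e):
    """Constructed textbook RSA key: returns (public, private) = ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def mask(key_int, length):
    """Keystream derived from a symmetric key (stand-in for DES encryption)."""
    return hashlib.shake_256(str(key_int).encode()).digest(length)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def bob_request(pubs, choice):
    """Bob picks symmetric key K and encrypts it under ONE of Alice's public keys."""
    limit = min(n for n, _ in pubs)
    while True:
        K = secrets.randbelow(limit - 2) + 2
        n, e = pubs[choice]
        c = pow(K, e, n)
        if c < limit:          # a c above the smaller modulus would reveal the choice
            return K, c

def alice_respond(privs, c, messages):
    """Alice decrypts c under both private keys and masks one message per result."""
    out = []
    for (n, d), msg in zip(privs, messages):
        candidate = pow(c, d, n)               # one is Bob's K, the other is noise
        out.append(xor(msg, mask(candidate, len(msg))))
    return out

def bob_open(K, ciphertexts):
    """Bob unmasks both ciphertexts with K; only one yields a real message."""
    return [xor(ct, mask(K, len(ct))) for ct in ciphertexts]

def run_ot(choice, messages):
    pairs = [rsa_keypair(61, 53, 17), rsa_keypair(47, 71, 79)]
    pubs, privs = [p[0] for p in pairs], [p[1] for p in pairs]
    K, c = bob_request(pubs, choice)
    return bob_open(K, alice_respond(privs, c, messages)), c

if __name__ == "__main__":
    print(run_ot(1, [b"secret-zero", b"secret-one!"])[0])
```

The resampling loop in `bob_request` handles an edge case the slides do not mention: with moduli of different sizes, a ciphertext larger than the smaller modulus could only have come from the larger key.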

Conclusion of PKE – OT
- Success: Bob now knows one of Alice’s secrets, although he doesn’t know which.
- Disadvantage: Bob does not know if he has Alice’s first or second secret and has no way of finding out.

Secure Function Evaluation
Application of OT

What is Secure Function Evaluation (SFE)?
Our goal is to compute $f(x_1, \ldots, x_n)$, the output, while at the same time limiting the information that each party gains about the other parties' values (ideally, at the end, each party knows their input, and the output of the function, and no other information about their opponent that isn’t inherent in the function definition).

Some Uses for SFE
- The Millionaires problem… two millionaires wish to determine who has the most money without revealing their exact net worth
- Voting: $f(x_1, \ldots, x_n)$ returns 0 if candidate one gets more votes, 1 if candidate two, etc.
- Auctions: $f(x_1, \ldots, x_n) = (i, n)$ for maximum bid
- Database computations
- Database queries

Important Considerations in Defining a SFE system
- What type of adversary? (Passive v. Active, Adaptive v. Non-Adaptive)
- What type of network are the parties connected to? (Pairwise Secure, Broadcast, Authenticated)
- What guarantees do you hope to achieve? (Correctness, Privacy)

Known Results for SFE
- If Trapdoor Permutations exist:
  - Any function evaluation can be computed securely against a passive (honest-but-curious) adversary
  - Any function evaluation can be computed securely against an active adversary controlling at most one half of the parties
- SFE over insecure networks:
  - any f can be computed securely against an active adversary if parties used pairwise channels and there are two-thirds majority of honest parties [BGW, CCD]
  - any f can be computed securely using a broadcast channel against an active adversary who has corrupted less than half of the parties

Computing a Function
- Bob and Alice share a Boolean circuit they wish to compute
- Alice’s input is $a_1$, $b_1$; Bob’s input is $a_2$, $b_2$
- Define $a = a_1 + a_2$; $b = b_1 + b_2$
- We want $c_1$, $c_2$ for Alice, Bob, resp., subject to $c_1 + c_2 = (a_1 + a_2)(b_1 + b_2)$
- Alice chooses $c_1$ in {0,1} at random and prepares n possible $c_2$ outputs for Bob (based on the n possible secrets Bob might have)
- Alice and Bob perform OT and now they have $c_1$ and $c_2$ values subject to the above constraints
- Bob and Alice are now able to evaluate any Boolean circuit
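The share-based AND gate above, extended to a small circuit, as an added example (not code from the slides). It assumes addition of bits means XOR, models the oblivious transfer as an ideal lookup (`ideal_ot` is a stand-in, not a protocol), and goes beyond the single gate by composing gates into a 2-bit "greater than" test in the spirit of the Millionaires problem; all names are illustrative.

```python
import secrets

def alice_table(a1, b1, c1):
    """Alice's candidate c2 for each (a2, b2) Bob might hold, in index order 2*a2 + b2."""
    return [c1 ^ ((a1 ^ a2) & (b1 ^ b2)) for a2 in (0, 1) for b2 in (0, 1)]

def ideal_ot(table, index):
    """Stand-in for 1-of-n OT: Bob learns table[index]; Alice learns nothing about index."""
    return table[index]

def share(bit):
    """Split a bit into (Alice's share, Bob's share) with share_A ^ share_B == bit."""
    r = secrets.randbits(1)
    return (bit ^ r, r)

def and_gate(x, y):
    """x, y are share pairs; output shares satisfy c1 ^ c2 == (x_A ^ x_B) & (y_A ^ y_B)."""
    c1 = secrets.randbits(1)                       # Alice's random output share
    c2 = ideal_ot(alice_table(x[0], y[0], c1), 2 * x[1] + y[1])
    return (c1, c2)

def xor_gate(x, y):
    """XOR needs no interaction: each party XORs its own shares."""
    return (x[0] ^ y[0], x[1] ^ y[1])

def not_gate(x):
    """NOT: only Alice flips her share."""
    return (x[0] ^ 1, x[1])

def greater_than(x_bits, y_bits):
    """x > y for 2-bit values given as (high, low); inputs and wires stay shared."""
    x1, x0 = (share(b) for b in x_bits)            # Alice's input
    y1, y0 = (share(b) for b in y_bits)            # Bob's input
    hi = and_gate(x1, not_gate(y1))                # high bit decides
    same_hi = not_gate(xor_gate(x1, y1))
    lo = and_gate(same_hi, and_gate(x0, not_gate(y0)))
    out = xor_gate(hi, lo)                         # hi and lo are never both 1
    return out[0] ^ out[1]                         # shares combined only at the output

if __name__ == "__main__":
    print(alice_table(1, 1, 0), greater_than((1, 0), (0, 1)))
```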

Two-Party Secure Function Evaluation
- A assigns each wire i two random values $(W_i^0, W_i^1)$ corresponding to 0 and 1
  - Used as pseudo-random keys (e.g. 80 bits)
- Wire values denoted as $a_i$ (0 or 1)
- A assigns a “garble” function to each wire i: $a_i \to c_i$
- $(W_i^{b_i}, c_i)$ denotes the garbled value of wire i
- Gate function denoted as $a_k = g(a_i, a_j)$
- A creates a table $T_g$ which enables computation of garbled output of g: $(W_k^{b_k}, c_k)$ from garbled inputs $(W_i^{b_i}, c_i)$ and $(W_j^{b_j}, c_j)$

Two-Party Secure Function Evaluation
- The table does not disclose any information about the output of g for other inputs
- Does not reveal input or output values
- Assume $|F_K(x)| = |W_k^{b_k}| + 1$
- The table contains n entries:
- For B to use the table
  - B knows $(W_i^{b_i}, c_i)$, $(W_j^{b_j}, c_j)$
  - Finds $(c_i, c_j)$ in the table
  - Performs XOR with entry in the table to compute garbled output $(W_k^{g(b_i,b_j)}, c_k)$
  - Recall that A xor B xor C xor B xor C = A
- Garbled output from garbled inputs and table
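A garbled gate table built and evaluated as described above, as an added example (not code from the slides or from Fairplay). The table entries themselves did not survive on the slide, so the entry formula used here, the garbled output XORed with F keyed by each input wire key and applied to the other wire's garbled bit, is an assumption chosen to match the "A xor B xor C xor B xor C = A" recall; F is HMAC-SHA256 truncated to key length plus one byte, and all names are illustrative.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 10                                  # 80-bit wire keys, as on the slide

def F(key, x):
    """Pseudo-random function; output is one byte longer than a wire key."""
    return hmac.new(key, bytes([x]), hashlib.sha256).digest()[:KEY_BYTES + 1]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def new_wire():
    """Two random keys (for 0 and 1) and a random bit hiding the mapping b -> c."""
    return {"W": [secrets.token_bytes(KEY_BYTES) for _ in range(2)],
            "perm": secrets.randbits(1)}

def garbled(wire, b):
    """Garbled value (W^b, c) of a wire carrying bit b."""
    return wire["W"][b], b ^ wire["perm"]

def garble_gate(g, wi, wj, wk):
    """A's step: table T_g indexed by (c_i, c_j); each mask value is used exactly once."""
    table = {}
    for bi in (0, 1):
        for bj in (0, 1):
            (Wi, ci), (Wj, cj) = garbled(wi, bi), garbled(wj, bj)
            Wk, ck = garbled(wk, g(bi, bj))
            table[(ci, cj)] = xor(Wk + bytes([ck]), xor(F(Wi, cj), F(Wj, ci)))
    return table

def evaluate(table, gi, gj):
    """B's step: look up (c_i, c_j) and XOR the two masks off to get (W_k, c_k)."""
    (Wi, ci), (Wj, cj) = gi, gj
    plain = xor(table[(ci, cj)], xor(F(Wi, cj), F(Wj, ci)))
    return plain[:KEY_BYTES], plain[KEY_BYTES]

def translate(wire, c):
    """Output translation table entry: garbled bit c back to the real output bit."""
    return c ^ wire["perm"]

if __name__ == "__main__":
    wi, wj, wk = new_wire(), new_wire(), new_wire()
    t = garble_gate(lambda x, y: x & y, wi, wj, wk)
    _, ck = evaluate(t, garbled(wi, 1), garbled(wj, 1))
    print(translate(wk, ck))
```

B holds one key per input wire, so only one of the four rows unmasks to a valid garbled output; the other rows stay masked by values B cannot compute.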

Two-Party Secure Function Evaluation
- For each input wire, B and A engage in oblivious transfer
  - A is the sender, B is the chooser
- A sends the gate tables to B
- A sends a translation table from the garbled values of the output wires to output bits
- By the end of the oblivious transfer stages, B has enough information to compute f(x)

Two-Party Secure Function Evaluation
- Security of gates
  - Every masking value ($F_W(c_i)$) is used only once
  - Without knowledge of the correct key, masking values look random
- Overhead
  - Communication is performed in one back and forth round
  - A can prepare the circuit in advance (one table for each of m gates)
  - Computation: one oblivious transfer for each input bit (n)
  - A and B must perform n exponentiations
  - B must evaluate f
  - Negligible compared to oblivious transfer

SFE - Fairplay
- Fairplay consists of two parts:
  - a language SFDL (Secure Function Definition Language) that describes the SFE paradigm
  - a compiler that creates a one-pass Boolean circuit in a language called SHDL (Secure Hardware Definition Language)
- Bob and Alice then are able to securely evaluate the circuit

Compiling SFDL
- SFDL is compiled into a Boolean circuit using an SFDL – SHDL compiler.
- The SHDL circuit must have “obliviousness” built in to it:
  - No registers, loops, gotos
  - Every gate used exactly once
  - For array indexing a multiplexer is built with all values of i hardwired in

And Finally…
There are Alice and Bob programs that take as input a SHDL circuit and carry out the secure computation protocol.

SFDL Program Structure
- First one must declare global constants and types, followed by a sequence of functions.
- A function must precede any functions that call it.
- Recursion and global variables are forbidden.
- The last function must be the output function.
- Variable assignments are as one would expect; operators include addition, subtraction, Boolean operators, and standard comparison operators.
- If-then and if-then-else are supported.
- All loops must have a definite number of iterations that is known in advance.

SFDL Compiler
- Reads in SFDL program, transforms it, outputs program in SHDL format.
- Compiler performs the following steps:
  - Parsing
  - Function inlining and loop unfolding
  - Transformation into single-bit operations
  - Array access handling
  - Single variable assignments
  - Optimization (in terms of circuit size)

And Then…
- An oblivious transfer is needed for every input wire of the circuit.
- Bob sends m “garbled” circuits to Alice, Alice randomly chooses one circuit to be evaluated, and Bob reveals the remaining m-1 circuits.
- Bob can be caught cheating with probability 1-1/m.
- The two implemented OT methods are based on the Diffie-Hellman problem.

Results
Authors performed tests on four functions:
- AND – bitwise and on Alice and Bob’s inputs
- Billionaires – 32 bit input for Bob and Alice, which it compares
- Keyed Database Search – Bob has a keyed database, Alice retrieves items by specifying its key
- Median – finds median of two sorted arrays

What’s the Point? Secure Auction System
- GOAL: Keep bids secret from auctioneer
- Auctioneer only needs to know:
  - identification of highest bidder
  - clearing price
- Need a third entity, “Auction issuer”
- Create protocol where neither auctioneer nor auction issuer have full information about bidders and bids
- Assumption: auctioneer and auction issuer do not collude

Auctions
- Auction consists of three types of entities
  - Bidders, auctioneer, auction issuer (AI)
- Protocol
  - Auctioneer advertises details of auction: rules, times, AI
  - AI creates an encryption scheme for each bidder to use
  - Bidders submit encrypted bids to the auctioneer, using the AI’s encryption scheme
  - AI generates a program to compute the outcome of the auction based upon the encrypted bids, then sends circuit and output translation table to auctioneer
  - Auctioneer uses inputs and program to compute outcome of auction

Secure Function Evaluation for Auctions
- Auctioneer must compute $f(x_1, \ldots, x_n)$ = result of auction: i = winner, p = clearing price
- AI constructs circuit to compute auction result and garbles it
- Auctioneer advertises auction and AI’s public key (P. OT)
- Each bidder engages in a 1-of-2 proxy oblivious transfer (for each bit)
  - AI is sender (garbled input bit value-pairs)
  - Bidder is the chooser
  - Auctioneer is proxy
- Note that the auction issuer doesn’t receive any inputs
- Auctioneer computes outcome of auction
- AI provides output translation table

Future Work
- Improve performance
- Security against malicious parties
- Fair termination
- Reactive secure computation
- Integrating other SFE primitives
- Multi-party computation

Acknowledgments
- Dahlia Malkhi, Noam Nisan, Benny Pinkas, and Yaron Sella (SFE)
- Ivars Peterson (OT – Coin Toss)