Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/08/08 CRYP-106 Efficient Fully-Simulatable Oblivious Transfer
Insert presenter logo here on slide master 2-out-of-1 Oblivious Transfer A paradoxical protocol » Inputs: A sender with two inputs m 0,m 1 A receiver with an input bit » Output: The receiver obtains m » Security: The sender learns nothing about The receiver learns only one message m0,m1m0,m1 mm ? ? m 1-
Insert presenter logo here on slide master Importance of Oblivious Transfer Theory of cryptography » Oblivious transfer is “complete” » Oblivious transfer stands at the center of all protocols for secure computation without an honest majority Protocol constructions » Widely used to construct efficient protocols Including multitude of protocols under the heading of “privacy-preserving data mining” » Efficiency of the oblivious transfer is a bottleneck in the efficiency of many other protocols
Insert presenter logo here on slide master Applications Efficient protocols based on oblivious transfer » Comparing information without leaking it One oblivious transfer per bit of input » Oblivious pseudorandom function evaluation Application to set intersection and more » Secure auctions » Privacy-preserving data mining
Insert presenter logo here on slide master Efficient Oblivious Transfer Most work considers definitions that guarantee privacy only » The sender cannot guess the receiver’s bit with probability greater than ½ » There exists one input message of the sender about which receiver learns nothing (formalized via indistinguishability) Highly efficient constructions » Naor-Pinkas: the DDH assumption » Aiello-Ishai-Reingold: homomorphic encryption » And more (see the paper)
Insert presenter logo here on slide master Simulation-Based Definition of Security The real/ideal model paradigm for defining security [GMW,GL,Be,MR,Ca]: » Ideal model: parties send inputs to a trusted party, who computes the function for them » Real model: parties run a real protocol with no trusted help A protocol is secure if any attack on a real protocol can be carried out in the ideal model » Since no attacks can be carried out in the ideal model, security is implied
Insert presenter logo here on slide master The Real Model m 0,m 1 Protocol output (should be m )
Insert presenter logo here on slide master The Ideal Model m 0,m 1 mm Perfectly secure channels m 0,m 1 mm
Insert presenter logo here on slide master IDEAL REAL Trusted party Protocol interaction The Security Definition For every real adversary A there exists an adversary S
Insert presenter logo here on slide master Simulation-Based Definitions Properties of the definition » Privacy » Independence of inputs » Input extraction (adversary “knows” which input it is using) » Correctness
Insert presenter logo here on slide master Simulation versus Privacy Only When is simulation needed? » When oblivious transfer is used as a subprotocol, it is often necessary to have a protocol that is proven by simulation- based definitions Example: efficient general protocol by [Lindell-Pinkas] based on Yao (with security for malicious adversaries) » Composition: privacy-only definitions can interact “badly” with other protocols The bad news: » It seems much harder to construct efficient protocols with simulation-based proofs
Insert presenter logo here on slide master Protocols with Simulation Existing protocols » Semi-honest protocols compiled with GMW Highly inefficient » Recent protocols of [Camenisch-Neven-Shelat] and [Green- Hohenberger] They solve a harder problem of adaptive 1-out-of-N OT They use less standard assumptions (at least Bilinear DDH) Since they use Bilinear maps, exponentiations are more expensive than for regular DDH
Insert presenter logo here on slide master Background – the Naor-Pinkas Protocol Receiver » Computes (g a,g b,g c,g d ) where a,b,c,d are random under the following constraint If =0, then c = ab If =1, then d = ab » Sends the tuple to the sender Sender » Let (h 1,h 2,x,y) be the tuple received Check that x ≠ y Randomize (h 1,h 2,x), (h 1,h 2,y) and derive keys k x and k y Encrypt m 0 with k x and m 1 with k y Receiver » Derive appropriate key and decrypt m
Insert presenter logo here on slide master Background – the Naor-Pinkas Protocol Security in case of a corrupt sender » Sender cannot know if c=ab or d=ab, because this means solving the DDH problem Recall (g a,g b,g ab ) is indistinguishable from (g a,g b,g r ) Security in case of a corrupt receiver » Sender checks that x ≠ y » Therefore, only one of (h 1,h 2,x) and (h 1,h 2,y) is a DH tuple » The randomization on the DH tuple can be reproduced by the receiver to get the output » The randomization on the non-DH tuple results in a uniformly distributed key that the receiver knows nothing about
Insert presenter logo here on slide master Simulating the Naor-Pinkas Protocol Security in case of a corrupt sender » In order to simulate in ideal model, need to extract the sender’s input » Information-theoretically, only one message can be obtained » Rewinding the sender doesn’t help because the sender’s input can depend on the receiver’s first message Security in case of a corrupt receiver » Needs to be able to extract the receiver’s input » In this case, can be achieved with zero-knowledge proof of knowledge of Discrete log
Insert presenter logo here on slide master Solving the Problem of a Corrupt Sender We need to be able to extract the sender’s input » Instead of sending (h 1,h 2,x,y), send (h 1,x 1,y 1 ) and (h 2,x 2,y 2 ) where one is a DH tuple and the other is not » The simulator makes both tuples DH and extracts both inputs » The sender cannot tell the difference (due to the DDH assumption)
Insert presenter logo here on slide master A Corrupt Receiver What about a corrupt receiver? » It can also make both tuples be DH » Solution: have the receiver prove that only one tuple is DH using a zero-knowledge proof of knowledge The simulator for a corrupt sender can still send two DH tuples by “cheating” in the ZK The simulator for a corrupt receiver extracts the receiver’s input from the proof of knowledge
Insert presenter logo here on slide master An Efficient Zero-Knowledge Proof We use cut and choose for this task » The receiver sends s pairs of tuples The DH and non-DH tuples are ordered randomly » The sender asks it to open ½ and then checks that all opened pairs have one DH and one non-DH tuple » The receiver sends a reordering If =0, then all DH tuples are first If =1, then all DH tuples are second » The sender randomizes all and: Encrypts m 0 with all the keys from the first set Encrypts m 1 with all the keys from the second set
Insert presenter logo here on slide master The Cut and Choose m 0,m 1 [(g a1,g b1,g r1 ),(g a1,g b1,g a1b1 )] [(g a2,g b2,g a2b2 ),(g a2,g b2,g r2 )] [(g a3,g b3,g r3 ),(g a3,g b3,g a3b3 )] [(g a4,g b4,g r4 ),(g a4,g b4,g a4b4 )] (1,4) (a 1,b 1,r 1,a 4,b 4,r 4 ) [(g a2,g b2,g a2b2 ),(g a2,g b2,g r2 )] [(g a3,g b3,g r3 ),(g a3,g b3,g a3b3 )] [(g a3,g b3,g a3b3 ),(g a3,g b3,g r3 )] Randomize and encrypt
Insert presenter logo here on slide master A Corrupt Receiver Main observation: » If any of the unopened tuples has one non-DH tuple, then the randomization will prevent the receiver from receiving one of the messages » Therefore, in order to cheat: All of the opened pairs must have one DH and one non- DDH All of the unopened pairs must both be DH » Since the cut and choose is chosen randomly, this can occur with probability 2 -s only Important: s can be made small (between 20 and 40)
Insert presenter logo here on slide master Extensions Smooth projective hashing » A generalization of DDH and other assumptions » Includes N-residuosity and Quadratic residuosity » A generalization of Naor-Pinkas to smooth projective hashing was shown by [Kalai] » Our protocol can be based on her generalization Homomorphic encryption » Similar ideas can be used to obtain a protocol that is secure using any homomorphic encryption scheme
Insert presenter logo here on slide master Efficiency The Most Efficient Instantiation » The DDH protocol, using Elliptic curves Comparison to Naor-Pinkas » Requires s times the work and communication » For s = 40, this is significant, but by far the best
Insert presenter logo here on slide master Summary Efficient protocols for oblivious transfer » A significant but reasonable cost Achieve full simulation » With a rigorous proof of security This reduces the bottleneck of oblivious transfer The future: » Reduce to a constant number of exponentiations?
Insert presenter logo here on slide master Legal Notice © Copyright 2008 Aladdin Knowledge Systems Ltd. All rights reserved. Aladdin, Aladdin Knowledge Systems, the Aladdin Knowledge Systems logo, eToken and eSafe are trademarks of Aladdin Knowledge Systems Ltd. covered by patents other patents pending. You may not copy, reproduce (or the like), or use in any other way whatsoever, whether directly or indirectly, any of the materials represented and/or disclosed herein without the express written consent of Aladdin. Some of the information contained herein may be proprietary information of Aladdin or third parties and all text, images, graphics, trademarks, service marks, logos, trade names and other materials which are part of this communication are subject to intellectual property rights of Aladdin or third parties. The information herein is provided “as is” without any warranty, express or implied (by statute or otherwise), of any kind whatsoever. Aladdin does not undertake any obligation to update the information herein and it does not assume responsibility for errors or omissions.