Improved OT Extension for Transferring Short Secrets Vladimir Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion)


1 Improved OT Extension for Transferring Short Secrets Vladimir Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion)

2 Secure Computation
Most general problem in cryptography
Moving fast from theory to practice
  – Major research effort
Improving (asymptotic & concrete) efficiency
Implementation & “Systems” issues
[Diagram: one party inputs x and receives $f_1(x,y)$; the other inputs y and receives $f_2(x,y)$]

3 State of the Art (Semihonest Setting)
[Items arranged along an axis from THEORY to PRACTICE]
Constant overhead
  – [IKOS08,GGH+13]
Optimal comm./round complexity
  – [GGHR13,AJL+12,LTV12]
ORAM-based SFE
  – [LO13,GKK+12,GGH+13]
Yao garbled circuit optimizations
  – [KS08,PSSW09,MNPS04]
  – [HEKM11,BHKR13]
GMW optimizations
  – [CHKMR12,SZ13,ALSZ13]
Yao + GMW [KK12]

4 Practical Computational Overhead Hierarchy of efficiency FHE >> PKE >> SKE >> one-time pad – “LHS >> RHS” ≈ cost of LHS is, and will probably always be, by orders of magnitude, bigger than cost of RHS. OT Extension motivated by “PKE >> SKE”

5 Talk Outline OT Extension Ishai et al. (IKNP) OT Extension A New Framework for IKNP

6 PKE >> SKE
PKE: E.g: KA, OT, SFE
  – Hard to implement heuristically
  – More expensive
SKE: E.g: PRG, hash functions
  – Easy to implement heuristically
  – Cheaper
Factor ~ 3-4 orders of magnitude slower
Intel AES-NI instruction set
PKE cannot be black-box reduced to SKE [IR89]

7 The Next Best Thing: Extending Primitives
Extending public key encryption is easy
  – Encrypt payload with symmetric key
  – Encrypt symmetric key with public key
Huge practical impact
What about extending Oblivious Transfer? [IR89] + ?

8 Oblivious Transfer (OT)
[Diagram: sender holds $x_0, x_1$ (marked ???); receiver holds r and obtains $x_r$]
GMW: Evaluate each AND gate in the circuit
Yao: Used to select one of two “garbled keys”

9 Cost of OT
No black-box reduction from OT to one-way functions [IR89]
OT length extension is easy:
[Diagram, labelled “efficient, black-box”: one OT with choice bit r on seeds $s_0, s_1$; the sender then sends $G(s_0) \oplus x_0$ and $G(s_1) \oplus x_1$]
OT instance extension is possible [B96,IKNP03]
  – Needs only k “seed” OTs to perform n >> k OTs
  – Additional n symmetric key (cheap) operations
  – Huge impact on SFE

10 OT Extension: Prior Work [Beaver 96]: First OT extension [Ishai-Kilian-Nissim-Petrank 03] (IKNP) – Random Oracle (RO) model or Correlation robust hash functions (CRHF) – Most practical OT extension [HIKN08,IPS08,NNOB12]: Malicious adv [LZ13]: (In)feasibility results for OT extension This work: Improve semihonest IKNP

11 Talk Outline OT Extension Ishai et al. (IKNP) OT Extension A New Framework for IKNP

12 [IKNP03] Strategy
[Diagram: the n OTs with sender inputs $x_{i,0}, x_{i,1}$ and receiver choice bits $r_i$ ($i = 1, \dots, n$) are reduced to k OTs on $s_1, s_2, \dots, s_k$ plus O(n) evaluations of H, followed by Length Extension]

13 [IKNP03] Main Reduction
Receiver picks $T \in_R \{0,1\}^{n \times k}$
Sender picks $s \in_R \{0,1\}^k$
[Diagram: k seed OTs; in the j-th, the receiver offers the columns $t_j$ and $t_j \oplus r$ and the sender selects one with $s_j$]
Sender obtains $Q \in \{0,1\}^{n \times k}$
  – $q_i = t_i$ if $r_i = 0$
  – $q_i = t_i \oplus s$ if $r_i = 1$
For $1 \le i \le n$, Sender sends
  – $y_{i,0} = x_{i,0} \oplus H(q_i)$
  – $y_{i,1} = x_{i,1} \oplus H(q_i \oplus s)$
For $1 \le i \le n$, Receiver outputs
  – $z_i = y_{i,r_i} \oplus H(t_i)$

14 IKNP Cost Communication cost of resulting OT(n,L): – Main reduction: 2nL bits – Length extension: 2nk bits Communication cost of resulting SFE: – [Yao86]: need to transfer keys of length L = k – [GMW87]: L = 1, cost = 2nk + 2n, optimal?

15 Talk Outline OT Extension Ishai et al (IKNP) OT Extension A New Framework for IKNP

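16 Our Work: A Closer Look at IKNP
[Diagram: matrix T with columns $t_1, t_2, \dots, t_k$ beside matrix U with columns $t_1 \oplus r, t_2 \oplus r, \dots, t_k \oplus r$, with example rows for $r_i = 0$ and $r_i = 1$; in $R = T \oplus U$ every column equals r]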

17 Alternate Point of View
Row-wise encoding
  – $0 \to 0^k$
  – $1 \to 1^k$
[Diagram: the $n \times k$ matrix $R = T \oplus U$, every column equal to r, with example rows for $r_i = 0$ and $r_i = 1$]
IKNP uses repetition encoding
Can we use other encodings?

18 A Coding Theoretic Framework for IKNP
Suppose use code C
Say $r_i$ comes from a larger domain $\{1, \dots, m\}$
Row-wise encoding
  – $r_i \to C(r_i) \in \{0,1\}^k$
[Diagram: the $n \times k$ matrix $C(R)$ with rows $C(r_1), C(r_2), \dots, C(r_n)$]

19 A Coding Theoretic Framework for IKNP
[Diagram: receiver holds T and U with $C(R) = T \oplus U$, where $r_1, r_2, \dots, r_n \in [m]$; in the j-th of the k seed OTs the sender selects column $t_j$ or $u_j$ with $s_j$]
Sender obtains $Q \in \{0,1\}^{n \times k}$ ($\odot$ is bit-wise AND)
  – $q_1 = t_1 \oplus (C(r_1) \odot s)$
  – $q_2 = t_2 \oplus (C(r_2) \odot s)$
  – $q_n = t_n \oplus (C(r_n) \odot s)$
For $1 \le i \le n$, $1 \le r \le m$, Sender sends
  – $y_{i,r} = x_{i,r} \oplus H(i, q_i \oplus (C(r) \odot s))$
For $1 \le i \le n$, Receiver outputs
  – $z_i = y_{i,r_i} \oplus H(i, t_i)$

20 Analysis
Cost of 1-out-of-m OT(n, L):
  – Communication: $(2nk + mnL)$ bits
OT(n, L) from 1-out-of-m OT(n/log m, L log m)
  – Communication: $(n/\log m)(2k + mL \log m)$ bits
Perfect security against malicious sender
Statistical security against semihonest receiver:
  – No loss unless query H on $(i, t_i \oplus (C(r) \odot s))$ for some r
  – Loss in security: $m 2^{-d}$, where d = min distance of C

21 Efficiency Concrete: – Hadamard codes for encoding – Factor ≈ 2 for 1-out-of-2 OT and GMW for k=256 Additional optimizations lead to factor ≈ 3.5 Asymptotic comm. cost per OT: O(k/log k) bits
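The protocol of slide 19 with the Hadamard code named on slide 21, as an added example (not code from the talk or its authors): a single-process Python simulation that also reproduces plain IKNP when given the repetition code with m = 2. Assumptions: the k seed OTs are modelled as ideal, SHA-256 stands in for H, choices are indexed 0..m-1 instead of 1..m, and all function names are hypothetical.

```python
import hashlib
import secrets

K = 256  # code length k = number of seed OTs (the k=256 quoted on slide 21)

def hadamard(r, k=K):
    """Walsh-Hadamard codeword of r as a k-bit int: bit j is <r, j> mod 2."""
    return sum((bin(r & j).count("1") & 1) << j for j in range(k))

def repetition(r, k=K):
    """The code IKNP uses implicitly: 0 -> 0^k, 1 -> 1^k."""
    return (1 << k) - 1 if r else 0

def H(i, row, L):
    """Stand-in for the random oracle: SHA-256 over (i, row), cut to L <= 32 bytes."""
    data = i.to_bytes(4, "big") + row.to_bytes(K // 8, "big")
    return hashlib.sha256(data).digest()[:L]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ot_extension(code, m, msgs, choices, L):
    """n instances of 1-out-of-m OT on L-byte strings; returns (Z, Y, T)."""
    n = len(choices)
    # Receiver: random rows t_i and u_i = t_i XOR C(r_i), so that C(R) = T XOR U.
    T = [secrets.randbits(K) for _ in range(n)]
    U = [t ^ code(r) for t, r in zip(T, choices)]
    # Sender: random s. The k seed OTs (modelled as ideal here) hand over column j
    # of T when s_j = 0 and of U when s_j = 1, i.e. rows q_i = t_i XOR (C(r_i) AND s).
    s = secrets.randbits(K)
    Q = [(t & ~s) | (u & s) for t, u in zip(T, U)]
    # Sender masks every message: y_{i,r} = x_{i,r} XOR H(i, q_i XOR (C(r) AND s)).
    Y = [[xor(msgs[i][r], H(i, Q[i] ^ (code(r) & s), L)) for r in range(m)]
         for i in range(n)]
    # Receiver strips the one pad it can compute: z_i = y_{i,r_i} XOR H(i, t_i).
    Z = [xor(Y[i][choices[i]], H(i, T[i], L)) for i in range(n)]
    return Z, Y, T

def min_distance(code, m):
    """Minimum Hamming distance d between codewords; the analysis loses m * 2^-d."""
    words = [code(r) for r in range(m)]
    return min(bin(a ^ b).count("1") for a in words for b in words if a != b)

if __name__ == "__main__":
    msgs = [[bytes([i, r]) * 8 for r in range(16)] for i in range(4)]  # constructed
    picks = [3, 0, 15, 7]
    Z, _, _ = ot_extension(hadamard, 16, msgs, picks, 16)
    print(Z == [msgs[i][r] for i, r in enumerate(picks)], min_distance(hadamard, 16))
```

The pads for the other m-1 messages differ from H(i, t_i) in the positions where C(r) and C(r_i) disagree and s is 1, which is why the minimum distance of the code sets the security loss.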

22 Conclusions OT Extension motivated by PKE >> SKE – Huge impact on practicality of SFE Coding theoretic framework for [IKNP03] – RO or “code correlation robust hash functions” Improvements for GMW, OT, 1-out-of-m OT Rethink GMW vs. Yao? – Also [KK12], [NNOB12], [SZ13], [ALSZ13]

23 Thank You!

24 The research leading to these results has received funding from the European Union's Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 259426 – ERC – Cryptography and Complexity

