Presentation is loading. Please wait.

Presentation is loading. Please wait.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Published byMitchell Sheerer Modified over 9 years ago

Similar presentations

Presentation on theme: "Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science."— Presentation transcript:

1 Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science

2 Why should we reconsider these old constructions? I have a dream, Let’s do Key-agreement from one-way functions Barak showed that black- box separations are not that meaningful OK, but what about GMW, it is not black-box! mm... But what about Impagliazzo-Rudich black- box impossibility result? This was in a different setting. No one broke the black-box barrier in the setting you are talking about Well....

3 Whether non black-box techniques are superior to black-box ones? Non black-box techniques are typically less efficient. When using a black-box reduction, the round-complexity of  ‘ is independent of the exact implementation of the parties of  3 Trapdoor permutations based semi-honest OT  - protocol with limited security  ‘  protocol with improved security reduction Malicious OT

4 A fully black-box reduction from B to A: Black-box construction. Black-box proof of security. Adversary for breaking B ) adversary for breaking A (Fully) Black-Box Reductions Adversary for B Adversary for A A B A

5 Black-Box Reductions (cont.) 1. Most reductions in cryptography are (fully) black-box, e.g., from pseudorandom generators to one-way functions. 2. Few “ non black-box ” techniques that apply in restricted settings (typically using ZK proofs). Example: from malicious security to semi- honest security [GMW] 5

6 Oblivious Transfer (OT ) [Rabin 81’] (one-out-of-two version [EGL 85’] ) 1. Correctness - the receiver learns  i 2. Sender's privacy - the receiver learns nothing about  1-i 3. Receiver's privacy - the sender learns nothing about i  Complete for secure function evaluation [GMW87,K88]  Implied by (enhanced/dense) trapdoor permutations, homomorphic encryption,... [GKL87,H04,K97,S98] Sender bits  0 and  1 Receiver Index i 2 {0,1} 6

7 Different types of security Semi – honest adversaries Malicious adversaries Typical constructions of OT: 1. Hardness assumption ) semi – honest OT 2. Using non-black-box techniques ) Malicious OT The second reduction is typically inefficient (round- wise) Oblivious Transfer cont. Black-box 7 e.g., enhanced trapdoor permutations

8 Defensible Privacy [IKLP ’06] A natural model of security between semi-honest to full- fledged (malicious) security. After the protocol ends, the adversary cannot simultaneously learn non-permissible information and defend its behavior – provide input and random-coins that justify its behavior. Example: Defensible OT The sender cannot simultaneously learn the index i and give a valid defense. 8

9 Defensible Privacy cont. Let  = (A,B) be a protocol for computing f = (f A, f B ) 9  is defensibly private for B, if no efficient A * can simultaneously Output a good defense (i A *,r A * ) Learn inf (i B ) not determined by f A (i A *,i B ) The privacy of B might be violated when A does not give a valid defense After giving the defense, A ’ s privacy might be ruined Implies semi-honest privacy A (i A,r A ) B (i B, r B ) A*A*

10 The Usefulness of Defensible Privacy [Ishai Kushilevitz Lindel Petrank ’06] 1. Enhanced TDP, homomorphic encryption ) Defensible-OT 2. Defensible-OT ) Malicious-OT Both reductions are (fully) black-box 10 Semi-Honest OTTDPMalicious OT Defensible OT

11 Defensible-OT ) Malicious-OT [IKLP ’06] (simplified version) 1. Interact in n defensible OTs using random inputs 2. Verify the defense of half of the OT ’ s 3. Combine the remaining OT ’ s to get the desired OT functionality ( “ randomized self reducibility ” ) Sender (  0,  1 ) Receiver i Def-OT 1 Def-OT 2 Def-OT n  Def-OT 3

12 12 trapdoor perm. homomorphic enc Our Results Main Theorem: Assuming that OWFs exist, for every functionality* there exists a fully-black-box reduction from defensible privacy to semi-honest privacy.  the functionality has some natural sampling property / stronger assumption about the semi-honest privacy - preserves statistical privacy of either of the parties - black-box w.r.t. to the OWF Corollaries: Black-box reduction from malicious OT to semi-honest OT Black-box reduction from malicious OT to dense-TDP, non- trivial PIR,... Black-box reduction from secure function evaluation with static malicious adversaries, to semi-honest OT. Defensible OT Imply semi-honest OT black box

13 The Reduction Given a protocol  = (A,B) for computing f, which is semi-honest private for B and a OWF. We construct a protocol  D = (A D,B D ) which computes f defensibly private for B D preserves the same privacy for A D We achieve our main result by applying the above reduction twice 13

14 The Reduction cont. B D (i B,(r B, r A ’ )) C = Com(i A,r A ) rA`rA` (A(i A, r A © r A `), B(i B, r B ) ) A D (i A,r A ) B D (i B,(r B, r A ’ )) C = Com(i A,r A ) rA`rA` ( A(i A, r A © r A `), B(i B, r B ) ) 14 Proof of Security Privacy of A D - follows by the hiding of Com Privacy of B D - assume that A D * violates the defensible privacy of B D, we use it to construct A * for breaking the semi-honest privacy of B (in  )

15 If A D * gives a valid defense let (i A *,r A * ) = Decom(C) Otherwise, output a random guess for i B The emulated B acts as B does on the real execution Let  be A D * ’ s guess for i B r A `= r A © r A * ( A D *,B) Algorithm A * Emulated interaction with A D * Real interaction with B AD*AD* C = Com(i A *,r A * ) rA`rA` If A D * outputs a valid defense, output  as the value of i B Otherwise, output a random guess (A(i A *,r A ), B(i B,r B )) Random A D * gives a valid defense ) (i A *,r A * ) = Decom(C) ) A D * acts as A(i A *,r A ) ) the emulated B acts correctly )  is a good guess for i B BBDBD A*A*

16 We give a black-box reduction from malicious oblivious transfer to semi-honest oblivious transfer. Supports the conjecture that, in some settings, black-box techniques are as strong as non-black-box ones. Open Questions: Better understanding of defensible privacy Middle step in other reductions? Useful in its own sake? Characterizing the class of functions for which secure evaluation can be black-box reduced to semi-honest evaluation? randomized self reducibility Summary 16

Download ppt "Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science."

Similar presentations

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
On Black-Box Separations in Cryptography

On Black-Box Separations in Cryptography
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,

Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.

1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.

The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.
Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner www.wisdom.weizmann.ac.il/~iftachh WEIZMANN INSTITUTE.

Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner WEIZMANN INSTITUTE.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.

Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Similar presentations

Ads by Google