Presentation is loading. Please wait.

Presentation is loading. Please wait.

Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion."— Presentation transcript:

1 Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion

2 Motivation x y f(x,y) How (in)efficient is generic secure computation? mythTHIS WORK sftp f.txt don ’ t even think about it garbled circuit method O(|x|) pub. O(|f|) sym. k pub. O(|f|+|x|) sym.

3 Motivation x y f 1 (x,y)f 2 (x,y) db 1 db 2 client-db server-fn client-fn server-db

4 Efficiency of Secure Computation Sometimes can use special structure of given functionality. Otherwise need to resort to generic techniques. How (in)efficient is generic secure computation? mythTHIS WORK sftp f.txt don ’ t even think about it garbled circuit method O(|x|) pub. O(|f|) sym. k pub. O(|f|+|x|) sym.

5 Road Map Cryptographic primitives Reductions Extending primitives Extending OT ’ s

6 A Taxonomy of Primitives Symmetric encryption Commitment PRG Collision resistant hashing Public-key encryption Key agreement Oblivious transfer Secure function evaluation here you go r u kidding? check this out nice try … crack this!!! hmmm … here you go r u kidding? check this out crack this!!! r u kidding? 

7 Symmetric encryption Commitment PRG Collision resistant hashing Public-key encryption Key agreement Oblivious transfer Secure function evaluation easy to implement heuristically (numerous candidates, may rely on “ structureless ” functions) very cheap in practice hard to implement heuristically (few candidates, rely on specific algebraic structures) more expensive by orders of magnitude Major challenge: bridge efficiency gap

8 Reductions in Cryptography Motivated by –minimizing assumptions –gaining efficiency Reduction from Y to X: a mapping f such that if A implements X then f(A) implements Y. –Cannot be ruled out when Y is believed to exist. Black-box reduction: –f(A) makes a black-box use of A; –Black-box proof of security: Adversary breaking f(A) can be used as a black box to break A. Almost all known reductions are black-box. –Non-black-box reductions are inefficient in practice.

9 Can be reduced to ? Impagliazzo-Rudich [IR89] : No black-box reduction exists. –In fact, even a random oracle unlikely to yield

10 Extending Primitives  [IR]  + ? Extending Y using X: Realizing n instances of Y by making k (black-box) calls to Y, k<n arbitrary use of X Want: k << n black-box use of X.

11 The Case of Encryption  + m1m1 m2m2 mnmn m1m1 m2m2 mnmn Extending PKE is easy… Huge impact on our everyday use of encryption. This work: Establish a similar result for remaining tasks. Public-key encryption Key agreement Symmetric encryption Commitment PRG Collision resistant hashing Oblivious transfer Secure function evaluation Oblivious transfer Secure function evaluation efficient, black-box

12 Oblivious Transfer (OT) Several equivalent flavors [Rab81,EGL86,BCR87] -OT: Formally defined as an instance of secure 2-party computation: –OT(r, ) = (x r,  ) Extensively used in –general secure computation protocols [Yao86,GV87,Kil88,GMW88] Yao’s protocol: # of OT’s = # of input bits –special-purpose protocols Auctions [NPS99], shared RSA [BF97,Gil99], information retrieval [NP99], data mining [LP00,CIKRRW01],… Receiver r  {0,1} Sender x 0,x 1  {0,1} l xrxr ???

13 Cost of OT OT is at least as expensive as key-agreement. –OT’s form the efficiency bottleneck in many protocols. –“OT count” has become a common efficiency measure. –Some amortization was obtained in [NP01]. Cost of OT is pretty much insensitive to l –Most direct OT implementations give l = security parameter “for free” –Handle larger l via use of a PRG r  + x0x0 x1x1 s0s0 s1s1 G(s0) x0G(s0) x0 G(s1) x1G(s1) x1 r efficient, black-box

14 Extending Oblivious Transfers Beaver ‘96: OT can be extended using a PRG!! –Thm. If PRG exists, then k OT’s can be extended to n=k c OT’s. However: –Extension makes a non-black-box use of underlying PRG. –Numerous PRG invocations –Huge communication complexity –Unlikely to be better than direct OT implementations Can OT be extended via a black-box reduction?  + ? OT

15 Our Result efficient, black-box = random oracle = new type of hash function or  + OT

16 Strategy x 1,0 r1r1 x 1,1 x 2,0 x 2,1 r2r2........ x 3,0 x 3,1 r3r3 x n,0 x n,1 rnrn ... n s1s1 s2s2 sksk + O(n)  H ... s1s1 s2s2 sksk + O(n)  H Already saw

17 Notation M mimi mjmj n k

18 y i,0 = x i,0  q i y i,1 = x i,1  q i  s i z i = y i,r  t i i The Basic Protocol t1t1 t1rt1r... s1s1 s2s2 sksk t2t2 t2rt2r tktk tkrtkr Receiver picks T  R {0,1} n  k Sender picks s  R {0,1} k t1rt1r t2t2... tkrtkr Sender obtains Q  {0,1} n  k q i = t i 11 00 r i =0 11 q i = t i  s 10 01 r i =1 10 For 1  i  n, Sender sends y i,0 = x i,0  H(i, q i ) y i,1 = x i,1  H(i, q i  s) For 1  i  n, Receiver outputs i z i = y i,r  H(i, t i ) i

19 y i,0 = x i,0  H(i, q i ) y i,1 = x i,1  H(i, q i  s) i z i = y i,r  H(i, t i ) i Security Receiver picks T  R {0,1} n  k Sender picks s  R {0,1} k q i = t i r i =0 q i = t i  s r i =1 For 1  i  n, Sender sends For 1  i  n, Receiver outputs Sender obtains Q  {0,1} n  k Sender learns nothing Q is uniformly random Receiver learns no additional info except w/neg prob. Must query H on (i, t i  s)

20 Attack by a Malicious Receiver 00000000000000 10000001000000... s1s1 s2s2 sksk 00000000000000 01000000100000 00000000000000 00010000001000 q i = { Receiver can easily learn s i given a-priori knowledge of x i,0 –Recover mask H(i,q i ) = y i,0  x i,0 –Find s i by querying H e i, s i =1 0, s i =0

21 Handling Malicious Receivers Call Receiver well-behaved if each pair of rows are either identical or complementary. Security proof goes through as long as Receiver is well-behaved. Good behavior can be easily enforced via a cut-and- choose technique: –Run  copies of the protocol using random inputs –Sender challenges Receiver to reveal the pairs it used in  /2 of the executions. Aborts if inconsistency is found. –Remaining executions are combined.

22 Efficiency Basic protocol is extremely efficient –Seed of k OT’s –Very few invocations of H per OT. Cut-and-choose procedure multiplies costs by   –Receiver gets away with cheating w/prob  2 -  /2 –very small  suffices if some penalty is associated with cheating Optimizations –Different cut-and-choose approach eliminates factor  overhead to seed. –“Online” version, where the number n of OT’s is not known in advance.

23 Eliminating the Random Oracle h:{0,1} k  {0,1} l is correlation robust if f s (t) :  h(s  t) is a weak PRF. –(t 1, …,t n, h(s  t 1 ), …, h(s  t n )) is pseudorandom. Correlation robust h can be used to instantiate H. Is this a reasonable primitive? –simple definition –satisfied by a random function –many efficient candidates (SHA1, MD5, AES, …) s s s s s s s s s s h h h h h h h h h h

24 Conclusions OT’s can be efficiently extended by making an efficient black-box use of a “symmetric” primitive. –Theoretical significance Advances our understanding of relations between primitives –Practical significance Amortized cost of OT can be made much lower than previously thought. Significant even if OT did not exist: Initial seed of OT’s can be implemented by physical means, or using multi-party computation. Big potential impact on efficiency of secure computations

25 Further Research Assumptions –Can OT be extended using OWF as a black-box? –Study correlation robustness Efficiency –Improve efficiency in malicious case Scope –Obtain similar results for primitives which do not efficiently reduce to OT Practical implications –Has generic secure computation come to term?

Download ppt "Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion."

Similar presentations

Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.

The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.
Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner www.wisdom.weizmann.ac.il/~iftachh WEIZMANN INSTITUTE.

Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner WEIZMANN INSTITUTE.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
1 Robust Combiners for Oblivious Transfer and Other Primitives Danny Harnik Joe Kilian Moni Naor Omer Reingold Alon Rosen Weizmann Institute of Science.

1 Robust Combiners for Oblivious Transfer and Other Primitives Danny Harnik Joe Kilian Moni Naor Omer Reingold Alon Rosen Weizmann Institute of Science.

Similar presentations

Ads by Google