Download presentation
Presentation is loading. Please wait.
Published byGabriel Cain Modified over 9 years ago
1
Efficient Oblivious Transfer with Stateless Secure Tokens Alcatel-Lucent Bell Labs Vlad Kolesnikov
2
Proprietary © Alcatel-Lucent 2009 2 Secure Function Evaluation y x Learn: F(x,y) Variety of known techniques Garbled Circuit (aided computation under encryption) Alice encrypts wire signals and truth tables Given active wire key, Bob decrypts part of truth table and obtains next wire key
3
Proprietary © Alcatel-Lucent 2009 3 Input: b Input: secrets s 0, s 1 Learn: Learn: nothing Oblivious Transfer (OT) sbsb Basic primitive for Secure Function Evaluation
4
Proprietary © Alcatel-Lucent 2009 4 Model Alice sends a tamper-resistant token T to Bob Alice and Bob want to compute securely In this work: T is stateless k k
5
Proprietary © Alcatel-Lucent 2009 5 Simple OT b counter ++ F k (counter,b) s 0 © F k (counter,0), s 1 © F k (counter,1) A few of efficient techniques exist; all require keeping state on T A few techniques for SFE with stateless tokens, but inefficient sbsb k
6
Proprietary © Alcatel-Lucent 2009 6 Our idea b,x v =F k b (x) k 0,k 1 1. Bob can obtain at most one preimage (under k 0 or k 1 ) for any v 2. x is random ) v is random v does not leak which of k 0, k 1 was used Use Strong (invertible) PRPG F
7
Proprietary © Alcatel-Lucent 2009 7 Protocol for semi-honest T b,x v =F k b (x) k 0,k 1 e 0 = F -1 k 0 (v) e 1 = F -1 k 1 (v) E e 0 (s 0 ), E e 1 (s 1 ) v Not every encryption E will do OTP does not work: guess s 0, get e 0, check F k 0 (e 0 ) = v Theorem: Secure with malicious A, B and semi-honest T if E is CPA. x 2 R D b
8
Proprietary © Alcatel-Lucent 2009 8 Protocol for covert A,T and malicious B Need to hide B’s input from T Easy: Ask T for both b, 1-b Need to prevent side channels from T to A (via v) Randomly test T’s responses (aka Cut-and-Choose) By asking A to reveal keys k 0,k 1 used by T (before A saw v) Theorem: Secure with Covert A,T and Malicious B. k 0, k 1 cannot be used for “live” OT T derives k 0 =F kinit0 (y), k 1 =F kinit1 (y) from y given by Bob y 2 D T is for testingwill not be executed by A y : 2 D T is for “live”will not be opened by A D T unpredictable to T b,x v =F k b (x) k 0,k 1 x 2 R D
9
Proprietary © Alcatel-Lucent 2009 9 Summary Efficient protocols for OT with stateless tokens 6 SPRPG calls with semi-honest T 27 SPRPG calls with covert T with semi-honest T is concurrently composable with covert T is sequentially composable
Similar presentations
© 2025 SlidePlayer.com Inc.
All rights reserved.