Verifiable Distributed Oblivious Transfer and Mobile-agent Security
Speaker: Sheng Zhong (joint work with Yang Richard Yang)
Yale University
Outline
→ Problem Formulation: OT → DOT → VDOT
VDOT Design
–Secret Sharing + One-round OT
–Cheater Identification
Application in Mobile-agent Security
Problem Formulation
Oblivious Transfer (OT)
Distributed Oblivious Transfer (DOT): extension of OT with a distributed proxy
Verifiable Distributed Oblivious Transfer (VDOT): extension of DOT with verifiability
Why VDOT?
What if a proxy server cheats (deviates from the protocol)?
–Receiver gets wrong shares; cannot recover the chosen item correctly.
→ DOT only works in the semi-honest model.
→ Need Verifiable DOT = VDOT
–Receiver can verify consistency of shares before recovery (i.e., can detect cheating)
Additional Requirement
Now Receiver can detect cheating. Then what to do if cheating is detected?
–Receiver should identify who has cheated
–Receiver should accuse the cheater(s)
–Public should be able to verify the accusation
Summary of VDOT Security
Sender’s privacy: Receiver colluding with τ₁ proxy servers knows nothing about the item not chosen
Receiver’s privacy: Sender colluding with τ₂ proxy servers knows nothing about which item is chosen
Verifiability of share consistency
Verifiability of accusation if cheating is detected
Progress of Talk
Problem Formulation: OT → DOT → VDOT (done)
→ VDOT Design
–Secret Sharing + One-round OT
–Cheater Identification
Application in Mobile-agent Security
VDOT Design
Basic Idea: One-round OT + Secret Sharing
–Bellare-Micali OT + Feldman VSS
Major difficulty: allow verification of consistency of both items (but only one item will finally be decrypted)
→ Need to verify on encrypted shares
Secret Sharing
Feldman’s Verifiable Secret Sharing (VSS)
–Secret: s
–Share: P_j = P(j), where P is a polynomial with s as the constant term
–Commitment to share: P'_j = λ^(P_j), where λ is a primitive root
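The following is an added worked example, not code from the talk or the paper, of the "One-round OT + Secret Sharing" idea from the VDOT Design slide combined with the Feldman consistency check above. The sender Feldman-shares two items among n proxy servers; each server delivers its pair of shares to the receiver over a Bellare-Micali one-round OT; the receiver verifies every decrypted share of the chosen item against the published commitments, flags servers whose share is inconsistent (the basic check behind cheater identification), and reconstructs from τ consistent shares. It does not show the paper's verification on encrypted shares or its re-randomization step. The group parameters (a toy safe prime), the item values, the hashed-ElGamal masking, the per-server element C (picked here at random by the server, whereas in practice its discrete log must be unknown to the receiver) and the cheating pattern are all constructed assumptions.

```python
"""Toy VDOT-style exchange: the sender Feldman-shares two items among n proxy
servers, each server delivers its pair of shares over a Bellare-Micali
one-round OT, and the receiver checks every received share against the
sender's Feldman commitments before reconstructing.  Added example, not the
paper's protocol; the toy group, item values and cheating pattern are
constructed."""
import hashlib
import secrets

P = 2039   # constructed safe prime p = 2q + 1 (toy size, not secure)
Q = 1019   # prime order of the subgroup generated by G
G = 4      # quadratic residue mod P, so it generates the order-Q subgroup


def h_to_zq(x: int) -> int:
    """Hash a group element to a mask in Z_q (stand-in for a proper KDF)."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big") % Q


def feldman_share(secret: int, n: int, t: int):
    """Shamir-share `secret` in Z_q among servers 1..n with threshold t.
    Returns shares P(j) and the Feldman commitments g^{a_i} to each
    coefficient a_i of the degree-(t-1) polynomial P (a_0 = secret)."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {j: sum(a * pow(j, i, Q) for i, a in enumerate(coeffs)) % Q
              for j in range(1, n + 1)}
    return shares, [pow(G, a, P) for a in coeffs]


def feldman_verify(j: int, share: int, commits: list) -> bool:
    """Consistency check: g^share == prod_i commits[i]^(j^i) (mod p)."""
    rhs = 1
    for i, c in enumerate(commits):
        rhs = rhs * pow(c, pow(j, i, Q), P) % P
    return pow(G, share, P) == rhs


def reconstruct(points: dict) -> int:
    """Lagrange interpolation at 0 over Z_q from t consistent shares."""
    total = 0
    for j, sj in points.items():
        num, den = 1, 1
        for m in points:
            if m != j:
                num, den = num * (-m) % Q, den * (j - m) % Q
        total = (total + sj * num * pow(den, -1, Q)) % Q
    return total


def ot_query(b: int, c_pub: int):
    """Bellare-Micali receiver: PK_b = g^k, PK_{1-b} = C / PK_b; sends PK_0."""
    k = secrets.randbelow(Q - 1) + 1
    pk_b = pow(G, k, P)
    pk_other = c_pub * pow(pk_b, -1, P) % P
    return k, (pk_b if b == 0 else pk_other)


def ot_reply(pk0: int, c_pub: int, m0: int, m1: int):
    """Bellare-Micali sender: derives PK_1 = C / PK_0 and masks m_i under PK_i
    (hashed ElGamal); the receiver knows the secret key of only one PK."""
    pk1 = c_pub * pow(pk0, -1, P) % P
    out = []
    for pk, m in ((pk0, m0), (pk1, m1)):
        r = secrets.randbelow(Q - 1) + 1
        out.append((pow(G, r, P), (m + h_to_zq(pow(pk, r, P))) % Q))
    return out


def ot_open(b: int, k: int, reply) -> int:
    """Receiver unmasks message b; (g^r)^k equals PK_b^r only for its own key."""
    gr, masked = reply[b]
    return (masked - h_to_zq(pow(gr, k, P))) % Q


def run_vdot(item0: int, item1: int, b: int, n: int = 4, t: int = 2,
             cheaters=(2,)):
    """Sender shares both items; server j runs one OT with the receiver for
    (share0_j, share1_j); servers in `cheaters` send corrupted shares.
    Returns (recovered item b, set of servers whose share failed the check)."""
    shares = feldman_share(item0, n, t), feldman_share(item1, n, t)
    # One C per server.  Its discrete log must be unknown to the receiver;
    # here the server simply picks it at random (constructed, not the paper's).
    c_pub = {j: pow(G, secrets.randbelow(Q - 1) + 1, P) for j in range(1, n + 1)}
    received, bad = {}, set()
    for j in range(1, n + 1):
        k, pk0 = ot_query(b, c_pub[j])
        s0, s1 = shares[0][0][j], shares[1][0][j]
        if j in cheaters:                    # deviating proxy server
            s0, s1 = (s0 + 1) % Q, (s1 + 1) % Q
        share = ot_open(b, k, ot_reply(pk0, c_pub[j], s0, s1))
        if feldman_verify(j, share, shares[b][1]):
            received[j] = share
        else:
            bad.add(j)
    if len(received) < t:
        raise ValueError("too few consistent shares to recover the item")
    return reconstruct(dict(list(received.items())[:t])), bad


if __name__ == "__main__":
    print(run_vdot(123, 456, 1))    # (456, {2})
```

The receiver never learns the other item's shares because, for each server, it holds the secret key of only one of the two OT public keys; the Feldman check runs only on the shares it actually decrypts, which is why the paper needs the additional machinery to verify the still-encrypted shares of the other item.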
Potential Problem in Cheater Identification
Receiver only needs τ shares to recover an item. Therefore…
–If he can see more shares, these may be shares of the other item → he derives the other item with the help of cheating servers
Need to limit the number of shares the receiver sees!
–But a carelessly designed cheater identification procedure may allow the receiver / cheating servers to see more shares
Solution to Potential Problem
Re-randomize all shares using randomness whose discrete log is unknown
Identify cheaters on these re-randomized shares
Use ZK proofs to force honest behavior in re-randomizations
See paper for details
Progress of Talk
Problem Formulation: OT → DOT → VDOT (done)
VDOT Design (done)
–Secret Sharing + One-round OT
–Cheater Identification
→ Application in Mobile-agent Security
Mobile Agent Computation: Architecture (threshold extension of [ACCK2001])
Mobile Agent Computation: Basic Idea
[ACCK2001]: apply Yao’s garbled circuits, which needs OT between a trusted proxy and the receiver.
Our proposal: threshold extension.
–Replace the trusted proxy with a group of servers
–Needs a threshold extension of OT with verifiability.
→ Use VDOT
Performance: Overhead of Garbled Circuits
Performance: Overhead of VDOT
THANK YOU!