Laconic Oblivious Transfer and its Applications
Antigoni Polychroniadou (Cornell Tech)
Joint work with Chongwon Cho (HRL Laboratories), Divya Gupta (Microsoft Research, India), Nico Dottling, Sanjam Garg, Peihan Miao (University of California, Berkeley)
Secure Communications over the Internet
Introduction of Secure Multi-Party Computation [Yao82,GMW87,BGW88, CCD88…]
Secure Multi-Party Computation: f(x1, x2, x3, x4) = (y1, y2, y3, y4). Secure computation with minimal computational & communication complexity. Goal: Correctness: everyone computes f(x1,…,x4). Security: nothing else but the output is revealed. Adversary: PPT, semi-honest. [Figure: four parties with inputs x1…x4 and outputs y1…y4]
Communication Complexity: FHE-based solutions [Gentry09…]. Computational: RAM-based solutions [OstrovskyShoup97, LuOstrovsky13]. Can we achieve best of both worlds? Progress on this question via Laconic OT.
Oblivious Transfer (OT) Goal: The Sender should not learn The Receiver should not learn
Fundamental Primitive
- OT is complete: necessary & sufficient for MPC [Kilian88]
- OT requires PKE-type assumptions: enhanced trapdoor permutations, DDH, RSA, lattices
- 2PC involves executions of multiple OTs
- OT can be extended [Beaver96] efficiently [IshKilNisPet03]
- |OTmsg| dependent on the input length of R
#OTs in 2PC S R
#OTs in 2PC S R + Independent of |D|
Laconic Oblivious Transfer (OT) + Goal: The Sender should not learn The Receiver can only learn if if
Our Results: Laconic Receiver OT with CC essentially independent of the size of input/database D. |OTmsg| depends only on the security parameter. |OTmsg| independent of the input length of R.
Less is More… (Applications of Laconic OT)
1. Non-Interactive Secure Computation (NISC) [IshKusOstPraSah11] on large inputs in the circuit model
2. NISC on large input in the RAM model
3. Very simple solution for GRAM without the circularity issue of [LuOstrovsky13]
4. Multi-Hop Homomorphic Encryption [GenHalVai10] for RAM programs
… IBE from DDH [DottlingGarg17]. More applications???
Roadmap: Construction of Laconic Receiver OT; Application to GRAM
Blueprint: Laconic Receiver OT S R Goal: The Sender should not learn The Receiver can only learn if Hash must be collision resistant if
Laconic Receiver OT. Step 1: Laconic OT for 1-to-2 compression Hash. Step 2: Bootstrap Laconic OT for arbitrary compression Hash.
Warm up: Laconic OT via Witness Encryption Witness Encryption [Rudich89,…, GGSW13…] : Goal: If semantic security
Warm up: Laconic OT via Witness Encryption WE for S R Security Issue: Since H is compressing then both Solution [HW15,OPWW15]: Somewhere Statistical Binding Hash
Def: Somewhere Stat. Binding (SSB) Hash Tagline: Hash key can be made “statistically binding” in one hidden position. Properties of SSB Hash: Statistically binding at position : uniquely determines Index Hiding: Keys are computationally indistinguishable
Warm up: Laconic OT via Witness Encryption + SSB Hash [HubacekWichs15] Security Issue: Since H is compressing then both
Warm up: Laconic OT via Witness Encryption Using SSBH:
Laconic OT based on Witness Encryption (WE) Laconic OT based on DDH: Fact: Hash Proof Systems (HPS) [CramerShoup02] imply statistical witness encryption [GarGenSahWat13]. Construct WE from HPS for the language (HPS for knowledge of preimage bits)
Bootstrapping Laconic OT: from Laconic OT for constant compression hash functions to Laconic OT for arbitrary compression hash functions
Bootstrapping Laconic OT Merkle Tree: Address location: .
Bootstrapping Laconic OT Compute Merkle tree
Bootstrapping Laconic OT Merkle Tree: Use factor-2 compression LOT .
Bootstrapping Laconic OT Merkle Tree: Traversal Circuit: Use garbled circuit.
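An added sketch of the Merkle-tree structure behind the bootstrapping slides above (not code from the talk or the paper): the digest stays at a fixed length whatever |D| is, and reaching an address takes one factor-2 step per tree level. Assumptions: truncated SHA-256 stands in for the factor-2 compression hash, a plain hash check stands in for the per-level factor-2 laconic OT and garbled traversal circuit (so nothing here is hidden from either party), and the names `LAMBDA`, `h2`, `build_tree` and `traverse` are hypothetical.

```python
import hashlib

LAMBDA = 16  # digest length in bytes; stand-in for the security parameter


def h2(left: bytes, right: bytes) -> bytes:
    """Factor-2 compression: 2*LAMBDA bytes in, LAMBDA bytes out (SHA-256 stand-in)."""
    return hashlib.sha256(left + right).digest()[:LAMBDA]


def build_tree(db_bits):
    """Return levels[0] = leaves ... levels[-1] = [root digest]."""
    n = len(db_bits)
    if n < 2 or n & (n - 1):
        raise ValueError("database size must be a power of two >= 2")
    # Each leaf carries one database bit, padded to LAMBDA bytes.
    levels = [[bytes([b]) + bytes(LAMBDA - 1) for b in db_bits]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h2(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def traverse(digest, levels, location):
    """Walk root -> leaf for `location`; return (database bit, number of steps).

    At every level the tree holder supplies both children of the current
    node; the step only proceeds if they hash to that node, and one address
    bit (most significant first) selects the child to descend into.
    """
    node, idx, steps = digest, 0, 0
    for d in range(len(levels) - 1, 0, -1):
        left, right = levels[d - 1][2 * idx], levels[d - 1][2 * idx + 1]
        if h2(left, right) != node:
            raise ValueError("children do not open the current node")
        bit = (location >> (d - 1)) & 1
        node, idx, steps = (right if bit else left), 2 * idx + bit, steps + 1
    return node[0], steps
```
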
GRAM Application
RAM analogue of Yao’s Garbled Circuits Communication complexity & Computational complexity grow with where is the running time of GRAM solutions [LO13,…] incur linear overhead in
Definition of GRAM Goal: Correctness: Server computes Security: Nothing else but is revealed to the server (also data access pattern remains hidden UMA vs. full security )
RAM Model: Consider read-only computations. [Figure: chain of CPU steps (CPU step 1, CPU step 2, …); labels: next index, read bit 1, read bit 2]
[LO13] GRAM approach. [Figure: chain of CPU steps (CPU step 1, CPU step 2, …); labels: next index, read bit 1, read bit 2]
[LO13] GRAM approach. Circular Security Issue: Rely on security of 2nd garbled circuit. Read Location : Rely on security of PRF. [Figure: chain of CPU steps (CPU step 1, CPU step 2, …); labels: next index, read bit 1, read bit 2]
Related work on Garbled RAM [LO13, GHLORW14, GLOS15, GLO15,GP16] [CHJV14, BGT14, LP14, KLW15, CH15, CCCLLZ15...]: succinct constructions based on iO
App #3: Simple GRAM scheme via Laconic OT. Circular Security Issue: Rely on security of 2nd garbled circuit. Read Location : Rely on security of PRF. [Figure: chain of CPU steps (CPU step 1, CPU step 2, …); labels: next index, read bit 1, read bit 2]
App #3: Simple GRAM scheme via Laconic OT. Security technicality: Compute: Rely on security of Laconic OT. Read Location : [Figure: chain of CPU steps (CPU step 1, CPU step 2, …); labels: next index, read bit 1, read bit 2]
App. #4: Multi-Hop HE [GenHalVai10] for RAM programs. UPDATES
Conclusion: Laconic Receiver OT with CC essentially independent of the size of input/database D (depending at most polynomially in log(|D|)). We achieve something more with the computational cost. Updatable Laconic OT.
Less is More… (Applications of Laconic OT)
1. Non-Interactive Secure Computation (NISC) [IKOPS11] on large inputs in the circuit model
2. NISC on large input in the RAM model
3. Very simple solution for GRAM without the circularity issue of [LO13]
4. Multi-Hop Homomorphic Encryption [GHV10] for RAM programs
… IBE from DDH [DottlingGarg17]. More applications???
Thank you!