Laconic Oblivious Transfer and its Applications


Laconic Oblivious Transfer and its Applications. Antigoni Polychroniadou (Cornell Tech). Joint work with Chongwon Cho (HRL Laboratories), Divya Gupta (Microsoft Research, India), Nico Döttling, Sanjam Garg and Peihan Miao (University of California, Berkeley).

Secure Communications over the Internet

Introduction to Secure Multi-Party Computation [Yao82, GMW87, BGW88, CCD88, …]

Secure Multi-Party Computation: f(x1, x2, x3, x4) = (y1, y2, y3, y4); party i holds input xi and receives output yi.
Goal: secure computation with minimal computational & communication complexity.
Correctness: everyone computes f(x1, …, x4).
Security: nothing else but the output is revealed.
Adversary: PPT, semi-honest.

Communication complexity vs. computational complexity: FHE-based solutions [Gentry09, …]; RAM-based solutions [OstrovskyShoup97, LuOstrovsky13]. Can we achieve the best of both worlds? Progress on this question via Laconic OT.

Oblivious Transfer (OT) Goal: The Sender should not learn The Receiver should not learn

Fundamental Primitive
- OT is complete: necessary & sufficient for MPC [Kilian88]
- OT requires PKE-type assumptions: enhanced trapdoor permutations, DDH, RSA, lattices
- 2PC involves executions of multiple OTs: OT can be extended [Beaver96] efficiently [IshKilNisPet03]
- |OTmsg| is dependent on the input length of R

#OTs in 2PC S R

#OTs in 2PC (S, R): independent of |D|

Laconic Oblivious Transfer (OT) + Goal: The Sender should not learn The Receiver can only learn if if

Our Results: Laconic Receiver OT with communication complexity (CC) essentially independent of the size of the input/database D. |OTmsg| depends only on the security parameter; |OTmsg| is independent of the input length of R.

Less is More… (Applications of Laconic OT)
- Application 1: Non-Interactive Secure Computation (NISC) [IshKusOstPraSah11] on large inputs in the circuit model
- Application 2: NISC on large inputs in the RAM model
- Application 3: Very simple solution for GRAM without the circularity issue of [LuOstrovsky13]
- Application 4: Multi-Hop Homomorphic Encryption [GenHalVai10] for RAM programs
- … IBE from DDH [DottlingGarg17]. More applications???

Roadmap: Construction of Laconic Receiver OT; Application to GRAM.

Blueprint: Laconic Receiver OT S R Goal: The Sender should not learn The Receiver can only learn if Hash must be collision resistant if

Laconic Receiver OT. Step 1: Laconic OT for a 1-to-2 (factor-2) compression hash. Step 2: Bootstrap to Laconic OT for an arbitrary-compression hash.

Warm up: Laconic OT via Witness Encryption Witness Encryption [Rudich89,…, GGSW13…] : Goal: If semantic security

Warm up: Laconic OT via Witness Encryption WE for S R Security Issue: Since H is compressing then both Solution [HW15,OPWW15]: Somewhere Statistical Binding Hash

Def: Somewhere Statistically Binding (SSB) Hash
Tagline: the hash key can be made “statistically binding” in one hidden position.
Properties of SSB Hash:
- Statistically binding at a position: the hash value uniquely determines the input at that position
- Index hiding: keys are computationally indistinguishable

Warm up: Laconic OT via Witness Encryption + SSB Hash [HubacekWichs15] Security Issue: Since H is compressing then both

Warm up: Laconic OT via Witness Encryption Using SSBH:

From Laconic OT based on Witness Encryption (WE) to Laconic OT based on DDH. Fact: Hash Proof Systems (HPS) [CramerShoup02] imply statistical witness encryption [GarGenSahWat13]. Construct WE from HPS for the language (HPS for knowledge of preimage bits).

Bootstrapping Laconic OT: from Laconic OT for constant-compression hash functions to Laconic OT for arbitrary-compression hash functions.

Bootstrapping Laconic OT via a Merkle tree
- Compute the Merkle tree over the database; address location.
- Use the factor-2 compression LOT.
- Traversal circuit: use a garbled circuit.
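As an added illustration (not code from the talk or the paper), the Merkle-tree commitment that the bootstrapping step is built on, in Python: the receiver's digest is a single root hash whatever the size of D, and the bit at a location is opened with a sibling path of length log|D| whose consistency with the digest is checked by recomputing the root, which is the level-by-level logic the garbled traversal circuit follows. It assumes SHA-256 as the factor-2 compression hash and a constructed 16-bit database; the factor-2 laconic OT and the garbled circuits that actually transfer the sender's message are not modelled.

```python
import hashlib

# Added example: Merkle-tree commitment behind the bootstrapping step.
# Assumes SHA-256 as the factor-2 compression hash (the scheme's own hash is not modelled).

def compress(left: bytes, right: bytes) -> bytes:
    """Factor-2 compression: two 32-byte children -> one 32-byte parent."""
    return hashlib.sha256(left + right).digest()

def leaf(bit: int) -> bytes:
    """Leaf hash of one database bit (domain-separated from inner nodes)."""
    return hashlib.sha256(b"leaf" + bytes([bit])).digest()

def build_tree(db):
    """Levels of the tree: levels[0] are the leaves, levels[-1] is [root]."""
    n = len(db)
    assert n > 0 and n & (n - 1) == 0, "example assumes |D| is a power of two"
    levels = [[leaf(b) for b in db]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([compress(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def digest(db) -> bytes:
    """Receiver's laconic message: one root hash, independent of |D|."""
    return build_tree(db)[-1][0]

def open_bit(db, loc):
    """Opening of D[loc]: the bit plus the sibling hash at each level, leaf to root."""
    levels = build_tree(db)
    path, idx = [], loc
    for level in levels[:-1]:
        path.append(level[idx ^ 1])   # sibling of the node on the root-to-leaf path
        idx >>= 1
    return db[loc], path

def verify_open(root, loc, bit, path) -> bool:
    """Recompute the root from the opening, one factor-2 compression per level.
    Returns True iff (loc, bit, path) is consistent with the digest."""
    node, idx = leaf(bit), loc
    for sibling in path:
        node = compress(sibling, node) if idx & 1 else compress(node, sibling)
        idx >>= 1
    return node == root

# Constructed sample database of 16 bits.
SAMPLE_DB = [0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1]
```

Opening location 5 of `SAMPLE_DB` yields a 4-hash path, and flipping the bit or changing the location makes `verify_open` fail; quadrupling the database leaves the digest at 32 bytes and grows the path to 6 hashes.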

GRAM Application

RAM analogue of Yao’s Garbled Circuits: communication complexity & computational complexity grow with the running time of the program. GRAM solutions [LO13, …] incur linear overhead in

Definition of GRAM. Goal: Correctness: the server computes the output. Security: nothing else but the output is revealed to the server (the data access pattern also remains hidden: UMA vs. full security).

RAM Model (consider read-only computations): CPU step 1 → next index → read bit 1 → CPU step 2 → next index → read bit 2 → …

[LO13] GRAM approach: CPU step 1 → next index → read bit 1 → CPU step 2 → next index → read bit 2 → … Circular security issue: relies on the security of the 2nd garbled circuit; read location: relies on the security of the PRF.

Related work on Garbled RAM: [LO13, GHLORW14, GLOS15, GLO15, GP16]; [CHJV14, BGT14, LP14, KLW15, CH15, CCCLLZ15, …]: succinct constructions based on iO.

Simple GRAM scheme via Laconic OT (App #3): CPU step 1 → next index → read bit 1 → CPU step 2 → next index → read bit 2 → …
Circular security issue in [LO13]: relies on the security of the 2nd garbled circuit; read location: relies on the security of the PRF.
Security technicality with Laconic OT: Compute: relies on the security of Laconic OT. Read Location.

Multi-Hop HE [GenHalVai10] for RAM programs (App. #4): UPDATES

Conclusion: Laconic Receiver OT with communication complexity essentially independent of the size of the input/database D (depending at most polynomially on log(|D|)). We achieve something more with the computational cost: Updatable Laconic OT.

Thank you!