Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations. Iftach Haitner, Weizmann Institute of Science (www.wisdom.weizmann.ac.il/~iftachh).


Talk Overview
- Oblivious transfer (OT)
- Collection of trapdoor permutations (TDP)
- Does TDP imply OT?
- Our result: dense-TDP implies OT

Oblivious Transfer (OT) [Rabin 81] (one-out-of-two version [EGL 85])
The sender holds $\sigma_0$ and $\sigma_1$ (w.l.o.g. bits); the receiver holds $i \in \{0,1\}$.
1. Correctness: the receiver learns $\sigma_i$.
2. Sender's privacy: the receiver learns nothing about $\sigma_{1-i}$.
3. Receiver's privacy: the sender learns nothing about $i$.
The semi-honest (honest-but-curious) model suffices, since a semi-honest protocol can be compiled into one secure against malicious parties (Goldreich, Micali and Wigderson).

{0,1} n DD x DD f  (x) hard easy easy with trapdoor {0,1} n DD DD Permutation sampler: I (1 n ) = ( ,t  Domain sampler: D(  ) = x 2 R D  Evaluation/ Inversion F( ,x) = f  (x), F -1 ( ,t,x) = f  -1 (x) Known Candidates: Rabin’s collection, RSA,… Does TDP imply OT? hard easy with trapdoor Collection of trapdoor Permutations (TDP) easy x f  (x) {f  : D  ! D  } n = |  |

EGL protocol
Sender ($\sigma_0$ and $\sigma_1$), Receiver ($i$); common input $1^n$, where $n$ is the security parameter of the protocol, and $b$ is any hardcore predicate of $f_\alpha$.
1. Sender: $(\alpha, t) \leftarrow I(1^n)$; sends $\alpha$.
2. Receiver: $r_{1-i} \leftarrow D(\alpha)$, $s \leftarrow D(\alpha)$, $r_i = f_\alpha(s)$; sends $r_0, r_1$.
3. Sender: for $j = 0,1$: $c_j = \sigma_j \oplus b(f_\alpha^{-1}(r_j))$; sends $c_0, c_1$.
4. Receiver outputs $c_i \oplus b(s)$ $(= \sigma_i)$.
Correctness: holds. Receiver's privacy: holds ($f_\alpha$ is a permutation, so $r_i = f_\alpha(s)$ is distributed exactly like $r_{1-i}$). Sender's privacy: ?

Knowing the random coins used by the domain sampler $D$ might give information about the pre-image of the sampled element (this is the case for the original implementation of Rabin's collection). Since the receiver knows the coins it used to produce $r_{1-i}$, the EGL protocol might therefore not satisfy the sender's privacy requirement.
- Enhanced-TDP [Goldreich 02]: inverting an element is hard even when the randomness used to produce it is given.
- Enhanced-TDP $\Rightarrow$ OT.

Our result: implementing OT using any dense-TDP
Dense: there exists a positive polynomial $p$ such that $|D_\alpha| \cdot p(n) > 2^n$ for every index $\alpha$, i.e. $D_\alpha$ is at least a $1/p(n)$ fraction of $\{0,1\}^n$.

Enhanced vs. Dense
- Density is a structural property of the collection, and might be considered a more natural requirement than an extra hardness assumption.
- It is probably easier to verify for a given candidate.
- The different approach might lead to OT based on any TDP.

Implementing OT using dense-TDP: as a first step, we implement OT using a dense-checkable-TDP.
checkable-TDP: the existence of a domain sampler is not guaranteed, but there is an efficient way to check whether a given element is inside the permutation's domain or not.

OT based on dense-checkable-TDP
Sender ($\sigma_0$ and $\sigma_1$), Receiver ($i$).
1. Sender: $(\alpha, t) \leftarrow I(1^n)$; sends $\alpha$.
2. Receiver: $s, r_{1-i} \in_R \{0,1\}^n$; if $s \notin D_\alpha$ or $r_{1-i} \notin D_\alpha$, go back to step 2; $r_i = f_\alpha(s)$; sends $r_0, r_1$.
The rest is as in the EGL protocol.
Correctness, receiver's privacy and sender's privacy all hold: density makes the rejection sampling efficient, and the only coins the receiver uses to produce $r_{1-i}$ are the string $r_{1-i}$ itself, so they carry no information about its pre-image.
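The EGL protocol and the dense-checkable variant above, run end to end as an added example (this is not code from the talk). RSA stands in for the collection: $D_\alpha = \mathbb{Z}_N^*$ is publicly checkable ($\gcd(x, N) = 1$) and dense inside $\{0,1\}^n$ for $n$ the bit length of $N$, and the least significant bit serves as the hardcore predicate $b$ (Alexi, Chor, Goldreich and Schnorr). The hardcoded toy primes, the class names and the message-function names are my assumptions for an offline run; a real deployment samples fresh primes of the usual size.

```python
# Added example: 1-out-of-2 OT from a dense, checkable TDP (the EGL protocol
# with the rejection-sampling domain sampler of the dense-checkable slide).
# RSA stands in for the collection; this is not code from the talk.
import math
import secrets
from dataclasses import dataclass

# Toy primes so the example runs instantly (assumption: a real deployment
# uses a modulus of ~3072 bits; this one is trivially factorable).
P, Q = 104729, 1299709
E = 65537


@dataclass(frozen=True)
class Index:      # alpha: the public index of f_alpha
    N: int
    e: int


@dataclass(frozen=True)
class Trapdoor:   # t: the trapdoor for alpha
    d: int


def permutation_sampler():
    """I(1^n) -> (alpha, t). Fixed primes here; a real sampler draws fresh ones."""
    N, phi = P * Q, (P - 1) * (Q - 1)
    return Index(N, E), Trapdoor(pow(E, -1, phi))


def n_bits(alpha):
    """n = |alpha|: D_alpha = Z_N^* sits inside {0,1}^n, n the bit length of N."""
    return alpha.N.bit_length()


def in_domain(alpha, x):
    """Containment test without the trapdoor (checkable-TDP): x in Z_N^*.
    Density: phi(N) > 2^(n-2) for this N, so |D_alpha| * p(n) > 2^n with p = 4."""
    return 0 < x < alpha.N and math.gcd(x, alpha.N) == 1


def F(alpha, x):
    """f_alpha(x) = x^e mod N (defined on all of {0,1}^n, a permutation on Z_N^*)."""
    return pow(x, alpha.e, alpha.N)


def F_inv(alpha, t, y):
    """f_alpha^{-1}(y) = y^d mod N; needs the trapdoor."""
    return pow(y, t.d, alpha.N)


def hardcore(x):
    """b(x): the least significant bit, a hardcore predicate of RSA."""
    return x & 1


def sample_domain(alpha):
    """The slide's domain sampler: draw x in {0,1}^n, retry until x in D_alpha.
    The only randomness used is the string itself, so the coins reveal nothing
    about its pre-image; density keeps the expected number of retries small."""
    n = n_bits(alpha)
    while True:
        x = secrets.randbits(n)
        if in_domain(alpha, x):
            return x


class Sender:
    def __init__(self, sigma0, sigma1):
        self.sigma = (sigma0, sigma1)

    def msg1(self):
        self.alpha, self.t = permutation_sampler()
        return self.alpha                       # sends alpha

    def msg2(self, r):
        # c_j = sigma_j XOR b(f_alpha^{-1}(r_j)) for j = 0, 1; the sender cannot
        # tell which r_j the receiver is able to invert.
        return tuple(self.sigma[j] ^ hardcore(F_inv(self.alpha, self.t, r[j]))
                     for j in (0, 1))


class Receiver:
    def __init__(self, i):
        self.i = i

    def msg1(self, alpha):
        self.s = sample_domain(alpha)           # s with known pre-image
        r = [None, None]
        r[self.i] = F(alpha, self.s)            # r_i = f_alpha(s)
        r[1 - self.i] = sample_domain(alpha)    # r_{1-i}: pre-image unknown
        return tuple(r)                         # both uniform over D_alpha

    def output(self, c):
        return c[self.i] ^ hardcore(self.s)     # = sigma_i


def run_ot(sigma0, sigma1, i):
    """Runs the exchange end to end and returns the receiver's output."""
    sender, receiver = Sender(sigma0, sigma1), Receiver(i)
    alpha = sender.msg1()
    r = receiver.msg1(alpha)
    c = sender.msg2(r)
    return receiver.output(c)


if __name__ == "__main__":
    for i in (0, 1):
        print(f"i={i}: receiver gets", run_ot(0, 1, i))
```

The point to check against the slides is in `sample_domain`: the receiver's coins for $r_{1-i}$ are the string itself, which is why the enhanced-TDP assumption is not needed once the domain is dense and checkable.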

Implementing OT using dense-t-checkable-TDP
t-checkable-TDP: like checkable-TDP, but the containment test requires the trapdoor. There exists an efficient algorithm $A$ such that $A(\alpha, t, x) = 1$ iff $x \in D_\alpha$.

OT based on dense-t-checkable-TDP (first try)
Sender ($\sigma_0$ and $\sigma_1$), Receiver ($i$).
1. Sender: $(\alpha, t) \leftarrow I(1^n)$; sends $\alpha$.
2. Receiver: $s, r_{1-i} \in_R \{0,1\}^n$; $r_i = f_\alpha(s)$; sends $r_0, r_1$.
3. Sender: if $s \notin D_\alpha$ or $r_{1-i} \notin D_\alpha$, tells the receiver to go back to step 2.
...
Problem: only the sender can run the containment test, but the values it would have to test are the receiver's private ones; the sender does not know $s$, and a restart decision that depends on $r_{1-i}$ rather than $r_i$ reveals $i$.

OT based on dense-t-checkable-TDP (second try)
Sender ($\sigma_0$ and $\sigma_1$), Receiver ($i$). Here $f_\alpha(s)$ stands for $F(\alpha, s)$, evaluated on any $s \in \{0,1\}^n$.
1. Sender: $(\alpha, t) \leftarrow I(1^n)$; sends $\alpha$.
2. Receiver: $s, r_{1-i} \in_R \{0,1\}^n$; $r_i = f_\alpha(s)$; sends $r_0, r_1$ in random order.
3. Sender: if $r_0 \notin D_\alpha$ or $r_1 \notin D_\alpha$, restart.
4. Receiver: reveals the order.
5. Sender: for $j = 0,1$: $c_j = \sigma_j \oplus b(f_\alpha^{-1}(r_j))$; sends $c_0, c_1$.
6. Receiver outputs $c_i \oplus b(s)$ $(= \sigma_i)$.

{0,1} n DD riri DD y f  -1 f  s f  (s) ≡ F( ,s) The receiver might recover  i incorrectly. c i © b(s) =  i © b(f  -1 (r i )) © b(s)   i The sender might reveal i. r i might have different distribution than r 1-i

A weak OT based on dense-t-checkable-TDP
Our solution: increase the probability that (after the revealing step) $s = f_\alpha^{-1}(r_i)$, using a collection of hash functions $H_n$.
1. Sender: $(\alpha, t) \leftarrow I(1^n)$; sends $\alpha$.
2. Receiver: $s, r_{1-i} \in_R \{0,1\}^n$; $r_i = f_\alpha(s)$; sends $r_0, r_1$ in random order.
3. Sender: if $r_0 \notin D_\alpha$ or $r_1 \notin D_\alpha$, restart. Otherwise picks $h \in_R H_n$ and sends $h, h(f_\alpha^{-1}(r_0)), h(f_\alpha^{-1}(r_1))$.
4. Receiver: if $h(s) \neq h(f_\alpha^{-1}(r_i))$, restart; otherwise reveals the order.
5. Sender: for $j = 0,1$: $c_j = \sigma_j \oplus b(f_\alpha^{-1}(r_j))$; sends $c_0, c_1$.
6. Receiver outputs $c_i \oplus b(s)$.
After the check passes, $s = f_\alpha^{-1}(r_i)$ w.h.p. Hence: correctness w.h.p., receiver's privacy w.h.p., and the sender's privacy is not compromised.

A "very" weak OT based on any dense-TDP
We can extend any dense-TDP so that it is still one-to-one and becomes t-checkable. Define the extended domain
$D'_\alpha \equiv \{x \in \{0,1\}^n \mid F(\alpha, F^{-1}(\alpha, t, x)) = x\}$, with $D_\alpha \subseteq D'_\alpha \subseteq \{0,1\}^n$.
1. W.r.t. $D'_\alpha$ we have a containment test that uses the trapdoor (the collection is t-checkable): $x \in D'_\alpha$ iff $F(\alpha, F^{-1}(\alpha, t, x)) = x$.
2. But the extended $f_\alpha$ is only weakly one-way over $D'_\alpha$ $\Rightarrow$ only noticeable sender's privacy.

A weak OT based on dense-t-checkable-TDP (all requirements weak)
The hashing protocol of the previous slides, run over the extended collection $\{f_\alpha : D'_\alpha \to D'_\alpha\}$, gives: correctness w.h.p., receiver's privacy w.h.p., noticeable sender's privacy.

dense-TDP
$\Rightarrow$ weak OT (all the requirements are weak)
$\Rightarrow$ [secret sharing, Yao's XOR lemma] weak OT with strong sender's privacy
$\Rightarrow$ [repeating and using majority rule] weak OT with strong correctness and sender's privacy
$\Rightarrow$ [Crepeau and Kilian 88] OT

Secret sharing step (amplifying sender's privacy)
For $k = 0,1$: $\sigma_{k,1}, \ldots, \sigma_{k,m-1} \in_R \{0,1\}$ and $\sigma_{k,m} = (\bigoplus_{1 \le j \le m-1} \sigma_{k,j}) \oplus \sigma_k$, so that $\bigoplus_{1 \le j \le m} \sigma_{k,j} = \sigma_k$.
Sender ($\sigma_0$ and $\sigma_1$) and Receiver ($i$) run $m$ weak OTs, the $j$-th on the pair $(\sigma_{0,j}, \sigma_{1,j})$ with the same choice bit $i$:
$\sigma_{0,1}\ \sigma_{0,2}\ \sigma_{0,3}\ \ldots\ \sigma_{0,m}$, XOR $\Rightarrow \sigma_0$
$\sigma_{1,1}\ \sigma_{1,2}\ \sigma_{1,3}\ \ldots\ \sigma_{1,m}$, XOR $\Rightarrow \sigma_1$
Receiver outputs $\bigoplus_{1 \le j \le m} \sigma_{i,j}$.
Any $m-1$ of the shares of $\sigma_{1-i}$ are uniform and independent of $\sigma_{1-i}$, so the receiver learns it only if all $m$ weak OTs fail to protect their $\sigma_{1-i,j}$.
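The secret-sharing step, as an added simulation (not code from the talk). The weak OT is modelled, as an assumption made to keep the simulation small, as an instance that is correct and receiver-private but hands the receiver $\sigma_{1-i}$ outright with probability `leak`; the XOR-lemma effect then shows up directly, since the receiver recovers $\sigma_{1-i}$ only when all $m$ instances leak, which happens with probability `leak**m`. All function names are mine.

```python
# Added example: the secret-sharing step of the amplification chain, as a
# simulation (not code from the talk). Each weak OT is modelled as correct and
# receiver-private but, with probability `leak`, it also hands the receiver
# sigma_{1-i}; this leak model is an assumption chosen to make the effect visible.
import random


def share_bit(sigma, m, rng=None):
    """sigma_1..sigma_{m-1} uniform, sigma_m = XOR of the others XOR sigma,
    so the XOR of all m shares is sigma and any m-1 shares are uniform."""
    rng = rng or random.Random()
    shares = [rng.randrange(2) for _ in range(m - 1)]
    last = sigma
    for sh in shares:
        last ^= sh
    return shares + [last]


def xor_all(bits):
    out = 0
    for b in bits:
        out ^= b
    return out


def weak_ot(sigma0, sigma1, i, leak, rng):
    """Simulated weak OT on one pair of bits. Returns (sigma_i, leaked), where
    leaked is sigma_{1-i} with probability `leak` and None otherwise."""
    sigma = (sigma0, sigma1)
    leaked = sigma[1 - i] if rng.random() < leak else None
    return sigma[i], leaked


def amplified_ot(sigma0, sigma1, i, m, leak, rng):
    """The sender shares each sigma_k into m bits; the parties run m weak OTs,
    the j-th on (sigma_{0,j}, sigma_{1,j}) with the same choice bit i.
    Returns (receiver's output, what the receiver can compute about sigma_{1-i}).
    The receiver recovers sigma_{1-i} only if every one of the m instances leaked,
    because any m-1 shares are uniform and independent of the secret."""
    s0 = share_bit(sigma0, m, rng)
    s1 = share_bit(sigma1, m, rng)
    mine, other = [], []
    for j in range(m):
        out_j, leak_j = weak_ot(s0[j], s1[j], i, leak, rng)
        mine.append(out_j)
        other.append(leak_j)
    learned = xor_all(other) if all(x is not None for x in other) else None
    return xor_all(mine), learned


def leak_rate(m, leak, trials, seed=0):
    """Fraction of runs in which the receiver ends up knowing sigma_{1-i};
    the expected value is leak**m. Correctness is checked on every run."""
    rng = random.Random(seed)
    leaks = 0
    for _ in range(trials):
        sigma0, sigma1, i = rng.randrange(2), rng.randrange(2), rng.randrange(2)
        out, learned = amplified_ot(sigma0, sigma1, i, m, leak, rng)
        if out != (sigma0, sigma1)[i]:
            raise AssertionError("correctness broken")
        leaks += learned is not None
    return leaks / trials


if __name__ == "__main__":
    for m in (1, 2, 4, 8):
        print(f"m={m}: sigma_(1-i) leaked in {leak_rate(m, 0.5, 4000):.3f} of runs")
```

Correctness is preserved by the sharing (the receiver XORs its $m$ outputs), which is why this step costs nothing on the correctness side and the chain can afterwards repair correctness separately by repetition and majority.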

Further issues
OT based on any TDP? Seems difficult: Gertner, Kannan, Malkin, Reingold and Viswanathan (2000) showed that OT cannot be black-box reduced to a collection of injective trapdoor one-way functions, so most likely OT cannot be black-box reduced to TDP either.

Acknowledgment: Oded Goldreich