Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.


Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation

Recap of last week's lecture
– Malleability vs. Semantic Security
– Chosen Ciphertext Attacks: CCA1: preprocessing (lunch break); CCA2: postprocessing
– Approaches for achieving non-malleability and resistance to CCA: independent keys, proofs of consistency, Cramer-Shoup cryptosystem
– Applications: interactive authentication, auctions

Combinations
Attacks (CPA, CCA1 (lunch-time), CCA2 (post-processing)) vs. what is broken (Semantic Security, Non-Malleability).
All implications are proper. All combinations are useful in some circumstances.

Motivation for Zero-knowledge
Can turn any protocol that works well when the parties are benign (but curious) into one that works well when the parties are malicious.
Need a further property: proof of knowledge
– Possible to extract the witness from a successful prover

Honest but curious model
Parties follow the protocol, but never erase information.
General principle: design your protocol assuming the players are honest-but-curious, then translate the protocol into one resilient against malicious players
– Use zero-knowledge (POK) for all languages in NP as a compiler

Secure Function Evaluation (SFE)
Major and exciting topic of research in the last quarter century.
How to distributively compute a function f(X_1, X_2, …, X_n)
– where X_j is known to party j
– Parties learn only the final output

The Millionaires Problem
Alice holds x, Bob holds y. Whose value is greater? Leak no other information!

Ideal Solution for the Millionaires Problem
Alice sends x and Bob sends y to a trusted party ("TrustMe"), which answers the question for them.

Secure Function Evaluation: (Informal) Definition
For any adversary there is a comparable one working in the Ideal Model with similar output.
Or: a protocol is secure if it emulates the ideal solution.

Second Price Auctions - Vickrey
Sealed bid, second price auction: winner is the highest bidder, pays the second highest bid.
Why?
– Bidding true value is a dominant (and simple) strategy
– Single round simulation of the English auction
So why isn't it more popular?

Problems with applying the Revelation Principle
– Utility functions (value of item) contain sensitive information
– Participants might cheat simply to avoid leaking this information
Hal Varian: "Even if current information can be safeguarded, records of past behavior can be extremely valuable, since historical data can be used to estimate the willingness to pay" "...what should be the appropriate technological and social safeguards to deal with this problem?"
This lecture: technological safeguards via cryptography
f(X_1, X_2, …, X_n) = (i, x_j), where x_i = max_k x_k and x_j = max_{k ≠ i} x_k

Major Result [Yao,GMW]
"Any function f that can be evaluated using polynomial resources can be securely evaluated using polynomial resources"

SFE
Many results depending on
– Number of players
– Means of communication
– The power and model of the adversary
– How the function is represented

Simulation
A protocol is considered secure if: for every adversary (of a certain type) there exists a simulator that outputs an indistinguishable "transcript".
Examples: encryption, zero-knowledge. Next: secure function evaluation

Simulating the ideal model
A protocol is considered secure if: for every adversary there exists a simulator operating in the "ideal (trusted party) model" that outputs an indistinguishable "transcript".

1-out-of-2 Oblivious Transfer
Alice (Sender) holds Y_0, Y_1; Bob (Chooser) holds j. Bob learns Y_j; Alice learns nothing.

Implementations of 1-out-of-2 OT (OT_1^2)
Can be based on most public-key systems.
There are implementations with two rounds of communication.

Oblivious Transfer: 1-out-of-N OT
Input: Sender holds m_0, …, m_{N-1}; Chooser holds σ ∈ {0,1,…,N-1}
Output: Chooser obtains m_σ
The parties learn nothing else:
– Indistinguishable to Sender which σ is used
– Chooser learns no other value of m_0, …, m_{N-1}
Precise definition?

The EGL paradigm for OT_1^2
Chooser (holding σ ∈ {0,1}) sends PK_0, PK_1 and a proof that she knows only one private key.
Sender (holding m_0, m_1) replies with E_{PK_0}(m_0), E_{PK_1}(m_1).

The Bellare-Micali Protocol
Sender (holding m_0, m_1) sends a random C in the group.
Chooser (holding σ ∈ {0,1}) picks a private key k, sends PK_σ = g^k, PK_{1-σ} = C/PK_σ.
Sender picks random r_0, r_1 and sends E(m_0) = (g^{r_0}, H[(PK_0)^{r_0}] ⊕ m_0), E(m_1) = (g^{r_1}, H[(PK_1)^{r_1}] ⊕ m_1).
Chooser decrypts m_σ using k.

Properties
Chooser is protected information-theoretically: PK_0 and PK_1 are random elements in the group such that PK_0 · PK_1 = C.
Chooser cannot know both log_g PK_0 and log_g PK_1
– This would imply knowing log_g C
– If Chooser knows log_g PK_σ, then (PK_{1-σ})^{r_{1-σ}} is an unknown Diffie-Hellman value
Therefore m_{1-σ} is computationally protected.

Idea
Chooser gives two ciphertexts - a good and a bad one - and proves consistency
– Here: make it trivial to verify
Sender randomizes the ciphertexts
– Good ciphertext remains consistent
– Bad ciphertext maps to a random value
– Based on random self-reducibility of DDH

The OT protocol
Chooser defines x = g^a, y = g^b, z_σ = g^{ab} and z_{1-σ} ≠ z_σ
– Sends (x, y, z_0, z_1) to Sender. Note that z_σ = x^b and y = g^b
Sender
– Chooses random (r_0, s_0), (r_1, s_1)
– Computes w_0 = x^{s_0} · g^{r_0} and w_1 = x^{s_1} · g^{r_1}
– Encrypts m_0 with z_0^{s_0} · y^{r_0} and m_1 with z_1^{s_1} · y^{r_1}
– Sends w_0, w_1 and the encryptions
Chooser recovers the key as (w_σ)^b, decrypts m_σ.

The OT protocol: Properties
Security:
– Chooser: DDH assumption implies that Sender cannot distinguish between z_σ = g^{ab} and z_{1-σ}.
– Sender: If z_{1-σ} ≠ g^{ab} then, given (m_{1-σ}, w_{1-σ}), z_{1-σ}^{s_{1-σ}} · y^{r_{1-σ}} is uniformly distributed.
Overhead: O(1) exponentiations.
Generalization to OT_1^N without increasing Chooser's complexity.
Question: how to do
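The two-round DDH-based OT_1^2 of the two slides above, written out as an added example (not code from the lecture). It assumes a toy 10-bit safe-prime group and SHA-256 as the key-derivation hash, both placeholders; the sender-side check that z_0 ≠ z_1 enforces the slide's requirement z_{1-σ} ≠ z_σ, since equal values would let the Chooser open both messages.

```python
import hashlib
import secrets

# Toy group (assumption, NOT secure): safe prime P = 2Q+1, G generates the
# order-Q subgroup of quadratic residues. A real deployment needs a ~2048-bit group.
P, Q, G = 1019, 509, 4

def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]

def kdf(elem: int, n: int) -> bytes:
    """Assumed KDF: hash the group element down to an n-byte one-time pad."""
    return hashlib.sha256(elem.to_bytes(4, "big")).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def chooser_query(sigma: int):
    """Chooser: x = g^a, y = g^b, z_sigma = g^{ab}, z_{1-sigma} some other element."""
    a, b = rand_exp(), rand_exp()
    x, y = pow(G, a, P), pow(G, b, P)
    z = [0, 0]
    z[sigma] = pow(G, a * b, P)
    while z[1 - sigma] in (0, z[sigma]):        # ensure z_{1-sigma} != g^{ab}
        z[1 - sigma] = pow(G, rand_exp(), P)
    return (x, y, z[0], z[1]), b

def sender_respond(query, m0: bytes, m1: bytes):
    """Sender: fresh (r_i, s_i) per slot; w_i = x^{s_i} g^{r_i}, key_i = z_i^{s_i} y^{r_i}."""
    x, y, z0, z1 = query
    if z0 == z1:                                 # otherwise Chooser could open both
        raise ValueError("rejecting query with z0 == z1")
    response = []
    for z, m in ((z0, m0), (z1, m1)):
        r, s = rand_exp(), rand_exp()
        w = pow(x, s, P) * pow(G, r, P) % P
        key = pow(z, s, P) * pow(y, r, P) % P    # equals w^b only when z = g^{ab}
        response.append((w, xor(m, kdf(key, len(m)))))
    return response

def chooser_decrypt(response, sigma: int, b: int) -> bytes:
    """Chooser: (w_sigma)^b = x^{s b} g^{r b} = z_sigma^s y^r, the key for slot sigma."""
    w, ct = response[sigma]
    return xor(ct, kdf(pow(w, b, P), len(ct)))

def run_ot(sigma: int, m0: bytes, m1: bytes) -> bytes:
    """One full two-round exchange; returns what the Chooser recovers."""
    query, b = chooser_query(sigma)
    return chooser_decrypt(sender_respond(query, m0, m1), sigma, b)
```

Applying the Chooser's decryption to the other slot yields an unrelated key, because w_{1-σ}^b equals z_{1-σ}^{s} y^{r} only when z_{1-σ} = g^{ab}.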

Secret Sharing
Threshold Secret Sharing - how to split a secret S into N shares so that
– No k-1 shares yield any information about the secret S
– Any k shares are sufficient to reconstruct the secret
Best known example: Shamir's polynomial-based scheme.
Simplest example, 2-out-of-2: choose random S_1 and let S_2 = S ⊕ S_1

Two party Computation
Two party protocol
Input:
– Sender: function P (some representation)
– Receiver: X ∈ {0,1}^n
Output:
– Receiver: P(X) and nothing else about P
– Sender: nothing about X

Representations of P
– Boolean circuits [Yao,GMW,…]
– Algebraic circuits [BGW,…]
– Low degree polynomials [BFKR]
– Matrix products over a large field [FKN,IK]
– Randomizing polynomials [IK]
– Communication Complexity Protocol [NN]

Garbling P
Input: description of P as a Boolean circuit C over basis B
Output:
– Garbled circuit: C-tables
– Pairs of garbled inputs ⟨I_1^0, I_1^1⟩, ⟨I_2^0, I_2^1⟩, …, ⟨I_n^0, I_n^1⟩
– Pairs of garbled outputs ⟨Z_1^0, Z_1^1⟩, ⟨Z_2^0, Z_2^1⟩, …, ⟨Z_n^0, Z_n^1⟩

Garbling Requirements
For X ∈ {0,1}^n and Y = P(X), given
– C
– C-tables
– The selection by X = (x_1, x_2, …, x_n) of garbled inputs ⟨I_1^{x_1}, I_2^{x_2}, …, I_n^{x_n}⟩
it is possible to compute the selection by Y = (y_1, y_2, …, y_n) of garbled outputs ⟨Z_1^{y_1}, Z_2^{y_2}, …, Z_n^{y_n}⟩, and impossible to deduce anything about X or Y.
Sender and Receiver share the output.

Garbling
We construct the garbled circuit gate by gate, in some topological order (from inputs to outputs).
Start by choosing random values for the inputs ⟨I_1^0, I_1^1⟩, ⟨I_2^0, I_2^1⟩, …, ⟨I_n^0, I_n^1⟩.
Let F_W : {0,1}^{2|C|} → {0,1}^{n+1} be a pseudo-random function, with |W| = n.

Garbled Circuits: original circuit
[Figure: gate G1 takes input wires i, j and outputs wire k; gate G2 takes input wires l, m and outputs wire n; gate G3 takes wires k and n and outputs wire out.]

Garbled Circuits: garbled values for wires
[Figure: the same circuit with a pair of garbled values on every wire: W_i^0, W_i^1; W_j^0, W_j^1; W_k^0, W_k^1 (gate G1); W_l^0, W_l^1; W_m^0, W_m^1; W_n^0, W_n^1 (gate G2); W_out^0, W_out^1 (gate G3).]
Assign random pairs for each wire.
Assign a random "permutation" π : {0,1} → {0,1} for each gate.

Tables for a Gate
[Figure: gate G with input wires i, j (values W_i^0, W_i^1 and W_j^0, W_j^1) and output wire k (values W_k^0, W_k^1).]
b_i, b_j are the true values; c_i, c_j the permuted values; b_k = G(b_i, b_j).
If we know (c_i, W_i^{b_i}) and (c_j, W_j^{b_j}) we want to learn (c_k, W_k^{b_k}).
Typical entry: [(c_k, W_k^{G(b_i,b_j)}) + F_{W_i^{b_i}}(c_j, k) + F_{W_j^{b_j}}(c_i, k)]

Translation table for an OR gate
[Figure: gate G with input wires i, j and output wire k, as above.]
Encrypt (π_k(b_i, b_j), W_k^{G(b_i,b_j)}) with W_i^{b_i}, W_j^{b_j}.
Sender constructs a translation table from input values to output values.

The protocol
Initialization:
– For every wire, Sender assigns random (garbled) values to the 0/1 values
– For every gate, Sender constructs a table such that, given the garbled values of the input wires, one can compute the garbled value of the output wire and nothing else
Computation: Receiver obtains the garbled values of the input wires of the circuit and propagates them to the output wires.
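The gate-table construction of the preceding slides (each entry is (c_k, W_k^{G(b_i,b_j)}) masked by F_{W_i^{b_i}}(c_j, k) and F_{W_j^{b_j}}(c_i, k), stored at the permuted position (c_i, c_j)) and the Receiver's evaluation step, as an added example that is not code from the lecture. It assumes HMAC-SHA256 as the pseudo-random function F_W, 16-byte wire labels, and gate identifiers below 256; all function names are my own.

```python
import hashlib
import hmac
import secrets

LABEL_LEN = 16   # assumed wire-label length in bytes (the slides' |W| = n bits)

def prf(label: bytes, c: int, gate_id: int) -> bytes:
    """F_W(c, k) from the slides, instantiated (assumption) as HMAC-SHA256; gate_id < 256."""
    return hmac.new(label, bytes([c, gate_id]), hashlib.sha256).digest()[:LABEL_LEN + 1]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def new_wire():
    """Random label pair (W^0, W^1) and a random permutation bit pi for one wire."""
    return (secrets.token_bytes(LABEL_LEN), secrets.token_bytes(LABEL_LEN)), secrets.randbits(1)

def garble_gate(gate, wire_i, wire_j, wire_k, gate_id: int):
    """Sender: row at position (c_i, c_j) holds (c_k, W_k^{G(b_i,b_j)}) masked by both PRFs."""
    (Wi, pi_i), (Wj, pi_j), (Wk, pi_k) = wire_i, wire_j, wire_k
    table = [b""] * 4
    for b_i in (0, 1):
        for b_j in (0, 1):
            c_i, c_j = b_i ^ pi_i, b_j ^ pi_j          # permuted (public) positions
            b_k = gate(b_i, b_j)
            entry = bytes([b_k ^ pi_k]) + Wk[b_k]      # (c_k, W_k^{b_k})
            mask = xor(prf(Wi[b_i], c_j, gate_id), prf(Wj[b_j], c_i, gate_id))
            table[2 * c_i + c_j] = xor(entry, mask)
    return table

def eval_gate(table, gate_id: int, c_i: int, Wi_b: bytes, c_j: int, Wj_b: bytes):
    """Receiver: from (c_i, W_i^{b_i}) and (c_j, W_j^{b_j}) alone, recover (c_k, W_k^{b_k})."""
    mask = xor(prf(Wi_b, c_j, gate_id), prf(Wj_b, c_i, gate_id))
    row = xor(table[2 * c_i + c_j], mask)
    return row[0], row[1:]

def check_gate(gate, gate_id: int = 1) -> bool:
    """Garble one gate and evaluate it on all four inputs; True if every output is correct."""
    wi, wj, wk = new_wire(), new_wire(), new_wire()
    table = garble_gate(gate, wi, wj, wk, gate_id)
    for b_i in (0, 1):
        for b_j in (0, 1):
            c_k, label = eval_gate(table, gate_id, b_i ^ wi[1], wi[0][b_i], b_j ^ wj[1], wj[0][b_j])
            b_k = gate(b_i, b_j)
            if c_k != b_k ^ wk[1] or label != wk[0][b_k]:
                return False
    return True
```

The Receiver never sees the true bits b_i, b_j: the position (c_i, c_j) is a random permutation of them, and the other three rows stay masked by labels it does not hold.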

Choosing the garbled Inputs
For each 1 ≤ j ≤ n run a 1-out-of-2 OT where
– Sender: ⟨I_j^0, I_j^1⟩
– Receiver: X_j
Sender provides the Receiver with
– the gate tables,
– a translation table from garbled output values.
Receiver computes the result of P(X).

The world
[Diagram of implications between primitives. Nodes: P ≠ NP; One-way functions; Pseudo-random generators; Pseudo-random Functions; Pseudo-random Permutations; Shared-key Encryption (CCA2) and Authentication; Signature Schemes; UOWHFs; String Commitment; Zero-Knowledge for all of NP; Trapdoor permutations; Factoring is hard (BG Permutations); CPA Public-key; CCA2 PKE; Secret-key Exchange; OT; SFE.]

A more refined view
[Diagram with the minicrypt / cryptomania division. Minicrypt: One-way functions; Computational Pseudorandomness; Shared-key Encryption and Authentication; Commitment scheme; Signature Scheme; UOWHFs; Coin flipping; Efficient online memory checking; ZK Proofs for all of NP. Cryptomania: Trapdoor Permutations; Public Key Encryption; CCA-Secure PKE; OT; PIR; Secure MPC; 2 rounds Secret Key Exchange; IBE.]

Separating the worlds
[Same minicrypt / cryptomania diagram as above, with SKE added on the minicrypt side.]
Impagliazzo and Rudich 1989: there is no black-box construction of OT from OWF.

The Minicrypt = Cryptomania question
"Minicrypt = Cryptomania?" is the most important problem in complexity and cryptography where
– We do not know the answer
– There is a reasonable chance to resolve it in the near future
Omer Reingold: NL = L is a contender for the title

What's next to study?
– IBE/Pairings
– MPC
– UC
What's next to explore
– A theory of computational and physical assumptions
– A theory of moderate hardness
– Compressibility
– Privacy in Databases
– Humans and cryptography

References
Y. Lindell and B. Pinkas, "A Proof of Yao's Protocol for Secure Two-Party Computation".