Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation
Recap of last week’s lecture –Malleability vs. Semantic Security –Chosen Ciphertext Attacks: CCA1: Preprocessing (Lunch break) Postprocessing –Approaches for achieving malleability and resistance to CCA: Independent keys Proofs of consistency Cramer-Shoup Cryptosystem –Applications Interactive Authentication Auctions
Combinations Attack Breaking CCA1 (lunch-time) CCA2 (post-processing) CPA Semantic Security Non- Malleability All implications are proper All combinations are useful in some circumstances
Motivation for Zero-knowledge Can turn any protocol that works well when the parties are benign (but curious) into one that works well when the parties are malicious Need further property: proof of knowledge – Possible to extract the witness from a successful prover
Honest but curious model Parties follow the protocol Never erase information General principle: design you protocol assuming the players are honest-but-curious Translate the protocol into one resilient against malicious players –Use zero-knowledge (POK) for all language in NP as a compiler
Secure Function Evaluation (SFE) Major and exciting topic of research in last quarter century How to distributively compute a function f(X 1, X 2, …,X n ), –where X j known to party j. –Parties learn only the final output
The Millionaires Problem Alice x Whose value is greater? Bob y Leak no other information!
Ideal Solution for the Millionaires Problem TrustMe y x Well... Alice x Bob y
Secure Function Evaluation (Informal) Definition For any adversary there is a comparable one working in the Ideal Model with similar output Or A protocol is secure if it emulates the ideal solution
Second Price Auctions - Vickrey So why isn’t it more popular? Sealed bid, second price auction: Winner is the highest bidder, pays second highest bid Why? –Bidding true value is a dominant (and simple) strategy –Single round simulation of the English auction
Problems with applying the Revelation Principle –Utility functions (value of item) contain sensitive information –Participants might cheat simply to avoid leaking this information Hal Varian: “Even if current information can be safeguarded, records of past behavior can be extremely valuable, since historical data can be used to estimate the willingness to pay” “...what should be the appropriate technological and social safeguards to deal with this problem?” This lecture: technological safeguards via cryptography f(X 1, X 2, …,X n ) = (i, x j ), where x i = max k x k and x j = max k i x k
Major Result [Yao,GMW] “ Any function f that can be evaluated using polynomial resources can be securely evaluated using polynomial resources”
SFE Many results depending on –Number of players –Means of communication –the power and model of the adversary –how the function is represented
Simulation A protocol is considered secure if: For every adversary (of a certain type) There exists a simulator that outputs an indistinguishable ``transcript”. Example: Encryption Zero-knowledge Next: secure function evaluation
Simulating the ideal model A protocol is considered secure if: For every adversary there exists a simulator operating in the ``ideal (trusted party) model that outputs an indistinguishable ``transcript”.
1-out-of 2 Oblivious Transfer Learns nothing YjYj Alice j Bob Y 0, Y 1 ChooserSender
Implementations of OT 1 2 Can be based on most public-key systems There are implementations with two rounds of communication
Oblivious Transfer 1-out-of-N OT {0,1,…,N-1 } m 0,…,m N-1 mm Input: Output: The parties learn nothing else: Indistinguishable to Sender which is used Chooser learns no other value of m 0,…,m N-1 Precise definition? SenderChooser
The EGL paradigm for OT 1 2 PK 0,PK 1 and proof that she knows only one private key E PK 0 (m 0 ), E PK 1 (m 1 ) Sender Chooser m 0,m 1 {0,1}
The Bellare-Micali Protocol {0,1} m 0,m 1 Picks a private key k, sends PK =g k, PK 1- =C/PK E (m 0 )=(g r 0, H[(PK 0 ) r 0 ] m 0 ) E (m 1 )=(g r 1, H[(PK 1 ) r 1 ] m 1 ) Random C in the group Decrypts m using k Sender Chooser Picks random r 0, r 1
Properties Chooser is protected information-theoretically: PK 0 and PK 1 are random elements in the group such that PK 0 ¢ PK 1 =C Chooser cannot know both log g PK 0 and log g PK 1 –This implies knowing log g C –If Chooser knows PK : then (PK 1- ) r 1- is an unknown Diffie-Hellman value Therefore m 1- is computationally protected
Idea Chooser gives two ciphertexts - a good and a bad one - and proves consistency –Here: make it trivial to verify Sender randomizes ciphertexts –Good ciphertext remains consistent –Bad ciphertext - maps to random value –Based on random self-reducibility of DDH
The OT protocol Chooser defines x=g a, y=g b, z =g ab and z 1- z –Sends ( x,y,z 0, z 1 ) to sender. note that z =x b and y=g b Sender –Chooses random (r 0,s 0 ), (r 1,s 1 ). –Computes w 0 = x s 0. g r 0 and w 1 = x s 1. g r 1 –encrypts m 0 with z 0 s 0. y r 0 and m 1 with z 1 s 1. y r 1 –Sends w 0,w 1 and encryptions. Chooser recovers key as (w ) b, decrypts m .
The OT protocol: Properties Security: –Chooser: DDH assumption implies that sender cannot distinguish between z =g ab and z 1- . –Sender: If z 1- g ab given (m 1- , w 1- ) then z 1 - s 1 - . y r 1 - is uniformly distributed. Overhead: O(1) exponentiations. Generalization to OT 1 N without increasing chooser’s complexity. Question: how to do
Secret Sharing Threshold Secret Sharing - how to split a secret S into N shares so that – No k-1 shares yield any information about the secret S – Any k shares sufficient to reconstruct the secret Best known example: Shamir’s polynomials based scheme. Simplest example 2 out-of 2: choose random S 1 and let S 2 = S © S 1
Two party Computation Two party protocol Input: –Sender: Function P (some representation) –Receiver: X 2 0,1 n Output: –Receiver: P(x) and nothing else about P –Sender: nothing about x
Representations of P Boolean circuits [Yao,GMW,…] Algebraic circuits [BGW,…] Low deg polynomials [BFKR] Matrices product over a large field [FKN,IK] Randomizing polynomials [IK] Communication Complexity Protocol [NN]
Garbling P BInput: description of P as a Boolean circuit C over basis B Output: C –Garbled circuit C - tables – Pairs of garbled inputs I 1 0, I 1 1 , I 2 0, I 2 1 , …, I n 0, I n 1 –Pairs of Garbled outputs Z 1 0, Z 1 1 , Z 2 0, Z 2 1 , …, Z n 0, Z n 1
Garbling Requirements For X 2 0,1 n and Y =P(x) Given –C –C - tables – Selection by X of garbled inputs X = (x 1, x 2, … x n ) I 1 x 1, I 2 x 2, …, I n x n Possible to compute selection by y = (y 1, y 2, … y n ) Z 1 y 1, Z 2 y 2, …, Z n y n Impossible to deduce anything about x or y Sender and Receiver share the output
Garbling We construct the garbled circuit Gate by gate Some topological sort (from inputs to outputs) Start by choosing random values for inputs I 1 0, I 1 1 , I 2 0, I 2 1 , … I n 0, I n 1 Let F W : {0,1} 2|C| {0,1} n+1 Let be a pseudo-random function. |W| =n
Garbled Circuits Original circuit i j k G1G1 lm n G2G2 out G3G3
ij k W i 0,W i 1 W j 0,W j 1 W k 0,W k 1 G1 G1 lm n W l 0,W l 1 W m 0,W m 1 W n 0,W n 1 G2G2 out W out 0,W out 1 G3G3 Garbled Circuits Garbled values for wires Assign random pairs for each wire Assign random “permutation” : 0,1 0,1 for each gate
Tables for a Gate b i, b j are the true values c i, c j permutated values b k =G(b i, b j ) If we know (c i, W i b i ) and (c j, W j b j ) want to know (c k, W k b k ) ij k W i 0,W i 1 W j 0,W j 1 W k 0,W k 1 G Typical entry: [(c k, W k G(b i,b j ) ) +F W i b i (c j,k) + F W j b j (c i, k)]
Translation table for an OR gate ij k W i 0,W i 1 W j 0,W j 1 W k 0,W k 1 G Encrypt ( k (b i,b j ), W k G(b i,b j ) ) with W i b i, W j b j Sender constructs a translation table from input values to output values
The protocol Initialization: –For every wire, Sender assigns random (garbled) values to the 0/1 values –For every gate, Sender constructs a table, s.t. given garbled values of input wires enables to compute garbled values of output wire and nothing else Computation: receiver obtains garbled values of input wires of circuit, and propagates them to the output wires
Choosing the garbled Inputs For each 1 · j · n run a 1-out-of-2 OT where –Sender: I j 0, I j 1 –Receiver : X j Sender provides the receiver –The gates tables, –A translation table from garbled output values. Receiver computes result of P (x)
The world Pseudo-random generators Signature Schemes UOWHFs One-way functions String Commitment Zero-Knowledge for all of NP Pseudo-random Permutations Pseudo-random Functions Shared-key Encryption ( CCA2 ) and Authentication Trapdoor permutations CPA Public-key Factoring is hard (BG Permutations) P NP CCA2 PKE OTSFE Secret-key Exchange
A more refined view OT Public Key Encryption CCA-Secure PKE PIR Secure MPC ZK Proofs for all of NP Shared-key Encryption and Authentication Commitment scheme Signature Scheme UOWHFs Coin flipping Efficient online memory checking minicrypt cryptomania Trapdoor Permutations One-way functions Computational Pseudorandomness 2 rounds Secret Key Exchange IBE
Separating the worlds OT Public Key Encryption SKE CCA-Secure PKE PIR Secure MPC ZK Proofs for all of NP Shared-key Encryption and Authentication Commitment scheme Signature Scheme UOWHFs Coin flipping Efficient online memory checking minicrypt cryptomania Trapdoor Permutations One-way functions Computational Psuedorandomness Impagliazzo and Rudich 1989: there is no blackbox construction of OT from OWF.
The Minicrypt = Cryptomania question “Minicrypt = Cryptomania?” is the most important problem in complexity and cryptography where We do not know the answer There is a reasonable chance to resolve it in the near future Omer Reingold: NL = L is a contender for the title
What’s next to study? IBE/Pairings MPC UC What’s next to explore A theory of computational and physical Assumptions A theory of moderate hardness Compressibility Privacy in Databases Humans and cryptography
References Y. Lindell and B. Pinkas A Proof of Yao's Protocol for Secure Two-Party Computation