Semi-Honest to Malicious Oblivious-Transfer: The Black-box Way. Iftach Haitner, Weizmann Institute of Science.

Presentation transcript:


Why should we reconsider these old constructions?
- I have a dream. Let's do key-agreement from one-way functions.
- Barak showed that black-box separations are not that meaningful.
- OK, but what about GMW? It is not black-box!
- Mm... But what about Impagliazzo-Rudich black-box impossibility result?
- This was in a different setting. No one broke the black-box barrier in the setting you are talking about.
- Well....

Are non black-box techniques superior to black-box ones?
- Non black-box techniques are typically less efficient.
- When using a black-box reduction, the round complexity of π' is independent of the exact implementation of the parties of π.
[Diagram labels: π, protocol with limited security; π', protocol with improved security; reduction; trapdoor-permutation-based semi-honest OT; malicious OT.]

(Fully) Black-Box Reductions
A fully black-box reduction from B to A:
- Black-box construction.
- Black-box proof of security.
- Adversary for breaking B ⇒ adversary for breaking A.
[Diagram labels: A, B, adversary for B, adversary for A.]

Black-Box Reductions (cont.)
1. Most reductions in cryptography are (fully) black-box, e.g., from pseudorandom generators to one-way functions.
2. Few "non black-box" techniques that apply in restricted settings (typically using ZK proofs). Example: from malicious security to semi-honest security [GMW]

Oblivious Transfer (OT) [Rabin '81] (one-out-of-two version [EGL '85])
Sender: bits σ_0 and σ_1. Receiver: index i ∈ {0,1}.
1. Correctness - the receiver learns σ_i
2. Sender's privacy - the receiver learns nothing about σ_(1-i)
3. Receiver's privacy - the sender learns nothing about i
- Complete for secure function evaluation [GMW87,K88]
- Implied by (enhanced/dense) trapdoor permutations, homomorphic encryption, ... [GKL87,H04,K97,S98]

Oblivious Transfer (cont.)
Different types of security:
- Semi-honest adversaries
- Malicious adversaries
Typical constructions of OT:
1. Hardness assumption (e.g., enhanced trapdoor permutations) ⇒ semi-honest OT
2. Using non-black-box techniques ⇒ malicious OT
The second reduction is typically inefficient (round-wise).
[Annotation on slide: Black-box]

Defensible Privacy [IKLP '06]
A natural model of security between semi-honest and full-fledged (malicious) security.
After the protocol ends, the adversary cannot simultaneously learn non-permissible information and defend its behavior, i.e., provide input and random coins that justify its behavior.
Example: Defensible OT. The sender cannot simultaneously learn the index i and give a valid defense.

Defensible Privacy (cont.)
Let π = (A,B) be a protocol for computing f = (f_A, f_B).
π is defensibly private for B if no efficient A* can simultaneously:
- Output a good defense (i_A*, r_A*)
- Learn inf(i_B) not determined by f_A(i_A*, i_B)
Notes:
- The privacy of B might be violated when A does not give a valid defense
- After giving the defense, A's privacy might be ruined
- Implies semi-honest privacy
[Diagram labels: A(i_A, r_A), B(i_B, r_B), A*.]

The Usefulness of Defensible Privacy [Ishai Kushilevitz Lindell Petrank '06]
1. Enhanced TDP, homomorphic encryption ⇒ Defensible-OT
2. Defensible-OT ⇒ Malicious-OT
Both reductions are (fully) black-box.
[Diagram labels: TDP, Semi-Honest OT, Defensible OT, Malicious OT.]

Defensible-OT ⇒ Malicious-OT [IKLP '06] (simplified version)
1. Interact in n defensible OTs using random inputs
2. Verify the defense of half of the OTs
3. Combine the remaining OTs to get the desired OT functionality ("randomized self reducibility")
[Diagram: Sender (σ_0, σ_1) and Receiver i, with Def-OT 1, Def-OT 2, Def-OT 3, ..., Def-OT n between them.]

Our Results
Main Theorem: Assuming that OWFs exist, for every functionality* there exists a fully-black-box reduction from defensible privacy to semi-honest privacy.
* the functionality has some natural sampling property / stronger assumption about the semi-honest privacy
- preserves statistical privacy of either of the parties
- black-box w.r.t. the OWF
Corollaries:
- Black-box reduction from malicious OT to semi-honest OT
- Black-box reduction from malicious OT to dense-TDP, non-trivial PIR, ...
- Black-box reduction from secure function evaluation with static malicious adversaries to semi-honest OT
[Diagram labels: trapdoor perm., homomorphic enc., semi-honest OT, defensible OT, imply, black box.]

The Reduction
Given a protocol π = (A,B) for computing f, which is semi-honest private for B, and a OWF.
We construct a protocol π_D = (A_D, B_D) which:
- computes f
- defensibly private for B_D
- preserves the same privacy for A_D
We achieve our main result by applying the above reduction twice.

The Reduction (cont.)
Parties: A_D(i_A, r_A) and B_D(i_B, (r_B, r_A'))
1. A_D → B_D: C = Com(i_A, r_A)
2. B_D → A_D: r_A'
3. The parties run (A(i_A, r_A ⊕ r_A'), B(i_B, r_B))
Proof of Security
- Privacy of A_D: follows by the hiding of Com
- Privacy of B_D: assume that A_D* violates the defensible privacy of B_D; we use it to construct A* for breaking the semi-honest privacy of B (in π)

Algorithm A*
[Diagram labels: A*, A_D*, B, B_D; emulated interaction with A_D*; real interaction with B, (A(i_A*, r_A), B(i_B, r_B)); C = Com(i_A*, r_A*); r_A'; Random.]
1. Emulated interaction (A_D*, B): if A_D* gives a valid defense, let (i_A*, r_A*) = Decom(C). Otherwise, output a random guess for i_B.
2. Set r_A' = r_A ⊕ r_A*.
3. The emulated B acts as B does on the real execution.
4. Take A_D*'s guess for i_B.
5. If A_D* outputs a valid defense, output that guess as the value of i_B. Otherwise, output a random guess.
Analysis: A_D* gives a valid defense ⇒ (i_A*, r_A*) = Decom(C) ⇒ A_D* acts as A(i_A*, r_A) ⇒ the emulated B acts correctly ⇒ A_D*'s guess is a good guess for i_B.
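The compiled protocol from the two slides above (A_D commits to (i_A, r_A), B_D replies with r_A', and the parties run the underlying protocol with A using coins r_A ⊕ r_A') together with the check that a defense is valid, as an added Python example that is not from the original slides. The hash-based commitment standing in for Com, the toy next-message function `a_next_msg`, the commitment nonce carried in the defense, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

def commit(value: bytes, nonce: bytes) -> bytes:
    # Hash commitment used as a stand-in for the slides' Com (assumption).
    return hashlib.sha256(nonce + value).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def a_next_msg(i_a: int, coins: bytes, received: list) -> bytes:
    # Hypothetical next-message function of A in the underlying protocol:
    # deterministic in (input, coins, messages received so far).
    return hashlib.sha256(bytes([i_a]) + coins + b"".join(received)).digest()[:8]

def run_compiled(i_a, r_a, nonce, coins_used=None, rounds=3):
    """Run the compiled protocol and return the transcript seen by B_D.
    coins_used lets a deviating A_D ignore r_A xor r_A' (constructed case)."""
    c = commit(bytes([i_a]) + r_a, nonce)        # A_D -> B_D: C = Com(i_A, r_A)
    r_a_prime = secrets.token_bytes(len(r_a))    # B_D -> A_D: r_A'
    coins = coins_used if coins_used is not None else xor(r_a, r_a_prime)
    a_msgs, b_msgs = [], []
    for _ in range(rounds):
        a_msgs.append(a_next_msg(i_a, coins, b_msgs))
        b_msgs.append(secrets.token_bytes(8))    # B's replies, opaque here
    return {"C": c, "r_a_prime": r_a_prime, "a_msgs": a_msgs, "b_msgs": b_msgs}

def valid_defense(t, i_a, r_a, nonce) -> bool:
    """A defense (i_A, r_A, nonce) is valid iff it opens C and every message
    A_D sent equals what honest A(i_A, r_A xor r_A') would have sent."""
    if commit(bytes([i_a]) + r_a, nonce) != t["C"]:
        return False
    coins = xor(r_a, t["r_a_prime"])
    return all(t["a_msgs"][k] == a_next_msg(i_a, coins, t["b_msgs"][:k])
               for k in range(len(t["a_msgs"])))

def demo():
    i_a, r_a, nonce = 1, secrets.token_bytes(16), secrets.token_bytes(32)
    honest = run_compiled(i_a, r_a, nonce)
    # Deviating A_D: commits honestly but runs A with coins of its own choice.
    cheat = run_compiled(i_a, r_a, nonce, coins_used=bytes(16))
    return (valid_defense(honest, i_a, r_a, nonce),
            valid_defense(cheat, i_a, r_a, nonce))
```

A party that picks its own coins after seeing r_A' can still finish the run, but it can no longer produce an opening of C that explains its messages, which is the event the defensible-privacy definition conditions on.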

Summary
- We give a black-box reduction from malicious oblivious transfer to semi-honest oblivious transfer.
- Supports the conjecture that, in some settings, black-box techniques are as strong as non-black-box ones.
Open Questions:
- Better understanding of defensible privacy: Middle step in other reductions? Useful for its own sake?
- Characterizing the class of functions for which secure evaluation can be black-box reduced to semi-honest evaluation?
[Annotation on slide: randomized self reducibility]