Improved OT Extension for Transferring Short Secrets

Presentation on theme: "Improved OT Extension for Transferring Short Secrets"— Presentation transcript:

1 Improved OT Extension for Transferring Short Secrets
Vladimir Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion)

2 Secure Computation
[Figure: two parties holding inputs x and y obtain outputs f1(x,y) and f2(x,y)]
Most general problem in cryptography
Moving fast from theory to practice
Major research effort: improving (asymptotic & concrete) efficiency; implementation & “systems” issues
Speaker notes: This work is motivated by secure computation. The efficiency of interest is not only asymptotic but also concrete, especially for constructions which are composable with one another. Work in this area also addresses implementation and systems issues.

3 State of the Art (Semihonest Setting)
THEORY: Constant overhead [IKOS08,GGH+13]; Optimal comm./round complexity [GGHR13,AJL+12,LTV12]; ORAM-based SFE [LO13,GKK+12,GGH+13]
PRACTICE: Yao garbled circuit optimizations [KS08,PSSW09,MNPS04,HEKM11,BHKR13]; GMW optimizations [CHKMR12,SZ13,ALSZ13]; Yao + GMW [KK12]
Speaker notes: There have been several remarkable results in both the theory and the practice of SFE in the last 5 years. On the theory side, we have amazing results: it is possible to construct SFE with constant overhead over insecure evaluation; via the breakthrough FHE result, we can get optimal communication complexity up to poly(k) overheads; or even ORAM-based SFE, which breaks away from the circuit-based SFE paradigm. On the practical side, we have several neat tricks, both algorithmic and at the systems level, developed for optimizing constructions based on Yao garbled circuits (now you can garble the AES circuit in 637 microseconds); we have several implementations of Yao or GMW; and some algorithmic techniques that are hybrids of the Yao and GMW constructions. Note that the fastest implementations still use techniques from the 80s, in spite of major interest in implementations and amazing theoretical results.

4 Practical Computational Overhead
Hierarchy of efficiency: FHE >> PKE >> SKE >> one-time pad
“LHS >> RHS” ≈ the cost of LHS is, and will probably always be, bigger than the cost of RHS by orders of magnitude
OT extension is motivated by “PKE >> SKE”
Speaker notes: One obvious reason is that the hidden constants in the theoretical results are very high. But there also appears to be a hierarchy of complexity among primitives, namely FHE > PKE > ..., where “greater than” means that the cost of the LHS is, and will probably always be, orders of magnitude bigger than the cost of the RHS. The topic of this talk, OT extension, is motivated by the difference in efficiency between PKE and SKE.

5 Talk Outline
OT Extension
Ishai et al. (IKNP) OT Extension
A New Framework for IKNP
Speaker notes: First, we give a more detailed motivation for OT extension. Then, we give a high-level description of the most efficient OT extension, that of Ishai et al., and observe some properties of their construction. Finally, we propose a new coding-theoretic framework which generalizes their construction.

6 PKE >> SKE
SKE: e.g. PRG, hash functions; easy to implement heuristically; cheaper
PKE: e.g. KA, OT, SFE; hard to implement heuristically; more expensive
PKE cannot be black-box reduced to SKE [IR89]
AES-256???? Or AES-128?????
Factor ~ 3-4 orders of magnitude slower
Intel AES-NI instruction set
Speaker notes: Public key primitives such as key agreement and oblivious transfer are typically harder to implement heuristically, in the sense that most standard constructions are algebraic in nature, so there are better cryptanalytic attacks (and they are getting better); hence the security parameters are bigger and the primitives are more expensive. On the other hand, symmetric key primitives such as pseudorandom generators and collision-resistant hash functions are more unstructured and relatively easy to implement heuristically: we can hold competitions and select the best candidate, the parameters are smaller, and they are cheaper. There is also a theoretical separation between PKE and SKE due to Impagliazzo and Rudich. On the practical side, public key primitives, say encryption, are typically a factor of 3-4 orders of magnitude slower. If you invest in resources maybe you can do better, but for some widely used symmetric key operations like AES, Intel even provides a special AES-NI instruction set to speed up AES.

7 The Next Best Thing: Extending Primitives
[Figure: “[IR89] + ?”]
Extending public key encryption is easy: encrypt the payload with a symmetric key; encrypt the symmetric key with the public key (also IBE, broadcast encryption)
Huge practical impact
What about extending Oblivious Transfer?
Speaker notes: Of course we cannot get public key primitives from symmetric key primitives. But what if we only need to invest in a few instances of a public key primitive, and use symmetric key operations to derive many, many instances of that public key primitive? We call this “extension of a primitive”. This we can certainly do for the case of public key encryption, and also for IBE and broadcast encryption: encrypt the payload with a symmetric key, and the symmetric key with the public key. This has a huge impact on our everyday use. It is natural to ask whether such extension is possible for other public key primitives, say OT.

8 Oblivious Transfer (OT)
[Figure: the sender holds x0, x1; the receiver holds r and obtains xr; the sender learns nothing about r]
Yao: used to select one of two “garbled keys”
GMW: used to evaluate each AND gate in the circuit
Speaker notes: OT is perhaps the simplest nontrivial primitive. In the OT problem, we have a sender Alice with two inputs x0, x1, and a receiver Bob with a selection bit b. At the end of the protocol, Bob learns Alice's input corresponding to his selection bit and nothing else, while Alice does not learn any information about b. OT is an important building block of SFE: in Yao, OT is used to select one of two garbled keys, while in GMW, OT is used to evaluate each AND gate in the circuit. OT can also act as a mini-protocol that allows the parties to get additive shares of the product of their inputs. This alternative formulation of OT explains its use in GMW, namely to evaluate AND gates.

9 Cost of OT
No black-box reduction from OT to one-way functions [IR89]
OT length extension is easy: [Figure: one OT on short seeds s0, s1 with selection r; the sender then sends G(s0) ⊕ x0 and G(s1) ⊕ x1]
OT instance extension is possible [B96,IKNP03]: needs only k “seed” OTs to perform n >> k OTs, plus n additional symmetric key (cheap) operations; efficient, black-box
Huge impact on SFE
Speaker notes: As we saw earlier, OT is costlier than symmetric key operations. But if we have a way to get OTs on short strings, say of length the security parameter, then by a standard use of a PRG we can efficiently get OTs on long strings. This is called OT length extension. The more nontrivial problem is OT “instance” extension, which is what we mean by OT extension in the rest of the talk: we are given a few instances of OT and extend them to many instances of OT. From prior work, we know that OT extension is indeed possible. Starting with k “seed” OTs it is possible to obtain n OTs for n = poly(k) using only n additional symmetric key operations. Because we cut down the number of public key operations from n to k, OT extension has naturally had a huge impact on SFE: all current implementations of generic SFE rely on OT extension.

10 OT Extension: Prior Work
[Beaver 96]: First OT extension
[Ishai-Kilian-Nissim-Petrank 03] (IKNP): Random Oracle (RO) model or correlation robust hash functions (CRHF); most practical OT extension
[HIKN08,IPS08,NNOB12]: Malicious adversary
[LZ13]: (In)feasibility results for OT extension
This work: Improve semihonest IKNP
Speaker notes: Beaver in '96 gave the first construction for OT extension. His observation was that secure evaluation of a garbled circuit of a PRG can be used to generate more OTs. 10 years ago at Crypto 2003, Ishai et al. presented an OT extension that remains the most practical construction so far. In an ideal model that provides k seed OTs, their construction can be black-box reduced to a RO or to a special type of hash functions known as correlation robust hash functions. In later years, there has been other work on improving the efficiency in the malicious case, and on increasing our understanding of OT extension and when it is possible. In this work, we improve semihonest IKNP, both in asymptotic and concrete terms (the asymptotic improvement is only over IKNP).

11 Talk Outline
OT Extension
Ishai et al. (IKNP) OT Extension
A New Framework for IKNP
Speaker notes: In the next part of the talk we give a high-level description of the most efficient OT extension, that of Ishai et al., and observe some properties of their construction. We will actually use slides from Yuval Ishai's talk at Crypto 10 years ago.

12 [IKNP03] Strategy
[Figure: n OTs on pairs (x_{i,0}, x_{i,1}) with selections r_i are reduced, with O(n) calls to H, to k OTs on n-bit strings with seeds s1, s2, ..., sk; those k OTs are obtained by length extension from k OTs on k-bit strings]
Speaker notes: The first and main step of IKNP is the reduction of n OTs to k OTs on n-bit long strings, where k is the security parameter, plus a linear number of invocations of the random oracle H. As we already saw, we can efficiently reduce OTs on long strings to OTs on k-bit strings, so we focus on the main step of IKNP next.

13 [IKNP03] Main Reduction
Receiver picks T ∈R {0,1}^(n×k); Sender picks s ∈R {0,1}^k
k OTs with reversed roles: in OT j, the receiver offers the pair (t^j, t^j ⊕ r), i.e. column j of T and the same column masked with r, and the sender selects with bit s_j
Sender obtains Q ∈ {0,1}^(n×k), with q_i = t_i if r_i = 0 and q_i = t_i ⊕ s if r_i = 1
For 1 ≤ i ≤ n, Sender sends y_{i,0} = x_{i,0} ⊕ H(q_i) and y_{i,1} = x_{i,1} ⊕ H(q_i ⊕ s)
For 1 ≤ i ≤ n, Receiver outputs z_i = y_{i,r_i} ⊕ H(t_i)
Speaker notes: We start by letting the receiver pick a random n by k matrix T and the sender pick a random k-bit row vector s. Now the sender and receiver engage in k OTs where their roles are reversed. The receiver prepares k pairs of n-bit strings, where the first string in each pair is the corresponding column of T and the second is this column masked with its selection vector r. The sender, acting as receiver, uses its random vector s to select one string from each of the k pairs. At the end of this stage, the sender obtains a k-tuple of n-bit strings, which can be viewed as a matrix Q. So let's switch to the dual view and look at rows instead of columns. What does the i-th row of Q look like? This depends on the receiver's i-th selection bit. If r_i is 0, then in each of the k pairs we have identical bits, and so the i-th row of Q will be equal to the i-th row of T. On the other hand, if r_i is 1, then in each of the k pairs we have different bits, so the i-th row of Q is obtained by taking the XOR of the i-th row of T with the sender's random selections s. Note that the receiver knows t_i but knows nothing about s. This means that in the first case it knows q_i but knows nothing about q_i ⊕ s, and in the second case it knows q_i ⊕ s, which is t_i, and nothing about q_i. Then, to turn this unpredictability into indistinguishability, we generate our masks by applying the RO to the values q_i and q_i ⊕ s. This ensures that the receiver learns exactly one of the two sender inputs.

14 IKNP Cost
Communication cost of the resulting OT(n, L): main reduction 2nL bits; length extension 2nk bits
Communication cost of the resulting SFE: [Yao86] needs to transfer keys of length L = k; [GMW87] has L = 1, cost = 2nk + 2n, optimal?
Speaker notes: The IKNP protocol is elegant, simple, and efficient, to the point that it is not clear why there is any hope for improvement. Let's focus on their communication cost. For realizing n instances of OT where the sender inputs are of length L, the cost of the length extension is 2nk bits and the cost of the main reduction is 2nL bits. Recall that in Yao we need to transfer keys of length L = k, so the costs of the two reductions are identical. In GMW, we need only bit OTs; somewhat surprisingly, the communication cost of OT extension is then clearly dominated by the cost of the length extension rather than the main reduction. Aha, maybe we can use some arbitraging tricks to further reduce the cost?

15 Talk Outline
OT Extension
Ishai et al. (IKNP) OT Extension
A New Framework for IKNP
Speaker notes: In the last part of the talk, we propose a new coding-theoretic framework for IKNP.

16 Our Work: A Closer Look at IKNP
U = T ⊕ R, where R is the n×k matrix whose columns are all equal to the selection vector r (row i of R is 0^k if r_i = 0 and 1^k if r_i = 1)
Speaker notes: First we take a closer look at the main reduction step of IKNP. In it, the receiver generates a random matrix T and forms another matrix U whose columns are simply the columns of T XORed with the selection vector r. In other words, U = T ⊕ R, where R is the matrix whose columns are all identical to the selection vector.

17 Alternate Point of View
R = T ⊕ U is an n×k matrix; row-wise encoding: 0 → 0^k, 1 → 1^k
IKNP uses repetition encoding
Can we use other encodings?
Speaker notes: If we take a dual view of R and look row-wise, we see that the i-th row consists of k copies of the bit r_i. That is, there is a row-wise encoding which maps 0 to 0^k and 1 to 1^k. In other words, at some basic level, IKNP uses “repetition encoding”. Aha, can we use more sophisticated encodings? After all, the repetition encoding is the most trivial and a low-rate encoding.

18 A Coding Theoretic Framework for IKNP
Suppose we use a code C, and say r_i comes from a larger domain {1,…,m}; the row-wise encoding r_i → C(r_i) ∈ {0,1}^k gives the matrix C(R) with rows C(r_1), C(r_2), ..., C(r_n)
Speaker notes: Suppose the receiver's i-th selection r_i comes from the domain {1,…,m}. Then we use an encoding C that maps elements from 1 through m to k-bit strings; we map r_i to the k-bit string C(r_i), and we generate the matrix C(R). What happens when we try to generalize IKNP using this observation?

19 A Coding Theoretic Framework for IKNP
C(R) = T ⊕ U; in seed OT j the receiver offers (t^j, u^j), column j of T and of U, and the sender, selecting with s, obtains Q ∈ {0,1}^(n×k)
For r_i ∈ [m]: q_i = t_i ⊕ (C(r_i) ⦿ s), where ⦿ denotes bit-wise AND
For 1 ≤ i ≤ n, 1 ≤ r ≤ m, Sender sends y_{i,r} = x_{i,r} ⊕ H(i, q_i ⊕ (C(r) ⦿ s))
For 1 ≤ i ≤ n, Receiver outputs z_i = y_{i,r_i} ⊕ H(i, t_i)
Speaker notes: So the receiver constructs C(R) using his selection vector r. Then he shares this matrix to obtain matrices T and U. As before, the sender chooses a random string of length k as its input. In each of the k seed OTs the receiver acts as sender to transfer a column of T or U. The sender obtains as output some matrix Q. In the original IKNP construction, we saw that the i-th row of Q, namely q_i, is either t_i or t_i ⊕ s. Now we get q_i = t_i ⊕ (C(r_i) bitwise-ANDed with s); not terribly complicated. As a sanity check, note that when C is the repetition encoding, then for r = 0 we have q_i = t_i and for r = 1 we get q_i = t_i ⊕ s. The masks are generated as before, except that now the sender generates m masks, and the receiver unmasks the right input using t_i. Effectively, we have increased the cost of the main reduction from 2nL to mnL, and also obtained 1-out-of-m OT rather than 1-out-of-2 OT.

20 Analysis
Perfect security against a malicious sender
Statistical security against a semihonest receiver: no loss unless H is queried on (i, t_i ⊕ (C(r) ⦿ s)) for some r; loss in security: m·2^{-d}, where d = minimum distance of C
Cost of 1-out-of-m OT(n, L): communication (2nk + mnL) bits
OT(n, L) from 1-out-of-m OT(n/log m, L log m): communication (n/log m)(2k + mL log m) bits
Speaker notes: Throughout the protocol the sender only receives the matrix Q, which delivers random independent shares. In fact it can easily be shown that the main reduction is perfectly secure against a malicious sender in the RO model. In the main reduction there is no loss of security against a semihonest receiver unless H is queried on t_i ⊕ (C(r) bit-wise ANDed with s). The probability that this event happens is m·2^{-d}, where d is the minimum distance of C, when C is a linear code. Note that our main reduction actually allows us to get 1-out-of-m OT; the resulting cost of the main reduction is nmL, while the cost of length extension is the same 2nk as in IKNP. This happens to be better than previous results, which would reduce 1-out-of-m OT to 1-out-of-2 OT and then use OT extension. Now, obtaining n instances of 1-out-of-2 OT from n/log m instances of 1-out-of-m OT where the sender inputs are slightly longer is a standard transformation. Then we can derive the communication cost of OT as a function of m. This gives us the freedom to choose m such that the communication cost is minimized. (The computational cost also decreases by a factor of log m.)
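The main reduction of slides 13 and 19 and the minimum-distance quantity from the analysis above, as an added Python simulation that is not part of the original talk or the authors' code: the k seed OTs are modelled as an ideal per-column selection, H is modelled with SHA-256, selections are 0-based (the slides use {1,…,m}), and the sample inputs are constructed.

```python
import hashlib
import secrets

def repetition_code(k):
    """IKNP's implicit code: 0 -> 0^k, 1 -> 1^k, so m = 2 and minimum distance k."""
    return [0, (1 << k) - 1]

def hadamard_code(k):
    """Walsh-Hadamard code of length k (a power of two): m = k codewords, minimum distance k/2.
    Bit j of C(r) is the parity of r AND j."""
    return [sum((bin(r & j).count("1") & 1) << j for j in range(k)) for r in range(k)]

def min_distance(code):
    """d = minimum Hamming distance between distinct codewords; the security loss is m * 2^-d."""
    return min(bin(a ^ b).count("1") for a in code for b in code if a != b)

def mask(i, value, k, length):
    """Random oracle H(i, value) truncated to `length` bytes (modelled here with SHA-256)."""
    data = i.to_bytes(4, "big") + value.to_bytes((k + 7) // 8, "big")
    return hashlib.sha256(data).digest()[:length]

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ot_extension(code, k, inputs, choices):
    """1-out-of-m OT(n, L) from k seed OTs: inputs[i][r] is an L-byte sender string, choices[i] in [0, m)."""
    n, m, length = len(inputs), len(code), len(inputs[0][0])
    full = (1 << k) - 1
    # Receiver: random T (rows t_i) and U = T xor C(R), where row i of C(R) is C(r_i).
    t = [secrets.randbits(k) for _ in range(n)]
    u = [t[i] ^ code[choices[i]] for i in range(n)]
    # Sender: random s. The k seed OTs (modelled ideally) hand the sender column j of T
    # when s_j = 0 and column j of U when s_j = 1, so row i of Q is t_i xor (C(r_i) AND s).
    s = secrets.randbits(k)
    q = [(t[i] & (full ^ s)) | (u[i] & s) for i in range(n)]
    # Sender: y_{i,r} = x_{i,r} xor H(i, q_i xor (C(r) AND s)) for every r in [0, m).
    y = [[xor_bytes(inputs[i][r], mask(i, q[i] ^ (code[r] & s), k, length)) for r in range(m)]
         for i in range(n)]
    # Receiver: q_i xor (C(r_i) AND s) = t_i, so H(i, t_i) is exactly the mask on y_{i, r_i}.
    # For r != r_i the mask depends on (C(r) xor C(r_i)) AND s, i.e. on at least d unknown bits of s.
    return [xor_bytes(y[i][choices[i]], mask(i, t[i], k, length)) for i in range(n)]

def demo():
    """Constructed sample: n = 4 instances of 1-out-of-16 OT on 8-byte strings with k = 16."""
    k = 16
    code = hadamard_code(k)
    inputs = [[bytes([i, r]) * 4 for r in range(len(code))] for i in range(4)]
    choices = [3, 0, 15, 7]
    return ot_extension(code, k, inputs, choices) == [inputs[i][choices[i]] for i in range(4)]
```

Passing `repetition_code(k)` instead of `hadamard_code(k)` reproduces the original IKNP reduction of slide 13, with m = 2 and d = k.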

21 Efficiency
Concrete: Hadamard codes for encoding; factor ≈ 2 for 1-out-of-2 OT and GMW for k = 256; additional optimizations lead to factor ≈ 3.5
Asymptotic: comm. cost per OT O(k/log k) bits; Hadamard codes give factor log k for bit-OT and MPC; Algebraic Geometry codes give factor log m for 1-out-of-m OT
Speaker notes: The resulting efficiency improvements are as follows. Using Hadamard encoding instead of repetition encoding we can obtain up to a factor 5 improvement for 1-out-of-m OT, and a factor 2 for OT as well as for MPC. There are additional optimizations in the implementation of the length extension reduction, also independently discovered by Asharov et al. in a paper appearing at CCS this year. We also get an asymptotic factor log k improvement over IKNP.

22 Conclusions
OT extension is motivated by PKE >> SKE; huge impact on the practicality of SFE
Coding-theoretic framework for [IKNP03]: RO or “code correlation robust hash functions”
Improvements for GMW, OT, 1-out-of-m OT
Rethink GMW vs. Yao? Also [KK12], [NNOB12], [SZ13], [ALSZ13]
Speaker notes: We wrap up with a review of the talk. OT extension is motivated by PKE >> SKE. We then proposed a coding-theoretic framework, which results in improvements. I'd like to end the talk by raising the issue of rethinking GMW vs. Yao: a large percentage of recent implementations, especially in the malicious setting, use Yao, but there have been some recent works, including this one, which propose algorithmic and/or system-level improvements.

23 Thank You!

24 The research leading to these results has received funding from the European Union's Seventh Framework Programme (FP7/ ) under grant agreement no.  – ERC – Cryptography and Complexity

