Presentation is loading. Please wait.

Presentation is loading. Please wait.

Laconic Oblivious Transfer and its Applications

Published byLambert Fowler Modified over 6 years ago

Similar presentations

Presentation on theme: "Laconic Oblivious Transfer and its Applications"— Presentation transcript:

1 Laconic Oblivious Transfer and its Applications
Antigoni Polychroniadou (Cornell Tech) Joint work with Chongwon Cho (HRL Laboratories) Divya Gupta (Microsoft Research, India) Nico Dottling, Sanjam Garg, Peihan Miao (University of California, Berkeley)

2 Secure Communications over the Internet

3 Secure Communications over the Internet

4 Introduction of Secure Multi-Party Computation
[Yao82,GMW87,BGW88, CCD88…]

5 Secure Multi-Party Computation
f(x1, x2, x3, x4) = (y1, y2 ,y3 ,y4 ) x1 Secure computation with Minimal Computational & Communication Complexity x1 x1 y4 y1 x4 Goal: Correctness: Everyone computes f(x1,…,x4) Security: Nothing else but the output is revealed Adversary PPT Semi-Honest x2 y3 y2 x3

6 Progress on this question via Laconic OT
Communication Complexity Computational FHE-based solutions [Gentry09…] RAM-based solutions [OstrovskyShoup97, LuOstrovsky13] Can we achieve best of both worlds? Progress on this question via Laconic OT

7 Oblivious Transfer (OT)
Goal: The Sender should not learn The Receiver should not learn

8 Fundamental Primitive
OT is complete Necessary & sufficient for MPC [Kilian88] OT requires PKE type assumptions - Enhanced trapdoor permutations DDH, RSA, Lattices 2PC involves executions of multiple OTs - OT can be extended [Beaver96] efficiently [IshKilNisPet03] - OT can be extended [Bea96] efficiently [IKNP03]

9 Fundamental Primitive
OT is complete Necessary & sufficient for MPC [Kilian88] OT requires PKE type assumptions - Enhanced trapdoor permutations DDH, RSA, Lattices 2PC involves executions of multiple OTs - OT can be extended [Beaver96] efficiently [IshKilNisPet03] -|OTmsg| dependent on the input length of R

10 #OTs in 2PC S R

11 #OTs in 2PC S R

12 #OTs in 2PC S R

13 #OTs in 2PC . S R

14 #OTs in 2PC S R

15 #OTs in 2PC S R + Independent of |D|

16 Laconic Oblivious Transfer (OT)
+ Goal: The Sender should not learn The Receiver can only learn if if

17 Laconic Oblivious Transfer (OT)

18 Laconic Oblivious Transfer (OT)
.

19 Our Results Laconic Receiver OT with CC essentially independent of the size of input/database D. |OTmsg| depends only on the security parameter |OTmsg| independent of the input length of R

20 Less is More…(Applications of Laconic OT)
Non-Interactive Secure Computation (NISC) [IshKusOstPraSah11] on large Inputs in the circuit model 1 2 Laconic OT Apps 3 4

21 Less is More…(Applications of Laconic OT)
Non-Interactive Secure Computation (NISC) [IshKusOstPraSah11] on large Inputs in the circuit model 1 APPLICATION 2 NISC on Large input in the RAM model 2 APPLICATION 3 Very Simple solution for GRAM without the circularity issue of [LuOstrovsky13]. Laconic OT Apps 3 APPLICATION 4 Multi-Hop Homomorphic Encryption [GenHalVai10] for RAM programs. 4 IBE from DDH [DottlingGarg17] More Applications???

22 RoadMap Construction of Laconic Receiver OT Application to GRAM

23 Blueprint: Laconic Receiver OT
S R Goal: The Sender should not learn The Receiver can only learn if Hash must be collision resistant if

24 Laconic Receiver OT Step 1: Step 2:
Laconic OT for 1-to-2 compression Hash Step 2: Bootstrap Laconic OT for arbitrary compression Hash

25 Warm up: Laconic OT via Witness Encryption
Witness Encryption [Rudich89,…, GGSW13…] : Goal: If semantic security

26 Warm up: Laconic OT via Witness Encryption
WE for S R Security Issue: Since H is compressing then both Solution [HW15,OPWW15]: Somewhere Statistical Binding Hash

27 Def: Somewhere Stat. Binding (SSB) Hash
Tagline: Hash key can be made “statistically binding” in one hidden position. Properties of SSB Hash: Statistically binding at position : uniquely determines Index Hiding: Keys are computationally indistinguishable

28 Warm up: Laconic OT via Witness Encryption + SSB Hash [HubacekWichs15]
Security Issue: Since H is compressing then both

29 Warm up: Laconic OT via Witness Encryption
Using SSBH:

30 Laconic OT based on Witness Encryption (WE)
Laconic OT based on DDH: Fact: Hash Proof Systems (HPS) [CramerShoup02] imply statistical witness encryption [GarGenSahWat13]. Construct WE from HPS for the language (HPS for knowledge of preimage bits)

31 Bootstrapping Laconic OT
Laconic OT for constant compression hash functions Laconic OT for arbitrary compression hash functions

32 Bootstrapping Laconic OT
Merkle Tree: Address location: .

33 Bootstrapping Laconic OT
Compute Merkle tree

34 Bootstrapping Laconic OT
Merkle Tree: Use factor-2 compression LOT .

35 Bootstrapping Laconic OT
Compute Merkle tree

36 Bootstrapping Laconic OT
Merkle Tree: Traversal Circuit: Use garbled circuit Use garbled circuit .

37 Bootstrapping Laconic OT

38 Bootstrapping Laconic OT
Merkle Tree: Use garbled circuit .

39 Bootstrapping Laconic OT
Compute Merkle tree

40 GRAM Application

41 RAM analogue of Yao’s Garble Circuits
Communication complexity & Computational complexity grow with where is the running time of GRAM solutions [LO13,…] incur linear overhead in

42 Definition of GRAM Goal: Correctness: Server computes
Security: Nothing else but is revealed to the server (also data access pattern remains hidden UMA vs. full security )

43 RAM Model … Consider Read-only computations next index next index
read bit 1 next index read bit 2 next index CPU step 1 CPU step 2 Consider Read-only computations

44 [LO13] GRAM approach … next index next index read bit 1 read bit 2 CPU
step 1 CPU step 2

45 [LO13] GRAM approach … Circular Security Issue:
Rely on security of 2nd garbled circuit Read Location : Rely on security of PRF read bit 1 read bit 2 next index CPU step 1 CPU step 2

46 Related work on Garbled RAM
[LO13, GHLORW14, GLOS15, GLO15,GP16] [CHJV14, BGT14, LP14, KLW15, CH15, CCCLLZ15...]: succinct constructions based on iO

47 Simple GRAM scheme via Laconic OT
App #3 Simple GRAM scheme via Laconic OT Circular Security Issue: Rely on security of 2nd garbled circuit Read Location : Rely on security of PRF read bit 1 read bit 2 next index CPU step 1 CPU step 2

48 Simple GRAM scheme via Laconic OT
App #3 Simple GRAM scheme via Laconic OT Security technicality: Compute: Rely on security of Laconic OT Read Location : read bit 1 read bit 2 next index CPU step 1 CPU step 2

49 Multi-Hop HE [GenHalVai10] for RAM programs
App. #4 Multi-Hop HE [GenHalVai10] for RAM programs UPDATES

50 Conclusion Laconic Receiver OT with CC essentially independent of the size of input/database D. (depending at most polynomially in log(|D|)) We achieve something more with the computational cost Updatable Laconic OT

51 Less is More…(Applications of Laconic OT)
Non-Interactive Secure Computation (NISC) [IKOPS11] on large inputs in the circuit model 1 2 Laconic OT Apps 3 4

52 Less is More…(Applications of Laconic OT)
Non-Interactive Secure Computation (NISC) [IKOPS11] on large inputs in the circuit model 1 APPLICATION 2 NISC on Large input in the RAM model 2 APPLICATION 3 Very Simple solution for GRAM without the circularity issue of [L013]. Laconic OT Apps 3 APPLICATION 4 Multi-Hop Homomorphic Encryption [GHV10] for RAM programs. 4 IBE from DDH [DottlingGarg17] More Applications???

53 Thank you!

Download ppt "Laconic Oblivious Transfer and its Applications"

Similar presentations

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner www.wisdom.weizmann.ac.il/~iftachh WEIZMANN INSTITUTE.

Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner WEIZMANN INSTITUTE.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.

Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland.

On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland.
Garbled RAM, Revisited Daniel Wichs (Northeastern University) Joint work with: Craig Gentry, Shai Halevi, Seteve Lu, Rafail Ostrovsky, Mariana Raykova.

Garbled RAM, Revisited Daniel Wichs (Northeastern University) Joint work with: Craig Gentry, Shai Halevi, Seteve Lu, Rafail Ostrovsky, Mariana Raykova.
GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION

GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
Outsourcing Private RAM Computation Daniel Wichs Northeastern University with: Craig Gentry, Shai Halevi, Mariana Raykova.

Outsourcing Private RAM Computation Daniel Wichs Northeastern University with: Craig Gentry, Shai Halevi, Mariana Raykova.
New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.

New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions

Similar presentations

Ads by Google