Published by Lambert Fowler. Modified over 6 years ago.
1
Laconic Oblivious Transfer and its Applications
Antigoni Polychroniadou (Cornell Tech)
Joint work with Chongwon Cho (HRL Laboratories), Divya Gupta (Microsoft Research, India), Nico Dottling, Sanjam Garg, Peihan Miao (University of California, Berkeley)
2
Secure Communications over the Internet
4
Introduction of Secure Multi-Party Computation
[Yao82,GMW87,BGW88, CCD88…]
5
Secure Multi-Party Computation
f(x1, x2, x3, x4) = (y1, y2, y3, y4)
Secure computation with Minimal Computational & Communication Complexity
Goal:
 - Correctness: Everyone computes f(x1,…,x4)
 - Security: Nothing else but the output is revealed
Adversary: PPT, Semi-Honest
[Figure: four parties with inputs x1, x2, x3, x4 and outputs y1, y2, y3, y4]
6
Progress on this question via Laconic OT
Communication complexity / computational complexity:
 - FHE-based solutions [Gentry09…]
 - RAM-based solutions [OstrovskyShoup97, LuOstrovsky13]
Can we achieve the best of both worlds?
7
Oblivious Transfer (OT)
Goal: The Sender should not learn The Receiver should not learn
8
Fundamental Primitive
OT is complete
 - Necessary & sufficient for MPC [Kilian88]
OT requires PKE type assumptions
 - Enhanced trapdoor permutations, DDH, RSA, Lattices
2PC involves executions of multiple OTs
 - OT can be extended [Beaver96] efficiently [IshKilNisPet03]
9
Fundamental Primitive
OT is complete
 - Necessary & sufficient for MPC [Kilian88]
OT requires PKE type assumptions
 - Enhanced trapdoor permutations, DDH, RSA, Lattices
2PC involves executions of multiple OTs
 - OT can be extended [Beaver96] efficiently [IshKilNisPet03]
 - |OTmsg| dependent on the input length of R
10
#OTs in 2PC S R
15
#OTs in 2PC S R + Independent of |D|
16
Laconic Oblivious Transfer (OT)
+ Goal: The Sender should not learn The Receiver can only learn if if
19
Our Results
Laconic Receiver OT with CC (communication complexity) essentially independent of the size of the input/database D.
 - |OTmsg| depends only on the security parameter
 - |OTmsg| independent of the input length of R
21
Less is More…(Applications of Laconic OT)
Laconic OT Apps:
 - Application 1: Non-Interactive Secure Computation (NISC) [IshKusOstPraSah11] on large inputs in the circuit model
 - Application 2: NISC on large input in the RAM model
 - Application 3: Very simple solution for GRAM without the circularity issue of [LuOstrovsky13]
 - Application 4: Multi-Hop Homomorphic Encryption [GenHalVai10] for RAM programs
 - …
IBE from DDH [DottlingGarg17]
More Applications???
22
Roadmap
 - Construction of Laconic Receiver OT
 - Application to GRAM
23
Blueprint: Laconic Receiver OT
S R Goal: The Sender should not learn The Receiver can only learn if Hash must be collision resistant if
24
Laconic Receiver OT
Step 1: Laconic OT for 1-to-2 compression Hash
Step 2: Bootstrap Laconic OT for arbitrary compression Hash
25
Warm up: Laconic OT via Witness Encryption
Witness Encryption [Rudich89,…, GGSW13…] : Goal: If semantic security
26
Warm up: Laconic OT via Witness Encryption
WE for
Security Issue: Since H is compressing then both
Solution [HW15,OPWW15]: Somewhere Statistical Binding Hash
27
Def: Somewhere Stat. Binding (SSB) Hash
Tagline: Hash key can be made “statistically binding” in one hidden position.
Properties of SSB Hash:
 - Statistically binding at position : uniquely determines
 - Index Hiding: Keys are computationally indistinguishable
28
Warm up: Laconic OT via Witness Encryption + SSB Hash [HubacekWichs15]
Security Issue: Since H is compressing then both
29
Warm up: Laconic OT via Witness Encryption
Using SSBH:
30
Laconic OT based on Witness Encryption (WE)
Laconic OT based on DDH:
Fact: Hash Proof Systems (HPS) [CramerShoup02] imply statistical witness encryption [GarGenSahWat13].
Construct WE from HPS for the language (HPS for knowledge of preimage bits)
31
Bootstrapping Laconic OT
Laconic OT for constant compression hash functions
Laconic OT for arbitrary compression hash functions
32
Bootstrapping Laconic OT
Merkle Tree: Address location:
33
Bootstrapping Laconic OT
Compute Merkle tree
34
Bootstrapping Laconic OT
Merkle Tree: Use factor-2 compression LOT
36
Bootstrapping Laconic OT
Merkle Tree:
Traversal Circuit: Use garbled circuit
38
Bootstrapping Laconic OT
Merkle Tree: Use garbled circuit
39
Bootstrapping Laconic OT
Compute Merkle tree
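The tree structure behind the bootstrapping slides, as an added example that is not from the talk or the paper: a fixed-size digest over a database D, and a root-to-leaf walk that opens one factor-2 hash per level, so reading one location costs log2|D| openings. SHA-256 stands in for the 1-to-2 compression hash, all names are hypothetical, and the walk is done in the clear, where the slides use factor-2 laconic OT and garbled circuits for the traversal.

```python
import hashlib

LAMBDA = 32  # node size in bytes; stands in for the security parameter


def H(left: bytes, right: bytes) -> bytes:
    """Factor-2 compression: 2*LAMBDA bytes in, LAMBDA bytes out.
    SHA-256 is an assumed stand-in, not the DDH-based hash of the talk."""
    return hashlib.sha256(left + right).digest()


def leaf(bit: int) -> bytes:
    return bytes([bit]) * LAMBDA  # pad each database bit to one full node


def build_tree(D):
    """Return levels[0] = [root digest] ... levels[-1] = leaves of D."""
    if len(D) < 2 or len(D) & (len(D) - 1):
        raise ValueError("|D| must be a power of two >= 2")
    levels = [[leaf(b) for b in D]]
    while len(levels[0]) > 1:
        prev = levels[0]
        levels.insert(0, [H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def read_location(digest, levels, L):
    """Walk from the digest to D[L], one factor-2 opening per tree level.
    Returns (bit, openings); raises if any pair fails to hash to its parent."""
    depth = len(levels) - 1
    if not 0 <= L < 1 << depth:
        raise ValueError("location out of range")
    node, pos = digest, 0
    for d in range(depth):
        left, right = levels[d + 1][2 * pos], levels[d + 1][2 * pos + 1]
        if H(left, right) != node:
            raise ValueError(f"level {d}: children do not hash to parent")
        step = (L >> (depth - 1 - d)) & 1  # next address bit, MSB first
        node, pos = (right if step else left), 2 * pos + step
    return node[0], depth


if __name__ == "__main__":
    D = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed sample database
    levels = build_tree(D)
    print(read_location(levels[0][0], levels, 5), len(levels[0][0]))
```

The digest stays LAMBDA bytes whether D has 8 or 1024 entries; only the number of openings grows, and it grows as log2|D|.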
40
GRAM Application
41
RAM analogue of Yao’s Garbled Circuits
Communication complexity & Computational complexity grow with where is the running time of GRAM solutions [LO13,…] incur linear overhead in
42
Definition of GRAM
Goal:
 - Correctness: Server computes
 - Security: Nothing else but is revealed to the server (also data access pattern remains hidden; UMA vs. full security)
43
RAM Model
[Figure: CPU step 1, CPU step 2, …; labels: read bit 1, read bit 2, next index]
Consider Read-only computations
44
[LO13] GRAM approach
[Figure: CPU step 1, CPU step 2, …; labels: read bit 1, read bit 2, next index]
45
[LO13] GRAM approach
Circular Security Issue:
Rely on security of 2nd garbled circuit
Read Location :
Rely on security of PRF
[Figure: CPU step 1, CPU step 2, …; labels: read bit 1, read bit 2, next index]
46
Related work on Garbled RAM
[LO13, GHLORW14, GLOS15, GLO15,GP16] [CHJV14, BGT14, LP14, KLW15, CH15, CCCLLZ15...]: succinct constructions based on iO
47
Simple GRAM scheme via Laconic OT
App #3
Circular Security Issue:
Rely on security of 2nd garbled circuit
Read Location :
Rely on security of PRF
[Figure: CPU step 1, CPU step 2, …; labels: read bit 1, read bit 2, next index]
48
Simple GRAM scheme via Laconic OT
App #3
Security technicality:
Compute:
Rely on security of Laconic OT
Read Location :
[Figure: CPU step 1, CPU step 2, …; labels: read bit 1, read bit 2, next index]
49
Multi-Hop HE [GenHalVai10] for RAM programs
App. #4 Multi-Hop HE [GenHalVai10] for RAM programs UPDATES
50
Conclusion
Laconic Receiver OT with CC essentially independent of the size of input/database D (depending at most polynomially in log(|D|)).
We achieve something more with the computational cost
Updatable Laconic OT
52
Less is More…(Applications of Laconic OT)
Laconic OT Apps:
 - Application 1: Non-Interactive Secure Computation (NISC) [IKOPS11] on large inputs in the circuit model
 - Application 2: NISC on large input in the RAM model
 - Application 3: Very simple solution for GRAM without the circularity issue of [LO13]
 - Application 4: Multi-Hop Homomorphic Encryption [GHV10] for RAM programs
 - …
IBE from DDH [DottlingGarg17]
More Applications???
53
Thank you!