Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.

Published byColleen Leblanc Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation."— Presentation transcript:

1 Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation

2 Recap of last week’s lecture –Malleability vs. Semantic Security –Chosen Ciphertext Attacks: CCA1: Preprocessing (Lunch break) Postprocessing –Approaches for achieving malleability and resistance to CCA: Independent keys Proofs of consistency Cramer-Shoup Cryptosystem –Applications Interactive Authentication Auctions

3 Combinations Attack Breaking CCA1 (lunch-time) CCA2 (post-processing) CPA Semantic Security Non- Malleability All implications are proper All combinations are useful in some circumstances

4 Motivation for Zero-knowledge Can turn any protocol that works well when the parties are benign (but curious) into one that works well when the parties are malicious Need further property: proof of knowledge – Possible to extract the witness from a successful prover

5 Honest but curious model Parties follow the protocol Never erase information General principle: design you protocol assuming the players are honest-but-curious Translate the protocol into one resilient against malicious players –Use zero-knowledge (POK) for all language in NP as a compiler

6 Secure Function Evaluation (SFE) Major and exciting topic of research in last quarter century How to distributively compute a function f(X 1, X 2, …,X n ), –where X j known to party j. –Parties learn only the final output

7 The Millionaires Problem Alice x Whose value is greater? Bob y Leak no other information!

8 Ideal Solution for the Millionaires Problem TrustMe y x Well... Alice x Bob y

9 Secure Function Evaluation (Informal) Definition For any adversary there is a comparable one working in the Ideal Model with similar output Or A protocol is secure if it emulates the ideal solution

10 Second Price Auctions - Vickrey So why isn’t it more popular? Sealed bid, second price auction: Winner is the highest bidder, pays second highest bid Why? –Bidding true value is a dominant (and simple) strategy –Single round simulation of the English auction

11 Problems with applying the Revelation Principle –Utility functions (value of item) contain sensitive information –Participants might cheat simply to avoid leaking this information Hal Varian: “Even if current information can be safeguarded, records of past behavior can be extremely valuable, since historical data can be used to estimate the willingness to pay” “...what should be the appropriate technological and social safeguards to deal with this problem?” This lecture: technological safeguards via cryptography f(X 1, X 2, …,X n ) = (i, x j ), where x i = max k x k and x j = max k  i x k

12 Major Result [Yao,GMW] “ Any function f that can be evaluated using polynomial resources can be securely evaluated using polynomial resources”

13 SFE Many results depending on –Number of players –Means of communication –the power and model of the adversary –how the function is represented

14 Simulation A protocol is considered secure if: For every adversary (of a certain type) There exists a simulator that outputs an indistinguishable ``transcript”. Example: Encryption Zero-knowledge Next: secure function evaluation

15 Simulating the ideal model A protocol is considered secure if: For every adversary there exists a simulator operating in the ``ideal (trusted party) model that outputs an indistinguishable ``transcript”.

16 1-out-of 2 Oblivious Transfer Learns nothing YjYj Alice j Bob Y 0, Y 1 ChooserSender

17 Implementations of OT 1 2 Can be based on most public-key systems There are implementations with two rounds of communication

18 Oblivious Transfer 1-out-of-N OT   {0,1,…,N-1 } m 0,…,m N-1 mm Input: Output: The parties learn nothing else: Indistinguishable to Sender which  is used Chooser learns no other value of m 0,…,m N-1 Precise definition? SenderChooser

19 The EGL paradigm for OT 1 2 PK 0,PK 1 and proof that she knows only one private key E PK 0 (m 0 ), E PK 1 (m 1 ) Sender Chooser m 0,m 1   {0,1}

20 The Bellare-Micali Protocol   {0,1} m 0,m 1 Picks a private key k, sends PK  =g k, PK 1-  =C/PK  E (m 0 )=(g r 0, H[(PK 0 ) r 0 ]  m 0 ) E (m 1 )=(g r 1, H[(PK 1 ) r 1 ]  m 1 ) Random C in the group Decrypts m  using k Sender Chooser Picks random r 0, r 1

21 Properties Chooser is protected information-theoretically: PK 0 and PK 1 are random elements in the group such that PK 0 ¢ PK 1 =C Chooser cannot know both log g PK 0 and log g PK 1 –This implies knowing log g C –If Chooser knows PK  : then (PK 1-  ) r 1-  is an unknown Diffie-Hellman value Therefore m 1-  is computationally protected

22 Idea Chooser gives two ciphertexts - a good and a bad one - and proves consistency –Here: make it trivial to verify Sender randomizes ciphertexts –Good ciphertext remains consistent –Bad ciphertext - maps to random value –Based on random self-reducibility of DDH

23 The OT protocol Chooser defines x=g a, y=g b, z  =g ab and z 1-   z  –Sends ( x,y,z 0, z 1 ) to sender. note that z  =x b and y=g b Sender –Chooses random (r 0,s 0 ), (r 1,s 1 ). –Computes w 0 = x s 0. g r 0 and w 1 = x s 1. g r 1 –encrypts m 0 with z 0 s 0. y r 0 and m 1 with z 1 s 1. y r 1 –Sends w 0,w 1 and encryptions. Chooser recovers key as (w  ) b, decrypts m .

24 The OT protocol: Properties Security: –Chooser: DDH assumption implies that sender cannot distinguish between z  =g ab and z 1- . –Sender: If z 1-   g ab given (m 1- , w 1-  ) then z 1 -  s 1 - . y r 1 -  is uniformly distributed. Overhead: O(1) exponentiations. Generalization to OT 1 N without increasing chooser’s complexity. Question: how to do

25 Secret Sharing Threshold Secret Sharing - how to split a secret S into N shares so that – No k-1 shares yield any information about the secret S – Any k shares sufficient to reconstruct the secret Best known example: Shamir’s polynomials based scheme. Simplest example 2 out-of 2: choose random S 1 and let S 2 = S © S 1

26 Two party Computation Two party protocol Input: –Sender: Function P (some representation) –Receiver: X 2  0,1  n Output: –Receiver: P(x) and nothing else about P –Sender: nothing about x

27 Representations of P Boolean circuits [Yao,GMW,…] Algebraic circuits [BGW,…] Low deg polynomials [BFKR] Matrices product over a large field [FKN,IK] Randomizing polynomials [IK] Communication Complexity Protocol [NN]

28 Garbling P BInput: description of P as a Boolean circuit C over basis B Output: C –Garbled circuit C - tables – Pairs of garbled inputs  I 1 0, I 1 1 ,  I 2 0, I 2 1 , …,  I n 0, I n 1  –Pairs of Garbled outputs  Z 1 0, Z 1 1 ,  Z 2 0, Z 2 1 , …,  Z n 0, Z n 1 

29 Garbling Requirements For X 2  0,1  n and Y =P(x) Given –C –C - tables – Selection by X of garbled inputs X = (x 1, x 2, … x n )  I 1 x 1, I 2 x 2, …, I n x n  Possible to compute selection by y = (y 1, y 2, … y n )  Z 1 y 1, Z 2 y 2, …, Z n y n  Impossible to deduce anything about x or y Sender and Receiver share the output

30 Garbling We construct the garbled circuit Gate by gate Some topological sort (from inputs to outputs) Start by choosing random values for inputs  I 1 0, I 1 1 ,  I 2 0, I 2 1 , …  I n 0, I n 1  Let F W : {0,1} 2|C|  {0,1} n+1 Let be a pseudo-random function. |W| =n

31 Garbled Circuits Original circuit i j k G1G1 lm n G2G2 out G3G3

32 ij k W i 0,W i 1 W j 0,W j 1 W k 0,W k 1 G1 G1 lm n W l 0,W l 1 W m 0,W m 1 W n 0,W n 1 G2G2 out W out 0,W out 1 G3G3 Garbled Circuits Garbled values for wires Assign random pairs for each wire Assign random “permutation”  :  0,1    0,1  for each gate

33 Tables for a Gate b i, b j are the true values c i, c j permutated values b k =G(b i, b j ) If we know (c i, W i b i ) and (c j, W j b j ) want to know (c k, W k b k ) ij k W i 0,W i 1 W j 0,W j 1 W k 0,W k 1 G Typical entry: [(c k, W k G(b i,b j ) ) +F W i b i (c j,k) + F W j b j (c i, k)]

34 Translation table for an OR gate ij k W i 0,W i 1 W j 0,W j 1 W k 0,W k 1 G Encrypt (  k (b i,b j ), W k G(b i,b j ) ) with W i b i, W j b j Sender constructs a translation table from input values to output values

35 The protocol Initialization: –For every wire, Sender assigns random (garbled) values to the 0/1 values –For every gate, Sender constructs a table, s.t. given garbled values of input wires enables to compute garbled values of output wire and nothing else Computation: receiver obtains garbled values of input wires of circuit, and propagates them to the output wires

36 Choosing the garbled Inputs For each 1 · j · n run a 1-out-of-2 OT where –Sender:  I j 0, I j 1  –Receiver : X j Sender provides the receiver –The gates tables, –A translation table from garbled output values. Receiver computes result of P (x)

37 The world Pseudo-random generators Signature Schemes UOWHFs One-way functions String Commitment Zero-Knowledge for all of NP Pseudo-random Permutations Pseudo-random Functions Shared-key Encryption ( CCA2 ) and Authentication Trapdoor permutations CPA Public-key Factoring is hard (BG Permutations) P  NP CCA2 PKE OTSFE Secret-key Exchange

38 A more refined view OT Public Key Encryption CCA-Secure PKE PIR Secure MPC ZK Proofs for all of NP Shared-key Encryption and Authentication Commitment scheme Signature Scheme UOWHFs Coin flipping Efficient online memory checking minicrypt cryptomania Trapdoor Permutations One-way functions Computational Pseudorandomness 2 rounds Secret Key Exchange IBE

39 Separating the worlds OT Public Key Encryption SKE CCA-Secure PKE PIR Secure MPC ZK Proofs for all of NP Shared-key Encryption and Authentication Commitment scheme Signature Scheme UOWHFs Coin flipping Efficient online memory checking minicrypt cryptomania Trapdoor Permutations One-way functions Computational Psuedorandomness Impagliazzo and Rudich 1989: there is no blackbox construction of OT from OWF.

40 The Minicrypt = Cryptomania question “Minicrypt = Cryptomania?” is the most important problem in complexity and cryptography where We do not know the answer There is a reasonable chance to resolve it in the near future Omer Reingold: NL = L is a contender for the title

41 What’s next to study? IBE/Pairings MPC UC What’s next to explore A theory of computational and physical Assumptions A theory of moderate hardness Compressibility Privacy in Databases Humans and cryptography

42 References Y. Lindell and B. Pinkas A Proof of Yao's Protocol for Secure Two-Party Computation

Download ppt "Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation."

Similar presentations

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.

Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Privacy Preserving Auctions and Mechanism Design Moni Naor Benny Pinkas Reuben Sumner Presented by: Raffi Margaliot.

Privacy Preserving Auctions and Mechanism Design Moni Naor Benny Pinkas Reuben Sumner Presented by: Raffi Margaliot.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Similar presentations

Ads by Google