1 Robust Combiners for Oblivious Transfer and Other Primitives
Danny Harnik, Joe Kilian, Moni Naor, Omer Reingold, Alon Rosen
Weizmann Institute of Science


2 Do Not Put All Your Eggs in One Basket

3 Example: Encryption
Two candidates for encryption algorithms, Encrypt_A and Encrypt_B.
At least one is secure. Maybe one is not!
Which one to use???
Goal: combine the two into a single algorithm, Encrypt, that should be secure even if one is not!
We call such a construction a Robust Combiner for encryption.
(Figure: Encrypt_A and Encrypt_B are fed into the combined Encrypt.)

4 Robust Combiners
A Robust Combiner for a cryptographic primitive: a method for taking two candidate implementations of a primitive and producing a single implementation so that:
–If at least one candidate is secure then the resulting scheme is secure.
In general, a (k,n)-robust combiner: there are n candidates; if at least k are secure then the result is secure.
New name for an old concept.

5 Some Previous Appearances
Herzberg (05) – “Tolerant schemes”
–Parallel and cascade constructions as combiners.
–Combiners for encryptions, one-way functions, signatures and more.
–Emphasis on the efficiency of the combiners.
Some examples:
–Asmuth & Blakely (81) – combine two untrusted encryption schemes.
–Multiple encryption is a type of combiner, dates back to Shannon (49).
–Dodis & Katz (05) – combiner for CCA2 security.
–Hohenberger & Lysyanskaya (05) – combine two software implementations.
–More…

6 Combiners in Practice
NESSIE – portfolio of recommended cryptographic primitives – advocates the use of multiple encryption.
TLS (IETF) – combines the SHA1 & MD5 hash functions: “In order to make the PRF as secure as possible, it uses two hash algorithms in a way which should guarantee its security if either algorithm remains secure”

7 Combiners as a Theoretical Tool
Robust combiners are a handy tool in the construction of primitives.
Can get rid of mild non-uniformity in constructions:
–If a short hint is all that is needed to construct an implementation of P, then go over all hints and use a (1,k)-robust P-combiner.
Example: the HILL construction of pseudorandom generators from one-way functions:
–Finds a construction with mild non-uniformity.
–Then uses a combiner for PRGs to give a uniform construction.

8 Example – Universal Primitives
A scheme U is a universal scheme for a primitive P if it is guaranteed to be secure under the sole assumption that primitive P exists.
Levin introduced such a construction for OWFs (see Goldreich’s book).
Key to the universal scheme: the existence of (1,k)-robust combiners.
The idea:
–Enumerate all programs of code length log n.
–Use a (1,n)-combiner for primitive P.
–If P exists then for large enough n, its program is included in the n candidates for the combiner.
–For large enough n the scheme is secure.
–Need some bound on the running time (achieved by a padding argument).
Meaning of universal scheme: every proof of existence is also a constructive one!
But:
–Works only for uniform constructions.
–Yields no information for which n it is safe to use the construction.

9 This Talk
Goal of this talk: explore when and for what primitives it is possible to obtain combiners, and when it is impossible/harder.
Outline:
–One-way functions & equivalents
–Key Agreement
–Oblivious Transfer
 Impossibility result for (1,2)-combiner
 Positive results – (2,3)-combiner
–On (1,n)-combiners from (1,2)-combiners

10 Warm-Up – OWF combiners
One-way functions:
–Two candidates F_A, F_B
–The Combiner: F(x,y) = F_A(x)|F_B(y)
Corollary: combiners also for “equivalents” of one-way functions. Robust combiners for:
–Pseudo-random generators
–Pseudo-random functions
–Pseudo-random permutations
–Private key encryption
–Signatures
–Bit commitments*
Example: (Figure: PRG candidates G_A, G_B are viewed as OWF candidates F_A, F_B; the OWF-combiner yields F, and [HILL] builds a PRG G from F.)
This is not always the simplest way!! For all but bit commitment there is a direct construction of a combiner.
Example: an efficient combiner for PRG is G(x,y) = G_A(x) ⊕ G_B(y)
–Used by [HILL]…

11 Key Agreement (KA)
Alice and Bob (who never met before) interact over a public channel. They want to agree on a secret key.
Two candidates for KA: KA_A and KA_B.
Suppose that both candidates really reach agreement. Combiner simply by XOR of the keys: K = K_A ⊕ K_B.
What if functionality is only guaranteed for one candidate?
(Figure: Alice and Bob run KA_A and KA_B over the public channel, obtaining K_A and K_B, while an eavesdropper watches the channel.)

12 Key Agreement (cont.)
In general, only one candidate is guaranteed to be a KA.
–Security – only for that candidate
–Functionality – only for that candidate…
Solution in two stages:
1. Run an offline functionality test for each candidate.
–One party simulates the candidate poly(n) times (playing both sides). Only if agreement is reached in all instances then use the candidate.
–Otherwise agree on 0^n.
–Run the XOR combiner: K = K_A ⊕ K_B.
–Guaranteed agreement with prob 1-1/n.
2. Use an Error Correcting Code to reach full agreement.
–One side chooses the key and divides it into shares.
–The above key agreement is run for each share.
–With overwhelming prob both sides end with the same key.
Notes:
–The KA combiner preserves the number of rounds.
–2-message KA is equivalent to (semantically secure) Public Key Encryption ⇒ robust combiner for PKE.
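The two-stage KA combiner above, as an added worked example (not code from the talk or paper): the candidates are constructed toy KA runs in which one party plays both sides, the offline functionality test and the XOR stage follow the slide, and the error-correcting code of stage 2 is a repetition code with bitwise majority decoding, chosen here for concreteness since the slide does not fix a code. Names such as ToyKA, xor_combiner and full_agreement_ka are this example's own.

```python
import random


def rand_bytes(rng, n):
    return bytes(rng.randrange(256) for _ in range(n))


def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


class ToyKA:
    """Constructed stand-in for a KA candidate: run() plays both Alice and Bob and
    returns (Alice's key, Bob's key), each n bytes.  fail_prob models a candidate whose
    functionality is broken: with that probability the two parties end up disagreeing."""
    def __init__(self, n, fail_prob=0.0):
        self.n, self.fail_prob = n, fail_prob

    def run(self, rng):
        key = rand_bytes(rng, self.n)
        if rng.random() < self.fail_prob:
            return key, rand_bytes(rng, self.n)   # no agreement: Bob holds an unrelated key
        return key, key


def passes_functionality_test(cand, rng, trials):
    """Stage 1a: one party simulates the candidate `trials` times (playing both sides)
    and accepts it only if agreement is reached in every instance."""
    return all(ka == kb for ka, kb in (cand.run(rng) for _ in range(trials)))


def xor_combiner(cands, rng, trials):
    """Stage 1b: a candidate that fails the test contributes 0^n; the rest are run once
    and the keys are XORed.  Returns (Alice's key, Bob's key)."""
    n = cands[0].n
    k_alice = k_bob = bytes(n)
    for cand in cands:
        if passes_functionality_test(cand, rng, trials):
            a, b = cand.run(rng)
        else:
            a = b = bytes(n)                      # agree on 0^n
        k_alice, k_bob = xor_bytes(k_alice, a), xor_bytes(k_bob, b)
    return k_alice, k_bob


def full_agreement_ka(cands, rng, reps, trials):
    """Stage 2: Alice picks the final key K and encodes it with a repetition code (the
    ECC chosen for this example): K is sent `reps` times over the public channel, each
    copy one-time-padded with a fresh stage-1 key.  Bob decodes by bitwise majority, so
    an occasional stage-1 disagreement is corrected.  Returns (Alice's K, Bob's key)."""
    n = cands[0].n
    K = rand_bytes(rng, n)
    copies = []
    for _ in range(reps):
        k_alice, k_bob = xor_combiner(cands, rng, trials)
        ciphertext = xor_bytes(K, k_alice)            # what Alice puts on the channel
        copies.append(xor_bytes(ciphertext, k_bob))   # Bob's (possibly garbled) copy
    bob = bytearray(n)
    for i in range(n):
        for bit in range(8):
            ones = sum((cp[i] >> bit) & 1 for cp in copies)
            if 2 * ones > reps:
                bob[i] |= 1 << bit
    return K, bytes(bob)


if __name__ == "__main__":
    rng = random.Random(2024)
    good, flaky = ToyKA(16), ToyKA(16, fail_prob=0.05)
    K, bob = full_agreement_ka([good, flaky], rng, reps=9, trials=16)
    print("agreement:", K == bob)
```

The security side is not exercised by the code: with a candidate whose key is exposed to the eavesdropper, the XOR with the other candidate's key is still uniform, which is exactly the slide's argument, while the test and the code only address functionality.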

13 Secure Computation
We have simple and black-box robust combiners for many cryptographic tasks, for both private key and public key cryptography.
What about secure function evaluation (SFE)?
In particular, is there a (1,2)-robust combiner for the Oblivious Transfer (OT) protocol [Rabin 81]?
OT protocol: Alice (sender) holds s_0, s_1; Bob (receiver) holds c.
–Bob gets s_c.
–Bob doesn’t learn s_{1-c}.
–Alice does not learn c.
OT is complete for SFE!
Consider the task of voting. Idea for implementation: use electronic ballots from several vendors. Combine them to assure security.

14 Finding OT-Combiners seems hard
Want to show an impossibility result, but:
–If OT exists, then a combiner can simply ignore the candidates and run the OT.
We are interested in combiners that rely on the candidates’ security.
Consider Black Box Combiners.
–The candidates are given in a BB manner (as oracles).
–The proof is BB! Breaking the combiner allows breaking both candidates.
Situation more delicate with interactive primitives.
(Figure: candidates A and B are fed into the combiner CMB.)

15 Interactive protocols – Third Party Black Box Combiners
A Third Party Black Box combiner can only execute a candidate scheme ‘in its entirety’:
–In a call to a candidate, each party gives its secret to a trusted third party and gets its output.
–Additional messages may be exchanged.
Models the OT as a separate entity. Examples:
–‘Physical’ implementations (noisy channel, quantum…)
–Trusted parties
Does not allow arbitrary access to the OT:
–Either to the transcript or to the program.
Advantages: efficiency and generality.
Downside: too restrictive. In such a reduction, OT does not even imply OWFs…
Theorem: There exists no third party BB combiner for OT.

16 Interactive protocols – Transparent Black Box Combiners
We attempt to capture a wider notion of combiners:
–Combiners that can also access the transcript.
An interactive protocol is generated using 2 oracles:
–A next-message oracle (creates the next message to be sent given the history).
–An output oracle (generates the local output given the transcript).
A Transparent Black Box combiner:
–Every time a next-message call is invoked, this message is sent to the other party.
Models using the candidate in the context of the protocol.
Theorem: There exists no transparent BB combiner for OT.

17 Impossibility of OT-combiners… Some Intuition
Consider two naïve ‘implementations’ of OT:
–OT_A: the sender gives the receiver s_0 and s_1. Unconditionally secure for the receiver.
–OT_B: the receiver gives the sender c and the latter sends s_c. Unconditionally secure for the sender.
What if we apply the combiner on OT_A and OT_B? Do we get an unconditional implementation of OT?
–Impossible…

18 OT transparent black box impossibility
Theorem: For every transparent BB combiner for OT there exists a world in which it can be broken.
Broken = either the sender can guess c with probability ¾ or the receiver can guess both s_0 and s_1 with probability ¾.
More precisely:
–We show two worlds such that every transparent BB OT-combiner is broken in one of them.
In general we will be considering the honest-but-curious model.

19 The two worlds
Good OT via oracles (f_1, f_2, Rec): f_1 and f_2 are length-tripling random functions, Rec is a recovery function.
The protocol:
–Receiver: m_1 = f_1(Rand_R, c)
–Sender: m_2 = f_2(Rand_S, s_0, s_1, m_1)
–Receiver: Rec(m_2, Rand_R) = s_c
This is a good ‘implementation’ of OT (even in the presence of a PSPACE-complete oracle).
If there is access to f_1^{-1} and f_2^{-1} then this implementation is broken.
OT_A = (f_1A, f_2A, Rec_A), OT_B = (f_1B, f_2B, Rec_B)
World 1:
–OT_A and OT_B implemented by separate oracles.
–Contains a PSPACE-complete oracle.
–OT_A reveals everything to the sender (access to f_1A^{-1} and f_2A^{-1}).
World 2:
–OT_A and OT_B
–Contains a PSPACE-complete oracle.
–OT_B reveals everything to the receiver.

20 The protocol OT_COMB
Consider the OT-combiner taking OT_A and OT_B as candidates. Call this protocol OT_COMB.
OT_COMB looks exactly the same in World 1 and World 2.
OT_COMB should be a secure OT in both worlds:
–Since one of the OTs is good in each of the worlds.
Goal: show an attack on OT_COMB in at least one of the worlds. This would be a contradiction!
World 1:
–OT_A and OT_B implemented by separate oracles.
–Contains a PSPACE-complete oracle.
–OT_A reveals everything to the sender (access to f_1A^{-1} and f_2A^{-1}).
World 2:
–OT_A and OT_B
–Contains a PSPACE-complete oracle.
–OT_B reveals everything to the receiver.

21 The Bare World
The bare world contains only a PSPACE-complete oracle (no oracles for OT).
We give a simulation of OT_COMB in this world, called OT_BARE.
–Notice that OT_COMB is well defined as long as we plug in implementations of OT_A and OT_B.
–The idea for OT_BARE: the sender handles the OT_A calls, the receiver handles the OT_B calls.
For example:
–The receiver wants to query OT_A.
–He instead asks the sender this query.
–The sender chooses random values as answers for queries to f_1A, f_2A (this imitates the real oracle).
–The sender also records all his answers, giving him the ability to correctly answer queries to Rec_A.

22 No OT in the Bare World
OT_BARE cannot be secure since there is no crypto with a PSPACE oracle!
More precisely:
–For every execution of OT_BARE either the sender learns c or the receiver learns both secrets (using the PSPACE-complete oracle).
The point: these attacks can be translated to attacks on OT_COMB in one of the two worlds!

23 No OT in the Bare World
Corollary:
–If the sender in the bare world learns c, then the sender of the corresponding OT_COMB in World 1 also learns c.
–If the receiver in the bare world learns both secrets, then the receiver of OT_COMB in World 2 learns both secrets.
Altogether: every execution is broken in one of the two worlds…
Views compared:
–OT_BARE, view of sender. Includes: sender’s inputs & coins, all messages, all queries + answers to OT_A (since he simulates OT_A).
–OT_COMB, view of sender in World 1. Includes: sender’s inputs & coins, all messages, all queries + answers to OT_A (since he has the inverter for OT_A, and due to the transparency of the combiner).
–OT_BARE, view of receiver vs. OT_COMB, view of receiver in World 2.

24 (2,3)-Robust OT-Combiner
Define 2 constructions, R and S (from Crépeau & Kilian 89). Both have OT functionality. Also:
R takes 2 candidates for OT. Outcome is:
–Secure for the receiver if at least one candidate is secure for the receiver.
–Secure for the sender only if both are secure for the sender.
S takes 3 candidates for OT. Outcome is:
–Secure for the receiver if all 3 are secure.
–Secure for the sender if at least one is secure.
Define:
–OT_AB = R(OT_A, OT_B)
–OT_AC = R(OT_A, OT_C)
–OT_BC = R(OT_B, OT_C)
The (2,3)-combiner is defined as S(OT_AB, OT_AC, OT_BC).
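An added example (not code from the paper or the talk) that runs the (2,3)-combiner S(R(A,B), R(A,C), R(B,C)) on single-bit toy OT candidates and brute-forces the honest-but-curious views. The slide does not spell out R and S; the forms used here are assumptions of this example: R masks the sender's inputs with a random bit r and has the receiver split c into two random choice bits, and S is 3-way XOR secret sharing with the same c in every instance. These forms have exactly the properties listed on the slide, and the audit below checks them: with any single candidate broken for both sides the combined OT still hides c and s_{1-c}, with two broken candidates it does not. The "leaky" candidate, the view model and all names are constructed for this example.

```python
import itertools
import random

BITS = (0, 1)


class ToyOT:
    """Constructed single-bit 1-out-of-2 OT candidate.  leaky=True models a candidate
    broken for both parties: the sender learns c and the receiver learns (s0, s1).
    Each party's view records everything it gets to see."""
    def __init__(self, name, leaky=False):
        self.name, self.leaky = name, leaky

    def run(self, s0, s1, c, sender_view, receiver_view):
        out = s1 if c else s0                      # OT functionality: receiver gets s_c
        receiver_view.append((self.name, "out", out))
        if self.leaky:
            sender_view.append((self.name, "c", c))
            receiver_view.append((self.name, "inputs", (s0, s1)))
        return out


def r_combine(ot_x, ot_y, s0, s1, c, r, c1, sv, rv):
    """R(OT_x, OT_y) in the assumed XOR-masking form.  With c2 = c ^ c1 the receiver
    gets x_{c1} ^ y_{c2} = s_c.  Each of c1, c2 alone is uniform, so c leaks only if
    both candidates leak it; either candidate leaking its inputs reveals s0 ^ s1."""
    x = ot_x.run(r, r ^ s0 ^ s1, c1, sv, rv)
    y = ot_y.run(s0 ^ r, s1 ^ r, c ^ c1, sv, rv)
    return x ^ y


def combined_ot(cands, s0, s1, c, scoins, rcoins):
    """(2,3)-combiner S(R(A,B), R(A,C), R(B,C)).  S (assumed 3-way XOR sharing) splits
    each secret into three shares, one per R instance; the receiver uses the same c in
    all three.  scoins: 4 share bits + 3 masks r; rcoins: the c1 bit of each R instance.
    Returns (receiver output, sender view, receiver view)."""
    A, B, C = cands
    a0, b0, a1, b1, r1, r2, r3 = scoins
    shares0 = (a0, b0, a0 ^ b0 ^ s0)
    shares1 = (a1, b1, a1 ^ b1 ^ s1)
    sv, rv, out = [], [], 0
    pairs = ((A, B), (A, C), (B, C))
    for (x, y), t0, t1, r, c1 in zip(pairs, shares0, shares1, (r1, r2, r3), rcoins):
        out ^= r_combine(x, y, t0, t1, c, r, c1, sv, rv)
    return out, sv, rv


def receiver_learns_other_secret(cands, s0, s1, c, scoins, rcoins):
    """Honest-but-curious receiver: is s_{1-c} determined by its view?  Brute force
    over every sender input and coin assignment that reproduces the same view."""
    _, _, view = combined_ot(cands, s0, s1, c, scoins, rcoins)
    possible = set()
    for t0, t1, *coins in itertools.product(BITS, repeat=9):
        if combined_ot(cands, t0, t1, c, coins, rcoins)[2] == view:
            possible.add(t0 if c else t1)
    return len(possible) == 1


def sender_learns_choice(cands, s0, s1, c, scoins, rcoins):
    """Honest-but-curious sender: is c determined by its view?"""
    _, view, _ = combined_ot(cands, s0, s1, c, scoins, rcoins)
    possible = set()
    for cc, *coins in itertools.product(BITS, repeat=4):
        if combined_ot(cands, s0, s1, cc, scoins, coins)[1] == view:
            possible.add(cc)
    return len(possible) == 1


def audit(leaky, trials=8, seed=1):
    """Break the named candidates and check, over all inputs and sampled coins, that the
    combined OT is still correct and that neither party ever learns what OT must hide."""
    cands = tuple(ToyOT(n, leaky=n in leaky) for n in "ABC")
    rng = random.Random(seed)
    correct, rcv_broken, snd_broken = True, False, False
    for s0, s1, c in itertools.product(BITS, repeat=3):
        for _ in range(trials):
            scoins = tuple(rng.randrange(2) for _ in range(7))
            rcoins = tuple(rng.randrange(2) for _ in range(3))
            out, _, _ = combined_ot(cands, s0, s1, c, scoins, rcoins)
            correct = correct and out == (s1 if c else s0)
            rcv_broken = rcv_broken or receiver_learns_other_secret(cands, s0, s1, c, scoins, rcoins)
            snd_broken = snd_broken or sender_learns_choice(cands, s0, s1, c, scoins, rcoins)
    return {"correct": correct, "receiver_broken": rcv_broken, "sender_broken": snd_broken}


if __name__ == "__main__":
    for broken in ({}, {"A"}, {"B"}, {"C"}, {"A", "B"}):
        print(sorted(broken), audit(set(broken)))
```

The audit is a brute-force check on the information-theoretic toy model, not a proof: it enumerates the other party's coins, which is only feasible because the secrets are single bits and the candidates are idealised. What it does show is the exact combinatorics behind the slide: one broken candidate spoils one share of S and one half of two R instances, which is never enough, while two broken candidates expose both choice bits of some R instance and the 1-c share of every R instance.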

25 (1,k)-Combiner from (1,2)-Combiner
Existence of a (1,2)-combiner is necessary for (1,k)-combiners to exist. When are they sufficient?
Natural approach:
–Organize the k schemes in a binary tree with k leaves.
–Each node runs the (1,2)-combiner with its two children as candidates.
–Outcome is secure if at least one leaf is secure.
Need to ensure running time is polynomial:
–If the (1,2)-combiner runs in time m × (candidates’ time),
–total running time is m^Ω(log k).
If m is a constant then total time is polynomial and the tree construction works.
If a (1,2)-combiner for OT is found it will not likely be that efficient…

26 (1,k)-Combiner for OT from (1,2)-Combiner for OT
Theorem: Any (1,2)-combiner for OT can be used for a (1,k)-combiner for OT.
Solution: use the (2,3)-combiner for OT, which runs in time ~6 × (candidates’ time).
–Divide the k candidates into 3 groups of size 2k/3.
–Each candidate should appear in at least two groups.
–Recursively run a (1,2k/3)-combiner on each group.
–The 3 outcomes are combined using the (2,3)-combiner.
Running time is polynomial:
–If the (1,2)-combiner runs in time n^d, total running time is 18^Ω(log k) · n^d.
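To make the running-time argument of the last two slides concrete, an added example (not the authors' code) that builds both combiner structures over abstract candidate ids, checks the (1,k) security property by propagating "secure" through the structure, and evaluates the cost recurrences with m (the (1,2)-combiner's overhead, playing the role of n^d) as a parameter and the (2,3)-combiner's overhead fixed at 6 as on the slide. The split into thirds P, Q, R with groups P+Q, Q+R, P+R is one way to put every candidate in exactly two groups and is an assumption of this example; the (1,2)-combiner is used only at the bottom, on pairs of original candidates, which is why the expensive factor m appears once rather than log k times.

```python
def build_tree(cands):
    """Naive (1,k)-combiner of slide 25: balanced binary tree with a (1,2)-combiner
    ("c12") at every internal node."""
    if len(cands) == 1:
        return ("leaf", cands[0])
    h = len(cands) // 2
    return ("c12", build_tree(cands[:h]), build_tree(cands[h:]))


def build_grouped(cands):
    """(1,k)-combiner of slide 26: pairs of original candidates go through the
    (1,2)-combiner; larger sets are split into thirds P, Q, R and the three overlapping
    groups P+Q, Q+R, P+R (each candidate in exactly two) are combined with the
    (2,3)-combiner ("c23").  Group sizes are < k for k >= 3, so the recursion ends."""
    k = len(cands)
    if k == 1:
        return ("leaf", cands[0])
    if k == 2:
        return ("c12", ("leaf", cands[0]), ("leaf", cands[1]))
    a = k // 3
    P, Q, R = cands[:a], cands[a:2 * a], cands[2 * a:]
    return ("c23", build_grouped(P + Q), build_grouped(Q + R), build_grouped(P + R))


def is_secure(node, secure_cands):
    """Propagate security: a (1,2) node is secure if any child is, a (2,3) node if at
    least two children are."""
    kind = node[0]
    if kind == "leaf":
        return node[1] in secure_cands
    votes = [is_secure(child, secure_cands) for child in node[1:]]
    return any(votes) if kind == "c12" else sum(votes) >= 2


def cost(node, m, m23=6):
    """Running time in units of one candidate run: a (1,2)-combiner costs m times its
    candidates' time, the (2,3)-combiner about 6 times."""
    kind = node[0]
    if kind == "leaf":
        return 1
    children = sum(cost(child, m, m23) for child in node[1:])
    return (m if kind == "c12" else m23) * children


def robust_for_every_single_candidate(build, k):
    """(1,k) property: secure whenever any one of the k candidates is secure, and
    (sanity) insecure when none is."""
    tree = build(list(range(k)))
    return all(is_secure(tree, {i}) for i in range(k)) and not is_secure(tree, set())


if __name__ == "__main__":
    m = 1000                                   # stands in for n^d
    for k in (2, 4, 8, 16, 32, 64):
        ids = list(range(k))
        print(k, cost(build_tree(ids), m), cost(build_grouped(ids), m))
```

For k = 2^j the tree cost is k·m^j, so the exponent of m grows with log k; the grouped cost obeys T(k) = 18·T(2k/3) above the pair level and the only factor of m comes from the (1,2) leaves, matching the 18^Ω(log k)·n^d bound on the slide.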

27 Summary for OT Combiners
Negative:
–No transparent BB robust combiners for OT.
Positive:
–OT given hardness of discrete log or factoring.
 –Since the security of one of the sides is unconditional.
–There are (2,3)-robust OT-combiners, simple and third party black box.
–(1,2)-combiners for OT suffice for a universal OT scheme.
Main open problem: combiners for OT???? (perhaps non-black-box)…

28 Main open problem: Non-black box combiners for OT
Approaches for non-BB:
–Use the circuit of a function. Examples: ZK for NP, garbled circuits (Yao).
–Use the program of the adversary. Example: Barak’s public coin ZK.
Attempt with garbled circuits:
–Consider the circuit for OT_A.
–The sender garbles this circuit, fixing s_0 and s_1 and its randomness Rand_S.
–Let the receiver evaluate his output bit on inputs c and Rand_R, using OT_B at the input gates.
–Fails when OT_B is insecure…

29 Open Problems – Commitments
For computationally hiding commitment, known only via a full reduction to one-way functions.
–Inefficient and requires the transcript.
What about information hiding commitments?
–Not known to be equivalent to OWFs (one-way permutations are needed in NOVY)*
Negative: third party BB impossibility for both commitments.
Positive:
–Simple (2,3)-combiners (Herzberg).
–If one side’s security is guaranteed, then easy (e.g. string commitments that are very short (Kilian 92)).

30 Open Problems
Characterize functions where BB combiners exist.
Efficiency issues: can you get a one-way hash function without concatenation?
–Especially relevant given recent developments…

