1
Oblivious Comparator and its application to Auction
Hiroaki Kikuchi, Tokai University - Japan
2
English Auction (figure: Bidder A, Bidder B, Bidder C, Auctioneer; bids $30, $40, $50, $60)
3
Sealed-bid Auction (figure: Bidder A, Bidder B, Bidder C, Auctioneer; bids $70, $20, $50)
4
Issue: Trust in Auctioneer (figure: Bidder A, Bidder B, Bidder C; bids $70, $20; "A is $70, B is $20")
5
Approach: Oblivious Comparator (figure: Bidder A, Bidder B, Bidder C; bids $70, $20, $30; Winner ??? Who wins?)
6
Contents: Introduction for issues in auction and outline of an oblivious comparator; Secure Function Evaluation; Model, Building blocks and security; Completeness; Auction Protocol; Performance; Conclusion
7
Secure Function Evaluation (figure: players A, B, C with inputs a, b, c; CMP: y = ƒ(a, b, c))
Target: a+b+c, max(a,b,c), highest(A,B,C)
8
Model (figure: players A, B, C; CMP; inputs E[a], E[b], E[c]; state S_i)
E[y] = E[ƒ(a, b, c)]
S_{i+1} = T[E[y]]
9
The Idea: Logic Circuit with Ciphertext
1. Homomorphic Encryption over GF(2)
2. Logical Operations (AND, NOT)
3. Reed-Muller Expansion
4. State Machine “comparator”
10
1. Homomorphic Encryption
Public-key Encryption E[x]
Homomorphism over GF(2): for a, b in {m_0, m_1}, E[a] x E[b] = E[a ⊕ b]
Indistinguishability » Given E[m_0] and E[m_1], hard to figure E[m_0]
Distributed Threshold Encryption » Key-generation, decryption (t-out-of-n)
Verifiable encryption
11
Homomorphism over GF(2) (diagram): a, b --E--> E[a], E[b]; a ⊕ b --E--> E[a ⊕ b]; ⊕ on plaintexts, x on ciphertexts
12
Example: ElGamal encryption
Key Generation: p = 2q + 1, g in G of order q
public key: y = g^x, secret key: x
encryption: E[m] = (m y^r, g^r)
decryption: m = (m y^r) / (g^r)^x
Plain messages m in {1, -1}: 1 = false (0), -1 = true (1)
13
EXOR Homomorphism
E[a] = (a y^r, g^r), E[b] = (b y^s, g^s)
E[a] x E[b] = (ab y^(r+s), g^(r+s)) = E[ab]
1-bit EXOR
E[1] x E[1] = E[1]       0 ⊕ 0 = 0
E[1] x E[-1] = E[-1]     0 ⊕ 1 = 1
E[-1] x E[1] = E[-1]     1 ⊕ 0 = 1
E[-1] x E[-1] = E[1]     1 ⊕ 1 = 0
14
2. Logical Operations
Objective: Given a ciphertext E[a] (unknown a), player B with a plaintext b wishes to compute
» Negation E[~a]
» Conjunction E[ab]
» Disjunction E[a ∨ b]
without revealing his secret b.
15
2. Logical Operations
Lemma 3.1 (Negation) E[~a] = E[a] x E[m_1] = E[a ⊕ -1]
Lemma 3.2 (Conjunction)
Similarly, E[a_1 a_2 b] and E[a b] are computed.
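Added example (not from the original slides): a toy Python version of the ElGamal EXOR homomorphism from slides 12-13 and the negation of Lemma 3.1. The parameters P, Q, G and all function names are assumptions chosen here for illustration; the modulus is constructed and far too small for real use.

```python
import secrets

# Constructed toy parameters: safe prime P = 2Q + 1 (illustration only)
P, Q = 2039, 1019
G = 4                      # 4 = 2^2 is a square mod P, so it has order Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key x
    return x, pow(G, x, P)                    # public key y = g^x

def encode(bit):
    return 1 if bit == 0 else P - 1           # 1 = false(0), -1 = true(1)

def decode(m):
    if m not in (1, P - 1):
        raise ValueError("plaintext is not in {1, -1}")
    return 0 if m == 1 else 1

def encrypt(y, bit):
    r = secrets.randbelow(Q - 1) + 1          # fresh randomness per ciphertext
    return (encode(bit) * pow(y, r, P) % P, pow(G, r, P))   # (m*y^r, g^r)

def decrypt(x, ct):
    c1, c2 = ct
    return decode(c1 * pow(pow(c2, x, P), -1, P) % P)       # m = c1 / c2^x

def mul(ct_a, ct_b):
    # Component-wise product: (ab*y^(r+s), g^(r+s)) = E[ab], i.e. E[a XOR b]
    return (ct_a[0] * ct_b[0] % P, ct_a[1] * ct_b[1] % P)

def negate(y, ct):
    # Lemma 3.1: E[~a] = E[a] x E[m_1], with m_1 = -1 (true)
    return mul(ct, encrypt(y, 1))

def xor_table(x, y):
    # Decrypt E[a] x E[b] for all four bit pairs
    return {(a, b): decrypt(x, mul(encrypt(y, a), encrypt(y, b)))
            for a in (0, 1) for b in (0, 1)}

def parity(y, bits):
    # Fold any number of encrypted bits using only the public key
    acc = encrypt(y, 0)
    for b in bits:
        acc = mul(acc, encrypt(y, b))
    return acc
```

Only decrypt() needs the secret key x; mul(), negate() and parity() work on ciphertexts with the public key alone, which is what lets the comparator combine values it cannot read.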
16
2. Logical Operations Verifiability Attack : (violating definition) » E.g. sending E[random] as E[ab], or E[a] when b = 0.
17
3. Reed-Muller Expansion
Lemma 2.3 Arbitrary n-variable boolean function ƒ(x_1, x_2, x_3) is represented as
ƒ = a_0 ⊕ a_1 x_1 ⊕ a_2 x_2 ⊕ a_3 x_3 ⊕ a_4 x_1 x_2 ⊕ a_5 x_1 x_3 ⊕ a_6 x_2 x_3 ⊕ a_7 x_1 x_2 x_3
where a_i in {0,1} (Boolean)
18
3. Reed-Muller Expansion
Lemma 2.1 x ∨ y = x ⊕ y ⊕ xy
Majority function ƒ(x,y,z) = xy ∨ xz ∨ yz = xy ∨ (xz ⊕ yz ⊕ xzyz) = xy ⊕ xz ⊕ yz ⊕ xyz
x  y  x⊕y  xy  x∨y
0  0   0    0   0
0  1   1    0   1
1  0   1    0   1
1  1   0    1   1
19
4. State Machine
Oblivious Computer C
Set of states S_i = {s_1, …, s_L} » L = 2^i, S_0 = ∅
State transition function T » S_i = T(S_{i-1}, A_i) » A_i: Sequence of ciphertexts
Decoding function D » Y = D[S_n]
(figure: P_i with input b_i sends A_i to C; C holds S_i and computes S_{i+1} = T(S_i, A_i))
20
E.g. Majority Function
P_A (input a): A_1 = {E[a]}, T(S_0, A_1) = S_0 ∪ A_1, S_1 = {∅, E[a]}
P_B (input b): A_2 = {E[b], E[ab]}, S_2 = S_1 ∪ A_2
P_C (input c): A_3 = {E[ac], E[bc], E[abc]}, S_3 = S_2 ∪ A_3
21
Majority Function
Final State: S_3 = {E[a], E[b], E[c], E[ab], E[ac], E[bc], E[abc]}
Decoding function D:
D(S_3) = E[ab] x E[ac] x E[bc] x E[abc] = E[ab ⊕ ac ⊕ bc ⊕ abc] = E[ab ∨ ac ∨ bc]
22
Oblivious Comparator (Auction)
K-bit Input: A: a = (a_2, a_1, a_0), B: b = (b_2, b_1, b_0)
Output:
Winning price c = max(a,b) = a if a > b, b if a < b
Winner w = A if a > b, B if a < b
23
Oblivious Comparator Flags = true if a>b = true if a<b = true if a b A: a = (1 0 0) B: b = (1 1 0) cc 00010001 01110111 01100110 = i-1 a i ~b i = i-1 ~a i b i = i i = ~ (a) ( i a i i b i )
24
n-player Comparison
(figure: players P1, P2, ... send a_1, a_2, ... to C)
S_1 = c, S_2 = max(c, a_1), S_3 = max(c, a_2), ..., S_n = max(c, a_n) = max(a_1, .., a_n)
Size of S is independent of n
25
Efficiency: k-bit Comparator
Internal state: 2^k ciphertexts, O(2^k)
Rounds: once for each player, O(n)
Bidder communication: 2^k minterms x ciphertexts, O(2^k)
Computation: 2^k ciphertext E[m_0], O(2^k)
26
Conclusions
We have proposed a cryptographic protocol for secure function evaluation, i.e., a functionally complete oblivious computer
» Round complexity of n
» Communication and Computation of O(2^k)
Its application to Auction, in which the auctioneer is able to perform comparison for n bids and determine the winning price and the winner without knowledge of each bid.
27
Threshold Decryption Key Generation Secret ƒ(1), ƒ(2), ƒ(3) Public key y = g ƒ(0) = g ƒ(1) 1 g ƒ(2) 2 g ƒ(3) 3 Decryption E[m] = (my r, g r ) m = my r / (g r ) ƒ(1) 1 (g r ) ƒ(1) 1 (g r ) ƒ(1) 1
28
Performance
Columns: bidders (rounds, bandwidth); auctioneers (#, rounds, bandwidth)
KHT98: 1 O(2^k) m1
Sako99: 1 O(1) mmk/2 O(n)
MS99: k/2 O(1) 1nk/2 O(1)
Proposed: 1 O(2^k) 1n
First-Price