Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.

Published byJocelin Blair Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties."— Presentation transcript:

1 slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

2 slide 2 Reminder: Oblivious Transfer AB b 0, b 1 bibi i = 0 or 1 A inputs two bits, B inputs the index of one of A’s bits B learns his chosen bit, A learns nothing –A does not learn which bit B has chosen –B does not learn the value of the bit that he did not choose Generalizes to bitstrings, M instead of 2, etc.

3 slide 3 Reminder: Semi-Honest OT Protocol uAssume the existence of some family of one-way trapdoor permutations A B Chooses his input i (0 or 1) Chooses random x, y not i Computes y i =F(x) Chooses a one-way permutation F; T is a trapdoor, H is the hard-core bit of F F y 0, y 1 b 0  H(T(y 0 )), b 1  H(T(y 1 )) Computes b i =m i  H(x) How do we force malicious B to follow the protocol and pick y not i randomly?

4 slide 4 OT With Malicious Parties (Attempt) AB Chooses his input i (0 or 1) Picks random x Sets y i =F(x) Sets y not i =y’  y’’ Chooses a one-way permutation F; T is a trapdoor, H is the hard-core bit of F F, y’’ y 0, y 1 b 0  H(T(y 0 )), b 1  H(T(y 1 )) Computes b i =m i  H(x) Picks random y’ Commit(y’) Picks random y’’ c ZK proof that  i s.t. c=commit(y not i  y’’) m0m0 m1m1

5 slide 5 Proving Security for Chooser uChooser in this protocol gives out much more information than in the original protocol Commitment to a random value ZK proof that he used this value in computing y not i uTo prove security for Chooser, construct a simulator for Sender’s view (details omitted) Main idea: distribution of {c,y 0,y 1 } is independent of the bit i indicating Chooser’s choice Intuition: commitment c hides all information about y’ Intuition: Chooser’s proof is zero-knowledge, thus there exists a simulator for Sender’s view of the proof

6 slide 6 Proof of Sender Security (Attempt) Sim Cheating B F, y’’ y 0, y 1 b i  H(T(y i )), random m not i c Pick random F, y’’ mimi uSimulating malicious Chooser’s view of protocol Ideal OT functionality bibi B’s input bit i ZK proof that, for some j, c=commit(y’), y not j =y’  y’’ What if B cheated and used a different bit j in real protocol?! B will detect the difference between real protocol and simulation if i  j B’s input bit i Sim must extract bit j that B is using as his real choice

7 slide 7 Extracting Chooser’s Bit (Sketch!) Sim Cheating B F, y’’ y 0, y 1 b k  H(T(z k )), random m not k c Pick random F, y’’ mkmk Ideal OT functionality bkbk B’s input bit i rewind B F, z’’ z 0, z 1 One of y 0,y 1 is equal to y’  y’’ One of z 0,z 1 is equal to y’  z’’ There is a unique pair of bits (j,k) such that y not j  y’’ = z not k  z’’ = y’ Simulator learns k! ZK proof that, for some j, c=commit(y’), y not j =y’  y’’ ZK proof that, for some k, c=commit(y’), z not k =y’  z’’ Must be same y’ because commitment is binding

8 slide 8 ZK proof that  i s.t. c=commit(y not i  y’’) So, Is This Protocol Secure? AB Chooses his input i (0 or 1) Picks random x Sets y i =F(x) Sets y not i =y’  y’’ Chooses a one-way permutation F; T is a trapdoor, H is the hard-core bit of F F, y’’ y 0, y 1 b 0  H(T(y 0 )), b 1  H(T(y 1 )) Computes b i =m i  H(x) Picks random y’ Commit(y’) Picks random y’’ c m0m0 m1m1

9 slide 9 ZK proof that  i s.t. c=commit(y not i  y’’) Oops! A Chooses his input i (0 or 1) Picks random x Sets y i =y’  y’’ Sets y not i =y’  y’’ Chooses a one-way permutation F; T is a trapdoor, H is the hard-core bit of F F, y’’ y 0, y 1 b 0  H(T(y)), b 1  H(T(y)) Picks random y’ Commit(y’) Picks random y’’ c This is true, so proof passes! Note that y 0 =y 1 =y If these values are the same, B learns that b 0 = b 1 Would he be able to learn this in the ideal world? This proof is NOT enough for security against malicious chooser Cheating B

10 slide 10 OT Protocol with Malicious Parties AB Chooses his input i (0 or 1) Picks random x Sets y i = F(x) Sets y not i =y’  y’’ Chooses a one-way permutation F; T is a trapdoor, H is the hard-core bit of F F, y’’ y 0, y 1 b 0  H(T(y 0 )), b 1  H(T(y 1 )) Computes b i =m i  H(x) Picks random y’ Commit(y’) Picks random y’’ c ZKPK(y’,x,i) s.t. c=commit(y’), y i =F(x), y not i =y’  y’’ B proves that he executed previous steps correctly m0m0 m1m1 Can A learn y’, x or i from this proof?

11 slide 11 Proving Sender Security Sim Cheating B F, y’’ y 0, y 1 b i  H(T(y i )), random m not i c Pick random F, y’’ mimi uSimulating malicious Chooser’s view of protocol bibi ZKPK(y’,x,i) such that c=commit(y’), y i =F(x), y not i =y’  y’’ Because this is a ZK proof of knowledge, there is an extractor that allows simulator to extract y’, x and i (but ZKPK proof system must be secure against a malicious verifier – why?) Ideal OT functionality

12 slide 12 Naor-Pinkas Oblivious Transfer S C Choice: bit  Chooses random k Sets PK  =g k, PK 1-  =C/PK  C PK 0 g r, m 0  Hash((PK 0 ) r,0), m 1  Hash((PK 1 ) r,1) Computes (g r ) k = (PK  ) r and decrypts m  Messages m 0 and m 1 Chooser does not know discrete log of C Setting: order-q subgroup of Z*p, p is prime, q divides p-1 g is a generator group for which CDH assumption holds Chooses random r, computes PK 1 Chooser knows discrete log either for PK 0, or for PK 1, but not both Chooser does not know the discrete log of PK 1- , thus cannot distinguish between a random value g z and (PK 1-  ) r - why?

13 slide 13 1-out-of-4 Oblivious Transfer AB b 1,b 2,b 3,b 4 bibi i=1,2,3 or 4 Very similar to 1-out-of-2 oblivious transfer How to construct a 1-out-of-4 OT protocol given an 1-out- of-2 protocol?

14 slide 14 Boolean Circuits uAlice and Bob want to compute function f(a,b) Assume for now Alice and Bob are semi-honest uFirst, convert the function into a boolean circuit uNext, parties securely share their inputs ANDORAND NOT ORAND Alice’s inputs x 1 … x n Bob’s inputs x n+1 … x 2n

15 slide 15 Input Sharing AB Random r 1 … r n Let b i =r i uAfter this exchange, for all inputs x i … x i = a i  b i Alice still doesn’t know Bob’s inputs, and vice versa This is information-theoretically secure Knows x 1 … x n Knows x n+1 … x 2n Let a i = x i  r i for 1  i  n Random r n+1 … r 2n Let a i =r i for n+1  i  2n Let b i =x i  r i

16 slide 16 Evaluating an AND Gate Inputs x 1 and x 2 are shared between Alice and Bob –x 1 =a 1  b 1, x 2 =a 2  b 2 At the end of the protocol, Alice learns bit c 1 and Bob learns bit c 2 such that… –Bits c 1,2 are “random” –c 1  c 2 = x 1  x 2 = (a 1  b 1 )  (a 2  b 2 ) Output of the gate is shared between A and B just like the inputs AND x1x1 z Alice Bob x2x2 Knows a 1, a 2 Knows b 1, b 2 c1c1 c2c2

17 slide 17 Use Oblivious Transfer AB c 1  (a 1  a 2 ) c2c2 In every case, c 1  c 2 = (a 1  b 1 )  (a 2  b 2 ) = x 1  x 2 Can use similar tricks for other gate types Why do I give the ideal functionality only, not the actual protocol? Pick random c 1 c 1  (a 1  a 2 ) 1 if b 1 =b 2 =0 2 if b 1 =1, b 2 =0 3 if b 1 =0, b 2 =1 4 if b 1 =b 2 =1

18 slide 18 Is Secure OT Enough? uWe saw an oblivious transfer protocol which is secure even if parties are malicious Chooser commits to his input and proves in zero knowledge that he performed his computations correctly uSuppose each gate of the circuit is evaluated using an oblivious transfer protocol which is secure with malicious parties… uDo we obtain a protocol for securely computing any function with malicious parties?

19 slide 19 Oops! uWhen output of Gate 1 is used as input into Gate 2, both parties must use the same pair of bits that was obtained from evaluating Gate 1 (why?) Gate 1 x1x1 Alice Bob x2x2 c1c1 c2c2 Gate 2 c2c2 c1c1 The input bit on each wire is shared between Alice and Bob

20 slide 20 Security with Malicious Parties uDetails omitted (this is less than a sketch!) uIntuition: every party commits to its inputs and proves in ZK that it did its computation correctly This includes proving that output of one OT protocol is consistent with input of another OT protocol uMain advantage: secure building blocks compose into secure protocols Each building block (commitment, OT, etc.) is indistinguishable from its ideal functionality (IF) IFs can be composed without comprosiming security Can build a secure protocol from secure primitives

21 slide 21 Issues uParallel composition of zero-knowledge proofs does not work in general One proof is zero-knowledge, but two proofs executed concurrently are no longer zero-knowledge uHow can cryptographic primitives be formulated as secure multi-party problems? Many protocols use encryption, digital signatures, etc. uAdaptive corruptions: adversary may corrupt an honest party in the middle of protocol execution Proofs with “rewinding” don’t work any more (why?)

22 slide 22 ZKPK of Discrete Log uSuppose we have some ZK protocol  for proving knowledge of discrete log uHere is another protocol  ’ PV V Tries to guess w  P 1 if guessed correctly Probability of this is negligible Run  with V as prover If convinced, send w 0 if guessed incorrectly Run  with P as prover  ’ is a sound zero-knowledge protocol of discrete-log knowledge (why?) Knows w s.t. g w =uKnows u Knows w s.t. g w =u Knows u It’s important that w is unique (why?)

23 slide 23 This protocol is clearly NOT zero-knowledge (why?) Concurrent Composition uV runs two instances of protocol  ’ in parallel V Replays P 2 ’s messages to P 1 and P 1 ’s messages to P 2 P1P1 1 (i.e., “I know w”) Effectively, P 2 who knows w convinced P 1, but P 1 thinks he was convinced by V Run  with V as prover Convinced! Run  with P 2 as prover Knows w s.t. g w =u Knows u P2P2 Knows w s.t. g w =u 0 (i.e., “I don’t know w”) w Cheating verifier learns w!

24 slide 24 SMC In This Course This is how much we cover in this class

25 slide 25 To Learn More

Download ppt "Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties."

Similar presentations

Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.

Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Short course on quantum computing Andris Ambainis University of Latvia.

Short course on quantum computing Andris Ambainis University of Latvia.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.

Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions

Similar presentations

Ads by Google