Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Oblivious Transfer with Stateless Secure Tokens Alcatel-Lucent Bell Labs Vlad Kolesnikov.

Published byGabriel Cain Modified over 8 years ago

Similar presentations

Presentation on theme: "Efficient Oblivious Transfer with Stateless Secure Tokens Alcatel-Lucent Bell Labs Vlad Kolesnikov."— Presentation transcript:

1 Efficient Oblivious Transfer with Stateless Secure Tokens Alcatel-Lucent Bell Labs Vlad Kolesnikov

2 Proprietary © Alcatel-Lucent 2009 2 Secure Function Evaluation y x Learn: F(x,y) Variety of known techniques Garbled Circuit (aided computation under encryption) Alice encrypts wire signals and truth tables Given active wire key, Bob decrypts part of truth table and obtains next wire key

3 Proprietary © Alcatel-Lucent 2009 3 Input: b Input: secrets s 0, s 1 Learn: Learn: nothing Oblivious Transfer (OT) sbsb  Basic primitive for Secure Function Evaluation

4 Proprietary © Alcatel-Lucent 2009 4 Model  Alice sends a tamper-resistant token T to Bob  Alice and Bob want to compute securely  In this work:  T is stateless k k

5 Proprietary © Alcatel-Lucent 2009 5 Simple OT b counter ++ F k (counter,b) s 0 © F k (counter,0), s 1 © F k (counter,1) A few of efficient techniques exist; all require keeping state on T A few techniques for SFE with stateless tokens, but inefficient sbsb k

6 Proprietary © Alcatel-Lucent 2009 6 Our idea b,x v =F k b (x) k 0,k 1 1. Bob can obtain at most one preimage (under k 0 or k 1 ) for any v 2. x is random ) v is random v does not leak which of k 0, k 1 was used Use Strong (invertible) PRPG F

7 Proprietary © Alcatel-Lucent 2009 7 Protocol for semi-honest T b,x v =F k b (x) k 0,k 1 e 0 = F -1 k 0 (v) e 1 = F -1 k 1 (v) E e 0 (s 0 ), E e 1 (s 1 ) v Not every encryption E will do OTP does not work: guess s 0, get e 0, check F k 0 (e 0 ) = v Theorem: Secure with malicious A, B and semi-honest T if E is CPA. x 2 R D b

8 Proprietary © Alcatel-Lucent 2009 8 Protocol for covert A,T and malicious B Need to hide B’s input from T Easy: Ask T for both b, 1-b Need to prevent side channels from T to A (via v) Randomly test T’s responses (aka Cut-and-Choose) By asking A to reveal keys k 0,k 1 used by T (before A saw v) Theorem: Secure with Covert A,T and Malicious B. k 0, k 1 cannot be used for “live” OT T derives k 0 =F kinit0 (y), k 1 =F kinit1 (y) from y given by Bob y 2 D T is for testingwill not be executed by A y : 2 D T is for “live”will not be opened by A D T unpredictable to T b,x v =F k b (x) k 0,k 1 x 2 R D

9 Proprietary © Alcatel-Lucent 2009 9 Summary  Efficient protocols for OT with stateless tokens  6 SPRPG calls with semi-honest T  27 SPRPG calls with covert T   with semi-honest T is concurrently composable   with covert T is sequentially composable

Download ppt "Efficient Oblivious Transfer with Stateless Secure Tokens Alcatel-Lucent Bell Labs Vlad Kolesnikov."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
Yan Huang, David Evans, Jonathan Katz

Yan Huang, David Evans, Jonathan Katz
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.

Pairwise Key Agreement in Broadcasting Networks Ik Rae Jeong.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.

Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
ORAM – Used for Secure Computation by Venkatasatheesh Piduri 1.

ORAM – Used for Secure Computation by Venkatasatheesh Piduri 1.
GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION

GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.

What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

Similar presentations

Ads by Google