Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Game-Theoretic Perspective on Oblivious Transfer Kenji Yasunaga (ISIT) Joint work with Haruna Higo, Akihiro Yamada, Keisuke Tanaka (Tokyo Inst. of Tech.)

Published byReynold Bruce Modified over 8 years ago

Similar presentations

Presentation on theme: "A Game-Theoretic Perspective on Oblivious Transfer Kenji Yasunaga (ISIT) Joint work with Haruna Higo, Akihiro Yamada, Keisuke Tanaka (Tokyo Inst. of Tech.)"— Presentation transcript:

1 A Game-Theoretic Perspective on Oblivious Transfer Kenji Yasunaga (ISIT) Joint work with Haruna Higo, Akihiro Yamada, Keisuke Tanaka (Tokyo Inst. of Tech.) 2012.5.8 Crypto Seminar @ Kyusyu University

2 Cryptography and Game Theory Cryptography: Design protocols in the presence of adversaries Game theory: Study the behavior of rational players

3 Cryptography and Game Theory Cryptography: Design protocols in the presence of adversaries Game theory: Study the behavior of rational players Rational cryptography: Design cryptographic protocols for rational players Rational Secret Sharing [HT04, GK06, ADG + 06, KN08a, KN08b, MS09, OPRV09, FKN10, AL11]

4 Asharov, Canetti, Hazay (Eurocrypt 2011) Game-theoretically characterize properties of two-party protocols Protocol π satisfies a “certain” property  A “certain” game defined by π has a “certain” solution concept with “certain” utility functions Properties: Correctness, Privacy, Fairness Adversary model: Fail-stop adversaries Equivalent defs. for correctness and privacy New def. for fairness

5 This work Game-theoretically characterize properties of “two-message” Oblivious Transfer (OT) Advantages compared to [ACH11] 1. Game between two rational players Essentially played by a single player in [ACH11] 2. Characterize correctness and privacy by a single game 3. Malicious adversaries

6 Oblivious Transfer A protocol between sender S and receiver R Correctness: After running the protocol, R obtains x c and S obtains nothing (or ⊥ ) Privacy Privacy for S: R learns nothing about x 1-c Privacy for R: S learns nothing about c x 0, x 1 c ∈ {0,1} xcxc ⊥ S R OT ・・・

7 Why “two-message” OT ? Two-message OT x 0, x 1 c ∈ {0,1} xcxc ⊥ S R Msg1 Msg2

8 Why “two-message” OT ? Two-message OT IND based privacy fits for GT framework Utility is high  Prediction is correct Exit IND based privacy for two-message OT x 0, x 1 c ∈ {0,1} xcxc ⊥ S R Msg1 Msg2

9 Our results Protocol π for two-message OT satisfies “correctness” and “privacy”  A “certain” game defined by π has a “certain” solution concept with “certain” utility functions

10 Our results Protocol π for two-message OT satisfies “correctness” and “privacy”  A “certain” game defined by π has a “certain” solution concept with “certain” utility functions  A game Game π defined by π has a Nash equilibrium with utility functions U = (U S, U R )

11 Cryptographic Correctness of OT Protocol π = (S, R) Correctness ∀ x 0, x 1 ∈ {0,1} * s.t. |x 0 | = |x 1 |, c ∈ {0,1}, Pr[ output R (S(x 0, x 1 ), R(c)) = x c ] ≥ 1 − negl

12 Cryptographic Privacy of two-message OT Privacy for R ∀ PPT S* and x 0, x 1 ∈ {0,1}*, {view S* (S*(x 0, x 1 ), R(0))} = c {view S* (S*(x 0, x 1 ), R(1))} Privacy for S ∃ a function Choice: {0,1}*  {0,1} s.t. ∀ determ. poly-time R*, x 0, x 1, x, z ∈ {0,1}*, c ∈ {0,1}, {view R* (S(X 0 ), R*(c, z))} = c {view R* (S(X 1 ), R*(c, z))} where X 0 = (x 0, x 1 ), and X 1 = (x 0, x) if Choice(R*, c, z) = 0, X 1 = (x, x 1 ) otherwise Choice indicates the choice bit of R*

13 Game π Protocol: π = (S π, R π ), Input: x 0, x 1, x, z ∈ {0,1} *, c ∈ {0,1} Players: Sender (S, G S ), Receiver (R, G R ) Game π ((S, G S ), (R, G R ), Choice, x 0, x 1, x, c, z S, z R ): 1. X 0 = (x 0, x 1 ), X 1 = (x 0, x) if Choice(R, c, z) = 0, X 1 = (x, x 1 ) o.w. 2. b  R {0, 1} and set z to be empty if R = R π 3. Execute (S(X b ), R(c, z)) (  output R ) Set fin = 1  Protocol finished without abort 4. G S guesses c from view S (  guess S ) G R guesses b from view R (  guess R ) 5. Output (fin, output R, guess S, guess R )

14 Utility functions U = (U S, U R ) U S ((S, G S ), (R, G R )) = (− α S ) ・ ( Pr[ guess R = b ] − 1/2 ) + β S ・ ( Pr[ fin=0 ∨ (fin=1 ∧ output R = x c )] − 1) + γ S ・ ( Pr[ guess S = c ] − 1/2 ) α S, β S, γ S are some positive constants U S is low if G R ’s guess is correct or finish w/o abort and output is incorrect or G S ’s guess is incorrect U R ((S, G S ), (R, G R )) = (− α R ) ・ ( Pr[ guess S = c ] − 1/2 ) + β R ・ ( Pr[ fin=0 ∨ (fin=1 ∧ output R = x c )] − 1) + γ R ・ ( Pr[ guess R = b ] − 1/2 )

15 Nash equilibrium Protocol (S, R) is a Nash equilibrium for Game π  ∃ Choice s.t. ∀ PPT G S, G R, S*, (determ.) R*, ∀ x 0, x 1, x, z ∈ {0,1} *, c ∈ {0,1}, U S ((S*,G S ), (R,G R )) ≤ U S ((S,G S ), (R,G R )) + negl and U R ((S,G S ), (R*,G R )) ≤ U R ((S,G S ), (R,G R )) + negl

16 Game-theoretic characterization Main Theorem: Protocol π = (S π, R π ) for two-message OT satisfies cryptographic correctness and privacy if and only if π = (S π, R π ) is a Nash equilibrium for Game π with utility functions U = (U S, U R )

17 Proof (“Crypto  Game”) Assume π is not game-theoretically secure  π = (S π, R π ) is not NE for Game π  ∀ Choice, ∃ G S *, G R *, S*, R*, x 0, x 1, x, z, c s.t. Case 1: U S ((S*,G S ), (R π,G R )) > U S ((S π,G S ), (R π,G R )) + ε S or Case 2: U R ((S π,G S ), (R*,G R )) > U R ((S π,G S ), (R π,G R )) + ε R

18 Proof (“Crypto  Game”) Case 1: U S ((S*,G S ), (R π,G R )) > U S ((S π,G S ), (R π,G R )) + ε S Recall that U S ((S π, G S ), (R π, G R )) = (− α S ) ・ ( Pr[ guess R = b ] − 1/2 ) + β S ・ ( Pr[ fin=0 ∨ (fin=1 ∧ output R = x c )] − 1) + γ S ・ ( Pr[ guess S = c ] − 1/2 ) When S π  S* Case 1-a: Pr[ guess R = b ] is lower Case 1-b: Pr[ fin=0 ∨ (fin=1 ∧ output R = x c )] is higher Case 1-c: Pr[ guess S = c ] is higher

19 Proof (“Crypto  Game”) Case 1-a: Pr[ guess R = b ] is lower  Since Pr[ guess R = b ] ≤ 1/2 + negl when S*, (R π, G R ) breaks the privacy for S Case 1-b: Pr[fin=0 ∨ (fin=1 ∧ output R =x c )] is higher  Pr[fin=0 ∨ (fin=1 ∧ output R =x c )] < 1 − ε when S π  Not cryptographically correct Case 1-c: Pr[ guess S = c ] is higher  Pr[ guess S = c ] ≠ 1/2 ± negl when S*  (S*, G S ) breaks the privacy for R

20 Proof (“Game  Crypto”) Assume π is not cryptographically secure  Case 1: Not cryptographically correct Case 2: Cryptographically correct Case 2-a: Not private for S when R π Case 2-b: Private for S when R π, not private for R Case 2-c: Private for R, not private for S when R*

21 Proof (“Game  Crypto”) Case 1: Not cryptographically correct  ∃ x 0, x 1, c s.t. Pr[ output R = x c ] < 1 − ε 1  U S ((S π, G S ), (R π, G R )) < − β S ・ ε 1 U S ((S def, G S ), (R π, G R )) = 0  U S is higher when S π  S def S def : Abort before start Pr[fin=0 ∨ (fin=1 ∧ output R =x c )] is higher when S π  S def

22 Proof (“Game  Crypto”) Case 2: Cryptographically correct Case 2-a: Not private for S when R π  ∃ D 1 who distinguishes view Rπ  U S ((S π, G S ), (R π, G R )) < − α S ・ ε 2 U S ((S stop, G S ), (R π, G R )) = 0 (when G R uses D 1 )  U S is higher when S π  S stop S stop : Abort after receiving a message Pr[ guess R = b ] is higher when S π  S stop

23 Proof (“Game  Crypto”) Case 2: Cryptographically correct Case 2-b: Private for S when R π, not for R  ∃ S* and D 2 who distinguishes view S*  ∃ D 2 who distinguishes view Sπ (since two-message OT)  U R ((S π,G S ), (R π,G R )) < − α R ・ ε 3 U R ((S π,G S ), (R def,G R )) = 0 (when G S uses D 2 ) R def : Abort before start Pr[ guess S = c ] is higher when R π  R def

24 Proof (“Game  Crypto”) Case 2: Cryptographically correct Case 2-c: Private for R, not for S when R*  ∃ R* and D 3 who distinguishes view R*  U R ((S π,G S ), (R π,G R )) < negl U R ((S π,G S ), (R *,G R )) = γ R ・ ε 4 (when G R uses D 3 )  U R is higher when R π  R* Pr[ guess R = b ] is higher when R π  R*

25 Notes Main theorem holds even if γ S = 0 or β R = 0 U S ((S, G S ), (R, G R )) = (− α S ) ・ ( Pr[ guess R = b ] − 1/2 ) + β S ・ ( Pr[ fin=0 ∨ (fin=1 ∧ output R = x c )] − 1) + γ S ・ ( Pr[ guess S = c ] − 1/2 ) U R ((S, G S ), (R, G R )) = (− α R ) ・ ( Pr[ guess S = c ] − 1/2 ) + β R ・ ( Pr[ fin=0 ∨ (fin=1 ∧ output R = x c )] − 1) + γ R ・ ( Pr[ guess R = b ] − 1/2 )

26 Conclusions (1/2) Game-theoretically characterize “two-message” OT Protocol π = (S π, R π ) for two-message OT satisfies cryptographic correctness and privacy  π = (S π, R π ) is a Nash equilibrium for Game π with utility functions U = (U S, U R ) Advantages compared to [ACH ‘11] 1. Game between two rational players 2. Characterize correctness and privacy by a single game 3. Malicious adversaries

27 Conclusions (2/2) The first step toward understanding how OT protocols work for rational players Future work Characterize OT with the ideal/real simulation-based security Characterize other protocols Explore good examples of rational cryptography

Download ppt "A Game-Theoretic Perspective on Oblivious Transfer Kenji Yasunaga (ISIT) Joint work with Haruna Higo, Akihiro Yamada, Keisuke Tanaka (Tokyo Inst. of Tech.)"

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland.

Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland.
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
 1. Introduction to game theory and its solutions.  2. Relate Cryptography with game theory problem by introducing an example.  3. Open questions and.

 1. Introduction to game theory and its solutions.  2. Relate Cryptography with game theory problem by introducing an example.  3. Open questions and.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.

1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Achieving Byzantine Agreement and Broadcast against Rational Adversaries Adam Groce Aishwarya Thiruvengadam Ateeq Sharfuddin CMSC 858F: Algorithmic Game.

Achieving Byzantine Agreement and Broadcast against Rational Adversaries Adam Groce Aishwarya Thiruvengadam Ateeq Sharfuddin CMSC 858F: Algorithmic Game.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Impossibility Results for Concurrent Two-Party Computation Yehuda Lindell IBM T.J.Watson.

Impossibility Results for Concurrent Two-Party Computation Yehuda Lindell IBM T.J.Watson.

Similar presentations

Ads by Google