Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation Lecturer: Moni Naor.


Foundations of Cryptography
Lecture 15: Oblivious Transfer and Secure Function Evaluation
Lecturer: Moni Naor
Recap of last week’s lecture
– Malleability vs. Semantic Security
– Chosen Ciphertext Attacks:
  • CCA1: Preprocessing (lunch break)
  • CCA2: Postprocessing
– Approaches for achieving malleability and resistance to CCA:
  • Independent keys
  • Proofs of consistency
  • Cramer-Shoup Cryptosystem
– Applications
  • Interactive Authentication
  • Auctions
Combinations (diagram): attack type (CPA, CCA1 lunch-time, CCA2 post-processing) versus what is broken (semantic security, non-malleability). All combinations are useful in some circumstances; all implications between them are proper.
Motivation for Zero-knowledge
• Can turn any protocol that works well when the parties are benign (but curious) into one that works well when the parties are malicious
• Need a further property: proof of knowledge
  – Possible to extract the witness from a successful prover
Honest but curious model
• Parties follow the protocol
• Never erase information
• General principle: design your protocol assuming the players are honest-but-curious
• Translate the protocol into one resilient against malicious players
  – Use zero-knowledge (POK) for all languages in NP as a compiler
Secure Function Evaluation (SFE)
• Major and exciting topic of research in the last quarter century
• How to distributively compute a function f(X1, X2, …, Xn),
  – where Xj is known to party j.
  – Parties learn only the final output
The Millionaires Problem (diagram): Alice holds x, Bob holds y. Whose value is greater? Leak no other information!
Ideal Solution for the Millionaires Problem (diagram): Alice and Bob each hand their value (x and y) to a trusted third party, “TrustMe”, which computes the answer for them. Well ...
Secure Function Evaluation: (Informal) Definition
A protocol is secure if it emulates the ideal solution
Or
For any adversary there is a comparable one working in the Ideal Model with similar output
Second Price Auctions - Vickrey
Sealed bid, second price auction:
• Winner is the highest bidder, pays the second highest bid
• Why?
  – Bidding true value is a dominant (and simple) strategy
  – Single round simulation of the English auction
So why isn’t it more popular?
Problems with applying the Revelation Principle
– Utility functions (value of item) contain sensitive information
– Participants might cheat simply to avoid leaking this information
Hal Varian: “Even if current information can be safeguarded, records of past behavior can be extremely valuable, since historical data can be used to estimate the willingness to pay”
“...what should be the appropriate technological and social safeguards to deal with this problem?”
This lecture: technological safeguards via cryptography
f(X1, X2, …, Xn) = (i, xj), where xi = max_k xk and xj = max_{k ≠ i} xk
Major Result [Yao, GMW]
“Any function f that can be evaluated using polynomial resources can be securely evaluated using polynomial resources”
SFE
• Many results depending on
  – Number of players
  – Means of communication
  – The power and model of the adversary
  – How the function is represented
Simulation
A protocol is considered secure if:
• For every adversary (of a certain type) there exists a simulator that outputs an indistinguishable “transcript”.
Example:
• Encryption
• Zero-knowledge
• Next: secure function evaluation
Simulating the ideal model
A protocol is considered secure if:
• For every adversary there exists a simulator operating in the “ideal (trusted party) model” that outputs an indistinguishable “transcript”.
1-out-of-2 Oblivious Transfer (diagram): Sender (Alice) holds Y0, Y1; Chooser (Bob) holds an index j. Bob learns Yj; Alice learns nothing.
Implementations of OT_1^2
• Can be based on most public-key systems
• There are implementations with two rounds of communication
Oblivious Transfer: 1-out-of-N OT
Chooser: input σ ∈ {0, 1, …, N-1}, output m_σ
Sender: input m0, …, m_{N-1}
The parties learn nothing else:
• Indistinguishable to Sender which σ is used
• Chooser learns no other value of m0, …, m_{N-1}
Precise definition?
The EGL paradigm for OT_1^2
Chooser: input σ ∈ {0,1}. Sender: input m0, m1.
• Chooser sends PK0, PK1 and a proof that she knows only one private key
• Sender replies with E_{PK0}(m0), E_{PK1}(m1)
The Bellare-Micali Protocol
Sender: input m0, m1. Chooser: input σ ∈ {0,1}.
• Sender picks a random C in the group and sends it to Chooser
• Chooser picks a private key k, sends PK_σ = g^k, PK_{1-σ} = C / PK_σ
• Sender picks random r0, r1 and sends
  E(m0) = (g^{r0}, H[(PK0)^{r0}] ⊕ m0)
  E(m1) = (g^{r1}, H[(PK1)^{r1}] ⊕ m1)
• Chooser decrypts m_σ using k
Properties
• Chooser is protected information-theoretically: PK0 and PK1 are random elements in the group such that PK0 · PK1 = C
• Chooser cannot know both log_g PK0 and log_g PK1
  – This would imply knowing log_g C
  – If Chooser knows PK_σ, then (PK_{1-σ})^{r_{1-σ}} is an unknown Diffie-Hellman value. Therefore m_{1-σ} is computationally protected
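As an added illustration (not code from the lecture), the Bellare-Micali exchange above run end to end in Python over a constructed toy group (safe prime p = 2039, q = 1019, g = 4; sizes chosen so the run is instant and far too small for real use), with SHA-256 standing in for H and XOR as the symmetric encryption. The function names, and the consistency check PK0 · PK1 = C that here replaces a proof of knowledge, are this example's choices:

```python
import hashlib
import secrets

# Toy group for the demonstration (constructed): safe prime p = 2q + 1, and g = 4
# generates the order-q subgroup of quadratic residues. Far too small for real use.
P, Q, G = 2039, 1019, 4


def rand_exp() -> int:
    """Random non-zero exponent in Z_q."""
    return secrets.randbelow(Q - 1) + 1


def kdf(elem: int, length: int) -> bytes:
    """H[.]: hash a group element down to a one-time pad of the message length."""
    return hashlib.sha256(elem.to_bytes(4, "big")).digest()[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def sender_pick_c() -> int:
    """Sender, step 1: a random element C of the group, sent to Chooser."""
    return pow(G, rand_exp(), P)


def chooser_keys(c: int, sigma: int):
    """Chooser: private key k only for PK_sigma; PK_{1-sigma} = C / PK_sigma is a key whose
    discrete log Chooser does not know (knowing both logs would mean knowing log_g C)."""
    k = rand_exp()
    pk_sigma = pow(G, k, P)
    pk_other = c * pow(pk_sigma, -1, P) % P   # pow(x, -1, p) is the modular inverse (Python 3.8+)
    pks = [pk_other, pk_other]
    pks[sigma] = pk_sigma
    return k, (pks[0], pks[1])


def sender_encrypt(c: int, pks, m0: bytes, m1: bytes):
    """Sender, step 2: PK0 * PK1 = C is the whole 'proof' that Chooser knows at most one
    private key; then ElGamal-style encrypt m_i under PK_i with a fresh r_i."""
    if pks[0] * pks[1] % P != c:
        raise ValueError("PK0 * PK1 != C: Chooser deviated from the protocol")
    cts = []
    for pk, m in zip(pks, (m0, m1)):
        r = rand_exp()
        cts.append((pow(G, r, P), xor(kdf(pow(pk, r, P), len(m)), m)))
    return cts[0], cts[1]


def chooser_decrypt(k: int, sigma: int, cts) -> bytes:
    """Chooser recovers m_sigma: (g^{r_sigma})^k equals PK_sigma^{r_sigma}."""
    g_r, blob = cts[sigma]
    return xor(kdf(pow(g_r, k, P), len(blob)), blob)


def run_ot(m0: bytes, m1: bytes, sigma: int) -> bytes:
    """Full 1-out-of-2 OT run; returns what Chooser learns."""
    c = sender_pick_c()
    k, pks = chooser_keys(c, sigma)
    cts = sender_encrypt(c, pks, m0, m1)
    return chooser_decrypt(k, sigma, cts)


def tampered_run(m0: bytes, m1: bytes) -> str:
    """A Chooser who replaces PK1 by a key unrelated to C (product off by a factor g)
    is caught by Sender's check."""
    c = sender_pick_c()
    _, (pk0, pk1) = chooser_keys(c, 0)
    try:
        sender_encrypt(c, (pk0, pk1 * G % P), m0, m1)
        return "accepted"
    except ValueError:
        return "rejected"
```

Chooser can only ever open slot σ: the other pad is H of PK_{1-σ}^{r_{1-σ}} = (C / g^k)^{r_{1-σ}}, a Diffie-Hellman value she cannot compute. Sender's side sees two group elements whose product is C, which is the same distribution whichever σ was used.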
Idea
• Chooser gives two ciphertexts - a good and a bad one - and proves consistency
  – Here: make it trivial to verify
• Sender randomizes ciphertexts
  – Good ciphertext remains consistent
  – Bad ciphertext - maps to a random value
  – Based on random self-reducibility of DDH
The OT protocol
• Chooser defines x = g^a, y = g^b, z_σ = g^{ab} and z_{1-σ} ≠ z_σ
  – Sends (x, y, z0, z1) to Sender.
    Note that z_σ = x^b and y = g^b
• Sender
  – Chooses random (r0, s0), (r1, s1).
  – Computes w0 = x^{s0} · g^{r0} and w1 = x^{s1} · g^{r1}
  – Encrypts m0 with z0^{s0} · y^{r0} and m1 with z1^{s1} · y^{r1}
  – Sends w0, w1 and the encryptions.
• Chooser recovers the key as (w_σ)^b and decrypts m_σ.
The OT protocol: Properties
• Security:
  – Chooser: the DDH assumption implies that Sender cannot distinguish between z_σ = g^{ab} and z_{1-σ}.
  – Sender: if z_{1-σ} ≠ g^{ab}, then given (m_{1-σ}, w_{1-σ}) the key z_{1-σ}^{s_{1-σ}} · y^{r_{1-σ}} is uniformly distributed.
• Overhead: O(1) exponentiations.
• Generalization to OT_1^N without increasing Chooser’s complexity.
Question: how to do
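The DDH-based protocol from the two slides above, as an added Python example (not the lecture's own code) over a constructed toy group (safe prime p = 2039, q = 1019, g = 4) with SHA-256 as key derivation. Besides the honest run it shows the second property concretely: because z_{1-σ} ≠ g^{ab}, raising w_{1-σ} to b gives a key different from the one Sender used, so the other message stays hidden:

```python
import hashlib
import secrets

# Toy group (constructed): safe prime p = 2q + 1, g = 4 of prime order q.
# Only the algebra matters here; a real deployment uses a group of cryptographic size.
P, Q, G = 2039, 1019, 4


def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1


def kdf(elem: int, length: int) -> bytes:
    return hashlib.sha256(elem.to_bytes(4, "big")).digest()[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def chooser_query(sigma: int):
    """Chooser: x = g^a, y = g^b, z_sigma = g^{ab} (a DDH tuple); z_{1-sigma} is random but != g^{ab}."""
    a, b = rand_exp(), rand_exp()
    x, y = pow(G, a, P), pow(G, b, P)
    z_good = pow(G, a * b % Q, P)
    z_bad = z_good
    while z_bad == z_good:
        z_bad = pow(G, rand_exp(), P)
    z = [z_bad, z_bad]
    z[sigma] = z_good
    return b, (x, y, z[0], z[1])


def sender_respond(query, m0: bytes, m1: bytes):
    """Sender: randomize each tuple (x, y, z_i) with fresh (r_i, s_i).
    w_i = x^{s_i} g^{r_i}; key_i = z_i^{s_i} y^{r_i}. For the DDH tuple key_i = w_i^b;
    for the other tuple key_i is uniform and independent of w_i."""
    x, y, z0, z1 = query
    if z0 == z1:
        raise ValueError("z0 == z1: at most one of them may equal g^{ab}")
    out = []
    for z, m in ((z0, m0), (z1, m1)):
        r, s = rand_exp(), rand_exp()
        w = pow(x, s, P) * pow(G, r, P) % P
        key = pow(z, s, P) * pow(y, r, P) % P
        out.append((w, xor(kdf(key, len(m)), m)))
    return out[0], out[1]


def chooser_recover(b: int, index: int, response) -> bytes:
    """Chooser uses w_index^b as the key; this matches Sender's key only for index = sigma."""
    w, blob = response[index]
    return xor(kdf(pow(w, b, P), len(blob)), blob)


def run_ot(m0: bytes, m1: bytes, sigma: int):
    """Returns (what Chooser learns in slot sigma, what she gets by trying the other slot)."""
    b, query = chooser_query(sigma)
    response = sender_respond(query, m0, m1)
    return chooser_recover(b, sigma, response), chooser_recover(b, 1 - sigma, response)
```

For the good slot, w_σ^b = x^{s b} g^{r b} = g^{ab s} g^{b r} = z_σ^{s} y^{r}, which is exactly Sender's key. For the other slot the two keys differ whenever s ≠ 0 in Z_q, which is why the second element of `run_ot`'s result is never the real message.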
Secret Sharing
Threshold Secret Sharing - how to split a secret S into N shares so that
– No k-1 shares yield any information about the secret S
– Any k shares are sufficient to reconstruct the secret
Best known example: Shamir’s polynomial-based scheme.
Simplest example, 2-out-of-2: choose random S1 and let S2 = S ⊕ S1
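An added Python example (not from the lecture) of both schemes on the slide: the 2-out-of-2 XOR split and Shamir's k-out-of-n scheme over a prime field (the prime 2^127 - 1 is a constructed choice; any prime larger than the secret works). The `consistent` function makes the threshold property concrete: with k-1 shares every candidate secret fits some polynomial of degree k-1, while with k shares only the real secret does:

```python
import secrets

# Prime field for Shamir's scheme (constructed choice)
P = 2**127 - 1


def split_xor(secret: bytes):
    """2-out-of-2 scheme from the slide: S1 random, S2 = S xor S1."""
    s1 = secrets.token_bytes(len(secret))
    s2 = bytes(a ^ b for a, b in zip(secret, s1))
    return s1, s2


def recover_xor(s1: bytes, s2: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(s1, s2))


def shamir_split(secret: int, k: int, n: int):
    """k-out-of-n: random polynomial f of degree k-1 with f(0) = secret; share j is (j, f(j))."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P

    return [(j, f(j)) for j in range(1, n + 1)]


def lagrange_at(points, x: int) -> int:
    """Value at x of the unique polynomial of degree < len(points) through the given points."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total


def shamir_recover(shares) -> int:
    """Any k (or more) shares: interpolate and evaluate at 0."""
    return lagrange_at(shares, 0)


def consistent(k: int, shares, candidate: int) -> bool:
    """Could the secret be `candidate`, given these shares of a k-threshold scheme?
    Interpolate through (0, candidate) and the first k-1 shares, then check the rest.
    With k-1 shares nothing is left to check, so every candidate is consistent."""
    pts = [(0, candidate % P)] + list(shares)
    base, rest = pts[:k], pts[k:]
    return all(lagrange_at(base, x) == y for x, y in rest)


# Constructed demo values used below
DEMO_SECRET = 123456789
DEMO_SHARES = shamir_split(DEMO_SECRET, 3, 5)
```

With k = 3 shares a wrong candidate is rejected outright: two distinct polynomials of degree at most 2 can agree on at most two points, so a polynomial through the wrong value at 0 and two true shares must miss the third share.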
Two party Computation
Two party protocol
• Input:
  – Sender: Function P (some representation)
  – Receiver: x ∈ {0,1}^n
• Output:
  – Receiver: P(x) and nothing else about P
  – Sender: nothing about x
Representations of P
• Boolean circuits [Yao, GMW, …]
• Algebraic circuits [BGW, …]
• Low degree polynomials [BFKR]
• Matrix product over a large field [FKN, IK]
• Randomizing polynomials [IK]
• Communication Complexity Protocol [NN]
Garbling P
• Input: description of P as a Boolean circuit C over basis B
• Output:
  – Garbled circuit C - tables
  – Pairs of garbled inputs I_1^0, I_1^1, I_2^0, I_2^1, …, I_n^0, I_n^1
  – Pairs of garbled outputs Z_1^0, Z_1^1, Z_2^0, Z_2^1, …, Z_n^0, Z_n^1
Garbling Requirements
For x ∈ {0,1}^n and y = P(x), given
– C - tables
– Selection by x = (x1, x2, …, xn) of garbled inputs I_1^{x1}, I_2^{x2}, …, I_n^{xn}
• Possible to compute the selection by y = (y1, y2, …, yn) of garbled outputs Z_1^{y1}, Z_2^{y2}, …, Z_n^{yn}
• Impossible to deduce anything about x or y
Sender and Receiver share the output
Garbling
We construct the garbled circuit
• Gate by gate
• In some topological sort (from inputs to outputs)
Start by choosing random values for inputs I_1^0, I_1^1, I_2^0, I_2^1, …, I_n^0, I_n^1
Let F_W: {0,1}^{2|C|} → {0,1}^{n+1} be a pseudo-random function, where |W| = n
Garbled Circuits (diagram)
Original circuit: gates G1, G2, G3 over wires i, j, k, l, m, n and out, with G3 producing out.
Garbled version: assign random pairs of garbled values (W_i^0, W_i^1), (W_j^0, W_j^1), (W_k^0, W_k^1), (W_l^0, W_l^1), (W_m^0, W_m^1), (W_n^0, W_n^1), (W_out^0, W_out^1) to the wires, and a random “permutation” π: {0,1} → {0,1} for each gate.
Tables for a Gate
Gate G with input wires i, j (garbled values W_i^0, W_i^1 and W_j^0, W_j^1) and output wire k (garbled values W_k^0, W_k^1).
• b_i, b_j are the true values
• c_i, c_j are the permuted values
• b_k = G(b_i, b_j)
• If we know (c_i, W_i^{b_i}) and (c_j, W_j^{b_j}), we want to know (c_k, W_k^{b_k})
Typical entry: [(c_k, W_k^{G(b_i,b_j)}) + F_{W_i^{b_i}}(c_j, k) + F_{W_j^{b_j}}(c_i, k)]
Translation table for an OR gate
Gate G = OR with input wires i, j (garbled values W_i^0, W_i^1 and W_j^0, W_j^1) and output wire k (garbled values W_k^0, W_k^1). Sender constructs a translation table from input values to output values:
b_i  b_j  Table entry
0    1    ENC_{W_i^0, W_j^1}(W_k^1)
1    0    ENC_{W_i^1, W_j^0}(W_k^1)
1    1    ENC_{W_i^1, W_j^1}(W_k^1)
0    0    ENC_{W_i^0, W_j^0}(W_k^0)
Encrypt (c_k, W_k^{G(b_i,b_j)}) with W_i^{b_i}, W_j^{b_j}
The protocol
• Initialization:
  – For every wire, Sender assigns random (garbled) values to the 0/1 values
  – For every gate, Sender constructs a table, s.t.
    • given the garbled values of the input wires, one can compute the garbled value of the output wire and nothing else
• Computation: Receiver obtains the garbled values of the input wires of the circuit, and propagates them to the output wires
Choosing the garbled Inputs
• For each 1 ≤ j ≤ n run a 1-out-of-2 OT where
  – Sender: I_j^0, I_j^1
  – Receiver: x_j
• Sender provides the Receiver with
  – The gate tables,
  – A translation table from garbled output values.
• Receiver computes the result P(x)
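The whole garbling construction from the preceding slides (random wire pairs, a permutation bit per wire, table entries (c_k, W_k^{G(b_i,b_j)}) masked with F_{W_i^{b_i}}(c_j, k) and F_{W_j^{b_j}}(c_i, k), gate-by-gate evaluation and a translation table for the output wires), as an added Python example that is not the lecture's code. HMAC-SHA256 plays the role of F_W, the two-gate circuit is constructed for the demo, and the OT step is simulated by handing Receiver the selected garbled input directly:

```python
import hashlib
import hmac
import secrets

KEYLEN = 16  # n: byte length of a garbled wire value W_w^b

# Constructed demo circuit: (gate id, gate function, input wire i, input wire j, output wire k).
# Input wires are 0, 1, 2; the single output wire is 4. Gates are listed in topological order.
CIRCUIT = [(10, "AND", 0, 1, 3), (11, "OR", 3, 2, 4)]
N_INPUTS, OUTPUTS = 3, [4]
OPS = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b, "XOR": lambda a, b: a ^ b}


def prf(key: bytes, c: int, gate_id: int) -> bytes:
    """F_W(c, k): PRF keyed by a garbled wire value, applied to the other input's permuted
    bit c and the gate index k; n+1 bytes of output (one permuted bit plus one wire value)."""
    return hmac.new(key, bytes([c]) + gate_id.to_bytes(4, "big"), hashlib.sha256).digest()[: KEYLEN + 1]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def garble(circuit, n_inputs, outputs):
    """Sender side. Returns (topology, gate tables, garbled input pairs, output translation)."""
    wires = set(range(n_inputs)) | {w for g in circuit for w in g[2:]}
    W = {w: (secrets.token_bytes(KEYLEN), secrets.token_bytes(KEYLEN)) for w in wires}
    perm = {w: secrets.randbits(1) for w in wires}          # random "permutation" bit per wire
    tables = {}
    for gid, op, i, j, k in circuit:
        table = {}
        for bi in (0, 1):
            for bj in (0, 1):
                ci, cj = bi ^ perm[i], bj ^ perm[j]           # permuted (visible) bits
                bk = OPS[op](bi, bj)
                plain = bytes([bk ^ perm[k]]) + W[k][bk]      # (c_k, W_k^{G(b_i,b_j)})
                table[(ci, cj)] = xor(xor(plain, prf(W[i][bi], cj, gid)), prf(W[j][bj], ci, gid))
        tables[gid] = table                                   # entry located by (c_i, c_j)
    inputs = {w: ((perm[w], W[w][0]), (1 ^ perm[w], W[w][1])) for w in range(n_inputs)}
    translation = {w: perm[w] for w in outputs}               # b_out = c_out xor perm[out]
    topology = [(gid, i, j, k) for gid, _, i, j, k in circuit]  # gate functions stay hidden
    return topology, tables, inputs, translation


def evaluate(topology, tables, garbled_inputs, translation):
    """Receiver side: propagate (c, W) pairs gate by gate, opening exactly one entry per gate."""
    vals = dict(garbled_inputs)
    for gid, i, j, k in topology:
        ci, wi = vals[i]
        cj, wj = vals[j]
        plain = xor(xor(tables[gid][(ci, cj)], prf(wi, cj, gid)), prf(wj, ci, gid))
        vals[k] = (plain[0], plain[1:])
    return {w: vals[w][0] ^ pi for w, pi in translation.items()}


def eval_plain(circuit, x):
    """Reference evaluation of the circuit in the clear."""
    vals = {w: bit for w, bit in enumerate(x)}
    for _, op, i, j, k in circuit:
        vals[k] = OPS[op](vals[i], vals[j])
    return vals


def run_two_party(circuit, n_inputs, outputs, x):
    """Garble, give Receiver one garbled value per input wire (in the protocol this is the
    1-out-of-2 OT of I_j^0, I_j^1 against x_j; simulated here by direct selection), evaluate."""
    topology, tables, inputs, translation = garble(circuit, n_inputs, outputs)
    chosen = {w: inputs[w][x[w]] for w in range(n_inputs)}
    return evaluate(topology, tables, chosen, translation)
```

Receiver sees only one (c, W) pair per wire and a permutation bit per output wire, so the visible bits are uniformly random and say nothing about the true wire values; the remaining three entries of each table are masked by PRF outputs under keys she never holds.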
The world (diagram of implications between primitives)
Nodes: P ≠ NP; One-way functions; Pseudo-random generators; Pseudo-random functions; Pseudo-random permutations; Shared-key encryption (CCA2) and authentication; UOWHFs; Signature schemes; String commitment; Zero-knowledge for all of NP; Factoring is hard (BG permutations); Trapdoor permutations; CPA public-key encryption; CCA2 PKE; Secret-key exchange; OT; SFE.
A more refined view (diagram)
minicrypt: One-way functions; Computational pseudorandomness; Shared-key encryption and authentication; Signature scheme; UOWHFs; ZK proofs for all of NP; Commitment scheme; Coin flipping; Efficient online memory checking.
cryptomania: Trapdoor permutations; IBE; PIR; CCA-secure PKE; Public key encryption; OT; Secret key exchange; Secure MPC (2 rounds).
Separating the worlds (diagram)
cryptomania: Trapdoor permutations; PIR; CCA-secure PKE; OT; SKE; Public key encryption; Secure MPC.
minicrypt: One-way functions; Computational pseudorandomness; Shared-key encryption and authentication; Signature scheme; UOWHFs; ZK proofs for all of NP; Commitment scheme; Coin flipping; Efficient online memory checking.
Impagliazzo and Rudich 1989: there is no black-box construction of OT from OWF.
The Minicrypt = Cryptomania question
“Minicrypt = Cryptomania?” is the most important problem in complexity and cryptography where
• We do not know the answer
• There is a reasonable chance to resolve it in the near future
Omer Reingold: NL = L is a contender for the title
What’s next to study?
• IBE/Pairings
• MPC
• UC
What’s next to explore
• A theory of computational and physical assumptions
• A theory of moderate hardness
• Compressibility
• Privacy in Databases
• Humans and cryptography
References
• Y. Lindell and B. Pinkas, A Proof of Yao's Protocol for Secure Two-Party Computation