Improved OT Extension for Transferring Short Secrets Vladimir Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion)


Improved OT Extension for
Transferring Short Secrets
Vladimir Kolesnikov (Bell Labs)
Ranjit Kumaresan (Technion)
Secure Computation
[Figure: two parties hold private inputs x and y; the first learns f1(x,y), the second learns f2(x,y)]
• Most general problem in cryptography
• Moving fast from theory to practice
– Major research effort
• Improving (asymptotic & concrete) efficiency
• Implementation & “Systems” issues
State of the Art (Semihonest Setting)
THEORY
• Constant overhead
– [IKOS08,GGH+13]
• Optimal comm./round complexity
– [GGHR13,AJL+12,LTV12]
• ORAM-based SFE
– [LO13,GKK+12,GGH+13]
PRACTICE
• Yao garbled circuit optimizations
– [KS08,PSSW09,MNPS04]
– [HEKM11,BHKR13]
• GMW optimizations
– [CHKMR12,SZ13,ALSZ13]
• Yao + GMW [KK12]
Practical Computational Overhead
• Hierarchy of efficiency
• FHE >> PKE >> SKE >> one-time pad
– “LHS >> RHS” ≈ the cost of LHS is, and will probably always be, orders of magnitude bigger than the cost of RHS
• OT Extension motivated by “PKE >> SKE”
Talk Outline
• OT Extension
• Ishai et al. (IKNP) OT Extension
• A New Framework for IKNP
PKE >> SKE
PKE
• E.g.: KA, OT, SFE
• Hard to implement heuristically
– More expensive
SKE
• E.g.: PRG, hash functions
• Easy to implement heuristically
– Cheaper
PKE cannot be black-box reduced to SKE [IR89]
• PKE is a factor of ~3-4 orders of magnitude slower than SKE
• E.g.: the Intel AES-NI instruction set (hardware-accelerated SKE)
The Next Best Thing: Extending Primitives
[Figure: [IR89] separates PKE from SKE; the question (“?”) is whether a few PKE operations + many SKE operations can replace many PKE operations]
• Extending public key encryption is easy
– Encrypt payload with symmetric key
– Encrypt symmetric key with public key
• Huge practical impact
• What about extending Oblivious Transfer?
Oblivious Transfer (OT)
[Figure: Sender holds x0, x1; Receiver holds choice bit r and learns xr but nothing about the other string; Sender learns nothing about r]
• Yao: used to select one of two “garbled keys”
• GMW: evaluate each AND gate in the circuit
Cost of OT
• No black-box reduction from OT to one-way functions [IR89]
• OT length extension is easy:
[Figure: to transfer long strings x0, x1 with choice bit r, run an efficient, black-box OT on short seeds s0, s1 and send G(s0) ⊕ x0 and G(s1) ⊕ x1; the Receiver expands s_r with the PRG G and unmasks x_r]
• OT instance extension is possible [B96,IKNP03]
– Needs only k “seed” OTs to perform n >> k OTs
– Additional n symmetric key (cheap) operations
– Huge impact on SFE
OT Extension: Prior Work
• [Beaver 96]: First OT extension
• [Ishai-Kilian-Nissim-Petrank 03] (IKNP)
– Random Oracle (RO) model or Correlation robust
hash functions (CRHF)
– Most practical OT extension
• [HIKN08,IPS08,NNOB12]: Malicious adversaries
• [LZ13]: (In)feasibility results for OT extension
This work: Improve semihonest IKNP
Talk Outline
• OT Extension
• Ishai et al. (IKNP) OT Extension
• A New Framework for IKNP
[IKNP03] Strategy
[Figure: the n target OTs (choice bits r1,…,rn; string pairs (x1,0, x1,1),…,(xn,0, xn,1)) are built from k seed OTs in which the Sender acts as OT receiver with choice bits s1,…,sk; the seed OTs are length-extended; the total extra work is O(n) evaluations of H]
[IKNP03] Main Reduction
• Receiver picks T ∈_R {0,1}^{n×k} (rows t_i, columns t^j)
• Sender picks s ∈_R {0,1}^k
• k seed OTs with roles reversed: in seed OT j the Receiver offers the column pair (t^j, t^j ⊕ r) and the Sender chooses with bit s_j
• Sender obtains Q ∈ {0,1}^{n×k}: q_i = t_i if r_i = 0, and q_i = t_i ⊕ s if r_i = 1
[Figure: for a row with r_i = 0 the bits of q_i equal those of t_i; for r_i = 1 they are flipped exactly in the columns j where s_j = 1]
• For 1 ≤ i ≤ n, Sender sends y_{i,0} = x_{i,0} ⊕ H(q_i), y_{i,1} = x_{i,1} ⊕ H(q_i ⊕ s)
• For 1 ≤ i ≤ n, Receiver outputs z_i = y_{i,r_i} ⊕ H(t_i)
IKNP Cost
• Communication cost of resulting OT(n,L):
– Main reduction: 2nL bits
– Length extension: 2nk bits
• Communication cost of resulting SFE:
– [Yao86]: need to transfer keys of length L = k
– [GMW87]: L = 1, cost = 2nk + 2n, optimal?
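Added example (not from the talk or the paper): a Python simulation of the [IKNP03] main reduction above, with the k seed OTs realised as an ideal 1-out-of-2 OT on k-bit seeds plus the PRG length extension from the “Cost of OT” slide. SHA-256 in counter mode stands in for both the PRG G and the correlation-robust hash H; the ideal seed OT and all function names (`run_iknp`, `demo`, …) are the example's own assumptions, not the paper's instantiation. It checks that the Receiver recovers x_{i,r_i} for every i and that the bits on the wire are exactly 2nk (length-extended seed OTs) + 2nL (main reduction).

```python
import hashlib
import secrets


def prg(seed: bytes, nbits: int) -> int:
    """G: expand a short seed to nbits pseudorandom bits.
    SHA-256 in counter mode stands in for the PRG (assumption of this example)."""
    out = b""
    ctr = 0
    while len(out) * 8 < nbits:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - nbits)


def H(q: int, k: int, L: int) -> int:
    """Correlation-robust hash H: {0,1}^k -> {0,1}^L (random-oracle stand-in)."""
    return prg(b"H" + q.to_bytes((k + 7) // 8, "big"), L)


def ideal_seed_ot(m0: bytes, m1: bytes, choice: int) -> bytes:
    """The k expensive public-key seed OTs, modelled as an ideal 1-out-of-2 OT."""
    return m1 if choice else m0


def column(rows, j, n):
    """Bit j of each of the n row-ints, packed into one n-bit int (bit i = row i)."""
    return sum(((rows[i] >> j) & 1) << i for i in range(n))


def run_iknp(x, r, k=128, L=64):
    """n 1-out-of-2 OTs of L-bit strings from k seed OTs of k-bit seeds.
    x: list of (x_i0, x_i1) ints; r: list of choice bits. Returns (z, bits_sent)."""
    n = len(x)
    bits_sent = 0
    # Receiver: random T in {0,1}^{n x k} (rows T[i]) and choice vector R (bit i = r_i)
    T = [secrets.randbits(k) for _ in range(n)]
    R = sum(b << i for i, b in enumerate(r))
    # Sender: random s in {0,1}^k
    s = secrets.randbits(k)
    # k seed OTs with roles reversed: Receiver offers (t^j, t^j xor R), Sender picks s_j.
    # Length extension: the OT itself is on k-bit seeds; the n-bit columns travel
    # masked with G(seed), costing 2n bits per column -> 2nk bits in total.
    Q_cols = []
    for j in range(k):
        tj = column(T, j, n)
        a0, a1 = secrets.token_bytes(k // 8), secrets.token_bytes(k // 8)
        sj = (s >> j) & 1
        got = ideal_seed_ot(a0, a1, sj)             # Sender learns a_{s_j} only
        c0 = prg(a0, n) ^ tj                        # Receiver -> Sender
        c1 = prg(a1, n) ^ (tj ^ R)
        bits_sent += 2 * n
        Q_cols.append(prg(got, n) ^ (c1 if sj else c0))  # q^j = t^j xor (s_j ? R : 0)
    # Sender re-assembles rows: q_i = t_i xor (r_i ? s : 0)
    Q = [sum(((Q_cols[j] >> i) & 1) << j for j in range(k)) for i in range(n)]
    # Main reduction: y_{i,0} = x_{i,0} xor H(q_i), y_{i,1} = x_{i,1} xor H(q_i xor s): 2nL bits
    y = [(x[i][0] ^ H(Q[i], k, L), x[i][1] ^ H(Q[i] ^ s, k, L)) for i in range(n)]
    bits_sent += 2 * n * L
    # Receiver: z_i = y_{i,r_i} xor H(t_i); q_i xor (r_i ? s : 0) = t_i makes this x_{i,r_i}
    z = [y[i][r[i]] ^ H(T[i], k, L) for i in range(n)]
    return z, bits_sent


def demo(n=256, k=128, L=64):
    """Random inputs (constructed here), correctness check and wire-bit count."""
    x = [(secrets.randbits(L), secrets.randbits(L)) for _ in range(n)]
    r = [secrets.randbits(1) for _ in range(n)]
    z, bits = run_iknp(x, r, k, L)
    return {"correct": all(z[i] == x[i][r[i]] for i in range(n)),
            "bits_sent": bits, "expected_bits": 2 * n * k + 2 * n * L}


if __name__ == "__main__":
    print(demo())
```

The Receiver never learns s, and the Sender only ever sees columns that are either t^j or t^j ⊕ R, both uniformly random to it; the only thing standing between the Receiver and x_{i,1−r_i} is the unknown s inside H(t_i ⊕ s), which is exactly where the correlation-robustness assumption on H enters.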
Talk Outline
• OT Extension
• Ishai et al. (IKNP) OT Extension
• A New Framework for IKNP
Our Work: A Closer Look at IKNP
[Figure: the Sender's matrix Q is T with, in every row i where r_i = 1, the columns j with s_j = 1 flipped; the seed-OT inputs are the column pairs (t^j, t^j ⊕ r), i.e. the matrices T and U = T ⊕ R, where R has r_i repeated k times in row i]
Alternate Point of View
[Figure: R ∈ {0,1}^{n×k} has row i equal to 0^k if r_i = 0 and 1^k if r_i = 1, and R = T ⊕ U]
• Row-wise encoding: 0 → 0^k, 1 → 1^k
• IKNP uses repetition encoding
• Can we use other encodings?
A Coding Theoretic Framework for IKNP
• Suppose we use a code C
• Say r_i comes from a larger domain {1,…,m}
• Row-wise encoding: r_i → C(r_i) ∈ {0,1}^k
[Figure: C(R) ∈ {0,1}^{n×k} has row i equal to C(r_i)]
A Coding Theoretic Framework for IKNP
• C(R) = T ⊕ U: in seed OT j the Receiver offers the column pair (t^j, u^j) and the Sender chooses with bit s_j
• Sender obtains Q ∈ {0,1}^{n×k} with q_i = t_i ⊕ (C(r_i) ⦿ s) for r_i ∈ [m], where ⦿ is bit-wise AND
• For 1 ≤ i ≤ n, 1 ≤ r ≤ m, Sender sends y_{i,r} = x_{i,r} ⊕ H(i, q_i ⊕ (C(r) ⦿ s))
• For 1 ≤ i ≤ n, Receiver outputs z_i = y_{i,r_i} ⊕ H(i, t_i)
Analysis
• Perfect security against malicious sender
• Statistical security against semihonest receiver:
– No loss unless the receiver queries H on (i, q_i ⊕ (C(r) ⦿ s)) = (i, t_i ⊕ ((C(r_i) ⊕ C(r)) ⦿ s)) for some r ≠ r_i, which requires guessing the bits of s where C(r_i) and C(r) differ
– Loss in security: m·2^{-d}, where d = min distance of C
• Cost of 1-out-of-m OT(n, L):
– Communication: (2nk + mnL) bits
• OT(n, L) → 1-out-of-m OT(n/log m, L log m)
– Communication: (n/log m)(2k + mL log m) bits
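Added example (not from the talk or the paper): the coding-theoretic framework of the last three slides in Python, parameterised by the code C. Instantiating C with the repetition code gives IKNP; instantiating it with a Walsh-Hadamard code of length k = 256 (here with m = k codewords, an assumption of the example; the paper's concrete Hadamard instantiation may differ) gives 1-out-of-256 OT with d = 128, i.e. a loss of m·2^{-d} = 2^{-120}. It also carries out the packing OT(n,L) → 1-out-of-m OT(n/log m, L log m) and checks the communication counts 2nk + mnL and (n/log m)(2k + mL log m). The seed OTs are taken as given in the row-wise view (q_i = t_i ⊕ (C(r_i) ⦿ s)), SHA-256 stands in for H(i, ·), and all function names are the example's own.

```python
import hashlib
import secrets


def walsh_hadamard_code(k):
    """Walsh-Hadamard code of length k = 2^j: message r in [k] -> bits <r, x>_2 for x in [k].
    Returns (codeword table, m = k). Linear, so min distance = min weight = k/2."""
    assert k > 1 and k & (k - 1) == 0, "k must be a power of two"
    cw = [sum((bin(r & x).count("1") & 1) << x for x in range(k)) for r in range(k)]
    return cw, k


def repetition_code(k):
    """IKNP's row-wise encoding 0 -> 0^k, 1 -> 1^k (m = 2)."""
    return [0, (1 << k) - 1], 2


def min_distance(cw):
    """d of the code: minimum Hamming distance over all codeword pairs."""
    return min(bin(a ^ b).count("1") for i, a in enumerate(cw) for b in cw[i + 1:])


def H(i, q, k, L):
    """Code-correlation-robust hash H(i, .): {0,1}^k -> {0,1}^L.
    SHA-256 stands in (assumption of this example); requires L <= 256."""
    d = hashlib.sha256(b"KK13" + i.to_bytes(4, "big") + q.to_bytes((k + 7) // 8, "big")).digest()
    return int.from_bytes(d, "big") >> (256 - L)


def kk_ot(code, x, r, k, L):
    """n 1-out-of-m OTs of L-bit strings. x[i]: list of m ints, r[i] in [m].
    Returns (receiver outputs, bits sent on the wire)."""
    cw, m = code
    n = len(x)
    T = [secrets.randbits(k) for _ in range(n)]   # Receiver's random T
    s = secrets.randbits(k)                       # Sender's random s
    # Seed OTs, row-wise view: Receiver offers columns (t^j, u^j) with U = T xor C(R),
    # Sender takes column s_j of each pair, so q_i = t_i xor (C(r_i) AND s).
    # Shipping the two masked n-bit columns per seed OT costs 2nk bits.
    Q = [T[i] ^ (cw[r[i]] & s) for i in range(n)]
    bits = 2 * n * k
    # Sender: y_{i,v} = x_{i,v} xor H(i, q_i xor (C(v) AND s)) for every v in [m]: mnL bits
    y = [[x[i][v] ^ H(i, Q[i] ^ (cw[v] & s), k, L) for v in range(m)] for i in range(n)]
    bits += m * n * L
    # Receiver: q_i xor (C(r_i) AND s) = t_i, so H(i, t_i) unmasks exactly y_{i, r_i}
    z = [y[i][r[i]] ^ H(i, T[i], k, L) for i in range(n)]
    return z, bits


def ot2_from_otm(code, x2, r2, k, L):
    """n 1-out-of-2 OTs of L-bit strings from n/log m 1-out-of-m OTs of (L log m)-bit strings.
    Each 1-out-of-m instance serves w = log m of the 1-out-of-2 OTs: selector v in [m]
    carries their w choice bits, and string v concatenates the halves those bits select."""
    cw, m = code
    w = m.bit_length() - 1                        # log2 m
    n = len(x2)
    assert n % w == 0
    xm = [[sum(x2[b + j][(v >> j) & 1] << (j * L) for j in range(w)) for v in range(m)]
          for b in range(0, n, w)]
    rm = [sum(r2[b + j] << j for j in range(w)) for b in range(0, n, w)]
    zm, bits = kk_ot(code, xm, rm, k, w * L)
    mask = (1 << L) - 1
    z2 = [(zm[i // w] >> ((i % w) * L)) & mask for i in range(n)]
    return z2, bits


def demo(n=64, k=256, L=16):
    """Constructed random inputs; returns correctness flags, d, loss exponent and bit counts."""
    wh = walsh_hadamard_code(k)                   # m = 256, d = 128
    cw, m = wh
    d = min_distance(cw)
    x = [[secrets.randbits(L) for _ in range(m)] for _ in range(n)]
    r = [secrets.randbelow(m) for _ in range(n)]
    z, bits_m = kk_ot(wh, x, r, k, L)
    x2 = [[secrets.randbits(L), secrets.randbits(L)] for _ in range(n)]
    r2 = [secrets.randbits(1) for _ in range(n)]
    z_rep, bits_rep = kk_ot(repetition_code(k), x2, r2, k, L)   # IKNP as the m = 2 case
    z_pack, bits_pack = ot2_from_otm(wh, x2, r2, k, L)          # n/log m packed instances
    return {
        "d": d, "loss_log2": (m.bit_length() - 1) - d,          # m * 2^-d = 2^(log m - d)
        "otm_ok": all(z[i] == x[i][r[i]] for i in range(n)),
        "rep_ok": all(z_rep[i] == x2[i][r2[i]] for i in range(n)),
        "pack_ok": all(z_pack[i] == x2[i][r2[i]] for i in range(n)),
        "bits_otm": bits_m, "bits_rep": bits_rep, "bits_pack": bits_pack,
    }


if __name__ == "__main__":
    print(demo())
```

With k = 256 the packed variant sends (n/8)(512 + 256·8·L) bits against IKNP's n(512 + 2L): for GMW (L = 1) that is 320n versus 514n bits, the “factor ≈ 2” for 1-out-of-2 OT claimed on the next slide, at the price of m = 256 evaluations of H per packed instance instead of 2 per OT.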
Efficiency
• Concrete:
– Hadamard codes for encoding
– Factor ≈ 2 for 1-out-of-2 OT and GMW for k=256
• Additional optimizations lead to factor ≈ 3.5
• Asymptotic comm. cost per OT: O(k/log k) bits
Conclusions
• OT Extension motivated by PKE >> SKE
– Huge impact on practicality of SFE
• Coding theoretic framework for [IKNP03]
– RO or “code correlation robust hash functions”
• Improvements for GMW, OT, 1-out-of-m OT
• Rethink GMW vs. Yao?
– Also [KK12], [NNOB12], [SZ13], [ALSZ13]
Thank You!
The research leading to these results has received funding from the European Union's Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 259426 – ERC – Cryptography and Complexity