Verifiable Distributed Oblivious Transfer and Mobileagent Security

1
Verifiable Distributed Oblivious Transfer and
Mobile-agent Security

• Speaker Sheng Zhong
• (joint work with Yang Richard Yang)
• Yale University

2
Outline

• ? Problem Formulation
• OT ? DOT ? VDOT
• VDOT Design
• Secret Sharing One-round OT
• Cheater Identification
• Application in Mobile-agent Security

3
Problem Formulation

• Oblivious Transfer (OT)
• Distributed Oblivious Transfer (DOT)
• Extension of OT with Distributed Proxy
• Verifiable Distributed Oblivious Transfer (VDOT)
• Extension of DOT with Verifiability

4
(No Transcript)
5
(No Transcript)
6
Why VDOT?

• What if a proxy server cheats (deviates from the
  protocol) ?
• Receiver gets wrong shares cannot recover chosen
  item correctly.
• ?DOT only works in semi-honest model.
• ? Needs Verifiable DOT VDOT
• Receiver can verify consistency of shares before
  recovery (i.e., can detect cheating)

7
Additional Requirement

• Now Receiver can detect cheating. Then what to do
  if cheating is detected?
• Receiver should identify who has cheated
• Receiver should accuse cheater(s)
• Public should verify the accusation

8
Summary of VDOT Security

• Senders privacy Receiver colluding with t1
  proxy servers knows nothing about the item not
  chosen
• Receivers privacy Sender colluding with t2
  proxy servers knows nothing about which item is
  chosen
• Verifiability of share consistency
• Verifiability of accusation if cheating is
  detected

9
Progress of Talk

• Problem Formulation
• OT ? DOT ? VDOT
• ?VDOT Design
• Secret Sharing One-round OT
• Cheater Identification
• Application in Mobile-agent Security

10
VDOT Design

• Basic Idea
• One-round OT Secret Sharing
• Bellare-Micali OT Feldman VSS
• Major difficulty Allow verification of
  consistency of both items (but only one item
  will finally be decrypted)
• ? Need to
• verify on encrypted shares

11
Secret Sharing

• Feldmans Verifiable Secret Sharing (VSS)
• Secret s
• Share PjP(j), where P is a poly. with s as the
  constant term
• Commitment to share Pj?Pj, where ? is a
  primitive root

12
(No Transcript)
13
(No Transcript)
14
(No Transcript)
15
(No Transcript)
16
Potential Problem in Cheater Identification

• Receiver only needs t shares to recover an item.
  Therefore
• If he can see more shares, maybe these are the
  shares of the other item ? he derives the other
  item with the help of cheating servers
• Need to limit the number of shares the receiver
  sees!
• But (uncarefully designed) cheater identification
  procedure may allow receiver / cheating servers
  to see more shares

17
Solution to Potential Problem

• Re-randomize all shares using randomness whose
  discrete log is unknown
• Identify cheaters on these re-randomized shares
• Use ZK proofs to force honest behavior in
  re-randomizations
• See paper for details

18
Progress of Talk

• Problem Formulation
• OT ? DOT ? VDOT
• VDOT Design
• Secret Sharing One-round OT
• Cheater Identification
• ? Application in Mobile-agent Security

19
Mobile Agent Computation Architecture (threshold
extension of ACCK2001)
20
Mobile Agent ComputationBasic Idea

• ACCK2001 apply Yaos garbled circuits, which
  needs OT between trusted proxy and receiver.
• Our proposal threshold extension.
• Replace trusted proxy with group of servers
• Needs threshold extension of OT with
  verifiability.
• ?Use VDOT

21
Performance Overhead of Garbled Circuits
22
Performance Overhead of VDOT
23

• THANK YOU!