Oblivious Transfer (OT) - PowerPoint PPT Presentation

About This Presentation
Title:

Oblivious Transfer (OT)

Description:

... computed securely using a broadcast channel against an active adversary who has ... A is the sender, B is the chooser. A sends the gate tables to B ... – PowerPoint PPT presentation

Number of Views:414
Avg rating:3.0/5.0
Slides: 32
Provided by: mar8241
Learn more at: https://www.cise.ufl.edu
Category:

less

Transcript and Presenter's Notes

Title: Oblivious Transfer (OT)


1
Oblivious Transfer (OT)
  • Alice (sender) has n secrets
  • Alice wants to give k secrets to Bob
  • Bob wants the secrets but does not want Alice to
    know which secrets he has

2
Oblivious Transfer 2 to 1
  • OT basics
  • Use of Modular Arithmetic
  • OT design
  • Direct Extension of PKE
  • OT application
  • Secure Function Evaluation
  • Secure Auction

3
OT Coin Toss (The basics)
  • Alice generates 2 primes and computes their
    product, p, which is sent to Bob
  • Bob Performs primality tests to ensure Alice is
    playing fair.
  • Bob guesses a number 0 lt n lt p as a factor of p
  • Chances are he guesses wrong but Bob computes m
    n2 mod p and sends this to Alice.
  • Alice knows the original number, p, and she looks
    for all numbers less than p that generate a
    remainder of m. This can be done fairly easily
    using the Chinese Remainder Theorem

4
OT Coin Toss Cont
  • Alice will find at least 1 pair of such numbers,
    she will then send 1 of the pairs, p , to Bob.
  • O n p. He will then calculate the gcd(O,p)
  • This will yield either a trivial result or a
    factor of p which Bob will send to Alice.
  • There is a 50 chance that Alice sends the
    nontrivial p to Bob.
  • Bob has a slight advantage in that he picks the
    original n, but there is a negligible chance that
    Bob randomly pick an n that factors p. Peterson

5
Original OT
  • The transfer is somewhat like a simple game
    played with a locked box requiring two different
    keys. A sender transfers the locked box to a
    recipient, who finds one key that partially
    unlocks the box. The sender has both keys and,
    without seeing what the recipient has done, must
    now pass on one of the two keys. Depending on
    which key is sent, the recipient will either
    succeed or fail in opening the box. Although the
    sender's choice controls the outcome, the sender
    never knows which choice to make to guarantee a
    certain result.

6
The Heart of OT
  • Sender remains unsure of outcome
  • We want more
  • Want to share secrets not just have a fair (50
    chance) to come out with a prime factor of a
    number.

7
OT - PKE
  • Alice generates two public-key/private-key key
    pairs.
  • Bob chooses a key in a symmetric encryption
    algorithm (3DES, for example). He chooses one of
    Alices public keys and encrypts his DES key with
    it. He sends the encrypted key to Alice without
    telling her which of her public keys he used.
  • Alice decrypts Bobs key twice, once with each of
    her private keys. In one of the cases, she uses
    the correct key and successfully decrypts Bobs
    DES key. In the other case, she uses the wrong
    key and only manages to generate a meaningless
    heap of bits that nonetheless look like a random
    DES key.

8
OT PKE cont
  • Alice encrypts both of her messages, each with a
    different one of the DES keys she generated in
    the previous step (one real and one meaningless)
    and sends both of them to Bob.
  • Bob gets one of Alices messages encrypted with
    the proper DES key and the other one encrypted
    with the gibberish DES key. When Bob decrypts
    each of them with his DES key, he can read one of
    them the other just looks like gibberish to him.

9
Conclusion of PKE OT
  • Success
  • Bob now knows one of Alices secrets although
    doesnt know which.
  • Disadvantage
  • Bob does not know if he has Alices first or
    second secret and has no way of finding out.

10
Secure Function Evaluation
  • Application of OT

11
What is Secure Function Evaluation (SFE)?
  • Our goal is to compute f(x1, , xn), the output,
    while at the same time limiting the information
    that each party gains about the other parties
    values (ideally, at the end, each party knows
    their input, and the output of the function, and
    no other information about their opponent that
    isnt inherent in the function definition)

12
Some Uses for SFE
  • The Millionaires problem two millionaires wish
    to determine who has the most money with out
    revealing their exact net worth
  • Voting f(x1, , xn) returns 0 if candidate one
    gets more votes, 1 if candidate two, etc
  • Auctions f(x1, , xn) (i, n) for maximum bid
  • Database computations
  • Database queries

13
Important Considerations in Defining a SFE system
  • What type of adversary? (Passive v. Active,
    Adaptive v. Non-Adaptive)
  • What type of network are the parties connected
    to? (Pairwise Secure, Broadcast, Authenticated)
  • What guarantees do you hope to achieve?
    (Correctness, Privacy)

14
Known Results for SFE
  • If Trapdoor Permutations exist
  • Any function evaluation can be computed securely
    against a passive (honest-but-curious) adversary
  • Any function evaluation can be computed securely
    against an active adversary controlling at most
    one half of the parties
  • SFE over insecure networks
  • any f can be computed securely against an active
    adversary if parties used pairwise channels and
    there are two-thirds majority of honest parties
    BGW, CCD
  • any f can be computed securely using a broadcast
    channel against an active adversary who has
    corrupted less than half of the parties

15
Computing a Function
  • Bob and Alice share a Boolean circuit they wish
    to compute
  • Alices input is a1 b1 Bobs input is a2 b2
  • Define a a1 Ã… a2 b b1 Ã… b2
  • We want a c1, c2 for Alice, Bob, resp., subject
    to c1 c2 (a1 a2)(b1 b2)
  • Alice chooses c1 in 0,1 at random and prepares
    n possible c2 outputs for bob (based on the n
    possible secrets Bob might have)
  • Alice and Bob perform OT and now they have c1 and
    c2 values subject to the above constraints
  • Bob and Alice are now able to evaluate any
    Boolean circuit

16
Two-Party Secure Function Evaluation
  • A assigns each wire i two random values (Wi0,
    Wi1) corresponding to 0 and 1
  • Used as pseudo-random keys (e.g. 80 bits)
  • Wire values denoted as ai (0 or 1)
  • A assigns a garble function to each wire pi
    ai -gt ci
  • (Wibi,ci) denotes the garbled value of wire i
  • Gate function denoted as akg(ai,aj)
  • A creates a table Tg which enables computation of
    garbled output of g (Wkbk,ck) from garbled
    inputs (Wibi,ci) and (Wjbj,cj)

17
Two-Party Secure Function Evaluation
  • The table does not disclose any information about
    the output of g for other inputs
  • Does not reveal input or output values
  • Assume FK(x) Wkbk1
  • The table contains n entries
  • For B to use the table
  • B knows (Wibi,ci), (Wjbj,cj)
  • Finds (ci,cj) in the table
  • Performs XOR with entry in the table to compute
    garbled output (Wkg(bi,bj),ck)
  • Recall that A xor B xor C xor B xor C A
  • Garbled output from garbled inputs and table

18
Two-Party Secure Function Evaluation
  • For each input wire, B and A engage in oblivious
    transfer
  • A is the sender, B is the chooser
  • A sends the gate tables to B
  • A sends a translation table from the garbled
    values of the output wires to output bits
  • By the end of the oblivious transfer stages, B
    has enough information to compute f(x)

19
Two-Party Secure Function Evaluation
  • Security of gates
  • Every masking value (FW(ci)) is used only once
  • Without knowledge of the correct key, masking
    values look random
  • Overhead
  • Communication is performed in one back and forth
    round
  • A can prepare the circuit in advance (one table
    for each of m gates)
  • Computation one oblivious transfer for each
    input bit (n)
  • A and B must perform n exponentiations
  • B must evaluate f
  • Negligible compared to oblivious transfer

20
SFE - Fairplay
  • Fairplay consists of two parts
  • a language SFDL (Secure Function Definition
    Language) that describes the SFE paradigm
  • a compiler that creates a one-pass Boolean
    circuit in a language called SHDL (Secure
    Hardware Definition Language)
  • Bob and Alice then are able to securely evaluate
    the circuit

21
Compiling SFDL
  • SFDL is compiled into a Boolean circuit using an
    SFDL SHDL compiler.
  • The SHDL circuit must have obliviousness built
    in to it
  • No registers, loops, gotos
  • Every gate used exactly once
  • For array indexing a multiplexer is built with
    all values of i hardwired in

22
And Finally
  • There are Alice and Bob programs who take as
    input a SHDL circuit and carry out the secure
    computation protocol

23
SFDL Program Structure
  • First one must declare global constants and
    types, followed by a sequence of functions.
  • Functions must precede any functions that call
    it.
  • Recursion and global variables are forbidden.
  • The last function must be the output function.
  • Variable assignments are as one would expect,
    operators include addition, subtraction, Boolean
    operators, and standard comparison operators.
  • If-then and if-then-else are supported
  • All loops must have a definite number of
    iterations that are known in advance.

24
SFDL Compiler
  • Reads in SFDL program, transforms it, outputs
    program in SHDL format.
  • Compiler performs the following steps
  • Parsing
  • Function inlining and loop unfolding
  • Transformation into single-bit operations
  • Array access handling
  • Single variable assignments
  • Optimization (in terms of circuit size)

25
And Then
  • An oblivious transfer is needed for every input
    wire of the circuit.
  • Bob sends m garbled circuits to Alice, Alice
    randomly chooses one circuit to be evaluated, and
    Bob reveals remaining m-1 circuits. Bob can be
    caught cheating with probability 1-1/m.
  • The two implemented OT methods are based on the
    Diffie-Hellman problem.

26
Results
  • Authors performed tests on four functions
  • AND bitwise and on Alice and Bobs inputs
  • Billionaires 32 bit input for Bob and Alice,
    which it compares
  • Keyed Database Search Bob has a keyed database,
    Alice retrieves items by specifying its key
  • Median finds median of two sorted arrays

27
Whats the Point?
  • Secure Auction System
  • GOAL
  • Keep bids secret from auctioneer
  • Auctioneer only needs to know
  • identification of highest bidder
  • clearing price
  • Need a third entity
  • Auction issuer
  • Create protocol where neither auctioneer nor
    auction issuer have full information about
    bidders and bids
  • Assumption auctioneer and auction issuer do not
    collude

28
Auctions
  • Auction consists of three types of entities
  • Bidders, auctioneer, auction issuer
  • Protocol
  • Auctioneer advertises details of auction
  • Rules, times, AI
  • AI creates an encryption scheme for each bidder
    to use
  • Bidders submit encrypted bids to the auctioneer,
    using the AIs encryption scheme
  • AI generates a program to compute the outcome of
    the auction based upon the encrypted bids, then
    sends circuit and output translation table to
    auctioneer
  • Auctioneer uses inputs and program to compute
    outcome of auction

29
Secure Function Evaluation for Auctions
  • Auctioneer must compute f(x1,,xn) result of
    auction lti,pgt
  • i winner
  • p clearing price
  • AI constructs circuit to compute auction result
    and garbles it
  • Auctioneer advertises auction and AIs public key
    (P. OT)
  • Each bidder engages in a 1-of-2 proxy oblivious
    transfer (for each bit)
  • AI is sender (garbled input bit value-pairs)
  • Bidder is the chooser
  • Auctioneer is proxy
  • Note that the auction issuer doesnt receive any
    inputs
  • Auctioneer computes outcome of auction
  • AI provides output translation table

30
Future Work
  • Improve performance
  • Security against malicious parties
  • Fair termination
  • Reactive secure computation
  • Integrating other SFE primitives
  • Multi-party computation

31
Acknowledgments
  • By Dahlia Malkhi, Noam Nisan, Benny Pinkas, and
    Yaron Sella (SFE)
  • Ivars Peterson (OT Coin Toss)
Write a Comment
User Comments (0)
About PowerShow.com