Verifiable Distributed Oblivious Transfer and Mobile Agent Security

1
Verifiable Distributed Oblivious Transfer and
Mobile Agent Security

• Sheng Zhong
• (Joint Work with Yang Richard Yang)

2
Problem Formulation

• Mobile Agent A piece of software moving around
  the network, performing a specific task
• Example an agent searching for airline tickets

agent
Internet
3
Problem Formulation (Contd)
Originator
input
output
fun()
4
Security Requirements

• Agent Originators Privacy Originators private
  information (e.g., a buy-it-now price in
  airline-ticket-agent example) in the agent is not
  revealed to hosts
• Hosts Privacy Each hosts private input (e.g.,
  the ask price) and output (e.g., whether to make
  a reservation) to the agent is not revealed to
  other hosts or the originator

5
Solution Framework ACCK01

• Main Idea Use Yaos Garbled Circuit
• Agent is garbled - becomes a blackbox program
  that nobody can read
• Privacy is achieved
• Each host needs to translate I/O of agent to
  complete computation

Translate
(encrypt)
Private Input
Garbled Input
Garbled Output
Private Output
(decrypt)
6
Illustration of Solution Framework
Private Input
Private Output
Input Translation
Output Translation
Garbled Input
Garbled Output
Arrive
Leave
Garbled Agent
7
Need for a Crypto Primitive

• Question How to enable each host to translate
  I/O?
• Output Easy - Supplies translation table to host
• Input Tricky - Must guarantee that only one
  value of input is translated (Dont want host to
  test agent with many possible inputs)

8
Verifiable Distributed Oblivious Transfer (VDOT)

• Introduce a group of proxy servers
• For each input bit Proxy servers hold garbled
  input for 0/1 G(0)/G(1)
• Input bit b ? transfer G(b) to host
• No information about G(1-b) is revealed to host
• No information about b is revealed to proxy
  servers
• Proxy servers cannot cheat host with incorrect
  G(b)

9
VDOT (Contd)

• All the above requirements are satisfied under a
  threshold trust assumption
• VDOT further extends Distributed Oblivious
  Transfer (DOT) NP00, which extends the
  extensively studied Oblivious Transfer (OT)
  Rabin81,
• Difference Consider malicious proxy servers
  instead of semi-honest servers
• Key technical component of our solution

10
Analysis of VDOT Security Requirements

• Input bit b ? transfer G(b) to host
• No information about G(1-b) is revealed to host
• No information about b is revealed to proxy
  servers

1-out-of-2 Oblivious Transfer (OT)

• Detection of Cheating

• Proxy servers cant cheat host w/ incorrect G(b)

• Identification of Cheater

11
Design of VDOT

• First Idea Add Detection of Cheating to
  1-out-of-2 OT
• Choose a distributed variant of Bellare-Micali OT
  BM89 as basis of design
• G(0), G(1) shared among proxy servers
• Transfer shares of G(0), G(1) in encrypted form
• Only shares of G(b) can be decrypted

12
Consistency Verification on Encrypted Shares

• Observation detect cheating detect existence
  of incorrect shares without decrypting any share
• Using variant of Shamir Secret Sharing ?
  existence of incorrect shares inconsistency of
  shares (Why?)

13
Consistency Verification on Encrypted Shares
(Contd)

• Variant of Shamir Secret Sharing based on
  degree-(t-1) polynomial
• Each share a point
• Share is correct point is on polynomial
• Consistent means on same polynomial of
  degree-(t-1)
• Correct shares are all consistent incorrect
  shares are inconsistent with correct ones

14
Illustration of Consistency Verification
Correct share
Incorrect share
15
Achieving Consistency Verification on Encrypted
Shares

• To verify consistency on clear text shares, we
  can use Lagrange interpolation
• Question How can we achieve consistency
  verification on encrypted shares?
• Answer Use Homomorphic property of ElGamal
  Encryption - recall Bellare-Micali OT is based on
  ElGamal Encryption

16
Achieving Consistency Verification on Encrypted
Shares (Contd)
ElGamal Encryption of a Share
For i t1, , n
Need
Consistency verification using Lagrange
interpolation
17
Analysis of Need
Share k among proxy servers using Feldman VSS
share ki private key commitment public key
rj,1rj,2rj,nrj
18
Identification of Cheater

• After Consistency Verification on Encrypted
  Shares What if an inconsistency is found?
• Want Find the cheaters
• Assume of dishonest parties
• Find set S of shares (St) s.t.
• Majority of shares outside S are consistent with
  those in S - let M be the set of all shares
  outside but consistent with S
• Claim 1,2,,n (S ? M) is the set of
  cheaters!

19
Identification of Cheater (Contd)

• Question Why can we make the claim?
• Answer M (n-t)/2 ? S ? M t (n-t)/2
• ? at least t proxy servers in S ? M are honest
• ? the degree-(t-1) polynomial constructed in
  Lagrange interpolation using shares in S is
  correct
• ? all shares in S ? M are correct
• ? the remaining shares belong to cheaters

20
Performance Overhead of Garbled Circuits
21
THANK YOU