Robust Combiners for Oblivious Transfer and Other Primitives - PowerPoint PPT Presentation

About This Presentation
Title:

Robust Combiners for Oblivious Transfer and Other Primitives

Description:

Examples: `physical implementations (noisy channel, quantum ... For all but bit commitment there is a direct construction of a combiner Example: ... – PowerPoint PPT presentation

Number of Views:63
Avg rating:3.0/5.0
Slides: 30
Provided by: 8027
Category:

less

Transcript and Presenter's Notes

Title: Robust Combiners for Oblivious Transfer and Other Primitives


1
Robust Combiners for Oblivious Transfer and Other
Primitives
  • Danny Harnik Joe Kilian
    Moni Naor
  • Omer Reingold Alon Rosen

Weizmann Institute of Science
2
Do Not Put All Your Eggs in One Basket
3
Example Encryption
  • Two candidates for encryption algorithms
  • At least one is secure
  • Maybe one is not!
  • Which one to use ???
  • Goal Combine the two into a single algorithm
  • Should be secure even if one is not!
  • We call such a construction a Robust Combiner for
    encryption.

EncryptB
EncryptA
Encrypt
4
Robust Combiners
  • A Robust Combiner for a cryptographic primitive
  • A method for taking two candidate implementations
    of a primitive and producing a single
    implementation so that
  • If at least one candidate is secure then the
    resulting scheme is secure
  • In general (k,n)-robust combiner
  • there are n candidates
  • if at least k secure then the result is secure
  • New name for an old concept

5
Some Previous Appearances
  • Herzberg (05) Tolerant schemes
  • Parallel and cascade constructions as combiners.
  • Combiners for encryptions, one-way functions,
    signatures and more.
  • Emphasis on the efficiency of the combiners.
  • Some examples
  • Asmuth Blakely (81) combine two untrusted
    encryption schemes.
  • Multiple encryption is a type of combiner, dates
    back to Shannon (49)
  • Dodis Katz (05) combiner for CCA2 security.
  • Hohenberger Lysyanskaya (05) combine two
    software implementations.
  • More

6
Combiners in Practice
  • NESSIE portfolio for recommended cryptographic
    primitives advocate use of multiple
    encryptions.
  • TLS (IETF) combine SHA1 MD5 hash functions
  • In order to make the PRF as secure as possible,
    it uses two hash algorithms in a way which should
    guarantee its security if either algorithm
    remains secure

7
Combiners as a Theoretical Tool
  • Robust combiners are a handy tool in the
    construction of primitives.
  • Can get rid of mild non-uniformity in
    constructions
  • If a short hint is all that is needed to
    construct an implementation of P, then go over
    all hints and use a (1,k)-robust P-combiner
  • Example The HILL construction of pseudorandom
    generators from one-way functions
  • Finds a construction with mild non-uniformity
  • Then uses a combiner for PRGs to give a uniform
    construction.

8
Example - Universal Primitives
  • A scheme U is a universal scheme for a primitive
    P if it is guaranteed to be secure under the sole
    assumption that primitive P exists.
  • Levin introduced such a construction for OWFs
    (See Goldreichs book).
  • Key to the universal scheme The existence of
    (1,k)-robust combiners.
  • The idea
  • enumerate all programs of code length log n.
  • Use a (1,n)-combiner for primitive P.
  • If P exists then for large enough n, its program
    is included in the n candidates for the combiner.
  • For large enough n the scheme is secure
  • But
  • Works only for uniform constructions.
  • Yields no information for which n it is safe to
    use the construction

Meaning of universal scheme every proof of
existence is also a constructive one!
  • Need some bound on the running time (achieved by
    a padding argument)

9
This Talk
  • Goal of this talk explore when and for what
    primitives it is possible to obtain combiners and
    when it impossible/harder.
  • Outline
  • One-way functions equivalents
  • Key Agreement
  • Oblivious Transfer
  • Impossibility result for (1,2)-combiner
  • Positive results - (2,3)-combiner
  • On (1,n)-combiners from (1,2)-combiners

10
Warm-Up OWF combiners
  • One-way functions
  • Two candidates FA , FB
  • The Combiner F(x,y) FA(x)FB(y)
  • Corollary Combiners also for equivalents of
    one-way functions.
  • robust combiners for
  • Pseudo-random generators
  • Pseudo-random functions
  • Pseudo random permutations
  • Private Key Encryption
  • Signatures
  • Bit commitments

Example
GA
GB
  • This is not always the simplest way!!
  • For all but bit commitment there is a direct
    construction of a combiner
  • ExampleAn efficient combiner for PRG is G(x,y)
    GA(x)?GB(y)
  • Used by HILL

11
Key Agreement (KA)
  • Alice and Bob (who never met before) interact
    over a public channel.
  • They want to agree on a secret key.
  • Two candidates for KA
  • Suppose that Both candidate really reach
    agreement.
  • Combiner simply by XOR of the keys
  • What if functionality is only guaranteed for one
    candidate ?

??
KAA
KAB
12
Key Agreement (cont.)
  • In general, only one candidate is guaranteed to
    be a KA.
  • Security ?
  • Functionality
  • Solution in two stages
  • Run an offline functionality test for each
    candidate.
  • One party simulates the candidate poly(n) times
    (playing both sides)
  • Only if agreement is reached in all instances
    then use candidate.
  • Otherwise agree on 0n
  • Run the XOR combiner
  • Guaranteed agreement with prob 1-1/n
  • Use Error Correcting Code to reach full
    agreement.
  • One side chooses key and divides it into shares
  • The above key agreement is run for each share
  • With overwhelming prob both sides end with same
    key
  • Notes
  • The KA combiner preserves the number of rounds
  • 2 message KA is equivalent to (semantically
    secure) Public Key Encryption
  • ? Robust combiner for PKE

13
Secure Computation
  • We have simple and black-box robust combiners for
    many cryptographic tasks for both private key and
    public key cryptography.
  • What about secure function evaluation (SFE)?
  • In particular, is there a (1,2)-robust combiner
    for the Oblivious Transfer (OT) protocol Rabin
    81
  • Consider the task of voting.
  • Idea for implementation
  • Use electronic ballots from several vendors.
  • Combine them to assure security.
  • OT protocol
  • Bob gets sc.
  • Bob doesnt learn s1-c.
  • Alice does not learn c.
  • OT is complete for SFE !

c
s0,s1
sc
14
Finding OT-Combiners seems hard
  • Want to show an impossibility result but
  • If OT exists, then a combiner can simply ignore
    the candidates and run the OT.
  • We are interested in combiners that rely on the
    candidates security.
  • Consider Black Box Combiners.
  • The candidates are given in a BB manner (as
    oracles)
  • The proof is BB!
  • Breaking the combiner allows
    breaking of both candidates
  • Situation more delicate with
    interactive primitives.

A
B
CMB
15
Interactive protocols Third Party Black Box
Combiners
  • A Third Party Black Box combiner can only execute
    a candidate scheme in its entirety
  • In a call to a candidate, each party gives its
    secret to a trusted third party and gets its
    output
  • additional messages may be exchanged
  • Models the OT as a separate entity. Examples
  • physical implementations (noisy channel,
    quantum)
  • Trusted parties
  • Does not allow arbitrary access to the OT
  • Either to the transcript or to the program
  • Advantages efficiency and generality
  • Downside Too restrictive. In such a reduction,
    OT does not even imply OWFs
  • Theorem There exists no third party BB combiner
    for OT

16
Interactive protocols Transparent Black Box
Combiners
  • We attempt to capture a wider notion of
    combiners.
  • Combiners that can also access the transcript.
  • An interactive protocol is generated using 2
    oracles.
  • a next message oracle (create the next message to
    be sent given the history)
  • An output oracle (generates the local output
    given the transcript)
  • A Transparent Black Box combiner
  • Every time a next message call is invoked then
    this message is sent to the other party.
  • Models using the candidate in the context of the
    protocol.
  • Theorem There exists no transparent BB Combiner
    for OT

17
Impossibility of OT-combiners Some Intuition
  • Consider two naïve implementations of OT
  • OTA the sender gives the receiver s0 and s1
  • Unconditionally secure for the receiver
  • OTB the receiver gives the sender c and the
    latter sends sc
  • Unconditionally secure for the sender
  • What if we apply the combiner on OTA and OTB
  • Do we get an unconditional implementation of OT?
  • Impossible

18
OT transparent black box impossibility
  • Theorem For every transparent BB combiner for OT
    there exists a world in which it can be broken.
  • Broken Either the sender can guess c with
    probability ¾ or the receiver can guess both s0
    and s1 with probability ¾
  • More precisely
  • We show two worlds such that every transparent BB
    OT-combiner is broken in one of them.
  • In general we will be considering the
    honest-but-curious model

19
The two worlds
OTB (f1B,f2B,RECB)
OTA (f1A,f2A,RECA)
  • Good OT via oracles (f1 ,f2, Rec)
  • f1 and f2 length tripling random functions,
    recovery function Rec
  • The protocol
  • Receiver m1 f1(RandR, c)
  • Sender m2 (RandS, s0, s1 m1)
  • Receiver Rec(m2, RandR) sc
  • This is a good implementation of OT (even in
    the presence of a PSPACE-complete oracle)
  • If there is access to f1-1 and f2-1 then this
    implementation is broken
  • World 1
  • OTA and OTB implemented by separate oracles.
  • Contains a PSPACE-complete oracle
  • OTA reveals everything to the sender (access to
    f1A-1 and f2A-1)
  • World 2
  • OTA and OTB
  • Contains a PSPACE-complete oracle
  • OTB reveals everything to the receiver

20
The protocol OTCOMB
  • Consider the OT-combiner taking OTA and OTB as
    candidates.
  • Call this protocol OTCOMB
  • OTCOMB looks exactly the same in world1 and
    world2.
  • OTCOMB should be a secure OT in both worlds.
  • Since one of the OTs is good in each of the
    worlds.
  • Goal show an attack on OTCOMB in at least one of
    the worlds.
  • This would be a contradiction!
  • World 1
  • OTA and OTB implemented by separate oracles.
  • Contains a PSPACE-complete oracle
  • OTA reveals everything to the sender (access to
    f1A-1 and f2A-1)
  • World 2
  • OTA and OTB
  • Contains a PSPACE-complete oracle
  • OTB reveals everything to the receiver

21
The Bare World
  • The bare world contains only a PSPACE-complete
    oracle (no oracles for OT).
  • We give a simulation of OTCOMB in this world,
    called OTBARE.
  • Notice that OTCOMB is well defined as long as we
    plug in implementations of OTA and OTB
  • The idea for OTBARE
  • the sender handles the OTA calls
  • the receiver handles the OTB calls.
  • For example
  • The receiver wants to query OTA,
  • He instead asks the sender this query.
  • The sender chooses random values as answers for
    queries to f1A, f2A. (this imitates the real
    oracle)
  • The sender also records all his answers, giving
    him the ability to correctly answer queries to
    RecA.

22
No OT in the Bare World
  • OTBARE cannot be secure since there is no crypto
    with a PSPACE oracle!
  • More precisely
  • For every execution of OTBARE either the sender
    learns c or the receiver learns both secrets
    (using the PSPACE-complete oracle).
  • The point these attacks can be translated to
    attacks on OTCOMB in one of the two worlds!

23
No OT in the Bare World
OTBARE
OTCOMB
View of sender in World 1
View of sender
View of receiver in World 2
View of receiver
  • Includes
  • senders inputs coins
  • all messages
  • all queries answers to OTA (since he simulates
    OTA)
  • Includes
  • senders inputs coins
  • all messages
  • all queries answers to OTA (since he has
    inverter to OTA and due to tranparency of the
    combiner)
  • Corrolary
  • If sender in the bare world learns c then sender
    of corresponding OTCOMB in world 1 also learns
    c.
  • If receiver in the bare world learns both secrets
    then receiver of OTCOMB in world 2 learns both
    secrets.
  • Altogether every execution is broken in one of
    the two worlds

24
(2,3)-Robust OT-Combiner
  • Define 2 constructions, R and S (from Crepeau
    Kilian 89). Both have OT functionality. Also
  • R takes 2 candidates for OT. Outcome is
  • Secure for the receiver if at least one candidate
    is secure for receiver.
  • Secure for sender only if both are secure for
    sender.
  • S takes 3 candidates for OT. Outcome is
  • secure for the receiver if all 3 are secure.
  • Secure for sender if at least one is secure.
  • Define
  • OTAB R(OTA,OTB)
  • OTAC R(OTA,OTC)
  • OTBC R(OTB,OTC)
  • The (2,3)-combiner is defined as S(OTAB, OTAC,
    OTBC)

25
(1,K)-Combiner from (1,2)-Combiner
  • Existence of (1,2)-combiner is necessary for
    (1,k)-combiners to exist.
  • When are they sufficient?
  • Natural approach
  • Organize the k schemes in a binary tree with k
    leaves.
  • Each node runs the (1,2)-combiner with its
    siblings as candidates.
  • Outcome is secure if at least one leaf is secure.
  • Need to ensure running time is polynomial.
  • If (1,2)-combiner runs in time m?(candidates
    time),
  • total running time is mO(log k)
  • If m is a constant then total time is polynomial
    and the tree construction works.
  • If (1,2)-combiner for OT is found it will not
    likely be that efficient

26
(1,K)-Combiner for OT from (1,2)-Combiner for OT
  • Theorem Any (1,2)-combiner for OT can be used
    for a (1,k)-combiner for OT.
  • Solution use the (2,3)-combiner for OT which
    runs in time 6?(candidates time).
  • Divide the k candidates into 3 groups of size
    2/3k.
  • Each candidate should appear in at least two
    groups.
  • Recursively run a (1,2/3k)-combiner on each
    group.
  • The 3 outcomes are combined using the
    (2,3)-combiner.
  • Running time is polynomial.
  • If (1,2)-combiner runs in time nd,
  • total running time is 18O(log k)nd .

27
Summary for OT Combiners
  • Negative
  • No transparent BB robust combiners for OT
  • Positive
  • OT given hardness of discrete log or factoring.
  • Since the security of one of the sides is
    unconditional
  • There are (2,3)-robust OT-combiner
  • simple and third party black box.
  • (1,2)-combiners for OT suffice for a universal OT
    scheme.
  • Main open problem combiners for OT ????
  • (perhaps non-black-box)

28
Main open problem Non-black box combiners for OT
  • Approaches for non-BB
  • Use the circuit of a function
  • Examples ZK for NP, garbled circuits (Yao)
  • Use the program of the adversary
  • Example Baraks public coin ZK
  • Attempt with garbled circuits
  • consider the circuit for OTA
  • The sender garbles this circuit
  • fixing s0 and s1 and its randomness RandS
  • Let the receiver evaluates his output bit
  • on inputs c and RandR using OTB at the input
    gates.
  • Fails when OTB is insecure

29
Open Problems Commitments
  • For computationally hiding commitment know only
    via full reduction to one-way functions
  • Inefficient and requires the transcript
  • What about information hiding commitments?
  • Not known to be equivalent to OWFs (one-way
    permutations are needed in NOVY)
  • Negative Third party BB impossibility for both
    commitments.
  • Positive
  • Simple (2,3)-combiners (Herzberg)
  • If one sides security is guaranteed, then easy
    (e.g. string commitments that are very short
    (kilian 92))

30
Open Problems
  • Characterize functions where BB combiners exist
  • Efficiency issues can you get a one-way hash
    function without concatenation
  • Especially relevant given recent developments..
Write a Comment
User Comments (0)
About PowerShow.com