Semi-Honest to Malicious Oblivious-Transfer The Black-box Way

1
Semi-Honest to Malicious Oblivious-TransferThe
Black-box Way
Iftach Haitner
Weizmann Institute of Science
2
Why should we reconsider these old constructions?
I have a dream, Lets do Key-agreement from
one-way functions Barak showed that black-box
separations are not that meaningful OK, but
what about GMW, it is not black-box!
mm... But what about Impagliazzo-Rudich
black-box impossibility result? This was in a
different setting. No one broke the black-box
barrier in the setting you are talking about Well
....
3

• Whether non black-box techniques are superior to
  black-box ones?
• Non black-box techniques are typically less
  efficient.
• When using a black-box reduction, the
  round-complexity of ? is independent of the
  exact implementation of the parties of ?

Trapdoor permutations based semi-honest OT
Malicious OT
3
4
(Fully) Black-Box Reductions

• A fully black-box reduction from B to A
• Black-box construction.
• Black-box proof of security. Adversary for
  breaking B ) adversary for breaking A

5
Black-Box Reductions (cont.)

1. Most reductions in cryptography are (fully)
   black-box, e.g., from pseudorandom generators to
   one-way functions.
2. Few non black-box techniques that apply in
   restricted settings (typically using ZK
   proofs).Example from malicious security to
   semi-honest security GMW

5
6
Oblivious Transfer (OT) Rabin 81
(one-out-of-two version EGL 85)
Receiver Index i 2 0,1
Sender bits ?0 and ?1

• Correctness - the receiver learns ?i
• Sender's privacy - the receiver learns nothing
  about ?1-i
• Receiver's privacy - the sender learns nothing
  about i
• Complete for secure function evaluation
  GMW87,K88
• Implied by (enhanced/dense) trapdoor
  permutations, homomorphic encryption,...
  GKL87,H04,K97,S98

6
7
Oblivious Transfer cont.

• Different types of security
• Semihonest adversaries
• Malicious adversaries
• Typical constructions of OT
• Hardness assumption ) semihonest OT
• Using non-black-box techniques ) Malicious OT
• The second reduction is typically inefficient
  (round-wise)

Black-box
7
8
Defensible Privacy IKLP 06

• A natural model of security between semi-honest
  to full-fledged (malicious) security.
• After the protocol ends, the adversary cannot
  simultaneously learn non-permissible information
  and defend its behavior provide input and
  random-coins that justify its behavior.
• Example Defensible OT
• The sender cannot simultaneously learn the index
  i
• and give a valid defense.

8
9
Defensible Privacy cont.

• Let ? (A,B) be a protocol for computing f (fA,
  fB)

• ? is defensibly private for B, if no efficient A
  can simultaneously
• Output a good defense (iA,rA)
• Learn inf (iB) not determined by fA(iA,iB)
• The privacy of B might be violated when A does
  not give a valid defense
• After giving the defense, As privacy might be
  ruined
• Implies semi-honest privacy

9
10
The Usefulness of Defensible Privacy

• Ishai Kushilevitz Lindel Petrank 06
• Enhanced TDP, homomorphic encryption )
  Defensible-OT
• Defensible-OT ) Malicious-OT
• Both reductions are (fully) black-box

Malicious OT
Defensible OT
Semi-Honest OT
TDP
10
11
Defensible-OT ) Malicious-OT IKLP 06
(simplified version)
Def-OT1
Def-OT2
Def-OT3
?
Def-OTn

1. Interact in n defensible OTs using random inputs
2. Verify the defense of half of the OTs
3. Combine the remaining OTs to get the desired OT
   functionality (randomized self reducibility)

12
Our Results

• Main Theorem
• Assuming that OWFs exist, for every
  functionality there exists a fully-black-box
  reduction from defensible privacy to semi-honest
  privacy.
• the functionality has some natural sampling
  property /stronger assumption about the
  semi-honest privacy
• preserves statistical privacy of either of the
  parties
• black-box w.r.t. to the OWF
• Corollaries
• Black-box reduction from malicious OT to
  semi-honest OT
• Black-box reduction from malicious OT to
  dense-TDP, non-trivial PIR, ...
• Black-box reduction from secure function
  evaluation with static malicious adversaries, to
  semi-honest OT.

Imply semi-honest OT
trapdoor perm. homomorphic enc
Defensible OT
black box
12
13
The Reduction

• Given a protocol ? (A,B) for computing f, which
  is semi-honest private for B and a OWF. We
  construct a protocol ?D (AD,BD) which
• computes f
• defensibly private for BD
• preserves the same privacy for AD
• We achieve our main result by applying the above
  reduction twice

13
14
The Reduction cont.

• AD(iA,rA)

BD(iB,(rB, rA))
Proof of Security Privacy of AD - follows by the
hiding of Com Privacy of BD - assume that AD
violates the defensible privacy of BD, we use it
to construct A for breaking the semi-honest
privacy of B (in ?)
14
15
Algorithm A
AD gives a valid defense ) (iA,rA)
Decom(C) ) AD acts as A(iA,rA) ) the emulated B
acts correctly ) ? is a good guess for iB
Emulated interaction with AD
Real interaction with B
AD
B
BD
A
If AD gives a valid defense let (iA,rA)
Decom(C) Otherwise, output a random guess for iB
If AD outputs a valid defense, output ? as the
value of iB Otherwise, output a random guess
The emulated B acts as B does on the real
execution Let ? be ADs guess for iB
16
Summary

• We give a black-box reduction from malicious
  oblivious transfer to semi-honest oblivious
  transfer.
• Supports the conjecture that, in some settings,
  black-box techniques are as strong as
  non-black-box ones.
• Open Questions
• Better understanding of defensible privacy
• Middle step in other reductions?
• Useful in its own sake?
• Characterizing the class of functions for which
  secure evaluation can be black-box reduced to
  semi-honest evaluation?
• randomized self reducibility

16