More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries

Transcription

1 Moe Efficient Oblivious Tansfe Extensions with Secuity fo Malicious Advesaies Gilad Ashaov Yehuda Lindell Thomas Schneide Michael Zohne Hebew Univesity Ba-Ilan Univesity Damstadt Damstadt EUROCRYPT 2015

2 Fom Theoy to Pactice [Yao82,Yao86,GMW87,BGW88,CCD88,RB89, ] Secue computation becomes pactical! [MNPS04,LP07,LPS08,PSSW09,KSS12,FN13,SS13,LR14,HKK+14, FJN14,NNOB12,LOS14,DZ13,DLT14,DCW13,JKO13]

3 1-out-of-2 Oblivious Tansfe Sende Receive INPUT: Sende holds two stings (x0,x1), Receive holds OUTPUT: Sende leans nothing, Receive leans x,

4 Oblivious Tansfe and Secue Computation OT is a basic ingedient in (almost) all potocols fo secue computation Potocols based on Gabled Cicuits (Yao): 1 OT pe input [LP07,LPS08,PSSW09,KSS12,FN13,SS13,LR14,HKK+14,FJN14] Potocols based on GMW: 1+ OT pe AND-gate TinyOT [NNOB12,LOS14] MiniMac potocols [DZ13,DLT14]

5 How Many OT s? The AES cicuit: Uses 2 19 OTs (when evaluated with TinyOT) The PSI cicuit: (fo b=32,n=2 16 ) Uses 2 30 OTs (when evaluated with TinyOT) Using [PeiketVaikuntanathanWates08]: 350 OTs pe second 1M (2 20 ) OTs > 45 minutes(!) 1G (2 30 ) OTs > minutes > 1 month [ChouOlandi15] OTs pe second (?)

6 OT Extensions Small amount of base OTs (secuity paamete) + (cheap) pivate-key cypto Many OTs

7 OT Extension and Related Wok Intoduced in [Beave96] Ishai, Kilian, Nissim, Petank [IKNP03] Extending Oblivious Tansfe Efficiently Optimizations semi-honest: [KK13, ALSZ13] Optimizations malicious: [La14,NNOB12,HIKN08,Nie07]

8 This Wok Efficient potocol fo OT extension, malicious advesay, based on IKNP It outpefoms all pevious constuctions Optimizations, implementation This Talk: IKNP potocol Ou potocol, its secuity (Implementation) and pefomance

9 Extending OT Efficiently 1 [IKNP03] 1 Semi-honest

10 IKNP - Idea m Many OTs expensive

11 IKNP - Idea m k Few OTs of long stings m Many OTs

12 IKNP - Implementation k k Few Shot OTs k + long messages m Many OTs m

13 In Pactice [ALSZ,CCS13] k k Few Shot OTs + long messages m Many OTs Implementation: see SCAPI

14 IKNP {x 0, x 1 } m j j j=1 = ( 1,..., m ) s = (s 1,...,s l ) k 1 s 1,...,k l s l Base OTs {k 0,k 1 } l i i i=1 Q u 1,...,u l u i = G(k i 0 ) G(k i 1 ) T * * y j 0 = x j 0 H (q j ) y j 1 = x j 1 H (q j s) y j 0, y j 1

15 When Moving to Malicious The potocol is aleady secue with espect to malicious Sende The Receive sends many messages of the same fom u 1,...,u l u i = G(k i 0 ) G(k i 1 ) Secuity against malicious Receive: we must guaantee that it uses the same value in these messages

16 {x 0, x 1 } m j j j=1 The Potocol = ( 1,..., m ) Base OTs u 1,...,u l u i = G(k i 0 ) G(k i 1 ) Q T Consistency Check of y j 0 = x j 0 H (q j ) y j 1 = x j 1 H (q j s) y j 0, y j 1

17 The Consistency Checks

18 Consistency Check u i = G(k i 0 ) G(k i 1 ) u j = G(k j 0 ) G(k j 1 )

19 Consistency Check u i = G(k i 0 ) G(k i 1 ) u j = G(k j 0 ) G(k j 1 ) u i = t i 0 t i 1 u j = t j 0 t j 1 u i u j = t i 0 t i 1 t j 0 t j 1 u i u j t i s i t j s j? = t i 1 s i t j 1 s j H(u i u j t i s i t j s j )? = H(t i 1 s i t j 1 s j )

20 Consistency Check h 0,0 i, j = H (t 0 i t 0 j ) h 0,1 i, j = H (t 0 i t 1 j ) h 1,0 i, j = H (t 1 i t 0 j ) h 1,1 i, j = H (t 1 i t 1 j ) Fo evey pai (i,j) u 1,...,u l {h 0,0,h 0,1,h 1,0,h 1,1 } i, j i, j i, j i, j i, j Alice checks that evey pai (i,j): 1 s h i,1 s j i, j? = H (u i u j s t i s i t j j ) s h i,s j s i, j? = H (t i s i t j j )

21 Does it wok? Ou check is not sound: The advesay can still send u i, u j, with i j But, it takes a isk Effectively, in ode to pass the veification of (i,j) it has to guess eithe si o sj Ou check guaantees the following: If the advesay ties to cheat with u i, u j it gets caught with pobability 1/2!

22 Consistency Check Receive cannot cheat in many messages with each cheat - one bit of s is leaked s is the secet key of the sende Solution - incease the size of s k k ρ l 2 But wait you have amount of checks Do we eally need this huge amount of checks? l

23 How many checks do we eally need?

24 How many checks do we eally need?

25 How many checks do we eally need?

26 How many checks do we eally need?

27 The needed popety: Fo any lage enough" set of bad vetices (> p=40 ), thee exists p-matching with the good vetices

28 How many checks do we eally need?

29 How many checks do we eally need? 1 2 4

30 How many checks do we eally need? 1 2 4

31 How Many Checks? The needed popety: Fo any lage enough" set of bad vetices (> p=40 ), thee exists p-matching with the good vetices We show that andom d-egula gaph satisfies the above (fo appopiate set of paametes) Fo k=128, p= base OTs, complete gaph: base OTs, d=2, checks: base OTs, d=3, checks: 531 Covet: (168 base OTs) pobability 1/2, just andom 7 checks!

32 Instantiation of H [IKNP] assumes that H is Coelation-Robust Sometimes, in ode to gain moe efficiency, potocols need some stonge popeties of H, and so it is assumed to be a Random-Oacle Coelation-obustness is much moe plausible assumption than andom-oacle We have some leakage of s, and so H is assumed to be Min-Entopy Coelation Robustness

33 Pefomance

34 Empiical Evaluation Benchmak: 2 23 =8M OTs Local scenaio (LAN): Two seves in the same oom (netwok with low latency and high bandwidth) 12 sec (190 base OTs, 380 checks) Cloud scenaio (WAN): Two seves in diffeent continents (netwok with high latency and low bandwidth) 64 sec (174 base OTs, 696 checks)

35 Compaison - LAN Setting

36 Compaison - WAN setting

37 Conclusions Moe efficient OT extension - moe efficient potocols fo MPC Optimized OT extension potocol, malicious advesay Combination of theoy and pactice Thank You!