Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply

Similar documents
MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer

1 Number Theory Basics

Multiparty Computation

Computing on Encrypted Data

ECS 189A Final Cryptography Spring 2011

A New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank

Introduction to Cryptography. Lecture 8

Lecture 1: Introduction to Public key cryptography

SPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

1 Basic Number Theory

Lecture 22: RSA Encryption. RSA Encryption

Multiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011

Oblivious Transfer (OT) and OT Extension

Lecture 28: Public-key Cryptography. Public-key Cryptography

ASYMMETRIC ENCRYPTION

Lattice-Based Non-Interactive Arugment Systems

Provable security. Michel Abdalla

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Secure Arithmetic Computation with Constant Computational Overhead

Review. CS311H: Discrete Mathematics. Number Theory. Computing GCDs. Insight Behind Euclid s Algorithm. Using this Theorem. Euclidian Algorithm

Benny Pinkas Bar Ilan University

Lecture 18: Message Authentication Codes & Digital Signa

Extending Oblivious Transfers Efficiently

Lecture 38: Secure Multi-party Computation MPC

Multi-Party Computation with Conversion of Secret Sharing

A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

Public-Key Encryption: ElGamal, RSA, Rabin

Additive Conditional Disclosure of Secrets

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)

Keyword Search and Oblivious Pseudo-Random Functions

8 Elliptic Curve Cryptography

Introduction to Cryptography Lecture 13

Security of Symmetric Primitives under Incorrect Usage of Keys

Introduction to Modern Cryptography Lecture 11

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Yuval Ishai Technion

Fully Homomorphic Encryption

Notes for Lecture 17

Public Key Cryptography

Lecture Notes 20: Zero-Knowledge Proofs

Secure Equality and Greater-Than Tests with Sublinear Online Complexity

Oblivious Evaluation of Multivariate Polynomials. and Applications

Lecture 11: Key Agreement

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Introduction to Cybersecurity Cryptography (Part 4)

i-hop Homomorphic Encryption Schemes

Scribe for Lecture #5

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Lecture Note 3 Date:

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

1 Indistinguishability for multiple encryptions

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Introduction to Cybersecurity Cryptography (Part 4)

Are you the one to share? Secret Transfer with Access Structure

Cryptography IV: Asymmetric Ciphers

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Commitment Schemes and Zero-Knowledge Protocols (2011)

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Foundations of Homomorphic Secret Sharing

Post-quantum security models for authenticated encryption

Error-Tolerant Combiners for Oblivious Primitives

4-3 A Survey on Oblivious Transfer Protocols

Pseudorandom Generators

Public Key Cryptography

A New Approach to Practical Active-Secure Two-Party Computation

Machine Learning Classification over Encrypted Data. Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser

Lattice Based Crypto: Answering Questions You Don't Understand

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Fully Homomorphic Encryption from LWE

Evaluating 2-DNF Formulas on Ciphertexts

Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology

An Overview of Homomorphic Encryption

Theory of Computation Chapter 12: Cryptography

Lecture Notes, Week 6

Eliminating Quadratic Slowdown in Two-Prime RSA Function Sharing

The Theory and Applications of Homomorphic Cryptography

Winter 2011 Josh Benaloh Brian LaMacchia

1 Cryptographic hash functions

On the CCA1-Security of Elgamal and Damgård s Elgamal

Lecture 15 - Zero Knowledge Proofs

1 Secure two-party computation

Lecture 3,4: Multiparty Computation

16 Fully homomorphic encryption : Construction

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Efficient Set Intersection with Simulation-Based Security

Transcription:

CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University

Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob should compute z 1 + z 2 = (x 1 +x 2 )(y 1 +y 2 ) How do we compute this? = x 1 y 1 + x 2 y 1 + x 1 y 2 + x 2 y 2 Alice can compute this Bob can compute this

On the use of computational assumptions How much can we ask users to trust crypto? 1. Necessary (one way functionsare needed for symmetric crypto, public key crypto is probably needed for 2PC) 2. We must believe that some problems are hard (e.g., breaking RSA or breaking AES). But we should not ask for more trust than needed! 3. Construct complex systems based on well studied assumptions. Then prove (via reduction), that any adv that can break property X of system S can be used to solve computational problem P. 4. If we believe problem P to be hard, then we conclude that system S has property X. 3

The Crypto Toolbox Weaker assumption Stronger assumption OTP >> SKE >> PKE >> FHE >> Obfuscation More efficient Less efficient 4

Reduction Proof If: an adversary can break the security (e.g., learn the secret input x) Then: use this adversary as a subroutine to break the security of some hard problem (e.g., RSA) But: the problem is hard So: the protocol must be secure x E(m) x m 5

Part 2: How to multiply Warmup: Useful OT Properties OT Extension Multiplication Protocols OT-based Pailler Encryption Noisy Encodings

1-2 OT Receiver b m b 1-2 OT m 0,m 1 Sender Receiver does not learn m 1-b Sender does not learn b

1-2 OT Receiver b m b 1-2 OT m 0,m 1 Sender m b = (1-b) m 0 + b m 1 m b = m 0 + b (m 1 - m 0 )

k-n OT Receiver i 1,,i n m i1,,m in k-n OT Sender m 1,,m n

2PC via 1-n OT Receiver x f(x,y) 1-n OT Sender f(1,y),,f(n,y)

Oblivious Transfer = Receiver b bit multiplication 1-2 OT ab + c Sender (c,a+c)

Short OT à Long OT Receiver k-bit strings Sender b b k b 1-2 OT k 0,k 1 m 0,m 1 poly(k)-bit strings m b =prg(k b ) u b u 0 = prg(k 0 ) m 0, u 1 = prg(k 1 ) m 1

Random OT = OT b m c,r c r 0,r 0,m 1 1 ROT m b =r c x b x 0 = r 0 m 0, x 1 = r 1 m 1 if b=c

Random OT = OT b m c,r c ROT r 0,r 0,m 1 1 d = b c m b =r c x b x 0 = r 0 d m 0, x 1 = r 1 d m 1 Exercise: check that it works!

(R)OT is symmetric bits Sender s 0,s 1 ROT b,y=s b c = s 0 s 1 r 0 = y z = s c, z=r 0 r 1 = b r 0 c r 0,r 1 Exercise: check that it works No communication!

Part 2: How to multiply Warmup: Useful OT Properties OT Extension Multiplication Protocols OT-based Pailler Encryption Noisy Encodings

Efficiency Problem: OT requires public key primitives, inherently inefficient

The Crypto Toolbox Weaker assumption Stronger assumption OTP >> SKE >> PKE >> FHE >> Obfuscation More efficient Less efficient 18

Efficiency Problem: OT requires public key primitives, inherently inefficient Solution: OT extension Like hybrid encryption! Start with few (expensive) OT based on PKE Get many (inexpensive) OT using only SKE

OT Extension, Pictorially Starting point: k seed OTs X 0,1 k k X b1,1 U b 1 b k 1-2 OTs X 0 X 1,1 X 1 k n n=poly(k) Input or output? Remember that ROT = OT, it doesn t really make a difference! Remember: OT stretching (see Short OT à Long OT slide earlier) 20

Condition for OT extension X 1 = X 0 c c Problem for active security! 21

OT Extension, Pictorially k X 1 b 1 c U b 1 b k 1-2 COTs X 1 X c k n Correlated OTs n=poly(k) 22

OT Extension, Pictorially U " c %& = " % c & X = b c

OT Extension, Turn your head! U X X U = b c = b c

OT Extension, Pictorially k U b k 1-2 COTs X c k n n=poly(k) 25

OT Extension, Pictorially n U n 1-2 c X n b COTs k k 26

X= H Break the correlation! Y 0 = H U V b b b Y 1 = H U b 27

Breaking the correlation Using a correlation robust hash function H s.t. 1. {a 0,, a n, H(a 0 + r ),, H(a n + r)} // (a i s, r random) 2. {a 0,, a n, b 0,, b n } // (a i s,b i s random) are computationally indistinguishable 28

OT Extension, Pictorially k n Y 1,1 Y 1 Y 0,1 Y 0 n 1-2 ROTs c 1 c Y c1,1 V k n=poly(k) 29

Recap 0. Strech k OTs from k- to poly(k)=n-bitlong strings 1. Send correction for each pair of messages x i 0,x i 1 s.t., x i 0 x i 1 = c 2. Turn your head (S/R swap roles) 3. The bits of c are the new choice bits 4. Break the correlation: y j 0=H(u j ), y j 1=H(u j b) Not secure against active adversaries 30

Recent Results in OT Extension (seereferences at the end) Active secure OT extension essentially as efficient as passive OT. Asharov et al. Keller et al. The columns of the matrix 0 0 0 c c Can be seen as a simple replica encoding of a bit. Better encodings can be used for better efficiency, see e.g., Kolesnikov et al. Cascudo et al. 1 1 1

Part 2: How to multiply Warmup: Useful OT Properties OT Extension Multiplication Protocols OT-based Pailler Encryption Noisy Encodings

Oblivious Linear Evaluation Receiver b ab + c OLE (a,c) Sender Not bits anymore! Could be values in a ring or a field Arithmetic equivalent of OT

n OTs = OLE (Gilboa) Receiver b=(b 0,b 1,,b n-1 ) b i d i =a(2 i b i ) + c i 1-2 OT (c i,a2 i +c i ) Sender a (n bit number) c 0 + +c n-1 =c d 0 + +d n-1 =a(b 0 +2b 1 + +2 n-1 b n-1 )+(c 0 + +c n-1 )=ab+c

Part 2: How to multiply Warmup: Useful OT Properties OT Extension Multiplication Protocols OT-based Pailler Encryption Noisy Encodings

Additive (or Linear) Homomorphic Encryption Pailler is a AHE whose security is related to the hardness of factoring Still an important tool in the protocol designer toolbox!

(Simplified) Pailler Public key: N = pq, with p = q Secret key: Φ(N)=(p-1)(q-1) Pailler works mod N 2 Z * N^2 = Z N Z * N Note that due to choice of parameters gcd(φ(n),n)=1

(Simplified) Pailler (c Z N^2 ) ß Encrypt(m Z N ; r Z * N) Output c = α(m) β(r) mod N 2 Where: α(m) takes care of the homomorphism β(r) takes care of security

α(m) For homomorphism α(m Z N ) = (1+mN) mod N 2 For decryption: α(m) efficiently invertible α -1 (y Z N2 ) = y-1 / N // Integer division For homomorphism: α(m 1 ) α(m 2 ) = α(m 1 + m 2 mod N) Exercise: check this!

β(r) For security β(r Z N* ) = r N mod N 2 For decryption: β(r) Φ(N) =1 mod N 2 Assumption for security {β(r) rßz N* } {sßz N^2* } For homomorphism β(r 1 ) β(r 2 ) = β(r 1 r 2 ) Φ(N 2 )=N Φ(N) and x Φ(N^2) =1 mod N 2 for all x in Z N2 *

Putting Things Together Security: Enc pk (m;r) = α(m) β(r) // r unif. in Z N * comp.ind. from distributed identically to α(m) s // s unif. in Z N2 * t // t unif. in Z N2 *

Putting Things Together Homomorphism: Enc pk (m 1 ;r 1 ) Enc pk (m 2 ;r 2 ) = α(m 1 ) β(r 1 ) α(m 2 ) β(r 2 ) = α(m 1 + m 2 mod N) β(r 1 r 2 ) = Enc pk (m 1 + m 2 mod N; r 1 r 2 )

Putting Things Together - Decryption Dec(sk,c): 1. t 1 = c Φ(N) mod N 2 2. t 2 = α -1 (t 1 ) mod N 3. t 3 = t 2 Φ(N) -1 mod N Correctness 1. t 1 = α(m) Φ(N) β(r) Φ(N) = = α(m Φ(N)) 1 2. t 2 = α -1 (α(m Φ(N))) = = m Φ(N) 3. t 3 = m Φ(N) Φ(N) -1 = = m 4. Output m=t 3

How to Multiply with Pailler Receiver Sender pk, B = Enc pk (b;r) D = c a Enc pk (c;s) d=dec sk (D)=ab+c mod N

How to Multiply with Pailler Receiver Sender pk, B = Enc pk (b;r) D = c a Enc pk (c;s) Privacy for Alice: B Enc pk (0;r) due to IND-CPA of Pailler Privacy for Bob? Alice knows the secret key! But due to homomorphism of Pailler {sk,d} {sk,enc pk (ab+c;t)} d=dec sk (D)=ab+c mod N

Part 2: How to multiply Warmup: Useful OT Properties OT Extension Multiplication Protocols OT-based Pailler Encryption Noisy Encodings

Slide by Satrajit Gosh OLE from Noisy Encodings (Ishai et al. [IPS09], generalizing [NP06]) Noisy Encodings Encode: Takes! # $, outputs a set % and encoding & # ' Eval: Takes (, * # $ and the encoding &, outputs an encoding + Decode: Takes an encoding + and the set %, outputs, =!( + *

OLE from Noisy Encodings Encode(a) 1. Pick a polynomial " of degree ) 1 with " 0 = (, evaluate at & = 4) positions 1 n '( - " 1 " 2 " & 2. Pick a random error + vector - with 3 = 2) + 1 non-zero elements, 5 = 6 7 6 = 8 0 -. - / 0-0 3. Add the two together 0 0 Slide by Satrajit Gosh m=1 for simplicity 2 A 1 -. " & Assumption - Pseudorandomness 9 ;<=>?7 @ B <

Slide by Satrajit Gosh OLE from Noisy Encodings Eval(v,b,r) 1. Pick a polynomial ' of degree - 1 with ' 0 =,, evaluate at & = 4- positions 1 & +, 2 '(1) '(2) '(2)! 1 # $! & 2. Pick a polynomial 9 of degree 2-2 with : 0 = 8, evaluate at & = 4- positions 1 n + 3. +++++++++++++++++++++++++++++++++++++++++++++ : 1 : 2 : & 8 5 3 1 4# $ 3 &

Slide by Satrajit Gosh OLE from Noisy Encodings Decode(w,L) 1. Ignore all $ & #! 1 '( )! + 2. Interpolate the polynomial!(-) and output! 0 = 12 + 4 6! 1! 2! +

Slide by Satrajit Gosh OLE from Noisy Encodings / + ', ) +., # -3)456(/) #! $ " -OT $ & $ -./0(., ', )) 7 86)456 $ &, # (= /' + )) Constant overhead per multiplication!* *using packed secret sharing

Summary OT properties Symmetric ROT and OT equivalence OT can be stretched OT extension Passive security Multiplication protocols Gilboa (OT-based) #OTs = #bits (works on anyring) AHE (Pailler) Noisy Encoding (works for fields) #OTs independent on bitlength

Primary References Cryptographic Computing, lecture notes, http://orlandi.dk/crycom (with theory and programming exercises) Extending Oblivious Transfers Efficiently (Ishai et al.) A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System (Damgård et al.) Public-Key CryptosystemsBased on Composite Degree Residuosity Classes (Paillier) Secure Arithmetic Computation with No Honest Majority (Ishai et al.) Two Party RSA Key Generation (Gilboa) Extending Oblivious Transfers Efficiently - How to get Robustness Almost for Free (Nielsen)

Other References Oblivious Polynomial Evaluation (Naor et al.) More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries (Asharov et al.) ActivelySecure OT Extension with Optimal Overhead (Keller et al.) Improved OT Extension for Transferring Short Secrets (Kolesnikov et al.) Efficient Batched Oblivious PRF with Applications to Private Set Intersection (Kolesnikov et al.) ActivelySecure OT-Extension from q-arylinear Codes (Cascudo et al.) Maliciously Secure Oblivious Linear Function Evaluation with Constant Overhead (Ghosh et al.) MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer (Keller et al.) A New Approach to Practical Active-Secure Two-Party Computation (Nielsen et al.)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback