CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University
Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob should compute z 1 + z 2 = (x 1 +x 2 )(y 1 +y 2 ) How do we compute this? = x 1 y 1 + x 2 y 1 + x 1 y 2 + x 2 y 2 Alice can compute this Bob can compute this
On the use of computational assumptions How much can we ask users to trust crypto? 1. Necessary (one way functionsare needed for symmetric crypto, public key crypto is probably needed for 2PC) 2. We must believe that some problems are hard (e.g., breaking RSA or breaking AES). But we should not ask for more trust than needed! 3. Construct complex systems based on well studied assumptions. Then prove (via reduction), that any adv that can break property X of system S can be used to solve computational problem P. 4. If we believe problem P to be hard, then we conclude that system S has property X. 3
The Crypto Toolbox Weaker assumption Stronger assumption OTP >> SKE >> PKE >> FHE >> Obfuscation More efficient Less efficient 4
Reduction Proof If: an adversary can break the security (e.g., learn the secret input x) Then: use this adversary as a subroutine to break the security of some hard problem (e.g., RSA) But: the problem is hard So: the protocol must be secure x E(m) x m 5
Part 2: How to multiply Warmup: Useful OT Properties OT Extension Multiplication Protocols OT-based Pailler Encryption Noisy Encodings
1-2 OT Receiver b m b 1-2 OT m 0,m 1 Sender Receiver does not learn m 1-b Sender does not learn b
1-2 OT Receiver b m b 1-2 OT m 0,m 1 Sender m b = (1-b) m 0 + b m 1 m b = m 0 + b (m 1 - m 0 )
k-n OT Receiver i 1,,i n m i1,,m in k-n OT Sender m 1,,m n
2PC via 1-n OT Receiver x f(x,y) 1-n OT Sender f(1,y),,f(n,y)
Oblivious Transfer = Receiver b bit multiplication 1-2 OT ab + c Sender (c,a+c)
Short OT à Long OT Receiver k-bit strings Sender b b k b 1-2 OT k 0,k 1 m 0,m 1 poly(k)-bit strings m b =prg(k b ) u b u 0 = prg(k 0 ) m 0, u 1 = prg(k 1 ) m 1
Random OT = OT b m c,r c r 0,r 0,m 1 1 ROT m b =r c x b x 0 = r 0 m 0, x 1 = r 1 m 1 if b=c
Random OT = OT b m c,r c ROT r 0,r 0,m 1 1 d = b c m b =r c x b x 0 = r 0 d m 0, x 1 = r 1 d m 1 Exercise: check that it works!
(R)OT is symmetric bits Sender s 0,s 1 ROT b,y=s b c = s 0 s 1 r 0 = y z = s c, z=r 0 r 1 = b r 0 c r 0,r 1 Exercise: check that it works No communication!
Part 2: How to multiply Warmup: Useful OT Properties OT Extension Multiplication Protocols OT-based Pailler Encryption Noisy Encodings
Efficiency Problem: OT requires public key primitives, inherently inefficient
The Crypto Toolbox Weaker assumption Stronger assumption OTP >> SKE >> PKE >> FHE >> Obfuscation More efficient Less efficient 18
Efficiency Problem: OT requires public key primitives, inherently inefficient Solution: OT extension Like hybrid encryption! Start with few (expensive) OT based on PKE Get many (inexpensive) OT using only SKE
OT Extension, Pictorially Starting point: k seed OTs X 0,1 k k X b1,1 U b 1 b k 1-2 OTs X 0 X 1,1 X 1 k n n=poly(k) Input or output? Remember that ROT = OT, it doesn t really make a difference! Remember: OT stretching (see Short OT à Long OT slide earlier) 20
Condition for OT extension X 1 = X 0 c c Problem for active security! 21
OT Extension, Pictorially k X 1 b 1 c U b 1 b k 1-2 COTs X 1 X c k n Correlated OTs n=poly(k) 22
OT Extension, Pictorially U " c %& = " % c & X = b c
OT Extension, Turn your head! U X X U = b c = b c
OT Extension, Pictorially k U b k 1-2 COTs X c k n n=poly(k) 25
OT Extension, Pictorially n U n 1-2 c X n b COTs k k 26
X= H Break the correlation! Y 0 = H U V b b b Y 1 = H U b 27
Breaking the correlation Using a correlation robust hash function H s.t. 1. {a 0,, a n, H(a 0 + r ),, H(a n + r)} // (a i s, r random) 2. {a 0,, a n, b 0,, b n } // (a i s,b i s random) are computationally indistinguishable 28
OT Extension, Pictorially k n Y 1,1 Y 1 Y 0,1 Y 0 n 1-2 ROTs c 1 c Y c1,1 V k n=poly(k) 29
Recap 0. Strech k OTs from k- to poly(k)=n-bitlong strings 1. Send correction for each pair of messages x i 0,x i 1 s.t., x i 0 x i 1 = c 2. Turn your head (S/R swap roles) 3. The bits of c are the new choice bits 4. Break the correlation: y j 0=H(u j ), y j 1=H(u j b) Not secure against active adversaries 30
Recent Results in OT Extension (seereferences at the end) Active secure OT extension essentially as efficient as passive OT. Asharov et al. Keller et al. The columns of the matrix 0 0 0 c c Can be seen as a simple replica encoding of a bit. Better encodings can be used for better efficiency, see e.g., Kolesnikov et al. Cascudo et al. 1 1 1
Part 2: How to multiply Warmup: Useful OT Properties OT Extension Multiplication Protocols OT-based Pailler Encryption Noisy Encodings
Oblivious Linear Evaluation Receiver b ab + c OLE (a,c) Sender Not bits anymore! Could be values in a ring or a field Arithmetic equivalent of OT
n OTs = OLE (Gilboa) Receiver b=(b 0,b 1,,b n-1 ) b i d i =a(2 i b i ) + c i 1-2 OT (c i,a2 i +c i ) Sender a (n bit number) c 0 + +c n-1 =c d 0 + +d n-1 =a(b 0 +2b 1 + +2 n-1 b n-1 )+(c 0 + +c n-1 )=ab+c
Part 2: How to multiply Warmup: Useful OT Properties OT Extension Multiplication Protocols OT-based Pailler Encryption Noisy Encodings
Additive (or Linear) Homomorphic Encryption Pailler is a AHE whose security is related to the hardness of factoring Still an important tool in the protocol designer toolbox!
(Simplified) Pailler Public key: N = pq, with p = q Secret key: Φ(N)=(p-1)(q-1) Pailler works mod N 2 Z * N^2 = Z N Z * N Note that due to choice of parameters gcd(φ(n),n)=1
(Simplified) Pailler (c Z N^2 ) ß Encrypt(m Z N ; r Z * N) Output c = α(m) β(r) mod N 2 Where: α(m) takes care of the homomorphism β(r) takes care of security
α(m) For homomorphism α(m Z N ) = (1+mN) mod N 2 For decryption: α(m) efficiently invertible α -1 (y Z N2 ) = y-1 / N // Integer division For homomorphism: α(m 1 ) α(m 2 ) = α(m 1 + m 2 mod N) Exercise: check this!
β(r) For security β(r Z N* ) = r N mod N 2 For decryption: β(r) Φ(N) =1 mod N 2 Assumption for security {β(r) rßz N* } {sßz N^2* } For homomorphism β(r 1 ) β(r 2 ) = β(r 1 r 2 ) Φ(N 2 )=N Φ(N) and x Φ(N^2) =1 mod N 2 for all x in Z N2 *
Putting Things Together Security: Enc pk (m;r) = α(m) β(r) // r unif. in Z N * comp.ind. from distributed identically to α(m) s // s unif. in Z N2 * t // t unif. in Z N2 *
Putting Things Together Homomorphism: Enc pk (m 1 ;r 1 ) Enc pk (m 2 ;r 2 ) = α(m 1 ) β(r 1 ) α(m 2 ) β(r 2 ) = α(m 1 + m 2 mod N) β(r 1 r 2 ) = Enc pk (m 1 + m 2 mod N; r 1 r 2 )
Putting Things Together - Decryption Dec(sk,c): 1. t 1 = c Φ(N) mod N 2 2. t 2 = α -1 (t 1 ) mod N 3. t 3 = t 2 Φ(N) -1 mod N Correctness 1. t 1 = α(m) Φ(N) β(r) Φ(N) = = α(m Φ(N)) 1 2. t 2 = α -1 (α(m Φ(N))) = = m Φ(N) 3. t 3 = m Φ(N) Φ(N) -1 = = m 4. Output m=t 3
How to Multiply with Pailler Receiver Sender pk, B = Enc pk (b;r) D = c a Enc pk (c;s) d=dec sk (D)=ab+c mod N
How to Multiply with Pailler Receiver Sender pk, B = Enc pk (b;r) D = c a Enc pk (c;s) Privacy for Alice: B Enc pk (0;r) due to IND-CPA of Pailler Privacy for Bob? Alice knows the secret key! But due to homomorphism of Pailler {sk,d} {sk,enc pk (ab+c;t)} d=dec sk (D)=ab+c mod N
Part 2: How to multiply Warmup: Useful OT Properties OT Extension Multiplication Protocols OT-based Pailler Encryption Noisy Encodings
Slide by Satrajit Gosh OLE from Noisy Encodings (Ishai et al. [IPS09], generalizing [NP06]) Noisy Encodings Encode: Takes! # $, outputs a set % and encoding & # ' Eval: Takes (, * # $ and the encoding &, outputs an encoding + Decode: Takes an encoding + and the set %, outputs, =!( + *
OLE from Noisy Encodings Encode(a) 1. Pick a polynomial " of degree ) 1 with " 0 = (, evaluate at & = 4) positions 1 n '( - " 1 " 2 " & 2. Pick a random error + vector - with 3 = 2) + 1 non-zero elements, 5 = 6 7 6 = 8 0 -. - / 0-0 3. Add the two together 0 0 Slide by Satrajit Gosh m=1 for simplicity 2 A 1 -. " & Assumption - Pseudorandomness 9 ;<=>?7 @ B <
Slide by Satrajit Gosh OLE from Noisy Encodings Eval(v,b,r) 1. Pick a polynomial ' of degree - 1 with ' 0 =,, evaluate at & = 4- positions 1 & +, 2 '(1) '(2) '(2)! 1 # $! & 2. Pick a polynomial 9 of degree 2-2 with : 0 = 8, evaluate at & = 4- positions 1 n + 3. +++++++++++++++++++++++++++++++++++++++++++++ : 1 : 2 : & 8 5 3 1 4# $ 3 &
Slide by Satrajit Gosh OLE from Noisy Encodings Decode(w,L) 1. Ignore all $ & #! 1 '( )! + 2. Interpolate the polynomial!(-) and output! 0 = 12 + 4 6! 1! 2! +
Slide by Satrajit Gosh OLE from Noisy Encodings / + ', ) +., # -3)456(/) #! $ " -OT $ & $ -./0(., ', )) 7 86)456 $ &, # (= /' + )) Constant overhead per multiplication!* *using packed secret sharing
Summary OT properties Symmetric ROT and OT equivalence OT can be stretched OT extension Passive security Multiplication protocols Gilboa (OT-based) #OTs = #bits (works on anyring) AHE (Pailler) Noisy Encoding (works for fields) #OTs independent on bitlength
Primary References Cryptographic Computing, lecture notes, http://orlandi.dk/crycom (with theory and programming exercises) Extending Oblivious Transfers Efficiently (Ishai et al.) A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System (Damgård et al.) Public-Key CryptosystemsBased on Composite Degree Residuosity Classes (Paillier) Secure Arithmetic Computation with No Honest Majority (Ishai et al.) Two Party RSA Key Generation (Gilboa) Extending Oblivious Transfers Efficiently - How to get Robustness Almost for Free (Nielsen)
Other References Oblivious Polynomial Evaluation (Naor et al.) More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries (Asharov et al.) ActivelySecure OT Extension with Optimal Overhead (Keller et al.) Improved OT Extension for Transferring Short Secrets (Kolesnikov et al.) Efficient Batched Oblivious PRF with Applications to Private Set Intersection (Kolesnikov et al.) ActivelySecure OT-Extension from q-arylinear Codes (Cascudo et al.) Maliciously Secure Oblivious Linear Function Evaluation with Constant Overhead (Ghosh et al.) MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer (Keller et al.) A New Approach to Practical Active-Secure Two-Party Computation (Nielsen et al.)