Additive Conditional Disclosure of Secrets

Similar documents
MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

From Secure MPC to Efficient Zero-Knowledge

Keyword Search and Oblivious Pseudo-Random Functions

Entity Authentication

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Notes on Zero Knowledge

ECS 189A Final Cryptography Spring 2011

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

March 19: Zero-Knowledge (cont.) and Signatures

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

ASYMMETRIC ENCRYPTION

1 Number Theory Basics

Lecture 38: Secure Multi-party Computation MPC

5199/IOC5063 Theory of Cryptology, 2014 Fall

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

CPA-Security. Definition: A private-key encryption scheme

Are you the one to share? Secret Transfer with Access Structure

Lecture 3: Interactive Proofs and Zero-Knowledge

Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply

Lecture 22: RSA Encryption. RSA Encryption

Benny Pinkas Bar Ilan University

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

Chapter 11 : Private-Key Encryption

Security Protocols and Application Final Exam

Lecture 2: Perfect Secrecy and its Limitations

Lecture 28: Public-key Cryptography. Public-key Cryptography

Cryptographic Protocols FS2011 1

Cryptography in the Multi-string Model

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Multiparty Computation

Oblivious Evaluation of Multivariate Polynomials. and Applications

Computing on Encrypted Data

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

4-3 A Survey on Oblivious Transfer Protocols

Lecture Notes 20: Zero-Knowledge Proofs

Cryptography: A Fairy Tale for Mathematicians and Starring Mathematicians!

Efficient Public-Key Distance Bounding

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

On Homomorphic Encryption and Secure Computation

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Chapter 2 : Perfectly-Secret Encryption

1 Secure two-party computation

Notes for Lecture 17

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Theoretical Cryptography, Lectures 18-20

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Interactive Zero-Knowledge with Restricted Random Oracles

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Security Implications of Quantum Technologies

Lecture 1: Introduction to Public key cryptography

Strong Security Models for Public-Key Encryption Schemes

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Lecture 14: Secure Multiparty Computation

Katz, Lindell Introduction to Modern Cryptrography

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Statistical WI (and more) in Two Messages

On Achieving the Best of Both Worlds in Secure Multiparty Computation

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

14 Diffie-Hellman Key Agreement

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Introduction to Modern Cryptography Lecture 11

k-round MPC from k-round OT via Garbled Interactive Circuits

Rate-Limited Secure Function Evaluation: Definitions and Constructions

Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries

Lecture 5, CPA Secure Encryption from PRFs

Introduction to Cryptology. Lecture 2

Introduction to Cryptography. Lecture 8

6.080/6.089 GITCS Apr 15, Lecture 17

Network Oblivious Transfer

Proofs of Retrievability via Fountain Code

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

By the way, = = 693 (mod 1823) and ord(3) = 911. I list the commands I used in Mathematica to solve this problem here.

El Gamal A DDH based encryption scheme. Table of contents

Digital Signatures. p1.

Great Theoretical Ideas in Computer Science

G /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge

Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Efficient Set Intersection with Simulation-Based Security

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

Symmetric Encryption

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

Chosen-Ciphertext Security (I)

Lightweight Zero-Knowledge Proofs for Crypto-Computing Protocols

Founding Cryptography on Smooth Projective Hashing

Efficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption

Secure Computation. Unconditionally Secure Multi- Party Computation

ECash and Anonymous Credentials

Benny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Homework 3 Solutions

Transcription:

Additive Conditional Disclosure of Secrets Sven Laur swen@math.ut.ee Helsinki University of Technology

Motivation Consider standard two-party computation protocol. x f 1 (x, y) m 1 m2 m r 1 mr f 2 (x, y) y TCS Forum talk, November 19, 2004 1

Standard goals of secure two-party computation The inputs and outputs should remain private: Charlie should learn nothing except x and f 1 (x, y). Lucy should learn nothing except y and f 2 (x, y). The outputs should be correct: Charlie should really obtain f 1 (x, y). Lucy should really obtain f 2 (x, y). The protocol should be fair: Charlie and Lucy should both obtain outputs or none of them. TCS Forum talk, November 19, 2004 2

Secure evaluation of intersection cardinality Charlie Lucy Characteristic vector Characteristic vector x = (x 1, x 2,..., x n ). y = (y 1, y 2,..., y n ). Compute (pk, sk) Gen. Form a vector c = (E(x 1 ), E(x 2 ),..., E(x n )). Output Dec(d) = X Y pk c d Store the public key pk. Compute answer d = c y 1 1 cy 2 2 cy n n E(0) = E(x 1 y 1 + x 2 y 2 + x n y n ). Output TCS Forum talk, November 19, 2004 3

What if Charlie is malicious? If Charlie sends invalid vector c = (E(1),E(2),E(4),...E(2 n )), then the return value d = E(1y 1 + 2y 2 + 4y 3 + + 2 n y n ) and Charlie can reveal Dec(d) = y n... y 2 y 1 = y. TCS Forum talk, November 19, 2004 4

Standard way to achieve privacy and correctness 1. Device a protocol Π that is secure in semihonest model: + Both parties follow the protocol, but try to extract additional information 2. Extend the protocol Π by forcing semihonest behaviour: + Both parties commit their inputs x and y. + For each message m i of the protocol Π the sender adds a zeroknowledge proof PK(m i ) that m i was correctly formed. TCS Forum talk, November 19, 2004 5

Extended protocol x f 1 (x, y) Com(x) Com(y) m 1 PK(m 1 )..... f 2 (x, y) y TCS Forum talk, November 19, 2004 6

Some properties of extended protocols Standard zero-knowledge proofs have at least four rounds: The extended protocol has a large communicational overhead. The extended protocol has a large overhead in rounds. We can use non-interactive zero-knowledge proofs (NIZK): + Proofs will be relatively short binary strings. + The number of rounds do not increase. The security properties of NIZK are essentially unknown. All proofs are valid in the random oracle model. All proofs are valid in the common reference string model. TCS Forum talk, November 19, 2004 7

What if correctness is infeasible? x f 1 (x, y) m 1 m2 m r 1 mr y TCS Forum talk, November 19, 2004 8

When correctness requirement is questionable? Lucy s input might be so large that ZK proofs are huge. Charlie computes a predicate P(x, y) and there are wild cards y 0 : x P(x, y 0 ) = 0 y 1 : x P(x, y 1 ) = 1. External reasons force Lucy to act in a semihonest way, for example commercial reputation, laws forced by government organisations. TCS Forum talk, November 19, 2004 9

Informal definition of privacy Charlie should learn f 1 (x, y) only if + input x is in the valid range X; + all messages m i follow protocol specification. Charlie should learn nothing if x / X or some m i is malformed. Lucy should learn f 2 (x, y) =, i.e. nothing. x f 1 (x, y) y TCS Forum talk, November 19, 2004 10

Binding conditional disclosure of secrets (CDS) s m i CDS1(m i ) CDS2(m i ) x, m 1,..., m i m 1,..., m i 1...... s {0,1}n Charlie learns secret s only if the message m i is formed correctly. TCS Forum talk, November 19, 2004 11

Additive conditional disclosure of secrets (ACDS) s E(x) x CDS1(m i ) CDS2(m i )...... s {0,1}n Charlie learns secret s only if the input x is in valid set X. TCS Forum talk, November 19, 2004 12

Consider a keyed list access ACDS from oblivious transfer Charlie Sally y 1 s y 2. s. y i y i. s. s Charlie invokes oblivious transfer protocol to retrieve: L[y i ] = s if y i X, L[y i ] = if y i / X. y k TCS Forum talk, November 19, 2004 13

Simple ACDS protocol Charlie Sally Input x. Compute (pk, sk) Gen. pk Secret s and set of valid values X = {y 1,..., y k }. Store the public key pk. Send a query c = E(x) For x = y i0 output Dec(d i0 ) = s c Compute answers d i = (c E( y i )) t i E(s) d 1,...,d k = E(t i (x y i ) + s) Output E(x) TCS Forum talk, November 19, 2004 14

Spectacular failure of homomorphic OT The message space of Pallier encryption scheme is Z p q for primes p, q P. If Charlie sends E(x) such that x y 1 mod p and x y 2 mod q then Dec(d 1 ) t 1 (x y 1 ) + s mod pq Dec(d 1 ) s mod p Dec(d 2 ) t 1 (x y 2 ) + s mod pq Dec(d 2 ) s mod q and Charlie can restore secret even if x / X. TCS Forum talk, November 19, 2004 15

What is wrong here!? If gcd(x y i, pq) = 1 then every thing is OK Pr [Dec(d i ) = t i (x y i ) + s = u] = 1 pq. Otherwise we have a distribution with large steps. s s + p s + 2p s + (q 1)p Pr Z p q TCS Forum talk, November 19, 2004 16

Information-theoretical solution We choose many different shifts for a single s and send s+ instead. Then large bumps cancel out. If is such a set that the distribution mod p and mod q is close to uniform, then is close to uniform. t i (x y i ) + s +, t i Z p q x y i TCS Forum talk, November 19, 2004 17

Precise construction We choose l such that desired security level. m2 l 2 min{p,q} 2 λ, where k = X and 2 λ is The message space reduces s {0, 1} l. The random shifts are = { 0,2 l,2 2 l,3 2 l,... r 2 l}, r 2 l < pq < (r + 1)2 l. Charlie can restore s (Dec(d i0 ) mod pq) mod 2 l s + mod 2 l s mod 2 l. TCS Forum talk, November 19, 2004 18

Computationally secure solution Information theoretical solution has a low throughput. We can use roughly 25% 40% of the message space size for the standard Pallier encryption scheme with 512 bit primes. If we require only computational privacy we can do significantly better. Trivial solution ( E IT encoded key k ) and SymEnc k (s) Can compress it all into a single encryption? Cleverly encoded 128 bit key k SymEnc k (s) TCS Forum talk, November 19, 2004 19

Now recall the idea of CDS s m i CDS1(m i ) CDS2(m i ) x, m 1,..., m i m 1,..., m i 1...... s {0,1}n Charlie learns secret s only if the message m i is formed correctly. TCS Forum talk, November 19, 2004 20

Privacy through binding CDS m 1, m 3,..., m... r 1 x f 1 (x, y) CDS1(m 1 ) m 2,CDS2(m 1 ) CDS1(m r 1 ) CDS2(m r 1 ) m r s r 1 m 1 m2 m r 1 mr y s 1, s 3,..., s... r 1 TCS Forum talk, November 19, 2004 21

Formal specification In the semihonest protocol Π Charlie sends messages m 1, m 3,..., m r 1. Secure transformation For each odd message m i Charlie and Lucy execute a binding CDS scheme such that Charlie obtains a secret s i iff m i is valid; Lucy can compute message m i from protocol transcript. Lucy uses restored m i and follows the original protocol Π. Lucy sends m r s 1 s r 1 as last message. Charlie can restore m r iff m 1, m 3,..., m r 1 were correctly formed. TCS Forum talk, November 19, 2004 22

Alternative viewpoint to padding schemes in ACDS We used special kind of padding scheme to prevent malicious behaviour. Plaintext awareness transformations use also padding that fix a very restricted input format. Actually, the constructed padding schemes achieve plain-text awareness under very restricted conditions. Adversary is allowed to: do homomorphic operations; choose a random cryptogram; choose a random cryptogram of p; choose a random cryptogram of q; TCS Forum talk, November 19, 2004 23

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback