Keyword Search and Oblivious Pseudo-Random Functions

Similar documents
Benny Pinkas Bar Ilan University

Extending Oblivious Transfers Efficiently

On the Cryptographic Complexity of the Worst Functions

Additive Conditional Disclosure of Secrets

Oblivious Evaluation of Multivariate Polynomials. and Applications

Introduction to Cryptography Lecture 13

Are you the one to share? Secret Transfer with Access Structure

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Communication Complexity and Secure Function Evaluation

Evaluating 2-DNF Formulas on Ciphertexts

Secure Multi-Party Computation

Efficient Set Intersection with Simulation-Based Security

Oblivious Keyword Search

Distributed Oblivious RAM for Secure Two-Party Computation

Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply

Yuval Ishai Technion

Rate-Limited Secure Function Evaluation: Definitions and Constructions

i-hop Homomorphic Encryption Schemes

Single Database Private Information Retrieval with Logarithmic Communication

Secure Computation. Unconditionally Secure Multi- Party Computation

Benny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011

Generalized Oblivious Transfer by Secret Sharing

On i-hop Homomorphic Encryption

4-3 A Survey on Oblivious Transfer Protocols

ECS 189A Final Cryptography Spring 2011

Robust Password- Protected Secret Sharing

Technion - Computer Science Department - Ph.D. Thesis PHD

Report on PIR with Low Storage Overhead

5PM: Secure Pattern Matching

Multiparty Computation

From Secure MPC to Efficient Zero-Knowledge

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Founding Cryptography on Smooth Projective Hashing

SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University

Efficient Private Matching and Set Intersection

Constant-Round Private Database Queries

Lecture 28: Public-key Cryptography. Public-key Cryptography

The Computational Complexity Column

Secure Arithmetic Computation with Constant Computational Overhead

Machine Learning Classification over Encrypted Data. Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser

On Homomorphic Encryption and Secure Computation

Foundations of Homomorphic Secret Sharing

A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

From Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.

Lattice-Based Non-Interactive Arugment Systems

Linear Multi-Prover Interactive Proofs

Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings

No#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability

Lecture 38: Secure Multi-party Computation MPC

Bootstrapping Obfuscators via Fast Pseudorandom Functions

Private Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer

A New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank

On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)

Statistical WI (and more) in Two Messages

Introduction to Cryptography. Lecture 8

Efficient Public-Key Distance Bounding

Lecture 18: Message Authentication Codes & Digital Signa

Lecture 10: Zero-Knowledge Proofs

Physically Uncloneable Functions in the Universal Composition Framework. Christina Brzuska Marc Fischlin Heike Schröder Stefan Katzenbeisser

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Honest-Verifier Private Disjointness Testing without Random Oracles

1 Secure two-party computation

An Unconditionally Secure Protocol for Multi-Party Set Intersection

Perfect Secure Computation in Two Rounds

Foundations of Homomorphic Secret Sharing

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

One-Round Secure Computation and Secure Autonomous Mobile Agents

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

A New Approach to Practical Active-Secure Two-Party Computation

Non-Interactive Zero-Knowledge Proofs of Non-Membership

Introduction to Modern Cryptography Lecture 11

Perfectly-Crafted Swiss Army Knives in Theory

Primary-Secondary-Resolver Membership Proof Systems

Error-Tolerant Combiners for Oblivious Primitives

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Distinguisher-Dependent Simulation in Two Rounds and its Applications

Winter 2011 Josh Benaloh Brian LaMacchia

Homomorphic Secret Sharing for Low Degree Polynomials

Point Obfuscation and 3-round Zero-Knowledge

Bounded-Communication Leakage Resilience via Parity-Resilient Circuits

c Copyright 2016 Caleb Horst

Probabilistically Checkable Arguments

Fast and Private Computation of Cardinality of Set Intersection and Union *

Computing on Encrypted Data

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Private Projections & Variants

Efficient 3-Party Distributed ORAM

Notes on Zero Knowledge

On Achieving the Best of Both Worlds in Secure Multiparty Computation

Constraining Pseudorandom Functions Privately

k-nearest Neighbor Classification over Semantically Secure Encry

From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs

Cryptographical Security in the Quantum Random Oracle Model

Question 1. The Chinese University of Hong Kong, Spring 2018

Fundamental MPC Protocols

Privacy-Preserving Data Imputation

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

Transcription:

Keyword Search and Oblivious Pseudo-Random Functions Mike Freedman NYU Yuval Ishai, Benny Pinkas, Omer Reingold 1

Background: Oblivious Transfer Oblivious Transfer (OT) [R], 1-out-of-N [EGL]: Input: Server: x 1,x 2,,x n Client: 1 j n Output: Server: nothing Client: x j X 1 j X j X 2 X 3 X 4 X n Privacy: Server Client learns nothing about j learns nothing about x i for i j 4 Well-studied, good solutions: O(n) overhead 2

Background: Private Information Retrieval (PIR) Private Information Retrieval (PIR) [CGKS,KO] Client hides which element retrieved Client can learn more than a single x j o(n) communication, O(N) computation Symmetric Private Information Retrieval (SPIR) [GIKM,NP] PIR in which client learns only x j Hence, privacy for both client and server OT with sublinear communication 3

Motivation: Sometimes, OT is not enough Bob ( Application Service Provider ) Advises merchants on credit card fraud Keeps list of fraudulent card numbers Alice ( Merchant ) Received a credit card, wants to check if fraudulent Wants to hide credit-card details from Bob, vice-versa Use OT? Table of 10 16 2 53 entries, 1 if fraudulent, 0 otherwise? 4

Keyword Search (KS): definition Input: Server: database X={ (x i,p i ) }, 1 i N x i is a keyword p i is the payload (e.g. number of a corrupt card) (e.g. why card is corrupt) Client: search word w (e.g. credit card number) Output: Server: nothing Client: p i if i : x i = w otherwise nothing Server: Client: Client output: (x 1,p 1 ) (x 2,p 2 ) (x n,p n ) w (x j,p j ) iff w=x j 5

Keyword Search from data structures? [KO,CGN] Take any efficient query-able data structure Hash table, search tree, trie, etc. Replace direct query with OT / PIR Achieves client privacy We re done? 6

Keyword Search from hashing + OT [KO] (x 1, p 1 ) (x 2, p 2 ) (x N, p N ) Use hash function H to map (x i,p i ) to bin H(x i ) Client uses OT to read bin H(w) Multiple per bin: One per bin, N bins: One per bin, >> N bins: no server privacy: client gets > 1 elt no server privacy: H leaks info not efficient 7

Keyword Search Variants Multiple queries Adaptive queries Allowing setup Malicious parties Prior Work OT + Hashing = KS without server privacy [KO] Add server privacy using trie and many rounds [CGN] Adaptive KS [OK] But, setup with linear communication, RO model, one-more-rsa-inversion assumption 8

Keyword Search: Results Specific protocols for KS One-time KS based on OPE (homomorphic encryption) First 1-round KS with sublinear communication Adaptive KS by generic reduction Semi-private KS + oblivious PRFs New notions and constructions of OPRFs Fully-adaptive (DDH- or factoring-specific) T-time adaptive (black-box use of OT) 9

Keyword Search based on Oblivious Evaluation of Polynomials 10

Specific KS protocols using polynomials Tool: Oblivious Polynomial Evaluation (OPE) [NP] C w P(w) S P(x) = Σa i x i Privacy: Server: nothing about w. Client: nothing but P(w) 11

1-round KS protocol using polynomials OPE implementation based on homomorphic encryption Given E(x), E(y), can compute E(x+y), E(c x), w/o secret key Server defines on input X={(x i,p i )}, Z(x) = r P(x) + Q(x), with fresh random r x i If x i X : 0 + p i 0 k If x i X : rand Client/server run OPE of Z(w), overhead O(N) C sends: E(w), E(w 2 ),, E(w d ), PK S returns: E(r Σp i w i + Σq i w i ) = E(r P(w) + Q(w)) = E(Z(w)) 12

Reducing the overhead using hashing (x 1, p 1 ) (x 2, p 2 ) (x N, p N ) Z 1 m Z 2 public hash function H m independent of X L bins Fresh random r for Z j (x) = r P j (x) + Q j (x) Client sends input for L OPE s of degree m Server has E(Z 1 (w)),,e(z L (w)) Client uses PIR to obtain OPE output from bin H(w) Comm: O(m = log N) + PIR overhead (polylog N) Comp: O(N) server, O(m = log N) client 13

What about malicious parties? Efficient 1 round protocol for non-adaptive KS Only consider privacy: server need not commit or know DB Similar relaxation used before in like contexts (PIR, OT) Privacy against a malicious server? Server only sees client s interaction in an OT / PIR protocol Malicious clients? Message in OPE might not correspond to polynomial values Can enforce correct behavior with about same overhead 1 OPE of degree-m polynomials m OPEs of linear poly s 14

Keyword Search based on Oblivious Evaluation of Pseudo-Random Functions 15

Semi-Private Keyword Search Goal: Obtain KS from semi-private KS + OPRF Semi-Private Keyword Search (PERKY [CGN]) Provides privacy for client but not for server Similar privacy to that of PIR Examples Send database to client: O(N) communication Hash-based solutions + PIR to obtain bin Use any fancy data structure + PIR to query 16

Oblivious Evaluation of Pseudo-Random Functions Pseudo-Random Function: F k : {0,1} n {0,1} n Keyed by k (chooses a specific instantiation of F ) Without k, the output of F k cannot be distinguished from that of a random function Oblivious evaluation of a PRF (OPRF) C x k S F k (x) Client: PRF output, nothing about k Server: Nothing 17

KS from Semi-Private KS + OPRF (x 1, p 1 ) (x 2, p 2 ) (x N, p N ) S chooses k, defining F k ( ) (x i, p i ) X, Let x i p i F k (x i ) Let (x i, p i ) (x i, p i p i ) (x 1, p 1 ) (x 2, p 2 ) (x N, p N ) Client key, payload masked by PRF Uses OPRF to compute x p F k (w ) Uses semi-private KS to obtain ( x i, p i ) where x i = x If entry in database, recovers p i = p i p 18

KS from Semi-Private KS + OPRF (x 1, p 1 ) (x 2, p 2 ) (x N, p N ) S chooses k, defining F k ( ) (x i, p i ) X, Let x i p i F k (x i ) Let (x i, p i ) (x i, p i p i ) (x 1, p 1 ) (x 2, p 2 ) (x N, p N ) Security key, payload masked by PRF Preserved even if client obtains all pseudo-database Requires that client can t determine output of OPRF other than at inputs from legitimate queries 19

Weaker OPRF definition suffices for KS Strong OPRF: Secure 2PC of PRF functionality No info leaked about key k for arbitrary f k, other than what follows from legitimate queries Same OPRF on multiple inputs w/o losing server privacy Relaxed OPRF: No info about outputs of random f k, other than what follows from legitimate queries Does not preclude learning partial info about k Query set size bounded by t for t-time OPRFs Indistinguishability: Outputs on unqueried inputs cannot be distinguished from outputs of random function 20

Other results: constructions of OPRF OPRF based on non-black-box OT [Y,GMW] OPRF based on specific assumptions [NP] E.g., based on DDH or factoring Fully adaptive Quite efficient OPRF based on black-box OT Uses relaxed definition of OPRF Good for up to t adaptive queries 21

OPRF based on DDH [ scaled up NP] The Naor-Reingold PRF: Key k = [ a 1,, a L ] Input x = x 1 x 2 x 3 x L F k ( x) g^ ( 1a = x = Pseudorandom based on DDH i i ) OT 1 2 x 1 =0 OT 1 2 r 1 a 1 r 1 r 2 a 2 r 2 x 2 =1 OPRF based on PRF + OT ( g Server: [ a 1,, a L ], [ r 1,, r L ] Client: x = x 1 x 2 x 3 x L L OT s: r i if x i = 0, a i r i otherwise 1/ r 1... r m ) ( r 1 )...( a m r m ) = a x i = 1 i g (x) = F k OT 2 1 r L a L r L g^(1 / r 1 r 2 r L ) x L =1 22

Relaxed OPRF based on OT Server key: L x 2t matrix a 0,0 a 0,2t Client input: x = { x 1, x 2,, x L } F k ( x) = g i, x i Client gets L keys using OT 1 2t After t calls, learns t L keys a L,0 Map inputs to locations in L-dimensions using a (t+2)-wise independent, secret mapping h Client first obliviously computes h(x), then F(h(x)) Learns t of 2t keys in L dimensions Probability that other value uses these keys is (1/2) L 23

Conclusions Keyword search is an important tool We show: Efficient constructions based on OPE Generic reduction to OPRF + semi-private KS Fully-adaptive based on DDH Black-box reduction via OT, yet only good for t invoc s Open problem: Black-box reduction to OT good for poly invoc s? 24

Thanks. 25

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback