A Framework for Efficient and Composable Oblivious Transfer
Chris Peikert1 Vinod Vaikuntanathan2 Brent Waters1
1SRI International 2MIT
CRYPTO 2008
1 / 10
Oblivious Transfer
[R81,EGL85,BCR86,C87,K88,CK88,C89,CS91,CGT95,DCP95,FMR96,BC97,. . . ]

“REAL”: S(m0, m1) ⟷ R(σ); at the end R holds mσ.
“IDEAL”: S sends (m0, m1) and R sends σ to the functionality FOT, which returns mσ to R.

Security means the ideal world simulates the real one for either corrupt party:
◮ ∀ S∗ ∃ S: an ideal S, talking only to FOT, reproduces VIEW(S∗) (so S∗ learns nothing about σ)
◮ ∀ R∗ ∃ R: an ideal R, talking only to FOT, reproduces VIEW(R∗) (so R∗ learns at most one of m0, m1)

◮ ‘Complete’ for secure computation [Yao82,GMW87,Kil88]
◮ Feasible: (enhanced) TDPs + zero knowledge [EGL85,GMW86]
2 / 10
◮ Two messages: [NP01,AIR01,Tau05,CS02] – ‘half simulation’
◮ Full simulation: [Lin08] – blowup, extra rounds
◮ ‘Adaptive selection:’ [CNS07,GH07] – bilinear, many rounds

Will it COMPOSE?
◮ UC framework [Can01]
◮ Requires setup [CF01]
  (figure: environment Z and adversary A; parties R1, R2, S running protocols π, ρ over a shared crs)

COMPOSABILITY aids EFFICIENCY
◮ Stronger OT variants, specific assumptions, 4+ messages [JS07,GMY04,DN03,GH08]
3 / 10
Main Attractions
✔ Round-optimal – two messages
✔ Efficient – computation & bandwidth
✔ Universally composable – static corruption, CRS setup
✔ Realizable – DDH, QR, DCR, worst-case lattice assumptions

Bonus Features
◮ Unbounded CRS reuse (JUC framework [CR03])
◮ Statistical security for either party
◮ Simple & symmetric proof

Conceptual Tools
◮ Messy public keys (‘message-lossy’), aka ‘meaningless’ [KN08]
◮ New abstraction: Dual-mode cryptosystem
4 / 10
crs = 1011 · · · (public random string, available to both parties)

  S(m0, m1)                                        R(σ)
                                                   (pk, sk) ← Gen(σ)
                     ◀────────── pk ──────────
  crs, pk ↦ pk0, pk1                               crs, pk ↦ pk0, pk1
  cb ← Enc(pkb, mb), b ∈ {0, 1}
                     ────────── c0, c1 ──────────▶
                                                   mσ ← Dec(sk, cσ)

Needed: Dual-mode cryptosystem
5 / 10
Decryptable Public Keys
  Enc(pk, m0) ≈_c Enc(pk, m1)   (computationally indistinguishable)
◮ Decrypt with sk.

Messy Public Keys
  Enc(pk, m0) ≈_s Enc(pk, m1)   (statistically indistinguishable)
◮ Statistically secure! (Decryption impossible.)

Cryptosystems with Messy Keys
◮ Cocks ID-based [Coc01]
◮ Lattice-based [AD97, Reg03, Reg05]
◮ ElGamal, Paillier variants [ElG84,Pai99]
6 / 10
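Why a messy Cocks key hides the bit statistically: an added derivation, not on the slides. It recalls Cocks' encryption rule from [Coc01], which the deck only cites: to encrypt m ∈ {0, 1} under public key y, pick a random unit t with Jacobi symbol (t/N) = (−1)^m and send c = t + y·t⁻¹ mod N. Write J_N for the units of Z_N with Jacobi symbol +1 and QR_N for the squares.

$$
\text{Preimages of } c:\quad t^2 - c\,t + y \equiv 0 \pmod N,\qquad
\text{mod each prime } p \mid N:\quad t\,t' \equiv y \pmod p
\;\Longrightarrow\;
\Big(\frac{t}{p}\Big)\Big(\frac{t'}{p}\Big) = \Big(\frac{y}{p}\Big).
$$

Decryptable key, $y = x^2 \in QR_N$: $\big(\tfrac{y}{p}\big) = \big(\tfrac{y}{q}\big) = 1$, so the two roots mod $p$ (and the two mod $q$) share a Legendre symbol, all four CRT preimages of $c$ have the same Jacobi symbol, and the holder of $x$ reads it off (whenever $t + x$ is a unit mod $N$, which fails only with negligible probability):

$$
c + 2x \equiv \frac{t^2 + 2xt + x^2}{t} = \frac{(t+x)^2}{t} \pmod N
\;\Longrightarrow\;
\Big(\frac{c+2x}{N}\Big) = \Big(\frac{(t+x)^2}{N}\Big)\Big(\frac{t^{-1}}{N}\Big) = \Big(\frac{t}{N}\Big) = (-1)^m .
$$

Messy key, $y \in J_N \setminus QR_N$: $\big(\tfrac{y}{p}\big) = \big(\tfrac{y}{q}\big) = -1$, so the two roots mod $p$ have opposite Legendre symbols, likewise mod $q$, and the four preimages of $c$ carry the symbol pairs $(+,+),(+,-),(-,+),(-,-)$ over $(p,q)$: two with $\big(\tfrac{t}{N}\big) = +1$ and two with $-1$. Since $|\{t : (t/N) = +1\}| = |\{t : (t/N) = -1\}| = \varphi(N)/2$, for every $c$ whose discriminant $c^2 - 4y$ is a nonzero square mod both primes (all but a negligible fraction of ciphertexts)

$$
\Pr[\,c \mid m = 0\,] = \frac{2}{\varphi(N)/2} = \Pr[\,c \mid m = 1\,],
$$

so $\mathrm{Enc}(y, 0) \approx_s \mathrm{Enc}(y, 1)$: the ciphertext is statistically independent of $m$, and no secret key for $y$ can exist.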
Dual-mode cryptosystem

Setup(mode), mode ∈ {dec, mes} → (crs, trap)     crs_dec ≈_c crs_mes
Gen(σ) → (skσ, pk)                               crs and pk determine the branch keys pkσ, pk1−σ
Enc(pkσ, m) → c                                  Dec(skσ, c) → m
TrapGen(trap) → (sk0, sk1, pk)                   decryption mode: both pk0 and pk1 are decryptable
FindMessy(trap, pk∗) → µ                         messy mode: branch µ of any pk∗ is messy
7 / 10
Main Theorem
Dual-mode cryptosystem ⇒ 2-message UC-secure OT

Proof Outline
1 ∀ real S∗, ∃ ideal S:      (TrapGen)    REAL(S∗, crs_dec) ≈_s IDEAL(S)
2 ∀ real R∗, ∃ ideal R:      (FindMessy)  REAL(R∗, crs_mes) ≈_s IDEAL(R)
3 ∀ real P∗ ∈ {R∗, S∗}:      (Setup)      REAL(P∗, crs_dec) ≈_c REAL(P∗, crs_mes)

In each mode, the party that mode protects statistically is handled by step 1 or 2 directly; the other party is handled by first switching the crs to the other mode (step 3, invisible to P∗) and then applying the statistical simulation:

Security in decryption mode (cf. [GOS06]):
✔ REAL(R∗, crs_dec) ≈_c REAL(R∗, crs_mes) ≈_s IDEAL(R)

Security in messy mode:
✔ REAL(S∗, crs_mes) ≈_c REAL(S∗, crs_dec) ≈_s IDEAL(S)
8 / 10
Cocks Encryption [Coc01]
◮ Global: N = pq
◮ Decryptable keys: secret x ∈ ZN, public y = x² ∈ QRN.
◮ Messy public key: y ∈ JN \ QRN (Jacobi symbol +1, but not a square)

Our Construction
                 Decryption mode          Messy mode
  crs  =         (N, z ∈ QRN)             (N, z ∈ JN \ QRN)
  trap =         √z                       (p, q)
  ZN ∋ pk = y;  branch keys y0 = y · z⁰ = y,  y1 = y · z¹ = y · z
  TrapGen (decryption mode):  sk0 = √y,  sk1 = √y · √z   (both branches decryptable, since z is a square)
  FindMessy (messy mode):  use (p, q) to test  y ∈ QRN?  or  y · z ∈ QRN?   For y ∈ JN exactly one holds; the other branch is messy.
9 / 10
1 Adaptive corruptions? (Progress: [GWZ])
2 Alternate setup? (GUC framework? [CDPW07])
3 String OT from QR, lattices? (Note: [BGH07] isn’t messy!)
10 / 10