Adaptive Oblivious Transfer And Generalization Olivier Blazy, C - - PowerPoint PPT Presentation

adaptive oblivious transfer and generalization
SMART_READER_LITE
LIVE PREVIEW

Adaptive Oblivious Transfer And Generalization Olivier Blazy, C - - PowerPoint PPT Presentation

Mar 01, 2024 612 likes •1.51k views

Adaptive Oblivious Transfer And Generalization Olivier Blazy, C eline Chevalier, Paul Germouty December 5, 2016 O. Blazy, C. Chevalier, P . Germouty December 5, 2016 1 / 31 Oblivious Transfer 1 OLBE: A Natural Generalization 2 Adaptive

slide-1
SLIDE 1

Adaptive Oblivious Transfer And Generalization

Olivier Blazy, C´ eline Chevalier, Paul Germouty December 5, 2016

  • O. Blazy, C. Chevalier, P

. Germouty December 5, 2016 1 / 31

slide-2
SLIDE 2

1

Oblivious Transfer

2

OLBE: A Natural Generalization

3

Adaptive Oblivious Transfer

4

What To Remember

  • O. Blazy, C. Chevalier, P

. Germouty December 5, 2016 2 / 31

slide-3
SLIDE 3

1

Oblivious Transfer

2

OLBE: A Natural Generalization

3

Adaptive Oblivious Transfer

4

What To Remember

  • O. Blazy, C. Chevalier, P

. Germouty Oblivious Transfer December 5, 2016 3 / 31

slide-4
SLIDE 4

Oblivious Transfer

  • O. Blazy, C. Chevalier, P

. Germouty Oblivious Transfer December 5, 2016 4 / 31

slide-5
SLIDE 5

Oblivious Transfer

Server

DB1 DB2 ... DBn

  • O. Blazy, C. Chevalier, P

. Germouty Oblivious Transfer December 5, 2016 4 / 31

slide-6
SLIDE 6

Oblivious Transfer

Server

DB1 DB2 ... DBn

Recipient

Request(i)

  • O. Blazy, C. Chevalier, P

. Germouty Oblivious Transfer December 5, 2016 4 / 31

slide-7
SLIDE 7

Oblivious Transfer

Server

DB1 DB2 ... DBn

Recipient

Request(i) DBi

  • O. Blazy, C. Chevalier, P

. Germouty Oblivious Transfer December 5, 2016 4 / 31

slide-8
SLIDE 8

Oblivious Transfer

Server

DB1 DB2 ... DBn

Recipient

Request(i) DBi

Privacy: S shouldn’t know i and R shouldn’t have any information about other lines.

  • O. Blazy, C. Chevalier, P

. Germouty Oblivious Transfer December 5, 2016 4 / 31

slide-9
SLIDE 9

Identity Based Encryption

  • O. Blazy, C. Chevalier, P

. Germouty Oblivious Transfer December 5, 2016 5 / 31

slide-10
SLIDE 10

Identity Based Encryption

Alice

  • O. Blazy, C. Chevalier, P

. Germouty Oblivious Transfer December 5, 2016 5 / 31

slide-11
SLIDE 11

Identity Based Encryption

Alice Bob

  • O. Blazy, C. Chevalier, P

. Germouty Oblivious Transfer December 5, 2016 5 / 31

slide-12
SLIDE 12

Identity Based Encryption

Alice Bob C

mpk, Bob, m→C

  • O. Blazy, C. Chevalier, P

. Germouty Oblivious Transfer December 5, 2016 5 / 31

slide-13
SLIDE 13

Identity Based Encryption

Alice Bob C

mpk, Bob, m→C usk[Bob],C→m

  • O. Blazy, C. Chevalier, P

. Germouty Oblivious Transfer December 5, 2016 5 / 31

slide-14
SLIDE 14

Identity Based Key Encapsulation Mechanism

Gen(param): generates (mpk, msk) USKGen(msk, id): computes usk[id] Enc(mpk, id): encrypts a key K into C Dec(usk[id], C): decrypts C into K

  • O. Blazy, C. Chevalier, P

. Germouty Oblivious Transfer December 5, 2016 6 / 31

slide-15
SLIDE 15

UC-framework and Security Model

  • O. Blazy, C. Chevalier, P

. Germouty Oblivious Transfer December 5, 2016 7 / 31

slide-16
SLIDE 16

UC-framework and Security Model

Ideal functionality vs real world

  • O. Blazy, C. Chevalier, P

. Germouty Oblivious Transfer December 5, 2016 7 / 31

slide-17
SLIDE 17

UC-framework and Security Model

Ideal functionality vs real world Adaptive corruptions: the adversary can ask for internal state of the recipient at any moment and then play his role.

  • O. Blazy, C. Chevalier, P

. Germouty Oblivious Transfer December 5, 2016 7 / 31

slide-18
SLIDE 18

1

Oblivious Transfer

2

OLBE: A Natural Generalization

3

Adaptive Oblivious Transfer

4

What To Remember

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 8 / 31

slide-19
SLIDE 19

The Oblivious Signature Based Envelope Protocol

Server

Info

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 9 / 31

slide-20
SLIDE 20

The Oblivious Signature Based Envelope Protocol

Server

Info

Recipient

C=Commit(σ; ρ)

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 9 / 31

slide-21
SLIDE 21

The Oblivious Signature Based Envelope Protocol

Server

Info

Recipient

C=Commit(σ; ρ) Info ⊕ Mask ⊕ Mask

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 9 / 31

slide-22
SLIDE 22

The Oblivious Signature Based Envelope Protocol

Server

Info

Recipient

C=Commit(σ; ρ) Info ⊕ Mask ⊕ Mask Info ⊕ Mask

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 9 / 31

slide-23
SLIDE 23

The Oblivious Signature Based Envelope Protocol

Server

Info

Recipient

C=Commit(σ; ρ) Info ⊕ Mask ⊕ Mask Info ⊕ Mask Mask computable for the user if and only if C is a commitment of σ

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 9 / 31

slide-24
SLIDE 24

How To Do So: Commitment

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 10 / 31

slide-25
SLIDE 25

How To Do So: Commitment

Commitment: Setup KeyGen Commit Decommit

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 10 / 31

slide-26
SLIDE 26

How To Do So: Commitment

Commitment: Setup KeyGen Commit Decommit Properties: Extractable Equivocable

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 10 / 31

slide-27
SLIDE 27

How To Do So: Commitment

Commitment: Setup KeyGen Commit Decommit Properties: Extractable Equivocable Example: Encryption, Chameleon Hash Function: (KeyGen, CH, Coll)

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 10 / 31

slide-28
SLIDE 28

How To Do So: Commitment

Commitment: Setup KeyGen Commit Decommit Properties: Extractable Equivocable Example: Encryption, Chameleon Hash Function: (KeyGen, CH, Coll) If CH(ck, m; r) = H then coll(ck, tk, H; m′) = r′ s. t. CH(ck, m′; r′) = H

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 10 / 31

slide-29
SLIDE 29

How To Do So: Smooth Projective Hash Function

Functions over a set X and L ⊂ X

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 11 / 31

slide-30
SLIDE 30

How To Do So: Smooth Projective Hash Function

Functions over a set X and L ⊂ X HashKG(L, param) → hk

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 11 / 31

slide-31
SLIDE 31

How To Do So: Smooth Projective Hash Function

Functions over a set X and L ⊂ X HashKG(L, param) → hk ProjKG(hk, (L, param), W) → hp

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 11 / 31

slide-32
SLIDE 32

How To Do So: Smooth Projective Hash Function

Functions over a set X and L ⊂ X HashKG(L, param) → hk ProjKG(hk, (L, param), W) → hp Hash(hk, (L, param), W) → H ∈ G

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 11 / 31

slide-33
SLIDE 33

How To Do So: Smooth Projective Hash Function

Functions over a set X and L ⊂ X HashKG(L, param) → hk ProjKG(hk, (L, param), W) → hp Hash(hk, (L, param), W) → H ∈ G ProjHash(hp, (L, param), W, w) → H′ ∈ G

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 11 / 31

slide-34
SLIDE 34

How To Do So: Smooth Projective Hash Function

Functions over a set X and L ⊂ X HashKG(L, param) → hk ProjKG(hk, (L, param), W) → hp Hash(hk, (L, param), W) → H ∈ G ProjHash(hp, (L, param), W, w) → H′ ∈ G Hash(hk, (L, param), W) = ProjHash(hp, (L, param), W, w). If w is a witness for W ∈ L.

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 11 / 31

slide-35
SLIDE 35

Properties Of SPHF

Smoothness: If W / ∈ L nobody can distinguish a hashed value from a random one.

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 12 / 31

slide-36
SLIDE 36

Properties Of SPHF

Smoothness: If W / ∈ L nobody can distinguish a hashed value from a random one. Pseudo-Randomness: Without w, if W ∈ L it is hard to distinguish a hashed value from a random one.

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 12 / 31

slide-37
SLIDE 37

A Simple Example Of SPHF

Here param contains (g, h) ∈ G

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 13 / 31

slide-38
SLIDE 38

A Simple Example Of SPHF

Here param contains (g, h) ∈ G L = {(g1, h1)|∃α ∈ Zp, g1 = gα ∧ h1 = hα}, w = α.

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 13 / 31

slide-39
SLIDE 39

A Simple Example Of SPHF

Here param contains (g, h) ∈ G L = {(g1, h1)|∃α ∈ Zp, g1 = gα ∧ h1 = hα}, w = α. hk = (λ, µ) ∈ Z2

p

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 13 / 31

slide-40
SLIDE 40

A Simple Example Of SPHF

Here param contains (g, h) ∈ G L = {(g1, h1)|∃α ∈ Zp, g1 = gα ∧ h1 = hα}, w = α. hk = (λ, µ) ∈ Z2

p

hp = gλhµ

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 13 / 31

slide-41
SLIDE 41

A Simple Example Of SPHF

Here param contains (g, h) ∈ G L = {(g1, h1)|∃α ∈ Zp, g1 = gα ∧ h1 = hα}, w = α. hk = (λ, µ) ∈ Z2

p

hp = gλhµ H = gλ

1hµ 1

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 13 / 31

slide-42
SLIDE 42

A Simple Example Of SPHF

Here param contains (g, h) ∈ G L = {(g1, h1)|∃α ∈ Zp, g1 = gα ∧ h1 = hα}, w = α. hk = (λ, µ) ∈ Z2

p

hp = gλhµ H = gλ

1hµ 1

H′ = hpα

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 13 / 31

slide-43
SLIDE 43

SPHF And Implicit Decommitment Achieving OSBE

Server

Info

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 14 / 31

slide-44
SLIDE 44

SPHF And Implicit Decommitment Achieving OSBE

Server

Info

Recipient

C=Commit(σ; ρ)

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 14 / 31

slide-45
SLIDE 45

SPHF And Implicit Decommitment Achieving OSBE

Server

Info

Recipient

C=Commit(σ; ρ) Info ⊕ Mask ⊕Hash(hkLc

σ, Lc

σ, C)

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 14 / 31

slide-46
SLIDE 46

SPHF And Implicit Decommitment Achieving OSBE

Server

Info

Recipient

C=Commit(σ; ρ) Info ⊕ Mask ⊕Hash(hkLc

σ, Lc

σ, C)

hpLc

σ

Info ⊕ProjHash(...; ρ)

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 14 / 31

slide-47
SLIDE 47

Generalization: Oblivious Language Based Envelope

Server Recipient

C=Commit(W; w) Info Info ⊕ Mask ⊕Hash(hkLc

W , Lc

W , C)

hpLc

W

Info ⊕ProjHash(...; w)

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 15 / 31

slide-48
SLIDE 48

Examples

Oblivious Signature Based Envelope

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 16 / 31

slide-49
SLIDE 49

Examples

Oblivious Signature Based Envelope Oblivious Transfer

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 16 / 31

slide-50
SLIDE 50

Oblivious Transfer

Server Recipient

C=Commit(j; ρ) {DBi}i {DBi ⊕Hi}i ⊕Hi = Hash(hkLc

i , Lc

i, C)

{hpLc

i }i

DBj ⊕ProjHash(..., hpj; ρ)

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 17 / 31

slide-51
SLIDE 51

Examples

Oblivious Signature Based Envelope Oblivious Transfer

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 18 / 31

slide-52
SLIDE 52

Examples

Oblivious Signature Based Envelope Oblivious Transfer Conditionned Oblivious Transfer

  • O. Blazy, C. Chevalier, P

. Germouty OLBE: A Natural Generalization December 5, 2016 18 / 31

slide-53
SLIDE 53

1

Oblivious Transfer

2

OLBE: A Natural Generalization

3

Adaptive Oblivious Transfer

4

What To Remember

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 19 / 31

slide-54
SLIDE 54

Be Adaptive

Adaptive in terms of request:

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 20 / 31

slide-55
SLIDE 55

Be Adaptive

Adaptive in terms of request:

Previous works: a new request causes a resent of DB.

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 20 / 31

slide-56
SLIDE 56

Be Adaptive

Adaptive in terms of request:

Previous works: a new request causes a resent of DB. This work: a new request after the first one has a logarithmic cost in the size of DB.

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 20 / 31

slide-57
SLIDE 57

Be Adaptive

Adaptive in terms of request:

Previous works: a new request causes a resent of DB. This work: a new request after the first one has a logarithmic cost in the size of DB.

Move the problem to the recipient side:

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 20 / 31

slide-58
SLIDE 58

Be Adaptive

Adaptive in terms of request:

Previous works: a new request causes a resent of DB. This work: a new request after the first one has a logarithmic cost in the size of DB.

Move the problem to the recipient side:

Sends the full encrypted DB to R

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 20 / 31

slide-59
SLIDE 59

Be Adaptive

Adaptive in terms of request:

Previous works: a new request causes a resent of DB. This work: a new request after the first one has a logarithmic cost in the size of DB.

Move the problem to the recipient side:

Sends the full encrypted DB to R Do an OT with the keys used to encrypt.

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 20 / 31

slide-60
SLIDE 60

OT On IBE Keys: A Blind IBE

Server Recipient

C=Commit(j; ρ) {usk[i]}i {usk[i] ⊕Hi}i ⊕Hi = Hash(hkLc

i , Lc

i, C)

{hpLc

i }i

usk[j] ⊕ProjHash(..., hpj; ρ)

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 21 / 31

slide-61
SLIDE 61

OT On IBE-Keys: A Blind IBE

  • Authority

busk[id] usk[id] id BlindUSKGen(msk, C; t) C Commit(id; ρ) Recover(busk[id], ρ) User

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 22 / 31

slide-62
SLIDE 62

BIBE Generic Construction

1

User: C = Encryptcca(id; ρ)

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 23 / 31

  • Authority

busk[id] usk[id] id BlindUSKGen(msk, C; t) C Commit(id; ρ) Recover(busk[id], ρ) User

slide-63
SLIDE 63

BIBE Generic Construction

1

User: C = Encryptcca(id; ρ)

2

For every id′ S computes:

(usk[id′], (hkid′, hpid′)) for SPHF on Lc

id′

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 23 / 31

  • Authority

busk[id] usk[id] id BlindUSKGen(msk, C; t) C Commit(id; ρ) Recover(busk[id], ρ) User

slide-64
SLIDE 64

BIBE Generic Construction

1

User: C = Encryptcca(id; ρ)

2

For every id′ S computes:

(usk[id′], (hkid′, hpid′)) for SPHF on Lc

id′

Hid′

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 23 / 31

  • Authority

busk[id] usk[id] id BlindUSKGen(msk, C; t) C Commit(id; ρ) Recover(busk[id], ρ) User

slide-65
SLIDE 65

BIBE Generic Construction

1

User: C = Encryptcca(id; ρ)

2

For every id′ S computes:

(usk[id′], (hkid′, hpid′)) for SPHF on Lc

id′

Hid′

Sends (hpid′, usk[id′] ⊕ KDF(Hid′)) for every id′

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 23 / 31

  • Authority

busk[id] usk[id] id BlindUSKGen(msk, C; t) C Commit(id; ρ) Recover(busk[id], ρ) User

slide-66
SLIDE 66

BIBE Generic Construction

1

User: C = Encryptcca(id; ρ)

2

For every id′ S computes:

(usk[id′], (hkid′, hpid′)) for SPHF on Lc

id′

Hid′

Sends (hpid′, usk[id′] ⊕ KDF(Hid′)) for every id′

3

User computes H′

id = ProjHash(hpid, (Lc id, param), C, ρ)

Recovers usk[id]

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 23 / 31

  • Authority

busk[id] usk[id] id BlindUSKGen(msk, C; t) C Commit(id; ρ) Recover(busk[id], ρ) User

slide-67
SLIDE 67

3-flow-Adaptive Oblivious Transfer

Database Preparation: Data encryption, usk computation, channel key generation.

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 24 / 31

slide-68
SLIDE 68

3-flow-Adaptive Oblivious Transfer

Database Preparation: Data encryption, usk computation, channel key generation. Index query on s: Secure channel creation, s commitment computation (keeping rand).

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 24 / 31

slide-69
SLIDE 69

3-flow-Adaptive Oblivious Transfer

Database Preparation: Data encryption, usk computation, channel key generation. Index query on s: Secure channel creation, s commitment computation (keeping rand). IBE input msk: BlindUSKGen computation, blind key transmission.

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 24 / 31

slide-70
SLIDE 70

3-flow-Adaptive Oblivious Transfer

Database Preparation: Data encryption, usk computation, channel key generation. Index query on s: Secure channel creation, s commitment computation (keeping rand). IBE input msk: BlindUSKGen computation, blind key transmission. Data recovery: usk[s] computation (using rand), data recovering.

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 24 / 31

slide-71
SLIDE 71

3-flow-Adaptive Oblivious Transfer

Database Preparation: Data encryption, usk computation, channel key generation. Index query on s: Secure channel creation, s commitment computation (keeping rand). IBE input msk: BlindUSKGen computation, blind key transmission. Data recovery: usk[s] computation (using rand), data recovering. Almost...

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 24 / 31

slide-72
SLIDE 72

What About The Communication Cost?

Server Recipient

C=Commit(j; ρ) {usk[i]}i {usk[i] ⊕Hi}i ⊕Hi = Hash(hkLc

i , Lc

i, C)

{hpLc

i }i

usk[j] ⊕ProjHash(..., hpj; ρ)

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 25 / 31

slide-73
SLIDE 73

Issue With The Communication Cost

Problem: need as many languages as the number of identities. ⇒ communication cost linear in the size of the database.

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 26 / 31

slide-74
SLIDE 74

Issue With The Communication Cost

Problem: need as many languages as the number of identities. ⇒ communication cost linear in the size of the database. Solution: fragment identities into bits. ⇒ communication cost logarithmic in the size of the database.

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 26 / 31

slide-75
SLIDE 75

Affine IBE

usk[id] = usk[0] ⊕

i

usk[i, idi]

  • Example with id = 0010

usk[0] usk[1, 0] usk[1, 1] usk[2, 0] usk[3, 0] usk[4, 0] usk[2, 1] usk[3, 1] usk[4, 1]

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 27 / 31

slide-76
SLIDE 76

Affine IBE

usk[id] = usk[0] ⊕

i

usk[i, idi]

  • Example with id = 0010

usk[0] usk[1, 0] usk[1, 1] usk[2, 0] usk[3, 0] usk[4, 0] usk[2, 1] usk[3, 1] usk[4, 1] usk[0]

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 27 / 31

slide-77
SLIDE 77

Affine IBE

usk[id] = usk[0] ⊕

i

usk[i, idi]

  • Example with id = 0010

usk[0] usk[1, 0] usk[1, 1] usk[2, 0] usk[3, 0] usk[4, 0] usk[2, 1] usk[3, 1] usk[4, 1] usk[0] usk[1, 0]

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 27 / 31

slide-78
SLIDE 78

Affine IBE

usk[id] = usk[0] ⊕

i

usk[i, idi]

  • Example with id = 0010

usk[0] usk[1, 0] usk[1, 1] usk[2, 0] usk[3, 0] usk[4, 0] usk[2, 1] usk[3, 1] usk[4, 1] usk[0] usk[1, 0] usk[2, 0]

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 27 / 31

slide-79
SLIDE 79

Affine IBE

usk[id] = usk[0] ⊕

i

usk[i, idi]

  • Example with id = 0010

usk[0] usk[1, 0] usk[1, 1] usk[2, 0] usk[3, 0] usk[4, 0] usk[2, 1] usk[3, 1] usk[4, 1] usk[0] usk[1, 0] usk[2, 0] usk[3, 1]

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 27 / 31

slide-80
SLIDE 80

Affine IBE

usk[id] = usk[0] ⊕

i

usk[i, idi]

  • Example with id = 0010

usk[0] usk[1, 0] usk[1, 1] usk[2, 0] usk[3, 0] usk[4, 0] usk[2, 1] usk[3, 1] usk[4, 1] usk[0] usk[1, 0] usk[2, 0] usk[3, 1] usk[4, 0]

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 27 / 31

slide-81
SLIDE 81

Fragmented BIBE Construction

2

For all i, b S computes:

(usk[i, b], (hki,b, hpi,b)) for SPHF on Lc

i,b

Hi,b Z = usk[0] ⊖

i zi

  • Sends (Z, hpi,b, usk[i, b] ⊕ KDF(Hi,b)⊕ zi) for each (i, b)
  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 28 / 31

slide-82
SLIDE 82

Fragmented BIBE Construction

2

For all i, b S computes:

(usk[i, b], (hki,b, hpi,b)) for SPHF on Lc

i,b

Hi,b Z = usk[0] ⊖

i zi

  • Sends (Z, hpi,b, usk[i, b] ⊕ KDF(Hi,b)⊕ zi) for each (i, b)

3

User computes H′

i,b = ProjHash(hpi,b, (Lc i,b, param), C, ρ)

Recovers usk[id] =

i(usk[i, idi]⊕ zi)

  • ⊕ Z
  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 28 / 31

slide-83
SLIDE 83

An Affine IBKEM Scheme

Gen : Yi

$

← Z2

p, Zi = Y ⊤ i

· A, y′

$

← Z2

p, z′ = y′⊤ · A,

⇒ mpk = (gA

1 , gZi 1 , gz′ 1 ), msk =(Yi, y′)

USKGen: s

$

← Zp, t = Bs, w = (Y0 + hi(idi)Yi)t + y′, ⇒ usk[id] = (gt

2, gw 2 )

Enc(mpk, id): r

$

← Zp, c0 = Ar, c1 = (Z0 + hi(idi)Zi) · r, ⇒ K = z′ · r,C = (gc0

1 , gc1 1 ), sk = gK T

Dec(usk[id], id, C): sk =e(gc0

1 , gt 2)·e(gc1 1 , gw 2 )−1

  • O. Blazy, C. Chevalier, P

. Germouty Adaptive Oblivious Transfer December 5, 2016 29 / 31

slide-84
SLIDE 84

1

Oblivious Transfer

2

OLBE: A Natural Generalization

3

Adaptive Oblivious Transfer

4

What To Remember

  • O. Blazy, C. Chevalier, P

. Germouty What To Remember December 5, 2016 30 / 31

slide-85
SLIDE 85

The Talk In One Slide

  • O. Blazy, C. Chevalier, P

. Germouty What To Remember December 5, 2016 31 / 31

slide-86
SLIDE 86

The Talk In One Slide

{OSBE, OT} ⊂ OLBE

  • O. Blazy, C. Chevalier, P

. Germouty What To Remember December 5, 2016 31 / 31

slide-87
SLIDE 87

The Talk In One Slide

{OSBE, OT} ⊂ OLBE Affine IBE + OT ⇒ Fragmented BIBE

  • O. Blazy, C. Chevalier, P

. Germouty What To Remember December 5, 2016 31 / 31

slide-88
SLIDE 88

The Talk In One Slide

{OSBE, OT} ⊂ OLBE Affine IBE + OT ⇒ Fragmented BIBE Fragmented BIBE + UC folklore ⇒ UC secure Adaptive OT

  • O. Blazy, C. Chevalier, P

. Germouty What To Remember December 5, 2016 31 / 31