Fast Actively Secure OT Extension for Short Secrets Ajith Suresh IISc, Bangalore, India Date : 28 February 2017 (Joint work with Arpita Patra and Pratik Sarkar (IISc))
Outline of this presentation Oblivious Transfer (OT) OT Extension The protocol of KK13 Our Actively Secure OT Extension Protocol Ajith Suresh | NDSS 2017 Feb 28, 2017 2
Oblivious Transfer (OT) Bob does not know σ Alice does not know x 1- σ x 0 σ 1-out-of-2 OT x 1 x σ (x 0 , x 1 ) σ = 0 or 1 1 out of n OT: The sender has n messages instead of two (Brassard et. al. [87]) OT is complete for MPC (Kilian [88]) Ajith Suresh | NDSS 2017 Feb 28, 2017 3
OT Extension [Beaver 96] OT cannot be based on symmetric-key primitives alone [IR89] Small no. of “base” OTs + symmetric-key operations = Large no. of OTs OT 1 OT 1 k OTs poly(k) OTs OT 2 OT OT 2 Extension @ cheap SKE OT k OT poly(k) Minimizes the cost of OT in an amortized sense. Ajith Suresh | NDSS 2017 Feb 28, 2017 4
KK13 OT Extension Sender Receiver x 1,1 , … , x 1,n R = (r 1 , … , r m ) x 2,1 , … , x 2,n m …………… …… 1-out-of-n OT x m,1 , … , x m,n x 1,r1 , x 2,r2 , … , x m,rm Ajith Suresh | NDSS 2017 Feb 28, 2017 5
KK13 OT Extension R = (r 1 , … , r m ) Sender Receiver s i t i C i : i th WH Codeword q 1 t 1 c r1 Base q 2 t 2 c r2 Q = S {0,1} k OT T = D = … t i d i … q i … q m t m c rm m x k m x k m x k q i = t i ( C ri ⦿ S ) Matrix A a i : i th row a j : j th column y i ,1 = x i , 1 H ( i , q i ( C 1 ⦿ S )) ………………………………………. y i , r , … , y i , n z i = y i , ri H ( i , t i ) y i ,r = x i , r H ( i , q i ( C r ⦿ S )) ……………………………………… y i ,n = x i , n H ( i , q i ( C n ⦿ S )) H – Random Oracle Mask Ajith Suresh | NDSS 2017 Feb 28, 2017 6
Malicious Attack in KK13 Adversary sets the D matrix as follows : c 1 with first bit flipped D = The 1 st mask in the 1 st OT will be of the form: H ( 1 , q 1 ( C 1 ⦿ S)) = H ( 1 , t 1 ( D 1 C 1 )⦿ S) q i = t i ( C ri ⦿ S ) = H ( 1 , t 1 ( [ 1 , 0, … , 0 ] ⦿ S ) ) = H ( 1 , t 1 [ s 1 ,0, … , 0 ] ) Given prior knowledge on x 1,1 , adversary can find s 1 with two queries to H Ajith Suresh | NDSS 2017 Feb 28, 2017 7
Formulating the problem 1 st mask in the 1 st 1-out-of-n OT : H ( 1 , q 1 ( C 1 ⦿ S)) = H ( 1 , t 1 ( ( C r1 C 1 ) ⦿ S ) H ( 1 , q 1 ( C 1 ⦿ S)) = H ( 1 , t 1 ( ( D 1 C 1 ) ⦿ S ) Hamming weight ≥ k/2 (Walsh - Hadamard Codes) Requirement : Ensure that rows of D matrix are codewords q i = t i ( C ri ⦿ S ) Ajith Suresh | NDSS 2017 Feb 28, 2017 8
Our Actively Secure OT Extension Protocol Base OTs Added Phase Consistency Checks Sending Masked Inputs Ajith Suresh | NDSS 2017 Feb 28, 2017 9
Implementation Results Comparison with KK13 Communication Complexity : • 0.028% overhead Runtime : 3% - 6% overhead • ( in both LAN and WAN) Ajith Suresh | NDSS 2017 Feb 28, 2017 10
THANK YOU Questions ?? Ajith Suresh | NDSS 2017 Feb 28, 2017 11
References G. Brassard, C. Crepeau, and J.M. Robert. All-or-nothing disclosure of secrets . In CRYPTO 86, pp. 234- 1. 238, 1987. Donald Beaver. Correlated pseudo randomness and the complexity of private computations . In STOC, 2. pages 479-488, 1996. S. Even, O. Goldreich, and A. Lempel. A randomized protocol for signing contracts . C. ACM, 28:637-647, 3. 1985. Y . Ishai, J. Kilian, K. Nissim, and E. Petrank. Extending oblivious transfers efficiently . In Dan Boneh, 4. editor, Advances in Cryptology - CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 145-161. Springer, August 2003.Transfer (OT) V. Kolesnikov and R. Kumaresan. Improved OT Extension for Transferring Short Secrets . In Advances in 5. Cryptology-CRYPTO 2013 (pp. 54-70). Springer Berlin Heidelberg Marcel Keller, Emmanuela Orsini, and Peter Scholl. Actively secure OT extension with optimal overhead . 6. In Thomas Ristenpart, Rosario Gennaro, and Matthew Robshaw, editors, CRYPTO 2015, Santa Barbara, CA, USA, August 16-20, 2015. Springer, Berlin, Germany. Andrew Chi-Chi Yao. Protocols for secure computations (extended abstract). In FOCS, pages 160-164, 7. 1982. Ajith Suresh | NDSS 2017 Feb 28, 2017 12
Recommend
More recommend
