Extension for Short Secrets Ajith Suresh IISc, Bangalore, India - - PowerPoint PPT Presentation
Fast Actively Secure OT Extension for Short Secrets Ajith Suresh IISc, Bangalore, India Date : 28 February 2017 (Joint work with Arpita Patra and Pratik Sarkar (IISc)) Outline of this presentation Oblivious Transfer (OT) OT Extension
Ajith Suresh IISc, Bangalore, India Date : 28 February 2017 (Joint work with Arpita Patra and Pratik Sarkar (IISc))
Oblivious Transfer (OT) OT Extension The protocol of KK13 Our Actively Secure OT Extension Protocol
Feb 28, 2017 Ajith Suresh | NDSS 2017 2
Outline of this presentation
Feb 28, 2017 Ajith Suresh | NDSS 2017 3
Oblivious Transfer (OT)
(x0, x1) σ = 0 or 1
Bob does not know σ
Alice does not know x1-σ x0 x1 xσ σ
1-out-of-2 OT
1 out of n OT: The sender has n messages instead of two (Brassard et. al. [87])
Feb 28, 2017 Ajith Suresh | NDSS 2017 4
OT Extension [Beaver 96]
OT cannot be based on symmetric-key primitives alone [IR89] Small no. of “base” OTs + symmetric-key operations = Large no. of OTs Minimizes the cost of OT in an amortized sense.
k OTs poly(k) OTs
OT Extension
@ cheap SKE OT1 OT2 OTk OT1 OT2 OTpoly(k)
Feb 28, 2017 Ajith Suresh | NDSS 2017 5
KK13 OT Extension
Sender Receiver
x1,1 , … , x1,n x2,1 , … , x2,n …………… xm,1 , … , xm,n
R = (r1 , … , rm) ……
x1,r1, x2,r2, … , xm,rm
m 1-out-of-n OT
yi,r , … , yi,n
zi = yi,ri H(i, ti)
yi,1 = xi,1 H(i, qi(C1 ⦿ S)) ………………………………………. yi,r = xi,r H(i, qi(Cr ⦿ S)) ……………………………………… yi,n= xi,n H(i, qi(Cn ⦿ S))
Feb 28, 2017 Ajith Suresh | NDSS 2017 6
KK13 OT Extension
Sender Receiver qi = ti(Cri ⦿ S) T =
m x k
D =
m x k
Q =
m x k
cr1 cr2 … crm
S {0,1}k
t1 t2 … tm q1 q2 … qm
Base OT
ti ti di qi si
H – Random Oracle
Matrix A ai : ith row aj : jth column R = (r1 , … , rm)
Mask
Ci : ith WH Codeword
Feb 28, 2017 Ajith Suresh | NDSS 2017 7
Malicious Attack in KK13
Given prior knowledge on x1,1, adversary can find s1 with
two queries to H
D =
Adversary sets the D matrix as follows : The 1st mask in the 1st OT will be of the form:
H(1, q1 (C1 ⦿ S)) = H(1, t1 (D1 C1 )⦿ S) = H(1, t1 ( [ 1, 0, … , 0 ] ⦿ S ) ) = H(1, t1 [ s1 ,0, … , 0 ] ) c1 with first bit flipped
Feb 28, 2017 Ajith Suresh | NDSS 2017 8
Formulating the problem
H(1, q1 (C1 ⦿ S)) = H(1, t1 ( (Cr1 C1 ) ⦿ S )
1st mask in the 1st 1-out-of-n OT :
H(1, q1 (C1 ⦿ S)) = H(1, t1 ( (D1 C1 ) ⦿ S ) Requirement : Ensure that rows of D matrix are codewords Hamming weight ≥ k/2 (Walsh - Hadamard Codes)
Feb 28, 2017 Ajith Suresh | NDSS 2017 9
Our Actively Secure OT Extension Protocol
Base OTs Sending Masked Inputs Added Phase Consistency Checks
Feb 28, 2017 Ajith Suresh | NDSS 2017 10
Implementation Results
Comparison with KK13
0.028% overhead
(in both LAN and WAN)
Feb 28, 2017 Ajith Suresh | NDSS 2017 11
Feb 28, 2017 Ajith Suresh | NDSS 2017 12
References
1.
238, 1987.
2.
Donald Beaver. Correlated pseudo randomness and the complexity of private computations. In STOC, pages 479-488, 1996.
3.
1985.
4.
Y . Ishai, J. Kilian, K. Nissim, and E. Petrank. Extending oblivious transfers efficiently. In Dan Boneh, editor, Advances in Cryptology - CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 145-161. Springer, August 2003.Transfer (OT)
5.
Cryptology-CRYPTO 2013 (pp. 54-70). Springer Berlin Heidelberg
6.
Marcel Keller, Emmanuela Orsini, and Peter Scholl. Actively secure OT extension with optimal overhead. In Thomas Ristenpart, Rosario Gennaro, and Matthew Robshaw, editors, CRYPTO 2015, Santa Barbara, CA, USA, August 16-20, 2015. Springer, Berlin, Germany.
7.
Andrew Chi-Chi Yao. Protocols for secure computations (extended abstract). In FOCS, pages 160-164, 1982.