generic construction of uc secure oblivious transfer
play

Generic Construction of UC-Secure Oblivious Transfer O. Blazy , - PowerPoint PPT Presentation

Sep 11, 2022 •397 likes •852 views

Generic Construction of UC-Secure Oblivious Transfer O. Blazy , C.Chevalier O. Blazy (Xlim) Generic OT 1 / 20 Global Framework 1 Cryptographic Tools 2 1-out-of- t Oblivious Transfer 3 Instantiation 4 Conclusion 5 O. Blazy (Xlim)

  1. Generic Construction of UC-Secure Oblivious Transfer O. Blazy , C.Chevalier O. Blazy (Xlim) Generic OT 1 / 20

  2. Global Framework 1 Cryptographic Tools 2 1-out-of- t Oblivious Transfer 3 Instantiation 4 Conclusion 5 O. Blazy (Xlim) Generic OT 2 / 20

  3. Global Framework 1 Cryptographic Tools 2 1-out-of- t Oblivious Transfer 3 Instantiation 4 Conclusion 5 O. Blazy (Xlim) Generic OT 2 / 20

  4. Global Framework 1 Cryptographic Tools 2 1-out-of- t Oblivious Transfer 3 Instantiation 4 Conclusion 5 O. Blazy (Xlim) Generic OT 2 / 20

  5. Global Framework 1 Cryptographic Tools 2 1-out-of- t Oblivious Transfer 3 Instantiation 4 Conclusion 5 O. Blazy (Xlim) Generic OT 2 / 20

  6. Global Framework 1 Cryptographic Tools 2 1-out-of- t Oblivious Transfer 3 Instantiation 4 Conclusion 5 O. Blazy (Xlim) Generic OT 2 / 20

  7. Global Framework 1 Motivation Cryptographic Tools 2 1-out-of- t Oblivious Transfer 3 Instantiation 4 Conclusion 5 O. Blazy (Xlim) Generic OT 3 / 20

  8. Conditional Actions Oblivious Transfer Database User C ( line ) ← − − − − − − − − − − − − − − − DB [ line ] − − − − − − − − − − − − − − − → � The User learns the value of line but nothing else. � The Database learns nothing. O. Blazy (Xlim) Generic OT 4 / 20

  9. Semantic security Only the requested line should be learned by the User O. Blazy (Xlim) Generic OT 5 / 20

  10. Semantic security Only the requested line should be learned by the User Oblivious The authority should not learn which line was requested O. Blazy (Xlim) Generic OT 5 / 20

  11. Global Framework 1 Cryptographic Tools 2 Encryption Scheme Chameleon Hash Scheme Smooth Projective Hash Function 1-out-of- t Oblivious Transfer 3 Instantiation 4 Conclusion 5 O. Blazy (Xlim) Generic OT 6 / 20

  12. Definition (Encryption Scheme) E = ( Setup , KeyGen , Encrypt , Decrypt ) : Setup ( K ) : param; KeyGen ( param ) : public encryption key pk, private decryption key dk; Encrypt ( pk , m ; r ) : ciphertext c on m ∈ M and pk; Decrypt ( dk , c ) : decrypts c under dk. Indistinguishability under Chosen Ciphertext Attack O. Blazy (Xlim) Generic OT 7 / 20

  13. Definition (Chameleon Hash Scheme) CH = ( Setup , KeyGen , CH , Coll ) : Setup ( K ) : param; KeyGen ( param ) : outputs the chameleon hash key ck and the trapdoor tk; CH ( ck , m ; r ) : Picks r , and outputs the hash a ; Coll ( ck , m , r , m ′ , tk ) : Takes tk, ( m , r ) and m ′ , and outputs r ′ such that CH ( ck , m ; r ) = CH ( ck , m ′ ; r ′ ) . Extra Procedures (Verification) VKeyGen ( ck ) : Outputs vk and vtk. ⊥ or public if publicly verifiable. Valid ( ck , vk , m , a , d , vtk ) : Allows to check that d opens a to m . Collision Resistance ∗ O. Blazy (Xlim) Generic OT 8 / 20

  14. Definition (Chameleon Hash Scheme) CH = ( Setup , KeyGen , CH , Coll ) : Setup ( K ) : param; KeyGen ( param ) : outputs the chameleon hash key ck and the trapdoor tk; CH ( ck , m ; r ) : Picks r , and outputs the hash a and verification value d ; Coll ( ck , m , r , m ′ , tk ) : Takes tk, ( m , r ) and m ′ , and outputs r ′ such that CH ( ck , m ; r ) = CH ( ck , m ′ ; r ′ ) . Extra Procedures (Verification) VKeyGen ( ck ) : Outputs vk and vtk. ⊥ or public if publicly verifiable. Valid ( ck , vk , m , a , d , vtk ) : Allows to check that d opens a to m . Collision Resistance ∗ O. Blazy (Xlim) Generic OT 8 / 20

  15. Definition (Smooth Projective Hash Functions) [CS02] Let { H } be a family of functions: X , domain of these functions L , subset (a language) of this domain such that, for any point x in L , H ( x ) can be computed by using either a secret hashing key hk: H ( x ) = Hash L ( hk ; x ) ; or a public projected key hp: H ′ ( x ) = ProjHash L ( hp ; x , w ) Public mapping hk �→ hp = ProjKG L ( hk , x ) O. Blazy (Xlim) Generic OT 9 / 20

  16. Properties For any x ∈ X , H ( x ) = Hash L ( hk ; x ) For any x ∈ L , H ( x ) = ProjHash L ( hp ; x , w ) w witness that x ∈ L Smoothness For any x �∈ L , H ( x ) and hp are independent Pseudo-Randomness For any x ∈ L , H ( x ) is pseudo-random, without a witness w O. Blazy (Xlim) Generic OT 10 / 20

  17. Properties For any x ∈ X , H ( x ) = Hash L ( hk ; x ) For any x ∈ L , H ( x ) = ProjHash L ( hp ; x , w ) w witness that x ∈ L Smoothness For any x �∈ L , H ( x ) and hp are independent Pseudo-Randomness For any x ∈ L , H ( x ) is pseudo-random, without a witness w O. Blazy (Xlim) Generic OT 10 / 20

  18. Properties For any x ∈ X , H ( x ) = Hash L ( hk ; x ) For any x ∈ L , H ( x ) = ProjHash L ( hp ; x , w ) w witness that x ∈ L Smoothness For any x �∈ L , H ( x ) and hp are independent Pseudo-Randomness For any x ∈ L , H ( x ) is pseudo-random, without a witness w O. Blazy (Xlim) Generic OT 10 / 20

  19. Global Framework 1 Cryptographic Tools 2 1-out-of- t Oblivious Transfer 3 Definition Our Generic Construction Security Instantiation 4 Conclusion 5 O. Blazy (Xlim) Generic OT 11 / 20

  20. Oblivious Transfer [Rab81] A user U wants to access a line ℓ in a database D composed of t of them: U learns nothing more than the value of the line ℓ D does not learn which line was accessed by U Correctness: if U request a single line, he learns it Security Notions Oblivious: D does not know learn which line was accessed ; Semantic Security: U does not learn any information about the other lines. O. Blazy (Xlim) Generic OT 12 / 20

  21. Oblivious Transfer [Rab81] A user U wants to access a line ℓ in a database D composed of t of them: U learns nothing more than the value of the line ℓ D does not learn which line was accessed by U Correctness: if U request a single line, he learns it Security Notions Oblivious: D does not know learn which line was accessed ; Semantic Security: U does not learn any information about the other lines. O. Blazy (Xlim) Generic OT 12 / 20

  22. Oblivious Transfer [Rab81] A user U wants to access a line ℓ in a database D composed of t of them: U learns nothing more than the value of the line ℓ D does not learn which line was accessed by U Correctness: if U request a single line, he learns it Security Notions Oblivious: D does not know learn which line was accessed ; Semantic Security: U does not learn any information about the other lines. O. Blazy (Xlim) Generic OT 12 / 20

  23. Generic bit UC Commitment User picks a bit b , random r , d 1 − b ,� s , and computes ( a , d b ) = CH ( ck , b ; r ) He then computes C = Encrypt ( d 0 , d 1 ; � s ) . SPHF Compatibility If the encryption is SPHF friendly, then one can build an SPHF on the language of valid encryption of a chameleon information. L b = { c |∃ d 1 − b , s , Valid ( ck , vk , b , a , d b , vtk ) ∧ c = Encrypt ( d 0 , d 1 ; s ) } O. Blazy (Xlim) Generic OT 13 / 20

  24. Generic bit UC Commitment User picks a bit b , random r , d 1 − b ,� s , and computes ( a , d b ) = CH ( ck , b ; r ) He then computes C = Encrypt ( d 0 , d 1 ; � s ) . SPHF Compatibility If the encryption is SPHF friendly, then one can build an SPHF on the language of valid encryption of a chameleon information. L b = { c |∃ d 1 − b , s , Valid ( ck , vk , b , a , d b , vtk ) ∧ c = Encrypt ( d 0 , d 1 ; s ) } O. Blazy (Xlim) Generic OT 13 / 20

  25. Generic bit UC Commitment User picks a bit b , random r , d 1 − b ,� s , and computes ( a , d b ) = CH ( ck , b ; r ) He then computes C = Encrypt ( d 0 , d 1 ; � s ) . SPHF Compatibility If the encryption is SPHF friendly, then one can build an SPHF on the language of valid encryption of a chameleon information. L b = { c |∃ d 1 − b , s , Valid ( ck , vk , b , a , d b , vtk ) ∧ c = Encrypt ( d 0 , d 1 ; s ) } O. Blazy (Xlim) Generic OT 13 / 20

  26. Generic bit UC Commitment User picks a bit b , random r , d 1 − b ,� s , and computes ( a , d b ) = CH ( ck , b ; r ) He then computes C = Encrypt ( d 0 , d 1 ; � s ) . SPHF Compatibility If the encryption is SPHF friendly, then one can build an SPHF on the language of valid encryption of a chameleon information. L b = { c |∃ d 1 − b , s , Valid ( ck , vk , b , a , d b , vtk ) ∧ c = Encrypt ( d 0 , d 1 ; s ) } O. Blazy (Xlim) Generic OT 13 / 20

  27. Generic 1-out-of- t Oblivious Transfer User U picks ℓ : For each bit, picks random r i , d 1 − ℓ i , i , and computes ( a i , d ℓ i , i ) = CH ( ck , ℓ i ; r i ) He then computes C = Encrypt ( � d ; � s ) and sends C , � a . For each line L j , server S computes hk j , hp j , and H j = Hash L j ( hk j , C ) , M j = H j ⊕ L j and sends M j , hp j . For the line ℓ , user computes H ′ ℓ = ProjHash L ℓ ( hp ℓ , C ,� s ℓ ) , and then L ℓ = M ℓ ⊕ H ′ ℓ O. Blazy (Xlim) Generic OT 14 / 20

  28. Generic 1-out-of- t Oblivious Transfer User U picks ℓ : For each bit, picks random r i , d 1 − ℓ i , i , and computes ( a i , d ℓ i , i ) = CH ( ck , ℓ i ; r i ) He then computes C = Encrypt ( � d ; � s ) and sends C , � a . For each line L j , server S computes hk j , hp j , and H j = Hash L j ( hk j , C ) , M j = H j ⊕ L j and sends M j , hp j . For the line ℓ , user computes H ′ ℓ = ProjHash L ℓ ( hp ℓ , C ,� s ℓ ) , and then L ℓ = M ℓ ⊕ H ′ ℓ O. Blazy (Xlim) Generic OT 14 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer Hong-Sheng

Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer Hong-Sheng

Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer Hong-Sheng Zhou University of Connecticut Joint work with Juan Garay (AT&T) and Daniel Wichs (NYU) CRYPTO 2009 Outline Background New Approach

789 views • 36 slides
A Framework for Efficient and Composable Oblivious Transfer Chris Peikert 1 Vinod Vaikuntanathan

A Framework for Efficient and Composable Oblivious Transfer Chris Peikert 1 Vinod Vaikuntanathan

A Framework for Efficient and Composable Oblivious Transfer Chris Peikert 1 Vinod Vaikuntanathan 2 Brent Waters 1 1 SRI International 2 MIT CRYPTO 2008 1 / 10 Oblivious Transfer [R81,EGL85,BCR86,C87,K88,CK88,C89,CS91,CGT95,DCP95,FMR96,BC97,. .

1.02k views • 50 slides
Perfectly S Secure O Oblivious A s Algorithms s in t the M Multi-Server S Setting T-H.

Perfectly S Secure O Oblivious A s Algorithms s in t the M Multi-Server S Setting T-H.

Perfectly S Secure O Oblivious A s Algorithms s in t the M Multi-Server S Setting T-H. Hubert Chan, Jonathan Katz, Ka Kartik Nay ayak, Antigoni Polychroniadou, Elaine Shi Defini De ning ng an n Obl Oblivious us RAM Example request

812 views • 33 slides
Secure indexes and other oblivious search structures (Privaatne otsing: indeksid ning

Secure indexes and other oblivious search structures (Privaatne otsing: indeksid ning

Secure indexes and other oblivious search structures (Privaatne otsing: indeksid ning alternatiivid) Sven Laur swen@math.ut.ee Helsinki University of Technology Basic motivation Secure storage problem Client Alice does not have skills for

428 views • 16 slides
ON THE FEASIBILITY OF EXTENDING OBLIVIOUS TRANSFER Yehuda Lindell Yehuda Lindell Hila Zarosim

ON THE FEASIBILITY OF EXTENDING OBLIVIOUS TRANSFER Yehuda Lindell Yehuda Lindell Hila Zarosim

ON THE FEASIBILITY OF EXTENDING OBLIVIOUS TRANSFER Yehuda Lindell Yehuda Lindell Hila Zarosim Hila Zarosim TCC 2013 Obli i Oblivious Transfer T f The other message message remains secret to the the receiver Obli i Oblivious

757 views • 38 slides
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 intro the Russian Dolls construction generic attacks application to

539 views • 17 slides
SFE: Yaos Garbled Circuit Oblivious Transfer IDEAL World Pick one out of two, without

SFE: Yaos Garbled Circuit Oblivious Transfer IDEAL World Pick one out of two, without

SFE: Yaos Garbled Circuit Oblivious Transfer IDEAL World Pick one out of two, without revealing which Intuitive property: OT transfer partial A:up, B:down A up I need just information All 2 of one them! But cant

432 views • 20 slides
Constant-Rate Oblivious Transfer from Noisy Channels Yuval I shai Eyal K ushilevitz Rafail O

Constant-Rate Oblivious Transfer from Noisy Channels Yuval I shai Eyal K ushilevitz Rafail O

Constant-Rate Oblivious Transfer from Noisy Channels Yuval I shai Eyal K ushilevitz Rafail O strovsky Manoj P rabhakaran Amit S ahai Jrg W ullschleger Tuesday, August 23, 2011 Constant-Rate Oblivious Transfer from Noisy Channels Yuval I shai

1.25k views • 95 slides
Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim

Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim

Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion Motivation x y f(x,y) How (in)efficient is generic secure computation?

431 views • 25 slides
Optimistic Fair Priced Oblivious Transfer A. Rial B. Preneel Katholieke Universiteit Leuven -

Optimistic Fair Priced Oblivious Transfer A. Rial B. Preneel Katholieke Universiteit Leuven -

Motivation Efficient Priced Oblivious Transfer Optimistic Fair POT Optimistic Fair Priced Oblivious Transfer A. Rial B. Preneel Katholieke Universiteit Leuven - ESAT-COSIC IBBT Africacrypt 2010 A. Rial Optimistic Fair POT Motivation

1.08k views • 78 slides
A Practical Oblivious Map Data Structure with Secure Deletion and History Independence Daniel S.

A Practical Oblivious Map Data Structure with Secure Deletion and History Independence Daniel S.

Intro vORAM HIRB Results A Practical Oblivious Map Data Structure with Secure Deletion and History Independence Daniel S. Roche Adam J. Aviv Seung Geol Choi Computer Science Department United States Naval Academy Annapolis, Maryland, USA

395 views • 37 slides
More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries Gilad

More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries Gilad

More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries Gilad Asharov Hebrew University Yehuda Lindell Bar-Ilan University Thomas Schneider Darmstadt Michael Zohner Darmstadt EUROCRYPT 2015 From Theory to

498 views • 37 slides
The Simplest Protocol for Oblivious Transfer Tung Chou Technische Universiteit Eindhoven, The

The Simplest Protocol for Oblivious Transfer Tung Chou Technische Universiteit Eindhoven, The

The Simplest Protocol for Oblivious Transfer Tung Chou Technische Universiteit Eindhoven, The Netherlands August 24, 2015 Latincrypt 2015, Guadalajara, Mexico Joint work with Claudio Orlandi 2 OTs 1 Sender Receiver 2 OTs

930 views • 28 slides
k -Round Multiparty Computation from k -Round Oblivious Transfer via Garbled Interactive Circuits

k -Round Multiparty Computation from k -Round Oblivious Transfer via Garbled Interactive Circuits

k -Round Multiparty Computation from k -Round Oblivious Transfer via Garbled Interactive Circuits Fabrice Benhamouda Huijia (Rachel) Lin IBM Research / Columbia University, US University of California, Santa Barbara, US Eurocrypt 2018, May 1,

1.03k views • 85 slides
Experimental realisation of quantum oblivious transfer Ryan Amiri 1 , Robert Strek 2 , Michal

Experimental realisation of quantum oblivious transfer Ryan Amiri 1 , Robert Strek 2 , Michal

Experimental realisation of quantum oblivious transfer Ryan Amiri 1 , Robert Strek 2 , Michal Miuda 2 , Ladislav Mita 2 , Jr., Miloslav Duek 2 , Petros Wallden 3 , and Erika Andersson 1 1 SUPA, Institute of Photonics and Quantum Sciences,

752 views • 29 slides
Two Round Oblivious Transfer from CDH or LPN Eurocrypt 2020 Nico Dttling Sanjam Garg Mohammad

Two Round Oblivious Transfer from CDH or LPN Eurocrypt 2020 Nico Dttling Sanjam Garg Mohammad

Two Round Oblivious Transfer from CDH or LPN Eurocrypt 2020 Nico Dttling Sanjam Garg Mohammad Hajiabadi Daniel Masny Daniel Wichs CISPA Helmholtz Center for Information Security UC Berkeley Visa Research Northeastern University

425 views • 13 slides
Hi Matlab Grader homework, emailed Thursday, 1 (of 9) homeworks Due 21 April, Binary graded. 2

Hi Matlab Grader homework, emailed Thursday, 1 (of 9) homeworks Due 21 April, Binary graded. 2

Announcements Hi Matlab Grader homework, emailed Thursday, 1 (of 9) homeworks Due 21 April, Binary graded. 2 this week Jupyter homework?: translate matlab to Jupiter, TA Harshul h6gupta@eng.ucsd.edu or me I would like this to happen. GPU

404 views • 18 slides
Cohen-Kaplansky Domains Stefan Bock Jim Coykendall Clemson University Chris Spicer Morningside

Cohen-Kaplansky Domains Stefan Bock Jim Coykendall Clemson University Chris Spicer Morningside

Introduction Cohen-Kaplansky (CK) Domains Cohen-Kaplansky Domains Stefan Bock Jim Coykendall Clemson University Chris Spicer Morningside College April 17, 2016 Stefan BockJim CoykendallClemson UniversityChris SpicerMorningside College

556 views • 22 slides
Why p in Fuzzy Clustering? Our Explanation Proof Kehinde Akinola, Ahnaf Farhan, and Vladik

Why p in Fuzzy Clustering? Our Explanation Proof Kehinde Akinola, Ahnaf Farhan, and Vladik

Formulation of the . . . Why p in Fuzzy Clustering? Our Explanation Proof Kehinde Akinola, Ahnaf Farhan, and Vladik Kreinovich Home Page Title Page University of Texas at El Paso El Paso, TX 79968, USA

128 views • 8 slides
Clustering Albert Bifet May 2012 COMP423A/COMP523A Data Stream Mining Outline 1. Introduction

Clustering Albert Bifet May 2012 COMP423A/COMP523A Data Stream Mining Outline 1. Introduction

Clustering Albert Bifet May 2012 COMP423A/COMP523A Data Stream Mining Outline 1. Introduction 2. Stream Algorithmics 3. Concept drift 4. Evaluation 5. Classification 6. Ensemble Methods 7. Regression 8. Clustering 9. Frequent Pattern

260 views • 22 slides
The TAU 2014 Contest Removing Pessimism during Timing Analysis

The TAU 2014 Contest Removing Pessimism during Timing Analysis

The TAU 2014 Contest Removing Pessimism during Timing Analysis Jin Hu Debjit Sinha Igor Keller IBM Corp. IBM Corp. Cadence [Speaker] Sponsors: 1

621 views • 27 slides
On Allocating Cache Resources to Content Providers Weibo Chu, Mostafa Dehghan, Don Towsley,

On Allocating Cache Resources to Content Providers Weibo Chu, Mostafa Dehghan, Don Towsley,

3rd ACM Conference on Information-Centric Networking (ICN 2016) On Allocating Cache Resources to Content Providers Weibo Chu, Mostafa Dehghan, Don Towsley, Zhi-Li Zhang wbchu@nwpu.edu.cn Northwestern Polytechnical University 3rd ACM Conference

494 views • 16 slides
Mining Association Rules Mining Association Rules Additional Measures of rule interestingness

Mining Association Rules Mining Association Rules Additional Measures of rule interestingness

Mining Association Rules Mining Association Rules What is Association rule mining Apriori Algorithm Mining Association Rules Mining Association Rules Additional Measures of rule interestingness Advanced Techniques 1 2 What Is

357 views • 15 slides
Holomorphic functions associated with indeterminate rational moment problems Adhemar Bultheel 1 ,

Holomorphic functions associated with indeterminate rational moment problems Adhemar Bultheel 1 ,

Holomorphic functions associated with indeterminate rational moment problems Adhemar Bultheel 1 , Erik Hendriksen 2 , Olav Nj astad 3 1 Dept. Computer Science, KU Leuven 2 Nieuwkoop, The Netherlands 3 Mathematics, Univ. Trondheim Puerto de la

645 views • 42 slides

More recommend