
  1. Efficient Actively Secure OT Extension: 5 Years Later (Part I)
     Emmanuela Orsini and Peter Scholl, imec-COSIC, KU Leuven and Aarhus University
     Based on the paper "Efficient Actively Secure OT Extension", M. Keller, E. Orsini, P. Scholl, CRYPTO 2015

  2. Oblivious transfer - Definition
     Oblivious Transfer (OT) is a ubiquitous cryptographic primitive designed to transfer specific data based on the receiver's choice.
     Sender input: m_0, m_1. Receiver input: b ∈ {0,1}. Receiver output: m_b.
     No further information should be learned by any party.
     Relevant to this workshop: distribution of keys for GC, Threshold ECDSA, etc.

  3. Extending oblivious transfer - Motivation
     • Impagliazzo, Rudich [IR98]: black-box separation result → OT is impossible without public-key primitives (?)
     • Beaver [Beaver96]: OT can be extended

  4. OT-extension: 2003-2020
     - Y. Ishai, J. Kilian, K. Nissim, E. Petrank, "Extending oblivious transfers efficiently", CRYPTO 2003
     - G. Asharov, Y. Lindell, T. Schneider, M. Zohner, "More Efficient Oblivious Transfer and Extensions for Faster Secure Computation", ACM CCS 2013
     - V. Kolesnikov, R. Kumaresan, "Improved OT extension for transferring short secrets", CRYPTO 2013
     + J. B. Nielsen, P. S. Nordholt, C. Orlandi, S. S. Burra, "A new approach to practical active-secure two-party computation", CRYPTO 2012
     + G. Asharov, Y. Lindell, T. Schneider, M. Zohner, "More efficient oblivious transfer extensions with security for malicious adversaries", EUROCRYPT 2015
     + M. Keller, E. Orsini, P. Scholl, "Actively Secure OT Extension with Optimal Overhead", CRYPTO 2015
     + M. Orrù, E. Orsini, P. Scholl, "Actively Secure 1-out-of-N OT Extension with Application to Private Set Intersection", CT-RSA 2017
     x D. Masny, P. Rindal, "Endemic Oblivious Transfer", CCS 2019
     x C. Guo, J. Katz, X. Wang, Y. Yu, "Efficient and Secure Multiparty Computation from Fixed-Key Block Ciphers", IEEE S&P 2020
     * E. Boyle, G. Couteau, N. Gilboa, Y. Ishai, L. Kohl, P. Scholl, "Efficient Pseudorandom Correlation Generators: Silent OT Extension and More", CRYPTO 2019

  5. OT, Correlated OT and Random OT
     OT: Sender inputs m_0, m_1; Receiver inputs b and obtains m_b.
     COT: Sender inputs m_0, m_0 + ∆; Receiver inputs b and obtains m_b.
     Standard OT and COT functionality (Sender chosen message)
     ROT: Sender obtains m_0, m_1; Receiver inputs b and obtains m_b.
     COT: Sender obtains m_0, m_0 + ∆; Receiver inputs b and obtains m_b.
     OT and COT with uniform message security

  6. OT, Correlated OT and Random OT
     OT: Sender inputs m_0, m_1; Receiver inputs b and obtains m_b.
     COT: Sender inputs m_0, m_0 + ∆; Receiver inputs b and obtains m_b.
     Standard OT and COT functionality (Sender chosen message)
     ROT^-: Sender obtains m_0, m_1; Receiver inputs b and obtains m_b.
     COT^-: Sender obtains m_0, m_0 + ∆; Receiver inputs b and obtains m_b.
     Endemic security [MR19]


  8. IKNP OT-extension
     Sender input: m_{0,i}, m_{1,i} ∈ {0,1}^k for i ∈ [m], k ≪ m. Receiver input: (x_1, ..., x_m) ∈ {0,1}^m.
     1. m COT: Sender obtains q_i, ∆; Receiver obtains t_i, x, with t_i ∈ {0,1}^k and t_i = q_i + x_i·∆ for i ∈ [m].
     2. RO: Sender sends c_{0,i} = H(q_i, i) + m_{0,i} and c_{1,i} = H(q_i + ∆, i) + m_{1,i}; Receiver computes m_{x_i,i} = H(t_i, i) + c_{x_i,i}.

  9. IKNP OT extension - Security
     • Assuming that Phase 1 of the protocol is passively/actively secure, then
       – IKNP is passively/actively secure when H is a random oracle
       – For passive security it is enough for H to be a correlation robust hash function [IKNP03]
       – For active security H has to be a tweakable correlation robust hash function
     • To achieve active security we need:
       – Prove that Phase 1 is secure: 1. Achieve security against a malicious receiver
       – Secure instantiation of the building blocks


  11. Protecting against a malicious receiver - Attack
     The sender's values form an m × k matrix whose row i is q_i = t_i + x_i·∆, i.e. entry (i, j) is t_{i,j} + x_i·∆_j:
     q_1 = t_1 + x_1·∆ = (t_{1,1} + x_1·∆_1, ..., t_{1,k} + x_1·∆_k)
     q_2 = t_2 + x_2·∆ = (t_{2,1} + x_2·∆_1, ..., t_{2,k} + x_2·∆_k)
     q_3 = t_3 + x_3·∆ = (t_{3,1} + x_3·∆_1, ..., t_{3,k} + x_3·∆_k)
     ...
     q_m = t_m + x_m·∆ = (t_{m,1} + x_m·∆_1, ..., t_{m,k} + x_m·∆_k)

  12. Protecting against a malicious receiver - Attack
     A malicious receiver uses a different choice bit in each column, so the sender's rows become:
     q_1 = t_1 + (∆_1, 0, ..., 0) = (t_{1,1} + ∆_1, t_{1,2}, ..., t_{1,k})
     q_2 = t_2 + (0, ∆_2, 0, ..., 0) = (t_{2,1}, t_{2,2} + ∆_2, ..., t_{2,k})
     q_3 = t_3 + (0, 0, ∆_3, 0, ..., 0) = (t_{3,1}, t_{3,2}, t_{3,3} + ∆_3, ..., t_{3,k})
     ...
     q_m = t_m + (0, ..., 0, ∆_k) = (t_{m,1}, ..., t_{m,k} + ∆_k)
     • c_{0,1} = H(q_1, 1) + m_{0,1} = H(t_1 + (∆_1, 0, ..., 0), 1) + m_{0,1}, can extract ∆_1
     • Repeating the attack can recover the entire ∆ and hence all the messages

  13. Protecting against a malicious receiver - Consistency check
     Sender input: m_{0,i}, m_{1,i} ∈ {0,1}^k for i ∈ [m′], k ≪ m′. Receiver input: (x_1, ..., x_m) ∈ {0,1}^m and (x_{m+1}, ..., x_{m′}) ∈ {0,1}^{m′−m}, with m′ − m = k + s.
     1. m′ COT^-: Sender obtains q_i, ∆; Receiver obtains t_i, x, with t_i ∈ {0,1}^k and q_i + t_i = x_i·∆ for i ∈ [m′].
     2. Check: Receiver receives χ_1, ..., χ_{m′} ∈ F_{2^k} and sends t = Σ_i χ_i·t_i and x = Σ_i χ_i·x_i; Sender computes q = Σ_i χ_i·q_i and checks that t = q + x·∆.
     3. RO: Sender sends c_{0,i} = H(q_i, i) + m_{0,i} and c_{1,i} = H(q_i + ∆, i) + m_{1,i}; Receiver computes m_{x_i,i} = H(t_i, i) + c_{x_i,i}.
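As an added example (not code from the talk or its authors), the consistency check of slide 13 run against both an honest receiver and the column-inconsistent receiver of slide 12. It abstracts Phase 1 as a column-wise COT instead of implementing the base OTs, and assumes k = 128, s = 40, the polynomial x^128 + x^7 + x^2 + x + 1 as the modulus for F_{2^k}, and a deviation in column 5 of row 0; all function names are mine.

```python
import secrets

K = 128                                               # k: width of t_i, q_i, ∆ (slide 8: k << m)
POLY = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1   # assumed modulus defining F_{2^k}

def gf_mul(a, b):
    """Multiply two k-bit field elements; the slide-13 check lives in F_{2^k}."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> K:
            a ^= POLY
    return r

def cot_phase(delta, x_cols, m):
    """Phase 1 COT modelled column by column: x_cols[j] is the m-bit choice vector
    fed into base OT j (honest: the same x for every j; slide 12: varied per column)."""
    t = [secrets.randbits(K) for _ in range(m)]
    q = []
    for i in range(m):
        corr = 0
        for j in range(K):
            if (x_cols[j] >> i) & 1 and (delta >> j) & 1:
                corr |= 1 << j                        # q_{i,j} = t_{i,j} + x_{i,j}·∆_j
        q.append(t[i] ^ corr)
    return q, t

def consistency_check(delta, q, t, x, chi):
    """Slide 13: receiver sends t = Σ χ_i t_i, x = Σ χ_i x_i; sender accepts iff t = q + x·∆."""
    t_sum = q_sum = x_sum = 0
    for i, c in enumerate(chi):
        t_sum ^= gf_mul(c, t[i])
        q_sum ^= gf_mul(c, q[i])
        x_sum ^= c * ((x >> i) & 1)                   # χ_i·x_i with x_i ∈ {0,1}
    return t_sum == q_sum ^ gf_mul(x_sum, delta)

def run(cheat):
    """Honest receiver passes; the slide-12 receiver (row 0 deviates in column 5, ∆_5 = 1) fails except w.p. 2^-k."""
    m_prime = 8 + K + 40                              # m rows + k + s padding rows (s = 40 assumed)
    delta = secrets.randbits(K) | (1 << 5)
    x = secrets.randbits(m_prime)
    x_cols = [x] * K
    if cheat:
        x_cols[5] = x ^ 1
    q, t = cot_phase(delta, x_cols, m_prime)
    chi = [secrets.randbits(K) for _ in range(m_prime)]
    return consistency_check(delta, q, t, x, chi)
```

Calling `run(False)` returns True and `run(True)` returns False; a cheater who only deviates in a column j with ∆_j = 0 would pass, which is exactly the small leakage on ∆ that the k + s padding rows and the 2^-s bound account for.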

  14. Part II: Instantiating the Primitives; and Silent OT Extension

  15. Instantiating the Base OTs [Masny-Rindal 19]
     Some instantiations allow corrupt parties to bias random-OT outputs
     • (OT or OT^-) --OT-ext--> (COT^-, ROT^- or OT)
     • (OT or OT^-) --OT-ext--> ROT


  17. Instantiating the Base OTs [Masny-Rindal 19]
     Some instantiations allow corrupt parties to bias random-OT outputs
     • (OT or OT^-) --OT-ext--> (COT^-, ROT^- or OT)
     • (OT or OT^-) --OT-ext--> ROT
     Receiver input: x_1 ∈ {0,1}.
     1. COT: Sender obtains q, ∆; Receiver obtains t, x_1, with t ∈ {0,1}^k and q + t = x_1·∆.
     2. Check.
     3. RO: Sender computes m_0 = H(q, 1) and m_1 = H(q + ∆, 1); Receiver computes m_{x_1} = H(t, 1).

  18. Instantiating the Base OTs [Masny-Rindal 19]
     Some instantiations allow corrupt parties to bias random-OT outputs
     • (OT or OT^-) --OT-ext--> (COT^-, ROT^- or OT)
     • (OT or OT^-) --OT-ext--> ROT
     Receiver input: x_1 ∈ {0,1}; a corrupt Receiver picks t = 0 ∈ {0,1}^k and x_1 = 1.
     1. COT: Sender obtains q, ∆; Receiver has t = 0, x_1 = 1, so q = ∆.
     2. Check.
     3. RO: Sender computes m_0 = H(q, 1) and m_1 = H(0, 1); Receiver computes m_1 = H(0, 1).

  19. Instantiating the Base OTs [Masny-Rindal 19]
     Some instantiations allow corrupt parties to bias random-OT outputs
     • (OT or OT^-) --OT-ext--> (COT^-, ROT^- or OT)
     • (OT or OT^-) --OT-ext--> ROT
     • COT^- or ROT^- enough for OT and most applications
       – But not always: e.g. be careful with ROT^- and some PSI protocols
     • If true ROT needed, protocols can be modified: OT --OT-ext--> COT^- --coin--> ROT


  21. Instantiating the hash function H(x, i) [GKWY 20]
     Security requirement: form of correlation robustness

  22. Instantiating the hash function H(x, i) [GKWY 20]
     Security requirement: form of correlation robustness
     • SHA-256: straightforward, but slow
     • Fixed-key block cipher, e.g. AES
       – ≈ 10x faster
       – Incorporating index i: can be done with one extra AES call [GKWY20]

  23. Instantiating the hash function H(x, i) [GKWY 20]
     Security requirement: form of correlation robustness
     • SHA-256: straightforward, but slow
     • Fixed-key block cipher, e.g. AES
       – ≈ 10x faster
       – Incorporating index i: can be done with one extra AES call [GKWY20]
     • What if i is omitted?
       – Can lead to attack, depending on base OTs [MR19]
