The Simplest Protocol for Oblivious Transfer Tung Chou Technische - - PowerPoint PPT Presentation

The Simplest Protocol for Oblivious Transfer

Tung Chou

Technische Universiteit Eindhoven, The Netherlands

August 24, 2015 Latincrypt 2015, Guadalajara, Mexico Joint work with Claudio Orlandi

2

1

• OTs

Sender Receiver

2

1

• OTs

Sender Receiver OT m0, m1 b mb

1

2

1

• OTs

Sender Receiver OT m0, m1 b mb The Receiver should learn only mb The Sender should learn nothing

1

n

1

• OTs

OT Sender Receiver m0, . . . , mn−1 b mb The Receiver should learn only mb The Sender should learn nothing

2

Secure Multiparty Computation

MPC A B X Y f (X, Y ) f (X, Y ) The parties should learn no more than f (X, Y )

3

Secure Multiparty Computation

MPC A B X Y f (X, Y ) f (X, Y ) The parties should learn no more than f (X, Y )

“OT is complete for secure multiparty computation.”

3

OT Extension

PK

OT Extension

PK SK PK → +

4

OT Extension

PK SK PK → +

• Similar to hybrid encryption
• Still we need base OTs

4

Diffie-Hellman

random x random y xB yB x(yB) = xyB y(xB) = xyB

5

Random-OT

Sender Receiver R-OT k0, . . . , kn−1 b kb The Receiver should learn only kb The Sender gets all ki but nothing about b

6

Our Random-OT construction

random x random y S = xB R = yB + bS ki ← H (x(R − iS)) , ∀i k ← H (yS = xyB)

7

Our Random-OT construction

random x random y S = xB R = yB + bS ki ← H (x(R − iS)) , ∀i k ← H (yS = xyB)

• R uniformly random: privacy for Receiver

7

Our Random-OT construction

random x random y S = xB R = yB + bS ki ← H (x(R − iS)) , ∀i k ← H (yS = xyB)

• R uniformly random: privacy for Receiver
• Square DH: privacy for Sender

7

Our Random-OT construction

random x random y S = xB R = yB + bS ki ← H (x(R − iS)) , ∀i k ← H (yS = xyB)

• R uniformly random: privacy for Receiver
• Square DH: privacy for Sender
• Sender precomputes T = xS

7

Our Random-OT construction

random x random y S = xB R = yB + bS ki ← H (x(R − iS)) , ∀i k ← H (yS = xyB)

• R uniformly random: privacy for Receiver
• Square DH: privacy for Sender
• Sender precomputes T = xS
• H is modeled as RO

7

Our Real-OT Construction

random OT ci = Eki(mi), ∀i mb = Dk(cb)

8

Our Real-OT Construction

random OT ci = Eki(mi), ∀i mb = Dk(cb)

• Encryption scheme:

Ek(m) = k ⊕ (m|0λ)

8

Our Real-OT Construction

random OT ci = Eki(mi), ∀i mb = Dk(cb)

• Encryption scheme:

Ek(m) = k ⊕ (m|0λ) Dk(c = (m′|t) ⊕ k) =

• m′

if t = 0λ FAIL

• therwise

8

The Naor-Pinkas OT

• #exponentiations: n vs. 2 offline (3 online)

9

The Naor-Pinkas OT

• #exponentiations: n vs. 2 offline (3 online)

Rb=0 Rb=1 Rb=2 Rb=3 s1 s2 s3

The Naor-Pinkas OT

• #exponentiations: n vs. 2 offline (3 online)

Rb=0 Rb=1 Rb=2 Rb=3 s1 s2 s3 Rb=3 Rb=2 Rb=1 Rb=0 s s s

9

The Naor-Pinkas OT

• #exponentiations: n vs. 2 offline (3 online)

Rb=0 Rb=1 Rb=2 Rb=3 s1 s2 s3 Rb=3 Rb=2 Rb=1 Rb=0 s s s

• Game-based proof vs. simulation-based proof (UC)

9

The Encryption Scheme

E, D needs to satisfy

• Robustness: Given a set of random keys, it is hard for A to generate

a ciphertext that can be decrypted with more than one key.

• Non-committing: it is possible for a simulator to come up with a

ciphertext which can later be explained as an encryption of any message

10

Base-OT Implementation

• [ALSZ13]: based on MIRACL, used in the SCAPI library

11

Base-OT Implementation

• [ALSZ13]: based on MIRACL, used in the SCAPI library

Our work [ALSZ13] Curve Curve25519 NIST K-283 Constant-time Yes No Million Cycles/OT 0.23 2.47

11

Base-OT Implementation

• [ALSZ13]: based on MIRACL, used in the SCAPI library

Our work [ALSZ13] Curve Curve25519 NIST K-283 Constant-time Yes No Million Cycles/OT 0.23 2.47

• code available at orlandi.dk/simpleOT

11