More Efficient Oblivious Transfer Extensions with Security for - - PowerPoint PPT Presentation

more efficient oblivious transfer extensions with
SMART_READER_LITE
LIVE PREVIEW

More Efficient Oblivious Transfer Extensions with Security for - - PowerPoint PPT Presentation

Apr 21, 2023 123 likes •501 views

More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries Gilad Asharov Hebrew University Yehuda Lindell Bar-Ilan University Thomas Schneider Darmstadt Michael Zohner Darmstadt EUROCRYPT 2015 From Theory to

slide-1
SLIDE 1

More Efficient 
 Oblivious Transfer Extensions with Security for Malicious Adversaries

Gilad Asharov Hebrew University Yehuda Lindell Bar-Ilan University Thomas Schneider Darmstadt Michael Zohner Darmstadt

EUROCRYPT 2015

slide-2
SLIDE 2

From Theory to Practice

Secure computation becomes practical!


[MNPS04,LP07,LPS08,PSSW09,KSS12,FN13,SS13,LR14,HKK+14, FJN14,NNOB12,LOS14,DZ13,DLT14,DCW13,JKO13]

[Yao82,Yao86,GMW87,BGW88,CCD88,RB89,…]

slide-3
SLIDE 3

1-out-of-2 Oblivious Transfer

  • INPUT: Sender holds two strings (x0,x1), Receiver holds r
  • OUTPUT: Sender learns nothing, Receiver learns xr,

Receiver Sender

slide-4
SLIDE 4
  • OT is a basic ingredient in (almost) all protocols for

secure computation

  • Protocols based on Garbled Circuits (Yao):


1 OT per input


[LP07,LPS08,PSSW09,KSS12,FN13,SS13,LR14,HKK+14,FJN14]

  • Protocols based on GMW: 


1+ OT per AND-gate
 TinyOT [NNOB12,LOS14] MiniMac protocols [DZ13,DLT14]

Oblivious Transfer and Secure Computation

slide-5
SLIDE 5

How Many OT’s?

  • The AES circuit: Uses 219 OTs 


(when evaluated with TinyOT)

  • The PSI circuit: (for b=32,n=216) Uses 230 OTs 


(when evaluated with TinyOT)

  • Using [PeikertVaikuntanathanWaters08]: 350 OTs per second
  • 1M (220) OTs > 45 minutes(!)
  • 1G (230) OTs > 45000 minutes > 1 month…
  • [ChouOrlandi15] - 10000 OTs per second (?)
slide-6
SLIDE 6

Many OTs

OT Extensions

+

(cheap) private-key crypto

Small amount of base OTs

(security parameter)

slide-7
SLIDE 7

OT Extension and Related Work

  • Introduced in [Beaver96]
  • Ishai, Kilian, Nissim, Petrank [IKNP03]


“Extending Oblivious Transfer Efficiently”

  • Optimizations semi-honest: [KK13, ALSZ13]
  • Optimizations malicious:

[Lar14,NNOB12,HIKN08,Nie07]

slide-8
SLIDE 8

This Work

  • Efficient protocol for OT extension, malicious

adversary, based on IKNP

  • It outperforms all previous constructions
  • Optimizations, implementation
  • This Talk:
  • IKNP protocol
  • Our protocol, its security
  • (Implementation) and performance
slide-9
SLIDE 9

Extending OT Efficiently1 


[IKNP03]

1Semi-honest

slide-10
SLIDE 10

IKNP - Idea

m Many 
 OTs expensive

slide-11
SLIDE 11

IKNP - Idea

Few OTs of long strings

k m m Many 
 OTs

slide-12
SLIDE 12

IKNP - Implementation

Few Short
 OTs


k k m Many 
 OTs m long 
 messages

+

k

slide-13
SLIDE 13

In Practice [ALSZ,CCS13]

Few Short
 OTs


k k

+

long 
 messages Many 
 OTs m

Implementation: see SCAPI
 https://github.com/cryptobiu/scapi

slide-14
SLIDE 14

ui = G(ki

0)⊕G(ki 1)⊕ r

IKNP

{x j

0,x j 1} j=1 m

r = (r

1,...,r m)

u1,...,uℓ

T

Q

*

yj

0,yj 1

yj

0 = x j 0 ⊕ H(q j)

yj

1 = x j 1 ⊕ H(q j ⊕ s)

*

Base OTs

{ki

0,ki 1}i=1 ℓ

s = (s1,...,sℓ)

k1

s1,...,kℓ sℓ

slide-15
SLIDE 15
  • The protocol is already secure with respect to

malicious Sender

  • The Receiver sends many messages of the same form
  • Security against malicious Receiver: we must

guarantee that it uses the same value r in these messages

When Moving to Malicious

ui = G(ki

0)⊕G(ki 1)⊕ r

u1,...,uℓ

slide-16
SLIDE 16

The Protocol

{x j

0,x j 1} j=1 m

r = (r

1,...,r m)

Base OTs

T

ui = G(ki

0)⊕G(ki 1)⊕ r

u1,...,uℓ

Q

yj

0,yj 1

yj

0 = x j 0 ⊕ H(q j)

yj

1 = x j 1 ⊕ H(q j ⊕ s)

Consistency Check of r

slide-17
SLIDE 17

The Consistency Checks

slide-18
SLIDE 18

Consistency Check

ui = G(ki

0)⊕G(ki 1)⊕ r

u j = G(k j

0)⊕G(k j 1)⊕ r

slide-19
SLIDE 19

Consistency Check

ui ⊕ u j = ti

0 ⊕ ti 1 ⊕ t j 0 ⊕ t j 1

ui = ti

0 ⊕ ti 1 ⊕ r

u j = t j

0 ⊕ t j 1 ⊕ r

ui ⊕ u j ⊕ ti

si ⊕ t j sj ? = ti 1−si ⊕ t j 1−sj

H(ui ⊕ u j ⊕ ti

si ⊕ t j sj ) ? = H(ti 1−si ⊕ t j 1−sj )

ui = G(ki

0)⊕G(ki 1)⊕ r

u j = G(k j

0)⊕G(k j 1)⊕ r

slide-20
SLIDE 20

hi, j

1−si,1−sj ? = H(ui ⊕ u j ⊕ ti si ⊕ t j sj )

hi, j

si,sj ? = H(ti si ⊕ t j sj )

Alice checks that every pair (i,j):

Consistency Check

hi, j

0,0 = H(ti 0 ⊕ t j 0)

hi, j

0,1 = H(ti 0 ⊕ t j 1)

hi, j

1,0 = H(ti 1 ⊕ t j 0)

hi, j

1,1 = H(ti 1 ⊕ t j 1)

For every pair (i,j)

u1,...,uℓ {hi, j

0,0,hi, j 0,1,hi, j 1,0,hi, j 1,1}i, j

slide-21
SLIDE 21

Does it work?

  • Our check is not sound:
  • The adversary can still send ui, uj, with ri ≠ rj
  • But, it takes a risk…
  • Effectively, in order to pass the verification of (i,j)

it has to guess either si or sj

  • Our check guarantees the following:


If the adversary tries to cheat with ui, uj
 it gets caught with probability 1/2!

slide-22
SLIDE 22
  • But wait… you have amount of checks


Do we really need this huge amount of checks?

Consistency Check

  • Receiver cannot cheat in many messages
  • with each cheat - one bit of s is leaked
  • s is the “secret key” of the sender
  • Solution - increase the size of s

k k

ρ

ℓ2

slide-23
SLIDE 23

How many checks do we really need?

r1 r12 r2 r3 r4 r5 r6 r7 r8 r9 r10 r11

slide-24
SLIDE 24

How many checks do we really need?

r1 r12 r2 r3 r4 r5 r6 r7 r8 r9 r10 r11

slide-25
SLIDE 25

How many checks do we really need?

r r r r r r r7 r r r10 r r3

slide-26
SLIDE 26

How many checks do we really need?

r r r r r r r7 r r r10 r r3

slide-27
SLIDE 27

r r r r r r r7 r r r10 r r3

The needed property:
 For any “large enough" set of bad vertices 
 (> p=40 ), there exists p-matching with the good vertices

slide-28
SLIDE 28

How many checks do we really need?

r1 r12 r2 r3 r4 r5 r6 r7 r8 r9 r10 r11

slide-29
SLIDE 29

How many checks do we really need?

r1 r r2 r r4 r r r r r r r

slide-30
SLIDE 30

How many checks do we really need?

r1 r r2 r r4 r r r r r r r

slide-31
SLIDE 31

How Many Checks?

  • We show that random d-regular graph satisfies the above

(for appropriate set of parameters)

  • For k=128, p=40
  • 168 base OTs, complete graph: 14028
  • 190 base OTs, d=2, checks: 380
  • 177 base OTs, d=3, checks: 531
  • Covert: (168 base OTs) probability 1/2, just random 7

checks! The needed property:
 For any “large enough" set of bad vertices 
 (> p=40 ), there exists p-matching with the good vertices

slide-32
SLIDE 32

Instantiation of H

  • [IKNP] assumes that H is Correlation-Robust
  • Sometimes, in order to gain more efficiency,

protocols need some stronger properties of H, and so it is assumed to be a Random-Oracle

  • Correlation-robustness is much more plausible

assumption than random-oracle

  • We have some leakage of s, and so H is assumed

to be Min-Entropy Correlation Robustness

slide-33
SLIDE 33

Performance

slide-34
SLIDE 34

Empirical Evaluation

  • Benchmark: 223=8M OTs
  • Local scenario (LAN): 


Two servers in the same room


(network with low latency and high bandwidth)


12 sec (190 base OTs, 380 checks)

  • Cloud scenario (WAN): 


Two servers in different continents


(network with high latency and low bandwidth)


64 sec (174 base OTs, 696 checks)

slide-35
SLIDE 35

Comparison - LAN Setting

slide-36
SLIDE 36

Comparison - WAN setting

slide-37
SLIDE 37

Conclusions

  • More efficient OT extension - more efficient

protocols for MPC

  • Optimized OT extension protocol, malicious

adversary

  • Combination of theory and practice

Thank You!