Verifiable Homomorphic Oblivious Transfer and Private Equality Test (PowerPoint PPT Presentation)

SLIDE 1

Verifiable Homomorphic Oblivious Transfer and Private Equality Test

Helger Lipmaa

Helsinki University of Technology

http://www.tcs.hut.fi/~helger

Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 1

SLIDE 2

Overview of This Talk

  • What are Oblivious Transfer and Private Equality Test?
  • Building Block: Affine Cryptosystems
  • New (Verifiable) Homomorphic Oblivious Transfer protocols
  • New (Verifiable) Homomorphic Private Equality Tests
  • Application: Proxy Verifiable HPET and Auctions

SLIDE 4

1-out-of-n Oblivious Transfer
  • Sender has private input, database µ = (µ1, . . . , µn)
  • Chooser has private input, index σ ∈ [1, n]
  • Chooser and Sender participate in the two-party protocol
  • Chooser has private output µσ
  • Nothing more will be leaked. If σ ∉ [1, n], chooser gets garbage
  • Numerous applications in cryptography

SLIDE 5

Verifiable 1-out-of-n Oblivious Transfer
  • Sender has private input, database µ = (µ1, . . . , µn)
  • Chooser has private input, index σ ∈ [1, n]
  • Chooser and Sender participate in the two-party protocol
  • Chooser has private output µσ and commitments to µi for i ∈ [1, n]
  • Nothing more will be leaked
  • Numerous applications in cryptography

SLIDE 6

Verifiable 1-out-of-n Oblivious Transfer
  • Sender has private input, database µ = (µ1, . . . , µn)
  • Chooser has private input, index σ ∈ [1, n]
  • Chooser and Sender participate in the two-party protocol
  • Chooser has private output µσ and commitments to µi for i ∈ [1, n]
  • Nothing more will be leaked. If σ ∉ [1, n], chooser gets garbage
  • Numerous applications in cryptography

SLIDE 7

Private Equality Test

  • Sender has private input, WSen
  • Chooser has private input, WCho
  • Chooser and Sender participate in the two-party protocol
  • Chooser has private output [WSen = WCho] (one bit)
  • Nothing more will be leaked.

SLIDE 8

Verifiable Private Equality Test

  • Sender has private input, WSen
  • Chooser has private input, WCho
  • Chooser and Sender participate in the two-party protocol
  • Chooser has private output [WSen = WCho] (one bit) and a commitment to WSen

  • Nothing more will be leaked

SLIDE 9

Overview of This Talk

  • What are Oblivious Transfer and Private Equality Test?
  • Building Block: Affine Cryptosystems
  • New (Verifiable) Homomorphic Oblivious Transfer protocols
  • New (Verifiable) Homomorphic Private Equality Tests
  • Application: Proxy Verifiable HPET and Auctions

SLIDE 10

Affine Cryptosystems, 1/4

  • A public-key cryptosystem is a triple Π = (GΠ, E, D) of key generation, encryption and decryption algorithms

  • Denote the plaintext space by MΠ(x), where x is the private key
  • RΠ(x) is the randomness space and CΠ(x) is the ciphertext space
  • Π is homomorphic:

EK(m1; r1)EK(m2; r2) = EK(m1 + m2; r1 ◦ r2)

SLIDE 11

Affine Cryptosystems, 2/4

  • For two random variables (distributions) X and Y over discrete support U, define their statistical difference as

∆(X || Y) := max_{S⊆U} | Pr[X ∈ S] − Pr[Y ∈ S] | .

  • Π is ε-affine if there exist two PPT algorithms (S, T), s.t. for any pair of private and public keys (x, K),

max_{a,b∈MΠ(x), a≠0} ∆( S(1^k, K)·a + b || T(1^k, K) ) ≤ ε_k .

SLIDE 12

Affine Cryptosystems, 3/4

  • Π is perfectly affine if it is 0-affine and statistically affine if it is (1/2 − ε)-affine.
  • Π is computationally affine if it is affine w.r.t. any a, b that can be efficiently generated

SLIDE 13

Affine Cryptosystems, 4/4

  • Π is perfectly affine if MΠ(x) is a cyclic group of known order
  • Π is computationally affine if MΠ(x) is a cyclic group, where it is hard for the decrypter to factor |MΠ(x)|
  • If the decrypter can factor |MΠ(x)| then Π is not affine!
  • Perfectly affine: ElGamal
  • Computationally affine:

⋆ Damgård-Jurik [DJ03], Bresson-Catalano-Pointcheval

SLIDE 14

Overview of This Talk

  • What are Oblivious Transfer and Private Equality Test?
  • Building Block: Affine Cryptosystems
  • New (Verifiable) Homomorphic Oblivious Transfer protocols
  • New (Verifiable) Homomorphic Private Equality Tests
  • Application: Proxy Verifiable HPET and Auctions

SLIDE 15

Aiello-Ishai-Reingold OT Protocol AIR

Assume that Π = (GΠ, E, D; S, T) is a perfectly affine homomorphic cryptosystem

Chooser                                        Sender

(x, K) ← GΠ(1^k), r ←R RΠ(x)
c ← EK(σ; r)
                   ── (K, c) ──>
                                               For i ∈ [1, n] do
                                                 si ←R Z|MΠ(x)|, ri ←R RΠ(x)
                                                 ci ← EK(µi + si(i − σ); r^si ◦ ri)
                   <── (c1, . . . , cn) ──
µσ ← DK(cσ)

SLIDE 16

The New Homomorphic OT Protocol HOT

Assume that Π = (GΠ, E, D; S, T) is an affine homomorphic cryptosystem

Chooser                                        Sender

(x, K) ← GΠ(1^k), r ←R RΠ(x)
c ← EK(σ; r)
                   ── (K, c) ──>
                                               For i ∈ [1, n] do
                                                 si ←R Z|MΠ(x)|, ri ←R RΠ(x)
                                                 ci ← EK(µi + si(i − σ); r^si ◦ ri)
                   <── (c1, . . . , cn) ──
µσ ← DK(cσ)

SLIDE 17

Comparison

  • When Π is perfectly affine, HOT=AIR: perfect sender-privacy
  • When Π is computationally affine: computational sender-privacy

⋆ AIR was not defined for composite |MΠ(x)|

  • If Π is not affine, sender-privacy can be trivially broken

SLIDE 18

Weak sender-privacy

  • There are many homomorphic cryptosystems that are not affine
  • It would be nice to extend HOT to such PKCs
  • Idea: weaken the security requirement

SLIDE 19

1-out-of-n Oblivious Transfer: Weak Security

  • Sender has private input, database µ = (µ1, . . . , µn). Chooser has private input, index σ ∈ [1, n]

  • Chooser has private output µσ
  • Nothing more will be leaked
  • If σ ∉ [1, n], chooser gets some information about one element µi, i ∈ [1, n]

  • Sufficient in many applications (e.g., pay per view)

SLIDE 20

Weak Sender-Privacy of HOT

  • Theorem. HOT is weakly sender-private if the smallest prime divisor of |MΠ(x)| is ≥ n.

  Π                   Security         Weak security
  ElGamal             Perfect          Perfect
  DJ03                Computational    Perfect
  DJ01                —                Perfect
  Paillier            —                Perfect
  Naccache-Stern      —                Perfect (possibly)
  Okamoto-Uchiyama    —                Perfect (possibly)

SLIDE 22

Verifiable Homomorphic OT Protocol VHOT

Assume that Π = (GΠ, E, D; S, T) is an affine homomorphic cryptosystem, Γ = (GΓ, C) is a homomorphic commitment scheme, tr : MΠ(x) → RΓ(x̃) and retrieve : C_K̃(m; 1) → m

Chooser                                              Sender

(x, K) ← GΠ(1^k), (x̃, K̃) ← GΓ(1^k)
r ←R RΠ(x)
c ← EK(σ; r)
                      ── (K, K̃, c) ──>
                                                     For i ∈ [1, n] do
                                                       mi ← T(1^k, K), si ← S(1^k, K), ri ←R RΠ(x)
                                                       ci ← C_K̃(µi; tr(mi))
                                                       vi ← EK(mi + si(i − σ); r^si ◦ ri)
                      <── (c1, v1, . . . , cn, vn) ──
µσ ← retrieve(cσ · C_K̃(0; tr(DK(vσ))^−1))

SLIDE 23

Security of the VHOT protocol

  • Perfectly sender-private when Γ is perfectly hiding, tr is an injection, |MΠ| = |RΓ| is a prime
  • Statistically sender-private when Γ is statistically hiding, |MΠ| ≈ |RΓ|, . . .
  • Perfect privacy: Π is ElGamal and Γ is Pedersen (with the same plaintext group). Drawback: retrieve : g^m → m involves computation of a discrete logarithm (ok if m is known to be small)
  • Statistical privacy: Π is ElGamal and Γ is CGHN [CGHN01], then retrieve is an efficient function

SLIDE 24

VHOT: Comparison with Previous Work

  • The only previous two-round verifiable 1-out-of-n OT was by Ambainis, Jakobsson and Lipmaa [AJL04]
  • AJL was statistically private and retrieve was inefficient
  • VHOT with suitable Π and Γ is either perfectly private or has efficient retrieve

SLIDE 25

Homomorphic PET

Chooser                                        Sender

(x, K) ← GΠ(1^k), r ←R RΠ(x)
c ← EK(WCho·g; r)
                   ── (K, c) ──>
                                               s ← S(1^k, K), r′ ←R RΠ(x)
                                               c′ ← EK(s(WSen − WCho)·g; r^s ◦ r′)
                   <── c′ ──
WCho = WSen iff DK(c′) = 0
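As an added example (not code from the talk or the paper), the HOT protocol of slide 16 and the homomorphic PET of slide 25 instantiated over a toy Paillier cryptosystem, whose plaintext group Z_n has composite order and therefore, per the table above, gives only weak sender-privacy. The primes 1009 and 1013, the database and the nonzero choice of s in the PET are assumptions of this example; the primes exceed the database size so that, as the theorem on slide 20 requires, i − σ is a unit mod n and every unchosen row is uniformly blinded.

```python
import math
import secrets

# Paillier: additively homomorphic, plaintext group Z_n of composite order n = p*q.
def paillier_keygen(p, q):
    """Toy key generation from two given primes (real keys need ~1024-bit p and q)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    return (n, n + 1), (n, lam, pow(lam, -1, n))       # pk = (n, g), sk = (n, lam, mu)

def enc(pk, m, r=None):
    n, g = pk
    while r is None or math.gcd(r, n) != 1:            # r must be a unit mod n
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m % n, n * n) * pow(r, n, n * n) % (n * n)

def dec(sk, c):
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n      # L(c^lam) * mu mod n

# HOT (slide 16): chooser sends E(sigma); sender works on it homomorphically, never seeing sigma.
def hot_query(pk, sigma):
    return enc(pk, sigma)                              # also the PET query, with sigma = W_Cho

def hot_reply(pk, c, db, rng=secrets.randbelow):
    """Row i: E(mu_i + s_i*i) * c^(-s_i) = E(mu_i + s_i*(i - sigma)); blinded unless i == sigma."""
    n, _ = pk
    nn = n * n
    replies = []
    for i, mu_i in enumerate(db, start=1):
        s_i = rng(n)                                   # s_i <- Z_n, fresh per row
        replies.append(enc(pk, mu_i + s_i * i) * pow(pow(c, s_i, nn), -1, nn) % nn)
    return replies

def hot_open(sk, replies, sigma):
    return dec(sk, replies[sigma - 1])                 # other rows decrypt to mu_i + s_i*(i - sigma)

# HPET (slide 25): c' = (E(W_Sen) * c^-1)^s * E(0) = E(s*(W_Sen - W_Cho)); zero iff equal.
def pet_reply(pk, c, w_sen, rng=secrets.randbelow):
    n, _ = pk
    nn = n * n
    s = rng(n - 1) + 1                                 # s != 0 is our choice for S; s = 0 would give E(0) for any inputs
    diff = enc(pk, w_sen) * pow(c, -1, nn) % nn
    return pow(diff, s, nn) * enc(pk, 0) % nn          # the E(0) factor re-randomises c'

def pet_open(sk, c_prime):
    return dec(sk, c_prime) == 0                       # the single output bit [W_Sen = W_Cho]
```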

SLIDE 26

Homomorphic PET: Discussion

  • Sender/chooser-private under the same settings as the HOT protocol
  • Can be made verifiable

SLIDE 27

Proxy verifiable HPET and Application

  • Proxy setting: P acts as an intermediate proxy between the chooser and several senders. Importantly, P will not get to know whether WCho = WSen_i without the help of Cho
  • Application in the auctions [LAN02] where the bidders had to prove in ZK that their bid was/wasn't equal to the highest bid: with proxy verifiable HPET, they can do it before they or the auctioneer gets to know the highest bid
  • Therefore, a bidder or the auctioneer cannot discontinue the payment enforcement procedure when the results are not to his or her liking

SLIDE 28

Conclusions

  • HOT: extension of the AIR OT protocol to a wider variety of settings
  • Definition of affine cryptosystems
  • Weak security for OT protocols: sufficient in many applications
  • New efficient verifiable OT protocol
  • 2-round PET protocol, and its verifiable variant
  • Proxy verifiable PET protocol, and an application

SLIDE 29

Questions?
