A Framework for Efficient and Composable Oblivious...
Transcript of A Framework for Efficient and Composable Oblivious...
-
A Framework forEfficient and Composable
Oblivious Transfer
Chris Peikert1 Vinod Vaikuntanathan2 Brent Waters1
1SRI International
2MIT
CRYPTO 2008
1 / 10
-
Oblivious Transfer
[R81,EGL85,BCR86,C87,K88,CK88,C89,CS91,CGT95,DCP95,FMR96,BC97,. . . ]
“REAL”
“IDEAL”
S
m0, m1
R
mσ
σ
FOT
S R
mσ
m 0,m
1
σ
mσ
I ‘Complete’ for secure computation [Yao82,GMW87,Kil88]I Feasible: (enhanced) TDPs + zero knowledge [EGL85,GMW86]
2 / 10
-
Oblivious Transfer
[R81,EGL85,BCR86,C87,K88,CK88,C89,CS91,CGT95,DCP95,FMR96,BC97,. . . ]
“REAL” “IDEAL”
S
m0, m1
R
mσ
σ
FOT
S R
mσm 0,m
1
σ
mσ
I ‘Complete’ for secure computation [Yao82,GMW87,Kil88]I Feasible: (enhanced) TDPs + zero knowledge [EGL85,GMW86]
2 / 10
-
Oblivious Transfer
[R81,EGL85,BCR86,C87,K88,CK88,C89,CS91,CGT95,DCP95,FMR96,BC97,. . . ]
“REAL” “IDEAL”
∀ S∗
m0, m1
R
mσ
σ
FOT
∃ S
VIEW(S∗)
R
mσm 0,m
1
σ
mσ
I ‘Complete’ for secure computation [Yao82,GMW87,Kil88]I Feasible: (enhanced) TDPs + zero knowledge [EGL85,GMW86]
2 / 10
-
Oblivious Transfer
[R81,EGL85,BCR86,C87,K88,CK88,C89,CS91,CGT95,DCP95,FMR96,BC97,. . . ]
“REAL” “IDEAL”
S
m0, m1
∀ R∗
σ
FOT
S ∃ R
VIEW(R∗) mσm 0,m
1
σ
mσ
I ‘Complete’ for secure computation [Yao82,GMW87,Kil88]I Feasible: (enhanced) TDPs + zero knowledge [EGL85,GMW86]
2 / 10
-
Oblivious Transfer
[R81,EGL85,BCR86,C87,K88,CK88,C89,CS91,CGT95,DCP95,FMR96,BC97,. . . ]
“REAL” “IDEAL”
S
m0, m1
R
mσ
σ
FOT
S R
mσm 0,m
1
σ
mσ
I ‘Complete’ for secure computation [Yao82,GMW87,Kil88]
I Feasible: (enhanced) TDPs + zero knowledge [EGL85,GMW86]
2 / 10
-
Oblivious Transfer
[R81,EGL85,BCR86,C87,K88,CK88,C89,CS91,CGT95,DCP95,FMR96,BC97,. . . ]
“REAL” “IDEAL”
S
m0, m1
R
mσ
σ
FOT
S R
mσm 0,m
1
σ
mσ
I ‘Complete’ for secure computation [Yao82,GMW87,Kil88]I Feasible: (enhanced) TDPs + zero knowledge [EGL85,GMW86]
2 / 10
-
Prior Efficient ProtocolsI Two messages: [NP01,AIR01,Tau05,CS02]
– ‘half simulation’
I Full simulation: [Lin08] – blowup, extra roundsI ‘Adaptive selection:’ [CNS07,GH07] – bilinear, many rounds
Will it COMPOSE ?
UC framework [Can01]
Requires setup [CF01]
A
crs
R1
R2
S
Y
Z
π
ρ
COMPOSABILITY aids EFFICIENCY
I Stronger OT variants, specific assumptions, 4+ messages[JS07,GMY04,DN03,GH08]
3 / 10
-
Prior Efficient ProtocolsI Two messages: [NP01,AIR01,Tau05,CS02] – ‘half simulation’
I Full simulation: [Lin08]
– blowup, extra roundsI ‘Adaptive selection:’ [CNS07,GH07] – bilinear, many rounds
Will it COMPOSE ?
UC framework [Can01]
Requires setup [CF01]
A
crs
R1
R2
S
Y
Z
π
ρ
COMPOSABILITY aids EFFICIENCY
I Stronger OT variants, specific assumptions, 4+ messages[JS07,GMY04,DN03,GH08]
3 / 10
-
Prior Efficient ProtocolsI Two messages: [NP01,AIR01,Tau05,CS02] – ‘half simulation’I Full simulation: [Lin08]
– blowup, extra rounds
I ‘Adaptive selection:’ [CNS07,GH07] – bilinear, many rounds
Will it COMPOSE ?
UC framework [Can01]
Requires setup [CF01]
A
crs
R1
R2
S
Y
Z
π
ρ
COMPOSABILITY aids EFFICIENCY
I Stronger OT variants, specific assumptions, 4+ messages[JS07,GMY04,DN03,GH08]
3 / 10
-
Prior Efficient ProtocolsI Two messages: [NP01,AIR01,Tau05,CS02] – ‘half simulation’I Full simulation: [Lin08] – blowup, extra rounds
I ‘Adaptive selection:’ [CNS07,GH07] – bilinear, many rounds
Will it COMPOSE ?
UC framework [Can01]
Requires setup [CF01]
A
crs
R1
R2
S
Y
Z
π
ρ
COMPOSABILITY aids EFFICIENCY
I Stronger OT variants, specific assumptions, 4+ messages[JS07,GMY04,DN03,GH08]
3 / 10
-
Prior Efficient ProtocolsI Two messages: [NP01,AIR01,Tau05,CS02] – ‘half simulation’I Full simulation: [Lin08] – blowup, extra roundsI ‘Adaptive selection:’ [CNS07,GH07] – bilinear, many rounds
Will it COMPOSE ?
UC framework [Can01]
Requires setup [CF01]
A
crs
R1
R2
S
Y
Z
π
ρ
COMPOSABILITY aids EFFICIENCY
I Stronger OT variants, specific assumptions, 4+ messages[JS07,GMY04,DN03,GH08]
3 / 10
-
Prior Efficient ProtocolsI Two messages: [NP01,AIR01,Tau05,CS02] – ‘half simulation’I Full simulation: [Lin08] – blowup, extra roundsI ‘Adaptive selection:’ [CNS07,GH07] – bilinear, many rounds
Will it COMPOSE ?
UC framework [Can01]
Requires setup [CF01]
A
crs
R1
R2
S
Y
Z
π
ρ
COMPOSABILITY aids EFFICIENCY
I Stronger OT variants, specific assumptions, 4+ messages[JS07,GMY04,DN03,GH08]
3 / 10
-
Prior Efficient ProtocolsI Two messages: [NP01,AIR01,Tau05,CS02] – ‘half simulation’I Full simulation: [Lin08] – blowup, extra roundsI ‘Adaptive selection:’ [CNS07,GH07] – bilinear, many rounds
Will it COMPOSE ?
UC framework [Can01]
Requires setup [CF01]
A
crs
R1
R2
S
Y
Z
π
ρ
COMPOSABILITY aids EFFICIENCY
I Stronger OT variants, specific assumptions, 4+ messages[JS07,GMY04,DN03,GH08]
3 / 10
-
Prior Efficient ProtocolsI Two messages: [NP01,AIR01,Tau05,CS02] – ‘half simulation’I Full simulation: [Lin08] – blowup, extra roundsI ‘Adaptive selection:’ [CNS07,GH07] – bilinear, many rounds
Will it COMPOSE ?
UC framework [Can01]
Requires setup [CF01]
A
crs
R1
R2
S
Y
Z
π
ρ
COMPOSABILITY aids EFFICIENCY
I Stronger OT variants, specific assumptions, 4+ messages[JS07,GMY04,DN03,GH08]
3 / 10
-
Prior Efficient ProtocolsI Two messages: [NP01,AIR01,Tau05,CS02] – ‘half simulation’I Full simulation: [Lin08] – blowup, extra roundsI ‘Adaptive selection:’ [CNS07,GH07] – bilinear, many rounds
Will it COMPOSE ?
UC framework [Can01]
Requires setup [CF01]
A
crs
R1
R2
S
Y
Z
π
ρ
COMPOSABILITY aids EFFICIENCY
I Stronger OT variants, specific assumptions, 4+ messages[JS07,GMY04,DN03,GH08]
3 / 10
-
A New OT FrameworkMain Attractions
4 Round-optimal – two messages
4 Efficient – computation & bandwidth4 Universally composable – static corruption, CRS setup4 Realizable – DDH, QR, DCR, worst-case lattice assumptions
Bonus FeaturesI Unbounded CRS reuse (JUC framework [CR03])I Statistical security for either partyI Simple & symmetric proof
Conceptual ToolsI Messy public keys (‘message-lossy’) aka ‘meaningless’ [KN08]I New abstraction: Dual-mode cryptosystem
4 / 10
-
A New OT FrameworkMain Attractions
4 Round-optimal – two messages4 Efficient – computation & bandwidth
4 Universally composable – static corruption, CRS setup4 Realizable – DDH, QR, DCR, worst-case lattice assumptions
Bonus FeaturesI Unbounded CRS reuse (JUC framework [CR03])I Statistical security for either partyI Simple & symmetric proof
Conceptual ToolsI Messy public keys (‘message-lossy’) aka ‘meaningless’ [KN08]I New abstraction: Dual-mode cryptosystem
4 / 10
-
A New OT FrameworkMain Attractions
4 Round-optimal – two messages4 Efficient – computation & bandwidth4 Universally composable – static corruption, CRS setup
4 Realizable – DDH, QR, DCR, worst-case lattice assumptions
Bonus FeaturesI Unbounded CRS reuse (JUC framework [CR03])I Statistical security for either partyI Simple & symmetric proof
Conceptual ToolsI Messy public keys (‘message-lossy’) aka ‘meaningless’ [KN08]I New abstraction: Dual-mode cryptosystem
4 / 10
-
A New OT FrameworkMain Attractions
4 Round-optimal – two messages4 Efficient – computation & bandwidth4 Universally composable – static corruption, CRS setup4 Realizable – DDH, QR, DCR, worst-case lattice assumptions
Bonus FeaturesI Unbounded CRS reuse (JUC framework [CR03])I Statistical security for either partyI Simple & symmetric proof
Conceptual ToolsI Messy public keys (‘message-lossy’) aka ‘meaningless’ [KN08]I New abstraction: Dual-mode cryptosystem
4 / 10
-
A New OT FrameworkMain Attractions
4 Round-optimal – two messages4 Efficient – computation & bandwidth4 Universally composable – static corruption, CRS setup4 Realizable – DDH, QR, DCR, worst-case lattice assumptions
Bonus FeaturesI Unbounded CRS reuse (JUC framework [CR03])I Statistical security for either partyI Simple & symmetric proof
Conceptual ToolsI Messy public keys (‘message-lossy’) aka ‘meaningless’ [KN08]I New abstraction: Dual-mode cryptosystem
4 / 10
-
A New OT FrameworkMain Attractions
4 Round-optimal – two messages4 Efficient – computation & bandwidth4 Universally composable – static corruption, CRS setup4 Realizable – DDH, QR, DCR, worst-case lattice assumptions
Bonus FeaturesI Unbounded CRS reuse (JUC framework [CR03])I Statistical security for either partyI Simple & symmetric proof
Conceptual ToolsI Messy public keys (‘message-lossy’) aka ‘meaningless’ [KN08]I New abstraction: Dual-mode cryptosystem
4 / 10
-
Our Protocol
1011 · · ·
S(m0,m1) R(σ)
pk, sk← Gen(σ)pk0pk1
pkpk0pk1
pk
cb ← Enc(pkb, mb)
c0, c1
mσ ← Dec(sk, cσ)
Needed: Dual-mode cryptosystem
5 / 10
-
Our Protocol
1011 · · ·
S(m0,m1) R(σ)
pk, sk← Gen(σ)pk0pk1
pkpk0pk1
pk
cb ← Enc(pkb, mb)
c0, c1
mσ ← Dec(sk, cσ)
Needed: Dual-mode cryptosystem
5 / 10
-
Our Protocol
1011 · · ·
S(m0,m1) R(σ)
pk, sk← Gen(σ)pk0pk1
pkpk0pk1
pk
cb ← Enc(pkb, mb)
c0, c1
mσ ← Dec(sk, cσ)
Needed: Dual-mode cryptosystem
5 / 10
-
Our Protocol
1011 · · ·
S(m0,m1) R(σ)
pk, sk← Gen(σ)pk0pk1
pkpk0pk1
pk
cb ← Enc(pkb, mb)
c0, c1
mσ ← Dec(sk, cσ)
Needed: Dual-mode cryptosystem
5 / 10
-
Messy EncryptionDecryptable Public Keys
Enc(pk, m0)c≈ Enc(pk, m1)
I Decrypt with sk.
Messy Public Keys
Enc(pk, m0)s≈ Enc(pk, m1)
I Statistically secure! (Decryption impossible.)
Cryptosystems with Messy KeysI Cocks ID-based [Coc01]
I Lattice-based [AD97, Reg03, Reg05]
I ElGamal, Paillier variants [ElG84,Pai99]
6 / 10
-
Messy EncryptionDecryptable Public Keys
Enc(pk, m0)c≈ Enc(pk, m1)
I Decrypt with sk.
Messy Public Keys
Enc(pk, m0)s≈ Enc(pk, m1)
I Statistically secure! (Decryption impossible.)
Cryptosystems with Messy KeysI Cocks ID-based [Coc01]
I Lattice-based [AD97, Reg03, Reg05]
I ElGamal, Paillier variants [ElG84,Pai99]
6 / 10
-
Messy EncryptionDecryptable Public Keys
Enc(pk, m0)c≈ Enc(pk, m1)
I Decrypt with sk.
Messy Public Keys
Enc(pk, m0)s≈ Enc(pk, m1)
I Statistically secure! (Decryption impossible.)
Cryptosystems with Messy KeysI Cocks ID-based [Coc01]
I Lattice-based [AD97, Reg03, Reg05]
I ElGamal, Paillier variants [ElG84,Pai99]
6 / 10
-
Dual-Mode Cryptosystem
Setup{dec,mes} 3 mode (crs, trap)
crsc≈ crs
Genσ skσ, pkpkσpk1−σ
Encm
pkσ
Dec
skσ
m
TrapGen sk0, sk1, pk
trap
pk0pk1
FindMessypk∗
trap
pk∗µ
7 / 10
-
Dual-Mode Cryptosystem
Setup{dec,mes} 3 mode (crs, trap)
crsc≈ crs
Genσ skσ, pkpkσpk1−σ
Encm
pkσ
Dec
skσ
m
TrapGen sk0, sk1, pk
trap
pk0pk1
FindMessypk∗
trap
pk∗µ
7 / 10
-
Dual-Mode Cryptosystem
Setup{dec,mes} 3 mode (crs, trap)
crsc≈ crs
Genσ skσ, pkpkσpk1−σ
Encm
pkσ
Dec
skσ
m
TrapGen sk0, sk1, pk
trap
pk0pk1
FindMessypk∗
trap
pk∗µ
7 / 10
-
Dual-Mode Cryptosystem
Setup{dec,mes} 3 mode (crs, trap)
crsc≈ crs
Genσ skσ, pkpkσpk1−σ
Encm
pkσ
Dec
skσ
m
TrapGen sk0, sk1, pk
trap
pk0pk1
FindMessypk∗
trap
pk∗µ
7 / 10
-
Dual-Mode Cryptosystem
Setup{dec,mes} 3 mode (crs, trap)
crsc≈ crs
Genσ skσ, pkpkσpk1−σ
Encm
pkσ
Dec
skσ
m
TrapGen sk0, sk1, pk
trap
pk0pk1
FindMessypk∗
trap
pk∗µ
7 / 10
-
Dual-Mode Cryptosystem
Setup{dec,mes} 3 mode (crs, trap)
crsc≈ crs
Genσ skσ, pkpkσpk1−σ
Encm
pkσ
Dec
skσ
m
TrapGen sk0, sk1, pk
trap
pk0pk1
FindMessypk∗
trap
pk∗µ
7 / 10
-
Dual-Mode Cryptosystem
Setup{dec,mes} 3 mode (crs, trap)
crsc≈ crs
Genσ skσ, pkpkσpk1−σ
Encm
pkσ
Dec
skσ
m
TrapGen sk0, sk1, pk
trap
pk0pk1
FindMessypk∗
trap
pk∗µ
7 / 10
-
Security
Main TheoremDual-mode cryptosystem =⇒ 2-message UC-secure OT
Proof Outline
1 ∀ real S∗, ∃ ideal S (TrapGen)REAL(S∗, crs)
s≈ IDEAL(S)
2 ∀ real R∗, ∃ ideal R (FindMessy)REAL(R∗, crs)
s≈ IDEAL(R)
3 ∀ real P∗ ∈ {R∗, S∗}, (Setup)
REAL(P∗, crs)c≈ REAL(P∗, crs)
8 / 10
-
Security
Main TheoremDual-mode cryptosystem =⇒ 2-message UC-secure OT
Proof Outline1 ∀ real S∗, ∃ ideal S (TrapGen)
REAL(S∗, crs)s≈ IDEAL(S)
2 ∀ real R∗, ∃ ideal R (FindMessy)REAL(R∗, crs)
s≈ IDEAL(R)
3 ∀ real P∗ ∈ {R∗, S∗}, (Setup)
REAL(P∗, crs)c≈ REAL(P∗, crs)
8 / 10
-
Security
Main TheoremDual-mode cryptosystem =⇒ 2-message UC-secure OT
Proof Outline1 ∀ real S∗, ∃ ideal S (TrapGen)
REAL(S∗, crs)s≈ IDEAL(S)
2 ∀ real R∗, ∃ ideal R (FindMessy)REAL(R∗, crs)
s≈ IDEAL(R)
3 ∀ real P∗ ∈ {R∗, S∗}, (Setup)
REAL(P∗, crs)c≈ REAL(P∗, crs)
8 / 10
-
Security
Main TheoremDual-mode cryptosystem =⇒ 2-message UC-secure OT
Proof Outline1 ∀ real S∗, ∃ ideal S (TrapGen)
REAL(S∗, crs)s≈ IDEAL(S)
2 ∀ real R∗, ∃ ideal R (FindMessy)REAL(R∗, crs)
s≈ IDEAL(R)
3 ∀ real P∗ ∈ {R∗, S∗}, (Setup)
REAL(P∗, crs)c≈ REAL(P∗, crs)
8 / 10
-
Security
Main TheoremDual-mode cryptosystem =⇒ 2-message UC-secure OT
Proof Outline1 ∀ real S∗, ∃ ideal S (TrapGen)
REAL(S∗, crs)s≈ IDEAL(S)
2 ∀ real R∗, ∃ ideal R (FindMessy)REAL(R∗, crs)
s≈ IDEAL(R)
3 ∀ real P∗ ∈ {R∗, S∗}, (Setup)
REAL(P∗, crs)c≈ REAL(P∗, crs)
Security in decryption mode (cf. [GOS06]):
4 REAL(R∗, crs)c≈ REAL(R∗, crs)
s≈ IDEAL(R)
8 / 10
-
Security
Main TheoremDual-mode cryptosystem =⇒ 2-message UC-secure OT
Proof Outline1 ∀ real S∗, ∃ ideal S (TrapGen)
REAL(S∗, crs)s≈ IDEAL(S)
2 ∀ real R∗, ∃ ideal R (FindMessy)REAL(R∗, crs)
s≈ IDEAL(R)
3 ∀ real P∗ ∈ {R∗, S∗}, (Setup)
REAL(P∗, crs)c≈ REAL(P∗, crs)
Security in messy mode:
4 REAL(S∗, crs)c≈ REAL(S∗, crs)
s≈ IDEAL(S)
8 / 10
-
Quadratic Residuosity ConstructionCocks Encryption [Coc01]
I Global: N = pqI Decryptable keys: secret x ∈ ZN , public y = x2 ∈ QRN .I Messy public key: y 6∈ QRN
Our Construction
Decryption mode Messy mode
crs = (N, z ∈ QRN) crs = (N, z ∈ JN\QRN)trap =
√z trap = (p, q)
ZN 3 pk = yy0 = y · z0
y1 = y · z1
TrapGen: FindMessy:
sk0 =√
y, sk1 =√
y · √z y 6∈ QRN or y · z 6∈ QRN
9 / 10
-
Quadratic Residuosity ConstructionCocks Encryption [Coc01]
I Global: N = pqI Decryptable keys: secret x ∈ ZN , public y = x2 ∈ QRN .I Messy public key: y 6∈ QRN
Our Construction
Decryption mode Messy mode
crs = (N, z ∈ QRN) crs = (N, z ∈ JN\QRN)trap =
√z trap = (p, q)
ZN 3 pk = yy0 = y · z0
y1 = y · z1
TrapGen: FindMessy:
sk0 =√
y, sk1 =√
y · √z y 6∈ QRN or y · z 6∈ QRN
9 / 10
-
Quadratic Residuosity ConstructionCocks Encryption [Coc01]
I Global: N = pqI Decryptable keys: secret x ∈ ZN , public y = x2 ∈ QRN .I Messy public key: y 6∈ QRN
Our Construction
Decryption mode Messy mode
crs = (N, z ∈ QRN) crs = (N, z ∈ JN\QRN)trap =
√z trap = (p, q)
ZN 3 pk = yy0 = y · z0
y1 = y · z1
TrapGen: FindMessy:
sk0 =√
y, sk1 =√
y · √z y 6∈ QRN or y · z 6∈ QRN
9 / 10
-
Quadratic Residuosity ConstructionCocks Encryption [Coc01]
I Global: N = pqI Decryptable keys: secret x ∈ ZN , public y = x2 ∈ QRN .I Messy public key: y 6∈ QRN
Our Construction
Decryption mode Messy mode
crs = (N, z ∈ QRN) crs = (N, z ∈ JN\QRN)trap =
√z trap = (p, q)
ZN 3 pk = yy0 = y · z0
y1 = y · z1
TrapGen: FindMessy:
sk0 =√
y, sk1 =√
y · √z y 6∈ QRN or y · z 6∈ QRN9 / 10
-
Some Open Problems
1 Adaptive corruptions? (Progress: [GWZ])
2 Alternate setup? (GUC framework? [CDPW07])
3 String OT from QR, lattices? (Note: [BGH07] isn’t messy!)
FOTContinue
End1
END
10 / 10
-
Some Open Problems
1 Adaptive corruptions? (Progress: [GWZ])
2 Alternate setup? (GUC framework? [CDPW07])
3 String OT from QR, lattices? (Note: [BGH07] isn’t messy!)
FOTContinue
End1
END
10 / 10
-
Some Open Problems
1 Adaptive corruptions? (Progress: [GWZ])
2 Alternate setup? (GUC framework? [CDPW07])
3 String OT from QR, lattices? (Note: [BGH07] isn’t messy!)
FOTContinue
End1
END
10 / 10
-
Some Open Problems
1 Adaptive corruptions? (Progress: [GWZ])
2 Alternate setup? (GUC framework? [CDPW07])
3 String OT from QR, lattices? (Note: [BGH07] isn’t messy!)
FOTContinue
End1
END10 / 10