A Framework for Efficient and Composable Oblivious...

Transcript of A Framework for Efficient and Composable Oblivious...

A Framework forEfficient and Composable

Oblivious Transfer

Chris Peikert1 Vinod Vaikuntanathan2 Brent Waters1

1SRI International

2MIT

CRYPTO 2008

1 / 10
Oblivious Transfer

[R81,EGL85,BCR86,C87,K88,CK88,C89,CS91,CGT95,DCP95,FMR96,BC97,. . . ]

“REAL”

“IDEAL”

S

m0, m1

R

mσ

σ

FOT

S R

mσ

m 0,m

1

σ

mσ

I ‘Complete’ for secure computation [Yao82,GMW87,Kil88]I Feasible: (enhanced) TDPs + zero knowledge [EGL85,GMW86]

2 / 10
Oblivious Transfer


“REAL” “IDEAL”

S

m0, m1

R

mσ

σ

FOT

S R

mσm 0,m

1

σ

mσ


2 / 10
Oblivious Transfer



∀ S∗

m0, m1

R

mσ

σ

FOT

∃ S

VIEW(S∗)

R

mσm 0,m

1

σ

mσ


2 / 10
Oblivious Transfer



S

m0, m1

∀ R∗

σ

FOT

S ∃ R

VIEW(R∗) mσm 0,m

1

σ

mσ


2 / 10
Oblivious Transfer



S

m0, m1

R

mσ

σ

FOT

S R

mσm 0,m

1

σ

mσ

I ‘Complete’ for secure computation [Yao82,GMW87,Kil88]

I Feasible: (enhanced) TDPs + zero knowledge [EGL85,GMW86]

2 / 10
Oblivious Transfer



S

m0, m1

R

mσ

σ

FOT

S R

mσm 0,m

1

σ

mσ


2 / 10
Prior Efficient ProtocolsI Two messages: [NP01,AIR01,Tau05,CS02]

– ‘half simulation’

I Full simulation: [Lin08] – blowup, extra roundsI ‘Adaptive selection:’ [CNS07,GH07] – bilinear, many rounds

Will it COMPOSE ?

UC framework [Can01]

Requires setup [CF01]

A

crs

R1

R2

S

Y

Z

π

ρ

COMPOSABILITY aids EFFICIENCY

I Stronger OT variants, specific assumptions, 4+ messages[JS07,GMY04,DN03,GH08]

3 / 10
Prior Efficient ProtocolsI Two messages: [NP01,AIR01,Tau05,CS02] – ‘half simulation’

I Full simulation: [Lin08]

– blowup, extra roundsI ‘Adaptive selection:’ [CNS07,GH07] – bilinear, many rounds

Will it COMPOSE ?



A

crs

R1

R2

S

Y

Z

π

ρ



3 / 10
Prior Efficient ProtocolsI Two messages: [NP01,AIR01,Tau05,CS02] – ‘half simulation’I Full simulation: [Lin08]

– blowup, extra rounds

I ‘Adaptive selection:’ [CNS07,GH07] – bilinear, many rounds

Will it COMPOSE ?



A

crs

R1

R2

S

Y

Z

π

ρ



3 / 10
Prior Efficient ProtocolsI Two messages: [NP01,AIR01,Tau05,CS02] – ‘half simulation’I Full simulation: [Lin08] – blowup, extra rounds

I ‘Adaptive selection:’ [CNS07,GH07] – bilinear, many rounds

Will it COMPOSE ?



A

crs

R1

R2

S

Y

Z

π

ρ



3 / 10
Prior Efficient ProtocolsI Two messages: [NP01,AIR01,Tau05,CS02] – ‘half simulation’I Full simulation: [Lin08] – blowup, extra roundsI ‘Adaptive selection:’ [CNS07,GH07] – bilinear, many rounds

Will it COMPOSE ?



A

crs

R1

R2

S

Y

Z

π

ρ



3 / 10

Will it COMPOSE ?



A

crs

R1

R2

S

Y

Z

π

ρ



3 / 10

Will it COMPOSE ?



A

crs

R1

R2

S

Y

Z

π

ρ



3 / 10

Will it COMPOSE ?



A

crs

R1

R2

S

Y

Z

π

ρ



3 / 10

Will it COMPOSE ?



A

crs

R1

R2

S

Y

Z

π

ρ



3 / 10
A New OT FrameworkMain Attractions

4 Round-optimal – two messages

4 Efficient – computation & bandwidth4 Universally composable – static corruption, CRS setup4 Realizable – DDH, QR, DCR, worst-case lattice assumptions

Bonus FeaturesI Unbounded CRS reuse (JUC framework [CR03])I Statistical security for either partyI Simple & symmetric proof

Conceptual ToolsI Messy public keys (‘message-lossy’) aka ‘meaningless’ [KN08]I New abstraction: Dual-mode cryptosystem

4 / 10

4 Round-optimal – two messages4 Efficient – computation & bandwidth

4 Universally composable – static corruption, CRS setup4 Realizable – DDH, QR, DCR, worst-case lattice assumptions



4 / 10

4 Round-optimal – two messages4 Efficient – computation & bandwidth4 Universally composable – static corruption, CRS setup

4 Realizable – DDH, QR, DCR, worst-case lattice assumptions



4 / 10

4 Round-optimal – two messages4 Efficient – computation & bandwidth4 Universally composable – static corruption, CRS setup4 Realizable – DDH, QR, DCR, worst-case lattice assumptions



4 / 10




4 / 10




4 / 10
Our Protocol

1011 · · ·

S(m0,m1) R(σ)

pk, sk← Gen(σ)pk0pk1

pkpk0pk1

pk

cb ← Enc(pkb, mb)

c0, c1

mσ ← Dec(sk, cσ)

Needed: Dual-mode cryptosystem

5 / 10
Our Protocol

1011 · · ·

S(m0,m1) R(σ)


pkpk0pk1

pk

cb ← Enc(pkb, mb)

c0, c1



5 / 10
Our Protocol

1011 · · ·

S(m0,m1) R(σ)


pkpk0pk1

pk

cb ← Enc(pkb, mb)

c0, c1



5 / 10
Our Protocol

1011 · · ·

S(m0,m1) R(σ)


pkpk0pk1

pk

cb ← Enc(pkb, mb)

c0, c1



5 / 10
Messy EncryptionDecryptable Public Keys

Enc(pk, m0)c≈ Enc(pk, m1)

I Decrypt with sk.

Messy Public Keys

Enc(pk, m0)s≈ Enc(pk, m1)

I Statistically secure! (Decryption impossible.)

Cryptosystems with Messy KeysI Cocks ID-based [Coc01]

I Lattice-based [AD97, Reg03, Reg05]

I ElGamal, Paillier variants [ElG84,Pai99]

6 / 10


I Decrypt with sk.

Messy Public Keys






6 / 10


I Decrypt with sk.

Messy Public Keys






6 / 10
Dual-Mode Cryptosystem

Setup{dec,mes} 3 mode (crs, trap)

crsc≈ crs

Genσ skσ, pkpkσpk1−σ

Encm

pkσ

Dec

skσ

m

TrapGen sk0, sk1, pk

trap

pk0pk1

FindMessypk∗

trap

pk∗µ

7 / 10


crsc≈ crs


Encm

pkσ

Dec

skσ

m


trap

pk0pk1

FindMessypk∗

trap

pk∗µ

7 / 10


crsc≈ crs


Encm

pkσ

Dec

skσ

m


trap

pk0pk1

FindMessypk∗

trap

pk∗µ

7 / 10


crsc≈ crs


Encm

pkσ

Dec

skσ

m


trap

pk0pk1

FindMessypk∗

trap

pk∗µ

7 / 10


crsc≈ crs


Encm

pkσ

Dec

skσ

m


trap

pk0pk1

FindMessypk∗

trap

pk∗µ

7 / 10


crsc≈ crs


Encm

pkσ

Dec

skσ

m


trap

pk0pk1

FindMessypk∗

trap

pk∗µ

7 / 10


crsc≈ crs


Encm

pkσ

Dec

skσ

m


trap

pk0pk1

FindMessypk∗

trap

pk∗µ

7 / 10
Security

Main TheoremDual-mode cryptosystem =⇒ 2-message UC-secure OT

Proof Outline

1 ∀ real S∗, ∃ ideal S (TrapGen)REAL(S∗, crs)

s≈ IDEAL(S)

2 ∀ real R∗, ∃ ideal R (FindMessy)REAL(R∗, crs)

s≈ IDEAL(R)

3 ∀ real P∗ ∈ {R∗, S∗}, (Setup)

REAL(P∗, crs)c≈ REAL(P∗, crs)

8 / 10
Security


Proof Outline1 ∀ real S∗, ∃ ideal S (TrapGen)

REAL(S∗, crs)s≈ IDEAL(S)


s≈ IDEAL(R)

3 ∀ real P∗ ∈ {R∗, S∗}, (Setup)


8 / 10
Security





s≈ IDEAL(R)

3 ∀ real P∗ ∈ {R∗, S∗}, (Setup)


8 / 10
Security





s≈ IDEAL(R)

3 ∀ real P∗ ∈ {R∗, S∗}, (Setup)


8 / 10
Security





s≈ IDEAL(R)

3 ∀ real P∗ ∈ {R∗, S∗}, (Setup)


Security in decryption mode (cf. [GOS06]):

4 REAL(R∗, crs)c≈ REAL(R∗, crs)

s≈ IDEAL(R)

8 / 10
Security





s≈ IDEAL(R)

3 ∀ real P∗ ∈ {R∗, S∗}, (Setup)


Security in messy mode:

4 REAL(S∗, crs)c≈ REAL(S∗, crs)

s≈ IDEAL(S)

8 / 10
Quadratic Residuosity ConstructionCocks Encryption [Coc01]

I Global: N = pqI Decryptable keys: secret x ∈ ZN , public y = x2 ∈ QRN .I Messy public key: y 6∈ QRN

Our Construction

Decryption mode Messy mode

crs = (N, z ∈ QRN) crs = (N, z ∈ JN\QRN)trap =

√z trap = (p, q)

ZN 3 pk = yy0 = y · z0

y1 = y · z1

TrapGen: FindMessy:

sk0 =√

y, sk1 =√

y · √z y 6∈ QRN or y · z 6∈ QRN

9 / 10


Our Construction



√z trap = (p, q)

ZN 3 pk = yy0 = y · z0

y1 = y · z1

TrapGen: FindMessy:

sk0 =√

y, sk1 =√


9 / 10


Our Construction



√z trap = (p, q)

ZN 3 pk = yy0 = y · z0

y1 = y · z1

TrapGen: FindMessy:

sk0 =√

y, sk1 =√


9 / 10


Our Construction



√z trap = (p, q)

ZN 3 pk = yy0 = y · z0

y1 = y · z1

TrapGen: FindMessy:

sk0 =√

y, sk1 =√

y · √z y 6∈ QRN or y · z 6∈ QRN9 / 10
Some Open Problems

1 Adaptive corruptions? (Progress: [GWZ])

2 Alternate setup? (GUC framework? [CDPW07])

3 String OT from QR, lattices? (Note: [BGH07] isn’t messy!)

FOTContinue

End1

END

10 / 10
Some Open Problems




FOTContinue

End1

END

10 / 10
Some Open Problems




FOTContinue

End1

END

10 / 10
Some Open Problems




FOTContinue

End1

END10 / 10

A Framework for Efficient and Composable Oblivious...

Documents

Transcript of A Framework for Efficient and Composable Oblivious...