A Framework for Efficient and Composable Oblivious Transfer

Chris Peikert (SRI International), Vinod Vaikuntanathan (MIT), Brent Waters (SRI International)

CRYPTO 2008

Oblivious Transfer [R81, EGL85, BCR86, C87, K88, CK88, C89, CS91, CGT95, DCP95, FMR96, BC97, ...]

"REAL": the sender S holds (m_0, m_1), the receiver R holds a choice bit σ; at the end R obtains m_σ.
"IDEAL": S sends (m_0, m_1) and R sends σ to the ideal functionality F_OT, which hands m_σ to R.
Security is defined by simulation: for every real sender S* there is an ideal S that reproduces VIEW(S*), and for every real receiver R* there is an ideal R that reproduces VIEW(R*).

◮ 'Complete' for secure computation [Yao82, GMW87, Kil88]
◮ Feasible: (enhanced) TDPs + zero knowledge [EGL85, GMW86]

Prior Efficient Protocols

◮ Two messages: [NP01, AIR01, Tau05, CS02] – 'half simulation'
◮ Full simulation: [Lin08] – blowup, extra rounds
◮ 'Adaptive selection:' [CNS07, GH07] – bilinear, many rounds

Will it COMPOSE? UC framework [Can01] (diagram: a protocol π with a crs, run by parties R_1 and R_2 against adversary A and environment Z with simulator S, composed inside a larger protocol ρ). Requires setup [CF01].

COMPOSABILITY aids EFFICIENCY

◮ Stronger OT variants, specific assumptions, 4+ messages [JS07, GMY04, DN03, GH08]

A New OT Framework

Main Attractions
✔ Round-optimal – two messages
✔ Efficient – computation & bandwidth
✔ Universally composable – static corruption, CRS setup
✔ Realizable – DDH, QR, DCR, worst-case lattice assumptions

Bonus Features
◮ Unbounded CRS reuse (JUC framework [CR03])
◮ Statistical security for either party
◮ Simple & symmetric proof

Conceptual Tools
◮ Messy public keys ('message-lossy'), aka 'meaningless' [KN08]
◮ New abstraction: dual-mode cryptosystem

Our Protocol

Both parties share a common reference string crs (drawn on the slide as a bit string 1011···). The sender S holds (m_0, m_1); the receiver R holds σ.

1. R: (pk, sk) ← Gen(σ); R sends pk to S.
2. S: derives the two branch keys pk_0 and pk_1 from pk; c_b ← Enc(pk_b, m_b) for b ∈ {0, 1}; S sends c_0, c_1 to R.
3. R: m_σ ← Dec(sk, c_σ).

Needed: Dual-mode cryptosystem

Messy Encryption

Decryptable Public Keys: Enc(pk, m_0) ≈_c Enc(pk, m_1)
◮ Decrypt with sk.

Messy Public Keys: Enc(pk, m_0) ≈_s Enc(pk, m_1)
◮ Statistically secure! (Decryption impossible.)

Cryptosystems with Messy Keys
◮ Cocks ID-based [Coc01]
◮ Lattice-based [AD97, Reg03, Reg05]
◮ ElGamal, Paillier variants [ElG84, Pai99]

Dual-Mode Cryptosystem

mode ∈ {dec, mes}

◮ Setup(mode) → (crs, trap), with crs_dec ≈_c crs_mes
◮ Gen(σ) → (pk, sk_σ): a key pair for branch σ; pk also determines the other branch key pk_{1−σ}
◮ Enc(pk_σ, m), Dec(sk_σ, ·) → m: encryption on branch σ decrypts correctly under sk_σ
◮ TrapGen(trap) → (sk_0, sk_1, pk*) (dec mode): one key pk* with secret keys for both branches
◮ FindMessy(trap, pk) → μ (mes mode): a branch μ for which pk_μ is messy

Security

Main Theorem: Dual-mode cryptosystem ⇒ 2-message UC-secure OT

Proof Outline
1. ∀ real S*, ∃ ideal S (via TrapGen): REAL(S*, crs_dec) ≈_s IDEAL(S)
2. ∀ real R*, ∃ ideal R (via FindMessy): REAL(R*, crs_mes) ≈_s IDEAL(R)
3. ∀ real P* ∈ {R*, S*} (via Setup): REAL(P*, crs_dec) ≈_c REAL(P*, crs_mes)
