Efficient Actively Secure OT Extension: 5 Years Later (Part I). Emmanuela Orsini and Peter Scholl, imec-COSIC, KU Leuven. Slide transcript of the PowerPoint presentation.

  1. Efficient Actively Secure OT Extension: 5 Years Later (Part I)
     Emmanuela Orsini and Peter Scholl, imec-COSIC, KU Leuven and Aarhus University
     Footnote 1: Based on the paper "Efficient Actively Secure OT Extension", M. Keller, E. Orsini, P. Scholl, CRYPTO 2015

  2. Oblivious transfer - Definition
     Oblivious Transfer (OT) is a ubiquitous cryptographic primitive designed to transfer specific data based on the receiver's choice.
     Diagram: Sender inputs $m_0, m_1$; Receiver inputs $b \in \{0, 1\}$ and obtains $m_b$.
     No further information should be learned by any party.
     Relevant to this workshop: distribution of keys for GC, threshold ECDSA, etc.

  3. Extending oblivious transfer - Motivation
     • Impagliazzo, Rudich [IR98]: black-box separation result → OT is impossible without public-key primitives (?)
     • Beaver [Beaver96]: OT can be extended

  4. OT-extension: 2003-2020
     - Y. Ishai, J. Kilian, K. Nissim, E. Petrank, "Extending oblivious transfers efficiently", CRYPTO 2003
     - G. Asharov, Y. Lindell, T. Schneider, M. Zohner, "More Efficient Oblivious Transfer and Extensions for Faster Secure Computation", ACM CCS 2013
     - V. Kolesnikov, R. Kumaresan, "Improved OT extension for transferring short secrets", CRYPTO 2013
     + J. B. Nielsen, P. S. Nordholt, C. Orlandi, S. S. Burra, "A new approach to practical active-secure two-party computation", CRYPTO 2012
     + G. Asharov, Y. Lindell, T. Schneider, M. Zohner, "More efficient oblivious transfer extensions with security for malicious adversaries", EUROCRYPT 2015
     + M. Keller, E. Orsini, P. Scholl, "Actively Secure OT Extension with Optimal Overhead", CRYPTO 2015
     + M. Orrù, E. Orsini, P. Scholl, "Actively Secure 1-out-of-N OT Extension with Application to Private Set Intersection", CT-RSA 2017
     x D. Masny, P. Rindal, "Endemic Oblivious Transfer", CCS 2019
     x C. Guo, J. Katz, X. Wang, Y. Yu, "Efficient and Secure Multiparty Computation from Fixed-Key Block Ciphers", IEEE S&P 2020
     * E. Boyle, G. Couteau, N. Gilboa, Y. Ishai, L. Kohl, P. Scholl, "Efficient Pseudorandom Correlation Generators: Silent OT Extension and More", CRYPTO 2019

  5. OT, Correlated OT and Random OT
     Standard OT and COT functionality (sender-chosen message):
     • OT: Sender: $m_0, m_1$; Receiver: $b$, obtains $m_b$.
     • COT: Sender: $m_0$ and $m_0 + \Delta$; Receiver: $b$, obtains $m_b$.
     OT and COT with uniform message security:
     • ROT: Sender: $m_0, m_1$; Receiver: $b$, $m_b$.
     • COT: Sender: $m_0$ and $m_0 + \Delta$; Receiver: $b$, $m_b$.

  6. OT, Correlated OT and Random OT
     Standard OT and COT functionality (sender-chosen message):
     • OT: Sender: $m_0, m_1$; Receiver: $b$, obtains $m_b$.
     • COT: Sender: $m_0$ and $m_0 + \Delta$; Receiver: $b$, obtains $m_b$.
     Endemic security [MR19]:
     • ROT⁻: Sender: $m_0, m_1$; Receiver: $b$, $m_b$.
     • COT⁻: Sender: $m_0$ and $m_0 + \Delta$; Receiver: $b$, $m_b$.

  8. IKNP OT-extension
     Input. Sender: $m_{0,i}, m_{1,i} \in \{0,1\}^k$, $i \in [m]$, $k \ll m$. Receiver: $(x_1, \ldots, x_m) \in \{0,1\}^m$.
     1. $m$ COT: Sender obtains $q_i, \Delta$; Receiver obtains $t_i \in \{0,1\}^k$, $i \in [m]$, with $t_i = q_i + x_i \cdot \Delta$.
     2. RO: Sender sends $c_{0,i} = H(q_i, i) + m_{0,i}$ and $c_{1,i} = H(q_i + \Delta, i) + m_{1,i}$; Receiver computes $m_{x_i,i} = H(t_i, i) + c_{x_i,i}$.

  9. IKNP OT extension - Security
     • Assuming that Phase 1 of the protocol is passively/actively secure, then
       – IKNP is passively/actively secure when H is a random oracle
       – For passive security it is enough for H to be a correlation robust hash function [IKNP03]
       – For active security H has to be a tweakable correlation robust hash function
     • To achieve active security we need:
       – Prove that Phase 1 is secure
         1. Achieve security against a malicious receiver
       – Secure instantiation of the building blocks

  11. Protecting against a malicious receiver - Attack
      Figure: the sender's $m \times k$ matrix after Phase 1, with rows
      $q_i = t_i + x_i \cdot \Delta = (t_{i,1} + x_i \cdot \Delta_1, \ldots, t_{i,k} + x_i \cdot \Delta_k)$ for $i = 1, \ldots, m$
      (an honest receiver uses a single bit $x_i$ for the whole of row $i$).

  12. Protecting against a malicious receiver - Attack
      Figure: a malicious receiver replaces the bit $x_i$ in row $i$ by a unit vector, so the sender's rows become
      $q_1 = t_1 + (\Delta_1, 0, \ldots, 0)$, $q_2 = t_2 + (0, \Delta_2, 0, \ldots, 0)$, $q_3 = t_3 + (0, 0, \Delta_3, 0, \ldots, 0)$, ..., $q_m = t_m + (0, \ldots, 0, \Delta_k)$.
      • $c_{0,1} = H(q_1, 1) + m_{0,1} = H(t_1 + (\Delta_1, 0, \ldots, 0), 1) + m_{0,1}$: the receiver can extract $\Delta_1$
      • Repeating the attack can recover the entire $\Delta$ and hence all the messages

  13. Protecting against a malicious receiver - Consistency check
      Input. Sender: $m_{0,i}, m_{1,i} \in \{0,1\}^k$, $i \in [m']$, $k \ll m'$. Receiver: $(x_1, \ldots, x_m) \in \{0,1\}^m$ and $(x_{m+1}, \ldots, x_{m'}) \in \{0,1\}^{m'-m}$, where $m' - m = k + s$.
      1. COT⁻: Sender obtains $q_i, \Delta$; Receiver obtains $t_i \in \{0,1\}^k$, $i \in [m']$, with $q_i + t_i = x_i \cdot \Delta$.
      2. Check: Receiver receives $\chi_1, \ldots, \chi_{m'} \in \mathbb{F}_{2^k}$ and sends $t = \sum_i \chi_i t_i$ and $x = \sum_i \chi_i x_i$; Sender computes $q = \sum_i \chi_i q_i$ and checks that $t = q + x \cdot \Delta$.
      3. RO: Sender sends $c_{0,i} = H(q_i, i) + m_{0,i}$ and $c_{1,i} = H(q_i + \Delta, i) + m_{1,i}$; Receiver computes $m_{x_i,i} = H(t_i, i) + c_{x_i,i}$.
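The slide-12 attack and the slide-13 consistency check as an added Python simulation (not code from the talk or from the KOS paper): an honest receiver passes the check, while a receiver that uses a unit vector in place of the bit $x_i$ fails it. Assumptions: $k = 128$, $\mathbb{F}_{2^k}$ realised as GF(2^128) with the polynomial $x^{128} + x^7 + x^2 + x + 1$, both parties run in one process over an idealised Phase 1, and the RO phase is omitted.

```python
import secrets

K = 128                      # k in the slides: COT width and the field F_{2^k}
POLY = (1 << K) | 0x87       # x^128 + x^7 + x^2 + x + 1 defines GF(2^128)

def gf_mul(a, b):
    """Carry-less multiplication in GF(2^128), reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> K:
            a ^= POLY
    return r

def simulate_cot(delta, masks):
    """Idealised Phase 1: sender gets q_i, receiver gets t_i = q_i + (mask_i AND Delta).
    Honest mask: 0 or all-ones (the bit x_i times Delta); slide 12 uses a unit vector."""
    q_rows = [secrets.randbits(K) for _ in masks]
    t_rows = [q ^ (m & delta) for q, m in zip(q_rows, masks)]
    return q_rows, t_rows

def kos_check(q_rows, delta, t_rows, x_claimed):
    """Slide-13 check, both parties in one function: receiver answers challenges chi_i
    with t = sum chi_i t_i, x = sum chi_i x_i; sender accepts iff t = q + x * Delta."""
    chi = [secrets.randbits(K) for _ in q_rows]      # challenges in F_{2^k}
    t = x = q = 0
    for qi, ti, xi, ci in zip(q_rows, t_rows, x_claimed, chi):
        t ^= gf_mul(ci, ti)                           # receiver
        x ^= gf_mul(ci, xi)                           # receiver
        q ^= gf_mul(ci, qi)                           # sender
    return t == q ^ gf_mul(x, delta)                  # sender's verdict

def honest_run(m=16):
    """Honest receiver: one bit per row, always passes the check."""
    delta = secrets.randbits(K)
    bits = [secrets.randbits(1) for _ in range(m)]
    q_rows, t_rows = simulate_cot(delta, [(1 << K) - 1 if b else 0 for b in bits])
    return kos_check(q_rows, delta, t_rows, bits)

def slide12_run(m=16):
    """Slide-12 receiver: row i uses the unit vector e_i to learn Delta_i. Constructed
    with Delta_1 = 1, so the check fails except with probability 2^-128."""
    delta = secrets.randbits(K) | 1
    masks = [1 << i for i in range(m)]
    q_rows, t_rows = simulate_cot(delta, masks)
    return kos_check(q_rows, delta, t_rows, [0] * m)  # claims x_i = 0 for every row
```

The malicious receiver has no consistent $x$ to send: whatever it claims, the sender's $\sum_i \chi_i (e_i \wedge \Delta)$ term only cancels with probability $2^{-128}$.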

  14. Part II: Instantiating the Primitives; and Silent OT Extension

  15–20. Instantiating the Base OTs [Masny-Rindal 19]
      Some instantiations allow corrupt parties to bias random-OT outputs:
      • (OT or OT⁻) → OT-ext → (COT⁻, ROT⁻ or OT)
      • (OT or OT⁻) → OT-ext → ROT
      Example with a single OT. Input. Receiver: $x_1 \in \{0,1\}$.
      1. COT: Sender obtains $q, \Delta$; Receiver obtains $t \in \{0,1\}^k$ and $x_1$, with $q + t = x_1 \cdot \Delta$.
      2. Check.
      3. RO: Sender computes $m_0 = H(q, 1)$ and $m_1 = H(q + \Delta, 1)$; Receiver computes $m_{x_1} = H(t, 1)$.
      Biasing the output: a corrupt receiver uses $t = 0$ and $x_1 = 1$, so $q = \Delta$. The sender then computes $m_0 = H(q, 1)$ and $m_1 = H(0, 1)$, and the receiver obtains $m_1 = H(0, 1)$, a value fixed in advance rather than a uniform one.
      • COT⁻ or ROT⁻ enough for OT and most applications
        – But not always: e.g. be careful with ROT⁻ and some PSI protocols
      • If true ROT needed, protocols can be modified: OT⁻ → OT-ext → COT⁻ → coin → ROT

  21–23. Instantiating the hash function $H(x, i)$ [GKWY20]
      Security requirement: form of correlation robustness
      • SHA-256: straightforward, but slow
      • Fixed-key block cipher, e.g. AES
        – ≈ 10x faster
        – Incorporating index $i$: can be done with one extra AES call [GKWY20]
      • What if $i$ is omitted?
        – Can lead to attack, depending on base OTs [MR19]
