part i
play

(Part I) Emmanuela Orsini and Peter Scholl imec-COSIC, KU Leuven - PowerPoint PPT Presentation

Apr 28, 2023 •399 likes •740 views

Efficient Actively Secure OT Extension: 5 Years Later 1 (Part I) Emmanuela Orsini and Peter Scholl imec-COSIC, KU Leuven and Aarhus University 1 Based on the paper Efficient Actively Secure OT Extension , M. Keller, E. Orsini, P. Scholl CRYPTO

  1. Efficient Actively Secure OT Extension: 5 Years Later 1 (Part I) Emmanuela Orsini and Peter Scholl imec-COSIC, KU Leuven and Aarhus University 1 Based on the paper Efficient Actively Secure OT Extension , M. Keller, E. Orsini, P. Scholl CRYPTO 2015

  2. Oblivious transfer - Definition Oblivious Transfer (OT) is a ubiquitous cryptographic primitive designed to transfer specific data based on the receiver’s choice. m 0 , m 1 m b , b ∈ { 0 , 1 } Sender Receiver No further information should be learned by any party Relevant to this workshop: distribution of keys for GC, Threshold ECDSA, etc.. 2

  3. Extending oblivious transfer - Motivation • Impagliazzo, Rudich [IR98] Black-box separation result → OT is impossible without public-key primitives (?) • Beaver [Beaver96]: OT can be extended 3

  4. OT-extension: 2003-2020 - Y. Ishai, J. Kilian, K. Nissim, E. Petrank “Extending oblivious transfers efficiently”, CRYPTO 2003 - G. Asharov, Y. Lindell, T. Schneider, and M. Zohner More Efficient Oblivious Transfer and Extensions for Faster Secure Computation , ACM CCS 2013 - V. Kolesnikov, R. Kumaresan Improved OT extension for transferring short secrets , CRYPTO 2013 + J. B. Nielsen, P. S. Nordholt, C. Orlandi, and S. S. Burra. A new approach to practical active-secure two-party computation , CRYPTO 2012 + G. Asharov, Y. Lindell, T. Schneider, and M. Zohner More efficient oblivious transfer extensions with security for malicious adversaries , EUROCRYPT 2015 + M. Keller, E. Orsini, P. Scholl Actively Secure OT Extension with Optimal Overhead, CRYPTO 2015 + M. Orr` u, E. Orsini, P. Scholl Actively Secure 1 -out-of- N OT Extension with Application to Private Set Intersection, CT-RSA 2017 x D. Masny, P. Rindal Endemic Oblivious Transfer , CCS 2019 x C. Guo, J. Katz, X. Wang, Y. Yu Efficient and Secure Multiparty Computation from Fixed-Key Block Ciphers , IEEE S&P 2020 * E. Boyle, G. Couteau, N. Gilboa, Y. Ishai, L. Kohl, P. Scholl Efficient Pseudorandom Correlation Generators: Silent OT Extension and More, CRYPTO 2019 4

  5. OT, Correlated OT and Random OT m 0 b m 0 b m 1 OT m b m 0 + ∆ COT m b Sender Sender Receiver Receiver Standard OT and COT functionality (Sender chosen message) m 0 m 0 b b m 1 ROT m b m 0 + ∆ COT m b Sender Sender Receiver Receiver OT and COT with uniform message security 5

  6. OT, Correlated OT and Random OT m 0 b m 0 b m 1 OT m b m 0 + ∆ COT m b Sender Sender Receiver Receiver Standard OT and COT functionality (Sender chosen message) m 0 m 0 b b m 1 ROT − m b m 0 + ∆ COT − m b Sender Sender Receiver Receiver Endemic security [MR19] 5

  7. OT, Correlated OT and Random OT m 0 b m 0 b m 1 OT m b m 0 + ∆ COT m b Sender Sender Receiver Receiver Standard OT and COT functionality (Sender chosen message) m 0 m 0 b b m 1 ROT − m b m 0 + ∆ COT − m b Sender Sender Receiver Receiver Endemic security [MR19] 5

  8. IKNP OT-extension Sender Receiver m 0 ,i , m 1 ,i ∈ { 0 , 1 } k ( x 1 , . . . , x m ) ∈ { 0 , 1 } m Input. i ∈ [ m ] , k ≪ m q i , ∆ t i , x 1. m COT t i ∈ { 0 , 1 } k , i ∈ [ m ] t i = q i + x i · ∆ m x i ,i = H ( t i , i ) + c x i ,i Send: 2. RO c 0 ,i = H ( q i , i ) + m 0 ,i c 1 ,i = H ( q i + ∆ , i ) + m 1 ,i 6

  9. IKNP OT extension - Security • Assuming that Phase 1. of the protocol is passively/actively secure then – IKNP is passively/actively secure when H is a random oracle – For passive security it is enough for H to be a correlation robust hash function [IKNP03] – For active security H has to be a tweakable correlation robust hash function • To achieve active security we need: – Prove that Phase 1 is secure 1. Achieve security against a malicious receiver – Secure instantiation of the building blocks 7

  10. IKNP OT extension - Security • Assuming that Phase 1. of the protocol is passively/actively secure then – IKNP is passively/actively secure when H is a random oracle – For passive security it is enough for H to be a correlation robust hash function [IKNP03] – For active security H has to be a tweakable correlation robust hash function • To achieve active security we need: – Prove that Phase 1 is secure 1. Achieve security against a malicious receiver – Secure instantiation of the building blocks 7

  11. Proctecting against a malicious receiver - Attack   t κ t 1 , 1 + x 1 · ∆ 1 1 ,k + · x 1 · ∆ k . . . q 1 = t 1 + x 1 · ∆   t κ t 2 , 1 + x 2 · ∆ 1 2 ,k + x 2 · ∆ k  . . .  q 2 = t 2 + x 2 · ∆     t κ t 3 , 1 + x 3 · ∆ 1 . . . 3 ,k + tx 3 · ∆ k   q 3 = t 3 + x 3 · ∆     . .   . .  . .  . . .     . . ... .  . .  . . .   .   . .   . .   . . . . .     q m = t m + x m · ∆ t m, 1 + x m · ∆ 1 . . . t m,k + x m · ∆ k 8

  12. Protecting against a malicious receiver - Attack   t κ t 1 , 1 + ∆ 1 q 1 = t 1 + (∆ 1 , 0 , . . . , 0) . . . . . . 1 ,k   t κ t 2 , 2 + ∆ 2  t 2 , 1 . . .  q 2 = t 2 + (0 , ∆ 2 , 0 , . . . , 0) 2 ,k     t κ t 3 , 1 . . . . . .   q 3 = t 3 + (0 , 0 , ∆ 3 , 0 , . . . , 0) 3 ,k     . . .   . . .  . . .  . . .     . . . ... . . .   . . . . .   .   . . .   . . .   . . . . . .     t m,k + ∆ k t m, 1 . . . . . . • c 0 , 1 = H ( q 1 , 1) + m 0 , 1 = H ( t 1 + (∆ 1 , 0 , . . . , 0) , 1) + m 0 , 1 , can extract ∆ 1 • Repeating the attack can recover the entire ∆ and hence all the messages 9

  13. Protecting against a malicious receiver - Consistency check Sender Receiver m 0 ,i , m 1 ,i ∈ { 0 , 1 } k ( x 1 , . . . , x m ) ∈ { 0 , 1 } m Input i ∈ [ m ′ ] , k ≪ m ′ ( x m +1 , . . . , x m ′ ) ∈ { 0 , 1 } m ′ − m , m ′ − m = k + s q i , ∆ m COT − t i , x 1. q i + t i = x i · ∆ t i ∈ { 0 , 1 } k , i ∈ [ m ′ ] Compute q = � i χ i q i and check that Receive χ 1 , . . . , χ m ′ ∈ F 2 k 2. Check t = q + x · ∆ Send t = � i χ i t i and x = � i χ i x i c 0 ,i = H ( q i , i ) + m 0 ,i m x i ,i = H ( t i , i ) + c x i ,i 3. RO c 1 ,i = H ( q i + ∆ , i ) + m 1 ,i 10

  14. Part II: Instantiating the Primitives; and Silent OT Extension 11

  15. � Instantiating the Base OTs [Masny-Rindal 19] Some instantiations allow corrupt parties to bias random-OT outputs → ( COT − , ROT − or OT) OT-ext • (OT or OT − ) − − − − OT-ext • ( OT or OT − ) − − − − → ROT 12

  16. � Instantiating the Base OTs [Masny-Rindal 19] Some instantiations allow corrupt parties to bias random-OT outputs → ( COT − , ROT − or OT) OT-ext • (OT or OT − ) − − − − OT-ext • ( OT or OT − ) − − − − → ROT 12

  17. � Instantiating the Base OTs [Masny-Rindal 19] Some instantiations allow corrupt parties to bias random-OT outputs → ( COT − , ROT − or OT) OT-ext • (OT or OT − ) − − − − OT-ext • ( OT or OT − ) − − − − → ROT Sender Receiver x 1 ∈ { 0 , 1 } Input t , x 1 ∈ { 0 , 1 } k q , ∆ 1. m COT t ∈ { 0 , 1 } k q + t = x 1 · ∆ 2. Check m 0 = H ( q , 1) m x 1 = H ( t , 1) 3. RO m 1 = H ( q + ∆ , 1) 12

  18. � Instantiating the Base OTs [Masny-Rindal 19] Some instantiations allow corrupt parties to bias random-OT outputs → ( COT − , ROT − or OT) OT-ext • (OT or OT − ) − − − − OT-ext • ( OT or OT − ) − − − − → ROT Sender Receiver x 1 ∈ { 0 , 1 } Input 0 ∈ { 0 , 1 } k q , ∆ 1. m COT 0 , x 1 = 1 q = ∆ 2. Check m 0 = H ( q , 1) m 1 = H ( 0 , 1) 3. RO m 1 = H ( 0 , 1) 12

  19. � Instantiating the Base OTs [Masny-Rindal 19] Some instantiations allow corrupt parties to bias random-OT outputs → ( COT − , ROT − or OT) OT-ext • (OT or OT − ) − − − − OT-ext • ( OT or OT − ) − − − − → ROT • COT − or ROT − enough for OT and most applications – But not always: e.g. be careful with ROT − and some PSI protocols • If true ROT needed, protocols can be modified: OT-ext coin OT − − − − − → COT − − − → ROT 12

  20. � Instantiating the Base OTs [Masny-Rindal 19] Some instantiations allow corrupt parties to bias random-OT outputs → ( COT − , ROT − or OT) OT-ext • (OT or OT − ) − − − − OT-ext • ( OT or OT − ) − − − − → ROT • COT − or ROT − enough for OT and most applications – But not always: e.g. be careful with ROT − and some PSI protocols • If true ROT needed, protocols can be modified: OT-ext coin OT − − − − − → COT − − − → ROT 12

  21. Instantiating the hash function H ( x, i ) [GKWY 20] Security requirement: form of correlation robustness 13

  22. Instantiating the hash function H ( x, i ) [GKWY 20] Security requirement: form of correlation robustness • SHA 256: straightforward, but slow • Fixed-key block cipher, e.g. AES – ≈ 10 x faster – Incorporating index i : can be done with one extra AES call [GKWY20] 13

  23. Instantiating the hash function H ( x, i ) [GKWY 20] Security requirement: form of correlation robustness • SHA 256: straightforward, but slow • Fixed-key block cipher, e.g. AES – ≈ 10 x faster – Incorporating index i : can be done with one extra AES call [GKWY20] • What if i is omitted? – Can lead to attack, depending on base OTs [MR19] 13

Recommend

Part 0: Git-ing Started Part 1: Essential Skills Part 2: Introduction to Git Part 3: Advanced

Part 0: Git-ing Started Part 1: Essential Skills Part 2: Introduction to Git Part 3: Advanced

Part 0: Git-ing Started Part 1: Essential Skills Part 2: Introduction to Git Part 3: Advanced Features Part 4: Shells Comic Credit: Randall Munroe, xkcd.com Lab 3: Version Control Part 0: Git-ing Started Part 1: Essential Skills Part 2:

513 views • 37 slides
Introduction Part One: Initial Problem Part Two: Progress Over Six Months Part

Introduction Part One: Initial Problem Part Two: Progress Over Six Months Part

Introduction Part One: Initial Problem Part Two: Progress Over Six Months Part Three: Key Outputs/Deliverables Part Four: What Have We Learned? Part Five: Next Steps Problem is Why spending entities dont execute their

751 views • 26 slides
Outline Part I. Introduction Part II. ML for DI Part III. DI for ML Training data

Outline Part I. Introduction Part II. ML for DI Part III. DI for ML Training data

Outline Part I. Introduction Part II. ML for DI Part III. DI for ML Training data creation Data cleaning Part IV. Conclusions and research directions Successful ML requires Data Integration Large collections of manually

510 views • 15 slides
DMR - Part 2 of 3 May 2, 2020 Part 1 - Mike Moore KC2NM Part 2 - Rich Hoffarth K2AXP Part 3 -

DMR - Part 2 of 3 May 2, 2020 Part 1 - Mike Moore KC2NM Part 2 - Rich Hoffarth K2AXP Part 3 -

R A R A Academy on DMR 05/02/2020 Rochester Amateur Radio Association, Inc. DMR - Part 2 of 3 May 2, 2020 Part 1 - Mike Moore KC2NM Part 2 - Rich Hoffarth K2AXP Part 3 - Steve Verzulli KA1CNF http://rochesterham.org 1 Introduction

734 views • 20 slides
Commercial Dog Breeders Part 8: Housing (Part 2) Introduction Housing Part 1 Housing Part 2

Commercial Dog Breeders Part 8: Housing (Part 2) Introduction Housing Part 1 Housing Part 2

Introductory Course for Commercial Dog Breeders Part 8: Housing (Part 2) Introduction Housing Part 1 Housing Part 2 Specific requirements for Define types of facilities each type of facility: General requirements for Primary

1.12k views • 68 slides
Fusion - Part 3 of 3 May 16, 2020 Part 1 - Mike Moore KC2NM Part 2 - Rich Hoffarth K2AXP Part 3

Fusion - Part 3 of 3 May 16, 2020 Part 1 - Mike Moore KC2NM Part 2 - Rich Hoffarth K2AXP Part 3

R A R A Academy 05/16/2020 Rochester Amateur Radio Association, Inc. Fusion - Part 3 of 3 May 16, 2020 Part 1 - Mike Moore KC2NM Part 2 - Rich Hoffarth K2AXP Part 3 - Steve Verzulli KA1CNF http://rochesterham.org 1 Credits I wish thank

379 views • 19 slides
CS 309: Autonomous Intelligent Robotics FRI I Lecture 4: AI Part 2 & C++ Part 2 Instructor:

CS 309: Autonomous Intelligent Robotics FRI I Lecture 4: AI Part 2 & C++ Part 2 Instructor:

CS 309: Autonomous Intelligent Robotics FRI I Lecture 4: AI Part 2 & C++ Part 2 Instructor: Justin Hart http://justinhart.net/teaching/2019_spring_cs309/ Today What is Artificial Intelligence? Part 2 C++ Primer Part 2 Areas

422 views • 27 slides
01 INTR IN TRODUC UCTIO TION PART PE is a LIFE LI LIFE PA PAYT - To Tool to to re reduce

01 INTR IN TRODUC UCTIO TION PART PE is a LIFE LI LIFE PA PAYT - To Tool to to re reduce

01. PART INTRODUCTION AND MAIN OBJECTIVES Our LIFE2015/ENV/PT/609 agenda 02. PART METHODOLOGY 03. PART IMPLEMENTATION ADVISORY BOARD AND PROJECT BOARD MEETING 29-30 January 2018 04. PART CONCLUSION ABOU ABOUT T US 01 INTR IN

716 views • 17 slides
Fundraising 101 Fundraising Class Agenda Part I: Introductions Part II: Traditional Fundraising

Fundraising 101 Fundraising Class Agenda Part I: Introductions Part II: Traditional Fundraising

Fundraising 101 Fundraising Class Agenda Part I: Introductions Part II: Traditional Fundraising Practices Part III: Crowdfunding Basics Part IV: Grantseeking - 360 degree view Part V: Q&A 2 Why Fundraise? 1) Financing your creative practice

618 views • 31 slides
Wind Part 1: How do we measure it? Part 2: What exactly is wind? Part 3: Where is it? PART 1:

Wind Part 1: How do we measure it? Part 2: What exactly is wind? Part 3: Where is it? PART 1:

Wind Part 1: How do we measure it? Part 2: What exactly is wind? Part 3: Where is it? PART 1: Wind speed = Measuring anemometer Wind Wind direction = wind vane given from the direction it came FROM. Wind chill = increased

428 views • 20 slides
Part 1: Knowledge Graphs Part 2: Part 3: Knowledge Graph

Part 1: Knowledge Graphs Part 2: Part 3: Knowledge Graph

Part 1: Knowledge Graphs Part 2: Part 3: Knowledge Graph Extraction Construction Part 4: Critical Analysis 1 Tutorial Outline 1. Knowledge Graph Primer [Jay] 2.

1.16k views • 66 slides
Part 1: Knowledge Graphs Part 2: Part 3: Knowledge Graph

Part 1: Knowledge Graphs Part 2: Part 3: Knowledge Graph

Part 1: Knowledge Graphs Part 2: Part 3: Knowledge Graph Extraction Construction Part 4: Critical Analysis 1 Tutorial Outline 1. Knowledge Graph Primer [Jay] 2.

869 views • 71 slides
The heartful PRESENTER Influence minds and win hearts Contents 04 PART 1 INTRODUCTION 06

The heartful PRESENTER Influence minds and win hearts Contents 04 PART 1 INTRODUCTION 06

The heartful PRESENTER Influence minds and win hearts Contents 04 PART 1 INTRODUCTION 06 PART 2 BODY LANGUAGE 08 PART 3 VOICE MODULATION 11 PART 4 POWER OF PAUSE 14 PART 5 PRESENCE 16 PART 6 EMPATHY THe

755 views • 17 slides
Project Presentation TAKING COOPERATION FORWARD 1 PROLINE-CE: THE PROJECT Part 1 Part 2 Part 3

Project Presentation TAKING COOPERATION FORWARD 1 PROLINE-CE: THE PROJECT Part 1 Part 2 Part 3

PROLINE-CE Project Presentation TAKING COOPERATION FORWARD 1 PROLINE-CE: THE PROJECT Part 1 Part 2 Part 3 Part 4 Funding Facts & Figures Objectives & Structure & Programme Timeline Partnership T arget groups Goals

429 views • 20 slides
Influence Identification on Independent Cascade Model

Influence Identification on Independent Cascade Model

Influence Identification on Independent Cascade Model Part 1 Introduction Part 2 Related Work Part 3 Algorithm Part 4 Experiment Part 5 Conclusion Part 6 References

723 views • 33 slides
Taking Zu as an Example Contents Introduction PART 1 Previous Studies PART 2 Data

Taking Zu as an Example Contents Introduction PART 1 Previous Studies PART 2 Data

Lexical Semantic Evolution of Polysemous Words in Ancient Chinese Taking Zu as an Example Contents Introduction PART 1 Previous Studies PART 2 Data Collection & Analysis PART 3 Conclusion & Future Work PART 4 2 Introduction

698 views • 20 slides
Industrial Robots Industrial Robots Control Control Part 2 Control Control Part 2 Part 2

Industrial Robots Industrial Robots Control Control Part 2 Control Control Part 2 Part 2

Industrial Robots Industrial Robots Control Control Part 2 Control Control Part 2 Part 2 Part 2 Introduction to centralized control Independent joint decentralized control may prove inadequate when the user requires high task

673 views • 36 slides
Webinar Series: Evaluating and Sharing Your Librarys Impact Part 1: Part 3: Part 2: April

Webinar Series: Evaluating and Sharing Your Librarys Impact Part 1: Part 3: Part 2: April

Webinar Series: Evaluating and Sharing Your Librarys Impact Part 1: Part 3: Part 2: April 24 October 3 August 14 Linda Kara Reuter Melissa Hofschire Bowles-Terry User-centered Assessment: Digging into Take Action: Using

832 views • 43 slides
Webinar Series: Evaluating and Sharing Your Librarys Impact Part 1: Part 3: Part 2: April

Webinar Series: Evaluating and Sharing Your Librarys Impact Part 1: Part 3: Part 2: April

Webinar Series: Evaluating and Sharing Your Librarys Impact Part 1: Part 3: Part 2: April 24 October 3 August 14 Linda Kara Reuter Melissa Hofschire Bowles-Terry User-centered Assessment: Digging into Take Action: Using

1.11k views • 61 slides
10 GHz (Microwave), up North Part #1 Part #2 Part #3 Promotion Activities Planning Parts 2

10 GHz (Microwave), up North Part #1 Part #2 Part #3 Promotion Activities Planning Parts 2

10 GHz (Microwave), up North Part #1 Part #2 Part #3 Promotion Activities Planning Parts 2 & 3 Presented at the NTMS Microwave Mini-conference on Nov. 9 th 2013 by Jim Froemke K0MHC/rover 1 10 GHz DXpedition to the Great Lakes 3 4

693 views • 45 slides
CS188 Outline Were done with Part I: Search and Planning! Part II: Probabilistic

CS188 Outline Were done with Part I: Search and Planning! Part II: Probabilistic

CS188 Outline Were done with Part I: Search and Planning! Part II: Probabilistic Reasoning Diagnosis Speech recognition Tracking objects Robot mapping Genetics Error correcting codes lots more! Part

530 views • 18 slides
PROCESS SKID PACKAGES INDEX Part I : The Company, Quality System & Certification Part

PROCESS SKID PACKAGES INDEX Part I : The Company, Quality System & Certification Part

PROCESS SKID PACKAGES INDEX Part I : The Company, Quality System & Certification Part II : Euroguarco Manufacturing & Supply Part III : Engineering Activities Part IV: Pressure Equipment Part V: Instrumentation Packages

560 views • 40 slides
FY17 CONSOLIDATED RESULTS UNIPOL AND UNIPOLSAI Bologna, 23 March 2018 2 PART 1 PART 2 PART 3

FY17 CONSOLIDATED RESULTS UNIPOL AND UNIPOLSAI Bologna, 23 March 2018 2 PART 1 PART 2 PART 3

FY17 CONSOLIDATED RESULTS UNIPOL AND UNIPOLSAI Bologna, 23 March 2018 2 PART 1 PART 2 PART 3 Consolidated Insurance Banking Business results Business Non-Life Life PART 4 PART 5 PART 6 Investments Dividend proposal

430 views • 30 slides
Outline Overview Part I: Emacs ESS tutorial, UseR! 2011 meeting part II: ESS Stephen Eglen

Outline Overview Part I: Emacs ESS tutorial, UseR! 2011 meeting part II: ESS Stephen Eglen

Outline Overview Part I: Emacs ESS tutorial, UseR! 2011 meeting part II: ESS Stephen Eglen Part III: Sweave Part IV: Org mode 2011-08-15 Advanced topics Part V Future steps / Q & A session / open discussion End Aims of the tutorial

847 views • 26 slides

More recommend