The Simplest Protocol for Oblivious Transfer
Tung Chou, Technische Universiteit Eindhoven, The Netherlands
August 24, 2015
Latincrypt 2015, Guadalajara, Mexico
Joint work with Claudio Orlandi

$\binom{2}{1}$ OTs
[Diagram: the Sender inputs $m_0, m_1$ to the OT; the Receiver inputs $b$ and obtains $m_b$]
The Receiver should learn only $m_b$
The Sender should learn nothing

$\binom{n}{1}$ OTs
[Diagram: the Sender inputs $m_0, \dots, m_{n-1}$ to the OT; the Receiver inputs $b$ and obtains $m_b$]
The Receiver should learn only $m_b$
The Sender should learn nothing

Secure Multiparty Computation
[Diagram: A inputs $X$ and B inputs $Y$ to the MPC; both obtain $f(X, Y)$]
The parties should learn no more than $f(X, Y)$
“OT is complete for secure multiparty computation.”

OT Extension
[Diagram: PK → PK + SK]
• Similar to hybrid encryption
• Still we need base OTs

Diffie-Hellman
[Diagram: one party picks random $x$ and sends $xB$; the other picks random $y$ and sends $yB$]
$x(yB) = xyB$
$y(xB) = xyB$

Random-OT
[Diagram: the Receiver inputs $b$ to the R-OT; the Sender obtains $k_0, \dots, k_{n-1}$ and the Receiver obtains $k_b$]
The Receiver should learn only $k_b$
The Sender gets all $k_i$ but nothing about $b$

Our Random-OT construction
Sender: random $x$, sends $S = xB$
Receiver: random $y$, sends $R = yB + bS$
Sender: $k_i \leftarrow H(x(R - iS)), \forall i$
Receiver: $k \leftarrow H(yS = xyB)$
• $R$ uniformly random: privacy for Receiver
• Square DH: privacy for Sender
• Sender precomputes $T = xS$
• $H$ is modeled as RO

Our Real-OT Construction
[Diagram: Sender and Receiver run the random OT]
Sender: $c_i = E_{k_i}(m_i), \forall i$
Receiver: $m_b = D_k(c_b)$
• Encryption scheme: $E_k(m) = k \oplus (m \,|\, 0^\lambda)$
$D_k(c = (m' \,|\, t) \oplus k) = \begin{cases} m' & \text{if } t = 0^\lambda \\ \text{FAIL} & \text{otherwise} \end{cases}$

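The random-OT and real-OT constructions on the two slides above, run end to end as an added example (not the authors' code, which is the constant-time implementation at orlandi.dk/simpleOT). Assumptions: toy affine edwards25519 arithmetic, SHAKE-256 standing in for $H$, $\lambda$ = 16 bytes, and hypothetical function names.

```python
import hashlib, secrets
# Toy edwards25519 arithmetic: affine, NOT constant-time, no point validation.
P = 2**255 - 19
D = -121665 * pow(121666, -1, P) % P
L = 2**252 + 27742317777372353535851937790883648493  # prime order of B
LAM = 16  # lambda in bytes (assumed value)

def add(a, b):
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1*y2 + x2*y1) * pow(1 + t, -1, P) % P,
            (y1*y2 + x1*x2) * pow(1 - t, -1, P) % P)

def mul(k, pt):
    acc = (0, 1)  # identity
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

BY = 4 * pow(5, -1, P) % P  # base point B: y = 4/5, x from the curve equation
U = (BY*BY - 1) * pow(D*BY*BY + 1, -1, P) % P
BX = pow(U, (P + 3) // 8, P)
if BX * BX % P != U: BX = BX * pow(2, (P - 1) // 4, P) % P
B = (BX, BY)

def H(pt, n):  # stand-in for the random oracle H: SHAKE-256 (assumption)
    return hashlib.shake_256(b"".join(c.to_bytes(32, "little") for c in pt)).digest(n)
def xor(a, b): return bytes(i ^ j for i, j in zip(a, b))

def receiver_choose(S, b):
    y = secrets.randbelow(L - 1) + 1
    return add(mul(y, B), mul(b, S)), mul(y, S)  # R = yB + bS, key point yS

def sender_encrypt(x, S, R, msgs):
    pt, T, cts = mul(x, R), mul(x, S), []  # xR, and the precomputed T = xS
    for m in msgs:  # at step i, pt = xR - iT = x(R - iS)
        cts.append(xor(H(pt, len(m) + LAM), m + bytes(LAM)))  # k XOR (m | 0^lambda)
        pt = add(pt, (-T[0] % P, T[1]))  # subtract T (negation flips x)
    return cts

def receiver_decrypt(yS, c):
    m = xor(H(yS, len(c)), c)
    return m[:-LAM] if m[-LAM:] == bytes(LAM) else None  # None means FAIL

def run_ot(msgs, b):  # both parties in one process, for demonstration
    x = secrets.randbelow(L - 1) + 1
    S = mul(x, B)
    R, yS = receiver_choose(S, b)
    return [receiver_decrypt(yS, c) for c in sender_encrypt(x, S, R, msgs)]
```

`run_ot` returns the Receiver's decryption attempt for every ciphertext: only position $b$ yields a message, and the $0^\lambda$ check makes every other position FAIL.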
The Naor-Pinkas OT
• #exponentiations: n vs. 2 offline (3 online)
[Figure: $R_{b=0}$, $R_{b=1}$, $R_{b=2}$, $R_{b=3}$ with labels $s_1, s_2, s_3$ and $s$]
• Game-based proof vs. simulation-based proof (UC)

The Encryption Scheme
$E, D$ needs to satisfy
• Robustness: Given a set of random keys, it is hard for A to generate a ciphertext that can be decrypted with more than one key.
• Non-committing: it is possible for a simulator to come up with a ciphertext which can later be explained as an encryption of any message

Base-OT Implementation
• [ALSZ13]: based on MIRACL, used in the SCAPI library

                     Our work      [ALSZ13]
Curve                Curve25519    NIST K-283
Constant-time        Yes           No
Million Cycles/OT    0.23          2.47

• code available at orlandi.dk/simpleOT