verifiable homomorphic oblivious transfer and private
play

Verifiable Homomorphic Oblivious Transfer and Private Equality Test - PowerPoint PPT Presentation

Jan 01, 2024 •590 likes •891 views

Verifiable Homomorphic Oblivious Transfer and Private Equality Test Helger Lipmaa Helsinki University of Technology http://www.tcs.hut.fi/helger Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 1 Overview of

  1. Verifiable Homomorphic Oblivious Transfer and Private Equality Test Helger Lipmaa Helsinki University of Technology http://www.tcs.hut.fi/˜helger Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 1

  2. Overview of This Talk • What are Oblivious Transfer and Private Equality Test? • Building Block: Affine Cryptosystems • New (Verifiable) Homomorphic Oblivious Transfer protocols • New (Verifiable) Homomorphic Private Equality Tests • Application: Proxy Verifiable HPET and Auctions Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 2

  3. Overview of This Talk • What are Oblivious Transfer and Private Equality Test? • Building Block: Affine Cryptosystems • New (Verifiable) Homomorphic Oblivious Transfer protocols • New (Verifiable) Homomorphic Private Equality Tests • Application: Proxy Verifiable HPET and Auctions Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 3

  4. � n � -Oblivious Transfer 1 • Sender has private input, database µ = ( µ 1 , . . . , µ n ) • Chooser has private input, index σ ∈ [1 , n ] • Chooser and Sender participate in the two-party protocol • Chooser has private output µ σ • Nothing more will be leaked. If σ �∈ [1 , n ] , chooser gets garbage • Numerous applications in cryptography Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 4

  5. � n � Verifiable -Oblivious Transfer 1 • Sender has private input, database µ = ( µ 1 , . . . , µ n ) • Chooser has private input, index σ ∈ [1 , n ] • Chooser and Sender participate in the two-party protocol • Chooser has private output µ σ and commitments to µ i for i ∈ [1 , n ] • Nothing more will be leaked • Numerous applications in cryptography Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 5

  6. � n � Verifiable -Oblivious Transfer 1 • Sender has private input, database µ = ( µ 1 , . . . , µ n ) • Chooser has private input, index σ ∈ [1 , n ] • Chooser and Sender participate in the two-party protocol • Chooser has private output µ σ and commitments to µ i for i ∈ [1 , n ] • Nothing more will be leaked. If σ �∈ [1 , n ] , chooser gets garbage • Numerous applications in cryptography Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 6

  7. Private Equality Test • Sender has private input, W Sen • Chooser has private input, W Cho • Chooser and Sender participate in the two-party protocol • Chooser has private output [ W Sen = W Cho ] (one bit) • Nothing more will be leaked. Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 7

  8. Verifiable Private Equality Test • Sender has private input, W Sen • Chooser has private input, W Cho • Chooser and Sender participate in the two-party protocol • Chooser has private output [ W Sen = W Cho ] (one bit) and a commit- ment to W Sen • Nothing more will be leaked Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 8

  9. Overview of This Talk • What are Oblivious Transfer and Private Equality Test? • Building Block: Affine Cryptosystems • New (Verifiable) Homomorphic Oblivious Transfer protocols • New (Verifiable) Homomorphic Private Equality Tests • Application: Proxy Verifiable HPET and Auctions Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 9

  10. Affine Cryptosystems, 1/4 • A public-key cryptosystem is a triple Π = ( G Π , E, D ) of key genera- tion, encryption and decryption algorithms • Denote the plaintext space by M Π ( x ) , where x is the private key • R Π ( x ) is the randomness space and C Π ( x ) is the ciphertext space • Π is homomorphic: E K ( m 1 ; r 1 ) E K ( m 2 ; r 2 ) = E K ( m 1 + m 2 ; r 1 ◦ r 2 ) Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 10

  11. Affine Cryptosystems, 2/4 • For two random variables (distributions) X and Y over discrete support U , define their statistical difference as ∆ ( X || Y ) := max S ⊆ U | Pr[ X ∈ S ] − Pr[ Y ∈ S ] | . • Π is ε -affine if there exist two PPT algorithms ( S, T ) , s.t. for any pair of private and public keys ( x, K ) , � S (1 k , K ) a + b || T (1 k , K ) � max ≤ ε k . a,b ∈M Π ( x ) ,a � =0 ∆ Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 11

  12. Affine Cryptosystems, 3/4 • Π is perfectly affine if it is 0 -affine and statistically affine if it is (1 / 2 − ε ) -affine. • Π is computationally affine if it is affine w.r.t. any a, b that can be effi- ciently generated Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 12

  13. Affine Cryptosystems, 4/4 • Π is perfectly affine if M Π ( x ) is a cyclic group of known order • Π is computationally affine if M Π ( x ) is a cyclic group, where it is hard for the decrypter to factor |M Π ( x ) | • If decrypter can factor M Π ( x ) then Π is not affine! • Perfectly affine: ElGamal • Computationally affine: ⋆ Damg˚ ard-Jurik [DJ03], Bresson-Catalano-Pointcheval Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 13

  14. Overview of This Talk • What are Oblivious Transfer and Private Equality Test? • Building Block: Affine Cryptosystems • New (Verifiable) Homomorphic Oblivious Transfer protocols • New (Verifiable) Homomorphic Private Equality Tests • Application: Proxy Verifiable HPET and Auctions Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 14

  15. Aiello-Ishai-Reingold OT Protocol AIR Assume that Π = ( G Π , E, D ; S, T ) is a perfectly affine homomorphic cryptosystem Chooser Sender ( x, K ) ← G Π ( x ) r ← R R Π ( x ) c ← E K ( σ ; r ) ( K, c ) For i ∈ [1 , n ] do s i ← Z |M Π ( x ) | r i ← R Π ( x ) c i ← E K ( µ i + s i ( i − σ ); r s i ◦ r i ) ( c 1 , . . . , c n ) µ σ ← D K ( c σ ) Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 15

  16. The New Homomorphic OT Protocol HOT Assume that Π = ( G Π , E, D ; S, T ) is an affine homomorphic cryptosys- tem Chooser Sender ( x, K ) ← G Π ( x ) r ← R R Π ( x ) c ← E K ( σ ; r ) ( K, c ) For i ∈ [1 , n ] do s i ← Z |M Π ( x ) | r i ← R Π ( x ) c i ← E K ( µ i + s i ( i − σ ); r s i ◦ r i ) ( c 1 , . . . , c n ) µ σ ← D K ( c σ ) Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 16

  17. Comparison • When Π is perfectly affine, HOT=AIR: perfect sender-privacy • When Π is computationally affine: computational sender-privacy ⋆ AIR was not defined for composite |M Π ( x ) | • If Π is not affine, sender-privacy can be trivially broken Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 17

  18. Weak sender-privacy • There are many homomorphic cryptosystems that are not affine • It would be nice to extend HOT to such PKCs • Idea: weaken the security requirement Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 18

  19. � n � -Oblivious Transfer: Weak Security 1 • Sender has private input, database µ = ( µ 1 , . . . , µ n ) . Chooser has private input, index σ ∈ [1 , n ] • Chooser has private output µ σ • Nothing more will be leaked • If σ �∈ [1 , n ] , chooser gets some information about one element µ i , i ∈ [1 , n ] • Sufficient in many applications (i.e., pay per view) Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 19

  20. Weak Sender-Privacy of HOT Theorem. HOT is weakly sender-private if the smallest prime divisor of |M Π ( x ) | is ≥ n . Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 20

  21. Weak Sender-Privacy of HOT Theorem. HOT is weakly sender-private if the smallest prime divisor of |M Π ( x ) | is ≥ n . Π Security Weak security ElGamal Perfect Perfect DJ03 Computational Perfect DJ01 — Perfect Paillier — Perfect Naccache-Stern — Perfect (possibly) Okamoto-Uchiyama — Perfect (possibly) Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 21

  22. Verifiable Homomorphic OT Protocol VHOT Assume that Π = ( G Π , E, D ; S, T ) is an affine homomorphic cryp- tosystem, Γ = ( G Γ , C ) is a homomorphic commitment scheme, tr : M Π ( x ) → R Γ (˜ x ) and retrieve : C ˜ K ( m ; 1) �→ m Chooser Sender x, ˜ ( x, K ) ← G Π (1 k ) , (˜ K ) ← G Γ (1 k ) r ← R R Π ( x ) c ← E K ( σ ; r ) ( K, ˜ K, c ) m i ← T (1 k , K ) , s i ← S (1 k , K ) For i ∈ [1 , n ] do r i ← R Π ( x ) c i ← C ˜ K ( µ i ; tr ( m i )) v i ← E K ( m i + s i ( i − σ ); r s i ◦ r i ) ( c 1 , v 1 , . . . , c n , v n ) K (0; tr ( D K ( v σ )) − 1 )) µ σ ← retrieve ( c σ · C ˜ Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 22

  23. Security of the VHOT protocol • Perfectly sender-private when Γ is perfectly hiding, tr is injection, |M Π | = |R Γ | is a prime • Statistically sender-private when Γ is statistically hiding, |M Π | ≈ |R Γ | , . . . • Perfect privacy: Π is ElGamal and Γ is Pedersen (with the same plain- text group) Drawback: retrieve : g m → m involves computation of discrete loga- rithm (ok if m is known to be small) • Statistical privacy: Π is ElGamal and Γ is CGHN [CGHN01], then retrieve is an efficient function Asiacrypt 2003, 03.12.2003 Verifiable Homomorphic OT and PET, Helger Lipmaa 23

Recommend

July 23, 2016 STM 2016 Outline Background Additively homomorphic encryption Beacon

July 23, 2016 STM 2016 Outline Background Additively homomorphic encryption Beacon

July 23, 2016 STM 2016 Outline Background Additively homomorphic encryption Beacon search by Oblivious transfer Genome sequence search Overview of the proposed method Recursive oblivious transfer Burrows Wheeler

974 views • 70 slides
Some Consequences about Oblivious Polynomial Evaluation from Existence of the Homomorphic and Non

Some Consequences about Oblivious Polynomial Evaluation from Existence of the Homomorphic and Non

Some Consequences about Oblivious Polynomial Evaluation from Existence of the Homomorphic and Non Committing Encryption Chunhua Su*, Tadashi Araragi $ , Takashi Nishide *, Kouichi Sakurai* *Department of Computer Science and Communication

260 views • 6 slides
A Framework for Efficient and Composable Oblivious Transfer Chris Peikert 1 Vinod Vaikuntanathan

A Framework for Efficient and Composable Oblivious Transfer Chris Peikert 1 Vinod Vaikuntanathan

A Framework for Efficient and Composable Oblivious Transfer Chris Peikert 1 Vinod Vaikuntanathan 2 Brent Waters 1 1 SRI International 2 MIT CRYPTO 2008 1 / 10 Oblivious Transfer [R81,EGL85,BCR86,C87,K88,CK88,C89,CS91,CGT95,DCP95,FMR96,BC97,. .

1.02k views • 50 slides
Generic Construction of UC-Secure Oblivious Transfer O. Blazy , C.Chevalier O. Blazy (Xlim)

Generic Construction of UC-Secure Oblivious Transfer O. Blazy , C.Chevalier O. Blazy (Xlim)

Generic Construction of UC-Secure Oblivious Transfer O. Blazy , C.Chevalier O. Blazy (Xlim) Generic OT 1 / 20 Global Framework 1 Cryptographic Tools 2 1-out-of- t Oblivious Transfer 3 Instantiation 4 Conclusion 5 O. Blazy (Xlim)

852 views • 45 slides
Differentially Private Oblivious RAM Sameer Wagh , Paul Cuff , Prateek Mittal July 24,

Differentially Private Oblivious RAM Sameer Wagh , Paul Cuff , Prateek Mittal July 24,

Differentially Private Oblivious RAM Sameer Wagh , Paul Cuff , Prateek Mittal July 24, 2019 Princeton University, Renaissance Technologies Introduction: Oblivious RAM Access data privately from private database. 1

898 views • 55 slides
ON THE FEASIBILITY OF EXTENDING OBLIVIOUS TRANSFER Yehuda Lindell Yehuda Lindell Hila Zarosim

ON THE FEASIBILITY OF EXTENDING OBLIVIOUS TRANSFER Yehuda Lindell Yehuda Lindell Hila Zarosim

ON THE FEASIBILITY OF EXTENDING OBLIVIOUS TRANSFER Yehuda Lindell Yehuda Lindell Hila Zarosim Hila Zarosim TCC 2013 Obli i Oblivious Transfer T f The other message message remains secret to the the receiver Obli i Oblivious

757 views • 38 slides
SFE: Yaos Garbled Circuit Oblivious Transfer IDEAL World Pick one out of two, without

SFE: Yaos Garbled Circuit Oblivious Transfer IDEAL World Pick one out of two, without

SFE: Yaos Garbled Circuit Oblivious Transfer IDEAL World Pick one out of two, without revealing which Intuitive property: OT transfer partial A:up, B:down A up I need just information All 2 of one them! But cant

432 views • 20 slides
Constant-Rate Oblivious Transfer from Noisy Channels Yuval I shai Eyal K ushilevitz Rafail O

Constant-Rate Oblivious Transfer from Noisy Channels Yuval I shai Eyal K ushilevitz Rafail O

Constant-Rate Oblivious Transfer from Noisy Channels Yuval I shai Eyal K ushilevitz Rafail O strovsky Manoj P rabhakaran Amit S ahai Jrg W ullschleger Tuesday, August 23, 2011 Constant-Rate Oblivious Transfer from Noisy Channels Yuval I shai

1.25k views • 95 slides
Optimistic Fair Priced Oblivious Transfer A. Rial B. Preneel Katholieke Universiteit Leuven -

Optimistic Fair Priced Oblivious Transfer A. Rial B. Preneel Katholieke Universiteit Leuven -

Motivation Efficient Priced Oblivious Transfer Optimistic Fair POT Optimistic Fair Priced Oblivious Transfer A. Rial B. Preneel Katholieke Universiteit Leuven - ESAT-COSIC IBBT Africacrypt 2010 A. Rial Optimistic Fair POT Motivation

1.08k views • 78 slides
Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer Hong-Sheng

Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer Hong-Sheng

Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer Hong-Sheng Zhou University of Connecticut Joint work with Juan Garay (AT&T) and Daniel Wichs (NYU) CRYPTO 2009 Outline Background New Approach

789 views • 36 slides
Enhanced Tally Scheme for the DEMOS End-2- End Verifiable E-voting Thomas Souliotis 1

Enhanced Tally Scheme for the DEMOS End-2- End Verifiable E-voting Thomas Souliotis 1

Enhanced Tally Scheme for the DEMOS End-2- End Verifiable E-voting Thomas Souliotis 1 Table of Contents Background Public Key Cryptography Zero Knowledge Proofs Homomorphic Encryption DEMOS Introduction

492 views • 34 slides
More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries Gilad

More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries Gilad

More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries Gilad Asharov Hebrew University Yehuda Lindell Bar-Ilan University Thomas Schneider Darmstadt Michael Zohner Darmstadt EUROCRYPT 2015 From Theory to

498 views • 37 slides
The Simplest Protocol for Oblivious Transfer Tung Chou Technische Universiteit Eindhoven, The

The Simplest Protocol for Oblivious Transfer Tung Chou Technische Universiteit Eindhoven, The

The Simplest Protocol for Oblivious Transfer Tung Chou Technische Universiteit Eindhoven, The Netherlands August 24, 2015 Latincrypt 2015, Guadalajara, Mexico Joint work with Claudio Orlandi 2 OTs 1 Sender Receiver 2 OTs

930 views • 28 slides
k -Round Multiparty Computation from k -Round Oblivious Transfer via Garbled Interactive Circuits

k -Round Multiparty Computation from k -Round Oblivious Transfer via Garbled Interactive Circuits

k -Round Multiparty Computation from k -Round Oblivious Transfer via Garbled Interactive Circuits Fabrice Benhamouda Huijia (Rachel) Lin IBM Research / Columbia University, US University of California, Santa Barbara, US Eurocrypt 2018, May 1,

1.03k views • 85 slides
Experimental realisation of quantum oblivious transfer Ryan Amiri 1 , Robert Strek 2 , Michal

Experimental realisation of quantum oblivious transfer Ryan Amiri 1 , Robert Strek 2 , Michal

Experimental realisation of quantum oblivious transfer Ryan Amiri 1 , Robert Strek 2 , Michal Miuda 2 , Ladislav Mita 2 , Jr., Miloslav Duek 2 , Petros Wallden 3 , and Erika Andersson 1 1 SUPA, Institute of Photonics and Quantum Sciences,

752 views • 29 slides
Two Round Oblivious Transfer from CDH or LPN Eurocrypt 2020 Nico Dttling Sanjam Garg Mohammad

Two Round Oblivious Transfer from CDH or LPN Eurocrypt 2020 Nico Dttling Sanjam Garg Mohammad

Two Round Oblivious Transfer from CDH or LPN Eurocrypt 2020 Nico Dttling Sanjam Garg Mohammad Hajiabadi Daniel Masny Daniel Wichs CISPA Helmholtz Center for Information Security UC Berkeley Visa Research Northeastern University

425 views • 13 slides
Adaptive Oblivious Transfer And Generalization Olivier Blazy, C eline Chevalier, Paul Germouty

Adaptive Oblivious Transfer And Generalization Olivier Blazy, C eline Chevalier, Paul Germouty

Adaptive Oblivious Transfer And Generalization Olivier Blazy, C eline Chevalier, Paul Germouty December 5, 2016 O. Blazy, C. Chevalier, P . Germouty December 5, 2016 1 / 31 Oblivious Transfer 1 OLBE: A Natural Generalization 2 Adaptive

1.51k views • 88 slides
Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic

Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic

Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic Encryption Group Homomorphism: Two groups G and G are homomorphic if there exists a function (homomorphism) f:G G such that for all x,y G,

1.79k views • 165 slides
Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware F LORIAN T

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware F LORIAN T

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware F LORIAN T RAMR & D AN B ONEH ICLR, New Orleans May 7 th 2019 2 Securely outsourcing ML inference with hardware isolation - Intel SGX input X -

554 views • 10 slides
Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Florian

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Florian

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Florian Tramr (joint work with Dan Boneh) Intel, Santa Clara August 30 th 2018 Trusted execution of ML: 3 motivating scenarios 1. Outsourced ML Data

781 views • 21 slides
VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

Confrence de lancement de l'ANR Ciao, Fvrier 2020, Bordeaux, France VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things down VERIFIABLE DELAY FUNCTIONS [Boneh, Bonneau, Bnz, Fisch 2018] A VDF is

616 views • 32 slides
Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption

Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption

Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption Standardization Consortium HomomorphicEncryption.org 0.1 Presenters Roger A. Hallman (SPAWAR Systems Center Pacific; Thayer School of

1.36k views • 91 slides
Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of

Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of

Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of Virginia Why do these matter? Alternative consensus protocols Applications to public randomness generation Leader election Bitcoin Proof of Work

355 views • 19 slides
Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e

Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e

Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e Boyle Niv Gilboa Yuval Ishai IDC BGU Technion & UCLA Secure ComputaGon Approaches Classical

342 views • 33 slides

More recommend