MTAT Cryptology II. Oblivious Transfer. Sven Laur University of Tartu

Hasonló dokumentumok
Construction of a cube given with its centre and a sideline

On The Number Of Slim Semimodular Lattices

Using the CW-Net in a user defined IP network

Miskolci Egyetem Gazdaságtudományi Kar Üzleti Információgazdálkodási és Módszertani Intézet Nonparametric Tests

Supporting Information

Dependency preservation

Mapping Sequencing Reads to a Reference Genome

Utasítások. Üzembe helyezés

Miskolci Egyetem Gazdaságtudományi Kar Üzleti Információgazdálkodási és Módszertani Intézet. Nonparametric Tests. Petra Petrovics.

Cashback 2015 Deposit Promotion teljes szabályzat

Angol Középfokú Nyelvvizsgázók Bibliája: Nyelvtani összefoglalás, 30 kidolgozott szóbeli tétel, esszé és minta levelek + rendhagyó igék jelentéssel

Efficient symmetric key private authentication

Computer Architecture

Genome 373: Hidden Markov Models I. Doug Fowler

Miskolci Egyetem Gazdaságtudományi Kar Üzleti Információgazdálkodási és Módszertani Intézet. Hypothesis Testing. Petra Petrovics.

Create & validate a signature

Block cipher modes. - five standardized modes (operation, properties)

Block cipher modes. Cryptographic Protocols (EIT ICT MSc) Dr. Levente Buttyán

Performance Modeling of Intelligent Car Parking Systems

Local fluctuations of critical Mandelbrot cascades. Konrad Kolesko

Can/be able to. Using Can in Present, Past, and Future. A Can jelen, múlt és jövő idejű használata

ANGOL NYELVI SZINTFELMÉRŐ 2012 A CSOPORT. to into after of about on for in at from

Ensemble Kalman Filters Part 1: The basics

GEOGRAPHICAL ECONOMICS B

A modern e-learning lehetőségei a tűzoltók oktatásának fejlesztésében. Dicse Jenő üzletfejlesztési igazgató

Phenotype. Genotype. It is like any other experiment! What is a bioinformatics experiment? Remember the Goal. Infectious Disease Paradigm

There is/are/were/was/will be

Cloud computing. Cloud computing. Dr. Bakonyi Péter.

Relative Clauses Alárendelő mellékmondat


Teszt topológia E1/1 E1/0 SW1 E1/0 E1/0 SW3 SW2. Kuris Ferenc - [HUN] Cisco Blog -

Lecture 11: Genetic Algorithms

Miskolci Egyetem Gazdaságtudományi Kar Üzleti Információgazdálkodási és Módszertani Intézet Factor Analysis

Lopocsi Istvánné MINTA DOLGOZATOK FELTÉTELES MONDATOK. (1 st, 2 nd, 3 rd CONDITIONAL) + ANSWER KEY PRESENT PERFECT + ANSWER KEY

INTELLIGENT ENERGY EUROPE PROGRAMME BUILD UP SKILLS TRAINBUD. Quality label system

SQL/PSM kurzorok rész

TestLine - Angol teszt Minta feladatsor

ANGOL NYELVI SZINTFELMÉRŐ 2013 A CSOPORT. on of for from in by with up to at

associate professor BME Híradástechnikai Tanszék Lab of Cryptography and System Security (CrySyS)

Néhány folyóiratkereső rendszer felsorolása és példa segítségével vázlatos bemutatása Sasvári Péter

Budapest By Vince Kiado, Klösz György

EXKLUZÍV AJÁNDÉKANYAGOD A Phrasal Verb hadsereg! 2. rész

Cloud computing Dr. Bakonyi Péter.

(NGB_TA024_1) MÉRÉSI JEGYZŐKÖNYV

MATEMATIKA ANGOL NYELVEN MATHEMATICS

FAMILY STRUCTURES THROUGH THE LIFE CYCLE

3. MINTAFELADATSOR KÖZÉPSZINT. Az írásbeli vizsga időtartama: 30 perc. III. Hallott szöveg értése

Bevezetés a kvantum-informatikába és kommunikációba 2015/2016 tavasz

Statistical Inference

Word and Polygon List for Obtuse Triangular Billiards II

Probabilistic Analysis and Randomized Algorithms. Alexandre David B2-206

Sebastián Sáez Senior Trade Economist INTERNATIONAL TRADE DEPARTMENT WORLD BANK

Please stay here. Peter asked me to stay there. He asked me if I could do it then. Can you do it now?

Eladni könnyedén? Oracle Sales Cloud. Horváth Tünde Principal Sales Consultant március 23.

A logaritmikus legkisebb négyzetek módszerének karakterizációi

ANGOL NYELV KÖZÉPSZINT SZÓBELI VIZSGA I. VIZSGÁZTATÓI PÉLDÁNY

ANGOL NYELV KÖZÉPSZINT SZÓBELI VIZSGA I. VIZSGÁZTATÓI PÉLDÁNY

Számítógéppel irányított rendszerek elmélete. Gyakorlat - Mintavételezés, DT-LTI rendszermodellek

Az Open Data jogi háttere. Dr. Telek Eszter

EN United in diversity EN A8-0206/445. Amendment

OLYMPICS! SUMMER CAMP

Cluster Analysis. Potyó László

FORGÁCS ANNA 1 LISÁNYI ENDRÉNÉ BEKE JUDIT 2

STUDENT LOGBOOK. 1 week general practice course for the 6 th year medical students SEMMELWEIS EGYETEM. Name of the student:

KERÜLETI DIÁKHETEK VERSENYKIÍRÁS 2017.

Magyar ügyek az Európai Unió Bírósága előtt Hungarian cases before the European Court of Justice

KÖZGAZDASÁGI ALAPISMERETEK (ELMÉLETI GAZDASÁGTAN) ANGOL NYELVEN BASIC PRINCIPLES OF ECONOMY (THEORETICAL ECONOMICS)

Ültetési és öntözési javaslatok. Planting and watering instructions

T Á J É K O Z T A T Ó. A 1108INT számú nyomtatvány a webcímen a Letöltések Nyomtatványkitöltő programok fülön érhető el.

Tudományos Ismeretterjesztő Társulat

Nemzetközi Kenguru Matematikatábor

(c) 2004 F. Estrada & A. Jepson & D. Fleet Canny Edges Tutorial: Oct. 4, '03 Canny Edges Tutorial References: ffl imagetutorial.m ffl cannytutorial.m

Választási modellek 3

This document has been provided by the International Center for Not-for-Profit Law (ICNL).

SAJTÓKÖZLEMÉNY Budapest július 13.

MATEMATIKA ANGOL NYELVEN

Üzleti élet Nyitás. Nagyon hivatalos, a címzettnek meghatározott rangja van, aminek szerepelnie kell

Minta ANGOL NYELV KÖZÉPSZINT SZÓBELI VIZSGA II. Minta VIZSGÁZTATÓI PÉLDÁNY

Statistical Dependence

Üzleti élet Nyitás. Nagyon hivatalos, a címzettnek meghatározott rangja van, aminek szerepelnie kell

Unit 10: In Context 55. In Context. What's the Exam Task? Mediation Task B 2: Translation of an informal letter from Hungarian to English.

NYOMÁSOS ÖNTÉS KÖZBEN ÉBREDŐ NYOMÁSVISZONYOK MÉRÉTECHNOLÓGIAI TERVEZÉSE DEVELOPMENT OF CAVITY PRESSURE MEASUREMENT FOR HIGH PRESURE DIE CASTING

Lexington Public Schools 146 Maple Street Lexington, Massachusetts 02420

Smaller Pleasures. Apróbb örömök. Keleti lakk tárgyak Répás János Sándor mûhelyébõl Lacquerware from the workshop of Répás János Sándor

Longman Exams Dictionary egynyelvű angol szótár nyelvvizsgára készülőknek

PIACI HIRDETMÉNY / MARKET NOTICE

USER MANUAL Guest user

First experiences with Gd fuel assemblies in. Tamás Parkó, Botond Beliczai AER Symposium

EN United in diversity EN A8-0206/482. Amendment

It Could be Worse. tried megpróbált while miközben. terrifying. curtain függöny

Széchenyi István Egyetem

Mr. Adam Smith Smith's Plastics 8 Crossfield Road Selly Oak Birmingham West Midlands B29 1WQ

Abigail Norfleet James, Ph.D.

A rosszindulatú daganatos halálozás változása 1975 és 2001 között Magyarországon

PAST ÉS PAST PERFECT SUBJUNCTIVE (múlt idejű kötőmód)

Ellenőrző lista. 2. Hálózati útvonal beállítások, kapcsolatok, névfeloldások ellenőrzése: WebEC és BKPR URL-k kliensről történő ellenőrzése.

Correlation & Linear Regression in SPSS

2. Local communities involved in landscape architecture in Óbuda

EN United in diversity EN A8-0206/419. Amendment

Contact us Toll free (800) fax (800)

Átírás:

MTAT.07.003 Cryptology II Oblivious Transfer Sven Laur University of Tartu

Ideal implementation b x 0, x 1 b x 0, x 1 x b Ideal ( 2 1) -OT The protocol is always carried out between a client P 1 and a sender P 2. The server P 2 has a database of two elements x 0,x 1 M. The client P 1 can fetch either x 0 or x 1 so that the server P 2 cannot detect which element is fetched. The client should not learn anything more than x b. Moreover, the client should be always aware of his or her choice b. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 1

How to handle large databases? Theorem. 1-out-of-2 l oblivious transfer protocol for k-bit strings can be implemented using 1-out-of-2 oblivious transfer protocol for 2 l k-bit strings. Simplified proof To encode x 00,...,x 11, generate uniformly matrices Y and Z such that x 00 x 01 x 10 x 11 = y 00 y 01 y 10 y 11 z 00 z 01 z 10 z 11 Next the client uses 1-out-of-2 oblivious transfer twice. First, the client must fetch the correct column of Y. Second, the client must fetch the correct row of Z. Even a malicious client can learn only a single entry x ab and he or she must be aware of the location ab. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 2

Solution to the millionaires problem Let w 1,w 2 {1,...,n} be the total wealth of two millionaires. Then one of them can find out who is richer and nothing more with the help of oblivious transfer protocol. The construction was first published by Yao (1982). The first millionaire creates an n-element table of possible answers 1 2 n w 1 > 1 w 1 > 2 w 1 > n The second millionaire fetches the w 2 th entry from the table and thus learns the value w 1 > w 2. The protocol is secure only if the first millionaire behaves semi-honestly. This construction can be generalised for all functions with small input range. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 3

Multiplication Oblivious transfer Theorem. Given an ideal multiplication protocol, we can implement 1-outof-2 oblivious transfer. Given an ideal 1-out-of-2 oblivious transfer protocol we can implement multiplication over Z 2 in the semihonest model. Clarification Observe that x b = (1 b)x 0 + bx 1 and thus any multiplication protocol that provides shares is sufficient to implement oblivious transfer. Oblivious transfer is sufficient to implement multiplication, since the sender can use columns of the multiplication table as the input. Kilian proved in 1988 that zero-knowledge proofs and commitments can be constructed using only oblivious transfer protocol. Hence, we can use commitment and zero knowledge proofs to eliminate malicious behaviour. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 4

Homomorphic Oblivious Transfer

Homomorphic encryption A public key cryptosystem (Gen, Enc, Dec) is an additively homomorphic cryptosystem if for any two message m 1,m 2 M the distributions Enc pk (m 1 ) Enc pk (m 2 ) Enc pk (m 1 + m 2 ) coincide even if we fix a ciphertext Enc pk (m 1 ). Multiplying a ciphertext Enc pk (m) with a newly generated Enc pk (0) completely destroys all extra information besides the value m. We can compute also crypto-compute multiplication Enc pk (m 1 ) m2 Enc pk (0) Enc pk (m 1 m 2 ). MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 5

Famous examples The Goldwasser-Micali cryptosystem is additively homomorphic over Z 2. The lifted ElGamal cryptosystem is additively homomorphic over Z p Enc pk (m) = Enc pk (g m ) = (g r,g m y r ) Dec sk (c 1,c 2 ) = log g [Dec(c 1, c 2 )] = log g [ c2 c x 1 For obvious reason, the decryption rule Dec sk ( ) can be efficiently computed for few ciphertexts or otherwise the cryptosystem would not be secure. The Paillier cryptosystem uses lifting with together with a trapdoor that allows us to efficiently compute discrete logarithms. The corresponding message space is Z n where n is RSA modulus. ] MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 6

Aiello-Ishai-Reingold oblivious transfer b x 0,x 1 (pk, sk) Gen c Enc pk (b) m b Dec sk (d b ) pk, c d 0,d 1 Halt if c / C r 0,r 1 u M d 0 c r 0 Enc pk (x 0 ) d 1 ( c r1 Enc pk (1)) Enc pk (x 1 ) If (Gen, Enc,Dec) be an additively homomorphic cryptosystem then d 0 Enc pk (b) r0 Enc pk (x 0 ) Enc pk (x 0 + br 0 ), d 1 Enc pk (b 1) r1 Enc pk (x 1 ) Enc pk ( x1 + (b 1)r 1 ). If the message space has prime order then br 0 has uniform distribution if b 0 and (b 1)r 1 has uniform distribution if b 1. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 7

Security in the semi-honest model Lemma 1. If the cryptosystem is additively homomorphic over Z p, then for any t-time semi-honestly corrupted receiver P 1 there exists t + O(1)-time ideal world adversary P 1 such that the joint output distributions are identical in the real and ideal world. Proof For fixed value b, the messages received by P 1 have the following distribution: d b = Enc pk (x b ) and d b 1 = Enc pk (m) where m M. Given x b from the trusted third party, we can perfectly simulate the reply in the real world. Since the output of P 2 is in both worlds the joint output distribution coincides in both worlds. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 8

Security in the semi-honest model Lemma 2. If the cryptosystem is (t, ε)-ind-cpa secure, then for any τ-time semi-honestly corrupted sender P 2 there exists (τ +O(1))-time ideal world adversary P 2 such that the joint output distributions in the real and ideal world are (t τ,ε)-indistinguishable. Proof The sender receives an encryption of b that we cannot simulate, since the trusted third party sends only to P 2. However, we can replace c with Enc pk (0). Since P 1 outputs m b in both worlds then the output distributions must be (t τ, ε)-indistinguishable. Otherwise, we can construct a new adversary A from the participant P 2 and the output distinguisher B that wins the IND-CPA game. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 9

Interpretation of the results Semi-honest receiver can carry out only the attacks that are possible against ideal implementation. The only benefit the receiver may gain in the real world is a marginal O(1) speed-up compared to the ideal world. Let us consider a specific security goal. Then any of those can be formalised as a predicate B( ) that indicates whether P 2 was successful or not. Lemma 2 indicates that is we consider specific (t τ)-time security goals B( ), then for any τ-time semi-honest sender P 2 Pr [P 2 wins] Pr [P 2 wins] + ε where P 2 is (τ + O(1))-time adversary. In other words, P 2 can achieve only marginal increase ε in success and a marginal O(1) speed-up. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 10

Security against malicious receivers Lemma 3. If the cryptosystem is additively homomorphic over Z p and validity of the public key can be tested, then for any t-time maliciously corrupted receiver P 1 there exists unbounded ideal world adversary P 1 such that the joint output distributions are identical in the real and ideal world. Proof Given a valid public key pk we can always find the corresponding secret key by looking through all valid (pk,sk) pairs. Hence, we can decrypt c and find out the true input of P 1. If b / {0, 1} then the received messages d 0 and d 1 are both random encryptions. Thus we can always perfectly simulate the replies. Other steps in the proof are analogous. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 11

Interpretation of the results Lemma 3 indicates that for each real world attack there is a matching ideal world attack. Hence, the adversary can learn nothing that cannot be computed form the intended output m b. However, the participation in the real world protocol might give a huge computational speedup compared to the ideal world. Hence, participation in the protocol might help P 1 to compute intractable functions from m b. For example, if m b is an encryption, then the protocol might reveal the underlying message. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 12

How to achieve tight security guarantees? If the receiver proves in zero-knowledge that he knows the secret key sk that corresponds to pk then the possible speedup becomes marginal. We can extract secret key by rewinding ZkPok pk [ sk : (sk,pk) Gen]. The simulation becomes efficient if we learn the secret key sk. If the sender is assumed to be semi-honest and the protocol uses the ElGamal encryption, then we can use the Schnorr protocol. To handle malicious senders, we must convert the corresponding sigma protocol pok y [ x : g x = y] to zero-knowledge proof of knowledge. ZkPok y [ x : g x = y] = pok y [ x : g x = y] + coin flipping protocol Fortunately, we can reuse the same key in many protocol instances. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 13

Security against malicious senders To handle a malicious sender, we must extract x 0 and x 1 from P 2. We can add zero-knowledge proofs of knowledge ZkPok [d 0 (x 0, x 1 ) and d 1 (x 0,x 1 ) are correctly formed] and then we can construct the necessary simulator. One possibility is to commit x 0 and x 1 and then execute ZkPok [commitments are properly formed] and then continue with the certified computation protocol. As a result, we get a protocol with enormous computational overhead. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 14

Output consistency b x 0, x 1 b x 0,x 1 Trusted b,x 0, x 1 Halting Third 0/1 H Party conditions x b If the sender first commits pairs (0, x 0 ) and (1, x 1 ) and the oblivious transfer protocol is used to reveal the corresponding decommitment strings, then the malicious sender cannot alter the outputs without getting caught. The sender can still cause selective halting. Cheating behaviour is detectable with high probability. Public complaints reveal information about receiver inputs. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 15

Complete security vs output consistency Both security levels reveal cheating with high probability: Complete security makes all deviations from the protocol that could alter the outcome for some receiver input detectable. Output consistency makes all deviations from the protocol that alter the output for this particular receiver input detectable. Complete security has large computational overhead. Certified computations require extensive amount of extra steps. Output-consistent computations have moderate computational overhead. Commitments are relatively easy to compute. Selective halting can cause privacy issues. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 16

Bellare-Micali Protocol

Vanilla protocol (pk b,sk b ) Gen pk 1 b pk pk 1 b b x 0,x 1 pk pk 0,pk 1 d 0,d 1 (pk, sk) Gen Halt if pk 0 pk 1 pk d 0 Enc pk0 (x 0 ) d 1 Enc pk1 (x 1 ) m b Dec skb (d b ) The protocol works under the assumption that all possible public keys form a group and the distribution of public keys is uniform. The ElGamal cryptosystem has such a public key space. Since the public key pk 1 b is with correct distribution the corresponding ciphertext d 1 b is undecipherable. The protocol can tolerate unbounded senders. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 17

Security in the semi-honest model Lemma. If the public keys are uniformly distributed over some group, then for any t-time semi-honestly corrupted sender P 2 there exists t + O(1)-time ideal world adversary P 2 such that the joint output distributions are identical in the real and ideal world. Proof In the simulator, we can first compute public keys (pk 0, sk 0 ) Gen and (pk 1, sk 1 ) Gen and then set the final key pk pk 0 pk 1. As a result, we can decrypt d 0 and d 1 and send the corresponding messages x 0 and x 1 to trusted third party. The simulation is perfect. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 18

Security in the semi-honest model Lemma. If the public keys are uniformly distributed over some group and the cryptosystem is (t, ε)-ind-cpa secure, then for any τ-time semi-honestly corrupted receiver P 1 there exists τ + O(1)-time ideal world adversary P 1 such that the joint output distributions in the real and ideal world are (t τ, ε)-indistinguishable. Proof We can simulate the reply d b with Enc pkb (x b ) and d 1 b Enc pk1 b (0). As pk 1 b can be taken from the IND-CPA game and the message pk defined as pk pk 0 pk 1, any distinguisher B together with P 1 form a successful IND-CPA adversary. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 19

How to strengthen the protocol? Security against malicious receivers: Sigma protocol that proves that P 1 knows one secret key sk b is sufficient. If the protocol uses the ElGamal encryption, then we can use Schnorr protocol to prove pok y0,y 1 [ x : g x = y 0 g x = y 1 ]. Security against malicious senders: If we do not care about efficiency, then we can always generate (pk 0, sk 0 ) Gen and find sk 1 by exchaustive search. To get efficient simulation, we can always use certified computations. For instance, P 1 and P 2 can jointly generate random coins for pk so that only P 2 learns them but he or she can certify the correctness of pk. MTAT.07.003 Cryptology II, Oblivious Transfer, 13 May, 2009 20

2025 © DocPlayer.hu Adatvédelmi irányelvek | Szolgáltatási feltételek | Visszajelzés