Improved OT Extension for Transferring Short Secrets
Vladimir Kolesnikov (Bell Labs), Ranjit Kumaresan (Technion)
Secure Computation
• Most general problem in cryptography
• Moving fast from theory to practice
  – Major research effort
    • Improving (asymptotic & concrete) efficiency
    • Implementation & “systems” issues
[Figure: two-party secure computation; party 1 holds x and learns f1(x,y), party 2 holds y and learns f2(x,y)]
State of the Art (Semihonest Setting)
• Constant overhead – [IKOS08, GGH+13]
• Optimal comm./round complexity – [GGHR13, AJL+12, LTV12]
• ORAM-based SFE – [LO13, GKK+12, GGH+13]
• Yao garbled circuit optimizations – [KS08, PSSW09, MNPS04], [HEKM11, BHKR13]
• GMW optimizations – [CHKMR12, SZ13, ALSZ13]
• Yao + GMW – [KK12]
[Figure: the items above arranged along a THEORY to PRACTICE axis]
Practical Computational Overhead
• Hierarchy of efficiency
  – FHE >> PKE >> SKE >> one-time pad
  – “LHS >> RHS” ≈ the cost of LHS is, and will probably always be, orders of magnitude bigger than the cost of RHS
• OT extension is motivated by “PKE >> SKE”
Talk Outline
• OT Extension
• Ishai et al. (IKNP) OT Extension
• A New Framework for IKNP
PKE >> SKE
PKE:
• E.g.: KA, OT, SFE
• Hard to implement heuristically
  – More expensive
SKE:
• E.g.: PRG, hash functions
• Easy to implement heuristically
  – Cheaper
• Factor: PKE is ~3-4 orders of magnitude slower than SKE (cf. AES with the Intel AES-NI instruction set)
• PKE cannot be black-box reduced to SKE [IR89]
The Next Best Thing: Extending Primitives
• Extending public key encryption is easy
  – Encrypt the payload with a symmetric key
  – Encrypt the symmetric key with the public key
• Huge practical impact
• What about extending Oblivious Transfer?
[Figure: “OT + ?”, with [IR89] ruling out a black-box reduction to symmetric primitives]
Oblivious Transfer (OT)
[Figure: sender holds (x0, x1) and learns nothing (shown as “???”); receiver holds choice bit r and obtains x_r]
• GMW: OT is used to evaluate each AND gate in the circuit
• Yao: OT is used to select one of two “garbled keys”
Cost of OT
• No black-box reduction from OT to one-way functions [IR89]
• OT length extension is easy (efficient, black-box):
  – Run an OT on short seeds s0, s1; the receiver with choice bit r obtains s_r
  – Sender sends G(s0) ⊕ x0 and G(s1) ⊕ x1, where G is a PRG
  – Receiver recovers x_r = (G(s_r) ⊕ x_r) ⊕ G(s_r)
• OT instance extension is possible [B96, IKNP03]
  – Needs only k “seed” OTs to perform n >> k OTs
  – Additional n symmetric-key (cheap) operations
  – Huge impact on SFE
OT Extension: Prior Work
• [Beaver 96]: First OT extension
• [Ishai-Kilian-Nissim-Petrank 03] (IKNP)
  – Random Oracle (RO) model or correlation robust hash functions (CRHF)
  – Most practical OT extension
• [HIKN08, IPS08, NNOB12]: Malicious adversaries
• [LZ13]: (In)feasibility results for OT extension
• This work: improve semihonest IKNP
Talk Outline
• OT Extension
• Ishai et al. (IKNP) OT Extension
• A New Framework for IKNP
[IKNP03] Strategy
[Figure: n OTs on sender inputs (x_{i,0}, x_{i,1}) and receiver choice bits r_i, i = 1, …, n, are obtained from k seed OTs on s_1, …, s_k (themselves length-extended) plus O(n) evaluations of H]
[IKNP03] Main Reduction
• Receiver picks T ∈_R {0,1}^{n×k}, with rows t_1, …, t_n and columns t^1, …, t^k, and acts as sender in k base OTs: in base OT j it offers the pair (t^j, t^j ⊕ r), where r = (r_1, …, r_n)
• Sender picks s ∈_R {0,1}^k and uses s_j as its choice bit in base OT j; it thus obtains Q ∈ {0,1}^{n×k} with column q^j = t^j if s_j = 0 and q^j = t^j ⊕ r if s_j = 1. Row-wise:
  q_i = t_i        if r_i = 0
  q_i = t_i ⊕ s    if r_i = 1
• For 1 ≤ i ≤ n, Sender sends  y_{i,0} = x_{i,0} ⊕ H(q_i),  y_{i,1} = x_{i,1} ⊕ H(q_i ⊕ s)
• For 1 ≤ i ≤ n, Receiver outputs  z_i = y_{i,r_i} ⊕ H(t_i)
IKNP Cost
• Communication cost of the resulting OT(n, L):
  – Main reduction: 2nL bits
  – Length extension: 2nk bits
• Communication cost of the resulting SFE:
  – [Yao86]: need to transfer keys of length L = k
  – [GMW87]: L = 1, cost = 2nk + 2n bits. Optimal?
Talk Outline
• OT Extension
• Ishai et al. (IKNP) OT Extension
• A New Framework for IKNP
Our Work: A Closer Look at IKNP
[Figure: the columns t^j and t^j ⊕ r of T and U, shown bit by bit for rows with r_i = 0 and rows with r_i = 1]
• Row i of U equals t_i when r_i = 0 and t_i ⊕ 1^k when r_i = 1, i.e.
  T ⊕ U = R,  where row i of R is the bit r_i repeated k times
Alternate Point of View
• Row-wise encoding: 0 → 0^k, 1 → 1^k
• R = T ⊕ U is the n × k matrix whose i-th row is the encoding of r_i
• IKNP uses the repetition encoding
• Can we use other encodings?
A Coding Theoretic Framework for IKNP
• Suppose we use a code C
• Say r_i comes from a larger domain {1, …, m}
• Row-wise encoding: r_i → C(r_i) ∈ {0,1}^k
• Receiver picks T ∈_R {0,1}^{n×k} and forms U = T ⊕ C(R), where row i of C(R) is C(r_i); in base OT j it offers the column pair (t^j, u^j)
• Sender picks s ∈_R {0,1}^k, uses s_j as its choice bit in base OT j, and obtains Q ∈ {0,1}^{n×k} with rows
  q_i = t_i ⊕ (C(r_i) ⦿ s),  1 ≤ i ≤ n,  where ⦿ denotes bit-wise AND
• For 1 ≤ i ≤ n, 1 ≤ r ≤ m, Sender sends  y_{i,r} = x_{i,r} ⊕ H(i, q_i ⊕ (C(r) ⦿ s))
• For 1 ≤ i ≤ n, Receiver outputs  z_i = y_{i,r_i} ⊕ H(i, t_i)
Analysis
• Cost of 1-out-of-m OT(n, L):
  – Communication: 2nk + mnL bits
• OT(n, L) ← 1-out-of-m OT(n/log m, L·log m)
  – Communication: (n/log m)(2k + mL·log m) bits
• Perfect security against a malicious sender
• Statistical security against a semihonest receiver:
  – No loss unless the receiver queries H on (i, t_i ⊕ (C(r) ⦿ s)) for some r
  – Loss in security: m·2^{-d}, where d = minimum distance of C
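The following is an added example, not code from the talk or its authors: a Python simulation that runs the OT length extension from the “Cost of OT” slide, the IKNP main reduction, and the coding-theoretic 1-out-of-m generalisation of this section in one piece of code, with IKNP recovered as the m = 2 / repetition-code case. The k base OTs are replaced by an ideal stand-in (`ideal_ot`), SHA-256 stands in for the PRG G and for the correlation-robust hash H, and all function names, parameters (k = 128 or 256, n = 16, L = 8) and random sample inputs are the example's own assumptions; the Hadamard code and the `comm_bits` cost formula follow the slides. It checks correctness (every z_i equals x_{i,r_i}) and is not a secure or constant-time implementation.

```python
"""Toy simulation of OT extension: IKNP [IKNP03] as the repetition-code case and the
coding-theoretic 1-out-of-m generalisation of [KK13].  Bit-strings are Python ints
(bit j of a k-bit string x is (x >> j) & 1).  Illustrative only; not constant-time."""
import hashlib
import secrets


def prg(seed: int, nbits: int, k: int) -> int:
    """G: expand a k-bit seed to nbits bits (SHA-256 in counter mode stands in for a PRG)."""
    out = b""
    for ctr in range((nbits + 255) // 256):
        out += hashlib.sha256(b"G" + seed.to_bytes(k // 8, "big") + ctr.to_bytes(4, "big")).digest()
    return int.from_bytes(out, "big") >> (8 * len(out) - nbits)


def H(i: int, q: int, k: int, L: int) -> int:
    """Correlation-robust hash H(i, q) -> {0,1}^L, modelled by SHA-256 tweaked with the row index i."""
    d = hashlib.sha256(b"H" + i.to_bytes(4, "big") + q.to_bytes(k // 8, "big")).digest()
    return int.from_bytes(d, "big") >> (256 - L)


def ideal_ot(x0: int, x1: int, c: int) -> int:
    """Stand-in for one k-bit *seed* OT (a public-key base OT in a real deployment)."""
    return x1 if c else x0


def length_extended_ot(x0: int, x1: int, nbits: int, c: int, k: int) -> int:
    """OT of nbits-bit strings from one seed OT plus a PRG: sender sends G(s0)^x0 and G(s1)^x1."""
    s0, s1 = secrets.randbits(k), secrets.randbits(k)      # sender picks seeds
    sc = ideal_ot(s0, s1, c)                                # receiver learns s_c only
    m0, m1 = prg(s0, nbits, k) ^ x0, prg(s1, nbits, k) ^ x1  # 2*nbits bits on the wire
    return (m1 if c else m0) ^ prg(sc, nbits, k)            # receiver unmasks x_c


def repetition_code(k: int):
    """IKNP's implicit code 0 -> 0^k, 1 -> 1^k.  Returns (m, codewords); min distance d = k."""
    return 2, [0, (1 << k) - 1]


def hadamard_code(a: int):
    """Walsh-Hadamard code: r in [2^a] -> (<r, x>)_x over all a-bit x.  k = m = 2^a, d = 2^(a-1)."""
    k = 1 << a
    return k, [sum(1 << x for x in range(k) if bin(r & x).count("1") & 1) for r in range(k)]


def kk_ot_extension(xs, rs, k: int, cw, L: int):
    """n instances of 1-out-of-m OT of L-bit secrets from k base OTs.
    xs[i]: the sender's m secrets for instance i; rs[i] in [m]: the receiver's choice.
    Returns the receiver's outputs z_i, which must equal xs[i][rs[i]]."""
    n, m = len(xs), len(cw)
    col = lambda rows, j: sum(((rows[i] >> j) & 1) << i for i in range(n))  # column j as n-bit int

    # Receiver: random T in {0,1}^{n x k}; U = T xor C(R), where row i of C(R) is C(r_i).
    t_rows = [secrets.randbits(k) for _ in range(n)]
    c_rows = [cw[r] for r in rs]
    u_cols = [col(t_rows, j) ^ col(c_rows, j) for j in range(k)]

    # Sender picks s in {0,1}^k and, as *receiver* of k (length-extended) base OTs with choice
    # bits s_j, obtains q^j = t^j (s_j = 0) or u^j (s_j = 1).  Row-wise: q_i = t_i xor (C(r_i) AND s).
    s = secrets.randbits(k)
    q_cols = [length_extended_ot(col(t_rows, j), u_cols[j], n, (s >> j) & 1, k) for j in range(k)]
    q_rows = [sum(((q_cols[j] >> i) & 1) << j for j in range(k)) for i in range(n)]

    # Sender sends, for every i and every r in [m]:  y_{i,r} = x_{i,r} xor H(i, q_i xor (C(r) AND s)).
    ys = [[xs[i][r] ^ H(i, q_rows[i] ^ (cw[r] & s), k, L) for r in range(m)] for i in range(n)]

    # Receiver outputs z_i = y_{i,r_i} xor H(i, t_i); the masks cancel since q_i xor (C(r_i) AND s) = t_i.
    return [ys[i][rs[i]] ^ H(i, t_rows[i], k, L) for i in range(n)]


def comm_bits(n: int, k: int, L: int, m: int) -> int:
    """Slide 'Analysis': OT(n, L) via 1-out-of-m OT(n/log m, L log m) costs (n/log m)(2k + m L log m) bits."""
    lg = m.bit_length() - 1          # m is assumed to be a power of two
    return (n // lg) * (2 * k + m * L * lg)


def run(n: int, k: int, L: int, code) -> bool:
    """Run one extension on constructed random inputs; True iff every receiver output is correct."""
    m, cw = code
    xs = [[secrets.randbits(L) for _ in range(m)] for _ in range(n)]
    rs = [secrets.randbelow(m) for _ in range(n)]
    return kk_ot_extension(xs, rs, k, cw, L) == [xs[i][rs[i]] for i in range(n)]


if __name__ == "__main__":
    print("IKNP  (repetition code, m = 2, k = 128):", run(16, 128, 8, repetition_code(128)))
    print("KK13  (Hadamard code, m = k = 256):     ", run(16, 256, 8, hadamard_code(8)))
    print("GMW (L = 1), k = 256, bits for 8 OTs: m = 2 ->", comm_bits(8, 256, 1, 2),
          " m = 256 ->", comm_bits(8, 256, 1, 256))
```

Swapping `repetition_code` for `hadamard_code` is the only change between the IKNP run and the 1-out-of-m run; the matrix exchange, the base-OT usage and the receiver's unmasking step are identical, which is the point of the framework. The receiver's masks cancel because q_i ⊕ (C(r_i) ⦿ s) = t_i, and for any other r the sender's mask depends on (C(r) ⊕ C(r_i)) ⦿ s, i.e. on at least d unknown bits of s.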
Efficiency
• Concrete:
  – Hadamard codes for encoding
  – Factor ≈ 2 for 1-out-of-2 OT and GMW for k = 256
• Additional optimizations lead to factor ≈ 3.5
• Asymptotic comm. cost per OT: O(k/log k) bits
Conclusions
• OT extension motivated by PKE >> SKE
  – Huge impact on the practicality of SFE
• Coding-theoretic framework for [IKNP03]
  – RO or “code correlation robust hash functions”
• Improvements for GMW, OT, 1-out-of-m OT
• Rethink GMW vs. Yao?
  – Also [KK12], [NNOB12], [SZ13], [ALSZ13]
Thank You!
The research leading to these results has received funding from the European Union's Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 259426 – ERC – Cryptography and Complexity