Oblivious Transfer and Secure Multiparty Computation


Brett Hemenway
September 11th 2013

Outline
- Introduction
- Oblivious Transfer
- Circuit Garbling
- Secure Computation from Secret Sharing
- Applications of MPC
  - The Satellite Problem
  - Conjunction Analysis: Overview
  - Specific Calculations
  - Integration
  - Doing The Computation Securely
- Extras
  - Cryptographic Assumptions
  - Constructing Oblivious Transfer

The Millionaire's Problem: an example of secure two-party computation
- Two millionaires want to determine who is richer, without revealing their wealth [Yao82]
- They want a secure computation of a comparison (<) gate
- More generally, how can two (or more) parties compute a function while keeping their inputs private?

Solving the Millionaire's Problem
- If there is a family of one-way trapdoor permutations F, f : X → Y for f ∈ F, e.g. f(x) = x^e mod N (the RSA function),
- and a hash function H : X → Z,
- then there is a simple solution to the Millionaire's Problem.
- We assume Alice's wealth is a, Bob's is b, and there is an a priori upper bound m > max(a, b).
Solving the Millionaire's Problem (protocol; Alice holds a, Bob holds b)
  Alice: f, f^{-1} ←$ F.                                   Alice → Bob: f
  Bob:   x ←$ X; y = f(x) − b.                             Bob → Alice: y
  Alice: x_i = f^{-1}(y + i) for i = 0, ..., m−1, giving x_0, ..., x_b, ..., x_{m−1}.
         Note that x_b = f^{-1}(y + b) = f^{-1}((f(x) − b) + b) = x.
         r_i = H(x_i)      for i = 0, ..., a
         r_i = H(x_i) + 1  for i = a+1, ..., m−1
                                                           Alice → Bob: r_0, ..., r_b, ..., r_{m−1}
  Bob:   a > b ⇒ r_b = H(x).
         If H(x) = r_b then a > b; if H(x) ≠ r_b then a ≤ b.

Secure Multiparty Computation
- Cryptographic tools exist that allow a group of participants to securely calculate any function of their joint inputs.
- Cryptography removes the need for a trusted third party.

Privacy is defined in a simulation paradigm:
- A protocol is secure if there is a simulator that, when given only the output of the protocol, can simulate an execution of the protocol that is indistinguishable from the real protocol.
- This ensures that nothing beyond the output of the protocol is learned.
- In the Millionaire's Problem, revealing whose salary is higher leaks information. A secure protocol should leak nothing more.
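The three-message Millionaire's protocol above, run end to end, as an added example (not code from the slides). It instantiates the trapdoor permutation family F with a toy RSA modulus and H with truncated SHA-256; the parameter sizes, the function names and the seeded randomness are all constructed for illustration. The split of the r_i at i ≤ a follows the slide exactly.

```python
import hashlib
import random

# Toy RSA trapdoor permutation f(x) = x^e mod N on X = Z_N (parameters constructed
# for illustration only; a 27-bit modulus is trivially factorable).
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # trapdoor, known only to Alice


def f(x):
    """Public one-way permutation f : Z_N -> Z_N (the RSA function)."""
    return pow(x, E, N)


def f_inv(y):
    """Trapdoor inverse f^{-1}; only Alice, who sampled (f, f^{-1}), can compute it."""
    return pow(y, D, N)


def H(x):
    """Hash H : X -> Z, here the first 8 bytes of SHA-256 read as an integer."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(8, "big")).digest()[:8], "big")


def bob_round1(b, rng):
    """Bob blinds a fresh random x with his wealth b: y = f(x) - b (mod N).
    Because x is uniform and f is a permutation, y is uniform and reveals nothing about b."""
    x = rng.randrange(1, N)
    return x, (f(x) - b) % N


def alice_round2(a, y, m):
    """Alice inverts f on y + i for every candidate i < m; x_a+1 .. x_{m-1} get a marked hash."""
    xs = [f_inv((y + i) % N) for i in range(m)]
    # r_i = H(x_i) for i <= a, and H(x_i) + 1 for i > a, exactly as on the slide
    return [H(xi) if i <= a else H(xi) + 1 for i, xi in enumerate(xs)]


def bob_round3(b, x, rs):
    """Bob knows x_b = x, so he can only test r_b; True encodes the slide's conclusion 'a > b'."""
    return H(x) == rs[b]


def millionaires(a, b, m, seed=0):
    """Run the protocol; the a priori bound m > max(a, b) must hold for x_b to be in range."""
    if not m > max(a, b):
        raise ValueError("m must exceed both inputs")
    rng = random.Random(seed)
    x, y = bob_round1(b, rng)          # Bob -> Alice: y
    rs = alice_round2(a, y, m)         # Alice -> Bob: r_0 .. r_{m-1}
    return bob_round3(b, x, rs)        # Bob's local decision


if __name__ == "__main__":
    print("a=7, b=2 ->", "a > b" if millionaires(7, 2, 10) else "a <= b")
    print("a=2, b=7 ->", "a > b" if millionaires(2, 7, 10) else "a <= b")
```

Bob can evaluate only position b of Alice's list, since x_i for i ≠ b is a preimage under f that he cannot compute; Alice sees only the uniformly distributed y. Note that with the slide's split at i ≤ a, the boundary case a = b also satisfies r_b = H(x), so Bob reads it as "a > b"; moving the split to i < a turns the test into a strict comparison.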
Security Models

Definition (Semi-Honest Adversaries). Semi-Honest (Honest-But-Curious) adversaries:
- always follow whatever protocol they are asked to perform
- always send well-formed messages
- try to learn other participants' secrets by looking at their own transcript of the protocol

Definition (Malicious Adversaries). Malicious adversaries are:
- allowed to deviate from the protocol
- allowed to send malformed messages
- allowed to behave in any way

Standard technique: first build protocols in the Semi-Honest model. Then use standard tools (e.g. Zero-Knowledge proofs) to force participants to follow the protocol.
Methods of Secure MPC

Protocol               Assumption        Players   Reference
Yao's Garbled Circuit  OT                2         [Yao82, Yao86]
GMW                    OT                2+        [GMW87]
BGW/CCD                Honest Majority   3+        [BOGW88, CCD88]
FHE                    Lattice Problems  2+        [Gen09]

Oblivious Transfer

Sender holds x_0, x_1; Receiver holds a choice bit b.
  Sender (x_0, x_1) ---- OT ---- Receiver (b)  ⇒  Receiver obtains x_b
- S learns nothing about b
- R learns nothing about x_{1−b}

Facts About OT
- Introduced by Rabin [Rab81] and by Even, Goldreich and Lempel [EGL85]
- OT is equivalent to random OT [Cré88]
- OT is symmetric [WW06]
- OT is "complete" for secure multiparty computation [Kil88, IPS08]
- A black-box construction of OT from one-way permutations implies P ≠ NP [IR89]
- Perfect OT cannot be constructed using quantum mechanics [Lo97]
- OTs can be extended under computational assumptions [IKNP03]
- OTs cannot be extended using quantum mechanics [SSS09, WW10]
- OT implies PKE, but not vice-versa [GKM+00]
- Constructions:
  - PIR [CMO00]
  - DDH [NP01]
  - Projective hash proofs [Kal05, HK07]
  - Blind signatures (requires RO) [CNS07]
  - Bilinear assumptions [GH07]
  - Dual-mode encryption [PVW08]
  - Noisy channels [IKO+11]

OT From The DDH Assumption: blind generation of El-Gamal public keys

DDH: (g, g^a, g^b, g^{ab}) ≈_c (g, g^a, g^b, g^c)

Sender holds x_0, x_1; Receiver holds b.
  Receiver: w ←$ [|G|]; β_b = g^w; β_{1−b} = r (a random element of G).
                                                  Receiver → Sender: (β_0, β_1)
  Sender:   k_0, k_1 ←$ [|G|]; α_0 = g^{k_0}, α_1 = g^{k_1};
            γ_0 = h_0^{k_0} · g^{x_0}, γ_1 = h_1^{k_1} · g^{x_1}, where h_i = β_i.
                                                  Sender → Receiver: ((α_0, γ_0), (α_1, γ_1))
  Receiver: x_b = 1 iff γ_b · α_b^{−w} = g.

Random Oblivious Transfer
  Sender (x_0, x_1) ---- OT ---- Receiver (b)   ⇒  Receiver obtains x_b
  Sender            ---- ROT --- Receiver       ⇒  Sender obtains random y_0, y_1; Receiver obtains random c and y_c

Precomputing OT
Idea: use Random OT on random values as a one-time pad to blind a real OT.
  Offline (ROT): y_0, y_1 generated at random; Sender gets y_0, y_1; Receiver gets c, y_c.
  Online, with Sender input x_0, x_1 and Receiver input b:
    Receiver → Sender: d = b ⊕ c
    Sender → Receiver: (z_0, z_1) with z_0 = x_0 ⊕ y_d and z_1 = x_1 ⊕ y_{1−d}
    Receiver:          x_b = z_b ⊕ y_c
  If b = 0 then d = c, so the receiver knows y_d; if b = 1 then d = 1 − c, so the receiver knows y_{1−d}.
  Random OT + 3 bits of communication = OT
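The DDH-based OT and the OT-precomputation slides, implemented together as an added example (not code from the slides). The group is a constructed toy instance (a safe prime of 11 bits, nowhere near a secure size), and the function names are assumptions. The random OT of the offline phase is realised by running the DDH OT on random inputs, which is the direction of the OT ≡ random OT equivalence the slides cite; the online phase then spends exactly the three bits d, z_0, z_1.

```python
import random

# Toy DDH group, constructed for illustration only: p = 2q + 1 with q prime,
# G = the order-q subgroup of quadratic residues mod p, generated by g = 4.
P, Q, G = 2039, 1019, 4


def random_group_element(rng):
    """A random element of G sampled as t^2 (not as g^t), so the sampler does not
    learn its discrete log; this is what makes beta_{1-b} a key without a secret."""
    t = rng.randrange(1, P)
    return (t * t) % P


def receiver_keys(b, rng):
    """Receiver: w <- [|G|], beta_b = g^w (secret w known), beta_{1-b} = r (no secret known).
    Both values are uniform in G, so the pair reveals nothing about b to the sender."""
    w = rng.randrange(1, Q)
    betas = [None, None]
    betas[b] = pow(G, w, P)
    betas[1 - b] = random_group_element(rng)
    return w, betas


def sender_encrypt(bits, betas, rng):
    """Sender: El-Gamal-encrypt g^{x_i} under public key h_i = beta_i with fresh k_i."""
    cts = []
    for x, h in zip(bits, betas):
        k = rng.randrange(1, Q)
        alpha = pow(G, k, P)                       # alpha_i = g^{k_i}
        gamma = (pow(h, k, P) * pow(G, x, P)) % P  # gamma_i = h_i^{k_i} * g^{x_i}
        cts.append((alpha, gamma))
    return cts


def receiver_decrypt(b, w, cts):
    """Receiver: x_b = 1 iff gamma_b * alpha_b^{-w} = g. Only slot b is decryptable."""
    alpha, gamma = cts[b]
    v = (gamma * pow(alpha, Q - w, P)) % P  # alpha^{-w} = alpha^{q-w} because alpha^q = 1
    return 1 if v == G else 0


def ddh_ot(x0, x1, b, rng):
    """One 1-out-of-2 bit OT: sender holds (x0, x1), receiver holds b and learns x_b."""
    w, betas = receiver_keys(b, rng)            # Receiver -> Sender: (beta_0, beta_1)
    cts = sender_encrypt((x0, x1), betas, rng)  # Sender -> Receiver: ((alpha_i, gamma_i))
    return receiver_decrypt(b, w, cts)


def random_ot(rng):
    """Offline phase: random OT obtained by running the OT on random bits."""
    y0, y1, c = rng.randrange(2), rng.randrange(2), rng.randrange(2)
    yc = ddh_ot(y0, y1, c, rng)
    return (y0, y1), (c, yc)


def precomputed_ot(x0, x1, b, rng):
    """Online phase: three bits of communication turn one ROT into an OT on (x0, x1)."""
    (y0, y1), (c, yc) = random_ot(rng)
    d = b ^ c                    # Receiver -> Sender (1 bit)
    ys = (y0, y1)
    z0 = x0 ^ ys[d]              # Sender -> Receiver (2 bits): z_0 = x_0 xor y_d
    z1 = x1 ^ ys[1 - d]          #                             z_1 = x_1 xor y_{1-d}
    return (z0, z1)[b] ^ yc      # Receiver: x_b = z_b xor y_c, since y_c is the pad on z_b


def exhaustive_check(seed=1):
    """Both protocols deliver x_b for every (x0, x1, b); returns True on success."""
    rng = random.Random(seed)
    for x0 in (0, 1):
        for x1 in (0, 1):
            for b in (0, 1):
                if ddh_ot(x0, x1, b, rng) != (x0, x1)[b]:
                    return False
                if precomputed_ot(x0, x1, b, rng) != (x0, x1)[b]:
                    return False
    return True


if __name__ == "__main__":
    print("all transfers correct:", exhaustive_check())
```

The correctness argument is the one on the slides: for slot b, γ_b · α_b^{−w} = g^{w k_b} g^{x_b} g^{−k_b w} = g^{x_b}; for slot 1−b the receiver holds no secret for β_{1−b}, so under DDH that ciphertext hides x_{1−b}. In the precomputation step, whichever of y_d, y_{1−d} pads z_b is always y_c, the one value the receiver obtained offline.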