Semi-Honest to Malicious Oblivious-Transfer The Black-box Way - PowerPoint PPT Presentation

About This Presentation
Title:

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way

Description:

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science – PowerPoint PPT presentation

Number of Views:96
Avg rating:3.0/5.0
Slides: 17
Provided by: csTauAcI53
Category:

less

Transcript and Presenter's Notes

Title: Semi-Honest to Malicious Oblivious-Transfer The Black-box Way


1
Semi-Honest to Malicious Oblivious-TransferThe
Black-box Way
Iftach Haitner
Weizmann Institute of Science
2
Why should we reconsider these old constructions?
I have a dream, Lets do Key-agreement from
one-way functions Barak showed that black-box
separations are not that meaningful OK, but
what about GMW, it is not black-box!
mm... But what about Impagliazzo-Rudich
black-box impossibility result? This was in a
different setting. No one broke the black-box
barrier in the setting you are talking about Well
....
3
  • Whether non black-box techniques are superior to
    black-box ones?
  • Non black-box techniques are typically less
    efficient.
  • When using a black-box reduction, the
    round-complexity of ? is independent of the
    exact implementation of the parties of ?

Trapdoor permutations based semi-honest OT
Malicious OT
3
4
(Fully) Black-Box Reductions
  • A fully black-box reduction from B to A
  • Black-box construction.
  • Black-box proof of security. Adversary for
    breaking B ) adversary for breaking A

5
Black-Box Reductions (cont.)
  1. Most reductions in cryptography are (fully)
    black-box, e.g., from pseudorandom generators to
    one-way functions.
  2. Few non black-box techniques that apply in
    restricted settings (typically using ZK
    proofs).Example from malicious security to
    semi-honest security GMW

5
6
Oblivious Transfer (OT) Rabin 81
(one-out-of-two version EGL 85)
Receiver Index i 2 0,1
Sender bits ?0 and ?1
  • Correctness - the receiver learns ?i
  • Sender's privacy - the receiver learns nothing
    about ?1-i
  • Receiver's privacy - the sender learns nothing
    about i
  • Complete for secure function evaluation
    GMW87,K88
  • Implied by (enhanced/dense) trapdoor
    permutations, homomorphic encryption,...
    GKL87,H04,K97,S98

6
7
Oblivious Transfer cont.
  • Different types of security
  • Semihonest adversaries
  • Malicious adversaries
  • Typical constructions of OT
  • Hardness assumption ) semihonest OT
  • Using non-black-box techniques ) Malicious OT
  • The second reduction is typically inefficient
    (round-wise)

Black-box
7
8
Defensible Privacy IKLP 06
  • A natural model of security between semi-honest
    to full-fledged (malicious) security.
  • After the protocol ends, the adversary cannot
    simultaneously learn non-permissible information
    and defend its behavior provide input and
    random-coins that justify its behavior.
  • Example Defensible OT
  • The sender cannot simultaneously learn the index
    i
  • and give a valid defense.

8
9
Defensible Privacy cont.
  • Let ? (A,B) be a protocol for computing f (fA,
    fB)
  • ? is defensibly private for B, if no efficient A
    can simultaneously
  • Output a good defense (iA,rA)
  • Learn inf (iB) not determined by fA(iA,iB)
  • The privacy of B might be violated when A does
    not give a valid defense
  • After giving the defense, As privacy might be
    ruined
  • Implies semi-honest privacy

9
10
The Usefulness of Defensible Privacy
  • Ishai Kushilevitz Lindel Petrank 06
  • Enhanced TDP, homomorphic encryption )
    Defensible-OT
  • Defensible-OT ) Malicious-OT
  • Both reductions are (fully) black-box

Malicious OT
Defensible OT
Semi-Honest OT
TDP
10
11
Defensible-OT ) Malicious-OT IKLP 06
(simplified version)
Def-OT1
Def-OT2
Def-OT3
?
Def-OTn
  1. Interact in n defensible OTs using random inputs
  2. Verify the defense of half of the OTs
  3. Combine the remaining OTs to get the desired OT
    functionality (randomized self reducibility)

12
Our Results
  • Main Theorem
  • Assuming that OWFs exist, for every
    functionality there exists a fully-black-box
    reduction from defensible privacy to semi-honest
    privacy.
  • the functionality has some natural sampling
    property /stronger assumption about the
    semi-honest privacy
  • preserves statistical privacy of either of the
    parties
  • black-box w.r.t. to the OWF
  • Corollaries
  • Black-box reduction from malicious OT to
    semi-honest OT
  • Black-box reduction from malicious OT to
    dense-TDP, non-trivial PIR, ...
  • Black-box reduction from secure function
    evaluation with static malicious adversaries, to
    semi-honest OT.

Imply semi-honest OT
trapdoor perm. homomorphic enc
Defensible OT
black box
12
13
The Reduction
  • Given a protocol ? (A,B) for computing f, which
    is semi-honest private for B and a OWF. We
    construct a protocol ?D (AD,BD) which
  • computes f
  • defensibly private for BD
  • preserves the same privacy for AD
  • We achieve our main result by applying the above
    reduction twice

13
14
The Reduction cont.
  • AD(iA,rA)

BD(iB,(rB, rA))
Proof of Security Privacy of AD - follows by the
hiding of Com Privacy of BD - assume that AD
violates the defensible privacy of BD, we use it
to construct A for breaking the semi-honest
privacy of B (in ?)
14
15
Algorithm A
AD gives a valid defense ) (iA,rA)
Decom(C) ) AD acts as A(iA,rA) ) the emulated B
acts correctly ) ? is a good guess for iB
Emulated interaction with AD
Real interaction with B
AD
B
BD
A
If AD gives a valid defense let (iA,rA)
Decom(C) Otherwise, output a random guess for iB
If AD outputs a valid defense, output ? as the
value of iB Otherwise, output a random guess
The emulated B acts as B does on the real
execution Let ? be ADs guess for iB
16
Summary
  • We give a black-box reduction from malicious
    oblivious transfer to semi-honest oblivious
    transfer.
  • Supports the conjecture that, in some settings,
    black-box techniques are as strong as
    non-black-box ones.
  • Open Questions
  • Better understanding of defensible privacy
  • Middle step in other reductions?
  • Useful in its own sake?
  • Characterizing the class of functions for which
    secure evaluation can be black-box reduced to
    semi-honest evaluation?
  • randomized self reducibility

16
Write a Comment
User Comments (0)
About PowerShow.com