270 likes | 420 Views
A Game-Theoretic Perspective on Oblivious Transfer . Kenji Yasunaga (ISIT) Joint work with Haruna Higo, Akihiro Yamada, Keisuke Tanaka (Tokyo Inst. of Tech.). 2012.5.8 Crypto Seminar @ Kyusyu University. Cryptography and Game Theory.
E N D
A Game-Theoretic Perspective on Oblivious Transfer Kenji Yasunaga (ISIT) Joint work with Haruna Higo, Akihiro Yamada, Keisuke Tanaka (Tokyo Inst. of Tech.) 2012.5.8 Crypto Seminar @ Kyusyu University
Cryptography and Game Theory • Cryptography:Design protocols in the presence of adversaries • Game theory:Study the behavior of rational players
Cryptography and Game Theory • Cryptography:Design protocols in the presence of adversaries • Game theory:Study the behavior of rational players • Rational cryptography:Design cryptographic protocols for rational players • Rational Secret Sharing [HT04, GK06, ADG+06, KN08a, KN08b, MS09, OPRV09, FKN10, AL11]
Asharov, Canetti, Hazay (Eurocrypt 2011) • Game-theoretically characterize properties of two-party protocols • Protocol π satisfies a “certain” property A “certain” game defined by π has a “certain” solution concept with “certain” utility functions • Properties: Correctness, Privacy, Fairness • Adversary model: Fail-stop adversaries • Equivalent defs. for correctness and privacy • New def. for fairness
This work • Game-theoretically characterize properties of “two-message” Oblivious Transfer (OT) • Advantages compared to [ACH11] • Game between two rational players • Essentially played by a single player in [ACH11] • Characterize correctness and privacy by a single game • Malicious adversaries
Oblivious Transfer • A protocol between sender S and receiver R • Correctness: After running the protocol,R obtains xc and S obtains nothing (or ⊥) • Privacy • Privacy for S: R learns nothing about x1-c • Privacy for R: S learns nothing about c OT c ∈ {0,1} x0, x1 ・・・ ・・・ R ⊥ xc S
Why “two-message” OT ? Two-message OT Msg1 c ∈ {0,1} x0, x1 R ⊥ xc S Msg2
Why “two-message” OT ? Two-message OT • IND based privacy fits for GT framework • Utility is high Prediction is correct • Exit IND based privacyfor two-message OT Msg1 c ∈ {0,1} x0, x1 R ⊥ xc S Msg2
Our results • Protocol π for two-message OT satisfies “correctness” and “privacy” A “certain” game defined by π has a “certain” solution concept with “certain” utility functions
Our results • Protocol π for two-message OT satisfies “correctness” and “privacy” A “certain” game defined by π has a “certain” solution concept with “certain” utility functions A game Gameπ defined by π has a Nash equilibriumwith utility functions U = (US, UR)
Cryptographic Correctness of OT • Protocol π = (S, R) Correctness • ∀ x0, x1 ∈ {0,1}*s.t. |x0| = |x1|, c ∈ {0,1},Pr[ outputR(S(x0, x1), R(c)) = xc ] ≥ 1 − negl
Cryptographic Privacy of two-message OT Privacy for R • ∀ PPT S*and x0, x1 ∈ {0,1}*, {viewS*(S*(x0, x1), R(0))} =c {viewS*(S*(x0, x1), R(1))} Privacy for S • ∃ a function Choice: {0,1}* {0,1}s.t.∀ determ. poly-time R*, x0, x1, x, z ∈ {0,1}*, c ∈ {0,1}, {viewR*(S(X0), R*(c, z))} =c {viewR*(S(X1), R*(c, z))}where X0 = (x0, x1), and X1 = (x0, x) if Choice(R*, c, z) = 0, X1 = (x, x1) otherwise • Choice indicates the choice bit of R*
Gameπ • Protocol: π = (Sπ, Rπ), Input: x0, x1, x, z ∈ {0,1}*, c ∈ {0,1}Players: Sender (S, GS), Receiver (R, GR) • Gameπ((S, GS), (R, GR), Choice, x0, x1, x, c, zS, zR): • X0 = (x0, x1), X1= (x0, x) if Choice(R, c, z) = 0, X1 = (x, x1) o.w. • b R {0, 1} and set zto be empty if R = Rπ • Execute (S(Xb), R(c, z)) ( outputR)Set fin = 1 Protocol finished without abort • GS guesses c from viewS ( guessS) GR guesses b from viewR ( guessR) • Output (fin, outputR, guessS, guessR)
Utility functions U = (US, UR) • US((S, GS), (R, GR))= (− αS)・( Pr[ guessR = b ] − 1/2 )+ βS・( Pr[fin=0 ∨ (fin=1 ∧ outputR = xc)] − 1) + γS・( Pr[ guessS = c ] − 1/2 ) • αS, βS, γS are some positive constants • US is low if GR’s guess is correct or finish w/o abort and output is incorrector GS’s guess is incorrect • UR((S, GS), (R, GR))= (− αR)・( Pr[ guessS= c ] − 1/2 )+ βR・( Pr[ fin=0 ∨ (fin=1 ∧ outputR = xc)] − 1) + γR・( Pr[ guessR= b ] − 1/2 )
Nash equilibrium • Protocol (S, R) is aNash equilibrium for Gameπ ∃ Choice s.t. ∀ PPT GS, GR, S*, (determ.) R*, ∀ x0, x1, x, z ∈ {0,1}*, c ∈ {0,1}, US((S*,GS), (R,GR)) ≤ US((S,GS), (R,GR)) + negl and UR((S,GS), (R*,GR)) ≤ UR((S,GS), (R,GR)) + negl
Game-theoretic characterization • Main Theorem:Protocol π = (Sπ, Rπ) for two-message OT satisfies cryptographic correctnessand privacyif and only ifπ = (Sπ, Rπ)is a Nash equilibrium for Gameπwith utility functions U = (US, UR)
Proof (“Crypto Game”) Assume π is not game-theoretically secure π = (Sπ, Rπ) is not NE for Gameπ ∀Choice, ∃GS*, GR*, S*, R*, x0, x1, x, z, cs.t. • Case 1: US((S*,GS), (Rπ,GR)) > US((Sπ,GS), (Rπ,GR)) + εS or • Case 2: UR((Sπ,GS), (R*,GR)) > UR((Sπ,GS), (Rπ,GR)) + εR
Proof (“Crypto Game”) • Case 1: US((S*,GS), (Rπ,GR)) > US((Sπ,GS), (Rπ,GR)) + εS • Recall thatUS((Sπ, GS), (Rπ, GR))= (− αS)・( Pr[ guessR = b ] − 1/2 )+ βS・( Pr[ fin=0 ∨ (fin=1 ∧ outputR = xc)] − 1) + γS・( Pr[ guessS = c ] − 1/2 ) • When Sπ S*Case 1-a: Pr[ guessR = b ] is lowerCase 1-b: Pr[ fin=0 ∨ (fin=1 ∧ outputR = xc)] is higherCase 1-c: Pr[ guessS = c ] is higher
Proof (“Crypto Game”) • Case 1-a: Pr[ guessR = b ] is lower Since Pr[ guessR = b ] ≤ 1/2 + negl when S*, (Rπ, GR) breaks the privacy for S • Case 1-b: Pr[fin=0 ∨ (fin=1 ∧ outputR=xc)] is higher Pr[fin=0 ∨ (fin=1 ∧ outputR=xc)] < 1 −ε when Sπ Not cryptographically correct • Case 1-c: Pr[ guessS = c ] is higher Pr[ guessS = c ] ≠ 1/2 ± neglwhen S* (S*, GS) breaks the privacy for R
Proof (“Game Crypto”) Assume π is not cryptographically secure • Case 1: Not cryptographically correct • Case 2: Cryptographically correct • Case 2-a: Not private for S when Rπ • Case 2-b: Private for S when Rπ, not private for R • Case 2-c: Private for R, not private for S when R*
Proof (“Game Crypto”) • Case 1: Not cryptographically correct ∃ x0, x1, c s.t.Pr[ outputR = xc] < 1 − ε1 US((Sπ, GS), (Rπ, GR)) < − βS・ε1 US((Sdef, GS), (Rπ, GR)) = 0 US is higher when Sπ Sdef • Sdef: Abort before start • Pr[fin=0 ∨ (fin=1 ∧ outputR=xc)] is higherwhen Sπ Sdef
Proof (“Game Crypto”) • Case 2: Cryptographically correct • Case 2-a: Not private for S when Rπ ∃ D1 who distinguishes viewRπ US((Sπ, GS), (Rπ, GR)) < −αS・ε2US((Sstop, GS), (Rπ, GR)) = 0 (when GR uses D1) US is higher when Sπ Sstop • Sstop: Abort after receiving a message • Pr[ guessR = b ] is higher when Sπ Sstop
Proof (“Game Crypto”) • Case 2: Cryptographically correct • Case 2-b: Private for S when Rπ, not for R ∃ S* and D2 who distinguishes viewS* ∃ D2who distinguishes viewSπ (since two-message OT) UR((Sπ,GS), (Rπ,GR)) < −αR・ε3UR((Sπ,GS), (Rdef,GR)) = 0 (when GSuses D2) • Rdef: Abort before start • Pr[ guessS = c ] is higher when Rπ Rdef
Proof (“Game Crypto”) • Case 2: Cryptographically correct • Case 2-c: Private for R, not for S when R* ∃ R* and D3who distinguishes viewR* UR((Sπ,GS), (Rπ,GR)) < neglUR((Sπ,GS), (R*,GR)) = γR・ε4(when GRuses D3) UR is higher when Rπ R* • Pr[ guessR = b ] is higher when Rπ R*
Notes • Main theorem holds even ifγS = 0 or βR = 0 • US((S, GS), (R, GR))= (− αS)・( Pr[ guessR = b ] − 1/2 )+ βS・( Pr[ fin=0 ∨ (fin=1 ∧ outputR = xc)] − 1) + γS・( Pr[ guessS = c ] − 1/2 ) • UR((S, GS), (R, GR))= (− αR)・( Pr[ guessS = c ] − 1/2 )+ βR・( Pr[ fin=0 ∨ (fin=1 ∧ outputR = xc)] − 1) + γR・( Pr[ guessR = b ] − 1/2 )
Conclusions (1/2) • Game-theoretically characterize “two-message” OT Protocol π = (Sπ, Rπ) for two-message OT satisfies cryptographic correctness and privacy π = (Sπ, Rπ) is a Nash equilibrium for Gameπ with utility functions U = (US, UR) • Advantages compared to [ACH ‘11] • Game between two rational players • Characterize correctness and privacy by a single game • Malicious adversaries
Conclusions (2/2) • The first step toward understanding how OT protocols work for rational players • Future work • Characterize OT with the ideal/real simulation-based security • Characterize other protocols • Explore good examples of rational cryptography