Robust Combiners for Oblivious Transfer and Other Primitives
Danny Harnik, Joe Kilian, Moni Naor, Omer Reingold, Alon Rosen
Weizmann Institute of Science

Do Not Put All Your Eggs in One Basket
• Example: two candidates for encryption algorithms, Encrypt_A and Encrypt_B.
• At least one is secure. Maybe one is not!
• Which one to use???
• Goal: combine the two into a single algorithm Encrypt that is secure even if one candidate is not.
• We call such a construction a Robust Combiner for encryption.
Robust Combiners
A Robust Combiner for a cryptographic primitive:
• A method for taking two candidate implementations of a primitive and producing a single implementation so that, if at least one candidate is secure, the resulting scheme is secure.
• In general, a (k,n)-robust combiner: there are n candidates; if at least k of them are secure then the result is secure.
• New name for an old concept.
Some Previous Appearances
• Herzberg (05): "Tolerant schemes". Parallel and cascade constructions as combiners; combiners for encryption, one-way functions, signatures and more; emphasis on the efficiency of the combiners.
• Some examples:
  • Asmuth & Blakley (81): combine two untrusted encryption schemes.
  • Multiple encryption is a type of combiner; it dates back to Shannon (49).
  • Dodis & Katz (05): combiner for CCA2 security.
  • Hohenberger & Lysyanskaya (05): combine two software implementations.
  • More…
Combiners in Practice
• NESSIE (portfolio of recommended cryptographic primitives) advocates the use of multiple encryption.
• TLS (IETF) combines the SHA-1 and MD5 hash functions in its PRF: "In order to make the PRF as secure as possible, it uses two hash algorithms in a way which should guarantee its security if either algorithm remains secure."
Combiners as a Theoretical Tool
• Robust combiners are a handy tool in the construction of primitives.
• They can get rid of mild non-uniformity in constructions: if a short hint is all that is needed to construct an implementation of P, then go over all hints and use a (1,k)-robust P-combiner.
• Example: the HILL construction of pseudorandom generators from one-way functions first finds a construction with mild non-uniformity, then uses a combiner for PRGs to give a uniform construction.
Example: Universal Primitives
A scheme U is a universal scheme for a primitive P if it is guaranteed to be secure under the sole assumption that primitive P exists.
• Levin introduced such a construction for OWFs (see Goldreich's book).
• Meaning of a universal scheme: every proof of existence is also a constructive one!
• Key to the universal scheme: the existence of (1,k)-robust combiners.
• The idea:
  • Enumerate all programs of code length log n.
  • Need some bound on the running time (achieved by a padding argument).
  • Use a (1,n)-combiner for primitive P.
  • If P exists then for large enough n, its program is included in the n candidates for the combiner, so for large enough n the scheme is secure.
• But:
  • Works only for uniform constructions.
  • Yields no information about which n it is safe to use the construction with.
This Talk
Goal of this talk: explore when and for what primitives it is possible to obtain combiners, and when it is impossible or harder.
Outline:
• One-way functions & equivalents
• Key Agreement
• Oblivious Transfer
  • Impossibility result for (1,2)-combiners
  • Positive results: a (2,3)-combiner
  • On (1,n)-combiners from (1,2)-combiners
Warm-Up: OWF combiners
• One-way functions: two candidates F_A, F_B.
• The combiner: F(x,y) = F_A(x) | F_B(y) (concatenation, on independent inputs).
• Corollary: combiners also for "equivalents" of one-way functions. For candidates G_A, G_B of such a primitive, reduce each to a OWF candidate F_A, F_B, apply the OWF-combiner to get F, and rebuild G from F by the [HILL]-style reduction. This gives robust combiners for:
  • Pseudo-random generators
  • Pseudo-random functions
  • Pseudo-random permutations
  • Private Key Encryption
  • Signatures
  • Bit commitments*
• This is not always the simplest way!! For all but bit commitment there is a direct construction of a combiner.
• Example: an efficient combiner for PRGs is G(x,y) = G_A(x) ⊕ G_B(y). Used by [HILL]…
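The TLS PRF quoted on the "Combiners in Practice" slide is a deployed instance of the XOR combiner G(x,y) = G_A(x) ⊕ G_B(y) just described: the secret is split into two halves, each half keys its own HMAC-based expander (P_MD5 and P_SHA-1), and the two expansions are XORed, so the output stays pseudorandom as long as either hash does. The following Python is an added example written for this page, not code from the talk or from any TLS implementation; it follows RFC 2246 section 5, and the function names `p_hash`, `split_secret`, `tls10_prf` and `master_secret` are my own. TLS 1.2 (RFC 5246) later replaced this construction with a single-hash PRF.

```python
"""TLS 1.0/1.1 PRF (RFC 2246, section 5) written out as a robust combiner:
P_MD5 and P_SHA-1 are each keyed with their own half of the secret and the
two output streams are XORed, the G(x,y) = G_A(x) xor G_B(y) shape of the PRG
combiner. Added example for this page, not code from the talk."""
import hashlib
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 2246 P_hash: A(0) = seed, A(i) = HMAC_hash(secret, A(i-1)),
    output = HMAC_hash(secret, A(1) + seed) || HMAC_hash(secret, A(2) + seed) || ...
    truncated to `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def split_secret(secret: bytes) -> tuple:
    """S1 = first half, S2 = second half, each of length ceil(len/2).
    For an odd-length secret the middle byte belongs to both halves, which is
    the RFC's rule; the halves must be keys for the two hashes that are as
    independent as the secret allows, otherwise a break of one hash could
    expose the key used by the other."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed).
    If either P_hash is a good PRG of its half-secret, XORing it with a stream
    computed from the other, independent half keeps the result pseudorandom."""
    s1, s2 = split_secret(secret)
    p_md5 = p_hash("md5", s1, label + seed, length)
    p_sha1 = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(p_md5, p_sha1))


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """The handshake's main use of the PRF: the 48-byte master secret."""
    return tls10_prf(pre_master, b"master secret", client_random + server_random, 48)


if __name__ == "__main__":
    # Constructed sample inputs, not a standard test vector.
    ms = master_secret(b"\x03\x01" + bytes(46), bytes(32), b"\x01" * 32)
    print(ms.hex())
```

Note that the combiner argument relies on MD5 and SHA-1 being keyed with different halves of the secret and on both streams being expanded from the same label and seed; feeding the whole secret to both hashes would let a key-recovery attack on one of them break the other.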
Key Agreement (KA)
Alice and Bob (who never met before) interact over a public channel, in the presence of an eavesdropper. They want to agree on a secret key K.
• Two candidates for KA: KA_A and KA_B, producing keys K_A and K_B.
• Suppose that both candidates really reach agreement.
• Combiner simply by XOR of the keys: K = K_A ⊕ K_B.
• What if functionality is only guaranteed for one candidate???
Key Agreement (cont.)
• In general, only one candidate is guaranteed to be a KA, in both security and functionality.
• Solution in two stages:
  • Run an offline functionality test for each candidate: one party simulates the candidate poly(n) times (playing both sides). Only if agreement is reached in all instances is the candidate used; otherwise the parties agree on 0^n in its place.
  • Run the XOR combiner: K = K_A ⊕ K_B.
• This guarantees agreement with probability 1 - 1/n.
• Use an error-correcting code to reach full agreement: one side chooses the key and divides it into shares; the above key agreement is run for each share; with overwhelming probability both sides end with the same key.
• Notes:
  • The KA combiner preserves the number of rounds.
  • 2-message KA is equivalent to (semantically secure) Public Key Encryption, so this also gives a robust combiner for PKE.
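The two-stage KA combiner above, as an added end-to-end simulation in Python (my code, not the authors'). The two candidates are constructed toy stand-ins: a textbook Diffie-Hellman over a small prime, which always reaches agreement but offers no real security, and a buggy candidate whose Bob-side key is wrong in about one run out of four. The offline functionality test and the XOR-with-0^n-substitution follow the slide; the final step is my reading of "shares + error-correcting code": a repetition code whose symbols Alice one-time-pads with fresh session keys from the combiner and Bob decodes by majority. All function names (`dh_candidate`, `buggy_candidate`, `passes_functionality_test`, `xor_combiner`, `agree_with_ecc`, `run_demo`) are assumptions of this example.

```python
"""Two-stage key-agreement (KA) combiner from the talk, simulated end to end.
Added example, not the authors' code. The two candidates are constructed toy
stand-ins: a textbook Diffie-Hellman over a small prime (always reaches
agreement; the parameters give no real security) and a buggy candidate whose
Bob-side key is wrong in about one run out of four."""
import hashlib
import random

N = 16                     # key length in bits (the talk's n)
P, G = (1 << 61) - 1, 3    # toy DH group; NOT secure parameters


def kdf(x: int) -> int:
    """Reduce a group element to an N-bit key."""
    h = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(h, "big") >> (256 - N)


def dh_candidate(rng: random.Random):
    """One honest two-party run; returns (Alice's key, Bob's key).
    A and B are the two messages that would cross the public channel."""
    a, b = rng.randrange(2, P - 1), rng.randrange(2, P - 1)
    A, B = pow(G, a, P), pow(G, b, P)
    return kdf(pow(B, a, P)), kdf(pow(A, b, P))


def buggy_candidate(rng: random.Random):
    """Looks like a KA, but Bob mis-derives his key 25% of the time."""
    ka, kb = dh_candidate(rng)
    if rng.random() < 0.25:
        kb ^= 1
    return ka, kb


def passes_functionality_test(candidate, rng, trials=100) -> bool:
    """Stage 1: one party simulates the candidate poly(n) times, playing
    both sides, and keeps it only if every run reached agreement."""
    return all(ka == kb for ka, kb in (candidate(rng) for _ in range(trials)))


def xor_combiner(candidates, rng):
    """Stage 2: K = XOR of the keys of the candidates that passed the test;
    a candidate that failed is replaced by the agreed constant 0^n."""
    ka = kb = 0
    for cand in candidates:
        if passes_functionality_test(cand, rng):
            a, b = cand(rng)
            ka ^= a
            kb ^= b
    return ka, kb


def agree_with_ecc(session, key: int, reps: int = 5) -> int:
    """Stage 3, my reading of the 'shares + error-correcting code' step:
    Alice fixes the final key, encodes every bit with a length-`reps`
    repetition code, and one-time-pads each code symbol with the low bit of
    a fresh session key from the combiner (`session()` returns Alice's and
    Bob's copies). Bob decrypts with his copy and takes a majority vote, so
    a few sessions that failed to agree do not matter. Returns Bob's key."""
    decoded = 0
    for i in range(N):
        bit = (key >> i) & 1
        votes = 0
        for _ in range(reps):
            ka, kb = session()
            ciphertext = bit ^ (ka & 1)      # what Alice sends publicly
            votes += ciphertext ^ (kb & 1)   # Bob's decryption of that symbol
        decoded |= (1 if 2 * votes > reps else 0) << i
    return decoded


def run_demo(seed: int = 7) -> dict:
    """Drive stages 1 and 2 with a seeded RNG and report what happened."""
    rng = random.Random(seed)
    dh_ok = passes_functionality_test(dh_candidate, rng)
    buggy_ok = passes_functionality_test(buggy_candidate, rng)
    ka, kb = xor_combiner([dh_candidate, buggy_candidate], rng)
    return {"dh_passes": dh_ok, "buggy_passes": buggy_ok, "alice": ka, "bob": kb}


if __name__ == "__main__":
    print(run_demo())
```

The functionality test only checks agreement, never security; that is the point of the design. A candidate that disagrees with itself is dropped, and a candidate that agrees but is cryptographically broken is harmless because its key is XORed with the key of the candidate that is secure.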
Secure Computation
• We have simple and black-box robust combiners for many cryptographic tasks, for both private key and public key cryptography.
• What about secure function evaluation (SFE)?
• Consider the task of voting. Idea for implementation: use electronic ballots from several vendors and combine them to assure security.
• In particular, is there a (1,2)-robust combiner for the Oblivious Transfer (OT) protocol [Rabin 81]?
• OT protocol: Alice (the sender) holds s0, s1; Bob (the receiver) holds a choice bit c.
  • Bob gets s_c.
  • Bob doesn't learn s_{1-c}.
  • Alice does not learn c.
• OT is complete for SFE!
Finding OT-Combiners seems hard
• We want to show an impossibility result, but: if OT exists, then a combiner can simply ignore the candidates and run the OT.
• We are interested in combiners that rely on the candidates' security.
• Consider Black Box Combiners:
  • The candidates A and B are given in a BB manner (as oracles) to the combiner CMB.
  • The proof is BB: breaking the combiner allows breaking both candidates.
• The situation is more delicate with interactive primitives.
Interactive protocols: Third Party Black Box Combiners
• A Third Party Black Box combiner can only execute a candidate scheme "in its entirety": in a call to a candidate, each party gives its secret to a trusted third party and gets its output; additional messages may be exchanged.
• Models the OT as a separate entity. Examples: "physical" implementations (noisy channel, quantum…), trusted parties.
• Does not allow arbitrary access to the OT, either to the transcript or to the program.
• Advantages: efficiency and generality.
• Downside: too restrictive. In such a reduction, OT does not even imply OWFs…
• Theorem: There exists no third party BB combiner for OT.
Interactive protocols: Transparent Black Box Combiners
• We attempt to capture a wider notion of combiners: combiners that can also access the transcript.
• An interactive protocol is generated using 2 oracles: a next-message oracle (creates the next message to be sent given the history) and an output oracle (generates the local output given the transcript).
• A Transparent Black Box combiner: every time a next-message call is invoked, this message is sent to the other party.
• Models using the candidate in the context of the protocol.
• Theorem: There exists no transparent BB combiner for OT.
Impossibility of OT-combiners: some intuition
• Consider two naïve "implementations" of OT:
  • OT_A: the sender gives the receiver s0 and s1. Unconditionally secure for the receiver.
  • OT_B: the receiver gives the sender c and the latter sends s_c. Unconditionally secure for the sender.
• What if we apply the combiner to OT_A and OT_B? Do we get an unconditional implementation of OT? Impossible…
OT transparent black box impossibility
• Theorem: For every transparent BB combiner for OT there exists a world in which it can be broken.
• Broken = either the sender can guess c with probability 3/4, or the receiver can guess both s0 and s1 with probability 3/4.
• More precisely: we show two worlds such that every transparent BB OT-combiner is broken in one of them.
• In general we will be considering the honest-but-curious model.
Good OT via oracles (f1, f2, Rec)
f1 and f2 are length-tripling random functions, Rec a recovery function. The protocol:
• Receiver: m1 = f1(Rand_R, c)
• Sender: m2 = f2(Rand_S, s0, s1, m1)
• Receiver: Rec(m2, Rand_R) = s_c
This is a good "implementation" of OT (even in the presence of a PSPACE-complete oracle). If there is access to f1^{-1} and f2^{-1} then this implementation is broken.

The two worlds
• World 1: OT_A = (f1A, f2A, Rec_A) and OT_B = (f1B, f2B, Rec_B) implemented by separate oracles. Contains a PSPACE-complete oracle. OT_A reveals everything to the sender (access to f1A^{-1} and f2A^{-1}).
• World 2: OT_A and OT_B as above, with a PSPACE-complete oracle. OT_B reveals everything to the receiver.
The protocol OT_COMB
• Consider the OT-combiner taking OT_A and OT_B as candidates. Call this protocol OT_COMB.
• OT_COMB looks exactly the same in World 1 and World 2.
• OT_COMB should be a secure OT in both worlds, since one of the OTs is good in each of the worlds.
• Goal: show an attack on OT_COMB in at least one of the worlds. This would be a contradiction!
The Bare World
• The bare world contains only a PSPACE-complete oracle (no oracles for OT).
• We give a simulation of OT_COMB in this world, called OT_BARE.
• Notice that OT_COMB is well defined as long as we plug in implementations of OT_A and OT_B.
• The idea for OT_BARE: the sender handles the OT_A calls, the receiver handles the OT_B calls.
• For example: the receiver wants to query OT_A. He instead asks the sender this query. The sender chooses random values as answers for queries to f1A, f2A (this imitates the real oracle). The sender also records all his answers, giving him the ability to correctly answer queries to Rec_A.
No OT in the Bare World
• OT_BARE cannot be secure, since there is no crypto with a PSPACE-complete oracle!
• More precisely: for every execution of OT_BARE either the sender learns c or the receiver learns both secrets (using the PSPACE-complete oracle).
• The point: these attacks can be translated to attacks on OT_COMB in one of the two worlds!
No OT in the Bare World (cont.)
• The sender's view in OT_BARE (his inputs & coins, all messages, all queries and answers to OT_A, since he simulates OT_A) is the same as the sender's view in OT_COMB in World 1 (his inputs & coins, all messages, all queries and answers to OT_A, since he has the inverter for OT_A and the combiner is transparent). Symmetrically, the receiver's view in OT_BARE matches the receiver's view in OT_COMB in World 2.
• Corollary:
  • If the sender in the bare world learns c, then the sender of the corresponding OT_COMB in World 1 also learns c.
  • If the receiver in the bare world learns both secrets, then the receiver of OT_COMB in World 2 learns both secrets.
• Altogether: every execution is broken in one of the two worlds…
(2,3)-Robust OT-Combiner
Define 2 constructions, R and S (from Crépeau & Kilian 89). Both have OT functionality. Also:
• R takes 2 candidates for OT. The outcome is:
  • secure for the receiver if at least one candidate is secure for the receiver;
  • secure for the sender only if both are secure for the sender.
• S takes 3 candidates for OT. The outcome is:
  • secure for the receiver only if all 3 are secure for the receiver;
  • secure for the sender if at least one is secure for the sender.
• Define OT_AB = R(OT_A, OT_B), OT_AC = R(OT_A, OT_C), OT_BC = R(OT_B, OT_C).
• The (2,3)-combiner is defined as S(OT_AB, OT_AC, OT_BC).
• Why it works: if, say, OT_A and OT_B are secure, then OT_AB is secure for both sides, while OT_AC and OT_BC are still secure for the receiver. So all three inputs to S are receiver-secure and one of them is sender-secure, which is exactly what S needs.
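The composition S(R(OT_A,OT_B), R(OT_A,OT_C), R(OT_B,OT_C)) above, as an added bit-level simulation in Python (my code, not the authors'). Each candidate is modelled as an ideal OT oracle in the third-party black-box sense of the earlier slide, with flags saying which party it fails to protect; an insecure candidate hands the other party's private input to the curious party, so the honest-but-curious attacks behind "R is sender-secure only if both are" and "R is receiver-secure if either is" can be written down and checked. The XOR masking inside R and the additive secret sharing inside S are my reading of the Crépeau & Kilian style constructions the slide cites, and all names (`Candidate`, `R`, `S`, `combiner_2of3`, `curious_receiver_breaks_R`, `leaked_choice_bit_equals_c`) are assumptions of this example.

```python
"""The (2,3)-robust OT-combiner S(R(A,B), R(A,C), R(B,C)), simulated bit by
bit. Added example, not the authors' code. Candidates are ideal 1-out-of-2
bit-OT oracles (the talk's third-party black-box model) with flags marking
which side they fail to protect, so honest-but-curious leakage is explicit."""
import secrets
from functools import reduce


class Candidate:
    """Ideal bit OT with honest-but-curious leakage flags."""

    def __init__(self, name, sender_secure=True, receiver_secure=True):
        self.name = name
        self.sender_secure = sender_secure      # hides s_{1-c} from the receiver
        self.receiver_secure = receiver_secure  # hides c from the sender
        self.receiver_view, self.sender_view = [], []

    def __call__(self, s0, s1, c):
        if not self.sender_secure:               # receiver sees both secrets
            self.receiver_view.append((self.name, s0, s1))
        if not self.receiver_secure:             # sender sees the choice bit
            self.sender_view.append((self.name, c))
        return s1 if c else s0


def xor(bits):
    return reduce(lambda x, y: x ^ y, bits, 0)


def R(ot1, ot2, s0, s1, c):
    """Receiver-protecting combiner: the receiver splits c = c1 xor c2, so a
    candidate that leaks its choice bit only leaks a uniform share; the
    sender masks with a random bit r. Returns (s_c, receiver's locals)."""
    c1 = secrets.randbelow(2)
    c2 = c ^ c1
    r = secrets.randbelow(2)
    x = ot1(r, r ^ s0 ^ s1, c1)        # x = r (c1 = 0) or r^s0^s1 (c1 = 1)
    y = ot2(s0 ^ r, s1 ^ r, c2)        # y = s_{c2} ^ r
    return x ^ y, {"c2": c2, "y": y}   # x ^ y = s_{c1 xor c2} = s_c


def S(ots, s0, s1, c):
    """Sender-protecting combiner: each secret is additively shared into
    len(ots) shares, one OT per share with the same choice bit. A receiver
    who breaks only some candidates still misses a share of s_{1-c}, but c
    itself is handed to every candidate."""
    n = len(ots)
    a = [secrets.randbelow(2) for _ in range(n - 1)]
    b = [secrets.randbelow(2) for _ in range(n - 1)]
    a.append(s0 ^ xor(a))
    b.append(s1 ^ xor(b))
    return xor(ot(ai, bi, c) for ot, ai, bi in zip(ots, a, b))


def combiner_2of3(A, B, C, s0, s1, c):
    """S over the three pairwise R's: secure if any two of A, B, C are."""
    pair = lambda p, q: (lambda s0, s1, c: R(p, q, s0, s1, c)[0])
    return S([pair(A, B), pair(A, C), pair(B, C)], s0, s1, c)


def curious_receiver_breaks_R(leaky, honest, s0, s1, c):
    """Why R is sender-secure only if BOTH candidates are: if ot1 hands the
    receiver both of its inputs (r, r^s0^s1), then y ^ r = s_{c2} and
    s_{c2} ^ (s0^s1) is the other secret. Returns the recovered (s0, s1)."""
    _, loc = R(leaky, honest, s0, s1, c)
    _, x0, x1 = leaky.receiver_view[-1]      # x0 = r, x1 = r ^ s0 ^ s1
    s_c2 = loc["y"] ^ x0
    s_other = s_c2 ^ x0 ^ x1
    return (s_c2, s_other) if loc["c2"] == 0 else (s_other, s_c2)


def leaked_choice_bit_equals_c(trials=4000):
    """Why R is receiver-secure if EITHER candidate is: with ot2 leaking its
    choice bit, the sender only sees c2 = c ^ c1, a fresh uniform bit.
    Returns the fraction of runs where that bit equals c (about 1/2)."""
    good, broken = Candidate("A"), Candidate("B", receiver_secure=False)
    hits = 0
    for _ in range(trials):
        c = secrets.randbelow(2)
        R(good, broken, 0, 1, c)
        hits += broken.sender_view[-1][1] == c
    return hits / trials


if __name__ == "__main__":
    A, B, C = Candidate("A"), Candidate("B"), Candidate("C", False, False)
    print([combiner_2of3(A, B, C, 0, 1, c) for c in (0, 1)])   # [0, 1]
    print(leaked_choice_bit_equals_c())
```

With C broken for both sides, the sender's leaked information is the c2-shares from R(A,C) and R(B,C), two independent uniform bits, and the receiver's leaked information is the inputs to those two R's, which are two of the three additive shares of each secret in S; the share going through R(A,B) is never exposed, so s_{1-c} stays hidden.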
(1,k)-Combiner from (1,2)-Combiner
• Existence of a (1,2)-combiner is necessary for (1,k)-combiners to exist. When is it sufficient?
• Natural approach: organize the k schemes in a binary tree with k leaves; each internal node runs the (1,2)-combiner with its two children as candidates. The outcome is secure if at least one leaf is secure.
• Need to ensure the running time is polynomial: if the (1,2)-combiner runs in time m × (candidates' time), the total running time is m^{Ω(log k)}.
• If m is a constant then the total time is polynomial and the tree construction works.
• If a (1,2)-combiner for OT is found it will not likely be that efficient…
(1,k)-Combiner for OT from (1,2)-Combiner for OT
Theorem: Any (1,2)-combiner for OT can be used for a (1,k)-combiner for OT.
Solution: use the (2,3)-combiner for OT, which runs in time ~6 × (candidates' time).
• Divide the k candidates into 3 groups of size 2k/3, so that each candidate appears in at least two groups.
• Recursively run a (1,2k/3)-combiner on each group.
• The 3 outcomes are combined using the (2,3)-combiner: if one candidate is secure, the two groups containing it yield secure OTs, which is what the (2,3)-combiner needs.
• The running time is polynomial: if the (1,2)-combiner runs in time n^d, the total running time is 18^{Ω(log k)} · n^d.
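The recursion on this slide, as an added Python model (my code, not the authors') that tracks only which inputs are secure and how many candidate executions are made. The (1,2)-combiner is modelled as "secure if either input is" with cost m, the (2,3)-combiner as "secure if at least two inputs are" and as executing each of its three inputs twice (six calls, matching the ~6 × candidates' time on the slide). The grouping X∪Y, X∪Z, Y∪Z from three near-equal thirds X, Y, Z is my concrete choice for "three groups of size 2k/3 with each candidate in at least two groups"; the cost model and the names `split_in_three`, `combine`, `robust_for_all_patterns` and `cost_exponent` are assumptions of this example. Exhaustively checking every security pattern for small k confirms that the result is secure exactly when some candidate is.

```python
"""(1,k)-combiner from a (1,2)-combiner and the (2,3)-combiner: a recursive
model of which candidates are secure and of the number of candidate
executions. Added example, not the authors' code; the cost model and the
grouping rule are this example's assumptions."""
import math
from itertools import product


def split_in_three(cands):
    """Three groups of about 2k/3 candidates, each candidate in exactly two:
    cut the list into thirds X, Y, Z and return X+Y, X+Z, Y+Z."""
    k = len(cands)
    b1, b2 = (k + 2) // 3, (2 * k + 1) // 3
    x, y, z = cands[:b1], cands[b1:b2], cands[b2:]
    return [x + y, x + z, y + z]


def combine(cands, m=1):
    """cands: list of booleans, True = that candidate is a secure OT.
    Returns (is_secure, cost), cost in units of one candidate execution;
    m is the cost of the (1,2)-combiner applied to two candidates."""
    k = len(cands)
    if k == 1:
        return cands[0], 1
    if k == 2:                                   # the (1,2)-combiner
        return cands[0] or cands[1], m
    results = [combine(g, m) for g in split_in_three(cands)]
    secure = sum(s for s, _ in results) >= 2     # (2,3)-combiner guarantee
    cost = 2 * sum(c for _, c in results)        # each group executed twice
    return secure, cost


def robust_for_all_patterns(k):
    """Exhaustive check: the (1,k) construction is secure exactly when at
    least one of the k candidates is."""
    return all(combine(list(bits))[0] == any(bits)
               for bits in product((False, True), repeat=k))


def cost_exponent(k):
    """log_k(cost): polynomial running time means this stays bounded as k grows."""
    return math.log(combine([True] * k)[1], k)


if __name__ == "__main__":
    for k in (3, 9, 27, 81):
        print(k, combine([True] * k)[1], round(cost_exponent(k), 2))
```

The exhaustive check is the point of the model: a single secure candidate sits in two of the three groups, each of which is secure by induction, and two secure inputs are all the (2,3)-combiner needs; the cost recursion shows why the constant-factor overhead of the (2,3)-combiner is what keeps the total polynomial.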
Summary for OT Combiners
Negative:
• No transparent BB robust combiners for OT.
Positive:
• Combiners for the OT protocols based on the hardness of discrete log or factoring, since in those protocols the security of one of the sides is unconditional.
• There are (2,3)-robust OT-combiners that are simple and third party black box.
• (1,2)-combiners for OT suffice for a universal OT scheme.
Main open problem: combiners for OT???? (perhaps non-black-box)…
Main open problem: Non-black-box combiners for OT
• Approaches for non-BB:
  • Use the circuit of a function. Examples: ZK for NP, garbled circuits (Yao).
  • Use the program of the adversary. Example: Barak's public-coin ZK.
• Attempt with garbled circuits:
  • Consider the circuit for OT_A.
  • The sender garbles this circuit, fixing s0 and s1 and its randomness Rand_S.
  • The receiver evaluates his output bit on inputs c and Rand_R, using OT_B at the input gates.
  • Fails when OT_B is insecure…
Open Problems: Commitments
• For computationally hiding commitments, a combiner is known only via the full reduction to one-way functions: inefficient, and requires the transcript.
• What about information-theoretically hiding commitments? Not known to be equivalent to OWFs (one-way permutations are needed in NOVY).*
• Negative: third party BB impossibility for both kinds of commitment.
• Positive:
  • Simple (2,3)-combiners (Herzberg).
  • If one side's security is guaranteed, then it is easy (e.g. string commitments that are very short (Kilian 92)).