
Constant Round Oblivious Transfer in the Bounded-Storage Model


Presentation Transcript


  1. Constant Round Oblivious Transfer in the Bounded-Storage Model. Yan Zong Ding, Danny Harnik, Alon Rosen, Ronen Shaltiel.

  2. The Bounded Storage Model
  Alternative cryptographic setting:
  • "Mainstream Cryptography": Assume parties are time bounded (run in polynomial time).
  • This model: Assume parties have bounded storage.

  3. Bounded Storage Model - the setting [Maurer 92]
  • A long random string R is transmitted.
  • Honest parties store small portions of R.
  • Parties interact.
  • Malicious adversary allowed to store almost all of R.
  • Random string is no longer available.
  • Bound is only at end of transmit stage.
  (Figure: Alice, Bob and a malicious party all receive the long random string R of length N; the malicious party stores ¾N bits, an arbitrary function of R.)

  4. The bounded storage model
  • Most of the research so far focused on:
    • Key agreement [Mau93,CM97].
    • Private-key encryption [Mau92,CM97,AR99,ADR02,DR02,DM02,Lu02,Vad03].
  • This talk is about Oblivious Transfer (OT):
    • An interesting and very well studied primitive in cryptography, e.g. [Rab81,EGL85,GMW87,Kil88,CK88,Cre88,BM89,BBCS91,Bea96,Cac98,DKS99,NP01 …]
    • In the BSM: [CCM97, Din01, HCR02]

  5. OT in the bounded storage model: a definition
  • Alice holds two secrets s0, s1. Bob holds a "choice bit" c.
  • A long random string R of length N is transmitted.
  • After the OT protocol:
    • Bob gets sc.
    • Bob* doesn't learn s1-c.
    • Alice* does not learn c.
  (Figure: Alice with inputs s0, s1 and Bob with input c; after R is transmitted and the protocol runs, Bob outputs sc. Bob* and Alice* are the malicious versions of the parties.)

  6. OT in the bounded storage model: previous works

  Paper        Rounds                   Storage
  [CCM97]*     N^Ω(1)                   N^(2/3+δ)
  [Ding01]**   Ω(log N ∙ log 1/ε)       N^(1/2+δ)
  Here         5 messages               N^(1/2+δ)

  • Other improvements:
    • Exponentially small ε
    • Can pass longer secrets
    • Lower communication
    • Low probability of abort
  ** Slightly weaker model.

  7. Coming up…
  • A basic protocol (which requires too much storage).
  • Use a setup protocol to reduce the storage.
  • Interactive Hashing.

  8. A basic protocol for OT
  • A long random string R = (R0, R1) is transmitted.
  • Bob remembers Rc (½N bits).
  • Alice remembers all of R.
  • Idea: use R0 and R1 to hide the secrets.
  • Bob can recover sc.
  • Malicious Bob doesn't know both R0 and R1.
  • Has entropy about one of the secrets.
  • Method: use Randomness Extractors.
  (Figure: Alice, holding s0, s1, uses R0 to hide s0 and R1 to hide s1; Bob, holding c, stores Rc; Bob*, who stores ¾N bits, sees R1 as a high-entropy source: "R1 is a high entropy source to me", "There must be an extractor here!")

  9. Randomness Extractors [NZ93]
  • Extract randomness from distributions which contain sufficient (min-)entropy.
  • Use a short seed of truly random bits.
  • Output is (close to) uniform even when the adversary knows the seed.
  • Relation to BSM pointed out by [CM97,Lu02,Vad03].
  (Figure: an extractor takes a high-entropy distribution and a short seed and produces a random output.)

  10. A basic protocol for OT (continued)
  • Malicious Bob doesn't know both R0 and R1.
  • Has entropy about one of the secrets.
  • Method: use Randomness Extractors.
  • Alice sends random seeds Y0, Y1 for the extractor.
  • Secrets masked by outputs of the extractor.
  (Figure: Alice, holding s0, s1, extracts Z0 from R0 with seed Y0 and Z1 from R1 with seed Y1 and uses them to hide s0 and s1; Bob, holding c, recovers sc; from Bob*'s point of view the extractor output on the high-entropy half is uniform, so he can't learn both secrets.)
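A toy run of the basic protocol of slides 8-10, added here as an example and not code from the paper. It assumes a concrete extractor, a Toeplitz-matrix hash (pairwise independent, so an extractor by the leftover hash lemma), which the slides do not fix, and uses tiny sizes so that it runs instantly.

```python
import secrets

# Added example, not code from the paper: toy run of the basic OT protocol of
# slides 8-10. R = (R0, R1) is two random halves, Bob keeps only R_c, and Alice
# masks each secret with an extractor output. The extractor is a Toeplitz-
# matrix hash (an assumption; the slides leave the extractor unspecified).

N_HALF = 64   # bits per half of R (tiny; in the model N is huge)
M = 16        # secret length in bits

def toeplitz_extract(x: int, seed: int, n: int, m: int) -> int:
    """Extract m bits from the n-bit x with an (n+m-1)-bit seed: output bit i
    is the GF(2) inner product of x with seed bits i .. i+n-1 (Toeplitz row)."""
    out = 0
    for i in range(m):
        row = (seed >> i) & ((1 << n) - 1)
        out = (out << 1) | (bin(row & x).count("1") & 1)
    return out

def alice_mask(R: list[int], s0: int, s1: int, rng=secrets.randbits):
    """Alice stores all of R. She picks seeds Y0, Y1 and sends (Y_b, Z_b)
    where Z_b = Ext(R_b, Y_b) XOR s_b."""
    Y = [rng(N_HALF + M - 1), rng(N_HALF + M - 1)]
    Z = [toeplitz_extract(R[b], Y[b], N_HALF, M) ^ s for b, s in enumerate((s0, s1))]
    return Y, Z

def bob_unmask(Rc: int, c: int, Y: list[int], Z: list[int]) -> int:
    """Bob stored only R_c, so he can strip exactly one pad. Z_{1-c} stays
    masked by Ext(R_{1-c}, Y_{1-c}), whose input he never stored."""
    return Z[c] ^ toeplitz_extract(Rc, Y[c], N_HALF, M)

def run_ot(s0: int, s1: int, c: int, rng=secrets.randbits) -> int:
    """Transmit stage, then Alice's message and Bob's local unmasking;
    returns the secret Bob recovers."""
    R = [rng(N_HALF), rng(N_HALF)]   # the long string R = (R0, R1)
    bob_Rc = R[c]                     # Bob's bounded storage: one half of R
    Y, Z = alice_mask(R, s0, s1, rng)
    return bob_unmask(bob_Rc, c, Y, Z)
```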

  11. Basic protocol – too much storage. Solution – use a setup protocol
  • After R is transmitted, the parties store small subsets and engage in a setup protocol.
  • Setup protocol: parties agree on short (N^Ω(1)) substrings R0, R1 s.t.
    • Functionality:
      • Alice knows R0, R1.
      • Bob knows Rc.
    • Security:
      • Bob* has a lot of entropy on R1-c.
      • Alice* does not know c.
  • Run the basic protocol on R0, R1.
  (Figure: Alice and Bob receive the long random string R of length N, run the setup protocol to obtain R0, R1, then run the basic protocol on them.)

  12. Basic idea for the setup protocol: follow key agreement [CM97]
  • Alice and Bob store random subsets of R.
  • Alice sends the position of her set.
  • W is the positions of the intersecting subset. Known only to Bob.
  • Agree on two sets R0, R1:
    • Both are in Alice's set.
    • Rc = W.
    • Bob has high entropy about R1-c.
    • Alice doesn't learn c.
  • "Agree on two sets R0, R1" is called Interactive Hashing.
  (Figure: Alice and Bob each store N½ bits of the long random string R of length N; W is their intersection; R0 and R1 both lie in Alice's set.)

  13. The story so far: a summary of the OT protocol
  • Basic protocol for OT, but requires a lot of storage.
  • Run a setup protocol to reduce the storage.
  • A component in this protocol is an "interactive hashing" protocol.
  (Figure: Alice (s0, s1) and Bob (c) receive the long random string R of length N; the setup protocol, built from interactive hashing, feeds the basic protocol, built from extractors.)

  14. Sources of improvements
  • Previous constructions can be viewed as complicated versions of this outline.
  • Using modern Extractors (and Samplers) improves most parameters (e.g. storage, communication, output length).
  • Does not get a constant number of rounds - the bottleneck is the interactive hashing protocol.
  • [CCM97] use the protocol from [NOVY92], which takes linearly many rounds.
  • We present a new 4-round Interactive Hashing protocol using almost t-wise independent permutations.
  Note: The new protocol only applies to the information-theoretic setting.

  15. Interactive Hashing
  • Bob holds an input W. At the end of the protocol both parties agree on R0, R1 s.t.
  • Honest Bob:
    • W = Rc.
    • R1-c is uniform in Alice's set.
    • Alice does not know c.
  • Malicious Bob: cannot know both strings, has high entropy about one of the strings.
  Note: This has got nothing to do with the bounded storage model. Such a protocol exists for unbounded parties.
  (Figure: Bob inputs W; both Alice and Bob output R0, R1.)

  16. A naïve implementation of Interactive Hashing
  • Let H be a family of 2-to-1 pair-wise independent hash functions h: {0,1}^n → {0,1}^(n-1).
  • Alice sends a random hash function h ←R H.
  • Bob sends h(W).
  • The two pre-images of h(W) are R0, R1.
  • One is W, the other uniformly distributed (because of pair-wise independence).
  • But Bob may choose W after he sees h!
  (Figure: Alice sends h, Bob replies with h(W); Bob* thinks "choose W after I see h".)

  17. Interactive Hashing in [CCM97]: the NOVY protocol
  • Send h gradually! Alice sends "portions" of her hash function in exchange for "portions" of Bob's replies.
  • Consider W as an n-bit vector. h is an (n-1)×n matrix A with full rank and h(w) = Aw.
  • Send a row of A at each round (instead of all at once).
  • Requires n-1 rounds.
  (Figure: Alice holds the (n-1)×n matrix A and sends rows A1, A2, A3, …; Bob holds the n-bit vector W and replies with the corresponding bits of Aw.)
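The matrix form of interactive hashing from slides 16 and 17, as an added example that is not code from the paper: h(w) = Aw over GF(2), the round-by-round NOVY exchange, and the reason the one-shot variant of slide 16 fails. All function names are this example's own; n is kept tiny so that preimages can be found by brute force.

```python
import secrets

# Added example, not code from the paper: toy interactive hashing over GF(2)
# for slides 16-17. h(w) = A w with a full-rank (n-1) x n binary matrix A
# (rows are n-bit ints), so each image has exactly two preimages {w, w ^ k},
# k spanning the kernel of A. Toy n only: preimages are found by brute force.

def inner(a: int, b: int) -> int:
    """GF(2) inner product of two bit vectors."""
    return bin(a & b).count("1") & 1

def apply_hash(A: list[int], w: int) -> int:
    """h(w) = A w as an (n-1)-bit int; row 0 gives the top bit."""
    y = 0
    for row in A:
        y = (y << 1) | inner(row, w)
    return y

def random_hash(n: int, rng=secrets.randbits) -> list[int]:
    """Sample A until it has full rank, i.e. h is exactly 2-to-1 (checked by
    counting distinct images, affordable only for toy n)."""
    while True:
        A = [rng(n) for _ in range(n - 1)]
        if len({apply_hash(A, w) for w in range(1 << n)}) == 1 << (n - 1):
            return A

def preimages(A: list[int], y: int, n: int) -> tuple[int, int]:
    """The two strings hashing to y, in increasing order (brute force)."""
    pre = [w for w in range(1 << n) if apply_hash(A, w) == y]
    return pre[0], pre[1]

def novy_rounds(A: list[int], W: int) -> list[tuple[int, int]]:
    """Slide 17: one row of A per round, Bob answers <row, W>; he commits to
    bit i before seeing row i+1, so he cannot adapt W to the whole of h."""
    return [(row, inner(row, W)) for row in A]

def interactive_hashing(n: int, W: int, rng=secrets.randbits):
    """Honest run: returns (R0, R1, A) with W in {R0, R1}."""
    A = random_hash(n, rng)
    transcript = novy_rounds(A, W)
    y = int("".join(str(bit) for _, bit in transcript), 2)  # h(W) from Bob's bits
    R0, R1 = preimages(A, y, n)   # both parties compute these from A and h(W)
    return R0, R1, A

def naive_cheat(A: list[int], n: int, target: int) -> int:
    """Slide 16's flaw: if Bob sees all of A before answering he can choose
    W = target ^ k, forcing the supposedly random other preimage to be target."""
    k = next(k for k in range(1, 1 << n) if apply_hash(A, k) == 0)
    return target ^ k
```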

  18. This paper: 4-message Interactive Hashing
  • h = g ∘ P.
  • P is an almost t-wise independent permutation on n bits (e.g. [Gow]).
  • g is a 2-to-1 pair-wise independent hash on ¼n bits.
  • Alice sends P to Bob, who replies with P(w)1…¾n.
  • Alice sends g to Bob, who replies with g(P(w)¾n…n).
  • Requires 4 messages.
  (Figure: Alice sends P, Bob replies with the first ¾n bits of P(w); Alice sends g, Bob replies with g applied to the remaining bits; together these determine h(w).)

  19. Wrapping up
  Main result: A constant round protocol for OT in the bounded storage model.
  Contributions:
  • Simplifying and improving the previous protocols using randomness extractors.
  • A new constant round protocol for interactive hashing.
  (Figure: Alice (s0, s1) and Bob (c) receive the long random string R of length N; the setup protocol, built from interactive hashing, feeds the basic protocol, built from extractors.)

  20. Further Issues
  • We also came up with a 3-message protocol.
  • N½ is a lower bound on storage [DM04].
  • Open Questions:
    • Can we mix the bounded storage model and standard cryptography?
    • How do protocols compose in the bounded storage model?
    • Can our new constant round Interactive Hashing protocol replace NOVY in computational applications?

  21. Thank You
