Oblivious Comparator and its application to Auction
Hiroaki Kikuchi, Tokai University - Japan
English Auction
[Figure: an auctioneer and Bidders A, B and C; prices $30, $40, $50, $60]
Sealed-bid Auction
[Figure: Bidders A, B and C and the auctioneer; bids $70, $20, $50]
Issue: Trust in Auctioneer
[Figure: Bidders A, B and C; bids $70, $20; "A is $70", "B is $20"]
Approach: Oblivious Comparator
[Figure: Bidders A, B and C; bids $70, $20, $30; "Who wins?", "Winner ???"]
Contents
• Introduction for issues in auction and outline of an oblivious comparator
• Secure Function Evaluation
• Model, Building blocks and security
• Completeness
• Auction Protocol
• Performance
• Conclusion
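Secure Function Evaluation
[Figure: players A, B and C give inputs a, b and c to CMP, which outputs y = ƒ(a, b, c)]
Target: a+b+c, max(a,b,c), highest(A,B,C)
Model
[Figure: players A, B and C give E[a], E[b] and E[c] to CMP, which outputs E[y] = E[ƒ(a, b, c)]; state labels S_i and S_{i+1} = T[E[y]]]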
The Idea
• Logic Circuit with Ciphertext
• Homomorphic Encryption over GF(2)
• Logical Operations (AND, NOT)
• Reed-Muller Expansion
• State Machine “comparator”
1. Homomorphic Encryption
• Public-key Encryption E[x]
• Homomorphism over GF(2): for a, b in {m0, m1}, E[a] x E[b] = E[a ⊕ b]
• Indistinguishability
• Given E[m0] and E[m1], hard to figure out which one is E[m0]
• Distributed Threshold Encryption
• Key-generation, decryption (t-out-of-n)
• Verifiable encryption
Homomorphism over GF(2)
[Figure: commutative diagram. E maps a, b to E[a], E[b]; ⊕ maps a, b to a⊕b; x maps E[a], E[b] to E[a⊕b]; E maps a⊕b to E[a⊕b]]
Example: ElGamal encryption
• Key Generation
  p = 2q + 1, g in G of order q
  public key: y = g^x, secret key: x
  encryption: E[m] = (m·y^r, g^r)
  decryption: m = (m·y^r)/(g^r)^x
• Plain messages m in {1, -1}
  1 = false (0), -1 = true (1)
EXOR
• Homomorphism
  E[a] = (a·y^r, g^r)
  E[b] = (b·y^s, g^s)
  (ab·y^(r+s), g^(r+s)) = E[ab]
• 1-bit EXOR
  E[1] x E[1] = E[1]      0 ⊕ 0 = 0
  E[1] x E[-1] = E[-1]    0 ⊕ 1 = 1
  E[-1] x E[1] = E[-1]    1 ⊕ 0 = 1
  E[-1] x E[-1] = E[1]    1 ⊕ 1 = 0
2. Logical Operations
• Objective: given a ciphertext E[a] (unknown a), player B with a plaintext b wishes to compute
  • Negation E[~a]
  • Conjunction E[ab]
  • Disjunction E[a ∨ b]
  without revealing his secret b.
2. Logical Operations
• Lemma 3.1 (Negation) E[~a] = E[a] x E[m1] = E[a ⊕ -1]
• Lemma 3.2 (Conjunction)
• Similarly, E[a1a2b] and E[ab] are computed.
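The ElGamal and EXOR slides and Lemma 3.1 (Negation), worked through as an added example that is not from the original slides: plaintexts are 1 (false) and -1 (true), multiplying two ciphertexts XORs the bits, and multiplying by a fresh E[-1] negates. The parameters p = 2039, q = 1019, g = 4 and all function names are constructed for illustration.

```python
import secrets

# Constructed toy parameters (assumption, not from the slides):
# p = 2q + 1 with q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (secret key x, public key y = g^x)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(bit, y):
    """E[m] = (m*y^r, g^r) with bit 0 -> m = 1 and bit 1 -> m = -1."""
    m = P - 1 if bit else 1               # -1 is p - 1 modulo p
    r = secrets.randbelow(Q - 1) + 1      # fresh randomness per ciphertext
    return (m * pow(y, r, P) % P, pow(G, r, P))

def decrypt(ct, x):
    """m = (m*y^r) / (g^r)^x, mapped back to a bit."""
    c1, c2 = ct
    m = c1 * pow(pow(c2, x, P), -1, P) % P
    if m not in (1, P - 1):
        raise ValueError("plaintext is not in {1, -1}")
    return 0 if m == 1 else 1

def xor(ct_a, ct_b):
    """E[a] x E[b]: component-wise product, which encrypts a XOR b."""
    return (ct_a[0] * ct_b[0] % P, ct_a[1] * ct_b[1] % P)

def negate(ct, y):
    """Lemma 3.1: E[~a] = E[a] x E[-1], using a fresh encryption of true."""
    return xor(ct, encrypt(1, y))

def xor_truth_table(x, y):
    """Decrypt E[a] x E[b] for every pair of input bits."""
    return {(a, b): decrypt(xor(encrypt(a, y), encrypt(b, y)), x)
            for a in (0, 1) for b in (0, 1)}

if __name__ == "__main__":
    sk, pk = keygen()
    print(xor_truth_table(sk, pk))
    print([decrypt(negate(encrypt(a, pk), pk), sk) for a in (0, 1)])
```

Neither `xor` nor `negate` touches the secret key, so the party combining ciphertexts never sees a plaintext bit.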
2. Logical Operations
• Verifiability
• Attack: (violating definition)
• E.g. sending E[random] as E[ab], or E[a] when b = 0.
3. Reed-Muller Expansion
• Lemma 2.3 Arbitrary n-variable boolean function ƒ(x1,x2,x3) is represented as
  ƒ = a0 ⊕ a1x1 ⊕ a2x2 ⊕ a3x3 ⊕ a4x1x2 ⊕ a5x1x3 ⊕ a6x2x3 ⊕ a7x1x2x3
  where ai in {0,1} (Boolean)
3. Reed-Muller Expansion
• Lemma 2.1 x ∨ y = x ⊕ y ⊕ xy
• Majority function
  ƒ(x,y,z) = xy ∨ xz ∨ yz
           = xy ∨ (xz ⊕ yz ⊕ xzyz)
           = xy ⊕ xz ⊕ yz ⊕ xyz
4. State Machine
• Oblivious Computer C
• Set of states S_i = {s1,…,sL}
• L = 2^i, S0 = ∅
• State transition function T
• S_i = T(S_{i-1}, A_i)
• A_i: Sequence of ciphertexts
• Decoding function D
• Y = D[S_n]
[Figure: labels P_i, C, b_i, S_i, AND, A_i, T(S_i, A_i), S_{i+1}]
E.g. Majority Function
[Figure: players PA, PB and PC with inputs a, b and c, and computer C with states S0 to S3]
• A1 = {E[a]}, T(S0, A1) = S0 ∪ A1, S1 = {∅, E[a]}
• A2 = {E[b], E[ab]}, S2 = S1 ∪ A2
• A3 = {E[ac], E[bc], E[abc]}, S3 = S2 ∪ A3
Majority Function
• Final State
• S3 = {E[a], E[b], E[c], E[ab], E[ac], E[bc], E[abc]}
• Decoding function: D
• D(S3) = E[ab] x E[ac] x E[bc] x E[abc]
        = E[ab ⊕ ac ⊕ bc ⊕ abc]
        = E[ab ∨ ac ∨ bc]
Oblivious Comparator (Auction)
• K-bit Input
  A: a = (a2, a1, a0)
  B: b = (b2, b1, b0)
• Output
• Winning price c = max(a,b) = a if a > b, b if a < b
• Winner w = A if a > b, B if a < b
Oblivious Comparator • Flags • = true if a>b • = true if a<b • = true if a b A: a = (1 0 0) B: b = (1 1 0) c = i-1 ai ~bi = i-1 ~ai bi = i i = ~(a) (i ai i bi) 0 0 0 1 0 1 1 1 0 1 1 0
n-player Comparison
• Size of S is independent from n
[Figure: computer C and players P1, P2, ... with inputs a1, a2, ...; S1 = c, S2 = max(c, a1), S3 = max(c, a2), Sn = max(c, an) = max(a1,..,an)]
Efficiency
• k-bit Comparator
• Internal state: 2^k ciphertext, O(2^k)
• rounds: once for each player, O(n)
• Bidder
• communication: 2^k minterms x ciphertexts, O(2^k)
• Computation: 2^k ciphertext E[m0], O(2^k)
Conclusions
• We have proposed
• a cryptographic protocol for secure function evaluation, i.e., functionally complete oblivious computer
• Round complexity of n
• Communication and Computation of O(2^k)
• Its application to Auction in which auctioneer is able to perform comparison for n bids and determine the winning price and the winner without knowledge of each bid.
Threshold Decryption
• Key Generation
• Secret ƒ(1), ƒ(2), ƒ(3)
• Public key y = g^ƒ(0) = gƒ(1)1 gƒ(2)2 gƒ(3)3
• Decryption
• E[m] = (m·y^r, g^r)
• m = myr/ (gr)ƒ(1)1 (gr)ƒ(1)1 (gr)ƒ(1)1
Performance First-Price