Oblivious Transfer(OT)

Transcription

1 Oblivious Transfer(OT) Abhishek Gunda, Bhargav Reddy, Sai Harsha Nalluru, Prof. Shashank Singh, IIT Kanpur April 4, 2018 April 4, / 20

2 Overview What is Oblivious Transfer Variants of OT 1-out-of-2 Oblivious Transfer Protocol 1-out-of-n Oblivious Transfer Protocol Rabin s Oblivious Transfer Protocol Applications April 4, / 20

3 What is Oblivious Transfer Definition: In cryptography, an oblivious transfer (OT) protocol is a type of protocol in which a sender transfers one of potentially many pieces of information to a receiver, but remains oblivious as to what piece has been transferred. April 4, / 20

4 What is Oblivious Transfer Explanation: Let s think of the following situation with a sender and receiver attempting for a communication. Sender has a list of n strings {x 1, x 2,..., x n } Client wants to learn x i Sender sends all the n strings to the receiver with an underlying constraint to not to let the receiver learn the strings x j, j i This problem, originating with Rabin, where the sender should transfer x i to the client without knowing i, is called oblivious transfer April 4, / 20

5 Variants of OT 1-out-of-2 Oblivious Transfer Protocol Using DDH Using RSA 1-out-of-n Oblivious Transfer Protocol Rabin s Oblivious Transfer Protocol All the above variants mentioned can be constructed using many encryption protocols Enhanced Trapdoor Permutations, DDH, RSA, Lattices. April 4, / 20

6 1-out-of-2 Oblivious Transfer Protocol Using DDH(Decisional Diffie-Hellman): As already discussed in the class we know the following assumption under DDH over a group G of order q with generator g: {(g, g a, g b, g ab )} {(g, g a, g b, g c )} where a,b,c Z q are random April 4, / 20

7 1-out-of-2 Oblivious Transfer Protocol (DDH) Receiver chooses a random a σ from Z q the a σ here acts as the secret key in the communication Receiver computes h σ = g aσ and share it with the sender. Let m be a message to be send by the sender is encrypted as the following: c=(u,v)=(g r, h r σm) and random r from Z q The cipher received at the receiver side is decrypted using the following method: m = v u = hr σm aσ (g r ) = hr σm aσ (g aσ ) = hr σm r hσ r April 4, / 20

8 1-out-of-2 Oblivious Transfer Protocol (DDH) April 4, / 20

9 1-out-of-2 Oblivious Transfer Protocol Alice sees only two public keys, which are two random group elements (and so learns nothing about σ) Bob knows only one private key and so learns only x σ More efficient version of the previous algorithm: Instead of Alice computing two El Gamal encryptions, she can reduce the exponentiation by choosing only one random r to that of choosing (r,s) and can send (u, v 0, v 1 ) to Bob. In this way, we have reduced about 25 percent of the computation. April 4, / 20

10 1-out-of-2 Oblivious Transfer Protocol(DDH) April 4, / 20

11 1-out-of-2 Oblivious Transfer Protocol Points to Ponder: In this protocol sender cannot cheat. As for the receiver if he can choose both h 0 and h 1 instead of a single chosen one he can decrypt the both ciphers received from the sender. The above ambiguity can be rectified using the following procedure: At the start of protocol implementation sender sends a random group element w from G. After computing the h σ the receiver is constrained to choose h 1 σ such that h σ h 1 σ = w which eliminates the threat of receiver knowing both the generated public keys. April 4, / 20

12 1-out-of-2 Oblivious Transfer Protocol Using RSA: Alice has two messages m 0, m 1, and wants to send exactly one of them to Bob. Bob does not want Alice to know which one he receives. Alice generates an RSA key pair, comprising the modulus N, the public exponent e and the private exponent d. She also generates two random values, x 0, x 1 and sends them to Bob along with her public modulus and exponent. April 4, / 20

13 1-out-of-2 Oblivious Transfer Protocol (RSA) Figure: Taken from Wikipedia April 4, / 20

14 1-out-of-n Oblivious Transfer Protocol Definition:A 1-out-of-n oblivious transfer protocol can be defined as a natural generalization of a 1-out-of-2 oblivious transfer protocol. Specifically, a sender has n messages, and the receiver has an index i, and the receiver wishes to receive the i-th among the sender s messages, without the sender learning i, while the sender wants to ensure that the receiver receive only one of the n messages. April 4, / 20

15 Rabin s Oblivious Transfer Protocol Oblivious transfer (OT) was introduced by Michael Rabin in He invented a protocol with some curious properties and published it in a tech report. In this protocol, a sender will send a message to the receiver with probability 1/2. Rabins scheme was later named 1 2-OT because of this probability. April 4, / 20

16 Rabin s Oblivious Transfer Protocol The scheme works as follows: The sender encrypts the message m using Rabin encryption protocol involving n The sender (S) finds two large primes p, q and finds their product n = pq and reveals n to the receiver (R). R chooses a random x Z n and sends t = x 2 mod n to S. S computes s = t sends it to R. If s = ±x, then R learns nothing, if s = ±y then R can learn (p, q) by finding GCD(x + s, n) or GCD(x s, n) which can be used to decrypt the cipher The case that S chooses s = ±x and the case that s = ±y are equally likely to occur, so R will learn (p, q) with probability 1/2. S will not know if R learned the secret or learned nothing. April 4, / 20

17 Applications Privacy-Preserving Applications April 4, / 20

18 Applications Privacy-Preserving Face Recognition April 4, / 20

19 References Susan Hohenberger - Special Topics in Theoretical Cryptography Oblivious transfer - Wikipedia Efficient Oblivious Transfer Extensions and Applications Oblivious Transfer, a lecture given by Prof. Yehuda Lindell Of Bar-Ilan University Boaz Barak - Oblivious Transfer (OT) and Private Information Retrieval (PIR) Prof. Rafail Ostrovsky - Foundations of Cryptography April 4, / 20

20 The End April 4, / 20