- Presentation 25 minutes + 5 minutes for questions. - Presentation is on Wednesday, 11:30-12:00 in B05-B06

Similar documents
Faster Private Set Intersection based on OT Extension

Michael Zohner (TU Darmstadt)

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Michael Zohner (TU Darmstadt)

Michael Zohner (TU Darmstadt)

Practical Secure Two-Party Computation and Applications

Rational Oblivious Transfer

Yuval Ishai Technion

Private Set Intersection for Unequal Set Sizes with Mobile Applications

Chameleon: A Hybrid Secure Computation Framework for Machine Learning Applications

Secure Multiparty Computation

Secure Multiparty Computation

2018: Problem Set 1

Introduction to Secure Multi-Party Computation

An Overview of Active Security in Garbled Circuits

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

Vlad Kolesnikov Bell Labs

Secure Multiparty RAM Computation in Constant Rounds,

Secure Set Intersection with Untrusted Hardware Tokens

Blind Machine Learning

Ad-Hoc Secure Two-Party Computation on Mobile Devices using Hardware Tokens

Whitewash: Outsourcing Garbled Circuit Generation for Mobile Devices

Actively Secure Garbled Circuits with Constant Communication Overhead in the Plain Model

Phasing: Private Set Intersection using Permutation-based Hashing

1 A Tale of Two Lovers

An Overview of Secure Multiparty Computation

from circuits to RAM programs in malicious-2pc

Kiss, Ágnes; Liu, Jian; Schneider, Thomas ; Asokan, N.; Pinkas, Benny Private Set Intersection for Unequal Set Sizes with Mobile Applications

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Implementation Techniques

Multi-Party 2 Computation Part 1

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Secure Two-Party Computation: Generic Approach and Exploiting Specific Properties of Functions Approach

The Challenges of Distributing Distributed Cryptography. Ari Juels Chief Scientist, RSA

Secure Multi-Party Computation

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

High-Throughput Semi-Honest Secure Three-Party Computation with an Honest Majority

Protocols for Authenticated Oblivious Transfer

Oblivious Transfer(OT)

Lecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

Blind Seer: Scalable Private DB Querying

More crypto and security

Outsourcing Secure Two-Party Computation as a Black Box

Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme

Garbled Circuits via Structured Encryption Seny Kamara Microsoft Research Lei Wei University of North Carolina

Secure Outsourced Garbled Circuit Evaluation for Mobile Devices

Private Set Intersection for Unequal Set Sizes with Mobile Applications

The IPS Compiler: Optimizations, Variants and Concrete Efficiency

Lecture 10, Zero Knowledge Proofs, Secure Computation

Security Protections for Mobile Agents

D1.1 State of the Art Analysis of MPC Techniques and Frameworks

Simple, Black-Box Constructions of Adaptively Secure Protocols

Lecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

2.1 Basic Cryptography Concepts

T Cryptography and Data Security

Privacy-Preserving Interdomain Routing at Internet Scale (Full Version)

Secure Multiparty Computation Introduction to Privacy Preserving Distributed Data Mining

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Efficient Cryptographic Protocols: Secure Two-Party Computation and Refereed Delegation of Computation

RSA. Public Key CryptoSystem

SCAPI. The Secure Computation Application Programming Interface Yehuda Lindell. Bar-Ilan University

Malicious-Client Security in Blind Seer: A Scalable Private DBMS

Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

Making and Breaking Ciphers

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

User Authentication. Modified By: Dr. Ramzi Saifan

General Secure Function Evaluation Using Standard Trusted Computing Hardware

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Defining Multi-Party Computation

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

Alex J. Malozemoff. University of Maryland

PCF: A Portable Circuit Format for Scalable Two-Party Secure Computation

arxiv: v1 [cs.cr] 2 Jan 2019

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Lecture 1 Applied Cryptography (Part 1)

Secure Computation of Functionalities based on Hamming Distance and its Application to Computing Document Similarity

Cryptography Functions

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

ABSTRACT. Ebrahim M. Songhori

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Cryptographic Concepts

Formal Methods and Cryptography

Efficient Maliciously Secure Multiparty Computation for RAM

Efficient Verification of Input Consistency in Server-Assisted Secure Function Evaluation

CSC 5930/9010 Cloud S & P: Cloud Primitives

Anonymity. Assumption: If we know IP address, we know identity

Cryptography. Summer Term 2010

A Systematic Approach to Practically Efficient General Two-Party Secure Function Evaluation Protocols and Their Modular Design

Privacy-Preserving Distributed Linear Regression on High-Dimensional Data

Optimized Honest-Majority MPC for Malicious Adversaries - Breaking the 1 Billion-Gate Per Second Barrier

Secret Key Cryptography

Cryptography CS 555. Topic 1: Course Overview & What is Cryptography

An architecture for practical actively secure MPC with dishonest majority

Foundations of Cryptography CS Shweta Agrawal

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Multi-Theorem Preprocessing NIZKs from Lattices

Founding Cryptography on Tamper-Proof Hardware Tokens

Efficient Two Party and Multi Party Computation against Covert Adversaries

Transcription:

Information: - Presentation 25 minutes + 5 minutes for questions. - Presentation is on Wednesday, 11:30-12:00 in B05-B06 - Presentation is after: Abhi Shelat (fast two-party secure computation with minimal assumptions) - Presentation is before: Nigel Smart (An architecture for practical actively secure MPC with dishonest majority) - BF Private Set-Intersection protocol is 2 sessions after us 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 1

More Efficient Oblivious Transfer and Extensions for Faster Secure Computation Gilad Asharov Yehuda Lindell Cryptography Research Group Bar-Ilan University Thomas Schneider Michael Zohner Engineering Cryptographic Protocols Group TU Darmstadt 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 2

1-out-of-2 Oblivious Transfer (OT) Sender Alice Receiver Bob - Input: Alice holds two strings (x 0, x 1 ), Bob holds a choice bit r - Output: Bob receives x r but learns nothing about x 1-r, Alice learns nothing about r 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 3

Motivation - OT is basis of many generic secure computation protocols - Yao's garbled circuits protocol [Yao86]: one OT per input - Goldreich-Micali-Wigderson [GMW87]: one OT per AND gate - Several special purpose protocols directly use OT: - Set-Intersection [DCW13] - Biometric identification [BCP13] - We focus on semi-honest (passive) adversaries - Enables highly efficient protocols 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 4

OT via Public-Key Cryptography - Several protocols for OT exist that use public-key cryptography - e.g., by [NP01] in random-oracle and standard model - Other protocols exist that require weaker security assumptions - Impagliazzo and Rudich [IR86] proved that OT requires public-key cryptography - Since public-key cryptography is expensive, OT was believed inefficient 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 5

OT Extensions - OT extensions use secret-key cryptography to efficiently extend OT - OT on long strings by exchanging short seeds [Beaver96] - Many OTs extended from few real OTs [IKNP03] - Similar to hybrid encryption, where symmetric key is encrypted using public-key cryptography 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 6

Our Contributions - Optimizations for the OT extension protocol of [IKNP03] - Algorithmic optimizations => less computation - Protocol optimizations => less communication - Specific OT functionalities for more efficient secure computation - An open source OT extension implementation 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 7

OT Extension of [IKNP03] (1) For each OT i : - Alice holds m pairs of l-bit messages (x i,0, x i,1 ) - Bob holds m-bit string r and obtains x i,r i 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 8

OT Extension of [IKNP03] (2) - Alice and Bob perform k real OTs on random seeds with reverse roles (k is symmetric security parameter) 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 9

OT Extension of [IKNP03] (3) - Bob obliviously transfers a random m x k bit matrix T - The matrix is masked with the seeds of the real OTs 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 10

OT Extension of [IKNP03] (4) - The V and T matrices are transposed - Alice masks her inputs and obliviously sends them to Bob - H is a correlation robust function (instantiated with a hash function) 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 11

Computation Complexity of OT Extension 1 Per OT: # PRG evaluations 2 2 # H evaluations 1 Time distribution for 10 Mio. OTs (in 21s): 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 12

Algorithmic Optimization Efficient Bit-Matrix Transposition - Naive matrix transposition performs mk load/process/store operations - Eklundh's algorithm reduces number of operations to O(m log 2 k) swaps - Use CPU register to swap multiple bit-values in parallel - O(m/r log 2 k) for register size r (e.g, r = 64) - Time for transposing the m x k bit matrix is reduced by factor 9 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 13

Algorithmic Optimization Parallelized OT Extension - OT extension can easily be parallelized by splitting the T matrix into sub-matrices - Since each column is independent of the next, OT is highly parallelizable 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 14

Communication Complexity of OT Extension Per OT: 2l Bits sent by 2k 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 15

Protocol Optimization General OT Extension (G-OT) - Instead of using a random T matrix, we derice it from s j,0 : - Reduces data Bob sends by factor 2 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 16

Specific OT Functionalities - Secure computation protocols often require a specific OT functionality - Yao's garbled circuits with free XOR [KS08] requires correlated inputs - GMW with multiplication triples can use random inputs - We introduce two OT functionalities for secure computation protocols: - Correlated OT: random x 0 and x 1 = x 0 - Random OT: random x 0 and x 1 Correlated OT Random OT 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 17

Specific OT Functionalities Correlated OT Extension (C-OT) - Choose x i,0 as random output of H - Compute x i,1 as x i,0 i to obliviously transfer correlated values - Reduces data Alice sends by factor 2 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 18

Specific OT Functionalities Random OT Extension (R-OT) - Choose x i,0 and x i,1 as random outputs of H - Removes last communication step 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 19

Empirical Performance Evaluation Gigabit LAN WiFi 802.11g 30 Runtime (s) 25 20 15 10 5 0 Orig EMT G-OT C-OT R-OT 2T 4T - Performance evaluation of 10 million OT extensions on 80-bit strings - Two network types: Gigabit LAN and WiFi 802.11g 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 20

Empirical Performance Evaluation Original Implementation Gigabit LAN WiFi 802.11g 30 Runtime (s) 25 20 15 10 5 0 Orig EMT G-OT C-OT R-OT 2T 4T - C++ code of [SZ13] implementing OT extension of [IKNP03] 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 21

Empirical Performance Evaluation Efficient Matrix Transposition Gigabit LAN WiFi 802.11g 30 Runtime (s) 25 20 15 10 5 0 Orig EMT G-OT C-OT R-OT 2T 4T - Efficient matrix transposition => improved computation - Only decreases runtime in LAN where computation is the bottleneck 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 22

Empirical Performance Evaluation General Oblivious Transfer Gigabit LAN WiFi 802.11g 30 Runtime (s) 25 20 15 10 5 0 Orig EMT G-OT C-OT R-OT 2T 4T - Generate T from seeds => improved communication (Bob Alice) - WiFi runtime decreases only slightly, since communication Alice Bob becomes the bottleneck 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 23

Empirical Performance Evaluation Correlated Oblivious Transfer Gigabit LAN WiFi 802.11g 30 Runtime (s) 25 20 15 10 5 0 Orig EMT G-OT C-OT R-OT 2T 4T - Correlated OT => improved communication (Alice Bob) - WiFi runtime decreases by factor 2 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 24

Empirical Performance Evaluation Random Oblivious Transfer Gigabit LAN WiFi 802.11g 30 Runtime (s) 25 20 15 10 5 0 Orig EMT G-OT C-OT R-OT 2T 4T - Random OT => improved communication (Alice Bob) - WiFi runtime does not decrease since communication Bob Alice becomes the bottleneck 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 25

Empirical Performance Evaluation Parallelized Oblivious Transfer Gigabit LAN WiFi 802.11g 30 Runtime (s) 25 20 15 10 5 0 Orig EMT G-OT C-OT R-OT 2T 4T - Parallel OT extension with 2 and 4 threads => improved computation - LAN runtime decreases linear in # of threads - WiFi runtime remains the same (communication is the bottleneck) 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 26

Empirical Performance Evaluation Conclusion Gigabit LAN WiFi 802.11g 30 Runtime (s) 25 20 15 10 5 0 Orig EMT G-OT C-OT R-OT 2T 4T - LAN profits mostly from improved computation - WiFi profits from improved communication - Communication has become the bottleneck for OT extension 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 27

Summary - Communication has become the bottleneck for OT - New OT functionalities for more efficient secure computation - Correlated OT for correlated values - Random OT for random values - Our OT implementation is available at http://encrypto.de/code/otextension - A Java wrapper will be available in SCAPI 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 28

More Efficient Oblivious Transfer and Extensions for Faster Secure Computation Thanks for your attention. Questions? Contact: http://encrypto.de 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 29

Protocol Overview Special Purpose Protocols Generic Protocols Arithmetic Circuit Boolean Circuit Homomorphic Encryption Yao GMW OT Public Key Crypto >> Symmetric Crypto >> One-Time Pad 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 30

Generating Multiplication Triples via R-OT - A multiplication triple has the form (a 1 a 2 ) (b 1 b 2 ) = c 1 c 2 =(a 1 b 1 ) ( a 1 b 2 ) ( a 2 b 1 ) ( a 2 b 2 ) - P 1 and P 2 generate a multiplication using two R-OTs as follows: 1) P 2 chooses a 2 R {0,1} 2) P 1 and P 2 perform a random OT, where P 1 gets (x 1,x 2 ) and P 2 gets x a 2 3) P 1 computes b 1 = x 1 x 2 4) P 1 and P 2 repeat steps 1-3 with reverse roles to get a 1 and b 2 5) P i computes c i = (a i b i ) x 1 x ai 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 31

Efficient OT without Random Oracles TODO: Outline the protocol steps for the proposed base-ot 29.10.13 More Effiicient Oblivious Transfer Michael Zohner Slide 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback