Oblivious Transfer (OT)

Oblivious Transfer (OT)
Abhishek Gunda, 14807257
Bhargav Reddy, 14468
Sai Harsha Nalluru, 14408
Prof. Shashank Singh, IIT Kanpur
April 4, 2018

Overview
- What is Oblivious Transfer
- Variants of OT
- 1-out-of-2 Oblivious Transfer Protocol
- 1-out-of-n Oblivious Transfer Protocol
- Rabin's Oblivious Transfer Protocol
- Applications

What is Oblivious Transfer
Definition: In cryptography, an oblivious transfer (OT) protocol is a type of protocol in which a sender transfers one of potentially many pieces of information to a receiver, but remains oblivious as to what piece has been transferred.

What is Oblivious Transfer
Explanation: Consider the following situation, in which a sender and a receiver want to communicate.
- The sender has a list of n strings $\{x_1, x_2, \ldots, x_n\}$.
- The client wants to learn $x_i$.
- The sender sends all n strings to the receiver, under the constraint that the receiver must not learn the strings $x_j$, $j \neq i$.
This problem, originating with Rabin, in which the sender should transfer $x_i$ to the client without knowing $i$, is called oblivious transfer.

Variants of OT
- 1-out-of-2 Oblivious Transfer Protocol
  - Using DDH
  - Using RSA
- 1-out-of-n Oblivious Transfer Protocol
- Rabin's Oblivious Transfer Protocol
All of the variants above can be constructed from many encryption protocols: enhanced trapdoor permutations, DDH, RSA, lattices.

1-out-of-2 Oblivious Transfer Protocol
Using DDH (Decisional Diffie-Hellman): As already discussed in class, the DDH assumption over a group G of order q with generator g states:
$\{(g, g^a, g^b, g^{ab})\} \approx_c \{(g, g^a, g^b, g^c)\}$, where $a, b, c \in \mathbb{Z}_q$ are random.

1-out-of-2 Oblivious Transfer Protocol (DDH)
- The receiver chooses a random $a_\sigma$ from $\mathbb{Z}_q$; $a_\sigma$ acts as the secret key in the communication.
- The receiver computes $h_\sigma = g^{a_\sigma}$ and shares it with the sender.
- A message $m$ to be sent by the sender is encrypted as $c = (u, v) = (g^r, h_\sigma^r m)$, with random $r$ from $\mathbb{Z}_q$.
- The ciphertext received by the receiver is decrypted as follows:
$m = \frac{v}{u^{a_\sigma}} = \frac{h_\sigma^r m}{(g^r)^{a_\sigma}} = \frac{h_\sigma^r m}{(g^{a_\sigma})^r} = \frac{h_\sigma^r m}{h_\sigma^r}$

1-out-of-2 Oblivious Transfer Protocol (DDH)

1-out-of-2 Oblivious Transfer Protocol
- Alice sees only two public keys, which are two random group elements (and so learns nothing about $\sigma$).
- Bob knows only one private key and so learns only $x_\sigma$.
More efficient version of the previous algorithm: Instead of computing two ElGamal encryptions with two random values (r, s), Alice can save exponentiations by choosing only one random r and sending $(u, v_0, v_1)$ to Bob. This reduces the computation by about 25 percent.

1-out-of-2 Oblivious Transfer Protocol (DDH)

1-out-of-2 Oblivious Transfer Protocol
Points to Ponder:
- In this protocol the sender cannot cheat.
- The receiver, however, can decrypt both ciphertexts received from the sender if he is able to choose both $h_0$ and $h_1$ himself instead of only a single one.
This weakness can be rectified using the following procedure:
- At the start of the protocol, the sender sends a random group element $w$ from G.
- After computing $h_\sigma$, the receiver is constrained to choose $h_{1-\sigma}$ such that $h_\sigma \cdot h_{1-\sigma} = w$, which eliminates the threat of the receiver knowing the private keys for both generated public keys.
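The DDH-based protocol from the slides above, with the single-r optimization and the $h_\sigma \cdot h_{1-\sigma} = w$ constraint, as an added example that is not part of the original slides. The function names, the toy group (p = 2039, q = 1019, g = 4) and the encoding of messages as nonzero residues mod p are assumptions made for illustration.

```python
import secrets

# Toy group (assumption, far too small for real use): p = 2q + 1 with p, q prime,
# and g = 4 generating the subgroup of order q.
P, Q, G = 2039, 1019, 4

def sender_setup():
    """Sender picks a random group element w and sends it to the receiver."""
    return pow(G, secrets.randbelow(Q - 1) + 1, P)

def receiver_keys(sigma, w):
    """Receiver knows the exponent a of h_sigma only; h_{1-sigma} is forced by w."""
    a = secrets.randbelow(Q - 1) + 1
    h_sigma = pow(G, a, P)
    h_other = w * pow(h_sigma, -1, P) % P          # h_sigma * h_{1-sigma} = w
    h = (h_sigma, h_other) if sigma == 0 else (h_other, h_sigma)
    return a, h

def sender_encrypt(w, h, m0, m1):
    """Check the constraint on the keys, then encrypt both messages with one r."""
    h0, h1 = h
    if h0 * h1 % P != w:
        raise ValueError("receiver keys violate h0 * h1 = w")
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(h0, r, P) * m0 % P, pow(h1, r, P) * m1 % P

def receiver_decrypt(sigma, a, ct):
    """m = v_sigma / u^a; the other component stays masked by an unknown key."""
    u, v0, v1 = ct
    v = v1 if sigma else v0
    return v * pow(pow(u, a, P), -1, P) % P

def run_ot(sigma, m0, m1):
    """Run one complete transfer and return what the receiver learns."""
    w = sender_setup()
    a, h = receiver_keys(sigma, w)
    ct = sender_encrypt(w, h, m0, m1)
    return receiver_decrypt(sigma, a, ct)
```

A receiver who knew the exponents of both $h_0$ and $h_1$ would also know the discrete logarithm of the sender's random $w$, which is why the product check blocks the attack described on the slide.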

1-out-of-2 Oblivious Transfer Protocol
Using RSA:
- Alice has two messages $m_0$, $m_1$, and wants to send exactly one of them to Bob. Bob does not want Alice to know which one he receives.
- Alice generates an RSA key pair, comprising the modulus N, the public exponent e and the private exponent d.
- She also generates two random values, $x_0$, $x_1$, and sends them to Bob along with her public modulus and exponent.

1-out-of-2 Oblivious Transfer Protocol (RSA)
Figure: Taken from Wikipedia
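The RSA-based exchange as an added example that is not part of the original slides: the setup is the one described above, and the remaining steps (Bob's blinding of $x_b$, Alice's two candidate keys, Bob's unblinding) follow the standard protocol given in the Wikipedia article the slide cites. The function names and the toy primes are assumptions made for illustration.

```python
import secrets

def alice_setup(p=1019, q=2039, e=65537):
    """Alice: RSA key pair (toy primes, constructed) plus random x0, x1."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    x = (secrets.randbelow(n), secrets.randbelow(n))
    return (n, e, x), d                      # public part, private exponent

def bob_choose(pub, b):
    """Bob: blind x_b with k^e, so v looks random to Alice whatever b is."""
    n, e, x = pub
    k = secrets.randbelow(n)
    v = (x[b] + pow(k, e, n)) % n
    return k, v

def alice_respond(pub, d, v, m0, m1):
    """Alice: derive both candidate keys; exactly one of them equals Bob's k."""
    n, _, x = pub
    k0 = pow((v - x[0]) % n, d, n)
    k1 = pow((v - x[1]) % n, d, n)
    return (m0 + k0) % n, (m1 + k1) % n

def bob_recover(pub, b, k, masked):
    """Bob: remove k from the message he chose; the other stays masked."""
    return (masked[b] - k) % pub[0]

def run_rsa_ot(b, m0, m1):
    """Run one complete transfer and return what Bob learns."""
    pub, d = alice_setup()
    k, v = bob_choose(pub, b)
    masked = alice_respond(pub, d, v, m0, m1)
    return bob_recover(pub, b, k, masked)
```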

1-out-of-n Oblivious Transfer Protocol
Definition: A 1-out-of-n oblivious transfer protocol can be defined as a natural generalization of a 1-out-of-2 oblivious transfer protocol. Specifically, a sender has n messages, and the receiver has an index i, and the receiver wishes to receive the i-th among the sender's messages, without the sender learning i, while the sender wants to ensure that the receiver receives only one of the n messages.

Rabin's Oblivious Transfer Protocol
- Oblivious transfer (OT) was introduced by Michael Rabin in 1981. He invented a protocol with some curious properties and published it in a tech report.
- In this protocol, a sender will send a message to the receiver with probability 1/2.
- Rabin's scheme was later named $\frac{1}{2}$-OT because of this probability.

Rabin's Oblivious Transfer Protocol
The scheme works as follows:
- The sender encrypts the message m using the Rabin encryption protocol involving n.
- The sender (S) finds two large primes p, q, computes their product n = pq and reveals n to the receiver (R).
- R chooses a random $x \in \mathbb{Z}_n$ and sends $t = x^2 \bmod n$ to S.
- S computes $s = \sqrt{t}$ and sends it to R.
- If $s = \pm x$, then R learns nothing; if $s = \pm y$, then R can learn (p, q) by finding GCD(x + s, n) or GCD(x - s, n), which can be used to decrypt the ciphertext.
- The case that S chooses $s = \pm x$ and the case that $s = \pm y$ are equally likely to occur, so R will learn (p, q) with probability 1/2. S will not know if R learned the secret or learned nothing.
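The square-root exchange above, as an added example that is not part of the original slides. It assumes both primes are congruent to 3 mod 4 so that S can take square roots with one exponentiation per prime; the function names and the toy primes are assumptions made for illustration.

```python
import math
import secrets

# Toy primes (constructed for this example); both are 3 mod 4.
P, Q = 1019, 2039
N = P * Q

def receiver_challenge(n):
    """R picks a random x coprime to n and sends t = x^2 mod n."""
    while True:
        x = secrets.randbelow(n - 2) + 2
        if math.gcd(x, n) == 1:
            return x, x * x % n

def sender_sqrt(t, p, q):
    """S returns one of the four square roots of t mod p*q, chosen at random."""
    rp = pow(t, (p + 1) // 4, p)             # root mod p (valid since p = 3 mod 4)
    rq = pow(t, (q + 1) // 4, q)             # root mod q
    if secrets.randbelow(2):
        rp = p - rp
    if secrets.randbelow(2):
        rq = q - rq
    # Chinese Remainder Theorem: combine the roots mod p and mod q.
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def receiver_finish(x, s, n):
    """R factors n when s is not +-x; otherwise R learns nothing (None)."""
    if s in (x, n - x):
        return None
    f = math.gcd(x + s, n)
    return tuple(sorted((f, n // f)))

def transfer_once():
    """One run of the exchange; returns (p, q) or None from R's point of view."""
    x, t = receiver_challenge(N)
    s = sender_sqrt(t, P, Q)
    return receiver_finish(x, s, N)
```

S sees only t, which is consistent with all four roots, so S cannot tell which of the two outcomes R obtained.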

Applications
Privacy-Preserving Applications

Applications
Privacy-Preserving Face Recognition

References
- Susan Hohenberger - Special Topics in Theoretical Cryptography
- Oblivious transfer - Wikipedia
- Efficient Oblivious Transfer Extensions and Applications
- Oblivious Transfer, a lecture given by Prof. Yehuda Lindell of Bar-Ilan University
- Boaz Barak - Oblivious Transfer (OT) and Private Information Retrieval (PIR)
- Prof. Rafail Ostrovsky - Foundations of Cryptography

The End