Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations
Iftach Haitner
www.wisdom.weizmann.ac.il/~iftachh
WEIZMANN INSTITUTE OF SCIENCE
Talk Overview
• Oblivious transfer (OT)
• Collection of trapdoor permutations (TDP)
• Does TDP imply OT?
• Our result: dense-TDP implies OT
Oblivious Transfer (OT) [Rabin '81]
(one-out-of-two version [EGL '85])
Sender (0 and 1, w.l.o.g. bits)   Receiver (i ∈ {0,1})
1. Correctness: The receiver learns i
2. Sender's privacy: The receiver learns nothing about 1-i
3. Receiver's privacy: The sender learns nothing about i
Semi-honest model (honest-but-curious) - suffices due to Goldreich, Micali and Wigderson
Collection of Trapdoor Permutations (TDP)
{f: D → D}
n = ||
[Figure: D inside {0,1}^n; x → f(x) is easy, f(x) → x is hard, and easy with the trapdoor]
• Permutation sampler: I(1^n) = (,t)
• Domain sampler: D() = x ∈_R D
• Evaluation / inversion: F(,x) = f(x), F^-1(,t,x) = f^-1(x)
• Known candidates: Rabin's collection, RSA, …
Does TDP imply OT?
EGL protocol
1^n   Sender (0 and 1)   Receiver (i)
Sender: (,t) ← I(1^n)
Receiver: • r_{1-i} ← D()
          • s ← D(), r_i = f(s)
Receiver → Sender: r_0, r_1
Sender: For j = 0,1: c_j = j ⊕ b(f^-1(r_j))
Sender → Receiver: c_0, c_1
Receiver: Output: c_i ⊕ b(s) (= i)
Correctness
Receiver's privacy
? Sender's privacy
n is the security parameter of the protocol
b is any hardcore predicate of f
• Knowing the random coins used by the domain sampler (D) might give information about the pre-image of the element.
– The original implementation of Rabin's collection
Therefore the EGL protocol might not satisfy the Sender's privacy requirement.
– Enhanced-TDP [Goldreich '02]: inverting an element is hard, even when the randomness used to produce it is given. Enhanced-TDP ⇒ OT
Our result: Implementing OT using any dense-TDP
[Figure: D inside {0,1}^n]
∃ positive polynomial p s.t. |D| · p(n) > 2^n
Enhanced vs. Dense
• Dense (property) might be considered as a more natural requirement
• Probably easier to verify
• Different approach, might lead to OT based on any TDP
Implementing OT using dense-TDP
Implementing OT using dense-checkable-TDP
checkable-TDP: The existence of a domain sampler is not guaranteed, but there is an efficient way to check whether a given element is inside a permutation domain or not.
OT based on dense-checkable-TDP
Sender (0 and 1)   Receiver (i)
Sender: (,t) ← I(1^n)
Receiver: 1. s, r_{1-i} ∈_R {0,1}^n
          2. if s or r_{1-i} ∉ D go back to step 1
          3. r_i = f(s)
Receiver → Sender: r_0, r_1
….
Correctness
Receiver's privacy
Sender's privacy
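The three receiver steps above combined with the EGL exchange, as an added example that is not from the talk: a toy RSA collection (constructed, insecure parameters) stands in for the dense-checkable TDP, with D = {0, …, N-1} inside {0,1}^n and the least-significant bit as the hardcore predicate b. The names `sigma`, `index` and `trapdoor` are assumptions for the sender's two bits, the permutation's public index and its trapdoor.

```python
import secrets

# Toy RSA collection standing in for the dense-checkable TDP.
# Constructed parameters, far too small to be secure (assumption of this example).
P, Q, E = 1009, 1013, 17

def sample_permutation():
    """I(1^n): returns the public index (N, e) and the trapdoor d."""
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (P * Q, E), d

def in_domain(index, x):
    """Public containment test for D = {0..N-1}; |D| > 2^(n-1), so D is dense."""
    return 0 <= x < index[0]

def F(index, x):
    return pow(x, index[1], index[0])

def F_inv(index, trapdoor, y):
    return pow(y, trapdoor, index[0])

def b(x):
    """Hardcore predicate: least-significant bit."""
    return x & 1

def receiver_choose(index, i):
    n = index[0].bit_length()
    while True:  # steps 1-2: uniform n-bit strings, retry until both are in D
        s, r_other = secrets.randbits(n), secrets.randbits(n)
        if in_domain(index, s) and in_domain(index, r_other):
            break
    r = [0, 0]
    r[i], r[1 - i] = F(index, s), r_other  # step 3: r_i = f(s)
    return s, r

def sender_mask(index, trapdoor, sigma, r):
    """c_j = sigma_j XOR b(f^-1(r_j)) for j = 0, 1."""
    return [sigma[j] ^ b(F_inv(index, trapdoor, r[j])) for j in (0, 1)]

def run_ot(sigma, i):
    index, trapdoor = sample_permutation()
    s, r = receiver_choose(index, i)             # receiver -> sender: r_0, r_1
    c = sender_mask(index, trapdoor, sigma, r)   # sender -> receiver: c_0, c_1
    return c[i] ^ b(s)                           # receiver output
```

Because r_{1-i} is itself the receiver's uniform n-bit string, the receiver's coins carry nothing about f^-1(r_{1-i}) beyond the element, which is the concern raised on the domain-sampler slide.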
Implementing OT using dense-t-checkable-TDP
t-checkable-TDP:
Like checkable-TDP, but the containment test requires the trapdoor. There exists an efficient algorithm A s.t.: A(,t,x) = 1 iff x ∈ D
OT based on dense-t-checkable-TDP (first try)
r_0, r_1
(,t) ← I(1^n)
Go
1. s, r_{1-i} ∈_R {0,1}^n
2. if s or r_{1-i} ∉ D go back to step 1.
3. r_i = f(s)
……
If s or r_{1-i} ∉ D, restart
s, r_{1-i}
i
Sender (0 and 1)   Receiver (i)
OT based on dense t-checkable-TDP (second try)
Sender (0 and 1)   Receiver (i)
Sender: (,t) ← I(1^n)
Receiver: 1. s, r_{1-i} ∈_R {0,1}^n
          2. r_i = f(s), where f(s) ≡ F(,s)
Receiver → Sender: r_0, r_1 (rand.)
Sender: If r_0 or r_1 ∉ D, restart
Receiver → Sender: Reveal order
Sender: For j = 0,1: c_j = j ⊕ b(f^-1(r_j))
Sender → Receiver: c_0, c_1
Receiver: Output: c_i ⊕ b(s) (= i)
[Figure: {0,1}^n with D inside; points s, r_i and y; arrows f and f^-1; f(s) ≡ F(,s)]
• The receiver might recover i incorrectly.
  c_i ⊕ b(s) = i ⊕ b(f^-1(r_i)) ⊕ b(s) ≠ i
• The sender might reveal i.
  r_i might have a different distribution than r_{1-i}
A weak OT based on dense t-checkable-TDP
Our solution: Increase the probability that (after revealing step) s = f^-1(r_i)
Sender (0 and 1)   Receiver (i)
h ∈_R H_n - a collection of hash functions
Sender: (,t) ← I(1^n)
Receiver: 1. s, r_{1-i} ∈_R {0,1}^n
          2. r_i = f(s)
Receiver → Sender: r_0, r_1 (rand.)
Sender: If r_0 or r_1 ∉ D, restart
Sender → Receiver: h, h(f^-1(r_0)), h(f^-1(r_1))
Receiver: If h(s) ≠ h(f^-1(r_i)), restart
Receiver → Sender: Reveal order
…
w.h.p. s = f^-1(r_i)
Sender: For j = 0,1: c_j = j ⊕ b(f^-1(r_j)) …
• w.h.p. Correctness
• w.h.p. Receiver's privacy
• Sender's privacy is not compromised
A "very" weak OT based on any dense-TDP
[Figure: D inside D' inside {0,1}^n]
Can extend any dense-TDP, such that it is still one-to-one and it is t-checkable.
D' ≡ {x ∈ {0,1}^n | F(,F^-1(,t,x)) = x}
1. W.r.t. D' we have a containment test (the collection is t-checkable): x ∈ D' iff F(,F^-1(,t,x)) = x
2. But the extended f is only weakly one-way.
⇒ Only noticeable Sender's privacy
A weak OT based on dense t-checkable-TDP
Sender (0 and 1)   Receiver (i)
Sender: (,t) ← I(1^n)
Receiver: 1. s, r_{1-i} ∈_R {0,1}^n
          2. r_i = f(s)
Receiver → Sender: r_0, r_1 (rand.)
Sender: If r_0 or r_1 ∉ D, restart
Sender → Receiver: h, h(f^-1(r_0)), h(f^-1(r_1))
Receiver: If h(s) ≠ h(f^-1(r_i)), restart
Receiver → Sender: Reveal order
…
Sender: For j = 0,1: c_j = j ⊕ b(f^-1(r_j)) …
• w.h.p. Correctness
• w.h.p. Receiver's privacy
• noticeable Sender's privacy
dense-TDP
↓
Weak OT (all the requirements are weak)
↓ Secret sharing (Yao's XOR lemma)
Weak OT with strong Sender's privacy
↓ Repeating and using majority rule
Weak OT with strong Correctness and Sender's privacy
↓ Crepeau and Kilian '88
OT
Sender (0 and 1)   Receiver (i)
For k = 0,1:
  k,1, …, k,m-1 ∈_R {0,1}
  k,t = (⊕_{1 ≤ j ≤ m-1} k,j) ⊕ k
Output: ⊕_{1 ≤ j ≤ m} i,j
0,1  0,2  0,3  …  0,m    ⊕ ⇒ 0
1,1  1,2  1,3  …  1,m    ⊕ ⇒ 1
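The share-and-XOR step above, as an added simulation that is not from the talk. It assumes a toy information-theoretic model of the weak OT (each call flips the output with probability `err_p` and exposes the other input with probability `leak_p`); the names `sigma0`, `sigma1` and all parameters are assumptions of this example.

```python
import random

def weak_ot(sigma0, sigma1, i, rng, leak_p, err_p):
    """Toy weak OT (assumed model): the output is flipped with probability
    err_p, and the receiver also sees the other input with probability leak_p."""
    out = (sigma0, sigma1)[i] ^ (rng.random() < err_p)
    leaked = rng.random() < leak_p
    return out, leaked

def xor_shares(bit, m, rng):
    """m bits whose XOR is `bit`: m-1 uniform bits plus one correcting share."""
    shares = [rng.getrandbits(1) for _ in range(m - 1)]
    last = bit
    for sh in shares:
        last ^= sh
    return shares + [last]

def shared_ot(sigma0, sigma1, i, m, rng, leak_p, err_p):
    """Run m weak OTs on the share pairs and XOR the m outputs."""
    sh0, sh1 = xor_shares(sigma0, m, rng), xor_shares(sigma1, m, rng)
    out, all_leaked = 0, True
    for j in range(m):
        o, leaked = weak_ot(sh0[j], sh1[j], i, rng, leak_p, err_p)
        out ^= o
        all_leaked &= leaked  # the other bit is exposed only if every share leaks
    return out, all_leaked

def measure(m, trials=20000, leak_p=0.5, err_p=0.02, seed=1):
    """Return (error rate, exposure rate of the other bit) over random inputs."""
    rng = random.Random(seed)
    wrong = exposed = 0
    for _ in range(trials):
        s0, s1, i = rng.getrandbits(1), rng.getrandbits(1), rng.getrandbits(1)
        out, leaked = shared_ot(s0, s1, i, m, rng, leak_p, err_p)
        wrong += out != (s0, s1)[i]
        exposed += leaked
    return wrong / trials, exposed / trials
```

Comparing `measure(1)` with `measure(8)` shows exposure of the other bit falling roughly as `leak_p ** m` while the error rate rises, which is why the overview slide follows this step with repetition and a majority rule.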
Further issues
• OT based on any TDP?
Seems difficult, as Gertner, Kannan, Malkin, Reingold and Viswanathan 2000 showed that OT cannot be black-box reduced to a collection of injective trapdoor one-way functions.
(most likely) OT cannot be black-box reduced to TDP
Acknowledgment:
Oded Goldreich