Скачать презентацию Strong Conditional Oblivious Transfer and Computing on Intervals Скачать презентацию Strong Conditional Oblivious Transfer and Computing on Intervals

70f1def5add9baae7611da0f84bbdf1d.ppt

  • Количество слайдов: 12

Strong Conditional Oblivious Transfer and Computing on Intervals Vladimir Kolesnikov Joint work with Ian Strong Conditional Oblivious Transfer and Computing on Intervals Vladimir Kolesnikov Joint work with Ian F. Blake University of Toronto

Motivation for the Greater Than Predicate HAHA!! I’ll set y : = x – Motivation for the Greater Than Predicate HAHA!! I’ll set y : = x – 0. 01 A: I would like to buy tickets to Cheju Island. B: My prices are so low, I cannot tell them! Tell me how much money you have (x), and if it’s more than my price (y), I’d sell it to you for y. A: We better securely evaluate Greater Than (GT). GT Uses: Auction systems Secure database mining Computational Geometry

Previous work on GT n n n Yao’s Two Millionaires Yao’s Garbled Circuit Rogaway, Previous work on GT n n n Yao’s Two Millionaires Yao’s Garbled Circuit Rogaway, 1991 Naor, Pinkas, Sumner, 1999 Lindell, Pinkas, 2004 Sander, Young, Yung, 1999 Fischlin, 2001 Many others

Our Model A: Let’s do it in one round – I hate waiting! B: Our Model A: Let’s do it in one round – I hate waiting! B: Let’s be Semi-Honest. That means we will not deviate from our protocol. We can, however, try to learn things we aren’t supposed to by observing our communication. A: Also, I will have unlimited computation power. B: That sounds complicated. Most efficient solutions won’t work (e. g. garbled circuit).

Tools – Homomorphic Encryption scheme, such that: Given E(m 1), E(m 2) and public Tools – Homomorphic Encryption scheme, such that: Given E(m 1), E(m 2) and public key, allows to compute E(m 1 2) m We will need: • Additively homomorphic ( +) schemes = • Large plaintext group The Paillier scheme satisfies our requirements

Oblivious Transfer (OT) Input: bit b Learn: sb Input: secrets s 0, s 1 Oblivious Transfer (OT) Input: bit b Learn: sb Input: secrets s 0, s 1 Learn: nothing

Strong Conditional OT (SCOT) Input: x Learn: s. Q(x, y) Predicate Q(x, y) Input: Strong Conditional OT (SCOT) Input: x Learn: s. Q(x, y) Predicate Q(x, y) Input: y, secrets s 0, s 1 Learn: nothing

Q-SCOT Is a generalization of: n n n COT of Di Crescenzo, Ostrovsky, Rajagopalan, Q-SCOT Is a generalization of: n n n COT of Di Crescenzo, Ostrovsky, Rajagopalan, 1999 OT Secure evaluation of Q(x, y)

The GT-SCOT Protocol x 1, …, xn s 0, s 1, y 1, …, The GT-SCOT Protocol x 1, …, xn s 0, s 1, y 1, …, yn pub, pri x 1, …, xn pub x©y = (x-y)2 =x-2 xy+y f=001001 =0001249 -1 = -1 -1 0 1 3 8 r ( -1) = r 1 r 2 0 r 3 r 4 r 5 d+r ( -1) = t 1 t 2 di t 3 t 4 t 5 ( ) sj 1 19 18 r 6 t 6 x 1, …, xn pub d = x 1 -y 1, …, xn-yn f = x 1©y 1, …, xn©yn : 0 = 0, i = 2 i-1+fi : i = di + ri ( i -1) 0… 38 … 37 … : i = ½ ((s 1 -s 0) i+s 1+s 0) r 7 … t 7 … ( )

Interval-SCOT x x 1, x 2, s 0, s 1 2 DS a 1 Interval-SCOT x x 1, x 2, s 0, s 1 2 DS a 1 2 R D S GT-SCOT(a 1|a 2 ? x

Union of Intervals-SCOT x I 1, …, Ik, s 0, s 1 2 DS Union of Intervals-SCOT x I 1, …, Ik, s 0, s 1 2 DS I-SCOT(s 11|s 10 ? x 2 I 1) I-SCOT(sk 1|sk 0 ? x 2 Ik) i si? s 1 = i si 1 s 1 -s 0 = si 1 -si 0

Conclusions n n General and composable definition of SCOT solutions (GT, I, UI) ¡ Conclusions n n General and composable definition of SCOT solutions (GT, I, UI) ¡ ¡ ¡ Simple and composable Orders of magnitude improvement in communication (loss in computational efficiency in some cases) Especially efficient for transferring larger secrets ( e. g. ¼ 1000 bits )