Strong Conditional Oblivious Transfer and Computing on Intervals Vladimir Kolesnikov Joint work with Ian F. Blake University of Toronto
Motivation for the Greater Than Predicate HAHA!! I’ll set y : = x – 0. 01 A: I would like to buy tickets to Cheju Island. B: My prices are so low, I cannot tell them! Tell me how much money you have (x), and if it’s more than my price (y), I’d sell it to you for y. A: We better securely evaluate Greater Than (GT). GT Uses: Auction systems Secure database mining Computational Geometry
Previous work on GT n n n Yao’s Two Millionaires Yao’s Garbled Circuit Rogaway, 1991 Naor, Pinkas, Sumner, 1999 Lindell, Pinkas, 2004 Sander, Young, Yung, 1999 Fischlin, 2001 Many others
Our Model A: Let’s do it in one round – I hate waiting! B: Let’s be Semi-Honest. That means we will not deviate from our protocol. We can, however, try to learn things we aren’t supposed to by observing our communication. A: Also, I will have unlimited computation power. B: That sounds complicated. Most efficient solutions won’t work (e. g. garbled circuit).
Tools – Homomorphic Encryption scheme, such that: Given E(m 1), E(m 2) and public key, allows to compute E(m 1 2) m We will need: • Additively homomorphic ( +) schemes = • Large plaintext group The Paillier scheme satisfies our requirements
Oblivious Transfer (OT) Input: bit b Learn: sb Input: secrets s 0, s 1 Learn: nothing
Strong Conditional OT (SCOT) Input: x Learn: s. Q(x, y) Predicate Q(x, y) Input: y, secrets s 0, s 1 Learn: nothing
Q-SCOT Is a generalization of: n n n COT of Di Crescenzo, Ostrovsky, Rajagopalan, 1999 OT Secure evaluation of Q(x, y)
The GT-SCOT Protocol x 1, …, xn s 0, s 1, y 1, …, yn pub, pri x 1, …, xn pub x©y = (x-y)2 =x-2 xy+y f=001001 =0001249 -1 = -1 -1 0 1 3 8 r ( -1) = r 1 r 2 0 r 3 r 4 r 5 d+r ( -1) = t 1 t 2 di t 3 t 4 t 5 ( ) sj 1 19 18 r 6 t 6 x 1, …, xn pub d = x 1 -y 1, …, xn-yn f = x 1©y 1, …, xn©yn : 0 = 0, i = 2 i-1+fi : i = di + ri ( i -1) 0… 38 … 37 … : i = ½ ((s 1 -s 0) i+s 1+s 0) r 7 … t 7 … ( )
Interval-SCOT x x 1, x 2, s 0, s 1 2 DS a 1 2 R D S GT-SCOT(a 1|a 2 ? x<x 1) GT-SCOT(b 1|b 2 ? x<x 2) ai+bj s 0 = a 1+b 1 = a 2+b 2 s 1 = a 2+b 1
Union of Intervals-SCOT x I 1, …, Ik, s 0, s 1 2 DS I-SCOT(s 11|s 10 ? x 2 I 1) I-SCOT(sk 1|sk 0 ? x 2 Ik) i si? s 1 = i si 1 s 1 -s 0 = si 1 -si 0
Conclusions n n General and composable definition of SCOT solutions (GT, I, UI) ¡ ¡ ¡ Simple and composable Orders of magnitude improvement in communication (loss in computational efficiency in some cases) Especially efficient for transferring larger secrets ( e. g. ¼ 1000 bits )
Скачать презентацию Strong Conditional Oblivious Transfer and Computing on Intervals
70f1def5add9baae7611da0f84bbdf1d.ppt