Pownie
/
crying_computers_prep
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Done with oblivious transfer

This commit is contained in:
Alexander Munch-Hansen 2019-12-14 18:35:59 +01:00
parent f56bbe4e7e
commit 34717a3dcc
2 changed files with 793 additions and 283 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

920
notes.html
View File

File diff suppressed because it is too large Load Diff

156
notes.org
View File

@ -61,6 +61,7 @@
5) Run subproto: $e \leftarrow Open([e])$
6) Run subproto: $[z] = [w] \oplus e \cdot [x] \oplus d \cdot [y] \oplus e \cdot d$
- *Putting all of this together*: The circuit has /L/ wires; $x^1, ..., x^L$, there is only one output wire; $x^L$. First Alice and Bob run the subproto Share for each of the 2n input wires in the circuit; Then for each layer in the circuit $1,\dots,d$ alice and bob securely evaluate all gates at that layer using the subprotos XOR and AND and gates can only get input from gates at a lower level. Eventually, the value at the output wire will be ready and it can be opened to Alice, $(x, \perp) \leftarrow OpenTo(A, [x^L])$.
- OT can be used to remove the trusted dealer from BeDOZa.
**** Analysis TODO!
- We consider only semi-honest (or passive) at this point and this function is deterministic, so it's enough to prove that the output is correct and the view of a corrupted party can be simulated.
- *Correctness*: All gates are trivially correct, apart from AND: $$ w \oplus e \cdot x \oplus d \cdot y \oplus e \cdot d = uv \oplus (xy \oplus vx) \oplus (xy \oplus uy) \oplus (xy \oplus vx \oplus uy \oplus uv) = xy$.
@ -116,3 +117,158 @@
3) $\{accept, reject\} \leftarrow ver(k,t,m)$: Output accept if $t' = \alpha \cdot m + \beta$, reject ow.
*** BeDOZa
- Works with an $m$-homomorphic MAC scheme, so likely just bring this up for the last topic, which only has one paper otherwise!
* Oblivious Transfer
** Curriculum
- Definition and applications.
- Protocols with passive security (from public-key encryption with random looking keys).
- The GMW compiler (3 steps: zero-knowledge proofs, coin-flip into the well, input commitment) and how to use it to construct active secure oblivious transfers - OR -
- Explicit constructions of active secure oblivious transfer in the common reference string (PVW protocol).
** Introduction
- Main variant of Oblivious Transfer (OT) is the /1-out-of-2/ OT or (2 1)-OT for short. It's described by the functional functionality:
1) Alice inputs a choice bit $b \in \{0,1\}$
2) Bob inputs two messages $m_0, m_1$
3) Alice learns $z = m_b$
- A secure OT should not let Alice learn anything about unchosen bit and Bob should not learn which bit Alice desires.
- /1-out-of-n/ is exactly what it sounds like.
+ /1-out-of-n/ OT directly implies single two-party secure computation for some function $f(x,y)$ for $x <= n$, as Bob can create his messages $M_0, ..., M_{n-1}$ as $M_i = f(i,y)$, using his own input $y$ and Alice will then use $x$ as the choice bit, giving her $M_i$ for $i=x$, $f(x,y)$.
- OT can be used to remove the trusted dealer from BeDOZa.
+ Specifically, for the multiplication (AND) gate, the trusted dealer had to samle bits $u_a,v_a,u_b,v_b,w_b$, had to compute $w_a = (u_a \oplus u_b) \cdot (v_a \oplus v_b) \oplus w_b and then send all the subscript $A$ to Alice and vice versa for Bob.
+ This dealer can be replaced by a (4 1)-OT protocol:
1) Alice samples random bits $u_A, v_A$ and inputs $i=2 \cdot u_a + v_a$ to the OT
2) Bob samples $u_B, v_B, w_B$ and inputs to the OT: $$M_0 = (0 \oplus u_B) \cdot (0 \oplus v_B) \oplus w_B$$ $$M_1 = (0 \oplus u_B) \cdot (1 \oplus v_B) \oplus w_B$$ $$M_0 = (1 \oplus u_B) \cdot (0 \oplus v_B) \oplus w_B$$ $$M_0 = (1 \oplus u_B) \cdot (1 \oplus v_B) \oplus w_B$$
3) Alice then sets $w_A = M_i$
- There exists something called *Random OT*, which is a randomized functionality where parties have no input. The functionality samples random bits $b,s_0,s_1$ and outputs $(b,z=s_b$ to Alice and $s_0,s_1$ to Bob.
** OT from Public Key Crypto
*** With passive security and pseudorandom public keys
- The Public-key Encryption Scheme (PKE) has pseudorandom public-keys. Then the following OT-protocol has passive security:
+ *Choose*: Alice (who has a choice bit b) generates a public key $pk_b$ with a secret key $sk_b$ and samples another random string $pk_{1-b}$ whose secret key she does not know. She sends $(pk_0, pk_1)$ to Bob.
+ *Transfer*: Bob (with messages $m_0,m_1$) creates two ciphertexts $c_0,c_1$ where $c_i$ is an encryption of $m_i$ under $pk_i$. He sends $(c_0,c_1)$ to Alice.
+ *Retrieve*: Alice can only decrypt $c_b$, as she only knows $sk_b$. She learns $m_b$.
- Since keys are pseudorandom, Bob can not distinguish between the fake PK and the real one. Alice does not know the sk for the fake pk and thus she can not decrypt the undesired message.
*** Passive security with oblivious key generation
- It is not required that public keys are pseudorandom, but merely that there should be an alternative way of generating the public-keys such that:
1) Public keys generated like this looks like regular pks
2) It is not possible to learn the sk corresponding to the pks generated like this.
+ Note that we can't simply let Alice erase the sk after having computed the pk. It might not be easy to securely erase data and there is no way to verify that Alice has properly erased it. A passive party has to follow the protocol correctly, but is still allowed to look at their view and learn from this. If they have a secret key, they are allowed to use this!
- A PKE with /oblivious key generation/ is a regular *IND-CPA-secure* PKE defined by three algos *Gen, Enc, Dec*, but with an additional algo /oblivious generation/ or *OGen*. OGen outputs strings which look like regular pks. OGen must satisfy:
1) Let b be a random bit, $pk_0 \leftarrow Gen(sk)$ is the regular pk gen algo and $pk_1 \leftarrow OGen(r)$ is the oblivious pk gen algo, where sk and r are chosen uni randomly. Then no PPT algo D, s.t. $D(pk_b) = b$ with prob larger than 1/2 (Should this not HAVE to be 1/2? Otherwise if it fails with larger prob, you can just reverse the answer???)
2) It is possible to *efficiently invert* $pk \leftarrow OGen(r)$, which is denoted $r \leftarrow OGen^{-1}(pk)$
- These two props imply it's infeasible to find sk corresponding to obliviously generated pks, even if you know the randomness used to generate it;
3) There exists no PPT algo A, which can output $sk \leftarrow A(r)$ s.t. $Gen(sk) = OGen(r)$.
- $OGen^{-1}$ must be able to "explain" real pks, as if they were generated by OGen, since a distinguisher can check if $$OGen(OGen^{-1}(pk)) = pk$$ This will apply to keys generated with OGen and thus it must also apply to keys generated by regular Gen, otherwise these two would not be indistinguishable. Therefore it must also hold that: $$OGen(OGen^{-1}(Gen(sk))) = Gen(sk)$$
- However, as (Gen, Enc, Dec) is a secure scheme, then it MUST be hard to compute sk from pk generated with Gen, so $pk \leftarrow Gen(sk)$ has to be a one-way function. Thus, a contradiction; if there is an A who can break property 3, then we can invert $pk <- Gen(sk)$ by computing $$sk <- A(OGen^{-1}(pk))$$.
- Thus, for the OT protocol to be secure, we need more. The encryption scheme is still IND-CPA secure, even if encryptions are performed using a pk which is the output from OGen, even if the adversary knows the randomness used by OGen to generate that specific key.
4) For all m; let b be a random bit, $m_0 = m$, $m_1$ is a random uniform message and $pk <- OGen(r)$, then there exists no PPT algo D s.t. $D(r, Enc(pk,m_b)) = b$ with prob significantly larger than 1/2.
+ This can be proven using property 1, 2 and that PKE is IND-CPA
*** Constructing Oblivious Key Gen
- Not all functions admit an oblivious sampler, which is due to http://cs.au.dk/~orlandi/asiacrypt-draft.pdf
- Think of a pseudorandom generator PRG, which expands n-bit long seed s into a 2n bit long string y=PRG(s). A trivial sampler for PRG is the identity function which maps 2n bit strings into 2n bit strings. This function is invertible and the security of the PRG implies that the output of the PRG is indistinguishable from uniformly random 2n-bit strings.
**** El Gamal sampler
- Given the description of a group where DDH assumption is believed to hold, (G,g,q), where g is gen for G and q is order of G, ElGamal is described:
+ *Gen(sk):* Input secret key $sk = \alpha \in Z_q$, compute h = g^{\alpha}$ and out $pk = (g,h)$
+ *$Enc_{pk}(m)$:* Input message $m \in G$, sample random $r \in Z_q$, parse $pk = (g,h)$, output $C = (g^r, m \cdot h^r)$
+ *$Dec_{sk}(C)$:* parse C as $(c_1, c_2)$. Output $m = c_2 \cdot c_1^{-\alpha}$.
- We thus need to construct $OGen(r)$ which outputs $pk = (g,h)$ which is invertible and indistinguishable from $Gen$. If we pick a group where DDH is assumed to be hard, the multiplicative subgroup of order q of $Z^*_p$, where $p = 2q+1$. Now to gen a random element, we use the random string $r$ to sample $s$ between $1$ and $p$ and output $h = s^2 \mod p$. This process is invertible, since it is easy to compute square roots modulo a prime), and we can check that $h$ is distributed uni-randomly among elements of order q, as required.
*** The protocol
- *Choose:* Alice with choice bit b:
1) Samples random $sk, r$
2) Gens $pk_b <- Gen(sk)$, $pk_{1-b} <- OGen(r)$
3) Sends $(pk_0, pk_1)$ to Bob
- *Transfer Phase:* Bob with $m_0,m_1$:
1) Computes $c_0 = Enc_{pk_0}(m_0,r_0)$ and $c_1 = Enc_{pk_1}(m_1,r_1)$, using random $r_0,r_1$
2) Sends $(c_0, c_1)$ to Alice
- *Retrieve Phase:* Alice outputs $m_b <- Dec(sk, c_b)$
** The GWM-Compiler
- Uses two tools from CPT, commitments and ZK-PoK
*** Note on commitments
- Hiding, Binding
- Simple protocol based on DL:
1) R chooses random $h$ which gens $G$
2) S wants to commit to a value $x \in Z_q$. S chooses random $r \in Z_q$, computes $c = g^x h^r$ and sends $c$ to $R$
3) S sends $R$ $(x',r')$. If $c = g^{x'}h^{r'}$, $R$ outputs $x^'$ or $turnstile$ ow.
- Is unconditionally hiding, as $h^r$ is uni random in $G$.
- Is comp binding as given two pairs $(x,r),(x',r')$, one can compute the DL of $h$ in base $g$.
*** Note on ZK
- Use ideal ZK-functionalities, i.e. a model where parties have access to ideal boxes which on common input $x$ and private input $w$ from one of the parties outputs $R(x,w)$. This kind of box can in practice be replaced with any of the ZK protocols for NP-complete languages from CPT.
+ Such as Graph Nonisomorphism
*** The compiler
- We can build passive OT using any PKE scheme with OGen
+ Is only passive though, as Alice could just sample both PKs using Gen. Bob would not know this, as OGen and Gen should be indistinguishable from each other.
- Simply adding a ZK proof that some $r$ is used to generate either key.
+ $x = (pk_0,pk_1)$, $w=r$, the relation would accept if $(pk_0 = OGen(r) \text{ or } pk_1 = OGen(r))$. This can be attacked, by computing $pk_0 = Gen(sk_0), pk_1 = Gen(sk_1), r=OGen^{-1}(pk_0)$ s.t. $pk_0 = OGen(r)$, and then use $r$ for the ZK proof.
- Issue arises as Alice can choose her own randomness, however, on the other hand we can not let Bob choose this for her either.
- *Coin flip into the well* is a fix for this. Essentialy, it allows Bob to participate, without having access to the end result. Bob will choose some $r_B$ and Alice will choose some $r_A$ and these can be XORed, when Bob sends $r_B$ to Alice.
1) Alice choose random string $r_A$ and randomness $s$ for the commitment scheme. She computes $c = Com(r_A, s)$ and sends $c$ to Bob.
2) Bob choose random $r_B$ and sends this to Alice.
3) Alice computes $r = r_A \oplus r_B$ and $s$, Bob has $(c,r_B)$ in the end.
- Finally, $r$ is random, $c$ is hiding, so Bob can not base $r_B$ on $r_A$ and c is also binding, so Alice can not choose a new $r_A$.
- Now Alice can compute $pk_b = Gen(sk)$, $pk_{1-b} = OGen(r)$ using the $r$ from the coinflipping protocol. Alice will then send $(pk_0, pk_1)$ to Bob and Alice and Bob will then use ZK box for the following relation: $x = (pk_0, pk_1, c, r_B)$, witness $w = (r,s)$ and the relation outputs $1$ if: $c = Com(r \oplus r_B, s) \text{ and } (pk_0 = OGen(r) \text{ or } pk_1 = OGen(r))$.
- This addition suffices to make the aforementioned protocol actively secure. It is not always enough though, as such, a third step might be required.
*** The fucking-up protocol
- Proto
1) Alice gens $pk^1_b = Gen(sk^1)$ and $pk^1_{1-b} = OGen(r^1)$ and sends $(pk^1_0, pk^1_1)$ to Bob
2) Bob computes $e^1_0 = Enc(pk^1_0, m_0), e^1_1 = Enc(pk^1_1, m_1)$. Sends $(e^1_0, e^1_1)$ to Alice
3) Alice gens $pk^2_b = Gen(sk^2)$ and $pk^2_{1-b} = OGen(r^2)$ and sends $(pk^2_0, pk^2_1)$ to Bob
4) Bob computes $e^2_0 = Enc(pk^2_0, m_0), e^2_1 = Enc(pk^2_1, m_1)$. Sends $(e^2_0, e^2_1)$ to Alice
5) Alice outputs $m_b = Dec(sk^1, e^1_b)$
- So the protocol simply runs two copies of the original protocol /using the same inputs/. This protocol is still secure against passive corruption. If we simply compile this the same way as before (so only two steps), we get something which is not actively secure:
1) Run coin-flip proto; Alice gets $(r,s)$, parse $r = (r^1, r^2)$, bob gets $(c, r_B)$
2) Alice gens $pk^1_{1-b} = OGen(r^1)$, sends ($pk^1_0, pk^1_1)$ to Bob.
3) Alice and Bob runs ZK proof where Alice proves that $(pk^1_0 = OGen(r^1) \text{ or } pk^1_1 = OGen(r^1))$
4) Bob computes and sends $(e^1_0,e^1_1)$
5) Alice gens $pk^2_{1-b} = OGen(r^2)$, sends ($pk^2_0, pk^2_1)$ to Bob.
6) Alice and Bob runs ZK proof where Alice proves that $(pk^2_0 = OGen(r^2) \text{ or } pk^2_1 = OGen(r^2))$
7) Bob computes and sends $(e^2_0,e^2_1)$
- Clearly not secure, as Alice can change which bit she is interested between step 2 and 5. This results in her having Bob encrypt both $m_0$ and $m_1$ using the actual encryption key, so she can learn both.
- Is fixed by having Alice also commit to her input bit.
1) Alice with input $b$ choosen random $r_A,s,t$, computes $c = Com(r_A,s)$ and $d = Com(b,t)$. Sends $(c,d)$ to Bob.
2) Alice and Bob perform ZK proof where $x = (c,d)$, $w = (b,r_A,s,t)$ and $R(x,w)=1$ if $c = Com(r_A,s) \text{ or } d = Com(b,t)$.
3) Bob choose $r_B$ and sends to Alice
4) Alice computes $r = r_A \oplus r_B$, choose random $sk$ and computes $pk_b = Gen(sk)$ and $pk_{1-b} = OGen(r)$. Sends $(pk_0,pk_1)$ to Bob
5) Alice and Bob perform another ZK proof; $x = (c,d,r_B,pk_0,pk_1)$, $w = (b,r_A,s,t)$, $R(x,w) = 1$ if: $c = Com(r \oplus r_B, s) \text{ and } d = Com(b,t) \text{ and } pk_{1-b} = OGen(r_A \oplus r_B)$. Note that the final and can be computed due to the simulator learning the witness.
6) Bob sends $(e_0,e_1)$ to Alice, $e_i = Enc(pk_i,m_i)$.
7) Alice outputs $m_b = Dec(sk, e_b)$.
- The protocol is proven secure against an actively corrupted Alice by constructing a simulator. Remember that in the hybrid model the simulator simulates all calls to the ZK box. In other words, every time Alice inputs something to the ZK box the simulator learns w. The simulator uses the corrupted A as a subroutine and works as follows:
1) S receives $(c,d)$ from A
2) S receives $w = (b,r_A,s,t)$ from A
3) S sends random $r_B$ to A
4) S receives $(pk_0, pk_1)$ from A
5) S receives $w' = (b', r'_A, s', t')$ from A
6) If $w' \neq w$ or $pk_{1-b} \neq OGen(r_A \oplus r_B)$ (which we have access to through the witness), then abort. O.w. sim inputs $b$ to the ideal func and learns $m_b$.
7) The sim computes $e_b = Enc(pk_b, m_b)$ and $e_{1-b} = Enc(pk_{1-b}, 0)$ (we don't know the other message, but since the Enc system is neat, we're guchi) and outputs the view for Alice $(b,t,r,s,r_B,e_0,e_1)$.
- Informally, there are only two differences from the view of the simulator and of Alice;
1) The simulation aborts if $w' \neq w$ while real proto continues as long as $Com(b',t') = Com(b,t)$ and $Com(r'_A,s') = Com(r_A,s)$. However, if this happens in the protocol, then A can be used to break the binding property of $Com$, thus reaching a contradiction of $Com$ being a nice.
2) In the sim, $e_{1-b} = Enc(pk_{1-b},0)$, while in the proto $e_{1-b} = Enc(pk_{1-b}, m_{1-b})$. If the distinguisher succeeds, then we can break the IND-CPA (chosen plaintext attack) security of the underlying scheme.
1) Receive pk from the ind-cpa challenger
2) Query the ind-cpa challenger with messages (case 0) $m_{1-b}$ and (case 1) $0$ and receive a challenge text $e^*$
3) Construct a simulated view where $r_B = r_A \oplus OGen^{-1}(pk)$ and $e_{1-b} = e^*$ and give these to the distinguisher. If the distinguisher thinks the view is from a real proto, guess case 0, o.w. guess case 1.
** Efficient Active Secure OT
- GMW compiler has massive overhead and leads to very inefficient protocols
- Thus, we have to come up with another way of making sure that Alice does not know the secret key of the fake public key.
*** El Gamal based encryption scheme
- (G,g,q) is a group where DDH is hard
- *Key gen*: PKs are for group elements $(g,h,u,v)$ and sk is $x \in Z_q$ s.t. $u = g^x$, $v = h^x$.
- *Enc*: To encrypt $m \in G$, choose random $r,s \in_R Z_q$ and out $(c,d) = (g^r h^s, m \cdot u^r v^s)$
- *Dec*: $m = d \cdot c^{-x}$, so like El Gamal
- What on the face of earth is this proof? Something with no one knowing if the pk is a DDH tuple
*** The active secure OT proto
- We assume existence of a trust dealer who can output a common random string to both parties. This dealer can be replaced with a secure coin-flipping protocol
- *Setup*: Use group $(G,g,q)$ with order $q$, gen by $g$. Trusted Dealer outputs four random group elements: $crs = (g_0,h_0,g_1,h_1)$ to Alice and Bob
- *Choose*: Alice with input $b \in \{0,1\}$, samples $x \in_R Z_q$, computes $(u,v) = (g^x_b, h^x_b)$, sends $(u,v)$ to Bob.
- *Transfer*: Bob with $m_0, m_1 \in G$ defines $pk_0 = (g_0, h_0, u,v)$ and $pk_1 = (g_1,h_1,u,v)$, samples $r_0,s_0,r_1,s_1 \in_R Z_q$ and computes: $e_0 = Enc(pk_0,m_0;r_0,s_0)$ and $e_1 = Enc(pk_1,m_1;r_1,s_1)$ and sends these to Alice
- *Retrieve*: Alice computes $m_b = Dec(x,e_b)$.
- Neither Alice nor Bob can determine if $(g_0,h_0,g_1,h_1)$ is a DDH tuple or not
- if $(g_0,h_0,g_1,h_1)$ is not a DDH tuple, then at most one of $pk_0,pk_1$ is a DDH tuple, which implies that the encryption using the wrong key is information-theoretically secure.
- If $(g_0,h_0,g_1,h_1)$ is a DDH tuple, then $(u,v)$ perfectly hides choice bit $b$; if $(g_0,h_0,g_1,h_1)$ is a DDH tuple, then $h_0 = g^\alpha_0$ and $h_1 = g^\alpha_1$, with the same $\alpha$, meaning that given $(u,v)$ there exists $x_0,x_1$ s.t. $(u,v) = (g^{x_0}_0,h^{x_0}_0) = (g^{x_1}_1,h^{x_1}_1)$
*** Formal proof
- When Alice is corrupted:
1) The sim choose $crs$ as a non-DDH tuple, it gens $(g_0,h_0,g_1,h_1)$ s.t. $h_0 = g^{\alpha_0}_0$, $h_1 = g^{\alpha_1}_1$, s.t. $\alpha_0 \neq \alpha_1$.
2) The sim extracts input bit of Alice from $(u,v)$ by finding $b$ s.t. $v = u^{\alpha_b}$ and if no such $b$ exists s.t. the relation holds, set $b=0$.
3) The sim inputs $b$ to the ideal func and learns $m_b$, defines $m_{1-b} = 0$. Sim sends $(Enc(pk_0,m_0), Enc(pk_1,m_1))$ to corrupt Alice
- This sim is statistically indistinguishable from the protocol as most $crs$ are not a DDH tuple, in which case encryptions under $pk_{1-b}$ are perfectly secure
- When Bob is corrupted:
1) The sim choose $crs$ as a DDH tuple, it gens $(g_0,h_0,g_1,h_1)$ s.t. $h_0 = g^{\alpha}_0$, $h_1 = g^{\alpha}_1$, and $g_1 = g^\beta_0
2) The sim computes random $x_1$ and $(u,v) = (g^{x_1}_1, h^{x_1}_1)$. The sim also defines $x_0 = x_1 \cdot \beta$, now $(u,v) = (g^{x_0}_0, h^{x_0}_0)$ due to the definition of $x_0$.
3) The sim receives $(e_0,e_1)$ from corrupt Bob, compute $m_0 = Dec(x_0,e_0)$ and $m_1 = Dec(x_1, e_1)$ and inputs them to ideal func.
- View of Bob in sim is computationally indistinguishable from proto, only diff is the distribution of the crs.
- Showing that output of the honest Alice in the sim, is identical to the output of the honest alice in the proto, is left out of the proof.