Improved OT Extension for Transferring Short Secrets Vladimir Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion)

Upload: erzsebet-toth

Post on 01-Jan-2016


TRANSCRIPT

Page 1: Improved OT Extension for Transferring Short Secrets

Improved OT Extension for Transferring Short Secrets

Vladimir Kolesnikov (Bell Labs), Ranjit Kumaresan (Technion)

Page 2: Improved OT Extension for Transferring Short Secrets

Secure Computation

• Most general problem in cryptography
• Moving fast from theory to practice
– Major research effort
• Improving (asymptotic & concrete) efficiency
• Implementation & “Systems” issues

[Figure: two parties with inputs x and y; outputs f1(x,y) and f2(x,y)]

Page 3: Improved OT Extension for Transferring Short Secrets

State of the Art (Semihonest Setting)

• Constant overhead
– [IKOS08,GGH+13]
• Optimal comm./round complexity
– [GGHR13,AJL+12,LTV12]
• ORAM-based SFE
– [LO13,GKK+12,GGH+13]
• Yao garbled circuit optimizations
– [KS08,PSSW09,MNPS04]
– [HEKM11,BHKR13]
• GMW optimizations
– [CHKMR12,SZ13,ALSZ13]
• Yao + GMW [KK12]

[Figure labels: THEORY, PRACTICE]

Page 4: Improved OT Extension for Transferring Short Secrets

Practical Computational Overhead

• Hierarchy of efficiency
• FHE >> PKE >> SKE >> one-time pad
– “LHS >> RHS” ≈ cost of LHS is, and will probably always be, by orders of magnitude, bigger than cost of RHS.
• OT Extension motivated by “PKE >> SKE”

Page 5: Improved OT Extension for Transferring Short Secrets

Talk Outline

• OT Extension

• Ishai et al. (IKNP) OT Extension

• A New Framework for IKNP

Page 6: Improved OT Extension for Transferring Short Secrets

PKE >> SKE

PKE
• E.g.: KA, OT, SFE
• Hard to implement heuristically
– More expensive

SKE
• E.g.: PRG, hash functions
• Easy to implement heuristically
– Cheaper

• Factor ~ 3-4 orders of magnitude slower
• Intel AES-NI instruction set

PKE cannot be black-box reduced to SKE [IR89]

Page 7: Improved OT Extension for Transferring Short Secrets

The Next Best Thing: Extending Primitives

• Extending public key encryption is easy
– Encrypt payload with symmetric key
– Encrypt symmetric key with public key
• Huge practical impact
• What about extending Oblivious Transfer?

[Figure labels: [IR89]; + ?]

Page 8: Improved OT Extension for Transferring Short Secrets

Oblivious Transfer (OT)

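[Figure: OT between a party holding x0, x1 and a party holding r, who obtains xr; the other side of the exchange is marked “???”]

GMW: Evaluate each AND gate in the circuit

Yao: Used to select one of two “garbled keys”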

Page 9: Improved OT Extension for Transferring Short Secrets

Cost of OT

• No black-box reduction from OT to one-way functions [IR89]
• OT length extension is easy:

[Figure: an OT on short seeds s0, s1 with choice r, followed by sending G(s0) ⊕ x0 and G(s1) ⊕ x1; labelled “efficient, black-box”]

• OT instance extension is possible [B96,IKNP03]
– Needs only k “seed” OTs to perform n >> k OTs
– Additional n symmetric key (cheap) operations
– Huge impact on SFE

Page 10: Improved OT Extension for Transferring Short Secrets

OT Extension: Prior Work

• [Beaver 96]: First OT extension
• [Ishai-Kilian-Nissim-Petrank 03] (IKNP)
– Random Oracle (RO) model or Correlation robust hash functions (CRHF)
– Most practical OT extension
• [HIKN08,IPS08,NNOB12]: Malicious adv
• [LZ13]: (In)feasibility results for OT extension

This work: Improve semihonest IKNP

Page 11: Improved OT Extension for Transferring Short Secrets

Talk Outline

• OT Extension

• Ishai et al. (IKNP) OT Extension

• A New Framework for IKNP

Page 12: Improved OT Extension for Transferring Short Secrets

[IKNP03] Strategy

[Figure: n OTs with sender inputs (x1,0, x1,1), (x2,0, x2,1), (x3,0, x3,1), …, (xn,0, xn,1) and receiver choices r1, r2, r3, …, rn, built from k OTs on s1, s2, …, sk + O(n) H; step labelled “Length Extension”]

Page 13: Improved OT Extension for Transferring Short Secrets

[IKNP03] Main Reduction

Receiver picks T ←R {0,1}^(n×k)

Sender picks s ←R {0,1}^k

[Figure: k OTs with choice bits s1, s2, …, sk; the inputs to the j-th OT are the columns tj and tj ⊕ r, for j = 1, …, k]

Sender obtains Q ∈ {0,1}^(n×k), with rows

q_i = t_i if r_i = 0
q_i = t_i ⊕ s if r_i = 1

• For 1 ≤ i ≤ n, Sender sends
y_{i,0} = x_{i,0} ⊕ H(q_i)
y_{i,1} = x_{i,1} ⊕ H(q_i ⊕ s)

• For 1 ≤ i ≤ n, Receiver outputs
z_i = y_{i,r_i} ⊕ H(t_i)

Page 14: Improved OT Extension for Transferring Short Secrets

IKNP Cost

• Communication cost of resulting OT(n,L):
– Main reduction: 2nL bits
– Length extension: 2nk bits
• Communication cost of resulting SFE:
– [Yao86]: need to transfer keys of length L = k
– [GMW87]: L = 1, cost = 2nk + 2n, optimal?

Page 15: Improved OT Extension for Transferring Short Secrets

Talk Outline

• OT Extension

• Ishai et al. (IKNP) OT Extension

• A New Framework for IKNP

Page 16: Improved OT Extension for Transferring Short Secrets

Our Work: A Closer Look at IKNP

[Figure: matrices labelled T, U and R; columns t1, t2, …, tk; columns t1 ⊕ r, t2 ⊕ r, …, tk ⊕ r; columns r, r, …, r; example rows marked ri=0 and ri=1]

Page 17: Improved OT Extension for Transferring Short Secrets

Alternate Point of View

• Row-wise encoding
0 → 0^k
1 → 1^k

[Figure: the n × k matrix R, every column equal to r; rows marked ri=0 and ri=1]

IKNP uses repetition encoding

Can we use other encodings?

R = T⊕U

Page 18: Improved OT Extension for Transferring Short Secrets

A Coding Theoretic Framework for IKNP

Suppose use code C
• Say ri comes from a larger domain {1,…,m}
• Row-wise encoding
– ri → C(ri) ∈ {0,1}^k

[Figure: the n × k matrix C(R) with rows C(r1), C(r2), …, C(rn), one per choice r1, r2, …, rn]

Page 19: Improved OT Extension for Transferring Short Secrets

A Coding Theoretic Framework for IKNP

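C(R) = T⊕U

[Figure: k OTs with choice bits s1, s2, …, sk; the inputs to the j-th OT are the columns tj and uj, for j = 1, …, k]

Sender obtains Q ∈ {0,1}^(n×k), with rows

q_1 = t_1 ⊕ (C(r_1) ⦿ s), r_1 ∈ [m]
q_2 = t_2 ⊕ (C(r_2) ⦿ s), r_2 ∈ [m]
…
q_n = t_n ⊕ (C(r_n) ⦿ s), r_n ∈ [m]

⦿ = Bit-wise AND

• For 1 ≤ i ≤ n, 1 ≤ r ≤ m, Sender sends
y_{i,r} = x_{i,r} ⊕ H(i, q_i ⊕ (C(r) ⦿ s))

• For 1 ≤ i ≤ n, Receiver outputs
z_i = y_{i,r_i} ⊕ H(i, t_i)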

Page 20: Improved OT Extension for Transferring Short Secrets

Analysis

• Cost of 1-out-of-m OT(n, L):
– Communication: (2nk+mnL) bits
• OT(n,L) 1-out-of-m OT(n/log m, L log m)
– Communication: (n/log m)(2k + mL log m) bits
• Perfect security against malicious sender
• Statistical security against semihonest receiver:
– No loss unless query H on (i, t_i ⊕ (C(r) ⦿ s)) for some r
– Loss in security: m·2^(-d), where d = min distance of C

Page 21: Improved OT Extension for Transferring Short Secrets

Efficiency

• Concrete:
– Hadamard codes for encoding
– Factor ≈ 2 for 1-out-of-2 OT and GMW for k=256
• Additional optimizations lead to factor ≈ 3.5
• Asymptotic comm. cost per OT: O(k/log k) bits
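
The coding-theoretic protocol from the framework slide, instantiated with the Hadamard encoding and k=256 named above, as an added Python example that is not from the talk or the authors' implementation. Assumptions: both roles run in one process, the k seed OTs are simulated by direct selection, SHAKE-256 stands in for H, the code is Walsh-Hadamard with m = k = 256, and choices are indexed 0..m-1 rather than 1..m.

```python
import hashlib
import secrets

K = 256  # code length = number of seed OTs (k = 256 as on the Efficiency slide)
M = 256  # 1-out-of-M OT; the Walsh-Hadamard code used here has M = K codewords

def wh_code(r: int) -> int:
    """Walsh-Hadamard codeword C(r) as a K-bit int: bit j is <r, j> mod 2."""
    return sum((bin(r & j).count("1") & 1) << j for j in range(K))

CODE = [wh_code(r) for r in range(M)]

def H(i: int, v: int, L: int) -> bytes:
    """Stand-in for H(i, .) with L-byte output: SHAKE-256 (assumption)."""
    data = i.to_bytes(4, "big") + v.to_bytes(K // 8, "big")
    return hashlib.shake_256(data).digest(L)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def kk_ot_extension(choices, messages, L):
    """n 1-out-of-M OTs of L-byte strings; returns (receiver outputs, Q, T, s)."""
    n = len(choices)
    # Receiver: random rows t_i and u_i = t_i xor C(r_i), so C(R) = T xor U.
    T = [secrets.randbits(K) for _ in range(n)]
    U = [t ^ CODE[r] for t, r in zip(T, choices)]
    # Sender: random s. Simulated seed OTs: column j of Q is column j of U
    # when s_j = 1 and column j of T otherwise, so q_i = t_i xor (C(r_i) & s).
    s = secrets.randbits(K)
    Q = [(t & ~s) | (u & s) for t, u in zip(T, U)]
    # Sender sends y_{i,r} = x_{i,r} xor H(i, q_i xor (C(r) & s)) for every r.
    Y = [[xor(messages[i][r], H(i, Q[i] ^ (CODE[r] & s), L))
          for r in range(M)] for i in range(n)]
    # Receiver outputs z_i = y_{i,r_i} xor H(i, t_i).
    Z = [xor(Y[i][choices[i]], H(i, T[i], L)) for i in range(n)]
    return Z, Q, T, s

def min_distance() -> int:
    """Minimum Hamming distance d of the code (K/2 for Walsh-Hadamard)."""
    return min(bin(CODE[a] ^ CODE[b]).count("1")
               for a in range(M) for b in range(a))
```

For any r other than r_i, the pad is H(i, t_i ⊕ ((C(r_i) ⊕ C(r)) ⦿ s)), which depends on at least d = 128 bits of s that the receiver never sees; this is where the minimum distance enters the security loss on the Analysis slide.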

Page 22: Improved OT Extension for Transferring Short Secrets

Conclusions

• OT Extension motivated by PKE >> SKE
– Huge impact on practicality of SFE
• Coding theoretic framework for [IKNP03]
– RO or “code correlation robust hash functions”
• Improvements for GMW, OT, 1-out-of-m OT
• Rethink GMW vs. Yao?
– Also [KK12], [NNOB12], [SZ13], [ALSZ13]

Page 23: Improved OT Extension for Transferring Short Secrets

Thank You!

Page 24: Improved OT Extension for Transferring Short Secrets

The research leading to these results has received funding from the European Union's Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 259426 – ERC – Cryptography and Complexity