Improved OT Extension for Transferring Short Secrets
Vladimir Kolesnikov (Bell Labs), Ranjit Kumaresan (Technion)
Secure Computation
• Most general problem in cryptography
• Moving fast from theory to practice
– Major research effort
• Improving (asymptotic & concrete) efficiency
• Implementation & “Systems” issues
[Figure: two parties hold inputs x and y and learn f1(x,y) and f2(x,y) respectively]
State of the Art (Semihonest Setting)
• Constant overhead – [IKOS08, GGH+13]
• Optimal comm./round complexity – [GGHR13, AJL+12, LTV12]
• ORAM-based SFE – [LO13, GKK+12, GGH+13]
• Yao garbled circuit optimizations – [KS08, PSSW09, MNPS04], [HEKM11, BHKR13]
• GMW optimizations – [CHKMR12, SZ13, ALSZ13]
• Yao + GMW [KK12]
[Figure: the lines above are arranged along an axis from THEORY to PRACTICE]
Practical Computational Overhead
• Hierarchy of efficiency
• FHE >> PKE >> SKE >> one-time pad
– “LHS >> RHS” ≈ the cost of LHS is, and will probably always be, bigger than the cost of RHS by orders of magnitude.
• OT Extension motivated by “PKE >> SKE”
Talk Outline
• OT Extension
• Ishai et al. (IKNP) OT Extension
• A New Framework for IKNP
PKE >> SKE
PKE
• E.g.: KA, OT, SFE
• Hard to implement heuristically
– More expensive
SKE
• E.g.: PRG, hash functions
• Easy to implement heuristically
– Cheaper
• Factor: PKE is ~3–4 orders of magnitude slower than SKE
• Intel AES-NI instruction set
PKE cannot be black-box reduced to SKE [IR89]
The Next Best Thing: Extending Primitives
• Extending public key encryption is easy
– Encrypt payload with symmetric key
– Encrypt symmetric key with public key
• Huge practical impact
• What about extending Oblivious Transfer?
[Figure: a few PKE operations plus many SKE operations; by [IR89] this cannot be a black-box reduction of PKE to SKE]
Oblivious Transfer (OT)
[Figure: Sender holds x0, x1; Receiver holds choice bit r and learns xr, and nothing about the other input; Sender learns nothing about r]
• GMW: OT is used to evaluate each AND gate in the circuit
• Yao: OT is used to select one of two “garbled keys”
Cost of OT
• No black-box reduction from OT to one-way functions [IR89]
• OT length extension is easy:
[Figure: one OT on short seeds s0, s1 with choice bit r; Sender then sends G(s0) ⊕ x0 and G(s1) ⊕ x1, so Receiver recovers xr from G(sr); efficient, black-box]
• OT instance extension is possible [B96, IKNP03]
– Needs only k “seed” OTs to perform n >> k OTs
– Additional n symmetric key (cheap) operations
– Huge impact on SFE
OT Extension: Prior Work
• [Beaver 96]: First OT extension
• [Ishai-Kilian-Nissim-Petrank 03] (IKNP)
– Random Oracle (RO) model or correlation robust hash functions (CRHF)
– Most practical OT extension
• [HIKN08, IPS08, NNOB12]: Malicious adversary
• [LZ13]: (In)feasibility results for OT extension
This work: Improve semihonest IKNP
Talk Outline
• OT Extension
• Ishai et al. (IKNP) OT Extension
• A New Framework for IKNP
[IKNP03] Strategy
[Figure: the n target OTs on inputs (x_{i,0}, x_{i,1}) with choice bits r_i, for i = 1, …, n, are reduced to k seed OTs on s_1, …, s_k plus O(n) evaluations of H, followed by length extension]
[IKNP03] Main Reduction
Receiver picks T ←_R {0,1}^{n×k}, with rows t_1, …, t_n; Sender picks s ←_R {0,1}^k.
[Figure: via the k seed OTs, for each column j the Sender receives column j of T if s_j = 0 and column j of T ⊕ (r repeated k times) if s_j = 1]
Sender obtains Q ∈ {0,1}^{n×k} whose rows satisfy
q_i = t_i if r_i = 0, and q_i = t_i ⊕ s if r_i = 1.
• For 1 ≤ i ≤ n, Sender sends y_{i,0} = x_{i,0} ⊕ H(q_i) and y_{i,1} = x_{i,1} ⊕ H(q_i ⊕ s)
• For 1 ≤ i ≤ n, Receiver outputs z_i = y_{i,r_i} ⊕ H(t_i)
IKNP Cost
• Communication cost of resulting OT(n, L):
– Main reduction: 2nL bits
– Length extension: 2nk bits
• Communication cost of resulting SFE:
– [Yao86]: need to transfer keys of length L = k
– [GMW87]: L = 1, cost = 2nk + 2n; optimal?
Talk Outline
• OT Extension
• Ishai et al. (IKNP) OT Extension
• A New Framework for IKNP
Our Work: A Closer Look at IKNP
[Figure: the matrix the seed OTs operate on is U = T ⊕ R, where row i of R is the choice bit r_i repeated k times; for r_i = 0 row i of U equals t_i, for r_i = 1 it equals the complement of t_i]
Alternate Point of View
• Row-wise encoding: 0 → 0^k, 1 → 1^k
[Figure: R is the n×k matrix whose row i is r_i encoded as k repeated bits; R = T ⊕ U]
• IKNP uses repetition encoding
• Can we use other encodings?
A Coding Theoretic Framework for IKNP
• Suppose we use a code C
• Say r_i comes from a larger domain {1, …, m}
• Row-wise encoding
– r_i → C(r_i) ∈ {0,1}^k
[Figure: C(R) is the n×k matrix with rows C(r_1), C(r_2), …, C(r_n)]
A Coding Theoretic Framework for IKNP
Receiver holds T and U with C(R) = T ⊕ U; Sender picks s = s_1 … s_k and, via the seed OTs, receives column j of T if s_j = 0 and column j of U if s_j = 1.
Sender obtains Q ∈ {0,1}^{n×k} with rows
q_i = t_i ⊕ (C(r_i) ⦿ s), where r_i ∈ [m] and ⦿ denotes bit-wise AND.
• For 1 ≤ i ≤ n and 1 ≤ r ≤ m, Sender sends y_{i,r} = x_{i,r} ⊕ H(i, q_i ⊕ (C(r) ⦿ s))
• For 1 ≤ i ≤ n, Receiver outputs z_i = y_{i,r_i} ⊕ H(i, t_i)
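The framework's main reduction run end to end, as an added example (my own code, not the authors' implementation): it uses a Walsh-Hadamard code for C, SHA-256 as a stand-in for the random oracle H, toy parameters, and simulates the k seed OTs locally instead of running a real base-OT protocol.

```python
import hashlib
import secrets

# Toy parameters, constructed for this demo: K seed OTs, 1-out-of-M OT on
# N secrets of L bits each (the talk's concrete setting uses k = 256).
K, M, N, L = 128, 16, 6, 8

def hadamard(r: int) -> int:
    """Codeword C(r) in {0,1}^K as a K-bit int: bit j is <r, j> mod 2."""
    return sum((bin(r & j).count("1") & 1) << j for j in range(K))

def H(i: int, v: int) -> int:
    """Stand-in for the random oracle H(i, .): SHA-256 truncated to L bits."""
    data = i.to_bytes(4, "big") + v.to_bytes(K // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << L) - 1)

def column(rows, j):
    """Column j of an N x K bit matrix held as K-bit row integers."""
    return sum(((row >> j) & 1) << i for i, row in enumerate(rows))

def rows_from_columns(cols):
    """Inverse of column(): rebuild the N row integers from K column integers."""
    return [sum(((c >> i) & 1) << j for j, c in enumerate(cols)) for i in range(N)]

def extend(x, R):
    """x[i][r]: the sender's M secrets for OT i; R[i] in [M]: the receiver's choice."""
    # Receiver: random T and U = T xor C(R), row-wise (so C(R) = T xor U).
    T = [secrets.randbits(K) for _ in range(N)]
    U = [t ^ hadamard(r) for t, r in zip(T, R)]
    # Sender: random s; the K seed OTs (roles reversed) hand it column j of T
    # when s_j = 0 and column j of U when s_j = 1. Simulated locally here.
    s = secrets.randbits(K)
    Q = rows_from_columns([column(U if (s >> j) & 1 else T, j) for j in range(K)])
    # Row-wise this is exactly q_i = t_i xor (C(r_i) AND s).
    # Sender: y_{i,r} = x_{i,r} xor H(i, q_i xor (C(r) AND s)) for every r in [M].
    Y = [[x[i][r] ^ H(i, Q[i] ^ (hadamard(r) & s)) for r in range(M)] for i in range(N)]
    # Receiver: z_i = y_{i,r_i} xor H(i, t_i). The mask cancels because
    # q_i xor (C(r_i) AND s) = t_i; for r != r_i the hash input differs from t_i
    # wherever (C(r) xor C(r_i)) AND s is 1, i.e. in bits of s the receiver never sees.
    return [Y[i][R[i]] ^ H(i, T[i]) for i in range(N)]

def demo() -> bool:
    """Run one extension on random inputs; True iff every z_i equals x_{i,r_i}."""
    x = [[secrets.randbits(L) for _ in range(M)] for _ in range(N)]
    R = [secrets.randbelow(M) for _ in range(N)]
    z = extend(x, R)
    return all(z[i] == x[i][R[i]] for i in range(N))
```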
Analysis
• Cost of 1-out-of-m OT(n, L):
– Communication: (2nk + mnL) bits
• OT(n, L) via 1-out-of-m OT(n/log m, L·log m)
– Communication: (n/log m)(2k + mL·log m) bits
• Perfect security against malicious sender
• Statistical security against semihonest receiver:
– No loss unless H is queried on (i, t_i ⊕ (C(r) ⦿ s)) for some r
– Loss in security: m·2^{-d}, where d = minimum distance of C
Efficiency
• Concrete:
– Hadamard codes for encoding
– Factor ≈ 2 for 1-out-of-2 OT and GMW for k = 256
• Additional optimizations lead to factor ≈ 3.5
• Asymptotic comm. cost per OT: O(k/log k) bits
Conclusions
• OT Extension motivated by PKE >> SKE
– Huge impact on practicality of SFE
• Coding theoretic framework for [IKNP03]
– RO or “code correlation robust hash functions”
• Improvements for GMW, OT, 1-out-of-m OT
• Rethink GMW vs. Yao?
– Also [KK12], [NNOB12], [SZ13], [ALSZ13]
Thank You!
The research leading to these results has received funding from the European Union's Seventh Framework
Programme (FP7/2007-2013) under grant agreement no. 259426 – ERC – Cryptography and Complexity