Constant Round Oblivious Transfer in the Bounded-Storage Model
Yan Zong Ding, Danny Harnik, Alon Rosen, Ronen Shaltiel
Transcript of the presentation slides.
The Bounded Storage Model
An alternative cryptographic setting.
“Mainstream cryptography”: assume parties are time bounded (run in polynomial time).
This model: assume parties have bounded storage.
[Diagram: a long random string R of length N]
Bounded Storage Model - the setting [Maurer 92]
A long random string R is transmitted.
Honest parties store small portions of R.
The parties interact.
A malicious adversary is allowed to store almost all of R.
The random string is no longer available.
The storage bound applies only at the end of the transmit stage.
[Diagram: the long random string R of length N reaches Alice, Bob and a malicious party; the malicious party stores ¾N bits, an arbitrary function of R]
The bounded storage model
Most of the research so far focused on:
Key agreement [Mau93, CM97].
Private-key encryption [Mau92, CM97, AR99, ADR02, DR02, DM02, Lu02, Vad03].
This talk is about Oblivious Transfer (OT), an interesting and very well studied primitive in cryptography, e.g. [Rab81, EGL85, GMW87, Kil88, CK88, Cre88, BM89, BBCS91, Bea96, Cac98, DKS99, NP01, …].
In the BSM: [CCM97, Din01, HCR02].
OT in the bounded storage model: a definition
Alice holds two secrets s0, s1.
Bob holds a “choice bit” c.
A long string R is transmitted.
After the OT protocol: Bob gets sc. A malicious Bob* doesn’t learn s1-c. A malicious Alice* does not learn c.
[Diagram: Alice (s0, s1) and Bob (c) both receive the long random string R of length N; Bob ends with sc; Bob* and Alice* denote the malicious versions of the parties]
OT in the bounded storage model: previous works
Paper        Storage       Rounds
[CCM97]*     N^(2/3+δ)     N^Ω(1)
[Ding01]**   N^(1/2+δ)     Ω(log N ∙ log 1/ε)
Here         N^(1/2+δ)     5 messages
** Slightly weaker model.
Other improvements: exponentially small ε; can pass longer secrets; lower communication; low probability of abort.
Coming up…
A basic protocol (which requires too much storage).
Use a setup protocol to reduce the storage.
Interactive Hashing.
A basic protocol for OT
A long random string R = (R0, R1) is transmitted. Bob remembers Rc (½N bits). Alice remembers all of R.
Idea: use R0 and R1 to hide the secrets: R0 hides s0 and R1 hides s1.
Bob can recover sc. A malicious Bob doesn’t know both R0 and R1, so he has entropy about one of the secrets.
Method: use randomness extractors.
[Diagram: Alice (s0, s1) holds R0 and R1; Bob (c) holds Rc; Bob* stores ¾N bits and, from his point of view, R1 is a high-entropy source: “There must be an extractor here!”]
Randomness Extractors [NZ93]
Extract randomness from distributions which contain sufficient (min-)entropy.
Use a short seed of truly random bits.
The output is (close to) uniform even when the adversary knows the seed.
The relation to the BSM was pointed out by [CM97, Lu02, Vad03].
[Diagram: the extractor takes a high-entropy distribution and a seed and produces a random output; Bob* is the adversary]
A basic protocol for OT
A malicious Bob doesn’t know both R0 and R1, so he has entropy about one of the secrets.
Method: use randomness extractors. Alice sends random seeds Y0, Y1 for the extractor. The secrets are masked by the outputs of the extractor.
[Diagram: Alice (s0, s1) runs the extractor on R0 with seed Y0 to get Z0, and on R1 with seed Y1 to get Z1; Z0 hides s0 and Z1 hides s1; Bob (c) can’t learn both secrets, since the output extracted from the high-entropy source is uniform from Bob*’s point of view]
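The masking step of the basic protocol, written out as an added worked example (this is not code from the slides or from the paper). The extractor is stood in for by a Toeplitz-matrix universal hash, which the leftover hash lemma makes a strong extractor; the lengths M and L, the seeded RNG and the secrets are constructed for the example.

```python
import random

# Toy lengths, constructed for this example: each half R_b of R is M bits and
# the secrets / extractor outputs are L bits.  Real parameters are much larger.
M = 64
L = 16
SEED_LEN = M + L - 1   # an L x M Toeplitz matrix is fixed by M+L-1 seed bits


def toeplitz_extract(r_bits: int, seed: int) -> int:
    """Extractor stand-in: Toeplitz-matrix universal hash of the M-bit source r_bits.

    Row i of the matrix is seed bits [i, i+M); output bit i is the parity of
    (row_i AND r_bits).  A universal hash family is a strong extractor by the
    leftover hash lemma, so the output is close to uniform whenever r_bits has
    enough min-entropy from the adversary's point of view, even with a public seed.
    """
    out = 0
    mask = (1 << M) - 1
    for i in range(L):
        row = (seed >> i) & mask
        out |= (bin(row & r_bits).count("1") & 1) << i
    return out


def alice_send(r0: int, r1: int, s0: int, s1: int, rng: random.Random):
    """Alice, who remembers all of R = (R0, R1), sends fresh seeds and masked secrets."""
    y0 = rng.getrandbits(SEED_LEN)
    y1 = rng.getrandbits(SEED_LEN)
    return ((y0, s0 ^ toeplitz_extract(r0, y0)),
            (y1, s1 ^ toeplitz_extract(r1, y1)))


def bob_receive(msg, c: int, r_c: int) -> int:
    """Bob, who stored only R_c, unmasks s_c; without R_{1-c} the other mask is uniform to him."""
    y, masked = msg[c]
    return masked ^ toeplitz_extract(r_c, y)


def run_basic_ot(c: int, seed: int = 2004):
    """Run the basic protocol end to end with a seeded RNG; returns (Bob's output, (s0, s1))."""
    rng = random.Random(seed)
    big_r = rng.getrandbits(2 * M)        # the long random string R = (R0, R1)
    r0, r1 = big_r & ((1 << M) - 1), big_r >> M
    s0, s1 = rng.getrandbits(L), rng.getrandbits(L)
    r_c = r0 if c == 0 else r1            # all that Bob keeps once R is gone
    msg = alice_send(r0, r1, s0, s1, rng)
    return bob_receive(msg, c, r_c), (s0, s1)


if __name__ == "__main__":
    for choice in (0, 1):
        got, secrets = run_basic_ot(choice)
        print(f"c={choice}: Bob recovered {got:#06x}, s_c was {secrets[choice]:#06x}")
```

The storage cost the next slide complains about is visible here: Alice keeps all 2M bits of R and Bob keeps M of them, which is why the full construction first shrinks R0, R1 to short substrings with a setup protocol.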
Basic protocol: too much storage. Solution: use a setup protocol.
After R is transmitted, the parties store small subsets and engage in a setup protocol.
Setup protocol: the parties agree on short (N^Ω(1)) substrings R0, R1 such that:
Functionality: Alice knows R0, R1. Bob knows Rc.
Security: Bob* has a lot of entropy on R1-c. Alice* does not know c.
Then run the basic protocol on R0, R1.
[Diagram: from the long random string R of length N, Alice and Bob obtain R0 and R1 and run the basic protocol on them]
Basic idea for the setup protocol: follow key agreement [CM97]
Alice and Bob each store a random subset of R of size N^½.
Alice sends the positions of her set.
W is the positions of the intersecting subset, known only to Bob.
Agree on two sets R0, R1, both in Alice’s set, with Rc = W. Bob has high entropy about R1-c. Alice doesn’t learn c.
The step “agree on two sets R0, R1” is called Interactive Hashing.
[Diagram: Alice and Bob each store N^½ positions; Alice sends the positions of her set; Bob knows the intersection W; the setup protocol outputs R0, R1]
The story so far: a summary of the OT protocol
Basic protocol for OT, but it requires a lot of storage.
Run a setup protocol to reduce the storage.
A component in this protocol is an “interactive hashing” protocol.
[Diagram: Alice (s0, s1) and Bob (c); the long random string R of length N; the basic protocol built from interactive hashing and extractors]
Sources of improvements
Previous constructions can be viewed as complicated versions of this outline.
Using modern extractors (and samplers) improves most parameters (e.g. storage, communication, output length).
This does not give a constant number of rounds: the bottleneck is the interactive hashing protocol.
[CCM97] use the protocol from [NOVY92], which takes linearly many rounds.
We present a new 4-round interactive hashing protocol using almost t-wise independent permutations.
Note: the new protocol only applies to the information-theoretic setting.
Interactive Hashing
Bob holds an input W. At the end of the protocol both parties agree on R0, R1 such that:
Honest Bob: W = Rc, R1-c is uniform in Alice’s set, and Alice does not know c.
Malicious Bob: cannot know both strings; has high entropy about one of the strings.
Note: this has got nothing to do with the bounded storage model. Such a protocol exists for unbounded parties.
[Diagram: Bob inputs W; both parties output R0, R1]
A naïve implementation of Interactive Hashing
Let H be a family of 2-to-1 pair-wise independent hash functions h: {0,1}^n → {0,1}^(n-1).
Alice sends a random hash function h ∈R H.
Bob sends h(W).
The two pre-images of h(W) are R0, R1.
One is W; the other is uniformly distributed (because of pair-wise independence).
But Bob may choose W after he sees h!
[Diagram: Alice sends h ∈R H; Bob (holding W) replies with h(W); Bob*: “choose W after I see h”]
Interactive Hashing in [CCM97]: the NOVY protocol
Send h gradually! Alice sends “portions” of her hash function in exchange for “portions” of Bob’s replies.
Consider W as an n-bit vector.
h is an (n-1)×n matrix A with full rank and h(w) = Aw.
Send a row of A at each round (instead of all at once).
Requires n-1 rounds.
[Diagram: Alice sends the rows A1, A2, A3, … of the (n-1)×n matrix A, one per round; Bob (holding W) replies with the corresponding bits of Aw]
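The setup step and the NOVY-style interactive hashing it calls, as one added example covering both the setup slide and the two interactive hashing slides (it is not the slides' or the paper's code, and it is a drastic simplification: R has N = 64 bits, each party stores N^½ = 8 positions, each R_b is a single bit of R rather than an N^Ω(1)-bit substring, and Bob's input W is the index, in Alice's list, of the single common position). The string R and the stored positions are constructed sample input; `fresh_independent_row` is a helper of mine. The naive protocol differs from the NOVY loop only in sending all rows of A in one message, which is what lets Bob choose W after seeing h.

```python
import random

# Constructed sample input: a 64-bit "long random string" R and the positions each
# party stored (N^1/2 = 8 of them).  The two sets intersect in exactly one position, 9.
R = [int(b) for b in
     "10110011" "10001011" "01000111" "01101001"
     "01011100" "11111000" "01001101" "01100110"]
ALICE_POS = [3, 9, 14, 21, 27, 38, 47, 58]   # 8 = 2^3 positions, so W is a 3-bit index
BOB_POS = [0, 5, 9, 17, 30, 44, 51, 60]


def gf2_dot(a: int, b: int) -> int:
    """Inner product of two bit vectors over GF(2)."""
    return bin(a & b).count("1") & 1


def fresh_independent_row(rows, n: int, rng: random.Random) -> int:
    """Uniform n-bit row outside the GF(2) span of `rows`, so that the final (n-1) x n
    matrix A has full rank and h(w) = Aw is exactly 2-to-1 (helper for this example)."""
    span = {0}
    for r in rows:
        span |= {s ^ r for s in span}
    while True:
        cand = rng.getrandbits(n)
        if cand not in span:
            return cand


def novy_interactive_hashing(w: int, n: int, seed: int):
    """Interactive hashing in the NOVY style on Bob's n-bit input w.

    Alice reveals one row of A per round (n-1 rounds) and Bob answers each row with
    the single bit <a_i, w>.  Sending all of A in one message would be the naive
    protocol of the slides.  Returns the sorted pair (R0, R1) of preimages of
    h(w) = Aw, which both parties can compute from the transcript alone.
    """
    rng = random.Random(seed)
    rows, replies = [], []
    for _ in range(n - 1):
        a = fresh_independent_row(rows, n, rng)   # Alice's message this round
        rows.append(a)
        replies.append(gf2_dot(a, w))             # Bob's one-bit reply
    pre = [x for x in range(1 << n)
           if all(gf2_dot(a, x) == r for a, r in zip(rows, replies))]
    assert len(pre) == 2 and w in pre             # full rank: exactly two preimages
    return tuple(sorted(pre))


def setup_protocol(alice_pos, bob_pos, seed: int = 1):
    """Setup step of the slides in the toy setting above.

    Alice announces her positions; Bob finds the common position and encodes it as
    its index W in Alice's list.  Interactive hashing then fixes two indices R0, R1
    into Alice's list: Alice knows the bit of R at both, Bob only at R_c = W.
    Returns (Alice's view (R0 bit, R1 bit), Bob's view (c, bit at W)).
    """
    common = sorted(set(alice_pos) & set(bob_pos))
    if len(common) != 1:
        raise RuntimeError("abort: this toy version needs exactly one common position")
    n = (len(alice_pos) - 1).bit_length()         # 8 positions -> 3-bit index
    w = alice_pos.index(common[0])
    i0, i1 = novy_interactive_hashing(w, n, seed)
    c = 0 if i0 == w else 1                       # where W landed decides c
    alice_view = (R[alice_pos[i0]], R[alice_pos[i1]])
    bob_view = (c, R[common[0]])
    return alice_view, bob_view


if __name__ == "__main__":
    print(setup_protocol(ALICE_POS, BOB_POS))
```

Alice learns two indices but not which one Bob contributed; Bob learns the bit at R_c only, since the other index is a position he never stored. With real parameters R0 and R1 are substrings rather than bits and the abort probability of the intersection step is driven down, which is where the samplers mentioned on the previous slide enter.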
This Paper: 4-message Interactive Hashing
h = g ◦ P
P is an almost t-wise independent permutation on n bits (e.g. [Gow]).
g is a 2-to-1 pair-wise independent hash on n/4 bits.
Alice sends P to Bob, who replies with P(w)1…3n/4.
Alice sends g to Bob, who replies with g(P(w)3n/4…n).
Requires 4 messages.
[Diagram: Alice sends P, Bob (holding W) replies with the first 3n/4 bits of P(W); Alice sends g, Bob replies with g of the remaining bits; both parties obtain h(W)]
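The 4-message protocol h = g ∘ P, as an added example (not the slides' or the paper's code). P is stood in for by a uniformly random permutation table on n = 16 bits rather than an almost t-wise independent construction such as [Gow]; g is a 2-to-1 hash on n/4 = 4 bits whose fibres are the cosets {x, x ⊕ k} of a uniformly random nonzero k, which are exactly the fibres of a full-rank linear hash with kernel {0, k}. The bit lengths and seeds are constructed for the example; `check_transcript` is a helper of mine.

```python
import random

N_BITS = 16                          # n, the length of Bob's input W
SUFFIX_BITS = N_BITS // 4            # the n/4 bits of P(w) that g hashes
PREFIX_BITS = N_BITS - SUFFIX_BITS   # the 3n/4 bits of P(w) Bob reveals in the clear
SUFFIX_MASK = (1 << SUFFIX_BITS) - 1


def make_permutation(rng: random.Random):
    """Toy stand-in for the almost t-wise independent permutation P: a uniformly
    random permutation table on n bits (affordable for n = 16), with its inverse."""
    table = list(range(1 << N_BITS))
    rng.shuffle(table)
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse


def g_hash(k: int, x: int) -> int:
    """2-to-1 hash on n/4 bits with fibres {x, x ^ k}, k != 0: the same fibres as a
    full-rank linear map {0,1}^4 -> {0,1}^3 with kernel {0, k}, so a uniform k gives
    a pair-wise independent 2-to-1 family (with the output values relabelled)."""
    return min(x, x ^ k)


def four_message_interactive_hashing(w: int, seed: int = 7):
    """Run h = g o P between Alice (who chooses P and g) and Bob (who holds w).

    Returns the sorted preimage pair (R0, R1), the transcript (prefix, g value) and
    the public description (P, k) that lets anyone re-check the transcript.
    """
    rng = random.Random(seed)
    P, P_inv = make_permutation(rng)           # message 1, Alice -> Bob: P
    pw = P[w]
    prefix = pw >> SUFFIX_BITS                 # message 2, Bob -> Alice: P(w)_{1..3n/4}
    k = rng.randrange(1, 1 << SUFFIX_BITS)     # message 3, Alice -> Bob: g (its kernel vector)
    gval = g_hash(k, pw & SUFFIX_MASK)         # message 4, Bob -> Alice: g(P(w)_{3n/4+1..n})
    # Both parties now know h(w) = (prefix, gval).  Its two preimages are the
    # P-preimages of prefix||x for the two x in the fibre of g.
    pre = sorted(P_inv[(prefix << SUFFIX_BITS) | x] for x in (gval, gval ^ k))
    return tuple(pre), (prefix, gval), (P, k)


def check_transcript(candidate: int, transcript, public) -> bool:
    """Does `candidate` hash to the transcript under h = g o P?  Used to confirm
    that exactly two inputs do, i.e. that h is 2-to-1."""
    P, k = public
    prefix, gval = transcript
    pw = P[candidate]
    return pw >> SUFFIX_BITS == prefix and g_hash(k, pw & SUFFIX_MASK) == gval


if __name__ == "__main__":
    pair, transcript, public = four_message_interactive_hashing(0xBEEF)
    print("R0, R1 =", [hex(x) for x in pair], "transcript =", transcript)
```

Compared with the NOVY loop, Bob commits to 3n/4 bits of P(w) before g is chosen, and only n/4 bits remain for the final 2-to-1 hash; the slides' security claim rests on P being almost t-wise independent, which the random table here satisfies trivially but which a real construction must provide with a short description.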
Wrapping up
Main result: a constant round protocol for OT in the bounded storage model.
Contributions:
Simplifying and improving the previous protocols using randomness extractors.
A new constant round protocol for interactive hashing.
[Diagram: Alice (s0, s1) and Bob (c); the long random string R of length N; the basic protocol built from interactive hashing and extractors]
Further Issues
We also came up with a 3-message protocol.
N^½ is a lower bound on storage [DM04].
Open questions:
Can we mix the bounded storage model and standard cryptography?
How do protocols compose in the bounded storage model?
Can our new constant round Interactive Hashing protocol replace NOVY in computational applications?
Thank You