ISBN 978-952-5726-06-0 Proceedings of the 2009 International Workshop on Information Security and Application (IWISA 2009) Qingdao, China, November 21-22, 2009
© 2009 ACADEMY PUBLISHER AP-PROC-CS-09CN004

A Novel Unconditionally Secure Oblivious Polynomial Evaluation Protocol

H. Vanishree (1) and Koshy George (2)

(1) P.E.S. Institute of Technology, Bangalore, India, email: [email protected]
(2) P.E.S. Institute of Technology, Bangalore, India, email: [email protected]

Abstract—Oblivious polynomial evaluation is a protocol involving two parties, a sender whose input is a polynomial P , and a receiver whose input is a value x. At the end of the protocol, the receiver learns P (x) and nothing more about P , while the sender remains oblivious of both x and P (x). It is used as a primitive in many applications including protocols for private comparison of data, for mutually authenticated key exchange based on (possibly weak) passwords, and for anonymous coupons. In this paper, we describe a novel unconditionally secure oblivious polynomial evaluation protocol.

Keywords—Multi-Party Computation, Oblivious Transfer, Oblivious Polynomial Evaluation.

I. INTRODUCTION

In a Multi-Party Computation (MPC) protocol [7], there are a number of participants and each holds some private data. The participants want to compute the value of a public function at the point that corresponds to the data that they hold. With a secure MPC protocol, no participant can learn information about the private data of the other participants that could not have been deduced from the description of the public function and the result of the global calculation. One of the prominent primitives of MPC is Oblivious Transfer (OT) [1, 2, 3, 4, 5, 11, 14]. OT protocols serve as building blocks in the solution of other MPC problems [15, 16].

One of the most profound achievements of research in the foundations of cryptography in the direction of OT is that for every polynomially computable function f(·, ·) there exists a (polynomially computable) protocol with which a receiver who knows x and a sender who knows y can jointly compute the value of f(x, y) in a way that does not reveal to either side more information than can be deduced from f(x, y). One such function, which is an important application of OT, is Oblivious Polynomial Evaluation (OPE), introduced by Naor and Pinkas [17]. In an OPE problem the input of the sender is a polynomial P of degree k over some field F. The receiver can get the value P(x) for any element x ∈ F without learning anything else about P and without revealing to the sender any information about x.

Note that any function from m bits to m bits can be represented as a polynomial over the finite field GF(2^m), but its degree could be as high as 2^m − 1. So one would like to focus on those functions that can be represented by low-degree polynomials. This turns out to have several interesting applications [9, 11, 17]. The scheme proposed in [17] is much more efficient than the conventional way of going through oblivious circuit evaluation protocols, but its security is based on two assumptions. One assumption is the existence of a secure OT protocol, while the other, a new one, is the intractability of a Noisy Polynomial Interpolation problem. It was later shown in [3] that this new assumption may be much weaker than expected, and the use of a possibly stronger intractability assumption on a Polynomial Reconstruction Problem was suggested. The protocol presented in [9] is based on the assumption that the Decisional Diffie-Hellman (DDH) assumption also holds over the group $\mathbb{Z}_{n^2}$, where n is the product of two large primes. Contrary to the well-studied DDH over $\mathbb{Z}_n$, the hardness of this problem in this new setting is yet to be studied.

In this paper, a novel OPE protocol is proposed.

II. PROPOSED PROTOCOL

A. Problem Statement

The problem of OPE is formally defined by specifying the input and output of its functionality as a two-party protocol run between a receiver and a sender over a field F as follows:

Definition 1:

Input:
– Sender: A kth degree polynomial P over a finite field F: $P(\alpha) = \sum_{i=0}^{k} a_i \alpha^i$.
– Receiver: A value x ∈ F.

Output:
– Sender: Nothing.
– Receiver: P(x).

Initialization: Sender chooses an arbitrary generator of F, $g_S$, and a random element $r_S \in F$. Receiver also chooses an arbitrary generator, $g_R$, and three random elements $r_{R1}, r_{R2}, r_{R3} \in F$. All computations of the protocol are done in F.

Protocol:

Step 1: Sender computes $m_1$ defined as $m_1 \triangleq a_0 g_S^{r_S}$, and sends it to Receiver.

Step 2: Receiver computes $m_{2i}$, $0 \le i \le k$, defined as $m_{20} \triangleq m_1 g_R^{r_{R1}} - r_{R2}$ and $m_{2i} \triangleq x^i g_R^{r_{R3}}$ for $1 \le i \le k$, and sends them to Sender.

Step 3: Sender computes $m_3$ defined as $m_3 \triangleq g_S^{r_S} \sum_{i=1}^{k} a_i m_{2i} = g_S^{r_S} \left(\sum_{i=1}^{k} a_i x^i\right) g_R^{r_{R3}}$, and sends it to Receiver.

Step 4: Receiver computes $m_4$ defined as $m_4 \triangleq m_3 \left(g_R^{r_{R3}}\right)^{-1} g_R^{r_{R1}} + r_{R2}$, and sends it to Sender. Clearly, $m_4 = g_S^{r_S} \left(\sum_{i=1}^{k} a_i x^i\right) g_R^{r_{R1}} + r_{R2}$.

Step 5: Sender computes $m_5$ defined as $m_5 \triangleq \left(g_S^{r_S}\right)^{-1} (m_{20} + m_4)$, and sends it to Receiver. Clearly, $m_5 = \left(g_S^{r_S}\right)^{-1} \left( a_0 g_S^{r_S} g_R^{r_{R1}} - r_{R2} + g_S^{r_S} \left(\sum_{i=1}^{k} a_i x^i\right) g_R^{r_{R1}} + r_{R2} \right) = P(x)\, g_R^{r_{R1}}$.

Step 6: Receiver computes P(x) as $m_5 \left(g_R^{r_{R1}}\right)^{-1} = P(x)\, g_R^{r_{R1}} \left(g_R^{r_{R1}}\right)^{-1} = P(x)$.

B. Security Analysis

The security requirements of an OPE protocol can be divided into Receiver's privacy and Sender's privacy.

Theorem 1: Receiver gets unconditional privacy.

Proof: As the random elements chosen by Receiver are kept secret all through the protocol, Sender remains oblivious of x. This is because, for any probabilistic polynomial-time B' executing Sender's part, and for any x and x' in F, the views that B' sees in the case where Receiver's input is x and in the case where Receiver's input is x' are unconditionally indistinguishable.

Theorem 2: Sender gets unconditional privacy.

Proof: Sender obscures P using $g_S^{r_S}$, which is randomly chosen. This evidently follows from the fact that, for every probabilistic polynomial-time machine A substituting Receiver, there exists a probabilistic polynomial-time machine A' that plays Receiver's role in the ideal implementation, such that the view of A and the output of A' are unconditionally indistinguishable.

Comment: The description of the protocol in terms of generators, as is evident from the security analysis of the protocol, is only to conform to the conventional method of describing finite field elements and does not in any way dictate the security of the protocol. As each party is oblivious of the arbitrary generator and random elements chosen by the other party, the random powers of the generators in the protocol can be replaced by the corresponding random elements of the field themselves.

C. Complexity Analysis

The cost of most of the previously proposed OPE protocols mainly depends on the number of exponentiations in the finite field. Following from the aforementioned comment, the major computation step in the protocol boils down to multiplications in the finite field. Hence, for every invocation of the protocol, Sender essentially performs $k + 1$ multiplications and Receiver $\sum_{i=1}^{k} \log_2 i + k + 2$ multiplications, and each of them performs one inverse operation in the finite field.
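The six-step exchange of Section II, carried through as an added example that is not part of the paper and not the authors' code. It is my Python; the prime field GF(2^31 − 1), the generator 7 and the sample inputs are constructed assumptions. run_ope plays both parties for one invocation and returns the Receiver's output together with the transcript. The two helpers after it replay, using only the message definitions in Steps 1 to 3, what each party can compute from what it receives: every $m_{2i}$ with $i \ge 1$ carries the common factor $g_R^{r_{R3}}$, so Sender obtains $x = m_{22}\, m_{21}^{-1}$ whenever $k \ge 2$ and $x \ne 0$; and since Receiver knows $g_R^{r_{R3}}$, it obtains $a_0$ from $m_1$, $m_3$ and $P(x)$ whenever $a_0$ and $P(x)$ are nonzero. Both checks follow directly from the step definitions and are worth weighing against Theorems 1 and 2 before the protocol is deployed.

```python
import secrets

# Constructed parameters (assumption, not from the paper): the prime field
# GF(p) with p = 2^31 - 1; 7 is a primitive root mod p, so g = 7 generates GF(p)*.
P_MOD = 2**31 - 1
G = 7


def rand_exp():
    """Random exponent in [1, p-2]; g^r is then a nonzero, invertible element."""
    return 1 + secrets.randbelow(P_MOD - 2)


def inv(a):
    """Multiplicative inverse in GF(p) via Fermat; a must be nonzero."""
    return pow(a, P_MOD - 2, P_MOD)


def poly_eval(coeffs, x):
    """Plain P(x) = sum a_i x^i, used only to check the protocol's output."""
    return sum(a * pow(x, i, P_MOD) for i, a in enumerate(coeffs)) % P_MOD


def run_ope(coeffs, x):
    """Run Steps 1-6 with Sender input coeffs = [a_0, ..., a_k] and Receiver input x.

    Returns (receiver_output, transcript). The transcript holds the messages
    m1..m5 plus each party's own random elements, so the helpers below can
    replay what each party sees."""
    k = len(coeffs) - 1
    # Initialization: Sender's g_S^{r_S}; Receiver's g_R^{r_R1}, r_R2, g_R^{r_R3}
    gs_rs = pow(G, rand_exp(), P_MOD)
    gr_r1 = pow(G, rand_exp(), P_MOD)
    r_r2 = secrets.randbelow(P_MOD)        # additive mask, any field element
    gr_r3 = pow(G, rand_exp(), P_MOD)
    # Step 1: m1 = a_0 g_S^{r_S}                                  (Sender -> Receiver)
    m1 = coeffs[0] * gs_rs % P_MOD
    # Step 2: m20 = m1 g_R^{r_R1} - r_R2, m2i = x^i g_R^{r_R3}    (Receiver -> Sender)
    m2 = [(m1 * gr_r1 - r_r2) % P_MOD]
    m2 += [pow(x, i, P_MOD) * gr_r3 % P_MOD for i in range(1, k + 1)]
    # Step 3: m3 = g_S^{r_S} sum_{i>=1} a_i m2i                    (Sender -> Receiver)
    m3 = gs_rs * sum(coeffs[i] * m2[i] for i in range(1, k + 1)) % P_MOD
    # Step 4: m4 = m3 (g_R^{r_R3})^{-1} g_R^{r_R1} + r_R2          (Receiver -> Sender)
    m4 = (m3 * inv(gr_r3) % P_MOD * gr_r1 + r_r2) % P_MOD
    # Step 5: m5 = (g_S^{r_S})^{-1} (m20 + m4)                     (Sender -> Receiver)
    m5 = inv(gs_rs) * (m2[0] + m4) % P_MOD
    # Step 6: Receiver strips its own mask: P(x) = m5 (g_R^{r_R1})^{-1}
    out = m5 * inv(gr_r1) % P_MOD
    transcript = {"m1": m1, "m2": m2, "m3": m3, "m4": m4, "m5": m5,
                  "sender_secret": gs_rs, "receiver_secret": (gr_r1, r_r2, gr_r3)}
    return out, transcript


def x_from_sender_view(transcript):
    """Sender-side check using only the Step 2 messages: every m2i with i >= 1
    carries the same factor g_R^{r_R3}, so m22 * m21^{-1} = x when k >= 2 and
    x != 0. Returns None when k < 2 or x = 0."""
    m2 = transcript["m2"]
    if len(m2) < 3 or m2[1] == 0:
        return None
    return m2[2] * inv(m2[1]) % P_MOD


def a0_from_receiver_view(transcript, px):
    """Receiver-side check using m1, m3 and its own g_R^{r_R3}:
    m3 (g_R^{r_R3})^{-1} m1^{-1} = Q(x)/a_0 with Q(x) = P(x) - a_0, hence
    a_0 = P(x) / (1 + Q(x)/a_0). Returns None when a_0 = 0 or P(x) = 0."""
    m1, m3 = transcript["m1"], transcript["m3"]
    gr_r3 = transcript["receiver_secret"][2]
    if m1 == 0:
        return None
    ratio = m3 * inv(gr_r3) % P_MOD * inv(m1) % P_MOD     # Q(x)/a_0
    denom = (1 + ratio) % P_MOD                           # P(x)/a_0
    if denom == 0:
        return None
    return px * inv(denom) % P_MOD


if __name__ == "__main__":
    coeffs, x = [5, 3, 0, 11], 123456            # constructed sample inputs
    px, tr = run_ope(coeffs, x)
    print("P(x) via protocol:", px, "direct:", poly_eval(coeffs, x))
    print("x recovered from Sender's view:", x_from_sender_view(tr))
    print("a_0 recovered from Receiver's view:", a0_from_receiver_view(tr, px))
```

Running the file prints the protocol output beside the direct evaluation and the two recovered values. Replacing the generator powers by fresh random field elements, as the Comment in II.B allows, changes neither check: both depend only on the factors shared between messages, not on how those factors were produced.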

III. APPLICATIONS OF OPE

There are two major applications of an OPE protocol. One is whenever k-wise independence can replace full independence or pseudo-randomness [8, 11]. Such a property is required, for example, in the construction of anonymous coupons that enable anonymous usage of limited resources (e.g., for constructing an anonymous complaint box). The other type of application uses OPE for comparing information without leaking it, or for preserving anonymity when Receiver must compute the value of a polynomial at a certain point. Applications of this nature include a protocol that allows reliable and privacy-preserving metering [9].

IV. CONCLUSIONS

A novel oblivious polynomial evaluation protocol is proposed in this paper. The analyses show that the protocol provides unconditional security, as against the computational security provided by the previously existing protocols. The main computational bottleneck of the existing constructions is the OT protocol, the computational cost of which is essentially exponentiations in finite fields. As another major asset of the protocol, this overhead is obviated and hence the protocol is shown to be more efficient.

References

[1] M. Bellare and S. Micali, "Non-interactive oblivious transfer and applications", in Proceedings of Advances in Cryptology - CRYPTO '89, vol. 435, pp. 547−557, 1989.
[2] C. H. Bennett, G. Brassard, C. Crépeau, and M.-H. Skubiszewska, "Practical quantum oblivious transfer", in Proceedings of Advances in Cryptology - CRYPTO '91, vol. 576, pp. 351−366, 1991.
[3] D. Bleichenbacher and P. Nguyen, "Noisy polynomial interpolation and noisy Chinese remaindering", in EUROCRYPT 2000, pp. 53−69, 2000.
[4] C. Blundo, P. D'Arco, A. D. Santis, and D. Stinson, "New results on unconditionally secure distributed oblivious transfer", in Proceedings of SAC '02, vol. 2595, pp. 291−309, 2002.
[5] C. Cachin, C. Crépeau, and J. Marcil, "OT with a memory-bounded receiver", in Proceedings of the 39th Annual Symposium on FOCS '98, IEEE, pp. 493−502, 1998.
[6] Y. C. Chang and C. J. Lu, "Oblivious polynomial evaluation and oblivious neural learning", Theoretical Computer Science 341(1), pp. 39−54, 2005.
[7] W. Du and Z. Zhan, "A practical approach to solve Secure Multi-party Computation problems", in Proceedings of the Workshop on New Security Paradigms, ACM Press, pp. 127−135, 2002.
[8] S. Even, O. Goldreich, and A. Lempel, "A Randomized Protocol for Signing Contracts", Communications of the ACM 28, pp. 637−647, 1985.
[9] N. Gilboa, "Two party RSA key generation", in CRYPTO 1999, pp. 116−129, 1999.
[10] O. Goldreich, M. Sudan, and R. Rubinfeld, "Learning Polynomials with Queries: The Highly Noisy Case", in Proc. 36th FOCS, pp. 294−303, 1995.
[11] Y. Ishai and E. Kushilevitz, "Randomizing polynomials: a new representation with applications to round-efficient secure computation", in STOC 2000, 2000.
[12] A. Kiayias and M. Yung, "Directions in Polynomial Reconstruction Based Cryptography", IEICE Transactions E87-A(5), pp. 978−985, May 2004.
[13] A. K. Lenstra, H. W. Lenstra, and L. Lovász, "Factoring Polynomials with Rational Coefficients", Mathematische Annalen, pp. 513−534, 1982.
[14] M. O. Rabin, "How to exchange secrets by oblivious transfer", Tech. Memo TR-81, Aiken Computation Laboratory, 1981.
[15] H. Lipmaa, "An oblivious transfer protocol with log-squared communication", in Proceedings of the 8th ISC '05, vol. 3650, pp. 314−328, 2005.
[16] Y. Mu, J. Zhang, and V. Varadharajan, "m out of n oblivious transfer", in Proceedings of the 7th ACISP '02, vol. 2384, pp. 395−405, 2002.
[17] M. Naor and B. Pinkas, "Oblivious Transfer and Polynomial Evaluation", in Proc. of the 31st STOC, Atlanta, GA, pp. 245−254, May 1-4, 1999.