A Light-weight Oblivious Transfer Protocol Based on Channel Noise Albert Guan
Outline • Introduction • Related Work • Oblivious Transfer Protocol • Comparison • Conclusions
Introduction • Design fundamental tools in cryptography • Oblivious transfer (OT) • Applications • Secure multiparty computation • Private information retrieval
Secure Multiparty Computation • Millionaires' problem • Suppose A has wealth x, B has wealth y • They want to know who is richer • Without revealing their actual wealth • f(x, y) = 1 if x > y; f(x, y) = 0 otherwise
Secure Multiparty Computation • Parties P1,…,Pn • Party Pi has private input xi • The parties want to jointly compute a function y = f(x1,…, xn) • Each party Pi knows only y, nothing else.
Private Information Retrieval • Server holds x1, x2,…, xn • User wants to retrieve xi • Server can't learn which xi is retrieved. • User learns only xi, nothing else.
Definition of the problem • Oblivious Transfer (OT) • A: sender has two secrets m0 and m1 • B: receiver has choice c • Goal: • B learns only mc • A doesn't know c
Security Models • Computationally secure • Attacker does not have enough computing resources to break the system. • If quantum computers are available, most of the commonly used public key cryptosystems (e.g. RSA) can be broken. • Statistically secure • The probability for the attacker to break the system is negligible even with unlimited computing resources. • Our protocol is statistically secure.
Related Work • Rabin's oblivious transfer protocol [Rabin 83] • Based on a computationally hard problem • Factoring large integers • Computationally secure • Heavy computation • Long integer arithmetic
Related Work • Erasure channel model [Imai et al. 06] • Receiver either receives the bit or it was not received • Channel delay model [Cheong et al. 11] • Packets are delivered with some delay • Security doesn't depend on computationally hard problems
Our Work • Design protocols • Security does not depend on computationally hard problems • Only need XOR and hash operations • Suitable for sensors or any devices with low computational power
Our Work • Based on noise in communication channel • Channel noise is a good random source • Unpredictable
Binary Symmetric Channel

$$BS_p(b) = \begin{cases} b, & \text{with prob. } 1 - p \\ 1 - b, & \text{with prob. } p \end{cases}$$

$$\Pr[b' = 0 \mid b = 0] = \Pr[b' = 1 \mid b = 1] = 1 - p$$

$$\Pr[b' = 1 \mid b = 0] = \Pr[b' = 0 \mid b = 1] = p$$
Oblivious Transfer (OT) Beacon node M = AB X = Y = Z Z = { |1 ≤ i≤ n/2} if |{i| }| < n/4 abort ,, {1, 2,…, n/2} ∩ = ϕ, || = || = n/4 Sc = {i| }
Oblivious Transfer (OT) AB f, , ,
Security of the oblivious transfer protocol • Theorem 1: A has no information about B's choice c. • Proof: This follows from the fact that the sets and give A no information on c, since the bits are flipped by the channel independently. The sender A cannot control the bits received by B.
Security of the oblivious transfer protocol • Theorem 2: B has no information about , the other secret he does not choose. • Proof: Since the secret corresponds to the index set , which contains some inconsistent parity bits, B can't reconstruct the string
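An added Python sketch, not the slides' own protocol (whose message-level details did not survive on this page), of how the OT definition, the binary symmetric channel and the two security claims above fit together. It assumes a repetition code (A sends each random bit twice and B treats an index as consistent when both copies agree), SHA-256 as the hash, and a constructed noise pattern passed in explicitly so the run is reproducible; all function names are hypothetical.

```python
import hashlib

def bsc(bits, flips):
    # Binary symmetric channel with the noise made explicit: flips[i] == 1 flips bit i.
    return [b ^ f for b, f in zip(bits, flips)]

def pad(bits, length):
    # Hash a bit list down to a one-time pad (SHA-256 is an assumed choice of hash).
    return hashlib.sha256(bytes(bits)).digest()[:length]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def receiver_choose(y, c):
    # B: index i is consistent when both received copies of bit i agree.
    half = len(y) // 2
    good = [i for i in range(half) if y[2 * i] == y[2 * i + 1]]
    if len(good) < half // 2:            # fewer than n/4 consistent indices
        return None                      # abort
    s_c = good[:half // 2]
    s_other = [i for i in range(half) if i not in s_c]
    return (s_other, s_c) if c else (s_c, s_other)   # always ordered (S0, S1)

def sender_mask(x, sets, m0, m1):
    # A: mask each secret with a pad derived from her own bits on S0 / S1.
    return [xor(m, pad([x[i] for i in s], len(m))) for m, s in zip((m0, m1), sets)]

def receiver_open(y, sets, cipher, j):
    # B: unmask secret j using the first received copy of each bit in S_j.
    return xor(cipher[j], pad([y[2 * i] for i in sets[j]], len(cipher[j])))

def run_ot(x, flips, m0, m1, c):
    sent = [b for b in x for _ in range(2)]          # assumed encoding: each bit twice
    y = bsc(sent, flips)
    sets = receiver_choose(y, c)
    if sets is None:
        return None
    cipher = sender_mask(x, sets, m0, m1)
    return sets, receiver_open(y, sets, cipher, c), receiver_open(y, sets, cipher, 1 - c)

# Constructed sample: n = 16 channel bits (8 source bits), one flip in pairs 1, 4 and 6.
X = [1, 0, 1, 1, 0, 0, 1, 0]
FLIPS = [0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0]
M0, M1 = b"secret-number-00", b"secret-number-01"

if __name__ == "__main__":
    sets, chosen, other = run_ot(X, FLIPS, M0, M1, c=1)
    print(sets, chosen, other == M0)
```

A sees only the two index sets and has no view of the flips, so she cannot tell which set B built from consistent pairs. The sketch omits error correction, so an index whose two copies were both flipped would leave B with a wrong pad even for his chosen secret.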
Comparison (oblivious transfer)

| Scheme | Hao's | Cheong's | Crepeau's | Ours |
|---|---|---|---|---|
| Message | 1 bit | 1 bit | 1 bit | multi-bit |
| Based on | noise | delay | noise | noise |
| Overhead | O(n²) | O(n log n) | O(n³) | O(n) |

n: security parameter

Conclusions • Design efficient and lightweight protocols for oblivious transfer. • Security does not depend on computationally hard problems • Suitable for sensors or any devices with low computational power