
Improved OT Extension for Transferring Short Secrets

Vladimir Kolesnikov (Bell Labs) and Ranjit Kumaresan (Technion). Slides on secure computation: the most general problem in cryptography, moving fast from theory to practice, and the subject of a major research effort on improving (asymptotic and concrete) efficiency.

Presentation Transcript


  1. Improved OT Extension for Transferring Short Secrets Vladimir Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion)

  2. Secure Computation
  • Most general problem in cryptography
  • Moving fast from theory to practice
  • Major research effort
  • Improving (asymptotic & concrete) efficiency
  • Implementation & “Systems” issues
  [Figure: two parties with inputs x and y obtain outputs f1(x,y) and f2(x,y)]

  3. State of the Art (Semihonest Setting)
  THEORY
  • Constant overhead [IKOS08,GGH+13]
  • Optimal comm./round complexity [GGHR13,AJL+12,LTV12]
  • ORAM-based SFE [LO13,GKK+12,GGH+13]
  PRACTICE
  • Yao garbled circuit optimizations [KS08,PSSW09,MNPS04,HEKM11,BHKR13]
  • GMW optimizations [CHKMR12,SZ13,ALSZ13]
  • Yao + GMW [KK12]

  4. Practical Computational Overhead
  • Hierarchy of efficiency: FHE >> PKE >> SKE >> one-time pad
  • “LHS >> RHS” ≈ the cost of LHS is, and will probably always be, bigger than the cost of RHS by orders of magnitude
  • OT Extension motivated by “PKE >> SKE”

  5. Talk Outline
  • OT Extension
  • Ishai et al. (IKNP) OT Extension
  • A New Framework for IKNP

  6. PKE >> SKE
  PKE
  • E.g.: KA, OT, SFE
  • Hard to implement heuristically
  • More expensive
  SKE
  • E.g.: PRG, hash functions
  • Easy to implement heuristically
  • Cheaper
  • PKE cannot be black-box reduced to SKE [IR89]
  • Factor ~3-4 orders of magnitude slower
  • Intel AES-NI instruction set

  7. The Next Best Thing: Extending Primitives
  • Extending public key encryption is easy
  • Encrypt payload with symmetric key
  • Encrypt symmetric key with public key
  • Huge practical impact
  • What about extending Oblivious Transfer?
  [Figure: PKE + SKE, annotated “[IR89] ?”]

  8. Oblivious Transfer (OT)
  [Figure: Sender holds (x0, x1); Receiver holds r and obtains xr; the Sender's view of r is marked “???”]
  • GMW: evaluate each AND gate in the circuit
  • Yao: used to select one of two “garbled keys”

  9. Cost of OT
  • No black-box reduction from OT to one-way functions [IR89]
  • OT length extension is easy (efficient, black-box):
  [Figure: OT on short seeds s0, s1 with choice bit r; Sender sends G(s0) ⊕ x0 and G(s1) ⊕ x1; Receiver recovers xr]
  • OT instance extension is possible [B96,IKNP03]
  • Needs only k “seed” OTs to perform n >> k OTs
  • Additional n symmetric key (cheap) operations
  • Huge impact on SFE

  10. OT Extension: Prior Work
  • [Beaver 96]: First OT extension
  • [Ishai-Kilian-Nissim-Petrank 03] (IKNP): Random Oracle (RO) model or correlation robust hash functions (CRHF); most practical OT extension
  • [HIKN08,IPS08,NNOB12]: Malicious adversary
  • [LZ13]: (In)feasibility results for OT extension
  • This work: Improve semihonest IKNP

  11. Talk Outline
  • OT Extension
  • Ishai et al. (IKNP) OT Extension
  • A New Framework for IKNP

  12. [IKNP03] Strategy
  [Figure: k seed OTs on s1, …, sk are length-extended (+ O(n) H), and the extended seeds are then used to perform n OTs on (x1,0, x1,1), …, (xn,0, xn,1) with choice bits r1, …, rn (+ O(n) H)]

  13. [IKNP03] Main Reduction
  • Receiver picks T ∈R {0,1}^(n×k) (uniformly at random), with rows t1, …, tn and columns t^1, …, t^k; through the seed OTs, for each column j the Sender obtains either t^j (if sj = 0) or t^j ⊕ r (if sj = 1)
  • Sender picks s ∈R {0,1}^k and obtains Q ∈ {0,1}^(n×k); row-wise, qi = ti if ri = 0 and qi = ti ⊕ s if ri = 1
  • For 1 ≤ i ≤ n, Sender sends yi,0 = xi,0 ⊕ H(qi) and yi,1 = xi,1 ⊕ H(qi ⊕ s)
  • For 1 ≤ i ≤ n, Receiver outputs zi = yi,ri ⊕ H(ti)
  [Figure: n×k bit matrices T and Q; column j of Q is t^j or t^j ⊕ r depending on sj]

  14. IKNP Cost
  • Communication cost of resulting OT(n,L):
  • Main reduction: 2nL bits
  • Length extension: 2nk bits
  • Communication cost of resulting SFE:
  • [Yao86]: need to transfer keys of length L = k
  • [GMW87]: L = 1, cost = 2nk + 2n; optimal?

  15. Talk Outline
  • OT Extension
  • Ishai et al. (IKNP) OT Extension
  • A New Framework for IKNP

  16. Our Work: A Closer Look at IKNP
  [Figure: the Receiver's n×k bit matrix T beside U = T ⊕ R, where row i of R is the bit ri repeated k times (ri = 0 or ri = 1); column j of U is t^j ⊕ r]

  17. Alternate Point of View
  • R = T ⊕ U
  • Row-wise encoding: 0 → 0^k, 1 → 1^k
  • IKNP uses repetition encoding
  • Can we use other encodings?
  [Figure: n×k matrix R whose row i is ri repeated k times]

  18. A Coding Theoretic Framework for IKNP
  • Suppose we use a code C
  • Say ri comes from a larger domain {1,…,m}
  • Row-wise encoding: ri → C(ri) ∈ {0,1}^k
  [Figure: n×k matrix C(R) with rows C(r1), C(r2), …, C(rn)]

  19. A Coding Theoretic Framework for IKNP
  • Receiver holds r1, …, rn ∈ [m], picks T with rows t1, …, tn, and sets U = T ⊕ C(R) (rows u1, …, un), i.e. C(R) = T ⊕ U
  • Through the seed OTs, for each column j the Sender obtains t^j (if sj = 0) or u^j (if sj = 1)
  • Sender obtains Q ∈ {0,1}^(n×k) with qi = ti ⊕ (C(ri) ⊙ s), where ⊙ is bit-wise AND
  • For 1 ≤ i ≤ n, 1 ≤ r ≤ m, Sender sends yi,r = xi,r ⊕ H(i, qi ⊕ (C(r) ⊙ s))
  • For 1 ≤ i ≤ n, Receiver outputs zi = yi,ri ⊕ H(i, ti)

  20. Analysis
  • Perfect security against malicious sender
  • Statistical security against semihonest receiver: no loss unless the receiver queries H on (i, ti ⊕ (C(r) ⊙ s)) for some r
  • Loss in security: m·2^(−d), where d = min distance of C
  • Cost of 1-out-of-m OT(n, L): communication (2nk + mnL) bits
  • OT(n,L) → 1-out-of-m OT(n/log m, L log m): communication (n/log m)(2k + mL log m) bits
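The coding-theoretic reduction of slides 18-20, with IKNP's repetition code (slide 13) as the m = 2 special case, simulated end to end. This is an added example, not code from the slides or from the authors: it assumes SHA-256 as the hash H, replaces the k seed OTs by handing the Sender the chosen columns of T and U directly, and uses a Walsh-Hadamard code of length 2^c for the 1-out-of-m case; the names `rep_code`, `wh_code`, `min_distance`, `H` and `ot_extension` are chosen here.

```python
import hashlib
import os

def rep_code(r, k):
    """IKNP repetition encoding (slide 17): r in {0,1} -> r repeated k times."""
    return (2 ** k - 1) * r

def wh_code(r, c):
    """Walsh-Hadamard code (slide 21): r in [2**c] -> 2**c bits, min distance 2**(c-1)."""
    bits = [bin(r & y).count("1") & 1 for y in range(2 ** c)]
    return int("".join(map(str, bits)), 2)

def min_distance(code, m):
    """d = min distance of C; slide 20 bounds the security loss by m * 2**(-d)."""
    return min(bin(code(a) ^ code(b)).count("1")
               for a in range(m) for b in range(a + 1, m))

def H(i, v, k, L):
    """H(i, v): SHA-256 as the random-oracle stand-in, truncated to L <= 32 bytes."""
    data = i.to_bytes(4, "big") + v.to_bytes((k + 7) // 8, "big")
    return hashlib.sha256(data).digest()[:L]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ot_extension(xs, rs, code, k, m):
    """xs[i][r]: Sender's n*m secrets of L bytes; rs[i] in [m]: Receiver's choices.
    Returns the Receiver's outputs z_1..z_n (slide 19, one matrix row per OT)."""
    n, L = len(xs), len(xs[0][0])
    nbytes = (k + 7) // 8
    # Receiver: random T (rows as k-bit ints) and U = T xor C(R).
    T = [int.from_bytes(os.urandom(nbytes), "big") % 2 ** k for _ in range(n)]
    U = [T[i] ^ code(rs[i]) for i in range(n)]
    # Sender: random s; the seed OTs (simulated here) deliver column j of T if
    # s_j = 0 and column j of U if s_j = 1, i.e. q_i = t_i xor (C(r_i) AND s).
    s = int.from_bytes(os.urandom(nbytes), "big") % 2 ** k
    Q = [(T[i] & ~s) | (U[i] & s) for i in range(n)]
    # Sender sends y_{i,r} = x_{i,r} xor H(i, q_i xor (C(r) AND s)) for all r in [m].
    ys = [[xor(xs[i][r], H(i, Q[i] ^ (code(r) & s), k, L)) for r in range(m)]
          for i in range(n)]
    # Receiver outputs z_i = y_{i,r_i} xor H(i, t_i); only r = r_i is unmasked.
    return [xor(ys[i][rs[i]], H(i, T[i], k, L)) for i in range(n)]

if __name__ == "__main__":
    # Constructed sample: 1-out-of-16 OT with a length-16 Walsh-Hadamard code.
    xs = [[bytes([i * 16 + r] * 8) for r in range(16)] for i in range(4)]
    rs = [3, 0, 15, 7]
    code = lambda r: wh_code(r, 4)
    print(ot_extension(xs, rs, code, 16, 16) == [xs[i][rs[i]] for i in range(4)])
    print("min distance", min_distance(code, 16), "loss bound", 16 * 2 ** -8)
```

For the m = 2 case pass `lambda r: rep_code(r, k)` as the code; the same `ot_extension` then performs exactly the slide-13 reduction.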

  21. Efficiency
  • Concrete: Hadamard codes for encoding
  • Factor ≈ 2 for 1-out-of-2 OT and GMW for k = 256
  • Additional optimizations lead to factor ≈ 3.5
  • Asymptotic comm. cost per OT: O(k/log k) bits

  22. Conclusions
  • OT Extension motivated by PKE >> SKE
  • Huge impact on practicality of SFE
  • Coding theoretic framework for [IKNP03]: RO or “code correlation robust hash functions”
  • Improvements for GMW, OT, 1-out-of-m OT
  • Rethink GMW vs. Yao? Also [KK12], [NNOB12], [SZ13], [ALSZ13]

  23. Thank You!

  24. The research leading to these results has received funding from the European Union's Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 259426 – ERC – Cryptography and Complexity
