“tiny ot” – part 2 - biu · 5th bar-ilan winter school on cryptography advances in practical...
TRANSCRIPT
![Page 1: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/1.jpg)
5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation
Claudio Orlandi, Aarhus University
“Tiny OT” – Part 2
A New (4 years old) Approach to Practical Active-Secure Two-Party Computation
![Page 2: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/2.jpg)
2
(𝑟𝐴, 𝑟𝐵) ← 𝐷
rA rB
x y
f(x,y)
Tru
sted
Dea
ler
![Page 3: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/3.jpg)
3
rA rB
On
line
Ph
ase
Pre
pro
cess
ing
3
rA rB
x y
f(x,y)
![Page 4: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/4.jpg)
TinyOT authenticated bits • [x] = ( (xA,kA,mA) , (xB, kB, mB) ) s.t.
– mB = kA + xB ∆A (symmetric for mA)
– ∆A, ∆B is the same for all wires.
– MACs, keys are k-bit strings.
• Very similar to Oblivious Transfer – Sender has two messages u0,u1
– Receiver has a bit b and learns ub
– Set u0=k, u1=k+∆, b=x then ub=k+x∆
![Page 5: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/5.jpg)
Two probems:
• Efficiency: OT requires public key primitives, inherently efficient
![Page 6: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/6.jpg)
More efficient Less efficient
OTP >> SKE >> PKE >> FHE >> Obfuscation
The Crypto Toolbox
6
Weaker assumption Stronger assumption
![Page 7: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/7.jpg)
Two probems:
• Efficiency: OT requires public key primitives, inherently efficient
• Security: If we authenticated more than one bit, how do we make sure Bob uses the same value ∆?
• Two birds with one stone! Next hour: Active secure OT extension!
![Page 8: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/8.jpg)
Authenticated Bits
8
OT
x (kx, kx+∆)
mx = kx + x∆
OT
y (ky, ky+∆)
my = ky + y∆
kz = kx + ky
mz =kz+z∆
“[z]=[x]+[y]”
“z=Open(B,[z])”
z = x + y
z,mz
mz = mx+ my
![Page 9: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/9.jpg)
Authenticated Bits
9
OT
x (kx, kx+∆)
mx = kx + x∆
OT
y (ky, ky+∆+e)
my = ky + y∆ +ey
kz = kx + ky
mz =kz+z∆ +ey
“[z]=[x]+[y]”
“z=Open(B,[z])”
z,mz
z = x + y mz = mx+ my
Bob learns y (and therefore x)! (should only learn XOR)
![Page 10: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/10.jpg)
Part 2: Active Secure OT Extension
• Warmup: OT properties
• Recap: Passive Secure OT Extension
• Active Secure OT Extension
![Page 11: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/11.jpg)
OT
1-2 OT
b
xb
x0,x1
Receiver Sender
• xb = x0 + b(x0 +x1)
• xb = (1+b) x0 + b x1
![Page 12: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/12.jpg)
OT = AND
1-2 OT
b
ab + c
(a,a+c)
Receiver Sender
Bits
![Page 13: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/13.jpg)
Stretching OT
Receiver Sender
1-2 OT
b
kb
k0,k1
(u0, u1)=(prg(k0)+m0), prg(k1)+m1))
mb=prg(kb)+ub
b
poly(k)-bit strings
m0,m1
k-bit strings
![Page 14: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/14.jpg)
Random OT = OT
ROT c,rc r0,r1
(x0, x1)=((r0 + m0), (r1 + m1)) mb=rc + xb
b m0,m1
if b=c
![Page 15: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/15.jpg)
Random OT = OT
ROT c,rc r0,r1
b m0,m1
(x0, x1)= (r0+d+ m0),
(r1+d + m1))
d = b + c
Exercise: check that it works!
mb=rc + xb
![Page 16: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/16.jpg)
(R)OT is symmetric Sender
bits
ROT s0,s1 b,y=sb
c, z=rc r0,r1
c = s0 + s1
z = s0
No communication!
r0 = y
r1 = b + r0
Exercise: check that it works
![Page 17: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/17.jpg)
Part 2: Active Secure OT Extension
• Warmup: OT properties
• Recap: Passive Secure OT Extension
• Active Secure OT Extension
![Page 18: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/18.jpg)
OT Extension
• OT pro(v/b)ably requires public-key primitivies
– OT extension ≈ hybrid encryption
– Start from k “real” OTs
– Turn them into poly(k) OTs using only few symmetric primitives per OT
18
![Page 19: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/19.jpg)
X0
X1
b
U
k
k
k
k
k
OT Extension, Pictorially
19
1-2 OTs
n
n=poly(k)
Remember: OT stretching
Xb1,1
x0,1
x1,1
b1
![Page 20: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/20.jpg)
Condition for OT extension
20
X0
X1
⊕
Γ … Γ
=
Problem for active security!
![Page 21: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/21.jpg)
OT Extension, Pictorially
21
k
1-2 OTs
X0
b
U
k
k
k
n
n=poly(k)
Γ
![Page 22: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/22.jpg)
OT Extension, Pictorially
U
=
X0
b
⊕
Γ
𝑏 ⊗ Γ 𝑖𝑗 = 𝑏𝑖 ⋅ Γ𝑗
![Page 23: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/23.jpg)
OT Extension, Turn your head!
U
=
X0
⊕
V
Y0
⊕ =
b Γ
∆
c
![Page 24: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/24.jpg)
OT Extension, Pictorially
24
V
k
∆
Y0
k
n n=
poly
(k)
c
n
1-2 OTs
![Page 25: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/25.jpg)
OT Extension, Pictorially
25
k
1-2 OTs
X0
b
U
k
k
k
n
n=poly(k)
Γ
![Page 26: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/26.jpg)
Defining Y1
26
Y0
∆
Y1
∆ ∆
⊕ =
∆
![Page 27: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/27.jpg)
OT Extension, Pictorially
27
V
k
Y0
k
n
n=p
oly
(k)
c
n
1-2 OTs
Y1
Yc1
,1
Y0
,1
Y1
,1
c1
![Page 28: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/28.jpg)
Finishing Up
• Problem: (Y0, Y1) not random!
• Solution: just hash each row – Y’0 = H(Y0) – Y’1 = H(Y1)
• Using a correlation robust hash function H s.t. 1. {a0, …, an, H(a0+ ∆ ), …, H(an+ ∆)} 2. {a0, …, an, b0, …, bn} // (ai’s,bi’s random)
are computationally indistinguishable
28
![Page 29: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/29.jpg)
OT Extension, Pictorially
29
H(V
)
k’
H(Y
1 ) k’
n
n
1-2 OTs
H(Y
0 )
n=p
oly
(k)
c
![Page 30: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/30.jpg)
Recap
0. Strech k OTs from k- to poly(k)=n-bitlong strings
1. Set each pair of messages xi0,xi
1 s.t., xi0 ⊕ xi
1 = Γ
2. Turn your head (S/R swap roles)
3. The bits of c=Γ are the new choice bits
4. The new messages are of the form yj0, yj
1=yj0⊕∆
5. Break the correlation: y’j0=H(yj
0), y’j1=H(yj
1)
• Not secure against active adversaries 30
![Page 31: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/31.jpg)
Part 2: Active Secure OT Extension
• Warmup: OT properties
• Recap: Passive Secure OT Extension
• Active Secure OT Extension
![Page 32: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/32.jpg)
Active Security
1. Set each pair of messages xi0,xi
1 s.t., xi0 ⊕ xi
1 = Γ
32
• How to force Bob to use same value?
• “Cut-and-choose”
– Start with ≈2k OTs
– Pair them at random (destroys half)
– Check if the same Γ was used
– abort otherwise
![Page 33: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/33.jpg)
The Equality BOX
• Output ok if equal
• abort/reveal all if different
EQ
x
ok/abort
y
ok/abort
![Page 34: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/34.jpg)
The Equality BOX
EQ
x
ok/abort
y
ok/abort
H(x,r)
x,r
y
![Page 35: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/35.jpg)
Pair and check
35
OT
b1 (x1, x1+Γ)
u1=x1+b1Γ
OT
b5 (x5, x5+Γ)
u5=x5+b5Γ
d=b1+b5
EQ
u1+u5
ok
x1+x5+dΓ
ok
![Page 36: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/36.jpg)
Analysis
• Ok if both honest – 𝑢𝑖 = 𝑥𝑖 + 𝑏𝑖Γi
– 𝑢𝑖 + 𝑢𝑖 = 𝑥𝑖 + 𝑥𝑗 + 𝑏𝑖 + 𝑏𝑗 Γ if Γ𝑖 = Γ𝑗 = Γ – Throw away OT j and keep i for later use
• Why use EQ?
– Alice needs to prove 𝑑 is correct too!
– Else: corrputed Alice sends d = 1 + 𝑏𝑖 + 𝑏𝑗… – …learns two MACs with same key – …learns Γ – …protocol brekas down completely
![Page 37: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/37.jpg)
Corrupted Bob
37
OT
b1 (x1, x1+Γ+e1)
u1=x1+b1Γ+b1e1
OT
b5 (x5, x5+Γ+e5)
u5=x5+b5Γ+b5e5
d=b1+b5
EQ
u1+u5
ok
x1+x5+dΓ+b1e1+b5e5
ok
![Page 38: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/38.jpg)
Three cases
• No error: 𝑒𝑖 = 𝑒𝑗 = 0
– Bob always pass the check and learns nothing
• One error: 𝑒𝑖 ≠ 0, 𝑒𝑗 = 0
– Bob pass the test if guess 𝑏𝑖 correctly
– 50% abort, 50% Bob learns 𝑏𝑖
• Canceling errors: 𝑒𝑖 = 𝑒𝑗 ≠ 0
– Bob always pass the test
– Can be simulated by leaking bit 𝑏𝑖
For simplicity ∀ 𝑖 𝑒𝑖 ∈ {0, 𝑒∗}
![Page 39: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/39.jpg)
Simulating
39
OT
b1 (x1, x1+Γ+e)
u1=x1+b1Γ
OT
b5 (x5, x5+Γ+e)
u5=x5+b5Γ
d=b1+b5
EQ
u1+u5
ok
x1+x5+dΓ+de
ok
![Page 40: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/40.jpg)
Simulating
40
OT
b1 (x’1, x’1+Γ)
u1=x1+b1Γ
OT
b5 (x’5, x’5+Γ)
u5=x5+b5Γ
d=b1+b5
EQ
u1+u5
ok
x’1+x’5+dΓ
ok
Where x’i = xi + bie
![Page 41: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/41.jpg)
Three cases
• No error: 𝑒𝑖 = 𝑒𝑗 = 0
– Bob always pass the check and learns nothing
• One error: 𝑒𝑖 ≠ 0, 𝑒𝑗 = 0
– Bob pass the test if guess 𝑏𝑖 correctly
– 50% abort, 50% Bob learns 𝑏𝑖
• Canceling errors: 𝑒𝑖 = 𝑒𝑗 ≠ 0
– Bob always pass the test
– Can be simulated by leaking bit 𝑏𝑖
For simplicity ∀ 𝑖 𝑒𝑖 ∈ {0, 𝑒∗}
![Page 42: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/42.jpg)
e=0
e=e*
0+0=0
e+0≠0
e+e=0
No abort, no leak
Abort with pr. ½, 1 bit leaked
No abort, 1 bit leaked
2n
n
![Page 43: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/43.jpg)
How many bits does Bob learn? • Define game:
– Choose how many e ≠ 0. Abort loses
– Receive bi for all i in yellow and red
– Guess entire vector b. Wrong guess loses
• Define leak L < n + log(pr. Bob wins the game) – Win = not abort + correct guess
– Pr(not abort) = 2-#yellow
– Pr(correct guess) = 2-#green
• L = n - #yellow - #green = #red
![Page 44: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/44.jpg)
e=0
e=e*
0+0=0
e+0≠0
e+e=0
2n
n/4
n/2
n/4
Optimal strategy
n = 4/3k L < k/3
![Page 45: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/45.jpg)
Finishing up…
![Page 46: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/46.jpg)
OT Extension, Pictorially
46
k
1-2 OTs
X0
b
U
4/3 k
k
4/3 k
n
n=poly(k)
Γ
b
b
1/3k
4/3 k
![Page 47: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/47.jpg)
OT Extension, Pictorially
47
V
4/3 k
∆
Y0
4/3k
n n=
poly
(k)
c
n
1-2 OTs
∆ ∆ Leak!
![Page 48: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/48.jpg)
Solutions
• OT Extension: –Hash the leak away!
• Authenticated Bits (need linear relation) –Universal hash…
(multiply with random matrix A)
–…or do nothing! (MAC still secure with k unknown bits!)
![Page 49: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/49.jpg)
TinyOT authenticated bits
• [x] = ( (xA,kA,mA) , (xB, kB, mB) ) s.t. – mB = kA + xB ∆A (symmetric for mA)
– ∆A, ∆B is the same for all wires (where the adversary knows at most L bit).
– MACs, keys are k-bit strings.
![Page 50: “Tiny OT” – Part 2 - BIU · 5th Bar-Ilan Winter School on Cryptography Advances in Practical Multiparty Computation Claudio Orlandi, Aarhus University “Tiny OT” – Part](https://reader035.vdocuments.mx/reader035/viewer/2022071001/5fbe6183ab91f102c40bffeb/html5/thumbnails/50.jpg)
Authenticated Bits/OT Extension
1. Run (2+2µ)n OTs with constant difference Γ
2. Cut-and-choose and throw away half OTs
3. Turn your head (OT extension)
Authenticated Bits
4. Deal with µ-leaked bits with universal hash
(or don’t).
OT Extension
4. Deal with µ-leaked bits with cryptographic hash.