Oblivious Comparator and Its Application to Auction
Hiroaki Kikuchi, Tokai University, Japan
Post on 21-Dec-2015
Contents
Introduction
» Issues in auction and outline of an oblivious comparator
Secure Function Evaluation
» Model, building blocks and security
» Completeness
Auction
» Protocol
» Performance
Conclusion
The Idea
Logic Circuit with Ciphertext
1. Homomorphic Encryption over GF(2)
2. Logical Operations (AND, NOT)
3. Reed-Muller Expansion
4. State Machine “comparator”
1. Homomorphic Encryption
Public-key Encryption E[x]
Homomorphism over GF(2)
» a, b in {m0, m1}
» E[a] x E[b] = E[a ⊕ b]
Indistinguishability
» Given E[m0] and E[m1], hard to figure E[m0]
Distributed Threshold Encryption
» Key-generation, decryption (t-out-of-n)
Verifiable encryption
Example: ElGamal encryption
Key Generation
» p = 2q + 1, g in G of order q
» public key: y = g^x, secret key: x
» encryption: E[m] = (m y^r, g^r)
» decryption: m = (m y^r) / (g^r)^x
Plain messages
» m in {1, -1}
» 1 = false (0), -1 = true (1)
EXOR Homomorphism
E[a] = (a y^r, g^r)
E[b] = (b y^s, g^s)
E[a] x E[b] = (ab y^(r+s), g^(r+s)) = E[ab]
1-bit EXOR
E[1] x E[1] = E[1]      0 ⊕ 0 = 0
E[1] x E[-1] = E[-1]    0 ⊕ 1 = 1
E[-1] x E[1] = E[-1]    1 ⊕ 0 = 1
E[-1] x E[-1] = E[1]    1 ⊕ 1 = 0
2. Logical Operations
Objective
Given a ciphertext E[a] (unknown a), player B with a plaintext b wishes to compute
» Negation E[~a]
» Conjunction E[ab]
» Disjunction E[a ∨ b]
without revealing his secret b.
2. Logical Operations
Lemma 3.1 (Negation)
E[~a] = E[a] x E[m1] = E[a ⊕ -1]
Lemma 3.2 (Conjunction)
E[ab] = E[a] x E[m0]    if b = 1
E[ab] = E[m0]           if b = 0
Similarly, E[a1a2b] and E[ab] are computed.
2. Logical Operations
Verifiability
Attack: (violating definition)
» E.g. sending E[random] as E[ab], or E[a] when b = 0.
gG
yMM
gG
ymM
gG
yMM
gG
ymM
PK
ab
bab
a
a
ab
ab
a
a 1
0
0
:),(
3. Reed-Muller Expansion
Lemma 2.3
Arbitrary n-variable boolean function ƒ(x1,x2,x3) is represented as
ƒ = a0 ⊕ a1x1 ⊕ a2x2 ⊕ a3x3
    ⊕ a4x1x2 ⊕ a5x1x3 ⊕ a6x2x3
    ⊕ a7x1x2x3
where ai in {0,1} (Boolean)
3. Reed-Muller Expansion
Lemma 2.1
x ∨ y = x ⊕ y ⊕ xy
Majority function
ƒ(x,y,z) = xy ∨ xz ∨ yz
         = xy ∨ (xz ⊕ yz ⊕ xzyz)
         = xy ⊕ xz ⊕ yz ⊕ xyz

x  y  x ⊕ y  xy (AND)  x ∨ y
0  0    0       0        0
0  1    1       0        1
1  0    1       0        1
1  1    0       1        1
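The building blocks so far (ElGamal with messages 1 and -1, Lemma 3.1, Lemma 3.2 and the OR identity of Lemma 2.1) in runnable form, as an added example that is not part of the original slides. The parameters p = 2039, q = 1019, g = 4 and all function names are constructed for illustration; Lemma 3.2 is taken here as a re-randomised E[a] when b = 1 and a fresh E[m0] when b = 0, and the proof of correct computation from the Verifiability slide is left out.

```python
import secrets

# Toy parameters constructed for this example (far too small for real use):
# p = 2q + 1 with p, q prime; g = 4 is a square mod p, so it has order q.
P, Q, G = 2039, 1019, 4
M0, M1 = 1, P - 1   # m0 = 1 encodes false (0), m1 = -1 encodes true (1)

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key x in 1..q-1
    return x, pow(G, x, P)                    # public key y = g^x

def enc(y, bit):
    """E[m] = (m * y^r, g^r), with m = -1 for bit 1 and m = 1 for bit 0."""
    r = secrets.randbelow(Q - 1) + 1
    m = M1 if bit else M0
    return (m * pow(y, r, P) % P, pow(G, r, P))

def dec(x, c):
    """m = (m * y^r) / (g^r)^x, mapped back to a bit."""
    m = c[0] * pow(pow(c[1], x, P), -1, P) % P
    if m not in (M0, M1):
        raise ValueError("ciphertext does not decrypt to 1 or -1")
    return 1 if m == M1 else 0

def mul(c, d):
    """E[a] x E[b]: component-wise product, i.e. XOR of the encoded bits."""
    return (c[0] * d[0] % P, c[1] * d[1] % P)

def neg(y, c_a):
    """Lemma 3.1: E[~a] = E[a] x E[m1]."""
    return mul(c_a, enc(y, 1))

def and_plain(y, c_a, b):
    """Lemma 3.2 (as assumed above): B knows b in the clear, a stays hidden."""
    return mul(c_a, enc(y, 0)) if b else enc(y, 0)

def or_plain(y, c_a, b):
    """Lemma 2.1 under encryption: E[a OR b] = E[a] x E[b] x E[ab]."""
    return mul(mul(c_a, enc(y, b)), and_plain(y, c_a, b))
```

Every operation takes only the public key y; the secret key x appears only in `dec`, which in the protocol is the threshold decryption step.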
4. State Machine
Oblivious Computer C
Set of states Si = {s1,…,sL}
» L = 2^i, S0 = ∅
State transition function T
» Si = T(Si-1, Ai)
» Ai: Sequence of ciphertexts
Decoding function D
» Y = D[Sn]
[Figure: C with state Si; player Pi with input bi; message Ai; T(Si,Ai); next state Si+1]
E.g. Majority Function
PA (input a): A1 = {E[a]}, T(S0,A1) = S0 ∪ A1, S1 = {∅, E[a]}
PB (input b): A2 = {E[b], E[ab]}, S2 = S1 ∪ A2
PC (input c): A3 = {E[ac], E[bc], E[abc]}, S3 = S2 ∪ A3
Majority Function
Final State
S3 = {E[a], E[b], E[c], E[ab], E[ac], E[bc], E[abc]}
Decoding function: D
D(S3) = E[ab] x E[ac] x E[bc] x E[abc]
      = E[ab ⊕ ac ⊕ bc ⊕ abc]
      = E[ab ∨ ac ∨ bc]
Oblivious Comparator (Auction)
K-bit Input
» A: a = (a2, a1, a0)
» B: b = (b2, b1, b0)
Output
» Winning price c = max(a,b) = a if a > b, b if a < b
» Winner w = A if a > b, B if a < b
Oblivious Comparator
Flags = true if a>b = true if a<b = true if a b
A: a = (1 0 0)
B: b = (1 1 0)
c
0
0
0
1
0
1
1
1
0
1
1
0
= i-1 ai ~bi
= i-1 ~ai bi
= i i
= ~(a) (i ai i bi)
n-player Comparison
C
P1 a1
S1=c
S2=max(c,a1)
P2 a2
S3=max(c,a2)
Sn=max(c,an)=max(a1,..,an)
Size of S is independent of n
Efficiency
k-bit Comparator
» Internal state: 2k ciphertext, O(2k)
» Rounds: once for each player, O(n)
Bidder
» Communication: 2k minterms x ciphertexts, O(2k)
» Computation: 2k ciphertext E[m0], O(2k)
Conclusions
We have proposed a cryptographic protocol for secure function evaluation, i.e., a functionally complete oblivious computer
» Round complexity of n
» Communication and Computation of O(2k)
Its application to Auction, in which the auctioneer is able to perform comparison for n bids and determine the winning price and the winner without knowledge of each bid.
Threshold Decryption
Key Generation
Secret ƒ(1), ƒ(2), ƒ(3)
Public key y = gƒ(0) = gƒ(1)1 gƒ(2)2 gƒ(3)3
Decryption
E[m] = (m y^r, g^r)
m = myr/ (gr)ƒ(1)1 (gr)ƒ(1)1 (gr)ƒ(1)1