ISBN 978-952-5726-06-0 Proceedings of the 2009 International Workshop on Information Security and Application (IWISA 2009) Qingdao, China, November 21-22, 2009
A Novel Unconditionally Secure Oblivious Polynomial Evaluation Protocol
H. Vanishree (1) and Koshy George (2)
(1) P.E.S. Institute of Technology, Bangalore, India, email: [email protected]
(2) P.E.S. Institute of Technology, Bangalore, India, email: [email protected]
Abstract—Oblivious polynomial evaluation is a protocol involving two parties, a sender whose input is a polynomial P , and a receiver whose input is a value x. At the end of the protocol, the receiver learns P (x) and nothing more about P , while the sender remains oblivious of both x and P (x). It is used as a primitive in many applications including protocols for private comparison of data, for mutually authenticated key exchange based on (possibly weak) passwords, and for anonymous coupons. In this paper, we describe a novel unconditionally secure oblivious polynomial evaluation protocol.
Keywords—Multi-Party Computation, Oblivious Transfer, Oblivious Polynomial Evaluation.
© 2009 ACADEMY PUBLISHER AP-PROC-CS-09CN004

I. INTRODUCTION

In a Multi-Party Computation (MPC) protocol [7], there are a number of participants and each holds some private data. The participants want to compute the value of a public function at the point that corresponds to the data that they hold. With a secure MPC protocol, no participant can learn information about the private data of the other participants that could not have been deduced from the description of the public function and the result of the global calculation. One of the prominent primitives of MPC is Oblivious Transfer (OT) [1, 2, 3, 4, 5, 11, 14]. OT protocols serve as building blocks in the solution of other MPC problems [15, 16].

One of the most profound achievements of research in foundations of cryptography in the direction of OT is that for every polynomially computable function $f(\cdot, \cdot)$ there exists a (polynomially computable) protocol with which a receiver who knows $x$ and a sender who knows $y$ can jointly compute the value of $f(x, y)$ in a way that does not reveal to either side more information than can be deduced from $f(x, y)$. One such function, which is an important application of OT, is Oblivious Polynomial Evaluation (OPE), introduced by Naor and Pinkas [17]. In an OPE problem the input of the sender is a polynomial $P$ of degree $k$ over some field $F$. The receiver can get the value $P(x)$ for any element $x \in F$ without learning anything else about $P$ and without revealing to the sender any information about $x$.

Note that any function from $m$ bits to $m$ bits can be represented as a polynomial over a finite field $GF(2^m)$, but its degree could go as high as $2^m - 1$. So one would like to focus on those functions that can be represented by low degree polynomials. This turns out to have several interesting applications [9, 11, 17]. The scheme proposed in [17] is much more efficient than the conventional way of going through oblivious circuit evaluation protocols, but its security is based on two assumptions. One assumption is the existence of a secure OT protocol while the other, a new one, is the intractability of a Noisy Polynomial Interpolation problem. It was later shown in [3] that this new assumption may be much weaker than expected, and the use of a possibly stronger intractability assumption on a Polynomial Reconstruction Problem was suggested. The protocol presented in [9] is based on an assumption that the Decisional Diffie-Hellman (DDH) assumption also holds over the group $Z_{n^2}$, where $n$ is the product of two large primes. Contrary to the well studied DDH over $Z_n$, the hardness of this problem in this new setting is
yet to be studied.

In this paper, a novel OPE protocol is proposed.

II. PROPOSED PROTOCOL

A. Problem Statement

The problem of OPE is formally defined by specifying the input and output for its functionality as a two party protocol run between a receiver and a sender over a field $F$ as follows:

Definition 1:
Input:
– Sender: A $k$th degree polynomial $P$ over a finite field $F$: $P(\alpha) = \sum_{i=0}^{k} a_i \alpha^i$.
– Receiver: A value $x \in F$.
Output:
– Sender: Nothing.
– Receiver: $P(x)$.

Initialization: Sender chooses an arbitrary generator of $F$, $g_S$, and a random element $r_S \in F$. Receiver also chooses an arbitrary generator, $g_R$, and three random elements $r_{R1}, r_{R2}, r_{R3} \in F$. All computations of the protocol are done in $F$.

Protocol:
Step 1: Sender computes $m_1$ defined as $m_1 \stackrel{\Delta}{=} a_0 g_S^{r_S}$, and sends it to Receiver.
Step 2: Receiver computes $m_{2i}$, $0 \le i \le k$, defined as $m_{20} \stackrel{\Delta}{=} m_1 g_R^{r_{R1}} - r_{R2}$ and $m_{2i} \stackrel{\Delta}{=} x^i g_R^{r_{R3}}$ for $1 \le i \le k$, and sends them to Sender.
Step 3: Sender computes $m_3$ defined as $m_3 \stackrel{\Delta}{=} g_S^{r_S} \sum_{i=1}^{k} a_i m_{2i} = g_S^{r_S} \left( \sum_{i=1}^{k} a_i x^i \right) g_R^{r_{R3}}$, and sends it to Receiver.
Step 4: Receiver computes $m_4$ defined as $m_4 \stackrel{\Delta}{=} m_3 \left( g_R^{r_{R3}} \right)^{-1} g_R^{r_{R1}} + r_{R2}$, and sends it to Sender. Clearly, $m_4 = g_S^{r_S} \left( \sum_{i=1}^{k} a_i x^i \right) g_R^{r_{R1}} + r_{R2}$.
Step 5: Sender computes $m_5$ defined as $m_5 \stackrel{\Delta}{=} \left( g_S^{r_S} \right)^{-1} (m_{20} + m_4)$, and sends it to Receiver. Clearly, $m_5 = \left( g_S^{r_S} \right)^{-1} \left( a_0 g_S^{r_S} g_R^{r_{R1}} - r_{R2} + g_S^{r_S} \left( \sum_{i=1}^{k} a_i x^i \right) g_R^{r_{R1}} + r_{R2} \right) = P(x) g_R^{r_{R1}}$.
Step 6: Receiver computes $P(x)$ as $m_5 \left( g_R^{r_{R1}} \right)^{-1} = P(x) g_R^{r_{R1}} \left( g_R^{r_{R1}} \right)^{-1} = P(x)$.

B. Security Analysis

The security requirements of an OPE protocol can be divided into Receiver's privacy and Sender's privacy.

Theorem 1: Receiver gets unconditional privacy.
Proof: As the random elements chosen by Receiver are kept secret all through the protocol, Sender remains oblivious of $x$. This is because, for any probabilistic polynomial time $B$ executing Sender's part, for any $x$ and $x'$ in $F$, the views that $B$ sees in case Receiver's input is $x$ and in case Receiver's input is $x'$ are unconditionally indistinguishable.

Theorem 2: Sender gets unconditional privacy.
Proof: Sender obscures $P$ using $g_S^{r_S}$, which is randomly chosen. This evidently follows from the fact that, for every probabilistic polynomial-time machine $A$ substituting Receiver, there exists a probabilistic polynomial-time machine $A'$ that plays Receiver's role in the ideal implementation, such that the view of $A$ and the output of $A'$ are unconditionally indistinguishable.

Comment: The description of the protocol with the generators, as is evident from the security analysis of the protocol, is only to conform to the conventional method of description of the finite field elements and does not in any way dictate the security of the protocol. As each party is oblivious of the arbitrary generator and random elements chosen by the other party, the random powers of the generators in the protocol can be replaced by the corresponding random elements in the field themselves.

C. Complexity Analysis

The cost of most of the previously proposed OPE protocols mainly depends on the number of exponentiations in the finite field. Following from the aforementioned comment, the major computation step in the protocol boils down to multiplications in the finite field. Hence, for every invocation of the protocol, Sender essentially performs $k + 1$ multiplications and Receiver $\sum_{i=1}^{k} \log_2 i + k + 2$ multiplications, and each of them performs one inverse operation in the finite field.
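The following is an added worked example, not code from the paper: it runs Steps 1 to 6 of Section II over the prime field GF(p) with p = 2^31 - 1 (the paper fixes no particular field; this choice, the generators 7 and 7^5, and Python's secrets module for the random elements are all assumptions of the example) and confirms that Receiver ends with P(x). It also adds two checks that a practitioner would run before relying on Theorems 1 and 2: sender_side_check computes, from the Step 2 messages alone, the quotient m_{22}/m_{21} that the closed form of Step 2 gives; receiver_side_check computes, from m_1, m_3 and Receiver's own g_R^{r_R3}, the quantity that the closed forms of Steps 1 and 3 give. Function names and the sample polynomial are constructed for the example.

```python
# Added worked example (not code from the paper): the six-step OPE protocol
# of Section II run over GF(p) with p = 2^31 - 1 (an assumption of this
# example), plus checks derived only from the closed forms of Steps 1-5.
import secrets

P = 2**31 - 1                                    # Mersenne prime; F = GF(P)
P_MINUS_1_FACTORS = (2, 3, 7, 11, 31, 151, 331)  # distinct prime factors of P - 1


def is_generator(g):
    """True iff g generates the multiplicative group of GF(P)."""
    g %= P
    return g != 0 and all(pow(g, (P - 1) // q, P) != 1 for q in P_MINUS_1_FACTORS)


def inv(a):
    """Multiplicative inverse in GF(P) (the one 'inverse operation' per party)."""
    return pow(a % P, P - 2, P)


def poly_eval(coeffs, x):
    """P(x) = sum_i a_i x^i over GF(P), with coeffs[i] = a_i, by Horner's rule."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % P
    return acc


def run_ope(coeffs, x, gS=7, gR=16807, rng=secrets.randbelow):
    """Steps 1-6 with Sender input coeffs and Receiver input x.

    gS and gR are generators of GF(P)^* (7 and 7^5 are primitive roots of 2^31 - 1).
    Returns (value Receiver obtains in Step 6, transcript of the exchanged messages).
    """
    if not (is_generator(gS) and is_generator(gR)):
        raise ValueError("gS and gR must generate GF(P)^*")
    k = len(coeffs) - 1
    # Initialization: exponents r_S, r_R1, r_R3 in [1, P-2]; r_R2 is an additive mask.
    rS, rR1, rR3 = (1 + rng(P - 2) for _ in range(3))
    rR2 = rng(P)
    GS = pow(gS, rS, P)           # g_S^{r_S}, known to Sender only
    GR1 = pow(gR, rR1, P)         # g_R^{r_R1}, known to Receiver only
    GR3 = pow(gR, rR3, P)         # g_R^{r_R3}, known to Receiver only
    # Step 1 (Sender): m_1 = a_0 g_S^{r_S}
    m1 = coeffs[0] * GS % P
    # Step 2 (Receiver): m_20 = m_1 g_R^{r_R1} - r_R2 and m_2i = x^i g_R^{r_R3}
    m20 = (m1 * GR1 - rR2) % P
    m2 = [pow(x, i, P) * GR3 % P for i in range(1, k + 1)]
    # Step 3 (Sender): m_3 = g_S^{r_S} sum_{i>=1} a_i m_2i
    m3 = GS * sum(a * m for a, m in zip(coeffs[1:], m2)) % P
    # Step 4 (Receiver): m_4 = m_3 (g_R^{r_R3})^{-1} g_R^{r_R1} + r_R2
    m4 = (m3 * inv(GR3) * GR1 + rR2) % P
    # Step 5 (Sender): m_5 = (g_S^{r_S})^{-1} (m_20 + m_4)
    m5 = inv(GS) * (m20 + m4) % P
    # Step 6 (Receiver): P(x) = m_5 (g_R^{r_R1})^{-1}
    result = m5 * inv(GR1) % P
    transcript = {"m1": m1, "m20": m20, "m2": m2, "m3": m3, "m4": m4, "m5": m5,
                  "GR3": GR3}     # GR3 is Receiver's own secret, kept for the check
    return result, transcript


def sender_side_check(transcript):
    """Value Sender can compute from Step 2 alone when k >= 2: m_22 / m_21."""
    m2 = transcript["m2"]
    if len(m2) < 2 or m2[0] == 0:
        return None
    return m2[1] * inv(m2[0]) % P


def receiver_side_check(transcript, result):
    """Value Receiver can compute from m_1, m_3, its own g_R^{r_R3} and P(x):
    m_3 / (g_R^{r_R3} m_1) = (P(x) - a_0) / a_0, so P(x) / (ratio + 1) = a_0."""
    m1, m3, GR3 = transcript["m1"], transcript["m3"], transcript["GR3"]
    if m1 == 0:
        return None
    ratio = m3 * inv(GR3) * inv(m1) % P
    if (ratio + 1) % P == 0:
        return None
    return result * inv(ratio + 1) % P


if __name__ == "__main__":
    coeffs = [5, 3, 0, 7]        # constructed sample: P(alpha) = 5 + 3 alpha + 7 alpha^3
    x = 123456                   # constructed sample Receiver input
    value, tr = run_ope(coeffs, x)
    print("Receiver obtains P(x) =", value, "correct:", value == poly_eval(coeffs, x))
    print("m_22 / m_21 as computed by Sender =", sender_side_check(tr), "with x =", x)
    print("a_0 as computed by Receiver        =", receiver_side_check(tr, value))
```

Running the block confirms the correctness argument of Steps 5 and 6: Receiver obtains exactly P(x). The two checks are worth keeping next to the theorems: because every m_{2i} with i ≥ 1 carries the same factor g_R^{r_R3}, the quotient m_{22}/m_{21} that Sender can form equals x whenever k ≥ 2 and x ≠ 0, and because m_1 and m_3 share the single factor g_S^{r_S}, Receiver can recover a_0 from m_1, m_3 and P(x) whenever a_0 and P(x) are nonzero. Both follow directly from the closed forms given in the protocol, so the example reports them as checks rather than proposing a repair; for k = 1 the first check returns None, since only one masked power of x is sent.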
III. APPLICATIONS OF OPE

There are two major applications of an OPE protocol. One is whenever $k$-wise independence can replace full independence or pseudo-randomness [8, 11]. Such a property is required, for example, for the application of constructing anonymous coupons that enable anonymous usage of limited resources (e.g., for constructing an anonymous complaint box). The other type of application uses OPE for comparing information without leaking it, or preserving anonymity when Receiver must compute the value of a polynomial at a certain point. Applications of this nature include a protocol that allows reliable and privacy preserving metering [9].

IV. CONCLUSIONS

A novel oblivious polynomial evaluation protocol is proposed in this paper. Analyses show that the protocol provides unconditional security as against the computational security provided by the previously existing protocols. The main computational bottleneck of the existing constructions is the OT protocol, the computational cost of which is essentially exponentiations in finite fields. As another major asset of the protocol, this overhead is obviated and hence the protocol is proved to be more efficient.

References

[1] M. Bellare and S. Micali, "Non-interactive oblivious transfer and applications", in Proceedings of Advances in Cryptology - CRYPTO '89, 435: 547-557, 1989.
[2] C. H. Bennett, G. Brassard, C. Crépeau, and M.-H. Skubiszewska, "Practical quantum oblivious transfer", in Proceedings of Advances in Cryptology - CRYPTO '91, 576: 351-366, 1991.
[3] D. Bleichenbacher and P. Nguyen, "Noisy polynomial interpolation and noisy chinese remaindering", in EUROCRYPT 2000, pp. 53-69, 2000.
[4] C. Blundo, P. D'Arco, A. D. Santis, and D. Stinson, "New results on unconditionally secure distributed oblivious transfer", in Proceedings of SAC '02, 2595: 291-309, 2002.
[5] C. Cachin, C. Crépeau, and J. Marcil, "OT with a memory-bounded receiver", in Proceedings of 39th Annual Symposium on FOCS '98, IEEE, pp. 493-502, 1998.
[6] Y. C. Chang and C. J. Lu, "Oblivious polynomial evaluation and oblivious neural learning", in Theoretical Computer Science 341(1), pp. 39-54, 2005.
[7] W. Du and Z. Zhan, "A practical approach to solve Secure Multi-party Computation problems", in Proceedings of Workshop on New Security Paradigms, ACM Press, pp. 127-135, 2002.
[8] S. Even, O. Goldreich, and A. Lempel, "A Randomized Protocol for Signing Contracts", in Communications of the ACM 28, pp. 637-647, 1985.
[9] N. Gilboa, "Two party RSA key generation", in CRYPTO 1999, pp. 116-129, 1999.
[10] O. Goldreich, M. Sudan, and R. Rubinfeld, "Learning Polynomials with Queries: The Highly Noisy Case", in Proc. 36th FOCS, pp. 294-303, 1995.
[11] Y. Ishai and E. Kushilevitz, "Randomizing polynomials: a new representation with applications to round-efficient secure computation", in STOC 2000, 2000.
[12] A. Kiayias and M. Yung, "Directions in Polynomial Reconstruction Based Cryptography", in IEICE Transactions, E87-A(5): 978-985, May 5, 2004.
[13] A. K. Lenstra, H. W. Lenstra, and L. Lovász, "Factoring Polynomials with Rational coefficients", in Mathematische Ann., pp. 513-534, 1982.
[14] M. O. Rabin, "How to exchange secrets by oblivious transfer", Tech. Memo TR-81, Aiken Computation Laboratory, 1981.
[15] H. Lipmaa, "An oblivious transfer protocol with log-squared communication", in Proceedings of 8th ISC '05, 3650: 314-328, 2005.
[16] Y. Mu, J. Zhang, and V. Varadharajan, "m out of n oblivious transfer", in Proceedings of the 7th ACISP '02, 2384: 395-405, 2002.
[17] M. Naor and B. Pinkas, "Oblivious Transfer and Polynomial Evaluation", in Proc. of the 31st STOC, Atlanta, GA, pp. 245-254, May 1-4, 1999.