Oblivious transfer and Garbled circuits
2016-06-20 19:18
Oblivious transfer
In oblivious transfer (OT), the sender transmits n pieces of data to the receiver but does not know which of the n the receiver obtained, and the receiver can decode only one of them. If k pieces of data are needed, at least k interactions are required.
In cryptography, an oblivious transfer protocol (often abbreviated OT) is a type of protocol in which a sender transfers one of potentially many pieces of information to a receiver, but remains oblivious as to what piece (if any) has been transferred.
1-2 oblivious transfer
In a 1-2 oblivious transfer protocol, the sender has two messages $m_0$ and $m_1$, and the receiver has a bit $b$. The receiver wishes to receive $m_b$ without the sender learning $b$, while the sender wants to ensure that the receiver receives only one of the two messages. The protocol of Even, Goldreich, and Lempel (which the authors attribute partially to Silvio Micali) is general, but can be instantiated using RSA encryption as follows.
Protocol of Even, Goldreich, and Lempel
Alice has two messages, $m_0, m_1$, and wants to send exactly one of them to Bob, but does not want to know which one Bob receives.
Alice generates an RSA key pair, comprising the modulus $N$, the public exponent $e$ and the private exponent $d$. She also generates two random values, $x_0, x_1$, and sends them to Bob along with her public modulus and exponent.
Bob picks $b$ to be either 0 or 1 (depending on whether he wants $m_0$ or $m_1$). He generates a random value $k$, blinds $x_b$ by computing $v = (x_b + k^e) \bmod N$, and sends $v$ to Alice.
Alice doesn't know (and hopefully cannot determine) which of $x_0$ and $x_1$ Bob chose. She applies both of her random values and comes up with two possible values for $k$: $k_0 = (v - x_0)^d \bmod N$ and $k_1 = (v - x_1)^d \bmod N$. One of these will be equal to $k$ and can be correctly decrypted by Bob (but not Alice), while the other will produce a meaningless random value that does not reveal any information about $k$. She combines the two secret messages with each of the possible keys, $m'_0 = m_0 + k_0$ and $m'_1 = m_1 + k_1$, and sends them both to Bob.
Bob knows which of the two messages can be unblinded with $k$, so he is able to compute exactly one of the messages, $m_b = m'_b - k$. He does not learn the other message, so each run of the protocol yields only one message.
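The exchange above, written out as an added Python example (not code from the original post). It assumes textbook RSA over two small constructed primes and reduces the masked messages mod N; the function names and sample messages are chosen here for illustration.

```python
import secrets

# Constructed toy RSA key (assumption): two Mersenne primes, textbook RSA.
# Far too small and unpadded for real use; it only makes the algebra visible.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # Alice's private exponent

def sender_setup():
    """Alice: two random values x0, x1, sent to Bob along with (N, E)."""
    return secrets.randbelow(N), secrets.randbelow(N)

def receiver_blind(b, xs):
    """Bob: blind x_b with a random k, v = (x_b + k^e) mod N."""
    k = secrets.randbelow(N)
    return k, (xs[b] + pow(k, E, N)) % N

def sender_respond(v, xs, m0, m1):
    """Alice: k_i = (v - x_i)^d mod N, then m'_i = m_i + k_i (reduced mod N)."""
    k0 = pow((v - xs[0]) % N, D, N)
    k1 = pow((v - xs[1]) % N, D, N)
    return (m0 + k0) % N, (m1 + k1) % N

def receiver_unblind(b, k, masked):
    """Bob: m_b = m'_b - k. The other entry stays masked by an unknown key."""
    return (masked[b] - k) % N

def run_ot(b, m0, m1):
    """One full exchange; returns Bob's output plus k and the masked pair."""
    xs = sender_setup()
    k, v = receiver_blind(b, xs)
    masked = sender_respond(v, xs, m0, m1)
    return receiver_unblind(b, k, masked), k, masked

if __name__ == "__main__":
    # Constructed sample messages, encoded as integers smaller than N.
    m0 = int.from_bytes(b"vault-A", "big")
    m1 = int.from_bytes(b"vault-B", "big")
    for b in (0, 1):
        got, k, masked = run_ot(b, m0, m1)
        wrong = (masked[1 - b] - k) % N  # what Bob gets for the other slot
        print(b, got.to_bytes(7, "big"), wrong == (m0, m1)[1 - b])
```

Alice only ever sees v, which is uniformly distributed whichever b Bob picked, and Bob's attempt to unblind the other slot with k yields a value unrelated to the message.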
Garbled circuits
Yao's garbled circuit is a method proposed by Andy Yao in 1986 for secure multiparty computation.
AND gate
Now we describe a protocol for securely computing $f(a; b)$. Because $f$ is poly-time computable, we can write a circuit that computes $f$. For every wire $w$ in the circuit, attach two keys, $k_w^0$ and $k_w^1$. Intuitively, we use the first key when $w$ carries the value 0, and the second when $w$ carries the value 1.
For example, say we had an AND gate with input wires $x$ and $y$, and output wire $z$. Then the gate would store the following 4 elements in its table:
- $\mathrm{Enc}_{k_x^0}(\mathrm{Enc}_{k_y^0}(k_z^0))$
- $\mathrm{Enc}_{k_x^0}(\mathrm{Enc}_{k_y^1}(k_z^0))$
- $\mathrm{Enc}_{k_x^1}(\mathrm{Enc}_{k_y^0}(k_z^0))$
- $\mathrm{Enc}_{k_x^1}(\mathrm{Enc}_{k_y^1}(k_z^1))$
Three problems to be solved:
- This table must be permuted.
- How does Bob know whether he successfully decrypted an entry? To solve this problem, we can add an extra column to the table which contains a MAC of the proper key pair.
- Bob needs to know the key values for all of his input wires, but Alice cannot know which key values Bob is asking for. Similarly, Alice cannot send all the key values to Bob, or else (because he is curious) he will evaluate the circuit on more values than intended, and learn something about Alice's input. To solve this problem, we just need to use 1-2 oblivious transfer.
The entire protocol:
Alice writes a garbled circuit to compute $f$, and hardcodes her input (resulting in a new garbled circuit that depends only on input from Bob). Then, for each remaining wire, Alice assigns a key pair $k_w^0$ and $k_w^1$. To each logic gate, she assigns a table as described above. Each table entry consists of the correct key encrypted sequentially, followed by a MAC to authenticate that the two correct keys were used to decrypt. Each MAC uses the same key. Alice sends over the entire garbled circuit to Bob.
Bob requests the correct keys for his input using 1-2 oblivious transfer.
Alice sends the correct keys for Bob's input using 1-2 oblivious transfer.
Bob evaluates the garbled circuit using the keys he received from Alice and shares the value with Alice.
Applications
Arx: A strongly Encrypted Database System
Ref
http://www.cs.cornell.edu/courses/cs6830/2009fa/scribes/lecture24.pdf
https://en.wikipedia.org/wiki/Oblivious_transfer