[Basics of Cryptography] Oblivious Transfer

This is the first time I have started to learn something related to cryptography. My main future research direction includes privacy computing, that is, machine learning algorithms under privacy protection.

0 A practical example

Following the example in the blog post "Detailed explanation of the OT (Oblivious Transfer) protocol", we consider 1-out-of-2 Oblivious Transfer: a travel agency has travel materials for two attractions, A and B. Xiao Wang wants to visit A and hopes to buy the relevant material from the travel agency. But Xiao Wang is very concerned about his personal privacy and does not want to disclose his destination to the travel agency. Both parties therefore want the transaction to meet the following privacy conditions:
(1) Xiao Wang does not want to disclose the information "I am going to scenic spot A" to the travel agency;
(2) The travel agency only wants to sell the material for scenic spot A that Xiao Wang paid for, without disclosing the material for scenic spot B that he did not purchase.
Under normal circumstances (in clear text), these privacy conditions seem impossible to satisfy: if the travel agency gives Xiao Wang the material for scenic spot A, it necessarily learns that "Xiao Wang is going to scenic spot A"; if instead it hands over all the material and lets Xiao Wang pick directly, the travel agency's own information is leaked.
The Oblivious Transfer (OT) protocol introduced in this article allows the transaction to be concluded under such "impossible conditions". In short, in the OT protocol the travel agency encrypts all the material it owns with an encryption algorithm and parameters agreed upon by both parties and sends it to Xiao Wang, who can decrypt the material for scenic spot A from the ciphertext but cannot decrypt the material for scenic spot B.

1 Standard Oblivious Transfer (OT)

[Figure: the data flow of standard OT]

Deterministic functionality: the parties choose their own inputs. The sender inputs $m_0$ and $m_1$, the receiver inputs $c$, and the receiver then gets $m_c$.


2 Random Oblivious Transfer (ROT)

[Figure: the data flow of ROT]

Random functionality: $m_0$, $m_1$ and $m_c$ are chosen uniformly at random, instead of the sender and receiver choosing the inputs themselves as in standard OT.


[Figure: the general process of ROT]

3 One Time Pad encryption method (one-time encryption)

  • Generate a random number, random.
  • Encrypt the plaintext to get ciphertext = plaintext ⊕ random.
  • A different random must be generated each time to prevent plaintext leakage.

4 ROT => OT

Beaver derandomization: random OTs prepared in advance greatly reduce the computational overhead of standard OT.

[Figure: the approximate calculation process]

$x_0 \oplus r_0$ means encrypting the real input data $x_0$ with the random number $r_0$; the encryption method is the one-time pad mentioned above, that is, XOR (exclusive OR) encryption.

Note that, as shown in the figure above, when the sender input of the OT in online mode is the same as the simulated sender input of the random OT in offline mode, the encryptions are $x_0 \oplus r_0$ and $x_1 \oplus r_1$. Otherwise, they should be $x_1 \oplus r_0$ and $x_0 \oplus r_1$.

This process is also called the offline/online method of 2PC:

  • Offline: in the preprocessing stage the real inputs have not been seen yet, and many random OTs are generated.
  • Online: the sender and receiver actually start interacting, and the OT inputs are determined. Beaver's trick makes it easy to derandomize the offline OTs.

To put it more simply, before the OT actually sees its input data we use ROT as preprocessing to generate many random OTs; once the real input data is known, only simple XOR operations are needed, which greatly speeds up the computation.

The figure below considers whether the sender input is the same online and offline, and introduces a new parameter $d$:
[Figure: derandomization with the parameter $d$]
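The offline/online split described in this section, as an added Python example (not code from the original post or its references). It assumes $d$ is the XOR of the receiver's online choice `c` and its offline random choice `c_rand`; the trusted-dealer `offline_random_ot` is a hypothetical stand-in for a real random OT, and all function names are chosen here.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """One-time pad: byte-wise XOR of two equal-length strings."""
    return bytes(p ^ q for p, q in zip(a, b))

def offline_random_ot(n: int):
    """Offline phase. A trusted dealer stands in for a real random OT here
    (assumption): the sender gets r0, r1; the receiver gets c_rand, r_{c_rand}."""
    r = (secrets.token_bytes(n), secrets.token_bytes(n))
    c_rand = secrets.randbelow(2)
    return r, (c_rand, r[c_rand])

def receiver_request(c: int, receiver_state) -> int:
    """Online, receiver -> sender: d = c XOR c_rand. d looks uniformly random
    to the sender, so it reveals nothing about the real choice c."""
    return c ^ receiver_state[0]

def sender_respond(x0: bytes, x1: bytes, d: int, r):
    """Online, sender -> receiver: d == 0 gives (x0^r0, x1^r1),
    d == 1 gives (x0^r1, x1^r0). Each pad is used exactly once."""
    return xor(x0, r[d]), xor(x1, r[1 ^ d])

def receiver_recover(c: int, receiver_state, y) -> bytes:
    """The receiver holds only r_{c_rand}, which unmasks y[c] and nothing else."""
    return xor(y[c], receiver_state[1])

def beaver_ot(x0: bytes, x1: bytes, c: int):
    if len(x0) != len(x1):
        raise ValueError("pad both messages to the same length first")
    sender_state, receiver_state = offline_random_ot(len(x0))
    d = receiver_request(c, receiver_state)
    y = sender_respond(x0, x1, d, sender_state)
    return receiver_recover(c, receiver_state, y), y, receiver_state

if __name__ == "__main__":
    # Constructed sample inputs.
    for choice in (0, 1):
        print(choice, beaver_ot(b"scenic spot A", b"scenic spot B", choice)[0])
```

The online phase costs one bit from the receiver and two XORs from the sender; a random OT must never be reused for a second online OT, for the same reason a one-time pad must not be reused.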

5 Why is it expensive to do OT directly?

The reason for the high overhead of OT was not explained above. It comes from the concrete algorithms used to realize OT, such as OT based on DH key exchange and OT based on RSA encryption. Generally speaking, a concrete OT implementation requires exponentiation, so the computational overhead is relatively large.
Here is a brief look at how RSA encryption and decryption are calculated (no specific principles involved):
[Figure: calculation of RSA encryption and decryption]

6 Implementation Algorithm of OT


OT based on RSA encryption (version 1)

Initialization:
(1) The sender has two pieces of data $M_0$ and $M_1$, the public key $E$ (for encryption) and the private key $D$ (for decryption), and random numbers $x_0$ and $x_1$.
(2) The receiver has a random number $k$, the index $i$ of the data it wants, and the public key $E$ (for encryption).

Algorithm steps:
(1) The receiver first encrypts $k$ to get $E(k)$, then adds the sender's corresponding random number to obtain $E(k)+x_i$, and sends this result to the sender. This ensures that the sender cannot see which index $i$ the receiver selected, since $x_i$ and $E(k)$ are blended together.
(2) The sender subtracts each of its two random numbers from $E(k)+x_i$ and decrypts: $k_0=D(E(k)+x_i-x_0)$ and $k_1=D(E(k)+x_i-x_1)$. Here either $k_0=k$ or $k_1=k$.
(3) The sender adds $k_0$ and $k_1$ to its original data: $M_0'=M_0+k_0$ and $M_1'=M_1+k_1$, and sends the two results to the receiver. Here either $M_0'=M_0+k$ or $M_1'=M_1+k$. This ensures that the receiver cannot see the sender's specific data, because $M_i$ and $k_i$ are blended together.
(4) The receiver calculates $P_i=M_i'-k$. Here either $P_0=M_0$ or $P_1=M_1$; that is, only the data that the receiver wants can be decrypted.

The blue font indicates the explanation of the information security guarantee of both parties, and the red font indicates the explanation of the value in the encryption process.
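The four steps of version 1, as an added Python example (not code from the original post or its references). It assumes that the sender sends $x_0$, $x_1$ and the public key to the receiver beforehand, that all additions and subtractions are taken modulo the RSA modulus $N$, and that both parties follow the protocol; the toy textbook-RSA key and every function name are constructed here.

```python
import secrets

# Toy textbook-RSA key, constructed for this example (unpadded and far too
# small for real use). P and Q are the Mersenne primes 2^61-1 and 2^89-1.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # sender's private exponent

def sender_setup():
    """Sender picks the random numbers x0, x1 (assumed sent to the receiver)."""
    return secrets.randbelow(N), secrets.randbelow(N)

def receiver_blind(i, x):
    """Step 1: v = E(k) + x_i mod N; v alone does not show which x_i was used."""
    k = secrets.randbelow(N)
    return k, (pow(k, E, N) + x[i]) % N

def sender_respond(v, x, m):
    """Steps 2-3: k_j = D(v - x_j), then M'_j = M_j + k_j (mod N)."""
    ks = [pow((v - xj) % N, D, N) for xj in x]
    return [(mj + kj) % N for mj, kj in zip(m, ks)]

def receiver_unblind(i, k, masked):
    """Step 4: P_i = M'_i - k (mod N)."""
    return (masked[i] - k) % N

def encode(s: bytes) -> int:
    return int.from_bytes(s, "big")

def decode(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_ot(m0: bytes, m1: bytes, i: int):
    m = [encode(m0), encode(m1)]
    if max(m) >= N:
        raise ValueError("message does not fit in the toy modulus")
    x = sender_setup()
    k, v = receiver_blind(i, x)
    masked = sender_respond(v, x, m)
    return decode(receiver_unblind(i, k, masked)), k, masked, m

if __name__ == "__main__":
    # Constructed sample inputs.
    for index in (0, 1):
        print(index, rsa_ot(b"scenic spot A", b"scenic spot B", index)[0])
```

Each transfer costs the sender two private-key exponentiations and the receiver one public-key exponentiation, which is the overhead section 5 refers to.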

OT based on RSA encryption (version 2)

OT based on public key cryptography (from Introduction to Practical Secure Multiparty Computation)

OT based on public key encryption

Reference materials:
Detailed explanation of the OT (Oblivious Transfer) protocol
RSA introduction
OT Extension - Beaver De-randomization Theorem
Cryptography Academic Lecture | Professor Mike Rosulek gave a lecture on oblivious transfer and its extension
Techniques in OT extension: https://nishkum.github.io/files/OT_extension.pdf

Origin blog.csdn.net/qq_16763983/article/details/128055146