Alternative Protocols for Generalized Oblivious Transfer


Bhavani Shankar¹, Kannan Srinathan¹, and C. Pandu Rangan²

¹ Center for Security, Theory and Algorithmic Research (C-STAR), International Institute of Information Technology, Hyderabad, 500032, India. shankar@research.iiit.ac.in, srinathan@iiit.ac.in
² Department of Computer Science and Engineering, Indian Institute of Technology, Madras, Chennai, 600036, India. rangan@iitm.ernet.in

S. Rao et al. (Eds.): ICDCN 2008, LNCS 4904, pp. 304-309, 2008. © Springer-Verlag Berlin Heidelberg 2008

Abstract. Protocols for Generalized Oblivious Transfer (GOT) were introduced by Ishai and Kushilevitz [10]. They built GOT by reducing it to standard 1-out-of-2 oblivious transfer protocols by way of private protocols. Our protocols give an alternative reduction that uses secret sharing schemes instead of private protocols. We thereby show that there exists a natural correspondence between GOT and general secret sharing schemes, so that the techniques and tools developed for the latter apply equally well to the former.

1 Introduction

The notion of Oblivious Transfer (OT) was introduced by Rabin [13]; it has proved to be a useful tool in the construction of various cryptographic protocols such as bit commitment, zero-knowledge proofs and multi-party computation [12]. In Rabin's OT protocol, Alice has a list of $n$ strings $x_1, x_2, \ldots, x_n$ and Bob wishes to learn the string $x_i$. Bob does not want to reveal the index $i$, and at the same time Alice does not want to reveal any $x_j$ with $j \neq i$. Later, several variations of OT were proposed in the literature [4,8,5,6,9], and some of them were proved equivalent by Brassard et al. [3]. 1-out-of-2 OT, introduced by Even et al. [9], is one of them: Bob securely chooses a single secret out of a pair of secrets held by Alice. Crépeau [7] showed that Rabin's OT is equivalent to 1-out-of-2 OT. Direct extensions of 1-out-of-2 OT are 1-out-of-n OT [1,16] and m-out-of-n OT [14].

Informally, in an m-out-of-n OT Bob can receive only $m$ of the $n$ messages ($n > m$) sent by Alice, and Alice has no idea which ones have been received: from Alice's point of view, every message is equally likely to have been received by Bob. 1-out-of-n OT is the special case of m-out-of-n OT with $m = 1$. All the above variations of OT are analogous to threshold secret sharing schemes, where the number of secrets to be transmitted obliviously is defined by a threshold function. Thus, all the limitations

of threshold schemes used in secret sharing hold here as well, i.e. there exist access structures that cannot be realized by the above variations of OT. The GOT protocol introduced by Ishai and Kushilevitz [10] is thus a natural generalization of all these variations of OT. In a GOT protocol, Alice has $n$ secrets and wishes to obliviously transfer to Bob a qualified subset $A \subseteq [n]$ of the secrets according to Bob's choice, where $n$ is a positive integer denoting the number of 1-bit secrets held by Alice. Ishai and Kushilevitz [10] implement GOT by parallel invocations of the simple 1-out-of-2 OT primitive while making use of private protocols. Their model of private protocols consists of $n$ players $P_1, P_2, \ldots, P_n$, where each player holds a secret input $x_i$. All the players have access to a common random string. Each of the $n$ players sends a message to a special player Carol that depends on its own input and the common random string. Carol computes a predetermined function from the messages received from all the players without learning any additional information about the secret values $x_1, x_2, \ldots, x_n$. We too implement our GOT protocol by parallel invocations of 1-out-of-2 OT, but we greatly reduce the overhead of private protocols by using secret sharing schemes in their place.

Papers closely resembling our work are Kawamoto and Yamamoto's [11] work on secret function sharing schemes (SFSS) and Tzeng's [17] work on 1-out-of-n OT. Kawamoto and Yamamoto [11] have shown that an unconditionally secure distributed oblivious transfer protocol can be constructed by combining SFSS with a multi-group secret sharing scheme [15]. Tzeng [17], on the other hand, showed how to construct OT protocols using any secret sharing scheme. His schemes rest on a computational guarantee (the decisional Diffie-Hellman problem), whereas the guarantee of our scheme depends on the security guarantee of the underlying secret sharing scheme. Thus, by using secret sharing schemes with different security guarantees, our schemes can provide different security guarantees.

The rest of the paper is organized as follows: Section 2 covers the required background; in Section 3 we give our protocol and its proof of correctness; and we conclude in Section 4.

2 Preliminaries

Definition 1 (Access structure [2]). Let $P = \{P_0, P_1, \ldots, P_{n-1}\}$ be a set of parties. A collection $\mathcal{A} \subseteq 2^{\{P_1, P_2, \ldots, P_n\}}$ is monotone if $B \in \mathcal{A}$ and $B \subseteq C$ imply $C \in \mathcal{A}$. An access structure is a monotone collection $\mathcal{A}$ of non-empty subsets of $\{P_1, P_2, \ldots, P_n\}$ (that is, $\mathcal{A} \subseteq 2^{\{P_1, P_2, \ldots, P_n\}}$). The sets in $\mathcal{A}$ are called the authorized sets. A set $B$ is called a minimal set of $\mathcal{A}$ if $B \in \mathcal{A}$, and for every $C \subsetneq B$ it holds that $C \notin \mathcal{A}$. The minimal sets of an access structure uniquely define it. Finally, we freely identify an access structure with its monotone characteristic function $f_{\mathcal{A}} : \{0,1\}^n \to \{0,1\}$, whose variables are denoted $x_0, \ldots, x_n$.

Definition 2 (Complement of an access structure). Let $P = \{P_0, P_1, \ldots, P_{n-1}\}$ be a set of parties. A collection $\mathcal{B} \subseteq 2^P$ is called a complement of a collection $\mathcal{A}$ if $\mathcal{B} = \{B \mid B = P \setminus A,\ A \in \mathcal{A}\}$.

Note: The complement of an access structure is uniquely defined by its maximal basis¹ $\mathcal{B}$ rather than by a minimal basis. Also, an access structure $\mathcal{A}$ and its complement access structure $\mathcal{B}$ may have subsets in common. For example, consider $P = \{1, 2, 3, 4\}$ and $\mathcal{A} = \{\{1,2\}, \{2,3\}, \{3,4\}\}$. Its complement access structure is uniquely defined by the maximal basis $\mathcal{B} = \{\{1,2\}, \{1,4\}, \{3,4\}\}$. Observe that the subsets $\{1,2\}$ and $\{3,4\}$ are common to both structures.

¹ The maximal basis of $\mathcal{B}$ is defined as the collection $\{B \mid B \in \mathcal{B},\ \nexists X \in \mathcal{B} : X \supsetneq B\}$.

Definition 3 (Secret Sharing [2]). Let $S$ be a finite set of secrets, where $|S| \ge 2$. An $n$-party secret-sharing scheme $\Pi$ with secret-domain $S$ is a randomized mapping from $S$ to a set of $n$-tuples $S_0 \times S_1 \times \cdots \times S_{n-1}$, where $S_i$ is called the share-domain of $P_i$. A dealer distributes a secret $s \in S$ according to $\Pi$ by first sampling a vector of shares $(s_0, \ldots, s_{n-1})$ from $\Pi(s)$, and then privately communicating each share $s_i$ to the party $P_i$. We say that $\Pi$ realizes an access structure $\mathcal{A} \subseteq 2^{\{P_1, P_2, \ldots, P_n\}}$ (or the corresponding monotone function $f_{\mathcal{A}} : \{0,1\}^n \to \{0,1\}$) if the following two requirements hold:

1. Correctness. The secret $s$ can be reconstructed by any authorized subset of parties. That is, for any subset $B \in \mathcal{A}$ (where $B = \{P_{i_1}, \ldots, P_{i_{|B|}}\}$), there exists a reconstruction function $\mathrm{Rec}_B : S_{i_1} \times \cdots \times S_{i_{|B|}} \to S$ such that for every $s \in S$, $\Pr[\mathrm{Rec}_B(\Pi(s)_B) = s] = 1$, where $\Pi(s)_B$ denotes the restriction of $\Pi(s)$ to its $B$-entries.

2. Privacy. No unauthorized subset can learn anything about the secret (in the information-theoretic sense) from its shares. Formally, for any subset $C \notin \mathcal{A}$, for every two secrets $a, b \in S$, and for every possible vector of shares $\langle s_i \rangle_{P_i \in C}$: $\Pr[\Pi(a)_C = \langle s_i \rangle_{P_i \in C}] = \Pr[\Pi(b)_C = \langle s_i \rangle_{P_i \in C}]$.

Definition 4 (Generalized Oblivious protocol). A generalized oblivious protocol $\mathcal{P}$ between two players Alice and Bob is said to realize an access structure $\mathcal{B}$ if:

1. Bob is able to recover all the secrets of any one of the qualified subsets specified by the access structure.
2. Bob does not recover any set of secrets that is not qualified according to the given access structure.

3 Protocol

Let $\sigma_1, \sigma_2, \ldots, \sigma_n$ be the $n$ messages of the (generalized) OT protocol. The qualified sets of messages that the receiver may receive are specified by an access structure $\mathcal{A}$.

Let $\mathcal{B}$ be a complement access structure to $\mathcal{A}$, and let SHARE and RECOVER be the sharing and reconstruction algorithms of a secret sharing scheme for the access structure $\mathcal{B}$. We give an information-theoretic reduction from oblivious transfer on an access structure $\mathcal{A}$ to 1-out-of-2 oblivious transfer, using a secret sharing scheme on the access structure $\mathcal{B}$. Our protocol is as follows:

1. Alice selects $n$ random values $x_1, x_2, \ldots, x_n$, chosen uniformly from a finite field, and computes $y_i = \sigma_i \oplus x_i$.
2. Alice chooses a random secret $s$, uniformly from a finite field, and applies the SHARE algorithm to get $n$ shares $s_1, s_2, \ldots, s_n$.
3. Alice and Bob execute the 1-out-of-2 OT protocol $n$ times, with the message pairs $(s_1, y_1), (s_2, y_2), \ldots, (s_n, y_n)$ respectively.
4. Let $A \in \mathcal{A}$ be the set of messages that Bob wishes to receive. For each $i$, if $i \in A$ then Bob picks $y_i$, else he picks the share $s_i$.
5. Bob executes the RECOVER algorithm to obtain the secret $s$ and sends it back to Alice.
6. Alice verifies whether Bob has correctly computed the secret $s$. If it is correct, she sends $x_1, x_2, \ldots, x_n$ to Bob; otherwise she aborts the protocol.
7. Bob computes $\sigma_i = x_i \oplus y_i$ for each $i \in A$.

Theorem 1. Bob can recover any of the qualified subsets defined by the access structure $\mathcal{A}$.

Proof. We prove by contradiction. For the rest of the proof, we take $i$ to be some positive integer less than or equal to $n$. Suppose Bob is unable to recover a valid secret $\sigma_i$ belonging to a qualified set $A \in \mathcal{A}$. This is due to $x_i$ or $y_i$ missing, or both. Consider each case individually:

1. $x_i$ is missing: This implies that Bob has sent an invalid secret $s$ to Alice, causing Alice to refuse to send the values $x_1, x_2, \ldots, x_n$. By the correctness of the RECOVER algorithm, Bob must then have received an unqualified set of shares for reconstructing the secret $s$. But from the security of the underlying 1-out-of-2 OT, we know that Bob recovers the messages of a valid set $A \in \mathcal{A}$ if and only if he recovers the shares of a valid set $B \in \mathcal{B}$.² Therefore, Bob cannot possess the share $y_i$. Hence a contradiction.
2. $y_i$ is missing: This contradicts the basic assumption of 1-out-of-2 OT, namely that Bob is able to recover either of the secrets $s_i$ or $y_i$ as per his choice. Hence a contradiction.
3. Both $x_i$ and $y_i$ are missing: By the same argument as before, this can occur only when the underlying 1-out-of-2 OT is incorrect. Hence a contradiction.

Theorem 2. Bob cannot recover any subset of secrets that is not qualified according to the access structure $\mathcal{A}$.

² In the third step of the protocol, Bob is able to recover either $y_i$ or $s_i$ for each $i$, $1 \le i \le n$, but not both.

Proof. We prove by contradiction. Suppose that Bob has a probabilistic polynomial-time algorithm that outputs $\{\sigma_i\}_{i \in A}$ for some $A \notin \mathcal{A}$ with non-negligible probability. To correctly reconstruct Alice's secret $s$, Bob requires all of $\{s_i\}_{i \in B}$ for some $B \in \mathcal{B}$; otherwise it is infeasible to learn the value of the secret $s$, whose security follows from the security of the underlying secret sharing scheme. The only way for Bob to obtain $\{\sigma_i\}_{i \in B}$ for some $B \notin \mathcal{B}$ is to obtain both of Alice's inputs in the third step of the above protocol, which is infeasible by the security of the underlying 1-out-of-2 OT protocol.

Theorem 3. Alice has no information about which qualified set of secrets defined by $\mathcal{A}$ is recovered by Bob.

Proof. In the third step of the protocol, Alice and Bob execute 1-out-of-2 OT for $n$ rounds. By the security of the underlying 1-out-of-2 OT protocol, in each round $i$ Alice has no information about whether $s_i$ or $y_i$ has been recovered by Bob. Thus, even at the end of the $n$ invocations, Alice has no idea which of the shares $s_i$ and $y_i$ Bob has recovered, and the privacy of Bob follows from the secrecy of which set of shares he recovers.

4 Conclusion

Oblivious transfer has proved to be a very useful tool in the construction of cryptographic protocols. Similarly, generalized oblivious transfer (GOT) is also expected to be very useful in the construction of cryptographic protocols. For instance, GOT has important applications in e-commerce. Suppose that Alice wants to buy some goods from a shopkeeper but does not want to reveal to the shopkeeper which set of goods she intends to buy, whereas the shopkeeper wants to make sure that the total cost of the goods Alice buys is no more than what Alice claims. This can easily be implemented using GOT, where the GOT's access structure contains all combinations of goods whose total price does not exceed a specified value. GOT has many other such useful applications.

Characterizing the exact lower bounds for GOT in terms of communication and computation is an interesting open problem.

Acknowledgements. We thank the anonymous reviewers for their useful feedback.

References

1. Aiello, B., Ishai, Y., Reingold, O.: Priced oblivious transfer: How to sell digital goods. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045. Springer, Heidelberg (2001)
2. Beimel, A., Ishai, Y.: On the power of nonlinear secret-sharing. In: SCT: Annual Conference on Structure in Complexity Theory (2001)

3. Brassard, G., Crépeau, C., Robert, J.M.: Information theoretic reduction among disclosure problems. In: 27th IEEE Symposium on Foundations of Computer Science, Toronto, Ontario, pp. 168-173 (1986)
4. Cachin, C.: On the foundations of oblivious transfer. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403. Springer, Heidelberg (1998)
5. Cachin, C., Crépeau, C., Marcil, J.: Oblivious transfer with a memory-bounded receiver. In: IEEE Symposium on Foundations of Computer Science, pp. 493-502 (1998)
6. Cachin, C., Crépeau, C., Marcil, J.: Oblivious transfer in the bounded storage model. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 493-502. Springer, Heidelberg (2001)
7. Crépeau, C.: An equivalence between two flavors of oblivious transfer. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293. Springer, Heidelberg (1988)
8. Crépeau, C.: Quantum oblivious transfer. Journal of Modern Optics 41(12), 2455-2466 (1994)
9. Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. In: Advances in Cryptology: Proceedings of CRYPTO 1982, pp. 205-210 (1982)
10. Ishai, Y., Kushilevitz, E.: Private simultaneous messages protocols with applications. In: Israel Symposium on Theory of Computing Systems, pp. 174-184 (1997)
11. Kawamoto, Y., Yamamoto, H.: Secret function sharing schemes and their applications to the oblivious transfer. In: IEEE International Symposium on Information Theory 2003. IEEE, Los Alamitos (2003)
12. Kilian, J.: Founding cryptography on oblivious transfer. In: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, pp. 20-31 (1988)
13. Rabin, M.O.: How to exchange secrets by oblivious transfer. Technical Report TR-81, Harvard University (1981)
14. Mu, Y., Zhang, J., Varadharajan, V.: m out of n oblivious transfer. In: Batten, L.M., Seberry, J. (eds.) ACISP 2002. LNCS, vol. 2384, pp. 3-5. Springer, Heidelberg (2002)
15. Naor, M., Pinkas, B.: Distributed oblivious transfer. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006, pp. 205-219. Springer, Heidelberg (2000)
16. Santis, A.D., Persiano, G.: Public-randomness in public-key cryptography. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473. Springer, Heidelberg (1991)
17. Tzeng, W.-G.: Efficient 1-out-of-n oblivious transfer schemes with universally usable parameters. IEEE Trans. Comput. 53(2), 232-240 (2004)
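As an added worked example (not part of the paper): the seven steps of the Section 3 protocol run on the access structure from the Definition 2 example, with the 1-out-of-2 OT modelled as an ideal choose-one step and SHARE/RECOVER instantiated by an assumed XOR-based scheme whose authorized sets are the maximal basis of the complement structure $\mathcal{B}$ (our reading of "a secret sharing scheme for access structure $\mathcal{B}$"). A qualified choice leaves Bob with the shares of a basis set, so he reconstructs $s$ and is sent the masks; a choice not contained in any qualified set leaves him short of every basis set, so he fails Alice's check in step 6 and the masks stay hidden.

```python
import secrets

# Constructed toy instance from the paper's Definition 2 example:
# parties P = {1, 2, 3, 4} and the minimal qualified sets of A.
P = frozenset({1, 2, 3, 4})
A_MIN = [frozenset({1, 2}), frozenset({2, 3}), frozenset({3, 4})]


def complement_basis(parties, minimal_sets):
    """Maximal basis of the complement structure B: P \\ A for each minimal A."""
    return [parties - a for a in minimal_sets]


def share(secret, parties, auth_sets):
    """SHARE (an assumed scheme; the paper leaves it abstract): one independent
    XOR-sharing of the secret per authorized set.  Party i's share is the dict of
    components it holds.  A set containing an authorized set XORs that sharing
    back; a set missing a member of every authorized set sees only independent
    uniform bytes and so learns nothing about the secret."""
    shares = {i: {} for i in parties}
    for g, group in enumerate(auth_sets):
        members = sorted(group)
        parts, acc = [], secret
        for _ in members[:-1]:
            r = secrets.randbits(8)
            parts.append(r)
            acc ^= r
        parts.append(acc)  # last component makes the XOR over the group equal secret
        for i, part in zip(members, parts):
            shares[i][g] = part
    return shares


def recover(held, auth_sets):
    """RECOVER: the secret if the held shares cover some authorized set, else None."""
    for g, group in enumerate(auth_sets):
        if group <= set(held):
            result = 0
            for i in group:
                result ^= held[i][g]
            return result
    return None


def got_protocol(sigma, parties, a_min, bob_choice):
    """Section 3's seven steps, with 1-out-of-2 OT modelled as an ideal choice.
    sigma maps index -> Alice's secret byte; bob_choice is the index set Bob asks
    for.  Returns Bob's recovered secrets, or None if Alice aborts.  Bytes keep
    the trace readable; a real run needs a field too large for s to be guessed."""
    b_basis = complement_basis(parties, a_min)
    x = {i: secrets.randbits(8) for i in parties}       # step 1: masks x_i and
    y = {i: sigma[i] ^ x[i] for i in parties}           #         y_i = sigma_i (+) x_i
    s = secrets.randbits(8)                             # step 2: random s, shared
    s_shares = share(s, parties, b_basis)               #         for structure B
    # steps 3-4: n OTs on (s_i, y_i); Bob takes y_i for i in his set, s_i otherwise,
    # and Alice learns nothing about which element of each pair he took
    bob_y = {i: y[i] for i in bob_choice}
    bob_s = {i: s_shares[i] for i in parties - bob_choice}
    s_from_bob = recover(bob_s, b_basis)                # step 5: Bob returns s
    if s_from_bob != s:                                 # step 6: Alice verifies;
        return None                                     #   abort keeps x secret
    return {i: bob_y[i] ^ x[i] for i in bob_choice}     # step 7: unmask sigma_i
```

Note that a choice strictly inside a qualified set (for instance {1} alone) also passes, since Bob's leftover shares then cover a basis set; this matches monotonicity of $\mathcal{A}$ and is harmless, as Bob could discard secrets of a qualified set anyway.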