Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations
Iftach Haitner
www.wisdom.weizmann.ac.il/~iftachh
WEIZMANN INSTITUTE OF SCIENCE
Jan 14, 2016
Talk Overview
• Oblivious transfer (OT)
• Collection of trapdoor permutations (TDP)
• Does TDP imply OT?
• Our result: dense-TDP implies OT
Oblivious Transfer (OT) [Rabin 81’]
(one-out-of-two version [EGL 85’])
1. Correctness: The receiver learns i
2. Sender's privacy: The receiver learns nothing about 1-i
3. Receiver's privacy: The sender learns nothing about i
Semi-honest model (honest-but-curious) - suffices due to Goldreich, Micali and Wigderson
Sender: 0 and 1 (w.l.o.g. bits)
Receiver: i ∈ {0,1}
Collection of trapdoor Permutations (TDP)
{f: D → D}, n = ||
[Figure: x in the domain D inside {0,1}^n is mapped to f(x); the forward direction is marked "easy", the inverse "hard" and "easy with trapdoor"]
• Permutation sampler: I(1^n) = (,t)
• Domain sampler: D() = x ∈_R D
• Evaluation/Inversion: F(,x) = f(x), F^{-1}(,t,x) = f^{-1}(x)
• Known Candidates: Rabin’s collection, RSA, …
Does TDP imply OT?
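EGL protocol
Sender (0 and 1)    Receiver (i)
Common input: 1^n
Sender: (,t) ← I(1^n)
Receiver:
• r_{1-i} ← D()
• s ← D(), r_i = f(s)
Receiver → Sender: r_0, r_1
Sender: For j = 0,1: c_j = j ⊕ b(f^{-1}(r_j))
Sender → Receiver: c_0, c_1
Receiver: Output: c_i ⊕ b(s) (= i)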
Correctness
Receiver’s privacy
? Sender's privacy
n is the security parameter of the protocol
b is any hardcore predicate of f
• Knowing the random coins used by the Domain sampler (D) might give information about the pre-image of the element.
– Rabin’s collection original implementation
Therefore the EGL protocol might not satisfy the Sender's privacy requirement.
– Enhanced-TDP [Goldreich 02’]: inverting an element is hard, even when the randomness used to produce it is given. Enhanced-TDP ⇒ OT
Our result: Implementing OT using any dense-TDP
[Figure: the domain D inside {0,1}^n]
∃ positive polynomial p s.t. |D| · p(n) > 2^n
Enhanced Vs. Dense
• Dense (property) might be considered as a more natural requirement
• Probably easier to verify
• Different approach: might lead to OT based on any TDP
Implementing OT using dense-TDP
Implementing OT using dense-checkable-TDP
checkable-TDP: The existence of a domain sampler is not guaranteed, but there is an efficient way to check whether a given element is inside a permutation's domain or not.
OT based on dense-checkable-TDP
Sender (0 and 1)    Receiver (i)
Sender: (,t) ← I(1^n)
Receiver:
1. s, r_{1-i} ∈_R {0,1}^n
2. if s or r_{1-i} ∉ D go back to step 1
3. r_i = f(s)
Receiver → Sender: r_0, r_1
….
Correctness
Receiver’s privacy
Sender's privacy
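The EGL exchange with the rejection-sampling receiver of the dense-checkable variant, as an added example that is not from the original slides. It assumes a toy RSA collection as the TDP and the least significant bit as b; the names sigma0/sigma1 (the sender's two secret bits), alpha (the permutation index) and the small primes are this example's own choices.

```python
import math
import secrets

# Toy RSA collection (constructed, insecure parameters; illustration only).
P, Q, E = 1009, 1013, 65537

def I():
    """Permutation sampler: returns (index, trapdoor) = ((N, e), d)."""
    n_mod = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n_mod, E), d

def in_domain(alpha, x):
    """Containment test of a checkable TDP: D = Z_N^* inside {0,1}^n."""
    return 0 < x < alpha[0] and math.gcd(x, alpha[0]) == 1

def F(alpha, x):            # evaluation f(x)
    return pow(x, alpha[1], alpha[0])

def F_inv(alpha, t, y):     # inversion, needs the trapdoor t
    return pow(y, t, alpha[0])

def b(x):                   # least significant bit, used here as the predicate b
    return x & 1

def sample_domain(alpha):
    """Steps 1-2: draw n-bit strings until one lands in D (D is dense)."""
    n = alpha[0].bit_length()
    while True:
        x = secrets.randbits(n)
        if in_domain(alpha, x):
            return x

def receiver_round1(alpha, i):
    s = sample_domain(alpha)
    r = [0, 0]
    r[i] = F(alpha, s)                 # receiver knows the preimage of r_i
    r[1 - i] = sample_domain(alpha)    # and no preimage of r_{1-i}
    return s, r

def sender_round2(alpha, t, sigma, r):
    return [sigma[j] ^ b(F_inv(alpha, t, r[j])) for j in (0, 1)]

def run_ot(sigma0, sigma1, i):
    alpha, t = I()
    s, r = receiver_round1(alpha, i)
    c = sender_round2(alpha, t, (sigma0, sigma1), r)
    return c[i] ^ b(s)                 # receiver's output
```

With these parameters n = 20 and almost every 20-bit string lies in D, so the loop in sample_domain rarely repeats; the receiver's coins are just the sampled strings themselves.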
Implementing OT using dense-t-checkable-TDP
t-checkable-TDP:
Like checkable-TDP, but the containment test requires the trapdoor. There exists an efficient algorithm A s.t.: A(,t,x) = 1 iff x ∈ D
OT based on dense-t-checkable-TDP (first try)
Sender (0 and 1)    Receiver (i)
Sender: (,t) ← I(1^n)
Go
Receiver:
1. s, r_{1-i} ∈_R {0,1}^n
2. if s or r_{1-i} ∉ D go back to step 1.
3. r_i = f(s)
r_0, r_1
……
Sender: If s or r_{1-i} ∉ D restart
s, r_{1-i}
i
OT based on dense t-checkable-TDP (second try)
Sender (0 and 1)    Receiver (i)
f(s) ≡ F(,s)
Sender: (,t) ← I(1^n)
Receiver:
1. s, r_{1-i} ∈_R {0,1}^n
2. r_i = f(s)
Receiver → Sender: r_0, r_1 (rand.)
Sender: If r_0 or r_1 ∉ D restart
Reveal order
Sender: For j = 0,1: c_j = j ⊕ b(f^{-1}(r_j))
Sender → Receiver: c_0, c_1
Receiver: Output: c_i ⊕ b(s) (= i)
[Figure: D inside {0,1}^n, showing s, y and r_i with the maps f and f^{-1}]
• The receiver might recover i incorrectly.
c_i ⊕ b(s) = i ⊕ b(f^{-1}(r_i)) ⊕ b(s) ≠ i
• The sender might reveal i. r_i might have a different distribution than r_{1-i}
A weak OT based on dense t-checkable-TDP
Sender (0 and 1)    Receiver (i)
h ∈_R H_n - a collection of hash functions
Sender: (,t) ← I(1^n)
Receiver:
1. s, r_{1-i} ∈_R {0,1}^n
2. r_i = f(s)
Receiver → Sender: r_0, r_1 (rand.)
Sender: If r_0 or r_1 ∉ D Restart
Sender → Receiver: h, h(f^{-1}(r_0)), h(f^{-1}(r_1))
Receiver: If h(s) ≠ h(f^{-1}(r_i)) Restart.
Reveal order
…
Sender: For j = 0,1: c_j = j ⊕ b(f^{-1}(r_j)) …
w.h.p. s = f^{-1}(r_i)
• w.h.p. Correctness
• w.h.p. Receiver’s privacy
• Sender's privacy is not compromised
Our solution: Increase the probability that (after the revealing step) s = f^{-1}(r_i)
A “very” weak OT based on any dense-TDP
[Figure: {0,1}^n, D’ and D]
Can extend any dense-TDP, such that it is still one-to-one and it is t-checkable.
D’ ≡ {x ∈ {0,1}^n | F(,F^{-1}(,t,x)) = x}
1. W.r.t. D’ we have a containment test (the collection is t-checkable): x ∈ D’ iff F(,F^{-1}(,t,x)) = x
2. But the extended f is only weakly one-way.
⇒ Only noticeable Sender's privacy
A weak OT based on dense t-checkable-TDP
Sender (0 and 1)    Receiver (i)
Sender: (,t) ← I(1^n)
Receiver:
1. s, r_{1-i} ∈_R {0,1}^n
2. r_i = f(s)
Receiver → Sender: r_0, r_1 (rand.)
Sender: If r_0 or r_1 ∉ D Restart
Sender → Receiver: h, h(f^{-1}(r_0)), h(f^{-1}(r_1))
Receiver: If h(s) ≠ h(f^{-1}(r_i)) Restart.
Reveal order
…
Sender: For j = 0,1: c_j = j ⊕ b(f^{-1}(r_j)) …
• w.h.p. Correctness
• w.h.p. Receiver’s privacy
• noticeable Sender's privacy
dense-TDP
↓
Weak OT (all the requirements are weak)
↓ Secret sharing (Yao’s XOR lemma)
Weak OT with strong Sender’s privacy
↓ Repeating and using majority rule
Weak OT with strong Correctness and Sender’s privacy
↓ Crepeau and Kilian 88’
OT
Sender (0 and 1)    Receiver (i)
For k = 0,1:
k,1, …, k,m-1 ∈_R {0,1}
k,t = (⊕_{1 ≤ j ≤ m-1} k,j) ⊕ k
0,1  0,2  0,3  …  0,m    ⊕ ⇒ 0
1,1  1,2  1,3  …  1,m    ⊕ ⇒ 1
Output: ⊕_{1 ≤ j ≤ m} i,j
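The secret-sharing step above, as an added example that is not from the original slides: each of the sender's bits is split into m XOR shares and the shares are sent through m weak OTs. The weak OT here is a constructed stand-in (always correct, leaks the unchosen bit with probability leak_prob), and the names sigma0, sigma1, leak_prob and exposure_rate are this example's own.

```python
import random
from functools import reduce
from operator import xor

def share(sigma, m, rng):
    """Split bit sigma into m shares whose XOR equals sigma."""
    head = [rng.randrange(2) for _ in range(m - 1)]
    return head + [reduce(xor, head, 0) ^ sigma]

def weak_ot(x0, x1, i, leak_prob, rng):
    """Constructed model of a weak OT (an assumption of this example):
    always correct, but with probability leak_prob the receiver also
    learns the bit it did not ask for."""
    other = (x0, x1)[1 - i]
    return (x0, x1)[i], (other if rng.random() < leak_prob else None)

def shared_ot(sigma0, sigma1, i, m, leak_prob, rng):
    """Run m weak OTs on the shares; return (receiver output, exposed?)."""
    shares = (share(sigma0, m, rng), share(sigma1, m, rng))
    got, leaks = [], []
    for j in range(m):
        out, leaked = weak_ot(shares[0][j], shares[1][j], i, leak_prob, rng)
        got.append(out)
        leaks.append(leaked)
    # The unchosen secret is determined only if every one of its shares leaked;
    # any missing share leaves the XOR of the rest uniformly distributed.
    exposed = all(bit is not None for bit in leaks)
    return reduce(xor, got, 0), exposed

def exposure_rate(m, leak_prob, trials=20000, seed=1):
    """Fraction of runs in which the receiver can reconstruct sigma_{1-i}."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        s0, s1, i = rng.randrange(2), rng.randrange(2), rng.randrange(2)
        out, exposed = shared_ot(s0, s1, i, m, leak_prob, rng)
        assert out == (s0, s1)[i]      # sharing keeps correctness in this model
        hits += exposed
    return hits / trials
```

In the talk's setting the weak OT can also give a wrong output, and XOR-ing m outputs makes a wrong final bit more likely, which is why the majority-rule repetition follows this step in the chain.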
Further issues
• OT based on any TDP?
Seems difficult, as Gertner, Kannan, Malkin, Reingold and Viswanathan 2000 showed that OT cannot be black-box reduced to a collection of injective trapdoor one-way functions.
(most likely) OT cannot be black-box reduced to TDP
Acknowledgment:
Oded Goldreich