Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner iftachh WEIZMANN INSTITUTE.

Implementing Oblivious TransferUsing a Collection of Dense

Trapdoor Permutations

Iftach Haitner

www.wisdom.weizmann.ac.il/~iftachh

WEIZMANNINSTITUTEOF SCIENCE

Talk Overview

Oblivious transfer (OT) Collection of trapdoor

permutations (TDP) Does TDP imply OT? Our result:

dense-TDP implies OT

Oblivious Transfer (OT)[Rabin 81’]

(one-out-of-two version [EGL 85’])

1. Correctness: The receiver learns i

2. Sender's privacy: The receiver learns nothing about 1-i

3. Receiver's privacy: The sender learns nothing about i

Semi-honest model (honest-but-curious) - suffices due to Goldreich, Micali and Wigderson

0 and

1 (w.l.o.g. bits) i 2 {0,1}

Sender Receiver

{0,1}n

D

x

{0,1}n

D

f(x)hard

easy

easy with trapdoor

{0,1}n

D

{0,1}n

D

• Permutation sampler: I(1n) = (,t

• Domain sampler: D() = x 2RD

• Evaluation/ Inversion F(,x) = f(x) , F-1(,t,x) = f-1(x)

• Known Candidates: Rabin’s collection, RSA,…

Does TDP imply OT?

hard

easy with trapdoor

Collection of trapdoor Permutations (TDP)

easy

x f(x)

{f: D ! D}

n = ||

EGL protocol

r0,r1

(,t) à I(1n) • r1-i à D()

• s à D() ri = f(s)

For j = 0,1:

cj = j © b(f-1(rj)) c0,c1 Output: ci © b(s) (= i)

1nSender (0 and 1) Receiver (i)

Correctness

Receiver’s privacy

? Sender's privacy

n is the security parameter of the protocol

b is any hardcore predicate of f

• Knowing the random coins used by the Domain sampler (D), might give information about the pre-image of the element.

– Rabin’s collection original implementation

Therefore the EGL protocol might not satisfy the Sender's privacy requirement.

– Enhanced–TDP [Glodreich 02’]inverting an element is hard, even when the randomness used to produce it is given. Enhanced–TDP ) OT

Our result:Implementing OT using any dense - TDP

{0,1}n

D

9 positive polynomial p s.t. |D| ¢ p(n) > 2n

Enhanced Vs. Dense

• Dense (property) might be considered as a more natural requirement

• Probably easier to verify

• Different approach

might lead to OT based on any TDP

Implementing OT using dense-TDP

Implementing OT using dense-checkable-TDP

checkable-TDP: The existence of domain sampler is not

guaranteed, but there is an efficient way to check whether a given element is inside a permutation domain or not.

OT based on dense-checkable-TDP

r0,r1

(,t) Ã I(1n) 1. s,r1-i 2R {0,1}n

2. if s or r1-i D go back to step 1

3. ri = f(s)

....

….

….

Sender (0 and 1) Receiver (i)

Correctness

Receiver’s privacy

Sender's privacy

Implementing OT using dense-t-checkable-TDP

t-checkable-TDP:

Like checkable-TDP, but the containment test requires the trapdoor.There exists an efficient algorithm A s.t.:A(,t,x) = 1 iff x2 D

OT based on dense-t-checkable-TDP (first try)

r0,r1

(,t) Ã I(1n)

Go

1.s,r1-i 2R {0,1}n

2. if s or r1-iD go back to step 1.

3. ri = f(s)

……

If s or r1-i Drestart

s,r1-i

i

Sender (0 and 1) Receiver (i)

OT based on dense t-checkable-TDP (second try)

(,t) Ã I(1n) 1. s,r1-i 2R {0,1}n

2. ri = f(s)

If r0 or r1 Drestart

For j = 0,1:

cj = j © b(f-1(rj))c0,c1

Output: ci ©b(s) (= i)

r0,r1 (rand.)

Reveal order

Sender (0 and 1) Receiver (i) f(s) ≡ F(,s)

{0,1}n

D

ri

{0,1}n

D

yf-1

f

sf(s) ≡ F(,s)

• The receiver might recover i incorrectly.

ci© b(s) = i © b(f-1(ri)) © b(s) i

• The sender might reveal i.ri might have different distribution than

r1-i

A weak OT based on dense t-checkable-TDP

(,t) Ã I(1n)1. s,r1-i 2R {0,1}n

2. ri = f(s)

r0,r1 (rand.)

If h(s) h(f-

1(ri))

Restart.

If r0 or r1 D

Restart h, h(f-1(r0)), h(f-1(r1))

Reveal order

…

h2R Hn - a collection of hash functions

Sender (0 and 1) Receiver (i)

w.h.p. s f-1(ri)

• w.h.p. Correctness

• w.h.p. Receiver’s privacy

• Sender's privacy is not compromised

For j = 0,1:

cj = j © b(f-1(rj)) …

Our solution:Increase the probability that (after revealing step)

s = f-1(ri)

A “very” weak OT based on any dense-TDP

{0,1}n

D’

D

Can extend any dense-TDP, such that it is still one-to-one and it is t-checkable.

D’ ≡ {x2 {0,1}n | F(,F-1(,t,x)) = x}

1. W.r.t. D’ we have containment test (the collection is t-checkable) x2 D’ iff F(,F-1(,t,x)) = x

2. But the exended f is only weakly one-way.

) Only noticeable Sender's privacy

A weak OT based on dense t-checkable-TDP

(,t) Ã I(1n)1. s,r1-i 2R {0,1}n

2. ri = f(s)

r0,r1 (rand.)

If h(s) h(f-

1(ri))

Restart.

If r0 or r1 D

Restart h, h(f-1(r0)), h(f-1(r1))

Reveal order

…

Sender (0 and 1) Receiver (i)

• w.h.p. Correctness

• w.h.p. Receiver’s privacy

• noticeable Sender's privacy

For j = 0,1:

cj = j © b(f-1(rj)) …

dense-TDP

Weak OT (all the requirements are weak)

Secret sharing (Yao’s XOR lemma)

Weak OT with strong Sender’s privacy

Repeating and using majority rule

Weak OT with strong Correctness and Sender’s privacy

OT

Crepeau and Kilian 88’

For k = 0,1:

k,1, …,k,m-1 2R{0,1}

k,t=

(©1 · j · m-1 k,j) ©k

Output: ©1 · j · m i,j

0,10,20,3…0,m

1,11,21,3…1,m

© ) 0

© ) 1

Sender (0 and 1) Receiver (i)

Further issues• OT based on any TDP?

Seems difficult, as Gertner, Kannan, Malkin, Reingold and Viswanathan 2000 showed that OT cannot be black-box reduced to collection of injective trapdoor one-way functions.

(most likely) OT cannot be black-box reduced to TDP

Acknowledgment:

Oded Goldreich