Two Round Oblivious Transfer from CDH or LPN
Eurocrypt 2020
Nico Döttling, Sanjam Garg, Mohammad Hajiabadi, Daniel Masny, Daniel Wichs
CISPA Helmholtz Center for Information Security, UC Berkeley, Visa Research, Northeastern University
Oblivious Transfer (OT)
Sender S holds $s_0, s_1 \in \{0,1\}^*$; Receiver R holds $c \in \{0,1\}$.
R sends the first message otr; S replies with ots; R learns $s_c$.
Security
◮ S does not learn $c$.
◮ R does not learn $s_{1-c}$.
Simulation based Security (for Sender S)
For any A, $\exists$ A' such that the following two views are computationally indistinguishable ($\approx_c$):
◮ Real: A sends otr and receives ots from $S(s_0, s_1)$.
◮ Ideal: A' extracts $c$ from otr, sends $c$ to the ideal OT functionality, receives $s_c$, and produces ots for A.
Security for Receiver R
Simulation based Security
◮ Same as for Sender.
◮ A' needs to extract $s_0, s_1$.
Indistinguishability based Security
◮ Weaker than simulation based.
◮ A malicious S cannot distinguish $R(0)$ from $R(1)$.
Our Results
Sim. Sender, Ind. Receiver Secure OT ($\widetilde{\mathrm{OT}}$) ⇒ Sim. Secure OT
◮ $\widetilde{\mathrm{OT}}$ ⇒ 2-round ZK
◮ $\widetilde{\mathrm{OT}}$ + 2-round ZK ⇒ Sim. Secure OT
CDH or LPN ⇒ $\widetilde{\mathrm{OT}}$
◮ Weaker OT security notions for the sender.
◮ CDH or LPN ⇒ weaker notions.
◮ Generic transformation from weaker notions to $\widetilde{\mathrm{OT}}$.
Summary: $\widetilde{\mathrm{OT}}$ from CDH
1. CDH or LPN ⇒ Elementary OT (eOT)
2. Elementary OT ⇒ Search OT (sOT)
3. Search OT ⇒ Indistinguishable OT (iOT)
4. Indistinguishable OT ⇒ $\widetilde{\mathrm{OT}}$
CDH ⇒ eOT ⇒ sOT ⇒ iOT ⇒ $\widetilde{\mathrm{OT}}$
Elementary OT: A sends otr; S outputs $(s_0, s_1)$ and replies with ots; A outputs $(y_0, y_1)$.
Elementary OT Security
$\Pr[(y_0, y_1) = (s_0, s_1)] \le \mathrm{negl}$
CDH ⇒ eOT ⇒ sOT ⇒ iOT ⇒ $\widetilde{\mathrm{OT}}$
Bellare, Micali [BM90]
CRS: $X = g^x$
Receiver R($c$): $r \leftarrow \mathbb{Z}_p$; $h_0 = g^r X^{-c}$; $h_1 = h_0 X$; otr $= h_0$.
Sender S: $s \leftarrow \mathbb{Z}_p$; $S = g^s$; ots $= S$; output $h_0^s, h_1^s$.
Receiver R: output $S^r$.
Correctness and Security
◮ $s_c = h_c^s = (h_0 X^c)^s = (g^r X^{-c} X^c)^s = S^r$
◮ $s_{1-c} = h_{1-c}^s = (h_0 X^{1-c})^s = X^{(1-2c)s} S^r$
◮ Computing both $s_0$ and $s_1$ gives $s_1 / s_0 = X^s = g^{xs}$, which solves CDH for the challenge $(X, S)$.
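As an added illustration (not code from the slides or the paper), the [BM90] exchange above run end to end in a toy group: the parameters $p = 1019$, $g = 4$ are constructed and far too small for real use, and the function names are hypothetical. The final check confirms the observation behind the reduction: the ratio of the sender's two output keys is $g^{xs}$, so a receiver that computed both would have solved CDH on $(X, S)$.

```python
import secrets

# Constructed toy parameters: safe prime p = 2q + 1 with q = 509 prime; g = 4
# generates the quadratic-residue subgroup of order q. Insecure, for illustration only.
P = 1019
Q = (P - 1) // 2
G = 4


def setup_crs():
    """CRS = X = g^x. The trapdoor x is discarded; whoever held it could extract c."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P)


def receiver_msg(X, c):
    """Receiver on choice bit c: r <- Z_q, h0 = g^r * X^{-c}; otr = h0 (keeps r)."""
    r = secrets.randbelow(Q - 1) + 1
    x_inv_c = pow(pow(X, c, P), -1, P)  # X^{-c}; equals 1 when c = 0
    h0 = pow(G, r, P) * x_inv_c % P
    return h0, r


def sender_msg(X, h0):
    """Sender: s <- Z_q, S = g^s; ots = S; outputs keys k0 = h0^s, k1 = (h0 X)^s."""
    s = secrets.randbelow(Q - 1) + 1
    S = pow(G, s, P)
    h1 = h0 * X % P
    return S, (pow(h0, s, P), pow(h1, s, P)), s


def receiver_output(S, r):
    """Receiver: h_c = g^r, so k_c = h_c^s = S^r."""
    return pow(S, r, P)


def run_ot(c):
    """One execution; returns (receiver recovered k_c, k1/k0 equals g^{xs})."""
    X = setup_crs()
    h0, r = receiver_msg(X, c)
    S, (k0, k1), s = sender_msg(X, h0)
    kc = receiver_output(S, r)
    # k_{1-c} = X^{(1-2c)s} * S^r, hence k1/k0 = X^s = g^{xs}: knowing both keys
    # would answer the CDH challenge (X, S). Verified here using the sender's s.
    cdh = (k1 * pow(k0, -1, P)) % P == pow(X, s, P)
    return kc == (k0, k1)[c], cdh


if __name__ == "__main__":
    print(run_ot(0), run_ot(1))
```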
CDH ⇒ eOT ⇒ sOT ⇒ iOT ⇒ $\widetilde{\mathrm{OT}}$
Search OT: $A_1 \to (st, otr)$; S outputs $(s_0, s_1)$ and replies with ots; $A_2(st, ots, w) \to y_w$.
Search OT Security
With $1 - \mathrm{negl}$ probability over $(st, otr)$, $\exists w \in \{0,1\}$ s.t. $\Pr_{ots}[A_2(st, ots, w) = s_w] \le \mathrm{negl}$.
Elementary OT ⇒ Search OT
$\Pr_{ots}[A_2(st, ots, w) = s_w] > 3/4$ (for both $w$) ⇒ $\Pr_{ots}[\forall w : A_2(st, ots, w) = s_w] > \mathrm{negl}$.
Solution: Amplify hardness (Canetti, Halevi, Steiner [CHS05]).
CDH ⇒ eOT ⇒ sOT ⇒ iOT ⇒ $\widetilde{\mathrm{OT}}$
Indistinguishable OT: $A_1 \to (st, otr, m_0, m_1)$; $S(otr, m_0, m_1) \to ots_0$; $S(otr, m_{1-w}, \text{uniform}) \to ots_1$ (i.e. $m_w$ replaced by a uniform string); $A_2(st, ots_b) \to b'$.
Indistinguishable OT Security
With $1 - \mathrm{negl}$ probability over $(st, otr)$, $\exists w \in \{0,1\}$ s.t. $\left|\Pr_{ots}[A_2(st, ots_0) = 1] - \Pr_{ots}[A_2(st, ots_1) = 1]\right| \le \mathrm{negl}$.
Search OT ⇒ Indistinguishable OT
Goldreich-Levin hardcore predicates [GL89], hybrid argument.
CDH ⇒ eOT ⇒ sOT ⇒ iOT ⇒ $\widetilde{\mathrm{OT}}$
CRS $= (\mathrm{CRS}_{iOT}, pk)$
Receiver R($c$): $ct = \mathrm{Enc}(pk, c; r)$; sends $ct$ and runs iOT as receiver with input $(c, r)$.
Sender S($m_0, m_1$): defines the circuit $C[ct, \mathrm{CRS}, m_0, m_1](c, r)$: if $ct = \mathrm{Enc}(pk, c; r)$ then output $m_c$, else output $\bot$. Computes $(\hat C, \{\ell\}) \leftarrow \mathrm{Garble}(C)$, sends $\hat C$, and transfers the input labels $\{\ell\}$ through iOT.
Receiver R: obtains the labels $\ell_{c,r}$ for its input from iOT and outputs $m_c = \hat C(\ell_{c,r})$.
Receiver Ind., Sender Sim. Security
◮ $ct$ and iOT do not leak $c$.
◮ Given $sk$, $c$ can be extracted.
◮ Can iOT and $\hat C$ be simulated without $m_{1-c}$?
Sender's Simulation based Security
Garbled Circuits; Yao [Yao82]
◮ $\{\ell\}$ and $\hat C$ leak $m_0$ and $m_1$.
◮ $\ell_{c,r}$ and $\hat C$ only leak $m_c$.
Solution: Use independent $\{\ell\} \setminus \ell_{c,r}$ for $\hat C$ and iOT.
Distinguisher Dependent Simulation; Jain, Kalai, Khurana, Rothblum [JKKR17]
◮ Indistinguishable OT: $\exists w \in \{0,1\}$ s.t. $\ell_w \approx_c$ uniform.
◮ We test run the adversary to learn $w \in \{0,1\}$.
◮ In the actual simulation, $w$ is consistent with good probability.
◮ We can replace $\ell_w \in \{\ell\} \setminus \ell_{c,r}$ with uniform.
Summary: Our Results, eprint.iacr.org/2019/414
1. CDH or LPN ⇒ Elementary OT
2. Elementary OT ⇒ Search OT (Hardness Amplification; Canetti, Halevi, Steiner [CHS05])
3. Search OT ⇒ Indistinguishable OT (Hardcore Predicates; Goldreich, Levin [GL89])
4. Indistinguishable OT ⇒ $\widetilde{\mathrm{OT}}$ (Distinguisher Dependent Simulation; Jain, Kalai, Khurana, Rothblum [JKKR17]; Garbled Circuits; Yao [Yao82])
5. $\widetilde{\mathrm{OT}}$ + 2-round ZK ⇒ Sim. Secure OT ($\widetilde{\mathrm{OT}}$ ⇒ 2-round ZK)