Oblivious Transfer based on the McEliece Assumptions Rafael Dowsley Jeroen van der Graaf Jörn...

Post on 15-Jan-2016

219 views 0 download

Tags:

Transcript of Oblivious Transfer based on the McEliece Assumptions Rafael Dowsley Jeroen van der Graaf Jörn...

Oblivious Transferbased on the

McEliece Assumptions

Rafael Dowsley Jeroen van der Graaf

Jörn Müller-Quade

Anderson C. A. Nascimento

University of Brasilia

Encryption DecryptionPlaintext Ciphertext Plaintext

Key Key

However, there are other (more challenging) tasks to be dealt with in cryptology…

Secure Multi (Two)-Party Computations.

They want to know if there exists mutual interest between them.

However, they do not want to reveal an uncorresponded love.

F(X,Y)= X AND Y

X AND Y=1 I love you

X AND Y=0 Get away!

The players must learn the answer but should get no extra knowledge on each other’s input, besides what can be computed from his/her input and the output itself.

The Millionaires Problem

Two millionaires want to know who is the richest one between them.

However, they are not willing to reveal the amount of their wealth.

Secure Two Party Computations

Bob

X Y

F(X,Y)

Alice should know nothing about F(X,Y) besides what can be computed from X.

Bob should know nothing about X besides what can be computed from F(X,Y)

If both players are honest Bob should receive F(X,Y)

Alice

An Ideal Protocol

Bob

Trusted Third Party

XY

F(X,Y)F(X,Y)

Security and Adversarial Models

• A protocol is secure if anything an adversary obtains in the real protocol can also be obtained in the ideal model.

• Honest-but-Curious Adversary: Follows the protocol, but otherwise tries to obtain as much information on the other player input as possible

• Malicious: Can deviate from the protocol in an arbitrary way (spit on your face, stick a finger in your eye, etc.)

Oblivious Transfer

b0, b1 c

bc

Joe Kilian: Founding Cryptography on Oblivious Transfer. STOC 88: 20-31

Oblivious Transfer

b0,b1 c

bcc bc

Oblivious Transfer

b0,b1 c

bc

Oblivious Transfer is an important primitive, butno quantum resistant implementation is known.

Oblivious Transfer

b0,b1 c

bc

Oblivious Transfer is an important primitive, butno quantum resistant implementation is known

Here we give an oblivious transfer protocol basedon assumptions from coding theory, which is

computationally secure for Alice andfor Bob.

Here we give an oblivious transfer protocol basedon assumptions from coding theory, which is

computationally secure for Alice andfor Bob.

Relationship to PKC

• OT and PKC do not imply each other in general.

McEliece

Error Correcting Codes

m mc c‘

Random linear codes are good, but difficult to decode.

McEliece

Error Correcting Codes

m mc c‘

Random linear codes are good, but difficult to decode.

NP compete

McEliece

Error Correcting Codes

m mc c‘

Random linear codes are good, but difficult to decode.

McEliece turned this into a public key scheme McEliece turned this into a public key scheme

Goppa Codes

Goppa codes are algebraic geometry codes with gooderror correction properties.

Scrambled Goppa Codes

G SP

G‘ looks like a generator matrix of a random code

= G‘. .

The McEliece Cryptosystem

Secret key:

Public key:

GS

P

G‘

, ,

The McEliece Cryptosystem

Encrypt:

Decrypt:

S-1P-1

G‘ . + e = c

c .

m

=m

errorcorrectionprocedure

random error vectorwith t errors

The McEliece Assumptions

• A scrambled Goppa code matrix is indistiguishable from a random matrix

• Decoding a random linear code is hard on average

We will turn this into an oblivious transfer scheme We will turn this into an oblivious transfer scheme

Two Steps

• Semi-honest adversary

• Active adversary

To later cope with the active adversary we need a commitment scheme from the McEliece assumption.

Secure commitment schemes give us zero knowledge proofs!

Alice puts a bit bin a strong box

b

Alice gives this box to Bob. She cannot change b

Later Alice can unveil b to Bob

b

Bit Commitment

A commitment scheme is said to be secure if it is binding, concealing and correct:

•Binding: the probability that Alice can successfully open two different commitments is negligible.

•Concealing: Bob gets at most negligible information on the information Alice commits to before the opening phase.

•Correct: The probability that honest Alice fails to open a commitment is negligible in a security parameter n.

Commitments from McElieceSimple:

Commit = encryptUnveil = reveal the error vector e

Commitments from McElieceSimple:

To achieve information theoretic security for Bobwe need a statistically hiding commitment.

Commit = encryptUnveil = reveal the error vector e

Commitments from McElieceSimple:

To achieve information theoretic security for Bobwe need a statistically hiding commitment.

The McEliece cryptosystem yields a one-way-function andstatistically hiding commitments can be obtained from any one-way-function [Haitner/Reingold STOC07]

The McEliece cryptosystem yields a one-way-function andstatistically hiding commitments can be obtained from any one-way-function [Haitner/Reingold STOC07]

Commit = encryptUnveil = reveal the error vector e

The protocol for semi honest adversary

Random matrix Q Q

The protocol for semi honest adversary

Random matrix Q Q

McEliecematrix GG, GQ

The protocol for semi honest adversary

Random matrix Q Q

McEliecematrix GG, GQ

Order depends on choice

The protocol for semi honest adversary

Random matrix Q Q

McEliecematrix GG, GQ

Encryptsm0, m1 c0, c1

The protocol for semi honest adversary

Random matrix Q Q

McEliecematrix GG, GQ

Encryptsm0, m1 c0, c1

can decryptonly one

An Active Attack

Given Q can one find P and P‘ with Q = PP‘such that both have reasonableerror correcting properties?

We could not exclude this...

Bob could be able to obtain both...

An Actively Secure Protocol

• We perform the protocol twice (with random inputs): Bob commits to G, and in one of the protocols Alice will ask Bob to unveil and check if he cheated.

• The cheating probability for Bob is 50%, but this can be made arbitrarily small by repetition...

• More efficient than Goldreich‘s compiler.

Interactive Hashing

• We want Bob to send two matrices to Alice one he can decode efficiently and one which is random.

• Interactive hashing could yield a more efficient solution...

• We have a different reduction to a protocol secure against active cheaters based on BR Commitments (a generalized version).

• Yields committed oblivious transfer!

Conclusions

• OT based on McElice Cryptosystem

• Secure against quantum computers (?)

• Maybe an application for interactive hashing.