Achieving Oblivious Transfer Capacity of Generalized Erasure Channels in the Malicious Model

5566 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 57, NO. 8, AUGUST 2011

Achieving Oblivious Transfer Capacity ofGeneralized Erasure Channels in the Malicious Model

Adriana C. B. Pinto, Rafael Dowsley, Kirill Morozov, and Anderson C. A. Nascimento

Abstract—Information-theoretically secure string oblivioustransfer (OT) can be constructed based on discrete memorylesschannel (DMC). The oblivious transfer capacity of a channel char-acterizes—similarly to the (standard) information capacity—howefficiently it can be exploited for secure oblivious transfer ofstrings. The OT capacity of a generalized erasure channel(GEC)—which is a combination of a (general) DMC with theerasure channel—has been established by Ahlswede and Csizarat ISIT’07 in the case of passive adversaries. In this paper, wepresent the protocol that achieves this capacity against maliciousadversaries for GEC with erasure probability at least 1/2. Ourconstruction is based on the protocol of Crépeau and Savvidesfrom Eurocrypt’06 which uses interactive hashing (IH). We solvean open question posed by the above paper, by basing it upon aconstant round IH scheme (previously proposed by Ding et al. atTCC’04). As a side result, we show that the Ding et al. IH protocolcan deal with transmission errors.

Index Terms—Generalized erasure channel, information-the-oretic security, interactive hashing, oblivious transfer, oblivioustransfer capacity.

I. INTRODUCTION

O BLIVIOUS transfer (OT) is one of the central crypto-graphic primitives, since it implies secure two-party (and

multiparty) computation [12], [19], [24]. It was initially pro-posed in different flavors by Wiesner [33] and Rabin [29], butboth flavors were later shown to be equivalent by Crépeau [9]. Inthis work, we will consider the one-out-of-two string oblivioustransfer, string-OT, in which Alice transmits two input strings

and Bob uses a choice bit to choose thestring that he will receive. This protocol ensures that a dis-honest Alice cannot learn , while a dishonest Bob cannot learnboth and .

Manuscript received November 23, 2009; revised October 05, 2010; acceptedNovember 30, 2010. Date of current version July 29, 2011.

A. C. B. Pinto and A. C. A. Nascimento are with the Department ofElectrical Engineering, University of Brasilia Campus Universitário DarcyRibeiro, Brasília, CEP: 70910-900, Brazil (e-mail: [email protected],[email protected]).

R. Dowsley was with the Department of Electrical Engineering, Universityof Brasilia, Brasília, CEP: 70910-900, Brazil. He is now with the ComputerScience and Engineering Department, University of California at San Diego(UCSD), La Jolla, CA 92093 USA (e-mail: [email protected]).

K. Morozov was with the Research Center for Information Security, NationalInstitute of Advanced Industrial Science and Technology (AIST), Japan. He isnow with the Faculty of Mathematics, Kyushu University, Fukuoka 819-0395,Japan (e-mail: [email protected]).

Communicated by K. M. Martin, Associate Editor for Complexity and Cryp-tography.

Digital Object Identifier 10.1109/TIT.2011.2158898

The potential of noisy channels for implementing informa-tion-theoretically secure cryptographic protocols was first notedby the pioneering work of Wyner [34], with respect to secret keyagreement. Crépeau and Kilian proved that noisy channels canbe used to implement oblivious transfer [11]. This result waslater improved in [10], [13], [25], [26], and [32].

The question of determining the optimal rate at which obliv-ious transfer can be implemented using a noisy channel (i.e., theoblivious transfer capacity of the channel) was raised by Nasci-mento and Winter in [26]. They also characterized the noise re-sources that provide strictly positive oblivious transfer capacity.Imai et al. [21] obtained the oblivious transfer capacity of theerasure channels. Ahlswede and Csiszár [1] proved new boundson those capacities and also obtained the oblivious transfer ca-pacity of the generalized erasure channels (GECs) in the passiveadversary model (where the players always follow the protocol).The related notion of commitment capacity was proposed byImai et al. in [22].

Our Contribution: In this paper, we show that the ratesachieved in [1] against passive players can actually be achievedeven against malicious ones (i.e., those that can arbitrarily de-viate from the protocol). As the upper bounds proved in [1] forthe case of passive players still hold against active ones, we thusestablish the oblivious transfer capacity of the generalized era-sure channels [1] in the malicious adversary model. Moreover,we prove security of our protocols using definitions by Crépeauand Wullschleger [15], which are known to imply sequentialcomposability.

The main tool for obtaining our results is interactive hashing(IH), originally introduced by Ostrovsky et al. [28]. Our solutionis based on the protocol proposed by Savvides [31] (buildingon the results of [14]) for oblivious transfer from erasure chan-nels that employs information-theoretic interactive hashing [5]as a subprotocol. However, instead of directly adapting Sav-vides’ solution to our scenario, we show that it is possible touse the constant round interactive hashing protocol by Ding etal. [17]. Hereby, we obtain the constant round oblivious transferprotocol, thus answering an open question posed by [31].

Outline of the Paper: The paper is organized as follows: InSection II, we establish our notation, provide some facts that weuse in the remaining part of this paper and introduce the constantround interactive hashing protocol that we used. In Section III,we present definitions of the generalized erasure channel andoblivious transfer security. We also state our main result aboutthe oblivious transfer capacity of those channels. Finally, inSection IV, we present our protocol, its security proof and showthat it achieves the oblivious transfer capacity.

0018-9448/$26.00 © 2011 IEEE

PINTO et al.: ACHIEVING OBLIVIOUS TRANSFER CAPACITY OF GENERALIZED ERASURE CHANNELS IN THE MALICIOUS MODEL 5567

II. PRELIMINARIES

A. Notation

We will denote by calligraphic letters the domains ofrandom variables and other sets, by the cardinality ofa set , by upper case letters the random variables and bylower case letters one realization of the random variable.For a random variable over , we denote its probabilitydistribution by with . Fora joint probability distribution , let

denote the marginal probability

distribution and let denote the condi-tional probability distribution if . We writefor a random variable uniformly distributed over .

If and are two bit strings of the same dimension, we denoteby their bitwise XOR. The logarithms used in this paperare in base 2. The entropy of is denoted by and themutual information between and by . We write

for and for the set of all subsets ,where . For and , wewrite for the restriction of to the positions in the subset

. Similarly for a set , is the subset of consisting of theelements determined by .

B. Strong Extractors and Leftover-Hash Lemma

The statistical distance between two probability distributionsand over the same domain is

For a finite alphabet , the min-entropy of a random variableis defined as

Its conditional version, defined over with finite alphabet is

We define now the notion of strong randomness extractors[18], [27]. Let denote a vector uniformly chosen from

.

Definition 1 (Strong Randomness Extractors): Letbe a probabilistic poly-

nomial time function which uses bits of randomness. We saythat is an efficient —strong extractor if for allprobability distributions with and such that

, we have that .Strong extractors can extract at most

bits of nearly random bits [30] and this optimal bound isachieved by universal hash function [6] that we define below.

Definition 2 (Universal Hash Function): A class of func-tions is 2-universal if, for any distinct ,the probability that is at most whenis chosen uniformly at random from .

The leftover-hash lemma (similarly the privacy-amplificationlemma) [3], [4], [18], [20], [23] guarantees that the universalhash functions allow us to extract bits.

Lemma 1 (Leftover-Hash Lemma): Assume that a classof functions is 2-universal. Then forselected uniformly at random from we have that

In particular, universal hash functions are —strongextractor when .

C. Encoding Scheme of Subsets

Cover showed [8] that there is an efficiently computableone to one mapping for every integer .Hence, we can encode the set in bit strings of length

(see [5, Sec. 3.1] for more details). Neverthe-less, the strings that represent valid encodings may constituteonly slightly more than a half of all strings. We use here themodified encoding of [31, Sec. 4.2.1] in which each string

encodes the same subset as , which isalways a valid encoding in the original scheme [5].

Consider a subset of encoded by strings in , ac-cording to the above scheme. Since each subset correspond toeither 1 or 2 strings in , this scheme can at most doublethe fraction of the strings that map to the subset of interest. Thisfact is formalized and proved in [31, Lemma 4.1].

D. Interactive Hashing

Interactive hashing [28] is a cryptographic primitive betweentwo players, the sender (Bob) and the receiver (Alice). It takesas input a string from Bob, and produces as outputtwo -bit strings, one of which is and the other is .Let the two output strings be and , according to lexico-graphic order. There exists a such that . Theoutput strings are available to both Bob and Alice. Interactivehashing has, briefly and informally, the following properties: a)The cheating Alice cannot tell which of was Bob’s input(as long as and are a priori equally likely to be the input),and b) at least one of is effectively beyond the controlof the cheating Bob. We will focus on the information-theoreticvariant of IH, which originates from [5].

Definition 3 (Security of Interactive Hashing ): An interac-tive hashing protocol is secure for Bob if for every unboundedstrategy of Alice ( ), and every , if , are the outputsof the protocol between an honest Bob with input and

, then the distributions View

and View are identical, whereView is Alice’s view of the protocol when Bob’sinput is . An interactive hashing protocol is ( )-secure forAlice if for every of size at most and everyunbounded strategy of Bob ( ), if , are the outputs ofthe protocol, then


where the probability is taken over the coin tosses of Alice andBob. An interactive hashing protocol is ( )-secure if it is se-cure for Bob and ( )-secure for Alice.

Let be such that . If the distribution ofthe string over the randomness of the two parties is -closeto uniform on all strings not equal to , then the protocol iscalled -uniform interactive hashing.

Constant Round Interactive Hashing: We present the con-stant round IH protocol of [17, Sec. 5.4]. One of the principaltools used in this protocol is -almost -wise independent per-mutation. Let be a -wise independent permutation, then when

is applied in any points in , behaves as a trulyrandom permutation. In an -almost -wise independent permu-tations , the distribution on any points has statistical distanceat most to the distribution induced on these points by a trulyrandom permutation. A 2-wise independent permutation can bebuilt choosing , (the strings areidentified with the field ) and defining the permutationby (see, e.g., [17, Sec. 5.2] for a survey).

Another tool used in this protocol is the 2–1 hash function.Let : be a 2-1 hash function. Then, foreach output of there are exactly 2 preimages. Notice that toconstruct a 2-wise independent 2–1 hash function, one can takea 2-wise independent function and omit the last bit of its output.

Let the set have size . Note that wethink of as a subset whose strings have some particular prop-erty and the sender’s input to IH is . Then, theparameters of the protocol are and , also we set and

, where . The protocol uses the fol-lowing tools:

• A family of -almost -wise independent permutations: ;

• A family of 2-wise independent 2-1 hash functions :;

• A family (induced by and ) of 2-1 hash functions :defined as

where denotes the bit of .Let Bob be the sender and Alice be the receiver. Bob has the

input .

Protocol 1:1) Alice chooses and sends the description of to

Bob.2) Bob computes , where is the bit of

, and sends the bits to Alice.3) Alice chooses and sends the description of to

Bob.4) Bob computes and sends to Alice.5) Both compute and output such that

.It has been shown in [17, Sec. 5.4] that for all

such that , the above protocol is a-secure -uniform interactive hashing

protocol for .

III. OBLIVIOUS TRANSFER PROTOCOLS

In the so-called one-out-of-two string oblivious transfer(String OT), Alice inputs two strings and Bobinputs a bit called the choice bit. Bob receives and remainsignorant about , while Alice remains ignorant about Bob’schoice. In this work, we assume that the inputs are uniformlyrandom. It can be done without loss of generality due to the(very efficient) randomized self-reduction of OT [2, Sec. 3.2].

We assume a malicious (a.k.a. active) adversary that can havean arbitrary behavior. The players are connected by a noiselesschannel and by a generalized erasure channel [1] (which, looselyspeaking, is a combination of a discrete memoryless channel andthe erasure channel).

Definition 4 (Generalized Erasure Channel [1]): A discretememoryless channel will be called the gener-alized erasure channel if the output alphabet can be decom-posed as such that does not depend on ,if . For a GEC, we denote ,

, , where is the sum of for (notdepending on ).

We will use the security definition of String OT from [15].In particular, this definition implies that the String OT protocol,which satisfies it, is sequentially composable. The following no-tions and the theorem come from [15]. The statistical informa-tion of and given is defined as

A -hybrid protocol consists of a pair of algorithmsthat can interact by means of two-way message ex-

change and have access to some functionality . A pair of al-gorithms is admissible for protocol if at leastone of the parties is honest, that is, if at least one of the equali-ties and is true. Let denote .

Theorem 1: A protocol securely realizes String OT (forstrings of dimension ) with an error of at most if for everyadmissible pair of algorithms for protocol andfor all inputs , produces outputs such that thefollowing conditions are satisfied:

• (Correctness) If both parties are honest, then and.

• (Security for Alice) If Alice is honest, then we haveand there exists a random variable distributed

according to , such that and.

• (Security for Bob) If Bob is honest, we haveand .

The protocol is secure if is negligible in the security parameter.If the GEC is used times, the oblivious transfer rate of the

protocol is given by .The oblivious transfer capacity [26] is the supremum of the

achievable rates when the protocol is secure. In this work, weconsidered the oblivious transfer capacity of the generalized era-sure channel when the adversaries are malicious.

Theorem 2: For a generalized erasure channel with ,the oblivious transfer capacity in the case of malicious adver-


saries is where is the Shannon capacityof the discrete memoryless channel .

In the next section, we prove the direct part. The conversefollows from the fact that is not possible to achieve greater obliv-ious transfer rates even when only passive adversaries are con-sidered [1].

IV. STRING OT PROTOCOL BASED ON GEC

Now, we present our protocol for string oblivious transferfrom generalized erasure channel. It is based on the protocolfor String OT from the erasure channel [31, Protocol 5.1].

Protocol 2:1) Alice and Bob select a (typically very small) positive con-

stant and set .2) Alice randomly chooses according to the probability

distribution that achieves the Shannon capacity of andsends to Bob through the GEC.

3) Bob receives the string and collects the good (those cor-responding to ) and the bad (those corresponding to

) positions in sets and , respectively. He abortsif .

4) Bob chooses and , where. He decodes into a subset of car-

dinality (out of ) using the encoding scheme ofSection II-C. Bob then defines two disjoint sets and

of cardinality . consists only of positions from, chosen randomly and without repetition. has po-

sitions from (defining the subset ) and the remainingpositions are chosen from , randomly and without rep-etition. Bob sends the descriptions of and to Alice.

5) Alice checks that no position is repeated in the sets and, otherwise she aborts.

6) Bob sends to Alice using interactive hashing (Protocol1). Let be the output strings, let , be the cor-responding subsets of cardinality and let besuch that .

7) Bob announces as well as and .8) Alice checks if and are jointly typical for

a discrete memoryless channel (see theappendix) with her input on these positions. If they are notjointly typical, Alice aborts.

9) Alice chooses randomly 2-universal hash functions(with

such that the output length is integer). She computesand . She also randomly chooses 2-uni-

versal hash functions , whereand

such that the output length is integer. She sends, and the descriptions of , , , to

Bob. Alice outputs and .10) Bob computes all possible that are jointly typical with

and satisfy . If there exists exactlyone such , Bob outputs . Otherwise, heoutputs .

Remark 1: Since in Step 10 Bob uses the output of universalhash functions to correct errors, the above protocol is not com-putationally efficient. However, this suffices for our result as weonly claim possibility of achieving the OT capacity.

Theorem 3: The above string oblivious transfer protocol issecure.

Correctness: When Alice and Bob are honest, Bob doesnot obtain the correct output either if he aborts in Step 3, or ifhe does not obtain exactly in Step 10. By the Cher-noff bound [7], the probability that Bob aborts in Step 3 is anegligible function of . Bob does not obtain exactly

either if is not jointly typical with (which ac-cording to the definition of joint typicality occurs only withprobability negligible in ), or if there exists another thatis both jointly typical with and has .However, the number of that are jointly typical with isupper bounded by (for and suf-ficiently large), so the leftover-hash lemma guarantees that for

sufficiently large with overwhelming probability the output ofon these is not equal to . As all the failure prob-

abilities are negligible in , the protocol meets the correctnessrequirement.

Security for Bob: Since in GEC, every input symbol iserased (i.e., ends up in ) with probability independentof , Alice does not know which input symbols were erased.Hence, the distribution of is independent of fromAlice’s point of view. Another point where Bob uses to gen-erate messages to Alice is in Step 7. Upon receiving , Alicecan correctly guess if and only if she can correctly guess ,but the security of interactive hashing protocol guarantees thatthe view of Alice is the same for and , except withnegligible probability. Remember that Alice’s views in the IHprotocol are identical. Also, the IH protocol is uni-form, as mentioned in Section II-D. However, is negligible,since , that follows by applying Stir-ling’s approximation. This implies that the probability thatis nonuniform in (and hence the probability thatAlice’s views are not identical) is negligible.

Finally, note that no matter what the malicious Alice actuallysends in Step 9, Bob will not abort. In particular, this preventsreaction attacks. Therefore, the distribution of Alice’s view ofthe protocol does not depend on with overwhelming proba-bility.

Security for Alice: Our proof follows the lines of Savvides’proof [31, Sec. 5.1]. We first present some definitions.

Definition 5: Let be the number of positions containedin such that the corresponding output at this position was anerasure.

Definition 6: is called good for if ,otherwise it is called bad for .

There are two cases to consider: i) both and aregreater than or equal to ; ii) either or is lessthan . We will prove the security for Alice in each case. Forthe first case we need the following two lemmas from [31, Sec.5.1] which follow from the Chernoff bound, the union boundand the properties of the encoding scheme used.


Lemma 2: Let be a set of cardinality such that. Then the fraction of subsets of cardinality that are

good for satisfies .

Lemma 3: Let be sets of cardinality such thatand . Then the fraction of strings

that decode to subsets that are good for either or isno larger than .

Since the fraction of the strings that are goodfor either or is no larger than , we can setthe security parameter of the interactive hashing protocol to

. Therefore, we have thatand so, by the

security of the interactive hashing protocol, the probability thatBob gets both and to be good for either or is anegligible function of . Then, with overwhelming probability,one of the sets (w.l.o.g. ) will have .

We know by Lemma 4 (in the appendix), that if two longstrings are not jointly typical at a randomly chosen (according toa uniform distribution) linear fraction of positions, this impliesthe non-joint-typicality of these long strings. Therefore, Bobsucceeds in the test of Step 8 (i.e., finds jointly typicalwith Alice’s input) only if he correctly guesses ’s values forthe bad positions that are jointly typical with Alice’s input. For

sufficiently large, there are at most () sequences of ’s values that are jointly typical with Alice’s

input, and there are at least typical sequencesfor the ’s values, so the probability that Bob succeeds in the testis less thanwhich is a negligible function of . As all the possibilities of Bobcheating successfully in the protocol occur only with negligibleprobability, the protocol is secure for Alice in the case that both

and are at least .We now analyze the security if either or is less

than (w.l.o.g. we assume that ). By the Cher-noff bound, we have that with overwhelmingprobability. Since only positions were not used in

, then andso . Since more than

positions from are erasures and Alice only sendsbits of information about in Step

9, we have that View, where View denotes all the infor-

mation that Bob knows. So the property of the 2-universal hashfunction for extracting

bits of information (with ) follows from theleftover-hash lemma. Therefore, Bob has only negligible infor-mation about , and the security follows for the case that either

or is less than .

A. Achieving the Oblivious Transfer Capacity

For sufficiently large, , and can be made arbitrarilysmall without compromising the security of the protocol. So thelimit of strings lengths can go to

that is equal to since the probability distri-bution of in the protocol is the one that achieves the Shannoncapacity of the channel . So the limit of oblivious transfer

rate can go to for sufficiently large, thusproving the direct part of the theorem 2.

APPENDIX

TYPICAL SEQUENCES

The following definitions follow largely the book of Csiszárand Körner [16].

Definition 7: For a probability distribution on andthe -typical sequences form the set

with the number denoting the number of symbols inthe string .

The type of is the probability distribution. Then, .

Properties 1:1) ;

2) ;

3) ;

with the constant . See [16] formore details.

Extending this concept to the conditional -typical sequences,we have:

Definition 8: Consider a channel and an inputstring . For , the conditional -typical sequencesform the set

where are the sets of positions in the string where .Properties 2:

1) ;

2) ;3)

;

with the constant and theconditional entropy . See [16] formore details.

It is a well know fact that if and are conditional -typ-ical according the definition 8, then

We now prove the following lemma:Lemma 4: Let be a discrete memoryless

channel and , be the input and outputstrings of this channel. Let be a random subset of suchthat , . Let and be the restrictions of

and to the positions in the set . If and are condi-tional -typical, then and are conditional -typical forany and large enough.


Proof: By hypothesis and are conditional -typical,so for every symbols and we have that

for a large enough .Given the conditional -typical strings and , the proba-

bility of selecting one pair with the specific values and forthe substrings and is . We have that

Therefore, by the Chernoff bound [7], for large enough withoverwhelming probability the number of pairs of and in thesubstrings and , , is limited by

for any . Making we have that the substringsand are conditional -typical.

ACKNOWLEDGMENT

We would like to thank George Savvides and the anonymousreviewers for their helpful comments.

REFERENCES

[1] R. Ahlswede and I. Csiszár, “On oblivious transfer capacity,” in Proc.ISIT 2007, pp. 2061–2064.

[2] D. Beaver, “Precomputing oblivious transfer,” in Proc. CRYPTO, D.Coppersmith, Ed., 1995, vol. 963, Lecture Notes in Computer Science,pp. 97–109.

[3] C. H. Bennett, G. Brassard, C. Crépeau, and U. M. Maurer, “General-ized privacy amplification,” IEEE Trans. Inf. Theory, vol. 41, no. 6, pp.1915–1923, Nov. 1995.

[4] C. H. Bennett, G. Brassard, and J. Robert, “Privacy amplification bypublic discussion,” SIAM J. Comput., vol. 17, no. 2, pp. 210–229, 1988.

[5] C. Cachin, C. Crépeau, and J. Marcil, “Oblivious transfer with amemory-bounded receiver,” in Proc. 39th IEEE Annu. Symp. Found.Comput. Sci., 1998, pp. 493–502.

[6] J. L. Carter and M. N. Wegman, “Universal classes of hash functions,”J. Comput. Syst. Sci., vol. 18, pp. 143–154, 1979.

[7] H. Chernoff, “A measure of asymptotic efficiency for tests of a hypoth-esis based on the sum of observations,” Ann. Math. Statistics, vol. 23,pp. 493–507, 1952.

[8] T. M. Cover, “Enumerative source encoding,” IEEE Trans. Inf. Theory,vol. IT-19, no. 1, pp. 73–77, Jan. 1975.

[9] C. Crépeau, “Equivalence between two flavours of oblivious transfers,”in Proc. CRYPTO ’87, vol. 293, Lecture Notes in Computer Science,pp. 350–354.

[10] C. Crépeau, “Efficient cryptographic protocols based on noisy chan-nels,” in Proc. EUROCRYPT 1997, pp. 306–317.

[11] C. Crépeau and J. Kilian, “Achieving oblivious transfer using weak-ened security assumptions (extended abstract),” in Proc. FOCS 1988,pp. 42–52.

[12] C. Crépeau and J. van de Graaf, “A. tapp. Committed oblivioustransfer and private multi-party computation,” in Proc. CRYPTO 1995,pp. 110–123.

[13] C. Crépeau and K. Morozov, “S. wolf. Efficient unconditional obliv-ious transfer from almost any noisy channel,” in Proc. SCN 2004, vol.3352, Lecture Notes in Computer Science, pp. 47–59.

[14] C. Crépeau and G. Savvides, “Optimal reductions between oblivioustransfers using interactive hashing,” in Proc. EUROCRYPT 2006, vol.4004, Lecture Notes in Computer Science, pp. 201–221.

[15] C. Crépeau and J. Wullschleger, “Statistical security conditions fortwo-party secure function evaluation,” in Proc. ICITS 2008, vol. 5155,Lecture Notes in Computer Science, pp. 86–99.

[16] I. Csiszár and J. Körner, Information Theory: Coding Theorems forDiscrete Memoryless Channels. New York: Academic, 1981.

[17] Y. Z. Ding, D. Harnik, A. Rosen, and R. Shaltiel, “Constant-roundoblivious transfer in the bounded storage model,” J. Cryptology, vol.20, pp. 165–202, 2007.

[18] Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith, “Fuzzy extractors:How to generate strong keys from biometrics and other noisy data,”SIAM J. Comput., vol. 38, no. 1, pp. 97–139, 2008.

[19] O. Goldreich, S. Micali, and A. Wigderson, “How to play any mentalgame, or: A completeness theorem for protocols with honest majority,”in Proc. 19th ACM STOC, 1997, pp. 20–31.

[20] J. Håstad, R. Impagliazzo, L. A. Levin, and M. Luby, “A pseudorandomgenerator from any one-way function,” SIAM J. Comput., vol. 28, no.4, pp. 1364–1396, 1999.

[21] H. Imai, K. Morozov, and A. C. A. Nascimento, “On the oblivioustransfer capacity of the erasure channel,” in Proc. 2006 IEEE Int. Symp.Inf. Theory, pp. 1428–1431.

[22] H. Imai, A. C. A. Nascimento, and A. Winter, “Commitment capacityof discrete memoryless channels,” in Proc. IMA Int. Conf. 2003, pp.35–51.

[23] R. Impagliazzo, L. A. Levin, and M. Luby, “Pseudo-random generationfrom one-way functions (extended abstracts),” in Proc. STOC 1989, pp.12–24.

[24] J. Kilian, “Founding cryptography on oblivious transfer,” in Proc.STOC 1988, pp. 20–31.

[25] V. Korjik and K. Morozov, “Generalized oblivious transfer protocolsbased on noisy channels,” in Proc. MMM ACNS 2001, vol. 2052, Lec-ture Notes in Computer Science, pp. 219–229.

[26] A. C. A. Nascimento and A. Winter, “On the oblivious-transfer ca-pacity of noisy resources,” IEEE Trans. Inf. Theory, vol. 54, no. 6, pp.2572–2581, Jun. 2008.

[27] N. Nisan and D. Zuckerman, “Randomness is linear in space,” J.Comput. Syst. Sci., vol. 52, no. 1, pp. 43–53, 1996.

[28] R. Ostrovsky, R. Venkatesan, and M. Yung, “Fair games against anall-powerful adversary,” in AMS DIMACS Series in Discrete Math-ematics and Theoretical Computer Science. Providence, RI: Amer.Math. Soc., 1993, pp. 155–169.

[29] M. O. Rabin, “How to exchange secrets by oblivious transfer,” AikenComputation Laboratory, Harvard Univ., Tech. Rep. TR-81, 1981, .

[30] J. Radhakrishnan and A. Ta-Shma, “Bounds for dispersers, extractors,and depthtwo superconcentrators,” SIAM J. Discrete Math., vol. 13, no.1, pp. 2–24, 2000.

[31] G. Savvides, “Interactive hashing and reductions between oblivioustransfer variants,” Ph.D. dissertation, School of Computer Science,McGill Univ., Montreal, QC, Canada, 2007.

[32] D. Stebila and S. Wolf, “Efficient oblivious transfer from any non-trivial binary-symmetric channel,” in Proc. IEEE Int. Symp. Inf. Theory(ISIT), Lausanne, Switzerland, Jun./Jul. 2002, p. 293.

[33] S. Wiesner, “Conjugate coding,” ACM SIGACT News, vol. 15, no. 1,pp. 78–88, 1983.

[34] A. Wyner, “The wire-tap channel,” Bell Syst. Tech. J., vol. 54, pp.1355–1387, 1975.

Authors’ photographs and biographies not available at the time of publication.

Achieving Oblivious Transfer Capacity of Generalized Erasure Channels in the Malicious Model

Documents

Transcript of Achieving Oblivious Transfer Capacity of Generalized Erasure Channels in the Malicious Model