Cryptography with One-Way Communication
Abstract
There is a large body of work on using noisy communication channels for realizing different cryptographic tasks. In particular, it is known that secure message transmission can be achieved unconditionally using only one-way communication from the sender to the receiver. In contrast, known solutions for more general secure computation tasks inherently require interaction, even when the entire input originates from the sender.
We initiate a general study of cryptographic protocols over noisy channels in a setting where only one party speaks. In this setting, we show that the landscape of what a channel is useful for is much richer. Concretely, we obtain the following results.

Relationships Between Channels. The binary erasure channel (BEC) and the binary symmetric channel (BSC), which are known to be securely reducible to each other in the interactive setting, turn out to be qualitatively different in the setting of one-way communication. In particular, a BEC cannot be implemented from a BSC, and while the erasure probability of a BEC can be manipulated in both directions, the crossover probability of a BSC can only be manipulated in one direction.

Zero-Knowledge Proofs and Secure Computation of Deterministic Functions. One-way communication over BEC or BSC is sufficient for securely realizing any deterministic (possibly reactive) functionality which takes its inputs from a sender and delivers its outputs to a receiver. This provides the first truly non-interactive solutions to the problem of zero-knowledge proofs.

Secure Computation of Randomized Functions. One-way communication over BEC or BSC cannot be used for realizing general randomized functionalities which take input from a sender and deliver output to a receiver. On the other hand, one-way communication over other natural channels, such as bursty erasure channels, can be used to realize such functionalities. Protocols of this type can be used for distributing certified cryptographic keys without revealing the keys to the certification authority.
Keywords
Random Oracle, Oblivious Transfer, Binary Symmetric Channel, Erasure Channel, Erasure Probability
1 Introduction
The seminal work of Wyner [Wyn75] demonstrated the usefulness of noise for secure communication. Since then, there has been a large body of work on basing various cryptographic primitives, such as key agreement and commitment [BBCM95, BBR88, Mau91, DKS99, WNI03, Wul09, RTWW11], on different types of noisy communication channels.
In 1988, Crépeau and Kilian [CK88] showed that noise in a communication channel can be used to realize essentially everything a cryptographer could wish for. In particular, they showed that any nontrivial binary symmetric channel (BSC) can be used to realize oblivious transfer (OT), which is sufficient for realizing two-party secure computation. (More efficient constructions were later considered in [KM01, SW02, IKO+11b].) Finally, Crépeau, Morozov and Wolf [CMW04] generalized these results to arbitrary discrete memoryless channels. Other results towards characterizing the types of channels on which OT can be based appeared in [Kil88, DKS99, DFMS04, Wul07, Wul09].
Following the work of Crépeau and Kilian [CK88], the entire body of research on secure two-party computation over noisy channels requires parties to interact. In contrast, the present paper considers cryptographic protocols which only use one-way communication, namely ones in which only one party speaks. There has been a considerable amount of work on realizing information-theoretic secure message transmission in this setting. These works are motivated not only by the goal of achieving information-theoretic security, but also by the goal of efficiency; see [BTV12] for discussion. Our goal is to extend this study to more general cryptographic tasks, including useful special cases of secure two-party computation in which the input originates from only one party.
1.1 Our Model
We model a channel as an ideal functionality \(\mathcal {C}\). This is done in order to capture the security properties of the channel in a clean way and in order to facilitate the use of composition theorems. A channel provides a communication medium between a sender and a receiver. The sender can invoke the channel \(\mathcal {C}\) on an input of its choice. The channel “based on its nature” processes the input and outputs the processed value to the receiver. The correctness and secrecy requirements of a channel and the protocols we build on top of it can be specified in terms of UC security. For example, consider a binary erasure channel (BEC) parameterized by a probability \(p \in (0,1)\). For this channel, the sender inputs a bit \(x \in \{0,1\}\) and the channel outputs (for the receiver) x with probability p and \(\bot \) with probability \(1 - p\).^{1} Even for this basic channel, stating the correctness and security properties is nontrivial. Correctness requires that if the sender sends x then the receiver outputs either x or \(\bot \) with the right probability distribution. Security is a bit more involved; it requires that no malicious sender can figure out whether the receiver actually received the sent bit or not, and that a malicious receiver does not learn any partial information about the sent bit in the case of an erasure.
In this work, we consider various such channels. Two other channels that will be of great interest to us are the binary symmetric channel (BSC) and the random oblivious transfer (ROT) channel. A BSC is parameterized by a probability \(p \in (\frac{1}{2},1)\). For this channel, the sent bit is transmitted correctly with probability p and is flipped with probability \(1-p\). An ROT channel takes as input two strings \(m_0\) and \(m_1\) from the sender and outputs either \((m_0,\bot )\) or \((\bot ,m_1)\) to the receiver, with equal probability.
1.2 Our Results
We initiate a general study of one-way secure computation (OWSC) protocols over noisy channels in a setting where only one party speaks. Surprisingly, the one-way setting is strikingly different from the interactive setting. In the interactive setting, all finite channels are either trivial, equivalent to secure message transmission, or equivalent to oblivious transfer. On the other hand, in the setting of OWSC, the landscape of what a channel is useful for is much richer. Specifically, we obtain the following results. All the implications have been summarized in Fig. 1.

Relationships Between Channels. The binary erasure channel (BEC) and the binary symmetric channel (BSC), which are known to be securely reducible to each other in the interactive setting, turn out to be qualitatively very different in the setting of one-way communication. In particular, we show that a BEC cannot be implemented given a BSC. Also, somewhat surprisingly, we show that while the erasure probability of a BEC can be manipulated in both directions, the probability of correct transmission of a BSC can only be manipulated in one direction.

Deterministic Functions. We show that both BEC and BSC are sufficient for securely realizing any deterministic (possibly reactive) functionality that takes input from a sender and delivers its output to a receiver with only one-way communication. This provides the first truly non-interactive solution to the problem of zero-knowledge. We extend our results to the Generalized Erasure Channel (GEC), which is a generalization of BEC (see Sect. 3 for the formal definition).

Randomized Functions. We show that neither BEC nor BSC can be used (even under computational assumptions) for the task of realizing randomized functionalities which take input from a sender and deliver output to a receiver, in the setting of one-way communication. Nonetheless, one-way communication over natural channels, such as bursty erasure channels, can be used to realize such functionalities. This result is obtained by first constructing a random oblivious-transfer channel (ROT) and building on the techniques from [IPS08, IKO+11a]. This provides the first nontrivial feasibility result for secure computation in a setting where only one party speaks.
1.3 Applications
One-way secure computation (OWSC), both for deterministic and for randomized functionalities, enables a number of applications for which there are no known solutions.
Truly Non-interactive Zero-Knowledge. Non-interactive zero-knowledge proof systems (NIZKs) [BFM90, FLS99] are a fundamental tool in cryptography with widespread applications. However, all known constructions rely on a common random string (or a random oracle)^{2} and inherently fail to achieve useful features such as non-transferability or deniability [Pas03]. OWSC for deterministic functions provides the first truly non-interactive solution to the problem of zero-knowledge. This solution does not rely on a shared string between parties or a random oracle and achieves the non-transferability and deniability properties. Furthermore, this solution achieves information-theoretic and composable security.
Oblivious Certification of Cryptographic Keys. Public-key cryptography relies on the existence of certification authorities (like Verisign) who sign the public keys of different parties. All known implementations of this certification procedure rely on interaction. Our OWSC for randomized functionalities provides the first candidate for realizing this procedure with just one-way communication. More specifically, our protocol allows the certification authority to send a public-key/secret-key pair along with a certificate on the public key using just one-way communication. We stress that in this setting the certification authority itself does not learn the secret key of the recipient party, as the randomness used in its generation is derived from the channel. However, if the certification authority deviates from the protocol, the recipient may detect failure rather than output a pair of keys.
Fair Puzzle Distribution. Consider a Sudoku puzzle competition where the organizer of the competition would like to generate signed puzzles for all the participants. However, the participants do not trust the organizer and would like their challenge Sudoku puzzles to be of the same difficulty. More specifically, we would like to have a mechanism that allows the competition organizer to provide independent puzzles of a pre-specified difficulty level (along with a signature on each puzzle) to each of the participants. The participants should be assured not only that the puzzles were generated independently from the correct distribution, but also that the organizers do not have an edge in solving the puzzles they generated (e.g., by generating random solved puzzles). There are no known solutions for this problem in a setting with just one-way communication. Our OWSC protocol for randomized functions gives the first such solution.
2 Preliminaries
Let \(\lambda \) denote a security parameter. We say that a function is negligible in \(\lambda \) if it is asymptotically smaller than the inverse of any fixed polynomial in \(\lambda \). Otherwise, the function is said to be non-negligible in \(\lambda \). We say that an event happens with overwhelming probability if it happens with probability \(p(\lambda ) = 1-\nu (\lambda )\), where \(\nu (\lambda )\) is a negligible function in \(\lambda \). We use [n] to denote the set \(\{1,\ldots , n\}\).
Lemma 1
3 Different Kinds of Channels
In this work, we model a channel as an ideal functionality \(\mathcal {C}\). This is done in order to capture the security properties of a channel in a clean way. A channel provides a (one-way) communication medium between a sender and a receiver. The sender can invoke the channel \(\mathcal {C}\) on an input of its choice. The channel, “based on its nature”, processes the input and outputs the processed value to the receiver. The correctness and secrecy requirements of a channel can be specified by a two-party functionality, which takes an input from the sender, generates some internal randomness, and delivers an output to the receiver. Our formulation of channel functionalities, as well as the security definition of protocols that build on top of them, follow the standard UC framework [Can05]. All of our positive results hold with statistical security, and some of our negative results apply also to the case of computational security. We will consider the following types of channels.
Binary Erasure Channel. The binary erasure channel (BEC) is perhaps the simplest nontrivial channel model considered in the literature. We denote this channel by \(\mathcal {C}_{BEC}^p\). For this channel, the sender inputs a bit \(x \in \{0,1\}\) and the channel outputs (to the receiver) x with probability p and \(\bot \) with probability \(1 - p\).
Binary Symmetric Channel. The binary symmetric channel (BSC), denoted by \(\mathcal {C}_{BSC}^p\) (for \(p > \frac{1}{2}\)), is a channel in which the sender inputs a bit \(x \in \{0,1\}\) and the channel outputs (for the receiver) x with probability p and \(1 - x\) with probability \(1 - p\).
Generalized Erasure Channel. The generalized erasure channel (GEC) is a generalization of the BEC, where k strings are sent by the sender and some subset of them, determined by a probability distribution \(\mathcal {D}\), is erased. We denote this channel by \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}}\). Formally, the functionality takes as input k strings \(x_1, \ldots , x_k \in \{0,1\}^\ell \) from the sender. It samples a string \(s \in \{0,1\}^k\) (which we call the randomness of the channel) according to the distribution \(\mathcal {D}\). If \(s_i = 1\) then set \(y_i = x_i\) and, otherwise, \(y_i=\bot \). The functionality outputs \(y_1,\ldots ,y_k\) to the receiver. We will consider the following special cases of the generalized erasure channel.

\(\ell \)-Bit Random Oblivious Transfer. The \(\ell \)-bit random oblivious transfer channel (\(\ell \)-ROT), denoted by \(\mathcal {C}_{ROT}^{\ell }\), corresponds to the channel \(\mathcal {C}_{GEC}^{2,\ell ,\mathcal {D}_{2,OT}}\), where \(\mathcal {D}_{2,OT}\) is the distribution that outputs a uniformly random value in \(\{01,10\}\). We also consider a p-biased \(\ell \)-bit ROT channel, denoted by \(\mathcal {C}_{ROT}^{\ell ,p}\), which corresponds to the channel \(\mathcal {C}_{GEC}^{2,\ell ,\mathcal {D}_{2,p,OT}}\), where \(\mathcal {D}_{2,p,OT}\) is the distribution that outputs 10 with probability p and 01 with probability \(1 - p\).

\((k,\ell ,p)\)-Erasure Channel. The \((k,\ell ,p)\)-erasure channel corresponds to the channel \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,p}}\), where \(\mathcal {D}_{k,p}\) is the distribution that outputs a k-bit string s such that, for every \(i \in [k]\), we have \(s_i=1\) with probability p and \(s_i=0\) with probability \(1-p\).

\((k,\ell )\)-Perfect Red-Blue Channel. The \((k,\ell )\)-Perfect Red-Blue channel corresponds to the channel \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,RB}}\), where \(\mathcal {D}_{k,RB}\) is any distribution such that each string in its output space (namely \(\{0,1\}^k\)) may be labeled either \(\mathsf{Red }\) or \(\mathsf{Blue }\) (or none) in a way that \(\Pr [\mathsf{Red }\cup \mathsf{Blue }] = 1\), \(\Pr [\mathsf{Red }] = \Pr [\mathsf{Blue }]\), and \(\forall r \in \mathsf{Red }\) and \(\forall s \subseteq r\) we have that \(s \notin \mathsf{Blue }\) and, similarly, \(\forall b \in \mathsf{Blue }\) and \(\forall c \subseteq b\) we have that \(c \notin \mathsf{Red }\).^{3}

\((k,\ell ,\mu ,\nu ,\eta )\)-Statistical Red-Blue Channel. The \((k,\ell ,\mu ,\nu ,\eta )\)-Statistical Red-Blue channel is a relaxed version of the Perfect Red-Blue Channel, which corresponds to the channel \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,\mu ,\nu ,\eta }}\), where \(\mathcal {D}_{k,\mu ,\nu ,\eta }\) is any distribution whose output space can be labelled \(\mathsf{Red }\) and \(\mathsf{Blue }\) such that (i) \(\Pr [\mathsf{Red }\cup \mathsf{Blue }] \ge 1 - \mu \), (ii) \(\Pr [\mathsf{Red }] - \Pr [\mathsf{Blue }] \le \nu \), (iii) \(\Pr _{r\in \mathsf{Red }}[\exists s \subseteq r \text{ such that } s \in \mathsf{Blue }] \le \eta \), and (iv) \(\Pr _{b\in \mathsf{Blue }}[\exists c \subseteq b \text{ such that } c \in \mathsf{Red }] \le \eta \).

\((k,\ell ,b)\)-Perfect Bursty Channel. This is an erasure channel where all b erasures appear in a “burst”. Formally, the \((k,\ell ,b)\)-Perfect bursty channel corresponds to the channel \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,b}}\), where \(\mathcal {D}_{k,b}\) is the distribution that outputs a k-bit string such that all the bits are set to 1 besides the bits in locations \(x+1, x+2, \ldots , x+{b}\), where x is chosen uniformly from \(\{0,\ldots , k-b\}\).

\((k,\ell ,b,\sigma )\)-Noisy Bursty Channel. This is an erasure channel where erasures still appear in a “burst” but their number \(b'\) is normally distributed around b. Formally, the \((k,\ell ,b,\sigma )\)-noisy bursty channel corresponds to the channel \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,b,\sigma }}\) for typical \(k\gg b\), where \(\mathcal {D}_{k,b,\sigma }\) is the distribution that outputs a k-bit string such that all the bits are set to 1 besides the bits in locations \(x+1, x+2, \ldots , x+{b'}\), where \(b'\) is sampled from a Gaussian with mean b and standard deviation \(\sigma \) and rounded to the closest non-negative integer \(\le k\), and then x is chosen uniformly from \(\{0,\ldots , k-b'\}\).
4 Classification of Functionalities
Below we define the notion of one-way secure computation (OWSC) over a channel \(\mathcal {C}\) (thought of as a non-reactive ideal functionality). We shall refer to such an OWSC scheme as \(OWSC/\mathcal {C}\).

Sender gets an input \(x \in X\).

Sender invokes the channel \(\mathcal {C}\) (possibly multiple instances of the channel) with inputs of its choice. The channel, based on its nature, processes the input value and outputs it to the Receiver.

Receiver carries out a local computation and outputs f(x) or an error message.
Similarly, we can consider reactive functionality specified by a stateful function \(f: \varSigma \times X \rightarrow \varSigma \times Y\). The Sender of a \(\mathsf{OWSC }^f/\mathcal {C}\) scheme for a stateful function f obtains multiple inputs on the fly. On obtaining an input \(x \in X\), Sender can invoke the channel \(\mathcal {C}\) multiple times and in each execution the Receiver should either output y where \((\sigma ',y) \leftarrow f(\sigma ,x)\) (where \(\sigma \in \varSigma \) is the current state and \(\sigma '\) is the state for the next execution) or an error message. The first execution of the protocol sets the state to \(\epsilon \).
The correctness and secrecy requirements of an OWSC scheme can be specified in terms of an ideal functionality. An \(\mathsf{OWSC }^f/\mathcal {C}\) scheme for f is required to be a secure realization of the following functionality \(\mathcal {F}_f\) in the \(\mathcal {C}\)-hybrid model.

\(\mathcal {F}_f\) accepts \(x \in X\) from the Sender and outputs f(x) to the receiver. If x is a special input error, then it outputs error to the Receiver.
We shall denote the security parameter by \(\lambda \) and require that the sender and the receiver in any scheme run in time polynomial in \(\lambda \) and the size of the circuit computing the function f. Further, for a scheme to be considered secure, we require that the simulation error be at most \(2^{-\varOmega (\lambda )}\).
Definition 1
(Completeness for Deterministic Functionalities). A channel \(\mathcal {C}\) is said to be \(\mathsf{OWSC }\)-complete for deterministic functionalities if for every deterministic function \(f: X \rightarrow Y\) there exists an \(\mathsf{OWSC }^f/\mathcal {C}\) scheme that is a UC-secure realization of the functionality \(\mathcal {F}_f\) in the \(\mathcal {C}\)-hybrid model.
Definition 2
(Completeness for Randomized Functionalities). A channel \(\mathcal {C}\) is said to be \(\mathsf{OWSC }\)-complete for randomized functionalities if for every randomized function \(f: X \rightarrow Y\) there exists an \(\mathsf{OWSC }^f/\mathcal {C}\) scheme that is a UC-secure realization of the functionality \(\mathcal {F}_f\) in the \(\mathcal {C}\)-hybrid model.
5 Reductions Among Channels

Impossibility Results for \(\mathcal {C}_{ROT}\). One of the key channels of interest to us is the random oblivious transfer channel. We start by establishing (in Sect. 5.1) that this channel cannot be securely realized from the most basic channels such as \(\mathcal {C}_{BEC}\) (in fact, from any \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,p}}\), where \(\mathcal {D}_{k,p}\) is the distribution that outputs a k-bit string s such that, for every \(i \in [k]\), we have \(s_i=1\) with probability p and \(s_i=0\) with probability \(1-p\)) and \(\mathcal {C}_{BSC}\). In the full version, we provide extensions of these results to the computational setting (ruling out, however, only protocols with negligible error rather than small noticeable error).

Positive Results for \(\mathcal {C}_{ROT}\). We consider a variety of more structured channels, such as the Red-Blue channel and the bursty channel, and give constructions of a random oblivious transfer channel from such channels (Sect. 5.2).

Self-transformations for \(\mathcal {C}_{BEC}\) and \(\mathcal {C}_{BSC}\). We return to the basic channels (\(\mathcal {C}_{BEC}\) and \(\mathcal {C}_{BSC}\)) and study additional properties of them. Although neither of these channels implies \(\mathcal {C}_{ROT}^1\), they are of a very different nature. We show (in Sect. 5.3) that the erasure probability of \(\mathcal {C}_{BEC}\) can be easily manipulated, but the flipping probability of \(\mathcal {C}_{BSC}\) is harder to manipulate. In particular, given a \(\mathcal {C}_{BEC}\), we can construct another \(\mathcal {C}_{BEC}\) with amplified or diminished erasure probability. On the other hand, given a \(\mathcal {C}_{BSC}\), we can only construct another \(\mathcal {C}_{BSC}\) with amplified flipping probability; diminishing the flipping probability turns out to be impossible.
We remark that all the impossibility results (in this section) are stated in terms of the simulation-based notion but hold even for a weaker game-based security notion. These stronger impossibility results are implied by the proofs and are not spelled out explicitly.
5.1 Impossibility Results for \(\mathcal {C}_{ROT}\)

\(\mathcal {C}_{ROT}^{\ell '}\) (and, in fact, even biased ROT) cannot be non-interactively securely realized from \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,p}}\).

\(\mathcal {C}_{BEC}^{p'}\) cannot be non-interactively securely realized from \(\mathcal {C}_{BSC}^p\). It is easy to realize \(\mathcal {C}_{BEC}^{\frac{1}{2}}\) from \(\mathcal {C}_{ROT}^{\ell '}\). Hence, combining with the above result, we also conclude that \(\mathcal {C}_{ROT}^{\ell '}\) cannot be non-interactively securely realized from \(\mathcal {C}_{BSC}^p\).
The following theorem and its proof can be adapted to rule out even \(\mathcal {C}_{ROT}^{\ell ',q}\) for any constant q. We state the result and the proof in the simpler setting where \(q = \frac{1}{2}\).
Theorem 1
\(\exists ~ \varepsilon \in (0,1)\) and \(\ell ' \in \mathbb {Z}^+\) such that \(\forall k,\ell ,p\), the channel \(\mathcal {C}_{ROT}^{\ell '}\) cannot be \(\varepsilon \)-securely realized in the \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,p}}\)-hybrid model even against semi-honest adversaries.
We start by giving some intuition for the case of the binary erasure channel. The intuition extends to \((k,\ell ,p)\)-erasure channels in a natural way. In any protocol for non-interactively realizing \(\mathcal {C}_{ROT}^1\) the sender will need to encode both its inputs \(m_0,m_1\) into its first message. Whether the receiver obtains \(m_0\) or \(m_1\) should depend solely on the random coins of the channel. In other words, erasure of certain bits (or, more generally, one combination from a list of possible choices) allows the receiver to obtain \(m_0\), while erasure of another combination allows the receiver to learn \(m_1\). The key issue is that a binary erasure channel erases each bit sent by the sender independently with probability \(1-p\). Consider the scenario in which a receiver can obtain \(m_0\) from the received bits. In this scenario, since each bit sent by the sender is treated independently, the receiver also obtains \(m_1\) with a large enough probability, contradicting the security of the protocol. Arguing the last step formally is tricky, and we rely on the Harris-Kleitman inequality for our argument. The full proof appears in the full version.
Theorem 2
\(\forall p \in (\frac{1}{2},1)\), \(p' \in (0,1)\) and protocol \(\pi \), \(\exists \varepsilon \) such that \(\pi \) does not \(\varepsilon \)-securely realize \(\mathcal {C}_{BEC}^{p'}\) in the \(\mathcal {C}_{BSC}^p\)-hybrid model even against semi-honest adversaries.
We start by giving some intuition. Any protocol for non-interactively securely realizing \(\mathcal {C}_{BEC}\) will need the sender to encode its input m into its first message. Whether the receiver obtains m or not should depend solely on the random coins of the channel. In other words, when certain bits (or, more generally, one combination from a list of possible choices) are flipped, the receiver loses all information about m, while flipping another combination allows the receiver to learn m completely. Consider a sequence of hybrid strings between a pair of strings on which the receiver outputs m and \(\bot \), respectively. Among the hybrid strings there must exist two strings that differ in exactly one bit but on which the receiver’s output differs completely. At this point, we argue that a change of just one bit cannot affect the receiver’s best guess about the sent bit very dramatically, contradicting the security of the protocol. The key technical challenge of the proof lies in proving that this happens with noticeable probability. The full proof appears in the full version.
5.2 Positive Constructions for \(\mathcal {C}_{ROT}\)
We start by presenting a construction of a random oblivious transfer channel in the Red-Blue channel hybrid model. Our construction provides a solution for any arbitrary Red-Blue channel but is inefficient. Furthermore, such a channel in its full generality is not very natural. Therefore, we study natural examples of Red-Blue channels (and their approximate variants) and attempt more efficient solutions.
We start by considering the basic setting of an arbitrary Red-Blue Channel and prove that it is sufficient to realize a random oblivious transfer channel.
Theorem 3
\(\mathcal {C}_{ROT}^\ell \) can be \(\max \{\mu ,\nu ,\eta \}\)-UC-securely realized (even against malicious adversaries) in the \((k,\ell ',\mu ,\nu ,\eta )\)-Red-Blue Channel hybrid model, where \(\ell ' = \ell \cdot 2^k\).
The proof appears in the full version. Note that for the case of the perfect Red-Blue Channel we have \(\mu = \nu = \eta = 0\), and hence \(\mathcal {C}_{ROT}^\ell \) can be perfectly UC-securely realized in the \((k,\ell ')\)-Perfect Red-Blue Channel hybrid model, where \(\ell ' = \ell \cdot 2^k\).
Efficient Construction for ROT. We will start by considering the case of the perfect bursty channel and show that it can be used to realize ROT. Recall that a \((k,\ell ,b)\)-perfect bursty channel corresponds to the channel \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,b}}\), where \(\mathcal {D}_{k,b}\) is the distribution that outputs a k-bit string such that all the bits are set to 1 besides the “burst” of bits in locations \(x+1, x+2, \ldots , x+{b}\), which are set to 0, where x is chosen uniformly from \(\{0,\ldots , k-b\}\). In this setting we claim that:
Theorem 4
\(\mathcal {C}_{ROT}^\ell \) can be UC-securely realized (even against malicious adversaries) in the \((k,\ell ,b)\)-perfect bursty channel hybrid model when \(b > \frac{k}{2}\) or when b is odd.
Proof
We start by giving the intuition. The key idea is to use Shamir’s secret sharing (with shares of length \(\ell \)) and to secret-share the first string in the first half and the second string in the second half (with an appropriate threshold). In both cases, \(b > \frac{k}{2}\) and b odd, the deletion pattern is asymmetric: if more terms from the first half are erased then the first string is deleted and, on the other hand, if more terms from the second half are erased then the second string is deleted. If k is odd then our construction only gives a biased ROT, but this bias can be corrected using the transformation from Sect. 7. Similarly, we note that our construction does not need the distribution over where the burst happens to be uniform. Our protocol can be very easily modified so that this restriction is not crucial; this would, however, only give biased ROT protocols, and the bias would again need to be corrected using the transformation from Sect. 7.
Next we give the construction for the case when b is odd. We assume, for simplicity, that k is even and \(t = \frac{k}{2}\). The construction for the setting when k is odd, or when b is not necessarily odd but \(b > k/2\), is identical except that the parameters have to be adjusted appropriately.
The construction appears in Fig. 2. Since b is odd, in either the first half or the second half at least \(\lceil b/2\rceil \) of the strings are erased and hence that value remains hidden. On the other hand, in the other half the value can always be computed since at most \(\lfloor b/2\rfloor \) strings are deleted. The proof is identical to the case of the Red-Blue Channel (proved in the full version) and is therefore omitted.
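As an added illustration (not the paper's own code, and not Fig. 2 itself), the following Python program implements the construction just described for even k and odd b: Shamir shares of \(m_0\) over the first k/2 slots and of \(m_1\) over the second, each with threshold \(\frac{k}{2} - \lfloor b/2\rfloor \), together with the perfect bursty channel and the receiver's reconstruction. The field prime, the concrete k, b and the message values are constructed for the example; the threshold is an explicit parameter, so the Theorem 5 variant (a lower threshold for a noisy burst) is the same code with a different threshold.

```python
"""Random OT from a (k, l, b)-perfect bursty erasure channel (Theorem 4).

Added example, not the paper's code. The k channel slots are split into
two halves: the first carries Shamir shares of m0, the second shares of m1,
each with threshold k/2 - floor(b/2). A half therefore survives floor(b/2)
erasures but reveals nothing once ceil(b/2) of its shares are gone. For odd
b a burst of b consecutive erasures puts at least ceil(b/2) erasures in
one half and at most floor(b/2) in the other, so the receiver learns
exactly one of (m0, m1). Field prime and parameters are illustrative.
"""
import random

PRIME = 2**61 - 1          # Shamir field; messages are integers below PRIME


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1] x + ... at x mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def shamir_share(secret, n, threshold, rng):
    """n shares (at x = 1..n); any `threshold` of them reconstruct `secret`,
    any threshold-1 of them are uniformly distributed and independent of it."""
    coeffs = [secret % PRIME] + [rng.randrange(PRIME) for _ in range(threshold - 1)]
    return [_eval_poly(coeffs, x) for x in range(1, n + 1)]


def shamir_reconstruct(points):
    """Lagrange interpolation at 0 over GF(PRIME); points = [(x, y), ...]."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def default_threshold(k, b):
    """Theorem 4 setting: tolerate floor(b/2) erasures per half, no more."""
    return k // 2 - b // 2


def rot_sender(m0, m1, k, threshold, rng):
    """Sender's k field elements: shares of m0, then shares of m1."""
    h = k // 2
    return shamir_share(m0, h, threshold, rng) + shamir_share(m1, h, threshold, rng)


def perfect_bursty_channel(symbols, b, x):
    """D_{k,b} with burst position x in {0, ..., k-b}: erases slots x+1..x+b
    (1-indexed), i.e. 0-indexed positions x..x+b-1. None marks an erasure."""
    k = len(symbols)
    assert 0 <= x <= k - b
    return [None if x <= i < x + b else s for i, s in enumerate(symbols)]


def rot_receiver(received, threshold):
    """Reconstruct whichever half kept at least `threshold` shares.
    Returns (m0_or_None, m1_or_None)."""
    h = len(received) // 2
    out = []
    for half in (received[:h], received[h:]):
        pts = [(i + 1, y) for i, y in enumerate(half) if y is not None]
        out.append(shamir_reconstruct(pts[:threshold]) if len(pts) >= threshold else None)
    return tuple(out)


def run_all_bursts(m0, m1, k, b, seed=7):
    """Enumerate every burst position the channel can pick and return the
    receiver's output for each; with k even and b odd exactly one message
    is recovered every time, and each message is recovered for exactly
    half of the positions (the unbiased ROT of Theorem 4)."""
    assert k % 2 == 0 and b % 2 == 1 and b <= k
    rng = random.Random(seed)
    threshold = default_threshold(k, b)
    encoded = rot_sender(m0, m1, k, threshold, rng)
    return [rot_receiver(perfect_bursty_channel(encoded, b, x), threshold)
            for x in range(k - b + 1)]
```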
Channel with Imprecise Burst. Finally, we consider a bursty erasure channel where the size of the burst is not precisely known but comes from roughly a discrete Gaussian distribution. Recall that the \((k,\ell ,b,\sigma )\)-noisy bursty channel corresponds to the channel \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,b,\sigma }}\), where \(\mathcal {D}_{k,b,\sigma }\) is the distribution that outputs a k-bit string such that all the bits are set to 1 besides the bits in locations \(x+1, x+2, \ldots , x+{b'}\), where \(b'\) is sampled from a Gaussian with mean b and standard deviation \(\sigma \) and rounded to the closest non-negative integer \(\le k\), and then x is chosen uniformly from \(\{0,\ldots , k-b'\}\).
Theorem 5
\(\mathcal {C}_{ROT}^\ell \) can be \(\left(\frac{(1-\alpha )b}{k-(1+\alpha )b} + \frac{\sigma ^2}{\alpha ^2b^2}\right)\)-UC-securely realized in the \((k,\ell ,b,\sigma )\)-noisy bursty channel hybrid model for any constant \(\alpha \in (0,1)\).
Proof
We use the same construction as in Fig. 2 except for the threshold parameter \(\theta \) of the Shamir secret sharing. We set it up so that it is possible to obtain \(m_0\) if fewer than \((1-\alpha )b/2\) symbols are erased from the first half. Similarly, secret sharing is done for the second half. By Chebyshev’s inequality, the probability that the size of the burst, \(b'\), lies outside the range \(\{(1-\alpha )b,\ldots , (1+\alpha )b\}\) is at most \(\frac{\sigma ^2}{\alpha ^2b^2}\) (if \(b'\) is too big the receiver may not learn any value, while if \(b'\) is too small it may learn both values). Assuming this does not happen, the receiver gets only one of the sent values as long as the burst does not happen “in the middle” (i.e., \((1-\alpha )b/2\) symbols are erased from each half). The probability that the burst happens in the middle is at most \(\frac{(1-\alpha )b}{k-(1+\alpha )b}\).
5.3 Self-transformations for \(\mathcal {C}_{BEC}\) and \(\mathcal {C}_{BSC}\)
In this subsection, we show that any erasure channel can be used to construct a binary erasure channel with any desired erasure probability. On the other hand, the case of BSC is very different. The probability of correct transmission in a BSC channel can be reduced but cannot be increased. Formally,
Theorem 6
\(\forall ~\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}}\) such that \(\mathcal {D}\) is not a constant distribution, \(\exists ~ p\) such that \(\mathcal {C}_{BEC}^{p}\) can be (perfectly) UC-securely realized (even against malicious adversaries) in the \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}}\)-hybrid model.
Theorem 7
\(\forall p,p'\in (0,1)\) and \(\epsilon > 1\), \(\exists p'' \in [p',\epsilon p']\), such that \(\mathcal {C}_{BEC}^{p''}\) can be (perfectly) UC-securely realized (even against malicious adversaries) in the \(\mathcal {C}_{BEC}^{p}\)-hybrid model.
Theorem 8
\(\forall p\in (\frac{1}{2},1)\) and \(t \in \mathbb {Z}^+\), the channel \(\mathcal {C}_{BSC}^{p'}\) can be (perfectly) UC-securely realized (even against malicious adversaries) in the \(\mathcal {C}_{BSC}^{p}\)-hybrid model where \(p' = \frac{1}{2}+ 2^{t-1}\left( p-\frac{1}{2}\right) ^t\).
Theorem 9
\(\forall ~ p,p' \in (\frac{1}{2},1), p' > p\) and protocol \(\pi \), \(\exists \varepsilon \) such that \(\pi \) does not \(\varepsilon \)-securely realize \(\mathcal {C}_{BSC}^{p'}\) in the \(\mathcal {C}_{BSC}^p\)-hybrid model even against semi-honest adversaries.
Proofs of the above theorems appear in the full version.
6 OWSC Scheme for Deterministic Functionalities
\(\mathsf{OWSC }^{f}/\mathcal {C}\) is a meaningful notion only for those deterministic functions f for which, given a value y, deciding whether there exists an input x such that \(y = f(x)\) is non-trivial (cannot be done efficiently). This, in particular, rules out all functions with polynomial-sized input domains. Furthermore, this notion is useful only in the setting of malicious adversaries, because it is trivial to realize in the setting of semi-honest adversaries.
We start by noting that a \(\mathsf{OWSC }^{f}/\mathcal {C}\) scheme, for any deterministic function f, can be realized using a \(\mathsf{OWSC }^{\mathsf {zk}}/\mathcal {C}\) scheme for the zero-knowledge functionality. This is achieved simply by having the sender send the output to the receiver together with a zero-knowledge proof of knowledge of an input x for which f(x) yields the provided output. Here we implicitly assume that, besides the channel \(\mathcal {C}\), the sender also has access to an error-free channel, which can be implemented using \(\mathcal {C}\) itself (with negligible error). Formally,
Theorem 10
For every deterministic function f, there exists a \(\mathsf{OWSC }^f/\mathcal {C}\) scheme that is a UC-secure realization (even against malicious adversaries) of the functionality \(\mathcal {F}_f\) in the \(\mathcal {C}\)-hybrid model where \(\mathcal {C}\in \{\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}}, \mathcal {C}_{BSC}^p\}\).
As already mentioned, proving the above theorem reduces to the task of realizing a \(\mathsf{OWSC }^{\mathsf {zk}}/\mathcal {C}\) scheme. In our construction, we will make use of oblivious ZKPCPs (see definitions in the full version).
Lemma 2
There exists a \(\mathsf{OWSC }^{\mathsf {zk}}/\mathcal {C}\) scheme that is a UC-secure realization (even against malicious adversaries) of the zero-knowledge functionality in the \(\mathcal {C}\)-hybrid model where \(\mathcal {C}\in \{\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}}, \mathcal {C}_{BSC}^p\}\).
We start by giving some intuition. The key idea is to use an erasure channel or a binary symmetric channel to send over multiple instances of independently chosen ZKPCPs and observe the statistical gap that can be created only if valid proofs were sent. However, a number of difficulties arise in realizing this intuition, particularly in our construction from BSC. Below, we provide our construction from erasure channels. The more involved construction from the binary symmetric channel is deferred to the full version.
Hence, except with negligible probability for each \(i \in [k]\), R receives at least c. Given this the completeness of the protocol follows from the completeness of the oblivious ZKPCP.
Soundness. We will construct an extractor \(E'\) that extracts valid witnesses from any cheating prover \(P^*\) that makes the honest verifier accept with non-negligible probability. We will first describe our extractor \(E'\) and then argue that it indeed works (with overwhelming probability).
Our extractor \(E'\) proceeds as follows. Let \((\pi _1,\pi _2,\ldots , \pi _\ell )\) be the proofs generated by the cheating prover \(P^*\). For every \(i \in [\ell ]\), \(E'\) obtains \(y_i = E(x,\pi _i)\). If \(\exists i^* \in [\ell ]\) such that \(y_{i^*}\in R(x)\) then output \(y_{i^*}\) (breaking ties arbitrarily). If no such \(i^*\) exists then output \(\bot \).
Note that since our extractor \(E'\) failed to extract a witness out of \(\pi _i\) for any \(i \in [\ell ]\), we have (by soundness of the ZKPCP) that \(\Pr [V_{\mathsf{oZK }}(x,\pi '_i) = 0] \ge {\kappa }\) for every \(i \in [\ell ]\), where the probability is taken over the random choices involved in obtaining \(\pi '_i\) from \(\pi _i\). Hence, if \(E'\) outputs \(\bot \) then the verifier must also always reject, except with probability at most \((1 - {\kappa })^\ell \), which is negligible for \(\ell = \frac{\lambda }{{\kappa }}\).
Zero-Knowledge. We need to construct a simulator \(\mathcal {S}'\) for our protocol. This construction follows immediately from the \(\nu \)-zero-knowledge property of the oblivious ZKPCP.
The full proof for the case of BSC appears in the full version.
7 \(\mathcal {C}_{ROT}^\ell \) is \(\mathsf{OWSC }\) Complete for Randomized Functionalities
In this section, we describe an OWSC scheme for any randomized function in the \(\mathcal {C}_{ROT}\)-hybrid model that uses only a single round of random OTs and no additional interaction. The functionalities considered here provide output to only one party. This result follows directly from [IPS08, Appendix B]; we include the construction and proof in the full version for completeness (much of the text has been taken verbatim from [IPS08, Appendix B]). More efficient alternatives have been considered by [IKO+11a]; however, we consider the simplest feasibility result for our setting.
One technical difference in our setting compared to [IPS08] is the underlying primitive from which the protocols are constructed. While the protocol in [IPS08] uses a regular 1-out-of-N OT protocol, in our case we only have access to a 1-out-of-2 ROT protocol and need to convert it into a 1-out-of-N ROT protocol. (Recall that in the ROT protocol the choice of which of the N strings the receiver obtains is made by the channel.) This can be done easily using standard techniques, and a sketch of the construction is provided in the full version.
Theorem 11
For every randomized function f, \(\exists \ell \) and a \(\mathsf{OWSC }^f/\mathcal {C}_{ROT}^\ell \) scheme that is a UC-secure realization (even against malicious adversaries) of the functionality \(\mathcal {F}_f\) in the \(\mathcal {C}_{ROT}^\ell \)-hybrid model.
\(\epsilon \)-secure Variant. We can also use the \(\epsilon \)-UC realization of ROT (based on the noisy bursty channel, as in Theorem 5) in order to obtain an \(\epsilon \cdot r\)-UC realization of \(\mathsf{OWSC }^f\), where r is the number of ROT calls made inside our construction. For our construction, r is a fixed polynomial in the security parameter \(\lambda \), independent of the size of the function being computed.
Construction Using Biased-ROT. The above theorem is stated only for the \(\mathcal {C}_{ROT}^\ell \)-hybrid model. However, we note that the same construction continues to work in the \(\mathcal {C}_{ROT}^{\ell ,p}\)-hybrid model, for any constant \(p \in (0,1)\), with one small change. When using the \(\mathcal {C}_{ROT}^{\ell ,p}\) channel, the input provided by the channel for the function evaluation will be biased. This issue can be resolved by using \(\lambda \) (the security parameter) independent bits from the channel to obtain each bit for the functionality being evaluated. More specifically, each input bit for the functionality is obtained by taking the exclusive or of \(\lambda \) independent input bits. By the XOR Lemma, the obtained bits will be close to uniform.
Furthermore, when using the \(\mathcal {C}_{ROT}^{\ell ,p}\)-hybrid model, the construction itself does not depend on the precise value of the constant p. Hence, our construction is robust in the sense that it remains secure even if the adversary gets to specify the value of p (within some bounded range).
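The value \(p' = \frac{1}{2}+ 2^{t-1}(p-\frac{1}{2})^t\) of Theorem 8 and the XOR Lemma invoked for the biased-ROT construction are two instances of the same "piling-up" calculation: XORing t independent bits that each carry bias \(p-\frac{1}{2}\) leaves a bias of \(2^{t-1}(p-\frac{1}{2})^t\). The following Python is an added example and not code from the paper (whose proofs of Theorems 8 and 9 are in the full version): it checks the closed form against a direct computation, shows the bias of a \(\lambda\)-fold XOR vanishing, and simulates one natural one-way realization of \(\mathcal {C}_{BSC}^{p'}\) from \(\mathcal {C}_{BSC}^{p}\) (the sender splits each bit into t bits whose XOR is the bit and sends each through the channel). That repetition scheme, and all function names, are our assumptions rather than the paper's construction.

```python
import random

# Added example, not the paper's code.  It works out the XOR ("piling-up") calculation
# behind the p' of Theorem 8 and behind the XOR Lemma invoked for the biased-ROT
# construction.  The t-fold repetition in bsc_t_fold is one natural one-way way to
# realize BSC^{p'} from BSC^p; it is our assumption, since the paper's proof is in the
# full version.


def xor_correct_prob(p, t):
    """Exact Pr[the XOR of t independent bits is unflipped] when each bit is unflipped
    with probability p, via a dynamic programme over the running XOR (deliberately
    independent of the closed form below)."""
    ok = 1.0  # probability that the XOR of the bits seen so far is unflipped
    for _ in range(t):
        ok = ok * p + (1 - ok) * (1 - p)
    return ok


def theorem8_p_prime(p, t):
    """Closed form from Theorem 8: p' = 1/2 + 2^(t-1) (p - 1/2)^t."""
    return 0.5 + 2 ** (t - 1) * (p - 0.5) ** t


def xor_lemma_bias(p, lam):
    """Bias |Pr[XOR = 0] - 1/2| of the XOR of lam independent bits that are 0 with
    probability p.  By the same calculation it equals 2^(lam-1) |p - 1/2|^lam, so it
    vanishes exponentially in the security parameter lam."""
    return abs(xor_correct_prob(p, lam) - 0.5)


def bsc_t_fold(bit, p, t, rng):
    """Sender splits `bit` into t bits whose XOR is `bit` (t-1 uniform pads plus one
    correction bit); each crosses BSC^p (delivered unflipped w.p. p); the receiver XORs
    what arrives.  The composite behaves as BSC^{p'} with p' = theorem8_p_prime(p, t)."""
    pads = [rng.randrange(2) for _ in range(t - 1)]
    words = pads + [bit ^ (sum(pads) % 2)]
    received = [w if rng.random() < p else w ^ 1 for w in words]
    return sum(received) % 2


def estimate_t_fold_accuracy(p, t, trials=4000, seed=7):
    """Empirical fraction of random bits that survive the t-fold scheme unflipped."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        bit = rng.randrange(2)
        hits += bsc_t_fold(bit, p, t, rng) == bit
    return hits / trials


if __name__ == "__main__":
    for t in (1, 2, 3, 5):
        print(t, theorem8_p_prime(0.75, t), estimate_t_fold_accuracy(0.75, t))
    print("bias after 40 XORs of 0.9-biased bits:", xor_lemma_bias(0.9, 40))
```

For every \(p \in (\frac{1}{2},1)\) and \(t \ge 2\) the resulting \(p'\) is strictly below p, which is the direction Theorem 8 permits; the XOR of received bits can only lose reliability, matching the impossibility of going the other way stated in Theorem 9.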
Footnotes
1. In the literature, p sometimes stands for the error probability, while in our paper it is the probability of the “no noise” event.
2. The result of Barak and Pass [BP04] is an exception to this. However, they only achieve a weaker notion where security is only guaranteed against uniform provers. We, on the other hand, are interested in the standard notion of zero-knowledge.
3. Here, again, we identify each \(a\in \{0,1\}^k\) with a subset of [k] in the natural way.
4. Theorem 7 only guarantees a channel \(\mathcal {C}_{BEC}^{p'}\) with \(p'\) close enough to p. We will use the value \(\frac{1}{2}\) for concreteness, but any value close enough to \(\frac{1}{2}\), say in the range \(\frac{1}{2}\) to \(\frac{51}{100}\), will suffice as well.
References
 [Ajt10] Ajtai, M.: Oblivious RAMs without cryptographic assumptions. In: Schulman, L.J. (ed.) 42nd Annual ACM Symposium on Theory of Computing, pp. 181–190. ACM Press, Cambridge (2010)
 [BBCM95] Bennett, C.H., Brassard, G., Crépeau, C., Maurer, U.M.: Generalized privacy amplification. IEEE Trans. Inf. Theory 41(6), 1915–1923 (1995)
 [BBR88] Bennett, C.H., Brassard, G., Robert, J.M.: Privacy amplification by public discussion. SIAM J. Comput. 17(2), 210–229 (1988)
 [BCR86] Brassard, G., Crépeau, C., Robert, J.M.: Information theoretic reductions among disclosure problems. In: FOCS, pp. 168–173 (1986)
 [BFM90] Blum, M., Feldman, P., Micali, S.: Proving security against chosen cyphertext attacks. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 256–268. Springer, Heidelberg (1990)
 [BGW88] Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: Proceedings of the 20th STOC, pp. 1–10. ACM (1988)
 [BP04] Barak, B., Pass, R.: On the possibility of one-message weak zero-knowledge. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 121–132. Springer, Heidelberg (2004)
 [BTV12] Bellare, M., Tessaro, S., Vardy, A.: Semantic security for the wiretap channel. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 294–311. Springer, Heidelberg (2012)
 [Can01] Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. Electronic Colloquium on Computational Complexity (ECCC) TR01-016 (2001). (Previous version “A unified framework for analyzing security of protocols” available at the ECCC archive TR01-016. Extended abstract in FOCS 2001)
 [Can05] Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067 (2005). Revised version of [Can01]
 [CK88] Crépeau, C., Kilian, J.: Achieving oblivious transfer using weakened security assumptions (extended abstract). In: FOCS, pp. 42–52 (1988)
 [CMW04] Crépeau, C., Morozov, K., Wolf, S.: Efficient unconditional oblivious transfer from almost any noisy channel. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 47–59. Springer, Heidelberg (2005)
 [DFMS04] Damgård, I.B., Fehr, S., Morozov, K., Salvail, L.: Unfair noisy channels and oblivious transfer. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 355–373. Springer, Heidelberg (2004)
 [DKS99] Damgård, I.B., Kilian, J., Salvail, L.: On the (im)possibility of basing oblivious transfer and bit commitment on weakened security assumptions. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 56. Springer, Heidelberg (1999)
 [FLS99] Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)
 [GMW87] Goldreich, O., Micali, S., Wigderson, A.: How to play ANY mental game. In: Proceedings of the 19th STOC, pp. 218–229. ACM (1987). (See [Gol04, Chap. 7] for more details)
 [Gol04] Goldreich, O.: Foundations of Cryptography: Basic Applications. Cambridge University Press, Cambridge (2004)
 [Har60] Harris, T.E.: A lower bound for the critical probability in a certain percolation process. Proc. Cambridge Phil. Soc. 56, 13–20 (1960)
 [IKO+11a] Ishai, Y., Kushilevitz, E., Ostrovsky, R., Prabhakaran, M., Sahai, A.: Efficient non-interactive secure computation. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 406–425. Springer, Heidelberg (2011)
 [IKO+11b] Ishai, Y., Kushilevitz, E., Ostrovsky, R., Prabhakaran, M., Sahai, A., Wullschleger, J.: Constant-rate oblivious transfer from noisy channels. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 667–684. Springer, Heidelberg (2011)
 [IPS08] Ishai, Y., Prabhakaran, M., Sahai, A.: Founding cryptography on oblivious transfer - efficiently. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 572–591. Springer, Heidelberg (2008)
 [ISW03] Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)
 [Kil88] Kilian, J.: Founding cryptography on oblivious transfer. In: STOC, pp. 20–31 (1988)
 [Kle66] Kleitman, D.J.: Families of non-disjoint subsets. J. Combin. Theory 1, 153–155 (1966)
 [KM01] Korjik, V., Morozov, K.: Generalized oblivious transfer protocols based on noisy channels. In: Gorodetski, V.I., Skormin, V.A., Popyack, L.J. (eds.) MMM-ACNS 2001. LNCS, vol. 2052, p. 219. Springer, Heidelberg (2001)
 [Liu] Liu, H.: M400 MSci project: discrete isoperimetric inequalities
 [Mau91] Maurer, U.M.: Perfect cryptographic security from partially independent channels. In: STOC, pp. 561–571 (1991)
 [Mau02] Maurer, U.M.: Secure multi-party computation made simple. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 14–28. Springer, Heidelberg (2003)
 [Pas03] Pass, R.: On deniability in the common reference string and random oracle model. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 316–337. Springer, Heidelberg (2003)
 [RTWW11] Wullschleger, J., Ranellucci, S., Tapp, A., Winkler, S.: On the efficiency of bit commitment reductions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 520–537. Springer, Heidelberg (2011)
 [SW02] Stebila, D., Wolf, S.: Efficient oblivious transfer from any non-trivial binary-symmetric channel. In: 2002 IEEE International Symposium on Information Theory, Proceedings, p. 293 (2002)
 [Wik13] Wikipedia: Binomial distribution (2013). Accessed 17 October 2013
 [WNI03] Winter, A.J., Nascimento, A.C.A., Imai, H.: Commitment capacity of discrete memoryless channels. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 35–51. Springer, Heidelberg (2003)
 [Wul07] Wullschleger, J.: Oblivious-transfer amplification. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 555–572. Springer, Heidelberg (2007)
 [Wul09] Wullschleger, J.: Oblivious transfer from weak noisy channels. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 332–349. Springer, Heidelberg (2009)
 [Wyn75] Wyner, A.D.: The wiretap channel. Bell Syst. Tech. J. 54(8), 1334–1387 (1975)