Abstract
A \((\gamma ,\delta )\)-elastic channel is a binary symmetric channel between a sender and a receiver where the error rate of an honest receiver is \(\delta \) while the error rate of a dishonest receiver lies within the interval \([\gamma , \delta ]\). In this paper, we show that from any non-trivial elastic channel (i.e., \(0<\gamma<\delta <\frac{1}{2}\)) we can implement oblivious transfer with information-theoretic security. This was previously (Khurana et al., Eurocrypt 2016) only known for a subset of these parameters. Our technique relies on a new way to exploit protocols for information-theoretic key agreement from noisy channels. We also show that information-theoretically secure commitments where the receiver commits follow from any non-trivial elastic channel.
Keywords
1 Introduction
In this paper we consider oblivious transfer (OT), a well known two-party cryptographic primitive. In oblivious transfer, a sender has two messages and a receiver chooses to learn one of them. The receiver gains no information about the other message, while the sender does not know which of the messages the receiver has learned. Oblivious transfer is an important primitive because it is sufficient for information-theoretic secure computation [Kil88].
However, information-theoretic secure computation and therefore oblivious transfer are well known to be impossible if sender and receiver communicate in the plain model, without additional resources. Therefore, several alternative models have been studied where information-theoretically secure oblivious transfer is possible because we assume additional resources.
One such assumption is the existence of a noisy channel between the sender and the receiver. It was shown in [CK88] that binary symmetric channels are in fact enough to realize oblivious transfer. A binary symmetric channel is one where each bit sent is flipped with a certain probability, known as the error rate of the channel. More efficient constructions, and different variants of noisy channels, were provided in subsequent papers, such as [BCS96, Cré97, DKS99, DFMS04, CMW05, CS06, PDMN11, IKO+11].
In particular, it was realized that it is problematic to assume that we are given a noisy channel with known and fixed parameters, such that the OT protocol we construct is allowed to depend on the parameter values. One reason for this is that it can be very hard to reliably estimate the parameters of a real channel. Another, more serious problem is that by fixing the parameters we are implicitly assuming that the adversary cannot change them. This is clearly unrealistic, and was the main motivation for introducing unfair noisy channels (UNC) in [DKS99]. In this model, the channel is a binary symmetric channel where, however, an adversary who corrupts one of the two parties can also choose the error rate to be within some range \([\gamma , \delta ]\). For \(\delta \ge 2\gamma (1-\gamma )\), the channel is easily seen to be trivial (it can be simulated from noiseless communication). It was shown in [DKS99] that information-theoretically secure oblivious transfer follows from UNC for a certain subset of the possible non-trivial parameter choices, while information-theoretically secure commitments follow from any non-trivial UNC.
Elastic channels (EC), a relaxation of unfair noisy channels, have been introduced in [KMS16]. For an EC, the noise can only be reduced by an adversary who corrupts the receiver. More precisely, given \(0\le \gamma <\delta \le 1/2\), a \((\gamma ,\delta )\)-elastic channel is one where the communication between the sender and an honest receiver has error rate \(\delta \), but a dishonest receiver may reduce this to be in the interval \([\gamma ,\delta ]\). Clearly, in this setting, \(\delta =1/2\) would correspond to a channel where all information is lost for the honest receiver, while \(\gamma =0\) would yield a channel where a dishonest receiver has full information about the messages sent by the sender. We cannot implement oblivious transfer in either case, and hence these channels are deemed trivial.
It was shown in [KMS16] that commitments where the sender commits follow from any non-trivial EC, and that oblivious transfer follow from EC for a certain subset of parameters, which is larger than in the case of an UNC. More specifically, they show that \(\delta \le \ell (\gamma )\) where \(\ell (\gamma ):=\left( 1+(4\gamma (1-\gamma ))^{-1/2}\right) ^{-1}\) is sufficient.
It is of course interesting that going from UNC to EC allows a larger range of parameters from which we can get OT. However, for both channels, we are still left with a “grey area” of parameter values where we do not know if OT is possible. One might say that we still do not know if an EC is fundamentally and qualitatively different from a UNC as far as OT is concerned. Moreover, for commitments, we know that we can have the sender commit, but since an EC is asymmetric w.r.t what corrupted senders and receivers can do, it is not clear that we can get commitments where the receiver commits for any non-trivial EC.
Our Contribution. In this paper, we make progress on the above questions. First, we close the gap left open in [KMS16] and show that information theoretically secure oblivious transfer follows from any non-trivial EC. Along the way, we also construct commitments where the receiver commits, from any non-trivial EC.
Our main technical contribution is a new way to exploit a certain type of key agreement protocol towards implementing OT. More specifically, we consider a key agreement protocol between two parties (Alice and Bob) in the following model: Alice can send messages to Bob through a binary symmetric channel C with error rate \(\delta \), and the adversary Eve will receive what Alice sends via an independent binary symmetric channel with error rate \(\gamma '\in [\gamma ,\delta ]\). On top of this, Alice and Bob may also communicate via a public error-free channel. Several key agreement protocols exist in this model [Mau93]. The main idea is to use the public channel to identify transmissions where Alice and Bob are more likely to agree on what was sent on the noisy channel. Because Eve’s channel is independent, this may create a situation where Eve has a disadvantage compared to Bob, even if her noise rate is initially smaller.
In this work, we consider key agreement protocols that are secure in the usual sense: Alice and Bob agree on the output, and Eve gets essentially no information on the key. But in addition, we require an extra property we call emulatability: We can replace Bob by a “fake” Bob’, who gets no information on what Alice sends on the noisy channel (but Eve gets information with error rate \(\gamma '\) as usual). Still, Bob’ can complete the conversation on the public channel such that neither Alice nor Eve can distinguish Bob’ from Bob. As we explain later, we can modify the key agreement protocol presented in [Mau93, Sect. 5] so that it is emulatable. We show that an oblivious transfer protocol secure against semi-honest adversaries can be constructed from any emulatable key agreement protocol. Furthermore, by using information-theoretic commitments where the committing party is the receiver (which can be constructed from any non-trivial EC, as we will show) we can upgrade our protocol to achieve security against a malicious receiver too. Finally, we show how to achieve security against a malicious sender in the case where our emulatable key agreement protocol is the one mentioned above.
Technical Overview. To give an intuition of how our protocol works, consider first the case of semi-honest security where a semi-honest receiver reduces the error rate to the minimal value \(\gamma \) (which is without loss of generality).
We turn an emulatable key agreement (KA) protocol as described above into an OT protocol as follows. The sender and the receiver engage in two independent instances (indexed respectively by 0 and 1) of the key agreement protocol above. In both cases, the sender from the OT protocol takes the role of Alice in the KA protocol, while the receiver does the following: in the instance of the KA protocol corresponding to his selection bit b, he acts as Bob would, while in the other instance, he acts as Bob’ (so in particular his actions are independent of what he receives from the sender on the EC). Finally Alice sends her messages \(m_0\), \(m_1\) one-time padded respectively with \(k_0\) and \(k_1\), each of these keys obtained in the corresponding key agreement protocol.
Now, an honest receiver will learn \(m_b\) as he should, which follows from correctness of the KA protocol. Second, a corrupt sender cannot learn the choice bit b. This follows from the emulatability property of the KA protocol: the sender cannot distinguish in which of the two instances she is interacting with the real Bob. Finally, a corrupt receiver cannot learn \(m_{1-b}\). This follows from the fact that, in the instance of the KA corresponding to \(1-b\), the view of the receiver is the same as the view of Eve, namely he sees everything Alice sends with error rate \(\gamma \), and he sees the public discussion (the fact that he generates that discussion himself by running Bob’ makes no difference). One can then show that emulatability implies that this view is distributed identically to the case where Eve watches Alice interact with Bob, and the usual definition of key agreement security guarantees that this is independent from the exchanged key \(k_{1-b}\).
Security in the malicious case is more involved. First, we need to ensure that the malicious receiver follows the protocol. It turns out to be sufficient that the receiver proves that for one of the KA instances, the messages he sends on the public channel are generated by Bob’, of course without revealing which one. To this end we can use the fact that commitments where the committing party is the receiver also follow from any EC (see below) and, via a known reduction, zero-knowledge proofs on committed values follow as well. Thus, we are doing something very similar to the GMW compiler. As a result we get a protocol that is secure against a semi-honest sender and a malicious receiver.
To further protect against a malicious sender, we execute many instances of the OT. The receiver checks the statistics of what he receives on the EC and discards instances that are too far from what he expects to see from an honest sender. This creates a protocol where the sender will (at least sometimes) have non-trivial uncertainty about the choice bit. We can now use standard techniques to clean this up to get a secure OT.
As for our construction on receiver commitments from any non-trivial EC, we observe that the commitment protocol from [DKS99] (that was designed for a UNC) can be modified to work for an EC. All we essentially have to do is to choose the parameters correctly. On the one hand, handling an EC is harder because \(\delta \) and \(\gamma \) are much further apart than for a UNC, however, on the other hand an EC is easier because one party has to live with the large noise rate even if he is corrupt. Intuitively, the observation is that these two issues balance each out so that (almost) the same protocol still works.
Outline. In Sect. 2 we define the basic functionalities we will deal with for the remainder of the paper, namely oblivious transfer and the elastic channel. In Sect. 3, we introduce the notion of emulatable key agreement, as well as a protocol that implements it. Emulatable key agreement is used in Sect. 4 to implement an OT protocol that is secure against semi-honest adversaries. This protocol is then used in Sect. 5 in the construction of a protocol secure against a malicious receiver. Finally, in Sect. 6 we present a construction that builds upon the one of Sect. 5 to obtain security against malicious adversaries.
2 Preliminaries
2.1 Security Model
We prove our protocols secure in the Universal Composability framework introduced in [Can01]. This model is explained in Appendix A.
2.2 Oblivious Transfer
Oblivious transfer is a two-party primitive where one party (the sender) inputs two messages and the other party (the receiver) chooses to receive one—and only one—of them. Crucially, the sender does not learn the receiver’s choice, and the receiver does not learn the message it did not choose. This primitive is formalized in the figure below. Note that the description includes an adversary \(\mathcal {A}\), which can corrupt parties.
2.3 Elastic Channel
A \((\gamma ,\delta )\)-elastic channel, as introduced in [KMS16], is a binary symmetric channel with crossover probability \(\delta \) where a receiver that has been corrupted by the adversary can choose to reduce the crossover probability to a level \(\nu \) with \(\gamma \le \nu \le \delta \). In the functionality below, we define a more general version where the channel is composed by \(\ell \) binary symmetric channels (all with crossover probability \(\nu \)).
3 Emulatable Key Agreement
Key agreement is the problem where two parties, Alice and Bob, want to establish a common key (a random element from \(\{0,1\}^\ell \)) so that an eavesdropper Eve has no information about this key. In other words, the goal is to implement the following functionality \(\mathcal {F}_{\mathtt {KA}}\).Footnote 1
In this section, we consider the scenario in which Alice can communicate to Bob via a wiretap channel \(\mathcal {F}_{\mathtt {C}}\) where each bit is flipped (independently) with probability \(\delta \). Eve can obtain another noisy version of this communication, where each bit is flipped with probability \(\gamma \) and this noise is independent from Bob’s. Furthermore, there is a feedback public channel \(\mathcal {F}_{\mathtt {Pub}}\) through which Alice and Bob can communicate.
In this setting, we are interested in key agreement protocols with an additional property that we call emulatability. A key agreement protocol \(\pi \) is emulatable if, in addition to implementing the key agreement functionality as it should, the role of Bob can be simulated by some entity \(\mathcal {E}\), the emulator, that learns no information about the messages transmitted through \(\mathcal {F}_{\mathtt {C}}\), other than their lengths, and neither Alice nor Eve can distinguish whether Alice is interacting with Bob or with \(\mathcal {E}\).
We formalize this below. We first define a functionality \(\mathcal {F}_{\mathtt {DC}}\) that models a dummy channel whose task is to erase every information sent through the channel \(\mathcal {F}_{\mathtt {C}}\) except for the length of the messages.
Definition 1
A key agreement protocol \(\pi \) between Alice and Bob using a wiretap channel \(\mathcal {F}_{\mathtt {C}}\) and a public channel \(\mathcal {F}_{\mathtt {Pub}}\) is emulatable if:
-
1.
It realizes the functionality \(\mathcal {F}_{\mathtt {KA}}\). That is, there exists a simulator \(\mathcal {S}\) such that for all eavesdroppers \(\mathcal {A}\),
$$\begin{aligned} \pi \diamond \mathcal {F}_{\mathtt {C}} \diamond \mathcal {F}_{\mathtt {Pub}} \equiv _{\mathcal {A}} \mathcal {F}_{\mathtt {KA}} \diamond \mathcal {S}. \end{aligned}$$ -
2.
There exists an emulator \(\mathcal {E}\) such that the following happens: suppose that we consider the protocol \(\pi '\) where we replace Bob by \(\mathcal {F}_{\mathtt {DC}} \diamond \mathcal {E}\), i.e., \(\mathcal {E}\) is linked to \(\mathcal {F}_{\mathtt {C}}\) via the dummy channel \(\mathcal {F}_{\mathtt {DC}}\), and Alice acts as in protocol \(\pi \), while in both cases the eavesdropper \(\mathcal {A}\) receives information from \(\mathcal {F}_{\mathtt {C}}\) and \(\mathcal {F}_{\mathtt {Pub}}\). Then from the point of view of Alice and all eavesdroppers \(\mathcal {A}\), the protocol executions of \(\pi \) and \(\pi '\) are indistinguishable.
That is, we have
$$\begin{aligned} \pi \diamond \mathcal {F}_{\mathtt {C}} \diamond \mathcal {F}_{\mathtt {Pub}} \equiv _{\mathrm {Alice}, \mathcal {A}} \pi ' \diamond \mathcal {F}_{\mathtt {C}} \diamond \mathcal {F}_{\mathtt {Pub}}. \end{aligned}$$
We will need the following property later on.
Proposition 1
Suppose that a key agreement protocol \(\pi \) is emulatable. Then for any eavesdropper \(\mathcal {A}\), if Alice is executing the protocol \(\pi '\) with the emulator \(\mathcal {E}\) as in the definition, \(\mathcal {A}\) obtains no information about Alice’s output.
This is because, if \(\mathcal {A}\) could obtain any information about Alice’s output in the execution of \(\pi '\), then either she would be able to obtain information about Alice’s output in the execution of \(\pi \) (contradicting property 1 of emulatability) or she would be able to distinguish \(\pi \) and \(\pi '\) (contradicting property 2).
3.1 The Emulatable Key Agreement Protocol
We now describe an emulatable key agreement protocol for a wiretap channel \(\mathcal {F}_{\mathtt {C}}\) with \(\gamma < \delta \), that is, for which the channel to the eavesdropper Eve is more reliable than the channel to Bob.
This is a small modification of a key agreement protocol from [Mau93, Sect. 5]. For each \(\gamma ,\delta \), the protocol specifies numbers \(s, \ell , n \in \mathbb {N}\), to be determined below. In addition, \(\ell =2m+1\) is an odd number. The protocol consists of three phases: advantage distillation, information reconciliation and privacy amplification.
The goal of the advantage distillation step is to create a conceptual channel between Alice and Bob which is more reliable than the one between Alice and Eve. In our protocol, this step proceeds as follows. Alice samples n random bits \(b_i\) and encodes each bit b as a bitstring v in \(\{0,1\}^\ell \) by selecting uniformly at random a set \(\mathcal {J}\subseteq \{1,\dots ,\ell \}\) of size m and setting the j-th coordinate of v to be \(1-b\) if \(j\in \mathcal {J}\) and b if \(j\not \in \mathcal {J}\). Note that this means \(m+1\) of the bits of the encoding equal b while the other m bits equal \(1-b\). Now, if for a given sent bit b, Bob receives a message of the form \((c,c,\dots ,c)\) for some c, we say Bob accepts the bit b and c is his guess about b. Now Alice creates the bitstring \(b_{i_1}b_{i_2}\dots b_{i_s}\) given by the first s bits accepted by Bob and Bob creates the bitstring \(c_{i_1}c_{i_2}\dots c_{i_s}\) of his guesses. They both disregard the remaining bits. Alternatively, one can see Alice’s encoding process as first encoding her bit with the repetition code and then introducing errors in exactly m positions. As we discuss in Sect. 3.2, the protocol is similar to that in [Mau93, Sect. 5], except that the global error introduced here is of fixed weight m, rather than flipping each bit with certain probability. In Sect. 3.2 below, we discuss why we need this to introduce this modification. Yet, from the point of view of advantage distillation, the intuition why this protocol works is the same as in [Mau93]: namely, even though Eve has more information over messages sent over the wiretap channel than Bob has, she has less information about the ones accepted by Bob; in other words, the probability that Bob decodes those bits correctly is higher than that of Eve’s. We formalize this later.
The information reconciliation step is carried out over the public channel. After this step, Alice and Bob will share a common bitstring with overwhelming probability, and Eve is still guaranteed to have some uncertainty about it. In the description below, we use the information reconciliation protocol in [BS94], where Alice sends the evaluation on her bitstring of a hash function chosen from a 2-universal family with an appropriate range size. Then Bob corrects his bitstring by finding the closest bitstring to it which is consistent with this evaluation.
Alice and Bob can then apply privacy amplification to obtain a random string about which Eve has no information. This can also be done by having only Alice send information over the public channel. The fact that both the information reconciliation and privacy amplification steps involve only Alice sending information over the public channel is important to guarantee the emulatability property.
We note that the information reconciliation step may in general not be computationally efficient for Bob; however, in fact any information reconciliation protocol can be used, as long as it is non-interactive. One efficient option is to employ a fuzzy extractor, as in [DORS08, Sect. 8.1], in order to execute both steps.
This description is formalized below. (For simplicity, we omit the description of the “establish” step introduced in the functionality of Sect. 3.)
In order to prove that our protocol is indeed an emulatable key agreement protocol, we introduce the following notation. Let X denote a variable with the uniform distribution over \(\{0,1\}\). Let Y and Z be the random variables that describe respectively the output bit c of Bob and the received bitstring of Eve (which is an element in \(\{0,1\}^\ell \)) when Alice samples a bit b according to X, encodes it as in our protocol, sends it through the wiretap channel and Bob accepts. An important point to make is that, since the noise of Bob and Eve are independent, the probability distribution of Z would be the same if we removed the conditioning on Bob accepting the bit. We have the following theorem.
Theorem 1
The protocol \(\pi _{\mathtt {KA}}\) is an emulatable key agreement protocol.
We use the following lemma which intuitively means that, as \(\ell \) grows, the probability that Eve receives a bitstring where most bits are 0 approaches 1/2 if Alice encoded a 0 (naturally an analogous statement holds if Alice encoded a 1). The proof of the lemma can be found in Appendix B.
Lemma 1
For \(i \in \{0,1\}\), let \(S_i\subseteq \{0,1\}^\ell \) be the set of all bitstrings where most bits are i. Then \(\Pr [Z\in S_i|X=i]\rightarrow 1/2\) as \(\ell \rightarrow \infty \).
Proof
(of Theorem 1). The detailed proof is in Appendix C. Here we give a sketch.
First we argue about the correctness of the protocol. It is not difficult to see that, for each index i, Bob accepts the corresponding bit with probability \(p_{\mathtt {accept}} = (\delta (1-\delta ))^m\). Furthermore, condition to Bob having accepted a bit, the probability that he decodes it correctly is again exactly \(1-\delta \), i.e., the advantage distillation step creates another conceptual noisy channel where the noise parameter is still \(\delta \), the same as in the original noisy channel.
Since we set n slightly larger than \(\lceil s/p_{\mathtt {accept}} \rceil \), for large enough parameters Bob will, with very high probability, accept at least s bits, of which roughly \(\delta \cdot s\) will be incorrect. By the results on information reconciliation in [BS94] our choice of \(\mathcal {H}_1\) guarantees that Bob corrects to the right string in the information reconciliation step, and hence that they output the same key at the end of the protocol.
Next, we consider privacy. Let X and Z be as above. We can use Lemma 1 in order to establish that \(H_{\infty }(X|Z)\rightarrow 1\) as \(\ell \rightarrow \infty \). We can then select \(\ell \) large enough so that \(H_\infty (X^s|Z^s, h_1, h_1(X^s))\ge t+2\sigma \) (see the full proof for details), and apply the leftover hash lemma to conclude that conditioned on everything seen by Eve during the protocol, the distribution of \(h_2(X^s)\) is \(2^{-\sigma }\)-close to the uniform distribution over \(\{0,1\}^t\).
Finally, to show that the protocol is emulatable, we have to construct an emulator \(\mathcal {E}\) that satisfies Property 2 in Definition 1. Note the only information sent by Bob is the description of the set \(\mathcal {I}\) of indices for which Bob accepted Alice’s message. Hence, this can be emulated by sampling a random index set \(\mathcal {I} \subseteq \{0,1\}^n\), where each index belongs to \(\mathcal {I}\) with independent probability \(p_{\mathtt {accept}}.\)
3.2 On the Emulatability of Other Key Agreement Protocols
Protocol \(\pi _{\mathtt {KA}}\) described above is based on the protocol given in [Mau93, Sect. 5]. As a matter of fact, several key agreement protocols for noisy channels are described in [Mau93] and subsequent works. However, they are either not emulatable (or, at least, it seems difficult to show they are) or they do not work for all non-trivial sets of parameters \((\gamma ,\delta )\).
First, [Mau93, Sect. 5], considers a slightly different scenario, in which there is only a public channel available for communication but on the other hand at the beginning of the protocol Alice, Bob and Eve have noisy versions (respectively \(r_A\), \(r_B\) and \(r_E\)) of a common string r, where each bit is independently flipped with probabilities \(\epsilon _A\), \(\epsilon _B\) and \(\epsilon _E\) for Alice, Bob and Eve respectively. Then having Alice mask a message (by xoring it with \(r_A\)) and send it through the public channel, induces a conceptual noisy channel where the input of Alice is m, and the outputs of Bob and Eve are \(m\oplus r_A\oplus r_B\) and \(m\oplus r_A\oplus r_E\) respectively. In the protocol proposed in [Mau93, Sect. 5] Alice encodes random bits with a repetition code and sends the information over the conceptual channel. From this point, the protocol proceeds as ours (Bob accepts the bits corresponding to codewords and they execute information reconciliation and privacy amplification on the resulting string). It can be shown that any parameters \(0<\epsilon _A, \epsilon _B, \epsilon _E<1/2\) lead to a secure key agreement protocol.
In our scenario, the players do not start with noisy versions of a common string, but have a \((\gamma ,\delta )\)-wiretap channel. We can reproduce the situation above in our scenario as follows: in order to send the message m, Alice flips each bit independently with probability \(\epsilon _A>0\) and sends the result through the \((\gamma ,\delta )\)-wiretap channel. This would be an equivalent situation of the above where \(\epsilon _B=\gamma \) and \(\epsilon _E=\delta \), and therefore it would lead to a secure key agreement protocol. However, the protocol would not be emulatable: the reason is that the probability that Bob accepts a given instance depends on the exact number of bitflips introduced by Alice. However, because this artificial noise has been introduced by Alice and not by the channel, this information is known by Alice; on the other hand, the number of bitflips in a given instance cannot be determined precisely by the emulator, even though it knows \(\epsilon _A\). Hence, regardless of how we define the emulator, Alice will be able to distinguish when she is interacting with it or with Bob.
If Alice does not introduce this artificial noise (i.e., if \(\epsilon _A=0\)), then there is an emulator that can reproduce Bob’s answer in every case, but the range of \((\gamma ,\delta )\) for which this protocol is a secure key agreement protocol does not include all possible \(0<\gamma , \delta <1/2\) and, in fact, it can be seen is exactly the very same range of parameters \((\gamma ,\delta )\) for which [KMS16] shows the existence of an OT protocol for a \((\gamma ,\delta )\)-elastic noisy channel (i.e. those pairs satisfying \(\delta \le \left( 1+(4\gamma (1-\gamma ))^{-1/2}\right) ^{-1}\)).
In our protocol, we solve these problems by having Alice introduce artificial noise, but making this noise be of a fixed Hamming weight m. This solves the problem with the existence of the emulator, while still preserving the security of the protocol.
Finally, we also need to mention that a simpler protocol for key agreement in our wire-tap channel scenario is presented in [Mau93, Proposition 1]. The protocol first creates a conceptual channel from Bob to Alice in which Alice has more information about Bob’s message than Eve does. This protocol works for all non-trivial wire-tap channel noise parameters. However, the information reconciliation and privacy amplification steps cannot be performed in such a way that it is only Alice who sends information (because in this case these steps are going to correct Alice’s knowledge of Bob’s string). Then, it is unclear whether this protocol can be made emulatable, because we would also need the emulator to simulate the information sent by Bob in these steps, and this does not appear to be straightforward.
4 Semi-honest Protocol
Now we present an OT protocol over the elastic channel \(\mathcal {F}_{\mathtt {EC}}(\gamma ,\delta )\) for semi-honest adversaries. We show that such an oblivious transfer protocol can be constructed from any emulatable key agreement protocol that works in the setting of Sect. 3 (where Alice, Bob and Eve are connected by a wiretap channel \(\mathcal {F}_{\mathtt {C}}\) with the noise parameters being \(\delta \) for Bob and \(\gamma \) for Eve).
The idea of the protocol is for sender and receiver to engage in two separate subprotocols. In one, they run the emulatable key agreement protocol with the sender acting as Alice and the receiver acting as Bob. In the other subprotocol, the sender follows again the key agreement protocol as Alice, whereas the receiver runs the emulator, according to Definition 1. The choice bit c determines whether the receiver will follow the protocol or act as the emulator. Here, the elastic channel is used as a conceptual wiretap channel \(\mathcal {F}_{\mathtt {C}}\), where an honest receiver gets the output of the legitimate (noisier) channel, whereas an adversarial receiver gets the output of the less noisy channel.
To see why the protocol is secure, we note that since the key agreement protocol is emulatable, the sender does not know whether she is interacting with Bob (that is, whether she is engaging in the actual key agreement protocol) or with the emulator. Hence, she does not learn any information about the choice bit c. This guarantees the receiver’s privacy.
On the other hand, by definition the emulator can generate the transcript for the key agreement protocol without knowing anything about the exchanged key. Therefore in this case the receiver has no information about the key output by Alice at the end of the key agreement protocol.
This proof sketch is formalized in Theorem 2, below.
Theorem 2
The protocol \(\pi _{\mathtt {OTSH}}\) realizes \(\mathcal {F}_{\mathtt {OT}}\). That is, there exists a simulator \(\mathcal {S}\) such that
for all semi-honest environments \(\mathcal {Z}\).
Proof
For each activation, the environment \(\mathcal {Z}\) chooses \(m_0,m_1,c\). When interacting with the protocol, \(\mathcal {Z}\) receives \(m_c'\), and when interacting with \(\mathcal {F}_{\mathtt {OT}}\), it receives \(m_c\). We note first that since \(\pi _c\) is an instance of \(\pi _{\mathtt {KA}}\), which implements \(\mathcal {F}_{\mathtt {KA}}\), we have \(m_c' = m_c\). All that remains to be shown is that there exists a simulator for \(\mathcal {F}_{\mathtt {OT}}\) that can reproduce the view of the environment.
First, assume \(P_1\) is corrupted, so that \(\mathcal {Z}\) gets access to \(P_1\)’s internal state. During the real execution, it gets access to \(k_0, k_1\) (through \(P_1\)), \(\bar{m}_0, \bar{m}_1\) plus the leakage from \(\pi _0\) and \(\pi _1\) (through the adversary \(\mathcal {A}\), which interacts with \(\mathcal {F}_{\mathtt {EC}}\) and \(\mathcal {F}_{\mathtt {Pub}}\)). At the end of the execution, it gets \(P_2\)’s output, which is given by \(m_c\).
In the ideal process, the simulator \(\mathcal {S}\) corrupts \(P_1\), so that it gets access to \(m_0, m_1\). \(\mathcal {S}\) proceeds as follows. First, it executes two copies of \(\mathcal {F}_{\mathtt {KA}} \diamond \mathcal {S}'\), where \(\mathcal {S}'\) is the simulator for the key agreement protocol. By assumption, this internal simulator replicates the leakage from \(\pi _0\) and \(\pi _1\), which is relayed to \(\mathcal {Z}\). Additionally, at the end of \(\mathcal {F}_{\mathtt {KA}}\)’s execution, \(\mathcal {S}\) gets two random keys, which we denote by \(k_0'',k_1''\). It then computes \(\bar{m}_i = m_i \oplus k_i''\) for \(i=1,2\) and sends both to \(\mathcal {Z}\). Finally, it sends \(m_0, m_1\) to \(\mathcal {F}_{\mathtt {OT}}\), which will then send \(m_c\) to \(P_2\). It is easy to see that \(\mathcal {F}_{\mathtt {OT}} \diamond \mathcal {S}\) provides \(\mathcal {Z}\) with the same view as in the real protocol.
Now assume \(P_2\) is corrupted. Throughout the real execution, \(\mathcal {Z}\) gets access to \(k_c\) (through \(P_2\)), \(\bar{m}_0, \bar{m}_1, m_c\) plus the leakage from \(\pi _0\) and \(\pi _1\) (through the eavesdropper \(\mathcal {A}\)). In the ideal process, \(\mathcal {S}\) gets c by corrupting \(P_2\). It proceeds as follows. It runs one copy of \(\mathcal {F}_{\mathtt {KA}} \diamond \mathcal {S}'\), obtaining a random key \(k_c''\), and relays c to \(\mathcal {F}_{\mathtt {OT}}\). After \(P_2\) receives \(m_c\) from \(\mathcal {F}_{\mathtt {OT}}\), \(\mathcal {S}\) computes \(\bar{m}_c = m_c \oplus k_c''\) and sends it to \(\mathcal {Z}\). Clearly, \(m_c\) and \(\bar{m}_c\) have the same distribution as in the real execution.
Finally, we look at the leakage from the execution of \(\pi _{1-c}\) (executing the instance of \(\pi _{\mathtt {KA}}'\) with the emulator \(\mathcal {E}\)). Due to Proposition 1, \(\pi _{1-c}\) gives no information on \(k_{1-c}\) to the eavesdropper \(\mathcal {A}\). Therefore \(\bar{m}_{1-c}\) gives no additional information to \(\mathcal {Z}\). Moreover, since the execution of \(\mathcal {E}\) only depends on the outputs of the dummy channel \(\mathcal {F}_{\mathtt {DC}}\), its view provides \(\mathcal {Z}\) with no additional information, even given the rest of \(\mathcal {Z}\)’s view. The view of \(\mathcal {Z}\) is therefore the same in both scenarios.
5 OT Protocol Secure Against a Malicious Receiver
In this section, we make our protocol secure against a malicious receiver. Note that in our semi-honest protocol, we rely on the fact that the players will engage in two instances of an emulatable key agreement protocol, where the receiver will play the role of Bob in one of them and the emulator in the other. Of course, if the receiver is malicious, he will not necessarily adopt this behaviour. We will use standard techniques to solve this problem. Namely, we want to use the paradigm introduced in [GMW86]: we will make the receiver prove in zero knowledge that he is acting as in the semi-honest protocol.
To do this, we will need that the receiver can commit to bits. Recall that in [KMS16] it was shown that commitments where the sender commits follow from any non-trivial EC, but since an EC is asymmetric, it is not clear that this allows the receiver to commit. Therefore, we solve this problem first.
5.1 Receiver Commitment from Any Non-trivial EC
The solution in a nutshell is to observe that the commitment protocol from [DKS99] will work for receiver commitments on any non-trivial EC, if we slightly tune some of the parameters.
First, note that we can reverse the direction of the EC, by simply having the sender send a random bit x on the EC, the receiver chooses a bit b to send and sends \(x\oplus b\) back on the public channel. This is clearly a noisy channel in the opposite direction. In this subsection we will rename the sender and call him the verifier V, while the receiver will be called the committer C. What we just constructed is a “reversed EC” where the C sends and V receives. V always receives with noise rate \(\delta \), but C can reduce his noise rate to \(\gamma \) if he is corrupted (and hence get a better idea of what V received). The goal is now to build an unconditionally secure commitment scheme based on such a channel.
In fact, we show that, under a careful choice of parameters, the commitment protocol from [DKS99] already works with no change. A complete description of the protocol, as well as an intuition for why it is secure, is provided in Appendix D.
5.2 From Commitment to Security Against a Malicious Receiver
Recall that the GMW compiler [GMW86] transforms a semi-honestly secure protocol into a maliciously secure one by using the following three steps: in the first step, each party commits to his input; in the second step, each party is forced to commit to a random tape, where it is important that the tape is hidden from the other party and is chosen at random. This is done by having the party that is committing to a random tape commit to a random value. The other party then sends a random string. The tape is then defined to be the xor of both strings. This technique is known as coin-tossing in the well. Finally, in the third step, each player follows the protocol with the committed inputs and their committed tape and whenever they send a message, they also prove in zero-knowledge that this is the correct message given their committed input, their committed random tape and the transcript of the protocol.
In this section, we are only interested in achieving security against a malicious receiver, so we apply the compiler to the receiver only. This results in the following approach: In the first step, the receiver will commit to his choice of input c; this also indicates the instance of the key agreement protocol where he will play the role of Bob. In the second step, the receiver will be forced to commit to a random tape t for the emulator using coin-tossing in the well. Then the sender and receiver will run an augmented version of the semi-honest protocol. Each instance of the key agreement protocol will be associated to an index b. Each time a receiver sends a message, the receiver also proves in zero-knowledge: “Either the given instance of key agreement has index \(b=c\) or the message was produced by following the description of the emulator with random tape t”.
There is, however, one difficulty: In [GMW86], the commitments were computational. It was therefore possible to prove statements about committed values directly. For a black-box information-theoretically secure commitment, it is not directly possible to prove statements that involve the committed values. To fix this problem, we use a commitment scheme which can indeed be used for any number of zero-knowledge proofs. This is the commitment scheme from [CvdGT95] which was later proven UC-secure in [Est04]. As shown in [CvdGT95], this commitment scheme can be constructed in a black-box manner from any commitment schemes. Although this commitment scheme only allows proofs of xor relationships directly, one can use techniques such as [BCC88] to prove arbitrary statements involving the committed values.
Theorem 3
\(\pi _{\mathtt {OTMR}}\) securely realizes \(\mathcal {F}_{\mathtt {OT}}\) in the \(\mathcal {F}_{\mathtt {EC}}\)-hybrid model against an environment that can only semi-honestly corrupt the sender.
This theorem follows directly from the construction of XOR commitments from [CvdGT95, Est04], the security of the GMW compiler [GMW86] and the security of the zero-knowledge protocol from [BCC88, Kil92].
6 Secure Protocol
In this section we consider our oblivious transfer protocol \(\pi _{\mathtt {OTMR}}\) from Sect. 5, which is secure against a semi-honest sender and a malicious receiver and we show that, if \(\pi _{\mathtt {OTMR}}\) is implemented with the key agreement protocol from Sect. 3.1, we can transform \(\pi _{\mathtt {OTMR}}\) into a protocol \(\pi _{\mathtt {OT}}\) secure against an malicious sender too.
Note that in the aforementioned key agreement protocol, the sender is supposed to send through the channel several bitstrings of length \(\ell \) and Hamming weight either m or \(m+1\), where \(\ell =2m+1\). From now on, we refer to bitstrings of weights m and \(m+1\) as codewords, while the rest will be non-codewords. A problem that arises when using this key agreement protocol as a basis for our oblivious transfer protocol, is that an active sender could use non-codewords to bias the distribution of indices and learn the receiver’s choice. For example, if she sends the all-one bitstring, this index will be accepted by the receiver with higher probability if he is playing the role of Bob, than it will if he is playing the role of the emulator.
We will prevent an active sender from using non-codewords in her advantage by combining cut-and-choose techniques, a typicality test and an OT-combiner. The protocol works essentially as follows: the sender and receiver will start to run N instances of \(\pi _{\mathtt {OTMR}}\) in parallel. Right after the sender has sent the intended codewords through the channel \(\mathcal {F}_{\mathtt {EC}}\) in all these instances, the receiver will then choose half of those instances and request the sender to open her view (i.e., to reveal the information that she sent through the channel). The receiver now runs a typicality test on those instances: he counts the number of differences between what the sender claims to have sent and what he received for those instances. If this distance is higher than what would be typically expected from the noisy channel then the receiver aborts. If the test passes then it is guaranteed that, except with negligible probability, there is at least one unopened instance where no bad codeword was sent.
The sender and receiver now apply a (1, N / 2) OT-combiner on the half of the instances of \(\pi _{\mathtt {OTMR}}\) that have not been opened; in general, a (t, n) OT-combiner [HKN+05] is a primitive which given (black-box) access to n OT candidates, implements a secure OT as long as t of them are secure; in our case, our candidates are the unopened instances of \(\pi _{\mathtt {OTMR}}\) and we use a simple XOR-based OT-combiner which only needs to be secure against a malicious sender (all the candidates are already guaranteed to be secure against a malicious receiver). Since the sender has behaved well in at least one of these instances, we achieve a secure oblivious transfer protocol by applying this combiner.
The sender could also try to cheat in the public channel part of the key agreement protocol by sending some inconsistent information (for example in the information reconciliation step) to see the aborting behaviour of the receiver; however, we have the receiver abort in the global protocol if he sees at least one inconsistency in some instance of the protocol. Given the properties of the combiner the only way to obtain information about the receiver’s input bit is that the sender cheats in one of the key agreement protocols of every unopened instance and the receiver never aborts, which happens if the sender guesses each of the \(b_i\)’s for the unopened instances and in turn this happens with probability \(2^{-N/2}\) (in fact, we could make her cheating probability even lower by having the receiver abort if he detects inconsistent information in the opened instances).
6.1 Protocol
The protocol \(\pi _{\mathtt {OT}}\) is described below.
In protocol \(\pi _{\mathtt {OT}}\), the parameters N (the number of instances of \(\pi _{\mathtt {OTMR}}\) that will be run), \(\sigma \) (the security parameter of \(\pi _{\mathtt {OTMR}}\)) and \(\tau \) (a threshold parameter for the test, which is \(W(\sigma )\) plus a small offset) are defined so that we have the following guarantees:
-
1.
The probability that at least one instance of \(\pi _{\mathtt {OTMR}}\) is broken by a dishonest receiver is smaller than \(2^{-\kappa }\): Indeed, each individual instance can be broken with probability at most \(2^{-\sigma }\), and it is easy to see that with our choice of parameters, it holds that \(N\cdot 2^{-\sigma }\le 2^{-\kappa }\).
-
2.
The probability that an honest sender passes the typicality test is at least \(1-2^{-\kappa }\): see proof in Appendix E.1.
-
3.
If a malicious sender sends at least one non-valid codeword in at least \(N/2-\kappa \) instances of \(\pi _{\mathtt {OTMR}}\) from the testing set, then she passes the typicality test with probability at most \(2^{- \kappa }\): see proof in Appendix E.1.
Note that the third property prevents a malicious sender to cheat except with probability \(2^{-\kappa }\). Indeed, in order for a malicious sender to cheat successfully, she would need to break each of the N / 2 instances of \(\pi _{\mathtt {OTMR}}\) from the evaluation set, and for that she would need to send at least one bad codeword in each of those instances. By 3., in order to pass the test she needs to send all the correct codewords in at least \(\kappa \) instances of the testing set. But since she does not know which instances will be selected for the evaluation set and which for the testing set, then the probability that none of these (at least) \(\kappa \) correct instances end up in the evaluation set is at most \(2^{-\kappa }\).
With all these remarks in mind, we can show (Appendix E) that
Theorem 4
\(\pi _{\mathtt {OT}}\) securely realizes \(\mathcal {F}_{\mathtt {OT}}\) in \(\mathcal {F}_{\mathtt {EC}}\)-hybrid model.
Notes
- 1.
In the remainder of this section, we interchangeably call the parties Alice, Bob, Eve or respectively \(P_1,P_2,\mathcal {A}\).
References
Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)
Brassard, G., Crépeau, C., Santha, M.: Oblivious transfers and intersecting codes. IEEE Trans. Inf. Theory 42(6), 1769–1780 (1996)
Brassard, G., Salvail, L.: Secret-key reconciliation by public discussion. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 410–423. Springer, Heidelberg (1994). doi:10.1007/3-540-48285-7_35
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings of 42nd IEEE Symposium on Foundations of Computer Science, pp. 136–145. IEEE (2001)
Crépeau, C., Kilian, J.: Achieving oblivious transfer using weakened security assumptions (Extended Abstract). In: 29th Annual Symposium on Foundations of Computer Science, White Plains, New York, USA, 24–26 October 1988, pp. 42–52 (1988)
Crépeau, C., Morozov, K., Wolf, S.: Efficient unconditional oblivious transfer from almost any noisy channel. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 47–59. Springer, Heidelberg (2005). doi:10.1007/978-3-540-30598-9_4
Crépeau, C.: Efficient cryptographic protocols based on noisy channels. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 306–317. Springer, Heidelberg (1997). doi:10.1007/3-540-69053-0_21
Crépeau, C., Savvides, G.: Optimal reductions between oblivious transfers using interactive hashing. In: Proceedings of Advances in Cryptology - EUROCRYpPT, 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, May 28–June 1, pp. 201–221 (2006)
Crépeau, C., Graaf, J., Tapp, A.: Committed oblivious transfer and private multi-party computation. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 110–123. Springer, Heidelberg (1995). doi:10.1007/3-540-44750-4_9
Damgård, I., Fehr, S., Morozov, K., Salvail, L.: Unfair noisy channels and oblivious transfer. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 355–373. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24638-1_20
Damgård, I., Kilian, J., Salvail, L.: On the (im)possibility of basing oblivious transfer and bit commitment on weakened security assumptions. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 56–73. Springer, Heidelberg (1999). doi:10.1007/3-540-48910-X_5
Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.D.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)
Estren, G.: Universally composable committed oblivious transfer and multi-party computation assuming only basic black-box primitives. Ph.D. thesis, McGill University (2004)
Goldreich, O., Micali, S., Wigderson, A.: How to prove all NP statements in zero-knowledge and a methodology of cryptographic protocol design (Extended Abstract). In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 171–185. Springer, Heidelberg (1987). doi:10.1007/3-540-47721-7_11
Harnik, D., Kilian, J., Naor, M., Reingold, O., Rosen, A.: On robust combiners for oblivious transfer and other primitives. In: Proceedings of Advances in Cryptology - EUROCRYpPT, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, pp. 96–113, 22–26 May 2005
Ishai, Y., Kushilevitz, E., Ostrovsky, R., Prabhakaran, M., Sahai, A., Wullschleger, J.: Constant-rate oblivious transfer from noisy channels. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 667–684. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22792-9_38
Kilian, J.: Founding cryptography on oblivious transfer. In: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, pp. 20–31. ACM (1988)
Kilian, J.: A note on efficient zero-knowledge proofs and arguments. In: Proceedings of the Twenty-Fourth Annual ACM Symposium on Theory of Computing, pp. 723–732. ACM (1992)
Khurana, D., Maji, H.K., Sahai, A.: Secure computation from elastic noisy channels. In: Proceedings of Advances in Cryptology - EUROCRYpPT - 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, Part II, pp. 184–212, 8–12 May 2016
Maurer, U.M.: Secret key agreement by public discussion from common information. IEEE Trans. Inf. Theory 39(3), 733–742 (1993)
Pinto, A.C.B., Dowsley, R., Morozov, K., Nascimento, A.C.A.: Achieving oblivious transfer capacity of generalized erasure channels in the malicious model. IEEE Trans. Inf. Theory 57(8), 5566–5571 (2011)
Acknowledgments
Part of this work was carried out while Ignacio Cascudo was with Aarhus University. The authors acknowledge support from the Danish National Research Foundation and The National Science Foundation of China (under the grant 61361136003) for the Sino-Danish Center for the Theory of Interactive Computation and from the Center for Research in Foundations of Electronic Markets (CFEM), supported by the Danish Strategic Research Council. In addition, Ignacio Cascudo acknowledges support from the Danish Council for Independent Research, grant no. DFF-4002-00367, Ivan Damgrd was also supported by the advanced ERC grant MPCPRO and Samuel Ranellucci was supported by European Research Council Starting Grant 279447. We thank Jesper Buus Nielsen, Maciej Obremski and the anonymous reviewers for their helpful comments.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Universal Composability
The Universal Composability security framework, introduced in [Can01], is based on the simulation paradigm. Roughly, the idea is to compare the execution of the actual protocol (the real world) with an idealized scenario (the ideal world) in which the computations are carried out by a trusted third party (the ideal functionality) which receives inputs from and hands in outputs to the players. The goal is to show that these two worlds are indistinguishable. In order to formalize this goal, we introduce a party called the environment \(\mathcal {Z}\), whose task is to distinguish between both worlds. Furthermore, in the ideal world, we introduce a simulator \(\mathcal {S}\), its task being to simulate any action of the adversary in the real protocol and thereby to make the two views indistinguishable for any environment. More precisely, in the real world execution of protocol \(\pi \), with the adversary \(\mathcal {A}\) and environment \(\mathcal {Z}\), the environment provides input and receives output from both \(\mathcal {A}\) and \(\pi \). Call \(\mathtt {Real}_{\mathcal {A},\pi ,\mathcal {Z}}\) the view of \(\mathcal {Z}\) in this execution. In the ideal world \(\mathcal {Z}\) provides input and receives output from \(\mathcal {S}\) and the ideal functionality \(\mathcal {F}\). Call \(\mathtt {Ideal}_{\mathcal {S},\mathcal {F},\mathcal {Z}}\) the view of \(\mathcal {Z}\) in the ideal execution. We can proceed to define what it means for a protocol to be secure.
Definition 2
A protocol \(\pi \) UC-implements a functionality \(\mathcal {F}\) against a certain class of adversaries \(\mathcal {C}\) if for every adversary \(\mathcal {A}\in \mathcal {C}\) there exists a simulator \(\mathcal {S}\) such that for every environment \(\mathcal {Z}\), \(\mathtt {Real}_{\mathcal {A},\pi ,\mathcal {Z}} \approx \mathtt {Ideal}_{\mathcal {S},\mathcal {F},\mathcal {Z}}. \)
The cornerstone of the universal composability framework is the composition theorem, which works as follows. Denote by \(\pi \diamond G\) a protocol \(\pi \) that during its execution makes calls to an ideal functionality G. The composition proof shows that if \(\pi _f \diamond G\) securely implements \(\mathcal {F}\) and if \(\pi _g\) securely implements G then \(\pi _f \diamond \pi _g\) securely implements \(\mathcal {F}\). This provides modularity in construction of protocols and simplifies proofs dramatically. It is also shown that proving security against a dummy adversary, one who acts as a communication channel, is sufficient for proving general security.
B Proof of Lemma 1
Clearly, we only need to cover the case \(i=0\). First, note that \(\Pr [Z\in S_0|X=0]\ge 1/2\) since \(\gamma <1/2\). Let \(\overline{X}\) denote the random variable describing the encoding of \(b=0\) by Alice, i.e., \(\overline{X}\) has the uniform distribution over the set of bitstrings in \(\{0,1\}^\ell \) of weight exactly m or \(m+1\). We observe that since Eve’s noise is independent and identically distributed for each bit sent through the wiretap channel, for every string \(\overline{x}\in \{0,1\}^\ell \) of weight m, \(\Pr [Z\in S_0|X=0]=\Pr [Z\in S_0|\overline{X}=\overline{x}]\). So we now compute \(\Pr [Z\in S_0|\overline{X}=\overline{x}]\) for \(\overline{x}=010101\dots 010\).
For \(i=1,\dots ,m\), let \(V_i\) be the random variable that takes value 1 if \(Z=z\) and \(z_{2i-1}=z_{2i}=1\), the value \(-1\) if \(z_{2i-1}=z_{2i}=0\) and the value 0 if \(z_{2i-1}\ne z_{2i}\). Then clearly \(\Pr [Z\in S_0|\overline{X}=\overline{x}]\le \Pr [\sum _{i=1}^m V_i\le 0]\).
Now note that \(V_i\) are independent identically distributed variables such that \(\Pr [V_i=1]=\Pr [V_i=-1]=p\) and \(\Pr [V_i=0]=1-2p\) where \(p=\gamma (1-\gamma )\). Hence \(\Pr [\sum _{i=1}^m V_i< 0]=\Pr [\sum _{i=1}^m V_i> 0]\) and clearly (using for example the central limit theorem) \(\Pr [\sum _{i=1}^m V_i= 0]\rightarrow 0\) as \(\ell \) (and consequently m) grows. Therefore
and consequently \(\Pr [Z\in S_0|X=0]\rightarrow 1/2\).
C Proof of Theorem 1
We first argue that, if we set the parameters adequately, the protocol is correct and secure, i.e., with overwhelming probability Alice and Bob have a common string at the end of the protocol about which Eve has a negligible amount of information.
Remember that for each index i, Alice encodes \(b_i\) as a bitstring containing \(m+1\) bits equal to \(b_i\) and m bits equal to \((1-b_i)\) and Bob accepts if he receives \(c_i^{\ell }\). Hence, the probability that Bob accepts i, i.e., the probability that an index i is in \(\mathcal {I}\) is \(p_{\mathtt {accept}} = \delta ^{m}(1-\delta )^{m+1} + \delta ^{m+1}(1-\delta )^{m}=(\delta (1-\delta ))^m\).
On the other hand, conditioned on Bob accepting index i, the probability that \(c_i\ne b_i\) is
Furthermore these probabilities are independent from each i, so the advantage distillation step creates another conceptual noisy channel where Alice communicates s bits to Bob and the noise parameter is still \(\delta \) (independently of how large \(\ell \) is).
Hence if we set n slightly larger than \(\lceil s/p_{\mathtt {accept}} \rceil \) for large enough parameters, Bob will, with very high probability, accept at least s bits, of which roughly \(\delta \cdot s\) will be incorrect. By the results on information reconciliation in [BS94], if \(h_1\) is chosen from the 2-universal family of hash functions \(\mathcal {H}_1\), then Bob can correct to the right string \(X^s\) with very high probability given his original string, \(h_1\) and \(h_1(X^s)\). Hence both Alice and Bob will compute the same value \(h_2(X^s)\) with high probability and hence the protocol is correct.
As for privacy, remember that X denotes the uniform distribution over \(\{0,1\}\) and Z the variable that represents Eve’s output when Alice chooses b according to X, encodes it, and sends it through the channel. Then
Now the maximum of \(\Pr (X=b|Z=z)\) is reached for \(b=0\) if \(z\in S_0\) and for \(b=1\) if \(z\in S_1\), where \(S_i\) is defined as in Lemma 1. On the other hand, for every \(z\in S_0\), we have \(z':=(1,\dots ,1)-z\in S_1\) and clearly, \(\Pr [X=0|Z=z]=\Pr [X=1|Z=z']\). Hence we can write
Now, clearly \(\sum _{z_\in S_0} 2\cdot Pr[Z=z]=1\) and \(-\log \) is a convex function. This means we can apply Jensen’s inequality to get
Now we use that \(\Pr [Z=z] \Pr [X=0|Z=z]=\Pr [X=0]\Pr [Z=z|X=0]=\frac{1}{2}\Pr [Z=z|X=0]\), so after summing over \(z\in S_0\) we obtain:
as \(\ell \rightarrow \infty \) because of Lemma 1. Since \(\delta +\epsilon <1/2\), for large enough \(\ell \), we have \(\mathfrak {h}(\delta +\epsilon )<H_\infty (X|Z)\) (remember \(\mathfrak {h}(\cdot )\) denotes the binary entropy function).
Now let \(X^s, Y^s\) denote the random variables denoting the s bits outputted by Alice and Bob respectively and let \(Z^s\) be the variable representing the s bitstrings outputted by Eve. Then clearly \(H_\infty (X^s|Z^s)=sH_\infty (X|Z)>s\mathfrak {h}(\delta +\epsilon )+t+3\sigma \) since \(t,\sigma =o(s)\) and therefore \(H_\infty (X^s|Z^s, h_1, h_1(X^s))\ge H_\infty (X^s|Z^s)-s\mathfrak {h}(\delta +\epsilon )-\sigma > t+2\sigma \).
Now, the leftover hash lemma guarantees that conditioned on everything seen by Eve during the protocol, the distribution of \(h_2(X^s)\) is \(2^{-\sigma }\)-close to the uniform distribution over \(\{0,1\}^t\).
To show that the protocol is emulatable, we have to construct an emulator \(\mathcal {E}\) that satisfies Property 2 in Definition 1. We note that the only information Bob sends to Eve is the description of the set \(\mathcal {I}\) of indices for which Bob accepted Alice’s message. We can construct an emulator for Bob thus. After \(\mathcal {E}\) receives a message from the dummy channel \(\mathcal {F}_{\mathtt {DC}}\), it samples a random index set \(\mathcal {I} \subseteq \{0,1\}^n\), where each index is chosen according to a Bernoulli distribution with parameter \(p_{\mathtt {accept}}\)—the index is included in \(\mathcal {I}\) if the trial succeeds. \(\mathcal {E}\) then sends a description of \(\mathcal {I}\) to Alice via \(\mathcal {F}_{\mathtt {Pub}}\). It is clear that such an emulator satisfies Property 2.
D Commitment Protocol for ECs from [DKS99]
In this section we describe the commitment protocol from [DKS99] and show that, under the adequate choice of parameters, it is a receiver commitment protocol for any \((\gamma ,\delta )\)-elastic noisy channels.
We define some constants as follows. \(d_0\) is defined by \(\delta = \gamma (1-d_0) + d_0(1-\gamma )\). That is, \(d_0\) is such that adding noise with rate \(\gamma \) and then noise with rate \(d_0\) produces total noise rate \(\delta \). This means that \(d_0 = (\delta -\gamma )/(1-2\gamma )\), and from it follows trivially that since \(\delta < 1/2\), we have \(\delta > d_0\). We can therefore choose constants \(d_1, d\) and \(d^*\) such that \(d_0< d_1< d^*< d < \delta \). Finally, we define \(\delta ' = \gamma (1-d_1) + d_1(1-\gamma )\). Note that since \(d_1 > d_0\) we have \(\delta ' > \delta \).
Furthermore, we define \(\ell \) to be the logarithm of the number of elements in a Hamming ball of radius d, and likewise \(\ell ^*\) the logarithm of number of elements in a Hamming ball of radius \(d^*\).
We will need three families of universal hash functions \(\mathcal{H}, \mathcal{H}_1, \mathcal{H}_2\) that are 64k-wise independent and map from \(\{0,1 \}^k\) to \(\{0,1\}, \{0,1\}^{\ell ^*}, \{0,1\}^{\ell -\ell ^*}\), respectively.
Finally, remember that, as explained in Sect. 5.1, we reverse the direction of the elastic channel, so the protocol that we describe next uses a noisy channel with noise rate \(\delta \) where the committer C sends information and the verifier V receives, but where it is C who can alter the noise rate and reduce it to \(\gamma \).
We have defined our constants slightly differently from what was done in [DKS99], but \(d_0\) is defined in the same way, and the rest of the constants satisfy the same inequalities. It therefore turns out that exactly the same proofs can be used to show this version secure. We will not repeat the proofs here, but give some intuition why the protocol is secure. We let \(\Delta \) denote the Hamming distance, and by negligible we mean negligible as a function of k.
-
Both parties are honest. In this case we expect \(X'\) to be at distance \(\delta k\) from X. Since \(\delta '> \delta \), the probability that the distance is greater than \(\delta ' k\) is negligible, so V will accept the opening.
-
C is corrupt. We want to argue that there is only one string C can convincingly open after commitment time. Suppose first that C tries to claim a string \(X^*\) with \(\Delta (X^*,X) > d^*k\). Then note than in his view, the received string \(X'\) is expected to be such that \(\delta (X, X') = \gamma k\). So we expect that \(\Delta (X^*, X')> (d^*(1-\gamma ) + \gamma (1-d^*))k > \delta 'k\) because \(d^* > d_1\). So V would reject with overwhelming probability in this case. This means that \(X^*\) must be in a Hamming ball with radius \(d^*\) and center in X. But by sending \(h_1(X), h_2(X)\), C reveals \(\ell \) bits of information on X. Since \(\ell >\ell ^*\) this is more than required to identify uniquely an string in a ball of radius \(\ell ^*\), so there is only one string that can be opened.
-
V is corrupt. We want to argue that V has essentially no information about h(X) before opening. Note that in V’s view X is in a Hamming ball with radius \(\delta \) and center in \(X'\). Via the hashing V gets only \(\ell \) bits of information, and since \(d< \delta \), one can show that there are exponentially many candidates left for X, even after hashing. Now by a standard privacy amplification argument, it follows that the expected information V has on h(X) is negligible.
E Proof of Security of \(\pi _{\texttt {OT}}\)
1.1 E.1 Statements About the Typicality Test
We will need to establish some statements about the typicality test from our protocol.
Define \({\mathsf {{X}}}[\mu ]\) to be a binomial variable with expectation \(\mu \). By abuse of notation, we denote by \(\sum _{i=1}^N {\mathsf {{X}}}[\mu ]\) the variable defined by sampling N independent random variables with expectation \(\mu \) and adding the result.
Probability that an Honest Sender Passes the Typicality Test. We show that the honest sender passes the typicality test with probability at least \(1-2^{-\kappa }\). Let \(T = \sum _{i=1}^{N/2} {\mathsf {{X}}}[W(\sigma )]\). An honest receiver does not pass the typicality test if and only if \(T \ge \tau N/2\). Now let \(\mu = {\mathsf {{E}}}[T] = \frac{N}{2} W(\sigma )\) and \(\beta = \frac{1}{2 W(\sigma )}\). We can apply Chernoff’s bound to see that
Probability that a Malicious Sender Breaks the Typicality Test. We show that if a malicious sender cheats in \(N/2-\kappa \) instances of the testing set, she passes the typicality test with probability at most \(2^{-\kappa }\). Note that in order for the sender to send something different from a codeword in a given instance, at least one of the bits she sent does not correspond to the bit she communicates when she sends \(\tilde{X}\). Now note that, for a given bit \(x_{i,j}\) communicated by the sender when she sends \(\tilde{X}\), if this bit was indeed correct, then \(x_{i,j}\ne y_{i,j}\) with probability \(\delta \), while if she sent \(1-x_{i,j}\) instead, then \(x_{i,j}\ne y_{i,j}\) with probability \(1-\delta \). Note that the difference between these probabilities is \(1-2\delta \). This means that, in expectation, if the sender assumes the cheating behaviour we just described, the distance between the bitstrings \((x_{i,j})\) and \((y_{i,j})\) will grow by an additive factor of \((1-2\delta )(N/2-\kappa )\) with respect to the case where the sender would be honest. We want to show that in these conditions, the malicious sender will fail the test with high probability. That is, again defining \(T = \sum _{i=1}^{N/2} {\mathsf {{X}}}\left[ W(\sigma )\right] \), we need to show:
Let \(\mu = {\mathsf {{E}}}[T] = \frac{N}{2} W(\sigma )\) and \(\beta = \frac{(1-2\delta )(N-4\kappa )}{2N W(\sigma )}\). Chernoff’s bound then says
Now it is easy to see that, for the values of \(\mu \) and \(\beta \) detailed above, \((1-\beta )\mu = \frac{\tau N}{2} - (1-2\delta )\left( \frac{N}{2}-\kappa \right) \) (so this probability is indeed what we want to bound) and that \(e^{-\mu \beta ^2/2}\le 2^{-\kappa }\).
In the rest of the section we will prove Theorem 4.
1.2 E.2 Correctness
If both players are honest, then the protocol is correct with probability at least \(1-2^{-\kappa }\). Indeed, with at least this probability the honest sender passes the typicality test and the protocol is completed. Then, note that:
Hence \(w=w_0\) if there is an even number of \(i\in \mathcal {L}\) such that \(b_i=1\), i.e., if \(b=0\), and \(w=w_0\oplus \Delta =w_1\) if \(b=1\). In other words, \(w=w_b\).
On the other hand \(v_c=m_c\oplus w_{c\oplus d}=m_c\oplus w_b\).
Therefore the output of the receiver equals \(w\oplus v_c= m_c\), so the protocol outputs the correct value.
1.3 E.3 Security Against a Malicious Receiver
Simulation. The simulator \(\mathcal {S}\) for \(\pi _{\mathtt {OT}}\) will first proceed by running N instances \(\mathcal {S}_1,\ldots ,\mathcal {S}_N\) of the simulator for \(\pi _{\mathtt {OTMR}}\). Upon receiving \((\texttt {choice},b_i)\) from the environment, it will record it and send a random \(w_i\). If any of the simulators aborts, then the simulator aborts. In the next step, it awaits the test set \(\mathcal {T}\) from \(\mathcal {Z}\). Now, the simulator must send a \(\tilde{X}\) such that the view of \(\mathcal {Z}\) for the test instances is the same as in the real world.
Each of the views produced by the simulators are statistically indistinguishable (within \(2^{-\sigma }\)) from real instances of the OT protocol. Therefore, there must be a distribution D for \(\tilde{X}\) that depends only on the transcript between the simulators and \(\mathcal {Z}\) that is \((1/2^{\kappa })\)-close to one which would be produced in the real world.
Indeed, if this was not the case, since
then \(\mathcal {Z}\) would be able to distinguish with probability larger than \(1/2^{\sigma }\) between a run of the simulated malicious-receiver OT and a run with the malicious-receiver OT protocol with the elastic channel for at least one of the N instances, which contradicts the security of \(\pi _{\mathtt {OTMR}}\).
-
\(\mathcal {S}\) samples \(\tilde{X} \in _{R}D\). \(\mathcal {S}\) sets \(\mathcal {L} = \{1,\ldots ,N\} \setminus \mathcal {T}\). \(\mathcal {S}\) samples \(\Delta _i \in _{R}\{0,1\}\), for \(i\in \mathcal {L}\) and sets \(S= \{(i,\Delta _i) \mid i \in \mathcal {L}\}\).
-
\(\mathcal {S}\) sends \(S,\tilde{X}\) to \(\mathcal {Z}\). \(\mathcal {S}\) computes \(\displaystyle w:= \bigoplus _{i \in \mathcal {L}} w_i \oplus (\Delta _i \wedge b_i)\) and \(\displaystyle b:= \bigoplus _{i\in \mathcal {L}} b_i\). \(\mathcal {S}\)
awaits that the environment inputs d. \(\mathcal {S}\) samples a random \(x\in _{R}\{0,1\}\), sets \(c = b \oplus d\) and sends \((\texttt {choice},c)\) to \(\mathcal {F}_{\mathtt {OT}}\). Upon receiving \((\texttt {receipt},m)\), \(\mathcal {S}\) sets \(u_0 = m \oplus w, u_{1} = x\) and sends \((v_0,v_1):=(u_{d},u_{1 \oplus d})\) to \(\mathcal {Z}\).
Indistinguishability. This follows from the fact that the given robust OT-combiner is universally composable and that the underlying OT protocol is secure against a malicious receiver.
1.4 E.4 Security Against a Malicious Sender
Simulation. The simulator \(\mathcal {S}\) employs the following strategy. First, for each instance of OT, \(\mathcal {S}\) runs an instance \(\mathcal {S}_i\) of the simulator for the protocol \(\pi _{\mathtt {OTMR}}\) (for the semi-honest sender) for as long as \(\mathcal {Z}\) does not send invalid codewords for that instance. If any \(\mathcal {S}_i\) aborts, then \(\mathcal {S}\) aborts.
When, for a given instance, \(\mathcal {Z}\) sends an invalid codeword, \(\mathcal {S}\) takes the simulator \(\mathcal {S}_i\), samples a \(b_i\) at random and samples a receiver \(R_i\) whose input is \(b_i\) and whose view is consistent with what has been sent by the environment for that instance.
From this point on, instead of running the simulator for the given instance, \(\mathcal {S}\) runs \(R_i\) and whenever \(\mathcal {Z}\) sends a message which is meant to be communicated through the elastic channel, \(\mathcal {S}\) simulates the channel and sends the result to \(R_i\).
Once the instances of OT (both simulated and run with honest receiver) have completed, \(\mathcal {S}\) samples a random test set \(\mathcal {T}\) and sends it to \(\mathcal {Z}\). \(\mathcal {S}\) awaits \(\tilde{X},S\) from the environment. \(\mathcal {S}\) simulates the typicality test. \(\mathcal {S}\) takes each instance of OT for the test that is still run by the simulator for the test cases and replaces it with a receiver in the same way that was described above. Then once \(\mathcal {S}\) has produced the given views, \(\mathcal {S}\) takes these views and runs the typicality test. If the test fails, the simulator aborts.
\(\mathcal {S}\) denotes the set of instances \(\mathcal {I}\) that were only run by simulators and were not part of the test set. Let \(\mathcal {J}\) be the set of instances that were run by the receivers and were not part of the test set. The simulators provided the values \(\{(w^i_0,w^i_1) \mid i \in \mathcal {I}\}\) and the receivers provided the values \(\{w^{j}_{b_j} \mid j \in \mathcal {J}\}\).
\(\mathcal {S}\) samples a \(u \in \mathcal {I}\) and, for each \(i \in \mathcal {I}\), selects a random \(b_i\). \(\mathcal {S}\) selects \(\displaystyle b = \bigoplus _{i \in \mathcal {L}, i \ne u} b_i\), \(\displaystyle w := \bigoplus _{i \in \mathcal {L}, i \ne u} w^i_{b_i} \oplus (\Delta _i \wedge b_i)\). \(\mathcal {S}\) sets \(m'_0 := w \oplus w^u_0\), \(m'_1 := w \oplus w^u_1 \oplus \Delta _u\). \(\mathcal {S}\) samples a random r and sends \(d = b \oplus r\) to \(\mathcal {Z}\). \(\mathcal {S}\) awaits \(v_0, v_1\) from \(\mathcal {Z}\). \(\mathcal {S}\) sets \(m_0 := w \oplus v_{b \oplus r} \oplus m'_{b \oplus r}\) and \(m_1 := w \oplus v_{b \oplus r \oplus 1} \oplus m'_{b \oplus r \oplus 1}\). \(\mathcal {S}\) sends \((\texttt {send},\mathrm {sid},m_0,m_1)\) to \(\mathcal {F}_{\mathtt {OT}}\).
Indistinguishability. The real-world instances of OT where the sender did not send bad codewords are indistinguishable from the ideal-world instances run by local simulators. This follows from the security of \(\pi _{\mathtt {OTSH}}\) against semi-honest adversaries.
Next, we consider, the instances of OT where the sender sent bad codewords. These are also indistinguishable from instances run by the simulator because, on seeing a bad codeword, the simulator replaces the local simulator with a receiver \(R_i\), with random input \(b_i\), that acts as in the real world (including the communication between the sender and this receiver, which is simulated by imitating the behaviour of the channel). Furthermore, the receiver is constructed so that it is consistent with what had been previously sent through the channel and the given choice of inputs.
The last step of our simulation needs, however, to make sure that \(\mathcal {I}\) is non-empty, i.e., that there is at least one instance of the evaluation set where \(\mathcal {Z}\) sends only correct codewords. But notice that, as we have shown before, if \(\mathcal {Z}\) would send a non-codeword in each instance, it would result (except with probability \(2^{-\kappa }\)) in an abort due to the typicality test.
Rights and permissions
Copyright information
© 2016 International Association for Cryptologic Research
About this paper
Cite this paper
Cascudo, I., Damgård, I., Lacerda, F., Ranellucci, S. (2016). Oblivious Transfer from Any Non-trivial Elastic Noisy Channel via Secret Key Agreement. In: Hirt, M., Smith, A. (eds) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science(), vol 9985. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-53641-4_9
Download citation
DOI: https://doi.org/10.1007/978-3-662-53641-4_9
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-53640-7
Online ISBN: 978-3-662-53641-4
eBook Packages: Computer ScienceComputer Science (R0)