DOCSLIB.ORG

Oblivious Transfer of Bits

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Oblivious Transfer of Bits Oblivious transfer of bits Abstract. We consider the topic Oblivious transfer of bits (OT), that is a powerful primitive in modern cryptography. We can devide our project into these parts: In the first part: We would clarify the definition OT, we would give a precise characterization of its funcionality and use. Committed oblivious transfer (COT) is an enhancement involving the use of commitments, which can be used in many applications of OT covering particular malicious adversarial behavior, it cannot be forgotten. In the second part: We would describe the history of some important discoveries, that preceded present knowledge in this topic. Some famous discovers as Michael O. Rabin or Claude Crépeau could be named with their works. In the third part: For OT, many protocols covering the transfer of bits are known, we would introduce and describe some of them. The most known are Rabin's oblivious transfer protocol, 1-2 oblivious transfer, 1-n oblivious transfer. These would be explained with examples. In the fourth part: We also need to discuss the security of the protocols and attacs, that are comitted. Then security of mobile computing. In the fifth part: For the end, we would give some summary, also interests or news in this topic, maybe some visions to the future evolution. 1 Introduction Oblivious transfer of bits (often abbreviated OT) is a powerful primitive in modern cryptography especially in the context of multiparty computation where two or more parties, mutually distrusting each other, want to collaborate in a secure way in order to achieve a common goal, for instance, to carry out an electronic election, so this is its applicability. 1.1 Multi-party computation An example of a specific multi-party computation is secure function evaluation, where every party holds an input to a function, and the output should be computed in a way such that no party has to reveal unnecessary information about her input. 1.2 Definition of OT OT is a protocol by which a sender sends some information to the receiver, but remains oblivious as to what is received. It means that sender sends a message to a receiver with some fixed probability between 0 and 1 (for example 1/2) without the sender knowing 1 whether or not the receiver received the message. Thus, problem of oblivious transfer of secret reduces to the problem of oblivious transfer of the decryption key. OT solve the problem of mutual exchange of secrets. The main discoverer of OT was Michael O. Rabin. Rabin discovered an interesting application for his cryptosystem and he called this new scheme as ‘Oblivious Transfer’ , so it OT was named by him. His protocol worked only for honest parties. There are some others protocols similar to OT, that will be discuss later also with Rabin’s OT. 1.3 Private information retrieval (PIR) In cryptography, a private information retrieval (PIR) protocol allows a user to retrieve an item from a server in possession of a database without revealing which item she is retrieving. PIR is a weaker version of 1-out-of-n oblivious transfer, where it is also required that the user should not get information about other database items. OT also called symmetric PIR, is PIR with the additional restriction that the user not learn any item other than the one she requested. It is termed symmetric because both the user and the database have a privacy requirement. 1.4 Zero-Knowledge Proofs In cryptography, a zero-knowledge proof or zero-knowledge protocol is an interactive method for one party to prove to another that a (usually mathematical) statement is true, without revealing anything other than the veracity of the statement. A zero-knowledge proof must satisfy three properties: 1) Completeness: if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover. 2) Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability. 2 3) Zero-knowledge: if the statement is true, no cheating verifier learns anything other than this fact. This is formalized by showing that every cheating verifier has some simulator that, given only the statement to be proven (and no access to the prover), can produce a transcript that "looks like" an interaction between the honest prover and the cheating verifier. Introduced in 1985, zero-knowledge proofs are typically used to force malicious parties to behave according to a predetermined protocol. In addition to their direct applicability to cryptography, they serve as a good benchmark for the study of various problems regarding cryptographic protocols. 1.5 Committed Oblivious Transfer COT Committed Oblivious Transfer (COT) is a useful cryptographic primitive that combines the functionalities of bit commitment and oblivious transfer. Is is a natural combination of 1-2 Oblivious Transfer and Bit Commitment. At the start of the computation Alice is committed to bits a 0 and a 1 and Bob is committed to bit b; at the end Bob is committed to a b and knows nothing about a b , while Alice learns nothing about b. One can see that this allows each party engaged in an oblivious transfer to be certain that the other party is performing the oblivious transfer operation on their declared inputs. 2 History • In the early seventies Stephen Wiesner introduced a primitive called multiplexing which was the start of quantum cryptography. But it took more than ten years to be published. Even though this primitive was equivalent to what was later called 1-2 oblivious transfer. Wiesner did not see its application to cryptography. • The first form of oblivious transfer was introduced in 1981 by Michael O. Rabin . 3 • In 1983, a more useful form of oblivious transfer called 1- 2 oblivious transfer or "1 out of 2 oblivious transfer," was developed later by Shimon Even , Oded Goldreich , and Abraham Lempel , in order to build protocols for secure multiparty computation. It is generalized to "1 out of n oblivious transfer" where the user gets exactly one database element without the server getting to know which element was queried. The latter notion of oblivious transfer is a strengthening of private information retrieval where one does not care about database's privacy. • Zero-knowledge proofs introduced in 1985. • The existence of 1-n oblivious transfer protocols from any private information retrieval protocol was first established by Giovanni Di Crescenzo, Tal Malkin and Rafail Ostrovsky. • Additional constructions of 1-n oblivious transfer protocols also related to private information retrieval, were proposed, e.g., by Moni Naor and Benny Pinkas, William Aiello, Yuval Ishai and Omer Reingold, Sven Laur and Helger Lipmaa. • Claude Crépeau showed that Rabin's oblivious transfer is equivalent to 1-2 oblivious transfer. • Committed Oblivious Transfer (COT) was introduced by Crepeau under the name (“Verifiable Oblivious Transfer”). • Further work has revealed oblivious transfer to be a fundamental and important problem in cryptography. It is considered one of the critical problems in the field, because of the importance of the applications that can be built based on it. In particular, it is a `complete' for secure multiparty computation: that is given an implementation of oblivious transfer it is possible to securely evaluate any polynomial time computable function without any additional primitive. 4 3 Rabin's oblivious transfer protocol, 1-2 oblivious transfer, 1-n oblivious transfer 3.1 Rabin oblivious transfer Fig. 1: Rabin oblivious transfer Rabin's oblivious transfer scheme is based on the RSA cryptosystem. 3.1.1 RSA RSA is an algorithm for public-key cryptography. It was the first algorithm known to be suitable for signing as well as encryption, and one of the first great advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations. Rabin oblivious transfer is a kind of formalization of “noisy wire” communication. The objective is to simulate a random loss of information. Formally, a Rabin OT machine models the following behavior. Sender sends a bit b into the OT machine. The machine then flips a coin, and with probability 1/2 sends b to Receiver, and with probability ½ sends ‘#’ to Reciever to signify that a bit was sent, but the information was lost in the transfer. Sender does not know which output Receiver received. In Rabin's oblivious transfer protocol, the sender generates an RSA public modulus N=pq where p and q are large prime numbers, and an exponent e relatively prime to ( p-1)( q-1). The sender encrypts the message m as me mod N. 5 1. The sender sends N,e, and me mod N to the receiver. 2. The receiver picks a random x modulo N and sends x2 mod N to the sender. Note that gcd( x,N )=1 with overwhelming probability, which ensures that there are 4 square roots of x2 mod N. 3. The sender finds a square root y of x2 mod N and sends y to the receiver. If the y the sender finds is neither x nor -x modulo N, the receiver will be able to factor N and therefore decrypt me to recover m. However, if y is x or -x mod N, the receiver will have no information about m beyond the encryption of it. Since every quadratic residue modulo N has four square roots, the probability that the receiver learns m is 1/2. The Rabin cryptosystem is an asymmetric cryptographic technique, whose security, like that of RSA, is related to the difficulty of factorization.
Load more

Recommended publications
  • Imperfect Oblivious Transfer Extended Abstract
    Imperfect Oblivious Transfer Extended Abstract Ryan Amiri,1 Petros Wallden,2 and Erika Andersson1 1SUPA, Institute of Photonics and Quantum Sciences, Heriot-Watt University, Edinburgh EH14 4AS, United Kingdom∗ 2LFCS, School of Informatics, University of Edinburgh, 10 Crichton Street, Edinburgh EH8 9AB, United Kingdom I. INTRODUCTION Oblivious transfer (OT) is one of the most widely used and fundamental primitives in cryptography. Its importance stems from the fact that it can be used as the foundation for secure two-party computations; with oblivious transfer, all secure two-party computations are possible [1],[2]. Unfortunately, it has been shown that unconditionally secure oblivious transfer is not possible, and that even quantum mechanics cannot help [3], [4]. In fact, the results of Lo actually go further, and show that it is impossible to securely evaluate any one sided two-party computation. Since then it has been an interesting and productive open question to determine the optimal security parameters achievable for some important two-party computations. In this paper we address the theoretical question \How close to ideal can unconditionally secure OT protocols be?" Our paper contains two main contributions: 1. For general 2-round OT protocols, we increase the lower bound on the minimum cheating probabilities achievable for Alice and Bob, i.e. we show that any OT protocol with at most two rounds of (classical or quantum) communication must have a cheating probability of at least 2=3. If the states in the final round of the (honest) protocol are pure, this bound is increased to 0:749. In the case that the final round contains pure states, we extend our 0:749 bound to general N-round OT protocols.
    [Show full text]
  • Concurrent Non-Malleable Zero Knowledge Proofs
    Concurrent Non-Malleable Zero Knowledge Proofs Huijia Lin?, Rafael Pass??, Wei-Lung Dustin Tseng???, and Muthuramakrishnan Venkitasubramaniam Cornell University, {huijia,rafael,wdtseng,vmuthu}@cs.cornell.edu Abstract. Concurrent non-malleable zero-knowledge (NMZK) consid- ers the concurrent execution of zero-knowledge protocols in a setting where the attacker can simultaneously corrupt multiple provers and ver- ifiers. Barak, Prabhakaran and Sahai (FOCS’06) recently provided the first construction of a concurrent NMZK protocol without any set-up assumptions. Their protocol, however, is only computationally sound (a.k.a., a concurrent NMZK argument). In this work we present the first construction of a concurrent NMZK proof without any set-up assump- tions. Our protocol requires poly(n) rounds assuming one-way functions, or O~(log n) rounds assuming collision-resistant hash functions. As an additional contribution, we improve the round complexity of con- current NMZK arguments based on one-way functions (from poly(n) to O~(log n)), and achieve a near linear (instead of cubic) security reduc- tions. Taken together, our results close the gap between concurrent ZK protocols and concurrent NMZK protocols (in terms of feasibility, round complexity, hardness assumptions, and tightness of the security reduc- tion). 1 Introduction Zero-knowledge (ZK) interactive proofs [GMR89] are fundamental constructs that allow the Prover to convince the Verifier of the validity of a mathematical statement x 2 L, while providing zero additional knowledge to the Verifier. Con- current ZK, first introduced and achieved by Dwork, Naor and Sahai [DNS04], considers the execution of zero-knowledge protocols in an asynchronous and con- current setting.
    [Show full text]
  • FOCS 2005 Program SUNDAY October 23, 2005
    FOCS 2005 Program SUNDAY October 23, 2005 Talks in Grand Ballroom, 17th floor Session 1: 8:50am – 10:10am Chair: Eva´ Tardos 8:50 Agnostically Learning Halfspaces Adam Kalai, Adam Klivans, Yishay Mansour and Rocco Servedio 9:10 Noise stability of functions with low influences: invari- ance and optimality The 46th Annual IEEE Symposium on Elchanan Mossel, Ryan O’Donnell and Krzysztof Foundations of Computer Science Oleszkiewicz October 22-25, 2005 Omni William Penn Hotel, 9:30 Every decision tree has an influential variable Pittsburgh, PA Ryan O’Donnell, Michael Saks, Oded Schramm and Rocco Servedio Sponsored by the IEEE Computer Society Technical Committee on Mathematical Foundations of Computing 9:50 Lower Bounds for the Noisy Broadcast Problem In cooperation with ACM SIGACT Navin Goyal, Guy Kindler and Michael Saks Break 10:10am – 10:30am FOCS ’05 gratefully acknowledges financial support from Microsoft Research, Yahoo! Research, and the CMU Aladdin center Session 2: 10:30am – 12:10pm Chair: Satish Rao SATURDAY October 22, 2005 10:30 The Unique Games Conjecture, Integrality Gap for Cut Problems and Embeddability of Negative Type Metrics Tutorials held at CMU University Center into `1 [Best paper award] Reception at Omni William Penn Hotel, Monongahela Room, Subhash Khot and Nisheeth Vishnoi 17th floor 10:50 The Closest Substring problem with small distances Tutorial 1: 1:30pm – 3:30pm Daniel Marx (McConomy Auditorium) Chair: Irit Dinur 11:10 Fitting tree metrics: Hierarchical clustering and Phy- logeny Subhash Khot Nir Ailon and Moses Charikar On the Unique Games Conjecture 11:30 Metric Embeddings with Relaxed Guarantees Break 3:30pm – 4:00pm Ittai Abraham, Yair Bartal, T-H.
    [Show full text]
  • Generation and Distribution of Quantum Oblivious Keys for Secure Multiparty Computation
    applied sciences Article Generation and Distribution of Quantum Oblivious Keys for Secure Multiparty Computation Mariano Lemus 1,2, Mariana F. Ramos 3,4, Preeti Yadav 1,2, Nuno A. Silva 3,4 , Nelson J. Muga 3,4 , André Souto 2,5,6,* , Nikola Paunkovi´c 1,2 , Paulo Mateus 1,2 and Armando N. Pinto 3,4 1 Departamento de Matemática, Instituto Superior Técnico, Av. Rovisco Pais 1, 1049-001 Lisboa, Portugal; [email protected] (M.L.); [email protected] (P.Y.); [email protected] (N.P.); [email protected] (P.M.) 2 Instituto de Telecomunicações, Av. Rovisco Pais 1, 1049-001 Lisboa, Portugal 3 Departamento de Eletrónica, Telecomunicações e Informática, Universidade de Aveiro, Campus Universitário de Santiago, 3810-193 Aveiro, Portugal; [email protected] (M.F.R.); [email protected] (N.A.S.); [email protected] (N.J.M.); [email protected] (A.N.P.) 4 Instituto de Telecomunicações, Campus Universitário de Santiago, 3810-193 Aveiro, Portugal 5 Departamento de Informática, Faculdade de Ciências da Universidade de Lisboa, Campo Grande 016, 1749-016 Lisboa, Portugal 6 LASIGE, Faculdade de Ciências da Universidade de Lisboa, Campo Grande 016, 1749-016 Lisboa, Portugal * Correspondence: [email protected] Received: 15 May 2020; Accepted: 10 June 2020; Published: 12 June 2020 Featured Application: Private data mining. Abstract: The oblivious transfer primitive is sufficient to implement secure multiparty computation. However, secure multiparty computation based on public-key cryptography is limited by the security and efficiency of the oblivious transfer implementation. We present a method to generate and distribute oblivious keys by exchanging qubits and by performing commitments using classical hash functions.
    [Show full text]
  • Magic Adversaries Versus Individual Reduction: Science Wins Either Way ?
    Magic Adversaries Versus Individual Reduction: Science Wins Either Way ? Yi Deng1;2 1 SKLOIS, Institute of Information Engineering, CAS, Beijing, P.R.China 2 State Key Laboratory of Cryptology, P. O. Box 5159, Beijing ,100878,China [email protected] Abstract. We prove that, assuming there exists an injective one-way function f, at least one of the following statements is true: – (Infinitely-often) Non-uniform public-key encryption and key agreement exist; – The Feige-Shamir protocol instantiated with f is distributional concurrent zero knowledge for a large class of distributions over any OR NP-relations with small distinguishability gap. The questions of whether we can achieve these goals are known to be subject to black-box lim- itations. Our win-win result also establishes an unexpected connection between the complexity of public-key encryption and the round-complexity of concurrent zero knowledge. As the main technical contribution, we introduce a dissection procedure for concurrent ad- versaries, which enables us to transform a magic concurrent adversary that breaks the distribu- tional concurrent zero knowledge of the Feige-Shamir protocol into non-black-box construc- tions of (infinitely-often) public-key encryption and key agreement. This dissection of complex algorithms gives insight into the fundamental gap between the known universal security reductions/simulations, in which a single reduction algorithm or simu- lator works for all adversaries, and the natural security definitions (that are sufficient for almost all cryptographic primitives/protocols), which switch the order of qualifiers and only require that for every adversary there exists an individual reduction or simulator. 1 Introduction The seminal work of Impagliazzo and Rudich [IR89] provides a methodology for studying the lim- itations of black-box reductions.
    [Show full text]
  • Data Structures Meet Cryptography: 3SUM with Preprocessing
    Data Structures Meet Cryptography: 3SUM with Preprocessing Alexander Golovnev Siyao Guo Thibaut Horel Harvard NYU Shanghai MIT [email protected] [email protected] [email protected] Sunoo Park Vinod Vaikuntanathan MIT & Harvard MIT [email protected] [email protected] Abstract This paper shows several connections between data structure problems and cryptography against preprocessing attacks. Our results span data structure upper bounds, cryptographic applications, and data structure lower bounds, as summarized next. First, we apply Fiat–Naor inversion, a technique with cryptographic origins, to obtain a data structure upper bound. In particular, our technique yields a suite of algorithms with space S and (online) time T for a preprocessing version of the N-input 3SUM problem where S3 T = O(N 6). This disproves a strong conjecture (Goldstein et al., WADS 2017) that there is no data· structure − − that solves this problem for S = N 2 δ and T = N 1 δ for any constant δ > 0. e Secondly, we show equivalence between lower bounds for a broad class of (static) data struc- ture problems and one-way functions in the random oracle model that resist a very strong form of preprocessing attack. Concretely, given a random function F :[N] [N] (accessed as an oracle) we show how to compile it into a function GF :[N 2] [N 2] which→ resists S-bit prepro- cessing attacks that run in query time T where ST = O(N 2−→ε) (assuming a corresponding data structure lower bound on 3SUM). In contrast, a classical result of Hellman tells us that F itself can be more easily inverted, say with N 2/3-bit preprocessing in N 2/3 time.
    [Show full text]
  • CURRICULUM VITAE Rafail Ostrovsky
    last updated: December 26, 2020 CURRICULUM VITAE Rafail Ostrovsky Distinguished Professor of Computer Science and Mathematics, UCLA http://www.cs.ucla.edu/∼rafail/ mailing address: Contact information: UCLA Computer Science Department Phone: (310) 206-5283 475 ENGINEERING VI, E-mail: [email protected] Los Angeles, CA, 90095-1596 Research • Cryptography and Computer Security; Interests • Streaming Algorithms; Routing and Network Algorithms; • Search and Classification Problems on High-Dimensional Data. Education NSF Mathematical Sciences Postdoctoral Research Fellow Conducted at U.C. Berkeley 1992-95. Host: Prof. Manuel Blum. Ph.D. in Computer Science, Massachusetts Institute of Technology, 1989-92. • Thesis titled: \Software Protection and Simulation on Oblivious RAMs", Ph.D. advisor: Prof. Silvio Micali. Final version appeared in Journal of ACM, 1996. Practical applications of thesis work appeared in U.S. Patent No.5,123,045. • Minor: \Management and Technology", M.I.T. Sloan School of Management. M.S. in Computer Science, Boston University, 1985-87. B.A. Magna Cum Laude in Mathematics, State University of New York at Buffalo, 1980-84. Department of Mathematics Graduation Honors: With highest distinction. Personal • U.S. citizen, naturalized in Boston, MA, 1986. Data Appointments UCLA Computer Science Department (2003 { present): Distinguished Professor of Computer Science. Recruited in 2003 as a Full Professor with Tenure. UCLA School of Engineering (2003 { present): Director, Center for Information and Computation Security. (See http://www.cs.ucla.edu/security/.) UCLA Department of Mathematics (2006 { present): Distinguished Professor of Mathematics (by courtesy). 1 Appointments Bell Communications Research (Bellcore) (cont.) (1999 { 2003): Senior Research Scientist; (1995 { 1999): Research Scientist, Mathematics and Cryptography Research Group, Applied Research.
    [Show full text]
  • A Review on Quantum Cryptography and Quantum Key Distribution
    3rd International Conference on Multidisciplinary Research & Practice P a g e | 463 A Review on Quantum Cryptography and Quantum Key Distribution Ritu Rani Lecturer, Department of Physics, CRM Jat College, Hisar Abstract: - Quantum cryptography uses our current knowledge key. The main disadvantage of a secret-key cryptosystem is of physics to develop a cryptosystem that is not able to be related to the exchange of keys. Symmetric encryption is defeated - that is, one that is completely secure against being based on the exchange of a secret (keys). Secret key compromised without knowledge of the sender or the receiver of cryptography systems are often classified to be either stream the messages. Quantum cryptography promises to reform secure ciphers or block ciphers. Stream ciphers work on a single bit communication by providing security based on the elementary laws of physics, instead of the current state of mathematical at a time and also use some kind of feedback mechanism so algorithms or computing technology. This paper describes an that the key changes regularly. The goal of position-based overview about Quantum cryptography and Quantum key quantum cryptography is to use the geographical location of a distribution technology, and how this technology contributes to player as its (only) credential. A quantum cryptographic the network security. protocol is device-independent if its security does not rely on Keywords:- Quantum cryptography, public-key encryption, trusting that the quantum devices used are truthful. Thus the Secret key encryption, Quantum key distribution technology security analysis of such a protocol needs to consider scenarios of imperfect or even malicious devices.
    [Show full text]
  • Adversarial Robustness of Streaming Algorithms Through Importance Sampling
    Adversarial Robustness of Streaming Algorithms through Importance Sampling Vladimir Braverman Avinatan Hassidim Yossi Matias Mariano Schain Google∗ Googley Googlez Googlex Sandeep Silwal Samson Zhou MITO CMU{ June 30, 2021 Abstract Robustness against adversarial attacks has recently been at the forefront of algorithmic design for machine learning tasks. In the adversarial streaming model, an adversary gives an algorithm a sequence of adaptively chosen updates u1; : : : ; un as a data stream. The goal of the algorithm is to compute or approximate some predetermined function for every prefix of the adversarial stream, but the adversary may generate future updates based on previous outputs of the algorithm. In particular, the adversary may gradually learn the random bits internally used by an algorithm to manipulate dependencies in the input. This is especially problematic as many important problems in the streaming model require randomized algorithms, as they are known to not admit any deterministic algorithms that use sublinear space. In this paper, we introduce adversarially robust streaming algorithms for central machine learning and algorithmic tasks, such as regression and clustering, as well as their more general counterparts, subspace embedding, low-rank approximation, and coreset construction. For regression and other numerical linear algebra related tasks, we consider the row arrival streaming model. Our results are based on a simple, but powerful, observation that many importance sampling-based algorithms give rise to adversarial robustness which is in contrast to sketching based algorithms, which are very prevalent in the streaming literature but suffer from adversarial attacks. In addition, we show that the well-known merge and reduce paradigm in streaming is adversarially robust.
    [Show full text]
  • Verifiable Random Functions
    Verifiable Random Functions y z Silvio Micali Michael Rabin Salil Vadhan Abstract random string of the proper length. The possibility thus ex- ists that, if it so suits him, the party knowing the seed s may We efficiently combine unpredictability and verifiability by declare that the value of his pseudorandom oracle at some x f x extending the Goldreich–Goldwasser–Micali construction point is other than s without fear of being detected. It f s of pseudorandom functions s from a secret seed , so that is for this reason that we refer to these objects as “pseudo- s f knowledge of not only enables one to evaluate s at any random oracles” rather than using the standard terminology f x x NP point , but also to provide an -proof that the value “pseudorandom functions” — the values s come “out f x s is indeed correct without compromising the unpre- of the blue,” as if from an oracle, and the receiver must sim- s f dictability of s at any other point for which no such a proof ply trust that they are computed correctly from the seed . was provided. Therefore, though quite large, the applicability of pseu- dorandom oracles is limited: for instance, to settings in which (1) the “seed owner”, and thus the one evaluating 1Introduction the pseudorandom oracle, is totally trusted; or (2) it is to the seed-owner’s advantage to evaluate his pseudorandom oracle correctly; or (3) there is absolutely nothing for the PSEUDORANDOM ORACLES. Goldreich, Goldwasser, and seed-owner to gain from being dishonest. Micali [GGM86] show how to simulate a random ora- f x One efficient way of enabling anyone to verify that s b cle from a-bit strings to -bit strings by means of a con- f x really is the value of pseudorandom oracle s at point struction using a seed, that is, a secret and short random clearly consists of publicizing the seed s.However,this string.
    [Show full text]
  • Choosing T-Out-Of-N Secrets by Oblivious Transfer
    ++ I&S CHOOSING T-OUT-OF-N SECRETS BY OBLIVIOUS TRANSFER Jung-San LEE and Chin-Chen CHANG Abstract: Oblivious Transfer (OT) has been regarded as one of the most signifi- cant cryptography tools in recent decades. Since the mechanism of OT is widely used in many applications such as e-commerce, secret information exchange, and games, various OT schemes have been proposed to improve its functionality and efficiency. In 2001, Naor and Pinkas proposed a secure 1-out-of-n OT protocol, in which the sender has n messages and the chooser can get one of these n messages in each protocol run. What is more, the sender cannot find which message has been chosen by the chooser and the chooser knows only the correct message. In 2004, Wakaha and Ryota proposed a secure t-out-of-n OT protocol, which is an extension of the 1-out-of-n OT protocol proposed by Naor and Pinkas. Wakaha and Ryota’s t- out-of-n OT protocol allows the chooser to get t messages from the sender simulta- neously in each protocol run. Besides, the sender cannot know what the chooser has chosen and the chooser can only know the exact t messages. However, getting deep understanding of Wakaha and Ryota’s protocol, it could be concluded that it still lacks efficiency such that it is hard to be applied in real-world applications. In this article, a secure and efficient t-out-of-n OT protocol based on the Generalized Chi- nese Remainder Theorem is proposed, in which the chooser can securely get t mes- sages from the sender simultaneously in each protocol run.
    [Show full text]
  • Verifiable Random Functions
    Verifiable Random Functions The Harvard community has made this article openly available. Please share how this access benefits you. Your story matters Citation Micali, Silvio, Michael Rabin, and Salil Vadhan. 1999. Verifiable random functions. In Proceedings of the 40th Annual Symposium on the Foundations of Computer Science (FOCS `99), 120-130. New York: IEEE Computer Society Press. Published Version http://dx.doi.org/10.1109/SFFCS.1999.814584 Citable link http://nrs.harvard.edu/urn-3:HUL.InstRepos:5028196 Terms of Use This article was downloaded from Harvard University’s DASH repository, and is made available under the terms and conditions applicable to Other Posted Material, as set forth at http:// nrs.harvard.edu/urn-3:HUL.InstRepos:dash.current.terms-of- use#LAA Verifiable Random Functions y z Silvio Micali Michael Rabin Salil Vadhan Abstract random string of the proper length. The possibility thus ex- ists that, if it so suits him, the party knowing the seed s may We efficiently combine unpredictability and verifiability by declare that the value of his pseudorandom oracle at some x f x extending the Goldreich–Goldwasser–Micali construction point is other than s without fear of being detected. It f s of pseudorandom functions s from a secret seed , so that is for this reason that we refer to these objects as “pseudo- s f knowledge of not only enables one to evaluate s at any random oracles” rather than using the standard terminology f x x NP point , but also to provide an -proof that the value “pseudorandom functions” — the values s come “out f x s is indeed correct without compromising the unpre- of the blue,” as if from an oracle, and the receiver must sim- s f dictability of s at any other point for which no such a proof ply trust that they are computed correctly from the seed .
    [Show full text]