Oblivious transfer of bits

Abstract. We consider the topic Oblivious transfer of bits (OT), which is a powerful primitive in modern cryptography. We can divide our project into these parts. In the first part we clarify the definition of OT and give a precise characterization of its functionality and use. Committed oblivious transfer (COT) is an enhancement involving the use of commitments, which can be used in many applications of OT covering particular malicious adversarial behavior, and it cannot be forgotten. In the second part we describe the history of some important discoveries that preceded present knowledge in this topic. Some famous discoverers such as Michael O. Rabin or Claude Crépeau are named with their works. In the third part: for OT, many protocols covering the transfer of bits are known, and we introduce and describe some of them. The best known are Rabin's oblivious transfer protocol, 1-2 oblivious transfer and 1-n oblivious transfer. These are explained with examples. In the fourth part we discuss the security of the protocols and the attacks that are committed against them, and then the security of mobile computing. In the fifth part, at the end, we give a summary, also interests or news in this topic and maybe some visions of the future evolution.

1 Introduction

Oblivious transfer of bits (often abbreviated OT) is a powerful primitive in modern cryptography, especially in the context of multiparty computation, where two or more parties, mutually distrusting each other, want to collaborate in a secure way in order to achieve a common goal, for instance to carry out an electronic election; this is where OT finds its applicability.

1.1 Multi-party computation

An example of a specific multi-party computation is secure function evaluation, where every party holds an input to a function, and the output should be computed in a way such that no party has to reveal unnecessary information about her input.

1.2 Definition of OT

OT is a protocol by which a sender sends some information to the receiver, but remains oblivious as to what is received. It means that the sender sends a message to a receiver with some fixed probability between 0 and 1 (for example 1/2) without the sender knowing whether or not the receiver received the message. Thus, since a secret can be sent encrypted and only its key transferred obliviously, the problem of oblivious transfer of a secret reduces to the problem of oblivious transfer of the decryption key.

OT solves the problem of mutual exchange of secrets. The main discoverer of OT was Michael O. Rabin. Rabin discovered an interesting application for his cryptosystem and called this new scheme 'Oblivious Transfer', so OT was named by him. His protocol worked only for honest parties. There are some other protocols similar to OT, which will be discussed later together with Rabin's OT.

1.3 Private information retrieval (PIR)

In cryptography, a private information retrieval (PIR) protocol allows a user to retrieve an item from a server in possession of a database without revealing which item she is retrieving. PIR is a weaker version of 1-out-of-n oblivious transfer, where it is also required that the user should not get information about other database items.

OT, also called symmetric PIR, is PIR with the additional restriction that the user does not learn any item other than the one she requested. It is termed symmetric because both the user and the database have a privacy requirement.

1.4 Zero-Knowledge Proofs

In cryptography, a zero-knowledge proof or zero-knowledge protocol is an interactive method for one party to prove to another that a (usually mathematical) statement is true, without revealing anything other than the veracity of the statement. A zero-knowledge proof must satisfy three properties:

1) Completeness: if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover.

2) Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability.


3) Zero-knowledge: if the statement is true, no cheating verifier learns anything other than this fact. This is formalized by showing that every cheating verifier has some simulator that, given only the statement to be proven (and no access to the prover), can produce a transcript that "looks like" an interaction between the honest prover and the cheating verifier.

Introduced in 1985, zero-knowledge proofs are typically used to force malicious parties to behave according to a predetermined protocol. In addition to their direct applicability to cryptography, they serve as a good benchmark for the study of various problems regarding cryptographic protocols.

1.5 Committed Oblivious Transfer COT

Committed Oblivious Transfer (COT) is a useful cryptographic primitive that combines the functionalities of bit commitment and oblivious transfer. It is a natural combination of 1-2 Oblivious Transfer and Bit Commitment. At the start of the computation Alice is committed to bits a_0 and a_1 and Bob is committed to a bit b; at the end Bob is committed to a_b and knows nothing about a_(1-b), while Alice learns nothing about b. One can see that this allows each party engaged in an oblivious transfer to be certain that the other party is performing the oblivious transfer operation on their declared inputs.

2 History

• In the early seventies Stephen Wiesner introduced a primitive called multiplexing, which was the start of . It took more than ten years to be published. Even though this primitive was equivalent to what was later called 1-2 oblivious transfer, Wiesner did not see its application to cryptography.

• The first form of oblivious transfer was introduced in 1981 by Michael O. Rabin.

• In 1983, a more useful form of oblivious transfer called 1-2 oblivious transfer, or "1 out of 2 oblivious transfer," was developed by Shimon Even, Oded Goldreich and Abraham Lempel in order to build protocols for secure multiparty computation. It is generalized to "1 out of n oblivious transfer", where the user gets exactly one database element without the server getting to know which element was queried. The latter notion of oblivious transfer is a strengthening of private information retrieval, where one does not care about the database's privacy.

• Zero-knowledge proofs were introduced in 1985.

• The existence of 1-n oblivious transfer protocols from any private information retrieval protocol was first established by Giovanni Di Crescenzo, Tal Malkin and .

• Additional constructions of 1-n oblivious transfer protocols also related to private information retrieval, were proposed, e.g., by Moni Naor and Benny Pinkas, William Aiello, Yuval Ishai and , Sven Laur and Helger Lipmaa.

• Claude Crépeau showed that Rabin's oblivious transfer is equivalent to 1-2 oblivious transfer.

• Committed Oblivious Transfer (COT) was introduced by Crépeau under the name "Verifiable Oblivious Transfer".

• Further work has revealed oblivious transfer to be a fundamental and important problem in cryptography. It is considered one of the critical problems in the field because of the importance of the applications that can be built on it. In particular, it is 'complete' for secure multiparty computation: that is, given an implementation of oblivious transfer, it is possible to securely evaluate any polynomial-time computable function without any additional primitive.

3 Rabin's oblivious transfer protocol, 1-2 oblivious transfer, 1-n oblivious transfer

3.1 Rabin oblivious transfer

Fig. 1: Rabin oblivious transfer

Rabin's oblivious transfer scheme is based on the RSA cryptosystem.

3.1.1 RSA

RSA is an algorithm for public-key cryptography. It was the first algorithm known to be suitable for signing as well as encryption, and one of the first great advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.

Rabin oblivious transfer is a kind of formalization of "noisy wire" communication. The objective is to simulate a random loss of information. Formally, a Rabin OT machine models the following behavior. The Sender sends a bit b into the OT machine. The machine then flips a coin, and with probability 1/2 sends b to the Receiver, and with probability 1/2 sends '#' to the Receiver to signify that a bit was sent but the information was lost in the transfer. The Sender does not know which output the Receiver received.

In Rabin's oblivious transfer protocol, the sender generates an RSA public modulus N = pq, where p and q are large prime numbers, and an exponent e relatively prime to (p-1)(q-1). The sender encrypts the message m as m^e mod N.

1. The sender sends N, e, and m^e mod N to the receiver.

2. The receiver picks a random x modulo N and sends x^2 mod N to the sender. Note that gcd(x, N) = 1 with overwhelming probability, which ensures that there are 4 square roots of x^2 mod N.

3. The sender finds a square root y of x^2 mod N and sends y to the receiver.

If the y the sender finds is neither x nor -x modulo N, the receiver will be able to factor N and therefore decrypt m^e to recover m. However, if y is x or -x mod N, the receiver will have no information about m beyond the encryption of it. Since every quadratic residue modulo N has four square roots, the probability that the receiver learns m is 1/2.
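The three steps above, worked through as an added example (not code from the original report): a toy Rabin OT in Python with constructed small primes p, q ≡ 3 (mod 4), in which the sender returns one of the four square roots at random and the receiver factors N exactly when that root is neither x nor -x. The primes, exponent and function names are all assumptions made for illustration.

```python
import random
from math import gcd

# Constructed sender key: small primes with p, q = 3 (mod 4) so that square
# roots modulo each prime are a single exponentiation.  Toy sizes only.
P, Q = 1019, 1031
N = P * Q
E = 17  # public exponent, coprime with (p-1)(q-1)


def sender_encrypt(m: int) -> int:
    """Step 1: the sender publishes N, e and the ciphertext m^e mod N."""
    return pow(m, E, N)


def sender_square_root(c: int, rng: random.Random) -> int:
    """Step 3: return one of the four square roots of c mod N, chosen at random.

    Knowing p and q, the sender takes a root modulo each prime and combines
    them with the Chinese Remainder Theorem; the sign choices pick the root.
    """
    rp = pow(c, (P + 1) // 4, P)
    rq = pow(c, (Q + 1) // 4, Q)
    rp = rp if rng.random() < 0.5 else P - rp
    rq = rq if rng.random() < 0.5 else Q - rq
    t = ((rq - rp) * pow(P, -1, Q)) % Q   # y = rp + P*t satisfies y = rq (mod Q)
    return (rp + P * t) % N


def receiver_recover(x: int, y: int, c: int):
    """Receiver side.  If y is neither x nor -x, gcd(x - y, N) is a nontrivial
    factor of N, so the receiver can derive d and decrypt c.  Returns m, or
    None when y = +-x and the transfer was 'lost' (nothing learned beyond c)."""
    assert pow(y, 2, N) == pow(x, 2, N), "sender returned a non-root"
    if y in (x % N, (-x) % N):
        return None
    p = gcd(x - y, N)
    q = N // p
    d = pow(E, -1, (p - 1) * (q - 1))
    return pow(c, d, N)


def rabin_ot(m: int, seed: int):
    """One protocol run; returns m with probability 1/2, otherwise None."""
    rng = random.Random(seed)                   # seeded so runs are reproducible
    c = sender_encrypt(m)                       # 1. sender -> receiver: N, e, m^e
    x = rng.randrange(1, N)                     # 2. receiver picks x, sends x^2
    if gcd(x, N) != 1:
        raise ValueError("x shares a factor with N (negligible probability)")
    y = sender_square_root(pow(x, 2, N), rng)   # 3. sender -> receiver: y
    return receiver_recover(x, y, c)


def transfer_rate(m: int, trials: int) -> float:
    """Fraction of runs in which the receiver learns m; tends to 1/2."""
    return sum(rabin_ot(m, s) is not None for s in range(trials)) / trials
```

Running `transfer_rate(4242, 300)` over many seeds lands near 0.5, which is the "noisy wire" behaviour the section describes.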

The Rabin cryptosystem is an asymmetric cryptographic technique whose security, like that of RSA, is related to the difficulty of factorization. However, the Rabin cryptosystem has the advantage that the problem on which it relies has been proved to be as hard as integer factorization, which is not currently known to be true of the RSA problem. It has the disadvantage that each output of the Rabin function can be generated by any of four possible inputs; if each output is a ciphertext, extra complexity is required on decryption to identify which of the four possible inputs was the true plaintext.

Rabin's protocol was built on the square transformation, giving rise to an oblivious transfer probability of one-half. Thus the protocol for mutual exchange of secrets, implemented by Rabin, has a non-termination probability of one-quarter for every iteration. However, using Kak's cubic function a mutual exchange of secrets protocol would have a non-termination probability of only one-ninth. Moreover, probabilities of transfer other than one-half may be useful in certain applications such as lottery draws, where the probability of draw of prizes of larger value must be lower than the probability of draw for the prizes of lower value.

3.2 One-out-of-two oblivious transfer

Fig. 2: 1-2 oblivious transfer

In this situation, the Sender sends an ordered pair of bits (b_0, b_1) into the 1-2-OT machine. The Receiver then gives the machine a bit i, indicating which input he would like to receive. The machine outputs b_i and discards b_(1-i). The Sender knows that the Receiver has one of the bits, but not which one.

The Ideal Model. In the ideal model, the two parties can make use of a trusted party to calculate the function. The algorithms B1 and B2 of the protocol B = (B1, B2) receive the inputs x and y, respectively, and the auxiliary input z. They send values x' and y' to the trusted party, who sends them back the values u' and v' satisfying (u', v') = f(x', y'). Finally, B1 and B2 output the values u and v. The two honest algorithms B1 and B2 always send x' = x and y' = y to the trusted party, and always output u = u' and v = v'. Now, if B̄ = (B̄1, B̄2) is an admissible pair of (possibly cheating) algorithms for the protocol B = (B1, B2), the joint execution of f under B̄ in the ideal model,

ideal_{f, B̄(z)}(x, y)

is the resulting output pair, given the inputs x and y and the auxiliary input z.

The Real Model. In the real model, the parties have to compute f by a protocol ∏ = (A1, A2) without the help of a trusted party. Let Ā = (Ā1, Ā2) be an admissible pair of (possibly cheating) algorithms for ∏. Then the joint execution of ∏ under Ā in the real model,

real_{∏, Ā(z)}(x, y)

is the resulting output pair, given the inputs x and y and the auxiliary input z.

Perfect Security: “Real = Ideal”. A protocol ∏ computes a function f perfectly securely if, intuitively speaking, every “real” cheater has an equally powerful counterpart in the ideal model.

In a 1-2 oblivious transfer protocol, the sender has two messages m_0 and m_1 and the receiver has a bit b; the receiver wishes to receive m_b without the sender learning b, while the sender wants to ensure that the receiver receives only one of the two messages. The protocol of Even, Goldreich, and Lempel is general, but can be instantiated using RSA encryption as follows:

1. The sender generates RSA keys, including the modulus N, the public exponent e and the private exponent d, picks two random messages x_0 and x_1, and sends N, e, x_0 and x_1 to the receiver.

2. The receiver picks a random message k, encrypts k, adds x_b to the encryption of k modulo N, and sends the result q to the sender.

3. The sender computes k_0 as the decryption of q - x_0 and similarly k_1 as the decryption of q - x_1, and sends m_0 + k_0 and m_1 + k_1 to the receiver.

4. The receiver knows k_b (it is simply k, since decrypting the encryption of k gives k back) and subtracts it from the corresponding part of the sender's message to obtain m_b.

3.3 1-n oblivious transfer

A 1-n oblivious transfer protocol can be defined as a natural generalization of a 1-2 oblivious transfer protocol. Specifically, a sender has n messages and the receiver has an index i; the receiver wishes to receive the i-th of the sender's messages without the sender learning i, while the sender wants to ensure that the receiver receives only one of the n messages. Intuitively, it can also be considered as the effect of adding a database-privacy requirement to an existing private information retrieval protocol.
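Added example (not the report's own code, nor that of Even, Goldreich and Lempel) serving both the RSA instantiation in 3.2 and its generalization here: the same four steps written for 1-out-of-n, so n = 2 is exactly the protocol listed in 3.2. The toy primes, exponent and all function names are constructed assumptions.

```python
import random
from typing import List, Tuple

# Constructed toy RSA key (real keys are far larger).  N and E are public,
# D is the sender's private exponent.
P, Q = 1019, 1031
N = P * Q
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))


def sender_step1(n: int, rng: random.Random) -> List[int]:
    """Step 1: the sender publishes N, e and n random values x_0 .. x_{n-1}."""
    return [rng.randrange(N) for _ in range(n)]


def receiver_step2(xs: List[int], i: int, rng: random.Random) -> Tuple[int, int]:
    """Step 2: pick a random k and send v = x_i + k^e mod N.  Because k^e is
    uniform, v is uniform whatever i is, so the sender learns nothing about i."""
    k = rng.randrange(1, N)
    v = (xs[i] + pow(k, E, N)) % N
    return v, k


def sender_step3(xs: List[int], v: int, msgs: List[int]) -> List[int]:
    """Step 3: for every j compute k_j = (v - x_j)^d mod N and send m_j + k_j.
    Exactly one k_j (j = i) equals the receiver's k; the others are unknown to her."""
    return [(m + pow((v - x) % N, D, N)) % N for x, m in zip(xs, msgs)]


def receiver_step4(cs: List[int], j: int, k: int) -> int:
    """Step 4: subtract k from the j-th blinded message (correct only for j = i)."""
    return (cs[j] - k) % N


def run_protocol(msgs: List[int], i: int, seed: int = 0) -> Tuple[List[int], int]:
    """Run steps 1-3 with a seeded RNG (reproducible); returns the blinded
    messages and the receiver's k.  Messages must be integers below N."""
    rng = random.Random(seed)
    xs = sender_step1(len(msgs), rng)
    v, k = receiver_step2(xs, i, rng)
    return sender_step3(xs, v, msgs), k


def one_of_n_ot(msgs: List[int], i: int, seed: int = 0) -> int:
    """Full 1-out-of-n run: the receiver ends up with exactly m_i."""
    cs, k = run_protocol(msgs, i, seed)
    return receiver_step4(cs, i, k)


def other_slots_leak(msgs: List[int], i: int, seed: int = 0) -> bool:
    """Sender-privacy check: does k unlock any slot other than i?  Since RSA is
    a permutation, k_j = k only if x_j = x_i, which has probability about 1/N."""
    cs, k = run_protocol(msgs, i, seed)
    return any(receiver_step4(cs, j, k) == msgs[j]
               for j in range(len(msgs)) if j != i)
```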

4 Security, attacks, security of mobile computing

4.1 Attacks

What are the common attacks on Rabin's Oblivious Transfer protocol?

A trap to test the reader is the common transfer. A certain protocol was developed to train the oblivious. And to open the file the reader of the i only has to ask for abstract reading as opposed to literal. A certain test of the reader is the common usage, and to fail is to never understand abstract reading.

A read to generalize the subject then is applied to the particular. A transfer of subject without understanding is the true intention as the Oblivious Read.

An attack becomes the conversion of the subject to the certain. And the computer bit as the subject is then converted to the certain bit with the operation of sequence.

A set of bits is truly oblivious in meaning until the sequence is understood. And to reorder the bit set to the understandable becomes the protocol's common attack.

A trapdoor to test the thinking of the cryptographer is this protocol's usage. A certain abstract functional transform is given to entice the mathematical reader.

And to think it profound rather than devious is the mistake.

4.2 Security

4.2.1 Security of Rabin’s cryptosystem

The proof that the security of Rabin's cryptosystem is equivalent to a factorization problem led to the development of the zero-knowledge proof. In such a proof a prover tries to convince a verifier that he possesses certain information, but he does not disclose the information, only the proof that he possesses it. With every iteration of the algorithm, the probability of an impostor cheating a verifier decreases exponentially.

4.2.2 Security of mobile computing

As an important paradigm of computation, the mobile agent has a lot of potential applications in electronic commerce. However, the success of the mobile agents depends on security. In the past, the focus of mobile-agent security has been on protecting the safety and the integrity of visited hosts.

The mobile agent is a fundamental building block of the mobile computing paradigm. In mobile agent security, oblivious transfer (OT) from a trusted party can be used to protect the agent's privacy and the hosts' privacy. A new cryptographic primitive called Verifiable Distributed Oblivious Transfer (VDOT) allows us to replace a single trusted party with a group of threshold trusted servers. The design of VDOT uses a novel technique called consistency verification of encrypted secret shares. VDOT protects the privacy of both the sender and the receiver against malicious attacks of the servers.

Our VDOT can be viewed as an extension of DOT, which introduces a group of servers to the 1-out-of-2 OT scenario. The major difference is that our VDOT protocol considers potentially malicious servers, while the DOT protocol considers semi-honest servers. Another difference is that our model allows the receiver to communicate with all servers.

A problem similar to OT is private information retrieval (PIR), in which a user (analogous to the receiver in OT) privately retrieves a bit from a database (analogous to the sender in OT). However, in PIR only the user's privacy is protected, and the amount of communication is required to be small. In order to get nontrivial solutions with information-theoretic privacy, it is often assumed that there are two or more copies of the database, held by database servers that do not communicate with each other. With computational assumptions, a PIR protocol with a single copy of the database can be constructed. Gertner, Ishai, Kushilevitz, and Malkin added the privacy of the database to the PIR model. The result is called symmetric PIR (SPIR). The difference between SPIR and OT is that the former further requires small communication overhead.

Fig. 3: System Architecture for Mobile Agent Computation

We presented a system for secure mobile-agent computation. The system partitions an agent into the general portion and the security-sensitive portion. The system protects the privacy of both the originator and the hosts, without using any single trusted party.

Fig. 4: Overhead of VDOT ((n, t) = (6, 3))


5 Summary

In our project we have considered the topic of "Oblivious transfer of bits". In Chapter 1, we gave the definition of OT and COT and of related notions such as PIR or zero-knowledge. In Chapter 2, we described the history of OT and other protocols and commemorated some important discoverers in this topic in chronological succession. Chapter 3 described the known protocols of OT: Rabin's oblivious transfer protocol, 1-2 oblivious transfer and 1-n oblivious transfer, explained with schemes and algorithms. It appears that such algorithms should have preceded Rabin's protocol. It shows that there exist numerous variations on the implementation of OT protocols. Security, attacks and mobile security are the objects of Chapter 4. OT is a very important topic in cryptography and future evolution is expected, especially in the improvement of security.
