Oblivious Transfer and Bit Commitment from Noisy Channels Ivan Damgård BRICS, Århus University.


1 Oblivious Transfer and Bit Commitment from Noisy Channels
Ivan Damgård, BRICS, Århus University

2 Commitments
Committer C sends a "bit b in a box" to a receiver R.
Hiding: from the commitment, R cannot guess b.
Binding: having given away the box, C cannot change his mind about the value of b; he can only open it in one way.

3 (1-out-of-2 bits) Oblivious Transfer
Sender S inputs two bits b_0, b_1; receiver R inputs his choice c of which bit to receive and obtains b_c.
S learns nothing new (in particular nothing about c).
R learns one of S's bits and nothing about the other one.
Many variants: 1-2 string OT, 1-t bit/string OT, Rabin OT. All are equivalent under information-theoretic reductions.

4 BC follows from OT
For instance:
1. Receiver sends n pairs (b_{i,0}, b_{i,1}) by OT to Committer.
2. Committer reads, for all i, b_{i,c}, where c is the bit to commit to.
3. Open by revealing b_{1,c}, b_{2,c}, ..., b_{n,c}. Receiver checks that they match the bits he sent.
In fact, general multiparty computation, and hence more or less anything, follows from OT.
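The three-step commitment above, simulated with an ideal OT box; this is an added illustration, not code from the talk, and the n = 128 default and the `ideal_ot` helper are assumptions of the example.

```python
import secrets

def ideal_ot(b0, b1, c):
    """Ideal 1-out-of-2 bit OT: receiver with choice c gets b_c, sender learns nothing."""
    return b1 if c else b0

def commit(c, n=128):
    """Step 1 and 2 of the slide: the receiver picks n random pairs and sends them
    by OT; the committer, with bit c, reads b_{i,c} from every pair.
    Returns (receiver's pairs, committer's opening information)."""
    pairs = [(secrets.randbits(1), secrets.randbits(1)) for _ in range(n)]
    opening = [ideal_ot(p0, p1, c) for (p0, p1) in pairs]
    return pairs, opening

def open_commitment(pairs, claimed_bit, opening):
    """Step 3: the receiver accepts the claimed bit only if every revealed
    value equals b_{i,claimed_bit} of the pair he sent."""
    return all(pairs[i][claimed_bit] == opening[i] for i in range(len(pairs)))

def binding_cheat_success(pairs, opening, c):
    """A committer who received b_{i,c} tries to open as 1-c. He never saw
    b_{i,1-c}, so his best attempt is to present what he has; the receiver
    accepts only if b_{i,0} == b_{i,1} for all i, probability 2^-n."""
    return open_commitment(pairs, 1 - c, opening)
```

Hiding holds because the ideal OT returns nothing to the receiver about which of the two values the committer read.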

5 Impossibility if Adversary has full info
If only error-free communication between the two parties is available, BC (and hence OT) is impossible with unconditional security:
C(ommitter) sees all messages received by the other party. Unconditional hiding implies that C can execute the protocol with b=0, yet there exists a complete view of the protocol for C, with the same exchange of messages, that is consistent with b=1. C can always compute such a view and claim this was what he had in mind all the time, so there is no binding.

6 OT from Binary Symmetric Channels (BSC)
BSC(p) flips every bit sent with probability p.
S sends the pair (b,b) over BSC(p); R receives (b_0, b_1). If b_0 = b_1, that bit is received, otherwise ? is received.
Pr(?) = 2p(1-p), Pr(correct bit received) = (1-p)^2, Pr(wrong bit received) = p^2.
If we drop all ?'s, we have a BSC with error probability q = p^2 / (p^2 + (1-p)^2).
Observation [Crépeau/Kilian 88]: this is a weak version of Rabin OT: R learns nothing, or some information on the bit sent. S (if honest) learns nothing. So perhaps we can get real OT from this.
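The erasure and residual-error probabilities of the slide, checked against a Monte Carlo run of the (b,b) repetition over BSC(p); added example, not code from the talk, with the trial count and seed as assumptions.

```python
import random

def bsc(bit, p, rng):
    """Binary symmetric channel: flip the bit with probability p."""
    return bit ^ int(rng.random() < p)

def send_pair(b, p, rng):
    """Send (b, b) over BSC(p); R outputs the bit if both copies agree, else '?'."""
    r0, r1 = bsc(b, p, rng), bsc(b, p, rng)
    return r0 if r0 == r1 else '?'

def predicted(p):
    """Closed-form values from the slide: Pr(?), Pr(correct), Pr(wrong) and the
    error rate q of the channel that remains once erasures are dropped."""
    erase = 2 * p * (1 - p)
    correct = (1 - p) ** 2
    wrong = p ** 2
    q = wrong / (wrong + correct)
    return erase, correct, wrong, q

def simulate(p, trials=100_000, seed=1):
    """Empirical estimate of the same four quantities (constructed input: random bits)."""
    rng = random.Random(seed)
    counts = {'?': 0, 'ok': 0, 'bad': 0}
    for _ in range(trials):
        b = rng.randrange(2)
        out = send_pair(b, p, rng)
        if out == '?':
            counts['?'] += 1
        elif out == b:
            counts['ok'] += 1
        else:
            counts['bad'] += 1
    erase = counts['?'] / trials
    correct = counts['ok'] / trials
    wrong = counts['bad'] / trials
    q = counts['bad'] / (counts['bad'] + counts['ok'])  # erasures dropped
    return erase, correct, wrong, q
```

For p = 1/4 the repetition turns a 25% error channel into a 10% one at the cost of erasing 37.5% of the positions, which is exactly what the OT protocol on the next slide exploits.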

7 OT from BSC [Crépeau97]
1. S sends N pairs (b_i, b_i) over BSC(p) to R.
2. R receives N erasures and bits. He splits them into two sets T_0, T_1 of N/2 positions such that all erasures go into T_{1-c}, and sends T_0, T_1 to S (on the error-free channel).
3. Let str_0, str_1 be the strings of bits sent at the positions in T_0, T_1. S uses an error-correcting code to construct correction information syn_0, syn_1; syn_i will be sufficient to reconstruct str_i if it is received over a BSC(q). S also chooses two universal hash functions h_0, h_1 from N/2 bits to 1 bit.
4. syn_0, syn_1, h_0, h_1, h_0(str_0) ⊕ b_0, h_1(str_1) ⊕ b_1 are sent to R, who uses syn_c to reconstruct str_c and computes h_c(str_c) ⊕ (h_c(str_c) ⊕ b_c) = b_c.

8 Why does it work?
Message flow: S sends (b_i, b_i), i=1..N, over the BSC; R receives ? or b'_i at each position; R sends T_0, T_1; S sends syn_0, syn_1, h_0, h_1, h_0(str_0) ⊕ b_0, h_1(str_1) ⊕ b_1.
S (if honest) learns nothing.
Even if R cheats, at least one set T_i contains (about) Np(1-p) erasures. One can compute R's collision entropy of str_i given syn_i and the N/2 - Np(1-p) bits of str_i seen through a BSC(q). It turns out to be linear in N. Privacy amplification ⇒ R's expected information on h_i(str_i) is exponentially small.
Note: we need an efficiently decodable error-correcting code such that syn_i is small enough.

9 What if S cheats?
Best known solution: a reduction that builds OT from many repetitions of an imperfect OT in which S may learn R's choice (see later for details). The reduction works if S failed to learn R's choice in at least one of the repetitions.
We do this reduction and, at the same time, R checks that the number of received erasures is not larger than expected.
Check satisfied ⇒ upper bound on the number of bad pairs sent by S ⇒ S failed to break at least one of the weak OTs ⇒ the overall protocol is OK.

10 Conclusion on OT/BC from BSC(p)
OT and BC can be built from BSC(p) for any non-trivial value of p (0 < p < 1/2) [Crépeau97], [Morozov et al. 01].
Reasonably efficient BC (special-purpose protocol by Crépeau, no need to build it from OT): O(n) uses of the BSC are enough for error probability exponentially small in n.
But very inefficient OT if we want security against active cheating: O(n^{2+ε}) is the best known. Better solutions??

11 OT from noisy channels in general
General channel: a set of input symbols X, output symbols Y, and for each x ∈ X a given distribution P_{Y|x}.
[Nascimento and Winter 05], [Crépeau, Morozov and Wolf 04]: OT can be built from any non-trivial noisy channel.
Non-trivial channels as defined in [CMW] are essentially equivalent to noiseless channels ⇒ we have a complete characterization of the noisy channels from which OT can be built.
[Kilian 00]: characterization of crypto-gates that can be used for OT. Crypto-gates are a more general concept: they take input from both parties and send output to both.

12 So are we done?
Not quite! All results so far assume that the channel's behaviour is known exactly, i.e., BSC(p) where p is known. If p is smaller than we expect, the previous protocols fail.
⇒ Problems in practice: real channels often do not have a constant error rate.
Worse: an adversary may have an interest in removing noise from the channel.
Even worse: it is always possible to conceal that you removed noise: just pretend you received a noisier signal.

13 Unfair Noisy Channels - a more realistic model [Damgård, Kilian, Salvail 99]
Basic idea: allow the adversary an "unfair" advantage by giving him extra power/information that is not available to an honest player.
(γ,δ)-UNC: a BSC(p), but the only guarantee is that 0 < γ ≤ p ≤ δ < ½. The adversary can decide what p should be for every transmission. Models an active adversary that tries to physically modify the channel.
(γ,δ)-PassiveUNC: a BSC(δ), but the adversary gets extra side information so that, from his point of view, the channel is a BSC(γ). Models a passive adversary that eavesdrops somewhere "in the middle".

14 For which values (γ,δ) can we do something interesting?
Trivialities: if γ=δ, we are back in the BSC case and everything is possible. If γ=0, the adversary has full information and nothing is possible.
So what happens "in the middle"? If the [γ,δ] interval is too wide, nothing can be done, namely if δ ≥ 2γ(1-γ):
S wants to send b, flips b with probability γ, and sends the result b'. R flips b' with probability γ and defines the result b'' to be the received bit.
This is a (γ,δ)-PassiveUNC with δ = 2γ(1-γ), built without any noisy resource at all!
⇒ UNCs are trivial for δ ≥ 2γ(1-γ).

15 BC from any (γ,δ)-UNC with δ < 2γ(1-γ) [Damgård, Kilian, Salvail 99]
S sends a random n-bit string X to R over the UNC; R receives X'.
This has the right flavour: S cannot later claim to have sent just any bit string, since many of them will be too far away from X', i.e., at Hamming distance > δn. R does not have full information on X.
Idea: make S reveal more information on X, such that many candidates remain from R's point of view, yet only one candidate can be convincingly claimed later.

16 Intuition: why can this work?
S sends X; X' is received at distance about γn from X, since S will remove as much noise as he can.
If S later reveals a string Y at distance γn from X (on the other side of X), R will reject, since the distance from X' to Y will be about 2γ(1-γ)n > δn.
So S must reveal a Y at a shorter relative distance μ from X, with μ(1-γ) + (1-μ)γ < δ.
On the other hand, a cheating R only knows that X is some string at distance γn from X'.

17 Conclusion
Have S reveal extra information on X such that:
Of all strings at distance μn from X, only one candidate remains.
Of all strings at distance γn from X', a large number of candidates remain.
Possible, since μ < γ: the number of strings at distance γn from X' is exponentially larger than the number of strings at distance μn from X.

18 Sketch of Protocol
To commit: S sends a random string X to R over the UNC; X' is received. R chooses universal hash functions h1, h2. For i=1,2: R sends h_i to S, and S returns h_i(X). S chooses a universal hash function h and sends h to R. The committed bit is defined as h(X).
To open: S sends X to R. R rejects if X is inconsistent with the hash values received, or if dist(X,X') > δ'n, where δ' is a constant chosen slightly larger than δ.
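A runnable version of the commit/open sketch above, added here as an illustration rather than taken from the talk. It assumes the universal hash families are random GF(2)-linear maps (k output bits for h1, h2, one bit for h), models the UNC as a BSC(p) with p chosen anywhere in [γ,δ], and uses n, k, δ' and the seeds as example parameters.

```python
import random

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def random_string(n, seed):
    """Constructed input: S's random n-bit string X."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n)]

def unc_send(x, p, rng):
    """(γ,δ)-UNC modelled as a BSC(p); the adversary may pick any γ ≤ p ≤ δ."""
    return [bit ^ int(rng.random() < p) for bit in x]

def linear_hash(n, k, rng):
    """k random masks a_1..a_k; h(X) = (<a_1,X>, ..., <a_k,X>) over GF(2).
    Distinct X, Y collide with probability 2^-k, so the family is universal."""
    return [[rng.randrange(2) for _ in range(n)] for _ in range(k)]

def apply_hash(h, x):
    return tuple(sum(a & b for a, b in zip(mask, x)) % 2 for mask in h)

def commit(x, p, gamma, delta, k, seed=0):
    """Commit phase. Returns the committed bit h(X) and R's state for the open phase."""
    if not (gamma <= p <= delta < 0.5):
        raise ValueError("p must lie in [gamma, delta], delta < 1/2")
    rng = random.Random(seed)
    n = len(x)
    x_prime = unc_send(x, p, rng)                                      # R's noisy copy X'
    h1, h2 = linear_hash(n, k, rng), linear_hash(n, k, rng)            # chosen by R
    answers = (apply_hash(h1, x), apply_hash(h2, x))                   # S returns h_i(X)
    h = linear_hash(n, 1, rng)                                         # chosen by S
    state = dict(x_prime=x_prime, h1=h1, h2=h2, answers=answers, h=h)
    return apply_hash(h, x)[0], state

def open_commitment(state, y, delta_prime):
    """Open phase: R accepts Y only if it matches both hash answers and lies within
    relative distance δ' of X'. Returns the opened bit h(Y), or None on rejection."""
    hashes_ok = (apply_hash(state['h1'], y), apply_hash(state['h2'], y)) == state['answers']
    close = hamming(y, state['x_prime']) <= delta_prime * len(y)
    return apply_hash(state['h'], y)[0] if hashes_ok and close else None
```

The test below shows the two rejection paths the slide names: a string that differs from X in a single bit fails the hash check, and a string far from X' fails the distance check.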

19 BC from UNC resolved
[Figure: the (γ,δ) plane, both axes from 0 to ½, divided into a region where nothing is possible and a region where BC is possible.]

20 OT from UNC? First observation [Damgård, Fehr, Morozov, Salvail 04]
It is enough to build OT with passive security based on a (γ,δ)-PassiveUNC, since any such protocol can be transformed into a protocol for OT with active security based on a (γ,δ)-UNC.
Idea: use a (γ,δ)-UNC to build a new channel that is essentially a (γ,δ)-PassiveUNC, but where the players are committed to the bits they send/receive. Now run the passively secure protocol, but have the players prove in ZK that they send the correct messages. This is possible because they are committed to what they sent and received.

21 Protocol for Committed Passive UNC (CPUNC)
S sends b_1, b_2, ..., b_n over the UNC; R receives b'_1, b'_2, ..., b'_n.
1. S commits to the bits, sends them on the UNC, and R commits to the received bits.
2. Open a random sample and check that the error rate is not (much) more than δ.
3. Choose a random unopened position i. Define b_i to be the bit sent and b'_i to be the bit received.
This is essentially a PassiveUNC: Pr(b_i ≠ b'_i) ≈ δ, and a cheating S or R may know the bit on the other side with noise γ added.

22 Building Weak OT from PassiveUNC
Assumption: passive security, i.e., S and R follow the protocol. Bits to send: b_0, b_1; c is R's choice bit.
Idea: use the classic trick of sending pairs of bits (b,b). S sends 4 random bits of the form (u,u), (v,v) over the PassiveUNC. Repeat until R receives something of the form (u',u'), (v',1-v') or (u',1-u'), (v',v').
R now knows something about one of u, v and nothing about the other ⇒ R asks S to send b_0 ⊕ u, b_1 ⊕ v or b_0 ⊕ v, b_1 ⊕ u, the choice depending on c.
Not quite OT: a corrupt S or R may learn something from their side information, and an honest R may not get the right bit.

23 Building OT from WOT
Def: a (p,q,ε)-WOT is an OT where S learns R's choice bit c with probability p (and nothing otherwise), R learns b_{1-c} with probability q, and an honest R gets b_c with noise ε added.
What we just constructed from a (γ,δ)-UNC is a (p,q,ε)-WOT where p, q, ε are functions of γ, δ.
If we can build OT from (p,q,ε)-WOT for a certain range of values of p, q, ε, this defines a range of values for γ, δ for which OT is possible.

24 Known Reductions
S-Reduce: reduce p at the cost of larger q, ε.
R-Reduce: reduce q at the cost of larger p, ε.
ε-Reduce: reduce ε at the cost of larger p, q.
Using a carefully designed mix of these, one can build OT from (p,q,0)-WOT if p+q < 1. Optimal, since (p,q,0)-WOT with p+q ≥ 1 is trivial.
One can also build OT from (p,q,ε)-WOT if p+q+2ε < 0.45. Not optimal.
[DFMS04]: tighter analysis, using a more general model (GWOT). Leads to the best known results for OT from UNC.

25 [Figure: the (γ,δ) plane, both axes from 0 to ½, with regions marked "nothing possible", "??", [DFMS04] and [DKS99].]

26 Conclusions
We understand quite well which kinds of noisy resources allow for general 2-party crypto, assuming that the behaviour of the noise is known exactly. Typically, a resource is either trivial or allows OT and hence anything.
The efficiency of some constructions seems (very) suboptimal.
For resources whose behaviour is not exactly known (UNC), there is much we do not know. The BC vs. UNC question is resolved, but: Is OT possible from any non-trivial UNC? What about other models for the noise? What about channels with memory?
