Oblivious Transfer
Outline Preliminary Requirements protocols
Assumptions Semi-honest party assumption Malicious party assumption Parties honestly follow the security protocol Parties might be curious about the transferred data Malicious party assumption The malicious party can do anything Transfer false data Turn down the protocol Collusion Often, we can handle semi-honest + integrity verification
Public-key encryption Let (G,E,D) be a public-key encryption scheme G is a key-generation algorithm (pk,sk) G Pk: public key Sk: secret key Terms Plaintext: the original text, denoted as m Ciphertext: the encrypted text, denoted as c Encryption: c = Epk(m) Decryption: m = Dsk(c) Concept of one-way function: knowing c, pk, and the function Epk, it is still computationally intractable to find m. *Check literature for different implementations
Example: the RSA algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p.q, where p and q are distinct primes Proposed by Rivest, Shamir, and Adleman in 1977 and a paper was published in The Communications of ACM in 1978
RSA Key generation Alice encrypts M as C≡Me (mod n) Bob chooses two primes p,q and compute n=pq Bob chooses e with gcd(e,(p-1)(q-1))= gcd(e, ψ(n))=1 ψ(n) Euler's totient function counting the positive integers up to a given integer n that are relatively prime to n Bob solves de≡1 (mod ψ(n)) Bob makes (n, e) public and (p,q,d) secret Alice encrypts M as C≡Me (mod n) Bob decrypts by computing M≡Cd (mod n)
Correctness Euler’s theorem RSA correctness proof: If a and n are co-prime, i.e., gcd(a, n)=1, Then: aψ(n) = 1 mod n RSA correctness proof: Cd ≡ (Me)d ≡ Med ≡ M1+kψ(n) ≡M (mod n)
security Finding d -> finding ψ(n) -> finding p and q from n the fastest factorization algorithm for b-bit number
1-out-of-2 Oblivious Transfer (OT) Setting Sender has two messages m0 and m1 Receiver has a single bit {0,1} and wants to learn m , but does not want the sender know which bit is selected. Outputs Sender knows nothing about Receiver obtain m and learns nothing of m1-
A simple protocol Assume that a public-key can be sampled without knowledge of its secret key (knowing pk only): The protocol is simplified with this assumption Knowing pk but not knowing sk – tricky to do that Both parties are honest
A simple Protocol for Oblivious Transfer Receiver (with input ): Receiver chooses one key-pair (pk,sk) and one public-key pk’ (oblivious key generation), but does not know sk’ (pk’ cannot be released by sender; sender should not know which is the pk’) Receiver sets pk = pk, pk1- = pk’ Receiver sends pk0,pk1 to sender Sender (with input m0,m1): Sends c0=Epk0(m0), c1=Epk1(m1) Receiver: Decrypts c using sk and obtains m. Note: receiver can decrypt for pk but not for pk1-
Cost Receiver: Sender: Computation: two key generation operations; one decryption Communication: 2 PKs Sender: Computation: two encryption ops Communication: 2 ciphertext
A more practical 1 out of 2 OT Protocol m0 and m1 Alice’s messages Generate a RSA key-pair: Public Key or PK (N, e) Secret Key or SK (d) 2. Generate random messages: x0 and x1 3. Decrypt the two possible ks as Alice does not know b hence xb used in computing v by Bob: k0 = (v – x0)^d mod N k1 = (v – x1)^d mod N 4. Hide messages m0 and m1 as m0’=m0+k0 m1’=m1+k1 b 𝜖 {0,1} Bob’s input bit Generate a random message: k Encrypt k as: E(k) = ke 3. Compute: v = xb + ke mod N 4. Retrieve: mb = mb’ - k PK, x0, and x1 Alice (sender) v Bob (receiver) m0’ and m1’
security Assume Bob wants to know m0 security: Bob cannot know k1 Needs to know d Alice cannot distinguish k0, k1
Costs Bob Alice Computation: 1 rand msg + 1 encryption + 2 mod add Communication: v Alice Computation: 1 key generation, 2 rand msgs + 2 decryption + 2 mod add Communication: pk + 2 rand msgs + 2 decrypted msgs
Reducing costs There are more efficient 1-out-of-2 protocols developed recently
Generalization Similarly, we can define 1-out-of-k oblivious transfer Protocol remains the same: Choose k-1 public keys for which the secret key is unknown Choose 1 public-key and secret-key pair