A Light-weight Oblivious Transfer Protocol Based on Channel Noise
Albert Guan
Outline
- Introduction
- Related Work
- Oblivious Transfer Protocol
- Comparison
- Conclusions
Introduction
- Design fundamental tools in cryptography
- Applications
- Oblivious transfer (OT)
  - Applications
    - Secure multiparty computation
    - Private information retrieval
Secure Multiparty Computation
- Millionaires' problem
  - Suppose A has wealth x, B has wealth y
  - They want to know who is richer
  - Without revealing their actual wealth
  - f(x, y) = 1, if x > y
  - f(x, y) = 0, otherwise
Secure Multiparty Computation
- Parties P1,…,Pn
- Party Pi has private input xi
- The parties want to jointly compute a function y = f(x1,…, xn)
- Each party Pi knows only y, nothing else.
Private Information Retrieval
- Server holds x1, x2,…, xn
- User wants to retrieve xi
- Server can’t learn which xi is retrieved.
- User learns only xi, nothing else.
Definition of the problem
- Oblivious Transfer (OT)
  - A: sender has two secrets m0 and m1
  - B: receiver has choice c
  - Goal: B learns only mc, A doesn’t know c
Security Models
- Computationally secure
  - Attacker does not have enough computing resources to break the system.
  - If quantum computers are available, most of the commonly used public key cryptosystems (e.g. RSA) can be broken.
- Statistically secure
  - The probability for the attacker to break the system is negligible even with unlimited computing resources.
- Our protocol is statistically secure.
Related Work
- Rabin's oblivious transfer protocol [Rabin 83]
  - Based on a computationally hard problem: factoring large integers
  - Computationally secure
  - Heavy computation: long integer arithmetic
Related Work
- Erasure channel model [Imai et al. 06]
  - The receiver either receives the bit or does not receive it
- Channel delay model [Cheong et al. 11]
  - Packets are delivered with some delay
- Security doesn’t depend on computationally hard problems
Our Work
- Design protocols
  - Security does not depend on computationally hard problems
  - Only need XOR and hash operations
  - Suitable for sensors or any devices with low computational power
Our Work
- Based on noise in the communication channel
- Channel noise is a good random source
  - Unpredictable
Binary Symmetric Channel
- BSp(b) = b, with prob. 1 – p
- BSp(b) = 1 – b, with prob. p
- Pr[b’ = 0 | b = 0] = Pr[b’ = 1 | b = 1] = 1 – p
- Pr[b’ = 1 | b = 0] = Pr[b’ = 0 | b = 1] = p
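An added example, not from the original slides: a simulation of the binary symmetric channel BSp defined above. It goes beyond the slide by also checking the standard fact that the XOR of k bits sent through BSp arrives flipped with probability (1 – (1 – 2p)^k)/2; the function names, p = 0.1, k = 4 and the fixed seed are assumptions chosen for illustration.

```python
import random


def bsc(bits, p, rng):
    """Send bits through BS_p: each bit flips independently with probability p."""
    return [b ^ int(rng.random() < p) for b in bits]


def parity(bits):
    """XOR of all bits in the list."""
    acc = 0
    for b in bits:
        acc ^= b
    return acc


def empirical_crossover(p, n, rng):
    """Fraction of n random bits that arrive flipped; approaches p as n grows."""
    sent = [rng.getrandbits(1) for _ in range(n)]
    recv = bsc(sent, p, rng)
    return sum(s != r for s, r in zip(sent, recv)) / n


def parity_crossover_theory(p, k):
    """Probability that the XOR of k bits is wrong after BS_p,
    i.e. that an odd number of the k bits were flipped."""
    return (1 - (1 - 2 * p) ** k) / 2


def parity_crossover_empirical(p, k, trials, rng):
    """Estimate the same probability by sending random k-bit blocks."""
    wrong = 0
    for _ in range(trials):
        sent = [rng.getrandbits(1) for _ in range(k)]
        wrong += parity(sent) != parity(bsc(sent, p, rng))
    return wrong / trials


if __name__ == "__main__":
    rng = random.Random(2024)  # fixed seed (assumption) so runs are repeatable
    p, k = 0.1, 4              # illustrative values, not taken from the slides
    print("per-bit flip rate:", empirical_crossover(p, 100_000, rng))
    print("parity flip rate (theory):", parity_crossover_theory(p, k))
    print("parity flip rate (measured):",
          parity_crossover_empirical(p, k, 50_000, rng))
```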
Oblivious Transfer (OT) Beacon node M = A B X = Y = Z Z = { |1 ≤ i ≤ n/2} if |{i | }| < n/4 abort , , {1, 2,…, n/2} ∩ = ϕ, | | = | | = n/4 Sc = {i | }
Oblivious Transfer (OT) A B f, ,
Security of the oblivious transfer protocol
- Theorem 1: A has no information about B’s choice c.
- Proof: This follows from the fact that the sets and give A no information on c, since the bits are flipped by the channel independently. The sender A cannot control the bits received by B.
Security of the oblivious transfer protocol
- Theorem 2: B has no information about , the other secret he does not choose.
- Proof: Since the secret corresponds to the index set , which contains some inconsistent parity bits, B can’t reconstruct the string
Comparison (oblivious transfer)
Scheme      Hao’s     Cheong’s      Crepeau’s   Ours
Message     1 bit     1 bit         1 bit       multi-bit
Based on    noise     delay         noise       noise
Overhead    O(n²)     O(n log n)    O(n³)       O(n)
n: security parameter
Conclusions
- Design efficient and lightweight protocols for oblivious transfer.
- Security does not depend on computationally hard problems
- Suitable for sensors or any devices with low computational power