
Oblivious Transfer based on the McEliece Assumptions

Rafael Dowsley, Jeroen van der Graaf, Jörn Müller-Quade, Anderson C. A. Nascimento. University of Brasilia.


Presentation Transcript


  1. Oblivious Transfer based on the McEliece Assumptions. Rafael Dowsley, Jeroen van der Graaf, Jörn Müller-Quade, Anderson C. A. Nascimento. University of Brasilia.

  2. [Diagram: Plaintext → Encryption (Key) → Ciphertext → Decryption (Key) → Plaintext]

  3. However, there are other (more challenging) tasks to be dealt with in cryptology… Secure Multi (Two)-Party Computations.

  4. They want to know if there exists mutual interest between them. However, they do not want to reveal an unrequited love. F(X,Y) = X AND Y. X AND Y = 1 → I love you. X AND Y = 0 → Get away! The players must learn the answer but should get no extra knowledge of each other's input, besides what can be computed from his/her input and the output itself.

  5. The Millionaires' Problem • Two millionaires want to know which of them is the richer. • However, they are not willing to reveal the amount of their wealth.

  6. Secure Two Party Computations. [Diagram: Alice holds X, Bob holds Y; output F(X,Y).] Alice should know nothing about F(X,Y) besides what can be computed from X. Bob should know nothing about X besides what can be computed from F(X,Y). If both players are honest, Bob should receive F(X,Y).

  7. An Ideal Protocol. [Diagram: X and Y are handed to a Trusted Third Party, which returns F(X,Y).]

  8. Security and Adversarial Models • A protocol is secure if anything an adversary obtains in the real protocol can also be obtained in the ideal model. • Honest-but-Curious Adversary: Follows the protocol, but otherwise tries to obtain as much information on the other player's input as possible. • Malicious: Can deviate from the protocol in an arbitrary way (spit on your face, stick a finger in your eye, etc.).

  9. Oblivious Transfer. [Diagram: inputs b0, b1 on one side; choice bit c on the other; output b_c.] Joe Kilian: Founding Cryptography on Oblivious Transfer. STOC 88: 20-31

  10. Oblivious Transfer. [Diagram: inputs b0, b1 on one side; choice bit c on the other; output b_c.]

  11. Oblivious Transfer. [Diagram: inputs b0, b1 on one side; choice bit c on the other; output b_c.] Oblivious Transfer is an important primitive, but no quantum resistant implementation is known.

  12. Oblivious Transfer. [Diagram: inputs b0, b1 on one side; choice bit c on the other; output b_c.] Here we give an oblivious transfer protocol based on assumptions from coding theory, which is computationally secure for Alice and for Bob. Oblivious Transfer is an important primitive, but no quantum resistant implementation is known.

  13. Relationship to PKC • OT and PKC do not imply each other in general.

  14. McEliece Error Correcting Codes. [Diagram: m → c → c' → m] Random linear codes are good, but difficult to decode.

  15. McEliece Error Correcting Codes. [Diagram: m → c → c' → m] Random linear codes are good, but difficult to decode. NP-complete.

  16. McEliece Error Correcting Codes. [Diagram: m → c → c' → m] Random linear codes are good, but difficult to decode. McEliece turned this into a public key scheme.

  17. Goppa Codes Goppa codes are algebraic geometry codes with good error correction properties.

  18. Scrambled Goppa Codes. $G' = S \cdot G \cdot P$. $G'$ looks like a generator matrix of a random code.

  19. The McEliece Cryptosystem. Secret key: $S$, $G$, $P$. Public key: $G'$.

  20. The McEliece Cryptosystem. Encrypt: $c = m \cdot G' + e$, where $e$ is a random error vector with $t$ errors. Decrypt: $c \cdot P^{-1}$, then the error correction procedure, then $\cdot\, S^{-1} = m$.

  21. The McEliece Assumptions • A scrambled Goppa code matrix is indistinguishable from a random matrix. • Decoding a random linear code is hard on average. We will turn this into an oblivious transfer scheme.

  22. Two Steps • Semi-honest adversary • Active adversary To later cope with the active adversary we need a commitment scheme from the McEliece assumption.

  23. Bit Commitment. Alice puts a bit b in a strong box. Alice gives this box to Bob. She cannot change b. Later Alice can unveil b to Bob. Secure commitment schemes give us zero knowledge proofs! • A commitment scheme is said to be secure if it is binding, concealing and correct: • Binding: the probability that Alice can successfully open two different commitments is negligible. • Concealing: Bob gets at most negligible information on the information Alice commits to before the opening phase. • Correct: The probability that honest Alice fails to open a commitment is negligible in a security parameter n.

  24. Commitments from McEliece. Simple: Commit = encrypt; Unveil = reveal the error vector e.

  25. Commitments from McEliece. Simple: Commit = encrypt; Unveil = reveal the error vector e. To achieve information theoretic security for Bob we need a statistically hiding commitment.

  26. Commitments from McEliece. Simple: Commit = encrypt; Unveil = reveal the error vector e. To achieve information theoretic security for Bob we need a statistically hiding commitment. The McEliece cryptosystem yields a one-way-function and statistically hiding commitments can be obtained from any one-way-function [Haitner/Reingold STOC07].

  27. The protocol for semi honest adversary. [Diagram: random matrix Q, message Q.]

  28. The protocol for semi honest adversary. [Diagram: random matrix Q, message Q; McEliece matrix G, message G, GQ.]

  29. The protocol for semi honest adversary. [Diagram: random matrix Q, message Q; McEliece matrix G, message G, GQ (order depends on choice).]

  30. The protocol for semi honest adversary. [Diagram: random matrix Q, message Q; McEliece matrix G, message G, GQ; encrypts m0, m1, message c0, c1.]

  31. The protocol for semi honest adversary. [Diagram: random matrix Q, message Q; McEliece matrix G, message G, GQ; encrypts m0, m1, message c0, c1; can decrypt only one.]

  32. An Active Attack. Given Q, can one find P and P' with Q = PP' such that both have reasonable error correcting properties? We could not exclude this... Bob could be able to obtain both...

  33. An Actively Secure Protocol • We perform the protocol twice (with random inputs): Bob commits to G, and in one of the protocols Alice will ask Bob to unveil and check if he cheated. • The cheating probability for Bob is 50%, but this can be made arbitrarily small by repetition... • More efficient than Goldreich's compiler.

  34. Interactive Hashing • We want Bob to send two matrices to Alice: one he can decode efficiently and one which is random. • Interactive hashing could yield a more efficient solution...

  35. We have a different reduction to a protocol secure against active cheaters based on BR Commitments (a generalized version). • Yields committed oblivious transfer!

  36. Conclusions • OT based on McEliece Cryptosystem • Secure against quantum computers (?) • Maybe an application for interactive hashing.
