Robust Combiners for Oblivious Transfer and Other Primitives

Danny Harnik, Joe Kilian, Moni Naor, Omer Reingold, Alon Rosen

Weizmann Institute of Science


Slide 2: Do Not Put All Your Eggs in One Basket

Slide 3: Example - Encryption

• Two candidates for encryption algorithms.
• At least one is secure.
• Maybe one is not!
• Which one to use???
• Goal: combine the two into a single algorithm.
• It should be secure even if one of them is not!

We call such a construction a Robust Combiner for encryption.

(Figure: the two candidates EncryptA and EncryptB are combined into a single scheme Encrypt.)

Slide 4: Robust Combiners

A Robust Combiner for a cryptographic primitive:
• A method for taking two candidate implementations of a primitive and producing a single implementation, so that if at least one candidate is secure then the resulting scheme is secure.
• In general, a (k,n)-robust combiner: there are n candidates, and if at least k of them are secure then the result is secure.

New name for an old concept.

Slide 5: Some Previous Appearances

• Herzberg (05) – "Tolerant schemes"
  – Parallel and cascade constructions as combiners.
  – Combiners for encryption, one-way functions, signatures and more.
  – Emphasis on the efficiency of the combiners.

Some examples:
• Asmuth & Blakely (81) – combine two untrusted encryption schemes.
• Multiple encryption is a type of combiner; it dates back to Shannon (49).
• Dodis & Katz (05) – combiner for CCA2 security.
• Hohenberger & Lysyanskaya (05) – combine two software implementations.
• More…

Slide 6: Combiners in Practice

• NESSIE – portfolio of recommended cryptographic primitives – advocates the use of multiple encryption.
• TLS (IETF) – combines the SHA1 & MD5 hash functions:
  "In order to make the PRF as secure as possible, it uses two hash algorithms in a way which should guarantee its security if either algorithm remains secure"

Slide 7: Combiners as a Theoretical Tool

• Robust combiners are a handy tool in the construction of primitives.
• They can get rid of mild non-uniformity in constructions:
  – If a short hint is all that is needed to construct an implementation of P, then go over all hints and use a (1,k)-robust P-combiner.
• Example: the HILL construction of pseudorandom generators from one-way functions:
  – Finds a construction with mild non-uniformity.
  – Then uses a combiner for PRGs to give a uniform construction.

Slide 8: Example - Universal Primitives

A scheme U is a universal scheme for a primitive P if it is guaranteed to be secure under the sole assumption that primitive P exists.

• Levin introduced such a construction for OWFs (see Goldreich's book).
• Key to the universal scheme: the existence of (1,k)-robust combiners.
• The idea:
  – Enumerate all programs of code length log n.
  – Use a (1,n)-combiner for primitive P.
  – If P exists then for large enough n, its program is included in the n candidates for the combiner.
  – For large enough n the scheme is secure.
• Need some bound on the running time (achieved by a padding argument).

Meaning of a universal scheme: every proof of existence is also a constructive one!

But:
• Works only for uniform constructions.
• Yields no information about which n it is safe to use the construction for.

Slide 9: This Talk

• Goal of this talk: explore when and for what primitives it is possible to obtain combiners, and when it is impossible or harder.
• Outline:
  – One-way functions & equivalents
  – Key Agreement
  – Oblivious Transfer
    • Impossibility result for (1,2)-combiners
    • Positive results - (2,3)-combiner
  – On (1,n)-combiners from (1,2)-combiners

Slide 10: Warm-Up – OWF Combiners

• One-way functions:
  – Two candidates FA, FB
  – The combiner: F(x,y) = FA(x)|FB(y)
• Corollary: combiners also for "equivalents" of one-way functions. Robust combiners for:
  – Pseudo-random generators
  – Pseudo-random functions
  – Pseudo-random permutations
  – Private key encryption
  – Signatures
  – Bit commitments*

(Figure: from the candidates GA, GB derive OWFs FA, FB; the OWF-combiner yields F; [HILL] then turns F back into a G.)

This is not always the simplest way!!

For all but bit commitment there is a direct construction of a combiner. Example: an efficient combiner for PRGs is G(x,y) = GA(x)GB(y), used by [HILL]…

Slide 11: Key Agreement (KA)

Alice and Bob (who never met before) interact over a public channel. They want to agree on a secret key.

• Two candidates for KA.
• Suppose that both candidates really reach agreement.
• Combiner: simply XOR the keys.
• What if functionality is only guaranteed for one candidate?

(Figure: Alice and Bob talk over a public channel watched by an eavesdropper; candidates KAA and KAB output keys KA and KB; the combined key is K = KA ⊕ KB.)

Slide 12: Key Agreement (cont.)

• In general, only one candidate is guaranteed to be a KA, in terms of both security and functionality.

Solution in two stages:

1. Run an offline functionality test for each candidate.
   – One party simulates the candidate poly(n) times (playing both sides).
   – Only if agreement is reached in all instances is the candidate used; otherwise the parties agree on 0^n for it.
   – Run the XOR combiner.
   – Guaranteed agreement with probability 1-1/n.
2. Use an error correcting code to reach full agreement.
   – One side chooses a key and divides it into shares.
   – The above key agreement is run for each share.
   – With overwhelming probability both sides end with the same key.

(Figure: candidates KAA and KAB output KA and KB; K = KA ⊕ KB.)

Notes:
• The KA combiner preserves the number of rounds.
• 2-message KA is equivalent to (semantically secure) public key encryption, so this also gives a robust combiner for PKE.
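The two-stage KA combiner as an added simulation (not code from the slides or the authors): each candidate is modelled only by its offline simulation that plays both sides, the XOR stage drops candidates that fail the functionality test, and a bitwise repetition code stands in for the error correcting code, which the slides leave unspecified. The key length N, the number of test runs and the "flaky" candidate are constructed toy values.

```python
import random

N = 16  # key length in bits; constructed stand-in for the security parameter n

def make_ka_candidate(disagree_prob, rng):
    """A candidate KA modelled by its offline simulation: one call plays both
    sides and returns (alice_key, bob_key); a broken one may disagree."""
    def run():
        k = rng.getrandbits(N)
        if rng.random() < disagree_prob:
            return k, rng.getrandbits(N)   # the two sides disagree
        return k, k
    return run

def passes_functionality_test(candidate, trials):
    """Stage 1 test: simulate the candidate `trials` (= poly(n)) times and
    accept it only if every instance reached agreement."""
    return all(a == b for a, b in (candidate() for _ in range(trials)))

def select_candidates(candidates, trials=N * N):
    """Run the offline test once per candidate. A rejected candidate is
    replaced by the constant key 0^n, i.e. it simply drops out of the XOR."""
    return [c for c in candidates if passes_functionality_test(c, trials)]

def xor_combiner(selected):
    """Stage 1 combiner: each side XORs the keys of the accepted candidates."""
    alice = bob = 0
    for cand in selected:
        a, b = cand()
        alice ^= a
        bob ^= b
    return alice, bob

def combined_ka(candidates, rng, reps=2 * N + 1):
    """Stage 2: Alice masks her chosen key with the key of each of `reps`
    stage-1 runs; Bob unmasks every copy with his own stage-1 key and takes
    the bitwise majority (repetition code, an assumed choice of ECC)."""
    selected = select_candidates(candidates)
    key = rng.getrandbits(N)
    copies = []
    for _ in range(reps):
        pad_alice, pad_bob = xor_combiner(selected)
        masked = key ^ pad_alice           # sent over the public channel
        copies.append(masked ^ pad_bob)    # Bob's (possibly corrupted) copy
    bob_key = 0
    for bit in range(N):
        if sum((cp >> bit) & 1 for cp in copies) * 2 > reps:
            bob_key |= 1 << bit
    return key, bob_key

def demo(seed=7):
    """Constructed scenario: one working candidate and one whose two sides
    disagree 30% of the time. Returns (alice_key, bob_key, accepted_count)."""
    rng = random.Random(seed)
    good = make_ka_candidate(0.0, rng)
    flaky = make_ka_candidate(0.3, rng)
    accepted = len(select_candidates([good, flaky]))
    alice_key, bob_key = combined_ka([good, flaky], rng)
    return alice_key, bob_key, accepted
```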

Slide 13: Secure Computation

• We have simple and black-box robust combiners for many cryptographic tasks, in both private key and public key cryptography.
• What about secure function evaluation (SFE)?
• In particular, is there a (1,2)-robust combiner for the Oblivious Transfer (OT) protocol [Rabin 81]?

(Figure: Alice holds s0, s1; Bob holds c; Bob receives s_c.)

OT protocol:
• Bob gets s_c.
• Bob doesn't learn s_{1-c}.
• Alice does not learn c.

OT is complete for SFE!

Consider the task of voting. Idea for an implementation:
• Use electronic ballots from several vendors.
• Combine them to assure security.

Slide 14: Finding OT-Combiners Seems Hard

• We want to show an impossibility result, but: if OT exists, then a combiner can simply ignore the candidates and run that OT.
• We are interested in combiners that rely on the candidates' security.
• Consider Black Box (BB) combiners:
  – The candidates are given in a BB manner (as oracles).
  – The proof is BB: breaking the combiner allows breaking both candidates.
• The situation is more delicate with interactive primitives.

(Figure: the combiner CMB with the candidates A and B as oracles.)

Slide 15: Interactive Protocols – Third Party Black Box Combiners

• A Third Party Black Box combiner can only execute a candidate scheme 'in its entirety':
  – In a call to a candidate, each party gives its secret to a trusted third party and gets its output.
  – Additional messages may be exchanged.
• Models the OT as a separate entity. Examples:
  – 'Physical' implementations (noisy channel, quantum…)
  – Trusted parties
• Does not allow arbitrary access to the OT, neither to the transcript nor to the program.
• Advantages: efficiency and generality.
• Downside: too restrictive. In such a reduction, OT does not even imply OWFs…
• Theorem: There exists no third party BB combiner for OT.

Slide 16: Interactive Protocols – Transparent Black Box Combiners

• We attempt to capture a wider notion of combiners: combiners that can also access the transcript.
• An interactive protocol is generated using 2 oracles:
  – A next message oracle (creates the next message to be sent, given the history).
  – An output oracle (generates the local output, given the transcript).
• A Transparent Black Box combiner: every time a next message call is invoked, this message is sent to the other party.
  – Models using the candidate in the context of the protocol.
• Theorem: There exists no transparent BB combiner for OT.

Slide 17: Impossibility of OT-Combiners… Some Intuition

• Consider two naïve 'implementations' of OT:
  – OTA: the sender gives the receiver s0 and s1. Unconditionally secure for the receiver.
  – OTB: the receiver gives the sender c and the latter sends s_c. Unconditionally secure for the sender.
• What if we apply the combiner to OTA and OTB? Do we get an unconditional implementation of OT?
  – Impossible…

Slide 18: OT Transparent Black Box Impossibility

• Theorem: For every transparent BB combiner for OT there exists a world in which it can be broken.
• Broken = either the sender can guess c with probability 3/4, or the receiver can guess both s0 and s1 with probability 3/4.
• More precisely: we show two worlds such that every transparent BB OT-combiner is broken in one of them.

In general we will be considering the honest-but-curious model.

Slide 19: The Two Worlds

Good OT via oracles (f1, f2, Rec):
• f1 and f2 are length-tripling random functions; Rec is a recovery function.
• The protocol:
  – Receiver: m1 = f1(RandR, c)
  – Sender: m2 = f2(RandS, s0, s1, m1)
  – Receiver: Rec(m2, RandR) = s_c
• This is a good 'implementation' of OT (even in the presence of a PSPACE-complete oracle).
• If there is access to f1^-1 and f2^-1 then this implementation is broken.

OTA = (f1A, f2A, RecA)
OTB = (f1B, f2B, RecB)

• World 1:
  – OTA and OTB implemented by separate oracles.
  – Contains a PSPACE-complete oracle.
  – OTA reveals everything to the sender (access to f1A^-1 and f2A^-1).
• World 2:
  – OTA and OTB implemented by separate oracles.
  – Contains a PSPACE-complete oracle.
  – OTB reveals everything to the receiver.

Slide 20: The Protocol OTCOMB

Consider the OT-combiner taking OTA and OTB as candidates. Call this protocol OTCOMB.

• OTCOMB looks exactly the same in World 1 and World 2.
• OTCOMB should be a secure OT in both worlds, since one of the OTs is good in each of the worlds.
• Goal: show an attack on OTCOMB in at least one of the worlds.
• This would be a contradiction!

(World 1 and World 2 are as defined on the previous slide.)

Slide 21: The Bare World

• The bare world contains only a PSPACE-complete oracle (no oracles for OT).
• We give a simulation of OTCOMB in this world, called OTBARE.
  – Notice that OTCOMB is well defined as long as we plug in implementations of OTA and OTB.
  – The idea for OTBARE: the sender handles the OTA calls; the receiver handles the OTB calls.
• For example:
  – The receiver wants to query OTA; he instead asks the sender this query.
  – The sender chooses random values as answers for queries to f1A, f2A (this imitates the real oracle).
  – The sender also records all his answers, giving him the ability to correctly answer queries to RecA.

Slide 22: No OT in the Bare World

• OTBARE cannot be secure, since there is no crypto with a PSPACE oracle!
• More precisely: for every execution of OTBARE, either the sender learns c or the receiver learns both secrets (using the PSPACE-complete oracle).
• The point: these attacks can be translated into attacks on OTCOMB in one of the two worlds!

Slide 23: No OT in the Bare World (cont.)

• Corollary:
  – If the sender in the bare world learns c, then the sender of the corresponding OTCOMB in World 1 also learns c.
  – If the receiver in the bare world learns both secrets, then the receiver of OTCOMB in World 2 learns both secrets.
• Altogether: every execution is broken in one of the two worlds…

Why the views correspond:

OTBARE                     OTCOMB
View of sender             View of sender in World 1
View of receiver           View of receiver in World 2

The sender's view in OTBARE includes: the sender's inputs & coins; all messages; all queries + answers to OTA (since he simulates OTA).

The sender's view in World 1 includes: the sender's inputs & coins; all messages; all queries + answers to OTA (since he has an inverter for OTA, and due to the transparency of the combiner).

Slide 24: (2,3)-Robust OT-Combiner

Define 2 constructions, R and S (from Crépeau & Kilian 89). Both have OT functionality. Also:
• R takes 2 candidates for OT. The outcome is:
  – Secure for the receiver if at least one candidate is secure for the receiver.
  – Secure for the sender only if both are secure for the sender.
• S takes 3 candidates for OT. The outcome is:
  – Secure for the receiver if all 3 are secure.
  – Secure for the sender if at least one is secure.
• Define:
  – OTAB = R(OTA, OTB)
  – OTAC = R(OTA, OTC)
  – OTBC = R(OTB, OTC)
• The (2,3)-combiner is defined as S(OTAB, OTAC, OTBC).
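An added worked example (not code from the slides or the authors): the slides only state the properties of R and S, so the bodies below are the standard XOR-sharing constructions that have exactly those properties, an assumption on my part. Candidates are modelled as bit-OT functions; the security bookkeeping functions track (sender_secure, receiver_secure) per candidate and check the slide's composition S(R(A,B), R(A,C), R(B,C)) over all 64 ways the three candidates can be secure or broken.

```python
import itertools
import secrets

# An OT candidate is a function ot(s0, s1, c) -> s_c on single bits.
def ideal_ot(s0, s1, c):
    return s1 if c else s0

def R(ot1, ot2):
    """Assumed body of R: the receiver shares its choice c = c1 ^ c2 over the
    two candidates, the sender masks with a fresh random bit r.
    Receiver-secure if either candidate is (c1, c2 alone are uniform);
    sender-secure only if both are (a candidate that leaks both of its
    inputs gives r and s0^s1, which with the other output yields s_{1-c})."""
    def ot(s0, s1, c):
        r = secrets.randbits(1)
        c1 = secrets.randbits(1)
        c2 = c ^ c1
        x = ot1(r, r ^ s0 ^ s1, c1)    # x = r ^ c1*(s0^s1)
        y = ot2(s0 ^ r, s1 ^ r, c2)    # y = s_{c2} ^ r
        return x ^ y                   # = s_{c1^c2} = s_c
    return ot

def S(ot1, ot2, ot3):
    """Assumed body of S: the sender XOR-shares each secret into three shares,
    one per candidate; the receiver asks for the same c in all three.
    Sender-secure if any candidate is (one share of s_{1-c} stays hidden);
    receiver-secure only if all three are (each candidate sees c)."""
    def ot(s0, s1, c):
        a0, a1, b0, b1 = (secrets.randbits(1) for _ in range(4))
        return (ot1(a0, a1, c) ^ ot2(b0, b1, c)
                ^ ot3(a0 ^ b0 ^ s0, a1 ^ b1 ^ s1, c))
    return ot

def combiner_2of3(otA, otB, otC):
    """The slide's (2,3)-combiner: S(R(A,B), R(A,C), R(B,C))."""
    return S(R(otA, otB), R(otA, otC), R(otB, otC))

def has_ot_functionality(ot, trials=16):
    """Receiver recovers s_c for every input, over fresh coin tosses."""
    return all(ot(s0, s1, c) == ideal_ot(s0, s1, c)
               for s0, s1, c in itertools.product((0, 1), repeat=3)
               for _ in range(trials))

# Security bookkeeping: a status is the pair (sender_secure, receiver_secure).
def r_status(a, b):
    return (a[0] and b[0], a[1] or b[1])

def s_status(a, b, c):
    return (a[0] or b[0] or c[0], a[1] and b[1] and c[1])

def combiner_status(A, B, C):
    return s_status(r_status(A, B), r_status(A, C), r_status(B, C))

def two_of_three_suffice():
    """Exhaustive check: whenever at least two candidates are secure on both
    sides, the combined OT is secure on both sides."""
    flags = list(itertools.product((False, True), repeat=2))
    return all(combiner_status(A, B, C) == (True, True)
               for A, B, C in itertools.product(flags, repeat=3)
               if sum(s and r for s, r in (A, B, C)) >= 2)
```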

Slide 25: (1,k)-Combiner from (1,2)-Combiner

The existence of a (1,2)-combiner is necessary for (1,k)-combiners to exist. When is it sufficient?

• Natural approach:
  – Organize the k schemes in a binary tree with k leaves.
  – Each node runs the (1,2)-combiner with its children as candidates.
  – The outcome is secure if at least one leaf is secure.
• Need to ensure the running time is polynomial:
  – If the (1,2)-combiner runs in time m·(candidates' time), the total running time is m^Ω(log k).
• If m is a constant then the total time is polynomial and the tree construction works.
• If a (1,2)-combiner for OT is found, it will not likely be that efficient…

Slide 26: (1,k)-Combiner for OT from (1,2)-Combiner for OT

Theorem: Any (1,2)-combiner for OT can be used for a (1,k)-combiner for OT.

Solution: use the (2,3)-combiner for OT, which runs in time ~6·(candidates' time).
– Divide the k candidates into 3 groups of size 2k/3.
– Each candidate should appear in at least two groups.
– Recursively run a (1,2k/3)-combiner on each group.
– The 3 outcomes are combined using the (2,3)-combiner.

• Running time is polynomial: if the (1,2)-combiner runs in time n^d, the total running time is 18^Ω(log k)·n^d.
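The recursion above, as an added model (not code from the slides): each candidate is a (secure, cost) pair, the (1,2)-combiner is hypothetical as on the slide (secure if either candidate is, charged m times the candidates' time), the (2,3)-combiner is charged 6 times the candidates' time, and a raw candidate costs one unit (the slide's n^d). The grouping into thirds and pairwise unions is my reading of "3 groups of size 2k/3 with each candidate in at least two groups".

```python
def combine_1of2(a, b, m):
    """Hypothetical (1,2)-combiner assumed by the slide: secure if either
    candidate is; runs in m times the candidates' time."""
    return (a[0] or b[0], m * (a[1] + b[1]))

def combine_2of3(a, b, c):
    """The (2,3)-combiner of the previous slide: secure when at least two of
    the three candidates are; charged ~6 times the candidates' time."""
    return (a[0] + b[0] + c[0] >= 2, 6 * (a[1] + b[1] + c[1]))

def combine_1ofk(cands, m):
    """(1,k)-combiner: split into three nearly equal thirds, form the three
    pairwise unions (every candidate lands in exactly two groups, and each
    group has fewer than k members for k >= 3), recurse on each group, then
    apply the (2,3)-combiner to the three results."""
    k = len(cands)
    if k == 1:
        return cands[0]
    if k == 2:
        return combine_1of2(cands[0], cands[1], m)
    t0, t1, t2 = (cands[i::3] for i in range(3))
    groups = [t0 + t1, t0 + t2, t1 + t2]
    return combine_2of3(*(combine_1ofk(g, m) for g in groups))

def leaf(secure):
    return (secure, 1)   # a raw candidate costs one unit of time (n^d)

def secure_whenever_one_leaf_is(k, m=5):
    """True if the (1,k)-combiner is secure for every position of the single
    secure candidate among k: a secure leaf sits in two groups, both of whose
    recursive results are secure, so the (2,3)-combiner is secure."""
    return all(combine_1ofk([leaf(i == j) for j in range(k)], m)[0]
               for i in range(k))

def insecure_with_no_good_leaf(k, m=5):
    return not combine_1ofk([leaf(False)] * k, m)[0]

def cost(k, m):
    """Running time of the (1,k)-combiner in candidate-time units."""
    return combine_1ofk([leaf(False)] * k, m)[1]
```

With this accounting cost(k) grows as 18·cost(2k/3), i.e. polynomially in k, while the binary-tree approach of the previous slide would grow as m^Ω(log k).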

Slide 27: Summary for OT Combiners

Negative:
• No transparent BB robust combiners for OT.

Positive:
• OT given hardness of discrete log or factoring – since the security of one of the sides is unconditional.
• There is a (2,3)-robust OT-combiner that is simple and third party black box.
• (1,2)-combiners for OT suffice for a universal OT scheme.
• Main open problem: combiners for OT???? (perhaps non-black-box)…

Slide 28: Main Open Problem: Non-Black-Box Combiners for OT

• Approaches for non-BB:
  – Use the circuit of a function. Examples: ZK for NP, garbled circuits (Yao).
  – Use the program of the adversary. Example: Barak's public coin ZK.
• Attempt with garbled circuits:
  – Consider the circuit for OTA.
  – The sender garbles this circuit, fixing s0 and s1 and its randomness RandS.
  – Let the receiver evaluate his output bit on inputs c and RandR, using OTB at the input gates.
  – Fails when OTB is insecure…

Slide 29: Open Problems – Commitments

• For computationally hiding commitments, a combiner is known only via the full reduction to one-way functions: inefficient, and it requires the transcript.
• What about information hiding commitments?
  – Not known to be equivalent to OWFs (one-way permutations are needed in NOVY)*
• Negative: third party BB impossibility for both kinds of commitment.
• Positive:
  – Simple (2,3)-combiners (Herzberg)
  – If one side's security is guaranteed, then it is easy (e.g. string commitments that are very short (Kilian 92))