Post on 15-Jan-2016
Oblivious Transfer based on the McEliece Assumptions
Rafael Dowsley Jeroen van der Graaf
Jörn Müller-Quade
Anderson C. A. Nascimento
University of Brasilia
[Diagram: Plaintext → Encryption (Key) → Ciphertext → Decryption (Key) → Plaintext]
However, there are other (more challenging) tasks to be dealt with in cryptology…
Secure Multi (Two)-Party Computations.
They want to know if there exists mutual interest between them.
However, they do not want to reveal an unrequited love.
F(X,Y) = X AND Y
X AND Y = 1: I love you
X AND Y = 0: Get away!
The players must learn the answer but should get no extra knowledge on each other’s input, besides what can be computed from his/her input and the output itself.
The Millionaires' Problem
Two millionaires want to know which of them is the richer.
However, they are not willing to reveal the amount of their wealth.
Secure Two Party Computations
[Diagram: Alice holds X, Bob holds Y; Bob receives F(X,Y).]
Alice should know nothing about F(X,Y) besides what can be computed from X.
Bob should know nothing about X besides what can be computed from F(X,Y).
If both players are honest, Bob should receive F(X,Y).
An Ideal Protocol
[Diagram: the players send X and Y to a Trusted Third Party, which returns F(X,Y).]
Security and Adversarial Models
• A protocol is secure if anything an adversary obtains in the real protocol can also be obtained in the ideal model.
• Honest-but-Curious Adversary: Follows the protocol, but otherwise tries to obtain as much information on the other player's input as possible.
• Malicious: Can deviate from the protocol in an arbitrary way (spit on your face, stick a finger in your eye, etc.)
Oblivious Transfer
[Diagram: the sender inputs b0, b1; the receiver inputs c and obtains b_c.]
Joe Kilian: Founding Cryptography on Oblivious Transfer. STOC 88: 20-31
Oblivious Transfer is an important primitive, but no quantum resistant implementation is known.
Here we give an oblivious transfer protocol based on assumptions from coding theory, which is computationally secure for Alice and for Bob.
Relationship to PKC
• OT and PKC do not imply each other in general.
McEliece
Error Correcting Codes
[Diagram: a message m is encoded as a codeword c, the channel delivers c', and decoding recovers m.]
Random linear codes are good, but difficult to decode.
NP-complete
McEliece turned this into a public key scheme.
Goppa Codes
Goppa codes are algebraic geometry codes with good error correction properties.
Scrambled Goppa Codes
S · G · P = G'
G' looks like a generator matrix of a random code.
The McEliece Cryptosystem
Secret key: S, G, P
Public key: G'
The McEliece Cryptosystem
Encrypt: m · G' + e = c (e: random error vector with t errors)
Decrypt: c · P^-1 → error correction procedure → · S^-1 = m
The McEliece Assumptions
• A scrambled Goppa code matrix is indistinguishable from a random matrix
• Decoding a random linear code is hard on average
We will turn this into an oblivious transfer scheme.
Two Steps
• Semi-honest adversary
• Active adversary
To later cope with the active adversary we need a commitment scheme from the McEliece assumption.
Bit Commitment
Secure commitment schemes give us zero knowledge proofs!
Alice puts a bit b in a strong box.
Alice gives this box to Bob. She cannot change b.
Later Alice can unveil b to Bob.
A commitment scheme is said to be secure if it is binding, concealing and correct:
• Binding: the probability that Alice can successfully open two different commitments is negligible.
• Concealing: Bob gets at most negligible information on the information Alice commits to before the opening phase.
• Correct: The probability that honest Alice fails to open a commitment is negligible in a security parameter n.
Commitments from McEliece
Simple:
Commit = encrypt
Unveil = reveal the error vector e
To achieve information theoretic security for Bob we need a statistically hiding commitment.
The McEliece cryptosystem yields a one-way function, and statistically hiding commitments can be obtained from any one-way function [Haitner/Reingold STOC07].
The protocol for semi-honest adversary
Alice: random matrix Q → Bob: Q
Bob: McEliece matrix G → Alice: G, GQ (order depends on choice)
Alice: encrypts m0, m1 → Bob: c0, c1
Bob: can decrypt only one
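The message flow above as an added sketch (not code from the talk or the authors). It assumes "G, GQ" means G and G XOR Q, uses the Hamming(7,4) code with t = 1 in place of a Goppa code, and has Alice check that the two matrices differ by Q; all function names are hypothetical and the parameters are far too small to give any security.

```python
import random
from itertools import product

# Toy stand-in: Hamming(7,4) (corrects t = 1 error) replaces the Goppa code.
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
G = [[int(i == j) for j in range(4)] + A[i] for i in range(4)]  # G = [I4 | A]
COLS = A + [[1, 0, 0], [0, 1, 0], [0, 0, 1]]      # columns of H = [A^T | I3]
MSGS = [list(m) for m in product([0, 1], repeat=4)]

def vecmat(v, M):  # row vector times matrix over GF(2)
    return [sum(a & row[j] for a, row in zip(v, M)) % 2 for j in range(len(M[0]))]

def xor(X, Y):  # entrywise sum of two matrices over GF(2)
    return [[a ^ b for a, b in zip(r, s)] for r, s in zip(X, Y)]

def keygen(rng):
    while True:  # draw S until invertible; at this size S^-1 is a lookup table
        S = [[rng.randrange(2) for _ in range(4)] for _ in range(4)]
        s_inv = {tuple(vecmat(m, S)): m for m in MSGS}
        if len(s_inv) == 16:
            break
    perm = rng.sample(range(7), 7)                # the permutation P
    SG = [vecmat(row, G) for row in S]
    pub = [[row[p] for p in perm] for row in SG]  # G' = S G P
    return pub, (s_inv, perm)

def encrypt(pub, m, rng):  # c = m G' + e, with e of weight t = 1
    c = vecmat(m, pub)
    c[rng.randrange(7)] ^= 1
    return c

def decrypt(sk, c):
    s_inv, perm = sk
    y = [0] * 7
    for j, p in enumerate(perm):                  # c P^-1
        y[p] = c[j]
    syn = [sum(y[i] & COLS[i][r] for i in range(7)) % 2 for r in range(3)]
    if any(syn):                                  # error correction procedure
        y[COLS.index(syn)] ^= 1
    return s_inv[tuple(y[:4])]                    # multiply by S^-1

def oblivious_transfer(m0, m1, choice, seed=0):
    rng = random.Random(seed)
    Q = [[rng.randrange(2) for _ in range(7)] for _ in range(4)]  # Alice -> Bob
    pub, sk = keygen(rng)                         # Bob's McEliece key pair
    other = xor(pub, Q)                           # assumption: "GQ" is G XOR Q
    pks = [pub, other] if choice == 0 else [other, pub]           # Bob -> Alice
    assert xor(pks[0], pks[1]) == Q               # Alice's check (assumed here)
    c0, c1 = encrypt(pks[0], m0, rng), encrypt(pks[1], m1, rng)   # Alice -> Bob
    return decrypt(sk, c1 if choice else c0)      # Bob decrypts c_choice
```

Bob holds a decoder only for the matrix he generated himself; the other matrix is that key masked by Alice's random Q, which is why he "can decrypt only one".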
An Active Attack
Given Q, can one find P and P' with Q = PP' such that both have reasonable error correcting properties?
We could not exclude this...
Bob could be able to obtain both...
An Actively Secure Protocol
• We perform the protocol twice (with random inputs): Bob commits to G, and in one of the protocols Alice will ask Bob to unveil and check if he cheated.
• The cheating probability for Bob is 50%, but this can be made arbitrarily small by repetition...
• More efficient than Goldreich's compiler.
Interactive Hashing
• We want Bob to send two matrices to Alice: one he can decode efficiently and one which is random.
• Interactive hashing could yield a more efficient solution...
• We have a different reduction to a protocol secure against active cheaters based on BR Commitments (a generalized version).
• Yields committed oblivious transfer!
Conclusions
• OT based on McEliece Cryptosystem
• Secure against quantum computers (?)
• Maybe an application for interactive hashing.