Obtaining Efficient Fully Simulatable Oblivious Transfer from General Assumptions
Related papers
Efficient Oblivious Transfer from Lossy Threshold Homomorphic Encryption
Lecture Notes in Computer Science, 2017
In this article, a new oblivious transfer (OT) protocol, secure in the presence of erasure-free one-sided active adaptive adversaries, is presented. The new bit OT protocol achieves better communication complexity than the existing bit OT protocol in this setting, and requires fewer public key encryption operations. As a building block, a new two-party lossy threshold homomorphic public key cryptosystem is designed; it is secure in the same adversary model and is of independent interest.

Definition 2. (Lossy Threshold PKE Scheme Secure against Erasure-Free One-Sided Active Adaptive Adversaries) A lossy threshold PKE scheme secure against erasure-free one-sided active adaptive adversaries for the set of parties $P = \{P_1, P_2\}$ and security parameter $n$ is a 4-tuple $(K, KG, E, \Pi_{DEC})$ with the following properties.

Key Space: The key space $K$ is a family of finite sets $(pk, sk_1, sk_2)$, where $pk$ is the public key and $sk_i$ is the secret key share of $P_i$. Let $M_{pk}$ denote the message space for public key $pk$.

Key Generation: There exists a probabilistic polynomial-time key generation algorithm $KG$ which, on input $(1^n, mode)$, generates public output $pk$ and a list $\{vk, vk_1, vk_2\}$ of verification keys, and secret output $sk_i$ for $P_i$, where $(pk, sk_1, sk_2) \in K$. Setting $mode$ to zero or one generates a key in lossy mode or injective mode, respectively. $vk$ is called the verification key and $vk_i$ the verification key of $P_i$.

Encryption: There exists a probabilistic polynomial-time encryption algorithm $E$ which, on input $pk$, $m \in M_{pk}$ and $r \xleftarrow{\$} \mathrm{coins}(E)$, outputs an encryption $c = E_{pk}(m, r)$ of $m$.

Decryption: There exists a two-party decryption protocol $\Pi_{DEC}$ secure against erasure-free one-sided active adaptive adversaries. On common public input $(c, pk, vk, vk_1, vk_2)$ and secret input $sk_i$ for each $P_i$, $i \in \{1, 2\}$, where $sk_i$ is the secret key share of $P_i$ for the public key $pk$ (as generated by $KG$) and $c$ is an encrypted message, $\Pi_{DEC}$ returns a message $m$, or the symbol $\bot$ denoting a decryption failure, as common public output.
Universally Composable Oblivious Transfer from Lossy Encryption and the McEliece Assumptions
Lecture Notes in Computer Science, 2012
As a fundamental cryptographic primitive, oblivious transfer (OT) is developed for the sake of efficient usability and combinational feasibility. However, most OT protocols are built on cryptosystems that are not quantum-immune, assuming the hardness of the discrete logarithm or factoring problem, whose security breaks down directly in the quantum setting. Therefore, as a subarea of post-quantum cryptography, lattice-based cryptography is viewed as a promising alternative and cornerstone for building post-quantum protocols, since it enjoys attractive properties such as provable security against quantum adversaries and lower asymptotic complexity. In this paper, we first build an efficient 1-out-of-2 OT protocol on the hardness of the ring learning with errors (RLWE) problem, which is at least as hard as some worst-case ideal lattice problems. We show that this 1-out-of-2 OT protocol is universally composable and secure against static corruptions in the random oracle model. We then extend it to the general case, i.e. 1-out-of-N OT, achieving the same level of security. Furthermore, on the basis of the above OT structure, we obtain two improved OT protocols using two improved lattice-based key exchange protocols (relying on the RLWE problem and the learning with errors (LWE) problem respectively, both achieving better efficiency by removing Gaussian sampling to save cost) as building blocks. To show that our proposed OT protocol indeed achieves comparable security and efficiency, we compare it with two other lattice-based OT protocols at the end of the paper. Concerning the potential threat from quantum
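The following Python example, added here and not taken from either paper, makes Definition 2 above concrete and shows the standard way a lossy encryption scheme yields 1-out-of-2 OT, which is the route the "Universally Composable Oblivious Transfer from Lossy Encryption and the McEliece Assumptions" entry takes. It uses a toy DDH-style scheme (a 4-tuple of key space, mode-selecting key generation, encryption and a 2-out-of-2 threshold decryption) in a constructed 11-element group instead of the papers' own assumptions. The group constants P, Q, G, all function names and the OT message flow are assumptions of this example; the zero-knowledge proofs that the real protocols attach to decryption shares and key generation are omitted, and the first paper's actual bit OT protocol is not reproduced. In the tiny group the lossy property can be checked exhaustively: every message has the same ciphertext distribution under a lossy key and a distinct one under an injective key.

```python
"""Toy DDH-style lossy threshold (multiplicatively homomorphic) PKE and the
textbook 1-out-of-2 OT built on it. Illustrative only: tiny constructed
parameters, no zero-knowledge proofs, no real security."""
from collections import Counter
from dataclasses import dataclass
import secrets

# Constructed toy group: quadratic residues mod P, prime order Q, generator G.
P, Q, G = 23, 11, 4


@dataclass(frozen=True)
class PublicKey:
    g: int
    h: int
    u: int
    v: int  # injective mode iff (g, h, u, v) is a DDH tuple: u = g^r and v = h^r


def rand_exp() -> int:
    return secrets.randbelow(Q)


def keygen(mode: int):
    """KG(1^n, mode): mode 1 = injective, mode 0 = lossy.
    Returns pk, verification keys (g^x, g^x1, g^x2) and the two secret shares."""
    x = rand_exp()                        # full secret key, h = g^x
    x1 = rand_exp()
    x2 = (x - x1) % Q                     # additive 2-out-of-2 sharing of x
    r = rand_exp()
    u = pow(G, r, P)
    if mode == 1:
        v = pow(G, x * r % Q, P)          # v = h^r: DDH tuple
    else:
        d = 1 + secrets.randbelow(Q - 1)  # nonzero offset: v = h^r * g^d, not a DDH tuple
        v = pow(G, (x * r + d) % Q, P)
    pk = PublicKey(G, pow(G, x, P), u, v)
    vk = (pk.h, pow(G, x1, P), pow(G, x2, P))
    return pk, vk, (x1, x2)


def in_message_space(m: int) -> bool:
    """M_pk is the order-Q subgroup (quadratic residues mod P)."""
    return 0 < m < P and pow(m, Q, P) == 1


def encrypt(pk: PublicKey, m: int, s=None, t=None):
    """E_pk(m; (s, t)) = (g^s u^t, h^s v^t m). Coins default to fresh randomness."""
    s = rand_exp() if s is None else s
    t = rand_exp() if t is None else t
    c1 = pow(pk.g, s, P) * pow(pk.u, t, P) % P
    c2 = pow(pk.h, s, P) * pow(pk.v, t, P) * m % P
    return (c1, c2)


def dec_share(c, sk_i: int) -> int:
    """Party i's contribution to Pi_DEC (its Chaum-Pedersen proof is omitted here)."""
    return pow(c[0], sk_i, P)


def combine(c, share1: int, share2: int) -> int:
    # share1 * share2 = c1^(x1 + x2) = c1^x, so in injective mode m = c2 / c1^x.
    return c[1] * pow(share1 * share2 % P, -1, P) % P


def threshold_decrypt(c, sk1: int, sk2: int) -> int:
    return combine(c, dec_share(c, sk1), dec_share(c, sk2))


def hom_mul(ca, cb):
    """Multiplicative homomorphism: E(m) * E(m') is an encryption of m * m'."""
    return (ca[0] * cb[0] % P, ca[1] * cb[1] % P)


def ciphertext_distribution(pk: PublicKey, m: int) -> Counter:
    """Exhaustive ciphertext distribution over all Q^2 coin choices (toy group only)."""
    return Counter(encrypt(pk, m, s, t) for s in range(Q) for t in range(Q))


# 1-out-of-2 OT from lossy encryption: the receiver publishes an injective key
# at position b and a lossy key at 1 - b; the sender encrypts m_i under pk_i.
# The receiver can only open c_b; the sender cannot tell the two keys apart
# (under DDH in a real group; in this toy group the distinction is trivial).
def ot_receiver_choose(b: int):
    keys = [keygen(0), keygen(0)]
    keys[b] = keygen(1)
    pks = (keys[0][0], keys[1][0])
    return pks, keys[b][2]  # public message to the sender, private decryption shares


def ot_sender_transfer(pks, m0: int, m1: int):
    return (encrypt(pks[0], m0), encrypt(pks[1], m1))


def ot_receiver_open(b: int, shares, cts) -> int:
    return threshold_decrypt(cts[b], *shares)


def ot_run(b: int, m0: int, m1: int) -> int:
    pks, shares = ot_receiver_choose(b)
    cts = ot_sender_transfer(pks, m0, m1)
    return ot_receiver_open(b, shares, cts)
```

ot_run(b, m0, m1) returns m_b. The receiver's other ciphertext is lossy, so it is statistically independent of m_{1-b}, which is the sender-side privacy argument; receiver privacy rests on the two public keys being indistinguishable, which holds under DDH in a real group but obviously not in an 11-element one. Messages must lie in the quadratic-residue subgroup (in_message_space); a real scheme would encode bits into it and attach Chaum-Pedersen proofs to each decryption share to resist active adversaries.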
Generic Fully Simulatable Adaptive Oblivious Transfer
Lecture Notes in Computer Science, 2011
We aim at constructing adaptive oblivious transfer protocols, enjoying fully simulatable security, from various well-known assumptions such as DDH, d-Linear, QR, and DCR. To this end, we present two generic constructions of adaptive OT, one of which utilizes verifiable shuffles together with threshold decryption schemes, while the other uses permutation networks together with what we call loosely-homomorphic key encapsulation schemes. The constructions follow a novel design approach called "blind permutation", which differs completely from existing ones. We then show that specific choices of the building blocks lead to concrete adaptive OT protocols with fully simulatable security in the standard model under the targeted assumptions. Our generic methods can be extended to build universally composable (UC) secure and leakage-resilient OT protocols.
More extensions of weak oblivious transfer
2006 International Conference on Research, Innovation and Vision for the Future
Oblivious Transfer (OT) is a primitive for asymmetrically distributing information between users, proposed as a building block for secure computation. In this letter, we propose an information-theoretic variant of OT that requires weak assumptions and can therefore be implemented more easily with transmission media. We then show that one-out-of-two Oblivious Transfer (O-OT), the central version of OT, can be reduced to this Weak OT (WOT) with arbitrarily small loss of security, i.e. secure O-OT can be realised from our WOT.
Efficient and Universally Composable Committed Oblivious Transfer and Applications
Lecture Notes in Computer Science, 2004
Committed Oblivious Transfer (COT) is a useful cryptographic primitive that combines the functionalities of bit commitment and oblivious transfer. In this paper, we introduce an extended version of COT (ECOT) which additionally allows proofs of relations among committed bits, and we construct an efficient protocol that securely realizes an ECOT functionality in the universal composability (UC) framework in the common reference string (CRS) model. Our construction is more efficient than previous (non-UC) constructions of COT, involving only a constant number of exponentiations and communication rounds. Using the ECOT functionality as a building block, we construct efficient UC protocols for general two-party and multi-party functionalities (in the CRS model), each gate requiring a constant number of ECOTs.
Reducing Complexity Assumptions for Oblivious Transfer
2009
Abstract. Reducing the minimum assumptions needed to construct various cryptographic primitives is an important and interesting task in theoretical cryptography. Oblivious transfer, one of the most basic cryptographic building blocks, can also be studied in this light. Reducing the minimum assumptions for oblivious transfer does not seem an easy task, as there are a few impossibility results under black-box reductions.
Essentially Optimal Universally Composable Oblivious Transfer
Information Security and Cryptology – ICISC 2008, 2009
Oblivious transfer is one of the most important cryptographic primitives, both for theoretical and practical reasons, and several protocols have been proposed over the years. We provide the first oblivious transfer protocol which is simultaneously optimal on the following list of parameters:
Security: it is universally composable.
Trust in setup assumptions: only one of the parties needs to trust the setup (and some setup is needed for UC security).
Trust in computational assumptions: only one of the parties needs to trust a computational assumption.
Round complexity: it uses only two rounds.
Communication complexity: it communicates O(1) group elements to transfer one out of two group elements. The Big-O notation hides 32, meaning that the communication is probably not optimal, but is essentially optimal in that the overhead is at least constant.
Our construction is based on pairings, and we assume the presence of a key registration authority.
Generalized Oblivious Transfer
2013
Abstract. We present protocols for two flavors of oblivious transfer (OT), Rabin OT and 1-out-of-2 OT, based on assumptions related to the security of the McEliece cryptosystem and on two zero-knowledge identification (ZKID) schemes, Stern's from Crypto '93 and Shamir's from Crypto '89, which are based on syndrome decoding and permuted kernels respectively. This is a step towards diversifying the computational assumptions on which OT, a cryptographic primitive of central importance, can be based. As a by-product, we expose new interesting applications for both ZKID schemes: Stern's can be used to prove the correctness of a McEliece encryption, while Shamir's can be used to prove that some matrix represents a permuted subcode of a given code. Unfortunately, it turned out to be difficult to reduce the sender's security of either scheme to a hard problem, although intuition suggests that a successful attack would allow one to solve some long-standing problems in coding theory.
Generic Construction of UC-Secure Oblivious Transfer
Lecture Notes in Computer Science, 2015
We show how to construct a completely generic UC-secure oblivious transfer scheme from a collision-resistant chameleon hash scheme (CH) and a CCA encryption scheme accepting a smooth projective hash function (SPHF). Our work is based on the work of Abdalla et al. at Asiacrypt 2013, where the authors formalize the notion of SPHF-friendly commitments, i.e. commitments accepting an SPHF on the language of valid commitments (to allow implicit decommitment), and show how to construct from them a UC-secure oblivious transfer in a generic way. But Abdalla et al. only gave a DDH-based construction of SPHF-friendly commitment schemes, which moreover relies heavily on pairings. In this work, we show how to generically construct an SPHF-friendly commitment scheme from a collision-resistant CH scheme and an SPHF-friendly CCA encryption scheme. This allows us to propose an instantiation of our schemes based on DDH, as efficient as that of Abdalla et al., but without requiring any pairing. Interestingly, our generic framework also allows us to propose an instantiation based on the learning with errors (LWE) assumption. For the record, we finally propose a last instantiation based on the decisional composite residuosity (DCR) assumption.