Oblivious Transferbased on the
McEliece Assumptions
Rafael Dowsley Jeroen van der Graaf
Jörn Müller-Quade
Anderson C. A. Nascimento
University of Brasilia
Encryption DecryptionPlaintext Ciphertext Plaintext
Key Key
However, there are other (more challenging) tasks to be dealt with in cryptology…
Secure Multi (Two)-Party Computations.
They want to know if there exists mutual interest between them.
However, they do not want to reveal an uncorresponded love.
F(X,Y)= X AND Y
X AND Y=1 I love you
X AND Y=0 Get away!
The players must learn the answer but should get no extra knowledge on each other’s input, besides what can be computed from his/her input and the output itself.
The Millionaires Problem
Two millionaires want to know who is the richest one between them.
However, they are not willing to reveal the amount of their wealth.
Secure Two Party Computations
Bob
X Y
F(X,Y)
Alice should know nothing about F(X,Y) besides what can be computed from X.
Bob should know nothing about X besides what can be computed from F(X,Y)
If both players are honest Bob should receive F(X,Y)
Alice
An Ideal Protocol
Bob
Trusted Third Party
XY
F(X,Y)F(X,Y)
Security and Adversarial Models
• A protocol is secure if anything an adversary obtains in the real protocol can also be obtained in the ideal model.
• Honest-but-Curious Adversary: Follows the protocol, but otherwise tries to obtain as much information on the other player input as possible
• Malicious: Can deviate from the protocol in an arbitrary way (spit on your face, stick a finger in your eye, etc.)
Oblivious Transfer
b0, b1 c
bc
Joe Kilian: Founding Cryptography on Oblivious Transfer. STOC 88: 20-31
Oblivious Transfer
b0,b1 c
bcc bc
Oblivious Transfer
b0,b1 c
bc
Oblivious Transfer is an important primitive, butno quantum resistant implementation is known.
Oblivious Transfer
b0,b1 c
bc
Oblivious Transfer is an important primitive, butno quantum resistant implementation is known
Here we give an oblivious transfer protocol basedon assumptions from coding theory, which is
computationally secure for Alice andfor Bob.
Here we give an oblivious transfer protocol basedon assumptions from coding theory, which is
computationally secure for Alice andfor Bob.
Relationship to PKC
• OT and PKC do not imply each other in general.
McEliece
Error Correcting Codes
m mc c‘
Random linear codes are good, but difficult to decode.
McEliece
Error Correcting Codes
m mc c‘
Random linear codes are good, but difficult to decode.
NP compete
McEliece
Error Correcting Codes
m mc c‘
Random linear codes are good, but difficult to decode.
McEliece turned this into a public key scheme McEliece turned this into a public key scheme
Goppa Codes
Goppa codes are algebraic geometry codes with gooderror correction properties.
Scrambled Goppa Codes
G SP
G‘ looks like a generator matrix of a random code
= G‘. .
The McEliece Cryptosystem
Secret key:
Public key:
GS
P
G‘
, ,
The McEliece Cryptosystem
Encrypt:
Decrypt:
S-1P-1
G‘ . + e = c
c .
m
=m
errorcorrectionprocedure
random error vectorwith t errors
The McEliece Assumptions
• A scrambled Goppa code matrix is indistiguishable from a random matrix
• Decoding a random linear code is hard on average
We will turn this into an oblivious transfer scheme We will turn this into an oblivious transfer scheme
Two Steps
• Semi-honest adversary
• Active adversary
To later cope with the active adversary we need a commitment scheme from the McEliece assumption.
Secure commitment schemes give us zero knowledge proofs!
Alice puts a bit bin a strong box
b
Alice gives this box to Bob. She cannot change b
Later Alice can unveil b to Bob
b
Bit Commitment
A commitment scheme is said to be secure if it is binding, concealing and correct:
•Binding: the probability that Alice can successfully open two different commitments is negligible.
•Concealing: Bob gets at most negligible information on the information Alice commits to before the opening phase.
•Correct: The probability that honest Alice fails to open a commitment is negligible in a security parameter n.
Commitments from McElieceSimple:
Commit = encryptUnveil = reveal the error vector e
Commitments from McElieceSimple:
To achieve information theoretic security for Bobwe need a statistically hiding commitment.
Commit = encryptUnveil = reveal the error vector e
Commitments from McElieceSimple:
To achieve information theoretic security for Bobwe need a statistically hiding commitment.
The McEliece cryptosystem yields a one-way-function andstatistically hiding commitments can be obtained from any one-way-function [Haitner/Reingold STOC07]
The McEliece cryptosystem yields a one-way-function andstatistically hiding commitments can be obtained from any one-way-function [Haitner/Reingold STOC07]
Commit = encryptUnveil = reveal the error vector e
The protocol for semi honest adversary
Random matrix Q Q
The protocol for semi honest adversary
Random matrix Q Q
McEliecematrix GG, GQ
The protocol for semi honest adversary
Random matrix Q Q
McEliecematrix GG, GQ
Order depends on choice
The protocol for semi honest adversary
Random matrix Q Q
McEliecematrix GG, GQ
Encryptsm0, m1 c0, c1
The protocol for semi honest adversary
Random matrix Q Q
McEliecematrix GG, GQ
Encryptsm0, m1 c0, c1
can decryptonly one
An Active Attack
Given Q can one find P and P‘ with Q = PP‘such that both have reasonableerror correcting properties?
We could not exclude this...
Bob could be able to obtain both...
An Actively Secure Protocol
• We perform the protocol twice (with random inputs): Bob commits to G, and in one of the protocols Alice will ask Bob to unveil and check if he cheated.
• The cheating probability for Bob is 50%, but this can be made arbitrarily small by repetition...
• More efficient than Goldreich‘s compiler.
Interactive Hashing
• We want Bob to send two matrices to Alice one he can decode efficiently and one which is random.
• Interactive hashing could yield a more efficient solution...
• We have a different reduction to a protocol secure against active cheaters based on BR Commitments (a generalized version).
• Yields committed oblivious transfer!
Conclusions
• OT based on McElice Cryptosystem
• Secure against quantum computers (?)
• Maybe an application for interactive hashing.