% Preamble of the thesis "Oblivious-Transfer Amplification" (ETH class, A5 paper).
1: \documentclass[10pt,a5paper]{ETHthesis}
2:
% NOTE(review): `E' is not a standard package name -- presumably a local
% helper shipped with the thesis template; confirm it is in the sources.
3: \usepackage{E}
4: \usepackage{ETHthesis}
5: \usepackage{makeidx}
6: \usepackage{enumerate}
% NOTE(review): epsfig is obsolete; graphicx (which epsfig loads itself) is
% the current equivalent. Left unchanged because figures are external files.
7: \usepackage{epsfig}
8: \usepackage{amsthm,amssymb,amsmath,latexsym}
% hyperref is disabled; if re-enabled it must be loaded last in the preamble.
9: %\usepackage[plainpages=false]{hyperref}
% NOTE(review): palatino is obsolete; newpxtext/newpxmath is its replacement.
10: \usepackage{palatino}
11:
% Layout tweaks: widen the text block by 16mm by shrinking both side margins,
% and suppress first-line paragraph indentation.
12: \addtolength{\textwidth}{+16mm}
13: \setlength{\oddsidemargin}{-8mm}
14: \setlength{\evensidemargin}{-8mm}
15: \setlength{\parindent}{0pt}
16:
17: \pagestyle{plain}
18:
% Theorem-like environments (amsthm). theorem/corollary/lemma use the
% italic "plain" style; definition/example/protocol use upright text.
19: \theoremstyle{plain}
20: \newtheorem{theorem}{Theorem}
21: \newtheorem{corollary}{Corollary}
22: \newtheorem{lemma}{Lemma}
23:
24: \theoremstyle{definition}
25: \newtheorem{definition}{Definition}
26: \newtheorem{example}{Example}
27: \newtheorem{protocol}{Protocol}
28:
% Per-chapter numbering. Note that example and protocol are NOT listed here
% and therefore keep document-wide numbering -- presumably intentional.
29: \numberwithin{equation}{chapter}
30: \numberwithin{theorem}{chapter}
31: \numberwithin{lemma}{chapter}
32: \numberwithin{definition}{chapter}
33: \numberwithin{corollary}{chapter}
34:
% \PDForPSinput{name} inputs a figure wrapper: pdf/name.pdftex_t under
% pdfTeX, ps/name.pstex_t otherwise (the suffixes suggest xfig's combined
% PS/LaTeX export -- TODO confirm).
35: \usepackage{ifpdf}
36: \ifpdf
37: \newcommand{\PDForPSinput}[1]{{ \input{pdf/#1.pdftex_t} }}
38: \else
39: \newcommand{\PDForPSinput}[1]{{ \input{ps/#1.pstex_t} }}
40: \fi
41:
% \cancel{...} swallows its argument: text is dropped from the output
% without being deleted from the source.
42: \newcommand{\cancel}[1]{}
43:
% Short aliases for common math decorations and sets.
44: \newcommand{\ol}{\overline}
45: \newcommand{\ul}{\underline}
46: \newcommand{\bbR}{\mathbb R}
47: \newcommand{\bbN}{\mathbb N}
48: \newcommand{\eps}{\varepsilon}
49:
% \mA ... \mZ: calligraphic capitals.
50: \newcommand{\mA}{\mathcal A}
51: \newcommand{\mB}{\mathcal B}
52: \newcommand{\mC}{\mathcal C}
53: \newcommand{\mD}{\mathcal D}
54: \newcommand{\mE}{\mathcal E}
55: \newcommand{\mF}{\mathcal F}
56: \newcommand{\mG}{\mathcal G}
57: \newcommand{\mH}{\mathcal H}
58: \newcommand{\mI}{\mathcal I}
59: \newcommand{\mJ}{\mathcal J}
60: \newcommand{\mK}{\mathcal K}
61: \newcommand{\mL}{\mathcal L}
62: \newcommand{\mM}{\mathcal M}
63: \newcommand{\mN}{\mathcal N}
64: \newcommand{\mO}{\mathcal O}
65: \newcommand{\mP}{\mathcal P}
66: \newcommand{\mQ}{\mathcal Q}
67: \newcommand{\mR}{\mathcal R}
68: \newcommand{\mS}{\mathcal S}
69: \newcommand{\mT}{\mathcal T}
70: \newcommand{\mU}{\mathcal U}
71: \newcommand{\mV}{\mathcal V}
72: \newcommand{\mW}{\mathcal W}
73: \newcommand{\mX}{\mathcal X}
74: \newcommand{\mY}{\mathcal Y}
75: \newcommand{\mZ}{\mathcal Z}
76:
% \bA ... \bZ: bold capitals.
77: \newcommand{\bA}{\mathbf A}
78: \newcommand{\bB}{\mathbf B}
79: \newcommand{\bC}{\mathbf C}
80: \newcommand{\bD}{\mathbf D}
81: \newcommand{\bE}{\mathbf E}
82: \newcommand{\bF}{\mathbf F}
83: \newcommand{\bG}{\mathbf G}
84: \newcommand{\bH}{\mathbf H}
85: \newcommand{\bI}{\mathbf I}
86: \newcommand{\bJ}{\mathbf J}
87: \newcommand{\bK}{\mathbf K}
88: \newcommand{\bL}{\mathbf L}
89: \newcommand{\bM}{\mathbf M}
90: \newcommand{\bN}{\mathbf N}
91: \newcommand{\bO}{\mathbf O}
92: \newcommand{\bP}{\mathbf P}
93: \newcommand{\bQ}{\mathbf Q}
94: \newcommand{\bR}{\mathbf R}
95: \newcommand{\bS}{\mathbf S}
96: \newcommand{\bT}{\mathbf T}
97: \newcommand{\bU}{\mathbf U}
98: \newcommand{\bV}{\mathbf V}
99: \newcommand{\bW}{\mathbf W}
100: \newcommand{\bX}{\mathbf X}
101: \newcommand{\bY}{\mathbf Y}
102: \newcommand{\bZ}{\mathbf Z}
103:
% Distinguishing advantage (Adv) and bit-prediction advantage (PredAdv),
% typeset as upright operators.
104: \DeclareMathOperator{\adv}{Adv}
105: \DeclareMathOperator{\predadv}{PredAdv}
106:
% \Hmin typesets H with subscript "min" (presumably min-entropy).
107: \DeclareMathOperator{\Hop}{H}
108: \DeclareMathOperator{\emin}{min}
109: \newcommand{\Hmin}{\Hop_{\emin}}
110:
% The two players, typeset in sans-serif.
111: \newcommand{\PlayerA}{{\textsf{A}}}
112: \newcommand{\PlayerB}{{\textsf{B}}}
113:
% NOTE(review): the macro is named \Auth but prints "Comm" -- name and
% output disagree; check which one the text relies on.
114: \newcommand{\Auth}{\textsf{Comm}}
115:
% OT-family notation. Argument order is {chosen}{total}{superscript}:
% \OT{1}{2}{n} typesets "2 choose 1"-OT^n. \choose is a plain-TeX
% primitive; \binom (amsmath) would be the modern form.
116: \newcommand{\OT}[3]{{#2 \choose #1}{\textsf{-OT}^{#3}}}
117: \newcommand{\OTT}{{\textsf{OT}}}
118: \newcommand{\TO}[3]{{#2 \choose #1}{\textsf{-TO}^{#3}}}
119: \newcommand{\TOO}{{\textsf{TO}}}
120: \newcommand{\ROT}[3]{{#2 \choose #1}\textsf{-ROT}^{#3}}
121: \newcommand{\ROTT}{{\textsf{ROT}}}
122:
% \semiROT/\semiROTT currently produce the same output as \ROT/\ROTT
% (only the brace grouping differs); kept as separate names for the text.
123: \newcommand{\semiROT}[3]{{#2 \choose #1}\textsf{-}{\textsf{ROT}}^{#3}}
124: \newcommand{\semiROTT}{{{\textsf{ROT}}}}
125:
% NOTE(review): \GF is not defined in this preamble; it must come from the
% class or package `E' -- confirm, otherwise \EFLO will not compile.
126: \newcommand{\EFLO}[1]{\GF{{#1}}{\textsf{-ELFO}}}
127: \newcommand{\EFLOO}{{\textsf{ELFO}}}
128:
% Reduction and protocol names, typeset in sans-serif.
129: \newcommand{\RReduce}{\textsf{R-Reduce}}
130: \newcommand{\SReduce}{\textsf{S-Reduce}}
131: \newcommand{\EReduce}{\textsf{E-Reduce}}
132:
133: \newcommand{\SimWOT}{\textsf{SimWOT}}
134:
% Weak OT with three (resp. two) error parameters, e.g. \WOT{p}{q}{e}.
135: \newcommand{\WOT}[3]{(#1,#2,#3)\textsf{-WOT}}
136: \newcommand{\WOTtwo}[2]{(#1,#2)\textsf{-WOT}}
137: \newcommand{\WOTT}{\textsf{WOT}}
138:
% Computational weak OT, same parameter shape as \WOT.
139: \newcommand{\compWOT}[3]{(#1,#2,#3)\textsf{-compWOT}}
140: \newcommand{\compWOTT}{\textsf{compWOT}}
141:
% Universal OT: \UOT{alpha}{n} typesets "(alpha)-(2 choose 1)-UOT^n".
142: \newcommand{\UOT}[2]{(#1)\textsf{-}{2 \choose 1}\textsf{-UOT}^{#2}}
143: \newcommand{\UOTT}{\textsf{UOT}}
144:
145: \newcommand{\ROTfromOT}{\textsf{ROTfromOT}}
146: \newcommand{\OTfromROT}{\textsf{OTfromROT}}
147: \newcommand{\ROTfromSROT}{\textsf{ROTfromSROT}}
148:
149: \newcommand{\ROTfromUOT}{\textsf{ROTfromUOT}}
150:
151: \newcommand{\ROTOR}{\textsf{ROTOR}}
152:
% TOR variants mirror the ROT macros above (same argument order).
153: \newcommand{\TOR}[3]{{#2 \choose #1}\textsf{-TOR}^{#3}}
154: \newcommand{\TORR}{{\textsf{TOR}}}
155:
156: \newcommand{\semiTOR}[3]{{#2 \choose #1}\textsf{-}{\textsf{TOR}}^{#3}}
157: \newcommand{\semiTORR}{{{\textsf{TOR}}}}
158:
% Computational indistinguishability: an equivalence sign with "c" on top.
159: \newcommand{\compIndist}{\stackrel{\rm c}{\equiv}}
160:
% Further upright operators: variance, majority, extractor, leakage,
% negligible function, equality predicate, polynomial.
161: \DeclareMathOperator{\var}{var}
162: \DeclareMathOperator{\maj}{maj}
163:
164: \DeclareMathOperator{\extr}{Ext}
165: \DeclareMathOperator{\leak}{Leak}
166:
167: \DeclareMathOperator{\negl}{negl}
168: \DeclareMathOperator{\eq}{eq}
169: \DeclareMathOperator{\poly}{poly}
170:
% Front matter uses roman page numbers; switched to arabic after the TOC.
171: \pagenumbering{roman}
172:
173: \initETHthesis
174:
175: \makeindex
176:
177: \begin{document}
178:
179: \dissnum{17125}
180: \title{Oblivious-Transfer Amplification}
181: \degree{Doctor of Sciences}
182: \author{J\"urg Wullschleger}
183: \acatitle{Dipl. Inf.-Ing. ETH}
184: \dateofbirth{July 5, 1975}
185: \citizen{Vordemwald, AG, Switzerland}
186: \examiner{Prof. Dr. Stefan Wolf}
187: \coexaminera{Prof. Dr. Ivan Damg{\aa}rd}
188: \coexaminerb{}
189:
190: \maketitle
191: \thispagestyle{empty}
192: \cleardoublepage
193:
194: \pagestyle{plain}
195:
196: \chapter*{Acknowledgments}
197:
198: First of all, I would like to thank Stefan Wolf who has been a great
199: advisor. Many results in this thesis are the outcome of
200: endless discussions with him.
201: I also want to thank Ivan Damg{\aa}rd for co-refereeing this thesis.
202:
203: I would also like to thank all the people I was able to work with or
204: talk to about my research during the last few years, including
205: Don Beaver,
206: Hugue Blier, Gilles Brassard, Anne Broadbent, Daniel Burgarth,
207: Claude Cr\'epeau, Meriem Debbih, Simon-Pierre Desrosiers,
208: Thomas D\"ubendor\-fer, Fr\'ed\'eric Dupuis, Serge Fehr, Matthias Fitzi, Viktor Galliard,
209: S\'ebastien Gambs, Nicolas Gisin, Iftach Haitner, Esther H\"anggi,
210: Patrick Hayden, Martin Hirt, Thomas Holenstein, Reto Kohlas,
211: Robert K\"onig, Ueli Maurer, Remo Meier, Andr\'e M\'ethot, Kirill Morozov,
212: Yvonne Anne Oswald,
213: J\"orn M\"uller-Quade, Anderson Nascimento,
214: Krzysztof Pietrzak,
215: Bartosz Przydatek, Melanie Raemy, Dominik Raub, Renato Renner,
216: Louis Salvail, George Savvides, Valerio Scarani, Christian Schaffner, Jean-Raymond Si\-mard,
217: Johan Sj\"odin, Christian Sommer, Reto Strobl,
218: Alain Tapp, Stefano Tessaro, Dominique Unruh, Stephanie Wehner, Douglas Wikstr\"om, Andreas Winter,
219: Jon Yard, and Vassilis Zikas.
220:
221: Special thanks to Thomas Holenstein for answering many questions
222: and for giving me many helpful hints and ideas, to J\"orn M\"uller-Quade, Dominik Raub, Renato Renner and
223: Dominique Unruh for answering my questions about universal composability, to Iftach Haitner for helpful comments
224: on the computational part of this thesis,
225: and
226: to Esther H\"anggi, Melanie Raemy and Christian Schaffner for proof-reading this
227: thesis and pointing out many errors.
228:
229: This research was supported by the Swiss National Science Foundation (SNF), by the Natural Sciences and Engineering Research Council of Ca\-na\-da (NSERC) and by the Fonds Qu\'eb\'ecois de la Recherche sur la Nature et les Technologies (FQRNT).
230:
231: \chapter*{Abstract}
232:
233: In \emph{two-party computation}, two players want to
234: collaborate in a secure way in order to achieve a common goal, but, they do
235: not trust each other and do not want the other to learn more than
236: necessary about their inputs.
237: Unfortunately, two-party computation is impossible to achieve \emph{unconditionally}
238: securely using noiseless communication alone, i.e., such that even an adversary with infinite computing power has no chance
239: of breaking the system. We do have implementations in the \emph{computational} setting,
240: i.e., where we assume that the computing power of the adversary is bounded,
241: but the security of these implementations is based on unproven assumptions such
242: as the assumption that factoring
243: is hard.
244:
245: However, if a very simple primitive called \emph{oblivious transfer}
246: is available, then \emph{any} two party computation can be implemented in an unconditionally
247: secure way.
248: In this thesis we investigate what weaker forms of oblivious transfer still allow for
249: implementing oblivious transfer, and hence any two-party computation.
250:
251: First of all, we will show that oblivious transfer is equivalent to a randomized
252: form of oblivious transfer, and that this randomized oblivious transfer is
253: in fact \emph{symmetric}. It follows that also oblivious transfer is symmetric.
254:
255: Then, we present a protocol that implements oblivious transfer from a weakened
256: oblivious transfer called \emph{universal oblivious transfer}, where one of the
257: two players may get additional information. Our reduction is about twice as efficient
258: as previous results.
259:
260: \emph{Weak oblivious transfer} is an even weaker form of oblivious transfer, where
261: both players may obtain additional information about the other player's input, and
262: where the output can contain errors. We give a new, weaker definition of weak oblivious transfer,
263: as well as new reductions with a more detailed analysis.
264:
265: Finally, we show that any protocol that implements oblivious transfer
266: from weak oblivious transfer can be used in the computational setting to implement
267: computationally secure oblivious transfer from \emph{computational weak oblivious transfer},
268: which is a computational version of weak oblivious transfer, where the additional information
269: both players may obtain about the other player's input is only \emph{computationally} bounded.
270:
271: \chapter*{Zusammenfassung}
272:
273: \emph{Sichere Zweiparteienberechnung} erlaubt es zwei Spielern,
274: die einander nicht vertrauen, gemeinsam eine Berechnung durchzuf\"uhren, ohne
275: dass der jeweils andere Spieler irgend\-welche zus\"atzlichen Informationen \"uber ihre Ein\-gabe
276: erf\"ahrt.
277: Leider ist es unm\"oglich eine solche Berechnung so auszu\-f\"uhren, dass sie selbst
278: gegen einen berechenm\"assig unbe\-schr\"ankten Angreifer sicher ist. Unter der Annahme,
279: dass der Angreifer berechenm\"assig be\-schr\"ankt ist, existieren sichere Protokolle, jedoch
280: basiert die Sicherheit dieser Protokolle auf zus\"atz\-lichen Annahmen, wie zum Beispiel der Annahme,
281: dass Faktorisieren schwie\-rig ist.
282:
283: Wenn jedoch eine Primitive mit dem Namen \emph{vergessliche \"Ubertragung}
284: ge\-ge\-ben
285: ist, dann kann \emph{jede} Zweiparteienberechnung sicher gegen unbe\-schr\"ankte Angreifer
286: ausgef\"uhrt werden.
287: In dieser Arbeit untersuchen wir, welche schw\"acheren Formen von ver\-gesslicher \"Uber\-trag\-ung
288: uns immer noch erlauben, eine sichere vergessliche \"Ubertragung auszu\-f\"uhren.
289:
290: Zuerst zeigen wir, dass vergessliche \"Ubertragung \"aquivalent ist zu einer
291: randomisierten vergesslichen \"Uber\-tragung,
292: und dass diese Primitive \emph{symmetrisch} ist. Daraus folgt, dass vergessliche
293: \"Ubertragung ebenfalls sym\-metrisch ist.
294:
295: \emph{Universelle vergessliche \"Ubertragung} ist eine schw\"achere Variante von
296: ver\-gesslicher \"Uber\-tragung, in welcher einer der beiden Spieler zus\"atzliche Informationen erhalten kann.
297: Wir zeigen ein neues, effizienteres Protokoll, um daraus vergessliche \"Uber\-tragung herzustellen.
298:
299: \emph{Schwache vergessliche \"Ubertragung} ist eine noch schw\"achere Form von ver\-gesslicher
300: \"Uber\-tragung, in welcher beide Spieler zus\"atzliche Information erhalten k\"onnen und die \"Uber\-tragung
301: falsch sein kann. Wir geben sowohl eine neue, schw\"achere Definition von schwacher ver\-gesslicher \"Uber\-tragung,
302: als auch neue Protokolle wie man daraus vergessliche \"Uber\-trag\-ung herstellen kann.
303:
304: Schliesslich zeigen wir, dass jedes Verfahren, welches vergessliche \"Uber\-trag\-ung aus
305: schwa\-cher ver\-gesslicher \"Uber\-trag\-ung herstellt, auch eingesetzt werden kann, um
306: berechenm\"assig sichere vergessliche \"Ubertragung aus \emph{berechenm\"assig
307: schwacher ver\-gesslicher \"Uber\-trag\-ung} herzu\-stellen.
308:
309:
310:
311: \tableofcontents
312:
313: \cleardoublepage
314:
315: \pagenumbering{arabic}
316: \pagestyle{headings}
317:
318: \chapter{Introduction}
319:
320: On January 16, 1797, Johann Wolfgang von Goethe (1749--1832)
321: sent a letter
322: to the publisher Vieweg with the following content (translated to English by \cite{MolTie98}):
323: \begin{quotation}
324: ``I am inclined to offer Mr.\ Vieweg from Berlin an epic poem, Hermann and Dorothea,
325: which will have approxima\-tely 2000 hexameters. [\dots] Concerning the royalty we will proceed as follows:
326: I will hand over to Mr.\ Counsel B\"ottiger a sealed note which contains my demand, and I wait for
327: what Mr.\ Vieweg will suggest to offer for my work. If his offer is lower than my demand, then
328: I take my note back, unopened, and the negotiation is broken. If, however, his offer is higher, then
329: I will not ask for more than what is written in the note to be opened by Mr.\ B\"ottiger.''
330: \end{quotation}
331: The reason for Goethe to choose such a complicated scheme was not to maximize his profit --- he would not have earned less
332: by just selling it to Vieweg --- he wanted to gain information on how much Vieweg was
333: willing to pay for his work. Indeed, his procedure can be viewed as a second price auction, where
334: Goethe himself was playing the second bidder \cite{MolTie98}. However, unlike in a second-price auction,
335: Goethe would get to know the bid of the highest bidder. To achieve his goal, Goethe needed to
336: be able to commit to a value that Vieweg would not get to know before placing his bid, but such that
337: Goethe himself would also not
338: be able to change it. He did this by giving an envelope to a third, trusted party, Mr.\ B\"ottiger.
339: Unfortunately, things did not turn out as Goethe had intended.
340: B\"ottiger opened the envelope
341: and gave Vieweg a hint, who then bid exactly what Goethe had demanded in his envelope. Vieweg was
342: therefore able to completely hide the information on how much he was willing to pay: the trusted third party was the single point of failure of the whole scheme.
343:
344: This is an example of \emph{two-party computation}, where two players want to achieve a common
345: goal, however they do not trust each other and do not want the other to learn more than
346: necessary about their inputs. Obviously, such a computation can easily be achieved with the help
347: of a trusted third party. However, as the example above shows, the two players would rather
348: not need to trust such a third party. Our goal is therefore to achieve a
349: two-party computation \emph{without the help of a trusted third party}.
350:
351: Unfortunately, this task is impossible to achieve \emph{unconditionally}
352: securely, i.e., such that even an adversary with infinite computing power has no chance
353: in breaking the system. On the other hand, there exist implementations in the computational setting,
354: i.e., they are secure against adversaries which only have limited computing power.
355: However, the security of these implementations is based on unproven assumptions, such
356: as the assumption that factoring the product of two large prime numbers is hard.
357:
358: Needless to say, we would like to base the security of a two-party computation protocol on as few
359: assumptions as possible.
360: Surprisingly, it turned out that if a
361: very simple primitive called \emph{oblivious transfer} is available,
362: then \emph{any} two party computation can be implemented in an unconditionally secure way.
363: Oblivious transfer is a primitive that allows a sender to send two bits to a receiver, who
364: can choose which of the two bits he wants to receive. The receiver will remain completely
365: ignorant about the other bit, while the sender does not get to
366: know which bit has been chosen by the receiver.
367:
368: Even though oblivious transfer is quite simple, it is rather difficult to implement.
369: For example, in the computational setting quite strong assumptions are needed at the moment.
370: On the other hand, it is possible to implement oblivious transfer under certain physical
371: assumptions. However, such systems generally do not achieve a perfect oblivious transfer,
372: but one where one or both players may still be able to cheat in some way and obtain
373: additional information that they should not be allowed to obtain.
374:
375: The main topic of this thesis is to present different protocols that implement
376: oblivious transfer from weaker variants. For example, in \emph{weak oblivious
377: transfer}, there can occur three types of errors: first, even if both
378: players execute the protocol honestly, the output of the receiver can be wrong with
379: some probability. Secondly, a dishonest receiver may not remain completely ignorant about
380: the second input bit. And finally, a dishonest sender may gain partial
381: information about the receiver's choice bit. We show that if these three errors are
382: not too large, it is possible to implement an almost perfect oblivious transfer.
383:
384: \section{Background}
385:
386: \paragraph{Two- and multi-party computation.} The concept of \emph{two- and multi-party computation} was introduced by Yao \cite{Yao82}.
387: A complete solution of this problem with respect to computational security
388: was given by Gold\-reich, Micali, and Wigderson \cite{GoMiWi87}, and later but independently, by Chaum, Dam\-g{\aa}rd, and van de Graaf \cite{ChDaGr87}. Later
389: Ben-Or, Goldwasser, and Wigderson \cite{BeGoWi88} and, independently,
390: Chaum, Cr\'e\-peau, and Dam\-g{\aa}rd \cite{ChCrDa88} showed that in
391: a model with only pairwise secure channels, multi-party computation among $n$ players unconditionally secure
392: against an active adversary is achievable if and only if $t<n/3$
393: players are corrupted. Beaver \cite{Beaver89b} and independently Rabin and Ben-Or \cite{RabBen89}
394: showed that this bound can be improved to $t<n/2$,
395: assuming that global broadcast channels are available.
396:
397: \paragraph{Security definitions.}
398: Intuitively, it seems to be very clear what we mean when we say that a two-party protocol
399: should be \emph{secure}: it should be \emph{correct}, i.e., it should implement
400: the desired functionality, and it should be \emph{private}, meaning that it should not leak additional
401: information to any of the players. Unfortunately, these intuitive ad-hoc requirements are hard to
402: formalize and often even insufficient.
403:
404: Inspired by the work of Goldwasser, Micali, and Rackoff
405: \cite{GoMiRa85} on zero-knowledge proofs of knowledge, Goldreich, Micali and Wigderson
406: \cite{GoMiWi87} were the first to use the simulation paradigm to define the security of
407: multi-party computation protocols. Micali and Rogaway \cite{MicRog91} and
408: Beaver \cite{Beaver91} further formalized this approach.
409: The idea behind these definitions is very intuitive and goes as follows. We
410: say that a (real) protocol securely computes a certain functionality if for
411: any adversary attacking the protocol, there exists a (not much stronger) adversary in an ideal
412: setting --- where the players only have black-box access to the functionality
413: they try to implement --- that achieves the same. In other words, a protocol is
414: secure if any attack in the real model can be simulated in the much more
415: restrictive ideal model.
416: As shown by Beaver \cite{Beaver91}, and formally proved by Canetti \cite{Canetti96,Canetti00b},
417: these security definitions imply that secure protocols are \emph{sequentially composable}: if
418: in a secure protocol that uses an ideal
419: functionality, that ideal functionality is replaced by a secure protocol, then the
420: composed protocol is again a secure protocol.
421: Later, Backes, Pfitzmann and Waidner \cite{PfiWai00,BaPfWa03} and independently
422: Canetti \cite{Canetti00} introduced a stronger security definition called
423: \emph{universal composability}, which guarantees that protocols can be composed in an arbitrary way.
424:
425: \paragraph{Oblivious transfer.}
426: For the special case of two-party computation, there cannot exist
427: a protocol that is unconditionally
428: secure against one corrupted player. However, if a primitive called \emph{oblivious transfer (OT)} is
429: available, then \emph{any} two-party computation can be executed unconditionally securely, which was shown by Goldreich and Vainish \cite{GolVai87} for passive adversaries, and by Kilian \cite{Kilian88} for active adversaries. These results were later improved by Cr\'e\-peau \cite{Crepea89}, Goldwasser and Levin \cite{GolLev90}, and Cr\'e\-peau, van de Graaf, and Tapp \cite{CrvGTa95}. The idea of oblivious transfer goes back to Wiesner~\cite{Wiesner70} in around 1970.
430: He tried to show that quantum physics allows us to achieve certain (classical)
431: tasks that otherwise
432: would not be possible. Since a quantum state can contain more information than what we can get out by measuring
433: it, he proposed to use quantum communication as
434: \emph{``a means for transmitting two messages either but not both of which may be received.''},
435: which is exactly what OT achieves. More formally, OT is a primitive that receives two bits $x_0$ and $x_1$ from the sender and a bit $c$ from the receiver, and sends $x_c$ to the receiver, while the receiver does not get to know $x_{1-c}$, and the sender does not get to know $c$.
436: Wiesner proposed a simple protocol that achieves this, but he pointed out that it could be broken
437: in principle.
438: Rabin \cite{Rabin81} introduced a similar primitive in 1981, and showed its usefulness to cryptographic
439: applications. (He also gave oblivious transfer its name.) Even, Goldreich and Lempel \cite{EvGoLe85}
440: reintroduced Wiesner's version of OT.
441:
442: \paragraph{Computationally secure oblivious transfer.}
443: There exist different approaches to securely implement OT, with different
444: degrees of security. If we are only interested in \emph{computational security}, i.e.,
445: a system that cannot be broken by any adversary limited to polynomial computing time,
446: then OT can be implemented using noiseless communication only,
447: provided that certain complexity assumptions hold. Of course, we would like to make these assumptions as weak
448: as possible, for example, we would like to have an implementation of OT that
449: is secure under the assumption that \emph{one-way functions} --- functions that are easy
450: to evaluate, but hard to invert --- exist. Unfortunately, such an implementation is still not known.
451: Even worse, Impagliazzo and Rudich \cite{ImpRud89} showed that such an implementation, if it exists, will be very hard to find, because there cannot exist any \emph{black-box reduction} of OT to one-way functions.
452:
453: Even, Goldreich and Lempel \cite{EvGoLe85} presented an implementation of OT using
454: trapdoor permutations.
455: However, Goldreich \cite{Goldreich04} showed that in fact the
456: stronger assumption of an \emph{enhanced trapdoor permutations} is needed for the protocol to be secure. This assumption was later weakened by Haitner \cite{Haitne04} to \emph{dense trapdoor permutations}.
457: Other implementations use more specific assumptions such as the assumption that factoring
458: a product of two primes is hard, as shown by Rabin \cite{Rabin81},
459: or the \emph{Diffie-Hellman assumption}, shown by Bellare and Micali, Naor and Pinkas, and Aiello, Ishai and
460: Reingold \cite{BelMic89,NaoPin01,AiIsRe01}.
461: Unfortunately, these latter assumptions do not hold against quantum adversaries:
462: Shor \cite{Shor94} gave an efficient quantum algorithm that breaks both factoring and the Diffie-Hellman assumption.
463:
464: In the universally composable framework, Canetti and Fischlin \cite{CanFis01} showed that, without additional setup assumptions, there cannot exist an implementation of OT secure against active adversaries\footnote{They showed that bit-commitment is impossible, but since bit-commitment can be implemented from OT,
465: this implies that also OT is impossible.}.
466: On the other hand, Canetti, Lindell, Ostrovsky, and Sahai \cite{CLOS02} showed that the protocol
467: presented in
468: \cite{GoMiWi87} is secure against passive adversaries in the universally composable framework.
469: Garay, MacKenzie and Yang \cite{GaMaYa04} proposed an implementation of \emph{enhanced
470: committed OT} secure against active adversaries under the
471: additional assumption of a \emph{common reference string}. Fischlin \cite{Fischl06} proposed a protocol
472: that does not assume a common reference string, but needs the help of other players.
473:
474: \paragraph{Unconditionally secure oblivious transfer.}
475: All known computational implementations of OT --- besides
476: the assumption that the adversary is computationally
477: bounded --- are based on quite strong, unproven assumptions about the complexity of certain problems.
478: \emph{Unconditional security} does not have these shortcomings. It offers a security that
479: cannot be broken \emph{in principle}, no matter what computing power the adversary has,
480: and is generally not based on unproven assumptions. Unfortunately, unconditionally secure OT is impossible
481: to achieve if the players only have access to noiseless communication.
482: In fact, even noiseless \emph{quantum} communication does not help, as has been shown by
483: Mayers \cite{Mayers97}, and independently by Lo and Chau \cite{LoChau97}\footnote{They showed that bit-commitment is impossible, but since bit-commitment can be implemented from OT,
484: this implies that also OT is impossible.}.
485: Therefore, some additional resources must be available in order to achieve unconditionally
486: secure OT.
487:
488: \paragraph{Reductions between different variants of OT.}
489: There exist many different variants of OT, and all of them have been
490: shown to be equivalent to OT.
491: Cr\'epeau \cite{Crepea87} showed that OT can be implemented from Rabin's OT, and
492: Brassard, Cr\'epeau and Robert \cite{BrCrRo86b} showed, among others, that string OT
493: (where the sender can send strings instead of single bits)
494: can be implemented from bit OT. More efficient methods to implement string OT from bit OT were presented by
495: Brassard, Cr\'epeau and S\'antha \cite{BrCrSa96},
496: by Brassard, Cr\'epeau and Wolf \cite{BraCre97,BrCrWo03}, and by Cr\'epeau
497: and Savvides \cite{CreSav06}. Imai, Morozov, and Nascimento \cite{ImMoNa06} showed a direct implementation of string
498: OT from Rabin's OT.
499: Dodis and Micali \cite{DodMic99} presented a protocol to extend the number of
500: choices for the receiver. Another interesting property of OT was shown by
501: Bennett, Brassard, Cr{\'e}peau and Skubiszewska \cite{BBCS92} and Beaver \cite{Beaver95}, namely that
502: OT can be \emph{precomputed}. This means that OT can be converted into a randomized version of OT,
503: that can later be converted back into OT. Cr\'epeau and S\'antha \cite{CreSan91},
504: and independently Ostrovsky, Venkatesan and Yung \cite{OsVeYu91} presented protocols which
505: implement OT in one direction from OT in the other direction. Wolf and Wullschleger \cite{WolWul06}
506: presented a much simpler and more efficient protocol for this.
507:
508: Various weak versions of OT have been proposed where either the sen\-der's or the receiver's security
509: is weakened.
510: Cr\'epeau and Kilian \cite{CreKil88} presented an implementation of OT from \emph{$\alpha$-1-2 slightly~OT},
511: which is a weak version of OT where the sender may get some information about the choice bit of the receiver.
512: Brassard, Cr\'epeau and Wolf \cite{BraCre97,BrCrWo03} showed that OT can also be implemented from
513: \emph{XOT}, \emph{GOT} or \emph{UOT with repetitions}, which are weak versions of OT where the receiver
514: may get information he is not supposed to obtain.
515: Cachin \cite{Cachin98} proposed a primitive called \emph{Universal OT} (without repetitions), which is
516: a generalization of XOT, GOT or UOT with repetitions. He proposed a protocol to implement OT, but his proof
517: turned out to be incorrect. The protocol was finally shown to be secure by Damg{\aa}rd, Fehr, Salvail and Schaffner \cite{DFSS06}. The bounds for this protocol were later improved by Wullschleger \cite{Wullsc07}.
518: Damg{\aa}rd, Kilian and Salvail \cite{DaKiSa99} presented an even weaker form of OT called \emph{weak OT} (WOT),
519: where the security for \emph{both} players is weakened and the output to the receiver may be faulty.
520: They presented some bounds for which OT can be implemented from WOT. Later Wullschleger \cite{Wullsc07}
521: showed that their definition of WOT implicitly uses quite strong assumptions, and proposed a new,
522: weaker definition together with new reductions.
523:
524: \paragraph{OT from physical assumptions.}
525: Cr\'epeau and Kilian \cite{CreKil88} were the first to present
526: protocols for OT using \emph{noise} as additional resource
527: in form of an \emph{erasure channel}.
528: Cr\'epeau \cite{Crepea97} presented a protocol for the \emph{binary-symmetric noisy channel}, which was later
529: generalized by Korjik and Morozov \cite{KorMor01}. Cr\'epeau, Morozov and Wolf \cite{CrMoWo04} finally presented a protocol for \emph{any non-trivial channel}.
530: As shown by Imai, M\"uller-Quade, Nascimento and Winter, \cite{IMNW04}, Wolf and Wullschleger
531: \cite{WolWul04}, and Nascimento and Winter \cite{NaWi06},
532: these results also translate to the model where the players receive distributed
533: randomness\footnote{A similar model has already been studied in
534: the context of \emph{key agreement} by Ahlswede and Csisz\'ar \cite{AhlCsi93}
535: and Maurer \cite{Maurer93}.}.
536:
537: Damg{\aa}rd, Kilian and Salvail \cite{DaKiSa99} introduced a more realistic, \emph{unfair} model
538: in which the adversary is given more information than the honest players.
539: For example, if a noisy channel is implemented using a transmitter
540: and an antenna, an adversary may be able to replace the official antenna
541: by a larger one, and may, therefore, receive the transmitted signal with less noise than
542: an honest receiver would.
543: They presented explicit bounds for the \emph{unfair binary noisy channel}, which were later improved
544: by Damg{\aa}rd, Fehr, Morozov and Salvail \cite{DFMS04,Morozo05}.
545: A central part of these results was the algorithm that implements OT from WOT. However, for the reduction to
546: work, the definition of \cite{Wullsc07} must be used.
547:
548: \section{Outline of the Thesis}
549:
550: \paragraph{Preliminaries.}
551: In Chapter~\ref{chap:pre}, we introduce the three distance measures that we will be using in this thesis. We will present some of the properties they have and how they are related. The
552: \emph{distinguishing advantage} and the \emph{statistical distance} are standard measures for
553: the distance between two distributions. On the other hand, the \emph{maximal bit-prediction advantage} is a special measure that we will use in Chapters~\ref{chap:wot} and \ref{chap:compWOT}.
554:
555: \paragraph{Definition of secure two-party computation.}
556: In Chapter~\ref{chap:secTPC}, we give a simplified, formal framework for
557: two-party computation that is universally composable.
558: We will define two different models: the malicious model, where the corrupted players may behave arbitrarily, and the semi-honest model, where the corrupted players follow the protocol, but may try to obtain as much information as they can during the protocol. We will also show
559: that these definitions allow protocols to be composed. Finally, we show that
560: security in the malicious model does not imply security in the semi-honest model, and give a
561: weaker security definition for the semi-honest model for which this implication holds.
562:
563: \paragraph{Oblivious transfer.}
564: In Chapter~\ref{chap:ot}, we will introduce the main topic of this thesis: oblivious transfer (OT).
565: We will also define a randomized version of OT, called \emph{randomized OT} (ROT), and show that OT and ROT are equivalent if communication is free.
566: We will then give a very simple protocol which shows that ROT is symmetric. In connection with
567: the other protocols, this gives us a simple way to reverse the direction of OT.
568: Finally, we will present \emph{information-theoretic conditions}
569: that imply that a protocol
570: securely implements ROT.
571:
572: \emph{Contribution.}
573: Our reduction that reverses ROT and hence also OT is joint work with Stefan Wolf \cite{WolWul06}, and
574: is much simpler and more efficient
575: than previous reductions presented in \cite{CreSan91,OsVeYu91}.
576: The information-theoretic conditions for the security of ROT presented here build on prior joint work with Claude Cr\'epeau, George Savvides and Christian Schaff\-ner \cite{CSSW06}. There, we presented information-theoretic conditions that imply that a protocol securely implements secure function evaluation in a sequentially composable model.
577: These conditions replace many ad-hoc definitions for the security of protocols
which often have been faulty. Here, we only present conditions for ROT; however, we show a stronger statement about ROT,
as our conditions imply that a protocol is \emph{universally composable}, and not only sequentially composable. Also, our conditions
have explicit error terms, which makes them easier to use.
581:
582: \paragraph{Universal oblivious transfer.}
583: In Chapter~\ref{chap:uot}, we will present a protocol that implements ROT from a weak variant of ROT
584: called \emph{universal OT} (UOT). In contrast to ROT, UOT allows a corrupted receiver to receive
\emph{any} information he wants about the input, as long as he does not receive too much information. For example, he could be allowed to receive a bit string of a certain length that is a function, chosen by him, of
the sender's inputs.
587:
588: \emph{Contribution.}
589: Our proof, which is also presented in \cite{Wullsc07}, shows that in the reduction of OT to
590: UOT, the string length of the resulting OT can be about twice as long as
591: for the bound presented in
592: \cite{DFSS06}, which is optimal for that protocol.
(The same bound that we present here has already been claimed in \cite{Cachin98},
but the proof presented there was incorrect, as was discovered in \cite{DFSS06}.)
595: Our proof makes use of a novel \emph{distributed leftover hash lemma},
596: which is a generalization of the well-known leftover hash lemma \cite{BeBrRo88,ILL89},
597: and of independent interest.
598:
599: \paragraph{Weak oblivious transfer.}
600: In Chapter~\ref{chap:wot}, we introduce \emph{weak oblivious transfer} (WOT), a weak
601: variant of ROT where the security for \emph{both} players is weak, and where the output may be incorrect.
602: We give formal definitions of WOT in both the semi-honest and the malicious model. We show that
603: for certain parameters (when the instances of WOT are too weak), it is impossible to implement ROT from WOT.
604: Then we present several protocols that implement ROT from WOT, and give
605: upper bounds on how many instances of WOT are needed.
606: Unfortunately, these reductions do not meet the impossibility bound.
607:
608: \emph{Contribution.} We give several improvements over the results presented in
609: \cite{DaKiSa99}, most of which are also presented in \cite{Wullsc07}.
First of all, we give new, weaker definitions of WOT
that replace the definition presented in \cite{DaKiSa99,DFMS04}, which was too strong
and had only a very limited range of applications.
Also, our definitions make the more general notion
of \emph{generalized weak oblivious transfer} of \cite{DFMS04} unnecessary.
For the special case where the WOT does not make any
error, we present a more detailed proof and a better upper bound on the number of instances
used than in \cite{DaKiSa99}. Then, using a different error-reduction protocol
618: that also works with our weaker definitions, we give bounds for the special case where information is leaked
619: only to one of the two players, as well as several new bounds for the general case.
620:
621: \paragraph{Computational weak oblivious transfer.}
In Chapter~\ref{chap:compWOT} we transfer the results from Chapter~\ref{chap:wot} to the computational setting. We define \emph{computational weak oblivious transfer} (compWOT), which is a computational version of WOT, where the adversary may get some additional
\emph{computational} knowledge about the value he is not supposed to learn. Using Holenstein's hard-core lemma \cite{Holens05,Holens06}, we show that any protocol that is secure in the information-theoretic setting can also be used in the computational setting. Hence, the reductions presented in Chapter~\ref{chap:wot} can be used to amplify compWOT to
a computationally secure OT.
625:
626: \emph{Contribution.} We give a simplified but slightly stronger version of the
627: \emph{pseudo-randomness extraction theorem} from \cite{Holens06}, and fix the proof given in \cite{Holens06},
628: where a step was missing.
629: Then, we show that computationally secure OT can
630: be implemented from a large set of compWOT. This improves
631: the results presented in \cite{Haitne04}, where only one special case was solved.
632:
633: \chapter{Preliminaries} \label{chap:pre}
634:
635: \section{Notation}
636:
637: We will use the following convention: lower case letters will denote fixed values and
638: upper case letters will denote random variables and algorithms. Calligraphic letters
639: will denote sets and domains of random variables.
640: For a random variable
641: $X$ over $\mX$, we denote its distribution by $P_X: \mX \rightarrow [0,1]$ with
642: $\sum_{x\in \mX} P_X(x) = 1$. For a given distribution
643: $P_{XY}: \mX \times \mY \rightarrow [0,1]$, we write for the marginal distribution
644: $P_{X}(x) := \sum_{y \in \mY} P_{XY}(x,y)$ and, if $P_Y(y) \neq 0$,
645: $P_{X \mid Y}(x \mid y) := P_{XY}(x,y) / P_{Y}(y)$ for the conditional distribution.
646: By $x^n$ we denote the list $(x_0,\dots,x_{n-1})$.
647:
648: We use the function $\exp(x) := e^x$. $\ln(x)$ denotes the natural logarithm, and $\log(x)$ denotes the logarithm to the base 2.
649:
650: \section{Distances between Distributions} \label{sec:statDist}
651:
652: In this section, we will introduce two measures for the distance between two distributions:
653: the \emph{distinguishing advantage} and the \emph{statistical distance}.
654:
655: \begin{definition} \label{def:adv-4-RV}
656: The \emph{distinguishing advantage} of an algorithm $A: \mU \rightarrow \{0,1\}$ (called the \emph{distinguisher})
657: to
658: distinguish $X$ from $Y$, which are random variables over the domain $\mU$, is
659: \[ \adv^A(X,Y) := \big| \Pr[A(X) = 1] - \Pr[A(Y)=1] \big |\;.\]
660: The distinguishing advantage of a class $\mD$ of distinguishers in distinguishing $X$ from $Y$ is
661: \[ \adv^{\mD}(X,Y) := \max_{A \in \mD} \adv^{A}(X,Y)\;.\]
662: \end{definition}
663:
664: We have $\adv^\mD(X,X) = 0$ and $\adv^\mD(X,Y) = \adv^\mD(Y,X)$ for all $X$ and $Y$.
It is also easy to see that probabilistic distinguishers do not perform better than deterministic ones: let $A_R$ be a probabilistic distinguisher that takes additionally some randomness $R$ as input, where $R$ is chosen independently of $X$ and $Y$. Since $\Pr[A_R(X) = 1] = \sum_r P_R(r) \Pr[A_r(X) = 1]$ (and likewise for $Y$), and since the absolute value of a weighted average is at most the weighted average of the absolute values, we have
\[ \adv^{A_R}(X,Y) \leq \sum_r P_R(r) \cdot \big| \Pr[A_r(X) = 1] - \Pr[A_r(Y)=1] \big |\;.\]
Now let $r \in \mR$ be the value that maximizes the expression
\[\big| \Pr[A_r(X) = 1] - \Pr[A_r(Y)=1] \big |\;.\]
Then $A_r$ is a deterministic distinguisher with
\[\adv^{A_r}(X,Y) \geq \adv^{A_R}(X,Y)\;.\]
671:
672: In the following, we will therefore only consider deterministic distinguishers.
673: Lemma~\ref{lem:advTri} shows that the \emph{triangle inequality} holds for the
674: distinguishing advantage.
675:
676: \begin{lemma}[Triangle inequality] \label{lem:advTri}
677: For any $X$, $Y$, and $Z$ over $\mU$, we have
678: \[ \adv^A(X,Z) \leq \adv^A(X,Y) + \adv^A(Y,Z)\;.\]
679: \end{lemma}
680:
681: \begin{proof} We have
682: \begin{align*}
683: \adv^A(X,Z)
684: & = \big| \Pr[A(X) = 1] - \Pr[A(Z)=1] \big | \\
685: & = \big| \Pr[A(X) = 1] - \Pr[A(Y) = 1]\\
686: & \qquad \qquad + \Pr[A(Y) = 1] - \Pr[A(Z)=1] \big | \\
687: & \leq \big| \Pr[A(X) = 1] - \Pr[A(Y) = 1] \big|\\
688: & \qquad \qquad + \big| \Pr[A(Y) = 1] - \Pr[A(Z)=1] \big | \\
689: & = \adv^A(X,Y) + \adv^A(Y,Z)\;.
690: \end{align*}
691: \end{proof}
692:
693: It is easy to see that the same also holds for \emph{classes} of distinguishers, i.e., for any
694: $\mD$, we have
695: $\adv^\mD(X,Z) \leq \adv^\mD(X,Y) + \adv^\mD(Y,Z)$.
696:
697: \begin{definition}
698: The \emph{statistical distance} of two random variables $X$ and $Y$ (or two distributions $P_{X}$ and $P_{Y}$) over the same domain $\mU$
699: is defined as
700: \[
701: \Delta(X,Y) = \Delta(P_X,P_Y)
702: := \frac 1 2 \sum_{u \in \mU} \Big | P_X(u) - P_Y(u) \Big |\;.
703: \]
704: \end{definition}
705:
706: We say that $P_X$ is $\eps$-close to $P_Y$, denoted by $P_X \equiv_\eps P_Y$,
707: if $\Delta(P_X,P_Y) \leq \eps$.
708: We say that a random variable \emph{$X$ is $\eps$-close to uniform with respect to $Y$}, if $P_{XY} \equiv_\eps P_U P_Y$, where $P_U$ is the uniform
709: distribution over $\mX$.
710:
711:
712: \begin{lemma} \label{lem:statDistT}
713: For all $X$ and $Y$, we have
714: \[
715: \Delta(X,Y)
716: = \Pr[X \in \mT]- \Pr[Y \in \mT] = \sum_{u \in \mT} \Big ( P_X(u) - P_Y(u) \Big )
717: \]
718: for $\mT := \{u \in \mU \mid P_X(u) > P_Y(u)\}$\;.
719: \end{lemma}
720:
721: \begin{proof}
722: We have
723: \begin{align*}
724: \Delta(X,Y)
725: &= \frac 1 2 \sum_{u \in \mT} \Big ( P_X(u) - P_Y(u) \Big ) + \frac 1 2 \sum_{u \not \in \mT} \Big ( P_Y(u) - P_X(u) \Big ) \\[.1cm]
726: &= \frac {\Pr[X \in \mT]} 2 + \frac {\Pr[Y \not \in \mT]} 2
727: - \frac {\Pr[X \not \in \mT]} 2 - \frac {\Pr[Y \in \mT]} 2 \\[.1cm]
728: &= \Pr[X \in \mT]- \Pr[Y \in \mT]\;.
729: \end{align*}
730: \end{proof}
731:
732: \begin{lemma} \label{lem:statDistMaxSet}
733: For all $X$ and $Y$, we have
734: \[
735: \Delta(X,Y) = \max_{\mS \subseteq \mU} \Big ( \Pr[X \in \mS] - \Pr[Y \in \mS] \Big )\;.
736: \]
737: \end{lemma}
738:
739: \begin{proof}
740: Follows directly from Lemma~\ref{lem:statDistT}, since
741: \[\Pr[X \in \mS] - \Pr[Y \in \mS]\]
742: is maximal for $\mS = \mT$.
743: \end{proof}
744:
745: From Lemma~\ref{lem:statDistMaxSet} follows now that
746: \[\adv^\mD(X,Y) = \Delta(X,Y)\;,\]
747: where $\mD$ is the class of all (also inefficient) distinguishers.
748:
749:
750: \begin{lemma}\label{lem:statDist-dataprocessing}
751: For any $X$ and $Y$ over $\mU$ and $f: \mU \rightarrow \mV$, we have
752: \[ \Delta(f(X),f(Y)) \leq \Delta(X,Y)\;. \]
753: \end{lemma}
754:
755: \begin{proof}
756: Let $\mD$ be the class of all (also inefficient) distinguishers, and let $D(v)$ be a distinguisher such that
757: \[\adv^D(f(X),f(Y)) = \adv^\mD(f(X),f(Y))\;.\]
758: Then, for $D'(u) := D(f(u))$, we have
759: \[\adv^{D'}(X,Y) = \adv^\mD(f(X),f(Y))\;.\]
760: Since $D' \in \mD$, we have
761: \begin{align*}
762: \Delta(f(X),f(Y))
763: & = \adv^\mD(f(X),f(Y)) = \adv^{D'}(X,Y) \\
764: & \leq \adv^\mD(X,Y) = \Delta(X,Y)\;.
765: \end{align*}
766: \end{proof}
767:
768: \begin{lemma} \label{lem:statDistEvent2}
769: Let $P_{BX}$ and $P_{CY}$ be distributions over $\{0,1\} \times \mU$ such that
770: \[\Pr[B=1] = \Pr[C=1] = \eps\;.\]
771: Then
772: \[ \Delta( P_{X}, P_{Y}) \leq \eps + \Delta( P_{X \mid B=0}, P_{Y \mid C=0})\;.\]
773: \end{lemma}
774:
775: \begin{proof}
We assume $\eps < 1$, so that the conditional distributions on the right-hand side are well defined. For any set $\mS \subseteq \mU$, we have
777: \begin{align*}
778: & \Pr[X \in \mS] - \Pr[Y \in \mS] \\
779: & \qquad = \eps \cdot \big ( \Pr[X \in \mS \mid B=1] - \Pr[Y \in \mS \mid C=1] \big ) \\
780: & \qquad \qquad + (1-\eps) \cdot \big ( \Pr[X \in \mS \mid B=0] - \Pr[Y \in \mS \mid C=0] \big )\\[0.1cm]
& \qquad \leq \eps + (1-\eps) \cdot \max_{\mS' \subseteq \mU} \Big ( \Pr[X \in \mS' \mid B=0] - \Pr[Y \in \mS' \mid C=0] \Big ) \\
& \qquad \leq \eps + \max_{\mS' \subseteq \mU} \Big ( \Pr[X \in \mS' \mid B=0] - \Pr[Y \in \mS' \mid C=0] \Big ) \\
783: & \qquad = \eps + \Delta( P_{X \mid B=0}, P_{Y \mid C=0})\;,
784: \end{align*}
785: and therefore
786: \begin{align*}
787: \Delta(X,Y)
788: = \max_{\mS \subseteq \mU} \Big ( \Pr[X \in \mS] - \Pr[Y \in \mS] \Big ) \leq \eps + \Delta( P_{X \mid B=0}, P_{Y \mid C=0})\;.
789: \end{align*}
790: \end{proof}
791:
792: \section{Prediction of Random Variables}
793:
794: For the case where $X \in \{0,1\}$, we will also use another measure of its closeness
795: to uniform with respect to a random variable $Y$, the \emph{maximal bit-prediction advantage},
796: which measures how well
797: $X$ can be predicted from $Y$. See also Section 2.1 in \cite{Holens06}.
798:
799: \begin{definition}
800: Let $P_{XY}$ be a distribution over $\{0,1\} \times \mY$.
801: The \emph{maximal bit-prediction advantage} of $X$ from $Y$ is
802: \[ \predadv(X \mid Y) := 2 \cdot \max_{f} \Pr[f(Y) = X] - 1\;.\]
803: \end{definition}
804:
805: In other words, if $\predadv(X \mid Y) = \delta$, then we have for all functions $f: \mY \rightarrow \{0,1\}$
806: \[ \Pr[f(Y) = X] \leq \frac{1 + \delta}{2}\;.\]
807: First, we show that $\predadv(X \mid Y) \leq 2\eps$, if and only if $X$ is
808: $\eps$-close to uniform with respect to $Y$.
809:
810: \begin{lemma} \label{lem:PredAdvStadDist}
811: Let $P_{XY}$ be a distribution over $\{0,1\} \times \mY$. Then
812: \[\predadv(X \mid Y)
813: = 2 \cdot \Delta( P_{XY},P_U P_Y)\;,\]
814: where $P_U$ is the uniform distribution over $\{0,1\}$.
815: \end{lemma}
816:
817: \begin{proof}
818: Obviously, the best function $f: \mY \rightarrow \{0,1\}$ for guessing $X$ is
819: \[ f(y) := \left \{
820: \begin{array}{ll}
821: 0 & \textrm{if $P_{XY}(0,y) \geq P_{XY}(1,y)$,} \\
822: 1 & \textrm{otherwise.}
823: \end{array}
824: \right.\]
825: We have
826: \begin{align*}
827: 2 \Pr[f(Y) = X] - 1
828: &= 2 \sum_y P_Y(y) P_{X \mid Y=y}(f(y)) - \sum_y P_Y(y) \\
829: &= \sum_y P_Y(y) \left ( P_{X \mid Y=y}(f(y)) - (1 - P_{X \mid Y=y}(f(y))) \right )\\
830: &= \sum_y P_Y(y) \left ( P_{X \mid Y=y}(f(y)) - P_{X \mid Y=y}(1 - f(y)) \right )\\
831: &= \sum_y P_Y(y) \big |P_{X \mid Y=y}(0) - P_{X \mid Y=y}(1) \big| \\
832: &= \sum_y P_Y(y) \sum_x \Big |P_{X \mid Y=y}(x) - \frac 1 2 \Big | \\
833: &= 2 \cdot \Delta( P_{XY},P_U P_Y) \;.
834: \end{align*}
835: \end{proof}
836:
837: Lemma~\ref{lem:predAdv-dataprocessing} follows immediately from Lemmas~\ref{lem:statDist-dataprocessing} and \ref{lem:PredAdvStadDist}.
838:
839: \begin{lemma} \label{lem:predAdv-dataprocessing}
840: Let $P_{XY}$ be a distribution over $\{0,1\} \times \mY$, and let $f: \mY \rightarrow \mY'$.
841: Then
842: \[\predadv(X \mid f(Y))
843: \leq \predadv(X \mid Y)\;.\]
844: \end{lemma}
845:
846: The following lemma shows that for any distribution $P_{XY}$ over $\{0,1\} \times \mY$,
847: we can define an event that has probability $1-\predadv(X \mid Y)$, such that conditioned on that
848: event,
849: $X$ is uniformly distributed given $Y$, and therefore no function $f(Y)$ can predict $X$.
850:
851: \begin{lemma} \label{lem:Hol22}
852: Let $P_{XY}$ be any distribution over $\{0,1\} \times \mY$. There exists a conditional distribution
853: $P_{B\mid XY}$
854: over $\{0,1\} \times \{0,1\} \times \mY$ such that
855: \[\Pr[B=1] \leq \predadv(X \mid Y)\]
856: and such that for all functions $f: \mY \rightarrow \{0,1\}$,
857: \[ \Pr[f(Y) = X \mid B=0] = 1/2\;.\]
858: \end{lemma}
859:
860: \begin{proof}
We define, for all $(x,y)$ with $P_{XY}(x,y) > 0$,
\[ P_{B \mid X,Y}(0 \mid x,y) := \frac {\min(P_{XY}(0,y),P_{XY}(1,y))}{P_{XY}(x,y)}\;;\]
pairs $(x,y)$ with $P_{XY}(x,y) = 0$ never occur, so $P_{B \mid X,Y}$ may be chosen arbitrarily there.
863: Using Lemma~\ref{lem:PredAdvStadDist}, we get
864: \begin{align*}
865: \Pr[B=1]
866: & = \sum_{x,y} P_{XY}(x,y) P_{B \mid X,Y}(1 \mid x,y) \\
867: & = \sum_{x,y} P_{XY}(x,y) \left ( 1 - \frac {\min(P_{XY}(0,y),P_{XY}(1,y))}{P_{XY}(x,y)}\right ) \\
868: & = \sum_{x,y} \left (P_{XY}(x,y) - \min(P_{XY}(0,y),P_{XY}(1,y))\right ) \\
869: & = \sum_{y} \big | P_{XY}(0,y) - P_{XY}(1,y) \big | \\
870: & = \sum_y P_Y(y) \sum_x \Big |P_{X \mid Y=y}(x) - \frac 1 2 \Big | \\
871: & = 2 \cdot \Delta( P_{XY},P_U P_Y)
872: = \predadv(X \mid Y)\;.
873: \end{align*}
874: For $x \in \{0,1\}$, we have
875: \begin{align*}
876: P_{X \mid BY}(x \mid 0,y)
877: & = \frac{P_{X \mid Y}(x \mid y) \cdot P_{B \mid XY}(0 \mid x,y)}{P_{B \mid Y}(0 \mid y)} \\[0.3cm]
878: & = \frac{P_{X \mid Y}(x \mid y) \cdot \min(P_{XY}(0,y),P_{XY}(1,y))}{P_{B \mid Y}(0 \mid y) \cdot
879: P_{Y}(y) \cdot P_{X \mid Y}(x \mid y)} \\[0.3cm]
880: & = \frac{\min(P_{XY}(0,y),P_{XY}(1,y))}{P_{BY}(0,y)}\;.
881: \end{align*}
882: Since $P_{X \mid BY}(x \mid 0,y)$ does not depend on $x$, it must be equal to $1/2$, and, therefore, we have, for
883: all functions $f$ and for all values $y$,
884: \[\Pr[f(Y)=X \mid B=0, Y=y] = 1/2\;.\]
885: \end{proof}
886:
887: Lemma~\ref{lem:Hol22-converse} shows that the statement of
888: Lemma~\ref{lem:Hol22} also works in the other
889: direction. If there exists an event with probability $1-\delta$ under which $X$ cannot
890: be guessed from $Y$ with any advantage, then $\predadv(X \mid Y) \leq \delta$.
891:
892: \begin{lemma} \label{lem:Hol22-converse}
893: Let $P_{XY}$ be any distribution over $\{0,1\} \times \mY$. If there exists a conditional distribution
894: $P_{B\mid XY}$
895: over $\{0,1\} \times \{0,1\} \times \mY$ such that
896: for all functions $f: \mY \rightarrow \{0,1\}$ we have
897: \[ \Pr[f(Y) = X \mid B=0] = 1/2\;,\]
898: then
899: \[\predadv(X \mid Y) \leq \Pr[B=1]\;.\]
900: \end{lemma}
901:
902: \begin{proof}
903: For any function $f$, we have
904: \begin{align*}
905: \Pr[f(Y) = X]
906: & = \Pr[B=0] \cdot \Pr[f(Y) = X \mid B=0] \\
907: & \qquad + \Pr[B=1] \cdot \Pr[f(Y) = X \mid B=1] \\[0.1cm]
908: & \leq 1/2 \cdot \Pr[B=0] + \Pr[B=1]\;,
909: \end{align*}
910: and, therefore,
911: \begin{align*}
912: \predadv(X \mid Y)
913: & = 2 \cdot \max_{f} \Pr[f(Y) = X] - 1 \\
914: & \leq \Pr[B=0] + 2 \cdot \Pr[B=1] - 1
915: = \Pr[B=1]\;.
916: \end{align*}
917: \end{proof}
918:
919: The following lemmas show some rules for $\predadv(X \mid Y)$.
920:
921: \begin{lemma} \label{lem:predXOR}
Let $P_{X_0Y_0},\dots,P_{X_{n-1}Y_{n-1}}$ be distributions over $\{0,1\} \times \mY_i$, and let the pairs $(X_i,Y_i)$ be independent of each other, i.e., $P_{X^nY^n} = \prod_{i=0}^{n-1} P_{X_iY_i}$. Then
923: \[\predadv(X_0 \oplus \cdots \oplus X_{n-1} \mid Y^n) \leq \prod_{i=0}^{n-1} \predadv(X_i \mid Y_i)\;.\]
924: \end{lemma}
925:
926: \begin{proof}
For $i \in \{0,\dots,n-1 \}$, let $B_i$ be the random variable defined by Lemma~\ref{lem:Hol22} for $P_{X_iY_i}$, sampled independently for every $i$ (this is possible since the pairs $(X_i,Y_i)$ are independent).
Let $B = \min_i(B_i)$. If $B = 0$ then for some $j \in \{0,\dots,n-1\}$ we have $B_j = 0$. Therefore,
929: $X_j$ is uniformly at random given $Y_j$, and any $f: \mY^n \rightarrow \{0,1\}$ will output
930: $X_0 \oplus \cdots \oplus X_{n-1}$ with probability $1/2$.
931: The statement now follows from Lemma~\ref{lem:Hol22-converse}, and from the fact that
932: \[\Pr[B=1] = \prod_{i=0}^{n-1} \Pr[B_i=1]\;.\]
933: \end{proof}
934:
935: \begin{lemma} \label{lem:predComm}
Let $P_{X_0Y_0},\dots,P_{X_{n-1}Y_{n-1}}$ be distributions over $\{0,1\} \times \mY_i$, let the pairs $(X_i,Y_i)$ be independent of each other, i.e., $P_{X^nY^n} = \prod_{i=0}^{n-1} P_{X_iY_i}$,
and let $D_i := X_{i} \oplus X_{n-1}$ for $0 \leq i < n-1$.
938: Then
939: \[\predadv(X_{n-1} \mid Y^n,D^{n-1}) \leq 1 - \prod_{i=0}^{n-1} \left( 1 - \predadv(X_i \mid Y_i) \right)\;.\]
940: \end{lemma}
941:
942: \begin{proof}
943: For $i \in \{0,\dots,n-1 \}$, let $B_i$ be the random variable defined by Lemma~\ref{lem:Hol22},
944: and let $B = \max_i(B_i)$.
945: If $B=0$ then for all $0 \leq i < n$ we have $B_i = 0$, and therefore $X_i$ will be
946: uniformly at random given $Y_i$. It follows that $X_{n-1}$ is independent from $(Y^n,D^{n-1})$
947: and any $f: \mY^n \times \mD \rightarrow \{0,1\}$ will output
948: $X_{n-1}$ with probability $1/2$.
949: The statement now follows from Lemma~\ref{lem:Hol22-converse}, and from the fact that
950: \[\Pr[B=1] = 1 - \prod_{i=0}^{n-1} (1- \Pr[B_i=1])\;.\]
951: \end{proof}
952:
953: \begin{lemma} \label{lem:predXOR2}
954: For all $X,Y \in \{0,1\}$ and $Z \in \mZ$, we have
955: \[\predadv(X \oplus Y \mid YZ) = \predadv(X \mid YZ)\;.\]
956: \end{lemma}
957:
958: \begin{proof}
959: If a function $f(y,z)$ can predict $X$
960: with advantage $a$, then the function $f'(y,z) := f(y,z) \oplus y$ can predict
961: $X \oplus Y$ with advantage $a$, and if $g(y,z)$ can predict $X \oplus Y$ with advantage $a$, then the function $g'(y,z) := g(y,z) \oplus y$ can predict $X$ with advantage $a$.
962: \end{proof}
963:
964: \chapter{Secure Two-Party Computation} \label{chap:secTPC}
965:
966: In this chapter we give an introduction to a simplified version of
967: \emph{universally composable two-party computation}. We define security in the malicious
968: and the semi-honest models, and show that these definitions allow protocols to be composed.
969: Finally, we show that
970: security in the malicious model does not imply security in the semi-honest model, and give a
971: weaker security definition for the semi-honest model for which this implication holds.
972:
973: \section{Two-Party Computation}
974:
975: We start with some basic definitions.
976: Our definitions are based on the formalism by Maurer \cite{Maurer06}, as well
977: as the formalisms of Backes, Pfitzmann and Waidner
978: \cite{PfiWai00,BaPfWa03} and Canetti \cite{Canetti00}, but simplified and adapted for our needs.
979: Since we will only consider two players interacting with each other, we can simplify the notation.
980: For example, we will not use any identification tags.
981:
982: We will model everything in terms of \emph{systems} which may interact with other systems or the environment
983: via \emph{interfaces}. We say that system $\bF$ \emph{implements} a set $\mI$ of interfaces.
984: There are two players present, which we will call $\PlayerA$ and $\PlayerB$.
985: The set of interfaces $\mI$ can be divided into two sets: the set $\mI_\PlayerA$
986: of the interfaces belonging to player $\PlayerA$, and the set $\mI_\PlayerB$ of the interfaces belonging to
987: player $\PlayerB$.
988:
989: \begin{center} \PDForPSinput{system} \end{center}
990:
A system has an internal, possibly infinite supply of randomness. Every output of the system is a function of the received messages so far and the internal
randomness. The system is efficient if these functions can be evaluated efficiently,
i.e., using a polynomial-time Turing machine.
994: The whole interaction between systems is \emph{asynchronous}, i.e.,
995: there is no global time.
996:
997: Two systems $\bF$ and $\bG$ can be \emph{composed in parallel} to a new system, denoted by $\bF \| \bG$. The two sub-systems $\bF$ and $\bG$ do not interact with each other, and the resulting system
998: has all the interfaces of the two subsystems.
999:
1000: \begin{center} \PDForPSinput{parallel} \end{center}
1001:
1002: We denote the parallel composition of $n$ times the same system $\bF$ by $\bF^{\|n}$.
1003:
1004: A system $\bG$ may use another system $\bF$ as a subsystem, which we denote by
1005: $\bG(\bF)$. $\bG$ may have some interfaces that are connected to
1006: some interfaces of $\bF$. We use this notation because $\bG$ can be viewed as a function that
1007: transforms a system $\bF$ into a system $\bG(\bF)$. $\bF \| \bG$ is a special case of this composition.
1008:
1009: \begin{center} \PDForPSinput{subsystem} \end{center}
1010:
1011: \section{Distinguishing Systems}
1012:
1013: Definition~\ref{def:adv-4-RV} in Section~\ref{sec:statDist}, which defines the distinguishing advantage for random variables, can be generalized to systems in a straightforward way.
1014: A distinguisher is now an algorithm $D$ that interacts with a system $\bF$
1015: and outputs $0$ or $1$.
1016:
1017: \begin{center} \PDForPSinput{distinguisher} \end{center}
1018:
1019: \begin{definition} \label{def:adv}
1020: For two systems $\bF$ and $\bF'$, the \emph{distinguishing advantage} of a distinguisher $D$ in distinguishing $\bF$ from $\bF'$ is
1021: \[ \adv^{D}(\bF,\bF') := \big |\Pr[D(\bF)=1] - \Pr[D(\bF')=1] \big |\;.\]
1022: The distinguishing advantage of a class $\mD$ of distinguishers in distinguishing $\bF$ from $\bF'$ is
1023: \[ \adv^{\mD}(\bF,\bF') := \max_{D \in \mD} \adv^{D}(\bF,\bF')\;.\]
1024: \end{definition}
1025:
1026: The distinguishing advantage of systems still has the same important properties as the distinguishing advantage for random variables. Obviously, we have $\adv^\mD(\bF,\bF) = 0$ and $\adv^\mD(\bF',\bF) = \adv^\mD(\bF,\bF')$, for all $\bF$ and $\bF'$. Furthermore, it also satisfies the triangle inequality:
1027: \[ \adv^\mD(\bF,\bF'') \leq \adv^\mD(\bF,\bF') + \adv^\mD(\bF',\bF'')\;,\]
1028: for all $\mD$, $\bF$, $\bF'$, and $\bF''$.
1029:
1030: Except in Chapter~\ref{chap:compWOT}, $\mD$ will be the set of all possible (also inefficient) distinguishers. In this case, we will omit the $\mD$ and only write $\adv(\bF,\bF')$. We also write $\bF \equiv_{\eps} \bF'$ for $\adv(\bF,\bF') \leq \eps$, and $\bF \equiv \bF'$ for $\adv(\bF,\bF') = 0$.
1031:
1032: Similar to Lemma~\ref{lem:statDist-dataprocessing}, we have for all systems $\bG$, $\bF$, and $\bF'$
1033: \[ \adv(\bG(\bF),\bG(\bF')) \leq \adv(\bF,\bF') \;,\]
1034: since any distinguisher $D$ that distinguishes $\bG(\bF)$ from $\bG(\bF')$ with an
1035: advantage of $\eps$ can be used to distinguish $\bF$ from $\bF'$, by first applying
1036: $\bG$. If $\mD$ is the class of all \emph{efficient} distinguishers, then
1037: \[ \adv^{\mD}(\bG(\bF),\bG(\bF')) \leq \adv^{\mD}(\bF,\bF') \;,\]
1038: if $\bG$ is efficient.
1039:
1040: Note that for the case where $\bF$ and $\bF'$ have no inputs and output random variables $X$ and $X'$, respectively, this definition is equivalent to Definition~\ref{def:adv-4-RV}, and we have
1041: \[ \adv(\bF,\bF') = \Delta(X,X')\;.\]
1042:
1043: \section{Adversaries and Secure Protocols}
1044:
1045: In this section we define protocols and their security.
1046: In the following, we will often use special systems that only have interfaces for one player $p \in \{\PlayerA,\PlayerB\}$.
1047: We denote such systems by $\bF_p$. For any systems $\bF_\PlayerA$, $\bF_\PlayerB$, and $\bG$,
1048: we have
1049: \[ \bF_\PlayerA(\bF_\PlayerB(\bG)) = \bF_\PlayerB(\bF_\PlayerA(\bG))\;.\]
1050:
1051: A system of the form $\bP(\bF) = (\bP_\PlayerA \| \bP_\PlayerB)(\bF) = \bP_\PlayerA(\bP_\PlayerB(\bF))$ is called a \emph{(two-party) protocol}.
1052:
1053: \begin{center} \PDForPSinput{protocol} \end{center}
1054:
1055: Players may be \emph{honest}, which means that they follow the protocol, or they may be \emph{corrupted} in two different ways. If a player is \emph{actively corrupted}, he may behave in an arbitrary way. If a player
1056: is \emph{passively corrupted}, then he follows the protocol, but forwards everything he sends or receives
1057: immediately over an additional interface that we will call \emph{auxiliary interface}. Such players are also called \emph{honest, but curious}.
1058:
The set of all corrupted players is called the \emph{adversary}.
1060: Let \[\mA \subset \{\PlayerA,\PlayerB, \widehat \PlayerA, \widehat \PlayerB \}\] be the set of corrupted players, where $\PlayerA$ and $\PlayerB$ are actively and $\widehat \PlayerA$ and $\widehat \PlayerB$ passively corrupted players. We will assume that this set is \emph{static}, i.e., it is already
1061: determined before the protocol starts.
1062: We will not mix actively and passively corrupted players, and consider two different models.
1063: In the \emph{malicious model}, the players may be actively corrupted, and in the \emph{semi-honest model}
1064: the players may be passively corrupted.
1065: Furthermore, we can ignore the case where $\mA = \{\PlayerA,\PlayerB\}$ or $\mA = \{\widehat \PlayerA,\widehat \PlayerB\}$,
1066: as we never have any requirement for these cases.
1067: Therefore, we only have to consider the case $|\mA| \leq 1$.
1068:
1069:
1070: Because an adversary may be able to use a system in a different way than the honest players, we will
1071: use the following generalized notion of a system. A \emph{collection of systems}
1072: \[ \bF = (\bF_{\emptyset}, \bF_{\{\PlayerA\}}, \bF_{\{\PlayerB\}})\;, \qquad
1073: \bF = (\bF_{ \emptyset}, \bF_{ \{\widehat \PlayerA\}}, \bF_{\{\widehat \PlayerB\}}) \]
1074: (in the malicious or the semi-honest model) defines a different system $\bF_\mA$ for every possible set of corrupted players $\mA$, where the honest players always
1075: have the same interfaces as in $\bF_{\emptyset}$. This means that in $\bF_{\{\PlayerA\}}$ and $\bF_{\{\widehat \PlayerA\}}$, $\PlayerB$ must have the same interfaces as in $\bF_{\emptyset}$, and in $\bF_{\{\PlayerB\}}$ and $\bF_{\{\widehat \PlayerB\}}$, $\PlayerA$ must have the same interfaces as in
1076: $\bF_{\emptyset}$. Furthermore, the system $\bF_\mA$
1077: should be at least as good for the adversary as the system $\bF_{\emptyset}$, i.e., the adversary
1078: should always be able to behave honestly.
1079: $\bF_\mA$ can be interpreted as a model of a system where the adversary $\mA$ can corrupt a part of the system $\bF$.
1080:
1081: In the following, we will abuse the term ``system'', and also use it for collections of systems.
1082:
1083: \subsection{The Malicious Model}
1084:
In the \emph{malicious model}, the adversary is allowed to cheat actively, in an arbitrary way. Therefore,
we do not have any restrictions on what the interface to the adversary may look like,
as long as it allows him to behave honestly, if he wants.
1088:
1089: \begin{center} \PDForPSinput{collection} \end{center}
1090:
1091: We will now define the security of protocols.
1092: We say that a protocol $\bP$ having access to the system $\bF$ securely implements a system $\bG$, if, first of all, $\bG_{\emptyset} \equiv \bP(\bF_{\emptyset})$, i.e., the protocol implements the system $\bG$ correctly, given that both players are honest. Additionally, for $\mA = \{p\}$, we require that the adversary attacking
1093: the protocol has no advantage over another adversary that attacks
1094: $\bG$ directly. We therefore require that there exists a \emph{simulator} $\bS_p$ that simulates
1095: exactly what the adversary would get in the execution of the protocol $\bP(\bF)$. Since the adversary may not follow the protocol, his view of the protocol is in fact the ``raw'' interface of
1096: $\bF$, without his part of the protocol.
1097:
1098: \begin{definition} \label{def:sec}
1099: A protocol $\bP(\bF) = (\bP_\PlayerA \| \bP_\PlayerB)(\bF)$ \emph{securely implements a system $\bG$ in the malicious model with an error of at most $\eps$}, if
1100: \begin{itemize}
1101: \item(Correctness) $\bP(\bF_{\emptyset}) \equiv_\eps \bG_{\emptyset}$\;.
1102: \item(Security for $\PlayerA$) There exists a system $\bS_\PlayerB$ (called \emph{the simulator for $\PlayerB$}), such that
1103: \[\bP_\PlayerA(\bF_{\{\PlayerB\}}) \equiv_\eps \bS_\PlayerB(\bG_{\{\PlayerB\}})\;.\]
1104: \item(Security for $\PlayerB$) There exists a system $\bS_\PlayerA$ (called \emph{the simulator for $\PlayerA$}), such that
1105: \[\bP_\PlayerB(\bF_{\{\PlayerA\}}) \equiv_\eps \bS_\PlayerA(\bG_{\{\PlayerA\}})\;.\]
1106: \end{itemize}
1107: \end{definition}
1108:
1109: Note that the protocol $\bP(\bF)$ can also be viewed as
1110: a new system $\bE$, defined by $\bE_{\emptyset} := \bP(\bF_{\emptyset})$,
1111: $\bE_{\{\PlayerB\}} := \bP_\PlayerA(\bF_{\{\PlayerB\}})$, and
1112: $\bE_{\{\PlayerA\}} := \bP_\PlayerB(\bF_{\{\PlayerA\}})$. Definition~\ref{def:sec} could then be stated by
1113: comparing the systems $\bE$ and $\bG$.
1114:
1115: \begin{figure}
1116: \begin{center} \PDForPSinput{security} \end{center}
1117: \caption{The three conditions for the security in the malicious model of a protocol $\bP = (\bP_\PlayerA \| \bP_\PlayerB)$ that uses
1118: $\bF = (\bF_{\emptyset}, \bF_{\{\PlayerA\}}, \bF_{\{\PlayerB\}})$
1119: and implements $\bG = (\bG_{\emptyset}, \bG_{\{\PlayerA\}}, \bG_{\{\PlayerB\}})$.}
1120: \end{figure}
1121:
1122: We generally do not require the simulation to be efficient. Therefore, an attack that is efficient
1123: in $\bP(\bF)$ may be mapped to a very inefficient attack in $\bG$. This means that if
1124: the system $\bG$ is replaced by the protocol $\bP(\bF)$, the adversary
1125: may gain extra possibilities because he may be able to execute some attacks more efficiently
1126: in the new setting. More precisely, he gains the extra possibility of executing
1127: the simulator for free. Depending on the setting, this may be a problem. For example,
1128: if the simulator allows him to invert a one-way function, a system that relies on
1129: the assumption that inverting this one-way function is hard may not be secure anymore. On the other hand, if $\bP(\bF)$ is used in a protocol that is information-theoretically secure, the additional, virtual computing power of the adversary
1130: will be of little use to him.
1131: Therefore, an efficient simulation is preferable, even in the model where the adversary is (potentially) unbounded, because it allows the protocol to be used also in the computational setting.
1132: A very important property of this security definition is that it allows protocols to be \emph{composed}.
1133:
1134: \begin{theorem}[Composition theorem, malicious model]
1135: If $\bP(\bF)$ securely implements $\bG$ in the malicious model with an error of at most $\eps_1$, and $\bQ(\bH)$ securely implements $\bF$ in the malicious model with an error of at most $\eps_2$, then
1136: $\bP(\bQ(\bH))$ securely implements $\bG$ in the malicious model with an error of at most $\eps_1 + \eps_2$.
1137: \end{theorem}
1138:
1139: \begin{proof}
1140: From $\bQ(\bH_\emptyset) \equiv_{\eps_2} \bF_\emptyset$ follows that
1141: $\bP(\bQ(\bH_\emptyset)) \equiv_{\eps_2} \bP(\bF_\emptyset)$. Since $\bP(\bF_\emptyset) \equiv_{\eps_1} \bG_\emptyset$,
1142: it follows from the triangle inequality that
1143: \[\bP(\bQ(\bH_\emptyset)) \equiv_{\eps_1 + \eps_2} \bG_\emptyset\;.\]
1144:
1145: There exists a simulator $\bS_\PlayerB$, such that
1146: $\bQ_\PlayerA(\bH_{\{\PlayerB\}}) \equiv_{\eps_2} \bS_\PlayerB(\bF_{\{\PlayerB\}})$. It follows that
1147: \[\bP_\PlayerA(\bQ_\PlayerA(\bH_{\{\PlayerB\}})) \equiv_{\eps_2}
1148: \bP_\PlayerA(\bS_\PlayerB(\bF_{\{\PlayerB\}})) = \bS_\PlayerB(\bP_\PlayerA(\bF_{\{\PlayerB\}}))\;.\]
1149: Since there exists a simulator $\bT_\PlayerB$ such that
1150: $\bP_\PlayerA(\bF_{\{\PlayerB\}}) \equiv_{\eps_1} \bT_\PlayerB(\bG_{\{\PlayerB\}})$, we have
1151: \[\bS_\PlayerB(\bP_\PlayerA(\bF_{\{\PlayerB\}})) \equiv_{\eps_1} \bS_\PlayerB( \bT_\PlayerB(\bG_{\{\PlayerB\}}))\;.\]
1152: It follows from the triangle inequality that
1153: \[\bP_\PlayerA(\bQ_\PlayerA(\bH_{\{\PlayerB\}})) \equiv_{\eps_1 + \eps_2} \bS_\PlayerB( \bT_\PlayerB(\bG_{\{\PlayerB\}}))\;,\]
1154: and hence the protocol is secure for $\PlayerA$, with an error of at most $\eps_1 + \eps_2$. The security for $\PlayerB$ can be shown in the same way.
1155: \end{proof}
1156:
1157: \subsection{The Semi-Honest Model} \label{sec:semi-honest}
1158:
1159: In the \emph{semi-honest model}, the adversary is \emph{passive}. Instead of executing $\bP_p$,
1160: a passively corrupted player $p$ executes $\underline \bP_p$, which is equal to $\bP_p$, but forwards
1161: everything it sends or receives immediately over an auxiliary interface. Note that
1162: the output of the auxiliary interface contains the entire \emph{view} of the corrupted player, and therefore also the output of the honest interface.
1163:
1164: \begin{center} \PDForPSinput{passiveAdversary} \end{center}
1165:
1166: We require that every system in a collection must also have the same interfaces for the adversary as
1167: for the honest player, because the adversary executes the protocol honestly and can only connect to these interfaces. However, the system has auxiliary output interfaces for the adversary, which provide him with some extra information.
1168:
1169: \begin{center} \PDForPSinput{passiveCollection} \end{center}
1170:
1171: Let $\mA = \{\widehat p \}$. A protocol $\bP(\bF)$ securely implements a system $\bG$ in the
1172: semi-honest model if there exists a simulator $\bS_p$ that accesses the interaction of the system $\bG_{\{\widehat p\}}$ with player $p$ and produces the same output as $\underline \bP_p$. Furthermore, the simulator $\bS_p$ is not allowed to modify the inputs and outputs on the interfaces of the honest player, because we require that the simulated adversary attacking $\bG$ is also only passively corrupted, and not actively corrupted. Otherwise, the protocol could not be composed. We get the following definition.
1173:
1174: \begin{definition} \label{def:passiveSec}
1175: A protocol $\bP(\bF) = (\bP_\PlayerA \| \bP_\PlayerB)(\bF)$ \emph{securely implements $\bG$ in the
1176: semi-honest model with an error of at most $\eps$}, if
1177: \begin{itemize}
1178: \item(Correctness) $\bP(\bF_{\emptyset}) \equiv_\eps \bG_{\emptyset}$\;.
1179: \item(Security for \PlayerA) There exists a system $\bS_\PlayerB$ (called \emph{the simulator for $\PlayerB$}), that only modifies the auxiliary interfaces, such that
1180: \[(\bP_\PlayerA \| \underline \bP_\PlayerB)(\bF_{\{\widehat \PlayerB\}}) \equiv_\eps \bS_\PlayerB(\bG_{\{\widehat \PlayerB\}})\;.\]
1181: \item(Security for \PlayerB) There exists a system $\bS_\PlayerA$ (called \emph{the simulator for $\PlayerA$}), that only modifies the auxiliary interfaces, such that
1182: \[(\underline \bP_\PlayerA \| \bP_\PlayerB)(\bF_{\{\widehat \PlayerA\}}) \equiv_\eps \bS_\PlayerA(\bG_{\{\widehat \PlayerA\}})\;.\]
1183: \end{itemize}
1184: \end{definition}
1185:
1186: \begin{figure}
1187: \begin{center} \PDForPSinput{passiveSecurity} \end{center}
1188: \caption{The three conditions for the security in the semi-honest model of a two-party protocol $\bP = (\bP_\PlayerA \| \bP_\PlayerB)$ that uses
1189: $\bF = (\bF_{\emptyset}, \bF_{\{\widehat \PlayerA\}}, \bF_{\{\widehat \PlayerB\}})$
1190: and implements $\bG = (\bG_{\emptyset}, \bG_{\{\widehat \PlayerA\}}, \bG_{\{\widehat \PlayerB\}})$.}
1191: \end{figure}
1192:
1193: As in the malicious model, we can show that protocols in the semi-honest model compose.
1194:
1195: \begin{theorem}[Composition theorem, semi-honest model] \label{thm:comSemiHonest}
1196: If $\bP(\bF)$ securely implements $\bG$ in the semi-honest model with an error of at most $\eps_1$, and $\bQ(\bH)$ securely implements $\bF$ in the semi-honest model with an error of at most $\eps_2$, then
1197: $\bP(\bQ(\bH))$ securely implements $\bG$ in the semi-honest model with an error of at most $\eps_1 + \eps_2$.
1198: \end{theorem}
1199:
1200: \begin{proof}[Proof sketch]
1201: From $\bQ(\bH_\emptyset) \equiv_{\eps_2} \bF_\emptyset$ follows that
1202: $\bP(\bQ(\bH_\emptyset)) \equiv_{\eps_2} \bP(\bF_\emptyset)$. Since $\bP(\bF_\emptyset) \equiv_{\eps_1} \bG_\emptyset$,
1203: it follows from the triangle inequality that
1204: \[\bP(\bQ(\bH_\emptyset)) \equiv_{\eps_1 + \eps_2} \bG_\emptyset\;.\]
1205:
1206: There exists a simulator $\bS_\PlayerB$, such that
1207: $(\bQ_\PlayerA \| \underline \bQ_\PlayerB)(\bH_{\{\widehat \PlayerB\}}) \equiv_{\eps_2} \bS_\PlayerB(\bF_{\{\widehat \PlayerB\}})$. It follows that
1208: \[(\bP_\PlayerA \| \underline \bP_\PlayerB)((\bQ_\PlayerA \| \underline \bQ_\PlayerB)(\bH_{\{\widehat \PlayerB\}})) \equiv_{\eps_2}
1209: (\bP_\PlayerA \| \underline \bP_\PlayerB)(\bS_\PlayerB(\bF_{\{\widehat \PlayerB\}}))\;.\]
1210: Note that $\underline \bP_\PlayerB$ passes all its communication to $\PlayerB$, and $\bS_\PlayerB$ only modifies the additional output, but leaves
1211: the messages of the honest player unchanged. Furthermore, all messages that
1212: $\bS_\PlayerB$ sees will be passed along by the protocol $\underline \bP_\PlayerB$. Hence, we can
1213: move $\bS_\PlayerB$ to the outside, i.e.,
1214: \[(\bP_\PlayerA \| \underline \bP_\PlayerB)(\bS_\PlayerB(\bF_{\{\widehat \PlayerB\}})) =
1215: \bS_\PlayerB((\bP_\PlayerA \| \underline \bP_\PlayerB)(\bF_{\{\widehat \PlayerB\}}))\;.\]
1216: Since there exists a simulator $\bT_\PlayerB$ such that
1217: $(\bP_\PlayerA \| \underline \bP_\PlayerB)(\bF_{\{\widehat \PlayerB\}})
1218: \equiv_{\eps_1} \bT_\PlayerB(\bG_{\{\widehat \PlayerB\}})$, we have
1219: \[ \bS_\PlayerB((\bP_\PlayerA \| \underline \bP_\PlayerB)(\bF_{\{\widehat \PlayerB\}}))
1220: \equiv_{\eps_1}
1221: \bS_\PlayerB(\bT_\PlayerB(\bG_{\{\widehat \PlayerB\}}))\;.
1222: \]
1223: It follows from the triangle inequality that
1224: \[ (\bP_\PlayerA \| \underline \bP_\PlayerB)((\bQ_\PlayerA \| \underline \bQ_\PlayerB)(\bH_{\{\widehat \PlayerB\}}))
1225: \equiv_{\eps_1 + \eps_2} \bS_\PlayerB(\bT_\PlayerB(\bG_{\{\widehat \PlayerB\}}))
1226: = (\bS_\PlayerB(\bT_\PlayerB))(\bG_{\{\widehat \PlayerB\}}) \;.\]
1227: Since $\bS_\PlayerB(\bT_\PlayerB)$ only modifies the auxiliary output, it is a valid simulator,
1228: and hence the protocol is secure for $\PlayerA$ with an error of at most $\eps_1 + \eps_2$. The security for $\PlayerB$ can be shown in the same way.
1229: \end{proof}
1230:
1231: \paragraph{From passive to active security.}
1232: Since security against passively corrupted players is quite weak in practice,
1233: it is preferable to have a protocol that is secure against active adversaries.
1234: \cite{GoMiWi87} showed that it is possible to convert any protocol that is secure
1235: in the semi-honest model into a protocol that is secure in the malicious model,
1236: by forcing all players to follow the protocol. To achieve this, every player
1237: must commit himself to all the values he has, and in every step of the protocol,
1238: he must prove in zero-knowledge that he has executed the computation correctly.
1239: We will not further comment on this method, and refer to
1240: \cite{GoMiWi87,Crepea89,CrvGTa95,DaKiSa99,CLOS02,DFMS04} for details.
1241:
1242: \subsection{The Weak Semi-Honest Model} \label{subsec:weakSemi}
1243:
1244: We would expect that every protocol that is secure in the malicious model is also secure in the semi-honest model,
1245: since the adversary is restricted in the latter case. Unfortunately, this is not always true. The security condition
1246: in the malicious model only tells us that for any (also semi-honest) adversary, there exists a \emph{malicious} adversary for the ideal system. On the other hand, the security condition in the semi-honest model
1247: requires the adversary for the ideal system to be \emph{semi-honest}. The following example, which we call the \emph{asymmetric dating problem}, illustrates the difference.
1248:
1249: \begin{example}[The asymmetric dating problem]
1250: Let the system $\bF$ be defined as follows. It receives a value $x \in \{0,1\}$ from $\PlayerA$,
1251: and a value $y \in \{0,1\}$ from $\PlayerB$. Then, it outputs $z := x \cdot y$ to $\PlayerB$.
1252: \begin{center} \PDForPSinput{weakSemiEx} \end{center}
1253: Let $\Auth$ be a communication channel, and let the protocol $\bP(\Auth)$ be defined as follows. $\bP_\PlayerA$ receives input $x \in \{0,1\}$ and sends $x$ over $\Auth$ to $\PlayerB$.
1254: $\bP_\PlayerB$ receives input $y \in \{0,1\}$ from $\PlayerB$ and $x$ over $\Auth$ and outputs $z := x \cdot y$.
1255: Let us look at the security for $\PlayerA$. It is easy to see that $\bP(\Auth)$ securely implements $\bF$
1256: in the malicious model, since the simulator $\bS_\PlayerB$ can
1257: always input $y=1$ to $\bF$ and obtain the same information as in $\bP(\Auth)$. However, the
1258: protocol $\bP(\Auth)$ is \emph{not secure in the semi-honest model}. Since the simulator $\bS_\PlayerB$ is not allowed to
1259: change the value $y$, $\bS_\PlayerB$ cannot simulate $x$ if $y=0$.
1260: \end{example}
1261:
1262: We will now present a weaker security definition for the semi-honest model that is also strictly weaker than
1263: the security definition of the malicious model. The only difference to Definition~\ref{def:passiveSec} is that we allow arbitrary simulators, i.e., the simulator may modify the inputs as it likes.
1264:
1265: \begin{definition} \label{def:passiveSec2}
1266: A protocol $\bP(\bF) = (\bP_\PlayerA \| \bP_\PlayerB)(\bF)$ \emph{securely implements $\bG$ in the weak semi-honest model with an error of at most $\eps$}, if
1267: \begin{itemize}
1268: \item(Correctness) $\bP(\bF_{\emptyset}) \equiv_\eps \bG_{\emptyset}$\;.
1269: \item(Security for \PlayerA) There exists a system $\bS_\PlayerB$ (called \emph{the simulator for $\PlayerB$}), such that
1270: \[(\bP_\PlayerA \| \underline \bP_\PlayerB)(\bF_{\{\widehat \PlayerB\}}) \equiv_\eps \bS_\PlayerB(\bG_{\{ \PlayerB\}})\;.\]
1271: \item(Security for \PlayerB) There exists a system $\bS_\PlayerA$ (called \emph{the simulator for $\PlayerA$}), such that
1272: \[(\underline \bP_\PlayerA \| \bP_\PlayerB)(\bF_{\{\widehat \PlayerA\}}) \equiv_\eps \bS_\PlayerA(\bG_{\{ \PlayerA\}})\;.\]
1273: \end{itemize}
1274: \end{definition}
1275:
1276: \begin{lemma} \label{lem:malIsWeakSemiHonest}
1277: If a protocol $\bP(\bF) = (\bP_\PlayerA \| \bP_\PlayerB)(\bF)$ securely implements $\bG$ in the semi-honest model or in the malicious model with an error of at most $\eps$, then it also securely implements $\bG$ in the weak semi-honest model with an error of at most $\eps$.
1278: \end{lemma}
1279:
1280: \begin{proof}
1281: It is obvious that security in the semi-honest model implies security
1282: in the weak semi-honest model.
1283:
1284: Let us assume that $\bP(\bF) = (\bP_\PlayerA \| \bP_\PlayerB)(\bF)$ securely implements $\bG$ in the malicious model. The correctness condition in the weak semi-honest model is the same as in the malicious model.
1285:
1286: From the security for $\PlayerA$ follows that there exists a simulator $\bS_\PlayerB$, such that
1287: \[\bP_\PlayerA(\bF_{\{\PlayerB\}}) \equiv_\eps \bS_\PlayerB(\bG_{\{\PlayerB\}})\;.\]
1288: Therefore, we have
1289: \[(\bP_\PlayerA\|\ul \bP_\PlayerB)(\bF_{\{\PlayerB\}})
1290: =
1291: \ul \bP_\PlayerB(\bP_\PlayerA(\bF_{\{\PlayerB\}}))
1292: \equiv_\eps
1293: \ul \bP_\PlayerB (\bS_\PlayerB(\bG_{\{\PlayerB\}}))
1294: = (\ul \bP_\PlayerB (\bS_\PlayerB))(\bG_{\{\PlayerB\}})\;.\]
1295: The system $\bT_{\PlayerB} := \ul \bP_\PlayerB (\bS_\PlayerB)$ is a simulator, which implies security
1296: for $\PlayerA$ in the weak semi-honest model. The security for $\PlayerB$ can be shown in the same way.
1297: \end{proof}
1298:
1299: Unfortunately, Definition~\ref{def:passiveSec2} is too weak to allow for composition,
1300: and is therefore not a very useful definition for the security of protocols. The only composition
1301: that is possible is the following, where the outer protocol is secure in
1302: the weak semi-honest model, and the inner protocol is secure in the semi-honest model.
1303:
1304: \begin{theorem}[Simple composition theorem, weak semi-honest model] \label{thm:compWeakSemiHonest}
1305: If $\bP(\bF)$ securely implements $\bG$ in the weak semi-honest model with an error of at most $\eps_1$, and $\bQ(\bH)$ securely implements $\bF$ in the semi-honest model with an error of at most $\eps_2$, then
1306: $\bP(\bQ(\bH))$ securely implements $\bG$ in the weak semi-honest model with an error of at most $\eps_1 + \eps_2$.
1307: \end{theorem}
1308:
1309: \begin{proof}[Proof sketch]
1310: The proof can be done in the same way as the proof of Theorem~\ref{thm:comSemiHonest}.
1311: The only difference is that now, the simulator $\bT_\PlayerB$ is not restricted in any way.
1312: The argument works in the same way, except that the resulting simulator $\bS_\PlayerB(\bT_\PlayerB)$
1313: will not be restricted either. Hence, the protocol is secure in the weak semi-honest model.
1314: \end{proof}
1315:
1316: The weak semi-honest model is useful for proving impossibility results, since it is weaker than the definitions in both the malicious and the semi-honest models. If we
1317: can show that there cannot exist a protocol in the weak semi-honest model, then there can neither exist
1318: a protocol secure in the malicious, nor in the semi-honest model.
1319:
1320: \section{Discussion}
1321:
1322: In this chapter we presented a simplified universally composable framework for two-party computation.
1323: We did not use the frameworks presented in \cite{PfiWai00,BaPfWa03} or \cite{Canetti00}
1324: because they are far too complex and too general for our purposes. Our simplified framework
1325: will make the results in the following chapters easier to state,
1326: and hopefully also easier to understand. However, this also means that in order to fit our results into
1327: more general frameworks such as \cite{PfiWai00,BaPfWa03} or \cite{Canetti00}, additional work will be needed.
1328:
1329: If our protocols are to be executed in an environment where more players are present, we have to make sure that all the other players do not get any information about the inputs or the outputs of $\PlayerA$ and $\PlayerB$.
1330: This can be achieved by requiring that all our
1331: two-party systems are completely independent of the other players. This means for example that all
1332: channels must be secure and authentic.
1333:
1334: \chapter{Oblivious Transfer} \label{chap:ot}
1335:
1336: In this chapter we introduce the primitives oblivious transfer (OT) and randomized oblivious transfer (ROT), which is
1337: a variant of OT where the inputs of the honest players are chosen at random.
1338:
1339: We start by showing that OT and ROT are equivalent if noiseless communication
1340: is available for free.
1341: Then, we show that ROT is symmetric by presenting a protocol that converts an instance of ROT into an instance of ROT in the opposite direction.
1342: This implies that also the
1343: direction of OT can be reversed in a very simple way (Theorem~\ref{thm:otto}).
1344:
1345: In Theorems~\ref{thm:SecCondforROT} and \ref{thm:passiveSecCondforSROT2} we give information-theoretic conditions for the security of ROT.
1346: These conditions are similar to the ones presented in \cite{CSSW06},
1347: however, we are able to show a stronger result, as our
1348: conditions imply that a protocol which satisfies them
1349: is \emph{universally composable}, and not only sequentially. Also, our conditions
1350: have explicit error terms, which makes them easier to use.
1351:
1352: All the results will be stated in the malicious and the semi-honest model.
1353:
1354: \section{(Randomized) Oblivious Transfer}
1355:
1356: In this section we will introduce \emph{oblivious transfer (OT)}, and a randomized version of OT called
1357: \emph{randomized OT (ROT)}.
1358:
1359: \begin{definition}[Oblivious transfer]
1360: The system $\OT{1}{n}{\ell}$ (or, if the values of $n$ and $\ell$ are clear from the context, $\OTT$) is defined as follows. First, it waits for $\PlayerB$ to send his input $c \in \{0,\dots,n-1\}$, and sends $\PlayerA$
1361: $\bot$.\footnote{This is a message without any content, which notifies
1362: $\PlayerA$ about the fact that $\PlayerB$ has sent his input $c$.}
1363: After having received input $x^n = (x_0,\dots,x_{n-1}) \in \{0,1\}^{\ell \cdot n}$ from $\PlayerA$, it sends
1364: $y := x_c$ to $\PlayerB$. (Notice that $\OTT = \OTT_{\emptyset} = \OTT_{\{\PlayerA\}} = \OTT_{\{\PlayerB\}}$.)
1365: \end{definition}
1366:
1367: \begin{center} \PDForPSinput{ot} \end{center}
1368:
1369: (Note that from now on, the drawings will also include timing aspects. The time flows
1370: from the top to the bottom. The dotted lines indicate waiting points, where the system waits
1371: to receive all messages above the line before it continues.)
1372:
1373: We use the same version of OT as \cite{CLOS02}, where the sender is notified about the fact
1374: that the receiver has made his choice. Notice that in \cite{Canetti00, Fischl06}, OT has been defined differently.
1375: There, the honest sender does not get this notification.
1376: We do not know how to securely implement OT if the malicious sender does
1377: not get to know the fact that the receiver has made his
1378: choice. Therefore, it is preferable to also give this information to the honest sender. For example,
1379: this allows us to easily implement a bit-commitment protocol from the receiver to the sender.
1380: Also, only this definition allows us
1381: to show that OT and ROT are equivalent if noiseless communication is available for free.
1382:
1383:
1384: Often, it is much easier to implement a randomized version of OT, called \emph{randomized oblivious transfer} (ROT), first. One way of defining ROT would be to make it equivalent to OT, but
1385: where all the inputs are chosen uniformly at random by the system.
1386: This definition would, however, not be very
1387: useful, because it is too strong: any secure implementation would
1388: have to make sure that all values are
1389: indeed chosen uniformly at random, which can be very difficult.
1390: Furthermore, it turns out that in most applications
1391: this is not needed. We will, therefore, define ROT as a collection of
1392: systems, where the adversary can choose
1393: her own output.
1394:
1395: \begin{definition}[Randomized oblivious transfer, malicious model] \label{def:rot}
1396: The system $\ROT{1}{n}{\ell}$ (or, if the values of $n$ and $\ell$ are clear from the context, $\ROTT$) is defined as a collection of
1397: systems
1398: \[\ROTT = (\ROTT_\emptyset, \ROTT_{\{\PlayerA\}}, \ROTT_{\{\PlayerB\}})\;,\]
1399: where
1400: \begin{itemize}
1401: \item $\ROTT_\emptyset$: The system chooses uniformly at random the value
1402: $x^n \in \{0,1\}^{\ell \cdot n}$ and $c \in \{0,\dots,n-1\}$. It sends
1403: $x^n$ to $\PlayerA$ and $(c,y)$
1404: to $\PlayerB$ where $y = x_c$.
1405: \item $\ROTT_{\{\PlayerA\}}$: The system waits for $\PlayerA$ to send the value
1406: $x^n \in \{0,1\}^{\ell \cdot n}$. Then, it chooses the value $c \in \{0,\dots,n-1\}$ uniformly at random and sends $(c,y)$
1407: to $\PlayerB$, where $y = x_c$.
1408: \item $\ROTT_{\{\PlayerB\}}$: The system waits for $\PlayerB$ to send the value
1409: $(c,y) \in \{0,\dots,n-1\} \times \{0,1\}^{\ell}$. Then, it sets $x_c = y$, chooses the values $x_i \in \{0,1\}^{\ell}$ uniformly at random for $i \neq c$,
1410: and sends $x^n \in \{0,1\}^{\ell \cdot n}$ to $\PlayerA$.
1411: \end{itemize}
1412: \end{definition}
1413:
1414: \begin{center} \PDForPSinput{rot} \end{center}
1415:
1416: We will now show that $\OTT$ and $\ROTT$ are equivalent if communication is given for free, by presenting two protocols that securely implement
1417: one system using one instance of the other and a communication channel.
1418:
1419: Protocol $\ROTfromOT = \ROTfromOT_\PlayerA \| \ROTfromOT_\PlayerB$ securely implements $\ROTT$ from one instance of $\OTT$, and is defined as follows.
1420:
1421: \begin{protocol} $\ROTfromOT_\PlayerA$:
1422: \begin{enumerate}
1423: \item Choose $x^n \in \{0,1\}^{\ell \cdot n}$ uniformly at random.
1424: \item Send $x^n$ to $\OTT$.
1425: \item Receive $\bot$ from $\OTT$.
1426: \item Output $x^n$.
1427: \end{enumerate}
1428: $\ROTfromOT_\PlayerB$:
1429: \begin{enumerate}
1430: \item Choose $c \in \{0,\dots,n-1\}$ uniformly at random.
1431: \item Send $c$ to $\OTT$.
1432: \item Receive $y \in \{0,1\}^{\ell}$ from $\OTT$.
1433: \item Output $(c,y)$.
1434: \end{enumerate}
1435: \end{protocol}
1436:
1437: \begin{center} \PDForPSinput{ROTfromOT} \end{center}
1438:
1439: \begin{lemma}
1440: $\ROTfromOT(\OT{1}{n}{\ell})$ securely implements $\ROT{1}{n}{\ell}$ in the malicious model.
1441: \end{lemma}
1442:
1443: \begin{proof}
1444: Obviously, we have $\ROTT_{\emptyset} \equiv \ROTfromOT(\OTT)$.
1445:
1446: $\ROTfromOT_\PlayerA(\OTT)$ waits for input $c$ from $\PlayerB$, and then
1447: outputs $x^n$ to $\PlayerA$, where all $x_i$ are chosen uniformly at random and independently of the rest,
1448: and $y := x_c$ to $\PlayerB$.
1449: We define $\bS_\PlayerB$ as follows.
1450: It waits for input $c$ from $\PlayerB$. Then it chooses $y \in \{0,1\}^\ell$ uniformly
1451: at random, sends $(c,y)$ to $\ROTT_{\{\PlayerB\}}$, and outputs $y$.
1452: \begin{center} \PDForPSinput{ROTfromOT-SB} \end{center}
1453: It is easy to verify that
1454: $\ROTfromOT_\PlayerA(\OTT) \equiv \bS_\PlayerB(\ROTT_{\{\PlayerB\}})$.
1455:
1456: $\ROTfromOT_\PlayerB(\OTT)$ outputs $\bot$ to $\PlayerA$. It waits for input $x^n$ from $\PlayerA$, chooses a value $c \in \{0,\dots,n-1\}$ uniformly at random, and sends $c$ and $y := x_c$ to $\PlayerB$.
1457: We define $\bS_\PlayerA$ as follows.
1458: It outputs $\bot$ to $\PlayerA$. It waits for input $x^n$ from $\PlayerA$ and sends it to $\ROTT_{\{\PlayerA\}}$.
1459: \begin{center} \PDForPSinput{ROTfromOT-SA} \end{center}
1460: It is easy to verify that
1461: $\ROTfromOT_\PlayerB(\OTT) \equiv \bS_\PlayerA(\ROTT_{\{\PlayerA\}})$.
1462: \end{proof}
1463:
1464: To implement $\OTT$ from $\ROTT$, $\PlayerA$ and $\PlayerB$ need to be able to communicate.
1465: We will therefore additionally need the system $\Auth$, which implements a communication channel from $\PlayerA$ to $\PlayerB$ and from $\PlayerB$ to $\PlayerA$.
1466: Note that, in contrast to $\OTT$ or $\ROTT$, $\Auth$ can be used many
1467: times.
1468:
1469: \begin{definition}[Channel]
1470: The system $\Auth$ is defined as follows. Every time it receives a message
1471: $m \in \{0,1\}^*$ from $p \in \{\PlayerA,\PlayerB\}$, it sends it to the other player in $\{\PlayerA,\PlayerB\}$.
1472: \end{definition}
1473:
1474: We can now state the protocol $\OTfromROT$, which was first proposed in
1475: \cite{BBCS92}, to securely implement $\OTT$ using $\ROTT$ and $\Auth$.
1476: The protocol is defined as follows.
1477:
1478: \begin{protocol} $\OTfromROT_\PlayerA$:
1479: \begin{enumerate}
1480: \item Receive $d \in \{0,\dots,n-1\}$ from
1481: $\Auth$ and $(x')^n \in \{0,1\}^{\ell \cdot n}$ from $\ROTT$.
1482: \item Output $\bot$ to $\PlayerA$.
1483: \item Receive $x^n \in \{0,1\}^{\ell \cdot n}$ from $\PlayerA$.
1484: \item Send $m^n \in \{0,1\}^{\ell \cdot n}$
1485: to $\Auth$, where $m_i := x_i \oplus x'_{i + d \pmod n}$.
1486: \end{enumerate}
1487: $\OTfromROT_\PlayerB$:
1488: \begin{enumerate}
1489: \item Receive $c \in \{0,\dots,n-1\}$ from $\PlayerB$ and $(c',y') \in
1490: \{0,\dots,n-1\} \times \{0,1\}^{\ell}$ from $\ROTT$.
1491: \item Send $d := c' - c \pmod n$ to $\Auth$.
1492: \item Receive $m^n \in \{0,1\}^{\ell \cdot n}$ from $\Auth$.
1493: \item Output $y := m_c \oplus y'$ to $\PlayerB$.
1494: \end{enumerate}
1495: \end{protocol}
1496:
1497: \begin{center} \PDForPSinput{OTfromROT} \end{center}
1498:
1499: \begin{lemma} \label{lem:ROTfromOTactive}
1500: $\OTfromROT(\ROT{1}{n}{\ell}\|\Auth)$ securely implements $\OT{1}{n}{\ell}$ in the malicious model.
1501: \end{lemma}
1502:
1503: \begin{proof}
1504: $\OTfromROT(\ROTT_{\emptyset} \| \Auth)$ waits for input $c$ from $\PlayerB$, and sends
1505: $\bot$ to $\PlayerA$. After receiving $x^n$ from $\PlayerA$,
1506: it sends
1507: \begin{align*}
1508: y &= m_c \oplus y'
1509: = x_c \oplus x'_{c + d \!\pmod n} \oplus y'
1510: = x_c \oplus x'_{c + c' - c \!\pmod n} \oplus y' \\
1511: &= x_c \oplus x'_{c'} \oplus y'
1512: = x_c
1513: \end{align*}
1514: to $\PlayerB$. (We used the fact that $y' = x'_{c'}$.) Hence, we have
1515: \[\OTT \equiv \OTfromROT(\ROTT_{\emptyset} \| \Auth)\;.\]
1516:
1517: $\OTfromROT_\PlayerA(\ROTT_{\{\PlayerB\}} \| \Auth)$ waits for $(c',y')$ and $d$ from
1518: $\PlayerB$, and then outputs
1519: $\bot$ to $\PlayerA$. It then waits for its input $x^n$ from $\PlayerA$ and outputs $m^n$ to $\PlayerB$, where $m_{c' - d} = x_{c'-d} \oplus y'$, and all the other values $m_i$ are uniformly distributed and independent of the rest.
1520: We define $\bS_\PlayerB$ as follows. It waits for input $(c',y')$ on the $\ROTT_{\{\PlayerB\}}$ interface, and $d$ on the $\Auth$ interface. Then it sends $c := c' - d$ to $\OTT$.
1521: It receives $y = x_{c'-d}$ from $\OTT$, sets $m_{c' - d} := y \oplus y'$ and chooses all other
1522: $m_i$ uniformly at random. Finally, it outputs $m^n$ on the $\Auth$ interface.
1523: \begin{center} \PDForPSinput{OTfromROT-SB} \end{center}
1524: It is easy to verify that
1525: $\OTfromROT_\PlayerA(\ROTT_{\{\PlayerB\}} \| \Auth) \equiv \bS_\PlayerB(\OTT)$.
1526:
1527: $\OTfromROT_\PlayerB(\ROTT_{\{\PlayerA\}} \| \Auth)$ waits for $(x')^n$ from the $\ROTT$ interface, and the input $c$ from $\PlayerB$. It chooses $d$ uniformly at random and sends it to $\PlayerA$. After receiving also
1528: $m^n$ from the $\Auth$ interface from $\PlayerA$, it outputs $y = m_c \oplus y' = m_c \oplus x'_{c+d \pmod n}$ to $\PlayerB$.
1529: We define $\bS_\PlayerA$ as follows. It waits for $(x')^n$ on the $\ROTT$ interface,
1530: and $\bot$ from $\OTT$. Then, it chooses $d$ uniformly at random and sends it to $\PlayerA$ on the $\Auth$ interface. After receiving $m^n$ on the $\Auth$ interface, it sends
1531: the inputs $x_i := m_i \oplus x'_{i+d \pmod n}$ for $i \in \{0,\dots,n-1\}$ to $\OTT$.
1532: \begin{center} \PDForPSinput{OTfromROT-SA} \end{center}
1533: It is easy to verify that $\OTfromROT_\PlayerB(\ROTT_{\{\PlayerA\}} \| \Auth) \equiv \bS_\PlayerA(\OTT)$.
1534: \end{proof}
1535:
1536: \section{Oblivious Transfer is Symmetric}
1537:
1538: Even though $\ROT{1}{2}{1}$ does not look very symmetric, it is \emph{almost} symmetric,
1539: as we will show in this section.
1540: In particular, we will show that $\ROT{1}{2}{1}$ can be \emph{reversed}, using a very simple
1541: transformation that we will call $\ROTOR$. Let $\TOR{1}{2}{1}$ be $\ROT{1}{2}{1}$ in the opposite direction.
1542:
1543: The protocol $\ROTOR$
1544: implements $\TOR{1}{2}{1}$ using $\ROT{1}{2}{1}$ and is defined as follows.
1545:
1546: \begin{protocol}
1547: $\ROTOR_\PlayerA$:
1548: \begin{enumerate}
1549: \item Receive $(x'_0,x'_1)$ from $\ROTT$.
1550: \item Output $(c,y)$ to $\PlayerA$, where $y = x'_0$ and $c = x'_0 \oplus x'_1$.
1551: \end{enumerate}
1552: $\ROTOR_\PlayerB$:
1553: \begin{enumerate}
1554: \item Receive $(c',y')$ from $\ROTT$.
1555: \item Output $(x_0,x_1)$, where $x_0 = y'$ and $x_1 = c' \oplus y'$.
1556: \end{enumerate}
1557: \end{protocol}
1558:
1559: \begin{center} \PDForPSinput{ROTOR} \end{center}
1560:
1561: \begin{lemma} \label{lem:ROTOR}
1562: $\ROTOR(\ROT{1}{2}{1})$ securely implements $\TOR{1}{2}{1}$ in the malicious model.
1563: \end{lemma}
1564:
1565: \begin{proof} From
1566: \begin{align*}
1567: x_c
1568: & = x_0 \oplus (x_0 \oplus x_1) \cdot c
1569: = y' \oplus (y' \oplus c' \oplus y') \cdot ( x'_0 \oplus x'_1) \\
1570: & = y' \oplus c' \cdot ( x'_0 \oplus x'_1)
1571: = y' \oplus x'_{c'} \oplus x'_0
1572: = x'_0
1573: = y
1574: \end{align*}
1575: follows that $\TORR_{\emptyset} \equiv \ROTOR(\ROTT_{\emptyset})$. We choose
1576: $\bS_{\PlayerB} := \ROTOR_\PlayerB$ and $\bS_{\PlayerA} := \ROTOR_\PlayerA$. It is easy
1577: to verify that $\ROTOR_\PlayerA(\ROTT_{\{\PlayerB\}}) \equiv \bS_{\PlayerB}(\TORR_{\{\PlayerB\}})$
1578: and $\ROTOR_\PlayerB(\ROTT_{\{\PlayerA\}}) \equiv \bS_{\PlayerA}(\TORR_{\{\PlayerA\}})$.
1579: \end{proof}
1580:
1581: Let $\TO{1}{2}{1}$ be $\OT{1}{2}{1}$ in the opposite direction.
1582: Using the protocols
1583: $\ROTfromOT$, $\ROTOR$ and $\OTfromROT$, we can implement $\OT{1}{2}{1}$ using one instance of $\TO{1}{2}{1}$, and get the following theorem.
1584:
1585: \begin{theorem} \label{thm:otto}
1586: $\OT{1}{2}{1}$ can be securely implemented in the malicious model using $\Auth$ and one instance of $\TO{1}{2}{1}$.
1587: \end{theorem}
1588:
1589: Protocols that implement $\OT{1}{2}{1}$ from $\TO{1}{2}{1}$ have previously been
1590: presented in \cite{CreSan91}, and independently in \cite{OsVeYu91}. However, Theorem~\ref{thm:otto} leads to a much simpler and more
1591: efficient protocol. The protocol of Theorem~\ref{thm:otto} has been proposed in \cite{WolWul06},
together with an even more efficient protocol that uses only one bit of communication. Unfortunately,
1593: that protocol does not work here. The problem is that we are not able to send the
1594: value $\bot$ to $\PlayerA$ as soon as $\PlayerB$ has made his choice, if $\PlayerB$ makes his choice before $\PlayerA$
1595: has given her input.
1596:
1597: \section {In the Semi-Honest Model}
1598:
1599: In Section~\ref{subsec:weakSemi} we have seen that
1600: security in the malicious model does not always imply security in the semi-honest model.
1601: We will therefore show that the protocols $\ROTfromOT$, $\OTfromROT$ and $\ROTOR$
1602: are also secure in the semi-honest model.
1603:
1604: First of all, we have to adjust the definition of $\ROTT$.
Since a semi-honest adversary always chooses its random inputs truly at random, we have
1606: $ \semiROTT_{\{\widehat \PlayerA\}} = \semiROTT_{\{\widehat \PlayerB\}} = \semiROTT_{\emptyset}$.
1607:
1608: \begin{lemma}
1609: Protocol $\ROTfromOT(\OT{1}{n}{\ell})$ securely implements $\semiROT{1}{n}{\ell}$ in the semi-honest model.
1610: \end{lemma}
1611:
1612: \begin{proof}
1613: Obviously, we have $\semiROTT_{\emptyset} \equiv \ROTfromOT(\OTT)$.
1614:
1615: $(\ROTfromOT_\PlayerA \| \ul \ROTfromOT_\PlayerB)(\OTT)$ outputs $x^n$ to $\PlayerA$
1616: and $c$ (on the auxiliary interface) and $(c,y)$ to $\PlayerB$.
1617: $\bS_\PlayerB$ receives $(c,y)$, outputs $c$ on the auxiliary interface, and passes $(c,y)$ along to $\PlayerB$.
1618: We have
1619: \[(\ROTfromOT_\PlayerA \| \ul \ROTfromOT_\PlayerB)(\OTT) \equiv \bS_\PlayerB(\semiROTT_{\{\widehat \PlayerB\}})\;.\]
1620:
1621: $(\ul \ROTfromOT_\PlayerA \| \ROTfromOT_\PlayerB)(\OTT)$ outputs $x^n$ and $\bot$ (on the auxiliary interface) and $x^n$ to $\PlayerA$, and $(c,y)$ to $\PlayerB$.
1622: $\bS_\PlayerA$ receives $x^n$, outputs $x^n$ and $\bot$ on the
1623: auxiliary interface and then passes $x^n$ along to $\PlayerA$. We have
1624: \[(\ul \ROTfromOT_\PlayerA \| \ROTfromOT_\PlayerB)(\OTT) \equiv \bS_\PlayerA(\semiROTT_{\{\widehat \PlayerA\}})\;.\]
1625: Hence, the protocol is secure in the semi-honest model.
1626: \end{proof}
1627:
1628: \begin{lemma}
1629: $\OTfromROT(\semiROT{1}{n}{\ell}\|\Auth)$ securely implements $\OT{1}{n}{\ell}$ in the semi-honest model.
1630: \end{lemma}
1631:
1632: \begin{proof}
1633: We have seen in Lemma~\ref{lem:ROTfromOTactive} that $\OTT \equiv \OTfromROT(\ROTT_{\emptyset}\| \Auth)$.
1634:
$(\OTfromROT_\PlayerA\|\ul \OTfromROT_\PlayerB)(\semiROTT_{\{\widehat \PlayerB\}} \| \Auth)$ chooses $(c',y')$ uniformly at random, outputs it on the auxiliary interface to $\PlayerB$, and waits for input $c$ from $\PlayerB$. Then it outputs $d = c' - c \pmod n$ on the auxiliary interface to $\PlayerB$, and $\bot$ to $\PlayerA$. After receiving $x^n$ from $\PlayerA$, it outputs
1636: $m^n$ on the auxiliary interface and $y = x_c$ on the normal interface to $\PlayerB$, where $m_c = y' \oplus y$ and
1637: all the other values $m_i$ are chosen uniformly at random.
1638:
1639: $\bS_{\PlayerB}$ chooses $(c',y')$ uniformly at random and
1640: outputs it on the auxiliary interface. It waits for input $c$, passes it along to $\OTT$,
1641: and outputs $d := c' - c \pmod n$ on the auxiliary interface. After receiving $y = x_c$ from $\OTT$, it outputs
1642: $m^n$ to $\PlayerB$, where $m_c = y' \oplus y$ and the remaining values are chosen uniformly at random.
1643: Finally, it outputs $y$. It is easy to verify that
1644: \[(\OTfromROT_\PlayerA\|\ul \OTfromROT_\PlayerB)(\semiROTT_{\{\widehat \PlayerB\}} \| \Auth) \equiv \bS_\PlayerB(\OTT)\;.\]
1645:
$(\ul \OTfromROT_\PlayerA\|\OTfromROT_\PlayerB)(\semiROTT_{\{\widehat \PlayerA\}} \| \Auth)$ chooses $(x')^n$ uniformly at random and
1647: outputs it on the auxiliary interface to $\PlayerA$. After receiving $c$ from $\PlayerB$, it chooses $d$ uniformly at random and outputs $d$ and $\bot$ to
1648: $\PlayerA$ on the auxiliary interface. After receiving $x^n$ from $\PlayerA$, it outputs
1649: $m^n$ to $\PlayerA$, where $m_i := x_i \oplus x'_{i + d \pmod n}$, and $y=x_c$ to $\PlayerB$.
1650:
1651: $\bS_{\PlayerA}$ chooses $(x')^n$ at random and outputs it on the auxiliary interface to
1652: $\PlayerA$. After receiving $\bot$ from $\OTT$, it outputs $d$ chosen uniformly at random
1653: on the auxiliary interface and passes $\bot$ along to $\PlayerA$. After receiving
1654: $x^n$, it outputs $m^n$ to $\PlayerA$, where $m_i := x_i \oplus x'_{i + d \pmod n}$, and passes $x^n$ along
1655: to $\OTT$.
1656: It is easy to verify that
\[(\ul \OTfromROT_\PlayerA\|\OTfromROT_\PlayerB)(\semiROTT_{\{\widehat \PlayerA\}} \| \Auth) \equiv \bS_\PlayerA(\OTT)\;.\]
1658: Hence, the protocol is secure.
1659: \end{proof}
1660:
Protocol $\ROTOR$ applies a bijective function to the output of $\semiROTT$. Hence, all
1662: the auxiliary output can be simulated from the output of $\semiTOR{1}{2}{1}$, and we get the following lemma.
1663:
1664: \begin{lemma} \label{lem:SROTfromROT}
1665: $\ROTOR(\semiROT{1}{2}{1})$ securely implements $\semiTOR{1}{2}{1}$ in the semi-honest model.
1666: \end{lemma}
1667:
1668: \section{Information-Theoretic Security Conditions} \label{sec:infoSecCond}
1669:
1670: We will now present information-theoretic conditions, which imply that a protocol securely implements
1671: $\ROTT$ either in the malicious or the semi-honest models.
1672:
1673: \subsection{In the Malicious Model}
1674:
1675: The following information-theoretic conditions are similar to the conditions presented in \cite{CSSW06}, and to the definitions of randomized oblivious transfer used in \cite{DFSS06} and \cite{Wullsc07}. However, our correctness
1676: condition is stron\-ger, because we require the outputs to be random, if the players are honest.
1677:
1678: \begin{theorem} \label{thm:SecCondforROT}
1679: A protocol $\bP(\bF) = (\bP_\PlayerA \| \bP_\PlayerB)(\bF)$ securely implements $\ROT{1}{n}{\ell}$ with
1680: an error of at most $\eps$ in the malicious model, if
1681: \begin{itemize}
1682: \item(Correctness) $\bP(\bF_{\emptyset}) \equiv_\eps \ROTT_{\emptyset}$.
1683: \item(Security for \PlayerA) $\bP_\PlayerA(\bF_{\{\PlayerB\}})$ interacts over the interfaces
1684: belonging to $\PlayerB$ (which produces a transcript $V$), and after the last
1685: input is received, it outputs $X^n \in \{0,1\}^{\ell \cdot n}$ to $\PlayerA$.
1686: There exists a conditional probability distribution $P_{C \mid X^n V}$ that
1687: produces a random variable $C \in \{0,\dots,n-1\}$ such that
1688: $(X_0,\dots,X_{C-1},X_{C+1},\dots,X_{n-1})$ is $\eps$-close to uniform with respect to
1689: $(C,X_{C},V)$.
1690: \item(Security for \PlayerB) $\bP_\PlayerB(\bF_{\{\PlayerA\}})$ interacts over the interfaces belonging to $\PlayerA$ (which produces a transcript $U$), and after the last
1691: input is received, it outputs $(C,Y) \in \{0,\dots,n-1\} \times \{0,1\}^\ell$ to $\PlayerB$ where $C$ is
1692: $\eps$-close to uniform with respect to $U$.
1693: \end{itemize}
1694: \end{theorem}
1695:
1696: \begin{proof}
1697: Let $\bP(\bF)$ satisfy these conditions.
1698: The correctness condition is the same as in Definition \ref{def:sec}.
1699:
1700: Let $\bS_\PlayerB$ first simulate $\bP_\PlayerA(\bF_{\{\PlayerB\}})$ which interacts with $\PlayerB$ and outputs $(X')^n$ and the transcript $V$ of the interaction with $\PlayerB$. Then, it
1701: samples $C$ according to $P_{C \mid X^n=(x')^n,V=v}$
1702: and sends $(C,Y)$ to $\ROTT_{\{\PlayerB\}}$, where $Y := X'_{C}$. $\ROTT_{\{\PlayerB\}}$ will output $X^n$ to $\PlayerA$, where $X_{C} = X'_{C}$ and
1703: \[(X_0,\dots,X_{C-1},X_{C+1},\dots,X_{n-1})\] is chosen uniformly at random and independent from the rest. Since
1704: \[(X'_0,\dots,X'_{C-1},X'_{C+1},\dots,X'_{n-1})\] is $\eps$-close to uniform with respect to $(C,X_{C},V)$, we have
1705: \[ (X^n,C,V) \equiv_\eps ((X')^n,C,V) \;,\]
1706: from which follows that
1707: \[\bS_\PlayerB(\ROTT_{\{\PlayerB\}}) \equiv_{\eps} \bP_\PlayerA(\bF_{\{\PlayerB\}})\;.\]
1708:
1709: $\bS_\PlayerA$ is defined as follows. First, it simulates $\bP_\PlayerB(\bF_{\{\PlayerA\}})$,
1710: which interacts with $\PlayerA$ and outputs
1711: $(C',Y')$ and the transcript $U$ of the interaction with $\PlayerA$. Since $C'$ is $\eps$-close to uniform with
1712: respect to $U$, we have
1713: \[ P_{C'Y'U} = P_{C'U}P_{Y'\mid UC'} \equiv_{\eps} P_{\overline C} P_{U} P_{Y' \mid UC'}\;,\]
where $P_{\overline C}$ is the uniform distribution over $\{0,\dots,n-1\}$.
1715: $\bS_\PlayerA$ now calculates $X'^n$, where $X'_i$ is sampled according to
1716: the probability distributions $P_{Y' \mid U,C'=i}$, and sends them to $\ROTT_{\{\PlayerA\}}$.
1717: Note that the behavior of
1718: the system $\bP_\PlayerB(\bF_{\{\PlayerA\}})$ is known, and therefore also the probability
1719: distribution $P_{Y' \mid U,C'=i}$.
1720: $\PlayerB$ receives a value $C$ chosen uniformly at random, and $Y=X'_C$ distributed according to
1721: $P_{Y' \mid U,C'=c}$. We have
1722: \[P_{CYU} = P_{U} P_{C \mid U} P_{Y' \mid UC'} = P_{U} P_{\ol C} P_{Y' \mid UC'} \equiv_\eps P_{C'Y'U}\;,\] and,
1723: therefore,
1724: \[\bS_\PlayerA(\ROTT_{\{\PlayerA\}}) \equiv_{\eps} \bP_\PlayerB(\bF_{\{\PlayerA\}}) \;.\]
1725: \end{proof}
1726:
1727: Note that the simulation given in Theorem~\ref{thm:SecCondforROT} is not necessarily efficient.
1728:
1729: \subsection{In the Semi-Honest Model}
1730:
1731: \begin{theorem} \label{thm:passiveSecCondforSROT2}
1732: Let $\eps \geq 0$. Let $\bP(\bF) = (\bP_\PlayerA \| \bP_\PlayerB)(\bF)$
1733: be a protocol that outputs $X^n$ to $\PlayerA$ and $(C,Y)$ to $\PlayerB$, and let $U$ be the auxiliary output to $\PlayerA$ given by $\ul \bP_\PlayerA$, and $V$ be the auxiliary output to $\PlayerB$ given by $\ul \bP_\PlayerB$.
1734: $\bP(\bF)$ securely implements $\semiROT{1}{n}{\ell}$ with
1735: an error of at most $3\eps$ in the semi-honest model, if
1736:
1737: \begin{itemize}
1738: \item(Correctness) $\bP(\bF_{\emptyset}) \equiv_\eps \ROTT_{\emptyset}$.
1739: \item(Security for $\PlayerA$)
1740: $(X_0,\dots,X_{C-1},X_{C+1},\dots,X_{n-1})$ is $\eps$-close to uniform with respect to $(C,Y,V)$.
1741: \item(Security for $\PlayerB$)
1742: $C$ is $\eps$-close to uniform with respect to $(X^n,U)$.
1743: \end{itemize}
1744: \end{theorem}
1745:
1746: \begin{proof}
1747: Let $\bP(\bF)$ satisfy these conditions and
1748: let $P_{\ol {X}^n \ol{C Y}}$ be the output distribution of $\semiROT{1}{n}{\ell}$.
1749: We have
1750: $P_{X^n C Y} \equiv_{\eps} P_{\ol {X}^n \ol{C Y}}$.
1751: Obviously, the correctness condition is satisfied with an error of at most $\eps$.
1752:
1753: We define $\bS_\PlayerB$ as follows. After receiving $(C,Y)$, it samples a value
1754: $V'$ distributed according to $P_{V \mid CY}$ and outputs $(C,Y,V')$.
1755: We get
1756: \begin{align*}
P_{X^n CYV}
1758: &=\; P_{X_0\dots X_{C-1}X_{C+1}\dots X_{n-1}CYV} P_{X_C \mid X_0\dots X_{C-1}X_{C+1}\dots X_{n-1}CYV}\\
1759: &\equiv_{\eps} P_{X_0\dots X_{C-1}X_{C+1}\dots X_{n-1}CYV} P_{\ol{X}_{\ol{C}} \mid \ol{CY}} \\
1760: &\equiv_{\eps} P_{CYV} P_{\ol X_0\dots \ol X_{C-1}\ol X_{C+1}\dots \ol X_{n-1}} P_{\ol X_{\ol C} \mid \ol C\ol Y} \\
1761: &=\; P_{CY} P_{V \mid CY} P_{\ol X_0\dots \ol X_{C-1}\ol X_{C+1}\dots \ol X_{n-1}} P_{\ol X_{\ol C} \mid \ol C\ol Y} \\
1762: &\equiv_{\eps}
1763: P_{\ol{CY}} P_{V \mid CY} P_{\ol X_0\dots \ol X_{\ol C-1}\ol X_{\ol C+1}\dots \ol X_{n-1}} P_{\ol X_{\ol C} \mid \ol C\ol Y} \\
1764: &=\; P_{\ol {X}^n \ol{C Y}} P_{V \mid CY}
1765: = P_{\ol {X}^n \ol{C Y}} P_{V' \mid CY}
1766: \end{align*}
1767: and, therefore,
1768: \[(\bP_\PlayerA \| \ul \bP_\PlayerB)(\bF_{\{\widehat \PlayerB\}}) \equiv_{3\eps} \bS_\PlayerB(\ROTT_{\{\widehat \PlayerB\}})\;.\]
1769:
1770: We define $\bS_\PlayerA$ as follows. After receiving $X^n$, it samples a value
1771: $U'$ distributed according to $P_{U \mid X^n}$ and outputs $(X^n,U')$.
1772: We get
1773: \begin{align*}
1774: P_{X^n CYU}
1775: &=\; P_{X^n CU} P_{Y \mid X^n CU} \equiv_\eps P_{X^n CU} P_{\ol{Y} \mid \ol{X}^n \ol{C}}\\
1776: &\equiv_{\eps} P_{X^n U} P_{\ol C} P_{\ol Y \mid \ol {X}^n \ol{C}}
1777: = P_{X^n} P_{U \mid X^n} P_{\ol C} P_{\ol Y \mid \ol {X}^n \ol{C}} \\
1778: &\equiv_{\eps} P_{\ol{X}^n} P_{\ol C} P_{\ol Y \mid \ol {X}^n \ol{C}} P_{U \mid X^n}
1779: = P_{\ol {X}^n \ol{CY}} P_{U' \mid X^n}
1780: \end{align*}
1781: and, therefore,
1782: \[(\ul \bP_\PlayerA \| \bP_\PlayerB)(\bF_{\{\widehat \PlayerA\}}) \equiv_{3\eps} \bS_\PlayerA(\ROTT_{\{\widehat \PlayerA\}})\;.\]
1783: \end{proof}
1784:
1785: One way to sample $V'$ according to $P_{V \mid C,Y}$ is to simulate the protocol $(\bP_\PlayerA \| \ul \bP_\PlayerB)(\bF)$ until $(V',C',Y')$ is received where $C'=C$ and $Y'=Y$. This simulation needs
time exponential in $\ell$ (it is rejection sampling over the $n \cdot 2^{\ell}$ possible values of $(C,Y)$, which by the correctness condition are close to uniformly distributed), but is efficient if $\ell$ and $n$ are small and
1787: $(\bP_\PlayerA \| \ul \bP_\PlayerB)(\bF)$ is efficient.
1788: Similarly, we can sample $U'$ by simulating the protocol $(\ul \bP_\PlayerA \| \bP_\PlayerB)(\bF)$ until $(U',(X')^n)$ is received where $(X')^n = X^n$.
1789:
1790:
1791:
1792: \chapter{Universal Oblivious Transfer} \label{chap:uot}
1793:
1794: \emph{Universal oblivious transfer} (UOT) is a variant of ROT where the security of the sender
1795: is weakened. A malicious receiver is allowed to receive
1796: \emph{any} information he wants about the sender's input, as long as he does not receive too much information. A parameter $\alpha$ specifies a lower bound on the amount of uncertainty the receiver must have over
1797: the sender's input, measured in terms of min-entropy.
1798: UOT was introduced in \cite{Cachin98}, together with a protocol that implements ROT from UOT.
1799: However, the security proof contained an error which was discovered
1800: in \cite{DFSS06}.
It was shown that
1802: ROT with a string length of $\ell$ can be implemented from one instance of UOT with
1803: an error of at most $\eps$ if $\ell \leq \alpha/4 - \frac34 \log(1/\eps) - 1$, which is only about
1804: half as much as originally claimed in \cite{Cachin98}.
1805:
1806: In Theorem~\ref{thm:universal-tight} we give a new proof for the same protocol that was also used in \cite{Cachin98,DFSS06},
1807: and show that the protocol is also secure for
1808: \[ \ell \leq \alpha/2 - 3\log(1/\eps)\]
1809: with an error of at most $2\eps$. This improves the bound of \cite{DFSS06} by a factor of 2 (at the cost of a larger error term) and achieves the bound that has been originally claimed in \cite{Cachin98}, which is asymptotically optimal for this protocol.
1810:
1811: Our proof makes use of a new \emph{distributed leftover hash lemma} (Lemma~\ref{lem:distRandExt}) which is of independent interest.
1812:
1813: \section{Min-Entropy and Randomness Extraction} \label{sec:randExt}
1814:
1815: In this section we show how almost uniform randomness can be extracted out
1816: of non-uniform randomness.
1817: We use the \emph{min-entropy} to
1818: measure the amount of randomness a random variable has.
1819:
1820: \begin{definition} [Conditional Min-entropy]
1821: Let $X$ and $Y$ be random variables. The \emph{min-entropy of $X$ given $Y$} is defined as
1822: \begin{align*}
1823: \Hmin(X \mid Y) &:= \min_{xy: P_{XY}(x,y)>0} \log \frac 1 {P_{X \mid Y}(x \mid y)}\;.
1824: \end{align*}
1825: \end{definition}
1826:
1827: We will need the following lemma.
1828:
1829: \begin{lemma} \label{lem:entropy-cond}
1830: For all $X$, $Y$, and $Z$, we have $\Hmin(X \mid Z) \geq \Hmin(X \mid YZ)$.
1831: \end{lemma}
1832:
\begin{proof} Since $P_{X \mid Z}(x \mid z)$ is an average of $P_{X \mid YZ}(x \mid y,z)$ over $y$ (weighted by $P_{Y \mid Z}(y \mid z)$), the inequality follows from
\begin{align*}
\max_{x,z} P_{X \mid Z}(x \mid z)
& = \max_{x,z} \sum_{y} P_{Y \mid Z}(y \mid z) P_{X \mid YZ}(x \mid y,z) \\
& \leq \max_{x,z} \sum_{y} P_{Y \mid Z}(y \mid z) \max_{x',y',z'} P_{X \mid YZ}(x' \mid y',z') \\
& = \max_{x,y,z} P_{X \mid YZ}(x \mid y,z)\;,
1839: \end{align*}
1840: \end{proof}
1841:
1842: We will use \emph{$2$-universal hash functions} to extract randomness.
1843:
1844: \begin{definition}[\cite{CarWeg79}]
1845: A function $h:\mX \times \mS \rightarrow \mY$ is called a \emph{$2$-universal hash function}, if
1846: for all $x_0 \neq x_1 \in \mX$, we have
1847: \[ \Pr [h(x_0,S) = h(x_1,S)] \leq \frac 1{|\mY|}\;,\]
1848: if $S$ is uniform over $\mS$.
1849: \end{definition}
1850:
1851: The \emph{leftover hash lemma} \cite{ILL89}
1852: shows that a $2$-universal hash function is able to extract almost all randomness,
1853: if some additional uniform randomness $S$ is provided as a catalyst. Notice that the
1854: extracted randomness is independent from $S$.
1855: A slightly less general form of this lemma has been proved before in \cite{BeBrRo88}, where
1856: it was called \emph{privacy amplification}. \cite{BBCM95} generalized the notion of
privacy amplification to basically the same statement as \cite{ILL89}, in a slightly different notation.
1858:
1859: \begin{lemma}[Leftover hash lemma \cite{BeBrRo88,ILL89}] \label{lem:randExt}
1860: Let $X$ be a random variable over $\mX$ and let $m > 0$. Let
1861: $h:\mS \times \mX \rightarrow \{0,1\}^m$ be a $2$-universal hash function.
1862: If
1863: \[m \leq \Hmin(X) - 2 \log(1/\eps)\;,\]
1864: then for $S$ uniform over $\mS$,
1865: $h(S,X)$ is $\eps$-close to uniform with respect to $S$.
1866: \end{lemma}
1867:
1868: We will now give a distributed version of the leftover hash lemma, where
1869: two players independently extract randomness from two dependent random variables $X$ and $Y$.
1870: The (normal) leftover hash lemma tells us that if the extracted randomness of $X$ and $Y$, respectively, is smaller than
1871: the min-entropy of $X$ and $Y$, respectively, then the extracted strings are close to uniform. However, the
1872: two extracted strings might depend on each other. Lemma \ref{lem:distRandExt} now states that
1873: if the total length of the extracted randomness is smaller than the min-entropy of $(X,Y)$,
1874: then the two strings are also almost independent. Clearly, this bound is optimal.
1875:
1876: \begin{lemma}[Distributed leftover hash lemma] \label{lem:distRandExt}
1877: Let $X$ and $Y$ be random variables over $\mX$ and $\mY$, and let $m, n > 0$. Let $g:\mS \times \mX \rightarrow \{0,1\}^m$ and $h:\mR \times \mY \rightarrow \{0,1\}^n$ be $2$-universal hash functions.
1878: If
1879: \begin{align*}
1880: m &\leq \Hmin(X) - 2\log(1/\eps)\;, \\
1881: n &\leq \Hmin(Y) - 2\log(1/\eps)\;, \quad \textrm{and} \\
1882: m + n &\leq \Hmin(XY) - 2\log(1/\eps)\;,
1883: \end{align*}
1884: then, for $(S,R)$ uniform over $\mS \times \mR$,
1885: $(g(S,X),h(R,Y))$ is $\eps$-close to uniform with respect to $(S,R)$.
1886: \end{lemma}
1887:
1888: \begin{proof}
1889: For any $W$ having distribution $P_W$ over $\mW$, and $W'$ uniformly distributed over $\mW$, we have
1890: \begin{align*}
1891: \Delta(W,W')
1892: = & \frac 1 2 \sum_{w} \left | P_{W}(w) - \frac{1}{|\mW|} \right|
1893: = \frac 1 2 \sqrt{\left ( \sum_{w} \left | P_{W}(w) - \frac{1}{|\mW|} \right| \right )^2}\\
1894: \leq & \frac 1 2 \sqrt{|\mW|}
1895: \sqrt{\sum_{w}\left ( P_{W}(w) - \frac{1}{|\mW|} \right)^2} \\
1896: = & \frac 1 2 \sqrt{|\mW|}
1897: \sqrt{\sum_{w}P^2_{W}(w) - \frac{1}{|\mW|}}\;.
1898: \end{align*}
1899: Here we used Lemma~\ref{lem:cauchySchwartz2}.
1900:
1901: Let $V = g(S,X)$, $V' = h(R,Y)$ and $U,U'$ be two
1902: uniform random variables over $\{0,1\}^m$ and $\{0,1\}^n$. Choosing $W := (V,V',S,R)$ and $W' := (U,U',S,R)$
1903: in the above inequality, we get
1904: \begin{align*}
1905: & \Delta((V,V',S,R),(U,U',S,R)) \\
1906: & \qquad \leq \frac 1 2 \sqrt{|\mS||\mR| 2^{m+n}}
1907: \sqrt{\sum_{vv'sr}P^2_{VV'SR}(v,v',s,r) - \frac{1}{|\mS||\mR| 2^{m+n}}}\;.
1908: \end{align*}
1909: Since $\sum_{x} P^2_{X}(x)$ is the \emph{collision probability}\footnote{
1910: Let $X_0$ and $X_1$ be distributed according to $P_X$.
The \emph{collision probability} is $\Pr[X_0 = X_1] = \sum_x P_X(x)^2$.}
1912: of a random variable $X$, we have
1913: for $(X_0,Y_0)$ and $(X_1,Y_1)$ independently distributed according to $P_{XY}$
1914: and for uniformly random $S_0$, $S_1$, $R_0$, and $R_1$ that
1915: \begin{align*}
& \sum_{vv'sr} P^2_{VV'SR}(v,v',s,r) = \Pr[S_0 = S_1 \wedge R_0=R_1] \\
& \qquad \cdot \Pr[g(S_0,X_0) = g(S_0,X_1) \wedge h(R_0,Y_0) = h(R_0,Y_1)]\;.
1918: \end{align*}
1919:
1920: Because $g$ and $h$ are 2-universal hash functions, we have
1921: \begin{align*}
& \Pr[g(S_0,X_0) = g(S_0,X_1) \wedge h(R_0,Y_0) = h(R_0,Y_1)] \\
1923: & \qquad \leq \Pr[X_0 = X_1 \wedge Y_0 = Y_1]
1924: + 2^{-m} \Pr[X_0 \neq X_1 \wedge Y_0 = Y_1] \\
1925: & \qquad \qquad + 2^{-n} \Pr[X_0 = X_1 \wedge Y_0 \neq Y_1] + 2^{-m-n} \\
1926: & \qquad \leq 2^{-m-n} \cdot \eps^2 + 2^{-m} 2^{-n} \cdot \eps^2 + 2^{-n} 2^{-m} \cdot \eps^2 + 2^{-m-n} \\
1927: & \qquad = (1 + 3 \eps^2)2^{-m-n}\;,
1928: \end{align*}
1929: which implies that
1930: \begin{align*}
1931: & \Delta((V,V',S,R),(U,U',S,R)) \\
1932: & \qquad \leq \frac 1 2
1933: \sqrt{|\mS||\mR| 2^{m+n}}
1934: \sqrt{\frac{1}{|\mS||\mR|}\frac{1 + 3\eps^2}{2^{m+n}} - \frac{1}{|\mS||\mR| 2^{m+n}}}
1935: \leq \frac {\sqrt{3}} 2 \eps\;.
1936: \end{align*}
1937: \end{proof}
1938:
1939: Notice that Lemma~\ref{lem:distRandExt} implies Lemma~\ref{lem:randExt}.
1940:
1941: \section{Definition of Universal Oblivious Transfer} \label{sec:uotDef}
1942:
1943: We now define \emph{universal oblivious transfer}, or $\UOT{\alpha}{n}$, which is a variant of $\ROT{1}{2}{n}$ that provides weaker security for $\PlayerA$. For $\mA = \emptyset$ or $\mA= \{\PlayerA\}$, $\UOTT$ is equal to $\ROTT$. But for $\mA= \{\PlayerB\}$,
1944: instead of requiring that $\PlayerB$ does not know anything about
one of the two strings, we only require that he does not entirely know both of them, i.e., the min-entropy of the sender's strings $(x_0,x_1)$ is at least $\alpha$.
1946: Note that from Lemma~2 in \cite{RenWol05}, it follows that there
1947: is no need to use different kinds of R\'enyi-entropies \cite{Renyi61} as done in \cite{Cachin98} or \cite{DFSS06}, as they are basically all equivalent to the min-entropy.
1948:
1949: \begin{definition}[Universal oblivious transfer] \label{def:uot}
1950: The system $\UOT{\alpha}{n}$ (or, if $\alpha$ and $n$ are clear from the context, $\UOTT$) is defined as a collection of
1951: systems
1952: \[\UOTT = (\UOTT_\emptyset, \UOTT_{\{\PlayerA\}}, \UOTT_{\{\PlayerB\}})\;,\]
1953: where
1954: $\UOTT_\emptyset = \ROT{1}{2}{n}_\emptyset$ and $\UOTT_{\{\PlayerA\}} = \ROT{1}{2}{n}_{\{\PlayerA\}}$. $\UOTT_{\{\PlayerB\}}$ is defined
1955: as follows. The system waits for $\PlayerB$ to input a distribution
1956: \[p \in \{ P_{X_0X_1} \mid \Hmin(X_0,X_1) \geq \alpha\}\;,\]
1957: where $(X_0,X_1) \in \{0,1\}^n \times \{0,1\}^n$.
1958: After receiving $p$, it chooses $(x_0,x_1)$ according to $p$ and outputs $(x_0,x_1)$ to $\PlayerA$.
1959: \end{definition}
1960:
Notice that our definition of UOT is slightly weaker than the
definitions used in \cite{Cachin98,DFSS06}. Because our UOT is a weak version of ROT, we not
only allow the malicious receiver to obtain arbitrary information about the sender's output $(x_0,x_1)$, but we also allow
him to freely choose the distribution of that output. For example, we allow him to select $2n-\alpha$ bits and fix their values freely. UOT will then choose the remaining $\alpha$ bits uniformly at random.
1965:
1966: \section{Universal Oblivious Transfer Amplification} \label{sec:uotProtocol}
1967:
1968: Our protocol $\ROTfromUOT$ is basically the same as the protocols used in
\cite{BraCre97,Cachin98,BrCrWo03,DFSS06}. It securely implements $\ROT{1}{2}{\ell}$ using one instance of
1970: $\UOT{\alpha}{n}$ and $\Auth$ in the malicious model.
1971: Let $h: \{0,1\}^n \times \mR \rightarrow \{0,1\}^\ell$ be a $2$-universal hash function.
1972: The protocol is defined as follows.
1973:
1974: \begin{protocol}
1975: $\ROTfromUOT_\PlayerA$:
1976: \begin{enumerate}
1977: \item Receive $(x_0, x_1) \in \{0,1\}^n \times \{0,1\}^n$ from $\UOTT$.
1978: \item Choose $(r_0, r_1) \in \mR^2$ uniformly at random.
1979: \item Send $(r_0, r_1)$ to $\Auth$.
1980: \item Output $(u_0,u_1) \in \{0,1\}^\ell \times \{0,1\}^\ell$ to $\PlayerA$, where $u_0 := h(x_0,r_0)$ and $u_1 := h(x_1,r_1)$.
1981: \end{enumerate}
1982: $\ROTfromUOT_\PlayerB$:
1983: \begin{enumerate}
1984: \item
1985: Receive $(c,w) \in \{0,1\} \times \{0,1\}^n$ from $\UOTT$ and $(r_0, r_1) \in \mR^2$ from $\Auth$.
1986: \item
Output $(c,y) \in \{0,1\} \times \{0,1\}^\ell$ to $\PlayerB$, where $y := h(w,r_c)$.
1988: \end{enumerate}
1989: \end{protocol}
1990:
1991: \begin{center} \PDForPSinput{ROTfromUOT} \end{center}
1992:
1993: We will now show that this protocol indeed achieves the optimal bound
1994: of $\ell \approx \alpha/2$.
1995: The proof works roughly as follows. We define
1996: an additional random variable $A \in \{0,1,2\}$ that distinguishes between three different cases, and show that in each case there
1997: exists a random variable $C$ such that $U_{1-C}$ is almost uniform and independent of the rest. If $A \in \{0,1\}$,
1998: we can lower-bound the min-entropy of $X_{1-A}$ conditioned on
1999: $X_{A}$, and are therefore able to apply Lemma~\ref{lem:randExt} for $C=A$.
2000: If $A=2$ we have lower bounds for the min-entropy of $X_{0}$, $X_{1}$,
2001: and $(X_0,X_1)$, which allow us to
2002: apply Lemma~\ref{lem:distRandExt}.
2003: We need that $\Pr[A=2] \geq \eps$.
2004: If this is not
2005: the case, we ignore the events $A=2$ at the cost of an additional error of at most $\eps$.
2006:
2007: \begin{theorem} \label{thm:universal-tight}
2008: Let $\alpha, n, \ell, \eps > 0$.
2009: Protocol $\ROTfromUOT(\UOT{\alpha}{n})$ securely implements $\ROT{1}{2}{\ell}$
2010: in the malicious model with an error of at most $2\eps$, if $\ell \leq \alpha/2 - 3 \log(1/\eps)$.
2011: \end{theorem}
2012:
2013: \begin{proof}
Obviously, for $\mA = \emptyset$, we have $\ROTfromUOT(\UOTT_{\emptyset}) \equiv \ROTT_{\emptyset}$.
2015:
2016: Let $\mA = \{\PlayerA\}$. $\ROTfromUOT_{\PlayerB}(\UOTT_{\{\PlayerA\}})$ waits for receiving $(x_0,x_1)$ and $(r_0,r_1)$ from $\PlayerA$ and then outputs $(c,y)$ to $\PlayerB$, where $c$ is chosen uniformly at random and $y = h(x_c,r_c)$.
2017: We define $\bS_{\PlayerA}$ as follows. It waits for receiving $(x_0,x_1)$ and $(r_0,r_1)$ from $\PlayerA$ and sends
$(h(x_0,r_0),h(x_1,r_1))$ to $\ROTT_{\{\PlayerA\}}$. It is easy to see that
$\ROTfromUOT_{\PlayerB}(\UOTT_{\{\PlayerA\}}) \equiv \bS_{\PlayerA}(\ROTT_{\{\PlayerA\}})$.
2020:
2021: Let $\mA = \{\PlayerB\}$. The system $\ROTfromUOT_\PlayerA(\UOTT_{\{\PlayerB\}})$ receives the value $p$
2022: from $\PlayerB$, and then outputs $(U_0,U_1)$ to $\PlayerA$ and $(R_0,R_1)$ to $\PlayerB$. In the following,
2023: we will implicitly condition on the values $P=p$.
2024: Let
2025: \[S_i := \left \{x_i \in \mX_i: \Pr[X_i=x_i] \leq 2^{-\alpha/2} \right \}\;,\]
2026: for $i \in \{0,1\}$. Let
2027: \begin{eqnarray} \label{eq:f2}
2028: g(x_0,x_1) := \left \{
2029: \begin{array}{ll}
2030: 2 & \textrm{if }(x_0 \in S_0) \wedge (x_1 \in S_1) \\
2031: 0 & \textrm{if }(x_{0} \not \in S_{0})\wedge(x_1 \in S_1) \\
2032: 1 & \textrm{if }(x_{0} \in S_{0})\wedge(x_1 \not \in S_1) \\
2033: u & \textrm{if }(x_0 \not \in S_0) \wedge (x_1 \not \in S_1)\;,
2034: \end{array}
2035: \right.
2036: \end{eqnarray}
2037: and $A := g(X_0,X_1)$,
2038: for $u$ chosen uniformly at random from $\{0,1\}$.
2039: If $\Pr[A=2] < \eps$, let $\mE$ be the event that $A < 2$, and let $\mE$ be the event with probability $1$ otherwise.
2040: We have $\Pr[\mE] \geq 1 - \eps$, and the event $(A=2) \cap \mE$
2041: either has probability $0$ or at least $\eps$. Let $C = \min(A,1)$.
2042: \begin{itemize}
2043: \item For $A=a \in \{0,1\}$ and $\Pr[A=a \wedge \mE] > 0$, we have $C=a$.
2044: All $x_a \in S_a$ have $\Pr[X_a = x_a \mid A=a \wedge \mE] =0$. For all $x_a \not \in S_a$ we have
2045: \begin{align*}
2046: & \Pr[X_a = x_a \wedge A=a \wedge \mE] \\
2047: & \qquad = \Pr[X_a = x_a \wedge X_{1-a} \in S_{1-a}]
2048: + \frac {\Pr[X_a = x_a \wedge X_{1-a} \not \in S_{1-a}]} 2 \\
2049: & \qquad \geq \frac {\Pr[X_a = x_a]} 2 \geq 2^{-\alpha/2-1}\;.
2050: \end{align*}
2051: It follows that
2052: \begin{align*}
2053: &\Pr[X_{1-a} = x_{1-a} \mid X_a = x_a \wedge A=a \wedge \mE] \\
2054: & \qquad = \frac{\Pr[X_{1-a} = x_{1-a} \wedge X_a = x_a \wedge A=a \wedge \mE]}{\Pr[X_a = x_a \wedge A=a \wedge \mE]} \\
2055: & \qquad \leq 2^{-\alpha}/2^{-\alpha/2-1} = 2^{-\alpha/2 + 1}\;,
2056: \end{align*}
2057: and hence, $\Hmin(X_{1-C} \mid X_{C},A=a,\mE) \geq \alpha/2 - 1$.
2058: Since $R_{0}$ and $R_1$ are uniformly distributed and independent of the rest, it follows from Lemma~\ref{lem:randExt} that, conditioned on $(A=a) \cap \mE$,
2059: $U_{1-C}$ is $\eps$-close to uniform with respect to $(R_0,R_1,U_{C})$.
2060: \item If $A=2$ and
2061: $\Pr[A=2 \wedge \mE] > 0$, then $C=1$, $\Pr[A=2 \wedge \mE] \geq \eps$, $\Pr[X_0 = x_0 \wedge X_1 = x_1 \mid A=2 \wedge \mE] \leq 2^{-\alpha}/\eps$, and $\Pr[X_i = x_i \mid A=2 \wedge \mE] \leq 2^{-\alpha/2}/\eps$, for $i \in \{0,1\}$.
2062: It follows that
2063: \begin{align*}
2064: \Hmin(X_0 \mid A=2 \wedge \mE) &\geq \alpha/2 - \log(1/\eps) \\
2065: \Hmin(X_1 \mid A=2 \wedge \mE) &\geq \alpha/2 - \log(1/\eps) \\
2066: \Hmin(X_0 X_1 \mid A=2 \wedge \mE) &\geq \alpha - \log(1/\eps)\;.
2067: \end{align*}
2068: Since $R_{0}$ and $R_1$ are uniformly distributed and independent of the rest,
2069: it follows from Lemma~\ref{lem:distRandExt} that conditioned on $(A=2) \cap \mE$,
2070: $(U_0,U_1)$
2071: is $\eps$-close to uniform with respect to $(R_0,R_1)$, from which follows that
2072: $U_{1-C}$ is $\eps$-close to uniform with respect to $(R_0,R_1,U_C)$.
2073: \end{itemize}
2074: Therefore, for all $a \in \{0,1,2\}$, conditioned on $(A=a) \cap \mE$, the distribution of $U_{1-C}$ is
2075: $\eps$-close to uniform with respect to $(R_0,R_1,C,U_{C})$.
2076: Since $\Pr[\mE]\geq 1 - \eps$, it follows from Lemma~\ref{lem:statDistEvent2} that $U_{1-C}$ is $2\eps$-close to uniform with respect
2077: to $(R_0,R_1,C,U_{C})$. Because this holds for every $P=p$,
2078: it follows that $U_{1-C}$ is $2 \eps$-close to uniform with respect to $(C,U_{C},P,R_0,R_1)$.
2079:
2080: We define $\bS_\PlayerB$ as follows. After receiving $p: \mX_0 \times \mX_1 \rightarrow [0,1]$ from $\PlayerB$, it simulates $\UOTT_{\{\PlayerB\}}$ on input $p$, from which it gets
2081: the values $X'_0$ and $X'_1$, distributed according to $p$. It calculates
$C' = \min(g(X'_0,X'_1),1)$ according to (\ref{eq:f2}). Then it chooses $R'_0$ and $R'_1$ uniformly at random from $\mR$, sends
2083: $(C',h(X'_{C'},R'_{C'}))$ to $\ROTT_{\{\PlayerB\}}$ and outputs $(R'_0,R'_1)$ on the $\Auth$ interface.
$\ROTT_{\{\PlayerB\}}$ will output $(U'_0,U'_1)$ to $\PlayerA$, where $U'_{C'} = h(X'_{C'},R'_{C'})$
and $U'_{1-C'}$ is chosen uniformly at random and independent
from the rest. Since $U_{1-C}$ is $2\eps$-close to
2087: uniform with respect to $(C,P,U_{C},R_0,R_1)$, it is easy to see that
2088: \[(U'_0,U'_1,C',P,R'_0,R'_1) \equiv_{2\eps}(U_0,U_1,C,P,R_0,R_1)\;,\]
2089: from which follows that
2090: \[\ROTfromUOT_\PlayerA(\UOTT_{\{\PlayerB\}}) \equiv_{2\eps} \bS_\PlayerB(\ROTT_{\{\PlayerB\}})\;.\]
2091: \end{proof}
2092:
2093: \section{Applications}
2094:
2095: The definition of UOT emerged as a generalization of the protocol
2096: presented in \cite{BraCre97,BrCrWo03} to implement string OT out of bit OT.
2097: Therefore it is not surprising that the reduction we presented in this
2098: chapter can be
2099: used to implement string OT from bit OT. Asymptotically, our protocol also
2100: achieves the same bound as the protocol of \cite{BraCre97,BrCrWo03} for this
2101: task. Our protocol can also be used to implement OT from GOT, which leads to better bounds
2102: than the ones presented in \cite{BraCre97,BrCrWo03} or \cite{DFSS06}.
2103:
2104: Recently, another very interesting application of UOT has been presented: in
2105: \cite{DFRSS06}, it was shown that in the \emph{bounded quantum-storage model}, it
2106: is possible to implement a simple protocol that achieves a quantum version of
2107: UOT. Whereas it is not clear how the results of \cite{DFSS06} can be used
2108: in that setting to implement OT, they showed that a simplified version of our proof
2109: (only requiring the normal leftover hash lemma)
2110: can directly be applied, using
2111: a quantum version of the leftover hash lemma,
2112: called \emph{privacy amplification against quantum adversaries} \cite{RenKoe05,Renner05}.
2113: It is also possible to generalize our distributed
2114: leftover hash lemma to the quantum setting, and therefore
2115: the proof we present in this chapter can also
2116: be used in the setting of \cite{DFRSS06} to improve the efficiency of their reduction.
2117:
2118:
2119: \chapter{Weak Oblivious Transfer} \label{chap:wot}
2120:
2121: \begin{figure}
2122: \begin{center} \PDForPSinput{wot-bounds} \end{center}
2123: \caption{The bounds on the parameters $p$, $q$, and $\eps$ for WOT. (0): Impossibility, Theorem~\ref{thm:wot-imposs-reduction}. (1): Special case where
2124: $\eps = 0$ or $\eps$ is small, Theorem~\ref{thm:otAmp-e0} and Corollary~\ref{cor:generalBound5}. (2-3): Special cases where $p=0$ or $q=0$, Theorem~\ref{thm:wotbound-p0} and Corollary~\ref{cor:wotbound-q0}. (4-7): General case where $p,q,\eps > 0$, Theorem~\ref{thm:generalBound}.
2125: }
2126: \end{figure}
2127:
2128: \emph{Weak oblivious transfer} (WOT), introduced in \cite{DaKiSa99}, is a weak variant of ROT
2129: where \emph{both} players may obtain additional information about the other player's input, and where the output may have some errors.
2130: In \cite{DaKiSa99} it was
2131: used as a tool to construct OT from \emph{unfair primitives}, i.e., primitives where
2132: the adversary is more powerful than the honest participants, such as the \emph{unfair noisy channel}.
2133: WOT is parameterized by three parameters, $p$, $q$, and $\eps$, where $p$ measures the amount
2134: of side information that the sender gets about the receiver's choice bit, $q$ the amount of side information the receiver gets about the sender's second input bit, and $\eps$
2135: is the maximal probability that an error occurs.
2136:
2137: While the definition of WOT is very informal in \cite{DaKiSa99}, the definition used in
\cite{DFMS04} (which gives an ideal functionality of WOT) implicitly made a rather strong assumption, namely that the event that an adversary gains information is independent of the error. Unfortunately, the protocol used in \cite{DaKiSa99,DFMS04} based on unfair noisy channels does not achieve these strong requirements.
2139: We propose two new, weaker definitions of WOT, one for the semi-honest (Definition~\ref{def:wot-semi}) and one for the malicious model (Definition~\ref{def:wot-mal}), that do not have these assumptions.
2140: Also, our definitions make the use of \emph{generalized weak oblivious transfer} \cite{DFMS04}, at least for the protocols we have at the moment, unnecessary.
2141:
2142: In Theorem~\ref{thm:wot-imposs-reduction} we restate the impossibility result from \cite{DaKiSa99}
2143: that there does not exist a
2144: protocol which implements OT from WOT if $p + q + 2 \eps \geq 1$.
2145: Then, we give several protocols that implement ROT from WOT.
2146: In Theorem~\ref{thm:otAmp-e0}, we show that the bound of $p+q < 1$ and $\eps=0$ presented in \cite{DaKiSa99} can also be achieved using our definition, both in the semi-honest and the malicious model.
Furthermore, we give a more detailed analysis of the protocols' efficiency.
For the case where $\eps > 0$, our new definition makes it necessary to use a different protocol to reduce the error $\eps$, which implies that we are not able to achieve the same bound as \cite{DaKiSa99}. In Theorem~\ref{thm:wotbound-p0} and Corollary~\ref{cor:wotbound-q0},
2149: we show that for the special case where either $p=0$ or $q=0$ holds,
2150: ROT can securely be implemented from
2151: WOT in the semi-honest model if
2152: \[\left(p=0 \ \wedge \ \sqrt{q} + 2 \eps <1 \right)
2153: \qquad \vee \qquad
2154: \left(q=0 \ \wedge \ \sqrt{p} + 2 \eps <1 \right)\;.\]
2155: We achieve these bounds very easily by using an interesting connection to
2156: key agreement protocols \cite{HolRen05,Holens06} and the statistical distance polarization problem
2157: \cite{SahVad99,Vadhan99}.
2158: For the general case where $p$, $q$, and $\eps$ may be larger than $0$, we show in Theorem~\ref{thm:generalBound} that if
2159: \[p+q+2\eps \leq 0.24\]
2160: or
2161: \[(p + 22q + 44\eps < 1) \quad \vee \quad (22p + q + 44\eps < 1) \quad \vee \quad (7 \sqrt{p+q} + 2\eps < 1)\;,\]
2162: ROT can efficiently be implemented from
2163: WOT secure in the semi-honest model. These bounds do not achieve the bound of
2164: $p + q + 2\eps < 0.45$ from \cite{DaKiSa99} for all values $p$, $q$, and $\eps$, but they are
2165: better for the cases where two parameters are small and one is large.
2166: Finally, we show in Corollary~\ref{cor:generalBound5} that we can also implement ROT from WOT in the semi-honest model if
2167: \[(1 - p - q)^4 < - 178 \cdot \log(1 - 2\eps)\;,\]
2168: which means that if $\eps$ is small enough, then we can achieve OT for all values $p+q <1$.
2169:
2170: \section{Definition of WOT} \label{sec:wot-def}
2171:
2172:
2173: In this section we give formal definitions of WOT.
2174: Because our protocols will reduce the information of the adversary
2175: by using the XOR of several values, the maximum bit-prediction advantage ($\predadv$) turns out to be
2176: a good measure for the adversary's side information. Furthermore, it has the advantage that we can easily find a computational version of this measure, which will be very useful in Chapter~\ref{chap:compWOT}.
2177: Our definition of WOT is inspired by the definition of \emph{weak bit agreement} in \cite{Holens05,Holens06}.
2178:
2179: \subsection{In the Semi-Honest Model}
2180:
2181: We start with the definition of WOT in the semi-honest model.
2182: Since the adversary is not able to choose which information he would like to obtain in the semi-honest model, he may only obtain whatever
2183: information the functionality provides him with. But we do not want to fix this information,
2184: as we want to cover a wide range of possibilities --- we might not even
2185: know what information the functionality will provide to the adversary. Therefore, we cannot define
2186: an ideal functionality. Instead, we will define a set of ideal functionalities,
2187: and assume that one instance of this set is provided to us, but we may not know which instance.
2188: We will define this set of ideal functionalities by a list of properties that the ideal functionality
2189: must satisfy.
2190:
2191: \begin{definition}[Weak oblivious transfer, semi-honest model] \label{def:wot-semi}
2192: Let \[\bF = (\bF_{\emptyset},\bF_{\{\widehat \PlayerA\}},\bF_{\{\widehat \PlayerB\}})\] be a collection of systems in the semi-honest model. Let $\bF$ output
2193: $(X_0,X_1)$ to $\PlayerA$ and $(C,Y)$ to $\PlayerB$. Let $U$ be the auxiliary output to $\PlayerA$ by $\bF_{\{\PlayerA\}}$ and $V$ be the auxiliary output to $\PlayerB$ by $\bF_{\{\PlayerB\}}$.
2194: Let $E := X_C \oplus Y$. $\bF$ implements $\WOT{p}{q}{\eps}$ in the semi-honest model, if
2195: \begin{itemize}
2196: \item(Correctness) $\Pr[E=1] \leq \eps$.
2197: \item(Security for $\PlayerA$) $\predadv(X_{1-C} \mid V,E) \leq q$.
2198: \item(Security for $\PlayerB$) $\predadv(C \mid U,E) \leq p$.
2199: \end{itemize}
2200: \end{definition}
2201:
2202: We also use $\WOTtwo{p}{q}$ for $\WOT{p}{q}{0}$.
2203:
2204: It is not immediately clear why we require that $X_{1-C}$ and $C$ are difficult to guess even
when additionally the value $E$ is given. We do this to allow the adversary to
2206: learn the error during the protocol without getting additional information about
2207: $X_{1-C}$ or $C$. For example, in the protocol $\EReduce$, $\PlayerB$ may get to know $X_C$ during
2208: the protocol, which means that he gets to know $E = Y \oplus X_C$. Therefore, we must make sure that
2209: his side information about $X_{1-C}$ is not increased if he gets to know $E$.
2210: Note, however, that for the protocols we present here, it would be sufficient to only require $\predadv(C \mid U) \leq p$ for the security for $\PlayerB$, because $E$ is never leaked to $\PlayerA$. We do not use this definition in order to
keep WOT symmetric, and to get a stronger Theorem~\ref{thm:compOT} that is simpler to prove. (Otherwise,
2212: Theorem~\ref{thm:compOT} would not work for all protocols, but just for the protocols we present here.)
2213:
2214: We will now show that the conditions of $\WOTT$ suffice to implement $\ROTT$ in the semi-honest model.
2215: We need the following lemma.
2216:
2217: \begin{lemma} \label{lem:almostUniform}
2218: Let $P_U$ be the uniform distribution over $\{0,1\}$ and let $P_{CX_0X_1}$ be a distri\-bution over $\{0,1\}^3$ for which
2219: $P_{CX_1X_0} \equiv_\eps P_U P_{X_1X_0}$ and $P_{X_{1-C}X_CC} \equiv_\eps P_U P_{X_CC}$ holds.
2220: Then $\Delta(P_{CX_0X_1}, P_U P_U P_U) \leq 4 \eps$.
2221: \end{lemma}
2222:
2223: \begin{proof} Let
2224: $a := P_{CX_1X_0}(0,0,0)$, $b:=P_{CX_1X_0}(0,0,1)$, $c:=P_{CX_1X_0}(0,1,0)$, $d:=P_{CX_1X_0}(0,1,1)$,
2225: \dots, and let $h := P_{CX_1X_0}(1,1,1)$.
2226: From $P_{CX_1X_0} \equiv_\eps P_UP_{X_1X_0}$ and Lemma~\ref{lem:redBound4}, we get
2227: \[|a-e| + |b-f| + |c-g| + |d-h| \leq 2\eps\;,\]
2228: and from
2229: $P_{X_{1-C}X_CC} \equiv_\eps P_U P_{X_CC}$ and Lemma~\ref{lem:redBound4}
2230: \[|a-c| + |b-d| + |e-f| + |g-h| \leq 2\eps\;.\]
2231: Adding up the two inequalities, we get
2232: \begin{align}
2233: & |e-a| + |a-c| + |c-g| + |g-h| \notag \\
2234: & \qquad \qquad + |h-d| + |d-b| + |b-f| + |f-e| \leq 4\eps\;. \label{eq:all}
2235: \end{align}
2236: It is easy to see that the difference between the minimal and the maximal values in the set $\{a,\dots,h\}$
2237: is at most $2\eps$, and that the statistical distance is
2238: maximized
2239: for (\ref{eq:all}) by distributions where $n \in \{1,\dots,7\}$ values have equal probability $1/8 + 2 \eps - \eps n / 4$, and
2240: $8-n$ values have equal probability $1/8 - \eps n / 4$.
2241: The statistical distance is $\eps n (2 - n/4)$, which is maximized for $n=4$\footnote{Note that such a distribution does not satisfy our original,
stricter requirements. Values that do satisfy them are $a=e=f=1/8+5/4\cdot\eps$ and $b=d=h=g=c=1/8-3/4\cdot\eps$, which gives a statistical distance of $3.75\eps$.}, where it is $4 \eps$.
2243: \end{proof}
2244:
2245: \begin{lemma} \label{lem:WOT2ROT}
2246: If a protocol $\bF$ implements $\WOT{\eps}{\eps}{\eps}$, then it implements $\semiROT{1}{2}{1}$ secure
2247: in the semi-honest model, with an error of at most $9 \eps$.
2248: \end{lemma}
2249:
2250: \begin{proof}
2251: Let $(X_0,X_1,C,Y)$ be the output of $\bF_{\emptyset}$, let $U$ be the auxiliary output of $\bF_{\{\PlayerA\}}$
to $\PlayerA$ and $V$ the auxiliary output of $\bF_{\{\PlayerB\}}$ to $\PlayerB$. From Lemma~\ref{lem:PredAdvStadDist}
it follows that $C$ is $\eps/2$-close to uniform with respect to $(E,X_0,X_1,U)$, and that $X_{1-C}$ is $\eps/2$-close to
2254: uniform with respect to $(E,C,Y,V)$.
2255: Let $P_{\ol{X_0X_1CY}}$ be the output distribution of $\semiROTT_{\emptyset}$.
2256:
2257: Lemma~\ref{lem:almostUniform} implies that $P_{X_0X_1C} \equiv_{2\eps} P_{\ol{X_0X_1C}}$. Since
2258: $\Pr[Y \neq X_C] \leq \eps$, we have
2259: \[P_{X_0X_1CY} \equiv_{\eps} P_{X_0X_1C}P_{\ol Y\mid \ol{X_0X_1C}} \equiv_{2\eps} P_{\ol{X_0X_1CY}}\;.\]
2260: We can now apply Theorem~\ref{thm:passiveSecCondforSROT2}.
2261: \end{proof}
2262:
2263: \subsection{In the Malicious Model}
2264:
2265: We will now also give a formal definition of WOT in the malicious model. The definition differs from the semi-honest case in two important points. Firstly, since we do not have any protocol that can do error reduction in the malicious model, we will only define the case without any error, i.e., $\eps = 0$. Secondly, for the security of $\PlayerA$, we require that the XOR of the two input bits is difficult to guess, because this is a much easier requirement than the standard approach used in Theorem~\ref{thm:SecCondforROT}. Lemma~\ref{lem:OT-XOR-prop} shows that the two conditions are equivalent.
2266: Notice that the security of the XOR does not suffice in the semi-honest model, and, therefore, this trick cannot be applied there. On the other hand,
2267: since in the malicious model a corrupted $\PlayerB$ may choose $C$ freely, we cannot use Lemma~\ref{lem:almostUniform}, and, therefore, the condition $\Pr[Y \neq X_C] = 0$ would not suffice in the
2268: malicious model.
2269:
2270: \begin{definition}[Weak oblivious transfer, malicious model] \label{def:wot-mal}
2271: Let \[\bF = (\bF_{\emptyset},\bF_{\{\PlayerA\}},\bF_{\{\PlayerB\}})\] be a collection of systems in the malicious model.
2272: The system $\bF$ implements $\WOTtwo{p}{q}$ (or, if $p$ and $q$ are clear from the context, $\WOTT$) in the malicious model, if
2273: \begin{itemize}
\item(Correctness) $\bF_{\emptyset} \equiv \ROTT$.
\item(Security for \PlayerA) The system $\bF_{\{\PlayerB\}}$ interacts over the interfaces
2276: belonging to $\PlayerB$ (which produces a transcript $V$), and after the last
2277: input is received over these interfaces, it outputs $(X_0,X_1) \in \{0,1\}^{2}$ to $\PlayerA$ where
2278: $\predadv(X_0 \oplus X_1 \mid V) \leq q$.
2279: \item(Security for \PlayerB) The system $\bF_{\{\PlayerA\}}$ interacts over the interfaces belonging to $\PlayerA$ (which produces a transcript $U$), and after the last
2280: input is received over these interfaces, it outputs $(C,Y) \in \{0,1\}^2$ to $\PlayerB$ where
2281: $\predadv(C \mid U) \leq p$.
2282: \end{itemize}
2283: \end{definition}
2284:
2285: Notice that since we are now in the malicious model, the adversary is able to choose what information he would like to receive, and we could define an ideal functionality in a similar way as we did in Definition~\ref{def:uot} for UOT. We did not do this in order to be closer to Definition~\ref{def:wot-semi} and
2286: Theorem~\ref{thm:SecCondforROT}.
2287:
2288: Again, we will first show that $\WOTT$ suffices to implement $\ROTT$ in the malicious model.
2289: We will need the following lemma, which has already been proved in \cite{DFSS06}.
2290:
2291: \begin{lemma} \label{lem:OT-XOR-prop}
2292: Let $P_{X_0X_1}$ be given. There exists
2293: a random variable $C$ distributed according to a conditional distribution
2294: $P_{C\mid X_0,X_1}$ such that
2295: $X_{1-C}$ is uniform with respect to $(C,X_C)$, if and only if $X_0 \oplus X_1$ is uniformly distributed.
2296: \end{lemma}
2297:
2298: \begin{proof}
2299: Let $P_{X_0X_1C}$ be a distribution such that $X_{1-C}$ is uniform with respect to $(C,X_C)$.
2300: We have
2301: \begin{align*}
2302: \Pr[X_0 \oplus X_1 = 0]
2303: & = P_{X_0X_1C}(0,0,0) + P_{X_0X_1C}(1,1,0) \\
2304: & \qquad + P_{X_0X_1C}(0,0,1) + P_{X_0X_1C}(1,1,1) \\
2305: & = P_{X_0X_1C}(0,1,0) + P_{X_0X_1C}(1,0,0) \\
2306: & \qquad + P_{X_0X_1C}(1,0,1) + P_{X_0X_1C}(0,1,1) \\
2307: & = \Pr[X_0 \oplus X_1 = 1]\;.
2308: \end{align*}
2309: Hence, $X_0 \oplus X_1$ is uniformly distributed.
2310:
2311: The other direction is slightly more complicated.
2312: Let $X_0 \oplus X_1$ be uniformly distributed. We choose
2313: \[ P_{C \mid X_0,X_1}(0 \mid x_0, x_1) := \frac{\min(P_{X_0X_1}(x_0,0),P_{X_0X_1}(x_0,1))}
2314: {P_{X_0X_1}(x_0,x_1)}\;.\]
2315: For $C=0$ and $x_0 \in \{0,1\}$, we have
2316: \begin{align*}
2317: P_{X_0X_1C}(x_0,0,0)
2318: &= P_{X_0X_1}(x_0,0) \cdot P_{C \mid X_0X_1}(0 \mid x_0,0) \\
2319: &= \min(P_{X_0X_1}(x_0,0),P_{X_0X_1}(x_0,1)) \\
2320: &= P_{X_0X_1C}(x_0,1,0)\;.
2321: \end{align*}
2322: Since $X_0 \oplus X_1$ is uniformly distributed, we have
2323: \[ P_{X_0X_1}(0,0) - P_{X_0X_1}(0,1) = P_{X_0X_1}(1,0) - P_{X_0X_1}(1,1)\;,\]
2324: which implies that for $C=1$ and $x_1 \in \{0,1\}$,
2325: \begin{align*}
2326: P_{X_0X_1C}(0,x_1,1)
2327: &= P_{X_0X_1}(0,x_1) \cdot (1 - P_{C \mid X_0X_1}(0 \mid 0,x_1)) \\
2328: & = P_{X_0X_1}(0,x_1) - \min(P_{X_0X_1}(0,0),P_{X_0X_1}(0,1)) \\
& = \max(0,P_{X_0X_1}(0,x_1) - P_{X_0X_1}(0,1 - x_1)) \\
& = \max(0,P_{X_0X_1}(1,x_1) - P_{X_0X_1}(1,1 - x_1)) \\
2331: & = P_{X_0X_1C}(1,x_1,1)\;.
2332: \end{align*}
2333: Hence, for $c \in \{0,1\}$ and $x_c \in \{0,1\}$,
2334: \begin{align*}
2335: P_{X_{1-C} X_C C}(0,x_c,c) = P_{X_{1-C} X_C C}(1,x_c,c) = \frac 1 2 P_{X_C C}(x_c,c)\;.
2336: \end{align*}
2337: Therefore, $X_{1-C}$ is uniform with respect to $(C,X_C)$.
2338: \end{proof}
2339:
2340:
2341: \begin{lemma}
2342: If a protocol $\bF$ implements $\WOTtwo{\eps}{\eps}$ in the malicious model, then it implements
2343: $\ROT{1}{2}{1}$ secure in the malicious model, with an error of at most $\eps/2$.
2344: \end{lemma}
2345:
2346: \begin{proof}
Let $\mA = \{\PlayerB\}$. From Lemma~\ref{lem:PredAdvStadDist} it follows that there
2348: exists $(X'_0,X'_1)$, such that
2349: \[\Delta((X_0,X_1,V),(X'_0,X'_1,V)) \leq \eps/2\]
2350: and
2351: $X'_0 \oplus X'_1$ is uniform with respect to $V$. We choose $P_{C \mid X'_0,X'_1,V}$ as
2352: proposed in Lemma~\ref{lem:OT-XOR-prop}. $X'_{1-C}$ is uniform with respect to $(C,X'_C,V)$,
2353: and, therefore, $X_{1-C}$ is $\eps/2$-close to uniform with respect to $(C,X_C,V)$.
2354:
Let $\mA = \{\PlayerA\}$. From Lemma~\ref{lem:PredAdvStadDist} it follows that $C$ is $\eps/2$-close to
2356: uniform with respect to $U$.
2357:
2358: The lemma follows now from Theorem~\ref{thm:SecCondforROT}.
2359: \end{proof}
2360:
2361:
2362: \subsection{Relation to Previous Definitions}
2363:
\paragraph{Difference from WOT in \cite{DaKiSa99, DFMS04}.}
2365: Besides the fact that we only consider a randomized version of WOT,
the difference between our definition of $\WOT{p}{q}{\eps}$ and the definitions
used in \cite{DaKiSa99, DFMS04} is that we do
2368: not specify exactly what a malicious player may receive,
2369: but we only require that his output should not give too much information about the
2370: bits $X_{1-{C}}$ and $C$. This means that a malicious player may, for
2371: example, always receive whether an error occurred in the
2372: transmission or not, if that information is independent of the inputs.
2373: The most important difference is, however, that
2374: our definitions do not require
2375: that the error must occur independently of the event
2376: that a player gets side information, which is very important when we want to apply it.
2377:
2378: Lemmas~\ref{lem:Hol22} and~\ref{lem:Hol22-converse} imply that
2379: our definitions still are quite close to the definitions from \cite{DaKiSa99, DFMS04}, because
2380: there exist events with probability $1-p$ and $1-q$, such that, if they occur, then
2381: the adversary does not get any side information.
2382:
2383: \paragraph{Connection to GWOT from \cite{DFMS04}.}
2384: In \cite{DFMS04}, \emph{Generalized WOT} (GWOT) was introduced
2385: to improve the achievable range of the reductions. It was shown
2386: in Lemma~3 in \cite{DFMS04} that in the reductions they used,
2387: WOT can be replaced by a GWOT, if the probability
to guess the bits $X_{1-{C}}$ and $C$, respectively, remains the same for the adversary.
2389: Since we defined WOT over the advantage to guess these values, Lemma~3 in \cite{DFMS04}
2390: is not needed anymore, and therefore, at least for the moment, the use of GWOT does
2391: not give any advantage over WOT.
2392:
2393: \section{Impossibility Results} \label{sec:wot-imposs}
2394:
2395: In this section we prove the impossibility result stated in \cite{DaKiSa99}, that WOT cannot be amplified if $p + q + 2 \eps \geq 1$.
2396: Note that the proof does not work for the definition of WOT used in \cite{DaKiSa99,DFMS04}.
2397: We start with the protocol $\SimWOT_{(p,q)}(\Auth)$ that implements $\WOT{p}{q}{\eps}$ for $p + q + 2\eps = 1$ in the semi-honest model.
2398:
2399: \begin{protocol}
2400: $\SimWOT_\PlayerA$:
2401: \begin{enumerate}
2402: \item Choose $(x'_0,x'_1) \in \{0,1\}^2$ uniformly at random.
2403: \item With probability $q$, send $a=(x'_0,x'_1)$ to $\Auth$. Otherwise, send $a=\bot$ to $\Auth$.
2404: \item Receive $b$.
2405: \item If $b = \bot$ then output $(x_0,x_1) := (x'_0,x'_1)$. Otherwise,
2406: $b = (c,y) \in \{0,1\}^2$. Output $(x_0,x_1)$, where $x_c := y$ and $x_{1-c} := x'_{1-c}$.
2407: \end{enumerate}
2408:
2409: $\SimWOT_\PlayerB$:
2410: \begin{enumerate}
2411: \item Choose $(c',y') \in \{0,1\}^2$ uniformly at random.
2412: \item Receive $a$.
2413: \item If $a = \bot$ then output
$(c,y) := (c',y')$ and send with probability $p / (1-q)$ the value $(c',y')$ to $\Auth$, and $\bot$ otherwise. Otherwise, $a = (x'_0,x'_1) \in \{0,1\}^2$. Send $\bot$ to $\Auth$ and output $(c,y) := (c', x'_{c'})$.
2415: \end{enumerate}
2416: \end{protocol}
2417:
2418: \begin{lemma} \label{lem:simWOT}
2419: Protocol $\SimWOT_{(p,q)}(\Auth)$ securely implements $\WOT{p}{q}{(1-p-q)/2}$ in the semi-honest model.
2420: \end{lemma}
2421:
2422: \begin{proof}
2423: Let $E := Y \oplus X_C$.
2424: With probability $q$, $\PlayerB$ will adjust his output such that $Y=X_C$,
2425: and with probability $(1-q) \cdot p / (1-q) = p$, $\PlayerA$ will adjust her output such
2426: that $X_C = Y$. With probability $1-p-q$, the values $(X_0,X_1)$ and $(C,Y)$ will be
2427: chosen uniformly at random. Therefore, we have
2428: \[\Pr[Y \neq X_C] = (1-p-q)/2\;.\]
When $\SimWOT_\PlayerA$ sends $\bot$ to $\Auth$, then the value $X_{1-C}$ is uniform with respect to $(V,E)$.
From Lemma~\ref{lem:Hol22-converse} it follows that
2431: \[\predadv(X_{1-C} \mid V,E) \leq q\;.\]
When $\SimWOT_\PlayerB$ sends $\bot$ to $\Auth$, then the value $C$ is uniform with respect to $(U,E)$.
From Lemma~\ref{lem:Hol22-converse} it follows that \[\predadv(C \mid U,E) \leq p\;.\]
2434: \end{proof}
2435:
2436: We need the following well-known fact.
2437:
2438: \begin{lemma} \label{lem:otImposs}
2439: There cannot exist a protocol
2440: $\bP(\Auth)$ that securely implements $\OT{1}{2}{1}$ in the weak semi-honest model.
2441: \end{lemma}
2442:
2443: \begin{theorem} \label{thm:wot-imposs-reduction}
For any $p$, $q$, and $\eps$ with $p + q + 2 \eps \geq 1$ and for any $n$, there cannot exist a protocol
2445: $\bP(\WOT{p}{q}{\eps}^{\|n}\|\Auth)$ that securely implements $\OT{1}{2}{1}$ in the semi-honest or the malicious model.
2446: \end{theorem}
2447:
2448: \begin{proof}
From Lemma~\ref{lem:malIsWeakSemiHonest} it follows that $\bP$ is secure in the weak semi-honest model.
2450: Therefore, it would follow from Lemma~\ref{lem:simWOT} and Theorem~\ref{thm:compWeakSemiHonest} that the protocol
2451: \[\bP(\SimWOT_{(p,q)}(\Auth)^{\|n}\|\Auth)\]
2452: would implement $\OT{1}{2}{1}$ from scratch in the weak semi-honest model,
2453: which contradicts Lemma~\ref{lem:otImposs}.
2454: \end{proof}
2455:
2456: \section{Basic Protocols for WOT Amplification} \label{sec:wot-basic}
2457:
2458: We now present the three basic protocols that we use to implement $\ROTT$ from $\WOTT$.
2459: The protocol $\RReduce$ allows for reducing the parameter $p$, and
2460: the protocol $\SReduce$ is used to reduce the parameter $q$.
2461: Both reductions were already used in
2462: \cite{CreKil88,DaKiSa99,DFMS04,Haitne04}, as well as in \cite{HKNRR05,MePrWu07} for building OT combiners.
2463: The protocol $\EReduce$ is used to reduce the parameter $\eps$. Whereas the other two protocols are secure
in both models, $\EReduce$ is only secure in the semi-honest model. The same protocol
2465: was also used in \cite{Haitne04} and is the one-way variant of the protocol $\EReduce$ presented in
2466: \cite{DaKiSa99}.
2467: Notice that since we defined $\WOTT$ to be a \emph{randomized} primitive, we are not
2468: able to choose the input, which makes the protocols slightly more complicated.
2469:
2470: We first present all protocols in the semi-honest model, and later give the proofs for the malicious model.
2471:
2472: \subsection{In the Semi-Honest Model}
2473:
2474: The protocol $\RReduce(\WOTT^{\|n} \| \Auth)$ is defined as follows.
2475:
2476: \begin{protocol}
2477: $\RReduce_\PlayerA$:
2478: \begin{enumerate}
2479: \item Receive $(x_{0,i},x_{1,i})$ from the $i$th $\WOTT$, for all $i \in \{0,\dots,n-1\}$.
2480: \item Receive $d^{n-1} = (d_0,\dots,d_{n-2})$ from $\Auth$. Set $d_{n-1} := 0$.
2481: \item Output $(x_0,x_1):=(\bigoplus_{i=0}^{n-1} x_{d_i,i},\bigoplus_{i=0}^{n-1} x_{d_i \oplus 1,i})$.
2482: \end{enumerate}
2483:
2484: $\RReduce_\PlayerB$:
2485: \begin{enumerate}
2486: \item Receive $(c_i,y_i)$ from the $i$th $\WOTT$, for all $i \in \{0,\dots,n-1\}$.
2487: \item Send $d^{n-1} = (d_0,\dots,d_{n-2})$ to $\Auth$, where $d_i := c_{n-1} \oplus c_i$.
2488: \item Output $(c,y) := (c_{n-1},\bigoplus_{i=0}^{n-1} y_i)$.
2489: \end{enumerate}
2490: \end{protocol}
2491:
2492: \begin{center} \PDForPSinput{RReduce} \end{center}
2493:
2494: \begin{lemma} \label{lem:RReduce}
2495: The protocol $\RReduce(\WOT{p}{q}{\eps}^{\|n} \| \Auth)$ securely imple\-ments
2496: $\WOT{p'}{q'}{\eps'}$ in the semi-honest model, where
2497: $p' = 1 - (1-p)^n \leq np$, $q' = q^n \leq e^{-n(1-q)}$, and
2498: $\eps' = (1 - (1 - 2\eps)^n)/2 \leq n\eps$.
2499: \end{lemma}
2500:
2501: \begin{proof} Let $E_i := Y_i \oplus X_{C_i,i}$, and $E := Y \oplus X_C$.
2502: We have
2503: \[E = Y \oplus X_C
2504: = \bigoplus_{i=0}^{n-1} Y_i \oplus \bigoplus_{i=0}^{n-1} X_{C \oplus D_i,i}
2505: = \bigoplus_{i=0}^{n-1} (Y_i \oplus X_{C_i,i}) = \bigoplus_{i=0}^{n-1} E_i\;.\]
2506:
2507: Let $\mA = \emptyset$. Since $\Pr[E_i=1] \leq \eps$, it follows from Lemma~\ref{lem:corrn} that
2508: \[\Pr[E=1] \leq \frac{1 - (1 - 2\eps)^n} {2} \leq n\eps\;.\]
2509:
2510: Let $\mA=\{\PlayerB\}$, and let $V_i$ be the auxiliary output to $\PlayerB$ from the
2511: $i$th instance of $\WOTT_{\{\PlayerB\}}$. The auxiliary output of the protocol to $\PlayerB$ is
2512: $V := V^n$. Since
2513: \[X_{1-C} := \bigoplus_{i=0}^{n-1} X_{1 - D_i \oplus C,i} = \bigoplus_{i=0}^{n-1} X_{1 - C_i,i}\;,\]
2514: and because $E$ is a function of $E^n$, it follows from Lemmas~\ref{lem:predAdv-dataprocessing}, \ref{lem:predXOR} and \ref{lem:redBound2} that
2515: \begin{align*}
2516: \predadv(X_{1-C} \mid V,E)
2517: &\leq \predadv(X_{1-C} \mid V^n,E^n) \\
2518: &= \prod_{i=0}^{n-1} \predadv(X_{1-C_i,i} \mid V_i,E_i) \\
2519: &\leq q^n \leq e^{-n(1-q)}\;.
2520: \end{align*}
2521:
2522: Let $\mA=\{\PlayerA\}$, and let $U_i$ be the auxiliary output to $\PlayerA$ from the
2523: $i$th instance of $\WOTT_{\{\PlayerA\}}$. The auxiliary output of the protocol to $\PlayerA$ is
2524: $U := (U^n,D^{n-1})$. Because $E$ is a function of $E^n$,
2525: Lemmas~\ref{lem:predAdv-dataprocessing}, \ref{lem:predComm} and \ref{lem:redBound1} imply that
2526: \begin{align*}
2527: \predadv(C \mid U,E) &\leq \predadv(C \mid U^n,E^n,D^{n-1}) \\
2528: &\leq 1 - \prod_{i=0}^{n-1}(1 - \predadv(C_i \mid U_i,E_i)) \\
2529: &\leq 1 - (1-p)^n \leq np\;.
2530: \end{align*}
2531: \end{proof}
2532:
We will also need a protocol $\SReduce$ that reduces the parameter $p$. To achieve this, we can simply use the protocol $\RReduce$ in the opposite direction, together with the protocol $\ROTOR$. We need the fact that Protocol $\ROTOR(\WOTT)$ implements $\WOTT$ in the inverse direction.
2534:
2535: \begin{lemma} \label{lem:rotorWOT}
2536: Protocol $\ROTOR(\WOT{p}{q}{\eps})$ implements $\WOT{q}{p}{\eps}$
2537: in the opposite direction, secure in the semi-honest model.
2538: \end{lemma}
2539:
2540: \begin{proof}
2541: Let $(X'_0, X'_1, C', Y')$ be the output of $\ROTT_{\emptyset}$, and
2542: let $(X_0, X_1, C, Y)$ be the output of $\ROTOR$. Let $U'$ be the auxiliary
2543: output to $\PlayerA$ by $\ROTT_{\{\PlayerA\}}$, and let $V'$ be the auxiliary
output to $\PlayerB$ by $\ROTT_{\{\PlayerB\}}$. The auxiliary output
to $\PlayerA$ by $\ROTOR$ is $V = U'$, and the auxiliary
2546: output to $\PlayerB$ by $\ROTOR$ is $U = V'$.
2547:
2548: Let $E := Y \oplus X_C$. It is easy to verify that $E' = Y' \oplus X'_{C'} = E$, and therefore
2549: that the correctness condition is satisfied.
From Lemma~\ref{lem:predXOR2} it follows that
2551: \begin{align*}
2552: \predadv(X_{1-C} \mid V,E)
2553: & = \predadv(X_{1-C} \oplus (E \oplus Y) \mid V,E) \\
2554: & = \predadv(X_{1-C} \oplus X_C \mid V,E') \\
2555: & = \predadv(C' \mid U',E') \leq p
2556: \end{align*}
2557: and
2558: \begin{align*}
2559: \predadv(C \mid U,E)
2560: & = \predadv(X'_0 \oplus X'_1 \mid V',E') \\
2561: & = \predadv(X'_{1-C'} \oplus X'_{C'} \mid V',E') \\
2562: & = \predadv(X'_{1-C'} \mid V',E') \leq q\;.
2563: \end{align*}
2564: \end{proof}
2565:
2566: We can, therefore, implement $\SReduce$ in the following way: We apply $\ROTOR$
2567: to all $n$ instances of $\WOTT$, then use $\RReduce$ in the opposite direction, and finally apply $\ROTOR$ to the resulting $\WOTT$. We get
2568:
2569: \begin{lemma} \label{lem:SReduce}
2570: The protocol $\SReduce(\WOT{p}{q}{\eps}^{\|n} \| \Auth)$ securely imple\-ments $\WOT{p'}{q'}{\eps'}$ in the semi-honest model,
2571: where
2572: $q' = 1 - (1-q)^n \leq n q$,
2573: $p' = p^n \leq e^{-n(1-p)}$, and
2574: $\eps' = (1 - (1 - 2\eps)^n)/2 \leq n\eps$.
2575: \end{lemma}
2576:
2577: Protocol $\EReduce(\WOTT^{\|n} \| \Auth)$ reduces the error $\eps$, and is defined as follows.
2578:
2579: \begin{protocol}
2580: $\EReduce_\PlayerA$:
2581: \begin{enumerate}
2582: \item Receive $(x_{0,i},x_{1,i})$ from the $i$th $\WOTT$, for all $i \in \{0,\dots,n-1\}$.
2583: \item Receive $d^{n-1} = (d_0,\dots,d_{n-2})$ from $\Auth$.
2584: \item Send $(s_0^{n-1},s_1^{n-1}) = ((s_{0,0},\dots,s_{0,n-2}),(s_{1,0},\dots,s_{1,n-2}))$
2585: to $\Auth$, where
2586: $s_{j,i} := x_{d_i \oplus j,i} \oplus x_{j,n-1}$.
2587: \item Output $x_0 := x_{0,n-1}$ and $x_1 := x_{1,n-1}$.
2588: \end{enumerate}
2589:
2590: $\EReduce_\PlayerB$:
2591: \begin{enumerate}
2592: \item Receive $(c_i,y_i)$ from the $i$th $\WOTT$, for all $i \in \{0,\dots,n-1\}$.
2593: \item Send $d^{n-1} = (d_0,\dots,d_{n-2})$ to $\Auth$, where $d_i := c_{n-1} \oplus c_i$.
2594: \item Receive $(s_0^{n-1},s_1^{n-1})$
2595: from $\Auth$.
2596: \item Output $(c,y) := (c_{n-1}, \maj(\{\ol y_i\}))$ where $\ol y_i := y_i \oplus s_{c_{n-1},i}$ for
2597: $i \in \{0,\dots,n-2\}$ and $\ol y_{n-1} := y_{n-1}$.
2598: \end{enumerate}
2599: \end{protocol}
2600:
2601: \begin{center} \PDForPSinput{EReduce} \end{center}
2602:
2603: \begin{lemma} \label{lem:ered}
2604: Protocol $\EReduce(\WOT{p}{q}{\eps}^{\|n} \| \Auth)$ securely implements $\WOT{p'}{q'}{\eps'}$ in the semi-honest model, where
2605: $p' = 1 - (1-p)^n \leq np$,
2606: $q' = 1 - (1-q)^n \leq nq$ and
2607: \[ \eps' = \sum_{i=\lceil n/2 \rceil}^{n} \binom{n}{i} \eps^{i} (1 - \eps)^{n-i} \leq e^{-2 n (1/2 - \eps)^2}\;.\]
2608: \end{lemma}
2609:
2610: \begin{proof} Let $E_i := Y_i \oplus X_{C_i,i}$, and $E := Y \oplus X_C$.
2611:
2612: Let $\mA = \emptyset$. We have $\Pr[E_{i}=1] \leq \eps$.
2613: Since for $i \in \{0,\dots,n-2\}$
2614: \begin{align*}
2615: \ol Y_i
2616: &= Y_i \oplus S_{C_{n-1},i}
2617: = Y_i \oplus X_{D_i \oplus C_{n-1},i} \oplus X_{C_{n-1},n-1} \\
2618: &= Y_i \oplus X_{C_i,i} \oplus X_{C}
2619: = E_i \oplus X_{C}\;,
2620: \end{align*}
2621: it follows from Lemma~\ref{lem:errRed} that the protocol satisfies correctness with an error of at most
2622: \[ \eps' = \sum_{i=\lceil n/2 \rceil}^{n} \binom{n}{i} \eps^{i} (1 - \eps)^{n-i} \leq e^{-2 n (1/2 - \eps)^2}\;.\]
2623:
2624: Let $\mA=\{\PlayerB\}$. Let $V_i$ be the auxiliary output to $\PlayerB$ from the
2625: $i$th instance of $\WOTT_{\{\PlayerB\}}$.
2626: The auxiliary output
2627: to $\PlayerB$ is $V = (D^{n-1},S^{n-1}_0,S^{n-1}_{1},V^n)$.
2628: Note that
2629: $D^{n-1}$ is a function of $V^n$.
2630: Furthermore, $S^{n-1}_{C}$ is a function of $(V^n,E^n)$, because
2631: \begin{align*}
2632: S_{C,i}
2633: & = X_{D_i \oplus C_{n-1},i} \oplus X_{C_{n-1},n-1}
2634: = X_{C_{i},i} \oplus X_{C_{n-1},n-1} \\
2635: & = Y_i \oplus E_i \oplus Y_{n-1} \oplus E_{n-1}\;,
2636: \end{align*}
2637: for all $i$. Since
2638: \[X_{1-C} = X_{1-C,n-1} = S_{1-C,i} \oplus X_{1-D_i \oplus C,i} = S_{1-C,i} \oplus X_{1-C_i,i}\;, \]
2639: Lemmas~\ref{lem:predAdv-dataprocessing}, \ref{lem:predComm} and \ref{lem:redBound1} imply
2640: \begin{align*}
2641: \predadv(X_{1-C} \mid V,E)
2642: &\leq \predadv(X_{1-C} \mid V^n,E^n,S^{n-1}_{1 - C}) \\
2643: &\leq 1 - \prod_{i=0}^{n-1}(1 - \predadv(X_{1-C_i,i} \mid V_i,E_i)) \\
2644: &\leq 1 - (1-q)^n \leq nq\;.
2645: \end{align*}
2646:
2647: Let $\mA=\{\PlayerA\}$, and let $U_i$ be the auxiliary output to $\PlayerA$ from the
2648: $i$th instance of $\WOTT_{\{\PlayerA\}}$. The auxiliary output of the protocol to $\PlayerA$ is
2649: $U := (U^n,D^{n-1})$. Because $E$ is a function of $E^n$,
2650: it follows from Lemmas~\ref{lem:predAdv-dataprocessing}, \ref{lem:predComm} and \ref{lem:redBound1} that
2651: \begin{align*}
2652: \predadv(C \mid U,E) &\leq \predadv(C \mid U^n,E^n,D^{n-1}) \\
2653: &\leq 1 - \prod_{i=0}^{n-1}(1 - \predadv(C_i \mid U_i,E_i)) \\
2654: &\leq 1 - (1-p)^n \leq np\;.
2655: \end{align*}
2656: \end{proof}
2657:
2658: \subsection{In the Malicious Model}
2659:
2660: We will now show that the protocols $\RReduce$ and $\SReduce$ are also secure in the
2661: malicious model, for the same parameters as in the semi-honest model.
2662:
2663: \begin{lemma} \label{lem:RReduce-mal}
2664: Protocol $\RReduce(\WOTtwo{p}{q}^{\|n} \| \Auth)$ securely implements $\WOTtwo{p'}{q'}$ in the malicious model,
2665: where
2666: $p' = 1 - (1-p)^n \leq np$ and
2667: $q' = q^n \leq e^{-n(1-q)}$.
2668: \end{lemma}
2669:
2670: \begin{proof}
2671: Let $\mA = \emptyset$. It is easy to verify that $X_0$, $X_1$, and $C$ are uniformly distributed.
2672: Further, we have
2673: \begin{align*}
2674: Y = \bigoplus_{i=0}^{n-1} Y_i
2675: = \bigoplus_{i=0}^{n-1} X_{C_i,i}
2676: = \bigoplus_{i=0}^{n-1} X_{D_i \oplus C,i}
2677: = X_C\;.
2678: \end{align*}
2679: Hence, the protocol achieves correctness.
2680:
2681:
2682: Let $\mA=\{\PlayerA\}$, and let $U_i$ be the transcript of the interaction with player $\PlayerA$ by the
2683: $i$th instance of $\WOTT$. The transcript of the interaction with $\PlayerA$ of the protocol is
2684: $U := (U^n,D^{n-1})$.
2685: It follows from Lemmas~\ref{lem:predComm} and \ref{lem:redBound1} that
2686: \begin{align*}
2687: \predadv(C \mid U) &\leq \predadv(C \mid U^n,D^{n-1}) \\
2688: & \leq 1 - \prod_{i=0}^{n-1}(1 - \predadv(C_i \mid U_i)) \\
2689: & \leq 1 - (1-p)^n \leq np\;.
2690: \end{align*}
2691:
2692: Let $\mA=\{\PlayerB\}$, and let $V_i$ be the transcript of the interaction with player $\PlayerB$ by the
2693: $i$th instance of $\WOTT$. The transcript of the interaction with $\PlayerB$ of the protocol is
2694: $V := (V^n,D^{n-1})$.
2695: Note that since $D^{n-1}$ is a probabilistic function of $V$, it can be ignored.
2696: It follows from Lemmas \ref{lem:predXOR} and \ref{lem:redBound2} that
2697: \begin{align*}
2698: \predadv(X_0 \oplus X_1 \mid V)
2699: &\leq \predadv \left (\bigoplus_{i=0}^{n-1} X_{D_i \oplus 0,i} \oplus \bigoplus_{i=0}^{n-1} X_{D_i \oplus 1,i}
2700: \mid V^n \right ) \\
2701: &\leq \predadv \left (\bigoplus_{i=0}^{n-1} (X_{0,i} \oplus X_{1,i} ) \mid V^n \right ) \\
2702: &= \prod_{i=0}^{n-1} \predadv(X_{0,i} \oplus X_{1,i} \mid V_i) \\
2703: &\leq q^n \leq e^{-n(1-q)}\;.
2704: \end{align*}
2705: \end{proof}
2706:
2707: The proof that $\ROTOR(\WOTT)$ implements $\WOTT$ in the opposite direction is very simple.
2708:
2709: \begin{lemma} \label{lem:rotorWOT-mal}
2710: $\ROTOR(\WOT{p}{q}{\eps})$ implements $\WOT{q}{p}{\eps}$
2711: in the opposite direction, secure in the malicious model.
2712: \end{lemma}
2713:
2714: \begin{proof}
2715: It is easy to verify that the correctness condition is satisfied.
2716: Furthermore, we have
2717: \begin{align*}
2718: \predadv(X_0 \oplus X_1 \mid U)
2719: & = \predadv(C' \mid U) \leq p \\
2720: \predadv(C \mid V)
2721: & = \predadv(X'_0 \oplus X'_1 \mid V)
2722: \leq q\;.
2723: \end{align*}
2724: \end{proof}
2725:
2726: In the same way as in the passive case, we can implement $\SReduce$ by first applying $\ROTOR$ to all $n$ instances of $\WOTT$, then using $\RReduce$ in the opposite direction, and finally applying $\ROTOR$. We get
2727:
2728: \begin{lemma} \label{lem:SReduce-mal}
2729: Protocol $\SReduce(\WOTtwo{p}{q}^{\|n} \| \Auth)$ securely implements $\WOTtwo{p'}{q'}$ in the semi-honest model,
2730: where
2731: $q' = 1 - (1-q)^n \leq nq$ and
2732: $p' = p^n \leq e^{-n(1-p)}$.
2733: \end{lemma}
2734:
2735: \section{WOT Amplification if $\eps=0$} \label{sec:wot-amp-e0}
2736:
2737: We will now present several protocols that implement ROT from WOT.
2738: We start with the special case where $p,q >0$, but $\eps = 0$.
2739: In \cite{DaKiSa99}, a protocol for this case is presented that works for all values $p$ and $q$
2740: if $p + q < 1$, which is optimal.
2741: We present a slightly simplified protocol and give a more detailed analysis of its efficiency.
2742:
2743: The main part of the reduction is the following lemma, which shows that we can implement a $\WOTtwo{p'}{q'}$ out
2744: of 4 instances of $\WOTtwo{p}{q}$, where the value $1 - (1 - p - q)^2$ is squared.
2745:
2746: \begin{lemma} \label{lem:132}
2747: Let $f(p,q) := 1 - (1 - p - q)^2$, and let $p + q < 1$.
2748: We can securely implement
2749: $\WOTtwo{p'}{q'}$ out of 4 instances of $\WOTtwo{p}{q}$
2750: with
2751: \[ f(p',q') \geq f^2(p,q)\;,\]
2752: secure in the semi-honest and the malicious model.
2753: \end{lemma}
2754:
2755: \begin{proof}
2756: It suffices to show that
2757: \[ 1-p'-q' \geq \sqrt{2 - (1-p-q)^2} \cdot (1-p-q)\;,\]
2758: since then
2759: \begin{align*}
2760: f(p',q')
2761: &= 1 - (1-p' -q')^2 \\
2762: &\leq 1 - (2 - (1 - p - q)^2)(1-p-q)^2 \\
2763: & = f^2(p,q)\;.
2764: \end{align*}
2765:
2766: Twice, we apply either the protocol $\RReduce(\WOTT^{\|2} \| \Auth)$ or protocol
2767: $\SReduce(\WOTT^{\|2} \| \Auth)$, such that each time the larger of the two parameters gets
2768: reduced.
2769:
2770: Since the protocols are symmetric, we can assume that $p > q$. Therefore, the
2771: first protocol that will be applied is $\SReduce$.
2772: We have to distinguish between two cases. If $p^2 \geq 1 - (1-q)^2 = 2q - q^2$, then also
2773: the second protocol is $\SReduce$, and, therefore,
2774: \begin{align*}
2775: p' = p^4, \qquad
2776: q' = 1 - (1-q)^4\;.
2777: \end{align*}
2778: Let
2779: \begin{align*}
2780: f_1(p,q)
2781: &:= \frac{1-p'-q'}{1-p-q} = \frac{(1-q)^4 - p^4}{1-p-q} \\
2782: &= p^3 + p^2(1-q) + (1-q)^2p + (1-q)^3
2783: \end{align*}
2784: and
2785: \[g_1(p,q) := f_1(p,q) - (1 + p - q) = (p^2 - 2q + q^2)(1+p-q)\;.\]
2786: We will now show that $f_1(p,q) \geq \sqrt{2 - (1-p-q)^2} $ if $p^2 \geq 2q - q^2$.
2787: For $0 < p < 1$
2788: and $0 < q < 1$, we have $1 + p - q > 0$.
2789: It follows that $g_1(p,q) \geq 0$
2790: for all $p$ and $q$ that satisfy
2791: $p^2 \geq 2q - q^2$ and, therefore, also
2792: \[f_1(p,q) \geq 1 + p - q\]
2793: for all these values. Hence, it suffices to show that
2794: \[1 + p - q \geq \sqrt{2 - (1-p-q)^2}\] for $p^2 \geq 2q - q^2$.
2795:
2796: Let us fix the value $d := 1 - p - q$. We have $1 + p - q = 2p+d$, and thus $1+p-q$
2797: is minimal for $p^2 = 2q - q^2$.
2798: It is taken on by the values $q_0$ and
2799: $p_0 = \sqrt{2q_0 - q_0^2}$, which can be calculated by solving the equation
2800: $\sqrt{2q_0 - q_0^2} + q_0 = 1 - d$, which is equal to
2801: $2q_0^2 - (4-2d)q_0 + (1-2d + d^2) = 0$. We get
2802: \[ q_0 = \frac{(4-2d) - \sqrt{(4-2d)^2 - 4\cdot 2 \cdot (1-2d + d^2)}}{4}
2803: =\frac{2 - d - \sqrt{2 - d^2}}{2}\;.\]
2804: So, for $p + q = 1 - d$, we have
2805: \[ f_1(p,q) \geq 1 + (1-d-q_0) - q_0 = 2 - d - (2 - d - \sqrt{2 - d^2}) = \sqrt{2 - d^2}\;.\]
2806:
2807: If $p^2 < 2q - q^2$, the second protocol will be $\RReduce$, and, therefore,
2808: \begin{align*}
2809: p' &= 1 - (1-p^2)^2 = 2p^2 - p^4\;, \\
2810: q' &= (1 - (1-q)^2)^2 = 4q^2 - 4q^3 + q^4\;.
2811: \end{align*}
2812: Let
2813: \begin{align*}
2814: f_2(p,q) := & \; \frac{1-p'-q'}{1-p-q}
2815: = \frac{1-2p^2 + p^4- 4q^2 + 4q^3 - q^4}{1-p-q} \\
2816: = & \; q^3-3q^2-q^2p+q+2qp+q p^2+1+p-p^2-p^3\;.
2817: \end{align*}
2818: We will now show that $f_2(p,q) \geq \sqrt{2 - d^2}$ for $p^2 \leq 2q - q^2$.
2819: Let
2820: \[g_2(p,q) := f_2(p,q) - (1 + p - q) = (p^2 - 2q + q^2)(q-p-1)\;, \]
2821: which is equal to $0$ if $p^2 = 2q - q^2$. Therefore, we have
2822: \[ f_2(p,q) = 1 + p - q = f_1(p,q)\]
2823: for all $p$ and $q$ that satisfy $p^2 = 2q - q^2$. Again, let us fix $d := 1 - p - q$ and let
2824: \begin{align*}
2825: h_2(q)
2826: := & \; f_2(1 - d - q,q) \\
2827: = & \; 4q^3 - (12-6d)q^2 + (8 - 12d + 4d^2)q + 4d-4d^2+d^3\;.
2828: \end{align*}
2829: We differentiate $h_2(q)$ twice, and get
2830: \begin{align*}
2831: h'_2(q) & = 12q^2 - (24-12d)q + 8 - 12d + 4d^2\;, \\
2832: h''_2(q) & = 24q - 24-12d\;.
2833: \end{align*}
2834: Since $h''_2(q) \leq 24q - 24 < 0$ for $q < 1$, $h_2(q)$ is concave for $0 \leq q \leq 1$ and
2835: $p^2 \leq 2q - q^2$.
2836: It will therefore take on its minimum at a point on the bound. On one side, we have
2837: $p^2 = 2q - q^2$, and therefore
2838: $q_0$ (see above) is the value on the bound, for which we have $h_2(q_0) = \sqrt{2 - d^2}$.
2839: On the other side, $q_1 = (1-d)/2$ is the value on the bound, for which we have
2840: \[h_2((1-d)/2) = \frac{3 -d^2} {2}\;.\]
2841: For all $d$ we have
2842: \[\frac{3 -d^2} {2} = \sqrt{ \frac { (d^2 - 1)^2}{4} + (2 - d^2)} \geq \sqrt{2 - d^2}\;,\]
2843: so the minimum is always attained at $q_0$. Therefore, both $f_1(p,q)$ and $f_2(p,q)$
2844: take on their minimum at $(1-d-q_0,q_0)$,
2845: and are always larger than $\sqrt{2 - d^2}$. The statement follows.
2846: \end{proof}
2847:
2848: \begin{theorem} \label{thm:otAmp-e0}
2849: Let $p(k)$ and $q(k)$ be functions computable in time $\poly(k)$ such that $p(k) + q(k) < 1$ for all $k$.
2850: $\WOTtwo{2^{-k}}{2^{-k}}$ can efficiently be implemented using
2851: \[\frac{2 \cdot k^{2}}{(1-p(k)-q(k))^{4}}\]
2852: instances of $\WOTtwo{p}{q}$, secure in the semi-honest and the malicious model.
2853: \end{theorem}
2854:
2855: \begin{proof}
2856: We apply $t$ times Lemma~\ref{lem:132}, which gives us a $\WOTtwo{p'}{q'}$ with
2857: $f(p',q') \leq f^{(2^t)}(p,q)$. Using Lemmas~\ref{lem:redBound2} and \ref{lem:redBound3}, we get
2858: \begin{align*}
2859: p' + q' &= 1 - \sqrt{1 - f(p',q')}
2860: \leq 1 - \sqrt{1 - f^{(2^t)}(p,q)} \leq f^{(2^t)}(p,q) \\
2861: & \leq \exp(-2^t(1-f(p,q)))
2862: = \exp(-2^t(1-p-q)^2)\;.
2863: \end{align*}
2864: To satisfy $p' + q' \leq 2^{-k}$, we choose
2865: \[ t := \left \lceil \log \left ( \frac {-\ln(2^{-k})} {(1 - p - q)^2} \right ) \right \rceil
2866: \leq \log \left ( \frac {\ln(2) \cdot k } {(1 - p - q)^2} \right ) + 1\;.\]
2867: Our protocol requires
2868: \[ 4^t
2869: \leq \frac {4 \cdot \ln^2(2) \cdot k^2} {(1 - p - q)^4}
2870: \leq \frac {2 \cdot k^2} {(1 - p - q)^4}\]
2871: instances of $\WOTtwo{p}{q}$.
2872: \end{proof}
2873:
2874: \paragraph{OT-Combiners.}
2875: As shown in \cite{HKNRR05,MePrWu07}, Theorem~\ref{thm:otAmp-e0} can be used to implement an efficient \emph{$(\alpha,\beta;n)$-robust oblivious transfer combiner}.
2876: We have $n$ different implementations of OT, out of which $\alpha$ are secure for the sender, and $\beta$
2877: are secure for the receiver, where $\alpha + \beta > n$. Choosing randomly one of these $n$ different implementations of OT and using random inputs
2878: implements a $\WOTtwo{p}{q}$ for $p = (n-\beta)/n$, and $q = (n-\alpha)/n$. Since $1 - p - q \geq 1/n$,
2879: we can implement a $\WOTtwo{2^{-k}}{2^{-k}}$ using
2880: $2 k^{2}n^{4}$
2881: instances of the weak implementations of OT, and common randomness.
2882:
2883: \section{WOT Amplification if $p=0$ or $q=0$} \label{sec:wot-amp-p0}
2884:
2885: We will now look at the special case where $\eps > 0$, but either $p=0$ or $q=0$. This special
2886: case has not been considered in \cite{DaKiSa99}.
2887: There is a strong connection of this problem to the one-way key-agreement problem studied
2888: in \cite{HolRen05,Holens06}, as well as to the statistical-distance polarization problem
2889: studied in \cite{SahVad99,Vadhan99}.
2890:
2891: We will make the amplification in two steps. First, in Lemma~\ref{lem:holae-sahvad} (which is related to Lemma~4.13 in \cite{Holens06}), we implement a $\WOTT$ with constant errors. In Lemma~\ref{lem:sahvad} (related to Lemma~4.1 in \cite{SahVad99}),
2892: we show how the error can be made arbitrarily small.
2893:
2894: \begin{lemma} \label{lem:holae-sahvad}
2895: Let $q(k)$ and $\eps(k)$ be functions computable in time $\poly(k)$ such that $\sqrt{q(k)} + 2 \eps(k) <1$ for all $k$.
2896: Let
2897: \[ \lambda := \max \left (1,\frac{1}{ \log\left((1 - 2\eps)^2/q\right)} \right )\;.\]
2898: Then $\WOT{0}{1/3}{1/50}$ can efficiently be implemented using at most
2899: \[\frac {128 \lambda}{(1 - 2\eps)^{(12 \lambda)}}\] instances of
2900: $\WOT{0}{q}{\eps}$ secure in the semi-honest model.
2901: \end{lemma}
2902:
2903: \begin{proof}
2904: Let $\alpha = 1 - 2\eps$ and $\beta = \max(q,\alpha^2/2)$. Note that $\lambda = 1/ \log(\alpha^2/\beta)$.
2905: We use
2906: \begin{align*}
2907: \bG & = \RReduce(\bF^{\|s}\|\Auth)\;,\\
2908: \bH & = \EReduce(\bG^{\|r}\|\Auth)
2909: \end{align*}
2910: for $s := \lceil 5 \lambda \rceil$ and $r := \lceil 1/(4 \beta^s) \rceil$.
2911: Notice that $s < 5 \lambda + 1 \leq 6 \lambda$. Further, since
2912: $s > 5/ \log(\alpha^2 / \beta) > 5/\log(1/\beta) = \log_{\beta}(1/32)$,
2913: we get
2914: \[r < \frac{1}{4\beta^s} + 1 = \frac{1 + 4\beta^s}{4\beta^s}
2915: < \frac{1 + 4/32}{4 \beta^s} = \frac{9}{32 \beta^s}
2916: < \frac {1}{3\beta^s}\;.\]
2917: Using Lemmas \ref{lem:RReduce} and \ref{lem:ered}, we get that $\bG$ is a $\WOT{0}{\beta'}{(1-\alpha')/2}$ with
2918: $\beta' = \beta^s$ and $\alpha' = \alpha^s$, and $\bH$ is a $\WOT{0}{q''}{\eps''}$ with
2919: \begin{align*}
2920: \eps''
2921: &\leq \exp \left ( -2 r \left (\frac 1 2 - \frac {1-\alpha'} 2 \right )^2 \right )
2922: \leq \exp \left ( -r \frac{\alpha^{2s}}{2} \right ) \\
2923: & \leq \exp \left ( -\frac {\alpha^{2s}}{8\beta^s} \right )
2924: = \exp \left ( -\frac {1}{8} \left ( \frac {\alpha^{2}}{\beta}\right)^s \right ) \\
2925: &\leq \exp \left ( -\frac {1}{8} 2^{\log(\alpha^2/\beta)\frac{5}{\log(\alpha^{2}/\beta)}} \right )
2926: = \exp \left( -32/8 \right ) < 1/50
2927: \end{align*}
2928: and, using that $r < 1/(3\beta^s)$, we get $q'' \leq r \beta' \leq r \beta^s < 1/3$.
2929:
2930: Finally, the number of instances used is $s \cdot r$, which is at most
2931: \[
2932: 6 \lambda \cdot \frac 1 {3 \beta^{6\lambda}}
2933: = \frac {2 \lambda} {\beta^{6\lambda}} = \frac{128\lambda}{\alpha^{12\lambda}}
2934: \;,\]
2935: since $2^{1/\lambda} = \alpha^2/\beta$ and thus $\beta^{6\lambda} = \alpha^{12\lambda}/64$.
2936: \end{proof}
2937:
2938: \begin{lemma} \label{lem:sahvad}
2939: $\WOT{0}{2^{-k}}{2^{-k}}$ can efficiently be implemented using
2940: \[116 \cdot \log(20 k) \cdot k^{\log 3+1} = O\left( k^{2.6}\right)\] instances of
2941: $\WOT{0}{1/3}{1/11}$ secure in the semi-honest model.
2942: \end{lemma}
2943:
2944: \begin{proof}
2945: Let $\beta = 1/3$, and $\alpha = 1 - 2 \cdot 1/11 = 9/11$.
2946: Let $\ell = \lceil \log(4 k + 4\log k) \rceil$ and $m = 3^{\ell} / 2$.
2947: We use the reductions
2948: \begin{align*}
2949: \bG & = \RReduce(\bF^{\|\ell}\|\Auth)\;, \\
2950: \bH & = \EReduce(\bG^{\|m}\|\Auth)\;, \\
2951: \bI & = \RReduce(\bH^{\|k}\|\Auth)\;.
2952: \end{align*}
2953: Using Lemmas \ref{lem:RReduce} and \ref{lem:ered} and since $\bF$ is a $\WOT{0}{\beta}{(1-\alpha)/2}$,
2954: $\bG$ is a $\WOT{0}{\beta'}{(1-\alpha')/2}$, where
2955: $\beta' = \beta^\ell$ and $\alpha' = \alpha^\ell$. $\bH$ is a $\WOT{0}{\beta''}{\eps''}$ with
2956: \[\beta'' \leq m \beta' = 3^\ell/2 \cdot (1/3)^\ell = 1/2\]
2957: and, since $3 \cdot \alpha^2 > 2$,
2958: \begin{align*}
2959: \eps''
2960: &\leq \exp \left ( -2m \left ( \frac 1 2 - \frac{1-\alpha'} 2 \right ) ^2 \right ) =
2961: \exp \left ( - 3^{\ell} \cdot \frac {(\alpha^\ell)^2}{4} \right )
2962: \\
2963: &= \exp \left ( - \frac {(3 \cdot \alpha^2)^{\ell}} 4 \right )
2964: \leq \exp \left ( - \frac {2^{\ell}} 4 \right )
2965: \leq \exp \left ( - k - \log k \right )
2966: < 2^{ - k - \log k}
2967: \;.
2968: \end{align*}
2969: Finally, $\bI$ is a $\WOT{0}{\beta'''}{\eps'''}$ with
2970: $\eps''' \leq k 2^{-k - \log k} = 2^{-k}$ and $\beta''' \leq 2^{-k}$.
2971:
2972: From Lemma~\ref{lem:redBound2} follows that
2973: \[4 k + 4\log k = 4k + 4 \ln(k)/\ln(2) \leq 4k + (4k - 1)/\ln(2) \leq 10k\;.\]
2974: The number of instances used is, using Lemma~\ref{lem:redBound2},
2975: \begin{align*}
2976: \ell \cdot m \cdot k
2977: &\leq (\log(4 k + 4\log k)+1) \cdot 3^{\log(4 k + 4 \log k)+1} \cdot k \\
2978: &\leq (\log(10 k)+1) \cdot 3 \cdot (10 k)^{\log 3} \cdot k \\
2979: &\leq 116 \cdot \log(20 k) \cdot k^{\log 3+1} = O\left( k^{2.6}\right)\;.
2980: \end{align*}
2981: \end{proof}
2982:
2983: Combining Lemma~\ref{lem:holae-sahvad} and Lemma~\ref{lem:sahvad}, we get the following theorem.
2984:
2985: \begin{theorem} \label{thm:wotbound-p0}
2986: Let $q(k)$ and $\eps(k)$ be functions computable in time $\poly(k)$ such that $\sqrt{q(k)} + 2 \eps(k) <1$ for all $k$. Let
2987: \[ \lambda := \max \left (1,\frac{1}{ \log\left((1 - 2\eps)^2/q\right)} \right )\;.\]
2988: $\WOT{0}{2^{-k}}{2^{-k}}$ can efficiently be implemented using at most
2989: \[O\left( \frac {k^{2.6} \lambda}{(1 - 2\eps)^{(12 \lambda)}}\right)\] instances of
2990: $\WOT{0}{q}{\eps}$ secure in the semi-honest model.
2991: \end{theorem}
2992:
2993: Since $\RReduce$ and $\SReduce$ are symmetrical, we immediately get
2994:
2995: \begin{corollary} \label{cor:wotbound-q0}
2996: Let $p(k)$ and $\eps(k)$ be functions computable in time $\poly(k)$ such that $\sqrt{p(k)} + 2 \eps(k) <1$ for all $k$. Let
2997: \[ \lambda := \max \left (1,\frac{1}{ \log\left((1 - 2\eps)^2/p\right)} \right )\;.\]
2998: $\WOT{2^{-k}}{0}{2^{-k}}$ can efficiently be implemented using at most
2999: \[O\left( \frac {k^{2.6} \lambda}{(1 - 2\eps)^{(12 \lambda)}}\right)\] instances of
3000: $\WOT{p}{0}{\eps}$ secure in the semi-honest model.
3001: \end{corollary}
3002:
3003:
3004: Since any protocol (using our basic protocols) for the special cases where either $p=0$ or $q=0$
3005: can directly be translated into a one-way key-agreement protocol for distributions studied in
3006: \cite{HolRen05}, it follows from Theorem~4 in \cite{HolRen05} that
3007: using our basic protocols, this is the best bound that we can achieve.
3008: However, it is not clear whether other reductions
3009: would be able to achieve a better bound.
3010:
3011: \section{WOT Amplification if $p,q,\eps >0$} \label{sec:wot-amp}
3012:
3013: To find an optimal protocol for the general case where all three parameters are non-zero
3014: turns out to be much harder than the other three special cases. It is still unknown
3015: what the exact bound is in this case. In this section we present some
3016: partial results.
3017:
3018: We start with the case where all values are non-zero, but smaller than $1/50$.
3019:
3020: \begin{lemma} \label{lem:genLowBound1}
3021: $\WOT{2^{-k}}{2^{-k}}{2^{-k}}$ can efficiently be implemented using
3022: \[175 \cdot k^{2+\log(3)} \leq 175 \cdot k^{3.6} \] instances of
3023: $\WOT{1/50}{1/50}{1/50}$ secure in the semi-honest model.
3024: \end{lemma}
3025:
3026:
3027: \begin{proof}
3028: We set $\bF_0 := \WOT{p}{q}{\eps}$ and iterate the reduction
3029: \[\bF_{i+1} := \SReduce(\RReduce(\EReduce(\bF_{i}^{\|3}\|\Auth)^{\|2}\|\Auth)^{\|2}\|\Auth)\;,\]
3030: until $\bF_j$ is a $\WOT{p_j}{q_j}{\eps_j}$ with $\max(p_j,q_j,\eps_j) \leq 2^{-k}$.
3031: In every iteration, we have
3032: $p_{i+1} \leq (2 \cdot (3 p_i))^2 = 36 p^2_i$, $q_{i+1} \leq 2 \cdot ((3 q_i)^2) = 18 q^2_i$, and
3033: $\eps_{i+1} \leq 2 \cdot 2 \cdot (3 \eps_i^2 - 2 \eps_i^3) \leq 12 \eps^2_i$, from which follows that
3034: \[ \max(p_j,q_j,\eps_j) \leq 36^{2^j-1} \cdot \frac 1 {50^{2^j}} = \frac 1 {36} \left ( \frac{ 36}{50} \right )^{2^j} \leq \left ( \frac{ 36}{50} \right )^{2^j}\;.\]
3035: To achieve $\max(p_j,q_j,\eps_j) \leq 2^{-k}$,
3036: we choose
3037: \[j := \left \lceil \log \frac k {\log(50/36)} \right \rceil \leq \log(2.1101 \cdot k) + 1 = \log(4.2202 \cdot k)\;.\]
3038: To implement one instance of $\bF_j$, we need at most
3039: \[12^j \leq (4.2202 \cdot k)^{\log(12)} \leq 175 \cdot k^{2+\log(3)} \leq 175 \cdot k^{3.6}\]
3040: instances of $\bF_0$.
3041: \end{proof}
3042:
3043: We will now give a bound similar to that of Lemma~5 in \cite{DaKiSa99}, which was
3044: $p + q + 2\eps \leq 0.45$.
3045: But since our protocol $\EReduce$ is different, we are only able to achieve a smaller bound.
3046: As in \cite{DaKiSa99}, we are only able to obtain our bound using a simulation. Our simulation
3047: works as follows:
3048: Let $l_i(p,q)$ be a function such that for all $p$, $q$ and $\eps < l_i(p,q)$,
3049: $\WOT{1/50}{1/50}{1/50}$ can be implemented using $\WOT{p}{q}{\eps}$. Using $l_i(p,q)$, we define
3050: \begin{align*}
3051: l_{i+1}(p,q) & := \max(S^{-1}_{\eps}(l_i(S_p(p),S_q(q))), R^{-1}_{\eps}(l_i(R_p(p),R_q(q))),\\
3052: & \qquad \qquad E^{-1}_{\eps}(l_i(E_p(p),E_q(q))) )\;,
3053: \end{align*}
3054: where
3055: \begin{align*}
3056: S_p(p) := p^2\;, \quad
3057: S_q(q) := 1 - (1-q)^2\;, \quad
3058: S^{-1}_{\eps}(\eps) := (1 - \sqrt{1-2\eps})/2\;,
3059: \end{align*}
3060: \begin{align*}
3061: R_p(p) := 1 - (1-p)^2\;, \quad
3062: R_q(q) := q^2\;, \quad
3063: R^{-1}_{\eps}(\eps) := (1 - \sqrt{1-2\eps})/2\;,
3064: \end{align*}
3065: \begin{align*}
3066: E_p(p) := 1 - (1-p)^3\;, \quad \quad E_q(q) := 1 - (1-q)^3\;,
3067: \end{align*}
3068: and $E^{-1}_{\eps}(\eps)$ is the inverse of $E_{\eps}(\eps) := 3\eps^2 - 2 \eps^3$.
3069:
3070: Now, for all $p$, $q$ and $\eps < l_{i+1}(p,q)$,
3071: $\WOT{1/50}{1/50}{1/50}$ can be implemented using $\WOT{p}{q}{\eps}$, since applying one of the three protocols $\SReduce(\WOT{p}{q}{\eps}^{\|2}\|\Auth)$, $\RReduce(\WOT{p}{q}{\eps}^{\|2}\|\Auth)$,
3072: or $\EReduce(\WOT{p}{q}{\eps}^{\|3}\|\Auth)$ gives us an instance of $\WOT{p'}{q'}{\eps'}$ with
3073: $\eps' < l_i(p',q')$, from which $\WOT{1/50}{1/50}{1/50}$ can be implemented.
3074:
3075: Obviously, $l_0(p,q) := (0.02 - p - q)/2$ satisfies our condition.
3076: Iterating $8$ times, we get $l_8(p,q)$, where for all $p,q$ we have $l_8(p,q) \geq (0.15 - p - q)/2$.
3077: Using $l'_0(p,q) := (0.15 - p - q)/2$ and iterating
3078: $11$ times, we get $l'_{11}(p,q)$, where for all $p,q$ we have $l'_{11}(p,q) \geq (0.24 - p - q)/2$
3079: (See also Figure~\ref{fig:wot-bound2}).
3080:
3081: \begin{figure}
3082: \begin{center}
3083: \input{wot-bound.tex}
3084: \end{center}
3085: \vspace{-1.5cm}
3086: \caption{Plot of the bounds $\eps = l'_{11}(p,q)$ and $p+q+2\eps=0.24$. \label{fig:wot-bound2}
3087: }
3088: \end{figure}
3089:
3090: \begin{lemma} \label{lem:generalBound}
3091: If $p+q+2\eps \leq 0.24$, then $\WOT{1/50}{1/50}{1/50}$ can efficiently be implemented using
3092: $O(1)$ instances of
3093: $\WOT{p}{q}{\eps}$, secure in the semi-honest model.
3094: \end{lemma}
3095:
3096: We will now further extend this result and give bounds for the cases where one of the
3097: three values is large, while the others are small.
3098:
3099: \begin{lemma} \label{lem:generalBound2}
3100: If $p + 22q + 44\eps < 1$, then $\WOT{p'}{q'}{\eps'}$ with $p'+q'+2\eps' \leq 0.24$ can efficiently be implemented using $4/(1-p)$ instances of
3101: $\WOT{p}{q}{\eps}$, secure in the semi-honest model.
3102: \end{lemma}
3103:
3104: \begin{proof}
3105: We apply \[\bF = \SReduce(\WOT{p}{q}{\eps}^{\|n}\|\Auth)\] for an $n > 0$ such that $\bF$ is a $\WOT{p'}{q'}{\eps'}$ with $p'+q'+2\eps' \leq 0.24$.
3106: Using Lemma~\ref{lem:SReduce}, we need to find a value $n$ and constants $\alpha$ and $\beta$ with $\alpha + \beta \leq 0.24$, such that $e^{-n(1-p)} \leq \alpha$
3107: and $n q + 2 n \eps \leq \beta$, which is equivalent to $n (1-p) \geq \ln (1/\alpha)$ and $q + 2\eps \leq \beta / n$. We can choose
3108: \[n := \left \lceil \frac{\ln (1/\alpha)}{1-p} \right \rceil \leq \frac{\ln (1/\alpha)}{1-p} + 1 \leq \frac{\ln (1/\alpha)+1}{1-p}\;.\]
3109: The first inequality is satisfied by definition of $n$, and the second if
3110: \[ q + 2\eps \leq \frac {\beta (1-p)} {\ln (1/\alpha) + 1}\;,\]
3111: which is equivalent to
3112: \[ \frac{\ln (1/\alpha) + 1}{\beta}(q + 2\eps) + p \leq 1\;. \]
3113: Choosing $\alpha = 0.05$, and $\beta = 0.19$, we get $(\ln (1/\alpha) + 1)/\beta \leq 22$.
3114: Our protocol needs $n \leq 4/(1-p)$ instances.
3115: \end{proof}
3116:
3117: In the same way, we get
3118:
3119: \begin{lemma} \label{lem:generalBound3}
3120: If $22p + q + 44\eps < 1$, then $\WOT{p'}{q'}{\eps'}$ with $p'+q'+2\eps' \leq 0.24$ can efficiently be implemented using $4/(1-q)$ instances of
3121: $\WOT{p}{q}{\eps}$, secure in the semi-honest model.
3122: \end{lemma}
3123:
3124: The proof of Lemma~\ref{lem:generalBound3} is omitted, as it can be done in the same way as the proof of Lemma~\ref{lem:generalBound2}.
3125:
3126: \begin{lemma} \label{lem:generalBound4}
3127: If $7 \sqrt{p+q} + 2\eps < 1$, then $\WOT{p'}{q'}{\eps'}$ with $p'+q'+2\eps' \leq 0.24$ can efficiently be implemented using $3(1/2-\eps)^{-2}$ instances of
3128: $\WOT{p}{q}{\eps}$, secure in the semi-honest model.
3129: \end{lemma}
3130:
3131: \begin{proof}
3132: We apply \[\bF = \EReduce(\WOT{p}{q}{\eps}^{\|n}\|\Auth)\]
3133: for an $n > 0$ such that $\bF$ is a $\WOT{p'}{q'}{\eps'}$ with $p'+q'+2\eps' \leq 0.24$.
3134: Using Lemma~\ref{lem:ered}, we need to find a value $n$ and constants $\alpha$ and $\beta$ with $2\alpha + \beta \leq 0.24$, such that $e^{-2n(1/2-\eps)^2} \leq \alpha$ and $n p + n q \leq \beta$, which is equivalent to $2n (1/2-\eps)^2 \geq \ln (1/\alpha)$ and $p+q \leq \beta / n$. Furthermore, we need $\eps < \frac12$.
3135: We choose
3136: \[n := \left \lceil \frac {\ln (1/\alpha)}{2(1/2-\eps)^2} \right \rceil
3137: \leq \frac {\ln (1/\alpha) }{ 2(1/2-\eps)^2} + 1 \leq \frac {\ln (1/\alpha) + 1/2 }{ 2(1/2-\eps)^2}\;.\]
3138: The last inequality follows from the fact that $2(1/2-\eps)^2 \leq 1/2$.
3139: The first inequality is satisfied by definition of $n$, and the second if
3140: \[ p+q \leq \frac {2 \beta (1/2-\eps)^2} {\ln (1/\alpha) + 1/2}\;,\]
3141: which is equivalent to
3142: \[ \sqrt{\frac{2\ln (1/\alpha) + 1}{\beta}}\sqrt{p+q} + 2\eps < 1\;. \]
3143: Choosing $\alpha = 0.02$ and $\beta = 0.20$, we get
3144: \[ \sqrt{\frac{2\ln (1/\alpha) + 1}{\beta}} \leq 7\;.\]
3145: Our protocol needs $n \leq 3(1/2-\eps)^{-2}$ instances.
3146: \end{proof}
3147:
3148: Theorem~\ref{thm:generalBound} summarizes all the partial results we obtained in this section.
3149:
3150: \begin{theorem} \label{thm:generalBound}
3151: Let $p(k)$, $q(k)$ and $\eps(k)$ be functions computable in time $\poly(k)$
3152: such that
3153: \[p+q+2\eps \leq 0.24\;,\] or
3154: \[\min( p + 22q + 44\eps,22p + q + 44\eps, 7 \sqrt{p+q} + 2\eps) < 1\]
3155: for all $k$. Then
3156: $\WOT{2^{-k}}{2^{-k}}{2^{-k}}$ can efficiently be implemented using
3157: \[O \left ( \frac{k^{3.6}}{(1-p) (1-q)(1/2-\eps)^{2}} \right ) \]
3158: instances of
3159: $\WOT{p}{q}{\eps}$ secure in the semi-honest model.
3160: \end{theorem}
3161:
3162: \begin{proof}
3163: Follows directly from Lemmas \ref{lem:generalBound}, \ref{lem:generalBound2}, \ref{lem:generalBound3}, and \ref{lem:generalBound4}.
3164: \end{proof}
3165:
3166: Since Theorem~\ref{thm:otAmp-e0} gives us a bound on the number of instances used, we can also bound
3167: the error probability, and therefore, we can extend the result of Theorem~\ref{thm:otAmp-e0} to allow
3168: for a (small) error.
3169:
3170: \begin{corollary} \label{cor:generalBound5}
3171: Let $p(k)$, $q(k)$ and $\eps(k)$ be functions computable in time $\poly(k)$
3172: such that
3173: \[(1 - p - q)^4 < - 178 \cdot \log(1 - 2\eps)\]
3174: for all $k$. Then $\WOT{2^{-k}}{2^{-k}}{2^{-k}}$ can efficiently be implemented using
3175: \[O \left ( \frac{k^{3.6}}{(1-p-q)^{4}} \right )\]
3176: instances of $\WOT{p}{q}{\eps}$, secure in the semi-honest model.
3177: \end{corollary}
3178:
3179: \begin{proof}
3180: We apply the reduction used in Theorem~\ref{thm:otAmp-e0} for $k = 5$. We get $p' \leq 2^{-5}$, $q' \leq 2^{-5}$,
3181: and $\eps' \leq (1 - (1- 2\eps)^n)/2$, for $n = 50 \cdot (1-p-q)^{-4}$. We have
3182: \begin{align*}
3183: \log(1 - 2\eps')
3184: & = n \log(1- 2\eps) = 50 \cdot (1-p-q)^{-4} \cdot (1 - p - q)^4 / {-178} \\
3185: & = - 50/178
3186: \end{align*}
3187: and therefore
3188: \[p' + q' + 2 \eps' \leq 2 \cdot 2^{-5} + (1 - 2^{- 50/178}) < 0.24\;.\]
3189: The statement follows now by applying Lemmas~\ref{lem:genLowBound1} and \ref{lem:generalBound}.
3190: \end{proof}
3191:
3192: \section{Discussion and Open Problems}
3193:
3194: We have presented several protocols that implement ROT from many instances of WOT.
3195: For
3196: the special case where $\eps = 0$, we were able to achieve the optimal bound,
3197: and when either $p=0$ or $q=0$, we were at least able to give protocols which
3198: achieve the optimal bound for the basic protocols that we use.
3199:
3200: However, for the general case, we still do not have very satisfactory results.
3201: One of the main difficulties is that we do not know exactly which of the basic
3202: protocols needs to be applied in which
3203: situation. To be able to do that, we would need a better understanding of
3204: how these protocols work together.
3205:
3206: There are still many open problems concerning WOT amplification. Here are some of them:
3207:
3208: \begin{itemize}
3209: \item
3210: Can we improve the impossibility bound?
3211: \item
3212: For what parameters of WOT can we implement ROT with our basic protocols?
3213: How many instances do we need?
3214: \item
3215: Are there other basic protocols that give better bounds?
3216: Is it possible to use (a modified version of) the protocol $\EReduce$ from \cite{DaKiSa99}?
3217: Is it possible to reduce two parameters at the same time?
3218: \item Is there a (simple) way to make $\EReduce$ secure in the malicious model?
3219: \item
3220: Can GWOT be used to improve WOT amplification?
3221: \item
3222: Is it possible to define WOT in another, more general way?
3223: \item
3224: How do we have to define WOT in a multi-party setting?
3225: \end{itemize}
3226:
3227: \chapter{Computational Weak Oblivious Transfer} \label{chap:compWOT}
3228:
3229: In this chapter we show how an OT which may contain errors and
3230: which is only \emph{mildly computationally secure} for the
3231: two players can be amplified to a computationally-secure OT. In particular, we show in
3232: Theorem~\ref{thm:compOT} --- using Holenstein's uniform hard-core lemma \cite{Holens05,Holens06},
3233: which is a uniform variant of Impagliazzo's hard-core lemma \cite{Impagl95} ---
3234: that if WOT can be amplified to
3235: ROT in the information-theoretic setting, then also the corresponding computational version of WOT
3236: can be amplified to a computationally-secure ROT, \emph{using the same protocol}.
3237:
3238: Our results
3239: generalize the results presented in \cite{Haitne04}, as we cover a much larger
3240: region for the values $p$, $q$ and $\eps$, and in our case the security for both players may be computational.
3241:
3242: \section{Preliminaries}
3243:
3244: In the following, $k \in \bbN$ is always the security parameter.
3245: We say that a function $f: \bbN \rightarrow \bbN$ is \emph{polynomial in $k$}, denoted by $\poly(k)$, if there exist constants $c > 0$ and $k_0$, such that $f(k) \leq k^{c}$ for all $k \geq k_0$.
3246: A function $f: \bbN \rightarrow [0,1]$ is \emph{negligible in $k$}, denoted by $\negl(k)$, if for every constant $c > 0$ there exists a constant $k_0$, such that $f(k) \leq k^{-c}$ for all $k \geq k_0$. A function $f: \bbN \rightarrow [0,1]$ is \emph{noticeable} if there exist constants $c>0$ and $k_0$ such that $f(k) \geq k^{-c}$ for all $k \geq k_0$. An algorithm $B$ which has oracle access to an algorithm $A$ will be denoted by $B^A$.
3247:
3248: We will need the following lemmas, which are, when put together, the computational version of Lemma~\ref{lem:PredAdvStadDist}.
3249:
3250: \begin{lemma} \label{lem:comp-dist2pred}
3251: Let functions $f: \{0,1\}^k \rightarrow \{0,1\}^\ell$, $P: \{0,1\}^k \rightarrow \{0,1\}$, and a
3252: distribution $P_W$ over $\{0,1\}^k$ be given. There is an oracle algorithm $B^{(\cdot)}$ such that, for any algorithm $A$ where
3253: \[\Pr[A(f(W),P(W)) = 1] - \Pr[A(f(W),U) = 1] = \eps\;,\]
3254: where $W$ is distributed according to $P_W$ and $U$ is uniformly distributed, algorithm $B^A$ satisfies
3255: \[\Pr[ B^A(f(W)) = P(W)] = \frac 1 2 + \eps\;,\]
3256: does one oracle call to $A$, and computes one XOR.
3257: \end{lemma}
3258:
3259: \begin{proof}
3260: On input $f(w)$, let algorithm $B^A$ choose a bit $u$ uniformly at random and output $A(f(w),u) \oplus u \oplus 1$. Let
3261: \[g(w,u) := \Pr[ A(f(w),u) = 1]\;.\]
3262: The output of $B^A$ is correct either if $U=P(W)$ and the output of $A$ is $1$, or $U \neq P(W)$
3263: and the output of $A$ is $0$. We get
3264: \begin{align*}
3265: & \Pr[ B^A(f(W)) = P(W)] \\
3266: & \qquad = \sum_w P_W(w) \left (\frac{g(w,P(w))}{2} + \frac{1- g(w,1-P(w))}{2} \right ) \\
3267: & \qquad = \frac 1 2 + \sum_w P_W(w) \frac{g(w,P(w))- g(w,1-P(w))}{2} \\
3268: & \qquad = \frac 1 2 + \sum_w P_W(w) \left ( g(w,P(w)) - \frac{g(w,P(w)) + g(w,1-P(w))}{2} \right ) \\
3269: & \qquad = \frac 1 2 + \Pr[A(f(W),P(W)) = 1] - \Pr[A(f(W),U) = 1] \\
3270: & \qquad = \frac 1 2 + \adv^A((f(W),P(W)),(f(W),U)) \;.
3271: \end{align*}
3272: \end{proof}
3273:
3274: \begin{lemma} \label{lem:comp-pred2dist}
3275: Let functions $f: \{0,1\}^k \rightarrow \{0,1\}^\ell$, $P: \{0,1\}^k \rightarrow \{0,1\}$, and a
3276: distribution $P_W$ over $\{0,1\}^k$ be given. There is an oracle algorithm $A^{(\cdot)}$ such that, for any algorithm $B$
3277: where \[\Pr[ B(f(W)) = P(W)] = \frac 1 2 + \eps\;,\]
3278: we have
3279: \[\adv^{A^B}((f(W),P(W)),(f(W),U)) = \eps\;,\]
3280: where $W$ is distributed according to $P_W$ and $U$ is uniformly distributed. Algorithm $A^B$ does one oracle call to $B$ and computes one XOR.
3281: \end{lemma}
3282:
3283: \begin{proof}
3284: On input $(f(w),b)$, let algorithm $A^B$ output $B(f(w)) \oplus b \oplus 1$.
3285: If $b$ is a uniform random bit, then we have $\Pr[A^B(f(w),b)=1]=1/2$, and if $b = P(w)$, then
3286: $\Pr[A^B(f(w),b)=1]=1/2 + \eps$. Therefore, we have $\adv^{A^B}((f(W),P(W)),(f(W),U)) = \eps$.
3287: \end{proof}
3288:
3289: \section{Pseudo-Randomness Extraction} \label{sec:PseudoRandExt}
3290:
3291: In this section we state a \emph{pseudo-randomness extraction theorem}, Theorem~\ref{thm:holae}, that we need later to prove our main theorem of
3292: this chapter, Theorem~\ref{thm:compOT}. Theorem~\ref{thm:holae} is based on the \emph{uniform hard-core lemma}
3293: \cite{Holens05,Holens06}, which is a uniform variant of the hard-core lemma from \cite{Impagl95}.
3294:
3295: \begin{lemma}[Uniform hard-core lemma \cite{Holens05,Holens06}] \label{lem:hardcore}
3296: Let the functions $f:\{0,1\}^k \rightarrow \{0,1\}^\ell$, $P:\{0,1\}^k \rightarrow \{0,1\}$,
3297: $\delta: \bbN \rightarrow [0,1]$ and $\gamma: \bbN \rightarrow [0,1]$ computable in time $\poly(k)$ be given, such that $\gamma$ and $\delta$ are noticeable.
3298: Assume that there is no polynomial time algorithm $B$ such that
3299: \[\Pr[B(f(W))=P(W)] \geq 1 - \frac \delta 2 + \frac {\gamma^2 \delta^5}{8192}\;,\]
3300: where $W$ is chosen uniformly at random from $\{0,1\}^k$, for infinitely many $k$.
3301: Then, there is no polynomial time oracle algorithm $A^{(\cdot)}$\footnote{$A^{(\cdot)}$ has oracle access to the \emph{characteristic function} $\chi_\mS$ of the set $\mS$, which is defined as $\chi_{\mS}(w) := 1$ if $w \in \mS$ and $\chi_{\mS}(w) := 0$ otherwise.} such that for infinitely many $k$ the following holds: For any set $\mS \subseteq \{0,1\}^k$ with $|\mS| \geq \delta 2^k$,
3302: \[ \Pr[ A^{\chi_\mS}(f(W)) = P(W)] \geq \frac{1+\gamma} 2\;,\]
3303: where $W$ is chosen uniformly at random from $\mS$ and the queries of $A$ to $\chi_\mS$ are computed independently of the input $f(W)$.
3304: \end{lemma}
3305:
3306: Theorem \ref{thm:holae} is a modified version of Theorem 7.3 in \cite{Holens06} and differs from it in two points. First, we simplified it by omitting
3307: the function $q(w)$ that indicates whether $w$ is valid, because in our setting all $w$ are valid. Second, we allow the functions $\extr$ and $\leak$ to
3308: depend on the value $Z^n$, and not only on $X^n$.
3309: The proof of Theorem~\ref{thm:holae} is basically the same as the proof of Theorem 7.3 in \cite{Holens06}. Notice that in the proof of Theorem 7.3 in \cite{Holens06} there is a step
3310: missing before equation (7.8), which is fixed in our proof.
3311:
3312: The main difference between Theorem 7.3 in \cite{Holens06} and our Theorem~\ref{thm:holae} on the one hand, and the (implicit) extraction lemma in \cite{Hastad90,HILL99} and
3313: the extraction lemma in \cite{HaHaRe05} on the other hand, is that the former allow the adversary to gain some additional knowledge during the extraction, expressed by the function $\leak$.
3314:
3315: \begin{theorem}[Pseudo-randomness extraction theorem, \cite{Holens06}] \label{thm:holae}
3316: Let the functions
3317: $f : \{0,1\}^k \rightarrow \{0,1\}^\ell$,
3318: $P : \{0,1\}^k \rightarrow \{0,1\}$, and
3319: $\beta : \mathbb N \rightarrow [0,1]$, all computable in time $\poly(k)$, be given, and let
3320: $1 - \beta(k)$ be noticeable.
3321: Assume that every polynomial time algorithm $B$ satisfies
3322: \[ \Pr [ B(f(W)) = P(W) ] \leq \frac {1+\beta(k)} 2 \]
3323: for all but finitely many $k$, for a uniform random $W \in \{0,1\}^k$. Further, let also functions $n(k)$, $s(k)$,
3324: \begin{align*}
3325: \extr &: \{0,1\}^{\ell \cdot n} \times \{0,1\}^n \times \{0,1\}^s \rightarrow \{0,1\}^t\;,\\
3326: \leak &: \{0,1\}^{\ell \cdot n} \times \{0,1\}^n \times \{0,1\}^s \rightarrow \{0,1\}^{t'}\;,
3327: \end{align*}
3328: be given which are computable in time $\poly(k)$, and satisfy the following: For any distribution $P_{XZ}$ over
3329: $\{0,1\} \times \{0,1\}^\ell$ where $\predadv(X \mid Z) \leq \beta(k)$,
3330: $\extr(Z^n,X^n,R)$ is $\eps(k)$-close to uniform with
3331: respect to $\leak(Z^n,X^n,R)$, for $R \in \{0,1\}^s$ chosen uniformly at random.
3332: Then, no polynomial time algorithm $A$, which gets as input
3333: \[\leak((f(W_0), \dots, f(W_{n-1})),(P(W_0), \dots, P(W_{n-1})),R)\;,\]
3334: (where $(W_0, \dots, W_{n-1})$ is chosen uniformly at random) distinguishes
3335: \[\extr((f(W_0), \dots, f(W_{n-1})),(P(W_0), \dots, P(W_{n-1})),R)\;\]
3336: from a uniform random string of length $t$ with advantage $\eps(k) + \gamma(k)$,
3337: for any non-negligible function $\gamma(k)$.
3338: \end{theorem}
3339:
3340: \begin{proof}
3341: Let us assume there exists an algorithm $A$ that contradicts our assumption. We will use $A$ to construct
3342: an oracle algorithm $\ol A^{\chi_\mS}$ for which the following holds for infinitely many $k$ for a noticeable function $\gamma'$. For any set $\mS \subseteq \{0,1\}^k$ with $|\mS| \geq (1-\beta(k))2^k$, we have
3343: \[ \Pr[\ol A^{\chi_\mS}(f(W)) = P(W)] \geq \frac{1+\gamma'} 2\;,\]
3344: where the probability is over the randomness of $\ol A^{\chi_\mS}$, $W$ is chosen uniformly at random from $\{0,1\}^k$, and $\ol A^{\chi_\mS}$ calls $\chi_\mS$ only with queries which are computed independently of the input.
3345:
3346: Since $\gamma(k)$ is non-negligible, there exists a constant $c$, such that $\gamma(k) \geq k^{-c}$ for infinitely many $k$. Let $\gamma^*(k) := k^{-c}$. $\gamma^*(k)$ is a noticeable function with
3347: $\gamma^*(k) \leq \gamma(k)$ for infinitely many $k$.
3348:
3349: For any fixed $j \in \{0,\dots,n\}$ and any fixed set $\mS \subseteq \{0,1\}^k$ with $|\mS| \geq (1-\beta)2^k$,
3350: we define the following values. For all $i \in \{0,\dots,n-1\}$, we choose $w_i \in \{0,1\}^k$
3351: and $u_i \in \{0,1\}$ uniformly at random. Then we compute
3352: \begin{align}
3353: y_i &:= \left \{
3354: \begin{array}{ll}
3355: P(w_i) & \textrm{if $i \geq j$ or $w_i \not \in \mS$\;,} \label{eq:yi} \\
3356: u_i & \textrm{otherwise\;,}
3357: \end{array}
3358: \right. \\
3359: e_j &:= \extr((f(w_0),\dots,f(w_{n-1})), y^n, r)\;, \quad \textrm{and} \label{eq:ej} \\
3360: \ell_j &:= \leak((f(w_0),\dots,f(w_{n-1})), y^n, r)\;, \label{eq:lj}
3361: \end{align}
3362: where $r \in \{0,1\}^s$ is chosen uniformly at random.
3363:
3364: Let $P_{E_jL_j}$ be the distribution of $(e_j,\ell_j)$. From our assumption follows that
3365: \[\adv^A((E_0,L_0),(U,L_0)) \geq \eps + \gamma^*\]
3366: for infinitely many $k$,
3367: where $U \in \{0,1\}^t$ is chosen uniformly at random.
3368: On the other hand, for $j=n$, with probability $1-\beta$ (over the choice of $w_i$) we have $y_i = u_i$, and
3369: therefore, by Lemma~\ref{lem:Hol22}, $\predadv(Y_i \mid f(W_i)) \leq \beta$.
3370: The information-theoretic requirement on the functions $\extr$ and $\leak$ implies that $E_n$ is $\eps$-close to uniform with respect to
3371: $L_n$ and therefore
3372: \[\adv^A((E_n,L_n),(U,L_n)) \leq \eps \;.\]
3373: The triangle inequality implies
3374: \[\adv^A((E_0,L_0),(E_n,L_n)) + \adv^A((U,L_0),(U,L_n)) \geq \gamma^*\]
3375: for infinitely many $k$.
3376: It follows that at least one of the four inequalities
3377: $\Pr[A(E_0,L_0)=1] - \Pr[A(E_n,L_n)=1] \geq \gamma^*/2$,
3378: $\Pr[A(E_n,L_n)=1] - \Pr[A(E_0,L_0)=1] \geq \gamma^*/2$,
3379: $\Pr[A(U,L_0)=1] - \Pr[A(U,L_n)=1] \geq \gamma^*/2$, or
3380: $\Pr[A(U,L_n)=1] - \Pr[A(U,L_0)=1] \geq \gamma^*/2$ holds for infinitely many $k$,
3381: from which follows that there exists an algorithm $A'$ such that
3382: \[\Pr[A'(E_0,L_0)=1] - \Pr[A'(E_n,L_n)=1] \geq \frac {\gamma^*} 2\]
3383: for infinitely many $k$.
3384: For a $J \in \{0,\dots,n-1\}$ chosen uniformly at random, we have
3385: \[\Pr[A'(E_J,L_J)=1] - \Pr[A'(E_{J+1},L_{J+1})=1] \geq \frac{\gamma^*}{2n}\]
3386: for infinitely many $k$.
3387: We can now give an implementation of a distinguisher which distinguishes $(f(W),P(W))$ from $(f(W),U)$ with
3388: advantage $\gamma^*/(2n)$ for infinitely many $k$, if $W$ is chosen uniformly from $\mS$ and $U$ is a uniform random bit, as long as oracle access to $\chi_{\mS}$ is given. Let $(f(w),b)$ be the input to the distinguisher.
3389: It chooses $j \in \{0,\dots, n-1\}$, and for all $i \in \{0,\dots,n-1\}$ the values $w_i \in \{0,1\}^k$ and $u_i \in \{0,1\}$ uniformly at random. Then, for all $i \in \{0,\dots,n-1\}$, it computes the values $f(w_i)$, $P(w_i)$ and $y_i$ as in \eqref{eq:yi}. If $w_j \in \mS$, it replaces $f(w_j)$ with $f(w)$ and $y_j$ with $b$. Then, it computes $e_j$ and $\ell_j$ as in \eqref{eq:ej} and \eqref{eq:lj}.
3390: If $b$ is a uniform bit, then this process gives random variables $(E_j,L_j)$ distributed according to $P_{E_{j+1}L_{j+1}}$, otherwise it gives random variables distributed according to
3391: $P_{E_{j}L_{j}}$. Therefore, $A'$ distinguishes $(f(W),P(W))$ from $(f(W),U)$ with
3392: advantage $\gamma^*/(2n)$ for infinitely many $k$, if $W$ is chosen uniformly at random from $\mS$. From Lemma~\ref{lem:comp-dist2pred} follows that there exists a polynomial time
3393: algorithm that predicts $P(W)$ from $f(W)$, where $W$ is chosen uniformly at random from $\mS$, with probability at least $1/2 + \gamma^*/(2n)$ for infinitely many $k$. We can now apply Lemma~\ref{lem:hardcore} for $\gamma := \gamma^*/n$ and $\delta := 1-\beta$ to obtain the statement.
3394: \end{proof}
3395:
3396:
3397: \section{Definition of Computational WOT} \label{sec:compOTDef}
3398:
3399: In order to define security in the computational setting, i.e., where the running time of the adversary is bounded by a polynomial, we need to introduce a security parameter $k$ on which the players agree beforehand. We consider the \emph{uniform} model, that is, we require the same protocols to run on all
3400: security parameters, which they get as a separate input. Additionally, we require the security parameter to be larger than the sum of the length of all the inputs and outputs of the protocol. The security in the \emph{computational
3401: semi-honest model} is very similar to the (information-theoretic) semi-honest model
3402: (Definition~\ref{def:passiveSec}). The only differences are that
3403: we require the distinguishers to be efficient, i.e., to run in time $\poly(k)$,
3404: and we require the advantage of these distinguishers to be negligible in $k$. Furthermore,
3405: we require that the simulator is efficient, i.e., runs in time $\poly(k)$.
3406:
3407: We say that $X(k)$ and $Y(k)$ are \emph{computationally indistinguishable}, denoted by
3408: $X \compIndist Y$, if $\adv^\mD(X,Y) \leq \negl(k)$, where
3409: $\mD$ is the set of all distinguishers that run in time $\poly(k)$.
3410:
3411: \begin{definition} \label{def:compPassiveSec}
3412: A protocol $\bP(\bF) = (\bP_\PlayerA \| \bP_\PlayerB)(\bF)$ \emph{securely implements $\bG$ in the computational
3413: semi-honest model}, if
3414: \begin{itemize}
3415: \item(Correctness) $\bP(\bF_{\emptyset}) \compIndist \bG_{\emptyset}\;.$
3416: \item(Security for \PlayerA) There exists a system $\bS_\PlayerB$ (called \emph{the simulator for $\PlayerB$}), that runs in time $\poly(k)$ and only modifies the auxiliary interfaces, such that
3417: \[(\bP_\PlayerA \| \underline \bP_\PlayerB)(\bF_{\{\widehat \PlayerB\}}) \compIndist \bS_\PlayerB(\bG_{\{\widehat \PlayerB\}}) \;.\]
3418: \item(Security for \PlayerB) There exists a system $\bS_\PlayerA$ (called \emph{the simulator for $\PlayerA$}), that runs in time $\poly(k)$ and only modifies the auxiliary interfaces, such that
3419: \[(\underline \bP_\PlayerA \| \bP_\PlayerB)(\bF_{\{\widehat \PlayerA\}}) \compIndist \bS_\PlayerA(\bG_{\{\widehat \PlayerA\}}) \;.\]
3420: \end{itemize}
3421: \end{definition}
3422:
3423: The primitive $\compWOT{p}{q}{\eps}$ denotes the computational version of $\WOT{p}{q}{\eps}$.
3424: The difference from the definition of $\WOTT$ is that we require the algorithm that
3425: guesses $X_{1-C}$ or $C$ to be efficient.
3426:
3427: \begin{definition}[Computational WOT, semi-honest model]
3428: Let functions $\eps: \mathbb N \rightarrow [0,1/2]$,
3429: $p: \mathbb N \rightarrow [0,1]$, and $q: \mathbb N \rightarrow [0,1]$ computable in time $\poly(k)$ be given. Let $\bF = (\bF_{\emptyset},\bF_{\{\widehat \PlayerA\}},\bF_{\{\widehat \PlayerB\}})$ be a collection of systems in the computational semi-honest model. On input $k$, $\bF$ outputs
3430: $(X_0,X_1)$ to $\PlayerA$ and $(C,Y)$ to $\PlayerB$. Let $U$ be the auxiliary output to $\PlayerA$ by $\bF_{\{\widehat \PlayerA\}}$ and $V$ be the auxiliary output to $\PlayerB$ by $\bF_{\{\widehat \PlayerB\}}$.
3431: Let $E := X_C \oplus Y$. $\bF$ implements $\compWOT{p(k)}{q(k)}{\eps(k)}$ in the computational semi-honest model, if
3432: \begin{itemize}
3433: \item(Efficiency) $\bF$ can be executed in time $\poly(k)$.
3434: \item(Correctness) $\Pr[E=1] \leq \eps(k)$ for all $k$.
3435: \item(Security for \PlayerA)
3436: All polynomial time algorithms $A$ satisfy
3437: \[ \Pr[A(V,E)=X_{1-{C}}] \leq \frac {1 + q(k)} 2\]
3438: for all but finitely many $k$.
3439: \item(Security for \PlayerB)
3440: All polynomial time algorithms $A$ satisfy
3441: \[ \Pr[A(U,E)=C] \leq \frac {1 + p(k)} 2\]
3442: for all but finitely many $k$.
3443: \end{itemize}
3444: \end{definition}
3445:
3446: Lemma~\ref{lem:compSecCond} is the computational version of Lemma~\ref{lem:WOT2ROT}.
3447:
3448: \begin{lemma} \label{lem:compSecCond}
3449: A collection of systems $\bF$ that securely implements
3450: \[\compWOT{\negl(k)}{\negl(k)}{\negl(k)}\] also securely implements $\ROT{1}{2}{1}$ in the
3451: computational semi-honest model.
3452: \end{lemma}
3453:
3454: \begin{proof}
3455: From the (computational) security conditions for $\PlayerA$ follows
3456: that $C$ is (statistically) $\negl(k)$-close to uniform with respect to $(X_0,X_1)$.
3457: Otherwise, it could easily and efficiently be distinguished from uniform. Similarly, it
3458: follows from the security condition for $\PlayerB$ that $X_{1-C}$ is $\negl(k)$-close
3459: to uniform with respect to $(C,X_C)$. From Lemma~\ref{lem:almostUniform}
3460: follows that $(C,X_0,X_1)$ is $\negl(k)$-close to uniform. Together with the
3461: correctness condition, we get
3462: \[ \bF_{\emptyset} \equiv_{\negl(k)} \ROTT_{\emptyset}\;.\]
3463:
3464: Let $\bF_{\{\PlayerB\}}$ produce the output distribution $P_{X_0X_1CYV}$,
3465: and let $P_{\ol {X_0X_1CY}}$ be the output distribution of $\ROTT$. We define $\bS_\PlayerB$ as follows. After receiving $(c,y)$ from
3466: $\ROTT$, it simulates $\bF_{\{\PlayerB\}}$, which outputs $(c',y',v')$,
3467: until $c'=c$ and $y'=y$. It outputs $v'$.
3468:
3469: From the correctness condition follows
3470: that $(C',Y')$ is $\negl(k)$-close to uniform, and, therefore, the probability that $C'=c$ and $Y'=y$ is at least $1/4 - \negl(k)$. The expected number of iterations\footnote{If we want the algorithm to be worst-case polynomial, we simply abort after a polynomial amount of simulations.} is therefore constant and the simulator is efficient since the system $\bF$ is efficient.
3471:
3472: Let us assume that there exists an algorithm $A$ with
3473: \[ \adv^A( {X_0X_1CYV}, \ol {X_0X_1CY}V' ) \geq \gamma(k)\;,\]
3474: for a non-negligible function $\gamma(k)$. There exists a constant $c$, such that $\gamma(k) \geq k^{-c}$ for infinitely many $k$. Let $\gamma^*(k) := k^{-c}$. $\gamma^*(k)$ is a noticeable function with
3475: $\gamma^*(k) \leq \gamma(k)$ for infinitely many $k$.
3476:
3477: Since $(C,X_C,Y,V)$ is $\negl(k)$-close
3478: to $(\ol C,\ol X_{\ol C},\ol Y,V')$, and
3479: $\ol X_{1-\ol C}$ is uniform
3480: with respect to $(\ol C,\ol X_{\ol C},\ol Y,V')$, we have
3481: \[ \adv^A( {R C X_{C}YV}, \ol X_{1-\ol C} \ol C \ol X_{\ol C}\ol YV') \leq \negl(k)\;,\]
3482: where $R$ is chosen uniformly at random. It follows that
3483: \[ \adv^A( R C X_{C}YV, {X_{1-C} C X_{C}YV}) \geq \gamma^*(k) - \negl(k)\]
3484: for infinitely many $k$, and therefore either
3485: \[ \Pr[A(R C X_{C}YV) = 1] - \Pr[A({X_{1-C} C X_{C}YV}) = 1] \geq \gamma^*(k) - \negl(k) \]
3486: for infinitely many $k$, or
3487: \[\Pr[A({X_{1-C} C X_{C}YV}) = 1] - \Pr[A(R C X_{C}YV) = 1] \geq \gamma^*(k) - \negl(k) \]
3488: for infinitely many $k$. Note that $(C,Y)$ is a function of $V$ and $E = X_{C} \oplus Y$.
3489: In both cases, it follows from Lemma~\ref{lem:comp-dist2pred} that
3490: there exists an algorithm that can predict $X_{1-C}$ with probability $1/2 + \gamma^*(k) - \negl(k)$
3491: for infinitely many $k$, which contradicts our assumption that no such algorithm exists.
3492:
3493: The proof for the security of $\PlayerB$ can be done the same way.
3494: \end{proof}
3495:
3496: \section{Computational-WOT Amplification} \label{sec:compWOTamp}
3497:
3498: In \cite{Holens05}, Lemma~\ref{lem:hardcore} was used to show that any information-theoretic key-agreement protocol can also be used in the computational
3499: setting. We will use a very similar proof to show that any protocol that efficiently implements
3500: $\ROTT$ out of many instances of $\WOTT$ in the semi-honest model can be used to implement $\ROTT$ out of many instances of $\compWOTT$ in the computational semi-honest model.
3501:
3502: \begin{theorem} \label{thm:compOT}
3503: Let the functions $\eps(k)$, $p(k)$, $q(k)$ and $n(k)$ computable in time $\poly(k)$ be given. Let a protocol $\bP(\Auth)$
3504: achieve $\compWOT{p}{q}{\eps}$. Further, let an efficient protocol $\bQ(\WOT{p}{q}{\eps}^{\|n} \| \Auth)$ be given which takes $k$ as input and
3505: securely implements $\WOT{\negl(k)}{\negl(k)}{\negl(k)}$ in the semi-honest model. Then the protocol\footnote{This is an execution of $\bQ$, where all calls to $\WOTT$ are replaced by independent executions of $\bP$.} $\bQ(\bP(\Auth)^{\|n} \| \Auth)$ implements $\compWOT{\negl(k)}{\negl(k)}{\negl(k)}$
3506: in the computational semi-honest model.
3507: \end{theorem}
3508:
3509: \begin{proof}
3510: Let $W = (W_\PlayerA,W_\PlayerB)$ be the randomness used in $\bP(\Auth)$ by the sender and the receiver, and let
3511: $Z$ be the communication. The honest protocols $\bP_\PlayerA$ and $\bP_\PlayerB$ output $(X_0,X_1)$ and $(C,Y)$, respectively, while the semi-honest protocols $\ul \bP_\PlayerA$ and $\ul \bP_\PlayerB$ additionally have the auxiliary outputs $U = (X_0,X_1,Z,W_\PlayerA)$ and $V = (C,Y,Z,W_\PlayerB)$, respectively. Let $E := Y \oplus X_C$.
3512: All these values are functions of $W$.
3513:
3514: $\bQ_{\PlayerA}$ receives $(X_0^n,X_1^n)$ from $\bP(\Auth)^{\|n}$
3515: and
3516: outputs $(X_0^*,X_1^*)$. $\bQ_{\PlayerB}$ receives
3517: $(C^n,Y^n)$ from $\bP(\Auth)^{\|n}$
3518: and outputs $(C^*,Y^*)$.
3519: Let $R = (R_{\PlayerA},R_{\PlayerB})$ be the randomness used in $\bQ$ by both players, and let $Z'$ be the communication sent
3520: over $\Auth$ in $\bQ$. Let $E^* := Y^* \oplus X^*_{C^*}$.
3521: The values $E^*$, $X_0^*$, $X_1^*$, $C^*$, $Y^*$ and $Z'$ are functions of $(X_0^n,X_1^n,C^n,Y^n,R)$.
3522:
3523: First of all, the resulting protocol $\bQ(\bP(\Auth)^{\|n} \| \Auth)$ will be correct and efficient, as every outcome of $\bP(\Auth)$ satisfies $\Pr[Y \neq X_C] \leq \eps$.
3524:
3525: For the security for $\PlayerA$, we define the following functions: let $f(W) := (V,E)$ and
3526: $P(W) := X_{1-C}$. Since $X_C = E \oplus Y$, it is possible to simulate the protocol $\bQ$ using the values
3527: $(V,E)^n$, $(X_{1-C})^n$, and $R$. Therefore, we can define
3528: \[\extr((V,E)^n,(X_{1-C})^n,R) := X^*_{1-C^*}\] and \[\leak((V,E)^n,(X_{1-C})^n,R) := (E^*,C^*,Y^*,V^n,Z',R_{\PlayerB})\;.\]
3529: $\bQ$ implements $\WOT{\negl(k)}{\negl(k)}{\negl(k)}$. It follows from
3530: Lemma~\ref{lem:comp-pred2dist} that the functions $\extr$ and $\leak$ satisfy the extraction requirements from
3531: Theorem~\ref{thm:holae} with $\eps(k) = \negl(k)$. Furthermore, $\extr$ and $\leak$ can be computed efficiently, since the protocol $\bQ$ is efficient.
3532: From the security condition of $\compWOTT$ follows that every polynomial-time algorithm $B$ satisfies
3533: \[ \Pr [ B(f(W)) = P(W) ] = \Pr [ B(V,E) = X_{1-C} ] \leq \frac {1+q(k)} 2 \]
3534: for all but finitely many $k$, for $W$ chosen uniformly at random. Theorem~\ref{thm:holae} tells us that
3535: no polynomial time algorithm $A$, which gets as input $\leak((V,E)^n,(X_{1-C})^n,R)$ distinguishes $\extr((V,E)^n,(X_{1-C})^n,R)$
3536: from a uniform random bit with advantage $\negl(k) + \gamma(k)$,
3537: for any non-negligible function $\gamma(k)$. The security for $\PlayerA$ follows now from Lemma~\ref{lem:comp-pred2dist}.
3538:
3539: For the security for $\PlayerB$, we define the following functions: let $f(W) := (U,E)$ and
3540: $P(W) := C$. Since $X_C = E \oplus Y$, it is possible to simulate the protocol $\bQ$ using the values
3541: $(U,E)^n$, $C^n$, and $R$. Therefore, we can define
3542: \[\extr((U,E)^n,C^n,R) := C^*\;,\] and
3543: \[\leak((U,E)^n,C^n,R) := (E^*,X_0^*,X_1^*,U^n,Z',R_{\PlayerA})\;.\] $\bQ$ implements $\WOT{\negl(k)}{\negl(k)}{\negl(k)}$. It follows from
3544: Lemma~\ref{lem:comp-pred2dist} that the functions $\extr$ and $\leak$ satisfy the extraction requirements from
3545: Theorem~\ref{thm:holae} with $\eps(k) = \negl(k)$.
3546: Furthermore, $\extr$ and $\leak$ can be computed efficiently, since the protocol $\bQ$ is efficient.
3547: From the security condition of $\compWOTT$ follows that every polynomial time algorithm $A$ satisfies
3548: \[ \Pr [ A(f(W)) = P(W) ] = \Pr [ A(U,E) = C ] \leq \frac {1+p(k)} 2 \]
3549: for all but finitely many $k$, for $W$ chosen uniformly at random. Theorem~\ref{thm:holae} tells us that
3550: no polynomial time algorithm $B$, which gets as input $\leak((U,E)^n,C^n,R)$ distinguishes $\extr((U,E)^n,C^n,R)$
3551: from a uniform random bit with advantage $\negl(k) + \gamma(k)$,
3552: for any non-negligible function $\gamma(k)$. The security for $\PlayerB$ follows now from Lemma~\ref{lem:comp-pred2dist}.
3553: \end{proof}
3554:
3555: \noindent
3556: Together with the information-theoretic reductions presented in Chapters~\ref{chap:ot} and~\ref{chap:wot}, we get a protocol that securely amplifies $\compWOT{p}{q}{\eps}$ to $\OT{2}{1}{1}$ in the computational semi-honest model.
3557:
3558: \begin{corollary} \label{cor:comOT}
3559: Let the functions $\eps(k)$, $p(k)$, and $q(k)$, computable in time $\poly(k)$, be given, where either for all $k$
3560: \[\eps=0 \ \wedge \ p+q < 1 - 1/\poly(k)\;,\]
3561: \[p+q+2\eps \leq 0.24\;,\] or
3562: \[\min( p + 22q + 44\eps,22p + q + 44\eps, 7 \sqrt{p+q} + 2\eps) < 1 - 1/\poly(k)\;,\]
3563: or, for constant functions $p(k)$, $q(k)$ and $\eps(k)$,
3564: \[p=0 \ \wedge \ \sqrt{q} + 2 \eps <1\;,\]
3565: \[q=0 \ \wedge \ \sqrt{p} + 2 \eps <1\;,\] or
3566: \[(1 - p - q)^4 < - 178 \cdot \log(1 - 2\eps)\;.\]
3567: If there exists a protocol $\bP(\Auth)$ that securely implements $\compWOT{p}{q}{\eps}$ in the computational semi-honest model, then there exists a protocol $\bQ(\Auth)$ that implements $\OT{2}{1}{1}$ in the computational semi-honest model.
3568: \end{corollary}
3569:
3570: \section{Discussion and Open Problems}
3571:
3572: We have shown that Holenstein's hard-core lemma \cite{Holens05,Holens06} can also be applied
3573: in the setting of two-party computation, and presented a new computational assumption, namely \emph{computational weak oblivious transfer}, under which
3574: oblivious transfer and hence any two-party computation is possible in a computationally secure way.
3575:
3576: The \emph{pseudo-randomness extraction theorem} presented in \cite{Holens06} turned out not to be
3577: general enough for our application. It would be interesting to know
3578: whether our generalization is also useful in other applications.
3579:
3580: A very interesting open problem is whether our results can be used to improve the results
3581: from \cite{Haitne04}, i.e., whether it is possible to implement computationally-secure OT
3582: from weaker requirements on trapdoor permutations.
3583:
3584: \bibliographystyle{alpha}
3585:
3586: \newcommand{\etalchar}[1]{$^{#1}$}
3587:
3588: \begin{thebibliography}{IMQNW04}
3589:
3590: \bibitem[AC93]{AhlCsi93}
3591: R.~Ahlswede and I.~Csisz{\'a}r.
3592: \newblock Common randomness in information theory and cryptography -- part {I}:
3593: Secret sharing.
3594: \newblock {\em {IEEE} Transactions on Information Theory}, 39(4):1121--1132,
3595: 1993.
3596:
3597: \bibitem[AIR01]{AiIsRe01}
3598: W.~Aiello, Y.~Ishai, and O.~Reingold.
3599: \newblock Priced oblivious transfer: How to sell digital goods.
3600: \newblock In {\em Advances in Cryptology --- EUROCRYPT '01}, Lecture Notes in
3601: Computer Science, pages 119--135. Springer-Verlag, 2001.
3602:
3603: \bibitem[BBCM95]{BBCM95}
3604: C.~H. Bennett, G.~Brassard, C.~Cr{\'e}peau, and U.~Maurer.
3605: \newblock Generalized privacy amplification.
3606: \newblock {\em IEEE Transactions on Information Theory}, 41, 1995.
3607:
3608: \bibitem[BBCS92]{BBCS92}
3609: C.~H. Bennett, G.~Brassard, C.~Cr{\'e}peau, and H.~Skubiszewska.
3610: \newblock Practical quantum oblivious transfer.
3611: \newblock In {\em Advances in Cryptology --- CRYPTO '91}, volume 576 of {\em
3612: Lecture Notes in Computer Science}, pages 351--366. Springer, 1992.
3613:
3614: \bibitem[BBR88]{BeBrRo88}
3615: C.~H. Bennett, G.~Brassard, and J.-M. Robert.
3616: \newblock Privacy amplification by public discussion.
3617: \newblock {\em SIAM Journal on Computing}, 17(2):210--229, 1988.
3618:
3619: \bibitem[BC97]{BraCre97}
3620: G.~Brassard and C.~Cr{\'e}peau.
3621: \newblock Oblivious transfers and privacy amplification.
3622: \newblock In {\em Advances in Cryptology --- EUROCRYPT '97}, volume 1233 of
3623: {\em Lecture Notes in Computer Science}, pages 334--347. Springer-Verlag,
3624: 1997.
3625:
3626: \bibitem[BCR86]{BrCrRo86b}
3627: G.~Brassard, C.~Cr{\'e}peau, and J.-M. Robert.
3628: \newblock Information theoretic reductions among disclosure problems.
3629: \newblock In {\em Proceedings of the 27th Annual IEEE Symposium on Foundations
3630: of Computer Science (FOCS~'86)}, pages 168--173, 1986.
3631:
3632: \bibitem[BCS96]{BrCrSa96}
3633: G.~Brassard, C.~Cr{\'e}peau, and M.~S{\'a}ntha.
3634: \newblock Oblivious transfers and intersecting codes.
3635: \newblock {\em IEEE Transactions on Information Theory, special issue on coding
3636: and complexity}, 42(6):1769--1780, 1996.
3637:
3638: \bibitem[BCW03]{BrCrWo03}
3639: G.~Brassard, C.~Cr{\'e}peau, and S.~Wolf.
3640: \newblock Oblivious transfers and privacy amplification.
3641: \newblock {\em Journal of Cryptology}, 16(4):219--237, 2003.
3642:
3643: \bibitem[Bea89]{Beaver89b}
3644: D.~Beaver.
3645: \newblock Multiparty protocols tolerating half faulty processors.
3646: \newblock In {\em Advances in Cryptology --- CRYPTO '89}, volume 435 of {\em
3647: Lecture Notes in Computer Science}, pages 560--572. Springer-Verlag, 1989.
3648:
3649: \bibitem[Bea92]{Beaver91}
3650: D.~Beaver.
3651: \newblock Foundations of secure interactive computing.
3652: \newblock In {\em Advances in Cryptology --- CRYPTO '91}, volume 1233 of {\em
3653: Lecture Notes in Computer Science}, pages 377--391. Springer-Verlag, 1992.
3654:
3655: \bibitem[Bea95]{Beaver95}
3656: D.~Beaver.
3657: \newblock Precomputing oblivious transfer.
3658: \newblock In {\em Advances in Cryptology --- EUROCRYPT '95}, volume 963 of {\em
3659: Lecture Notes in Computer Science}, pages 97--109. Springer-Verlag, 1995.
3660:
3661: \bibitem[BGW88]{BeGoWi88}
3662: M.~{Ben-Or}, S.~Goldwasser, and A.~Wigderson.
3663: \newblock Completeness theorems for non-cryptographic fault-tolerant
3664: distributed computation.
3665: \newblock In {\em Proceedings of the 21st Annual ACM Symposium on Theory of
3666: Computing (STOC~'88)}, pages 1--10. ACM Press, 1988.
3667:
3668: \bibitem[BM90]{BelMic89}
3669: M.~Bellare and S.~Micali.
3670: \newblock Non-interactive oblivious transfer and applications.
3671: \newblock In {\em Advances in Cryptology --- CRYPTO '89}, volume 435 of {\em
3672: Lecture Notes in Computer Science}. Springer-Verlag, 1990.
3673:
3674: \bibitem[BPW03]{BaPfWa03}
3675: M.~Backes, B.~Pfitzmann, and M.~Waidner.
3676: \newblock A universally composable cryptographic library.
3677: \newblock http://eprint.iacr.org/2003/015, 2003.
3678:
3679: \bibitem[Cac98]{Cachin98}
3680: C.~Cachin.
3681: \newblock On the foundations of oblivious transfer.
3682: \newblock In {\em Advances in Cryptology --- EUROCRYPT '98}, volume 1403 of
3683: {\em Lecture Notes in Computer Science}, pages 361--374. Springer-Verlag,
3684: 1998.
3685:
3686: \bibitem[Can96]{Canetti96}
3687: R.~Canetti.
3688: \newblock {\em Studies in Secure Multiparty Computation and Applications}.
3689: \newblock PhD thesis, Weizmann Institute of Science, Israel, 1996.
3690:
3691: \bibitem[Can00]{Canetti00b}
3692: R.~Canetti.
3693: \newblock Security and composition of multiparty cryptographic protocols.
3694: \newblock {\em Journal of Cryptology}, 13(1):143--202, 2000.
3695:
3696: \bibitem[Can01]{Canetti00}
3697: R.~Canetti.
3698: \newblock Universally composable security: A new paradigm for cryptographic
3699: protocols.
3700: \newblock In {\em Proceedings of the 42nd Annual IEEE Symposium on Foundations
3701: of Computer Science (FOCS~'01)}, pages 136--145, 2001.
3702: \newblock Updated Version at http://eprint.iacr.org/2000/067.
3703:
3704: \bibitem[CCD88]{ChCrDa88}
3705: D.~Chaum, C.~Cr{\'e}peau, and I.~Damg{\aa}rd.
3706: \newblock Multiparty unconditionally secure protocols (extended abstract).
3707: \newblock In {\em Proceedings of the 21st Annual ACM Symposium on Theory of
3708: Computing (STOC~'88)}, pages 11--19. ACM Press, 1988.
3709:
3710: \bibitem[CDvdG88]{ChDaGr87}
3711: D.~Chaum, I.~Damg{\aa}rd, and J.~van~de Graaf.
3712: \newblock Multiparty computations ensuring privacy of each party's input and
3713: correctness of the result.
3714: \newblock In {\em Advances in Cryptology --- {CRYPTO} '87}, volume 293 of {\em
3715: Lecture Notes in Computer Science}, pages 87--119. Springer-Verlag, 1988.
3716:
3717: \bibitem[CF01]{CanFis01}
3718: R.~Canetti and M.~Fischlin.
3719: \newblock Universally composable commitments.
3720: \newblock In {\em Advances in Cryptology --- CRYPTO '01}, volume 576 of {\em
3721: Lecture Notes in Computer Science}, pages 19--40. Springer-Verlag, 2001.
3722:
3723: \bibitem[Che52]{Cherno52}
3724: H.~Chernoff.
3725: \newblock A measure of asymptotic efficiency for tests of a hypothesis based on
3726: the sum of observations.
3727: \newblock {\em Annals of Mathematical Statistics}, 23:493--507, 1952.
3728:
3729: \bibitem[CK88]{CreKil88}
3730: C.~Cr{\'e}peau and J.~Kilian.
3731: \newblock Achieving oblivious transfer using weakened security assumptions
3732: (extended abstract).
3733: \newblock In {\em Proceedings of the 29th Annual IEEE Symposium on Foundations
3734: of Computer Science (FOCS~'88)}, pages 42--52, 1988.
3735:
3736: \bibitem[CLOS02]{CLOS02}
3737: R.~Canetti, Y.~Lindell, R.~Ostrovsky, and A.~Sahai.
3738: \newblock Universally composable two-party and multi-party secure computation.
3739: \newblock In {\em Proceedings of the 34th Annual ACM Symposium on Theory of
3740: Computing (STOC~'02)}, pages 494--503. ACM Press, 2002.
3741: \newblock Full version available at http://eprint.iacr.org/2002/140.
3742:
3743: \bibitem[CMW04]{CrMoWo04}
3744: C.~Cr{\'e}peau, K.~Morozov, and S.~Wolf.
3745: \newblock Efficient unconditional oblivious transfer from almost any noisy
3746: channel.
3747: \newblock In {\em Proceedings of the Fourth Conference on Security in Communication
3748: Networks (SCN)}, volume 3352 of {\em Lecture Notes in Computer Science},
3749: pages 47--59. Springer-Verlag, 2004.
3750:
3751: \bibitem[Cr{\'e}88]{Crepea87}
3752: C.~Cr{\'e}peau.
3753: \newblock Equivalence between two flavours of oblivious transfers (abstract).
3754: \newblock In {\em Advances in Cryptology --- CRYPTO '87}, volume 293 of {\em
3755: Lecture Notes in Computer Science}, pages 350--354. Springer-Verlag, 1988.
3756:
3757: \bibitem[Cr{\'e}90]{Crepea89}
3758: C.~Cr{\'e}peau.
3759: \newblock Verifiable disclosure of secrets and applications.
3760: \newblock In {\em Advances in Cryptology --- {CRYPTO}~'89}, volume 434 of {\em
3761: Lecture Notes in Computer Science}, pages 181--191. Springer-Verlag, 1990.
3762:
3763: \bibitem[Cr{\'e}97]{Crepea97}
3764: C.~Cr{\'e}peau.
3765: \newblock Efficient cryptographic protocols based on noisy channels.
3766: \newblock In {\em Advances in Cryptology --- CRYPTO '97}, volume 1233 of {\em
3767: Lecture Notes in Computer Science}, pages 306--317. Springer-Verlag, 1997.
3768:
3769: \bibitem[CS91]{CreSan91}
3770: C.~Cr{\'e}peau and M.~S{\'a}ntha.
3771: \newblock On the reversibility of oblivious transfer.
3772: \newblock In {\em Advances in Cryptology --- EUROCRYPT '91}, volume 547 of {\em
3773: Lecture Notes in Computer Science}, pages 106--113. Springer, 1991.
3774:
3775: \bibitem[CS06]{CreSav06}
3776: C.~Cr{\'e}peau and G.~Savvides.
3777: \newblock Optimal reductions between oblivious transfers using interactive
3778: hashing.
3779: \newblock In {\em Advances in Cryptology --- EUROCRYPT '06}, volume 4004 of
3780: {\em Lecture Notes in Computer Science}, pages 201--221. Springer-Verlag,
3781: 2006.
3782:
3783: \bibitem[CSSW06]{CSSW06}
3784: C.~Cr{\'e}peau, G.~Savvides, C.~Schaffner, and J.~Wullschleger.
3785: \newblock Information-theoretic conditions for two-party secure function
3786: evaluation.
3787: \newblock In {\em Advances in Cryptology --- EUROCRYPT '06}, volume 4004 of
3788: {\em Lecture Notes in Computer Science}, pages 538--554. Springer-Verlag,
3789: 2006.
3790: \newblock {Full version available at http://eprint.iacr.org/2006/183}.
3791:
3792: \bibitem[CvdGT95]{CrvGTa95}
3793: C.~Cr{\'e}peau, J.~van~de Graaf, and A.~Tapp.
3794: \newblock Committed oblivious transfer and private multi-party computation.
3795: \newblock In {\em Advances in Cryptology --- {CRYPTO}~'95}, Lecture Notes in
3796: Computer Science, pages 110--123. Springer-Verlag, 1995.
3797:
3798: \bibitem[CW79]{CarWeg79}
3799: J.~L. Carter and M.~N. Wegman.
3800: \newblock {Universal classes of hash functions}.
3801: \newblock {\em Journal of Computer and System Sciences}, 18:143--154, 1979.
3802:
3803: \bibitem[DFMS04]{DFMS04}
3804: I.~Damg{\aa}rd, S.~Fehr, K.~Morozov, and L.~Salvail.
3805: \newblock Unfair noisy channels and oblivious transfer.
3806: \newblock In {\em Theory of Cryptography Conference --- TCC~'04}, volume 2951
3807: of {\em Lecture Notes in Computer Science}, pages 355--373. Springer-Verlag,
3808: 2004.
3809:
3810: \bibitem[DFR{\etalchar{+}}06]{DFRSS06}
3811: I.~Damg{\aa}rd, S.~Fehr, R.~Renner, L.~Salvail, and C.~Schaffner.
3812: \newblock A tight high-order entropic uncertainty relation with applications in
3813: the bounded quantum-storage model.
3814: \newblock In preparation, 2006.
3815:
3816: \bibitem[DFSS06]{DFSS06}
3817: I.~Damg{\aa}rd, S.~Fehr, L.~Salvail, and C.~Schaffner.
3818: \newblock Oblivious transfer and linear functions.
3819: \newblock In {\em Advances in Cryptology --- CRYPTO '06}, volume 4117 of {\em
3820: Lecture Notes in Computer Science}. Springer-Verlag, 2006.
3821:
3822: \bibitem[DKS99]{DaKiSa99}
3823: I.~Damg{\aa}rd, J.~Kilian, and L.~Salvail.
3824: \newblock On the (im)possibility of basing oblivious transfer and bit
3825: commitment on weakened security assumptions.
3826: \newblock In {\em Advances in Cryptology --- EUROCRYPT '99}, volume 1592 of
3827: {\em Lecture Notes in Computer Science}, pages 56--73. Springer-Verlag, 1999.
3828:
3829: \bibitem[DM99]{DodMic99}
3830: Y.~Dodis and S.~Micali.
3831: \newblock Lower bounds for oblivious transfer reductions.
3832: \newblock In {\em Advances in Cryptology --- {EUROCRYPT} '99}, volume 1592 of
3833: {\em Lecture Notes in Computer Science}, pages 42--55. Springer-Verlag, 1999.
3834:
3835: \bibitem[EGL85]{EvGoLe85}
3836: S.~Even, O.~Goldreich, and A.~Lempel.
3837: \newblock A randomized protocol for signing contracts.
3838: \newblock {\em Commun. ACM}, 28(6):637--647, 1985.
3839:
3840: \bibitem[Fis06]{Fischl06}
3841: M.~Fischlin.
3842: \newblock Universally composable oblivious transfer in the multi-party setting.
3843: \newblock In {\em RSA Security Cryptographer's Track 2006}, volume 3860 of {\em
3844: Lecture Notes in Computer Science}, pages 332--349. Springer-Verlag, 2006.
3845:
3846: \bibitem[GL91]{GolLev90}
3847: S.~Goldwasser and L.~A. Levin.
3848: \newblock Fair computation of general functions in presence of immoral
3849: majority.
3850: \newblock In {\em Advances in Cryptology --- {CRYPTO}~'90}, Lecture Notes in
3851: Computer Science, pages 77--93. Springer-Verlag, 1991.
3852:
3853: \bibitem[GMR85]{GoMiRa85}
3854: S.~Goldwasser, S.~Micali, and C.~Rackoff.
3855: \newblock The knowledge complexity of interactive proof-systems.
3856: \newblock In {\em Proceedings of the 17th Annual ACM Symposium on Theory of
3857: Computing (STOC~'85)}, pages 291--304. ACM Press, 1985.
3858:
3859: \bibitem[GMW87]{GoMiWi87}
3860: O.~Goldreich, S.~Micali, and A.~Wigderson.
3861: \newblock How to play any mental game.
3862: \newblock In {\em Proceedings of the 21st Annual ACM Symposium on Theory of
3863: Computing (STOC~'87)}, pages 218--229. ACM Press, 1987.
3864:
3865: \bibitem[GMY04]{GaMaYa04}
3866: J.~Garay, P.~MacKenzie, and K.~Yang.
3867: \newblock Efficient and universally composable committed oblivious transfer and
3868: applications.
3869: \newblock In {\em Theory of Cryptography Conference --- TCC~'04}, volume 2951
3870: of {\em Lecture Notes in Computer Science}, pages 297--316. Springer-Verlag,
3871: 2004.
3872:
3873: \bibitem[Gol04]{Goldreich04}
3874: O.~Goldreich.
3875: \newblock {\em Foundations of Cryptography}, volume II: Basic Applications.
3876: \newblock Cambridge University Press, 2004.
3877:
3878: \bibitem[GV88]{GolVai87}
3879: O.~Goldreich and R.~Vainish.
3880: \newblock How to solve any protocol problem --- an efficiency improvement.
3881: \newblock In {\em Advances in Cryptology --- {CRYPTO}~'87}, Lecture Notes in
3882: Computer Science, pages 73--86. Springer-Verlag, 1988.
3883:
3884: \bibitem[Hai04]{Haitne04}
3885: I.~Haitner.
3886: \newblock Implementing oblivious transfer using collection of dense trapdoor
3887: permutations.
3888: \newblock In {\em Theory of Cryptography Conference --- TCC~'04}, volume 2951
3889: of {\em Lecture Notes in Computer Science}, pages 394--409. Springer-Verlag,
3890: 2004.
3891:
3892: \bibitem[H{\aa}s90]{Hastad90}
3893: J.~H{\aa}stad.
3894: \newblock Pseudo-random generators under uniform assumptions.
3895: \newblock In {\em Proceedings of the 22nd Annual ACM Symposium on Theory of
3896: Computing (STOC~'90)}, pages 395--404. ACM Press, 1990.
3897:
3898: \bibitem[HHR06]{HaHaRe05}
3899: I.~Haitner, D.~Harnik, and O.~Reingold.
3900: \newblock On the power of the randomized iterate.
3901: \newblock In {\em Advances in Cryptology --- CRYPTO '06}, volume 4117 of {\em
3902: Lecture Notes in Computer Science}, pages 21--40. Springer-Verlag, 2006.
3903:
3904: \bibitem[HILL99]{HILL99}
3905: J.~H{\aa}stad, R.~Impagliazzo, L.~A. Levin, and M.~Luby.
3906: \newblock A pseudorandom generator from any one-way function.
3907: \newblock {\em SIAM J. Comput.}, 28(4):1364--1396, 1999.
3908:
3909: \bibitem[HKN{\etalchar{+}}05]{HKNRR05}
3910: D.~Harnik, J.~Kilian, M.~Naor, O.~Reingold, and A.~Rosen.
3911: \newblock On robust combiners for oblivious transfer and other primitives.
3912: \newblock In {\em Advances in Cryptology --- EUROCRYPT '05}, volume 3494 of
3913: {\em Lecture Notes in Computer Science}, pages 96--113, 2005.
3914:
3915: \bibitem[Hoe63]{Hoeffd63}
3916: W.~Hoeffding.
3917: \newblock Probability inequalities for sums of bounded random variables.
3918: \newblock {\em Journal of the American Statistical Association},
3919: 58(301):13--30, 1963.
3920:
3921: \bibitem[Hol05]{Holens05}
3922: T.~Holenstein.
3923: \newblock Key agreement from weak bit agreement.
3924: \newblock In {\em Proceedings of the 37th ACM Symposium on Theory of Computing
3925: (STOC~'05)}, pages 664--673. ACM Press, 2005.
3926:
3927: \bibitem[Hol06]{Holens06}
3928: T.~Holenstein.
3929: \newblock {\em Strengthening key agreement using hard-core sets}.
3930: \newblock PhD thesis, {ETH} Zurich, Switzerland, 2006.
3931: \newblock Reprint as vol.~7 of {\em ETH Series in Information Security and
3932: Cryptography}, {H}artung-{G}orre {V}erlag.
3933:
3934: \bibitem[HR05]{HolRen05}
3935: T.~Holenstein and R.~Renner.
3936: \newblock One-way secret-key agreement and applications to circuit polarization
3937: and immunization of public-key encryption.
3938: \newblock In {\em Advances in Cryptology --- CRYPTO '05}, volume 3621 of {\em
3939: Lecture Notes in Computer Science}, pages 478--493. Springer-Verlag, 2005.
3940:
3941: \bibitem[ILL89]{ILL89}
3942: R.~Impagliazzo, L.~A. Levin, and M.~Luby.
3943: \newblock Pseudo-random generation from one-way functions.
3944: \newblock In {\em Proceedings of the 21st Annual ACM Symposium on Theory of
3945: Computing (STOC~'89)}, pages 12--24. ACM Press, 1989.
3946:
3947: \bibitem[IMN06]{ImMoNa06}
3948: H.~Imai, K.~Morozov, and A.~Nascimento.
3949: \newblock On the oblivious transfer capacity of the erasure channel.
3950: \newblock In {\em Proceedings of the 2006 IEEE International Symposium on
3951: Information Theory (ISIT~'06)}, pages 1428--1431, 2006.
3952:
3953: \bibitem[Imp95]{Impagl95}
3954: R.~Impagliazzo.
3955: \newblock Hard-core distributions for somewhat hard problems.
3956: \newblock In {\em Proceedings of the 36th Annual IEEE Symposium on Foundations
3957: of Computer Science (FOCS~'95)}, pages 538--545. IEEE Computer Society, 1995.
3958:
3959: \bibitem[IMQNW04]{IMNW04}
3960: H.~Imai, J.~M{\"u}ller-Quade, A.~Nascimento, and A.~Winter.
3961: \newblock Rates for bit commitment and coin tossing from noisy correlation.
3962: \newblock In {\em Proceedings of the IEEE International Symposium on
3963: Information Theory (ISIT~'04)}, 2004.
3964:
3965: \bibitem[IR89]{ImpRud89}
3966: R.~Impagliazzo and S.~Rudich.
3967: \newblock Limits on the provable consequences of one-way permutations.
3968: \newblock In {\em Proceedings of the 21st Annual ACM Symposium on Theory of
3969: Computing (STOC~'89)}, pages 186--208. ACM Press, 1989.
3970:
3971: \bibitem[Kil88]{Kilian88}
3972: J.~Kilian.
3973: \newblock Founding cryptography on oblivious transfer.
3974: \newblock In {\em Proceedings of the 20th Annual ACM Symposium on Theory of
3975: Computing (STOC~'88)}, pages 20--31. ACM Press, 1988.
3976:
3977: \bibitem[KM01]{KorMor01}
3978: V.~Korjik and K.~Morozov.
3979: \newblock Generalized oblivious transfer protocols based on noisy channels.
3980: \newblock In {\em Proceedings of the International Workshop MMM ACNS}, volume
3981: 2052 of {\em Lecture Notes in Computer Science}, pages 219--229.
3982: Springer-Verlag, 2001.
3983:
3984: \bibitem[LC97]{LoChau97}
3985: H.~K. Lo and H.~F. Chau.
3986: \newblock Is quantum bit commitment really possible?
3987: \newblock {\em Physical Review Letters}, 78:3410--3413, 1997.
3988:
3989: \bibitem[Mau93]{Maurer93}
3990: U.~Maurer.
3991: \newblock Secret key agreement by public discussion.
3992: \newblock {\em IEEE Transactions on Information Theory}, 39(3):733--742, 1993.
3993:
3994: \bibitem[Mau06]{Maurer06}
3995: U.~Maurer.
3996: \newblock Lecture notes on information security, 2006.
3997:
3998: \bibitem[May97]{Mayers97}
3999: D.~Mayers.
4000: \newblock Unconditionally secure quantum bit commitment is impossible.
4001: \newblock {\em Physical Review Letters}, 78:3414--3417, 1997.
4002:
4003: \bibitem[Mor05]{Morozo05}
4004: K.~Morozov.
4005: \newblock {\em On Cryptographic Primitives Based on Noisy Channels}.
4006: \newblock PhD thesis, University of Aarhus, Denmark, 2005.
4007:
4008: \bibitem[MPW07]{MePrWu07}
4009: R.~Meier, B.~Przydatek, and J.~Wullschleger.
4010: \newblock Robuster combiners for oblivious transfer.
4011: \newblock In {\em Theory of Cryptography Conference --- TCC '07}, Lecture Notes
4012: in Computer Science. Springer-Verlag, 2007.
4013:
4014: \bibitem[MR92]{MicRog91}
4015: S.~Micali and P.~Rogaway.
4016: \newblock Secure computation (abstract).
4017: \newblock In {\em Advances in Cryptology --- CRYPTO '91}, volume 576 of {\em
4018: Lecture Notes in Computer Science}, pages 392--404. Springer-Verlag, 1992.
4019:
4020: \bibitem[MT98]{MolTie98}
4021: B.~Moldovanu and M.~Tietzel.
4022: \newblock Goethe's second-price auction.
4023: \newblock {\em The Journal of Political Economy}, 106(4):854--859, 1998.
4024:
4025: \bibitem[NP01]{NaoPin01}
4026: M.~Naor and B.~Pinkas.
4027: \newblock Efficient oblivious transfer protocols.
4028: \newblock In {\em Proceedings of the 12th Annual ACM-SIAM Symposium on Discrete
4029: Algorithms (SODA~'01)}, pages 448--457. Society for Industrial and Applied
4030: Mathematics, 2001.
4031:
4032: \bibitem[NW06]{NaWi06}
4033: A.~Nascimento and A.~Winter.
4034: \newblock On the oblivious transfer capacity of noisy correlations.
4035: \newblock In {\em Proceedings of the IEEE International Symposium on
4036: Information Theory (ISIT~'06)}, 2006.
4037:
4038: \bibitem[OVY93]{OsVeYu91}
4039: R.~Ostrovsky, R.~Venkatesan, and M.~Yung.
4040: \newblock Fair games against an all-powerful adversary.
4041: \newblock In {\em Advances in Computational Complexity Theory}, volume~13 of
4042: {\em AMS DIMACS Series in Discrete Mathematics and Theoretical Computer
4043: Science}, pages 155--169. AMS, 1993.
4044:
4045: \bibitem[PW01]{PfiWai00}
4046: B.~Pfitzmann and M.~Waidner.
4047: \newblock A model for asynchronous reactive systems and its application to
4048: secure message transmission.
4049: \newblock In {\em Proceedings of the 2001 IEEE Symposium on Security and
4050: Privacy (SP~'01)}, page 184, 2001.
4051: \newblock Also available at http://eprint.iacr.org/2000/066.
4052:
4053: \bibitem[Rab81]{Rabin81}
4054: M.~O. Rabin.
4055: \newblock How to exchange secrets by oblivious transfer.
4056: \newblock Technical Report TR-81, Harvard Aiken Computation Laboratory, 1981.
4057:
4058: \bibitem[RB89]{RabBen89}
4059: T.~Rabin and M.~{Ben-Or}.
4060: \newblock Verifiable secret sharing and multiparty protocols with honest
4061: majority.
4062: \newblock In {\em Proceedings of the 21st Annual ACM Symposium on Theory of
4063: Computing (STOC~'89)}, pages 73--85. ACM Press, 1989.
4064:
4065: \bibitem[R{\'e}n61]{Renyi61}
4066: A.~R{\'e}nyi.
4067: \newblock On measures of information and entropy.
4068: \newblock In {\em Proceedings of the 4th Berkeley Symposium on Mathematics,
4069: Statistics and Probability}, pages 547--561, 1961.
4070:
4071: \bibitem[Ren05]{Renner05}
4072: R.~Renner.
4073: \newblock {\em Security of Quantum Key Distribution}.
4074: \newblock PhD thesis, {ETH} Zurich, Switzerland, 2005.
4075: \newblock Available at http://arxiv.org/abs/quant-ph/0512258.
4076:
4077: \bibitem[RK05]{RenKoe05}
4078: R.~Renner and R.~K{\"o}nig.
4079: \newblock Universally composable privacy amplification against quantum
4080: adversaries.
4081: \newblock In {\em Theory of Cryptography Conference --- TCC '05}, volume 3378
4082: of {\em Lecture Notes in Computer Science}, pages 407--425. Springer-Verlag,
4083: 2005.
4084: \newblock Also available at http://arxiv.org/abs/quant-ph/0403133.
4085:
4086: \bibitem[RW05]{RenWol05}
4087: R.~Renner and S.~Wolf.
4088: \newblock Simple and tight bounds for information reconciliation and privacy
4089: amplification.
4090: \newblock In {\em Advances in Cryptology --- ASIACRYPT 2005}, volume 3788 of
4091: {\em Lecture Notes in Computer Science}, pages 199--216. Springer-Verlag,
4092: 2005.
4093:
4094: \bibitem[Sho94]{Shor94}
4095: P.~Shor.
4096: \newblock Algorithms for quantum computation: discrete logarithms and
4097: factoring.
4098: \newblock In {\em Proceedings of the 35th Annual IEEE Symposium on Foundations
4099: of Computer Science (FOCS~'94)}, pages 124--134, 1994.
4100:
4101: \bibitem[SV99]{SahVad99}
4102: A.~Sahai and S.~Vadhan.
4103: \newblock Manipulating statistical difference.
4104: \newblock In {\em Randomization Methods in Algorithm Design ({DIMACS}
4105: Workshop~'97)}, volume~43 of {\em {DIMACS} Series in Discrete Mathematics and
4106: Theoretical Computer Science}, pages 251--270. American Mathematical Society,
4107: 1999.
4108:
4109: \bibitem[Vad99]{Vadhan99}
4110: S.~Vadhan.
4111: \newblock {\em A study of statistical zero-knowledge proofs}.
4112: \newblock PhD thesis, Massachusetts Institute of Technology, USA, 1999.
4113:
4114: \bibitem[Wie83]{Wiesner70}
4115: S.~Wiesner.
4116: \newblock Conjugate coding.
4117: \newblock {\em SIGACT News}, 15(1):78--88, 1983.
4118:
4119: \bibitem[Wul07]{Wullsc07}
4120: J.~Wullschleger.
4121: \newblock Oblivious-transfer amplification.
4122: \newblock In {\em Advances in Cryptology --- {EUROCRYPT}~'07}, Lecture Notes in
4123: Computer Science. Springer-Verlag, 2007.
4124:
4125: \bibitem[WW04]{WolWul04}
4126: S.~Wolf and J.~Wullschleger.
4127: \newblock Zero-error information and applications in cryptography.
4128: \newblock In {\em Proceedings of the 2004 IEEE Information Theory Workshop
4129: (ITW~'04)}, 2004.
4130:
4131: \bibitem[WW06]{WolWul06}
4132: S.~Wolf and J.~Wullschleger.
4133: \newblock Oblivious transfer is symmetric.
4134: \newblock In {\em Advances in Cryptology --- EUROCRYPT '06}, volume 4004 of
4135: {\em Lecture Notes in Computer Science}, pages 222--232. Springer-Verlag,
4136: 2006.
4137:
4138: \bibitem[Yao82]{Yao82}
4139: A.~C. Yao.
4140: \newblock Protocols for secure computations.
4141: \newblock In {\em Proceedings of the 23rd Annual IEEE Symposium on Foundations
4142: of Computer Science (FOCS~'82)}, pages 160--164, 1982.
4143:
4144: \end{thebibliography}
4145:
4146: \appendix
4147:
4148: \chapter{Appendix}
4149:
4150: \section{Formal Technicalities}
4151:
4152: \begin{lemma}[Chernoff/Hoeffding Bound \cite{Cherno52,Hoeffd63}] \label{lem:chernoff1}
4153: Let $P_{X_0\dots X_{n-1}} = P_{X}^n$ be a product distribution
4154: with $X_i \in [0,1]$. Let
4155: $X := \frac 1 n \sum_{i=0}^{n-1} X_i$, and $\mu = E[X]$. Then, for any $\eps > 0$,
4156: \begin{align*}
4157: \Pr\left[ X \geq \mu + \eps \right ] &\leq e^{-2n\eps^2}\;,\\
4158: \Pr\left[ X \leq \mu - \eps \right ] &\leq e^{-2n\eps^2}\;.
4159: \end{align*}
4160: \end{lemma}
4161:
4162: \begin{lemma}[Cauchy--Schwarz] \label{lem:cauchySchwartz}
4163: For all $x_0, \dots, x_{n-1}, y_0, \dots, y_{n-1} \in \bbR$, we have
4164: \[\left(\sum_{i=0}^{n-1} x_i y_i\right)^2\leq \left(\sum_{i=0}^{n-1} x_i^2\right) \cdot \left(\sum_{i=0}^{n-1} y_i^2\right)\;.\]
4165: \end{lemma}
4166:
4167: \begin{lemma}\label{lem:cauchySchwartz2}
4168: For all $a_0, \dots, a_{n-1} \in \bbR$, we have
4169: \[\left(\sum_{i=0}^{n-1} a_i\right)^2\leq n \cdot \sum_{i=0}^{n-1} a_i^2\;.\]
4170: \end{lemma}
4171:
4172: \begin{proof}
4173: The statement follows from Lemma~\ref{lem:cauchySchwartz},
4174: choosing $x_i :=1$ and $y_i := a_i$.
4175: \end{proof}
4176:
4177:
4178: \begin{lemma} \label{lem:redBound2}
4179: For all $x \in \bbR$, we have $\ln(x+1) \leq x \leq e^{x-1}$.
4180: \end{lemma}
4181:
4182: \begin{proof}[Proof sketch]
4183: The function $\ln(x+1)$ is concave and passes through the point $(0,0)$ with slope $1$, while the function $e^{x-1}$ is convex and passes through the point $(1,1)$ with slope $1$; the line $y = x$ is therefore a tangent to both, lying above the concave function and below the convex one. Hence, we have
4184: $\ln(x+1) \leq x \leq e^{x-1}$.
4185: \end{proof}
4186:
4187: \begin{lemma} \label{lem:redBound3}
4188: For $0 \leq x \leq 1$, we have $1 - \sqrt{1 - x} \leq x$.
4189: \end{lemma}
4190:
4191: \begin{proof}
4192: From $(1-x)^2 \leq 1 - x$ it follows that $1 - x \leq \sqrt{1-x}$, and hence $1 - \sqrt{1 - x} \leq x$.
4193: \end{proof}
4194:
4195: \begin{lemma} \label{lem:redBound4}
4196: For all $x, y \in \bbR$, we have
4197: \[ \left |x - \frac{x+y} 2 \right | + \left |y - \frac{x+y} 2 \right| = |x-y|\;. \]
4198: \end{lemma}
4199:
4200: \begin{proof}
4201: If $x \geq y$, we have
4202: \begin{align*}
4203: \left |x - \frac{x+y} 2 \right | + \left |y - \frac{x+y} 2 \right|
4204: = x - \frac{x+y} 2 + \frac{x+y} 2 - y
4205: = x-y = |x-y|\;.
4206: \end{align*}
4207: The case $y > x$ is symmetric.
4208: \end{proof}
4209:
4210: \begin{lemma} \label{lem:corr2}
4211: Let $X_0$ and $X_1$ be two independent binary random variables with $\Pr[X_0=1] \leq (1-\alpha_0)/2$ and
4212: $\Pr[X_1=1] \leq (1-\alpha_1)/2$, where $\alpha_0,\alpha_1 \geq 0$. Then $\Pr[X_0 \oplus X_1=1] \leq (1-\alpha_0\alpha_1)/2$.
4213: \end{lemma}
4214:
4215: \begin{proof}
4216: For $\Pr[X_0=1] = (1-\alpha'_0)/2$ and $\Pr[X_1=1] = (1-\alpha'_1)/2$, we have
4217: \begin{align*}
4218: \Pr[X_0 \oplus X_1 =1]
4219: = \frac{1+\alpha'_0}{2} \cdot \frac{1-\alpha'_1}{2} + \frac{1-\alpha'_0}{2} \cdot \frac{1+\alpha'_1}{2}
4220: = \frac{1- \alpha'_0 \alpha'_1} 2\;.
4221: \end{align*}
4222: The lemma follows from the fact that
4223: \[\frac{1- \alpha'_0 \alpha'_1} 2 \geq \frac{1- \alpha_0 \alpha_1} 2\]
4224: for all $\alpha'_0 \in [\alpha_0,1]$ and $\alpha'_1 \in [\alpha_1,1]$.
4225: \end{proof}
4226:
4227: \begin{lemma} \label{lem:corrn}
4228: For $i \in\{0,\dots,n-1\}$, let $X_i$ be independent binary random variables
4229: where $\Pr[X_i = 1] \leq \alpha$, for $\alpha \leq 1/2$. Then
4230: \[\Pr[X_0 \oplus \cdots \oplus X_{n-1} = 1] \leq \frac{1 - (1-2 \alpha)^n}{2} \leq n \alpha\;.\]
4231: \end{lemma}
4232:
4233: \begin{proof}
4234: The first inequality follows by induction from Lemma~\ref{lem:corr2}, and the second
4235: by the union bound, since
4236: \[\Pr[X_0 \oplus \cdots \oplus X_{n-1} = 1] \leq \Pr[\exists i: X_i = 1] \leq n \alpha\;.\]
4237: \end{proof}
4238:
4239: \begin{lemma} \label{lem:redBound1}
4240: For $i \in \{0,\dots,n-1\}$, let $X_i \in \{0,1\}$ be independently distributed with $\Pr[X_i = 1] \leq \alpha$.
4241: We have
4242: \[ \Pr[ X_0 = 1 \vee \dots \vee X_{n-1} = 1 ] \leq 1 - (1-\alpha)^n \leq n \alpha.\]
4243: \end{lemma}
4244:
4245: \begin{proof}
4246: This follows directly from the union bound.
4247: \end{proof}
4248:
4249: \begin{lemma} \label{lem:errRed}
4250: For $i \in \{0,\dots,n-1\}$, let $X_i \in \{0,1\}$ be independently distributed with $\Pr[X_i = 1] \leq \alpha$.
4251: We have
4252: \[ \Pr\left[\sum_{i=0}^{n-1} X_i \geq n/2\right ] \leq \sum_{i=\lceil n/2 \rceil}^{n} \binom{n}{i} \alpha^{i} (1 - \alpha)^{n-i} \leq e^{-2 n (1/2 - \alpha)^2}\;.\]
4253: \end{lemma}
4254:
4255: \begin{proof}
4256: We apply Lemma~\ref{lem:chernoff1} with $\mu := \alpha$ and $\eps := 1/2 - \alpha$.
4257: \end{proof}
4258:
4259: \end{document}
4260: