



Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
These lecture notes cover the concept of secure computation through encrypted data, specifically focusing on Oblivious Transfer. The notes explore the ideal trusted party model and the real-world view without the mediator. The notes also cover different types of adversaries that challenge any protocols constructed and a secure construction for Oblivious Transfer. The notes are from a CS/ECE 498AC3/4 course at the University of Illinois, Urbana Champaign.
Typology: Lecture notes
1 / 6
This page cannot be seen from the preview
Don't miss anything!




University of Illinois, Urbana Champaign CS/ECE 498AC3/4 Applied Cryptography
Instructor: Dakshita Khurana Scribe: Mohammad Behnia Date: September 29, 2020
Oblivious Transfer
In this lecture we will introduce the concept of secure computation. In a transition out of our discussions of zero knowledge, we will explore methods of performing computation on encrypted data in a secure manner. So far, we have explored ways to facilitate secure com- munication (various encryption systems) followed by methods to show proof of encryption without revealing any secrets (using zero-knowledge to enable such proofs). Now moving onto secure computation, the high-level goals will be to reveal some partial results to the involved parties while hiding sensitive information we do not want specific parties to recover. The first part of this lecture involves setting up a scenario where Alice and Bob want to engage in an oblivious transfer. We will explore this model using an ideal trusted party as a mediator and a real-world view without the mediator. We will look at different types of adversaries that will challenge any protocols we construct. Finally, we will look at a secure construction and begin to formulate our security proofs.
Oblivious transfer is a cryptography primitive under which a sender transfers one of many choices of information but remains oblivious to which one was chosen. Let’s take a first look at an example of oblivious transfer. Consider the scenario with a sender Alice, and receiver Bob depicted in Figure 20.1. Alice has two messages m 0 and m 1 , and Bob has some binary choice denoted by bit b. The goal is for Bob to receive exactly one of m 0 and m 1 depending on bit b. The chosen message will be denoted as mb. Under the ideal construction, we will have a trusted authority that will mediate this exchange. Alice will send m 0 and m 1 to the authority and in return receive an acknowledgement that the exchange has completed. Bob will send bit b to the authority and receive a message mb. In this scheme, both Alice and Bob only receive partial information from the trusted authority (Alice receives the acknowledgement signal and Bob receives only mb). Beyond the multiplexer functionality, we care about the security of the oblivious transfer. In particular, we would like Alice to have no idea about the value of bit b (which we should be able to formally prove using the two-game adversary model), and Bob to have no idea about the contents of the message that was not selected: m 1 −b. Under the trusted authority model both of these goals are satisfied, but the question remains if we can guarantee these security goals without the trusted authority.
Figure 20.1: An ideal model of oblivious transfer between Alice and Bob.
This will be our first attempt at creating an oblivious transfer protocol for Alice and Bob assuming they are honest parties. We will explore the definition of “honesty” and alterna- tive adversary models after completing this construction. The goal of this construction is to create a groundwork for a functional protocol.
The high-level idea is to have Bob sample two public keys pk 0 and pk 1. Alice will then encrypt each message using its corresponding public key and return ciphertexts to Bob. Bob, however, should only be able to decrypt one of the encrypted messages. Using the El-Gamal key exchange scheme we will define the construction as follows:
If Bob follows the protocol for generating the two public keys and Alice is not able to dis- tinguish the two public keys, this will be a sound protocol. However if Bob is not honest and samples both key-pairs, the adversarial Bob will be able to recover both messages.
Figure 20.2: An adversarial receiver interacting with the simulator.
Figure 20.3: An adversarial sender interacting with the simulator.
Note, we can also create this simulator model for the context of a malicious sender (Alice). In this case, the simulator will be between Alice and the trusted authority, with a transcript with Alice and sending m 0 and m 1 and receiving acknowledgement from the trusted author- ity. One observation from this construction is that the simulator must be able to find m 0 and m 1 independent of b, since simulator has no knowledge of bit b. It follows, that Alice’s behavior in the real game must also be independent of the Bob’s choice of bit b.
This construction is similar to a work [1] in which El-Gamal encryption is employed. Further security analysis under adversarial Alice/Bob are presented in the paper.
Consider Bob has some input bit b.
Alice receives s 0 and s 1 from Bob.
Alice sends ct 0 and ct 1 to Bob.
Bob knows exactly one (pk, sk) pair, corresponding to mb. For b == 0, Bob can recover m 0 , and for b == 1 Bob can recover m 1.
We will address some underlying assumptions and initial questions about this protocol.
Assumption 20.1. A public key encryption scheme with pseudorandom public keys (or mapping thereof) is selected.
We will begin to look at what the simulator must do and look at some constructions that we will revisit next lecture to finalize our proof of view-indistinguishability.
Consider security against a malicious Alice:
The simulator sends s˜ 0 and s˜ 1 to Alice and receives ct˜ 0 and ct˜ 1. The simulator should be able to decrypt both ciphertexts and send m 0 and m 1 to the trusted authority. To enable this, the simulator will have control of the random oracle (programmability of oracle hash output values). This can be achieved if the simulator samples s˜ 0 and s˜ 1 such that they will
know the sk˜ 0 and sk˜ 1 corresponding to ˜pk 0 and pk˜ 1. One approach is for the simulator to randomly sample s˜ 0 and s˜ 1 and set H( s˜ 0 ) = ˜pk 0 ⊕ s˜ 1 and H( s˜ 1 ) = pk˜ 1 ⊕ s˜ 0. To prove indistinguishability, one would need to show the view of Alice observing s˜ 0 and s˜ 1 sampled uniformly at random and her interactions with the random oracle (with the outputs set accordingly) is indistinguishable from the real world transaction with Bob (next lecture).