Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner WEIZMANN INSTITUTE OF SCIENCE

Talk Overview  Oblivious transfer (OT)  Collection of trapdoor permutations (TDP)  Does TDP imply OT?  Our result: dense-TDP implies OT

Oblivious Transfer (OT )[Rabin 81’] (one-out-of-two version [EGL 85’] ) 1.Correctness: The receiver learns  i 2.Sender's privacy: The receiver learns nothing about  1-i 3.Receiver's privacy: The sender learns nothing about i Semi-honest model (honest-but-curious) - suffices due to Goldreich, Micali and Wigderson  0 and  1 (w.l.o.g. bits) i 2 {0,1} Sender Receiver

{0,1} n DD x DD f  (x) hard easy easy with trapdoor {0,1} n DD DD Permutation sampler: I (1 n ) = ( ,t  Domain sampler: D(  ) = x 2 R D  Evaluation/ Inversion F( ,x) = f  (x), F -1 ( ,t,x) = f  -1 (x) Known Candidates: Rabin’s collection, RSA,… Does TDP imply OT? hard easy with trapdoor Collection of trapdoor Permutations (TDP) easy x f  (x) {f  : D  ! D  } n = |  |

 EGL protocol r 0,r 1 ( ,t) à I (1 n ) r 1-i à D(  ) s à D(  ) r i = f  (s) For j = 0,1: c j =  j © b(f  -1 (r j )) c 0,c 1 Output: c i © b(s) (=  i ) 1n1n Sender (  0 and  1 ) Receiver (i) Correctness Receiver’s privacy ?Sender's privacy n is the security parameter of the protocol b is any hardcore predicate of f 

Knowing the random coins used by the Domain sampler (D), might give information about the pre-image of the element. –Rabin’s collection original implementation Therefore the EGL protocol might not satisfy the Sender's privacy requirement. –Enhanced–TDP [Glodreich 02’] inverting an element is hard, even when the randomness used to produce it is given. Enhanced–TDP ) OT

Our result: Implementing OT using any dense - TDP {0,1} n DD 9 positive polynomial p s.t.  |D  | ¢ p(n) > 2 n

Enhanced Vs. Dense Dense (property) might be considered as a more natural requirement Probably easier to verify Different approach might lead to OT based on any TDP

Implementing OT using dense-TDP Implementing OT using dense-checkable-TDP checkable-TDP: The existence of domain sampler is not guaranteed, but there is an efficient way to check whether a given element is inside a permutation domain or not.

OT based on dense-checkable-TDP r 0,r 1  ( ,t) Ã I (1 n ) 1.s,r 1-i 2 R {0,1} n 2.if s or r 1-i  D  go back to step 1 3.r i = f  (s).... …. Sender (  0 and  1 ) Receiver (i) Correctness Receiver’s privacy Sender's privacy

Implementing OT using dense-t-checkable-TDP t-checkable-TDP: Like checkable-TDP, but the containment test requires the trapdoor. There exists an efficient algorithm A s.t.: A( ,t,x) = 1 iff x 2 D 

OT based on dense- t-checkable-TDP (first try) r 0,r 1 ( ,t) Ã I (1 n ) Go 1.s,r 1-i 2 R {0,1} n 2.if s or r 1-i  D  go back to step r i = f  (s)  … … If s or r 1-i  D  restart s,r 1-i i Sender (  0 and  1 ) Receiver (i)

OT based on dense t-checkable-TDP (second try) ( ,t) Ã I (1 n ) 1.s,r 1-i 2 R {0,1} n 2.r i = f  (s)  If r 0 or r 1  D  restart For j = 0,1: c j =  j © b(f  -1 (r j )) c 0,c 1 Output: c i © b(s) (=  i ) r 0,r 1 (rand.) Reveal order Sender (  0 and  1 ) Receiver (i) f  (s) ≡ F( ,s)

{0,1} n DD riri DD y f  -1 f  s f  (s) ≡ F( ,s) The receiver might recover  i incorrectly. c i © b(s) =  i © b(f  -1 (r i )) © b(s)   i The sender might reveal i. r i might have different distribution than r 1-i

A weak OT based on dense t-checkable-TDP ( ,t) Ã I (1 n ) 1.s,r 1-i 2 R {0,1} n 2.r i = f  (s)  r 0,r 1 (rand.) If h(s)  h(f -1  (r i )) Restart. If r 0 or r 1  D  Restart h, h(f  -1 (r 0 )), h(f  -1 (r 1 )) Reveal order … h 2 R H n - a collection of hash functions Sender (  0 and  1 ) Receiver (i) w.h.p. s  f  -1 (r i ) w.h.p. Correctness w.h.p. Receiver’s privacy Sender's privacy is not compromised For j = 0,1: c j =  j © b(f  -1 (r j )) … Our solution: Increase the probability that (after revealing step) s = f  -1 (r i )

A “very” weak OT based on any dense-TDP {0,1} n D’D’ DD Can extend any dense-TDP, such that it is still one- to-one and it is t-checkable. D  ’ ≡ {x 2 {0,1} n | F( ,F -1 ( ,t,x)) = x} 1.W.r.t. D  ’ we have containment test (the collection is t-checkable) x 2 D  ’ iff F( ,F -1 ( ,t,x)) = x 2.But the exended f  is only weakly one-way. ) Only noticeable Sender's privacy

A weak OT based on dense t-checkable-TDP ( ,t) Ã I (1 n ) 1.s,r 1-i 2 R {0,1} n 2.r i = f  (s)  r 0,r 1 (rand.) If h(s)  h(f -1  (r i )) Restart. If r 0 or r 1  D  Restart h, h(f  -1 (r 0 )), h(f  -1 (r 1 )) Reveal order … Sender (  0 and  1 ) Receiver (i) w.h.p. Correctness w.h.p. Receiver’s privacy noticeable Sender's privacy For j = 0,1: c j =  j © b(f  -1 (r j )) …

dense-TDP Weak OT (all the requirements are weak) Secret sharing (Yao’s XOR lemma) Weak OT with strong Sender’s privacy Repeating and using majority rule Weak OT with strong Correctness and Sender’s privacy OT Crepeau and Kilian 88’

For k = 0,1:  k,1, …,  k,m-1 2 R {0,1}  k,t = ( © 1 · j · m-1  k,j ) ©  k Output: © 1 · j · m  i,j  0,1  0,2  0,3 …  0,m  1,1  1,2  1,3 …  1,m © )  0 © )  1 Sender (  0 and  1 ) Receiver (i)

Further issues OT based on any TDP? Seems difficult, as Gertner, Kannan, Malkin, Reingold and Viswanathan 2000 showed that OT cannot be black-box reduced to collection of injective trapdoor one-way functions. (most likely) OT cannot be black-box reduced to TDP

Acknowledgment: Oded Goldreich