Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions. Rafael Dowsley, Jeroen van der Graaf, Jörn Müller-Quade, Anderson C. A. Nascimento. University of Brasilia.

Encryption: Plaintext → Encryption (Key) → Ciphertext → Decryption (Key) → Plaintext.

However, there are other (more challenging) tasks to be dealt with in cryptology: Secure Multi-(Two-)Party Computation.

Two players want to know whether there is mutual interest between them. However, neither wants to reveal an unrequited love. F(X,Y) = X AND Y. X AND Y = 1 → "I love you"; X AND Y = 0 → "Get away!" The players must learn the answer but should get no extra knowledge about each other's input, besides what can be computed from their own input and the output itself.

The Millionaires' Problem: Two millionaires want to know which of them is the richer. However, they are not willing to reveal the amount of their wealth.

Secure Two-Party Computation: Alice holds X, Bob holds Y, and the output is F(X,Y). Alice should learn nothing about F(X,Y) besides what can be computed from X. Bob should learn nothing about X besides what can be computed from F(X,Y). If both players are honest, Bob should receive F(X,Y).

An Ideal Protocol: Alice sends X and Bob sends Y to a Trusted Third Party, which computes F(X,Y) and returns it to Bob.

Security and Adversarial Models. A protocol is secure if anything an adversary obtains in the real protocol can also be obtained in the ideal model. Honest-but-Curious Adversary: follows the protocol, but otherwise tries to obtain as much information on the other player's input as possible. Malicious Adversary: can deviate from the protocol in an arbitrary way (spit on your face, stick a finger in your eye, etc.).

Oblivious Transfer: the sender (Alice) holds two bits b0, b1; the receiver (Bob) holds a choice bit c and obtains bc. Bob learns nothing about the other bit, and Alice learns nothing about c. [Joe Kilian: Founding Cryptography on Oblivious Transfer. STOC 88: 20-31]

Oblivious Transfer is an important primitive, but no quantum resistant implementation is known. Here we give an oblivious transfer protocol based on assumptions from coding theory, which is computationally secure for Alice and for Bob.

Relationship to PKC OT and PKC do not imply each other in general.

McEliece. Error Correcting Codes: a message m is encoded as a codeword c, the channel turns it into a corrupted word c', and decoding recovers m. Random linear codes are good, but difficult to decode (decoding a general linear code is NP-complete). McEliece turned this into a public key scheme.

Goppa Codes Goppa codes are algebraic geometry codes with good error correction properties.

Scrambled Goppa Codes: G' = S · G · P, where G is the generator matrix of a Goppa code, S an invertible scrambling matrix and P a permutation matrix. G' looks like a generator matrix of a random code.

The McEliece Cryptosystem. Secret key: (S, G, P). Public key: G'.

The McEliece Cryptosystem. Encrypt: c = m · G' + e, where e is a random error vector with t errors. Decrypt: compute c · P^-1, run the error correction procedure of the Goppa code, and multiply the result by S^-1 to obtain m.

The McEliece Assumptions: (1) a scrambled Goppa code matrix is indistinguishable from a random matrix; (2) decoding a random linear code is hard on average. We will turn this into an oblivious transfer scheme.

Two Steps: (1) semi-honest adversary; (2) active adversary. To later cope with the active adversary we need a commitment scheme from the McEliece assumption.

Bit Commitment: Alice puts a bit b in a strong box and gives this box to Bob. She cannot change b. Later Alice can unveil b to Bob. Secure commitment schemes give us zero knowledge proofs! A commitment scheme is said to be secure if it is binding, concealing and correct. Binding: the probability that Alice can successfully open two different commitments is negligible. Concealing: Bob gets at most negligible information on the information Alice commits to before the opening phase. Correct: the probability that honest Alice fails to open a commitment is negligible in a security parameter n.

Commitments from McEliece. Simple: Commit = encrypt; Unveil = reveal the error vector e. To achieve information theoretic security for Bob we need a statistically hiding commitment. The McEliece cryptosystem yields a one-way function, and statistically hiding commitments can be obtained from any one-way function [Haitner/Reingold STOC07].

The protocol for the semi-honest adversary: Alice chooses a random matrix Q and sends it to Bob. Bob generates a McEliece matrix G and sends the pair (G, G ⊕ Q) to Alice, where the order of the two matrices depends on his choice bit. Alice encrypts m0 and m1 under the two matrices she received and sends c0, c1 to Bob. Bob can decrypt only one of them.
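To make the McEliece slides, the "commit = encrypt" commitment and the semi-honest protocol concrete, here is an added toy implementation (example code written for this transcript, not the authors' code). It replaces the Goppa code with the Hamming(7,4) code (t = 1), keeps the S · G · P scrambling and the c · P^-1 → decode → S^-1 decryption from the slides, and reads the slides' "G, GQ" as the bitwise sum G ⊕ Q (the operator is lost in the transcript; the later slide's Q = P ⊕ P' uses the same reading). All matrix sizes, the seeded RNG and the sample messages are constructed for the demonstration and give no real security.

```python
"""Toy McEliece-style cryptosystem (Hamming(7,4) in place of a Goppa code, t = 1), a commitment
from it (commit = encrypt, unveil = reveal e) and the slides' semi-honest OT protocol.
Constructed for illustration only; the real scheme uses large Goppa codes and t >> 1."""
import random

K, N, T = 4, 7, 1  # message bits, codeword bits, correctable errors (Hamming(7,4) has d = 3)
# Systematic generator G = [I_4 | A] and parity-check H = [A^T | I_3]; the seven columns of H
# are distinct and non-zero, so a single error is located by its syndrome.
G_CODE = [[1, 0, 0, 0, 1, 1, 0], [0, 1, 0, 0, 1, 0, 1],
          [0, 0, 1, 0, 0, 1, 1], [0, 0, 0, 1, 1, 1, 1]]
H_CODE = [[1, 1, 0, 1, 1, 0, 0], [1, 0, 1, 1, 0, 1, 0], [0, 1, 1, 1, 0, 0, 1]]
H_T = [list(col) for col in zip(*H_CODE)]  # rows of H^T = columns of H

def make_rng(seed):
    return random.Random(seed)  # seeded for a reproducible demonstration, not for real keys

def vec_mat(v, m):
    """Row vector times matrix over GF(2)."""
    return [sum(v[i] & m[i][j] for i in range(len(v))) & 1 for j in range(len(m[0]))]

def mat_mul(a, b):
    return [vec_mat(row, b) for row in a]

def mat_xor(a, b):
    return [[x ^ y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def inverse_gf2(m):
    """Gauss-Jordan inverse over GF(2); returns None when m is singular."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def keygen(rng):
    """Secret key (S, G, P), public key G' = S*G*P: the scrambled matrix hides the code structure."""
    while True:
        S = [[rng.randrange(2) for _ in range(K)] for _ in range(K)]
        S_inv = inverse_gf2(S)
        if S_inv is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)                      # column permutation P, stored as a list
    SG = mat_mul(S, G_CODE)
    G_pub = [[row[perm[j]] for j in range(N)] for row in SG]
    return G_pub, (S_inv, perm)

def encrypt(G_pub, m, rng):
    """c = m*G' + e with a random weight-t error vector e; e is returned to serve as an opening."""
    e = [0] * N
    for pos in rng.sample(range(N), T):
        e[pos] = 1
    return [x ^ y for x, y in zip(vec_mat(m, G_pub), e)], e

def decrypt(sk, c):
    """c*P^-1, then the code's error correction, then S^-1 (the slides' decryption steps)."""
    S_inv, perm = sk
    cp = [0] * N
    for j in range(N):
        cp[perm[j]] = c[j]                 # undo the column permutation
    syndrome = vec_mat(cp, H_T)
    if any(syndrome):
        cp[H_T.index(syndrome)] ^= 1       # flip the single erroneous bit
    return vec_mat(cp[:K], S_inv)          # systematic code: the first K bits are m*S

def commit(G_pub, b, rng):
    """Commit = encrypt. Concealing under the McEliece assumptions; binding because a word lies
    within distance t of at most one codeword, so only one pair (b, e) opens the commitment."""
    return encrypt(G_pub, b, rng)          # (commitment, opening information e)

def verify_opening(G_pub, com, b, e):
    return sum(e) == T and com == [x ^ y for x, y in zip(vec_mat(b, G_pub), e)]

def ot_semi_honest(m0, m1, c, rng):
    """Alice (sender) holds m0, m1; Bob (receiver) holds choice bit c. Returns Bob's output."""
    Q = [[rng.randrange(2) for _ in range(N)] for _ in range(K)]   # 1. Alice -> Bob: random Q
    G_pub, sk = keygen(rng)                                        # 2. Bob: McEliece key pair
    P = [None, None]
    P[c], P[1 - c] = G_pub, mat_xor(G_pub, Q)   #    Bob -> Alice: (G', G' xor Q), ordered by c
    if mat_xor(P[0], P[1]) != Q:                #    Alice checks the pair is consistent with Q
        raise ValueError("received matrices do not differ by Q")
    c0, _ = encrypt(P[0], m0, rng)              # 3. Alice encrypts m_i under P_i
    c1, _ = encrypt(P[1], m1, rng)
    return decrypt(sk, [c0, c1][c])             # 4. Bob decrypts only the one he holds a key for

def demo(seed=2008):
    rng = make_rng(seed)
    G_pub, sk = keygen(rng)
    msgs = [[(i >> j) & 1 for j in range(K)] for i in range(2 ** K)]
    roundtrip = all(decrypt(sk, encrypt(G_pub, m, rng)[0]) == m for m in msgs)
    com, e = commit(G_pub, [1, 1, 0, 0], rng)
    opens = verify_opening(G_pub, com, [1, 1, 0, 0], e)
    wrong = verify_opening(G_pub, com, [1, 1, 0, 1], e)
    ot = [ot_semi_honest([1, 0, 1, 1], [0, 1, 1, 0], c, make_rng(seed)) for c in (0, 1)]
    return roundtrip, opens, wrong, ot

if __name__ == "__main__":
    print(demo())  # (True, True, False, [[1, 0, 1, 1], [0, 1, 1, 0]])
```

Under assumption (1) of the slides Alice cannot tell which of the two received matrices is the real G', so she learns nothing about c; Bob can only decode under the matrix he holds a secret key for, which is exactly where the question on the next slides (can a single Q be split into two decodable matrices?) enters. With a 7-bit toy code none of this is hard, of course; the point is the structure of the messages, and the cheap consistency check P0 ⊕ P1 = Q that Alice can always perform.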

An Active Attack: Given Q, can one find P and P' with Q = P ⊕ P' such that both have reasonable error correcting properties? We could not exclude this... Bob could be able to obtain both...

An Actively Secure Protocol: We perform the protocol twice (with random inputs). Bob commits to G, and in one of the two protocol runs Alice will ask Bob to unveil and check if he cheated. The cheating probability for Bob is 50%, but this can be made arbitrarily small by repetition... More efficient than Goldreich's compiler.

Interactive Hashing: We want Bob to send two matrices to Alice, one he can decode efficiently and one which is random. Interactive hashing could yield a more efficient solution...

We have a different reduction to a protocol secure against active cheaters based on BR Commitments (a generalized version). Yields committed oblivious transfer!

Conclusions: OT based on the McEliece cryptosystem. Secure against quantum computers (?). Maybe an application for interactive hashing.