The protocol will use the following building blocks.

The Inner Product Prediction Challenge for RSA. Recall that RSA based cryptographic constructions involve a composite integer $N \in \mathbb{N}$ where $N = pq$ for large primes $p, q \in \mathbb{N}$. Additionally, a public exponent $e$ is chosen along with $N$, whereas the secret exponent $d$ satisfies $de \equiv 1 \bmod (p-1)(q-1)$ and is known by only one of the two players. Recall that $de \equiv 1 \bmod (p-1)(q-1)$ ensures $x^{ed} = x \bmod N$, whereas given $(N,e)$, recovering $d$ is as hard as factoring $N$. In the protocol below we will write $(N,e,d) \leftarrow \mathrm{RSA.Gen}()$ to indicate that $(N,e,d)$ are generated as above. Finally, recall that the RSA assumption states that when $(N,e,d) \leftarrow \mathrm{RSA.Gen}()$ and $x \leftarrow \mathbb{Z}_N$ is drawn, one cannot output $x$ if given $(N,e,y)$ where $y = x^e$ (of course, if one is given $(N,e,d,y)$ then one can simply compute $x = y^d$). In homework 6, problem 3 we saw the following "inner product prediction" version of the RSA game: given $(N,e,y,r)$ where $(N,e,d) \leftarrow \mathrm{RSA.Gen}()$, $x \leftarrow \mathbb{Z}_N$, $y = x^e$ and $r \leftarrow \{0,1\}^n$ where $n = \log(N)$, output $\langle x, r \rangle$. We showed that any adversary who can win the inner product prediction game for RSA with probability $1/2 + \varepsilon$ for non-negligible $\varepsilon > 0$ can be used to build (via the techniques of Goldreich-Levin) another adversary who can break the RSA assumption with non-negligible probability.

Blum's Commitment Scheme. The protocol below will use Blum's non-interactive commitment scheme as a building block. While Blum's scheme allows Alice to commit to a single bit, Alice can commit to an $n$-bit string by committing independently to each bit. For an $n$-bit string $u \in \{0,1\}^n$, we write $(z,k) \leftarrow \mathrm{Com}(u)$ to indicate that $z$ and $k$ are respectively the collections of commitment and decommitment strings when Blum's scheme is used to commit to each bit of $u$. Recall binding says that for any $z$, there is at most one $k$ such that the decommitment procedure succeeds when run with input $(z,k)$. Recall the hiding game for this commitment scheme is played between a challenger $\mathcal{C}$ and adversary $\mathcal{A}$ as follows.
- $\mathcal{A}$ sends $(u_0, u_1)$ to $\mathcal{C}$ where $u_0, u_1 \in \{0,1\}^n$;
- $\mathcal{C}$ draws $b \leftarrow \{0,1\}$ and $(z,k) \leftarrow \mathrm{Com}(u_b)$ and sends $z$ to $\mathcal{A}$;
- $\mathcal{A}$ sends $b' \in \{0,1\}$ to $\mathcal{C}$, signaling the end of the game; $\mathcal{A}$ wins if $b' = b$.
Hiding security demands that no efficient adversary can win this hiding game except with probability $1/2 + \varepsilon$ for negligible $\varepsilon > 0$.

Zero-Knowledge Proofs. Our OT protocol will use a ZK proof system as a key building block for one of the parties to prove to the other that a particular quantity in the protocol has been computed correctly. As a simple example to help understand the role that the ZK proof plays, imagine that early on in the protocol, A sends $z$ to B where $(z,k) \leftarrow \mathrm{Com}(0)$. Then while $z$ is supposed to be a commitment to 0, hiding says that B cannot actually tell what value is hidden inside, so it is possible that an adversarial A might have actually drawn $(z,k) \leftarrow \mathrm{Com}(1)$. In this case, it might be useful to have A prove to B using a ZK proof that in fact $z$ is a commitment to 0. For this to work, the statement is "$z \in L$" where membership in $L$ holds whenever there exists $k$ such that $\mathrm{Decom}(z,k) = 0$. So A and B would both use the public input $z$, while A would also use $k$ as an additional secret input. After the proof is completed, soundness guarantees that B can rest assured that $z$ is in fact a commitment to 0.

The Protocol. We present the protocol sequentially, though if we are concerned with minimizing the number of back-and-forth rounds we can send some of the messages in parallel with each other (and use some additional shortcuts) to achieve a 4 round protocol.
- Input: A has input $(a_0, a_1) \in \{0,1\}^2$ and B has input $b \in \{0,1\}$.
- Desired Output: A should receive no output while B should receive $a_b \in \{0,1\}$.
1. B → A: B chooses $u \leftarrow \{0,1\}^n$, draws $(z,k) \leftarrow \mathrm{Com}(u)$ and sends $z$ to A.
2. A → B: A chooses $u' \leftarrow \{0,1\}^n$ and sends $u'$ to B.
3. A → B: A draws $(N,e,d) \leftarrow \mathrm{RSA.Gen}()$ and sends $(N,e)$ to B.
4. B → A: B sends $(y_0, y_1) \in \mathbb{Z}_N^2$ to A where $y_0$ and $y_1$ are prepared as follows (recall $b$ is B's input bit):
   - $y_b$ is set to $y_b = x^e$ for a random $x \leftarrow \mathbb{Z}_N$;
   - $y_{1-b}$ is set to $y_{1-b} = u \oplus u'$ where $u$ and $u'$ are the strings used in rounds 1 and 2 ($\oplus$ indicates the bit-wise XOR of two strings; we are using that since $n = \log(N)$, any $n$-bit binary string can be converted to an integer mod $N$).
5. B → A: B and A use the zero knowledge proof system with B playing as the prover and A playing as the verifier, where:
   - Statement: The statement which is used as common input to both players is $(z, u', y_0, y_1) \in L$ where membership in $L$ holds if there exists $(k, u, i)$ such that $\mathrm{Decom}(z,k) = u$ and $y_i = u \oplus u'$.
6. A → B: A computes $(x_0, x_1) \in \mathbb{Z}_N$ by setting $x_i = y_i^d$ for $i = 0,1$, where $d$ is the secret RSA exponent generated in round 3. Additionally, A draws $r_0, r_1 \leftarrow \{0,1\}^n$ and sends $(r_0, r_1, w_0, w_1)$ to B where $w_i = \langle x_i, r_i \rangle \oplus a_i \in \{0,1\}$ for $i = 0,1$.
- Output: B outputs the bit $w_b \oplus \langle x, r_b \rangle \in \{0,1\}$.

Intuition. In order to understand the protocol, first imagine that the protocol consists only of rounds 3, 4, 6 and that in round 4, B chooses $y_b$ as stated above, but draws $y_{1-b} \leftarrow \mathbb{Z}_N$. This simpler protocol will satisfy correctness (since B will output $a_b$), and it will be secure against a corrupt A (since the only information sent by B is $(y_0, y_1)$ and both $y_i$ are simply random elements of $\mathbb{Z}_N$). However, security against B is problematic since B could choose $x_0, x_1 \leftarrow \mathbb{Z}_N$ and set $y_i = x_i^e$ for $i = 0,1$, and would then be able to learn both of A's bits $(a_0, a_1)$. So the role of the extra rounds is essentially to boost security against B. To summarize, the simpler scheme is secure as long as B generates $(y_0, y_1)$ as he is supposed to (i.e., if $y_b = x^e$ for random $x \leftarrow \mathbb{Z}_N$ and $y_{1-b} \leftarrow \mathbb{Z}_N$), but fails if B is able to deviate. At a high level, the function of the extra rounds is to ensure that one of the two $y_i$ is random in $\mathbb{Z}_N$. This works by running a type of "coin flipping" procedure in rounds 1 and 2, and then using the ZK proof in round 5 to prove that one of the $y_i$ is equal to the output of this procedure (B proves that $y_{1-b} = u \oplus u'$). So the security of the overall OT protocol against B will follow from 1) the fact that the output of the coin-flipping procedure is random; 2) the soundness of the ZK proof system, which forces B to send a $y_{1-b}$ equal to the output of the coin-flipping procedure; 3) the fact that the simplified scheme is secure as long as B sends a random $y_{1-b}$.

Finally, let's look more closely at the coin-flipping scheme in rounds 1 and 2. It is very simple; in round 1, B sends a commitment to a random string $u \leftarrow \{0,1\}^n$ and in round 2, A sends a random $u' \leftarrow \{0,1\}^n$, and the "output" of the coin-flipping procedure is set to $u \oplus u' \in \{0,1\}^n$. Notice two things.
1. B commits himself to $u$ in round 1, before A selects her random string. Therefore, as far as B is concerned, the output string $u \oplus u'$ is random due to the randomness of $u' \leftarrow \{0,1\}^n$.
2. A cannot learn any information about $u$ from the commitment she receives in round 1. Therefore, she too sends her random string $u'$ before knowing anything about B's random string $u$, and so as far as A is concerned, the output string $u \oplus u'$ is random.
The above is the intuition for why the OT protocol is secure. In the following exercises, you will walk through the formal proof of this fact.

Problem 9. Prove correctness. Namely, show that if A and B both follow the protocol, then B outputs $a_b$.
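As an added illustration (not part of the original homework text), the Python simulation below runs rounds 1 to 6 honestly and checks the correctness claim of Problem 9, and also runs the deviating B from the Intuition paragraph to show that the simplified rounds-3,4,6 protocol hands B both bits while the round-5 check rejects that B. It assumes stand-ins that are not in the text: a SHA-256 hash commitment in place of Blum's scheme, direct evaluation of the round-5 relation in place of the ZK proof, constructed toy primes, and $n$ taken as the bit length of $N$.

```python
"""Toy end-to-end run of the OT protocol described above (rounds 1-6)."""
import hashlib
import secrets

# Constructed toy parameters: N = pq with two known primes. Far too small to be
# secure; n is taken as the bit length of N so every x in Z_N has an n-bit encoding.
P, Q = 999983, 1000003
N = P * Q
E = 65537
NBITS = N.bit_length()
UBYTES = NBITS // 8 + 1


def rsa_gen():
    """RSA.Gen(): returns (N, e, d) with d*e = 1 mod (p-1)(q-1)."""
    return N, E, pow(E, -1, (P - 1) * (Q - 1))


def inner_product(x, r):
    """<x, r> over GF(2): parity of the bitwise AND of x's n-bit encoding and r."""
    return bin(x & r).count("1") & 1


def commit(u):
    """Stand-in for Blum's Com(u): a SHA-256 commitment H(nonce || u). Returns
    (z, k) with k = (nonce, u) so that decom(z, k) can recover u as in the text."""
    nonce = secrets.token_bytes(32)
    z = hashlib.sha256(nonce + u.to_bytes(UBYTES, "big")).digest()
    return z, (nonce, u)


def decom(z, k):
    """Decom(z, k): the committed string u if (z, k) opens correctly, else None."""
    nonce, u = k
    return u if hashlib.sha256(nonce + u.to_bytes(UBYTES, "big")).digest() == z else None


def in_language(z, u_prime, y0, y1, witness):
    """The round-5 relation: (z, u', y0, y1) is in L iff the witness (k, u, i)
    satisfies Decom(z, k) = u and y_i = u xor u' (read as an integer mod N).
    A real run would give A only the ZK proof's verdict, never the witness;
    here the relation is evaluated directly as a stand-in for the proof."""
    k, u, i = witness
    return decom(z, k) == u and (y0, y1)[i] == (u ^ u_prime) % N


def run_ot(a0, a1, b, cheat=False, round5=True):
    """Run the protocol with A's bits (a0, a1) and B's choice bit b.

    cheat=True makes B deviate as in the Intuition paragraph (y_i = x_i^e for
    both i); round5=False drops the ZK round, i.e. the simplified rounds-3,4,6
    protocol. Returns (accepted, output): A's round-5 verdict (None if the round
    is skipped) and B's output: a single bit for an honest B, the pair of bits a
    deviating B recovers, or None when A aborts after a failed proof."""
    u = secrets.randbits(NBITS)                 # round 1: B commits to u
    z, k = commit(u)
    u_prime = secrets.randbits(NBITS)           # round 2: A sends u'
    _, e, d = rsa_gen()                         # round 3: A sends (N, e)
    if cheat:                                   # round 4, deviating B
        xs_b = [secrets.randbelow(N), secrets.randbelow(N)]
        y = [pow(xs_b[0], e, N), pow(xs_b[1], e, N)]
    else:                                       # round 4, honest B
        x = secrets.randbelow(N)
        y = [0, 0]
        y[b] = pow(x, e, N)
        y[1 - b] = (u ^ u_prime) % N            # coin-flip output as an integer
    accepted = None
    if round5:                                  # round 5: proof that y_{1-b} = u xor u'
        accepted = in_language(z, u_prime, y[0], y[1], (k, u, 1 - b))
        if not accepted:
            return accepted, None               # A aborts; round 6 never happens
    xs = [pow(y[0], d, N), pow(y[1], d, N)]     # round 6: x_i = y_i^d
    r = [secrets.randbits(NBITS), secrets.randbits(NBITS)]
    w = [inner_product(xs[i], r[i]) ^ (a0, a1)[i] for i in (0, 1)]
    if cheat:                                   # B knows both preimages, unmasks both
        return accepted, tuple(w[i] ^ inner_product(xs_b[i], r[i]) for i in (0, 1))
    return accepted, w[b] ^ inner_product(x, r[b])   # output: w_b xor <x, r_b> = a_b
```

The honest run returns $a_b$ for every input, which is exactly what Problem 9 asks you to prove: $x_b = y_b^d = x$, so $w_b \oplus \langle x, r_b \rangle = a_b$.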
