Oblivious Transfer and Bit Commitment from Noisy Channels

Ivan Damgård

BRICS, Århus University

Commitments

Committer C sends a "bit b in a box" to a receiver R.

• Hiding: from the commitment, R cannot guess b.

• Binding: having given away the box, C cannot change his mind about the value of b; he can only open it in one way.

(1-out-of-2 bits) Oblivious Transfer

[Figure: S inputs $b_0, b_1$ and R inputs c to an OT box; R receives $b_c$.]

Sender S sends two bits $b_0, b_1$ to a receiver R, who inputs his choice c of which bit to receive.

• S learns nothing new (in particular nothing about c).

• R learns 1 of S's bits and nothing about the other one.

Many variants: 1-2 string OT, 1-t bit/string OT, Rabin OT. All are equivalent under information-theoretic reductions.

BC follows from OT

For instance:

1. Receiver sends n pairs $(b_{i,0}, b_{i,1})$ by OT to Committer.

2. Committer reads, for all i, $b_{i,c}$, where c is the bit to commit to.

3. Open by revealing $b_{1,c}, b_{2,c}, \dots, b_{n,c}$. Receiver checks that they match the bits he sent.
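The three steps above, run against an ideal OT functionality, as an added example that is not part of the original slides. The function names, the default n = 64 and the `forge_probability` helper are assumptions made for illustration.

```python
import secrets

def ideal_ot(pair, choice):
    """Ideal 1-out-of-2 OT: the chooser gets pair[choice]; the sender sees nothing."""
    return pair[choice]

def commit(c, n=64):
    """Steps 1-2: R sends n random pairs by OT, C reads b_{i,c} from each."""
    pairs = [(secrets.randbits(1), secrets.randbits(1)) for _ in range(n)]
    received = [ideal_ot(pair, c) for pair in pairs]
    return pairs, received        # R keeps pairs, C keeps received

def verify_opening(pairs, claimed_c, revealed):
    """Step 3: R accepts only if every revealed bit equals b_{i,claimed_c}."""
    return len(revealed) == len(pairs) and all(
        pair[claimed_c] == bit for pair, bit in zip(pairs, revealed))

def forge_probability(pairs, c, received):
    """Chance that C, who committed to c, opens as 1-c by guessing unseen bits.

    Where b_{i,0} == b_{i,1} C already holds the right bit; every other
    position is an independent fair guess, because OT hid b_{i,1-c} from C.
    """
    unknown = sum(1 for pair, bit in zip(pairs, received) if pair[1 - c] != bit)
    return 2.0 ** -unknown

# Constructed sample run (not from the slides).
if __name__ == "__main__":
    pairs, received = commit(c=1)
    print(verify_opening(pairs, 1, received))      # honest opening is accepted
    print(forge_probability(pairs, 1, received))   # shrinks as n grows
```

Hiding is visible in `commit`: R's whole view is the list of pairs, which is drawn before c is ever used.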

In fact, general multiparty computation - and hence more or less anything - follows from OT.

Impossibility if Adversary has full info

If only error-free communication between the two parties is available, BC (and hence OT) is impossible with unconditional security:

C(ommitter) sees all messages received by the other guy.

Unconditional binding implies C can execute the protocol with b=0, but there exists a complete view of the protocol for C, with the same exchange of messages, consistent with b=1.

C can always compute such a view and claim this was what he had in mind all the time, so no binding.

OT from Binary Symmetric Channels (BSC)

BSC(p) flips every bit sent with probability p.

[Figure: S sends the pair (b,b) over BSC(p); R receives $(b_0, b_1)$.]

If $b_0 = b_1$, that bit is received; otherwise "?" is received.

$\Pr(?) = 2p(1-p)$, $\Pr(\text{correct bit received}) = (1-p)^2$, $\Pr(\text{wrong bit received}) = p^2$. If we drop all ?'s, we have a BSC with error probability $q = p^2/(p^2+(1-p)^2)$.

Observation [Crépeau/Kilian88]: this is a weak version of Rabin OT: R learns nothing, or some info on the bit sent. S (if honest) learns nothing. So perhaps we can get real OT from this..

OT from BSC [Crépeau97]

1. S sends N pairs $(b_i, b_i)$ over BSC(p) to R.

2. R receives N erasures and bits. Splits them in two sets $T_0, T_1$ of N/2 positions, such that all erasures go in $T_{1-c}$. Sends $T_0, T_1$ to S (on an error-free channel).

3. Let $str_0, str_1$ be the strings of bits sent at positions in $T_0, T_1$. S uses an error correcting code to construct correction information $syn_0, syn_1$. $syn_i$ will be sufficient to reconstruct $str_i$ if received over a BSC(q). S also chooses two universal hash functions $h_0, h_1$ from N/2 bits to 1 bit.

4. $syn_0, syn_1, h_0, h_1, h_0(str_0) \oplus b_0, h_1(str_1) \oplus b_1$ are sent to R, who uses $syn_c$ to reconstruct $str_c$ and computes $h_c(str_c) \oplus (h_c(str_c) \oplus b_c) = b_c$.
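An added example, not part of the original slides: it enumerates the two flips of a pair to reproduce the probabilities Pr(?), Pr(correct), Pr(wrong) and q stated earlier, then runs R's side of steps 1 and 2. The function names and the seeded `random.Random` simulator are assumptions made for illustration; an even N is assumed.

```python
from fractions import Fraction
import random

def pair_channel(p):
    """Exact outcome distribution for one pair (b,b) sent over BSC(p)."""
    p = Fraction(p)
    dist = {"erasure": Fraction(0), "correct": Fraction(0), "wrong": Fraction(0)}
    for flip1 in (0, 1):
        for flip2 in (0, 1):
            prob = (p if flip1 else 1 - p) * (p if flip2 else 1 - p)
            if flip1 != flip2:
                dist["erasure"] += prob      # bits disagree: R records "?"
            elif flip1:
                dist["wrong"] += prob        # both flipped: R accepts the wrong bit
            else:
                dist["correct"] += prob
    return dist

def residual_error(p):
    """Error probability q of the BSC left after dropping all "?"s."""
    d = pair_channel(p)
    return d["wrong"] / (d["wrong"] + d["correct"])

def receive_pairs(bits, p, rng):
    """Step 1, R's side: None marks an erasure, otherwise the agreed bit."""
    view = []
    for b in bits:
        r1, r2 = b ^ (rng.random() < p), b ^ (rng.random() < p)
        view.append(r1 if r1 == r2 else None)
    return view

def split_positions(view, c, rng):
    """Step 2: T_c holds N/2 non-erased positions, T_{1-c} everything else.

    T_c is a random subset of the good positions; a fixed rule such as
    "the first N/2 good ones" would let S recognise T_c and learn c.
    """
    half = len(view) // 2
    good = [i for i, v in enumerate(view) if v is not None]
    if len(good) < half:
        raise ValueError("too many erasures to fill T_c")
    t_c = sorted(rng.sample(good, half))
    chosen = set(t_c)
    rest = [i for i in range(len(view)) if i not in chosen]
    return (t_c, rest) if c == 0 else (rest, t_c)
```

For p = 1/4 the enumeration gives Pr(?) = 3/8 and q = 1/10, matching the formulas on the slide.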

Why does it work?

[Figure: S sends $(b_i, b_i)$, i=1..N, over the BSC; R receives "?" or $b'_i$ and returns $T_0, T_1$; S then sends $syn_0, syn_1, h_0, h_1, h_0(str_0) \oplus b_0, h_1(str_1) \oplus b_1$.]

S (if honest) learns nothing.

Even if R cheats, at least one set $T_i$ contains (about) Np(1-p) erasures. Can compute R's collision entropy of $str_i$ given $str_i$ and N/2 – Np(1-p) bits of $str_i$ through a BSC(q). Turns out to be linear in N. Privacy amplification ⇒ R's expected information on $h_i(str_i)$ is exponentially small.

Note: need efficiently decodable error correcting code such that $syn_i$ is small enough.

What if S cheats?

Best known solution based on reduction that builds OT from many repetitions of an imperfect OT where S may learn R’s choice (see later for details). Reduction works if S failed to learn R’s choice in at least one of the repetitions.

We do this reduction, and at the same time, R checks that number of received erasures is not larger than expected.

Check satisfied ⇒ upper bound on number of bad pairs sent by S ⇒ S failed to break at least one of the weak OTs ⇒ overall protocol is OK.

Conclusion on OT/BC from BSC(p)

OT and BC can be built from BSC(p) for any non-trivial value of p (0 < p < 1/2) [Crépeau97], [Morozov et al.01].

Reasonably efficient BC (special purpose protocol by Crépeau, no need to build it from OT): O(n) uses of BSC enough for error prob exp small in n.

But very inefficient OT if we want security against active cheating, $O(n^{2+\varepsilon})$ best known. Better solutions??

OT from noisy channels in general

General channel: set of input symbols X, output symbols Y, for each x ∈ X, a distribution $P_{Y|x}$ given.

[Nascimento and Winter 05], [Crépeau, Morozov and Wolf 04]: OT can be built from any non-trivial noisy channel.

Non-trivial channels as defined in [CMW] are essentially equivalent to noiseless channels ⇒ have complete characterization of noisy channels from which OT can be built.

[Kilian 00]: Characterization of Crypto-Gates that can be used for OT. Crypto-gates are a more general concept: take input from both parties and send output to both.

So are we done?

Not quite!

All results so far assume that the channels’ behavior is known exactly, i.e., BSC(p) where p is known.

If p is smaller than we expect, previous protocols fail.

Problems in practice:

• Real channels often do not have constant error rate.

• Worse: an adversary may have an interest in removing noise from the channel.

• Even worse: always possible to conceal that you removed noise: just pretend you received a more noisy signal.

Unfair Noisy Channels - more realistic model

[Damgård, Kilian, Salvail 99]

Basic idea: allow the adversary an "unfair" advantage by giving him extra power/information that is not available to an honest player.

(γ,δ)-UNC: a BSC(p), but the only guarantee is that 0 < γ ≤ p ≤ δ < ½. Adversary can decide what p should be for every transmission. Models an active adversary that tries to physically modify the channel.

(γ,δ)-PassiveUNC: a BSC(δ), but adversary gets extra side information so that the channel from his point of view is a BSC(γ). Models a passive adversary that eavesdrops somewhere "in the middle".

For which values (γ,δ) can we do something interesting?

Trivialities: if γ=δ, we are back in BSC case, everything is possible. If γ=0, adversary has full information, nothing is possible.

So what happens "in the middle"?

If the [γ,δ]-interval is too wide, nothing can be done, namely if δ ≥ 2γ(1-γ):

S: wants to send b. Flips b with probability γ. Result b', which is sent to R.

R: flips b' with probability γ. Defines the result b'' to be the received bit.

This is a (γ,δ)-PassiveUNC with δ = 2γ(1-γ)!

UNCs are trivial for δ ≥ 2γ(1-γ).

BC from any (γ,δ)-UNC with δ < 2γ(1-γ). [Damgård,Kilian,Salvail 99].

[Figure: S sends a random n-bit string X over the UNC; R receives X'.]

Has the right flavor:

S cannot later claim to have sent any bit string: many of them will be too far away from X', i.e., at Hamming distance > δn.

R does not have full information on X.

Idea: make S reveal more info on X, such that many candidates remain from R’s point of view, yet only one candidate can be convincingly claimed later.

Intuition: why can this work..

[Figure: X and X' at distance γn, with candidate strings Y around X.]

S will remove as much noise as he can, so X' will be at distance γn.

If S reveals Y later, R will reject, since distance X' to Y will be 2γ(1-γ) > δ.

S must reveal a Y at shorter distance μ, with μ(1-γ)+(1-μ)γ < δ.

On the other hand, a cheating R only knows that X is some string at distance γn from X’

Conclusion

Have S reveal extra information on X such that

• Of all strings at distance μn from X, only one candidate remains.

• Of all strings at distance γn from X’, a large number of candidates remain.

Possible, since μ < γ: #strings at distance γn from X’ is exponentially larger than #strings at distance μn from X.
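Why μ < γ holds, carried through with the slides' symbols (an added derivation, not part of the original slides; it uses only γ < ½, so 1-2γ > 0). The acceptance condition on the distance μ rearranges to an upper bound on μ:

\[
\mu(1-\gamma) + (1-\mu)\gamma < \delta
\;\iff\; \mu(1-2\gamma) < \delta - \gamma
\;\iff\; \mu < \frac{\delta-\gamma}{1-2\gamma}.
\]

That bound lies below γ exactly when the channel is non-trivial:

\[
\frac{\delta-\gamma}{1-2\gamma} < \gamma
\;\iff\; \delta - \gamma < \gamma - 2\gamma^{2}
\;\iff\; \delta < 2\gamma(1-\gamma).
\]

So for δ < 2γ(1-γ), every distance μ that R would accept satisfies μ < γ, and at δ = 2γ(1-γ) the bound reaches γ and the gap between the two candidate sets disappears.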

Sketch of Protocol

To commit

• S sends a random string X to R over the UNC; X' is received.

• R chooses universal hash functions $h_1, h_2$.

• For i=1,2: R sends $h_i$ to S, S returns $h_i(X)$.

• S chooses a universal hash function h and sends h to R. The committed bit is defined as h(X).

To open

• S sends X to R. R rejects if X is inconsistent with the hash values received or if dist(X,X') > δ', where δ' is a constant chosen slightly larger than δ.
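The commit and open phases of the sketch, simulated end to end, as an added example that is not part of the original slides. Assumptions: random binary matrices serve as the universal hash family, the hash output lengths m1 and m2 are free parameters (the slides do not give them), dist(X,X') is compared against δ'·n, and a seeded `random.Random` stands in for the cryptographic randomness a real run needs.

```python
import random

def bsc(x, n, p, rng):
    """Flip each of the n bits of integer x independently with probability p."""
    return x ^ sum(1 << i for i in range(n) if rng.random() < p)

def random_hash(n, m, rng):
    """Random m-by-n matrix over GF(2), a universal family of linear hashes."""
    return [rng.getrandbits(n) for _ in range(m)]

def apply_hash(h, x):
    """One parity bit per matrix row."""
    return tuple(bin(row & x).count("1") & 1 for row in h)

def commit(n, p, m1, m2, rng):
    """Commit phase. p is the noise level the UNC happened to apply;
    m1, m2 are assumed hash output lengths, not values from the slides."""
    x = rng.getrandbits(n)                       # S: random string X
    x_recv = bsc(x, n, p, rng)                   # R: noisy copy X'
    h1, h2 = random_hash(n, m1, rng), random_hash(n, m2, rng)   # chosen by R
    tags = (apply_hash(h1, x), apply_hash(h2, x))               # returned by S
    h = random_hash(n, 1, rng)                   # chosen by S
    sender = {"x": x, "bit": apply_hash(h, x)[0]}
    receiver = {"n": n, "x_recv": x_recv, "h1": h1, "h2": h2, "tags": tags, "h": h}
    return sender, receiver

def open_commitment(receiver, x_claimed, delta_prime):
    """Open phase, R's checks. Returns the committed bit, or None on reject."""
    r = receiver
    if (apply_hash(r["h1"], x_claimed), apply_hash(r["h2"], x_claimed)) != r["tags"]:
        return None                              # inconsistent with hash values
    distance = bin(x_claimed ^ r["x_recv"]).count("1")
    if distance > delta_prime * r["n"]:          # assumes dist is compared to delta' * n
        return None                              # too far from X'
    return apply_hash(r["h"], x_claimed)[0]
```

Both rejection rules matter: the hash tags pin S to one candidate near X, and the distance test rejects strings that no channel with p ≤ δ would plausibly have turned into X'.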

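[Figure: the (γ,δ) plane, with axes running from 0 to ½, split into a region labelled "nothing possible" and a region labelled "BC possible".]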

BC from UNC resolved

OT from UNC? – first observation [Damgård, Fehr, Morozov, Salvail 04]

Enough to build OT with passive security based on a (γ,δ)-PassiveUNC, since any such protocol can be transformed into a protocol for OT with active security based on a (γ,δ)-UNC.

Idea: use a (γ,δ)-UNC to build a new channel that is essentially a (γ,δ)-PassiveUNC, but where players are committed to the bits they send/receive.

Now run passively secure protocol, but have players prove in ZK that they send the correct messages. Possible because they are committed to what they sent and received.

Protocol for Committed Passive UNC (CPUNC)

[Figure: S sends bits $b_1, b_2, \dots, b_i, \dots, b_n$ over the UNC; R receives $b'_1, b'_2, \dots, b'_i, \dots, b'_n$.]

1. Commit, send on UNC, commit to received bits.

2. Open a random sample, check that the error rate is not (much) more than δ.

3. Choose a random unopened position i. Define $b_i$ to be the bit sent, $b'_i$ to be the bit received.

Essentially a PassiveUNC:

$\Pr(b_i = b'_i) \approx \delta$

A cheating S or R may know the bit on the other side, with noise γ added.

Building Weak OT from PassiveUNC

Assumption: passive security, S,R follow the protocol

Bits to send: $b_0, b_1$; c is R's choice bit.

Idea: use the classic trick of sending pairs of bits (b,b).

S sends 4 bits, random of the form (u,u),(v,v), over the PassiveUNC. Repeat until R receives something of the form (u',u') (v',1-v') or (u',1-u') (v',v').

R knows something about one of u,v, nothing about the other ⇒ R asks S to send $b_0 \oplus u, b_1 \oplus v$ or $b_0 \oplus u, b_1 \oplus v$, choice depending on c.

Not quite OT: corrupt S or R may learn something from their side info, and an honest R may not get the right bit.

Building OT from WOT.

Def: (p,q,ε)-WOT is an OT where S learns R's choice bit c with probability p (and nothing otherwise), R learns $b_{1-c}$ with probability q, and honest R gets $b_c$ with noise ε added.

What we just constructed from (γ,δ)-UNC is a (p,q,ε)-WOT where p,q,ε are functions of γ,δ.

If we can build OT from (p,q,ε)-WOT for a certain range of values of p,q,ε, this defines a range of values for γ,δ for which OT is possible.

Known Reductions

S-Reduce: reduce p at the cost of larger q,ε

R-Reduce: reduce q at the cost of larger p,ε

ε-Reduce: reduce ε at the cost of larger p,q

Using a carefully designed mix of these, can build OT from (p,q,0)-WOT if p+q < 1. Optimal, since (p,q,0)-WOT with p+q ≥ 1 is trivial.

Can also build OT from (p,q,ε)-WOT if p+q+2ε < 0.45. Not optimal.

[DFMS04] tighter analysis, using more general model (GWOT). Leads to best known results for OT from UNC.

[Figure: the (γ,δ) plane, with axes running from 0 to ½, showing regions labelled "nothing possible", "??", [DFMS04] and [DKS99].]

Conclusions

We understand quite well which kind of noisy resources allow for general 2-party crypto, assuming that the behavior of the noise is known exactly.

Typically, a resource is either trivial or allows OT and hence anything.

Efficiency of some constructions seems (very) suboptimal.

For resources whose behavior is not exactly known (UNC), there is much we do not know. The BC vs. UNC question is resolved, but:

Is OT possible from any non-trivial UNC? What about other models for the noise? What about channels with memory?