Constant Round Oblivious Transfer in the BoundedStorage Model

1
Constant Round Oblivious Transfer in the
Bounded-Storage Model

• Yan Zong Ding
• Danny Harnik
• Alon Rosen
• Ronen Shaltiel

2
The Bounded Storage Model

• Alternative cryptographic setting
• Mainstream Cryptography Assume parties are
  time bounded (run in polynomial time).
• This model Assume parties have bounded storage.

3
Bounded Storage Model - the setting Maurer 92
A long random string R of length N

• A long random string R is transmitted.
• Honest parties store small portions of R.
• Parties interact.
• Malicious adversary allowed to store almost all
  of R.
• Random string is no longer available.
• Bound is only at end of transmit stage.

A long random string R of length N
Stores ¾N bits


(Arbitrary function of R)
4
The bounded storage model

• Most of the research so far focused on
• Key agreement Mau93,CM97.
• Private-key encryption Mau92,CM97,AR99,ADR02,DR02
  ,DM02,Lu02, Vad03.
• This talk about Oblivious Transfer (OT)
• An interesting and very well studied primitive in
  cryptography, e.g. Rab81,EGL85,GMW87, Kil88,
  CK88, Cre88, BM89, BBCS91, Bea96, Cac98, DKS99,
  NP01
• In BSM model CCM97, Din01, HCR02

5
OT in the bounded storage model A definition

• Alice holds two secrets s0,s1.
• Bob holds a choice bit c.
• A long string R is transmitted.
• After OT protocol
• Bob gets sc.
• Bob doesnt learn s1-c.
• Alice does not learn c.

s0,s1
c
A long random string R of length N


sc
6
OT in the bounded storage model Previous works
Storage
Rounds
Paper
N2/3d
NO(1)
CCM97
N1/2d
O(log N log 1/e)
Ding01
N1/2 d
5 messages
Here

• Other Improvements
• Exponentially small e
• Can pass longer secrets
• Lower communication
• Low probability of abort

Slightly weaker model.
7
Coming up

• A basic protocol (which requires too much
  storage).
• Use a setup protocol to reduce the storage.
• Interactive Hashing.

8
A basic protocol for OT

• A long random string R(R0,R1) is transmitted.
• Bob remembers Rc. (½N bits).
• Alice remembers all of R.
• Idea Use R0 and R1 to hide secrets.
• Bob can recover sc.
• Malicious Bob doesnt know both R0 and R1.
• Has entropy about one of the secrets.
• Method Use Randomness Extractors.

R1 is a high entropy source to me
There must be an extractor here!
s0,s1
c
Stores ¾N bits
9
Randomness Extractors NZ93

• Extract randomness from distributions which
  contain sufficient (min)-entropy.
• Use a short seed of truly random bits.
• Output is (close to) uniform even when the
  adversary knows the seed.
• Relation to BSM pointed out by CM97,Lu02,Vad03.

high entropy distribution
10
A basic protocol for OT

• Malicious Bob doesnt know both R0 and R1.
• Has entropy about one of the secrets.
• Method Use Randomness Extractors.
• Alice sends random seeds Y0,Y1 for extractor.
• Secrets masked by outputs of extractor.

Cant learn both secrets
s0,s1
c
s0
s1
Uniform from Bobs point of view.
11
Basic Protocol Too much storage Solution use
setup protocol

• After R is transmitted. The parties store small
  subsets and engage in a setup protocol.
• Setup protocol parties agree on short (NO(1))
  substrings R0,R1 s.t.
• Functionality
• Alice knows R0,R1.
• Bob knows Rc.
• Security
• Bob has a lot of entropy on R1-c.
• Alice does not know c.
• Run Basic protocol on R0,R1.

A long random string R of length N


R0
R1
Basic Protocol
12
Basic idea for setup protocol Follow
key-agreement CM97

• Alice and Bob store random subsets of R.
• Alice sends the position of her set.
• W is the positions of the intersecting subset.
  Known only to Bob.
• Agree on two sets R0,R1
• Both are in Alices set.
• Rc W
• Bob has high-entropy about R1-c.
• Alice doesnt learn c

A long random string R of length N
Stores N½
Stores N½


W
R0
R1
Agree on two sets R0,R1
Called Interactive Hashing.
13
The story so far A summary of the OT protocol

• Basic protocol for OT, but requires a lot of
  storage.
• Run a setup protocol to reduce the storage.
• A component in this protocol is an interactive
  hashing protocol.

s0,s1
c
A long random string R of length N
Setup Protocol
Basic Protocol
Interactive hashing
Extractors
14
Sources of improvements

• Previous constructions can be viewed as
  complicated versions of this outline.
• Using modern Extractors (and Samplers) improves
  most parameters (e.g. storage, communication,
  output length).
• Does not get a constant number of rounds -
  Bottleneck is the interactive hashing protocol.
• CCM97 use the protocol from NOVY92 which
  takes linearly many rounds.
• We present a new 4-round Interactive hashing
  protocol using almost t-wise independent
  permutations.

Note The new protocol only applies to the
information theoretic setting
15
Interactive Hashing

• Bob holds an input W.
• At the end of the protocol both parties agree on
  R0,R1 s.t.
• Honest Bob
• WRc
• R1-c is uniform in Alices set.
• Alice does not know c.
• Malicious Bob Cannot know both strings, has
  high-entropy about one of the strings.

W
R0,R1
Note This has got nothing to do with the bounded
storage model. Such a protocol exists for
unbounded parties.
16
A naïve implementation of Interactive Hashing
choose W after I see h

• Let H be a family of 2-to-1 pair-wise ind. hash
  functions h0,1n?0,1n-1.
• Alice sends a random hash function h.
• Bob sends h(W).
• The two pre-images of h(W) are R0,R1.

W
One is W the other uniformly distributed (because
of pair-wise independence). But Bob may choose W
after he sees h!
17
Interactive Hashing in CCM97 The NOVY-protocol

• Send h gradually !
• Alice sends portions of her hash function in
  exchange to portions of Bob replies.
• Consider W as an n bit vector.
• h is an n-1xn matrix A with full rank and h(w)
  Aw.
• Send a row of A at each round (instead of all at
  once).
• Requires n-1 rounds.

W
A1
A2
A3
Aw
18
This Paper 4 Message Interactive Hashing

• h g ? P
• P is an almost t-wise ind. Permutation on n bits
  (e.g. Gow).
• g is a 2-to-1 pair-wise ind. hash on 1/4n bits.
• Alice sends P to Bob who replies with P(w)13/4n
  .
• Alice sends g to Bob who replies with
  g(P(w)3/4nn).
• Requires 4 messages.

P
P
g
g
h(w)
19
Wrapping up

• Main result
• A constant round protocol for OT in the bounded
  storage model.
• Contributions
• Simplifying and improving the previous protocols
  using randomness extractors.
• A new constant round protocol for interactive
  hashing.

s0,s1
c
A long random string R of length N
Setup Protocol
Basic Protocol
Interactive hashing
Extractors
20
Further Issues

• We also came up with a 3-message protocol.
• N½ is a lower bound on storage DM04.
• Open Questions
• Can we mix the bounded storage model and standard
  cryptography?
• How do protocols compose in the bounded storage
  model?
• Can our new constant round Interactive-Hashing
  protocol replace NOVY in computational
  applications.

21
Thank You
22
Weakness of basic protocol

• The basic protocol works but requires a lot of
  storage for the honest players.
• Alice has to store all of R(R0,R1).
• Bob has to store half of R.
• The actual construction
• Use a setup protocol to obtain short R0,R1 with
  good properties.
• Run the basic protocol.

23
Oblivious Transfer in the bounded storage model
24
Oblivious Transfer (OT)

• Alice holds two secrets s0,s1.
• Bob holds a choice bit c.
• After OT protocol
• Bob gets sc.
• Bob doesnt learn s1-c.
• Alice does not learn c.
• OT is a fundamental primitive in cryptography and
  useful building block. (e.g., Kil88)

s0,s1
c
sc
25
The bounded storage model

• Practical? Depends on ratio between price of
  memory and speed of broadcast.
• Most of the research so far focused on
• Key agreement Mau93,CM97.
• Private-key encryption Mau93,CM97,AR99,ADR02,DR02
  ,DM02,Lu02,Vad03.
• Advantages
• Clean model.
• Security does not require unproven assumptions.
• Everlasting security DR The security is
  guaranteed even if at a later stage the adversary
  gains more memory.

26
OT is the bounded storage model Protocols

• Other Improvements
• Can pass longer secrets
• Lower communication
• Lower error probability
• Lower probability of abort

The rounds in previous work depend on various
parameters. Dings model is different and weaker.
27
OT in the bounded storage model Protocols

• Other Improvements
• Can pass longer secrets
• Lower communication
• Lower error probability
• Low probability of abort

The rounds in previous work depend on various
parameters. Dings model is different and weaker.
28
OT in the Bounded Storage Model Previous work

• CCM97 first protocol
• NO(1) rounds.
• Error probability egtNO(1).
• N2/3 d storage for honest parties.
• Ding01
• O(log N log 1/e) rounds.
• N1/2 d storage.
• Slightly different (and weaker) model
• Here
• 5 rounds.
• N1/2 d storage.
• exponentially small error

• Other Improvements
• Can pass longer secrets
• Lower communication
• Low probability of abort

29
Randomness Extractors NZ93

• Extract randomness from arbitrary distributions
  which contain sufficient (min)-entropy.
• Use a short seed of truly random bits.
• Output is (close to) uniform even when the
  adversary knows the seed.
• Relation to BSM pointed out by Lu02,Vad03.

high entropy distribution
All my memory is useless! I hate extractors!
30
A basic protocol for OT

• A long random string R(R0,R1) is transmitted.
• Bob remembers Rc. (½N bits).
• Alice remembers all of R.
• Alice randomly chooses seeds Y0,Y1 for an
  extractor.
• Alice sends
• Y0, B0Ext(R0,Y0) xor s0.
• Y1, B1Ext(R1,Y1) xor s1.
• Bob recovers sc.

Cant learn both secrets
s0,s1
c
Stores ¾N bits
s0
s1
Uniform from Bobs point of view.
31
Open Problems

• We also came up with a 3-message protocol.
• Is it possible to break the N½ barrier?
• Security issues
• Can we compose protocols in the bounded storage
  model?
• Can we mix the bounded storage model and standard
  cryptography?
• Simulation arguments (This work gives a
  simulation argument where the simulator isnt
  efficient).
• Warning The bounded-storage model creates new
  problems for simulation and compilation
  paradigms.
• More protocols for the bounded-storage model.
• Can our new constant round Interactive-Hashing
  protocol replace NOVY in computational
  applications.

32
Example Key-Agreement

• Alice and Bob (who never met before) interact
  over a public channel.
• They want to agree on a secret key.

??
33
Protocol Key-Agreement Mau93,CM97

• A long random string R is transmitted.
• Alice and Bob store random subsets of size N½.
• Send position of subsets and agree on content of
  intersection.
• Next, argue that an eavesdropper which stores ¾N
  bits has a lot of entropy on the key.

A long random string R of length N
Stores N½
Stores N½


key
Does not know the key!
34
The view of the adversary

• Simplifying assumption The adversary stores a
  subset of size ¾N of the bits of R.
• The sets chosen by the players are random.
• The set which defines the key is a random subset.
• The adversary does not remember ¼N bits.

¾N bits
key


¾ known
¼ unknown
From my point of view the key is a high-entropy
source!
Holds even when the adversary stores an
arbitrary function of R NZ93.
35
Key-Agreement using extractors

• A long random string R is transmitted.
• Alice and Bob store random subsets of size N½.
• Send position of subsets and agree on content of
  intersection.
• Alice randomly chooses a seed and sends it to
  Bob. Both apply an extractor.

A long random string R of length N
Stores N½
Stores N½




36
Interactive Hashing

• Bob holds an input W.
• At the end of the protocol both parties agree on
  R0,R1 s.t.
• W?R0,R1 yet Alice does not know which one it
  is.
• The other string is uniformly distributed.

Note This has got nothing to do with the bounded
storage model. Such a protocol exists for
unbounded parties.
W
R0,R1
Formally For every set S of strings (chosen by
Bob), Bob cannot force both R0 and R1 to land in
S (with high probability).
Bob cannot control both strings.
37
A naïve implementation of Interactive Hashing
choose W after I see h

• Let H be a family of 2-to-1 pairwise ind. hash
  functions h0,1n?0,1n-1.
• Alice sends a random hash function.
• Bob sends h(W).
• Alice and Bob compute the two preimages of h(W)
  under h R0,R1.

W
Example Choose a random n-1xn matrix A with full
rank. h(w)Aw (Can also be implemented with
linear functions h(w)awb).
Pairwise independence guarantees that the other
output is uniformly distributed. But only if Bob
chooses W before he sees h!
38
Naïve interactive hasing protocol fails for large
sets
choose W after I see h

• Suppose that Bob has a large set S (of size gt
  2n/2) and he wants to force both strings to be in
  this set.
• By the birthday paradox we expect to have
  collisions in S.
• Bob can simply wait to see h and choose a
  collision.

W
h
S
0,1n-1
39
The solution in CCM97 The NOVY-protocol

• The NOVY-protocol is based on h(w)Aw.
• Naïve protocol.
• NOVY-protocol Alice sends portions of her hash
  function A in exchange to portions of Bob
  replies.
• Requires n-1 rounds.

W
A
A1
A2
A3
Aw
The NOVY-protocol works in a stronger
(computational) setting. Our improvements only
apply to the information-theoretic setup.
40
New constant round Interactive-Hashing protocol
The fact that p is a permutation guarantees that
the pair (p,h) is 2-to-1.
By using more independence I can be safe with
just 2 rounds.

• Based on almost n-wise independent family of
  permutations (e.g. Gow) p0,1n ? 0,1n.
• Alice sends permutation.
• Bob replies with many (¾n) output bits.
• Apply naïve interactive hashing on remaining (¼n)
  bits.
• Natural variant of NOVY.

W

• Every p in the family is a permutation.
• The images of every n inputs behave almost like
  in a completely random permutation (over choice
  of p).
• No known construction of perfect t-wise
  independent family for tgt3 is known.

41
This Paper 4 Message Interactive Hashing

• h g ? P
• P is an almost t-wise ind. Permutation.
• g is a 2-to-1 pair-wise ind. hash.
• Alice sends P to Bob who replies with P(w)13/4n
  .
• Alice sends g to Bob who replies with h(w)3/4nn
  .
• Requires 4 messages.

P
P
g
g
P
g
42
NOVY Interactive-Hashing

• View as choosing n-1 hash functions h1,,hn-1
  hi0,1n?0,1
• In each step a hash function is sent in return
  for the image hi(W).
• Each step reduces the possible values for W,
  until at the end only two are left.

W