Robust Combiners for Oblivious Transfer and Other Primitives

1
Robust Combiners for Oblivious Transfer and Other
Primitives
  • Danny Harnik, Joe Kilian, Moni Naor
  • Omer Reingold, Alon Rosen

Weizmann Institute of Science
2
Do Not Put All Your Eggs in One Basket
3
Example: Encryption
  • Two candidates for encryption algorithms
  • At least one is secure
  • Maybe one is not!
  • Which one to use?
  • Goal: combine the two into a single algorithm
  • Should be secure even if one is not!
  • We call such a construction a Robust Combiner for
    encryption.

[Diagram: EncryptA and EncryptB combined into Encrypt]
4
Robust Combiners
  • A Robust Combiner for a cryptographic primitive:
  • A method for taking two candidate implementations
    of a primitive and producing a single
    implementation so that
  • if at least one candidate is secure then the
    resulting scheme is secure
  • In general: (k,n)-robust combiner
  • there are n candidates
  • if at least k are secure then the result is secure
  • New name for an old concept

5
Some Previous Appearances
  • Herzberg (05): Tolerant schemes
  • Parallel and cascade constructions as combiners.
  • Combiners for encryptions, one-way functions,
    signatures and more.
  • Emphasis on the efficiency of the combiners.
  • Some examples:
  • Asmuth & Blakley (81): combine two untrusted
    encryption schemes.
  • Multiple encryption is a type of combiner; it dates
    back to Shannon (49)
  • Dodis & Katz (05): combiner for CCA2 security.
  • Hohenberger & Lysyanskaya (05): combine two
    software implementations.
  • More

6
Combiners in Practice
  • NESSIE: the portfolio of recommended cryptographic
    primitives advocates the use of multiple
    encryptions.
  • TLS (IETF): combines the SHA1 and MD5 hash functions
  • "In order to make the PRF as secure as possible,
    it uses two hash algorithms in a way which should
    guarantee its security if either algorithm
    remains secure"

7
Combiners as a Theoretical Tool
  • Robust combiners are a handy tool in the
    construction of primitives.
  • Can get rid of mild non-uniformity in
    constructions
  • If a short hint is all that is needed to
    construct an implementation of P, then go over
    all hints and use a (1,k)-robust P-combiner
  • Example: the HILL construction of pseudorandom
    generators from one-way functions
  • Finds a construction with mild non-uniformity
  • Then uses a combiner for PRGs to give a uniform
    construction.

8
Example - Universal Primitives
  • A scheme U is a universal scheme for a primitive
    P if it is guaranteed to be secure under the sole
    assumption that primitive P exists.
  • Levin introduced such a construction for OWFs
    (see Goldreich's book).
  • Key to the universal scheme: the existence of
    (1,k)-robust combiners.
  • The idea:
  • Enumerate all programs of code length log n.
  • Use a (1,n)-combiner for primitive P.
  • If P exists then for large enough n, its program
    is included in the n candidates for the combiner.
  • For large enough n the scheme is secure
  • But:
  • Works only for uniform constructions.
  • Yields no information for which n it is safe to
    use the construction

Meaning of universal scheme: every proof of
existence is also a constructive one!
  • Need some bound on the running time (achieved by
    a padding argument)

9
This Talk
  • Goal of this talk: explore when and for which
    primitives it is possible to obtain combiners, and
    when it is impossible/harder.
  • Outline:
  • One-way functions and equivalents
  • Key Agreement
  • Oblivious Transfer
  • Impossibility result for (1,2)-combiner
  • Positive results: (2,3)-combiner
  • On (1,n)-combiners from (1,2)-combiners

10
Warm-Up: OWF combiners
  • One-way functions
  • Two candidates F_A, F_B
  • The combiner: F(x,y) = F_A(x) || F_B(y) (concatenation)
  • Corollary: combiners also for equivalents of
    one-way functions.
  • Robust combiners for:
  • Pseudo-random generators
  • Pseudo-random functions
  • Pseudo-random permutations
  • Private Key Encryption
  • Signatures
  • Bit commitments

[Diagram: Example, with candidates G_A and G_B]
  • This is not always the simplest way!!
  • For all but bit commitment there is a direct
    construction of a combiner
  • Example: an efficient combiner for PRG is G(x,y) =
    G_A(x) ⊕ G_B(y)
  • Used by HILL

11
Key Agreement (KA)
  • Alice and Bob (who never met before) interact
    over a public channel.
  • They want to agree on a secret key.
  • Two candidates for KA
  • Suppose that both candidates really reach
    agreement.
  • Combiner: simply XOR the keys
  • What if functionality is only guaranteed for one
    candidate?

[Diagram: candidates KA_A and KA_B]
12
Key Agreement (cont.)
  • In general, only one candidate is guaranteed to
    be a KA.
  • Security ?
  • Functionality
  • Solution in two stages:
  • Run an offline functionality test for each
    candidate.
  • One party simulates the candidate poly(n) times
    (playing both sides)
  • Only if agreement is reached in all instances
    is the candidate used.
  • Otherwise agree on 0^n
  • Run the XOR combiner
  • Guaranteed agreement with probability 1 - 1/n
  • Use an Error Correcting Code to reach full
    agreement.
  • One side chooses a key and divides it into shares
  • The above key agreement is run for each share
  • With overwhelming probability both sides end with
    the same key
  • Notes:
  • The KA combiner preserves the number of rounds
  • 2-message KA is equivalent to (semantically
    secure) Public Key Encryption
  • ⇒ Robust combiner for PKE
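
The functionality test followed by the XOR combiner, in runnable form (an added example, not code from the presentation). `ka_dh` is a toy Diffie-Hellman stand-in over an unvetted group, `ka_flaky` is a constructed faulty candidate, and all names and parameters are assumptions; the error-correcting-code step is not included.

```python
import random

P = 2**127 - 1      # toy Diffie-Hellman modulus (assumption, not a vetted group)
G = 3
KEY_BITS = 64
MASK = (1 << KEY_BITS) - 1

def ka_dh(rng):
    """Candidate KA_A: toy Diffie-Hellman. Returns (Alice's key, Bob's key)."""
    a, b = rng.randrange(2, P - 1), rng.randrange(2, P - 1)
    msg_a, msg_b = pow(G, a, P), pow(G, b, P)     # the two public messages
    return pow(msg_b, a, P) & MASK, pow(msg_a, b, P) & MASK

def ka_flaky(rng):
    """Candidate KA_B (constructed): the parties disagree in a quarter of the runs."""
    k = rng.getrandbits(KEY_BITS)
    return k, (k ^ 1 if rng.random() < 0.25 else k)

def passes_functionality_test(candidate, rng, trials):
    """Stage 1: one party plays both sides `trials` times; every run must agree."""
    return all(ka == kb for ka, kb in (candidate(rng) for _ in range(trials)))

def combine(candidates, rng, trials=64):
    """Stage 2: XOR the keys of accepted candidates; a rejected one contributes 0^n."""
    key_alice = key_bob = 0
    accepted = []
    for cand in candidates:
        ok = passes_functionality_test(cand, rng, trials)
        accepted.append(ok)
        if ok:
            ka, kb = cand(rng)        # the real run between Alice and Bob
            key_alice ^= ka
            key_bob ^= kb
    return key_alice, key_bob, accepted

if __name__ == "__main__":
    ka, kb, accepted = combine([ka_dh, ka_flaky], random.Random(2005))
    print("accepted:", accepted, "keys agree:", ka == kb)
```

A candidate that fails only rarely can still slip through the test, which is what the error-correcting-code stage on the slide is for.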

13
Secure Computation
  • We have simple and black-box robust combiners for
    many cryptographic tasks for both private key and
    public key cryptography.
  • What about secure function evaluation (SFE)?
  • In particular, is there a (1,2)-robust combiner
    for the Oblivious Transfer (OT) protocol
    [Rabin 81]?
  • Consider the task of voting.
  • Idea for implementation:
  • Use electronic ballots from several vendors.
  • Combine them to assure security.
  • OT protocol:
  • Bob gets s_c.
  • Bob doesn't learn s_{1-c}.
  • Alice does not learn c.
  • OT is complete for SFE!

[Diagram: OT with inputs c and s_0, s_1 and output s_c]
14
Finding OT-Combiners seems hard
  • Want to show an impossibility result, but:
  • If OT exists, then a combiner can simply ignore
    the candidates and run the OT.
  • We are interested in combiners that rely on the
    candidates' security.
  • Consider Black Box Combiners.
  • The candidates are given in a BB manner (as
    oracles)
  • The proof is BB!
  • Breaking the combiner allows
    breaking of both candidates
  • Situation more delicate with
    interactive primitives.

[Diagram: candidates A and B inside the combiner CMB]
15
Interactive protocols: Third Party Black Box Combiners
  • A Third Party Black Box combiner can only execute
    a candidate scheme in its entirety
  • In a call to a candidate, each party gives its
    secret to a trusted third party and gets its
    output
  • Additional messages may be exchanged
  • Models the OT as a separate entity. Examples:
  • physical implementations (noisy channel,
    quantum)
  • Trusted parties
  • Does not allow arbitrary access to the OT
  • Either to the transcript or to the program
  • Advantages: efficiency and generality
  • Downside: too restrictive. In such a reduction,
    OT does not even imply OWFs
  • Theorem: There exists no third party BB combiner
    for OT

16
Interactive protocols: Transparent Black Box Combiners
  • We attempt to capture a wider notion of
    combiners.
  • Combiners that can also access the transcript.
  • An interactive protocol is generated using 2
    oracles:
  • A next message oracle (creates the next message to
    be sent given the history)
  • An output oracle (generates the local output
    given the transcript)
  • A Transparent Black Box combiner:
  • Every time a next message call is invoked,
    this message is sent to the other party.
  • Models using the candidate in the context of the
    protocol.
  • Theorem: There exists no transparent BB combiner
    for OT

17
Impossibility of OT-combiners: Some Intuition
  • Consider two naïve implementations of OT:
  • OT_A: the sender gives the receiver s_0 and s_1
  • Unconditionally secure for the receiver
  • OT_B: the receiver gives the sender c and the
    latter sends s_c
  • Unconditionally secure for the sender
  • What if we apply the combiner on OT_A and OT_B?
  • Do we get an unconditional implementation of OT?
  • Impossible

18
OT transparent black box impossibility
  • Theorem: For every transparent BB combiner for OT
    there exists a world in which it can be broken.
  • Broken: either the sender can guess c with
    probability ¾ or the receiver can guess both s_0
    and s_1 with probability ¾
  • More precisely:
  • We show two worlds such that every transparent BB
    OT-combiner is broken in one of them.
  • In general we will be considering the
    honest-but-curious model

19
The two worlds
OT_B (f_1^B, f_2^B, Rec_B)
OT_A (f_1^A, f_2^A, Rec_A)
  • Good OT via oracles (f_1, f_2, Rec)
  • f_1 and f_2: length-tripling random functions;
    recovery function Rec
  • The protocol:
  • Receiver: m_1 = f_1(Rand_R, c)
  • Sender: m_2 (Rand_S, s_0, s_1, m_1)
  • Receiver: Rec(m_2, Rand_R) = s_c
  • This is a good implementation of OT (even in
    the presence of a PSPACE-complete oracle)
  • If there is access to f_1^-1 and f_2^-1 then this
    implementation is broken
  • World 1:
  • OT_A and OT_B implemented by separate oracles.
  • Contains a PSPACE-complete oracle
  • OT_A reveals everything to the sender (access to
    (f_1^A)^-1 and (f_2^A)^-1)
  • World 2:
  • OT_A and OT_B
  • Contains a PSPACE-complete oracle
  • OT_B reveals everything to the receiver

20
The protocol OT_COMB
  • Consider the OT-combiner taking OT_A and OT_B as
    candidates.
  • Call this protocol OT_COMB
  • OT_COMB looks exactly the same in World 1 and
    World 2.
  • OT_COMB should be a secure OT in both worlds,
  • since one of the OTs is good in each of the
    worlds.
  • Goal: show an attack on OT_COMB in at least one of
    the worlds.
  • This would be a contradiction!
  • World 1:
  • OT_A and OT_B implemented by separate oracles.
  • Contains a PSPACE-complete oracle
  • OT_A reveals everything to the sender (access to
    (f_1^A)^-1 and (f_2^A)^-1)
  • World 2:
  • OT_A and OT_B
  • Contains a PSPACE-complete oracle
  • OT_B reveals everything to the receiver

21
The Bare World
  • The bare world contains only a PSPACE-complete
    oracle (no oracles for OT).
  • We give a simulation of OT_COMB in this world,
    called OT_BARE.
  • Notice that OT_COMB is well defined as long as we
    plug in implementations of OT_A and OT_B
  • The idea for OT_BARE:
  • the sender handles the OT_A calls
  • the receiver handles the OT_B calls.
  • For example:
  • The receiver wants to query OT_A,
  • He instead asks the sender this query.
  • The sender chooses random values as answers for
    queries to f_1^A, f_2^A (this imitates the real
    oracle).
  • The sender also records all his answers, giving
    him the ability to correctly answer queries to
    Rec_A.

22
No OT in the Bare World
  • OT_BARE cannot be secure since there is no crypto
    with a PSPACE oracle!
  • More precisely:
  • For every execution of OT_BARE either the sender
    learns c or the receiver learns both secrets
    (using the PSPACE-complete oracle).
  • The point: these attacks can be translated to
    attacks on OT_COMB in one of the two worlds!

23
No OT in the Bare World
[Figure: OT_BARE (view of sender, view of receiver) beside OT_COMB (view of sender in World 1, view of receiver in World 2)]
  • View of sender in OT_BARE includes:
  • sender's inputs and coins
  • all messages
  • all queries and answers to OT_A (since he simulates
    OT_A)
  • View of sender in OT_COMB in World 1 includes:
  • sender's inputs and coins
  • all messages
  • all queries and answers to OT_A (since he has an
    inverter for OT_A and due to transparency of the
    combiner)
  • Corollary:
  • If the sender in the bare world learns c then the
    sender of the corresponding OT_COMB in World 1 also
    learns c.
  • If the receiver in the bare world learns both secrets
    then the receiver of OT_COMB in World 2 learns both
    secrets.
  • Altogether: every execution is broken in one of
    the two worlds

24
(2,3)-Robust OT-Combiner
  • Define 2 constructions, R and S (from Crepeau &
    Kilian 89). Both have OT functionality. Also:
  • R takes 2 candidates for OT. Outcome is:
  • Secure for the receiver if at least one candidate
    is secure for the receiver.
  • Secure for the sender only if both are secure for
    the sender.
  • S takes 3 candidates for OT. Outcome is:
  • Secure for the receiver if all 3 are secure.
  • Secure for the sender if at least one is secure.
  • Define:
  • OT_AB = R(OT_A, OT_B)
  • OT_AC = R(OT_A, OT_C)
  • OT_BC = R(OT_B, OT_C)
  • The (2,3)-combiner is defined as S(OT_AB, OT_AC,
    OT_BC)
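
An added example (not from the presentation) that checks the (2,3)-combiner exhaustively on single-bit OTs. The slide does not spell out R and S, so the XOR-sharing versions below are an assumption; `candidate`, `views` and the leaky-candidate model are constructed for illustration.

```python
from collections import Counter
from itertools import product

def candidate(leaky, snd, rcv):
    """Ideal bit OT. A leaky candidate protects neither party (constructed model)."""
    def ot(s0, s1, c, coins):
        out = s1 if c else s0
        snd.append((s0, s1, c if leaky else None))      # what the sender sees
        rcv.append((c, s0, s1) if leaky else (c, out))  # what the receiver sees
        return out
    return ot

def R(ot1, ot2):
    """Hides c if either candidate does: c is XOR-shared as c1 and c1^c."""
    def ot(s0, s1, c, coins):
        r, c1 = next(coins), next(coins)
        return ot1(r, r ^ s0 ^ s1, c1, coins) ^ ot2(r ^ s0, r ^ s1, c1 ^ c, coins)
    return ot

def S(ot1, ot2, ot3):
    """Hides the unchosen secret if any candidate does: s0, s1 are shared 3 ways."""
    def ot(s0, s1, c, coins):
        a0, a1, b0, b1 = (next(coins) for _ in range(4))
        return (ot1(a0, a1, c, coins) ^ ot2(b0, b1, c, coins)
                ^ ot3(s0 ^ a0 ^ b0, s1 ^ a1 ^ b1, c, coins))
    return ot

def views(leaky, s0, s1, c):
    """Run S(R(A,B), R(A,C), R(B,C)) on every one of the 2^10 coin strings.
    Returns (set of outputs, sender-view distribution, receiver-view distribution)."""
    outs, snd_dist, rcv_dist = set(), Counter(), Counter()
    for bits in product((0, 1), repeat=10):
        snd, rcv = [], []
        A, B, C = (candidate(name in leaky, snd, rcv) for name in "ABC")
        combined = S(R(A, B), R(A, C), R(B, C))
        outs.add(combined(s0, s1, c, iter(bits)))
        snd_dist[tuple(snd)] += 1
        rcv_dist[tuple(rcv)] += 1
    return outs, snd_dist, rcv_dist

if __name__ == "__main__":
    for bad in ("A", "B", "C", "AB"):
        c_hidden = views(bad, 0, 1, 0)[1] == views(bad, 0, 1, 1)[1]
        s1_hidden = views(bad, 0, 0, 0)[2] == views(bad, 0, 1, 0)[2]
        print(f"leaky={bad}: c hidden={c_hidden}, unchosen secret hidden={s1_hidden}")
```

With one leaky candidate both view distributions are identical across the hidden value; with A and B both leaky they differ, which is why the construction is (2,3)-robust and not (1,3)-robust.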

25
(1,k)-Combiner from (1,2)-Combiner
  • Existence of a (1,2)-combiner is necessary for
    (1,k)-combiners to exist.
  • When is it sufficient?
  • Natural approach:
  • Organize the k schemes in a binary tree with k
    leaves.
  • Each node runs the (1,2)-combiner with its
    siblings as candidates.
  • Outcome is secure if at least one leaf is secure.
  • Need to ensure running time is polynomial.
  • If the (1,2)-combiner runs in time m × (candidates'
    time),
  • total running time is m^O(log k)
  • If m is a constant then total time is polynomial
    and the tree construction works.
  • If a (1,2)-combiner for OT is found it will not
    likely be that efficient

26
(1,k)-Combiner for OT from (1,2)-Combiner for OT
  • Theorem: Any (1,2)-combiner for OT can be used
    for a (1,k)-combiner for OT.
  • Solution: use the (2,3)-combiner for OT, which
    runs in time 6 × (candidates' time).
  • Divide the k candidates into 3 groups of size
    2/3 k.
  • Each candidate should appear in at least two
    groups.
  • Recursively run a (1, 2/3 k)-combiner on each
    group.
  • The 3 outcomes are combined using the
    (2,3)-combiner.
  • Running time is polynomial.
  • If the (1,2)-combiner runs in time n^d,
  • total running time is 18^O(log k) · n^d.
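
The recursive grouping above, checked symbolically (an added example, not code from the presentation). `C12` stands for the hypothetical (1,2)-combiner and `C23` for the (2,3)-combiner; the round-robin split into thirds and all function names are assumptions.

```python
def build(cands):
    """Combiner tree over a list of candidate names, as nested tuples."""
    if len(cands) == 1:
        return cands[0]
    if len(cands) == 2:
        return ("C12", cands[0], cands[1])            # hypothetical (1,2)-combiner
    t = [cands[i::3] for i in range(3)]               # three non-empty thirds
    groups = (t[0] + t[1], t[0] + t[2], t[1] + t[2])  # each candidate is in two groups
    return ("C23",) + tuple(build(g) for g in groups)

def secure(tree, good):
    """Propagate the guarantees: C12 needs one secure input, C23 needs two."""
    if isinstance(tree, str):
        return tree in good
    kind, *kids = tree
    return sum(secure(k, good) for k in kids) >= (1 if kind == "C12" else 2)

def c12_runs(tree):
    """Executions of the (1,2)-combiner; the (2,3)-combiner runs each input twice."""
    if isinstance(tree, str):
        return 0
    kind, *kids = tree
    return 1 if kind == "C12" else 2 * sum(c12_runs(k) for k in kids)

def depth(tree):
    """Number of combiner levels above the deepest candidate."""
    return 0 if isinstance(tree, str) else 1 + max(depth(k) for k in tree[1:])

if __name__ == "__main__":
    for k in (3, 9, 27):
        names = [f"c{i}" for i in range(k)]
        tree = build(names)
        ok = all(secure(tree, {g}) for g in names)    # any single secure candidate
        print(f"k={k}: depth={depth(tree)}, C12 runs={c12_runs(tree)}, robust={ok}")
```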

27
Summary for OT Combiners
  • Negative:
  • No transparent BB robust combiners for OT
  • Positive:
  • OT given hardness of discrete log or factoring,
  • since the security of one of the sides is
    unconditional
  • There is a (2,3)-robust OT-combiner
  • simple and third party black box.
  • (1,2)-combiners for OT suffice for a universal OT
    scheme.
  • Main open problem: combiners for OT ????
  • (perhaps non-black-box)

28
Main open problem: Non-black-box combiners for OT
  • Approaches for non-BB:
  • Use the circuit of a function
  • Examples: ZK for NP, garbled circuits (Yao)
  • Use the program of the adversary
  • Example: Barak's public coin ZK
  • Attempt with garbled circuits:
  • Consider the circuit for OT_A
  • The sender garbles this circuit,
  • fixing s_0 and s_1 and its randomness Rand_S
  • Let the receiver evaluate his output bit
  • on inputs c and Rand_R using OT_B at the input
    gates.
  • Fails when OT_B is insecure

29
Open Problems: Commitments
  • For computationally hiding commitments: known only
    via full reduction to one-way functions
  • Inefficient and requires the transcript
  • What about information hiding commitments?
  • Not known to be equivalent to OWFs (one-way
    permutations are needed in NOVY)
  • Negative: Third party BB impossibility for both
    commitments.
  • Positive:
  • Simple (2,3)-combiners (Herzberg)
  • If one side's security is guaranteed, then easy
    (e.g. string commitments that are very short
    (Kilian 92))

30
Open Problems
  • Characterize functions where BB combiners exist
  • Efficiency issues: can you get a one-way hash
    function without concatenation?
  • Especially relevant given recent developments...