Black-Box Constructions for Secure Computation


Black-Box Constructions for Secure Computation (extended abstract)

Yuval Ishai, Eyal Kushilevitz, Yehuda Lindell, Erez Petrank

ABSTRACT

It is well known that the secure computation of non-trivial functionalities in the setting of no honest majority requires computational assumptions. We study the way such computational assumptions are used. Specifically, we ask whether the secure protocol can use the underlying primitive (e.g., one-way trapdoor permutation) in a black-box way, or must it be nonblack-box (by referring to the code that computes this primitive)? Despite the fact that many general constructions of cryptographic schemes (e.g., CPA-secure encryption) refer to the underlying primitive in a black-box way only, there are some constructions that are inherently nonblack-box. Indeed, all known constructions of protocols for general secure computation that are secure in the presence of a malicious adversary and without an honest majority use the underlying primitive in a nonblack-box way (requiring to prove in zero-knowledge statements that relate to the primitive). In this paper, we study whether such nonblack-box use is essential. We present protocols that use only black-box access to a family of (enhanced) trapdoor permutations or to a homomorphic public-key encryption scheme. The result is a protocol whose communication complexity is independent of the computational complexity of the underlying primitive (e.g., a trapdoor permutation) and whose computational complexity grows only linearly with that of the underlying primitive. This is the first protocol to exhibit these properties.

Categories and Subject Descriptors: F.1.2 [Theory of Computation]: Interactive and reactive computation

Research supported by grant 36/03 from the Israel Science Foundation.
Department of Computer Science, Technion, Israel. email: {yuval,eyalk,erez}@cs.technion.ac.il
Department of Computer Science, Bar-Ilan University, Israel. email: lindell@cs.biu.ac.il. Much of this work was carried out while the author was visiting the Technion.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. STOC'06, May 21–23, 2006, Seattle, Washington, USA. Copyright 2006 ACM /06/ $5.00.

General Terms: Algorithms, Theory

Keywords: Theory of cryptography, secure computation, black-box reductions, oblivious transfer

1. INTRODUCTION

It is a known fact that most cryptographic tasks require the use of computational hardness assumptions. These assumptions typically come in two types: specific assumptions like the hardness of factoring, RSA, discrete log and others, and general assumptions like the existence of one-way functions, trapdoor permutations and others. In this paper, we refer to general assumptions and how they are used. Specifically, we consider an intriguing question regarding how secure protocols utilize a primitive that is assumed to carry some hardness property. Here again, there is a clear distinction between two types of uses:

1. Black-box usage: a protocol (or construction) uses a primitive in a black-box way if it refers only to the input/output behavior of the primitive.¹ For example, if the primitive is a trapdoor permutation, then the protocol may sample a permutation and its domain, and may compute the permutation and its inverse (if the trapdoor is given). Beyond this, no reference is made to the primitive. In particular, the code used to compute the permutation (or carry out any other task) is not referred to by the protocol. The vast majority of constructions in cryptography are black-box.

2. Nonblack-box usage: a protocol (or construction) uses a primitive in a nonblack-box way if it refers to the code for computing its functionality. A typical example of a nonblack-box construction is where a Karp reduction is applied to the circuit computing the function, say, in order to prove an NP zero-knowledge proof, as in [14].
A rich and fruitful body of work, initiated by [16], attempts to draw the borders between possibility and impossibility for black-box constructions in cryptography. While many of the relations between primitives are well understood, there are still some important tasks for which the only constructions that we have rely on nonblack-box access to the assumed primitive, yet the existence of a black-box construction is not ruled out. In particular, all known general constructions of multiparty protocols that are secure in the presence of malicious adversaries and without an honest majority, originating from [15], use nonblack-box access to the assumed primitive.² (We note that by general constructions, we mean constructions that can be used to securely compute any functionality.) Another notable example of this phenomenon is the case of public-key encryption that is secure against chosen-ciphertext attacks [7, 30, 23]; here too, all known constructions are nonblack-box. The above phenomenon begs the following question:

Is it possible to construct general protocols for secure computation without an honest majority and with malicious adversaries, given only black-box access to a low-level primitive?

Answering the above question is of interest for the following reasons. First, it is of theoretical interest to understand whether or not nonblack-box access to a primitive is necessary for these tasks. An answer to this question would enhance our understanding of how hardness assumptions can (or must) be used. Second, as we have mentioned, the nonblack-box use of the underlying primitive is typically utilized in order to apply a Karp reduction for the purpose of using a (general) zero-knowledge proof. Such reductions are highly inefficient and are unlikely to be very useful in practice. Furthermore, in these protocols the communication complexity depends on the complexity of computing the primitive and the computational complexity grows more than linearly with that of the primitive. (An exception to this rule is the communication-efficient compiler presented in [26], which relies on the communication-efficient arguments of [20, 25]. However, the computational complexity of the protocol of [26] is even worse than the GMW protocol [15].) To illustrate the type of inefficiency resulting from current nonblack-box constructions, consider the following hypothetical scenario. Suppose that, due to major advances in cryptanalytic techniques, the security parameter must be large enough so that all basic cryptographic primitives require a full second of computation on a fast CPU.

¹ It is typically also required that the security proof of the construction is black-box in the sense that an adversary breaking the protocol can be used as an oracle in order to break the underlying primitive. See, e.g., [11, 12, 29] for a comprehensive treatment of black-box reductions in cryptography.
In such a case, would it still be possible to carry out a distributed task like oblivious transfer? Current nonblack-box techniques (e.g., the GMW protocol [15]) require parties to prove in zero-knowledge statements that involve the computation of the underlying primitive, say a trapdoor permutation. These zero-knowledge protocols, in turn, invoke cryptographic primitives for any gate of a circuit computing a trapdoor permutation. Since (by our assumption) a trapdoor permutation takes one second to compute, its circuit implementation contains trillions of gates, thereby requiring the protocol trillions of seconds to run. In contrast, a black-box construction of oblivious transfer from the trapdoor permutation primitive would make the number of invocations of the primitive independent of the complexity of implementing the primitive, thus making oblivious transfer feasible even in the hypothetical scenario described above. We conclude that the current nonblack-box use of the underlying primitives constitutes an obstacle to efficiency. It is therefore of great interest to know whether or not it is possible to obtain solutions to these tasks that do not suffer from this obstacle. (We note that the inefficiency of nonblack-box constructions here is quite ironic because in many areas of cryptography, black-box constructions have been shown to have inherent computational limitations [21, 10].) Despite the above, we stress that the focus of this paper is not on efficiency, but rather on the theoretical question of whether or not it is possible to obtain the aforementioned black-box constructions.

² We stress that the above discussion is only true when considering general assumptions. Furthermore, it is only true when considering low-level primitives like trapdoor permutations. Specifically, there do exist constructions of secure multiparty protocols that use only black-box access to an oblivious transfer primitive [18]. However, since it is not known how to construct oblivious transfer using only black-box access to, say, trapdoor permutations, the overall construction obtained does not use this low-level primitive in a black-box way.
We believe this question to be interesting in its own right.

Our results. We show how to construct general secure multiparty computation (for the case of no honest majority and malicious adversaries), given black-box access to either homomorphic encryption schemes or enhanced trapdoor permutations (see [13, Appendix C.1] for the definition of enhanced trapdoor permutations). We note that all known general constructions for this task from low-level primitives rely on either enhanced trapdoor permutations or homomorphic encryption schemes. However, they all use them in an inherently nonblack-box way. This is the case even for protocols that implement very simple functionalities, such as oblivious transfer. We prove the following:

Theorem 1.1. There exist protocols for securely computing any multiparty functionality without an honest majority and in the presence of static malicious adversaries, that rely only on black-box access to a family of enhanced trapdoor permutations or to a homomorphic encryption scheme.

We remark that nonblack-box access is not typically used when considering semi-honest adversaries [32, 15]. Rather, the nonblack-box access is utilized in known protocols in order to have the parties prove (in zero-knowledge) that they are correctly following the protocol specification. This is necessary for preventing a malicious adversary from effectively deviating from the protocol instructions. We note also that in the case of an honest majority, it is possible to securely compute any functionality information-theoretically, and without any hardness assumption [2, 5]. Thus, no primitive at all is needed. For this reason, we focus on the case of no honest majority (including the important two-party case) and malicious adversaries.

Techniques. In order to prove Theorem 1.1, we begin by constructing oblivious transfer protocols that use only black-box access to enhanced trapdoor permutations or homomorphic encryption schemes, but provide rather weak security guarantees. We then boost the security of these protocols in order to obtain protocols that are secure in the presence of malicious adversaries.
Constructions until today that have followed this paradigm work by first obtaining protocols that are secure in the presence of semi-honest adversaries, and then boosting them so that they are secure in the presence of malicious adversaries. However, it is not known how to carry out this boosting in a black-box way (and, indeed, it has been conjectured that malicious oblivious transfer cannot be constructed from semi-honest oblivious transfer in a black-box way [24]). Since we wish to make our construction black-box, we take a different route.

Protocol number   Security for corrupted sender   Security for corrupted receiver
3.1, 3.3          Private for defensible sender   Private for defensible receiver
4.1               Private for defensible sender   Secure for malicious receiver
5.1               Secure for malicious sender     Private for defensible receiver
In Theorem 6.1    Secure for malicious sender     Secure for malicious receiver

Table 1: The progression of our constructions: each protocol uses the previous one as a subprotocol.

Specifically, we begin by introducing the notion of a defensible adversary. In order to describe this notion, we describe what a defense is: a defense is an input and random-tape that is provided by the adversary after the protocol execution concludes. A defense is good if the honest party upon that input and random-tape would have sent the same messages as the adversary sent. Such a defense is a supposed proof of honest behavior. However, the adversary need not actually behave honestly and can construct its defense retroactively (after the execution concludes). A protocol is said to be private in the presence of defensible adversaries if privacy is preserved in the event that an adversary provides a good defense. However, in the case that the adversary doesn't provide a good defense, nothing is guaranteed, and the entire honest party's input may be learned. This notion is therefore rather weak. We note that the oblivious transfer protocol of [8] is not secure under this notion. However, it can be efficiently modified into one that is secure under this notion. It is also possible to efficiently construct such an oblivious transfer protocol from homomorphic encryption. Importantly, we show that it is possible to construct oblivious transfer that is secure in the presence of malicious adversaries from oblivious transfer that is private in the presence of defensible adversaries. Furthermore, this construction is black-box. As we have mentioned, we start by constructing oblivious transfer protocols that are private in the presence of defensible adversaries.
We present two such protocols: one that uses black-box access to a family of enhanced trapdoor permutations, and one that uses black-box access to a homomorphic public-key encryption scheme. Next, we construct from the above oblivious transfer protocol a new oblivious transfer protocol that is still private in the presence of defensible senders, but is secure in the presence of malicious receivers (where security is "full security" according to the ideal/real simulation paradigm). This is achieved using the so-called cut-and-choose technique. That is, many oblivious transfer executions (using random inputs) are run, and the receiver is asked to present a defense for its behavior in half of them. If it indeed presents a good defense, then we are guaranteed that it behaved somewhat honestly in most of the executions. We stress that this step is novel, because the requirements on a protocol that is secure according to the ideal/real simulation paradigm are much stricter than when only privacy is guaranteed. Indeed, some efficient protocols for oblivious transfer from the literature [27, 1, 17] are private for both (malicious) parties, but are not fully secure for either party. Nevertheless, we are able to boost both the resilience of the protocol (from a defensible to a malicious adversary) and its security guarantee (from privacy to full simulation-based security). Next, we reverse the oblivious transfer protocol (i.e., by switching the sender and receiver roles) in order to obtain a protocol with reversed security properties. Specifically, this next protocol is secure in the presence of malicious senders and private in the presence of defensible receivers. At this point, we reapply our security boosting technique in order to obtain a protocol that is "fully secure"; that is, a protocol that is secure in the presence of malicious senders and receivers. See Table 1 for the series of oblivious transfer protocols that we construct. Needless to say, each protocol uses its subprotocol in a black-box way.
Finally, having constructed secure oblivious transfer protocols using only black-box access to primitives, it suffices to apply the well-known result of Kilian [18, 19] that shows that any functionality can be securely computed using black-box access to a secure oblivious transfer protocol. This therefore yields Theorem 1.1, as desired.

Related work. Recently, in [6], it was shown that it is possible to construct constant-round protocols for the setting of an honest majority, that use only black-box access to the assumed primitive. As we have mentioned, in the setting of an honest majority, it is possible to construct information-theoretically secure protocols (which are, by triviality, black-box). Nevertheless, there are no known (general) constant-round protocols for the information-theoretic setting, and so [6] relates to this issue. We remark that the techniques used in [6] and here are vastly different, due to the inherent differences between the setting of an honest majority and that of no honest majority.

Organization. Due to lack of space in this abstract, we present only brief sketches of the definitions and proofs. Complete details appear in the full version of the paper. We often write OT as shorthand for oblivious transfer.

2. DEFINITIONS

2.1 Preliminaries

We denote by $\langle P_1(1^n, x_1, \rho_1), P_2(1^n, x_2, \rho_2)\rangle$ the transcript of an execution between parties $P_1$ and $P_2$ with a security parameter $n$, where $P_i$ has input $x_i$ and random-tape $\rho_i$. For brevity, we will sometimes omit the security parameter $1^n$. The message sent by party $P_i$ (on the above inputs) after having received the series of incoming messages $\alpha$ is denoted by $P_i(x_i, \rho_i; \alpha)$. Stated otherwise, $P_i(x_i, \rho_i; \cdot)$ denotes the next message function of $P_i$. Let $t = \langle P_1(x_1, \rho_1), P_2(x_2, \rho_2)\rangle$. Then, denote the $l$th message sent by $P_i$ in $t$ by $\mathrm{sent}^{P_i}_l(t)$ and the first $l$ messages received by $P_i$ in $t$ by $\mathrm{received}^{P_i}_{1,\ldots,l}(t)$. We also denote the output of $P_i$ in an execution by $\mathrm{output}^{P_i}\langle P_1(x_1, \rho_1), P_2(x_2, \rho_2)\rangle$. In our presentation, we assume familiarity with the standard definitions of secure computation; see [13, Chapter 7] for a full treatment.
In this work, we consider malicious adversaries (i.e., adversaries that may arbitrarily deviate from the protocol specification), and static corruptions (meaning that the set of corrupted parties is fixed before the protocol execution begins). We use a non-uniform formulation of adversaries here and therefore, without loss of generality, assume that they are deterministic. However, this is not essential and all of our proofs hold for the uniform model of computation.

Black-box access to primitives. In this paper, we consider constructions of protocols that use only black-box access to an underlying primitive. This can be easily formalized by defining oracles that provide the functionality of the primitive. For example, a trapdoor permutation can be defined by an oracle that samples a function description along with a trapdoor, an oracle that is given the function description and samples a random value from the domain, an oracle that is given the function description and a point in the domain and computes the permutation, and an oracle that is given the trapdoor and a point in the domain and computes the permutation inverse. It is easy to see that our protocols rely on the underlying primitive in a black-box way. We will therefore not burden the presentation by formally defining these oracles. We remark that we also construct protocols that use subprotocols in a black-box way. This can be formalized by just looking at the input/output behavior of the protocol. We will not formalize this. It suffices for our result to note that if the subprotocol uses the underlying primitive in a black-box way, then the protocol (that uses the subprotocol) also uses the underlying primitive in a black-box way. Again, this is easy to verify for all of our protocols. In addition to using the underlying primitive in a black-box way, our proofs of security are also black-box. Therefore, our reductions are what are typically called fully black-box [29].

2.2 Defensible Adversarial Behavior

We introduce the notion of defensible adversarial behavior. Loosely speaking, an adversary that exhibits defensible behavior may arbitrarily deviate from the protocol specification. However, at the conclusion of the protocol execution, the adversary must be able to justify or defend its behavior by presenting an input and a random-tape such that the honest party (with this input and random-tape) would behave in the same way as the adversary did. A protocol is private under defensible adversarial behavior if it is private in the presence of such adversaries.
We stress that if an adversary behaves maliciously and cannot provide a good defense, then no security guarantees are given. We now define the notion of a good defense. Intuitively, a defense is an explanation of an adversary's behavior during the protocol execution. Such an explanation consists of an input and random-tape, and the defense is good if an honest party, given that input and random-tape, would have sent the same messages as the adversary did during the protocol execution. The formal definition follows.

Definition 2.1. (good defense for $t$): Let $t$ be the transcript of an execution of a protocol $\pi = (P_1, P_2)$ between an adversary $A$ (say, controlling $P_1$) and the honest party (say $P_2$). Then, we say that the pair $(x_1, \rho_1)$ constitutes a good defense by $A$ for $t$ in $\pi$, denoted $(x_1, \rho_1) = \mathrm{defense}^{\pi}_{A}(t)$, if for every $l$ it holds that $\mathrm{sent}^{A}_l(t) = P_1(x_1, \rho_1; \mathrm{received}^{A}_{1,\ldots,l-1}(t))$. In other words, every message sent by $A$ in the execution is such that the honest party $P_1$ with input $(x_1, \rho_1)$ would have sent the same message.

2.3 Security of OT Protocols

The starting point of our constructions is an oblivious transfer protocol [28, 8] that is private in the presence of a defensible receiver or sender. Recall that an oblivious transfer protocol involves a sender $S$ with two input strings $s_0$ and $s_1$, and a receiver $R$ with an input bit $r \in \{0, 1\}$. Very informally, an oblivious transfer protocol has the property that the sender learns nothing about the receiver's bit $r$ and the receiver obtains $s_r$, but learns nothing about $s_{1-r}$. (The variant of oblivious-transfer that we use here is usually referred to as 1-out-of-2 OT.) We begin by presenting the formal definition of oblivious transfer that is private in the presence of a defensible receiver and then proceed to define privacy in the presence of a defensible sender.

Non-trivial protocols. One technicality that must be dealt with is that a protocol that does nothing is trivially private in that it does not reveal anything about the parties' inputs. Of course, such a protocol is also useless.
In order to make sure that the oblivious transfer protocols that we construct are useful, we define the notion of a non-trivial oblivious transfer protocol. Such a protocol has the property that if both the sender and receiver are honest, then the receiver will receive its output as designated by the oblivious transfer functionality $f((s_0, s_1), r) = (\lambda, s_r)$ (where $\lambda$ denotes the empty output).

Privacy for random inputs in the presence of a defensible receiver. We now define privacy for defensible receivers. Recall that the receiver in an oblivious transfer protocol is supposed to obtain one of the pair $(s_0, s_1)$ in the execution. However, the other value must remain secret. When considering defensible adversaries, the requirement is that, as long as the adversary can provide a good defense, it can only learn one of the values. Recall that, by Definition 2.1, a party's defense includes its input (in this case, the bit $r$ of the receiver, meaning that it wishes to obtain the value $s_r$). We therefore require that a defensible receiver can learn nothing about $s_{1-r}$ when its defense contains the input value $r$. Due to technical reasons in our proofs later on, we define privacy only for the case that the sender's inputs are uniformly distributed bits. Fortunately, this will suffice for our constructions. We define an experiment for a protocol $\pi$ and an adversary $A$ modelled by a polynomial-size family of circuits $\{A_n\}_{n \in \mathbb{N}}$. Informally, the experiment begins by choosing a random pair of bits $(s_0, s_1)$ to be used for the sender's input. The adversary's aim is to guess the value of the input that it doesn't receive as output.

Experiment $\mathrm{Expt}^{\mathrm{rec}}_{\pi}(A_n)$:
1. Choose $s_0, s_1 \in_R \{0, 1\}$ uniformly at random.
2. Let $\rho_S$ be a uniformly distributed random tape for $S$ and let $t = \langle S(1^n, s_0, s_1, \rho_S), A_n\rangle$.
3. Let $((r, \rho_r), (\tau))$ be the output of $A_n(t)$. (The pair $(r, \rho_r)$ constitutes $A_n$'s defense and $\tau$ is its guess for $s_{1-r}$.)
4. Output 1 if and only if $(r, \rho_r)$ is a good defense by $A_n$ for $t$ in $\pi$, and $\tau = s_{1-r}$.
Notice that by $A$'s defense, it should have received $s_r$. The challenge of the adversary is therefore to guess the value of $s_{1-r}$; if it cannot do this, then the sender's privacy is preserved.

Definition 2.2. (privacy for random inputs in the presence of a defensible receiver): Let $\pi = (S, R)$ be a non-trivial oblivious transfer protocol. We say that $\pi$ is private for random inputs in the presence of a defensible receiver if for every polynomial-size family of circuits $A = \{A_n\}_{n \in \mathbb{N}}$ controlling $R$, for every polynomial $p(\cdot)$ and for all sufficiently large $n$'s
$$\Pr\left[\mathrm{Expt}^{\mathrm{rec}}_{\pi}(A_n) = 1\right] < \frac{1}{2} + \frac{1}{p(n)}.$$

Remark. The definition of $\mathrm{Expt}^{\mathrm{rec}}_{\pi}$ only considers the case that the inputs of the sender are uniformly distributed. We stress that this is a very weak definition. However, the reasons that we make this restriction are because (a) it suffices for our construction of fully secure oblivious transfer (see Protocol 4.1), and more importantly, (b) without this restriction we were unable to prove the privacy of Protocol 3.3 for defensible receivers (see Section 3.2). We stress that this restriction is not made when considering security in the presence of malicious parties.

Privacy in the presence of a defensible sender. In an oblivious transfer protocol, the sender is not supposed to learn anything about the receiver's input. When considering a defensible sender, this means that the sender should not be able to simultaneously present a good defense of its behavior and make a correct guess as to the value of the receiver's input. We stress that this privacy requirement only needs to hold when the sender outputs a good defense; in all other cases, there may be no privacy whatsoever. The exact definition is formulated in a similar way as above.

Security. The definitions above refer only to privacy, meaning that the adversary can learn nothing more about the honest party's input than what is revealed by the output. However, these definitions say nothing about the simulatability of the protocols in question. In particular, a protocol that is private by one of the above definitions may not be secure according to the real/ideal simulation paradigm (see [13, Chapter 7] for these definitions). When we mention security in this paper, we refer to security according to the ideal/real model paradigm.

3. PRIVACY FOR DEFENSIBLE SENDERS AND DEFENSIBLE RECEIVERS

In this section we show how to construct oblivious transfer protocols that are private for defensible senders and receivers. We present two protocols: one based on homomorphic encryption and one based on enhanced trapdoor permutations. Importantly, both protocols access the underlying primitive in a black-box way only.

3.1 Bit OT from Homomorphic Encryption

We assume the existence of a public-key encryption scheme $(G, E, D)$ that is indistinguishable under chosen-plaintext attacks and has the following homomorphic property:
1. The plaintext is taken from a finite Abelian group determined by the public key. For notational convenience, we assume here that the group is an additive group $\mathbb{Z}_q$; however, the same construction works for multiplicative groups as well.
2. Given any public-key $pk$ generated by the key generation algorithm $G$ and any two ciphertexts $c_1 = E_{pk}(m_1)$ and $c_2 = E_{pk}(m_2)$, it is possible to efficiently compute a random encryption of the sum $E_{pk}(m_1 + m_2)$. Consequently, it is also possible to efficiently compute $E_{pk}(\alpha \cdot m_1)$ for any known integer $\alpha$.

We also assume that $(G, E, D)$ has no decryption errors. Such encryption schemes can be constructed under the quadratic-residuosity, decisional Diffie-Hellman and other assumptions; see [1, 17] for some references. The following protocol is implicit in [22].

Protocol 3.1.
Inputs: The sender $S$ has a pair of bits $(s_0, s_1)$; the receiver $R$ has a bit $r$.
The protocol:
1. The receiver $R$ chooses a pair of keys $(pk, sk) \leftarrow G(1^n)$, computes $c = E_{pk}(r)$ and sends $c$ and $pk$ to $S$.
2. The sender $S$ uses the homomorphic property and its knowledge of $s_0$ and $s_1$ to compute a random encryption $c' = E_{pk}((1 - r)s_0 + r s_1)$.
3. $R$ computes and outputs $s_r = D_{sk}(c')$.

Before proving security, note that if $S$ and $R$ are both honest, then $R$ receives the correct output. For example, if $r = 0$, then $c' = E_{pk}(1 \cdot s_0 + 0 \cdot s_1) = E_{pk}(s_0)$ and so $R$ receives the correct value after decryption.

Claim 3.2. Assume that the encryption scheme $(G, E, D)$ is indistinguishable under chosen-plaintext attacks and has no decryption errors.
Then, Protocol 3.1 is a non-trivial oblivious transfer protocol that is private in the presence of defensible senders and private for random inputs in the presence of defensible receivers.

Privacy in the presence of a defensible (or even malicious) sender follows from the fact that the sender's view consists only of a single encryption under $E$, and this encryption is secure. Privacy with respect to a defensible receiver follows since the existence of a proper defense implies that $c$ is indeed an encryption of 0 or 1. This, in turn, guarantees that $c'$ is a random encryption of $s_r$. Hence, again, privacy follows from the security of $E$.

3.2 Bit OT from Enhanced Trapdoor Permutations

The following protocol is a modified version of [8] that is private in the presence of defensible adversaries. We stress that the original protocol of [8] is completely insecure in the presence of defensible adversaries. The construction uses any family of enhanced trapdoor permutations. Informally speaking, a family of trapdoor permutations is comprised of a function-sampling algorithm $I$, a domain-sampling algorithm $D_f$, an algorithm $F$ for computing the permutation and an algorithm $F^{-1}$ for inverting the permutation (given the trapdoor). Such a family is called enhanced if it is hard to invert a random value $y$ even when given the coins used by the domain-sampling algorithm to sample $y$. See [13, Appendix C.1 and Section 7.3] for a full definition. In the sequel, we will abuse notation and refer to the random coins used by $D_f$ as its input. We note that the enhanced property is used in all constructions of oblivious transfer from trapdoor permutations. Indeed it has been shown that black-box constructions of oblivious transfer from plain trapdoor permutations is impossible [9]. We will require that $I$ is errorless, meaning that for every series of random coins provided to $I$, the description of the function output is indeed a permutation. We call this errorless function sampling, or just errorless sampling. The protocol uses a perfectly binding commitment scheme $C$. We denote a commitment to $a$ using randomness $\rho$ by $C(a; \rho)$. For simplicity, we assume that in order to commit to a string $a$ of length $n$, it suffices to use a random string that is also of length $n$. Such a commitment scheme can be obtained using black-box access to any trapdoor permutation or homomorphic encryption scheme.

Protocol 3.3.
Inputs: The sender $S$ has a pair of random bits $(s_0, s_1)$; the receiver $R$ has a bit $r$.
Auxiliary information: The description of a family of (enhanced) trapdoor permutations $(I, D_f, F, F^{-1})$ and a hard-core bit $B$ for the family.
The protocol:
1. The receiver $R$ chooses $\rho_1, \rho \in_R \{0, 1\}^n$ and sends $c = C(\rho_1; \rho)$ to the sender $S$.
2. $S$ chooses a trapdoor permutation pair $(i, t) \leftarrow I(1^n)$ and a random $\rho_2 \in_R \{0, 1\}^n$, and sends $i$ and $\rho_2$ to $R$.
3. $R$ computes $y_{1-r} = D_f(\rho_1 \oplus \rho_2)$; i.e., $y_{1-r}$ is obtained by running the domain sampling algorithm with coins $\rho_1 \oplus \rho_2$. In addition, $R$ chooses $\rho' \in_R \{0, 1\}^n$, obtains $x_r = D_f(\rho')$ and computes $y_r = f_i(x_r)$. Finally, $R$ sends $(y_0, y_1)$ to $S$.
4. $S$ uses $t$ to compute $\sigma_0 = B(f_i^{-1}(y_0)) \oplus s_0$ and $\sigma_1 = B(f_i^{-1}(y_1)) \oplus s_1$. $S$ sends $(\sigma_0, \sigma_1)$ to $R$.
5. $R$ computes and outputs $s_r = B(x_r) \oplus \sigma_r$.

Note that the only difference between Protocol 3.3 and the protocol of [8] is that in [8], the value $y_{1-r}$ is chosen singlehandedly by the receiver, whereas here the value is chosen mutually using a (weak non-simulatable) coin-tossing protocol. (Indeed, in the protocol of [8] a cheating receiver can just choose a value $y_{1-r}$ for which it knows the preimage.
The receiver will then learn both $s_0$ and $s_1$. Note also that a defensible receiver can also easily cheat in the protocol of [8] because it can send any value $y_{1-r}$ and not the value that equals $D_f(\rho_1 \oplus \rho_2)$. In particular, it can send a value $y_{1-r}$ for which it knows its preimage $x_{1-r}$ under $f$, and can still claim in its defense that its coins are such that $y_{1-r}$ was sampled directly.)

Claim 3.4. Assume that $(I, D_f, F, F^{-1})$ is a family of enhanced one-way trapdoor permutations and that the scheme $C$ is perfectly binding and computationally hiding. Then, Protocol 3.3 is a non-trivial oblivious transfer protocol that is private in the presence of defensible receivers and private for random inputs in the presence of defensible senders.

Intuitively, a corrupted sender cannot guess the value of $r$ from $(y_0, y_1)$ because these values are identically distributed. This actually only holds as long as the function $f_i$ chosen by the sender is really a permutation from the family. (Otherwise, it may be possible to distinguish $y_r$, which is generated by computing $f_i(x_r)$, from $y_{1-r}$, which is randomly chosen from the domain.) The fact that the function is really a permutation is proven in the defense, and so if a good defense is provided, $y_r$ and $y_{1-r}$ are identically distributed. We therefore have that the only way a defensible sender can learn the value of $r$ is from the commitments. However, this involves distinguishing between $c = C(D_f^{-1}(y_0) \oplus \rho_2)$ and $c = C(D_f^{-1}(y_1) \oplus \rho_2)$, which is hard due to the hiding property of commitments. (Notice that $y_{1-r} = D_f(\rho_1 \oplus \rho_2)$ and so $c = C(\rho_1) = C(D_f^{-1}(y_{1-r}) \oplus \rho_2)$. Therefore, the problem of guessing $r$ reduces to the problem of distinguishing such commitments.) As for privacy in the presence of a defensible receiver $R^*$: intuitively, if $R^*$ behaves so that it can present a good defense, then it is unable to compute $B(f_i^{-1}(y_{1-r}))$ because it has no freedom in choosing $y_{1-r}$. That is, $R^*$ must choose $y_{1-r} = D_f(\rho_1 \oplus \rho_2)$ and so it cannot know the preimage $f_i^{-1}(y_{1-r})$. This implies that it can only learn the sender's bit $s_r$.

4. ACHIEVING SECURITY AGAINST A MALICIOUS RECEIVER

In this section we construct a bit oblivious transfer protocol that is secure in the presence of a malicious receiver and private in the presence of a defensible sender. We stress that the security achieved for malicious receivers is according to the ideal/real model definition of security for secure computation. Our construction uses black-box access to an oblivious transfer protocol that is private for defensible receivers and senders (like those constructed in the previous section). Thus, in this section we show how to boost the security guarantee from privacy in the presence of a defensible receiver to security in the presence of a malicious receiver. The guarantee regarding a corrupted sender remains unchanged.

Protocol 4.1.
Inputs: The sender $S$ has a pair of bits $(s_0, s_1)$; the receiver $R$ has a bit $r$.
The protocol:
1. The receiver $R$ chooses $2n$ uniformly distributed bits $r_1, \ldots, r_{2n} \in_R \{0, 1\}$.
2. The sender $S$ chooses $2n$ pairs of random bits $s_i^0, s_i^1 \in_R \{0, 1\}$ for $i = 1, \ldots, 2n$.
3. $S$ and $R$ run $2n$ parallel executions of a bit oblivious transfer protocol $\pi$ that is private in the presence of defensible receivers and defensible senders. In the $i$th execution, $S$ inputs $(s_i^0, s_i^1)$ and $R$ inputs $r_i$. Let $t_1, \ldots, t_{2n}$ be the transcripts that result from these executions.
4. $S$ and $R$ run a secure two-party coin-tossing protocol (that accesses a one-way function in a black-box way) for generating a random string of length $n$: $q = q_1, \ldots, q_n$.³ The string $q$ is used to define a set of indices $Q \subset \{1, \ldots, 2n\}$ of size $n$ in the following way: $Q = \{2i - q_i\}_{i=1}^{n}$. (Thus, for $n = 3$ and $q = 010$ we have that $Q = \{2, 3, 6\}$.)

³ Sequential executions of the coin-tossing protocol of [3] can be used. The security of this has been proven formally in [13].
5. For every $i \in Q$, the receiver $R$ provides a defense $(r_i, \rho_i)$.

6. $S$ checks that for every $i \in Q$, the pair $(r_i, \rho_i)$ constitutes a good defense by $R$ for $t_i$. If not, then $S$ aborts and halts. Otherwise, it continues to the next step.

7. For every $i \notin Q$, the receiver $R$ computes $\alpha_i = r_i \oplus r$ (where $r$ is $R$'s initial input) and sends $\{\alpha_i\}_{i \notin Q}$ to $S$.

8. $S$ computes $\sigma_0 = s_0 \oplus \bigoplus_{i \notin Q} s_i^{\alpha_i}$ and $\sigma_1 = s_1 \oplus \bigoplus_{i \notin Q} s_i^{1-\alpha_i}$, and sends $(\sigma_0, \sigma_1)$ to $R$.

9. $R$ computes and outputs $s_r = \sigma_r \oplus \bigoplus_{i \notin Q} s_i^{r_i}$.

We note that the sender's inputs to the executions of the oblivious transfer subprotocol $\pi$ in Protocol 4.1 are uniformly distributed. Therefore, it suffices to use Protocol 3.3, even though it has only been proven private for the case of uniformly distributed sender inputs. We stress that our proof below of Protocol 4.1 relies on the fact that the sender's inputs are single bits.$^4$

Claim 4.2. Assume that $\pi$ is a non-trivial oblivious transfer protocol that is private for random inputs in the presence of defensible senders and receivers. Then, Protocol 4.1 is a non-trivial oblivious transfer protocol that is secure in the presence of malicious receivers and private in the presence of defensible senders.

Proof Sketch: We first demonstrate the non-triviality property; that is, we show that if $S$ and $R$ are honest, then $R$ receives $s_r$, as required. To see this, first note that by the non-triviality of $\pi$, the receiver $R$ obtains all of the bits $s_i^{r_i}$, and in particular all $s_i^{r_i}$ for $i \notin Q$. Now, if $r = 0$, then $R$ sets $\alpha_i = r_i$ for every $i \notin Q$. Therefore, $R$ will compute $s_0 = \sigma_0 \oplus \bigoplus_{i \notin Q} s_i^{r_i} = \sigma_0 \oplus \bigoplus_{i \notin Q} s_i^{\alpha_i}$. This computation is correct because $S$ computed $\sigma_0 = s_0 \oplus \bigoplus_{i \notin Q} s_i^{\alpha_i}$. In contrast, if $r = 1$, then $\alpha_i = 1 \oplus r_i$ for every $i$, which is equivalent to $r_i = 1 \oplus \alpha_i$. Thus, once again, $R$'s computation of $\bigoplus_{i \notin Q} s_i^{r_i}$ when computing $s_1$ equals $S$'s computation of $\bigoplus_{i \notin Q} s_i^{1-\alpha_i}$ when computing $\sigma_1$, and $R$ will obtain $s_1$.

Privacy in the presence of defensible senders. We present only the idea behind the proof that Protocol 4.1 is private in the presence of a defensible sender $A$.
Intuitively, if protocol $\pi$ is private in the presence of a defensible sender, then a defensible adversary here cannot learn any of the $r_i$ values in the execution (apart from those explicitly revealed by $R$ when it provides its defenses). Therefore, the $\alpha_i = r_i \oplus r$ values that it receives reveal nothing of the receiver's input $r$, because for all $i \notin Q$, the value $r_i$ is not learned.

Security in the presence of malicious receivers. We present an almost full proof that Protocol 4.1 is secure in the presence of malicious receivers. The intuition behind this proof is that the cut-and-choose technique forces an adversarial receiver $A$ to be able to provide a good defense for most of the oblivious transfer executions (or be caught with high probability). In particular, there must be at least one $i \notin Q$ for which $A$ could have provided a good defense. This implies that there exists some $i$ for which $A$ cannot predict the value of $s_i^{1-r_i}$ with any non-negligible advantage. Since $s_{1-r}$ is masked by $s_i^{1-r_i}$, it follows that $A$ also learns nothing about $s_{1-r}$. We stress that the above intuition shows that a malicious $A$ cannot learn anything about $s_{1-r}$. However, we actually need to prove a much stronger claim, namely that the protocol is secure for a malicious $R$, as defined via the ideal/real model simulation paradigm. We present our analysis in the so-called hybrid model, where the honest parties use a trusted party to compute the coin-tossing functionality for them. We now describe the simulator $\mathrm{Sim}$ for $A = \{A_n\}$:

1. For each $i = 1, \ldots, 2n$, simulator $\mathrm{Sim}$ chooses random pairs $s_i^0, s_i^1 \in_R \{0,1\}$ and plays the honest sender in $\pi$ with these inputs, where $A_n$ plays the receiver.

2. $\mathrm{Sim}$ chooses a random string $q \in_R \{0,1\}^n$ and hands it to $A_n$ as if it is the output of the coin-tossing functionality, as sent by the trusted party. Let $Q$ be the index set derived from $q$. Upon receiving back pairs $(r_i, \rho_i)$ for $i \in Q$, simulator $\mathrm{Sim}$ checks that they all constitute good defenses, respectively. If not, then it aborts (just like the honest sender).

3. $\mathrm{Sim}$ rewinds $A_n$ to the beginning of the previous step and chooses a new random string $q'$ with associated index set $Q'$. (We stress that $q'$ is independent of $q$.) $\mathrm{Sim}$ hands $q'$ to $A_n$ and sees if it replies with pairs $(r_i, \rho_i)$ that are good defenses, for all $i \in Q'$. $\mathrm{Sim}$ repeats this process with a new $q'$ until $A_n$ indeed replies with pairs $(r_i, \rho_i)$ that are good defenses, for all $i \in Q'$. If $Q = Q'$, then $\mathrm{Sim}$ outputs fail. Otherwise it proceeds to the next step.

4. Given that $Q \neq Q'$ (and $|Q| = |Q'|$), there exists at least one index $i$ such that $i \notin Q'$ but $i \in Q$. For such an $i$, $\mathrm{Sim}$ computes $r = r_i \oplus \alpha_i$ and sends $r$ to the trusted party. (Note that $r_i$ is obtained from the defense $(r_i, \rho_i)$ that was received from $A_n$ after it was sent the query set $Q$. In contrast, $\alpha_i$ is the value received from $A_n$ after rewinding; i.e., when the query set was $Q'$.)

5. Upon receiving back a bit $s_r$ from the trusted party, $\mathrm{Sim}$ computes $\sigma_0$ and $\sigma_1$ as follows:
   (a) If $r = 0$, then $\sigma_0 = s_0 \oplus \bigoplus_{i \notin Q'} s_i^{\alpha_i}$ and $\sigma_1 \in_R \{0,1\}$.
   (b) If $r = 1$, then $\sigma_0 \in_R \{0,1\}$ and $\sigma_1 = s_1 \oplus \bigoplus_{i \notin Q'} s_i^{1-\alpha_i}$.
   $\mathrm{Sim}$ sends $(\sigma_0, \sigma_1)$ to $A_n$ and outputs whatever $A_n$ does.

We proceed to prove that the joint output of $\mathrm{Sim}$ and the honest sender $S$ in the ideal model is computationally indistinguishable from the joint output of $A_n$ and $S$ in the real model. Actually, since the honest $S$ has no output from the protocol, it suffices here to show that the output of $\mathrm{Sim}$ in the ideal model is computationally indistinguishable from the output of $A_n$ in the real model. We first claim that apart from the pair $(\sigma_0, \sigma_1)$, the view of $A_n$ in the simulation with

$^4$ This is due to our definition of oblivious transfer that is private for defensible adversaries. It is possible to define a stronger notion of defensible adversaries that is sufficient for proving that Protocol 4.1 is secure even when the sender's inputs are strings of an arbitrary length. However, we were not able to prove that Protocol 3.3 is private for defensible adversaries under this stronger notion (in contrast to Protocol 3.1, which can be proven secure under the stronger notion).
$\mathrm{Sim}$ is statistically close to its view in a real execution with $S$; the only difference being in the case that $\mathrm{Sim}$ outputs fail. This can be seen as follows: if $A_n$ does not send good defenses after receiving $q$, then $\mathrm{Sim}$ aborts, just as the honest $S$ would (and in this case the simulation is perfect). If $A_n$ does send good defenses, then $\mathrm{Sim}$ continues until it finds another (independent) $q'$ for which $A_n$ also replies with good defenses. It is not hard to see that this yields a distribution that is the same as in a real execution, except when $q = q'$, in which case $\mathrm{Sim}$ outputs fail. However, this event (that it provides good defenses on $q$ and then the next time that it provides good defenses is again on $q$) can happen with probability only $2^{-n}$. We therefore have that in the simulation by $\mathrm{Sim}$, the adversary $A_n$'s partial view up until the point that it receives $(\sigma_0, \sigma_1)$ is statistically close to its view in a real execution with $S$.

We now show that $A_n$'s full view is computationally indistinguishable. To do this, we consider a modified ideal-model simulator $\mathrm{Sim}'$ who receives the sender $S$'s input pair $(s_0, s_1)$. Simulator $\mathrm{Sim}'$ works in exactly the same way as $\mathrm{Sim}$, except that it computes $\sigma_{1-r}$ as an honest sender would instead of choosing it uniformly. By the above argument, it follows that the distribution generated by $\mathrm{Sim}'$ in the ideal model is statistically close to the distribution generated by a real execution between $S$ and $A_n$. (Recall that $\mathrm{Sim}$ already generates $\sigma_r$ in the same way as an honest $S$, and therefore so does $\mathrm{Sim}'$.) It remains to show that the distribution generated by $\mathrm{Sim}$ is computationally indistinguishable from that generated by $\mathrm{Sim}'$. The only difference between $\mathrm{Sim}$ and $\mathrm{Sim}'$ is in the generation of $\sigma_{1-r}$: simulator $\mathrm{Sim}'$ generates it honestly, whereas $\mathrm{Sim}$ chooses it uniformly. As mentioned above, intuitively, indistinguishability follows from the fact that at least one $s_i^{1-r_i}$ masks the value of $s_{1-r}$. Formally, we show that if this fake $\sigma_{1-r}$ can be distinguished from a real one, then we can construct a defensible receiver $\tilde{A}_n$ that can break the oblivious transfer protocol $\pi$.
That is, we show that if the outputs generated by $\mathrm{Sim}$ and $\mathrm{Sim}'$ can be distinguished with non-negligible probability, then it is possible for a defensible adversary $\tilde{A}_n$ to succeed in the experiment of Definition 2.2 with non-negligible advantage, with respect to the subprotocol $\pi$. Assume by contradiction that there exists a distinguisher $D$, a polynomial $p(\cdot)$ and infinitely many $n$'s such that
$$\bigl|\Pr[D(\mathrm{output}_{\mathrm{Sim}}) = 1] - \Pr[D(\mathrm{output}_{\mathrm{Sim}'}) = 1]\bigr| \geq \frac{1}{p(n)}.$$
Without loss of generality, assume that
$$\Pr[D(\mathrm{output}_{\mathrm{Sim}}) = 1] - \Pr[D(\mathrm{output}_{\mathrm{Sim}'}) = 1] \geq \frac{1}{p(n)}. \qquad (1)$$

We now use the above to construct a defensible adversary $\tilde{A} = \{\tilde{A}_n\}$. Adversary $\tilde{A}_n$ begins its attack by starting the simulation of Protocol 4.1, according to $\mathrm{Sim}$'s strategy. Specifically, $\tilde{A}_n$ chooses $s_0, s_1 \in_R \{0,1\}$ and runs the simulation strategy of $\mathrm{Sim}$ with $A_n$ up until the point where $\sigma_0$ and $\sigma_1$ are sent. The simulation is the same as $\mathrm{Sim}$, except for the following difference: $\tilde{A}_n$ begins by choosing $i \in_R \{1, \ldots, 2n\}$ and internally invokes $A_n$, simulating an execution of Protocol 4.1. Then, all of the oblivious transfer subexecutions of $\pi$, except for the $i$th one, are run internally with $\tilde{A}_n$ playing the honest sender ($\tilde{A}_n$ also chooses the $s_j^0$ and $s_j^1$ values as $S$ would); in contrast, the messages of the $i$th execution of the oblivious transfer protocol $\pi$ are forwarded between $\tilde{A}_n$'s external sender and the internal $A_n$ playing the receiver. Following the oblivious transfer executions, $\tilde{A}_n$ runs the honest sender in the coin-tossing protocol to generate $q$ and thus $Q$ as required. If $i \notin Q$, then $\tilde{A}_n$ outputs fail and halts. Otherwise, $\tilde{A}_n$ receives back the defenses; since $i \in Q$, the $i$th defense is included. If $(r_i, \rho_i)$ is not a good defense, then $\tilde{A}_n$ outputs fail and halts. Otherwise, it stores $(r_i, \rho_i)$ and continues like $\mathrm{Sim}$ by rewinding $A_n$ and generating a new $q'$ and $Q'$. If $i \in Q'$, then once again $\tilde{A}_n$ outputs fail and halts. Otherwise, it continues like $\mathrm{Sim}$ (using the $i$ chosen above, for which it is given that $i \in Q$ and $i \notin Q'$). $\tilde{A}_n$ continues in the same way that $\mathrm{Sim}$ does up until (but not including) the point at which $(\sigma_0, \sigma_1)$ must be sent. Now, $\tilde{A}_n$ computes $(\sigma_0, \sigma_1)$ as follows. First, note that $\tilde{A}_n$ knows the values $(s_0, s_1)$ and $s_j^0, s_j^1$ for all $j \neq i$ (because it chose them). However, the values $s_i^0$ and $s_i^1$ are not known to $\tilde{A}_n$ because these are the values used by the external sender with whom it interacts. Nevertheless, the (good) defense provided by $A_n$ is enough to obtain the value $s_i^{r_i}$. This holds because given the transcript of the $i$th oblivious transfer execution and the input and random-tape of the receiver, it is possible to derive $s_i^{r_i}$. The only value unknown to $\tilde{A}_n$ is therefore $s_i^{1-r_i}$. Therefore, $\tilde{A}_n$ is able to compute $\sigma_r$ like the honest sender. In contrast, it cannot honestly compute $\sigma_{1-r}$. Rather, $\tilde{A}_n$ guesses the value of $s_i^{1-r_i}$ randomly, choosing $\hat{s}_i^{1-r_i} \in_R \{0,1\}$, and then computes $\sigma_{1-r}$ using $s_{1-r}$, all of the $s$ values that it knows (i.e., all apart from $s_i^{1-r_i}$), and the uniformly chosen $\hat{s}_i^{1-r_i}$. In order to determine its output, $\tilde{A}_n$ obtains the output of $A_n$ and runs the distinguisher $D$ (from Eq. (1)) on this output; let $b$ be the bit output by $D$. Then, $\tilde{A}_n$ sets $\tau = \hat{s}_i^{1-r_i} \oplus b$. (Recall that $\tau$ is $\tilde{A}_n$'s guess for the not-received bit used by the honest sender. The motivation for this guess is that by Eq. (1), $D$ outputs 1 with higher probability on $\mathrm{Sim}$ (when the bit is random) than on $\mathrm{Sim}'$ (when the bit is correct). Thus, when $D$ outputs 1, we flip $\tilde{A}_n$'s guess for $s_i^{1-r_i}$.) Finally, $\tilde{A}_n$ outputs the defense $(r_i, \rho_i)$ from above and the bit $\tau$.

We proceed to analyze the probability that $\tilde{A}_n$ succeeds in $\mathrm{Expt}^{\mathrm{rec}}_\pi$. First, note that unless $\tilde{A}_n$ outputs fail, the view of $A_n$ when interacting with $\tilde{A}_n$ above is identical to its view in the simulation by $\mathrm{Sim}$. This is due to the fact that $\tilde{A}_n$ follows $\mathrm{Sim}$'s strategy, except for two differences. The first difference is that the $i$th execution of the oblivious transfer protocol $\pi$ is run externally. However, since $\mathrm{Sim}$ plays the role of an honest sender in all of the executions, this makes no difference to $A_n$'s view. The second difference is in how $\sigma_{1-r}$ is computed: $\mathrm{Sim}$ chooses it uniformly, whereas $\tilde{A}_n$ computes it as described above. Clearly, the distribution generated is the same because $\tilde{A}_n$ uses a uniformly distributed $\hat{s}_i^{1-r_i}$, and thus $\sigma_{1-r}$ is also uniformly distributed. Now, denote the inputs of the honest sender that $\tilde{A}_n$ interacts with by $(\tilde{s}_i^0, \tilde{s}_i^1)$.
Using the facts that (a) $\tilde{A}_n$ generates the exact same distribution as $\mathrm{Sim}$, (b) $\tilde{A}_n$ sets $\tau = \hat{s}_i^{1-r_i} \oplus b$ (where $b$ is $D$'s output bit), and (c) $\tilde{A}_n$ presents a good defense every time that it does not output fail, we have that
$$\Pr\bigl[\mathrm{Expt}^{\mathrm{rec}}_\pi(\tilde{A}_n) = 1 \,\big|\, \mathrm{output}_{\tilde{A}_n} \neq \mathrm{fail}\bigr] = \Pr\bigl[D(\mathrm{output}_{\mathrm{Sim}}) \oplus \hat{s}_i^{1-r_i} = \tilde{s}_i^{1-r_i}\bigr]. \qquad (2)$$
(Recall that $\mathrm{Expt}^{\mathrm{rec}}_\pi(\tilde{A}_n) = 1$ if $\tilde{A}_n$ presents a good defense and $\tau = \tilde{s}_i^{1-r_i}$.) In contrast to the above, conditioned on the event that $\hat{s}_i^{1-r_i} = \tilde{s}_i^{1-r_i}$ (i.e., the event that $\tilde{A}_n$ guessed correctly), the result is an execution that is distributed exactly according to $\mathrm{Sim}'$. (Recall that the only difference between $\mathrm{Sim}$ and $\mathrm{Sim}'$ is with respect to the computation of $\sigma_{1-r}$.) That is, writing $\hat{s}$ and $\tilde{s}$ for $\hat{s}_i^{1-r_i}$ and $\tilde{s}_i^{1-r_i}$,
$$\Pr\bigl[D(\mathrm{output}_{\mathrm{Sim}}) \oplus \hat{s} = \tilde{s} \,\big|\, \hat{s} = \tilde{s}\bigr] = \Pr\bigl[D(\mathrm{output}_{\mathrm{Sim}'}) \oplus \hat{s} = \tilde{s} \,\big|\, \hat{s} = \tilde{s}\bigr] = \Pr[D(\mathrm{output}_{\mathrm{Sim}'}) = 0],$$
where the last equality is just due to the fact that $\hat{s} = \tilde{s}$. Now, recalling that $\hat{s}$ is chosen uniformly by $\tilde{A}_n$ (and so equals $\tilde{s}$ with probability exactly $1/2$), we have:
$$\begin{aligned}
\Pr\bigl[D(\mathrm{output}_{\mathrm{Sim}}) \oplus \hat{s} = \tilde{s}\bigr]
&= \tfrac{1}{2}\Pr\bigl[D(\mathrm{output}_{\mathrm{Sim}}) \oplus \hat{s} = \tilde{s} \,\big|\, \hat{s} = \tilde{s}\bigr] + \tfrac{1}{2}\Pr\bigl[D(\mathrm{output}_{\mathrm{Sim}}) \oplus \hat{s} = \tilde{s} \,\big|\, \hat{s} \neq \tilde{s}\bigr] \\
&= \tfrac{1}{2}\Pr[D(\mathrm{output}_{\mathrm{Sim}'}) = 0] + \tfrac{1}{2}\Pr\bigl[D(\mathrm{output}_{\mathrm{Sim}}) = 1 \,\big|\, \hat{s} \neq \tilde{s}\bigr] \\
&= \tfrac{1}{2}\bigl(1 - \Pr[D(\mathrm{output}_{\mathrm{Sim}'}) = 1]\bigr) + \tfrac{1}{2}\Pr\bigl[D(\mathrm{output}_{\mathrm{Sim}}) = 1 \,\big|\, \hat{s} \neq \tilde{s}\bigr] \\
&= \tfrac{1}{2} + \tfrac{1}{2}\Pr\bigl[D(\mathrm{output}_{\mathrm{Sim}}) = 1 \,\big|\, \hat{s} \neq \tilde{s}\bigr] - \tfrac{1}{2}\Pr[D(\mathrm{output}_{\mathrm{Sim}'}) = 1].
\end{aligned}$$
Recalling again that when $\hat{s} = \tilde{s}$ the output of $\mathrm{Sim}$ is the same as $\mathrm{Sim}'$, so that $\Pr[D(\mathrm{output}_{\mathrm{Sim}}) = 1 \wedge \hat{s} = \tilde{s}] = \tfrac{1}{2}\Pr[D(\mathrm{output}_{\mathrm{Sim}'}) = 1]$, we have that
$$\begin{aligned}
\tfrac{1}{2}\Pr\bigl[D(\mathrm{output}_{\mathrm{Sim}}) = 1 \,\big|\, \hat{s} \neq \tilde{s}\bigr] - \tfrac{1}{2}\Pr[D(\mathrm{output}_{\mathrm{Sim}'}) = 1]
&= \Pr\bigl[D(\mathrm{output}_{\mathrm{Sim}}) = 1 \wedge \hat{s} \neq \tilde{s}\bigr] - \tfrac{1}{2}\Pr[D(\mathrm{output}_{\mathrm{Sim}'}) = 1] \\
&= \Pr\bigl[D(\mathrm{output}_{\mathrm{Sim}}) = 1 \wedge \hat{s} \neq \tilde{s}\bigr] + \Pr\bigl[D(\mathrm{output}_{\mathrm{Sim}}) = 1 \wedge \hat{s} = \tilde{s}\bigr] - \Pr[D(\mathrm{output}_{\mathrm{Sim}'}) = 1] \\
&= \Pr[D(\mathrm{output}_{\mathrm{Sim}}) = 1] - \Pr[D(\mathrm{output}_{\mathrm{Sim}'}) = 1],
\end{aligned}$$
and therefore
$$\Pr\bigl[D(\mathrm{output}_{\mathrm{Sim}}) \oplus \hat{s} = \tilde{s}\bigr] = \tfrac{1}{2} + \Pr[D(\mathrm{output}_{\mathrm{Sim}}) = 1] - \Pr[D(\mathrm{output}_{\mathrm{Sim}'}) = 1].$$
Combining the above with Equations (1) and (2), we have that for infinitely many $n$'s
$$\Pr\bigl[\mathrm{Expt}^{\mathrm{rec}}_\pi(\tilde{A}_n) = 1 \,\big|\, \mathrm{output}_{\tilde{A}_n} \neq \mathrm{fail}\bigr] = \Pr\bigl[D(\mathrm{output}_{\mathrm{Sim}}) \oplus \hat{s} = \tilde{s}\bigr] \geq \frac{1}{2} + \frac{1}{p(n)}.$$
Recall now that $\tilde{A}_n$ outputs fail if $A_n$ does not output a good defense, if $i \notin Q$, or if $i \in Q'$. We first claim that $A_n$ must output a good defense with non-negligible probability. This follows simply from the fact that when $A_n$ does not output a good defense, the execution is truncated and the distributions generated by $\mathrm{Sim}$ and $\mathrm{Sim}'$ are identical. Therefore, Eq. (1) implies that for infinitely many $n$'s, $A_n$ outputs a good defense with probability at least $1/p(n)$. Next, recall that $\tilde{A}_n$ chooses the sets $Q$ and $Q'$ randomly (under the constraints prescribed in the protocol). Thus, with probability exactly $1/4$, $i \in Q$ and $i \notin Q'$ (because the probability that a given $i$ is in a specified set is exactly $1/2$). We conclude that with non-negligible probability, $\tilde{A}_n$ does not output fail, and thus $\Pr[\mathrm{Expt}^{\mathrm{rec}}_\pi(\tilde{A}_n) = 1]$ is non-negligible.

It remains to show that $\mathrm{Sim}$ runs in expected polynomial time. Aside from the rewinding stage, all work takes a fixed polynomial amount of time. Regarding the rewinding stage, we have the following. Let $p$ denote the probability that $A_n$ replies correctly upon a random set of indices $Q$ of size $n$, as specified in the protocol. Then, given that $A_n$ replied correctly to the initial query set $Q$, the expected number of rewinding attempts with independent $Q'$ made by $\mathrm{Sim}$ equals $1/p$. Since these rewinding attempts are only made if $A_n$ replied correctly to the initial query set $Q$, we have that the expected number of attempts overall equals $p \cdot 1/p = 1$. This completes the proof.

5. MALICIOUS SENDERS AND DEFENSIBLE RECEIVERS

In this section, we reverse the oblivious transfer protocol of Protocol 4.1 to obtain a protocol that is secure in the presence of a malicious sender and private for random inputs in the presence of a defensible receiver. We use the construction of [31] for reversing Protocol 4.1. The protocol is as follows:

Protocol 5.1 (reversing oblivious transfer):

Inputs: The sender $S$ has a pair of bits $(s_0, s_1)$ for input and the receiver $R$ has a bit $r$.

The protocol:

1. The sender and receiver run an oblivious transfer protocol $\pi$ that is secure in the presence of a malicious receiver and private in the presence of a defensible sender:
   (a) The sender $S$, playing the receiver in $\pi$, inputs $r' = s_0 \oplus s_1$.
   (b) The receiver $R$, playing the sender in $\pi$, chooses a random bit $\rho \in_R \{0,1\}$ and inputs $s'_0 = \rho$ and $s'_1 = \rho \oplus r$.
   Denote $S$'s output from $\pi$ by $a$.

2. $S$ sends $R$ the bit $\alpha = s_0 \oplus a$.

3. $R$ outputs $s_r = \rho \oplus \alpha$.

The security of Protocol 5.1 can be easily proven as an information-theoretic reduction, or when the original oblivious transfer protocol is fully secure. In contrast, it is far more subtle in the setting where only privacy in the presence of a defensible sender is assumed. Nevertheless, we do obtain the following claim:

Claim 5.2. If $\pi$ is a non-trivial oblivious transfer protocol that is secure in the presence of a malicious receiver and private in the presence of a defensible sender, then Protocol 5.1 is a non-trivial oblivious transfer protocol that is secure in the presence of a malicious sender and private for random inputs in the presence of a defensible receiver.
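The following is an added example, not code from the paper: it runs Protocol 4.1 (steps 1 through 9, with honest $S$ and $R$) and Protocol 5.1 (the reversal), and then composes 5.1 over 4.1 as this section does, checking the non-triviality property for every input combination. The bit-OT subprotocol $\pi$ is replaced by a toy stand-in (an assumption of this example) whose transcript is a hash of the receiver's input and coins, so that the sender's "good defense" check of step 6 becomes a concrete recomputation; the coin-tossing string $q$ is sampled directly rather than tossed interactively. The function names (`toy_pi`, `good_defense`, `index_set`, `protocol_41`, `protocol_51`, `exhaustive_check`) are this example's own.

```python
"""Protocols 4.1 and 5.1 as honest-party simulations (added example, not the
paper's code).  The subprotocol pi is a toy stand-in, an assumption here."""
import hashlib
import secrets
from typing import Callable, List, Set, Tuple

Pair = Tuple[int, int]
BitOT = Callable[[Pair, int], int]   # ((s_0, s_1), r) -> s_r


# Toy stand-in for pi (assumption): the receiver's only message is a hash of
# (r_i, rho_i); the chosen bit is delivered as if by a trusted party.  This
# keeps the one property Protocol 4.1 needs: a defense (r_i, rho_i) can be
# checked against transcript t_i by re-running the honest receiver.
def toy_pi(sender_bits: Pair, r_i: int, rho_i: bytes) -> Tuple[int, bytes]:
    t_i = hashlib.sha256(bytes([r_i]) + rho_i).digest()
    return sender_bits[r_i], t_i


def good_defense(t_i: bytes, r_i: int, rho_i: bytes) -> bool:
    """A defense is good if the honest receiver on (r_i, rho_i) yields t_i."""
    return hashlib.sha256(bytes([r_i]) + rho_i).digest() == t_i


def index_set(q: List[int]) -> Set[int]:
    """Step 4: Q = {2i - q_i}_{i=1..n}, one index out of each pair (2i-1, 2i)."""
    return {2 * i - q_i for i, q_i in enumerate(q, start=1)}


def protocol_41(sender_bits: Pair, r: int, n: int) -> int:
    """Protocol 4.1 with honest S = (s_0, s_1) and honest R = r; returns R's output."""
    s_0, s_1 = sender_bits
    m = 2 * n
    # Step 1: R's 2n selection bits, plus the coins R uses in each pi execution.
    rs = [secrets.randbelow(2) for _ in range(m)]
    rhos = [secrets.token_bytes(16) for _ in range(m)]
    # Step 2: S's 2n random pairs (s_i^0, s_i^1).
    pairs = [(secrets.randbelow(2), secrets.randbelow(2)) for _ in range(m)]
    # Step 3: 2n executions of pi; R learns s_i^{r_i}, S keeps the transcript t_i.
    received, transcripts = [], []
    for i in range(m):
        out, t_i = toy_pi(pairs[i], rs[i], rhos[i])
        received.append(out)
        transcripts.append(t_i)
    # Step 4: q (sampled directly here instead of coin tossing) defines Q.
    q = [secrets.randbelow(2) for _ in range(n)]
    Q = index_set(q)
    # Steps 5-6: R opens (r_i, rho_i) for i in Q; S aborts on any bad defense.
    for i in Q:
        if not good_defense(transcripts[i - 1], rs[i - 1], rhos[i - 1]):
            raise RuntimeError("bad defense for execution %d: S aborts" % i)
    # Step 7: alpha_i = r_i xor r for every unopened i.
    unopened = [i for i in range(1, m + 1) if i not in Q]
    alpha = {i: rs[i - 1] ^ r for i in unopened}
    # Step 8: sigma_0 = s_0 xor (+) s_i^{alpha_i}; sigma_1 = s_1 xor (+) s_i^{1-alpha_i}.
    sigma_0, sigma_1 = s_0, s_1
    for i in unopened:
        sigma_0 ^= pairs[i - 1][alpha[i]]
        sigma_1 ^= pairs[i - 1][1 - alpha[i]]
    # Step 9: s_r = sigma_r xor (+) s_i^{r_i} over the unopened i.
    out = sigma_0 if r == 0 else sigma_1
    for i in unopened:
        out ^= received[i - 1]
    return out


def protocol_51(pi: BitOT, sender_bits: Pair, r: int) -> int:
    """Protocol 5.1: the roles in pi are swapped; returns R's output s_r."""
    s_0, s_1 = sender_bits
    rho = secrets.randbelow(2)
    # Step 1: S (as pi-receiver) inputs r' = s_0 xor s_1; R (as pi-sender)
    #         inputs (rho, rho xor r).  S obtains a = rho xor r*(s_0 xor s_1).
    a = pi((rho, rho ^ r), s_0 ^ s_1)
    # Step 2: S sends alpha = s_0 xor a.
    alpha = s_0 ^ a
    # Step 3: R outputs rho xor alpha = s_0 xor r*(s_0 xor s_1) = s_r.
    return rho ^ alpha


def exhaustive_check(n: int = 8) -> bool:
    """Non-triviality of 4.1, of 5.1 over an ideal OT, and of 5.1 over 4.1."""
    ideal_ot: BitOT = lambda bits, r: bits[r]
    boosted: BitOT = lambda bits, r: protocol_41(bits, r, n)
    for s_0 in (0, 1):
        for s_1 in (0, 1):
            for r in (0, 1):
                want = (s_0, s_1)[r]
                if protocol_41((s_0, s_1), r, n) != want:
                    return False
                if protocol_51(ideal_ot, (s_0, s_1), r) != want:
                    return False
                if protocol_51(boosted, (s_0, s_1), r) != want:
                    return False
    return True
```

Two things the code makes visible that the step list does not: `index_set` picks exactly one index from each pair $(2i-1, 2i)$, so a given execution lands in $Q$ with probability exactly $1/2$ (the source of the $1/4$ figure in the proof for $i \in Q$ and $i \notin Q'$ under independent $Q$, $Q'$), and an execution for which a receiver cannot produce a consistent $(r_i, \rho_i)$ is caught by `good_defense` precisely when its index falls in $Q$, while every unopened execution contributes a mask $s_i^{1-\alpha_i}$ to $\sigma_{1-r}$.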
6. FULLY-SECURE BIT OT

In this section, we use the construction of Protocol 4.1 again in order to boost the security of Protocol 5.1 so that it is secure in the presence of both a malicious sender and a malicious receiver; we call such a protocol fully secure to stress that it is secure in the face of any corruption. By Claim 4.2, we have that Protocol 4.1 boosts the security of any oblivious transfer protocol that is private for defensible receivers into one that is secure in the presence of malicious receivers. We can therefore use Protocol 4.1 to boost the security of Protocol 5.1 so that the result is a protocol that is secure in the presence of malicious receivers. This does not suffice, however, because we must show that if the subprotocol used in Protocol 4.1 is secure in the presence of malicious senders, then the result is still secure in the presence of malicious senders. (Claim 4.2 considers only privacy for defensible senders.) This is actually easy to show, and is omitted here due to lack of space.

Theorem 6.1. Assume that there exists a non-trivial bit oblivious transfer protocol $\pi$ that is secure in the presence of malicious senders and private for random inputs in the presence of defensible receivers. Then, Protocol 4.1, instantiated using this $\pi$, is a non-trivial bit oblivious transfer protocol that is secure in the presence of malicious receivers and senders.

Black-box construction of oblivious transfer. Noting that perfectly-binding commitment schemes (as used in Protocol 3.3) can be constructed using black-box access to homomorphic encryption or enhanced trapdoor permutations, and combining Protocols 3.1 and 3.3 with Protocol 4.1, followed by Protocol 5.1 and the construction in Theorem 6.1, we obtain secure bit oblivious transfer with black-box access to a homomorphic encryption scheme or a family of enhanced trapdoor permutations.

7. BLACK-BOX SECURE COMPUTATION

Kilian [18] showed that any function can be securely computed given black-box access to a bit oblivious transfer functionality. We therefore have the following theorem, which constitutes our main result:

Theorem 7.1.
Assume that there exist homomorphic encryption schemes with errorless decryption or families of enhanced trapdoor permutations. Then, for any probabilistic polynomial-time functionality $f$ there exists a protocol that uses only black-box access to a homomorphic encryption scheme or to a family of enhanced trapdoor permutations, and securely computes $f$ with any number of corrupted parties and in the presence of a static malicious adversary.

We remark that, as is standard for the setting of no honest majority, the security guarantee achieved here is that of "security with abort"; see [13, Chapter 7] for formal definitions.

8. REFERENCES

[1] W. Aiello, Y. Ishai and O. Reingold. Priced Oblivious Transfer: How to Sell Digital Goods. In EUROCRYPT 2001, Springer-Verlag (LNCS 2045).
[2] M. Ben-Or, S. Goldwasser and A. Wigderson. Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation. In 20th STOC, pages 1-10.
[3] M. Blum. Coin Flipping by Phone. In IEEE Spring COMPCON.
[4] R. Canetti. Security and Composition of Multiparty Cryptographic Protocols. Journal of Cryptology, 13(1).
[5] D. Chaum, C. Crépeau and I. Damgård. Multi-party Unconditionally Secure Protocols. In 20th STOC, pages 11-19.
[6] I. Damgård and Y. Ishai. Constant-Round Multiparty Computation Using a Black-Box Pseudorandom Generator. In CRYPTO 2005, Springer-Verlag (LNCS 3621).
[7] D. Dolev, C. Dwork and M. Naor. Non-Malleable Cryptography. SIAM Journal on Computing, 30(2).
[8] S. Even, O. Goldreich and A. Lempel. A Randomized Protocol for Signing Contracts. Communications of the ACM, 28(6).
[9] R. Gennaro, Y. Lindell and T. Malkin. Enhanced versus Plain Trapdoor Permutations for Non-Interactive Zero-Knowledge and Oblivious Transfer. Manuscript in preparation.
[10] R. Gennaro and L. Trevisan. Lower Bounds on the Efficiency of Generic Cryptographic Constructions. In 41st FOCS.
[11] Y. Gertner, S. Kannan, T. Malkin, O. Reingold and M. Viswanathan. The Relationship between Public Key Encryption and Oblivious Transfer. In 41st FOCS.
[12] Y. Gertner, T. Malkin and O. Reingold. On the Impossibility of Basing Trapdoor Functions on Trapdoor Predicates. In 42nd FOCS.
[13] O. Goldreich. Foundations of Cryptography: Volume 2, Basic Applications. Cambridge University Press.
[14] O. Goldreich, S. Micali and A. Wigderson. Proofs that Yield Nothing but their Validity or All Languages in NP Have Zero-Knowledge Proof Systems. Journal of the ACM, 38(1).
[15] O. Goldreich, S. Micali and A. Wigderson. How to Play any Mental Game: A Completeness Theorem for Protocols with Honest Majority. In 19th STOC.
[16] R. Impagliazzo and S. Rudich. Limits on the Provable Consequences of One-way Permutations. In CRYPTO 88, Springer-Verlag (LNCS 403), pages 8-26.
[17] Y.T. Kalai. Smooth Projective Hashing and Two-Message Oblivious Transfer. In EUROCRYPT 2005, Springer-Verlag (LNCS 3494), pages 78-95.
[18] J. Kilian. Founding Cryptography on Oblivious Transfer. In 20th STOC, pages 20-31.
[19] J. Kilian. Uses of Randomness in Algorithms and Protocols. MIT Press.
[20] J. Kilian. Improved Efficient Arguments. In CRYPTO 95, Springer-Verlag (LNCS 963).
[21] J.H. Kim, D.R. Simon and P. Tetali. Limits on the Efficiency of One-Way Permutation-Based Hash Functions. In 40th FOCS.
[22] E. Kushilevitz and R. Ostrovsky. Replication Is Not Needed: Single Database, Computationally-Private Information Retrieval. In 38th FOCS.
[23] Y. Lindell. A Simpler Construction of CCA2-Secure Public-Key Encryption Under General Assumptions. In EUROCRYPT 2003, Springer-Verlag (LNCS 2656).
[24] T. Malkin and O. Reingold. Personal communication.
[25] S. Micali. Computationally Sound Proofs. SIAM Journal on Computing, 30(4).
[26] M. Naor and K. Nissim. Communication Preserving Protocols for Secure Function Evaluation. In 33rd STOC.
[27] M. Naor and B. Pinkas. Efficient Oblivious Transfer Protocols. In 12th SODA.
[28] M. Rabin. How to Exchange Secrets by Oblivious Transfer. Tech. Memo TR-81, Harvard University.
[29] O. Reingold, L. Trevisan and S. Vadhan. Notions of Reducibility between Cryptographic Primitives. In 1st TCC, pages 1-20.
[30] A. Sahai. Non-Malleable Non-Interactive Zero-Knowledge and Adaptive Chosen-Ciphertext Security. In 40th FOCS.
[31] S. Wolf and J. Wullschleger. Oblivious Transfer Is Symmetric. To appear in EUROCRYPT. Appears at Cryptology ePrint Archive, Report 2004/336.
[32] A. Yao. How to Generate and Exchange Secrets. In 27th FOCS.

More information

Foundations of Arithmetic

Foundations of Arithmetic Foundatons of Arthmetc Notaton We shall denote the sum and product of numbers n the usual notaton as a 2 + a 2 + a 3 + + a = a, a 1 a 2 a 3 a = a The notaton a b means a dvdes b,.e. ac = b where c s an

More information

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard

More information

Difference Equations

Difference Equations Dfference Equatons c Jan Vrbk 1 Bascs Suppose a sequence of numbers, say a 0,a 1,a,a 3,... s defned by a certan general relatonshp between, say, three consecutve values of the sequence, e.g. a + +3a +1

More information

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4)

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4) I. Classcal Assumptons Econ7 Appled Econometrcs Topc 3: Classcal Model (Studenmund, Chapter 4) We have defned OLS and studed some algebrac propertes of OLS. In ths topc we wll study statstcal propertes

More information

Computationally Private Randomizing Polynomials and Their Applications

Computationally Private Randomizing Polynomials and Their Applications Computatonally Prvate Randomzng Polynomals and Ther Applcatons Benny Applebaum Yuval Isha Eyal Kushlevtz Computer Scence Department, Technon {abenny,yuval,eyalk}@cs.technon.ac.l March 5, 2006 Abstract

More information

6.842 Randomness and Computation February 18, Lecture 4

6.842 Randomness and Computation February 18, Lecture 4 6.842 Randomness and Computaton February 18, 2014 Lecture 4 Lecturer: Rontt Rubnfeld Scrbe: Amartya Shankha Bswas Topcs 2-Pont Samplng Interactve Proofs Publc cons vs Prvate cons 1 Two Pont Samplng 1.1

More information

5 The Laplace Equation in a convex polygon

5 The Laplace Equation in a convex polygon 5 Te Laplace Equaton n a convex polygon Te most mportant ellptc PDEs are te Laplace, te modfed Helmoltz and te Helmoltz equatons. Te Laplace equaton s u xx + u yy =. (5.) Te real and magnary parts of an

More information

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards Comments on a secure dynamc ID-based remote user authentcaton scheme for multserver envronment usng smart cards Debao He chool of Mathematcs tatstcs Wuhan nversty Wuhan People s Republc of Chna Emal: hedebao@63com

More information

1 The Mistake Bound Model

1 The Mistake Bound Model 5-850: Advanced Algorthms CMU, Sprng 07 Lecture #: Onlne Learnng and Multplcatve Weghts February 7, 07 Lecturer: Anupam Gupta Scrbe: Bryan Lee,Albert Gu, Eugene Cho he Mstake Bound Model Suppose there

More information

Maximizing the number of nonnegative subsets

Maximizing the number of nonnegative subsets Maxmzng the number of nonnegatve subsets Noga Alon Hao Huang December 1, 213 Abstract Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what s the maxmum

More information

Module 9. Lecture 6. Duality in Assignment Problems

Module 9. Lecture 6. Duality in Assignment Problems Module 9 1 Lecture 6 Dualty n Assgnment Problems In ths lecture we attempt to answer few other mportant questons posed n earler lecture for (AP) and see how some of them can be explaned through the concept

More information

Practical and Secure Solutions for Integer Comparison (Extended Abstract)

Practical and Secure Solutions for Integer Comparison (Extended Abstract) Practcal and Secure Solutons for Integer Comparson (Extended Abstract) Juan Garay 1, erry Schoenmakers 2, and José Vllegas 2 1 ell Labs Lucent Technologes, 600 Mountan Ave., Murray Hll, NJ 07974 garay@research.bell-labs.com

More information

Lecture 4: Universal Hash Functions/Streaming Cont d

Lecture 4: Universal Hash Functions/Streaming Cont d CSE 5: Desgn and Analyss of Algorthms I Sprng 06 Lecture 4: Unversal Hash Functons/Streamng Cont d Lecturer: Shayan Oves Gharan Aprl 6th Scrbe: Jacob Schreber Dsclamer: These notes have not been subjected

More information

Finding Primitive Roots Pseudo-Deterministically

Finding Primitive Roots Pseudo-Deterministically Electronc Colloquum on Computatonal Complexty, Report No 207 (205) Fndng Prmtve Roots Pseudo-Determnstcally Ofer Grossman December 22, 205 Abstract Pseudo-determnstc algorthms are randomzed search algorthms

More information

LECTURE 5: FIBRATIONS AND HOMOTOPY FIBERS

LECTURE 5: FIBRATIONS AND HOMOTOPY FIBERS LECTURE 5: FIBRATIONS AND HOMOTOPY FIBERS In ts lecture we wll ntroduce two mortant classes of mas of saces, namely te Hurewcz fbratons and te more general Serre fbratons, wc are bot obtaned by mosng certan

More information

Byzantine Agreement Given Partial Broadcast

Byzantine Agreement Given Partial Broadcast J. Cryptology (2005) 18: 191 217 DOI: 10.1007/s00145-005-0308-x 2005 Internatonal Assocaton for Cryptologc Research Byzantne Agreement Gven Partal Broadcast Jeffrey Consdne Computer Scence Department,

More information

Solution for singularly perturbed problems via cubic spline in tension

Solution for singularly perturbed problems via cubic spline in tension ISSN 76-769 England UK Journal of Informaton and Computng Scence Vol. No. 06 pp.6-69 Soluton for sngularly perturbed problems va cubc splne n tenson K. Aruna A. S. V. Rav Kant Flud Dynamcs Dvson Scool

More information

Chapter 8 Indicator Variables

Chapter 8 Indicator Variables Chapter 8 Indcator Varables In general, e explanatory varables n any regresson analyss are assumed to be quanttatve n nature. For example, e varables lke temperature, dstance, age etc. are quanttatve n

More information

princeton univ. F 17 cos 521: Advanced Algorithm Design Lecture 7: LP Duality Lecturer: Matt Weinberg

princeton univ. F 17 cos 521: Advanced Algorithm Design Lecture 7: LP Duality Lecturer: Matt Weinberg prnceton unv. F 17 cos 521: Advanced Algorthm Desgn Lecture 7: LP Dualty Lecturer: Matt Wenberg Scrbe: LP Dualty s an extremely useful tool for analyzng structural propertes of lnear programs. Whle there

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

Introduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law:

Introduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law: CE304, Sprng 2004 Lecture 4 Introducton to Vapor/Lqud Equlbrum, part 2 Raoult s Law: The smplest model that allows us do VLE calculatons s obtaned when we assume that the vapor phase s an deal gas, and

More information

The optimal delay of the second test is therefore approximately 210 hours earlier than =2.

The optimal delay of the second test is therefore approximately 210 hours earlier than =2. THE IEC 61508 FORMULAS 223 The optmal delay of the second test s therefore approxmately 210 hours earler than =2. 8.4 The IEC 61508 Formulas IEC 61508-6 provdes approxmaton formulas for the PF for smple

More information

Lai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract)

Lai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract) La-Massey Scheme and Quas-Festel Networks (Extended Abstract Aaram Yun, Je Hong Park 2, and Jooyoung Lee 2 Unversty of Mnnesota - Twn Ctes aaramyun@gmalcom 2 ETRI Network & Communcaton Securty Dvson, Korea

More information

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol Cryptanalyss of parng-free certfcateless authentcated key agreement protocol Zhan Zhu Chna Shp Development Desgn Center CSDDC Wuhan Chna Emal: zhuzhan0@gmal.com bstract: Recently He et al. [D. He J. Chen

More information

Kernel Methods and SVMs Extension

Kernel Methods and SVMs Extension Kernel Methods and SVMs Extenson The purpose of ths document s to revew materal covered n Machne Learnng 1 Supervsed Learnng regardng support vector machnes (SVMs). Ths document also provdes a general

More information

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results.

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results. Neural Networks : Dervaton compled by Alvn Wan from Professor Jtendra Malk s lecture Ths type of computaton s called deep learnng and s the most popular method for many problems, such as computer vson

More information

Note on EM-training of IBM-model 1

Note on EM-training of IBM-model 1 Note on EM-tranng of IBM-model INF58 Language Technologcal Applcatons, Fall The sldes on ths subject (nf58 6.pdf) ncludng the example seem nsuffcent to gve a good grasp of what s gong on. Hence here are

More information

, rst we solve te PDE's L ad L ad n g g (x) = ; = ; ; ; n () (x) = () Ten, we nd te uncton (x), te lnearzng eedbac and coordnates transormaton are gve

, rst we solve te PDE's L ad L ad n g g (x) = ; = ; ; ; n () (x) = () Ten, we nd te uncton (x), te lnearzng eedbac and coordnates transormaton are gve Freedom n Coordnates Transormaton or Exact Lnearzaton and ts Applcaton to Transent Beavor Improvement Kenj Fujmoto and Tosaru Suge Dvson o Appled Systems Scence, Kyoto Unversty, Uj, Kyoto, Japan suge@robotuassyoto-uacjp

More information

arxiv:quant-ph/ Jul 2002

arxiv:quant-ph/ Jul 2002 Lnear optcs mplementaton of general two-photon proectve measurement Andrze Grudka* and Anton Wóck** Faculty of Physcs, Adam Mckewcz Unversty, arxv:quant-ph/ 9 Jul PXOWRZVNDR]QDRODQG Abstract We wll present

More information

Secure Two-Party k-means Clustering

Secure Two-Party k-means Clustering Secure Two-Party k-means Clusterng Paul Bunn Rafal Ostrovsky ABSTRACT The k-means Clusterng problem s one of the most-explored problems n data mnng to date. Wth the advent of protocols that have proven

More information

NUMERICAL DIFFERENTIATION

NUMERICAL DIFFERENTIATION NUMERICAL DIFFERENTIATION 1 Introducton Dfferentaton s a method to compute the rate at whch a dependent output y changes wth respect to the change n the ndependent nput x. Ths rate of change s called the

More information

More metrics on cartesian products

More metrics on cartesian products More metrcs on cartesan products If (X, d ) are metrc spaces for 1 n, then n Secton II4 of the lecture notes we defned three metrcs on X whose underlyng topologes are the product topology The purpose of

More information

Lectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix

Lectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix Lectures - Week 4 Matrx norms, Condtonng, Vector Spaces, Lnear Independence, Spannng sets and Bass, Null space and Range of a Matrx Matrx Norms Now we turn to assocatng a number to each matrx. We could

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 No extra materal s allowed durng the exam except for pens and a smple calculator (not smartphones).

More information

NP-Completeness : Proofs

NP-Completeness : Proofs NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem

More information

On the Instantiability of Hash-and-Sign RSA Signatures

On the Instantiability of Hash-and-Sign RSA Signatures On the Instantablty of Hash-and-Sgn RSA Sgnatures Yevgeny Dods Iftach Hatner Ars Tentes December 29, 2011 Abstract The hash-and-sgn RSA sgnature s one of the most elegant and well known sgnatures schemes,

More information

Talk at ANZMC Ã ICIAM. Categorical and Combinatorial Aspects of Descent Theory

Talk at ANZMC Ã ICIAM. Categorical and Combinatorial Aspects of Descent Theory Talk at ANZMC Ã CAM Ross Street 11am 11 July 2003 UTS Rm UB112 egorcal and Combnatoral Aspects of Descent Teory Descent Teory =.. Teory of Stacks An n-stack s a weak morpsm from a weak n-category to te

More information

Ballot Paths Avoiding Depth Zero Patterns

Ballot Paths Avoiding Depth Zero Patterns Ballot Paths Avodng Depth Zero Patterns Henrch Nederhausen and Shaun Sullvan Florda Atlantc Unversty, Boca Raton, Florda nederha@fauedu, ssull21@fauedu 1 Introducton In a paper by Sapounaks, Tasoulas,

More information

Message modification, neutral bits and boomerangs

Message modification, neutral bits and boomerangs Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental

More information

Decentralized Multi-Client Functional Encryption for Inner Product

Decentralized Multi-Client Functional Encryption for Inner Product Ths paper s a slght varant of the Extended Abstract that appears n Advances n Cryptology ASIACRYPT 2018 (December 2 6, Brsbane, Australa) Sprnger-Verlag, LNCS?????, pages??????. Decentralzed Mult-Clent

More information

Grover s Algorithm + Quantum Zeno Effect + Vaidman

Grover s Algorithm + Quantum Zeno Effect + Vaidman Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the

More information

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U)

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U) Econ 413 Exam 13 H ANSWERS Settet er nndelt 9 deloppgaver, A,B,C, som alle anbefales å telle lkt for å gøre det ltt lettere å stå. Svar er gtt . Unfortunately, there s a prntng error n the hnt of

More information

Lecture 10 Support Vector Machines II

Lecture 10 Support Vector Machines II Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed

More information

Dirichlet s Theorem In Arithmetic Progressions

Dirichlet s Theorem In Arithmetic Progressions Drchlet s Theorem In Arthmetc Progressons Parsa Kavkan Hang Wang The Unversty of Adelade February 26, 205 Abstract The am of ths paper s to ntroduce and prove Drchlet s theorem n arthmetc progressons,

More information

An Optimally Fair Coin Toss

An Optimally Fair Coin Toss An Optmally Far Con Toss Tal Moran, Mon Naor,,andGlSegev Department of Computer Scence and Appled Mathematcs, Wezmann Insttute of Scence, Rehovot 76100, Israel talm@seas.harvard.edu, {mon.naor,gl.segev}@wezmann.ac.l

More information

Structure and Drive Paul A. Jensen Copyright July 20, 2003

Structure and Drive Paul A. Jensen Copyright July 20, 2003 Structure and Drve Paul A. Jensen Copyrght July 20, 2003 A system s made up of several operatons wth flow passng between them. The structure of the system descrbes the flow paths from nputs to outputs.

More information

Secure Two-Party k-means Clustering

Secure Two-Party k-means Clustering Secure Two-Party k-means Clusterng Paul Bunn Rafal Ostrovsky Abstract The k-means Clusterng problem s one of the most-explored problems n data mnng to date. Wth the advent of protocols that have proven

More information

The Order Relation and Trace Inequalities for. Hermitian Operators

The Order Relation and Trace Inequalities for. Hermitian Operators Internatonal Mathematcal Forum, Vol 3, 08, no, 507-57 HIKARI Ltd, wwwm-hkarcom https://doorg/0988/mf088055 The Order Relaton and Trace Inequaltes for Hermtan Operators Y Huang School of Informaton Scence

More information

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE Analytcal soluton s usually not possble when exctaton vares arbtrarly wth tme or f the system s nonlnear. Such problems can be solved by numercal tmesteppng

More information

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud Resource Allocaton wth a Budget Constrant for Computng Independent Tasks n the Cloud Wemng Sh and Bo Hong School of Electrcal and Computer Engneerng Georga Insttute of Technology, USA 2nd IEEE Internatonal

More information

COS 511: Theoretical Machine Learning

COS 511: Theoretical Machine Learning COS 5: Theoretcal Machne Learnng Lecturer: Rob Schapre Lecture #0 Scrbe: José Sões Ferrera March 06, 203 In the last lecture the concept of Radeacher coplexty was ntroduced, wth the goal of showng that

More information

Lecture 5 Decoding Binary BCH Codes

Lecture 5 Decoding Binary BCH Codes Lecture 5 Decodng Bnary BCH Codes In ths class, we wll ntroduce dfferent methods for decodng BCH codes 51 Decodng the [15, 7, 5] 2 -BCH Code Consder the [15, 7, 5] 2 -code C we ntroduced n the last lecture

More information

Amortizing Secure Computation with Penalties

Amortizing Secure Computation with Penalties Amortzng Secure Computaton wth Penaltes ABSTRACT Motvated by the mpossblty of achevng farness n secure computaton [Cleve, STOC 1986], recent works study a model of farness n whch an adversaral party that

More information

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal Inner Product Defnton 1 () A Eucldean space s a fnte-dmensonal vector space over the reals R, wth an nner product,. Defnton 2 (Inner Product) An nner product, on a real vector space X s a symmetrc, blnear,

More information

Multigrid Methods and Applications in CFD

Multigrid Methods and Applications in CFD Multgrd Metods and Applcatons n CFD Mcael Wurst 0 May 009 Contents Introducton Typcal desgn of CFD solvers 3 Basc metods and ter propertes for solvng lnear systems of equatons 4 Geometrc Multgrd 3 5 Algebrac

More information

Economics 101. Lecture 4 - Equilibrium and Efficiency

Economics 101. Lecture 4 - Equilibrium and Efficiency Economcs 0 Lecture 4 - Equlbrum and Effcency Intro As dscussed n the prevous lecture, we wll now move from an envronment where we looed at consumers mang decsons n solaton to analyzng economes full of

More information

Min Cut, Fast Cut, Polynomial Identities

Min Cut, Fast Cut, Polynomial Identities Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.

More information

Graph Reconstruction by Permutations

Graph Reconstruction by Permutations Graph Reconstructon by Permutatons Perre Ille and Wllam Kocay* Insttut de Mathémathques de Lumny CNRS UMR 6206 163 avenue de Lumny, Case 907 13288 Marselle Cedex 9, France e-mal: lle@ml.unv-mrs.fr Computer

More information

Lecture 12: Discrete Laplacian

Lecture 12: Discrete Laplacian Lecture 12: Dscrete Laplacan Scrbe: Tanye Lu Our goal s to come up wth a dscrete verson of Laplacan operator for trangulated surfaces, so that we can use t n practce to solve related problems We are mostly

More information

Homework Assignment 3 Due in class, Thursday October 15

Homework Assignment 3 Due in class, Thursday October 15 Homework Assgnment 3 Due n class, Thursday October 15 SDS 383C Statstcal Modelng I 1 Rdge regresson and Lasso 1. Get the Prostrate cancer data from http://statweb.stanford.edu/~tbs/elemstatlearn/ datasets/prostate.data.

More information

Can PPAD Hardness be Based on Standard Cryptographic Assumptions?

Can PPAD Hardness be Based on Standard Cryptographic Assumptions? Can PPAD Hardness be Based on Standard Cryptographc Assumptons? Alon Rosen Gl Segev Ido Shahaf Abstract We consder the queston of whether PPAD hardness can be based on standard cryptographc assumptons,

More information

On a nonlinear compactness lemma in L p (0, T ; B).

On a nonlinear compactness lemma in L p (0, T ; B). On a nonlnear compactness lemma n L p (, T ; B). Emmanuel Matre Laboratore de Matématques et Applcatons Unversté de Haute-Alsace 4, rue des Frères Lumère 6893 Mulouse E.Matre@ua.fr 3t February 22 Abstract

More information

Hash functions : MAC / HMAC

Hash functions : MAC / HMAC Hash functons : MAC / HMAC Outlne Message Authentcaton Codes Keyed hash famly Uncondtonally Secure MACs Ref: D Stnson: Cryprography Theory and Practce (3 rd ed), Chap 4. Unversal hash famly Notatons: X

More information

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016 CS 29-128: Algorthms and Uncertanty Lecture 17 Date: October 26, 2016 Instructor: Nkhl Bansal Scrbe: Mchael Denns 1 Introducton In ths lecture we wll be lookng nto the secretary problem, and an nterestng

More information

THE SUMMATION NOTATION Ʃ

THE SUMMATION NOTATION Ʃ Sngle Subscrpt otaton THE SUMMATIO OTATIO Ʃ Most of the calculatons we perform n statstcs are repettve operatons on lsts of numbers. For example, we compute the sum of a set of numbers, or the sum of the

More information