Oblivious Transfer based on Key Exchange

Transcription

1 Oblivious Transfer based on Key Echane bhishek Parakh bstract: Key-echane rotocols have been overlooked as a ossible means for imlementin oblivious transfer (OT) In this aer we resent a rotocol for mutual echane of secrets, -out-of- OT coin-fliin similar to Diffie- Hellman rotocol usin the idea of obliviously echanin encrytion keys Since, Diffie-Hellman scheme is widely used, our rotocol may rovide a useful alternative to the conventional methods for imlementation of oblivious transfer a useful rimitive in buildin larer crytorahic schemes Introduction Oblivious transfer (OT), discussed by Stehen Wiesner as conjuate codin [] became oular when Rabin described a scheme for mutual echane of secrets [] This combined with -outof- oblivious transfer led to the develoment of numerous crytorahic tools n oblivious transfer rotocol is a scheme in which lice transfers to ob a secret without knowin if ob received it, while ob may or may not receive the secret, each haenin with a certain robability, usually one-half Such a scheme usin Ellitic Curve Crytorahy has been discussed in [3] In this aer we construct a rotocol for oblivious transfer usin key echane similar to Diffie- Hellman (DH) rotocol [4], which is a oular method for establishin a shared key between two arties over an insecure channel We modify the Diffie-Hellman rotocol such that the two communicatin arties will succeed or fail in establishin a shared key each with a robability of one-half However, the arty sendin the secret will not know if the receiver has the same key as he/she does There have been imlementations [5,6] of -out-of-n OT based on the Decision Diffie-Hellman (DDH) roblem [7] However, our rotocol differs from revious ones in the sense that - firstly, we describe a scheme for mutual echane of secrets based on DH Secondly, in the revious imlementations the -out-of-n OT use the DDH for the transfer itself, ie alies the Diffie- Hellman eonentiation for the encrytion of secrets directly Here we administer the idea of the oblivious key echane Once the keys are echaned (obliviously), the arties may use any mutually areed encrytion method for the actual transfer / echane of secrets

2 The security of our rotocol arises from the fact that the roblem of determinin an eonent e iven, y a rime, such that e mod y is equivalent to solvin a Discrete Lo Problem (DLP) efficiently The articiants choose numbers, such that is a lare rime on the order of at least 300 decimal diits (04 bits), has a lare rime factor is a enerator of order in the multilicative rou Ζ (a enerator is a rimitive root of ) This ensures the security of the rotocols not only aainst eavesdroers but also aainst the oosin arty, which is to be considered as an adversary as well Since we will be workin only in Ζ, we often do not state it elicitly The roof that the security of Rabin s crytosystem is equivalent to a factorization roblem led to the develoment of the zero-knowlede roof [8] In such a roof a rover tries to convince a verifier that he ossesses certain information but he does not disclose the information but only the roof that he ossesses the information With every iteration of the alorithm, the robability of an imoster cheatin a verifier decreases eonentially We will discuss a scheme for zeroknowlede roof based on the discrete lo roblem Mutual echane of secrets Suose lice ob ossess secrets S S resectively, which they wish to echane, however, they do not trust each other We would like to comlete the echane without a trusted third arty without a rocedure for simultaneous echane of secrets; the latter bein ractically imossible to imlement when the arties are eorahically far aart oth arties are assumed to have an aroriate mechanism to diitally sin every messae they send Let the secrets S S be asswords to files that ob lice want to access such that if a wron assword is used then the files will self-destruct This revents the arties from tryin rom asswords The rotocol is based on the oblivious echane of encrytion keys The Protocol: We eloit the fact that there eist Ζ,, such that they ma to a sinle ciher c, where c mod mod Let K denote the key that lice uses to encryt her secret, while ob uses K to encryt his secret With these assumtions, the rotocol roceeds as follows: lice ob aree uon a rime, a number Ζ as the enerator c such that c mod mod (lice ob both know ) lice rivately chooses or two rom numbers

3 3 ob secretly decides on, such that or a rom number + 4 lice sends to ob: mod mod + 5 ob sends to lice: mod comutes K ( ) mod for himself + 6 lice comutes: K mod 7 ob chooses a rom messae M sends C f ( M ) 8 lice sends back Y f ( C, ) K to ob K, to lice c f ( m, k) is a function known to both lice ob, where m is the inut, k is the key knowin c does not reveal the key used f may be an encrytion function usin a secret key f is the decrytion function (, ) lice Mutual areement: rime such that has a lare rime factor a number Ζ that is a rimitive root of 3 a number c, where c mod mod ( ) M,, ob ( ) K lice [ ( + ) K ] ob Comare with M to determine if K or K K K Illustration of roosed alorithm to achieve oblivious echane of encrytion key (all comutations erformed in Ζ ) 3

4 Two cases arise from the above sequence, namely If then K K, else K K Hence, ob receives K with robability one-half Stes 7 8 hel ob check if he has K by comarin Y M Similarly, echane of key Define states, K takes lace from ob to lice U b K, K, if if ob received K ob did not receive K where, K Ζ K is the bitwise comlement of K U a is similarly defined In order to revent cheatin by either arty, lice sends U a S to ob ob sends Ub S to lice Since, neither arty knows other s state of knowlede of the secret key, this ste does not rovide either arty with any knowlede of other s secret Finally, lice ob echane their secrets encrytin them usin K K, resectively If at the last ste, after lice sends her encryted secret to ob, ob was to cheat not send his secret to lice, then the fact that ob cheated imlies that ob received K U b K that ob had reviously sent Ub S K S lice can retrieve S by comutin K S K S The robability, after the rotocol is comlete, that neither arty knows other s secret key is onefourth Eamle: lice ob wish to echane secrets S c 9 Therefore, c mod 3 c mod 0 from ste of the alorithm Let us eamine them: S They aree uon 3, 5 Two cases arise beinnin Case I: lice chooses: 3 two rom numbers ob chooses: lice sends to ob: mod 5 + mod mod 5 mod 3 9 4

5 5 ob sends to lice: mod mod ( 6 5 ) mod 3 7 mod 3 7 ( 6 7) mod 3 7 comutes for himself: ( ) 7 K mod 9 mod lice comutes: K mod ( 7) 5 mod 3 ob may encryt a rom messae with the key that he has enerated ask lice to decryt it usin her key to determine if he has K Since lice ob have chosen 3, then K K ( 0 ives similar results) Case II: lice chooses: 3 two rom numbers ob chooses: lice sends to ob: mod 5 + mod mod 5 mod ob sends to lice: mod mod 3 7 ( 6 ) mod 3 7 mod 3 7 ( 6 ) mod 3 9 comutes for himself: ( ) 7 K mod 9 mod lice comutes: K mod () 9 5 mod 3 6 5

6 In this case, lice ob have chosen similar results), hence K K ( 0 3 yields In none of the cases can ob can redict before h what choice lice has made, so the rotocol remains fair Security issues: The rotocol breaks down if ob is able to comute both ( ) mod ( + ) [ ] mod We see that ob can deduce comute, usin which he may y mod Given y, deducin y is a DLP If we assume that some how ob is able to deduce y, then in order for him to comute the ratio, he still needs to know either or, which is aain equivalent to a DLP ased on the assumtion that a Discrete Lo Problem is difficult to solve, the rotocol remains secure 3 One-out-of-two oblivious transfer One of the most owerful rimitives that have led to the invention of numerous crytorahic schemes is the one-out-of-two oblivious transfer It may concetually be described as a black bo where lice uts in two secrets, S S, such that ob can only retrieve one of them while ettin no information about the other ob is concerned that lice should not know which secret he retrieved situation may be such that a sy wishes to sell one out of two secrets that he ossesses, while the buyer does not wish the sy to know which information he wants In such a situation the - out-of- oblivious transfer can be emloyed It is assumed that the arty ossessin the two secrets is willin to disclose one only one of these to the other The rocedure of choosin rime, enerator number c mod mod remains identical to that described before However, this time lice uses secret keys K K to encryt secrets S S, resectively She announces to ob that she is associatin key K with key K with With these initial conditions the rotocol follows: + lice secretly chooses sends to ob: mod ob chooses (if he wants secret S ) or (if he wants secret S ) secret numbers 6

7 + 3 ob sends to lice: mod mod + 4 lice chooses a number sends to ob: mod ob comutes: K mod mod 6 lice comutes: K mod ( ) + K mod ( ) 7 lice encryts secret S usin K secret S usin K sends them to ob From the above sequence we see that if ob chooses, then K K if ob chooses, then K K Hence, ob will only be able to retrieve one of the two secrets deendin uon his choice, while lice will not be able to determine which secret ob has retrieved Security issues: In order for ob to cheat, he needs to comute both K K His best otion is to determine one of the keys honestly usin that, try to deduce the other key For instance, if ob honestly comutes K, then he will have access to ut this does not rovide him with any information about which he needs to comute K Similarly, he cannot calculate K from K The roblem is aain equivalent to efficiently solvin a DLP 4 Coin-Fliin Protocols coule may decide on which restaurant to o to or whether they should take a vacation or buy a car for their net anniversary, by tossin a coin In this case fliin a coin is a trivial matter since both arties are resent at the same lace hysically However, roblems arise when the articiants are eorahically searated over lare distances How are they suosed to fairly fli a coin when both of them cannot see the outcome simultaneously? Many business transactions require such an arranement or a simle ame of amblin over the Web may need a fair coin-toss umerous solutions eist for this urose that emloy crytorahic techniques of bit commitment [9, 0] 7

8 It turns out that any oblivious transfer scheme may be suitably modified to fli a coin, so can be the rotocol for mutual echane of secrets that we have resented For instance, if ob receives the same key as lice then ob wins the toss else lice wins fter ob declares the key he has comuted, lice relies if he won or lost reveals all the variables that she had chosen which ob can use to verify lice s claim ob may not disclose any of the variables of his choice 5 Zero-Knowlede Proofs Introduced in 985, zero-knowlede roofs are tyically used to force malicious arties to behave accordin to a redetermined rotocol In addition to their direct alicability to crytorahy, they serve as a ood benchmark for the study of various roblems reardin crytorahic rotocols [,, 3] Here we discuss a rotocol for a rover P to convince a verifier V that he ossesses certain information without disclosin the actual information We may formally describe the roblem as the followin: P declares a y, such that y e mod, where is a rime Ζ y, may be lobal information However, only P knows the eonent e For everyone else, determinin e is a DLP The roblem is for P to convince V that he knows the value of e without disclosin it The rotocol may roceed as follows: e en P chooses a rom inteer n sends X ( ) mod mod n to V V chooses a rom bit b If b 0, M 0; else he chooses a rom m sets M m mod b, M to P sends ( ) e me 3 If b 0, P sends n to V ; else P sends Y M mod mod to V n en 4 When b 0, V verifies X is equal to y mod mod So he believes that P m em knows the value of n If b, V verifies if Y is equal to y mod mod So he is convinced that P knows the value of e This is a sinle round of the rotocol Uon multile rounds of the rotocol, the robability of an imoster cheatin the verifier decreases eonentially We see that an imoster who does not know e will succeed with a robability of one-half in each round This is because if V starts communicatin with an imoster P from round one, then when b 0, P successfully comletes the rotocol, but when b, then P will have to uess the value of e Hence, after t iterations, the robability of the verifier bein cheated t decreases to The rotocol is zero-knowlede because P never sends e, but only uses it as an eonent This makes it equivalent to Discrete-Lo-Problem 8

9 zero-knowlede roof can be used for identification if the verifier knows the value of e, which acts like a assword The rover has to convince the verifier that he knows the assword, without actually ivin it out This is because the verifier may be an imoster tryin to determine the assword by cheatin 6 Conclusion Our alorithm oens u the ossibility of develoment of oblivious transfer schemes usin key echane rotocols cademically, it aears that such alorithms should have receded Rabin s rotocol It shows that there eist numerous variations on the imlementation of OT rotocols lso, most OT schemes can be etended to coin fliin with minor modifications, in which case, only one sided transfer may take lace success or failure deends on the oosin arty bein lucky enouh to deduce the key Our rotocol is different from Rabin s rotocol in the sense that the latter aims at obliviously transmittin the decrytion key from the transmitter to the receiver whereas we establish a shared key between the transmitter receiver with robability one-half Hiher eonents may be emloyed to enerate transfer robabilities other than one-half It turns out that the Diffie- Hellman rotocol is a owerful rimitive can be used as a basis for imlementin many crytorahic rotocols that have been imlemented via the RS tye transformations This ossibility had been overlooked cknowledement I sincerely thank William Perkins James Harold Thomas for discussions useful comments References S Wiesner Conjuate Codin, manuscrit written circa 970, unublished until it aeared in Siact ews, Vol 5, no, 983, M O Rabin How to echane secrets by oblivious transfer Technical Reort TR-8, iken Comutation Laboratory, Harvard University, 98 3 Parakh Oblivious Transfer usin Ellitic Curves, Crytoloia, Volume 3, Issue ril 007, aes W Diffie M E Hellman ew Directions in Crytorahy, IEEE Transactions on Information Theory, vol IT-, ov 976, : M ellare, S Micali on-interactive oblivious transfer alicatoins Cryto 89,

10 6 M aor Pinkas Efficient Oblivious Transfer Protocols, Proceedins of SOD 00 (SIM Symosium on Discrete lorithms), January , Washinton DC 7 D oneh The Decision Diffie-Hellman Problem Proceedins of the Third lorithmic umber Theory Symosium Sriner-Verla LCS 43, 998, : S Goldwasser, S Micali, C Rackoff The knowlede comleity of interactive roof systems CM Symosium on Theory of Comutin, CM Press, ew York, US, 985, M lum Coin fliin by telehone dvances in Crytoloy: Reort on CRYPTO 8, aes 5, Santa arbara, 98 ECE Reort o J Reyneri E Karnin Coin fliin by telehone (Corres) Information Theory, IEEE Transactions on, Volume 30, Issue 5, Se 984 aes: Fiat Shamir, How to rove yourself: Practical solutions to identification sinature roblems, dvances in Crytoloy - Cryto '86, Sriner-Verla (987), U Feie Fiat Shamir Zero Knowlede Proofs of Identity Proceedins of the 9th CM Sym on Theory of Comutin, May 987, aes:0-7 3 O Goldreieh, S Micali Widerson, "Proofs That Yield othin ut Their Validity a Methodoloy of Crytorahic Protocol Desin", Proceedins of FOGS 986,