Equational Security Proofs of Oblivious Transfer Protocols


Baiyu Li, Daniele Micciancio
January 9, 2018

Abstract
We exemplify and evaluate the use of the equational framework of Micciancio and Tessaro (ITCS 2013) by analyzing a number of concrete Oblivious Transfer protocols: a classic OT transformation to increase the message size, and the recent (so called "simplest") OT protocol in the random oracle model of Chou and Orlandi (Latincrypt 2015), together with some simple variants. Our analysis uncovers subtle timing bugs or shortcomings in both protocols, or the OT definition typically employed when using them. In the case of the OT length extension transformation, we show that the protocol can be formally proved secure using a revised OT definition and a simple protocol modification. In the case of the "simplest" OT protocol, we show that it cannot be proved secure according to either the original or revised OT definition, in the sense that for any candidate simulator (expressible in the equational framework) there is an environment that distinguishes the real from the ideal system.

1 Introduction
Cryptographic design and analysis is a notoriously hard problem, arguably even harder than standard software design because it requires building systems that behave robustly in the presence of a malicious adversary that actively tries to subvert their execution. The desirability of precise formalisms to describe and analyze cryptographic constructions is well exemplified by the code-based game-playing framework of [4] to present security definitions and proofs of standard cryptographic functions. But even the detailed framework of [4] offers little help when formalizing more complex cryptographic protocols, due to their interactive nature and underlying distributed execution model.

At the semantic level, the gold standard in secure computation protocol design and analysis is the universally composable (UC) security model of [5] (or one of its many technical variants [1, 2, 7, 9, 16, 17, 21]), which offers strong compositionality guarantees in fully asynchronous execution environments like the Internet. Unfortunately, the relative lack of structure/abstraction in the traditional formulation of this model (footnote 1) makes it rather hard to use in practice, when specifying and analyzing concrete protocols (footnote 2). These limitations are widely recognized, and have prompted researchers to explore several variants, simplifications and specializations of the general UC security model [6, 19, 22, 30]. In this perspective, a very interesting line of work is represented by the abstract cryptography framework of [25], which calls for an axiomatic approach to the description and analysis of cryptographic primitives/protocols, and the constructive cryptography [24] and equational security [26] frameworks, which can be thought of as logical models of the axioms put forward in [25].

Footnote 1: Rooted in computational complexity, the model is usually described as an arbitrary network of (dynamically generated) Turing machines that communicate by means of shared tapes, possibly under the direction of some scheduling process, also modeled as an interactive Turing machine.
Footnote 2: This is analogous to the Turing machine, an excellent model to study computation in general but a rather inconvenient one when it comes to specifying actual algorithms.

Acknowledgment. This work was supported in part by NSF grant CNS. Opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of NSF. Both authors: University of California, San Diego, USA. E-mail: baiyu@cs.ucsd.edu, daniele@cs.ucsd.edu.

In this work we examine the equational security framework of [26], which provides both a concrete mathematical model of computation/communication, and a concise syntax to formally describe distributed systems by means of a set of mathematical equations. We believe that progress in our ability to describe and analyze cryptographic protocols cannot be achieved simply by formulating frameworks and proving theorems in definitional papers, but it requires putting the frameworks to work on actual example protocols. To this end, we present a detailed case-study where we evaluate the expressiveness and usability of this framework by analyzing a number of concrete oblivious transfer protocols, a simple but representative type of security protocols of interest to cryptographers. Oblivious transfer (OT), in its most commonly used 1-out-of-2 formulation [12], is a two party protocol involving a sender transmitting two messages m_0, m_1 and a receiver obtaining only one of them, in such a way that the sender does not learn which message b ∈ {0, 1} was delivered and the receiver does not learn anything about the other message m_{1−b}. OT is a classic example of secure computation [12, 27], and an important (in fact, complete) building block for the construction of arbitrary security protocols [11, 14, 18, 20, 23, 32]. In Sections 3 and 4 we investigate a well known transformation often used to increase the message length of OT protocols with the help of a pseudorandom generator. In Section 5, we investigate a very efficient OT protocol in the random oracle model recently proposed in [10]. We remark that the primary goal of our work is to exemplify and evaluate the usability of the equational security framework of [26], rather than finding and fixing bugs in specific protocol instances. Still, our findings about the OT protocols under study may be of independent interest, and well illustrate how equational security modeling can offer a convenient and valuable tool for cryptographic protocol specification and analysis.

The main findings about the OT protocols are the following:
- The security of the OT protocol transformation, often considered a folklore result in cryptography, does not hold with respect to the naive OT definition typically used (often implicitly) in the cryptographic literature. However, if the OT ideal functionality definition is suitably modified, then the transformation becomes provably secure, and can be readily analyzed using simple equational reasoning.
- The protocol of [10] can be proved secure according to neither the classic nor the revised OT definitions considered above.
Technical details about our findings, and general comments/conclusions are provided in the next paragraphs.

1.1 Oblivious Transfer Extension.
The standard definition of OT is given by a functionality OT((m_0, m_1), b) = m_b that takes a pair of messages (m_0, m_1) from the sender, a selection bit b from the receiver, gives m_b to the receiver, and gives nothing to the sender. The two messages are assumed to have the same length |m_0| = |m_1| = κ, which is usually tied to the security parameter of the scheme and the mathematical structures used to implement it. (E.g., κ = log|H| where H is the domain/range of some group-theoretic cryptographic function.) A natural and well known method to adapt such an OT protocol to one allowing the transmission of longer messages is the following:
1. Use an underlying OT protocol to send two random seeds (s_0, s_1) of length κ,
2. Use these seeds as keys to encrypt the two messages using a private-key encryption scheme (footnote 3), and send both ciphertexts to the receiver over a standard (authenticated, but insecure to eavesdropping) communication channel.

Footnote 3: Since each seed s_i is used only once, the secret key encryption scheme can be as simple as stretching s_i using a pseudorandom generator G, and using the resulting string G(s_i) as a one-time pad to mask the message m_i.

The intuition is that since the receiver gets only one of the two keys, the other message is protected by the encryption scheme. Indeed, the intuition is correct, in the sense that encryption does its job and protects the other message, but the protocol is nevertheless not secure (at least, according to the simulation-based fully asynchronous security definition implied by the OT functionality described above). Our formal analysis

shows that, while the protocol is correct, and secure against corrupted senders, it is not secure against corrupted receivers, and for a very simple reason: it contains a subtle timing bug! In a real execution, the sender transmits the encryption of its two messages as soon as the two messages are made available by the environment. However, the simulator can produce the corresponding simulated ciphertexts only after the receiver has chosen her selection bit. In order to prove security, the sender should delay the transmission of the ciphertexts until after the receiver has provided b to the underlying OT protocol. The problem is that the above OT ideal functionality does not disclose any information to the sender, not even if and when the receiver has selected the bit b. We also consider a revised OT definition OT((m_0, m_1), b) = (f(b), m_b), that includes an additional output f(b) ∈ {⊥, ⊤} disclosing to the sender if b has been chosen yet, without providing the actual value of b ∈ {0, 1}. We modify the protocol accordingly (by letting the sender delay the transmission of the ciphertexts until b > ⊥), and show that the modified protocol can be formally proved secure according to the revised OT definition.

1.2 Oblivious Transfer in the Random Oracle Model.
In [10], Chou and Orlandi propose a new OT protocol achieving UC security in the random oracle model [3]. The protocol is very elegant and can be efficiently implemented based on elliptic curve groups. We provide a formal analysis of the protocol using the equational framework. We show that if the naive OT definition is used, then the protocol is insecure against both corrupted senders and corrupted receivers. For the case of corrupted senders, the failure of simulation is due to the fact that in a real protocol execution the sender learns if and when the receiver provides her selection bit, which is not available to the simulator. For the case of corrupted receivers, the problem is that in a real protocol execution the receiver can delay its random oracle query until after seeing the sender's ciphertexts, but in the ideal protocol execution, if the simulator has to output the ciphertexts before seeing the receiver's random oracle query, then it must be able to guess an external random bit correctly before seeing any inputs, which is impossible to achieve with high probability. However, unlike the case of the OT length extension transformation, these problems are not the only weakness of the protocol, and security cannot be proved by switching to the revised OT definition given above.

1.3 Discussion/Conclusions
Before jumping to conclusions, some remarks about the significance of our results are in order. As already noted, it should be understood that the aim of our work was to illustrate the use of the equational framework, rather than criticizing any specific protocol or definition. In particular, we are not arguing that the revised OT definition given in Section 4 is the correct one, and everybody should use it. In fact, other alternative definitions are possible. Our main point is that the equational model is a convenient framework to precisely formulate and investigate alternative definitions. The OT message length transformation studied in Section 3 is folklore. We are not aware of any work analyzing its security, and our study is, to the best of our knowledge, the first work even making a formal security claim about it. This is perhaps because doing this using the traditional framework based on the informal use of interactive Turing machines already seemed cumbersome and error prone enough not to be worth the effort. In fact, the transformation is simple enough that at first it is natural to wonder if a formal proof of security is required at all. Our analysis shows that a formal security proof is indeed useful, at the very least to unambiguously identify the security property (ideal functionality) for which the transformation is (proved or claimed to be) correct. We remark that when we set out to analyze the OT protocol transformation, we were taking for granted that the transformation was secure, and the analysis was meant primarily as a simple example to illustrate the use of the equational framework. Finding that the protocol does not emulate the traditional OT definition came to us as a surprise, even if in hindsight the timing bug is rather obvious. In this respect, the equational framework proved to be a very convenient tool to carry out a precise formal analysis with relatively modest effort.

As for the protocol of [10], our primary aim is to illustrate the use of the equational framework to analyze a protocol in the random oracle model. We are certainly not concerned about whether the protocol is making a morally correct use of the random oracle, or if a global random oracle definition [8] should be used instead. We simply use the equational framework to model and analyze the protocol as described in the original paper [10]. Our analysis shows that the protocol is not secure according to the original OT definition (seemingly used in [10]), but even using a revised OT definition still does not allow one to prove security in the equational framework, in the technical sense that for any simulator (expressible in the equational framework) there is an environment that distinguishes between the real and the ideal systems. We believe our analysis highlights the importance of a more rigorous proof style when analyzing secure computation protocols than is currently feasible using traditional formulations of the UC framework and its variants. This is especially important when it comes to formally specifying the security properties satisfied (or claimed) by a protocol. Without an unambiguous formal security specification/claim, even the most detailed proof is of little value, as it is not clear what is being proved or claimed. Within the context of our work, the equational framework of [26] proved to be a very convenient and useful formalism to express security definitions (in the form of ideal functionalities) and cryptographic protocols in a concise, yet mathematically precise way. It allowed us to easily explore different definitional variants and put them to good use to spot potential bugs in cryptographic protocols. Exploring the applicability of abstract frameworks along the lines of [24–26] to the specification and analysis of a wider range of cryptographic protocols is likely to be mutually beneficial, both to further develop and refine the models, and to gain useful insight on the security of concrete cryptographic protocols.

2 Background and Notation
In this section we review the equational framework of [26], and define the notation used in this paper. For completeness, we will first recall some background on the (standard) theory that gives a precise meaning to systems of equations as used in [26] and in this paper. This material is important to give a solid mathematical foundation to the equational framework, but is not essential to follow the rest of the paper, and the reader may want to skip directly to the following paragraph describing our computational models and notational conventions.

2.1 Domain Theoretical Background
The mathematical foundation of the equational framework is provided by domain theory. Here we give just enough background to describe the systems studied in this paper, and refer the reader to [15, 28, 29] for a detailed treatment. Recall that a partially ordered set (or poset) is a set X equipped with a reflexive, transitive and antisymmetric relation ≤. All posets in this paper are complete partial orders (CPOs), i.e., any (possibly empty) chain x_1 < x_2 < ... has a least upper bound sup_i x_i in X. The Cartesian product X × Y of two CPOs is also a CPO with the component-wise partial order (x_1, y_1) ≤ (x_2, y_2) ⟺ x_1 ≤ x_2 ∧ y_1 ≤ y_2. These posets are endowed with the Scott topology, where a subset C ⊆ X is closed if for all x ∈ C, y ≤ x implies y ∈ C, and any chain in C has a least upper bound in C. A set is open if its complement is closed. The standard topological definition of continuous function still applies here, and continuous functions (with respect to the Scott topology) are exactly the functions that preserve limits: f(sup_i x_i) = sup_i f(x_i). The set of all continuous functions from CPOs X to Y is denoted by [X → Y]. Any (Scott) continuous function is necessarily monotone, i.e., for all x, y ∈ X, if x ≤ y then f(x) ≤ f(y). All CPOs X have a minimal element ⊥ = sup ∅, called the bottom, which satisfies ⊥ ≤ x for all x ∈ X. For any set A, we can always construct a flat CPO A_⊥ = A ∪ {⊥} by including a unique bottom element. The partial order in A_⊥ consists of ⊥ ≤ x for all x ∈ A. It should be easy to see that all nonempty closed sets in A_⊥ contain ⊥, and open sets in A_⊥ are exactly the subsets of A and the whole A_⊥. Functions f : A → B between sets can be lifted to strict functions f : A_⊥ → B_⊥ between the corresponding flat CPOs by setting f(⊥) = ⊥. The bottom element usually designates the situation where no (real) input or output is given yet.

For any CPO X, every continuous function f : X → X admits a least fixed point, denoted fix(f), which is the minimal x ∈ X such that f(x) = x. The least fixed point can be obtained by taking the limit of the sequence ⊥, f(⊥), f^2(⊥), .... A system of mutually recursive equations can be solved via least fixed point computation. Such a solution describes the final outputs of interactive computations between nodes in a network. By Bekič's theorem [31], the least fixed point of such a system can be computed one component at a time: for example, the system (x, y) = (f(x, y), g(x, y)) can be solved by computing first x̂ = fix(λx.f(x, fix(λy.g(x, y)))) and then ŷ = fix(λy.g(x̂, y)), and the least fixed point of the system is (x̂, ŷ). We can also model probabilistic behaviors in the equational framework. A probability distribution on a CPO X is a function p : X → [0, 1] such that (footnote 4) p(A) + p(B) = p(A ∪ B) for all disjoint A, B ⊆ X and p(X) = 1. As usual, we say that a probability p is negligible if for all x ∈ X, p(x) < n^{−c} for any constant c > 1, where n is a security parameter (footnote 5). Similarly, p is overwhelming if 1 − p is negligible. If X is a CPO, then the set of probability distributions over X, denoted by D(X), is also a CPO, where for any two distributions p ≤ q (in D(X)) if and only if p(A) ≤ q(A) for any open subset A ⊆ X. Probabilistic functions are just (continuous) functions between sets of distributions with respect to this ordering relation.

Footnote 4: In general we should consider the Borel algebra on X when defining probability distributions on X. Here we simply use X instead since we work on finite sets and discrete probabilities.
Footnote 5: In the asymptotic setting, cryptographic protocols are parameterized by a security parameter n. For notational simplicity, we consider this security parameter n as fixed throughout the paper.

2.2 Computational Model
We recall that the execution model of [26] consists of a network, with nodes representing computational units, and (directed) edges modeling communication channels. (See below for details.) Each channel is associated with a partially ordered set of channel histories or behaviors, representing all possible messages or sequences of messages that may be transmitted on the channel over time. The partial order represents temporal evolution, so for any two histories, h_1 ≤ h_2 means that h_2 is a possible extension (or future) of h_1. The standard example is that of finite sequences M^* = {(m_1, ..., m_k) : k ≥ 0, ∀i. m_i ∈ M} of messages from a ground set M, ordered according to the prefix partial order. By combining the set M^∞ of infinite sequences of messages from M, we get a CPO M^ω. Another common example, modeling a channel capable of delivering only a single message, is the flat partial order M_⊥, consisting of all messages in M and a special bottom element ⊥ denoting the fact that no message has been transmitted yet. Different incoming and outgoing channels (incident to a single node) are combined taking Cartesian products, so that each node can be thought of as having just one input and one output. The computational units at the nodes are modeled as functions F : X → Y from the incoming channels to the outgoing channels, satisfying the natural monotonicity requirement that for any h_1 ≤ h_2 in X, we have F(h_1) ≤ F(h_2) in Y. Informally, monotonicity captures the intuition that once a party transmits a message, it cannot go back in time and take it back. A probabilistic computational unit can be modeled as a function of type X → D(Y), where D is the probability monad. We may also consider units with limited computational power in the monadic approach, which is an important extension to the equational framework. However, as all the protocols considered in this paper run in constant time, for simplicity we do not formalize computational cost (e.g. running time, space, etc.) in our analysis. Computation units can be connected to a communication network N to form a system, where N is also a monotone function. Such a system is again a monotone function mapping external input channels to external output channels of all the units, and it is modeled as a composition of functions describing all the units and the network. Syntactically, function compositions can be simplified by substitution and variable elimination, and, when recursive definition is involved, by using fixed point operations. In general, we use the notation (F | G) to denote the system composed by functions F and G, where the composition operator | is associative. The main advantage of the equational framework is that it has a mathematically clean and well defined semantics, where functions can be completely described by mathematical equations (specifying the relation between the input and the output of the units), and composition simply combines equations together. The equational approach also provides a simple and precise way to reason about relations between systems. For example, equivalent components (in the sense of having equivalent equations) can be replaced by

each other, and when considering probabilistic behaviors, if a component is indistinguishable from another component, then they can be used interchangeably with negligible impact on the behavior of the entire system.

2.3 Security
The definition of security in the equational framework follows the well-accepted simulation-based security paradigm. In this paper we consider only OT protocols, which are two-party protocols between a sender program and a receiver program. An ideal functionality F is a function from X = X_0 × X_1 to Y = Y_0 × Y_1, where X_i (Y_i) is the external input (output) of party P_i. An environment is a function Env : Y^ω → X^ω × {⊥, ⊤} such that it takes as input the output history (as a sequence of evolving messages) of a system, and it produces a sequence of evolving inputs to the system and a decision bit t. Here a sequence of messages x_0 x_1 ... over X is evolving if x_i ≤_X x_{i+1} for all i, where x_i ∈ X and ≤_X is the partial order of X. An experiment between an environment Env and a system S is executed as follows: Env generates an evolving sequence of inputs x_0 x_1 ... to S such that S outputs y_i = S(x_i) for each x_i, Env takes as input the sequence y_0 y_1 ..., and it eventually produces an external decision bit t. We write Env[S] for the output (distribution) t of this experiment. When all parties are honest, the real system is a composition of the network N and two parties P_0 and P_1, denoted as (P_0 | P_1 | N), and it must be equivalent to the ideal functionality F. When a party P_i is corrupted, the real system is composed by the remaining honest party and the network, and the ideal system is composed by F and a monotone simulator Sim. We say that a protocol is secure against the corruption of P_i if there exists a simulator Sim as a computation unit such that the systems (N | P_{1−i}) and (Sim | F) are indistinguishable by any environment that produces a decision bit in polynomial time in the output length of the system and the security parameter.

A distinctive feature of the equational framework is the ability to specify fully asynchronous systems. An environment might not provide a complete input to a system at once, that is, the input to certain channels might be ⊥. So we must consider such asynchronous environments when analyzing the security of a protocol. It is a very interesting and important open question to compare the equational framework (with the full extension of computational security) with the UC model and its variants (for example, the simplified models of [6, 30]). Due to space limitations, we do not address such a problem in the current paper and we will study it in future work.

2.4 Notation
Now we briefly mention our notational conventions. In this paper we mainly use flat CPOs, i.e., partially ordered sets X with a bottom element ⊥_X such that x_1 ≤ x_2 iff x_1 = ⊥ or x_1 = x_2. These are used to model simple communication channels that can transmit a single message from X \ {⊥}, with ⊥ representing the state of the channel before the transmission of the message. For any CPO X, we write X^2 = {(x, y) : x, y ∈ X, x, y ≠ ⊥} ∪ {⊥} for the CPO of strict pairs over X. The elements of a pair z ∈ X^2 are denoted z[0] and z[1], with z[i] = ⊥ when z = ⊥ or i = ⊥. The operation of combining two elements into a strict pair is written ⟨x, y⟩. Notice that ⟨x, ⊥⟩ = ⟨⊥, y⟩ = ⊥, and therefore ⟨x, ⊥⟩[0] = ⟨⊥, y⟩[1] = ⊥ even when x, y ≠ ⊥. For any set A, we write x ← A for the operation of selecting an element x uniformly at random from A. It is easily verified that for any pairs z, x_0, x_1, y_0, y_1, strict function f and strict binary operation ⊗,

    z = ⟨z[0], z[1]⟩                                              (1)
    f(⟨x_0, x_1⟩[i]) = ⟨f(x_0), f(x_1)⟩[i]                        (2)
    ⟨x_0, x_1⟩[i] ⊗ ⟨y_0, y_1⟩[i] = ⟨x_0 ⊗ y_0, x_1 ⊗ y_1⟩[i]     (3)

The following are common CPOs and operations:
- The CPO T = {⊥, ⊤}, representing signals, i.e., messages with no information content.
- The CPO B = {0, 1} of single bit messages, often used to select an element from a pair.

- The CPO M_n = {0, 1}^n of bit-strings of length n.
- x!y = ⟨x, y⟩[1], the operation of guarding an expression y by some other expression x. Notice that x!y = y, except when x = ⊥, and can be used to delay the transmission of y until after x is received.
- x! = x!⊤, testing that x > ⊥.

As an example, using the notation introduced so far, we can describe the ideal (1-out-of-2) OT functionality by the equations in Fig. 1. (Notice that this functionality is parameterized by a message space M.) The first line specifies the names of the functionality (OT), input channels (m, b) and output channel(s). This is followed by a specification of the type of each channel: the input interface includes a message pair m = ⟨m_0, m_1⟩ ∈ M^2 from a sender and a selection bit b ∈ B from a receiver. The output interface is a single message m̄ ∈ M sent to the receiver while the sender does not get any information from the functionality. The last line m̄ = m[b] is an equation specifying the value of the output channel(s) as a function of the input channels. The functionality is illustrated by a diagram showing the names of the function and the input/output channels.

    OT_M(m, b) = m̄
      m : M^2
      b : B
      m̄ : M
      m̄ = m[b]

Figure 1: A naive OT functionality: the receiver gets the selected message m̄ = m[b], and the sender does not get anything at all. [Diagram: a box OT_M with input channels m, b and output channel m̄.]

In the rest of this paper, equational variables usually belong to unique domains (e.g., m : M_n^2). So from now on, we will omit such type specifications when defining functions using equations, and we will follow the convention listed in Table 1 for naming variables.

    Variable name   Domain          Variable name   Domain
    m̄               M_n             m̄2              M_l
    m               M_n^2           m2              M_l^2
    c_0, c_1        M_l             c2              M_n^2
    a, ā            T               b, b̄            B
    i, o            M_n             i2, o2          M_l^2
    k               K_n             k2              K_n^2
    q               (G^2 × G)       q2              (G^2 × G)^2
    X, Y            G

Table 1: Frequently used variables and their domains.

3 Oblivious Transfer Length Extension: a first attempt
As an abbreviation, when the message space M = {0, 1}^n is the set of all bit-strings of length n, we write OT_n instead of OT_M. Consider the following OT length extension problem: given an OT_n channel for messages of some (sufficiently large) length n, build an OT functionality OT_l for messages of length l > n. The goal is to implement OT_l making a single use of the basic OT_n functionality, possibly with the help of an auxiliary (unidirectional, one-time) communication channel for the transmission of messages from the sender to the

receiver. For simplicity (footnote 6), we model the communication channel as a functionality Net_l that copies its input of length l to the output of the same length:

    Net_l(i) = o
      o = i

[Diagram: a box Net_l with input channel i and output channel o.]

Footnote 6: This corresponds to a perfectly secure communication channel. More complex/realistic communication channels are discussed at the end of this section.

The OT length extension protocol is specified by a pair of Sender and Receiver programs, which are interconnected (using the OT_n and Net_2l functionalities) as shown in Fig. 2. Notice how the external input/output interface of the system corresponding to a real execution of the protocol in Fig. 2 is the same as that of the ideal functionality OT_l(m2, b) = m̄2 the protocol is trying to implement.

Figure 2: A real execution of a candidate OT length extension protocol. The protocol consists of a Sender and a Receiver program that communicate using the OT_n and Net_2l functionalities. [Diagram: m2 enters Sender; Sender sends m to OT_n and i2 to Net_2l; OT_n delivers m̄ and Net_2l delivers o2 to Receiver, which also takes b and outputs m̄2; as a whole, Real(m2, b) = m̄2.]

A natural approach to design an OT length extension protocol is to make use of a pseudorandom generator G : M_n → M_l that stretches a short random seed of length n into a long pseudorandom string of length l. Using such a pseudorandom generator, one may define candidate Sender and Receiver programs as follows:

    Sender(m2) = (m, i2)
      m ← M_n^2
      i2[0] = m2[0] ⊕ G(m[0])
      i2[1] = m2[1] ⊕ G(m[1])

    Receiver(b, o2, m̄) = (b̄, m̄2)
      b̄ = b
      m̄2 = o2[b̄] ⊕ G(m̄)

In words, these programs work as follows: The sender picks a pair of two random seeds m, and passes (one of) them to the receiver using the OT_n functionality. It then stretches the two seeds using the pseudorandom generator G, and uses the generator's output as a one-time pad to mask the actual messages before they are transmitted to the receiver over the communication channel Net_2l. The receiver selects one of the two seeds from the OT_n functionality, expands it using the pseudorandom generator, and uses the result to unmask the corresponding message from Net_2l. It is easy to show that the protocol is correct, in the sense that combining the equations of OT_n, Net_2l, Sender and Receiver as shown in Fig. 2 results in a system Real(m2, b) = m̄2 that is perfectly equivalent

to the defining equation m̄2 = m2[b] of the ideal functionality OT_l. Intuitively, the protocol also seems secure because only one of the two seeds can be recovered by the receiver, and the unselected message is protected by an unpredictable pseudorandom pad. But security of cryptographic protocols is a notoriously tricky business, and deserves a closer look.

We first consider the security of the protocol when the sender is corrupted. The attack scenario corresponds to the real system obtained by removing the Sender program from the protocol execution in Fig. 2. Following the simulation paradigm, security requires exhibiting an efficient simulator program SimS (interacting, as a sender, with the ideal functionality OT_l) such that the following real and ideal systems are computationally indistinguishable:

    RealS(m, i2, b) = m̄2     (Receiver composed with OT_n and Net_2l)
    IdealS(m, i2, b) = m̄2    (SimS composed with OT_l)

Security is easily proved by defining the following simulator:

    SimS(m, i2) = m2
      m2[0] = i2[0] ⊕ G(m[0])
      m2[1] = i2[1] ⊕ G(m[1])

We observe that RealS and IdealS are perfectly equivalent because they both simplify to m̄2 = i2[b] ⊕ G(m[b]). So, the protocol is perfectly secure against corrupted senders.

We now turn to analyzing security against a corrupted receiver. This time we need to come up with a simulator SimR such that the following real and ideal executions are equivalent:

    RealR(m2, b) = (m̄, o2)     (Sender composed with OT_n and Net_2l)
    IdealR(m2, b) = (m̄, o2)    (SimR composed with OT_l)

Of course, this time we can only aim at proving computational security, i.e., coming up with a simulator such that RealR and IdealR are computationally indistinguishable. We begin by writing down explicitly the equations that define the real system execution. Combining the equations for Sender, OT_n and Net_2l, we obtain the following system:

    RealR(m2, b) = (m̄, o2)
      m ← M_n^2
      o2[0] = m2[0] ⊕ G(m[0])
      o2[1] = m2[1] ⊕ G(m[1])
      m̄ = m[b]

So, the simulator may proceed by picking m_0, m_1 at random on its own, and set m̄ = m[b] just as in the real execution. However, the simulator cannot compute o2 as in RealR because it does not know m2. This is addressed by using the same message twice, counting on the pseudorandom masking to hide this deviation from a real protocol execution. Formally, the simulator SimR is defined as follows:

SimR$(m, b) = (b', s, o_2)$ where $s_2 \leftarrow M_n^2$, $b' = b$, $s = s_2[b]$, $o_2[0] = m \oplus G(s_2[0])$, $o_2[1] = m \oplus G(s_2[1])$.

Combining SimR with $\mathrm{OT}_l$ results in the ideal system:

IdealR$(m_2, b) = (s, o_2)$ where $s_2 \leftarrow M_n^2$, $o_2[0] = m_2[b] \oplus G(s_2[0])$, $o_2[1] = m_2[b] \oplus G(s_2[1])$, $s = s_2[b]$.

As expected, the two systems IdealR, RealR are indistinguishable for both $b = 0$ and $b = 1$. For example, RealR$(m_2, 0)$ and IdealR$(m_2, 0)$ are equivalent because they are both computationally indistinguishable from the process that chooses $s \leftarrow M_n$ and $c \leftarrow M_l$ at random and sets $o_2 = \langle m_2[0] \oplus G(s), c \rangle$. The case when $b = 1$ is similar. At this point it would be very tempting to conclude that RealR and IdealR are equivalent, but they are not: they can be easily distinguished by an environment that sets $m_2 \neq \bot$ and $b = \bot$. In fact, IdealR$(m_2, \bot) = (\bot, \bot)$, but RealR$(m_2, \bot) = (\bot, o_2)$, where $o_2 \neq \bot$. So, IdealR and RealR are not equivalent, and the simulator SimR is not valid.

Insecurity in general. By generalizing the above idea, we can show that, for any simulator SimR there is an environment Env that can distinguish the two systems RealR and IdealR with nonnegligible probability. We build Env that works in two stages:

Env$_0(s, o_2) = (b, m_2, t)$ where $b = \bot$, $m_2 \leftarrow M_n^2$, $t = (o_2 > \bot)$

Env$_1(s, o_2) = (b, m_2, t)$ where $b \leftarrow \{0, 1\}$, $m_2 \leftarrow M_n^2$, $t = (G(s) \oplus o_2[b] = m_2[b])$

Notice that the output of the ideal system IdealR$(m_2, b) = (s, o_2)$ is defined by $(b', s, o_2) = \mathrm{SimR}(m_2[b'], b)$, where $b'$ is an internal channel. Since $b'$ ranges over a flat CPO, and $m_2[\bot] = \bot$, the value of $b'$ resulting from a least fixed point computation is given by $(b', s, o_2) = \mathrm{SimR}(\bot, b)$. In particular, $b'$ may depend only on the external input $b$. We denote by $\mathrm{SimR}(b)$ the random variable $b'$ computed on input $b$. Let $p = \Pr\{\mathrm{SimR}(\bot) = \bot\}$ and $q = \Pr\{\mathrm{SimR}(\bot, \bot).o_2 = \bot\}$. It is clear that $\Pr\{\mathrm{Env}_i[\mathrm{RealR}] = \top\} = 1$ for all $i \in \{0, 1\}$. For the ideal system, we have

$\Pr\{\mathrm{Env}_0[\mathrm{IdealR}] = \top\} = \Pr\{\mathrm{SimR}(\bot, \bot).o_2 > \bot\}\, p + \Pr\{\mathrm{SimR}(m_2[b'], \bot).o_2 > \bot\}\,(1 - p) = (1 - q)\,p + \Pr\{\mathrm{SimR}(m_2[b'], \bot).o_2 > \bot\}\,(1 - p).$

Since $\Pr\{\mathrm{Env}_0[\mathrm{RealR}] = \top\} = 1$, $\Pr\{\mathrm{Env}_0[\mathrm{IdealR}] = \top\}$ must be overwhelming; and since $\Pr\{\mathrm{SimR}(\bot, \bot).o_2 > \bot\} \le \Pr\{\mathrm{SimR}(m_2[b'], \bot).o_2 > \bot\}$, $p$ must be negligible.
Finally, notice that

$\Pr\{\mathrm{Env}_1[\mathrm{IdealR}] = \top\} = \Pr\{G(s) \oplus o_2[b] = m_2[b] \mid \mathrm{SimR}(\bot) = \bot\}\, p + \Pr\{G(s) \oplus o_2[b] = m_2[b] \mid \mathrm{SimR}(\bot) > \bot\}\,(1 - p).$

If $\mathrm{SimR}(\bot) > \bot$, then $\Pr\{b' = b\} = 1/2$ and so $\Pr\{G(s) \oplus o_2[b] = m_2[b] \mid \mathrm{SimR}(\bot) > \bot\} \le \frac{1}{2}(1 + 2^{-l})$.

This implies that $\Pr\{\mathrm{Env}_1[\mathrm{IdealR}] = \top\} \le \frac{1}{2} + \epsilon$ for some negligible $\epsilon > 0$, and so Env can distinguish the two systems. The discrepancy between the two systems as shown above highlights a subtle timing bug in the protocol: in order to carry out the simulation, the transmission of $i_2$ should be delayed until after the receiver has selected her bit. However, this information is not available to the sender, and fixing the protocol requires revising the definition of OT, as we will do in the next section.

Other communication channels. We conclude this section with a discussion of other possible communication channels and weaker OT variants that leak some information to the environment. For example, one may replace the perfectly secure communication channel $\mathrm{Net}_M$ with an authenticated channel $\mathrm{AuthNet}_M(i, e_i) = (o, e_o)$ that also takes an input $e_i : T$ and provides an output $e_o : M$ to the environment. The environment output $e_o = i$ is used to leak the transmitted message as well as the timing information about when the message is transmitted. The environment input $e_i$ is used to allow the environment to delay the transmission of the message $o = e_i \,!\, i$ to the receiver. Similarly, one may consider the OT variants that leak the input timing information $e_o = (!m_2, !b)$ to the environment, and allow the environment to delay the OT output $m = e_i \,!\, m_2[b]$. This idea is similar to the message header in the UC models proposed in [6, 30]. We remark that none of these modifications affect the analysis presented in this section. In particular, considering a perfectly secure communication channel Net only makes our insecurity result stronger. Also, leaking the signal $!b$ to the environment does not solve the timing bug in the protocol: in order to fix the bug, the sender needs to delay the transmission of $i_2$ until $b > \bot$. So, it is not enough to provide this information to the environment. The timing signal $!b$ needs to be provided as an input to the honest sender.
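The timing bug discussed above, as an added example that is not part of the paper: the Section 3 Sender and an ack-gated Sender' (the fix the next section develops) are modeled as Python functions over partial values, with None standing for ⊥, and composed with the revised OT functionality and a perfect channel. The PRG G (SHA-256 in counter mode), the 16-byte seed length and the sample messages are assumptions of this example.

```python
import hashlib
import os

# Added example, not the paper's code. None plays the role of ⊥ ("no message
# yet"); every function is monotone in its inputs, as in the equational
# framework, and the composed system is evaluated in dependency order.
BOT = None
SEED_LEN = 16  # n, the seed length in bytes (assumption)


def G(seed: bytes, l: int) -> bytes:
    """PRG G : M_n -> M_l, realised as SHA-256 in counter mode (assumption)."""
    out, ctr = b"", 0
    while len(out) < l:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:l]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ot_prime(m2, b):
    """Revised ideal OT' of Fig. 3: (a, m) with a = (b > ⊥) and m = m2[b]."""
    a = b is not BOT
    m = BOT if (b is BOT or m2 is BOT) else m2[b]
    return a, m


def sender(m2, s2, l):
    """Section 3 Sender: i2 = (m2[0] ⊕ G(s2[0]), m2[1] ⊕ G(s2[1])), sent as
    soon as m2 is available, regardless of what the receiver has done."""
    if m2 is BOT:
        return BOT
    return (xor(m2[0], G(s2[0], l)), xor(m2[1], G(s2[1], l)))


def sender_ack(m2, a, s2, l):
    """Ack-gated Sender': the same i2, but guarded by the ack, i2 = a ! i2'."""
    i2 = sender(m2, s2, l)
    return i2 if a else BOT


def receiver(s, o2, b):
    """Receiver: m = o2[b] ⊕ G(s); undefined until all three inputs arrived."""
    if s is BOT or o2 is BOT or b is BOT:
        return BOT
    return xor(o2[b], G(s, len(o2[b])))


def run(m2, b, gated, s2=None):
    """Compose Sender (or Sender'), OT'_n on the seeds, Net_2l and Receiver.
    Returns the corrupted-receiver view (a, s, o2) plus the honest output m."""
    s2 = s2 or (os.urandom(SEED_LEN), os.urandom(SEED_LEN))  # sender's seeds
    l = BOT if m2 is BOT else len(m2[0])
    a, s = ot_prime(s2, b)                      # base OT on the two seeds
    i2 = sender_ack(m2, a, s2, l) if gated else sender(m2, s2, l)
    o2 = i2                                     # Net_2l: o2 = i2
    m = receiver(s, o2, b)
    return a, s, o2, m


if __name__ == "__main__":
    msgs = (os.urandom(32), os.urandom(32))     # constructed sample messages
    for choice in (0, 1):
        assert run(msgs, choice, gated=True)[3] == msgs[choice]
    # With b = ⊥ the Section 3 sender has already put o2 on the wire, which
    # no simulator talking to OT'(m2, ⊥) = (⊥, ⊥) can reproduce; Sender' has not.
    print("ungated, b=⊥, o2 on wire:", run(msgs, BOT, gated=False)[2] is not BOT)
    print("gated,   b=⊥, o2 on wire:", run(msgs, BOT, gated=True)[2] is not BOT)
```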
4 OT Length Extension

We have seen that the standard OT definition is inadequate even to model and analyze a simple OT length-extension protocol. In Fig. 3 we provide a revised definition of oblivious transfer that includes an acknowledgment informing the sender of when the receiver has provided her selection bit.

$\mathrm{OT}'_M(m_2, b) = (a, m)$ where $m = m_2[b]$ and $a = (b > \bot)$.

Figure 3: A revised OT functionality.

We use this revised definition to build and analyze a secure OT length-extension protocol, similar to the one described in the previous section. The OT length extension uses the same Receiver program as defined in Section 3, but modifies Sender by using the signal $a$ to delay the transmission of the message $i_2$. The new Sender also forwards the signal $a$ to the environment to match the new OT definition:

Sender$'(m_2, a) = (a', s_2, i_2)$ where $(s_2, i_2') = \mathrm{Sender}(m_2)$, $a' = a$, $i_2 = a \,!\, i_2'$.

The Sender$'$ and Receiver programs are interconnected using $\mathrm{OT}'_n$ and $\mathrm{Net}_{2l}$ as shown in Fig. 4. As in the previous section, it is easy to check that the protocol is correct, i.e., combining and simplifying all the

[Figure 4: Sender$'$ (inputs $m_2$, $a$; outputs $a$, $s_2$, $i_2$), $\mathrm{OT}'_n$, $\mathrm{Net}_{2l}$ (output $o_2$) and Receiver; Real$(m_2, b) = (a, m)$.]

Figure 4: A normal execution of the OT Length Extension protocol.

equations from the real system in Fig. 4 produces a set of equations identical to the revised definition of the ideal functionality $\mathrm{OT}'(m_2, b) = (a, m)$. Security when the sender is corrupted is also similar to before. The real and ideal systems in this case are given by

[Diagram: RealS$(s_2, i_2, b) = (m, a)$ connects $\mathrm{OT}'_n$, $\mathrm{Net}_{2l}$ and Receiver; IdealS$(s_2, i_2, b) = (m, a)$ connects SimS$'$ to $\mathrm{OT}'_l$.]

We see that this time SimS$'$ has an additional input $a'$ and output $a$. We adapt the simulator from the previous section simply by adding an equation that forwards the $a$ signal from $\mathrm{OT}'$ to the external environment:

SimS$'(s_2, i_2, a') = (a, m_2)$ where $m_2 = \mathrm{SimS}(s_2, i_2)$ and $a = a'$.

RealS$(s_2, i_2, b)$ and IdealS$(s_2, i_2, b)$ are equivalent because they both output $m = o_2[b] \oplus G(s_2[b])$ and $a = (b > \bot)$. So, the protocol is still perfectly secure against corrupted senders according to the revised OT definition.

We now go back to the analysis of security against corrupted receivers. The real and ideal systems are:

[Diagram: RealR$(m_2, b) = (a, s, o_2)$ connects Sender$'$, $\mathrm{OT}'_n$ and $\mathrm{Net}_{2l}$; IdealR$(m_2, b) = (a, s, o_2)$ connects SimR to $\mathrm{OT}'_l$.]

No change to the simulator is required: we use exactly the same candidate simulator SimR as defined in Section 3. Combining and simplifying the equations gives the following real and ideal systems:

RealR$(m_2, b) = (a, s, o_2)$ where $s_2 \leftarrow M_n^2$, $c_0 = m_2[0] \oplus G(s_2[0])$, $c_1 = m_2[1] \oplus G(s_2[1])$, $o_2 = b \,!\, \langle c_0, c_1 \rangle$, $s = s_2[b]$, $a = (b > \bot)$.

IdealR$(m_2, b) = (a, s, o_2)$ where $s_2 \leftarrow M_n^2$, $c_0 = m_2[b] \oplus G(s_2[0])$, $c_1 = m_2[b] \oplus G(s_2[1])$, $o_2 = \langle c_0, c_1 \rangle$, $s = s_2[b]$, $a = (b > \bot)$.

Now, when $b = \bot$, we have RealR$(m_2, \bot)$ = IdealR$(m_2, \bot) = (\bot, \bot, \bot)$. So, no adversary can distinguish the two systems by not setting $b$. On the other hand, when $b \neq \bot$, RealR and IdealR are identical to the real and ideal systems from the previous section, augmented with the auxiliary output $a = (b > \bot) = \top$. As we already observed in Section 3, these two distributions are computationally indistinguishable, proving that the length extension protocol is secure against corrupted receivers.

5 The OT protocol of Chou and Orlandi

In this section we consider the OT protocol proposed by Chou and Orlandi in [10]. In the original paper, this is described as a protocol to execute $l$ instances of 1-out-of-$m$ OT, in parallel, i.e., the sender provides an $l$-dimensional vector of $m$-tuples of messages, and the receiver (non-adaptively) selects one message from each tuple. For simplicity, we consider the most basic case where $l = 1$ and $m = 2$, i.e., a single OT execution of a basic OT protocol as defined in the previous sections. This is without loss of generality because our results are ultimately negative. So, fixing $l = 1$ and $m = 2$ only makes our results stronger. Our goal is to show that this protocol is not provably secure in the equational framework according to a fully asynchronous simulation-based security definition. In order to formally analyze security, we begin by giving a mathematical description of the protocol and model of [10] using the equational framework.

The Random Oracle model. The protocol of [10] is designed and analyzed in the random oracle model [3]. So, both parties have access to an ideal functionality RO implementing a random function with appropriately chosen domain $Q$ and range $K$. Queries from the sender and receiver are answered consistently, and, in general, RO can receive multiple (adaptively chosen) queries from both parties.
Formally, the random oracle is modeled by the following functionality, where $f^*(x_1, x_2, \ldots) = (f(x_1), f(x_2), \ldots)$ is the standard extension of $f$ to sequences:

$\mathrm{RO}_{Q,K}(qs, qr) = (ks, kr)$ where $qs, qr : Q^*$, $ks, kr : K^*$, $f \leftarrow [Q \to K]$, $ks = f^*(qs)$, $kr = f^*(qr)$.

The random oracle starts by picking a function $f : Q \to K$ uniformly at random, and then it uses $f$ to answer any sequence of queries $qs, qr \in Q^*$ from each party. We give separate channels to access RO to the sender ($qs$) and receiver ($qr$) to model the fact that random oracle queries are implemented as local computations, and each party is not aware of if/when other players access the oracle. The Sender and Receiver programs from the protocol of [10] only make a small number of queries (two and one respectively). Moreover, the two sender queries are chosen simultaneously, non-adaptively. So, for simplicity, we restrict $\mathrm{RO}(q_2, q) = (k_2, k)$ to an oracle that receives just a pair of queries $q_2 = \langle q_0, q_1 \rangle \in Q^2$ from the sender and one query $q \in Q$ from the receiver. We remark that in order to prove security, one should consider an arbitrary (still polynomial) number of (sequential, adaptively chosen) queries to model the adversary/environment

ability to compute the RO function locally an arbitrary number of times.^7 However, since our results are negative, fixing the number of queries only makes our result stronger: we show that the protocol is not provably secure even against the restricted class of adversaries that make only this very limited number of random oracle queries.

It has been observed, for example in [8], that a protocol analyzed stand-alone in the traditional random oracle model might lose its security when composed with other instances of protocols in the same random oracle model: either each instance uses an independent random oracle, so that the real composed system cannot assume a single hash function, or the composed system suffers from transferability attacks. A modified notion called global random oracle was proposed in [8] to allow a composed system to achieve UC security when all protocols can access a single global random oracle. With respect to this issue, the OT protocol of [10] cannot be claimed UC secure, and it should be re-defined in the global random oracle model or an equivalent notion. However, this issue is independent of the negative result we are going to present. Since our motivation is to illustrate the use of the equational framework, for simplicity, we still consider the traditional random oracle model as used in [10].

The protocol. In order to facilitate a comparison with the original paper, we use as far as possible the same notation as [10]. Let $G = \langle B \rangle$ be a group generated by an element $B$ of prime order $p$. Following [10], we use additive group notation, so that the group elements are written as $xB$ for $x = 0, \ldots, p - 1$.^8 In [10] it is assumed that group elements have unique, canonical representations (which allows for equality testing), and group membership can be efficiently checked.
Here, for simplicity, we assume that all messages representing group elements are syntactically valid, i.e., whenever a program expects a group element from $G$ as input, it will always receive the valid representation of such a group element (or $\bot$ if no message has been sent), even when this value is adversarially chosen. This is easily enforced by testing for group membership, and mapping invalid strings to some standard element, e.g., the group generator $B$. The protocol uses a random oracle $\mathrm{RO}(q_2, q) = (k_2, k)$ for functions with domain $Q = G^2 \times G$ and range $K = \{0, 1\}^n$, which receives two (parallel) queries $q_2 = \langle q_0, q_1 \rangle \in Q^2$ from the sender and one query $q \in Q$ from the receiver. The protocol also uses a symmetric encryption scheme $(E, D)$, with the same message space $M_n$ as the OT functionality, and key and ciphertext space $K_n = \{0, 1\}^n$ equal to the range of the random oracle. In addition, the scheme is assumed to satisfy the following properties:

1. Non-committing: There exist PPT $S_1, S_2$ such that, for all $m \in M_n$, the following distributions are identical:^9 $\{(e, k) : k \leftarrow K,\ e \leftarrow E(k, m)\}$ and $\{(e, k) : e \leftarrow S_1,\ k \leftarrow S_2(e, m)\}$.

2. Robustness: Let $S$ be a set of keys chosen independently and uniformly at random from $K_n$. For any PPT algorithm $A$, if $e \leftarrow A(S)$, then the set $V_{S,e} = \{k \in S \mid D(k, e) \neq \bot\}$ of keys under which $e$ can be successfully decrypted has size at most 1 with overwhelming probability (over the choice of $S$ and the randomness of $A$).

A simple encryption scheme satisfying these properties is given by $E(m, k) = (m, 0^n) \oplus k$, i.e., padding the message with a string of zeros for redundancy, and masking the result with a one-time pad. The protocol of [10] can be described by the equations in Fig. 5, and its execution is depicted in Fig. 6. We briefly explain the normal protocol execution: Sender first samples a random group element $X$ and sends

^7 This can be modeled by letting $qs$ and $qr$ range over the set of sequences of queries $Q^*$, partially ordered according to the prefix ordering relation.
^8 Chou and Orlandi use additive notation to match their efficient implementation based on elliptic curve groups. Here we are not concerned with any specific implementation, but retain the additive notation to match [10] and facilitate the comparison with the original protocol description.
^9 In fact, computational indistinguishability is enough, but it is easy to achieve perfect security.

it to Receiver; once it receives $Y$ from Receiver, it submits a pair of queries $q_2$ to RO; and once it receives random keys $k_2$ from RO, it encrypts the messages $m$ under the keys $k_2$, and it sends the ciphertext pair $c_2$ to Receiver. On the other hand, Receiver first samples a random group element $yB$, and upon receiving $X$ from Sender it computes $Y = bX + yB$ and sends it to Sender; it then submits a query $q$ to RO, and once the random key $k$ and the ciphertexts $c_2$ are all received, it decrypts $c_2[b]$ using $k$ to get the desired message.

Sender$(m, k_2, Y) = (q_2, X, c_2)$ where $x \leftarrow \mathbb{Z}_p$, $X = xB$, $q_2[0] = ((X, Y), xY)$, $q_2[1] = ((X, Y), xY - xX)$, $c_2[0] \leftarrow E(k_2[0], m[0])$, $c_2[1] \leftarrow E(k_2[1], m[1])$.

Receiver$(k, X, c_2, b) = (q, Y, m)$ where $y \leftarrow \mathbb{Z}_p$, $Y = bX + yB$, $q = ((X, Y), yX)$, $m = D(k, c_2[b])$.

Figure 5: The OT protocol of Chou and Orlandi.

[Figure 6: Sender and Receiver exchange $X$, $Y$ and $c_2$; Sender queries RO with $q_2$ and receives $k_2$, Receiver queries RO with $q$ and receives $k$.]

Figure 6: A normal execution of the OT protocol of Chou and Orlandi.

In the following subsections, we show that this protocol is insecure, both according to the classic OT definition given in Fig. 1, and according to our revised OT definition of Fig. 3 that includes the signal $a = (b > \bot)$ to the sender. Specifically, first, in Subsections 5.1 and 5.2 we show that if the definition from Fig. 1 is used, then the protocol is insecure against corrupted senders and corrupted receivers. The sender insecurity is for reasons very similar to those leading to the failure of simulation in Section 3. Unlike the case of OT length extension, when considering the revised OT definition and modifying the sender program accordingly, we show in Subsection 5.3 that the modified protocol is still insecure against corrupted senders and corrupted receivers.

5.1 Corrupted sender

We begin our analysis of the OT protocol with respect to the standard OT functionality, and we first consider the case when the sender is corrupted. The corresponding real and ideal systems are shown in the following diagrams:

[Diagram: RealS$(q_2, X, c_2, b) = (k_2, Y, m)$ connects RO and Receiver; IdealS$(q_2, X, c_2, b) = (k_2, Y, m)$ connects SimS to OT.]

For the protocol to be secure, the two systems should be computationally indistinguishable (for some simulator program SimS). Just like the case of OT length extension, there exists an environment that can distinguish the two systems. We now describe an environment Env that works in two stages Env$_0$ and Env$_1$, and show that for any SimS, at least one of Env$_0$ and Env$_1$ distinguishes the real and ideal systems with nonnegligible advantage. We recall that a distinguishing environment connects to all input and output channels of the system, and produces one external output $t \in \{\bot, \top\}$. The distinguishing advantage of Env$_i$ is given by $\mathrm{Adv}[\mathrm{Env}_i] = |\Pr\{\mathrm{Env}_i[\mathrm{RealS}] = \top\} - \Pr\{\mathrm{Env}_i[\mathrm{IdealS}] = \top\}|$. The two stages of the distinguisher work as follows:

Env$_0(k_2, Y, m) = (q_2, X, c_2, b, t)$ sets $q_2 = \bot$, $X = B$, $c_2 = \bot$ and $b = \bot$, and outputs $t = (Y > \bot)$.

Env$_1(k_2, Y, m) = (q_2, X, c_2, b, t)$ sets $q_2 = \bot$, $X = B$, $c_2 = \bot$ and $b = 0$, and outputs $t = (Y > \bot)$.

Notice that the only difference between these two stages is in the value of $b$. Using the equations for the Receiver, we see that in the real system $Y > \bot$ if and only if $b > \bot$. In particular, we have $\Pr\{\mathrm{Env}_0[\mathrm{RealS}] = \top\} = 0$ and $\Pr\{\mathrm{Env}_1[\mathrm{RealS}] = \top\} = 1$. On the other hand, we have

$\Pr\{\mathrm{Env}_0[\mathrm{IdealS}] = \top\} = \Pr\{\mathrm{Env}_1[\mathrm{IdealS}] = \top\}$ (4)

because when interacting with IdealS, the output value $t$ is independent of $b$. So, if we let $p$ be the probability in (4), the two stages of Env have advantage $\mathrm{Adv}[\mathrm{Env}_0] = p$ and $\mathrm{Adv}[\mathrm{Env}_1] = 1 - p$. It follows that either Env$_0$ or Env$_1$ has distinguishing advantage at least $1/2$. Intuitively, this environment can distinguish the real and the ideal systems because a corrupted sender (interacting with the real system RealS) learns when the receiver sets $b > \bot$ by observing the incoming message $Y > \bot$, but in the ideal system this timing information is not passed to the simulator.
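The protocol of Fig. 5 with the padded one-time-pad scheme E(m, k) = (m, 0^n) ⊕ k, as an added example that is neither the paper's nor Chou and Orlandi's code: it runs one normal execution (Fig. 6) and checks that the receiver's key opens exactly one of the two ciphertexts, which is the robustness property above. The group is a toy prime-order subgroup of Z_59^* written in the paper's additive notation, and the random oracle is SHA-256 over a toy encoding; both are assumptions of this example.

```python
import hashlib
import secrets

# Added example, not from [10] or the paper. Toy group: the subgroup of
# Z_59^* of prime order 29 generated by 4 (59 = 2*29 + 1). The additive
# notation of [10] (xB, X + Y, X - Y) is realised below by exponentiation,
# multiplication and division mod P. Not a secure parameter choice.
P, Q, B = 59, 29, 4
N = 16  # message length n in bytes; RO range and keys are 2n = 32 bytes


def scalar_mul(x: int, X: int) -> int:
    """xX in additive notation: X^x mod P (0X is the identity)."""
    return pow(X, x, P)


def add(X: int, Y: int) -> int:
    """X + Y in additive notation: X*Y mod P."""
    return (X * Y) % P


def sub(X: int, Y: int) -> int:
    """X - Y in additive notation: X * Y^{-1} mod P."""
    return (X * pow(Y, -1, P)) % P


def ro(X: int, Y: int, Z: int) -> bytes:
    """Random oracle on Q = G^2 x G with range {0,1}^{2n}: SHA-256 over a
    toy one-byte-per-element encoding (assumption; elements are < 59)."""
    return hashlib.sha256(bytes([X, Y, Z])).digest()


def E(m: bytes, k: bytes) -> bytes:
    """E(m, k) = (m, 0^n) ⊕ k: the zero padding is the redundancy that makes
    decryption under a wrong key fail (robustness)."""
    return bytes(a ^ b for a, b in zip(m + bytes(N), k))


def D(k: bytes, c: bytes):
    """Inverse of E; returns ⊥ (None) unless the padding is all zeros."""
    pt = bytes(a ^ b for a, b in zip(c, k))
    return pt[:N] if pt[N:] == bytes(N) else None


def sender_keys(x: int, X: int, Y: int) -> tuple:
    """Sender side of Fig. 5: q2[0] = ((X,Y), xY), q2[1] = ((X,Y), xY - xX),
    and k2[j] = RO(q2[j])."""
    return (ro(X, Y, scalar_mul(x, Y)), ro(X, Y, scalar_mul(x, sub(Y, X))))


def run_ot(m: tuple, b: int):
    """One normal execution of the protocol of Fig. 5 / Fig. 6 on the
    message pair m with selection bit b. Returns (D(k, c2[b]), c2, k)."""
    x = secrets.randbelow(Q)                      # Sender: x <- Z_p
    X = scalar_mul(x, B)                          # X = xB, sent to Receiver
    y = secrets.randbelow(Q)                      # Receiver: y <- Z_p
    Y = add(scalar_mul(b, X), scalar_mul(y, B))   # Y = bX + yB, sent to Sender
    k2 = sender_keys(x, X, Y)                     # Sender's two RO keys
    c2 = (E(m[0], k2[0]), E(m[1], k2[1]))         # ciphertext pair, sent
    k = ro(X, Y, scalar_mul(y, X))                # Receiver: q = ((X,Y), yX)
    return D(k, c2[b]), c2, k


if __name__ == "__main__":
    msgs = (b"left message 000", b"right message 00")  # constructed, 16 bytes
    for choice in (0, 1):
        got, c2, k = run_ot(msgs, choice)
        print(choice, got, "other ciphertext opens:", D(k, c2[1 - choice]))
```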
5.2 Corrupted receiver

We have seen that when using the standard OT definition, the protocol is not secure against corrupted senders. Now we turn to analyzing the protocol against corrupted receivers with respect to the standard OT definition. The real and ideal systems in this case are shown in Fig. 7. Security requires that the real and the ideal systems are indistinguishable for some simulator program SimR. Unfortunately, as we are about to show, no such simulator exists.

Proposition 1. For the OT protocol in Fig. 5, when the receiver is corrupted, for any receiver simulator SimR, there is an environment that distinguishes the two systems with nonnegligible probability.

Proof. We build an environment that works in three stages, denoted by Env$_i$ for $i \in \{0, 1, 2\}$:


More information

13.2 Fully Polynomial Randomized Approximation Scheme for Permanent of Random 0-1 Matrices

13.2 Fully Polynomial Randomized Approximation Scheme for Permanent of Random 0-1 Matrices CS71 Randoness & Coputation Spring 018 Instructor: Alistair Sinclair Lecture 13: February 7 Disclaier: These notes have not been subjected to the usual scrutiny accorded to foral publications. They ay

More information

ESTIMATING AND FORMING CONFIDENCE INTERVALS FOR EXTREMA OF RANDOM POLYNOMIALS. A Thesis. Presented to. The Faculty of the Department of Mathematics

ESTIMATING AND FORMING CONFIDENCE INTERVALS FOR EXTREMA OF RANDOM POLYNOMIALS. A Thesis. Presented to. The Faculty of the Department of Mathematics ESTIMATING AND FORMING CONFIDENCE INTERVALS FOR EXTREMA OF RANDOM POLYNOMIALS A Thesis Presented to The Faculty of the Departent of Matheatics San Jose State University In Partial Fulfillent of the Requireents

More information

arxiv: v1 [math.nt] 14 Sep 2014

arxiv: v1 [math.nt] 14 Sep 2014 ROTATION REMAINDERS P. JAMESON GRABER, WASHINGTON AND LEE UNIVERSITY 08 arxiv:1409.411v1 [ath.nt] 14 Sep 014 Abstract. We study properties of an array of nubers, called the triangle, in which each row

More information

EQUIVALENT CIRCUIT MODEL OF SEMICONDUCTOR LASERS TAKING ACCOUNT OF GAIN SUPPRESSION

EQUIVALENT CIRCUIT MODEL OF SEMICONDUCTOR LASERS TAKING ACCOUNT OF GAIN SUPPRESSION EQUIVALENT CIRCUIT MODEL OF SEMICONDUCTOR LASERS TAKING ACCOUNT OF GAIN SUPPRESSION Kaiz Aedi and Mohsen Khanzadeh Departent of Electrical Engineering, Faculty of Electrical and Coputer Engineering, Shahid

More information

Fair Coin Flipping: Tighter Analysis and the Many-Party Case

Fair Coin Flipping: Tighter Analysis and the Many-Party Case Fair Coin Flipping: Tighter Analysis and the Many-Party Case Niv Buchbinder Iftach Haitner Nissan Levi Eliad Tsfadia Abstract In a ulti-party fair coin-flipping protocol, the parties output a coon (close

More information

Selfish Traffic Allocation for Server Farms

Selfish Traffic Allocation for Server Farms Selfish Traffic Allocation for Server Fars Artur Czua Departent of Coputer Science New Jersey Institute of Technology czua@cis.nit.edu Piotr Krysta Max-Planck-Institut für Inforatik Saarrücken, Gerany

More information

arxiv: v1 [cs.ds] 17 Mar 2016

arxiv: v1 [cs.ds] 17 Mar 2016 Tight Bounds for Single-Pass Streaing Coplexity of the Set Cover Proble Sepehr Assadi Sanjeev Khanna Yang Li Abstract arxiv:1603.05715v1 [cs.ds] 17 Mar 2016 We resolve the space coplexity of single-pass

More information

Reduced Length Checking Sequences

Reduced Length Checking Sequences Reduced Length Checing Sequences Robert M. Hierons 1 and Hasan Ural 2 1 Departent of Inforation Systes and Coputing, Brunel University, Middlesex, UB8 3PH, United Kingdo 2 School of Inforation echnology

More information

A note on the multiplication of sparse matrices

A note on the multiplication of sparse matrices Cent. Eur. J. Cop. Sci. 41) 2014 1-11 DOI: 10.2478/s13537-014-0201-x Central European Journal of Coputer Science A note on the ultiplication of sparse atrices Research Article Keivan Borna 12, Sohrab Aboozarkhani

More information

Computational and Statistical Learning Theory

Computational and Statistical Learning Theory Coputational and Statistical Learning Theory Proble sets 5 and 6 Due: Noveber th Please send your solutions to learning-subissions@ttic.edu Notations/Definitions Recall the definition of saple based Radeacher

More information

A Low-Complexity Congestion Control and Scheduling Algorithm for Multihop Wireless Networks with Order-Optimal Per-Flow Delay

A Low-Complexity Congestion Control and Scheduling Algorithm for Multihop Wireless Networks with Order-Optimal Per-Flow Delay A Low-Coplexity Congestion Control and Scheduling Algorith for Multihop Wireless Networks with Order-Optial Per-Flow Delay Po-Kai Huang, Xiaojun Lin, and Chih-Chun Wang School of Electrical and Coputer

More information

Fairness via priority scheduling

Fairness via priority scheduling Fairness via priority scheduling Veeraruna Kavitha, N Heachandra and Debayan Das IEOR, IIT Bobay, Mubai, 400076, India vavitha,nh,debayan}@iitbacin Abstract In the context of ulti-agent resource allocation

More information

This model assumes that the probability of a gap has size i is proportional to 1/i. i.e., i log m e. j=1. E[gap size] = i P r(i) = N f t.

This model assumes that the probability of a gap has size i is proportional to 1/i. i.e., i log m e. j=1. E[gap size] = i P r(i) = N f t. CS 493: Algoriths for Massive Data Sets Feb 2, 2002 Local Models, Bloo Filter Scribe: Qin Lv Local Models In global odels, every inverted file entry is copressed with the sae odel. This work wells when

More information

COS 424: Interacting with Data. Written Exercises

COS 424: Interacting with Data. Written Exercises COS 424: Interacting with Data Hoework #4 Spring 2007 Regression Due: Wednesday, April 18 Written Exercises See the course website for iportant inforation about collaboration and late policies, as well

More information

On the Communication Complexity of Lipschitzian Optimization for the Coordinated Model of Computation

On the Communication Complexity of Lipschitzian Optimization for the Coordinated Model of Computation journal of coplexity 6, 459473 (2000) doi:0.006jco.2000.0544, available online at http:www.idealibrary.co on On the Counication Coplexity of Lipschitzian Optiization for the Coordinated Model of Coputation

More information

Birthday Paradox Calculations and Approximation

Birthday Paradox Calculations and Approximation Birthday Paradox Calculations and Approxiation Joshua E. Hill InfoGard Laboratories -March- v. Birthday Proble In the birthday proble, we have a group of n randoly selected people. If we assue that birthdays

More information

Extension of CSRSM for the Parametric Study of the Face Stability of Pressurized Tunnels

Extension of CSRSM for the Parametric Study of the Face Stability of Pressurized Tunnels Extension of CSRSM for the Paraetric Study of the Face Stability of Pressurized Tunnels Guilhe Mollon 1, Daniel Dias 2, and Abdul-Haid Soubra 3, M.ASCE 1 LGCIE, INSA Lyon, Université de Lyon, Doaine scientifique

More information

Generalized Queries on Probabilistic Context-Free Grammars

Generalized Queries on Probabilistic Context-Free Grammars IEEE TRANSACTIONS ON PATTERN ANALYSIS AND MACHINE INTELLIGENCE, VOL. 20, NO. 1, JANUARY 1998 1 Generalized Queries on Probabilistic Context-Free Graars David V. Pynadath and Michael P. Wellan Abstract

More information

Low complexity bit parallel multiplier for GF(2 m ) generated by equally-spaced trinomials

Low complexity bit parallel multiplier for GF(2 m ) generated by equally-spaced trinomials Inforation Processing Letters 107 008 11 15 www.elsevier.co/locate/ipl Low coplexity bit parallel ultiplier for GF generated by equally-spaced trinoials Haibin Shen a,, Yier Jin a,b a Institute of VLSI

More information

The Bitcoin Backbone Protocol with Chains of Variable Difficulty

The Bitcoin Backbone Protocol with Chains of Variable Difficulty The Bitcoin Backbone Protocol with Chains of Variable Difficulty Juan A. Garay Yahoo Research garay@yahoo-inc.co Aggelos Kiayias University of Edinburgh & IOHK akiayias@inf.ed.ac.uk Noveber 7, 2016 Nikos

More information

The accelerated expansion of the universe is explained by quantum field theory.

The accelerated expansion of the universe is explained by quantum field theory. The accelerated expansion of the universe is explained by quantu field theory. Abstract. Forulas describing interactions, in fact, use the liiting speed of inforation transfer, and not the speed of light.

More information

16 Independence Definitions Potential Pitfall Alternative Formulation. mcs-ftl 2010/9/8 0:40 page 431 #437

16 Independence Definitions Potential Pitfall Alternative Formulation. mcs-ftl 2010/9/8 0:40 page 431 #437 cs-ftl 010/9/8 0:40 page 431 #437 16 Independence 16.1 efinitions Suppose that we flip two fair coins siultaneously on opposite sides of a roo. Intuitively, the way one coin lands does not affect the way

More information

Using EM To Estimate A Probablity Density With A Mixture Of Gaussians

Using EM To Estimate A Probablity Density With A Mixture Of Gaussians Using EM To Estiate A Probablity Density With A Mixture Of Gaussians Aaron A. D Souza adsouza@usc.edu Introduction The proble we are trying to address in this note is siple. Given a set of data points

More information

Probability Distributions

Probability Distributions Probability Distributions In Chapter, we ephasized the central role played by probability theory in the solution of pattern recognition probles. We turn now to an exploration of soe particular exaples

More information

rbridge: User Reputation based Tor Bridge Distribution with Privacy Preservation

rbridge: User Reputation based Tor Bridge Distribution with Privacy Preservation rbridge: User Reputation ased Tor Bridge Distriution with Privacy Preservation Qiyan Wang Departent of Coputer Science University of Illinois at Urana-Chapaign qwang26@illinois.edu Nikita Borisov Departent

More information

Figure 1: Equivalent electric (RC) circuit of a neurons membrane

Figure 1: Equivalent electric (RC) circuit of a neurons membrane Exercise: Leaky integrate and fire odel of neural spike generation This exercise investigates a siplified odel of how neurons spike in response to current inputs, one of the ost fundaental properties of

More information

Math Reviews classifications (2000): Primary 54F05; Secondary 54D20, 54D65

Math Reviews classifications (2000): Primary 54F05; Secondary 54D20, 54D65 The Monotone Lindelöf Property and Separability in Ordered Spaces by H. Bennett, Texas Tech University, Lubbock, TX 79409 D. Lutzer, College of Willia and Mary, Williasburg, VA 23187-8795 M. Matveev, Irvine,

More information

Refining UML interactions with underspecification and nondeterminism. Ragnhild Kobro Runde, Øystein Haugen, Ketil Stølen

Refining UML interactions with underspecification and nondeterminism. Ragnhild Kobro Runde, Øystein Haugen, Ketil Stølen University of Oslo Departent of Inforatics Refining UML interactions with underspecification and nondeterinis Ragnhild Kobro Runde, Øystein Haugen, Ketil Stølen Research Report 325 ISBN 82-7368-278-1 ISSN

More information

BUCKLING OF WING SPARS UNDER COMBINED LOADING

BUCKLING OF WING SPARS UNDER COMBINED LOADING 5 TH INTERNATIONAL CONGRESS OF THE AERONAUTICAL SCIENCES BUCLING OF WING SPARS UNDER COMBINED LOADING David ennedy*, Dharesh C. Patel*, Carol A. Featherston* *Cardiff School of Engineering, Cardiff University,

More information

Intelligent Systems: Reasoning and Recognition. Perceptrons and Support Vector Machines

Intelligent Systems: Reasoning and Recognition. Perceptrons and Support Vector Machines Intelligent Systes: Reasoning and Recognition Jaes L. Crowley osig 1 Winter Seester 2018 Lesson 6 27 February 2018 Outline Perceptrons and Support Vector achines Notation...2 Linear odels...3 Lines, Planes

More information

Distributed Subgradient Methods for Multi-agent Optimization

Distributed Subgradient Methods for Multi-agent Optimization 1 Distributed Subgradient Methods for Multi-agent Optiization Angelia Nedić and Asuan Ozdaglar October 29, 2007 Abstract We study a distributed coputation odel for optiizing a su of convex objective functions

More information

On Process Complexity

On Process Complexity On Process Coplexity Ada R. Day School of Matheatics, Statistics and Coputer Science, Victoria University of Wellington, PO Box 600, Wellington 6140, New Zealand, Eail: ada.day@cs.vuw.ac.nz Abstract Process

More information

Estimating Parameters for a Gaussian pdf

Estimating Parameters for a Gaussian pdf Pattern Recognition and achine Learning Jaes L. Crowley ENSIAG 3 IS First Seester 00/0 Lesson 5 7 Noveber 00 Contents Estiating Paraeters for a Gaussian pdf Notation... The Pattern Recognition Proble...3

More information

NUMERICAL MODELLING OF THE TYRE/ROAD CONTACT

NUMERICAL MODELLING OF THE TYRE/ROAD CONTACT NUMERICAL MODELLING OF THE TYRE/ROAD CONTACT PACS REFERENCE: 43.5.LJ Krister Larsson Departent of Applied Acoustics Chalers University of Technology SE-412 96 Sweden Tel: +46 ()31 772 22 Fax: +46 ()31

More information

Bootstrapping Dependent Data

Bootstrapping Dependent Data Bootstrapping Dependent Data One of the key issues confronting bootstrap resapling approxiations is how to deal with dependent data. Consider a sequence fx t g n t= of dependent rando variables. Clearly

More information

IN modern society that various systems have become more

IN modern society that various systems have become more Developent of Reliability Function in -Coponent Standby Redundant Syste with Priority Based on Maxiu Entropy Principle Ryosuke Hirata, Ikuo Arizono, Ryosuke Toohiro, Satoshi Oigawa, and Yasuhiko Takeoto

More information

Numerical Studies of a Nonlinear Heat Equation with Square Root Reaction Term

Numerical Studies of a Nonlinear Heat Equation with Square Root Reaction Term Nuerical Studies of a Nonlinear Heat Equation with Square Root Reaction Ter Ron Bucire, 1 Karl McMurtry, 1 Ronald E. Micens 2 1 Matheatics Departent, Occidental College, Los Angeles, California 90041 2

More information

Smooth Projective Hashing and Two-Message Oblivious Transfer

Smooth Projective Hashing and Two-Message Oblivious Transfer Smooth Projective Hashing and Two-Message Olivious Transfer Shai Halevi IBM Research Yael Tauman Kalai Microsoft Research Octoer 31, 2010 Astract We present a general framework for constructing two-message

More information

Sharp Time Data Tradeoffs for Linear Inverse Problems

Sharp Time Data Tradeoffs for Linear Inverse Problems Sharp Tie Data Tradeoffs for Linear Inverse Probles Saet Oyak Benjain Recht Mahdi Soltanolkotabi January 016 Abstract In this paper we characterize sharp tie-data tradeoffs for optiization probles used

More information

On Poset Merging. 1 Introduction. Peter Chen Guoli Ding Steve Seiden. Keywords: Merging, Partial Order, Lower Bounds. AMS Classification: 68W40

On Poset Merging. 1 Introduction. Peter Chen Guoli Ding Steve Seiden. Keywords: Merging, Partial Order, Lower Bounds. AMS Classification: 68W40 On Poset Merging Peter Chen Guoli Ding Steve Seiden Abstract We consider the follow poset erging proble: Let X and Y be two subsets of a partially ordered set S. Given coplete inforation about the ordering

More information

1 Rademacher Complexity Bounds

1 Rademacher Complexity Bounds COS 511: Theoretical Machine Learning Lecturer: Rob Schapire Lecture #10 Scribe: Max Goer March 07, 2013 1 Radeacher Coplexity Bounds Recall the following theore fro last lecture: Theore 1. With probability

More information

A Model for the Selection of Internet Service Providers

A Model for the Selection of Internet Service Providers ISSN 0146-4116, Autoatic Control and Coputer Sciences, 2008, Vol. 42, No. 5, pp. 249 254. Allerton Press, Inc., 2008. Original Russian Text I.M. Aliev, 2008, published in Avtoatika i Vychislitel naya Tekhnika,

More information

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.436J/15.085J Fall 2008 Lecture 11 10/15/2008 ABSTRACT INTEGRATION I

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.436J/15.085J Fall 2008 Lecture 11 10/15/2008 ABSTRACT INTEGRATION I MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.436J/15.085J Fall 2008 Lecture 11 10/15/2008 ABSTRACT INTEGRATION I Contents 1. Preliinaries 2. The ain result 3. The Rieann integral 4. The integral of a nonnegative

More information

Generalized NEQ for assessment of ultrasound image quality

Generalized NEQ for assessment of ultrasound image quality Generalized NEQ for assessent of ultrasound iage quality Roger J. Zep *, Craig K. Aey, and Michael F. Insana Departent of Bioedical Engineering, University of California, Davis, 9566 ABSTRACT An inforation-theoretic

More information

Iterative Decoding of LDPC Codes over the q-ary Partial Erasure Channel

Iterative Decoding of LDPC Codes over the q-ary Partial Erasure Channel 1 Iterative Decoding of LDPC Codes over the q-ary Partial Erasure Channel Rai Cohen, Graduate Student eber, IEEE, and Yuval Cassuto, Senior eber, IEEE arxiv:1510.05311v2 [cs.it] 24 ay 2016 Abstract In

More information

1 Generalization bounds based on Rademacher complexity

1 Generalization bounds based on Rademacher complexity COS 5: Theoretical Machine Learning Lecturer: Rob Schapire Lecture #0 Scribe: Suqi Liu March 07, 08 Last tie we started proving this very general result about how quickly the epirical average converges

More information

Using a De-Convolution Window for Operating Modal Analysis

Using a De-Convolution Window for Operating Modal Analysis Using a De-Convolution Window for Operating Modal Analysis Brian Schwarz Vibrant Technology, Inc. Scotts Valley, CA Mark Richardson Vibrant Technology, Inc. Scotts Valley, CA Abstract Operating Modal Analysis

More information

Generalized Alignment Chain: Improved Converse Results for Index Coding

Generalized Alignment Chain: Improved Converse Results for Index Coding Generalized Alignent Chain: Iproved Converse Results for Index Coding Yucheng Liu and Parastoo Sadeghi Research School of Electrical, Energy and Materials Engineering Australian National University, Canberra,

More information

Understanding Machine Learning Solution Manual

Understanding Machine Learning Solution Manual Understanding Machine Learning Solution Manual Written by Alon Gonen Edited by Dana Rubinstein Noveber 17, 2014 2 Gentle Start 1. Given S = ((x i, y i )), define the ultivariate polynoial p S (x) = i []:y

More information

Least Squares Fitting of Data

Least Squares Fitting of Data Least Squares Fitting of Data David Eberly, Geoetric Tools, Redond WA 98052 https://www.geoetrictools.co/ This work is licensed under the Creative Coons Attribution 4.0 International License. To view a

More information

Kinematics and dynamics, a computational approach

Kinematics and dynamics, a computational approach Kineatics and dynaics, a coputational approach We begin the discussion of nuerical approaches to echanics with the definition for the velocity r r ( t t) r ( t) v( t) li li or r( t t) r( t) v( t) t for

More information

1 Proof of learning bounds

1 Proof of learning bounds COS 511: Theoretical Machine Learning Lecturer: Rob Schapire Lecture #4 Scribe: Akshay Mittal February 13, 2013 1 Proof of learning bounds For intuition of the following theore, suppose there exists a

More information

Causal closure for MSC languages

Causal closure for MSC languages FSTTCS 2006, 26th International Conference on Foundations of Software Technology and Theoretical Coputer Science Proceedings: R Raanuja, Sandeep Sen (eds.) Springer Lecture Notes in Coputer Science 3821

More information

Detecting Intrusion Faults in Remotely Controlled Systems

Detecting Intrusion Faults in Remotely Controlled Systems 2009 Aerican Control Conference Hyatt Regency Riverfront, St. Louis, MO, USA June 10-12, 2009 FrB11.3 Detecting Intrusion Faults in Reotely Controlled Systes Salvatore Candido and Seth Hutchinson Abstract

More information

Tight Information-Theoretic Lower Bounds for Welfare Maximization in Combinatorial Auctions

Tight Information-Theoretic Lower Bounds for Welfare Maximization in Combinatorial Auctions Tight Inforation-Theoretic Lower Bounds for Welfare Maxiization in Cobinatorial Auctions Vahab Mirrokni Jan Vondrák Theory Group, Microsoft Dept of Matheatics Research Princeton University Redond, WA 9805

More information

Symbolic Analysis as Universal Tool for Deriving Properties of Non-linear Algorithms Case study of EM Algorithm

Symbolic Analysis as Universal Tool for Deriving Properties of Non-linear Algorithms Case study of EM Algorithm Acta Polytechnica Hungarica Vol., No., 04 Sybolic Analysis as Universal Tool for Deriving Properties of Non-linear Algoriths Case study of EM Algorith Vladiir Mladenović, Miroslav Lutovac, Dana Porrat

More information