Oblivious Transfer using Elliptic Curves

Transcription

1 Oblivious Trasfer usig Elliptic Curves bhishek Parakh Louisiaa State Uiversity, ato Rouge, L May 4, 006 bstract: This paper proposes a algorithm for oblivious trasfer usig elliptic curves lso, we preset its applicatio to chose oe-out-of-two oblivious trasfer Itroductio oblivious trasfer scheme is a protocol i which a seder seds a message to a receiver with some fixed probability betwee 0 ad without the seder kowig whether or ot the receiver received the message The idea was itroduced i 98 by Michael Rabi [], [] Rabi developed a solutio to the problem of mutual exchage of secrets betwee two distrustful parties For example, lice ad ob have secrets S ad S, respectively, which they wish to exchage (S may be the password to a file that ob wats ad vice versa) The problem is to establish a protocol without a trusted third party ad without simultaeous exchage of messages Rabi exploited the fact that a square trasformatio c = m mod, = p q, p ad q are primes, results i two or four messages beig mapped to a sigle cipher Hece, usig Rabi s protocol, lice would covey the factors of (assumig lice is usig e a public key ecryptio method of the form c = m mod, where e is the ecryptio expoet) without kowig for sure whether ob received the factors or ot I other words, ob may or may ot receive the factors, each happeig with probability oehalf I this paper we itroduce a oblivious trasfer protocol usig elliptic curve cryptography (ECC), a fast upcomig competitor agaist RS We use exactly the same set up as described i [] We preset a algorithm that achieves oblivious trasfer betwee two parties usig elliptic curves for ecryptio of their messages Sectio discuses the basics of elliptic curve cryptography Sectio 3 itroduces the key observatio that led to the idea of oblivious trasfer ad Sectio 4 presets our algorithm together with a illustrative example Sectio 5 presets a applicatio of our oblivious trasfer algorithm to chose oe-out-of-two oblivious trasfer

2 asics of elliptic curves elliptic curve used for cryptographic purposes is defied as follows: y = x 3 + ax + b () where a ad b are iteger costats The set of poits E ( a, is a set ( x, y) of all x ad y satisfyig () For a elliptic curve over a fiite field Z p, we use the cubic equatio () i which the variables ad coefficiets all take o values i the set of itegers from 0 ad p, for some prime p, i which calculatios are performed modulo p Thus, we use y 3 mod p = ( x + ax + mod p () for cryptographic applicatios over fiite fields This set of poits is deoted as E p ( a, The order of a poit G = x, y ) o a elliptic curve is defied as the ( smallest positive iteger such that G = 0 Poit G is called the base poit i ( a, ad is picked such that its order is a very large value E p The security of ECC arises from the fact that forq = kp, where Q, P E ( a, ad k < p, it is easy to calculate Q give the values of k ad P, but it is p relatively very hard to determie k give the values of Q ad P stadard elliptic curve trasfer proceeds as follows: the first task i this system is to ecode the plai text message m to be set as a x y poit Pm It is the poit Pm that will be ecrypted as cipher-text ad subsequetly decrypted We caot simply ecode the message as the x or y coordiate at a poit, because ot all such coordiates are i ( a, Each user selects a private key ad geerates a public key E p P = G To ecrypt ad sed a message Pm to, chooses a radom positive iteger k ad produces a cipher-text C cosistig of the pair of poits m C m = { kg ; Pm + kp P has used s public key To decrypt the cipher-text, multiplies the first poit i the pair by s secret key ad subtracts the result from the secod poit: m ( kg) = Pm + k( G) ( kg) Pm P + kp =

3 Note that has masked the message P by addig kp to it Nobody but kows the m value of k, so eve though P is public, obody ca remove the mask kp Reader may refer to [3] for further backgroud o elliptic curve cryptography 3 Key Observatio If we look closely at square trasformatio i [] ad the elliptic curve equatio give by (), we ca rewrite () as y mod p = S (3) where S = ( x 3 + ax + mod p It should be clear to the reader that for every x coordiate there are two possible y coordiates However, ulike i square trasformatio, here either x or y ca be substituted for message, because ot all values of x ad y are permissible i ECC 4 The Proposed lgorithm Our aim is to allow exchage of secret S ad S betwee two parties ad without usig a trusted third party ad without simultaeous exchage Here, we do ot go ito the details of sigig the messages usig ECC ad take it for grated that all the messages are siged oth ad select a commo elliptic curve ( a, This iformatio is public They the decide upo oe x - coordiate Let the two poits correspodig to this x - coordiate be P ad P, whereupo by symmetry P = P The x - coordiate is also public kowledge Sice, ad have ot decided upo which y - coordiate to use, we will deote s choice of poit as P ad s choice as P, such that P = P or P = P E q Similarly, P = P or P = P Eve though the x - coordiate is commo, either party kows what is the fial poit chose by the other because there are two possible y - coordiates to choose from Now, let choose a secret key, which she wishes to use for ecryptio of her messages, with the aim of obliviously coveyig this secret key to lso, we assume that a procedure for mappig of to a poit o elliptic curve has bee predecided We call the poit o our elliptic curve, correspodig to, as Thus, if a perso kows P, he ca deduce from it Similar, arragemet is made o s side too P 3

4 Uder the above assumptios, the oblivious trasfer of secret key proceeds as follows: seds to : P seds to : { ; P ( P ) R R + ; where, is s secret key R is radomly chose poit by, belogig to the group ( a, E q 3 does : [ ( P ) R ( P ) + ] = Q 4 seds to : { ( P ) + Q ; ( R) P 5 does : a ( P ) Q ( P ) + = K ( ) K b R P = Z + + The sequece of steps preseted above achieves our goal of oblivious trasfer The two cases that arise i such a trasfer are P = P ad P P We discuss these two cases below ad show how the algorithm give above achieves our goal The differece betwee the two cases arises from step 3 Hece, we aalyze them step 3 owards Case I: P = P 3 does : [ ( P ) R ( P ) + ] = R 4 sed to : { ( P ) + R ; ( R) P 5 does : a ( P ) R ( P ) + + = R b ( R) P ( R) + = P Case II: P P I this case, we ote that P = P Therefore, the results are as follows: 4

5 3 does : [ ( P ) R ( P ) + ] = [ ( P ) + R ] 4 sed to : { ( P ) + [ ( P ) + R ] ; ( R) P 5 does : a ( P ) + ( P ) + R ] ( P ) b ( R) P ( K ) [ = K + P + Oce the receiver kows P, he ca deduce from it Therefore, this poit forward we refer to P as However, it is to be oted that o matter what calculatios are performed by i step 5, he caot get if P P The problem is equivalet to the discrete log problem i case of P P Sice, P = P with probability oe-half, receives the secret key with probability oe-half Returig to our algorithm, ca verify the value it has obtaied from step 5, whether it is or ot, by doig Z P ad Z P ad checkig if oe of them is equal to P set to it by i the first step I a similar maer, trasfers its secret key to with probability oe-half Oce this trasfer has bee achieved we ca follow similar step proposed i [] i order to prevet cheatig by either of the parties durig exchage of iformatio Here, we preset these steps, adaptig them to suit elliptic curve trasfers We defie the state of kowledge of the secret keys as follows: Z k Μ, = Μ, if if kows ' s secret key does ot kow ' s secret key Similarly, k Μ, = Μ, if if kows ' s secret key does ot kow ' s secret key where Μ is a costat ad Μ is the bit wise complemet of Μ fter the trasfer of keys accordig the algorithm preseted i this paper ad havig defied the state of kowledge of keys as above, 5

6 seds to : k S seds to : k S Note that the above two steps do ot provide either party ay iformatio about other s secret Now, may trasfer its secret to usig a elliptic curve cryptographic trasfer However, will ecode the secret usig its ow secret key ad ot the public key of the other party, as is usually doe i a stadard elliptic curve trasfers; G is the base poit with large order seds to : S G + does (assumig he kows ) : S + G G = S trasfers its secret to i the ext step i a similar maer However, suppose, at the last step were to cheat ad ot pass o his secret S to, the the fact that has cheated implies that has, ie k S = Μ S Thus, ca do Μ S Μ = S ad thus obtai S The probability, whe the protocol is completed, that either oe kows other s secret is oe-quarter Example: Let ad choose a elliptic curve E 3 (9, ) The equatio correspodig 3 to this curve is y mod 3 = ( x + 9x + ) mod 3 Now, both parties decide upo a commo x - coordiate, say 7 The two poits correspodig to this x - coordiate are P = (7, 6) ad P = (7, 7) From properties of elliptic curve, we have P = P Let choose a secret umber = 5 We do ot explore the details of its mappig of to the elliptic curve ad just refer to it as I tur, let chooses a secret umber P = 3 ad a radom poit R = (, ) Now we execute our algorithm by cosiderig the two cases separately: Case: P = (7, 6) ad = (7, 6) P seds to : = 5 (7, 6) = (, 8) P seds to : { P ; ( P ) + R; R = { 3 (7, 6); 3 (, 8) = { (, 0); (, 5); + (, ); (4, 9) 3 (, ) 6

7 3 does: [ ( P ) + R ( P ) ] = Q = 5 [ (, 5) 5 (, 0) ] = 5 [ (, 5) (3, 9) ] = 5[ (, ) ] = (7, 7) 4 seds to : { ( P ) + Q; ( R) = { (3, 9) + (7, 7); = { (5, 9); (, 3) 5 (4, 9) 5 does: a) ( P ) + Q ( P ) = K = ( 5, 9) 3(,8) = ( 5, 9) (3, 9) = (7, 7) ( R) P ( K) = (, 3) 3 (7, 7) + =, 3) = P ( (, 3) Case : P = (7, 6) ad = (7, 7) P seds to : = 5 (7, 6) = (, 8) P seds to : { P ; ( P 3 does: [ ( P ) + R; R = { 3 (7, 7); ) + R ( P ) ] = Q 3 (, 8) = { (, 3); (, 5); 5[ (3, ) ] = (9, 7) + (, ); (4, 9) = 5 [ (, 5) 5 (, 3) ] = 5 [ (, 5) (3, 4) ] = 3 (, ) 4 seds to : { ( P ) + Q; ( R) = { (3, 4) + (9, 7); = { (7, ); (, 3) 5 (4, 9) 7

8 5 does: a) ( P ) + Q ( P ) = K = ( 7, ) 3(,8) = ( 7, ) (3, 9) = (, ) ( R) P ( K) = (, 3) 3 (, ) + =, 3) P ( (4, 4) The above example makes the workig of our algorithm clear 5 Chose oe-out-of-two oblivious trasfer The chose oe-out-of-two oblivious trasfer, - OT for short, is a importat applicatio of the basic oblivious trasfer protocol I this trasfer, the seder seds two secrets ad s ad the receiver s iput is choice bit c ; the latter the lears s but s0 gets o iformatio about other secret s c This trasfer has bee implemeted usig expoetiatios Here we show that the oeout-of-two oblivious trasfer ca be implemeted usig the algorithm we preseted We assume that both parties are willig to take part i the protocol hoestly, ie is willig to disclose oe out of two secrets that it has to, but does ot wat to kow which oe secret it wats to kow lso, should lear oly the oe secret it wats to kow ad othig about the other is said to have two secrets ad s, associates two differet secret keys with each s0 of them These secret keys will be used to ecrypt s0 ad s whe trasferrig them to must be able to retrieve oly oe of these two secrets ad should ot come to kow, what has extracted Let associate keys with ad with s for ecryptio Now, s task is to retrieve oe of these two keys, ie retrieve if it wats to kow ad retrieve if s it wats to kow, i such a maer that should ot come to kow which key retrieved ad should ot gai ay iformatio about the other key associated with the other secret 0 s0 0 s0 c 8

9 x P = P s0 Recall, from the previous sectio that every - coordiate yields two poits ad P such that P declares that it is associatig secret with poit P ad secret s with poit P The trasfer of secret the proceeds as follows: seds to : { ; P seds to : { ; P 3 does : 0 P 0 [ ( P ) R ( P ) 0 0 ( P ) R 0 + ; ( P ) + R + ] = ; [ ( P ) R ( P ) 4 seds to : { P ; H + ] = H 0 ( ) + H 0 ( R) ; ( ) 0 P H ; R ( ) + ; R Note: ad is the mappig of secret keys ad to poits o the elliptic curve P 0 P 0 must have chose P i the secod step such that P = P if wats secret s 0 ad P = P if wats secret s Therefore after step 4, picks up oly oe of the two pairs of poits set to it by which will yield it the secret key it wats For example, if has chose P = P the the first pair of poits i step 4, ie { 0 ( P ) H ; R, will yield 0 i the followig maer : + ( ) 0 5 does : 0 a) 0 ( P ) + H ( 0P ) = H = 0R ( R) ( R) = P 0 From, ca easily calculate The secod pair of poits will ot yield ay key 0 Thus, ca get oly oe of the two secret keys ad remais oblivious to the fact that which of the two keys did retrieve P 0 Now, may sed both the secrets to i the followig maer: seds to : { Ps + 0 0G ; Ps G +, where Ps0 is the mappig of secret s0 to the elliptic curve 9

10 will be able to retrieve oly Ps0 i our example because it has oly 0 ad hece obtai It will ot be able to get ay iformatio from the secod half of the message s 0 s about secret does ot kow which of the two secrets did obtai We have achieved our goal of chose oe-out-of-two oblivious trasfers 6 Coclusios I this paper we have itroduced the idea of oblivious trasfer to elliptic curves ad preseted a algorithm for its implemetatio lso, we have show how it ca be applied to the traditioal problem of - OT The algorithm preseted here may be expressed i differet variats The key cotributio is the itroductio of oblivious trasfer to ECC The oe-out-of-two oblivious trasfer may be further modified i order to obtai -out-of- oblivious trasfer 7 Refereces MO Rabi Digitalized sigatures ad public-key fuctios as itractable as factorizatio MIT/LCS/TR-, MIT Laboratory for Computer Sciece, 979 M O Rabi How to exchage secrets by oblivious trasfer Techical Report TR-8, ike Computatio Laboratory, Harvard Uiversity, 98 3 Ege, Elliptic Curves ad their pplicatios to Cryptography Kluwer cademic, osto, 999 0