The Open University of Israel Department of Mathematics and Computer Science Oblivious Evaluation of Multivariate Polynomials and Applications Thesis submitted as partial fulfillment of the requirements towards an M.Sc. degree in Computer Science The Open University of Israel Computer Science Division By Yonatan Ben-Ya akov Prepared under the supervision of Dr. Tamir Tassa November, 2007
Abstract In a Multi-Party Computation (MPC), there are a number of participants, each holding private data. The participants want to compute the value of a public function at the point that corresponds to the data that they hold. An MPC protocol is considered secure if no participant can learn information about the private data of the other participants that could not have been deduced from the description of the public function and the result of the global calculation. One of the prominent primitives of MPC is Oblivious Transfer (OT). OT protocols serve as building blocks in the solution of other MPC problems. Such a problem, introduced by Naor and Pinkas, is called Oblivious Polynomial Evaluation (OPE). Assume that Alice has a polynomial P (x) and Bob has a point α. The goal is to allow Bob to compute P (α) so that Alice remains oblivious of α and Bob of P (x) (apart from what is implied by P (α) and α). We introduce the multivariate version of this problem, where x and α are vectors, offer secure protocols to solve it, and discuss several applications.
Acknowledgements I wish to thank my thesis advisor, Dr. Tamir Tassa, for his wonderful support and help throughout the process of writing this thesis. It was a long and tiring saga, and Dr. Tassa s encouragement, knowledgeable guidance, and major time investment were what made reaching the finish line possible. I appreciate his continual scrutiny and pedantry because it improved my academic writing skills to a great extent, and taught me professionalism. I also wish to thank my family and friends for their loving support and encouragement.
Contents 1 Introduction 1 2 Preliminaries 4 2.1 Computational indistinguishability............... 4 2.2 Security of multi-party computation protocols......... 5 3 Oblivious Transfer 7 3.1 Definition and motivation.................... 7 3.2 An overview of Rabin s paper.................. 8 3.2.1 An overview of square root extraction in Z n...... 9 3.2.2 Rabin s OT setting.................... 11 3.2.3 EOS implementation................... 11 3.2.4 General OT protocol................... 12 3.3 An overview of Even, Goldreich and Lempel s paper..... 13 3.3.1 Definition of 1-out-of-2 OT............... 13 3.3.2 Implementation...................... 14 3.3.3 Analysis.......................... 15 3.3.4 A different OT protocol................. 15 3.4 1-out-of-2 OT using RSA.................... 16 3.5 Generalizations of OT...................... 18 3.5.1 String OT......................... 18 3.5.2 Pseudorandom functions................. 18 3.5.3 First 1-out-of-N OT protocol.............. 19 3.5.4 A second, recursive, 1-out-of-N OT protocol..... 20 3.5.5 A protocol for k-out-of-n OT.............. 22 4 Oblivious Evaluation of Univariate Polynomials 24 4.1 Problem specification....................... 24 4.2 Intractability assumptions.................... 25 I
CONTENTS II 4.2.1 The first intractability assumption........... 26 4.2.2 The second intractability assumption.......... 27 4.3 The protocol........................... 27 4.3.1 The protocol template.................. 28 4.3.2 The first instantiation.................. 29 4.3.3 The second instantiation................. 29 4.4 Protocol properties........................ 30 4.4.1 Correctness........................ 30 4.4.2 Complexity........................ 30 4.4.3 Security.......................... 30 4.4.3.1 The receiver s privacy............. 30 4.4.3.2 The sender s privacy.............. 33 4.5 Security against malicious behaviour.............. 35 4.6 Applications............................ 41 4.6.1 Obliviously computing a polynomial in the exponent. 41 4.6.2 Obliviously comparing information........... 41 4.6.2.1 Original solution by Fagin, Naor and Winkler 42 4.6.2.2 Solution using OPE.............. 44 4.6.3 Set computations..................... 46 4.6.3.1 Membership in a set.............. 46 4.6.3.2 Subsets..................... 47 5 Oblivious Evaluation of Multivariate Polynomials 48 5.1 Multivariate Lagrange interpolation.............. 48 5.1.1 The bivariate case.................... 48 5.1.2 The general multivariate case.............. 49 5.1.3 Probability of success.................. 51 5.1.4 Algorithm for choosing flats............... 54 5.2 Problem specification....................... 56 5.3 Intractability assumptions.................... 57 5.3.1 The first intractability assumption........... 57 5.3.2 The second intractability assumption.......... 58 5.4 The protocol........................... 59 5.4.1 The protocol template.................. 59 5.4.2 The first instantiation.................. 60 5.4.3 The second instantiation................. 61 5.5 Protocol properties........................ 62 5.5.1 Correctness........................ 62 5.5.2 Complexity........................ 62 5.5.3 Security.......................... 62 II
CONTENTS III 5.5.3.1 The receiver s privacy............. 63 5.5.3.2 The sender s privacy.............. 65 5.6 Security against malicious behaviour.............. 68 5.7 Applications............................ 76 5.7.1 Measuring the distance between two parties...... 76 5.7.2 Obliviously computing a polynomial in the exponent. 76 5.7.3 Comparing information................. 77 5.7.4 Linear algebra computations.............. 78 5.7.4.1 Computing the scalar product of two vectors 78 5.7.4.2 The inclusion of a vector is in a subspace.. 79 III
Chapter 1 Introduction The field of Multi-Party Computation, or MPC, refers to a setting in which there are several players, P 1,..., P n. Each player P i holds a private value x i. The goal is to compute the value f(x 1,..., x n ), where f is some publicly known function of n variables, so that each player does not learn anything about the private inputs of the other players, except what is implied by the output result f(x 1,..., x n ). One way of accomplishing this task is by delegating the input values x i to a trusted neutral party that can perform the computation on the inputs received from the n players. However, when such a trusted neutral party is not available, it is necessary to accomplish this task by a suitable protocol that the participating players have to execute among themselves. One of the basic primitives of MPC is Oblivious Transfer or OT. It was first introduced by Rabin [17] but there are now many different flavors, or variants, of OT. The one of the most interest in this thesis is called chosen 1-out-of-2 oblivious transfer which concerns the case where Alice has two bits, b 0 and b 1, and Bob has a selection bit s. The goal is for Bob to receive b s and remain oblivious of b 1 s while Alice remains oblivious of s. The generic problem of MPC was solved by Yao [19], who gave a solution that accomplishes secure MPC for every function f with finite domain and finite image. His solution is based on the assumption that factoring integers is intractable. Later, Goldreich and Vainish [13] showed a stronger result saying that the existence of OT is sufficient for this task. A result by Killian [14] shows constructively that OT is necessary and sufficient for general oblivious function evaluation, that is secure against malicious players 1. The problem with these generic results is that their computational and 1 We discuss malicious players in Section 2.2 1
2 communication complexities are very high, which renders them impractical. The aim of further studies in this field is to find more efficient solutions for specific problems of MPC. One such problem of MPC is Oblivious Polynomial Evaluation, or OPE. It involves two players: a sender, who has a univariate polynomial P over a field F, and a receiver, who has a point α F. The goal is for the receiver to learn the value of P (α), without learning any other information about P, and without the sender learning any information about α. This problem was solved by Moni Naor and Benny Pinkas [16]. In this thesis we present the multivariate version of OPE, where P is an r-variate polynomial and α F r. The goal remains the same: The receiver wishes to learn the value of P (α), without learning any other information about P, while the sender remains oblivious to the value of α. We give a solution to this problem, and present several applications. In Chapter 2 we discuss several terms and theorems that are required for the understanding of the OPE protocols presented here. Section 2.1 defines the notions of probability ensembles and computational indistinguishability; Section 2.2 briefly discusses the security of a multi-party computation protocol and defines the concepts of semi-honest players and malicious players. In Chapter 3 we familiarize ourselves with Oblivious Transfer (OT), a basic problem of multi-party computation that is used as a primitive by the OPE protocols presented here. Section 3.1 gives some motivation for OT, and its basic definition; Section 3.2 gives a summary of Rabin s paper [17] which first introduced the concept of OT; Section 3.3 gives a summary of a paper [6] by Even, Goldreich and Lempel, which introduced a slightly different flavor of OT; Section 3.4 gives a solution to the problem of OT using the RSA cryptosystem and studies its properties; Section 3.5 gives generalizations of OT: 1-out-of-N OT and k-out-of-n OT, which are used in the OPE protocols. In Chapter 4 we describe the problem of univariate OPE and present a solution for it given by Naor and Pinkas [16]. Section 4.1 defines the problem. Section 4.2 introduces two intractability assumptions that the OPE protocols rely on. Section 4.3 presents the OPE protocols themselves. Naor and Pinkas give two different protocols, each one based on a different intractability assumption. In Section 4.4 we study the correctness, security and complexity properties of the protocols. Section 4.5 discusses malicious players and the changes that need to be made to the protocol in order to be secure against them as well. Finally, in Section 4.6 we present some applications of univariate OPE. In Chapter 5 we introduce the problem of multivariate OPE and our 2
3 solution for it. Section 5.1 discusses multivariate Lagrange interpolation. Section 5.2 gives the problem specification for multivariate OPE. In Section 5.3 we present two intractability assumptions, that are required by the multivariate OPE protocols. Section 5.4 describes the protocol itself. In Section 5.5 we study the correctness, security and complexity properties of the protocols. Section 5.6 discusses malicious players and the adaptations to the protocol required in order to remain secure against them. Finally, in Section 5.7 we present several applications of multivariate OPE. 3
Chapter 2 Preliminaries 2.1 Computational indistinguishability Here we briefly review the basic concepts of probability ensembles and computational indistinguishability. The material is taken from Goldreich [11]. Definition 2.1.1 (Probability ensemble) Let I be a countably infinite set. A probability ensemble with indices from I is a sequence of random variables with indices from I, X = {X i } i I. The above definition means that for every index i I there exists a distribution X i that one can sample from. In most cases, I = N. Definition 2.1.2 (Computational indistinguishability) Let X = {X n } n N and Y = {Y n } n N be two probability ensembles. We say that X and Y are computationally indistinguishable, and we write X c Y, if for every probabilistic polynomial-time algorithm D and for every polynomial p( ) there exists N N such that for all n N it holds that [ ] [ ] Pr D(X n, 1 n ) = 1 Pr D(Y n, 1 n 1 ) = 1 p(n) when the probability is taken with respect to both the different samples of the random variables X n and Y n, and the coin tosses performed by D. The idea behind Definition 2.1.2 is that it is hard to distinguish between the two ensembles. For any fixed value of the index n, the random variable X n is hard to distinguish from the random variable Y n. Namely, given a sample from one of those two random variables, there exists no efficient 4
2.2. SECURITY OF MULTI-PARTY COMPUTATION PROTOCOLS 5 probabilistic algorithm that can determine the source of that sample with significant probability of success, even if that algorithm is given the index of those variables (in the form of the input 1 n ). Moreover, the task of distinguishing between samples of X n and Y n becomes harder and harder as n tends to infinity. 2.2 Security of multi-party computation protocols Consider a multi-party computation protocol to compute some function f(x 1,..., x n ), where x i is a piece of information that is owned by player P i, 1 i n. Our goal is to compute the value of the output f(x 1,..., x n ) without leaking out to player P j any information about x i that is not implied by the output f(x 1,..., x n ), for all 1 i, j n, i j. For example, assume that n = 2, the inputs are bits, x 1, x 2 {0, 1}, and that f(x 1, x 2 ) = x 1 x 2. Let us focus on player P 1 and see what he may learn from the value of the output x 1 x 2 about the value of P 2 s input, x 2. Clearly, if x 1 = 1, then the output will reveal to P 1 the value of x 2. If, however, x 1 = 0, then the output reveals nothing about x 2. Out goal is to design a protocol that respects those rules. Namely, a protocol that protects the privacy of P 2 by not leaking to P 1 any information about x 2 in case x 1 = 0, and that equally protects P 1 s privacy. In discussing and establishing the security of such protocols, one has to distinguish between two types of players: semi-honest and malicious. A semi-honest player is a player who always follows the protocol precisely, and yet tries to deduce as much information as he can. That is, a semihonest player is honest but curious, and when analyzing with respect to semi-honest players, secrecy requirements for the protocol are translated to requiring that these players can never deduce more information than what is allowed by the problem specifications. A malicious player is a player who has no obligation to follow the protocol. He can act in any way he likes, trying to discover pieces of information that he is not supposed to discover or to lead the other players to deducing wrong information. When analyzing with respect to malicious players, the secrecy requirement is much tighter, requiring that no matter how a player acts, he will not receive any more information than he is allowed. We make the following requirements of a secure multi-party protocol: Correctness If all players follow the protocol precisely, no player is led to accept a false result; if at least one player deviates from the protocol, 5
2.2. SECURITY OF MULTI-PARTY COMPUTATION PROTOCOLS 6 no requirement can be made about correctness, since the output may not be well defined. Privacy If all players follow the protocol precisely, each player must not learn anything more about the inputs of the other players than what is implied by the result and his own input. If some of the players deviate from the protocol, it is required that those players deviating from the protocol will not learn any information about the other players inputs, or will only learn information about the other players inputs that can be inferred by the result of the function calculation, for some valid values of the deviating players inputs. No requirement is made in the opposite direction to protect the privacy of the deviating players, as their inputs may not be well defined. The privacy requirement is sometimes referred to as the security requirement. Sometimes, an additional requirement of fairness is added, stating that all players that should receive the output, will indeed receive the output. In most protocols presented in this thesis, this requirement is irrelevant, as only one player receives the output. 6
Chapter 3 Oblivious Transfer 3.1 Definition and motivation We illustrate the fundamental concept of oblivious transfer by an example that appears in Cramer [5]. In that setting, there are two politicians that wish to find out if they agree on a certain matter. For example, such a matter could be a controversial law that has been proposed. Each of the two politicians either supports this law or opposes to it. They would like to know whether they both support it, but in such a way that if one of them opposes to it, he will not have any information about whether the other one supports it or not. This problem, and many others, can be solved using the primitive known as Chosen 1-out-of-2 Oblivious Transfer which we present here. The problem of Oblivious Transfer was first introduced by Rabin [17] as a problem concerning two parties, a sender and a receiver. In Rabin s setting, the sender has an input bit b, and the goal is that the receiver will receive this bit b with probability 1/2, and will receive nothing with probability 1/2, while the sender remains oblivious of which of the two events happened. Later, Even, Goldreich and Lempel [6] presented a different flavor of the problem, where the sender has two bits b 0 and b 1, and the receiver gets b 0 with probability 1/2 and b 1 with probability 1/2, while the sender remains oblivious of which of those two events actually happened. A slight variation on the version of Even et al., which is of the most interest to us, concerns the case where the receiver is the one who selects which bit to receive, and it is not determined by probabilities. I.e., the receiver has an input bit s, and at the end of the protocol the receiver gets b s and remains oblivious of b 1 s, and the sender remains oblivious of the 7
3.2. AN OVERVIEW OF RABIN S PAPER 8 value of s. We will refer to this version as Chosen 1-out-of-2 Oblivious Transfer, sometimes shortened to 1-out-of-2 OT or even simply OT. The problem is precisely defined as follows: Definition 3.1.1 Chosen 1-out-of-2 Oblivious Transfer is a protocol involving two parties, a sender and a receiver, with the following input/output requirements: Input sender: Two bits, b 0 and b 1. receiver: A selection bit, s. Output sender: None. receiver: b s It is required that the sender gets no information about s and that the receiver gets no information about b 1 s. 3.2 An overview of Rabin s paper This section is a summary of Rabin s paper [17]. Alice has a password S A to open Bob s file and Bob has a password S B to open Alice s file. Can they set up a protocol to exchange the secrets without using a trusted third party and without a safe mechanism for the simultaneous exchange of messages? This problem is called Exchange of Secrets (EOS). We assume that if a wrong password is used, the file is erased. Hence, there can be no trial and error here. Therefore, for the sake of our discussion, we may assume that S A and S B are single bits. What if Bob gives Alice a wrong S S B in exchange to the correct S A? To prevent that, we may assume that Alice and Bob exchange signed messages (contracts), and that the files are prefixed with their access password in a way such that if the file is destroyed, this prefix still remains. That way, if Alice uses S S B and destroys her file, she may go to court to prove that Bob cheated, showing them S B that remained from the file, and the signed message, proving that Bob gave S as the password instead of S B. 8
3.2. AN OVERVIEW OF RABIN S PAPER 9 What if Alice gets S B but does not send to Bob the value of S A in return? Even if Bob goes to court she can say that she did send him the message and that she s willing to send it again. This way Alice gains a time advantage over Bob. It seems that this problem is not solvable! There must be a first message that allows Alice (or Bob) to recover her (his) message first and then she (he) can terminate the protocol. To this end, we need a protocol with the following property: from the fact that Alice knows S B, Bob can deduce S A. In order to succeed, we make one final assumption that if Alice uses S B to open her file then Bob gets notified of it, and vice versa. For the protocol, we assume a public-key cryptosystem. Let K A, K B be Alice s and Bob s public keys, respectively. The cryptosystem allows for both encryption and digital signatures. All messages transferred in the protocol are signed by their sender. We start by reviewing some basic facts in number theory that will be needed for the protocols presented here. 3.2.1 An overview of square root extraction in Z n We review here some well-known facts about modular square roots. We begin by considering square roots modulo a prime p and then turn our attention to square roots modulo numbers n that are products of two distinct primes, n = pq. Let p > 2 be prime and y = x 2 (mod p). Then y has two square roots: x and x = p x. When p = 3 (mod 4), extracting roots is very easy: y p+1 4 is one of its roots. Indeed, ) (y p+1 2 p+1 4 = y 2 = y p 1 2 y = x p 1 y = y, where the last equality follows from Fermat s little theorem. Extracting roots is also possible when p = 1 (mod 4), but the computation in that case is not as simple. Let n = pq be the product of two odd primes p and q, where p q, and let y = x 2 (mod n) where x Z n. Let a 1, a 2 be the square roots of y modulo p, and let b 1, b 2 be the square roots of y modulo q. Then x mod p is either a 1 or a 2, while x mod q is either b 1 or b 2. That means that there are four possible scenarios: x = a i (mod p) and x = b j (mod q) where i and j are taken from {1, 2}. Since gcd(p, q) = 1, we can use the Chi- 9
3.2. AN OVERVIEW OF RABIN S PAPER 10 nese Remainder Theorem (CRT) 1 in order to solve those equations. Solving those equations for each of the four possible pairs in the right hand side of the equations (a 1, b 1 ), (a 1, b 2 ), (a 2, b 1 ) and (a 2, b 2 ) we may recover all four distinct square roots of y modulo n. As seen above, extracting roots modulo n = pq is easy if we know the prime factors p and q. However, if we do not know the factorization of n = pq, extracting roots modulo n is at least as hard as factoring n. To see that, let x 1 and x 2 be two randomly selected roots of y modulo n. Let us assume, without loss of generality, that x 1 (a 1, b 1 ) in the sense that it is the solution of the CRT equations x = a 1 (mod p) and x = b 1 (mod q). Then: 1. If x 2 (a 1, b 1 ), then x 1 = x 2 (mod n) and therefore gcd(x 1 x 2, n) = n. 2. If x 2 (a 1, b 2 ), then x 1 = x 2 (mod p) but x 1 x 2 (mod q) and therefore gcd(x 1 x 2, n) = p. 3. If x 2 (a 2, b 1 ), then x 1 = x 2 (mod q) but x 1 x 2 (mod p) and therefore gcd(x 1 x 2, n) = q. 4. If x 2 (a 2, b 2 ), then x 1 x 2 (mod p) and x 1 x 2 (mod q) and therefore gcd(x 1 x 2, n) = 1. Assume an oracle that can extract roots modulo n (namely, given y Z n, the oracle returns one of its four square roots). We may use this oracle to find the factorization of n, using the following procedure: 1. Choose a random x modulo n. 2. Compute y = x 2 mod n. 3. Extract a root z = y mod n. 4. Compute d = gcd(z x, n). 5. If d {1, n}, return to step 1; otherwise, output d and n/d. Note that since the choice of x is random, the probability that d {1, n} is 1/2, independently of whether or not the oracle chooses a random root, since the oracle is only able to see y, and not x. Therefore, we conclude that 1 CRT for two equations: If gcd(p, q) = 1 then the set of two equations x = a (mod p) and x = b (mod q) has a unique solution modulo p q. That solution is given by x = arq + bsp, where r = q 1 (mod p) and s = p 1 (mod q). 10
3.2. AN OVERVIEW OF RABIN S PAPER 11 the probability of success in every iteration is independently 1/2 and hence, the expected number of iterations until success is 2. This implies that squaring modulo n = p q is a trapdoor one-way function: Squaring is easy, while extracting roots is hard, unless we know p and q, in which case we may extract roots modulo p and q and then use CRT to find the square root modulo n. 3.2.2 Rabin s OT setting The EOS protocol given by Rabin uses a newly defined primitive called Oblivious Transfer (OT). That protocol involves two parties - a sender and a receiver. The sender holds an RSA modulus, n = pq, p, q being two large distinct primes, and its factorization, while the receiver knows only the value of n. The protocol is used to obliviously transfer the factorization of n with probability 1/2. Namely, after the execution of the protocol, the receiver will know the factorization with probability 1/2, and the sender will not know whether or not the receiver got the factorization. OT is implemented as follows in order to allow Alice to obliviously transfer the factorization of n = p q to Bob: 1. Alice sends n to Bob 2. Bob randomly chooses x Z n, computes c = x 2 mod n, and sends c to Alice. 3. Alice, who knows the factors p, q of n, calculates an x such that x 2 = c mod n and sends this x to Bob. 4. Bob calculates d = gcd(x x, n). At this stage, d {p, q} with probability 1/2. Hence, Bob has the factorization of n with probability 1/2. Alice has no clue whether bob got the factorization or not, as she does not know Bob s x. 3.2.3 EOS implementation Rabin s solution of the EOS problem is as follows: 1. Let p A, q A be the factors of n A such that Alice s public key in the cryptosystem is based on n A while her private key depends on the factorization, p A and q A. Let p B, q B, n B be defined similarly for Bob. 2. Alice obliviously transfers the factorization of n A to Bob. 11
3.2. AN OVERVIEW OF RABIN S PAPER 12 3. Bob obliviously transfers the factorization of n B to Alice. 4. Define ν B = 0 if Bob knows the factors of n A after the transfer, and ν B = 1 otherwise. Define ν A similarly as the state of Alice s knowledge of the factors of n B. 5. Bob computes ε B = S B ν B and sends ε B to Alice. Notice that knowing ε B doesn t allow Alice to access her file as she doesn t know ν B. 6. Alice similarly computes ε A and sends it to Bob. 7. Alice creates a random message and replaces its center bit with S A. We call this message m A. Alice encrypts m A using her public key to yield d A, and sends d A to Bob. 8. Bob acts similarly, creating m B and then d B, and sends d B to Alice. Obviously, if Alice got the factorization of Bob s public key (i.e., p B and q B ), she will be able to recover m B from d B, read the secret S B, and open her file. The same goes, of course, for Bob. In case both got the factorizations (an event that has probability 1/4), the secrets were shared successfully. In case neither of them got the factorizations (probability 1/4) the protocol, unfortunately, fails. In case one of them got the factorization and the other one did not (this is the interesting case, the probability of which is 1/2), let us assume without loss of generality that it was Alice who got the factorization. The moment she will use the secret to open the file, Bob will get notified of it, by our assumption. This enables Bob to deduce that ν A = 0, whence S A = ε A. Therefore, if Alice got her secret, so will Bob. 3.2.4 General OT protocol The OT protocol can be used to allow the oblivious transfer of a bit. Assume that Alice has a single bit b and Bob does not know it. The following protocol allows the transfer of that bit from Alice to Bob so that Bob receives it with probability 1/2, while Alice does not get any information regarding whether the transfer succeeded. Let n = p q, and let Encode n () be a method of encoding a bit, such that it can be encoded knowing n but it may be decoded only by knowing p and q. (For instance, the method that we used in Section 3.2.3, where we generated a random message, replaced its center bit with the bit to encode, and then encrypted it using RSA). The protocol goes as follows: 12
3.3. AN OVERVIEW OF EVEN, GOLDREICH AND LEMPEL S PAPER 13 1. Alice has p, q, n = pq and a bit b. She sends to Bob n and Encode n (b). 2. Bob selects a random x Z n and sends to Alice y = x 2 mod n. 3. Alice computes a random square root z of y and sends it to Bob. 4. There is a chance of 1/2 that z x enables Bob to factor n and then find b by decoding Encode n (b). 3.3 An overview of Even, Goldreich and Lempel s paper Even, Goldreich and Lempel [6] present protocols for three problems, all sharing a common sub-protocol. This sub-protocol requires a new primitive that they defined, called 1-out-of-2 OT. We give a short description of the problems that this paper solves, and proceed to formally define 1-out-of-2 OT and their algorithm for its implementation. The problems discussed in the paper are: Contract Signing Alice and Bob have informally agreed upon a contract and wish to formally exchange binding signatures to it in a way that each party will have the other party s signature on the contract. In particular, Alice must not obtain Bob s signature without Bob obtaining hers, and vice-versa. Certified Mail A sender would like to send a mail message to a receiver and get a receipt regarding the send, such that the receiver can read the message if and only if the sender got his receipt. In addition, the receipt should certify the contents of the message. Coin Flipping Alice and Bob wish to mutually choose a random bit, while requiring that the outcome be random and unforgeable, and that Alice knows the outcome if and only if Bob knows the outcome. 3.3.1 Definition of 1-out-of-2 OT A 1-out-of-2 OT is a protocol involving two parties, a sender and a receiver. The sender has two messages, A 0 and A 1, and in the end of a proper execution, the following requirements should hold: The receiver should get A 0 with probability 1/2 and A 1 with probability 1/2. 13
3.3. AN OVERVIEW OF EVEN, GOLDREICH AND LEMPEL S PAPER 14 When the receiver gets A i he should have no information regarding A 1 i, in the following sense. Assume that after the execution the receiver is given the value of a predetermined function of A 1 i (e.g., the first 5 bits of it). Then computing A 1 i is not easier than in the case the receiver is given the value of that function without the execution of the OT. The sender does not have any information regarding which message did arrive to the receiver; i.e., the sender s a-posteriori probability for the receiver knowing A i is 1/2, i {0, 1}. 3.3.2 Implementation Consider a public-key cryptosystem I, consisting of a pair E I ( ), D I ( ) for encryption and decryption. Let MS I be the message space of the cryptosystem. Assume that there exist two operators:, : MS I MS I MS I, such that: For every x MS I, {x y y MS I } = MS I. For every y MS I, {x y x MS I } = MS I. For every x, y MS I, ((x y) y) = x. E.g., when using RSA as the cryptosystem, and will be addition and substraction mod n, respectively, when n is the modulus of the instantiation I. Let the sender be called S and the receiver R. The two messages held by the sender are A 0 and A 1. The protocol proceeds as follows: 1. S chooses an instantiation I of the relevant cryptosystem, and so has the operators E I ( ) and D I ( ). 2. S chooses two random messages m 0 and m 1. 3. S sends a description of E I, as well as m 0, m 1 to R. 4. R chooses a random bit r {0, 1} and a random value k MS I. 5. R computes q = E I (k) m r and sends q to S. 6. S computes, for i {0, 1}, k i = D I(q m i ). 7. S chooses a random s {0, 1} and sends [ s, A 0 k s, A 1 k 1 s] to R. 14
3.3. AN OVERVIEW OF EVEN, GOLDREICH AND LEMPEL S PAPER 15 Let us exemplify this protocol. Assume that R chose r = 0. Then q = E I (k) m 0, whence k 0 = k while k 1 reveals no information about k. There are now two cases to consider, according to the value that S chose for s: If s = 0 then in the final step R gets [0, A 0 k, A 1 k 1 }]. Since R knows k, he may recover A 0 from the second component of that message. On the other hand, as k 1 may be any value in MS I, the third component in the message reveals no information about A 1. If s = 1 then R gets [1, A 0 k 1, A 1 k}]. Hence, in this case R gets A 1 but no information about A 0. 3.3.3 Analysis We first note that k = k r. Hence, as k was chosen by R, R knows k r. Consequently, if s = r, then R may recover A 0 while if s r, R may recover A 1. So in general we can say that R knows A s r where is addition modulo 2. We proceed to show that no further information is disclosed to R other than A s r. The value of k 1 r is given by k 1 r = D I(q ) where q = (E I (k) m r ) m 1 r is known to R. Using reasonable assumptions on the cryptosystem, we deduce that R cannot distinguish k 1 r from a random value. Hence, in the final stage of transfer, the only useful information sent to R is A s r k r, while the other part of the message, A 1 (s r) k 1 r, completely hides the value of A 1 (s r), in view of the properties of the operator. It is left to show that S cannot determine which of the two messages was received by R. This is true because the only information that S gets from R is q = E I (k) m r. As k is generated randomly over MS I and E I is a permutation operator, E I (k) is a perfect masking value, so q does not reveal anything at all about r or m r. Hence, S gets no information about which of the two messages was transferred. 3.3.4 A different OT protocol We note that the fact that s is a random bit chosen by S and unknown to R is used so that the latter will have no control over which of the two messages he receives. Next, let us examine what happens if the two parties agree that s = 0. In the resulting protocol, R gets to choose which of the two messages he will receive. Indeed, since in the original protocol R got the value of A s r, where s was chosen by S and r by R (whence both parties were responsible to the selection of the message that would be revealed to 15
3.4. 1-OUT-OF-2 OT USING RSA 16 R), here R will always get the value of A r. Hence, by selecting r, R can decide which of the two messages he will get (while S remains oblivious of that selection). Hence, what we get here is another version of 1-out-of-2 OT, which we call Chosen 1-out-of-2 OT. 3.4 1-out-of-2 OT using RSA We have shown in Section 3.3.2 the protocol given by Even et al. [6] for their version of OT, where the selection bit is random, and not chosen by the receiver. Their protocol can use any public-key cryptosystem that satisfies a few requirements. The RSA cryptosystem is one that satisfies those requirements. Cramer [5] gives a protocol for chosen 1-out-of-2 OT that specifically uses RSA, and is therefore defined more simply. It is this protocol that we present here. Definition 3.4.1 (OT based on RSA) 1. The sender generates a random RSA key (n, p, q, e, d) and sends the public part (n, e) to the receiver. 2. The receiver chooses a random plaintext m and encrypts it using the public key. He then defines a pair of ciphertexts (c 0, c 1 ) as follows: The receiver sets c s to be the result of encrypting m, and c 1 s to be a random integer modulo n, where s is the selection bit. He then sends (c 0, c 1 ) to the sender. 3. The sender, knowing the secret part of the RSA key, decrypts c 0 and c 1. Let r 0 and r 1 be the least-significant bits of the decryptions of c 0 and c 1, respectively. Then the sender, having his input bits b 0 and b 1, computes b 0 = b 0 r 0 and b 1 = b 1 r 1, and sends (b 0, b 1 ) to the receiver. 4. The receiver recovers b s by computing b s r s. Assuming both players are semi-honest, this protocol obviously achieves correctness, i.e., at the end of an execution the receiver learns the correct value of b s. Proposition 3.4.1 The protocol presented in Definition 3.4.1 preserves privacy for semi-honest players. Namely, assuming that both players are semihonest, the following claims hold: 16
3.4. 1-OUT-OF-2 OT USING RSA 17 receiver s privacy: The sender gets no information regarding the bit s. sender s privacy: The receiver gets no information regarding the bit b 1 s. Proof: For the receiver s privacy, note that the only part where the sender gets any information during the protocol is at stage 2, in which he gets (c 0, c 1 ). Recovering s from (c 0, c 1 ) is equivalent to distinguishing between a random integer modulo n and the RSA encryption of a random integer modulo n. Since the receiver chooses m uniformly at random from Z n, c s also has a uniform random distribution over Z n (as for any given encryption key, RSA is a permutation of Z n ). Also c 1 s is chosen uniformly at random from Z n. Hence, the distributions that govern the selection of c 0 and c 1 are the same, and, consequently, they are indistinguishable. For the sender s privacy, note that the only information the receiver receives that depends on b 0 and b 1 is the pair (b 0, b 1 ) so that the only way for the receiver to recover b 1 s is to use b 1 s. Since b 1 s is a masking of b 1 s using the bit r 1 s, the receiver must know r 1 s in order to accomplish this task. Recall that r 1 s is the least significant bit of a decryption of the random number c 1 s. Alexi, Chor, Goldreich and Schnorr [1] proved that in an RSA encryption setting, when the ciphertext is known but the plaintext is not, then finding the least-significant bit of the plaintext is as hard as finding the entire plaintext, i.e., as hard as breaking RSA (this property is known as the hard-core bit property). Since the ciphertext is a random number, then the corresponding plaintext is obviously unknown, and since we assume the receiver cannot break RSA, we deduce that he cannot know r 1 s. It should be noted that the above proof relies heavily on the assumption that the receiver is semi-honest. A malicious receiver would deviate from the protocol by chosing c 1 s as an encryption of another randomly selected plaintext m. That way, he maintains his own privacy, as both c 0 and c 1 will have the same uniform distribution over Z n, but he will know both r 0 and r 1, whence he can recover both b 0 and b 1. There are solutions for OT that are secure even against malicious parties. The first such solution was presented by Fischer, Micali and Rackoff [8]. Later, Goldreich, Micali and Wigderson [12] gave a general scheme for making an OT protocol secure against malicious parties. Their techniques rely on several primitives, including trapdoor one-way permutations, commitment schemes, and mutual randomness. 17
3.5. GENERALIZATIONS OF OT 18 3.5 Generalizations of OT So far we have discussed a setting in which the sender holds two values and the receiver chooses to receive one of them. Now consider the case where the sender has N > 2 values and the receiver chooses to receive one of them. This problem is called 1-out-of-N OT. Further, the receiver may choose to receive k of the N values, assuming of course that k < N. This problem is called k-out-of-n OT. The idea of 1-out-of-N OT was originally introduced by Brassard, Crépeau and Robert [3] who give information-theoretic reductions to construct 1-outof-N OT protocols from N 1 invocations of a 1-out-of-2 OT protocol. We will restrict our attention to more recent and more efficient implementations given by Naor and Pinkas [15], who also give a construction of k-out-of-n OT. Their constructions further use two other primitives, string OT and pseudorandom functions, which we will also present here. 3.5.1 String OT The problem of Chosen 1-out-of-2 String Oblivious Transfer is very similar to the regular OT problem, the only difference being that the sender s inputs are no longer single bits but bit-strings of length n, for some n. I.e., the sender has two inputs x 0, x 1 which are both bit strings of length n, and the receiver has a bit s. At the end of the protocol, the receiver learns the string x s and gets no information about x 1 s and the sender gets no information about s. Brassard, Crépeau, and Santha [4] give an efficient construction of string OT using regular bit OT. 3.5.2 Pseudorandom functions A pseudorandom function is a function that is indistinguishable from a truly random function by a probabilistic polynomial-time adversary that is allowed only adaptive black-box accesses to it 2. A working assumption of [15] is that strong block ciphers (such as DES or AES) or keyed one way hash functions (such as HMAC) can be used to produce efficient key-dependent pseudorandom functions. This efficiency 2 The exact definition of pseudorandomness speaks of a family of functions {F n} n N being pseudorandom when no probabilistic polynomial-time (polynomial in n) adversary with adaptive oracle access can distinguish between it and the uniform function family 18
3.5. GENERALIZATIONS OF OT 19 is relative to expensive operations such as the ones involved in public-key cryptography. The pseudorandom functions used in the 1-out-of-N and k-out-of-n protocols presented herein are required to be part of a keyed family, i.e., a family of pseudorandom functions that are indexed by a key K, {F K : {0, 1} l {0, 1} m K {0, 1} t }. Note that the 1-out-of-2 OT s in the protocols will be string-ot protocols (Section 3.5.1) that are performed on strings of length t, since the transmitted strings are used as keys of F. 3.5.3 First 1-out-of-N OT protocol The first protocol presented reduces 1-out-of-N OT to N log N evaluations of a pseudorandom function, and log N invocations of the 1-out-of-2 OT protocol (as opposed to N 1 invocations in the information-theoretic reduction). The communications overhead involves the sender sending N encryptions to the receiver. The sender s input is X 0, X 1,..., X N 1 where each X I {0, 1} m and N = 2 l. The receiver would like to learn X I for some 0 I N 1. Protocol 1. (1-out-of-N OT) 1. The sender prepares 2l random keys (K 0 1, K 1 1), (K 0 2, K 1 2),..., (K 0 l, K1 l ) where each Kj b, 1 j l and b {0, 1}, is a t-bit key to the pseudorandom function F K. 2. The sender computes for each input X I a value Y I : Y I = X I l j=1 where i 1, i 2,..., i l are the bits of I. F i K j (I) j 3. For 1 j l, the sender and receiver engage in a 1-out-of-2 string-ot on the strings Kj 0 and K1 j. If the receiver would like to learn X I, he should choose to learn K i j j in each of the invocations, where i j is again the j-th bit of I. 19
3.5. GENERALIZATIONS OF OT 20 4. The sender sends the strings Y 0, Y 1,..., Y N 1 to the receiver. 5. The receiver reconstructs X I from Y I : X I = Y I l j=1 F i K j (I) j Clearly, Protocol 1 is a 1-out-of-N OT protocol, since it lets the receiver learn the value of one of the inputs according to his choice. As for the security of the protocol, it enjoys both receiver and sender security, provided that the 1-out-of-2 protocol on which it relies is secure and that F is indeed pseudorandom, as stated in the following two lemmas. Lemma 3.5.1 If the receiver s privacy is not preserved in Protocol 1, then it is not preserved in the 1-out-of-2 OT protocol either. Lemma 3.5.2 If the sender s privacy is not preserved in Protocol 1, then either the 1-out-of-2 OT protocol does not provide the sender s privacy or the function F is not pseudorandom. The computational complexity of Protocol 1 is N log N evaluations of the pseudorandom function F K in the preprocessing stage (step 2), and log N invocations of the 1-out-of-2 OT protocol in the transfer stage. The communication overhead involves the sender sending to the receiver N encryptions, one of each of his input items. 3.5.4 A second, recursive, 1-out-of-N OT protocol The protocol presented in this section reduces 1-out-of-N OT to two invocations of a 1-out-of- N OT. These invocations can be implemented using the protocol in Section 3.5.3, or, alternatively, by recursively applying it until reaching 1-out-of-2 OTs. As before, the sender s input is X 0, X 1,..., X N 1 where each X I {0, 1} m and N = 2 l. The receiver would like to learn X I for some 0 I N 1. Protocol 2. (1-out-of-N OT) 1. The sender prepares two sets of randomly chosen keys: R i and C j, 0 i, j N 1, each of these keys is t-bits long. 20
3.5. GENERALIZATIONS OF OT 21 2. The sender arranges the N inputs, X 0,..., X N 1 in a N N matrix, i.e., each input is indexed now as X i,j, where 0 i, j N 1. From this point onwards, this is the indexing used, by both sender and receiver. 3. The sender next computes, for each X i,j a respective encryption Y i,j : Y i,j = X i,j F Ri (j) F Cj (i) 4. The sender and receiver engage in a 1-out-of- N OT protocol on R 0, R 1,..., R N 1. If the receiver would like to learn X i,j he should pick R i. 5. The sender and receiver engage in a 1-out-of- N OT protocol on C 0, C 1,..., C N 1. If the receiver would like to learn X i,j he should pick C j. 6. The sender sends all the Y i,j s to the receiver. 7. The receiver reconstructs X i,j from the Y i,j s: X i,j = Y i,j F Ri (j) F Cj (i) The complexity of this algorithm, in terms of pseudorandom function computations, 1-out-of-2 OT protocol invocation, and communication, is summarized below: Two invocations of the pseudorandom function for each 0 i, j N 1, namely, 2N invocations altogether. The pseudorandom function here is F K : {0, 1} l 1 {0, 1} m, where K {0, 1} t. 2 N log N = N log N invocations of the pseudorandom function for the two applications of the 1-out-of- N OTs. The pseudorandom function here is F K : {0, 1} l 1 {0, 1} t, where K {0, 1} t. 2 log N = log N invocations of the 1-out-of-2 OT protocol. 2 N encryptions are sent from the sender to the receiver in the course of the two 1-out-of- N OTs. In addition, the sender sends N encryptions in Step 6. 21
3.5. GENERALIZATIONS OF OT 22 3.5.5 A protocol for k-out-of-n OT A k-out-of-n OT protocol may be implemented by k repetitions of the 1- out-of-n OT protocol. However, it is possible to do it with a single protocol, as described below, that is much more efficient. In addition, repeating the 1- out-of-n OT protocol k times invokes the problem of consistency - the sender might not be consistent in the k rounds and thus induce an output at the receiver s end that is distinguishable from the receiver s output in the ideal implementation. This problem may be solved by the use of commitments. The protocol that we describe below avoids that problem. The weakness of this protocol is that it works only for small values of k, specifically, for k N 1/4 ε. The sender s input is X 0, X 1,..., X N 1 where N = 2 l, and the receiver would like to learn X I1, X I2,..., X Ik. Let W be some integer, that will be specified later on. Protocol 3. (k-out-of-n OT) 1. Repeat for j = 1 to W (a) The sender chooses two random sets of N keys each: R j 0, Rj 1,..., Rj N 1 and C j 0, Cj 1,..., Cj N 1. (b) The sender chooses a random permutation σ j on {0,..., N 1}. For any 0 I N 1, σ j R (I) stands for the first l/2 bits in σ j (I) and σ j C (I) stands for the remaining l/2 bits in σj (I). The sender arranges the permuted values X σ j (0),..., X σ j (N 1) in a N N matrix, so that input XI is now indexed X σ j R (I),σj (I). C (c) The sender sends σ j to the receiver. (d) The sender and receiver engage in k rounds of 1-out-of- N OT to learn the values of R j σ j R (I h), 1 h k, out of Rj 0, Rj 1,..., Rj N 1. (e) Similarly, the sender and receiver engage in k rounds of 1-outof- N OT to learn the values of C j, 1 h k, out of σ j C (I h) C j 0, Cj 1,..., Cj N 1. 2. The sender computes for each X I a corresponding Y I, ( ) W Y I = X I F R j (I) F C j (I), 0 I N 1, σ j R (I) σ j C (I) j=1 and sends all these Y I to the receiver. 22
3.5. GENERALIZATIONS OF OT 23 3. The receiver reconstructs X Ih, 1 h k, through X Ih = Y Ih ( W j=1 F R j σ j R (I h ) (I h ) F C j σ j C (I h ) (I h ) This protocol preserves the receiver s privacy since the OT protocols that are run have this property. As for the sender s privacy, it is provided with probability 1 δ, if k N 1/4 ε and W = w + 2 where w > log(1/δ)/(2ε log N) [15, Theorem 2.5]. The computational complexity overhead consists of 2W N applications of a pseudo-random function for the initialization, additional 2W k N applications of a pseudo-random function for initializing the 1-out-of- N OT protocols, and W k log N invocations of 1-out-of-2 OT for the actual transfers [15]. ) 23
Chapter 4 Oblivious Evaluation of Univariate Polynomials In this chapter we summarize the paper Oblivious Polynomial Evaluation by Moni Naor and Benny Pinkas [16]. That paper describes and studies a protocol for the oblivious evaluation of a univariate polynomial over a finite field F. We review the protocol, and study its correctness, security and complexity properties. 4.1 Problem specification The problem of oblivious polynomial evaluation is a multi-party computation problem with two players, so called sender and receiver. The problem is defined as follows: Definition 4.1.1 Oblivious Polynomial Evaluation is a protocol involving two parties, the sender and the receiver, with the following input/output specifications: Input sender: A polynomial P (x) = d i=0 b ix i over a finite field F. receiver: A value α F. Output sender: None. 24
4.2. INTRACTABILITY ASSUMPTIONS 25 receiver: P (α). It is required that the sender gets no information about α and that the receiver gets no information about the polynomial P other than what is implied by the value of P (α). Note that in the above definition of the problem, only the receiver receives the output. However, any protocol for the solution of the above problem, may be translated to a protocol where both players receive the output. We introduce two intractability assumptions that the OPE protocols rely on. We then give two protocols for OPE, each one based on a different intractability assumption. We then look at malicious players, and what modifications are needed to the protocol in order to remain secure against them. Finally, we present some applications of OPE. 4.2 Intractability assumptions The protocols for oblivious polynomial evaluation employ two intractability assumptions based on the polynomial reconstruction and polynomial list reconstruction problems. Definition 4.2.1 (Polynomial reconstruction problem) Input Integers k and t, and n points {(x i, y i )} n i=1, where x i, y i F. Output A univariate polynomial P of degree at most k such that P (x i ) = y i for at least t of those n points. Definition 4.2.2 (Polynomial list reconstruction problem) Input Integers k and t, and n points {(x i, y i )} n i=1, where x i, y i F. Output All univariate polynomials P of degree at most k such that P (x i ) = y i for at least t of those n points. Note that the only difference between the two problems is that the polynomial reconstruction problem requires finding any one of the satisfying polynomials, while the polynomial list reconstruction problem requires finding all of them. These problems give rise to two intractability assumptions that play an essential role in the design of our protocol. 25