A new Protocol for 1-2 Oblivious Transfer
A new protocol for 1-2 (String) Oblivious Transfer is proposed. The protocol uses 5 rounds of message exchange.
Authors: Bjoern Grohmann
Björn Grohmann, Universität Karlsruhe, Fakultät für Informatik, 76128 Karlsruhe, Germany, nn@mhorg.de

Abstract. A new protocol for 1-2 (String) Oblivious Transfer is proposed. The protocol uses 5 rounds of message exchange.

Keywords: Oblivious Transfer, cryptographic Hash-Function, One-Way-Function.

1 Introduction

During a 1-2 (String) Oblivious Transfer protocol, Bob should learn one of two bit strings provided by Alice, but not both, while Alice should not learn anything about Bob's choice. A protocol fulfilling these constraints would be a powerful cryptographic primitive (cf. [3] for an introduction to the subject). In this article, we propose a protocol that uses 5 rounds of message exchange. Since most of the computational part of the protocol takes place in the unit group of a finite field, we further investigate the question whether Alice or Bob can gain more information if it turns out that the computation of discrete logarithms in this group is easy.

2 The Protocol

Initialisation: Before the actual start of the protocol Alice and Bob agree on a positive integer $n \in \mathbb{N}$, a prime $p$ of size $\sim 2^{\sqrt{n \log n}}$, a random matrix $C = (c_{i,j})_{i,j} \in \mathbb{F}_p^{\,n \times n}$, $i, j = 1, \ldots, n$, a cryptographic Hash-Function $h_1 : \mathbb{F}_p \to \{0,1\}^q$ and an injective (polynomial-time computable) One-Way-Function $h_2 : \{0,1\}^q \to \{0,1\}^{q'}$, for integers $q$ and $q'$. Here, $\mathbb{F}_p$ denotes the finite field with $p$ elements.

Round 1: Alice starts by choosing $n$ random bits $t_1, \ldots, t_n$, two distinct random elements $a, b \in \mathbb{F}_p$ with $a \neq -c_{i,j} \neq b$ for $i, j = 1, \ldots, n$, two distinct random elements $\alpha_a, \alpha_b \in \mathbb{F}_p^{\times}$ of order $p-1$ (i.e. each of these elements is a generator of the unit group $\mathbb{F}_p^{\times} := \mathbb{F}_p - \{0\}$) and two random permutations $\sigma_a, \sigma_b$ on the set $\{1, \ldots, n\}$. She then computes, for $j = 1, \ldots, n$,

$$\mu_{j,a} := \alpha_a^{\sigma_a(j)} \prod_{i=1}^{n} (a + c_{i,j})^{t_i} \quad\text{and}\quad \mu_{j,b} := \alpha_b^{\sigma_b(j)} \prod_{i=1}^{n} (b + c_{i,j})^{t_i} \qquad (1)$$

and sends $((\mu_{j,a})_j, (\mu_{j,b})_j)$ to Bob.

Round 2: Bob chooses $n$ random bits $s_1, \ldots, s_n$. He computes

$$\tau_{A,a} := \prod_{j=1}^{n} \mu_{j,a}^{s_j} \quad\text{and}\quad \tau_{A,b} := \prod_{j=1}^{n} \mu_{j,b}^{s_j} \qquad (2)$$

and sends $(\tau_{A,a}, \tau_{A,b})$ to Alice.

Round 3: Alice chooses two (random) bit strings $m_a, m_b$ of size $q$ (the messages) and computes $z_a := h_2(m_a)$ and $z_b := h_2(m_b)$. She then computes, for $k = 1, \ldots, n(n-1)/2$,

$$s_{k,a} := h_1\!\left(\alpha_a^{-k}\,\tau_{A,a}\right) \oplus m_a \quad\text{and}\quad s_{k,b} := h_1\!\left(\alpha_b^{-k}\,\tau_{A,b}\right) \oplus m_b, \qquad (3)$$

where $\oplus$ denotes the XOR-function, and sends $((s_{k,a})_k, (s_{k,b})_k, a, b, z_a, z_b)$ to Bob.

Round 4: Bob chooses a random element $\beta \in \mathbb{F}_p^{\times}$ of order $p-1$, a random permutation $\rho$ on the set $\{1, \ldots, n\}$ and an element $d \in \{a, b\}$. He then computes, for $i = 1, \ldots, n$,

$$\nu_i := \beta^{\rho(i)} \prod_{j=1}^{n} (d + c_{i,j})^{s_j} \qquad (4)$$

and sends $(\nu_i)_i$ to Alice.

Round 5: Alice computes

$$\tau_B := \prod_{i=1}^{n} \nu_i^{t_i} \qquad (5)$$

and sends $\tau_B$ to Bob.

Finally, Bob computes for $r = 1, \ldots, n(n-1)/2$ the list $(\beta^{-r} \tau_B)_r$ until he finds $r_0$ and $k_0$ such that $h_2\big(h_1(\beta^{-r_0} \tau_B) \oplus s_{k_0,d}\big) = z_d$, which gives him the message $m_d = h_1(\beta^{-r_0} \tau_B) \oplus s_{k_0,d}$.

3 Analysis

The following theorem states the correctness of the protocol and (roughly) counts the computational cost for both sides (for simplicity, we count addition and multiplication in $\mathbb{F}_p$ as one elementary operation and leave aside the randomized selection process).

Theorem 1. At the end of the protocol, Bob is in possession of the message he asked for. The computational cost for Alice equals $O(n^2 \cdot (\text{cost of } h_1))$ elementary operations, while on Bob's side it sums up to $O(n^2 \cdot (\text{cost of } h_1) + n^4 \cdot (\text{cost of } h_2))$.

Proof. The first statement of the theorem is easily seen to be true, since

$$\tau_{A,d} = \alpha_d^{k'} \prod_{i,j=1}^{n} (d + c_{i,j})^{t_i s_j} \qquad (6)$$

and respectively

$$\tau_B = \beta^{r'} \prod_{i,j=1}^{n} (d + c_{i,j})^{t_i s_j}, \qquad (7)$$

with $d \in \{a, b\}$ and $1 \leq k', r' \leq n(n-1)/2$. The calculation of the computational cost is straightforward.

We now turn to the two fundamental questions for this protocol. For this, we define the function $f(y) := \prod_{i,j} (y + c_{i,j})^{t_i s_j}$. It is clear that, for $d \in \{a, b\}$, the knowledge of $f(d)$ leads to the knowledge of the message $m_d$.

Q1: Can Alice efficiently decide whether Bob chose $d = a$?

Q2: Can Bob, who knows $f(d)$, efficiently compute $f(a + b - d)$?

So far, the author of this article is not aware of any polynomial time algorithm that would answer one of these questions with "yes". In the following we shall see that even the ability to efficiently compute discrete logarithms in $\mathbb{F}_p^{\times}$ does not seem to help much. So, from now on we will assume that Alice and Bob can compute discrete logarithms in $\mathbb{F}_p^{\times}$ efficiently.

To start with Bob (i.e. Q2), it is easily seen that the knowledge of Alice's secret bits $t_1, \ldots, t_n$ immediately gives him both messages $m_a$ and $m_b$ (he can compute $f(a)$ and $f(b)$). To get these bits, Bob can choose a generator $g$ of the group $\mathbb{F}_p^{\times}$ and try to solve the equation (cf. (5))

$$x_1\,\delta_g(\nu_1) + \cdots + x_n\,\delta_g(\nu_n) \equiv \delta_g(\tau_B) \pmod{p-1}, \qquad (8)$$

where $\delta_g(\cdot)$ denotes the discrete logarithm function with respect to $g$. Since there are $2^n$ ways to select the values of the $x_i$'s, there are, heuristically speaking, approximately $2^{\,n - \log p} \sim 2^{\,n(1 - \sqrt{\log n / n})}$ solutions to equation (8).

Now suppose that Bob knows $f(a)$. He then can compute $\alpha_a^{k'}$, with an unknown positive integer $k' \leq n(n-1)/2$. Suppose further that he somehow manages to determine $\alpha_a$ (or at least a list of possible candidates for $\alpha_a$). Since $\gcd(\delta_g(\alpha_a), p-1) = 1$, this leads (cf. (1)) in general to the following

Challenge 1. Given $n \in \mathbb{N}$, a prime $p$ of size $\sim 2^{\sqrt{n \log n}}$, a matrix $(e_{i,j})_{i,j=1,\ldots,n}$ with integer coefficients and a list of integers $(f_j)_{j=1,\ldots,n}$, compute $x_1, \ldots, x_n$, with $x_i \in \{0,1\}$, and a permutation $\pi$ on the set $\{1, \ldots, n\}$ such that

$$\begin{aligned}
x_1 e_{1,1} + \ldots + x_n e_{1,n} + \pi(1) &\equiv f_1 \pmod{p-1} \\
x_1 e_{2,1} + \ldots + x_n e_{2,n} + \pi(2) &\equiv f_2 \pmod{p-1} \\
&\;\;\vdots \\
x_1 e_{n,1} + \ldots + x_n e_{n,n} + \pi(n) &\equiv f_n \pmod{p-1}.
\end{aligned}$$

Again, the author of these lines is not aware of any efficient method that solves this challenge.

Now, Alice's story (Q1) is pretty much the same. In the end, Alice finds herself confronted with a decision version of Challenge 1, but as is easily seen, an algorithm that can decide in polynomial time whether a solution exists can also be used to efficiently compute a solution.

References

[1] Goldreich, O., Micali, S., Wigderson, A.: How to Play Any Mental Game, or: A completeness theorem for protocols with honest majority. In: Proc., 19th Annual ACM Symposium on the Theory of Computation (STOC), pp. 218-229, 1987
[2] Grohmann, B.: A New Key-Agreement-Protocol. arXiv:0904.1186 [cs.CR], 2009
[3] Kilian, J.: Founding Cryptography on Oblivious Transfer. In: Proc., 20th Annual ACM Symposium on the Theory of Computation (STOC), pp. 20-31, 1988
[4] Rabin, M.O.: How to exchange secrets by oblivious transfer. In: Technical Report TR-81, Aiken Computation Laboratory, Harvard University, 1981
[5] Shamir, A.: An efficient identification scheme based on permutation kernels. In: Proc. of Crypto 89, Vol. 435 LNCS, pp. 606-609, Springer, 1990
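The following is an added toy run of the five rounds of Section 2, written for this page and not the author's code. It assumes constructed parameters that do not meet the paper's sizes: $p = 2^{16} + 1 = 65537$ (so elements of order $p-1$ are exactly the quadratic non-residues), $n = 6$, $q = 32$, $q' = 64$, and $h_1$, $h_2$ instantiated with truncated SHA-256 (a stand-in for the injective one-way function $h_2$ the paper asks for). Randomness is seeded so a run is reproducible, and both choices $d = a$ and $d = b$ can be exercised. The run also checks identities (6) and (7) directly, i.e. that $\alpha_d^{-k'}\tau_{A,d}$ and $\beta^{-r'}\tau_B$ both equal $f(d)$. One caveat the implementation has to handle: $k' = \sum_j s_j\,\sigma_d(j)$ and $r' = \sum_i t_i\,\rho(i)$ are sums over subsets of $\{1,\ldots,n\}$ and so lie in $[0,\, n(n+1)/2]$; the example therefore lets Alice's pad list in Round 3 and Bob's search in the final step run over $0, \ldots, n(n+1)/2$, since with a range of $1, \ldots, n(n-1)/2$ decoding cannot succeed whenever the chosen bits select the largest indices (or no index at all).

```python
"""Toy run of the 5-round 1-2 string Oblivious Transfer protocol of Section 2.
Added example, not the paper's code; constructed toy parameters, far below the paper's sizes."""
import hashlib
import random

P = 65537                 # prime with p - 1 = 2^16: order-(p-1) elements are the QNRs
N = 6                     # number of secret bits t_i (Alice) and s_j (Bob)
Q = 32                    # message length q = output size of h_1 (bits)
Q_PRIME = 64              # output size of h_2 (bits)
K_MAX = N * (N + 1) // 2  # largest possible value of sum_j s_j*sigma(j) and sum_i t_i*rho(i)


def h1(x):
    """h_1 : F_p -> {0,1}^q, instantiated (assumption) as SHA-256 truncated to q bits."""
    digest = hashlib.sha256(b"h1|" + x.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - Q)


def h2(m):
    """h_2 : {0,1}^q -> {0,1}^q'; truncated SHA-256 stands in for the paper's injective OWF."""
    digest = hashlib.sha256(b"h2|" + m.to_bytes(Q // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - Q_PRIME)


def prod_mod(factors):
    """Product of an iterable of integers modulo p (empty product is 1)."""
    v = 1
    for f in factors:
        v = v * f % P
    return v


def random_generator(rng):
    """Random element of order p - 1 in F_p^x (for this p: any quadratic non-residue)."""
    while True:
        g = rng.randrange(2, P)
        if pow(g, (P - 1) // 2, P) != 1:
            return g


def random_perm(rng):
    """Random permutation of {1, ..., n}; perm[j] is the image of the (0-based) position j."""
    perm = list(range(1, N + 1))
    rng.shuffle(perm)
    return perm


def decode(pads_d, z_d, tau_B, inv_beta):
    """Bob's final step: strip beta^r, unmask with each pad s_{k,d}, accept when h_2 hits z_d."""
    for r in range(K_MAX + 1):
        hf = h1(pow(inv_beta, r, P) * tau_B % P)
        for pad in pads_d:
            if h2(hf ^ pad) == z_d:
                return hf ^ pad
    return None


def run_protocol(bob_wants_a, seed=0):
    rng = random.Random(seed)
    C = [[rng.randrange(P) for _ in range(N)] for _ in range(N)]  # public matrix C

    def fresh_base():  # element x with x != -c_{i,j} for all i, j, so all factors are in F_p^x
        while True:
            x = rng.randrange(P)
            if all((x + C[i][j]) % P for i in range(N) for j in range(N)):
                return x

    # Round 1 (Alice): bits t, distinct bases a, b, distinct generators, permutations, eq. (1).
    t = [rng.randrange(2) for _ in range(N)]
    a, b = fresh_base(), fresh_base()
    while b == a:
        b = fresh_base()
    alpha = {a: random_generator(rng), b: random_generator(rng)}
    while alpha[b] == alpha[a]:
        alpha[b] = random_generator(rng)
    sigma = {a: random_perm(rng), b: random_perm(rng)}
    mu = {x: [pow(alpha[x], sigma[x][j], P) * prod_mod(x + C[i][j] for i in range(N) if t[i]) % P
              for j in range(N)] for x in (a, b)}

    # Round 2 (Bob): bits s and the two tau_A values, eq. (2).
    s = [rng.randrange(2) for _ in range(N)]
    tau_A = {x: prod_mod(mu[x][j] for j in range(N) if s[j]) for x in (a, b)}

    # Round 3 (Alice): messages, z = h_2(m), and pad lists over k = 0 .. K_MAX, eq. (3).
    m = {a: rng.getrandbits(Q), b: rng.getrandbits(Q)}
    z = {x: h2(m[x]) for x in (a, b)}
    inv_alpha = {x: pow(alpha[x], -1, P) for x in (a, b)}
    pads = {x: [h1(pow(inv_alpha[x], k, P) * tau_A[x] % P) ^ m[x] for k in range(K_MAX + 1)]
            for x in (a, b)}

    # Round 4 (Bob): choice d, generator beta, permutation rho, the nu_i, eq. (4).
    d = a if bob_wants_a else b
    beta, rho = random_generator(rng), random_perm(rng)
    nu = [pow(beta, rho[i], P) * prod_mod(d + C[i][j] for j in range(N) if s[j]) % P for i in range(N)]

    # Round 5 (Alice): tau_B, eq. (5).
    tau_B = prod_mod(nu[i] for i in range(N) if t[i])

    inv_beta = pow(beta, -1, P)
    recovered = decode(pads[d], z[d], tau_B, inv_beta)

    # Identities (6) and (7): both tau values hide the same f(d) = prod (d + c_ij)^(t_i s_j).
    f_d = prod_mod(d + C[i][j] for i in range(N) for j in range(N) if t[i] and s[j])
    k_prime = sum(sigma[d][j] for j in range(N) if s[j])
    r_prime = sum(rho[i] for i in range(N) if t[i])
    identities_hold = (pow(inv_alpha[d], k_prime, P) * tau_A[d] % P == f_d
                       and pow(inv_beta, r_prime, P) * tau_B % P == f_d)

    return {"m_a": m[a], "m_b": m[b], "recovered": recovered,
            "k_prime": k_prime, "r_prime": r_prime, "identities_hold": identities_hold}


if __name__ == "__main__":
    for want_a in (True, False):
        print(run_protocol(want_a, seed=1))
```

The decoding loop is the $O(n^4 \cdot \text{cost of } h_2)$ term of Theorem 1 in miniature: Bob tries every pair $(r, k)$ and lets the check $h_2(\cdot) = z_d$ pick out the one for which both exponents are stripped correctly. Dropping the `seed` argument, or passing a different one, re-randomizes every choice while the returned `identities_hold` flag should stay true.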