Information-Theoretic Interactive Hashing and Oblivious ... - IEEE Xplore

Download PDF
2 downloads 0 Views 616KB Size Report
Comment
Interactive Hashing: Alice sends string w to Bob, who receives two strings w0,w1, labeled ...... The authors are grateful to Paul Dumais and Joe Kilian for various ...
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 61, NO. 10, OCTOBER 2015

5623

Information-Theoretic Interactive Hashing and Oblivious Transfer to a Storage-Bounded Receiver Christian Cachin, Fellow, IEEE, Claude Crépeau, Julien Marcil, and George Savvides

Abstract— Interactive hashing has featured as an essential ingredient in protocols realizing a large variety of cryptographic tasks, notably oblivious transfer in the bounded storage model. In interactive hashing, a sender transfers a bit string to a receiver such that two strings are received, the original string and a second string that appear to be chosen at random. This paper presents a self-contained, information theoretic study of interactive hashing. We start by formalizing the notion of interactive hashing as a cryptographic primitive, disentangling it from the specifics of its various implementations. To this end, we present an application-independent set of information theoretic conditions that all interactive hashing protocols must ideally satisfy. We then provide a detailed analysis of a standard implementation of interactive hashing which is shown to satisfy all the conditions of our definition. Our analysis represents a significant improvement over previous attempts in more restricted contexts. Despite its generality, it offers a considerably simpler proof of security. Moreover, it establishes a tighter upper bound on the cheating probability of a dishonest sender, who wishes to manipulate the protocol so that both output strings have some rare desirable property. In particular, we prove that if the set of desirable strings for the dishonest sender represents a fraction f of all strings, then the probability that both outputs will be from this set is no larger than 15.6805 · f . This upper bound is valid for any f and is tight up to a small constant, since a sender acting honestly would get two outputs from this set with probability very close to f . We illustrate the power of interactive hashing as a cryptographic tool by surveying protocols achieving oblivious transfer in the bounded storage model, which typically rely heavily on interactive hashing. Index Terms— Interactive hashing, oblivious transfer, bounded storage model.

I. I NTRODUCTION

I

NTERACTIVE Hashing (IH) is a cryptographic primitive that allows a sender (Alice) to transmit a bit string w to a receiver (Bob) who receives two output strings, labeled w0 , w1 according to lexicographic order. The primitive guarantees that one of the two outputs is equal to the original input. The other string is guaranteed to be effectively random, in the sense that it is chosen beyond Alice’s control, even if she acts dishonestly. On the other hand, provided that from Bob’s point of view w0 , w1 are equiprobable inputs for Alice, the primitive Manuscript received December 17, 2013; accepted December 24, 2014. Date of current version September 11, 2015. C. Cachin is with the IBM Zürich Research Laboratory, Rüschlikon CH-8803, Switzerland (e-mail: [email protected]). C. Crépeau is with the School of Computer Science, McGill University, Montréal, QC H3A 0G4, Canada (e-mail: [email protected]). J. Marcil (e-mail: [email protected]). G. Savvides (e-mail: [email protected]). Communicated by U. M. Maurer, Associate Editor for Complexity and Cryptography. Digital Object Identifier 10.1109/TIT.2015.2450732

Fig. 1. Interactive Hashing: Alice sends string w to Bob, who receives two strings w0 , w1 , labeled according to lexicographic order. One of the two (in our example, w0 ) is equal to the input string while the other is effectively randomly chosen. Bob cannot distinguish which of the two was the input.

guarantees that Bob cannot guess which of the two was the original input with probability greater than 1/2. We remark that typically both outputs are also available to Alice. See Figure 1. In this article we provide a study of Interactive Hashing in the information theoretic setting and in isolation of any surrounding context. This modular approach allows specific implementations of Interactive Hashing to be analyzed independently of any applications in which they appear. It thus leads to a better appreciation of the power of Interactive Hashing as a cryptographic primitive in its own right. A. Organization of the Paper We present the previous work on Interactive Hashing in Section II. In Section III we identify and formalize the information theoretic security properties of Interactive Hashing. Then, in Section IV we turn our attention to the Interactive Hashing implementation that appeared as a sub-protocol in [24] and demonstrate that despite its simplicity, it meets all security properties set forth in Section III. Our new proof of security is an important improvement over the proof that appeared in [5], where we demonstrated that a slight variant of the IH protocol of [24] could be securely used in the specific scenario. Our new proof is more general, as it is based on the security properties of Section III which do not rely on the specific context of any application. Moreover, our proof is significantly simpler and more intuitive. Lastly, it provides an easier to use and much tighter upper bound on the probability that the protocol fails to ensure that one of the two strings is sufficiently random. In the last part of the paper, we review applications of Interactive Hashing to protocols for Oblivious Transfer (OT). In Section V, we first recall the notion of OT and provide a new, simple reduction among two flavors of OT, based on

0018-9448 © 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

5624

IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 61, NO. 10, OCTOBER 2015

Interactive Hashing. Then we review Oblivious Transfer in the bounded storage model, which critically relies on Interactive Hashing in all known implementations. We demonstrate the role of Interactive Hashing in such protocols using our earlier work [5] and its subsequent improvements. (That paper also contained the first draft of information theoretic analysis of Interactive Hashing.) II. P REVIOUS W ORK Various implementations of Interactive Hashing have appeared as sub-protocols in the cryptographic literature, first in computational contexts where at least one of the participants is polynomially bounded and later also in contexts where security is unconditional (information theoretic). While reviewing the previous work, the reader should bear in mind that so far, Interactive Hashing has never been presented as an independent primitive.1 Instead, it only appears within the context of larger protocols achieving a variety of different cryptographic tasks. Not surprisingly, the properties it is expected to have can vary significantly from one application to the next, and thus the proof of security in each case depends on the specific setting. A. Interactive Hashing in Computational Contexts Interactive Hashing first appeared as a sub-protocol within a protocol achieving Oblivious Transfer from an unbounded sender to a polynomial-time bounded receiver [24]. Soon thereafter, Interactive Hashing was deployed in various other scenarios, such as zero-knowledge proofs [26] and bit commitment schemes [17], [23], [25], where at least one of the participants was computationally bounded. An illustrative example of its applications in such computational contexts is the bit commitment scheme of Naor et al. [23]. We briefly remind the reader that a bit commitment scheme allows a player, Alice, to send a commitment to a bit b of her choice to some other player, Bob. The scheme should guarantee that, on one hand, the value of b remains hidden from (dishonest) Bob until the decommitment phase, when Alice opens the commitment and reveals the value of b she had committed to. On the other hand, the scheme should also guarantee that after the commitment phase, (dishonest) Alice is only able to decommit to one value. In the bit commitment scheme of [23], Alice commits to a bit b by choosing uniformly at random a string m ∈ {0, 1}t , computing w = π(m) where π is a one-way permutation,2 and sending the image w to Bob using Interactive Hashing. Alice then announces a labeling of the two outputs w0 , w1 such that wb = w (this labeling allows her to later decommit to the right value). Note that b remains perfectly hidden even from a computationally unbounded3 Bob since, by the 1 Since our original introduction in [5] of information theoretic Interactive Hashing as a standalone primitive, Interactive Hashing in computational contexts has also been defined in [17] and [18] as a standalone tool. 2 In short, a one-way permutation π has the property that it can be efficiently evaluated on any input x, yet given an image y chosen uniformly at random, it is computationally infeasible to compute the pre-image x such that π(x) = y, except with negligible probability. 3 A computationally unbounded player can be thought of as having infinite computational power at his disposal.

properties of Interactive Hashing, Bob cannot tell which of w0 , w1 was Alice’s original input since they are both equally likely to be the image of Alice’s uniformly chosen string m (recall that π is a permutation). At a later time, Alice decommits to b by announcing m, namely the pre-image under π of one of w0 , w1 . As Interactive Hashing guarantees that one of the two outputs is chosen effectively at random, cheating would imply having to invert π on a random string in {0, 1}t . Therefore, if π is one-way, Alice can only cheat a negligible fraction of the time. Indeed, the security of this commitment scheme is formally proved via a reduction showing that if (polynomially-bounded) Alice can decommit both ways a non-negligible fraction of the time, then there exist efficient algorithms that invert π, thereby contradicting its one-wayness. B. Interactive Hashing in Information Theoretic Contexts Beside the computational scenarios in which it was originally used, Interactive Hashing proved to be an important tool in information theoretic contexts as well. Its first such use was in protocols for Oblivious Transfer which are information-theoretically secure under the sole assumption that the receiver’s storage is bounded [1], [5], [12], [13], a subject which we explore in greater length in Section V-C. Interactive Hashing was later used to optimize reductions between Oblivious Transfer variants [9]. We remark that while some of the security properties required of Interactive Hashing in information theoretic settings bear a very close resemblance to their counterparts in computational settings, some other properties are substantially different. Moreover, the transition from computational to information theoretic settings requires a re-evaluation of all security properties of any protocol. For this reason, starting with [5], the security properties of the underlying Interactive Hashing sub-protocol have been re-evaluated in the light of the specific, information theoretic context in which it was used. III. I NFORMATION -T HEORETIC S ECURITY D EFINITION OF I NTERACTIVE H ASHING We now formalize the security properties that Interactive Hashing is expected to satisfy in information theoretic contexts.4 As these properties do not depend on any specific application, they allow us to define Interactive Hashing as an independent cryptographic primitive. Definition 1: Interactive Hashing is a cryptographic primitive between two players, the sender and the receiver. It takes as input a string w ∈ {0, 1}t from the sender, and produces as output two t–bit strings one of which is w and the other w = w. The output strings are available to both the sender and the receiver, and satisfy the following properties: 1) Indistinguishability: The receiver cannot tell which of the two output strings was the original input. Let the two output strings be w0 , w1 , labeled according to lexicographic order. Then if both strings were a priori 4 In some specific applications, such as the one described in Section V-C, one or more of the security properties may actually be relaxed.

CACHIN et al.: INFORMATION-THEORETIC INTERACTIVE HASHING AND OBLIVIOUS TRANSFER TO A STORAGE-BOUNDED RECEIVER

Protocol 1 Interactive Hashing Let w be a t-bit string that the sender wishes to send to the receiver. All operations below take place in the binary field F2 . 1) The receiver chooses a (t − 1) × t matrix Q uniformly at random among all binary matrices of rank t − 1. Let qi be the i th query, consisting of the i th row of Q. 2) For 1 ≤ i ≤ t − 1 do: a) The receiver sends query qi to the sender. b) The t sender responds with ci = qi  w = j =1 qi j w j . 3) Given Q and c (the vector of the sender responses), both parties compute the two values of w consistent with the linear system Q · w = c. These solutions are labeled w0 , w1 according to lexicographic order.

equally likely to have been the sender’s input w, then they are a posteriori equally likely as well.5 2) Uniformity: When both participants are honest, the input is equally likely to be paired with any of the other strings. Let w be the sender’s input and let w be the second output of interactive hashing. Then provided that both participants follow the protocol, w will be uniformly distributed among all 2t − 1 strings different from w. 3) Unicity: The sender cannot force both outputs to have a rare property. Let G be a subset of {0, 1}t representing the sender’s “good set”. Let G be the cardinality of G and let T = 2t . Then if G/T is “small”, the probability that a dishonest sender will succeed in having both outputs w0 , w1 be in G is comparably “small”. Remark: In the computational contexts of Section II-A, similar properties to Indistinguishability and Uniformity were also required. On the other hand, the computational counterpart to Unicity is usually stated quite differently, as there is no predetermined good set G. For instance, in [23] where the outputs of Interactive Hashing are interpreted as images under a oneway permutation π, one of the two outputs is required to be sufficiently random so that any polynomial-time algorithm that can produce pre-images to both outputs (a significant fraction of the time) can be used to efficiently invert π on a randomly chosen string (with non-negligible probability).

IV. A P ROTOCOL FOR I NTERACTIVE H ASHING AND A N EW P ROOF OF I TS S ECURITY We will be examining the implementation of Interactive Hashing given in Protocol 1. This standard implementation was originally introduced in a computational context by Ostrovsky et al. [24]. In Section IV we will see that this very simple protocol actually meets all our information theoretic security requirements as well. 5 Note that if we want this property to hold for all possible outputs, then w must be uniformly chosen. Otherwise, it will only hold whenever w happens to be paired with a string w  having the same a priori probability as w.

5625

Remark: One way of choosing the matrix Q is to choose a (t −1)×t binary matrix uniformly at random and test whether it has rank t − 1, repeating the process if necessary. Note that a later variation of the protocol [23] chooses Q in a canonical way to guarantee that it has rank t − 1. However, this appears to complicate the proof of security. Theorem 1 establishes the security of Protocol 1. Theorem 1: Protocol 1 satisfies all three information theoretic security properties of Definition 1. Specifically, for Unicity, it ensures that a dishonest sender can succeed in causing both outputs to be in the “good set” G with probability at most 15.6805 · G/T . Theorem 1 follows from Lemmas 1 and 2, which we prove in Sections IV-A and IV-B, respectively. Lemma 1: Protocol 1 satisfies Indistinguishability and Uniformity of Definition 1. Lemma 2: Protocol 1 ensures that a dishonest sender can succeed in causing both outputs to be in the “good set” G with probability at most 15.6805 · G/T .

A. Satisfying Indistinguishability and Uniformity Protocol 1 essentially builds the linear system of equation (1) in a row-by-row manner. ⎛ ... ⎜. . . ⎜ ⎜ ⎜ .. ⎝ . ...

q1 q2 .. . qt −1



⎞ ⎛ ⎞ c1 ... ⎛ . ⎞ . .⎟ ⎜ c ⎟ . . .⎟ ⎟ ⎜ ⎟ ⎜ 2 ⎟ ⎟·⎜ ⎟ w⎟ = ⎜ .. ⎟ ⎜ ⎜ . ⎟. . ⎠ ⎝ . ⎠ ⎝ .. ⎠ .. ct −1 ...

(1)

Q

The properties of the linear system easily establish that Indistinguishability of Definition 1 is met, in other words, that the receiver cannot guess which of the two output strings was the sender’s original input to the protocol. Let V be the receiver’s (marginal) view at the end of the protocol and let w0 , w1 be the corresponding output strings. Note that V would be identical whether the sender’s input was w0 or w1 , as the responses obtained after each challenge would be the same in both cases. Consequently, if before the protocol begins the sender is equally likely to have chosen w0 and w1 as input — both with some typically very small probability α — then at the end of the protocol, given the view V , each of these two strings has equal probability 1/2 of having been the original input string. We observe that a dishonest receiver would have nothing to gain by selecting a matrix Q in a non-random fashion or by selecting a matrix with rank less than t − 1. As for Uniformity, let w be the sender’s input and let w be the second output of Interactive Hashing. We first note that since the linear system has two distinct solutions, it is always the case that w = w. To see that w is uniformly distributed among all strings in {0, 1}t \ w, it suffices to observe that Q is chosen uniformly at random among all rank t − 1 matrices and that the number of such Q’s satisfying Q(w) = Q(w ) ⇔ Q(w − w ) = 0 is the same for any

5626

IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 61, NO. 10, OCTOBER 2015

6 to each such pair w, w  w = w. To be more  t −1 

t −2 specific, correspond exactly i=0 2 − 2i matrices Q.

TABLE I N OTATION

B. Satisfying Unicity The bulk of the proof is devoted to the considerably more ambitious undertaking of proving Lemma 2 establishing that Unicity is also met. Note √ that Unicity would be rather easy to satisfy when G ∈ o( T ) as in this case, the probability that a matrix Q selected as in Protocol 1 will lead to collisions7 within G is negligible. Consequently, in this scenario there would not even be a need for interaction since the sender could simply send the whole of Q in one round. Interaction only becomes necessary for larger sets G for which the probability of collision becomes significant because of the Birthday Paradox.8 What we will show is that interaction in effect “beats” the Birthday Paradox, in the sense that a dishonest sender can only produce a collision in G with probability O(G/T ). 1) Notation: Table I presents the notation we will be using for the rest of the proof. Remark: at the beginning of Protocol 1, G i , Pi , etc. are random variables whose exact value will only be determined at the beginning of round i . The intended interpretation of statements such as Pi = G i (G2i −1) G2

or Pi < 2i is that the relation holds in all executions of the protocol once the corresponding values are fully determined. When we say that we condition on a given value of G i , say, the intended interpretation is that we are setting G i to a specific value gi . All associated variables determined at the same round (such as Pi ) are then also implicitly set to the specific values corresponding to gi , but variables such as G i+1 , whose exact value will depend on future queries, still remain undetermined. 2) Alice’s Cheating Strategy: At the beginning of round i , Alice has G i good strings which are then split into G 0i , G 1i by query qi . It is tempting to assume that the optimal cheating strategy for Alice is to always choose the value of ci that allows her to carry the larger of the two sets into the next round. This would simplify our analysis since it would allow us to establish both an upper and a lower bound on the expected size of G i for all i . However intuitively obvious it may be, though, proving that choosing the maximum subset is indeed the optimal strategy for Alice is not that straightforward.9 To avoid this difficulty, we will consider an imaginary Alice to whom we grant extra powers compared to real Alice, subject to the following condition: after query qi splits the G i remaining strings into two sets of cardinality G 0i and G 1i , imaginary Alice can choose and announce either value for ci , and must then construct a new set of good strings to be 6 To see this, let v = w − w  . As v  = 0 , the equation q  v = 0 has 2t−1 solutions. A matrix Q of rank t − 1 satisfying Q(v) = 0 must have rows q1 , . . . , qt−1 that are non-zero and linearly independent of all previous rows. 7 A collision occurs when there exist strings w , w ∈ G such that Q · w = 0 1 0 Q · w1 . In other words, when w0 − w1 = w where w is the unique non-zero solution to the equation Q(w) = 0 . 8 According to the Birthday Paradox, it is almost certain that there will be √ collisions if G ∈ ω( T ). 9 The structure of the subsets may have an impact on the future probability of cheating. For example, sets consisting of linear subspaces are probably undesirable to dishonest Alice, as each incoming query would break them into two subsets of equal cardinality. It is thus conceivable that in some cases, the smaller subset might be preferable to the larger one.

carried forward into the next  This new set must be  round. of cardinality G i+1 = max G 0i , G 1i and its contents can be chosen arbitrarily among all strings that satisfy Equation (1) up to and including the row containing qi . We remark that intuitively, it would be in imaginary Alice’s best interest to choose the value of ci and the contents of the set so as to maximize the probability that two good strings will remain at the end of the protocol. However, for the purposes of our proof, we do not need to assume anything about imaginary Alice’s actual strategy; it suffices to argue that imaginary Alice is no less powerful than real Alice. This is true because whatever strategy real Alice uses, imaginary Alice can always copy it by choosing the same value for ci in each round, and by defining the set she carries into the next round to contain all the strings that real Alice would carry, plus some arbitrarily chosen strings to reach the size imposed by our condition. Thus, if we were to run the two Alices in parallel, with the same queries, then for all i , imaginary Alice’s G i would be a superset of real Alice’s G i . It is easy to see that real Alice cheats only if imaginary Alice copying real Alice’s strategy cheats. Therefore, real Alice is no more likely to cheat than imaginary Alice, so if we show that any strategy followed by imaginary Alice can succeed with probability no larger than p, the same bound will apply to any strategy followed by real Alice as well. From this point on, we will assume that we are dealing with imaginary Alice.

CACHIN et al.: INFORMATION-THEORETIC INTERACTIVE HASHING AND OBLIVIOUS TRANSFER TO A STORAGE-BOUNDED RECEIVER

3) Some Preliminary Results: Lemma 3: Alice’s strategy implies the following relations for all i : Gi ≥ 1 Gi ≥

(2)

G 

2i−1

Gi (G i )2 + − G 0i G 1i 2 4 G m (G i − 1) − G 0i G 1i = i 2 ≤ Pi − G 0i G 1i .

(3)

G i+1 = G m i =

(4)

Pi+1

(5)

Pi+1

Equation (4) gives the larger of the two solutions to this quadratic  equation (the smaller one would be G ni =

(5)

Gi 2



(G i )2 4

− G 0i G 1i ).

 2 (G m − 1) = G m − Gm We have: 2Pi+1 = G m i i i i .  m 2 m 0 1 = G i G i − G i G i we get Substituting G i 0 1 m 2Pi+1 = (G i G m i − Gi Gi ) − Gi 0 1 = Gm i (G i − 1) − G i G i .

(6)

Note that G 0i G 1i can be interpreted as the number of pairs in Pi that are separated by query qi (one element of the pair is mapped to 0 and the other to 1). These pairs will be separated no matter what value Alice announces for ci . It is thus intuitively obvious that Pi+1 cannot be any larger than Pi −G 0i G 1i . More precisely, we now show that Pi − G 0i G 1i − Pi+1 ≥ 0. We have 2Pi − 2G 0i G 1i − 2Pi+1 n m m = G i (G i − 1) − 2G m i G i − G i (G i − 1) n m m m n = (G m i + G i )(G i − 1) − G i (G i − 1) − 2G i G i m n n = Gm i (G i − 1 − G i + 1 − 2G i ) + G i (G i − 1) m n n = −G i G i + G i (G i − 1)

= G ni (G i − G m i − 1) n n = G i (G i − 1) ≥0

Lemma 4: Conditioning on a given (specific) value of G i the expected value of G 0i G 1i satisfies   2t −1   0 1 E Gi Gi | Gi = (7) Pi 2t − 2i−1 1 (8) ≥ Pi. 2 Proof: Let Gi be any set having cardinality G i . We can arbitrarily enumerate all its strings and write G 0i =

(6)

Proof: (2) Assume that for some i we have G i ≥ 1. Then, as query qi separates Alice’s good strings into those that evaluate to 0 and those that evaluate to 1 and Alice’s strategy is to carry into the next round a subset of cardinality equal to that of the larger set, it will necessarily be the case that G i+1 = G m i ≥ 1. Consequently, provided that G 1 ≥ 1, it follows by induction that for all i we have G i ≥ 1. (3) It follows from Alice’s strategy that for all i , G i+1 ≥ G i /2. We then apply this bound i − 1 times to get from G 1 = G to G i .  2 n m (4) We can write G m = Gm i i (G i − G i ) = G i G i − m n m n 0 1 G i G i . As G i G i = G i G i , this implies  m 2 0 1 Gi − Gi Gm i + G i G i = 0.

since G ni is always a non-negative integer. 

5627

Gi 

zj

G 1i =

and

j =1

Gi 

nj

j =1

where z j (resp. n j ) is an indicator random variable taking on the value of 1 whenever the corresponding string in Gi is mapped to 0 (resp. 1) by query qi (which has not been sent yet). Then we have ⎛ ⎞⎛ ⎞ Gi Gi   z j ⎠·⎝ nj⎠ G 0i G 1i = ⎝ j =1

j =1

= z 1 n 1 + · · · + z G i n G i +z 1 n 2 + z 1 n 3 + · · · + z G i n G i −1



G 2i − G i terms (B)

G i terms (A)

=

Gi Gi    j =1 k= j +1



 z j nk + zk n j .



(9)



(G 2i − G i )/2 = Pi terms

The last step follows by observing that part A vanishes since ∀ j, z j n j = 0 and by grouping the terms in B into the sum of Pi terms of type z j n k + z k n j with k > j .  We will now show that ∀ j, k( j = k) E z j n k + z k n j = 2t−1 . Note that we are still conditioning on the same G i . 2t −2i−1 Fix j, k such that 1 ≤ j, k ≤ G i and j = k. Let w j , wk be the corresponding strings in Gi . There are two cases to consider: Let’s count the queries that result Case 1: w j , wk = 0. in z j n k = 1. These queries must satisfy ⎛ ⎞ ..     . ⎜ 0 . . . wj . . . ⎜ ⎟ · ⎝qi ⎟ = . (10) ⎠ . . . wk . . . 1 .. . As w j , wk are different and non-zero, they are linearly independent. Consequently, there are exactly 2t −2 solutions for qi . Note that all such solutions are linearly independent of all previous queries. This is because both w j , wk satisfy the linear system of Equation (1) up to the row containing qi−1 , which makes it impossible for a linearly dependent query qi to map them to different values. At this round there are 2t − 2i−1 valid queries qi for Bob to choose from (since the 2i−1 queries that are linearly  dependent  t−2 on q1 , . . . , qi−1 are excluded). Therefore E z j n k = 2t 2−2i−1   and by symmetry the same holds for E z k n j . Consequently by linearity of expectation we have:   E z j nk + zk n j =

2t −1 . 2t − 2i−1

5628

IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 61, NO. 10, OCTOBER 2015

Without loss of generality, Case 2: one of w j , wk is 0. suppose it is w j . Then no query can result in z k n j = 1. Let’s count the queries that produce z j n k = 1. These must satisfy the system 

... ...

wj wk

⎛ ⎞ ..    . ⎜ ... ⎜ ⎟ 0 ⎟ · ⎜qi ⎟ = . ⎠ ⎝ ... 1 .. .

(13)



(11)

2t −1 . 2t − 2i−1

(14)

Combining the two cases, we see that all Pi terms in (9) satisfy   E z j nk + zk n j =

2t

1 2t −1 ≥ − 2i−1 2

and so, by linearity of expectation  E

G 0i G 1i



| Gi =



2t −1 2t − 2i−1

Using Lemma 4 we bounds: Lemma 5: We have

can



  1 Pi . Pi ≥ 2

establish

the

√   Gi + Gi E G i+1 | G i ≤ 2   i+1   1 2 2 E Pi+1 | Pi ≤ Pi 1+ √ 4 G  t    2 − 2i 1 E Pi+1 | Pi ≤ Pi . 2 2t − 2i−1

(12)

 following

(13) (14)

(15)

Proof: We first remark that conditioning on a specific value of Pi (i.e. setting Pi = p) is equivalent to conditioning on the corresponding value of G i and vice versa as the value of one uniquely11 determines the other. 10 This is because as w = 0 , we must have had c1 = c2 = · · · = ci−1 = 0 j and so a linearly dependent query would necessarily map wk to 0. For the special case of the first round, observe that q1 = 0 (the only disallowed query) would map wk to 0. 11 G uniquely determines P = G i (G i −1) . On the other hand, given P i i i 2 there are two solutions to the corresponding quadratic equation for G i of which only the larger is valid since the smaller one is either negative or zero, in violation of (2).



⎡

(15)



Gi (G i ) +E⎣ − G 0i G 1i | G i ⎦ 2 4  " # Gi ! (G i )2 0 1 + E − Gi Gi | Gi ≤ 2 4 2

E Gm i | Gi =

This system has (effectively) one equation with t unknowns and hence 2t −1 solutions for qi , all of which are linearly independent of all previous queries.10 As in Case 1, Bob has 2t − 2i−1 possible values for qi to   t−1 choose from, from which it follows that E z j n k = 2t 2−2i−1 .   Since E z k n j = 0, we have that again,   E z j nk + zk n j =

From (4) we have

by Jensen’s Inequality    Gi (G i )2 = + − E G 0i G 1i | G i 2 4 by linearity of expectation  G i (G i − 1) 1 Gi (G i )2 + − ≤ 2 4 2 2 using (8) √ Gi + Gi = . 2 Using (5), we get the following:    1  0 1 E Pi+1 | G i = E G m i (G i − 1) − G i G i | G i 2 (16)  m  1 = (G i − 1) E G i | G i 2  1  − E G 0i G 1i | G i (17) 2 √ Gi + Gi 1 ≤ (G i − 1) 2 2 1 G i (G i − 1) (18) − 2 4   G i (G i − 1) 2 = (19) 1+ √ 8 Gi   2 1 1+ √ Pi (20) = 4 Gi   i+1 1 2 2 ≤ (21) Pi . 1+ √ 4 G Note that (17) follows by linearity of expectation, (18) follows from bounds (2), (8), (13) while (21) is obtained by applying Inequality (3). From (6) we have     E Pi+1 | Pi ≤ Pi − E G 0i G 1i | Pi   2t −1 = Pi − Pi using (7) 2t − 2i−1   t 1 2 − 2i = Pi . 2 2t − 2i−1

 Lemma 6: Let 1 ≤ b ≤ t − 1 be a positive integer. Let def u−b R = 2 2 . Then the expected number of pairs at the end of Protocol 1 satisfies  ∞  $ 2 G R −2 · E [Pt ] ≤ ·R · (22) 1 + j/2 . T 2 − 2−b 2 j =0

Y

CACHIN et al.: INFORMATION-THEORETIC INTERACTIVE HASHING AND OBLIVIOUS TRANSFER TO A STORAGE-BOUNDED RECEIVER

Proof: Starting from (14) we get ∞ 

  E Pi+1 | Pi = p · Pr [Pi = p]

p=0

  i+1 ∞  2 2 1 ≤ 1+ √ · p · Pr [Pi = p] 4 G p=0

which implies

  i+1 2 2 1 1+ √ E [Pi ] E Pi+1 ≤ 4 G & 1% 1 + 2(i+1−t +u)/2 E [Pi ] replacing G = 2t −u = 4 1 def = (1 + Ri ) E [Pi ] Ri = 2(i+1−t +u)/2 . (23) 4 Similarly, taking expectations on both sides of (15), we get   t   1 2 − 2i E Pi+1 ≤ (24) E [Pi ]. 2 2t − 2i−1 



Note  that  (23) and (24) are both valid upper bounds on E Pi+1 for any i . Note also that these two inequalities remain valid if E [Pi ] on the right hand side is replaced by any upper bound for E [Pi ]. Let a = (t − 1) − b. Suppose that we start by sequentially applying (23) a times. Then, a   1 $ E Pa+1 ≤ E [P1 ] · a (1 + Ri ) 4 i=1

a 1 $ = P1 a (1 + Ri ) since E [P1 ] = P1 4 i=1  a−1  √ Ra 1 $ 1 + i/2 using Ri /Ri−1 = 2 = P1 · a 4 2 i=0   a−1 u−b R 1 $ 1 + i/2 since Ra = R = 2 2 = P1 · a 4 2 i=0  ∞  $ 1 R ≤ P1 · a 1 + i/2 since all terms are ≥ 1. 4 2 i=0

(25) Now suppose we sequentially apply (24) for the last b rounds to get an upper bound for E [Pt ] in terms of E Pt −b . Then  t −1  t   1 $ 2 − 2i E [Pt ] ≤ E Pt −b · b 2 2t − 2i−1 i=t −b  t  t    1 2 − 2t −b 2 − 2t −b+1 ... = E Pt −b · b 2 2t − 2t −b−1 2t − 2t −b  t    2 − 2t −2 2t − 2t −1 ... t 2 − 2t −3 2t − 2t −2  t   1  2 − 2t −1 = E Pt −b · b 2 2t − 2t −b−1     1 1 = E Pt −b · b 2 2 − 2−b    1  1 (26) = E Pa+1 · b 2 2 − 2−b

5629

where Equation (26) follows from the fact that t − b = a + 1. Combining (25) and (26), we have  $  ∞  1 R 1 1 1 + E [Pt ] ≤ P1 · a b 4 2 2 − 2−b 2i/2 i=0  $  ∞  G 2 −2a−b 1 R 2 ≤ 1 + i/2 (27) 2 2 − 2−b 2 i=0  $  ∞  1 R 1 + (28) = 22t −2u−1−2a−b 2 − 2−b 2i/2 i=0  $  ∞  1 R = 2b+1−2u 1 + (29) 2 − 2−b 2i/2 i=0  $  ∞  1 R −u b−u 1 + i/2 = 2 ·2·2 2 − 2−b 2 i=0  $  ∞  G 1 R −2 ·2· R = 1 + i/2 . (30) T 2 − 2−b 2 i=0

. Note that for Equation (27) we used the fact that P1 = G(G−1) 2 For Equation (28) recall that G = 2t −u . Equation (29) uses 2t − 2a = 2b + 2 while Equation (30) follows from u−b  G/T = 2−u and R = 2 2 . We are now ready to prove Lemma 2, which, along with Lemma 1 establishes Theorem 1. Proof of Lemma 2: Remember that Pt is the number of pairs of good strings remaining at the beginning of round t. Since Pt = 1 if the both output strings are good and Pt = 0 otherwise, it follows that the probability that Alice cheats satisfies Pr [Pt = 1] = E [Pt ]. Consequently, the upper bound on E [Pt ] established by (22) is also an upper bound on the probability of successful cheating. Note that any integer value of b in (22) establishes a valid upper bound. We can fix12 b = u + 0.03 in which case part Y becomes a function of u only. The probability of cheating is thus upper bounded by min (G/T · Y (u), 1) = G/T ·min (Y (u), T /G). Recalling that G/T = 2−u , we set   Z (u) = min Y (u), 2u . A graph of Z (u) (see Figure 2) shows that it never exceeds 15.6805. It therefore holds that for all ratios G/T the probability that Alice cheats is upper bounded by 15.6805 · G/T .  Remark: The maximum of Z (u) cannot occur beyond the first few peaks depicted in Figure 2. To see this, recall that R = u−b 2 2 where b = u + 0.03, while Y (u) from Equation (22) can be expressed as the product of two factors, A and B, as follows:  ∞  $ R 2 −2 1 + j/2 . ·R · (31) Y (u) = 2 − 2−b 2 j =0

A

B

12 This value of b was chosen with the help of a 3-D graph of part Y of Equation (22). We remind the reader that however b is chosen, it establishes a valid upper bound.

5630

IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 61, NO. 10, OCTOBER 2015

Fig. 2. Graph of  Z (u) vs u, showing that the maximum value of  Z (u) = min Y (u), 2u does not exceed 15.6805. This maximum is attained at the intersection of Y (u) with 2u , occurring near u 1 = 3.9709. Note that Z (u) = 2u for u ≤ u 1 while Z (u) = Y (u) for u > u 1 .

Note that factor B of Equation (31) depends entirely on R, which, within any interval of length 1 of u, takes on all the values in (R0 , R1 ] where R0 = 2−1.03/2 and R1 = 2−0.03/2 . This explains the oscillations, whose peaks are decreasing due to the fact that A(u) is decreasing, converging to 1 as u → ∞. For any u, u  such that u  = u + 1, we have R  = R while b = b + 1. As A(u  ) < A(u) and B(u  ) = B(u), we have Y (u  ) < Y (u). This shows that the maximum cannot occur after the first two13 peaks of the graph. Without further analysis, we conclude with absolute certainty that the maximum of Z (u) occurs before u = 5 and thus Z (u) ≤ 25 , for all u. The thighter bound Z (u) ≤ 15.6805 was actually obtained from Figure 2 and the related numerical calculations. C. Contributions of Our New Proof An early version of this work [5] proved a similar property to Unicity for a slight variant of Protocol 1 in the context of storage-bounded Oblivious Transfer where again, the goal of a dishonest sender is to force both outputs of the protocol to be from a subset G of cardinality G (out of a total T = 2t ). While that approach relied on upper-bounding the number of the sender’s remaining good strings during the various rounds of the protocol, this work focuses instead on following the evolution of the number of pairs of good strings remaining after each round. This seems to be a more natural choice for this scenario, as there is exactly one such pair remaining at the end of the protocol if the sender succeeds in cheating and none otherwise (as opposed to two strings versus zero or one). Consequently, the probability of cheating is simply equal to the expected number of remaining pairs. Thanks to the nature of the protocol, it is relatively easy to establish an upper bound on the expected number of remaining pairs after each incoming query, and to keep track of its evolution through the protocol. Our approach not only leads to a simpler and more robust proof of security, but more importantly, it also allows us 13 Our reasoning does not allow us to claim that the global maximum cannot occur after the first peak of Z (u), as is in fact the case. This is because the first peak does not necessarily correspond to a peak of Y (u), but might be determined by the intersection of Y (u) with 2u . It is conceivable that this first intersection is lower than the peak of Y (u) immediately following it.

to establish a more general and much tighter upper bound on a dishonest sender’s probability of cheating. Specifically, it allows us to show that any strategy a dishonest sender might employ can succeed with probability no larger than 15.6805 · G/T , for all fractions G/T √ of√good strings. The corresponding upper bound in [5] is 2 · 8 G/T and is only −1 valid provided that G/T < 16t 8 . It should be noted that our upper bound is in fact tight up to a small constant. Indeed, the probability of succeeding in cheating using an optimal strategy is lower-bounded by the probability of getting two good output strings when the sender chooses w ∈ G as input and then acts honestly. By Uniformity of Interactive Hashing, w is equally likely to be paired with any of the remaining strings. It follows that the probability of w being paired with one of the other G − 1 good strings is exactly G − 1/T − 1. Assuming that G ≥ 2, our upper bound is larger%than &this   T −1 lower bound by a factor of at most 15.6805 · G T G−1 < % & G 15.6805 G−1 ≤ 2 · 15.6805. This establishes that our upper bound is tight up to a small constant in all cases where the possibility of cheating exists (cheating is impossible when G < 2). D. An Alternative Implementation Ding et al. [13] make use of a new, constant-round Interactive Hashing protocol to achieve Oblivious Transfer with a storage-bounded receiver. The main idea behind their protocol, which requires only four rounds of interaction (compared to t − 1 rounds in Protocol 1), is that if the receiver sends a random permutation π to the sender (Round 1) who then applies it to his input string w and announces a certain number of bits of π(w) (Round 2), then two more rounds suffice to transmit the remaining part of π(w) so that only 1 bit remains undetermined: in Round 3, the receiver chooses a function g uniformly at random from a family of 2–wise independent 2–1 hash functions, and in Round 4 the sender announces the value of the function applied to the remaining bits of π(w). The output of the Interactive Hashing protocol consists of the two possible inputs to the permutation π consistent with the values transmitted at rounds 2 and 4. The security of this scheme is based on the observation that the permutation π in the first round divides the (dishonest) sender’s good set G into buckets (indexed by the bits transmitted at Round 2), so that with high probability, in each bucket the fraction of good strings is below the Birthday Paradox threshold. This allows regular 2–1 hashing to be used in Rounds 3 and 4 to complete the protocol. It should be noted that since a random permutation would need exponential space to describe, the construction resorts to almost t-wise independent permutations, which can be efficiently constructed and compactly described. Unfortunately, the protocol of [13] is less general than Protocol 1 for a variety of reasons: first, its implementation requires that the two parties know a priori an upper bound on the cardinality of the dishonest receiver’s good set G, as this will determine the number of bits of π(w) announced in Round 2. Secondly, the upper bound for the probability that Unicity is not met is, according to the authors’ analysis,

CACHIN et al.: INFORMATION-THEORETIC INTERACTIVE HASHING AND OBLIVIOUS TRANSFER TO A STORAGE-BOUNDED RECEIVER

 (t · G/T ) and only applies when G ≥ 4t. Moreover, the protocol does not fully satisfy Uniformity, but only a slight relaxation14 of it. We leave it as an open problem to improve upon this construction. V. A PPLICATIONS TO O BLIVIOUS T RANSFER In this section, we first recall the notion of Oblivious Transfer (OT) and then demonstrate a new, simple reduction among two flavors of OT that relies on Interactive Hashing . In the last part, we review Oblivious Transfer implementations in the bounded storage model and their use of Interactive Hashing as one of the critical steps. A. Oblivious Transfer Oblivious Transfer is an important primitive in modern cryptography. It was originally studied by Wiesner [31] (under the name of “multiplexing”), in a paper that marked the birth of quantum cryptography and was later introduced to cryptography in several variations by Rabin [27] and by Even et al. [14]. Oblivious transfer has since become the basis for realizing a broad class of cryptographic protocols, such as bit commitment, zero-knowledge proofs, and general secure multiparty computation [15], [16], [20], [32].  In a one-out-of-two Oblivious Transfer, denoted 21 -OT, a sender owns two secret bits b0 and b1 , and a receiver wants to learn bc for a secret bit c of his choice. The sender will only collaborate if the receiver can obtain information about exclusively one of b0 , b1 . Likewise, the receiver will only participate provided that the sender cannot obtain any information about c. Traditionally, Oblivious Transfer implementations have relied on strong computational assumptions such as the hardness of factoring or the existence of trapdoor one-way permutations [2], [14], [27]. Constructions of Oblivious Transfer that rely on weaker computational assumptions are unlikely to exist. In fact, proving that Oblivious Transfer is secure assuming only a one-way function in a black-box reduction is simply impossible [19], [29]. Oblivious Transfer thus falls, along with key agreement and public-key cryptography, in the class of tasks whose implementation requires trapdoor one-way functions or stronger primitives. In practice, the computational assumptions on which Oblivious Transfer has been based are factoring and the discrete logarithm problem — precisely those that can be defeated by quantum computers [28]. Alternative models for implementing Oblivious Transfer are therefore important, especially if they are information theoretic and do not need computational hardness assumptions. For instance, it is possible to perform Oblivious Transfer based exclusively on resources such as noisy channels [6]–[8]. Oblivious Transfer can also be realized from a bound on the adversary’s memory size, which is the focus of this section. For a formal definition of Oblivious Transfer in the information theoretic security model, we refer to Crépeau et al. [10]. 14 it approximates the uniform distribution over the remaining strings within some η < 2−t .

5631

B. A Reduction Among Two Flavors of Oblivious Transfer Using Interactive Hashing We illustrate the power of Interactive Hashing in information theoretic contexts by considering the following straightforward scenario, originally suggested by Kilian [11]: suppose that a sender Alice and a receiver Bob wish to implement 1-out-of-k Bit Oblivious Transfer, which we will denote as k  –Bit OT. For the purposes of our example, suffice it to say 1 that Alice would like to make available k randomly chosen bits to Bob, who must be able to choose to learn any one of them, with all choices being equally likely from Alice’s point of view. Alice is only willing to participate provided that (dishonest) Bob learns information about exclusively one bit, while Bob must receive the assurance that (dishonest) Alice cannot obtain any information about his choice. Suppose that all that is available to Alice and Bob is an   insecure version of k1 –Bit OT, denoted (k − 1)–faulty k1 –Bit OT, which allows honest Bob to receive (only) one bit of his choice but might allow a dishonest Bob to learn up to k −1 bits of his choice. Protocol 2 shows how Interactive Hashing makes such a reduction  simplicity, Protocol 2   almost trivial. Remark: For reduces 21 –Bit OT to (k − 1)–faulty k1 –Bit OT without any  loss of generality since k1 –Bit OT can in turn be reduced 2 to 1 –Bit OT using the well-known reduction in [4]. For simplicity, we assume that k is a power of 2.15 It is relatively straightforward to see that when both participants are honest, Protocol 2 allows Bob 'n to obtain the bit of his choice since he knows Rd = i=1 rici and can thus decrypt ec˚ . In case Alice is dishonest, Bob’s choice c˚ is perfectly hidden from her when she obtains f at Step 6. This is because at the beginning of the protocol, Bob is equally likely to make the choices encoded by w0 as those encoded by w1 . Consequently, by Indistinguishability of Interactive Hashing, given the specific outputs, the probability of either of them having been the original input is exactly 1/2. Hence d is uniformly distributed from Alice’s point of view and so f = d ⊕ c˚ carries no information about c. ˚ As for the case where Bob is dishonest, we can assume that he always avails himself of the possibility of cheating afforded by (k − 1)– faulty k1 –Bit OT, and obtains k − 1 out of k bits every time. Then, by the end of Step 2, it is always the case that among  n all encodings of positions, only k−1 < e−n/ k are “good”, k in the sense that they represent positions that are all known to him (along with their exclusive OR). By Unicity of Interactive Hashing, Bob cannot force both w0 and w1 to be among these “good” encodings except with probability no larger than 15.6805 · e−n/ k . This probability can be made arbitrarily small by an appropriate choice of the security parameter n. C. Oblivious Transfer in the Bounded Storage Model 1) The Bounded Storage Model: The bounded storage model for cryptographic protocols was introduced by Maurer [22] in the context of secret-key encryption. In the bounded storage model, the only assumption made is that there 15 The general case is somewhat more complex to handle. All the ingredients to deal with this case may be found in [5].

5632

IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 61, NO. 10, OCTOBER 2015

Protocol 2    Reduction of 21 –Bit OT to (k − 1)–Faulty k1 –Bit OT Let b˚0, b˚1 and c˚ be the inputs of Alice and Bob, respectively, for 21 –Bit OT. 1) Alice and Bob agree on a security parameter n. 2) For 1 ≤ i ≤ n do: a) Alice selects at random bits ri1 , ri2 , . . . , rik while Bob selects at random ci ∈  R {1, . . . , k}. b) Alice uses (k − 1)–faulty k1 –Bit OT to send her k bits to Bob, who chooses to learn rici . 3) Bob encodes   his choices during the n rounds of (k − 1)–faulty k1 –Bit OT as a bit string w of length n · log(k) by concatenating the binary representations of c1 , c2 , . . . , cn . 4) Bob sends w to Alice using Interactive Hashing. Let w0 , w1 be the output strings labeled according to lexicographic order, and let d ∈ {0, 1} be such that w = wd . 5) Let p1, p2 , . . . , pn be the positions encoded in w0 and let q1 , q2 , . . . , qn be the positions encoded in w1 . Alice computes R0 =

n ( i=1

ripi

R1 =

n (

riqi .

i=1

6) Bob sends f = d ⊕ c˚ to Alice. 7) Alice sends e0 = b˚0 ⊕ R f and e1 = b˚1 ⊕ R f¯ to Bob. 8) Bob decodes b˚c˚ = ec˚ ⊕ R f ⊕c˚ = ec˚ ⊕ Rd .

is an upper bound on the memory size (storage space) of any possible adversary. No other restrictions, of a computational or any other nature, are made. Protocols in this model rely on the availability of a huge random string R of length N. Depending on the specific application, R could be generated and transmitted to the parties either by a trusted third party (such as a satellite) or by one of the protocol participants themselves. Honest participants need only access a relatively small portion of R during the broadcast to carry out the subsequent interactive steps of the protocol. On the other hand, security is guaranteed against any dishonest participant that stores up to γ N bits of R for some constant γ < 1. a) Security and Practicality: The bounded storage model seems realistic in the view of current communication and highspeed networking technologies that allow transmission rates of around 100 gigabits per second and the cost of storage devices with capacities in the order of terabytes. From a security perspective, the model is very attractive for the following reasons: i Security can be based on the sole assumption that the adversary’s memory size is limited. ii Cheating with current technology would require storage systems on the order of petabytes, which would represent a major investment for any potential adversary. Future improvements in storage technology will only increase the gap between the storage required by the

honest participants and the infrastructure needed to successfully cheat, translating into even higher (relative) costs for a potential adversary. iii Storage bounds offer permanent protection in the sense that future technological improvements cannot retrospectively compromise the security of messages transmitted earlier. 2) Implementing Oblivious Transfer in the Bounded Storage Model: a) The original protocol: Cachin et al. [5] have shown how Oblivious Transfer can be securely implemented in the bounded storage model assuming only a bound on the memory size of the receiver (the sender need not be bounded in any way). In this protocol, R can be generated either by a trusted third party or by the sender himself. Their protocol consists of three steps: i The string R is broadcast, and the sender and the receiver each store n bits of R. The positions of the bits are chosen independently at random and n must be √ approximately k N such that there are at least k positions stored by both with high probability. The sender announces its positions to the receiver, who determines the positions where their stored sets overlap. Encoding the locations needs O(n log n) bits of communication between the participants. ii The participants engage in a protocol to form two sets of k bits each among the bits stored by the sender: a useful set consisting of the bits also known to the receiver and a useless set containing at least some bits unknown to the receiver. To this effect, the receiver encodes the useful set into a bit string and sends the string to the sender using Interactive Hashing . The second string resulting from Interactive Hashing determines the useless set. Recall from the properties of Interactive Hashing that although both participants know the two sets, only the receiver can differentiate the useful from the useless set. The encoding of subsets of positions with bit strings uses an efficiently computable enumeration of all subsets of R. Since the encoding is not very dense, it could be the case that up to slightly less than half of all bit strings are invalid encodings of subsets. This causes the second step to fail with probability up to 1/2, which can be overcome by repeating the complete protocol sufficiently many times. iii After the two sets have been determined, the actual  transfer of one of the payload bits in 21 -OT takes place. The receiver asks the sender to encode b0 and b1 using the two sets in such a way that bc is encoded with the bits from the useful set, while bc⊕1 is encoded with the bits from the useless set. More precisely, privacy amplification by universal hashing [3] is applied independently to the bits in the useful set and to the bits in the useless set, resulting in two secret keys. The sender then uses these two keys to encrypt b0 and b1 and sends these encryptions to the receiver. Since the receiver knows all bits in the useful set, he can decrypt bc , but because

CACHIN et al.: INFORMATION-THEORETIC INTERACTIVE HASHING AND OBLIVIOUS TRANSFER TO A STORAGE-BOUNDED RECEIVER

he is missing some bits in the useless set, he cannot recover bc⊕1 . The formal analysis is based on a lower bound on the uncertainty (expressed in terms of min-entropy) that the receiver has about the bits in the useless   set. The 21 -OT protocol’s security relies on the fact that the receiver cannot store all of R since his memory size is bounded by γ N for some γ < 1. Intuitively, if the receiver simply stores γ N of the physical bits of R in memory, then since the sender’s n positions are chosen at random, the receiver will almost certainly not know significantly more than γ n of them. Even though a large fraction of all the bits are known, it turns out that the useful subsets of size k are an exponentially small fraction of all subsets of size k among the receiver’s n positions. Consequently, when two subsets are chosen with the help of Interactive Hashing , by Unicity at least one of them will be useless. This in turn guarantees   that the receiver does not learn the corresponding bit in 21 -OT. We remark that in the general case, a malicious receiver is allowed to first sample all positions of R in the first step and then store an arbitrary function of R of output length γ N in his bounded storage. Much of the analysis in [5] is devoted to proving that this does not significantly increase the receiver’s ability to cheat compared to the case where he only stores physical bits. Both participants require O(n log n) storage with n ≈ N 2/3 to carry out the Oblivious Transfer protocol. The probability that the protocol fails and the receiver learns something about both secrets can be bounded by n −c for some constant c > 1. Security for the receiver is perfect by Indistinguishability of Interactive Hashing . b) Further improvements: The protocol of [5] was later improved by Ding [12] and by Ding et al. [13]. Both protocols follow the same three-step approach. In the protocol of Ding [12], a different analysis of the sampling step is used (based on [1]) in order to bound the receiver’s uncertainty about the useless set. The protocol achieves lower storage consumption and better security 1 because the participants need to store only n = N 2 + bits of R for any  > 0 and because the probability of failure can be made exponentially small. However, its security can only be proved in a weaker model, where additional restrictions are placed on the receiver’s computation and storage during the broadcast of R. The subsequent protocol of Ding et al. [13] improves on all three steps as follows. i In the sampling step, the sender applies an averaging sampler for min-entropy to select the positions to store. Such samplers have been introduced by Vadhan [30] for encryption in the bounded storage model. Their preferred implementation applies a random walk on an expander graph to select the positions. Compared to choosing the positions uniformly at random, the sampler needs much fewer auxiliary random bits to specify the positions. This reduces the communication complexity for this step from O(n log n) bits in [5] to O(k c ) bits, for some constant c. Vadhan’s analysis [30] is also tighter than the original one [5], and guarantees an

5633

exponentially small error probability, while retaining the strong security model. The main contribution of Ding et al. is the constant-round Interactive Hashing protocol described in Section IV-D. The authors also introduced an improved scheme for encoding subsets into bit strings. They showed that at the cost of using an encoding of length m = + k instead of m = , one can guarantee that the proportion of bit strings that correspond to invalid encodings is no larger than 2−k . This in turn allows the failure probability of the Interactive Hashing step to be reduced from up to 1/2 in the case of [5] to an arbitrarily small value, and thus eliminates the need for repeating the protocol, which would have defied the goal of having a protocol requiring only a constant number of rounds. ii In the third step, Ding et al. use strong extractors (inspired by [21] and [30]) instead of universal hashing. The extractor takes as input a k-bit string, i.e., one of the two subsets of R, together with a (much shorter) uniformly distributed auxiliary bit string chosen by the receiver. The extractor produces a shorter string, which acts as the secret key to encrypt the payload of the Oblivious Transfer. The analysis [13] establishes a lower bound on the receiver’s min-entropy about the useless set, and applying the extractor under these premises guarantees that the receiver has only an exponentially small amount of information about the extracted secret key. Compared to using universal hashing in the previous protocols, the communication complexity in this step  is reduced from O(n α ) with α > 0 to O(k c ) bits with c > 1. The choice of the extractor allows also for transferring bit strings as payloads of the Oblivious Transfer protocol instead of single bits. While the protocol of Ding et al. [13] is the currently best OT protocol in the bounded storage model in terms of message complexity and failure probability, it is considerably complicated to implement in practice. Moreover, the authors’ analysis of the failure probability of the interactive hashing step establishes an upper bound of  (t · G/T ) and which only applies when G ≥ 4t. It should also be noted that the underlying four-message Interactive Hashing protocol does not satisfy Uniformity, but only approximates the uniform distribution over the remaining strings within some η < 2−t . Hence, security for the sender is not perfect, but the receiver’s entropy about the sender’s input is only statistically close to 1 bit. The analysis in this paper shows that the standard Interactive Hashing protocol (Protocol 1) may be combined with the other building blocks introduced by the Oblivious Transfer protocol of Ding et al. [13]. The resulting Oblivious Transfer protocol, called CCMS below, provides perfect secrecy for the sender at the cost of increasing the interaction. This choice will also simplify its actual implementation compared to [13]. The properties of OT protocols in the bounded storage model are summarized in the following table. In the columns labeled “security,” a value denotes the probability that one party can distinguish the other’s input from the uniform distribution;  and c denote arbitrarily small positive constants.

5634

IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 61, NO. 10, OCTOBER 2015

We remind the reader that the protocol of Ding [12] uses a weaker security model than the others. Protocol

Storage

Rounds R security S security

[5]

O(N 2/3+ )

O(k)

perfect

O(n −c )

[12]

N 1/2+

O(k)

perfect

2−k

c

[13]

N 1/2+

O(1)

2−k

2−k

c

CCMS

N 1/2+

O(k)

perfect

2−k

c

c

VI. C ONCLUSION AND O PEN P ROBLEMS We have presented a rigorous definition of Interactive Hashing by distilling and formalizing its security properties in an information theoretic context, independently of any specific application. This opens the way to recognizing Interactive Hashing as a cryptographic primitive in its own right, and not simply as a sub-protocol whose security properties, as well as their proof, depend on the specifics of the surrounding application. We have also demonstrated that there exists a simple implementation of Interactive Hashing (Protocol 1) that fully meets the above-mentioned security requirements, and gave a proof of correctness that significantly improves upon previous results in the literature. Finally, we provided an overview of protocols achieving Oblivious Transfer when the receiver’s storage is bounded, where Interactive Hashing plays a paramount role. Our new analysis of Interactive Hashing establishes tighter security properties for some of these protocols. Open Problems: The interested reader is encouraged to consider the following open problems: i Devise a more appropriate name for Interactive Hashing which better captures its properties as a cryptographic primitive rather than the mechanics of its known implementations. ii Investigate how much interaction, if any, is really necessary in principle to implement Interactive Hashing. iii Explore ways to implement Interactive Hashing more efficiently, especially regarding the amount of interaction. To this end, the constant-round Interactive Hashing protocol of [13] we briefly described in Section IV-D is an important step in the right direction. We invite the interested reader to improve on this construction so that it meets all the security requirements. ACKNOWLEDGMENTS The authors are grateful to Paul Dumais and Joe Kilian for various fruitful discussions. They also wish to thank two anonymous referees for their detailled comment on this work. They finally want to recognize the work of another anonymous referee at a different journal who also reviewed their work in a previous submission that never resulted into a printed publication. Most of this referee’s comments have been taken into account in this final version.

R EFERENCES [1] Y. Aumann, Y. Z. Ding, and M. O. Rabin, “Everlasting security in the bounded storage model,” IEEE Trans. Inf. Theory, vol. 48, no. 6, pp. 1668–1680, Jun. 2002. [2] M. Bellare and S. Micali, “Non-interactive oblivious transfer and applications,” in Advances in Cryptology (Lecture Notes in Computer Science), vol. 435, G. Brassard, Ed. Berlin, Germany: Springer-Verlag, 1990, pp. 547–557. [3] C. H. Bennett, G. Brassard, C. Crépeau, and U. M. Maurer, “Generalized privacy amplification,” IEEE Trans. Inf. Theory, vol. 41, no. 6, pp. 1915–1923, Nov. 1995. [4] G. Brassard, C. Crépeau, and J.-M. Robert, “Information theoretic reductions among disclosure problems,” in Proc. 27th Annu. Symp. Found. Comput. Sci., 1986, pp. 168–173. [5] C. Cachin, C. Crépeau, and J. Marcil, “Oblivious transfer with a memory-bounded receiver,” in Proc. 39th Annu. Symp. Found. Comput. Sci. (FOCS), 1998, pp. 493–502. [6] C. Crépeau, “Efficient cryptographic protocols based on noisy channels,” in Advances in Cryptology (Lecture Notes in Computer Science), vol. 1233, W. Fumy, Ed. Berlin, Germany: Springer-Verlag, 1997, pp. 306–317. [7] C. Crépeau and J. Kilian, “Achieving oblivious transfer using weakened security assumptions,” in Proc. 29th IEEE Symp. Found. Comput. Sci. (FOCS), Oct. 1988, pp. 42–52. [8] C. Crépeau, K. Morozov, and S. Wolf, “Efficient unconditional oblivious transfer from almost any noisy channel,” in Proc. 4th Conf. Secur. Commun. Netw. (SCN), vol. 3352 of Lecture Notes in Computer Science. 2005, pp. 47–59. [9] C. Crépeau and G. Savvides, “Optimal reductions between oblivious transfers using interactive hashing,” in Advances in Cryptology (Lecture Notes in Computer Science), vol. 4004, S. Vaudenay, Ed. Berlin, Germany: Springer-Verlag, 2006, pp. 201–221. [10] C. Crépeau, G. Savvides, C. Schaffner, and J. Wullschleger, “Information-theoretic conditions for two-party secure function evaluation,” in Advances in Cryptology (Lecture Notes in Computer Science), vol. 4004, S. Vaudenay, Ed. Berlin, Germany: Springer-Verlag, 2006, pp. 538–554. [11] J. Kilian, private communication, 1992. [12] Y. Z. Ding, “Oblivious transfer in the bounded storage model,” in Advances in Cryptology (Lecture Notes in Computer Science), vol. 2139, J. Kilian, Ed. Berlin, Germany: Springer-Verlag, 2001, pp. 155–170. [13] Y. Z. Ding, D. Harnik, A. Rosen, and R. Shaltiel, “Constant-round oblivious transfer in the bounded storage model,” J. Cryptol., vol. 20, no. 2, pp. 165–202, Apr. 2007. [14] S. Even, O. Goldreich, and A. Lempel, “A randomized protocol for signing contracts,” Commun. ACM, vol. 28, no. 6, pp. 637–647, 1985. [15] O. Goldreich, Foundations of Cryptography, vols. 1–2. Cambridge, U.K.: Cambridge Univ. Press, 2004. [16] O. Goldreich, S. Micali, and A. Wigderson, “How to play any mental game or a completeness theorem for protocols with honest majority,” in Proc. 19th Annu. ACM Symp. Theory Comput. (STOC), 1987, pp. 218–229. [17] I. Haitner, M.-H. Nguyen, S. J. Ong, O. Reingold, and S. Vadhan, “Statistically hiding commitments and statistical zero-knowledge arguments from any one-way function,” in SIAM J. Comput., vol. 39, no. 3, pp. 1153–1218, Sep. 2009. [18] I. Haitner and O. Reingold, “A new interactive hashing theorem,” in Proc. 22nd Annu. IEEE Conf. Comput. Complex., Jun. 2007, pp. 319–332. [19] R. Impagliazzo and S. Rudich, “Limits on the provable consequences of one-way permutations,” in Proc. 21st Annu. ACM Symp. Theory Comput. (STOC), 1989, pp. 44–61. [20] J. Kilian, “Founding cryptography on oblivious transfer,” in Proc. 20th Annu. ACM Symp. Theory Comput. (STOC), 1988, pp. 20–31. [21] C.-J. Lu, “Encryption against storage-bounded adversaries from on-line strong extractors,” J. Cryptol., vol. 17, no. 1, pp. 27–42, 2004. [22] U. M. Maurer, “Conditionally-perfect secrecy and a provably-secure randomized cipher,” J. Cryptol., vol. 5, no. 1, pp. 53–66, 1992. [23] M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung, “Perfect zero-knowledge arguments for NP using any one-way permutation,” J. Cryptol., vol. 11, no. 2, pp. 87–108, Mar. 1998. [24] R. Ostrovsky, R. Venkatesan, and M. Yung, “Fair games against an allpowerful adversary,” in Advances in Computational Complexity Theory, vol. 13. Providence, RI, USA: AMS, 1993, pp. 155–169.

CACHIN et al.: INFORMATION-THEORETIC INTERACTIVE HASHING AND OBLIVIOUS TRANSFER TO A STORAGE-BOUNDED RECEIVER

[25] R. Ostrovsky, R. Venkatesan, and M. Yung, “Secure commitment against a powerful adversary,” in Proc. 9th Annu. Symp. Theoretical Aspects Comput. Sci., vol. 577. 1992, pp. 439–448. [26] R. Ostrovsky, R. Venkatesan, and M. Yung, “Interactive hashing simplifies zero-knowledge protocol design,” in Advances in Cryptology (Lecture Notes in Computer Science), vol. 765, T. Helleseth, Ed. Berlin, Germany: Springer-Verlag, 1994, pp. 267–273. [27] M. O. Rabin, “How to exchange secrets by oblivious transfer,” Harvard Univ., Aiken Comput. Lab., Cambridge, MA, USA, Tech. Rep. TR-81, 1981. [28] P. W. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM J. Comput., vol. 26, no. 5, pp. 1484–1509, 1997. [29] O. Reingold, L. Trevisan, and S. Vadhan, “Notions of reducibility between cryptographic primitives,” in Proc. 1st Theory Cryptogr. Conf. (TCC), vol. 2951 of Lecture Notes in Computer Science. 2004, pp. 1–20. [30] S. P. Vadhan, “Constructing locally computable extractors and cryptosystems in the bounded-storage model,” J. Cryptol., vol. 17, no. 1, pp. 43–77, 2004. [31] S. Wiesner, “Conjugate coding,” SIGACT News, vol. 15, no. 1, pp. 78–88, 1983. [32] A. C.-C. Yao, “How to generate and exchange secrets,” in Proc. 27th IEEE Symp. Found. Comput. Sci. (FOCS), Oct. 1986, pp. 162–167.

Christian Cachin (F’–) is a researcher in cryptography and security at IBM Research - Zürich. He graduated with a Ph.D. in Computer Science from ETH Zürich and has held visiting positions at MIT and at EPFL. Presently he serves as the President of the International Association for Cryptologic Research (IACR). An IEEE Fellow, ACM Distinguished Scientist, and recipient of multiple IBM Outstanding Technical Achievement Awards, he has co-authored the book “Introduction to Reliable and Secure Distributed Programming” and contributed to the OASIS Key Management Interoperability Protocol (KMIP) standard. His current research addresses the security of cloud computing, secure protocols for distributed systems, and cryptography.

5635

Claude Crépeau is a professor in the School of Computer Science at McGill University. He received his Ph.D. in Computer Science from MIT in 1990, working in the field of cryptography. He spent two years as a Postdoctoral Fellow at Université d’Orsay, and was a CNRS researcher at École Normale Supérieure from 1992 to 1995. He was appointed associate professor at Université de Montréal in 1995, and has been a faculty member at McGill University since 1998. He was a member of the Canadian Institute for Advanced Research program on Quantum Information Processing from 2002 to 2012. Prof. Crépeau is best known for his fundamental work in zeroknowledge proof, multiparty computing, quantum cryptography, and quantum teleportation. He was nominated as a fellow of the IACR in 2013.

Julien Marcil received his M.Sc. in Computer Science from Université de Montréal in 2000. He is currently a freelance software architect. He previously worked at Taleo and Oracle as Technical Architect. Julien is also a course lecturer at the Université Laval.

George Savvides received his Ph.D in Computer Science from McGill University in 2007. His graduate research focused on information-theoretic cryptography, in particular Interactive Hashing and its applications. Since 2007 he has been working at the European Patent Office as a Patent Examiner in the field of computer and network security.

Suggest Documents

Interactive Entertainment Applications - IEEE Xplore

Interactive Entertainment Applications - IEEE Xplore
Read more
Reverse Query-Aware Locality-Sensitive Hashing for ... - IEEE Xplore

Reverse Query-Aware Locality-Sensitive Hashing for ... - IEEE Xplore
Read more
Robust Perceptual Image Hashing Based on Ring ... - IEEE Xplore

Robust Perceptual Image Hashing Based on Ring ... - IEEE Xplore
Read more
Local Feature Hashing for Face Recognition - IEEE Xplore

Local Feature Hashing for Face Recognition - IEEE Xplore
Read more
On a variant of multilinear modular hashing with ... - IEEE Xplore

On a variant of multilinear modular hashing with ... - IEEE Xplore
Read more
Parallel d-Pipeline: A Cuckoo Hashing Implementation ... - IEEE Xplore

Parallel d-Pipeline: A Cuckoo Hashing Implementation ... - IEEE Xplore
Read more
Asymmetric Cyclical Hashing for Large Scale Image ... - IEEE Xplore

Asymmetric Cyclical Hashing for Large Scale Image ... - IEEE Xplore
Read more
Minimal Perfect Hashing-Based Information Collection ... - IEEE Xplore

Minimal Perfect Hashing-Based Information Collection ... - IEEE Xplore
Read more
Generalized Non-Interactive Oblivious Transfer Using ... - CiteSeerX

Generalized Non-Interactive Oblivious Transfer Using ... - CiteSeerX
Read more
interactive 3d video streaming - IEEE Xplore

interactive 3d video streaming - IEEE Xplore
Read more
interactive 3d video streaming - IEEE Xplore

interactive 3d video streaming - IEEE Xplore
Read more
Interactive, immersive visualization for indoor ... - IEEE Xplore

Interactive, immersive visualization for indoor ... - IEEE Xplore
Read more
Implementation of Interactive Communicational ... - IEEE Xplore

Implementation of Interactive Communicational ... - IEEE Xplore
Read more
Interactive Optimization of System Reliability - IEEE Xplore

Interactive Optimization of System Reliability - IEEE Xplore
Read more
Special Section on Interactive Multimedia - IEEE Xplore

Special Section on Interactive Multimedia - IEEE Xplore
Read more
Interactive wireless electronic billboard - Networking ... - IEEE Xplore

Interactive wireless electronic billboard - Networking ... - IEEE Xplore
Read more
Interactive hashing simplifies zero-knowledge protocol ... - CiteSeerX

Interactive hashing simplifies zero-knowledge protocol ... - CiteSeerX
Read more
An Interactive Grading and Learning System for Chinese ... - IEEE Xplore

An Interactive Grading and Learning System for Chinese ... - IEEE Xplore
Read more
Semi-supervised and Interactive Semantic Concept ... - IEEE Xplore

Semi-supervised and Interactive Semantic Concept ... - IEEE Xplore
Read more
Mobile Phone and Interactive Television (iTV) - IEEE Xplore

Mobile Phone and Interactive Television (iTV) - IEEE Xplore
Read more
relasphone - mobile phone and interactive applications ... - IEEE Xplore

relasphone - mobile phone and interactive applications ... - IEEE Xplore
Read more
Human interactive secure key and identity exchange ... - IEEE Xplore

Human interactive secure key and identity exchange ... - IEEE Xplore
Read more
Smart Fabrics and Interactive Textile Enabling Wearable ... - IEEE Xplore

Smart Fabrics and Interactive Textile Enabling Wearable ... - IEEE Xplore
Read more
ElVis: A System for the Accurate and Interactive ... - IEEE Xplore

ElVis: A System for the Accurate and Interactive ... - IEEE Xplore
Read more