9 research outputs found
"The Simplest Protocol for Oblivious Transfer'' Revisited
In 2015, Chou and Orlandi presented an oblivious transfer protocol that already drew a lot of attention both from theorists and practitioners due to its extreme simplicity and high efficiency.
Chou and Orlandi claimed that their protocol is universally composable secure (UC-secure) in the random oracle model under dynamic corruptions.
UC-security is a very strong security guarantee that assures that not only is the protocol secure in itself, but it can also be used safely in larger protocols.
Unfortunately, in this work we point out a flaw in their security proof for the case of a corrupt sender.
In more detail, we define a decisional problem and we prove that, if a correct security proof for Chou and Orlandi's protocol is provided, then this problem can be solved correctly with overwhelming probability. Therefore, the protocol of Chou and Orlandi cannot be instantiated securely with groups for which our decisional problem cannot be solved correctly with overwhelming probability.
Consequently, the protocol of Chou and Orlandi cannot be instantiated with all groups G in which the CDH problem is intractable, but only with groups in which both the CDH problem is intractable and our decisional problem can be solved with overwhelming probability.
After the appearance of our work, Chou and Orlandi acknowledged the problems we pointed out in their security proof, and subsequent works showed additional issues, removing the claims of UC security of their protocol.
The Simplest Protocol for Oblivious Transfer
Oblivious Transfer (OT) is one of the fundamental building blocks of cryptographic protocols.
In this paper we describe the simplest and most efficient protocol for -out-of- OT to date, which is obtained by tweaking the Diffie-Hellman key-exchange protocol. The protocol allows performing -out-of- OTs using only full exponentiations ( for the receiver, for the sender) and sending only group elements and ciphertexts.
We also report on an implementation of the protocol using elliptic curves, and on a number of mechanisms we employ to ensure that our software is secure against active attacks too.
Experimental results show that our protocol (thanks to both algorithmic and implementation optimizations) is at least one order of magnitude faster than previous work.
Efficient Oblivious Evaluation Protocol and Conditional Disclosure of Secrets for DFA
In oblivious finite automata evaluation, one party holds a private automaton, and the other party holds a private string of characters. The objective is to let the parties know whether the string is accepted by the automaton or not, while keeping their inputs secret. The applications include DNA searching, pattern matching, and more. Most of the previous works are based on asymmetric cryptographic primitives, such as homomorphic encryption and oblivious transfer. These primitives are significantly slower than symmetric ones. Moreover, some protocols also require several rounds of interaction. As our main contribution, we propose an oblivious finite automata evaluation protocol via conditional disclosure of secrets (CDS), using one (potentially malicious) outsourcing server. This results in a constant-round protocol, and no heavy asymmetric-key primitives are needed. Our protocol is based on a building block called an "oblivious CDS scheme for deterministic finite automata", which we also propose in this paper. In addition, we propose a standard CDS scheme for deterministic finite automata, which is of independent interest.
Equational Security Proofs of Oblivious Transfer Protocols
We exemplify and evaluate the use of the equational framework of Micciancio and Tessaro (ITCS 2013) by analyzing a number of concrete Oblivious Transfer protocols: a classic OT transformation to increase the message size, and the recent (so called "simplest") OT protocol in the random oracle model of Chou and Orlandi (Latincrypt 2015), together with some simple variants.
Our analysis uncovers subtle timing bugs or shortcomings in both protocols, or in the OT definition typically employed when using them. In the case of the OT length extension transformation, we show that the protocol can be formally proved secure using a revised OT definition and a simple protocol modification. In the case of the "simplest" OT protocol, we show that it cannot be proved secure according to either the original or the revised OT definition, in the sense that for any candidate simulator (expressible in the equational framework) there is an environment that distinguishes the real from the ideal system.
Algebraic Adversaries in the Universal Composability Framework
The algebraic-group model (AGM), which lies between the generic group model and the standard model of computation, provides a means by which to analyze the security of cryptosystems against so-called algebraic adversaries. We formalize the AGM within the framework of universal composability, providing formal definitions for this setting and proving an appropriate composition theorem. This extends the applicability of the AGM to more-complex protocols, and lays the foundations for analyzing algebraic adversaries in a composable fashion. Our results also clarify the meaning of composing proofs in the AGM with other proofs, and they highlight a natural form of independence between idealized groups that seems inherent to the AGM and has not been made formal before; these insights also apply to the composition of game-based proofs in the AGM. We show the utility of our model by proving several important protocols universally composable for algebraic adversaries, specifically: (1) the Chou-Orlandi protocol for oblivious transfer, and (2) the SPAKE2 and CPace protocols for password-based authenticated key exchange.
Critical Perspectives on Provable Security: Fifteen Years of Another Look Papers
We give an overview of our critiques of "proofs" of security and a guide to our papers on the subject that have appeared over the past decade and a half. We also provide numerous additional examples and a few updates and errata.
Endemic Oblivious Transfer via Random Oracles, Revisited
The notion of Endemic Oblivious Transfer (EOT) was introduced by Masny and Rindal (CCS '19). EOT offers a weaker security guarantee than the conventional random OT; namely, the malicious parties can fix their outputs arbitrarily. The authors presented a 1-round UC-secure EOT protocol under a tailor-made and non-standard assumption, Choose-and-Open DDH, in the RO model.
In this work, we systematically study EOT in the UC/GUC framework. We present a new 1-round UC-secure EOT construction in the RO model under the DDH assumption. Under the GUC framework, we propose the first 1-round EOT construction under the CDH assumption in the Global Restricted Observable RO (GroRO) model proposed by Canetti et al. (CCS '14). We also provide an impossibility result, showing there exist no 1-round GUC-secure EOT protocols in the Global Restricted Programmable RO (GrpRO) model proposed by Camenisch et al. (Eurocrypt '18).
Subsequently, we provide the first round-optimal (2-round) EOT protocol with adaptive security under the DDH assumption in the GrpRO model. Finally, we investigate the relations between EOT and other cryptographic primitives.
As side products, we present the first 2-round GUC-secure commitment in the GroRO model as well as a separation between the GroRO and the GrpRO models, which may be of independent interest.