
    The Simplest Protocol for Oblivious Transfer

    Oblivious Transfer (OT) is one of the fundamental building blocks of cryptographic protocols. In this paper we describe the simplest and most efficient protocol for 1-out-of-n OT to date, which is obtained by tweaking the Diffie-Hellman key-exchange protocol. The protocol allows performing m 1-out-of-n OTs using only 2+3m full exponentiations (2m for the receiver, 2+m for the sender) and sending only m+1 group elements and 2mn ciphertexts. We also report on an implementation of the protocol using elliptic curves, and on a number of mechanisms we employ to ensure that our software is secure against active attacks too. Experimental results show that our protocol (thanks to both algorithmic and implementation optimizations) is at least one order of magnitude faster than previous work.

    "The Simplest Protocol for Oblivious Transfer" Revisited

    In 2015, Chou and Orlandi presented an oblivious transfer protocol that already drew a lot of attention from both theorists and practitioners due to its extreme simplicity and high efficiency. Chou and Orlandi claimed that their protocol is universally composable secure (UC-secure) in the random oracle model under dynamic corruptions. UC-security is a very strong security guarantee which assures not only that the protocol is secure in itself, but also that it can be used safely in larger protocols. Unfortunately, in this work we point out a flaw in their security proof for the case of a corrupt sender. In more detail, we define a decisional problem and we prove that, if a correct security proof for the Chou and Orlandi protocol is provided, then this problem can be solved correctly with overwhelming probability. Therefore, the protocol of Chou and Orlandi cannot be instantiated securely with groups for which our decisional problem cannot be solved correctly with overwhelming probability. Consequently, the protocol of Chou and Orlandi cannot be instantiated with all groups G in which the CDH problem is intractable, but only with groups in which both the CDH problem is intractable and our decisional problem can be solved with overwhelming probability. After the appearance of our work, Chou and Orlandi acknowledged the problems we pointed out in their security proof, and subsequent works showed additional issues, removing the claims of UC security of their protocol.

    Generation and Distribution of Quantum Oblivious Keys for Secure Multiparty Computation

    The oblivious transfer primitive is sufficient to implement secure multiparty computation. However, secure multiparty computation based only on classical cryptography is severely limited by the security and efficiency of the oblivious transfer implementation. We present a method to efficiently and securely generate and distribute oblivious keys by exchanging qubits and by performing commitments using classical hash functions. With the presented hybrid approach, quantum and classical, we obtain a practical and high-speed oblivious transfer protocol, secure even against quantum computer attacks. The oblivious distributed keys allow implementing a fast and secure oblivious transfer protocol, which can pave the way for the widespread adoption of applications based on secure multiparty computation.
    Comment: 11 pages, 5 figures

    USING THE "DIVIDE AND CONQUER" METHOD IN DENIABLE ENCRYPTION ALGORITHMS

    Abstract. This paper investigates increasing the productivity of deniable encryption algorithms. The investigation is relevant because such algorithms provide effective schemes for protecting information and its users. However, these algorithms are very complex and lumped, and this strongly affects them. That is why deniable encryption algorithms have not become widespread in data processing and information security systems. The main goal of this work is to explore methods and tools for reducing execution time. The divide and conquer method is discussed and investigated in this paper. It has been implemented into the data processing system of the deniable encryption algorithms. No modifications have been made to the base algorithm, which keeps the approach universal and applicable to other deniable encryption algorithms. The authors completed a series of experiments to verify the hypothesis. The first stage of the investigation is a discussion of the base deniable encryption algorithm; its vulnerabilities have been found and investigated. The other algorithm is based on applying the divide and conquer method; it has been implemented into the modified data processing system. The efficiency of both algorithms has been investigated by experiments with real files containing public and secret information. The experiments were completed on prepared equipment that simulates the user's workplace with real hardware and software. According to the results, the productivity of deniable encryption algorithms has been increased by the divide and conquer method. The method has also been verified with encryption keys of different sizes. The base deniable encryption algorithms have not been modified. The results have been compared with other authors' investigations. In the end, the authors' hypothesis has been proved, but the authors note some restrictions on reaching these results.
    Keywords: deniable encryption; information security; sensitive data; the divide and conquer method; unauthorized access; coercion; productivity; cipher.
    The present study was carried out by the authors to verify the hypothesis that the speed of deniable encryption algorithms can be increased. This study is relevant because deniable encryption algorithms use effective transformation schemes to protect both information and its users. At the same time, the structure of deniable encryption algorithms is rather complex and concentrated. This affects their speed and makes their practical application in the fields of data processing and information security impossible. The main goal of the study is to find methods and tools whose use would reduce the execution time of deniable encryption algorithms. This work considers and investigates the application of the "divide and conquer" method. The method was applied to the data processing procedures of deniable encryption algorithms. Since the final solution must be universal for further use with other deniable encryption algorithms, the authors made no changes to the original encryption algorithms. To verify the hypothesis, the authors conducted a series of experiments. The first object of study was a deniable encryption algorithm built on multithreaded computation. The security shortcomings caused by its use were identified and investigated. The other algorithm was based on the use of the "divide and conquer" method. This method was implemented in the data processing system of the first algorithm. To check the efficiency of both algorithms, real files with public and secret data were used in the experiments. The study itself was conducted on bench equipment that imitates a typical user workplace. The experimental results demonstrate a gain in the speed of the original deniable data encryption algorithm.
    These results were also verified using encryption keys of different sizes. The results obtained were compared with the studies of other authors. In the end, the authors' hypothesis was confirmed. The use of the "divide and conquer" method led to a significant increase in the speed of deniable data encryption algorithms.

    PQC: R-Propping of a Simple Oblivious Transfer

    Post-quantum cryptography (PQC) is nowadays a very active research field [1]. We follow a non-standard way to achieve it, taking any common protocol and replacing its arithmetic with GF(2^8) field operations, a procedure defined as R-Propping [2-7]. The resulting protocol's security relies on the intractability of a generalized discrete log problem, combined with the power sets of algebraic ring extension tensors and resilience to quantum and algebraic attacks. Oblivious Transfer (OT) is a keystone for Secure Multiparty Computing (SMPC) [8], one of the most pursued cryptographic areas. It is a critical issue to develop a fast OT solution because of its intensive use in many protocols. Here, we adopt the simple OT protocol developed by Chou and Orlandi [9] as the base model to be propped. Our solution is fully scalable to achieve quantum and classical security levels as needed. We present a step-by-step numerical example of the proposed protocol.

    Finding Safety in Numbers with Secure Allegation Escrows

    For fear of retribution, the victim of a crime may be willing to report it only if other victims of the same perpetrator also step forward. Common examples include 1) identifying oneself as the victim of sexual harassment, especially by a person in a position of authority, or 2) accusing an influential politician, an authoritarian government, or one's own employer of corruption. To handle such situations, legal literature has proposed the concept of an allegation escrow: a neutral third party that collects allegations anonymously, matches them against each other, and de-anonymizes allegers only after de-anonymity thresholds (in terms of number of co-allegers), pre-specified by the allegers, are reached. An allegation escrow can be realized as a single trusted third party; however, this party must be trusted to keep the identity of the alleger and the content of the allegation private. To address this problem, this paper introduces Secure Allegation Escrows (SAE, pronounced "say"). A SAE is a group of parties with independent interests and motives, acting jointly as an escrow for collecting allegations from individuals, matching the allegations, and de-anonymizing the allegations when designated thresholds are reached. By design, SAEs provide a very strong property: no less than a majority of parties constituting a SAE can de-anonymize or disclose the content of an allegation without a sufficient number of matching allegations (even in collusion with any number of other allegers). Once a sufficient number of matching allegations exist, the join escrow discloses the allegation with the allegers' identities. We describe how SAEs can be constructed using a novel authentication protocol and a novel allegation matching and bucketing algorithm, provide formal proofs of the security of our constructions, and evaluate a prototype implementation, demonstrating feasibility in practice.
    Comment: To appear in NDSS 2020. New version includes improvements to writing and proof. The protocol is unchanged.

    A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

    Oblivious Transfer (OT) is a fundamental cryptographic protocol that finds a number of applications, in particular as an essential building block for two-party and multi-party computation. We construct a round-optimal (2 rounds) universally composable (UC) protocol for oblivious transfer secure against active adaptive adversaries from any OW-CPA secure public-key encryption scheme with certain properties in the random oracle model (ROM). In terms of computation, our protocol only requires the generation of a public/secret-key pair, two encryption operations and one decryption operation, apart from a few calls to the random oracle. In terms of communication, our protocol only requires the transfer of one public key, two ciphertexts, and three binary strings of roughly the same size as the message. Next, we show how to instantiate our construction under the low noise LPN, McEliece, QC-MDPC, LWE, and CDH assumptions. Our instantiations based on the low noise LPN, McEliece, and QC-MDPC assumptions are the first UC-secure OT protocols based on coding assumptions to achieve: 1) adaptive security, 2) optimal round complexity, 3) low communication and computational complexities. Previous results in this setting only achieved static security and used costly cut-and-choose techniques. Our instantiation based on CDH achieves adaptive security at the small cost of communicating only two more group elements as compared to the gap-DH based Simplest OT protocol of Chou and Orlandi (Latincrypt 15), which only achieves static security in the ROM.

    BVOT: Self-Tallying Boardroom Voting with Oblivious Transfer

    A boardroom election is an election with a small number of voters carried out with public communications. We present BVOT, a self-tallying boardroom voting protocol with ballot secrecy, fairness (no tally information is available before the polls close), and dispute-freeness (voters can observe that all voters correctly followed the protocol). BVOT works by using a multiparty threshold homomorphic encryption system in which each candidate is associated with a masked unique prime. Each voter engages in an oblivious transfer with an untrusted distributor: the voter selects the index of a prime associated with a candidate and receives the selected prime in masked form. The voter then casts their vote by encrypting their masked prime and broadcasting it to everyone. The distributor does not learn the voter's choice, and no one learns the mapping between primes and candidates until the audit phase. By hiding the mapping between primes and candidates, BVOT provides voters with insufficient information to carry out effective cheating. The threshold feature prevents anyone from computing any partial tally until everyone has voted. Multiplying all votes, their decryption shares, and the unmasking factor yields a product of the primes, each raised to the number of votes received. In contrast to some existing boardroom voting protocols, BVOT does not rely on any zero-knowledge proof; instead, it uses oblivious transfer to assure ballot secrecy and correct vote casting. Also, BVOT can handle multiple candidates in one election. BVOT prevents cheating by hiding crucial information: an attempt to increase the tally of one candidate might increase the tally of another candidate. After all votes are cast, any party can tally the votes.

    Protocols for Authenticated Oblivious Transfer

    Oblivious transfer (OT) is a basic building block in many cryptographic protocols. In this paper, we exploit some well-known authenticated Diffie-Hellman-based key exchange protocols to build three authenticated 1-out-of-2 oblivious transfers. We show that our proposed protocols are secure in the semi-honest model. We also compare our schemes with three similar 1-out-of-2 OT protocols and show that authentication in our schemes costs only up to either two more exponentiations or one message signing, compared to those with no authentication.