A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

Oblivious Transfer (OT) is a fundamental cryptographic protocol that finds a number of applications, in particular, as an essential building block for two-party and multi-party computation. We construct a round-optimal (2 rounds) universally composable (UC) protocol for oblivious transfer secure against active adaptive adversaries from any OW-CPA secure public-key encryption scheme with certain properties in the random oracle model (ROM). In terms of computation, our protocol only requires the generation of a public/secret-key pair, two encryption operations and one decryption operation, apart from a few calls to the random oracle. In~terms of communication, our protocol only requires the transfer of one public-key, two ciphertexts, and three binary strings of roughly the same size as the message. Next, we show how to instantiate our construction under the low noise LPN, McEliece, QC-MDPC, LWE, and CDH assumptions. Our instantiations based on the low noise LPN, McEliece, and QC-MDPC assumptions are the first UC-secure OT protocols based on coding assumptions to achieve: 1) adaptive security, 2) optimal round complexity, 3) low communication and computational complexities. Previous results in this setting only achieved static security and used costly cut-and-choose techniques.Our instantiation based on CDH achieves adaptive security at the small cost of communicating only two more group elements as compared to the gap-DH based Simplest OT protocol of Chou and Orlandi (Latincrypt 15), which only achieves static security in the ROM

Adaptive Oblivious Transfer and Generalization

International audienceOblivious Transfer (OT) protocols were introduced in the seminal paper of Rabin, and allow a user to retrieve a given number of lines (usually one) in a database, without revealing which ones to the server. The server is ensured that only this given number of lines can be accessed per interaction, and so the others are protected; while the user is ensured that the server does not learn the numbers of the lines required. This primitive has a huge interest in practice, for example in secure multi-party computation, and directly echoes to Symmetrically Private Information Retrieval (SPIR). Recent Oblivious Transfer instantiations secure in the UC framework suf- fer from a drastic fallback. After the first query, there is no improvement on the global scheme complexity and so subsequent queries each have a global complexity of O(|DB|) meaning that there is no gain compared to running completely independent queries. In this paper, we propose a new protocol solving this issue, and allowing to have subsequent queries with a complexity of O(log(|DB|)), and prove the protocol security in the UC framework with adaptive corruptions and reliable erasures. As a second contribution, we show that the techniques we use for Obliv- ious Transfer can be generalized to a new framework we call Oblivi- ous Language-Based Envelope (OLBE). It is of practical interest since it seems more and more unrealistic to consider a database with uncontrolled access in access control scenarii. Our approach generalizes Oblivious Signature-Based Envelope, to handle more expressive credentials and requests from the user. Naturally, OLBE encompasses both OT and OSBE, but it also allows to achieve Oblivious Transfer with fine grain access over each line. For example, a user can access a line if and only if he possesses a certificate granting him access to such line. We show how to generically and efficiently instantiate such primitive, and prove them secure in the Universal Composability framework, with adaptive corruptions assuming reliable erasures. We provide the new UC ideal functionalities when needed, or we show that the existing ones fit in our new framework. The security of such designs allows to preserve both the secrecy of the database values and the user credentials. This symmetry allows to view our new approach as a generalization of the notion of Symmetrically PIR

Unlinkable Updatable Databases and Oblivious Transfer with Access Control

An oblivious transfer with access control protocol (OTAC) allows us to protect privacy of accesses to a database while enforcing access control policies. Existing OTAC have several shortcomings. First, their design is not modular. Typically, to create an OTAC, an adaptive oblivious transfer protocol (OT) is extended ad-hoc. Consequently, the security of the OT is reanalyzed when proving security of the OTAC, and it is not possible to instantiate the OTAC with any secure OT. Second, existing OTAC do not allow for policy updates. Finally, in practical applications, many messages share the same policy. However, existing OTAC cannot take advantage of that to improve storage efficiency. We propose an UC-secure OTAC that addresses the aforementioned shortcomings. Our OTAC uses as building blocks the ideal functionalities for OT, for zero-knowledge (ZK) and for an \emph{unlinkable updatable database} (\UUD), which we define and construct. \UUD is a protocol between an updater \fuudUpdater and multiple readers \fuudReader_k. \fuudUpdater sets up a database and updates it. \fuudReader_k can read the database by computing UC ZK proofs of an entry in the database, without disclosing what entry is read. In our OTAC, \UUD is used to store and read the policies. We construct an \UUD based on subvector commitments (SVC). We extend the definition of SVC with update algorithms for commitments and openings, and we provide an UC ZK proof of a subvector. Our efficiency analysis shows that our \UUD is practical

Efficient and Universally Composable Protocols for Oblivious Transfer from the CDH Assumption

Oblivious Transfer (OT) is a simple, yet fundamental primitive which suffices to achieve almost every cryptographic application. In a recent work (Latincrypt `15), Chou and Orlandi (CO) present the most efficient, fully UC-secure OT protocol to date and argue its security under the CDH assumption. Unfortunately, a subsequent work by Genc et al. (Eprint `17) exposes a flaw in their proof which renders the CO protocol insecure. In this work, we make the following contributions: We first point out two additional, previously undiscovered flaws in the CO protocol and then show how to patch the proof with respect to static and malicious corruptions in the UC model under the stronger Gap Diffie-Hellman (GDH) assumption. With the proof failing for adaptive corruptions even under the GDH assumption, we then present a novel OT protocol which builds on ideas from the CO protocol and can be proven fully UC-secure under the CDH assumption. Interestingly, our new protocol is actually significantly more efficient (roughly by a factor of two) than the CO protocol. This improvement is made possible by avoiding costly redundancy in the symmetric encryption scheme used in the CO protocol. Our ideas can also be applied to the original CO protocol, which yields a similar gain in efficiency

UC Updatable Databases and Applications

We define an ideal functionality \Functionality_{\UD} and a construction \mathrm{\Pi_{\UD}} for an updatable database (\UD). \UD is a two-party protocol between an updater and a reader. The updater sets the database and updates it at any time throughout the protocol execution. The reader computes zero-knowledge (ZK) proofs of knowledge of database entries. These proofs prove that a value is stored at a certain position in the database, without revealing the position or the value. (Non-)updatable databases are implicitly used as building block in priced oblivious transfer, privacy-preserving billing and other privacy-preserving protocols. Typically, in those protocols the updater signs each database entry, and the reader proves knowledge of a signature on a database entry. Updating the database requires a revocation mechanism to revoke signatures on outdated database entries. Our construction \mathrm{\Pi_{\UD}} uses a non-hiding vector commitment (NHVC) scheme. The updater maps the database to a vector and commits to the database. This commitment can be updated efficiently at any time without needing a revocation mechanism. ZK proofs for reading a database entry have communication and amortized computation cost independent of the database size. Therefore, \mathrm{\Pi_{\UD}} is suitable for large databases. We implement \mathrm{\Pi_{\UD}} and our timings show that it is practical. In existing privacy-preserving protocols, a ZK proof of a database entry is intertwined with other tasks, e.g., proving further statements about the value read from the database or the position where it is stored. \Functionality_{\UD} allows us to improve modularity in protocol design by separating those tasks. We show how to use \Functionality_{\UD} as building block of a hybrid protocol along with other functionalities

Generalizing Efficient Multiparty Computation

We focus on generalizing constructions of Batch Single-Choice Cut-And-Choose Oblivious Transfer and Multi-sender k-out-of-n Oblivious Transfer, which are at the core of efficient secure computation constructions proposed by Lindell \textit{et al.} and the IPS compiler. Our approach consists in showing that such primitives can be based on a much weaker and simpler primitive called Verifiable Oblivious Transfer (VOT) with low overhead. As an intermediate step we construct Generalized Oblivious Transfer from VOT. Finally, we show that Verifiable Oblivious Transfer can be obtained from a structure preserving oblivious transfer protocol (SPOT) through an efficient transformation that uses Groth-Sahai proofs and structure preserving commitments

A Lightweight Privacy Preserved Buyer Seller Watermarking Protocol Based on Priced Oblivious Transfer

replacing traditional selling of digital products (such as songs, videos,movies, software, books, documents, images, etc.) through shops. This mode of sale can bring the product price down as infrastructure cost in setting up shops and retail chain is reduced. On downside, however, this may increase problem of piracy as digital data can be easily copied, manipulated and transmitted. To protect copyright of owner, establish right of buyer on purchased copy and yet check data piracy, it is required that a rusted e-distribution system be built. Such a system should be able to ensure secure transaction between buyer and seller, check ownership and track the origin of unauthorized copies..The buyer seller watermarking protocols are heavyweight protocols.These protocols require large computation power and network bandwidth.The heavyweight protocols could not be used for the resource constrained devices since the devices does not support battery power.A lightweight protocol has been proposed which is best suited for the resource constrained devices. The protocol is based on a fast asymmetric encryption with novel simplification.In this approach the seller authenticates the buyer but does not learn which items are purchased. The protocol is designed in such a way that the buyers pay the right price without disclosing the purchased item, and the sellers are able to identify buyers that released pirated copies. The protocol is constructed based on the priced oblivious transfer and the existing techniques for asymmetric watermark embedding. Index Terms- Buyer–seller watermarking protocol, fair exchange, priced oblivious transfer (POT). B I

Round-efficient Oblivious Database Manipulation

Most of the multi-party computation frameworks can be viewed as oblivious databases where data is stored and processed in a secret-shared form. However, data manipulation in such databases can be slow and cumbersome without dedicated protocols for certain database operations. In this paper, we provide efficient protocols for oblivious selection, filtering and shuffle---essential tools in privacy-preserving data analysis. As the first contribution, we present a $1$-out-of-$n$ oblivious transfer protocol with $O(\log\log n)$ rounds, which achieves optimal communication and time complexity and works over any ring $Z_N$. Secondly, we show that the round complexity $\tau_{bd}$ of a bit decomposition protocol can be almost matched with oblivious transfer, and that there exists an oblivious transfer protocol with $O(\tau_{bd}\log^*n)$ rounds. Finally, we also show how to construct round-efficient shuffle protocols with optimal asymptotic computation complexity and provide several optimizations