Coding-Based Oblivious Transfer
Kazukuni Kobara1 , Kirill Morozov1 , and Raphael Overbeck2⋆
1
RCIS, AIST
Akihabara Daibiru, room 1102
1-18-13 Sotokanda, Chiyoda-ku
Tokyo 101-0021 Japan
{k-kobara,kirill.morozov}@aist.go.jp
2
EPFL - I&C - ISC - LASEC
Station 14 - Building INF
CH-1015 Lausanne
Switzerland
overbeck@cdc.informatik.tu-darmstadt.de
Abstract. We present protocols for two flavors of oblivious transfer
(OT): the Rabin and 1-out-of-2 OT based on the assumptions related to
security of the McEliece cryptosystem and two zero-knowledge identification (ZKID) schemes, Stern’s from Crypto ’93 and Shamir’s from Crypto
’89, which are based on syndrome decoding and permuted kernels, respectively. This is a step towards diversifying computational assumptions
on which OT – cryptographic primitive of central importance – can be
based.
As a by-product, we expose new interesting applications for both ZKID
schemes: Stern’s can be used for proving correctness of McEliece encryption, while Shamir’s – for proving that some matrix represents a
permuted subcode of a given code.
Unfortunately, it turned out to be difficult to reduce the sender’s security of both schemes to a hard problem, although the intuition suggests
a successful attack may allow to solve some long-standing problems in
coding theory.
Keywords: Oblivious transfer, coding-based cryptography, McEliece
cryptosystem, permuted kernel problem.
1
Introduction
Oblivious transfer (OT) [23, 10, 28] is an important cryptographic primitive which implies secure two-party computation [12, 16]. OT guarantees a
transmission from a sender to a receiver with partial erasure of the input,
⋆
Part of this work was done at the Cryptography and Computer Algebra Group,
TU-Darmstadt, Germany. Part of this work was funded by the DFG.
�which can happen in two manners. When the whole input is erased with
some fixed probability (independently of the player’s control), we have
an analog of the erasure channel, or Rabin OT. When the sender has two
inputs and one of them is received (while the other is erased) according
to the receiver’s choice (and the sender does not learn this choice), we
have 1-out-of-2 OT. In fact, these two flavors of OT were shown to be
equivalent [7].
A number of complexity assumptions were used to construct OT:
generic, e.g., enhanced trapdoor permutations [10, 11, 14], and specific,
e.g., factoring [23], Diffie-Hellman [3, 20, 1], N’th or Quadratic Residuosity and Extended Riemann Hypothesis [15].
Our contribution. We present two coding-based computationally
secure constructions. The Rabin OT protocol is based on the McEliece
encryption [19] where a public-key is constructed from the permuted concatenation of the standard McEliece public key and a random matrix.
The receiver will construct this public key and prove its correctness using
the Shamir’s zero-knowledge identification (ZKID) scheme [25] based on
permuted kernel problem (PKP). The sender will prove that the input
is encrypted using the error vector of the appropriate weight using the
Stern’s ZKID scheme [26] based on general syndrome decoding.
We emphasize that these are new applications of the two ZKID schemes
which can be of indepedent interest in coding-based protocols. In particular, combining McEliece encryption with Stern’s ZKID yields the verifiable McEliece encryption (for verifiable encryption and its applications
see, e.g., [4]).
Unfortunately, in the above protocol, even the honest-but-curious receiver can reduce the probability of erasure. We show that this can be
fixed by applying the reduction [7]. In fact, we show that this reduction
can be used for such a weaker version of Rabin OT. However, the whole
construction becomes involved and we end up implementing 1-out-of-2
OT on the way. Hence, we present a generalization of the above protocol
which implements 1-out-of-2 OT using the presented techniques.
The security of both protocols is based on the assumption related to
security of the McEliece PKC – indintiguishability of permuted generating
matrix of a Goppa code from random and bounded distance decoding –
and, in addition, the assumptions underlying the used ZKID schemes. We
also employ commitment schemes.
Both constructions share the same shortcoming: it turned out to be
difficult to reduce the sender’s secuirty to a hard decoding problem.
Shortly speaking, the intuition suggests that a successfull attack would
�require either efficient list decoding algorithm for Goppa codes, or extending those codes with random columns while still retaining a good error
correcting capability.
Related Work. The work [9] presents 1-out-of-2 Bit OT protocol based
exclusively on the McEliece PKC related assumptions. Its efficiency is
comparable to our 1-out-of-2 String OT protocol, but it provides a stronger
security guarantee for the receiver: it is unconditional as compared to
computational in our case.
Organization. In Section 2, we briefly introduce our security definitions, assumptions, and the main ingredients for our constructions. The
reduction from a weak version of Rabin OT to the original Rabin OT is
presented in Section 3. Section 4 introduces our Rabin OT construction,
while our 1-out-of-2 OT protocol is sketched in Section 5.
2
Preliminaries
In our definitions, the players are bounded to run in probabilistic polynomial time in a security parameter n.
For vectors, summation is component-wise in the corresponding field,
unless stated otherwise. Computation indistinguishability is denoted by
c
“=”.
2.1
Security Definitions
Informally, Rabin (string) oblivious transfer is the trusted erasure channel
from the sender Sen to the receiver Rec with fixed erasure probability
g
QH = 1 − P and a bit-vector b ∈ Fk2 as input. The malicious sender Sen
g cannot
has no knowledge on the output, while the malicious receiver Rec
learn the erased input.
We denote by a V iew of the player all the messages that he sent
and received during the protocol as well as his local randomness. Let the
binary random variable E (which indicates the fact of erasure and whose
outcome is available to Rec) is equal to 0 with probability P. For the sake
of simplicity, in the expressions for views, we omit most of the variables
which are the same on both sides of equality.
Definition 2.1. A two-party protocol is said to securely implement Rabin OT, if Sen gets as input a k-bit vector m and the following conditions
are satisfied:
�– Completeness: When Sen and Rec follow the protocol, if E = 0, then
Rec outputs m, otherwise he outputs “erasure”.
– Sender’s security: ∀m′ 6= m, m′ ∈ Fk2 :
c
′
V iewRec
g (m|E = 1) = V iewRec
g (m |E = 1).
c
– Receiver’s security: V iewSen
g (E = 0) = V iewSen
g (E = 1).
g
The definition of γ-gap Rabin OT is analogous to the above, but Rec
can decrease the erasure probability from his point of view by γ. This
probability is denoted by Q = 1 − P − γ. Let the binary random variable
g be equal to
e which indicates the fact of erasure (E
e = 1) or not for Rec
E
1 with probability Q.
Definition 2.2. A two-party protocol is said to securely implement γgap Rabin OT, if Definition 2.1 holds except that the sender’s security
condition is replaced with:
c
′ e
e
∀m′ 6= m, m′ ∈ Fk2 : V iewRec
g (m|E = 1) = V iewRec
g (m |E = 1).
In the other flavor of oblivious transfer, 1-out-of-2 String OT, Sen
inputs two a-bit vectors b0 , b1 . Rec obtains one of them according to his
g is unable to learn c, while Rec
g remains ignorant
choice c ∈ {0, 1}. Sen
about b1−c .
2.2
Assumptions
The security of all schemes we present in this paper is based on the
assumption, that the following problems are hard to solve in the average
case:
Definition 2.3. In the following let all matrices and vectors be over Fq .
(i) Given a k × n matrix, decide if its row-space is within a Goppa code
or was generated at random. (Goppa-code-distinguishing Problem)
(ii) Given a (random) [n, k] code generated by the matrix Gpub , a word
c and an integer w, find e of Hamming weight at most w such that
c = mGpub + e for some m. (General Syndrome Decoding)
(iii) Given a (random) [n, k, d] code generated by the matrix Gpub , find a
codeword of weight ≤ w in that code (Finding low weight words).
(iv) Given a random [n, k] code and a random permuted subcode of dimension l < k, find the permutation. (Permuted Kernel Problem)
Only Problems (ii) – (iv) are known to be N P-hard in the general
case [25, 26]. The coding theoretic problems (ii) and (iii) seem to be the
hardest, if w is close to the Gilbert-Varshamov (GV) bound (see, e.g. [18,
Ch. 17, Thm. 30]).
�2.3
Tools
We shortly recall the main ingredients of our scheme: the McEliece PKC,
the zero-knowledge identification protocols (ZKIP) by Stern and Shamir
connected to coding theory, and Crepeaus’s protocol for 1-out-of-2 OT
based on Rabin OT.
McEliece’s public key encryption scheme [19] works as follows:
Upon input of the system parameters m, t, the key generation algorithm
outputs the secret key consisting of three matrices: (S, G, P), where G ∈
Fk×n
is a canonical generator matrix of an [n, k ≥ n − mt, 2t + 1] binary
2
irreducible Goppa code, S ∈ Fk×k
is non-singular and P ∈ F2n×n is a
2
permutation matrix. The corresponding public key is (Gpub = SGP, t). To
encrypt a message m ∈ Fk2 the sender chooses a random binary vector
e of length n and Hamming weight t and computes the ciphertext c =
mGpub + e. The secret key holder now can recover m from c using his
secret key.
For properly chosen parameters, the McEliece PKC is secure [5] and
there exist conversions to obtain CCA2 security [17]. For such variants, or
if only random strings are encrypted, Gpub can be chosen to be systematic
(i.e. with the k-dimensional identity matrix Idk in the first k columns), as
we will do in the following. This reduces space needed to store Gpub .
The size of the ciphertexts can be reduced to n − k if the message is
represented by e. This is known as the Niederreiter PKC, compare [24].
In the latter case (e.g. if a hash of e serves as a random seed or key
for a symmetric encryption scheme) it is sufficient to send the syndrome
e(Gpub )⊥ as ciphertext, where (Gpub )⊥ refers to the systematic check matrix of Gpub .
n×(n−k)
Stern’s ZKIP [26] has a check matrix H ∈ Fq
and an integer
w as system parameters. An user’s identity s is computed from the user’s
secret, a vector e ∈ Fnq of Hamming weight w: s = eH. By Stern’s 3-round
zero-knowledge protocol, the secret key holder can prove his knowledge of
e using two blending factors: a permutation and a random vector. However, a dishonest prover not knowing e can cheat the verifier in the protocol with probability 2/3. Thus, the protocol has to be run several times to
detect cheating provers. Computing e from s is solving Problem (ii) from
Definition 2.3. The communication cost is about n(1 + log2 (n)) log2 (q)
plus three times the size of the employed commitments (e.g. a hash function).
Shamir’s Permuted Kernel ZKIP [25] works quite similarly, i.e. it
n×(n−k)
has a check matrix H ∈ Fq
and an integer l as system parameters.
(Shamir proposed to use l = 1 and q to be a large prime. However,
�taking q small and l < (n − k) works as well [27].) The user’s identity
is computed from the user’s secret, a permutation Π as follows:
K ∈ Fl×n
q
K is taken at random from the right kernel of ΠH. In the following we
can view K as an n-vector over Fql . By Shamir’s 5-round zero-knowledge
protocol, the secret key holder can prove his knowledge of Π using two
blending factors: a permutation and a random n-vector over Fql . However,
a dishonest prover not knowing Π can cheat the verifier in the protocol
with probability (q l + 1)/(2 · q l ). Thus, the protocol has to be repeated
several times to detect cheating provers. Computing Π from K is solving
Problem (iv) from Definition 2.3. The communication cost is about n(l +
log2 (n)) log2 (q) plus two times the size of the commitments. See [22] for
the practical security analysis.
Crépeau’s protocol [7] allows us to build an 1-out-of-2 OT from a
Rabin OT and a hash function h: In a first stage, N random messages ri
are sent to the receiver by a Rabin OT with erasure (receiving) probability
Q (P). Now, K is chosen such that K < PN = (1 − Q)N < 2K < N ,
i.e. the receiver obtains at least K and at most 2K − 1 of the random
messages ri . Then, the receiver sends two disjoint sets I, J ⊆ {1, . . . , N }
of K indices to the sender, such that one of the sets contains only indices
of not erased messages ri . For the 1-out-of-2 OT, the messages m0 , m1
are encrypted as c0 = m0 + h((ri )i∈I ) and c1 = m1 + h((rj )j∈J ). Since
the receiver knows either the set (ri )i∈I or (rj )j∈J , he obtains exactly
one of the messages from c0 and c1 . Crépeau’s protocol fails with some
probability which is negligible in N and can easily be computed.
Commitment scheme. This protocol allows a committer to transmit an evidence (called commitment) of a message to the verifier with
possibility to reveal the message later. The committer cannot learn the
message before revealing, while the verifier cannot change his mind by
opening a different message. In this work, we use a commitment functionality abstracting from its implementation. For details on commitment
schemes, see [8] and the references therein.
3
Reducing the Gap in Rabin OT
We show that the Crépeau’s protocol can be used to reduce the Gap
Rabin OT to the 1-out-of-2 OT and thus to the original Rabin OT.
Theorem 3.1. γ-Gap Rabin OT with γ = QH − QA is equivalent to
Rabin OT, if for some K ′ > 0: K ′ < 1 − QH ≤ 1 − QA < 2K ′ < 1.
Proof (Sketch). Consider the Crépeau’s protocol as described in the previous section and take K = K ′ N . It is easy to check that this protocol
�works, i.e., the sender is very likely to find enough received messages for
one set, while the other set is very likely to contain at least one erasure.
4
Rabin Oblivious Transfer
Our scheme implementing Rabin OT with erasure probability 1 − P consists of two phases: initialization and transmission. The first one is used
for key generation, where a Goppa code is concatenated with a random
code and used as substitute for the secret code in the McEliece PKC, see
Algorithm 4.1. To ensure correct generation of the public key, we use a
trusted third party (TTP) in Algorithm 4.1, which can be omitted as we
show in Section 4.2. In the transmission phase, see Algorithm 4.2, en- and
Algorithm 4.1 Key generation
Input: Security parameters m, t, t′ , l ∈ N.
Receiver: Set n = 2m , k = 2m −mt. Generate a McEliece PKC key pair with security
parameters m, t. Let (S, G, P) be the secret key with public key (Gpub = SGP, t).
Send Gpub to the TTP.
and a (n+l)×(n+l) random permutation
TTP: Generate a random matrix G′ ∈ Fk×l
2
matrix P′ . Publish the systematic matrix Opub generating the same [n + l, k] code as
ˆ pub ′ ˜ ′
G
G P.
decryption work like in the McEliece PKC. The difference lies in the modified public key, which ensures, that the receiver cannot decrypt all valid
ciphertexts. The time complexity for Algorithm 4.2 is O(n · k + n · m · t2 )
operations [6]. The size of the ciphertexts is n + l, but as mentioned in
Section 2.3, this can be reduced to n + l − k by encoding the message into
the error vector e.
Note that if Opub is re-used in the different instances of Algorithm 4.2,
a security problem might arise when composing such instances, see discussion in Appendix A.2. For the sake of simplicity of our proofs, we
henceforth assume that Opub is generated each time anew.
4.1
Security Analysis
Next, we show that Algorithm 4.2 is an instance of a γ-Gap Rabin OT
according to Definition 2.2.
Correctness. Observe that if parameters are chosen carefully and every
party follows the protocol, Algorithm 4.2 works correctly. Let us assume
�Algorithm 4.2 Transmission
Input: The security parameters m, l, t′ and a k-bit message m.
Encryption:
Obtain the receiver’s public key Opub .
Generate a random vector e of weight t′ and length 2m + l.
Compute the ciphertext c = mOpub + e.
Send c to the receiver.
Following Stern’s protocol with system parameters Opub and t′ , send a zero knowledge proof of knowledge Proof for the public key c and secret key e to the receiver.
Decryption:
Verify Proof.
Set (c1 , c2 ) = c(P′ )−1 , where c1 is an n-bit vector.
Try to apply the error correction algorithm for G to c1 P−1 in order to obtain m.
if (previous step fails) or (mOpub + c has weight 6= t′ ) then
return erasure.
else
return m.
�
�
that l = n and t′ = 2t+1. Let (e1 , e2 ) = e(P′ )−1 = c(P′ )−1 +m Gpub G′ ,
where e1 is an n-bit vector. Then, iff e1 has weight ≤ t, the decryption
procedure returns the correct message m. Else an erasure occurs or the
receiver obtains a false message m′ 6= m. However, the latter case is
unlikely to appear, since then, the weight of m′ Opub + c is t′ . Thus,
m′ Opub + c + mOpub + c has weight ≤ 2t′ = 4t + 2. It is easy to check
that, for the reasonable parameters (m > 10 and appropriate t), the
codeword (m + m′ )Opub has weight below the Gilbert-Varshamov (GV)
bound for Opub , which is infeasible to find, even if such a codeword exists.
Since every choice of t′ below half of the GV-bound of Opub leads to a
correct scheme, the parameters may be chosen, such that the probability
P of obtaining the message m varies. We can compute P as the fraction
of error vectors with no more than t entries on the positions of Gpub :
� l �
� l �
t′
n
t
n
X
X
i t′ −i
i t′ −i
=1−
.
(1)
P :=
n+l�
n+l�
i=0
t′
i=t+1
|
{z
t′
=:QH
}
Thus, for instance, if n = l and t′ = 2t + 1, GV bound for Opub , the
scheme works correctly and we have P = QH = 1/2.
Gap. In fact, Algorithm 4.2 implements the γ-Gap Rabin OT for some
γ > 0, since even an honest-but-curious receiver has the possibility to raise
�its probability of receiving the message m. He might choose to guess a
part of the error vector or try to apply a general decoding algorithm to
the erroneous word c2 of the code G′ . These attacks are reflected in the
following formula for the probability QA of an erasure for a dishonest
receiver spending A operations on decryption:
l
P 1 (ni)(t′ −i
)
,
QA = ti=t
n+l
0
( t′ )
where t0 > t + 1, t1 < t′ (compare (1)) and the following conditions hold:
(i) Solving General Syndrome Decoding problem for c and Opub takes
more than A operations. Note that A can be computed taking into
account the (best known) attack by Canteaut and Chabaud [5] using
the lower bound from [24]:
′
A ≥ 2−t
log2 (1−k/(n+l))
.
(2)
(ii) General Syndrome Decoding problem for c2 = mG′ +e2 and G′ cannot
be solved in A operations if e2 has weight ≥ t′ − t1 .
(iii) If the weight w of e1 = c1 + mGpub is larger than t0 , the receiver
cannot guess a sufficiently large subset of the support of e1 to apply
the decoding algorithm for Goppa codes. This is
n �
w−t
3 2
w �m t
w−t
≥ A,
(3)
since� each decoding attempt takes m3 t2 operations [6] and there are
w
w−t correct guesses.
To the best of our knowledge there exist neither codes with better
error correction ratio than binary irreducible Goppa codes nor efficient
list decoding algorithm for binary irreducible Goppa codes [13]. Thus, if
wt(e1 ) > t0 , the receiver either has to guess part of the error or is forced
to use a general decoding algorithm.
We conclude that the dishonest receiver can achieve Q = 1 only if
general decoding is easy. The gap is computed as γ = QH − QA . Given
A, the parameters of Algorithm 4.2 must be chosen according to (2).
Condition (ii) allows us to compute t1 by substituting in (2): t′ and l + n
with t′ −t1 and n, respectively. Finally, t0 is equal to minimal w, satisfying
(3). In Appendix A.1, we present the numerical computations of QH and
QA for A = {38, 70} and some proposed parameter sets.
Sender’s Security. It appeared to be difficult to show a reduction to
a hard problem. The general intuition behind the sender’s security of
�our scheme is as follows. Assume that there exists a malicious receiver
algorithm R which can recover all the messages in the case of erasure.
Then, R must efficiently perform either of the following tasks: 1) Correct
substantially more than t errors in a (n, k ≥ n − mt) Goppa code; 2)
Extend a Goppa code in such a way that the extended code efficiently
corrects as many errors as the Goppa code of the same size.
As there is no known polynomial algorithm for either of these problems, we believe that the sender’s security can be achieved in principle.
Receiver’s Security.
Proof assures that e is of weight t′ . In other words, the dishonest
sender cannot influent P by playing with the error vector’s weight. His
ability to do it would contradict to security of Stern’s ZKID.
Remark 4.1. We note that Stern’s ZKID can be used for proving the
validity of the McEliece encryption in the same way as it is used for
the OT transmission in Algorithm 4.2. This yields a verifiable variant of
McEliece encryption. Verifiable encryption has numerous applications in
cryptographic protocol theory (see [4]). We leave a formal treatment of
this subject for the separate paper.
Theorem 4.2. The Sender S who can distinguish V iewS (m|E = 0) and
V iewS (m|E = 1) can distinguish a Goppa code from a random matrix.
Proof (Sketch).
The proof goes in two parts: First, we show that a sender S able to
efficiently detect erasures (with probability 1) can distinguish the Goppa
part of Opub from the random part. Second, we build an oracle (in a
straight forward way) which distinguishes a Goppa code from a random
code using S. For simplicity of our presentation, we take l = n and t′ =
2t + 1, however our proof generalizes to almost all parameter sets.
Note, that in the case of erasure, the probability pi that for a position
i of Gpub , ei = 1 is at least (t + 1)/n, while for a position j of G′ the
probability pj that ej = 1 is at most t/l. By heuristics, we can construct
a distinguisher D which can tell the positions of Gpub apart from the ones
in G′ . This takes O(running-time(S) · n2 ) steps since |pi − pj | ≥ 1/n. This
approach only fails if pi ≈ pj , which we can fix by guessing some positions
of Gpub . See Appendix A.3 for details.
Now, given two matrices G1 and G2 , where one is a Goppa code, we can
tell, which one is the Goppa code, by querying D with Opub = [G1 | G2 ]
for the Goppa part of Opub .
⊓
⊔
�4.2
Omitting Trusted Third Party
In a fully secure scheme, the key generation is performed by the receiver
and its correctness is verified by the sender using Shamir’s PKP ZKIP [25]
(see Section 2). The basic idea is that the receiver computes the public
key Opub , while the sender provides its random part G′ key and checks
correctness by Shamir’s ZKIP. The key generation protocol is summarized
in Algorithm 4.3.
Algorithm 4.3 Public Key Generation Without TTP
Input: Security parameters same as in Algorithm 4.1 and k′ < 2m − mt ∈ N.
Output: The public key (Opub , t′ ).
Receiver: Generate the same public key (Gpub , t) as in Algorithm 4.1.
Choose a (n + l) × (n + l) random permutation matrix P′ .
Commit to the rows of Gpub (one by one, k commitments in total).
and send it to the receiver.
Sender: Generate a random matrix G′ ∈ Fk×l
2
Receiver:
the systematic matrix Opub generating the same [n + l, k] code
ˆ pub ′Publish
˜ ′
as G
G P.
Sender: Choose a random subset K′ of cardinality k′ from {1, . . . , k}.
Ask the receiver to reveal
the commitments
for K′ .
ˆ pub
˜
′
Compute the rows of G
G with indices in K′ .
Receiver: Use Shamir’s
ZKIP
to
ˆ
˜ prove to the sender, that there is a permutation,
such that the rows of Gpub G′ with indices in K′ are simultaneously in the code
generated by Opub .
The last step of Algorithm 4.3 requires some additional explanation:
′
After
of
� pub the
� second last step, the sender knows a k × n submatrix Kpub
′
G
G and can compute the n + l − k dimensional kernel of O
given by a matrix H. Now we can take H and k′ as system parameters for
Shamir’s Permuted Kernel ZKIP. If the receiver is honest and has followed
the protocol, he knows the secret permutation Π = P′ corresponding to
the user’s identity K, i.e. a permutation such that K · Π · H = 0. Thus,
the honest receiver can employ Shamir’s ZKIP to convince the sender by
a zero-knowledge proof that he followed the protocol, while the dishonest
receiver will be revealed.
Note that G′ can be generated using a pseudorandom generator. In
this case, only a seed to the generator needs to be transmitted, hereby
communication cost can be reduced.
�5
1-out-of-2 String Oblivious Transfer
As a generalization of the previous scheme, we can construct a substantially more efficient protocol for 1-out-of-2 String OT. Unfortunately, this
construction inherits the drawback of the previous scheme – we are unable to formally prove its sender’s security. In fact, the sender’s security
proof would be a generalization of that of our Rabin OT scheme.
In this section, we briefly sketch this 1-out-of-2 String OT scheme and
its security intuition, without giving formal proofs.
We assume the players’ inputs to the protocol to be random since there
exists a reduction by Beaver [2] which allows to convert such randomized
OT into OT with actual inputs. Let the following be the security parameters: the matrix Q ∈ Fk×n
chosen uniformly at random, and G ∈ Fk×n
,
2
2
as before, be a canonical generator matrix of an [n, k ≥ n − mt, 2t + 1]
binary irreducible Goppa code. Encryption is done using a variant of the
McEliece PKC, we assume that the corresponding inputs’ length is whatever prescribed by the encryption algorithm, denoted a bits for certainty.
Our 1-out-of-2 String OT protocols is summarized in Algorithm 5.1.
Algorithm 5.1 1-out-of-2 String OT
Input: Security parameters: m, k, k ′ , t, G, Q
Sender: b0 , b1 ∈ Fa2 ; Receiver: c ∈ {0, 1}
Output: Sender: none; Receiver: bc
and a random
Receiver: Generate random permutation matrices P′ , P′′ ∈ Fn×n
2
′
matrix of rank k′ : S′ ∈ F2k ×k . Set Cc = S′ GP′ , C1−c = S′ QP′′ .
Send [C0 |C1 ] to the receiver.
Prove using Shamir’s ZKIP that [C0 |C1 ] is a permuted subcode of [G|Q].
Sender: Reject if the proof fails, otherwise
For i = 0, 1: Encrypt bi as follows: bi Ci + ei , where ei is random vector of weight t,
and send the encryption.
Receiver: Decrypt and output bc .
Note that the communication cost of this protocol can be substantially
reduced, if only the non-systematic parts of the codes are dealt with.
This modification will also require using the IND-CCA2 conversion for
encryption [17]. Also, Q can be computed using a pseudorandom generator
such that only its seed will be obtained by coin flipping.
Intuition. We provide only a sketch of the security analysis.
�Correctness. If both players follow the protocol, then the receiver is not
rejected by the sender and is able to decode Cc which is a subcode of G.
Hence, the decoding algorithm of G can be used.
Sender’s Security. Assume that the receiver is honest-but-curious, i.e.,
he tries to compute both inputs, but still follows the protocol. In order to
compute b1−c , he must decode a subcode of the random code, i.e., solve
Problem (ii) of Definition 2.3.
Now, suppose that the IND-CPA version of the McEliece PKC [21]
is used for encryption, then the input b1−c which is encrypted on the
subcode of Q is indistinguishable from random according [21, Lemma 3].
If we use only non-systematic parts of the codes, then we must employ
the IND-CCA2 conversion [17] since the “message” part of the encryption
will be sent in open in this case. Indistinguishability of one of the inputs
will follow in a way similar to the variant above. Note, that the price to
pay here is the additional assumption: the random oracle model, which
is not required by the variant above.
Now, assume that the receiver is fully malicious. The ZK proof will
convince the sender that [Cc |C1−c ] is indeed a permutation of [G|Q]. Unfortunately, the receiver may distribute the columns of G and Q into both Cc
and C1−c . Then, the security proof will boil down to proving the receiver’s
inability to efficiently decode an extended Goppa code. In fact, we will
need a generalization of the security proof for our Rabin OT protocol:
here, the receiver does not necessarily distributes G and Q as “half-tohalf” in the subcodes. As it was mentioned in the previous section, such
the proof is not easy to construct.
Receiver’s Security. The malicious sender who learns the receiver’s
choice must either distinguish the subcode of G from that of Q hence solving Problem (i) or recover the permutations P′ , P′′ solving Problem (iv)
of Definition 2.3.
Employing Cut-And-Choose. We note, although do not prove it formally, that in the above algorithm, one can use the cut-and-choose technique instead of the zero-knowledge proof in order for the sender to check
that the keys were formed correctly. This would remove the above mentioned problem with the sender’s security proof. However, in this case,
our protocol would become quite similar to that of [9], since it would use
the same machinery to reduce the advantage of malicious receiver.
Acknowledgments. The authors would like to thank anonymous reviewers from Eurocrypt 2008. The second author would also like to thank
Yang Cui for his pointer on verifiable encryption.
�References
1. W. Aiello, Y. Ishai, and O. Reingold. Priced oblivious transfer: How to sell digital
goods. In Birgit Pfitzmann, editor, EUROCRYPT, volume 2045 of Lecture Notes
in Computer Science, pages 119–135. Springer, 2001.
2. D. Beaver. Precomputing oblivious transfer. In Don Coppersmith, editor,
CRYPTO, volume 963 of Lecture Notes in Computer Science, pages 97–109.
Springer, 1995.
3. M. Bellare and S. Micali. Non-interactive oblivious transfer and spplications. In
Gilles Brassard, editor, CRYPTO, volume 435 of Lecture Notes in Computer Science, pages 547–557. Springer, 1989.
4. Jan Camenisch and Victor Shoup. Practical verifiable encryption and decryption
of discrete logarithms. In Dan Boneh, editor, CRYPTO, volume 2729 of Lecture
Notes in Computer Science, pages 126–144. Springer, 2003.
5. A. Canteaut and F. Chabaud. A new algorithm for finding minimum-weight words
in a linear code: Application to McEliece’s cryptosystem and to narrow-sense BCH
codes of length 511. IEEETIT: IEEE Transactions on Information Theory, 44,
1998.
6. N. Courtois, M. Finiasz, and N.Sendrier. How to achieve a McEliece-based digital
signature scheme. In Advances in Cryptology - ASIACRYPT 2001, volume 2248,
pages 157–174. Springer-Verlag, 2001.
7. Claude Crépeau. Equivalence between two flavours of oblivious transfers. In Carl
Pomerance, editor, CRYPTO, volume 293 of Lecture Notes in Computer Science,
pages 350–354. Springer, 1987.
8. I. Damgård and J. Nielsen. Commitment schemes and zero-knowledge protocols. Lecture notes, University of Aarhus, February 2008. Available at:
http://www.daimi.au.dk/ĩvan/ComZK08.pdf.
9. R. Dowsley, J. van de Graaf, J. Müller-Quade, and A. Nascimento. Oblivious
transfer based on the McEliece assumptions. Accepted to ICITS 2008, August
2008.
10. S. Even, O. Goldreich, and A. Lempel. A randomized protocol for signing contracts.
Commun. ACM, 28(6):637–647, 1985.
11. O. Goldreich. Foundations of Cryptography - Volume 2 (Basic Applications). Cambridge University Press, 2004.
12. O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game or a
completeness theorem for protocols with honest majority. In STOC, pages 218–229.
ACM, 1987.
13. V. Guruswami and M. Sudan. Improved decoding of reed-solomon and algebraicgeometry codes. IEEE Transactions on Information Theory, 45(6):1757–1767,
1999.
14. I. Haitner. Implementing oblivious transfer using collection of dense trapdoor permutations. In Moni Naor, editor, TCC, volume 2951 of Lecture Notes in Computer
Science, pages 394–409. Springer, 2004.
15. Y. Kalai. Smooth projective hashing and two-message oblivious transfer. In Ronald
Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science,
pages 78–95. Springer, 2005.
16. J. Kilian. Founding cryptography on oblivious transfer. In STOC, pages 20–31.
ACM, 1988.
17. K. Kobara and H. Imai. Semantically secure McEliece public-key cryptosystems conversions for McEliece PKC. In Practice and Theory in Public Key Cryptography
- PKC ’01 Proceedings. Springer Verlag, 2001.
�18. F.J. MacWilliams and N.J.A. Sloane. The Theory of Error-Correctiong Codes.
North-Holland Amsterdam, 7 edition, 1992.
19. R.J. McEliece. A public key cryptosystem based on algebraic coding theory. DSN
progress report, 42-44:114–116, 1978.
20. M. Naor and B. Pinkas. Efficient oblivious transfer protocols. In SODA, pages
448–457, 2001.
21. Ryo Nojima, Hideki Imai, Kazukuni Kobara, and Kirill Morozov. Semantic security for the McEliece cryptosystem without random oracles. Accepted
to Special Issue of Designs, Codes and Cryptography, 2008. Available at:
http://www.springerlink.com/content/382002h225822816/.
22. G. Poupard. A realistic security analysis of identification schemes based on combinatorial problems. European Transactions on Telecommuncations, 8(5):417–480,
September/October 1997.
23. M.O. Rabin. How to exchange secrets by oblivious transfer. Technical report,
Aiken Computation Laboratory, Harvard University, 1981. Tech. Memo TR-81.
24. N. Sendrier. On the security of the McEliece public-key cryptosystem. In
M. Blaum, P.G. Farrell, and H. van Tilborg, editors, Proceedings of Workshop
honoring Prof. Bob McEliece on his 60th birthday, pages 141–163. Kluwer, 2002.
25. A. Shamir. An efficient identification scheme based on permuted kernels. In Proc.
of Crypto’89, volume 435 of LNCS, pages 606–609. Springer Verlag, 1990.
26. J. Stern. A new identification scheme based on syndrome decoding. In Advances
in Cryptology - CRYPTO’93, volume 773 of LNCS. Springer Verlag, 1994.
27. Serge Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. J. Cryptology,
14(2):87–100, 2001.
28. S. Wiesner. Conjugate coding. SIGACT News, 15(1):78–88, 1983.
Appendix A
A.1
Details on Security of Rabin OT
Examples of Security Parameters
We can achieve reasonable values for P and Q280 , compare Table A.1.
In fact, one can even use the dishonest receiver’s strategy in a positive
way, i.e., to raise the chance of obtaining the message. The work factor
for decryption is then given by Equation (3). This is useful for protocols
like in [7], where we need to ensure that the receiver gets at least half of
the messages, compare Section 3.
Parameters
m t t′
l
Size Public Key Size Ciphertext Decryption
QA
= k(n + l − k)
= n + l − k runtime QH A = 238 A = 280
12 200 2t + 1 212 1,377 KBytes
13 402 2t + 13 213 4,974 KBytes
14 800 2t + 1 214 17,874 KBytes
812 Bytes 226
1,677 Bytes 228.5
3,448 Bytes 231
0.5 0.41
0.66 0.61
0.5 0.46
Table A.1. Parameter sets for the Rabin OT
0.11
0.36
0.29
�Example 1. With the first parameter set from Table A.1 and a receiver
spending up to 235 operations on each decryption, we can obtain a 1-outof-2 OT by Crépeau’s construction, which fails with probability less than
2−30 if we choose N = 180.
A.2
Reaction Attack
Note that if the same public key Opub is used in the different instances of
Algorithm 4.2, the dishonest sender can adaptively influent the erasure
probability, as long as he gets feedback whether an erasure occurred or
not. Suppose that an attacker learns that the receiver cannot decode a
certain ciphertext. Then, the sender can choose to modify the corresponding error vector only slightly for the next encryption. Thus, by statistics,
the sender could identify the columns of Gpub in Opub , which breaks the
security of our scheme. Nevertheless, the sender should be cautious, as
the receiver might detect such manipulations by comparing ciphertexts.
This might get important as feedback may well come from the higher
level protocols (like Crépeau’s protocol), for which oblivious transfer is
used as a primitive. However, there are plenty of possible countermeasures
against an attack by feedback. For instance, when the conversion [17] is
used for encryption, the task of tuning the erasure probability is not at
all trivial.
A.3
Proof Details for Receiver’s Security
The distinguisher D works as follows. Repeat the following until n2+ǫ
(0 < ǫ < 1) erasure views are encountered:
– Generate a view of the sender using some error vector e (distinct each
time) and submit it to S
– Each time S outputs “erasure”, remember on which columns the error
locations of e were.
Note that the expected running time will be n2+ǫ /Q, where Q is the
erasure probability. Hence, D is efficient.
Then, consider the “score” of each column. For those of Gpub , the
expected score is at least (t + 1)n1+ǫ , since at least t + 1 errors are needed
to cause an erasure. Hence, for the columns of G′ , the expected score is at
most (t′ − t − 1)n2+ǫ /l as at most t′ − t − 1 errors are left for G′ . Now, the
standard Chernoff bound can be applied in order to show that one can
distinguish between two random variables with the above expectations
with negligible (in n) probability of error.
�It easy to check that the above reasoning works when (t + 1)/n >
− t − 1)/l. The only case, when it breaks down is when the above
expectations are too close to each other such that the Chernoff bound
does not apply. However, this can be fixed in the following way: guess a
few positions of Gpub and run D. Note that once t + 1 candidate columns
for Gpub are obtained, they can be easily verified by placing the error
locations on them and submitting such the view to S. If the initial guess
was wrong, guess a different set of columns and start over. Since the
probability of the correct guess is non-negligible, the expected running
time is polynomial in n.
In case of (t′ − t − 1)/l < (t + 1)/n, we slightly modify the construction
of D: it will iterate until n2+ǫ non-erasure views are encountered. Note
that in this case, the expected score of Gpub ’s column is at most tn1+ǫ ,
while that of G′ is at least (t′ −t)n2+ǫ /l. Thus, the reasoning before applies
in a similar way.
(t′
�