Oblivious transfer in the bounded storage model
- In Advances in Cryptology - CRYPTO 2001
, 2001
Cited by 17 (2 self)
Abstract. Building on a previous important work of Cachin, Crépeau, and Marcil [15], we present a provably secure and more efficient protocol for $\binom{2}{1}$-Oblivious Transfer with a storage-bounded receiver. A public random string of n bits long is employed, and the protocol is secure against any receiver who can store γn bits, γ<1. Our work improves the work of CCM [15] in two ways. First, the CCM protocol requires the sender and receiver to store $O(n^c)$ bits, c ∼ 2/3. We give a similar but more efficient protocol that just requires the sender and receiver to store $O(\sqrt{kn})$ bits, where k is a security parameter. Second, the basic CCM Protocol was proved in [15] to guarantee that a dishonest receiver who can store O(n) bits succeeds with probability at most $O(n^{-d})$, d ∼ 1/3, although repetition of the protocol can make this probability of cheating exponentially small [20]. Combining the methodologies of [24] and [15], we prove that in our protocol, a dishonest storage-bounded receiver succeeds with probability only $2^{-O(k)}$, without repetition of the protocol. Our results answer an open problem raised by CCM in the affirmative.
A two-server, sealed-bid auction protocol
- In Sixth Annual Proceedings of Financial Cryptography
, 2002
Cited by 16 (0 self)
Abstract. Naor, Pinkas, and Sumner introduced and implemented a sealed-bid, two-server auction system that is perhaps the most efficient and practical to date. Based on a cryptographic primitive known as oblivious transfer, their system aims to ensure privacy and correctness provided that at least one auction server behaves honestly. As observed in [19], however, the NPS system suffers from a security flaw in which one of the two servers can cheat so as to modify bids almost arbitrarily and without detection. We propose a means of repairing this flaw while preserving the attractive practical elements of the NPS protocol, including minimal round complexity for servers and minimal computation by players providing private inputs. Our proposal requires a slightly greater amount of computation and communication on the part of the two auction servers, but actually involves much less computation on the part of bidders. This latter feature makes our proposal particularly attractive for use with low-power devices. While the original proposal of NPS involved several dozen exponentiations for a typical auction, ours by contrast involves only several dozen modular multiplications. The key idea in our proposal is a form of oblivious transfer that we refer to as verifiable proxy oblivious transfer (VPOT).
Key words: auction, sealed-bid auction, oblivious transfer, secure multiparty computation, secure function evaluation
Oblivious transfer is symmetric
- In Advances in Cryptology - EUROCRYPT ’06
, 2006
Cited by 11 (1 self)
Abstract. We show that oblivious transfer of bits from A to B can be obtained from a single instance of the same primitive from B to A. Our reduction is perfect and shows that oblivious transfer is in fact a symmetric functionality. This solves an open problem posed by Crépeau and Sántha in 1991.
Commitment Capacity of Discrete Memoryless Channels
- In: Cryptography and Coding. LNCS
, 2003
Cited by 5 (1 self)
In extension of the bit commitment task and following work initiated by Crépeau and Kilian, we introduce and solve the problem of characterising the optimal rate at which a discrete memoryless channel can be used for bit commitment. It turns out that the answer is very intuitive: it is the maximum equivocation of the channel (after removing trivial redundancy), even when unlimited noiseless bidirectional side communication is allowed. By a well-known reduction, this result provides a lower bound on the channel's capacity for implementing coin tossing, which we conjecture to be an equality. The method of proving this...
Constructions and Bounds for Unconditionally Secure Non-Interactive Commitment Schemes
- Commitment Schemes, Designs, Codes, and Cryptography
, 2002
Cited by 5 (2 self)
Commitment schemes have been extensively studied since they were introduced by Blum in 1982. Rivest recently showed how to construct unconditionally secure non-interactive commitment schemes, assuming the existence of a trusted initializer. In this paper, we present a formal mathematical model for unconditionally secure non-interactive commitment schemes with a trusted initializer and analyze their binding and concealing properties. In particular, we show that such schemes cannot be perfectly binding: there is necessarily a small probability that Alice can cheat Bob by committing to one value but later revealing a different value. We prove several bounds on Alice's cheating probability, and present constructions of schemes that achieve optimal cheating probabilities. We also analyze a class of commitment schemes based on resolvable designs.
Zero-error information and applications in cryptography
- In Proceedings of 2004 IEEE Information Theory Workshop (ITW)
, 2004
Cited by 5 (1 self)
Abstract — In analogy to the zero-error variant of the channel capacity, the zero-error information between two random variables is defined. We show that our definition is natural in the sense that the representation of the channel capacity with respect to mutual information carries over to the zero-error variants of the quantities. It is shown that the new notion, together with two operators introduced in the same context, namely the common random variable of two random variables and the dependent part of a random variable with respect to another, is useful for giving characterizations of the possibility of realizing cryptographic tasks—such as bit commitment, coin tossing, or oblivious transfer—from correlated pieces of information.
On Unconditionally Secure Distributed Oblivious Transfer
- Progress in Cryptology: Proceedings of INDOCRYPT 2002, LNCS, Springer-Verlag
, 2002
Cited by 3 (0 self)
This work is about distributed protocols for oblivious transfer, proposed by Naor and Pinkas, and recently generalized by Blundo et al. In this setting a Sender has n secrets and a Receiver is interested in one of them. The Sender distributes the information about the secrets to m servers, and a Receiver must contact a threshold of the servers in order to compute the secret. These distributed oblivious transfer protocols provide information-theoretic security. We present an impossibility result and a lower bound for the existence of one-round threshold distributed oblivious transfer protocols, generalizing the results of Blundo et al. A threshold-based construction implementing 1-out-of-n distributed oblivious transfer achieving the proved lower bound for existence is proposed. A
Error-tolerant combiners for oblivious primitives
Cited by 1 (0 self)
Abstract. A robust combiner is a construction that combines several implementations of a primitive based on different assumptions, and yields an implementation guaranteed to be secure if at least some assumptions (i.e. sufficiently many but not necessarily all) are valid. In this paper we generalize this concept by introducing error-tolerant combiners, which in addition to protection against insecure implementations provide tolerance to functionality failures: an error-tolerant combiner guarantees a secure and correct implementation of the output primitive even if some of the candidates are insecure or faulty. We present simple constructions of error-tolerant robust combiners for oblivious linear function evaluation. The proposed combiners are also interesting in the regular (not error-tolerant) case, as the construction is much more efficient than the combiners known for oblivious transfer.
Certificate
, 2007
First of all, I would like to express my deepest gratitude to my advisor Prof. Pandu Rangan C, for inspiring me to take up research seriously. He is easily, one of the best professors I have come across in my four years of undergraduate life. His courses and his formal methods of approaching mathematical problems have helped me obtain a good grasp in the field of theoretical computer science. I thank him for providing the appropriate environment for research in the TCSLab, well known for books, journals and proceedings strewn all around. I would also like to recollect the valuable spree of technical discussions that I have had with him along with the students and interns of the lab on various topics in cryptography during the past 3 years at the lab. I would like to thank my faculty advisor, Prof. C. Siva Ram Murthy for his encouraging words during my initial terms in the department. I would also like to thank Dr. B. Ravindran for helping me broaden my interests in Computer Science through his courses on Operating Systems and Reinforcement learning. I am grateful to Dr. Shankar Balachandran and Prof. G. Srinivasan for they have stood by me and boosted my self-confidence during my tough times. The tete-a-tete sessions that I had with Shankar in his room and near GC reminded me of my school days and friends. The Cricket talk in the Coffee-with-GS sessions every Thursday along
Galois Field Commitment Scheme
, 2006
In [3] the authors give the first mathematical formalization of an unconditionally secure commitment scheme. Their construction has some similarities to one used to build authentication codes, so they raise the question whether there is some relation between commitment schemes and authentication schemes. They conjecture that authentication schemes with arbitration can be used, but they stress that the information flows are different. In this

