## Interactive Hashing and reductions between Oblivious Transfer variants

Citations: 6 (2 self)

### BibTeX

@MISC{Savvides_interactivehashing,
    author = {George Savvides},
    title = {Interactive Hashing and reductions between Oblivious Transfer variants},
    year = {}
}

### Abstract

Interactive Hashing has featured as an essential ingredient in protocols realizing a large variety of cryptographic tasks. We present a study of this important cryptographic tool in the information-theoretic context. We start by presenting a security definition which is independent of any particular setting or application. We then show that a standard implementation of Interactive Hashing satisfies all the conditions of our definition. Our proof of security improves upon previous ones in several ways. Despite its generality, it is considerably simpler. Moreover, it establishes a tighter upper bound on the cheating probability of a dishonest sender. Specifically, we prove that if the fraction of good strings for a dishonest sender is f, then the probability that both outputs will be good is no larger than 15.6805 · f. This upper bound is valid for any f and is tight up to a small constant since a sender acting honestly would get two good outputs with probability very close to f. We illustrate the potential of Interactive Hashing as a cryptographic primitive by demonstrating efficient reductions of String Oblivious Transfer with string length k to Bit Oblivious Transfer and several weaker variants. Our reductions incorporate tests based on Interactive Hashing that allow the sender to verify the receiver’s adherence to the protocol without compromising the latter’s privacy. This allows a much more efficient use of the available entropy without any appreciable impact on security. As a result, for Bit OT and most of its variants n = (1 + ε)k executions suffice, improving efficiency by a factor of two or more compared to the most efficient reductions that do not use Interactive Hashing. As it is theoretically impossible to achieve an expansion factor n/k smaller than 1, our reductions are in fact asymptotically optimal. They are also more general since they place no restrictions on the types of 2-universal hash families used for Privacy Amplification.
Lastly, we present a direct reduction of String OT to Rabin OT which uses similar methods to achieve an expansion factor of 2 + which is again asymptotically optimal.

### Citations

770 | A Measure of Asymptotic Efficiency for Tests of a Hypothesis Based on the Sum of Observations - Chernoff - 1952
Citation Context ...t used. A Tools and Mathematical Background. A.1 Tail bounds. Let B(n, p) be the binomial distribution with parameters n, p and mean µ = np. We will use the following versions of the Chernoff bound [Che52] (as they appear in [Vaz04], p.354) for 0 < δ ≤ 1: $\Pr[B(n,p) \le (1-\delta)\mu] \le e^{-\delta^2\mu/2}$ (A.1), $\Pr[B(n,p) \ge (1+\delta)\mu] \le e^{-\delta^2\mu/4}$ (A.2). From (A.1) we can also deduce the following inequality Pr [B(n,... |

538 | How to play any mental game - a completeness theorem for protocols with honest majority - Goldreich, Micali, et al. |

503 | A Randomized Protocol for Signing Contracts - Even, Goldreich, et al. - 1985
Citation Context ...y 1/2. The primitive guarantees that Alice does not learn which of the two events occurred. Another, more frequently encountered variant of Oblivious Transfer is one out of two Bit Oblivious Transfer [EGL85], denoted $\binom{2}{1}$–Bit OT or simply Bit OT. Here, the sender Alice sends two bits $b_0, b_1$ to Bob, who can choose to learn the bit of his choice c, namely $b_c$. This primitive guarantees that on one hand,... |

225 | Generalized privacy amplification - Bennett, Brassard, et al. - 1995
Citation Context ...rmly distributed string r that can be used effectively as a one-time pad in cryptographic applications. For our needs we will use a simplified version of the Generalized Privacy Amplification Theorem [BBCM95] (also covered in [BBR88]) which assumes that there are always u or more unknown physical bits in R (as opposed to general bounds on R’s entropy). Theorem A.1. Let R be a random variable with uniform ... |

196 | Privacy amplification by public discussion - Bennett, Brassard, et al. - 1988
Citation Context ...nd several of its variants. The novelty of our reductions arises from tests based on Interactive Hashing that are incorporated into well-known reductions [BCW03, Cré87] based on Privacy Amplification [BBR88]. These tests allow the sender (in String OT) to query the receiver on a small subset of the bits he received. Without compromising the honest receiver’s privacy concerning his choice bit, these tests... |

96 | All-or-Nothing Disclosure of Secrets - Brassard, Crépeau, et al. - 1987 |

69 | Equivalence between two flavours of oblivious transfer - Crépeau - 1988
Citation Context ... Alice doesn’t find out what c was. Despite the differences in appearance between Bit OT and Rabin OT, the two variants are in fact equivalent cryptographic primitives, as was demonstrated by Crépeau [Cré87]. The apparent simplicity of Oblivious Transfer belies its surprising power as a cryptographic primitive. Its applicability to multiparty computation was first studied by Even, Goldreich and Lempel [E... |

50 | On the reversibility of oblivious transfer - Crépeau, Sántha - 1991
Citation Context ... against a dishonest receiver (Bob), as ¹As a brief historical aside, we mention that XOR OT was originally studied in the context of reversing the direction of Oblivious Transfer. Crépeau and Sántha [CS91] showed that it is very easy to obtain XOR OT in one direction if $\binom{2}{1}$–Bit OT in the reverse direction is available. Using their approach, obtaining $\binom{2}{1}$–Bit OT itself required a more elaborat... |

48 | Oblivious transfer with a memory-bounded receiver - Cachin, Crépeau, et al. - 1998 |

46 | Everlasting security in the bounded storage model - Aumann, Ding, et al. |

42 | Oblivious Transfer and Intersecting Codes - Brassard, Crépeau, et al. - 1996
Citation Context ...s yield simpler constructions with easier to prove security. 4.1 Previous work. All reductions of $\binom{2}{1}$–ROT$^k$ to Bit OT fall within two major categories: reductions based on Self-intersecting Codes [BCS96] (Section 4.1.1) and reductions based on Privacy Amplification [BBR88] (Section 4.1.2). 4.1.1 Reductions based on Self-intersecting Codes. Self-intersecting Codes are a special class of error-correctin... |

35 | Oblivious transfers and privacy amplification - Brassard, Crépeau, et al. - 2003
Citation Context ...crucial as, for example, in the case where the string is to be used as a one-time pad. For more information on Privacy Amplification, see Section A.3. In Protocol 4.1 we introduce the construction of [BCW03] upon which our own construction (Protocol 4.2) builds and expands using Interactive Hashing. Protocol 4.1: Reduction of $\binom{2}{1}$–ROT$^k$ to Bit OT. 1. Alice selects $R_0, R_1 \in_R \{0,1\}^n$. Bob selects $c \in_R$ ... |

22 | Oblivious Transfer in the Bounded Storage Model - Ding - 2001 |

20 | Lower Bounds for Oblivious Transfer Reduction - Dodis, Micali - 1999
Citation Context ...$r_0, r_1 \in \{0,1\}^k$. Gains in efficiency: As $k \ge n - 8xn$ where x is a very small constant less than 1, the expansion factor n/k is $1 + \epsilon$ for $\epsilon = \frac{8x}{1-8x} \approx 8x$. As one cannot do better than n/k = 1 (see [DM99] for a formal proof of this fact), our expansion factor is asymptotically optimal and represents a two-fold improvement over the corresponding reduction in [BCW03] where the expansion factor is at lea... |

18 | Optimal reductions between oblivious transfers using interactive hashing - Crépeau, Savvides - 2006
Citation Context ...lly secure under the sole assumption that the receiver’s memory is bounded [CCM98, ADR02, Din01, DHRS04]. Interactive Hashing was later used to optimize reductions between Oblivious Transfer variants [CS06], a topic which will be explored further in Chapters 4 and 5. We remark that while some of the security properties required of Interactive Hashing in information theoretic settings bear a very close r... |

18 | Foundations of Cryptography, Volume I - Goldreich - 2001 |

15 | Information-theoretic conditions for two-party secure function evaluation - Crépeau, Savvides, et al. - 2006
Citation Context ...in scope and thus applicable to only a few specialized scenarios, or suffer from subtle (and sometimes not so subtle) flaws. An overview of some of these definitions and their shortcomings appears in [CSSW06], along with a new information theoretic definition of $\binom{2}{1}$–String OT$^k$ which is shown to be equivalent to a widely accepted security definition of general two-party computation in the real/ideal ... |

15 | Secure Commitment Against a Powerful Adversary - Ostrovsky, Venkatesan, et al. - 1992 |

12 | Founding cryptography on oblivious transfer - Kilian - 1988
Citation Context ...nt in an array of protocols implementing a large variety of cryptographic tasks, such as Bit Commitment, Zero-knowledge Proofs, and general Secure Multiparty Computation [Yao86, GMW87, Gol04]. Kilian [Kil88] demonstrated that this primitive is in and of itself sufficient to securely implement any two-party computation. String OT is a generalization of Bit OT that allows Alice to send one of two k–bit str... |

6 | Perfect zero-knowledge arguments for NP using any one-way permutation - Naor, Ostrovsky, Venkatesan, Yung - 1998
Citation Context ... NOVY98], where at least one of the participants was computationally bounded. An illustrative example of its applications in such computational contexts is the Bit Commitment scheme of Naor et al. [NOVY98]. We briefly remind the reader that a Bit Commitment scheme allows a player, Alice, to send a commitment to a bit b of her choice to some other player Bob. The scheme should guarantee that, on one han... |

3 | personal communication - Crépeau, Gottesman, et al.
Citation Context ...rm distribution over the remaining strings within some $\eta < 2^{-t}$. ...of his choice but might allow a dishonest Bob to learn up to k − 1 bits of his choice. Over the past few years, Crépeau and Kilian [CK] have made repeated but unsuccessful attempts to find a satisfactory reduction of $\binom{k}{1}$–Bit OT to (k − 1)–faulty $\binom{k}{1}$–Bit OT. Protocol 2.2 shows how Interactive Hashing makes such a reduction ... |

3 | Constant-Round Oblivious Transfer in the Bounded Storage Model - Ding, Harnik, Rosen, Shaltiel - 2007
Citation Context ... that G−1 our upper bound is tight up to a small constant in all cases where the possibility of cheating exists (cheating is impossible when G < 2). 2.3.4 An alternative implementation. Ding et al. [DHRS04] make use of a new, constant-round Interactive Hashing protocol to achieve Oblivious Transfer with a memory-bounded receiver. The main idea behind their protocol, which requires only four rounds of in... |

2 | Foundations of Cryptography, Volume II. Cambridge University Press - Goldreich - 2004 |