In this section, we demonstrate how to transform a bit OT protocol into a string OT protocol in a way that preserves both defensible privacy with respect to a corrupted receiver and receiver privacy. At a high level, in order to obtain an $n$-bit OT we repeat the bit OT protocol in parallel $n$ times. Given two $n$-bit strings $(s_0, s_1)$, the sender enters the $i$th bits of $s_0$ and $s_1$ as the bit inputs for the $i$th OT execution. In addition, the receiver must use the same index for all executions. We next prove that the receiver privacy of the transformed protocol follows easily using a simple hybrid argument. Defensible privacy, on the other hand, holds since the receiver is required to produce a good defense for the $n$ parallel executions simultaneously, and a good defense should show that the receiver supplied the same index in all the executions. We note that our proof works for random OT, which is sufficient for our purposes, yet can be extended to the more general case.
The definition of defensible privacy for $n$-bit OT is provided in Section 2.3. Below we present an equivalent game-based security formulation for bit OT defensible privacy, inspired by [HIK+11]. More formally, we consider the following experiment for a protocol $\pi$ and a PPT adversary $A$:
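Experiment $\mathrm{Expt}_\pi(A)$:
1. Choose $s_0, s_1 \in \{0,1\}$ uniformly at random.
2. Let $\rho_{\mathrm{Sen}}$ be a uniformly chosen random tape for the sender $\mathrm{Sen}$, and let $\mathrm{trans}$ be a transcript of an interaction between the adversary $A$ and $\mathrm{Sen}((s_0, s_1), \rho_{\mathrm{Sen}})$.
3. Let $((r, \rho_{\mathrm{Rec}}), s^*)$ be the output of $A(1^n)$ on transcript $\mathrm{trans}$, where $(r, \rho_{\mathrm{Rec}})$ is a defense and $s^*$ is a guess for $s_{1-r}$.
4. Output 1 only if $(r, \rho_{\mathrm{Rec}})$ is a good defense for $A$ in $\mathrm{trans}$ and $s^* = s_{1-r}$.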
Definition A.1. An OT protocol is defensible private with respect to a corrupted receiver if for any PPT adversary $A$ there exists a negligible function $\mu(\cdot)$ such that for all sufficiently large $n$'s,
$$\Pr[\mathrm{Expt}_\pi(A(1^n)) = 1] \le \frac{1}{2} + \mu(n).$$
We now provide our transformation and prove correctness. Let $\pi_{\mathrm{OT}}$ be a bit OT protocol. We construct a string OT protocol $\pi^n_{\mathrm{OT}}$ using $\pi_{\mathrm{OT}}$ as follows.
Protocol 2 (Protocol $\pi^n_{\mathrm{OT}}$).
Input: The sender $\mathrm{Sen}$ has input $(v_0, v_1)$ where $v_0, v_1 \in \{0,1\}^n$ and the receiver $\mathrm{Rec}$ has input $u \in \{0,1\}$.
The protocol:
The parties participate in $n$ executions of the OT protocol $\pi_{\mathrm{OT}}$ where the receiver uses $u$ as its input in all executions and the sender uses the $i$th bits of $v_0$ and $v_1$ as its input in execution $i$.
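Protocol 2 run over an ideal bit-OT stand-in, as an added example that is not part of the original paper: it shows that a receiver who varies its index across executions obtains bits of both strings, and that the index-consistency condition of a good defense rejects exactly that behaviour. The names `bit_ot`, `string_ot`, `consistent_defense` and `bits_learned` are hypothetical, and the sender inputs are constructed.

```python
import secrets

def bit_ot(s0, s1, r):
    """Ideal stand-in for one pi_OT execution: the receiver learns s_r only."""
    return s1 if r else s0

def string_ot(v0, v1, choices):
    """Protocol 2: n parallel bit OTs; execution i carries the i-th bits of
    v0 and v1. An honest receiver passes its input u in every execution."""
    if not (len(v0) == len(v1) == len(choices)):
        raise ValueError("need one choice bit per bit position")
    return [bit_ot(a, b, r) for a, b, r in zip(v0, v1, choices)]

def consistent_defense(choices):
    """Index-consistency condition of a good defense for pi^n_OT: the same
    index in all n executions. Returns that index u, or None if the indices
    differ. Checking each transcript against (u, rho_Rec) is not modelled,
    because the ideal functionality has no transcript (assumption)."""
    return choices[0] if len(set(choices)) == 1 else None

def bits_learned(choices):
    """Number of bits the receiver obtained from v0 and from v1."""
    ones = sum(choices)
    return len(choices) - ones, ones

def demo(n=8):
    v0 = [secrets.randbelow(2) for _ in range(n)]  # constructed sender input
    v1 = [secrets.randbelow(2) for _ in range(n)]  # constructed sender input
    honest = [1] * n                    # u = 1 in every execution
    mixed = [i % 2 for i in range(n)]   # index changes between executions
    assert string_ot(v0, v1, honest) == v1
    return {
        "honest": (consistent_defense(honest), bits_learned(honest)),
        "mixed": (consistent_defense(mixed), bits_learned(mixed)),
    }

if __name__ == "__main__":
    print(demo())
```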
Lemma A.1. Assume that $\pi_{\mathrm{OT}}$ is a bit OT protocol that is defensible private with respect to a corrupted receiver and receiver private. Then $\pi^n_{\mathrm{OT}}$ is a string OT protocol that is defensible private with respect to a corrupted receiver and receiver private.
Proof. We first prove receiver privacy of the string OT protocol.
Receiver privacy: Loosely speaking, receiver privacy requires that no malicious sender can distinguish, with non-negligible probability, the case where the receiver's input is 0 from the case where it is 1. Suppose for contradiction that there exist a PPT adversary $A$, distinguisher $D$ and polynomial $p(\cdot)$ such that $D$ distinguishes the following distributions with probability at least $\frac{1}{p(n)}$ for infinitely many $n$'s,
• $\{\mathrm{View}_{A,\pi^n_{\mathrm{OT}}}[A(1^n), \mathrm{Rec}(1^n, 0)]\}_{n \in \mathbb{N}}$,
• $\{\mathrm{View}_{A,\pi^n_{\mathrm{OT}}}[A(1^n), \mathrm{Rec}(1^n, 1)]\}_{n \in \mathbb{N}}$.
Fix an $n$ for which this happens. We construct $A'$ and distinguisher $D'$ using $A$ and $D$ that violate the receiver privacy of $\pi_{\mathrm{OT}}$. We introduce a sequence of intermediate hybrid experiments $H_0, \ldots, H_n$, where in hybrid $H_i$ we consider a receiver $\mathrm{Rec}_i$ that follows the honest receiver's code in each of the $n$ parallel executions of $\pi_{\mathrm{OT}}$ with the exception that it uses the input 1 in the first $i$ executions and 0 in the remaining executions. Let $\mathrm{hyb}_i(n)$ denote the view of the adversary in hybrid $H_i$. Then by construction we have that
$$\mathrm{hyb}_0(n) = \mathrm{View}_{A,\pi^n_{\mathrm{OT}}}[A(1^n), \mathrm{Rec}(1^n, 0)], \quad \text{and} \quad \mathrm{hyb}_n(n) = \mathrm{View}_{A,\pi^n_{\mathrm{OT}}}[A(1^n), \mathrm{Rec}(1^n, 1)].$$
Moreover, using a standard hybrid argument there exists $i$ such that $D$ distinguishes $\mathrm{hyb}_{i-1}(n)$ and $\mathrm{hyb}_i(n)$ with probability at least $\frac{1}{n\,p(n)}$.
Then adversary $A'$ is defined as follows. It internally emulates the hybrid experiment $\mathrm{hyb}_{i-1}(n)$ by playing the role of the honest receiver against $A$, with the exception that it forwards $A$'s messages in the $i$th execution to an external receiver. Consider the function $\mathrm{reconstruct}$ that, on input the view of $A'$ in an interaction using $\pi_{\mathrm{OT}}$, reconstructs the view of $A$ in the internal emulation of $A'$. It follows from our construction that if the receiver uses input 0 in the interaction with $A'$, this view of $A$ is identically distributed to $\mathrm{hyb}_{i-1}(n)$. If the receiver uses input 1, the view is identically distributed to $\mathrm{hyb}_i(n)$. More precisely,
$$\mathrm{reconstruct}(\mathrm{View}_{A',\pi_{\mathrm{OT}}}[A(1^n), \mathrm{Rec}(1^n, 0)]) = \mathrm{hyb}_{i-1}(n)$$
$$\mathrm{reconstruct}(\mathrm{View}_{A',\pi_{\mathrm{OT}}}[A(1^n), \mathrm{Rec}(1^n, 1)]) = \mathrm{hyb}_i(n)$$
Next, we construct a distinguisher $D'$. On input a view of $A'$, it runs the function $\mathrm{reconstruct}$ on the view and runs $D$ on the output of the function. Finally, $D'$ outputs what $D$ outputs. It now follows that
$$\Pr[D'(\mathrm{View}_{A',\pi_{\mathrm{OT}}}[A(1^n), \mathrm{Rec}(1^n, 0)]) = 1] = \Pr[D(\mathrm{hyb}_{i-1}(n)) = 1]$$
$$\Pr[D'(\mathrm{View}_{A',\pi_{\mathrm{OT}}}[A(1^n), \mathrm{Rec}(1^n, 1)]) = 1] = \Pr[D(\mathrm{hyb}_i(n)) = 1]$$
which implies that $D'$ distinguishes $A'$'s view when the receiver's inputs are 0 and 1, because $D$ distinguishes $\mathrm{hyb}_{i-1}(n)$ and $\mathrm{hyb}_i(n)$ with probability at least $\frac{1}{n\,p(n)}$, which contradicts the receiver privacy of $\pi_{\mathrm{OT}}$.
Defensible privacy with respect to a corrupted receiver: As mentioned before, we reduce the security of defensible privacy for string OT according to Definition 2.6 to the game-based formulation of defensible privacy for bit OT (cf. Definition A.1). Assume by contradiction that there exists an adversary $A$ that violates the defensible privacy of $\pi^n_{\mathrm{OT}}$ with respect to a corrupted receiver. More precisely, suppose there exist a PPT adversary $A$, distinguisher $D$ and polynomial $p(\cdot)$ such that for infinitely many $n$'s, $D$ distinguishes the following distributions with probability at least $\frac{1}{p(n)}$,
• $\{\Gamma(\mathrm{View}_A[\mathrm{Sen}(1^n, (U_0^n, U_1^n)), A(1^n)], U^n_{1-b})\}$, and
• $\{\Gamma(\mathrm{View}_A[\mathrm{Sen}(1^n, (U_0^n, U_1^n)), A(1^n)], \bar{U}^n)\}$
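where $\Gamma(v, *)$ equals $(v, *)$ if, following the execution, $A$ outputs a good defense for $\pi$, and $\bot$ otherwise, $b$ is $\mathrm{Rec}$'s input in this defense and $U_0^n, U_1^n, \bar{U}^n$ are independent random variables that are uniformly distributed over $\{0,1\}^n$. Fix $n$ for which this happens. Then we rewrite these distributions more explicitly:
$$\{\Gamma(\mathrm{View}_A[\mathrm{Sen}(1^n, (U_0^n, U_1^n)), A(1^n)], U^n_{1-b})\} = \{s_0 \leftarrow U_0^n;\ s_1 \leftarrow U_1^n,\ z \leftarrow \bar{U}^n;\ v \leftarrow \mathrm{View}_A[\mathrm{Sen}(1^n, (s_0, s_1)), A(1^n)] : \Gamma(v, s_{1-b})\}$$
$$\{\Gamma(\mathrm{View}_A[\mathrm{Sen}(1^n, (U_0^n, U_1^n)), A(1^n)], \bar{U}^n)\} = \{s_0 \leftarrow U_0^n;\ s_1 \leftarrow U_1^n,\ z \leftarrow \bar{U}^n;\ v \leftarrow \mathrm{View}_A[\mathrm{Sen}(1^n, (s_0, s_1)), A(1^n)] : \Gamma(v, z)\}$$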
Next, we use $A$ to construct $A'$ that breaks the defensible privacy of $\pi_{\mathrm{OT}}$ with respect to a corrupted receiver. We use the experiment formulation of defensible privacy for the bit OT protocol. Towards this, we consider the following sequence of distributions:
$$\mathrm{hyb}_i(n) = \{s_0 \leftarrow U_0^n;\ s_1 \leftarrow U_1^n,\ z \leftarrow \bar{U}^n;\ v \leftarrow \mathrm{View}_A[\mathrm{Sen}(1^n, (s_0, s_1)), A(1^n)] : \Gamma(v, (z_1, \ldots, z_i, s^{i+1}_{1-b}, \ldots, s^n_{1-b}))\}$$
where $z = (z_1, \ldots, z_n)$ and $s_0 = (s_0^1, \ldots, s_0^n)$ and $s_1 = (s_1^1, \ldots, s_1^n)$. Observe that
$$\mathrm{hyb}_0(n) = \{\Gamma(\mathrm{View}_A[\mathrm{Sen}(1^n, (U_0^n, U_1^n)), A(1^n)], U^n_{1-b})\}$$
$$\mathrm{hyb}_n(n) = \{\Gamma(\mathrm{View}_A[\mathrm{Sen}(1^n, (U_0^n, U_1^n)), A(1^n)], \bar{U}^n)\}.$$
Then using a standard hybrid argument we can conclude that there exists an index $i$ such that $D$ distinguishes $\mathrm{hyb}_{i-1}(n)$ and $\mathrm{hyb}_i(n)$ with probability at least $\frac{1}{n\,p(n)}$. More precisely,
$$\Pr[D(\mathrm{hyb}_i(n)) = 1] - \Pr[D(\mathrm{hyb}_{i-1}(n)) = 1] > \frac{1}{p(n)}.$$
Without loss of generality, we assume that
$$\Pr[D(\mathrm{hyb}_i(n)) = 1] - \Pr[D(\mathrm{hyb}_{i-1}(n)) = 1] > \frac{1}{p(n)}. \qquad (9)$$
Now, consider a machine $A'$ that is interacting externally with a sender on input $(s_0, s_1)$ in the protocol $\pi_{\mathrm{OT}}$. $A'$ internally incorporates $A$ and proceeds as follows. It starts by emulating an execution with $A$ by supplying the sender's messages in $\pi^n_{\mathrm{OT}}$, which implies $n$ parallel OT executions. Specifically, $A'$ supplies random inputs for the sender in all but the $i$th execution, for which it forwards the messages externally to the sender that participates in $\pi_{\mathrm{OT}}$. Denote by $(s_0^j, s_1^j)$ the sender's selected inputs for every $j \ne i$. Upon completion, $A'$ receives a defense from $A$. If the defense is not good, $A'$ aborts. Else, $A'$ computes $w = (w_1, \ldots, w_n)$ as follows:
• $w_j = z_j$ where $z_j$ is sampled at random from $\{0,1\}$ for $j \le i$.
• $w_j = s^j_{u_j}$ for $j > i$, where $u_j$ is the receiver's input in the $j$th execution, which can be obtained from the defense output by $A$.
Next, $A'$ invokes $D$ on input $(v, w)$ where $v$ is $A$'s internally generated view. Let $b$ be the output of $D$ on these inputs and $(u_i, \rho_R)$ be the defense of $A$ in the $i$th interaction. Then $A'$ outputs a defense $(u_i, \rho_R)$ and defines its guess for the external sender's other input by $b \oplus w_i$. By construction, we have that $(v, w)$ are sampled in the internal emulation according to $\mathrm{hyb}_i(n)$. This means that $A'$ succeeds in the experiment $\mathrm{Expt}_{\pi_{\mathrm{OT}}}$ when
$$D(\mathrm{hyb}_i(n)) \oplus w_i = s_{1-u_i}.$$
Observe that if $w_i = s_{1-u_i}$ then $(v, w)$ in the internal emulation of $A'$ is distributed according to $\mathrm{hyb}_{i-1}(n)$. This means that:
$$\Pr[A' \text{ wins } \mathrm{Expt}_{\pi_{\mathrm{OT}}} \mid w_i = s_{1-u_i}] = \Pr[D(\mathrm{hyb}_{i-1}(n)) = 0]. \qquad (10)$$
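Next, we introduce a new distribution $\widehat{U}^n_j$ that is identical to $\widetilde{U}^n_j$ with the exception that the $(j+1)$st bit in $\bar{U}^n_j$ is flipped. More precisely, for $j \in [n]$,
$$\widehat{\mathrm{hyb}}_j(n) = \{s_0 \leftarrow U_0^n;\ s_1 \leftarrow U_1^n,\ z \leftarrow \bar{U}^n;\ v \leftarrow \mathrm{View}_A[\mathrm{Sen}(1^n, (s_0, s_1)), A(1^n)] : \Gamma(v, (z_1, \ldots, z_j, 1 \oplus s^{j+1}_{1-b}, \ldots, s^n_{1-b}))\}$$
where $z = (z_1, \ldots, z_n)$, $s_0 = (s_0^1, \ldots, s_0^n)$ and $s_1 = (s_1^1, \ldots, s_1^n)$. Now, since the bits in the $i$th position are complements of each other in $\widehat{U}^n_{i-1}$ and $\widetilde{U}^n_{i-1}$, and the $i$th bit is randomly distributed in $\widetilde{U}^n_i$, we have that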
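$$\Pr[D(\mathrm{hyb}_i(n)) = 1] = \frac{1}{2}\Pr[D(\mathrm{hyb}_{i-1}(n)) = 1] + \frac{1}{2}\Pr[D(\widehat{\mathrm{hyb}}_{i-1}(n)) = 1]. \qquad (11)$$
Moreover, $A'$ succeeds if $D(\widehat{\mathrm{hyb}}_{i-1}(n)) = 1$ when $w_i \ne s_{1-u_i}$. More precisely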
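Now, since both $s_{1-r}$ and $w_i$ are chosen at random we have that:
$$\begin{aligned}
\Pr[A' \text{ wins } \mathrm{Expt}_{\pi_{\mathrm{OT}}}] &= \Pr[A' \text{ wins } \mathrm{Expt}_{\pi_{\mathrm{OT}}} \mid w_i \ne s_{1-u_i}] \Pr[w_i \ne s_{1-u_i}] + \Pr[A' \text{ wins } \mathrm{Expt}_{\pi_{\mathrm{OT}}} \mid w_i = s_{1-r}] \Pr[w_i = s_{1-u_i}] \\
&= \frac{1}{2}\Pr[D(\widehat{\mathrm{hyb}}_{i-1}(n)) = 1] + \frac{1}{2}\Pr[D(\mathrm{hyb}_{i-1}(n)) = 0] && \text{(Using Equations 12 and 10)} \\
&= \Pr[D(\mathrm{hyb}_i(n)) = 1] - \frac{1}{2}\Pr[D(\mathrm{hyb}_{i-1}(n)) = 1] + \frac{1}{2}\Pr[D(\mathrm{hyb}_{i-1}(n)) = 0] && \text{(Using Equation 11)} \\
&= \Pr[D(\mathrm{hyb}_i(n)) = 1] - \frac{1}{2}\Pr[D(\mathrm{hyb}_{i-1}(n)) = 1] + \frac{1}{2} - \frac{1}{2}\Pr[D(\mathrm{hyb}_{i-1}(n)) = 1] \\
&= \frac{1}{2} + \Pr[D(\mathrm{hyb}_i(n)) = 1] - \Pr[D(\mathrm{hyb}_{i-1}(n)) = 1] \\
&\ge \frac{1}{2} + \frac{1}{p(n)} && \text{(Using Equation 9).}
\end{aligned}$$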