Abstract
Oblivious transfer (OT) is a fundamental cryptographic primitive: most advanced cryptographic tasks can be implemented efficiently and feasibly on top of it. Today, the security of most existing OT protocols rests on number-theoretic assumptions. However, many number-theoretic problems can be solved by a quantum computer in polynomial time, so OT protocols built with post-quantum cryptography are required. Multivariate cryptographic constructions are among the candidates for post-quantum cryptography, as they are fast and require only modest computational resources. This paper presents constructions of OT protocols built from multivariate public key cryptography (MPKC). The security of our schemes rests on the hardness of the multivariate quadratic (MQ) problem. To the best of our knowledge, our designs are the first MPKC-based post-quantum OT protocols.
References
Rabin M O 2005 How to exchange secrets with oblivious transfer. IACR Cryptology ePrint Archive, Report 2005/187
Yao A C C 1986 How to generate and exchange secrets. In: Proceedings of the 27th Annual Symposium on Foundations of Computer Science (SFCS), IEEE, pp. 162–167
Kushilevitz E and Ostrovsky R 1997 Replication is not needed: single database, computationally-private information retrieval. In: Proceedings of the 38th Annual Symposium on Foundations of Computer Science, IEEE, pp. 364–373
Freedman M J, Ishai Y, Pinkas B and Reingold O 2005 Keyword search and oblivious pseudorandom functions. In: Proceedings of the Theory of Cryptography Conference. Berlin–Heidelberg: Springer, pp. 303–324
Nielsen J B, Nordholt P S, Orlandi C and Burra S S 2012 A new approach to practical active-secure two-party computation. In: Proceedings of the Annual Cryptology Conference. Berlin: Springer, pp. 681–700
Burra S S, Larraia E, Nielsen J B, Nordholt P S, Orlandi C, Orsini E, Scholl P and Smart N P 2015 High performance multi-party computation for binary circuits based on oblivious transfer. IACR Cryptology ePrint Archive, Report 2015/472
Shor P W 1999 Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Review 41(2): 303–332
Garey M R and Johnson D S 1979 Computers and intractability: a guide to the theory of NP-completeness. San Francisco: Freeman, p. 174
Patarin J and Goubin L 1997 Trapdoor one-way permutations and multivariate polynomials. In: Proceedings of the International Conference on Information and Communications Security. Berlin: Springer, pp. 356–368
Bogdanov A, Eisenbarth T, Rupp A and Wolf C 2008 Time-area optimized public-key engines: \(\mathcal{MQ}\)-cryptosystems as replacement for elliptic curves? In: Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Berlin: Springer, pp. 45–61
Chen A I T, Chen M S, Chen T R, Cheng C M, Ding J, Kuo E L H, Lee F Y S and Yang B Y 2009 SSE implementation of multivariate PKCs on modern x86 CPUs. In: Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Berlin: Springer, pp. 33–48
Dowsley R, van de Graaf J, Müller-Quade J and Nascimento A C 2008 Oblivious transfer based on the McEliece assumptions. In: Proceedings of the International Conference on Information Theoretic Security. Berlin: Springer, pp. 107–117
McEliece R J 1978 A public-key cryptosystem based on algebraic coding theory. DSN Progress Report 42-44: 114–116
Kobara K, Morozov K and Overbeck R 2008 Coding-based oblivious transfer. In: Mathematical Methods in Computer Science. Berlin–Heidelberg: Springer, pp. 142–156
David B M, Nascimento A C and Nogueira R B 2010 Oblivious transfer based on the McEliece assumptions with unconditional security for the sender. In: Proceedings of X Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais
Vasant S, Venkatesan S and Rangan C P 2012 A code-based 1-of-N oblivious transfer based on McEliece assumptions. In: Proceedings of the International Conference on Information Security Practice and Experience. Berlin: Springer, pp. 144–157
David B M, Nascimento A C and de Sousa Jr R T 2012 Efficient fully simulatable oblivious transfer from the McEliece assumptions. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 95(11): 2059–2066
David B M, Nascimento A C and Müller-Quade J Universally composable oblivious transfer from lossy encryption and the McEliece assumptions. In: Proceedings of the International Conference on Information Theoretic Security. Berlin: Springer, pp. 80–99
Peikert C, Vaikuntanathan V and Waters B 2008 A framework for efficient and composable oblivious transfer. In: Proceedings of the Annual International Cryptology Conference. Berlin: Springer, pp. 554–571
Lyubashevsky V, Palacio A and Segev G 2010 Public-key cryptographic primitives provably as secure as subset sum. In: Proceedings of the Theory of Cryptography Conference. Berlin: Springer, pp. 382–400
Crépeau C and Kazmi R A 2015 Oblivious transfer from weakly random self-reducible public-key cryptosystem. In: Proceedings of the International Symposium on Mathematical Foundations of Computer Science. Berlin: Springer, pp. 261–273
Zeng B, Tang X and Hsu C 2010 A framework for fully-simulatable \(h\)-of-\(n\) oblivious transfer. arXiv: 1005.0043
Blazy O and Chevalier C 2015 Generic construction of UC-secure oblivious transfer. In: Proceedings of the International Conference on Applied Cryptography and Network Security. Cham: Springer, pp. 65–86
Liu M and Hu Y 2019 Universally composable oblivious transfer from ideal lattice. Frontiers of Computer Science 13(4): 879–906
Branco P, Ding J, Goulão M and Mateus P 2018 Universally composable oblivious transfer protocol based on the RLWE assumption. IACR Cryptology ePrint Archive, Report 2018/1155
Blazy O, Chevalier C and Vu Q H 2019 Post-quantum UC-secure oblivious transfer in the standard model with adaptive corruptions. In: Proceedings of the 14th International Conference on Availability, Reliability and Security, pp. 1–6
Barreto P, Oliveira G and Benits W 2018 Supersingular isogeny oblivious transfer. arXiv preprint arXiv: 1805.06589
Chou T and Orlandi C 2015 The simplest protocol for oblivious transfer. In: Proceedings of the International Conference on Cryptology and Information Security in Latin America. Cham: Springer, pp. 40–58
Jao D and De Feo L 2011 Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Proceedings of the International Workshop on Post-Quantum Cryptography. Berlin: Springer, pp. 19–34
Branco P, Ding J, Goulão M and Mateus P 2019 A framework for universally composable oblivious transfer from one-round key-exchange. In: Proceedings of the IMA International Conference on Cryptography and Coding. Cham: Springer, pp. 78–101
Sakumoto K, Shirai T and Hiwatari H 2011 Public-key identification schemes based on multivariate quadratic polynomials. In: Proceedings of the Annual Cryptology Conference. Berlin: Springer, pp. 706–723
Patarin J 1996 Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms. In: Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques. Berlin: Springer, pp. 33–48
Ding J, Gower J E and Schmidt D S 2006 Multivariate public key cryptosystems. Advances in Information Security, vol. 25. Springer
Fiat A and Shamir A 1986 How to prove yourself: practical solutions to identification and signature problems. In: Proceedings of the Conference on the Theory and Application of Cryptographic Techniques. Berlin: Springer, pp. 186–194
Goldreich O 2009 Foundations of Cryptography, vol. 2: Basic Applications. Cambridge University Press
Appendix I. Security model
A cryptographic scheme must come with a proof of its security. Informally, security is an attack game played between a challenger (simulator) and an attacker (adversary). Any multi-party protocol should satisfy the following basic security requirements:
-
Correctness: an honest party receives the correct output at the end of the protocol.
-
Privacy: on completion of the protocol, each party learns only what the protocol prescribes for it and nothing beyond that.
-
Fairness: a dishonest party learns its output only if the honest party also learns its output.
Security model in the semi-honest environment [35]: A two-party protocol \(\Omega \) is a random process computing a function \(\psi =(\psi _1,\psi _2):(\chi ,\zeta )\rightarrow (\psi _1(\chi ,\zeta ),\psi _2(\chi ,\zeta ))\). The protocol \(\Omega \) is secure in the semi-honest environment if whatever a party can compute after taking part in the protocol can already be obtained from its own input and output. In other words, the parties follow the protocol honestly, while the adversary tries to extract additional information from what it sees. This is formalized with the simulation paradigm. During an execution of \(\Omega \) on input \((\chi ,\zeta )\), the view of party \(P_i\) is denoted \(\mathsf{View}_i^{\Omega }(\chi ,\zeta )\) and defined as \(\mathsf{View}_i^{\Omega }(\chi ,\zeta )=(\xi , r^{(i)},\eta ^{(i)}_1,\ldots ,\eta ^{(i)}_t)\), where \(\xi \in \{\chi ,\zeta \}\) is \(P_i\)'s input, \(r^{(i)}\) is the outcome of \(P_i\)'s internal coin tosses and \(\eta ^{(i)}_l\) \((l=1,2,\ldots ,t)\) is the l-th message received by \(P_i\) during the execution of \(\Omega \).
Definition Appendix I.1 (Security in the semi-honest model):
Let the function \(\psi =(\psi _1,\psi _2):\{0,1\}^*\times \{0,1\}^*\rightarrow \{0,1\}^*\times \{0,1\}^*\) be deterministic. We say that the protocol \(\Omega \) computing \(\psi \) is secure in the semi-honest environment if there exist PPT simulators \(\mathcal {SIM}_1\) (for \(P_1\)) and \(\mathcal {SIM}_2\) (for \(P_2\)) such that the simulated view of each party is computationally indistinguishable (\(\equiv ^c\)) from its real view \(\mathsf{View}_i^{\Omega }(\chi ,\zeta )\),
where \(\{\mathcal {SIM}_1(\chi ,\psi _1(\chi ,\zeta ))\}_{\chi ,\zeta \in \{0,1\}^*}\) and \(\{\mathcal {SIM}_2(\zeta , \psi _2(\chi ,\zeta ))\}_{\chi ,\zeta \in \{0,1\}^*}\) denote the simulated views of \(P_1\) and \(P_2\), respectively; each contains the input of the corresponding party, simulated random coins and simulated protocol messages received by that party. Note that the simulator is given only the party's input and output, which is exactly what formalizes "learns nothing beyond its input and output".
Security model in the malicious environment [35]: In the malicious model, adversaries may behave arbitrarily and deviate at will from the prescribed protocol. Here security is formalized through an ideal process involving an incorruptible trusted third party (TTP): the TTP receives the inputs from the participants, evaluates the functionality on them and sends the outputs back. A protocol is secure in the malicious model if every real-world adversary can be simulated by an ideal-process adversary. The security framework for a two-party protocol in the presence of a malicious adversary is as follows:
The real world: The protocol \(\Omega \) is executed in the real world, where an honest party follows the instructions of \(\Omega \), while the adversary \({\mathcal {A}}_i\) (controlling \(P_i\)) may behave arbitrarily. Let \(P_1\), \(P_2\) have private inputs \(\chi \), \(\zeta \), and let \({\mathcal {A}}_i\) have auxiliary input \(\vartheta \). On completion of \(\Omega \), an honest party outputs whatever \(\Omega \) prescribes, a corrupted party outputs nothing and the adversary outputs the transcripts available to it as its view. The joint output in the real world is denoted \(\mathsf{REAL}_{\Omega ,{\mathcal {A}}_i(\vartheta )}(\chi , \zeta )\).
The ideal process: Let the ideal-process adversary \(\mathcal {SIM}_i\) control \(P_i\), where \(i\in \{1,2\}\). This process involves an incorruptible TTP.
-
Input: \(P_1\), \(P_2\) have inputs \(\chi \), \(\zeta \), respectively; \(\mathcal {SIM}_i\) has access to \(P_i\)'s input and to the auxiliary input \(\vartheta \).
-
Sending inputs to the TTP: An honest party always sends its real input to the TTP, while a corrupted party may send an arbitrary input or abort. Let the TTP receive \(({\overline{\chi }}, {\overline{\zeta }})\), where \({\overline{\chi }},{\overline{\zeta }}\) need not equal \(\chi ,\zeta \). If either of \({\overline{\chi }},{\overline{\zeta }}\) is "abort", the TTP sends \(\perp \) to both parties.
-
The TTP answers the adversary: The TTP computes the functionality \(\psi :({\overline{\chi }}, {\overline{\zeta }})\rightarrow (\psi _1({\overline{\chi }}, {\overline{\zeta }}),\psi _2({\overline{\chi }}, {\overline{\zeta }}))\) and sends \(\psi _i({\overline{\chi }}, {\overline{\zeta }})\) to \(\mathcal {SIM}_i\), who in turn replies "abort" or "continue".
-
The TTP answers the honest party: If the TTP receives "continue" from \(\mathcal {SIM}_i\), it sends \(\psi _t({\overline{\chi }}, {\overline{\zeta }})\) to the honest party \(P_t\), \(t\in \{1,2\}\setminus \{i\}\). Otherwise, it sends \(\perp \) to \(P_t\).
-
Output: The honest party \(P_t\) always outputs whatever it received from the TTP, the corrupted party \(P_i\) outputs nothing and the adversary outputs its view. The joint output in the ideal process is denoted \(\mathsf{IDEAL}_{\psi ,\mathcal {SIM}_i(\vartheta )}(\chi , \zeta )\).
Definition Appendix I.2 (Simulatability): Let \(\Omega \) be a two-party protocol and \(\psi \) its associated functionality. We say that \(\Omega \) is secure in the malicious environment if for every PPT real-world adversary \({\mathcal {A}}_i\) there is a PPT ideal-process adversary \(\mathcal {SIM}_i\) such that \(\mathsf{IDEAL}_{\psi ,\mathcal {SIM}_i(\vartheta )}(\chi , \zeta )\equiv ^c \mathsf{REAL}_{\Omega ,{\mathcal {A}}_i(\vartheta )}(\chi , \zeta )\) for each \(i=1,2\). Since the TTP answers the adversary before the honest party and lets the adversary abort in between, this notion is security with abort: it guarantees privacy and correctness of whatever the honest party receives, but not the fairness requirement stated above.
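The ideal process above, instantiated for the 1-out-of-2 OT functionality \(\psi ((m_0,m_1),b)=(\text{nothing}, m_b)\), as an added example written for this page (it is not code from the paper, whose real-world protocol is not reproduced here). The names Adversary, run_ideal_process and the scenario functions are this example's own; aux plays the role of the auxiliary input \(\vartheta \). Running it on constructed inputs shows what the ideal world grants a corrupted party: a malicious receiver can pick which single message it learns but never both, a corrupted party sees its own output before the honest party does, and an "abort" at that point leaves the honest party with \(\perp \).

```python
"""Ideal process for 1-out-of-2 OT (added example, not the paper's code)."""
from dataclasses import dataclass, field
from typing import Any, Callable, Optional, Tuple

ABORT = "abort"        # what a corrupted party may send instead of an input
CONTINUE = "continue"  # SIM_i's reply after seeing psi_i
BOT = "bot"            # the TTP's abort symbol, written \perp in the appendix


def ot_functionality(sender_input: Tuple[bytes, bytes], b: int) -> Tuple[None, bytes]:
    """psi = (psi_1, psi_2): the sender P_1 gets nothing, the receiver P_2 gets m_b."""
    m0, m1 = sender_input
    if b not in (0, 1):
        raise ValueError("choice bit must be 0 or 1")
    return (None, m1 if b == 1 else m0)


@dataclass
class Adversary:
    """Ideal-process adversary SIM_i controlling party i (1 = sender, 2 = receiver).

    choose_input(real_input, aux) returns what is sent to the TTP (possibly ABORT);
    decide(output) returns CONTINUE or ABORT after SIM_i has seen psi_i.
    """
    party: int
    choose_input: Callable[[Any, Any], Any]
    decide: Callable[[Any], str]
    view: list = field(default_factory=list)  # everything SIM_i saw


def run_ideal_process(sender_input, receiver_input,
                      adv: Optional[Adversary] = None, aux=None):
    """Return the joint output (out_1, out_2, adversary_view) of the ideal process."""
    # Input / sending inputs to the TTP: honest parties send their real inputs,
    # the corrupted party sends whatever SIM_i chooses (possibly ABORT).
    sent = {1: sender_input, 2: receiver_input}
    if adv is not None:
        sent[adv.party] = adv.choose_input(sent[adv.party], aux)
        adv.view.append(("sent_to_ttp", sent[adv.party]))
    if ABORT in (sent[1], sent[2]):
        return (BOT, BOT, list(adv.view) if adv else [])  # TTP sends \perp to both

    # The TTP evaluates psi on the inputs it actually received.
    out1, out2 = ot_functionality(sent[1], sent[2])
    outputs = {1: out1, 2: out2}
    if adv is None:
        return (outputs[1], outputs[2], [])

    # The TTP answers the adversary first; only then does it answer the honest party.
    honest = 3 - adv.party
    adv.view.append(("received_from_ttp", outputs[adv.party]))
    decision = adv.decide(outputs[adv.party])
    honest_output = outputs[honest] if decision == CONTINUE else BOT

    # Output: honest party outputs what the TTP sent, the corrupted party outputs
    # nothing (None here), the adversary outputs its view.
    joint = {honest: honest_output, adv.party: None}
    return (joint[1], joint[2], list(adv.view))


def honest_run(m0: bytes, m1: bytes, b: int):
    """Both parties honest: the receiver gets m_b, the sender gets nothing."""
    out1, out2, _ = run_ideal_process((m0, m1), b)
    return out1, out2


def corrupt_receiver(m0: bytes, m1: bytes, real_b: int, chosen_b: int):
    """A malicious receiver may substitute its choice bit but still sees one message."""
    adv = Adversary(party=2, choose_input=lambda real, aux: chosen_b,
                    decide=lambda out: CONTINUE)
    return run_ideal_process((m0, m1), real_b, adv)


def corrupt_receiver_aborts_after_output(m0: bytes, m1: bytes, b: int):
    """Security with abort: the corrupted party sees m_b, then denies the sender its output."""
    adv = Adversary(party=2, choose_input=lambda real, aux: real,
                    decide=lambda out: ABORT)
    return run_ideal_process((m0, m1), b, adv)


def messages_learned(view) -> set:
    """The sender's messages that appear in an adversary's view."""
    return {v for tag, v in view if tag == "received_from_ttp" and isinstance(v, bytes)}


if __name__ == "__main__":
    # constructed sample inputs
    print(honest_run(b"m0", b"m1", 1))
    print(corrupt_receiver(b"m0", b"m1", 0, 1))
    print(corrupt_receiver_aborts_after_output(b"m0", b"m1", 0))
```

A corrupted sender is handled symmetrically by an Adversary with party=1 whose choose_input substitutes a different pair (m0', m1'): the ideal world lets it pick what the receiver gets, but never reveals b to it. Whatever a real protocol leaks beyond these two capabilities is exactly what a simulator in Definition I.2 would be unable to reproduce.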
Cite this article
Kundu, N., Debnath, S.K. & Mishra, D. 1-out-of-2: post-quantum oblivious transfer protocols based on multivariate public key cryptography. Sādhanā 45, 209 (2020). https://doi.org/10.1007/s12046-020-01447-6