# (Efficient) Universally Composable Oblivious Transfer Using a Minimal Number of Stateless Tokens


## Abstract

We continue the line of work initiated by Katz (Eurocrypt 2007) on using *tamper-proof hardware tokens* for universally composable secure computation. As our main result, we show an oblivious-transfer (OT) protocol in which two parties each create and transfer a single, stateless token and can then run an unbounded number of OTs. We also show a more efficient protocol, based only on standard symmetric-key primitives (block ciphers and collision-resistant hash functions), that can be used if a *bounded* number of OTs suffice. Motivated by this result, we investigate the number of stateless tokens needed for universally composable OT. We prove that our protocol is *optimal* in this regard for constructions making *black-box* use of the tokens (in a sense we define). We also show that nonblack-box techniques can be used to obtain a construction using only a single stateless token.

## Keywords

Secure computation, Oblivious transfer, Hardware tokens, Universal composability

## Notes

### Acknowledgements

We thank the anonymous reviewers for their careful and thorough reading of our paper and for their helpful comments.

## References

- 1. M. Abdalla, D. Catalano, D. Fiore, Verifiable random functions from identity-based key encapsulation, in *Advances in Cryptology—Eurocrypt 2009*, volume 5479 of LNCS (Springer, 2009), pp. 554–571
- 2. Y. Aumann, Y. Lindell, Security against covert adversaries: efficient protocols for realistic adversaries. *J. Cryptol.* **23**(2):281–343 (2010)
- 3. B. Barak, How to go beyond the black-box simulation barrier, in *42nd Annual Symposium on Foundations of Computer Science* (IEEE, 2001), pp. 106–115
- 4. B. Barak, R. Canetti, J. B. Nielsen, R. Pass, Universally composable protocols with relaxed set-up assumptions, in *45th Annual Symposium on Foundations of Computer Science* (IEEE, 2004), pp. 186–195
- 5. M. Blum, Coin flipping by telephone, in *Proceedings of IEEE COMPCON* (1982), pp. 133–137
- 6. S. Brands, Untraceable off-line cash in wallets with observers, in *Advances in Cryptology—Crypto ’93*, volume 773 of LNCS (Springer, 1994), pp. 302–318
- 7. R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, in *42nd Annual Symposium on Foundations of Computer Science* (IEEE, 2001), pp. 136–145. Full version at http://eprint.iacr.org/2000/067
- 8. R. Canetti, Obtaining universally composable security: towards the bare bones of trust (invited talk), in *Advances in Cryptology—Asiacrypt 2007*, volume 4833 of LNCS (Springer, 2007), pp. 88–112
- 9. R. Canetti, M. Fischlin, Universally composable commitments, in *Advances in Cryptology—Crypto 2001*, volume 2139 of LNCS (Springer, 2001), pp. 19–40
- 10. R. Canetti, E. Kushilevitz, Y. Lindell, On the limitations of universally composable two-party computation without set-up assumptions. *J. Cryptol.* **19**(2):135–167 (2006)
- 11. R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party secure computation, in *34th Annual ACM Symposium on Theory of Computing* (ACM Press, 2002), pp. 494–503
- 12. R. Canetti, R. Pass, A. Shelat, Cryptography from sunspots: how to use an imperfect reference string, in *48th Annual Symposium on Foundations of Computer Science* (IEEE, 2007), pp. 249–259
- 13. N. Chandran, V. Goyal, A. Sahai, New constructions for UC secure computation using tamper-proof hardware, in *Advances in Cryptology—Eurocrypt 2008*, volume 4965 of LNCS (Springer, 2008), pp. 545–562
- 14. D. Chaum, T. P. Pedersen, Wallet databases with observers, in *Advances in Cryptology—Crypto ’92*, volume 740 of LNCS (Springer, 1993), pp. 89–105
- 15. R. Cramer, T. P. Pedersen, Improved privacy in wallets with observers, in *Advances in Cryptology—Eurocrypt ’93*, volume 765 of LNCS (Springer, 1993), pp. 329–343
- 16. I. Damgård, J. B. Nielsen, D. Wichs, Universally composable multiparty computation with partially isolated parties, in *6th Theory of Cryptography Conference—TCC 2009*, volume 5444 of LNCS (Springer, 2009), pp. 315–331
- 17. I. Damgård, T. P. Pedersen, B. Pfitzmann, On the existence of statistically hiding bit commitment schemes and fail-stop signatures. *J. Cryptol.* **10**(3):163–194 (1997)
- 18. Y. Desmedt, J.-J. Quisquater, Public-key systems based on the difficulty of tampering (is there a difference between DES and RSA?), in *Advances in Cryptology—Crypto ’86*, volume 263 of LNCS (Springer, 1987), pp. 111–117
- 19. Y. Dodis, A. Yampolskiy, A verifiable random function with short proofs and keys, in *8th Intl. Workshop on Theory and Practice in Public Key Cryptography (PKC)*, volume 3386 of LNCS (Springer, 2005), pp. 416–431
- 20. N. Döttling, D. Kraschewski, J. Müller-Quade, Unconditional and composable security using a single stateful tamper-proof hardware token, in *8th Theory of Cryptography Conference—TCC 2011*, volume 6597 of LNCS (Springer, 2011), pp. 164–181
- 21. N. Döttling, T. Mie, J. Müller-Quade, T. Nilges, Implementing resettable UC-functionalities with untrusted tamper-proof hardware-tokens, in *10th Theory of Cryptography Conference—TCC 2013*, volume 7785 of LNCS (Springer, 2013), pp. 642–661
- 22. M. Dubovitskaya, A. Scafuro, I. Visconti, On efficient non-interactive oblivious transfer with tamper-proof hardware. Cryptology ePrint Archive, Report 2010/509 (2010)
- 23. M. Fischlin, B. Pinkas, A.-R. Sadeghi, T. Schneider, I. Visconti, Secure set intersection with untrusted hardware tokens, in *Cryptographers’ Track—RSA 2011*, volume 6558 of LNCS (Springer, 2011), pp. 1–16
- 24. O. Goldreich, *Foundations of Cryptography, vol. 2: Basic Applications* (Cambridge University Press, Cambridge, 2004)
- 25. O. Goldreich, L. A. Levin, A hard-core predicate for all one-way functions, in *21st Annual ACM Symposium on Theory of Computing* (ACM Press, 1989), pp. 25–32
- 26. S. Goldwasser, Y. T. Kalai, G. N. Rothblum, One-time programs, in *Advances in Cryptology—Crypto 2008*, volume 5157 of LNCS (Springer, 2008), pp. 39–56
- 27. S. Goldwasser, R. Ostrovsky, Invariant signatures and non-interactive zero-knowledge proofs are equivalent, in *Advances in Cryptology—Crypto ’92*, volume 740 of LNCS (Springer, 1993), pp. 228–245
- 28. V. Goyal, Y. Ishai, M. Mahmoody, A. Sahai, Interactive locking, zero-knowledge PCPs, and unconditional cryptography, in *Advances in Cryptology—Crypto 2010*, volume 6223 of LNCS (Springer, 2010), pp. 173–190
- 29. V. Goyal, Y. Ishai, A. Sahai, R. Venkatesan, A. Wadia, Founding cryptography on tamper-proof hardware tokens, in *7th Theory of Cryptography Conference—TCC 2010*, volume 5978 of LNCS (Springer, 2010), pp. 308–326
- 30. S. Halevi, S. Micali, Practical and provably-secure commitment schemes from collision-free hashing, in *Advances in Cryptology—Crypto ’96*, volume 1109 of LNCS (Springer, 1996), pp. 201–215
- 31. C. Hazay, Y. Lindell, Constructions of truly practical secure protocols using standard smartcards, in *15th ACM Conf. on Computer and Communications Security* (ACM Press, 2008), pp. 491–500
- 32. C. Hazay, A. Polychroniadou, M. Venkitasubramaniam, Composable security in the tamper-proof hardware model under minimal complexity, in *14th Theory of Cryptography Conference—TCC-B 2016*, volume 9985 of LNCS (Springer, 2016), pp. 367–399. Prior versions available at https://eprint.iacr.org/2015/887
- 33. D. Hofheinz, T. Jager, Verifiable random functions from standard assumptions, in *13th Theory of Cryptography Conference—TCC-A 2016*, volume 9562 of LNCS (Springer, 2016), pp. 336–362
- 34. D. Hofheinz, D. Unruh, J. Müller-Quade, Universally composable zero-knowledge arguments and commitments from signature cards, in *5th Central European Conference on Cryptology (MoraviaCrypt)* (2005)
- 35. S. Hohenberger, B. Waters, Constructing verifiable random functions with large input spaces, in *Advances in Cryptology—Eurocrypt 2010*, volume 6110 of LNCS (Springer, 2010), pp. 656–672
- 36. Y. Ishai, J. Kilian, K. Nissim, E. Petrank, Extending oblivious transfers efficiently, in *Advances in Cryptology—Crypto 2003*, volume 2729 of LNCS (Springer, 2003), pp. 145–161
- 37. Y. Ishai, M. Prabhakaran, A. Sahai, Founding cryptography on oblivious transfer—efficiently, in *Advances in Cryptology—Crypto 2008*, volume 5157 of LNCS (Springer, 2008), pp. 572–591
- 38. K. Järvinen, V. Kolesnikov, A.-R. Sadeghi, T. Schneider, Embedded SFE: offloading server and network using hardware tokens, in *Financial Cryptography and Data Security 2010*, volume 6052 of LNCS (Springer, 2010), pp. 207–221
- 39. J. Katz, Universally composable multi-party computation using tamper-proof hardware, in *Advances in Cryptology—Eurocrypt 2007*, volume 4515 of LNCS (Springer, 2007), pp. 115–128
- 40. J. Katz, Y. Lindell, *Introduction to Modern Cryptography, 2nd edition* (Chapman and Hall/CRC Press, 2014)
- 41. J. Kilian, Founding cryptography on oblivious transfer, in *20th Annual ACM Symposium on Theory of Computing* (ACM Press, 1988), pp. 20–31
- 42. V. Kolesnikov, Truly efficient string oblivious transfer using resettable tamper-proof tokens, in *7th Theory of Cryptography Conference—TCC 2010*, volume 5978 of LNCS (Springer, 2010), pp. 327–342
- 43. H. Lin, R. Pass, M. Venkitasubramaniam, A unified framework for concurrent security: universal composability from stand-alone non-malleability, in *41st Annual ACM Symposium on Theory of Computing* (ACM Press, 2009), pp. 179–188
- 44. Y. Lindell, General composition and universal composability in secure multi-party computation. *J. Cryptol.* **22**(3):395–428 (2009)
- 45. H. K. Maji, M. Prabhakaran, M. Rosulek, Complexity of multi-party computation problems: the case of 2-party symmetric secure function evaluation, in *6th Theory of Cryptography Conference—TCC 2009*, volume 5444 of LNCS (Springer, 2009), pp. 256–273
- 46. S. Micali, M. O. Rabin, S. P. Vadhan, Verifiable random functions, in *40th Annual Symposium on Foundations of Computer Science* (IEEE, 1999), pp. 120–130
- 47. T. Moran, G. Segev, David and Goliath commitments: UC computation for asymmetric parties using tamper-proof hardware, in *Advances in Cryptology—Eurocrypt 2008*, volume 4965 of LNCS (Springer, 2008), pp. 527–544
- 48.
*Advances in Cryptology—Crypto ’96*, volume 1109 of LNCS (Springer, 1996), pp. 201–215Google Scholar - 31.C. Hazay, Y. Lindell, Constructions of truly practical secure protocols using standard smartcards, in
*15th ACM Conf. on Computer and Communications Security*(ACM Press, 2008), pp. 491–500Google Scholar - 32.C. Hazay, A. Polychroniadou, M. Venkitasubramaniam, Composable security in the tamper-proof hardware model under minimal complexity, in
*14th Theory of Cryptography Conference—TCC-B 2016*, volume 9985 of LNCS (Springer, 2016), pp. 367–399. Prior versions available at https://eprint.iacr.org/2015/887 - 33.D. Hofheinz, T. Jager, Verifiable random functions from standard assumptions, in
*13th Theory of Cryptography Conference—TCC-A 2016*, volume 9562 of LNCS (Springer, 2016), pp. 336–362Google Scholar - 34.D. Hofheinz, D. Unruh, J.Müller-Quade, Universally composable zero-knowledge arguments and commitments from signature cards, in
*5th Central European Conference on Cryptology (MoraviaCrypt)*(2005)Google Scholar - 35.S. Hohenberger, B. Waters, Constructing verifiable random functions with large input spaces, in
*Advances in Cryptology—Eurocrypt 2010*, volume 6110 of LNCS (Springer, 2010), pp. 656–672Google Scholar - 36.Y. Ishai, J. Kilian, K. Nissim, E. Petrank, Extending oblivious transfers efficiently, in
*Advances in Cryptology—Crypto 2003*, volume 2729 of LNCS (Springer, 2003), pp. 145–161Google Scholar - 37.Y. Ishai, M. Prabhakaran, A. Sahai, Founding cryptography on oblivious transfer—efficiently, in
*Advances in Cryptology—Crypto 2008*, volume 5157 of LNCS (Springer, 2008), pp. 572–591Google Scholar - 38.K. Järvinen, V. Kolesnikov, A.-R. Sadeghi, T. Schneider, Embedded SFE: offloading server and network using hardware tokens, in
*Financial Cryptography and Data Security 2010*, volume 6052 of LNCS (Springer, 2010), pp. 207–221Google Scholar - 39.J. Katz, Universally composable multi-party computation using tamper-proof hardware, in
*Advances in Cryptology—Eurocrypt 2007*, volume 4515 of*LNCS*(Springer, 2007), pp. 115–128Google Scholar - 40.J. Katz, Y. Lindell,
*Introduction to Modern Cryptography, 2nd edition*(Chapman and Hall/CRC Press, 2014)Google Scholar - 41.J. Kilian, Founding cryptography on oblivious transfer, in
*20th Annual ACM Symposium on Theory of Computing*(ACM Press, 1988), pp. 20–31Google Scholar - 42.V. Kolesnikov, Truly efficient string oblivious transfer using resettable tamper-proof tokens, in
*7th Theory of Cryptography Conference—TCC 2010*, volume 5978 of LNCS (Springer, 2010), pp. 327–342Google Scholar - 43.H. Lin, R. Pass, M. Venkitasubramaniam, A unified framework for concurrent security: Universal composability from stand-alone non-malleability, in
*41st Annual ACM Symposium on Theory of Computing*(ACM Press, 2009), pp. 179–188Google Scholar - 44.Y. Lindell, General composition and universal composability in secure multi-party computation.
*J. Cryptol.***22**(3):395–428 (2009)Google Scholar - 45.H.K. Maji, M. Prabhakaran, M. Rosulek, Complexity of multi-party computation problems: The case of 2-party symmetric secure function evaluation, in
*6th Theory of Cryptography Conference—TCC 2009*, volume 5444 of LNCS (Springer, 2009), pp. 256–273Google Scholar - 46.S. Micali, M.O. Rabin, S.P. Vadhan, Verifiable random functions, in
*40th Annual Symposium on Foundations of Computer Science*(IEEE, 1999), pp. 120–130Google Scholar - 47.T. Moran, G. Segev, David and Goliath commitments: UC computation for asymmetric parties using tamper-proof hardware, in
*Advances in Cryptology—Eurocrypt 2008*, volume 4965 of LNCS (Springer, 2008), pp. 527–544Google Scholar - 48.