
1 Introduction

The seminal work of Wyner [Wyn75] demonstrated the usefulness of noise for secure communication. Since then, there has been a large body of work on basing various cryptographic primitives, such as key agreement and commitment [BBCM95, BBR88, Mau91, DKS99, WNI03, Wul09, RTWW11], on different types of noisy communication channels.

In 1988, Crépeau and Kilian [CK88] showed that noise in a communication channel can be used to realize essentially everything a cryptographer could wish for. In particular, they showed that any non-trivial binary-symmetric channel (BSC) can be used to realize oblivious transfer (OT), which is sufficient for realizing two-party secure computation. (More efficient constructions were later considered in [KM01, SW02, IKO+11b].) Finally, Crépeau, Morozov and Wolf [CMW04] generalized these results to arbitrary discrete memoryless channels. Other results towards characterizing the types of channels on which OT can be based appeared in [Kil88, DKS99, DFMS04, Wul07, Wul09].

Following the work of Crépeau and Kilian [CK88], the entire body of research on secure two-party computation over noisy channels requires parties to interact. In contrast, the present paper considers cryptographic protocols which only use one-way communication, namely ones in which only one party speaks. There has been a considerable amount of work on realizing information-theoretic secure message transmission in this setting. These works are motivated not only by the goal of achieving information-theoretic security, but also by the goal of efficiency; see [BTV12] for discussion. Our goal is to extend this study to more general cryptographic tasks, including useful special cases of secure two-party computation in which the input originates from only one party.

1.1 Our Model

We model a channel as an ideal functionality \(\mathcal {C}\). This is done in order to capture the security properties of the channel in a clean way and in order to facilitate the use of composition theorems. A channel provides a communication medium between a sender and a receiver. The sender can invoke the channel \(\mathcal {C}\) on an input of its choice. The channel, “based on its nature”, processes the input and outputs the processed value to the receiver. The correctness and secrecy requirements of a channel and the protocols we build on top of it can be specified in terms of UC security. For example, consider a binary erasure channel (BEC) parameterized by a probability \(p \in (0,1)\). For this channel, the sender inputs a bit \(x \in \{0,1\}\) and the channel outputs (for the receiver) x with probability p and \(\bot \) with probability \(1 - p\). Even for this basic channel, stating the correctness and security properties is non-trivial. Correctness requires that if the sender sends x then the receiver outputs either x or \(\bot \), with the right probability distribution. Security is a bit more involved; it requires that no malicious sender can figure out whether the receiver actually received the sent bit or not, and that a malicious receiver does not learn any partial information about the sent bit in the case of an erasure.

In this work, we consider various such channels. Two other channels of particular interest to us are the binary symmetric channel (BSC) and the random oblivious transfer (ROT) channel. A BSC is parameterized by a probability \(p \in (\frac{1}{2},1)\). For this channel, the sent bit is transmitted correctly with probability p and is flipped with probability \(1-p\). An ROT channel takes as input two strings \(m_0\) and \(m_1\) from the sender and outputs either \((m_0,\bot )\) or \((\bot ,m_1)\) to the receiver, with equal probability.

When considering protocols built on top of such channels, we distinguish between the weaker semi-honest model, where the sender follows the protocol but tries to learn information about the receiver’s output from its random coins, and the malicious model, where the sender may send arbitrary information over the channel. When the sender follows the protocol, the receiver’s output should be as specified by the functionality. When the sender deviates from the protocol, the security requirement uses the standard real-ideal paradigm, asserting that the sender’s strategy can be simulated by a distribution over honest strategies. It is important to note, however, that in this case the standard definition of “security with abort” also allows the sender to make the protocol fail, as long as the receiver can detect this failure. By default, the term “secure” refers to the malicious model, though most of our negative results apply also to the semi-honest model.

Fig. 1. Relationships among different kinds of channels and their applications. A solid arrow from A to B denotes a positive reduction, i.e. B can be constructed given A. A dashed arrow from A to B denotes a negative result, i.e. B cannot be constructed given A. The solid self-edge of BEC indicates that the transmission probability of a BEC can be manipulated in both directions. The solid and dashed self-edges of BSC respectively indicate that the probability of correct transmission of a BSC can be diminished (brought closer to \(\frac{1}{2}\)) but cannot be amplified. (Figure not reproduced in this extract.)

1.2 Our Results

We initiate a general study of one-way secure computation (OWSC) protocols over noisy channels in a setting where only one party speaks. Surprisingly, the one-way setting is strikingly different from the interactive setting. In the interactive setting, all finite channels are either trivial, equivalent to secure message transmission, or equivalent to oblivious transfer. On the other hand, in the setting of OWSC, the landscape of what a channel is useful for is much richer. Specifically, we obtain the following results. All the implications have been summarized in Fig. 1.

  • Relationships Between Channels. The binary erasure channel (BEC) and the binary symmetric channel (BSC), which are known to be securely reducible to each other in the interactive setting, turn out to be qualitatively very different in the setting of one-way communication. In particular, we show that a BEC cannot be implemented given a BSC. Also, somewhat surprisingly, we show that while the erasure probability of a BEC can be manipulated in both directions, the probability of correct transmission of a BSC can only be manipulated in one direction.

  • Deterministic Functions. We show that both BEC and BSC are sufficient for securely realizing any deterministic (possibly reactive) functionality that takes input from a sender and delivers its output to a receiver with only one-way communication. This provides the first truly non-interactive solution to the problem of zero-knowledge. We extend our results to the Generalized Erasure Channel (GEC), which is a generalization of BEC (see Sect. 3 for the formal definition).

  • Randomized Functions. We show that neither BEC nor BSC can be used (even under computational assumptions) for the task of realizing randomized functionalities which take input from a sender and deliver output to a receiver, in the setting of one-way communication. Nonetheless, one-way communication over natural channels, such as bursty erasure channels, can be used to realize such functionalities. This result is obtained by first constructing a random oblivious-transfer channel (ROT) and then building on the techniques from [IPS08, IKO+11a]. This provides the first non-trivial feasibility result for secure computation in a setting where only one party speaks.

1.3 Applications

One-way secure computation (OWSC), both for deterministic and for randomized functionalities, enables a number of applications for which there are no known solutions.

Truly Non-interactive Zero-Knowledge. Non-interactive zero-knowledge proof systems (NIZKs) [BFM90, FLS99] are a fundamental tool in cryptography with widespread applications. However, all known constructions rely on a common random string (or a random oracle) and inherently fail to achieve useful features such as non-transferability or deniability [Pas03]. OWSC for deterministic functions provides the first truly non-interactive solution to the problem of zero-knowledge. This solution does not rely on a shared string between the parties or on a random oracle, and it achieves the non-transferability and deniability properties. Furthermore, this solution achieves information-theoretic and composable security.

Oblivious Certification of Cryptographic Keys. Public-key cryptography relies on the existence of certification authorities (like Verisign) who sign the public keys of different parties. All known implementations of this certification procedure rely on interaction. Our OWSC for randomized functionalities provides the first candidate for realizing this procedure with just one-way communication. More specifically, our protocol allows the certification authority to send a public-key/secret-key pair along with a certificate on the public key with just one-way communication. We stress that in this setting the certification authority itself does not learn the secret key of the recipient party, as the randomness used in its generation is derived from the channel. However, if the certification authority deviates from the protocol, the recipient may detect failure rather than output a pair of keys.

Fair Puzzle Distribution. Consider a Sudoku Puzzle competition where the organizer of the competition would like to generate signed puzzles for all the participants. However the participants do not trust the organizer and would like their challenge Sudoku puzzles to be of the same difficulty. More specifically, we would like to have a mechanism that allows the competition organizer to provide independent puzzles of a pre-specified difficulty level (along with a signature on this puzzle) to each of the participants. The participants should be assured not only that the puzzles were generated independently from the correct distribution, but also that the organizers do not have an edge in solving the puzzles they generated (e.g., by generating random solved puzzles). There are no known solutions for this problem in a setting with just one-way communication. Our OWSC protocol for randomized functions gives the first such solution.

2 Preliminaries

Let \(\lambda \) denote a security parameter. We say that a function is negligible in \(\lambda \) if it is asymptotically smaller than the inverse of any fixed polynomial in \(\lambda \). Otherwise, the function is said to be non-negligible in \(\lambda \). We say that an event happens with overwhelming probability if it happens with probability \(p(\lambda ) = 1-\nu (\lambda )\), where \(\nu (\lambda )\) is a negligible function in \(\lambda \). We use [n] to denote the set \(\{1,\ldots , n\}\).

Monotone Sets. Let \(X_1, X_2 \ldots X_n\) be independent Bernoulli variables with \(\Pr [X_i = 1] = p_i\). We define \(Q_n = \{0,1\}^n\) (the n-cube) and identify each element \(a \in Q_n\) with the corresponding subset of [n]; i.e., \(\{i~|~a_i=1\}\). We define a probability measure \(\Pr \) on \(Q_n\) by:

$$ \Pr (a) = \prod _{i \in a} p_i \prod _{i \not \in a} (1 - p_i)~. $$

A set \(A \subseteq Q_n\) is said to be monotone if \(a \in A\) and \(a \subseteq b\) implies that \(b \in A\).

Lemma 1

(Harris [Har60], Kleitman [Kle66]). If A and B are two monotone subsets of \(Q_n\) then A and B are positively correlated; namely,

$$ \Pr [A \cap B] \ge \Pr [A]\Pr [B]. $$
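As an added illustration (not part of the paper), the following Python computes both sides of the Harris-Kleitman inequality exactly, with Fraction arithmetic, for monotone subsets of \(Q_n\) under the product measure defined above. The helper names (up_set, threshold_set, harris_kleitman_gap) are this example's own. The threshold set "at least t of the n symbols arrived" is the shape of event that matters in the proof of Theorem 1 below, where "\(m_0\) is recoverable" and "\(m_1\) is recoverable" are both up-sets of the delivered positions and hence positively correlated.

```python
"""Harris-Kleitman inequality on the n-cube, checked exactly with fractions.

Added illustration (not from the paper): monotone (up-)sets of Q_n under the
product measure Pr(a) = prod_{i in a} p_i * prod_{i not in a} (1 - p_i)."""
from fractions import Fraction
from itertools import product


def cube(n):
    """Q_n as n-bit tuples; a[i] == 1 means coordinate i lies in the subset."""
    return list(product((0, 1), repeat=n))


def measure(a, probs):
    """Product measure of one element a of Q_n (probs[i] = Pr[X_i = 1])."""
    pr = Fraction(1)
    for bit, p in zip(a, probs):
        pr *= p if bit else 1 - p
    return pr


def prob(A, probs):
    """Pr[A] for a subset A of Q_n."""
    return sum((measure(a, probs) for a in A), Fraction(0))


def is_monotone(A, n):
    """Up-set test: adding any single coordinate to a member must stay inside.
    Checking single additions suffices, since any superset is reached one
    coordinate at a time."""
    for a in A:
        for i in range(n):
            if a[i] == 0 and a[:i] + (1,) + a[i + 1:] not in A:
                return False
    return True


def up_set(generators, n):
    """Smallest monotone set containing the given subsets (as bit tuples)."""
    return {b for b in cube(n)
            if any(all(bb >= gg for bb, gg in zip(b, g)) for g in generators)}


def threshold_set(n, t):
    """'At least t of the n coordinates are 1', e.g. 'at least t symbols
    of a (n, l, p)-erasure channel transmission arrived'."""
    return {a for a in cube(n) if sum(a) >= t}


def harris_kleitman_gap(A, B, probs):
    """Pr[A and B] - Pr[A] * Pr[B]; Lemma 1 says this is >= 0 whenever both
    A and B are monotone.  Raises if a set is not monotone, because then the
    lemma gives no guarantee."""
    n = len(probs)
    if not (is_monotone(A, n) and is_monotone(B, n)):
        raise ValueError("Lemma 1 needs both sets to be monotone")
    return prob(A & B, probs) - prob(A, probs) * prob(B, probs)
```

For independent events (two up-sets that depend on disjoint coordinates) the gap is exactly 0; for overlapping threshold events it is strictly positive, which is the quantitative fact behind the impossibility argument for ROT over erasure channels.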

Chernoff Bounds. Let \(X_1, X_2 \ldots X_n\) be independent Bernoulli variables with \(\Pr [X_i = 1] = p_i\). Let \(X = \sum _{i = 1}^{n} X_i\) and \(\mu \) be the expectation of X. Then,

$$ \Pr (X \ge (1+\delta )\mu )\le e^{-\frac{\delta ^2\mu }{3}} \text{, } \text{ for } 0 < \delta < 1. $$
$$ \Pr (X \le (1-\delta )\mu )\le e^{-\frac{\delta ^2\mu }{2}}\text{, } \text{ for } 0 < \delta < 1. $$

3 Different Kinds of Channels

In this work, we model a channel as an ideal functionality \(\mathcal {C}\). This is done in order to capture the security properties of a channel in a clean way. A channel provides a (one-way) communication medium between a sender and a receiver. The sender can invoke the channel \(\mathcal {C}\) on an input of its choice. The channel “based on its nature”, processes the input and outputs the processed value to the receiver. The correctness and secrecy requirements of a channel can be specified by a two-party functionality, which takes an input from the sender, generates some internal randomness, and delivers an output to the receiver. Our formulation of channel functionalities, as well as the security definition of protocols that build on top of them, follow the standard UC framework [Can05]. All of our positive results hold with statistical security, and some of our negative results apply also to the case of computational security. We will consider the following types of channels.

Binary Erasure Channel. The binary erasure channel (BEC) is perhaps the simplest non-trivial channel model considered in the literature. We denote this channel by \(\mathcal {C}_{BEC}^p\). For this channel, the sender inputs a bit \(x \in \{0,1\}\) and the channel outputs (to the receiver) x with a probability p and \(\bot \) with a probability \(1 - p\).

Binary Symmetric Channel. The binary symmetric channel (BSC) denoted by \(\mathcal {C}_{BSC}^p\) (for \(p > \frac{1}{2}\)) is a channel in which the sender inputs a bit \(x \in \{0,1\}\) and the channel outputs (for the receiver) x with a probability p and \(1- x\) with a probability \(1 - p\).

Generalized Erasure Channel. The generalized erasure channel (GEC) is a generalization of the BEC, where k strings are sent by the sender and some subset of them, determined by a probability distribution \(\mathcal {D}\), is erased. We denote this channel by \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}}\). Formally, the functionality takes as input k strings \(x_1, \ldots , x_k \in \{0,1\}^\ell \) from the sender. It samples a string \(s \in \{0,1\}^k\) (which we call the randomness of the channel) according to the distribution \(\mathcal {D}\). If \(s_i = 1\) then set \(y_i = x_i\) and, otherwise, \(y_i=\bot \). The functionality outputs \(y_1,\ldots ,y_k\) to the receiver. We will consider the following special cases of the generalized erasure channel.

  • \(\ell \)-Bit Random Oblivious Transfer. The \(\ell \)-bit random oblivious transfer channel (\(\ell \)-ROT), denoted by \(\mathcal {C}_{ROT}^{\ell }\), corresponds to the channel \(\mathcal {C}_{GEC}^{2,\ell ,\mathcal {D}_{2,OT}}\), where \(\mathcal {D}_{2,OT}\) is the distribution that outputs a uniformly random value in \(\{01,10\}\). We also consider a p-biased \(\ell \)-bit ROT channel, denoted by \(\mathcal {C}_{ROT}^{\ell ,p}\), which corresponds to the channel \(\mathcal {C}_{GEC}^{2,\ell ,\mathcal {D}_{2,p,OT}}\), where \(\mathcal {D}_{2,p,OT}\) is the distribution that outputs 10 with probability p and 01 with probability \(1 - p\).

  • \((k,\ell ,p)\)-Erasure Channel. The \((k,\ell ,p)\)-erasure channel corresponds to the channel \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,p}}\), where \(\mathcal {D}_{k,p}\) is the distribution that outputs a k bit string s such that, for every \(i \in [k]\), we have \(s_i=1\) with probability p and \(s_i=0\) with probability \(1-p\).

  • \((k,\ell )\)-Perfect Red-Blue Channel. The \((k,\ell )\)-Perfect Red-Blue channel corresponds to the channel \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,RB}}\), where \(\mathcal {D}_{k,RB}\) is any distribution such that each string in its output space (namely \(\{0,1\}^k\)) may be labeled either \(\mathsf{Red }\) or \(\mathsf{Blue }\) (or none) in a way that \(\Pr [\mathsf{Red }\cup \mathsf{Blue }] = 1\), \(\Pr [\mathsf{Red }] = \Pr [\mathsf{Blue }]\), and \(\forall r \in \mathsf{Red }\) and \(\forall s \subseteq r\) we have that \(s \notin \mathsf{Blue }\) and, similarly, \(\forall b \in \mathsf{Blue }\) and \(\forall c \subseteq b\) we have that \(c \notin \mathsf{Red }\).

  • \((k,\ell ,\mu ,\nu ,\eta )\)-Statistical Red-Blue Channel. The \((k,\ell ,\mu ,\nu ,\eta )\)-Statistical Red-Blue channel is a relaxed version of the Perfect Red-Blue Channel, that corresponds to the channel \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,\mu ,\nu ,\eta }}\), where \(\mathcal {D}_{k,\mu ,\nu ,\eta }\) is any distribution whose output space can be labelled \(\mathsf{Red }\) and \(\mathsf{Blue }\) such that (i) \(\Pr [\mathsf{Red }\cup \mathsf{Blue }] \ge 1 - \mu \), (ii) \(|\Pr [\mathsf{Red }] - \Pr [\mathsf{Blue }]| \le \nu \), (iii) \(\Pr _{r\in \mathsf{Red }}[\exists s \subseteq r \text{ such } \text{ that } s \in \mathsf{Blue }] \le \eta \), and (iv) \(\Pr _{b\in \mathsf{Blue }}[\exists c \subseteq b \text{ such } \text{ that } c \in \mathsf{Red }] \le \eta \).

  • \((k,\ell ,b)\)-Perfect Bursty Channel. This is an erasure channel where all b erasures appear in a “burst”. Formally, the \((k,\ell ,b)\)-Perfect bursty channel corresponds to the channel \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,b}}\), where \(\mathcal {D}_{k,b}\) is the distribution that outputs a k bit string such that all the bits are set to 1 besides the bits in locations \(x+1, x+2, \ldots , x+{b}\) where x is chosen uniformly from \(\{0,\ldots , k-b\}\).

  • \((k,\ell ,b,\sigma )\)-Noisy Bursty Channel. This is an erasure channel where erasures still appear in a “burst” but their number \(b'\) is normally distributed around b. Formally, the \((k,\ell ,b,\sigma )\)-noisy bursty channel corresponds to the channel \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,b,\sigma }}\) for typical \(k\gg b\), where \(\mathcal {D}_{k,b,\sigma }\) is the distribution that outputs a k bit string such that all the bits are set to 1 besides the bits in locations \(x+1, x+2, \ldots , x+{b'}\), where \(b'\) is sampled from a gaussian with mean b and standard deviation \(\sigma \) and rounded to the closest non-negative integer \(\le k\), and then x is chosen uniformly from \(\{0,\ldots , k-b'\}\).

4 Classification of Functionalities

Below we define the notion of one-way secure computation (OWSC) over a channel \(\mathcal {C}\) (thought of as a non-reactive ideal functionality). We shall refer to such an OWSC scheme as \(OWSC/\mathcal {C}\).

An \(\mathsf{OWSC }^f/\mathcal {C}\) scheme for a function \(f: X \rightarrow Y\) is a two-party protocol between Sender and Receiver and has the following format:

  • Sender gets an input \(x \in X\).

  • Sender invokes the channel \(\mathcal {C}\) (possibly multiple instances of the channel) with inputs of its choice. The channel, based on its nature, processes the input value and outputs it to the Receiver.

  • Receiver carries out a local computation and outputs f(x) or an error message.

Similarly, we can consider a reactive functionality specified by a stateful function \(f: \varSigma \times X \rightarrow \varSigma \times Y\). The Sender of an \(\mathsf{OWSC }^f/\mathcal {C}\) scheme for a stateful function f obtains multiple inputs on the fly. On obtaining an input \(x \in X\), the Sender can invoke the channel \(\mathcal {C}\) multiple times, and in each execution the Receiver should output either y, where \((\sigma ',y) \leftarrow f(\sigma ,x)\) (\(\sigma \in \varSigma \) is the current state and \(\sigma '\) is the state for the next execution), or an error message. The state is initialized to \(\epsilon \) before the first execution of the protocol.

The correctness and secrecy requirements of an OWSC scheme can be specified in terms of an ideal functionality. An \(\mathsf{OWSC }^f/\mathcal {C}\) scheme for f is required to be a secure realization of the following function \(\mathcal {F}_f\) in the \(\mathcal {C}\)-hybrid model.

  • \(\mathcal {F}_f\) accepts \(x \in X\) from the Sender and outputs f(x) to the receiver. If x is a special input error, then it outputs error to the Receiver.

We shall denote the security parameter by \(\lambda \) and require that the sender and the receiver in any scheme run in time polynomial in \(\lambda \) and the size of the circuit computing the function f. Further, for a scheme to be considered secure, we require that the simulation error be at most \(2^{-\varOmega (\lambda )}\).

Definition 1

(Completeness for Deterministic Functionalities). A channel \(\mathcal {C}\) is said to be \(\mathsf{OWSC }\) complete for deterministic functionalities, if for every deterministic function \(f: X \rightarrow Y\) there exists a \(\mathsf{OWSC }^f/\mathcal {C}\) scheme that is a UC-secure realization of the functionality \(\mathcal {F}_f\) in the \(\mathcal {C}\)-hybrid model.

Definition 2

(Completeness for Randomized Functionalities). A channel \(\mathcal {C}\) is said to be \(\mathsf{OWSC }\) complete for randomized functionalities, if for every randomized function \(f: X \rightarrow Y\) there exists a \(\mathsf{OWSC }^f/\mathcal {C}\) scheme that is a UC-secure realization of the functionality \(\mathcal {F}_f\) in the \(\mathcal {C}\)-hybrid model.

5 Reductions Among Channels

In this section, we study the relationships between different kinds of channels. Specifically:

  • Impossibility Results for \(\mathcal {C}_{ROT}\). One of the key channels of interest to us is the random oblivious transfer channel. We start by establishing (in Sect. 5.1) that this channel cannot be securely realized out of the most basic channels such as \(\mathcal {C}_{BEC}\) (in fact, from any \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,p}}\), where \(\mathcal {D}_{k,p}\) is the distribution that outputs a k bit string s such that, for every \(i \in [k]\), we have \(s_i=1\) with probability p and \(s_i=0\) with probability \(1-p\)) and \(\mathcal {C}_{BSC}\). In the full version, we provide extensions of these results to the computational setting (but ruling out only protocols with negligible error rather than small noticeable error).

  • Positive Results for \(\mathcal {C}_{ROT}\) . We consider a variety of more structured channels, such as the Red-Blue channel and the bursty channel, and give constructions of random oblivious transfer channel from such channels (Sect. 5.2).

  • Self-transformations for \(\mathcal {C}_{BEC}\) and \(\mathcal {C}_{BSC}\). We move back to the basic channels (\(\mathcal {C}_{BEC}\) and \(\mathcal {C}_{BSC}\)) and study additional properties of them. Although neither of these channels implies \(\mathcal {C}_{ROT}^1\), they are of a very different nature. We show (in Sect. 5.3) that the erasure probability of \(\mathcal {C}_{BEC}\) can be easily manipulated, but the flipping probability of \(\mathcal {C}_{BSC}\) is harder to manipulate. In particular, we show that, given a \(\mathcal {C}_{BEC}\), we can construct another \(\mathcal {C}_{BEC}\) with amplified or diminished erasure probability. On the other hand, given a \(\mathcal {C}_{BSC}\), we can only construct another \(\mathcal {C}_{BSC}\) with amplified flipping probability. In fact, diminishing the flipping probability turns out to be impossible.

We remark that all the impossibility results (in this section) are stated in terms of the simulation based notion but hold even for a weaker game-based security notion. These stronger impossibility results are implied by the proofs and are not spelled out explicitly.

5.1 Impossibility Results for \(\mathcal {C}_{ROT}\)

In this subsection, we rule out the construction of \(\mathcal {C}_{ROT}^1\) (random oblivious transfer) from the most basic channels such as \(\mathcal {C}_{BEC}\) and \(\mathcal {C}_{BSC}\). In particular, we show:

  • \(\mathcal {C}_{ROT}^{\ell '}\) (and, in fact, even biased-ROT) cannot be non-interactively securely realized from \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,p}}\).

  • \(\mathcal {C}_{BEC}^{p'}\) cannot be non-interactively securely realized from \(\mathcal {C}_{BSC}^p\). It is easy to realize \(\mathcal {C}_{BEC}^{\frac{1}{2}}\) from \(\mathcal {C}_{ROT}^{\ell '}\). Hence, combining with the above result, we also conclude that \(\mathcal {C}_{ROT}^{\ell '}\) cannot be non-interactively securely realized from \(\mathcal {C}_{BSC}^p\).

The following theorem and its proof can be adapted to rule out even \(\mathcal {C}_{ROT}^{\ell ',q}\) for any constant q. We state the result and the proof in the simpler setting where \(q = \frac{1}{2}\).

Theorem 1

\(\exists ~ \varepsilon \in (0,1)\) and \(\ell ' \in \mathbb {Z}^+\) such that \(\forall k,\ell ,p\), the channel \(\mathcal {C}_{ROT}^{\ell '}\) cannot be \(\varepsilon \)-securely realized in the \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,p}}\) hybrid model even against semi-honest adversaries.

We start by giving some intuition for the case of binary erasure channel. The intuition extends to \((k,\ell ,p)\)-erasure channels in a natural way. In any protocol for non-interactively realizing \(\mathcal {C}_{ROT}^1\) the sender will need to encode both its inputs \(m_0,m_1\) into its first message. Whether the receiver obtains \(m_0\) or \(m_1\) should depend solely on the random coins of the channel. In other words, erasure of certain bits (or more generally one combination from a list of possible choices) allows the receiver to obtain \(m_0\) while erasure of another combination allows the receiver to learn \(m_1\). The key issue is that a binary erasure channel erases each bit sent by the sender independently with a probability \(1-p\). Consider the scenario in which a receiver can obtain \(m_0\) from the received bits. In this scenario, since each bit sent by the sender is treated independently we have that the receiver also obtains \(m_1\) with a large enough probability, contradicting the security of the protocol. Arguing the last step formally is tricky and we rely on the Harris-Kleitman inequality for our argument. The full proof appears in the full-version.

Theorem 2

\(\forall p \in (\frac{1}{2},1)\), \(p' \in (0,1)\) and protocol \(\pi \), \(\exists \varepsilon \) such that \(\pi \) does not \(\varepsilon \)-securely realize \(\mathcal {C}_{BEC}^{p'}\) in the \(\mathcal {C}_{BSC}^p\)-hybrid model even against semi-honest adversaries.

We start by giving some intuition. Any protocol for non-interactively securely realizing \(\mathcal {C}_{BEC}\) will need the sender to encode its input m into its first message. Whether the receiver obtains m or not should depend solely on the random coins of the channel. In other words, when certain bits (or, more generally, one combination from a list of possible choices) are flipped then the receiver loses all information about m, while flipping another combination allows the receiver to learn m completely. Consider a sequence of hybrid strings between a pair of strings on which the receiver outputs m and \(\bot \) respectively. Among the hybrid strings there must exist two strings that differ in exactly one bit but are such that the receiver’s output on the two differs completely. At this point, we argue that a change of just one bit cannot affect the receiver’s best guess about the sent bit very dramatically, contradicting the security of the protocol. The key technical challenge of the proof lies in proving that this happens with noticeable probability. The full proof appears in the full version.

5.2 Positive Constructions for \(\mathcal {C}_{ROT}\)

We start by presenting a construction of a random oblivious transfer channel in the Red-Blue channel hybrid model. Our construction provides a solution for an arbitrary Red-Blue channel and is inefficient. Furthermore, such a channel in its generality is not very natural. Therefore, we study natural examples of Red-Blue channels (and their approximate variants) and aim for more efficient solutions.

We start by considering the basic setting of an arbitrary Red-Blue Channel and prove that it is sufficient to realize a random oblivious transfer channel.

Theorem 3

\(\mathcal {C}_{ROT}^\ell \) can be \(\max \{\mu ,\nu ,\eta \}\)-UC-securely realized (even against malicious adversaries) in the \((k,\ell ',\mu ,\nu ,\eta )\)-Red-Blue Channel hybrid model where \(\ell ' = \ell \cdot 2^k\).

The proof appears in the full-version. Note that for the case of perfect Red-Blue Channel, we have that \(\mu = \nu = \eta = 0\), and hence \(\mathcal {C}_{ROT}^\ell \) can be perfectly-UC-securely realized in the \((k,\ell ')\)-Perfect Red-Blue Channel hybrid model where \(\ell ' = \ell \cdot 2^k\).

Efficient Construction for ROT. We will start by considering the case of perfect bursty channel and show that it can be used to realize ROT. Recall that a \((k,\ell ,b)\)-perfect bursty channel corresponds to the channel \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,b}}\), where \(\mathcal {D}_{k,b}\) is the distribution that outputs a k bit string such that all the bits are set to 1 besides the “burst” of bits in locations \(x+1, x+2, \ldots , x+{b}\) which are set to 0, where x is chosen uniformly from \(\{0,\ldots , k-b\}\). In this setting we claim that:

Theorem 4

\(\mathcal {C}_{ROT}^\ell \) can be UC-securely realized (even against malicious adversaries) in the \((k,\ell ,b)\)-perfect bursty channel hybrid model when \(b > \frac{k}{2}\) or when b is odd.

Proof

We start by giving the intuition. The key idea is to use Shamir’s secret sharing (with shares of length \(\ell \)) and to secret-share the first string in the first half and the second string in the second half (with some appropriate threshold). Both when \(b > \frac{k}{2}\) and when b is odd, the deletion pattern is asymmetric: if more symbols from the first half are erased then the first string is deleted and, on the other hand, if more symbols from the second half get erased then the second string is deleted. If k is odd then our construction will only give a biased ROT, but this bias can be corrected using the transformation from Sect. 7. Similarly, we note that our construction does not need the distribution over where the burst happens to be uniform. Our protocol can be very easily modified so that this restriction is not crucial. This would, however, only give biased ROT protocols, and this bias will need to be corrected using the transformation from Sect. 7.

Next we give the construction for the case when b is odd. We assume, for simplicity, that k is even and \(t = \frac{k}{2}\). The construction for the setting when k is odd, or when b is not necessarily odd but \(b > k/2\), is identical except that the parameters should be adjusted appropriately.

The construction appears in Fig. 2. Since b is odd, either in the first half or in the second half at least \(\lceil b/2\rceil \) of the strings are erased, and hence that value remains hidden. On the other hand, in the other half the value can always be computed, since at most \(\lfloor b/2\rfloor \) strings are deleted there. The proof is identical to the case of the Red-Blue Channel (proved in the full version) and is therefore omitted.

Fig. 2. \(\mathcal {C}_{ROT}^\ell \) in the \((k,\ell ,b)\)-perfect bursty channel hybrid model, for odd b. (Figure not reproduced in this extract.)
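Since Fig. 2 is not reproduced here, the following Python is an added worked example of the construction described above; it is not the paper's own code. It uses Shamir sharing over a prime field \(\mathbb {F}_P\) (one field element per share, standing in for an \(\ell \)-bit string) and the threshold \(\theta = k/2 - \lfloor b/2\rfloor \) implied by the counting argument: a half that loses at most \(\lfloor b/2\rfloor \) shares keeps at least \(\theta \) of them, while a half that loses at least \(\lceil b/2\rceil \) keeps at most \(\theta - 1\), which reveal nothing. The function names and the choice of P are this example's assumptions. The last helper runs the protocol over every possible burst position and also shows what goes wrong for even b, where a burst split evenly across the middle reveals both strings.

```python
"""Random OT from a (k, l, b)-perfect bursty erasure channel (idea of Theorem 4).

Added example, not the paper's Fig. 2: shares live in GF(P) for a prime P rather
than in {0,1}^l, and theta = k/2 - floor(b/2) is the threshold implied by the
counting argument in the text."""
import random

P = 2**61 - 1   # Mersenne prime; every share is one field element


def _eval_poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):          # Horner's rule; coeffs[0] == f(0)
        acc = (acc * x + c) % P
    return acc


def shamir_share(secret, n, theta):
    """n shares (i, f(i)) of a random degree-(theta-1) polynomial with f(0) = secret.
    Any theta shares determine the secret; theta-1 or fewer are uniform."""
    coeffs = [secret % P] + [random.randrange(P) for _ in range(theta - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def shamir_reconstruct(shares, theta):
    """Lagrange interpolation of f(0) from theta shares, or None if too few."""
    if len(shares) < theta:
        return None
    pts = shares[:theta]
    secret = 0
    for xi, yi in pts:
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def bursty_erase(symbols, b, x):
    """Output of the (k, l, b)-perfect bursty channel whose coin chose burst
    start x: positions x+1 .. x+b (1-indexed) are erased (None)."""
    return [None if x + 1 <= pos <= x + b else v
            for pos, v in enumerate(symbols, start=1)]


def rot_threshold(k, b):
    # The 'revealed' half loses at most floor(b/2) shares, the 'hidden' half at
    # least ceil(b/2); theta = k/2 - floor(b/2) separates the two cases.
    return k // 2 - b // 2


def rot_send(m0, m1, k, b):
    """Sender: m0 shared over positions 1..k/2, m1 over positions k/2+1..k."""
    assert k % 2 == 0 and 0 < b < k
    half, theta = k // 2, rot_threshold(k, b)
    return ([y for _, y in shamir_share(m0, half, theta)] +
            [y for _, y in shamir_share(m1, half, theta)])


def rot_receive(received, k, b):
    """Receiver: reconstruct whichever half kept at least theta shares."""
    half, theta = k // 2, rot_threshold(k, b)
    first = [(i, y) for i, y in enumerate(received[:half], start=1) if y is not None]
    second = [(i, y) for i, y in enumerate(received[half:], start=1) if y is not None]
    return shamir_reconstruct(first, theta), shamir_reconstruct(second, theta)


def all_burst_outcomes(m0, m1, k, b):
    """Run the protocol for every burst start x in {0, ..., k-b} and return
    [(x, recovered m0 or None, recovered m1 or None)]."""
    sent = rot_send(m0, m1, k, b)
    return [(x, *rot_receive(bursty_erase(sent, b, x), k, b))
            for x in range(k - b + 1)]


def is_valid_rot(outcomes, m0, m1):
    """ROT requires that every channel coin reveals exactly one of the two strings."""
    return all((g0 == m0 and g1 is None) or (g0 is None and g1 == m1)
               for _, g0, g1 in outcomes)
```

With k = 8 and b = 3, bursts starting at x = 0, 1, 2 hide the first half and deliver \(m_1\), while x = 3, 4, 5 deliver \(m_0\); with b = 2 the burst at x = 3 erases one share from each half and both strings come out, which is why the theorem needs b odd (or \(b > k/2\)).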

Channel with Imprecise Burst. Finally, we consider a bursty erasure channel where the size of the burst is not precisely known but comes from roughly a discrete gaussian distribution. Recall that the \((k,\ell ,b,\sigma )\)-noisy bursty channel corresponds to the channel \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}_{k,b,\sigma }}\), where \(\mathcal {D}_{k,b,\sigma }\) is the distribution that outputs a k bit string such that all the bits are set to 1 besides the bits in locations \(x+1, x+2, \ldots , x+{b'}\), where \(b'\) is sampled from a gaussian with mean b and standard deviation \(\sigma \) and rounded to the closest non-negative integer \(\le k\), and then x is chosen uniformly from \(\{0,\ldots , k-b'\}\).

Theorem 5

\(\mathcal {C}_{ROT}^\ell \) can be \(\frac{(1-\alpha )b}{k-(1+\alpha )b} + \frac{\sigma ^2}{\alpha ^2b^2}\)-UC-securely realized in the \((k,\ell ,b,\sigma )\)-noisy bursty channel hybrid model for any constant \(\alpha \in (0,1)\).

Proof

We use the same construction as in Fig. 2 except for the threshold parameter \(\theta \) of the Shamir secret sharing. We set it so that \(m_0\) can be obtained if fewer than \((1-\alpha )b/2\) symbols are erased from the first half; the secret sharing for the second half is set up in the same way. By Chebyshev’s inequality, the probability that the size of the burst, \(b'\), lies outside the range \(\{(1-\alpha )b,\ldots , (1+\alpha )b\}\) is at most \(\frac{\sigma ^2}{\alpha ^2b^2}\) (if \(b'\) is too large the receiver may learn neither value, while if \(b'\) is too small it may learn both). Assuming this does not happen, the receiver obtains exactly one of the sent values as long as the burst does not happen “in the middle” (i.e., \((1-\alpha )b/2\) symbols are erased from each half). The probability that the burst happens in the middle is at most \(\frac{(1-\alpha )b}{k-(1+\alpha )b}\).

5.3 Self-transformations for \(\mathcal {C}_{BEC}\) and \(\mathcal {C}_{BSC}\)

In this subsection, we show that any erasure channel can be used to construct a binary erasure channel with any desired erasure probability. On the other hand, the case of BSC is very different. The probability of correct transmission in a BSC channel can be reduced but cannot be increased. Formally,

Theorem 6

\(\forall ~\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}}\) such that \(\mathcal {D}\) is not a constant distribution, \(\exists ~ p\) such that \(\mathcal {C}_{BEC}^{p}\) can be (perfectly) UC-securely realized (even against malicious adversaries) in the \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}}\)-hybrid model.

Theorem 7

\(\forall p,p'\in (0,1)\) and \(\epsilon > 1\), \(\exists p'' \in [p',\epsilon p']\), such that \(\mathcal {C}_{BEC}^{p''}\) can be (perfectly) UC-securely realized (even against malicious adversaries) in the \(\mathcal {C}_{BEC}^{p}\)-hybrid model.

Theorem 8

\(\forall p\in (\frac{1}{2},1)\) and \(t \in \mathbb {Z}^+\), the channel \(\mathcal {C}_{BSC}^{p'}\) can be (perfectly) UC-securely realized (even against malicious adversaries) in the \(\mathcal {C}_{BSC}^{p}\)-hybrid model where \(p' = \frac{1}{2}+ 2^{t-1}\left( p-\frac{1}{2}\right) ^t\).
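As an added derivation (not the paper's proof, which is in the full version), the expression for \(p'\) in Theorem 8 is exactly what the XOR of t independent outputs of \(\mathcal {C}_{BSC}^{p}\) gives: if the sender transmits t bits whose XOR is x and the receiver XORs the t received bits, the result is \(x \oplus e_1 \oplus \cdots \oplus e_t\) with independent noise bits \(e_i\), \(\Pr [e_i = 0] = p\). Then

$$ \mathbb {E}\left[ (-1)^{e_i}\right] = p - (1-p) = 2\left( p - \tfrac{1}{2}\right) , \qquad \mathbb {E}\left[ (-1)^{e_1 \oplus \cdots \oplus e_t}\right] = \prod _{i=1}^{t} \mathbb {E}\left[ (-1)^{e_i}\right] = 2^t \left( p - \tfrac{1}{2}\right) ^t, $$

and since \(\Pr [e_1 \oplus \cdots \oplus e_t = 0] = \tfrac{1}{2}\left( 1 + \mathbb {E}[(-1)^{e_1 \oplus \cdots \oplus e_t}]\right) \), the combined channel delivers x correctly with probability

$$ p' = \frac{1}{2} + 2^{t-1}\left( p - \frac{1}{2}\right) ^t . $$

Because \(0 < p - \tfrac{1}{2} < \tfrac{1}{2}\), this \(p'\) decreases towards \(\tfrac{1}{2}\) as t grows, consistent with Theorem 9's statement that the correctness probability of a BSC can only be reduced, not increased.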

Theorem 9

\(\forall ~ p,p' \in (\frac{1}{2},1), p' > p\) and protocol \(\pi \), \(\exists \varepsilon \) such that \(\pi \) does not \(\varepsilon \)-securely realize \(\mathcal {C}_{BSC}^{p'}\) in the \(\mathcal {C}_{BSC}^p\)-hybrid model even against semi-honest adversaries.

Proofs of the above theorems appear in the full-version.

6 OWSC Scheme for Deterministic Functionalities

\(\mathsf{OWSC }^{f}/\mathcal {C}\) is a meaningful notion only for those deterministic functions f for which, given a value y, deciding whether there exists an input x such that \(y = f(x)\) is non-trivial (cannot be done efficiently). This, in particular, rules out all functions with polynomial-sized input domains. Furthermore, this notion is useful only in the setting of malicious adversaries, because it is trivial to realize in the setting of semi-honest adversaries.

We start by noting that a \(\mathsf{OWSC }^{f}/\mathcal {C}\) scheme, for any deterministic function f, can be realized using a \(\mathsf{OWSC }^{\mathsf {zk}}/\mathcal {C}\) scheme for the zero-knowledge functionality. This is achieved simply by having the sender send the output to the receiver and, along with it, prove in zero-knowledge knowledge of an input x for which f(x) yields the provided output. Here we implicitly assume that, besides the channel \(\mathcal {C}\), the sender also has access to an error-free channel, which can be implemented using \(\mathcal {C}\) itself (with a negligible error). Formally,

Theorem 10

For every deterministic function f, there exists a \(\mathsf{OWSC }^f/\mathcal {C}\) scheme that is a UC-secure realization (even against malicious adversaries) of the functionality \(\mathcal {F}_f\) in the \(\mathcal {C}\)-hybrid model where \(\mathcal {C}\in \{\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}}, \mathcal {C}_{BSC}^p\}\).

As already mentioned, proving the above theorem reduces to the task of realizing a \(\mathsf{OWSC }^{\mathsf {zk}}/\mathcal {C}\) scheme. In our construction, we make use of oblivious ZK-PCPs (see definitions in the full version).

Lemma 2

There exists a \(\mathsf{OWSC }^{\mathsf {zk}}/\mathcal {C}\) scheme that is a UC-secure realization (even against malicious adversaries) of the zero-knowledge functionality in the \(\mathcal {C}\)-hybrid model where \(\mathcal {C}\in \{\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}}, \mathcal {C}_{BSC}^p\}\).

We start by giving some intuition. The key idea is to use an erasure channel or a binary symmetric channel to send over multiple instances of independently chosen ZK-PCPs and to observe a statistical gap that can be created only if valid proofs were sent. However, a number of difficulties arise in realizing this intuition, particularly in our construction from BSC. Below, we provide our construction from erasure channels. The more involved construction from the binary symmetric channel is deferred to the full version.

Erasure Channels. We start by considering the case of binary erasure channels with error probability \(\frac{1}{2}\); i.e., when \(\mathcal {C}= \mathcal {C}_{BEC}^{\frac{1}{2}}\). It follows from Theorems 6 and 7 that any \(\mathcal {C}_{GEC}^{k,\ell ,\mathcal {D}}\) can be used to realize \(\mathcal {C}_{BEC}^{\frac{1}{2}}\). We give the protocol in Fig. 3.

Fig. 3. (figure omitted) Realizing zero-knowledge from binary erasure channel

Completeness. For every \(i \in [k]\), using Chernoff bound, we have that:

$$ \Pr \left[ \Upsilon (\pi _i') \le \frac{n}{4}\right] \le e^{-\frac{n}{16}}, $$

where \(\Upsilon (\pi _i')\) denotes the number of occurrences of \(\bot \) in \(\pi _i'\).

Hence, except with negligible probability, for each \(i \in [k]\), R receives at least c. Given this, the completeness of the protocol follows from the completeness of the oblivious ZK-PCP.

Soundness. We will construct an extractor \(E'\), that extracts valid witnesses from any cheating prover \(P^*\) that makes the honest verifier accept with non-negligible probability. We will first describe our extractor \(E'\) and then argue that it indeed works (with overwhelming probability).

Our extractor \(E'\) proceeds as follows. Let \((\pi _1,\pi _2,\ldots , \pi _\ell )\) be the proofs generated by the cheating prover \(P^*\). For every \(i \in [\ell ]\), \(E'\) obtains \(y_i = E(x,\pi _i)\). If \(\exists i^* \in [\ell ]\) such that \(y_{i^*}\in R(x)\) then output \(y_{i^*}\) (breaking ties arbitrarily). If no such \(i^*\) exists then output \(\bot \).

Suppose that our extractor \(E'\) fails to extract a witness out of \(\pi _i\) for every \(i \in [\ell ]\). Then we have (by the soundness of the ZK-PCP) that \(\Pr [V_{\mathsf{oZK }}(x,\pi '_i) = 0] \ge {\kappa }\) for every \(i \in [\ell ]\), where the probability is taken over the random choices of obtaining \(\pi '_i\) from \(\pi _i\). Hence, if \(E'\) outputs \(\bot \) then the verifier also rejects, except with probability at most \((1 - {\kappa })^\ell \), which is negligible for \(\ell = \frac{\lambda }{{\kappa }}\).

Zero-Knowledge. We need to construct a simulator \(\mathcal {S}'\) for our protocol. This construction follows immediately from the \(\nu \)-zero-knowledge property of the oblivious ZK-PCP.

The full proof for the case of BSC appears in the full version.

7 \(\mathcal {C}_{ROT}^\ell \) is \(\mathsf{OWSC }\) Complete for Randomized Functionalities

In this section, we describe an OWSC scheme for any randomized function in the \(\mathcal {C}_{ROT}\)-hybrid model that uses only a single round of random OTs and no additional interaction. The functionalities considered here provide output to only one party. This result follows directly from [IPS08, Appendix B], and we include the construction and proof in the full version for completeness (much of the text has been taken verbatim from [IPS08, Appendix B]). More efficient alternatives have been considered by [IKO+11a]; however, we consider the simplest feasibility result for our setting.

One technical difference in our setting compared to [IPS08] is in the underlying primitive from which the protocols are constructed. While the protocol in [IPS08] uses a regular 1-out-of-N OT protocol, in our case we only have access to a 1-out-of-2 ROT protocol and need to convert it into a 1-out-of-N ROT protocol. (Recall that in the ROT protocol the choice of which of the N strings the receiver obtains is made by the channel.) This can, however, be done easily using standard techniques, and a sketch of the construction is provided in the full version.

Theorem 11

For every randomized function f, \(\exists \ell \) and a \(\mathsf{OWSC }^f/\mathcal {C}_{ROT}^\ell \) scheme that is a UC-secure realization (even against malicious adversaries) of the functionality \(\mathcal {F}_f\) in the \(\mathcal {C}_{ROT}^\ell \)-hybrid model.

\(\epsilon \)-secure Variant. We can also use the \(\epsilon \)-UC realization of ROT (based on the noisy bursty channel as in Theorem 5) in order to obtain an \(\epsilon \cdot r\)-UC realization of \(\mathsf{OWSC }^f\), where r is the number of ROT calls made inside our construction. For our construction, r is a fixed polynomial in the security parameter \(\lambda \), independent of the size of the function being computed.

Construction Using Biased-ROT. The above theorem is stated only for the \(\mathcal {C}_{ROT}^\ell \)-hybrid model. However, we note that the same construction continues to work in the \(\mathcal {C}_{ROT}^{\ell ,p}\)-hybrid model, for any constant \(p \in (0,1)\), with one small change. When using the \(\mathcal {C}_{ROT}^{\ell ,p}\) channel, the input provided by the channel for the function evaluation will be biased. This issue can be resolved by using \(\lambda \) (the security parameter) independent bits from the channel to obtain each input bit of the functionality being evaluated. More specifically, each input bit for the functionality is obtained by taking the exclusive or of \(\lambda \) independent channel bits. By the XOR Lemma, the obtained bits are close to uniform.

Furthermore, when using the \(\mathcal {C}_{ROT}^{\ell ,p}\)-hybrid model, the construction itself does not depend on the precise value of the constant p. Hence, our construction is robust in the sense that it remains secure even if the adversary gets to specify the value of p (within some bounded range).