One-sided leakage-resilient privacy only two-message oblivious transfer
Journal of Information Security and Applications 19 (2014) 295–300
Partha Sarathi Roy, Avishek Adhikari*
Department of Pure Mathematics, University of Calcutta, India
Article info
Article history: Available online 7 November 2014
MSC: 94A60
Keywords: Oblivious transfer; Leakage resilient; k-DDH
* Corresponding author. E-mail addresses: royparthasarathi0@gmail.com (P.S. Roy), [email protected] (A. Adhikari).
http://dx.doi.org/10.1016/j.jisa.2014.10.002
2214-2126/© 2014 Elsevier Ltd. All rights reserved.
Abstract
Oblivious transfer (OT) is one of the key components of many cryptographic applications. Constructions of OT assume that the local secret state of an honest party is perfectly hidden from the adversary. However, one primary focus of the cryptographic community in recent years has been to build cryptographic tools that are resilient to side-channel attacks. Such attacks exploit various forms of unintended information leakage which are inherent to almost all physical implementations. In this paper, we initiate a study of oblivious transfer protocols against a malicious adversary in the presence of side-channel attacks. Specifically, we consider a setting where a cheating sender is allowed to obtain leakage on the secret state of the receiver during the protocol execution. We formalize the definition and propose a construction of a one-sided leakage-resilient privacy only two-message oblivious transfer protocol against a malicious adversary. The construction is based on the Naor-Pinkas (SODA 2001) two-message oblivious transfer protocol. Security of the protocol is based on the k-DDH assumption. The proposed protocol can tolerate a constant fraction of leakage from the memory of the receiver. To achieve the proposed definition, we assume a leak-free input encoding phase in the proposed construction.
1. Introduction
Oblivious transfer (OT) is an important primitive in the arsenal of distributed protocols. The concept of "oblivious transfer" was introduced in the seminal work of Rabin (1981). 1-out-of-2 OT was suggested by Even, Goldreich and Lempel (Even et al., 1985). Very briefly, in 1-out-of-2 OT the sender feeds an ordered pair of strings $(x_0, x_1)$ into the 1-out-of-2 OT machine. The receiver gives the machine a bit $s$ indicating which input he would like to receive. The machine outputs $x_s$ to the receiver and discards $x_{1-s}$. The sender knows that the receiver has one of the two strings but does not know which one. Crépeau (1987) showed that Rabin's OT is equivalent to 1-out-of-2 OT. There are many variations of OT, and these are useful
primitives for a variety of applications (Naor and Pinkas, 1999). These include oblivious sampling, which may be used for securely comparing the sizes of web search engines, protocols for privately solving the list intersection problem and for mutually authenticated key exchange based on (possibly weak) passwords, and protocols for anonymity-preserving web usage metering.
We note that in the standard definition of OT, as in most classical security notions, the honest party needs to generate and hold local secret values which are assumed to be perfectly hidden from the adversary. Unfortunately, over the last two decades it has become increasingly evident that such an assumption may be unrealistic when arguing security in the real world, where the physical implementation (e.g. on a smart card or a hardware token) of an algorithm is under attack.
Motivated by such scenarios, we initiate a study of oblivious transfer protocols against a malicious adversary in the presence of side-channel attacks. Specifically, we consider a setting where a cheating sender is allowed to obtain leakage on the secret state of the receiver during the protocol execution. We note that while there has been an extensive amount of research on leakage-resilient cryptography in the past few years, to the best of our knowledge almost all prior work has been either on leakage-resilient primitives such as encryption and signature schemes (Dziembowski and Pietrzak, 2008; Akavia et al., 2009; Dodis et al., 2009; Naor and Segev, 2009; Katz and Vaikuntanathan, 2009, and more) or on leakage-resilient (and tamper-resilient) devices (Ishai et al., 2003; Ishai et al., 2006; Ajtai, 2011), while very limited effort has been dedicated to constructing leakage-resilient interactive protocols (Damgård et al., 2011; Bitansky et al., 2012; Boyle et al., 2011; Boyle et al., 2012; Ganesh et al., 2012; Garg et al., 2011). The leakage-resilient zero-knowledge proof system of Garg et al. (2011) tolerates leakage only of the secret state of the prover. The leakage-resilient secure computation protocols of Ganesh et al. (2012) assume a leak-free input encoding phase (an offline phase) in which each party encodes its input in a specified format. This phase is assumed to be free of any leakage and may or may not depend on the function that the parties jointly compute. In the interactive phase the adversary gets access to leakage of the secret state of the honest participants. In Ganesh et al. (2012), two constructions are provided: one makes use of a fully homomorphic encryption scheme and the other is based only on the existence of (semi-honest) oblivious transfer. So the construction of leakage-resilient OT protocols is required to accelerate the design of leakage-resilient secure computation protocols and for other realistic applications.
In this direction, leakage-resilient OT protocols secure against a semi-honest adversary have been proposed in Damgård et al. (2011) and Bitansky et al. (2012). The protocol of Damgård et al. (2011) is based on the OT protocol of Peikert et al. (2008); the protocol of Bitansky et al. (2012) is based on non-committing encryption with oblivious key sampling (Canetti et al., 1996; Canetti et al., 2002). But to achieve a more realistic model, leakage-resilient OT against a malicious adversary is essential. There is no doubt that the presence of a malicious adversary makes the problem more challenging and interesting. To this end, to the best of our knowledge, we are the first to propose a definition and a construction of a one-sided leakage-resilient privacy only two-message 1-out-of-2 OT protocol against a malicious adversary, based on the two-message oblivious transfer protocol of Naor and Pinkas (2001). To distinguish this notion, leakage of the secret state of the receiver only, from leakage of the secret state of both receiver and sender, we call it one-sided.
2. Preliminaries
In this section we state some useful definitions, lemmas and the hardness assumption that will be used in the subsequent sections.
Definition 2.1. The min-entropy of a random variable $X$ is $H_\infty(X) = -\log\left(\max_x \Pr[X = x]\right)$.
Definition 2.2. A random variable $X$ is a $k$-source over $U$ if it has min-entropy $H_\infty(X) \ge k$.
2.1. Hardness assumption
2.1.1. k-DDH assumption (Canetti, 1997)
We say that the decisional Diffie-Hellman problem for $k$-sources ($k$-DDH) is hard relative to a group $G$ if for all PPT algorithms $A$ there exists a negligible function $\mathrm{negl}$ such that
$$\left|\Pr\left[A(G, q, g, g_1, g^b, g_2) = 1\right] - \Pr\left[A(G, q, g, g_1, g^b, g_1^b) = 1\right]\right| \le \mathrm{negl}(n),$$
where $n$ is the security parameter, the order of $G$ is a prime $q$, $g, g_1$ are generators of $G$, and the probabilities are taken over the choices of $g, g_1, g_2 \in G$ and of $b \in \mathbb{Z}_q$, where $b$ is drawn according to a $k$-source $B$ over $\mathbb{Z}_q$.
For simplicity we choose $n = \log q$.
2.1.2. k-DDH game (Damgård et al., 2011)
$G$ is a cyclic group of order $q$, $g$ and $g_1$ are two generators of $G$ and $L$ is a leakage function.
$$b \leftarrow \mathbb{Z}_q$$
$$L \leftarrow A_1$$
$$T = \left(g_1,\ g^b,\ g_1^{ab + (1-a)\gamma}\right), \quad \text{where } a \leftarrow \{0,1\} \text{ and } \gamma \leftarrow \mathbb{Z}_q$$
$$a' \leftarrow A_2(L(b), T)$$
$A$ wins if $a' = a$.
Note that in the case $a = 0$ the view of the adversary is $T = (g_1, g^b, g_1^{\gamma})$ together with $L(b)$, while in the case $a = 1$ the view of the adversary is $T = (g_1, g^b, g_1^b)$ together with $L(b)$.
Lemma 2.1. (Damgård et al., 2011) Let $L$ be a function with leakage rate $1 - \omega(\log n)/\log q$, and assume that
$$\left|\Pr\left[A(G, q, g, g_1, g^b, g_2) = 1\right] - \Pr\left[A(G, q, g, g_1, g^b, g_1^b) = 1\right]\right| \le \mathrm{negl}(n),$$
where $q$ is the order of $G$, $g, g_1$ are generators of $G$ and the probabilities are taken over the choices of $g, g_1, g_2 \in G$ and of $b \in \mathbb{Z}_q$, where $b$ is drawn according to a $k$-source $B$ over $\mathbb{Z}_q$. Then $A$ wins the $k$-DDH game with probability at most $1/2 + \mathrm{negl}'(n)$ for some negligible function $\mathrm{negl}'(\cdot)$.
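The game of Section 2.1.2 played out in code, as an added example that is not part of the original paper: the challenger samples $b$, $A_1$ submits a leakage function $L$, the challenger answers with $T$ and $L(b)$, and $A_2$ guesses $a$. The group is the one the paper uses later in its toy example (quadratic residues modulo 23, prime order 11, generators 9 and 13). The adversary is this example's own construction: it leaks the low bits of $b$ and then tests only the exponents consistent with that leakage against the third coordinate of $T$. The function names `challenger`, `brute_force_adversary` and `play`, and the choice of non-zero exponents, are assumptions of the example. In a group of 11 elements the discrete logarithm is of course found by exhaustion; the adversary deliberately spends effort only on the leakage-consistent candidates, so that its success is governed by the entropy left in $b$, which is exactly the quantity the leakage rate of Lemma 2.1 bounds.

```python
"""k-DDH game with a leakage oracle over G = QR_23 (prime order 11).
Added example; the brute-force adversary is this example's own construction,
not the paper's."""
import random

P, Q = 23, 11          # ambient modulus and prime order of the subgroup
G_GEN, G1_GEN = 9, 13  # the two public generators of the paper's toy example


def challenger(rng, leak_fn, g=G_GEN, g1=G1_GEN):
    """Samples b, a and gamma; returns the hidden bit a, the tuple T and L(b).
    a = 1 gives T = (g1, g^b, g1^b); a = 0 gives T = (g1, g^b, g1^gamma).
    Exponents are taken from {1,...,q-1} (example's choice: never the identity)."""
    b = rng.randrange(1, Q)
    a = rng.randrange(2)
    gamma = rng.randrange(1, Q)
    third = pow(g1, b, P) if a == 1 else pow(g1, gamma, P)
    return a, (g1, pow(g, b, P), third), leak_fn(b)


def brute_force_adversary(leak_bits):
    """A_1 asks for the low `leak_bits` bits of b; A_2 tries every exponent
    consistent with that leakage and answers 1 iff one of them explains T."""
    mask = (1 << leak_bits) - 1

    def a1():
        return lambda b: b & mask          # the submitted leakage function L

    def a2(leaked, T):
        g1, _, third = T
        for cand in range(1, Q):
            if cand & mask == leaked and pow(g1, cand, P) == third:
                return 1                   # some consistent b' gives g1^b' = third
        return 0

    return a1, a2


def play(leak_bits, trials, seed=1):
    """Fraction of games won by the brute-force adversary (seeded, so repeatable)."""
    rng = random.Random(seed)
    a1, a2 = brute_force_adversary(leak_bits)
    wins = 0
    for _ in range(trials):
        leak_fn = a1()
        a, T, leaked = challenger(rng, leak_fn)
        wins += int(a2(leaked, T) == a)
    return wins / trials


if __name__ == "__main__":
    for bits in range(5):
        print(f"leaked bits of b: {bits}  win rate: {play(bits, 2000):.3f}")
```

With no leakage every exponent is a candidate, so the adversary always finds a match, always answers 1, and wins half the time. Once all four bits of $b$ are leaked it wins about 95% of the games, failing only when the random $\gamma$ happens to equal $b$; the intermediate leakage amounts fall in between, which is the behaviour Lemma 2.1 rules out for a leakage rate of $1 - \omega(\log n)/\log q$ in a group where $\log q$ is large.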
3. Leakage model
In the only computation leaks information model, leakage occurs not only from the contents of the secret memory but also from the intermediate computations made by the honest party. Information leakage takes place whenever bits of the secret memory are accessed and computed upon. A formal discussion of this leakage model can be found in Micali and Reyzin (2004). The total leakage is bounded by some pre-specified $\ell \in \mathbb{N}$, where $\mathbb{N}$ denotes the set of natural numbers. Now suppose we consider a cheating sender in the OT protocol who has the capability of leaking a single bit from the receiver. At some point during the protocol the receiver must use his input bit $s$. Whenever this happens, the sender can simply leak this bit $s$, and in this case one cannot hope to achieve any indistinguishability-based definition. To overcome this problem we consider, as in Ganesh et al. (2012), a leak-free input encoding phase.
The current paper deals with the only computation leaks information model with a leak-free input encoding phase. We first assume an input encoding phase for the receiver. This phase can be run in isolation, and the parties need not be connected to the network. Hence, this phase is assumed to be free of any leakage.
Then finally we have an interactive phase in which the sender and the receiver exchange messages with each other. In this phase the adversary can leak from the secret state of the honest receiver.
4. Leakage resilient oblivious transfer
The definition of security that follows the ideal/real simulation paradigm provides strong security guarantees. In particular, it guarantees privacy, correctness, independence of inputs and more. However, in some settings it may be sufficient to guarantee privacy only. It is of interest, and simultaneously difficult, to provide a workable definition of privacy only with non-trivial security guarantees. For the case of two-message oblivious transfer (where the receiver sends one message and the sender replies with a single message) it is possible to formally define this. Based on the definitions given in Halevi and Tauman-Kalai (2012) and Hazay and Lindell (2010), we provide a definition that withstands side-channel attacks by a malicious adversary.
In the definition below we use the following notation: for a two-party protocol with security parameter $n$ between the sender $S$ with input $a$ and the receiver $R$ with input $b$, we denote the view of $S$ in an execution by $\mathrm{VIEW}_S(S^{\mathcal{O}^{\gamma}_{\mathcal{R}}}(1^n, a), R(1^n, b))$, where $S$ has access to the leakage oracle $\mathcal{O}^{\gamma}_{\mathcal{R}}$, which provides at most $\gamma$ bits of leakage from the secret state of $R$ in the interactive phase. We denote the view of $R$ by $\mathrm{VIEW}_R(S(1^n, a), R(1^n, b))$. The leakage oracle of the sender provides leakage to the adversary during the interactive phase only.
Further, in the following definition we use the notation $\equiv_c$ to denote computational indistinguishability, and $a \leftarrow A$ denotes that $a$ is drawn uniformly from $A$.
Definition 4.1. A two-message two-party probabilistic polynomial-time protocol $(S, R)$ is said to be a $\gamma$-Leakage-Resilient Privacy Only Two-Message Oblivious Transfer against a malicious adversary, in the only computation leaks information model with a leak-free input encoding phase, if the following conditions are satisfied:
• NON-TRIVIALITY: If $S$ and $R$ follow the protocol, then after an execution in which $S$ has as input a pair of strings $x_0, x_1 \in \{0,1\}^*$ and $R$ has as input a bit $s \in \{0,1\}$, the output of $R$ is $x_s$.
• PRIVACY IN THE CASE OF A MALICIOUS $R^*$: For every non-uniform deterministic polynomial-time $R^*$, every auxiliary input $z \in \{0,1\}^*$ and all inputs $x_0, x_1, x \in \{0,1\}^*$ such that $|x_0| = |x_1| = |x|$, it holds that either
$$\{\mathrm{VIEW}_{R^*}(S(1^n,(x_0,x_1)), R^*(1^n,z))\}_{n\in\mathbb{N}} \equiv_c \{\mathrm{VIEW}_{R^*}(S(1^n,(x_0,x)), R^*(1^n,z))\}_{n\in\mathbb{N}}$$
or
$$\{\mathrm{VIEW}_{R^*}(S(1^n,(x_0,x_1)), R^*(1^n,z))\}_{n\in\mathbb{N}} \equiv_c \{\mathrm{VIEW}_{R^*}(S(1^n,(x,x_1)), R^*(1^n,z))\}_{n\in\mathbb{N}}.$$
• PRIVACY IN THE CASE OF A MALICIOUS $S^*$: For every non-uniform probabilistic polynomial-time $S^*$ and every auxiliary input $z \in \{0,1\}^*$, it holds that
$$\{\mathrm{VIEW}_{S^*}(S^{*\mathcal{O}^{\gamma}_{\mathcal{R}}}(1^n,z), R(1^n,0))\}_{n\in\mathbb{N}} \equiv_c \{\mathrm{VIEW}_{S^*}(S^{*\mathcal{O}^{\gamma}_{\mathcal{R}}}(1^n,z), R(1^n,1))\}_{n\in\mathbb{N}}.$$
Discussion: Note that when defining privacy in the case of a malicious $R^*$ we chose to focus on a deterministic polynomial-time receiver $R^*$. This is necessary in order to fully define the message $R^*(z)$ for any given $z$, which in turn fully defines the string $x_{1-s}$ that $R^*(z)$ does not learn. By making $R^*$ non-uniform we do not weaken the adversary (since the advice tape of $R^*$ can hold its "best coins").
Notation: Throughout the paper, instead of writing $(g, g_1, g^b, g_1^b, g_2)$ we write $(g_1, g^b, g_1^b, g_2)$, omitting $g$ in the first coordinate. The same convention is followed for the other tuple.
High-level idea of the construction: The proposed protocol is constructed in the same way as in Naor and Pinkas (2001), but with some changes that make the protocol resilient to leakage of the receiver's secret state. Reducing the secret state is one of the key points. That is why the receiver sends $(g_1, g^b, g_1^b, g_2)$ or $(g_1, g^b, g_2, g_1^b)$ to the sender instead of $(g^a, g^b, g^{ab}, g^{\gamma})$ or $(g^a, g^b, g^{\gamma}, g^{ab})$, respectively. That is, we remove the extra secret $a$ and use the publicly known $g_1$. Another point is less computation with the secret: whenever a secret is used in a computation, the adversary obtains some information about it through leakage. That is why we use a uniformly chosen $g_2$ instead of $g^{\gamma}$. Moreover, in the intermediate steps the receiver needs leak-free exponentiation; the method of leak-free exponentiation is described in the proof of Theorem 4.1. Finally, the receiver never uses his choice bit $s$ in the interactive phase; he uses only the encoded form of $s$.
4.1. Proposed protocol
• Inputs: The sender $S$ has two input strings $x_0, x_1 \in \{0,1\}^m$ and the receiver $R$ has a bit $s \in \{0,1\}$.
• Auxiliary inputs: Both parties have the security parameter $n$ and the description of a group $G$ of prime order $q$ along with two generators $g$ and $g_1$ of the group. As the order of the group is prime, every element except the identity is a generator, so $g$ and $g_1$ can be any two elements of the group other than the identity.
• Leak-free input encoding phase: $R$ chooses $g_2 \leftarrow G$, $b \leftarrow \{1, \ldots, q\}$ and computes $\alpha$ as follows:
  – If $s = 0$ then $\alpha = (g_1, g^b, g_1^b, g_2)$.
  – If $s = 1$ then $\alpha = (g_1, g^b, g_2, g_1^b)$.
• The interactive phase:
  1. $R$ sends $\alpha$ to $S$.
  2. Let $(x, y, z_0, z_1)$ denote the tuple $\alpha$ received by $S$. $S$ checks whether $x, y, z_0, z_1 \in G$ and $z_0 \ne z_1$. If not, it aborts with output $\bot$. Otherwise, $S$ chooses $u_0, u_1, v_0, v_1 \leftarrow \{1, \ldots, q\}$ and computes $c_0, c_1$ as follows:
     – $c_0 = x_0 \cdot k_0$, where $w_0 = x^{u_0} g^{v_0}$ and $k_0 = z_0^{u_0} y^{v_0}$;
     – $c_1 = x_1 \cdot k_1$, where $w_1 = x^{u_1} g^{v_1}$ and $k_1 = z_1^{u_1} y^{v_1}$.
     $S$ sends $(c_0, w_0)$ and $(c_1, w_1)$ to $R$.
  3. – If $g_1^b$ is the third coordinate of $\alpha$, then $R$ computes $z_0^{u_0} y^{v_0} = w_0^b$ and outputs $x_0 = c_0 \cdot (w_0^b)^{-1}$.
     – If $g_1^b$ is the last coordinate of $\alpha$, then $R$ computes $z_1^{u_1} y^{v_1} = w_1^b$ and outputs $x_1 = c_1 \cdot (w_1^b)^{-1}$.
Discussion: In the proposed construction the computation of $\alpha$ is tied to the input encoding of $R$; that is why $R$ computes $\alpha$ in the leak-free phase. We make this minimal assumption to resist leakage of the single-bit secret input $s$ of $R$. We do not, however, need to protect any other secret of $R$ from leaking: the secret $b$ is also used in the interactive phase. So, to achieve Definition 4.1, we assume the minimum amount of leak-free secret state.
Example illustrating the proposed construction: Here we illustrate the proposed construction with a toy example.
Consider a group of order 11. To construct it, we start with $\mathbb{Z}_{23}$ and take all elements of $\mathbb{Z}_{23}$ having square roots modulo 23 (the quadratic residues). So our group is $G = (\{1,2,3,4,6,8,9,12,13,16,18\}, \cdot)$, where "$\cdot$" denotes multiplication modulo 23. In the example, all calculations are done modulo 23.
• Inputs: The sender $S$ has two inputs $x_0 = 4$ and $x_1 = 8$ (both elements of $G$) and the receiver $R$ has a bit $s \in \{0,1\}$.
• Auxiliary inputs: Both parties have the security parameter $n$ and the description of the group $G$ of prime order 11 along with two generators $g = 9$ and $g_1 = 13$. As the order of the group is prime, every element other than the identity is a generator, so for $g$ and $g_1$ we can choose any two elements of the group other than 1.
• Leak-free input encoding phase: $R$ randomly chooses $g_2 = 18$ and $b = 2$ and computes $\alpha$ as follows:
  – If $s = 0$ then $\alpha = (g_1 = 13,\ g^b = 12,\ g_1^b = 8,\ g_2 = 18)$.
  – If $s = 1$ then $\alpha = (g_1 = 13,\ g^b = 12,\ g_2 = 18,\ g_1^b = 8)$.
• The interactive phase: Let the choice of the receiver $R$ be $s = 0$.
  1. $R$ sends $\alpha = (13, 12, 8, 18)$ to $S$.
  2. Let $(x, y, z_0, z_1) = (13, 12, 8, 18)$ denote the tuple received by $S$. $S$ checks whether $x, y, z_0, z_1 \in G$ and $z_0 \ne z_1$; here $z_0 = 8 \ne 18 = z_1$. So $S$ chooses $u_0 = 8$, $u_1 = 6$, $v_0 = 3$, $v_1 = 12$ and computes:
     – $w_0 = 13^8 \cdot 9^3 = 2 \cdot 16 = 9$, $k_0 = 8^8 \cdot 12^3 = 4 \cdot 3 = 12$, $c_0 = x_0 \cdot k_0 = 4 \cdot 12 = 2$;
     – $w_1 = 13^6 \cdot 9^{12} = 6 \cdot 9 = 8$, $k_1 = 18^6 \cdot 12^{12} = 8 \cdot 12 = 4$, $c_1 = x_1 \cdot k_1 = 8 \cdot 4 = 9$.
     $S$ sends $(c_0, w_0) = (2, 9)$ and $(c_1, w_1) = (9, 8)$ to $R$.
  3. Since $g_1^b$ is the third coordinate of $\alpha$, $R$ computes $w_0^b = 9^2 = 12 = k_0$ and outputs $x_0 = c_0 \cdot (w_0^b)^{-1} = 2 \cdot 12^{-1} = 2 \cdot 2 = 4$. Note that $w_1^b = 8^2 = 18 \ne k_1$, so $b$ does not open $c_1$.
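The protocol of Section 4.1 and the toy example above, as an added example in Python that is not part of the original paper: both sides of the exchange over the quadratic residues modulo 23, the sender's membership and $z_0 \ne z_1$ checks, the receiver's decryption, and a check that the receiver's own exponent $b$ does not open the other ciphertext. The group, generators, messages and randomness in `toy_run()` are the paper's (sender's coins $u_0, u_1, v_0, v_1 = 8, 6, 3, 12$); the function names, the return layout and the cheating-receiver test are this example's own. As in the toy example, messages are group elements, and exponents are drawn from $\{1, \ldots, q-1\}$ rather than $\{1, \ldots, q\}$ so that nothing is raised to the power $q \equiv 0$; both are assumptions of the example. The leak-free exponentiation of Theorem 4.1 is not modelled.

```python
"""Two-message OT of Section 4.1 over the paper's toy group (added example;
not the authors' code).  G = quadratic residues modulo 23, prime order 11.
Function names, return layout and the cheating-receiver check are this
example's own; the numbers in toy_run() are the paper's toy example."""
import secrets

P = 23                                            # ambient modulus
Q = 11                                            # prime order of G = QR_23
G = frozenset(pow(a, 2, P) for a in range(1, P))  # {1,2,3,4,6,8,9,12,13,16,18}


def inv(x):
    """Inverse in Z_23^* (P is prime, so x^(P-2) is x^-1)."""
    return pow(x, P - 2, P)


def rand_exp():
    """Exponent in {1,...,q-1}: example's choice, avoids raising to q = 0."""
    return secrets.randbelow(Q - 1) + 1


def receiver_encode(s, g, g1, b=None, g2=None):
    """Leak-free input encoding phase.  Returns alpha = (g1, g^b, z0, z1) with
    g1^b in slot s and a random group element g2 != g1^b in slot 1-s, plus b."""
    b = rand_exp() if b is None else b
    g1b = pow(g1, b, P)
    while g2 is None or g2 == g1b:                # g2 must differ from g1^b
        g2 = pow(g, rand_exp(), P)
    y = pow(g, b, P)
    alpha = (g1, y, g1b, g2) if s == 0 else (g1, y, g2, g1b)
    return alpha, b


def sender_reply(alpha, g, x0, x1, coins=None):
    """Interactive phase, step 2.  x0, x1 are group elements here (the toy
    example uses 4 and 8).  Returns None on abort (output bottom), otherwise
    ((c0, w0), (c1, w1)) and the keys (k0, k1) for inspection only."""
    x, y, z0, z1 = alpha
    if not all(e in G for e in alpha) or z0 == z1:
        return None                               # malformed, or z0 == z1
    u0, u1, v0, v1 = coins if coins else tuple(rand_exp() for _ in range(4))
    w0 = pow(x, u0, P) * pow(g, v0, P) % P
    k0 = pow(z0, u0, P) * pow(y, v0, P) % P
    w1 = pow(x, u1, P) * pow(g, v1, P) % P
    k1 = pow(z1, u1, P) * pow(y, v1, P) % P
    return ((x0 * k0 % P, w0), (x1 * k1 % P, w1)), (k0, k1)


def receiver_output(s, b, reply):
    """Interactive phase, step 3: R recovers x_s = c_s * (w_s^b)^-1."""
    c, w = reply[s]
    return c * inv(pow(w, b, P)) % P


def toy_run():
    """Replays the paper's toy example: g=9, g1=13, g2=18, b=2, s=0,
    x0=4, x1=8, u0=8, u1=6, v0=3, v1=12."""
    g, g1, x0, x1, s = 9, 13, 4, 8, 0
    alpha, b = receiver_encode(s, g, g1, b=2, g2=18)
    reply, (k0, k1) = sender_reply(alpha, g, x0, x1, coins=(8, 6, 3, 12))
    (c0, w0), (c1, w1) = reply
    return {"alpha": alpha, "w0": w0, "k0": k0, "c0": c0,
            "w1": w1, "k1": k1, "c1": c1,
            "output": receiver_output(s, b, reply),
            "other_w_to_b": pow(w1, b, P)}        # R's b applied to w_{1-s}


def random_run(s):
    """Honest run with fresh coins.  Returns (x_s recovered?, does w_{1-s}^b
    equal k_{1-s}?).  The second is always False: g2 != g1^b and u != 0 mod q."""
    g, g1, x0, x1 = 9, 13, 4, 8
    alpha, b = receiver_encode(s, g, g1)
    reply, keys = sender_reply(alpha, g, x0, x1)
    other_w = reply[1 - s][1]
    return (receiver_output(s, b, reply) == (x0, x1)[s],
            pow(other_w, b, P) == keys[1 - s])


def cheating_receiver_rejected():
    """A receiver that puts g1^b in both slots is stopped by the z0 != z1 check."""
    g, g1, b = 9, 13, 2
    alpha = (g1, pow(g, b, P), pow(g1, b, P), pow(g1, b, P))
    return sender_reply(alpha, g, 4, 8) is None


if __name__ == "__main__":
    print(toy_run())
    print(random_run(0), random_run(1), cheating_receiver_rejected())
```

`toy_run()` reproduces $\alpha = (13, 12, 8, 18)$, $w_0 = 9$, $k_0 = 12$, $c_0 = 2$, $w_1 = 8$, $k_1 = 4$, $c_1 = 9$ and the receiver's output 4, and shows $w_1^b = 18 \ne k_1$. `random_run(s)` with fresh coins shows that $x_s$ is always recovered while $w_{1-s}^b$ never equals $k_{1-s}$, since $k_{1-s} = g_2^{u} g^{bv}$ and $w_{1-s}^b = g_1^{ub} g^{bv}$ differ whenever $g_2 \ne g_1^b$ and $u \not\equiv 0 \pmod q$. `cheating_receiver_rejected()` is the $z_0 \ne z_1$ check doing its job: a receiver that places $g_1^b$ in both slots would otherwise open both ciphertexts.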
To make the construction a $\gamma$-Leakage-Resilient Privacy Only Two-Message Oblivious Transfer protocol against a malicious adversary, we have to resist leakage at the time of computing $g_1^b$, $w_0^b$ or $w_1^b$. The method of computing these exponentiations is described in the second part of the proof of the following Theorem 4.1.
Theorem 4.1. Assume that the $k$-DDH assumption (Canetti, 1997) holds in $G$. Then the proposed protocol is a $\gamma$-Leakage-Resilient Privacy Only Two-Message Oblivious Transfer protocol against a malicious adversary, where $\gamma = (1 - \omega(\log n)/\log q)\,|sk_{Rec}|$ and $|sk_{Rec}|$ denotes the bit length of the secret memory contents of the receiver.
Proof. Non-triviality: Let $x_0, x_1$ be the inputs of $S$ and let $s$ be the input of $R$. Further, let $c_0, c_1$ be sent by $S$ to $R$. Non-triviality follows from the fact that
$$w_s^b = x^{u_s b} g^{v_s b} = g_1^{u_s b} g^{v_s b} = z_s^{u_s} y^{v_s}.$$
Thus, $R$ recovers the correct key and can compute $x_s$.
Privacy in the case of a malicious $R^*$: The analysis of the privacy of the sender $S$ against a malicious receiver is the same as in Claim 7.2.3 of Hazay and Lindell (2010). Privacy of the sender does not depend on any computational hardness assumption; it is unconditional.
Privacy in the case of a malicious $S^*$: An adversary corrupting the sender obtains leakage from the secret memory of the receiver and from the computations performed by the receiver that involve its secret memory. The secret memory of the receiver consists of $(s, b, g_2)$. Now, $g_2$ is given to the sender, and $s$ is only used in the leak-free input encoding phase. We therefore focus on the leakage from $b$ and prove that privacy remains intact for the honest receiver as in Definition 4.1.
To this end, we first prove the claim for a restricted class of leakage functions and then extend it. Restricted leakage functions: $H_{Sen} = \{L_1, L_2, \ldots, L_t\}$ denotes the set of leakage functions, submitted by an adversary corrupting the sender, which do not leak from the intermediate computations of $g_1^b$, $w_0^b$ or $w_1^b$.
In the first part we prove the privacy of the receiver for the leakage functions in $H_{Sen}$, i.e., we avoid leakage from computation; in the second part we capture leakage from computation.
First part: The requirement is that $S^*$'s view when $R$ has input 0 is indistinguishable from its view when $R$ has input 1. The view of an adversarial sender $S^*$ in the protocol consists merely of $R$'s first message $\alpha$ and the leakage from $b$. Assume by contradiction that there exist a probabilistic polynomial-time distinguisher $D$ and a non-negligible function $\varepsilon$ such that for infinitely many $n$
$$\left|\Pr\left[D(g_1, g^b, g_1^b, g_2, L(b)) = 1\right] - \Pr\left[D(g_1, g^b, g_2, g_1^b, L(b)) = 1\right]\right| \ge \varepsilon(n),$$
where $g_1, g_2 \leftarrow G$ and $b \leftarrow \{1, \ldots, q\}$. Then, by subtracting and adding $\Pr[D(g_1, g^b, g_2, g_3, L(b)) = 1]$ and applying the triangle inequality, we have
$$\begin{aligned}
&\left|\Pr\left[D(g_1, g^b, g_1^b, g_2, L(b)) = 1\right] - \Pr\left[D(g_1, g^b, g_2, g_1^b, L(b)) = 1\right]\right| \\
&\le \left|\Pr\left[D(g_1, g^b, g_1^b, g_2, L(b)) = 1\right] - \Pr\left[D(g_1, g^b, g_2, g_3, L(b)) = 1\right]\right| \\
&\quad + \left|\Pr\left[D(g_1, g^b, g_2, g_3, L(b)) = 1\right] - \Pr\left[D(g_1, g^b, g_2, g_1^b, L(b)) = 1\right]\right|,
\end{aligned}$$
where $g_1, g_2, g_3 \leftarrow G$ and $b \leftarrow \{1, \ldots, q\}$. Therefore, by the hypothesis, either
$$\left|\Pr\left[D(g_1, g^b, g_1^b, g_2, L(b)) = 1\right] - \Pr\left[D(g_1, g^b, g_2, g_3, L(b)) = 1\right]\right| \ge \varepsilon(n)/2$$
or
$$\left|\Pr\left[D(g_1, g^b, g_2, g_3, L(b)) = 1\right] - \Pr\left[D(g_1, g^b, g_2, g_1^b, L(b)) = 1\right]\right| \ge \varepsilon(n)/2.$$
Assume that the first one holds. We construct a distinguisher $D'$ for the $k$-DDH problem that works as follows. Upon receiving the challenge $(x, y, z)$ from the $k$-DDH challenger $C_{k\text{-}DDH}$, $D'$ chooses a random $g_3 \leftarrow G$, hands $D$ the tuple $(x, y, z, g_3)$ and receives from $D$ the leakage function $L$. $D'$ forwards $L$ to $C_{k\text{-}DDH}$, and after obtaining $L(b)$ from $C_{k\text{-}DDH}$ it passes $L(b)$ to $D$ and outputs whatever $D$ outputs. The key observation is that if $(x, y, z) = (g_1, g^b, g_2)$ then $D$ sees $(g_1, g^b, g_2, g_3, L(b))$, whereas if $(x, y, z) = (g_1, g^b, g_1^b)$ then $D$ sees $(g_1, g^b, g_1^b, g_3, L(b))$. Noting that $g_2$ does not appear in this last tuple and that $g_2$ and $g_3$ are identically distributed, the latter is exactly the distribution $(g_1, g^b, g_1^b, g_2, L(b))$. Thus
$$\left|\Pr\left[D'(g_1, g^b, g_2, L(b)) = 1\right] - \Pr\left[D'(g_1, g^b, g_1^b, L(b)) = 1\right]\right| = \left|\Pr\left[D(g_1, g^b, g_1^b, g_2, L(b)) = 1\right] - \Pr\left[D(g_1, g^b, g_2, g_3, L(b)) = 1\right]\right| \ge \varepsilon(n)/2,$$
in contradiction to the hardness of the $k$-DDH game. A similar analysis applies when the second inequality holds. It therefore follows that $\varepsilon$ must be a negligible function. The proof of $R$'s privacy is concluded by noting that $(g_1, g^b, g_1^b, g_2, L(b))$ is exactly the distribution of $R$'s message (with leakage) when $s = 0$ and $(g_1, g^b, g_2, g_1^b, L(b))$ is exactly that distribution when $s = 1$. Thus the privacy of $R$ follows from the $k$-DDH assumption over the group in question, and by Lemma 2.1 the leakage can be at most $(1 - \omega(\log n)/\log q)\,|sk_{Rec}|$.
Second part: We now remove the restriction on the leakage functions submitted by the malicious $S^*$, so we have to resist leakage at the time of computing $g_1^b$, $w_0^b$ or $w_1^b$. Consider the case of $g_1^b$. We wish to compute the exponentiation $g_1^b$ without leaking anything but $L(b)$, where $L$ is a leakage function with some specified leakage rate; specifically, we wish to implement these exponentiations in a black-box manner. To this end, we adopt the technique of Akavia et al. (2012). The idea is as follows. The generator $g_1$ is stored in memory using random $k_1, \ldots, k_l$ and $t_1, \ldots, t_l$ such that $g_1 = k_1^{t_1} k_2^{t_2} \cdots k_l^{t_l}$. Then, to compute $g_1^b$, the receiver emulates the following protocol between two memory parts $M_1$ and $M_2$. $M_1$ first computes encryptions of $k_1, \ldots, k_l$ under the homomorphic SKE of Akavia et al. (2012) and sends these ciphertexts to $M_2$, which keeps $t_1, \ldots, t_l$. Given $t_1, \ldots, t_l$ and $b$, $M_2$ computes an encryption of $k_1^{b t_1} k_2^{b t_2} \cdots k_l^{b t_l}$ and returns this ciphertext $c$ to $M_1$, which decrypts it. The result of Akavia et al. (2012) shows, based on the leftover hash lemma, that $g_1^b$ remains statistically close to uniform from the adversary's point of view when tolerating a $(1 - o(1))$ fraction of leakage from both $k_1, \ldots, k_l$ and $t_1, \ldots, t_l$, as long as the leakage from $k_1, \ldots, k_l$ and from $t_1, \ldots, t_l$ is computed independently. This implies that the adversary learns nothing but the computed outcome $g_1^b$. Similarly we compute $w_0^b$ or $w_1^b$.
Combining the analyses of the above two parts, we can guarantee the privacy of the receiver against a malicious sender with leakage in the only computation leaks information model with a leak-free input encoding phase.
5. Conclusion
We have presented a definition and a construction of a one-sided leakage-resilient privacy only two-message oblivious transfer protocol against a malicious adversary. To construct the leakage-resilient protocol we use and follow some results from the existing literature (Akavia et al., 2012; Damgård et al., 2011; Dziembowski and Faust, 2011). Lastly, the study of other variants of leakage-resilient OT protocols and their applications will also be interesting.
Acknowledgment
The authors are supported by the National Board for Higher Mathematics, Department of Atomic Energy, Government of India (No 2/48(10)/2013/NBHM(R.P.)/R&D II/695). We are also thankful to the anonymous reviewers for their useful comments.
References
Akavia A, Goldwasser S, Hazay C. Distributed public key schemes secure against continual leakage. In: PODC; 2012. p. 155–64.
Akavia A, Goldwasser S, Vaikuntanathan V. Simultaneous hardcore bits and cryptography against memory attacks. In: TCC; 2009. p. 474–95.
Ajtai M. Secure computation with information leaking to an adversary. In: STOC; 2011. p. 715–24.
Bitansky N, Canetti R, Halevi S. Leakage tolerant interactive protocols. In: TCC; 2012. p. 266–84.
Boyle E, Goldwasser S, Kalai YT. Leakage-resilient coin tossing. In: DISC; 2011. p. 181–96.
Boyle E, Goldwasser S, Jain A, Kalai YT. Multiparty computation secure against continual memory leakage. In: STOC; 2012. p. 1235–54.
Canetti R, Feige U, Goldreich O, Naor M. Adaptively secure multi-party computation. In: STOC; 1996. p. 639–48.
Canetti R, Lindell Y, Ostrovsky R, Sahai A. Universally composable two-party and multi-party secure computation. In: STOC; 2002. p. 494–503.
Canetti R. Towards realizing random oracles: hash functions that hide all partial information. In: CRYPTO; 1997. p. 455–69.
Crépeau C. An equivalence between two flavors of oblivious transfer. In: CRYPTO; 1987. p. 350–4.
Damgård I, Hazay C, Patra A. Leakage resilient two-party computation. Cryptology ePrint Archive, Report 2011/256; 2011.
Dodis Y, Kalai YT, Lovett S. On cryptography with auxiliary input. In: STOC; 2009. p. 621–30.
Dziembowski S, Faust S. Leakage-resilient cryptography from the inner-product extractor. In: ASIACRYPT; 2011. p. 702–21.
Dziembowski S, Pietrzak K. Leakage-resilient cryptography. In: FOCS; 2008. p. 293–302.
Even S, Goldreich O, Lempel A. A randomized protocol for signing contracts. Communications of the ACM June 1985;28(6):637–47.
Garg S, Jain A, Sahai A. Leakage-resilient zero knowledge. In: CRYPTO; 2011. p. 297–315.
Ganesh C, Goyal V, Lokam SV. On-line/off-line leakage resilient secure computation protocols. In: INDOCRYPT; 2012. p. 100–19.
Halevi S, Tauman-Kalai Y. Smooth projective hashing and two-message oblivious transfer. Journal of Cryptology 2012;25:158–93.
Hazay C, Lindell Y. Efficient secure two-party protocols: techniques and constructions. Berlin Heidelberg: Springer-Verlag; 2010.
Ishai Y, Prabhakaran M, Sahai A, Wagner D. Private circuits II: keeping secrets in tamperable circuits. In: EUROCRYPT; 2006. p. 308–27.
Ishai Y, Sahai A, Wagner D. Private circuits: securing hardware against probing attacks. In: CRYPTO; 2003. p. 463–81.
Katz J, Vaikuntanathan V. Signature schemes with bounded leakage resilience. In: ASIACRYPT; 2009. p. 703–20.
Micali S, Reyzin L. Physically observable cryptography. In: TCC; 2004. p. 278–96.
Naor M, Pinkas B. Oblivious transfer and polynomial evaluation. In: STOC; 1999. p. 245–54.
Naor M, Pinkas B. Efficient oblivious transfer protocols. In: SODA; 2001. p. 448–57.
Naor M, Segev G. Public-key cryptosystems resilient to key leakage. In: CRYPTO; 2009. p. 18–35.
Peikert C, Vaikuntanathan V, Waters B. A framework for efficient and composable oblivious transfer. In: CRYPTO; 2008. p. 554–71.
Rabin MO. How to exchange secrets by oblivious transfer. Technical Report TR-81. Aiken Computation Laboratory, Harvard University; 1981.