Statistical Zaps and New Oblivious Transfer Protocols Vipul Goyal - - PowerPoint PPT Presentation

Statistical Zaps and New Oblivious Transfer Protocols

Vipul Goyal

Carnegie Mellon University Johns Hopkins University Johns Hopkins University

Carnegie Mellon University University of California, Berkeley

Abhishek Jain Zhengzhong Jin Giulio Malavolta

1

Statistical Security in 2-party Protocols

2

Statistical Security in 2-party Protocols

• Everlasting security Computational unbounded adversary can’t break.
• Hard to achieve
• Impossible for both parties to achieve for general functionalities
• Focus of this work: One-side Statistical Security
• Interactive Proof Systems: Statistical Privacy for Prover
• Oblivious Transfer: Statistical Privacy for Receiver

2

Statistical Security in 2-party Protocols

• Everlasting security Computational unbounded adversary can’t break.
• Hard to achieve
• Impossible for both parties to achieve for general functionalities
• Focus of this work: One-side Statistical Security
• Interactive Proof Systems: Statistical Privacy for Prover
• Oblivious Transfer: Statistical Privacy for Receiver

2

Interactive Proof System

Prover Verifier

𝑦 ∈ 𝑀 𝜕 : witness

3

Interactive Proof System

Prover Verifier

𝑦 ∈ 𝑀 𝜕 : witness

3

Interactive Proof System

Prover Verifier

𝑦 ∈ 𝑀 𝜕 : witness

Accept/Reject

3

Witness Indistinguishability (WI)

Prover

Malicious Verifier

𝑦 ∈ 𝑀

𝜕 ∈ witness(𝑦)

Prover

Malicious Verifier

𝑦 ∈ 𝑀

𝜕′ ∈ witness(𝑦)

≈

4

Witness Indistinguishability (WI)

Prover

Malicious Verifier

𝑦 ∈ 𝑀

𝜕 ∈ witness(𝑦)

Prover

Malicious Verifier

𝑦 ∈ 𝑀

𝜕′ ∈ witness(𝑦)

≈

• Unlike zero-knowledge, WI can be achieved in 2-round

4

Zaps: 2-round Public-Coin WI [DN00]

Prover Verifier

𝑦 ∈ 𝑀

5

Zaps: 2-round Public-Coin WI [DN00]

Prover Verifier

𝑦 ∈ 𝑀

5

Zaps: 2-round Public-Coin WI [DN00]

Prover Verifier

𝑦 ∈ 𝑀

5

Zaps: 2-round Public-Coin WI [DN00]

Prover Verifier

𝑦 ∈ 𝑀

Public Verifiable

5

Zaps: 2-round Public-Coin WI [DN00]

Prover Verifier

Public Coin: Verifier only uses public random coins

𝑦 ∈ 𝑀

Public Verifiable

5

Zaps: 2-round Public-Coin WI [DN00]

Prover Verifier

Public Coin: Verifier only uses public random coins

𝑦 ∈ 𝑀

Public Verifiable Many Applications:

• Round-efficient secure multiparty computation [HHPV18]
• Resettable-secure protocols [DGS09]

……

5

Previous Works

[DN00] Zaps and NIZK proofs in common random string model are equivalent.

6

Previous Works

[DN00] Zaps and NIZK proofs in common random string model are equivalent. NIZKs

• Quadratic Residuosity Assumption [DMP88]
• Trapdoor permutation [FLS90]
• Decisional Linear Assumption [GOS06]

6

Previous Works

[DN00] Zaps and NIZK proofs in common random string model are equivalent. NIZKs

• Quadratic Residuosity Assumption [DMP88]
• Trapdoor permutation [FLS90]
• Decisional Linear Assumption [GOS06]

6

Previous Works

[DN00] Zaps and NIZK proofs in common random string model are equivalent. NIZKs

• Quadratic Residuosity Assumption [DMP88]
• Trapdoor permutation [FLS90]
• Decisional Linear Assumption [GOS06]

Zaps

6

Previous Works

[DN00] Zaps and NIZK proofs in common random string model are equivalent. NIZKs

• Quadratic Residuosity Assumption [DMP88]
• Trapdoor permutation [FLS90]
• Decisional Linear Assumption [GOS06]
• [BP15] Zaps from Indistinguishability Obfuscation
• Above works are computational Zap proofs

Zaps

6

Previous Works

[DN00] Zaps and NIZK proofs in common random string model are equivalent. NIZKs

• Quadratic Residuosity Assumption [DMP88]
• Trapdoor permutation [FLS90]
• Decisional Linear Assumption [GOS06]
• [BP15] Zaps from Indistinguishability Obfuscation
• Above works are computational Zap proofs

Zaps

6

Question (1): Does there exist statistical Zaps?

7

Result (1): Statistical Zaps from quasi-poly hard Learning with Errors Question (1): Does there exist statistical Zaps?

7

Result (1): Statistical Zaps from quasi-poly hard Learning with Errors Question (1): Does there exist statistical Zaps? [KKS18] achieves statistical private-coin WI.

7

Oblivious Transfer (OT)

Sender Receiver

𝑛0 𝑛1

𝛾 ∈ {0,1}

8

Oblivious Transfer (OT)

Sender Receiver

𝑛0 𝑛1

𝛾 ∈ {0,1}

8

Oblivious Transfer (OT)

Sender Receiver

𝑛0 𝑛1 𝑛0 𝑛1

𝛾 ∈ {0,1}

8

Oblivious Transfer (OT)

Sender Receiver

𝑛0 𝑛1 𝑛0 𝑛1

Get 𝑛𝛾 𝛾 ∈ {0,1}

8

Oblivious Transfer (OT)

Sender Receiver

𝑛0 𝑛1 𝑛0 𝑛1

Get 𝑛𝛾 Sender-Privacy: 𝑛1−𝛾 is hidden 𝛾 ∈ {0,1}

8

Oblivious Transfer (OT)

Sender Receiver

𝑛0 𝑛1 𝑛0 𝑛1

Get 𝑛𝛾 Sender-Privacy: 𝑛1−𝛾 is hidden Receiver-Privacy: 𝛾 is hidden to the sender 𝛾 ∈ {0,1}

8

Oblivious Transfer (OT)

Sender Receiver

𝑛0 𝑛1 𝑛0 𝑛1

Get 𝑛𝛾 Sender-Privacy: 𝑛1−𝛾 is hidden Receiver-Privacy: 𝛾 is hidden to the sender 𝛾 ∈ {0,1} Many Applications:

• Secure multiparty computation [Yao86, GMW87]
• 2-round WI [JKKR17, BGI+17, KKS18]
• Non-malleable commitment [KS17]

8

Natural Question

2-round statistical sender-private OT in plain model

[NP01, AIR01, Kal05, HK12, BD18]

9

Can we construct 2-round statistical receiver-private OT?

Natural Question

2-round statistical sender-private OT in plain model

[NP01, AIR01, Kal05, HK12, BD18]

9

Can we construct 2-round statistical receiver-private OT?

Natural Question

Impossible! 2-round statistical sender-private OT in plain model

[NP01, AIR01, Kal05, HK12, BD18]

9

Can we construct 2-round statistical receiver-private OT? Sender Non-uniform Malicious Receiver

Natural Question

Impossible! 2-round statistical sender-private OT in plain model

[NP01, AIR01, Kal05, HK12, BD18]

9

Can we construct 2-round statistical receiver-private OT? Sender Non-uniform Malicious Receiver

• 𝑢1

OT

1(𝛾 = 0; 𝑠 0)

OT

1(𝛾 = 1; 𝑠 1)

Natural Question

Impossible! 2-round statistical sender-private OT in plain model

[NP01, AIR01, Kal05, HK12, BD18]

9

Can we construct 2-round statistical receiver-private OT? Sender Non-uniform Malicious Receiver

• 𝑢1

OT

1(𝛾 = 0; 𝑠 0)

OT

1(𝛾 = 1; 𝑠 1)

𝑛0 𝑛1

Natural Question

Impossible! 2-round statistical sender-private OT in plain model

[NP01, AIR01, Kal05, HK12, BD18]

9

Can we construct 2-round statistical receiver-private OT? Sender Non-uniform Malicious Receiver

• 𝑢1

OT

1(𝛾 = 0; 𝑠 0)

OT

1(𝛾 = 1; 𝑠 1)

𝑛0 𝑛1 𝑛0 𝑛1

Compromise sender-privacy

Natural Question

Impossible! 2-round statistical sender-private OT in plain model

[NP01, AIR01, Kal05, HK12, BD18]

9

Can we construct 2-round statistical receiver-private OT? Sender Non-uniform Malicious Receiver

• 𝑢1

OT

1(𝛾 = 0; 𝑠 0)

OT

1(𝛾 = 1; 𝑠 1)

𝑛0 𝑛1 𝑛0 𝑛1

Compromise sender-privacy

• [KKS18] 3-round protocol from super-poly hardness assumptions

Natural Question

Impossible! 2-round statistical sender-private OT in plain model

[NP01, AIR01, Kal05, HK12, BD18]

9

Question (2): Based on polynomial hardness assumptions, does there exist 3-round statistical receiver-private OT in the plain model?

10

Result (2): 3-round statistical receiver-private OT from

poly-hardness

Construction (1): 2-round statistical sender-private OT Construction (2): Computational Diffie-Hellman assumption

Question (2): Based on polynomial hardness assumptions, does there exist 3-round statistical receiver-private OT in the plain model?

10

Result (2): 3-round statistical receiver-private OT from

poly-hardness

Construction (1): 2-round statistical sender-private OT Construction (2): Computational Diffie-Hellman assumption

Question (2): Based on polynomial hardness assumptions, does there exist 3-round statistical receiver-private OT in the plain model?

OT reversal

10

Technical Details Part I: Statistical Zaps

11

Statistical Zaps

Prover Verifier

𝑦 ∈ 𝑀

Public Verifiable

12

Starting Idea

• Compress a Σ-protocol via a Correlation Intractable Hash (CIH) H𝑙 ⋅

𝑙

[CGH98, KRR17, CCRR18, HL18, CCH+19, PS19]

V P

𝛽 𝛾 𝛿

𝚻-protocol

𝑦 ∈ 𝑀

13

Starting Idea

• Compress a Σ-protocol via a Correlation Intractable Hash (CIH) H𝑙 ⋅

𝑙

[CGH98, KRR17, CCRR18, HL18, CCH+19, PS19]

V P

𝛽 𝛾 𝛿

𝚻-protocol

𝑦 ∈ 𝑀

13

Starting Idea

• Compress a Σ-protocol via a Correlation Intractable Hash (CIH) H𝑙 ⋅

𝑙

[CGH98, KRR17, CCRR18, HL18, CCH+19, PS19]

V P

𝛽 𝛾 𝛿

𝚻-protocol

𝑦 ∈ 𝑀

V P

𝑦 ∈ 𝑀

13

Starting Idea

• Compress a Σ-protocol via a Correlation Intractable Hash (CIH) H𝑙 ⋅

𝑙

[CGH98, KRR17, CCRR18, HL18, CCH+19, PS19]

V P

𝛽 𝛾 𝛿

𝚻-protocol

𝑦 ∈ 𝑀

V P key 𝑙 for CIH

𝑦 ∈ 𝑀

13

Starting Idea

• Compress a Σ-protocol via a Correlation Intractable Hash (CIH) H𝑙 ⋅

𝑙

[CGH98, KRR17, CCRR18, HL18, CCH+19, PS19]

V P

𝛽 𝛾 𝛿

𝚻-protocol

𝑦 ∈ 𝑀

V P

Prepare 𝛽 key 𝑙 for CIH 𝑦 ∈ 𝑀

13

Starting Idea

• Compress a Σ-protocol via a Correlation Intractable Hash (CIH) H𝑙 ⋅

𝑙

[CGH98, KRR17, CCRR18, HL18, CCH+19, PS19]

V P

𝛽 𝛾 𝛿

𝚻-protocol

𝑦 ∈ 𝑀

V P

Prepare 𝛽 𝛾 = H𝑙(𝛽) key 𝑙 for CIH 𝑦 ∈ 𝑀

13

Starting Idea

• Compress a Σ-protocol via a Correlation Intractable Hash (CIH) H𝑙 ⋅

𝑙

[CGH98, KRR17, CCRR18, HL18, CCH+19, PS19]

V P

𝛽 𝛾 𝛿

𝚻-protocol

𝑦 ∈ 𝑀

V P

Prepare 𝛽 𝛾 = H𝑙(𝛽) key 𝑙 for CIH 𝑦 ∈ 𝑀 Compute 𝛿

13

Starting Idea

• Compress a Σ-protocol via a Correlation Intractable Hash (CIH) H𝑙 ⋅

𝑙

[CGH98, KRR17, CCRR18, HL18, CCH+19, PS19]

V P

𝛽 𝛾 𝛿

𝚻-protocol

𝑦 ∈ 𝑀

V P

𝛽, 𝛿 Prepare 𝛽 𝛾 = H𝑙(𝛽) key 𝑙 for CIH 𝑦 ∈ 𝑀 Compute 𝛿

13

Correlation Intractable Hash (CIH)

A CIH is a hash function H𝑙 ⋅

𝑙:

∀ 𝐷, let 𝑙 ← 0,1 poly(𝜇), it’s hard to find an 𝑦, such that 𝑦 H𝑙(⋅) 𝐷(⋅) H𝑙 𝑦 = 𝐷(𝑦) ⋅

14

Idea for Security

𝚻-protocol

V P 𝛽 = Com 𝑛 𝛾 𝛿 V 𝛽, 𝛿 Prepare 𝛽 𝛾 = CIH𝑙(𝛽) CIH key 𝑙 P

𝑦 ∈ 𝑀 𝑦 ∈ 𝑀

15

Idea for Security

𝚻-protocol

V P 𝛽 = Com 𝑛 𝛾 𝛿 V 𝛽, 𝛿 Prepare 𝛽 𝛾 = CIH𝑙(𝛽) CIH key 𝑙 P

𝑦 ∈ 𝑀 𝑦 ∈ 𝑀

• WI: follows from hiding property of the commitment

15

Idea for Security

• Soundness: Extract 𝑛∗ from 𝛽∗ using a trapdoor

Given 𝑛∗, the (only) accepting 𝛾∗ is efficiently computable Verifier accepts ⇒ 𝛾∗ = CIH𝑙 𝛽∗ = 𝐷 𝛽∗

• Hiding & Extractable commitments can be built in CRS model

⇒ Zaps in CRS model 𝚻-protocol

V V CIH key 𝑙

Cheating Prover 𝛽∗ = Com 𝑛∗

𝛾∗ 𝛿∗

Cheating Prover

𝑦 ∉ 𝑀 𝑦 ∉ 𝑀

𝛽∗, 𝛿∗

15

Idea for Security

• Soundness: Extract 𝑛∗ from 𝛽∗ using a trapdoor

Given 𝑛∗, the (only) accepting 𝛾∗ is efficiently computable Verifier accepts ⇒ 𝛾∗ = CIH𝑙 𝛽∗ = 𝐷 𝛽∗

• Hiding & Extractable commitments can be built in CRS model

⇒ Zaps in CRS model 𝚻-protocol

V V CIH key 𝑙

Cheating Prover 𝛽∗ = Com 𝑛∗

𝛾∗ 𝛿∗

Cheating Prover

𝑦 ∉ 𝑀 𝑦 ∉ 𝑀

𝛽∗, 𝛿∗

15

Idea for Security

• Soundness: Extract 𝑛∗ from 𝛽∗ using a trapdoor

Given 𝑛∗, the (only) accepting 𝛾∗ is efficiently computable Verifier accepts ⇒ 𝛾∗ = CIH𝑙 𝛽∗ = 𝐷 𝛽∗

• Hiding & Extractable commitments can be built in CRS model

⇒ Zaps in CRS model 𝚻-protocol

V V CIH key 𝑙

Cheating Prover 𝛽∗ = Com 𝑛∗

𝛾∗ 𝛿∗

Cheating Prover

𝑦 ∉ 𝑀 𝑦 ∉ 𝑀

𝛽∗, 𝛿∗

15

Idea for Security

• Soundness: Extract 𝑛∗ from 𝛽∗ using a trapdoor

Given 𝑛∗, the (only) accepting 𝛾∗ is efficiently computable Verifier accepts ⇒ 𝛾∗ = CIH𝑙 𝛽∗ = 𝐷 𝛽∗

• Hiding & Extractable commitments can be built in CRS model

⇒ Zaps in CRS model 𝚻-protocol

V V CIH key 𝑙

Cheating Prover 𝛽∗ = Com 𝑛∗

𝛾∗ 𝛿∗

Cheating Prover

𝑦 ∉ 𝑀 𝑦 ∉ 𝑀

𝛽∗, 𝛿∗ 𝛾∗ = 𝐷(𝛽∗)

15

Idea for Security

• Soundness: Extract 𝑛∗ from 𝛽∗ using a trapdoor

Given 𝑛∗, the (only) accepting 𝛾∗ is efficiently computable Verifier accepts ⇒ 𝛾∗ = CIH𝑙 𝛽∗ = 𝐷 𝛽∗

• Hiding & Extractable commitments can be built in CRS model

⇒ Zaps in CRS model 𝚻-protocol

V V CIH key 𝑙

Cheating Prover 𝛽∗ = Com 𝑛∗

𝛾∗ 𝛿∗

Cheating Prover

𝑦 ∉ 𝑀 𝑦 ∉ 𝑀

𝛽∗, 𝛿∗ 𝛾∗ = 𝐷(𝛽∗)

15

Idea for Security

• Soundness: Extract 𝑛∗ from 𝛽∗ using a trapdoor

Given 𝑛∗, the (only) accepting 𝛾∗ is efficiently computable Verifier accepts ⇒ 𝛾∗ = CIH𝑙 𝛽∗ = 𝐷 𝛽∗

• Hiding & Extractable commitments can be built in CRS model

⇒ Zaps in CRS model 𝚻-protocol

V V CIH key 𝑙

Cheating Prover 𝛽∗ = Com 𝑛∗

𝛾∗ 𝛿∗

Cheating Prover

𝑦 ∉ 𝑀 𝑦 ∉ 𝑀

𝛽∗, 𝛿∗ 𝛾∗ = 𝐷(𝛽∗)

Contradicts CIH!

15

Idea for Security

• Soundness: Extract 𝑛∗ from 𝛽∗ using a trapdoor

Given 𝑛∗, the (only) accepting 𝛾∗ is efficiently computable Verifier accepts ⇒ 𝛾∗ = CIH𝑙 𝛽∗ = 𝐷 𝛽∗

• Hiding & Extractable commitments can be built in CRS model

⇒ Zaps in CRS model 𝚻-protocol

V V CIH key 𝑙

Cheating Prover 𝛽∗ = Com 𝑛∗

𝛾∗ 𝛿∗

Cheating Prover

𝑦 ∉ 𝑀 𝑦 ∉ 𝑀

𝛽∗, 𝛿∗ 𝛾∗ = 𝐷(𝛽∗)

Contradicts CIH!

15

Idea for Security

• Soundness: Extract 𝑛∗ from 𝛽∗ using a trapdoor

Given 𝑛∗, the (only) accepting 𝛾∗ is efficiently computable Verifier accepts ⇒ 𝛾∗ = CIH𝑙 𝛽∗ = 𝐷 𝛽∗

• Hiding & Extractable commitments can be built in CRS model

⇒ Zaps in CRS model 𝚻-protocol

V V CIH key 𝑙

Cheating Prover 𝛽∗ = Com 𝑛∗

𝛾∗ 𝛿∗

Cheating Prover

𝑦 ∉ 𝑀 𝑦 ∉ 𝑀

𝛽∗, 𝛿∗ 𝛾∗ = 𝐷(𝛽∗)

Contradicts CIH!

15

Hiding & Extractability in Plain Model

• Use a 2-round statistical sender-private oblivious transfer

16

Hiding & Extractability in Plain Model

V P

• Use a 2-round statistical sender-private oblivious transfer

16

Hiding & Extractability in Plain Model

V P

• Use a 2-round statistical sender-private oblivious transfer

Prepare 𝑛, 𝑐′ ←$ 0,1 𝑐 ←$ 0,1

16

Hiding & Extractability in Plain Model

V P Receiver(𝑐) Sender

• Use a 2-round statistical sender-private oblivious transfer

Prepare 𝑛, 𝑐′ ←$ 0,1 𝑐 ←$ 0,1

16

Hiding & Extractability in Plain Model

V P Receiver(𝑐) Sender

• Use a 2-round statistical sender-private oblivious transfer

Prepare 𝑛, 𝑐′ ←$ 0,1 𝑐 ←$ 0,1

16

Hiding & Extractability in Plain Model

V P

𝑛 ⊥

Receiver(𝑐) Sender

• Use a 2-round statistical sender-private oblivious transfer

Prepare 𝑛, 𝑐′ ←$ 0,1 𝑐 ←$ 0,1

Put in 𝑐′-position

16

Hiding & Extractability in Plain Model

V P

𝑛 ⊥

Receiver(𝑐) Sender

• Use a 2-round statistical sender-private oblivious transfer

Prepare 𝑛, 𝑐′ ←$ 0,1 𝑐 ←$ 0,1

Put in 𝑐′-position

16

Hiding & Extractability in Plain Model

V P

𝑛 ⊥

Receiver(𝑐) Sender

• Use a 2-round statistical sender-private oblivious transfer

Prepare 𝑛, 𝑐′ ←$ 0,1 𝑐 ←$ 0,1

Put in 𝑐′-position 𝑛 ⊥ 𝑐 = 𝑐′, extract 𝑛√ With Pr = 1/2,

16

𝑐 ≠ 𝑐′, hide 𝑛√

Hiding & Extractability in Plain Model

V P

𝑛 ⊥

Receiver(𝑐) Sender

• Use a 2-round statistical sender-private oblivious transfer

Prepare 𝑛, 𝑐′ ←$ 0,1 𝑐 ←$ 0,1

Put in 𝑐′-position 𝑛 ⊥ With Pr = 1/2,

16

𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿

‘Weakly Secure’ Statistical Zaps

17

𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿

‘Weakly Secure’ Statistical Zaps

17

𝛽, 𝛿 Prepare 𝛽 𝛾 = CIH𝑙(𝛽) CIH key 𝑙 𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿 V P

‘Weakly Secure’ Statistical Zaps

Compute 𝛿

17

𝛽, 𝛿 Prepare 𝛽 𝛾 = CIH𝑙(𝛽) CIH key 𝑙 𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿 V P

‘Weakly Secure’ Statistical Zaps

𝑐′ ←$ 0,1 𝑐 ←$ 0,1 Compute 𝛿

17

𝛽, 𝛿 Prepare 𝛽 𝛾 = CIH𝑙(𝛽) CIH key 𝑙 𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿 V P

‘Weakly Secure’ Statistical Zaps

𝑐′ ←$ 0,1 𝑐 ←$ 0,1 Receiver(𝑐) Compute 𝛿

17

𝛽, 𝛿 Prepare 𝛽 𝛾 = CIH𝑙(𝛽) CIH key 𝑙 𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿 V P OT

1,

‘Weakly Secure’ Statistical Zaps

𝑐′ ←$ 0,1 𝑐 ←$ 0,1 Receiver(𝑐) Compute 𝛿

17

𝛽, 𝛿 𝛾 = CIH𝑙(𝛽) CIH key 𝑙 𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿 V P Prepare 𝑛 OT

1,

‘Weakly Secure’ Statistical Zaps

𝑐′ ←$ 0,1 𝑐 ←$ 0,1 Receiver(𝑐) Compute 𝛿

17

𝛽, 𝛿 𝛾 = CIH𝑙(𝛽) CIH key 𝑙 𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿 V P Prepare 𝑛 OT

1,

‘Weakly Secure’ Statistical Zaps

𝑐′ ←$ 0,1 𝑐 ←$ 0,1 Receiver(𝑐) Sender Compute 𝛿

17

𝛽, 𝛿 𝛾 = CIH𝑙(OT2) CIH key 𝑙 𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿 V P Prepare 𝑛 OT

1,

‘Weakly Secure’ Statistical Zaps

𝑐′ ←$ 0,1 𝑐 ←$ 0,1 Receiver(𝑐) Sender Compute 𝛿

17

𝛾 = CIH𝑙(OT2) CIH key 𝑙 OT2, 𝛿 𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿 V P Prepare 𝑛 OT

1,

‘Weakly Secure’ Statistical Zaps

𝑐′ ←$ 0,1 𝑐 ←$ 0,1 Receiver(𝑐) Sender Compute 𝛿

17

𝛾 = CIH𝑙(OT2) CIH key 𝑙 OT2, 𝛿 𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿 V P Prepare 𝑛 OT

1,

‘Weakly Secure’ Statistical Zaps

𝑐′ ←$ 0,1 𝑐 ←$ 0,1

• Statistical WI with err ≈ 1/2 (when 𝑐 ≠ 𝑐′)
• Computational Soundness

Receiver(𝑐) Sender Compute 𝛿

17

𝛾 = CIH𝑙(OT2) CIH key 𝑙 OT2, 𝛿 𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿 V P Prepare 𝑛 OT

1,

‘Weakly Secure’ Statistical Zaps

𝑐′ ←$ 0,1 𝑐 ←$ 0,1

• Statistical WI with err ≈ 1/2 (when 𝑐 ≠ 𝑐′)
• Computational Soundness

Receiver(𝑐) Sender Compute 𝛿

17

𝛾 = CIH𝑙(OT2) CIH key 𝑙 OT2, 𝛿 𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿 V P Prepare 𝑛 OT

1,

‘Weakly Secure’ Statistical Zaps

𝑐′ ←$ 0,1 𝑐 ←$ 0,1

• Statistical WI with err ≈ 1/2 (when 𝑐 ≠ 𝑐′)
• Computational Soundness

Receiver(𝑐) Sender Compute 𝛿

17

Amplify the Security

Receiver Sender

18

Amplify the Security

Receiver Sender 𝒄′ ← 0,1 𝑚 𝒄 ← 0,1 𝑚

18

Amplify the Security

Receiver Sender 𝒄′ ← 0,1 𝑚 𝒄 ← 0,1 𝑚

18

Amplify the Security

… ⊥ 𝑛 ⊥ … Receiver Sender 𝒄′-th position 2𝑚-positions 𝒄′ ← 0,1 𝑚 𝒄 ← 0,1 𝑚

18

Amplify the Security

… ⊥ 𝑛 ⊥ … Receiver Sender 𝒄′-th position 2𝑚-positions 𝒄′ ← 0,1 𝑚 𝒄 ← 0,1 𝑚

18

Amplify the Security

… ⊥ 𝑛 ⊥ … Receiver Sender 𝒄′-th position 𝒄-th position … ⊥ 𝑛 ⊥ … 2𝑚-positions 𝒄′ ← 0,1 𝑚 𝒄 ← 0,1 𝑚

18

Amplify the Security

… ⊥ 𝑛 ⊥ … Receiver Sender 𝒄′-th position … ⊥ 𝑛 ⊥ … 2𝑚-positions 𝒄′ ← 0,1 𝑚 𝒄 ← 0,1 𝑚

18

Amplify the Security

… ⊥ 𝑛 ⊥ … Receiver Sender 𝒄′-th position … ⊥ 𝑛 ⊥ … 2𝑚-positions With Pr = 1 − 2−𝑚, 𝒄 ≠ 𝒄′, hide 𝑛√ 𝒄′ ← 0,1 𝑚 𝒄 ← 0,1 𝑚

18

… ⊥ 𝑛 ⊥ …

Amplify the Security

… ⊥ 𝑛 ⊥ … Receiver Sender 𝒄′-th position 2𝑚-positions With Pr = 2−𝑚, 𝒄 = 𝒄′, extract 𝑛√ 𝒄′ ← 0,1 𝑚 𝒄 ← 0,1 𝑚

18

… ⊥ 𝑛 ⊥ …

Amplify the Security

… ⊥ 𝑛 ⊥ … Receiver Sender 𝒄′-th position

• Can be abstracted as a 2-round statistical hiding extractable

commitment [KKS18]

2𝑚-positions With Pr = 2−𝑚, 𝒄 = 𝒄′, extract 𝑛√ 𝒄′ ← 0,1 𝑚 𝒄 ← 0,1 𝑚

18

𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿 V P OT2, 𝛿 Prepare 𝑛 𝛾 = CIH𝑙(OT2) OT

1, CIH key 𝑙

𝒄′ ←$ 0,1 𝑚 𝒄 ←$ 0,1 𝑚 Receiver(𝒄) Sender 𝐚𝐛𝐪𝐭 Compute 𝛿

19

• Statistical WI with err ≈ 1/2𝑚 (negligible)
• Computational Soundness via Complexity Leveraging
• Public Coin Property : OT

1 is pseudorandom

𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿 V P OT2, 𝛿 Prepare 𝑛 𝛾 = CIH𝑙(OT2) OT

1, CIH key 𝑙

𝒄′ ←$ 0,1 𝑚 𝒄 ←$ 0,1 𝑚 Receiver(𝒄) Sender 𝐚𝐛𝐪𝐭 Compute 𝛿

19

• Statistical WI with err ≈ 1/2𝑚 (negligible)
• Computational Soundness via Complexity Leveraging
• Public Coin Property : OT

1 is pseudorandom

𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿 V P OT2, 𝛿 Prepare 𝑛 𝛾 = CIH𝑙(OT2) OT

1, CIH key 𝑙

𝒄′ ←$ 0,1 𝑚 𝒄 ←$ 0,1 𝑚 Receiver(𝒄) Sender 𝐚𝐛𝐪𝐭 Compute 𝛿

19

• Statistical WI with err ≈ 1/2𝑚 (negligible)
• Computational Soundness via Complexity Leveraging
• Public Coin Property : OT

1 is pseudorandom

𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿 V P OT2, 𝛿 Prepare 𝑛 𝛾 = CIH𝑙(OT2) OT

1, CIH key 𝑙

𝒄′ ←$ 0,1 𝑚 𝒄 ←$ 0,1 𝑚 Receiver(𝒄) Sender 𝐚𝐛𝐪𝐭 Compute 𝛿

19

• Statistical WI with err ≈ 1/2𝑚 (negligible)
• Computational Soundness via Complexity Leveraging
• Public Coin Property : OT

1 is pseudorandom

𝚻-protocol V P 𝛽 = Com 𝑛 𝛾 𝛿 V P OT2, 𝛿 Prepare 𝑛 𝛾 = CIH𝑙(OT2) OT

1, CIH key 𝑙

𝒄′ ←$ 0,1 𝑚 𝒄 ←$ 0,1 𝑚 Receiver(𝒄) Sender

Statistical Zaps

𝐚𝐛𝐪𝐭 Compute 𝛿

19

Technical Details Part II: Oblivious Transfer (OT)

20

Technical Details Part II: Oblivious Transfer (OT)

3-round Statistical Receiver-Private OT Statistical Hash Commitment 2-round Statistical Sender-Private OT Computational Diffie-Hellman

20

Technical Details Part II: Oblivious Transfer (OT)

3-round Statistical Receiver-Private OT Statistical Hash Commitment 2-round Statistical Sender-Private OT Computational Diffie-Hellman

20

Statistical Receiver-Private OT

Sender Receiver(𝛾 ∈ {0,1})

𝑛0 𝑛1 𝑛0 𝑛1

Get 𝑛𝛾

21

Statistical Receiver-Private OT

Sender Receiver(𝛾 ∈ {0,1})

𝑛0 𝑛1 𝑛0 𝑛1

Get 𝑛𝛾

Statistical Receiver-Privacy: 𝛾 is statistical hidden

21

Main Tool: Statistical Hash Commitments (SHC)

22

Main Tool: Statistical Hash Commitments (SHC)

Committer(𝛾 ∈ {0,1}) Receiver

22

Main Tool: Statistical Hash Commitments (SHC)

Committer(𝛾 ∈ {0,1}) Receiver Committing Phase:

22

Main Tool: Statistical Hash Commitments (SHC)

Committer(𝛾 ∈ {0,1}) Receiver Committing Phase:

22

Main Tool: Statistical Hash Commitments (SHC)

Committer(𝛾 ∈ {0,1}) Receiver Committing Phase: Opening Phase:

22

Hash value for 𝛾 = 0:

Main Tool: Statistical Hash Commitments (SHC)

Committer(𝛾 ∈ {0,1}) Receiver Hash value for 𝛾 = 1: Committing Phase: Opening Phase:

22

Hash value for 𝛾 = 0:

Main Tool: Statistical Hash Commitments (SHC)

Committer(𝛾 ∈ {0,1}) Receiver Hash value for 𝛾 = 1: Committing Phase: Opening Phase:

𝛾,

22

Hash value for 𝛾 = 0:

Main Tool: Statistical Hash Commitments (SHC)

Committer(𝛾 ∈ {0,1}) Receiver Hash value for 𝛾 = 1: Committing Phase: Opening Phase: Check

=?

𝛾,

22

Statistical Hash Commitments (SHC): Statistical Hiding Property

Committer 𝛾 = 0 Malicious Receiver

≈𝑡

Malicious Receiver Committer 𝛾 = 1

23

Statistical Hash Commitments (SHC): Computational Binding

Hash value for 𝛾 = 0: Malicious Committer Receiver Hash value for 𝛾 = 1: Committing Phase:

24

Statistical Hash Commitments (SHC): Computational Binding

Hash value for 𝛾 = 0: Malicious Committer Receiver Hash value for 𝛾 = 1: Committing Phase:

Computational Binding:

it’s hard for committer to find both

24

3-round Statistical Receiver-Private OT from SHC

25

3-round Statistical Receiver-Private OT from SHC

Receiver(𝑐 ∈ {0,1}) Sender(𝑛0, 𝑛1)

25

3-round Statistical Receiver-Private OT from SHC

Receiver(𝑐 ∈ {0,1}) Sender(𝑛0, 𝑛1) Hash values for opening: Committing Phase

𝑐

25

3-round Statistical Receiver-Private OT from SHC

Receiver(𝑐 ∈ {0,1}) Sender(𝑛0, 𝑛1) ℎ𝑑(⋅) : Goldreich-Levin hardcore predicate Hash values for opening: Committing Phase

𝑐

25

3-round Statistical Receiver-Private OT from SHC

Receiver(𝑐 ∈ {0,1}) Sender(𝑛0, 𝑛1)

ℎ𝑑 ⊕ 𝑛0 ℎ𝑑 ⊕ 𝑛1

ℎ𝑑(⋅) : Goldreich-Levin hardcore predicate Hash values for opening: Committing Phase

𝑐

25

3-round Statistical Receiver-Private OT from SHC

Receiver(𝑐 ∈ {0,1}) Sender(𝑛0, 𝑛1)

ℎ𝑑 ⊕ 𝑛0 ℎ𝑑 ⊕ 𝑛1

ℎ𝑑(⋅) : Goldreich-Levin hardcore predicate Hash values for opening: Committing Phase

𝑐

• Statistical Hiding ⇒ Statistical Receiver-Private
• Computational Binding ⇒ Computational Sender-Private

25

Statistical Hash Commitment from 2-round OT

Receiver Committer(𝛾 ∈ 0,1 )

26

Statistical Hash Commitment from 2-round OT

Receiver Committer(𝛾 ∈ 0,1 ) Secure 2-Party Computation from 2-round OT

← 0,1 𝜇 𝛾 0,1 𝜇 →

26

Statistical Hash Commitment from 2-round OT

Receiver Committer(𝛾 ∈ 0,1 )

• r

Secure 2-Party Computation from 2-round OT

← 0,1 𝜇 𝛾 0,1 𝜇 →

If 𝛾 = 0 If 𝛾 = 1

0: 1:

26

Statistical Hash Commitment from 2-round OT

Receiver Committer(𝛾 ∈ 0,1 )

• r

Secure 2-Party Computation from 2-round OT

← 0,1 𝜇 𝛾 0,1 𝜇 → = ⊕

Where

If 𝛾 = 0 If 𝛾 = 1

0: 1:

26

Statistical Hash Commitment from 2-round OT

Receiver Committer(𝛾 ∈ 0,1 )  Statistical Sender-Privacy of OT ⇒ Statistical Hiding  Computational Hiding of ⇒ Computational Binding

• r

Secure 2-Party Computation from 2-round OT

← 0,1 𝜇 𝛾 0,1 𝜇 → = ⊕

Where

If 𝛾 = 0 If 𝛾 = 1

0: 1:

26

Thank you!

Summary of Results

• Statistical Zaps from quasi-poly hardness Learning with Errors
• 3-round statistical receiver-private oblivious transfer from poly hardness
• 2-round statistical sender-private oblivious transfer
• Computational Diffie-Hellman Assumption

Full version : ia.cr/2020/235

27