Oblivious transfer - PowerPoint PPT Presentation

Slides: 16
Provided by: ITTC1

Transcript and Presenter's Notes


1
  • Oblivious transfer
  • Alice has a group of messages and Bob will get a
    subset of them. But Alice does not know which of
    the messages Bob gets.
  • Approach using commutative encryption
  • A new approach
  • Alice has two messages and Bob will receive one,
    but Alice does not know which one.

2
  • Oblivious transfer
  • Alice generates two public/private key pairs and
    gives both public keys to Bob
  • Bob generates a symmetric key K, and randomly
    selects one public key to encrypt and sends back
    to Alice
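  • Alice does not know which private key to use. So
    she decrypts with both, getting K from one and a
    meaningless value from the other, without knowing
    which is which
  • She encrypts one message with the first result
    and the other message with the second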
  • At the very end, both sides need to reveal the
    keys to show they do not cheat (what Alice can
    do, what Bob can do)

3
  • Oblivious transfer
  • Can Alice cheat? She could encrypt the same message
    with two different keys
  • Can Bob cheat? Bob cannot figure out the other key
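The exchange from slides 2 and 3, as an added example that is not part of the original slides. Textbook RSA over constructed Mersenne-prime moduli and a SHA-256 keystream stand in for the public-key and symmetric ciphers; all function names are hypothetical, and the keys are toy values with no security.

```python
import hashlib, secrets

E = 65537
# Constructed toy RSA primes (Mersenne primes): trivially factorable, demo only.
PRIMES = [(2**89 - 1, 2**107 - 1), (2**61 - 1, 2**127 - 1)]

def keygen(p, q):
    """Textbook RSA key pair: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def stream_xor(key_int, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (encrypts and decrypts)."""
    seed = key_int.to_bytes(32, "big")
    pad = b"".join(hashlib.sha256(seed + bytes([i])).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def bob_request(pubs, choice):
    """Bob picks K and encrypts it under ONE of Alice's public keys; choice stays secret."""
    while True:
        k = secrets.randbits(128)
        c = pow(k, E, pubs[choice])
        if c < min(pubs):  # c must fit both moduli, or its size would reveal the choice
            return k, c

def alice_respond(keys, c, msgs):
    """Alice decrypts c with BOTH private keys (one result is K, one is junk)
    and encrypts message i under result i."""
    return [stream_xor(pow(c, d, n), m) for (n, d), m in zip(keys, msgs)]

def bob_open(k, choice, cts):
    """Bob can open only the ciphertext that was encrypted under his K."""
    return stream_xor(k, cts[choice])

def bob_audit(keys, c, cts):
    """Final reveal: with Alice's private keys Bob recomputes both candidate keys,
    opens both ciphertexts, and checks she did not send one message twice."""
    opened = [stream_xor(pow(c, d, n), ct) for (n, d), ct in zip(keys, cts)]
    return opened[0] != opened[1]

def run(msgs, choice):
    keys = [keygen(p, q) for p, q in PRIMES]
    k, c = bob_request([n for n, _ in keys], choice)
    cts = alice_respond(keys, c, msgs)
    return bob_open(k, choice, cts), bob_audit(keys, c, cts)
```

`run` returns the message Bob recovered and whether the final audit passed; passing the same message twice models the cheat on slide 3 and makes the audit fail.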

4
Application of oblivious transfer
  • Simultaneous contract signing
  • Alice and Bob have agreed a contract and both
    want to sign, but no one wants to go first. What
    can we do?
  • A solution using TTP
  • Each side signs a copy and gives to TTP
  • Now both sides can sign.
  • If any disagreement happens, TTP holds a copy
    with your signature

5
  • Simultaneous contract signing using baby steps
  • Keep the difference between the degrees of
    commitment from both sides a very small value
  • Each side signs a letter and switch
  • Each side signs with an increasing commitment
    level

6
  • A real simultaneous contract signing protocol
    using oblivious transfer
  • Possible attacks
  • Can Alice send garbage bits during OT? For a
    specific pair, Alice has a 50% chance to cheat.
    With all n pairs, Alice's chance decreases to
    (½)^n
  • Alice can send fake keys. But she does not know
    which keys Bob has, so she will be caught if she
    cheats.

7
  • Possible attacks to simultaneous contract signing
    using OT
  • Alice can control which keys Bob receives through
    OT by encrypting the same message with different
    keys. But Bob can bring these messages to court.
  • Assumptions of the protocol
  • Both sides have roughly the same computation
    capability
  • There is no deadline approaching

8
  • Digital certified mail using OT
  • Alice sends an email to Bob, she wants a signed
    receipt before Bob can read it.
  • It looks similar to the contract signing
    protocol, but not really
  • Can Alice send halves of the email to Bob?
  • Can Alice encrypt the email and send halves of
    the keys to Bob?
  • Keys are just random numbers, how can Bob make
    sure these halves are real keys but not some
    garbage? On the contrary, Alice can examine the
    halves of the receipt during OT.

9
  • Improved digital certified mail
  • Simultaneous exchange of secret
  • The secret can be viewed as the email in previous
    protocol
  • Both sides XOR the keys to recover the message at
    the very end

10
(No Transcript)
11
  • Secure elections: maintain privacy and prevent
    cheating
  • A voting method needs the following properties
  • Only authorized voters can vote
  • No one can vote more than once
  • No one can know for whom anyone else votes
  • No one can change others' votes
  • A voter can verify whether his vote is counted

12
  • A simple protocol
  • Everyone signs the vote with their private key, then
    encrypts it with the centralized node's public key
  • Only authorized voters can vote and no one can
    vote twice
  • Violation to privacy
  • A voting protocol using blind signature
  • We need to separate the vote from the voter, and
    keep the authentication, seems that blind
    signature can do it.
  • Every node can only get the signed vote once
  • A malicious node cannot vote twice since the
    votes will have the same identification number
  • CTF maybe knows who votes for whom (by tracing
    the source of a vote), anonymous sending can
    solve this problem
  • CTF can generate fake votes

13
  • A self-organized voting protocol (removing the
    centralized counter)
  • First, a bad protocol
  • (1) Every node generates his vote and a random
    number, then encrypts
  • E_pub-A (E_pub-B (E_pub-C (E_pub-D (vote,
    random number))))
  • (2) Every node sends the vote to Alice, who
    will decrypt the first encryption, signs the
    results, and shuffle the order.
  • (3) B, C, and D do the same
  • (4) Finally, the (vote, random) plain texts
    are revealed, and every node makes sure his vote
    is counted.
  • What is the problem? Alice receives the original
    packets. When she sees the final results, she can
    re-encrypt them with the public keys, match them
    to the packets, and learn who voted for whom
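The linking problem described on this slide, as an added example that is not part of the original slides. It assumes deterministic textbook RSA with constructed toy moduli, omits the signing in step (2) because it does not affect the link, and uses hypothetical function names throughout.

```python
import secrets

E = 65537
# Constructed toy moduli from Mersenne primes, sized D < C < B < A so each
# layer's ciphertext fits under the next modulus. Demo only, not secure.
PRIMES = {"D": (2**31 - 1, 2**61 - 1), "C": (2**19 - 1, 2**89 - 1),
          "B": (2**17 - 1, 2**107 - 1), "A": (2**13 - 1, 2**127 - 1)}
PUB = {k: p * q for k, (p, q) in PRIMES.items()}
PRIV = {k: pow(E, -1, (p - 1) * (q - 1)) for k, (p, q) in PRIMES.items()}

def wrap(vote, nonce):
    """Step (1): E_pub-A(E_pub-B(E_pub-C(E_pub-D(vote, random number))))."""
    m = (vote << 64) | nonce
    for who in "DCBA":                 # innermost layer first
        m = pow(m, E, PUB[who])
    return m

def mix(packets, who):
    """Steps (2)-(3): one node strips its own layer and shuffles the order."""
    out = [pow(c, PRIV[who], PUB[who]) for c in packets]
    secrets.SystemRandom().shuffle(out)
    return out

def election(votes):
    """Runs the bad protocol; returns what Alice received and the final reveal."""
    received = {name: wrap(v, secrets.randbits(64)) for name, v in votes.items()}
    packets = list(received.values())
    for who in "ABCD":
        packets = mix(packets, who)
    revealed = [(m >> 64, m & (2**64 - 1)) for m in packets]   # step (4)
    return received, revealed

def alice_links(received, revealed):
    """Alice re-encrypts every revealed (vote, random) pair with the public
    keys and matches the result against the packet each sender gave her."""
    lookup = {wrap(v, r): v for v, r in revealed}
    return {sender: lookup[pkt] for sender, pkt in received.items()}
```

The match succeeds despite the shuffles because re-encrypting a revealed pair reproduces the original packet bit for bit.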

14
  • A more complicated protocol
  • A malicious node cannot insert or change a vote
    in round 2. All intermediate results are signed
    and broadcast to everyone
  • If the vote is changed in round 1
  • If the node checks the votes after that, he will
    immediately find the problem
  • Otherwise, he will wait till round 2 and still
    find the problem
  • The random numbers and shuffle order together
    prevent the reconstruction of the votes: you
    cannot figure out who voted for whom

15
  • Problem of the self-organized voting protocol
  • Too much computation overhead
  • Alice can blindly duplicate another voter's vote to
    see who he/she votes for (three person example)
  • Need to examine the random number at the very end