Oblivious transfer

1

• Oblivious transfer
• Alice has a group of messages and Bob will get a
  subset of them. But Alice does not know which of
  the messages Bob gets.
• Approach using commutative encryption
• A new approach
• Alice has two messages and Bob will receive one,
  but Alice does not know which one.

2

• Oblivious transfer
• Alice generates two public/private key pairs and
  gives both public keys to Bob
• Bob generates a symmetric key K, and randomly
  selects one public key to encrypt and sends back
  to Alice
• Alice does not know which private key to use. So
  she decrypts with both, gets K and K
• She uses K to encrypt one message and K to
  encrypt the other
• At the very end, both sides need to reveal the
  keys to show they do not cheat (what Alice can
  do, what Bob can do)

3

• Oblivious transfer
• Can Alice cheat encrypt the same message with
  two different keys
• Can Bob cheat Bob cannot figure out the other key

4
Application of oblivious transfer

• Simultaneous contract signing
• Alice and Bob have agreed a contract and both
  want to sign, but no one wants to go first. What
  can we do?
• A solution using TTP
• Each side signs a copy and gives to TTP
• Now both sides can sign.
• If any disagreement happens, TTP holds a copy
  with your signature

5

• Simultaneous contract signing using baby steps
• Keep the difference between the degrees of
  commitment from both sides a very small value
• Each side signs a letter and switch
• Each side signs with an increasing commitment
  level

6

• A real simultaneous contract signing protocol
  using oblivious transfer
• Possible attacks
• Can Alice sends garbage bits during OT? For a
  specific pair, Alice has 50 chance to cheat.
  With all n pairs, Alices chance decreases to
  (½)n
• Alice can send fake keys. But she does not know
  which keys Bob has, so she will be caught if she
  cheats.

7

• Possible attacks to simultaneous contract signing
  using OT
• Alice can control which keys Bob receives through
  OT by encrypting the same message with different
  keys. But Bob can bring these messages to court.
• Assumptions of the protocol
• Both sides have roughly the same computation
  capability
• There is no deadline approaching

8

• Digital certified mail using OT
• Alice sends an email to Bob, she wants a signed
  receipt before Bob can read it.
• It looks similar to the contract signing
  protocol, but not really
• Can Alice sends halves of email to Bob?
• Can Alice encrypts the email and send halves of
  the keys to Bob?
• Keys are just random numbers, how can Bob make
  sure these halves are real keys but not some
  garbage? On the contrary, Alice can examine the
  halves of the receipt during OT.

9

• Improved digital certified mail
• Simultaneous exchange of secret
• The secret can be viewed as the email in previous
  protocol
• Both sides XOR the keys to recover the message at
  the very end

10
(No Transcript)
11

• Secure elections Maintain privacy and prevent
  cheating
• A voting method needs the following properties
• Only authorized voters can vote
• No one can vote more than once
• No one can know for whom anyone else vote
• No one can change others vote
• A voter can verify whether his vote is counted

12

• A simple protocol
• Every one signs the vote with private key, then
  encrypt with the centralized nodes public key
• Only authorized voters can vote and no one can
  vote twice
• Violation to privacy
• A voting protocol using blind signature
• We need to separate the vote from the voter, and
  keep the authentication, seems that blind
  signature can do it.
• Every node can only get the signed vote once,
• A malicious node cannot vote twice since the
  votes will have the same identification number
• CTF maybe knows who votes for whom (by tracing
  the source of a vote), anonymous sending can
  solve this problem
• CTF can generate fake votes

13

• A self-organized voting protocol (removing the
  centralized counter)
• First , a bad protocol
• (1) Every node generates his vote and a random
  number, then encrypts
• E_pub-A (E_pub-B (E_pub-C (E_pub-D (vote,
  random number))))
• (2) Every node sends the vote to Alice, who
  will decrypt the first encryption, signs the
  results, and shuffle the order.
• (3) B, C, and D do the same
• (4) Finally, the (vote, random) plain texts
  are revealed, and every node makes sure his vote
  is counted.
• What is the problem? Alice receives the original
  packet. When she sees the final results, she can
  recover the votes by encrypting with the public
  keys and know who vote for whom

14

• A more complicated protocol
• A malicious node cannot insert, or change a vote
  in round 2. All intermediate results are signed
  and broadcasted to everyone
• If the vote is changed in round 1
• If the node checks the votes after that, he will
  immediately find the problem
• Otherwise, he will wait till round 2 and still
  find the problem
• The random numbers and shuffle order together
  prevent the reconstruction of the votes you
  cannot figure out who voted for whom

15

• Problem of the self-organized voting protocol
• Too much computation overhead
• Alice can blindly duplicate others vote to see
  who he/she votes for (three person example)
• Need to examine the random number at the very end